Holzmann, G.J.: The theory and practice of a formal method: NewCoRe. In: Proc. IFIP World Computer Congress, Hamburg, Germany, August 1994
....has to happen at a higher abstraction level; in our model, object creation and deletion can be observed at the process level (see Section 3.3). 3.2. Property specification with LTL. For the specification of behavioral constraints we advocate the use of LTL. In several (industrial) projects like [17,19] and [20] temporal logic has been successfully used for the specification of behavioral constraints that should be satisfied by some executable specification. We feel that LTL, especially with its well understood theoretical foundations, has the potential to serve as a suitable vehicle for expressing ....
.... (table fragment, one entry per row) no, yes; [5] N/A, DS, D, yes, yes; [35] N/A, DB, yes, yes; [2] TChimera, DB, yes, no; [3] TROLL, IS, A, yes, yes; [4] TRIO, IS, A, yes, yes; [7] OSL, IS, A, yes, yes; [9] Templar, DS, AD, no, yes; [36] Rapide, DS, AD, yes, no; Our model, DS, D, yes, yes. Even though there are a few success stories of temporal logic in the industry, e.g. [19] and [20], a survey on the use of formal methods [32] revealed that temporal logic receives only marginal attention. Most current temporal logic based proposals for the design stage of software development (e.g. [34]) do not consider object systems. The application of research stemming from ....
Holzmann G. The theory and practice of a formal method: NewCoRe. Proceedings of the IFIP World Computer Congress, vol. I, Galton A (ed.). North-Holland, Amsterdam, 1994; 35--44.
....in the last few decades. Those research efforts have led to the definition of different techniques and methods in the area of modeling and design ([10], [11], [13], [17], [18], [36], [40], [44], [46], [47], [51], [74], [83], [87], [93]), simulation ([10], [23], [68]), verification ([10], [40], [41]) and testing ([10], [14], [77]). In the last decade, the object-oriented paradigm has emerged as a leading development technology in the real-time system industry. This paradigm allows modeling systems in a way that very much corresponds to the way humans see the world, i.e. in terms of a set ....
....of this approach is that designers can only use transformations that have been proved to be correctness preserving, i.e. transformations contained in the CPT catalogue. This is considered an important limitation of the approach. In the context of formal verification, [3], [4], [7], [16], [41], and [59] define transition methods that allow generating formal models for the purpose of model verification. The objective of these transition methods is to automatically generate formal representations that can be verified using formal verification tools. They map elements of the input model ....
G. Holzmann. The Theory and Practice of a Formal Method: NewCoRe. Internal Report, AT&T Laboratories, Murray Hill, New Jersey 07974, USA.
....The reusable elements of the theories facilitate the formal modelling and reasoning tasks enormously. Moreover they can directly support the systematic understanding of application field specific problems and methods. That this is an actual problem, we can conclude e.g. from the NewCoRe project (Holzmann, 1994). G. Holzmann reports that almost 55% of the original design specifications were logically inconsistent. This experience is a weighty argument for the direction of research we pursue in our work. ....
Holzmann, G.J. (1994) The Theory and Practice of A Formal Method: NewCoRe, in 13th World Computer Congress 94, volume I (ed. B. Pehrson and I. Simon), IFIP, Elsevier.
....of a system, one needs more than just a smart debugging tool. One of the practical problems when using model checkers is the management of all (generated) data during the validation trajectory. It is important that the validation results obtained using a validation tool are always reproducible [8]. Without tool support, the validation engineer has to resort to general engineering practices and record all validation activities into a logbook. Consequently, the quality of the validation process depends on the accuracy of the validation engineer. This is clearly undesirable. When an error is ....
Gerard J. Holzmann. The Theory and Practice of a Formal Method: NewCoRe. In Proceedings of the IFIP World Congress, Hamburg, Germany, August 1994. Also available from URL: http://cm.bell-labs.com/cm/cs/doc/94/index.html.
....the first instances we know of in which validation technology has achieved widespread use in an industrial setting. Our experience with validation differs from other examples reported in the literature in that we perform validation much later in the software design process. In the NewCoRe project [Ho94a], for example, validation was performed on SDL specifications by highly trained validation engineers during the requirements and specification phases. The VFSM validator, by contrast, is used by software developers during the low level design phase, just prior to coding. The use of validation at ....
G. J. Holzmann. The theory and practice of a formal method: NewCoRe. In Proc. IFIP World Congress, August 1994.
....based on process algebra [9, 19, 21, 3] enable equivalence checking: checking that SDL specifications and their expected behaviors are the same with respect to some notion of equivalence. Checking equivalence, or refinement, is a common problem in formal software design. Some research on SDL [12] advocates a forward approach to developing protocols: requirements are specified as a set of linear time logic properties, and the model is analyzed for conformance with these properties. Model refinement is done in small controlled steps; manual inspection is used to ensure that the ....
....does not support variables, and thus all actions and agents are represented by constants. Agents run independently and synchronize when output of one becomes input to another. Researchers trying to verify SDL models discovered that it cannot be effectively done without some simplifying assumptions [12]. First of all, SDL models, by definition, are not finite. SDL allows the use of infinite channels and infinite domain variables and data structures. In addition, standard SDL allows its task statements to contain anything from C code to English poetry. Notably, many SDL tools, e.g. SDT [22] ....
G. J. Holzmann. "The Theory and Practice of a Formal Method: NewCoRe". In Proc. IFIP World Computer Congress, Hamburg, Germany, August 1994. (invited paper).
....level; in our model, object creation and deletion can be observed at the process level (see Section 3.3). 3.2 Property specification with LTL. For the specification of behavioral constraints we advocate the use of Linear time Temporal Logic (LTL). In several (industrial) projects like [4], [20] and [22] temporal logic has been successfully used for the specification of behavioral constraints that should be satisfied by some executable specification. We feel that LTL, especially with its well understood theoretical foundations, has the potential to serve as a suitable vehicle for ....
....the complexity of the properties in real systems remains unclear. In [37] Manna and Pnueli give three classes of properties that are believed to cover the majority of properties one would ever wish to specify (and verify): safety ($\Box p$), response ($\Box(p \rightarrow \Diamond q)$) and precedence ($\Box(p \rightarrow q\,\mathcal{U}\,r)$). Holzmann [20] followed the argumentation of Manna and Pnueli and considers only the three above-mentioned classes. In a similar project [22] only safety properties were considered. In our work it turned out that safety and precedence properties cover a multitude of properties as they are stated upon industrial ....
G. Holzmann. The theory and practice of a formal method: NewCoRe. In Proceedings of the IFIP World Computer Congress, volume I, pages 35--44, Hamburg, Germany, August 1994. North-Holland Publ., Amsterdam, The Netherlands.
....behavior, a property specification language to express behavioral constraints that the service should satisfy, and validation techniques (like model checking). Unless otherwise stated, the formal technique listed in Table 2 indicates the modelling language. Table 2: Formal techniques in the comm. domain (Company: Formal technique, Ref.): Lucent: SDL [4]; Lucent: Esterel [5]; Dutch PTT: ACTL [6]; SNI: FSM [7]; BT: Z [8]; CSELT: Promela [9]. At Lucent, several formal method projects aimed at designing and implementing software for the Lucent 5ESS (Electronic Switching System) and several formal methods have been applied over a longer time period, e.g. [4, 5]. The NewCoRe project described in [4] ran over a two year period. A specification of 7,500 lines of (noncommented) SDL code was written and about 150 correctness properties were formally specified and verified for the SDL model. As a result, a total of 112 serious design errors were detected in ....
G. Holzmann, "The theory and practice of a formal method: NewCoRe," in Proceedings of the IFIP World Computer Congress, Hamburg, Germany, August 1994, vol. I, pp. 35--44, North-Holland Publ., Amsterdam, The Netherlands.
....$\forall k \geq j: (\sigma, k) \models p$; $(\sigma, j) \models \Diamond p \iff \exists k \geq j: (\sigma, k) \models p$; and finally $(\sigma, j) \models p\,\mathcal{U}\,q \iff \exists k \geq j: (\sigma, k) \models q$ and $\forall i,\ j \leq i < k: (\sigma, i) \models p$. Linear time temporal logic has already been used in several industrial projects to express properties that the software under construction should satisfy [6], [7]. However, there is only limited information in the literature about the complexity of the properties as they arise from industrial software development. In most papers, the complexity of the properties expressed in real systems remains unclear. In [8] Manna and Pnueli give three classes of ....
G. Holzmann, "The theory and practice of a formal method: NewCoRe," in Proceedings of the IFIP World Computer Congress, Hamburg, Germany, August 1994, vol. I, pp. 35--44, North-Holland Publ., Amsterdam, The Netherlands.
....considered in formal models. Thus, the extension of established foundations in the temporal logic domain still needs deeper investigation for industrial strength object-oriented distributed systems (OODS). Even though there are a few success stories of temporal logic in the industry, e.g. [19] and [21], a survey on the use of formal methods [38] revealed that temporal logic receives only marginal attention. After twenty years of research, the overall impact of temporal logic on mainstream software design has been limited. In this paper we present a formal model for the design stage of ....
....observe his/her own birth. This observation has to happen at a higher abstraction level; in our model, object creation and deletion can be observed at the process level (see Section 2.2). For the specification of behavioral constraints we advocate the use of linear time temporal logic. Holzmann [19] points out that a major engineering discipline discriminates between requirements and implementations. While many formal description techniques like LOTOS or SDL allow one to write (executable) formal specifications, they provide no support to express correctness requirements. In several (industrial) ....
G. Holzmann. The theory and practice of a formal method: NewCoRe. In Proceedings of the IFIP World Computer Congress, volume I, pages 35--44, Hamburg, Germany, August 1994. North-Holland Publ., Amsterdam, The Netherlands.
....industry whereas industry has not paid much attention to other formal methods, such as LOTOS for the specification and validation of communication services. Temporal logic (TL) also seems to have attracted some interest from the industry and has been used in connection with other FDTs such as SDL [42]. TL is also integrated in commercial products [77], [79]. (Table rows; Company: FM, References) AT&T: Esterel [50]; AT&T: SDL [5], [43], [41]; AT&T: SDL, TL [42]; AT&T: Z [83]; AT&T: Promela, Z [84]; Bellcore: Promela, LTL [60]; BT: Z [2]; BT: SDL [54], [28]; CSELT: Promela [9]; Deutsche Telekom et al. (footnote 1): Petri nets, SDL [14]; Dutch PTT, Telia: SDL, ACTL [12], [66]; France Télécom: Z [53]; Nortel: SDL [81]; Score (footnote 2): SDL, Z, ACTL [20]; SNI: FSM, TL [77]. Table 3: Formal ....
G. Holzmann. The theory and practice of a formal method: NewCoRe. In Proceedings of the IFIP World Computer Congress, volume I, pages 35--44, Hamburg, Germany, August 1994. North-Holland Publ., Amsterdam, The Netherlands.
....hardly considered in formal models. Thus, the extension of established foundations in the temporal logic domain still needs deeper investigation for industrial strength object-oriented distributed systems (OODS). Even though there are a few success stories of temporal logic in the industry, e.g. [18] and [20], a survey on the use of formal methods [37] revealed that temporal logic receives only marginal attention. After twenty years of research, the overall impact of temporal logic on mainstream software design has been limited. In this paper we present a formal model for the design stage ....
....observe his/her own birth. This observation has to happen at a higher abstraction level; in our model, object creation and deletion can be observed at the process level (see Section 2.2). For the specification of behavioral constraints we advocate the use of linear time temporal logic. Holzmann [18] points out that a major engineering discipline discriminates between requirements and implementations. While many FDTs like LOTOS or SDL allow one to write (executable) formal specifications, they provide no support to express correctness requirements. In several (industrial) projects like [4], [18] ....
G. Holzmann. The theory and practice of a formal method: NewCoRe. In Proceedings of the IFIP World Computer Congress, volume I, pages 35--44, Hamburg, Germany, August 1994. North-Holland Publ., Amsterdam, The Netherlands.
....the complexity of the properties expressed in real systems remains unclear. In [14] Manna and Pnueli give three classes of properties that are believed to cover the majority of properties one would ever wish to verify: invariance ($\Box p$), response ($\Box(p \rightarrow \Diamond q)$) and precedence ($\Box(p \rightarrow q\,\mathcal{U}\,r)$). Holzmann [6] followed the argumentation of Manna and Pnueli and considers only the three above-mentioned classes. In a similar project [8] only safety properties (invariance properties) were considered. In our work it turned out that safety and precedence properties cover a multitude of properties as they ....
G. Holzmann. The theory and practice of a formal method: NewCoRe. In Proceedings of the IFIP World Computer Congress, volume I, pages 35--44, Hamburg, Germany, August 1994. North-Holland Publ., Amsterdam, The Netherlands.
....given in the informal service specifications. ii) The service had been designed and implemented without paying any attention to formality. Linear time temporal logic has already been used in several industrial projects to express properties that the software under construction should satisfy (Holzmann 1994), (Jagadeesan, Puchol & Olnhausen 1995). However, there is only limited information in the literature about the complexity of the properties as they arise from industrial software development. In most papers, the complexity of the properties expressed in real systems remains unclear. In (Manna & Pnueli 1991b) Manna and Pnueli give three classes of properties that are believed to cover the majority of properties one would ever wish to verify: invariance ($\Box p$), response ($\Box(p \rightarrow \Diamond q)$) and precedence ($\Box(p \rightarrow q\,\mathcal{U}\,r)$). Holzmann (Holzmann 1994) followed the argumentation of Manna and Pnueli and considers only the three above-mentioned classes. In a similar project (Jagadeesan et al. 1995) only safety properties (invariance properties) were considered. In our work it turned out that safety and precedence properties cover a multitude of ....
Holzmann, G. (1994), The theory and practice of a formal method: NewCoRe, in `Proceedings of the IFIP World Computer Congress', Vol. I, North-Holland Publ., Amsterdam, The Netherlands, Hamburg, Germany, pp. 35--44.
....behaviour of the system. The fundamental point is this: Testing and bug fixing should do more than correct the code. They should identify the root causes in the design process of any error. One example is a well documented project at AT&T for a communications product (for CCITT standards), see Holzmann [1994]. This project involved as many as fifty designers working on a two year programme with some 30% of the effort on testing. There were one hundred and twelve errors traced to the high level requirements specification; and almost 55% of all the high level requirements at the start of the project ....
Holzmann [1994] G. J. Holzmann. The Theory and Practice of a Formal Method: NewCoRe. In B. Pehrson and I. Simon, editors, 13th World Computer Congress, volume 1. North Holland, 1994.
.... hardware practice is still with us, as is a widespread scepticism about the industrial benefit of formal methods (see the discussion in the literature about what are the right methods and criteria [32, 67, 68, 46, 77, 30, 31] for software engineering to become a mature engineering discipline [53]). I accept with pleasure the invitation to explain to this audience how the new evolving algebra approach contributes to bridging this gap. I will try to convince you that it offers a mathematically well founded and rigorous but nevertheless simple discipline practical and scalable to industrial ....
....the ground model must assure the possibility to make statements about the design that are either verifiable or falsifiable and that b) the user must have the possibility to test the appropriateness of the model by experiments with reproducible results, using $S_0$ or executable prototypes. In [53] these consequences of the Popperian falsifiability criterion are postulated as quality standard for any verification method. The falsifiability request for ground models does not contradict but complements the role of the use of formal methods during the ideally provably correct development ....
G.J. Holzmann, The Theory and Practice of a Formal Method: NewCoRe, in: B. Pehrson and I. Simon (Eds.), Technology and Foundations, Information Processing '94, Volume I, Proc. of the IFIP 13th World Computer Congress 1994, IFIP Transaction A--51, pp. 35--44, Elsevier, Amsterdam.
....of fully automating a human proof that as little as two years ago was considered far out of reach for algorithmic methods [BGK 96]. ISDN ISUP. The NewCoRe Project was the first full scale application of formal verification methods in a routine software design project within AT&T [Cha92, Hol94]. The project lasted from 1989 until 1992. Formal modeling and automated verification were applied to the development of the International Telecommunications Union (formerly CCITT) ISDN IUPP (ISDN User Part Protocol). A team of five verification engineers formalized 145 requirements in temporal ....
G.J. Holzmann. The theory and practice of a formal method: NewCoRe. In Proc. IFIP World Computer Congress, Hamburg, Germany, August 1994.
....to problem sizes that would ordinarily have remained well beyond the scope of automated verification tools. We will summarize one of the recent experiences with formal verification based on this technique in a two year case study performed in cooperation with AT&T International Switching [C91], [H94]. In this study, named the NewCoRe project, a routine implementation of an ISDN protocol was pursued by a team of five people, with a methodology based on formal verification. A total of 10,000 mechanical verification runs were performed, 145 LTL properties were formalized and proven to be ....
G. J. Holzmann, `The theory and practice of a formal method: NewCoRe,' Proc. 13th IFIP World Computer Congress, Hamburg, Germany, 1994, pp. 35--44.
....then it can't be fixed. Hitchhiker's Guide to the Galaxy, Book 5). 1. INTRODUCTION. Despite a number of projects that appear to have demonstrated successfully that the adoption of formal design techniques in a mainstream industrial environment is feasible and beneficial, e.g. [Ch91], [Ru92], [Ho94], in only few cases have such projects led to a permanent change in the design process that they targeted. How, then, can we prove the value of formal methods in such a way that also this second step is taken? To do so, we will have to accomplish two separate objectives. First, we will have to ....
....us to our original objective: to show in a rigorous and scientific way that the introduction of a formal method is beneficial. In the NewCoRe project, a pilot formal methods project we performed at AT&T between 1990 and 1992, our goal was to provide the much needed hard scientific data, [Ch1], [Ho94]. As part of this experiment, a single development project was pursued in two different ways, by two different groups in parallel. The first team used a traditional design method; the second (smaller) team applied formal design and verification techniques. Our aim was to compare the two parallel ....
G. J. Holzmann, The theory and practice of a formal method: NewCoRe. Proc. 13th IFIP World Computer Congress, August 2 - September 2 1994, Hamburg, Germany.
....without changing the memory limits. The algorithm uses just two bits of memory per reachable state, and allows the expected coverage to be calculated with a statistical argument. The supertrace technique has been applied successfully in a number of large scale industrial applications, e.g. [C91, H94]. [Figure: measured vs. predicted coverage; N = 427567 states, S = 1376 bits] ....
G. J. Holzmann, `The theory and practice of a formal method: NewCoRe,' Proc. 13th IFIP World Computer Congress, Hamburg, Germany, 1994, pp. 35--44.
....within a memory arena that may be orders of magnitude smaller than required for exhaustive verifications. The method has made it possible to apply formal verification techniques to problems that would normally have remained beyond the scope of automated tools, e.g. [C91], [C94], [L94], [H94a], [H94b]. This paper provides an analytical argument that explains the performance of the algorithm. The analysis is then extended to compare the method with two alternative techniques that have been proposed in the recent literature as potential improvements [WL93]. Problem Definition. In the ....
Holzmann, G.J. (1994) `The theory and practice of a formal method: NewCoRe,' Proc. 13th IFIP World Computer Congress, Hamburg, Germany.
....the required coverage level is reached. Fig. 7. Measured problem coverage [34], [42]: effect of the optional bitstate hashing technique in SPIN. The bit state hashing techniques have been applied with good results in several large scale industrial applications of formal verification, e.g. [11], [40]. 4. PRACTICAL APPLICATIONS. As typical examples of the application of SPIN to the verification of concurrent systems, we discuss three different types of problems. The first is a protocol for scheduling processes in a distributed operating system, as discussed in [64]. The second example is the ....
G.J. Holzmann, "The Theory and Practice of a Formal Method: NewCoRe," Proc. 13th IFIP World Computer Congress, pp. 35-44, Hamburg, Germany, North-Holland, Aug. 1994.
....within a memory arena that may be orders of magnitude smaller than required for exhaustive verifications. The method has made it possible to apply formal verification techniques to problems that would normally have remained beyond the scope of automated tools, e.g. [C91], [C94], [L94], [H94a], [H94b]. This paper provides an analytical argument that explains the performance of the algorithm. The analysis is then extended to compare the method with alternative techniques, hash compact, and multihash [WL93], [SD95], [SD96]. We show that a variation of the multihash technique, sequential ....
Holzmann, G.J. (1994) `The theory and practice of a formal method: NewCoRe,' Proc. 13th IFIP World Computer Congress, Hamburg, Germany.
Holzmann, G.J.: The theory and practice of a formal method: NewCoRe. In: Proc. IFIP World Computer Congress, Hamburg, Germany, August 1994