Abstract
Model-based systems engineering approaches support the early adoption of a model - a collection of abstractions - of the system under development. The system model can be augmented with key properties of the system including formal specifications of system behavior that codify portions of system and unit-level requirements. There are obvious gaps between the model with formally specified behavior and the deployed system. Previous work on component contract languages has shown how behavior can be specified in models defined using the Architecture Analysis and Design Language (AADL) - a SAE International standard (AS5506C). That work demonstrated the effectiveness of model-level formal methods specification and verification but did not provide a strong and direct connection to system implementations developed using conventional programming languages. In particular, there was no refinement of model-level contracts to programming language-level contracts nor a framework for formally verifying that program code conforms to model-level behavioral specifications.
To address these gaps and to enable the practical application of model-level contract languages for verification of deployed high-integrity systems, this paper describes the design of the GUMBO AADL contract language, which integrates and extends key concepts from earlier contract languages. The GUMBO contract language (GCL) is closely aligned with a formal semantics of the AADL run-time framework, which provides a platform- and language-independent specification of AADL semantics. We have enhanced the HAMR AADL code generation framework to translate model-level contracts to programming language-level contracts in the Slang high-integrity language. We demonstrate how the Logika verification tool can automatically verify that Slang-based AADL component implementations conform to contracts, both at the code level and at the model level. Slang-based implementations of AADL systems can be executed directly or compiled to C for deployment on Linux or the seL4 verified microkernel.