Concurrent systems are hard to program, and ensuring quality by means of traditional testing techniques is often very hard as errors may not show up easily and reproducing them is hard. In previous work, we have advocated a model-driven approach to the analysis and design of concurrent, safety-critical systems. However, to take full advantage of these techniques, they must be supported by code generation schemes for concrete programming languages. Ideally, this translation should be traceable, automated and should support the verification of the generated code. In our work, we consider the problem of generating a concurrent Java component from a high-level model of inter-process interaction (i.e., communication + synchronization). We call our formalism shared resources. From the model, which can be represented in mathematical notation or written as a Java interface annotated using an extension of JML, a Java component can be obtained by a semiautomatic translation. We describe how to obtain shared memory (using a priority monitors library) and message passing (using the JCSP library) implementations. Focusing on inter-process interaction for formal development is justified by several reasons, e.g., mathematical models are language-independent and allow to analyze certain concurrency issues, such as deadlocks or liveness properties prior to code generation. Also, the Java components produced from the shared resource model will contain all the concurrency-related language constructs, which are often responsible for many of the errors in concurrent software. We follow a realistic approach where the translation is semiautomatic (schemata for code generation) and the programmer still retains the power of coding or modifying parts of the code for the resource. The code thus obtained is JML-annotated Java with proof obligations that help with code traceability and verification of safety and liveness properties. As the code thus obtained is not automatically correct, there is still the need to verify its conformance to the original specs. We illustrate the methodology by developing a concurrent control system and verifying the code obtained using the KeY program verification tool. We also show how KeY can be used to find errors resulting from a wrong use of the templates.
There are several patterns or tools for translating from other specification languages to JML specification sentences. An example of them is presented in [15]; in particular, OCL specifications can easily be translated into JML.
For simplicity, we are assuming that the Java code for checking a boolean condition can be represented by a call to an auxiliary method, which would be part of the outcome of Pred2Java. Of course, actual code may take a different, but equivalent, form.
Notice that JML assume statements are those expressions on which the code can “trust” to hold. In the case of the pre, it is assumed that the expression is valid before continuing the execution. However, assert expressions must be checked, and if some of those expressions do not hold, the code must halt or warn the user that the system is in an inconsistent state. In the case of the cpre, the expression must hold before continuing executing the critical section of the operation, indicating that the invariant holds and the access to the shared resource inner state variables is allowed.
A survey on the different monitor flavors, with an analysis of the pros and cons of each proposal, can be found in [8].
Also known as “condition variables,” “event queues,” etc., in the literature.
This idea can be traced back to [19].
Actually, we are assuming that the only distinction between threads blocked on such an operation is calling time, and thus, an FCFS policy is fine. Of course, this might not always be the case, and then, input parameters should be taken into account. For simplicity, we are not considering this possibility now.
The library allows to issue more than one signal before releasing the monitor, but then it can get rather difficult to ensure that cpres hold on resumption, so the template presented does not consider that possibility.
If the cpre is independent, the code only stores the new condition queue in a method associated list.
A map associates a specified value with a specified key in the structure. If the map previously contained a mapping for the key, the old value is replaced by the specified value.
The resemblance with the monitor templates should be evident. We are using synchronous channels to emulate the functionality provided by condition queues.
A ghost field is similar to a JML model field, in that it is also only present for purposes of specification and thus cannot be used outside of JML annotations.
Modifying this generic template for the if/else structure is straightforward.
Notice that the unblocking code is now separated into two different pieces, one per each iteration. The code for exitWarehouse operation is analogous and can be seen in [2].
The experimentation over those implementations that used “deferred request” techniques is not shown in this paper but downloadable from [2].
The analysis of the other scenario, when a exitWarehouse request is processed, is analogous to the presented one.
Appendix 1: fairSelect and server loop instrumentation using synchronized methods
Server loop instrumentation for KeY when requests can be directly processed or refused. The server loop condition is changed from
Appendix 2: WarehouseAccessMonitorNaive instrumentation
Code corresponding to the instrumentation of the unblocking code of each operation belonging to the WarehouseAccessMonitorNaive class.
Appendix 3: Instrumented unblocking code of WarehouseAccessMonitorOpt
1.1 Unblocking code for exitWarehouse operation
1.2 Unblocking code for enterWarehouse operation
