Formal Specification and Verification of Safety-Critical Software

Abstract: This thesis is about formal specification and formal verification of software and consists of three different parts. In the first two parts, the formal specification language OCL is treated in two different contexts. The third part describes a technique for analysing the consequences of hardware faults as part of formal software verification. The first part describes the development of OCL specifications for all classes and interfaces in JAVA CARD API 2.2, a set of library classes/interfaces used when programming JAVA CARD programs. The primary purpose of the specifications is to support formal verification of JAVA CARD programs in the KeY tool, but the formal documentation itself can also be useful for programmers using the API. The second part of the thesis considers different aspects of simplifying OCL specifications that have been automatically generated. One specific context is examined: a CASE tool equipped with a design pattern instantiation mechanism that, besides generating UML diagrams, also generates OCL constraints. These constraints capture certain properties of the design pattern. OCL constraints that are automatically generated from generic patterns tend to contain redundancies. These redundancies reduce their readability and they therefore need to be simplified. An approach for OCL simplification based on rewriting is presented. The third part describes a technique for formal verification of software where the ability to analyse hardware faults has been introduced. An approach for formal software verification based on symbolic program execution is extended so that hardware faults can be represented in a symbolic way. These simulated hardware faults can be introduced during symbolic execution, and it then becomes possible to calculate the exact consequences of certain hardware faults or prove that a program tolerates these faults.