Formal Verification of Projection-Based Software Systems

Recent implementation languages such as AspectJ and HyperJ allow systems to be decomposed into declaratively complete units. These units are projections of the system, which are partial implementations of the entire system where each program element such as a data structure or procedure may be partially defined in more than one projection. In contrast, traditional languages rely on units that are partitions, which are complete implementations of part of the system: every program element is defined in only one part. Projection-based approaches offer low coupling between units leading to programs that may be easier to maintain and extend. These implementation languages for projection-based systems offer facilities for composing projections to form a complete software package. This composition usually yields a number of complex interactions between the projections. Some of these interactions may manifest themselves as inconsistencies such as undesired interference among projections. Formal verification is an effective mechanism for detecting inconsistencies. However, existing formal specification languages do not provide the means to express the interactions between projections in a clear and concise fashion. Existing projection-based implementation languages perform composition using a similar set of basic constructs. The goal of this work is to find suitable abstractions for these common constructs, which will lead to a formal representation of projection composition and an approach to formal verification of projection-based systems. In order to accomplish this goal, a formal model of the composition mechanisms used in projection-based languages was developed. This model serves as the semantic basis for C3, a language for formally specifying the composition of projections. An analyst who decomposes a formal specification into projections can compose these projections using C3. A C3 description is easily translated to an implementation in a projection-based language. The original projections and the composed specifications can be verified for desired properties. The C3 language and verification approach are demonstrated through two case studies, one using the Alloy language, and another using the Finite State Process (FSP) language. The contributions of this thesis include: a formal model of the mechanisms for composing projections to produce a complete program; C3, a language for specifying the composition of projections; and approaches to verifying properties of compositions specified using C3, and properties of projections written in different formal specification languages. These contributions increase the body of knowledge regarding the underlying principles of projection-based languages.