## Final Report Summary - QUAREM (Quantitative Reactive Modeling)

Formal verification research in computer science has developed a rigorous engineering methodology for ensuring that software and hardware operate safely and correctly. Traditional formal methods have taken a strictly boolean view, which separates systems into safe and unsafe, correct and incorrect. The reality of software and hardware engineering is more nuanced: among all safe and correct systems, some are preferable to others because they perform better, use fewer resources, cost less, tolerate failures more gracefully, are more secure, etc. Similarly, among all unsafe or incorrect systems, some are surely preferable to others because they come closer to safety and correctness. Traditional formal methods cannot express such preferences. In this project, we generalized traditional formal methods so that they can be used to measure the quality of a system quantitatively. Such measurements may include the performance and resource consumption of the system (execution time, memory use, number of processors, power, cost), but also robustness properties such as modularity, recovery from failures, and security. We focused on reactive systems, which produce outputs in reaction to inputs provided by humans or other systems. For example, the flight control software of an aircraft is a reactive system that adjusts the flight control surfaces in reaction to the actions of the pilot and the data provided by the navigation system and the flight sensors.

Formal verification methods consist of three parts. The first component consists of mathematical models and formal languages for describing systems and their properties precisely. The second component consists of algorithms and proof methods for checking whether a given model satisfies a given property (model analysis), and for constructing models that have desired properties (model synthesis). The third component consists of software tools that implement the models and algorithms and can be used by engineers who develop software and hardware systems. We introduced and developed novel quantitative approaches that cover all three parts: models and languages, algorithms and proof methods, as well as software tools. We highlight here only three representative pieces of the new methodology.

First, we developed a new modeling language together with a theory for measuring quantitative properties of system behaviors, such as the average response time of a reactive system, by analysis of a model of the system rather than by observing the finished system. (The average response time is the average time a program takes in order to compute a response for a given request.) Second, we developed a theory for building and refining quantitative abstractions of reactive systems. A quantitative abstraction is an approximation that omits some details about a system in a way that ensures that the quantitative properties of the abstraction (such as resource consumption) overestimate the corresponding properties of the system. By refining the abstraction iteratively, the estimates can be made more and more precise. Third, we developed algorithms and tools that decorate a sequential program in order to make it safe for concurrent execution, and choose among all possible decorations the one that makes the resulting concurrent program perform best. Making programs safe for concurrent execution in a way that makes optimal use of the additional processors, whether on a multicore machine or on a network of machines, is a difficult and error-prone task even for experienced programmers. By automating this task we improve both programmer productivity and software quality.
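To make the first two points concrete, here is an added worked example; it is not code from the QUAREM project and does not use its modeling language. It assumes a deliberately simplified setting: a reactive system is a finite weighted transition system whose edge weights are time units, the quantitative property analysed on the model is the worst-case long-run average time per transition (the maximum mean cycle, chosen here as a stand-in for the page's "average response time"), and a quantitative abstraction merges concrete states into classes and keeps the largest weight among the merged edges. The toy cache-server model, the partitions, and the function names (`max_mean_cycle`, `abstract`, `bounds`) are all constructed for this illustration. The point the code shows is the soundness and refinement property the text describes: the coarse abstraction overestimates the concrete value, and splitting a class tightens the bound without ever dropping below the true value.

```python
from fractions import Fraction

# Constructed toy model (not from the project): a server that receives a
# request, serves it from cache (hit) or fetches it (miss) and returns to idle.
# Edge weights are time units per transition.
CONCRETE = {
    "idle":  {"recv": 1},
    "recv":  {"hit": 1, "miss": 1},
    "hit":   {"idle": 2},
    "miss":  {"fetch": 2},
    "fetch": {"idle": 6},
}

# Coarse abstraction: everything that is not idle is "busy".
COARSE = {"idle": "idle", "recv": "busy", "hit": "busy",
          "miss": "busy", "fetch": "busy"}

# Refinement of COARSE: split "busy" into the cached path and the slow path.
REFINED = {"idle": "idle", "recv": "req", "hit": "req",
           "miss": "slow", "fetch": "slow"}


def simple_cycles(graph):
    """Enumerate every simple cycle once, as a list of states.

    Each cycle is reported from its lowest-indexed state, which is enough to
    avoid rotations of the same cycle. Fine for small hand-written models.
    """
    index = {s: i for i, s in enumerate(graph)}
    for start in graph:
        stack = [(start, [start])]
        while stack:
            node, path = stack.pop()
            for nxt in graph[node]:
                if nxt == start:
                    yield path              # closing edge exists: a cycle
                elif index[nxt] > index[start] and nxt not in path:
                    stack.append((nxt, path + [nxt]))


def max_mean_cycle(graph):
    """Worst-case long-run average weight per transition (max mean cycle)."""
    best = None
    for cyc in simple_cycles(graph):
        n = len(cyc)
        total = sum(graph[cyc[i]][cyc[(i + 1) % n]] for i in range(n))
        mean = Fraction(total, n)
        if best is None or mean > best:
            best = mean
    return best


def abstract(graph, partition):
    """Quotient the model by `partition` (concrete state -> class name).

    An abstract edge carries the maximum weight of the concrete edges it
    stands for, so every concrete cycle maps to an abstract closed walk of at
    least the same mean weight: the abstraction overestimates the property.
    """
    quotient = {partition[s]: {} for s in graph}
    for src, succ in graph.items():
        for dst, w in succ.items():
            a, b = partition[src], partition[dst]
            quotient[a][b] = max(quotient[a].get(b, w), w)
    return quotient


def bounds():
    """Return (exact, refined bound, coarse bound) for the toy model."""
    exact = max_mean_cycle(CONCRETE)
    refined = max_mean_cycle(abstract(CONCRETE, REFINED))
    coarse = max_mean_cycle(abstract(CONCRETE, COARSE))
    # Soundness: exact <= refined <= coarse must hold for this construction.
    assert exact <= refined <= coarse
    return exact, refined, coarse


if __name__ == "__main__":
    for name, value in zip(("exact", "refined", "coarse"), bounds()):
        print(f"{name:8s} {value} (= {float(value):.3f})")
```

On this model the concrete value is 5/2 (the miss path), the coarse "busy" abstraction reports 7/2, and the refined abstraction 8/3. The abstraction never undercuts the true value, which is what makes it usable as a safe resource bound; refinement is what buys precision.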

## Contact

Carla Mazuheli-Chibidziura, (Expert Grant Office)

Tel.: +43 2243 9000 1038

Fax: +43 2243 9000 2000