The seminal book on design patterns defines design patterns as "descriptions of communicating objects and classes that are customized to solve a general design problem in a particular context" [ 7 ]. Issued from C. Alexander’s work [ 8 ], design patterns describe object-oriented designs but one could be easily generalized in the context of model checking, as illustrated by Dwyer et al. [ 9 ] who provides form of pattern to specify formal properties. Verification process tools heavily depend on the structure and content of their case for searching, versioning, diagnosing, or adapting models, their description share goals of patterns as they must address a consensus about a topic, shared by a community. Relationships between cases such as uses or extends have also to be expressed in the patterns. In the model-checking community, benchmarks, i.e. collections including models, are used to assess tools performances. Benchmark repositories organize models, properties, verification runs and results. We used the structure of the BEEM benchmark [ 10 ] as a basis for describing cases. In the rest of the article the names of potential pattern's constituents are formatted in italics. 2.2

Lets us take a case borrowed from Lamport [ 11 ], with a viewpoint related to model checking. Alice and Bob are sharing a yard in an exclusive manner because their pets cannot be together in the yard. Lamport's solution uses two threads sharing only two Boolean variables (flags), each of which can be written by one thread and read by the other. For verification purposes, the system based on the mutual exclusion algorithm should be translated into a model describing how the system behaves, with clearly defined components and functions (required to a good diagnosis, i.e. finding the component/function source of the fault). Lamport’s algorithm and a corresponding model in a concurrent automata-like language are given in Fig.1.

Alice: while (true) { flagAlice = up;

while (flagBob == up)skip; catInYard; flagAlice = down; } Bob: while (true) { flagBob = up; while (flagAlice == up) { flagBob = down;

while (flagAlice == up)skip; flagBob = up; } dogInYard; flagBob = down; }

Fig. 1. Lamport's mutual exclusion algorithm To prove the model is correct, a verification by model checking is conducted according properties: - Mutual Exclusion (P1), Bob and Alice must not be together in critical section (CS); - Deadlock Freedom (P2), it never happens that Alice or Bob are trying to enter their CS, but never succeeds; - Lockout Freedom (P3), from a fair path Alice or Bob try to access the CS, it will terminate; - Fairness (P4), it is always possible for Alice or Bob to access the CS. We reach a valid model through several verification endeavors until all properties are satisfied. A verification endeavor is composed of different versions of behavioral models coupled with properties and run results. Models are expressed with different implementations (such as in Fig.2) and properties are checked on these implementation during verification runs. CS: printf("CS\n"); L_CS: atomic{ flagAlice=false; printf("Leaving CS \n"); bool flagAlice,flagBob; #define csa alice@CS; #define csb bob@CS; #define mtx !(csa && csb) #define ecsa alice@E_CS; #define ecsb bob@E_CS; #define lcsa alice@L_CS; #define lcsb bob@L_CS; active proctype alice(){ active proctype bob(){ E_CS: printf("Entering CS\n"); E_CS: printf("Entering CS\n"); do::flagAlice=true; do::flagBob=true; do::!flagBob-> break do:: flagAlice->flagBob=false; ::else->skip; do::!flagAlice od; ->atomic{flagBob=true;break;} ::else->skip; od :: !flagAlice->break od CS: printf("CS\n"); L_CS: atomic{

flagBob=false; printf("Leaving CS\n");} od;}

Once the sample case has been assessed, the most initial declaration; similar problem case is searched in the case base. repeat forever Our case addresses the classical problem case of noncritical section; Mutual Exclusion as it supports almost the same ecnrtirtyic;al section; properties. A problem case is a sample case that has exit ; been reified in the case base. It provides a end repeat specification in a form of a structure and a set of abstract properties that prescribes the system's Fig. 4. Mutual Exclusion Structure behavior. A specification addresses the problem space (not the solution space) and is by definition independent from any implementation language, which is rather given by solution implementations. A problem case provides a structure, for Mutual Exclusion we state that each process’s program may be written as follows (see Fig. 4): The entry statement represents all the operation executions between a noncritical section (NCS) and the subsequent critical section (CS); The exit statement represents all the operation between a CS and the subsequent NCS; The initial declaration describes the initial values of the variables. Abstract properties might be expressed in temporal logic like LTL (see Fig.5) which is based upon the propositional calculus, where formulas are composed of atomic propositions and operators [ 1 ], by contrast to assertions that impose control point in the system and cannot express all properties (deadlock, starvation). Abstract properties are inspired by Lamport's work: -Mutual Exclusion (P1), For any pair of distinct processes i and j, no pair of operation executions CSi and CSj are concurrent i.e. □¬(CSi˄CSj); -Deadlock Freedom (P2), deadlock appends if it is impossible to reach a state in which some processes are trying to enter their CS, but no process is successful; -Lockout Freedom (P3), if a process in a fair path tries to execute its CS then eventually it succeed, i.e. for i □◊CSi→□(E_CSi→◊CSi). -Fairness (P4), it should be possible for each process to access the CS , i.e. (□◊CSi)˄(□◊CSj). and ˄ && implies → ->

The structure and properties of problem cases have to be bound to the sample case including the difficult task to identify and bind parts of the model to equivalent parts of the problem case structure. Parts of the implementation model might be annotated (E_CS, CS, L_CS) in order to apply the properties given the problem structure. The problem case is used to predict the expected behavior, and thus fairness by comparing the observed model of Alice and Bob and deducted which component is not fair. To this intent, a problem case should provide a set of potential causes and solutions to a failed property, for instance fairness property P4 is violated by Bob, it results the cause "Bob is too kind with Alice", and a solution have to be found to this cause that will update processes accordingly.

Thus a problem case may propose a set of solutions, for mutual exclusion many solutions exist with different properties, in our example a possible solution might be the Peterson’s algorithm [ 12 ] given in Fig.6. Then the engineer applies the adequate solution to its wrong model, to do that he/she must understand precisely how to bind the solution to his sample case either by copying or adaptation [ 6 ] techniques. Copying is the trivial type of reuse where the solution is directly transferred to the case as its solution while adaptation is relevant if differences are taken into account, it consists in either reuse the past case solution (transformational reuse), or reuse the past method that constructed the solution (derivational reuse). When a solution is applied to the sample case, a new verification must be performed. If the properties are still not satisfied, the diagnostic of the cause become clearer, and revised solutions can be brought again. Finally the new solution is retained in the case base, together with sample case reified as a problem case. The most relevant features of the new problem case have to be revealed to facilitate further identification. bool flag[ 2 ]; flag[0] = false; flag[ 1 ] = false; int turn; P0: flag[0] = true; turn = 1; P1: flag[ 1 ] = true; turn = 0; while (flag[ 1 ] && turn == 1){ while (flag[0] && turn == 0){ // entry // entry } // critical section // exit flag[0] = false; } // critical section // exit flag[ 1 ] = false; Model checking relies on a large collection of heterogeneous artifacts and diagnosing faults is generally a tedious task which should benefit from a knowledge base system to collect and provide access to well-formalized verification artifacts. In the formal method community, patterns are mostly understood in reference to the work by Dwyer et al. [ 9 ], and actually there is no common agreement on a formalization or organization for the whole verification process artefacts, such as models, traces or sessions of verifications. Hence this paper asks the question about unmet needs for such patterns and their possible relationships, with a particular focus on patterns required for diagnosis techniques such as problem case or solution in CBR. 4