SEFM-sum

SEFM 06: A partial report
Amiram Yehudai

SEFM 2006
4th IEEE International Conference on Software Engineering and Formal Methods
Pune, India
September 11-15, 2006
Program
Tutorials (Monday, Tuesday).
Invited talks + paper sessions (Wednesday, Thursday, Friday).
Tutorial 1
Automated Formal Methods with PVS, SAL and Yices
Leonardo de Moura, Bruno Dutertre, Sam Owre, John Rushby, N. Shankar, Ashish Tiwari (SRI International, USA)
Tutorial 2
Integrating Object-oriented Design and Deductive Verification of Software
Bernhard Beckert (University of Koblenz, Germany), Reiner Hähnle (Chalmers University, Sweden), Peter H. Schmitt (University of Karlsruhe, Germany)

Tutorial 2 (cont.)
Formal specification and deductive verification of OO programs within a software development platform that supports contemporary design and implementation methodologies.
The KeY System implements this approach and integrates formal methods into Borland Together Control Center 6.2 and Eclipse.
Tutorial 3
Static Analysis of Programs: A Heap-centric View
Uday Khedker (I.I.T. Bombay, India)

Tutorial 3 (cont.)
The dataflow analysis technique.
Applications: compiler optimization, software engineering, software verification.
Traditional literature: simple applications of dataflow, a narrow view of the possibilities.
This tutorial: the frontiers of dataflow analysis.
Advances in the analysis of heap-allocated data.
Tutorial 4
Retrenchment
Richard Banach (University of Manchester, UK)
Opening
Opening (Mathai Joseph)
Advances of IT in India, projected growth, …
Invited Talk 1
Modelling Heterogeneous Realtime Components in BIP, Joseph Sifakis

BIP, Joseph Sifakis
A methodology for modeling heterogeneous real-time components.
Components are a superposition of three layers:
– Behavior, specified as a set of transitions;
– Interactions between transitions of the behavior;
– Priorities, used to choose amongst possible interactions.
A parameterized binary composition operator composes components layer by layer.

BIP, Joseph Sifakis (cont.)
The BIP language and associated tools for executing and analyzing components on a dedicated platform.
The language provides a powerful mechanism for structuring interactions involving rendezvous and broadcast.
Synchronous and timed systems are particular classes of components.
Examples; comparison of BIP to existing approaches for heterogeneous component-based modeling.
The verified software repository
(informal presentation/discussion)
Grand Challenge proposed by C. A. R. Hoare.
Like the landing on the moon.
Various activities to discuss it.
Attempt to get major funding.
http://www.fmnet.info/vsr-net/
Session 1: Verification - I
Verification of JavaCard Applets Behavior with respect to Transactions and Card Tears, Claude Marché, Nicolas Rousset
A Theory of Singly-Linked Lists and its Extensible Decision Procedure, Silvio Ranise, Calogero Zarba
Formal Modelling and Verification of an Asynchronous DLX Pipeline, Hemangee K. Kapoor
Verification of JavaCard Applets Behavior with respect to Transactions and Card Tears
The Java Card transaction mechanism protects sensitive operations on smart cards against e.g. card tears or power losses.
The statements of a transaction are viewed as a single atomic operation: all of them are performed, or none.
KRAKATOA: static verification of Java programs annotated in JML.
Transactions are modeled within KRAKATOA by generating on-the-fly specifications of the API methods for transactions.
Considers security problems that can be caused by a card tear.
Proposes new JML constructs to express properties that must hold when a method is interrupted by a card tear, also taking non-atomic methods into account.
Presents a modeling of these constructs in KRAKATOA and shows it is practicable for detecting security holes or proving absence of risk.
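The all-or-none behaviour and the card-tear failure mode above are easier to see on a small executable model. The following is an added example, not code from the paper or from KRAKATOA: persistent memory is a dict, a transaction buffers writes until an indivisible commit, a tear is simulated by aborting after a chosen number of physical writes, and a checker enumerates every tear point and reports those at which the method leaves persistent memory violating a stated property (the stand-in here for the paper's JML-style card-tear properties). The field names, amounts and the purse/audit-log scenario are constructed.

```python
"""Constructed toy model of a Java Card-style transaction interrupted by a card
tear. Added example, not code from the paper or from KRAKATOA: persistent
memory is a dict, a transaction buffers writes until an atomic commit, and a
tear is simulated by aborting after a chosen number of physical writes. The
checker enumerates every tear point and reports those at which the method
leaves persistent memory violating a stated property."""


class CardTear(Exception):
    """Simulated power loss: execution stops, buffered writes are discarded."""


class Card:
    INITIAL = {"balance": 100, "debits": 0}  # constructed persistent state

    def __init__(self, tear_after=None):
        self.persistent = dict(self.INITIAL)  # committed (EEPROM) image
        self.tear_after = tear_after          # physical writes allowed before the tear
        self.writes = 0
        self.in_transaction = False
        self.pending = {}

    def _tear_check(self):
        if self.tear_after is not None and self.writes >= self.tear_after:
            raise CardTear()

    def _physical_write(self, field, value):
        self._tear_check()
        self.persistent[field] = value
        self.writes += 1

    def read(self, field):
        return self.pending.get(field, self.persistent[field])

    def write(self, field, value):
        if self.in_transaction:
            self.pending[field] = value      # buffered, not yet persistent
        else:
            self._physical_write(field, value)

    def begin_transaction(self):
        self.in_transaction = True
        self.pending = {}

    def commit_transaction(self):
        # Assumption of the model: the commit itself is indivisible, so a tear
        # either precedes it (nothing persisted) or follows it (all persisted).
        self._tear_check()
        self.persistent.update(self.pending)
        self.writes += 1
        self.pending = {}
        self.in_transaction = False


def debit_non_atomic(card, amount):
    """Two separate persistent updates: a tear between them loses the audit record."""
    card.write("balance", card.read("balance") - amount)
    card.write("debits", card.read("debits") + 1)


def debit_atomic(card, amount):
    """Same updates inside a transaction: all of them or none survive a tear."""
    card.begin_transaction()
    card.write("balance", card.read("balance") - amount)
    card.write("debits", card.read("debits") + 1)
    card.commit_transaction()


def invariant(state, amount=10):
    """Property that must hold after the method, whether or not it was torn."""
    return state["balance"] == Card.INITIAL["balance"] - amount * state["debits"]


def tear_points_violating(method, amount=10, max_writes=4):
    """Run `method` with a tear after k physical writes for each k (and once
    without a tear); return the tear points at which the invariant fails."""
    bad = []
    for k in list(range(max_writes + 1)) + [None]:
        card = Card(tear_after=k)
        try:
            method(card, amount)
        except CardTear:
            pass
        if not invariant(card.persistent, amount):
            bad.append(k)
    return bad


if __name__ == "__main__":
    print("non-atomic debit, violating tear points:", tear_points_violating(debit_non_atomic))
    print("atomic debit, violating tear points:    ", tear_points_violating(debit_atomic))
```

The non-atomic debit fails at exactly one tear point (after the balance write and before the log write), which is the kind of inconsistent intermediate state a card-tear property is meant to rule out; the transactional version has none, because the only persistent step is the indivisible commit.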
A Theory of Singly-Linked Lists and its Extensible Decision Procedure
Key to approaches for reasoning about pointer-based data structures is the availability of a decision procedure for proofs in a theory of data, pointers, and pointer reachability.
Only approximate solutions have been proposed, which abstract away the data or the reachability component.
Such approximations cause a lack of precision in the verification techniques where the decision procedures are exploited.
This paper considers the pointer-based data structure of singly-linked lists and defines a Theory of Linked Lists (TLL).
The theory is expressive: it can precisely express both data and reachability constraints while ensuring decidability; the decision problem is NP-complete.
The paper also designs a practical decision procedure for TLL which can be combined with available decision procedures for theories in first-order logic.
Formal Modelling and Verification of an Asynchronous DLX Pipeline
A five-stage pipeline of an asynchronous DLX processor is modelled and its control flow is verified.
The model uses an asynchronous pipeline of latches separated by processing logic.
Processing units are modelled as processes in the PROMELA language of the Spin tool.
The model is verified in Spin by assertions, LTL properties and progress labels.
Invited Talk 2
Towards a Mathematical Theory of Object-Oriented Computation
Bertrand Meyer

B. Meyer
The market wants software that is “good enough”.
IT became a service business, rather than engineering.
A program, or in object-oriented programming a feature, is characterized not only by an implementation but by a contract specifying its intent and a proof obligation to ascertain that the implementation meets the contract.
From these ideas it is possible to derive a general framework for discussing programs and program development.

B. Meyer (cont.)
Push-button component testing: thanks to contracts, it is possible to test library components completely automatically, without ever having to prepare test data.
The AutoTest tool applies this idea to existing libraries (those actually used by programmers, not academic examples) and regularly finds significant bugs. Available for download.

B. Meyer (cont.)
MML, the Mathematical Model Library, is a library of side-effect-free mathematical models that can be used for contracting classes with the Design by Contract approach.
Eiffel uses standard boolean expressions of the language to describe the behavior of classes. These boolean expressions cannot express complex properties of objects.
MML provides an implementation of typed set theory on the basis of an object-oriented library. By using the classes from the library, it is possible to translate first-order predicates into standard Eiffel contracts.
Session 2: Java Aspects
Jose: Aspects for Design by Contract, Yishai A. Feldman, Ohad Barzilay, Shmuel Tyszberowicz
Formalizing AspectJ Weaving for Static Pointcut, Nadia Belblidia, Mourad Debbabi
Formalizing AspectJ Weaving for Static Pointcut
This paper describes a formal semantics of advice weaving in AspectJ.
Advice weaving is performed on the bytecode, in regions of the code that correspond to join points declared by pointcuts.
The paper focuses only on static pointcuts.
Static pointcuts quantify over static properties of join points, and thus correspond directly to locations in the bytecode.
Session 3: Object Orientations and Aspects
VPA-based Aspects: Better Support for AOP over Protocols, Dong Ha Nguyen, Mario Südholt
A Model for Temporal Relations Between Object Roles, Naresh Gutha, Banshi Dhar Chaudhary
Performance Prediction of Component-based System hosted by Container style Middleware, Yong Zhang, Ningjiang Chen, Jun Wei and Tao Huang
VPA-based Aspects: Better Support for AOP over Protocols
The declarativeness of aspect definitions and the support for verification of AO programs depend on the expressiveness of the aspect languages used.
There is a large spectrum of pointcut languages: regular expression languages, context-free or Turing-complete languages, the latter almost without any support for analysis or verification.
The paper investigates the use of Visibly Pushdown Automata (VPA) as a basis for an aspect language, to enable more declarative aspect definitions (compared to regular approaches) for protocol-like relationships and static verification of properties, in particular analysis of interactions among aspects.
VPA [Alur & Madhusudan]: disjoint input alphabets for call (push), return (pop) and local (no change) symbols.

VPA-based Aspects: Better Support for AOP over Protocols (cont.)
Paper contains:
– examples to motivate the use of VPA-based aspect definitions in the context of P2P systems,
– a formal definition of a core aspect language for protocols with a VPA-based pointcut language,
– a demonstration that this supports analysis of interaction properties among aspects,
– a brief presentation of a freely available library implementing basic VPA operations, which the authors used to analyze some interaction examples.
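The call/return/local partition that defines a VPA is what lets a pointcut follow protocol nesting that a regular expression cannot. The block below is an added example, not the paper's aspect language or its VPA library: a generic VPA runner with the three transition tables, and a constructed protocol in which "open" is a call symbol, "close" a return symbol and "write" a local symbol. The automaton accepts only traces in which every write happens inside a properly nested session, and the pointcut function reports the write events at which an aspect would be woven. State names, symbols and the sample traces are all constructed.

```python
"""Constructed toy Visibly Pushdown Automaton (VPA) used as a protocol pointcut.
Added example, not the paper's library or language. The input alphabet is
partitioned into call symbols (push), return symbols (pop) and local symbols
(stack unchanged). The automaton below recognises the protocol "every write
happens inside a properly nested open/close session"; tracking unbounded
nesting depth is exactly what a regular-expression pointcut cannot do."""

BOTTOM = "<bottom>"  # stack-top marker used when the stack is empty


class VPA:
    def __init__(self, calls, returns, locals_, call_t, ret_t, local_t, initial, accepting):
        self.calls, self.returns, self.locals = set(calls), set(returns), set(locals_)
        self.call_t = call_t      # (state, call symbol) -> (next state, symbol to push)
        self.ret_t = ret_t        # (state, return symbol, stack top) -> next state
        self.local_t = local_t    # (state, local symbol) -> next state
        self.initial, self.accepting = initial, set(accepting)

    def run(self, word):
        """Return (accepted, states): states[i] is the state after word[i], or None
        from the first symbol for which no transition exists (the run is stuck)."""
        state, stack, states = self.initial, [], []
        for sym in word:
            if sym in self.calls:
                nxt = self.call_t.get((state, sym))
                if nxt is not None:
                    state, push = nxt
                    stack.append(push)
            elif sym in self.returns:
                top = stack[-1] if stack else BOTTOM
                nxt = self.ret_t.get((state, sym, top))
                if nxt is not None:
                    if stack:
                        stack.pop()   # the return consumes the matching call's symbol
                    state = nxt
            elif sym in self.locals:
                nxt = self.local_t.get((state, sym))
                if nxt is not None:
                    state = nxt
            else:
                raise ValueError(f"{sym!r} is in none of the three alphabets")
            if nxt is None:
                states.extend([None] * (len(word) - len(states)))
                return False, states
            states.append(state)
        return state in self.accepting, states


# Constructed protocol: "open" is a call, "close" a return, "write" a local event.
OUTSIDE, INSIDE = "outside", "inside"
session_vpa = VPA(
    calls={"open"}, returns={"close"}, locals_={"write"},
    # The outermost open pushes a distinct symbol, so the matching close
    # knows whether it returns the automaton to depth zero.
    call_t={(OUTSIDE, "open"): (INSIDE, "outermost"),
            (INSIDE, "open"): (INSIDE, "nested")},
    ret_t={(INSIDE, "close", "outermost"): OUTSIDE,
           (INSIDE, "close", "nested"): INSIDE},
    local_t={(INSIDE, "write"): INSIDE},    # no "write" transition from OUTSIDE
    initial=OUTSIDE, accepting={OUTSIDE},    # accept only when every session is closed
)


def write_join_points(trace):
    """Pointcut: positions of 'write' events that occur inside a session, i.e.
    the join points at which an aspect (say, an audit advice) would be woven."""
    _, states = session_vpa.run(trace)
    return [i for i, (sym, st) in enumerate(zip(trace, states))
            if sym == "write" and st == INSIDE]


if __name__ == "__main__":
    ok = ["open", "write", "open", "write", "close", "write", "close"]
    print(session_vpa.run(ok)[0], write_join_points(ok))   # True [1, 3, 5]
    print(session_vpa.run(["write"])[0])                    # False: write outside a session
    print(session_vpa.run(["open", "close", "close"])[0])   # False: unmatched close
```

Because return transitions read the stack top, the automaton distinguishes a close that ends the outermost session from one that ends a nested session at any depth; an analysis of two such pointcuts (for instance, whether their join points can overlap) reduces to operations on VPAs, which is the kind of interaction analysis the paper describes.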
A Model for Temporal Relations Between Object Roles
The concept of roles has been advocated to model application domain objects which evolve dynamically during their lifespan.
These objects may acquire new roles and drop old ones.
Several research efforts have focused on formalizing roles as a conceptual unit and their mappings to classes and objects of class-based languages.
This paper presents a formal notation for modelling temporal relationships between roles using the notion of semi-intervals rather than intervals.
A semi-interval is a partially ordered set of time instances for which the endpoints are either not known or not relevant.

A Model for Temporal Relations Between Object Roles (cont.)
Each role and its instances are associated with a lifespan, which is a set of semi-intervals.
The temporal relations are defined in terms of relationships between the lifespans of roles.
An algorithm for computing the transitive closure of temporal relations is presented for inferring implicit relations.
Both explicit and implicit relations define constraints which must be honored when acquiring and dropping roles.
A simple framework has been implemented in Java to demonstrate the usability of these concepts.
Invited Talk 3
Harnessing Disruptive Innovation in Formal Verification
John Rushby
Rushby.pdf
Session 1: Refinement, Testing and Program Analysis
On Bisimilarities Induced by Relations on Actions, S. Arun-Kumar
Filtering Retrenchments into Refinements, John Derrick, Richard Banach
Computing Complete Test Graphs for Hierarchical Systems, Deepak D'Souza, Madhu Gopinathan
Composing Context Sensitive Analysis, Prahladavaradan Sampath, Shrawan Kumar
Session 2: Web and Service Oriented Computation
Specifying Data-Flow Requirements for the Automated Composition of Web Services, Annapaola Marconi, Marco Pistore, Paolo Traverso
ASEHA: A Framework for Modelling and Verification of Web Services Protocols, Pemadeep Ramsokul, Arcot Sowmya
A Semi-Automatic Methodology for Repairing Faulty Web Sites, Maria Alpuente, Demis Ballis, Moreno Falaschi, Daniel Romero
A Bag-of-Tasks Approach for State Space Exploration Using Computational Grids, Cássio L. Rodrigues, Paulo E. S. Barbosa, Jairson M. Cabral, Jorge C. A. de Figueiredo, Dalton D. S. Guerrero
Invited Talk 4
Automatic Property Checking for Software: Past, Present and Future
Sriram Rajamani
Microsoft Research India, leads the Rigorous Software Engineering (RSE) Research Group.
Former manager of the Software Productivity Tools (SPT) group at MSR Redmond.
Sriram Rajamani
Software validation is a very hard problem.
Traditionally, most validation in our industry has been done by testing.
There are various granularities at which testing is performed, ranging from unit tests that test small units of the system to system-wide tests.
Over the past decade, automatic property checking tools that use static analysis have started providing a complementary approach to software validation.

Sriram Rajamani (cont.)
These tools are intended to augment, rather than replace, testing.
These tools do not typically ensure that the software implements the intended functionality correctly.
Instead, they look for specific kinds of errors more thoroughly inside the program by analyzing how control and data flow through the program.
The talk surveys the state of the art in property checking tools and presents the author’s personal perspective on future research in this area.

Sriram Rajamani (cont.)
Deep specs are hard to prove.
Testing is not enough, but is still the practice.
Time to market is crucial.
Two things happened:
– Software is all around us.
– Internet and hackers: “corner cases” became important. (A virus in my car!!)

Sriram Rajamani (cont.)
Microsoft stopped in 2002 to do code review for 2 months!
Enter static verification, which combines:
– Compiler-style static analysis
– Model checking
– Theorem proving
Industry and academia.
Focus on automation.

Sriram Rajamani (cont.)
Elusive triangle: can deal with two, but not all three of:
– Large programs
– Deep properties
– Automation
This talk: shallow properties.

Sriram Rajamani (cont.)
1st generation: heuristics. MSR PREfix, PREfast. Found 1/6 of the bugs in Win 03. Metal.
2nd generation: sound tools. SLAM. Under-approximate for testing, over-approximate for verification. BLAST, Magic, …
3rd generation: verification + testing. Active research.

Sriram Rajamani (cont.)
DART: random testing will not find the bug. Collect information as the test runs, then negate the last branch.
Combine SLAM + DART: testing and proving together. How far can a test go? Extend it (DART) or show that it cannot be extended (SLAM).
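The DART idea in the slide ("collect info as the test runs, then negate the last branch") is concrete enough to run. The following is an added example written for this report, not the DART tool or its constraint solver: a program under test is instrumented so that every branch logs the predicate it evaluated on the input, a directed loop negates the deepest branch not yet flipped, solves the resulting path constraint and reruns, and plain random testing on the same program is shown for contrast. The solver is a deliberately minimal interval solver for a single integer input (an assumption of this toy; real tools hand the path constraint to a full decision procedure), and the program, its magic constant and the bug are constructed.

```python
"""Constructed toy of DART-style directed testing (concolic execution) on a
single integer input. Added example, not the DART tool or its solver. The
program under test is instrumented so that every branch records the predicate
it evaluated on the input x; after each run the deepest not-yet-flipped branch
is negated, the resulting path constraint is solved, and the program is rerun
on the solution. Random testing on the same program is shown for contrast."""
import random


class Bug(Exception):
    pass


class Tracer:
    """Concrete input plus the symbolic path condition collected while running."""

    def __init__(self, x):
        self.x = x
        self.path = []  # (op, constant, outcome) for each branch in execution order

    def branch(self, op, const):
        """Evaluate `x <op> const` concretely and log the predicate and its outcome."""
        taken = {"==": self.x == const, "!=": self.x != const,
                 "<": self.x < const, "<=": self.x <= const,
                 ">": self.x > const, ">=": self.x >= const}[op]
        self.path.append((op, const, taken))
        return taken


def program_under_test(t):
    """Instrumented program: the bug triggers on one value out of 2^32."""
    if t.branch(">", 10):
        if t.branch("==", 1234567):
            raise Bug("buggy statement reached")


NEGATE = {"==": "!=", "!=": "==", "<": ">=", ">=": "<", ">": "<=", "<=": ">"}


def solve(constraints, lo=-2**31, hi=2**31 - 1):
    """Decide a conjunction of `x op c` constraints over one 32-bit integer
    (assumption: a single input variable, so interval reasoning suffices).
    Returns the smallest satisfying x, or None if unsatisfiable."""
    excluded = set()
    for op, c, taken in constraints:
        if not taken:
            op = NEGATE[op]
        if op == "==":
            lo, hi = max(lo, c), min(hi, c)
        elif op == "!=":
            excluded.add(c)
        elif op == "<":
            hi = min(hi, c - 1)
        elif op == "<=":
            hi = min(hi, c)
        elif op == ">":
            lo = max(lo, c + 1)
        elif op == ">=":
            lo = max(lo, c)
    x = lo
    while x <= hi:
        if x not in excluded:
            return x
        x += 1
    return None


def dart(program, start=0, max_runs=50):
    """Directed search. Returns (bug_found, input, runs_used)."""
    x, tried = start, set()
    for runs in range(1, max_runs + 1):
        t = Tracer(x)
        try:
            program(t)
        except Bug:
            return True, x, runs
        new_x = None
        # Negate the deepest branch whose flipped path prefix has not been tried.
        for k in range(len(t.path) - 1, -1, -1):
            op, c, taken = t.path[k]
            prefix = tuple(t.path[:k]) + ((op, c, not taken),)
            if prefix in tried:
                continue
            tried.add(prefix)
            new_x = solve(list(prefix))
            if new_x is not None:
                break
        if new_x is None:
            return False, None, runs  # every feasible path explored, no bug
        x = new_x
    return False, None, max_runs


def random_testing(program, trials=10000, seed=1):
    """Baseline: blind random inputs; returns (bug_found, input, trials_used)."""
    rng = random.Random(seed)
    for i in range(1, trials + 1):
        t = Tracer(rng.randrange(-2**31, 2**31))
        try:
            program(t)
        except Bug:
            return True, t.x, i
    return False, None, trials


if __name__ == "__main__":
    print("random:", random_testing(program_under_test))
    print("DART:  ", dart(program_under_test))   # (True, 1234567, 3)
```

Three runs suffice: the first run takes the false side of `x > 10`, negating it yields `x = 11`, and negating the last branch of that run yields the constraint `x > 10 and x == 1234567`, whose solution reaches the bug. The `tried` set is what keeps the search from flipping the same branch twice, and a `None` from `solve` is the signal that a path is infeasible, which is the case SLAM's "show that it cannot be extended" side addresses.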
Sriram Rajamani (cont.)
Future: property tools used more. (PREfast part of Visual Studio, SDV part of Windows Vista.) Integrated in the IDE.
Software is more than code: metadata (access control, config info).
Code comes too late. Big mistakes. Early tools.
Session 1: Verification - II
A PVS based Framework for Validating Compiler Optimizations, Aditya Kanade, Amitabha Sanyal, Uday Khedker
Product Automata and Process Algebra, Kamal Lodaya
A Formal Model of Context-Awareness and Context-Dependency, Mats Neovius, Kaisa Sere, Lu Yan
Describing and Executing Random Reactive Systems, Pascal Raymond, Erwan Jahier and Yvan Roux

Session 2: Requirements
DISCERN: Towards the Automatic Discovery of Software Contracts, Yishai A. Feldman, Leon Gendler
A Rigorous Approach to Requirements Validation, Srihari Sukumaran, Ashok Sreenivas and R. Venkatesh
Requirements Modeling - Experience from an Insurance Project, G. Murali Krishna