SEFM 06: A partial report
Amiram Yehudai

SEFM 2006, 4th IEEE International Conference on Software Engineering and Formal Methods
Pune, India, September 11-15, 2006

Program
- Tutorials (Monday, Tuesday).
- Invited talks + paper sessions (Wednesday, Thursday, Friday).

Tutorial 1: Automated Formal Methods with PVS, SAL and Yices
Leonardo de Moura, Bruno Dutertre, Sam Owre, John Rushby, N. Shankar, Ashish Tiwari (SRI International, USA)

Tutorial 2: Integrating Object-oriented Design and Deductive Verification of Software
Bernhard Beckert (University of Koblenz, Germany), Reiner Hähnle (Chalmers University, Sweden), Peter H. Schmitt (University of Karlsruhe, Germany)
Formal specification and deductive verification of OO programs within a software development platform that supports contemporary design and implementation methodologies. The KeY System implements this approach and integrates formal methods into Borland Together Control Center 6.2 and Eclipse.

Tutorial 3: Static Analysis of Programs: A Heap-centric View
Uday Khedker (I.I.T. Bombay, India)
The dataflow analysis technique. Applications: compiler optimization, software engineering, software verification. Traditional literature: simple applications of dataflow, narrow view of the possibilities. This tutorial: the frontiers of dataflow analysis, advances in the analysis of heap-allocated data.

Tutorial 4: Retrenchment
Richard Banach (University of Manchester, UK)

Opening (Mathai Joseph)
Advances of IT in India, projected growth, ...

Invited Talk 1: Modelling Heterogeneous Realtime Components in BIP, Joseph Sifakis
BIP: a methodology for modeling heterogeneous real-time components. Components are the superposition of three layers:
- Behavior, specified as a set of transitions;
- Interactions between transitions of the behavior;
- Priorities, used to choose amongst possible interactions.
A parameterized binary composition operator composes components layer by layer.

BIP, Joseph Sifakis (cont.)
The BIP language and associated tools execute and analyze components on a dedicated platform. The language provides a powerful mechanism for structuring interactions involving rendezvous and broadcast. Synchronous and timed systems are particular classes of components. Examples; comparison of BIP with existing frameworks for heterogeneous component-based modeling.

The verified software repository (informal presentation/discussion)
Grand Challenge proposed by C. A. R. Hoare, like the landing on the moon. Various activities to discuss it. Attempt to get major funding. http://www.fmnet.info/vsr-net/

Session 1: Verification - I
- Verification of JavaCard Applets Behavior with respect to Transactions and Card Tears, Claude Marche, Nicolas Rousset
- A Theory of Singly-Linked Lists and its Extensible Decision Procedure, Silvio Ranise, Calogero Zarba
- Formal Modelling and Verification of an Asynchronous DLX Pipeline, Hemangee K. Kapoor

Verification of JavaCard Applets Behavior with respect to Transactions and Card Tears
The Java Card transaction mechanism protects sensitive operations on smart cards against, e.g., card tears or power losses: a block of statements is viewed as a single atomic operation, performed entirely or not at all. KRAKATOA performs static verification of Java annotated in JML. Transactions are modeled within KRAKATOA by generating on-the-fly specifications of the API methods for transactions. The paper considers the security problems that can be caused by a card tear, and proposes new JML constructs to express properties that must hold when a method is interrupted by a card tear, also taking non-atomic methods into account. It presents a modeling of these constructs in KRAKATOA and shows that it is practicable for detecting security holes, or for proving absence of risk.
A Theory of Singly-Linked Lists and its Extensible Decision Procedure
Key to approaches for reasoning about pointer-based data structures is the availability of a decision procedure for proofs in a theory of data, pointers, and pointer reachability. Only approximate solutions have been proposed, which abstract away either the data or the reachability component; such approximations cause a lack of precision in the verification techniques where the decision procedures are exploited. This paper considers the pointer-based data structure of singly-linked lists and defines a Theory of Linked Lists (TLL). The theory is expressive: it can precisely express both data and reachability constraints while ensuring decidability; the decision problem is NP-complete. A practical decision procedure for TLL is also designed, which can be combined with available decision procedures for theories in first-order logic.

Formal Modelling and Verification of an Asynchronous DLX Pipeline
A five-stage pipeline of an asynchronous DLX processor is modelled and its control flow is verified. The model uses an asynchronous pipeline of latches separated by processing logic. Processing units are modelled as processes in the PROMELA language of the Spin tool. The model is verified in Spin by assertions, LTL properties and progress labels.

Invited Talk 2: Towards a Mathematical Theory of Object-Oriented Computation, Bertrand Meyer

B. Meyer
The market wants software that is "good enough". IT became a service business rather than engineering. A program, or in object-oriented programming a feature, is characterized not only by an implementation but by a contract specifying its intent and a proof obligation to ascertain that the implementation meets the contract. From these ideas it is possible to derive a general framework for discussing programs and program development.

B. Meyer (cont.): Push-button component testing
Thanks to contracts, it is possible to test library components completely automatically, without ever having to prepare test data. The AutoTest tool applies this idea to existing libraries (those actually used by programmers, not academic examples) and regularly finds significant bugs. Available for download.

B. Meyer (cont.): MML - The Mathematical Model Library
MML is a library of side-effect-free mathematical models that can be used for contracting classes with the Design by Contract approach. Eiffel uses the standard boolean expressions of the language to describe the behavior of classes; these boolean expressions cannot express complex properties of objects. MML provides an implementation of typed set theory on the basis of an object-oriented library. By using the classes from the library, it is possible to translate first-order predicates into standard Eiffel contracts.

Session 2: Java Aspects
- Jose: Aspects for Design by Contract, Yishai A. Feldman, Ohad Barzilay, Shmuel Tyszberowicz
- Formalizing AspectJ Weaving for Static Pointcut, Nadia Belblidia, Mourad Debbabi

Formalizing AspectJ Weaving for Static Pointcut
This paper describes a formal semantics of advice weaving in AspectJ. Advice weaving is performed on the bytecode in regions of the code that correspond to join points declared by pointcuts. The paper focuses only on static pointcuts: static pointcuts quantify over static properties of join points, and thus correspond directly to locations in the bytecode.

Session 3: Object Orientation and Aspects
- VPA-based Aspects: Better Support for AOP over Protocols, Dong Ha Nguyen, Mario Südholt
- A Model for Temporal Relations Between Object Roles, Naresh Gutha, Banshi Dhar Chaudhary
- Performance Prediction of Component-based System hosted by Container style Middleware, Yong Zhang, Ningjiang Chen, Jun Wei and Tao Huang

VPA-based Aspects: Better Support for AOP over Protocols
The declarativeness of aspect definitions and the support for verification of AO programs depend on the expressiveness of the aspect languages used.
There is a large spectrum of pointcut languages: regular expression languages, context-free or Turing-complete languages, the latter almost without any support for analysis or verification. The paper investigates the use of Visibly Pushdown Automata (VPA) as a basis for an aspect language, to enable more declarative aspect definitions (compared to regular approaches) for protocol-like relationships and static verification of properties, in particular analysis of interactions among aspects. VPA [Alur & Madhusudan]: disjoint input alphabets for call (push), return (pop) and local (no change).

VPA-based Aspects: Better Support for AOP over Protocols (cont.)
The paper contains: examples to motivate the use of VPA-based aspect definitions in the context of P2P systems; a formal definition of a core aspect language for protocols with a VPA-based pointcut language; a demonstration that this supports analysis of interaction properties among aspects; and a brief presentation of a freely available library implementing basic VPA operations, which the authors have used to analyze some interaction examples.

A Model for Temporal Relations Between Object Roles
The concept of roles has been advocated to model application domain objects which evolve dynamically during their lifespan: these objects may acquire new roles and drop old ones. Several research efforts have focused on formalizing roles as a conceptual unit and on their mappings to classes and objects of class-based languages. This paper presents a formal notation for modelling temporal relationships between roles using the notion of semi-intervals rather than intervals. A semi-interval is a partially ordered set of time instances for which the endpoints are either not known or not relevant.

A Model for Temporal Relations Between Object Roles (cont.)
Each role and its instances are associated with a lifespan, which is a set of semi-intervals. The temporal relations are defined in terms of relationships between the lifespans of roles. An algorithm for computing the transitive closure of temporal relations is presented for inferring implicit relations. Both explicit and implicit relations define constraints which must be honored when acquiring and dropping roles. A simple framework has been implemented in Java to demonstrate the usability of these concepts.

Invited Talk 3: Harnessing Disruptive Innovation in Formal Verification, John Rushby
Slides: Rushby.pdf

Session 1: Refinement, Testing and Program Analysis
- On Bisimilarities Induced by Relations on Actions, S. Arun-Kumar
- Filtering Retrenchments into Refinements, John Derrick, Richard Banach
- Computing Complete Test Graphs for Hierarchical Systems, Deepak D'Souza, Madhu Gopinathan
- Composing Context Sensitive Analysis, Prahladavaradan Sampath, Shrawan Kumar

Session 2: Web and Service Oriented Computation
- Specifying Data-Flow Requirements for the Automated Composition of Web Services, Annapaola Marconi, Marco Pistore, Paolo Traverso
- ASEHA: A Framework for Modelling and Verification of Web Services Protocols, Pemadeep Ramsokul, Arcot Sowmya
- A Semi-Automatic Methodology for Repairing Faulty Web Sites, Maria Alpuente, Demis Ballis, Moreno Falaschi, Daniel Romero
- A Bag-of-Tasks Approach for State Space Exploration Using Computational Grids, Cássio L. Rodrigues, Paulo E. S. Barbosa, Jairson M. Cabral, Jorge C. A. de Figueiredo, Dalton D. S. Guerrero

Invited Talk 4: Automatic Property Checking for Software: Past, Present and Future, Sriram Rajamani
Microsoft Research India; leads the Rigorous Software Engineering (RSE) research group. Former manager of the Software Productivity Tools (SPT) group at MSR Redmond.

Sriram Rajamani
Software validation is a very hard problem. Traditionally, most validation in our industry has been done by testing. Testing is performed at various granularities, ranging from unit tests that exercise small units of the system to system-wide tests.
Over the past decade, automatic property checking tools that use static analysis have started providing a complementary approach to software validation.

Sriram Rajamani (cont.)
These tools are intended to augment, rather than replace, testing. They do not typically ensure that the software implements the intended functionality correctly; instead, they look for specific kinds of errors more thoroughly inside the program by analyzing how control and data flow through it. The talk surveys the state of the art in property checking tools and presents the author's personal perspective on future research in this area.

Sriram Rajamani (cont.)
- Deep specifications are hard to prove.
- Testing is not enough, but is still the practice.
- Time to market is crucial.
- Two things happened: software is all around us; the Internet and hackers make "corner cases" important (a virus in my car!!).

Sriram Rajamani (cont.)
- Microsoft stopped in 2002 to do code review for 2 months!
- Enter static verification, which combines compiler-style static analysis, model checking and theorem proving.
- Industry and academia: focus on automation.

Sriram Rajamani (cont.)
Elusive triangle: one can deal with two, but not all three, of large programs, deep properties and automation. This talk: shallow properties.

Sriram Rajamani (cont.)
- 1st generation: heuristics. MSR PREfix, PREfast (found 1/6 of the bugs in Win 03). Metal.
- 2nd generation: sound tools. SLAM: under-approximate for testing, over-approximate for verification. BLAST, Magic, ...
- 3rd generation: verification + testing. Active research.

Sriram Rajamani (cont.)
DART: random testing will not find the bug. Collect information as the test runs, then negate the last branch. Combine SLAM + DART, testing and proving together: how far can a test go? Extend it (DART) or show that it cannot be extended (SLAM).

Sriram Rajamani (cont.)
Future: property tools used more (PREfast part of Visual Studio, SDV part of Windows Vista). Integrated in the IDE. Software is more than code: metadata (access control, configuration info). Code comes too late; big mistakes; early tools.

Session 1: Verification - II
- A PVS based Framework for Validating Compiler Optimizations, Aditya Kanade, Amitabha Sanyal, Uday Khedker
- Product Automata and Process Algebra, Kamal Lodaya
- A Formal Model of Context-Awareness and Context-Dependency, Mats Neovius, Kaisa Sere, Lu Yan
- Describing and Executing Random Reactive Systems, Pascal Raymond, Erwan Jahier and Yvan Roux

Session 2: Requirements
- DISCERN: Towards the Automatic Discovery of Software Contracts, Yishai A. Feldman, Leon Gendler
- A Rigorous Approach to Requirements Validation, Srihari Sukumaran, Ashok Sreenivas and R. Venkatesh
- Requirements Modeling - Experience from an Insurance Project, G. Murali Krishna
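The DART loop sketched in Rajamani's talk (run a test, record the branch outcomes along the path, negate the last one, solve for a fresh input, rerun) as an added Python illustration; this is constructed for this report, not code from the DART tool or the talk. The names Sym, solve, concolic_search and target are assumptions, and DART's real constraint solver is replaced by a bounded search that only handles comparisons of one input variable against a constant.

```python
import random
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b,
       ">": lambda a, b: a > b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}
class Sym:
    # Concrete value tagged with a symbolic name; every comparison against a
    # constant runs concretely and is logged as (name, op, const, outcome).
    def __init__(self, name, value, trace):
        self.name, self.value, self.trace = name, value, trace
    def _rec(self, op, c):
        res = OPS[op](self.value, c)
        self.trace.append((self.name, op, c, res))
        return res
    def __eq__(self, c): return self._rec("==", c)
    def __lt__(self, c): return self._rec("<", c)
    def __gt__(self, c): return self._rec(">", c)
def solve(constraints, names):
    # Bounded stand-in for DART's solver: constraints are 'var op const', so a
    # feasible path has a model among the constants, their neighbours, or 0.
    model = {}
    for n in names:
        own = [(op, c, want) for (v, op, c, want) in constraints if v == n]
        cands = {0} | {c + d for (_, c, _) in own for d in (-1, 0, 1)}
        ok = [x for x in sorted(cands) if all(OPS[op](x, c) == want for op, c, want in own)]
        if not ok:
            return None  # this negated path condition is infeasible
        model[n] = ok[0]
    return model
def concolic_search(target, names, max_runs=50, seed=0):
    # Random first input; after each run, negate recorded branches one at a time
    # (last first), solve the prefix path condition, and queue the new input.
    rng = random.Random(seed)
    worklist, seen, runs = [{n: rng.randint(-2**31, 2**31 - 1) for n in names}], set(), 0
    while worklist and runs < max_runs:
        inputs, trace, runs = worklist.pop(), [], runs + 1
        try:
            target(**{n: Sym(n, v, trace) for n, v in inputs.items()})
        except AssertionError:
            return {"bug_input": inputs, "runs": runs}
        for k in range(len(trace) - 1, -1, -1):
            v, op, c, res = trace[k]
            path = tuple(trace[:k] + [(v, op, c, not res)])
            if path not in seen:
                seen.add(path)
                if (model := solve(path, names)) is not None:
                    worklist.append(model)
    return {"bug_input": None, "runs": runs}
def target(x, y):
    # Constructed program under test: the failure hides behind an equality check
    # that random 32-bit inputs essentially never satisfy.
    if x == 1234 and y > 100 and y < 110:
        raise AssertionError("bug reached")
    return "ok"
```

Random testing of target would need on the order of 2^32 tries to pass the equality; the path-negation loop reaches the failing assertion in a handful of runs, which is the contrast the talk draws between DART and plain random testing.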