SEFM 06: A partial report
Amiram Yehudai

Jan 13, 2016
Transcript
Page 1: SEFM 06

SEFM 06

Amiram Yehudai

A partial report

Page 2: SEFM 06

SEFM 2006

4th IEEE International Conference on Software Engineering and Formal Methods
Pune, India
September 11-15, 2006

Page 3: SEFM 06

Program

Tutorials (Monday, Tuesday).
Invited talks + paper sessions (Wednesday, Thursday, Friday).

Page 4: SEFM 06

Tutorial 1

Automated Formal Methods with PVS, SAL and Yices

Leonardo de Moura, Bruno Dutertre, Sam Owre, John Rushby, N. Shankar, Ashish Tiwari (SRI International, USA)

Page 5: SEFM 06

Tutorial 2

Integrating Object-oriented Design and Deductive Verification of Software

Bernhard Beckert (University of Koblenz, Germany), Reiner Hähnle (Chalmers University, Sweden), Peter H. Schmitt (University of Karlsruhe, Germany)

Page 6: SEFM 06

Tutorial 2

Formal specification and deductive verification of OO programs within a software development platform that supports contemporary design and implementation methodologies.

The KeY System implements this approach and integrates formal methods into Borland Together Control Center 6.2 and Eclipse.

Page 7: SEFM 06

Tutorial 3

Static Analysis of Programs: A Heap-centric View

Uday Khedker (I.I.T. Bombay, India)

Page 8: SEFM 06

Tutorial 3

The dataflow analysis technique. Applications: compiler optimization, software engineering, software verification.

Traditional literature - simple applications of dataflow, narrow view of the possibilities.

This tutorial - the frontiers of dataflow analysis.

Advances in analysis of heap allocated data.

Page 9: SEFM 06

Tutorial 4

Retrenchment
Richard Banach (University of Manchester, UK)

Page 10: SEFM 06

Opening

Opening (Mathai Joseph)
Advances of IT in India, projected growth, …

Page 11: SEFM 06

Invited Talk 1

Modelling Heterogeneous Real-time Components in BIP,
Joseph Sifakis

Page 12: SEFM 06

BIP, Joseph Sifakis

A methodology for modeling heterogeneous real-time components.

Components are a superposition of three layers:
– Behavior, specified as a set of transitions;
– Interactions between transitions of the behavior;
– Priorities, used to choose amongst possible interactions.

A parameterized binary composition operator to compose components layer by layer.

Page 13: SEFM 06

BIP, Joseph Sifakis (cont.)

BIP language and associated tools for executing and analyzing components on a dedicated platform.

The language provides a powerful mechanism for structuring interactions involving rendezvous and broadcast.

Synchronous and timed systems are particular classes of components.

Examples compare BIP to existing approaches for heterogeneous component-based modeling.

Page 14: SEFM 06

BIP, Joseph Sifakis (cont.)

Page 15: SEFM 06

BIP, Joseph Sifakis (cont.)

Page 16: SEFM 06

BIP, Joseph Sifakis (cont.)

Page 17: SEFM 06

The verified software repository (informal presentation/discussion)

Grand Challenge proposed by C. A. R. Hoare.
Like the landing on the moon.
Various activities to discuss it.
Attempt to get major funding.
http://www.fmnet.info/vsr-net/

Page 18: SEFM 06

Session 1: Verification - I

Verification of JavaCard Applets Behavior with respect to Transactions and Card Tears, Claude MARCHE, Nicolas ROUSSET

A Theory of Singly-Linked Lists and its Extensible Decision Procedure, Silvio Ranise, Calogero Zarba

Formal Modelling and Verification of an Asynchronous DLX Pipeline, Hemangee K. Kapoor

Page 19: SEFM 06

Verification of JavaCard Applets Behavior with respect to Transactions and Card Tears

JAVA CARD transaction mechanism to protect sensitive operations on smart cards against e.g. card tears or power losses.

Statements viewed as a single atomic operation, all or none performed.

KRAKATOA - static verification of Java annotated in JML.
Modeled transactions within KRAKATOA, by generating on-the-fly spec. of API methods for transactions.

Consider security problems that can be caused by a card tear.

Propose new JML constructs to express properties to satisfy when a method is interrupted by a card tear, also taking non-atomic methods into account.

Present a modeling of these constructs in KRAKATOA, show it is practicable for detection of security holes, or prove absence of risk.
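The all-or-nothing behaviour and the card-tear risk summarised above, as an added toy model that is not code from the paper or from KRAKATOA: a tear is injected before every persistent write in turn and the post-reset state is checked against a debit/log invariant. The Card class, the field names, the invariant and the non-atomic write flag are all constructed for this illustration.

```python
"""Toy model of the Java Card transaction mechanism under card tears.

Added illustration, not code from the paper or from KRAKATOA. Persistent
fields are updated directly, inside a transaction, or through a non-atomic
write that escapes the transaction (as Java Card's arrayCopyNonAtomic does);
a tear is injected before every write in turn and the all-or-nothing property
described on the slide is checked after power-up.
"""


class CardTear(Exception):
    """Card removed or power lost in the middle of a method."""


class Card:
    INITIAL = {"balance": 100, "log_count": 0}  # constructed persistent fields

    def __init__(self, tear_before_write=None):
        self.persistent = dict(self.INITIAL)
        self._tx_backup = None                 # snapshot while a transaction is open
        self._writes_left = tear_before_write  # None: no tear in this run

    def begin_transaction(self):
        self._tx_backup = dict(self.persistent)

    def commit_transaction(self):
        self._tx_backup = None  # modelled as atomic, like the real commit

    def write(self, field, value, atomic=True):
        """Update persistent memory; the injected tear fires before write N."""
        if self._writes_left is not None:
            if self._writes_left == 0:
                raise CardTear()
            self._writes_left -= 1
        self.persistent[field] = value
        if not atomic and self._tx_backup is not None:
            # Non-atomic writes are not undone by a later rollback.
            self._tx_backup[field] = value

    def power_up(self):
        """Reset: an unfinished transaction is rolled back."""
        if self._tx_backup is not None:
            self.persistent = self._tx_backup
            self._tx_backup = None


# Three versions of the same applet method: debit and count the operation.
def debit_unprotected(card, amount):
    card.write("balance", card.persistent["balance"] - amount)
    card.write("log_count", card.persistent["log_count"] + 1)


def debit_transactional(card, amount):
    card.begin_transaction()
    card.write("balance", card.persistent["balance"] - amount)
    card.write("log_count", card.persistent["log_count"] + 1)
    card.commit_transaction()


def debit_with_non_atomic_log(card, amount):
    # Looks protected, but the log update bypasses the transaction.
    card.begin_transaction()
    card.write("log_count", card.persistent["log_count"] + 1, atomic=False)
    card.write("balance", card.persistent["balance"] - amount)
    card.commit_transaction()


def consistent(state, amount):
    """Invariant: every counted debit has actually been subtracted."""
    return state["balance"] == Card.INITIAL["balance"] - amount * state["log_count"]


def tear_everywhere(method, amount=10, max_writes=3):
    """Inject a tear before write 0, 1, ... and return the inconsistent
    post-reset states as (tear position, state) pairs."""
    violations = []
    for k in range(max_writes):
        card = Card(tear_before_write=k)
        try:
            method(card, amount)
        except CardTear:
            pass
        card.power_up()
        if not consistent(card.persistent, amount):
            violations.append((k, dict(card.persistent)))
    return violations


if __name__ == "__main__":
    for m in (debit_unprotected, debit_transactional, debit_with_non_atomic_log):
        print(m.__name__, tear_everywhere(m))
```

The third variant is the case the slide calls "non-atomic methods": the transaction is there, yet a tear between the two writes still leaves a counted debit that was never subtracted.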

Page 20: SEFM 06

A Theory of Singly-Linked Lists and its Extensible Decision Procedure

Key to approaches to reason about pointer based data structures is the availability of a decision procedure for proofs in a theory of data, pointers, and pointer reachability.

Only approximate solutions have been proposed, which abstract the data or the reachability component.

Such approximations cause lack of precision in the verification techniques where decision procedures are exploited.

This paper considers the pointer-based data structure of singly-linked lists and defines a Theory of Linked Lists (TLL).

The theory is expressive: it can precisely express both data and reachability constraints, while ensuring decidability; decidability is NP-complete.

Also designs a practical decision procedure for TLL which can be combined with available decision procedures for theories in first order logic.

Page 21: SEFM 06

Formal Modelling and Verification of an Asynchronous DLX Pipeline

A five stage pipeline of an asynchronous DLX processor is modelled and its control flow is verified.

The model uses an asynchronous pipeline of latches separated by processing logic.

Processing units modelled as processes in the PROMELA language of the Spin tool.

Model verified in Spin by assertions, LTL properties and progress labels.

Page 22: SEFM 06

Invited Talk 2

Towards a Mathematical Theory of Object-Oriented Computation

Bertrand Meyer

Page 23: SEFM 06

B. Meyer

Market wants software that is “good enough”.
IT became a service business, rather than engineering.

A program, or in object-oriented programming a feature, is characterized not only by an implementation but by a contract specifying its intent and a proof obligation to ascertain that the implementation meets the contract.

From these ideas it is possible to derive a general framework for discussing programs and program development.

Page 24: SEFM 06

B. Meyer (cont.)

Push-button component testing
Thanks to contracts, it is possible to test library components completely automatically, without ever having to prepare test data. The Autotest tool applies this idea to existing libraries (those actually used by programmers, not academic examples) and regularly finds significant bugs. Available for download.

Page 25: SEFM 06

B. Meyer (cont.)

MML - The Mathematical Model Library is a library of side-effect-free mathematical models that can be used for contracting classes with the Design by Contract approach.

Eiffel uses standard boolean expressions of the language to describe the behavior of classes. These boolean expressions do not have the possibility to express complex properties of objects.

MML provides an implementation of typed set-theory on the basis of an object-oriented library. By using the classes from the library, it is possible to translate first-order predicates into standard Eiffel contracts.

Page 26: SEFM 06

Session 2: Java Aspects

Jose: Aspects for Design by Contract, Yishai A. Feldman, Ohad Barzilay, Shmuel Tyszberowicz

Formalizing AspectJ Weaving for Static Pointcut, Nadia Belblidia, Mourad Debbabi

Page 27: SEFM 06

Formalizing AspectJ Weaving for Static Pointcut

This paper describes a formal semantics of advice weaving in AspectJ.

Advice weaving is performed on the bytecode in regions of the code that correspond to join points declared by pointcuts.

The paper focuses only on static pointcuts.
Static pointcuts quantify over static properties of join points, and thus correspond directly to locations in the bytecode.

Page 28: SEFM 06

Session 3: Object-Orientations and Aspects

VPA-based Aspects: Better Support for AOP over Protocols, Dong Ha Nguyen, Mario Südholt

A Model for Temporal Relations Between Object Roles, Naresh Gutha, Banshi Dhar Chaudhary

Performance Prediction of Component-based System hosted by Container style Middleware, Yong Zhang, Ningjiang Chen, Jun Wei and Tao Huang

Page 29: SEFM 06

VPA-based Aspects: Better Support for AOP over Protocols

The declarativeness of aspect definitions and support for verification of AO programs depend on the expressiveness of the aspect languages used.

A large spectrum of pointcut languages: regular expression languages, context-free or Turing complete languages, the latter almost without any support for analysis or verification.

The paper investigates the use of Visibly Pushdown Automata (VPA) as a basis for an aspect language, to enable more declarative aspect definitions (compared to regular approaches) for protocol-like relationships and static verification of properties, in particular analysis of interactions among aspects.

VPA [Alur & Madhusudan]: disjoint input alphabets for call (push), return (pop), local (no change).

Page 30: SEFM 06

VPA-based Aspects: Better Support for AOP over Protocols (cont.)

Paper contains:
examples to motivate use of VPA-based aspect definitions in the context of P2P systems,
formally define a core aspect language for protocols with a VPA-based pointcut language,
show that this supports analysis of interaction properties among aspects,
briefly present a freely available library implementing basic VPA operations, which we have used to analyze some interaction examples.

Page 31: SEFM 06

A Model for Temporal Relations Between Object Roles

The concept of roles has been advocated to model application domain objects which evolve dynamically during their lifespan.

These objects may acquire new and drop old roles. Several research efforts have focused on formalizing roles as a conceptual unit and their mappings to classes and objects of class based languages.

This paper presents a formal notation for modelling temporal relationships between roles using the notion of semi-intervals rather than intervals.

A semi-interval is a partially ordered set of time instances for which the endpoints are either not known or not relevant.

Page 32: SEFM 06

A Model for Temporal Relations Between Object Roles

Each role and its instances are associated with a lifespan which is a set of semi-intervals.
The temporal relations are defined in terms of relationships between the lifespans of roles.
An algorithm for computing the transitive closure of temporal relations is presented for inferring implicit relations.

Both explicit and implicit relations define constraints which must be honored for acquiring and dropping the roles.

A simple framework has been implemented in Java to demonstrate the usability of these concepts.

Page 33: SEFM 06

Invited Talk 3

Harnessing Disruptive Innovation in Formal Verification

John Rushby
Rushby.pdf

Page 34: SEFM 06

Session 1: Refinement, Testing and Program Analysis

On Bisimilarities Induced by Relations on Actions, S. Arun-Kumar

Filtering Retrenchments into Refinements, John Derrick, Richard Banach

Computing Complete Test Graphs for Hierarchical Systems, Deepak D'Souza, Madhu Gopinathan

Composing Context Sensitive Analysis, Prahladavaradan Sampath, Shrawan Kumar

Page 35: SEFM 06

Session 2: Web and Service Oriented Computation

Specifying Data-Flow Requirements for the Automated Composition of Web Services, Annapaola Marconi, Marco Pistore, Paolo Traverso

ASEHA: A Framework for Modelling and Verification of Web Services Protocols, Pemadeep Ramsokul, Arcot Sowmya

A Semi-Automatic Methodology for Repairing Faulty Web Sites, Maria Alpuente, Demis Ballis, Moreno Falaschi, Daniel Romero

A Bag-of-Tasks Approach for State Space Exploration Using Computational Grids, Cássio L. Rodrigues, Paulo E. S. Barbosa, Jairson M. Cabral, Jorge C. A. de Figueiredo, Dalton D. S. Guerrero

Page 36: SEFM 06

Invited Talk 4

Automatic Property Checking for Software: Past, Present and Future

Sriram Rajamani, Microsoft Research India, leads the Rigorous Software Engineering (RSE) Research Group.

Former manager for the Software Productivity Tools (SPT) group at MSR Redmond.

Page 37: SEFM 06

Sriram Rajamani

Software validation is a very hard problem.

Traditionally, most validation in our industry has been done by testing.

There are various granularities in which testing is performed -- ranging from unit tests that test small units of the system, to system-wide tests.

Over the past decade, automatic property checking tools that use static analysis have started providing a complementary approach to software validation.

Page 38: SEFM 06

Sriram Rajamani (cont.)

These tools are intended to augment, rather than replace, testing.

These tools do not typically ensure that the software implements the intended functionality correctly.

Instead, they look for specific kinds of errors more thoroughly inside the program by analyzing how control and data flow through the program.

Surveys the state of the art in property checking tools and presents the author's personal perspective on future research in this area.

Page 39: SEFM 06

Sriram Rajamani (cont.)

Deep spec is hard to prove.
Testing is not enough, but still the practice.
Time to market crucial.
2 things happened
– Software all around us
– Internet and hackers – “corner cases” important. (a virus in my car !!)

Page 40: SEFM 06

Sriram Rajamani (cont.)

Microsoft stopped in 2002 to do code review for 2 months!

Enter static verification: combines
– Compiler style static analysis
– Model checking
– Theorem proving

Industry and Academia
Focus on automation

Page 41: SEFM 06

Sriram Rajamani (cont.)

Elusive triangle: can deal with two, but not all three of:
– Large programs
– Deep properties
– Automation

This talk – shallow properties

Page 42: SEFM 06

Sriram Rajamani (cont.)

1st generation – heuristics. MSR PREfix, PREfast. Found 1/6 of bugs in Win 03. Metal.

2nd generation – sound tools. SLAM. Under-approximate for testing, over-approximate for verification. BLAST, Magic, …

3rd generation – verification + testing. Active research.

Page 43: SEFM 06

Sriram Rajamani (cont.)

DART: random testing will not find the bug. Collect info as you run a test, then negate the last branch.

Combine SLAM + DART – testing and proving together. How far can a test go? Extend it (DART) or show that it cannot be extended (SLAM).
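The DART loop sketched above, as an added toy implementation that is not the DART tool or code from the talk: the SymInt wrapper, the restricted constraint shape and the small candidate-based solver are simplifications chosen for this illustration, and program_under_test is a constructed target whose guard random integers essentially never satisfy.

```python
"""Toy DART-style (concolic) test generation: run on concrete inputs, record
each branch condition, negate the last one, solve for fresh inputs, rerun.
Added illustration, not the DART tool; constraints are limited to the shape
`variable + constant <op> constant` and the solver only tries values around
each constant (deliberate simplifications)."""
import random

PATH = []  # branch conditions of the current run: (var, offset, op, const, taken)
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


class SymInt:
    """Concrete int that knows the expression `var + offset` it stands for
    and logs every comparison with a constant."""
    def __init__(self, var, value, offset=0):
        self.var, self.value, self.offset = var, value, offset

    def __add__(self, k):
        return SymInt(self.var, self.value + k, self.offset + k)

    def _cmp(self, op, k):
        taken = OPS[op](self.value, k)
        PATH.append((self.var, self.offset, op, k, taken))
        return taken

    def __eq__(self, k): return self._cmp("==", k)
    def __ne__(self, k): return self._cmp("!=", k)
    def __lt__(self, k): return self._cmp("<", k)
    def __le__(self, k): return self._cmp("<=", k)
    def __gt__(self, k): return self._cmp(">", k)
    def __ge__(self, k): return self._cmp(">=", k)


def holds(constraint, value):
    var, offset, op, k, taken = constraint
    return OPS[op](value + offset, k) == taken


def solve(constraints, variables):
    """One value per variable, or None if some variable has no solution. Each
    constraint mentions one variable, so they are solved independently."""
    solution = {}
    for var in variables:
        own = [c for c in constraints if c[0] == var]
        candidates = {0}
        for _, offset, _, k, _ in own:
            candidates.update({k - offset - 1, k - offset, k - offset + 1})
        fitting = [v for v in sorted(candidates) if all(holds(c, v) for c in own)]
        if not fitting:
            return None
        solution[var] = fitting[0]
    return solution


def dart(program, variables, max_runs=50, seed=1):
    """Directed search: negate the deepest branch of the last path that has not
    been flipped yet. Returns (inputs raising AssertionError or None, runs)."""
    rng = random.Random(seed)
    inputs = {v: rng.randint(-1000, 1000) for v in variables}
    explored = set()  # path prefixes already executed or scheduled
    for run in range(1, max_runs + 1):
        PATH.clear()
        try:
            program(**{v: SymInt(v, x) for v, x in inputs.items()})
        except AssertionError:
            return inputs, run
        path = list(PATH)
        explored.update(tuple(path[:i + 1]) for i in range(len(path)))
        inputs = None
        for i in range(len(path) - 1, -1, -1):
            prefix = tuple(path[:i]) + (path[i][:4] + (not path[i][4],),)
            if prefix not in explored:
                explored.add(prefix)
                inputs = solve(list(prefix), variables)
                if inputs is not None:
                    break
        if inputs is None:
            return None, run  # every feasible path has been tried
    return None, max_runs


def program_under_test(x, y):
    """Constructed target: the failure needs x == 0x1234567, a value random
    integers from [-1000, 1000] will practically never produce."""
    if x + 1 == 0x1234568:
        if y > 100:
            raise AssertionError("reachable failure")
```

With the constructed target, `dart(program_under_test, ["x", "y"])` reaches the failure in three runs: the first random run misses the equality, negating it yields x = 0x1234567, and negating the next branch yields y = 101.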

Page 44: SEFM 06

Sriram Rajamani (cont.)

Future: property tools used more. (PREfast part of Visual Studio, SDV part of Win Vista). Integrated in IDE.

Software more than code: meta data (access ctrl, config info).

Code comes too late. Big mistakes. Early tools.

Page 45: SEFM 06

Session 1: Verification - II

A PVS based Framework for Validating Compiler Optimizations, Aditya Kanade, Amitabha Sanyal, Uday Khedker

Product Automata and Process Algebra, Kamal Lodaya

A Formal Model of Context-Awareness and Context-Dependency, Mats Neovius, Kaisa Sere, Lu Yan

Describing and Executing Random Reactive Systems, Pascal Raymond, Erwan Jahier and Yvan Roux

Page 46: SEFM 06

Session 2: Requirements

DISCERN: Towards the Automatic Discovery of Software Contracts, Yishai A. Feldman, Leon Gendler

A Rigorous Approach to Requirements Validation, Srihari Sukumaran, Ashok Sreenivas and R. Venkatesh

Requirements Modeling - Experience from an Insurance Project, G. Murali Krishna