Title: SEFM 06

  • A partial report

Amiram Yehudai
SEFM 2006
  • 4th IEEE International Conference on Software
    Engineering and Formal Methods, Pune, India,
    September 11-15, 2006

  • Tutorials (Monday, Tuesday).
  • Invited talks and paper sessions (Wednesday,
    Thursday, Friday).

Tutorial 1
  • Automated Formal Methods with PVS, SAL and Yices
  • Leonardo de Moura, Bruno Dutertre, Sam Owre, John
    Rushby, N. Shankar, Ashish Tiwari (SRI
    International, USA)

Tutorial 2
  • Integrating Object-oriented Design and Deductive
    Verification of Software
  • Bernhard Beckert (University of Koblenz,
    Germany), Reiner Hähnle (Chalmers University,
    Sweden), Peter H. Schmitt (University of
    Karlsruhe, Germany)

Tutorial 2 (cont.)
  • Formal specification and deductive verification
    of OO programs within a software development
    platform that supports contemporary design and
    implementation.
  • The KeY System implements this approach and
    integrates formal methods into Borland Together
    Control Center 6.2 and Eclipse.

Tutorial 3
  • Static Analysis of Programs: A Heap-centric View
  • Uday Khedker (I.I.T. Bombay, India)

Tutorial 3 (cont.)
  • The dataflow analysis technique.
  • Applications: compiler optimization, software
    engineering, software verification.
  • Traditional literature: simple applications of
    dataflow, a narrow view of the possibilities.
  • This tutorial: the frontiers of dataflow.
  • Advances in the analysis of heap-allocated data.

Tutorial 4
  • Retrenchment
  • Richard Banach (University of Manchester, UK)

  • Opening (Mathai Joseph)
  • Advances of IT in India, projected growth,

Invited Talk 1
  • Modelling Heterogeneous Real-time Components in
  • Joseph Sifakis

BIP, Joseph Sifakis
  • A methodology for modeling heterogeneous
    real-time components.
  • Components are the superposition of three layers:
  • Behavior, specified as a set of transitions;
  • Interactions between transitions of the behavior;
  • Priorities, used to choose amongst possible
  • A parameterized binary composition operator
    composes components layer by layer.

BIP, Joseph Sifakis (cont.)
  • The BIP language and associated tools execute
    and analyze components on a dedicated platform.
  • The language provides a powerful mechanism for
    structuring interactions involving rendezvous and
  • Synchronous and timed systems are particular
    classes of components.
  • Examples compare BIP to existing approaches for
    heterogeneous component-based modeling.

The verified software repository
  • (informal presentation/discussion)
  • Grand Challenge proposed by C. A. R. Hoare
  • Like the landing on the moon.
  • Various activities to discuss it.
  • Attempt to get major funding.
  • http//

Session 1: Verification - I
  • Verification of JavaCard Applets Behavior with
    respect to Transactions and Card Tears, Claude
  • A Theory of Singly-Linked Lists and its
    Extensible Decision Procedure, Silvio Ranise,
    Calogero Zarba
  • Formal Modelling and Verification of an
    Asynchronous DLX Pipeline, Hemangee K. Kapoor

Verification of JavaCard Applets Behavior with
respect to Transactions and Card Tears
  • The JAVA CARD transaction mechanism protects
    sensitive operations on smart cards against
    e.g. card tears or power losses.
  • A block of statements is viewed as a single
    atomic operation: all of them are performed, or
    none.
  • KRAKATOA: static verification of Java programs
    annotated in JML.
  • Transactions are modeled within KRAKATOA by
    generating on-the-fly specifications of API
    methods for
  • The paper considers security problems that can
    be caused by a card tear.
  • It proposes new JML constructs to express
    properties that must hold when a method is
    interrupted by a card tear, also taking
    non-atomic methods into
  • It presents a modeling of these constructs in
    KRAKATOA and shows it is practicable for
    detecting security holes or proving the absence
    of risk.
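The card-tear hazard the paper addresses, as an added example for this report rather than code from the paper, from KRAKATOA or from the Java Card API: a small Python model of persistent memory with a transaction buffer, a purse applet whose debit must update two fields, and a tear injected between the two writes. The Card class, the purse fields and the debit routines are constructed for the illustration; the real API calls they stand in for are JCSystem.beginTransaction/commitTransaction and Util.arrayCopyNonAtomic.

```python
"""Simulation of Java Card transaction semantics under a card tear.

Added example, not code from the paper, from KRAKATOA or from the Java Card
API: Card is a toy model of persistent memory with a transaction buffer,
CardTear stands for the power loss that stops the applet mid-method, and the
purse applet (a debit that must update two fields) is constructed.
"""


class CardTear(Exception):
    """Power loss or card removal: execution stops at the current statement."""


class Card:
    def __init__(self, **fields):
        self.mem = dict(fields)     # committed persistent (EEPROM) state
        self._undo = None           # snapshot of mem while a transaction is open
        self.tear_after = None      # persistent writes allowed before the tear (None: no tear)
        self._writes = 0

    # -- transaction API, modelled on JCSystem.beginTransaction/commitTransaction --
    def begin(self):
        if self._undo is not None:
            raise RuntimeError("nested transactions are not allowed")
        self._undo = dict(self.mem)

    def commit(self):
        self._undo = None

    def abort(self):
        self.mem, self._undo = self._undo, None

    # -- persistent writes --
    def _tear_point(self):
        if self.tear_after is not None and self._writes >= self.tear_after:
            raise CardTear()
        self._writes += 1

    def write(self, field, value):
        """Write inside the transaction buffer: undone on abort or after a tear."""
        self._tear_point()
        self.mem[field] = value

    def write_non_atomic(self, field, value):
        """Models Util.arrayCopyNonAtomic: the update survives a rollback."""
        self._tear_point()
        self.mem[field] = value
        if self._undo is not None:
            self._undo[field] = value

    def power_up(self):
        """What the runtime does at reset: roll back an uncommitted transaction."""
        if self._undo is not None:
            self.abort()
        self._writes, self.tear_after = 0, None


def consistent(card):
    """Purse invariant: money never appears or disappears."""
    return card.mem["balance"] + card.mem["spent"] == card.mem["credit"]


def debit_non_atomic(card, amount):
    if card.mem["balance"] < amount:
        raise ValueError("insufficient funds")
    card.write("balance", card.mem["balance"] - amount)
    card.write("spent", card.mem["spent"] + amount)


def debit_transactional(card, amount):
    if card.mem["balance"] < amount:
        raise ValueError("insufficient funds")
    card.begin()
    card.write("balance", card.mem["balance"] - amount)
    card.write("spent", card.mem["spent"] + amount)
    card.commit()


def debit_leaky_transaction(card, amount):
    """A transaction whose first write bypasses the transaction buffer."""
    if card.mem["balance"] < amount:
        raise ValueError("insufficient funds")
    card.begin()
    card.write_non_atomic("spent", card.mem["spent"] + amount)
    card.write("balance", card.mem["balance"] - amount)
    card.commit()


def run_with_tear(debit, tear_after):
    """Debit 30 from a fresh purse, tearing the card after `tear_after` writes.
    Returns (balance, spent, invariant holds) as seen after power-up."""
    card = Card(credit=100, balance=100, spent=0)
    card.tear_after = tear_after
    try:
        debit(card, 30)
    except CardTear:
        card.power_up()
    return card.mem["balance"], card.mem["spent"], consistent(card)


if __name__ == "__main__":
    for name, debit in [("non-atomic", debit_non_atomic),
                        ("transactional", debit_transactional),
                        ("leaky transaction", debit_leaky_transaction)]:
        print(f"{name:18} no tear: {run_with_tear(debit, None)}"
              f"  tear after 1 write: {run_with_tear(debit, 1)}")
```

Without a transaction the tear leaves the purse in a state the invariant forbids; inside a transaction the runtime's rollback at power-up restores the old values; and a non-atomic write inside the transaction reintroduces the hole, which is why the paper's JML extension also has to cover non-atomic methods. The real runtime additionally bounds the commit buffer (JCSystem.getMaxCommitCapacity), so a transaction that exceeds it throws a TransactionException instead of protecting the writes.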

A Theory of Singly-Linked Lists and its
Extensible Decision Procedure
  • The key to approaches for reasoning about
    pointer-based data structures is the
    availability of a decision procedure for a
    theory of data, pointers, and pointer
    reachability.
  • Only approximate solutions have been proposed,
    which abstract away the data or the reachability
  • Such approximations cause a lack of precision in
    the verification techniques that exploit the
    decision procedures.
  • This paper considers the pointer-based data
    structure of singly-linked lists and defines a
    Theory of Linked Lists (TLL).
  • The theory is expressive: it can precisely
    express both data and reachability constraints
    while ensuring decidability; decidability is
  • It also designs a practical decision procedure
    for TLL which can be combined with available
    decision procedures for theories in first-order
    logic.

Formal Modelling and Verification of an
Asynchronous DLX Pipeline
  • A five-stage pipeline of an asynchronous DLX
    processor is modelled and its control flow is
  • The model uses an asynchronous pipeline of
    latches separated by processing logic.
  • Processing units are modelled as processes in
    PROMELA, the language of the Spin model checker.
  • The model is verified in Spin using assertions,
    LTL properties and progress labels.

Invited Talk 2
  • Towards a Mathematical Theory of Object-Oriented
  • Bertrand Meyer

B. Meyer
  • Market wants software that is good enough.
  • IT became a service business, rather than
  • A program, or in object-oriented programming a
    feature, is characterized not only by an
    implementation but by a contract specifying its
    intent and a proof obligation to ascertain that
    the implementation meets the contract.
  • From these ideas it is possible to derive a
    general framework for discussing programs and
    program development.

B. Meyer (cont.)
  • Push-button component testing: thanks to
    contracts, it is possible to test library
    components completely automatically, without ever
    having to prepare test data. The AutoTest tool
    applies this idea to existing libraries (those
    actually used by programmers, not academic
    examples) and regularly finds significant bugs.
    Available for download.
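What push-button testing from contracts looks like, as an added example that is not AutoTest's code or Eiffel: a Python decorator attaches a precondition and a postcondition to a routine, and a driver generates inputs, discards those the precondition rejects (an illegal call is the caller's fault, not a test) and records every input that makes the routine raise or violate its postcondition. The routine under test (an integer square root with a constructed off-by-one defect), the special-value list and the generator are assumptions of the example.

```python
"""Contract-driven push-button testing in the style of AutoTest.

Added example, not AutoTest's code or the Eiffel libraries it tests: `contract`
attaches a precondition (require) and a postcondition (ensure) to a routine;
`autotest` draws arguments, skips those that violate the precondition and
records every argument vector for which the routine raises or violates its
postcondition.  The routine under test carries a constructed defect.
"""
import random
from functools import wraps


class ContractViolation(AssertionError):
    pass


def contract(require, ensure):
    """Check require(*args) before the call and ensure(*args, result) after it."""
    def deco(f):
        @wraps(f)
        def wrapper(*args):
            if not require(*args):
                raise ContractViolation(f"precondition of {f.__name__} violated: {args}")
            result = f(*args)
            if not ensure(*args, result):
                raise ContractViolation(
                    f"postcondition of {f.__name__} violated: {args} -> {result!r}")
            return result
        wrapper.require = require   # exposed so the tester can filter inputs up front
        return wrapper
    return deco


@contract(require=lambda n: n >= 0,
          ensure=lambda n, r: r * r <= n < (r + 1) * (r + 1))
def isqrt(n):
    """Integer square root by bisection.  Constructed defect: the initial upper
    bound n // 2 is wrong for n == 1, whose answer 1 lies outside [0, 0]."""
    lo, hi = 0, n // 2
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid * mid <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


# Boundary values are tried first, then random ones; AutoTest likewise mixes
# predefined special values with random objects.
SPECIAL_INTS = [0, 1, -1, 2, 2 ** 31 - 1, -(2 ** 31)]


def int_generator(i, rng):
    return SPECIAL_INTS[i] if i < len(SPECIAL_INTS) else rng.randrange(-(2 ** 31), 2 ** 31)


def autotest(routine, generator, trials=200, seed=0):
    """Generate inputs, keep those satisfying the precondition, run, collect failures."""
    rng = random.Random(seed)
    report = {"executed": 0, "skipped": 0, "failures": []}
    for i in range(trials):
        args = (generator(i, rng),)
        if not routine.require(*args):
            report["skipped"] += 1      # not a valid test: the contract forbids this call
            continue
        report["executed"] += 1
        try:
            routine(*args)
        except Exception as exc:        # postcondition violation or a crash in the routine
            report["failures"].append((args, f"{type(exc).__name__}: {exc}"))
    return report


if __name__ == "__main__":
    for args, why in autotest(isqrt, int_generator)["failures"]:
        print(args, why)
```

The postcondition is the oracle: no expected values are written by hand, and the precondition decides which generated inputs count as tests at all, which is what makes the approach work on libraries without any prepared test data.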

B. Meyer (cont.)
  • MML, the Mathematical Model Library, is a library
    of side-effect-free mathematical models that can
    be used for contracting classes with the Design
    by Contract approach.
  • Eiffel uses standard boolean expressions of the
    language to describe the behavior of classes.
    These boolean expressions cannot express complex
    properties of
  • MML provides an implementation of typed set
    theory on the basis of an object-oriented
    library. Using the classes from the library, it
    is possible to translate first-order predicates
    into standard Eiffel contracts.

Session 2: Java Aspects
  • Jose: Aspects for Design by Contract, Yishai A.
    Feldman, Ohad Barzilay, Shmuel Tyszberowicz
  • Formalizing AspectJ Weaving for Static Pointcut,
    Nadia Belblidia, Mourad Debbabi

Formalizing AspectJ Weaving for Static Pointcut
  • This paper describes a formal semantics of advice
    weaving in AspectJ.
  • Advice weaving is performed on the bytecode, in
    regions of the code that correspond to join
    points declared by pointcuts.
  • The paper focuses only on static pointcuts.
  • Static pointcuts quantify over static properties
    of join points, and thus correspond directly to
    locations in the bytecode.

Session 3: Object-Orientation and Aspects
  • VPA-based Aspects: Better Support for AOP over
    Protocols, Dong Ha Nguyen, Mario Südholt
  • A Model for Temporal Relations Between Object
    Roles, Naresh Gutha, Banshi Dhar Chaudhary
  • Performance Prediction of Component-based System
    hosted by Container style Middleware, Yong Zhang,
    Ningjiang Chen, Jun Wei and Tao Huang

VPA-based Aspects: Better Support for AOP over
Protocols
  • The declarativeness of aspect definitions and
    the support for verification of AO programs
    depend on the expressiveness of the aspect
    language.
  • There is a large spectrum of pointcut languages:
    regular-expression languages, context-free or
    Turing-complete languages, the latter with almost
    no support for analysis or verification.
  • The paper investigates the use of Visibly
    Pushdown Automata (VPA) as the basis for an
    aspect language, to enable more declarative
    aspect definitions (compared to regular
    approaches) for protocol-like relationships and
    static verification of properties, in particular
    analysis of interactions among aspects.
  • VPA (Alur and Madhusudan): disjoint input
    alphabets for call (push), return (pop) and
    local (no stack change) symbols.

VPA-based Aspects: Better Support for AOP over
Protocols (cont.)
  • The paper contains:
  • examples to motivate the use of VPA-based aspect
    definitions in the context of P2P systems,
  • a formal definition of a core aspect language for
    protocols with a VPA-based pointcut language,
  • a proof that this supports analysis of
    interaction properties among aspects,
  • a brief presentation of a freely available
    library implementing basic VPA operations, which
    the authors have used to analyze some interaction
    examples.
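The call/return/local split in working form, as an added example rather than the paper's library: a VPA runner in Python over a constructed request/forward/reply protocol in the spirit of the paper's P2P examples, with the pointcut "a reply that closes a forwarded request" expressed as a return transition. The event names, states and transitions are constructed for the illustration.

```python
"""A visibly pushdown automaton (VPA) as the pointcut language of a protocol aspect.

Added example, not the paper's library: the automaton below is constructed for a
request/forward/reply protocol in the spirit of the paper's P2P examples.  As in
Alur and Madhusudan's definition, the event alphabet is split into call symbols
(push), return symbols (pop) and local symbols (stack untouched); a return on an
empty stack is treated here as a protocol violation.
"""
from collections import namedtuple

Result = namedtuple("Result", "accepted failed_at advised")


class VPA:
    def __init__(self, start, finals, calls, returns, locals_, advice=()):
        self.start, self.finals = start, set(finals)
        self.calls = calls          # {(state, event): (next_state, stack_symbol)}
        self.returns = returns      # {(state, event, popped_symbol): next_state}
        self.locals = locals_       # {(state, event): next_state}
        self.advice = set(advice)   # transition keys at which the aspect's advice fires
        self.call_alpha = {ev for _, ev in calls}
        self.ret_alpha = {ev for _, ev, _ in returns}
        self.local_alpha = {ev for _, ev in locals_}
        # the visibility condition: the three alphabets must be disjoint
        assert not (self.call_alpha & self.ret_alpha)
        assert not ((self.call_alpha | self.ret_alpha) & self.local_alpha)

    def run(self, trace):
        """Return (accepted, index of the first bad event or None, indices where advice fires)."""
        state, stack, advised = self.start, [], []
        for i, ev in enumerate(trace):
            if ev in self.call_alpha:
                key = (state, ev)
                if key not in self.calls:
                    return Result(False, i, advised)
                state, symbol = self.calls[key]
                stack.append(symbol)
            elif ev in self.ret_alpha:
                if not stack:                    # reply without an open request
                    return Result(False, i, advised)
                key = (state, ev, stack.pop())
                if key not in self.returns:
                    return Result(False, i, advised)
                state = self.returns[key]
            elif ev in self.local_alpha:
                key = (state, ev)
                if key not in self.locals:
                    return Result(False, i, advised)
                state = self.locals[key]
            else:
                return Result(False, i, advised)  # event outside the alphabet
            if key in self.advice:
                advised.append(i)
        return Result(state in self.finals and not stack, None, advised)


# Constructed protocol: a peer accepts one request at a time ("req"), may forward
# it to other peers ("fwd", nested arbitrarily deep), and every "rep" answers the
# innermost open request; "log" does not touch the protocol state.  The pointcut
# "a reply that closes a forwarded request" is the return transition popping FWD.
P2P_ASPECT = VPA(
    start="idle",
    finals=["idle"],
    calls={("idle", "req"): ("busy", "REQ"),
           ("busy", "fwd"): ("busy", "FWD")},
    returns={("busy", "rep", "FWD"): "busy",
             ("busy", "rep", "REQ"): "idle"},
    locals_={("idle", "log"): "idle", ("busy", "log"): "busy"},
    advice=[("busy", "rep", "FWD")],
)


def check(trace):
    return P2P_ASPECT.run(trace)


if __name__ == "__main__":
    for t in (["req", "fwd", "fwd", "rep", "log", "rep", "rep"],
              ["req", "rep", "rep"],
              ["req", "fwd", "rep"]):
        print(t, "->", check(t))
```

A regular pointcut language cannot express this pointcut for unbounded forwarding depth, since it has to know which request a reply answers; a VPA can, and because VPAs are closed under intersection and complement with decidable emptiness, two such aspects can be checked statically for join points they both match, which is the interaction analysis the paper builds on.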

A Model for Temporal Relations Between Object Roles
  • The concept of roles has been advocated to model
    application-domain objects which evolve
    dynamically during their lifespan.
  • These objects may acquire new and drop old roles.
    Several research efforts have focused on
    formalizing roles as a conceptual unit and their
    mappings to classes and objects of class based
  • This paper presents a formal notation for
    modelling temporal relationships between roles
    using the notion of semi-intervals rather than
  • A semi-interval is a partially ordered set of
    time instances for which the endpoints are either
    not known or not relevant.

A Model for Temporal Relations Between Object Roles
(cont.)
  • Each role and its instances are associated with
    a lifespan, which is a set of semi-intervals.
  • The temporal relations are defined in terms of
    relationships between the lifespans of roles.
  • An algorithm for computing the transitive closure
    of temporal relations is presented, for inferring
    implicit relations.
  • Both explicit and implicit relations define
    constraints which must be honored when acquiring
    and dropping roles.
  • A simple framework has been implemented in Java
    to demonstrate the usability of these concepts.

Invited Talk 3
  • Harnessing Disruptive Innovation in Formal
  • John Rushby
  • Rushby.pdf

Session 1: Refinement, Testing and Program
  • On Bisimilarities Induced by Relations on Actions,
    S. Arun-Kumar
  • Filtering Retrenchments into Refinements, John
    Derrick, Richard Banach
  • Computing Complete Test Graphs for Hierarchical
    Systems, Deepak D'Souza, Madhu Gopinathan
  • Composing Context Sensitive Analysis,
    Prahladavaradan Sampath, Shrawan Kumar

Session 2: Web and Service Oriented Computation
  • Specifying Data-Flow Requirements for the
    Automated Composition of Web Services, Annapaola
    Marconi, Marco Pistore, Paolo Traverso
  • ASEHA: A Framework for Modelling and Verification
    of Web Services Protocols, Pemadeep Ramsokul,
    Arcot Sowmya
  • A Semi-Automatic Methodology for Repairing Faulty
    Web Sites, Maria Alpuente, Demis Ballis, Moreno
    Falaschi, Daniel Romero
  • A Bag-of-Tasks Approach for State Space
    Exploration Using Computational Grids, Cássio L.
    Rodrigues, Paulo E. S. Barbosa, Jairson M.
    Cabral, Jorge C. A. de Figueiredo, Dalton D. S.

Invited Talk 4
  • Automatic Property Checking for Software: Past,
    Present and Future
  • Sriram Rajamani
  • Microsoft Research India, leads the Rigorous
    Software Engineering (RSE) research group.
  • Former manager of the Software Productivity
    Tools (SPT) group at MSR Redmond.

Sriram Rajamani
  • Software validation is a very hard problem.
  • Traditionally, most validation in our industry
    has been done by testing.
  • There are various granularities in which testing
    is performed -- ranging from unit tests that test
    small units of the system, to system-wide tests.
  • Over the past decade, automatic property checking
    tools that use static analysis have started
    providing a complementary approach to software

Sriram Rajamani (cont.)
  • These tools are intended to augment, rather than
    replace, testing.
  • They do not typically ensure that the software
    implements the intended functionality.
  • Instead, they look for specific kinds of errors
    more thoroughly inside the program by analyzing
    how control and data flow through it.
  • The talk surveys the state of the art in
    property-checking tools and presents the
    author's personal perspective on future research
    in this area.

Sriram Rajamani (cont.)
  • Deep specs are hard to prove.
  • Testing is not enough, but is still the practice.
  • Time to market is crucial.
  • Two things happened:
  • Software is all around us.
  • Internet and hackers: corner cases matter
    (a virus in my car!).

Sriram Rajamani (cont.)
  • Microsoft stopped in 2002 to do code review for 2
  • Enter static verification, which combines:
  • Compiler-style static analysis
  • Model checking
  • Theorem proving
  • Industry and academia
  • Focus on automation

Sriram Rajamani (cont.)
  • The elusive triangle: one can deal with two, but
    not all three, of
  • Large programs
  • Deep properties
  • Automation
  • This talk: shallow properties.

Sriram Rajamani (cont.)
  • 1st generation: heuristics. MSR PREfix, PREfast
    (found 1/6 of the bugs in Win 03). Metal.
  • 2nd generation: sound tools. SLAM.
    Under-approximation for testing,
    over-approximation for verification. BLAST,
    Magic,
  • 3rd generation: verification + testing. Active

Sriram Rajamani (cont.)
  • DART: random testing will not find the bug.
    Collect path information while running a test,
    then negate the last branch to steer the next
    run.
  • Combine SLAM and DART: testing and proving
    together. How far can a test go? Extend it
    (DART) or show that it cannot be extended (SLAM).
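The DART loop from the slide above in working form, as an added example that is not code from the talk or from the DART tool: the program runs on a concrete input while every branch predicate on the symbolic input is recorded, the last branch of the path is negated, a solver produces an input that drives execution down the other side, and the process repeats until no unflipped branch remains. The program under test, the constant 12345678, and the solver (restricted to linear constraints over one 32-bit integer input) are constructed for the illustration.

```python
"""DART-style concolic testing of a program over one 32-bit integer input.

Added example; the program under test and the small linear constraint solver
are constructed for this illustration and are not code from the talk or from
the DART tool.  Sym runs the program concretely while recording the path
condition over the input x as constraints  A*x + B  op  0; explore() negates
the last branch of the path, solves for a new input and reruns.
"""
import operator
import random

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
NEG = {"<": ">=", "<=": ">", ">": "<=", ">=": "<", "==": "!=", "!=": "=="}
FLIP = {"<": ">", "<=": ">=", ">": "<", ">=": "<=", "==": "==", "!=": "!="}
PATH = []  # constraints that held on the current run, in branch order


class Sym:
    """Concolic integer: concrete value plus the symbolic linear form a*x + b."""

    def __init__(self, val, a=0, b=None):
        self.val, self.a = val, a
        self.b = val if b is None else b

    @staticmethod
    def lift(o):
        return o if isinstance(o, Sym) else Sym(o)

    def __add__(self, o):
        o = Sym.lift(o)
        return Sym(self.val + o.val, self.a + o.a, self.b + o.b)
    __radd__ = __add__

    def __sub__(self, o):
        o = Sym.lift(o)
        return Sym(self.val - o.val, self.a - o.a, self.b - o.b)

    def __mul__(self, k):  # by a constant only, so the form stays linear
        return Sym(self.val * k, self.a * k, self.b * k)
    __rmul__ = __mul__

    def _branch(self, o, op):
        o = Sym.lift(o)
        taken = OPS[op](self.val, o.val)  # the concrete outcome decides the path
        d = self - o                      # the predicate is  d.a*x + d.b  op  0
        PATH.append((d.a, d.b, op if taken else NEG[op]))
        return taken

    def __lt__(self, o): return self._branch(o, "<")
    def __le__(self, o): return self._branch(o, "<=")
    def __gt__(self, o): return self._branch(o, ">")
    def __ge__(self, o): return self._branch(o, ">=")
    def __eq__(self, o): return self._branch(o, "==")
    def __ne__(self, o): return self._branch(o, "!=")


def solve(constraints, bits=32):
    """Return a signed `bits`-bit integer x satisfying every constraint, or None."""
    lo, hi, excluded = -(1 << (bits - 1)), (1 << (bits - 1)) - 1, set()
    for a, b, op in constraints:
        if a < 0:  # normalise to a > 0 (multiplying by -1 flips the comparison)
            a, b, op = -a, -b, FLIP[op]
        if a == 0:
            if not OPS[op](b, 0):
                return None
            continue
        # a*x op -b with a > 0: floor(-b/a) is (-b)//a, ceil(-b/a) is -(b//a)
        if op == ">":
            lo = max(lo, (-b) // a + 1)
        elif op == ">=":
            lo = max(lo, -(b // a))
        elif op == "<":
            hi = min(hi, -(b // a) - 1)
        elif op == "<=":
            hi = min(hi, (-b) // a)
        elif op == "==":
            if (-b) % a:
                return None
            lo, hi = max(lo, (-b) // a), min(hi, (-b) // a)
        elif (-b) % a == 0:  # "!=" only excludes an integer point
            excluded.add((-b) // a)
    for x in range(lo, hi + 1):  # at most len(excluded)+1 probes before returning
        if x not in excluded:
            return x
    return None


def program(x):
    """Constructed target: the BUG branch needs one value out of 2**32."""
    if 3 * x + 7 > 100:
        if x - 50 == 12345678:
            return "BUG"
        return "big"
    return "small"


def explore(program, x0=0, max_runs=50):
    """Run, negate the last branch not yet flipped, solve, rerun.
    Returns {outcome: first input that produced it}."""
    outcomes, worklist, tried, runs = {}, [x0], set(), 0
    while worklist and runs < max_runs:
        x = worklist.pop()
        runs += 1
        PATH.clear()
        outcomes.setdefault(program(Sym(x, a=1, b=0)), x)
        path = list(PATH)
        for k in range(len(path)):  # pushed in order, so the last branch is popped first
            prefix = tuple(path[:k]) + ((path[k][0], path[k][1], NEG[path[k][2]]),)
            if prefix not in tried:
                tried.add(prefix)
                x_new = solve(prefix)
                if x_new is not None:
                    worklist.append(x_new)
    return outcomes


def random_search(program, trials=10000, seed=1):
    """Plain random testing over the same input range, for comparison."""
    rng = random.Random(seed)
    for _ in range(trials):
        x = rng.randrange(-(1 << 31), 1 << 31)
        if program(x) == "BUG":
            return x
    return None
```

Five runs cover all three outcomes, including the equality branch that random testing has a 2^-32 chance per trial of hitting; the solver is the part that DART delegates to a constraint solver and the part that SLAM replaces with a proof when no extension of the path exists.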

Sriram Rajamani (cont.)
  • Future: property tools used more (PREfast part
    of Visual Studio, SDV part of Windows Vista),
    integrated in the IDE.
  • Software is more than code: metadata (access
    control, config info).
  • Code comes too late for the big mistakes; tools
    are needed earlier.

Session 1: Verification - II
  • A PVS based Framework for Validating Compiler
    Optimizations, Aditya Kanade, Amitabha Sanyal,
    Uday Khedker
  • Product Automata and Process Algebra, Kamal
  • A Formal Model of Context-Awareness and
    Context-Dependency, Mats Neovius, Kaisa Sere, Lu
  • Describing and Executing Random Reactive Systems,
    Pascal Raymond, Erwan Jahier and Yvan Roux

Session 2: Requirements
  • DISCERN: Towards the Automatic Discovery of
    Software Contracts, Yishai A. Feldman, Leon
  • A Rigorous Approach to Requirements Validation,
    Srihari Sukumaran, Ashok Sreenivas and R.
  • Requirements Modeling - Experience from an
    Insurance Project, G. Murali Krishna