Jonathan P. Bowen, Zhiming Liu, Zili Zhang (Eds.)

Engineering Trustworthy Software Systems
Third International School, SETSS 2017
Chongqing, China, April 17–22, 2017
Tutorial Lectures

Lecture Notes in Computer Science 11174
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, Lancaster, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Friedemann Mattern, ETH Zurich, Zurich, Switzerland
John C. Mitchell, Stanford University, Stanford, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan, Indian Institute of Technology Madras, Chennai, India
Bernhard Steffen, TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbrücken, Germany

More information about this series at http://www.springer.com/series/7408

Editors
Jonathan P. Bowen, London South Bank University, London, UK
Zhiming Liu, Southwest University, Chongqing, China
Zili Zhang, Faculty of Computer and Information Science, Southwest University, Chongqing, China

ISSN 0302-9743 / ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-030-02927-2 / ISBN 978-3-030-02928-9 (eBook)
https://doi.org/10.1007/978-3-030-02928-9
Library of Congress Control Number: 2018958874
LNCS Sublibrary: SL2 – Programming and Software Engineering

© Springer Nature Switzerland AG 2018
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Preface

The Third School on Engineering Trustworthy Software Systems (SETSS 2017) was held during April 17–22, 2017, at Southwest University, Chongqing, China.
It was aimed at Ph.D. and Master students, in particular from around China, and was suitable for university researchers and industry software engineers. This volume contains tutorial papers related to most of the lecture courses delivered at the School.

SETSS 2017 was organized by the School of Computer and Information Science, in particular the Centre for Research and Innovation in Software Engineering (RISE) at Southwest University, providing lectures on cutting-edge research in methods and tools for use in computer system engineering. The School aimed to enable participants to learn about state-of-the-art software engineering methods and technology advances from experts in the field.

The opening session was chaired by Prof. Zili Zhang. A welcome speech was delivered by the Vice President of Southwest University, Prof. Yanqiang Cui, followed by an introductory briefing for SETSS 2017 by Prof. Zhiming Liu. The session finished with a ceremony for a guest professorship at Southwest University for Prof. Zhou Chaochen and a photograph of participants at the School.

The following lecture courses (four 90-minute lecture sessions each) were delivered during the School:

– Ian Hayes: "Rely/Guarantee Thinking"
– Gary T. Leavens: "Hoare-Style Specification and Verification of Object-Oriented Programs with JML"
– Natarajan Shankar: "Logic, Specification, Verification, and Interactive Proof"
– Andreas Podelski: "Software Model Checking with Automizer"
– Rustan Leino: "Writing Programs and Proofs"
– Xiaoxing Ma: "Engineering Self-adaptive Software-intensive Systems"

In addition, there were three evening seminars and a meeting on educational issues:

– Maarten de Rijke: "Agents that Get the Right Information to the Right People in the Right Way"
– Dang Van Hung: "A Model for Real-time Concurrent Interaction Protocols in Component Interfaces"
– Zijiang Yang: "Optimizing Symbolic Execution for Software Testing"
– Zhiming Liu (Chair): CCF Formal Methods Division Meeting – "Formal Methods Education"

These additional presentations and discussions complemented the longer lecture courses.

Courses

Rely/Guarantee Thinking

Lecturer: Prof. Ian Hayes, University of Queensland, Australia

Biography: Ian Hayes is a Professor of Computer Science at the University of Queensland, Australia. His research interests focus on formal methods for the specification and development of software and systems. He has worked on the Z specification notation, and on the specification and refinement of real-time systems. His most recent research has focused on the specification and refinement of concurrent systems, along with an algebraic approach to defining their semantics with the aim of providing tool support.
Overview: The rely/guarantee approach to reasoning about a concurrent process makes use of a rely condition to abstractly represent the assumptions the process makes about interference from its environment, and a guarantee condition to represent the interference it imposes on its environment. The general view of rely/guarantee thinking appears to apply to a very wide range of applications: it facilitates the development and formal proof of intricate code and, at the other extreme, it provides a framework for deriving the specification of control systems that respond to, and actuate, physical systems that interact with the physical world. In the last couple of years, the way of recording rely assumptions and guarantee commitments has been recast into a style similar to the refinement calculus. This gives reasoning with rely/guarantee thinking a much more algebraic feel; the laws of this calculus were explained and demonstrated on examples.

Hoare-Style Specification and Verification of Object-Oriented Programs with JML

Lecturer: Prof. Gary T. Leavens, University of Central Florida, USA

Biography: Gary T. Leavens is a professor and chair of the Department of Computer Science at the University of Central Florida. Previously he was a professor at Iowa State University, where he started in 1989 after receiving his Ph.D. from MIT. Before his graduate studies at MIT, he worked at Bell Telephone Laboratories in Denver, Colorado. Professor Leavens was General Chair for the SPLASH 2012 conference and Research Program Committee chair for the 2009 OOPSLA conference. He was the Research Results Program Committee chair for the Modularity 2015 conference.

Overview: These lectures addressed the problem of specification and verification of sequential object-oriented (OO) programs, which use subtyping and dynamic dispatch. First we described the semantics of class-based object-oriented languages with mutable objects, such as Java. Then we described the problems of applying Hoare-style reasoning to OO programs in a modular way.
We looked in detail at the key notions of refinement, modular verification, and modular correctness. This led to a detailed discussion of behavioral subtyping and supertype abstraction. Finally, we discussed specification inheritance, its relationship to behavioral subtyping, and how these concepts are embodied in JML.

Logic, Specification, Verification, and Interactive Proof

Lecturer: Prof. Natarajan Shankar, SRI International Computer Science Laboratory, USA

Biography: Prof. Natarajan Shankar is a Distinguished Scientist at the SRI International Computer Science Laboratory. He is the co-developer of a number of cutting-edge tools (http://github.com/SRI-CSL) for automated reasoning and formal verification spanning interactive proof (PVS), model checking (SAL), SMT solving (Yices), and probabilistic inference (PCE). Prof. Shankar is an SRI Fellow and a co-recipient of the 2012 CAV Award.

Overview: Formalization plays a key role in computing in disciplines ranging from hardware and distributed computing to programming languages and hybrid systems. In this course, we explored the use of SRI's Prototype Verification System (PVS, see http://pvs.csl.sri.com) in formal specification and interactive proof construction. PVS and other proof assistants, such as ACL2, Coq, HOL, HOL Light, Isabelle, and Nuprl, have been used to formalize significant tracts of mathematics and to verify complex hardware and software systems. In the lectures, we explored the formalization of both introductory and advanced concepts from mathematics and computing. We used PVS to interactively construct proofs and to define new proof strategies.

Software Model Checking with Automizer

Lecturer: Prof. Andreas Podelski, University of Freiburg, Germany

Biography: Prof. Andreas Podelski works in the area of programming languages, specifically on program analysis and verification. He is an associate editor of the journals TOPLAS, FMSD, JAR, and STTT.
He has served as the chair or as a member of the program committee of over 50 conferences and has been an invited speaker at over 20 conferences. He did his Master's studies in Münster, Germany, his Ph.D. in Paris, France, and postdoctoral research in Berkeley, California, USA. He has held the Chair of Software Engineering at the University of Freiburg since 2006. He has spent research sabbaticals at Microsoft Redmond, ENS Paris, Microsoft Cambridge, and the Stanford Research Institute (SRI).

Overview: We presented a new approach to the verification of programs. The approach is embodied in the tool Automizer, which won this year's gold medal at SV-COMP (the second time in a row). The idea is to decompose the set of behaviors of the given program (whose correctness we want to prove) according to sets of behaviors for which we already have a proof. We construct a program from the correctness proof of a sequence of statements. A sequence of statements is a simple case of a program (a straight-line program). At the same time, a sequence of statements is a word over a finite alphabet (a word that can be accepted by an automaton). Just as we ask whether a word has an accepting run, we can ask whether a sequence of statements has a correctness proof (of a certain form). The automaton accepts exactly the sequences that do. We construct programs from proofs, repeatedly, until the constructed programs together cover all possible behaviors of the given program. A crucial step here is the covering check, which is based on algorithms for automata (inclusion test, minimization, etc.). We explained the approach for a wide range of verification problems: safety, termination, and liveness; with (possibly recursive) procedures; multi-threaded, with possibly unboundedly many threads.

Writing Programs and Proofs

Lecturer: Dr. Rustan Leino, Amazon, USA

Biography: Rustan Leino is a senior principal engineer at Amazon Web Services.
He was previously a principal researcher in the Research in Software Engineering (RiSE) group at Microsoft Research, Redmond, and has been a visiting professor in the Department of Computing at Imperial College London. He is known for his work on programming methods and program verification tools and is a world leader in building automated program verification tools. One of these tools is the language and verifier Dafny. Leino is an ACM Fellow. Prior to Microsoft Research, Leino worked at DEC/Compaq SRC. He received his Ph.D. from Caltech (1995), but before doing so he had already designed and written object-oriented software as a technical lead in the Windows NT group at Microsoft. Leino collects thinking puzzles on a popular web page and hosts the Verification Corner channel on YouTube.

Overview: Reasoning about programs and understanding how to write proofs are important skills for software engineers. In this course, students learned techniques for reasoning about programs, both imperative programs and functional programs. For imperative programs, this included the concepts of assertions, pre- and postconditions, and loop invariants. For functional programs, this additionally included lemmas, proof calculations, and mathematical induction. Throughout the course, the Dafny language and verifier was used.

Engineering Self-adaptive Software-Intensive Systems

Lecturer: Prof. Xiaoxing Ma, Nanjing University, China

Biography: Xiaoxing Ma is a professor and the deputy director of the Institute of Computer Software at Nanjing University. His research interests include self-adaptive software systems, software architectures, and middleware systems. Xiaoxing co-authored more than 60 peer-reviewed papers, some of which were published in major software engineering conferences and journals, such as FSE, ICSE, ASE, and IEEE TSE, TC, and TPDS. He has directed and participated in over a dozen research projects funded by the National Natural Science Foundation and the Ministry of Science and Technology of China.
He has also served actively on technical program committees of various international conferences and workshops.

Overview: Modern software-intensive systems often need to adapt dynamically to changes in the environment in which they are embedded and to the requirements they must satisfy. Engineering self-adaptation in software is challenging due to the lack of systematic engineering methods and proper enabling techniques. In this tutorial, we discussed some recent advances in software engineering for self-adaptive systems, with topics covering the sensing and understanding of systems' environmental context, model-based and control theory-based approaches to adaptation decision making, and the actuation of adaptation decisions through dynamic software updating.

Seminars

Agents that Get the Right Information to the Right People in the Right Way

Lecturer: Prof. Maarten de Rijke, University of Amsterdam, The Netherlands

Biography: Maarten de Rijke, professor at the University of Amsterdam, The Netherlands, leads the prestigious Information and Language Processing Systems (ILPS) laboratory in the field of information retrieval. He has published more than 670 articles in the top conferences and journals of information retrieval, machine learning, natural language processing, and data mining, including SIGIR (CCF A), WWW (CCF A), KDD (CCF A), ICML (CCF A), NIPS (CCF A), ACL (CCF A), WSDM (CCF B), CIKM (CCF B), ACM Transactions on Information Systems (TOIS, CCF A), and IEEE Transactions on Knowledge and Data Engineering (TKDE, CCF A), especially in the fields of expert finding, online learning, modal logic, and community-based question answering. According to Google Scholar, he has over 20,000 citations and an h-index of 65. Professor Maarten de Rijke has served as chair of the conference or program committee for various meetings in the field of information retrieval, including SIGIR, WWW, WSDM, and CIKM.
He is currently the director of the Amsterdam Data Science Center and the director of the Ad de Jonge Intelligence and Safety Center in the Netherlands, as well as the director of the Master of Artificial Intelligence program at the University of Amsterdam. Professor Maarten de Rijke is also the editor-in-chief of several top journals in the field of information retrieval and information systems, including ACM Transactions on Information Systems (TOIS, CCF A).

Abstract: Interaction with information is a fundamental activity of the human condition. Interactions with search systems play an important role in the daily activities of many people, so as to inform their decisions and guide their actions. For many years, the field of IR has accepted "the provision of relevant documents" as the goal of its most
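The trace-abstraction loop sketched in the Automizer course overview above (the program as an automaton over a finite alphabet of statements, a proof automaton that accepts exactly the statement sequences with a Hoare-style proof, and the covering check as an automata inclusion test) in miniature. This is an added example written for this page, not Automizer's code: the three-statement program, its predicates, and the bounded integer domain that stands in for the SMT queries a real tool would issue are all constructed here, and the loop invariant used in the second refinement round (x>=0) is supplied by hand rather than computed by interpolation.

```python
"""Trace abstraction in miniature (hypothetical example, not Automizer's implementation)."""
from collections import deque

# Program under analysis:  x := 0; while (*) { x := x + 1 }; assert x >= 0
# Each statement is a letter of the alphabet; its semantics is a function on x.
# None means the statement blocks (a failed assume), i.e. the trace is infeasible there.
STATEMENTS = {
    "x:=0":       lambda x: 0,
    "x:=x+1":     lambda x: x + 1,
    "assume x<0": lambda x: x if x < 0 else None,   # entering the error location
}

# Program automaton: locations are states, the error location is the only accepting
# state, so the language is exactly the set of statement sequences reaching the error.
PROGRAM = {
    "init": "l0",
    "accept": {"err"},
    "trans": {("l0", "x:=0"): "l1", ("l1", "x:=x+1"): "l1", ("l1", "assume x<0"): "err"},
}

# Candidate predicates over x (the "proof of a certain form" uses only these).
PREDICATES = {
    "true":  lambda x: True,
    "x==0":  lambda x: x == 0,
    "x>=0":  lambda x: x >= 0,
    "false": lambda x: False,
}
DOMAIN = range(-4, 5)   # bounded stand-in for the solver; can miss violations outside it

def triple_valid(pre, stmt, post):
    """Bounded check of the Hoare triple {pre} stmt {post} over DOMAIN."""
    for x in DOMAIN:
        if not PREDICATES[pre](x):
            continue
        y = STATEMENTS[stmt](x)
        if y is not None and not PREDICATES[post](y):
            return False
    return True

def proof_automaton(pred_names):
    """Interpolant automaton: states are predicates; q -stmt-> q' iff {q} stmt {q'} holds.
    Runs from 'true' to 'false' are exactly the statement sequences proved infeasible."""
    trans = {(p, s): {q for q in pred_names if triple_valid(p, s, q)}
             for p in pred_names for s in STATEMENTS}
    return {"init": "true", "accept": {"false"}, "trans": trans}

def uncovered_trace(program, proofs):
    """Covering check L(program) subset-of union L(proofs), done as a breadth-first search
    over the product of the program automaton with the subset construction of each proof
    automaton. Returns a shortest error trace no proof accepts, or None if covered."""
    start = (program["init"], tuple(frozenset({pr["init"]}) for pr in proofs))
    seen, queue = {start}, deque([(start, ())])
    while queue:
        (loc, subsets), word = queue.popleft()
        accepted = any(qs & pr["accept"] for qs, pr in zip(subsets, proofs))
        if loc in program["accept"] and not accepted:
            return word                      # counterexample for the next refinement round
        for stmt in STATEMENTS:
            nloc = program["trans"].get((loc, stmt))
            if nloc is None:
                continue
            nsubsets = tuple(frozenset(q2 for q in qs for q2 in pr["trans"].get((q, stmt), ()))
                             for qs, pr in zip(subsets, proofs))
            state = (nloc, nsubsets)
            if state not in seen:
                seen.add(state)
                queue.append((state, word + (stmt,)))
    return None

def refine_until_covered(program, predicate_sets):
    """One round per predicate set: add a proof automaton, re-run the covering check, stop
    once the proofs so far cover every error trace. Returns the per-round verdicts
    (a counterexample trace, or None once covered)."""
    proofs, history = [], []
    for preds in predicate_sets:
        proofs.append(proof_automaton(preds))
        cex = uncovered_trace(program, proofs)
        history.append(cex)
        if cex is None:
            break
    return history

if __name__ == "__main__":
    # Round 1: predicates good enough for the shortest error trace "x:=0; assume x<0".
    # Round 2: add the loop invariant x>=0, which also covers every looping trace.
    print(refine_until_covered(PROGRAM, [["true", "x==0", "false"], ["true", "x>=0", "false"]]))
```

Run as a script this prints `[('x:=0', 'x:=x+1', 'assume x<0'), None]`: the first predicate set proves only the loop-free trace infeasible, the covering check returns the two-iteration trace as the shortest one not yet proved, and the second round's invariant covers all of them. Note that the bounded `triple_valid` can only err on the unsafe side (accepting a triple that fails outside DOMAIN), which is why a real tool asks a solver for each triple.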