
Formal Aspects of Component Software: 9th International Symposium, FACS 2012, Mountain View, CA, USA, September 12-14, 2012. Revised Selected Papers PDF

285 Pages·2013·3.859 MB·English
Lecture Notes in Computer Science 7684
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Madhu Sudan, Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbruecken, Germany

Corina S. Păsăreanu, Gwen Salaün (Eds.)
Formal Aspects of Component Software
9th International Symposium, FACS 2012
Mountain View, CA, USA, September 12-14, 2012
Revised Selected Papers

Volume Editors
Corina S. Păsăreanu, NASA Ames Research Center, Mail Stop 269-2, Moffett Field, CA 94035, USA. E-mail: [email protected]
Gwen Salaün, INRIA Grenoble-Rhône-Alpes / CONVECS, 655, avenue de l'Europe, 38330 Montbonnot Saint-Martin, France. E-mail: [email protected]

ISSN 0302-9743, e-ISSN 1611-3349
ISBN 978-3-642-35860-9, e-ISBN 978-3-642-35861-6
DOI 10.1007/978-3-642-35861-6
Springer Heidelberg Dordrecht London New York
Library of Congress Control Number: 2012954531
CR Subject Classification (1998): D.2.4, D.2, F.4, F.3, H.3.5, D.3, D.1, K.6.3
LNCS Sublibrary: SL 2 – Programming and Software Engineering

© Springer-Verlag Berlin Heidelberg 2013
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.
The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)

Preface

This volume contains the papers presented at FACS 2012, the 9th International Symposium on Formal Aspects of Component Software held during September 12–14, 2012, in Mountain View, California. This was the first international FACS Symposium held outside Europe. The symposium featured a strong technical program consisting of peer-reviewed presentations, two invited talks, and a panel. The event was organized by Carnegie Mellon University, Silicon Valley, and was held on the grounds of the NASA Ames Research Park.

The component-based software development approach has emerged as a promising paradigm to cope with the complexity of present-day software systems by bringing sound engineering principles into software engineering. The FACS Symposium is concerned with how formal methods can be used to make component-based software development succeed. The symposium targets challenging issues such as mathematical models for components, composition and adaptation, and rigorous approaches to verification, deployment, testing, and certification for component software. FACS 2012 addressed the applications of formal methods in all aspects of software components and services.

The first invited talk was titled "Analyzing Interactions of Asynchronously Communicating Software Components" and was given by Tevfik Bultan from the University of California at Santa Barbara. The second invited talk was titled "Safe Programming of Asynchronous Interaction: Can We Do It for Real?" and was given by Shaz Qadeer from Microsoft Research.

The panel was led by Natarajan Shankar, from the Stanford Research Institute, and it addressed the impact of emerging technologies, such as cloud computing, cyber-physical, biological and distributed systems, on component software. The panel participants were Dimitra Giannakopoulou (from NASA Ames Research Center), Shaz Qadeer, Natarajan Shankar, and the two Program Chairs.

There were 40 submissions. Each submission was reviewed by at least three Program Committee members. The committee decided to accept 16 papers. The submission and reviewing of the papers was done via EasyChair.

We would like to thank Javier Camara, for his work as publicity chair, and Guy Power, Hector Rastrullo and Jose Miguel Rojas Siles for their help with the local organization.

September 2012
Corina S. Păsăreanu
Gwen Salaün

Organization

Program Committee
Erika Abraham, RWTH Aachen University, Germany
Farhad Arbab, CWI and Leiden University, The Netherlands
Christian Attiogbe, University of Nantes, France
Christel Baier, Technical University of Dresden, Germany
Luis Barbosa, Universidade do Minho, Portugal
Roberto Bruni, Università di Pisa, Italy
Carlos Canal, University of Málaga, Spain
Frank De Boer, CWI, The Netherlands
José Luiz Fiadeiro, University of Leicester, UK
Carlo Ghezzi, Politecnico di Milano, Italy
Rolf Hennicker, Ludwig-Maximilians-Universität München, Germany
Zhiming Liu, United Nations University - International Institute for Software Technology, Macao
Markus Lumpe, Swinburne University of Technology, Australia
Eric Madelaine, INRIA, France
John Mullins, Ecole Polytechnique de Montreal, Canada
Peter Olveczky, University of Oslo, Norway
Corina Pasareanu, CMU/NASA Ames Research Center, USA
Frantisek Plasil, Charles University, Prague, Czech Republic
Pascal Poizat, Université d'Evry Val d'Essonne and CNRS, France
Shaz Qadeer, Microsoft, USA
John Rushby, SRI International, USA
Gwen Salaun, Grenoble INP - INRIA - LIG, France
Bernhard Schatz, TU München, Germany
Nishant Sinha, NEC Labs, USA
Marjan Sirjani, Reykjavik University, Iceland
Volker Stolz, University of Oslo, Norway
Meng Sun, Peking University, China
Carolyn Talcott, SRI International, USA
Oksana Tkachuk, Fujitsu Laboratories of America
Sebastian Uchitel, University of Buenos Aires and Imperial College London, Argentina and UK
Gianluigi Zavattaro, University of Bologna, Italy

Additional Reviewers
Andre, Pascal
Blech, Jan Olaf
Cengarle, María Victoria
Chesani, Federico
Corzilius, Florian
Dan, Li
Faber, Johannes
Filieri, Antonio
Gerostathopoulos, Ilias
Greenyer, Joel
Izadi, Mohammad
Izadi, Mohammad-Javad
Jaghoori, Mohammad Mahdi
Jancik, Pavel
Jansen, Nils
Khamespanah, Ehsan
Klueppelholz, Sascha
Knapp, Alexander
Kofron, Jan
Koss, Dagmar
Krause, Christian
Kupke, Clemens
Lanoix, Arnaud
Lascu, Tudor
Lauer, Michaël
Loup, Ulrich
Malkis, Alexander
Malohlava, Michal
Mayer, Philip
Melgratti, Hernan
Meriem, Ouederni
Nellen, Johanna
Proenca, Jose
Qamar, Nafees
Rensink, Arend
Rot, Jurriaan
Salvaneschi, Guido
Savu, Alexandra
Schorp, Konstantin
Srba, Jiri
Stahl, Christian
Tuosto, Emilio

Table of Contents

Formal Patterns for Multi-rate Distributed Real-Time Systems (p. 1)
  Kyungmin Bae, José Meseguer, and Peter Csaba Ölveczky
Component Interfaces with Contracts on Ports (p. 19)
  Sebastian Bauer, Rolf Hennicker, and Axel Legay
Avoiding Diamonds in Desynchronization (p. 36)
  Harsh Beohar and Pieter J.L. Cuijpers
The Tale of SOLOIST: A Specification Language for Service Compositions Interactions (p. 55)
  Domenico Bianculli, Carlo Ghezzi, and Pierluigi San Pietro
A Categorical Approach to Structuring and Promoting Z Specifications (p. 73)
  Pablo F. Castro, Nazareno Aguirre, Carlos Gustavo López Pombo, and Tom Maibaum
Assume-Guarantee Reasoning for Safe Component Behaviours (p. 92)
  Chris Chilton, Bengt Jonsson, and Marta Kwiatkowska
A Petri Net Based Analysis of Deadlocks for Active Objects and Futures (p. 110)
  Frank S. de Boer, Mario Bravetti, Immo Grabe, Matias Lee, Martin Steffen, and Gianluigi Zavattaro
Run-Time Verification of Black-Box Components Using Behavioral Specifications: An Experience Report on Tool Development (p. 128)
  Frank S. de Boer and Stijn de Gouw
Symbolic Counterexample Generation for Discrete-Time Markov Chains (p. 134)
  Nils Jansen, Erika Ábrahám, Barna Zajzon, Ralf Wimmer, Johann Schuster, Joost-Pieter Katoen, and Bernd Becker
Xcd – Modular, Realizable Software Architectures (p. 152)
  Christos Kloukinas and Mert Ozkaya
LOVER: Light-Weight fOrmal Verification of adaptivE Systems at Run Time (p. 170)
  Amir Molzam Sharifloo and Paola Spoletini
A Calculus for Quality (p. 188)
  Hanne Riis Nielson, Flemming Nielson, and Roberto Vigo
Model Checking of Qualitative Sensitivity Preferences to Minimize Credential Disclosure (p. 205)
  Zachary J. Oster, Ganesh Ram Santhanam, Samik Basu, and Vasant Honavar
IBOS: A Correct-By-Construction Modular Browser (p. 224)
  Ralf Sasse, Samuel T. King, José Meseguer, and Shuo Tang
Guided Search for Deadlocks in Actor-Based Models (p. 242)
  Steinar Hugi Sigurdarson, Marjan Sirjani, Yngvi Björnsson, and Arni Hermann Reynisson
Assumption Generation for Asynchronous Systems by Abstraction Refinement (p. 260)
  Qiusong Yang, Edmund M. Clarke, Anvesh Komuravelli, and Mingshu Li
Author Index (p. 277)

Formal Patterns for Multi-rate Distributed Real-Time Systems*

Kyungmin Bae (1), José Meseguer (1), and Peter Csaba Ölveczky (2)
1 University of Illinois at Urbana-Champaign
2 University of Oslo

* This work was partially supported by Boeing Corporation Grant C8088 and NSF Grant CCF 09-05584.

C.S. Păsăreanu and G. Salaün (Eds.): FACS 2012, LNCS 7684, pp. 1–18, 2013. © Springer-Verlag Berlin Heidelberg 2013

Abstract.
Distributed real-time systems (DRTSs), such as avionics and automotive systems, are very hard to design and verify. Besides the difficulties of asynchrony, clock skews, and network delays, an additional source of complexity comes from the multirate nature of many such systems, which must implement several levels of hierarchical control at different rates. In this work we present several simple model transformations and a multirate extension of the PALS pattern which can be combined to reduce the design and verification of a virtually synchronous multirate DRTS to the much simpler task of specifying and verifying a single synchronous system. We illustrate the ideas with a multirate hierarchical control system where a central controller orchestrates control systems in the ailerons and tail of an airplane to perform turning maneuvers.

1 Introduction

Many cyber-physical systems such as cars, airplanes, and networked medical devices are virtually synchronous distributed real-time systems (DRTSs), where many components interact asynchronously through a network, yet must obey hard real-time synchronization constraints which are essential to their correctness. As these systems grow in complexity before our eyes, their safety-critical nature and associated certification requirements make their development increasingly challenging, to the point where verification efforts can easily dominate the cost of system development. The complexities of concurrency, network communication, clock skews, hard real-time constraints, and synchronization constraints make verification a daunting task. To make things worse, formal verification by automatic methods such as model checking is all but impossible even for small systems, due to the state space explosion caused by asynchrony. For these reasons, a component-based, modular approach to DRTS design based on reusable complexity-reducing formal patterns that can drastically reduce the effort and cost involved in DRTS design, implementation, and verification is sorely needed.

Several such formal patterns have been proposed. They offer impressive reductions in system complexity and make automatic verification possible where it was impossible before. For DRTSs that must obey virtual synchrony, both the PALS ("Physically Asynchronous Logically Synchronous") pattern developed with our colleagues at UIUC and Rockwell-Collins [11,10], and the TTA patterns proposed in [8,15] can greatly reduce system complexity and make verification much easier. For example, for an avionics case study considered in [10], the number of system states in the simplest possible distributed version with perfect clocks and no network delays was 3,047,832, but the PALS pattern reduced the number of states to be analyzed to a mere 185. This is certainly helpful; but the problem still remains that patterns such as PALS and TTA assume a single period for the virtually synchronous system. This excludes many DRTSs, in fact the majority, which are multirate. It is a fact of life that different sensors and effectors need to operate at different rates, and that this necessitates using slower rates in the distributed control hierarchies that orchestrate and synchronize their actions in, say, a car or an airplane.

The goal of the present work is to propose Multirate PALS as a formalized mathematical model providing a formal pattern that can drastically reduce the complexity of designing, verifying, and implementing multirate DRTSs. In particular, we prove that the entire DRTS design as a concurrent system of asynchronous components communicating on a network is bisimilar to an enormously simpler synchronous multirate ensemble of state machines. This bisimilarity provides a very drastic reduction in the number of states, making model checking verification possible in many cases where it is unfeasible for the original DRTS. As we explain in more detail in Section 6, our work shares the same complexity-reducing goals as those of our colleagues in [1], who have made a similar, but substantially different, proposal of a multirate PALS architecture expressed in terms of the AADL modeling language. We differ from [1] not only on the model of Multirate PALS that is actually proposed, but more importantly in providing mathematical foundations for the Multirate PALS model, its asynchronous counterpart, and the bisimulation relation between both, which are not available in [1].

Our approach, formalized in the Real-Time Maude specification language [13], is highly modular and consists of expressing Multirate PALS itself as the composition of several simple formal patterns, including a modified version of PALS. Based on those patterns, we give a formal specification of Multirate PALS as a model transformation (E, T, Γ) ↦ MA(E, T, Γ), which maps a multirate ensemble E, where E is a mathematical model of a collection of interconnected state machines running at different rates, yet synchronously in terms of their hyperperiod T, and performance parameters Γ, to a semantically equivalent specification of distributed components MA(E, T, Γ). In summary, the new contributions of this work are:

1. The mathematical definitions of a number of simple formal patterns, and of a multirate ensemble E and its synchronous composition MRSC(E).
2. The mathematical definition of Multirate PALS as a transformation (E, T, Γ) ↦ MA(E, T, Γ), and a bisimulation theorem, proving that the state machine MRSC(E) and the real-time system Stable(MA(E, T, Γ)) associated with MA(E, T, Γ) are bisimilar and satisfy the same CTL* formulas.
