Elena Giachino, Reiner Hähnle, Frank S. de Boer, Marcello M. Bonsangue (Eds.)

Formal Methods for Components and Objects
11th International Symposium, FMCO 2012, Bertinoro, Italy, September 2012, Revised Lectures

Lecture Notes in Computer Science 7866
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Madhu Sudan, Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbruecken, Germany
Formal Methods for Components and Objects
11th International Symposium, FMCO 2012, Bertinoro, Italy, September 24-28, 2012, Revised Lectures

Volume Editors
Elena Giachino, University of Bologna, Dept. of Computer Science, Mura Anteo Zamboni 7, 40127 Bologna, Italy. E-mail: [email protected]
Reiner Hähnle, Technical University of Darmstadt, Dept. of Computer Science, Hochschulstr. 10, 64289 Darmstadt, Germany. E-mail: [email protected]
Frank S. de Boer, Centre for Mathematics and Computer Science, CWI, Science Park 123, 1098 XG Amsterdam, The Netherlands. E-mail: [email protected]
Marcello M. Bonsangue, Leiden University, Leiden Institute of Advanced Computer Science (LIACS), P.O. Box 9512, 2300 RA Leiden, The Netherlands. E-mail: [email protected]

ISSN 0302-9743, e-ISSN 1611-3349
ISBN 978-3-642-40614-0, e-ISBN 978-3-642-40615-7
DOI 10.1007/978-3-642-40615-7
Springer Heidelberg New York Dordrecht London
Library of Congress Control Number: 2013946244
CR Subject Classification (1998): D.2.4, D.2, F.3, F.4, D.3, D.1
LNCS Sublibrary: SL 2 – Programming and Software Engineering
© Springer-Verlag Berlin Heidelberg 2013
Preface

Modern software systems are complex and often structured as a composition of a high number of components or objects. In order to construct such complex systems in a systematic manner, the focus in development methodologies is on structural issues: both data and functions are encapsulated into software units that are integrated into large systems by means of various techniques supporting reusability and modifiability. This encapsulation principle is essential to both the object-oriented and the component-based software engineering paradigms.

Formal methods for component- and object-oriented systems are needed to ensure behavioral and security guarantees, with special emphasis on specification, modeling and validation techniques supporting the concepts of reusability, adaptability and evolvability of the systems, with which the systems can cope with changes in the environment as well as with modified and new requirements.

The 11th Symposium on Formal Methods for Components and Objects (FMCO 2012) was held during September 24–28, 2012, as an international school at Centro Residenziale Universitario (CRU) of the University of Bologna, located in Bertinoro, a small medieval hilltop town in Italy.
FMCO 2012 was organized by the European project HATS (Highly Adaptable and Trustworthy Software using Formal Models), a European Integrated Project within the FET Forever Yours programme, in agreement with the EternalS Coordination Action (CA) that coordinates research among the four projects of the Forever Yours initiative: LivingKnowledge, HATS, Connect, and SecureChange.

FMCO 2012 featured lectures by world-renowned experts in the area of formal models for objects and components. This volume contains the revised papers submitted by the lecturers. The proceedings of the previous editions of FMCO have been published as volumes 2852, 3188, 3657, 4111, 4709, 5382, 5751, 6286, 6957, and 7542 of Springer's Lecture Notes in Computer Science. We believe that this volume and all previous proceedings provide a unique combination of ideas on software engineering and formal methods that reflect the expanding body of knowledge on modern software systems.

Finally, we thank all authors for the high quality of their contributions, and the reviewers for their help in improving the papers in this volume.

June 2013
Frank de Boer, Marcello Bonsangue, Elena Giachino, Reiner Hähnle

Organization

FMCO 2012 was organized by the University of Bologna, Italy, in close collaboration with the Technical University of Darmstadt, Germany, the Centrum voor Wiskunde en Informatica (CWI), Amsterdam, and Leiden University, The Netherlands.
Program Organizers
Einar Broch Johnsen, University of Oslo, Norway
Reiner Hähnle, Technical University of Darmstadt, Germany
Arnd Poetzsch-Heffter, Technical University of Kaiserslautern, Germany
German Puebla, Universidad Politecnica de Madrid, Spain
Davide Sangiorgi, University of Bologna, Italy

Local Organizers
Mario Bravetti, University of Bologna, Italy
Elena Giachino, University of Bologna, Italy
Davide Sangiorgi, University of Bologna, Italy

Sponsoring Institutions
European project HATS (FP7-231620)
European Coordination Action EternalS

Table of Contents
The Abstract Behavioral Specification Language: A Tutorial Introduction (Reiner Hähnle) ... 1
Subobject-Oriented Programming (Marko van Dooren, Dave Clarke, and Bart Jacobs) ... 38
Verification of Open Concurrent Object Systems (Ilham W. Kurnia and Arnd Poetzsch-Heffter) ... 83
Automatic Inference of Bounds on Resource Consumption (Elvira Albert, Diego Esteban Alonso-Blas, Puri Arenas, Jesús Correas, Antonio Flores-Montoya, Samir Genaim, Miguel Gómez-Zamalloa, Abu Naser Masud, German Puebla, José Miguel Rojas, Guillermo Román-Díez, and Damiano Zanardini) ... 119
Separating Cost and Capacity for Load Balancing in ABS Deployment Models (Einar Broch Johnsen) ... 145
Composing Distributed Systems: Overcoming the Interoperability Challenge (Valérie Issarny and Amel Bennaceur) ... 168
Controlling Application Interactions on the Novel Smart Cards with Security-by-Contract (Olga Gadyatskaya and Fabio Massacci) ... 197
Formal Aspects of Free and Open Source Software Components (Roberto Di Cosmo, Ralf Treinen, and Stefano Zacchiroli) ... 216
Author Index ... 241

The Abstract Behavioral Specification Language: A Tutorial Introduction*

Reiner Hähnle
Department of Computer Science, Technische Universität Darmstadt
[email protected]

Abstract. ABS (for abstract behavioral specification) is a novel language for modeling feature-rich, distributed, object-oriented systems at an abstract, yet precise level. ABS has a clear and simple concurrency model that permits synchronous as well as actor-style asynchronous communication. ABS abstracts away from specific datatype or I/O implementations, but is a fully executable language and has code generators for Java, Scala, and Maude. ABS goes beyond conventional programming languages in two important aspects: first, it embeds architectural concepts such as components or feature hierarchies and allows one to connect features with their implementation in terms of product families. In contrast to standard OO languages, code reuse in ABS is feature-based instead of inheritance-based. Second, ABS has a formal semantics and has been designed with formal analyzability in mind. This paper gives a tutorial introduction to ABS. We discuss all important design features, explain why they are present and how they are intended to be used.

1 Introduction

Software used to be written for (i) a dedicated purpose, to be (ii) deployed in a specific environment, and (iii) to be executed on a stand-alone machine. This situation has changed drastically: all consumer appliances of a certain complexity, from washing machines via mobile phones to vehicles, contain large amounts of software. High diversification and the rapid pace of change dictated by contemporary market conditions require that this software is able to cope with an extreme degree of variability and adaptability. Planned reuse is not just an option, but a key strategy for staying competitive.

At the same time, modern software is nearly always concurrent and mostly also distributed. It is hard to imagine state-of-the-art business software that is not based on some notion of distributed services.
A more recent trend is virtualization: as more and more software is deployed in the cloud, one consequence is that clients lose, to some extent, control over the execution environment. The exact architecture, the number of processors, the load, as well as other deployment parameters are typically not available at the time when the software is developed. Because of this, the trend to virtualization leads to a new potential gap in the software development chain between developers and operators.

* Research funded by the EU project FP7-231620 HATS: Highly Adaptable and Trustworthy Software using Formal Models (http://www.hats-project.eu).

E. Giachino et al. (Eds.): FMCO 2012, LNCS 7866, pp. 1–37, 2013. © Springer-Verlag Berlin Heidelberg 2013

In a software development scenario where one has to deal with extreme variability, with complex distributed computation, and with the need to abstract from deployment issues, the availability of suitable software modeling languages, as well as of powerful tools helping in automation, becomes crucial.

Design-oriented and architectural languages, notably the UML family of notations, cannot fulfill this role, because they lack executability and mathematical rigor. Executable formalisms for specifying concurrent behavior, such as state charts [28], process calculi [38], abstract state machines [7], or Petri nets [24], are simply too minimalist to describe industrial systems. In addition, they are not integrated with architectural notations or with feature description languages [45] that model variability. The latter, however, do not provide a connection between features and their realization.
Refinement-based approaches, such as Event-B [1], require too much rigor in their application to be feasible outside extremely safety-critical applications. They also do not address variability. Finally, implementation-oriented specification languages, such as JML [34] (for Java) or SPEC# [6] (for C#), inherit all the complications and idiosyncrasies of their host languages and are not very good at specifying concurrent behavior.

Our brief analysis exhibits a gap in the landscape of software specification and modeling languages. The European FP7 Integrated Project HATS (Highly Adaptable & Trustworthy Software Using Formal Models) developed the Abstract Behavioral Specification (ABS) language in order to address this issue. ABS is a software modeling language that is situated between architectural, design-oriented, foundational, and implementation-oriented languages, see Fig. 1.

1.1 Structure of This Chapter

In this chapter we give a tutorial introduction to the design principles, language elements, and usage of the ABS language. We discuss the design considerations behind ABS in Sect. 2 and give an architectural overview in Sect. 3. Then we present the different language layers, starting with the functional layer in Sect. 4, followed by the OO-imperative layer in Sect. 5, the concurrency layers in Sect. 6, and language extensions based on pluggable type systems as well as a foreign language interface (Sect. 7). On top of these layers are language concepts for the modeling of software product lines. These are discussed in Sect. 8. We close the tutorial with some general considerations on modeling and a discussion of the current limitations of ABS in Sect. 9.

1.2 Further Reading

This paper is a tutorial on ABS and neither a language specification nor a formal definition. A more technical and more detailed description of ABS and its toolset is contained in the paper trio [9,25,31]. The most detailed document about ABS that also contains a formal semantics is [17]. The official ABS Language Specification is [2].
The main web resources for ABS are http://www.hats-project.eu and www.abs-models.org. Finally, for several case studies done with ABS, one can have a look at the public HATS Deliverable D5.3 [19].

[Fig. 1. The gap in the landscape of software modeling languages. The figure places ABS (Abstract Behavioral Specification) between three groups: design-oriented, architectural and structural languages (UML, FDL, etc.), which ABS extends with executability; implementation-level languages (Java/JML, C#/SPEC#, etc.), relative to which ABS adds verifiability; and minimalist foundational calculi (π-calculus, ambient calculus, etc.), relative to which ABS adds usability. The axis labels "Abstract" and "Realistic" also appear in the figure.]

It is stressed at several places in this tutorial that ABS has been designed with the goal of permitting automatic static analyses of various kinds. This tutorial concentrates on the ABS language and its development environment. In the paper by Albert et al. in this volume [4], automated resource analysis for ABS is explained in detail. Information on deadlock analysis and formal verification of ABS can be found in [18]. The chapter by Kurnia & Poetzsch-Heffter in this volume [33] contains a general discussion of verification of concurrent open systems such as ABS models.

1.3 Installation of the ABS Eclipse Plugin

For trying out the examples provided in this tutorial you will need the ABS Eclipse plugin. To install it, follow the simple instructions at http://tools.hats-project.eu/eclipseplugin/installation.html. You will need at least Eclipse version 3.6.2, and it is recommended to work with a clean installation. The example project used throughout this tutorial is available as an archive from http://www.hats-project.eu/sites/default/files/TutorialExample.zip. Note that both the plugin site and the archive are referenced over plain HTTP and no checksum or signature is given here, so obtain them over a connection you trust. To install, unzip the archive file into a directory /mypath/Account. Then create a new ABS Project in Eclipse and import the directory's file contents into the workspace in the usual way. This automatically opens the ABS Modeling Perspective. After opening a few files in the editor you should see a screen similar to the one in Fig. 2.
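As an added smoke test for the freshly installed plugin (this module is written for this edition of the tutorial; it is not one of the files in TutorialExample.zip, and the module, interface and class names are made up), the following ABS model exercises the two communication styles named in the abstract: a synchronous call, which blocks the caller until the callee returns, and an actor-style asynchronous call, which returns a future that the caller later awaits. The `withdraw` method keeps its guard inside the object, so the balance invariant holds regardless of the order in which concurrent callers' messages are scheduled. Create a new `.abs` file in the imported project, paste the model, and run it with the plugin's Java backend; if it type-checks and runs, the installation works.

```abs
module SmokeTest;

// Hypothetical interface and class for this smoke test (not from the
// tutorial's example project). Int, Fut, await and f.get are core ABS.
interface Account {
    Int getBalance();
    Int deposit(Int amount);
    Int withdraw(Int amount);
}

// Class parameters become fields; balance is the only state.
class AccountImpl(Int balance) implements Account {
    Int getBalance() { return balance; }

    Int deposit(Int amount) {
        if (amount > 0) { balance = balance + amount; }
        return balance;
    }

    // The guard lives inside the object, so no interleaving of
    // asynchronous callers can drive the balance below zero.
    Int withdraw(Int amount) {
        if (amount > 0 && balance - amount >= 0) {
            balance = balance - amount;
        }
        return balance;
    }
}

// Main block of the module.
{
    // Created with plain "new", so the object shares the main block's
    // concurrent object group and a synchronous call is permitted.
    Account acc = new AccountImpl(100);

    // Synchronous call: the caller blocks until deposit returns.
    Int afterDeposit = acc.deposit(50);

    // Asynchronous call: returns a future immediately; "await f?"
    // releases the caller's group until the future is resolved.
    Fut<Int> f = acc!withdraw(500);
    await f?;
    Int afterWithdraw = f.get;

    // Both values can be inspected in the debugger or by adding a
    // final synchronous acc.getBalance() call.
}
```

The overdraft attempt is rejected inside `withdraw` rather than by the caller; this is the pattern to prefer when the same object will later be placed in its own concurrent object group (`new cog AccountImpl(...)`) and only reachable through asynchronous calls, because a check performed by the caller before sending the message would race with other callers.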