Lecture Notes in Computer Science 4709 CommencedPublicationin1973 FoundingandFormerSeriesEditors: GerhardGoos,JurisHartmanis,andJanvanLeeuwen EditorialBoard DavidHutchison LancasterUniversity,UK TakeoKanade CarnegieMellonUniversity,Pittsburgh,PA,USA JosefKittler UniversityofSurrey,Guildford,UK JonM.Kleinberg CornellUniversity,Ithaca,NY,USA FriedemannMattern ETHZurich,Switzerland JohnC.Mitchell StanfordUniversity,CA,USA MoniNaor WeizmannInstituteofScience,Rehovot,Israel OscarNierstrasz UniversityofBern,Switzerland C.PanduRangan IndianInstituteofTechnology,Madras,India BernhardSteffen UniversityofDortmund,Germany MadhuSudan MassachusettsInstituteofTechnology,MA,USA DemetriTerzopoulos UniversityofCalifornia,LosAngeles,CA,USA DougTygar UniversityofCalifornia,Berkeley,CA,USA MosheY.Vardi RiceUniversity,Houston,TX,USA GerhardWeikum Max-PlanckInstituteofComputerScience,Saarbruecken,Germany Frank S. de Boer Marcello M. Bonsangue Susanne Graf Willem-Paul de Roever (Eds.) Formal Methods for Components and Objects 5th International Symposium, FMCO 2006 Amsterdam, The Netherlands, November 7-10, 2006 Revised Lectures 1 3 VolumeEditors FrankS.deBoer CentreforMathematicsandComputerScience,CWI Kruislaan413,1098SJAmsterdam,TheNetherlands E-mail:[email protected] MarcelloM.Bonsangue LeidenUniversity LeidenInstituteofAdvancedComputerScience 2300RALeiden,TheNetherlands E-mail:[email protected] SusanneGraf VERIMAG 2AvenuedeVignate,38610Grenoble-Gières,France E-mail:[email protected] Willem-PauldeRoever UniversityofKiel InstituteofComputerScienceandAppliedMathematics Hermann-Rodewald-Str.3,24118Kiel,Germany E-mail:[email protected] LibraryofCongressControlNumber:Appliedfor CRSubjectClassification(1998):D.2,D.3,F.3,D.4 LNCSSublibrary:SL2–ProgrammingandSoftwareEngineering ISSN 0302-9743 ISBN-10 3-540-74791-5SpringerBerlinHeidelbergNewYork ISBN-13 978-3-540-74791-8SpringerBerlinHeidelbergNewYork Thisworkissubjecttocopyright.Allrightsarereserved,whetherthewholeorpartofthematerialis concerned,specificallytherightsoftranslation,reprinting,re-useofillustrations,recitation,broadcasting, reproductiononmicrofilmsorinanyotherway,andstorageindatabanks.Duplicationofthispublication orpartsthereofispermittedonlyundertheprovisionsoftheGermanCopyrightLawofSeptember9,1965, initscurrentversion,andpermissionforusemustalwaysbeobtainedfromSpringer.Violationsareliable toprosecutionundertheGermanCopyrightLaw. SpringerisapartofSpringerScience+BusinessMedia springer.com ©Springer-VerlagBerlinHeidelberg2007 PrintedinGermany Typesetting:Camera-readybyauthor,dataconversionbyScientificPublishingServices,Chennai,India Printedonacid-freepaper SPIN:12119530 06/3180 543210 Preface Large and complex software systems provide the necessary infrastructure in all industriestoday.Inordertoconstructsuchlargesystemsinasystematicmanner, thefocusinthedevelopmentmethodologieshasswitchedinthelasttwodecades from functional issues to structural issues: both data and functions are encap- sulated into software units which are integrated into large systems by means of various techniques supporting reusability and modifiability. This encapsulation principleisessentialtoboththeobject-orientedandthemorerecentcomponent- based software engineering paradigms. Formalmethodshavebeenappliedsuccessfullytotheverificationofmedium- sized programs in protocol and hardware design. However, their application to the developmentoflargesystems requiresmoreemphasis onspecification,mod- eling and validation techniques supporting the concepts of reusability and mod- ifiability, and their implementation in new extensions of existing programming languages like Java. The fifth international symposium on Formal Methods for Components and Objects (FMCO 2006) was held in Amsterdam, The Netherlands, June 7–11, 2007.Theprogramconsistedofinvitedkeynotelecturesandtutoriallecturesse- lected through a correspondingopen-call. The latter provide a tutorial perspec- tiveonrecentdevelopments.Incontrasttomanyexistingconferences,abouthalf of the program consisted of invited keynote lectures by top researchers sharing theirinterestintheapplicationordevelopmentofformalmethodsforlarge-scale softwaresystems (objectorcomponentoriented).FMCO doesnotfocus onspe- cificaspectsoftheuseofformalmethods,butratheritaimsatasystematicand comprehensiveaccountoftheexpandingbodyofknowledgeonmodernsoftware systems. This volume contains the contributions submitted after the symposium by boththeinvitedandselectedlecturers.TheproceedingsofFMCO2002,FMCO 2003, FMCO 2004 and FMCO 2005 have already been published as volumes 2852,3188,3657,and4111ofSpringer’sLectureNotes in Computer Science.We believethattheseproceedingsprovideauniquecombinationofideasonsoftware engineeringand formalmethods which reflectthe expanding body ofknowledge on modern software systems. Finally, we thank all authors for the high quality of their contributions, and the reviewers for their help in improving the papers for this volume. June 2007 Frank de Boer Marcello Bonsangue Susanne Graf Willem-Paul de Roever Organization The FMCO symposia are organized in the context of the project Mobi-J, a project founded by a bilateral research program of The Dutch Organization forScientificResearch(NWO)andtheCentralPublicFundingOrganizationfor AcademicResearchinGermany(DFG).ThepartnersoftheMobi-Jprojectsare: the Centrum voor Wiskunde en Informatica, the Leiden Institute of Advanced Computer Science, and the Christian-Albrechts-Universita¨tKiel. This project aims at the development of a programming environment which supports component-based design and verification of Java programs annotated with assertions. The overall approach is based on an extension of the Java lan- guage with a notion of component that provides for the encapsulation of its internal processing of data and composition in a network by means of mobile asynchronous channels. Sponsoring Institutions The Dutch Organizationfor Scientific Research (NWO) The Royal Netherlands Academy of Arts and Sciences (KNAW) The Dutch Institute for Programming research and Algorithmics (IPA) The Centrum voor Wiskunde en Informatica (CWI), The Netherlands TheLeidenInstitute ofAdvancedComputerScience(LIACS), TheNetherlands Table of Contents Testing Model-Based Testing of Environmental Conformance of Components ... 1 Lars Frantzen and Jan Tretmans Exhaustive Testing of Exception Handlers with Enforcer .............. 26 Cyrille Artho, Armin Biere, and Shinichi Honiden Model-Based Test Selection for Infinite-State Reactive Systems ........ 47 Bertrand Jeannet, Thierry J´eron, and Vlad Rusu Program Verification Verifying Object-Oriented Programswith KeY: A Tutorial ............ 70 Wolfgang Ahrendt, Bernhard Beckert, Reiner Ha¨hnle, Philipp Ru¨mmer, and Peter H. Schmitt Rebeca: Theory, Applications, and Tools............................ 102 Marjan Sirjani Learning Meets Verification ....................................... 127 Martin Leucker Trust and Security JACK—A Tool for Validation of Security and Behaviour of Java Applications..................................................... 152 Gilles Barthe, Lilian Burdy, Julien Charles, Benjamin Gr´egoire, Marieke Huisman, Jean-Louis Lanet, Mariela Pavlova, and Antoine Requet Towards a Formal Framework for Computational Trust ............... 175 Vladimiro Sassone, Karl Krukow, and Mogens Nielsen Models of Computation On Recursion, Replication and Scope Mechanisms in Process Calculi ... 185 Jesu´s Aranda, Cinzia Di Giusto, Catuscia Palamidessi, and Frank D. Valencia Bounded Session Types for Object Oriented Languages ............... 207 Mariangiola Dezani-Ciancaglini, Elena Giachino, Sophia Drossopoulou, and Nobuko Yoshida VIII Table of Contents Distributed Programming Reflecting on Aspect-Oriented Programming, Metaprogramming, and Adaptive Distributed Monitoring................................... 246 Bill Donkervoet and Gul Agha Links: Web Programming Without Tiers............................ 266 Ezra Cooper, Sam Lindley, Philip Wadler, and Jeremy Yallop Author Index.................................................. 297 Model-Based Testing of Environmental Conformance of Components Lars Frantzen1,2 and Jan Tretmans2,3 1 Institutodi Scienza eTecnologie della Informazione “Alessandro Faedo” Consiglio Nazionale delle Ricerche, Pisa – Italy [email protected] 2 Institutefor Computing and Information Sciences RadboudUniversity Nijmegen – The Netherlands {lf,tretmans}@cs.ru.nl 3 EmbeddedSystems Institute Eindhoven– The Netherlands [email protected] Abstract. In component-based development, the correctness of a sys- temdependsonthecorrectnessoftheindividualcomponentsandontheir interactions. Model-based testingis away of checkingthecorrectness of a component by means of executing test cases that are systematically generated from a model of the component. This model should include thebehaviourof how thecomponent can beinvoked,as well as howthe component itself invokes other components. In many situations, how- ever, only a model that specifies how others can use the component, is available. In this paper we present an approach for model-based testing of components where only these available models are used. Test cases fortestingwhetheracomponentcorrectlyreactstoinvocationsaregen- erated from this model, whereas the test cases for testing whether a component correctly invokes other components, are generated from the models of these other components. A formal elaboration is given in the realm of labelled transition systems. This includes an implementation relation,calledeco,whichformallydefineswhenacomponentiscorrect withrespecttothecomponentsituses,andasoundandexhaustivetest generation algorithm for eco. 1 Introduction Software testing involves checking of desired properties of a software product by systematically executing the software, while stimulating it with test inputs, andobserving andchecking the executionresults.Testing is a widely used tech- nique to assess the quality of software, but it is also a difficult, error-prone, and labor-intensive technique. Consequently, test automation is an important area of researchand development: without automation it will not be feasible to testfuture generationsofsoftwareproducts inaneffective andefficientmanner. Automation of the testing process involves automation of the execution of test cases, automation of the analysis of test results, as well as automation of the generation of sufficiently many and valid test cases. F.S.deBoeretal.(Eds.):FMCO2006,LNCS4709,pp.1–25,2007. (cid:2)c Springer-VerlagBerlinHeidelberg2007 2 L. Frantzen and J. Tretmans Model-Based Testing. One of the emerging and promising techniques for test automation is model-based testing. In model based testing, a model of the desiredbehavioroftheimplementation undertest (IUT)isthestartingpointfor test generation and serves as the oracle for test result analysis. Large amounts of test cases can, in principle, be algorithmically and completely automatically generated from the model. If this model is valid, i.e., expresses precisely what the implementation under test should do, all these tests are valid, too. Model- basedtesting has recently gainedincreasedattention with the popularizationof modeling itself. Most model-based testing methods deal with black-box testing of functional- ity.This implies thatthe kindofpropertiesbeing tested concernthe functional- ity of the system.Functionality propertiesexpress whether the systemcorrectly doeswhatitshoulddointermsofcorrectresponsestogivenstimuli,asopposed to,e.g.,performance,usability,orreliabilityproperties.Inblack-boxtesting,the specification is the starting point for testing. The specification prescribes what the IUT should do, and what it should not do, in terms of the behavior observ- able at its external interfaces. The IUT is seen as a black box without internal detail,asopposedtowhite-boxtesting,wherethe internalstructureofthe IUT, i.e.,the programcode,is the basisfor testing.Also in this paper we will restrict ourselves to black-box testing of functionality properties. Model-based testing with labelled transition systems. One of the formal theo- ries for model-based testing uses labelled transition systems as models, and a formal implementation relation called ioco for defining conformance between an IUT and a specification [10,11]. A labelled transition system is a structure with states representing the states of the system, and with transitions between states representing the actions that the system may perform. The implementa- tionrelationiocoexpressesthatanIUT conformsto its specificationifthe IUT never produces an output that cannot be produced by the specification. In this theory, an algorithm for the generation of test cases exists, which is provably sound for ioco-conformance, i.e., generated test cases only detect ioco errors, and exhaustive, i.e., all potential ioco errors can be detected. Testing of Components. Incomponent-baseddevelopment,systemsarebuilt by gluing components together. Components are developed separately, often by different manufacturers, and they can be reused in different environments. A componentis responsible for performinga specific task, orfor delivering a spec- ifiedservice.Auserrequestingthisservicewillinvokethe componenttoprovide its service. In doing so, the component may, in turn, invoke other components for providing their services, and these invokedcomponents may again use other components. A component may at the same time act as a service provider and as a service requester. Adeveloperwhocomposesasystemfromseparatecomponents,willonlyknow about the services that the components perform, and not about their internal details. Consequently, clear and well-specified interfaces play a crucial role in Model-Based Testing of Environmental Conformance of Components 3 component technology, and components shall correctly implement these inter- face specifications. Correctness involves both the component’s role as a service providerand its role as a service requester:a componentmust correctlyprovide its specified service, as well as correctly use other components. Component-based testing. In our black-box setting, component-based testing concernstestingofbehaviorasitisobservedatthecomponent’sinterfaces.This applies to testing of individual components as well as to testing of aggregate systemsbuilt fromcomponents,anditapplies to testingofprovidedservices,as well as to testing of how other services are invoked. Whentestingaggregatedsystemsthiscanbedone”bottom-up”,i.e.,starting with testing the components that do not invoke other components, and then addingcomponentstothesystemthatusethecomponentsalreadytested,andso forth, until the highest levelhas been reached.Another approachis to use stubs to simulate components that are invoked, so that a component can be tested without having the components available that are invoked by the component under test. Model-based testing of components. For model-based testing of an individual component, we, in principle, need a complete model of the component. Such a modelshouldspecifythebehaviorattheserviceprovidinginterface,thebehavior attheservicerequestinginterface,andthemutualdependenciesbetweenactions atbothinterfaces.Suchacompletemodel,however,isoftennotavailable.Spec- ifications of components are usually restricted to the behavior of the provided services. The specification of how other components are invoked is considered an internal implementation detail, and, from the point of view of a user of an aggregate system, it is. Goal. Theaimofthispaperistopresentanapproachformodel-basedtestingof acomponentatboththeserviceprovidinginterfaceandtherequestinginterface in a situation where a complete behavior model is not available. The approach assumes that a specification of the provided service is available for both the componentunder test,andforthe componentsbeinginvokedbythe component undertest.Testcasesfortheprovidedservicearederivedfromthecorresponding servicespecification.Testcasesforcheckinghowthecomponentrequestsservices from other components are derived from the provided service specifications of these other components. The paper builds on the ioco-test theory for labelled transition systems, it discusses where this theoryis applicable for testing components, andwhere it is not. A new implementation relation is introduced called environmental confor- mance –eco.Thisrelationexpressesthatacomponentcorrectlyinvokesanother component according to the provided service specification of that other compo- nent. A complete (sound and exhaustive) test generation algorithm for eco is given. Overview. Section 2 starts with recalling the most important concepts of the ioco-test theory for labelled transition systems, after which Section 3 sets the
Description: