Lecture Notes in Computer Science 6527

Jim Davies, Leila Silva, Adenilso Simão (Eds.)

Formal Methods: Foundations and Applications
13th Brazilian Symposium on Formal Methods, SBMF 2010
Natal, Brazil, November 8-11, 2010
Revised Selected Papers

Volume Editors
Jim Davies, Oxford University, Department of Computer Science, Oxford OX1 3QD, UK
Leila Silva, Universidade Federal de Sergipe, Departamento de Ciência da Computação e Estatística, CEP 49100-000, Aracaju, SE, Brazil
Adenilso Simão, Avenida Trabalhador São-Carlense, 400 Centro, 13566-590, São Carlos, SP, Brazil

ISSN 0302-9743, e-ISSN 1611-3349
ISBN 978-3-642-19828-1, e-ISBN 978-3-642-19829-8
DOI 10.1007/978-3-642-19829-8
Springer Heidelberg Dordrecht London New York
Library of Congress Control Number: 2011922662
CR Subject Classification (1998): D.2.4, D.2, F.3, D.3, D.1, K.6, F.4
LNCS Sublibrary: SL 2 – Programming and Software Engineering
© Springer-Verlag Berlin Heidelberg 2011
Preface

This volume contains the papers presented at SBMF 2010: the 13th Brazilian Symposium on Formal Methods, organized during the week of November 8, 2010. The conference was held, for the second time, in the city of Natal, Rio Grande do Norte, Brazil, co-located with ICTSS 2010, the 22nd IFIP International Conference on Testing Software and Systems, and SAST 2010, the Brazilian Workshop on Systematic and Automated Software Testing.

The conference programme included three invited talks, given by Constance Heitmeyer (Naval Research Lab, USA), Bill Roscoe (University of Oxford, UK) and David Naumann (Stevens Institute of Technology, USA). It also included two workshops: Using BOOGIE 2 in the Verification of Spec# Programs, organized by K. Rustan M. Leino (Microsoft Research) and Rosemary Monahan (National University of Ireland), and Workshop on B Dissemination (WOBD), chaired by Thierry Lecomte (ClearSy, France) on behalf of the DEPLOY project. There was also an accompanying doctoral research symposium, with presentations from research students working on new developments in the theory and practice of formal methods, and a special session on the development of the formal methods curriculum.
Awards were made to: Wojciech Mostowski and Erik Poll, for the best paper, "Midlet Navigation Graphs in JML"; to Alexandra Silva, for the best paper presentation; to Giselle Reis, for the best doctoral presentation; to Tiago Massoni, for the best use of presentation technology; and to Rolf Hennicker, for the best contribution to the discussions that followed each author's presentation.

A total of 18 research papers were presented at the conference, selected from 55 submissions, and included in revised form in this volume. We are grateful to the Programme Committee, and the additional reviewers, for their hard work in evaluating submissions and suggesting improvements. The papers were presented, by their authors, in seven separate sessions; these sessions were well attended, and we are grateful to the many participants who made additional, thoughtful contributions between, during, and after the paper presentations.

We are grateful to the organizers of this year's conference, the Departamento de Informática e Matemática Aplicada of Rio Grande do Norte (UFRN) and the Brazilian Computer Society (SBC), and also to the sponsors: CNPq, the Brazilian Scientific and Technological Research Council; CAPES, the Brazilian Higher Education Funding Council; the Federal University of Rio Grande do Norte (UFRN); Miranda Computação e Comércio Ltda; SETIRN.
December 2010
Jim Davies
Leila Silva
Adenilso Simão

Organization

Programme Committee
Aline Andrade, David Aspinall, Luis Barbosa, Roberto Bigonha, Michael Butler, Andrew Butterfield, Ana Cavalcanti, Marcio Cornelio, Andrea Corradini, Jim Davies (Co-chair), David Deharbe, Ewen Denney, Clare Dixon, Rohit Gheyi, Rolf Hennicker, Juliano Iyoda, Zhiming Liu, Gerald Luettgen, Patricia Machado, Ana de Melo, Stephan Merz, Alvaro Moreira, Anamaria Moreira, Carroll Morgan, Alexandre Mota, Arnaldo Moura, David Naumann, Daltro Jose Nunes, Jose Oliveira, Marcel Oliveira (Local Chair), Alberto Pardo, Alexandre Petrenko, Leila Ribeiro, Augusto Sampaio, Leila Silva (Co-chair), Adenilso Simão (Co-chair), Heike Wehrheim, Jim Woodcock

Additional Reviewers
Ludwig Adam, Renato Alexandre Silva, Wilkerson L. Andrade, Tigran Avanesov, Sebastian Bauer, Karine Birnfeld, Filippo Bonchi, Adilson Bonifácio, Florent Bouchy, Alexander Ditter, Arnaud Dury, Adriano Gomes, Bruno Gomes, Rolf Hennicker, Giovanny Lucero, Hugo Macedo, Charles Morisset, Regina Motz, Stan Rosenberg, Asieh Salehi Fathabadi, Paulo Salem da Silva, Luis Sierra, Volker Stolz, Ivan Tierno, Jan Tobias Muehlberg, Walter Vogler, Shuling Wang, James Welch, Mar Yah Said, Sanaz Yeganefard, Jiaqi Zhu

Table of Contents
Directed Model Checking for B: An Evaluation and New Techniques (Michael Leuschel and Jens Bendisposto) .... 1
Midlet Navigation Graphs in JML (Wojciech Mostowski and Erik Poll) .... 17
Runtime Verification for Generic Classes with ConGu2 (Pedro Crispim, Antónia Lopes, and Vasco T. Vasconcelos) .... 33
A High-Level Language for Modeling Algorithms and Their Properties (Sabina Akhtar, Stephan Merz, and Martin Quinson) .... 49
A Formal Environment Model for Multi-Agent Systems (Paulo Salem da Silva and Ana C.V. de Melo) .... 64
A Modal Interface Theory with Data Constraints (Sebastian S. Bauer, Rolf Hennicker, and Michel Bidoit) .... 80
Synchronizing Model and Program Refactoring (Tiago Massoni, Rohit Gheyi, and Paulo Borba) .... 96
A Type-Theoretic Framework for Certified Model Transformations (Daniel Calegari, Carlos Luna, Nora Szasz, and Álvaro Tasistro) .... 112
Simulating Truly Concurrent CSP (Moritz Kleine and J.W. Sanders) .... 128
Statistical Verification of Probabilistic Properties with Unbounded Until (Håkan L.S. Younes, Edmund M. Clarke, and Paolo Zuliani) .... 144
Reasoning about Assignments in Recursive Data Structures (Alejandro Tamalet and Ken Madlener) .... 161
Specification of a Localization Component Driven by a Goal-Based Approach: Some Lessons We Learned (Abderrahman Matoussi, Frédéric Gervais, and Régine Laleau) .... 177
A Formal Framework for Specifying and Analyzing Logs as Electronic Evidence (Eduardo Mazza, Marie-Laure Potet, and Daniel Le Métayer) .... 194
Formal Development of a Cardiac Pacemaker: From Specification to Code (Artur O. Gomes and Marcel V.M. Oliveira) .... 210
A Decision Procedure for Bisimilarity of Generalized Regular Expressions (Marcello Bonsangue, Georgiana Caltais, Eugen-Ioan Goriac, Dorel Lucanu, Jan Rutten, and Alexandra Silva) .... 226
Normalization of Linear Horn Clauses (Thomas Martin Gawlitza, Helmut Seidl, and Kumar Neeraj Verma) .... 242
A Graph-Based Implementation for Mechanized Refinement Calculus of OO Programs (Zhiming Liu, Charles Morisset, and Shuling Wang) .... 258
Automating Refinement of Circus Programs (Frank Zeyda and Ana Cavalcanti) .... 274
Author Index .... 291

Directed Model Checking for B: An Evaluation and New Techniques

Michael Leuschel and Jens Bendisposto
Institut für Informatik, Universität Düsseldorf, Universitätsstr. 1, D-40225 Düsseldorf
{leuschel,bendisposto}@cs.uni-duesseldorf.de

Abstract. ProB is a model checker for high-level formalisms such as B, Event-B, CSP and Z. ProB uses a mixed depth-first/breadth-first search strategy, and in previous work we have argued that this can perform better in practice than pure depth-first or breadth-first search, as employed by low-level model checkers. In this paper we present a thorough empirical evaluation of this technique, which confirms our conjecture. The experiments were conducted on a wide variety of B and Event-B models, including several industrial case studies. Furthermore, we have extended ProB to be able to perform directed model checking, where each state is associated with a priority computed by a heuristic function. We evaluate various heuristic functions, on a series of problems, and find some interesting candidates for detecting deadlocks and finding specific target states.

Keywords: Model Checking, B-Method, Tool Support, Directed Model Checking, Search, Industrial Case Studies, spin.

1 Introduction

Many model checking tools, such as smv [21,3] and spin [11,13,2], work on relatively low-level formalisms. Recently, however, there have also been model checkers which work on higher-level formalisms, such as tlc [25] for TLA+, fdr [9] for CSP and alloy [16] for a formalism of the same name (although the latter two are strictly speaking not model checkers). Another example is ProB [19,20], which accepts B [1].

It is relatively clear that a higher-level specification formalism enables more convenient modelling. On the other hand, conventional wisdom would dictate that a lower-level formalism will lead to more efficient model checking. However, our own experience has been different.
During previous teaching and research activities, we have accumulated anecdotal evidence that using a high-level formalism such as B can be much more productive than using a low-level formalism such as Promela. The study [24,23] examined the elaboration of B models for ProB and Promela models for spin on ten different problems. Unsurprisingly, the time required to develop the Promela models was markedly higher than for the B models (and some models could not be fully completed in Promela). The study also found out that in practice both model checkers, ProB and spin, were comparable in model checking performance, despite ProB working on a much higher-level input language and being much slower when looking purely at the number of states that can be stored and processed per time unit. Other independent experimental evaluations also report good performance of ProB compared against SMV [15].

J. Davies, L. Silva, and A. Simão (Eds.): SBMF 2010, LNCS 6527, pp. 1–16, 2011. © Springer-Verlag Berlin Heidelberg 2011

In [17] we first tried to analyse and understand this counter-intuitive fact. One explanation was that pure depth-first search as employed by spin and other low-level model checkers fares very badly in the context of large state spaces. Similarly, a pure breadth-first strategy has problems in detecting long counter-examples. We argued in [17] that ProB's mixed depth-first/breadth-first search enabled it to effectively find a larger class of errors. In this paper we test this conjecture empirically on a large number of B specifications. In addition, we present a new directed model checking algorithm for ProB: rather than randomly choosing between doing a depth-first or breadth-first step, we associate priorities with the pending states of the model checker. We then evaluate various ways of computing priorities on the same specifications.

In Section 2 we present the motivation for mixed depth-first/breadth-first search in more detail, and in Section 3 we perform a thorough empirical evaluation.
In Section 4 we present the new directed model checking algorithm of ProB, along with a range of heuristic functions with their empirical evaluation. We finish with more related work and a conclusion in Section 5.

2 Combining Depth-First and Breadth-First for Improved Model Checking

In [17] we first tried to analyse and understand the counter-intuitive behaviour described above. Below, we recall some of the conclusions from [17]. One tricky issue is the much finer granularity of low-level models. If one is not careful, the number of reachable states can explode exponentially, compared to a corresponding high-level model. When writing Promela models, for example, great care has to be taken to make use of atomic (or even d_step) primitives and to reset dead temporary variables to default values. However, restrictions of atomic make it sometimes very difficult or impossible to hide all of the intermediate states. More details can be found in [17].

Searching for Errors in Large State Spaces. Let us disregard the granularity issue and let us look at simple problems, with simple datatypes, which can be easily translated from B to Promela, so that we have a one-to-one correspondence of the states of the models. In such a setting, one would assume that the spin model checker for Promela will outperform ProB by several orders of magnitude. Indeed, spin generates a specialised model checker in C which is then compiled, whereas ProB uses an interpreter written in Prolog. Furthermore, spin has accrued many optimisations over the years, such as partial order reduction [14,22] and bitstate hashing [12]. However, even in this setting, this advantage of spin does not necessarily translate into better performance for real-life scenarios, in particular when using the model checker as a debugging tool for software systems, i.e., trying to find errors in a very large state space.
One experiment reported on in [17] is the Nasty Vending Machine. It has a very large state space, where there is a systematic error in one of the operations of the model (as well as a deadlock when all tickets have been withdrawn). To detect the error, it is important to exercise this operation repeatedly. It is not important to generate long traces of the system, but it is important to systematically execute combinations of the individual operations. This explains why depth-first behaves so badly on this model, as it will always try to exercise the first operation of the model first. Note that a very large state space is a typical situation in software verification (sometimes the state space is even infinite).

Fortunately, spin provides a breadth-first option, with which it then finds the above error very quickly. However, for another class of problems, breadth-first fares badly. Indeed, in a corrected non-deadlocking model of the vending machine in [17], with again a large state space, the error occurs if the system runs long enough: it is not very critical in which order operations are performed, as long as the system is running long enough. This explains why for this model breadth-first was performing badly, as it was not generating traces of the system which were long enough to detect the error.

In order to detect both types of errors with a single model checking algorithm, ProB has been using a mixed depth-first and breadth-first search [20]. More precisely, at every step of the model checking, ProB randomly chooses between a depth-first and a breadth-first step.

In summary, the motivation behind ProB's heuristic is that many errors in software models fall into one of the following two categories:

– Some errors are due to an error in a particular operation of the system; hence it makes sense to perform some breadth-first exploration to exercise all the available functionality. In the early development stages of a system model, this kind of error is very common.
– Some errors happen when the system runs for a long time; here it is often not so important which path is chosen, as long as the system is running long enough. An example of such an error is when a system fails to recover resources which are no longer used, hence leading to a deadlock in the long run.

Thus, if the state space is very large, depth-first search can perform very badly as it fails to systematically test combinations of the various operations of the system. Even partial order reduction and bitstate hashing often do not help. Similarly, breadth-first search can perform badly, failing to locate errors that require the system to run for very long. We have argued that ProB's combined depth-first/breadth-first search with a random component does not have these pitfalls. In the next section, we will validate this claim empirically.
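The two error categories above can be reproduced at toy scale. The following Python program is an added illustration, not ProB's own (Prolog) implementation: it implements pure depth-first, pure breadth-first and the per-step random mix the text describes, and runs each over two constructed models, one with a buggy operation (the error needs the combination withdraw;withdraw) and one with a resource leak (deadlock only after a long run). The model names, constants and state encodings are assumptions made for the example.

```python
import random
from collections import deque

def explore(init, ops, is_error, strategy, seed=0):
    """Explore a finite state space until an error is found.
    ops: (guard, action) pairs in model order; is_error: state predicate;
    strategy: "dfs", "bfs" or "mixed" (a coin flip per step, as the text
    describes ProB's heuristic).  A state with no enabled operation is a
    deadlock and also counts as an error.  Returns the number of states
    visited when the first error is hit, or None if none exists."""
    rng = random.Random(seed)
    pending, seen, visited = deque([init]), {init}, 0
    while pending:
        newest = strategy == "dfs" or (strategy == "mixed" and rng.random() < 0.5)
        state = pending.pop() if newest else pending.popleft()  # dfs: newest, bfs: oldest
        visited += 1
        succs = [act(state) for guard, act in ops if guard(state)]
        if is_error(state) or not succs:
            return visited
        # push in reverse so that a depth-first step exercises the *first* operation first
        for s in reversed(succs):
            if s not in seen:
                seen.add(s)
                pending.append(s)
    return None

# Model A (constructed): a harmless counter plus a 'withdraw' operation that
# misbehaves the second time it is used.  The error is shallow, but depth-first
# only tries withdraw;withdraw after exhausting LIMIT ticks.
LIMIT = 1000
MODEL_A = [(lambda s: s[0] < LIMIT, lambda s: (s[0] + 1, s[1])),   # tick
           (lambda s: s[1] < 2,     lambda s: (s[0], s[1] + 1))]   # withdraw

def second_withdraw_bug(s):
    return s[1] == 2

# Model B (constructed): two operations that each leak one resource unit, so
# the system deadlocks after LEAK steps on any path; breadth-first has to
# visit every shorter trace before it reaches the deadlock.
K, LEAK = 4, 20
MODEL_B = [(lambda s: s[2] < LEAK, lambda s: ((s[0] + 1) % K, s[1], s[2] + 1)),  # left
           (lambda s: s[2] < LEAK, lambda s: (s[0], (s[1] + 1) % K, s[2] + 1))]  # right

def compare(init, ops, is_error, seed=0):
    """States visited before the first error, for each search strategy."""
    return {st: explore(init, ops, is_error, st, seed) for st in ("dfs", "bfs", "mixed")}

if __name__ == "__main__":
    print("model A (buggy operation):", compare((0, 0), MODEL_A, second_withdraw_bug))
    print("model B (resource leak):  ", compare((0, 0, 0), MODEL_B, lambda s: False))
```

On model A depth-first needs LIMIT+3 visits where breadth-first needs 4; on model B the situation inverts, which is the asymmetry the mixed strategy is meant to hedge against.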