and the INTEL IXP1200 Network Processor implementation will be included in. Seppo Virtanens PhD thesis. The Uva While there exists a fair number of partial ...
Ralph-Johan Back | Kaisa Sere
CR ST Centre for Reliable Software Technology
Progress Report 2002-2003 Turku Centre for Computer Science
TUCS General Publication No 37, November 2004
CR ST Centre for Reliable Software Technology
Progress Report 2002-2003 Ralph-Johan Back Kaisa Sere
TUCS General Publication No 37, November 2004
Abstract The Formal Methods in Programming research group at ˚ Abo Akademi University was elected as a Centre of Excellence in Research by the Academy of Finland for the six year period 2002-07. The present document is a progress report on the research done at the Centre since its start. We focus in this report on the research activities at the centre since its start. We have organized the presentation along the lines of our original reserach plan for the Centre. This plan is given in Appendix A. We also report on other professional activities of the personnel of the Centre for 2003. These other professional activities for 2002 as well as the organisational developement of the Centre were described in our previous annual report (Centre for Reliable Software Technology, Progress Report 2003 Back, Ralph-Johan and Bos, Victor ISBN 951-29-2301-7 TUCS General Publication Number 24).
Keywords: CREST Progress Report, Formal Methods in Programming, Centre of Excellence (CoE)
TUCS Laboratory CREST: Distributed Systems Laboratory, Embedded Systems Laboratory, Mechanised Reasoning Laboratory, and Software Construction Laboratory
1
Introduction
The Formal Methods in Programming research group at ˚ Abo Akademi University was elected as a Centre of Excellence in Research by the Academy of Finland for the six year period 2002-07. The present document is a progress report on the research done at the Centre since its start. We focus in this report on the research activities at the centre since its start. We have organized the presentation along the lines of our original reserach plan for the Centre. This plan is given in Appendix A. We also report on other professional activities of the personnel of the Centre for 2003. These other professional activities for 2002 as well as the organisational developement of the Centre were described in our previous annual report (Centre for Reliable Software Technology, Progress Report 2003 Back, Ralph-Johan and Bos, Victor ISBN 951-29-2301-7 TUCS General Publication Number 24) and are not repeated here. The Centre of Excellence consists of four research laboratories • Distributed Systems Laboratory, lead by Kaisa Sere, Professor of Computer Engineering • Embedded Systems Laboratory, lead by Johan Lilius, Professor of Computer Engineering • Mechanised Reasoning Laboratory, lead by Joakim von Wright, Professor of Computer Science • Software Construction Laboratory, lead by Ralph Back, Academy Professor, and Ivan Porres, Acting Professor of Computer Science as well as the Gaudi Software Factory. Together these five units form CREST, Centre for Reliable Software Technology. The leaders of the laboratories form the steering committee for the Centre of Excellence and for CREST. Ralph Back is the director for CREST. Kaisa Sere is the vice-director as well as research manager for the Centre. The research in the Centre of Excellence is focused on using formal methods for the construction of software based systems. The research can be categorised into the following main areas, which were already identified in the original research plan of the centre of excellence: • theoretical foundations of programming languages and programming methods, • extending formal methods to new areas, • building computer supported tools for formal methods, • studying the use of formal methods in the software construction process as a whole, and • case studies on how to apply formal methods. 1
Within CREST we have, however, broadened the scope of the research extensively during the past years, and several new areas cannot anymore directly be classified under formal methods. This is especially true for our research within the software processes and tool development. The new, but related areas that we work on are software engineering, computer networks, VLSI design, process control and automation, optimisation of embedded software as well as educational aspects of mathematics and programming. Many of these developments are carried out in cooperating with researchers outside the CREST laboratories. We consider this research to be part of CREST, but not always part of the Centre of Excellence. The emphasis on methods for constructing reliable software and hardware systems remains the central focus of our research. The research within CREST is described below in Chapter 2. In Chapter 3 we describe other professional activities by CREST personnel. Here we also describe our seminars as well as our financial matters. Finally, Chapter 4 is devoted to the presentations of the CREST participating laboratories.
2
Research within CREST
In this chapter we reports on the work carried out within the five research areas mentioned in the previous chapter. We describe the research activities of the entire CREST and hence, work specifically on formal methods as well as work on other kind of methods will be described.
2.1
Foundations of programming
The research on foundations has primarily concentrated on exploring and deepening the foundations of refinement calculus. There has also been some research on the foundations of imperative programs in a process algebra framework. The research on the foundations on the Refinement Calculus is continuing as a long-term project. The work on writing a sequel to ”Refinement Calculus: A Systematic Introduction”, Springer-Verlag 1998, is progressing well. We are concentrating in this second book on the issue of modelling and constructing large software systems using the refinement calculus paradigm. In particular, we are interested in the modelling power of refinement calculus and in the support for incremental software system construction. Much of the present work on refinement calculus centers around the notion of a contract. This was introduced in the refinement calculus book as the central intuitive notion behind the calculus. We are now pursuing this line of research quite actively, and are finding a lot of further developments and applications for this fundamental notion. An example is the inclusion of angelic nondeterminism as a model of user interaction, using the notion of agents and contracts. Parts of this foundational theory has also beenformalised in the logic of the HOL theorem prover by von Wright and Laibinis. This formalisation work has become an important source of feedback and ideas for fine-tuning the theory. Modelling temporal properties with contract The theory for contracts as described in refinement calculus book only considers the question of whether 2
a specified goal (postcondtion) can be achieved by some coalition of agents when a given contract is carried out. Back and von Wright have extended this theory in [21] to also consider achievement of temporal goals. They refer to this as the ability of a coalition of agents to enforce a temporal property during the execution of a contract. They have shown that enforcement of temporal properties can indeed be formalized quite nicely in the refinement calculus. Moreover, it turns out that enforcement can be expressed as achievement of goals in a suitably enhanced contract, so enforcement does not require any substantial extensions to the original refinement calculus framework. This is crucially based on the fact that refinement calculus also allows to talk about successful and failed executions, in addition to normally terminating and nonterminating computations. Compositional refinement of action system Concurrent systems are modelled in the refinement calculus as action systems. As such, there is a simple notion of refinement of action systems that we get for free from the refinement calculus: refining (or data refining) one or more actions in an action system. In general, this is allowed provided some simple side conditions are respected (exit conditions must match, and the refinement should not introduce divergence). However, when we refine two different actions in an action system one after the other, then the second refinement (the implementation) uses the refined version of the first action as its environment, rather than the original action (the specification). If the implementation is much more complex than specification, then this is a drawback of the approach. Back and von Wright study this problem in [20, 19], with the intention of capturing the rely-guarantee paradigm for refinement of components, where each component is refined in the context of the specification of the other components. In the paper, it is shown how to carry out rely-guarantee refinements (or, as they call them, compositional refinements) of action systems. The design of components and component-based design has also been a central concern in the research carried out by Sere et al. . Initially, this topic came up within projects on asynchronous circuit design when Plosila investigated the modeling of asynchronous communication protocols within and between circuit boards. Motivated by this, Ruksenas has studied the refinement of components and their interfaces including the communication protocols between components within Action Systems via so called rely actions. The key practical obstacle in building systems from rely-guarantee specifications of components is in ensuring that the concrete components do satisfy their abstract interface specifications. To solve the problem, Ruksenas [64] (conditionally accepted for publication in Science of Computer Programming) proposes a notion of compositional refinement of action systems based on context-sensitive simulations where a component is refined together with its environment. The work focuses on the interface between the refined component and its envirinment. Algebraic structures for refinement While developing the foundations of the Refinement Calculus, Back and von Wright described an iteration algebra based on fixpoint reasoning. It turned out that this algebra in fact is a varia3
tion on Kleene Algebra with Tests, developed by Kozen. This abstract algebra is small and clean, but still expressive enough to permit reasoning about nonterminating programs, total correctness, and refinement. During the past two years, von Wright and Solin have developed an axiomatisation of a Demonic Refinement Algebra and shown its usefulness in program reasoning (von Wright presented this work at the MPC Conference in Germany in July 2002 [89] and he visited the Kleene Algebra group at the University of Augsburg in June 2003) [90]. Kim Solin has started working on a PhD within this field, investigating the properties of this algebra and its applications to action system reasoning (he gave a presentation of this work at the Nordic Workshop on Programming Theory in Turku in October 2003). Program variable models In [20, 19], Back and von Wright extended the program variable model proposed in the Refinement Calculus book to a more flexible model for adding and deleting new program variables. This is needed in order to get a simple treatment of local variables, in particular for recursive procedures. This research has been continued by Back and Preoteasa [18], where a somewhat different model for program variables is described. This model is shown to allow a more algebraic reasoning style for recursive procedures with parameters and local variables. A predicate transformer semantics for recursive procedures is given, and refinement rules for introducing recursive procedure calls, procedure parameters, and local variables are proved. Based on the refinement rules, Hoare total correctness rules for recursive procedures, and parameters are also proved. These results were presented at the Merlin 2003 conference in Uppsala, August 2003, for which a journal version is in preparation. Preoteasa has also implemented the program variable theory in the PVS theorem prover, in order to check the logic behind the theory. Probabilistic refinement Professor Mingshen Ying worked as a visiting researcher at CREST in the spring of 2002. Dring this period, he worked on one of the central theorems in the refinement calculus book, the so-called winning strategy theorem that links the predicate transformer semantics of contracts to the operational semantics of contracts as a game between the angel and the demon. He showed how to extend this theorem to the probabilistic refinement calculus that has been developed by Morgans and McIver, using also a probabilistic (rather than ordinary two-valued) logic as the basic framework. This result was published both as a technical report [100] and later as a journal article. Imperative programs as process algebras Our process algebra team is not very big in CREST, but quite active. It consists mainly of Victor Bos, originally a post doc student from the Technical University of Eindhoven, and now working as researcher at CREST. Most of his work is done in cooperation with Jos Baeten in Eindhoven. Bos has used process algebras to provide new ways to analyze software systems. He has formalized programming variables, assignments, and scoping, all known from conventional imperative programming languages, in a process algebraic framework. This results in an equational 4
theory about imperative sequential programs. Many laws about programming language constructs (like ”if-then-else” and ”while” statements) are proven in this theory. The main results are presented in [22]. Furthermore, correctness proofs of several small programs are given. Although this report is about sequential programs, the approach has potential to be applied to parallel programs, as concurrency is one of the main subjects process algebras were designed to describe precisely.
2.2
Extending formal methods to new areas
The research on extensions focuses on the Refinement Calculus and the Action Systems formalisms and methodologies around these. However, these are not our sole vehicles, we also study other methods like the B Method, process algebras as well as the interplay between formal and some semi formal methods in modeling. 2.2.1
Refinement calculus extensions and applications
Refinement for games and interactive systems Back and von Wright are currently investigating an approach to interactive systems based on action systems and games. These investigations include both a predicate-transformer based semantics and a corresponding proof theory for a game temporal logic, as describe above in the section on foundations for programming. This logic is an extension of traditional temporal logic to a situation where different agents have different goals, and a proof for satisfaction of a property has to take into accountboth cooperating and hostile agents. Based on this theory, Orieta Celiku is working on methods for reasoning about game-like programs. This has been done successfully for programs with angelic nondeterminism, resulting in a tool for verifying correctness of annotated programs using automated theorem proving and a method for implementing angelic nondeterminism [39]. Quantitative program logic For her PhD research, Orieta Celiku has also worked together with Annabelle McIver (Macquarie University, Sydney, Australia) on mechanising formal techniques for analyzing cost-based properties of probabilistic programs. This has included implementing a quantitative program logic using the HOL theorem prover. The quantitative program logic (of Carroll Morgan et al) is a generalization of weakest preconditions which allows quantitative properties to be expressed via real- rather than boolean-valued terms. A semantic efficiency operator was formalised, which allows reasoning about upper bounds on the expected running times of probabilistic programs. A verification condition generator for efficiency analysis was also implemented. The work also includes adapting the technique of data refinement to the probabilistic context in order to be able to abstract the essential probabilistic properties underlying program termination leaving a simpler program which is more amenable to direct efficiency analysis. Orieta Celiku visited the Macquarie University in April-May 2003, and she presented this work at the Nordic Workshop on Programming Theory in Turku in October 2003). Currently, Celiku and McIver are working on generalizing the efficiency theory, and mechanizing the connection of efficiency operators to quantitative temporal logic operators.[37, 39, 36] 5
Reasoning about dynamic data structures Pointers are an important programming concept. They are used explicitly or implicitly in many programming languages. In particular, the semantics of object-oriented programming languages relies on pointers. Back, Preoteasa and Xiaocong have studied the semantics for pointer structures, and have reported some initial results in [14, 15]. They use a semantics where pointers are seen as indexes and pointer fields are functions from these indexes to values. This semantics has been used in different contexts earlier, and seems to provide a very simple bridge to formalizing pointer algorithms in the refinement calculus. Using this semantics all pointer operations are turned into simple array assignments. They use refinement calculus techniques to construct as a case study a pointer manipulating program that checks whether or not a single linked list ends in a loop. An induction principle on pointer structures is also introduced in order to reduce the complexity of the proofs. The theory underlying the derivation has been formalized and proved in PVS. 2.2.2
Action systems and refinement
Continuous action systems Hybrid systems model continuous processes controlled by discrete computations. They are useful when studying systems where a computer supervises and controls a physical phenomenon from the real world, like the movement of an elevator or a chemical plant. These processes evolve in real time and their state is often best represented using continuous mathematical equations rather than discrete data types. Back, Cershi-Secelanu and Westerholm have studied how to simulate the behavior of hybrid systems that are modeled as continuous action systems (CAS), a recently introduced time based extension of the action systems formalism [12]. The simulation technique that they use is symbolic, that is, given the simulation parameters, they construct the exact analytic functions that describe the behavior of the hybrid system over time, rather than just numeric approximations of the behavior. For this purpose, they have built a tool that allows CAS models to be simiulated in Mathematica automatically. Besides providing symbolic solutions to the time varying behavior of the hybrid system, Mathematica also provides good facilities for visualizing the system evolution as graphs. Their simulation method is not dependent on choosing a fixed sampling interval, in stead it proceeds from one interesting time point to the next. These interesting time points can be very dense in times when the behavior changes rapidly, and be sparse at other times. The approach works also well for non-linear systems (provided that Mathematica can handle the differential equations that describe these non-linear equations). The simulation technique has been applied to a small collection of hybrid models, including a model for a nuclear reactor with two cooling rods. More substantial case studies are in the works now, in cooperation with professors Hannu Toivonen (Control Theory) and Henrik Saxen (Chemical Engineering) at Abo Akademi University. The designing of reactive systems is the central topic also in [40]. They focus on how to model behavior while preserving modularity. Reactive systems are studied from a formal point of view, within the framework of action systems. 6
The traditional interleaving paradigm is completed with a new barrier synchronization mechanism. This is achieved by the introduction of a new parallel composition operator, applicable to both discrete and hybrid models. While offering improvements with respect to control and modularity, the approach remains within the correctness preserving environment provided by the action system framework. Action systems in modeling Traditional action systems remains the main modeling and specification language for research carried out at CREST. Action systems have been extended lately to several areas, like circuit design (Plosila, Seceleanu, Sere) [56], object-oriented design (Bonsangue, Kok, Petre, Sere) [52], component-based design (Plosila, Ruksenas, Sere) [57] as well as design of hybrid systems (Ronkko, Ravn, Sere) [63]. This has usually meant proposing dedicated language constructs with associated refinement rules within the Refinement Calculus as described earlier. Ruksenas [65] proposes a notation for action systems that allows one to view them as abstract rely-guarantee specifications of concurrent components. The notation also ensures that the composition of two such specifications is a component specification itself (extension to [64]). In combination with the proposed notion of compositional refinement of action systems, this provides a framework for component-based development of concurrent systems. Sere et al. have proposed design flows based on two main steps in action system construction, decomposition and superposition refinement. This has been applied to the design of distributed systems in general, and also to the design of control systems [35] and to circuit design [54] in particular. An action system model is decomposed into meaningful entities in such a way that the designer can concentrate on parts of the design at a time. The system can always be recomposed and decomposed anew when needed. They have developed the superposition principle further into a practical way to introduce new features and detail into the design in a controlled manner. Distributed networks The team consisting of Bostrom, Lofman, Sere, and Yan are developing application platforms and middleware for Internet and other network based systems. Central until now have been peer-to-peer (P2P) and ad hoc networks and their architectural issues as well as the formal design aspects. Related to this, Ilic and Troubitsyna are investigating the formal basis for model driven design in connection of certain routing protocols for ad hoc networks. This is work in progress. The team is also studying general networks structures focusing here on Quality of Service (QoS) issues. Bostrom and Walden have started to investigate grid-based network structures, while Lofman is interested in QoS routing in Internet. In his thesis work, Yan proposes a formal framework for developing applications for peer-to-peer systems and arbitrary networks. The system components are specified via Action Systems or with the B method, and the interactions and message communications between components is modelled with UML diagrams. The main contribution until now is a novel architecture, integrating P2P and ad hoc networks technologies together, to reduce the dependence of networking 7
on wired and wireless infrastructure, thus extending the reachability of todays’ networks and increasing their resilience to disasters and attacks. Another contribution of the work is that it is the first architecture-centric approach for the construction of overlay network applications that allows us to define a unified networking environment, taking advantages from both P2P and ad hoc networks technologies [93, 99]. Yan also shows how to design peer-to-peer systems to work with different kinds of firewalls within the object-oriented action systems framework by combining formal and informal methods [97]. Currently, Yan and Sere are developing means to reason about context-aware systems within this and the action systems framework. Architectures of dependable systems Troubitsyna has studied how to ensure dependability in a component-based system development. Often dependable systems are parallel systems composed of unreliable components. In [78] she presented a formal derivation of a novel algorithm for error detection and recovery in parallel systems. The algorithm proposes an elegant way to structure the specifications of component systems and introduce fault tolerance mechanisms at the architectural level. While in [78] the focus was on how to guarantee dependability of a system composed of faulty components, in [77] she investigated how to formally specify and refine fault tolerant components for reuse. She proposed a general model of a component which besides proving its intended functionality can also detect errors in its functioning as well as perform error recovery. Action Systems and SoC design We have continued and heavily expanded our research on using software–based methods to derive digital circuits. Initially, we used Action Systems and the decomposition principle to derive asynchronous circuits (Back, Plosila, Sere), but subsequently mixed synchronous/asynchronous circuits became the focus of interest (Plosila, Seceleanu). This line of research has developed into the design of modern system on chip designs where our strong tradition in designing parallel and distributed systems has turned out to be very fruitful [54, 55, 70, 91, 68, 69, 56]. In large, the research focuses on digital system-on-chip specification, design, and verification using the Action Systems formalism. The goal is to develop a formal correctness-preserving design flow for complex globally asynchronous locally synchronous (GALS) systems which can contain several distinct clock domains combined with synchronous or asynchronous (self-timed) communication mechanisms. Such systems can be viewed as general systems, a conventional globally synchronous architecture being just a special case containing only a single clock domain. Recent research activities include inter-module communication channel and system bus modeling and refinement, asynchronous and synchronous system modeling and synthesis, enhancement of the Action Systems language for efficient hierarchical system modeling and design, and tool support development for the Action Systems-based design flow. Plosila, Sere and Walden [57] propose a component-based method to organise a large system derivation within the B Method via its facilities provided by the tools. Action Systems are used as the formal framework for system design. The 8
designer proceeds from an abstract high-level specification via correctness preserving transformation steps towards an implementable architecture of library components which communicate asynchronously. At each step a pre-defined component is extracted and the correctness of the step is proved using the tool support of the B Method. The method above has been further refined by Plosila et al. As they assume that there is an implementation in the library for each component they concentrate on the specification of a component in terms of its interface model. The model is given in terms of interface variables and captures their types as well as the asynchronous communication protocols used to interact with the component. They apply a stepwise synthesis process on the interface model where they systematically introduce new asynchronous channels and decompose the protocols. In each step they extract a library component with a pre-defined and -verified hardware or software implementation. This work has been submitted for publication in Science of Computer Programming. 2.2.3
The theory of heterogenous systems
A model of computation is a domain specific, often intuitive, understanding of how the computations in that domain are done: it encompasses the designer’s notion of physical processes, and a heterogenous system is thus described through a number of models of computation. This work has mainly been conducted by Johan Lilius and Dag Bjrklund. It will be fnalised in Dag Borklunds PhD thesis. Rialto Lilius and Bjorklund work on a unified theory of models of computation has resulted in the definition of a language that called Rialto [26]. The name connotes the idea that they are interested in building a system by describing it with different models of computation and to be able to do this they need to bridge between these, something that the Rialto language aims to do. They have had as a starting point the observation that many language constructs are common to different languages, but their semantics differ due to the computational model. E.g. parallelism in UML has a very different semantics from parallelism in ESTEREL. This can be seen as decoupling an abstract syntax from the model of computation, i.e. that a language, or a set of languages, with a given abstract syntax, can be used to model very different things depending on the semantics and the model of computation connected to the syntax. In the context of UML this phenomenon can be observed e.g. with statecharts and activity diagrams. An activity diagram can be interpreted as a statechart where all computation is done in state activities and the transitions are triggered by completion events. Activity diagrams therefore can be said to have data-flow as their underlying model of computation. It is this interaction between language constructs and models of computation that is the focus of research and their motivation to introduce Rialto. The language is defined through a set of operational rules that determine the semantics of each atomic statements, and a set of scheduling policies that are used to model different models of computation. 9
Semantics of and code-generation for UML Diagrams The focus for Lilius et al. has been on using Rialto to define a unified semantics for the different behavioral diagrams of UML (UML Statecharts, Collaboration Diagrams and Activity Diagrams). They can take a UML Collaboration diagram whose objects have behaviors defined using statecharts and/or activity diagrams, translate this into Rialto, thus giving the diagrams a formal semantics. The Rialto language has a code generator from which they can now generate C code for the whole set of diagrams. This work has been published in [29]. The paper was also selected to appear in the “best of FDL’03” book [30]. They have also extended the work to translate Rialto to VHDL [25]. A redefinition of the semantics of Rialto in B [27]. One of the problems of Rialto is that its semantics is defined using “ad-hoc mathematics”. To be able to formally prove properties about the semantics, or about programs, there is a need to rewrite the semantics in a formal language with tool support. Lilius and Bjorkvist have used B for this purpouse. They are not only able to give the semantics of Rialto in B, but the semantics actually is a template for giving language semantics in B. The semantics is split into a number of statemachines. One trivial that describes structure of the program, one for describing the SOS rules of the statements, and one statemachine for each policy. The same principle can be used to define the semantics of other languages in B. A new code-generator for SDF diagrams [24]. In this work Lilius et al present a novel approach for efficient code synthesis from Synchronous Dataflow specifications. The method avoids duplication of code blocks when compiling SDF graphs regardless of whether a single appearance schedule can be found for the graph or not. This also means that they can use schedules that require minimal buffer memory, but are not single appearance schedules. The optimization technique presented in the paper can also be used without the Rialto language. 2.2.4
High-school mathematics
Within the formal methods community, the writing of proofs has always been considered important. The calculational proof style developed by Dijkstra and Feijen was extended by Back and von Wright into a format of structured derivations, which was consistently used in the book on the foundations of the Refinement Calculus. Structured derivations allow large proofs to be written in a logically rigorous way which is still readable to a human. The format turned out to be useful for writing mathematical solutions in general, giving structure to mathematical arguments and making solutions objects that can be discussed and manipulated. This sparked the idea of making structured derivations part of a method for teaching mathematics with more emphasis on logical rigour and proof presentation that what is common today. Teaching structured derivation in high school After some initial experiments where the proof format was tested on sample problems and prototype tools for browsable derivations were developed, a research project and field test 10
was started in 2001. This is a joint project with the University of Turku and the Kupittaa High School in Turku. It involves the development and use of methods, materials, and tools, with structured derivations as the common denominator. Leaders of the project are Back and von Wright together with professor Tapio Salakoski from the University of Turku. The teaching experiment is carried out by Mia Peltom¨aki (mathematics teacher at the Kupittaa high school and PhD student at the University of Turku). Browsable derivations and tool support have been developed by Martin Nylund. Tanja Kavander, a PhD students from the University of Turku is also involved in the project. The initial results of the project are very encouraging. The first two years of experiment with one test group and one control group are currently being evaluated by Mia Peltom¨aki. The teaching experiments were extended in the autumn 2003. The teaching experiments will continue in 2004. [7, 9] Book project Motivated by the good results for teaching structured derivations in high school math, Back and von Wright have started to work on a book that presents this approach to teaching mathematics in high school. This book is intended to serve two purposes. First, it would provide a tutorial on how to apply structured derivations in high school mathematics curriculum, by explaining the basic theory and providing a wealth of examples. Secondly, the book can also be used as a one or two semester course on structured calculational derivations. The latter has already been tested by von Wright in a special high-school math course given in the autumn of 2003 in a high school in Vasa. 2.2.5
Process algebra modelling of factory production
Process algebras have been also used to formalize a simulation technique for production systems. The core of this simulation technique is the modeling language Chi [32]. It has been used successfully to model and analyze factories, production lines, and machines. The paper describes the decisions made for the formalisation of Chi and it explains the result: a Chi variant called Chi-sigma. Chi-sigma has a formal operational semantics in so-called Plotkin-style. Several properties known from process algebras like CCS, CSP, and ACP, are shown to hold for Chi-sigma as well. The operational semantics and the properties derived from it can be used to make statements with a precise mathematical meaning about (models of) production systems. A prototype simulator and model checker for Chi-sigma have been implemented and used in small case studies. Bos et al. present in [33] a revised and extended version of this work. The operational semantics of Chi-sigma is explained in more detail and some examples illustrating characteristic properties of Chi-sigma are discussed.
2.3
Computer Supported Tools
Work within computer supported tools has proceeded in several directions. First of all, we have a long tradition in building tools based on the HOL system. Secondly, we have been using existing tools to support our design methodologies. Examples of these are the tools around the B Method as well as the UML tools. 11
Finally, we have started a new line of research where we build tools to support more generally model based design. In this work the modeling languages do not always fall within the languages studied in formal methods. Refinement Calculator During the late 1990’s, von Wright developed the Refinement Calculator, an interactive GUI-driven tool for program refinement built on top of the HOL theorem prover. The Refinement Calculator was intended as a prototype tool and it has been used to study the feasibility of theory developments as well as interactive and semiautomatic reasoning in various calculi. It is not actively developed any more, but it is occasionally used as a basis for more specialised tool developments. Recent work of Celiku and von Wright on reasoning methods for recursion and for angelic nondeterminism [39, 37] has included extensions to the Refinement Calculator tool. Ruksenas has been using and extending the HOL theorem prover and window inference for reasoning about components [66]. He describes a theorem prover based environment which supports stepwise compositional refinement of action systems. The tool is based on the window inference style of reasoning within the Refinement Calulator. Ruksenas also describes the generalisations of the window inference paradigm developed for action system refinement but applicable in a broader context as well. UML to B transformation Within Matisse, Walden was involved in the development of the Atelier B tool towards a tool supporting distributed systems as well as the U2B tool from Southampton (Snook, Butler). The latter transforms certain UML diagrams to B machines automatically [75]. Snook and Walden have further developed the tool U2B to assist in the whole design process. The informal requirements are expressed as UML-diagrams which are refined during the development. They are then translated to the UML specification as well as the UML refinements to B-action systems with the tool U2B [73]. Plosila, Sere, and Walden have some promising results on using the B Method for design of asynchronous circuits and components [57]. Mathematical Derivations Editor The Math Editor (MathEd) is an outlining editor for carrying out structured calculational derivations. The team working on the editor consists of Back, Bos, Johannes Eriksson, and Preoteasa. MathEd can be used as a basic text editor but also as a programming editor with syntax highlighting and support for mathematical derivations. Presently the team is extending the editor to combine these two features together so it is possible to support both writing a program and carrying out a proof that the program is correct, in the same document. MathEd is by now the largest piece of software that has systematically been built using the Stepwise Feature Introduction method, and now consists of 14 layers with a total of 65 000 lines of Python code. Systems Modelling Workbench The System Modeling Workbench (SMW) is a collection of tools to create, analyse and verify software models. The main tool is a graphical UML editor that can be extended using a profile mechanism. 12
This tool allows us to create small scripts to transform models and generate derived artifacts from a model, such as program code or a formal specification. The tool is based on the current OMG standards and can be used with the Unified Modeling Language (UML) and other user-defined languages based on the Meta Object Facility (MOF). The team working on this project consists of Porres and Alanen. The basic ideas behind the System Modeling Workbench were presented in [61]. SMW is presently been going through a major revision, aimed at a major efficiency improvement, and will be renamed Coral. Model analysis and transformation tools SMW can be used to define model to model transformations [58, 59]. This research is carried out by Porres, in collaboration with Alanen. The goal is to use advanced tools to transform step by step a model describing the requirements and problem domain of a system to be built into a detailed implementation model that can be executed. Another application of model transformation is model refactoring. In this case, Porres et al. do not transform a model to make it more concrete but to simplify and improve its design. The tool does not prove that an actual transformation is a refinement, i.e. that a transformation preservers the correctness of a model, but it can verify that a transformation is well-formed with respect to the rules of the modeling language. M odel transformation is just one of the possible uses of a model-driven software development tool. There are many other applications that do not transform an existing model but generate a derived text-based artifact. This is the case of generation of program code, tests cases, metrics, a specification in a formal language or an input model for a verification tool or a performance analysis tool. There are other applications that do not even generate new artifacts, but are mainly used to analyze a model. An example is to check if a model is consistent with respect to the rules of its modeling language or with respect to user-defined rules such as architectural, design or implementation guidelines. All these applications can be constructed in SMW as a combination of scripts that can be executed by SMW. These scripts are customized to our particular application domain, software development process, target platform or testing procedures. The construction of these tools is not trivial. Most designers and researchers are familiar with UML as a pictorial language. However, UML models are stored internally as a complex graph. Software models as data structures are seldom discussed in the literature, however there is a need for new algorithms to perform basic operations on models such as duplication of part of a model [62], or comparison and merge of models [2]. An industrial project with Nokia Research Center is now starting up with the aim of utilizing SMW in this way for the companys internal research. Model repository If we plan to use models instead of source code as the main and most important description of our software, we need to keep all models up to date. Also, in any non trivial project there will be different developers working simultaneously on the same models. There will be also different versions of the same model, targeted to different platforms, customer requirements, and 13
evolution and maintenance will be carried out over the models. This implies that we need to use a proper version control system to keep track of our models that comprise the final product. Alanen and Porres have studied and implemented such a system, as reported in [4]. In this work, they discuss why source codeand XML-based repositories cannot be used to manage models and present alternative solutions that take into account specific details of MOF languages. System Construction Workbench The System Construction Workbench is an extension of the System Modeling Workbench that provided a graphical environment to develop software using the Stepwise feature introduction method [11, 6]. It also has support for automatic code and unit testing generation from UML models. This system has also been built itself using the Stepwise Feature Introduction method. The team working on SCW consists of Back, Milovanov and Norrgrann. Combining model checking with simulation Bos has studied the benefits of integrating formal methods with simulation techniques in order to analyze production systems in [31]. Simulation of models of production systems provides information about performance of these systems, i.e. cycle times, throughput, etc. However, it cannot provide information about properties like deadlock and livelock. Formal methods, in particular automated formal methods like model checking, can deal very well with such behavioral properties. The paper describes integration of model checking with a particular simulation tool. The potential of the resulting combined technique is illustrated by several small case examples. The Rialto compiler The work on the semantics of Rialto and the translations of UML diagrams have been integrated into a compiler. The UML translations are implemented as filters, that read an XMI-file (a textual representation of UML models) and produce Rialto code. This code is then compiled and optimized by the Rialto compiler. There are several different code-generators that the user can choose from. It is possible to generate C code for a statemachine intepreter, which is useful in an embedded environment where space is at premium. It is also possible to generate optimized C code using S-graphs, where similar parts of code are shared. This code is optimized for speed. Finally there is also a code generator that generates VHDL. Rialto compiler and SMW integration [28]. The code for the UML to Rialto translator and the corresponding code-generations have been integrated into SMW. This work also includes a SMW profile for graphically displaying SDF graphs. The TACO tool Virtanen Lundstrom, and Lilius have developed a tool for supporting the TACO design flow [85]. It consists of a GUI written in Java that interfaces to Matlab for physical estiamtion, to the Cadence VHDL synthesis tool for physical synthesis, and to the SystemC simulator for debugging and initial evaluation of TACO programs. 14
Verification of heterogenous systems The aim of this work is to develop verification techniques for systems that are described using several models of computation. Max Soderstrom (M.Sc. Eng student) has been working on a reimplementation of the vUML tool within the new SMW environment. The goal is to extend vUML from Statecharts to also cover the other behavioral models of UML. The resulting tool will translate UML models into PROMELA, the input language of SPIN. The work on the Rialto to B translation can also be seen as step towards verification of heterogenous systems, although the present approach still has some problems in its practical applicability, due to the small amount of proof obligations that the current B tools can discharge automatically.
2.4
Software process and architecture
A considerable portion of CREST research falls within the area of software engineering and especially software processes. Here we have a two-fold view on the field, partly we work on integrating formal methods within the world of software processes and partly we propose new processes, with or without formal methods, which contribute to the production of reliable software.
Stepwise feature introduction A central problem in constructing large software systems is how to manage complexity. The larger the system becomes, the more difficult it is to extend the system and adapt it to changing requirements. For this purpose, we have been experimenting with an incremental software architecture and software construction process that we refer to as stepwise feature introduction [11, 6]. The essential idea here is that a software system is built in very thin layers, where each layer adds just one new feature (unit of functionality) to the system. The extension mechanism is class inheritance. A layer will usually consist of more than one class, where most classes are extensions of corresponding classes in earlier layers. The guiding princple has been here an attempt to keep the class invariant as simple as possible, and to use the superposition refinement principle that our group has worked out earlier for extending software systems. We have used this approach in a number of practical experiments in software construction, and the experience has been very encouriging. Two of the three main Gaudi software projects are based of stepwise feature introduction (MathEd and SCW). Stepwise feature introduction seems to go very well with the notion of short iteration cycles that is championed in Extreme programming, and usually we apply a combination of these two techniques in our software construction. We have reported on some early experiences in using this method in [8]. We have mainly used Python as our programming language, a dynamically typed object oriented programming language. We have, however, also carried out two other case studies, one using Java (the Nokia case study [5]) and one using Eiffel (Fipla [16]). 15
Extreme Programming Different agile software processes have emerged in recent years. Although it may seem that it is contradictory to merge agile software methods with formal methods, we consider that both approaches have important benefits that complement each other. Of special interest is to use methods such as Extreme Programming to plan and execute small experiments in software development in a university setting. Back, Milovanov, Porres and Preoteasa show the results from our first of the series of experiments with Extreme Programming (XP) in [17] and discuss how Extreme Programming (XP) can be used as the base software development method for practical experiments in software engineering. They show how use of the main features of XP helped to minimize some of the problems and difficulties that appear when trying to perform such experiments in a university environment. The focus of another experiment, reported in [16] by Back, Hirkman and Milovanov, was to evaluate the XP customer model and Design by Contract. The experiment indicates that the XP emphasis on having an on-site customer available during the project substantially improves the communication between customers and the programming team, and markedly decreases the number of false features and feature misses. It also indicates that the systematic use of Design by Contract leads to a very low post-release defect rate for the software system built. Model Driven Development Alanen, Lilius, Porres, and Truscan are studying how to define and provide tool support for model-based software development processes [1]. In a model-based process, most artifacts describing our software are constructed using a modeling language rather than natural language and program code. The benefits of this approach are based on the assumption that modeling languages are more precise than natural languages and more abstract than program code. Also, it is simpler to define development steps and automate them as model transformations. The Model Driven Architecture (MDA) as supported by the Object Management Group (OMG) describes the structural requirements of an engineering discipline where models, instead of source code, comprise the primary artifact. Model Driven Engineering (MDE), as outlined by Stuart Kent, brings forth the dynamic aspects of engineering, where process adherence and rigorous commitment to analysis are equally important. As such, MDE has a broader scope than the OMG Model Driven Archicteture initative. The basic idea of this research is very simple. The goal is a design flow using UML (and extensions), which defines a number of models that need to be developed. The development of these models is done using transformations. These transformations may be ad-hoc (done by hand editing of the model), or they may be automated. They have developed a set of transformations that go from a use-case model to an initial object diagram. After editing this objectdiagram by hand, it can be transformed into a data-flow diagram. Again this data-flow diagram can be edited by hand. Finally the dataflow diagram can be transformed into either an object-diagram, or a class-diagram. The work on the relationship between data-flow and object-oriented models have been 16
presented in technical reports [44, 43, 83]. The work has now been accepted for publication [42, 82]. The work will be summarised in Dragos Truscan PhD thesis, which hopefully will be submitted before the end of this year. UML based design Though UML is lacking a formal semantics, it has become de facto industry standard for modeling various systems, many of which are safety-critical. UML promotes a use case driven development process, meaning that use cases are the primary artefacts for establishing the desired behavior of the system, verifying and validating it. Troubitsyna [80] demonstrates how to integrate safety analysis in use case modeling. She argues that to guarantee a high level of dependability, both inductive and deductive safety techniques are needed. She proposes an approach to integrating results of Functional Hazard Analysis and FMEA in a model–driven development of dependable systems with use cases. One of the objectives of Plosila et al. is to develop a design methodology for systems and especially hardware which would combine the Action Systems and UML frameworks [71, 67]. A UML profile for Action Systems has been created based on UML class diagrams, closely accompanied by a novel graphical notation for Action Systems constructs. Object Constraint Language (OCL), a textual extension of UML, provides an interface between UML and Action Systems, allowing specification of logical constraints, properties and refinement rules for system component models. Control systems Modeling control systems has been one of the topics under intensive study during the past years. Within Matisse, Walden has been developing design methodologies for such systems using Action Systems embedded in the B Method [34, 53]. This work is based on the early work on Butler, Sekerinski, and Sere on developing control systems. The methodology has been further developed and enhanced e.g. with safety analysis techniques (Troubitsyna) and the use of UML in describing a complicated B model (Petre and Sere) and also using UML to get inspiration for future refinements of the model. The work within the Matisse project is gathered in the MATISSE Handbook1 . Following the Matisse work, Petre [52] proposes a systematic, seven-step development method for control systems components and demonstrates it with a detailed case study of the sorting hub of a fast courier service. A central point in this method is the modeling of system components on two different levels: informally as UML diagrams and formally as action system-based specifications. Petre develops the formal specifications (using refinement and decomposition techniques) in parallel with the UML diagrams. In the early stateges of the development, the formal specifications are built based on the informal ones, while in the later stages, the formal specifications can be documented as UML diagrams. Since the UML, diagrams mirror the formal part of the development, an informal refinement of such diagrams is actually carried out. 1 MATISSE Handbook for Correct Systems Construction. EU-project MATISSE: Methodologies and Technologies for Industrial Strength Systems Engineering, IST-1999-11345, 2003. http://www.esil.univ-mrs.fr/ spc/matisse/Handbook
17
Safety issues Troubitsyna has continued on her work on safety issues in software development. Of course, much of the work on formal methods fall within the category of fault avoidance, but when working with systems, faults must be handled. Her approach is to do hazard and safety analysis hand–in–hand with the modeling of the required functionality of systems. Hence, one develops a formal specification that includes results of those analyses. Troubitsyna has adopted a system approach, i.e. the entire system is modelled, not only software. One can now reason about fault tolerance rigorously, one way being to formalise the CCA (coordinated atomic actions) approach, which is an informal technique for developing fault tolerant parallel and distributed systems (Romanowsky, Troubitsyna). Traditional engineering techniques used in safety analysis are not well integrated into software development process. However fulfilling requirements resulting from safety analysis is vital for ensuring dependability of the overall system. Troubitsyna [76] proposes an approach to incorporating results of the well-known safety technique Failure Mode and Effect Analysis (FMEA) into a formal specification of dependable system. She demonstrates how to extend the traditional representation of the results of FMEA to facilitate elicitation of software requirements. The requirements are captured in a formal specification. Further extension and validation of the proposed approach is reported in [79]. Fault tolearance in software development An application of formal methods helps us to gain confidence in building correct software, i.e., focuses on fault prevention. On the other hand, to achieve overall system dependability we need to build fault tolerant software, i.e., software which is not only fault-free but also able to withstand faults of other system components. Troubitsyna and Walden [81] proposed a formal methodology for modeling fault tolerance in UML. They demonstrate how abstract fault tolerance mechanisms can be represented in state and class diagrams. Moreover, they outline a formal approach to modeldriven development of fault tolerant control system with the B-Action system support. A formal derivation of fault tolerant feedback control system in the B method is studied by Laibinis and Troubitsyna [45]. They demonstrate how to introduce detailed representation of error detection, error recovery and redundancy by refinement. They propose an approach which allows us to specify a control system in such a way that fault tolerance mechanisms become an intrinsic part of the controller behaviour. On the basis of safety analysis they formulate a safety invariant. They showe that by refining a specification with fault tolerance mechanisms we can arrive at an executable code of a controller which is safe and fault tolerant by construction. While in the previous work they focused on structuring safety requirements by refinement, here they study how to use refinement to specify general fault tolerance mechanisms. The TACO design flow This work is pursued by Dragos Truscan and Seppo Virtanen under the leadership of Lilius. The Telecommunications Laboratory at the University of Turku is also involved in the project, their focus being on the physical estimation models. The idea is to develop protocol processing soft18
ware and hardware for a specific processor architecture. The architecture that is chosen is a modified Transport Triggered Architeture (TTA), that is called TACO. A TACO processor is an application specific processor that consists of a control unit, a number of functional units, that define the capabilities of the processor, and one or more interconnection busses. A TACO processor has a single instruction MOVE, which moves data from one functional unit to another over the busses. Implementing an application on a TACO processor then involves not only the design of the program, i.e. sequencing of MOVE’s, but also the identification of the right set of functional units that are implented in hardware. Designing a TACO processor is a traditional HW/SW codesing problem. The main design problem is the identification of functionalities that can be mapped into hardware. This “low-level flow” is relatively well developed and documented [49, 87, 84, 88]. Parts of the work have also now been accepted for journal publication [86]. It is beeing summarised in Seppo Virtanens PhD thesis, which is expected to be submitted this spring. Design methods for heterogenous systems The focus of this effort is to try to answer the question “what is the right way to design systems with heterogenous models of computation”. A design flow is understood as a method that is used from the beginning to the final physical realisation of the product. Clearly this involves traditional software engineering issues like requirements description, and project management. However in this context the focus is not on these but on the development of a methodology, i.e. a language and a set of relatively well defined steps and transformation that are done to different artifacts. Truscan and Lilius have developed a prototype design flow, based on UML, that they have used to develop a TACO processor for IPv6 routing [47, 48]. It starts with a use-case description of the requirements, and goes through a number of well-defined stages that define the initial model, then a domain specific, but platform independent model, and finally a domain specific platform dependent model. The final model is then mapped to the SystemC simulation framework, and provides the input to the TACO low-level design flow. This work is continued in the context of MDE presented elsewhere in this report. The relationship of Data-Flow and Object-Orientation One issue that arose during the design of the IPv6 router, was whether object-orientation is a good way to design embedded systems, and whether UML contains all the appropriate diagrams. Fernandes, Lilius, and Truscan are not convinced that it is so in general, or that at least there are other aspects in an embedded system that also need to be described in the design process. Indeed it isn their observation when working with the IPv6 router, that the top-level functionality was more intuitively described as a data-flow diagram, than as a collaboration diagram. On the other hand, when the design progressed, there was a natural mapping of objects to functional units in the TACO processor. This has prompted them to look more closely at the use of data-flow in embedded system design. Work on the relationship between data-flow and object-oriented models have been presented in technical reports [44, 43, 83]. The work has now been accepted for publication [42, 82]. 19
2.5
Case studies
Quite a lot of the work in CREST is driven and demonstrated by case studies. Some of the case studies are smaller while others are already of inustrial strength. Below we describe work in this latter category. Distributed systems and mobility Sere et al. have a long tradition on designing algorithms and systems for distributed networks. Earlier, the network topology was mainly static, but sometimes also dynamic with failing links. The object oriented action systems formalism (Bonsangue, Kok, Sere) turned out to be very suitable for modeling e.g. code and data mobility as well as component in arbitrary networks (Petre, Sere, Walden). Recently, our interest here has moved towards networks where the topology is initially not known, like in ad hoc networks [92, 93]. Several masters theses works have been carried out within this area. Yan and Sere show how to design peer-to-peer systems within the action systems framework by combining UML diagrams. They present the approach via a case study of stepwise development of a Gnutella-like peer-topeer system. and extend the approach to deal with different kinds of firewalls providing connectivity through firewalls [97, 95]. Applying formal methods on industrial systems Within the MATISSE project Walden et al. have studied the use of formal methods in combination with a graphical interface to achieve a better acceptance of formal methods by industry. An industrial size case study on a liquid handling workstation Fillwell developed at Wallac was conducted within the project [34]. They used B Action Systems as the theoretical framework and relied on the Action System formalism for developing distributed systems, as well as on the mechanical tool support provided by the B Method. The graphical interface to the B Action Systems was provided by UML using the tool support developed for automatic translation from UML to B (U2B-tool). The above case study inspired them to conduct another case study where they also considered implementation issues for control systems of industrial size [35]. Also in the latter case study they used the Fillwell workstation as the industrial example. With the implementation method introduced for control systems they achieved a precise mapping from the specification to the code executed on the computer. Gaudi factory software case studies One of the principles of the Gaudi software factory is to validate our research by performing case studies using methods and tools developed in our basic research. Sometimes, the planing and execution of such cases studies are a research problem on their own. As we have discussed previously, we have found that a agile process helped us to set up and run small projects with students [17]. In other projects, the problem has been the lack of proper tool support to perform non-trivial case studies. The development of a framework for model transformation has helped us to create studies using new modeling languages and methods that are not supported by commercial modeling tools [10]. Within Gaudi, we have developed three larger 20
case studies, MathEd, SMW and SCW. These have been described above, under the tool section, so we will not repeat the description here. Nokia case study A case study on building software for a mobile platform using stepwise feature introduction was carried out in a project with Nokia Mobile Phones. All the participants in this project were from this company, except Back, who served as the project manager. The group was also interested in appling user centric desing, and in studying how this design method could be combined with stepwise feature introduction. The combined method was refered to as the Ladder process. The specific application that was built was a teenage girl diary intended to run on a Nokia Communicator 9210. The results were very encouraging, and resulted in running prototypes that could be demonstrated. The project also showed the value in not only building the software in a layered fashion, but also designing it in a layered fashioned. The design and implementation layers roughly corresponded to each other, but not always exactly. The results of the project have been presented at the main human interface conference (HICS) as an invited presentation. Financial planner A case study for testing the on-site customer model in extreme programming, while at the same time trying to improve software reliability by using design by contract techniques and the Eiffel language, was carried out in the summer of 2003. This was a joint project with the Information Systems department at Abo Akademi (Barbro Back and Pia Hirkman) and the Software Construction Lab (Ralph Back and Milovanov) [16]. The case study demonstrated both the desirability of the customer model and the qualitative improvements in the design that it brought with it, as well as the marked increase in software reliability that was achieved by using design by contract specification and testing for software modules. The application itself was rather simple, a personal financial planner, that allowed keeping track of ones incomes and expenses by bank account and by spending categories. The IPv6 Router In the context of the research on design flows for heterogenous systems and in the context of the TACO design flow the implementation of an IPv6 router has been taken as a case study. The IPv6 router design exists as a set of UML models, as well as a set of SystemC and VHDL components for the TACO environment. The IPv6 router has also been implemented on a INTEL IXP1200 Network processor. A comparison of the TACO implementation and the INTEL IXP1200 Network Processor implementation will be included in Seppo Virtanens PhD thesis. The Uva While there exists a fair number of partial solutions to enabling dynamic updating in arbitrary applications, none of them have proved to be superior. The Updateable Virtual Machine is a virtual machine which is largely compatible with a Java virtual machine but has improved support for updatability, evolution and flexibility. The foundation for the machine are a number of concepts that potentially improve both dynamic and static updatability 21
markedly: the sequence model for dealing with code, and entity-oriented programming for dealing with data and object-orientation. The concepts have been discovered through an analysis of “what dynamic updating and static evolution is all about”. Some of the previous work in the field has developed dynamic updating systems by refining some existing programming language. The Uva is different and novel, because it constructs the whole programming language from ground up based on updatability demands. To ensure that this language is useful enough, it is made to superficially look like popular object-oriented languages. The Uva could form a basis for approaches that rival Java and outperform it in evolvability and updatability. This work has been done by Osterberg and Lilius [51].
3
Other Activities
In this chapter we describe other professional activities at CREST and give a list of publications for the year 2003. Also the financial situation of CREST will be explained.
3.1
CREST seminars
CREST seminars are organised to provide CREST researchers with an opportunity to discuss work-in-progress. Moreover, the visitors at CREST commonly present their work at a CREST seminar. During 2003, Niklas Holsti, Space Systems Finland, Pekka Abrahamsson, VTT Electronics, and Professor Ian Hayes, University of Queensland, gave guest lectures at the seminar. CREST seminars are usually organised every second week. Below is a list of seminars of year 2003. 23.01.2003 Specification Variables: Between the Angel and the Demon. Linas Laibinis. A Grand Challenge for CREST. Ralph Back. 06.02.2003 Static Analysis of Program Execution Time. Niklas Holsti. Guest speaker from Space Systems Finland Ltd. Finland. Reasoning about Recursive Procedures with Parameters. Viorel Preoteasa. 20.02.2003 Fast Evaluation of Protocol Processor Architectures for IPv6 Routing. Dragos Truscan. Using Process Algebra to Reason about Imperative Programs. Victor Bos. 06.03.2003 Model Based Development. Ivan Porres Rule-based Transformation in SMW. Miika Hakala 27.03.2003 Component-Based Development of Action Systems. Rimvydas Ruksenas. Action Systems Profile for UML. Tiberiu Seceleanu. 03.04.2003 A connection between Refinement and Hoare Logic for recursive procedures. Viorel Preoteasa. 22
Techniques for Low Power Optimization of Software—Ongoing work on energy consumption of embedded java applications. S´ebastien Lafond. Discussion topic: Bad Research Career, see http://crest.abo.fi/files/ BadCareer3.ppt. 24.04.2003 3D collision detection. Henrik Enqvist. Discussion about Eiffel. Ivan Porres and Ralph Back. 15.05.2003 CREST seminar on Agile Methods external speaker: Pekka Abrahamsson, VTT Electronics (http://www. vtt.fi/). internal speakers: Ivan Porres and Ralph Back. material: Agile software development methods available at http://www. vtt.fi/inf/pdf/publications/2002/P478.pdf. 22.05.2003 Concerning web based mathematics. Martin Nylund. The TACO Design Tool. Tomas Lundstr¨om. 12.06.2003 Integrating Safety Analysis into Formal Specification of Dependable Systems. Elena Troubitsyna. Guest speaker: Testing in the Refinement Calculus. Bernards Aichernigen, United Nations University, Macau, China; Graz University of Technology, Austria ¨ Rethinking Software Updating. Dan Osterberg. 20.08.2003 Guest speaker: Real-time Refinement Calculus. Professor Ian Hayes, Leader, Systems and Software Engineering Research School of Information Technology and Electrical Engineering University of Queensland, Brisbane, Australia. 04.09.2003 Formal Development of Control Systems. Pontus Bostr¨om. A Framework for UML Animation. Petri Manilla. 18.09.2003 Building Reliable Peer-to-Peer Systems with Formal Methods. Lu Yan. An Experiment on Design by Contract and XP Customer Model. Piia Hirkman and Luka Milovanov. 02.10.2003 Cost-based analysis of probabilistic programs mechanised in HOL. Orieta Celiku. Architecture, Design and Implementation of a Mathematical Derivation Editor. Johannes Eriksson. 16.10.2003 Introduction to SystemC. Seppo Virtanen. TUCS Digital Television lab and its techniques. Jerker Bj¨orkqvist. 13.11.2003 Implementing Angelic Nondeterminism. Orieta Celiku. Reasoning about Pointers in Refinement Calculus. Viorel Preoteasa. 27.11.2003 Domain Operators in Refinement Algebra. Kim Solin. Formal Analysis of a Local Segmented Bus Arbiter. Tomi Westerlund. 23
11.12.2003 Model-based development of embedded systems. Dragos Truscan. Scannerless Earley Parsing. Victor Bos. For more information about the seminars, we refer to the CREST website http: //crest.abo.fi/.
3.2
Professional activities
The professional activities of the individual researches are given here. Raph-Johan Back • Director of this center of excellence and of CREST • Academy professor at the Academy of Finland, leave of absence from ordinary professorship at Abo Akademi University, 2002-2007 • Participated in the evaluation committees for Computer Science in Sweden 2002 and for Computer Science in the Netherlands 2003. • Participated in the appointment committee for a professorship in telecommunications, Royal Insititute of Technology, Sweden. • Member of the Academia Europea, the Finnish Society for Science (Suomen tiedeakatemia) and the Swedish society for technical sciences in Finland (Svenska tekniska vetenskapsakademin) • Member of IFIP WG 2.3 • Chairman of the board of TUCS (Turku Center for Computer Science) 2002 –, director of TUCS 1993-2001. • Particpated in a number of program committees. • Invited lecture series at summer schools in Tunis (Tunis, 2003) , and Marktoberdorf (Germany, 2004). • Invited keynote talks at conference in Oulu (2003) • Member of the building committee for the new IT house at Turku (CS departments for all three universitites in Turku, and for Turku Polytechnic) • Member of the steering committee for EEF (European Educational Forum) Johan Lilius • Head of department • Chairman of the Educational work group for Computer Engineering at TUCS, 1.8.2003• Member of the Faculty board of the Faculty of Chemical Engineering 200124
• Member of the delegation of the Foundation of New Technology (Stiftelsen for Ny Teknologi) 2003• Member of the Steering group of the Computing Centre at ˚ Abo Akademi (Datacentralens direktion) 2003• Chairman of the Steering group for the Software Development Center 2002-2003 • Member of PC, DATE 2003, International conference On Applications and Theory of Petri Nets, 2004, International Conference on Application of Concurrency to System Design (ACSD), 2004, • Academic Co-Chair for International Conference on Application of Concurrency to System Design (ACSD), 2003 • Preliminary examiner: Vesa Hirvisalo, Helsinki University of Technology, Thesis title ”Using static program analysis to compile fast cache simulations” (preliminary examiner) • Opponent for Licenciate thesis, Ulf Nordqvist, A Programmable Network Interface Accelerator, Linkoping Universitet Kaisa Sere • Vice director of this Centre of Excellence Abo Akademi University (deputy) (2001-2005) • Board of˚ Abo Akademi University • Vice dean of the Faculty of chemical engineering ˚ (2001-31.08.2003) Abo kademi University (2001• Board of the Faculty of chemical engineering ˚ 31.08.2003) • Vice director of Turku Centre for Computer Science (2002-2005) • Board of Turku Centre for Computer Science (TUCS)(2002-2005) • Chair and member of a committee to evaluate master programs in Norway, Norgesnettradet 2000-203. • Member of the steering committee of European Educational Forum (EEF) 1999 -. • Member of a committee to evaluate the ICT2010 basic research programme on computer science in Norway, Research council 2003. • Member of two evaluation commitees for professorships in Univertity of Oslo, Norway • Opponent in a Ph.D. defence (Aletta Nylen), University of Uppsala, Uppsala, Sweden, December 2003 25
• External evaluator of Ph.D. thesis (Amjad Hudaib), Universita di Pisa, Pisa, Italy, January 2003 • Invited talk: University of Linkoping, Linkoping, Sweden, March 2003 • Member and vice chair of the Research Council for Natural and Technical Sciences of the Academy of Finland, 2004-2006. • Served in several program committees, refereeing tasks etc. Marina Walden • Co-organizer of the 15th Nordic Workshop in Programming Theory, NWPT’03 , Organizer of the 3rd International Conference of B and Z Users, ZB2003, • Co-chair of the B Programme Committee for ZB2003. • Member of the Steering Committee of the B International Conferences (Association de Pilotage des Conferences Internationales B). Joakim von Wright • Member, IFIP Working Group 2.3 • Program Committee: RelMiCS (7th International Seminar on Relational Methods in Computer Science and 2nd International Workshop on Applications of Kleene Algebra) 2003 • External examiner of PhD thesis: Jamie Shield, University of Queensland • Invited lecture: University of Augsburg, June 2003
3.3
Events
The researchers of CREST have been active in organizing conferences and workshops as well as serving in various programme committees during the recent years. In Turku, we organised several events. Marina Walden had the responsibility for the ZB2003 conference. In conjunction with the ZB2003 conference, we organised the RCS’03 workshop, the 2nd International Workshop on Refinement of Critical Systems: Methods, Tools and Developments on June 3rd, 2003 in Turku, Finland. Moreover, the 15th Nordic Workshop on Programming Theory was again organised by us on 2003. Sere and Walden are in the process of editing a special issue of the Nordic Journal of Computing based on this workshop. Lilius organised the Transport Triggered Architectures Workshop in October 2003 and the Static Analysis workshop on 3rd Nov 2003. Currently, Sere and Plosila are organizing the next ACiD-WG workshop on asynchronous circuit design to be held in Turku summer 2004. Lilius and Porres are organising several workshops and conferences on 2004, 11th Nordic Workshop on Programming and Software Development Tools and Techniques 11th Nordic Workshop on Programming and Software Development Tools and Techniques NWPER2004 and NWUML2004: The 2nd Nordic Workshop on 26
UML, Modeling, Methods and Tools, both organised in Turku summer 2004. They are also involved in organising the MOMPES workshop colocated with ACSD2004 in Canada.
3.4
CREST Financing
Funding for CREST comes basically from three sources: • via the Centre of Excellence funding, • from the involved universities and • from TUCS. The major part of the equipment and facilities for CREST are financed via the universities. Therefore we concetrate here on the personnel. The personnel budget for CREST is about 900.000 EUR per year. One third of this comes via the Centre of Excellence financing, which is divided between Academy of Finland (150.000 EUR), Technology Development Center of Finland (50.000 EUR) and ˚ Abo Akademi University (80.000 EUR). Another third comes from the Academy of Finland via our research projects (80.000 EUR) and via the academy professor funding (100.000 EUR) as well as funding from TUCS for the graduate students (140.000 EUR). The final third comes from the universities via the salaries of the senior researchers (300.000 EUR). Here we have been optimistic and estimated that a professor uses 50 procent of his or her time for research, supervision or teaching within CREST related areas while for assitant professor this amounts to 70 procent. The Academy of Finland projects during 2003, not included in the Centre of Excellence financing, were the SPROUT project (Ralph Back) and the FOSSE project (Kaisa Sere). Both of these projects will end in 2004. Additional funding in 2003 was received via EU for the Matisse project, which ended in the beginning of the year as well as for the ACiD-WG project, which supported our travelling costs to events organised by the network.
3.5
Publications 2003
publist Journal articles Ralph-Johan Back and Joakim von Wright. Compositional action system refinement. Formal Aspects of Computing, 15(2):103–117, 2003 Victor Bos and Jeroen Klein. Redesign of a systems engineering language formalisation of chi. Formal Aspects of Computing, 15(4):370–389, Dec 2003 Ivan Porres. A toolkit for model manipulation. Springer International Journal on Software and Systems Modeling, 2(4), 2003 Lu Yan, Kaisa Sere, and Xinrong Zhou. Peer-to-peer networking with firewalls. WSEAS Transactions on Computers, 2:566 – 571, Jul 2003 27
Proceedings Didier Bert, Jonathan Bowen, Steve King, and Marina Wald´en, editors. ZB2003: Formal Specification and Development in Z and B, number 2651 in Lecture Notes in Computer Science, Heidelberg, Germany, Jun 2003. Springer-Verlag Johan Lilius, Felice Balarin, and Ricardo J. Machado, editors. Third International Conference on Application of Concurrency to System Design (ACSD’03). IEEE Computer Society, 2003 Kaisa Sere and Marina Wald´en, editors. Proceedings of the 15th Nordic Workshop on Programming Theory (NWPT’03), number 34 in ˚ Abo Akademi, Reports on Computer Science and Mathematics, Oct 2003 Articles in proceedings Marcus Alanen and Ivan Porres. Difference and union of models. In Perdita Stevens, Jon Whittle, and Grady Booch, editors, UML 2003 - The Unified Modeling Language, volume 2863 of Lecture Notes in Computer Science, pages 2–17. Spinger-Verlag, Oct 2003 Ralph Back, Dag Bj¨orklund, Johan Lilius, Luka Milovanov, and Ivan Porres. A workbench to experiment on new model engineering applications. In Perdita Stevens, Jon Whittle, and Grady Booch, editors, UML 2003 - The Unified Modeling Language, volume 2863 of Lecture Notes in Computer Science, San Francisco , CA, USA, Oct 2003 Ralph Back, Dag Bj¨orklund, Johan Lilius, Luka Milovanov, and Ivan Porres. A workbench to experiment on new model engineering applications. In Perdita Stevens, Jon Whittle, and Grady Booch, editors, UML 2003 - The Unified Modeling Language, volume 2863 of Lecture Notes in Computer Science, San Francisco , CA, USA, Oct 2003 Ralph-Johan Back, Xiaocong Fan, and Viorel Preoteasa. Reasoning about pointers in refinement calculus. In Proceedings of the Tenth Asia-Pacific Software Engineering Conference (APSEC’03), Dec 2003 Dag Bj¨orklund, Johan Lilius, and Ivan Porres. A unified approach to code generation from behavioral diagrams. In Proceedings of the Forum on Specification and Design Languages FDL’03, Sep 2003 Dag Bj¨orklund, Johan Lilius, and Ivan Porres. Rialto profile in the SMW toolkit. In Proceedings of the Third International Conference on Application of Concurrency to System Design ACSD 2003. IEEE Computer Society, Jun 2003 Pontus Bostr¨om and Marina Wald´en. A case study: Implementation of control systems using b-action systems. In K. Sere and M. Wald´en, editors, Proceedings of the 15th Nordic Workshop on Programming Theory, number 34 in Ser. B,, pages 51–53, Oct 2003 Orieta Celiku and Joakim von Wright. Implementing angelic nondeterminism. In 10th Asia-Pacific Software Engineering Conference (APSEC 2003), 10-12 December 2003, Chiang Mai, Thailand. IEEE Computer Society, Dec 2003 28
Johan Lilius, Dragos Truscan, and Seppo Virtanen. Fast evaluation of protocol processor architectures for IPv6 routing. In Proceedings of Design, Automation, and Test in Europe 2003 (DATE’03), volume Designer’s Forum. IEEE Computer Society, Mar 2003 Juha Plosila, Kaisa Sere, and Marina Wald´en. Design with asynchronously communicating components. In Frank S. de Boer, Marcello M. Bonsangue, Susanne Graf, and Willem-Paul de Roever, editors, FMCO 2002: First International Symposium on Formal Methods for Components and Objects, number 2852 in Lecture Notes in Computer Science, pages 424–442. Springer-Verlag, 2003 Ivan Porres and Marcus Alanen. Generic deep copy algorithm for MOF-based models. In Arend Rensink, editor, Model Driven Architecture:, pages 49–60. University of Twente, Jul 2003. http://trese.cs.utwente.nl/mdafa2003 Ivan Porres. Model refactorings as rule-based update transformations. In Perdita Stevens, Jon Whittle, and Grady Booch, editors, UML 2003 - The Unified Modeling Language, 6th International Conference, volume 2863 of Lecture Notes in Computer Science, San Francisco , CA, USA, Oct 2003. Springer Tiberiu Seceleanu and Tomi Westerlund. Segment arbiter as action systems. In Proceedings of IEEE International Symposium on Signals, Circuits & System, SCS, volume 1, pages 249–252. IEEE, Jul 2003 Colin Snook, Leonidas Tsiopoulos, and Marina Wald´en. A case study in requirement analysis of control systems using UML and b. In Traian Muntean and Kaisa Sere, editors, Proceedings of RCS’03 - International workshop on Refinement of Critical Systems: Methods, Tools and Experience, http://www.esil.univmrs.fr/%7Espc/rcs03/rcs03.html, Jun 2003. Electronic proceedings Dragos Truscan, Seppo Virtanen, and Johan Lilius. SystemC simulation framework of protocol processing architectures for IPv6 routing. In The International Symposium on Signals, Circuits and Systems SCS 2003, pages 309–312, Jul 2003 Elena Troubitsyna. Developing fault-tolerant control systems composed of selfchecking components in the action systems formalism. In H.D. Van and Z. Liu, editors, Proceedings of the Workshop on Formal Aspects of Component Software FACS’03, Pisa, Italy, Sep 2003 Elena Troubitsyna. Developing fault tolerant software using statecharts and FMEA. In N.C. Debnath, G. A. Montejano, and D.E. Riesco, editors, Proceedings of the International Conference on Computer Science, Software Engineering, Information Technology, e-Business, and applications (CSITeA 03), Rio de Janeiro, Brazil, pages 27–33, Jun 2003 Elena Troubitsyna. Integrating safety analysis into formal specification of dependable systems. In Proceedings of Annual IEEE Workshop on Fault-Tolerant Parallel and Distributed Systems. Nice, France, Apr 2003 Seppo Virtanen, Jani Paakkulainen, Tero Nurmi, and Jouni Isoaho. NoC interface for a protocol processor. In Proceedings of the 21st IEEE NORCHIP Conference, pages 31–34, Riga, Latvia, Nov 2003 Tomi Westerlund and Tiberiu Seceleanu. Formal analysis of a local segmented bus arbiter. In Proceedings of the 21st NORCHIP Conference, pages 268–271, Nov 2003 29
Lu Yan, Jincheng Ni, and Kaisa Sere. Towards a systematic design for ad hoc network applications. In K. Sere and M. Wald´en, editors, Proceedings of the 15th Nordic Workshop on Programming Theory, number 34 in Ser. B, Oct 2003 Lu Yan and Kaisa Sere. Stepwise development of peer-to-peer systems. In Electronic Workshops in Computing (eWiC), editor, Proceedings of the 6th International Workshop in Formal Methods (IWFM’03). British Computer Society (BCS), Jul 2003 Lu Yan and Kaisa Sere. Developing peer-to-peer systems with formal and informal methods. In Traian Muntean and Kaisa Sere, editors, Proceedings of RCS’03: 2nd International Workshop on Refinement of Critical Systems: Methods, Tools and Developments, Jun 2003 Technical reports Marcus Alanen, Johan Lilius, Ivan Porres, and Dragos Truscan. Realizing a model driven engineering process. Technical Report 565, TUCS, Nov 2003 Marcus Alanen and Ivan Porres. Difference and union of models. Technical Report 527, TUCS - Turku Centre for Computer Science, Apr 2003 Marcus Alanen and Ivan Porres. Issues on the design of an XML-based configuration management system for model driven engineering. Technical Report 567, TUCS, Nov 2003 Ralph-Johan Back, Cristina Cerschi Seceleanu, and Jan Westerholm. Symbolic simulation of hybrid systems. Technical Report 503, TUCS - Turku Centre for Computer Science, Jan 2003 Ralph-Johan Back, Piia Hirkman, and Luka Milovanov. Evaluating the XP customer model and design by contract. Technical Report 585, TUCS, Dec 2003 Ralph-Johan Back and Viorel Preoteasa. Reasoning about recursive procedures with parameters. Technical Report 500, TUCS - Turku Centre for Computer Science, TUCS, Lemminkaisenkatu 14A, 20520 Turku, Finland, Jan 2003 Ralph-Johan Back, Xiaocong Fan, and Viorel Preoteasa. Reasoning about pointers in refinement calculus. Technical Report 543, TUCS, Jul 2003 Cristina Cerschi Seceleanu and Tiberiu Seceleanu. On designing for modularity. Technical Report 534, TUCS - Turku Centre for Computer Science, 2003 Orieta Celiku and Joakim von Wright. Correctness and refinement of dually nondeterministic programs. Technical Report 516, TUCS - Turku Centre for Computer Science, Mar 2003 Henrik Enqvist and Johan Lilius. Region based allocation in java. Technical Report 510, TUCS - Turku Centre for Computer Science, Aug 2003 Jo˘ao M. Fernandes. Functional and object-oriented modeling of embedded software. Technical Report 512, TUCS - Turku Centre for Computer Science, Feb 2003 Joakim Isaksson, Dragos Truscan, and Johan Lilius. A MOF-based metamodel for SA/RT. Technical Report 555, TUCS, Sep 2003 30
Johan Lilius and Dragos Truscan. UML-driven TTA-based protocol processor design. Technical Report 518, TUCS - Turku Centre for Computer Science, Apr 2003 ¨ Dan Osterberg and Johan Lilius. Rethinking software updating; concepts for improved updatability. Technical Report 550, TUCS, Sep 2003 ¨ Dan Osterberg and Johan Lilius. The uva virtual machine. Technical Report 551, TUCS, Sep 2003 Ivan Porres. Model refactorings as rule-based update transformations. Technical Report 525, TUCS - Turku Centre for Computer Science, Apr 2003 Rimvydas Ruksenas. Component-oriented development of action systems. Technical Report 544, TUCS, Jul 2003 Colin Snook, Leonidas Tsiopoulos, and Marina Wald´en. A case study in requirement analysis of control systems using UML and b. Technical Report 533, TUCS - Turku Centre for Computer Science, Jun 2003 Dragos Truscan, Jo˘ao Miguel Fernandes, and Johan Lilius. Tool support for DFD to UML model-based transformations. Technical Report 519, TUCS Turku Centre for Computer Science, Apr 2003 Seppo Virtanen, Dragos Truscan, and Johan Lilius. TACO IPv6 router - a case study in protocol processor design. Technical Report 528, TUCS - Turku Centre for Computer Science, Apr 2003 Lu Yan and Kaisa Sere. Stepwise development of peer-to-peer systems. Technical Report 522, TUCS - Turku Centre for Computer Science, Mar 2003 Lu Yan, Kaisa Sere, and Xinrong Zhou. Peer-to-peer networking with firewalls. Technical Report 554, TUCS, 2003
4
CREST Laboratories
The four laboratories of CREST as well as the Gaudi Sotware Factory are described in this chapter. We give a general overview of the research directions of each laboratory as well as personnel and other resources when revelant.
4.1
Distributed Systems Laboratory
The Distributed Systems Laboratory is involved in several curricula at the departments in TUCS. Together with the Software Construction Laboratory, we are responsible for the Software Engineering education in both the Master of Science and Master of Science (Engineering) curricula. We give courses at the Telecommunications Software area and are heavily involved within the Electronics and Computer Engineering education at the University of Turku. Moreover, we have the responsibility of the continuing education in Computer Science at the department. One of the main research directions within the Laboratory is the construction and use of formal specifications, and for this reason, modeling and the analysis of models. The central techniques that we have developed and investigated within 31
this context are model decomposition and feature introduction in layers mainly using the superposition principle. These techniques were formalised within the Action Systems/Refinement Calculus framework by Back and Sere early 1990. The work on modeling has lead to the study of software and systems construction processes with formal specification as a central artifact with very good results. The prime examples of this are our work within the EU FP5 IST Matisse project, lead at our site by Marina Walden and the recent Ph.D. thesis of Mauno Ronkko on modeling and analyzing hybrid systems. The work within Matisse will be reported in the Matisse Handbook, the main deliverable of the project while the thesis was awarded the title of the best Ph.D. thesis in all computer science in Finland 2001. Recently, the work on model decomposition has been applied within the field of computer networks. We are investigating the design of reliable peer-to-peer architectures and ad hoc networks as well as other network systems based on these ideas. In connection to modeling and constructing formal specifications, we have particularly been studying the integration of certain informal (or semi-formal) techniques within the construction process. The Unified Modeling Language, UML, has been central to this as well as the use of hazard and safety analysis techniques. Moreover, within the Matisse project we have investigated the integration of two formal methods within the process, namely that of Action Systems and the B Method of Abrial. The basic reason for this has been the door that has opened to using the quite excellent administration, analysis and proof tools supporting the method. Component-based systems are becoming more important within our design machinery. We are studying the formal specification and refinement of components, their interfaces and communication protocols. In addition to refinement, software architectural issues are of importance when creating systems based on some library of components. We have been following the s.c. coordination ideas here, separating the correctness issues of components from the efficiency issues of their communication when studying systems and software architectures. These ideas have been particularly important when developing design abstractions for e.g. distributed and mobile components as well as digital circuits. Indeed, formal modeling of communication channels in digital circuits and modern system-on-chip designs is one of our central research issues at the Laboratory currently. We have a tradition of validating our methods and techniques with case studies of various sizes. These case studies also give us inspiration for future research. Especially within the Matisse project we have investigated the design of control systems with our industrial partner, a company that manufactures equipment for drug recovery for the pharmaceutical industry. We have been studying both discrete and hybrid control systems. Another important class of case studies comes from the area circuit design. This research is continued and heavily expanded. Here we have recently focused on tools and on modeling communication on circuit boards. Finally, we have started to investigate different protocols for peer-to-peer networking as well as routing in ad hoc networks and architectural issues of the networks. 32
Personnel and facilities The research group consists of both senior level researchers and young Ph.D. students. As a matter of fact, most of our current Ph.D. students just recently started. Moreover, several Masters students do their thesis works within the group some of them continuing subsequently with their doctoral studies. The following senior researchers have been active within the laboratory during 2002–present: • Kaisa Sere, Ph.D., Professor, leader of the laboratory, • Zheng Liang, Ph.D., post doctoral researcher • Juha Plosila, Ph.D., Assistant Professor (University of TUrku, electronics and digital systems), • Mauno Ronkko, Ph.D., post doctoral researcher (now Acting Professor at University of Kuopio), • Tiberiu Seceleanu, Ph.D., Assistant Professor (University of Turku, electronics and digital systems), • Elena Troubitsyna, Ph.D., Assistant Professor (computer science and engineering), • Marina Walden, Ph.D., Assistant Professor (computer science) The following Ph.D. students have been working within the laboratory during 2002present (supervisor within parenthesis): • Pontus Bostrom, M.Sc.(Eng.) (Walden), • Dubravka Ilic, M.Sc.(Eng.), (Troubitsyna), • Robert Lofman, M.Sc., (Sere), • Luigia Petre, M.Sc., Assistant Professor (telecommunication software) (on maternity leave) (Sere, Back), • Rimvydas Ruksenas, M.Sc. (thesis under evaluation), (Sere), • Leonidas Tsiopoulos, M.Sc., (Plosila, Sere), • Tomi Westerlund, M.Sc., (Plosila, Seceleanu), • Lu Yan, M.Sc., (Sere) Additionally, several research assistants have been working with their theses in the laboratory during 2003–preseet: • Fredrik Degerholm, M.Sc. student (Sere), • Nayyar Iqbal, M.Sc., (Yan), • Micaela Jansson, M.Sc.(Eng.) student (Walden), • Markus Kemi, M.Sc.(Eng.) student (Sere, Walden), 33
• Mats Neovius, M.Sc. student (Sere), • Jincheng Ni, M.Sc., (Yan), • Sajid Khan Niazi, M.Sc. student (Troubitsyna) • Sophia Nyg˚ ard, M.Sc. student (Yan) Moreover, we have an active international cooperation with Aalborg (Anders P. Ravn), Southampton (Michael Butler, Colin Snook), Newcastle (Alexander Romanowsky), McMasters (Emi Sekerinski), and Leiden (Marcello Bonsangue, Joost N. Kok) among others. The senior researchers are financed by their respective university while many of the Ph.D. students are funded via the graduate school of TUCS. Moreover, Marina Walden held a post doctoral position at Academy of Finland during 1999-2002. The main facilities of the laboratory are situated in DataCity, 4th and 5th floor.
4.2
Embedded Systems Laboratory
There are two central research topics in the laboratory: modelling languages and design methods for embedded systems, and proactive devices. The research on modelling languages and design methods is split into 3 topics: the theory of heterogeneous computing, design methods for heterogeneous systems, and verification of heterogeneous systems. UML has a central role in this research and we are cooperating with the Software Construction laboratory by participating in the design and implementation of the SMW toolkit. The laboratory is involved in the administration of the department, as the leader of the laboratory prof. Johan Lilius is the head of the department, and the laboratory manager of the laboratory, M.Sc. (Eng.) Robert Gyllenberg, is in charge of the technical administration of the department. The administrative workload has increased during 2003, because of several new projects have started within ˚ Abo Akademi these include the planning of the new ICT house, and the restructuring of the Curricula to a common European standard (“The Bologna Process”). Personnel and facilities The following senior researchers are working within the laboratory during 1.4.2003-31.3.2004 • Johan Lilius, D.Sc. (Tech), professor, leader of laboratory. • Jerker Bjorqvist, D.Sc. (Tech), assistant professor The following Ph.D. students are pursuing their studies within the lab: • Robert Gyllenberg, M.Sc. (Eng.) laboratory manager • Dag Bjorkqvist, Ph.D. student • Henrik Enqvist, Ph.D. student (1.1-31.12.2003, left for industry) 34
• Sebastien Lafond, Ph.D. student • Dragos Truscan, Ph.D. student • Seppo Virtanen, Ph.D. student (ass. prof. at Turun Yliopisto) • Dan Osterberg, M.Sc. (Eng.) student (1.1-31.8, accepted as TUCS PhD Student 1.9-, but left for industry) Additionally, several M.Sc. students and a laboratory technician are active within the laboratory: • Johnny Lindroos, M.Sc. student (1.1-31.8) • Patrik Dahl, M.Sc. student (1.1-31.3) • Tomas Nordsstrom, M.Sc. (Eng.) student (1.1-30.6) • Peter Luoma, M.Sc. student (1.1-31.8.2003) • Max Soderstrom, M.Sc. student (1.6.2003-) • Jukka-Pekka Suominen, M.Sc. student (1.9.2003-) • Asim Pervez Zaka, M.Sc. student (1.10.2003-) • Patrik Ljunqvist, M.Sc. student (1.1.2004-) • Tony Storback, M.Sc. student (1.1.2004-) • Marat Vagapov, laboratory technician
4.3
Mechanized Reasoning Laboratory
The research within the Mechanised Reasoning Laboratory is focused around methods and tools for formal reasoning, based on mathematics and logic. The starting point for this work was the problem of formalising the Refinement Calculus as a theory in the HOL theorem proving system. The direct result of this work, which started in the late 1980’s, was a mechanised Refinement Calculus theory and a refinement tool based on theorem proving. However, it also contributed to extended research in reasoning methods for program development, based on higher-order logic, and to the development of more general tool support for formal methods. The Mechanised Reasoning Lab has close cooperation with the Software Construction Lab within CREST. At the same time, it is a part of the TUCS Learning and Reasoning Lab, which is generally focused on educational technology and the development of Computer Science curricula and learning material. A main long-term research topic within the Mechanised Reasoning Lab is extending and applying the Refinement Calculus. This is work in cooperation with the Software Construction Lab. The focus of this work is on developing programming logics and algebras with applications to the Refinement Calculus. 35
The aim is to provide logical and algebraic reasoning methods that can be applied to extensions of the original theory to distributed and interactive systems, using concepts of game theory and temporal logic. An important part of the Refinement Calculus theory development, together with Back, has been the development of structured derivations, a proof format suited to reasoning about stepwise developments, combining logical rigour with human-readability. An interesting spin-off of this research is a project on applying logical reasoning and presentation methods in high-school mathematics teaching. The second main research topic within the lab is the development of theoremproving support for program refinement. This includes developing theoremproving infrastructure as well as formalising programming logics and program development strategies within a theorem prover. This work is closely related to the development of the Refinement Calculus, since theorem proving can be used both to check the soundness and logical implications of new theory developments and to test the feasibility of formally based tools. On the other hand, formalisations within a theorem prover can lead to new insights that act as input to the theory development. The main accomplishment within this area was the development of the Refinement Calculator, an interactive GUI-driven tool for program refinement built on top of the HOL theorem prover. The Refinement Calculator was a prototype tool and it is not actively developed, but it is used as a basis for more specialised tool developments. Personnel and Facilities The Mechanised Reasoning Lab is the smallest of the four labs in CREST, and its personnel situation has been fairly stable over the past few years. It has for a long time been hard to attract Finnish students to PhD studies, but this seems to be changing and we now have a suitable balance between Finnish and foreign nationals in the lab. During 2003 Joakim von Wright has been part-time employed (on leave of absence from his departmental position). The following seneir researchers have been working within the laboratory: • Joakim von Wright, PhD, professor, leader of the laboratory • Linas Laibinis, PhD, assistant professor The following Ph.D. sstudents are working within the laboratory: • Orieta Celiku, MSc, PhD student • Chang Li, MA, PhD student (until 31.8.2003) • Martin Nylund, MSc, PhD student (until 31.8.2003) • Kim Solin, MSc, PhD student The lab occupies office spaces on the 4th floor of DataCity A. 36
4.4
Software Construction Laboratory
The research of the Software Construction Laboratory centers on techniques and methods for software development. This includes software analysis, design, programming methods, languages and environments and the software construction process at large. Particular emphasis is put on the construction of highly reliable and functionally correct software systems. The main research topics in the laboratory are: • Programming logics and formal methods in programming: program correctness, semantics, program refinement, process algebras. • Different kinds of programming paradigms with special emphasis on the design, semantics and correctness of object-oriented systems and hybrid systems. • Software development processes and software process improvement. • Software modeling and model driven software development. • Software development tools Most of these topics have been part of the research in the laboratory since its foundation. The newest research direction in the laboratory is the study of different software development processes and Software process improvement. The laboratory staff has not changed much during 2002, except that our three Chinese post docs have moved on. A new post doc, Victor Bos from the Netherlands, has joined us instead in the beginning of 2002 and new Ph.D. student, Herman Norrgrann, joined the laboratory at the end of the year 2003. The biggest change has been the appointment of Ralph Back to Academy professor, which means that he is on leave of absence from his ordinary professorship for a five year period, starting in August 2002. Ivan Porres, who got his Ph.D. under Backs supervision in November 2001, is now acting professor and responsible for the undergraduate and M.Sc. level teaching and supervision in the lab. Back and Porres share the leadership for the lab, and Back continues with Ph.D. supervision and the other research related duties. The following Senior researcher are presently employed or have been employed for a longer time in the lab during 2002-03: • Ralph-Johan Back, Ph.D., Academy professor, leader of the lab • Ivan Porres, Ph.D., Acting professor, leader of the lab • Victor Bos, Ph.D., post doctoral researcher and Crest research manager • Li Bixin, Ph.D., post doctoral researcher (has now moved to Norway) • Fan Xiaocong, Ph.D., post doctoral researcher (has now moved to the U.S.) • Mingshen Ying, Ph.D., professor (has returned to Beijing) 37
The following Ph.D. students are working towards their theses within the laboratory: • Markus Alanen, M.Sc., Ph.D. student • Cristina Cershi, M.Sc., Ph.D. student • Luka Milovanov, M.Sc., Ph.D. student • Herman Norrgrann, M.Sc., PhD. student • Luigia Petre, M.Sc., Ph.D. student • Viorel Preoteasa, M.Sc., Ph.D. student In addition, there are a number of undergraduate students that write their master thesis in the laboratory while helping in the main research tasks. Currently there are six undergraduate students. The average time to complete a master thesis is 6 to 8 months. The laboratory is also responsible for the students at the Gaudi Software Factory, usually some 12-15 students at a time, working for full or half time on software projects. The main facilities for the lab are situated in DataCityA, 4th floor.
4.5
Gaudi Software Factory
The Gaudi Software Factory is a place to build software. It is an environment where researchers and students collaborate to construct software products in a controlled environment. It tries to tackle two problems simultaneously: First, the current lack in the industry and academia of rigorous and controlled experiments on software engineering. Secondly, the lack in our department of the necessary infrastructure to build software tools in the context of a research project. Many of the newest methods and practises for developing software are based on the experiences obtained by running large projects in private companies. Unfortunately, the details about the actual projects are seldom published and therefore the experiments are not repeatable. We consider that in order to perform proper research on software engineering it is necessary to perform practical experiments involving the construction and maintenance of non-trivial software products by a team of developers. These experiments can provide a large amount of input to discover new issues, formulate research hypothesis and validate them. On the other hand, it is not uncommon that a researcher envisions a software tool as the application of his theoretical work. However, the construction of this kind of software is not viable without a proper infrastructure. Most of the times, such software is constructed as a one-person effort in heroic programming, a situation that cannot be sustained in the long term. The Gaudi software factory provides the infrastructure to develop large software following a welldefined software process during a sustained period of time. The Gaudi Factory has its own premises in the 4th floor of DatacityB with an available space of 280m2 . The rooms are furnished according to the guidelines given in the Extreme Programming method and up to four developers can 38
collaborate in the same project and work comfortably. The factory has its own computers and standard development tools. Gaudi projects and products The objective of the Gaudi Software Factory is to provide a platform to build new software and to test new ways to develop software. This is accomplished by running actual software projects in a controlled environment. The factory follows a well-defined software process that is optimised in each project. All Gaudi software projects should involve either the development of a completely new product based on new research ideas or the development of a more conventional product using new or unusual development techniques. The ongoing projects are evaluated constantly to measure if the software process and development techniques are appropriated to develop that kind of product. The long-term objective of the laboratory is to find best software practises that improve the overall quality of the software. Each project develops a product: a piece of software that works and solves a concrete problem. In most cases, the final product will be freely available as open source. This allows us to find external users that can help us to measure the usability of the product or its fitness for a certain task, fill in bug reports, etc. Each project has a project leader that defines the structure, personnel and organisation of the project. Most of the projects have a length of three or four months. Once a project is finished, both the product and the development methods used are evaluated. If needed, it is possible to develop a large product using several iterations of three or four months each. The programming tasks in a project are performed by students employed full or half-time as programmers. The programmers are supervised and coached constantly by the project leader and other researchers. They help the programmers with the development tasks and also make sure that the different development methods used in a project are applied correctly. Another important role in each project is the customer. The customer is a person who wants the factory to build a concrete software product. The customer defines the requirements for the application and commits himself to validate the application delivered by the development team. The customer finances part of cost of the project. There can be several customers in a project, but they must be sure that their requirements and goals are not contradictory. We are developing three different products using the facilities provided by Gaudi: The Math Editor (MathEd), the System Modeling Workbench and the System Construction Workbench. • The Math Editor is an outlining editor. It can be used as a basic text editor but also as a programming editor with syntax highlighting and support for mathematical derivations. We are extending the editor to combine these two features together so it is possible to write a program and a proof that the program is correct in the same document. • The System Modeling Workbench is a collection of tools to create, analyse and verify software models. The main tool is a graphical UML editor that 39
can be extended using a profile mechanism. We are integrating many of our research ideas in this tool, including the transformation tool for UML models and the vUML project, focused on verification of Statecharts. • The System Construction Workbench is a profile for the System Modeling Workbench that provided a graphical environment to develop software using the Stepwise feature introduction method. It also has support for automatic code and unit testing generation from UML models. These three products are software development tools that are being constructed to validate and demonstrate the research carried out by the Software Construction Laboratory. The development of each product has been carried out by groups of four programmers employed during three to six months, and each product has been developed by 3-4 iterations of such projects. In addition, we have carried out a number of other one-shot projects. In total, we have now carried out 15 Gaudi projects since the start of the laboratory.
References [1] Marcus Alanen, Johan Lilius, Ivan Porres, and Dragos Truscan. Realizing a model driven engineering process. Technical Report 565, TUCS, Nov 2003. [2] Marcus Alanen and Ivan Porres. Difference and union of models. In Perdita Stevens, Jon Whittle, and Grady Booch, editors, UML 2003 - The Unified Modeling Language, volume 2863 of Lecture Notes in Computer Science, pages 2–17. Spinger-Verlag, Oct 2003. [3] Marcus Alanen and Ivan Porres. Difference and union of models. Technical Report 527, TUCS - Turku Centre for Computer Science, Apr 2003. [4] Marcus Alanen and Ivan Porres. Issues on the design of an XML-based configuration management system for model driven engineering. Technical Report 567, TUCS, Nov 2003. [5] Heikki Anttila, Ralph-Johan Back, Pekka Ketola, Katja Konkka, Jyrki Leskel¨a, and Erkki Rys¨a. Combining stepwise feature introduction with user-centric design. Technical Report 495, TUCS - Turku Centre for Computer Science, Dec 2002. [6] R.-J. Back. Software construction by stepwise feature introduction. In ZB2002: Formal Specification and Development in Z and B, volume 2272 of Lecture Notes in Computer Science. Springer, Jan 2002. [7] R.-J. Back, T. Kavander, M. Nylund, M. Peltomaki, T. Salakoski, and J. von Wright. Teaching high-school mathematics with structured derivations in hypertext format. In International Conference on Computer Systems and Technologies – CompSysTech, Sofia, Bulgaria, June 2002. 40
[8] R.-J. Back, L. Milovanov, I. Porres, and V. Preoteasa. An experiment on extreme programming and stepwise feature introduction. Technical Report 451, TUCS - Turku Centre for Computer Science, Dec 2002. [9] R.-J. Back, M. Peltomaki, T. Salakoski, and J. von Wright. Structured derivations supporting high-school mathematics. In Proceedings of the 20th Annual Symposium of the Finnish Mathematics and Science Education Research Association, Helsinki, Finland, 2004. To appear. [10] Ralph Back, Dag Bj¨orklund, Johan Lilius, Luka Milovanov, and Ivan Porres. A workbench to experiment on new model engineering applications. In Perdita Stevens, Jon Whittle, and Grady Booch, editors, UML 2003 The Unified Modeling Language, volume 2863 of Lecture Notes in Computer Science, San Francisco , CA, USA, Oct 2003. [11] Ralph-Johan Back. Software construction by stepwise feature introduction. Technical Report 496, TUCS - Turku Centre for Computer Science, 2002. [12] Ralph-Johan Back, Cristina Cerschi Seceleanu, and Jan Westerholm. Symbolic simulation of hybrid systems. In Paul Strooper and Pornsiri Muenchaisri, editors, Proceedings of the 9th Asia-Pacific Software Engineering Conference (APSEC 2002), number 1530, pages 147–155. IEEE Computer Society, Dec 2002. [13] Ralph-Johan Back, Cristina Cerschi Seceleanu, and Jan Westerholm. Symbolic simulation of hybrid systems. Technical Report 503, TUCS - Turku Centre for Computer Science, Jan 2003. [14] Ralph-Johan Back, Xiaocong Fan, and Viorel Preoteasa. Reasoning about pointers in refinement calculus. Technical Report 543, TUCS, Jul 2003. [15] Ralph-Johan Back, Xiaocong Fan, and Viorel Preoteasa. Reasoning about pointers in refinement calculus. In Proceedings of the Tenth Asia-Pacific Software Engineering Conference (APSEC’03), Dec 2003. [16] Ralph-Johan Back, Piia Hirkman, and Luka Milovanov. Evaluating the XP customer model and design by contract. Technical Report 585, TUCS, Dec 2003. [17] Ralph-Johan Back, Luka Milovanov, Ivan Porres, and Viorel Preoteasa. XP as a framework for practical software engineering experiments. In Proceedings of the Agile Processes in Software Engineering XP2002Third International Confer, May 2002. To appear. [18] Ralph-Johan Back and Viorel Preoteasa. Reasoning about recursive procedures with parameters. Technical Report 500, TUCS - Turku Centre for Computer Science, TUCS, Lemminkaisenkatu 14A, 20520 Turku, Finland, Jan 2003. [19] Ralph-Johan Back and Joakim von Wright. Compositional action system refinement. Formal Aspects of Computing, 15(2):103–117, 2003. 41
[20] R.J.R. Back and J. von Wright. Compositional action system refinement. Technical Report 464, TUCS - Turku Centre for Computer Science, Jun 2002. [21] R.J.R. Back and J. von Wright. Programming methodology. chapter Enforcing behavior with contra. Springer-Verlag, 2002. [22] Jos C.M. Baeten and Victor Bos. Formalizing programming variables in process algebra. TUCS Technical Report 493, TUCS - Turku Centre for Computer Science, Lemmink¨aisenkatu 14 A, Turku, Finland, Dec 2002. [23] Didier Bert, Jonathan Bowen, Steve King, and Marina Wald´en, editors. ZB2003: Formal Specification and Development in Z and B, number 2651 in Lecture Notes in Computer Science, Heidelberg, Germany, Jun 2003. Springer-Verlag. [24] Dag Bj¨orklund. Efficient code synthesis from synchronous dataflow graphs. In Submitted to Formal Methods and Models for Codesign (MEMOCODE’2004), 2004. [25] Dag Bj¨orklund and Johan Lilius. From UML behavioral descriptions to efficient synthesizable VHDL. In Proceedings of the 20th IEEE Norchip Conference, Nov 2002. [26] Dag Bj¨orklund and Johan Lilius. A language for multiple models of computation. In International Symposium on Hardware/Software Codesign, pages 25–30. ACM Press, May 2002. [27] Dag Bj¨orklund and Johan Lilius. Rialto to B: An exercise in formal development of a language for multiple models of computation. In Submitted to Applications of Concurrency to System Design (ACSD’04), 2004. [28] Dag Bj¨orklund, Johan Lilius, and Ivan Porres. Rialto profile in the SMW toolkit. In Proceedings of the Third International Conference on Application of Concurrency to System Design ACSD 2003. IEEE Computer Society, Jun 2003. [29] Dag Bj¨orklund, Johan Lilius, and Ivan Porres. A unified approach to code generation from behavioral diagrams. In Proceedings of the Forum on Specification and Design Languages FDL’03, Sep 2003. [30] Dag Bj?rklund, Johan Lilius, , and Ivan Porres. A unified approach to code generation from behavioral diagrams. In Christph Grimm, editor, Languages for System Specification (Selected Contributions on UML, SystemC, Sytem Verilog, Mixed-Signal Systems, and Property Specification from FDL’03. Kluwer Academic Publishers, 2004, to appear. [31] V. Bos and J.J.T. Kleijn. Formal specification and analysis of production systems. International Journal of Production Research, 40(15):3879–3894, Oct 2002. 42
[32] Victor Bos and Jeroen J.T. Kleijn. Redesign of a systems engineering language. In Gerald Luettgen, Michael Mendler, and Florence Maraninchi, editors, Semantic Foundations of Engineering Design Languages (SFEDL’02), pages 100–118, Grenoble, France, Apr 2002. [33] Victor Bos and Jeroen Klein. Redesign of a systems engineering language - formalisation of chi. Formal Aspects of Computing, 15(4):370–389, Dec 2003. [34] Pontus Bostr¨om and Marina Wald´en. A case study: Implementation of control systems using b-action systems. In K. Sere and M. Wald´en, editors, Proceedings of the 15th Nordic Workshop on Programming Theory, number 34 in Ser. B,, pages 51–53, Oct 2003. [35] Pontus Bostrom and Marina Walden. Implementation of control systems using b action systems: a case study. Technical report, TUCS - Turku Centre for Computer Science, Dec 2003. Submitted for publication. [36] Orieta Celiku and Annabel McIver. Cost-based analysis of probabilistic programs mechanised in hol. In Proc. 15th Nordic Workshop in Programming Theory, Turku, Finland, October 2003. Springer-Verlag. Submitted for publication. [37] Orieta Celiku and Joakim von Wright. Theorem prover support for precondition and correctness calculation. In C. George and H. Miao, editors, 4th International Conference on Formal Engineering Methods, volume 2495 of Lecture Notes in Computer Science, pages 299–310. Springer-Verlag, Oct 2002. [38] Orieta Celiku and Joakim von Wright. Correctness and refinement of dually nondeterministic programs. Technical Report 516, TUCS - Turku Centre for Computer Science, Mar 2003. [39] Orieta Celiku and Joakim von Wright. Implementing angelic nondeterminism. In 10th Asia-Pacific Software Engineering Conference (APSEC 2003), 10-12 December 2003, Chiang Mai, Thailand. IEEE Computer Society, Dec 2003. [40] Cristina Cerschi Seceleanu and Tiberiu Seceleanu. On designing for modularity. Technical Report 534, TUCS - Turku Centre for Computer Science, 2003. [41] Henrik Enqvist and Johan Lilius. Region based allocation in java. Technical Report 510, TUCS - Turku Centre for Computer Science, Aug 2003. [42] Jo?o M. M. Fernandes and Johan Lilius. Functional and object-oriented views in embedded software modeling. In 11th IEEE International Conference and Workshop on the Engineering of Computer-Based Systems (ECBS 2004), May 2004, to appear. 43
[43] Jo˘ao M. Fernandes. Functional and object-oriented modeling of embedded software. Technical Report 512, TUCS - Turku Centre for Computer Science, Feb 2003. [44] Joakim Isaksson, Dragos Truscan, and Johan Lilius. A MOF-based metamodel for SA/RT. Technical Report 555, TUCS, Sep 2003. [45] Linas Laibinis and Elena Troubitsyna. Refinement of fault tolerant control systems in b. Technical report, TUCS - Turku Centre for Computer Science, Dec 2003. Submitted for publication. [46] Johan Lilius, Felice Balarin, and Ricardo J. Machado, editors. Third International Conference on Application of Concurrency to System Design (ACSD’03). IEEE Computer Society, 2003. [47] Johan Lilius and Dragos Truscan. UML-driven TTA-based protocol processor design. In Proceedings of the 2002 Forum on Design and Specification Languages, Sep 2002. [48] Johan Lilius and Dragos Truscan. UML-driven TTA-based protocol processor design. Technical Report 518, TUCS - Turku Centre for Computer Science, Apr 2003. [49] Johan Lilius, Dragos Truscan, and Seppo Virtanen. Fast evaluation of protocol processor architectures for IPv6 routing. In Proceedings of Design, Automation, and Test in Europe 2003 (DATE’03), volume Designer’s Forum. IEEE Computer Society, Mar 2003. ¨ [50] Dan Osterberg and Johan Lilius. Rethinking software updating; concepts for improved updatability. Technical Report 550, TUCS, Sep 2003. ¨ [51] Dan Osterberg and Johan Lilius. The uva virtual machine. Technical Report 551, TUCS, Sep 2003. [52] Luigia Petre. Control systems development a case study. In Jan Jurjens, Maria Victoria Cengarle, Eduardo B. Fernandez, Bernhard Rumpe, and Robert Sandner, editors, Critical Systems Development with UML - Proceedings of the UML’02 Workshop, pages 171–180. Technische Universitat Munchen, Sep 2002. [53] Luigia Petre, Elena Troubitsyna, and Marina Wald´en. A healthcare case study. In M. Butler and T. Muntean, editors, Proceedings of RCS - International Workshop on Refinement of Critical Systems: Methods, Tools and Experience, http://www.esil.univ-mrs.fr/˜spc/rcs02/rcs02.html, Jan 2002. (Electronical proceedings). [54] Juha Plosila and Tiberiu Seceleanu. Specification of an asynchronous onchip bus. In Chris George and Huaikou Miao, editors, Formal Methods and Software Engineering, volume 2495 of LNCS, pages 383–395. Springer, Oct 2002. 44
[55] Juha Plosila and Tiberiu Seceleanu. Specification of an asynchronous onchip bus. Technical Report 461, TUCS - Turku Centre for Computer Science, 2002. [56] Juha Plosila, Tiberiu Seceleanu, and Kaisa Sere. Formal communication modelling and refinement. In J. Nurmi, H. Tenhunen, J. Isoaho, and A. Jantsch, editors, Interconnet centric design for advanced SoC and NoC. Kluwer, 2004. To appear. [57] Juha Plosila, Kaisa Sere, and Marina Wald´en. Design with asynchronously communicating components. In Frank S. de Boer, Marcello M. Bonsangue, Susanne Graf, and Willem-Paul de Roever, editors, FMCO 2002: First International Symposium on Formal Methods for Components and Objects, number 2852 in Lecture Notes in Computer Science, pages 424–442. Springer-Verlag, 2003. [58] Ivan Porres. A framework for model transformations. In Proc. of WITUML 02: Workshop on Integration and Transformation of UML models, Jul 2002. [59] Ivan Porres. Model refactorings as rule-based update transformations. In Perdita Stevens, Jon Whittle, and Grady Booch, editors, UML 2003 - The Unified Modeling Language, 6th International Conference, volume 2863 of Lecture Notes in Computer Science, San Francisco , CA, USA, Oct 2003. Springer. [60] Ivan Porres. Model refactorings as rule-based update transformations. Technical Report 525, TUCS - Turku Centre for Computer Science, Apr 2003. [61] Ivan Porres. A toolkit for model manipulation. Springer International Journal on Software and Systems Modeling, 2(4), 2003. [62] Ivan Porres and Marcus Alanen. Generic deep copy algorithm for MOF-based models. In Arend Rensink, editor, Model Driven Architecture:, pages 49–60. University of Twente, Jul 2003. http://trese.cs.utwente.nl/mdafa2003. [63] Mauno R¨onkk¨o, Anders P. Ravn, and Kaisa Sere. Hybrid action systems. Theoretical Computer Science, 1(290):937–973, Dec 2002. [64] Rimvydas Ruksenas. Component-oriented development of action systems. Technical Report 544, TUCS, Jul 2003. [65] Rimvydas Ruksenas. Formal development of concurrent components. Technical Report xx, TUCS - Turku Centre for Computer Science, Dec 2003. Thesis under evaluation. [66] Rimvydas Ruksenas. A rigorous environment for component-oriented development of action systems. Technical report, TUCS - Turku Centre for Computer Science, Dec 2003. Submitted for publication. 45
[67] Tiberiu Seceleanu and Juha Plosila. Constituent elements of a correntnesspreserving uml design approach. In International Conference on Integrated Formal Methods (IFM2004), Lecture Notes in Computer Science. Spriger Verlag, Apr 2004. To appear. [68] Tiberiu Seceleanu, Juha Plosila, and Pasi Liljeberg. On-chip segmented bus: A self timed approach. In P.R. Mukund, J. Chickanosky, and R.K. Krishnamurthy, editors, 15th Annual IEEE International ASIC/SOC Conference, pages 216–221, Sep 2002. [69] Tiberiu Seceleanu, Juha Plosila, and Pasi Liljeberg. On-chip segmented bus: A self timed approach. Technical Report 462, TUCS - Turku Centre for Computer Science, 2002. [70] Tiberiu Seceleanu and Tomi Westerlund. Segment arbiter as action systems. In Proceedings of IEEE International Symposium on Signals, Circuits & System, SCS, volume 1, pages 249–252. IEEE, Jul 2003. [71] Tiberiu Seceleanu and Tomi Westerlund. Aspects of formal and graphical design of a bus system. In Design Automation and Test in Europe Conference, Feb 2004. [72] Kaisa Sere and Marina Wald´en, editors. Proceedings of the 15th Nordic Workshop on Programming Theory (NWPT’03), number 34 in ˚ Abo Akademi, Reports on Computer Science and Mathematics, Oct 2003. [73] Colin Snook, Leonidas Tsiopoulos, and Marina Wald´en. A case study in requirement analysis of control systems using UML and b. In Traian Muntean and Kaisa Sere, editors, Proceedings of RCS’03 - International workshop on Refinement of Critical Systems: Methods, Tools and Experience, http://www.esil.univ-mrs.fr/%7Espc/rcs03/rcs03.html, Jun 2003. Electronic proceedings. [74] Colin Snook, Leonidas Tsiopoulos, and Marina Wald´en. A case study in requirement analysis of control systems using UML and b. Technical Report 533, TUCS - Turku Centre for Computer Science, Jun 2003. [75] Colin Snook and Marina Wald´en. Use of U2B for specifying b action systems. In M. Butler and T. Muntean, editors, Proceedings of RCS - International Workshop on Refinement of Critical Systems: Methods, Tools and Experience, http://www.esil.univ-mrs.fr/˜spc/rcs02/rcs02.html, Jan 2002. (Electronical proceedings). [76] Elena Troubitsyna. Developing fault-tolerant control systems composed of self-checking components in the action systems formalism. In H.D. Van and Z. Liu, editors, Proceedings of the Workshop on Formal Aspects of Component Software FACS’03, Pisa, Italy, Sep 2003. [77] Elena Troubitsyna. Developing fault tolerant software using statecharts and FMEA. In N.C. Debnath, G. A. Montejano, and D.E. Riesco, editors, 46
Proceedings of the International Conference on Computer Science, Software Engineering, Information Technology, e-Business, and applications (CSITeA 03), Rio de Janeiro, Brazil, pages 27–33, Jun 2003. [78] Elena Troubitsyna. A formal approach to fault tolerance in parallel systems. Technical report, TUCS - Turku Centre for Computer Science, Dec 2003. Submitted for publication. [79] Elena Troubitsyna. Integrating safety analysis into formal specification of dependable systems. In Proceedings of Annual IEEE Workshop on FaultTolerant Parallel and Distributed Systems. Nice, France, Apr 2003. [80] Elena Troubitsyna. Linking safety analysis and use cases. Technical report, TUCS - Turku Centre for Computer Science, Dec 2003. Submitted for publication. [81] Elena Troubitsyna and Marina Walden. Formal development of dependable systems with uml support. Technical report, TUCS - Turku Centre for Computer Science, Dec 2003. Submitted for publication. [82] Dragos Truscan, Jo?o M. Fernandes, and Johan Lilius. Tool support for uml-dfd model-based transformations. In 11th IEEE International Conference and Workshop on the Engineering of Computer-Based Systems (ECBS 2004), May 2004, to appear. [83] Dragos Truscan, Jo˘ao Miguel Fernandes, and Johan Lilius. Tool support for DFD to UML model-based transformations. Technical Report 519, TUCS - Turku Centre for Computer Science, Apr 2003. [84] Dragos Truscan, Seppo Virtanen, and Johan Lilius. SystemC simulation framework of protocol processing architectures for IPv6 routing. In The International Symposium on Signals, Circuits and Systems SCS 2003, pages 309–312, Jul 2003. [85] Seppo Virtanen, Tomas Lundstr¨om, and Johan Lilius. A design tool for the TACO protocol processor development framework. In Proceedings of the 20th IEEE Norchip Conference, pages 177–182, Nov 2002. [86] Seppo Virtanen, Tero Nurmi, Jani Paakkulainen, and Johan Lilius. A system-level framework for designing and evaluating protocol processor architectures. International Journal of Embedded Systems: Special Issue on Hardware-Software Codesign for SoC, 2004, to appear. [87] Seppo Virtanen, Jani Paakkulainen, Tero Nurmi, and Jouni Isoaho. NoC interface for a protocol processor. In Proceedings of the 21st IEEE NORCHIP Conference, pages 31–34, Riga, Latvia, Nov 2003. [88] Seppo Virtanen, Dragos Truscan, and Johan Lilius. TACO IPv6 router a case study in protocol processor design. Technical Report 528, TUCS Turku Centre for Computer Science, Apr 2003. 47
[89] Joakim von Wright. From kleene algebra to refinement algebra. In E. Boiten and B. M¨oller, editors, Mathematics of Program Construction (MPC’02), volume 2386 of Lecture Notes in Computer Science, pages 233– 262. Springer-Verlag, 2002. [90] Joakim von Wright. Towards a refinement algebra. Science of Computer Programming, 2004. accepted for publication. [91] Tomi Westerlund and Tiberiu Seceleanu. Formal analysis of a local segmented bus arbiter. In Proceedings of the 21st NORCHIP Conference, pages 268–271, Nov 2003. [92] Lu Yan, Jincheng Ni, and Kaisa Sere. Towards a systematic design for ad hoc network applications. In K. Sere and M. Wald´en, editors, Proceedings of the 15th Nordic Workshop on Programming Theory, number 34 in Ser. B, Oct 2003. [93] Lu Yan and Jingcheng Ni. Building a formal framework for mobile ad hoc computing. In International Conference on Computational Science (ICCS 2004), Lecture Notes in Computer Science. Springer-Verlag, Jun 2004. To appear. [94] Lu Yan and Kaisa Sere. Developing peer-to-peer systems with formal and informal methods. In Traian Muntean and Kaisa Sere, editors, Proceedings of RCS’03: 2nd International Workshop on Refinement of Critical Systems: Methods, Tools and Developments, Jun 2003. [95] Lu Yan and Kaisa Sere. Stepwise development of peer-to-peer systems. In Electronic Workshops in Computing (eWiC), editor, Proceedings of the 6th International Workshop in Formal Methods (IWFM’03). British Computer Society (BCS), Jul 2003. [96] Lu Yan and Kaisa Sere. Stepwise development of peer-to-peer systems. Technical Report 522, TUCS - Turku Centre for Computer Science, Mar 2003. [97] Lu Yan, Kaisa Sere, and Xinrong Zhou. Peer-to-peer networking with firewalls. WSEAS Transactions on Computers, 2:566 – 571, Jul 2003. [98] Lu Yan, Kaisa Sere, and Xinrong Zhou. Peer-to-peer networking with firewalls. Technical Report 554, TUCS, 2003. [99] Lu Yan, Kaisa Sere, Xinrong Zhow, and Jun Pang. Towards an integrated architecture for peer-to-peer and ad hoc overlay network applications. In 10th IEEE International Workshop on Future Trends in Distributed Computing Systems - FTDCS 2004. IEEE Computer Society, May 2004. To appear. [100] Mingsheng Ying. Reasoning about probabilistic sequential programs in a probabilistic logic. Technical Report 448, TUCS - Turku Centre for Computer Science, 2002. 48
A
Formal Methods in Programming Research Plan 2002–2007
Centre of Excellence application for
Formal Methods in Programming Leader: Ralph-Johan Back Address: Turku Centre for Computer Science (TUCS) Lemminkainenkatu 14, FIN -20520 Turku, Finland tel. +358-2-2154382, fax: + 358-2-2410154, e-mail: backrj@ abo.fi home page: www.abo.fi/˜backrj, TUCS web page: www.tucs.fi
Research plan 2002–2007 The Programming Methods Research Group is one of three largest research groups at TUCS (Turku Centre for Computer Science), with the majority of the researchers coming from the Department of Computer Science at ˚ Abo Akademi. The proposed Center for Formal Methods in Programming would be built around this group. The research leaders in this group are • Ralph-Johan Back, professor of Computer Science, director of TUCS • Johan Lilius, professor of Computer Engineering • Kaisa Sere, professor of Computer Engineering, and • Joakim von Wright, professor of Computer Science. Each research leader has an own research group, but there is also extensive cooperation between the groups. A number of Ph.D. students are supervised jointly by two research leaders. Presently the group has around 15 Ph.D. level researchers and 15 Ph.D. students. It has produced 11 Ph.D. degrees in the last three years. Research area Programming software systems is an activity that has emerged with the advent of computers, requiring skills and techniques that have not been needed earlier. It has also become painfully clear that programming is a very difficult task, for many reasons. Constructing programs in new application areas requires deep insight and skill, and many technological problems have to be solved. Programming is also very error prone, and much time is spent today on finding errors and mistakes in software that almost work. Finally, software systems are often very large, some of them count among the largest and most complex artifacts produced by humans. The sheer size of programs requires new techniques for mastering this added dimension of complexity. There is an 49
urgent need for efficient and systematic programming methods , and for computerized tools to support these methods in order to make the construction of large, reliable software systems feasible. Programming today is more craft than science, and is characterized by large variety in programmer skills. The quality of software is generally acknowledged to be low, and the explosive growth in demand for software that has taken place during the last decades has not helped to improve the quality. Research on finding a more solid, mathematical foundation for programming has gone on for at least thirty years now, and is slowly getting more mature. The term formal methods is used as a catchword for this research, to describe the use of rigorous mathematical and logical reasoning in software construction. Much of the mathematics needed in this research is relatively new, developed in the 20’th century, and is discrete rather than continuous in nature. Formal methods provide the foundations on which one can build computer supported tools that make programming more efficient and the resulting programs more reliable. At the same time, they increase our understanding of how software systems work, and provide guidelines for how to structure the software construction process. The research in our group is focused on the following basic aspects of programming technology: • theoretical foundations of programming languages and programming methods, • extending formal methods to new application areas, • building computer supported tools for formal methods, • studying the use of formal methods in the software construction process as a whole, and • case studies on how to apply formal methods. We will below ellaborate on these research themes, giving some background for our research, describe the present research topics, and what we plan for the period 2002–2007. The list of publications of the group for the period 1995–2000 is given in the References section. 2 Foundations of programming The driving force behind our research is the need to understand and develop both traditional and new methods for software construction, by studying the mathematical and logical foundations for programs and program construction. The research is to a large extent based on the refinement calculus, originally invented by Back in his Ph.D. thesis in 1978. The calculus provides a framework for the stepwise and systematic construction of mathematically correct programs from initial high-level specifications. It is based on higher order logic and lattice theory, and can be seen as an extension 2 Following the guidelines for the application, we only give references to publications in the period 1995–2000. We also do not give detailed credits to all those participating in the research projects, but usually only refer to the research groups.
50
of traditional set theory to an algebraic theory of programs. Refinement calculus is a further development of the predicate transformer approach to proving program correctness that was introduced by Dijkstra in 1976. Back and Sere started to work on the application of the refinement calculus to distributed system construction in the late 80’s. At the same time Back and von Wright started to work on the mathematical and logical basis for the refinement calculus, basing it on higher order logic and lattice theory, instead of the previous infinitary logic formalization. Sere and von Wright completed their Ph.D. thesis on the refinement calculus in 1990. Other researchers also became interested in the refinement calculus in late 80’s. Morgan published a very influential textbook on the refinement calculus in 1990. A large number of papers have now been published on the calculus and its application to different aspects of programming, by many researchers around the world. International workshops are organized on this theme regularly and a substantial number of papers on this topic appears in journals and conferences each year. Our research group is one of the leading centers for research in this area (two other strong research centers are Oxford University and University of Queensland). Much of our recent work on the foundations of programming has centered around two book projects by Back and von Wright. The first book has recently appeared as a Graduate Text in Computer Science, published by Springer Verlag [14]. It presents the mathematical and logical foundations of the calculus and is mainly concerned with so called algorithmic refinement. This book provided the opportunity to collect together different studies in the calculus into a unified framework, and to present this material in a systematic manner. The second book in this series will cover the application of the refinement calculus to the construction of large, modularly structured programs. The central technique used here is data refinement, a method for changing the internal data representation in a program unit. The foundational research needed for the book project has given rise to a large number of new and interesting theoretical questions, which will keep us busy for a long time. Examples of topics that we have arisen from the book project are the notion of categorical products and sums in the refinement calculus [3], how iteration algebra can be used for reasoning about programs [15] and how reasoning strategies for programs can be applied to two-person games [13]. The present research on the refinement calculus is based on a notion of contracts, introduced by Back and von Wright as a general model for software (and hardware) systems [8, 16, 18]. A software system is seen as a collection of agents that operate on a common state, and try to achieve their (possibly conflicting) goals. The interaction between the agents is regulated by a contract, which is executed jointly by the agents. The contracts state what the agents are permitted to do and what they are expected to do. The agents can choose freely among their available options when carrying out the contract. Game theoretic notions can then be used to determine under which conditions a certain goal can be achieved by a certain coalition of agents. It turns out that these questions can be formulated and answered in the refinement calculus in a very natural way. 51
The notion of contracts has turned out to be very fruitful. It has, e.g., provided a simple unification of two different programming paradigms, concurrency (used to model reactive, parallel and distributed systems), and interactivity (used to model event driven systems, graphical user interfaces etc.). This research on using the contract approach to model interactive systems will continue, and we expect it to have a large number of application in modeling different kinds of software systems. The research done on the foundations of programming is very much basic research, and it is difficult to predict exactly what topics will be central in the next seven years. In general, the foundations research has worked in a feed-back loop with the other areas of formal methods research, looking at problems generated when extending formal methods to new application areas, when building computer supported tools and when doing case studies, and generating models and results that have been tried out in these areas. Topics which for the moment seem to generate a lot of new and interesting foundational problems are object-oriented programming, hybrid systems and modularization of software systems. Extending formal methods New programming applications arise from time to time, which require new insights and come with a whole new set of concepts and problems. The application of formal methods to system construction in these new application areas has been one of the main focus in our research. The action systems, originally invented by Back and Kurki-Suonio in 1982, have proved to be very useful for modeling a number of new application areas. Action systems were originally developed as a model for concurrent programs and distributed computer systems. This kind of systems are notoriously difficult to program, because of the many and often surprising interactions that can take place between the processes involved. Distributed systems are also very hard to test, because errors are hard to replicate. The basic idea behind action systems is to describe a distributed computer system in terms of the possible actions that can take place during the life time of the system. This is a simplification of traditional models based on communicating processes, but it pays off in that the correctness of such systems is more easy to analyze, and the systems are easier to synthesize using systematic stepwise refinement methods. Similar approaches to modeling distributed systems have later been developed by Chandy and Misra (UNITY) and Lamport (TLA). The original action system paradigm used temporal logic as the underlying logic. Subsequent work by Back, Sere and von Wright lead to an alternative formalization of action systems within the logical framework of the refinement calculus. This provided a powerful method for the specification and systematic construction of distributed systems [11, 12, 44, 46, 19]. Both formalizations allow the correctness of action systems to be established by mathematical proofs rather than by testing. The action system approach has more recently been extended to a number of other application areas, such as constructing real-time and embedded systems [23, 43], by Sere and Sekerinski, in co-operation with Anders Ravns group at the Technical University of Denmark and Carroll Morgans group at Oxford Univer52
sity. Elena Tributsina published her Ph.D. thesis on this topic in 2000. Reverse engineering [47] and the general problem of co-ordination among independent agents [24, 25] are two other research areas where Sere’s group is now working quite actively, in the latter case in co-operation with Joost Kok’s group at the University of Leiden. We have also studied hybrid systems, where continuous behavior is managed by discrete controlling systems. Work in this area has been carried out by Back and Sere, and has resulted in two different ways of describing hybrid systems as action systems [43, 42]. These models have different properties, and are suitable for different areas of application. The work on hybrid systems has also provided inspiration for more foundational work in the refinement calculus, involving studies of transfinite iteration that is needed in connection with Zenolike behavior in the hybrid system models. A promising application area for the action system paradigm is hardware construction, in particular the design of asynchronous VLSI circuits. These circuits have a number of advantages as compared to traditional synchronous VLSI circuits, such as higher speed and lower power consumption, but they are considered to be more difficult to design than the traditional synchronous (clock-based) circuits. Research on this topic was started by Back and Sere in 1992, in co-operation with Caltech in Pasadena (Alain Martin’s group) and the Electronics Department of University of Turku [7, 41]. Juha Plosila published his PhD thesis on this topic 1999. Currently, the research is carried out mainly in Sere’s group. The methodology is extended to synchronous circuits, to allow mixed-architecture design where part of a system can be synchronous and part of it asynchronous. The group is currently a member of the ACiD-WG working group on asynchronous design which gathers most of the European research laboratories and industries interested in asynchronous circuits. The working group has funding from the European union FP5 for the years 2000-2005. Within the Asynchronous Design of DSP architectures project (2000–2002), funded by the Academy of Finland, the group is looking into the development of digital signal processor architectures within the formal asynchronous world. The future plans in this area are to further strengthen the methodologies as well as industrialise them, to tie them more closely to component-based design techniques for larger system-on-chip designs and to build tool support for this. The group is using the refinement calculator in this context, as well as some VHDL tools and the tools of the B Method for circuit design. Another central research topic has been the extension of the action system framework to support object-oriented design and object-oriented programming, which has been one of the main research topics in Back’s group. Many of the basic notions involved in this programming paradigm have been recently formalized in the refinement calculus. The group has been particularly concerned with basic aspects of object oriented programming, such as methods for designing and documenting reliable class libraries [37, 38]. They have studied the problem of how to specify classes in a class library without revealing the full code of the class, and what kind of extension mechanisms for classes are safe. Anna Mikhajlov and Leonid Mikhajlova published their thesis on this topic, both in 1999. Another topic has been to apply action systems to model ac53
tive objects [4, 21].Component software [3] and design patterns are examples of two new emerging programming paradigms arising within the object oriented programming community that the group is now studying, together with object oriented design methods in general. Martin Buchi’s Ph.D. thesis in 2000 was on this topic. As a further development, and as a spin-off of work carried out in the Socos project (described later), Back is now starting a study in software architecture, in cooperation with prof. Kai Koskimies, at Tampere University of Technology. The topic here is the construction of software in thin hierarchical layers, where each layer introduces one feature of the software at a time. We are studying the software architecture issues that arise from this, in particular the question of how to add a new feature to a collection of classes in such a way that the features already provided by these classes are not compromised. The software construction process that goes on in the Socos project is used as an experimental framework for trying out new architectural ideas. Computer supported tools The use of formal methods for checking correctness of software/hardware systems, as well as for constructing such systems in a systematic fashion that guarantees that no error are introduces, generates large numbers of mathematical propositions that need to be checked for correctness. There are essentially two kinds of mechanized formal tools for proving these propositions: interactive tools (theorem provers), in which the user interacts with a proof engine, and fully automatic tools (such as model checkers), where no user interaction is needed. The first approach can be used for any kind of mathematical theorem, but requires much human effort, while the second one is essentially restricted to finite state systems, but lets the machine do all the work. We are studying both approaches to the analysis of program correctness in our laboratory. Because the number of theorems that are generated when applying formal methods to program construction can be quite large (thousands of theorems already for rather small software systems), computer-supported tools for proving these theorems are essential. Computer support for program derivation and proofs of mathematical propositions is also an extensively investigated topic at our laboratory. The main emphasis is on interactive theorem proving based on higher order logic (primarily using the Cambridge HOL system). The HOL system has traditionally been used for verifying correctness of hardware design, but we have shown how the system can also be used for the verification of programming theories and the construction of correct software. Part of the research at the laboratory has been aimed at analyzing and extending the logical power of the HOL system [50] and using the logic as a tool for modeling different reasoning and programming formalisms [27, 51]. The refinement calculator tool is a large extension to the HOL system that has been developed in von Wright’s group, based on the formalization of the refinement calculus done by Back and von Wright [22, 29]. It supports program derivations in the refinement calculus using an extension of the window inference method. This allows large proofs and derivations to be handled by a mechanism for focusing in and out of proofs in a consistent manner. Linas Laibinis and 54
Thomas L¨engbacka published their Ph.D. thesis on this topic. The basis of this tool is itself a major verification effort: a machine-checked theory of program refinement, embedded in the logic of the HOL system. The group has had extensive cooperation on theorem proving and its applications with the groups of Prof. Michael Gordon at the University of Cambridge and of Prof. Tom Melham at the University of Glasgow. A recent outgrowth of the research on formalizing the refinement calculus within higher order logic is the application of program derivation methods to traditional mathematical reasoning which has been carried out by Back and von Wright. In particular, they have developed a systematic and structured way of finding and presenting mathematical proofs and derivations [6, 17], which can be used for high-school mathematics, requiring the addition of only a small amount of logic to the traditional mathematics curriculum. This work is an extension of previous work on applying formal methods to mathematics initiated by Dijkstra. Another research direction in mechanical verification in our laboratory is model checking. This topic has been particulary studied by Lilius group. Using this enumerative approach a property of the system can be checked automatically. The challenge is how to deal with large number of states in realistic systems, especially if the system models contain timing information. The research has therefore focused on the problem of applying partial-order based reduction techniques to model-checking timed system models [1, 30, 31, 20]. These results are currently being implemented in the form of the Analyzer Component Framework, an object-oriented framework that will allow the easy integration of model checking into other tools. Our research has shown that it is feasible to use computer supported proof tools in the programming process. Future efforts will concentrate on developing more advanced computer supported formal tools that are able to handle the various programming paradigms that we are studying. Parallel to this, our research on theorem proving methods is aimed at providing support for different styles of reasoning that fit different programming paradigms and different application areas. Another important topic is the integration of formal tools with traditional software engineering tools, so that users can use theorem proving and model checking side by side with other methods in large-scale software developments. Software process The construction of software usually follows a certain progression, referred to as the software process. Several models for the software process have been proposed and are in use today. The process is in general divided into a number of phases, where each phase comes with its own activities and design documents that need to be produced. Even though research on the software engineering process has been around for a few decades, this is still an intensive research area. New paradigms like object-oriented analysis, design and programming, component-based software architectures, methods for embedded systems construction, as well as new methods for constructing Internet-based client-server applications, all require their own (adaptation of the) software process. Moreover, the use of formal methods has not been well integrated into these models in spite of their potential for producing high-quality software. 55
Sere started to work on integrating formal methods with the software process as a study in formal system specification, integrating action systems and the Z specification method with the more informal E-R diagrams, dataflow diagrams, and the OMT method of Rumbaugh. Virpi Kasurinen published her thesis on this topic in 1999. Lately, as UML became the de facto standard in this area, these efforts have turned in integrating formal methods and different UML-based approaches as well as providing tool support for this integration. UML (the Unified Modeling Language) puts together a basic set of diagrams and graphical notation for describing different aspects of software systems, and provides methods supporting the use of the diagrams in system analysis and design. UML is unified in the sense that it provides diagrams for describing all aspects of the software process from requirements to final deployment. What the UML is lacking is mathematical rigor, which makes it difficult to reason about UML diagrams. Sere’s group has concentrated on the use of different UML-diagrams as a way to structure action system specifications especially when designing control systems. Moreover, the diagrams are used to give insight into the refinement steps and inspiration for further refinements. Presently her group is working on methods to integrate action systems and UML techniques when developing system specifications. This research will be partly carried out in the IST Framework V project Matisse (Methodologies and Technologies for Industrial Stength System Engineering) during the years 2000–2002. The Socos research project, funded by the Academy of Finland (2000–2002), is another project that studies UML, started by Back and Lilius. This project aims at developing a new description language for software systems which takes UML as its basis. The language will combine the flexibility and versatility of UML with the precision and expressiveness of programming and specification languages. In a first step towards this goal, the group has started formalizing parts of the UML notation. The main emphasis has been on one hand on UML Use cases [10], on the other hand on the behavioral parts such as State charts and Sequence diagrams [32, 33, 34, 35]. In parallel with these tasks we have also started building a tool that currently includes a UML drawing editor, an outlining editor, and a model-checker for UML statecharts. We plan to use the outlining editor as the central user-interface component of the tool. The idea is to produce templates for different task in the software development process, such as templates for class outlines, the final goal being a set of templates for all the artifacts in a software process. In the future we continue our work on the formalization of UML, and integrate the analysis methods we develop into the tool. The integration of formal methods in different phases of the process will change the way we think about it today. The use of these methods is expected to produce error-free code, thus shifting the emphasis and work load from testing towards earlier phases like specification, analysis and design. Hence, ideally, we can vision a process where unit testing is missing. Moreover, as formal methods provide precise specifications for systems and software and the refinement procedure preserves the requirements captured in the specifications, this will aid in the validation task. These are only two points where we can see a 56
direct positive and cost-effective consequence in integrating formal methods in the software process. Our plan for the years 2002–2007 is to develop techniques and tools for this integration and propose alternative software process models where reliability and quality of software does not rely only on testing, but on the standard, every day use of formal design techniques and mathematical analysis of the properties of the system under construction.
Case studies Sere’s group has carried out a number of case studies on the application of formal methods to systems specification of conventional information systems, distributed networks, safety-critical control and embedded systems, etc. The emphasize has been on using the Z specification method [26], the action system formalism and the B-Method [49]. The use of the B Method, in combination with the action system paradigm, has proved to be effective. It extends the applicability of the B-Method to specification of distributed systems, and the tools associated with the B-Method can be used to structure the derivation and to verify properties of the specification mechanically. A book edited by Sere and Sekerinski that reports on these case studies, published by Springer Verlag, appeared in 1998 [45]. Marina Wald´en published her PhD thesis on this topic in 1998. In parallel with the research on UML, Lilius’ group has already done two case studies using UML [39, 40], that were testbeds for analysis methods and tools built in the Socos project. They are currently working on several other case studies that are planned to be incorporate into a monograph. In the future the group plans to cooperate more closely with industry on case studies, for two reasons. First to test the tools on large industrial cases studies, and secondly to understand better how the tool support for informal and formal reasoning should be integrated to be more user-friendly. We hope to increase the number of case studies in formal programming methods quite substantially. This requires a stronger co-operation with industry than what has been possible until now. Currently, Sere’s group is working with a number of industrial case studies within the IST Framework V Matisse project, where formal development techniques and tools combined with standard industrial processes are used to design systems within three industries, the smart card industry, the railway signalling systems industry, and the pharmaceutic industry. We have especially identified a method where the specification is created stepwise in a layered manner [23]. This project will run during the years 2000–2002. As explained under that software process research we need to find ways to incorporate formal methods more tightly into the entire software life cycle and the informal methods mainly applied in the industry. The adaptation of formal methods by software industry has been hampered by the lack of good tools to support these methods (together with training in using the formal methods themselves). However, the industry is now recruiting people in this area at an increasing rate, and the use of formal methods is already becoming quite popular in hardware design. We hope to see a similar expansion of formal methods also in software design in the coming years. 57
Research education The Ph.D. education is planned to be carried on as before, within the TUCS Graduate School. TUCS offers a large number of courses for Ph.D. students, as well as secure funding for at least 4 years of full-time Ph.D. studies. We have regularly seminars and courses intended for all members of the group. Supervision is usually carried out by writing papers in small groups, consisting of a research leader, one or two Ph.D. students and a postdoc student. We have during the last three years had an average of 3–4 Ph.D. degrees per year. We expect this to increase somewhat. In addition, we also plan to expand the enrollment of post doctoral students , so that we would have at least four post docs at the same time for the planned period. Our research groups are very international, with presently some 80% of the students coming from abroad. We also have an extensive post doctoral program, with 2–4 postdocs staying by us at each time, each for a period of half a year to two years. The experience from this post doctoral program has been very positive. The net of our former post docs is now quite extensive, and we have very much cooperation with them also after they have left us to continue in their carrier. This is clearly visible in the reference list, where a large number of the publications are co-authored by former postdoctoral students in our groups: Joost Kok (Leiden U.), Michael Butler (Southampton U.), Qiwen Xu (UNU U. Macao), Hong Shen (Griffiths U.), Jim Grundy (Intel Research), John Harrison (Intel Research), Emil Sekerinski (MacMasters’ U.), Wolfgan Weck (Oberon Microsystems, Zurich), Xuangdon Li(Nanking U.). Some of our recent Ph.D.s are also now working as post docs in our former post docs groups.
Other support The research of the Programming Technology Laboratory is supported by the Ministry of Education, in the form of Ph.D. student positions. We expect that the research will also be funded, as before, by separate projects grants from the Academy of Finland for basic research and from TEKES for applied research. Direct support from the industry is also possible.
References [1] T. Aura and J. Lilius. A Causal Semantics for Time Petri Nets. Theoretical Computer Science, 243(2):409–447, 2000. [2] T. Aura and J. Lilius. Time processes for time nets. In P. Az´ema and G. Balbo, editors, Application and Theory of Petri Nets 1997, volume 1248 of Lecture Notes in Computer Science, pages 138–155. Springer-Verlag, 1997. [3] R.J. Back and M. Butler. Fusion and simultaneous execution in the Refinement Calculus. Acta Informatica, 35, vol. 11, 921-949, 1998. 58
[4] R.J. Back, M. B¨ uchi, and E. Sekerinski. Action-based concurrency and synchronization for objects. In Proc. 4th AMAST Workshop on Real-Time Systems, Concurrent, and Distributed Software. Springer–Verlag, May 1997. [5] R. J. Back and M. B¨ uchi. Compositional Symmetric Sharing in B. In Proc. Formal Methods 99, volume 1709 of Lecture Notes in Computer Science, Toulouse, France, September 1999, pp. 1460-1476. Springer–Verlag. [6] R.J. Back, J. Grundy, and J. von Wright. Structured calculational proof. Formal Aspects of Computing, 9:469–483, 1997. [7] R.J. Back, A.J. Martin, and K. Sere. Specifying the Caltech asynchronous microprocessor. Science of Computer Programming, 26:79–97, 1996. [8] R. J. Back, A. Mikhajlova, and J. von Wright. Reasoning about interactive systems. In Proc. Formal Methods 99, volume 1709 of Lecture Notes in Computer Science, Toulouse, France, September 1999. Springer–Verlag. [9] R.J. Back, A. Mikhajlova, and J. von Wright. Class Refinement as Semantics of Correct Object Substitutability . Formal Aspects of Computing, to appear. [10] R. J. Back, L. Petre and I. Porres-Paltor. Analuyzing UML Use Cases as Contracts. In R. France and B. Rumpe (eds.) UML’99- Second International Conference on the Unified Modeling Language, vol 1723 of Lecture Notes in Computer Science, pp. 518- 533, Springer-Verlag, 1999. [11] R.J. Back and K. Sere. From action systems to modular systems. Software – Concepts and Tools, 17:26–39, 1996. [12] R.J. Back and K. Sere. Superposition refinement of parallel algorithms. Formal Aspects of Computing, 8(3):324–346, 1996. [13] R. J. Back and J. von Wright. Games and winning strategies. Information Processing Letters, 53(3):165–172, February 1995. [14] R.J. Back and J. von Wright. Refinement Calculus: A Systematic Introduction. Springer-Verlag, 1998. [15] R.J. Back and J. von Wright. Reasoning algebraically about loops. Acta Informatica, 36:295–334, 1999. [16] R.J. Back and J. von Wright. Contracts, games and refinement. Information and Computation, 156:25–45, 2000. [17] R. J. Back and J. von Wright. A Method for Teaching Rigorous Mathematical Reasoning. In Proc. Int. Conference on Technology of Mathematics, Univ. of Plymouth, August 1999. [18] R. J. Back and J. von Wright. Contracts as mathematical entities in programming logic. In Proc. Workshop on Refinement and Abstraction, Electronic Notes in Theoretical Computer Science. Elsevier, to appear. 59
[19] R.J. Back and Q. Xu. Refinement of Fair Action Systems. Acta Informatica, 35, 131-165, 1998. [20] J. Bengtsson, B. Jonsson, J. Lilius, and W. Yi. Partial Order Reductions for Timed System. In Davide Sangiorgi and Robert de Simone, editors, CONCUR’98 Concurrency Theory, 9th International Conference, volume 1466 of Lecture Notes in Computer Science, pages 485–500, Berlin, 1998. Springer Verlag. [21] M.M. Bonsangue, J.N. Kok, and K. Sere. An approach to objectorientation in action systems. In Proc. Mathematics of Program Construction (MPC’98), Lecture Notes in Computer Science. Springer–Verlag, June 1998. [22] M.J. Butler, J. Grundy, T. L˚ angbacka, R. Ruksenas, and J. von Wright. The refinement calculator: Proof support for program refinement. In Proc. FMP’97 – Formal Methods Pacific, Discrete Mathematics and Theoretical Computer Science, Wellington, New Zealand, July 1997. Springer-Verlag. [23] M.J. Butler, E. Sekerinski, and K. Sere. An action system approach to the steam boiler problem. In Formal Methods for Industrial Applications: Specifying and Programming the Steam Boiler Control (Lecture Notes in Computer Science 1165). Springer-Verlag, 1996. [24] H. Goeman, J.N. Kok, K. Sere, and R.T. Udink. Coordination in the impunity framework. Science of Computer Programming 1998. [25] E. Hedman, J.N. Kok, and K. Sere. Coordinating action systems. Theoretical Computer Science No 240, 2000. [26] V. Kasurinen and K. Sere. Action systems and Z in a medical system specification. In Proc. Formal Methods Europe (FME ’96), volume 1051 of Lecture Notes in Computer Science, Oxford, UK, March 1996. SpringerVerlag. [27] L. Laibinis. Using lattice theory in higher order logic. In J. von Wright, J. Grundy, and J. Harrison, editors, Proc. 9th International Conference on Theorem Proving in Higher Order Logics, Lecture Notes in Computer Science, pages 315–330, Turku, Finland, August 1996. Springer-Verlag. [28] L. Laibinis and J. von Wright. What’s in a specification. In Proc. IRW/FMP’98 – International Refinement Workshop and Formal Methods Pacific 1998, Discrete Mathematics and Theoretical Computer Science, pages 180–192, Canberra, Australia, September 1998. Springer–Verlag. [29] T. L˚ angbacka and J. von Wright. Refining reactive systems in hol using action systems. In Proc. TPHOLs’97 – Theorem Proving in Higher Order Logics: 10th International Conference, volume 1275 of Lecture Notes in Computer Science, pages 183–197, Murray Hill, N.J., USA, August 1997. Springer-Verlag. 60
[30] X. Li and J. Lilius. Checking Time Petri Nets for Linear Duration Properties. In Manuel Silva Peter Bucholz, editor, Petri Nets and Performance Models )PNPM ’99), pages 218–226. IEEE Computer Society Press, 1999. [31] J. Lilius. Efficient State Space Search for Time Petri Nets. In P. Jancar and M. Kr´etinsk´ y, editors, Proc. of MFCS Workshop on Concurrency, Brno ’98, volume 18 of ENTCS. Elsevier [32] X. Li and J. Lilius. Checking Compositions of UML Sequence Diagrams for Timing Inconsistency. In 7th Asia Pacific Software Engineering Conference (APSEC 2000) Dec. 5-8, Singapore, 2000. [33] X. Li and J. Lilius. Timing Analysis of UML Sequence Diagrams. In Proceedings of UML’99, volume 1723 of Lecture Notes in Computer Science, pages 661–674, Berlin, 1999. Springer Verlag. [34] J. Lilius and I. Porres Paltor. Formalizing UML State Machines for Model Checking. In Proceedings of UML’99, volume 1723 of Lecture Notes in Computer Science, pages 430–445, Berlin, 1999. Springer Verlag. [35] J. Lilius and I. Porres Paltor. vUML: a Tool for Verifying UML models. In Proceedings of ASE’99, pages 255–258. IEEE Computer Society, 1999. [36] J. Lilius and I. Porres Paltor. The Production Cell: An Exercise in Formal Verification of an UML Model. In Proceedings of HICCS’33 [37] L. Mikhajlov and E. Sekerinski. A formal study of the fragile base class problem. In Proc. European Conference on Object-Oriented Programming (ECOOP’98), 1998. [38] A. Mikhajlova and E. Sekerinski. Class refinement and interface refinement in object-oriented programs. In Proc. Formal Methods Europe (FME ’97), volume 1313 of Lecture Notes in Computer Science, Graz, Austria, September 1997. Springer-Verlag. [39] I. Porres Paltor and J. Lilius. Digital Sound Recorder: A Case Study On Designing Embedded Systems Using the UML Notation. Technical Report 234, Turku Centre for Computer Science TUCS, 1999. [40] J. Lilius and I. Porres Paltor. The Production Cell: An Exercise in the Formal Verification of a UML Model. Technical Report 288, Turku Centre for Computer Science TUCS, Turku, Finland, June 1999. [41] J. Plosila and K. Sere. Action systems in pipelined processor design. In Proc. 3rd International Symposium on Advanced Research in Asynchronous Circuits and Systems (Async97), Eindhoven, The Netherlands, April 1997. IEEE Computer Society Press. [42] M. R¨onkk¨o and K. Sere. Refinement and Continuous Behaviour. In Proc. of the Second International Workshop on Hybrid Systems: Computation and Control (HSCC’99), Nijmegen, The Netherlands, March 1999. Lecture Notes in Computer Science 1569. Springer-Verlag. 61
[43] M. R¨onkk¨o, E. Sekerinski, and K. Sere. Control systems as action systems. In Proc. Workshop on Discrete Event Systems (WODES’96), Edinburgh, UK, August 1996. [44] E. Sekerinski and K. Sere. A theory of prioritizing composition. The Computer Journal, 39(8):701–712, 1996. [45] E. Sekerinski and K. Sere, editors. Refinement Case Studies in B. SpringerVerlag, 1998. To appear. [46] K. Sere. Procedures and atomicity refinement. Information Processing Letters, 60:67–74, 1996. [47] K. Sere and M. Wald´en. Reverse engineering distributed algorithms. Journal of Software Maintenance: Research and Practice, 8:117–144, 1996. [48] K. Sere and M. Wald´en. Data refinement and remote procedures. Formal Aspects of Computing To appear. [49] M. Wald´en and K. Sere. Reasoning about action systems using the Bmethod. Formal Methods in System Design. To appear. [50] J. von Wright. Representing higher order logic proofs in HOL. The Computer Journal, 38(2):171–179, 1995. [51] J. von Wright. Extending window inference. In Proc. 11th International Workshop on Higher Order Logic Theorem Proving and its Applications, Volume 1479 of Lecture Notes in Computer Science, pages 17–32, Canberra, Australia, September 1998. Springer–Verlag.
62
Turku Centre for Computer Science TUCS General Publications 12. 13. 14. 15. 16. 17. 18. 20. 21. 22. 23.
24. 25. 26. 27. 28.
29.
30. 31. 32. 33. 34.
35.
36. 37.
Edward M. Roche, Kalle Kangas, Reima Suomi (Eds.), Proceedings of the IFIP WG 8.7 Helsinki Working Conference, 1998 Christer Carlsson and Franck Tétard (Eds.), Intelligent Systems and Active DSS, Abstracts of the IFORS SPC-9 Conference Mats Aspnäs, Ralph-Johan Back, Timo Järvi, Martti Kuutti, Tiina Lehto (Eds.), Turku Centre for Computer Science, Annual Report 1998 Tero Harju and Iiro Honkala (Eds.), Proceedings of the Seventh Nordic Combinatorial Conference Christer Carlsson (Editor), The State of the Art of Information System Applications in 2007 Christer Carlsson (Editor), Information Systems Day Ralph-Johan Back, Timo Järvi, Nina Kivinen, Leena Palmulaakso-Nylund and Thomas Sund (Eds.), Turku Centre for Computer Science, Annual Report 1999 Reima Suomi, Jarmo Tähkäpää (Eds.), Health and Wealth trough Knowledge Johan Lilius, Seppo Virtanen (Eds.), TTA Workshop Notes 2002 Mikael Collan, Investment Planning – An Introduction Mats Aspnäs, Christel Donner, Monika Eklund, Pia Le Grand, Ulrika Gustafsson, Timo Järvi, Nina Kivinen, Maria Prusila, Thomas Sund (Eds.), Turku Centre for Computer Science, Annual Report 2000-2001 Ralph-Johan Back and Victor Bos, Centre for Reliable Software Technology, Progress Report 2003 Pirkko Walden, Stina Störling-Sarkkila, Hannu Salmela and Eija H. Karsten (Eds.), ICT and Services: Combining Views from IS and Service Research Timo Järvi and Pekka Reijonen (Eds.), People and Computers: Twenty-one Ways of Looking at Information Systems Tero Harju and Juhani Karhumäki (Eds.), Proceedings of WORDS'03 Mats Aspnäs, Christel Donner, Monika Eklund, Pia Le Grand, Ulrika Gustafsson, Timo Järvi and Nina Kivinen (Eds.), Turku Centre for Computer Science, Annual Report 2002 João M. Fernandes, Johan Lilius, Ricardo J. Machado and Ivan Porres (Eds.), Proceedings of the 1st International Workshop on Model-Based Methodologies for Pervasive and Embedded Software Mats Aspnäs, Christel Donner, Monika Eklund, Ulrika Gustafsson, Timo Järvi and Nina Kivinen (Eds.), Turku Centre for Computer Science, Annual Report 2003 Andrei Sabelfeld (Editor), Foundations of Computer Security Eugen Czeizler and Jarkko Kari (Eds.), Proceedings of the Workshop on Discrete Models for Complex Systems Peter Selinger (Editor), Proceedings of the 2nd International Workshop on Quantum Programming Languages Kai Koskimies, Johan Lilius, Ivan Porres and Kasper Østerbye (Eds.), Proceedings of the 11th Nordic Workshop on Programming and Software Development Tools and Techniques, NWPER'2004 Kai Koskimies, Ludwik Kuzniarz, Johan Lilius and Ivan Porres (Eds.), Proceedings of the 2nd Nordic Workshop on the Unified Modeling Language, NWUML'2004 Franca Cantoni and Hannu Salmela (Eds.), Proceedings of the Finnish-Italian Workshop on Information Systems, FIWIS 2004 Ralph-Johan Back and Kaisa Sere, CREST Progress Report 2002-2003
Turku Centre for Computer Science
Lemminkäisenkatu 14 A, 20520 Turku, Finland | www.tucs.fi
University of Turku ! Department of Information Technology ! Department of Mathematics
Åbo Akademi University ! Department of Computer Science ! Institute for Advanced Management Systems Research
Turku School of Economics and Business Administration ! Institute of Information Systems Sciences
ISBN 952-12-1437-6 ISSN 1239-1905
