
Formal Methods

John Fitzgerald
Constance Heitmeyer
Stefania Gnesi
Anna Philippou (Eds.)

LNCS 9995

FM 2016:
Formal Methods
21st International Symposium
Limassol, Cyprus, November 9–11, 2016
Proceedings



Lecture Notes in Computer Science
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, UK
Josef Kittler, UK
Friedemann Mattern, Switzerland
Moni Naor, Israel
Bernhard Steffen, Germany
Doug Tygar, USA
Takeo Kanade, USA
Jon M. Kleinberg, USA
John C. Mitchell, USA
C. Pandu Rangan, India
Demetri Terzopoulos, USA
Gerhard Weikum, Germany

Formal Methods
Subline of Lecture Notes in Computer Science
Subline Series Editors
Ana Cavalcanti, University of York, UK
Marie-Claude Gaudel, Université de Paris-Sud, France

Subline Advisory Board
Manfred Broy, TU Munich, Germany
Annabelle McIver, Macquarie University, Sydney, NSW, Australia
Peter Müller, ETH Zurich, Switzerland
Erik de Vink, Eindhoven University of Technology, The Netherlands
Pamela Zave, AT&T Laboratories Research, Bedminster, NJ, USA

9995



Editors
John Fitzgerald
Newcastle University
Newcastle upon Tyne
UK

Stefania Gnesi
ISTI-CNR
Pisa
Italy

Constance Heitmeyer
US Naval Research Laboratory
Washington, DC
USA

Anna Philippou
University of Cyprus
Nicosia
Cyprus


ISSN 0302-9743
ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-319-48988-9
ISBN 978-3-319-48989-6 (eBook)
DOI 10.1007/978-3-319-48989-6
Library of Congress Control Number: 2016956000
LNCS Sublibrary: SL2 – Programming and Software Engineering
© Springer International Publishing AG 2016
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made.
Printed on acid-free paper
This Springer imprint is published by Springer Nature
The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland


Preface


Over nearly three decades since its foundation in 1987, the “FM” Symposium has
become a central part of the intellectual and social life of the Formal Methods community. We are therefore delighted to present the proceedings of FM 2016, the 21st
symposium in the series, held in Limassol, Cyprus, during November 9–11, 2016.
Throughout these years, Springer has supported the symposium through its Lecture
Notes in Computer Science (LNCS) series. It is therefore with particular pleasure that
we present this year’s proceedings as the first volume in the new LNCS subline on
Formal Methods. The creation of this subline reflects the maturity and growing significance of the discipline.
The 2016 symposium received 162 submissions to the main track – the largest
number of contributions to a regular symposium in the FM series to date. Review of
each submission by at least three Program Committee members followed by a discussion phase led to the selection of 43 papers – an acceptance rate of 0.265. These
proceedings also contain six papers selected by the Program Committee of the Industry
Track chaired by Georgia Kapitsaki (University of Cyprus), Tiziana Margaria
(University of Limerick and Lero, Ireland), and Marcel Verhoef (European Space
Agency, The Netherlands).
We were honored that three of the most creative and respected members of our
community – Manfred Broy (Technical University of Munich), Peter O’Hearn
(University College London, and Facebook), and Jan Peleska (University of Bremen
and Verified Software International) – accepted our invitation to give keynote presentations at the symposium. Also scheduled during FM 2016 were four workshops
selected by the Workshop Chairs, Nearchos Paspallis (University of Central Lancashire
in Cyprus) and Martin Steffen (University of Oslo), eight tutorials selected by the
Tutorial Chairs, Dimitrios Kouzapas (Glasgow University) and Oleg Sokolsky
(University of Pennsylvania), and eight papers to be presented at a Doctoral Symposium
organized by Andrew Butterfield (Trinity College Dublin) and Matteo Rossi (Politecnico di Milano). The resulting FM 2016 program reflects the breadth and vibrancy of
both research and practice in formal methods today.
As in previous years, FM 2016 attracted submissions from all over the world: 299
authors from 22 European countries, 126 authors from eight Asian countries, 64
authors from North America, 24 authors from five countries in South America, 16
authors from Australia and New Zealand, and five authors from two African countries,
Algeria and Tunisia. The largest number of authors from a single country were from
China (58), the second largest number of authors came from France (56), the third
largest number of authors were from the UK (53), and the fourth largest number of
authors were from the USA (45).
Last year, the FM community mourned the passing of Prof. Peter Lucas, a former
chair of the FME Association and a founding figure of the formal methods discipline.


This year, as a symposium highlight, we celebrated Peter’s achievements by presenting
the first Lucas Award for a highly influential paper in formal methods.
We are grateful to all involved in FM 2016, particularly the Program Committee
members, subreviewers, and other committee chairs. The excellent local organization
and publicity groups, chaired by Yannis Dimopoulos, Chryssis Georgiou, and George
Papadopoulos (University of Cyprus), deserve special thanks.
Much of the symposium’s activity would be impossible without the support of our
sponsors. We gratefully acknowledge the support of: Springer, the Cyprus Tourism
Organization, the University of Cyprus, and DiffBlue.
September 2016

John S. Fitzgerald
Stefania Gnesi
Constance Heitmeyer
Program Co-chairs
Anna Philippou
General Chair


Organization


Program Committee
Erika Abraham (RWTH Aachen University, Germany)
Bernhard K. Aichernig (TU Graz, Austria)
Myla Archer (Naval Research Laboratory, USA)
Gilles Barthe (IMDEA Software Institute, Spain)
Nikolaj Bjorner (Microsoft Research, USA)
Michael Butler (University of Southampton, UK)
Andrew Butterfield (Trinity College, University of Dublin, Ireland)
Ana Cavalcanti (University of York, UK)
David Clark (UCL, UK)
Frank De Boer (CWI, The Netherlands)
Ewen Denney (SGT/NASA Ames, USA)
Jin Song Dong (National University of Singapore, Singapore)
Javier Esparza (Technical University of Munich, Germany)
John Fitzgerald (Newcastle University, UK)
Vijay Ganesh (University of Waterloo, Canada)
Diego Garbervetsky (Universidad de Buenos Aires, Argentina)
Dimitra Giannakopoulou (NASA Ames, USA)
Stefania Gnesi (ISTI-CNR, Italy)
Wolfgang Grieskamp (Google, USA)
Arie Gurfinkel (University of Waterloo, Canada)
Anne E. Haxthausen (Technical University of Denmark, Denmark)
Ian Hayes (University of Queensland, Australia)
Constance Heitmeyer (Naval Research Laboratory, USA)
Thai-Son Hoang (University of Southampton, UK)
Jozef Hooman (TNO-ESI and Radboud University Nijmegen, The Netherlands)
Laura Humphrey (Air Force Research Laboratory, USA)
Ralf Huuck (UNSW/SYNOPSYS, Australia)
Fuyuki Ishikawa (National Institute of Informatics, Japan)
Einar Broch Johnsen (University of Oslo, Norway)
Cliff Jones (Newcastle University, UK)
Georgia Kapitsaki (University of Cyprus, Cyprus)
Joost-Pieter Katoen (RWTH Aachen University, Germany)
Gerwin Klein (NICTA and UNSW, Australia)
Laura Kovacs (Vienna University of Technology, Austria)
Thomas Kropf (Bosch, Germany)
Peter Gorm Larsen (Aarhus University, Denmark)


Thierry Lecomte (ClearSy, France)
Yves Ledru (Université Grenoble Alpes, France)
Rustan Leino (Microsoft Research, USA)
Elizabeth Leonard (Naval Research Laboratory, USA)
Martin Leucker (University of Lübeck, Germany)
Michael Leuschel (University of Düsseldorf, Germany)
Zhiming Liu (Southwest University, China)
Tiziana Margaria (University of Limerick and Lero, Ireland)
Mieke Massink (CNR-ISTI, Italy)
Annabelle McIver (Macquarie University, Australia)
Dominique Mery (Université de Lorraine, LORIA, France)
Peter Müller (ETH Zürich, Switzerland)
Tobias Nipkow (TU München, Germany)
Jose Oliveira (Universidade do Minho, Portugal)
Olaf Owe (University of Oslo, Norway)
Sam Owre (SRI International, USA)
Anna Philippou (University of Cyprus, Cyprus)
Nico Plat (Thanos and West IT Solutions, The Netherlands)
Elvinia Riccobene (University of Milan, Italy)
Judi Romijn (Movares, The Netherlands)
Grigore Rosu (University of Illinois at Urbana-Champaign, USA)
Andreas Roth (SAP Research, Germany)
Augusto Sampaio (Federal University of Pernambuco, Brazil)
Gerardo Schneider (Chalmers University of Gothenburg, Sweden)
Natasha Sharygina (University of Lugano, Switzerland)
Marjan Sirjani (Reykjavik University, Iceland)
Ana Sokolova (University of Salzburg, Austria)
Jun Sun (Singapore University of Technology and Design, Singapore)
Kenji Taguchi (AIST, Japan)
Stefano Tonetta (FBK-irst, Italy)
Marcel Verhoef (European Space Agency, The Netherlands)
Aneta Vulgarakis (Ericsson, Sweden)
Alan Wassyng (McMaster University, Canada)
Heike Wehrheim (University of Paderborn, Germany)
Michael Whalen (University of Minnesota, USA)
Jim Woodcock (University of York, UK)
Fatiha Zaidi (University of Paris-Sud, France)
Gianluigi Zavattaro (University of Bologna, Italy)
Jian Zhang (Chinese Academy of Sciences, China)
Lijun Zhang (Chinese Academy of Sciences, China)


Additional Reviewers
Aestasuain, Fernando
Aguirre, Nazareno
Ait Ameur, Yamine
Almeida, José Bacelar
Alt, Leonardo
Ambrona, Miguel
Andronick, June
Antignac, Thibaud
Arcaini, Paolo
Arming, Sebastian
Asadi, Sepideh

Azadbakht, Keyvan
Bagheri, Maryam
Bai, Guangdong
Bak, Stanley
Bandur, Victor
Bartocci, Ezio
Basile, Davide
Bertrand, Nathalie
Berzish, Murphy
Bonacina, Maria Paola
Bornat, Richard
Bourke, Timothy
Braghin, Chiara
Bravetti, Mario
Bright, Curtis
Bubel, Richard
Calinescu, Radu
Carvalho, Gustavo
Cassez, Franck
Castaño, Rodrigo
Chawdhary, Aziem
Chen, Xiaohong
Chen, Xin
Ciancia, Vincenzo
Ciriani, Valentina
Colom, José Manuel
Colvin, Robert
Cremers, Cas
Dalvandi, Mohammadsadegh
Dang, Thao

Decker, Normann
Dehnert, Christian

Delzanno, Giorgio
Demasi, Ramiro
Dghaym, Dana
Dimovski, Aleksandar S.
Dobrikov, Ivaylo
Dodds, Mike
Donat-Bouillud, Pierre
Dong, Naipeng
Dutertre, Bruno
Díaz, Gregorio
Engelmann, Björn
Fantechi, Alessandro
Fedyukovich, Grigory
Fokkink, Wan
Foster, Simon
Fox, Anthony
Freitas, Leo
Ghassabani, Elaheh
Habli, Ibrahim
Herbelin, Hugo
Heunen, Chris
Holzer, Andreas
Huisman, Marieke
Hyvärinen, Antti
Höfner, Peter
Immler, Fabian
Inoue, Jun

Jacob, Jeremy
Jafari, Ali
Jakobs, Marie-Christine
Jansen, Nils
Jegoure, Cyrille
Johansen, Christian
Junges, Sebastian
Katis, Andreas
Khamespanah, Ehsan
Kotelnikov, Evgenii
Kremer, Gereon
Kretinsky, Jan
Krämer, Julia Désirée
Kumar, Ramana
Laarman, Alfons
Lallali, Mounir

Lanese, Ivan
Laporte, Vincent
Li, Qin
Li, Xiaoshan
Li, Ximeng
Lienhardt, Michael

Lochau, Malte
Luttenberger, Michael
Ma, Feifei
Macedo, Hugo Daniel
Macedo, Nuno
Mallouli, Wissam
Marescotti, Matteo
Markin, Grigory
Martinelli, Fernan
Matheja, Christoph
Matichuk, Daniel
Mattarei, Cristian
Melgratti, Hernan
Melquiond, Guillaume
Menéndez, Héctor
Mohaqeqi, Morteza
Mori, Akira
Mota, Alexandre
Mu, Chunyan
Mu, Kedian
Nakata, Akio
Nejati, Saeed
Nguyen, Huu Nghia
Nogueira, Sidney C.
Núñez, Manuel
Olmedo, Federico
Park, Daejun
Pavese, Esteban
Perez, Gervasio
Petke, Justyna

Plat, Nico
Popescu, Andrei
Prabhakar, Pavithra
Proenca, Jose
Rabehaja, Tahiry
Radoi, Cosmin
Rakamaric, Zvonimir
Ratschan, Stefan
Ray, Sayak
Rezazadeh, Abdolbaghi

Ritter, Eike
Rizkallah, Christine
Robillard, Simon
Sangnier, Arnaud
Savicks, Vitaly
Scheffel, Torben
Schoepe, Daniel
Schumi, Richard
Schupp, Stefan
Serbanuta, Traian Florin
Sharifi, Zeinab
Shaver, Chris
Shi, Ling
Silva, Alexandra
Singh, Neeraj
Smetsers, Rick
Smith, Graeme
Snook, Colin
Spagnolo, Giorgio Oronzo

Spoletini, Paola
Stefanescu, Andrei
Steffen, Martin
Steinhorst, Sebastian
Strub, Pierre-Yves
Subramanyan, Pramod
Suda, Martin
Summers, Alexander J.
Sun, Meng
T. Vasconcelos, Vasco
Tan, Tian Huat
Tappler, Martin
Teixeira, Leopoldo
Ter Beek, Maurice H.
Thoma, Daniel
Thüm, Thomas
Timm, Nils
Tiwari, Ashish
Toews, Manuel
Travkin, Oleg
Urban, Caterina
Vafeiadis, Viktor
Van Eijck, Jan
Varshosaz, Mahsa
Velykis, Andrius
Voelzer, Hagen
Voisin, Frederic


Organization


Volk, Matthias
Wilkinson, Toby
Wimmer, Ralf
Winter, Kirsten
Wolff, Burkhart
Wong, Peter
Wu, Xi
Wu, Zhilin
Yadav, Maneesh

Yamagata, Yoriyuki
Yatapanage, Nisansala
Yovine, Sergio
Yu, Ingrid Chieh
Zeyda, Frank
Zhao, Hengjun
Zhao, Liang
Zoppi, Edgardo
Zulkoski, Ed


Abstracts of Invited Talks


A Logical Approach to Systems Engineering Artifacts: Semantic Relationships
and Dependencies beyond Traceability - From Requirements to Functional
and Architectural Views

Manfred Broy
Institut für Informatik, Technische Universität München, 80290 Munich,
Germany

Abstract. Not only system assurance drives a need for semantically richer
relationships across various artifacts, work products, and items of information
than are implied in the terms “trace and traceability” as used in current standards
and textbooks. This paper deals with the task of working out artifacts in software
and system development, their representation, and the analysis and documentation of the relationships between their logical contents - herein referred to as
tracing and traceability; this is a richer meaning of traceability than in standards
like IEEE STD 830. Among others, key tasks in system development are as
follows: capturing, analyzing, and documenting system level requirements, the
step to functional system specifications, the step to architectures given by the
decomposition of systems into subsystems with their connections and behavioral
interactions. Each of these steps produces artifacts for documenting the development, as a basis for a specification and a design rationale, for documentation,
for verification, and impact analysis of change requests. Crucial questions are
how to represent and formalize the content of these artifacts and how to relate
their content to support, in particular, system assurance. When designing multifunctional systems, key artifacts are system level requirements, functional
specifications, and architectures in terms of their subsystem specifications. Links
and traces between these artifacts are introduced to relate their contents.
Traceability has the goal to relate artifacts. It is required for instance in standards
for functional system safety such as the ISO 26262. An approach to specify
semantic relationships is shown, such that the activity of creating and using
(navigating through) these relationships can be supported with automation.


Moving Fast with Program Verification Technology

Peter W. O’Hearn
Facebook

Abstract. Catching bugs early in the development process improves software
quality and saves developer time. At Facebook, we are building Infer
(fbinfer.com), an open-source static analyzer for Android, iOS, and C++ code
which has its roots in program verification research. In this talk, I will discuss
the challenges we have faced in developing techniques that can cope with
Facebook’s scale and velocity, the challenges of different modes of deployment,
and some lessons we have learned that might be relevant to formal methods
research. Most importantly, adapting to Facebook’s fast-paced engineering
culture – illustrated by the “Move Fast and Break Things” and similar posters
adorning its office walls – has taught us that if verification technology can move
fast, in tune with programmers’ workflow, then it will fix more things.


Industrial-Strength Model-Based Testing
of Safety-Critical Systems
Jan Peleska (1,2) and Wen-ling Huang (2)

1 Verified Systems International GmbH, Bremen, Germany
2 Department of Mathematics and Computer Science,
University of Bremen, Bremen, Germany
{jp,huang}@cs.uni-bremen.de

Abstract. In this article we present an industrial-strength approach to automated
model-based testing. This approach is applied by Verified Systems International
GmbH in safety-critical verification and validation projects in the avionic, railway, and automotive domains. The SysML modelling formalism is used for
creating test models. Associating SysML with a formal behavioural semantics
allows for full automation of the whole work flow, as soon as the model including
SysML requirements tracing information has been elaborated. The presentation
highlights how certain aspects of formal methods are key enablers for achieving
the degree of automation that is needed for effectively testing today’s safety
critical systems with acceptable effort and the degree of comprehensiveness
required by the applicable standards. It is also explained which requirements
from the industry and from certification authorities have to be considered when
designing test automation tools fit for integration into the verification and validation work flow set up for complex system developments. From the collection
of scientific challenges the following questions are addressed. (1) What is the
formal equivalent to traceable requirements and associated test cases? (2) How
can requirements based, property-based, and model-based testing be effectively
automated? (3) Which test strategies provide guaranteed test strength, independent of the syntactic representation of the model?


Contents

Invited Presentations

Industrial-Strength Model-Based Testing of Safety-Critical Systems . . . . . 3
Jan Peleska and Wen-ling Huang

Research Track

Counter-Example Guided Program Verification . . . . . 25
Parosh Aziz Abdulla, Mohamed Faouzi Atig, and Bui Phi Diep

Tighter Reachability Criteria for Deadlock-Freedom Analysis . . . . . 43
Pedro Antonino, Thomas Gibson-Robinson, and A.W. Roscoe

Compositional Parameter Synthesis . . . . . 60
Lacramioara Aştefănoaei, Saddek Bensalem, Marius Bozga,
Chih-Hong Cheng, and Harald Ruess

Combining Mechanized Proofs and Model-Based Testing in the Formal
Analysis of a Hypervisor . . . . . 69
Hanno Becker, Juan Manuel Crespo, Jacek Galowicz, Ulrich Hensel,
Yoichi Hirai, César Kunz, Keiko Nakata, Jorge Luis Sacchini,
Hendrik Tews, and Thomas Tuerk

A Model Checking Approach to Discrete Bifurcation Analysis . . . . . 85
Nikola Beneš, Luboš Brim, Martin Demko, Samuel Pastva,
and David Šafránek

State-Space Reduction of Non-deterministically Synchronizing Systems
Applicable to Deadlock Detection in MPI . . . . . 102
Stanislav Böhm, Ondřej Meca, and Petr Jančar

Formal Verification of Multi-Paxos for Distributed Consensus . . . . . 119
Saksham Chand, Yanhong A. Liu, and Scott D. Stoller

Validated Simulation-Based Verification of Delayed Differential Dynamics . . . . . 137
Mingshuai Chen, Martin Fränzle, Yangjia Li, Peter N. Mosaad,
and Naijun Zhan

Towards Learning and Verifying Invariants of Cyber-Physical Systems
by Code Mutation . . . . . 155
Yuqi Chen, Christopher M. Poskitt, and Jun Sun

From Electrical Switched Networks to Hybrid Automata . . . . . 164
Alessandro Cimatti, Sergio Mover, and Mirko Sessa

Danger Invariants . . . . . 182
Cristina David, Pascal Kesseli, Daniel Kroening, and Matt Lewis

Local Planning of Multiparty Interactions with Bounded Horizons . . . . . 199
Mahieddine Dellabani, Jacques Combaz, Marius Bozga,
and Saddek Bensalem

Finding Suitable Variability Abstractions for Family-Based Analysis . . . . . 217
Aleksandar S. Dimovski, Claus Brabrand, and Andrzej Wąsowski

Recovering High-Level Conditions from Binary Programs . . . . . 235
Adel Djoudi, Sébastien Bardin, and Éric Goubault

Upper and Lower Amortized Cost Bounds of Programs Expressed as Cost
Relations . . . . . 254
Antonio Flores-Montoya

Exploring Model Quality for ACAS X . . . . . 274
Dimitra Giannakopoulou, Dennis Guck, and Johann Schumann

Learning Moore Machines from Input-Output Traces . . . . . 291
Georgios Giantamidis and Stavros Tripakis

Modal Kleene Algebra Applied to Program Correctness . . . . . 310
Victor B.F. Gomes and Georg Struth

Mechanised Verification Patterns for Dafny . . . . . 326
Gudmund Grov, Yuhui Lin, and Vytautas Tumas

Formalising and Validating the Interface Description in the FMI Standard . . . . . 344
Miran Hasanagić, Peter W.V. Tran-Jørgensen, Kenneth Lausdahl,
and Peter Gorm Larsen

An Algebra of Synchronous Atomic Steps . . . . . 352
Ian J. Hayes, Robert J. Colvin, Larissa A. Meinicke, Kirsten Winter,
and Andrius Velykis

Error Invariants for Concurrent Traces . . . . . 370
Andreas Holzer, Daniel Schwartz-Narbonne, Mitra Tabaei Befrouei,
Georg Weissenbacher, and Thomas Wies

An Executable Formalisation of the SPARCv8 Instruction Set Architecture:
A Case Study for the LEON3 Processor . . . . . 388
Zhe Hou, David Sanan, Alwen Tiu, Yang Liu, and Koh Chuen Hoa

Hybrid Statistical Estimation of Mutual Information for Quantifying
Information Flow . . . . . 406
Yusuke Kawamoto, Fabrizio Biondi, and Axel Legay

A Generic Logic for Proving Linearizability . . . . . 426
Artem Khyzha, Alexey Gotsman, and Matthew Parkinson

Refactoring Refinement Structure of Event-B Machines . . . . . 444
Tsutomu Kobayashi, Fuyuki Ishikawa, and Shinichi Honiden

Towards Concolic Testing for Hybrid Systems . . . . . 460
Pingfan Kong, Yi Li, Xiaohong Chen, Jun Sun, Meng Sun,
and Jingyi Wang

Explaining Relaxed Memory Models with Program Transformations . . . . . 479
Ori Lahav and Viktor Vafeiadis

SpecCert: Specifying and Verifying Hardware-Based Security Enforcement . . . . . 496
Thomas Letan, Pierre Chifflier, Guillaume Hiet, Pierre Néron,
and Benjamin Morin

Automated Verification of Timed Security Protocols with Clock Drift . . . . . 513
Li Li, Jun Sun, and Jin Song Dong

Dealing with Incompleteness in Automata-Based Model Checking . . . . . 531
Claudio Menghi, Paola Spoletini, and Carlo Ghezzi

Equivalence Checking of a Floating-Point Unit Against a High-Level C
Model . . . . . 551
Rajdeep Mukherjee, Saurabh Joshi, Andreas Griesmayer,
Daniel Kroening, and Tom Melham

Battery-Aware Scheduling in Low Orbit: The GOMX–3 Case . . . . . 559
Morten Bisgaard, David Gerhardt, Holger Hermanns, Jan Krčál,
Gilles Nies, and Marvin Stenger

Discounted Duration Calculus . . . . . 577
Heinrich Ody, Martin Fränzle, and Michael R. Hansen

Sound and Complete Mutation-Based Program Repair . . . . . 593
Bat-Chen Rothenberg and Orna Grumberg

An Implementation of Deflate in Coq . . . . . 612
Christoph-Simon Senjak and Martin Hofmann

Decoupling Abstractions of Non-linear Ordinary Differential Equations . . . . . 628
Andrew Sogokon, Khalil Ghorbal, and Taylor T. Johnson

Regression Verification for Unbalanced Recursive Functions . . . . . 645
Ofer Strichman and Maor Veitsman

Automated Mutual Explicit Induction Proof in Separation Logic . . . . . 659
Quang-Trung Ta, Ton Chanh Le, Siau-Cheng Khoo, and Wei-Ngan Chin

Finite Model Finding Using the Logic of Equality with Uninterpreted
Functions . . . . . 677
Amirhossein Vakili and Nancy A. Day

GPUexplore 2.0: Unleashing GPU Explicit-State Model Checking . . . . . 694
Anton Wijs, Thomas Neele, and Dragan Bošnački

Approximate Bisimulation and Discretization of Hybrid CSP . . . . . 702
Gaogao Yan, Li Jiao, Yangjia Li, Shuling Wang, and Naijun Zhan

A Linear Programming Relaxation Based Approach for Generating Barrier
Certificates of Hybrid Systems . . . . . 721
Zhengfeng Yang, Chao Huang, Xin Chen, Wang Lin, and Zhiming Liu

Industry Track

Model-Based Design of an Energy-System Embedded Controller Using
TASTE . . . . . 741
Roberto Cavada, Alessandro Cimatti, Luigi Crema, Mattia Roccabruna,
and Stefano Tonetta

Simulink to UPPAAL Statistical Model Checker: Analyzing Automotive
Industrial Systems . . . . . 748
Predrag Filipovikj, Nesredin Mahmud, Raluca Marinescu,
Cristina Seceleanu, Oscar Ljungkrantz, and Henrik Lönn

Safety-Assured Formal Model-Driven Design of the Multifunction Vehicle
Bus Controller . . . . . 757
Yu Jiang, Han Liu, Houbing Song, Hui Kong, Ming Gu, Jiaguang Sun,
and Lui Sha

Taming Interrupts for Verifying Industrial Multifunction Vehicle Bus
Controllers . . . . . 764
Han Liu, Yu Jiang, Huafeng Zhang, Ming Gu, and Jiaguang Sun

Rule-Based Incremental Verification Tools Applied to Railway Designs
and Regulations . . . . . 772
Bjørnar Luteberget, Christian Johansen, Claus Feyling,
and Martin Steffen

RIVER: A Binary Analysis Framework Using Symbolic Execution
and Reversible x86 Instructions . . . . . 779
Teodor Stoenescu, Alin Stefanescu, Sorina Predut, and Florentin Ipate

Author Index . . . . . 787


Invited Presentations


Industrial-Strength Model-Based Testing
of Safety-Critical Systems
Jan Peleska (1,2) and Wen-ling Huang (2)

1 Verified Systems International GmbH, Bremen, Germany
2 Department of Mathematics and Computer Science,
University of Bremen, Bremen, Germany
{jp,huang}@cs.uni-bremen.de

Abstract. In this article we present an industrial-strength approach
to automated model-based testing. This approach is applied by Verified
Systems International GmbH in safety-critical verification and validation
projects in the avionic, railway, and automotive domains. The SysML
modelling formalism is used for creating test models. Associating SysML
with a formal behavioural semantics allows for full automation of the
whole work flow, as soon as the model including SysML requirements
tracing information has been elaborated. The presentation highlights
how certain aspects of formal methods are key enablers for achieving the
degree of automation that is needed for effectively testing today’s safety
critical systems with acceptable effort and the degree of comprehensiveness required by the applicable standards. It is also explained which
requirements from the industry and from certification authorities have
to be considered when designing test automation tools fit for integration
into the verification and validation work flow set up for complex system
developments. From the collection of scientific challenges the following
questions are addressed. (1) What is the formal equivalent to traceable
requirements and associated test cases? (2) How can requirements based,
property-based, and model-based testing be effectively automated? (3)
Which test strategies provide guaranteed test strength, independent of
the syntactic representation of the model?

Keywords: Model-based testing · Equivalence class partition testing ·
Complete testing theories

1 Introduction

Model-Based Testing. Model-based testing (MBT) can be implemented using
different approaches; this is also expressed in the current definition of MBT
presented in Wikipedia (footnote 1).

    Model-based testing is an application of model-based design for designing
    and optionally also executing artifacts to perform software testing or
    system testing. Models can be used to represent the desired behaviour of a
    System Under Test (SUT), or to represent testing strategies and a test
    environment.

Footnote 1: 2016-07-11.

© Springer International Publishing AG 2016
J. Fitzgerald et al. (Eds.): FM 2016, LNCS 9995, pp. 3–22, 2016.
DOI: 10.1007/978-3-319-48989-6_1
In this paper, we follow the variant where formal models represent the desired
behaviour of the SUT, because this promises the maximal return of investment
for the effort to be spent on test model development.

– Test cases can be automatically identified in the model.
– If the model contains links to the original requirements (this is systematically
supported, for example, by the SysML modelling language [19]), test cases can
be automatically traced back to the requirements they help to verify.
– Since the model is associated with a formal semantics, test cases can be represented by means of logical formulas representing reachability goals, and concrete test data can be calculated by means of constraint solvers.
– Using model-to-text transformations, executable test procedures, including
test oracles, can be generated in an automated way.
– Comprehensive traceability data linking test results, procedures, test cases,
and requirements can be automatically compiled.
Objectives. This paper is about model-based functional testing of safety-critical embedded systems. The test approach discussed here is black box, as
typically performed during HW/SW integration testing or system testing. The
main message of this contribution is twofold.
– Effective automated model-based testing is possible and ready for application
in an industrial context, when specialising on particular domains like safety-critical embedded systems. Here “effective” means both “high test strength”
and “can be realised with acceptable effort”.
– The considerable test strength that can be achieved using MBT-based testing
strategies can only be exploited when full automation is available. The underlying algorithms are too complex and the number of test cases is too high to
be handled in a manual way.
The methods described in this paper have been implemented in the
model-based testing component of Verified Systems’ test automation tool RT-Tester [21]. They are applied in testing campaigns for customers from the avionic,
railway, and automotive domains. As of today, the applicable standards [5,14,36]
do not yet elaborate on how MBT should be integrated into the workflow of
development, validation, and verification campaigns for safety-critical systems.
The description in this paper, however, is consistent with the general test-related
requirements that can be found in these standards.

Industrial-Strength Model-Based Testing 5

Overview. In Sect. 2, the workflow of typical testing campaigns in industry
is compared to the extended workflow required for using MBT in practice. In
Sect. 3, the development of test models with SysML is described, and a simple example is presented. In Sect. 4, we outline the underlying formal concepts enabling the automated test case identification and compilation of traceability
data linking test cases to requirements. The question of test strength is discussed
in Sect. 5, and the underlying theory that has been implemented in RT-Tester
is described. In Sect. 6, three different perspectives for approaching MBT are
described. Conclusions are presented in Sect. 7.
References to related work are given throughout the text. Notable overview
material on MBT can be found in [1,29,34].

2 Conventional Testing Workflow vs. MBT Workflow

The workflow of conventional industrial test campaigns is shown in Fig. 1.
All standards related to safety-critical systems verification emphasise that
requirements-based testing should be the main focus of each campaign. Requirements are typically specified in natural language, but preferably as “atomic”
statements that do not need to be decomposed into further sub-requirements. All
of our customers use requirements management systems, where dependencies
among requirements can be recorded. Optionally, links to further development
and V&V artefacts, such as design documents, source code, and test cases and
results can be established. Due to the informal nature of requirements, there is
no possibility to generate test cases directly from requirements.
As a first step of the test campaign, test cases are developed, so that each
requirement is verified by at least one test case. Test cases and requirements are
in an n : m relationship: one test case can help to test several requirements, and
one requirement may need more than one test case to check it thoroughly. The
relationship between requirements and test cases is documented in a traceability
matrix.
Test cases are usually specified first in an abstract way, that is, the logical conditions to be fulfilled for each test step are described, but the concrete
sequence of input vectors and the associated output sequences to be expected
from the SUT are not yet identified. Therefore a further step is required to
compute the concrete test data to be used or checked against when executing a
concrete test case in a test procedure.
Next, test procedures are programmed, each procedure executing one or more
concrete test cases. The procedures are executed against the SUT, and the results
are documented and evaluated. Finally, the traceability matrix is extended to
record the relationships between test cases and implementing procedures and
the results obtained in the procedure executions.
According to the current state of practice, test execution, documentation,
and compilation of traceability data are typically automated steps, but the initial
steps from test case identification to test procedure programming (and frequently
debugging ...) need to be performed manually.
A coverage analysis checks the code portions that have been covered by the
requirements-based test cases so far. If uncovered code still exists, either the code
has to be removed because it does not contribute to the functionality of the SUT,
or requirements have to be added, specifying the SUT behaviour implemented
by the code uncovered so far. This leads to additional test cases to be executed.
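The following is an added, constructed example, not code from the paper or from RT-Tester, that ties together the MBT capabilities listed in Sect. 1 (test cases as reachability goals, concrete data from a solver, generated procedures with oracles, automatically compiled traceability) with the traceability matrix and n : m relationship of the workflow above. The test model is a toy threshold monitor with three states and guarded transitions over one integer input; the requirement ids REQ-1 to REQ-3, the thresholds 50 and 80, and both SUT implementations are assumptions made for the example. Each transition is a reachability goal; a breadth-first search finds a path to its source state, a brute-force witness search over the finite input domain stands in for a constraint solver, the oracle is computed from the model, and the matrix is compiled from execution results against a correct SUT and a constructed off-by-one mutant.

```python
"""Added, constructed example (not from the paper or RT-Tester): test cases as
reachability goals over a small guarded state machine, concrete data from a
solver stand-in, model-derived oracles, and an n:m traceability matrix."""
from collections import deque

# Constructed test model: a threshold monitor with one integer input x.
INITIAL = "IDLE"
INPUT_DOMAIN = range(0, 101)          # x is an integer in 0..100

# (source state, guard on x, target state, output, requirement it implements)
TRANSITIONS = [
    ("IDLE",  lambda x: x >= 50, "WARN",  1, "REQ-1"),
    ("WARN",  lambda x: x >= 80, "ALARM", 2, "REQ-2"),
    ("WARN",  lambda x: x < 50,  "IDLE",  0, "REQ-3"),
    ("ALARM", lambda x: x < 50,  "IDLE",  0, "REQ-3"),
]

def model_step(state, x):
    """Model semantics: the first enabled transition fires; if none is
    enabled the state is kept and there is no observable output."""
    for src, guard, tgt, out, req in TRANSITIONS:
        if src == state and guard(x):
            return tgt, out, req
    return state, None, None

def solve(guard):
    """Stand-in for a constraint solver: smallest witness in the finite
    domain (a real MBT tool hands the guard to an SMT solver instead)."""
    return next((x for x in INPUT_DOMAIN if guard(x)), None)

def generate_test_cases():
    """One test case per transition, i.e. the reachability goal 'fire
    transition i'. BFS finds the shortest path to the source state; every
    step's input is a solver witness for that step's guard; the oracle
    (expected state and output per step) is computed from the model."""
    paths, queue = {INITIAL: []}, deque([INITIAL])
    while queue:
        s = queue.popleft()
        for src, guard, tgt, _, _ in TRANSITIONS:
            if src == s and tgt not in paths:
                paths[tgt] = paths[s] + [solve(guard)]
                queue.append(tgt)
    cases = []
    for i, (src, guard, _, _, _) in enumerate(TRANSITIONS):
        inputs = paths[src] + [solve(guard)]
        expected, reqs, s = [], [], INITIAL
        for x in inputs:
            s, o, req = model_step(s, x)
            expected.append((s, o))
            if req and req not in reqs:   # every requirement exercised on the path
                reqs.append(req)
        cases.append({"id": f"TC-{i + 1}", "inputs": inputs,
                      "expected": expected, "reqs": reqs})
    return cases

def run_procedure(case, sut_step):
    """Test procedure: drive sut_step(state, x) -> (state, output) with the
    concrete inputs and check each reaction against the oracle."""
    s = INITIAL
    for x, exp in zip(case["inputs"], case["expected"]):
        s, o = sut_step(s, x)
        if (s, o) != exp:
            return "FAIL"
    return "PASS"

def campaign(sut_step):
    """Generate, execute, and compile traceability: requirement -> list of
    (test case id, verdict). Several cases per requirement and several
    requirements per case give the n:m relationship."""
    cases = generate_test_cases()
    verdicts = {c["id"]: run_procedure(c, sut_step) for c in cases}
    matrix = {}
    for c in cases:
        for req in c["reqs"]:
            matrix.setdefault(req, []).append((c["id"], verdicts[c["id"]]))
    return verdicts, matrix

def uncovered_requirements(all_reqs, matrix):
    """Requirements not verified by any test case (should be empty)."""
    return sorted(set(all_reqs) - set(matrix))

# Constructed SUTs: a correct one and a mutant whose ALARM threshold is
# off by one (x == 80 is ignored), to show a generated test case failing.
def sut_correct(state, x):
    s, o, _ = model_step(state, x)
    return s, o

def sut_mutant(state, x):
    if state == "WARN" and x == 80:
        return "WARN", None
    return sut_correct(state, x)

if __name__ == "__main__":
    for name, sut in (("correct", sut_correct), ("mutant", sut_mutant)):
        verdicts, matrix = campaign(sut)
        print(name, verdicts, matrix)
```

Running the script prints the verdicts and the matrix for both SUTs: the mutant fails TC-2 and TC-4, and the matrix immediately shows REQ-2 as the requirement whose every test case failed, while REQ-1 and REQ-3 each keep at least one passing case. Replacing the brute-force `solve` by an SMT call and the hand-written `TRANSITIONS` by a model import is what separates this sketch from a tool like the one the paper describes.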