A Framework for Rigorous Development of Distributed Components: Formalisation and Tools

UNIVERSITÉ DE NICE-SOPHIA ANTIPOLIS
École Doctorale STIC (Sciences et Technologies de l'Information et de la Communication)

Thesis submitted for the degree of Docteur en Sciences, Mention Informatique, presented and defended by Oleksandra Kulankhina

A framework for rigorous development of distributed components: formalisation and tools

Thesis supervised by Eric Madelaine and co-supervised by Ludovic Henrio. Defended on 14 October 2016.

Jury
  Reviewers: Radu Mateescu, Inria Grenoble - Rhône-Alpes; František Plášil, Charles University, Prague
  Examiners: Frédéric Mallet, Université Nice Sophia Antipolis; Simon Bliudze, EPFL
  Thesis director: Eric Madelaine, Inria Sophia Antipolis
  Co-director: Ludovic Henrio, CNRS
  Invited member: Rabéa Ameur-Boulifa, Télécom ParisTech

Résumé (translated from French)

In this thesis, we propose a rigorous approach to the design and development of systems built from distributed hierarchical components. The core idea of the presented work is to combine model-driven software design techniques, which are well known to programmers, with powerful formal verification methods capable of ensuring the functional properties of a distributed system and of detecting errors as early as the design stage. First, we introduce a UML-based graphical formalism for modelling the architecture and behaviour of hierarchical components. Second, we formally specify a set of constraints that ensure the correctness of component composition, with emphasis on the separation between functional and non-functional aspects. Third, we explain how our graphical models can be automatically translated into the input formalism of a model-checker.

We then focus on encoding the advanced features of distributed components, such as one-to-many communications, reconfiguration, and asynchronous communications based on remote procedure calls. Finally, we implement this approach in an integrated model-driven platform comprising a set of graphical editors, a module validating the static correctness of the architecture, a module translating the conceptual model into an input for the CADP verification platform, and a generator of executable code.

Abstract

In this thesis we introduce an approach for the rigorous design and development of distributed hierarchical component-based systems. The core idea of the presented work is to combine model-driven software design techniques, which are well known to programmers, with powerful formal verification methods able to ensure the functional properties of a distributed system and to detect errors at the early design stage. First, we introduce a UML-based graphical formalism for modelling the architecture and behaviour of hierarchical components. Second, we formally specify a set of constraints that ensure correct component composition, with a focus on the separation between functional and non-functional aspects. Third, we explain how the graphical models can be automatically translated into an input for a model-checker. For this purpose, we rely on a formally specified intermediate structure that encodes the semantics of component behaviour as a network of synchronised parametrised labelled transition systems. We focus here on encoding the advanced features of distributed components, such as one-to-many communications, reconfiguration, and asynchronous communications based on request-reply.

Finally, we implement the approach in an integrated model-driven environment which comprises a set of graphical editors, an architecture static correctness validation plug-in, a plug-in translating the conceptual model into an input for the CADP verification toolsuite, and a generator of the implementation code.

Acknowledgements

Table of Contents

List of Figures  xiii
List of Listings  xv
List of Tables  xvii
1 Introduction  1
  1.1 Motivation and objectives  1
  1.2 Contribution  7
  1.3 Outline  10
2 Context  13
  2.1 The Grid Component Model  14
    2.1.1 GCM overview  14
    2.1.2 GCM/ADL  17
    2.1.3 GCM/ProActive  18
  2.2 Parameterised networks of synchronised automata  24
    2.2.1 Term algebra and notations  24
    2.2.2 The pNets model  25
    2.2.3 Observation and flow of information  27
    2.2.4 Adequacy of pNets for modelling GCM components  28
  2.3 CADP  29
  2.4 The Fiacre specification language  32
  2.5 Model-Driven Engineering  33
    2.5.1 Unified Modelling Language  34
    2.5.2 Eclipse Modeling Framework  35
    2.5.3 Obeo Designer  36
  2.6 VerCors  37
3 An overview of the VerCors platform  41
  3.1 The core functionalities of VerCors  41
  3.2 Diagrams for architecture and behaviour specification  44
    3.2.1 An illustrative example  44
    3.2.2 Architecture specification  45
    3.2.3 Behaviour specification  48
  3.3 The architecture of VerCors  51
  3.4 Discussion  55
4 Well-formed component architecture  59
  4.1 Formalisation of component structure  60
  4.2 Auxiliary functions  61
  4.3 Interceptors  63
  4.4 Well-formed component architecture  65
    4.4.1 Core  65
    4.4.2 Non-functional aspects  68
    4.4.3 Collective communications  70
    4.4.4 Additional rules  71
  4.5 Properties  71
  4.6 Architecture static analysis in VerCors  74
  4.7 Discussion and Related work  74
5 Verification and execution of distributed components  79
  5.1 From application design to pNets  80
    5.1.1 Semantics of primitive components  81
    5.1.2 Semantics of composite components  92
    5.1.3 Implementation  100
  5.2 From pNets to CADP  108
    5.2.1 Preparing the input: generating Fiacre, EXP and auxiliary scripts  108
    5.2.2 Model-checking with CADP  112
  5.3 Code generation and execution  115
    5.3.1 ADL generation  116
    5.3.2 Java generation  118
    5.3.3 Code execution  123
  5.4 Discussion  124
    5.4.1 On the verification  124
    5.4.2 On the executable code generation  125
6 Advanced features  127
  6.1 Non-functional components and interceptors  129
    6.1.1 From application design to pNets  129
    6.1.2 Implementing pNet generation and integration with CADP  134
    6.1.3 Code generation  134
  6.2 Component attributes and attribute controllers  135
    6.2.1 Graphical specification  136
    6.2.2 From application design to pNets  137
    6.2.3 Implementing pNet generation and integration with CADP  138
    6.2.4 Code generation  139
  6.3 Reconfigurable multicast interfaces  140
    6.3.1 Graphical specification  141
    6.3.2 From application design to pNets  142
    6.3.3 Implementing pNet generation and integration with CADP  155
    6.3.4 Code generation  157
  6.4 Reconfiguring multicasts from NF components  157
    6.4.1 Graphical specification  157
    6.4.2 From application design to pNets  158
    6.4.3 Implementing pNet generation and integration with CADP  158
    6.4.4 Code generation  159
  6.5 Examples  161
    6.5.1 Composite pattern  161
    6.5.2 Springoo  171
  6.6 Discussion  173
7 Related work  177
  7.1 The SOFA 2 project  178
  7.2 The BIP Component Framework  181
  7.3 Rebeca formal modelling language and development tools  183
  7.4 ABS  188
  7.5 Other frameworks  191
    7.5.1 Component models and tools  192
    7.5.2 Verification platforms  196
  7.6 Summary  200
    7.6.1 On the verification tools  200
    7.6.2 On the component development frameworks  200
8 Conclusion  203
  8.1 Summary  203
  8.2 Perspectives  206
    8.2.1 Modelling and analysis of parameterised architectures  206
    8.2.2 Modelling and analysis of multi-threaded components  207
    8.2.3 Modelling and analysis of reconfigurable systems  208
    8.2.4 Extending the pNet generator  210
    8.2.5 Properties specification and visualising the results of model-checking  211
    8.2.6 Static analysis and type-checking of state machines  211
    8.2.7 Other ideas of the future work  213

List of Figures

2.1 A GCM application  15
2.2 Request-reply by futures  19
2.3 Request treatment by GCM/ProActive components  20
2.4 UML class diagram  35
2.5 UML state machine diagram  35
2.6 EMF example  36
3.1 VerCors workflow  42
3.2 Screenshot of VerCors  43
3.3 VerCors component diagram  46
3.4 A component diagram of Peterson's leader election use-case example  48
3.5 VerCors class diagram  49
3.6 State machine diagram  51
3.7 Scenario state machine  51
3.8 Architecture of VerCors  52
4.1 Internal interfaces of a membrane  63
4.2 An input chain of interceptors  64
4.3 Examples of architecture constraint violations  73
4.4 Architecture static correctness validation in VerCors  75
5.1 An example of a primitive component  82
5.2 pNet for the PrimExample component from Figure 5.1  83
5.3 Graphical representation of the behaviour of the Body  88
5.4 pLTSs for the Future Proxies

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    251 Page