Verification Finite-state process modeling and reachability analysis

Similar documents
Lecture 2: Modeling Introduction

Concurrent Execution

CSCI 5828: Foundations of Software Engineering

CSCI 5828: Foundations of Software Engineering

Processes & Threads. Concepts: processes - units of sequential execution.

CSCI 5828: Foundations of Software Engineering

Chapter 2. Processes & Threads. Concurrency: processes & threads 1. Magee/Kramer

Concurrent processes. Processes and Threads. Processes and threads. Going back to Concurrency. Modelling Processes. Modeling processes

Communications Software Engineering Analysis Model

Concurrent processes. Processes and Threads. A question asked by your friend. Warm-up exercises at beginning of Lecture 3. My question for you

LTSA User Manual.

Introduction to modelling in FSP (Finite State Processes) and its application for analysis of Java Mutex problems

Chapter 9. Labelled Transition Systems. System Composition. specifications. implementations.

CONCURRENT PROGRAMMING - EXAM

2. Concurrency and Java

Answer the first question and two further questions. i. action prefix ( -> ) [3 marks]

[module 2.2] MODELING CONCURRENT PROGRAM EXECUTION

Interaction Testing. Chapter 15

FSP Language Specification

Interaction Testing! Chapter 15!!

Concurrent Execution

THE QUEEN S UNIVERSITY OF BELFAST

Unit 8: Recursion. Dave Abel. April 6th, 2016

Concurrency. State Models and Java Programs. Jeff Magee and Jeff Kramer. Concurrency: introduction 1. Magee/Kramer

Monitors & Condition Synchronization

Concurrency: State Models & Design Patterns

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

CSCI 5828: Foundations of Software Engineering

(Refer Slide Time: 0:19)

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

T Reactive Systems: Kripke Structures and Automata

Validating Distributed Object and Component Designs

Concurrency: State Models & Design Patterns

Model checking and timed CTL

Formal Methods in Software Engineering. Lecture 07

Formal modelling and verification in UPPAAL

Distributed Systems Programming (F21DS1) Formal Verification

Operating Systems 2010/2011

TIETS14 Introduction to Formal Specification

Timo Latvala. January 28, 2004

APPENDIX M INTRODUCTION TO THE UML

Composability Test of BOM based models using Petri Nets

Design and Analysis of Distributed Interacting Systems

Handout 9: Imperative Programs and State

Chapter 4. Capturing the Requirements. 4th Edition. Shari L. Pfleeger Joanne M. Atlee

Lecture 10: Introduction to Semaphores

OMG Modeling Glossary B

Petri Nets ~------~ R-ES-O---N-A-N-C-E-I--se-p-te-m--be-r Applications.

Cyber Physical System Verification with SAL

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

COMP 763. Eugene Syriani. Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science. McGill University

Verification of Bakery algorithm variants for two processes

Introduction to Linear-Time Temporal Logic. CSE 814 Introduction to LTL

VALIDATION LED DEVELOPMENT OF OBJECT-ORIENTED SOFTWARE USING A MODEL VERIFIER

Final Exam -- ELG 7187C

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols

Unit 8: Recursion. Dave Abel. April 8th, 2016

Received: 16 October 2017; Accepted: 9 January 2018; Published: 12 January 2018

Model checking Timber program. Paweł Pietrzak

Operational Semantics 1 / 13

COS 598D: PATTERNS IN NETWORK ARCHITECTURE

DISCRETE-event dynamic systems (DEDS) are dynamic

The UPPAAL Model Checker. Julián Proenza Systems, Robotics and Vision Group. UIB. SPAIN

Areas related to SW verif. Trends in Software Validation. Your Expertise. Research Trends High level. Research Trends - Ex 2. Research Trends Ex 1

Concurrent Models of Computation

MAPPING THE IMPACT OF REQUIREMENT CHANGES USING LABELLED TRANSITION SYSTEM FOR REQUIREMENT CHANGE (LTS-RC)

Thread Synchronization: Too Much Milk

The SPIN Model Checker

Taibah University College of Computer Science & Engineering Course Title: Discrete Mathematics Code: CS 103. Chapter 2. Sets

Resource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems

Fully Automatic and Precise Detection of Thread Safety Violations

SOFTWARE ENGINEERING Prof.N.L.Sarda Computer Science & Engineering IIT Bombay. Lecture #10 Process Modelling DFD, Function Decomp (Part 2)

A Theory of Parallel Computation The π-calculus

Composition of State Machines

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

want turn==me wait req2==0

CS2 Language Processing note 3

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Software Engineering using Formal Methods

Parallel Programming Concepts. Theory of Concurrency - Multicomputer. Peter Tröger

Lightweight formal analysis of Web service flows

Formal Specification and Verification

introduction to Programming in C Department of Computer Science and Engineering Lecture No. #40 Recursion Linear Recursion

To illustrate what is intended the following are three write ups by students. Diagonalization

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Safety & Liveness Properties

STABILITY AND PARADOX IN ALGORITHMIC LOGIC

Programming Languages Third Edition

Software Engineering using Formal Methods

EE249 Discussion Petri Nets: Properties, Analysis and Applications - T. Murata. Chang-Ching Wu 10/9/2007

Introduction to Cryptology. Lecture 2

Slides for Faculty Oxford University Press All rights reserved.

Undefined, Unspecified, Non-deterministic, and Implementation Defined Behavior in Verifiable Specs. Clifford Wolf Symbiotic EDA

Observable Behaviour Observable behaviour can be defined in terms of experimentation.

On the construction of convergent transfer subgraphs in general labeled directed graphs

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

COMP30112: Concurrency Topics 5.2: Properties

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

A Semantics to Generate the Context-sensitive Synchronized Control-Flow Graph (extended)

Timed Automata: Semantics, Algorithms and Tools

Transcription:

Verification Finite-state process modeling and reachability analysis Topics: Finite-state process modeling Verification through interactive simulation Concurrent composition of processes Verification through (exhaustive) reachability analysis Recall Difficult to verify non-deterministic process New kinds of errors, which may not manifest when exercising traces E.g., concurrent system with multiple threads accessing shared data Non-deterministic execution ordering can mean a test that passes during one trial will fail during another Need to verify process behavior of a system often dominates other design concerns Terminology Verifying operational specs Labeled Transition System Finite State Process Parallel Composition (or just composition) Several techniques available: Interactive simulation Tools that allow designer to execute the spec Good for checking that specific traces are supported May demonstrate failures (e.g., deadlocks, refusals) Reachability analysis Use graph-theoretic algorithms to answer questions about a spec E.g., is a bad state reachable from state? Temporal-logic model checking FSP and LTSA Finite State Processes (FSP) Textual language for expressing behavior of processes in terms of actions, synchronization, and algebraic combining operators Based on CSP Variables limited to finite domains Labeled Transition System Analyzer Performs efficient reachability analysis Specifications written in the FSP language Quick introduction to FSP Two kinds of entities: processes: correspond to states in a state diagram always written using capital letters actions: correspond to events in a state diagram always written beginning with a lower-case letter Predefined process STOP: a.k.a., deadlock the process that can engage in no action whatsoever 1

Action prefixing Programmers may define a new FSP process by prefixing an existing process with some action Formally: If x is an action and P a process then (x-> P) describes a process that initially engages in the action x and then behaves exactly as described by P. s: ONESHOT = once STOP. is the process that can engage in the action once and then continue to behave as the process STOP Prefixing and recursion To specify repetitive behavior, use recursion: SWITCH = OFF, OFF = (on ON), ON = (off OFF). Alternatively: SWITCH = (on off SWITCH). Choice in FSP FSP also allows the specification of choice More formally: If x and y are actions then (x P y Q) describes a process which initially engages in either of the actions x or y. After the first action has occurred, the subsequent behavior is described by P if the first action was x and Q if the first action was y. : SLOT = (nickel SLOT dime SLOT). FSP specification of vending machine VM = START, START = ( -> TWENTYFIVECENTS ), TWENTYFIVECENTS = ( -> FIFTYCENTS -> START ), FIFTYCENTS = ( -> START -> TWENTYFIVECENTS ). Using LTSA to simulate spec The LTSA tool provides a graphical interface for: interactively simulating an FSP spec displaying the LTS denoted by the spec << [VM.FSP] >> Guarded actions Actions may also be guarded with conditions More formally: The choice (when B x P y Q) means that when the guard B is true then the actions x and y are both eligible to be chosen, otherwise if B is false then the action x cannot be chosen. : COUNT (N=3) = COUNT[0], COUNT[i:0..N] = ( when(i<n) inc COUNT[i+1] when(i>0) dec COUNT[i-1] ). 2

Alternative spec of vending machine Concurrent composition VM(N=2) = MACHINE[0], MACHINE[i:0..N] = ( when (i < 2) -> MACHINE[i+1] when (i > 0) -> MACHINE[i-1] when (i > 1) -> MACHINE[i-2] ). << : [VM2.FSP] >> New processes may be defined by concurrently executing other processes More formally: If P and Q are processes then (P Q) represents the concurrent execution of P and Q. The operator is the parallel composition operator. : ITCH = (scratch STOP). CONVERSE = (think talk STOP). CONVERSE_ITCH = (ITCH CONVERSE). Shared actions of shared actions If processes in a composition have actions in common, these actions are said to be shared. Shared actions are the way that process interaction is modeled. While unshared actions may be arbitrarily interleaved, a shared action must be executed at the same time by all processes that participate in the shared action. Consider a system that independently models resource production and use MAKER = (make ready MAKER). USER = (ready use USER). MAKER_USER = (MAKER USER). What are some traces of MAKER_USER? Modeling handshaking protocols Handshake is an action acknowledged by others MAKERv2 = (make ready used MAKERv2). USERv2 = (ready use used USERv2). MAKER_USERv2 = (MAKERv2 USERv2). Notice how interaction constrains the behavior What are some traces of MAKER_USERv2? <,> 3

<,> <,> <,> <,> <,> <,> <,> <,> <,> <,> <,> <,> <,> <,> <,> <,> 4

Composition using LTSA << [DetComposition.FSP] >> Restricting to a set of traces Composition can also be used to restrict a rich specification to a smaller set of traces <,> <,> <,> <,> <,> <,> <,> 5

<,> <,> <,> <,> <,> <,> <,> <,> <,> <,> <,> <,> Question Question What would you expect to happen when we compose the non-deterministic vending machine with the scenario? What would you expect to happen when we compose the non-deterministic vending machine with the scenario? If this were a more complex specification, how would you know when you have sufficiently simulated the spec to guarantee that it would not deadlock? 6

C1 C2 C1 C2 <,> <,> <,> C1 C2 C1 C2 <,> <,> <,> <,> <C1,> C1 C2 C1 C2 <,> <,> <C1,> <,> <,> <C1,> <C2,> <C2,> Deadlock!!! 7

C1 C2 C1 C2 <,> <,> <C1,> <,> <,> <C1,> ERROR ERROR C1 C2 C1 C2 <,> <,> <C1,> <,> <,> <C1,> ERROR ERROR Reachability of ERROR state The composed state diagram tells us something about how the system supports the given trace Using LTSA to detect deadlock << [NonDetComposition.FSP] >> If ERROR is reachable, then it is possible for the system to deadlock on this trace! Thus, composing the processes and checking for the possibility of deadlock provides more certainty than does simulation 8

Reachability analysis Technique for reasoning about operational specifications Treats specification as a directed graph Analyzes the graph to determine: whether certain desired (or undesired) nodes are reachable from the node whether certain actions or sequences of actions are enabled infinitely often ---ie., that the system never gets into a state where it can deny them Useful for proving properties of an operational spec E.g., does spec S support trace t? E.g., might a system that implements spec S deadlock? Multi-party synchronization MAKE_A = (makea->ready->used->make_a). MAKE_B = (makeb->ready->used->make_b). ASSEMBLE = (ready->assemble->used- >ASSEMBLE). FACTORY = (MAKE_A MAKE_B ASSEMBLE). 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback