Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verifying Properties of Process Definitions Jamieson M. Cobleigh, Lori A. Clarke, and Leon J. Osterweil Laboratory for Advanced Software Engineering Research.

Similar presentations


Presentation on theme: "Verifying Properties of Process Definitions Jamieson M. Cobleigh, Lori A. Clarke, and Leon J. Osterweil Laboratory for Advanced Software Engineering Research."— Presentation transcript:

1 Verifying Properties of Process Definitions Jamieson M. Cobleigh, Lori A. Clarke, and Leon J. Osterweil Laboratory for Advanced Software Engineering Research University of Massachusetts Amherst Thanks to Aaron Cass, Sandy Wise, and Hyungwon Lee

2 Outline Process Example Process Analysis of the Process Conclusions

3 What is a Process? Complex Task Resources Artifacts Agents Examples: Design Configuration Management e-commerce

4 Example: An Auction Need to coordinate bidders and auctioneer These may be distributed over a network May be human users or computer programs Want an process definition that describes how to conduct an auction

5 A process definition language Graphical language Has rigorous formal semantics specified Supports Concurrency Resource Management Exceptions Choice steps to give humans users flexibility Pre- and post-requisites

6 Little-JIL Step Step Name Interface Resources Used Exceptions Thrown Parameters Pre-requisite Post-requisite Exception Handling Control Flow Substep Sequencing

7 Accept One Bid Submit Bid BidIsHigher Accept Bids From Bidder Update Best Bid BidIsBetter Sequencing Badges : Sequential Parallel Choice Try Open-Cry Auction AuctionNotClosed Accept One Bid Accept Bids From Bidder Close Auction

8 NoMoreBidders AuctionClosed Accept One Bid Submit Bid BidIsHigher Accept Bids From Bidder Update Best Bid BidIsBetter Sequencing Badges : Sequential Parallel Choice Try Open-Cry Auction AuctionNotClosed Accept One Bid Accept Bids From Bidder Exception Badges: Rethrow Continue Complete Restart NoMoreBidders AuctionClosed BidNotHigher BidNotBetter DeadlineExpired Close Auction

9 Modeling Processes This process is intuitively easy to understand However, it still has complicated control structures These constructs can mask erroneous behavior Even high-level process definitions need to be validated

10 Auction Concerns Are late bids considered? Does the highest bidder win the auction? Is the auction vulnerable to fraud?

11 FLow Analysis for VERification of Systems Can verify concurrent and sequential software Uses an efficient state propagation algorithm Worst case bounds: O(N 2 ·S) Relatively language independent: Ada, Java, C++, Jovial Can incrementally add information to the analysis to improve precision

12 FLAVERS Overview Property Specification Software Software Translator TFG State Propagation Property Translator Property FSA Constraint FSA... Results s Little-JIL Human Translator

13 FLAVERS Model A Trace Flow Graph (TFG) Derived from labeled Control Flow Graphs (CFG) Labels represent events of interest Need CFG models for Little-JIL constructs

14 Leaf Step Model

15 A Choice Step Do B Choice Do ADo C Do ADo CDo B A Completed Do BDo C Choice A Terminated Choice Completed … … … …

16 Choice Step Model

17 Properties Checked No Late Bids Accepted Checked on the Open-Cry Auction Inconclusive Results Several process experts studied the example in detail without noticing the fault Need to add an “AuctionNotClosed” prerequisite to “Update Best Bid”

18 Race Condition Property Another property involved data flow There is a variable best that keeps track of the best bid seen so far Can be used by multiple steps concurrently Want to ensure there is no race condition

19 Race Condition Can Exist Determined a race condition can exist Auctioneer could be considering two bids at the same time Two updates to best occur The final value of best depends on the order of the updates

20 No Race Condition Need to ensure proper access to variable best Requires knowledge of agent behavior Proved that if no access control, a race condition can occur Proved that with a lock on best, no race condition can occur

21 Analysis Results The Little-JIL program had 8 steps

22 Conclusions Process models have strengths and weaknesses Leads to intuitive understanding Can mislead people into believing they understand the process Our example illustrates how important it it to validate processes FLAVERS successfully analyzed the Little-JIL process There is a tension between expressiveness and analyzability Humans require flexibility, leading to more complex analysis


Download ppt "Verifying Properties of Process Definitions Jamieson M. Cobleigh, Lori A. Clarke, and Leon J. Osterweil Laboratory for Advanced Software Engineering Research."

Similar presentations


Ads by Google