Presentation is loading. Please wait.

Presentation is loading. Please wait.

On the Formal Specification of Automata- based Programs via Specification Patterns Spring/Summer Young Researchers' Colloquium on Software Engineering.

Published byGyles Stanley Modified over 8 years ago

Similar presentations

Presentation on theme: "On the Formal Specification of Automata- based Programs via Specification Patterns Spring/Summer Young Researchers' Colloquium on Software Engineering."— Presentation transcript:

1 On the Formal Specification of Automata- based Programs via Specification Patterns Spring/Summer Young Researchers' Colloquium on Software Engineering 2010, Nizhny Novgorod Andrey Klebanov, SPb SU ITMO supervised by Oleg Stepanov, PhD, SPb SU ITMO and JetBrains

2 2 On the Formal Specification of Automata-based Programs via Specification Patterns Agenda Automata-based programming (AP) Obstacles in formal specification Spec patterns (SP) SP applicability analysis for AP Specification process Conclusion

3 3 On the Formal Specification of Automata-based Programs via Specification Patterns Automata-based programming (AP) AP is not about using FSMs for specific problems AP is a software development paradigm used to design and implement entities with complex behaviour

4 4 On the Formal Specification of Automata-based Programs via Specification Patterns Automated controlled entity

5 5 On the Formal Specification of Automata-based Programs via Specification Patterns Automata-based programming book http://is.ifmo.ru/books/

6 6 On the Formal Specification of Automata-based Programs via Specification Patterns Agenda Automata-based programming Obstacles in formal specification Spec patterns SP applicability analysis for AP Specification process Conclusion

7 7 On the Formal Specification of Automata-based Programs via Specification Patterns Problem overview Model checking could be successfully applied to automata-based programs But defining formal specification as a temporal logic formula is an error-prone and time-consuming task Hard to understand Hard to specify correctly

8 8 On the Formal Specification of Automata-based Programs via Specification Patterns Example of the problem Between the time an elevator is called at a floor and the time it opens its doors at that floor, the elevator can arrive at that floor at most twice []((call & <>open) -> ((!atfloor & !open) U (open | ((atfloor & !open) U (open | ((!atfloor & !open) U (open | ((atfloor & !open) U (open | (!atfloor U open)))))))))) M.B. Dwyer, G.S. Avrunin, J.C. Corbett, “Patterns in Property Specifications for Finite-state Verification,” Proc. 21st Int’l. Conf. Software Engineering. 1999

9 9 On the Formal Specification of Automata-based Programs via Specification Patterns Existing solutions (non AP) Different graphical notations: Helps to understand, but still useless for specification assistance!

10 10 On the Formal Specification of Automata-based Programs via Specification Patterns Existing solution (AP) Contracts: Pros: Simple Cons: Limited expressive power Labour-intensive for state groups A. Borisenko, P. Fedotov, O. Stepanov, A. Shalyto, “Reliable Software with Complex Behavior Development,” Proc. 5th Central and Eastern European Software Engineering Conf. in Russia. 2009

11 11 On the Formal Specification of Automata-based Programs via Specification Patterns Suggested solution Express verifiable requirements in a controlled natural language

12 12 On the Formal Specification of Automata-based Programs via Specification Patterns Solution details The language is defined by a formal grammar No need in NLP Customizable for different domains The grammar is based on the set of specification patterns (SP) For each requirement equivalent verifiable formal mapping exists

13 13 On the Formal Specification of Automata-based Programs via Specification Patterns Significance of SP in AP … it is important to consider temporal properties patterns (structures) which are most suitable and appropriate for automata- based programs verification. Existence of such patterns would allow focusing on classes of temporal properties of automata models which definitely would facilitate flow chart development for automata-based programs verification K.A. Vasileva, E.V. Kuzmin, “LTL Verification of Automaton Programs,” Modeling and Analysis of Information Systems, vol. 14, no. 1, pp. 3–14, 2007. (in Russian)

14 14 On the Formal Specification of Automata-based Programs via Specification Patterns Agenda Automata-based programming Obstacles in formal specification Spec patterns SP applicability analysis for AP Specification process Conclusion

15 15 On the Formal Specification of Automata-based Programs via Specification Patterns Spec patterns SP is a generalized description (both formal and in natural language) of a commonly occurring requirement on a permissible state sequences in a finite-state model of a system Formally describes some aspect of a system’s behaviour M.B. Dwyer, G.S. Avrunin, J.C. Corbett, “Patterns in Property Specifications for Finite-state Verification,” Proc. 21st Int’l. Conf. Software Engineering. 1999.

16 16 On the Formal Specification of Automata-based Programs via Specification Patterns Spec patterns Property = SP + Scope

17 17 On the Formal Specification of Automata-based Programs via Specification Patterns Spec patterns Scope – an extent of the system execution over which the property should hold

18 18 On the Formal Specification of Automata-based Programs via Specification Patterns Spec patterns Globally Before Q After Q Between Q and R After Q until R State sequence Q R Q R Q Scope

19 19 On the Formal Specification of Automata-based Programs via Specification Patterns Spec patterns Property patterns Occurrence Order Absence Bounded existence Universality Existence Precedence Response Chain precedence Chain response

20 20 On the Formal Specification of Automata-based Programs via Specification Patterns “Absence” pattern IntentTo describe a portion of a system's execution that is free of certain events or states. Also known as “Never”. MappingLTLScopeMapping Globally [](!P) Before R <>R -> (!P U R) After Q [](Q -> [](!P)) Between Q and R []((Q & !R & <>R) -> (!P U R)) After Q until R [](Q & !R -> (!P W R)) CTLScopeMapping Globally AG(!P) …… After Q until R AG(Q & !R -> A[!P W R]) Example and known uses This pattern could be used to specify either entire model properties or state group properties. To specify a safety property the pattern should be used with a “Global” scope. For example when it’s required to specify a property: “Automaton A never gets into the state s.” Relationships with other patterns …

21 21 On the Formal Specification of Automata-based Programs via Specification Patterns Agenda Automata-based programming Obstacles in formal specification Spec patterns SP applicability analysis for AP Specification process Conclusion

22 22 On the Formal Specification of Automata-based Programs via Specification Patterns Applicability analysis SP were extracted from some spec (500+) for traditionally (non-AP) developed programs Is it worth using SP for AP formal specification? I.e. is it possible to express requirements for AP via SP?

23 23 On the Formal Specification of Automata-based Programs via Specification Patterns Intermediate results organization №RequirementOriginal formal mapping Pattern, Scope Source 1717If either heater of one of the valves failure has happened, then coffee machine (automaton A0) will mandatory change its state to the state 5. AG((y 31 = 4 | y 32 = 4 | y 2 = 4) & y 0 = 2 → A(y 0 = 2 U y 0 = 5))) Response (constrained), Globally AG(P → A(S)), P: (y 31 = 4 | y 32 = 4 | y 2 = 4) & y 0 = 2, S: y 0 = 2 U y 0 = 5 2

24 24 On the Formal Specification of Automata-based Programs via Specification Patterns Applicability analysis 77 requirements for 13 programs from 15 sources 87% could be expressed via 5 (out of 8) patterns NB: data is outdated (110+ requirements)

25 25 On the Formal Specification of Automata-based Programs via Specification Patterns Inexpressible properties Issues in the model? SP (“Absence” pattern) : [](Q & !R -> (!P W R)) Q: Resource is hold P: Resource is free R: Resource is released If the resource is hold, then it’s not free until it’s released. o1.x1 W o1.z1 & G (o1.z2 -> (o1.x1 W o1.z1) & o1.z1 -> (!o1.x1 W o1.z2))

26 26 On the Formal Specification of Automata-based Programs via Specification Patterns SP adaptation for AP Examples and Known Uses The most common example is mutual exclusion. In a state-based model, the scope would be global and P would be a state formula that is true if more than one process is in its critical section. Examples and Known Uses This pattern could be used to specify either entire model properties or state group properties. To specify a safety property the pattern should be used with a “Global” scope. For example when it’s required to specify a property: “Automaton A never gets into the state s.” Original example for the “Absence” pattern: Adapted example:

27 27 On the Formal Specification of Automata-based Programs via Specification Patterns Agenda Automata-based programming Problem overview Spec patterns SP applicability analysis for AP Specification process Conclusion

28 28 On the Formal Specification of Automata-based Programs via Specification Patterns Grammar (an extract) ::= ::= «For all the states holds that» | «Before the state where Q, holds that» | «After the state where Q, holds that» | «Between the states where Q and R, holds that» | «After the state where Q, before the state where R, holds that» ::= | | | | | | | … ::= «never P.» …… ::= «always if P, then eventually S.» …… is a start nonterminal symbol

29 29 On the Formal Specification of Automata-based Programs via Specification Patterns Specification process Informal algorithm: 1. Extract property (generally some simple model predicate) 2. Select pattern and scope 3. Perform derivation 4. Based on the step 1 and step 2 data get formal mapping for model checking

30 30 On the Formal Specification of Automata-based Programs via Specification Patterns Example (Original property) Coffee machine control system never gets into the state where it doesn’t respond to either system timer events, or buttons “OK” or “Cancel” E.V. Kuzmin, V.A. Sokolov, “Modeling, Specification, and Verification of Automaton Programs,” Programming and Computer Software, vol. 34, no. 1, pp. 38–60, 2008

31 31 On the Formal Specification of Automata-based Programs via Specification Patterns Example (Step 1) Coffee machine control system never gets to the state where it doesn’t respond to either system timer events, or buttons “OK” or “Cancel” act = end

32 32 On the Formal Specification of Automata-based Programs via Specification Patterns Example (Step 2) Adverb “never” implies using “Absence” pattern with “Global” scope

33 33 On the Formal Specification of Automata-based Programs via Specification Patterns Example (Step 3) → → For all the states holds → For all the states holds → For all the states holds that never P

34 34 On the Formal Specification of Automata-based Programs via Specification Patterns Example (Step 4) For all the states holds that never act = end Formal expressions for model checking are: AG(! act = end) and □(!act = end)

35 35 On the Formal Specification of Automata-based Programs via Specification Patterns Agenda Automata-based programming Obstacles in formal specification Spec patterns SP applicability analysis for AP Specification process Conclusion

36 36 On the Formal Specification of Automata-based Programs via Specification Patterns Summary Significant obstacle exists in formal specification SP facilitates specifying formal properties SP are applicable for AP, light adaption of the original system is required SP could be a basis of the grammar-driven specification process

37 37 On the Formal Specification of Automata-based Programs via Specification Patterns Open issues Theoretical side: Inexpressible properties analysis (also absent in the original SP paper) New patterns Practical side: Tool support and integration Wizard for the specification process

38 38 On the Formal Specification of Automata-based Programs via Specification Patterns Thank you! Andrey Klebanov SPb SU ITMO klebanov.andrey@gmail.com

Download ppt "On the Formal Specification of Automata- based Programs via Specification Patterns Spring/Summer Young Researchers' Colloquium on Software Engineering."

Similar presentations

Creation of Automaton Classes from Graphical Models and Automatic Solution for Inverse Problem Yuri A. Gubin student of SPb SU ITMO supervised by Anatoly.

Creation of Automaton Classes from Graphical Models and Automatic Solution for Inverse Problem Yuri A. Gubin student of SPb SU ITMO supervised by Anatoly.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
Towards a DecSerFlow mapping to SCIFF Federico Chesani, Paola Mello, Marco Montali, Sergio Storari.

Towards a DecSerFlow mapping to SCIFF Federico Chesani, Paola Mello, Marco Montali, Sergio Storari.
IT Requirements Capture Process. Motivation for this seminar Discovering system requirements is hard. Formally testing use case conformance is hard. We.

IT Requirements Capture Process. Motivation for this seminar Discovering system requirements is hard. Formally testing use case conformance is hard. We.
LASER From Natural Language Requirements to Rigorous Property Specifications Lori A. Clarke Work done in collaboration with Rachel L. Smith, George S.

LASER From Natural Language Requirements to Rigorous Property Specifications Lori A. Clarke Work done in collaboration with Rachel L. Smith, George S.
SPIN Verification System The Model Checker SPIN By Gerard J. Holzmann Comp 587 – 12/2/09 Eduardo Borjas – Omer Azmon ☐ ☐

SPIN Verification System The Model Checker SPIN By Gerard J. Holzmann Comp 587 – 12/2/09 Eduardo Borjas – Omer Azmon ☐ ☐
Visual Tools for Temporal Reasoning G. Kutty, L.K. Dillon, L.E. Moser, P.M. Melliar-Smith, and Y.S. Ramakrishna.

Visual Tools for Temporal Reasoning G. Kutty, L.K. Dillon, L.E. Moser, P.M. Melliar-Smith, and Y.S. Ramakrishna.
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.

Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.

CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
Temporal Specification Chris Patel Vinay Viswanathan.

Temporal Specification Chris Patel Vinay Viswanathan.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.

Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.
Review of the automata-theoretic approach to model-checking.

Review of the automata-theoretic approach to model-checking.

Similar presentations

Ads by Google