Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal Methods for Software Engineering Part II: Modelling & Analysis of System Behaviour.

Published byBrook Morgan Modified over 8 years ago

Similar presentations

Presentation on theme: "Formal Methods for Software Engineering Part II: Modelling & Analysis of System Behaviour."— Presentation transcript:

1 Formal Methods for Software Engineering Part II: Modelling & Analysis of System Behaviour

2 Ed BrinksmaFMSE, Lecture 4 Contents Part I In Part I we used Z as a formalism to model the static aspects of software systems, i.e. ndefinition of system states & data structures ndefinition of operations & preconditions The tool Z-Eves was used for specification support and analysis.

3 Ed BrinksmaFMSE, Lecture 4 Contents Part II In this part we introduce FSP as a formalism to model the dynamic aspects of software systems, i.e. ndefinition of system behaviour (control flow) ndefinition of control distribution (concurrency) We introduce the tool LTSA for modelling support and analysis.

4 Ed BrinksmaFMSE, Lecture 4 FSP and LTS Models are described using state machines, known as Labelled Transition Systems. These are described textually as Finite State Processes and displayed and analysed by the LTSA analysis tool.  LTS - graphical form  FSP - algebraic form

5 Ed BrinksmaFMSE, Lecture 4 LTS: a definition A labelled transition system T consists of the following ingredients: 1. a set S of states 2. a set L of actions 3. a set -> of transitions of the form s-a->t with s,t  S and a  L or a=tau 4. an initial state s 0  S We also write T=(S,L,->, s 0 ).

6 Ed BrinksmaFMSE, Lecture 4 Modelling Processes A process is modelled as a finite LTS which transits from state to state by executing a sequence of atomic actions. a light switch LTS on  off  on  off  on  off  … a sequence of actions or trace on 01 off

7 Ed BrinksmaFMSE, Lecture 4 A Simple Transmission Protocol SENDER = (in -> send -> getack -> SENDER). insend getack 012 recout ack 012 RECEIVER = (rec -> out -> ack -> RECEIVER). get put 01 BUFFER = (get -> put -> BUFFER).

8 Ed BrinksmaFMSE, Lecture 4 Composing the System ||MEDIUM = (a:BUFFER||b:BUFFER) /{send/a.get,rec/a.put,ack/b.get,getack/b.put}. ||SYSTEM = (SENDER || MEDIUM ||RECEIVER). Sender Receiver Buffer 1 Buffer 2 in send rec out ack getack Medium

9 Ed BrinksmaFMSE, Lecture 4 The System Behaviour insendrecoutack getack 012345 u parallel composition with synchronized communication u equivalent single process can be calculated (with LTSA)

10 Ed BrinksmaFMSE, Lecture 4 Observable Behaviour Observable behaviour abstracts away from internal system actions. Sender Receiver in send rec out ack getack Medium ||SYSTEM = (SENDER||MEDIUM||RECEIVER).

11 Ed BrinksmaFMSE, Lecture 4 Observable Behaviour Observable behaviour abstracts away from internal system actions. Sender Receiver in out Medium ||SYSTEM = (SENDER||MEDIUM||RECEIVER)@{in,out}. System

12 Ed BrinksmaFMSE, Lecture 4 Observable Behaviour Observable behaviour abstracts away from internal system actions. ||SYSTEM = (SENDER||MEDIUM||RECEIVER)@{in,out}. intau outtau 012345 tau denotes internal action

13 Ed BrinksmaFMSE, Lecture 4 Observable Behaviour Observable behaviour abstracts away from internal system actions. minimise SYSTEM in out 01 Same LTS as: SYS=(in->out->SYS).

14 Ed BrinksmaFMSE, Lecture 4 Behavioural Equivalence In what sense is the minimized process SYS comparable to SYSTEM@{in,out}? When can we identify system states?

15 Ed BrinksmaFMSE, Lecture 4 Bisimulation Idea: identify states that - can imitate each other’s observable steps leading to - states that again can be identified An observable step consists of either - observing nothing, or - observing a non-internal action

16 Ed BrinksmaFMSE, Lecture 4 Example intau outtau 012345

17 Ed BrinksmaFMSE, Lecture 4 Observable Steps lObserving nothing: s==>t: s=t or s-tau->…-tau->t i.e. s reaches t by doing nothing, or by executing internal actions only. lObserving non-internal action: s=a=>t: s==>s’-a->t’==>t for some s’,t’ i.e. s reaches t by doing a, possibly preceeded or followed by some internal actions

18 Ed BrinksmaFMSE, Lecture 4 Examples atau b cb 0123 0==>0, 0=a=>1, 0=a=>2 1==>1, 1==>2, 1=b=>3, 1=c=>2 2==>2, 2=c=>2 3==>3, 3=b=>3

19 Ed BrinksmaFMSE, Lecture 4 Weak Bisimulation Relations Let R be a relation between states,then R is a weak bisimulation relation iff for all (s,t)  R and all observable actions a: - if for some s’: s==>s’ then for some t’: t==>t’ such that (s’,t’)  R - if for some s’: s=a=>s’ then for some t’: t=a=>t’ such that (s’,t’)  R - if for some t’: t==>t’ then for some s’: s==>s’ such that (s’,t’)  R - if for some t’: t=a=>t’ then for some s’: s=a=>s’ such that (s’,t’)  R

20 Ed BrinksmaFMSE, Lecture 4 Equivalent Transition Systems Two transition systems T and U are observably equivalent iff there is a weak bisimulation relation R with (t 0,u 0 )  R with t 0 and u 0 their respective initial states.

21 Ed BrinksmaFMSE, Lecture 4 Example c T a a c tau b cb S a b b c

22 Ed BrinksmaFMSE, Lecture 4 Negative Example ab c bc 0123 a a b c bc 01 2 34 ?

23 Ed BrinksmaFMSE, Lecture 4 Traces Again Let T=(S,L,->,s 0 ) be a labelled transition system. nTraces(T) is the set of strings a 1 …a n  L* such that there is an s  L with s 0 =a 1 =>…=a n =>s nTwo LTSs T and U are trace equivalent iff Traces(T)=Traces(U)

24 Ed BrinksmaFMSE, Lecture 4 Example atau b cb 0123 Traces:  (empty trace), a,ab,abb,abbb,abbbb,… a,ac,acc,accc,acccc,…

25 Ed BrinksmaFMSE, Lecture 4 (Non)determinism An LTS T=(S,L,->,s 0 ) is deterministic iff for every trace  of T there is a unique state s  S with s 0 =  =>s. ab c bc 0123 a a b c bc 01 2 34 deterministic nondeterministic 0=a=>1 and 0=a=>2 Trace sets are identical!

26 Ed BrinksmaFMSE, Lecture 4 FACTS Let T and U be LTSs. nIf T and U are observation equivalent then T and U are trace equivalent. nIf T and U are trace equivalent then T and U generally are not observation equivalent. nIf T and U are deterministic then they are trace equivalent iff they are observation equivalent. Do we need nondeterministic processes?

27 Ed BrinksmaFMSE, Lecture 4 Nondeterminism What happens with our protocol if a Buffer can lose data? BUFFER = (get -> put -> BUFFER |get -> BUFFER). nondeterminism Compiled: SENDER Compiled: BUFFER Compiled: RECEIVER Composition: SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVER State Space: 3 * 2 * 2 * 3 = 36 Composing potential DEADLOCK States Composed: 7 Transitions: 8 in 0ms SYSTEM minimising.... Minimised States: 5 in 60ms in tau out tau 01234 Deadlock state

28 Ed BrinksmaFMSE, Lecture 4 Revision 1 Keep sending until a getack is received SENDER = (in -> send -> WAIT), WAIT = (getack -> SENDER |send -> WAIT). Keep sending ack s until a rec is received RECEIVER = (rec -> OUT), OUT = (out -> ack -> WAIT), WAIT = (rec -> OUT |ack -> WAIT).

29 Ed BrinksmaFMSE, Lecture 4 Analysis Compiled: SENDER Compiled: BUFFER Compiled: RECEIVER Composition: SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVER State Space: 3 * 2 * 2 * 4 = 48 Composing States Composed: 34 Transitions: 57 in 50ms SYSTEM minimising..... Minimised States: 17 in 110ms This cannot be equivalent to the 2-state Sys process with Sys=(in->out->Sys). Reason: There is no difference between send actions that are repeated and those related to a new in action.

30 Ed BrinksmaFMSE, Lecture 4 Revision 2 Alternating Bit Protocol: send along a bit that is flipped to distinguish old and new data and acknowledgements. range B= 0..1 SENDER = (in -> SENDING[0]), SENDING[b:B] = (send[b] -> SENDING[b] |getack[1-b] -> SENDING[b] |getack[b] -> in -> SENDING[1-b]). RECEIVER = (rec[0] -> out -> ACKING[0]), ACKING[b:B] = (ack[b] -> ACKING[b] |rec[b] -> ACKING[b] |rec[1-b] -> out -> ACKING[1-b]). BUFFER = (get[b:B] -> put[b] -> BUFFER |get[b:B] -> BUFFER). ||MEDIUM = (a:BUFFER || b:BUFFER) /{send/a.get,rec/a.put,ack/b.get,getack/b.put}. ||SYSTEM = (SENDER || MEDIUM || RECEIVER)@{in,out}.

31 Ed BrinksmaFMSE, Lecture 4 Does It Work? Composition: SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVER State Space: 5 * 3 * 3 * 6 = 270 Composing States Composed: 45 Transitions: 86 in 0ms intau out tau in tau out tau in tau outtau in tau intau out tau out tau out tau out tau in tau intau out 01234567891011121314151617181920212223242526272829303132333435363738394041424344

32 Ed BrinksmaFMSE, Lecture 4 Minimization in out 01 The Alternating Bit system (service) is observational equivalent with a 1-place buffer

33 Ed BrinksmaFMSE, Lecture 4 Summary lDynamic system behaviour can be modelled by LTS/FSP specifications lLTS/FSP models can composed and analysed using the LTSA tool lLTS/FSP models can be minimized to observational equivalent behaviours using bisimulations lNondeterminism is an essential modelling feature for system behaviours

Download ppt "Formal Methods for Software Engineering Part II: Modelling & Analysis of System Behaviour."

Similar presentations

Recognising Languages We will tackle the problem of defining languages by considering how we could recognise them. Problem: Is there a method of recognising.

Recognising Languages We will tackle the problem of defining languages by considering how we could recognise them. Problem: Is there a method of recognising.
Recognising Languages We will tackle the problem of defining languages by considering how we could recognise them. Problem: Is there a method of recognising.

Recognising Languages We will tackle the problem of defining languages by considering how we could recognise them. Problem: Is there a method of recognising.
Theory of Computing Lecture 23 MAS 714 Hartmut Klauck.

Theory of Computing Lecture 23 MAS 714 Hartmut Klauck.
Formal Methods for Software Engineering Lecture 5, Part II: FSP.

Formal Methods for Software Engineering Lecture 5, Part II: FSP.
Theory Of Automata By Dr. MM Alam

Theory Of Automata By Dr. MM Alam
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Concurrency: introduction1 ©Magee/Kramer 2 nd Edition Concurrency State Models and Java Programs Jeff Magee and Jeff Kramer.

Concurrency: introduction1 ©Magee/Kramer 2 nd Edition Concurrency State Models and Java Programs Jeff Magee and Jeff Kramer.
CSC321 §6 Modelling Processes using FSP 1 Section 6 Modelling Processes using FSP.

CSC321 §6 Modelling Processes using FSP 1 Section 6 Modelling Processes using FSP.
Process Algebra (2IF45) Probabilistic Process Algebra Suzana Andova.

Process Algebra (2IF45) Probabilistic Process Algebra Suzana Andova.
Process Algebra (2IF45) Probabilistic Process Algebra Suzana Andova.

Process Algebra (2IF45) Probabilistic Process Algebra Suzana Andova.
Introduction to Computability Theory

Introduction to Computability Theory
1 Introduction to Computability Theory Lecture2: Non Deterministic Finite Automata Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture2: Non Deterministic Finite Automata Prof. Amos Israeli.
A testing scenario for probabilistic automata Marielle Stoelinga UC Santa Cruz Frits Vaandrager University of Nijmegen.

A testing scenario for probabilistic automata Marielle Stoelinga UC Santa Cruz Frits Vaandrager University of Nijmegen.
1 The SOCK SAGA Ivan Lanese Computer Science Department University of Bologna Italy Joint work with Gianluigi Zavattaro.

1 The SOCK SAGA Ivan Lanese Computer Science Department University of Bologna Italy Joint work with Gianluigi Zavattaro.
An Introduction to Input/Output Automata Qihua Wang.

An Introduction to Input/Output Automata Qihua Wang.
Introduction to the Theory of Computation John Paxton Montana State University Summer 2003.

Introduction to the Theory of Computation John Paxton Montana State University Summer 2003.
Semantics of LOTOS Answering the question: Which processes are equivalent? Basic LOTOS: ignore ! and ?...pure synchronization Dining philosophers example:

Semantics of LOTOS Answering the question: Which processes are equivalent? Basic LOTOS: ignore ! and ?...pure synchronization Dining philosophers example:
Bridging the gap between Interaction- and Process-Oriented Choreographies Talk by Ivan Lanese Joint work with Claudio Guidi, Fabrizio Montesi and Gianluigi.

Bridging the gap between Interaction- and Process-Oriented Choreographies Talk by Ivan Lanese Joint work with Claudio Guidi, Fabrizio Montesi and Gianluigi.
Software Engineering, COMP201 Slide 1 Protocol Engineering Protocol Specification using CFSM model Lecture 30.

Software Engineering, COMP201 Slide 1 Protocol Engineering Protocol Specification using CFSM model Lecture 30.
Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.

Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.

Similar presentations

Ads by Google