
Slide 1
Course Notes on Formal Methods for the Development of Distributed Real-Time Applications
Gregor v. Bochmann, School of Information Technology and Engineering, University of Ottawa, Canada
Copyright 1999, 2003, 2008 G.v. Bochmann

Chapter 3: System models based on communicating finite state machines
First version: Feb. 1999, revised 2000, 2003 and 2008

Slide 2: 1. Communicating finite state machines
The model of communicating finite state machines is like the model of IOA, except that communication is asynchronous:
–each machine has an input queue, and the output interactions produced by one machine are placed into the input queues of the destination machines before they are taken as input by a transition of the receiving machine. Generally, the queues are of unlimited length and have FIFO discipline.
Notes:
–If a given state of a machine M1 has a self-loop producing an output o for another machine M2, there is no limit on the number of output messages that may be placed in the input queue of M2 before they are processed. In general, one does not assume any flow control on the number of messages that may be placed within a queue.
–However, for an implementation of the specified system, it is important to consider how such situations are handled, possibly by blocking the sending process when the corresponding input queue is full (one has to be careful, however, not to introduce deadlocks).

Slide 3: The Mealy FSM model
Formal definition of an FSM (Mealy machine): A = ⟨S, I, O, δ, s0⟩
 S : set of states
 I : set of inputs
 O : set of outputs
 δ : transition function, δ : S × I → S × O
δ can be decomposed into the following two parts:
–“nextstate” function δS : S × I → S
–output function δO : S × I → O
Note: In the so-called Moore machine, the output only depends on the state of the FSM.

Slide 4: Example: Resource written as an FSM
Resource = ⟨S, I, O, δ, Free⟩ where
 S = {Free, R, RR, W}
 I = {RReq, WReq, RRel, WRel}
 O = {yes, no, null}
and δ is represented by the following diagram.
[Transition diagram of the Resource FSM: states Free, R, RR, W; transition labels RReq/yes, WReq/yes, RRel/null, WRel/null, RReq/no, WReq/no]

Slide 5: Different representations of FSMs
transition diagrams (“normal” notation, or UML, or SDL, etc.)
transition tables
as a program:
  while true do
    case state of
      state1: case input of
        i1: begin state := δS(state1, i1); output(δO(state1, i1)) end;
        i2: begin state := ...; output(...) end;
        ...
      state2: case input of
        i1: begin state := ...; output(...) end;
        ...
in Z (exercise)
in the trace formalism of [Hoffman **]
–Note: The normal form traces provide a coverage of the states. If one takes a minimal coverage with the prefix property (each prefix of a normal trace is normal), one can write: T.i  if T  S0 then δS(S0, i) else if T  S0 ... and V(T.i) = if ...
as an abstract data type (exercise)

Slide 6: Partial definitions
Specifications of FSMs are often partial, that is, δ is not defined for all pairs (s, i). Different interpretations are possible:
–undefined behavior (assumption-guarantee semantics of IOAs): the behavior of the specified component is not defined when i is received in state s. This interpretation assumes that the environment will not generate this input when the component is in this state.
–blocking behavior (basic LTS semantics): the input in question is not accepted by the automaton (if the input comes from a queue, it remains in the queue; if the input is a rendezvous, the automaton blocks for this input; this is the semantics of Estelle). A variation of this is realized in SDL, where an input may be explicitly “SAVEd” in a given state, which means that it is blocked, but the next input in the queue may be considered.
–dropping the input: the input is consumed, and the automaton remains in the same state. This interpretation is made by SDL, but it has certain disadvantages.

Slide 7: Spontaneous transitions etc.
Sometimes, one allows for spontaneous transitions. These are transitions without any input, and possibly without output. Such a transition may be executed whenever the FSM is in the corresponding state.
–Note: Spontaneous transitions may introduce nondeterminism.
LTS representation of FSMs: Often Mealy FSMs are represented as LTS (or better as IOA), where each FSM transition is represented as two transitions (one input and one output transition) with some additional intermediate state.
–This allows more flexibility, e.g. a spontaneous output transition is a simple LTS transition, and some FSM transitions may not have any output.
–See the example on the next page (to be compared with the FSM Resource above).

Slide 8: Example: Resource (with "input" and "output" transitions)
Resource = ⟨S, I, O, δ, Free⟩ where
 S = {Free, R, RR, W, R*, RR*, W*, x1, x2, x3}
 I = {RReq, WReq, RRel, WRel}
 O = {yes, no, null}
and δ is represented by the following diagram.
[Transition diagram of the Resource LTS: states Free, R, RR, W, R*, RR*, W*, x1, x2, x3; input transitions labelled RReq, WReq, RRel, WRel and output transitions labelled yes, no]

Slide 9: Communicating FSMs
Important note: Mealy machines are not "compositional", that is, the composition of two Mealy machines is not necessarily a Mealy machine (because there may be infinite internal loops without producing an external output).
Several FSMs may be composed using different communication mechanisms:
–Enabling conditions depending on the state of another machine: A transition of one machine may be associated with an additional enabling condition which requires that another machine is in a particular state.
–Rendezvous interaction (also called "direct coupling"): Using the LTS representation for the FSMs, each output transition of one machine is jointly executed with a corresponding input transition of the machine that receives the output of the former.
–Message passing with queuing: There are two options
»Common queue: each machine has a "common" queue into which all outputs from other machines destined to the machine in question are placed (in first-come-first-served order). The machine takes the inputs for its transitions from the common queue.
»Similar, but with separate queues for different input sources.

Slide 10: Assumptions and guarantees
(Note: We take here the undefined-behavior interpretation of partial definitions, and use the LTS representation of FSMs)
Simple view:
–assumption: for each input in the execution trace, the specification has a defined transition
–guarantee: each output produced by the machine corresponds to a specified output transition
For the example M1 below: “input sequence of M1 of the form (c, d)*” implies “output sequence of M1 of the form (a, b)*”
[Diagram of M1: two states with transitions c / a and d / b]

Slide 11 (continued)
This simple interpretation is not quite satisfactory:
–Consider the example of two communicating FSMs M1 and M2 where initially the input queue of M2 contains the message a and the other queue is initially empty.
–The semantics of M1: “input sequence of M1 of the form (c, d)*” implies “output sequence of M1 of the form (a, b)*”
–The semantics of M2: “input sequence of M2 of the form (a, b)*” implies “output sequence of M2 of the form (c, d)*”
–The behavior of the composition is given by the conjunction of these two properties. However, no useful property can be derived, since the argumentation is circular.
[Diagram: M1 with transitions c / a and d / b, M2 with transitions a / d and b / c; messages a, b flow from M1 to M2 and c, d from M2 to M1]

Slide 12 (continued 2)
The solution to this problem is to consider the construction of the trace one interaction after the other. Instead of using the “implies” operator between assumption and guarantee, one uses the operator “implies guarantee for output” (sometimes written =>+) as follows:
–For each prefix of a (finite) execution trace, if the prefix satisfies the assumption and the following interaction is an output of the specified component, then it is guaranteed that this output satisfies the guarantee.
–Note: Nothing needs to be guaranteed for any input interaction.
–Note: One sees that the distinction between input and output is crucial. This observation is more general than the FSM model (see for instance [Misra and Chandy, 1980] and TLA [Abad 95]).

Slide 13 (continued 3)
We consider again the same example:
–Initially: Q12 = <a>, Q21 = <> and both machines are in their initial state 1.
–Consider any execution trace t. Because of the initialization, we can assume that the trace starts with “M2 inputs a”.
–The semantics of M2 then implies the guarantee for the output, namely that “M2 outputs d”. The FIFO properties of the queues imply that the next element of the trace must be “M1 inputs d”.
–The semantics of M1 then implies the guarantee for the output, namely that “M1 outputs b”. The FIFO properties of the queues imply that the next element of the trace must be “M2 inputs b”.
–Etc. for M2, etc. for M1, and we are back to the element of the trace “M2 inputs a” as at the beginning, with both machines in the same state. Therefore we can deduce by induction that the same behavior will repeat itself indefinitely.
[Diagram: M1 (states 1, 2) with transitions c / a and d / b, M2 (states 1, 2) with transitions a / d and b / c; messages a, b flow from M1 to M2 and c, d from M2 to M1]

Slide 14: 2. Reachability analysis for FSMs communicating with queues
A state of a system consisting of several FSMs that communicate through queues (we consider here separate queues for each pair of FSMs) can be represented by a square matrix which contains on the main diagonal the states of all the FSMs and in the other positions the contents of the queues, as shown in the following example:

        A      B      C
  A    S_A    Q_AB   Q_AC
  B    Q_BA   S_B    Q_BC
  C    Q_CA   Q_CB   S_C

Representation of a system state (Notation: S_X = state of subsystem X, Q_XY = queue from X to Y)

Slide 15 (continued): communicating FSMs
Notation: To avoid ambiguities, it is in general necessary to indicate what the other involved subsystem is: the source of an input, or the destination of an output. In certain languages, one can indicate communication channels or ports through which the messages pass.
–For instance, one could use the notation "-X to Y" to indicate an output X to the subsystem Y, and "+X from Y" for an input X from subsystem Y.
Example:
[Transition diagrams of System A (states P, Q, R) and System B (state Y); transition labels: -x to B, +y from B, +x from A, -y to A, i]

Slide 16 (continued): Reachability analysis for FSMs
In a given state of the global system, the following transitions are possible:
–For any pair of FSMs X and Y, if the queue Qxy is not empty, then Y can make a (local) transition consuming the message at the head of the queue (if such a transition is defined in the given state of Y; otherwise see below) and placing the output of the transition into the input queue of the appropriate destination FSM.
–For any FSM X, if X can perform a spontaneous transition in its present state, this transition may be performed.
Reachability analysis consists of exploring all accessible states of the global system.
–Note: A system of communicating FSMs is not necessarily finite. See for instance the example of the previous page, where the number of possible states is infinite (the length of the queue Q_BA may become infinite).
–Note: The method of reachability analysis may be extended to other kinds of transition systems if the enabling conditions and post-conditions are of a relatively simple form. This is the case for Petri nets, for example.
Example: See [Boch 78] for the analysis of the alternating bit protocol.

Slide 17: General properties for communicating FSMs
The following properties (independent of the particular system which is specified) are often considered desirable (see e.g. [Zafi 80]):
Absence of the following situations (considered “errors”):
–Deadlock (accessible state without any transition enabled): If all queues are empty, this is a “global deadlock”; it could be the desired final state. If one of the queues contains an input, but the receiving FSM does not have a transition to consume it, this falls under the category of “unspecified receptions” (see below). One calls a situation where certain FSMs are blocked forever, but other FSMs continue operating, a “local deadlock”.

Slide 18 (continued): General properties
–Unspecified reception: If a global state is accessible where one FSM receives a particular input in a state where no transition is specified for that input (the FSM is partially specified), this is called an “unspecified reception”. Depending on the interpretation of unspecified cases (see previous Chapter), one has one of the following cases (see above):
»undefined behavior: the definition of the FSM is incomplete in the context in which it is used; the unspecified reception is considered a design error.
»blocking behavior: there is no problem, however, the FSM in question is temporarily blocked until it receives another message over another input queue for which a transition is defined (this may lead to a new state in which the temporarily blocked input may be consumed). If the FSM remains blocked forever (which depends on the other FSMs in its environment), this is probably a design error.
– Note: In SDL, one may specify that a certain input is SAVEd in a given state, which means that this input cannot be consumed in this state; it remains in the common input queue until another input interaction leads the process into another state where the input is not SAVEd.
»dropping the input: this means that an implicit transition to the same state is defined; in fact, this is not really an unspecified reception. Note: This is the interpretation of SDL (for an input that is not SAVEd and has no defined transition).
–Non-executable transition: a transition of a given FSM is called “non-executable” if there is no reachable global state in which it could be taken. The system would behave identically if this transition were removed from the FSM (making it less defined).

Slide 19 (continued): General properties
Bounded queues: If the size of the queues in all reachable global states is bounded by some integer, then the number of reachable states is finite. Whether the queues are bounded for a given set of communicating FSMs is in general not decidable.
Self-stabilization: A system of communicating FSMs is called “self-stabilizing” if for all (arbitrary) initial states, the system will enter, after some finite time, the normal mode of operation. (An example is given in [Boch 78]; recent results in this area have been presented by Gouda.)
Stable states (called “adjoint states” in [Boch 78]): A state vector (representing the states of all FSMs) is called “stable” if for all reachable global states corresponding to this vector, all queues are empty.
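To make the exploration of slides 14 to 16 and the error situations of slides 17 to 19 concrete, here is a small reachability analyser in Python. It is an added example, not code from the course notes: the encoding of machines and queues, the function names and the two constructed systems are my own assumptions, and the M1/M2 system is the one of slides 11 to 13, whose ping-pong behaviour the analyser recovers as a cycle of four global states.

```python
from collections import deque
# Added example, not from the course notes: reachability analysis for FSMs that
# communicate through one FIFO queue per ordered pair (X, Y), as on slides 14-16,
# reporting the error situations of slides 17-19.  Encoding (constructed here):
#   machines[name][state][(msg, src)]   = (next_state, [(out_msg, dst), ...])
#   machines[name][state][(None, None)] = spontaneous transition (no input)

def fire(states, queues, m, nxt, outputs, consumed=None):
    """Apply one local transition of machine m (pop consumed head, append outputs)."""
    new_states = dict(states, **{m: nxt})
    new_queues = dict(queues)
    if consumed is not None:
        new_queues[consumed] = new_queues[consumed][1:]
    for msg, to in outputs:
        new_queues[(m, to)] = new_queues[(m, to)] + (msg,)
    return new_states, new_queues

def successors(machines, states, queues):
    """Enabled global transitions, plus unspecified receptions (slide 18)."""
    result, unspecified = [], []
    for (src, dst), q in queues.items():
        if not q:
            continue
        trans = machines[dst][states[dst]].get((q[0], src))
        if trans is None:  # queue head that the receiver cannot consume
            unspecified.append((dst, states[dst], q[0], src))
        else:
            result.append(fire(states, queues, dst, *trans, consumed=(src, dst)))
    for m in states:  # spontaneous transitions need no input
        trans = machines[m][states[m]].get((None, None))
        if trans is not None:
            result.append(fire(states, queues, m, *trans))
    return result, unspecified

def analyse(machines, init_states, init_queues, bound):
    """BFS over reachable global states with queues artificially bounded by `bound`."""
    names = list(machines)
    queues = {(x, y): tuple(init_queues.get((x, y), ()))
              for x in names for y in names if x != y}
    freeze = lambda s, q: (tuple(sorted(s.items())), tuple(sorted(q.items())))
    seen, todo = {freeze(init_states, queues)}, deque([(dict(init_states), queues)])
    report = {"states": 0, "deadlocks": 0, "unspecified": set(), "bound_hit": False}
    while todo:
        states, queues = todo.popleft()
        report["states"] += 1
        succ, unspec = successors(machines, states, queues)
        report["unspecified"].update(unspec)
        if not succ:  # nothing enabled: global deadlock, or every FSM blocked
            report["deadlocks"] += 1
        for s, q in succ:
            if any(len(c) > bound for c in q.values()):
                report["bound_hit"] = True  # queues may be unbounded (slide 19)
            elif freeze(s, q) not in seen:
                seen.add(freeze(s, q))
                todo.append((s, q))
    return report

# M1/M2 of slides 11-13 (initial states chosen so the trace of slide 13 is
# reproduced); the queue from M1 to M2 initially holds the message a.
M1 = {1: {("d", "M2"): (2, [("b", "M2")])}, 2: {("c", "M2"): (1, [("a", "M2")])}}
M2 = {1: {("a", "M1"): (2, [("d", "M1")])}, 2: {("b", "M1"): (1, [("c", "M1")])}}
PING_PONG = analyse({"M1": M1, "M2": M2}, {"M1": 1, "M2": 1}, {("M1", "M2"): ("a",)}, 4)
# Same system with M1 started in state 2: the d sent by M2 is an unspecified
# reception for M1 and the system deadlocks there.
BLOCKED = analyse({"M1": M1, "M2": M2}, {"M1": 2, "M2": 1}, {("M1", "M2"): ("a",)}, 4)
# Constructed sender with a spontaneous self-loop (slide 2): the queue from A to B
# grows without limit, so exploration only stops at the artificial bound.
A = {"P": {(None, None): ("P", [("x", "B")])}}
B = {"Q": {("x", "A"): ("Q", [])}}
UNBOUNDED = analyse({"A": A, "B": B}, {"A": "P", "B": "Q"}, {}, 3)
```

PING_PONG visits exactly the four global states of the slide-13 cycle, BLOCKED reports one unspecified reception and one deadlock, and UNBOUNDED hits the bound, which is the only evidence a bounded exploration can give of an unbounded queue.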

Slide 20: State space explosion
There are three reasons why the number of reachable states is often too big to be manageable, even with powerful tools:
–The number of states of each sub-system is very large because one has introduced supplementary state variables for capturing the behavior of the sub-system, e.g. sequence numbers in protocols.
–During reachability analysis, one considers the Cartesian product of several sub-systems, which leads to a multiplication of the numbers of states of all sub-systems.
–An additional “blow-up” could be due to the varying contents of the queues (even if they are often artificially bounded during analysis).

Slide 21: Automated analysis tools
Many automatic reachability analysis tools exist (see for instance [Boch 90g]). Some tools combine this with model checking (verifying that the composed system satisfies certain given temporal logic properties).
Holzmann proposed a method for minimizing the memory required for remembering which global states have already been analyzed (using only one bit per state), at the cost of reducing the amount of information that is available.
Analysis methods that do not construct the whole reachable global state space, but only travel through the whole space (for instance through a depth-first search) and simultaneously check the interesting properties, are called “on-the-fly” analysis methods. In contrast, traditional methods construct the whole state space and then check the interesting properties.

Slide 22: How to avoid the state space explosion
The following approaches have been proposed to reduce the effect of the state space explosion:
–Problem decomposition (e.g. analyze different operational phases separately)
–Reduced reachability analysis: The idea is to reduce the number of different interleavings of concurrent operations that must be considered, while taking care that one still maintains the guarantee that all design errors will be detected
–Ad-hoc analytical methods: Ad-hoc methods may be used for showing that certain types of properties are satisfied for certain types of specifications
–Analysis using assertions (in the case of automata extended with variables): The idea is to treat the properties related to the variables using program proof methods involving assertions and/or invariants.
–Incomplete analysis: For instance
»partial exploration of the reachable state space (e.g. random walk [Holz 88])
»statistical exploration corresponding to the probabilities of the real environment
»exploration by simulation guided by a user (this is always possible as long as the specification is executable)

Slide 23: 3. Extended FSM models
An “extended FSM model” is the model of communicating FSMs where there is a finite number of message types and a finite number of so-called “major” states for each FSM, but extended with the following features:
–Each type of message may be associated with typed message parameters.
–Each FSM may be characterized by additional state variables.
–Each transition may be associated with an additional condition, which is a predicate depending on the additional state variables and input parameters.
–For each output produced, it is necessary to specify the values of the associated message parameters.
–For each transition, there is an additional action which performs an update of the additional state variables.

Slide 24: Extended models (continued)
Several specification languages have been defined which are based on the EFSM model, such as
–SDL
–Estelle
–State Charts, state transition diagrams of UML, etc.
Similar extensions have also been defined for other types of transition systems, such as
–Extended LTSs: LOTOS
–Extended Petri nets: attributed or “coloured” Petri nets and other extensions

Slide 25: Reachability analysis for extended models
The ideas of reachability analysis can also be applied to extended models; however, the number of states to be explored explodes further, because all different values of interaction parameters must be considered, as well as the different values of the internal additional state variables. Therefore, in practice, it is usually not possible to perform a complete reachability analysis for extended FSM models. However, tools such as SPIN (for the language Promela) and the tools for Estelle and SDL include software tools for exhaustive reachability analysis or partial analysis based on Holzmann’s state hashing approach [Holz 88, Holz 91].

Slide 26: 4. Comparison of interaction primitives
Interaction primitives of different levels of abstraction
–rendezvous (each participant may impose enabling conditions, parameter passing in all directions)
–synchronous input/output interactions in rendezvous (all participants may impose enabling conditions): this means rendezvous where parameters are only passed from one side (the output side) to the other (the input side).
–synchronous input/output interactions, output always possible
–asynchronous message passing (messages in transit, before being received), output always possible
The “controllability” concept from process control
–Certain actions of the component to be controlled are “controllable”, that is, they can be prevented by the controller (the controller can impose an enabling condition). “Uncontrollable” actions must be accepted by the controller at any time (see for instance [Ramadge 1989]). This notion is similar to synchronous input/output with and without flow control.

Slide 27: Difficulty of implementation / verification
Implementation
–All these primitives can be relatively easily implemented in a centralized environment. However, in a distributed environment the networking protocols usually already provide functions for message passing (e.g. IP, with no delivery guarantee, and TCP, with delivery guarantee). Therefore the message passing paradigm is easily implemented. The same holds for synchronous input/output without flow control; it can be implemented through a remote procedure call mechanism.
–Primitives where both sides may impose enabling conditions are more difficult to implement if we assume that each communicating component has in general several different alternatives for remote interactions in a given state. The difficulty comes from the fact that a global view would be best for making the appropriate choices. However, many algorithms have been designed for the distributed implementation of rendezvous communication.
Verification
–the verification of specifications using rendezvous is usually easier than the verification of corresponding specifications using message passing (see below).

Slide 28: Comparison: Difficulty of analysis
As mentioned above, the model of communicating FSMs is particularly simple to implement in a distributed environment, because the basic communication protocols provide a reliable message transport service. However, reachability analysis is much easier for LTSs communicating by rendezvous than for communicating FSMs:
–First, the state space is not necessarily finite for FSMs with unlimited queues.
–Second, rendezvous is a more abstract communication primitive than message passing. Consider the following example, where in a given state two actions are possible, a or b (for instance, to call another object, or to accept a call coming from another object), and these actions could be performed by one or the other of the machines.

Slide 29 (continued): Difficulty of analysis
Note: In the case of communicating FSMs, there are states representing a conflict between the two machines; their resolution should be foreseen in the specification. However, such considerations are of a relatively low level (if this problem occurs at some internal interface, these details are a matter of implementation).
[Diagrams: two machines with states 1, 2, 3 and actions a, b. With rendezvous (LTS), the composed system has global states 1,1; 2,2; 3,3. With communicating FSMs (transitions -a, +b in one machine and +a, -b in the other), the composed system has global states 1,1; 2,1; 1,3; 2,2; 3,3 and 2,3, the latter being a conflict state marked "??"]
