Submodule construction for specifications with I/O, Nov. 2002, Gregor v. Bochmann, University of Ottawa


Submodule construction for specifications with input assumptions and output guarantees
Gregor v. Bochmann
School of Information Technology and Engineering (SITE), University of Ottawa
FORTE conference, Houston, November 2002

Thanks
I would like to express my thanks to
- Philip Merlin, with whom I did the first work in this area in 1969
- my PhD students Tao and Drissi, whose work was on equation solving
- Nina Yevtushenko, for some joint work in this area and for identifying the generalization as a goal
- my colleague Cory Butz, who gave a talk on stochastic databases during which I saw that databases provide a very general framework for equation solving

Equation solving: integer division
- Multiplication: R1 * R2 = ?
- Equation solving: R1 * X = R3. What is the value of X?
- Solution: the definition of the division operation, written "X = R3 / R1"
- What does it mean? X = the biggest Y such that R1 * Y ≤ R3
- Note: in many cases there is no exact solution, that is, there is no X such that R1 * X = R3. For instance, 7 / 3 = 2, and 3 * 2 = 6 ≤ 7

Context of this talk
- Multiplication → machine composition
- Division → submodule construction ("equation solving")
[Figure: two block diagrams over interfaces a1, a2, a3: the composition of R1 with a second component, and the equation-solving version in which R1 and the result R3 are given and the second component, X, is the unknown (marked "?")]

Overview
- Machine composition and equation solving
- Applications
- Solution formulas
- A generalization: relational databases
- The cases of labelled transition systems (LTS) and synchronous LTS
- The case of specifications based on assumptions and guarantees: e.g. synchronous FSMs, IO-automata and asynchronous FSMs
- Conclusions

Equation solving for machines
- Given machine R1 and specification R3 for the behavior of the composition of R1 with X, find a behavior of machine X such that
  hide a3 in (R1 ∞ X) ≤ R3
- Meaning of ≤: set inclusion of possible execution sequences ("traces", i.e. sequences of interactions), also called trace inclusion
[Figure: R1 and X composed over the internal interface a3; R1 interacts with the environment at a2 and X at a1; the composition is compared with R3]

Applications of machine equation solving
- Communication protocols: protocol design (Merlin-Bochmann, 1980); design of communication gateways
- Controller design for discrete event systems
- Component reuse, e.g. in software engineering
- Embedded testing

Communication protocol design
- Protocol entities PE1 and PE2 use the underlying service S and provide the service R3 to the users of the protocol
- PE1 and S are given; PE2 is to be found
- R1 corresponds to (PE1 ∞ S)
[Figure: PE1 and PE2 connected through S, providing R3 at interfaces a1 and a2; mapped onto the R1, X, R3 diagram with interfaces a1, a2, a3]

Communication gateways
- Given: the desired end-to-end communication service E2E, and the (different) protocols in the two networks
- To be found: the gateway behavior (shown by the red box)
[Figure: PE1 and PE2 over S providing R3, and PE'1 and PE'2 over S' providing R'3, joined by the adapter; together they provide E2E]

Controller design
- Applications in process control, robotics, etc.
- Also called "discrete event systems" (a separate research community, e.g. [Ramadge-Wonham, 1989] and many subsequent papers)
- Distinction between non-controllable and controllable interactions (like input/output)
[Figure: "System to be controlled" and "Controller" in place of R1 and X, "Desired properties" in place of R3, over interfaces a1, a2, a3]

Component reuse
- A given submodule does not completely correspond to the specification of the system to be built
- An additional submodule to be built (and designed through equation solving) makes up the "difference"
[Figure: "Submodule to be re-used" and "New submodule to be built" in place of R1 and X, "Module to be built" in place of R3, over interfaces a1, a2, a3]

Embedded testing
- If internal interactions (i.e. at a3) are not visible, only the properties of the composed system can be observed
- The most general behavior of the SUT that leads to conforming behavior of the composed system is the solution of submodule construction
- This behavior is often more general than the specification for the SUT; the difference cannot be observed
[Figure: "Component assumed correct" and "Component under test" in place of R1 and X, "Properties of composed system" in place of R3, over interfaces a1, a2, a3]

Equation solving for labelled transition systems
- Rendezvous interactions: a3 between R1 and X; a2 between R1 and the environment; a1 between X and the environment
- Behavior definition: the set of allowed execution sequences, e.g. for X: execution sequences over interactions at a3 or a1
[Figure: R1, X, R3 over interfaces a1, a2, a3]

The problem and its solution
- Problem: find the most general X (largest set of execution sequences) such that
  hide a3 in (R1 ∞ X) ≤ R3
- Solution: X = (a1 ∪ a3)* \ (minus) any sequence that could lead to an observable execution sequence not in R3, i.e.
  X = (a1 ∪ a3)* \ hide a2 in (R1 ∞ ((a1 ∪ a2)* \ R3))
[Figure: R1, X, R3 over interfaces a1, a2, a3]

A comment
- Since all execution sequences of X must go in interaction with R1 and R3, we may replace the chaos for X with all sequences that are obtained by the composition of R1 and R3, that is [Merlin and Bochmann, 1980]:
  X = hide a2 in (R1 ∞ R3) \ (minus) hide a2 in (R1 ∞ ((a1 ∪ a2)* \ R3))
[Figure: R1, X, R3 over interfaces a1, a2, a3]

Equation solving for synchronous automata
- Synchronous communication: simultaneous interactions at all interfaces; at each clock pulse there is a vector of interactions
- Behavior definition: the set of allowed sequences of interaction vectors, e.g. for X: the interaction vectors include interactions at a3 and a1
[Figure: R1, X, R3 over interfaces a1, a2, a3]

Solution of equation solving
- Identical form of the formulas
- The meaning of the operators has changed: ∞ is synchronous composition; the hide operator ignores a component of the vector
- [Yevtushenko et al., 1999]

Relational database (intro)
- A DB is a set of relations
- A relation is a table: each column is an attribute, each row is an "object"
- The element at position (ai, ok) in the table represents the value that object ok takes for attribute ai
- With each attribute ai is associated a set of possible values Di

Relational database concepts
Formal definitions:
- Attributes: A = {a1, a2, … an}
- Attribute values: D = ∪ Di
- Relation over Ar (Ar ⊆ A), written R[Ar]: a (possibly infinite) set of mappings T: Ar → D with T(ai) ∈ Di
- Note: each mapping corresponds to a row

Example
R1:
  Name     Age  Salary
  Fred
  Paul
  Alice
  Suzanne
  Bob
  (the Age and Salary values did not survive extraction)

R2:
  Name     Project
  Fred     BigOne
  Alice    BigOne
  Fred     SmallOne
  Suzanne  SmallOne

Relational operators
- Projection: given R[Ar] and Ax ⊆ Ar, the projection of R[Ar] onto Ax, written proj_Ax(R), is a relation over Ax with
  T ∈ proj_Ax(R) iff there exists T' ∈ R such that ∀ ai ∈ Ax: T(ai) = T'(ai)
- Join: given R1[A1] and R2[A2], the join of R1 and R2, written R1 ∞ R2, is a relation over A1 ∪ A2 with
  T ∈ (R1 ∞ R2) iff proj_A1(T) ∈ R1 and proj_A2(T) ∈ R2
- Chaos: given Ax ⊆ A, the chaos over Ax, written Ch[Ax], is the relation which includes all mappings T: Ax → D with T(ai) ∈ Di

Example (R1 and R2 as on the previous slide)
proj_{Project}(R2) =
  Project
  BigOne
  SmallOne

R1 ∞ R2 =
  Name     Age  Salary  Project
  Fred                  BigOne
  Fred                  SmallOne
  Alice                 BigOne
  Suzanne               SmallOne
  (Age and Salary values as in R1; they did not survive extraction)

Equation solving for relational databases
- We consider three attributes a1, a2, a3 and two relations R1[{a3, a2}], R3[{a1, a2}]
- Problem: what is the biggest relation X[{a1, a3}] satisfying
  proj_{a1,a2}(R1 ∞ X) ⊆ R3
- Solution:
  X = Ch[{a1, a3}] \ proj_{a1,a3}(R1 ∞ (Ch[{a1, a2}] \ R3))
- Proof: see paper
- Generalization to more complex attribute structures is also easy
[Figure: R1, X, R3 over interfaces a1, a2, a3]

An example
- D1 = {ε} (the single value of D1 was lost in extraction; it is written ε here), D2 = {aa, ab, ba, bb}, D3 = {c, d}
- X = Ch[{a1, a3}] \ proj_{a1,a3}(R1 ∞ (Ch[{a1, a2}] \ R3))
- R3[{a1, a2}] = {(ε, ab)}
- R1[{a2, a3}]: three rows with a3 = c, d, d; the a2 value of the third row is aa (the a2 values of the first two rows were lost in extraction)
- Ch[{a1, a3}] = {(ε, c), (ε, d)}
- Ch[{a1, a2}] \ R3 = {(ε, aa), (ε, ba), (ε, bb)}
- R1 ∞ (Ch[{a1, a2}] \ R3) = {(ε, aa, d)} over {a1, a2, a3}
- X = {(ε, c)}
[Figure: R1, X, R3 over interfaces a1, a2, a3]
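As an added example that is not part of the original slides, the following Python code evaluates the relational solution formula on finite relations and re-checks the example above by brute force (conformance and maximality of X). The domains and R3 follow the slide; the first two rows of R1 are an assumption, since only the row (aa, d) is recoverable.

```python
# Added example (not from the slides): the relational solution formula
#   X = Ch[{a1,a3}] \ proj_{a1,a3}( R1 ∞ (Ch[{a1,a2}] \ R3) )
# on finite relations, plus a brute-force check that X is the largest
# relation with proj_{a1,a2}(R1 ∞ X) ⊆ R3.
from itertools import product


def row(**kv):
    """A relation row (mapping T: attributes -> values) as a hashable frozenset."""
    return frozenset(kv.items())


def chaos(attrs, domains):
    """Ch[attrs]: all mappings T with T(a_i) in D_i."""
    return {frozenset(zip(attrs, vals))
            for vals in product(*(domains[a] for a in attrs))}


def proj(rel, attrs):
    """proj_attrs(rel): keep only the columns in attrs (duplicate rows collapse)."""
    return {frozenset((a, v) for a, v in t if a in attrs) for t in rel}


def join(r1, r2):
    """Natural join r1 ∞ r2: combined rows that agree on all shared attributes."""
    out = set()
    for t1 in r1:
        d1 = dict(t1)
        for t2 in r2:
            d2 = dict(t2)
            if all(d1[a] == d2[a] for a in d1.keys() & d2.keys()):
                out.add(frozenset({**d1, **d2}.items()))
    return out


def solve(r1, r3, domains, a1="a1", a2="a2", a3="a3"):
    """Largest X[{a1,a3}] with proj_{a1,a2}(R1 ∞ X) ⊆ R3, by the slide's formula."""
    ch13 = chaos((a1, a3), domains)
    ch12 = chaos((a1, a2), domains)
    return ch13 - proj(join(r1, ch12 - r3), {a1, a3})


def conforms(r1, x, r3, a1="a1", a2="a2"):
    """The composition of R1 with X satisfies the specification R3."""
    return proj(join(r1, x), {a1, a2}) <= r3


def is_largest(r1, x, r3, domains, a1="a1", a2="a2", a3="a3"):
    """Maximality: adding any other row of Ch[{a1,a3}] to X breaks conformance."""
    return conforms(r1, x, r3, a1, a2) and all(
        not conforms(r1, x | {t}, r3, a1, a2)
        for t in chaos((a1, a3), domains) - x)


# Constructed sample data with the slide's domains: D1 = {ε} (the empty string
# here), D2 = {aa, ab, ba, bb}, D3 = {c, d}.  R3 is the slide's relation; the
# first two rows of R1 are an assumption (only the row (aa, d) is on the slide).
DOMAINS = {"a1": {""}, "a2": {"aa", "ab", "ba", "bb"}, "a3": {"c", "d"}}
R3 = {row(a1="", a2="ab")}
R1 = {row(a2="ab", a3="c"), row(a2="ab", a3="d"), row(a2="aa", a3="d")}

if __name__ == "__main__":
    X = solve(R1, R3, DOMAINS)
    print(sorted(sorted(t) for t in X))   # only the row {a1: ε, a3: c} survives
    print(is_largest(R1, X, R3, DOMAINS))
```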

A special case: trace specifications
- Attributes → interfaces: Di = Ii*, that is, all finite sequences of elements of Ii, the possible interactions at the interface ai (the "alphabet" at interface ai)
- Machine behavior → relation: each row (DB object) represents a possible execution history ("trace"); the value for each attribute describes the interaction sequence occurring at the corresponding interface during that trace
- Synchrony constraint: the interaction sequences at the different interfaces for a given trace are of equal length

Two sub-cases: synchronous operation (as above) and interleaving semantics (below)
- Attributes → interfaces: Di = (Ii ∪ {null})* (as in the synchronous case, except that there is a real interaction at only one interface at a time: "interleaving semantics")
- Machine behavior → relation: as in the synchronous case, except that the "interleaving constraint" is satisfied for all mappings of a relation, that is, for any j, the j-th element of T(ai) is non-null for at most one attribute ai

Algorithms for equation solving
- Solution: X = Ch[{a1, a3}] \ proj_{a1,a3}(R1 ∞ (Ch[{a1, a2}] \ R3))
- Algorithms for the operations ∞, \, proj: in general not possible (infinite sets of mappings)
- For finite state models: polynomial complexity for ∞ and proj; proj introduces non-determinism; \ requires conversion to deterministic models, which has exponential complexity

Example
[Figure: R1, X, R3 over interfaces a1, a2, a3, with interface alphabets {a, b, n}, {c, d, n} and {n}]

Systems with input and output
- Nature of input/output (non-rendezvous)
  - Output: the time and parameters of an interaction are determined by the system component producing the output
  - Input: the component receiving the interaction cannot influence the time nor the parameter values
- Specification of component behavior
  - Output: the specification gives guarantees about timing and parameter values
  - Input: the specification may make assumptions about the timing of inputs and the received parameter values

Specification paradigms with hypotheses and guarantees
- Software: pre- and postconditions of a procedure call; they define hypotheses on input parameters and guarantees on output parameters, respectively
- Finite state machines (state-deterministic): an unspecified input is a hypothesis about the behavior of the environment: this input will not occur when the machine is in this state

Component specification and interconnection
- Each attribute of a relation is either input or output
- Constraint on component interconnection: no output conflicts, i.e. for each interface there is only one connected component for which the corresponding attribute is output
- For trace specifications: unit delay constraint: the output(s) at time t depend only on previous interactions of the same component (not on the input received at time t) [e.g. Broy, Lamport]; in the FSM context this corresponds to a Moore machine

Conformance to specifications
- Given a specification R and a trace T, either T ∈ R (we say T conforms to R) or …
  - T has wrong input: all prefixes of T up to some time t conform to R, but there is wrong input at time (t+1)
  - T has wrong output: similarly
  - T has wrong input and output at the same time instant
- A component conforms to a specification R iff no trace T in which the component participates has wrong output in respect to R
- Note: if a trace has wrong input, nothing can be assumed about wrong output at a later time instant
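As an added example that is not part of the slides, the following Python code applies the definitions above to a constructed input/output trace specification (one input attribute a1 and one output attribute a2, both over {0, 1}, with an input assumption and a unit-delay output guarantee) and classifies traces as conforming, wrong input, wrong output, or both at the first deviating time instant.

```python
# Added example (not from the slides): classify a trace T against an I/O trace
# specification R as "conforms", "wrong input", "wrong output" or "wrong input
# and output" at the first time instant t+1 at which T leaves R.
from itertools import product

# Constructed specification over one input attribute a1 and one output
# attribute a2, both with values in {0, 1}.  A trace is a tuple of interaction
# vectors (a1, a2), one per time instant.
ATTRS = ("a1", "a2")
INPUTS = {"a1"}
OUTPUTS = {"a2"}


def spec_traces(max_len):
    """R: all traces of length <= max_len (prefix-closed) that satisfy
    - the input assumption: the environment never sends 1 twice in a row, and
    - the output guarantee (unit delay, Moore-style): the output at time t is
      the input received at time t-1, and 0 at time 1."""
    r = set()
    for n in range(max_len + 1):
        for ins in product((0, 1), repeat=n):
            if any(x == y == 1 for x, y in zip(ins, ins[1:])):
                continue                      # violates the input assumption
            outs = (0,) + ins[:-1]            # zip below truncates to n vectors
            r.add(tuple(zip(ins, outs)))
    return r


def classify(spec, trace):
    """Return ("conforms", None), or (kind, t) where t is the time instant of
    the first deviation from spec and kind names what was wrong there."""
    # t = length of the longest prefix of T that is a prefix of some trace in R
    t = max(n for n in range(len(trace) + 1)
            if any(s[:n] == trace[:n] for s in spec))
    if t == len(trace):
        return ("conforms", None)
    # interaction vectors that R allows at time t+1 after that prefix
    allowed = {s[t] for s in spec if len(s) > t and s[:t] == trace[:t]}
    actual = trace[t]

    def agrees(vec, names):
        return all(actual[i] == vec[i] for i, a in enumerate(ATTRS) if a in names)

    bad_in = not any(agrees(v, INPUTS) for v in allowed)
    bad_out = not any(agrees(v, OUTPUTS) for v in allowed)
    # Under the unit-delay constraint the inputs allowed at t+1 do not depend on
    # the output produced at t+1, so at least one of the two must be wrong here.
    assert bad_in or bad_out
    kind = {(True, False): "wrong input",
            (False, True): "wrong output",
            (True, True): "wrong input and output"}[(bad_in, bad_out)]
    return (kind, t + 1)


def component_conforms(spec, observed):
    """A component conforms to R iff none of the traces it participates in has
    wrong output.  Only the first deviation counts: after wrong input, nothing
    is assumed about later outputs."""
    return all("output" not in classify(spec, T)[0] for T in observed)


R = spec_traces(3)

if __name__ == "__main__":
    for T in [((0, 0), (1, 0), (0, 1)), ((1, 0), (1, 1)),
              ((0, 0), (1, 1)), ((1, 0), (1, 0))]:
        print(T, "->", classify(R, T))
```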

Equation solving for trace specifications with input/output
- Find the most general specification X such that any trace T of the composition of R1 and X has the following properties:
  - proj_{a1,a2}(T) conforms to R3
  - if proj_{a1,a2}(T) has no wrong input in respect to R3, then proj_{a2,a3}(T) has no wrong input in respect to R1
[Figure: R1, X, R3 over interfaces a1, a2, a3]

Solution formula
Notation:
- R_WO(t) = set of traces that have wrong output in respect to R at time instant t
- R_WI(t): similarly for wrong input
- ∪_t: union over all values of t
Solution:
  X = Ch[{a1, a3}] \ proj_{a1,a3}( ∪_t ( R1 ∞ R3_WO(t) ∪ R1_WI(t) ∞ R3 ∪ R1_WI(t) ∞ R3_WO(t) ) )

Solution algorithms for I/O
- Synchronous FSMs: can be easily derived from the above formula; the special case of completely defined, deterministic machines was already solved by Kim et al.
- Interleaving semantics: simplification: never wrong input and output at the same time instant
- IO-automata: Jawad Drissi (PhD thesis)
- Communicating FSMs: Yevtushenko and Petrenko

Extensions of the specification formalisms
- More powerful specification languages: Petri nets, CSP, LOTOS, etc.
- Different conformance relations
  - Safeness: trace semantics (as discussed here)
  - Liveness, progress (some good interaction will occur): liveness [Thistle]; absence of blockings [Tao, PhD thesis]; optional and required progress [Drissi, PhD thesis]
- Real-time aspects: timed automata [Grenoble; work on DES; Drissi, PhD thesis]

Conclusions (i)
New results presented here:
- Solution formula for equation solving in the context of relational databases
- Equation solving for component composition based on trace semantics (synchronous and interleaving case) as special cases
- Solution formula for trace semantics with input and output

Conclusions (ii)
Application areas:
- Protocol design (Merlin-Bochmann, 1980)
- Design of communication gateways
- Controller design
- Component reuse, e.g. in software engineering
- Embedded testing
Future work:
- More powerful specification paradigms, e.g. interaction parameters
- Tools
- Practical design methodology based on formal methods