Formal Methods for Software Engineering Part II: Modelling & Analysis of System Behaviour
Ed BrinksmaFMSE, Lecture 4 Contents Part I In Part I we used Z as a formalism to model the static aspects of software systems, i.e. ndefinition of system states & data structures ndefinition of operations & preconditions The tool Z-Eves was used for specification support and analysis.
Ed BrinksmaFMSE, Lecture 4 Contents Part II In this part we introduce FSP as a formalism to model the dynamic aspects of software systems, i.e. ndefinition of system behaviour (control flow) ndefinition of control distribution (concurrency) We introduce the tool LTSA for modelling support and analysis.
Ed BrinksmaFMSE, Lecture 4 FSP and LTS Models are described using state machines, known as Labelled Transition Systems. These are described textually as Finite State Processes and displayed and analysed by the LTSA analysis tool. LTS - graphical form FSP - algebraic form
Ed BrinksmaFMSE, Lecture 4 LTS: a definition A labelled transition system T consists of the following ingredients: 1. a set S of states 2. a set L of actions 3. a set -> of transitions of the form s-a->t with s,t S and a L or a=tau 4. an initial state s 0 S We also write T=(S,L,->, s 0 ).
Ed BrinksmaFMSE, Lecture 4 Modelling Processes A process is modelled as a finite LTS which transits from state to state by executing a sequence of atomic actions. a light switch LTS on off on off on off … a sequence of actions or trace on 01 off
Ed BrinksmaFMSE, Lecture 4 A Simple Transmission Protocol SENDER = (in -> send -> getack -> SENDER). insend getack 012 recout ack 012 RECEIVER = (rec -> out -> ack -> RECEIVER). get put 01 BUFFER = (get -> put -> BUFFER).
Ed BrinksmaFMSE, Lecture 4 Composing the System ||MEDIUM = (a:BUFFER||b:BUFFER) /{send/a.get,rec/a.put,ack/b.get,getack/b.put}. ||SYSTEM = (SENDER || MEDIUM ||RECEIVER). Sender Receiver Buffer 1 Buffer 2 in send rec out ack getack Medium
Ed BrinksmaFMSE, Lecture 4 The System Behaviour insendrecoutack getack u parallel composition with synchronized communication u equivalent single process can be calculated (with LTSA)
Ed BrinksmaFMSE, Lecture 4 Observable Behaviour Observable behaviour abstracts away from internal system actions. Sender Receiver in send rec out ack getack Medium ||SYSTEM = (SENDER||MEDIUM||RECEIVER).
Ed BrinksmaFMSE, Lecture 4 Observable Behaviour Observable behaviour abstracts away from internal system actions. Sender Receiver in out Medium ||SYSTEM = System
Ed BrinksmaFMSE, Lecture 4 Observable Behaviour Observable behaviour abstracts away from internal system actions. ||SYSTEM = intau outtau tau denotes internal action
Ed BrinksmaFMSE, Lecture 4 Observable Behaviour Observable behaviour abstracts away from internal system actions. minimise SYSTEM in out 01 Same LTS as: SYS=(in->out->SYS).
Ed BrinksmaFMSE, Lecture 4 Behavioural Equivalence In what sense is the minimized process SYS comparable to When can we identify system states?
Ed BrinksmaFMSE, Lecture 4 Bisimulation Idea: identify states that - can imitate each other’s observable steps leading to - states that again can be identified An observable step consists of either - observing nothing, or - observing a non-internal action
Ed BrinksmaFMSE, Lecture 4 Example intau outtau
Ed BrinksmaFMSE, Lecture 4 Observable Steps lObserving nothing: s==>t: s=t or s-tau->…-tau->t i.e. s reaches t by doing nothing, or by executing internal actions only. lObserving non-internal action: s=a=>t: s==>s’-a->t’==>t for some s’,t’ i.e. s reaches t by doing a, possibly preceeded or followed by some internal actions
Ed BrinksmaFMSE, Lecture 4 Examples atau b cb ==>0, 0=a=>1, 0=a=>2 1==>1, 1==>2, 1=b=>3, 1=c=>2 2==>2, 2=c=>2 3==>3, 3=b=>3
Ed BrinksmaFMSE, Lecture 4 Weak Bisimulation Relations Let R be a relation between states,then R is a weak bisimulation relation iff for all (s,t) R and all observable actions a: - if for some s’: s==>s’ then for some t’: t==>t’ such that (s’,t’) R - if for some s’: s=a=>s’ then for some t’: t=a=>t’ such that (s’,t’) R - if for some t’: t==>t’ then for some s’: s==>s’ such that (s’,t’) R - if for some t’: t=a=>t’ then for some s’: s=a=>s’ such that (s’,t’) R
Ed BrinksmaFMSE, Lecture 4 Equivalent Transition Systems Two transition systems T and U are observably equivalent iff there is a weak bisimulation relation R with (t 0,u 0 ) R with t 0 and u 0 their respective initial states.
Ed BrinksmaFMSE, Lecture 4 Example c T a a c tau b cb S a b b c
Ed BrinksmaFMSE, Lecture 4 Negative Example ab c bc 0123 a a b c bc ?
Ed BrinksmaFMSE, Lecture 4 Traces Again Let T=(S,L,->,s 0 ) be a labelled transition system. nTraces(T) is the set of strings a 1 …a n L* such that there is an s L with s 0 =a 1 =>…=a n =>s nTwo LTSs T and U are trace equivalent iff Traces(T)=Traces(U)
Ed BrinksmaFMSE, Lecture 4 Example atau b cb 0123 Traces: (empty trace), a,ab,abb,abbb,abbbb,… a,ac,acc,accc,acccc,…
Ed BrinksmaFMSE, Lecture 4 (Non)determinism An LTS T=(S,L,->,s 0 ) is deterministic iff for every trace of T there is a unique state s S with s 0 = =>s. ab c bc 0123 a a b c bc deterministic nondeterministic 0=a=>1 and 0=a=>2 Trace sets are identical!
Ed BrinksmaFMSE, Lecture 4 FACTS Let T and U be LTSs. nIf T and U are observation equivalent then T and U are trace equivalent. nIf T and U are trace equivalent then T and U generally are not observation equivalent. nIf T and U are deterministic then they are trace equivalent iff they are observation equivalent. Do we need nondeterministic processes?
Ed BrinksmaFMSE, Lecture 4 Nondeterminism What happens with our protocol if a Buffer can lose data? BUFFER = (get -> put -> BUFFER |get -> BUFFER). nondeterminism Compiled: SENDER Compiled: BUFFER Compiled: RECEIVER Composition: SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVER State Space: 3 * 2 * 2 * 3 = 36 Composing potential DEADLOCK States Composed: 7 Transitions: 8 in 0ms SYSTEM minimising.... Minimised States: 5 in 60ms in tau out tau Deadlock state
Ed BrinksmaFMSE, Lecture 4 Revision 1 Keep sending until a getack is received SENDER = (in -> send -> WAIT), WAIT = (getack -> SENDER |send -> WAIT). Keep sending ack s until a rec is received RECEIVER = (rec -> OUT), OUT = (out -> ack -> WAIT), WAIT = (rec -> OUT |ack -> WAIT).
Ed BrinksmaFMSE, Lecture 4 Analysis Compiled: SENDER Compiled: BUFFER Compiled: RECEIVER Composition: SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVER State Space: 3 * 2 * 2 * 4 = 48 Composing States Composed: 34 Transitions: 57 in 50ms SYSTEM minimising..... Minimised States: 17 in 110ms This cannot be equivalent to the 2-state Sys process with Sys=(in->out->Sys). Reason: There is no difference between send actions that are repeated and those related to a new in action.
Ed BrinksmaFMSE, Lecture 4 Revision 2 Alternating Bit Protocol: send along a bit that is flipped to distinguish old and new data and acknowledgements. range B= 0..1 SENDER = (in -> SENDING[0]), SENDING[b:B] = (send[b] -> SENDING[b] |getack[1-b] -> SENDING[b] |getack[b] -> in -> SENDING[1-b]). RECEIVER = (rec[0] -> out -> ACKING[0]), ACKING[b:B] = (ack[b] -> ACKING[b] |rec[b] -> ACKING[b] |rec[1-b] -> out -> ACKING[1-b]). BUFFER = (get[b:B] -> put[b] -> BUFFER |get[b:B] -> BUFFER). ||MEDIUM = (a:BUFFER || b:BUFFER) /{send/a.get,rec/a.put,ack/b.get,getack/b.put}. ||SYSTEM = (SENDER || MEDIUM ||
Ed BrinksmaFMSE, Lecture 4 Does It Work? Composition: SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVER State Space: 5 * 3 * 3 * 6 = 270 Composing States Composed: 45 Transitions: 86 in 0ms intau out tau in tau out tau in tau outtau in tau intau out tau out tau out tau out tau in tau intau out
Ed BrinksmaFMSE, Lecture 4 Minimization in out 01 The Alternating Bit system (service) is observational equivalent with a 1-place buffer
Ed BrinksmaFMSE, Lecture 4 Summary lDynamic system behaviour can be modelled by LTS/FSP specifications lLTS/FSP models can composed and analysed using the LTSA tool lLTS/FSP models can be minimized to observational equivalent behaviours using bisimulations lNondeterminism is an essential modelling feature for system behaviours