FMSE Lecture 4


Formal Methods for Software Engineering
Part II: Modelling & Analysis of System Behaviour
Contents Part I
In Part I we used Z as a formalism to model the
static aspects of software systems, i.e.
• definition of system states & data structures
• definition of operations & preconditions
The tool Z-Eves was used for specification
support and analysis.
Ed Brinksma
FMSE, Lecture 4
Contents Part II
In this part we introduce FSP as a formalism to
model the dynamic aspects of software
systems, i.e.
• definition of system behaviour (control flow)
• definition of control distribution (concurrency)
We introduce the tool LTSA for modelling
support and analysis.
FSP and LTS
Models are described using state machines,
known as Labelled Transition Systems. These
are described textually as Finite State
Processes and displayed and analysed by the
LTSA analysis tool.
• LTS - graphical form
• FSP - algebraic form
LTS: a definition
A labelled transition system T consists of the
following ingredients:
1. a set S of states
2. a set L of actions
3. a set -> of transitions of the form s -a-> t with
   s,t ∈ S and a ∈ L or a = tau
4. an initial state s0 ∈ S
We also write T = (S, L, ->, s0).
Modelling Processes
A process is modelled as a finite LTS which transits
from state to state by executing a sequence of
atomic actions.
[Figure: a light switch LTS with states 0 and 1 and transitions on (0→1) and off (1→0); a sequence of actions such as on off on off on off … is a trace]
A Simple Transmission Protocol
SENDER = (in -> send -> getack -> SENDER).
RECEIVER = (rec -> out -> ack -> RECEIVER).
BUFFER = (get -> put -> BUFFER).
[Figure: the three LTSs: SENDER cycles through states 0, 1, 2 with in, send, getack; RECEIVER cycles through states 0, 1, 2 with rec, out, ack; BUFFER cycles through states 0, 1 with get, put]
Composing the System
[Figure: Sender, Medium (Buffer1 and Buffer2) and Receiver, connected by the actions send, rec, ack and getack; in enters the Sender and out leaves the Receiver]
||MEDIUM = (a:BUFFER || b:BUFFER)
/{send/a.get, rec/a.put, ack/b.get, getack/b.put}.
||SYSTEM = (SENDER || MEDIUM || RECEIVER).
The System Behaviour
• parallel composition with synchronized communication
• equivalent single process can be calculated (with LTSA)
[Figure: the composed SYSTEM as a single LTS with states 0–5, cycling through in, send, rec, out, ack, getack]
Observable Behaviour
Observable behaviour abstracts away from internal system actions.
[Figure: Sender, Medium and Receiver with the internal actions send, rec, ack, getack and the external actions in, out]
||SYSTEM = (SENDER||MEDIUM||RECEIVER).
Observable Behaviour
Observable behaviour abstracts away from internal system actions.
[Figure: the System as a single box with only in and out visible; Sender, Medium and Receiver are hidden inside it]
||SYSTEM = (SENDER||MEDIUM||RECEIVER)@{in,out}.
Observable Behaviour
Observable behaviour abstracts away from internal system actions.
[Figure: the SYSTEM LTS with states 0–5 after hiding: in from state 0, out from state 3, and tau on all other transitions; tau denotes an internal action]
||SYSTEM = (SENDER||MEDIUM||RECEIVER)@{in,out}.
Observable Behaviour
Observable behaviour abstracts away from internal system actions.
Same LTS as:
SYS = (in -> out -> SYS).
[Figure: the result of minimise SYSTEM: two states 0 and 1 with in (0→1) and out (1→0)]
Behavioural Equivalence
In what sense is the minimized process SYS comparable to SYSTEM@{in,out}?
When can we identify system states?
Bisimulation
Idea: identify states that
1. can imitate each other's observable steps, leading to
2. states that again can be identified
An observable step consists of either
1. observing nothing, or
2. observing a non-internal action
Example
[Figure: the hidden SYSTEM LTS again: states 0–5 with in from state 0, out from state 3, and tau transitions between the other states]
Observable Steps
• Observing nothing:
  s ==> t: s = t or s -tau-> … -tau-> t
  i.e. s reaches t by doing nothing, or by executing internal actions only.
• Observing a non-internal action:
  s =a=> t: s ==> s' -a-> t' ==> t for some s', t'
  i.e. s reaches t by doing a, possibly preceded or followed by some internal actions.
Examples
[Figure: an LTS with states 0–3 and transitions 0 -a-> 1, 1 -tau-> 2, 1 -b-> 3, 2 -c-> 2, 3 -b-> 3]
• 0==>0, 1==>1, 2==>2, 3==>3
• 0=a=>1, 0=a=>2
• 1==>2, 1=b=>3, 1=c=>2
• 2=c=>2
• 3=b=>3
Weak Bisimulation Relations
Let R be a relation between states, then R is a weak bisimulation relation iff for all (s,t) ∈ R and all observable actions a:
1. if for some s': s ==> s' then for some t': t ==> t' such that (s',t') ∈ R
2. if for some s': s =a=> s' then for some t': t =a=> t' such that (s',t') ∈ R
3. if for some t': t ==> t' then for some s': s ==> s' such that (s',t') ∈ R
4. if for some t': t =a=> t' then for some s': s =a=> s' such that (s',t') ∈ R
Equivalent Transition Systems
Two transition systems T and U are observably equivalent iff there is a weak bisimulation relation R with (t0,u0) ∈ R, where t0 and u0 are their respective initial states.
Example
[Figure: two LTSs S and T over the actions a, b, c, each containing tau steps, that are observation equivalent]
Negative Example
[Figure: a deterministic LTS with states 0–3 and a nondeterministic LTS with states 0–4, both over the actions a, b, c, separated by a question mark; this is a negative example: the two are not observation equivalent]
Traces Again
Let T = (S, L, ->, s0) be a labelled transition system.
• Traces(T) is the set of strings a1…an ∈ L* such that there is an s ∈ S with s0 =a1=> … =an=> s
• Two LTSs T and U are trace equivalent iff Traces(T) = Traces(U)
Example
[Figure: the LTS with 0 -a-> 1, 1 -tau-> 2, 1 -b-> 3, 2 -c-> 2, 3 -b-> 3 again]
Traces:
• (empty trace),
• a, ab, abb, abbb, abbbb, …
• a, ac, acc, accc, acccc, …
(Non)determinism
An LTS T = (S, L, ->, s0) is deterministic iff for every trace σ of T there is a unique state s ∈ S with s0 =σ=> s.
[Figure: a deterministic LTS (states 0–3) and a nondeterministic LTS (states 0–4, with 0=a=>1 and 0=a=>2), both over the actions a, b, c; their trace sets are identical!]
FACTS
Let T and U be LTSs.
• If T and U are observation equivalent then T and U are trace equivalent.
• If T and U are trace equivalent then T and U generally are not observation equivalent.
• If T and U are deterministic then they are trace equivalent iff they are observation equivalent.
Do we need nondeterministic processes?
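The observable steps, weak bisimulation and trace definitions above, implemented as an added Python example (not part of the lecture): weak_step computes s ==> t and s =a=> t, weak_bisimilar computes the greatest weak bisimulation by refinement and checks the initial states, and traces enumerates bounded trace sets. The LTSs are constructed here: EXAMPLE reproduces the Examples slide, while DET and NONDET are an assumed reconstruction of the deterministic/nondeterministic pair with trace sets a b* and a c*.

```python
# Added example (not from the lecture): observable steps, weak bisimulation, bounded traces.
from collections import namedtuple
from itertools import product
LTS, TAU = namedtuple("LTS", "states init trans"), "tau"

def tau_closure(lts, s):
    """s ==> t: every t reachable from s by zero or more tau steps."""
    seen, stack = {s}, [s]
    while stack:
        x = stack.pop()
        for src, a, dst in lts.trans:
            if src == x and a == TAU and dst not in seen:
                seen.add(dst); stack.append(dst)
    return seen

def weak_step(lts, s, a=None):
    """s =a=> t, i.e. s ==> s' -a-> t' ==> t; a=None means 'observing nothing'."""
    if a is None:
        return tau_closure(lts, s)
    return {t for s1 in tau_closure(lts, s) for src, b, dst in lts.trans
            if src == s1 and b == a for t in tau_closure(lts, dst)}

def weak_bisimilar(T, U):
    """Greatest weak bisimulation: drop pairs violating clauses 1-4 until stable."""
    acts = {a for L in (T, U) for _, a, _ in L.trans if a != TAU}
    R, changed = set(product(T.states, U.states)), True
    while changed:
        changed = False
        for s, t in list(R):
            for a in [None, *acts]:
                S1, T1 = weak_step(T, s, a), weak_step(U, t, a)
                if not (all(any((x, y) in R for y in T1) for x in S1)
                        and all(any((x, y) in R for x in S1) for y in T1)):
                    R.discard((s, t)); changed = True; break
    return (T.init, U.init) in R

def traces(lts, n):
    """Traces of length <= n, following weak steps s0 =a1=> ... =an=> s."""
    acts = {a for _, a, _ in lts.trans if a != TAU}
    result, frontier = {""}, {(lts.init, "")}
    for _ in range(n):
        frontier = {(t, w + a) for s, w in frontier for a in acts for t in weak_step(lts, s, a)}
        result |= {w for _, w in frontier}
    return result

# Constructed LTSs: EXAMPLE is the Examples slide; DET/NONDET are an assumed pair with traces a b*, a c*.
EXAMPLE = LTS(range(4), 0, [(0, "a", 1), (1, TAU, 2), (1, "b", 3), (2, "c", 2), (3, "b", 3)])
DET = LTS(range(4), 0, [(0, "a", 1), (1, "b", 2), (2, "b", 2), (1, "c", 3), (3, "c", 3)])
NONDET = LTS(range(5), 0, [(0, "a", 1), (0, "a", 2), (1, "b", 3), (3, "b", 3),
                           (2, "c", 4), (4, "c", 4)])
```

DET and NONDET have the same bounded trace sets for every bound but are not weakly bisimilar, which is the FACTS slide's second point made concrete.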
Nondeterminism
What happens with our protocol if a Buffer can lose data?
BUFFER = (get -> put -> BUFFER
         |get -> BUFFER).
The second get alternative introduces nondeterminism.
Compiled: SENDER
Compiled: BUFFER
Compiled: RECEIVER
Composition:
SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVER
State Space:
3 * 2 * 2 * 3 = 36
Composing
potential DEADLOCK
States Composed: 7 Transitions: 8 in 0ms
SYSTEM minimising....
Minimised States: 5 in 60ms
[Figure: the minimised SYSTEM (states 0–4) with in, out and tau transitions and a deadlock state]
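The composition and deadlock check that LTSA performs on the lossy-buffer SYSTEM above, as an added Python example (not the lecture's or LTSA's code): compose implements || with synchronisation on shared actions, relabel plays the role of a:BUFFER with /{send/a.get, rec/a.put} and of b:BUFFER likewise, and deadlocks lists reachable states without successors. The process definitions are constructed from the slides' FSP; the helper names and the state-tuple order (SENDER, a:BUFFER, b:BUFFER, RECEIVER) are this example's own.

```python
# Added example (not from the lecture or LTSA): LTSA-style parallel composition (||),
# relabelling (/{new/old}) and a deadlock search for the lossy-buffer protocol.
from itertools import product

def process(alphabet, trans):
    """A process: its alphabet and (state, action, state) triples; state 0 is initial."""
    return {"alpha": set(alphabet), "trans": trans}

def relabel(p, mapping):
    """Rename actions, e.g. {"get": "send", "put": "rec"} turns BUFFER into a:BUFFER."""
    return process({mapping.get(a, a) for a in p["alpha"]},
                   [(s, mapping.get(a, a), t) for s, a, t in p["trans"]])

def compose(*ps):
    """p1 || p2 || ...: shared actions synchronise, all others interleave; only the
    part of the product state space reachable from the initial state is built."""
    init = tuple(0 for _ in ps)
    alpha = set().union(*(p["alpha"] for p in ps))
    seen, stack, trans = {init}, [init], []
    while stack:
        st = stack.pop()
        for a in alpha:
            # per component: its a-successors, or itself when a is not in its alphabet
            opts = [[t for s, b, t in p["trans"] if s == st[i] and b == a]
                    if a in p["alpha"] else [st[i]] for i, p in enumerate(ps)]
            for nxt in product(*opts):
                trans.append((st, a, nxt))
                if nxt not in seen:
                    seen.add(nxt); stack.append(nxt)
    return {"states": seen, "trans": trans}

def deadlocks(lts):
    """Reachable states with no outgoing transition (LTSA's 'potential DEADLOCK')."""
    return {s for s in lts["states"] if not any(src == s for src, _, _ in lts["trans"])}

# Constructed processes mirroring the slides' FSP; state tuples are ordered
# (SENDER, a:BUFFER, b:BUFFER, RECEIVER).
SENDER = process(["in", "send", "getack"], [(0, "in", 1), (1, "send", 2), (2, "getack", 0)])
RECEIVER = process(["rec", "out", "ack"], [(0, "rec", 1), (1, "out", 2), (2, "ack", 0)])
# BUFFER = (get -> put -> BUFFER | get -> BUFFER): the second get loses the item.
BUFFER = process(["get", "put"], [(0, "get", 1), (1, "put", 0), (0, "get", 0)])
MEDIUM = (relabel(BUFFER, {"get": "send", "put": "rec"}),     # a:BUFFER
          relabel(BUFFER, {"get": "ack", "put": "getack"}))   # b:BUFFER
SYSTEM = compose(SENDER, *MEDIUM, RECEIVER)

if __name__ == "__main__":
    print(len(SYSTEM["states"]), "states,", len(SYSTEM["trans"]), "transitions")
    print("deadlock states:", deadlocks(SYSTEM))  # sender waiting for getack, buffers empty
```

Run stand-alone it reports the same 7 states and 8 transitions that LTSA prints for this SYSTEM, and the single deadlock state is the one where a send or ack was lost.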
Revision 1
Keep sending until a getack is received:
SENDER = (in -> send -> WAIT),
WAIT = (getack -> SENDER
       |send -> WAIT).
Keep sending acks until a rec is received:
RECEIVER = (rec -> OUT),
OUT = (out -> ack -> WAIT),
WAIT = (rec -> OUT
       |ack -> WAIT).
Analysis
This cannot be equivalent to the 2-state Sys process with Sys = (in -> out -> Sys).
Reason: there is no difference between send actions that are repeated and those related to a new in action.
Compiled: SENDER
Compiled: BUFFER
Compiled: RECEIVER
Composition:
SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVER
State Space:
3 * 2 * 2 * 4 = 48
Composing
States Composed: 34 Transitions: 57 in 50ms
SYSTEM minimising.....
Minimised States: 17 in 110ms
Revision 2
Alternating Bit Protocol: send along a bit that is flipped to
distinguish old and new data and acknowledgements.
range B = 0..1
SENDER = (in -> SENDING[0]),
SENDING[b:B] = (send[b] -> SENDING[b]
|getack[1-b] -> SENDING[b]
|getack[b] -> in -> SENDING[1-b]).
RECEIVER = (rec[0] -> out -> ACKING[0]),
ACKING[b:B] = (ack[b] -> ACKING[b]
|rec[b] -> ACKING[b]
|rec[1-b] -> out -> ACKING[1-b]).
BUFFER = (get[b:B] -> put[b] -> BUFFER
|get[b:B] -> BUFFER).
||MEDIUM = (a:BUFFER || b:BUFFER)
/{send/a.get,rec/a.put,ack/b.get,getack/b.put}.
||SYSTEM = (SENDER || MEDIUM || RECEIVER)@{in,out}.
Does It Work?
Composition:
SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVER
State Space:
5 * 3 * 3 * 6 = 270
Composing
States Composed: 45 Transitions: 86 in 0ms
[Figure: the composed SYSTEM LTS with 45 states; only in and out are visible, all other transitions are tau]
Minimization
[Figure: the minimised SYSTEM: two states 0 and 1 with in (0→1) and out (1→0)]
The Alternating Bit system (service) is observationally equivalent to a 1-place buffer.
Summary
• Dynamic system behaviour can be modelled by LTS/FSP specifications
• LTS/FSP models can be composed and analysed using the LTSA tool
• LTS/FSP models can be minimized to observationally equivalent behaviours using bisimulations
• Nondeterminism is an essential modelling feature for system behaviours