design and analysis of executable software models · design and analysis of executable software...
TRANSCRIPT
![Page 1: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/1.jpg)
Design and Analysis of Executable Software Models:An Introduction and Overview
Reiner Hahnlejoint work with Antonio F. Montoya, Richard Bubel, Crystal C. Din and many others!
Technical University of [email protected]
14th International School on Formal Methodsfor the Design of Computer, Communication and Software Systems:
Executable Software Models
Bertinoro, 16th June 2014
http://www.envisage-project.euR. Hahnle (TUD) Analysis of ESMs 0 / 54
![Page 2: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/2.jpg)
Part I
The ABS Modeling Language
R. Hahnle (TUD) Analysis of ESMs 1 / 54
![Page 3: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/3.jpg)
What ABS Is All About
Consequences of design time decisions often realized only at runtime
I Modern SW development oftenmodel-/feature-driven
I Most modeling languages do notaddress behavior rigorously
I Mismatch among artefacts fromanalysis and coding phases
I “Built-in” disconnect betweenanalysts and implementors
I Complicating factors:product variability, concurrency
R. Hahnle (TUD) Analysis of ESMs 2 / 54
![Page 4: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/4.jpg)
What ABS Is All About
Consequences of design time decisions often realized only at runtime
I Modern SW development oftenmodel-/feature-driven
I Most modeling languages do notaddress behavior rigorously
I Mismatch among artefacts fromanalysis and coding phases
I “Built-in” disconnect betweenanalysts and implementors
I Complicating factors:product variability, concurrency
R. Hahnle (TUD) Analysis of ESMs 2 / 54
![Page 5: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/5.jpg)
Main Design Goals of ABS
ABS is designed with analysis/code generation tools in mind
I Expressivity carefully traded off with analysability• enables incremental/compositional static and dynamic analyses
I State-of-art programming language concepts• ADTs + functions + objects• type-safety, data race-freeness by design• modules, components• pluggable type systems, annotations
I Layered concurrency model
Upper tier: asynchronous, no shared state, actor-basedLower tier: synchronous, shared state, cooperative multitasking
I Modeling of variability/deployment with first-class language support• feature models, delta-oriented programming• deployment components
I Not only code analysis, but also code generation/model mining
R. Hahnle (TUD) Analysis of ESMs 3 / 54
![Page 6: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/6.jpg)
ABS Design Principles
I Uniform, formal semantics
I Layered architecture: simplicity, separation of concerns
I Includes standard class-based, imperative and functional sublanguages
I Executability: simulation, rapid prototyping, visualization
I Abstraction: underspecification, non-determinism
I Realistic, yet language-independent concurrency model
I Module system (aka packages)
R. Hahnle (TUD) Analysis of ESMs 4 / 54
![Page 7: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/7.jpg)
Layered ABS Language Design
Real-Time ABSDeploymentComponents
FeatureModeling
RuntimeComponents
Local Contracts, Assertions
Behavioral Interface Specs
Syntactic Modules
Asynchronous Communication
Concurrent Object Groups (COGs)
Imperative Language
Object Model
Pure Functional Programs
Algebraic (Parametric) Data Types
Core ABS
Full ABS
R. Hahnle (TUD) Analysis of ESMs 5 / 54
![Page 8: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/8.jpg)
Built-In Data Types and Operators
Built-In Data Types
data Bool = True | False;data Unit = Unit;data Int; // 4, 2323, −23data String; // ”Hello World”
Built-In Operators (Java-like Syntax)
I All types: == !=
I Bool: ˜ && ||
I Int: + - * / % < > <= >=
I String: +
R. Hahnle (TUD) Analysis of ESMs 6 / 54
![Page 9: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/9.jpg)
Built-In Data Types and Operators
Built-In Data Types
data Bool = True | False;data Unit = Unit;data Int; // 4, 2323, −23data String; // ”Hello World”
Built-In Operators (Java-like Syntax)
I All types: == !=
I Bool: ˜ && ||
I Int: + - * / % < > <= >=
I String: +
R. Hahnle (TUD) Analysis of ESMs 6 / 54
![Page 10: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/10.jpg)
User Defined Algebraic Data Types
User-Defined Data Types
data Fruit = Apple | Banana | Cherry;data Juice = Pure(Fruit) | Mixed(Juice, Juice);type Saft = Juice; // type synonym
Parametric Data Types
data List<T> = Nil | Cons(T, List<T>);
Selectors
data Person = Person(String name, Int age, String address);// if selector names present, they implicitly define selector functionsdef String name(Person p) = ... ;
R. Hahnle (TUD) Analysis of ESMs 7 / 54
![Page 11: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/11.jpg)
User Defined Algebraic Data Types
User-Defined Data Types
data Fruit = Apple | Banana | Cherry;data Juice = Pure(Fruit) | Mixed(Juice, Juice);type Saft = Juice; // type synonym
Parametric Data Types
data List<T> = Nil | Cons(T, List<T>);
Selectors
data Person = Person(String name, Int age, String address);// if selector names present, they implicitly define selector functionsdef String name(Person p) = ... ;
R. Hahnle (TUD) Analysis of ESMs 7 / 54
![Page 12: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/12.jpg)
User Defined Algebraic Data Types
User-Defined Data Types
data Fruit = Apple | Banana | Cherry;data Juice = Pure(Fruit) | Mixed(Juice, Juice);type Saft = Juice; // type synonym
Parametric Data Types
data List<T> = Nil | Cons(T, List<T>);
Selectors
data Person = Person(String name, Int age, String address);// if selector names present, they implicitly define selector functionsdef String name(Person p) = ... ;
R. Hahnle (TUD) Analysis of ESMs 7 / 54
![Page 13: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/13.jpg)
Functions and Pattern Matching
def Int length(IntList list) = // function names lower−casecase list { // definition by case distinction and matching
Nil => 0 ;Cons(n, ls) => 1 + length(ls) ; // data contructor pattern
=> 0 ; // underscore pattern (anonymous variable)} ;
def A head<A>(List<A> list) = // parametric functioncase list {
Cons(x, xs) => x; // unbound variable used to extract value} ;
R. Hahnle (TUD) Analysis of ESMs 8 / 54
![Page 14: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/14.jpg)
ABS Standard Library
ABS Standard Library
module ABS.StdLib;export ∗;
data Maybe<A> = Nothing | Just(A);data Either<A, B> = Left(A) | Right(B);data Pair<A, B> = Pair(A, B);data List<T> = ...;data Set<T> = ...;data Map<K,V> = ...;
...def Int size<A>(Set<A> xs) = ...def Set<A> union<A>(Set<A> set1, Set<A> set2) = ......
R. Hahnle (TUD) Analysis of ESMs 9 / 54
![Page 15: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/15.jpg)
Object Model: Interfaces
Interfaces
I Provide types of objects (implementation abstraction)
I Multiple inheritance
I Subinterfaces
interface Baz { ... }interface Bar extends Baz {
// method signaturesUnit m();Bool foo(Bool b);}
R. Hahnle (TUD) Analysis of ESMs 10 / 54
![Page 16: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/16.jpg)
Object Model: Classes
Classes
I Only for object construction
I No type
I No code inheritance (instead delta-oriented programming is used)
// class declaration with parameters, implicitly defines constructorclass Foo(T x, U y) implements Bar, Baz {
// field declarationsBool flag = False; // primitive types must be initializedU g; // object type field initialization optional{ // optional class initialization block
g = y;}Unit m() { } // method implementationsBool foo(Bool b) { return ˜b; }}
R. Hahnle (TUD) Analysis of ESMs 11 / 54
![Page 17: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/17.jpg)
Active Classes
Active Classes
I Characterized by presence of run() method
I Objects from active classes start activity after initialization
I Passive classes react only to incoming calls
Unit run() {// active behavior ...}
R. Hahnle (TUD) Analysis of ESMs 12 / 54
![Page 18: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/18.jpg)
Imperative Constructs
Sequential Control Flow
Loop while (x) { ... }
Conditional if (x == y) { ... } [else { ... }]
Synchronous method call x.m()
Local State Update and Access (Assignment)
Object creation new Car(Blue);
Field read x = [this.]f; (only on this object)
Field assignment [this.]f = 5; (only on this object)
Blocks
I Sequence of variable declarations and statements
I Data type variables are initialized, reference types default to null
I Statements in block are scope for declared variables
R. Hahnle (TUD) Analysis of ESMs 13 / 54
![Page 19: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/19.jpg)
Concurrency Model
Layered Concurrency Model
Upper tier: asynchronous, no shared state, actor-based
Lower tier: synchronous, shared state, cooperative multitasking
Concurrent Object Groups (COGs)
I Unit of distribution
I Own heap of objectsI Cooperative multitasking inside COGs
• One processor, several tasks• Intra-group communication by synchronous/asynchronous method calls• Multiple tasks originating from asynchronous calls within COG
I Inter-group communication only via asynchronous method calls
R. Hahnle (TUD) Analysis of ESMs 14 / 54
![Page 20: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/20.jpg)
Cooperative Multitasking inside COGs
Multitasking
I A COG can have multiple tasks
I Only one is active, all others are suspended
I Asynchronous calls create new tasksI Synchronous calls block caller thread
• Java-like syntax: target.methodName(arg1, arg2, ...)
Scheduling
I Cooperative by special scheduling statements• Explicit decision of modeller• No preemptive scheduling ⇒ no data races within COGs
I Non-deterministic otherwise• User-defined configuration of schedulers via annotations
R. Hahnle (TUD) Analysis of ESMs 15 / 54
![Page 21: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/21.jpg)
ABS Concurrency Model
Method calls with shared heap access encapsulated in COGs
Distributed computation: asynch. calls/message passing/separate heap
COG
I One activity at a time
I One lock
I Cooperative scheduling
I Callbacks (recursion) ok
I Shared access to data
COG′COG′′
asynchr.call
message passing
no reentrance
insame thread
this:A new B(); this:A b:B
this:A new cog B(); this:A b:B
R. Hahnle (TUD) Analysis of ESMs 16 / 54
![Page 22: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/22.jpg)
ABS Concurrency Model
Method calls with shared heap access encapsulated in COGs
Distributed computation: asynch. calls/message passing/separate heap
···
···
···
Heap
Lock >
COG′COG′′
asynchr.call
message passing
no reentrance
insame thread
this:A new B(); this:A b:B
this:A new cog B(); this:A b:B
R. Hahnle (TUD) Analysis of ESMs 16 / 54
![Page 23: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/23.jpg)
ABS Concurrency Model
Method calls with shared heap access encapsulated in COGs
Distributed computation: asynch. calls/message passing/separate heap
···
···
···
Heap
Lock >
COG′COG′′
asynchr.call
message passing
no reentrance
insame thread
this:A new B(); this:A b:B
this:A new cog B(); this:A b:B
R. Hahnle (TUD) Analysis of ESMs 16 / 54
![Page 24: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/24.jpg)
Asynchronous Method Calls
Asynchronous Method Calls
I Syntax: target ! methodName(arg1, arg2, ...)
I Creates new task in COG of targetI Caller continues execution and allocates a future to store the result
• Fut<T> v = o!m(e);
Conditional Scheduling (Waiting for the Future)
I await g, where g is a polling guard
I Yields task execution until guard is true
Reading Futures
I f.get - reads future f and blocks execution until result is available
I Deadlocks possible (use static analyzer for detection)I Programming idiom: await f? prevents blocking (safe access)
• Fut<T> v = o!m(e);...; await v?; r = v.get;
R. Hahnle (TUD) Analysis of ESMs 17 / 54
![Page 25: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/25.jpg)
Asynchronous Method Calls
Asynchronous Method Calls
I Syntax: target ! methodName(arg1, arg2, ...)
I Creates new task in COG of targetI Caller continues execution and allocates a future to store the result
• Fut<T> v = o!m(e);
Conditional Scheduling (Waiting for the Future)
I await g, where g is a polling guard
I Yields task execution until guard is true
Reading Futures
I f.get - reads future f and blocks execution until result is available
I Deadlocks possible (use static analyzer for detection)I Programming idiom: await f? prevents blocking (safe access)
• Fut<T> v = o!m(e);...; await v?; r = v.get;
R. Hahnle (TUD) Analysis of ESMs 17 / 54
![Page 26: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/26.jpg)
Asynchronous Method Calls
Asynchronous Method Calls
I Syntax: target ! methodName(arg1, arg2, ...)
I Creates new task in COG of targetI Caller continues execution and allocates a future to store the result
• Fut<T> v = o!m(e);
Conditional Scheduling (Waiting for the Future)
I await g, where g is a polling guard
I Yields task execution until guard is true
Reading Futures
I f.get - reads future f and blocks execution until result is available
I Deadlocks possible (use static analyzer for detection)I Programming idiom: await f? prevents blocking (safe access)
• Fut<T> v = o!m(e);...; await v?; r = v.get;
R. Hahnle (TUD) Analysis of ESMs 17 / 54
![Page 27: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/27.jpg)
Part II
Resource Analysis Of ABS Models
R. Hahnle (TUD) Analysis of ESMs 18 / 54
![Page 28: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/28.jpg)
Introduction
Static resource analysis attempts to infer upper bounds on the amount ofresources that can be consumed by a system
Some typical measured resources:
I Time (Computational complexity)
I Space (Memory comsumption)
Related to distributed systems and ABS models
I Bandwidth
I Executed instructions per component (COG)
R. Hahnle (TUD) Analysis of ESMs 19 / 54
![Page 29: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/29.jpg)
A ABS model fragment
An example that we want to analyze:class DBImpl implements DB {List<Account> as = Nil;Account getAccount(Int aid) {Account result = null;Int n = length(as);Int cnt = 0;while (cnt < n) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}...
}
I A method getAccount thatsearches an Account aid
I It iterates over a field as
I For each account a in as, callgetAid and block executionuntil result is ready
I If id is the account we arelooking for, store it in result
R. Hahnle (TUD) Analysis of ESMs 20 / 54
![Page 30: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/30.jpg)
A ABS model fragment
An example that we want to analyze:class DBImpl implements DB {List<Account> as = Nil;Account getAccount(Int aid) {Account result = null;Int n = length(as);Int cnt = 0;while (cnt < n) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}...
}
I A method getAccount thatsearches an Account aid
I It iterates over a field as
I For each account a in as, callgetAid and block executionuntil result is ready
I If id is the account we arelooking for, store it in result
R. Hahnle (TUD) Analysis of ESMs 20 / 54
![Page 31: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/31.jpg)
A ABS model fragment
An example that we want to analyze:class DBImpl implements DB {List<Account> as = Nil;Account getAccount(Int aid) {Account result = null;Int n = length(as);Int cnt = 0;while (cnt < n) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}...
}
I A method getAccount thatsearches an Account aid
I It iterates over a field as
I For each account a in as, callgetAid and block executionuntil result is ready
I If id is the account we arelooking for, store it in result
R. Hahnle (TUD) Analysis of ESMs 20 / 54
![Page 32: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/32.jpg)
A ABS model fragment
An example that we want to analyze:class DBImpl implements DB {List<Account> as = Nil;Account getAccount(Int aid) {Account result = null;Int n = length(as);Int cnt = 0;while (cnt < n) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}...
}
I A method getAccount thatsearches an Account aid
I It iterates over a field as
I For each account a in as, callgetAid and block executionuntil result is ready
I If id is the account we arelooking for, store it in result
R. Hahnle (TUD) Analysis of ESMs 20 / 54
![Page 33: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/33.jpg)
Basic approach (for Sequential Code)
1 Select a cost model• map each instruction to the amount of resources it consumes• dependant on the kind of resource to be measured
Account getAccount(Int aid) {Account result = null;Int n = length(as);Int cnt = 0;while (cnt < n) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
3
1 + nth(as, cnt)1 + getAid()
1
1
1
getAccount(as, aid) = 3 + length(as) + while(0, n, aid , as) n = as
while(cnt, n, aid , as) = 4 + nth(as, cnt) + getAid(a)+if(cnt, n, aid , id) + while(cnt + 1, n, aid , as) cnt < n
while(cnt, n, aid , as) = 0 cnt ≥ nif(cnt, n, aid , id) = 1 id = aidif(cnt, n, aid , id) = 0 id 6= aid
R. Hahnle (TUD) Analysis of ESMs 21 / 54
![Page 34: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/34.jpg)
Basic approach (for Sequential Code)
2 Perform size analysis and generate abstract representation• Abstract data structures to an integer representation of their size• Abstract method calls to cost functions
• Generate a cost equation for each block of code
Account getAccount(Int aid) {Account result = null;Int n = length(as);Int cnt = 0;while (cnt < n) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
3
1 + nth(as, cnt)1 + getAid()
1
1
1
I The list as is abstracted to its length
getAccount(as, aid) = 3 + length(as) + while(0, n, aid , as) n = as
while(cnt, n, aid , as) = 4 + nth(as, cnt) + getAid(a)+if(cnt, n, aid , id) + while(cnt + 1, n, aid , as) cnt < n
while(cnt, n, aid , as) = 0 cnt ≥ nif(cnt, n, aid , id) = 1 id = aidif(cnt, n, aid , id) = 0 id 6= aid
R. Hahnle (TUD) Analysis of ESMs 21 / 54
![Page 35: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/35.jpg)
Basic approach (for Sequential Code)
2 Perform size analysis and generate abstract representation• Abstract data structures to an integer representation of their size• Abstract method calls to cost functions• Generate a cost equation for each block of code
Account getAccount(Int aid) {Account result = null;Int n = length(as);Int cnt = 0;while (cnt < n) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
3
1 + nth(as, cnt)1 + getAid()
1
1
1
I The list as is abstracted to its length
getAccount(as, aid) = 3 + length(as) + while(0, n, aid , as) n = as
while(cnt, n, aid , as) = 4 + nth(as, cnt) + getAid(a)+if(cnt, n, aid , id) + while(cnt + 1, n, aid , as) cnt < n
while(cnt, n, aid , as) = 0 cnt ≥ nif(cnt, n, aid , id) = 1 id = aidif(cnt, n, aid , id) = 0 id 6= aid
R. Hahnle (TUD) Analysis of ESMs 21 / 54
![Page 36: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/36.jpg)
Basic approach (for Sequential Code)
2 Perform size analysis and generate abstract representation• Abstract data structures to an integer representation of their size• Abstract method calls to cost functions• Generate a cost equation for each block of code
Account getAccount(Int aid) {Account result = null;Int n = length(as);Int cnt = 0;while (cnt < n) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
3
1 + nth(as, cnt)1 + getAid()
1
1
1
I The list as is abstracted to its length
getAccount(as, aid) = 3 + length(as) + while(0, n, aid , as) n = as
while(cnt, n, aid , as) = 4 + nth(as, cnt) + getAid(a)+if(cnt, n, aid , id) + while(cnt + 1, n, aid , as) cnt < n
while(cnt, n, aid , as) = 0 cnt ≥ nif(cnt, n, aid , id) = 1 id = aidif(cnt, n, aid , id) = 0 id 6= aid
R. Hahnle (TUD) Analysis of ESMs 21 / 54
![Page 37: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/37.jpg)
Basic approach (for Sequential Code)
2 Perform size analysis and generate abstract representation• Abstract data structures to an integer representation of their size• Abstract method calls to cost functions• Generate a cost equation for each block of code
Account getAccount(Int aid) {Account result = null;Int n = length(as);Int cnt = 0;while (cnt < n) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
3
1 + nth(as, cnt)1 + getAid()
1
1
1
I The list as is abstracted to its length
getAccount(as, aid) = 3 + length(as) + while(0, n, aid , as) n = aswhile(cnt, n, aid , as) = 4 + nth(as, cnt) + getAid(a)+
if(cnt, n, aid , id) + while(cnt + 1, n, aid , as) cnt < nwhile(cnt, n, aid , as) = 0 cnt ≥ n
if(cnt, n, aid , id) = 1 id = aidif(cnt, n, aid , id) = 0 id 6= aid
R. Hahnle (TUD) Analysis of ESMs 21 / 54
![Page 38: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/38.jpg)
Basic approach (for Sequential Code)
2 Perform size analysis and generate abstract representation• Abstract data structures to an integer representation of their size• Abstract method calls to cost functions• Generate a cost equation for each block of code
Account getAccount(Int aid) {Account result = null;Int n = length(as);Int cnt = 0;while (cnt < n) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
3
1 + nth(as, cnt)1 + getAid()
1
1
1
I The list as is abstracted to its length
getAccount(as, aid) = 3 + length(as) + while(0, n, aid , as) n = aswhile(cnt, n, aid , as) = 4 + nth(as, cnt) + getAid(a)+
if(cnt, n, aid , id) + while(cnt + 1, n, aid , as) cnt < nwhile(cnt, n, aid , as) = 0 cnt ≥ nif(cnt, n, aid , id) = 1 id = aidif(cnt, n, aid , id) = 0 id 6= aid
R. Hahnle (TUD) Analysis of ESMs 21 / 54
![Page 39: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/39.jpg)
Basic approach (for sequential models)
3 Solve the system of cost equations:
getAccount(as, aid) = 3 + length(as) + while(0, n, aid , as) n = aswhile(cnt, n, aid , as) = 4 + nth(as, cnt) + getAid(a)+
if(cnt, n, aid , id) + while(cnt + 1, n, aid , as) cnt < nwhile(cnt, n, aid , as) = 0 cnt ≥ nif(cnt, n, aid , id) = 1 id = aidif(cnt, n, aid , id) = 0 id 6= aid
Assuming the following costs:
length(as) = asnth(as, cnt) = cntgetAid(a) = 1
I An upper bound of if(cnt, n, aid , id) = 1
I The cost of any iteration of while 6 + cnt is smaller than 6 + n
I while can iterate at most n times
I An upper bound of while(cnt, n, aid , as) = n2 + 6n
I An upper bound of getAccount(as, aid) = as2 + 7as + 3
R. Hahnle (TUD) Analysis of ESMs 22 / 54
![Page 40: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/40.jpg)
Basic approach (for sequential models)
3 Solve the system of cost equations:
getAccount(as, aid) = 3 + as + while(0, n, aid , as) n = aswhile(cnt, n, aid , as) = 4 + cnt + 1+
if(cnt, n, aid , id) + while(cnt + 1, n, aid , as) cnt < nwhile(cnt, n, aid , as) = 0 cnt ≥ nif(cnt, n, aid , id) = 1 id = aidif(cnt, n, aid , id) = 0 id 6= aid
Assuming the following costs:
length(as) = asnth(as, cnt) = cntgetAid(a) = 1
I An upper bound of if(cnt, n, aid , id) = 1
I The cost of any iteration of while 6 + cnt is smaller than 6 + n
I while can iterate at most n times
I An upper bound of while(cnt, n, aid , as) = n2 + 6n
I An upper bound of getAccount(as, aid) = as2 + 7as + 3
R. Hahnle (TUD) Analysis of ESMs 22 / 54
![Page 41: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/41.jpg)
Basic approach (for sequential models)
3 Solve the system of cost equations:
getAccount(as, aid) = 3 + as + while(0, n, aid , as) n = aswhile(cnt, n, aid , as) = 4 + cnt + 1+
1 + while(cnt + 1, n, aid , as) cnt < nwhile(cnt, n, aid , as) = 0 cnt ≥ nif(cnt, n, aid , id) = 1 id = aidif(cnt, n, aid , id) = 0 id 6= aid
Assuming the following costs:
length(as) = asnth(as, cnt) = cntgetAid(a) = 1
I An upper bound of if(cnt, n, aid , id) = 1
I The cost of any iteration of while 6 + cnt is smaller than 6 + n
I while can iterate at most n times
I An upper bound of while(cnt, n, aid , as) = n2 + 6n
I An upper bound of getAccount(as, aid) = as2 + 7as + 3
R. Hahnle (TUD) Analysis of ESMs 22 / 54
![Page 42: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/42.jpg)
Basic approach (for sequential models)
3 Solve the system of cost equations:
getAccount(as, aid) = 3 + as + while(0, n, aid , as) n = aswhile(cnt, n, aid , as) = 4 + cnt + 1+
1 + while(cnt + 1, n, aid , as) cnt < nwhile(cnt, n, aid , as) = 0 cnt ≥ nif(cnt, n, aid , id) = 1 id = aidif(cnt, n, aid , id) = 0 id 6= aid
Assuming the following costs:
length(as) = asnth(as, cnt) = cntgetAid(a) = 1
I An upper bound of if(cnt, n, aid , id) = 1
I The cost of any iteration of while 6 + cnt is smaller than 6 + n
I while can iterate at most n times
I An upper bound of while(cnt, n, aid , as) = n2 + 6n
I An upper bound of getAccount(as, aid) = as2 + 7as + 3
R. Hahnle (TUD) Analysis of ESMs 22 / 54
![Page 43: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/43.jpg)
Basic approach (for sequential models)
3 Solve the system of cost equations:
getAccount(as, aid) = 3 + as + while(0, n, aid , as) n = aswhile(cnt, n, aid , as) = 4 + cnt + 1+
1 + while(cnt + 1, n, aid , as) cnt < nwhile(cnt, n, aid , as) = 0 cnt ≥ nif(cnt, n, aid , id) = 1 id = aidif(cnt, n, aid , id) = 0 id 6= aid
Assuming the following costs:
length(as) = asnth(as, cnt) = cntgetAid(a) = 1
I An upper bound of if(cnt, n, aid , id) = 1
I The cost of any iteration of while 6 + cnt is smaller than 6 + n
I while can iterate at most n times
I An upper bound of while(cnt, n, aid , as) = n2 + 6n
I An upper bound of getAccount(as, aid) = as2 + 7as + 3
R. Hahnle (TUD) Analysis of ESMs 22 / 54
![Page 44: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/44.jpg)
Basic approach (for sequential models)
3 Solve the system of cost equations:
getAccount(as, aid) = 3 + as + n2 + 6n n = aswhile(cnt, n, aid , as) = 4 + cnt + 1+
1 + while(cnt + 1, n, aid , as) cnt < nwhile(cnt, n, aid , as) = 0 cnt ≥ nif(cnt, n, aid , id) = 1 id = aidif(cnt, n, aid , id) = 0 id 6= aid
Assuming the following costs:
length(as) = asnth(as, cnt) = cntgetAid(a) = 1
I An upper bound of if(cnt, n, aid , id) = 1
I The cost of any iteration of while 6 + cnt is smaller than 6 + n
I while can iterate at most n times
I An upper bound of while(cnt, n, aid , as) = n2 + 6n
I An upper bound of getAccount(as, aid) = as2 + 7as + 3
R. Hahnle (TUD) Analysis of ESMs 22 / 54
![Page 45: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/45.jpg)
Basic approach (for sequential models)
3 Solve the system of cost equations:
getAccount(as, aid) = 3 + as + n2 + 6n n = aswhile(cnt, n, aid , as) = 4 + cnt + 1+
1 + while(cnt + 1, n, aid , as) cnt < nwhile(cnt, n, aid , as) = 0 cnt ≥ nif(cnt, n, aid , id) = 1 id = aidif(cnt, n, aid , id) = 0 id 6= aid
Assuming the following costs:
length(as) = asnth(as, cnt) = cntgetAid(a) = 1
I An upper bound of if(cnt, n, aid , id) = 1
I The cost of any iteration of while 6 + cnt is smaller than 6 + n
I while can iterate at most n times
I An upper bound of while(cnt, n, aid , as) = n2 + 6n
I An upper bound of getAccount(as, aid) = as2 + 7as + 3
R. Hahnle (TUD) Analysis of ESMs 22 / 54
![Page 46: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/46.jpg)
Analyzing Concurrent Models
I Concurrency increases the degree of non-determinism
I In ABS, fields can be modified by other methods during release points
Consider the following modification of our example:Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
I Direct comparison with thelength of as
I Wait for idFut withoutblocking the object
I as could be increased during await byanother method
I Then the initial value of as is not abound on the number of iterations
Problems
R. Hahnle (TUD) Analysis of ESMs 23 / 54
![Page 47: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/47.jpg)
Analyzing Concurrent Models
I Concurrency increases the degree of non-determinism
I In ABS, fields can be modified by other methods during release points
Consider the following modification of our example:Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
I Direct comparison with thelength of as
I Wait for idFut withoutblocking the object
I as could be increased during await byanother method
I Then the initial value of as is not abound on the number of iterations
Problems
R. Hahnle (TUD) Analysis of ESMs 23 / 54
![Page 48: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/48.jpg)
Analyzing Concurrent Models
I Concurrency increases the degree of non-determinism
I In ABS, fields can be modified by other methods during release points
Consider the following modification of our example:Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
I Direct comparison with thelength of as
I Wait for idFut withoutblocking the object
I as could be increased during await byanother method
I Then the initial value of as is not abound on the number of iterations
Problems
R. Hahnle (TUD) Analysis of ESMs 23 / 54
![Page 49: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/49.jpg)
Analyzing Concurrent Models
I Concurrency increases the degree of non-determinism
I In ABS, fields can be modified by other methods during release points
Consider the following modification of our example:Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
I Direct comparison with thelength of as
I Wait for idFut withoutblocking the object
I as could be increased during await byanother method
I Then the initial value of as is not abound on the number of iterations
Problems
R. Hahnle (TUD) Analysis of ESMs 23 / 54
![Page 50: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/50.jpg)
Analyzing Concurrent Models: Class Invariants
Use class invariants to capture the required information
Class invariants
An ABS class invariant is a predicate over the fields of a class that holdsat every release point
Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
I Annotate the method with[as<=max(as)] at its releasepoints
I Now it is guaranteed that theloop does not iterate more thanmax(as) times
[as<=max(as)]
[as<=max(as)]
But have to prove that theinvariant holds!
R. Hahnle (TUD) Analysis of ESMs 24 / 54
![Page 51: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/51.jpg)
Analyzing Concurrent Models: Class Invariants
Use class invariants to capture the required information
Class invariants
An ABS class invariant is a predicate over the fields of a class that holdsat every release point
Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
I Annotate the method with[as<=max(as)] at its releasepoints
I Now it is guaranteed that theloop does not iterate more thanmax(as) times
[as<=max(as)]
[as<=max(as)]
But have to prove that theinvariant holds!
R. Hahnle (TUD) Analysis of ESMs 24 / 54
![Page 52: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/52.jpg)
Analyzing Concurrent Models: Class Invariants
Use class invariants to capture the required information
Class invariants
An ABS class invariant is a predicate over the fields of a class that holdsat every release point
Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
I Annotate the method with[as<=max(as)] at its releasepoints
I Now it is guaranteed that theloop does not iterate more thanmax(as) times
[as<=max(as)]
[as<=max(as)]
But have to prove that theinvariant holds!
R. Hahnle (TUD) Analysis of ESMs 24 / 54
![Page 53: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/53.jpg)
Analyzing Concurrent Models: Class Invariants
Use class invariants to capture the required information
Class invariants
An ABS class invariant is a predicate over the fields of a class that holdsat every release point
Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
I Annotate the method with[as<=max(as)] at its releasepoints
I Now it is guaranteed that theloop does not iterate more thanmax(as) times
[as<=max(as)]
[as<=max(as)]
But have to prove that theinvariant holds!
R. Hahnle (TUD) Analysis of ESMs 24 / 54
![Page 54: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/54.jpg)
Analyzing Concurrent Models: Class Invariants
Use class invariants to capture the required information
Class invariants
An ABS class invariant is a predicate over the fields of a class that holdsat every release point
Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
I Annotate the method with[as<=max(as)] at its releasepoints
I Now it is guaranteed that theloop does not iterate more thanmax(as) times
[as<=max(as)]
[as<=max(as)]
But have to prove that theinvariant holds!
R. Hahnle (TUD) Analysis of ESMs 24 / 54
![Page 55: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/55.jpg)
Rely-Guarantee Reasoning (for Termination)
Adapt a rely-guarantee approach for proving termination as follows:
I Given a loop, assume its fields are not modified during release points
I Attempt to prove termination of the loop
Observation
If a loop terminates when its fields are not modified, it also terminates ifthe fields are modified a finite number of times
I Prove that the instructions that modify the fields involved in thetermination proof (in between release points) are modified a finitenumber of times
I To do so, use same procedure in the loops that contain suchinstructions
I We fail if we find a circular dependency
A similar approach can be used to obtain upper bounds
R. Hahnle (TUD) Analysis of ESMs 25 / 54
![Page 56: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/56.jpg)
Rely-Guarantee Reasoning: Example
To apply this procedure, we need a complete program—
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
add a main method that:
I creates a database (DBImpl)
I adds 10 new accounts to the database(sequentially)
I calls method getAccount
Assume insertAccount modifies thefield as of the database as expected
R. Hahnle (TUD) Analysis of ESMs 26 / 54
![Page 57: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/57.jpg)
Rely-Guarantee Reasoning: Example
To apply this procedure, we need a complete program—
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
add a main method that:
I creates a database (DBImpl)
I adds 10 new accounts to the database(sequentially)
I calls method getAccount
Assume insertAccount modifies thefield as of the database as expected
R. Hahnle (TUD) Analysis of ESMs 26 / 54
![Page 58: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/58.jpg)
Rely-Guarantee Reasoning: Example
To apply this procedure, we need a complete program—
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
add a main method that:
I creates a database (DBImpl)
I adds 10 new accounts to the database(sequentially)
I calls method getAccount
Assume insertAccount modifies thefield as of the database as expected
R. Hahnle (TUD) Analysis of ESMs 26 / 54
![Page 59: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/59.jpg)
Rely-Guarantee Reasoning: Example
To apply this procedure, we need a complete program—
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
add a main method that:
I creates a database (DBImpl)
I adds 10 new accounts to the database(sequentially)
I calls method getAccount
Assume insertAccount modifies thefield as of the database as expected
R. Hahnle (TUD) Analysis of ESMs 26 / 54
![Page 60: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/60.jpg)
Rely-Guarantee Reasoning: Example
To apply this procedure, we need a complete program—
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
add a main method that:
I creates a database (DBImpl)
I adds 10 new accounts to the database(sequentially)
I calls method getAccount
Assume insertAccount modifies thefield as of the database as expected
R. Hahnle (TUD) Analysis of ESMs 26 / 54
![Page 61: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/61.jpg)
Rely-Guarantee Reasoning: Example
Method applied to to getAccount:Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
1 assume as is unmodified during await
2 obtain that as is an upper bound onthe number of iterations
3 examine the program points where ascan be modified
4 all instances of insertAccountmust have finished when we executegetAccount
5 therefore, the upper bound is correctand we are done!
R. Hahnle (TUD) Analysis of ESMs 27 / 54
![Page 62: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/62.jpg)
Rely-Guarantee Reasoning: Example
Method applied to to getAccount:Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
1 assume as is unmodified during await
2 obtain that as is an upper bound onthe number of iterations
3 examine the program points where ascan be modified
4 all instances of insertAccountmust have finished when we executegetAccount
5 therefore, the upper bound is correctand we are done!
R. Hahnle (TUD) Analysis of ESMs 27 / 54
![Page 63: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/63.jpg)
Rely-Guarantee Reasoning: Example
Method applied to to getAccount:Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
1 assume as is unmodified during await
2 obtain that as is an upper bound onthe number of iterations
3 examine the program points where ascan be modified
4 all instances of insertAccountmust have finished when we executegetAccount
5 therefore, the upper bound is correctand we are done!
R. Hahnle (TUD) Analysis of ESMs 27 / 54
![Page 64: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/64.jpg)
Rely-Guarantee Reasoning: Example
Method applied to to getAccount:
Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
1 assume as is unmodified during await
2 obtain that as is an upper bound onthe number of iterations
3 examine the program points where ascan be modified
4 all instances of insertAccountmust have finished when we executegetAccount
5 therefore, the upper bound is correctand we are done!
R. Hahnle (TUD) Analysis of ESMs 27 / 54
![Page 65: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/65.jpg)
Rely-Guarantee Reasoning: Example
Method applied to to getAccount:
Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
1 assume as is unmodified during await
2 obtain that as is an upper bound onthe number of iterations
3 examine the program points where ascan be modified
4 all instances of insertAccountmust have finished when we executegetAccount
5 therefore, the upper bound is correctand we are done!
R. Hahnle (TUD) Analysis of ESMs 27 / 54
![Page 66: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/66.jpg)
Rely-Guarantee Reasoning: Example
Method applied to to getAccount:
Account getAccount(Int aid) {Account result = null;Int cnt = 0;while (cnt < length(as)) {Account a = nth(as,cnt);Fut<Int>idFut = a!getAid();await idFut;Int id=idFut.get;if (aid == id) {result = a;
}cnt = cnt+1;
}return result;
}
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
1 assume as is unmodified during await
2 obtain that as is an upper bound onthe number of iterations
3 examine the program points where ascan be modified
4 all instances of insertAccountmust have finished when we executegetAccount
5 therefore, the upper bound is correctand we are done!
R. Hahnle (TUD) Analysis of ESMs 27 / 54
![Page 67: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/67.jpg)
Rely-Guarantee Reasoning: Example(2)
Consider the following modification:
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
4 without the await, some instances ofinsertAccount might execute inparallel with getAccount
5 we need to prove that the number ofinstances of insertAccount isfinite
6 apply rely-guarantee procedure to thewhile loop in the main block
7 that loop terminates without anyadditional asumptions (it has at most10 iterations)
8 we are done!
R. Hahnle (TUD) Analysis of ESMs 28 / 54
![Page 68: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/68.jpg)
Rely-Guarantee Reasoning: Example(2)
Consider the following modification:
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
4 without the await, some instances ofinsertAccount might execute inparallel with getAccount
5 we need to prove that the number ofinstances of insertAccount isfinite
6 apply rely-guarantee procedure to thewhile loop in the main block
7 that loop terminates without anyadditional asumptions (it has at most10 iterations)
8 we are done!
R. Hahnle (TUD) Analysis of ESMs 28 / 54
![Page 69: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/69.jpg)
Rely-Guarantee Reasoning: Example(2)
Consider the following modification:
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
4 without the await, some instances ofinsertAccount might execute inparallel with getAccount
5 we need to prove that the number ofinstances of insertAccount isfinite
6 apply rely-guarantee procedure to thewhile loop in the main block
7 that loop terminates without anyadditional asumptions (it has at most10 iterations)
8 we are done!
R. Hahnle (TUD) Analysis of ESMs 28 / 54
![Page 70: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/70.jpg)
Rely-Guarantee Reasoning: Example(2)
Consider the following modification:
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
4 without the await, some instances ofinsertAccount might execute inparallel with getAccount
5 we need to prove that the number ofinstances of insertAccount isfinite
6 apply rely-guarantee procedure to thewhile loop in the main block
7 that loop terminates without anyadditional asumptions (it has at most10 iterations)
8 we are done!
R. Hahnle (TUD) Analysis of ESMs 28 / 54
![Page 71: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/71.jpg)
Rely-Guarantee Reasoning: Example(2)
Consider the following modification:
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
4 without the await, some instances ofinsertAccount might execute inparallel with getAccount
5 we need to prove that the number ofinstances of insertAccount isfinite
6 apply rely-guarantee procedure to thewhile loop in the main block
7 that loop terminates without anyadditional asumptions (it has at most10 iterations)
8 we are done!
R. Hahnle (TUD) Analysis of ESMs 28 / 54
![Page 72: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/72.jpg)
Rely-Guarantee Reasoning: Example(2)
Consider the following modification:
{Account a;DB db = new cog DBImpl();Int max = 10;Int i = 1;while(i <= max){a = new cog AccountImpl(i,0);Fut<Unit> aFut =db!insertAccount(a);
await aFut?;i = i+1;
}db!getAccount(3);
}
4 without the await, some instances ofinsertAccount might execute inparallel with getAccount
5 we need to prove that the number ofinstances of insertAccount isfinite
6 apply rely-guarantee procedure to thewhile loop in the main block
7 that loop terminates without anyadditional asumptions (it has at most10 iterations)
8 we are done!
R. Hahnle (TUD) Analysis of ESMs 28 / 54
![Page 73: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/73.jpg)
Part III
Deadlock Analyis of ABS Models
R. Hahnle (TUD) Analysis of ESMs 29 / 54
![Page 74: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/74.jpg)
Introduction
The ABS concurrency model excludes race conditions, but not deadlocks
Definition (Deadlock)
A deadlock situation is a state of a concurrent model in which one or moretasks are waiting for each others’ termination and none of them can makeany progress.
In ABS, the main entities involved in deadlocks are:
I COGs, that represent the units of concurrency (processors)
I Method executions (a.k.a. tasks)
I Synchronization statements (await g and get)
R. Hahnle (TUD) Analysis of ESMs 30 / 54
![Page 75: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/75.jpg)
ABS Deadlock Example
1 B → C .wait
2 A→ B.empt2
3 B.empt2→ B(wait for B’s lock)
4 C .wait → A.empt
5 A.empt → A(wait for A’s lock)
Deadlock!
Dependencies:
{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
R. Hahnle (TUD) Analysis of ESMs 31 / 54
![Page 76: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/76.jpg)
ABS Deadlock Example
1 B → C .wait
2 A→ B.empt2
3 B.empt2→ B(wait for B’s lock)
4 C .wait → A.empt
5 A.empt → A(wait for A’s lock)
Deadlock!
Dependencies:
{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
R. Hahnle (TUD) Analysis of ESMs 31 / 54
![Page 77: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/77.jpg)
ABS Deadlock Example
1 B → C .wait
2 A→ B.empt2
3 B.empt2→ B(wait for B’s lock)
4 C .wait → A.empt
5 A.empt → A(wait for A’s lock)
Deadlock!
Dependencies:
{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
R. Hahnle (TUD) Analysis of ESMs 31 / 54
![Page 78: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/78.jpg)
ABS Deadlock Example
1 B → C .wait
2 A→ B.empt2
3 B.empt2→ B(wait for B’s lock)
4 C .wait → A.empt
5 A.empt → A(wait for A’s lock)
Deadlock!
Dependencies:
{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
R. Hahnle (TUD) Analysis of ESMs 31 / 54
![Page 79: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/79.jpg)
ABS Deadlock Example
1 B → C .wait
2 A→ B.empt2
3 B.empt2→ B(wait for B’s lock)
4 C .wait → A.empt
5 A.empt → A(wait for A’s lock)
Deadlock!
Dependencies:
{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
R. Hahnle (TUD) Analysis of ESMs 31 / 54
![Page 80: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/80.jpg)
ABS Deadlock Example
1 B → C .wait
2 A→ B.empt2
3 B.empt2→ B(wait for B’s lock)
4 C .wait → A.empt
5 A.empt → A(wait for A’s lock)
Deadlock!
Dependencies:{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
R. Hahnle (TUD) Analysis of ESMs 31 / 54
![Page 81: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/81.jpg)
ABS Deadlock Example
1 B → C .wait
2 A→ B.empt2
3 B.empt2→ B(wait for B’s lock)
4 C .wait → A.empt
5 A.empt → A(wait for A’s lock)
Deadlock!
Dependencies:{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
R. Hahnle (TUD) Analysis of ESMs 31 / 54
![Page 82: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/82.jpg)
ABS Deadlock Example
1 B → C .wait
2 A→ B.empt2
3 B.empt2→ B(wait for B’s lock)
4 C .wait → A.empt
5 A.empt → A(wait for A’s lock)
Deadlock!
Dependencies:{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
R. Hahnle (TUD) Analysis of ESMs 31 / 54
![Page 83: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/83.jpg)
ABS Deadlock Example
1 B → C .wait
2 A→ B.empt2
3 B.empt2→ B(wait for B’s lock)
4 C .wait → A.empt
5 A.empt → A(wait for A’s lock)
Deadlock!
Dependencies:{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
R. Hahnle (TUD) Analysis of ESMs 31 / 54
![Page 84: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/84.jpg)
ABS Deadlock Example
1 B → C .wait
2 A→ B.empt2
3 B.empt2→ B(wait for B’s lock)
4 C .wait → A.empt
5 A.empt → A(wait for A’s lock)
Deadlock!
Dependencies:{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
R. Hahnle (TUD) Analysis of ESMs 31 / 54
![Page 85: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/85.jpg)
Idea for Deadlock Analysis
Approximate statically “dependencies” that occur at runtime
Dependencies
Dependencies are created by tasks and COGs that wait for each other atsynchronization points (await g or get)
Which tasks/COGs wait for which other tasks/COGs?
This is our plan:
I Obtain a finite representation (approximation) of all possible objects,COGs and tasks that can be created
I Analyse the future variables dependencies at synchronization points
I Approximate this information through a points-to analysis
R. Hahnle (TUD) Analysis of ESMs 32 / 54
![Page 86: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/86.jpg)
Idea for Deadlock Analysis
Approximate statically “dependencies” that occur at runtime
Dependencies
Dependencies are created by tasks and COGs that wait for each other atsynchronization points (await g or get)
Which tasks/COGs wait for which other tasks/COGs?
This is our plan:
I Obtain a finite representation (approximation) of all possible objects,COGs and tasks that can be created
I Analyse the future variables dependencies at synchronization points
I Approximate this information through a points-to analysis
R. Hahnle (TUD) Analysis of ESMs 32 / 54
![Page 87: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/87.jpg)
Idea for Deadlock Analysis
Approximate statically “dependencies” that occur at runtime
Dependencies
Dependencies are created by tasks and COGs that wait for each other atsynchronization points (await g or get)
Which tasks/COGs wait for which other tasks/COGs?
This is our plan:
I Obtain a finite representation (approximation) of all possible objects,COGs and tasks that can be created
I Analyse the future variables dependencies at synchronization points
I Approximate this information through a points-to analysis
R. Hahnle (TUD) Analysis of ESMs 32 / 54
![Page 88: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/88.jpg)
Abstract Dependencies
Definition (Kinds of dependencies in an abstract representation of ABS)
COG-task dependencies, when a task waits for the termination of anothertask but keeps the COG’s lock (using get)
task-task dependencies, when a task waits for the termination of anothertask with a non-blocking operation (await g) or with ablocking operation (using get)
task-COG dependencies between a task and the COG it belongs to
Cycles within dependencies can indicate deadlock situations
R. Hahnle (TUD) Analysis of ESMs 33 / 54
![Page 89: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/89.jpg)
Abstract Dependencies
Definition (Kinds of dependencies in an abstract representation of ABS)
COG-task dependencies, when a task waits for the termination of anothertask but keeps the COG’s lock (using get)
task-task dependencies, when a task waits for the termination of anothertask with a non-blocking operation (await g) or with ablocking operation (using get)
task-COG dependencies between a task and the COG it belongs to
Cycles within dependencies can indicate deadlock situations
R. Hahnle (TUD) Analysis of ESMs 33 / 54
![Page 90: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/90.jpg)
Building the Abstract Dependency Graph
I main, A, B, and C
Abstract COGs:
I f.get in B
I f.get in A
I await f? in C
Synchronization instructions:
{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
R. Hahnle (TUD) Analysis of ESMs 34 / 54
![Page 91: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/91.jpg)
Building the Abstract Dependency Graph
I main, A, B, and C
Abstract COGs:
I f.get in B
I f.get in A
I await f? in C
Synchronization instructions:
{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
Bmain
A C
B.blk_c
C .wait
A.empt
B.empt2
A.blk_b
Abstract COGs &tasks
R. Hahnle (TUD) Analysis of ESMs 34 / 54
![Page 92: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/92.jpg)
Building the Abstract Dependency Graph
I main, A, B, and C
Abstract COGs:
I f.get in B
I f.get in A
I await f? in C
Synchronization instructions:
{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
Bmain
A C
B.blk_c
C .wait
A.empt
B.empt2
A.blk_b
Abstract COGs &tasks
Abstract COGs &tasksCOG-Task
R. Hahnle (TUD) Analysis of ESMs 34 / 54
![Page 93: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/93.jpg)
Building the Abstract Dependency Graph
I main, A, B, and C
Abstract COGs:
I f.get in B
I f.get in A
I await f? in C
Synchronization instructions:
{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
Bmain
A C
B.blk_c
C .wait
A.empt
B.empt2
A.blk_b
Abstract COGs &tasks
Abstract COGs &tasksCOG-TaskTask-Task
R. Hahnle (TUD) Analysis of ESMs 34 / 54
![Page 94: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/94.jpg)
Building the Abstract Dependency Graph
I main, A, B, and C
Abstract COGs:
I f.get in B
I f.get in A
I await f? in C
Synchronization instructions:
{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
Bmain
A C
B.blk_c
C .wait
A.empt
B.empt2
A.blk_b
Abstract COGs &tasks
Abstract COGs &tasksCOG-TaskTask-TaskTask-COG
R. Hahnle (TUD) Analysis of ESMs 34 / 54
![Page 95: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/95.jpg)
Building the Abstract Dependency Graph
I main, A, B, and C
Abstract COGs:
I f.get in B
I f.get in A
I await f? in C
Synchronization instructions:
{a=new cog A();b=new cog B();c=new cog C();b!blk_c(c,a);a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
C
Bmain
A C
B.blk_c
C .wait
A.empt
B.empt2
A.blk_b
Abstract COGs &tasks
Abstract COGs &tasksCOG-TaskTask-TaskTask-COGDeadlockCycle
R. Hahnle (TUD) Analysis of ESMs 34 / 54
![Page 96: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/96.jpg)
Abstraction Is Too Coarse
I Dependency cycleremains in abstractgraph
I But program isdeadlock-free
I Not all depen-dencies can occursimultaneously
Add synchronization{a=new A();b=new B();c=new C();f=b!blk_c(c,a);await f?;a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
Cclass C{wait(A a){f=a!empt();await f?;
}}
Cclass C{wait(A a){f=a!empt();await f?;
}}
C
R. Hahnle (TUD) Analysis of ESMs 35 / 54
![Page 97: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/97.jpg)
May-Happen-in-Parallel Information
Problem Analysis
I Dependencies abstract away from all possible synchronizations
I A cycle only represents a real deadlock risk when synchronizationsmay occur simultaneously
I Annotate each dependency with the program point that causes it
I A may-happen-in-parallel (MHP) analysis tells whether two programpoints can be executed in parallel
Definition (Feasible Cycle)
A cycle (in the abstract dependency graph) is feasible if all program pointsin the edge annotations can happen in parallel.
R. Hahnle (TUD) Analysis of ESMs 36 / 54
![Page 98: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/98.jpg)
May-Happen-in-Parallel Information
Problem Analysis
I Dependencies abstract away from all possible synchronizations
I A cycle only represents a real deadlock risk when synchronizationsmay occur simultaneously
I Annotate each dependency with the program point that causes it
I A may-happen-in-parallel (MHP) analysis tells whether two programpoints can be executed in parallel
Definition (Feasible Cycle)
A cycle (in the abstract dependency graph) is feasible if all program pointsin the edge annotations can happen in parallel.
R. Hahnle (TUD) Analysis of ESMs 36 / 54
![Page 99: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/99.jpg)
Applying MHP to Modified Example
I await f? inmain enforcescompletion ofblk_c in B
I f.get in A 6‖f.get in B
Result of MHP:
{a=new A();b=new B();c=new C();f=b!blk_c(c,a);await f?;a!blk_b(b);
}
main
class A{blk_b(B b){f=b!empt2();f.get;
}empt(){}}
A
class B{blk_c(C c,A a){f=c!wait(a);f.get;
}empt2(){}}
B
class C{wait(A a){f=a!empt();await f?;
}}
Cclass C{wait(A a){f=a!empt();await f?;
}}
Cclass C{wait(A a){f=a!empt();await f?;
}}
C
R. Hahnle (TUD) Analysis of ESMs 37 / 54
![Page 100: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/100.jpg)
Applying MHP to Annotated Dependency Graph
Bmain
A C
B.blk_c
C .wait
A.empt
B.empt2
A.blk_b
f.get in A
f.get in B
The cycle is unfeasible.f.get in A 6‖ f.get in B
R. Hahnle (TUD) Analysis of ESMs 38 / 54
![Page 101: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/101.jpg)
Part IV
Deductive Verification Of ABS Models
R. Hahnle (TUD) Analysis of ESMs 39 / 54
![Page 102: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/102.jpg)
Deductive verification of ABS
Functional verification of complex (first-order) properties
Uses ideas byW. Ahrendt, M. Dylla, and C. Din et al.
Deductive Functional Verification
Based on a program logic for ABS that . . .
I Uses verification paradigma “logic rewriting as symbolic execution”:test generation, visualization, symbolic state debugging, . . .
I Is suitable for open-world verificationhide internal structures of components from each other
R. Hahnle (TUD) Analysis of ESMs 40 / 54
![Page 103: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/103.jpg)
Verification Workflow
�interface�Account
Int deposit(Int x)Int withdraw(Int x)Bool transfer(...)
AccountImpl
Int aid;Int balance;
. . .
Interface Invariant
Class Invariant
Proof-ObligationGenerator
Verifier
ABS DLFormula
X X
R. Hahnle (TUD) Analysis of ESMs 41 / 54
![Page 104: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/104.jpg)
Verification Workflow
�interface�Account
Int deposit(Int x)Int withdraw(Int x)Bool transfer(...)
AccountImpl
Int aid;Int balance;
. . .
Interface Invariant
Class Invariant
Proof-ObligationGenerator
Verifier
ABS DLFormula
X X
Interface invariants express mostly restrictions on the control-flowClass invariants relate the object state to the local system history
R. Hahnle (TUD) Analysis of ESMs 41 / 54
![Page 105: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/105.jpg)
Verification Workflow
�interface�Account
Int deposit(Int x)Int withdraw(Int x)Bool transfer(...)
AccountImpl
Int aid;Int balance;
. . .
Interface Invariant
Class Invariant
Proof-ObligationGenerator
Verifier
ABS DLFormula
X X
R. Hahnle (TUD) Analysis of ESMs 41 / 54
![Page 106: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/106.jpg)
Verification Workflow
�interface�Account
Int deposit(Int x)Int withdraw(Int x)Bool transfer(...)
AccountImpl
Int aid;Int balance;
. . .
Interface Invariant
Class Invariant
Proof-ObligationGenerator
Verifier
ABS DLFormula
X X
R. Hahnle (TUD) Analysis of ESMs 41 / 54
![Page 107: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/107.jpg)
ABS-DL: Dynamic Logic
Dynamic Logic for ABS
Sorted first-order logic + ABS programs + modalities + updates
I 〈p〉φ: Program p terminates and in its final state φ holds.
I [p]φ: If program p terminates then in its final state φ holds.
We consider only partial correctness (box modality)
Core Concepts
I Sequent calculus based on symbolic execution paradigm
I Assumption-commitment/rely-guarantee reasoning style
R. Hahnle (TUD) Analysis of ESMs 42 / 54
![Page 108: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/108.jpg)
ABS-DL: Dynamic Logic
Dynamic Logic for ABS
Sorted first-order logic + ABS programs + modalities + updates
I 〈p〉φ: Program p terminates and in its final state φ holds.
I [p]φ: If program p terminates then in its final state φ holds.
We consider only partial correctness (box modality)
Core Concepts
I Sequent calculus based on symbolic execution paradigm
I Assumption-commitment/rely-guarantee reasoning style
R. Hahnle (TUD) Analysis of ESMs 42 / 54
![Page 109: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/109.jpg)
ABS-DL: Logic Setup
interface Account { ... }class AccountImpl implements Account { ... }
data List = Cons(Int, List) | Nildef List tail(List l) = case l {
Cons(x, l) => l;Nil => Nil;
}
Sorts SFor each
I interface I ,
I abstract datatype T (including built-in ADTs)
there are sorts I , T ∈ S
R. Hahnle (TUD) Analysis of ESMs 43 / 54
![Page 110: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/110.jpg)
ABS-DL: Logic Setup
interface Account { ... }class AccountImpl implements Account { ... }
data List = Cons(Int, List) | Nildef List tail(List l) = case l {
Cons(x, l) => l;Nil => Nil;
}
FunctionsFor each constructor, function of an ADT there is a rigid function symbolof same name and arity in ABS-DL
Calculus contains (automatically generated) rules for:
I different constructors denote different entities
I rewrite rules for each function definition
R. Hahnle (TUD) Analysis of ESMs 43 / 54
![Page 111: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/111.jpg)
ABS-DL: Sequent Calculus
Gentzen-Style Sequent Calculus: Γ⇒ ∆∧γ∈Γ
γ →∨δ∈∆
δ
Propositional Rules (classical logic)
andLeftΓ,A,B ⇒ ∆
Γ,A ∧ B ⇒ ∆andRight
Γ⇒ A,∆ Γ⇒ B,∆
Γ⇒ A ∧ B,∆
impRightΓ,A⇒ B,∆
Γ⇒ A→ B,∆
R. Hahnle (TUD) Analysis of ESMs 44 / 54
![Page 112: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/112.jpg)
ABS-DL: Sequent Calculus
Gentzen-Style Sequent Calculus: Γ⇒ ∆∧γ∈Γ
γ →∨δ∈∆
δ
Propositional Rules (classical logic)
andLeftΓ,A,B ⇒ ∆
Γ,A ∧ B ⇒ ∆andRight
Γ⇒ A,∆ Γ⇒ B,∆
Γ⇒ A ∧ B,∆
impRightΓ,A⇒ B,∆
Γ⇒ A→ B,∆
R. Hahnle (TUD) Analysis of ESMs 44 / 54
![Page 113: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/113.jpg)
ABS-DL: Dynamic Logic and Updates
Symbolic Representation of State TransitionsGeneralization of explicit substitutions
Elementary update (val has no side effects)
loc := val
Same meaning as an assignment
Parallel updateloc1 := val1 || loc2 := val2
Update application
on term: {U}t on formula: {U}φ
Example (Update simplification)
{i := j‖j := i}(i = iold ) ({i := j‖j := i}i) = ({i := j‖j := i}iold ) j = iold
R. Hahnle (TUD) Analysis of ESMs 45 / 54
![Page 114: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/114.jpg)
ABS-DL: Dynamic Logic and Updates
Symbolic Representation of State TransitionsGeneralization of explicit substitutions
Elementary update (val has no side effects)
loc := val
Same meaning as an assignment
Parallel updateloc1 := val1 || loc2 := val2
Update application
on term: {U}t on formula: {U}φ
Example (Update simplification)
{i := j‖j := i}(i = iold ) ({i := j‖j := i}i) = ({i := j‖j := i}iold ) j = iold
R. Hahnle (TUD) Analysis of ESMs 45 / 54
![Page 115: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/115.jpg)
ABS-DL: Dynamic Logic and Updates
Symbolic Representation of State TransitionsGeneralization of explicit substitutions
Elementary update (val has no side effects)
loc := val
Same meaning as an assignment
Parallel updateloc1 := val1 || loc2 := val2
Update application
on term: {U}t on formula: {U}φ
Example (Update simplification)
{i := j‖j := i}(i = iold ) ({i := j‖j := i}i) = ({i := j‖j := i}iold ) j = iold
R. Hahnle (TUD) Analysis of ESMs 45 / 54
![Page 116: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/116.jpg)
ABS-DL: Dynamic Logic and Updates
Symbolic Representation of State TransitionsGeneralization of explicit substitutions
Elementary update (val has no side effects)
loc := val
Same meaning as an assignment
Parallel updateloc1 := val1 || loc2 := val2
Update application
on term: {U}t on formula: {U}φ
Example (Update simplification)
{i := j‖j := i}(i = iold )
({i := j‖j := i}i) = ({i := j‖j := i}iold ) j = iold
R. Hahnle (TUD) Analysis of ESMs 45 / 54
![Page 117: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/117.jpg)
ABS-DL: Dynamic Logic and Updates
Symbolic Representation of State TransitionsGeneralization of explicit substitutions
Elementary update (val has no side effects)
loc := val
Same meaning as an assignment
Parallel updateloc1 := val1 || loc2 := val2
Update application
on term: {U}t on formula: {U}φ
Example (Update simplification)
{i := j‖j := i}(i = iold ) ({i := j‖j := i}i) = ({i := j‖j := i}iold )
j = iold
R. Hahnle (TUD) Analysis of ESMs 45 / 54
![Page 118: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/118.jpg)
ABS-DL: Dynamic Logic and Updates
Symbolic Representation of State TransitionsGeneralization of explicit substitutions
Elementary update (val has no side effects)
loc := val
Same meaning as an assignment
Parallel updateloc1 := val1 || loc2 := val2
Update application
on term: {U}t on formula: {U}φ
Example (Update simplification)
{i := j‖j := i}(i = iold ) ({i := j‖j := i}i) = ({i := j‖j := i}iold ) j = iold
R. Hahnle (TUD) Analysis of ESMs 45 / 54
![Page 119: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/119.jpg)
ABS-DL: Support for Imperative ABS
Assignment Rule
Γ⇒ {U}{x := e} [ω]φ,∆
Γ⇒ {U}[x=e;ω]φ,∆
e side effect free (pure) expression
Conditional Rule
Γ, {U}e ⇒ {U}[p;ω]φ,∆ Γ, {U}¬e ⇒ {U}[q;ω]φ,∆
Γ⇒ {U}[if (e) {p} else {q} ω]φ,∆
I e pure expression
I Rule splits proof in a then and else branch
R. Hahnle (TUD) Analysis of ESMs 46 / 54
![Page 120: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/120.jpg)
ABS-DL: Support for Imperative ABS
Assignment Rule
Γ⇒ {U}{x := e} [ω]φ,∆
Γ⇒ {U}[x=e;ω]φ,∆
e side effect free (pure) expression
Conditional Rule
Γ, {U}e ⇒ {U}[p;ω]φ,∆ Γ, {U}¬e ⇒ {U}[q;ω]φ,∆
Γ⇒ {U}[if (e) {p} else {q} ω]φ,∆
I e pure expression
I Rule splits proof in a then and else branch
R. Hahnle (TUD) Analysis of ESMs 46 / 54
![Page 121: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/121.jpg)
ABS-DL: Heap Modelling
Explicit Heap Model
I Global program variable: heap
I Axiomatized using theory of arrays:
select(store(heap, this, field , 5)︸ ︷︷ ︸this.field = 5;
, this, field)
Advantage
Easy to assign all fields an unknown value
I anonymization of field values at control release
R. Hahnle (TUD) Analysis of ESMs 47 / 54
![Page 122: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/122.jpg)
ABS Dynamic Logic (DL): History Events
Verification of distributed systems achieved by sequential means
⇒ Event Histories: Sequences of Messages [Din et al.]
bank:Bank acc:AccountImpl
Invocation Event(inEv)
withdraw(amount)Invocation Reaction
Event (inREv)
Completion Event(compEv)return
Completion ReactionEvent (compREv)
R. Hahnle (TUD) Analysis of ESMs 48 / 54
![Page 123: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/123.jpg)
ABS Dynamic Logic (DL): History Events
Verification of distributed systems achieved by sequential means
⇒ Event Histories: Sequences of Messages [Din et al.]
bank:Bank acc:AccountImpl
Invocation Event(inEv)
withdraw(amount)Invocation Reaction
Event (inREv)
Completion Event(compEv)return
Completion ReactionEvent (compREv)
R. Hahnle (TUD) Analysis of ESMs 48 / 54
![Page 124: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/124.jpg)
ABS Dynamic Logic (DL): History Events
Verification of distributed systems achieved by sequential means
⇒ Event Histories: Sequences of Messages [Din et al.]
bank:Bank acc:AccountImpl
Invocation Event(inEv)
withdraw(amount)
Invocation ReactionEvent (inREv)
Completion Event(compEv)return
Completion ReactionEvent (compREv)
History Event: inEv(bank, acc, fut,withdraw, (amount))
I fut: newly created future for asynchronous message
I (· · · ): list of arguments
R. Hahnle (TUD) Analysis of ESMs 48 / 54
![Page 125: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/125.jpg)
ABS Dynamic Logic (DL): History Events
Verification of distributed systems achieved by sequential means
⇒ Event Histories: Sequences of Messages [Din et al.]
bank:Bank acc:AccountImpl
Invocation Event(inEv)
withdraw(amount)Invocation Reaction
Event (inREv)
Completion Event(compEv)return
Completion ReactionEvent (compREv)
History Event: inREv(bank, acc, fut,withdraw, (amount))
I event created upon execution of method
I fut: future to be resolved upon completion
R. Hahnle (TUD) Analysis of ESMs 48 / 54
![Page 126: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/126.jpg)
ABS Dynamic Logic (DL): History Events
Verification of distributed systems achieved by sequential means
⇒ Event Histories: Sequences of Messages [Din et al.]
bank:Bank acc:AccountImpl
Invocation Event(inEv)
withdraw(amount)Invocation Reaction
Event (inREv)
Completion Event(compEv)return
Completion ReactionEvent (compREv)
History Event: compEv(acc, fut,withdraw, r)
I event created upon completion of method
I r: return value of method for future fut
R. Hahnle (TUD) Analysis of ESMs 48 / 54
![Page 127: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/127.jpg)
ABS Dynamic Logic (DL): History Events
Verification of distributed systems achieved by sequential means
⇒ Event Histories: Sequences of Messages [Din et al.]
bank:Bank acc:AccountImpl
Invocation Event(inEv)
withdraw(amount)Invocation Reaction
Event (inREv)
Completion Event(compEv)return
Completion ReactionEvent (compREv)
History Event: compREv(bank, fut, r)
I event created upon resolving fut
R. Hahnle (TUD) Analysis of ESMs 48 / 54
![Page 128: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/128.jpg)
ABS Dynamic Logic (DL): History Events
bank:Bank acc:AccountImpl
Invocation Event(inEv)
withdraw(amount)Invocation Reaction
Event (inREv)
Completion Event(compEv)return
Completion ReactionEvent (compREv)
History Events: Observations
I Time delay between events and reaction events
I Implicit restrictions on event order
I Need to specify properties of event histories (complex quantifiers)
Many subgoals during verification are concerned with the event order
R. Hahnle (TUD) Analysis of ESMs 48 / 54
![Page 129: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/129.jpg)
ABS-DL: Concurrent Constructs
Messages: Structured Labels/Events
inEv(caller , callee, future,method , args)inREv(caller , callee, future,method , args)compEv(callee, future,method , return value)compREv(receiver , future, return value)
R. Hahnle (TUD) Analysis of ESMs 49 / 54
![Page 130: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/130.jpg)
ABS-DL: Concurrent Constructs
Messages: Structured Labels/Events
inEv(caller , callee, future,method , args)inREv(caller , callee, future,method , args)compEv(callee, future,method , return value)compREv(receiver , future, return value)
History
Represented as program variable of type History
I Standard sequent axiomatisationI Specification predicates and functions:
• wfHist, isCompletionEv , isInvocationEv• getResultFrom(label), etc.
R. Hahnle (TUD) Analysis of ESMs 49 / 54
![Page 131: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/131.jpg)
ABS-DL: Concurrent Constructs
Messages: Structured Labels/Events
inEv(caller , callee, future,method , args)inREv(caller , callee, future,method , args)compEv(callee, future,method , return value)compREv(receiver , future, return value)
Wellformedness predicate wfHist
I invocation event < invocation reaction event << completion event < completion reaction event
I For each reaction event there must be a precursor event
I Only one of each such events for a specific invocation
I Futures are unique and not “reused”
R. Hahnle (TUD) Analysis of ESMs 49 / 54
![Page 132: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/132.jpg)
Example: Invariants of class Account
We can now express:
Balance of class Account always non-negative
\invariants(Seq theHistory, Heap theHeap, ABSAnyInterface self) {nonNegativeBalance : AccountImpl {
int::select(theHeap, self, balance) >= 0}; }
For the above invariant to be preserved, we need also:
Method deposit(Int) is always invoked with non-negative argument
\invariants(Seq theHistory, Heap theHeap, ABSAnyInterface self) {amountOfDepositNonNegative : AccountImpl {\forall Event ev; \forall int i; ( i >= 0 & i < seqLen(theHistory) −>
( ev = Event::seqGet(theHistory, i) &( isInvocationEv(ev) | isInvocationREv(ev)) &getMethod(ev) = Account::deposit −>
int::seqGet(getArguments(ev), 0) >= 0 ) ) ) };
R. Hahnle (TUD) Analysis of ESMs 50 / 54
![Page 133: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/133.jpg)
Example: Invariants of class Account
We can now express:
Balance of class Account always non-negative
\invariants(Seq theHistory, Heap theHeap, ABSAnyInterface self) {nonNegativeBalance : AccountImpl {
int::select(theHeap, self, balance) >= 0}; }
For the above invariant to be preserved, we need also:
Method deposit(Int) is always invoked with non-negative argument
\invariants(Seq theHistory, Heap theHeap, ABSAnyInterface self) {amountOfDepositNonNegative : AccountImpl {\forall Event ev; \forall int i; ( i >= 0 & i < seqLen(theHistory) −>
( ev = Event::seqGet(theHistory, i) &( isInvocationEv(ev) | isInvocationREv(ev)) &getMethod(ev) = Account::deposit −>
int::seqGet(getArguments(ev), 0) >= 0 ) ) ) };
R. Hahnle (TUD) Analysis of ESMs 50 / 54
![Page 134: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/134.jpg)
Asynchronous Method Invocation
Asynchronous Method Call
Γ⇒ {U}(o 6 .= null ∧ wfHist(H)),∆Γ⇒ {U}(futureUnused(frc,H)→{fr := frc ||H := H ◦ inEv(this, o, frc,m, args)}(RI (H, o) ∧ [ω]φ)),∆
Γ⇒ {U}[r = o!m(args);ω]φ,∆
Rule has two premisses . . .
I First premiss: callee is not null and history is wellformedI Second premiss (continuation of symbolic execution):
• new future created as part of invocation event• invocation event appended to history• upon asynchronous call all interface invariants (and preconditions of
method) are established• postcondition φ holds after execution of remaining program
R. Hahnle (TUD) Analysis of ESMs 51 / 54
![Page 135: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/135.jpg)
Asynchronous Method Invocation
Awaiting Completion
Γ⇒ CInv(C )(heap,H, this),∆Γ⇒ {heap := newHeap || H := H ◦ AH ◦ compREv(. . .)}
(CInv(C )(heap,H, this) ∧ EI (H, this) ∧ wfHist(H)→ [ω]φ),∆
Γ⇒ [await r?;ω]φ,∆
Rule has two premisses . . .
I First premiss: class invariant is established (await releases control)I Second premiss (continuation of symbolic execution):
• heap is anonymised• history is extended by an unspecified sequence of events (AH) followed
by the completion reaction event• EI (. . .): assume class invariant & interface invariants
(+ postcondition of method)
R. Hahnle (TUD) Analysis of ESMs 52 / 54
![Page 136: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/136.jpg)
Asynchronous Method Invocation
Awaiting Completion
Γ⇒ CInv(C )(heap,H, this),∆Γ⇒ {heap := newHeap || H := H ◦ AH ◦ compREv(. . .)}
(CInv(C )(heap,H, this) ∧ EI (H, this) ∧ wfHist(H)→ [ω]φ),∆
Γ⇒ [await r?;ω]φ,∆
Rule has two premisses . . .
I First premiss: class invariant is established (await releases control)I Second premiss (continuation of symbolic execution):
• heap is anonymised• history is extended by an unspecified sequence of events (AH) followed
by the completion reaction event• EI (. . .): assume class invariant & interface invariants
(+ postcondition of method)
R. Hahnle (TUD) Analysis of ESMs 52 / 54
![Page 137: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/137.jpg)
Tool support: Current Status
Tool
I Verification tool based on KeY
I Maturity: Late alpha stage
R. Hahnle (TUD) Analysis of ESMs 53 / 54
![Page 138: Design and Analysis of Executable Software Models · Design and Analysis of Executable Software Models: An Introduction and Overview Reiner H ahnle joint work with Antonio F. Montoya,](https://reader035.vdocument.in/reader035/viewer/2022062917/5ed914cf6714ca7f47691d44/html5/thumbnails/138.jpg)
Summary
The ABS Language
I Executable modeling language with formal semanticsI Suitable for modeling distributed and concurrent systemsI Cooperative multitasking + asynchronous calls with futures
Resource Analysis
I Abstract representation of programs: cost equationsI Rely-guarantee reasoning to prove termination of concurrent code
Deadlock Analysis
I Abstract dependency graph captures potential deadlocksI MHP-analysis improves precision
Deductive Verification
I Histories to achieve sequential style (compositional) reasoningI No explicit modeling of process queues or scheduling needed
R. Hahnle (TUD) Analysis of ESMs 54 / 54