Software engineering tools and methods - unipi.it
TRANSCRIPT
30/11/2012
1
Corso di Laurea Magistrale in Ingegneria Informatica (Master's degree in Computer Engineering)
Module B - Software Systems Engineering, a.y. 2012-2013
Gigliola Vaglini
Software Engineering Tools and Methods
Lecture 12

Software engineering tools
Software development tools are the computer-based tools that are intended to assist the software life cycle processes. Tools are often designed to support particular software engineering methods and allow well-defined actions to be automated.
Software Requirements Tools
Tools for dealing with software requirements have been classified into two categories: modeling and traceability tools.
- Requirements modeling tools are used for eliciting, analyzing, specifying, and validating software requirements.
- Requirements traceability tools are becoming increasingly important as the complexity of software grows. Since they are also relevant in other life cycle processes, they are presented separately from the requirements modeling tools.
Software Design and Construction Tools
They are tools for
- creating and checking software designs;
- producing and translating program representations (for instance, source code) that are sufficiently detailed and explicit to enable machine execution. Examples are program editors, compilers and code generators, interpreters, and debuggers.

Software Testing Tools
- Test generators assist in the development of test cases.
- Test execution frameworks enable the execution of test cases in a controlled environment.
- Test evaluation tools support the assessment of the results of test execution, helping to determine whether or not the observed behavior conforms to the expected behavior.
- Test management tools provide support for all aspects of the software testing process.
- Performance analysis tools are used for measuring and analyzing software performance.
Software Maintenance Tools
Two categories are identified:
- Comprehension tools assist in the human comprehension of programs. Examples include visualization tools such as animators.
- Reengineering tools. Reengineering is defined as the examination and alteration of a software product to reconstitute it in a new form, and includes the subsequent implementation of the new form. Reengineering tools support that activity. Reverse engineering tools assist the process by working backwards from an existing product to create artifacts such as specification and design descriptions, which can then be transformed to generate a new product from an old one.

Software Engineering Management Tools
Software engineering management tools are subdivided into three categories: project planning and tracking, risk management, and measurement.
- Project planning and tracking tools are used in effort measurement and cost estimation.
- Risk management tools are used in identifying, estimating, and monitoring risks.
- Measurement tools assist in performing the activities related to the software measurement program.
Software Quality Tools
Quality tools are divided into two categories: inspection and analysis tools.
- Review and audit tools support reviews and audits.
- Static analysis tools analyze software artifacts: syntactic and semantic analyzers, as well as data flow, control flow, and dependency analyzers. Such tools are intended for checking software artifacts for conformance or for verifying desired properties.

Formal Methods
Formal methods, dealing with mathematically based approaches, can be used for performing static analysis. Various aspects of formal methods can be pointed out:
- Specification languages and notations, i.e., the specification notation or language used; specification languages can be, for example, property-oriented or behavior-oriented.
- The way in which the method refines (or transforms) the specification into a form that is closer to the desired final form of an executable program.
- Verification/proving of properties, i.e., the way in which the system properties are proved, for example through model checking.
Specification and verification
The concurrent systems case

System specification
The description of the system is abstracted from implementation details, but it must be comprehensible, unambiguous and expressive.
A formal system specification is written in a rigorous language and is based on a sound theory.
Formal methods
Formal methods are mathematical approaches to solving software (and hardware) problems at the requirements, specification and design levels.
Various formal specification notations are available; in particular, finite state machine based methodologies allow executable software specifications.
Formal methods are most likely to be applied where the software is safety critical: software safety assurance standards demand formal methods.

System Verification
Does the system respect a given property?
- The property can be verified on the system specification.
- The verification can be carried out automatically in the verification environment.
- The verification can be formal, i.e., properties are formally defined and proofs are rigorous.
Concurrent Systems
Concurrent systems are characterized by the existence of
- parallel events,
- communicating events,
- nondeterministic occurrence of events.

Parallelism
P1: R = R + 1;  P2: R = R * 2;  P1 || P2
(Figure: P1 and P2 both act on the shared variable R.)
The program result depends on the relative speed of the concurrent activities.
The functional (input/output) semantics of sequential languages is not suitable.
Operational semantics
A new kind of semantics is given to concurrent programs, based on automata theory:
- machine state;
- state transition (an action/event can cause a state transition);
- program semantics = state machine.
(Figure: the statement y = y + 1 as a transition from the state y:3 to the state y:4.)

Semantic description of concurrency
Interleaving
- The concurrent execution of action a and action b produces an effect equivalent to one of the sequential executions of a and b, i.e., ab or ba.
True concurrency
- The concurrent execution of action a and action b can produce an effect equivalent neither to ab nor to ba.
Interleaving semantics
P1: R = R + 1;  P2: R = R * 2;  P1 || P2
Starting from R:1, the two interleavings give two different results:
R:1 --P1--> R:2 --P2--> R:4
R:1 --P2--> R:2 --P1--> R:3

True concurrency semantics
P1: R = R + 1;  P2: R = R * 2;  P1 || P2
(Figure: a single step in which P1 and P2 act on R at the same time, drawn as R:1 --P1,P2--> R:2, an outcome that corresponds to neither sequential order.)
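The two interleavings above can be enumerated mechanically. The following Python code is an added example (not part of the original slides): it runs every interleaving of P1 and P2 from R = 1 and collects the possible final values. It also goes one step beyond the slide: the same two assignments are run at load/compute/store granularity, where a third outcome appears (R = 2, both processes having read the old value), the lost update that the true-concurrency picture hints at. The helper names interleavings, run, outcomes and assign, and the temporaries t1 and t2, are the example's own.

```python
"""Interleaving semantics of P1 || P2 (added example, not from the slides).

P1: R = R + 1 and P2: R = R * 2 act on a shared variable R. Every interleaving
of their steps is executed and the set of final values of R is collected.
"""
from itertools import combinations
from typing import Callable, Dict, FrozenSet, Iterator, List, Sequence, Tuple

State = Dict[str, int]
Step = Callable[[State], None]


def interleavings(n: int, m: int) -> Iterator[Tuple[int, ...]]:
    """All orders of n steps of process 1 and m steps of process 2 that keep
    each process's own order: choose which positions belong to process 1."""
    for positions in combinations(range(n + m), n):
        order = [2] * (n + m)
        for pos in positions:
            order[pos] = 1
        yield tuple(order)


def run(order: Sequence[int], p1: List[Step], p2: List[Step], init: State) -> State:
    """Execute one interleaving on a copy of the initial state."""
    state = dict(init)
    i = j = 0
    for pid in order:
        if pid == 1:
            p1[i](state)
            i += 1
        else:
            p2[j](state)
            j += 1
    return state


def outcomes(p1: List[Step], p2: List[Step], init: State) -> FrozenSet[int]:
    """Final values of R over all interleavings of p1 and p2."""
    return frozenset(run(o, p1, p2, init)["R"]
                     for o in interleavings(len(p1), len(p2)))


def assign(var: str, expr: Callable[[State], int]) -> Step:
    """One atomic step that stores expr(state) into var."""
    def step(state: State) -> None:
        state[var] = expr(state)
    return step


# The slide's granularity: each assignment is a single atomic step.
P1_ATOMIC: List[Step] = [assign("R", lambda s: s["R"] + 1)]
P2_ATOMIC: List[Step] = [assign("R", lambda s: s["R"] * 2)]

# Beyond the slide: the same assignments as load / compute / store steps,
# with per-process temporaries t1 and t2 (names chosen for this example).
P1_SPLIT: List[Step] = [
    assign("t1", lambda s: s["R"]),        # load R
    assign("t1", lambda s: s["t1"] + 1),   # compute
    assign("R", lambda s: s["t1"]),        # store
]
P2_SPLIT: List[Step] = [
    assign("t2", lambda s: s["R"]),
    assign("t2", lambda s: s["t2"] * 2),
    assign("R", lambda s: s["t2"]),
]

if __name__ == "__main__":
    print(sorted(outcomes(P1_ATOMIC, P2_ATOMIC, {"R": 1})))  # [3, 4]
    print(sorted(outcomes(P1_SPLIT, P2_SPLIT, {"R": 1})))    # [2, 3, 4]
```

With atomic assignments the result set is exactly the two sequential orders of the slide; with the split steps, any interleaving in which both loads happen before either store makes both processes compute from R = 1, and whichever stores last leaves R = 2.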
Specification languages
Algebraic languages
- Algebra = data + operators on data
Process algebra
- Data = processes
- Operators = parallel composition, nondeterministic choice, communication, ...

Calculus of Communicating Systems (CCS) (Milner '89)
- Structural operational semantics (SOS)
- Concurrency as interleaving
- Synchronous communication
- Several process equivalences are defined
Model checking
Properties are verified through model checking: properties of the specification are checked on a structure (a finite-state system) that is its semantics. The verification is carried out by an algorithm, not by theorem proving.

Model checking vs. theorem proving
Model checking is semantics based: the structure is traversed, and in each state a sub-property must be satisfied. For non-recursive properties the complexity of the existing algorithms is linear, O(n + m).
Theorem proving is syntax based: one tries to construct all the programs that have a given property. The strategy is supplied by the user (it cannot be automated), and there are infinitely many programs that have the desired property...
CCS syntax
P ::= nil | α.P | P+P | P|P | P\L | P[f] | C
A = {a, b, ...}  input actions
'A = {'a, 'b, ...}  output actions
Vis = A ∪ 'A  observable actions
τ  non-observable action
Act = Vis ∪ {τ}  action alphabet
C := P  process definition
L ⊆ Vis,  f : Act → Act

Process interface
(Figure: a process P drawn as a box with input channels c, d, ... on one side and output channels 'a, 'b, ... on the other.)
CCS semantics
Each process P is associated with a labeled transition system, LTS(P), that defines the behavior of P:
- states = processes
- initial state = P
- labels ∈ Act

Example
P := a.b.P + c.(a.d.P + c.'e.Q)
Q := c.Q + 'b.P
LTS(P): P --a--> b.P --b--> P;  P --c--> a.d.P + c.'e.Q;  a.d.P + c.'e.Q --a--> d.P --d--> P;  a.d.P + c.'e.Q --c--> 'e.Q --'e--> Q;  Q --c--> Q;  Q --'b--> P
Structural operational semantics of CCS
- It is defined by structural induction on the syntax.
- Inference rules, written premise / conclusion, are used to define the transition relation.

SOS of CCS
nil
- no action is executed
- no inference rule is needed
- this constant expresses process termination (success or failure/deadlock)
α.P
- the prefix of the term is an action
- no premise is needed
- it expresses sequentiality: the action α is executed and then the behavior of P is followed
(act)  α.P --α--> P
(cont.)
LTS(a.b.nil):  a.b.nil --a--> b.nil --b--> nil
Proof of the transition a.b.nil --a--> b.nil: there exists a sequence of rule applications that leads from a.b.nil to b.nil; here one application of (act) suffices:
(act)  a.b.nil --a--> b.nil

Nondeterministic choice
P + Q
- this process can behave as P or as Q
- the choice is nondeterministic
- the operator + is associative
(sum_1)  P --α--> P'  /  P + Q --α--> P'
(sum_2)  Q --α--> Q'  /  P + Q --α--> Q'
(cont.)
LTS(a.nil + b.nil):  a.nil + b.nil --a--> nil;  a.nil + b.nil --b--> nil
Proof of the transition a.nil + b.nil --a--> nil:
(act)  a.nil --a--> nil
(sum_1)  a.nil + b.nil --a--> nil

(cont.)
LTS(c.(a.nil + b.nil)):  c.(a.nil + b.nil) --c--> a.nil + b.nil;  a.nil + b.nil --a--> nil;  a.nil + b.nil --b--> nil
Process name
X
- process name or constant definition
- it expresses recursion
- the meaning of X is that of the associated process
(con)  P --α--> P'  /  X --α--> P'   if X := P

(cont.)
Semaphore:  SEM := p.'v.SEM
LTS(SEM):  SEM --p--> 'v.SEM --'v--> SEM
Timer:  CLOCK := 'tick.CLOCK
LTS(CLOCK):  CLOCK --'tick--> CLOCK
Proof of the transition CLOCK --'tick--> CLOCK:
(act)  'tick.CLOCK --'tick--> CLOCK
(con)  CLOCK --'tick--> CLOCK
Parallelism
P | Q
- the actions of P and Q are interleaved
- it is possible to perform a synchronous communication through an input action of P and an output action of Q (and vice versa)
- the operator | is associative

(cont.)
(par_1)  P --α--> P'  /  P | Q --α--> P' | Q   (interleaving)
(par_2)  Q --α--> Q'  /  P | Q --α--> P | Q'   (interleaving)
(com)  P --α--> P',  Q --'α--> Q'  /  P | Q --τ--> P' | Q'   with α ∈ Vis   (synchronization)
(cont.)
- α and 'α are corresponding actions
- processes can communicate or behave independently
- when communicating, P and Q perform the non-observable action τ
- communication is always synchronous and between a pair of processes

(cont.)
The parallel operator composes processes through channels with corresponding names.
(Figure: a process P with output channel 'a and a process Q with input channel a and output channel b; in P | Q the channel 'a of P is connected to the channel a of Q.)
Example
LTS(a.b.nil | 'b.nil):
a.b.nil | 'b.nil --a--> b.nil | 'b.nil
a.b.nil | 'b.nil --'b--> a.b.nil | nil
b.nil | 'b.nil --b--> nil | 'b.nil
b.nil | 'b.nil --'b--> b.nil | nil
b.nil | 'b.nil --τ--> nil | nil
a.b.nil | nil --a--> b.nil | nil
nil | 'b.nil --'b--> nil | nil
b.nil | nil --b--> nil | nil
Proof of the transition a.b.nil | 'b.nil --a--> b.nil | 'b.nil:
(act)  a.b.nil --a--> b.nil
(par_1)  a.b.nil | 'b.nil --a--> b.nil | 'b.nil

Restriction
P\L
- L ⊆ Vis
- P can perform visible actions in L
- P\L cannot perform visible actions in L
- if P is a parallel process, its communication channels become local
(res)  P --α--> P'  /  P\L --α--> P'\L   if α ∉ (L ∪ 'L)
Examples
a.nil + b.nil --a--> nil and a.nil + b.nil --b--> nil, while (a.nil + b.nil)\{a} --b--> nil\{a} is the only transition of the restricted process.
(a.nil + b.nil) | 'a.nil can perform a, b, 'a and the synchronization τ; ((a.nil + b.nil) | 'a.nil)\{a} can only perform b, reaching (nil | 'a.nil)\{a}, and τ, reaching (nil | nil)\{a}.

Relabeling
P[f]
- f : Act → Act relabels all the actions of Act
- it can be used to manage modularity
(rel)  P --α--> P'  /  P[f] --f(α)--> P'[f]
f(α) = b_i if α = a_i for some i, otherwise f(α) = α
Properties: f(τ) = τ and f('a) = 'f(a)
CCS expressiveness
CCS is Turing-equivalent:
- infinite-state processes exist;
- properties are decidable if the transition system is finite;
- syntactic restrictions assure that the LTS is finite. Note: it is LTS(P) that is finite, not P.

Infinite LTS
X := a.X | b.nil
X --a--> X | b.nil --a--> X | b.nil | b.nil --a--> ...
and each of these states can also perform b, e.g. X --b--> a.X | nil and X | b.nil --b--> X | nil.
Every a adds one more parallel b.nil, so no finite state automaton behaves as LTS(X).
SOS of CCS (summary)
(act)  α.P --α--> P
(sum_1)  P --α--> P'  /  P + Q --α--> P'
(sum_2)  Q --α--> Q'  /  P + Q --α--> Q'
(par_1)  P --α--> P'  /  P | Q --α--> P' | Q
(par_2)  Q --α--> Q'  /  P | Q --α--> P | Q'
(com)  P --a--> P',  Q --'a--> Q'  /  P | Q --τ--> P' | Q'
(res)  P --α--> P'  /  P\L --α--> P'\L   if α ∉ (L ∪ 'L)
(rel)  P --α--> P'  /  P[f] --f(α)--> P'[f]
(con)  P --α--> P'  /  X --α--> P'   if X := P
Process equivalence
Equivalent processes exhibit the same "behavior".

LTS Equivalence (≡_LTS)
Processes P and Q are LTS equivalent (P ≡_LTS Q) iff LTS(P) = LTS(Q).
LTS(a.nil | b.nil):  a.nil | b.nil --a--> nil | b.nil --b--> nil | nil;  a.nil | b.nil --b--> a.nil | nil --a--> nil | nil
LTS(a.b.nil + b.a.nil):  a.b.nil + b.a.nil --a--> b.nil --b--> nil;  a.b.nil + b.a.nil --b--> a.nil --a--> nil

LTS problems
a.nil | b.nil is not ≡_LTS a.b.nil + b.a.nil: the two transition systems have the same shape but different states.
X := a.a.X, Y := a.Y: X is not ≡_LTS Y.
This equivalence is too low level.
String Equivalence (≡_S)
Two processes are string equivalent if they can perform the same sequences of actions.
X := a.a.X, Y := a.Y:  X ≡_S Y (both perform a, aa, aaa, ...)
W := a.b.nil + a.c.nil, Z := a.(b.nil + c.nil):  W ≡_S Z (both perform ab and ac)

Problems with ≡_S
1. Terminating processes
2. Nondeterminism
3. Non-observable action
P := a.b.nil + a.c.nil, Q := a.(b.nil + c.nil):  P ≡_S Q, but after a, P may already have lost the possibility of doing b (or c), while Q has not.
P := a.τ.nil, Q := a.nil:  whether P ≡_S Q depends on whether the non-observable action τ is counted in the strings, although the two processes should not be told apart by an observer.
P := a.nil + a.P, Q := a.Q:  P ≡_S Q, but P can terminate after any a while Q never terminates.
Strong Equivalence (~)
- P and Q are "strongly equivalent" if it is not possible to distinguish their external behaviors.
- This equivalence solves problem 1 (termination) and problem 2 (nondeterminism).

Strong Equivalence (cont.)
B ⊆ P × P is a strong bisimulation if, for all (P, Q) ∈ B and all α ∈ Act:
a) P --α--> P' implies that there exists Q' such that Q --α--> Q' and (P', Q') ∈ B;
b) Q --α--> Q' implies that there exists P' such that P --α--> P' and (P', Q') ∈ B.
Strong Equivalence (definition)
P ~ Q iff there exists a strong bisimulation B such that (P, Q) ∈ B.

Examples
P --a--> A, P --a--> B;  Q --a--> C, Q --a--> D, Q --a--> E (A, B, C, D, E have no transitions):  P ~ Q, and both
B1 = { (P,Q), (A,C), (B,D), (A,E) } and B2 = { (P,Q), (A,C), (B,D), (B,E) } are strong bisimulations.
P --a--> A (A has no transitions);  Q --a--> Q:  P is NOT ~ Q, since B = { (P,Q), (A,Q) } is not a strong bisimulation (Q --a--> Q but A cannot perform a).
Examples (cont.)
(Figure, not reproduced: two transition systems, the left one with states P, A, B, C and the right one with states Q, R, S, with transitions labeled a and b.)
Is P ~ Q? Build the candidate relation step by step: B = { (P,Q), (A,R), (A,S), (B,?), ... }. Pairing B with Q and C with S gives
B = { (P,Q), (A,R), (A,S), (B,Q), (C,S) }, and the pair (B,Q) is checked as follows:
B --a--> B implies Q --a--> Q with (B,Q) ∈ B
B --a--> A implies Q --a--> R with (A,R) ∈ B
B --b--> C implies Q --b--> S with (C,S) ∈ B
Q --a--> Q implies B --a--> B with (B,Q) ∈ B
Q --a--> R implies B --a--> A with (A,R) ∈ B
Q --b--> S implies B --b--> C with (C,S) ∈ B
Hence B is a strong bisimulation and P ~ Q.

Results
~ is an equivalence relation:
1. reflexive: P ~ P
2. symmetric: if P ~ Q then Q ~ P
3. transitive: if P ~ Q and Q ~ R then P ~ R
~ is a congruence, i.e., it enjoys the substitutivity property: if P ~ Q and S is a system containing P, replacing P with Q in S yields a system S' with S ~ S'.
Results (cont.)
P ~ Q implies:  α.P ~ α.Q;  P + R ~ Q + R;  P | R ~ Q | R;  P\L ~ Q\L;  P[f] ~ Q[f];  if X := P and Y := Q then X ~ Y.

Results (cont.)
P ~ Q implies P ≡_S Q.
~ = ≡_S on deterministic systems.
Problems with ~
~ discriminates too much.
P := a.τ.nil:  P --a--> τ.nil --τ--> nil;  Q := a.nil:  Q --a--> nil.  Is P ~ Q? No: after a, P can still perform τ and Q cannot, although τ is invisible.

Definition
If α ∈ Vis, P ==α==> Q means P (--τ-->)^n --α--> (--τ-->)^m Q for some n, m ≥ 0.
If α = τ, P ==τ==> Q means P (--τ-->)^n Q for some n ≥ 0 (in particular P ==τ==> P).
Example: for P --τ--> Q --a--> R --τ--> S we have P ==a==> R (n = 1, m = 0), P ==a==> S (n = 1, m = 1), P ==τ==> P (n = 0) and P ==τ==> Q (n = 1).
In fact P turns into Q after a sequence of moves.
Weak Equivalence (≈)
B ⊆ P × P is a weak bisimulation if, for all (P, Q) ∈ B and all α ∈ Act:
a) P --α--> P' implies that there exists Q' such that Q ==α==> Q' and (P', Q') ∈ B;
b) Q --α--> Q' implies that there exists P' such that P ==α==> P' and (P', Q') ∈ B.
P ≈ Q iff there exists a weak bisimulation B such that (P, Q) ∈ B.

Examples
(Figure, not reproduced: process P with states X, W, U, Z, Y and process Q with states 1, 2, 3, 4; the visible transitions are labeled a and b.)
Is P ≈ Q? Yes: B = { (X,1), (W,2), (U,3), (Z,4), (Y,4) } is a weak bisimulation.
Examples (cont.)
P := τ.a.nil,  Q := a.τ.nil
P --τ--> P1 = a.nil --a--> P2 = nil;  Q --a--> Q1 = τ.nil --τ--> Q2 = nil
B = { (P,Q), (P1,Q), (P2,Q1), (P2,Q2) } is a weak bisimulation, hence P ≈ Q.

Results
≈ is an equivalence relation.
P ~ Q implies P ≈ Q (the converse is NOT true).
~ coincides with ≈ if there are no τ actions.
~ and ≈ are decidable (if the systems are finite) in time O(n + m), with n = number of states and m = number of transitions.
≡_S is decidable in exponential time.
Problems with ≈
1. ≈ is not a congruence: P ≈ Q does not imply P + R ≈ Q + R.
Example: a.nil ≈ τ.a.nil, but a.nil + b.nil is NOT ≈ τ.a.nil + b.nil: the second process can perform τ and reach a.nil, where b is no longer possible, while a.nil + b.nil can only answer that τ by staying where it is, with b still enabled.

Problems with ≈ (cont.)
2. ≈ does not distinguish a process that terminates from one that loops.
P := τ.P + a.nil,  Q := a.nil:  P ≈ Q, although P can loop on τ forever.
Examples
P := a.(b.nil + c.nil),  Q := a.b.nil + a.c.nil:  P and Q are NOT strongly equivalent (after a, Q may have given up b or c).
P := a.a.P,  Q := a.Q:  P and Q are strongly equivalent.
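The definitions of ~ and ≈ above are greatest fixpoints, and on finite transition systems they can be computed by refinement. The following Python code is an added example, not from the slides: it starts from the relation containing all pairs of states and repeatedly drops the pairs that violate the transfer condition, using ==α==> (τ* α τ*) as the answering move in the weak case. It checks the slides' examples: a.nil | b.nil ~ a.b.nil + b.a.nil; a.(b.nil + c.nil) vs a.b.nil + a.c.nil (string equivalent but not bisimilar); X := a.a.X ~ Y := a.Y; a.τ.nil ≈ a.nil but not ~; and the non-congruence of ≈ (a.nil + b.nil vs τ.a.nil + b.nil). The LTSs are written out by hand as dictionaries, with state names chosen for this example.

```python
"""Strong and weak bisimulation on explicit LTSs (added example, not from the
slides). An LTS maps each state name to its set of (action, successor) pairs.
"""
from typing import Dict, Set, Tuple

TAU = "tau"
LTS = Dict[str, Set[Tuple[str, str]]]


def strong_moves(lts: LTS, s: str, a: str) -> Set[str]:
    """{s' : s --a--> s'}"""
    return {t for b, t in lts[s] if b == a}


def tau_closure(lts: LTS, s: str) -> Set[str]:
    """States reachable from s by zero or more tau moves (s itself included)."""
    seen, stack = {s}, [s]
    while stack:
        x = stack.pop()
        for b, t in lts[x]:
            if b == TAU and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def weak_moves(lts: LTS, s: str, a: str) -> Set[str]:
    """{s' : s ==a==> s'}: tau* a tau*, or just tau* when a is tau."""
    before = tau_closure(lts, s)
    if a == TAU:
        return before
    mid = {t for x in before for b, t in lts[x] if b == a}
    return {z for y in mid for z in tau_closure(lts, y)}


def largest_bisimulation(lts: LTS, weak: bool = False) -> Set[Tuple[str, str]]:
    """Greatest fixpoint: start from all pairs and remove every pair (p, q) in
    which one side has a move the other cannot answer (strongly, or with a
    weak move when weak=True) into a pair still in the relation."""
    respond = weak_moves if weak else strong_moves
    actions = {a for s in lts for a, _ in lts[s]}
    rel = {(p, q) for p in lts for q in lts}

    def ok(p: str, q: str) -> bool:
        fwd = all(any((p1, q1) in rel for q1 in respond(lts, q, a))
                  for a in actions for p1 in strong_moves(lts, p, a))   # clause a)
        bwd = all(any((p1, q1) in rel for p1 in respond(lts, p, a))
                  for a in actions for q1 in strong_moves(lts, q, a))   # clause b)
        return fwd and bwd

    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            if not ok(p, q):
                rel.discard((p, q))
                changed = True
    return rel


def bisimilar(lts: LTS, p: str, q: str, weak: bool = False) -> bool:
    return (p, q) in largest_bisimulation(lts, weak)


def traces(lts: LTS, s: str, depth: int) -> Set[Tuple[str, ...]]:
    """Action sequences of length <= depth from s (bounded string equivalence)."""
    out, frontier = set(), [((), s)]
    while frontier:
        tr, x = frontier.pop()
        out.add(tr)
        if len(tr) < depth:
            frontier.extend((tr + (a,), t) for a, t in lts[x])
    return out


# Constructed LTSs of the slides' examples, all in one state space.
EX: LTS = {
    # a.nil | b.nil
    "P1": {("a", "P1a"), ("b", "P1b")}, "P1a": {("b", "P1ab")}, "P1b": {("a", "P1ab")}, "P1ab": set(),
    # a.b.nil + b.a.nil
    "Q1": {("a", "Q1a"), ("b", "Q1b")}, "Q1a": {("b", "Q1ab")}, "Q1b": {("a", "Q1ab")}, "Q1ab": set(),
    # a.(b.nil + c.nil)
    "P2": {("a", "P2a")}, "P2a": {("b", "P2b"), ("c", "P2c")}, "P2b": set(), "P2c": set(),
    # a.b.nil + a.c.nil
    "Q2": {("a", "Q2a1"), ("a", "Q2a2")}, "Q2a1": {("b", "Q2b")}, "Q2a2": {("c", "Q2c")},
    "Q2b": set(), "Q2c": set(),
    # X := a.a.X and Y := a.Y
    "X": {("a", "X1")}, "X1": {("a", "X")}, "Y": {("a", "Y")},
    # a.tau.nil and a.nil
    "P3": {("a", "P3a")}, "P3a": {(TAU, "P3t")}, "P3t": set(), "Q3": {("a", "Q3a")}, "Q3a": set(),
    # a.nil + b.nil and tau.a.nil + b.nil (weak equivalence is not a congruence)
    "S": {("a", "S_end"), ("b", "S_end")}, "S_end": set(),
    "T": {(TAU, "Ta"), ("b", "T_end")}, "Ta": {("a", "T_end")}, "T_end": set(),
}
```

The naive refinement is quadratic in the number of pairs; it is enough to see the definitions at work, while the partition-refinement algorithms behind the O(n + m) claim on the next slides avoid enumerating pairs.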
Specification and verification of concurrent systems
The logic languages
Systems verification
How can the concepts introduced help in verifying properties of a concurrent system?
Consider a simple communication protocol where:
- the sender process receives a message from outside and transmits it to the medium process;
- the medium either transmits the message in turn to the receiver process or loses it; in the latter case it asks for a retransmission;
- the receiver transmits the message outside and acknowledges the end of transmission to the sender; after the ack the sender can accept a new message.

Communication protocol
Sender := in.'sm.Send1
Send1 := lm.'sm.Send1 + ack.Sender
Medium := sm.Med1
Med1 := 'rm.Medium + τ.'lm.Medium
Receiver := rm.'out.'ack.Receiver
Protocol := (Sender | Medium | Receiver)\{sm, lm, rm, ack}
Protocol
LTS1 = LTS(Protocol). Reading the figure: in, then the synchronization on sm; from there either the synchronization on rm, followed by 'out and the synchronization on ack back to the initial state, or the loss followed by the synchronization on lm, back to the state that retransmits on sm. After restriction all the synchronizations are τ moves, so the only observable actions are in and 'out.
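LTS1 can be generated rather than drawn: the SOS rules (act, sum, con, par_1/par_2/com, res, rel) are directly executable. The following Python code is an added example, not part of the slides or of any CCS tool: step applies the rules to a term once, and build_lts explores the state space breadth-first. It reproduces LTS(a.b.nil | 'b.nil) from the earlier example, shows the effect of restriction, stops with an error on the infinite-state X := a.X | b.nil, and builds LTS1 of the protocol, whose only observable actions after restriction are in and 'out. The term constructors (nil, pre, plus, par, res, rel, const) and the tuple encoding are this example's own.

```python
"""LTS(P) from the SOS rules of CCS (added example, not from the slides).

Terms are nested tuples. Input actions are plain names ("a"), output actions
carry a leading quote ("'a"), TAU is the non-observable action.
"""
from collections import deque
from typing import Dict, Iterable, Mapping, Set, Tuple

TAU = "tau"
Term = tuple  # ("nil",) ("pre",a,P) ("sum",P,Q) ("par",P,Q) ("res",P,L) ("rel",P,f) ("const",X)

def nil() -> Term: return ("nil",)
def pre(a: str, p: Term) -> Term: return ("pre", a, p)
def plus(p: Term, q: Term) -> Term: return ("sum", p, q)
def par(p: Term, q: Term) -> Term: return ("par", p, q)
def res(p: Term, names: Iterable[str]) -> Term: return ("res", p, frozenset(names))
def rel(p: Term, f: Mapping[str, str]) -> Term: return ("rel", p, tuple(sorted(f.items())))
def const(x: str) -> Term: return ("const", x)


def name(a: str) -> str:
    """Channel name of an action: name("'a") == name("a") == "a"."""
    return a[1:] if a.startswith("'") else a


def co(a: str) -> str:
    """Complementary action, a <-> 'a (tau has none)."""
    return a[1:] if a.startswith("'") else "'" + a


def relabel(f: Tuple[Tuple[str, str], ...], a: str) -> str:
    """f renames channels, keeps input/output polarity and maps tau to tau."""
    if a == TAU:
        return TAU
    new = dict(f).get(name(a), name(a))
    return "'" + new if a.startswith("'") else new


def step(p: Term, defs: Dict[str, Term]) -> Set[Tuple[str, Term]]:
    """All (action, successor) pairs of p: one rule application per term shape."""
    kind = p[0]
    if kind == "nil":                          # no rule: nil never moves
        return set()
    if kind == "pre":                          # (act)   a.P --a--> P
        return {(p[1], p[2])}
    if kind == "sum":                          # (sum_1), (sum_2)
        return step(p[1], defs) | step(p[2], defs)
    if kind == "par":                          # (par_1), (par_2), (com)
        left, right = step(p[1], defs), step(p[2], defs)
        moves = {(a, par(p1, p[2])) for a, p1 in left}
        moves |= {(b, par(p[1], q1)) for b, q1 in right}
        moves |= {(TAU, par(p1, q1)) for a, p1 in left for b, q1 in right
                  if a != TAU and co(a) == b}
        return moves
    if kind == "res":                          # (res): block alpha in L or 'L
        return {(a, res(p1, p[2])) for a, p1 in step(p[1], defs)
                if a == TAU or name(a) not in p[2]}
    if kind == "rel":                          # (rel)
        return {(relabel(p[2], a), ("rel", p1, p[2])) for a, p1 in step(p[1], defs)}
    if kind == "const":                        # (con): X := P
        return step(defs[p[1]], defs)
    raise ValueError(f"unknown term {kind!r}")


def build_lts(p: Term, defs: Dict[str, Term], max_states: int = 10_000):
    """Breadth-first exploration of LTS(p); returns (states, transitions).
    CCS is Turing-equivalent, so the LTS may be infinite: exploration stops
    with RuntimeError once max_states distinct states have been found."""
    states, trans, queue = {p}, set(), deque([p])
    while queue:
        q = queue.popleft()
        for a, q1 in step(q, defs):
            trans.add((q, a, q1))
            if q1 not in states:
                if len(states) >= max_states:
                    raise RuntimeError("state bound exceeded: LTS(p) may be infinite")
                states.add(q1)
                queue.append(q1)
    return states, trans


def is_finite_within(p: Term, defs: Dict[str, Term], max_states: int) -> bool:
    """True iff LTS(p) has at most max_states states."""
    try:
        build_lts(p, defs, max_states)
        return True
    except RuntimeError:
        return False


EX1 = par(pre("a", pre("b", nil())), pre("'b", nil()))       # a.b.nil | 'b.nil
EX2 = res(EX1, {"b"})                                        # (a.b.nil | 'b.nil)\{b}
INF_DEFS = {"X": par(pre("a", const("X")), pre("b", nil()))}  # X := a.X | b.nil
PROTO_DEFS = {                                               # the slides' protocol
    "Sender": pre("in", pre("'sm", const("Send1"))),
    "Send1": plus(pre("lm", pre("'sm", const("Send1"))), pre("ack", const("Sender"))),
    "Medium": pre("sm", const("Med1")),
    "Med1": plus(pre("'rm", const("Medium")), pre(TAU, pre("'lm", const("Medium")))),
    "Receiver": pre("rm", pre("'out", pre("'ack", const("Receiver")))),
}
PROTOCOL = res(par(const("Sender"), par(const("Medium"), const("Receiver"))),
               {"sm", "lm", "rm", "ack"})
```

Constants are unfolded only when they move, so the states of the protocol's LTS are the six terms reached from Protocol, linked by seven transitions: in, the τ for sm, the two τ branches of Med1 (delivery on rm, or loss), 'out, the τ for ack and the τ for lm. The state bound is the practical form of the remark that LTS(P) must be finite for properties to be decidable.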
System properties
The protocol should assure that each accepted message exits the process, even if not immediately.
In terms of equivalence, this could mean that LTS1 (from the point of view of the external behavior) is equivalent to another transition system in which only the actions in and 'out are performed sequentially, forever.
See LTS2 in the following slide.
LTS2: a two-state cycle that performs in and then 'out, forever.
The two transition systems should be strongly equivalent, but the protocol can loop forever losing messages, and thus LTS1 is not equivalent to LTS2.

System verification
What if the property required for the protocol is that of having the possibility of transmitting the received message outside?
Strong equivalence is not adequate: but can I define a weaker equivalence for each property?
Choose another line of thought:
- give another, different system specification, for example not an operational one, and compare the two.
Logic languages
Logic languages allow the specification of sequential, concurrent, nondeterministic, reactive and real-time systems.
Logic languages allow a descriptive specification of system behavior: each formula specifies a property of the system.

Logic languages
- Propositional logic: each formula expresses an absolute truth starting from known facts. The result of evaluating a formula depends only on the values taken by the proposition symbols.
- Predicate logic: each formula expresses a relative truth with respect to particular sets of the world, e.g., there exists an x such that A(x).
- Modal logic: each formula expresses a relative truth with respect to a world, and such truth can change from one world to another in a particular universe.
Syntax of a logic language
The syntax of a logic language is given through:
- formulae: correct sequences of symbols belonging to a given alphabet;
- inference rules: rules that derive formulae from formulae;
- axioms: formulae known to be true.

Semantics of a logic language
The semantics of a formula is a truth value determined through the interpretation.
- In predicate logics an interpretation is a pair I = (D, σ), where σ associates each symbol (constant, variable, function) with an element (or n-tuple of elements) of D; each proposition or predicate is associated with a truth value.
- In modal logics an interpretation is a pair I = (W, R), where W is called the universe and is composed of a set of worlds (W1, ..., Wn) linked together through the relation R. Each Wi = (D, σi).
Examples
(a b)(c d): a propositional formula over a, b, c, d (its connectives did not survive extraction).
"∀x. even(x)", where even(x) = tt if (x mod 2) = 0, else ff.
"it is possible that a b" (connective lost in extraction): this formula can be false independently of the truth value that the interpretation of one world in the universe associates with "a b".

Extensional and intensional logics
Classic logics are extensional: the truth value of each formula derives from that of the sub-formulae and the meaning of the operators.
Modal logic is intensional: the truth value of a formula does not necessarily derive from that of the sub-formulae and the meaning of the operators.
The universe changes its characteristics depending on the type of the relation (one relation is symmetric, another one is transitive, and so on).
Modal operators
Fundamental modal operators are:
[]  its meaning is "necessarily";
<>  its meaning is "possibly".
The operators are dual: given the formula φ, <>φ = ¬[]¬φ.

Modal logic models
A formula []φ is true in a world Wi if φ is true in Wi and in all worlds reachable from Wi through R.
A formula is true in a universe if it is true in all worlds in the universe.
An interpretation in which all modal axioms are true is called a model. In the predicate calculus all interpretations are models, since axioms are true in all interpretations.
The modal axioms define the type of R: a valid formula is true in all universes in which R is of a given type (thus not in all interpretations).
Universe W = ({W1, W2, W3, W4, W5, W6}, R)
(Figure: the six worlds W1, ..., W6 with the arrows of R.)
In W2: σ(b) = tt, σ(a) = ff.  In W6: σ(b) = ff, σ(a) = ff.
[](a b) (connective lost in extraction) is false in W2.

Temporal logic
- Temporal logic is a particular modal logic where the worlds of a universe are temporal instants connected by a reflexive and transitive relation R: thus R establishes a partial ordering among worlds.
- The operators [] and <> mean "forever" and "sometime", respectively.
- A formula is true if it is true in all instants starting from the initial one (R being reflexive and transitive, all successive instants are reachable).
- Given a system (program), the set of computations of the system is a universe.
System specification through temporal logic
Temporal logic allows the definition of system properties that hold over time.
The semantics of specification languages for communicating systems (CCS for example) is an LTS (P, Act, →).
An LTS can also be used to give semantics to the formulae of an action logic.

Proof methods
To prove that a formula (corresponding to a system property) is true in the given interpretation, a theorem prover can be used: the prover is based on the axioms and the inference rules. This method is complex and not automatable.
When the system is finite state, it can be verified whether a structure representing the system is a model for the given formula by means of an algorithm that traverses the structure and analyzes the related sub-formulae in each reached state. This method is called model checking: it is automatable.
Temporal logic models
An LTS that is the semantics of a concurrent system must be a model for a temporal logic formula.
LTSs give the tree of the system computations.
Temporal logics with LTSs as models are called branching time logics, as opposed to linear time logics.

BTL vs. LTL
W := a.b.nil + a.c.nil,  Z := a.(b.nil + c.nil):  W ≡_S Z, but W is NOT ~ Z.
A linear time logic looks at the set of computations and therefore cannot distinguish W from Z; a branching time logic looks at the computation tree and can.
Hennessy-Milner Logic (HML)
φ ::= tt | ff | φ1 ∧ φ2 | φ1 ∨ φ2 | [a]φ | <a>φ,  with a ∈ Act
[a]φ: after each occurrence of action a, the resulting process must satisfy property φ.
<a>φ: at least one occurrence of action a is required, and the resulting process must satisfy property φ.
For example, <a>tt requires the ability to perform a, whereas [a]ff expresses the inability to perform such an action.

Satisfaction (1)
Given a formula φ, the processes satisfying φ can be singled out through the following rules, defined on the structure of the formula. Given a process p, p satisfies φ (written p |= φ) in one of the cases below:
p |= tt;  p |≠ ff
p |= φ ∧ ψ iff p |= φ and p |= ψ
p |= φ ∨ ψ iff p |= φ or p |= ψ
p |= [a]φ iff for all q ∈ {p' : p --a--> p'}, q |= φ
p |= <a>φ iff there exists q ∈ {p' : p --a--> p'} with q |= φ
Note that, from the definition of |=, [a]tt is equivalent to tt and <a>ff is equivalent to ff.
Satisfaction (2)
Given the transition system representing the process p, LTS(p) satisfies property φ iff φ is verified in its initial state. The initial state of LTS(p) is the one corresponding to p. LTS(p) represents the universe, and from its initial state all other states are reachable.
Two transition systems (or processes) are strongly equivalent if and only if they satisfy the same set of HML formulae. HML is called adequate for strong equivalence, since no formula is able to distinguish two strongly equivalent transition systems (or processes).
Weak? The operators [] and <> can be applied to any K ⊆ Act, so they do not distinguish visible actions from non-observable ones.
Examples
Are the transition systems LTS(p1) and LTS(q1) models for the formulae φ, ψ and χ?
φ = [a](<b>tt ∧ <c>tt)
ψ = [a](<b>tt ∨ <c>tt)
χ = <a>[b]ff
(Figure: p1 --a--> p2, p2 --b--> ., p2 --c--> .;  q1 --a--> q2, q1 --a--> q3, q2 --b--> ., q3 --c--> .)

Examples (2)
And are LTS(p2) and LTS(q1) models for the formulae φ and χ?
φ = [a](<b>tt ∧ <c>tt)
χ = <a>[b]ff
p2 |= φ and q1 |≠ φ, while p2 |≠ χ and q1 |= χ.
(Same figure as above: p1 --a--> p2 with p2 --b--> . and p2 --c--> .; q1 --a--> q2 --b--> . and q1 --a--> q3 --c--> .)
Extensions to HML
[K]φ, <K>φ with K ⊆ Act (if Act is infinite, K can be infinite too):
[K]φ = [a1]φ ∧ ... ∧ [an]φ,  ai ∈ K
<K>φ = <a1>φ ∨ ... ∨ <an>φ,  ai ∈ K
[-K]φ, <-K>φ:
[-K]φ = [a1]φ ∧ ... ∧ [an]φ,  ai ∈ Act − K
<-K>φ = <a1>φ ∨ ... ∨ <an>φ,  ai ∈ Act − K
[-]φ, <->φ:
[-]φ = [a1]φ ∧ ... ∧ [an]φ,  ai ∈ Act
<->φ = <a1>φ ∨ ... ∨ <an>φ,  ai ∈ Act
Some hints on the expressivity of HML
[-]ff  termination
<->tt  vitality (some action can be performed)
<->tt ∧ [-a]ff  obligation (some action can be performed, and only a)
The properties above are properties that have no time duration.
Consider the property "action a can always be performed": does the formula <a>tt express this property?

Some hints on the expressivity of HML (cont.)
<a>tt is true on both the transition systems below:
(Figure: a state that loops on a forever, and a state that performs a once and then stops.)
But the second transition system is able to perform a only in the initial state.
Some form of recursion in the application of the formula is needed to simulate the flow of time.
Modal μ-calculus
φ ::= tt | ff | φ1 ∧ φ2 | φ1 ∨ φ2 | [K]φ | <K>φ | Z | νZ.φ | μZ.φ,  with K ⊆ Act
νZ.φ and μZ.φ are fixed point formulae (greatest and least, respectively), where the operators νZ and μZ bind the occurrences of the variable Z in φ. Closed formulae do not contain free variables. The constants tt and ff can also be obtained as νZ.Z and μZ.Z, respectively.

Adequacy
The μ-calculus too is adequate for strong equivalence.
To be adequate for weak equivalence as well, the operators [[K]] and <<K>> must be added to the calculus.
Satisfaction
p |= Z iff p ∈ V(Z), where V is the valuation of the variables.
- Closed formulae are independent of the valuation.
p |= νZ.φ iff p |= νZ^k.φ for each k
p |= μZ.φ iff p |= μZ^k.φ for some k
To define satisfaction of the recursive operators we can apply a technique of syntactic approximation that builds a finite chain of non-recursive formulae until the one representing the fixed point of the equation Z = φ is obtained (on a finite-state system the chain stabilizes after finitely many steps).

Approximants
νZ^0.φ = tt,  νZ^(k+1).φ = φ[νZ^k.φ / Z]
μZ^0.φ = ff,  μZ^(k+1).φ = φ[μZ^k.φ / Z]
φ[ψ/Z] substitutes each free occurrence of Z in φ with ψ.
ν operator
νZ.φ admits infinite sequences of actions along which φ keeps being satisfied.
The chain of formulae that approximates the meaning of νZ.<a>Z is:
νZ^0.<a>Z = tt
νZ^1.<a>Z = <a>tt
νZ^2.<a>Z = <a><a>tt
...
Thus the formula is satisfied by a transition system that contains at least one infinite path, starting from the initial state, made of an infinite number of consecutive a's. In other words: "action a can always be performed".

μ operator
μZ.φ requires that only finite sequences of actions lead to the satisfaction of φ.
The chain of formulae that approximates the meaning of μZ.[a]Z is:
μZ^0.[a]Z = ff
μZ^1.[a]Z = [a]ff
μZ^2.[a]Z = [a][a]ff
...
Thus the formula is satisfied by a transition system whose paths, starting from the initial state, contain only a finite number of consecutive a's.
Some hints on the expressivity (cont.)
The property νZ.<a>Z is true on the first transition system (the a-loop) and false on the second one (a single a).
Now time duration can be expressed.

Examples
φ1 = νZ.(<->tt ∧ [-]Z)  deadlock-freeness
φ2 = μZ.([-]ff ∨ <->Z)  can-deadlock
φ3 = μZ.(<->tt ∧ [-a]Z)  "after a finite amount of time a will be executed"
φ4 = νZ.([a]ff ∧ [-]Z)  "henceforth a will not be executed"
Properties expressible in TL
The formulae of temporal logic can be classified. There are various kinds of classification:
- syntactic, on the structure of the formula, i.e., the operators used;
- semantic, according to the meaning of the property.
The termination and obligation properties seen before are singled out syntactically.
A semantic classification, due to Lamport, is the following.

Liveness and safety
"Something good will eventually happen"
Liveness: every path of the transition system contains the action of interest (the good one). For example, φ3 is a liveness property.
"Nothing bad will happen"
Safety: no path of the transition system contains the action of interest (the bad one). For example, φ4 is a safety property.
These properties can be weakened so as to concern only some paths:
Weak liveness:  μZ.(φ ∨ <->Z)
Weak safety:  νZ.(φ ∧ (<->Z ∨ [-]ff))
where φ is a formula that does not contain Z and expresses the good or bad thing we are interested in.
Other examples of formulae
νX.((νY.([a]ff ∧ [-b]Y)) ∧ (νZ.([a]X ∧ [-a]Z)))  "it is always true that every a is preceded by a b, with no a in between"
νZ.([a](μY.(<->tt ∧ [-b]Y)) ∧ [-]Z)  "it is always true that every a is sooner or later followed by a b"

Communication protocol
Protocol := (Sender | Medium | Receiver)\{sm, lm, rm, ack}
Sender := in.'sm.Send1
Send1 := lm.'sm.Send1 + ack.Sender
Medium := sm.Med1
Med1 := 'rm.Medium + τ.'lm.Medium
Receiver := rm.'out.'ack.Receiver
Protocol
(Figure: LTS1 of the protocol, with the transitions in, sm, rm, lm, sm, ack, 'out as in the earlier slide; the synchronizations are τ moves after restriction.)

Properties of the protocol
φ1 = [in](μY.(<'out>tt ∨ <-'out>Y))
Each message that Sender receives may be output by Receiver.
φ2 = [in](μY.(<->tt ∧ [-'out]Y))
Each message that Sender receives, sooner or later, is output by Receiver.
φ1 is true on Protocol, while φ2 is false: the medium can lose the same message forever.
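Both properties can be decided mechanically with the approximant technique of the previous slides. The following Python code is an added example, not from the slides: sat computes the set of states satisfying a formula, evaluating νZ and μZ as the limit of the chains Z^0 = tt / ff, Z^(k+1) = φ[Z^k/Z]. The LTS is LTS1 of the protocol written out by hand from the CCS definitions above (the state names s0..s5 are chosen here), plus the a-loop and the single-a systems used earlier to motivate recursion. It checks φ1 (true), φ2 (false), deadlock-freeness, can-deadlock and νZ.<a>Z; the same machinery applies unchanged to the Railcross formulae on the following slides. The formula constructors (TT, FF, AND, OR, BOX, DIA, VAR, NU, MU, NOT, ANY) are this example's own encoding.

```python
"""Modal mu-calculus model checking by fixpoint approximation (added example,
not from the slides). An LTS maps each state name to its (action, successor)
pairs; formulae are nested tuples built with the constructors below.
"""
from typing import Dict, Optional, Set, Tuple

TAU = "tau"
LTS = Dict[str, Set[Tuple[str, str]]]
ANY = "-"   # the K of [-] and <->: every action

# Formula shapes: ("tt",) ("ff",) ("and",f,g) ("or",f,g) ("box",K,f) ("dia",K,f)
# ("var",Z) ("nu",Z,f) ("mu",Z,f); K is ANY, a set of actions, or NOT(...) for -K.
TT, FF = ("tt",), ("ff",)
def AND(f, g): return ("and", f, g)
def OR(f, g): return ("or", f, g)
def BOX(K, f): return ("box", K, f)
def DIA(K, f): return ("dia", K, f)
def VAR(z: str): return ("var", z)
def NU(z: str, f): return ("nu", z, f)
def MU(z: str, f): return ("mu", z, f)
def NOT(*actions: str): return ("not", frozenset(actions))


def in_K(K, a: str) -> bool:
    """Does action a belong to the action set K of a modality?"""
    if K == ANY:
        return True
    if isinstance(K, tuple) and K[0] == "not":
        return a not in K[1]
    return a in K


def sat(lts: LTS, f, env: Optional[Dict[str, Set[str]]] = None) -> Set[str]:
    """States of lts satisfying f under the valuation env of free variables.
    nu/mu iterate Z0 = tt/ff, Z(k+1) = f[Zk/Z] until the set stops changing,
    which on a finite LTS always happens (the chain is monotone)."""
    env = env or {}
    kind = f[0]
    if kind == "tt":
        return set(lts)
    if kind == "ff":
        return set()
    if kind == "and":
        return sat(lts, f[1], env) & sat(lts, f[2], env)
    if kind == "or":
        return sat(lts, f[1], env) | sat(lts, f[2], env)
    if kind in ("box", "dia"):
        inner = sat(lts, f[2], env)
        quantifier = all if kind == "box" else any
        return {s for s in lts
                if quantifier(t in inner for a, t in lts[s] if in_K(f[1], a))}
    if kind == "var":
        return set(env[f[1]])
    if kind in ("nu", "mu"):
        z, body = f[1], f[2]
        approx = set(lts) if kind == "nu" else set()   # Z0 = tt / ff
        while True:
            nxt = sat(lts, body, {**env, z: approx})   # Z(k+1) = body[Zk/Z]
            if nxt == approx:
                return approx
            approx = nxt
    raise ValueError(f"unknown formula {kind!r}")


def holds(lts: LTS, s: str, f) -> bool:
    """LTS(s) is a model of f iff f holds in the initial state s."""
    return s in sat(lts, f)


# LTS1 of the protocol, derived by hand from the CCS definitions (constructed).
PROTOCOL: LTS = {
    "s0": {("in", "s1")},               # Sender accepts a message
    "s1": {(TAU, "s2")},                # sm: message handed to Medium
    "s2": {(TAU, "s3"), (TAU, "s4")},   # rm: delivered to Receiver / tau: lost
    "s3": {("'out", "s5")},             # Receiver outputs the message
    "s4": {(TAU, "s1")},                # lm: retransmission requested
    "s5": {(TAU, "s0")},                # ack: Sender may accept again
}
LOOP: LTS = {"l0": {("a", "l0")}}                  # a can always be performed
ONCE: LTS = {"o0": {("a", "o1")}, "o1": set()}     # a only in the initial state

PHI1 = BOX({"in"}, MU("Y", OR(DIA({"'out"}, TT), DIA(NOT("'out"), VAR("Y")))))
PHI2 = BOX({"in"}, MU("Y", AND(DIA(ANY, TT), BOX(NOT("'out"), VAR("Y")))))
DEADLOCK_FREE = NU("Z", AND(DIA(ANY, TT), BOX(ANY, VAR("Z"))))
CAN_DEADLOCK = MU("Z", OR(BOX(ANY, FF), DIA(ANY, VAR("Z"))))
ALWAYS_A = NU("Z", DIA({"a"}, VAR("Z")))           # nu Z.<a>Z
```

For φ2 the μ chain stops at {s3}, the only state whose every non-'out move leads into the previous approximant; s1 is never added because the loss branch s2 → s4 → s1 avoids 'out forever. A nested fixpoint is recomputed from scratch at every iteration of the enclosing one, which is why alternation depth drives the cost discussed at the end of the lecture; alternation-free formulae can evaluate each fixpoint once.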
Railcross
Road := car.up.'ccross.'down.Road
Rail := train.green.'tcross.'red.Rail
Signal := 'green.red.Signal + 'up.down.Signal
Railcross := (Road | Rail | Signal)\{green, red, up, down}

(Figure: the 12-state LTS of Railcross, states 1 to 12, with transitions labeled car, train, green, red, up, down, ccross and tcross; the synchronizations on green, red, up and down are τ moves after restriction.)
Properties of the Railcross
It is never possible for a car and a train to be both enabled to cross.
(Liveness or safety?)
Every car that arrives at the Railcross crosses in a finite time.
(Liveness or safety?)

Properties of the Railcross
It is never possible for a car and a train to be both enabled to cross.
(Liveness or safety?)
φ1 = νZ.(([tcross]ff ∨ [ccross]ff) ∧ [-]Z)
Proof of φ1
νZ^0 = tt
νZ^1 = [tcross]ff ∨ [ccross]ff
νZ^2 = ([tcross]ff ∨ [ccross]ff) ∧ [-]([tcross]ff ∨ [ccross]ff)
νZ^3 = ([tcross]ff ∨ [ccross]ff) ∧ [-](([tcross]ff ∨ [ccross]ff) ∧ [-]([tcross]ff ∨ [ccross]ff))

Properties of the Railcross
Every car that arrives at the Railcross crosses in a finite time.
(Liveness or safety?)
φ2 = νZ.([car]ψ ∧ [-car]Z),  with ψ = μY.(<ccross>tt ∨ <-ccross>Y)
φ3 = νZ.([car]ψ' ∧ [-car]Z),  with ψ' = μY.(<->tt ∧ [-ccross]Y)
Proof of ψ
μY^0 = ff
μY^1 = <ccross>tt
μY^2 = <ccross>tt ∨ <-ccross><ccross>tt
μY^3 = <ccross>tt ∨ <-ccross>(<ccross>tt ∨ <-ccross><ccross>tt)

Proof of φ2
νZ^0 = tt
νZ^1 = [car]ψ
νZ^2 = [car]ψ ∧ [-car][car]ψ
νZ^3 = [car]ψ ∧ [-car]([car]ψ ∧ [-car][car]ψ)
...
Proof of ψ'
μY^0 = ff
μY^1 = <->tt ∧ [-ccross]ff
μY^2 = <->tt ∧ [-ccross](<->tt ∧ [-ccross]ff)
μY^3 = <->tt ∧ [-ccross](<->tt ∧ [-ccross](<->tt ∧ [-ccross]ff))
μY^4 = ...  μY^5 = ...  μY^6 = ...
A state already visited is reached again without meeting ccross, hence the formula is false: there is an infinite path that does not contain ccross.

Proof of φ3
To prove that φ3 is true, I must prove that ψ' is true on all the paths that contain car.
νZ^0 = tt
νZ^1 = [car]ψ'
νZ^2 = [car]ψ' ∧ [-car][car]ψ'
νZ^3 = [car]ψ' ∧ [-car]([car]ψ' ∧ [-car][car]ψ')
...
Model checking complexity
When recursive operators occur in a formula, their fixpoints can be computed separately only if the formula is alternation-free, and in this case the verification algorithms have linear complexity.
- [in](μY.(<'out>tt ∨ <-'out>Y)) is alternation-free.
For formulae with alternation depth greater than 1, the verification algorithms have a complexity exponential in the alternation depth.

Model checking complexity
The complexity of model checking a property of size m (number of logic operators) on a transition system of size n (number of states) is of order O(n × m) in the best case.
Model checking environments
- They minimize with respect to different equivalence relations.
- They build the LTS for a specification program, e.g., a CCS program or a LOTOS program.
- They include implementations of model checking algorithms for different logics (μ-calculus, CTL, etc.).

Problems
- Parallel composition of processes produces an exponential growth in the number of states of the resulting transition system.
- The number of states of the transition systems is limited (but of the order of several hundreds of thousands).
- Constraints are imposed on the structure of the formulae to keep the complexity of the model checking algorithms low.