Traditional Software Development. Model Requirements and JAVA Programs. Formal Verification & Validation. What is a state?

Size: px

Start display at page:

Download "Traditional Software Development. Model Requirements and JAVA Programs. Formal Verification & Validation. What is a state?"

Agnes Lang
8 years ago
Views:

1 Mel Requirements and JAVA Programs MVP The Waterfall Mel Problem Area Traditional Software Develoment Analysis REVIEWS Design Costly wrt time and money. Errors are found too late (or maybe never). SPIN/PROMELA JAVA Imlementation Testing REVIEWS MVP Running System Intrucing, detecting and reairing errors Liggesmeyer 98 Formal Verification & Validation? Design Mel Secification Verification & Validation MVP 3 MVP 4 Objective What is a state? Design= behaviour + Requirement= desired or forbidden behaviour X=5 Y=7 Z=3 a Xsin Yes/No! Simulation Deadlock? Livelock? Requirement violation? MVP 5 A state is characterized by: Values of local/global variables Channel(s) contents State of each rocess (=rogram location) MVP 6

SPIN/PROMELA JAVA Imlementation Testing REVIEWS MVP Running System Intrucing, detecting and reairing errors Liggesmeyer 98 Formal Verification & Validation?

2 What is a state (continued)? A state is the cross-ruct between the state of all rocesses (+ variable values + channel contents): A B A A A3 MVP 7 B B (A,B) (A,B) (A,B) (A3,B) Interleaving examle from MVP byte s = roctye A(){s== -> s++ roctye B() {s== -> s-- init {run A(); run B() Transition systems: A <s=> s== s++ <s=> <s=> MVP 8 B <s=> s== <s=> s-- <s=> Combined (interleaved) transition system (state grah) of (A B) state++ state== MVP 9 state== state== state== state-- state++ state-- state++ state-- state-- state++ state-- state++ Each trace = a rogram execution (behaviour) SPIN checks all traces Correctness Requirements to Promela mels Behaviour: The set of all execution sequences in the state grah Sequences may be finite or infinite Two kinds of requirements: State requirements: Boolean conditions on some (or all) system states Temoral requirements: Requirements to a certain ordering of boolean conditions on states MVP Correctness Analysis: Analysis of the State Grah Promela Program Each state is described by: Values of all variables Contents of all channels Location counters for all rocesses State Grah MVP roctye A() {.. assert(condition).. Result of analysis Assertions When this location is art of the system state, the condition must be true! Note: assert(...) is always executable No error: condition is true for all ossible executions Error: there exists at least one execution, where the condition is false MVP Assert examle

-> s++ roctye B() {s== -> s-- init {run A(); run B() Transition systems: A <s=> s== s++ <s=> <s=> MVP 8 B <s=> s== <s=> s-- <s=> Combined (interleaved) transition system (state grah) of (A B) state++

3 byte state=; 3 roctye A() 4 { state== -> state++; 5 assert (state==) roctye B() 9 { state== -> state--; assert (state==) 3 init {run A(); run B() Simle counter examle rearing trail, lease wait...ne : roc (:init:) line 3 "an_in" (state ) [(run A())] : roc (:init:) line 3 "an_in" (state ) [(run B())] 3: roc (B) line 9 "an_in" (state ) [((state==))] 4: roc (A) line 4 "an_in" (state ) [((state==))] 5: roc (B) line 9 "an_in" (state ) [state = (state-)] 6: roc (B) line "an_in" (state 3) [assert((state==))] 7: roc terminates 8: roc (A) line 4 "an_in" (state ) [state = (state+)] sin: line 5 "an_in", Error: assertion violated sin: text of failed assertion: assert((state==)) MVP 3 Combined (interleaved) transition system of (A B) state== state++ state== state== state-- state++ state-- state++ state-- state-- state++ state-- state++ Each trace = a rogram execution SPIN checks all traces MVP 4 state== Invariant roerties is always true is an invariant assert(p) must be evaluated for all system states One way of exressing an invariant: Define a dedicated rocess: roctye monitor(){assert() Invariant: Simle counter revisited int int x; x; roctye roctye P(){ P(){ x< x< x=x+ x=x+ roctye roctye Q(){ Q(){ x> x> x=x- x=x- roctye roctye R(){ R(){ x== x== x= x= roctye roctye invariant(){ invariant(){ assert(x>=- assert(x>=- && && x<=) x<=) Which values may x take? count-inv MVP 5 MVP 6 Linear Temoral Logic (LTL) LTL examle LTL can exress requirements on the ordering of state conditions (redicates): <> Eventually [] Always/invariantly U q until q #define (state==) #define q (state==3) byte state=; roctye A(){ state= roctye B(){ state=3 <>q? Uq? []( -> <>q)? Ltl/ltl examle MVP A formula must hold for ALL traces 7 MVP 8 3

[((state==))] 5: roc (B) line 9 "an_in" (state ) [state = (state-)] 6: roc (B) line "an_in" (state 3) [assert((state==))] 7: roc terminates 8: roc (A) line 4 "an_in" (state ) [state = (state+)] sin:

4 Imlementing rocesses Meling rocesses as finite state machines using Promela Imlementing threads in Java. Note: to avoid confusion, we use the term rocess when referring to the mels, and thread when referring to the imlementation in Java. MVP 9 Two basic object invokation meths call-return (caller waits for callee) Efficient Callee is rotected from caller Callee is a assive object start-sto (caller and callee continues) Exensive calling sequence Callee is not rotected from caller Callee becomes an object (a thread) call-return one thread start-sto two threads MVP Fundamental roblems: Scheduling, Protection, Synchronization JVM with threads JVM State State State 3 State 4 Four Thread States each consisting of Program Counter & Object addresses MVP Threads in Java A Thread class manages a single sequential thread of control. Threads may be created and deleted dynamically. Thread MyThread The Thread class executes instructions from its meth. The actual ce executed deends on the imlementation rovided for in a derived class. class MyThread extends Thread { ublic void { //... Thread x = new MyThread(); MVP Threads in Java Since Java es not ermit multile inheritance, we often imlement the meth in a class not derived from Thread but from the interface Runnable. Runnable target Thread ublic interface Runnable { ublic abstract void ; MyRun class MyRun imlements Runnable{ ublic void { //... Thread x = new Thread(new MyRun()); MVP 3 An overview of the life-cycle of a thread as state transitions: thread life-cycle in Java new Thread() Created The redicate isalive() can be used to test if a thread has been started but not terminated. Once terminated, it cannot be restarted (cf. mortals). start() causes the thread to call its meth. start() Alive failure, or returns Terminated MVP 4 4

MVP 9 Two basic object invokation meths call-return (caller waits for callee) Efficient Callee is rotected from caller Callee is a assive object start-sto (caller and callee continues) Exensive

5 Thread alive states in Java Once started, an alive thread has a number of substates : Summary of thread meths start() yield() Running Runnable disatch slee() wait() notify() timeout Non-Runnable failure, or returns Dummy: yield Blocking: wait, wait(msec), slee, slee(msec), join, join(msec) Unblocking: notify, notifyall, interrut State inquiry: isalive, isinterruted Priority: getpriority, setpriority MVP 5 MVP 6 CountDown timer examle Develo a JAVA alet which can: Count wn once er second from some constant number Dislay the current count value Sto after count wn to zero or when requested by system (e.g. winw change) Mel in Promela? CountDown timer - Promela #define dummy #define N 5 chan bee = [] of {bit; chan tick = [] of {bit; chan sto = [] of {bit; chan start = [] of {bit; byte count=; roctye counter() { byte i; if start?dummy -> i=n; i> -> tick!dummy; i-- i== -> bee!dummy; break sto?dummy -> break fi roctye system() { start!dummy; sto!dummy roctye dislay() { tick?dummy -> count++ bee?dummy -> break timeout -> break Proerties? MVP 7 MVP 8 CountDown timer - roerties Count wn to zero should be ossible The system should be able to terminate before count wn to zero (at system sto) CountDown timer - Promela #define dummy #define N 5 chan bee = [] of {bit; chan tick = [] of {bit; chan sto = [] of {bit; chan start = [] of {bit; byte count=; roctye counter() { byte i; if start?dummy -> i=n; i> -> tick!dummy; i-- i== -> bee!dummy; break sto?dummy -> break fi roctye system() { start!dummy; sto!dummy roctye dislay() { tick?dummy -> count++ bee?dummy -> break timeout -> break Imlementation in Java? MVP 9 MVP 3 5

setpriority MVP 5 MVP 6 CountDown timer examle Develo a JAVA alet which can: Count wn once er second from some constant number Dislay the current count value Sto after count wn to zero or when

6 CountDown timer - class diagram Alet CountDown init() start() sto() tick() bee() counter dislay Runnable target The class NumberCanvas rovides the dislay canvas. Thread NumberCanvas setvalue() The class CountDown derives from Alet and contains the imlementation of the meth which is required by Thread. MVP 3 CountDown class ublic class CountDown extends Alet imlements Runnable { Thread counter; int i; final static int N = ; AudioCli beesound, ticksound; NumberCanvas dislay; ublic void init() {... ublic void start() {... ublic void sto() {... ublic void {... rivate void tick() {... rivate void bee() {... MVP 3 CountDown class - start(), sto() and ublic void start() { counter = new Thread(this); i = N; counter.start(); ublic void sto() { counter = null; ublic void { while(true) { if (counter == null) return; if (i>) { tick(); --i; if (i==) { bee(); return; COUNTDOWN Mel roctye counter() { byte i; if start?dummy -> i=n; i> -> tick!dummy; i-- i== -> bee!dummy;break sto?dummy -> break fi MVP 33 CountDown class tick() and bee() rivate void tick(){ dislay.setvalue(i); ticksound.lay(); try{ Thread.slee(); catch (InterrutedExcetion e){ rivate void bee(){ dislay.setvalue(i); beesound.lay(); MVP 34 Summary Concets rocess - unit of concurrency, execution of a rogram Mels Promela to mel rocesses as state machines - sequences of atomic actions Practice Java threads to imlement rocesses Thread lifecycle - created, running, runnable, nonrunnable, terminated MVP 35 6

MVP 3 CountDown class ublic class CountDown extends Alet imlements Runnable { Thread counter; int i; final static int N = ; AudioCli beesound, ticksound; NumberCanvas dislay; ublic void init() {.

Overview of Lecture 3. Model Checking with SPIN. First attempt (revisited) Linear Temporal Logic (LTL) CDP #3

Overview of Lecture 3. Model Checking with SPIN. First attempt (revisited) Linear Temporal Logic (LTL) CDP #3 Concurrent and Distributed Programming htt://fmt.cs.utwente.nl/courses/cd/ Mel Checking with SPIN CDP #3 Overview of Lecture 3 Ch. 4 - Verification of Concurrent Programs linear temoral logic (LTL) deductive