Development of dynamically evolving and self-adaptive software. 1. Background


Development of dynamically evolving and self-adaptive software. 1. Background
LASER 2013, Isola d'Elba, September 2013
Carlo Ghezzi, Politecnico di Milano, Deep-SE Group @ DEIB

Requirements
Functional requirements refer to services that the system shall provide. Non-functional requirements constrain how such services shall be provided.
[Figure: taxonomy of non-functional requirements connected by subclass links, from van Lamsweerde, Requirements Engineering, J. Wiley & Sons 2009. Top-level classes: Quality of Service, Compliance, Architectural Constraint, Development Constraint. Subclasses shown: Accuracy, Safety, Security, Reliability, Performance, Interface, Installation, Distribution, Cost, Maintainability, Cost, Deadline, Variability, Confidentiality, Integrity, Availability, Time, Space, User interaction, Device interaction, Software interoperability, Usability, Convenience.]

Models
During software development, software engineers often build abstractions of the system in the form of models.
model [noun]: a system or thing used as an example to follow or imitate; a simplified description, esp. a mathematical one, of a system or process, to assist calculations or predictions (Oxford American Dictionaries)

Why do we use models?
- To communicate: they embody a shared lexicon (e.g., state, transition)
- To simplify descriptions and help focus, ignoring details that distract from the essence of the problem
- To reason about the modeled system: mathematics makes reasoning formal, and through models we can predict properties of the real system before it exists

What makes a good model?
- A model is good if it carries the right amount of information you need: it is at the right level of abstraction
- A model abstracts from details: make sure that they are details, not the essence, and be aware of the approximations
- A model serves a purpose: different models for different purposes (views)
Expert judgment is always needed!

From model(s) to implementation
Model-driven development tries to support a development process that goes through correctness-preserving transformations. Ideally, once correct models are developed, the implementation is correct by construction. Reality is still far from this ideal world... However, a focus on models and verification is important to achieve better quality products.

Models
Perhaps the most used (and useful) models are finite-state models given as Labelled Transition Systems of some kind.
[Figure: a two-state LTS with states OFF and ON and transitions labelled 0 and 1]

Labeled Transition System (Kripke Structure)
Transitions represent execution steps; state labels represent predicates true in the state.
[Figure: a Kripke structure with states x, y, z and h labelled ~p and state k labelled p]

Definition
An LTS is a tuple (S, I, R, AP, L) where
- S is a set of states;
- I ⊆ S is the set of initial states;
- R ⊆ S × S is the set of transitions;
- AP is a set of atomic propositions;
- L : S → 2^AP is a labelling function.
A (maximal) path from a state s0 is either a finite sequence of states that ends in a terminal state or an infinite sequence of states π = s0, s1, s2, ... such that (si, si+1) ∈ R for all i ≥ 0.

An example
Two-process mutual exclusion with a shared semaphore. Each process has three states:
- Non-critical (N)
- Trying (T)
- Critical (C)
The semaphore can be available (S0) or taken (S1). Initially both processes are in N and the semaphore is available.
[Figure: the LTS of each process i = 1, 2: N_i → T_i; T_i with S0 → C_i with S1; C_i → N_i with S0. Initial state: N1 N2 S0.]

Consider the following model. Does a system behaving like this LTS satisfy our expectations in terms of mutual exclusion, i.e., that a state where both C1 and C2 hold can never be reached?
[Figure: the composed LTS, with states N1 N2 S0, T1 N2 S0, N1 T2 S0, C1 N2 S1, T1 T2 S0, N1 C2 S1, C1 T2 S1, T1 C2 S1]

How can requirements be specified?
For example, we need to formalize statements like: no matter where you are, there is always a way to get to the initial state.
Temporal logic is used to formally express such properties.
- In classical logic, formulae are evaluated within a single fixed world. For example, a proposition such as "it is raining" must be either true or false. Propositions are then combined using logical connectives.
- In temporal logic, evaluation takes place within a set of worlds, corresponding to time instants: "it is raining" may be satisfied in some worlds, but not in others. The set of worlds corresponds to moments in time.

Temporal logic
Linear time:
- every moment has a unique successor
- infinite sequences (words)
- Linear Time Temporal Logic (LTL)
Branching time:
- every moment has several successors
- infinite tree
- Computation Tree Logic (CTL)

LTL: syntax and semantics
φ ::= true | a | φ1 ∧ φ2 | ¬φ | ○φ | φ1 U φ2
- ○φ is also written Xφ
- true U φ is also written Fφ and also ◇φ
- ¬F¬φ is also written Gφ and also □φ
An LTL property stands for a property of a path. For a state s, a formula φ is satisfied if all paths exiting s satisfy the formula.
Model checking: given an LTS and a formula, verify that the initial states satisfy it.

Mutual exclusion
Always, at least one process is not in the critical section: G(¬C1 ∨ ¬C2)
[Figure: the composed LTS of the previous slide, with states N1 N2 S0, T1 N2 S0, N1 T2 S0, C1 N2 S1, T1 T2 S0, N1 C2 S1, C1 T2 S1, T1 C2 S1]

CTL
State formulae: ϕ ::= true | a | ϕ1 ∧ ϕ2 | ¬ϕ | ∃φ | ∀φ
Path formulae: φ ::= ○ϕ | ϕ1 U ϕ2
X (○), F (◇) and G (□) can be introduced as for LTL; ∃ and ∀ are often also written as E and A.
Mutual exclusion in CTL: ∀G(¬C1 ∨ ¬C2)
Note: CTL and LTL have incomparable expressiveness.
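As an added example (not part of the slides), the two-process/semaphore model of the previous slides checked with a small explicit-state CTL model checker in Python. The composed LTS is built by state-space exploration from the per-process transition rules of the slide figure; the CTL operators are implemented as set-valued fixpoint computations (EX, E[· U ·], EG, and AG/EF/AF derived from them); then the invariant ∀G(¬C1 ∨ ¬C2) (equivalent here to the LTL formula G(¬C1 ∨ ¬C2), since it is a state invariant), the "always a way back to the initial state" requirement ∀G ∃F init, and a liveness formula ∀G(T1 → ∀F C1) are evaluated in the initial state. All function and variable names (build_lts, ag, ef, check_mutual_exclusion, ...) are my own.

```python
from collections import deque

# Local process states: N (non-critical), T (trying), C (critical).
# Semaphore: "S0" available, "S1" taken. A global state is (p1, p2, semaphore).
INIT = ("N", "N", "S0")


def successors(state):
    """Interleaving semantics: one process moves per step.
    N -> T is always enabled; T -> C needs the semaphore and takes it;
    C -> N releases the semaphore."""
    p1, p2, sem = state
    nxt = []
    for idx in (0, 1):
        local = [p1, p2]
        if local[idx] == "N":
            local[idx] = "T"
            nxt.append((local[0], local[1], sem))
        elif local[idx] == "T" and sem == "S0":
            local[idx] = "C"
            nxt.append((local[0], local[1], "S1"))
        elif local[idx] == "C":
            local[idx] = "N"
            nxt.append((local[0], local[1], "S0"))
    return nxt


def build_lts(init=INIT):
    """Breadth-first exploration of the composed state space.
    Returns a dict mapping each reachable state to its successor list."""
    trans, queue = {}, deque([init])
    while queue:
        s = queue.popleft()
        if s in trans:
            continue
        trans[s] = successors(s)
        queue.extend(trans[s])
    return trans


# CTL operators as set transformers: each takes the transition relation and the
# satisfaction set(s) of its operands and returns the satisfaction set.
def ex(trans, z):
    return {s for s, succ in trans.items() if any(t in z for t in succ)}


def eu(trans, a, b):
    """E[a U b]: least fixpoint Z = b ∪ (a ∩ EX Z)."""
    z = set(b)
    while True:
        new = z | (a & ex(trans, z))
        if new == z:
            return z
        z = new


def eg(trans, a):
    """EG a: greatest fixpoint Z = a ∩ EX Z (this model has no terminal states)."""
    z = set(a)
    while True:
        new = a & ex(trans, z)
        if new == z:
            return z
        z = new


def ef(trans, a):
    return eu(trans, set(trans), a)


def ag(trans, a):
    return set(trans) - ef(trans, set(trans) - a)


def af(trans, a):
    return set(trans) - eg(trans, set(trans) - a)


def atoms(trans):
    """Satisfaction sets of the atomic propositions C1, C2 and T1."""
    states = set(trans)
    return {"C1": {s for s in states if s[0] == "C"},
            "C2": {s for s in states if s[1] == "C"},
            "T1": {s for s in states if s[0] == "T"}}


def check_mutual_exclusion(trans=None):
    """AG(not C1 or not C2), evaluated in the initial state."""
    trans = trans or build_lts()
    states, lab = set(trans), atoms(trans)
    return INIT in ag(trans, (states - lab["C1"]) | (states - lab["C2"]))


def check_return_to_init(trans=None):
    """AG EF init: from every reachable state the initial state can be reached."""
    trans = trans or build_lts()
    return INIT in ag(trans, ef(trans, {INIT}))


def check_progress_p1(trans=None):
    """AG(T1 -> AF C1). Fails on this model: the interleaving carries no
    fairness assumption, so process 2 can cycle forever while process 1 waits."""
    trans = trans or build_lts()
    states, lab = set(trans), atoms(trans)
    return INIT in ag(trans, (states - lab["T1"]) | af(trans, lab["C1"]))


if __name__ == "__main__":
    lts = build_lts()
    print(len(lts), "reachable states")
    print("AG(not C1 or not C2):", check_mutual_exclusion(lts))
    print("AG EF init:", check_return_to_init(lts))
    print("AG(T1 -> AF C1):", check_progress_p1(lts))
```

The exploration finds exactly the eight states drawn on the slide and no state with both C1 and C2, so the safety invariant and the return-to-initial-state property hold; the liveness check fails, which is the expected caveat for an unfair interleaving model rather than a bug in the semaphore.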

Quantitative modelling
LTSs support qualitative modelling. Often we need to model quantitative aspects, such as the cost of a certain action or the probability that a certain event occurs. Here we review Markov models, an important and useful extension of LTSs.

Discrete-time Markov Chains
A DTMC is defined by a tuple (S, s0, P, AP, L) where
- S is a finite set of states
- s0 ∈ S is the initial state
- P : S × S → [0, 1] is a stochastic matrix
- AP is a set of atomic propositions
- L : S → 2^AP is a labelling function.
The modelled process must satisfy the Markov property, i.e., the probability distribution of future states does not depend on past states; the process is memoryless.

An example
A simple communication protocol operating with a channel. States: start, try, delivered, lost. Transitions: start → try (probability 1), try → delivered (0.9), try → lost (0.1), lost → try (1), delivered → start (1).
Matrix representation (rows and columns in the order S, D, T, L):
      S    D    T    L
  S   0    0    1    0
  D   1    0    0    0
  T   0    0.9  0    0.1
  L   0    0    1    0
Note: the sum of probabilities for transitions leaving a given state equals 1.
(C. Baier, J.-P. Katoen, Principles of Model Checking, MIT Press, 2008)

Discrete Time Markov Reward Models
Like a DTMC, plus:
- labelling states with a state reward
- labelling transitions with a transition reward (we just use state rewards)
Rewards can be any real-valued, additive, non-negative measure; we use non-negative real functions.
Usage in modelling: rewards represent energy consumption, average execution time, outsourcing costs, pay-per-use cost, CPU time.

Reward DTMC
An R-DTMC is a tuple (S, s0, P, AP, L, µ), where S, s0, P, L are defined as for a DTMC, while µ is defined as follows:
- µ : S → R≥0 is a state reward function assigning a non-negative real number to each state.
At step 0 the system enters the initial state s0; at step 1 the system gains the reward µ(s0) associated with that state and moves to a new state; and so on...

Which model(s) should we use?
Different models provide different viewpoints from which a system can be analyzed. A focus on non-functional properties leads to models where we can deal with uncertainty and specify quantitative aspects. Examples:
- DTMCs for reliability
- CTMCs for performance
- Reward DTMCs for energy/cost/performance

Quantitative requirements specification
A specification can be qualitative ("the system shall do...") or quantitative ("average response time shall be less than xxx"). LTL and CTL temporal logics are typical examples of qualitative specification languages. Non-functional requirements ask for quantitative specification, and quantitative specs then require quantitative verification.

PCTL
Probabilistic extension of CTL. In a state, instead of existential and universal quantifiers over paths, we can predicate on the probability of the set of paths (leaving the state) that satisfy a property: state formulae gain the operator P⋈p(φ), where ⋈ is a comparison operator and p a probability bound. In addition, path formulae also include the step-bounded until ϕ1 U≤k ϕ2.
An example of a reachability property: P>0.8 [◇(system state = success)]
[Figure: an absorbing state, with a self-loop of probability 1]

R-PCTL
Reward-Probabilistic CTL for R-DTMCs. State formulae extend PCTL's P⋈p(φ) with a reward operator R⋈r(·), whose argument is one of three reward path formulae: the instantaneous reward at step k (written = k), the reward cumulated within k steps, and the reward cumulated until a state satisfying a given state formula is reached. The three are illustrated on the next slides.

Example: instantaneous reward
R⋈r(= k): the expected state reward to be gained in the state entered at step k along the paths originating in the given state.
"The expected cost gained after exactly 10 time steps is less than 5": R<5(= 10)

Example: cumulated reward within k steps
R⋈r(...) with a step bound k: the expected cumulated reward within k time steps.
"The expected energy consumption within the first 50 time units of operation is less than 6 kWh": R<6 with k = 50

Example: cumulated reward until a state is reached
R⋈r(...) with a target state formula ϕ: the expected cumulated reward until a state satisfying ϕ is reached.
"The average execution time until a user session is complete is lower than 150 s": R<150 with ϕ = "session complete"
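As an added example (my own code, not from the slides), the communication-protocol DTMC of the example slide turned into a small R-DTMC in Python, covering the DTMC definition, the reward model and the bounded PCTL/R-PCTL properties of the preceding slides: the stochastic-matrix check, the probability of a finite path, the distribution after k steps (a row of P^k), the expected instantaneous reward at step k, the expected reward cumulated within k steps (using the slide's convention that the reward of the state entered at step i is gained at step i+1), and a step-bounded reachability probability P⋈p(true U≤k target) obtained by making the target absorbing and propagating the distribution. The state rewards MU are a constructed assumption (energy units per step); all names are mine.

```python
# Communication-protocol DTMC from the slides (Baier & Katoen example).
# State order: start, try, delivered, lost; P[i][j] = Pr(STATES[i] -> STATES[j]).
STATES = ["start", "try", "delivered", "lost"]
P = [
    [0.0, 1.0, 0.0, 0.0],   # start -> try
    [0.0, 0.0, 0.9, 0.1],   # try -> delivered (0.9) | lost (0.1)
    [1.0, 0.0, 0.0, 0.0],   # delivered -> start
    [0.0, 1.0, 0.0, 0.0],   # lost -> try (retransmission)
]
# Constructed state rewards (an assumption, not from the slides): energy units
# consumed per step spent in each state.
MU = [0.0, 1.0, 0.0, 2.0]


def is_stochastic(matrix, tol=1e-9):
    """Each row must be a probability distribution (the slide's note)."""
    return all(all(0.0 <= x <= 1.0 for x in row) and abs(sum(row) - 1.0) < tol
               for row in matrix)


def path_probability(path, matrix=P):
    """Probability that a finite path (list of state names) is traversed:
    1 for a single state, product of the transition probabilities otherwise."""
    idx = [STATES.index(s) for s in path]
    prob = 1.0
    for a, b in zip(idx, idx[1:]):
        prob *= matrix[a][b]
    return prob


def step(dist, matrix=P):
    """dist_{k+1} = dist_k * P: propagate a row distribution one step."""
    n = len(matrix)
    return [sum(dist[i] * matrix[i][j] for i in range(n)) for j in range(n)]


def distribution_after(k, init="start", matrix=P):
    """Distribution over states after exactly k steps from init (row of P^k)."""
    dist = [1.0 if s == init else 0.0 for s in STATES]
    for _ in range(k):
        dist = step(dist, matrix)
    return dist


def k_step_probability(src, dst, k):
    """Entry (src, dst) of P^k."""
    return distribution_after(k, src)[STATES.index(dst)]


def instantaneous_reward(k, init="start"):
    """Expected reward of the state entered at step k (the R(= k) operator)."""
    return sum(p * mu for p, mu in zip(distribution_after(k, init), MU))


def cumulated_reward(k, init="start"):
    """Expected reward cumulated within k steps: the states entered at steps
    0..k-1 contribute, since each state's reward is gained one step later."""
    return sum(instantaneous_reward(i, init) for i in range(k))


def bounded_reachability(target, k, init="start"):
    """Pr(init |= true U<=k target): make target absorbing, propagate k steps,
    and read the probability mass that has arrived in target."""
    t = STATES.index(target)
    absorbing = [row[:] for row in P]
    absorbing[t] = [1.0 if j == t else 0.0 for j in range(len(P))]
    return distribution_after(k, init, absorbing)[t]


def holds_p_bound(prob, op, bound):
    """Evaluate the PCTL constraint P op bound on a computed probability."""
    return {"<": prob < bound, "<=": prob <= bound,
            ">": prob > bound, ">=": prob >= bound}[op]


if __name__ == "__main__":
    print("stochastic:", is_stochastic(P))
    print("Pr(start,try,lost,try,delivered):", path_probability(
        ["start", "try", "lost", "try", "delivered"]))
    print("P^2[start,delivered]:", k_step_probability("start", "delivered", 2))
    print("E[reward at step 2]:", instantaneous_reward(2))
    print("E[reward within 3 steps]:", cumulated_reward(3))
    print("P>0.8[true U<=2 delivered]:",
          holds_p_bound(bounded_reachability("delivered", 2), ">", 0.8))
```

The bounded-reachability trick (absorb the target, then propagate) is the same one probabilistic model checkers use for step-bounded until; the unbounded case needs the absorbing-chain machinery of the later slides.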

A bit of theory
The probability that a finite path $\sigma = s_0, s_1, s_2, \ldots, s_n$ is traversed is 1 if $n = 0$ (the path consists of the single state $s_0$), and
$$\prod_{k=0}^{n-1} P(s_k, s_{k+1})$$
otherwise.
A state $s_j$ is reachable from state $s_i$ if a finite path exists leading to $s_j$ from $s_i$.
The probability of moving from $s_i$ to $s_j$ in exactly 2 steps is $\sum_{x \in S} p_{ix} p_{xj}$, which is the $(i, j)$ entry of $P^2$.
The probability of moving from $s_i$ to $s_j$ in exactly $k$ steps is the $(i, j)$ entry of $P^k$.

A bit of theory
A state is recurrent if the probability that it will be eventually visited again after being reached is 1; it is otherwise transient (there is a non-zero probability that it will never be visited again). A recurrent state $s_k$ where $p_{k,k} = 1$ is called absorbing.
Here we assume DTMCs to be well-formed, i.e.:
- every recurrent state is absorbing
- all states are reachable from the initial state
- from every transient state it is possible to reach an absorbing state

An example
[Figure: a DTMC with states 0, 1, 2, 3 and transitions 0 → 1 (probability 1), 1 → 1 (0.2), 1 → 2 (0.5), 1 → 3 (0.3); states 2 and 3 are absorbing]
  P =
      0    1    0    0
      0    0.2  0.5  0.3
      0    0    1    0
      0    0    0    1
Probability of reaching an absorbing state (e.g., 2): 2 can be reached by reaching 1 in 0, 1, 2, ... steps and then 2 with probability 0.5:
$$(1 + 0.2 + 0.2^2 + 0.2^3 + \ldots) \times 0.5 = \Big(\sum_{n \ge 0} 0.2^n\Big) \times 0.5 = \frac{1}{1 - 0.2} \times 0.5 = 0.625$$
Similarly, for state 3: $\frac{1}{1 - 0.2} \times 0.3 = 0.375$.
Notice that an absorbing state is reached with probability 1.

A bit of theory
Consider a DTMC with $r$ absorbing and $t$ transient states. Its matrix can be restructured as
$$P = \begin{pmatrix} Q & R \\ 0 & I \end{pmatrix}$$
- $Q$ is a nonzero $t \times t$ matrix
- $R$ is a $t \times r$ matrix
- $0$ is an $r \times t$ matrix
- $I$ is an $r \times r$ identity matrix
$$Q^k \to 0 \text{ as } k \to \infty \qquad (1)$$
Theorem: in a well-formed Markov chain, the probability of the process being eventually absorbed is 1.

Focus on reachability properties
A reachability property has the form P⋈p(◇ϕ): it states that the probability of reaching a state where ϕ holds matches the constraint ⋈ p. Typically, such properties refer to reaching an absorbing state (denoting success/failure for reliability analysis). It is a flat formula (i.e., no subformula contains P⋈p(...)). These properties are the most commonly found.

A bit of theory
Consider again $P = \begin{pmatrix} Q & R \\ 0 & I \end{pmatrix}$. Let $n_{i,k}$ be the expected number of visits of transient state $s_k$ from $s_i$, i.e., the sum of the probabilities of visiting it 0, 1, 2, ... times.
Theorem: the geometric series
$$N = I + Q + Q^2 + Q^3 + \ldots = \sum_{k=0}^{\infty} Q^k$$
converges, by (1), to $(I - Q)^{-1}$.
Consider $B = N R$. The probability of reaching absorbing state $s_k$ from $s_i$ is
$$b_{ik} = \sum_{j = 0}^{t-1} n_{ij}\, r_{jk}$$

Proving reachability properties
$$\Pr(s_0 \models \Diamond \mathit{End}) = \sum_j n_{0,j}\, r_{j,\mathit{End}}$$
$n_{0,j}$ is the sum of the probabilities to reach state $j$ in 1, 2, 3, ... steps.
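As an added example (my own code, not from the slides), the absorbing-chain theory of the last few slides applied to the four-state example chain: the chain is checked for the well-formedness condition that every transient state can reach an absorbing state, reordered into the canonical form [[Q, R], [0, I]], the fundamental matrix N = (I − Q)^−1 is computed by Gauss-Jordan elimination and compared against a truncated geometric series I + Q + Q² + ... (the convergence the theorem relies on), and B = N R gives the reachability probabilities 0.625 and 0.375 worked out by hand on the slide, with a flat property P⋈p(◇ target) evaluated on top. The expected reward until absorption, the unbounded R-PCTL case, is ∑_j n_ij µ(s_j); the rewards MU (one time unit per step in a transient state) are a constructed assumption. All names are mine.

```python
# Absorbing-chain analysis for the four-state example chain of the slides:
# states 0..3, with 2 and 3 absorbing (p_kk = 1).
P = [
    [0.0, 1.0, 0.0, 0.0],
    [0.0, 0.2, 0.5, 0.3],
    [0.0, 0.0, 1.0, 0.0],
    [0.0, 0.0, 0.0, 1.0],
]
# Constructed state rewards (an assumption, not from the slides): one time
# unit per step spent in a transient state, nothing in absorbing states.
MU = [1.0, 1.0, 0.0, 0.0]


def partition(matrix):
    """Absorbing states have p_kk = 1; every other state is treated as transient."""
    absorbing = [k for k in range(len(matrix)) if matrix[k][k] == 1.0]
    transient = [k for k in range(len(matrix)) if k not in absorbing]
    return transient, absorbing


def is_well_formed(matrix=P):
    """Checks the third well-formedness condition: every transient state can
    reach an absorbing state (depth-first search over positive-probability edges)."""
    transient, absorbing = partition(matrix)
    for s in transient:
        seen, stack = {s}, [s]
        while stack:
            u = stack.pop()
            for v, p in enumerate(matrix[u]):
                if p > 0.0 and v not in seen:
                    seen.add(v)
                    stack.append(v)
        if not any(a in seen for a in absorbing):
            return False
    return True


def canonical_form(matrix):
    """Reorder into [[Q, R], [0, I]]; return Q (t x t), R (t x r) and both orders."""
    transient, absorbing = partition(matrix)
    Q = [[matrix[i][j] for j in transient] for i in transient]
    R = [[matrix[i][j] for j in absorbing] for i in transient]
    return Q, R, transient, absorbing


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def inverse(M):
    """Gauss-Jordan inverse with partial pivoting; adequate for small dense matrices."""
    n = len(M)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        if abs(p) < 1e-12:
            raise ValueError("I - Q is singular: the chain is not well-formed")
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0.0:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def fundamental_matrix(Q):
    """N = (I - Q)^-1; n_ij is the expected number of visits to transient j from i."""
    n = len(Q)
    return inverse([[(1.0 if i == j else 0.0) - Q[i][j] for j in range(n)] for i in range(n)])


def series_partial_sum(Q, terms):
    """I + Q + Q^2 + ... + Q^terms, which approaches N because Q^k -> 0."""
    n = len(Q)
    power = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    total = [row[:] for row in power]
    for _ in range(terms):
        power = matmul(power, Q)
        total = [[total[i][j] + power[i][j] for j in range(n)] for i in range(n)]
    return total


def absorption_probabilities(matrix=P):
    """B = N R: b_ik is the probability that transient state i is absorbed in k."""
    Q, R, transient, absorbing = canonical_form(matrix)
    B = matmul(fundamental_matrix(Q), R)
    return {s: dict(zip(absorbing, B[i])) for i, s in enumerate(transient)}


def expected_reward_until_absorption(matrix=P, mu=MU):
    """Expected reward cumulated before absorption from each transient state: sum_j n_ij * mu(j)."""
    Q, _, transient, _ = canonical_form(matrix)
    N = fundamental_matrix(Q)
    return {s: sum(N[i][j] * mu[t] for j, t in enumerate(transient))
            for i, s in enumerate(transient)}


def check_reachability(state, target, op, bound, matrix=P):
    """Flat reachability property P op bound (<> target), evaluated in `state`."""
    prob = absorption_probabilities(matrix)[state][target]
    return {"<": prob < bound, "<=": prob <= bound, ">": prob > bound, ">=": prob >= bound}[op]


if __name__ == "__main__":
    print("well-formed:", is_well_formed())
    print("B = N R:", absorption_probabilities())
    print("expected steps before absorption:", expected_reward_until_absorption())
```

For the example chain N has n_01 = 1.25 (the 1/(1 − 0.2) factor of the slide's hand computation), each row of B sums to 1 as the absorption theorem states, and the expected time to absorption from state 0 is 1 + 1.25 = 2.25 steps under the constructed rewards.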

Model checking tools
- SPIN (Holzmann) analyzes LTL properties for LTSs expressed in Promela
- (Nu)SMV (Clarke et al., Cimatti et al.) can also analyze CTL properties and uses a symbolic representation of visited states (BDDs) to address the state explosion problem
- PRISM (Kwiatkowska et al.) and MRMC (Katoen et al.) support Markov models and perform probabilistic model checking

Question
How do modelling notations and verification fit software evolution?
- A modification to an existing system is viewed as a new system
- There is no support for reasoning on the changes and their effects