Traditional Software Development. Model Requirements and JAVA Programs. Formal Verification & Validation. What is a state?



Model Requirements and JAVA Programs

Traditional Software Development
[Figure: the waterfall model: Problem Area -> Analysis -> REVIEWS -> Design -> REVIEWS -> Implementation -> Testing -> Running System, annotated with SPIN/PROMELA at the design level and JAVA at the implementation level]
Costly wrt time and money. Errors are found too late (or maybe never).
[Figure: introducing, detecting and repairing errors across the development phases (Liggesmeyer 98)]

Formal Verification & Validation?
[Figure: Design -> Model; Requirements -> Specification; Model + Specification -> Verification & Validation]

Objective
- Design = behaviour
- Requirement = desired or forbidden behaviour
[Figure: the design and its requirements are fed to Xspin, which answers Yes/No!, supports simulation, and reports deadlock, livelock and requirement violations]

What is a state?
A state is characterized by:
- values of local/global variables
- channel(s) contents
- state of each process (= program location)

What is a state (continued)?
A state is the cross-product between the states of all processes (+ variable values + channel contents):
[Figure: process A with locations A1, A2, A3 and process B with locations B1, B2 combined into the product states (A1,B1), (A2,B1), (A1,B2), ..., (A3,B2)]

Interleaving example from MVP1
    byte s = 1;
    proctype A() { s==1 -> s++ }
    proctype B() { s==1 -> s-- }
    init { run A(); run B() }

Transition systems:
    A:  <s=1> --(s==1)--> <s=1> --(s++)--> <s=2>
    B:  <s=1> --(s==1)--> <s=1> --(s--)--> <s=0>

Combined (interleaved) transition system (state graph) of (A || B)
[Figure: the product state graph of A and B, with transitions labelled state==1, state++ and state--]
Each trace = a program execution (behaviour). SPIN checks all traces.

Correctness Requirements to Promela models
Behaviour: the set of all execution sequences in the state graph. Sequences may be finite or infinite.
Two kinds of requirements:
- State requirements: Boolean conditions on some (or all) system states
- Temporal requirements: requirements on a certain ordering of Boolean conditions on states

Correctness Analysis: Analysis of the State Graph
[Figure: Promela program -> state graph -> result of analysis]
Each state is described by:
- values of all variables
- contents of all channels
- location counters for all processes

Assertions
    proctype A() { .. assert(condition) .. }
When this location is part of the system state, the condition must be true!
Note: assert(...) is always executable.
No error: the condition is true for all possible executions.
Error: there exists at least one execution where the condition is false.

Assert example (simple counter example)
     1  byte state=1;
     2
     3  proctype A()
     4  { state==1 -> state++;
     5    assert (state==2)
     6  }
     7
     8  proctype B()
     9  { state==1 -> state--;
    10    assert (state==0)
    11  }
    12
    13  init {run A(); run B()}

SPIN output when replaying the error trail:
    preparing trail, please wait...done
    1: proc 0 (:init:) line 13 "pan_in" (state 1) [(run A())]
    2: proc 0 (:init:) line 13 "pan_in" (state 2) [(run B())]
    3: proc 2 (B) line 9 "pan_in" (state 1) [((state==1))]
    4: proc 1 (A) line 4 "pan_in" (state 1) [((state==1))]
    5: proc 2 (B) line 9 "pan_in" (state 2) [state = (state-1)]
    6: proc 2 (B) line 10 "pan_in" (state 3) [assert((state==0))]
    7: proc 2 terminates
    8: proc 1 (A) line 4 "pan_in" (state 2) [state = (state+1)]
    spin: line 5 "pan_in", Error: assertion violated
    spin: text of failed assertion: assert((state==2))

Combined (interleaved) transition system of (A || B)
[Figure: state graph of the assert example, with transitions labelled state==1, state++ and state--]
Each trace = a program execution. SPIN checks all traces.

Invariant properties
- p is always true: p is an invariant
- assert(p) must be evaluated for all system states
- One way of expressing an invariant: define a dedicated process:
    proctype monitor() { assert(p) }

Invariant: simple counter revisited (count-inv)
    int x;
    proctype P() { x<? -> x=x+1 }
    proctype Q() { x>-? -> x=x-1 }
    proctype R() { x==? -> x=? }
    proctype invariant() { assert(x>=-? && x<=?) }
Which values may x take?
(The numeric constants marked ? are not legible in the transcription.)

Linear Temporal Logic (LTL)
LTL can express requirements on the ordering of state conditions (predicates):
- <> p  : eventually p
- [] p  : always / invariantly p
- p U q : p until q

LTL example (Ltl/ltl example)
    #define p (state==?)
    #define q (state==3)
    byte state=?;
    proctype A() { state=? }
    proctype B() { state=3 }
Does <>q hold? p U q? []( p -> <>q )?
A formula must hold for ALL traces.
(The numeric constants marked ? are not legible in the transcription.)
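The assert example above, explored the way the slides describe SPIN's analysis: an added Python illustration (not from the slides and not SPIN's own code) that enumerates every interleaving of A and B over the system state (value of state, location of A, location of B) and returns the first trace on which an assertion fails. Because it searches breadth-first, the counterexample it finds is a different interleaving from the SPIN trail shown above, but it violates the same assertion.

```python
from collections import deque

# Constructed model of the "simple counter" assert example from the slides:
#   byte state = 1;
#   proctype A() { state==1 -> state++; assert(state==2) }
#   proctype B() { state==1 -> state--; assert(state==0) }
# Each proctype is a list of atomic steps (label, guard, action, assertion).
# The guard and the assignment are separate steps, as in Promela: that gap is
# what lets the other process run in between them.
def proctype(name, delta, expected):
    sign = "++" if delta > 0 else "--"
    return [
        (f"{name}: (state==1)", lambda s: s == 1, lambda s: s, None),
        (f"{name}: state{sign}", lambda s: True, lambda s: s + delta, None),
        (f"{name}: assert(state=={expected})", lambda s: True, lambda s: s,
         lambda s: s == expected),
    ]

PROCS = [proctype("A", +1, 2), proctype("B", -1, 0)]

def successors(cfg):
    """Enabled steps from a system state = (value of state, location of each process)."""
    value, locs = cfg
    for i, steps in enumerate(PROCS):
        pc = locs[i]
        if pc == len(steps):
            continue                        # this process has terminated
        label, guard, action, check = steps[pc]
        if not guard(value):
            continue                        # step is blocked in this state
        ok = check is None or check(value)  # assert() is always executable
        new_locs = locs[:i] + (pc + 1,) + locs[i + 1:]
        yield label, (action(value), new_locs), ok

def check(initial=1):
    """Breadth-first search of the whole state graph (every trace);
    returns (states explored, first failing trace or None)."""
    start = (initial, (0,) * len(PROCS))
    seen, queue = {start}, deque([(start, [])])
    while queue:
        cfg, trace = queue.popleft()
        for label, nxt, ok in successors(cfg):
            if not ok:
                return seen, trace + [label]  # counterexample, like an error trail
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return seen, None

if __name__ == "__main__":
    explored, trail = check()
    print(len(explored), "states explored")
    print("assertion violated on trace:" if trail else "no violation", trail)
```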

Implementing processes
- Modelling processes as finite state machines using Promela
- Implementing threads in Java
Note: to avoid confusion, we use the term process when referring to the models, and thread when referring to the implementation in Java.

Two basic object invocation methods
call-return (caller waits for callee):
- Efficient
- Callee is protected from caller
- Callee is a passive object
start-stop (caller and callee continue):
- Expensive calling sequence
- Callee is not protected from caller
- Callee becomes an active object (a thread)
[Figure: call-return uses one thread; start-stop uses two threads]
Fundamental problems: Scheduling, Protection, Synchronization

JVM with threads
[Figure: a JVM holding four thread states (State 1 .. State 4), each consisting of a program counter and object addresses]

Threads in Java
A Thread class manages a single sequential thread of control. Threads may be created and deleted dynamically.
[Figure: class diagram, MyThread derives from Thread]
The Thread class executes instructions from its run() method. The actual code executed depends on the implementation provided for run() in a derived class.
    class MyThread extends Thread {
        public void run() {
            //...
        }
    }
    Thread x = new MyThread();

Threads in Java (continued)
Since Java does not permit multiple inheritance, we often implement the run() method in a class not derived from Thread but from the interface Runnable.
[Figure: Thread holds a Runnable target; MyRun implements Runnable]
    public interface Runnable {
        public abstract void run();
    }
    class MyRun implements Runnable {
        public void run() {
            //...
        }
    }
    Thread x = new Thread(new MyRun());

Thread life-cycle in Java
An overview of the life-cycle of a thread as state transitions:
[Figure: new Thread() -> Created; start() -> Alive; run() returns or failure -> Terminated]
The predicate isAlive() can be used to test if a thread has been started but not terminated. Once terminated, it cannot be restarted (cf. mortals). start() causes the thread to call its run() method.

Thread alive states in Java
Once started, an alive thread has a number of substates:
[Figure: Alive = Running, Runnable, Non-Runnable; dispatch: Runnable -> Running; yield(): Running -> Runnable; sleep(), wait(): Running -> Non-Runnable; notify(), timeout: Non-Runnable -> Runnable; run() returns or failure: Running -> Terminated]

Summary of thread methods
- Dummy: yield
- Blocking: wait, wait(msec), sleep, sleep(msec), join, join(msec)
- Unblocking: notify, notifyAll, interrupt
- State inquiry: isAlive, isInterrupted
- Priority: getPriority, setPriority

CountDown timer example
Develop a JAVA applet which can:
- count down once per second from some constant number
- display the current count value
- stop after counting down to zero or when requested by the system (e.g. window change)
Model in Promela?

CountDown timer - Promela
    #define dummy 0
    #define N 5
    /* channel capacity is not legible in the transcription; rendezvous (0) assumed */
    chan beep  = [0] of {bit};
    chan tick  = [0] of {bit};
    chan stop  = [0] of {bit};
    chan start = [0] of {bit};
    byte count = 0;

    proctype counter() {
      byte i;
      if
      :: start?dummy ->
           i = N;
           do
           :: i>0  -> tick!dummy; i--
           :: i==0 -> beep!dummy; break
           :: stop?dummy -> break
           od
      fi
    }

    proctype system() { start!dummy; stop!dummy }

    proctype display() {
      do
      :: tick?dummy -> count++
      :: beep?dummy -> break
      :: timeout -> break
      od
    }

    /* process instantiation is not legible in the transcription; added so the model runs */
    init { run counter(); run display(); run system() }
Properties?

CountDown timer - properties
- Counting down to zero should be possible
- The system should be able to terminate before the count reaches zero (at system stop)

CountDown timer - Promela (the same model as above)
Implementation in Java?

CountDown timer - class diagram
[Figure: CountDown derives from Applet and implements Runnable (init(), start(), stop(), run(), tick(), beep()); it holds a Thread counter, whose Runnable target is the CountDown object, and a NumberCanvas display (setvalue())]
The class NumberCanvas provides the display canvas.
The class CountDown derives from Applet and contains the implementation of the run() method which is required by Thread.

CountDown class
    public class CountDown extends Applet implements Runnable {
        Thread counter; int i;
        final static int N = 10;
        AudioClip beepSound, tickSound;
        NumberCanvas display;
        public void init() {...}
        public void start() {...}
        public void stop() {...}
        public void run() {...}
        private void tick() {...}
        private void beep() {...}
    }

CountDown class - start(), stop() and run()
    public void start() {
        counter = new Thread(this);
        i = N; counter.start();
    }
    public void stop() {
        counter = null;
    }
    public void run() {
        while(true) {
            if (counter == null) return;
            if (i>0) { tick(); --i; }
            if (i==0) { beep(); return; }
        }
    }
COUNTDOWN model, for comparison:
    proctype counter() {
      byte i;
      if
      :: start?dummy ->
           i = N;
           do
           :: i>0  -> tick!dummy; i--
           :: i==0 -> beep!dummy; break
           :: stop?dummy -> break
           od
      fi
    }

CountDown class - tick() and beep()
    private void tick(){
        display.setvalue(i); tickSound.play();
        try{ Thread.sleep(1000); } catch (InterruptedException e){}
    }
    private void beep(){
        display.setvalue(i); beepSound.play();
    }

Summary
- Concepts: process - unit of concurrency, execution of a program
- Models: Promela to model processes as state machines - sequences of atomic actions
- Practice: Java threads to implement processes
- Thread lifecycle - created, running, runnable, non-runnable, terminated