Formal Methods for Software Engineering Part II: Modelling & Analysis of System Behaviour
Contents Part I

In Part I we used Z as a formalism to model the static aspects of software systems, i.e.
- definition of system states & data structures
- definition of operations & preconditions
The tool Z-Eves was used for specification support and analysis.

Ed Brinksma FMSE, Lecture 4
Contents Part II

In this part we introduce FSP as a formalism to model the dynamic aspects of software systems, i.e.
- definition of system behaviour (control flow)
- definition of control distribution (concurrency)
We introduce the tool LTSA for modelling support and analysis.
FSP and LTS

Models are described using state machines, known as Labelled Transition Systems (LTS). These are described textually as Finite State Processes (FSP) and displayed and analysed by the LTSA analysis tool.
- LTS: graphical form
- FSP: algebraic form
LTS: a definition

A labelled transition system T consists of the following ingredients:
- a set S of states
- a set L of actions
- a set -> of transitions of the form s -a-> t with s, t ∈ S and a ∈ L or a = tau
- an initial state s0 ∈ S
We also write T = (S, L, ->, s0).
Modelling Processes

A process is modelled as a finite LTS which transits from state to state by executing a sequence of atomic actions.
[Diagram: a light switch LTS with two states and the transitions on and off]
A sequence of actions, or trace: on off on off on off …
A Simple Transmission Protocol

SENDER = (in -> send -> getack -> SENDER).
RECEIVER = (rec -> out -> ack -> RECEIVER).
BUFFER = (get -> put -> BUFFER).
[Diagrams: the three-state LTSs of SENDER (in, send, getack) and RECEIVER (rec, out, ack) and the two-state LTS of BUFFER (get, put)]
Composing the System

[Diagram: Sender passes send to the Medium (Buffer1 and Buffer2), which delivers rec to the Receiver; the Receiver's ack travels back through the Medium and reaches the Sender as getack; in and out are the external actions]

||MEDIUM = (a:BUFFER||b:BUFFER) /{send/a.get,rec/a.put,ack/b.get,getack/b.put}.
||SYSTEM = (SENDER || MEDIUM ||RECEIVER).
The System Behaviour

- parallel composition with synchronized communication
- the equivalent single process can be calculated (with LTSA)
[Diagram: the composed system as a single six-state cycle (states 0 to 5) with transitions in, send, rec, out, ack, getack]
Observable Behaviour

Observable behaviour abstracts away from internal system actions.

||SYSTEM = (SENDER||MEDIUM||RECEIVER).
[Diagram: Sender, Medium and Receiver with every action visible: in, send, rec, out, ack, getack]

||SYSTEM = (SENDER||MEDIUM||RECEIVER)@{in,out}.
[Diagram: the same components enclosed in a box labelled System; only in and out remain visible]

tau denotes an internal action.
[Diagram: SYSTEM@{in,out} as a six-state cycle (states 0 to 5) whose only visible actions are in and out; the remaining steps are tau]

Minimising SYSTEM gives the same LTS as:
SYS=(in->out->SYS).
[Diagram: a two-state cycle with transitions in and out]
Behavioural Equivalence

In what sense is the minimized process SYS comparable to SYSTEM@{in,out}? When can we identify system states?
Bisimulation

Idea: identify states that can imitate each other's observable steps, leading to states that again can be identified.
An observable step consists of either observing nothing, or observing a non-internal action.
Example

[Diagram: a six-state LTS (states 0 to 5) with transitions in, tau, tau, out, tau, tau]
Observable Steps

Observing nothing: s ==> t means s = t or s -tau-> … -tau-> t, i.e. s reaches t by doing nothing, or by executing internal actions only.
Observing a non-internal action: s =a=> t means s ==> s' -a-> t' ==> t for some s', t', i.e. s reaches t by doing a, possibly preceded or followed by some internal actions.
Examples

[Diagram: an LTS with states 0 to 3 and actions a, b, c and tau whose observable steps are listed below]
0==>0, 0=a=>1, 0=a=>2
1==>1, 1==>2, 1=b=>3, 1=c=>2
2==>2, 2=c=>2
3==>3, 3=b=>3
Weak Bisimulation Relations

Let R be a relation between states; then R is a weak bisimulation relation iff for all (s,t) ∈ R and all observable actions a:
- if for some s': s ==> s' then for some t': t ==> t' such that (s',t') ∈ R
- if for some s': s =a=> s' then for some t': t =a=> t' such that (s',t') ∈ R
- if for some t': t ==> t' then for some s': s ==> s' such that (s',t') ∈ R
- if for some t': t =a=> t' then for some s': s =a=> s' such that (s',t') ∈ R
Equivalent Transition Systems

Two transition systems T and U are observably equivalent iff there is a weak bisimulation relation R with (t0,u0) ∈ R, where t0 and u0 are their respective initial states.
Example

[Diagram: two LTSs, T and S, with actions a, b, c and tau]
Negative Example

[Diagram: an LTS with actions a, b and c (states numbered up to 4), marked with a question mark]
Traces Again

Let T = (S, L, ->, s0) be a labelled transition system.
Traces(T) is the set of strings a1…an ∈ L* such that there is an s ∈ S with s0 =a1=> … =an=> s.
Two LTSs T and U are trace equivalent iff Traces(T) = Traces(U).
Example

[Diagram: the LTS of the Observable Steps example (actions a, b, c and tau, states 0 to 3)]
Traces: (empty trace), a, ab, abb, abbb, abbbb, …
and a, ac, acc, accc, acccc, …
(Non)determinism

An LTS T = (S, L, ->, s0) is deterministic iff for every trace a1…an of T there is a unique state s ∈ S with s0 =a1=> … =an=> s.
[Diagram: a deterministic LTS with actions a, b and c (states numbered up to 4) next to the nondeterministic LTS of the previous example; trace sets are identical!]
nondeterministic: 0=a=>1 and 0=a=>2
Do we need nondeterministic processes?

FACTS. Let T and U be LTSs.
- If T and U are observation equivalent then T and U are trace equivalent.
- If T and U are trace equivalent then T and U generally are not observation equivalent.
- If T and U are deterministic then they are trace equivalent iff they are observation equivalent.
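The definitions of the last few slides (weak steps ==> and =a=>, traces, determinism, weak bisimulation) are small enough to compute directly for finite LTSs. The following Python is an added example, not part of the lecture or of LTSA: it implements the four clauses of the weak bisimulation definition as a greatest fixed point over pairs of states, and runs it on LTSs reconstructed from the slides (ND is my reading of the Observable Steps example, D a deterministic twin with the same trace set, SYSTEM the hidden protocol cycle and SYS the two-state buffer). The reconstruction of the diagrams is an assumption; the FACTS above are what the checks exercise.

```python
"""Weak (observable) transitions, bounded traces, determinism and weak
bisimulation for finite LTSs. Added example for this lecture; the LTSs at
the bottom are reconstructed from its slides, not exported from LTSA."""
from itertools import product

TAU = "tau"


class LTS:
    """T = (S, L, ->, s0) with the transitions given as (s, a, t) triples."""

    def __init__(self, init, transitions):
        self.init = init
        self.trans = transitions
        self.states = {init} | {x for s, _, t in transitions for x in (s, t)}
        self.actions = {a for _, a, _ in transitions if a != TAU}  # L, the observable actions

    def step(self, s, a):
        """s -a-> t : one transition."""
        return {t for x, b, t in self.trans if x == s and b == a}

    def weak_tau(self, s):
        """s ==> t : t reachable from s by zero or more tau steps (includes s itself)."""
        seen, stack = {s}, [s]
        while stack:
            for t in self.step(stack.pop(), TAU):
                if t not in seen:
                    seen.add(t)
                    stack.append(t)
        return seen

    def weak(self, s, a):
        """s =a=> t : s ==> s' -a-> t' ==> t."""
        return {t for s1 in self.weak_tau(s) for t1 in self.step(s1, a) for t in self.weak_tau(t1)}

    def after(self, maxlen):
        """Map every trace of length <= maxlen to the states s with s0 =a1=> ... =an=> s.
        Traces(T) itself is infinite for a cyclic T, so we bound the length."""
        layer = {(): self.weak_tau(self.init)}
        result = dict(layer)
        for _ in range(maxlen):
            nxt = {}
            for tr, states in layer.items():
                for a in self.actions:
                    targets = {t for s in states for t in self.weak(s, a)}
                    if targets:
                        nxt[tr + (a,)] = targets
            result.update(nxt)
            layer = nxt
        return result

    def traces(self, maxlen):
        return set(self.after(maxlen))

    def deterministic(self, maxlen):
        """The lecture's definition taken literally: each trace leads to a unique state."""
        return all(len(states) == 1 for states in self.after(maxlen).values())


def trace_equivalent(T, U, maxlen):
    return T.traces(maxlen) == U.traces(maxlen)


def weak_bisimilar(T, U):
    """Greatest fixed point: start from all pairs of states and drop every (s, t)
    that violates one of the four clauses of the definition; a = None stands for
    the 'observing nothing' step s ==> s'. True iff the initial states survive."""
    actions = T.actions | U.actions
    R = set(product(T.states, U.states))

    def ok(s, t):
        for a in [None, *sorted(actions)]:
            ms = T.weak_tau(s) if a is None else T.weak(s, a)
            mt = U.weak_tau(t) if a is None else U.weak(t, a)
            if not all(any((s1, t1) in R for t1 in mt) for s1 in ms):
                return False  # some step of s cannot be matched by t
            if not all(any((s1, t1) in R for s1 in ms) for t1 in mt):
                return False  # some step of t cannot be matched by s
        return True

    while True:
        keep = {(s, t) for (s, t) in R if ok(s, t)}
        if keep == R:
            return (T.init, U.init) in R
        R = keep


# Constructed from the slides (an assumption about the pictures): the nondeterministic
# LTS of the Observable Steps example and a deterministic twin with the same traces.
ND = LTS(0, [(0, "a", 1), (1, TAU, 2), (1, "b", 3), (2, "c", 2), (3, "b", 3)])
D = LTS(0, [(0, "a", 1), (1, "b", 2), (2, "b", 2), (1, "c", 3), (3, "c", 3)])
# SYSTEM@{in,out} with its internal steps as tau, and the minimised SYS = (in -> out -> SYS).
SYSTEM = LTS(0, [(0, "in", 1), (1, TAU, 2), (2, TAU, 3), (3, "out", 4), (4, TAU, 5), (5, TAU, 0)])
SYS = LTS(0, [(0, "in", 1), (1, "out", 0)])

if __name__ == "__main__":
    print("ND: 0 =a=>", ND.weak(0, "a"), " 1 =c=>", ND.weak(1, "c"))
    print("ND vs D: trace equivalent", trace_equivalent(ND, D, 4), "bisimilar", weak_bisimilar(ND, D))
    print("SYSTEM vs SYS: bisimilar", weak_bisimilar(SYSTEM, SYS))
```

Running it shows the second and first FACT side by side: ND and D agree on every trace but are not weakly bisimilar (after a, ND may silently move to a state that refuses b, which D can always match only by a state that still offers b), while SYSTEM and SYS are bisimilar and therefore also trace equivalent.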
Nondeterminism

What happens with our protocol if a Buffer can lose data?
BUFFER = (get -> put -> BUFFER |get -> BUFFER).
[Diagram: the minimised system with states 0 to 4 and transitions in, tau, out, ending in a deadlock state]

LTSA output:
Compiled: SENDER
Compiled: BUFFER
Compiled: RECEIVER
Composition:
SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVER
State Space:
 3 * 2 * 2 * 3 = 36
Composing
potential DEADLOCK
States Composed: 7 Transitions: 8 in 0ms
SYSTEM minimising....
Minimised States: 5 in 60ms
Revision 1

SENDER = (in -> send -> WAIT),
WAIT = (getack -> SENDER |send -> WAIT).
Keep sending until a getack is received.

RECEIVER = (rec -> OUT),
OUT = (out -> ack -> WAIT),
WAIT = (rec -> OUT |ack -> WAIT).
Keep sending acks until a rec is received.
Analysis

This cannot be equivalent to the 2-state Sys process with Sys=(in->out->Sys).
Reason: there is no difference between send actions that are repeated and those related to a new in action.

LTSA output:
Compiled: SENDER
Compiled: BUFFER
Compiled: RECEIVER
Composition:
SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVER
State Space:
 3 * 2 * 2 * 4 = 48
Composing
States Composed: 34 Transitions: 57 in 50ms
SYSTEM minimising.....
Minimised States: 17 in 110ms
Revision 2

Alternating Bit Protocol: send along a bit that is flipped to distinguish old and new data and acknowledgements.

range B = 0..1
SENDER = (in -> SENDING[0]),
SENDING[b:B] = (send[b] -> SENDING[b]
               |getack[1-b] -> SENDING[b]
               |getack[b] -> in -> SENDING[1-b]).
RECEIVER = (rec[0] -> out -> ACKING[0]),
ACKING[b:B] = (ack[b] -> ACKING[b]
              |rec[b] -> ACKING[b]
              |rec[1-b] -> out -> ACKING[1-b]).
BUFFER = (get[b:B] -> put[b] -> BUFFER
         |get[b:B] -> BUFFER).
||MEDIUM = (a:BUFFER || b:BUFFER) /{send/a.get,rec/a.put,ack/b.get,getack/b.put}.
||SYSTEM = (SENDER || MEDIUM || RECEIVER)@{in,out}.
Does It Work?

LTSA output:
Composition:
SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVER
State Space:
 5 * 3 * 3 * 6 = 270
Composing
States Composed: 45 Transitions: 86 in 0ms
[Diagram: the composed SYSTEM with states 0 to 44 and transitions labelled in, tau and out]
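What LTSA does when it prints "Composing" is an explicit-state reachability search over the product of the component state machines, with shared labels synchronised and the labels outside @{in,out} turned into tau. The Python below is an added example, not LTSA's own code: a minimal composer of that kind, applied to the three protocol versions of the preceding slides. For the lossy buffer of the Nondeterminism slide it reproduces LTSA's numbers exactly (7 states, 8 transitions, one deadlock state: the sender waiting for getack while the receiver waits for rec). The Alternating Bit processes are my transcription of the FSP above with the anonymous states after rec[b] merged, so its state count is not expected to match the 45 reported by LTSA; the check there is that no reachable state is a deadlock.

```python
"""Explicit-state composition of FSP-style processes, in the spirit of LTSA.
Added example for this lecture, not LTSA code. A process is a dict
state -> [(action, next_state), ...] whose first key is the initial state."""
from collections import Counter, deque
from itertools import product

TAU = "tau"

# The protocol components of the lecture, written out as state tables.
SENDER = {"S0": [("in", "S1")], "S1": [("send", "S2")], "S2": [("getack", "S0")]}
RECEIVER = {"R0": [("rec", "R1")], "R1": [("out", "R2")], "R2": [("ack", "R0")]}


def buffer(get, put, lossy=False):
    """BUFFER = (get -> put -> BUFFER), already relabelled as MEDIUM does;
    lossy adds the branch (get -> BUFFER) that drops the item."""
    b = {"B0": [(get, "B1")], "B1": [(put, "B0")]}
    if lossy:
        b["B0"].append((get, "B0"))
    return b


def alphabet(p):
    return {a for succs in p.values() for a, _ in succs}


def compose(procs, visible=None):
    """Parallel composition ||: a label shared by several processes synchronises
    them, other labels interleave. visible mimics FSP's @{...}: every other label
    is relabelled to tau. Returns (initial state, reachable transition table)."""
    alphas = [alphabet(p) for p in procs]
    init = tuple(next(iter(p)) for p in procs)
    trans, queue = {init: []}, deque([init])
    while queue:
        st = queue.popleft()
        succ = []
        for a in sorted(set().union(*alphas)):
            choices = []
            for p, al, s in zip(procs, alphas, st):
                if a not in al:
                    choices.append([s])  # not a participant: stays where it is
                    continue
                nxt = [t for b, t in p[s] if b == a]
                if not nxt:  # a participant refuses a: no joint transition
                    break
                choices.append(nxt)
            else:
                label = a if visible is None or a in visible else TAU
                for tgt in product(*choices):  # a lossy buffer offers two moves on get
                    succ.append((label, tgt))
                    if tgt not in trans:
                        trans[tgt] = []
                        queue.append(tgt)
        trans[st] = succ
    return init, trans


def analyse(procs, visible=None):
    """Counts, label histogram and deadlock states, as LTSA reports them."""
    _, trans = compose(procs, visible)
    return {
        "states": len(trans),
        "transitions": sum(len(s) for s in trans.values()),
        "labels": Counter(l for succ in trans.values() for l, _ in succ),
        "deadlocks": [s for s, succ in trans.items() if not succ],
    }


def protocol(lossy=False):
    """SYSTEM = SENDER || MEDIUM || RECEIVER with MEDIUM = a:BUFFER || b:BUFFER."""
    return [SENDER, buffer("send", "rec", lossy), RECEIVER, buffer("ack", "getack", lossy)]


def abp():
    """Revision 2, the Alternating Bit Protocol; send[b] etc. are spelled send.b."""
    sender = {"S0": [("in", "SENDING.0")]}
    receiver = {"R0": [("rec.0", "OUT.0")]}
    for b in (0, 1):
        sender[f"SENDING.{b}"] = [(f"send.{b}", f"SENDING.{b}"),
                                  (f"getack.{1 - b}", f"SENDING.{b}"),
                                  (f"getack.{b}", f"GOTACK.{b}")]
        sender[f"GOTACK.{b}"] = [("in", f"SENDING.{1 - b}")]
        receiver[f"OUT.{b}"] = [("out", f"ACKING.{b}")]
        receiver[f"ACKING.{b}"] = [(f"ack.{b}", f"ACKING.{b}"),
                                   (f"rec.{b}", f"ACKING.{b}"),
                                   (f"rec.{1 - b}", f"OUT.{1 - b}")]

    def lossy_bit_buffer(get, put):
        buf = {"B0": []}
        for b in (0, 1):
            buf["B0"] += [(f"{get}.{b}", f"B.{b}"), (f"{get}.{b}", "B0")]
            buf[f"B.{b}"] = [(f"{put}.{b}", "B0")]
        return buf

    return [sender, lossy_bit_buffer("send", "rec"), receiver, lossy_bit_buffer("ack", "getack")]


if __name__ == "__main__":
    print("perfect medium: ", analyse(protocol(), visible={"in", "out"}))
    print("lossy medium:   ", analyse(protocol(lossy=True)))
    print("alternating bit:", analyse(abp(), visible={"in", "out"}))
```

With the perfect medium and @{in,out} the composition is the six-state cycle of the Observable Behaviour slide (one in, one out, four tau). With the lossy medium the state tuple ("S2", "B0", "R0", "B0") has no successor: the lost send can never be retransmitted, which is exactly the deadlock LTSA flags. Minimisation (quotient by weak bisimulation, as in the previous example) is what LTSA adds on top of this search.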
Minimization

[Diagram: a two-state LTS with transitions in and out]
The Alternating Bit system (service) is observationally equivalent with a 1-place buffer.
Summary

- Dynamic system behaviour can be modelled by LTS/FSP specifications
- LTS/FSP models can be composed and analysed using the LTSA tool
- LTS/FSP models can be minimized to observationally equivalent behaviours using bisimulations
- Nondeterminism is an essential modelling feature for system behaviours