Formal methods & Tools Ed Brinksma University of Twente, Netherlands ISSTA/Wosp Rome, July 24 th, 2002 Qualitative and Quantitative Analysis of Software.

Slides:

Advertisements

Similar presentations

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Advertisements

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.

Giving a formal meaning to “Specialization” In these note we try to give a formal meaning to specifications, implementations, their comparisons. We define.

1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.

The design process IACT 403 IACT 931 CSCI 324 Human Computer Interface Lecturer:Gene Awyzio Room:3.117 Phone:

© Chinese University, CSE Dept. Software Engineering / Software Engineering Topic 1: Software Engineering: A Preview Your Name: ____________________.

Presented by: Thabet Kacem Spring Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.

1 Towards formal manipulations of scenarios represented by High-level Message Sequence Charts Loïc Hélouet Claude Jard Benoît Caillaud IRISA/PAMPA (INRIA/CNRS/Univ.

May 9, 2008IPA Lentedagen, Rhenen1 Dynamic Fault Tree analysis using Input/Output Interactive Markov Chains Hichem Boudali 1, Pepijn Crouzen 2, and Mariëlle.

Automated Model-Based Testing of Hybrid Systems Michiel van Osch PROSE January 25,

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

Systems Engineering for Automating V&V of Dependable Systems John S. Baras Institute for Systems Research University of Maryland College Park

Model-based Testing of Hybrid Systems Michiel van Osch IPA Spring Days on Testing 19 April – 21 April 2006.

Model checking dynamic states in GROOVE Arend Rensink Formal Methods and Tools University of Twente.

1 Jan Tretmans Embedded Systems Institute Eindhoven Radboud University Nijmegen Model-Based Testing.

1 A Framework for Measurement Valérie Paulus, Miguel Lopez, Gregory Seront, Simon Alexandre.

Analysis Stage (Phase I) The goal: understanding the customer's requirements for a software system. n involves technical staff working with customers n.

1 Jan Tretmans University of Nijmegen © Jan Tretmans University of Nijmegen Model Based Testing Property Checking for Real.

1 IFM 2005 – November 30, 2005 EXP.OPEN 2.0 A flexible tool integrating partial order, compositional, and on-the-fly verification methods Frédéric Lang.

1 Jan Tretmans Radboud University Nijmegen (NL) © Jan Tretmans Radboud University Nijmegen together with: University of Twente Enschede.

1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

Describing Syntax and Semantics

Formal verification Marco A. Peña Universitat Politècnica de Catalunya.

MCA –Software Engineering Kantipur City College. Topics include  Formal Methods Concept  Formal Specification Language Test plan creation Test-case.

Introduction to Software Design Chapter 1. Chapter 1: Introduction to Software Design2 Chapter Objectives To become familiar with the software challenge.

Software Testing Verification and validation planning Software inspections Software Inspection vs. Testing Automated static analysis Cleanroom software.

1 Jan Tretmans Embedded Systems Institute Eindhoven, NL Radboud University Nijmegen, NL Model-Based Testing with Labelled Transition.

Teaching Teaching Discrete Mathematics and Algorithms & Data Structures Online G.MirkowskaPJIIT.

Requirements Expression and Modelling

-Nikhil Bhatia 28 th October What is RUP? Central Elements of RUP Project Lifecycle Phases Six Engineering Disciplines Three Supporting Disciplines.

Chapter 8 Architecture Analysis. 8 – Architecture Analysis 8.1 Analysis Techniques 8.2 Quantitative Analysis  Performance Views  Performance.

Design Science Method By Temtim Assefa.

1 Chapter 9 Database Design. 2 2 In this chapter, you will learn: That successful database design must reflect the information system of which the database.

Process Algebra (2IF45) Probabilistic Branching Bisimulation: Exercises Dr. Suzana Andova.

Testing with Formal Methods Ed Brinksma course 2004 A Formal Framework.

SOFTWARE DESIGN.

Overview of Formal Methods. Topics Introduction and terminology FM and Software Engineering Applications of FM Propositional and Predicate Logic Program.

SDS Foil no 1 Process Algebra Process Algebra – calculating with behaviours.

Decision Making.

Framework for the Development and Testing of Dependable and Safety-Critical Systems IKTA 065/ Supported by the Information and Communication.

Modeling and simulation of systems Model building Slovak University of Technology Faculty of Material Science and Technology in Trnava.

Model Based Testing Group 7  Nishanth Chandradas ( )  George Stavrinides ( )  Jeyhan Hizli ( )  Talvinder Judge ( )  Saajan.

Reactive systems – general

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 1 CCS: Operational Semantics And Process Algebra Mads Dam Reading: Peled 8.3, 8.4, 8.6 – rest of ch. 8.

The roots of innovation Future and Emerging Technologies (FET) Future and Emerging Technologies (FET) The roots of innovation Proactive initiative on:

ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 22 Slide 1 Software Verification, Validation and Testing.

Conformance Test Suites, Extensionally Arend Rensink University of Twente Dutch Workshop on Formal Testing Techniques University of Twente 13 September.

UHD::3320::CH121 DESIGN PHASE Chapter 12. UHD::3320::CH122 Design Phase Two Aspects –Actions which operate on data –Data on which actions operate Two.

Lyra – A service-oriented and component-based method for the development of communicating systems (by Sari Leppänen, Nokia/NRC) Traditionally, the design,

Natallia Kokash (Accepted for PACO’2011) ACG, 31/05/ Input-output conformance testing for channel-based connectors 1.

FDT Foil no 1 On Methodology from Domain to System Descriptions by Rolv Bræk NTNU Workshop on Philosophy and Applicablitiy of Formal Languages Geneve 15.

Software Engineering - Abdul Majeed. What is software? Definition of Software Engineering Software Process Generic view of Software Engineering Software.

Software Design Process

Ed Brinksma Course 2004 TorX : A Test Generation Tool.

HACNet Simulation-based Validation of Security Protocols Vinay Venkataraghavan Advisors: S.Nair, P.-M. Seidel HACNet Lab Computer Science and Engineering.

LSR Test purposes: adapting the notion of specification to testing Yves Ledru, L. du Bousquet, P. Bontron, O. Maury, C. Oriat, M.-L. Potet LSR/IMAG Grenoble,

International Telecommunication Union © ITU-T Study Group 17 Integrated Application of SDL Amardeo Sarma NEC Europe Ltd.

Test Generation for Input/Output Transition Systems Ed Brinksma Course 2004.

Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.

Copyright 1999 G.v. Bochmann ELG 7186C ch.1 1 Course Notes ELG 7186C Formal Methods for the Development of Real-Time System Applications Gregor v. Bochmann.

Sub-fields of computer science. Sub-fields of computer science.

Formal Methods for Software Engineering

Chapter3:Software Processes

OPERATING SYSTEMS CS 3502 Fall 2017

PREPARED BY G.VIJAYA KUMAR ASST.PROFESSOR

Software Design Methodology

Presentation transcript:

Formal methods & Tools Ed Brinksma University of Twente, Netherlands ISSTA/Wosp Rome, July 24 th, 2002 Qualitative and Quantitative Analysis of Software Systems: a Model-based View on Integrated Analysis

July 24, 2002ISSTA/Wosp, Rome2 MOTIVATION Can the qualitative and quantitative aspects of reactive systems be modelled and analysed within one compositional framework? Central Issue  increasing importance of quantitative behaviour  need for integrated design disciplines  cross-fertilization  theory of approximate correctness

July 24, 2002ISSTA/Wosp, Rome3 Contents  Analysis, validation, and modelling  Design, composition, and algebra  Model-based test generation  Integrated performance analysis  Conclusions & perspective

July 24, 2002ISSTA/Wosp, Rome4 Modelling  science vs. engineering  software programs as models  models of software systems  the role of experimentation

July 24, 2002ISSTA/Wosp, Rome5 The Empirical Cycle Formal world Physical world induction validation phenomenon experiment model analyse

July 24, 2002ISSTA/Wosp, Rome6 Methodology of Science  a normative procedure: when is a theory is acceptable?  models are refined by iteration  models play a descriptive role (Vienna Circle: Carnap et al.)

July 24, 2002ISSTA/Wosp, Rome7 Engineering  models (specs) are prescriptive  deals with artefacts

July 24, 2002ISSTA/Wosp, Rome8 The Design Cycle Formal world Physical world realization validation artefact experiment model analyse

July 24, 2002ISSTA/Wosp, Rome9 Methodology of Engineering  design cycle is  design cycle is normative, a posteriori is refined by  artefact is refined by iteration employ theory of  can employ theory of underlying cycles empirical cycles

July 24, 2002ISSTA/Wosp, Rome10 The formal nature of software Formal world Physical world implementation validation behaviour programspecification compilation verification

July 24, 2002ISSTA/Wosp, Rome11 Programming as mathematics  programs are formal models of their realizations.  program derivation and verification are mathematical activities, subject to proofs  validation can be achieved through reliable compilation/interpretation (Dijkstra, Hoare et al.)

July 24, 2002ISSTA/Wosp, Rome12 Limits of the Mathematical Paradigm Formal world Physical world implementation validation physical system software system specification realization verification incomplete combinatorial explosion large & incomplete unreliable

July 24, 2002ISSTA/Wosp, Rome13 System Modelling Formal world Physical world physical system software system specification system model verificationvalidation specification fragment validation

July 24, 2002ISSTA/Wosp, Rome14 System Modelling  Abstract models of software  Interpolation specs and programs  Basis for verification  Basis for validation like traditional engineering models

July 24, 2002ISSTA/Wosp, Rome15 System Model Validation  Top-down: specification refinement  Bottom-up: implementation abstraction  Formally: by proof or by construction  Empirically: by experimentation

July 24, 2002ISSTA/Wosp, Rome16 Empirical Validation Formal world Non-formal world validation system description query system model analyse induction system design physical system experimentation & modification

July 24, 2002ISSTA/Wosp, Rome17 Contents  Analysis, validation, and modelling  Design, composition, and algebra  Model-based test generation  Integrated performance analysis  Conclusions & perspective

July 24, 2002ISSTA/Wosp, Rome18 Design and Complexity  Divide and conquer: distribute functionality  Hierarchical design: different abstraction levels Modelling formalism must support compositionality and abstraction

July 24, 2002ISSTA/Wosp, Rome19 Navigating the Design Graph Abstraction level Alternatives Modelling formalism must support model transformation

July 24, 2002ISSTA/Wosp, Rome20 Process Algebra  abstract process modelling  compositionality  abstraction  transformation laws  operational interpretation

July 24, 2002ISSTA/Wosp, Rome21 Basic Process Algebraic Operators  inaction: 0  action-prefix: a.B, .B  choice: B + C,  I B i  composition: B || A C  hiding: B \ A  definition: p = def B  application: p

July 24, 2002ISSTA/Wosp, Rome22 mid |[mid]| hide mid in || {mid} A very basic example  A simple one place buffer Buf = def in. out. Buf  Two instances of this buffer outin Buf[out/mid] Buf[in/mid] Buf out in midout in out  Buf in Buf out

July 24, 2002ISSTA/Wosp, Rome23 A very basic example II  A two place buffer Buf2 = def in.Half Half = def in.Full + out.Buf2 Full = def out.Half out in Buf2 out in

July 24, 2002ISSTA/Wosp, Rome24 Equivalence two place Two ways to represent a two place buffer: out in  by enumerating the detailled behaviour Buf2 out in out in out  mid Buf in Buf out  by coupling two one place buffers equivalences examples for the need to study equivalences

July 24, 2002ISSTA/Wosp, Rome25 Equivalence Process algebraic equivalences are based on different answers to the question: What is an observable part of the behaviour of a process ?  Various notions have been studied (see [van Glabbeek])  trace equivalences  testing equivalences  bisimulation equivalences

July 24, 2002ISSTA/Wosp, Rome26 Algebraic Laws Equivalences (congruences) induce algebraic laws + = + B + C = C + B (+ ) + = + (+ ) (B + C) + D = B + (C + D) + 0 = B + 0 = B + = B + B = B || A = || A B || A C = C || A B (|| A ) || A = || A (|| A ) (B || A C) || A D = B || A (C || A D)

July 24, 2002ISSTA/Wosp, Rome27 Expansion Laws Parallelism can be removed step by step:  Let B =  k a k. B k and C =  l c l. C l B || A C =  {a k. (B k || A C ) | a k  A } +  {c l. (B || A C l ) | c l  A } +  {d. (B k || A C l ) | d = a k =c l  A } Example: a. 0 ||  c. 0 = a. c. 0 + c. a. 0 a c a c

July 24, 2002ISSTA/Wosp, Rome28 Expansion Laws  move between abstraction levels  (de)compose functionality  stepwise simulation These laws are crucial for the success of process algebraic modelling

July 24, 2002ISSTA/Wosp, Rome29 Contents  Analysis, validation, and modelling  Design, composition, and algebra  Model-based test generation  Integrated performance analysis  Conclusions & perspective

July 24, 2002ISSTA/Wosp, Rome30 Testing With Formal Methods Advantages formal approach:  algorithmic generation of sound tests  formal validation of tests tests specification implementation test generator test executor verdict (pass/fail) implements formal modelcorrectness relation

July 24, 2002ISSTA/Wosp, Rome31 Correctness Relations synchronous communication :  testing preorder (De Nicola & Hennessy, 1984)  conformance preorder (Brinksma 1987)  refusal testing (Phillips 1987, Langerak 1990) asynchronous communication :  queue-based testing (Brinksma & Tretmans 1992)  I/O-based testing (Phalippou,Tretmans,Segala 1993)  repetitive quiescence (Tretmans 1996)  multiple I/O (Heerink & Tretmans 1997)

July 24, 2002ISSTA/Wosp, Rome32 formal model: IUT ( || Env)/A Asynchronous Test Contexts implementation under test test engine test environment interaction input output  operating system  test method  communication buffers compositionality

July 24, 2002ISSTA/Wosp, Rome33 Formal Correctness I ioco S = def   Straces(s): out(I after  )  out(S after  ) ? x (x >= 0) !  x ? x (x < 0) ! -  x S ioco Example: equation solver for y 2 =x ? x (x >= 0) !  x ? x (x < 0) ? x I Intuition : I ioco-conforms to S iff 1.if I produces output x after trace , then S can produce x after  2.if I cannot produce any output after trace , then S cannot produce any output after  (quiescence)

July 24, 2002ISSTA/Wosp, Rome34 Nondeterministic algorithm Generate a test case t(S) from a transition system model with S a set of states (initially S = {s 0 }) Formal Test Generation 1. end test case PASS Apply the following steps recursively, nondeterministically 2. supply input supply ?a t(S after ?a)t(S after !x 1 ) 3. observe output FAIL t(S after !x 2 ) FAIL allowed outputs forbidden outputs !y1!y1 !x1!x1 !x2!x2 !x3!x3 t(S after !x 3 ) !y2!y2

July 24, 2002ISSTA/Wosp, Rome35 Test Generation Example Equation solver for y 2 =x Test ! 9 ! 4 ? -2 ? 2 PASS otherwise FAIL ? -3 PASS otherwise ? 3 FAIL Model ? x (x >= 0) !  x ? x (x < 0) ! -  x Note: to cope with non deterministic behaviour, tests are not linear traces, but trees

July 24, 2002ISSTA/Wosp, Rome36 Exhaustiveness for each ioco-incorrect implementation a test can be generated that detects it I ioco S implies  T such that I fails T Validity of Test Generation For every set of tests T generated with the algorithm: Soundness generated test will never fail with ioco-correct implementation I ioco S implies I passes T

July 24, 2002ISSTA/Wosp, Rome37 Test Generation Tools for ioco  TVEDA (CNET - France Telecom)  derives TTCN tests from SDL specification  developed from practical experiences  TGV (IRISA - Rennes)  derives tests in TTCN from LOTOS or SDL  uses test purposes  TorX (Côte de Resyste)  on-the-fly test generation and execution  uses LOTOS and Promela

July 24, 2002ISSTA/Wosp, Rome38 on the fly batch test generation TTCN batch test execution TTCN TorX Tool Architecture explorerprimerdriveradapterIUT bits bytes states transitions abstract actions transition concentrate on on-the-fly testing Expansion laws

July 24, 2002ISSTA/Wosp, Rome39 TorX Application Highway Tolling System

July 24, 2002ISSTA/Wosp, Rome40 Results  Test results : Errors found during model validation (design error) and during testing (coding error)  Automated testing :  beneficial: high volume and reliability  very flexible: adaptation and many configurations  Real-time :  How to cope with real time constraints ?  Efficient computation for on-the-fly testing ?  Lack of theory: quiescence vs. time-out

July 24, 2002ISSTA/Wosp, Rome41 Contents  Analysis, validation, and modelling  Design, composition, and algebra  Model-based test generation  Integrated performance analysis  Conclusions & perspective

July 24, 2002ISSTA/Wosp, Rome42 Markovian Process Algebra basic idea:  incorporate delays that follow exponential distributions into process algebra  MEMORYLESS Two distinct approaches:  associate delays to actions TIPP, PEPA, EMPA,...  introduce delays as orthogonal entities IMC (also MLOTOS)

July 24, 2002ISSTA/Wosp, Rome43  inaction: 0  prefix: a. B, . B  choice: B + C or  I B i  composition: B || A C  hiding: B \ A or hide A in B  definition: p = def B  application: p Interactive Markov Chains ( ). B,  inaction: 0  prefix: a. B, . B  choice: B + C or  I B i  composition: B || A C  hiding: B \ A or hide A in B  definition: p = def B  application: p supports phase type distributions  

July 24, 2002ISSTA/Wosp, Rome44 Algebraic Laws for IMC These are the algebraic laws for strong Markovian bisimulation, a straightforward combination of strong bisimulation and lumpability.  + = +  B + C = C + B  (+ ) + = + (+ )  (B + C) + D = B + (C + D)  + 0 =  B + 0 = B  + =  a. B + a. B = a. B  + = +  ( ). B + (  ). B = ( +  ). B

July 24, 2002ISSTA/Wosp, Rome45 Interleaving Law The interleaving law holds for IMC : ( ). B ||  (  ). C = ( ). (  ). (B ||  C) + (  ). ( ). (B ||  C) Example :   This does not hold for general distributions!

46 hide enter,serve in CUSTOMER |[enter]| QUEUE(0) |[serve]| SERVER  arriving customers  queue  service clerk Queuing Systems in IMC CUSTOMER = def ( ). enter. CUSTOMER QUEUE(i) = def [i enter. QUEUE(i+1) [i>0]-> serve. QUEUE(i-1) SERVER = def serve. (  ). SERVER        

47 hide enter,serve in CUSTOMER |[enter]| QUEUE(0) |[serve]| SERVER Queuing Systems in IMC          ?

48 hide enter,serve in CUSTOMER |[enter]| QUEUE(0) |[serve]| SERVER Queuing Systems in IMC          weak Markovian bisimulation        

July 24, 2002ISSTA/Wosp, Rome49 A telephony system  Original specification developed by P. Ernberg (SICS), further studied in the French/Canadian Eucalyptus project: more than 1500 lines of LOTOS.  Extensively verified using state-of-the-art techniques  model checking  equivalence checking         

July 24, 2002ISSTA/Wosp, Rome50 Performance analysis of the telephony system  Takes the original specification without changes.  Stochastic delays are incorporated  in a compositional way, i.e. as additional constraints imposed on the specification.  exponential, Erlang and phase-type distributions.  Weak bisimulation is used to factor out nondeterminism.  State space > 10 7 leads to a Markov Chain of 720 states with a highly irregular structure.          using a dedicated operator, time constraints

51  A particular phone:  The time it takes to pick up the phone:  The phone with time constraints:  Time constraints ringT_on pick_phone ringT_off      on ringT_on delay pick_phone in by ringT_off   ringT_on pick_phone ringT_off    

July 24, 2002ISSTA/Wosp, Rome52 Analysis results  14 different time constraints incorporated.  Compositional minimisation to avoid state space explosion.  Here: two subscribers phoning each other.

July 24, 2002ISSTA/Wosp, Rome53 Tools used  CAESAR/ALDEBARAN  original specification,  first minimisation steps.  TIPPtool  time constraints,  final minimisations,  numerical analysis.

July 24, 2002ISSTA/Wosp, Rome54 Contents  Analysis, validation, and modelling  Design, composition, and algebra  Model-based test generation  Integrated performance analysis  Conclusions & perspective

July 24, 2002ISSTA/Wosp, Rome55 Conclusions  software engineering & analysis need modelling, like in traditional engineering  modelling formalisms must support composition, abstraction & transformation  process algebra provides theoretical framework & tool support (expansion laws)  integrated quantitative & qualitative modelling & analysis by embedding models in specialized contexts (extending theory where needed)

July 24, 2002ISSTA/Wosp, Rome56 otherperformance Analytic Contexts testing model

July 24, 2002ISSTA/Wosp, Rome57 Perspectives  Extending specialized contexts  Existing: testing, soft & hard real-time  Future: dependability, security  Extending scope of analysis techniques  Model checking CTMCs (ETMCC tool)  Non-Markovian analysis  Hard real-time testing (STRESS = TorX + Uppaal)  Soft real-time testing  Integrated modelling and tool support  MoDest language and tools project