May 2003 1 University of Glasgow Generalising Feature Interactions in Email Muffy Calder, Alice Miller Dept. of Computing Science University of Glasgow.

Slides:

Advertisements

Similar presentations

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

Advertisements

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

UPPAAL Introduction Chien-Liang Chen.

Remote Procedure Call (RPC)

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Interface Automata 29-September Modeling Temporal Behavior of Component Component behaves with Environment Traditional (pessimistic) approach –

1 Complexity of Network Synchronization Raeda Naamnieh.

Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.

Architecture-driven Modeling and Analysis By David Garlan and Bradley Schmerl Presented by Charita Feldman.

28/6/05 ICFI05 1 A generic approach for the automatic verification of featured, parameterised systems Alice Miller and Muffy Calder University of Glasgow.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

Review of the automata-theoretic approach to model-checking.

1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

More on RDT Robert John Walters. RDT – a reprise A Graphically based formal modelling language Models represented as diagrams (not text) Communications.

Automating Checking of Models Built Using a Graphically Based Formal Language Robert John Walters.

Evaluating a Formal Methods Technique via Student Assessed Exercises Alastair Donaldson, Alice Miller University of Glasgow.

CS 290C: Formal Models for Web Software Lecture 4: Model Checking Navigation Models with Spin Instructor: Tevfik Bultan.

Abstract Verification is traditionally done by determining the truth of a temporal formula (the specification) with respect to a timed transition system.

Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.

Service Broker Lesson 11. Skills Matrix Service Broker Service Broker, provides a solution to common problems with message delivery and consistency that.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 18 Slide 1 Software Reuse 2.

Cheng/Dillon-Software Engineering: Formal Methods Model Checking.

University of Kansas Electrical Engineering Computer Science Jerry James and Douglas Niehaus Information and Telecommunication Technology Center Electrical.

Erlang/QuickCheck Thomas Arts, IT University John Hughes, Chalmers University Gothenburg.

Correctness requirements. Basic Types of Claims Basic assertions End-state labels Progress-state labels Accept-state labels Never claims Trace assertions.

Scientific Computing By: Fatima Hallak To: Dr. Guy Tel-Zur.

Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 15 More Advanced Program Properties: Temporal logic and jSpin John Gurd,

Advanced Computer Networks Topic 2: Characterization of Distributed Systems.

A Case Study in Using ACL2 for Feature-Oriented Verification Kathi Fisler and Brian Roberts WPI Computer Science.

1 CSEP590 – Model Checking and Automated Verification Lecture outline for August 6, 2003.

Temporal Logic Model-checking with SPIN

Modelling Reactive Systems 4 Professor Muffy Calder Dept. of Computing Science University of Glasgow

Several sets of slides by Prof. Jennifer Welch will be used in this course. The slides are mostly identical to her slides, with some minor changes. Set.

AMQP, Message Broker Babu Ram Dawadi. overview Why MOM architecture? Messaging broker like RabbitMQ in brief RabbitMQ AMQP – What is it ?

Formal Specification: a Roadmap Axel van Lamsweerde published on ICSE (International Conference on Software Engineering) Jing Ai 10/28/2003.

Lecture 4 Mechanisms & Kernel for NOSs. Mechanisms for Network Operating Systems  Network operating systems provide three basic mechanisms that support.

Lecture 4 Introduction to Promela. Promela and Spin Promela - process meta language G. Holzmann, Bell Labs (Lucent) C-like language + concurrency dyamic.

On Implementing High Level Concurrency in Java G Stewart von Itzstein Mark Jasiunas University of South Australia.

Formal Verification. Background Information Formal verification methods based on theorem proving techniques and modelchecking –To prove the absence of.

1 Temporal logic. 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously.

Model Checking Lecture 1. Model checking, narrowly interpreted: Decision procedures for checking if a given Kripke structure is a model for a given formula.

Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.

From Natural Language to LTL: Difficulties Capturing Natural Language Specification in Formal Languages for Automatic Analysis Elsa L Gunter NJIT.

Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.

Channels. Models for Communications Synchronous communications – E.g. Telephone call Asynchronous communications – E.g. .

Gokul Kishan CS8 1 Inter-Process Communication (IPC)

6/12/20161 a.a.2015/2016 Prof. Anna Labella Formal Methods in software development.

1 8.4 Extensions to the Basic TM Extended TM’s to be studied: Multitape Turing machine Nondeterministic Turing machine The above extensions make no increase.

Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,

Verification of Data-Dependent Properties of MPI-Based Parallel Scientific Software Anastasia Mironova.

Formal verification in SPIN

Model Checking for an Executable Subset of UML

An explicit state model checker

Formal Methods in software development

COMP60621 Designing for Parallelism

CSE 503 – Software Engineering

Presentation transcript:

May University of Glasgow Generalising Feature Interactions in Muffy Calder, Alice Miller Dept. of Computing Science University of Glasgow

May Motivation property based approach to feature interaction analysis interaction analysis should  be automated  generalise to systems containing any number of components based on Hall’s model from FIW’00

May system Client server architecture basic + features at client or server encrypt -- key of intended recipient decrypt – key of actual recipient filter – msgs from address forward –msgs to address autorespond –to first incoming msgs

May system initial send mail specify recipient specify msg process msg specify sender deliver mail process msg client process specify recipient specify msg mailer process send msg

May Promela implementation Clients and the Mailer are processes. communication is asynchronous channels associated with each client and the mailer delivery of mail takes precedence over sending busy waiting tension between atomicity/number of variables/level of abstraction

May Property based approach Example Properties in linear temporal logic: messages are delivered to intended recipients [](p||q) where p = (last_del_to i _to = i) q = (last_del_to i _to = M) messages are forwarded, client i has forwarding to client j  <>(¬(p||q) where p = (last_del_to j _to = M) q = (last_del_to j _to = j) (i.e. client j can receive mail not addressed to j) observation variables: last_del_to i _to, last_del_to i _body, last_sent_from i _to

May Property based approach Feature interaction analysis based on: for example: f 0 || System |=  but f 0 || f 1 || System |=  Client 0 || Client 1 || Client 2 || Client 3 || Mailer |=  but Client’ 0 || Client 1 || Client 2 || Client 3 || Mailer |= 

May Reasoning Use model-checker (SPIN) for reasoning Results take the form M(p 0 || p 1 || p 2 || p 3 || mailer) |=  (0,1,…,t) where –p 0 … p 3 are instances of a parameterised process p - p 0 … p 3 are not, in general, isomorphic  is temporal logic formula containing free variables indexed by 0,1,…,t 0<t<3 -M(….) is the model (Kripke structure) of the concurrent processes

May model checking proctype A() proctype B() {x=1;y=2} {x=3} program: byte x,y; init {run A(); run B()} init x==3 y==? x==1 y==2 init x==1 y==? init x==1 y==? x==3 y==? x==1 y==2 x==3 y==? x==1 y==? x==1 y==2 x==3 y==2 A program/system is the asynchronous interleaving product of the automata. Reason about satisfaction of LTL formula by considering synchronous product of system with never claim.

May overall approach property Promela code LTL “client i has filter from client j ” [](¬(last_del_to i _from==j) Answer: 0 errors or counter-example Answer: 0 errors or counter-example SPIN Mailer and client basic behaviour 9 features parameters Configuration of features mailer client

May automation pair of features set of feature params property set of property params model model-checking runs up to 5 client processes required for this feature set 111 feasible parameter sets, after symmetry reduction via perl scripts

May interactions the usual! both single user and multiple user multiple user agree with Hall results The interesting question is.. do results scale? do they hold for 7 processes, 8 processes, … ? for every problem, we eventually run out of memory (or patience) –usually around 6 processes

May Generalisation What we really want is to show is  n. M(p 0 || p 1 || p 2 || … || p n-1 || mailer) |=  (0,1,…,t) Not possible with model checking Undecidable (Apt + Kozen, 1986) Induction is very hard Is abstraction possible?

May Abstraction What do we mean by abstraction? - not an abstraction of one system, but of a family of systems –Choose appropriate constant m such that t<m-1 p 0, p 1.. p m-1 are concrete p m, p m+1.. p n-1 are abstract –Represent the most general, observable behaviour of the abstract processes p m || p m+1 ||… || p n-1 by a process Abs -Modify the interaction between concrete and abstract processes, i.e. modify the concrete processes. All processes should be generated automatically from p.

May concrete abstract processes process p m … p n-1 p 0 p 1 p 2 … p m-1 Abstract approach Observable communication represented by Communication amongst m-1 as before Communication represented by virtual channel Abs

May Abstract approach: concrete abstract clients client client m … client n-1 client 0 client 1 … client m-1 mailer Abs Only “read” behaviour from Abs. (Choice rather than actual read) mailer “writes” to Abs if not blocked. (Choice). Not strictly a conservative extension. Abs can send mail if there is mail to to be delivered. Does not affect functional behaviour.

May Results Checking done with perl scripts. No new interactions (not surprising, given feature set). Complexity lies between that of m and m+1 (concrete) clients. m depends on feature parameters and property parameters (essentially union).

May Soundness The p m, p m+1, …,p n-1 need not be isomorphic, or even observationally equivalent, but we make some assumptions  about both concrete and abstract processes: 1.All interaction is through communication channels. 2.All processes are open symmetric – behave the same with respect to isomorphic processes - no integer literals or constants in boolean conditions g?x; x==9 => goto label NO g?x; x==var i => goto label YES

May Theorem M(client 0 || client 1 || … || client m-1 || mailer’ || Abs) |=  (0,1,…,t) =>  n. M(client 0 || client 1 || … || p n-1 || mailer) |=  (0,1,…,t). Proof Show simulation. Depends on way we construct Abs and mailer’: consider how to match - concrete process reads from abstract channel - concrete process write to abstract channel … - abstract process reads from concrete channel - abstract process writes to abstract channel

May Conclusions property based approach to interaction analysis automated using perl scripts – to tailor model and generate runs. abstraction to generalise results about infinite families of communicating processes processes are not isomorphic. generation of abstract model is straightforward implemented in perl scripts lower bound for m for this feature set abstraction approach is tractable. further work – is the abstraction approach constructing an invariant?