Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hongyu Zhang, Jeremy S. Bradbury, James R. Cordy, Juergen Dingel

Published byKenneth Stevenson Modified over 5 years ago

Similar presentations

Presentation on theme: "Hongyu Zhang, Jeremy S. Bradbury, James R. Cordy, Juergen Dingel"— Presentation transcript:

1 Hongyu Zhang, Jeremy S. Bradbury, James R. Cordy, Juergen Dingel
Implementation and Verification of Implicit Invocation Systems Using Source Transformation Hongyu Zhang, Jeremy S. Bradbury, James R. Cordy, Juergen Dingel Software Technology Laboratory School of Computing, Queen’s University Kingston, Ontario, Canada SCAM 2005 SUPPORTED BY

2 Verification and Validation
Testing and model checking Certification gap: Testing uses execution artifacts (code) directly Model checking uses separate, hand-constructed models and properties Bridged by hand: Either code-to-model or model-to-code Disjoint, error prone With the growing size and complexity of software systems, software verification and validation (V&V) is becoming increasingly important. Testing and model checking belong to the two categories of software V&V: testing/ inspection and formal methods. While testing focuses on the actual behavior of the program, model checking focuses on the mathematical model. In fact, there is often a large semantic gap between the software developer artifacts that are tested and the artifacts that are SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

3 Implicit Invocation Implicit invocation (II) systems
Concurrent, loosely coupled components Communicate using events (external / internal) Increasingly popular for service integration (web) Particularly difficult to certify Prone to deadlock, race conditions, etc. Good candidate for comparing, contrasting and unifying testing and model checking With the growing size and complexity of software systems, software verification and validation (V&V) is becoming increasingly important. Testing and model checking belong to the two categories of software V&V: testing/ inspection and formal methods. While testing focuses on the actual behavior of the program, model checking focuses on the mathematical model. In fact, there is often a large semantic gap between the software developer artifacts that are tested and the artifacts that are SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

4 Our Approach: IIL Custom language and system for uniform testing and model checking of II systems Custom implicit invocation language - IIL Clear, transparent expression of paradigm including verification constraints Executable for testing, automatic modelling for verification of constraints Implementation of both execution and modelling using formal source transformations To alleviate the semantic artifact gap, II systems feature a lot of non-determinism due to concurrent execution of components. This high degree of non-determinism makes II systems challenging to test and model check. Additionally, II has become increasingly popular as an integration mechanism for loosely coupled components. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

5 II Language (IIL) Special features in II language: Event declarations. Component declarations. Announce statements. Dispatcher declaration. Event-method bindings. Property declarations. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

6 II Language (IIL) Event Declarations
Special features in II language: Event declarations. Component declarations. Announce statements. Dispatcher declaration. Event-method bindings. Property declarations. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

7 Component Declarations
II Language (IIL) Component Declarations Special features in II language: Event declarations. Component declarations. Announce statements. Dispatcher declaration. Event-method bindings. Property declarations. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

8 II Language (IIL) Announce Statements
Special features in II language: Event declarations. Component declarations. Announce statements. Dispatcher declaration. Event-method bindings. Property declarations. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

9 Dispatcher Declaration
II Language (IIL) Dispatcher Declaration Special features in II language: Event declarations. Component declarations. Announce statements. Dispatcher declaration. Event-method bindings. Property declarations. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

10 Event-method Declarations
II Language (IIL) Special features in II language: Event declarations. Component declarations. Announce statements. Dispatcher declaration. Event-method bindings. Property declarations. Event-method Declarations SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

11 Property Declarations
II Language (IIL) Special features in II language: Event declarations. Component declarations. Announce statements. Dispatcher declaration. Event-method bindings. Property declarations. Property Declarations SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

12 Implementation of IIL Source transformation framework using TXL
Experiment in both V&V and source transformation Formal, verifiable SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

13 Execution & Testing IIL Programs
Turing Plus Efficiently executable concurrent programming language with random scheduling SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

14 Execution & Testing IIL Programs
Turing Plus concurrent language with random scheduling concurrency simulation Need execution model of IIL (distributed, implicit) in Turing Plus (monolithic, explicit) In our Turing Plus model, we take this approach and use three steps of explicit invocation to implement II (see Figure 4). That is, an explicit method call is used in event announcement, event delivery and bound method invocation. The three main elements of our implementation of II in Turing Plus are: 1. A system event warehouse, a set of queues, is built to receive all the announced events. When components announce an event or an environment event is generated, it will be sent to the system event warehouse. 2. The dispatcher removes the events in the system event warehouse and delivers them. Environment events will be delivered immediately. Local events will be delivered according to the delivery policy. The dispatcher delivers the events in the system event warehouse by calling the bound component to receive the event. 3. Each component has a component event warehouse to receive the events delivered by the dispatcher. The component will invoke the bound method after it receives the delivered events. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

15 Transforming IIL to Turing Plus
Nontrivial local/global, global/local, coupled transformation II to Turing Plus Transformation The transformation is divided into four steps: Component transformation. Dispatcher transformation. System and environment setup. Re-ordering of the system body. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

16 Transforming IIL to Turing Plus
Component Transformation II to Turing Plus Transformation The transformation is divided into four steps: Component transformation. Dispatcher transformation. System and environment setup. Re-ordering of the system body. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

17 Transforming IIL to Turing Plus
Dispatcher Transformation SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

18 Transforming IIL to Turing Plus
System and Environment Setup SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

19 Transforming IIL to Model
We currently check properties written in LTL. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

20 Transforming IIL to XML IL
Two step TXL transformation from IIL to XML intermediate modelling language of Garlan & Khershonsky Step 1: Normalization of IIL to reorder, simplify and reduce semantics to meet constraints of XML intermediate language (in IIL syntax) Step 2: Syntactic translation of normalized simplified IIL to XML intermediate language To model check systems written in IIL we use the existing approach we previously presented in [2]. This approach is an extension of an II model checking system originally developed by Garlan and Khersonsky in [6, 7]. This approach focuses on the automatic analysis of II by representing an II system in an XML parameterized representation. Once the XML input has been created, a Java transformation tool converts the information into a set of finite state machines. This set of state machines can then be checked using the Cadence SMV model checker [14]. We currently check properties written in LTL. A major drawback to our model checking work presented in [2] was that it was not completely automatic since user interaction was required in developing the XML representation. The approach presented in this paper overcomes this deficiency and completely bridges the gap between artifacts by automating the process of generating finite state models for software systems written in IIL. 5.1. Transformation of IIL to XML Originally, due to the verbose nature of XML, IIL started out as a replacement to the XML intermediate language that would be easier to read and write. In addition to improving the syntax, IIL evolved into a special-purpose language that includes notational conveniences such as variable declarations in methods, the use of for loops and the use of switch statements. As with the transformation to Turing Plus, our transformation from IIL to XML is done using an automatic transformation tool written in TXL. The transformation from IIL to XML involves two steps. In the first step the notational conveniences of IIL are removed. For example, for loops are unrolled. The program is also reorganized to follow the program order required by the XML representation. After the first step the IIL program is a statement-by-statement match to the XML representation. The second step of the transformation involves the syntax translation from IIL to XML. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

21 Transforming XML IL to Model
SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

22 Transforming XML IL to Model
Use existing Java automatic transformation tool from XML IL to finite state machine model modified from Garlan & Khershonsky Resulting model then checked using Cadence SMV model checker to verify properties specified in original IIL program To model check systems written in IIL we use the existing approach we previously presented in [2]. This approach is an extension of an II model checking system originally developed by Garlan and Khersonsky in [6, 7]. This approach focuses on the automatic analysis of II by representing an II system in an XML parameterized representation. Once the XML input has been created, a Java transformation tool converts the information into a set of finite state machines. This set of state machines can then be checked using the Cadence SMV model checker [14]. We currently check properties written in LTL. A major drawback to our model checking work presented in [2] was that it was not completely automatic since user interaction was required in developing the XML representation. The approach presented in this paper overcomes this deficiency and completely bridges the gap between artifacts by automating the process of generating finite state models for software systems written in IIL. 5.1. Transformation of IIL to XML Originally, due to the verbose nature of XML, IIL started out as a replacement to the XML intermediate language that would be easier to read and write. In addition to improving the syntax, IIL evolved into a special-purpose language that includes notational conveniences such as variable declarations in methods, the use of for loops and the use of switch statements. As with the transformation to Turing Plus, our transformation from IIL to XML is done using an automatic transformation tool written in TXL. The transformation from IIL to XML involves two steps. In the first step the notational conveniences of IIL are removed. For example, for loops are unrolled. The program is also reorganized to follow the program order required by the XML representation. After the first step the IIL program is a statement-by-statement match to the XML representation. The second step of the transformation involves the syntax translation from IIL to XML. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

23 Experiments Three “guinea pigs”
Set-Counter, a standard toy example II system with sychronization constraints Active Badge Location System (ABLS), an II system for a realistic application with liveness constraints Unmanned Vehicle Control System (UVCS), a realistic simulated II system with safety constraints Turing Plus 3-5 times as big and Our evaluation of each example involved modeling the example in the IIL language and verifying that our transformation tools from IIL to Turing Plus and from IIL to XML worked correctly. Our evaluation of our automatic transformation tools also demonstrated that the semantics was well preserved during all of the transformations. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

24 Results Systems executed and traced over hundreds of random test runs
System properties verified as specified using Cadence SMV Demonstrated errors discovered independently using both testing and model checking Turing Plus 3-5 times as big and Our evaluation of each example involved modeling the example in the IIL language and verifying that our transformation tools from IIL to Turing Plus and from IIL to XML worked correctly. Our evaluation of our automatic transformation tools also demonstrated that the semantics was well preserved during all of the transformations. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

25 Experiences with Source Transformation
Verifiable - formal independent rewrite rules, pure first order functional application Efficient - max 3 seconds per program Effort - where did project time go? Not into source transformation: actual implementation of transformations smaller part of effort Turing Plus 3-5 times as big and Our evaluation of each example involved modeling the example in the IIL language and verifying that our transformation tools from IIL to Turing Plus and from IIL to XML worked correctly. Our evaluation of our automatic transformation tools also demonstrated that the semantics was well preserved during all of the transformations. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

26 Experiences with Source Transformation
Saved: Design and implementation of IIL compiler / interpreter Design and implementation of IIL concurrency kernel and simulation library Design and implementation of IIL modeller Did not save: Design and understanding time for language framework and concurrency model Turing Plus 3-5 times as big and Our evaluation of each example involved modeling the example in the IIL language and verifying that our transformation tools from IIL to Turing Plus and from IIL to XML worked correctly. Our evaluation of our automatic transformation tools also demonstrated that the semantics was well preserved during all of the transformations. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

27 Conclusion Transformational framework for specifying, testing, and model checking II systems IIL language Automatic implementation and modelling by source transformation IIL to Turing Plus for execution and testing IIL to SMV model for model checking Test bed for studying relationship and synergies between testing and model checking Turing Plus 3-5 times as big and Our evaluation of each example involved modeling the example in the IIL language and verifying that our transformation tools from IIL to Turing Plus and from IIL to XML worked correctly. Our evaluation of our automatic transformation tools also demonstrated that the semantics was well preserved during all of the transformations. SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

28 Hongyu Zhang, Jeremy S. Bradbury, James R. Cordy, Juergen Dingel
Implementation and Verification of Implicit Invocation Systems Using Source Transformation Hongyu Zhang, Jeremy S. Bradbury, James R. Cordy, Juergen Dingel Software Technology Laboratory School of Computing, Queen’s University Kingston, Ontario, Canada SCAM 2005 SUPPORTED BY

29 Future Work: Testing vs Model Checking
To what extent can parallel testing be used to increase confidence in model checking results and correctness of the model checker? How can testing be used to simplify or optimize model checking and vice-versa? Can we use similar transformation techniques to automatically derive run-time monitors for temporal safety properties? Can model checking be used to evaluate the coverage offered by the test suite? SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

30 Future Work: Generalization of IIL
IIL currently restricted to a subset of II systems Centralized event dispatcher with static bindings We would like to expand our framework to more general forms of II systems Dynamic bindings, multiple dispatchers, and additional concurrency models What other generalizations are interesting? SCAM 2005, Budapest, Sept 2005 © 2005 J. Bradbury & J.R. Cordy

Download ppt "Hongyu Zhang, Jeremy S. Bradbury, James R. Cordy, Juergen Dingel"

Similar presentations

Jeremy S. Bradbury, James R. Cordy, Juergen Dingel, Michel Wermelinger

Jeremy S. Bradbury, James R. Cordy, Juergen Dingel, Michel Wermelinger
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Reliable Scripting Using Push Logic Push Logic David Greaves, Daniel Gordon University of Cambridge Computer Laboratory Reliable Scripting.

Reliable Scripting Using Push Logic Push Logic David Greaves, Daniel Gordon University of Cambridge Computer Laboratory Reliable Scripting.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
© Chinese University, CSE Dept. Software Engineering / 1 - 1 Software Engineering Topic 1: Software Engineering: A Preview Your Name: ____________________.

© Chinese University, CSE Dept. Software Engineering / Software Engineering Topic 1: Software Engineering: A Preview Your Name: ____________________.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
Presenter: PCLee – 2011.03.02. This paper outlines the MBAC tool for the generation of assertion checkers in hardware. We begin with a high-level presentation.

Presenter: PCLee – This paper outlines the MBAC tool for the generation of assertion checkers in hardware. We begin with a high-level presentation.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:

Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:
© Janice Regan, CMPT 102, Sept. 2006 0 CMPT 102 Introduction to Scientific Computer Programming The software development method algorithms.

© Janice Regan, CMPT 102, Sept CMPT 102 Introduction to Scientific Computer Programming The software development method algorithms.
Discrete-Event Simulation: A First Course Steve Park and Larry Leemis College of William and Mary.

Discrete-Event Simulation: A First Course Steve Park and Larry Leemis College of William and Mary.
Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.

Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Operational Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Operational Semantics.
Introduction and Syntax. Course objectives Discuss features of programming languages. Discuss how the features are implemented in a simple computer architecture.

Introduction and Syntax. Course objectives Discuss features of programming languages. Discuss how the features are implemented in a simple computer architecture.
Describing Syntax and Semantics

Describing Syntax and Semantics
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.

© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
Chapter 10 Application Development. Chapter Goals Describe the application development process and the role of methodologies, models and tools Compare.

Chapter 10 Application Development. Chapter Goals Describe the application development process and the role of methodologies, models and tools Compare.
Software Engineering Tools and Methods Presented by: Mohammad Enamur Rashid(2009-1-96-04) Mohammad Rashim Uddin(2009-1-96-008) Masud Ur Rahman(2009-1-96-009)

Software Engineering Tools and Methods Presented by: Mohammad Enamur Rashid( ) Mohammad Rashim Uddin( ) Masud Ur Rahman( )
What Exactly are the Techniques of Software Verification and Validation www.softwaretestinggenius.com A Storehouse of Vast Knowledge on Software Testing.

What Exactly are the Techniques of Software Verification and Validation A Storehouse of Vast Knowledge on Software Testing.
Basic Concepts The Unified Modeling Language (UML) SYSC 3100 - System Analysis and Design.

Basic Concepts The Unified Modeling Language (UML) SYSC System Analysis and Design.

Similar presentations

Ads by Google