Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Basics and Observables Copyright 2001-2004, Matt Dwyer, John Hatcliff,

Published byAshlie Stokes Modified over 9 years ago

Similar presentations

Presentation on theme: "CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Basics and Observables Copyright 2001-2004, Matt Dwyer, John Hatcliff,"— Presentation transcript:

1 CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Basics and Observables Copyright 2001-2004, Matt Dwyer, John Hatcliff, and Robby. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

2 CIS 842: Spec Basics and Observables 2 Objectives To understand the goals and basic elements of every formal specification formalism To understand the variety in ways that aspects of program behavior can be observed

3 CIS 842: Spec Basics and Observables 3 Outline What is a specification? Why write specifications? What are the building blocks of specs? What kinds of variation is there across specification languages? How can we define the execution behavior of a system that is relevant from the point of view of a specification? What do we want to observe?

4 CIS 842: Spec Basics and Observables 4 What is a Specification? A detailed, exact statement of particulars, especially a statement prescribing materials, dimensions, and quality of work for something to be built, installed, or manufactured. American Heritage Dictionary 2000 needs to be precise describes what is to be done

5 CIS 842: Spec Basics and Observables 5 What is a Formal Specification? A formal specification is the expression, in some formal language and at some level of abstraction, of a collection of properties that some system should satisfy Axel van Lamsweerde, Future of Software Engineering, 2000 formal language => precise properties … system should satisfy is a prescription!

6 CIS 842: Spec Basics and Observables 6 Why Write Specifications? To drive the implementation of a system Rare - usually driven from informal requirements Would require a complete specification - expensive To provide a redundant description of intent so we can check an implementation against something Generate tests Perform rigorous inspections Model check

7 CIS 842: Spec Basics and Observables 7 A Spec for Spec Languages Concise : if the spec is as large and complex as the system, you lose Understandable : spec needs to be right, so you better be able to read it General : want to be able to describe a wide range of system characteristics (here we stick to functionality) Think Different : forces you to express properties differently than solutions

8 CIS 842: Spec Basics and Observables 8 What’s a Good Spec? Consistent : no internal contradictions Unambiguous : has a clear meaning Complete : captures all of the essential aspects of the problem that are described elsewhere Minimal : doesn’t state irrelevant or implementation-specific properties

9 CIS 842: Spec Basics and Observables 9 Essential Parts of a Specification Components of the system that are related to the property (related to abstraction) x Constraints define what is demanded, desired, or restricted of the components x>0 Order describes how, if at all, the constrained- components related to one another if x>0 then after x++, x>0

10 CIS 842: Spec Basics and Observables 10 An Example Think about making a phone call What components of the phone are relevant? What characteristics of those components do we care about? How does the order in which components attain those characteristics influence the making of a phone call?

11 CIS 842: Spec Basics and Observables 11 Variations in Specification Style State-based : a condition or mode of being phone is off the hook call is connected Event-based : something that happens at a given place and time phone is lifted number 3 is dialed

12 CIS 842: Spec Basics and Observables 12 For You To Do Consider the property: Dial 532-6350 to connect to CIS Give a state-based specification Give an event-based specification Don’t forget to mention any implicit parts or constraints that are relevant

13 CIS 842: Spec Basics and Observables 13 States and Events Changes in state are caused by events x==5 x==6 Not all events cause a change in state x==5 x++ x=x+0

14 CIS 842: Spec Basics and Observables 14 Mixed States and Events When the door is open and the key is not in the ignition, the alarm beeps. door==open ignitionKey!=in beep Assigning x to 7 makes x greater than 0. x=7 x>0

15 CIS 842: Spec Basics and Observables 15 Variations in Specification Style Allowable behavior : define what a correctly functioning system is able to do offhook, number 7, connected Violations : define what a correctly functioning system can never do onhook, … anything but offhook …, connected

16 CIS 842: Spec Basics and Observables 16 Observing System Behavior A specification may observe the value of a component an operation applied to a component The language of value comparisons and operations is System description-language dependent, e.g., Java, BIRLite

17 CIS 842: Spec Basics and Observables 17 BIR-lite Observables Currently BIR-lite supports only 2 state observables Global variables any legal boolean-valued BIR expression may be used to define the constraints on a variable that are observed Existential thread program counter Property.existsThread(, ) there exists an instance of the named thread that is about to execute the guarded comment with the given label Need this (in part) because there is no explicit PC variable for a thread

18 CIS 842: Spec Basics and Observables 18 Example : BIR-lite system TwoDiningPhilosophers { extension Property for edu.ksu.cis.projects.bogor.ext.Property { expdef boolean existsThread(string, string); } boolean fork1; boolean fork2; thread Philosopher1() { loc loc0: live {} when !fork1 do { fork1 := true; } goto loc1; loc loc1: live {} when !fork2 do { fork2 := true; } goto loc2; loc loc2: live {} do { fork2 := false; } goto loc3; loc loc3: live {} do { fork1 := false; } goto loc0; } thread Philosopher2() {…} main thread Main() { loc loc0: do { assert(!(Property.existsThread("Philosopher1", "loc1") && !fork1))); } return; }

19 CIS 842: Spec Basics and Observables 19 Example : BIR-lite system TwoDiningPhilosophers { extension Property for edu.ksu.cis.projects.bogor.ext.Property { expdef boolean existsThread(string, string); } boolean fork1; boolean fork2; thread Philosopher1() { loc loc0: live {} when !fork1 do { fork1 := true; } goto loc1; loc loc1: live {} when !fork2 do { fork2 := true; } goto loc2; loc loc2: live {} do { fork2 := false; } goto loc3; loc loc3: live {} do { fork1 := false; } goto loc0; } thread Philosopher2() {…} main thread Main() { loc loc0: do { assert(!(Property.existsThread("Philosopher1", "loc1") && !fork1))); } return; }

20 CIS 842: Spec Basics and Observables 20 Specification Extensions Extensions are useful for implementing systems and for defining specifications extension Property for edu.ksu.cis.projects.bogor.ext.Property { expdef boolean existsThread(string, string); }

21 CIS 842: Spec Basics and Observables 21 Build Your Own Bogor allows one to define new observables ala extensions Property.allThread(, ) Property.noThread(, ) Property.samePlace( ) Not part of BIR-lite, but this gives you access to the entire state representation Can build powerful observables You’ll learn how to do this later

22 CIS 842: Spec Basics and Observables 22 BIR Functions BIR provides constructs for defining recursive functions over BIR variables fun p() returns boolean = Property.existsThread("Philosopher1", "loc1") && !fork1; This allows us to use named observables which aids readability assert(!p())

23 CIS 842: Spec Basics and Observables 23 Java Observables Value of a local variable Scalars References Value of object fields Explicit Implicit : locks Method call Qualified by parameter values

24 CIS 842: Spec Basics and Observables 24 Naming Instances existsThread(…) is used because threads are anonymous i.e., there is no variable that holds their value This is a general problem for heap allocated data 3 … an array … lenval

25 CIS 842: Spec Basics and Observables 25 Naming Instances It’s easy to talk about global references g.len>0  g.val!=null 3 … an array … lenval Global g

26 CIS 842: Spec Basics and Observables 26 Naming Instances How else can we talk about the instances of this class? All/some of the allocated instances All/some of the instances reachable from g All/some of the instances reachable by a reference chain of the form g.f.h … Need a way of defining these for easy use in specifications Use BIR extensions

27 CIS 842: Spec Basics and Observables 27 Naming Yields Independence Several of these notions of naming heap instances are quite abstract The set of instances of C that are reachable from g These make for good specifications since they are independent of implementation details g points to an array g points to the head of a linked list g points to the root of a tree

28 CIS 842: Spec Basics and Observables 28 Observing The Java Heap Shapes Tree, dag Values Ordered leaves of a tree Approximations Reach containment

29 CIS 842: Spec Basics and Observables 29 Assertions Assertions are a composite specification Implicit location constraint Explicit data constraint loc loc7: do { assert(x 3); } // && PC == loc7 goto loc14; }

30 CIS 842: Spec Basics and Observables 30 Invariants Are constraints that should hold in all system states explicit data constraint location constraints via thread location query extensions You’ve seen the assertion-in-a-thread trick Persistently evaluate the assertion thereby enforcing it in every state

31 CIS 842: Spec Basics and Observables 31 Invariants as Bogor Options It is possible to express invariant checks directly in Bogor If you have a boolean function expression that takes no parameters, e.g., fun p() returns boolean = Property.existsThread("Philosopher1", "loc1") && !fork1; Define an option …Isearcher.invariants=p

32 CIS 842: Spec Basics and Observables 32 Using Invariants An invariant is a very strong specification It says that the constraint is true in every system state e.g., the initial state, the final state, … Often times we only want a constraint to be enforced during some region of the system’s execution We can specify this using an implication as an invariant regionSpec  constraintSpec

33 CIS 842: Spec Basics and Observables 33 Examples Coherent variables e.g., head and tail pointers to a buffer e.g., length and array contents Invariants that describe relationships e.g., tail < head e.g., length = # of non-null elements Want to disable their enforcement when the values are being updated e.g., (!add && !take)  tail < head

34 CIS 842: Spec Basics and Observables 34 Summary Specifications are an essential element of rigorous system analysis Observables are boolean expressions that define constraints on component values that are relevant to a specification Specifications, like assertions and invariants, are built up from observables BIR-lite has primitive support for defining observables and writing specifications Bogor’s extension facility allows one to significantly enrich the spec language

Download ppt "CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Basics and Observables Copyright 2001-2004, Matt Dwyer, John Hatcliff,"

Similar presentations

Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Programming Languages and Paradigms

Programming Languages and Paradigms
Data Abstraction II SWE 619 Software Construction Last Modified, Spring 2009 Paul Ammann.

Data Abstraction II SWE 619 Software Construction Last Modified, Spring 2009 Paul Ammann.
LASER From Natural Language Requirements to Rigorous Property Specifications Lori A. Clarke Work done in collaboration with Rachel L. Smith, George S.

LASER From Natural Language Requirements to Rigorous Property Specifications Lori A. Clarke Work done in collaboration with Rachel L. Smith, George S.
(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 1 Symbolic Execution and Proof of Properties.

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 1 Symbolic Execution and Proof of Properties.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
CS 355 – Programming Languages

CS 355 – Programming Languages
OASIS Reference Model for Service Oriented Architecture 1.0

OASIS Reference Model for Service Oriented Architecture 1.0
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.

Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:

Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Chapter 2: Algorithm Discovery and Design

Chapter 2: Algorithm Discovery and Design
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
©Ian Sommerville 2000Software Engineering, 6/e, Chapter 91 Formal Specification l Techniques for the unambiguous specification of software.

©Ian Sommerville 2000Software Engineering, 6/e, Chapter 91 Formal Specification l Techniques for the unambiguous specification of software.
From Module Breakdown to Interface Specifications Completing the architectural design of Map Schematizer.

From Module Breakdown to Interface Specifications Completing the architectural design of Map Schematizer.
Semantics with Applications Mooly Sagiv Schrirber 317 03-640-7606 html://www.cs.tau.ac.il/~msagiv/courses/sem08.html Textbooks:Winskel The.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
© Copyright Eliyahu Brutman Programming Techniques Course.

© Copyright Eliyahu Brutman Programming Techniques Course.
Describing Syntax and Semantics

Describing Syntax and Semantics
Common Mechanisms in UML

Common Mechanisms in UML

Similar presentations

Ads by Google