Presentation is loading. Please wait.

Presentation is loading. Please wait.

May 2003 1 University of Glasgow Generalising Feature Interactions in Email Muffy Calder, Alice Miller Dept. of Computing Science University of Glasgow.

Published byAvis Clarke Modified over 8 years ago

Similar presentations

Presentation on theme: "May 2003 1 University of Glasgow Generalising Feature Interactions in Email Muffy Calder, Alice Miller Dept. of Computing Science University of Glasgow."— Presentation transcript:

1 May 2003 1 University of Glasgow Generalising Feature Interactions in Email Muffy Calder, Alice Miller Dept. of Computing Science University of Glasgow

2 May 2003 2 Motivation property based approach to feature interaction analysis interaction analysis should  be automated  generalise to systems containing any number of components based on Hall’s email model from FIW’00

3 May 2003 3 Email system Client server architecture basic email + features at client or server encrypt -- key of intended recipient decrypt – key of actual recipient filter – msgs from address forward –msgs to address autorespond –to first incoming msgs

4 May 2003 4 Email system initial send mail specify recipient specify msg process msg specify sender deliver mail process msg client process specify recipient specify msg mailer process send msg

5 May 2003 5 Promela implementation Clients and the Mailer are processes. communication is asynchronous channels associated with each client and the mailer delivery of mail takes precedence over sending busy waiting tension between atomicity/number of variables/level of abstraction

6 May 2003 6 Property based approach Example Properties in linear temporal logic: messages are delivered to intended recipients [](p||q) where p = (last_del_to i _to = i) q = (last_del_to i _to = M) messages are forwarded, client i has forwarding to client j  <>(¬(p||q) where p = (last_del_to j _to = M) q = (last_del_to j _to = j) (i.e. client j can receive mail not addressed to j) observation variables: last_del_to i _to, last_del_to i _body, last_sent_from i _to

7 May 2003 7 Property based approach Feature interaction analysis based on: for example: f 0 || System |=  but f 0 || f 1 || System |=  Client 0 || Client 1 || Client 2 || Client 3 || Mailer |=  but Client’ 0 || Client 1 || Client 2 || Client 3 || Mailer |= 

8 May 2003 8 Reasoning Use model-checker (SPIN) for reasoning Results take the form M(p 0 || p 1 || p 2 || p 3 || mailer) |=  (0,1,…,t) where –p 0 … p 3 are instances of a parameterised process p - p 0 … p 3 are not, in general, isomorphic  is temporal logic formula containing free variables indexed by 0,1,…,t 0<t<3 -M(….) is the model (Kripke structure) of the concurrent processes

9 May 2003 9 model checking proctype A() proctype B() {x=1;y=2} {x=3} program: byte x,y; init {run A(); run B()} init x==3 y==? x==1 y==2 init x==1 y==? init x==1 y==? x==3 y==? x==1 y==2 x==3 y==? x==1 y==? x==1 y==2 x==3 y==2 A program/system is the asynchronous interleaving product of the automata. Reason about satisfaction of LTL formula by considering synchronous product of system with never claim.

10 May 2003 10 overall approach property Promela code LTL “client i has filter from client j ” [](¬(last_del_to i _from==j) Answer: 0 errors or counter-example Answer: 0 errors or counter-example SPIN Mailer and client basic behaviour 9 features parameters Configuration of features mailer client

11 May 2003 11 automation pair of features set of feature params property set of property params model model-checking runs up to 5 client processes required for this feature set 111 feasible parameter sets, after symmetry reduction via perl scripts

12 May 2003 12 interactions the usual! both single user and multiple user multiple user agree with Hall results The interesting question is.. do results scale? do they hold for 7 processes, 8 processes, … ? for every problem, we eventually run out of memory (or patience) –usually around 6 processes

13 May 2003 13 Generalisation What we really want is to show is  n. M(p 0 || p 1 || p 2 || … || p n-1 || mailer) |=  (0,1,…,t) Not possible with model checking Undecidable (Apt + Kozen, 1986) Induction is very hard Is abstraction possible?

14 May 2003 14 Abstraction What do we mean by abstraction? - not an abstraction of one system, but of a family of systems –Choose appropriate constant m such that t<m-1 p 0, p 1.. p m-1 are concrete p m, p m+1.. p n-1 are abstract –Represent the most general, observable behaviour of the abstract processes p m || p m+1 ||… || p n-1 by a process Abs -Modify the interaction between concrete and abstract processes, i.e. modify the concrete processes. All processes should be generated automatically from p.

15 May 2003 15 concrete abstract processes process p m … p n-1 p 0 p 1 p 2 … p m-1 Abstract approach Observable communication represented by Communication amongst m-1 as before Communication represented by virtual channel Abs

16 May 2003 16 Abstract approach: email concrete abstract clients client client m … client n-1 client 0 client 1 … client m-1 mailer Abs Only “read” behaviour from Abs. (Choice rather than actual read) mailer “writes” to Abs if not blocked. (Choice). Not strictly a conservative extension. Abs can send mail if there is mail to to be delivered. Does not affect functional behaviour.

17 May 2003 17 Results Checking done with perl scripts. No new interactions (not surprising, given feature set). Complexity lies between that of m and m+1 (concrete) clients. m depends on feature parameters and property parameters (essentially union).

18 May 2003 18 Soundness The p m, p m+1, …,p n-1 need not be isomorphic, or even observationally equivalent, but we make some assumptions  about both concrete and abstract processes: 1.All interaction is through communication channels. 2.All processes are open symmetric – behave the same with respect to isomorphic processes - no integer literals or constants in boolean conditions g?x; x==9 => goto label NO g?x; x==var i => goto label YES

19 May 2003 19 Theorem M(client 0 || client 1 || … || client m-1 || mailer’ || Abs) |=  (0,1,…,t) =>  n. M(client 0 || client 1 || … || p n-1 || mailer) |=  (0,1,…,t). Proof Show simulation. Depends on way we construct Abs and mailer’: consider how to match - concrete process reads from abstract channel - concrete process write to abstract channel … - abstract process reads from concrete channel - abstract process writes to abstract channel

20 May 2003 20 Conclusions property based approach to interaction analysis automated using perl scripts – to tailor model and generate runs. abstraction to generalise results about infinite families of communicating processes processes are not isomorphic. generation of abstract model is straightforward implemented in perl scripts lower bound for m for this feature set abstraction approach is tractable. further work – is the abstraction approach constructing an invariant?

Download ppt "May 2003 1 University of Glasgow Generalising Feature Interactions in Email Muffy Calder, Alice Miller Dept. of Computing Science University of Glasgow."

Similar presentations

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Remote Procedure Call (RPC)

Remote Procedure Call (RPC)
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.

Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo Sawai.

The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
Interface Automata 29-September-2011. Modeling Temporal Behavior of Component Component behaves with Environment Traditional (pessimistic) approach –

Interface Automata 29-September Modeling Temporal Behavior of Component Component behaves with Environment Traditional (pessimistic) approach –
1 Complexity of Network Synchronization Raeda Naamnieh.

1 Complexity of Network Synchronization Raeda Naamnieh.

Similar presentations

Ads by Google