Formal Methods for Software EngineeringPart II: Modelling & Analysis of System Behaviour

FMSE, Lecture 4

Contents Part IIn Part I we used Z as a formalism to model the static aspects of software systems, i.e.definition of system states & data structuresdefinition of operations & preconditions

The tool Z-Eves was used for specification support and analysis.

FMSE, Lecture 4

Contents Part IIIn this part we introduce FSP as a formalism to model the dynamic aspects of software systems, i.e.definition of system behaviour (control flow)definition of control distribution (concurrency)

We introduce the tool LTSA for modelling support and analysis.

FMSE, Lecture 4

FSP and LTSModels are described using state machines, known as Labelled Transition Systems. These are described textually as Finite State Processes and displayed and analysed by the LTSA analysis tool. LTS - graphical form FSP - algebraic form

FMSE, Lecture 4

LTS: a definitionA labelled transition system T consists of the following ingredients:1. a set S of states2. a set L of actions3. a set -> of transitions of the form s-a->t with s,tS and aL or a=tau4. an initial state s0 S

We also write T=(S,L,->, s0 ).

FMSE, Lecture 4

Modelling Processes A process is modelled as a finite LTS which transits from state to state by executing a sequence of atomic actions.a light switch LTSonoffonoffonoff a sequence of actions or traceonoff

FMSE, Lecture 4

A Simple Transmission ProtocolSENDER = (in -> send -> getack -> SENDER).recoutack012RECEIVER = (rec -> out -> ack -> RECEIVER).BUFFER = (get -> put -> BUFFER).

FMSE, Lecture 4

Composing the System

FMSE, Lecture 4

The System Behaviour parallel composition with synchronized communication equivalent single process can be calculated (with LTSA)

FMSE, Lecture 4

Observable BehaviourObservable behaviour abstracts away frominternal system actions .SenderReceiverinsendrecoutackgetackMedium||SYSTEM = (SENDER||MEDIUM||RECEIVER).

FMSE, Lecture 4

Observable BehaviourObservable behaviour abstracts away frominternal system actions .SenderReceiverinoutMedium||SYSTEM = (SENDER||MEDIUM||RECEIVER)@{in,out}.

FMSE, Lecture 4

Observable BehaviourObservable behaviour abstracts away frominternal system actions .||SYSTEM = (SENDER||MEDIUM||RECEIVER)@{in,out}.

FMSE, Lecture 4

Observable BehaviourObservable behaviour abstracts away frominternal system actions .minimise SYSTEMSame LTS as:SYS=(in->out->SYS).

FMSE, Lecture 4

Behavioural EquivalenceIn what sense is the minimized process SYS comparable to SYSTEM@{in,out}?When can we identifysystem states?

FMSE, Lecture 4

BisimulationIdea: identify states that - can imitate each others observable steps leading to - states that again can be identifiedAn observable step consists of either- observing nothing, or- observing a non-internal action

FMSE, Lecture 4

Exampleintautauouttautau012345

FMSE, Lecture 4

Observable StepsObserving nothing: s==>t: s=t or s-tau->-tau->ti.e. s reaches t by doing nothing, or by executing internal actions only.Observing non-internal action:s=a=>t: s==>s-a->t==>t for some s,ti.e. s reaches t by doing a, possibly preceeded or followed by some internal actions

FMSE, Lecture 4

Examples0==>0, 0=a=>1, 0=a=>21==>1, 1==>2, 1=b=>3, 1=c=>22==>2, 2=c=>23==>3, 3=b=>3

FMSE, Lecture 4

Weak Bisimulation RelationsLet R be a relation between states,then R is a weak bisimulation relation iff for all (s,t)R and all observable actions a:- if for some s: s==>s then for some t: t==>t such that (s,t)R- if for some s: s=a=>s then for some t: t=a=>t such that (s,t)R- if for some t: t==>t then for some s: s==>s such that (s,t)R - if for some t: t=a=>t then for some s: s=a=>s such that (s,t)R

FMSE, Lecture 4

Equivalent Transition SystemsTwo transition systems T and U are observably equivalent iff there is a weak bisimulation relation R with (t0,u0)R with t0 and u0 their respective initial states.

FMSE, Lecture 4

Examplec

FMSE, Lecture 4

Negative Example?

FMSE, Lecture 4

Traces AgainLet T=(S,L,->,s0) be a labelled transition system.Traces(T) is the set of strings a1anL* such that there is an sL with s0=a1=>=an=>sTwo LTSs T and U are trace equivalent iff Traces(T)=Traces(U)

FMSE, Lecture 4

ExampleTraces:(empty trace),a,ab,abb,abbb,abbbb,a,ac,acc,accc,acccc,

FMSE, Lecture 4

(Non)determinismAn LTS T=(S,L,->,s0) is deterministic iff for every trace of T there is a unique state sS with s0==>s.Trace sets are identical!

FMSE, Lecture 4

FACTSLet T and U be LTSs.If T and U are observation equivalent then T and U are trace equivalent.If T and U are trace equivalent then T and U generally are not observation equivalent.If T and U are deterministic then they are trace equivalent iff they are observation equivalent.Do we need nondeterministic processes?

FMSE, Lecture 4

NondeterminismWhat happens with our protocolif a Buffer can lose data?BUFFER = (get -> put -> BUFFER|get -> BUFFER).nondeterminismCompiled: SENDERCompiled: BUFFERCompiled: RECEIVERComposition:SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVERState Space: 3 * 2 * 2 * 3 = 36Composing potential DEADLOCKStates Composed: 7 Transitions: 8 in 0msSYSTEM minimising....Minimised States: 5 in 60ms

FMSE, Lecture 4

Revision 1Keep sending until a getack is receivedSENDER = (in -> send -> WAIT),WAIT = (getack -> SENDER |send -> WAIT).Keep sending acks until a rec is receivedRECEIVER = (rec -> OUT),OUT = (out -> ack -> WAIT),WAIT = (rec -> OUT |ack -> WAIT).

FMSE, Lecture 4

AnalysisCompiled: SENDERCompiled: BUFFERCompiled: RECEIVERComposition:SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVERState Space: 3 * 2 * 2 * 4 = 48ComposingStates Composed: 34 Transitions: 57 in 50msSYSTEM minimising.....Minimised States: 17 in 110ms

FMSE, Lecture 4

Revision 2Alternating Bit Protocol: send along a bit that is flipped to distinguish old and new data and acknowledgements.

range B= 0..1

SENDER = (in -> SENDING[0]),SENDING[b:B] = (send[b] -> SENDING[b] |getack[1-b] -> SENDING[b] |getack[b] -> in -> SENDING[1-b]).

RECEIVER = (rec[0] -> out -> ACKING[0]),ACKING[b:B] = (ack[b] -> ACKING[b] |rec[b] -> ACKING[b] |rec[1-b] -> out -> ACKING[1-b]).

BUFFER = (get[b:B] -> put[b] -> BUFFER |get[b:B] -> BUFFER).

||MEDIUM = (a:BUFFER || b:BUFFER) /{send/a.get,rec/a.put,ack/b.get,getack/b.put}.

||SYSTEM = (SENDER || MEDIUM || RECEIVER)@{in,out}.

FMSE, Lecture 4

Does It Work?Composition:SYSTEM = SENDER || MEDIUM.a:BUFFER || MEDIUM.b:BUFFER || RECEIVERState Space: 5 * 3 * 3 * 6 = 270ComposingStates Composed: 45 Transitions: 86 in 0ms

FMSE, Lecture 4

MinimizationThe Alternating Bit system (service) is observational equivalent with a 1-place buffer

FMSE, Lecture 4

SummaryDynamic system behaviour can be modelled by LTS/FSP specificationsLTS/FSP models can composed and analysed using the LTSA toolLTS/FSP models can be minimized to observational equivalent behaviours using bisimulationsNondeterminism is an essential modelling feature for system behaviours

FMSE, Lecture 4