Advanced Topics in Software Engineering

Marjan SirjaniTehran University

Faculty of EngineeringECE Department

Tehran, 1383-1384

2

Subjects to be covered Modeling concurrency Formal verification methods Transition systems Petri Nets Process Algebra Actor Model Rebeca: an actor-based model Reo: a coordination language Constraint automata

3

Models of concurrency The Temporal Logic of Reactive and

Concurrent Systems (Specification), Z. Manna, A. Pnueli, Springer-Verlag,

1992 Part one: Models of Concurrency Process algebra Communicating Sequential Processes C.A.R. Hoare, 2004

4

Actors Actors: a Unifying Model for Parallel

and Distributed Computing, Agha G., Kim W., Open Systems Laboratory, 1998. Rebeca  Modeling and Verification of Reactive

Systems using Rebeca, Sirjani M., Movaghar A, Shali A., and de Boer

F., Fundamenta Informaticae, Dec. 2004

5

Coordination languages Reo: A Channel-based Coordination Model

for Component Composition, F. Arbab, Mathematical Structures in Computer Science,

2004 Modeling Component Connectors in Reo by

Constraint Automata, F. Arbab, C. Baier, J.J.M.M. Rutten and M. Sirjani, in Proceedings of FOCLASA'03, Marseille,

France, September 2003, ENTCS, Elsevier Science.

6

Overview

Concurrent and Reactive Systems Formal methods

Modeling language Process algebra, Petri nets, Actor

languages Specification language

Temporal logic, Automata Analysis

Theorem proving, Model checking

7

Models of ConcurrencyManna, chapter 1,2

8

Chapter 1 1.1 The Generic Model 1.2 Model 1: Transition Diagrams 1.3 Model 2: Shared-Variables Text

1.4 Semantics of Shared-Variables Text 1.5 Structural Relations Between Statements 1.6 Behavioral Equivalence 1.7 Grouped Statements 1.8 Semaphore Statements 1.9 Region Statements

1.10 Model 3: Message-Passing Text 1.11 Model 4: Petri-Nets

9

Chapter 1- Basic Models

Programs and systems they control Transformational Reactive

10

Transformational program More conventional Produce final result at the end of a

terminating computation A function from an initial state to a

final state Appropriately specified by properly

characterizing the relation between initial and final states: predicate logic

11

Reactive program Not to produce a final result but to

maintain some ongoing interaction with its environment

12

Reactivity and Concurrency Program and its environment act

concurrently in transformational case, they act

sequentially When we have parallel processes,

even if the whole program has a transformational role, it should be analyzed as a reactive system.

13

Reactive systems

Communication Coordination

14

Communication Shared variables Message passing Remote procedure calls

15

Coordination Semaphores Critical regions Monitors Handshaking Rendezvous Asynchronous transmission

16

The Generic Model

V – Vocabulary E – Expressions A – Assertions I - Interpretations

17

V – Vocabulary A countable set of typed variables.

Data variables Range over data domains used in programs,

such as booleans, integers, or lists. Control variables

Indicate progress in the execution of a program, range over locations in the program.

18

E – Expressions Expressions are constructed from the

variables of V and

constants (such as 0, (empty list), (empty set))to which functions (such as +,•,) and predicates (such as >, null, and ) over the appropriate domains (such as

integers, lists, and sets) are applied.

x+3y hd(u) •tl(v) A B

19

A – Assertions Assertions are constructed out of

boolean expressions using boolean connectives and quantification(,) over some variables that appear in the expressions.

20

I – Interpretation An interpretation I I of a set of

typed variables V V is a mapping that assigns to each variable y V a value I[y] in the domain of y.

If I[]=T, we say I satisfies : I |=

21

Basic Transition System

A basic transition system (,,,), intended to represent a reactive program.

={u1,…,u2} V – a finite set of flexible state variables.

- a set of states. - a finite set of transitions. - an initial condition.

22

={u1,…,u2} V – a finite set of flexible state variables.

Data variables Explicitly declared and manipulated

Control variables Represent progress in the execution

of the program (label of a statement)

23

- a set of states. Each state s in is an

interpretation of , assigning to each variable u in a value over its domain, denoted by s[u].

A state s that satisfies an assertion , i.e., s |= , is sometimes referred to as –state.

24

- a finite set of transitions. Each transition in T represents a

state-transforming action of the system and is defined as a function : 2 that maps a state s in into the (possibly empty) set of states (s) that can be obtained by applying action to state s.

25

- an initial condition. This assertion characterizes the

states at which execution of the program can begin.

A state s that satisfies , i.e., s |= , is called an initial state.

26

The Transition Relation

Each transition is characterized by an assertion, called the transition relation

(,’)

(,’): C () (y’1=e1) … (y’k=ek)

Enabling condition: C ()Conjunction of modification statements

27

Enabled and disabled transitions Idling and diligent transitions Computation: infinite sequence of

steps Computation prefix Reachable states

28

Concrete models

Model 1: Transition Diagram Model 2: Shared-Variables text Model 3: Message-Passing text Model 4: Petri Nets

29

Model 1 : Transition diagrams

Program P, and processes Pi

P::[declaration][P1 || P2 … ||Pm] m>=1

Data variables Y={y1, …, yn} n>=1 Shared for all the processes

30

Declarations At the head of the program

Modes, Types, Initial conditions

mode var, …,var: type where i

Mode: in, local, out Types: basic (int,char), structured (array, list,

set) Assertion i , imposes constraint on the values

of some of the variables in this statement

31

in k,n :integer where 0knlocal y1,y2 : integer where y1=n y2=1

out b : integer where b=1

Data precondition of the program i

: 0kn y1=n y2=1 b=1

32

Processes Each process Pi is represented by a

transition diagram (directed graph) Nodes: locations

For Pi : Li ={li0, li1 , … , liti} Entry and exit locations

Edges: (atomic) instructions Guarded assignment c [(y1, …):=(e1, …)]

State of a program: Control variables (i

current location of control in Pi)+ data variables

33

Diagrams as Basic Transition Systems

State variables States Transition Initial condition

34

State variables All the data and control variables = {1, …, m, y1, … , yn}

States All the possible interpretations that

assign to the state variables values over their respective domains.

Domain of control variable I is the set of locations Li

35

Transition Idling transition I is defined by

transition relation I : T Diligent transitions: labeled edges

that appear within the processes.

36

l l’

C [yi := ei]

is the edge.

: (i =l) c (’i=l’) (yi =ei)

37

Initial condition Program P:

[dcl where ][P1 || … || Pm]

Initial condition : /\i=1

m (i = loi)

A process is enabled, or disabled on a state.

38

Example: Binomial coefficient

( nk ) = (n(n-1)…(n-k+1)) / (1.2….k)

39

Representing Concurrency by Interleaving

X=0,Y=0

X=0,Y=0

X:=1 Y:=1

Y:=1 X:=1

X:=1 Y:=1

Program A Program B

Process P1 Process P2

40

Scheduling

The choice of the enabled transition to be executed next.

A sequence of choices that leads to a complete computation is called a schedule.

41

A short review

42

Chapter 1 1.1 The Generic Model 1.2 Model 1: Transition Diagrams 1.3 Model 2: Shared-Variables Text

1.4 Semantics of Shared-Variables Text 1.5 Structural Relations Between Statements 1.6 Behavioral Equivalence 1.7 Grouped Statements 1.8 Semaphore Statements 1.9 Region Statements

1.10 Model 3: Message-Passing Text 1.11 Model 4: Petri-Nets

43

Model 2: shared-variable text

In transition diagram representation of shared-variables programs We only have guarded assignment

We need structured constructs to allow hierarchical programs readability, modifiability, analysis

44

Shared-variable text language

Basic (simple) statements Grouped statements (atomic

execution) Synchronization statements

Semaphore Region statement

45

Simple statementsBasic steps, atomic Skip: a trivial do-nothing statement

skip Assignment: for ŷ a list of variables

and ē a list of expressions of the same length and corresponding types. ŷ:=ē

Await: for c a boolean expression await c

46

await c c is the guard Wait until c becomes true, and

then terminates.

What happens if in a sequential program we have an await ?

47

In which states is await c enabled?

What about skip and assignment statements?

48

Compound statements

A controlling frame applied to one or more simpler statements (body).

May require several computation steps. Conditional (if then else) Concatenation (sequential composition) Selection (non-deterministic choice) Cooperation (parallel composition) While (while do) Block (a block with local dcls, like in Algol)

49

Conditional If c then S1 else S2

Step1: evaluate c Step 2: execute one of statements

What is the difference between conditional statement and await (await c)?

50

Concatenation S1;S2

Step 1: first step of S1 Subsequent steps: rest of S1 and

then S2 Multiple concatenation statement S

S1;S2; …;Sn Si children of S

51

We define Concatenation await c;Sas when c do Sas an abbreviation.

52

Selection S1 or S2

Step 1: first step of one of S1 or S2 which is enabled.

Subsequent steps: the rest of the selected statement.

What if S1 and S2 are both enabled? Non-deterministic choice

What if none is enabled? The statement is disabled

53

Multiple selection statement S1 or S2 or … or Sn

Abbreviated to ORin=1 Si

Si children of the selection statement.

54

Dijkstra’s guarded command: if c1 S1 c2 S2 … cn Sn fi

How to write it in our language (using or)? [when c1 do S1] or … [when cn do Sn]

55

First step: arbitrary choosing an i such that ci is currently true, and passing the guard ci.

Subsequent steps: execute the selected Si

The order of the list does not imply priority.

56

Non-exclusive ci s are not exclusive, not necessarily ci (cj) for every i j

Non-exhaustive ci s are not exhaustive, not always \/i

n=1 ci is true.

QUESTIONS: Non-exclusiveness allows ??

nondeterminism Non-exhaustiveness allows ??

Possibility of deadlock

57

Cooperation S1 || S2

Parallel execution of S1 and S2

Step 1: entry step, setting the stage for the parallel execution of S1 and S2

Subsequent steps: steps from S1 and S2

Last step: an additional exit step that close the parallel execution.

58

Multiple cooperation statement S1 || S2 … || Sn

Si children of the cooperation statement

QUESTION: In [S1 || S2 ]; S3 , when does S3 start?

After both S1 and S2 are terminated.

59

While

while c do S

First step: evaluation of guard c Subsequent steps:

C true: at least one more repetition of the body S

C false: terminating the execution of while

60

Question What are the differences between:

while c do S when c do S ?

61

Block

[local dcl; S] S is the body of the block. Local dcl:

Local variable, …,variable: type where

: yi = ei yi declared in this statement, ei depends on

program’s input variables is the initialization of variables Once, at the beginning of the program

(static) and not every time we enter the block.

62

Statement S may refer to variables which are declared at the head of the program or at the head of a block containing S.

63

Programs P:: [dcl; [P1::S1 || … || Pm::SM]]

S1, …,Sm : top-level processes of the program [P1::S1 || … || Pm::SM] : body of the program Names of the program and top-level

processes are optionalQUESTION: body of a program is like which statement??

a cooperation statement (allow m=1) Uniformity

64

declarations: mode variable, …, variable: type

where mode: in , local, out Assertion : restrict the initial values

of the variables on entry to the program

65

Labels: Statements in the body may be

labeled. We use them in our discussions and

specifications. No statement refer to the labels.

66

Examples

Binomial coefficient Greatest common divisor

P. 27, 28

67

Labels in Text Program

Pre-label, post-label of statements Two important roles:

Unique identification and reference to the statements

Serve as a possible sites of control in a way similar to nodes in a transition diagram

68

The label equivalence relation P. 30

Locations in the text language P. 32

69

Semantics of Shared-Variables Text

Giving the semantics of Shared-Variables Text:

Establishing the correspondence between text programs

and the generic model of basic transition systems (,,,) Identifying the components of a basic

transition system in text programs

70

State variables, : (,,,) = {Y, } Y is the set of data variables,

explicitly declared (input, output, local)

is single control variable: ranges over sets of locations All the locations of the program that are

currently active (statements candidate for execution)

71

Example out x: integer where x=0 L0: [l1 : x:= x+1; l2: x:=2; l3: x:=x+2]:l’0

QUESTION: = ??

Note: adequately labeled (equivalence classes) Instead of {[l1], …} we represent it by {l1, …}

72

States, : (,,,) All possible interpretations that

assign to the state variables values over their respective domains.

Question: States of the previous example? Reachable states of it? (p.34)

73

Transitions (,,,) The transition relation for idling

transition I =

The transition relations for diligent transitions l , shall be defined for each statement.

p. 34 – p. 37

l : skip : l’, l : ŷ:=ē : l’, (Assignment) l : await c : l’, l : if c then [ l1: S1 ] else [ l2: S2 ], l : when c do [l’ : S ] l : [while c do [l1 : S ]]: l’, l : [[l1 : S1 : l’1] || … || [lm : Sm : l’m]] : l’, (Cooperation)---------------------------------- Concatenation: S= [S1;S2] Selection: S= [S1 or S2 or … or Sn] Block: S= [local dcl; S’]

75

The Initial Condition

[dcl; [P1 :: [lm : S1] || … || Pm::[lm : Sm ]]]

is the data precondition of the program.

: (={l1, …, lm}

76

Computation

77

Subscripted Variables

78

Structural Relations Between Statements