Specification Patterns
• Early taxonomy for property specifications
– safety properties: nothing bad will ever happen
– liveness properties: something good will eventually happen
Property Patterns
• Occurrence: Absence, Universality, Existence
• Order: Precedence, Response
• Compound
Relationships
• Note that a Precedence property is like a converse of a Response property. Precedence says that some cause precedes each effect, and Response says that some effect follows each cause. They are not equivalent, because Response allows effects to occur without causes (Precedence similarly allows causes to occur without subsequent effects).
Occurrence Patterns
• Absence: A given state/event does not occur within a scope. Also known as Never.
• Existence: A given state/event must occur within a scope. This pattern is also known as Future and Eventuality. A variant: Bounded Existence: exactly k times, at least k times, at most k times.
Occurrence Patterns
• Universality: A given state/event occurs throughout a scope. Also known as Globally, Always, Henceforth.
Ordering Patterns
• Precedence: A given state/event must always be preceded by a state/event Q within a scope.
• Response: A state/event P must always be followed by a state/event Q within a scope. Also known as Follows and Leads-to. A mixture of Existence and Precedence.
Some background
• A scope is the extent of a program’s execution over which a formula must hold. There are five basic kinds of scopes: global, before, after, between, after-until.
Some background
• scope
– global (the entire program execution)
– before (the execution up to a given state)
– after (the execution after a given state)
– between (any part of the execution from one given state to another given state)
– after-until (like between even if the second state does not occur)
Some background
• A scope itself should be interpreted as optional; if the scope delimiters are not present in an execution then the specification will be true.
Four Formula Scopes
(figure: the Global, Before Q, After Q, and Between Q and R scopes drawn over the state sequence Q R Q Q R)
Specification Pattern System
• Precedence Property Pattern: S precedes P. P is the consequent and S is the enabling state/event.
– Globally: A[!P U (S | AG(!P))]: for all paths, P does not hold until S holds or P will never hold
Precedence: Traversal application
• For all traversals which start at an X-object, any visit to a P-object is preceded by a visit to an S-object.
• P uses information produced in S.
Specification Pattern System
• Precedence Property Pattern: S precedes P. P is the consequent and S is the enabling state/event.
– Before R: A[!P U (S | R | AG(!P) | AG(!R))]: for all paths, P does not hold until S holds or R holds or P will never hold or R will never hold. When P holds, S must have been true earlier if R has not happened.
Precedence: Traversal application
• For all traversals which start at an X-object, any visit to a P-object is preceded by a visit to an S-object provided no R-object has been visited.
• P uses information produced in S or R.
Specification Pattern System
• Precedence Property Pattern: S precedes P. P is the consequent and S is the enabling state/event.
– After Q: A[!Q U (AG(!Q) | (Q & A[!P U (S | AG(!P))]))]: for all paths, Q does not hold until Q never holds, or Q holds and for all paths P does not hold until S holds or P will never hold.
Precedence: Traversal application
• For all traversals which start at an X-object, any visit to a P-object is preceded by a visit to an S-object provided a Q-object has been visited first.
• Q-object initializes information used by S-object and P-object. S-object computes information used by P-object.
CTL formulas for Absence
• P is false
– Globally: AG(!P)
CTL formulas for Absence
• P is false
– Before R: A[!P U (R or AG(!R))]
– P is false until R holds or until R will never hold
Absence: Traversal application
• For all traversals which start at an X-object, there can be no visit to a P-object while R is false (e.g., before an R-object is visited).
• While R is false, P cannot participate in the collaboration.
CTL formulas for Absence
• P is false
– After Q: AG(Q => AG(!P))
– For all paths the following condition holds at every state: if Q holds at a state then for all paths from that state !P holds globally.
Absence: Traversal application
• For all traversals which start at an X-object, after visiting a Q-object we will never visit a P-object.
CTL formulas for Absence
• P is false
– Between Q and R: AG(Q => A[!P U (R or AG(!R))])
– Globally, if Q holds at a state s then P is false until R holds or R is false globally from s.
CTL formulas for Response
• S responds to P: (P is the cause, S the effect)
– AFTER Q: AG(Q=>AG(P=>AF(S))): Globally, if Q holds, then if P holds, eventually S will hold.
CTL formulas for Response
• S responds to P: (P is the cause, S the effect)
– GLOBALLY: AG(P=>AF(S)): Globally, if P holds then S will eventually hold.
CTL formulas for Response
• S responds to P: (P is the cause, S the effect)
– BEFORE R: A[(P=>A[!R U ((S and !R) or AG(!R))]) U (R or AG(!R))]
– Amazing how complex it is to express BEFORE.
– Until R holds or R never holds, if P holds then for all paths until (S and !R) holds or R never holds, not R holds.
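As an added example (not from the slides), the following Python explicit-state CTL checker evaluates the Precedence (Globally), Absence (Between Q and R) and Response (Globally) formulas above by fixpoint iteration on a constructed toy model; the Kripke class, the formula builders and the state names (login, authed, priv, logout) are all assumptions of this example, with Q = login, S = authenticated, P = privileged operation and R = logout.

```python
# Added example, not from the slides: explicit-state CTL checking of the slides' pattern formulas on a constructed toy model (all names here are assumptions).
def ap(name): return ("ap", name)
def no(f): return ("not", f)
def imp(f, g): return ("or", no(f), g)  # f => g

class Kripke:
    def __init__(self, succ, labels):
        # succ: state -> successors; labels: state -> atomic props true there.
        # CTL assumes a total transition relation, so dead ends get a self-loop.
        self.S = set(succ) | set(labels)
        self.succ = {s: set(succ.get(s, ())) or {s} for s in self.S}
        self.lab = {s: set(labels.get(s, ())) for s in self.S}

    def ax(self, z):  # states all of whose successors lie in z
        return {s for s in self.S if self.succ[s] <= z}

    def fix(self, z, step):  # iterate step until the state set is stable
        while (nz := step(z)) != z: z = nz
        return z

    def sat(self, f):  # set of states satisfying CTL formula f (nested tuples)
        op, a = f[0], f[1:]
        if op == "ap":  return {s for s in self.S if a[0] in self.lab[s]}
        if op == "not": return self.S - self.sat(a[0])
        if op == "and": return self.sat(a[0]) & self.sat(a[1])
        if op == "or":  return self.sat(a[0]) | self.sat(a[1])
        if op == "AX":  return self.ax(self.sat(a[0]))
        if op == "AF":  # least fixpoint of  f | AX Z
            g = self.sat(a[0]); return self.fix(set(), lambda z: g | self.ax(z))
        if op == "AG":  # greatest fixpoint of  f & AX Z
            g = self.sat(a[0]); return self.fix(self.S, lambda z: g & self.ax(z))
        if op == "AU":  # A[f U g]: least fixpoint of  g | (f & AX Z)
            fs, gs = self.sat(a[0]), self.sat(a[1])
            return self.fix(set(), lambda z: gs | (fs & self.ax(z)))
        raise ValueError(f"unknown operator {op}")

# The slides' formulas as builders: S precedes P; P false between Q and R; S responds to P.
def precedence_globally(s, p):  # A[!P U (S | AG(!P))]
    return ("AU", no(ap(p)), ("or", ap(s), ("AG", no(ap(p)))))
def absence_between(p, q, r):   # AG(Q => A[!P U (R | AG(!R))])
    return ("AG", imp(ap(q), ("AU", no(ap(p)), ("or", ap(r), ("AG", no(ap(r)))))))
def response_globally(p, s):    # AG(P => AF(S))
    return ("AG", imp(ap(p), ("AF", ap(s))))

# Constructed toy model: Q = login, S = authenticated, P = privileged op, R = logout.
MODEL = Kripke(
    succ={"idle": ["login"], "login": ["authed"], "authed": ["priv", "logout"],
          "priv": ["authed"], "logout": ["idle"]},
    labels={"login": {"Q"}, "authed": {"S"}, "priv": {"P"}, "logout": {"R"}})
```

A property holds for the model when the initial state "idle" is in the set returned by sat; adding an "idle" -> "priv" edge to the model makes both the Precedence and the Absence-between-logout-and-login properties fail, which is the kind of missing-check defect these patterns are meant to catch.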
1-2 Response Chain Property Pattern
• Intent: To describe a relationship between a stimulus event (P) and a sequence of two response events (S,T) in which the occurrence of the stimulus event must be followed by an occurrence of the sequence of response events within the scope.
1-2 Response Chain Property Pattern
• S,T responds to P:
– Globally: AG(P -> AF(S & AX(AF(T))))
– Before R: A[(P -> A[!R U (S & !R & A[!R U T])]) U (R | AG(!R))]
– After Q: AG(Q -> AG(P -> AF(S & AX(AF(T)))))