MVP 2 1
Model Requirements and JAVA Programs
Traditional Software Development

The Waterfall Model: Analysis -> Design -> Implementation -> Testing
• Costly with respect to time and money.
• Errors are found too late (or maybe never).

[Figure: from the problem area, via reviews, to the running system. SPIN/PROMELA is used for the models, JAVA for the implementation.]
Introducing, detecting and repairing errors

[Figure (Liggesmeyer 98): where in the life-cycle errors are introduced, detected and repaired.]

Formal Verification & Validation

[Figure: Design -> Model, Specification, and Verification & Validation of the model against the specification (?).]
Objective

Design = behaviour
Requirement = desired or forbidden behaviour
Design + Requirement -> Xspin -> Yes/No! (plus a simulation of any violating run)
Questions asked: Deadlock? Livelock? Requirement violation?

What is a state?

A state is characterized by:
• Values of local/global variables (e.g. X=5, Y=7, Z=3)
• Channel(s) contents
• State of each process (= program location)
What is a state (continued)?

A global state is the cross product of the states of all processes (plus variable values and channel contents). Example: process A with locations A1, A2, A3 and process B with locations B1, B2 give combined states such as (A1,B1), (A1,B2), (A2,B1), (A3,B1).
Interleaving example from MVP1

byte s = 1;
proctype A() { s==1 -> s++ }
proctype B() { s==1 -> s-- }
init { run A(); run B() }

Note that `->` is only a statement separator: the guard s==1 and the update are two separate atomic steps, so both guards may succeed before either update happens.

Transition systems:
A: <s=1> --(s==1)--> <s=1> --(s++)--> <s=2>
B: <s=1> --(s==1)--> <s=1> --(s--)--> <s=0>

Combined (interleaved) transition system (state graph) of (A || B)

[Figure: the state graph of A || B; s takes the values 1, 2 and 0 along the interleavings of s==1, s++ and s--.]
Each trace = a program execution (behaviour). SPIN checks all traces.
Correctness Requirements for Promela models

• Behaviour: the set of all execution sequences in the state graph
• Sequences may be finite or infinite
• Two kinds of requirements:
  • State requirements: boolean conditions on some (or all) system states
  • Temporal requirements: requirements on a certain ordering of boolean conditions on states
Correctness Analysis: Analysis of the State Graph

Promela program -> state graph
Each state is described by:
• Values of all variables
• Contents of all channels
• Location counters for all processes
Assertions

proctype A() {
  . .
  assert(condition)
  . .
}
When this location is part of the system state, the condition must be true!
Note: assert(...) is always executable.

Result of analysis:
No error: the condition is true for all possible executions
Error: there exists at least one execution where the condition is false
Simple counter example

 1 byte state=1;
 2
 3 proctype A()
 4 { state==1 -> state++;
 5   assert (state==2)
 6 }
 7
 8 proctype B()
 9 { state==1 -> state--;
10   assert (state==0)
11 }
12
13 init {run A(); run B()}

preparing trail, please wait...done
1: proc 0 (:init:) line 13 "pan_in" (state 1) [(run A())]
2: proc 0 (:init:) line 13 "pan_in" (state 2) [(run B())]
3: proc 2 (B) line 9 "pan_in" (state 1) [((state==1))]
4: proc 1 (A) line 4 "pan_in" (state 1) [((state==1))]
5: proc 2 (B) line 9 "pan_in" (state 2) [state = (state-1)]
6: proc 2 (B) line 10 "pan_in" (state 3) [assert((state==0))]
7: proc 2 terminates
8: proc 1 (A) line 4 "pan_in" (state 2) [state = (state+1)]
spin: line 5 "pan_in", Error: assertion violated
spin: text of failed assertion: assert((state==2))
Combined (interleaved) transition system of (A||B), revisited

[Figure: the same state graph as before, with the trail above highlighted: B's state-- runs before A's state++, so A reaches its assertion with state==1 instead of 2.]
Each trace = a program execution. SPIN checks all traces.
Invariant properties

[Figure: a state graph in which p holds in every state.]
p is always true ⇔ p is an invariant ⇔ assert(p) must be evaluated for all system states.

One way of expressing an invariant: define a dedicated process:
active proctype monitor() { assert(p) }
Because assert(p) is always executable, the monitor can be scheduled in any reachable state, so an exhaustive verification checks p everywhere. A single simulation run only checks p in the one state where the monitor happens to be scheduled.
Invariant: Simple counter revisited

int x;
active proctype P() { do :: x<200  -> x=x+1 od }
active proctype Q() { do :: x>0    -> x=x-1 od }
active proctype R() { do :: x==200 -> x=0   od }
active proctype invariant() { assert(x>=-1 && x<=200) }

Which values may x take? (count200-inv example)
Hint: the guard x>0 and the assignment x=x-1 are separate steps, so R may set x to 0 between them.
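The following is an added example, written for this page and not taken from the slides or from SPIN: a small explicit-state model checker in Python that applies the state-graph view above to the two models on this page, the `state` counter with its assertions and the count200 invariant with its monitor process. A state is (values of all variables, program location of every process); the checker enumerates every interleaving breadth-first, treats assert as an always-executable statement, and returns the first violation with a shortest trail. The names `Step`, `explore`, `counter_model` and `count200_model` are this example's own, and the `->` guard/update split is modelled as two steps, as in Promela.

```python
"""Added example (hand-written Python, not SPIN or Promela): a tiny explicit-state
model checker using SPIN's notion of a state: (all variable values, the program
location of every process). It explores every interleaving breadth-first."""
from collections import deque
from typing import Callable, Dict, List, NamedTuple, Optional

Vars = Dict[str, int]


class Step(NamedTuple):
    label: str
    guard: Callable[[Vars], bool]    # executable only while this holds; blocks otherwise
    action: Callable[[Vars], bool]   # updates vars in place; False means an assert failed
    next_pc: Optional[int]           # None: the process terminates after this step


# A process maps a program location to the steps it may take there
# (several steps at one location model the options of an if/do block).
Process = Dict[int, List[Step]]


def always(_: Vars) -> bool:
    return True


def guard(text: str, cond: Callable[[Vars], bool], next_pc: int) -> Step:
    """`cond ->` in Promela: blocks until cond holds, changes nothing."""
    return Step(text, cond, always, next_pc)


def assign(text: str, name: str, value: Callable[[Vars], int], next_pc: int) -> Step:
    """`name = value` in Promela: always executable."""
    def action(v: Vars) -> bool:
        v[name] = value(v)
        return True
    return Step(text, always, action, next_pc)


def check(text: str, cond: Callable[[Vars], bool], next_pc: Optional[int]) -> Step:
    """assert(text): always executable, fails when cond is false in the current state."""
    return Step("assert(" + text + ")", always, cond, next_pc)


class Result(NamedTuple):
    states: Dict[tuple, Optional[tuple]]  # reachable state -> (predecessor, step label)
    violation: Optional[str]              # label of the failed assert, or None
    trail: List[str]                      # shortest interleaving that reaches the violation


def explore(names: List[str], procs: List[Process], init_vars: Vars) -> Result:
    """Breadth-first search over all interleavings; stops at the first failed assert."""
    start = (tuple(sorted(init_vars.items())), tuple(0 for _ in procs))
    pred: Dict[tuple, Optional[tuple]] = {start: None}
    queue = deque([start])

    def trail_to(s: tuple) -> List[str]:
        labels: List[str] = []
        while pred[s] is not None:
            s, label = pred[s]
            labels.append(label)
        return labels[::-1]

    while queue:
        s = queue.popleft()
        var_items, pcs = s
        for i, pc in enumerate(pcs):
            if pc is None:                       # this process has terminated
                continue
            for step in procs[i].get(pc, []):
                v = dict(var_items)              # fresh copy per successor
                if not step.guard(v):
                    continue
                label = f"{names[i]}: {step.label}"
                if not step.action(v):
                    return Result(pred, label, trail_to(s) + [label])
                succ = (tuple(sorted(v.items())), pcs[:i] + (step.next_pc,) + pcs[i + 1:])
                if succ not in pred:
                    pred[succ] = (s, label)
                    queue.append(succ)
    return Result(pred, None, [])


def reachable_values(result: Result, name: str) -> set:
    return {dict(var_items)[name] for var_items, _ in result.states}


def counter_model():
    """Slide 13's model: A does `state==1 -> state++; assert(state==2)`, B the mirror image."""
    def proc(delta: int, expected: int) -> Process:
        sign = "+" if delta > 0 else "-"
        return {0: [guard("(state==1)", lambda v: v["state"] == 1, 1)],
                1: [assign(f"state = state{sign}1", "state", lambda v: v["state"] + delta, 2)],
                2: [check(f"state=={expected}", lambda v: v["state"] == expected, None)]}
    return ["A", "B"], [proc(+1, 2), proc(-1, 0)], {"state": 1}


def count200_model(low: int):
    """Slide 16's model plus a one-shot monitor process asserting low <= x <= 200.
    The assert is always executable, so some interleaving runs the monitor in every
    reachable state: that is why a dedicated process can express an invariant."""
    def loop(cond_text, cond, update_text, value) -> Process:
        return {0: [guard(cond_text, cond, 1)], 1: [assign(update_text, "x", value, 0)]}
    P = loop("x<200", lambda v: v["x"] < 200, "x = x+1", lambda v: v["x"] + 1)
    Q = loop("x>0", lambda v: v["x"] > 0, "x = x-1", lambda v: v["x"] - 1)
    R = loop("x==200", lambda v: v["x"] == 200, "x = 0", lambda v: 0)
    monitor = {0: [check(f"x>={low} && x<=200", lambda v: low <= v["x"] <= 200, None)]}
    return ["P", "Q", "R", "invariant"], [P, Q, R, monitor], {"x": 0}


if __name__ == "__main__":
    r = explore(*counter_model())
    print("counter:", r.violation, "via", " ; ".join(r.trail))
    print("count200, x>=-1:", explore(*count200_model(-1)).violation)
    r = explore(*count200_model(0))
    print("count200, x>=0:", r.violation, "after", len(r.trail), "steps")
```

Running it reports the counter assertion violated after a five-step interleaving in which B's decrement lands before A's assert, confirms that `x>=-1 && x<=200` holds in every reachable state of the count200 model, and, with the bound tightened to `x>=0`, produces the 405-step trail (200 increments to reach 200, then R's reset between Q's guard and Q's decrement) on which x becomes -1. The breadth-first order is what makes the returned trail a shortest counterexample, which is also why SPIN's trails are easier to read than an arbitrary failing run.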
Linear Temporal Logic (LTL)

LTL can express requirements on the ordering of state conditions (predicates):
<>p    "Eventually p"
[]p    "Always/invariantly p"
p U q  "p until q"
A formula must hold for ALL traces.

LTL example

#define p (state==2)
#define q (state==3)
byte state=1;
active proctype A() { do :: state=2 od }
active proctype B() { do :: state=3 od }

<>q ?   p U q ?   [](p -> <>q) ?   (Ltl/ltl1 example; when deciding, consider the trace in which only A is ever scheduled)
Implementing processes

Modeling processes as finite state machines using Promela.
Implementing threads in Java.
Note: to avoid confusion, we use the term process when referring to the models, and thread when referring to the implementation in Java.
Two basic object invocation methods

• call-return (caller waits for callee)
  – Efficient
  – Callee is protected from caller
  – Callee is a passive object
• start-stop (caller and callee continue)
  – Expensive calling sequence
  – Callee is not protected from caller
  – Callee becomes an active object (a thread)

[Figure: call-return uses one thread; start-stop uses two threads.]
JVM with threads

[Figure: a JVM holding four thread states, State 1 to State 4, each consisting of a program counter and object addresses.]
Fundamental problems: Scheduling, Protection, Synchronization
Threads in Java

A Thread class manages a single sequential thread of control. Threads may be created and deleted dynamically.

[Class diagram: MyThread extends Thread and overrides run().]

The Thread class executes instructions from its method run(). The actual code executed depends on the implementation provided for run() in a derived class.

class MyThread extends Thread {
    public void run() {
        //...
    }
}
Thread x = new MyThread();
Threads in Java

Since Java does not permit multiple inheritance, we often implement the run() method in a class not derived from Thread but implementing the interface Runnable.

public interface Runnable {
    public abstract void run();
}

class MyRun implements Runnable {
    public void run() {   // must be public: it implements an interface method
        //...
    }
}
Thread x = new Thread(new MyRun());   // the MyRun object is the thread's target

[Class diagram: Thread holds a Runnable target; MyRun implements Runnable and provides run().]
Thread life-cycle in Java

An overview of the life-cycle of a thread as state transitions:
new Thread() -> Created --start()--> Alive --failure, or run() returns--> Terminated
The predicate isAlive() can be used to test if a thread has been started but not terminated. Once terminated, it cannot be restarted (cf. mortals).
start() causes the thread to call its run() method.

Thread alive states in Java

Once started, an alive thread has a number of substates:
[Figure: Alive = Runnable, Running and Non-Runnable. start() enters Runnable; dispatch moves Runnable -> Running; yield() moves Running -> Runnable; wait() or sleep() moves Running -> Non-Runnable; notify() or a timeout moves Non-Runnable -> Runnable; failure, or run() returning, moves Running -> Terminated.]
Summary of thread methods

• Scheduling hint: yield
• Blocking: wait, wait(msec), sleep(msec), join, join(msec)
• Unblocking: notify, notifyAll, interrupt
• State inquiry: isAlive, isInterrupted
• Priority: getPriority, setPriority
CountDown timer example

• Develop a JAVA applet which can:
  – Count down once per second from some constant number
  – Display the current count value
  – Stop after counting down to zero or when requested by the system (e.g. window change)
• Model in Promela?
CountDown timer - Promela
Properties?

#define dummy 1
#define N 5
chan beep  = [0] of {bit};
chan tick  = [0] of {bit};
chan stop  = [0] of {bit};
chan start = [0] of {bit};
byte count = 0;

active proctype counter() {
  byte i;
  if
  :: start?dummy -> i = N;
     do
     :: i > 0      -> tick!dummy; i--
     :: i == 0     -> beep!dummy; break
     :: stop?dummy -> break
     od
  fi
}

active proctype system() { start!dummy; stop!dummy }

active proctype display() {
  do
  :: tick?dummy -> count++
  :: beep?dummy -> break
  :: timeout    -> break
  od
}

CountDown timer - properties

• Counting down to zero should be possible
• The system should be able to terminate before counting down to zero (at system stop)
CountDown timer - from the Promela model to Java
Implementation in Java?
CountDown timer - class diagram

The class CountDown derives from Applet and implements Runnable; its run() method is the one the counter Thread executes as its target. The class NumberCanvas provides the display canvas.
[Class diagram: Applet <- CountDown with init(), start(), stop(), run(), tick(), beep(); CountDown implements Runnable and is the target of the Thread counter; CountDown holds a NumberCanvas display with setvalue().]
CountDown class

public class CountDown extends Applet implements Runnable {
    Thread counter;               // written by stop(), read by run() in the counter thread
    int i;
    final static int N = 10;
    AudioClip beepSound, tickSound;
    NumberCanvas display;

    public void init()  {...}
    public void start() {...}
    public void stop()  {...}
    public void run()   {...}
    private void tick() {...}
    private void beep() {...}
}
CountDown class - start(), stop() and run()

public void start() {
    counter = new Thread(this);
    i = N;
    counter.start();
}

public void stop() {
    counter = null;
}

public void run() {
    while (true) {
        if (counter == null) return;
        if (i > 0) { tick(); --i; }
        if (i == 0) { beep(); return; }
    }
}

COUNTDOWN model (the counter process, for comparison):

active proctype counter() {
  byte i;
  if
  :: start?dummy -> i = N;
     do
     :: i > 0      -> tick!dummy; i--
     :: i == 0     -> beep!dummy; break
     :: stop?dummy -> break
     od
  fi
}
CountDown class - tick() and beep()

private void tick() {
    display.setvalue(i);
    tickSound.play();
    try {
        Thread.sleep(1000);
    } catch (InterruptedException e) {}
}

private void beep() {
    display.setvalue(i);
    beepSound.play();
}
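As an added example, not the page's Java applet, here is the same CountDown structure (start(), stop(), run(), tick(), beep()) as a Python thread, exercising the thread life-cycle described above: not alive before start(), alive while run() executes, terminated once run() returns, and a second start() rejected. The two model properties (counting to zero is possible; a stop request ends the thread before zero) are each driven by a small function. Two deliberate differences from the Java version: the stop request is a `threading.Event` rather than the `counter == null` test, so the sleeping tick wakes as soon as stop() is called instead of finishing its second, and the Event also gives the cross-thread visibility that the Java field would need `volatile` for. The class and function names are this example's own.

```python
"""Added example: the CountDown timer as a Python thread (not the page's Java code)."""
import threading
from typing import List, Optional


class CountDown:
    def __init__(self, n: int, tick_seconds: float) -> None:
        self.n = n
        self.tick_seconds = tick_seconds
        self.value = n                       # what the NumberCanvas would display
        self.events: List[str] = []          # stands in for the sounds: "tick:<i>" / "beep"
        self._stop = threading.Event()       # set by stop(); replaces the `counter == null` test
        self.counter = threading.Thread(target=self.run, name="counter")  # run() is the target

    def start(self) -> None:
        self.counter.start()                 # Created -> Alive; the thread calls run()

    def stop(self) -> None:
        self._stop.set()                     # request termination before reaching zero

    def join(self, timeout: Optional[float] = None) -> None:
        self.counter.join(timeout)

    def run(self) -> None:
        i = self.n
        while i > 0:
            self.tick(i)                     # display i, then sleep one period
            if self._stop.is_set():
                return                       # stop requested: Alive -> Terminated, no beep
            i -= 1
        self.beep()                          # counted down to zero: Alive -> Terminated

    def tick(self, i: int) -> None:
        self.value = i
        self.events.append(f"tick:{i}")
        # One period asleep, cut short if stop() is called meanwhile (Java: Thread.sleep(1000)).
        self._stop.wait(self.tick_seconds)

    def beep(self) -> None:
        self.value = 0
        self.events.append("beep")


def run_to_zero(n: int = 3, tick_seconds: float = 0.001) -> CountDown:
    """Property 1 of the model: counting down to zero is possible."""
    cd = CountDown(n, tick_seconds)
    cd.start()
    cd.join(5.0)
    return cd


def stop_early(n: int = 1000, tick_seconds: float = 0.01) -> CountDown:
    """Property 2: a stop request ends the thread before it reaches zero."""
    cd = CountDown(n, tick_seconds)
    cd.start()
    cd.stop()
    cd.join(5.0)
    return cd


def restart_raises(cd: CountDown) -> bool:
    """A terminated thread cannot be restarted: Python raises RuntimeError
    (Java's Thread.start() throws IllegalThreadStateException)."""
    try:
        cd.counter.start()
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    done = run_to_zero()
    print(done.events, "alive:", done.counter.is_alive(), "restart rejected:", restart_raises(done))
    stopped = stop_early()
    print(stopped.events, "value:", stopped.value, "alive:", stopped.counter.is_alive())
```

With the Java polling loop, a stop() issued during `Thread.sleep(1000)` is only noticed after the sleep completes, so termination can lag by up to a second; waiting on the Event instead makes the stop latency the time to reschedule the thread. Checking the flag right after the wait, rather than only at the top of the loop, is what keeps a stop during the final tick from still producing the beep.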
Summary

• Concepts
  – process: unit of concurrency, execution of a program
• Models
  – Promela to model processes as state machines: sequences of atomic actions
• Practice
  – Java threads to implement processes
  – Thread life-cycle: created, running, runnable, non-runnable, terminated