Trace Focussed and Data Focussed Specification: Complementary, Competing, Combined?
Wolfgang Ahrendt, Chalmers University of Technology, Gothenburg, Sweden
A Shared Challenge in Behavioural Specification
Dagstuhl Nov. 2017 Trace Focussed and Data Focussed Specification 1
5 Years ago ...
◮ ... I participated in Dagstuhl seminar 'Divide and Conquer: the Quest for Compositional Design and Analysis'
◮ In effect, it was (more or less): 'Model Checking meets Deductive Verification'
◮ Was nice, but: we did not come any closer on properties of interest (not to speak of formalisms)
Trace Focus vs. Data Focus
(the following is deliberately simplified)

Properties                                        | Specifications                                               | Static V.              | Runtime V.
--------------------------------------------------|--------------------------------------------------------------|------------------------|---------------------------
valid traces (+ some data)                        | temporal logics, automata, regular languages (+ extensions)  | Model Checking         | Runtime Trace Checking
valid data in specific states (+ some trace info) | first-order assertion languages (+ extensions)               | Deductive Verification | Runtime Assertion Checking
Observations
◮ Property languages are technology driven
◮ Properties are technology driven
◮ To analyse one system with different methods, we end up specifying in different formalisms, specifying disconnected views
◮ Example: TwoFormalisms.pdf
Example of Trace Focused Formalism: DATE
[DATE automaton diagram. Recoverable transition labels (event | condition ↦ action):
 connDrop↓ | c == 5 ↦ unreliable!
 connDrop↓ | c < 5 ↦ c++
 and a replicated automaton (foreach transfer) with states start, bad, end and transitions receive↓, start↓(transfer), unreliable?, end↓(transfer), receive↓]
In general:
◮ communicating automata, event-triggered transitions, timers
◮ events: method entry/exit, timer events, synchronising events
Example of Data Focused Formalism: JML

int[] arr;

/*@ public normal_behavior
  @ requires arr != null;
  @ ensures (\forall int j; j >= 0 && j < arr.length;
  @             arr[j] <= \result);
  @ ensures arr.length > 0 ==>
  @         (\exists int j; j >= 0 && j < arr.length;
  @             arr[j] == \result);
  @*/
public int max() {
    int hwm = arr[0];                       // high-water mark so far
    for (int i = 1; i < arr.length; ++i) {
        if (arr[i] > hwm) hwm = arr[i];
    }
    return hwm;
}
Community Effort?
Are the following points desirable? Are we in the position to move there?
◮ Integrated/coordinated specification of trace and data focused aspects
◮ Front-ends mapping diverse aspects of the specification to tool/method-oriented formats
◮ Delegate tasks to tools
◮ Delegate tasks to static or dynamic analysis
◮ Integration of analysis results
Related Issues
◮ We may offer well defined extension mechanisms for our favourite specification language
◮ Take semantics seriously
Example of Integrated Language: ppDATE
[automaton fragment with states q and q′; transition: add(o)↓ | contains(o) ↦ duplicate!]
τ(q) = { {size < capacity} add(o) {∃i. arr[i] = o} }
◮ Hoare triples are described using JML-like notation
Trace Semantics
System:
◮ Σ↕ is the set of all entry and exit events
◮ Θ is the set of valuations of program variables
Monitor:
◮ Q is the set of automaton states
◮ V is the set of valuations of monitor variables

(q, ν) =w⇒ (q′, ν′) means: the system trace w ∈ (Σ↕ × Θ)* shifts the monitor from configuration (q, ν) ∈ Q × V to configuration (q′, ν′) ∈ Q × V
Violating Traces
A ppDATE trace w ∈ (Σ↕ × Θ)* is a counterexample if either
◮ (q0, v0) =w⇒ (q, v) and q ∈ BadStates, or
◮ w = w1 ++ (m↓id, θ1) ++ w2 ++ (m↑id, θ2) such that:
  1. (q0, v0) =w1⇒ (q, v)
  2. τ(q) ∋ {pre} m {post}
  3. θ1 ⊨ pre
  4. θ2 ⊭ post
Every extension of a counterexample is a violating trace
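The two counterexample cases above (bad state reached, or a Hoare triple from τ(q) whose precondition held at the entry event and whose postcondition fails at the matching exit event), run over the add(o) monitor from the ppDATE slide. This is an added illustration, not code from the slides or from the ppDATE/StaRVOOrS tools; the event encoding, the valuations and the traces are constructed.

```python
# Added example (not from the slides): a checker for the ppDATE counterexample definition,
# applied to the add(o) monitor with tau(q) = {size < capacity} add(o) {exists i. arr[i] = o}.
# Events are (kind, method, call_id, theta); theta is a constructed valuation of program variables.
BAD = "duplicate!"            # bad monitor state reached by the guarded transition

def step(state, kind, method, theta):
    """Monitor transition: add(o)down | contains(o) -> duplicate!; otherwise stay in place."""
    if state == "q" and kind == "entry" and method == "add" and theta["o"] in theta["arr"]:
        return BAD
    return state

# tau(q): Hoare triples attached to monitor state q, as (method, pre, post) with JML-like meaning.
TAU = {
    "q": [("add",
           lambda th: len(th["arr"]) < th["capacity"],   # {size < capacity}
           lambda th: th["o"] in th["arr"])],             # {exists i. arr[i] = o}
}

def find_counterexample(trace, start="q"):
    """Return the first violation found in trace, or None if the trace is not a counterexample."""
    state = start
    pending = {}   # call_id -> (method, post) for entry events whose pre held (theta1 |= pre)
    for kind, method, cid, theta in trace:
        if kind == "entry":
            # triples are looked up in the state reached by the prefix w1, i.e. before this event
            for m, pre, post in TAU.get(state, []):
                if m == method and pre(theta):
                    pending[cid] = (method, post)
        elif kind == "exit" and cid in pending:
            method, post = pending.pop(cid)
            if not post(theta):                          # theta2 does not satisfy post
                return ("postcondition", method, cid)
        state = step(state, kind, method, theta)
        if state == BAD:                                 # q in BadStates
            return ("bad_state", method, cid)
    return None

# Constructed traces: a normal add, an add that drops o, a duplicate add, and an add on a full store.
TRACE_OK = [("entry", "add", 1, {"arr": [1], "capacity": 3, "o": 2}),
            ("exit", "add", 1, {"arr": [1, 2], "capacity": 3, "o": 2})]
TRACE_POST = [("entry", "add", 1, {"arr": [1], "capacity": 3, "o": 2}),
              ("exit", "add", 1, {"arr": [1], "capacity": 3, "o": 2})]
TRACE_BAD = [("entry", "add", 1, {"arr": [1, 2], "capacity": 3, "o": 2})]
TRACE_FULL = [("entry", "add", 1, {"arr": [1, 2, 3], "capacity": 3, "o": 4}),
              ("exit", "add", 1, {"arr": [1, 2, 3], "capacity": 3, "o": 4})]  # pre fails: triple not applicable

if __name__ == "__main__":
    for name, t in [("ok", TRACE_OK), ("post", TRACE_POST), ("bad", TRACE_BAD), ("full", TRACE_FULL)]:
        print(name, find_counterexample(t))
```

TRACE_FULL shows that a failing postcondition alone is not a violation: the triple only applies when θ1 ⊨ pre.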
Case Study: Electronic purse application
[State diagram of the transfer protocol. States: Initial, Awaiting both, Awaiting from, Awaiting to, Parties initialised, Money deducted, Money deposited, Awaiting end, GOOD STATE, BAD STATE. Transition labels (event / guard / action):
 transfer_initialise(f,t,v,mbox) / f.name != t.name && ret == SUCCESS / pfrom = f; pto = t; pvalue = v
 start_to / pto.equals(t) && ret == SUCCESS && m.id == pto.name
 start_from / pfrom.equals(f) && ret == SUCCESS && m.id == pfrom.name
 req / pfrom.equals(f) && ret == SUCCESS && m.id == pfrom.name && m.paydetails.value == pvalue && pvalue <= pfrom.balance
 req / pfrom.equals(f) && ret == SUCCESS && m.id == pfrom.name && m.paydetails.value == pvalue && pvalue > pfrom.balance
 val / pto.equals(t) && ret == SUCCESS && m.id == pto.name && m.paydetails.value == pvalue
 ack / pfrom.equals(f) && ret == SUCCESS && m.id == pfrom.name
 end_transfer]
Case Study: Electronic purse application
Hoare triples in state Money deducted:
◮ { checkSameTransaction() == SUCCESS && transaction.value <= (ShortMaxValue - balance); }
  val_operation
  { \result == SUCCESS && (balance == \old(balance) + transaction.value); }
◮ { checkSameTransaction() == SUCCESS && transaction.value <= balance }
  req_operation
  { \result == IGNORED; }
Example of Integration of Methods: StaRVOOrS

Properties                                        | Specifications                                               | Static V.              | Runtime V.
--------------------------------------------------|--------------------------------------------------------------|------------------------|---------------------------
valid traces (+ some data)                        | temporal logics, automata, regular languages (+ extensions)  | Model Checking         | Runtime Trace Checking
valid data in specific states (+ some trace info) | first-order assertion languages (+ extensions)               | Deductive Verification | Runtime Assertion Checking