Formal Methods for Software Engineering - PowerPoint PPT Presentation

Slides: 37
Provided by: EdBri5
1
Formal Methods for Software Engineering
  • Lecture 5, Part II
  • FSP

2
Contents
  • FSP language features
  • Sequential processes
  • Indexing, parameterization & guards
  • Parallel composition & synchronization
  • Process labelling & sharing
  • Relabelling & hiding
  • Structured error detection
  • Example

3
Sequential operators
  • Inaction: STOP
    defining absence of behaviour
  • Action-prefix: (a -> B)
    after action a the process behaves like B
  • Choice: (b -> B | c -> C)
    after b the process behaves like B, after c like C

4
Example
EX = (one -> STOP | one -> two -> STOP | two -> three -> STOP).
STOP state: incoming actions only.
Process definition.
Actions are always in lowercase; processes start with uppercase.
5
Process Definitions
RECEIVER = (rec -> OUT),
OUT = (out -> ack -> WAIT),
WAIT = (rec -> OUT | ack -> WAIT).
6
Indexed Actions
range D = 0..1
BUFFER = (in[d:D] -> out[d] -> BUFFER).
We can define finite ranges as data domains.
7
Indexed Processes
range D = 1..2
range B = 0..1
BUFFER = (in[b:B][d:D] -> FULL[b][d]),
FULL[b:B][d:D] = (out[b][d] -> BUFFER).
  • Only local process definitions can be indexed.
  • Multiple indexing is possible.

8
Constants & Parameters
const N = 3
range D = 1..N
range B = 0..1
BUFFER = (in[b:B][d:D] -> FULL[b][d]),
FULL[b:B][d:D] = (out[b][d] -> BUFFER).
Constants can be seen as global specification parameters; they make it easier to produce specifications for different values of the constants.
9
Constants & Parameters
range B = 0..1
BUFFER(N=3) = (in[d:1..N] -> FULL[d]),
FULL[d:1..N] = (out[d] -> BUFFER).
||MEDIUM = (BUFFER(2) || BUFFER(2)).
  • Parameters can be defined for non-local process
    definitions only
  • They can be seen as constants local to the
    definition and must always be instantiated
  • In parallel applications of the process the
    parameters can be set to new values

10
Guards
11
Parallel Composition
BUFFER1 = (in -> out -> BUFFER1).
BUFFER2 = (get -> put -> BUFFER2).
||SYSTEM = (BUFFER1 || BUFFER2).
Parallel composition of processes with disjoint
actions produces the product transition system of
the component systems.
12
Synchronization
  • Parallel components synchronize on identical
    actions
  • Synchronization reduces the reachable states and
    transitions of the product transition system

13
Synchronization Example
MACHINE = (pay -> SELECT),
SELECT = (c -> coffee -> MACHINE | t -> tea -> MACHINE).
CONTROL = (c -> t -> CONTROL).
||ALTMACH = (CONTROL || MACHINE).
14
Formal Definition
  • Let T = (S_T, L_T, →_T, t) and U = (S_U, L_U, →_U, u) be
    labelled transition systems. Then
  • T || U = (S_T × S_U, L_T ∪ L_U, →, (t,u))
  • with → defined by
  • 1. If s1 -a→_T s1' and a ∈ L_T ∖ L_U then
    (s1,s2) -a→ (s1',s2)
  • 2. If s2 -a→_U s2' and a ∈ L_U ∖ L_T then
    (s1,s2) -a→ (s1,s2')
  • 3. If s1 -a→_T s1' and s2 -a→_U s2' then
    (s1,s2) -a→ (s1',s2')
  • → contains no other transitions than those implied by
    rules 1-3
  • The state space S_T × S_U of T || U is usually
    restricted to the (s1,s2) that can be reached from
    (t,u) via transitions in →, i.e. the reachable
    state space.

15
Alphabets
  • The alphabet αP of a process P is the set of
    actions L of the corresponding transition system
  • In principle, αP is identical to the set of
    actions in which the process P can engage.

16
Alphabet Example
MACHINE = (pay -> SELECT),
SELECT = (c -> coffee -> MACHINE | t -> tea -> MACHINE).
αMACHINE = {pay, c, t, coffee, tea}
CONTROL = (c -> t -> CONTROL).
αCONTROL = {c, t}
||ALTMACH = (CONTROL || MACHINE).
αALTMACH = {pay, c, t, coffee, tea}
CONTROL2 = (c -> CONTROL2).
αCONTROL2 = {c}
However, (CONTROL2 || MACHINE) has a transition
system identical to that of (CONTROL || MACHINE).
Why?
Because αCONTROL2 ∩ αMACHINE = {c}, the action t of
MACHINE is not constrained in
(CONTROL2 || MACHINE).
17
Alphabet Extension
The extension can be any finite set of actions.
  • We can extend the alphabet of CONTROL2 so that it
    constrains both the c and t actions.

Must be a non-local process definition:
CONTROL2 = (c -> CONTROL2).
CONTROL2 = (c -> CONTROL2) + {t}.
(CONTROL2 || MACHINE) is now equivalent with
SYS = (pay -> c -> coffee -> SYS).
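The following is an added example, not code from the lecture: the three composition rules of the formal definition (slide 14), written as a reachable-state product construction and run on MACHINE and CONTROL2 from the alphabet slides, with and without the extension + {t}. The state names ("M", "S", "CO", "TE", "C2") are my own encoding of the FSP definitions.

```python
from collections import deque

# Added example: an LTS is (states, alphabet, transitions, start); the
# state names below are my own encoding of the FSP on slides 16-17.
MACHINE = ({"M", "S", "CO", "TE"}, {"pay", "c", "t", "coffee", "tea"},
           {("M", "pay", "S"), ("S", "c", "CO"), ("CO", "coffee", "M"),
            ("S", "t", "TE"), ("TE", "tea", "M")}, "M")
CONTROL2 = ({"C2"}, {"c"}, {("C2", "c", "C2")}, "C2")

def extend(lts, extra):
    """Alphabet extension P + {extra}: same transitions, larger alphabet."""
    S, L, R, s0 = lts
    return S, L | set(extra), R, s0

def parallel(T, U):
    """T || U following the three rules of the formal definition; only the
    part of S_T x S_U reachable from (t, u) is constructed."""
    S_T, L_T, R_T, t = T
    S_U, L_U, R_U, u = U
    trans, seen, todo = set(), {(t, u)}, deque([(t, u)])
    while todo:
        s1, s2 = todo.popleft()
        succ = []
        # rule 1: a in L_T \ L_U, T moves on its own
        succ += [(a, (n1, s2)) for x, a, n1 in R_T if x == s1 and a not in L_U]
        # rule 2: a in L_U \ L_T, U moves on its own
        succ += [(a, (s1, n2)) for y, a, n2 in R_U if y == s2 and a not in L_T]
        # rule 3: shared action, both must move together (synchronisation)
        succ += [(a, (n1, n2)) for x, a, n1 in R_T if x == s1 and a in L_U
                 for y, b, n2 in R_U if y == s2 and b == a]
        for a, nxt in succ:
            trans.add(((s1, s2), a, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen, L_T | L_U, trans, (t, u)

def enabled_actions(lts):
    """Actions that actually occur in the reachable transition system."""
    return {a for _, a, _ in lts[2]}

if __name__ == "__main__":
    plain = parallel(CONTROL2, MACHINE)
    fixed = parallel(extend(CONTROL2, {"t"}), MACHINE)
    print("CONTROL2 || MACHINE:", sorted(enabled_actions(plain)))      # t, tea still occur
    print("CONTROL2+{t} || MACHINE:", sorted(enabled_actions(fixed)))  # t is now blocked
```

With the extension, t belongs to both alphabets, so rule 3 applies to it; since CONTROL2 never offers t, the TEA branch of MACHINE becomes unreachable and only the coffee cycle survives.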
18
Process Labelling
  • Often copies of a process must be put in
    independent parallel composition
  • In such cases the alphabets of the different
    copies must be disjoint
  • This can be done by prefixing the actions of each
    copy with a new label

a:P prefixes each action name in αP with label a.
19
Labelling Examples
20
Process Sharing
Suppose we have two user processes that share a
resource:
USER = (acquire -> use -> release -> USER).
||USERS = (a:USER || b:USER).
RESOURCE = (acquire -> release -> RESOURCE).
How can we make RESOURCE communicate with both
users?
21
Process Sharing
{a1,...,an}::P replaces every transition s -b-> t in
P by s -a1.b-> t, ..., s -an.b-> t
||RESOURCE_SHARE = (USERS || {a,b}::RESOURCE).
22
Relabelling
Relabelling changes the names of the actions of a
process. The general format is
P/{newlabel1/oldlabel1, ..., newlabeln/oldlabeln}
CLIENT = (call -> wait -> continue -> CLIENT).
SERVER = (request -> service -> reply -> SERVER).
||CLIENT_SERVER = (CLIENT || SERVER)
    /{call/request, reply/wait}.
23
Hiding
Hiding relabels observable actions to the
internal action tau. Its general format is
P\{a1,...,an}. The complementary operator
P@{a1,...,an} hides all actions not in the set
{a1,...,an}.
USER = (acquire -> use -> release -> USER)\{use}.
or
USER = (acquire -> use -> release -> USER)@{acquire, release}.
24
Hiding & Synchronization
As tau does not belong to any process alphabet it
cannot be synchronized upon. Hiding an
action removes it from the alphabet, so it no
longer constrains its occurrence in the
environment.
AB = (a -> b -> AB).
BA = (b -> a -> BA).
AorB = ({a,b} -> AorB).
||S1 = (AorB || AB || BA).
||T = (AorB || AB)\{a}.
||S2 = (T || BA).
25
Modelling & Analysis Example
  • A museum has two entrances where visitors enter
    and leave.
  • The number of visitors in the museum is counted
    by increasing (decreasing) a central counter when
    a visitor enters (leaves).
  • There should never be more than MAX visitors
    inside the museum at a time.

26
Modelling a Visitor
// Visitors queue at the museum and then enter
// or wait their turn; after entering they leave
// at some future time.
VISITOR = (queue -> WAIT),
WAIT = (enter -> leave -> VISITOR | wait -> WAIT).
27
Modelling Concurrent Visitors
// We create a set of concurrent visitors by prefixing
// the generic actions with an identifying prefix v[i].
range V = 1..MAX+1
||VISITORS = (v[i:V]:VISITOR).
// Allow visitors to use both museum entrances (east, west).
||MVISITORS = ({east,west}::VISITORS).

One more than MAX, to test the admission protocol.
Wait at one entrance and enter at another??
28
Modelling a Museum Gate
ENTER = (v[i:V].queue -> WAIT[i]),
// when visitor v[i] has queued, get the counter number; when less
// than MAX admit the visitor and inc the counter, else let him wait.
WAIT[i:V] = (get[n:R] ->
    (when (n<MAX) v[i].enter -> inc -> ENTER
    |when (n==MAX) v[i].wait -> WAIT[i])).
// a visitor can always leave.
LEAVE = (v[i:V].leave -> decr -> LEAVE).
||GATE = (ENTER || LEAVE).
29
Modelling a Counter
range R = 0..MAX
COUNTER = COUNTER[0],
COUNTER[n:R] = (get[n] -> COUNTER[n]
    |when (n>0) decr -> COUNTER[n-1]
    |when (n<MAX) inc -> COUNTER[n+1]).
30
Museum Visitors
// The museum consists of two gates and a shared counter process.
||MUSEUM = (east:GATE || west:GATE || {east,west}::COUNTER).
||OPENMUSEUM = (MVISITORS || MUSEUM).
Is this system correct?
31
Analysis
We introduce a TEST process.
The LTSA safety option checks whether ERROR is
reachable in TEST in this composition.
TEST = TEST[0],
TEST[i:R] = (leave -> TEST[i-1] | enter -> TEST[i+1]).
An index of -1 (or MAX+1) indicates an ERROR state.
||CORRECT = (OPENMUSEUM || {east,west}.v[i:V]::TEST).
32
Analysis
Trace to property violation in {east.v.1,east.v.2,east.v.3,west.v.1,west.v.2,west.v.3}::TEST:
  east.v.1.queue
  west.v.2.queue
  east.get.0
  east.v.1.enter
  east.inc
  east.v.3.queue
  east.get.1
  east.v.3.enter
  west.get.1
  west.v.2.enter
Analysed in 40ms
Visitor 2 enters before the inc for visitor 3 has
occurred!
33
Solution
We make sure that between reading the COUNTER
and incrementing it by a GATE, the other GATE cannot
access it.
ENTER2 = (v[i:V].queue -> WAIT2[i]),
WAIT2[i:V] = (lock -> get[n:R] ->
    (when (n<MAX) v[i].enter -> inc -> release -> ENTER2
    |when (n==MAX) release -> v[i].wait -> WAIT2[i])).
||GATE2 = (ENTER2 || LEAVE).
34
Solution
The process LOCK is shared by the GATE
processes and thus makes sure that at most one of
them has access to the COUNTER at a time.
LOCK = (lock -> release -> LOCK).
||MUSEUM2 = (east:GATE2 || west:GATE2
    || {east,west}::COUNTER
    || {east,west}::LOCK).
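The race found on the Analysis slide and the LOCK fix, as an added example that is not the lecture's own material: an explicit-state search (the same reachability check LTSA performs) over my own encoding of the gates, counter and MAX+1 visitors, with MAX = 2. Gate and visitor states are flat tuples of my choosing; the get/enter/inc and leave/decr steps are kept separate exactly as in the GATE processes.

```python
from collections import deque

# Added example (my own encoding of the museum slides, not the lecture's
# FSP): explicit-state search with MAX = 2 and MAX+1 visitors.
MAX, VISITORS = 2, 3

def steps(state, locked):
    """Successor states of one interleaving step. With locked=True a gate
    holds LOCK from get until inc (or until wait), as in GATE2."""
    counter, inside, outside, lock, *gs = state
    for g in (0, 1):                                  # 0 = east, 1 = west
        ent, lv = gs[2 * g], gs[2 * g + 1]
        def new(counter=counter, inside=inside, outside=outside,
                lock=lock, ent=ent, lv=lv):
            gs2 = list(gs)
            gs2[2 * g], gs2[2 * g + 1] = ent, lv
            return (counter, inside, outside, lock, *gs2)
        # ENTER side of gate g
        if ent == "idle" and outside > 0:                        # v[i].queue
            yield new(outside=outside - 1, ent="queued")
        elif ent == "queued" and (not locked or lock is None):   # [lock ->] get[n]
            yield new(lock=g if locked else None, ent=("read", counter))
        elif ent[0] == "read":
            if ent[1] < MAX:                                     # when (n<MAX) v[i].enter
                yield new(inside=inside + 1, ent="inc")
            else:                                                # [release ->] v[i].wait
                yield new(lock=None, ent="queued")
        elif ent == "inc" and counter < MAX:                     # inc [-> release]
            yield new(counter=counter + 1, lock=None, ent="idle")
        # LEAVE side of gate g (never locked, in GATE and GATE2 alike)
        if lv == "idle" and inside > 0:                          # v[i].leave
            yield new(inside=inside - 1, lv="decr")
        elif lv == "decr" and counter > 0:                       # decr
            yield new(counter=counter - 1, outside=outside + 1, lv="idle")

def search(locked):
    """BFS from the initial state: return the first state with more than
    MAX visitors inside (the ERROR of the TEST property), else None."""
    start = (0, 0, VISITORS, None, "idle", "idle", "idle", "idle")
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        if s[1] > MAX:
            return s
        for nxt in steps(s, locked):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return None
```

search(locked=False) returns a state with MAX+1 visitors inside, reached the same way as the trace on the Analysis slide (both gates read the counter before either has done its inc); search(locked=True) returns None.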
35
Correctness
Analysing...
Depth 28 -- States 4564 Transitions 15864 Memory used 2683K
No deadlocks/errors
Analysed in 70ms
Fewer states & transitions!
36
Question
Why don't we need locks on leaving visitors and
COUNTER decrements? Or do we?