
Lecture 11: Safe Realisability, Joost-Pieter Katoen, Lehrstuhl für Informatik 2 - PowerPoint PPT Presentation



  1. Theoretical Foundations of the UML. Lecture 11: Safe Realisability. Joost-Pieter Katoen, Lehrstuhl für Informatik 2, Software Modeling and Verification Group, moves.rwth-aachen.de/teaching/ss-20/fuml/, May 25, 2020. Joost-Pieter Katoen Theoretical Foundations of the UML 1/18

  2. Outline. 1 Safe realisability. 2 Closure and inference revisited. 3 Characterisation and complexity of safe realisability (a sufficient and necessary condition).

  3. Overview. 1 Safe realisability. 2 Closure and inference revisited. 3 Characterisation and complexity of safe realisability.

  4. From requirements to implementation. Realisability problem. Input: a set of MSCs. Output: a CFM A such that L(A) equals the set of input MSCs. Questions: 1 Is this possible? (That is, is this decidable?) 2 If so, how complex is it to obtain such a CFM? 3 If so, how do such algorithms work?

  5. Problem variants (1). Realisability problem. Input: a set of MSCs. Output: a CFM A such that L(A) equals the set of input MSCs. Different forms of requirements (inputs): Consider finite sets of MSCs, given as an enumerated set. Consider MSGs, that may describe an infinite set of MSCs. Consider MSCs whose set of linearisations is a regular word language. Consider MSGs that are non-local choice.

  6. Problem variants (2). Realisability problem. Input: a set of MSCs. Output: a CFM A such that L(A) equals the set of input MSCs. Different system models (outputs): Consider CFMs without synchronisation messages. Allow CFMs that may deadlock: possibly, a realisation deadlocks. Forbid CFMs that deadlock: no realisation will ever deadlock. Consider CFMs that are deterministic. Consider CFMs that are bounded.


  7. Today's lecture. Today's setting: Realisation of a finite set of MSCs by a deadlock-free weak CFM (weak: no data, no synchronisation messages, simpler acceptance condition). Equivalently: realisation of a finite set of well-formed words (= language) by a deadlock-free weak CFM. This is known as safe realisability. This is the setting of the previous lecture, but now focusing on deadlock-free CFMs. Results: 1 Conditions for realisability of a finite set of MSCs by a deadlock-free weak CFM. 2 Checking safe realisability by deadlock-free CFMs is in P. (Realisability for weak CFMs that may deadlock is co-NP complete.)

  13. Safe realisability. Possibly a set of MSCs is realisable only by a CFM that may deadlock. msc M1: p sends a to q and q sends a to p. msc M2: p sends b to q and q sends b to p. Processes p and q have to agree on either a or b. Realisation of {M1, M2} by a weak CFM (realisable, but not safely realisable): process p either performs !(p,q,a) and then ?(q,p,a), or !(p,q,b) and then ?(q,p,b); process q either performs !(q,p,a) and then ?(p,q,a), or !(q,p,b) and then ?(p,q,b). Deadlock occurs when, e.g., p sends a and q sends b: p then waits for a while the channel from q holds b, and q waits for b while the channel from p holds a.

  14. Safe realisability. Definition (Safe realisability): 1 MSC M is safely realisable whenever {M} = L(A) for some deadlock-free CFM A. 2 A finite set {M1, ..., Mn} of MSCs is safely realisable whenever {M1, ..., Mn} = L(A) for some deadlock-free CFM A. 3 MSG G is safely realisable whenever L(G) = L(A) for some deadlock-free CFM A. Phrased using linearisations: $L \subseteq Act^*$ is safely realisable if $L = Lin(A)$ for some deadlock-free CFM A. Note: Safe realisability implies realisability, but the converse does not hold.

  15. Overview. 1 Safe realisability. 2 Closure and inference revisited. 3 Characterisation and complexity of safe realisability.


  17. Weak closure. Definition (Inference relation and closure): For well-formed $L \subseteq Act^*$ and well-formed word $w \in Act^*$, let $L \models w$ iff $\forall p \in P.\ \exists v \in L.\ w \upharpoonright p = v \upharpoonright p$. Language L is closed under $\models$ whenever for every $w \in Act^*$ it holds: $L \models w$ implies $w \in L$. Definition (Weak closure): Language L is weakly closed under $\models$ whenever for every well-formed prefix w of some word in L, it holds: $L \models w$ implies $w \in L$. Weak closure thus restricts closure under $\models$ to well-formed prefixes of words in L only. So far, closure was required for all $w \in Act^*$.


  21. Deadlock-free closure. For language L, let $pref(L) = \{ w \mid \exists u.\ w \cdot u \in L \}$ be the set of prefixes of L. Definition ((Deadlock-free) inference relation): For well-formed $L \subseteq Act^*$ and proper word $w \in Act^*$, i.e., w is a prefix of a well-formed word (a partial MSC), let $L \models_{df} w$ iff $\forall p \in P.\ \exists v \in pref(L).\ w \upharpoonright p$ is a prefix of $v \upharpoonright p$. Definition (Closure under $\models_{df}$): Language L is closed under $\models_{df}$ whenever $L \models_{df} w$ implies $w \in pref(L)$. Intuition: the closure condition asserts that the set of partial MSCs (i.e., prefixes of L) can be constructed from the projections of the MSCs in L onto individual processes.

  22. Example. msc M1: p and q exchange a; msc M2: p and q exchange b (realisable, but not safely realisable). Example: $L = Lin(\{M_1, M_2\})$ is not closed under $\models_{df}$. Let $w = \,!(p,q,a)\ !(q,p,b) \notin pref(L)$. But $L \models_{df} w$, since w is a proper word (a prefix of a well-formed word), and for process p there exists $u \in L$ with $w \upharpoonright p = \,!(p,q,a) \in pref(\{u \upharpoonright p\})$, and for process q there exists $v \in L$ with $w \upharpoonright q = \,!(q,p,b) \in pref(\{v \upharpoonright q\})$. Note that L is closed under $\models$. So this shows that closure under $\models$ does not imply closure under $\models_{df}$.
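The following is an added example, not code from the slides or from the lecture's material: a small Python model of the notions used on slides 13 and 17 to 22. It enumerates the linearisations of the two MSCs M1 and M2 (constructed inline: p and q each send a, respectively b, to the other and then receive), implements the relations $\models$ and $\models_{df}$ on words over the action alphabet, decides closure under each by assembling candidate words from (prefixes of) projections, and finally explores the weak CFM whose local automaton for each process accepts exactly that process's projections of L, which is assumed to be the realisation drawn on slide 13. The encoding of actions as tuples, the function names and the representation of channels are choices of this example, not the lecture's notation.

```python
"""Added example (not from the slides): the MSCs M1, M2 of slide 13, their
linearisations, the relations |= and |=_df of slides 17-21 with closure checks,
and a deadlock search in the weak CFM built from the process projections.
Actions follow the slides: ('!', p, q, m) = p sends m to q,
('?', p, q, m) = q receives m sent by p."""
from itertools import product

P = ("p", "q")                                    # processes
CH = [(s, r) for s in P for r in P if s != r]     # FIFO channels

def proc(a):                                      # who executes a: sender or receiver
    return a[1] if a[0] == "!" else a[2]

def proj(w, p):                                   # w restricted to process p
    return tuple(a for a in w if proc(a) == p)

def proper(w):
    """Prefix of a well-formed word: each receive takes the oldest pending
    message of its channel, and that message has the expected content."""
    chan = {c: [] for c in CH}
    for kind, s, r, m in w:
        if kind == "!":
            chan[(s, r)].append(m)
        elif not chan[(s, r)] or chan[(s, r)].pop(0) != m:
            return False
    return True

def well_formed(w):                               # proper, and nothing left in flight
    return proper(w) and sum(a[0] == "!" for a in w) == sum(a[0] == "?" for a in w)

def interleavings(seqs):
    """All merges of the sequences that keep each sequence's own order."""
    if not any(seqs):
        yield ()
        return
    for i, s in enumerate(seqs):
        if s:
            for tail in interleavings(seqs[:i] + (s[1:],) + seqs[i + 1:]):
                yield (s[0],) + tail

def lin(msc):
    """Linearisations: interleavings of the process lines in which every
    receive follows its matching send."""
    return {w for w in interleavings(tuple(msc[p] for p in P)) if proper(w)}

def prefixes(L):
    return {w[:i] for w in L for i in range(len(w) + 1)}

def infers(L, w):                                 # L |= w
    return all(any(proj(w, p) == proj(v, p) for v in L) for p in P)

def infers_df(L, w):                              # L |=_df w
    PL = prefixes(L)
    return all(any(proj(v, p)[:len(proj(w, p))] == proj(w, p) for v in PL) for p in P)

def closed(L):
    """Closure under |=: every well-formed word assembled from projections of
    words in L must itself lie in L.  Returns (True, None) or (False, witness)."""
    projs = [{proj(v, p) for v in L} for p in P]
    for choice in product(*projs):
        for w in interleavings(choice):           # L |= w holds by construction
            if well_formed(w) and w not in L:
                return False, w
    return True, None

def df_closed(L):
    """Closure under |=_df: every proper word assembled from prefixes of
    projections must lie in pref(L)."""
    PL = prefixes(L)
    projs = [prefixes({proj(v, p) for v in L}) for p in P]
    for choice in product(*projs):
        for w in interleavings(choice):           # L |=_df w holds by construction
            if proper(w) and w not in PL:
                return False, w
    return True, None

def deadlocks(L):
    """Reachable deadlocks of the weak CFM whose local automaton for p accepts
    exactly the projections of L onto p (assumed to be the slide-13 realisation):
    states where nothing is enabled but a process is unfinished or a channel non-empty."""
    projs = [{proj(v, p) for v in L} for p in P]
    local = [prefixes(pr) for pr in projs]        # local states = prefixes of projections
    start = (tuple(() for _ in P), tuple(() for _ in CH))
    seen, todo, found = {start}, [start], []
    while todo:
        locs, chan = todo.pop()
        succ = []
        for i in range(len(P)):
            for u in local[i]:
                if len(u) != len(locs[i]) + 1 or u[:-1] != locs[i]:
                    continue                      # not a one-step local extension
                kind, s, r, m = u[-1]
                c = CH.index((s, r))
                if kind == "!":                   # sends never block
                    nchan = chan[:c] + (chan[c] + (m,),) + chan[c + 1:]
                elif chan[c] and chan[c][0] == m: # receive only if m is at the head
                    nchan = chan[:c] + (chan[c][1:],) + chan[c + 1:]
                else:
                    continue
                succ.append((locs[:i] + (u,) + locs[i + 1:], nchan))
        accepting = all(locs[i] in projs[i] for i in range(len(P))) and not any(chan)
        if not succ and not accepting:
            found.append((locs, chan))
        todo += [st for st in succ if st not in seen]
        seen.update(succ)
    return found

def msc(m):
    """Constructed MSC: p and q each send m to the other, then receive."""
    return {"p": (("!", "p", "q", m), ("?", "q", "p", m)),
            "q": (("!", "q", "p", m), ("?", "p", "q", m))}

L = lin(msc("a")) | lin(msc("b"))                 # Lin({M1, M2}): 8 words
```

Running `closed(L)` confirms the slide's remark that L is closed under $\models$, while `df_closed(L)` returns a witness such as the slide's word !(p,q,a) !(q,p,b): proper, inferred by $\models_{df}$, but not a prefix of any word in L. `deadlocks(L)` reports exactly the two global states in which the processes chose different messages, i.e. the deadlock of slide 13, which is why this L has a realisation but no safe one.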
