Lecture 14: Architecture and Design Patterns 2015-07-02 Prof. Dr. - PDF document

Softwaretechnik / Software-Engineering Lecture 14: Architecture and Design Patterns 2015-07-02 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal – 14 – 2015-07-02 – main – Albert-Ludwigs-Universit¨ at Freiburg, Germany Contents of the Block “Design” (i) Introduction and Vocabulary L 1: 20.4., Mo Introduction T 1: 23.4., Do (ii) Principles of Design L 2: 27.4., Mo Development L 3: 30.4., Do a) modularity Process, Metrics L 4: 4.5., Mo b) separation of concerns T 2: 7.5., Do c) information hiding and data encapsulation L 5: 11.5., Mo d) abstract data types, object orientation - 14.5., Do L 6: 18.5., Mo Requirements (iii) Software Modelling L 7: 21.5., Do Engineering - 25.5., Mo a) views and viewpoints, the 4+1 view - 28.5., Do T 3: 1.6., Mo b) model-driven/based software engineering - 4.6., Do c) Unified Modelling Language (UML) L 8: 8.6., Mo d) modelling structure L 9: 11.6., Do L 10: 15.6., Mo 1. (simplified) class diagrams T 4: 18.6., Do 2. (simplified) object diagrams L 11: 22.6., Mo 3. (simplified) object constraint logic (OCL) Architecture & L 12: 25.6., Do – 14 – 2015-07-02 – Scontents – Design, Software L 13: 29.6., Mo e) modelling behaviour L 14: 2.7., Do Modelling 1. communicating finite automata T 5: 6.7., Mo 2. Uppaal query language L 15: 9.7., Do Quality Assurance 3. basic state-machines L 16: 13.7., Mo L 17: 16.7., Do 4. an outlook on hierarchical state-machines Invited Talks T 6: 20.7., Mo (iv) Design Patterns Wrap-Up L 18: 23.7., Do 2 /51

Contents & Goals Last Lecture: • Networks of CFA, Tool Demo (recording will be reconstructed), Implementable CFA This Lecture: • Educational Objectives: Capabilities for following tasks/questions. • What is the relation between greedy and standard semantics? • What is an Uppaal Query for, e.g., “location ℓ is reachable”? • What’s the difference between CFA and UML State-Machines? • Can each network of UML State-Machines be encoded in CFA? • Explain an example of an architecture (design) pattern. • What is “software entropy”? – 14 – 2015-07-02 – Sprelim – • Content: • Implementable CFA Cont’d • Uppaal Query Language • UML State-Machines • Architecture and Design Patterns (with examples) 3 /51 Implementing CFA Cont’d – 14 – 2015-07-02 – main – 4 /51

Recall: Implementable CFA • Let each automaton in the network C ( A 1 , . . . , A n ) be marked as either environment or controller . We call C implementable if and only if, for each controller A in C , (i) A is deterministic, (ii) A reads/writes only its local variables, may also read variables written by environment automata, but only in modification vectors of edges with input synchronisation, (iii) A is locally deadlock-free , i.e. enabled edges with output-actions are not blocked forever. • The communicating finite automaton A = ( L, B, V, E, ℓ ini ) is called deterministic if and only if • for each location ℓ , • either all edges with ℓ as source location have pairwise different input actions , • or there is no edge with an input action starting at ℓ , and all edges starting at ℓ have pairwise (logically) disjoint guards. – 14 – 2015-07-02 – Simplcont – • Note : implementable (i) and (ii) can be checked syntactically. Property (iii) is a property of the whole network. Can be checked with Uppaal: → ( A .ℓ ′ ) ( A .ℓ ∧ ϕ ) − for each edge ( ℓ, α, ϕ,� r, ℓ ′ ) of A . 5 /51 Recall: Greedy CFA Semantics • Greedy semantics: • each input synchronisation transition (plus: system start) of automaton A is followed by a maximal sequence of internal transitions or output transitions of A . • Maximal : cannot be extended by an internal transition. There may still be interleaving of the internal transitions, but (by forbidding shared variables for controllers) cannot be observed outside of an automaton. Example : A 1 : E? F! G? E : v := v_env n := n + 1 v_env < 10 A 2 , 2 : v_env := v_env + 1 A 2 , 1 : E! G! F! F? G! v_env > -10 v_env := v_env - 1 – 14 – 2015-07-02 – Simplcont – • A 1 is implementable in C ( A 1 , A 2 , 1 , E ) (environment: only E ) • deterministic: ✔ , • only local variables, environment variables with input: ✔ , • locally deadlock-free: ✔ . • A 1 is not implementable in C ( A 1 , A 2 , 2 , E ) . 6 /51

water_selected Recall: Implementing CFA WATER? water_enabled DWATER! idle soft_selected request_sent SOFT? DSOFT! soft_enabled DTEA! TEA? DOK? tea_enabled tea_selected OK! water_enabled := false, soft_enabled := false, half_idle tea_enabled := false st : { idle, wsel, ssel, tsel, reqs, half } ; take event( E : { TAU, WATER, SOFT, TEA, ... } ) { bool stable = 1; switch (st) { case idle : switch (E) { case WATER : if (water enabled) { st := wsel; stable := 0; } ;; – 14 – 2015-07-02 – Simplcont – case SOFT : ... } case wsel: switch (E) { case TAU : send DWATER(); st := reqs; ;; } } 7 /51 Model vs. Implementation • Now an implementable model C ( A 1 , . . . , A n ) has two semantics : • � C � std — standard semantics. • � C � grd — greedy semantics. • Are they related in any way? They are: � C � std ⊇ � C � grd . ( ∗ ) Exercise : prove ( ∗ ) . • What effect does this insight have on Uppaal verification results? • If there is an error in � C � std , will it be in a correct implementation (of � C � grd )? Not necessarily. • If there is no error in � C � std , will a correct implementation (of � C � grd ) be error-free? Yes, definitely. – 14 – 2015-07-02 – Simplcont – Uppaal verification shows no error reports error false negative true positive impl. has error yes true negative false positive no 8 /51

Uppaal Query Language (Larsen et al., 1997; Behrmann et al., 2004) – 14 – 2015-07-02 – main – 9 /51 The Uppaal Query Language Consider N = C ( A 1 , . . . , A n ) over data variables V . • basic formula : atom ::= A i .ℓ | ϕ | deadlock where ℓ ∈ L i is a location and ϕ an expression over V . • configuration formulae : term ::= atom | not term | term 1 and term 2 • existential path formulae : (“ exists finally ”, “ exists globally ”) e - formula ::= ∃ ♦ term | ∃ � term • universal path formulae : (“ always finally ”, “ always globally ”, “ leads to ”) a - formula ::= ∀ ♦ term | ∀ � term | term 1 --> term 2 – 14 – 2015-07-02 – Suppaal – • formulae (or queries ): F ::= e - formula | a - formula 10 /51

Satisfaction of Uppaal Queries by Configurations • The satisfaction relation � � ℓ, ν � | = F between configurations � � ℓ, ν � = � ( ℓ 1 , . . . , ℓ n ) , ν � of a network C ( A 1 , . . . , A n ) and formulae F of the Uppaal logic is defined inductively as follows: • � � ℓ, ν � | = deadlock iff ℓ 0 ,i is a dedlock configuration • � � ℓ, ν � | = A i .ℓ iff ℓ 0 ,i = ℓ • � � ℓ, ν � | = ϕ iff ν | = ϕ – 14 – 2015-07-02 – Suppaal – • � � iff � � ℓ, ν � | = not term ℓ, ν � �| = term • � � iff � � ℓ, ν � | ℓ, ν � | = term 1 and term 2 = term i , i = 1 , 2 11 /51 Satisfaction of Uppaal Queries by Configurations Exists finally : • � � ∃ path ξ of C starting in � � ℓ 0 , ν 0 � | = ∃ ♦ term ℓ 0 , ν 0 � iff ∃ i ∈ N 0 • ξ i | = term “some configuration satisfying term is reachable” Example : ∃ ♦ ϕ � � ℓ 0 , ν 0 � ¬ ϕ λ 1 λ 2 ¬ ϕ ¬ ϕ – 14 – 2015-07-02 – Suppaal – λ 2 , 1 λ 2 , 2 λ 1 , 1 � � ℓ, ν � ¬ ϕ ¬ ϕ ϕ . . . . λ 2 , 2 , 1 λ 2 , 2 , 2 . . ¬ ϕ ¬ ϕ . . . . . . 12 /51

Satisfaction of Uppaal Queries by Configurations Exists globally : • � � ∃ path ξ of C starting in � � ℓ 0 , ν 0 � | = ∃ � term ℓ 0 , ν 0 � iff ∀ i ∈ N 0 • ξ i | = term “all configurations of some computation path satisfy term ” Example : ∃ � ϕ � � ℓ 0 , ν 0 � ϕ λ 1 λ 2 ¬ ϕ ϕ – 14 – 2015-07-02 – Suppaal – λ 2 , 1 λ 2 , 2 λ 1 , 1 � � ℓ, ν � ¬ ϕ ¬ ϕ ϕ . . . . λ 2 , 2 , 1 λ 2 , 2 , 2 . . ¬ ϕ ϕ . . . . . . . . . 13 /51 Satisfaction of Uppaal Queries by Configurations • Always globally : • � � iff � � ℓ 0 , ν 0 � | = ∀ � term ℓ 0 , ν 0 � �| = ∃ ♦ ¬ term • Always finally : • � � iff � � ℓ 0 , ν 0 � | = ∀ ♦ term ℓ 0 , ν 0 � �| = ∃ � ¬ term – 14 – 2015-07-02 – Suppaal – 14 /51

Satisfaction of Uppaal Queries by Configurations Leads to : • � � ∀ path ξ of N starting in � � ℓ 0 , ν 0 � | = term 1 − → term 2 ℓ 0 , ν 0 � iff ∀ i ∈ N 0 • ξ i | ⇒ ξ i | = ∀ ♦ term 2 = term 1 = “on all paths, from each configuration satisfying term 1 , a configuration satifying term 2 is reachable” ( response pattern ) Example : ϕ 1 − → ϕ 2 � � ℓ 0 , ν 0 � ϕ 1 , ¬ ϕ 2 λ 1 λ 2 ¬ ϕ 2 ¬ ϕ 2 – 14 – 2015-07-02 – Suppaal – λ 2 , 1 λ 2 , 2 λ 1 , 1 ¬ ϕ 2 ϕ 1 , ¬ ϕ 2 ϕ 2 . . λ 2 , 2 , 1 λ 2 , 2 , 2 . λ 1 , 1 , 1 ϕ 2 ϕ 2 ϕ 2 . . . . . . . . . 15 /51 CFA Model-Checking • Network satisfies query : • C | = F if and only if C ini | = F . Definition. The model-checking problem for a network C of commu- nicating finite automata and a query F is to decide whether ( C , F ) ∈ | = . – 14 – 2015-07-02 – Suppaal – Proposition. The model-checking problem for communicating finite au- tomata is decidable. 16 /51