

SLIDE 1

Trace Focussed and Data Focussed Specification: Complementary, Competing, Combined?

Wolfgang Ahrendt

Chalmers University of Technology, Gothenburg, Sweden

A Shared Challenge in Behavioural Specification Dagstuhl Nov. 2017

Dagstuhl Nov. 2017 Trace Focussed and Data Focussed Specification 1

SLIDE 2

5 Years ago ...

◮ ... I participated in the Dagstuhl seminar ‘Divide and Conquer: the Quest for Compositional Design and Analysis’

◮ In effect, it was (more or less):

‘Model Checking meets Deductive Verification’

◮ Was nice, but: we did not come any closer on properties of interest (not to speak of formalisms)

SLIDE 3

Trace Focus vs. Data Focus

(the following is deliberately simplified)

              Static V.               Runtime V.                  Properties                     Specifications
Trace focus   Model Checking          Runtime Trace Checking      valid traces                   temporal logics, automata, regular languages
                                                                  (+ some data)                  (+ extensions)
Data focus    Deductive Verification  Runtime Assertion Checking  valid data in specific states  first-order assertion languages
                                                                  (+ some trace info)            (+ extensions)

SLIDE 4

Observations

◮ Property languages are technology driven

◮ Properties are technology driven

◮ To analyse one system with different methods, we end up specifying in different formalisms, specifying disconnected views

◮ Example: TwoFormalisms.pdf

SLIDE 5

Example of Trace Focused Formalism: DATE

[Figure: DATE automaton counting connection drops; only the labels are recoverable from the extraction]
  states: start; bad state reached through the action unreliable!
  from start: connDrop↓ | c < 5 → c++
  from start: connDrop↓ | c == 5 → unreliable!

[Figure: DATE automaton instantiated foreach transfer; recoverable labels only]
  states: start, bad
  transition labels: start↓(transfer), unreliable?, receive↓, end↓(transfer), receive↓
  (unreliable? is the receiving side of the synchronising event unreliable! emitted by the automaton above; the edge structure itself is not recoverable from the extraction)

In general:

◮ communicating automata, event-triggered transitions, timers

◮ events: method entry/exit, timer events, synchronising events

SLIDE 6

Example of Data Focused Formalism: JML

    int[] arr;

    /*@ public normal_behavior
      @ requires arr != null && arr.length > 0;   // arr[0] is read unconditionally below
      @ ensures (\forall int j; j >= 0 && j < arr.length;
      @             arr[j] <= \result);
      @ ensures arr.length > 0 ==>
      @         (\exists int j; j >= 0 && j < arr.length;
      @             arr[j] == \result);
      @*/
    public int max() {
        int hwm = arr[0];                          // high-water mark so far
        for (int i = 1; i < arr.length; ++i) {
            if ( arr[i] > hwm ) hwm = arr[i];
        }
        return hwm;
    }

SLIDE 7

Community Effort?

Are the following points desirable? Are we in the position to move there?

◮ Integrated/coordinated specification of trace and data focused aspects

◮ Front-ends mapping diverse aspects of the specification to tool/method-oriented formats

◮ Delegate tasks to tools

◮ Delegate tasks to static or dynamic analysis

◮ Integration of analysis results

SLIDE 8

Related Issues

◮ We may offer well defined extension mechanisms for our favourite specification language

◮ Take semantics seriously

SLIDE 9

Example of Integrated Language: ppDATE

[Figure: ppDATE automaton, labels recovered from the slide: states q and q′; transition on event add(o)↓ with condition contains(o) and action duplicate!]

$\tau(q) = \{\ \{\mathit{size} < \mathit{capacity}\}\ \mathit{add}(o)\ \{\exists i.\ \mathit{arr}[i] = o\}\ \}$

◮ Hoare triples are described using JML-like notation

SLIDE 10

Trace Semantics

System:

◮ $\Sigma$ is the set of all entry and exit events

◮ $\Theta$ is the set of valuations of program variables

Monitor:

◮ $Q$ is the set of automaton states

◮ $V$ is the set of valuations of monitor variables

$(q, \nu) \xRightarrow{w} (q', \nu')$: the system trace $w \in (\Sigma \times \Theta)^*$ shifts the monitor from configuration $(q, \nu) \in Q \times V$ to configuration $(q', \nu') \in Q \times V$

SLIDE 11

Violating Traces

A ppDATE trace $w \in (\Sigma \times \Theta)^*$ is a counter example if either

◮ $(q_0, \nu_0) \xRightarrow{w} (q, \nu)$ and $q \in \mathit{BadStates}$, or

◮ $w = w_1 \mathbin{+\!\!+} (m\!\downarrow_{id}, \theta_1) \mathbin{+\!\!+} w_2 \mathbin{+\!\!+} (m\!\uparrow_{id}, \theta_2)$ such that:

  1. $(q_0, \nu_0) \xRightarrow{w_1} (q, \nu)$
  2. $\tau(q) \ni \{\mathit{pre}\}\ m\ \{\mathit{post}\}$
  3. $\theta_1 \models \mathit{pre}$
  4. $\theta_2 \not\models \mathit{post}$

(the index $id$ pairs the exit event $m\!\uparrow$ with the entry event $m\!\downarrow$ of the same call)

Every extension of a counter example is a violating trace
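The two disjuncts above can be run as a monitor. The following is an added example, not the slides' own code and not the StaRVOOrS or LARVA tools: it encodes the slide-9 ppDATE (state q with τ(q) = { {size < capacity} add(o) {∃ i. arr[i] = o} } and the transition add(o)↓ | contains(o)) and applies the slide-11 definition to traces over (Σ × Θ)*. Treating the target of the duplicate transition as a bad state, the names Event, Transition, HoareTriple, PpDate, check and verdict, and the sample traces (arr[:size] being the live part of the backing array) are all assumptions made for the illustration.

```python
"""ppDATE-style monitor illustrating the slide-11 violating-trace definition.

Added example; not the StaRVOOrS/LARVA implementation. Each trace element pairs a
method entry/exit event (Sigma) with a snapshot of program variables (Theta).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Valuation = Dict[str, object]                      # theta: program variables at an event


@dataclass(frozen=True)
class Event:
    method: str                                    # m
    kind: str                                      # "entry" (m↓) or "exit" (m↑)
    call_id: int                                   # id pairing an exit with its entry
    args: Tuple[Tuple[str, object], ...] = ()      # method arguments, e.g. (("o", 7),)

    def arg(self, name: str) -> object:
        return dict(self.args)[name]


@dataclass
class Transition:
    src: str
    method: str
    kind: str
    guard: Callable[[Event, Valuation, Valuation], bool]    # (event, theta, nu)
    dst: str
    action: Callable[[Event, Valuation, Valuation], None] = lambda ev, th, nu: None


@dataclass
class HoareTriple:
    method: str
    pre: Callable[[Event, Valuation], bool]                  # theta_1 |= pre
    post: Callable[[Event, Valuation, Valuation], bool]      # theta_2 |= post; theta_1 passed for \old


@dataclass
class PpDate:
    initial: str
    bad_states: Set[str]
    transitions: List[Transition]
    tau: Dict[str, List[HoareTriple]]              # tau(q): obligations for calls entered in state q


def check(spec: PpDate, trace: List[Tuple[Event, Valuation]]) -> Optional[str]:
    """Return None if no prefix of the trace is a counterexample, else the reason."""
    q, nu = spec.initial, {}                       # configuration (q, nu); nu = monitor variables
    pending: Dict[int, Tuple[HoareTriple, Valuation]] = {}   # open obligations by call id
    for ev, theta in trace:
        if ev.kind == "entry":
            # conditions 1-3: a triple of tau(q), q reached by the prefix, pre holds at entry
            for t in spec.tau.get(q, []):
                if t.method == ev.method and t.pre(ev, theta):
                    pending[ev.call_id] = (t, theta)
        elif ev.kind == "exit" and ev.call_id in pending:
            t, theta_entry = pending.pop(ev.call_id)
            if not t.post(ev, theta, theta_entry):  # condition 4: theta_2 does not satisfy post
                return f"postcondition of {t.method} violated at call {ev.call_id}"
        # automaton step on (ev, theta): the first enabled transition fires
        for tr in spec.transitions:
            if (tr.src, tr.method, tr.kind) == (q, ev.method, ev.kind) and tr.guard(ev, theta, nu):
                tr.action(ev, theta, nu)
                q = tr.dst
                break
        if q in spec.bad_states:                   # first disjunct of the definition
            return f"bad state {q} reached at call {ev.call_id}"
    return None


def slide9_spec() -> PpDate:
    """The slide-9 ppDATE; making the duplicate transition end in a bad state is an assumption."""
    def contains(ev, theta, nu):
        return ev.arg("o") in theta["arr"][: theta["size"]]
    triple = HoareTriple(
        "add",
        pre=lambda ev, th: th["size"] < th["capacity"],
        post=lambda ev, th, th0: any(x == ev.arg("o") for x in th["arr"][: th["size"]]),
    )
    return PpDate("q", {"duplicate"}, [Transition("q", "add", "entry", contains, "duplicate")],
                  {"q": [triple]})


def add_call(call_id, o, theta_in, theta_out):
    """One add(o) call as its entry/exit pair with the program state seen at each event."""
    args = (("o", o),)
    return [(Event("add", "entry", call_id, args), theta_in),
            (Event("add", "exit", call_id, args), theta_out)]


def snap(arr, size, capacity):
    return {"arr": list(arr), "size": size, "capacity": capacity}


# Constructed sample traces (not from the slides); arr[:size] is the live part of the array.
SAMPLE_TRACES = {
    "ok": add_call(1, 7, snap([0, 0], 0, 2), snap([7, 0], 1, 2)),
    # second add of the same element: contains(o) holds, the automaton reaches the bad state
    "duplicate": add_call(1, 7, snap([0, 0], 0, 2), snap([7, 0], 1, 2))
                 + add_call(2, 7, snap([7, 0], 1, 2), snap([7, 0], 1, 2)),
    # add returns without storing o: pre held at entry, post fails at the matching exit
    "lost_element": add_call(1, 7, snap([0, 0], 0, 2), snap([0, 0], 0, 2)),
    # full collection: pre is false, so the triple imposes no obligation on this call
    "full": add_call(1, 7, snap([1, 2], 2, 2), snap([1, 2], 2, 2)),
}


def verdict(name: str) -> Optional[str]:
    return check(slide9_spec(), SAMPLE_TRACES[name])


if __name__ == "__main__":
    for name in SAMPLE_TRACES:
        print(f"{name:13s} -> {verdict(name)}")
```

Because check returns on the first violating prefix, any extension of a counter example yields the same verdict, which is the last clause of the definition; the "full" trace shows that an entry whose precondition is false creates no obligation, so a no-op add on a full collection is not a violation of this triple.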

SLIDE 12

Case Study: Electronic purse application

[Figure: ppDATE automaton for the electronic purse transfer; only the labels are recoverable from the extraction]
  States: Initial, Awaiting from, Awaiting to, Parties initialised, Awaiting both, Money deducted, Money deposited, Awaiting end, GOOD STATE, BAD STATE
  Events: transfer_initialise(f,t,v,mbox), start_from, start_to, req, val, ack, end_transfer
  Guards appearing on the edges (conjoined with &&): f.name != t.name, pfrom.equals(f), pto.equals(t), ret == SUCCESS, m.id == pfrom.name, m.id == pto.name, m.paydetails.value == pvalue, pvalue <= pfrom.balance, pvalue > pfrom.balance
  Actions: pfrom = f; pto = t; pvalue = v (on transfer_initialise)

SLIDE 13

Case Study: Electronic purse application

Hoare triples in state Money deducted:

◮ { checkSameTransaction() == SUCCESS && transaction.value <= (ShortMaxValue - balance) }
    val_operation
  { \result == SUCCESS && balance == \old(balance) + transaction.value }

◮ { checkSameTransaction() == SUCCESS && transaction.value <= balance }
    req_operation
  { \result == IGNORED }

SLIDE 14

Example of Integration of Methods: StaRVOOrS

              Static V.               Runtime V.                  Properties                     Specifications
Trace focus   Model Checking          Runtime Trace Checking      valid traces                   temporal logics, automata, regular languages
                                                                  (+ some data)                  (+ extensions)
Data focus    Deductive Verification  Runtime Assertion Checking  valid data in specific states  first-order assertion languages
                                                                  (+ some trace info)            (+ extensions)
