Self view to MBT and using self model and to-Spin model transformations
25
МОДЕЛЬ ПРОГРАММЫ В ВИДЕ МОДЕЛЬ ПРОГРАММЫ В ВИДЕ МНОГОПОТОЧНОГО МНОГОПОТОЧНОГО СТОХАСТИЧЕСКОГО АВТОМАТА И ЕЕ СТОХАСТИЧЕСКОГО АВТОМАТА И ЕЕ ЭКВИВАЛЕНТНОЕ ЭКВИВАЛЕНТНОЕ ПРЕОБРАЗОВАНИЕ В МОДЕЛЬ НА ПРЕОБРАЗОВАНИЕ В МОДЕЛЬ НА ЯЗЫКЕ PROMELA ЯЗЫКЕ PROMELA MODEL OF A PROGRAM AS MULTI- MODEL OF A PROGRAM AS MULTI- THREADED STOCHASTIC AUTOMATON THREADED STOCHASTIC AUTOMATON AND ITS EQUIVALENT AND ITS EQUIVALENT TRANSFORMATION TO PROMELA MODEL TRANSFORMATION TO PROMELA MODEL Staroletov Sergey, Altai STU Staroletov Sergey, Altai STU International Workshop on Program Understanding International Workshop on Program Understanding
Transcript
МОДЕЛЬ ПРОГРАММЫ В ВИДЕ МОДЕЛЬ ПРОГРАММЫ В ВИДЕ МНОГОПОТОЧНОГО МНОГОПОТОЧНОГО
СТОХАСТИЧЕСКОГО АВТОМАТА И ЕЕ СТОХАСТИЧЕСКОГО АВТОМАТА И ЕЕ ЭКВИВАЛЕНТНОЕЭКВИВАЛЕНТНОЕ
ПРЕОБРАЗОВАНИЕ В МОДЕЛЬ НА ПРЕОБРАЗОВАНИЕ В МОДЕЛЬ НА ЯЗЫКЕ PROMELAЯЗЫКЕ PROMELA
MODEL OF A PROGRAM AS MULTI-MODEL OF A PROGRAM AS MULTI-THREADED STOCHASTIC AUTOMATON THREADED STOCHASTIC AUTOMATON
AND ITS EQUIVALENT AND ITS EQUIVALENT TRANSFORMATION TO PROMELA MODELTRANSFORMATION TO PROMELA MODEL
Staroletov Sergey, Altai STUStaroletov Sergey, Altai STU
International Workshop on Program UnderstandingInternational Workshop on Program Understanding
Model based developing and testing Model based developing and testing
Model based developing – is amodern technology to developing softwarewhich are firstly focuses on the model developing, not on algorithmic and computationconcepts
Model based testing – technology ofsoftware testing bases on comparation the model and systemunder test during the work, generationtest cases by the model,and changingthe system to the model for studying itsproperties.
Finite automatonFinite automatonMathematical abstraction, which model discrete changing of statesfrom finite set depends of input symbol or event
* Graph Theory Techniques in Model-Based Testing. Harry Robinson
How we can describe automaton-The graph of transitions-The table of transitions-As a set of the sets and transition functions-As a set of cooperating classes(object oriented way)
Applying:-Syntax analysis-Regular expressions matching-Modeling of logic of the work ofalgorithm for imperative language
(*)
Windows Workflow foundationWindows Workflow foundationProjecting the program on the basis of assigning statesObject oriented realization of finite automaton“Switch-technology”“Automaton programming”
Example of control programterminal for payments(course work)
Extending of finite automatonExtending of finite automatonWhy to extend finite automaton?
Model is bigger and complex=> describe the system more adequate => we can study more properties of a model
● Kripke structureExtend of automaton by adding the set of atomic predicates Which are true in statesApplying: backend в ModelChecking
● Probability automaton Extend of automaton with adding transitions with probabilities Applying: modeling of users's work
● Extended automaton with support of events, messaging, threading andblocking common resourses.Author's extend for modeling component of modern interoperable systemfor low level of abstraction
Author's model featuresAuthor's model features
- Following to principles MDD and MBT- Extended finite automaton as a model of component of system, our extends includesmulti-threading, sending and receiving themessages,blocking and unblocking common resourses- The system is set of automatons, each of them modeling component of the system- Possibility to object-oriented realization of automaton to projecting program firstly based ofThe states- Designed for testing.
Предлагаемая модель в виде Предлагаемая модель в виде состояний, переходов и операцийсостояний, переходов и операций
A=( S ,Trans ,Op ) , whereS - the set of states, allocated by developer;Trans=S S×E* - mapping, it defines the transitionwith possibility of events generation;E - set of events, is defined by state to whichtransition are performed, and its probability ofoccurrence;Op={ fork , join , send , receive , block ,unblock }×E* - setof operations in extended automaton discussed belowwith possible related events.
OperationsOperationsWe staying in the state. We can
Make transition to another state
Unblock the common resource
Or apply the operation
Create the threadWait the thread
(with some probability)
Send the messageWait for a message
Block the common resourse
fork :P×SS×T
join :P×S×T parent ×S fin×T slave S×T parent
send :S×T×PS×Msg ∨E
receive : S×T×P×Msg S∨E
block :S×T×N×P×ResS×1×Res ∨E
unblock :S×1×Res×PS×N×Res ∨E
Object-oriented model on JavaObject-oriented model on Java
Why we need that model?Describe states, operations and transitions as classes. Model = interoperation of objects with given attributes
The interoperational logic already been realized in classes,The business logic implements as call of user codein states, transitions and operations and interfaces for this have beendescibed.
Features;- States with user's code- Transitions with probabilities),by guard or aswritten in user code- Applying operations in states- Self system to sending-receiving messagesAnd resource blocking- Mapping model threads to Java threads-Support of distributive work with networkthrough XML-RPC
Object-oriented model on JavaObject-oriented model on Javapublic static void main(String[] args) {
//Создать список компонентовList<Component> components=new LinkedList<Component>() ;//Создать состояния, зададим их параметры позжеState state1=new State(),state2=new State(),state3=new State(),state4=new State(),state5=new State() ;//Создать компонент Component component1=new Component() ;//Создать переход в состояние state2, без событий с вероятностью 1.0Transition transition12=new Transition(state2, null, 1.0, "transition 1->2");//Задать параметры состояния: главный поток компонента, название-state1//нет подавтомата, начальное состояние=true, конечное состояние=false//переходы из состояния- transition12, операций из состояния нет. state1.setParams(component1.getMainThread(),"state1", null, true, false, new Transition[] { transition12}, null) ;
//Задать код, выполняющийся в состоянии state1 state1.setCode(new IStateCodeExecutor() {
Thread currentThread, State currentState) {System.out.println("Зашли в состояние "+currentState.getName()) ;}},new IStateCodeExecutor() {public void execute(Component currentComponent,
Thread currentThread, State currentState) {System.out.println("Выходим из состояния "+currentState.getName()) ;}}) ;
//в state2: fork и создание потока с первоначальным состоянием state3, и //продолжением главного потока в state5
//Создать подавтомат для потока с первоначальным состоянием state3//и заключительным в state4SubAutomaton subAutomatonThread2=new SubAutomaton("thread_subautomaton", state3, new State[]{state4},null) ;//создать описание потока thread2, с подавтоматом subAutomatonThread2//и предком в виде главного потока компонента dissertation.Thread thread2=new dissertation.Thread("thread2", subAutomatonThread2,component1.getMainThread()) ;//создать операцию Fork (создание потоков) для потока thread2 c переходом //основного потока в состояние state5
после создания без событий с //вероятностью 1.0Fork operationForkState2=new Fork(new dissertation.Thread[] {thread2}, null,1.0,state5) ;//установить параметры для state2- передать туда операцию создания потокаstate2.setParams(component1.getMainThread(),"state2", null, false, false, null, new Operations[] {operationForkState2}) ;
...//Установить состояния для компонента
XML description of a modelXML description of a modelWe can describe model as XML tags
By XML description from attribute or graphical editor we cancreate graphic notation and generate object oriented automaton code on Java
Abstract state machinesAbstract state machinesASM defines by alphabet (consists of name of functions), initial state (initial
value of a function), transition rules and initial rule.
Transition rules defined as:
1. f s1... sn:=t - in the next state the value of function f on the set of arguments
s1 ... sn is assigned to t .
2. P seqQ - rule P is running after rule Q .
3. P parQ - rules P and Q is running in parallel.
4. if then P elseQ - if =true , proceed to run P , else proceed to run Q .
5. let x=t in P - assign the t value to local variable x and proceed to run P(area of existence x after running P is ended).
6. forall xwith doP - proceed to run P in parallel for all x , satisfies (area ofexistence x after running P is ended).
7. choose xwith fidoP - choose x satisfies non-determinately and proceed torun P .
8. skip - empty rule.
9. r t 1... t n - call of the rule r with parameters t 1... t n .
With using ASM theory we can prove that our object-oriented automaton Java model can model a wide set of algorithmsincluded parallel and distributive algorithms with finite number of processes.Proof: By developing interpreter for ASM machine
*Blass,A. Abstract State Machines Capture Parallel Algorithms: Correction and Extension / Andreas Blass, University of Michigan, Yuri Gurevich, Microsoft Research- http://www.math.lsa.umich.edu/~ablass/corr-final.pdf
Theorem: Every parallel algorithm is behaviorally equivalent to an ASM *
Model checking approach Model checking approach applying to our model applying to our model
Model checking is a static verifying method to check model behavior.
Popular, powerful and highly documented tool that's providingmodel checking approach is SPIN.
SPIN uses special functional language called 'Promela*' as an inputmodel language.
* Concise Promela Reference/ Rob Gerth, 1997. http://spinroot.com/spin/Man/Quick.html
Model checking approach Model checking approach applying to our model applying to our model
SPIN modes:
- Random model activity simulationResolve non-determinism as given seed value- Interactive simulationAsk user for the choice for non-determinism- Guided simulationRe-simulate previous stored simulation or contra-primer by LTL check- LTL(Linear time temporal logic) predicate checkTemporal logic is logic with time, is used toask model to check that's value of predicate with desired variables is true in all states(“globally”) or some predicateis true at least in one state than another predicate is true.Check result: proof that's all ok or return trace with contra-primer
:
Model checking approach Model checking approach applying to our model applying to our model
Research result: for our automaton stochastic model exists equivalent Promela model
XML modelPromela model
Spin verifierObject oriented model
Temporal logic predicate Verification results
Testing environment
Testing process:
Now we go dip into building Promela model from our modelwith states, transitions and operations.
Realization of finite automaton on Realization of finite automaton on Promela languagePromela language
Improving adequacy: if we have transition with probability we can generate that count of the same lines with state changing to make correct probability of transition by the probability definition
Thread creation operationThread creation operationEntities in the Promela language which are running in parallel, are called processes, but in any time any process can run another process, so in fact they are threads.
For main thread in our model we must generate its main process in Promela which will make transitions from states to another states, and its corresponded process must be marked by “active” modifier, which means that this process running at the start of modeling. Other processes must be generated by the threads bodies with logics as subautomatons.
Thread join operationThread join operationPromela has no function to waiting process until it finished. But we may use process pid and capability of message sending/receiving to make signal that process is finished.
In general case, according to operation reduction definition, while staying in some state we can expect several threads to be finished, that's why we use channel with buffer, setting up equal to number of waiting threads.
Messaging,send and receiveMessaging,send and receive
For receiving messages first of all we must create global channel and enumeration type with message identifiers
For ordinary messages synchronous channels (with 0 as the size of buffer) are used. For receiving messages with the “and” type we need buffered channel (as shown in previous example). Sending and receiving process is implemented by standard Promela operators («!» and «?»), and after that operation next state is chosen.
Blocking and unblocking resourceBlocking and unblocking resourceAssume global variable as shared resource. Due to Plomela language thisexpression (r==0)at r≠0 stopped current process until r will not be 0 as a result of anotherprocess that changed this value. BlockResource and UnblockResource arebased on that expression.
Studying model propertiesStudying model properties
Now we can verify some model properties with using static checking
1. All states in model are reachable?
- ∀ si∈S doing Sping LTL formula checking with trying to makea contra-primer for state !=si .
- if contra-primer found, si is reached and we can find the pathfrom initial state to si .
2. Is state reach from some chosen state?
- We like to test, if sx∈S reached from s y∈S
- Trying to make a contra-primer for LTL predicatestate≠s yU G state≠sx , where U - temporal operator “Until”, аndG – temporal operator “Global” (for all states)
- If contra-primer found, we can find the path from s y to sx .
Studying model propertiesStudying model properties
Connectivity point – user's made set of linked sets of statesfrom one automaton/subautomaton/thread body to anotherset of states. cp∈CP :{ sA1 , sA2 , ... sAn}↔{ sB1 , sB2 , ... sBm} .
Checking of connectivity points is verifying LTL predicate G (( stateA== sA1 || stateA== sA2 ||...|| stateA== sAn ) ->
