Verifying Properties of Process Definitions
Jamieson M. Cobleigh, Lori A. Clarke, and Leon J. Osterweil
Laboratory for Advanced Software Engineering Research
University of Massachusetts Amherst
http://laser.cs.umass.edu/
Thanks to Aaron Cass, Sandy Wise, and Hyungwon Lee
Outline
• Process
• Example Process
• Analysis of the Process
• Conclusions
What is a Process?
• A complex task involving resources, artifacts, and agents
• Examples: design, configuration management, e-commerce
Example: An Auction
• Need to coordinate bidders and auctioneer
• These may be distributed over a network
• May be human users or computer programs
• Want a process definition that describes how to conduct an auction
Little-JIL
• A process definition language
• Graphical language
• Has rigorously specified formal semantics
• Supports concurrency, resource management, exceptions, choice steps (to give human users flexibility), and pre- and post-requisites
Little-JIL Step (diagram)
• Step name
• Interface: resources used, exceptions thrown, parameters
• Pre-requisite and post-requisite
• Exception handling control flow
• Substep sequencing
Open-Cry Auction (Little-JIL diagram)
• Steps: Open-Cry Auction, Accept Bids From Bidder, Accept One Bid, Submit Bid, Update Best Bid, Close Auction
• Pre-requisites shown: AuctionNotClosed, BidIsHigher, BidIsBetter
• Sequencing badges: Sequential, Parallel, Choice, Try
• Exception badges: Rethrow, Continue, Complete, Restart
• Exceptions shown: NoMoreBidders, AuctionClosed, BidNotHigher, BidNotBetter, DeadlineExpired
Modeling Processes
• This process is intuitively easy to understand
• However, it still has complicated control structures
• These constructs can mask erroneous behavior
• Even high-level process definitions need to be validated
Auction Concerns
• Are late bids considered?
• Does the highest bidder win the auction?
• Is the auction vulnerable to fraud?
FLAVERS: FLow Analysis for VERification of Systems
• Can verify concurrent and sequential software
• Uses an efficient state propagation algorithm
• Worst case bounds: O(N²·S)
• Relatively language independent: Ada, Java, C++, Jovial
• Can incrementally add information to the analysis to improve precision
FLAVERS Overview (diagram)
• Software → Translator → Trace Flow Graph (TFG)
• Property Specification → Property Translator → Property FSA
• Constraint FSAs (one or more)
• TFG, Property FSA, and Constraint FSAs → State Propagation → Results
• For this work: Little-JIL → Human Translator → TFG
FLAVERS Model
• A Trace Flow Graph (TFG)
• Derived from labeled Control Flow Graphs (CFGs)
• Labels represent events of interest
• Need CFG models for Little-JIL constructs
Leaf Step Model and Choice Step Model (diagrams)
• A choice step "Choice" with substeps Do A, Do B, Do C
• The CFG model branches to each alternative (Do A, Do B, Do C); after the chosen substep completes or terminates ("A Completed", "A Terminated"), control flows to "Choice Completed"
Properties Checked
• No Late Bids Accepted
• Checked on the Open-Cry Auction: inconclusive results
• Several process experts studied the example in detail without noticing the fault
• Need to add an "AuctionNotClosed" pre-requisite to "Update Best Bid"
Race Condition Property
• Another property involved data flow
• There is a variable best that keeps track of the best bid seen so far
• It can be used by multiple steps concurrently
• Want to ensure there is no race condition

Race Condition Can Exist
• Determined a race condition can exist
• Auctioneer could be considering two bids at the same time
• Two updates to best occur
• The final value of best depends on the order of the updates

No Race Condition
• Need to ensure proper access to variable best
• Requires knowledge of agent behavior
• Proved that if there is no access control, a race condition can occur
• Proved that with a lock on best, no race condition can occur
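The two faults above (a late bid accepted because "Update Best Bid" lacks an AuctionNotClosed pre-requisite, and a lost bid because two concurrent updates to best race) can both be exposed by enumerating interleavings of atomic events, which is the basic idea behind state propagation over a trace flow graph. The following is an added example, not the authors' FLAVERS or Little-JIL code: a toy explicit-state explorer over a constructed auction model. The step names, bid values, and the modelling of a lock as a single atomic read-compare-write event are assumptions made for the example.

```python
"""Toy interleaving explorer for an open-cry auction (added example).

Each process is a list of atomic events.  Every interleaving is explored
depth first; a property is a predicate over the reached state.  Returning a
trace corresponds to the slides' "inconclusive - fault" result, returning
None to a "conclusive" result.  All names and values are constructed.
"""
import copy
import json


def explore(processes, initial_state, violates):
    """Return the first event trace reaching a state where violates(state, done)
    holds, or None if no interleaving of the processes violates the property."""
    seen = set()

    def dfs(pcs, state, trace):
        done = all(pc == len(p) for pc, p in zip(pcs, processes))
        if violates(state, done):
            return trace
        key = (pcs, json.dumps(state, sort_keys=True))  # state already explored?
        if key in seen:
            return None
        seen.add(key)
        for i, proc in enumerate(processes):
            if pcs[i] == len(proc):
                continue                      # this process has finished
            name, action = proc[pcs[i]]
            next_state = copy.deepcopy(state)
            action(next_state)                # one atomic event
            next_pcs = pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:]
            found = dfs(next_pcs, next_state, trace + [name])
            if found is not None:
                return found
        return None

    return dfs(tuple(0 for _ in processes), initial_state, [])


def bidder(bid, locked, check_closed):
    """Events for one bidder's Submit Bid / Update Best Bid steps (assumed model).

    Unlocked: the update is two events (read best, then compare and write), so
    another bidder's write can land in between.  Locked: the whole
    read-compare-write is one atomic event.  check_closed models the
    AuctionNotClosed pre-requisite on Update Best Bid.
    """
    def read_best(s):
        s["local"][bid] = s["best"]           # copy that BidIsHigher will compare against

    def update_best(s):
        if check_closed and s["closed"]:
            return                            # pre-requisite fails: bid rejected
        current = s["best"] if locked else s["local"][bid]
        if bid > current:                     # BidIsHigher
            s["best"] = bid
            s["accepted"].append((bid, s["closed"]))

    if locked:
        return [(f"bidder{bid}: locked update", update_best)]
    return [(f"bidder{bid}: read best", read_best),
            (f"bidder{bid}: write best", update_best)]


def auctioneer():
    def close(s):
        s["closed"] = True
    return [("auctioneer: close auction", close)]


def initial_state():
    return {"best": 0, "closed": False, "local": {}, "accepted": []}


def highest_bid_loses(bids):
    """Violated when every step has finished and best is not the highest bid."""
    def violates(state, done):
        return done and state["best"] != max(bids)
    return violates


def late_bid_accepted(state, done):
    """Violated as soon as any bid was accepted while the auction was closed."""
    return any(was_closed for _, was_closed in state["accepted"])


def check_race(locked):
    bids = (10, 20)
    procs = [bidder(b, locked, check_closed=True) for b in bids]
    return explore(procs, initial_state(), highest_bid_loses(bids))


def check_late_bid(with_prerequisite):
    procs = [bidder(10, locked=True, check_closed=with_prerequisite), auctioneer()]
    return explore(procs, initial_state(), late_bid_accepted)


if __name__ == "__main__":
    print("race, no lock:        ", check_race(locked=False))
    print("race, with lock:      ", check_race(locked=True))
    print("late bid, no prereq:  ", check_late_bid(with_prerequisite=False))
    print("late bid, with prereq:", check_late_bid(with_prerequisite=True))
```

Without the lock the explorer returns the read-read-write-write interleaving in which the lower bid overwrites the higher one; with the lock, and with the AuctionNotClosed pre-requisite in the late-bid model, it returns None. As on the slides, the lock result is only as good as the modelled agent behaviour: the model assumes every bidder actually goes through the locked step.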
Analysis Results

Property                        TFG Nodes   TFG Edges   Result                 Time (s)
No Late Bids Accepted           216         11,837      Inconclusive - fault   6.56
No Late Bids Accepted           316         30,881      Conclusive             41.10
Possible Race Condition         327         35,788      Inconclusive - fault   143.25
No Race Condition (no lock)     189         7,710       Inconclusive - fault   15.07
No Race Condition (with lock)   269         20,910      Conclusive             17.52

The Little-JIL program had 8 steps.
Conclusions
• Process models have strengths and weaknesses
• They lead to intuitive understanding
• They can mislead people into believing they understand the process
• Our example illustrates how important it is to validate processes
• FLAVERS successfully analyzed the Little-JIL process
• There is a tension between expressiveness and analyzability
• Humans require flexibility, leading to more complex analysis