
Verifying Properties of Process Definitions



  1. Verifying Properties of Process Definitions Jamieson M. Cobleigh, Lori A. Clarke, and Leon J. Osterweil Laboratory for Advanced Software Engineering Research University of Massachusetts Amherst http://laser.cs.umass.edu/ Thanks to Aaron Cass, Sandy Wise, and Hyungwon Lee

  2. Outline • Process • Example Process • Analysis of the Process • Conclusions

  3. What is a Process? (diagram: Agents, Artifacts, Resources, Complex Task) • Examples: • Design • Configuration Management • e-commerce

  4. Example: An Auction • Need to coordinate bidders and auctioneer • These may be distributed over a network • May be human users or computer programs • Want a process definition that describes how to conduct an auction

  5. A process definition language • Graphical language • Has rigorous formal semantics specified • Supports • Concurrency • Resource Management • Exceptions • Choice steps to give human users flexibility • Pre- and post-requisites

  6. Little-JIL Step Interface (diagram): Step Name, Parameters, Resources Used, Exceptions Thrown, Pre-requisite, Post-requisite, Substep Sequencing, Exception Handling, Control Flow

  7. Sequencing Badges: Open-Cry Auction (diagram) • Sequencing badges: Sequential, Parallel, Choice, Try • Steps shown: Close Auction, Accept Bids From Bidder, Accept One Bid, Submit Bid, Update Best Bid • Pre-requisites shown: AuctionNotClosed, BidIsBetter, BidIsHigher

  8. Sequencing and Exception Badges: Open-Cry Auction (diagram) • Sequencing badges: Sequential, Parallel, Choice, Try • Exception badges: Rethrow, Continue, Complete, Restart • Steps shown: Close Auction, Accept Bids From Bidder, Accept One Bid, Submit Bid, Update Best Bid • Pre-requisites shown: AuctionNotClosed, BidIsBetter, BidIsHigher • Exceptions shown: NoMoreBidders, AuctionClosed, BidNotHigher, BidNotBetter, DeadlineExpired

  9. Modeling Processes • This process is intuitively easy to understand • However, it still has complicated control structures • These constructs can mask erroneous behavior • Even high-level process definitions need to be validated

  10. Auction Concerns • Are late bids considered? • Does the highest bidder win the auction? • Is the auction vulnerable to fraud?

  11. FLow Analysis for VERification of Systems • Can verify concurrent and sequential software • Uses an efficient state propagation algorithm • Worst case bounds: O(N²·S) • Relatively language independent: Ada, Java, C++, Jovial • Can incrementally add information to the analysis to improve precision

  12. FLAVERS Overview (diagram) • Property Specification → Property Translator → Property FSA • Software (here Little-JIL) → Software Translator → Software TFG • Human → Constraint FSAs (one or more) • Property FSA, TFG and Constraint FSAs feed State Propagation, which produces the Results

  13. FLAVERS Model • A Trace Flow Graph (TFG) • Derived from labeled Control Flow Graphs (CFG) • Labels represent events of interest • Need CFG models for Little-JIL constructs

  14. Leaf Step Model

  15. A Choice Step (diagram): a Choice step with substeps Do A, Do B, Do C; in the CFG model the Choice branches to Do A, Do B and Do C, each substep ends in Completed or Terminated (shown for A, elided for B and C), and the branches join at Choice Completed

  16. Choice Step Model

  17. Properties Checked • No Late Bids Accepted • Checked on the Open-Cry Auction • Inconclusive Results • Several process experts studied the example in detail without noticing the fault • Need to add an “AuctionNotClosed” prerequisite to “Update Best Bid”

  18. Race Condition Property • Another property involved data flow • There is a variable best that keeps track of the best bid seen so far • Can be used by multiple steps concurrently • Want to ensure there is no race condition

  19. Race Condition Can Exist • Determined a race condition can exist • Auctioneer could be considering two bids at the same time • Two updates to best occur • The final value of best depends on the order of the updates

  20. No Race Condition • Need to ensure proper access to variable best • Requires knowledge of agent behavior • Proved that if no access control, a race condition can occur • Proved that with a lock on best, no race condition can occur
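The two faults reported on slides 17 to 20, as an added example that is not part of the presentation or of the LASER tools: a small Python check that, in the spirit of FLAVERS state propagation, exhaustively explores every interleaving of a constructed event model of the Open-Cry Auction. It shows a late bid being accepted unless Update Best Bid carries the AuctionNotClosed prerequisite, and a lost update on `best` unless the update is performed under a lock. The event names, step decomposition and bid values are assumptions made for the example.

```python
"""Exhaustive interleaving check for two Open-Cry Auction properties (constructed model)."""


def interleavings(a, b):
    """Every merge of traces a and b that keeps each trace's own order."""
    if not a:
        yield tuple(b)
        return
    if not b:
        yield tuple(a)
        return
    for rest in interleavings(a[1:], b):
        yield (a[0],) + rest
    for rest in interleavings(a, b[1:]):
        yield (b[0],) + rest


def late_bid_possible(with_prerequisite):
    """Property: no 'Update Best Bid' event after 'Close Auction' (no late bids)."""
    bidder = (("check", 1), ("update", 1))   # Accept One Bid: BidIsBetter, then Update Best Bid
    auctioneer = (("close", 0),)             # Close Auction runs in parallel with the bidders
    for trace in interleavings(bidder, auctioneer):
        closed = late = False
        for event, _ in trace:
            if event == "close":
                closed = True
            elif event == "update" and closed:
                if with_prerequisite:
                    continue                 # AuctionNotClosed fails: the step terminates
                late = True                  # bid accepted after close: property violated
        if late:
            return True
    return False


def lost_update_possible(locked, bids=(10, 20)):
    """Property: the final value of best is the highest bid (no race on best)."""
    def steps(i):
        # Unlocked: the update is a read of best followed by a write. Locked: one atomic step.
        return (("atomic", i),) if locked else (("read", i), ("write", i))

    for trace in interleavings(steps(0), steps(1)):
        best, seen = 0, {}
        for op, i in trace:
            if op == "atomic":
                best = max(best, bids[i])
            elif op == "read":
                seen[i] = best               # BidIsHigher is decided on this snapshot
            elif op == "write" and bids[i] > seen[i]:
                best = bids[i]               # write based on a possibly stale read
        if best != max(bids):
            return True                      # an interleaving loses the highest bid
    return False
```

Both functions return True when some interleaving violates the property and False when none does, which mirrors the inconclusive-then-proved outcomes the slides describe.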

  21. Analysis Results • The Little-JIL program had 8 steps

  22. Conclusions • Process models have strengths and weaknesses • Leads to intuitive understanding • Can mislead people into believing they understand the process • Our example illustrates how important it is to validate processes • FLAVERS successfully analyzed the Little-JIL process • There is a tension between expressiveness and analyzability • Humans require flexibility, leading to more complex analysis
