Laser 1-background

Development of dynamically evolving and
self-adaptive software
1. Background
LASER 2013
Isola d’Elba, September 2013

Carlo Ghezzi
Politecnico di Milano
Deep-SE Group @ DEIB

1
Tuesday, September 10, 13

Requirements
• Functional requirements refer to services that the
•

system shall provide
Non-functional requirements constrain how such
services shall be provided
Non-Functional Requirement

Quality of Service

Compliance

Architectural Constraint Development Constraint

Accuracy
Safety Security Reliability Performance Interface

Installation Distribution Cost

Deadline Variability

Cost
ConﬁdentialityIntegrity Availability Time Space

Maintainability

User
Device
Software
interaction interaction interoperability

Subclass link
Usability Convenience

van Lamsweerde, Requirements Engineering, J. Wiley & Sons 2009
2

Models
• During software development, software engineers

often build abstractions of the system in the form of
models
•  [noun]
A system or thing used as an example to
follow or imitate
•  a simplified description, esp. a
mathematical one, of a system or process,
to assist calculations or predictions
Oxford American Dictionaries

3

Why do we use models?
•

To communicate

-

-

•
•

They embody a shared lexicon

Mathematics makes reasoning formal
Through models we can predict properties of the real system
before it exists

✓E.g., state, transition
To simplify descriptions and help focus, ignoring details that
distract from the essence of the problem
To reason about the modeled system

4

What makes a good model?
•
•

A model is good if it carries the right amount of information
you need

-

A model abstracts from details

-

•
•

It is at the right level of abstraction
Make sure that they are details, not the essence
Be aware of the approximations

A model serves a purpose

-

Different models for different purposes (views)

Expert judgment always needed!!!

5

From model(s) to implementation
•
•
•
•

Model driven development tries to support a development
process that goes through correctness-preserving
transformations
Ideally, once correct models are developed, implementation is
correct by construction
Reality still far from the ideal world....
However, focus on models and veriﬁcation important to
achieve better quality products

6

Models
• Perhaps the most used (and useful) models are ﬁnitestate models given as Labelled Transition Systems of
some kind
OFF
0

1
ON

7

Labeled Transition System (Kripke Structure)
x ~p
k p
Transitions
represent execution
steps

y ~p
h ~p
h

State labels represent
predicates true in the state

z ~p

8

Definition
•

An LTS is a tuple ⟨S, I, R, AP, L⟩ where

-

S is a set of states;
I ⊆ S is the set of initial states;
R ⊆ S×S is the set of transitions;
AP is a set of atomic propositions;
L : S → 2AP is a labelling function.

A (maximal) path from a state s0 is either a finite sequence of
states that ends in a terminal state or an infinite sequence of
states

-

π = s0, s1, s2,...
such that (si, si+1) ∈ R, for all i ≥ 0.

9

An example
•
•

Two process mutual exclusion with shared semaphore
Each process has three states

-

•
•

Non-critical (N)
Trying (T)
Critical (C)

Semaphore can be available (S0) or taken (S1)
Initially both processes are in N and the semaphore is available
--- N1 N2 S0
N1
→ T1
T1 ∧ S0 → C1 ∧ S1
C1
→ N 1 ∧ S0

||

N2
→ T2
T2 ∧ S0 → C2 ∧ S1
C2
→ N 2 ∧ S0

10

Consider the following model
Does a system behaving like this LTS satisfy our expectations in
terms of mutual exclusion:
Never a state where both C1 and C2 hold can be reached
N1N2S0
T1N2S0

N1T2S0
T1T2S0

C1N2S1

C1T2S1

N1C2S1

T1C2S1

11

How can requirements be specified?
•

For example, we need to formalize statements like:

-

•

No matter where you are, there is always a way to get to the initial
state

Temporal logic to formally express properties

-

In classical logic, formulae are evaluated within a single fixed world

✓For example, a proposition such as “it is raining” must be either

true or false
✓Propositions are then combined using operators such as ∧, ¬, etc.

-

In temporal logic, evaluation takes place within a set of “worlds”,
corresponding to time instants

✓“it is raining” may be satisfied in some worlds, but not in others
The set of worlds correspond to moments in time

12

Temporal logic
•

Linear Time

-

Every moment has a
unique successor
Inﬁnite sequences (words)
Linear Time Temporal
Logic (LTL)

•

Branching Time

-

Every moment has several
successors
Inﬁnite tree
Computation Tree Logic
(CTL)

13

LTL: syntax and semantics
φ ::= true | a | φ1 ∧ φ2 | ¬φ | oφ | φ1 U φ2
oφ also written Xφ
true U φ also written Fφ and also ◊♢φ

¬F¬φ also written Gφ and also oφ
An LTL property stands for a property of a path
For a state s, a formula φ is satisﬁed if all paths exiting s satisfy
the formula
Model checking
Given an LTS and a formula, verify that initial states satisfy it

14

Mutual exclusion
Always at least one process is not in the critical section
N1N2S0
T1N2S0

N1T2S0
T1T2S0

C1N2S1

C1T2S1

(not C1

N1C2S1

T1C2S1

not C2)

15

CTL
•

State formulae:
ϕ ::= true | a | ϕ1 ∧ ϕ2 | ¬ϕ | ∃φ | ∀φ

•

Path formulae:
φ ::= o ϕ | ϕ1 U ϕ2
X (o), F (♢) and G (o) can be introduced as for LTL

∃, ∀ often also written as E, A
Mutual exclusion in CTL: ∀G(¬C1 ∨ ¬C2)
Note: CTL and LTL have incomparable expressiveness
16

Quantitative modelling
•
•
•

LTSs support qualitative modelling
Often we need to model quantitative aspects, such as the cost
of a certain action or the probability that a certain event
occurs
Here we review Markov models, an important and useful
extension of LTSs

17

Discrete-time Markov Chains
A DTMC is deﬁoned by a tuple (S, s0, P, AP, L) where

•
•
•
•
•

S is a ﬁnite set of states
s0 ∈ S is the initial state

•

The modelled process must satisfy the Markov property, i.e., the
probability distribution of future states does not depend on past
states; the process is memoryless

P: S×S→[0;1] is a stochastic matrix
AP is a set of atomic propositions
L: S→2AP is a labelling function.

18

An#example#
!A simple communication protocol operating with a channel!
start

S
D
T
L

1
1
delivered

0.9

0.1

try

lost

S
0
1
0
0

D
0
0
0.9
0

T
1
0
0
1

L
0
0
0.1
0

matrix representation

1
Note: sum of probabilities for transitions leaving a given state equals 1
C. Baier, JP Katoen, “Principles of model checking” MIT Press, 2008

19

Discrete Time Markov Reward Models
•

Like a DTMC, plus

-

•

labelling states with a state reward
labelling transitions with a transition reward (we just use state
rewards)

Rewards can be any real-valued, additive, non negative
measure; we use non-negative real functions

Usage in modelling:
rewards represent energy consumption, average execution time,
outsourcing costs, pay per use cost, CPU time

20

Reward DTMC
•

A R-DTMC is a tuple (S, s0, P, AP, L, µ), where S, s0, P, L are
deﬁned as for a DTMC, while µ is deﬁned as follows:

-

µ : S→R≥0 is a state reward function assigning a non-negative real
number to each state

✓... at step 0 the system enters the initial state s0. At step 1, the
system gains the reward µ(s0) associated with the state and
moves to a new state...

21

Which model(s) should we use?
• Different models provide different viewpoints from
which a system can be analyzed
• Focus on non-functional properties leads to models where
we can deal with uncertainty and specify quantitative
aspects
• Examples
– DTMCs for reliability
– CTMCs for performance
– Reward DTMCs for energy/cost/performance

22

Quantitative requirements specification
•
•
•
•

Specification can be qualitative (“the system shall do ...”) or
quantitative (“average response time shall be less than xxx”)
LTL, CTL temporal logic are typical examples of qualitative
specification languages
Non-functional requirements ask for quantitative specification
Quantitative specs then require quantitative verification

23

PCTL
•
•
•
•

Probabilistic extension of CTL
In a state, instead of existential and universal quantiﬁers over
paths we can predicate on the probability for the set of
paths (leaving the state) that satisfy property
In addition, path formulas also include step-bounded until
ϕ1 U≤k ϕ2

::=
::=

•

|

|

|

|

|¬

|P

An example of a reachability property
- P>0.8 [◊(system state = success)]

( )

1

absorbing state

24

R-PCTL
•

Reward-Probabilistic CTL for R-DTMC

|

::=

|

::=
::=
R (

=

)

=

|

|

|

|¬

|P

( ) |R

( )

|
R (

)

R (

)

25

Example
R (

=

)

Expected state reward to be gained in the state entered at step k
along the paths originating in the given state

“The expected cost gained after exactly 10 time steps is
less than 5”

R< (

=

)

26

Example
R (

)

T Expected cumulated reward within k time steps ext
Text
“The expected energy consumption within the ﬁrst 50 time units of
operation is less than 6 kwh”

R< (

)

27

Example
R (

)

Expected cumulated reward until a state satisfying is reached
Text
Text

“The average execution time until a user session is complete is
lower than 150 s”

R<

(

)

28

A bit of theory
• Probability for a ﬁnite path ⇡ = s0 , s1 , s2 , . . . to be
Q|⇡| 2
traversed is 1 if |⇡| = 1 otherwise
k=0 P (sk , sk+1 )
• A state sj is reachable from state si if a ﬁnite path exists
leading to sj from si
• The probability of moving from si to sj in exactly 2 steps
P
pix · pxj which is the entry (i, j) of P 2
is sx 2S
• The probability of moving from si to sj in exactly k steps
is the entry (i, j) of P k

29

A bit of theory
• A state is recurrent if the probability that it will be eventually
visited again after being reached is 1; it is otherwise transient
(a non-zero probability that it will never be visited again)
• A recurrent state sk where pk,k = 1 is called absorbing
• Here we assume DTMCs to be well-formed, i.e.
- every recurrent state is absorbing
- all states are reachable from initial state
- from every transient state it is possible to reach an
absorbing state

30

An example

0.5

1

2

1

0
0.2

0.3
3

0

0 1
B 0.2 0
B
@ 0 0
0 0

0
0.5
1
0

1

0
0.3 C
C
0 A
1

Probability of reaching an absorbing state (e.g., 2)
2 can be reached by reaching 1 in 0, 1, 2,...∞ steps and then 2 with prob .5
(1+0.2+0.22+0.23+ ... ) x 0.5 = ( ∑ 0.2n) x 0.5 = (1/(1-0.2)) x 0.5 = 0.625
Similarly, for state 3, (1/(1-0.2)) x 0.3 = 0.375
Notice that an absorbing state is reached with prob 1
31

A bit of theory
• Consider a DTMC with r absorbing and t transient states
• Its matrix can be restructured as
✓
◆
Q R
P =
(1)
0 I
- Q is a nonzero t × t matrix
- R is a t × r matrix
- 0 is a r × t matrix
- I is a r × r identity matrix
Qk ! 0 as k ! 1
• Theorem
- In a well-formed Markov chain, the probability of the process
to be eventually absorbed is 1
32

Focus on reachability properties
• A reachability property has the following form
P./p (⌃ )

states that the probability of reaching a state where
holds matches the constraint ./ p
• Typically, they refer to reaching an absorbing state
(denoting success/failure for reliability analysis)
• It is a ﬂat formula (i.e. no subformula contains P./p (·))
• These properties are the most commonly found

33

A bit of theory
Consider again ◆
✓

Q R
P =
0 I
1
X
1
2
3
k
N = I + Q + Q + Q + ··· =
Q

(1)

k=0

ni,k expected # of visits of transient state sk from si, i.e.,
the sum of the probablities of visiting it 0, 1, 2, ...times
1
Theorem: The geometric series converges to (I Q)
Consider B = N ⇥ R . The probability of reaching
X
absorbing state sk from si is bik =
nij · rjk
k=0..t 1

34

Proving reachability properties

Pr(◊ s = End ) =

∑n

0, j

⋅ rj , End

j

n0,j is the sum of the probabilities to reach state j
in 1, 2, 3, ... ∞ steps
35

Model checking tools
•
•
•

SPIN (Holzmann) analyzes LTL properties for LTSs expressed
in Promela
(Nu)SMV (Clarke et al, Cimatti et al.) can also analyze CTL
properties and uses a symbolic representation of visited
states (BDDs) to address the “state explosion problem”
PRISM (Kwiatkowska et al.) and MRMC (Katoen et al.) support
Markov models and perform probabilistic model checking

36

Question

• How do modelling notations and verification
fit software evolution?
- A modification to an existing system
viewed as a new system
- No support to reasoning on the changes
and their effects

37

Laser 1-background

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (17)

Semelhante a Laser 1-background

Semelhante a Laser 1-background (20)

Último

Último (20)

Laser 1-background