Scenario Synthesis from Imprecise Requirements
Bill Mitchell, Robert Thomson, Paul Bristow
Jan 19, 2016
Enterprise Development Process
[Figure: development process diagram. Artefact labels: Feature, High Level Designs, Detailed Designs, Technical Marketing Requirements, Functional Requirements, System Architecture Requirements, Standards, System Requirements, Component Requirements. Groups: Technical Marketing, Feature Teams, Box Teams, Integration Teams, Testing Teams, Customers.]
Telecoms Example
• Network provider deploying 3G.
• Placing order for handsets.
• One of the many features included will be access to network Java game repository.
[Figure: User Interface, Java Game Menu, Network Infrastructure, Java Game Repository.]
Initial Customer Requirements
[Figure: MSC with instances User, Handset, Network; labels: Menu Key, Options, Select, Fetch Resource, Java Game, Confirmation.]
Technical Marketing Scenarios
[Figure: handset Default Screen Display showing Signal and Battery indicators; keys B1 to B6, Power, Java, Ack; soft keys Ph. Bk, Menu, Hold; followed by a Java Key Press.]
Each event modifies functionality and UI configuration.
[Figure: handset Java Games screen showing Signal and Battery indicators; keys B1 to B6, Power, Java, Ack; soft keys Back, Menu, Select; menu entries Doom 8, Quake 9, etc.]
Customer Scenario broken down into sequence of atomic events, which change interface functionality.
Functional Requirements
Technical Marketing Scenarios
Normative scenarios are very focused on isolated behaviour of feature in these requirements:
• What if voice or data call received during download?
• If memory is expandable (as with some PIM-phone hybrids) how should the mem-full error be handled if the user could add extra memory with, say, a USB flash memory stick?
• What if during the download the network service provider tries to update the phone configuration via the air interface for enhanced game play?
Need to synthesise model of system from all MSC requirements scenarios for simulation and analysis.
Problem:
• Practitioners use states imprecisely
• Different engineering groups define scenarios differently
• Legacy requirements
Deadlock example from TETRA PPT
[Figure: MSC scenarios "ruthless pre-empt" and "agreed pre-empt" between instances A and B, with states S0 to S3 and messages a, b, c, d; FSA for A with transitions !a, !b, !c, ?d; FSA for B with transitions ?a, ?b, ?c, !d.]
Example Deadlock Avoided
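[Figure: MSC scenarios between instances A and B with states S0 to S3 and messages a, b, c, d; Extended DFSA for A with transitions !a, !b, !c, ?d.]
[Figure: the MSC scenarios "ruthless pre-empt" and "agreed pre-empt" between instances A and B, with states S0 to S3 and messages a, b, c, d.]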
Too Weak to ever give any interactions!
Composite States
• Anonymous internal states
• Multiple entry/exit states
Example, Call Waiting from paper in FIW 2000
[Figure: MSC with instances Sys, B, C, D; labels: call_setup[B], call(B), accept(D), hang_up_on(C), ack_accept(D), disconnect(B), call_active(B), call_active[B,D], idle, call_active[B,C].]
Example, RBWF, from paper in FIW 2000
[Figure: MSC with instances A, Sys, B; labels: call_setup[B], call(B), rbwf(B), call_active[B,C], hang_up_on(C), idle, ring(A,B), rbwf_call_progressing[A,B].]
Example, FI from paper in FIW 2000
[Figure: MSC with instances A, Sys, B, C, D; labels: call_setup[B], idle, call(B), rbwf(B), accept(D), hang_up_on(C), ack_accept(D), disconnect(B), call_active(B), call_active[B,D], call_active[B,C].]
Whenever in these composite states CW can happen.
Trace semantics for states
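[Figure: machine with states u, v, w, x, y and transitions !a, ?b, !c, ?d, annotated with S0, S1, S2.]
State x is (In, Out), where In and Out are sets of traces.
For every trace $t_1$ of In there is a path $u \xrightarrow{t_1} x$ for some initial state u.
For every trace $t_2$ of Out there is a path $x \xrightarrow{t_2} y$ for some accepting state y.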
Deterministic trace semantics
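[Figure: machine with states u, v, w, x, y and transitions !a, ?b, !c, ?d, annotated with S0, S1, S2.]
For any $t_1$ of In, if there is a path $u \xrightarrow{t_1} x$ for some initial state u,
then for every trace $t_2$ of Out there is a path $x \xrightarrow{t_2} y$ for some accepting state y.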
MSC trace semantics for exit/entry states
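[Figure: machine with states u, v, w, x, y and transitions !a, ?b, !c, ?d, annotated with S0, S1, S2.]
For any $t_1$, if there is a path $u \xrightarrow{t_1} x$ for any state u,
then there is a path $x \xrightarrow{t_2} y$ for some state y.
Every MSC trace t can be split into pairs $(t_1, t_2)$ where $t_1$ leads to exit state.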
State semantics
[Figure: machine with states v’, w’, x’, y’ and transitions ?b, !c, ?e, annotated with S0, S1, S3.]
S0: ?b   S0: !c   S1: ?e
Overlapping Processes, continued
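[Figure: Scenario 1, machine for A: states u, v, w, x, y with transitions !a, ?b, !c, ?d, annotated with S0, S1, S2. Scenario 2, machine for A: states v’, w’, x’, y’ with transitions ?b, !c, ?e, annotated with S0, S1, S3.]
S0: !a   S0: ?b   S0: !c
S0: ?b   S0: !c
Match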
Overlapping Composition of Processes
P trace simulates Q when:
given any (state annotated) execution traces $t_1$ and $t_2$:
$P \xrightarrow{t_1} P_1$
$Q \xrightarrow{t_2} Q_1$
where $t_1$ matches $t_2$, then $P_1$ must be able to simulate $Q_1$.
Livelock from naive composite state semantics
[Figure: MSC between instances A and B with states S0, S1 and messages a, b; DFSA for A with states S0, S1, labels x, y, and transitions !a, ?b.]
Exit State transition matching
P trace simulates Q when:
given any (state annotated) execution traces $t_1$ and $t_2$:
$P \xrightarrow{t_1} P_1$
$Q \xrightarrow{t_2} Q_1$
where $t_1$ matches $t_2$, and $t_1$, $t_2$ have reached exit states, then $P_1$ must be able to simulate $Q_1$.
where $t_1$ matches $t_2$, and $t_1$, $t_2$ have reached entry states, then $P_1$ must be able to simulate $Q_1$.
Temporal contexts for defining matching traces
Composite state Event
LTL semantics for execution trace
LTL formula defining context
Download File with Browser
Overlap of Java Game and Browser Download
Error Check
Will have universal scope over exit states
Overlap Java App + Browser + Error Check
Questions