Page 1
Verifying Properties of Process Definitions
Jamieson M. Cobleigh, Lori A. Clarke, and Leon J. Osterweil
Laboratory for Advanced Software Engineering Research
University of Massachusetts Amherst
http://laser.cs.umass.edu/
Thanks to Aaron Cass, Sandy Wise, and Hyungwon Lee
Page 2
Outline
• Process
• Example Process
• Analysis of the Process
• Conclusions
Page 3
What is a Process?
[Figure: a complex task, shown together with the resources, artifacts, and agents it involves]
Examples:
• Design
• Configuration Management
• e-commerce
Page 4
Example: An Auction
• Need to coordinate bidders and auctioneer
• These may be distributed over a network
• May be human users or computer programs
• Want a process definition that describes how to conduct an auction
Page 5
Little-JIL: a process definition language
• Graphical language
• Has rigorous formal semantics specified
• Supports concurrency, resource management, exceptions, choice steps (to give human users flexibility), and pre- and post-requisites
Page 6
Little-JIL Step
[Figure: the parts of a Little-JIL step]
• Step Name
• Interface: resources used, exceptions thrown, parameters
• Pre-requisite
• Post-requisite
• Exception handling control flow
• Substep sequencing
Page 7
[Figure: Little-JIL diagram of the Open-Cry Auction. Steps shown: Open-Cry Auction, Close Auction, Accept Bids From Bidder, Accept One Bid, Submit Bid, Update Best Bid. Requisite labels shown: AuctionNotClosed, BidIsHigher, BidIsBetter.]
Sequencing Badges: Sequential, Parallel, Choice, Try
Page 8
[Figure: the same Open-Cry Auction diagram with its exception handling added. Steps shown: Open-Cry Auction, Close Auction, Accept Bids From Bidder, Accept One Bid, Submit Bid, Update Best Bid. Requisite labels shown: AuctionNotClosed, BidIsHigher, BidIsBetter. Exceptions shown: NoMoreBidders, AuctionClosed, BidNotHigher, BidNotBetter, DeadlineExpired.]
Sequencing Badges: Sequential, Parallel, Choice, Try
Exception Badges: Rethrow, Continue, Complete, Restart
Page 9
Modeling Processes
• This process is intuitively easy to understand
• However, it still has complicated control structures
• These constructs can mask erroneous behavior
• Even high-level process definitions need to be validated
Page 10
Auction Concerns
• Are late bids considered?
• Does the highest bidder win the auction?
• Is the auction vulnerable to fraud?
Page 11
FLAVERS: FLow Analysis for VERification of Systems
• Can verify concurrent and sequential software
• Uses an efficient state propagation algorithm
• Worst case bounds: O(N²·S)
• Relatively language independent: Ada, Java, C++, Jovial
• Can incrementally add information to the analysis to improve precision
Page 12
FLAVERS Overview
[Figure: FLAVERS architecture. Software → Software Translator → TFG; Property Specification → Property Translator → Property FSA; the TFG, the Property FSA, and one or more Constraint FSAs → State Propagation → Results. The Little-JIL input is shown going through a Human Translator.]
Page 13
FLAVERS Model
• A Trace Flow Graph (TFG)
• Derived from labeled Control Flow Graphs (CFG)
• Labels represent events of interest
• Need CFG models for Little-JIL constructs
Page 15
A Choice Step
[Figure: a Choice step with substeps Do A, Do B, and Do C, beside its control flow graph model. Events shown in the model: Choice, Do A, Do B, Do C, A Completed, A Terminated, Choice Completed.]
Page 16
Choice Step Model
Page 17
Properties Checked
• No Late Bids Accepted
  • Checked on the Open-Cry Auction
  • Inconclusive results
• Several process experts studied the example in detail without noticing the fault
• Need to add an “AuctionNotClosed” prerequisite to “Update Best Bid”
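The effect of that missing prerequisite can be reproduced on a toy model. The Python below is an added example, not code from the slides or from FLAVERS: it builds a constructed trace flow graph that interleaves the bid-handling path with the concurrent Close Auction step, propagates (property FSA, constraint FSA) state pairs over it as FLAVERS does, and reports Inconclusive without the prerequisite and Conclusive with it. The event names, the single-event close path, and the assumption that a prerequisite is checked atomically with the step it guards are all assumptions of this example.

```python
from itertools import product

# Property FSA for "No Late Bids Accepted" (constructed): UpdateBestBid after
# CloseAuction enters the trap state VIOLATION. Unlisted events keep the state.
OPEN, CLOSED, VIOLATION = 0, 1, 2
PROPERTY = {(OPEN, "CloseAuction"): CLOSED, (CLOSED, "UpdateBestBid"): VIOLATION}
# Constraint FSA (constructed) giving the prerequisite its meaning: the check
# AuctionNotClosed is infeasible after CloseAuction; None prunes that path.
CONSTRAINT = {(OPEN, "CloseAuction"): CLOSED, (CLOSED, "AuctionNotClosed"): None}

def build_tfg(with_prerequisite):
    """Constructed TFG: the bid path interleaved with the concurrent Close Auction
    step. Nodes are (bid_pos, close_pos); an edge's event tuple runs without
    interleaving, so a prerequisite is checked atomically with its step."""
    guard = ("AuctionNotClosed",) if with_prerequisite else ()
    bid = [("SubmitBid",), ("BidIsHigher",), guard + ("UpdateBestBid",)]
    close = [("CloseAuction",)]
    edges = {}
    for i, j in product(range(len(bid) + 1), range(len(close) + 1)):
        succ = []
        if i < len(bid):
            succ.append((bid[i], (i + 1, j)))
        if j < len(close):
            succ.append((close[j], (i, j + 1)))
        edges[(i, j)] = succ
    return edges, (0, 0)

def propagate(edges, start):
    """Worklist propagation of reachable (property, constraint) pairs to a fixpoint."""
    states = {start: {(OPEN, OPEN)}}
    work = [start]
    while work:
        node = work.pop()
        for events, nxt in edges[node]:
            for p, c in list(states[node]):
                for ev in events:
                    p, c = PROPERTY.get((p, ev), p), CONSTRAINT.get((c, ev), c)
                    if c is None:
                        break  # infeasible: the constraint rules this path out
                if c is None or (p, c) in states.setdefault(nxt, set()):
                    continue
                states[nxt].add((p, c))
                work.append(nxt)
    return states

def check_no_late_bids(with_prerequisite):
    """'Inconclusive' if a feasible path reaches VIOLATION, else 'Conclusive'."""
    reached = propagate(*build_tfg(with_prerequisite))
    violated = any(p == VIOLATION for s in reached.values() for p, _ in s)
    return "Inconclusive" if violated else "Conclusive"
```

Without the guard, the path CloseAuction, SubmitBid, BidIsHigher, UpdateBestBid reaches the trap state; with it, the constraint FSA discards every path in which the check follows the close.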
Page 18
Race Condition Property
• Another property involved data flow
• There is a variable best that keeps track of the best bid seen so far
• Can be used by multiple steps concurrently
• Want to ensure there is no race condition
Page 19
Race Condition Can Exist
• Determined a race condition can exist
• Auctioneer could be considering two bids at the same time
• Two updates to best occur
• The final value of best depends on the order of the updates
Page 20
No Race Condition
• Need to ensure proper access to variable best
• Requires knowledge of agent behavior
• Proved that if there is no access control, a race condition can occur
• Proved that with a lock on best, no race condition can occur
Page 21
Analysis Results
Property                        TFG Nodes   TFG Edges   Result                 Time (s)
No Late Bids Accepted                 216      11,837   Inconclusive - fault       6.56
No Late Bids Accepted                 316      30,881   Conclusive                41.10
Possible Race Condition               327      35,788   Inconclusive - fault     143.25
No Race Condition (no lock)           189       7,710   Inconclusive - fault      15.07
No Race Condition (with lock)         269      20,910   Conclusive                17.52

The Little-JIL program had 8 steps
Page 22
Conclusions
• Process models have strengths and weaknesses
  • Lead to intuitive understanding
  • Can mislead people into believing they understand the process
• Our example illustrates how important it is to validate processes
• FLAVERS successfully analyzed the Little-JIL process
• There is a tension between expressiveness and analyzability
  • Humans require flexibility, leading to more complex analysis