S. C. Cheung and J. Kramer. Enhancing compositional reachability analysis with context constraints. ACM Software Engineering Notes, 18(5):115--125, December 1993.
....Despite being an essential property of PDS, deadlock freedom is not easy to verify. The reason is the large number of states that must usually be analysed to guarantee that a system never enters a deadlocked state, where all processes block trying to communicate. Some techniques [22] have been proposed aiming to reduce the number of states that must be analysed, but in general this still means that many states must be checked. An important objective of a design method is to assist in improving the quality. It is obvious that correctness is an essential quality. Our method ....
S. C. Cheung and J. Kramer. Enhancing compositional reachability analysis with context constraints. ACM Software Engineering Notes, 18(5):115--125, December 1993.
....the Lts of each process separately may lead to state explosion, whereas the generation of the whole system of concurrent processes might succeed if processes constrain each other when composed in parallel. This issue has been addressed by refined compositional verification approaches [GS90, CK93, Yeh93, CK95, CK96, GSL96, KM97, Che98, Gia99] which allow the Lts of each separate process to be generated by taking into account interface constraints (also known as environment constraints or context constraints). These constraints express the behavioral restrictions imposed on each process by ....
S. C. Cheung and J. Kramer. Enhancing Compositional Reachability Analysis with Context Constraints. In Proceedings of the 1st ACM SIGSOFT International Symposium on the Foundations of Software Engineering (Los Angeles, CA, USA), pages 115-125. ACM Press, December 1993.
....the quotient S/R can easily be generated with a so-called compositional approach: it consists of (repeatedly) generating the Lts S' associated with a given sub-expression, and replacing this sub-expression in the initial one by the quotient S'/R. This approach has been widely studied [GS90,CK93,Val96,KM97] and has already been applied in some successful case studies. However, most of this work was done in the context of synchronous communicating systems (described for instance using process algebras like Lotos [ISO87] or Csp [Hoa85]). In this paper we propose a way to efficiently ....
.... is to correctly handle the effect of the environment (i.e. the rest of the system) in order to restrict the generation of a given subset of components (otherwise the model obtained for this subset may be larger than the one corresponding to the whole system). This problem was addressed in [GS90,CK93,KM97] by expressing the constraints provided from the environment in terms of process interfaces, allowing some parts of a component behaviour to be cut off. Unfortunately, this solution is not applicable in the case of asynchronous communications, since the effects of the external buffers cannot ....
S.C. Cheung and J. Kramer. Enhancing Compositional Reachability Analysis with Context Constraints. In Proceedings of the 1st ACM International Symposium on the Foundations of Software Engineering, pages 115--125, Los Angeles, California, December 1993.
....of very large programs will undoubtedly require compositional techniques, which exploit the modularity of the program to reduce the complexity of the analysis. Several techniques for compositional reachability analysis have already been proposed (e.g. [4, 5, 15]). The basic strategy of these techniques is to divide a large system into smaller subsystems, verify each subsystem, and then combine the results of these analyses to verify the full system. For concurrent processes, this is typically accomplished by decomposing the system into subsystems with ....
S. C. Cheung and J. Kramer. Enhancing compositional reachability analysis using context constraints. In Proceedings of the First ACM SIGSOFT Symposium on the Foundations of Software Engineering, pages 115--125, Dec. 1993.
.... the target user community, and favors greater user involvement in development, and hence, greater satisfaction with the final product (see e.g. [35, 36]). We share the view that this is only true in data-rich, processing-poor application domains where objects are intuitive and easy to identify [3], and where most of the processing consists of associative data access; these are domains where more traditional data modeling techniques are already known to be more appropriate than process-oriented techniques [46]. In control-intensive applications, objects are synthetic (artificial) ....
....or suboptimal (incomplete) [56]. Some aspects of object-oriented analysis have also been criticized for hindering reuse or for under-using the potential of object orientation for reusability. One of the thorniest problems resides in the specification of inter-object behavior (see e.g. [3, 46, 158]). An unspoken corollary of object orientation is that any behavior that an object system may exhibit must be attached to an object class within the system. This forces us to specify and implement the interaction between two objects as an operation on one of the two, i.e. it forces us to ....
[Article contains additional citation context not shown here]
S. C. Cheung and J. Kramer, "Enhancing Compositional Reachability Analysis with Context Constraints," in Proceedings of the First ACM SIGSOFT Symposium on the Foundations of Software Engineering, Los Angeles, California, USA, December 7-10, 1993. ACM Software Engineering Notes, vol. 18, no. 5, pp. 115-125.
.... represented in the model [27]. Another widely used method for alleviating the state explosion, especially for hardware designs, is symbolic model checking [4, 5, 28], which involves representing the states symbolically, usually with Ordered Binary Decision Diagrams (OBDDs). Compositional methods [7, 8, 35] exploit modularity in a system by dividing it into smaller subsystems, verifying each subsystem, and then combining the results of these analyses to verify the full system. There are also methods based on dataflow analysis [16, 26] and integer programming [2,29]. As we mentioned in Section 7, our ....
S. C. Cheung and J. Kramer. Enhancing compositional reachability analysis using context constraints. In Proceedings of the first ACM SIGSOFT Symposium on the Foundations of Software Engineering, pages 115--125, Dec. 1993.
....5.2 (Image process theorem) Let P, T be two totally defined processes, and T' be the image process of T, where αT ⊆ αP. Then P ∥ T' does not have undefined traces iff tr(P ↾ αT) ⊆ tr(T). □ The transparence theorem is an extended version of the interface theorem as presented in [4]. The image process theorem has been stated and used in [3, 6]. The full presentations and proofs of theorems 5.1 and 5.2 are provided in appendix A. 5.3 Inclusion of context constraints Let S be a system P ∥ Q where Q is the context of subsystem P. Then an interface I for P is a totally ....
....the interfaces they generate for efficiency. Even so, there exists yet no such algorithm that proves efficient in all cases. We have proposed a simple algorithm that is an effective and practical means of constructing interfaces from contexts composed of small or medium size elementary components [4]. The algorithm constructs interfaces that are deterministic and free of action . Interfaces created in this way have also proven to satisfy the second condition of the transparence theorem. Every interface constructed by the algorithm is therefore guaranteed to be correct. Secondly, ....
S.C. Cheung and J. Kramer. Enhancing Compositional Reachability Analysis with Context Constraints. In Proc. of the 1st ACM International Symposium on the Foundations of Software Engineering, Los Angeles, California, December 1993.
....of fully implemented components of a system, researchers generally have not addressed the problem of constructing such representations from real software. Corbett [7, 9, 10] has developed models for concurrent Ada programs that represent these detailed timing properties. A number of authors (e.g. [11-13]) have proposed methods for doing compositional analysis by decomposing a concurrent system into subsystems with simple interfaces and replacing some of the subsystems by simpler processes that have the same interfaces to their environments. In most of this work, however, the simpler processes ....
S. C. Cheung and J. Kramer, "Enhancing compositional reachability analysis with context constraints," in Proceedings of the First ACM SIGSOFT Symposium on the Foundations of Software Engineering, David Notkin, Ed., Dec. 1993, pp. 115--125.
....with the size of the program. Analysis of very large programs will undoubtedly require compositional techniques, which exploit the modularity of the program to reduce the complexity of the analysis. Several techniques for compositional reachability analysis have already been proposed (e.g. [5, 6, 19]). The basic strategy of these techniques is to divide a large system into smaller subsystems, verify each subsystem, and then combine the results of these analyses to verify the full system. For concurrent processes, this is typically accomplished by decomposing the system into subsystems with ....
S. C. Cheung and J. Kramer. Enhancing compositional reachability analysis with context constraints. In D. Notkin, editor, Proceedings of the First ACM SIGSOFT Symposium on the Foundations of Software Engineering, Dec. 1993. Appeared as ACM Software Engineering Notes, volume 18, December 1993.
....advantage of symmetries in the state space. Symbolic model checking [4, 32] uses a symbolic representation of a system's states, which is sometimes much more compact than an explicit enumeration. These techniques have proven especially successful in verifying hardware. Compositional techniques [5,7,43] exploit modularity in a system by dividing it into smaller subsystems, verifying each subsystem, and then combining the results of these analyses to verify the full system. If the subsystems have simple interfaces, such a hierarchical analysis can be quite effective. Abstraction [6] reduces the ....
S. C. Cheung and J. Kramer. Enhancing compositional reachability analysis using context constraints. In Proceedings of the first ACM SIGSOFT Symposium on the Foundations of Software Engineering, pages 115--125, Dec. 1993.
....of fully implemented components of a system, researchers generally have not addressed the problem of constructing such representations from real software. Corbett [7,9,10] has developed models for concurrent Ada programs that represent these detailed timing properties. A number of authors (e.g. [11-13]) have proposed methods for doing compositional analysis by decomposing a concurrent system into subsystems with simple interfaces and replacing some of the subsystems by simpler processes that have the same interfaces to their environments. In most of this work, however, the simpler processes ....
S. C. Cheung and J. Kramer, "Enhancing compositional reachability analysis with context constraints," in Proceedings of the First ACM SIGSOFT Symposium on the Foundations of Software Engineering, David Notkin, Ed., Dec. 1993, pp. 115--125.
....Systems are often specified as parallel compositions of several processes. It is well known that the LTS of such a system may be huge. Therefore, several methods have been suggested for the construction of a (partially) reduced equivalent LTS without explicitly constructing the full LTS (e.g. [BFH91, ChK93, GrS91, SLU89, VaC91, Val92, Val93]). Any such method which is valid for a strong equivalence is automatically valid for all strictly weaker equivalences. Furthermore, weak equivalences allow the use of other, perhaps more powerful methods, because they allow throwing more information away. For instance, [Val92] presents an ....
Cheung, S. C. & Kramer, J.: Enhancing Compositional Reachability Analysis with Context Constraints. Proceedings of the First ACM SIGSOFT Symposium on the Foundations of Software Engineering, ACM Software Engineering Notes Vol. 18 Nr 5, Dec. 1993, pp. 115--125.
....of fully implemented components of a system, researchers generally have not addressed the problem of constructing such representations from real software. Corbett [7, 9, 10] has developed models for concurrent Ada programs that represent these detailed timing properties. A number of authors (e.g. [11-13]) have proposed methods for doing compositional analysis by decomposing a concurrent system into subsystems with simple interfaces and replacing some of the subsystems by simpler processes that have the same interfaces to their environments. In most of this work, however, the simpler processes ....
S. C. Cheung and J. Kramer, "Enhancing compositional reachability analysis with context constraints," in Proceedings of the First ACM SIGSOFT Symposium on the Foundations of Software Engineering, David Notkin, Ed., Dec. 1993, pp. 115-125.
....has been directed towards techniques for reducing the size of the model that gets constructed while applying model checking. Reduction techniques have generally followed one of two paths: (1) to avoid generating the entire structure, and instead to perform the check compositionally or locally [5, 8, 17, 18]; or (2) to form the whole structure, but encode it symbolically to reduce its size [2]. We have taken the compositional approach, albeit with several unique twists. (Footnote 1: Computation Tree Logic, a branching-time temporal logic.) First, we negate a user-entered invariant, and then search for its ....
S. C. Cheung and J. Kramer. Enhancing Compositional Reachability Analysis with Context Constraints. Proceedings FSE'93, ACM SIGSOFT, 115--125, December 1993.
....execution sequences, forbidden by the synchronizations expected by the rest of the composition expression (its environment). In the worst cases, the size of S' may even exceed the one of S, leading to a failure of this approach. A solution to this problem has been proposed in [GS90,GLS96] and [CK93,CK95] for composition expressions based on the Csp [Hoa78] parallel operator. Intuitively, it consists in expressing the environment of a subexpression by an interface, i.e. an Lts representing a set of authorized execution sequences that can be performed by this sub-expression. Thus, using a ....
....The main objective of this work is to evaluate this compositional generation method on realistic case studies, in order to compare its efficiency with respect to some other existing solutions for the state explosion problem. To this purpose, we have generalized the results of [GS90] and [CK93] to the Lotos language [ISO88], an international ISO standard for the description of communication protocols. In particular a new projection operator named semi-composition has been defined, able to deal either with user-given interfaces (as in [GS90]) or with automatically computed ones ....
S.C. Cheung and J. Kramer. Enhancing Compositional Reachability Analysis with Context Constraints. In Proceedings of the 1st ACM International Symposium on the Foundations of Software Engineering, pages 115--125, Los Angeles, California, December 1993.
....of fully implemented components of a system, researchers generally have not addressed the problem of constructing such representations from real software. Corbett [6-8] has developed models for concurrent Ada programs that represent these detailed timing properties. A number of authors (e.g. [4,5,22]) have proposed methods for doing compositional analysis by decomposing a concurrent system into subsystems with simple interfaces and replacing some of the subsystems by simpler processes that have the same interfaces to their environments. In most of this work, however, the simpler processes ....
S. C. Cheung and J. Kramer. Enhancing compositional reachability analysis with context constraints. In D. Notkin, editor, Proceedings of the First ACM SIGSOFT Symposium on the Foundations of Software Engineering, pages 115--125, Dec. 1993.
....Analysis of very large programs will undoubtedly require compositional techniques, which exploit the modularity of the program to reduce the complexity of the analysis. Several techniques for compositional reachability analysis have already been proposed (e.g. [4, 5, 15]). The basic strategy of these techniques is to divide a large system into smaller subsystems, verify each subsystem, and then combine the results of these analyses to verify the full system. For concurrent processes, this is typically accomplished by decomposing the system into subsystems with ....
S. C. Cheung and J. Kramer. Enhancing compositional reachability analysis using context constraints. In Proceedings of the First ACM SIGSOFT Symposium on the Foundations of Software Engineering, pages 115--125, Dec. 1993.
....As a result, these LTSs may be excessively large and contain many spurious traces. As such, the state explosion problem could be exacerbated. Contextual reachability analysis is a promising technique to alleviate the problem by including context constraints in compositional minimisation [1, 5, 16]. These constraints can be derived algorithmically [1] but may be too weak to adequately constrain the compositional analysis. Users may therefore wish to provide their own constraints based on their knowledge and intuition about the target system. This approach was studied by Graf [5] and Yeh ....
....contain many spurious traces. As such, the state explosion problem could be exacerbated. Contextual reachability analysis is a promising technique to alleviate the problem by including context constraints in compositional minimisation [1, 5, 16]. These constraints can be derived algorithmically [1] but may be too weak to adequately constrain the compositional analysis. Users may therefore wish to provide their own constraints based on their knowledge and intuition about the target system. This approach was studied by Graf [5] and Yeh [16]. The technique of Graf allows users to specify ....
S. C. Cheung and J. Kramer, "Enhancing Compositional Reachability Analysis with Context Constraints," in Proc. 1st ACM International Symposium on the Foundations of Software Engineering, Los Angeles, California, December 1993.
....global reachability graph generated using our technique is shown to be observationally equivalent to that generated by CRA without the inclusion of context constraints. The technique is illustrated with a clients-server system. (Footnote 1: This paper is an extended and revised version of our previous paper [8] presented in the First International Symposium on the Foundations of Software Engineering (December 1993). The research is partially sponsored by the Croucher Foundation, the Swiss Bank and the DTI (Grant Ref: IED 410 36 2).) 1 INTRODUCTION Behaviour analysis is useful at all stages in the ....
S.C. Cheung and J. Kramer. Enhancing Compositional Reachability Analysis with Context Constraints. In Proc. 1st ACM International Symposium on the Foundations of Software Engineering, ACM SIGSOFT, Los Angeles, California, December 1993, pp. 115-125.
....the global LTS based on the subsystem hierarchy in Figure 14 after modification. [Figure 20: The Modified Pump (LTS with actions activate, start1, start2, finish1, charge1, finish2, charge2)] [Figure 21: The Global LTS of GasStation (actions prepay1, prepay2)] 4.5 Correctness of the Global LTS In previous work [4], it has been shown that the overall behaviour of a system Z remains unchanged after the addition of a process Ifc if Z and Ifc satisfy the three criteria in an interface theorem (Figure 22). Let Z L be a target system and Ifc be an image property automaton specified by users. Using the ....
....that the analysis technique should be further improved before it can handle realistic systems. A possible way to reduce the computational costs is to combine the technique with various state space reduction mechanisms, such as those proposed by Godefroid [14] and the previous work of the authors [4, 9].
#Customers   Before the inclusion of the two property automata in Figure 13   After the inclusion of the two property automata in Figure 13
2            0.6                                                              0.7
3            1.5                                                              2.1
4            7.8                                                              19.0
5            80.1                                                             290.3
6            1,003.5                                                          5,068.3
Figure 23: Computational Time (in seconds) Required to Evaluate the Global LTS of the Faulty Gas ....
S. C. Cheung and J. Kramer, "Enhancing Compositional Reachability Analysis with Context Constraints," presented at 1st ACM SIGSOFT International Symposium on the Foundations of Software Engineering, Los Angeles, California, December 1993, SEN 18(5).
....are made impossible by the context constraints of Client 1. Thus, Context Client 1 presents a better picture of how Client 1 behaves in the clients-server system. In addition, Context Client 1 can be used as a substitute of Client 1 in the construction of the global behaviour of CltSvr [4]. [Figure 11a. Contextual Behaviour of Client 1 (LTS over actions req 1, req 2, rep 1, ans 1, with states and transitions forbidden by the context marked)] [Figure 11b. Standalone ....
....As a result, the computational costs can be dramatically reduced if these simplified LTSs are used to substitute the original subsystems in subsequent analysis of the entire system. Contextual local analysis for disjoint subsystems can be carried out independently (e.g. Client 1 and Server) [4]. The simplified LTS obtained in independent contextual local analysis can be freely used to replace the original subsystem. For instance, we can obtain a new system, which is strongly bisimular to the old one, by replacing Context Client 1 for Client 1 and Context Server for Server. ....
S.C. Cheung and J. Kramer. Enhancing Compositional Reachability Analysis with Context Constraints. In Proc. 1st ACM International Symposium on the Foundations of Software Engineering, ACM SIGSOFT, Los Angeles, California, December 1993, pp. 115-125.
....2: An LTS Description of a Process which and how safety properties are violated. We have found no similar work of providing this feature in the framework of CRA. The proposed mechanism is adapted from the techniques of employing context constraints to alleviate the state explosion problem of CRA [4, 9]. Context constraints were originally proposed by Graf [9] to abstract behaviour restrictions imposed on a subsystem by its neighbouring processes due to the need for co-ordination. To enhance the mechanism of CRA, the state machine formalism is augmented with a special undefined state p. The ....
....global LTS. If the LTS is free from state p, it represents the overall behaviour of the system; otherwise the mechanism indicates which safety properties are violated and how they happen. The mechanism can be further optimised by augmenting the CRA technique with the concept of context constraints [4]. These constraints capture behavioural restriction imposed on subsystems by their neighbouring processes. A prototype supporting the technique has been built. To further explore the potential of the technique, we are applying it to more complex examples, implementing support tools on ....
S. C. Cheung and J. Kramer, "Enhancing Compositional Reachability Analysis with Context Constraints," in Proc. 1st ACM International Symposium on the Foundations of Software Engineering, Los Angeles, California, December 1993.
....of the enclosing (sub)system. Analysing a system in such a compositional way fits well with a constructive approach to software development [17]. However, the state explosion problem could be exacerbated as subsystems are locally minimised without considering their contexts or local environments [3, 9]. A locally minimised subsystem may contain a large number of behavioural traces forbidden by its context. In view of this problem, Sabnani et al. [29] suggested that a good composition order is essential in applying such a CRA technique. However, there is no systematic method or set of rules for ....
....we briefly present an effective method (section 5) to alleviate this problem by including context constraints in the composition of subsystems. These constraints can either be specified by users or automatically derived by a simple algorithm (section 5.4). Details of the method can be found in [2, 3]. 1.2 Dataflow Analysis Another alternative is to side-step the state explosion problem in reachability analysis by relaxing the accuracy of the analysis. Approximate techniques using dataflow analysis have been proposed [4, 21, 27, 28, 33]. These techniques approximate a system behaviour using ....
S.C. Cheung and J. Kramer, "Enhancing Compositional Reachability Analysis with Context Constraints," in the First ACM SIGSOFT Symposium on the Foundations of Software Engineering, ACM SIGSOFT, Los Angeles, California, December 1993, pp. 115-125.
....Currently we have focused on the use of Milner's work on the π-calculus [3] as a means for defining the semantics of our configuration language. More recently, we have been working on the use of labelled transition systems (similar to state transition systems) to describe component behaviour [4, 5]. Reachability analysis is then provided using an approximate but tractable technique for flow analysis of distributed programs and an improved exhaustive technique for compositional analysis. Both techniques are supported by automated software tools. The integration of these 3 phases of software ....
S.C. Cheung and J. Kramer. "Enhancing Compositional Reachability Analysis with Context Constraints", in the 1st ACM SIGSOFT Symposium on the Foundation of Software Engineering, ACM SIGSOFT, Los Angeles, California, December 1993, pp 115-125.