Slides used in IFM09

- 1. Property Specifications for Workflow Modelling
  Peter Wong, University of Oxford, UK (joint work with Jeremy Gibbons), February 2009
- 2. Overview
  - Process Semantics for BPMN in CSP (ICFEM08, QSIC08)
  - Augmented with relative timing information (FOCLASA08)
  - BPMN is not a specification language
  - Consider a generalisation of Dwyer et al.'s Property Specification Patterns (PSP)
  - Define a language PL to capture generalised PSP
  - Translate into Lowe's Bounded, Positive fragment of LTL (BTL)
  - Translate BTL into CSP for refinement checks (FDR)
  - see: Example
- 3. Problems
  BPMN...
  - describes the performance of behaviour
  - difficult to describe refusal of behaviour in a context while allowing its availability outside that context
  - Example requirement should also permit behaviour such as Request Cancel before Book Seat!
  - see: Example
- 4. Content
  - Property Specification Patterns (PSP)
  - Generalised PSP
  - Our Approach
  - Bounded Positive fragment of LTL (BTL)
  - Refusal Traces Model and Semantics of BTL
  - A Property Specification Language PL
    - Patterns of Behaviour
    - Property Specification
  - Revisiting the Example
- 5. Property Specification Patterns
  PSPs describe the structure of commonly occurring requirements on the permissible patterns of behaviour in finite state systems. Here we only consider occurrence patterns.
- 6. Occurrence Patterns
  - Absence – A given event does not occur within a scope
  - Universality – A given event occurs at all times within a scope
  - Existence – A given event occurs at least once within a scope
  - Bounded Existence – A given event occurs a bounded number of times within a scope
- 7. Scopes
  - Always – throughout all possible executions
  - Before p – before the occurrence of the event p
  - After q – after the occurrence of the event q
  - Between p and q – between the occurrence of the events p and q
  - After p until q – after the occurrence of the event p until q, but q need not happen
- 8. Issue
  - Patterns have been expressed in a range of formalisms (LTL, CTL, ...) but not for the refinement setting (CSP).
  - We provide a generalisation of the patterns in process-algebraic settings. For example: the parallel execution of task A and either task D or task E cannot happen after task B and before task C.
- 9. Occurrence Patterns (generalised)
  - Absence – A given pattern of behaviour does not occur within a scope
  - Universality – A given pattern of behaviour occurs at all times within a scope
  - Existence – A given pattern of behaviour occurs at least once within a scope
  - Bounded Existence – A given pattern of behaviour occurs a bounded number of times within a scope
- 10. Scopes (generalised)
  - Always – throughout all possible executions
  - Before p – before the occurrence of the pattern of behaviour p
  - After q – after the occurrence of the pattern of behaviour q
  - Between p and q – between the occurrence of the patterns of behaviour p and q
  - After p until q – after the occurrence of the pattern of behaviour p until q, but q need not happen
- 11. Our Approach
  - Define a small property specification language PL to capture generalised PSP
  - Translate from PL to the bounded, positive fragment of LTL (BTL)
  - BTL can be automatically translated into CSP for simple refinement checks
- 12. Content (progress)
  - √ Property Specification Patterns (PSP)
  - √ Generalised PSP
  - √ Our Approach
  - ⇒ Bounded Positive fragment of LTL (BTL)
  - Refusal Traces Model and Semantics of BTL
  - A Property Specification Language PL (Patterns of Behaviour; Property Specification)
  - Revisiting the Example
- 13. Bounded, Positive Fragment of LTL (BTL)
  The grammar of BTL (for all a ∈ Σ): e, f ∈ BTL ::= e ∧ f | e ∨ f | e | □e | e R f | a | ¬a | available a | true | false | live | deadlocked
  - a – the event a is available to be performed initially, and no other events may be performed;
  - available a – the event a must not be refused initially, and other events may be performed;
  - live and deadlocked – the system is live (equivalent to a∈Σ a) or deadlocked (equivalent to a∈Σ ¬a), respectively;
  - true and false – logical formulae with their normal meanings.
  N.B. Does not capture eventually, until (U) and negation (¬).
- 14. Semantics of BTL for Refinement Checks
  - Stable Failures is not suitable
  - Requires a finer model – Refusal Traces RT [Mukarram 93]
  - P |= e, where e is a BTL expression, if and only if Spec(e) RT P, where Spec(e) is the CSP specification for e.
  A refusal trace is an alternating sequence of refusal information and events, of the form X1, a1, X2, a2, ..., Xn, an, Σ, where each Xi is a refusal set and each ai is an event: this represents that the process can refuse X1, perform a1, refuse X2, perform a2, etc.
  - see: Failures and Eventually
- 15. Content (progress)
  - √ Property Specification Patterns (PSP)
  - √ Generalised PSP
  - √ Our Approach
  - √ Bounded Positive fragment of LTL (BTL)
  - √ Refusal Traces Model and Semantics of BTL
  - ⇒ A Property Specification Language PL (Patterns of Behaviour; Property Specification)
  - Revisiting the Example
- 16. Patterns of Behaviour
  SPL – A Sublanguage of PL: P ∈ SPL ::= P P | P P | a → P | End, where a ∈ AF ::= e | available e | live, where e ∈ Σ AF
  - specifies nondeterministic systems
  - introduces the nondeterministic interleaving operator
  - End has empty semantics – RT SPL [[End]] = ∅
- 17. Nondeterministic Interleaving
  In CSP, for any events a and b: a → Skip b → Skip a → Skip RT, but not a → Skip ||| b → Skip a → b → Skip RT, since a → Skip ||| b → Skip ≡ a → b → Skip □ b → a → Skip
  - Need an operator to specify concurrent behaviour without determining the order of the events
  - Especially useful when applied in our relative timed model of BPMN
- 18. Nondeterministic Interleaving
  The process P Q communicates events from both P and Q nondeterministically. If P = p → P and Q = q → Q then Q = (p → (P (q → (P P Q)) Q )) [ -step]; also End Q = Q [ -End].
  Note that the operator is both commutative and associative and is defined in terms of and →.
- 19. From SPL to BTL
  - translate SPL to BTL∗ inductively: pattern : SPL → BTL∗
  - BTL∗ is BTL augmented with the atomic formula ∗ (RT SPL [[End]] = RT BTL∗ [[∗]] = ∅)
  - to convert BTL∗ back to BTL, we simply remove ∗ according to the following equivalences: φ ∨ ∗ ≡ φ, ∗ ∧ φ ≡ φ, φ ∧ ∗ ≡ φ
  - see: Formalising SPL in Temporal Logic
- 20. Example
  Given a pattern of behaviour (a → End) (b → End), we get the following BTL expression φ = (a ∧ b) ∨ (b ∧ a), which can be automatically translated into CSP:

      Spec = let
        Spec0 = b → Spec2
        Spec1 = a → Spec3
        Spec2 = a → Spec4
        Spec3 = b → Spec4
        Spec4 = Stop ( x : Σ • x → Spec4)
      in Spec0 Spec1

  Moreover, a → b → Stop Spec RT and a → Stop ||| b → Stop Spec RT.
- 21. Content (progress)
  - √ Property Specification Patterns (PSP)
  - √ Generalised PSP
  - √ Our Approach
  - √ Bounded Positive fragment of LTL (BTL)
  - √ Refusal Traces Model and Semantics of BTL
  - ⇒ A Property Specification Language PL (√ Patterns of Behaviour; ⇒ Property Specification)
  - Revisiting the Example
- 22. Property Specification Language – PL
  For all p ∈ SPL, n ∈ N1, b ∈ Bound and s ∈ Scope:
  - Abs(p, s) – absence of behaviour p in scope s
  - Un(p, s) – universality of behaviour p in scope s
  - Ex(p, n, s) – existence of behaviour p within the subsequent n states from the start of scope s
  - BEx(p, b, s) – existence of behaviour p with bound b in scope s
  N.B. "state" is in the sense of a transition system of a CSP process describing a BPMN diagram: a graph showing the states it can go through and the actions, each denoted by a single CSP event, that it takes to get from one to another.
- 23. Scopes
  - always – throughout all possible executions
  - before(p, n) – before behaviour p, if p happens in the nth state from the start
  - after p – after behaviour p
  - between p and (q, n) – between behaviour p and q, if q happens in the nth state after p
  - from p until (q, n) – after behaviour p and before q, if q happens (not necessarily) in the nth state after p
  - see: Bounded Existence
- 24. Content (progress)
  - √ Property Specification Patterns (PSP)
  - √ Generalised PSP
  - √ Our Approach
  - √ Bounded Positive fragment of LTL (BTL)
  - √ Refusal Traces Model and Semantics of BTL
  - √ A Property Specification Language PL (√ Patterns of Behaviour; √ Property Specification)
  - ⇒ Revisiting the Example
- 25. Revisiting the Example
  Use the absence pattern "the absence of p between some behaviour q and r": Abs(Cancel, between bookseat → End and (sendinvoice → End, 2)), where the pattern of behaviour Cancel is defined as Cancel = requestcancel → End reservetimeout → End.
  See if the diagram satisfies this property by checking the following refusal traces refinement assertion using the FDR tool: Agent N Spec RT, where N = Σ { bookseat, requestcancel, reservetimeout, sendinvoice }.
  - see: Travel Agent, Requirement and Spec
- 26. Summary
  - Generalised PSP to specify patterns of behaviour
  - Defined PL to capture the generalised PSP
  - Translated PL into BTL
  - Implemented a prototype in Haskell
- 27. Thank You
  Web site: http://www.comlab.ox.ac.uk/peter.wong/
  Email: peter.wong@comlab.ox.ac.uk
- 28–31. Summary (slide outline): Overview; Problems; Content; Property Specification Patterns; Occurrence Patterns; Scopes; Issue; Occurrence Patterns (generalised); Scopes (generalised); Our Approach; Content; Bounded, Positive Fragment of LTL (BTL); Semantics of BTL for Refinement Checks; Content; Patterns of Behaviour; Nondeterministic Interleaving (two slides); From SPL to BTL; Example; Content; Property Specification Language – PL; Scopes; Content; Revisiting the Example; Summary; CSP (four slides); Travel Agent; Requirement (two slides); Unsuitability of the stable failures; Impossibility of eventually, U and negation; Formalising SPL in Temporal logic (two slides); Bounded Existence – Preliminaries; Bounded Existence (two slides); Example – "The bounded existence of p after q"; Corresponding CSP specification...
- 36. CSP
  The grammar of CSP: P, Q ::= P ||| Q | P |[ A ]| Q | P Q | P A | P Q | P Q | P □ Q | P o9 Q | e → P | Skip | Stop
  - Skip, Stop - termination, deadlock;
  - e → P - prefixing;
  - P o9 Q - sequential composition.
- 37. CSP (continued)
  - P ||| Q - interleaving;
  - P |[ A ]| Q - partial interleaving;
  - P Q - parallel composition.
- 38. CSP (continued)
  - P A - hiding;
  - P Q - interrupt;
  - P □ Q - external choice;
  - P Q - internal choice.
- 39. CSP (continued)
  - We write □ i : { 1..n } • P(i) to denote P(1) □ ... □ P(n), similarly for the operators , ||| and ;
  - Our semantic definition uses Stable Failures F;
  - Formal verification via refinement checks;
  - FDR - automated CSP model checker.
- 40. Travel Agent
  - see: Introduction and Revisit
- 41. Requirement
  Property: Agent must not allow cancellation after booking if invoice is to be sent.
  - see: Introduction, Problems and Revisit
- 42. Requirement
  Property: Agent must not allow cancellation after booking if invoice is to be sent. Try checking this: Agent N Requirement ? F
  - see: Introduction and Problems
- 43. Unsuitability of the stable failures
  F[[available a]] = { ( , X) | a ∉ X } ∪ { (tr, X) | tr = ∧ X ∈ PΣ }
  F[[ available a]] = { ( b , X) | b ∈ Σ ∧ a ∉ X } ∪ { (tr, X) | #tr = 1 ∧ X ∈ PΣ }
  F[[available a ∨ available a]] = F[[available a]] ∪ F[[ available a]] = { (tr, X) | tr ∈ Σ∗ ∧ X ∈ P }
  i.e. available a ∨ available a is satisfied by every process!
  - see: Semantics of BTL
- 44. Impossibility of eventually, U and negation
  Suppose P |= a if and only if Spec RT P, where Spec is the CSP specification for a. Spec would have the refusal trace Σ {b}, b n •, a for all n. However RT is prefix-closed, therefore it would also have the refusal trace Σ {b}, b n for all n, and this is satisfied by the process P = b → P!
  Also, since φ = true U φ and φ = ¬(□¬φ).
  - see: Semantics of BTL
- 45. Formalising SPL in Temporal logic
  - translate SPL to BTL∗
  - convert BTL∗ back to BTL
  SPL to BTL∗:

      pattern(End)    = ∗
      pattern(a → P)  = atom(a) ∧ (pattern P)
      pattern(P Q)    = pattern(P) ∨ pattern(Q)
      pattern(P Q)    = pattern(npar(P, Q))
      where atom(available t) = available (event(t))
            atom(live)        = live
            atom(t)           = event(t)

  - see: SPL
- 46. Formalising SPL in Temporal logic

      npar(End, End) = End
      npar(End, Q)   = Q
      npar(P, End)   = P
      npar(P, Q)     = ( (a, X) : initials(P) • a → npar(X, Q)) ( (a, X) : initials(Q) • a → npar(X, P))

  where i : I • P(i) denotes the nondeterministic choice of a set of indexed terms P(i), where i ranges over I.

      initials(P Q)   = initials(P) ∪ initials(Q)
      initials(P Q)   = initials(npar(P, Q))
      initials(a → P) = { (a, P) }
      initials(End)   = ∅

  - see: SPL
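As an added worked example (not the authors' Haskell prototype), the SPL → BTL∗ translation of slides 45 and 46 together with the ∗ removal of slide 19, checked against the slide-20 example. The choice and interleaving operator glyphs are missing from this copy of the slides, so the code names them choice and interleave, and writes the next operator as ○.

```python
from functools import reduce

# SPL terms (slide 16) as tagged tuples; the missing operator glyphs are spelled out.
END = ("End",)
def prefix(a, p):     return ("->", a, p)      # a -> P; a is an event, "available e" or "live"
def choice(p, q):     return ("choice", p, q)  # nondeterministic choice
def interleave(p, q): return ("par", p, q)     # nondeterministic interleaving (slide 18)
STAR = "*"  # the extra atomic formula of BTL* (slide 19); empty semantics, like End

def initials(p):
    """initials(P): the set of (first atom, continuation) pairs, slide 46."""
    if p[0] == "End":    return set()
    if p[0] == "->":     return {(p[1], p[2])}
    if p[0] == "choice": return initials(p[1]) | initials(p[2])
    return initials(npar(p[1], p[2]))

def npar(p, q):
    """npar(P, Q): rewrite an interleaving as a choice over its first steps, slide 46."""
    if p == END: return q
    if q == END: return p
    branches = [prefix(a, npar(x, q)) for a, x in sorted(initials(p), key=repr)]
    branches += [prefix(a, npar(x, p)) for a, x in sorted(initials(q), key=repr)]
    return reduce(choice, branches)

def pattern(p):
    """pattern: SPL -> BTL*, slide 45, as nested tuples; atom(t) is t itself."""
    if p[0] == "End":    return STAR
    if p[0] == "->":     return ("and", p[1], ("next", pattern(p[2])))
    if p[0] == "choice": return ("or", pattern(p[1]), pattern(p[2]))
    return pattern(npar(p[1], p[2]))

def drop_star(f):
    """Apply phi v * = phi, * ^ phi = phi, phi ^ * = phi (slide 19). The slides state
    no rule for next(*); next(*) = * is assumed here, as the slide-20 result requires."""
    if isinstance(f, str): return f
    if f[0] == "next":
        g = drop_star(f[1])
        return STAR if g == STAR else ("next", g)
    l, r = drop_star(f[1]), drop_star(f[2])
    if l == STAR: return r
    if r == STAR: return l
    return (f[0], l, r)

def render(f):
    """BTL formula as text; the next operator is written as a circle."""
    if isinstance(f, str): return f
    if f[0] == "next": return "○" + render(f[1])
    return "(" + render(f[1]) + (" ∧ " if f[0] == "and" else " ∨ ") + render(f[2]) + ")"

def to_btl(p):
    """SPL term -> BTL formula string, outermost parentheses dropped."""
    s = render(drop_star(pattern(p)))
    return s[1:-1] if s.startswith("(") else s
# slide 20: (a -> End) interleaved with (b -> End) gives (a ∧ ○b) ∨ (b ∧ ○a)
print(to_btl(interleave(prefix("a", END), prefix("b", END))))
```

The same pipeline handles the Cancel pattern of slide 25 (a plain choice, giving requestcancel ∨ reservetimeout) and longer prefixes, where npar recurses into the continuations.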
- 47. Bounded Existence – Preliminaries
  We extend BTL to BTLδ to include two new operators ¡ and U £ such that:
  ψ U^n φ = ( i∈{0..n−2} nexts_{i∗states(ψ)} (φ ∨ ψ)) ∧ nexts_{(n−1)∗states(ψ)} φ
  where
  - states(φ) returns one minus the furthest state the expression φ
  - nexts_i ψ = ψ for i ∈ N
  - next_φ ψ = ψ where n = states(φ)
  Note: ¡ n φ = true U^n φ £
- 48. Bounded Existence
  - The global existence of p with bound b – bound(p, false, b);
  - The existence of p with bound b before some behaviour q – ¡ n q ⇒ ¬q U^{n−getbound(b)∗states(p)} bound(p, q, b) £
  - The existence of p with bound b after some behaviour q – □(q ⇒ next_q (bound(p, q, b)))
  - The existence of p with bound b between behaviour q and r – □(q ⇒ (next_q ¡ n r ⇒ (bound(p, r, b) ∧ bound(p, r, b) R ¬r ∧ r R ¬q))) £, where n > getbound(b) ∗ states(p)
  - The existence of p after behaviour q until r – □(q ⇒ (next_q ¬r U^1 bound(p, r ∨ q, b)))
- 49. Bounded Existence
  bound(p, q, b) is defined as follows:
  - (= n) – i∈{0..n−1} (nexts_{i∗states(p)} p) ∧ nexts_{n∗states(p)} (q R ¬p)
  - (≥ n) – i∈{0..n−1} (nexts_{i∗states(p)} p)
  - (≤ n) – nexts_{n∗states(p)} (q R ¬p)
  and getbound(b) for some bound b denotes the number part of the value.
- 50. Example – "The bounded existence of p after q"
  Property – Either task A or C has to occur, followed by either one of them again, after Task B has occurred.

      Spec = let
        Spec0 = Proceed({ b }, Spec0 Spec1)
        Spec1 = b → (Spec2 Spec3)
        Spec2 = c → (Spec4 Spec5)
        Spec3 = a → (Spec4 Spec5)
        Spec4 = c → (Spec6 Spec7)
        Spec5 = a → (Spec6 Spec7)
        Spec6 = Proceed({ a, b, c }, Spec6 Spec7)
        Spec7 = b → (Spec2 Spec3)
      in Spec0 Spec1
      where Proceed(X, P) = Stop Skip ( x : Σ X • x → P)

- 51. Corresponding CSP specification...

      Spec0 = Proceed({ bookseat }, Spec0 Spec1)
      Spec1 = bookseat → (Spec2 Spec3 Spec4 Spec5 Spec6)
      Spec2 = Proceed({ bookseat, sendinvoice }, Spec7 Spec1)
      Spec3 = sendinvoice → (Spec0 Spec1)
      Spec4 = bookseat → (Spec2 Spec4 Spec8 Spec9)
      Spec5 = Proceed({ bookseat, requestcancel, reservetimeout }, Spec3)
      Spec6 = bookseat → (Spec3)
      Spec7 = Proceed({ bookseat, sendinvoice }, Spec0 Spec1)
      Spec8 = let poss = { bookseat, requestcancel, reservetimeout, sendinvoice } in Proceed(poss, Spec3)
      Spec9 = bookseat → (Spec3)
      Spec  = Spec0 Spec1

  - see: Revisit