Verifying Properties of Process Definitions - PowerPoint PPT Presentation
1
Verifying Properties of Process Definitions
  • Jamieson M. Cobleigh, Lori A. Clarke, and Leon J.
    Osterweil
  • Laboratory for Advanced Software Engineering
    Research
  • University of Massachusetts Amherst
  • http://laser.cs.umass.edu/

Thanks to Aaron Cass, Sandy Wise, and Hyungwon Lee
2
Outline
  • Process
  • Example Process
  • Analysis of the Process
  • Conclusions

3
What is a Process?
  • Agents

Complex Task
  • Examples
  • Design
  • Configuration Management
  • e-commerce

4
Example: An Auction
  • Need to coordinate bidders and auctioneer
  • These may be distributed over a network
  • May be human users or computer programs
  • Want a process definition that describes how to
    conduct an auction

5
  • A process definition language
  • Graphical language
  • Has rigorous formal semantics specified
  • Supports
  • Concurrency
  • Resource Management
  • Exceptions
  • Choice steps to give human users flexibility
  • Pre- and post-requisites

6
Little-JIL Step
(Diagram of a Little-JIL step; labels: Interface, Resources Used, Exceptions Thrown, Parameters, Pre-requisite, Post-requisite, Step Name, Substep Sequencing, Exception Handling, Control Flow)
7

8

(Diagram; label: NoMoreBidders)
9
Modeling Processes
  • This process is intuitively easy to understand
  • However, it still has complicated control
    structures
  • These constructs can mask erroneous behavior
  • Even high-level process definitions need to be
    validated

10
Auction Concerns
  • Are late bids considered?
  • Does the highest bidder win the auction?
  • Is the auction vulnerable to fraud?

11
  • FLow Analysis for VERification of Systems
  • Can verify concurrent and sequential software
  • Uses an efficient state propagation algorithm
  • Worst case bounds O(N²S)
  • Relatively language independent: Ada, Java, C,
    Jovial
  • Can incrementally add information to the analysis
    to improve precision

12
FLAVERS Overview
(Diagram; components: Property Specification, Property Translator, Property FSA, Software, Software Translator, TFG, State Propagation, Results)
13
FLAVERS Model
  • A Trace Flow Graph (TFG)
  • Derived from labeled Control Flow Graphs (CFG)
  • Labels represent events of interest
  • Need CFG models for Little-JIL constructs

14
Leaf Step Model
15
A Choice Step
(Diagram of a Choice step with substeps Do A, Do B, Do C; model labels: A Completed, A Terminated, Do B, Do C, Choice Completed)

16
Choice Step Model
17
Properties Checked
  • No Late Bids Accepted
  • Checked on the Open-Cry Auction
  • Inconclusive Results
  • Several process experts studied the example in
    detail without noticing the fault
  • Need to add an AuctionNotClosed prerequisite to
    Update Best Bid

18
Race Condition Property
  • Another property involved data flow
  • There is a variable best that keeps track of the
    best bid seen so far
  • Can be used by multiple steps concurrently
  • Want to ensure there is no race condition

19
Race Condition Can Exist
  • Determined a race condition can exist
  • Auctioneer could be considering two bids at the
    same time
  • Two updates to best occur
  • The final value of best depends on the order of
    the updates

20
No Race Condition
  • Need to ensure proper access to variable best
  • Requires knowledge of agent behavior
  • Proved that without access control a race
    condition can occur
  • Proved that with a lock on best, no race
    condition can occur
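
As an added example, not taken from the slides or from the FLAVERS tool itself, the race check of slides 18 through 20 can be reproduced on a tiny model of the Update Best Bid step: every interleaving of two concurrent updates to best is enumerated, first with the read and the write as separate events (no access control) and then with a lock that makes the update one atomic event. Bidder names and bid amounts are constructed.

```python
from itertools import combinations

# Constructed input (not from the slides): bidder -> bid amount
BIDS = {"A": 10, "B": 5}

def interleavings(a, b):
    """Yield every merge of two event sequences that keeps each sequence's order."""
    n = len(a) + len(b)
    for idx in combinations(range(n), len(a)):  # positions taken by events of a
        out, ia, ib = [], 0, 0
        for i in range(n):
            if i in idx:
                out.append(a[ia]); ia += 1
            else:
                out.append(b[ib]); ib += 1
        yield out

def unlocked_trace(bidder, bid):
    """Update Best Bid with no access control: read best, later write it."""
    return [("read", bidder, bid), ("write", bidder, bid)]

def locked_trace(bidder, bid):
    """Update Best Bid under a lock on best: read-compare-write is one event."""
    return [("update", bidder, bid)]

def run(trace):
    """Execute one interleaving and return the final value of best."""
    best, local = 0, {}
    for op, bidder, bid in trace:
        if op == "read":
            local[bidder] = best          # stale copy the bidder's step compares against
        elif op == "write" and bid > local[bidder]:
            best = bid                    # may overwrite a higher bid written in between
        elif op == "update" and bid > best:
            best = bid
    return best

def check_no_race(make_trace, bids=BIDS):
    """Return the interleavings whose final best is not the highest bid."""
    (b1, x1), (b2, x2) = bids.items()
    highest = max(bids.values())
    return [t for t in interleavings(make_trace(b1, x1), make_trace(b2, x2))
            if run(t) != highest]

if __name__ == "__main__":
    print(len(check_no_race(unlocked_trace)), "bad interleavings without a lock")
    print(len(check_no_race(locked_trace)), "bad interleavings with a lock")
```

Without the lock, two of the six interleavings leave best at the lower bid, which is the race the slides describe; with the lock, every interleaving ends with the highest bid.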

21
Analysis Results
The Little-JIL program had 8 steps
22
Conclusions
  • Process models have strengths and weaknesses
  • Leads to intuitive understanding
  • Can mislead people into believing they understand
    the process
  • Our example illustrates how important it is to
    validate processes
  • FLAVERS successfully analyzed the Little-JIL
    process
  • There is a tension between expressiveness and
    analyzability
  • Humans require flexibility, leading to more
    complex analysis