Скачать презентацию CS 290 C Formal Models for Web Software
650ec262710277ea22555d9baf58cea2.ppt
- Количество слайдов: 18
Скачать презентацию CS 290 C Formal Models for Web Software
Скачать презентацию CS 290 C Formal Models for Web Software
CS 290 C: Formal Models for Web Software Lecture 5: Modeling and Verification of Adaptive Navigation Instructor: Tevfik Bultan
Modeling Navigation with Session State • We discussed navigation for statically linked pages • However, nowadays many web applications use dynamically created pages • Moreover, based on the status of the session, the links that are available for an application can change • The following paper discusses modeling navigation in such cases: “Modeling and Verification of Adaptive Navigation in Web Applications” Minmin Han & Christine Hofmeister, ICWE 2006 • What the authors call adaptive navigation is basically navigation with session state
Navigation and the Session State • Based on the state of the session, navigation sequence may change • For example – Clicking on a link may send the user to the login page if the user is not logged in yet – If the user is logged in the destination page may be shown • Navigation can also be influenced by the session history • For example – After the login page the next page that will be shown may depend on what the previous action was
How to Model Navigation with Session State • Use statecharts • Model session state as AND-sub-states • For example, – we can have a sub-state that keeps track of the login status – Another sub-state can store the last action that was requested • These states can be combined with the state machine that models the navigation links
Example: Blockbuster website Navigation model Page navigation Login status Previous request
![Example: Blockbuster website Login status Page navigation Movie list queue[in Logged-in] Queue Logged-in logged-in](https://present5.com/presentation/650ec262710277ea22555d9baf58cea2/image-6.jpg "Example: Blockbuster website Login status Page navigation Movie list queue[in Logged-in] Queue Logged-in logged-in")
Example: Blockbuster website Login status Page navigation Movie list queue[in Logged-in] Queue Logged-in logged-in queue[in Logged-out] logged-out Login login-success/logged-in Loggedout
Navigation Model Verification • After generating the navigation model we would like to verify it • We discussed the Spin model checker in the last lecture • SMV is another model checking tool that can be used for verification of navigation constraints
Navigation constraints in CTL • SMV is a CTL model checker • To verify the navigation model using SMV we have to write navigation properties in CTL • Some CTL formulas that can be used for navigation verification AG p: p holds on all states of all paths from the initial state (equivalently, p holds on all states that are reachable from the initial state) EF p: p holds on at some point on some path from the initial state (equivalently, p is reachable from the initial state) AG EF p: for every state that is reachable from the initial state, there exists a path on which at some point p holds
Navigation constraints in CTL AG (p => AX q) : For all reachable states, if p holds, then in the next state q holds AG (p => EX q) : For all reachable states, if p holds, then there exists a next state where q holds AG(p => AF q): For all reachable states, if p holds, then eventually q will hold AG(p => EF q): For all reachable states, if p holds, then there exists a path on which eventually q holds
![SMV [Mc. Millan 93] • • BDD-based symbolic model checker Finite state Temporal logic:](https://present5.com/presentation/650ec262710277ea22555d9baf58cea2/image-10.jpg "SMV [Mc. Millan 93] • • BDD-based symbolic model checker Finite state Temporal logic:")
SMV [Mc. Millan 93] • • BDD-based symbolic model checker Finite state Temporal logic: CTL Focus: hardware verification – Later applied to software specifications, protocols, etc. • SMV has its own input specification language – concurrency: synchronous, asynchronous – shared variables – boolean and enumerated variables – bounded integer variables (binary encoding) • SMV is not efficient for integers, but that can be fixed – fixed size arrays
SMV language • SMV specificaitons consist of a set of modules – There is always a main module • Variables are initialized using the init construct • The next values of the variables are assigned using the next construct • Case statements are used for assigning next values of variables – First case condition that evaluates to true determines the next value of the case expression • Assignments in a module are executed synchronously • Multiple modules can be executed asynchronously
SMV language MODULE main VAR request: boolean; state : {ready, busy}; ASSIGN init(state) : = ready; next(state) : = case state = ready & request : busy; 1 : {ready, busy}; esac; SPEC AG(request -> AF state = busy);
Example Mutual Exclusion Protocol Two concurrently executing processes are trying to enter a critical section without violating mutual exclusion Process 1: while (true) { out: a : = true; turn : = true; wait: await (b = false or turn = false); cs: a : = false; } || Process 2: while (true) { out: b : = true; turn : = false; wait: await (a = false or turn); cs: b : = false; }
Example Mutual Exclusion Protocol in SMV MODULE process 1(a, b, turn) VAR pc: {out, wait, cs}; ASSIGN init(pc) : = out; next(pc) : = case pc=out : wait; pc=wait & (!b | !turn) : cs; pc=cs : out; 1 : pc; esac; next(turn) : = case pc=out : 1; 1 : turn; esac; next(a) : = case pc=out : 1; pc=cs : 0; 1 : a; esac; next(b) : = b; FAIRNESS running MODULE process 2(a, b, turn) VAR pc: {out, wait, cs}; ASSIGN init(pc) : = out; next(pc) : = case pc=out : wait; pc=wait & (!a | turn) : cs; pc=cs : out; 1 : pc; esac; next(turn) : = case pc=out : 0; 1 : turn; esac; next(b) : = case pc=out : 1; pc=cs : 0; 1 : b; esac; next(a) : = a; FAIRNESS running
Example Mutual Exclusion Protocol in SMV MODULE main VAR a : boolean; b : boolean; turn : boolean; p 1 : process 1(a, b, turn); p 2 : process 2(a, b, turn); SPEC AG(!(p 1. pc=cs & p 2. pc=cs)) -- AG(p 1. pc=wait -> AF(p 1. pc=cs)) & AG(p 2. pc=wait -> AF(p 2. pc=cs)) Here is the output when I run SMV on this example to check the mutual exclusion property % smv mutex. smv -- specification AG (!(p 1. pc = cs & p 2. pc = cs)) is true resources used: user time: 0. 01 s, system time: 0 s BDD nodes allocated: 692 Bytes allocated: 1245184 BDD nodes representing transition relation: 143 + 6
Example Mutual Exclusion Protocol in SMV The output for the starvation freedom property: % smv mutex. smv -- specification AG (p 1. pc = wait -> AF p 1. pc = cs) & AG. . . is true resources used: user time: 0 s, system time: 0 s BDD nodes allocated: 1251 Bytes allocated: 1245184 BDD nodes representing transition relation: 143 + 6
Example Mutual Exclusion Protocol in SMV Let’s insert an error change pc=wait & (!b | !turn) : cs; to pc=wait & (!b | turn) : cs;
% smv mutex. smv -- specification AG (!(p 1. pc = cs & p 2. pc = cs)) is false -- as demonstrated by the following execution sequence state 1. 1: a = 0 b = 0 turn = 0 p 1. pc = out p 2. pc = out [stuttering] state 1. 2: [executing process p 2] state 1. 3: b = 1 p 2. pc = wait [executing process p 2] state 1. 4: p 2. pc = cs [executing process p 1] state 1. 5: a = 1 turn = 1 p 1. pc = wait [executing process p 1] state 1. 6: p 1. pc = cs [stuttering] resources used: user time: 0. 01 s, system time: 0 s BDD nodes allocated: 1878 Bytes allocated: 1245184 BDD nodes representing transition relation: 143 + 6
Скачать презентацию CS 290 C Formal Models for Web Software
650ec262710277ea22555d9baf58cea2.ppt