Outline
advertisement
Specification and Refinement by Probabilistic Sequence
Diagrams
Knut Eilif Husa, Atle Refsdal
SARDAS 20040510 Slide 1
Knut Eilif Husa, Atle Refsdal
Outline
•
•
•
•
•
•
•
•
Motivation
Probabilistic sequence diagrams: notation and intuition
Semantics of events and traces
Composition of traces
Semantics of probabilistic sequence diagrams
Automatic Teller Machine example
Refinement
Further work
SARDAS 20040510 Slide 2
Knut Eilif Husa, Atle Refsdal
1
Motivation
• Sequence diagrams are frequently used
• By introducing probabilities the expressive power of
sequence diagrams is increased:
• Probabilistic behavior
• Games
• Security
• Abstraction
• Complex behavior
• System environment
• “Users type a wrong password in 10% of the cases”
• Integration of “soft” and/or “non-functional” requirements
in the models
• availability, dependability
SARDAS 20040510 Slide 3
Knut Eilif Husa, Atle Refsdal
Motivation: Why formal
semantics?
• Avoid misunderstandings and conflicting interpretations
• Prove/verify that requirements are met and properties hold
• Allow tool support
SARDAS 20040510 Slide 4
Knut Eilif Husa, Atle Refsdal
2
Notation and intuition
Probability
predicate on an
event
No explicit
probability
predicate:
Shorthand for
(0≤x≤1)
Probability
predicate on
alternatives
Alternatives
”Black dot
predicate”:
Shorthand for z=1
SARDAS 20040510 Slide 5
Knut Eilif Husa, Atle Refsdal
Interpretation of UML
Sequence Diagrams
• Existential interpretation
(scenarios, partial
specifications)
• Universal interpretation
(behaviour present in all
executions)
SARDAS 20040510 Slide 6
Knut Eilif Husa, Atle Refsdal
3
Why the intuition may fool
you
• Trace probabilities in diagram does not sum up to one
⇒existential interpretation
• Trace probabilities in diagram sum up to one
⇒universal interpretation
• Probabilities can only be regarded as conditional on the
trace prefix in diagrams where the trace probabilities sum
up to one
• If the sum of trace probabilities is less than one the
probabilities are conditional on both the trace prefix and
postfix (applies in the context they are placed)
SARDAS 20040510 Slide 7
Knut Eilif Husa, Atle Refsdal
Semantics of events and traces
• A message m is a triple (s, tr, re) where
•
•
•
•
s is a signal,
tr is a transmitter and
re is a receiver
both tr and re are lifelines
• An event is a pair (k, m) where
• k is a kind: either ! (transmit) or ? (receive)
• m is a message
• Example of an event: (!, (hello, Alice, Bob)) denotes the
transmission of the signal ”hello” from Alice to Bob.
• Often abbreviated to !hello in discussions
• A trace is a finite sequence of events such that every
transmit event occurs before the corresponding receive
event (if both are present)
SARDAS 20040510 Slide 8
Knut Eilif Husa, Atle Refsdal
4
Composition of traces:
Parallell merge
• t1║t2 = T, where T is the set of all traces such that
• all events from t1 and t2 are included (and no other events)
• the ordering of events from t1 and from t2 are preserved
• Example: Let
• t1=‹!a ?a› and t2=‹!b ?b›
• the transmitter of a = the transmitter of b
• the receiver of a = the receiver of b
• ..then t1║t2 =
{‹!a ?a !b ?b›, ‹!a !b ?a ?b›, ‹!b ?b !a ?a›, ‹!b !a ?b ?a›}
SARDAS 20040510 Slide 9
Knut Eilif Husa, Atle Refsdal
Composition of traces: Weak
sequencing
• t1 ≿ t2 = T, where T is the set of all traces that such that
• all events from t1 and t2 are included (and no other events)
• the ordering of events on t1 and on t2 are preserved
• events on a lifeline from t1 come before events from t2 on the
same lifeline
• Example: Let
• t1=‹!a ?a› and t2=‹!b ?b›
• the transmitter of a = the transmitter of b
• the receiver of a = the receiver of b
• ..then t1 ≿ t2 ={‹!a ?a !b ?b›, ‹!a !b ?a ?b›}
• Note that weak sequencing degenerates to parallel
composition if there are no common lifelines
SARDAS 20040510 Slide 10
Knut Eilif Husa, Atle Refsdal
5
Composition of trace sets
• The composition operators for traces are extended to sets
of traces:
• T1 ≿ T2 = ∪t1∈T1 ∪t2∈T2 t1 ≿ t2
• T1 ║ T2 = ∪t1∈T1 ∪t2∈T2 t1 ║ t2
SARDAS 20040510 Slide 11
Knut Eilif Husa, Atle Refsdal
Semantics of probabilistic
sequence diagrams
• The semantics is defined in terms of a function〚_〛that
for every diagram d yields a pair〚d〛= (T,F) where
• T is a set of finite traces
• F is a set of functions f : U→[0,1] assigning probabilities to all finite
traces.
• U is the universe of all finite traces
• We call T the described traces
• A trace t such that ∀f∈F:f(t)=0 correspond to a
invalid/negative trace in the UML sense
• A trace t such that ∀f∈F:f(t)>0 represents mandatory
behaviour
• Non-deterministic choice between elements in F
• If F contains only one function then the specification is fully
probabilistic (no non-determinism)
SARDAS 20040510 Slide 12
Knut Eilif Husa, Atle Refsdal
6
psd semantics: Single event
diagram
probability
predicate
event
f is a probability
distribution on
U
〚(!hello ; 0.5 > x > 0.8)〛= (T,F)
where
• T={‹!hello›}
• F={f | 0.5 > f(‹!hello›)>0.8 ∧
∑t∈Uf(t)=1}
SARDAS 20040510 Slide 13
Knut Eilif Husa, Atle Refsdal
psd semantics: Sequential
composition
Let〚d1〛= (T1,F1),
〚d2〛= (T2,F2)
Probabilities are distributed
on the set t1 ≿ t2
⇒ non-determinism
SARDAS 20040510 Slide 14
Knut Eilif Husa, Atle Refsdal
7
psd semantics: Parallell
composition
• Exactly like sequential composition, except that ≿ is
replaced by ║ everywhere it occurs
SARDAS 20040510 Slide 15
Knut Eilif Husa, Atle Refsdal
Par: Example
• Let〚d1〛= (T1,F1),〚d2〛= (T2,F2) where
•
•
•
•
T1={t1, t3}, t1=‹!a›, t3=‹!a !b›
F1={f1}
T2={t2, t4}, t2=‹!b !c›, t4=‹!c›
F2={f2}
• Let〚d1 par d2〛= (T,F)
G(t1, t2) ={g | ∑t∈t1║t2g(t) = f1(t1)*f2(t2)}
G(t3, t4) ={g | ∑t∈t3║4g(t) = f1(t3)*f2(t4)}
t1║t2
Contribution only
from G(t1, t2)
t3║t4
‹!b !c !a›
‹!b !a !c›
‹!c !a !b›
‹!a !b !c›
‹!a !c !b›
Contribution only
from G(t3, t4)
Contribution from both
G(t1, t2) and G(t3, t4)
SARDAS 20040510 Slide 16
Knut Eilif Husa, Atle Refsdal
8
psd semantics: Probabilistic
alternative
SARDAS 20040510 Slide 17
Knut Eilif Husa, Atle Refsdal
Example: atm
No assumptions are made
regarding the client’s behavior in
the inital phase
Two possible continuations after
the initial phase:
-starting with correct PIN: p>90%
- starting with incorrect PIN: p<10%
- nothing else can happen
Many possible continuations after
a correct PIN has been entered:
- withdrawing 20 euros: 20%<p<40%
- withdrawing 50 euros: 40%<p<70%
- something else might happen
SARDAS 20040510 Slide 18
Knut Eilif Husa, Atle Refsdal
9
Refinement: Motivation
• Precise interpretation of the steps in incremental system
development
• From a fuzzy, rough sketch to a precise and detailed description
• Removing underspecification
• The refined (more detailed) description conforms to the
original
• ⇒ Certain properties are preserved
• Earlier analysis results remain relevant
• Probabilistic Sequence Diagrams + refinement:
• ⇒ A development process where probabilistic (soft)
requirements are integrated from the start
SARDAS 20040510 Slide 19
Knut Eilif Husa, Atle Refsdal
Refinement: Definition
All described traces remain described
through a refinement
New probabilities cannot be
assigned to old traces
SARDAS 20040510 Slide 20
T
F
T’
T
;
ΠT.F
T’
F’
ΠT.F’
Knut Eilif Husa, Atle Refsdal
10
Refinement: Example
The acceptable range of
probability for some
traces has been reduced
x≥0.99 & y≤0.01
New traces have been
added
-withdrawing 100 euros
SARDAS 20040510 Slide 21
Knut Eilif Husa, Atle Refsdal
Further work
• Add time
• The loop
• How do we handle undecidability?
• F is not countable
• f(t) have a infinite number of decimals
• Proofs
• Is refinement monotonic with respect to composition
• Associativity of seq and par
• Commutativity of par
• Relationship to probabilistic state machines
• Suitable language for expressing properties
SARDAS 20040510 Slide 22
Knut Eilif Husa, Atle Refsdal
11
