5 Testing Theory and the Linear Time – Branching Time Spectrum

5.1 Trace-refusals Semantics

pairs, where the elements of each pair are a trace and a refusal. However, the two are isomorphic formulations and one can trivially be regained from the other. For example, the following function will map a LOTOS-style trace-refusals characterisation to a CSP-style set of failures, where $T$ is a set of traces and $Ref$ is a function from traces to sets of refusal sets.

$$toF((T, Ref)) \triangleq \bigcup_{\sigma \in T} \{\, (\sigma, X) \mid X \in Ref(\sigma) \,\}$$

We present a series of examples to illustrate the LOTOS trace-refusals concept.

5.1.2.1 Example 1

$P_1$ := stop

$$[\![P_1]\!]_{tr} = \{\epsilon\}, \qquad Ref_{P_1}(\epsilon) = \mathcal{P}(L)$$

The deadlock behaviour will perform nothing and refuse everything.

5.1.2.2 Example 2

$P_2$ := x ; y ; stop, assuming $L = \{x, y\}$

$$[\![P_2]\!]_{tr} = \{\epsilon, x, xy\}$$
$$Ref_{P_2}(\epsilon) = \{\emptyset, \{y\}\}$$
$$Ref_{P_2}(x) = \{\emptyset, \{x\}\}$$
$$Ref_{P_2}(xy) = \{\emptyset, \{x\}, \{y\}, \{x, y\}\} = \mathcal{P}(L)$$

As suggested by this example, refusal sets are subset closed, because, if a set of actions is refused, clearly, all subsets of the set of actions will also be refused.

5.1.2.3 Example 3

$P_3$ := x ; ( y ; stop [] z ; stop ), assuming $L = \{x, y, z\}$

$$[\![P_3]\!]_{tr} = \{\epsilon, x, xy, xz\}$$
$$Ref_{P_3}(\epsilon) = \mathcal{P}(L \setminus \{x\})$$
$$Ref_{P_3}(x) = \{\emptyset, \{x\}\}$$
$$Ref_{P_3}(xy) = Ref_{P_3}(xz) = \mathcal{P}(L)$$

At a choice point, e.g. after the trace $x$, every action, apart from the actions offered in the choice, is refused.

5.1.2.4 Example 4

$P_4$ := ( x ; y ; stop ) [] ( x ; z ; stop ), assuming $L = \{x, y, z\}$

$$[\![P_4]\!]_{tr} = \{\epsilon, x, xy, xz\}$$
$$Ref_{P_4}(\epsilon) = \mathcal{P}(L \setminus \{x\})$$
$$Ref_{P_4}(x) = \{\emptyset, \{x\}, \{y\}, \{z\}, \{x, y\}, \{x, z\}\}$$
$$Ref_{P_4}(xy) = Ref_{P_4}(xz) = \mathcal{P}(L)$$

This illustrates that choice points are distinguished, because the refusals of $P_3$ and $P_4$ are different (notice their trace sets are the same). The two behaviours are differentiated by the refusals after the trace $x$. $P_3$ only refuses $x$, whereas $P_4$ refuses all subsets of $\{x, y\}$ and $\{x, z\}$. This is because the refusals of $P_4$ after the trace $x$ are a composite of the refusals at the two states that can be reached after the trace $x$.
So, after a particular trace, a behaviour might be able to get into a number of different states and a refusal at each of these states is a refusal of the behaviour after the trace. This is an important point, which generates much of the subtlety of refusals. Such situations are characteristic of nondeterministic behaviour. However, the set $\{y, z\}$ is not a refusal of $P_4$ after $x$, because if the environment offers both $y$ and $z$, one of them will be able to be performed and thus, a deadlock will not result. In addition, note that actions can be both performed and refused after a particular trace; e.g. $y$ can be offered after $x$, but it can also be refused.

We postpone considering examples of how internal behaviour is represented until we have presented the trace-refusals concept formally.

5.1.3 Deriving Trace-refusal Pairs

There are basically two approaches to deriving trace-refusals pairs from pbLOTOS specifications. The first is via labelled transition systems and the second is through a direct semantics. We consider these in turn.

5.1.3.1 Deriving Trace-refusals from Labelled Transition Systems

The standard semantics for LOTOS are labelled transition systems; this is the semantic model presented in the defining standard [104]. Thus, a natural approach is to derive trace-refusals semantics indirectly via labelled transition systems. Thus, LOTOS specifications are first mapped to labelled transition systems and then a trace-refusals characterisation is derived from the labelled transition system. In fact, this is the standard approach for deriving trace-refusals for LOTOS.

The heart of the labelled transition system to trace-refusals mapping is the double arrow transition relation defined in Section 3.3.2.3, which was used there to generate trace sets from labelled transition systems. Our approach here is a natural extension of the mapping of Section 3.3.2.3.
An important mapping used in constructing trace-refusals is after, which is defined as,

$$B \text{ after } \sigma \triangleq \{\, B' \mid B \stackrel{\sigma}{\Longrightarrow} B' \,\}$$

which denotes the set of all states reachable from $B$, after performing the trace $\sigma$. Using this mapping, we can define the refusals of a behaviour after a particular trace:

$$Ref_B(\sigma) \triangleq \{\, X \mid \exists B' \in B \text{ after } \sigma \ \text{s.t.}\ \forall x \in X,\ B' \stackrel{x}{\not\Longrightarrow} \,\}$$

This denotes the set of all sets, $X$ say, such that a state can be reached after $\sigma$, at which all actions in $X$ are refused. It is important to notice that this is a set of sets; i.e. all possible refusals after performing the trace $\sigma$. Also notice that, as indicated earlier, the refusals after a particular trace are a composite of the refusals at each state reachable after that trace.

5.1.3.2 Direct Denotational Semantics

The failures semantics for CSP are defined using a direct denotational semantics [171]. Thus, the effect of each operator on the traces and refusals is defined directly. Leduc [120] attempts to give a similar direct semantics for LOTOS, however, it is important to note that the modelling of divergence in his semantics is very different from that employed in the CSP semantics (as discussed in the next section). In particular, he seeks to give a noncatastrophic interpretation of divergence, which is in accordance with the standard LOTOS interpretation of the concept. However, this turns out to be problematic and Leduc shows that the LOTOS hiding operator cannot be fully modelled in this setting. The problem is that it is very hard to see how to give hiding a compositional semantics. Due to this complexity we do not present a direct denotational semantics here; the interested reader is referred to Leduc’s thesis [120].

5.1.4 Internal Behaviour

The handling of internal behaviour in trace-refusals semantics leads to much of the subtlety and power of the approach.
This section presents examples of how pbLOTOS behaviours with internal actions map to trace-refusals models. These follow on from the examples presented in Section 5.1.2. The pbLOTOS behaviours:

$P_1$ := i ; i ; x ; y ; stop
$P_2$ := x ; i ; y ; stop
$P_3$ := x ; stop [] y ; stop
$P_4$ := ( i ; x ; stop ) [] ( i ; y ; stop )
$P_5$ := ( i ; x ; stop ) [] ( y ; stop )

with $L = \{x, y\}$, have the following trace-refusals characterisations.

$$[\![P_1]\!]_{tr} = \{\epsilon, x, xy\}, \quad Ref_{P_1}(\epsilon) = \{\emptyset, \{y\}\}, \quad Ref_{P_1}(x) = \{\emptyset, \{x\}\}, \quad Ref_{P_1}(xy) = \mathcal{P}(L)$$
$$[\![P_2]\!]_{tr} = \{\epsilon, x, xy\}, \quad Ref_{P_2}(\epsilon) = \{\emptyset, \{y\}\}, \quad Ref_{P_2}(x) = \{\emptyset, \{x\}\}, \quad Ref_{P_2}(xy) = \mathcal{P}(L)$$
$$[\![P_3]\!]_{tr} = \{\epsilon, x, y\}, \quad Ref_{P_3}(\epsilon) = \{\emptyset\}, \quad Ref_{P_3}(x) = Ref_{P_3}(y) = \mathcal{P}(L)$$
$$[\![P_4]\!]_{tr} = \{\epsilon, x, y\}, \quad Ref_{P_4}(\epsilon) = \{\emptyset, \{x\}, \{y\}\}, \quad Ref_{P_4}(x) = Ref_{P_4}(y) = \mathcal{P}(L)$$
$$[\![P_5]\!]_{tr} = \{\epsilon, x, y\}, \quad Ref_{P_5}(\epsilon) = \{\emptyset, \{y\}\}, \quad Ref_{P_5}(x) = Ref_{P_5}(y) = \mathcal{P}(L)$$

We discuss each of these in turn.

1. The trace-refusals characterisation of $P_1$ is the same as the trace-refusals characterisation for x ; y ; stop; this is because the internal actions do not create any nondeterminism. Also, because refusals are defined in terms of the $\Longrightarrow$ transition relation, the internal actions guarding $x$ will be skipped over and all states reachable after the empty trace; i.e. i ; i ; x ; y ; stop, i ; x ; y ; stop and x ; y ; stop, will have the same refusals; i.e. $\emptyset$ and $\{y\}$.

2. The point to note here is that the trace-refusals of $P_2$ are identical to those of $P_1$, because once again, the internal action does not affect the observable behaviour.

3. $P_3$ is included as a point of comparison with the refusals of $P_4$ and $P_5$. Notice in particular that, after the empty trace, $P_3$ does not refuse any actions. This is because both actions in the alphabet of the behaviour are offered.

4. In contrast, $P_4$ offers a symmetric nondeterministic choice created through internal behaviour. Thus, we would expect that $P_4$ would have a different refusal characterisation after the empty trace to $P_3$. In explaining the refusal sets derived, you should first notice that $P_4$ after $\epsilon$ contains three states: the initial state, which we reference as $P_4$, x ; stop and y ; stop. This is because $P_4 \stackrel{\epsilon}{\Longrightarrow}$ can map to any of these states. Thus, a refusal at any one of these states will be a refusal of $P_4$ after $\epsilon$. In the initial state, only the empty set can be refused, because $P_4 \stackrel{x}{\Longrightarrow}$ and $P_4 \stackrel{y}{\Longrightarrow}$. So, the initial state does not contribute any “proper” refusals. However, in state x ; stop, both the empty set and $\{y\}$ are refusals and, similarly, in state y ; stop both the empty set and $\{x\}$ are refusals. Thus, these are all members of $Ref_{P_4}(\epsilon)$. What this refusal characterisation is modelling is the fact that, after the empty trace, $P_4$ could be in a state where it refuses $\{x\}$ and it could be in a state where it refuses $\{y\}$. However, it cannot be in a state where it refuses $\{x, y\}$.

5. Our final example is that of an asymmetric nondeterministic choice. Once again the interesting refusals are those after the empty trace. Notice that $P_5$ after $\epsilon$ will contain two states: $P_5$ and x ; stop. As was the case for $P_4$, $P_5$ has no proper refusals, but $y$ can be refused at state x ; stop.

In understanding refusal characterisations of nondeterministic behaviour you should remember that we are working in an untimed setting. Thus, it is assumed, that, if an environment / tester is offering a particular action, this offer will wait for any finite period necessary for the behaviour being observed to complete any internal evolution. Thus, in $P_5$, the action $x$ cannot be refused after the empty trace, because any tester will wait an arbitrarily long period for $P_5$ to evolve to state x ; stop.

In a similar vein, consider the following processes with cyclic behaviour, transition systems for which are shown in Figure 5.2.

[Fig. 5.2. Processes with Cyclic Behaviour: transition systems (1) $Q_1$, (2) $Q_2$, (3) $Q_3$]

1. $Q_1$ := x ; Q and Q := y ; Q [] z ; stop
2. $Q_2$ := x ; Q and Q := y ; i ; Q [] z ; stop
3. $Q_3$ := x ; Q and Q := i ; y ; Q [] z ; stop

Assuming $L = \{x, y, z\}$ and that $Y$ is the set of all (nonempty) sequences containing a finite repetition of $y$; i.e. $y, yy, yyy, \ldots$, we have the following trace-refusals characterisations.

$$[\![Q_1]\!]_{tr} = [\![Q_2]\!]_{tr} = [\![Q_3]\!]_{tr} = \{\epsilon, x\} \cup \{x\sigma \mid \sigma \in Y\} \cup \{x\sigma z \mid \sigma \in Y\}$$
$$Ref_{Q_1}(\epsilon) = Ref_{Q_2}(\epsilon) = Ref_{Q_3}(\epsilon) = \{\emptyset, \{y\}, \{z\}, \{y, z\}\}$$
$$Ref_{Q_1}(x) = Ref_{Q_2}(x) = \{\emptyset, \{x\}\}$$
$$Ref_{Q_3}(x) = \{\emptyset, \{x\}, \{z\}, \{x, z\}\}$$
$$\forall \sigma \in Y,\ Ref_{Q_1}(x\sigma) = Ref_{Q_2}(x\sigma) = \{\emptyset, \{x\}\}$$
$$\forall \sigma \in Y,\ Ref_{Q_3}(x\sigma) = \{\emptyset, \{x\}, \{z\}, \{x, z\}\}$$
$$\forall \sigma \in Y,\ Ref_{Q_1}(x\sigma z) = Ref_{Q_2}(x\sigma z) = Ref_{Q_3}(x\sigma z) = \mathcal{P}(L)$$

Thus, $Q_1$ and $Q_2$ are indistinguishable in trace-refusals semantics. This is because the internal action in $Q_2$ does not create nondeterminism, thus, it is important to note that after performing $x\sigma$ (for $\sigma \in Y$), $Q_2$ is either in state Q or i ; Q and neither of these states can refuse $z$. However, the state y ; Q, reachable by $Q_3$ after performing $x\sigma$ (for $\sigma \in Y$), and actually also after performing $x$, refuses $z$. Consequently, an observer that, for example, wishes to perform the trace $xyyyz\delta$, will always manage to reach $\delta$ (here used as a signal of successful completion of an observation) with $Q_1$ or $Q_2$, whereas, with $Q_3$, it may deadlock attempting to perform the $z$ and thus, not reach the $\delta$.

Much of the difference between alternative refusal-based semantic models is associated with the interpretation of infinite internal behaviour. This, for example, is a major difference between the CSP failures model and LOTOS trace-refusals, which we discuss in some depth in Section 7.2.6. However, as a precursor to that discussion, here we consider the nature of the LOTOS trace-refusals interpretation of cyclic internal behaviour.
The first point to note is that, unlike many other approaches (see [192] and especially CSP [171]), there is no extra semantic item, such as a set of divergences, added to the basic trace-refusals pair. Thus, divergence; i.e. infinite internal behaviour, is semantically handled by the trace-refusals structure.

This is best understood by example. Consider the following behaviours, transition systems for which are shown in Figure 5.3.

1. $R_1$ := x ; stop
2. $R_2$ := x ; R and R := i ; R
3. $R_3$ := x ; R and R := i ; i ; R
4. $R_4$ := x ; i ; R and R := i ; R
5. $R_5$ := x ; y ; stop
6. $R_6$ := x ; R and R := ( y ; stop ) [] ( i ; R )
7. $R_7$ := x ; R and R := ( i ; y ; stop ) [] ( i ; R )

[Fig. 5.3. Processes with Infinite Internal Behaviour: transition systems (1) to (7) for $R_1$ to $R_7$]

Now, assuming that $L = \{x\}$, we have the following trace-refusals characterisations for the first four processes.

$$[\![R_1]\!]_{tr} = [\![R_2]\!]_{tr} = [\![R_3]\!]_{tr} = [\![R_4]\!]_{tr} = \{\epsilon, x\}$$
$$Ref_{R_1}(\epsilon) = Ref_{R_2}(\epsilon) = Ref_{R_3}(\epsilon) = Ref_{R_4}(\epsilon) = \{\emptyset\}$$
$$Ref_{R_1}(x) = Ref_{R_2}(x) = Ref_{R_3}(x) = Ref_{R_4}(x) = \mathcal{P}(L)$$

So, these four behaviours are indistinguishable by LOTOS trace-refusals. Thus, with regard to the notion of observability inherent in these semantics, the internal behaviour included fails to render $R_2$, $R_3$ or $R_4$ distinguishable from $R_1$. The intuition for this is that, although a process may be infinitely evolving internally, this is not externally visible and is, thus, indistinguishable from a process that has deadlocked.

Now, assuming that $L = \{x, y\}$, we have the following trace-refusals characterisations for the final three processes above.
$$[\![R_5]\!]_{tr} = [\![R_6]\!]_{tr} = [\![R_7]\!]_{tr} = \{\epsilon, x, xy\}$$
$$Ref_{R_5}(\epsilon) = Ref_{R_6}(\epsilon) = Ref_{R_7}(\epsilon) = \{\emptyset, \{y\}\}$$
$$Ref_{R_5}(x) = Ref_{R_6}(x) = Ref_{R_7}(x) = \{\emptyset, \{x\}\}$$
$$Ref_{R_5}(xy) = Ref_{R_6}(xy) = Ref_{R_7}(xy) = \mathcal{P}(L)$$

So, again, including divergent loops is not detectable in these processes according to LOTOS trace-refusals. For example, the reason that $R_5$ and $R_7$ are indistinguishable is that, although, after performing trace $x$, $R_7$ may be in a state where $y$ is not immediately offered, it will eventually (i.e. in a finite period of time) evolve into a state where $y$ is offered. This intuition of eventually evolving into a state in which an action is offered, is encapsulated in the $\Longrightarrow$ transition relation, as used in the definition of $Ref$; see Section 5.1.3.1. Thus, according to the intuition of untimed semantics, whereby, effectively, the observer is always willing to wait as long as necessary, an observer wishing to perform a $y$ after an $x$ will be as satisfied with $R_7$ as with $R_5$. In other words, they are indistinguishable and consequently, they both yield the same trace-refusals characterisation.

A theoretical key to the handling of divergence in LOTOS trace-refusals is a fairness assumption, which states that, if there is a path out of a tau cycle,¹ as is the case in $R_6$ and $R_7$, then that path cannot be infinitely often ignored. In other words, if an action is repeatedly enabled, a process cannot infinitely often refuse to take that path. This is commonly called Kooman’s Fair Abstraction property [8] and it is an issue we return to when we compare the LOTOS and the CSP handling of divergence, the latter of which is typically described as a catastrophic interpretation of divergence.

¹ Internal actions are denoted τ in CCS; consequently, the term tau cycle has been inherited from this earlier process calculus and is used in preference to the term i cycle.
5.1.5 Development Relations: Equivalences

We can identify a number of development relations, which are defined in terms of trace-refusals semantics. We begin by considering equivalence.

The basic equivalence induced by trace-refusals semantics is testing equivalence.

Definition 33 (Testing Equivalence) Behaviours $B$ and $B'$ are testing equivalent, denoted $B \ te \ B'$, if and only if,
• $[\![B]\!]_{tr} = [\![B']\!]_{tr}$ and
• $\forall \sigma \in [\![B]\!]_{tr},\ Ref_B(\sigma) = Ref_{B'}(\sigma)$

Proposition 7 $te$ is an equivalence relation.

Proof The result is clear from the properties of set equality.

So, specifications are testing equivalent if they have the same trace-refusals characterisation; in other words, if they have the same trace and deadlock properties.

A particularly interesting aspect of testing equivalence is how it relates to weak bisimulation equivalence. First, let us consider the example that we identified at the start of this section.

P := x ; x ; y ; stop [] x ; x ; z ; stop and
Q := x ; ( x ; y ; stop [] x ; z ; stop )

It is clear that P and Q are trace equivalent, but, in addition, after any trace, they have the same refusals. The crucial point is the refusals after the trace $x$: in both cases, everything apart from $x$ is refused. Trace-refusals identify these behaviours because these semantics are not as distinguishing with regard to branching as bisimulations. In this respect, trace-refusals seem a more realistic semantic interpretation.

The following are all examples of specifications that are testing equivalent, but not weak bisimilar; (1) is taken from [104] and (2) is taken from [120].
(1) $P_1$ := x ; ( x ; x ; stop [] x ; stop ) and
    $Q_1$ := ( x ; x ; x ; stop ) [] ( x ; x ; stop )

(2) $P_2$ := x ; y ; stop [] x ; z ; stop,
    $Q_2$ := i ; x ; y ; stop [] i ; x ; z ; stop and
    $R_2$ := x ; ( i ; y ; stop [] i ; z ; stop )

(3) $P_3$ := i ; x ; stop [] y ; stop and
    $Q_3$ := i ; x ; stop [] i ; ( x ; stop [] y ; stop )

These examples demonstrate that $te \not\subseteq\ \approx$. However, it is a well-known result that $\approx\ \subseteq te$ [52]. Thus, we have the following important relationship between bisimulation equivalences and testing equivalences.

Theorem 5.1. $\approx\ \subset te$

However, unfortunately, testing equivalence is not a congruence. As was the case with weak bisimulation, choice is an offending context. For example, x ; stop and i ; x ; stop are testing equivalent, but it is not the case that the following are testing equivalent.

x ; stop [] y ; stop and i ; x ; stop [] y ; stop

In addition, Leduc has shown [120] that hiding contexts that create divergence are not always substitutive. For example, consider P and Q, depicted in Figure 5.4 and defined as follows,

P := x ; $P_1$ [] x ; $P_2$ where
    $P_1$ := w ; $P_1$ [] y ; stop and $P_2$ := w ; $P_2$ [] z ; stop
Q := x ; $Q_1$ [] x ; $Q_2$ where
    $Q_1$ := w ; $Q_2$ [] y ; stop and $Q_2$ := w ; $Q_1$ [] z ; stop

P and Q are testing equivalent. In particular, after either the trace $x$ or $x\sigma$ (where $\sigma$ is a finite repetition of $w$), the refusals of both P and Q are $\{\emptyset, \{x\}, \{y\}, \{z\}, \{x, y\}, \{x, z\}\}$, noticing especially that although $y$ and $z$ can be refused individually, they cannot be refused together, because both of the states in P after $x$ and P after $x\sigma$ (and Q after $x$ and Q after $x\sigma$) can perform one or the other of these actions. However, P′ and Q′, defined as follows, and depicted in Figure 5.4, are not testing equivalent.

P′ := hide w in P and Q′ := hide w in Q

It is important to note that after the trace $x$, P′ can refuse $y$ and it can refuse $z$ (although, it cannot refuse the two together), but Q′ can refuse neither action.
As we discuss in Section 7.2.6, it turns out that a catastrophic interpretation of divergence (as found in CSP) does not suffer substitutivity difficulties in hiding contexts such as these. Thus, in this sense, enforcement of Kooman’s fair abstraction property [8] leads to a theoretically less clean handling of divergent behaviour. Although, there may, nonetheless, be good conceptual reasons for sticking with the property and indeed we believe there are such reasons.

[...]... These were defined by Brinksma and co-workers [50], [52] and [53]. We consider each of these relations in turn.

5.1.6.1 Conformance

This relation was devised as a formal instantiation of the conformance testing process. It is defined as follows.

Definition 34 (Conformance) $\forall B, B' \in pbLOTOS$, $B \ conf \ B'$ iff $\forall \sigma \in [\![B']\!]_{tr},\ Ref_B(\sigma) \subseteq Ref_{B'}(\sigma)$

Thus, B conforms to B′ if and only if,...

... implies P2 |[G]| P =⇒≈ stop. Proof See [52]. Thus, extension only ensures that deadlocks are not added when restricting to traces of the abstract specification.

5.3 Testing Theory in General and the Linear Time – Branching Time Spectrum

As should be becoming clear, testing theory is a rich and extensively investigated branch of concurrency theory [2, 153, 192]. Testing theory systematically 3 σ σ That is, S...

... which are depicted in Figure 5.5, are distinguished by HML, but not by RSL.5 A formula / observation that distinguishes the two is as follows $T \models_{HML} \psi$, but $U \not\models_{HML} \psi$, where ψ = x(xyTrue ∧ ¬(xzTrue)). The fact that HML distinguishes more processes than RSL is, of course, consistent with Proposition 5 of Section 3.3.3.2.

5.4 Applications...

[Fig. 5.4. Testing Equivalence Is Not a Congruence in the Hiding Context: transition systems P, Q, P′ and Q′]

5.1.6 Nonequivalence Development Relations

A number of development relations based on trace-refusals semantics that are not equivalences have been defined...

... equivalent) if and only if, the observations of P1 and P2 are the same.

4 Note, tree-based testing formulations that use refusals, rather than ready sets can also be given; see [192].

Bisimulation The move from sequence-based testing to tree-based testing corresponded to an increased capacity of the tester to observe the...

... [185]) We can give the following examples of reduction. Consider the behaviours:
• P1 := x ; stop
• P2 := x ; stop [] x ; y ; stop
• P3 := i ; x ; stop [] y ; stop
• P4 := x ; stop [] y ; stop
• P5 := i ; x ; stop [] i ; y ; stop
• P6 := y ; stop
The following relationships can be determined,
P1 red P2, P1 red P3, P4 red P3, P4 red P5, P3 red P5, ¬(P1 red P4), ¬(P6 red P3), ¬(P3 red P4), ¬(P5 red P3), ¬(P5...

... of X. Indeed, of course, the same criticism can be levelled at all solely trace-based correctness relations, including trace preorder.

Reduction As discussed earlier in this chapter, reduction adds consideration of liveness properties to trace preorder; see Section 5.1.6.2. Indeed, Theorem 5.2 in Section 5.2 ensures the deadlock property...

... refusals-based tool environment: the FDR (Failures Divergences Refinement) suite [171]. Although, as should now be clear, differences between CSP and LOTOS, in particular, in respect of handling divergence, mean that LOTOS specifications cannot be mapped to this framework without a good deal of care.

5.2 Testing Justification for Trace-refusals...

... because it concerns the one-step mapping from a specification to a real physical implementation. Thus, incremental development is not an issue. The term implementation relation is often associated with development relations such as conf, which are concerned with relating specifications directly to real implementations [120].

5.1.6.2 Reduction...

... LOTOS testing theory applied to modern Object-Oriented (OO) distributed systems: (1) a basic relating of OO concepts to LOTOS; (2) the behavioural subtyping problem; and (3) viewpoint models of distributed systems and consistency-checking. These are discussed in the next three sections. One reason for including this material is to illustrate application of the theory highlighted in this chapter.

5.4.1 Relating...