advises tutorials: ico tutorial - irit tutorial.pdf · 1 advises tutorials: ico tutorial...

1

ADVISES Tutorials:ICO Tutorial

LIIHS-IRIT, University Toulouse 3

Rémi Bastide, David NavarrePhilippe Palanque

2

Overview

Introduction to Petri netsprinciplesexemples & exercisesverification techniques

Introduction to the ICOsprinciplesexemple & exercisetool support

3

Development process

Qualitative analysis

ith

iteration

System modelling

Quantitative analysis

CheckObjectives

Improve thesystem model

OkNot Ok

Maintain task and systemmodels consistency

TowardsUsabilityTesting

ith

iteration

Task modelling

ith

iteration

Requirements modelling

Maintain conformance torequirements

Performanceevaluation

Complexityevaluation

Models

Activities

4

ICO Tutorial - Petri Nets

5

Content

Introduction

An intuitive introduction to Petri Nets

The five Petri Nets Principles

Introduction to Analysis Techniques

Conclusion

6

An intuitive introduction : two racing cars (1)

7


T1: car a; send ready sign

T2: car a; start race

T3: starter; give start sign

T4: car b; send ready sign

T5: car b; start race

P1: car a; preparing for startP2: car a; waiting for startP3: car a; runningP4: ready sign of car aP5: start sign for car aP6: starter; waiting for ready signsP7: starter; start sign givenP8: car b; preparing for startP9: car b; waiting for startP10: car b; runningP11: ready sign of car bP12: start sign for car b

List of actionsList of actions List of conditionsList of conditions

8


P1 car a; preparing for start

P2=true car a; waiting for start

P3 car a; running

P4=true ready sign of car a

P5 start sign for car a

P6=true starter; waiting for ready s.

P7 starter; start sign given

P8=true car b; preparing for start

P9 car b; waiting for start

P10 car b; running

P11 ready sign of car b

P12 start sign for car b

car a; preparing for start P1=true

car a; waiting for start P2

car a; running P3

ready sign of car a P4

start sign for car a P5

starter; waiting for ready s. P6=true

starter; start sign given P7

car b; preparing for start P8=true

car b; waiting for start P9

car b; running P10

ready sign of car b P11

start sign for car b P12

T1

9




P3 car a; running





P8=true car b; preparing for start

P9 car b; waiting for start

P10 car b; running

P11 ready sign of car b




car a; running P3







car b; running P10



T1

10




P3 car a; running





P8 car b; preparing for start

P9=true car b; waiting for start

P10 car b; running

P11=true ready sign of car b




car a; running P3







car b; running P10



T1

T4

11

The five Petri Nets Principles

The principle of DualityThe principle of LocalityThe principle of ConcurrencyThe principle of Graphical RepresentationThe principle of Algebraic Representation

12

The Principle of Duality

Two sets of elements

places : passive elements of the representation places : passive elements of the representation of the real worldof the real world

transitions : active elements of the transitions : active elements of the representation of the real worldrepresentation of the real world

13

The Principle of Locality

The behaviour of transitions depends only on their input and output places.

14

The Principle of Concurrency

Transitions having disjoint locality occur independently i.e. true concurrency

15

The Principle of Graphical Representation : Definition

Places are represented by rounded graphical symbols

Transitions are represented by edged graphical symbols

Arcs connect a transition to its locality

Additionally, there may be inscriptions like names, tokens, expressions or guards

16

The Principle of Graphical Representation : An example

A Petri Net for the car a

P1

P5P4

P3T2P2T1

17

Graphical Representation

P1

P5P4

P3T2P2T1

P8

P12P11

P10T5P9T4

P6 P7T3

18

The Principle of Algebraic Representation

To each graphical representation an equivalent algebraic representation is associated

Generally a matrix

19

An algebraic Representation (1)

54321

100000100121

pre

ppppp

tt

=

54321

000110010021

post

ppppp

tt

=

=

−

+

=−+=

01010

00001

01010

00001

)1()1(0 1 tpretpostmm

=

00001

m0

20

An algebraic Representation (2)

54321

10011011

0121

pre -post C

ppppp

tt

−

−−

==

=

−

+

=+=

01010

01011

00001

)1(01 tCmm

=

00001

m0

21

Introduction to Analysis Technique

Several behaviours of a mousedrag’n’dropdrag’n’dropclick and double clickclick and double click

Requirementsno defectno defectno dead branchno dead branch

22

The Drag’n’Drop part

mD

uE

d

Idle

mB

Down

Moving

mD

uE

d; u; d

Idle

mCB

Second_Down

Moving

23

Click and Double-Click parts

du / StartTimer

mC,M

uDC

Idle DownOne_Click Second_Down

tC

tC

d

24

Complete View of the Mouse

du / StartTimer

mC,M

uDC

Idle DownOne_Click Second_Down

tC

tC

mD

uE

d

mB

Moving

mC,B

25

Analysis techniques

Aimslook for defectsverify fulfilment of requirements

Various techniquesalgebraic verificationtopological analysisgraph theory analysis on the marking graph

Optimisation : reduction technique

26

Petri Nets Reduction : implicit transition

t1

t5

t4t3

t2

p1 p4 p5

p2

p3

t11

t10

t9

t8t7t6

27

Petri Nets Reduction : Fusion of transitions

t5

t4t3

t2

p1 p4 p5

p2

p3

t11

t10

t9

t8t7t6

28

Petri Nets Reduction : Fusion of places

t5

t4t3

t2

p1 p4 p5

p2

p3

t11

t9 & 10

t8t7t6

29

Petri Nets Reduction : Fusion of places (2)

t5

t4

t2

p1 & 2 p4 p5p3

t11

t9 & 10

t8t7t6

30

Petri Nets Reduction : Fusion of places (3)

t5

t4

t2

p1 & 2 & 3 p4 p5

t11

t9 & 10

t8t7

31

Petri Nets Reduction :Final Steps

t5

t2

p1 & 2 & 3 & 4 p5

t11 t9 & 10

t8

t5

t2

p1 & 2 & 3 & 4p5

t11

t8

t5

t2

p1 & 2 & 3 & 4 & 5

t11

T

p

32

Conclusion

allow designers to model –– control structurecontrol structure–– concurrency (parallelism and synchronisation)concurrency (parallelism and synchronisation)–– time modelling (time on places, transitions and arcs)time modelling (time on places, transitions and arcs)

graphical representation, mathematically foundedstructuring mechanisms –– hierarchical refinement (macro and fusion)hierarchical refinement (macro and fusion)–– composition mechanisms (clientcomposition mechanisms (client--server protocol, communication)server protocol, communication)

however lack of –– methodological structuring (how to break down the system model)methodological structuring (how to break down the system model)–– handling of data structure handling of data structure

objects, maybe?objects, maybe?

33

Requirements mouse

What are the expected properties of the system ?⌧There is no influence between uses.⌧There is no dead branch in the specification.

34

Transposition into Petri nets theory

These above requirements can be proved directly on Petri nets thanks to algebra and / or markings graph

Liveness (potential fireability in all reachable markings ) → Commoner theorem + ‘Traps & siphons’ algorithm

Reversibility (recoverability of the initial marking from any reachable markings) → Markings graph or using traps.

35

Tool support for analysisTool support for analysis

36

Tool support (2)Tool support (2)

1 0 0 0 0

0 0 1 0 0

0 1 0 0 0 0 0 0 1 0

0 0 0 0 1

M1

M2

M3M4

M5

T4

T8

T9

T7

T5

T2

T1

T6

T10

T3

Markings graph build from matrix

37

Description of properties How to represent properties: Temporal logic CTL*Every property is equivalent to some combination of safety property and liveness property.⌧Safety property: ‘ Nothing bad ever happens’ ⌧Liveness property: ‘ Something good will eventually happen’

Verification of prropertiesBuild the markings graph associated the model system (model by Petri nets)Check these properties in each node of the marking graph (model checking)

Automatic verificationAutomatic verification

Requirements System??

38

Temporal logic CTL* (1)Temporal logic CTL* (1)

CTL* (Computational Tree Logic Star)1 state has one or more successor:1 state has one or more successor:Model: infinite treeModel: infinite tree

OperatorsOperators::⌧A (all possible future); E (one possible future) + {F, G, X, U}

Connectors logic:Connectors logic:⌧∧ (and); ∨ (or); (not); ⇒ (implication)

39

Graphical interpretationGraphical interpretation


si |= AGp si |= AFp

si si

The formulae p (resp. q) is true at the red (resp. blue) state and false at the white state

si |= EGp

si

si |= EFp

si

40

Graphical interpretationGraphical interpretation


si |= AXp si |= EXp

si si

si

si |= A(p U q) si |= E(p U q)

si

41

Case study: cash dispenserCase study: cash dispenser

Insert CardInsert Code (maxi. 3 tests)Select AmountTake out Credit cardTake out Money

Display (Code ?)Display (Amount ?)Exit Credit cardDistribute MoneyReinitialize

User actions System

42

Cash dispenser: requirementsCash dispenser: requirements

Requirements and specification in CTL*The system reinitialises after the end of operatorsThere is no dead branchWell pin number is necessary to continue operators: AG(Code = Ok ⇒ AX(Display (‘ Code ? ’)) ⇔ AG(IncorrectCode ⇒ AX CardIn)Only entering pin numbers three times is legal, beyond the system reinitialises: AG(f ∧ (X f ∧ (X f)) ⇒ AX (Reinitialise)) f:= Display(‘Code ?’) ∧ (Code = Ok) ⇔ AG(Counter=3 ⇒AX(Idle))

43

Cash dispenser: modelled by Cash dispenser: modelled by Petri netPetri net

InsertCard

CardIn

InsertCode<C,Code>

CodeIn

Idle

C.Code<>CorrectCode

<C,Code>

<c>

<Code>

<c>

<c>

InsertAmount<Amount>

<c>

32

Incorrect Code

Counter

P3

P4

P5

T1 T2

T3

T4

Reinitialize

C.Code=CorrectCode

<C,Code>

Three entering pin numbers for cash dispenser modeled by

ordinary Petri net

InsertCard

CardIn

InsertCode<C,Code,n>

CodeIn

Idle

C.Code<>BonCode C.Code=BonCode

<Code,n>

<c>

<Code>

<c,n>

<c,n>

TestCode

n:=0

n:=n+1

<n>

n<3 n=3

<n>

<n> <n>

T1_2 T3

Three entering pin numbers for cash dispenser modeled by

Object Petri net

44

Cash dispenser: verification of Cash dispenser: verification of propertiesproperties

Cash dispenser (three entering pin numbers): Liveness and boudness property

Verification of two last properties need a model checking. Verification of two first properties can be proved directly on the structure of Petri nets thanks to markings graph, reversible and liveness properties

45

Case study: cash dispenser (3)Case study: cash dispenser (3)

Reachable markings Markings ‘graph’ (shape of matrix)

46

Case study: cash dispenser (4)Case study: cash dispenser (4)

1 0 0 0 0 0 2 0

0 1 0 0 0 0 2 0

0 0 1 0 0 0 2 0

0 0 0 1 1 0 2 0 0 0 0 0 0 1 2 1

0 1 0 0 1 0 1 0

0 0 1 0 1 0 1 0

0 0 0 1 2 0 1 0 0 0 0 0 1 1 1 1

0 1 0 0 2 0 0 0

0 0 1 0 2 0 0 0

0 0 0 1 3 0 0 0 0 0 0 0 2 1 0 1

M1

M2

M3

M4 M5

M6

M7

M8 M9

M10

M11

M12

M13

T1 (InsertCard)

T2 (InsertCode)

T3 T4

T6

T8

T7 (Reinitialize)

T3T4 (Code Ok)

T6

T3 (Code Not Ok)T4 (Code Ok)

T5

T5

(Code not Ok) (Code Ok)

(Code not Ok)

T2 (InsertCode)

T2 (InsertCode)

Cash dispenser (three entering pin numbers): Markings graph from matrix result

Number of nodes in each level of the graph

47

Conclusions and prospectsConclusions and prospects

Model checking shows satisfaction between the system model (modelled by generalised Petri nets) and system properties (specified in CTL*)

Size of model and of markings graph is considerableDirections

Object Petri nets: easier to model, the size of model will be reduced⌧relationship between generalised and object Petri nets⌧Analysis of OOPN: Symbolic graph, P, T-invariants

High level temporal logic: adapts to Object Petri nets⌧property specification will be less complex

48

System modelling

One single formalism the Interactive Cooperative Objects (based on Petri nets and the OO approach)OO constructs for structuring, Petri nets for dynamicsSpecial components for interface design (for input and for output)

activation functionrendering part (places and transitions)

49

Why using OO constructs ?

structuring of systems in an efficient wayeasier to manage–– to test, to adapt, to reuse to test, to adapt, to reuse =>=> loosely coupled and highly coherent componentsloosely coupled and highly coherent components

easier to understand –– data and actions gathereddata and actions gathered–– information information hiddinghidding => => close to the objects of the real wordclose to the objects of the real word

however, –– control structure of the system distributed among the objects control structure of the system distributed among the objects –– handling of concurrent objects by breaking them downhandling of concurrent objects by breaking them down

50

Why Petri nets ?

deal with–– concurrency (parallelism and synchronisation)concurrency (parallelism and synchronisation)–– time time modelingmodeling (time on places, transitions and arcs)(time on places, transitions and arcs)

mathematically founded & GR–– static analysis (intrinsic properties of models)static analysis (intrinsic properties of models)–– dynamic analysis (simulation, execution)dynamic analysis (simulation, execution)

structuring mechanisms–– hierarchical refinement (macro and fusion)hierarchical refinement (macro and fusion)–– composition mechanisms (clientcomposition mechanisms (client--server protocol, communication)server protocol, communication)

however lack of –– methodological structuring (how to break down the system model)methodological structuring (how to break down the system model)–– handling of data structurehandling of data structure

51

Objects inside Petri nets–– places are the state variables of places are the state variables of

the system, their value is a set of the system, their value is a set of objects (system state=current objects (system state=current marking and current marking and current marking=set of objects marking=set of objects references)references)

–– arcs arcs aresares labelled by variables, labelled by variables, stating the flow of objects stating the flow of objects references in the netreferences in the net

–– transitions model state changes transitions model state changes in the system in the system

» use and modify objects’ value by requesting methods

» feature preconditions testing the value of the objects in the incoming places

Trash

RadarViewPlanes

<p,values>

Shoot<p,values>

values=100

Strips : <p: planes; value: tuple>; RadarView, Planes : <p:planes>;

Strips

52

The ICO formalism: Presentation part

Rendering in placestoken entered token entered token removedtoken removedtoken resettoken reset

Rendering in transitionsStart actionStart actionStop actionStop action

53

A short example: The ATM

Only several servicesOnly part of the presentationComplete behaviour

54

OO representation of the ATM

Class ATM

Selectamount

Insertcard

Withdrawcard

Withdrawcash

innerstate

EnterPin

55

OO representation of the ATM 2

Class ATMAttributesa, b: Real; c: Card;r: {CANCEL, RETRY};

MethodsOk <a,b:real> : Boolean;Avail <c:Card> : Real;Visible commands

DisplayCardIn, DisplayAmount, DisplayCashCardAvail, DialogWindow, DisplayCardRemoved, DisplayCashRemoved,

ServicesInsertCard <c:Card>;

Select <a: Real>;GetCash; GetCard;

EnterPin <n:Integer>;

ObCSPresentation

LayoutActivationRendering

56

ICO modelling of the ATM '1

Layout

57


Widget User's actions ServicePushbutton InsertCard Click InsertCardPushbutton "£ 20" Click SelectPushbutton "£ 40" Click SelectPushbutton "£ 60" Click Select… … SelectPushbutton "£ 160" Click SelectPushbutton Cash Click GetCashPushbutton Card Click GetCardPushbutton Cancel Click User CancelPushbutton Retry Click User Retry

Activation RenderingObCS's transitions MethodInsertCard DisplayCardInEnter Pin DisplayPinSelect DisplayAmountT4 DisplayCashCardAvailT5 DialogWindowT8 DisplayCardRemovedT9 DisplayCashRemovedOthers No specific Rendering

58


No Card

InsertCard

Card inMachine

Ready to select

Select

<a>

<a>

<a><a>







b:=Avail(c)

<c>

<c>

<c>

Not Ok(a,b)Ok(a,b)r:=User.choice

<r>

<r> <r>

r=RETRYr=CANCEL

GetCashGetCard

P0

P2 P3

T0

T2 T3

P4 P5

T4 T5

P6

P7 P8

P9 P10

Completed

RetryCancelT6 T7

T8 T9

T10

Choice

AmountSelected

BalanceCalculated

Ready for Pin

EnterPin

<c> P1

T1

<a><c>

ObCS

59

A short example the SuperPie

A button "Up" (not available if p >= 100)A button "Down" (not available if p=0)A text widget to type-in pA Chart widget for selecting p

60

OO representation of the SP

Class SuperPiechart

ServicesStart; Stop; Up; Down;

SetPercentage <x:Int>

Mup; Mdown; Mmove <x,y:Int>;

Key <x:Int>

ObCS // Definition of the places’ type

Idle, Running, Dragging, NotDragging: <Boolean>

Percentage: <Int>

61

ICO modelling of the SP

Upn:=n+1

Start

Downn:=n-1

Stop

MMoven:=P_CalcInput(x,y)

<n> <n>Percentage

Idle

Running

MUp

<n><n>

MDown

Dragging

Not Dragging

SetPercentagen:=value

Keyn:=P_CalcKey(key)

<value>

<n>

<key>

<x,y>

n < 100n > 0

62

ICO modelling of the SP '2Widgets Graphical

representationEvents Service

ButtonStart Click Start

ButtonStop Click Stop

ButtonUp Click Up

ButtonDown Click Down

TextZone Keypress Key

MouseMove MMove

MouseDown MDown

PieChart

MouseUp MUp

63

ICO modelling of the SP '3

ObCS element RenderingIdle All arcs No renderingRunning All arcs No rendering

Token entered N/A (No incoming arc)Token removed N/A (No outgoing arc)

Percentage

Token resetSystem state renderingDisplay percentage in the TextZoneand PieChart widgets

Token entered Dialogue renderingSet mouse cursor to cross

Token removed Dialogue renderingSet mouse cursor to normal

Dragging

Token reset No rendering

Places

NotDragging All arcs No rendering

64

Tool support

Aim : Integrate the ObCS with external UI components and toolsApproach : based on the Model-View-Controller model

Model : the core entity, Model : the core entity, independantindependant of any user of any user interfaceinterfaceView : how the model is presented to the userView : how the model is presented to the userController : how the user triggers actions on the Controller : how the user triggers actions on the modelmodel

65

ICO and MVC

Model : the ObCS netView : rendering of the state of the net

Fireability of transitions maps to enabling of buttons, menu items ...Marking of the places maps to display using text boxes, labels, colors, sound, whatever

Controller : UI components can trigger fireable transitions in the ObCS

66

Implementation

Based on Java and SwingGraphic editing and debugging of netsEmbedded Petri net interpretor

Allows instantaneous testing of the net under designAllows instantaneous testing of the net under design

Seamless integration of analysis algorithmsGenerates non-visual java « beans » (i.e. components) that can be integrated in any component-based UIMS (BeanBox, Visual Basic)Uses CORBA for object communication, enables distributed and multi-language application prototyping

advises tutorials: ico tutorial - irit tutorial.pdf · 1 advises tutorials: ico tutorial...

Documents