c3392a71a4801bd112d45cece1eb6910.ppt
- Number of slides: 63
Hierarchical Design and Analysis of Reactive Systems. Radu Grosu, Stony Brook University, www.cs.sunysb.edu/~radu
Reactive Systems. Computer based reactive systems are becoming an integral part of nearly every engineered product. They control: household devices, commercial devices, telecommunication devices, aircraft, automobiles, nuclear power plants, medical devices.
Super Computers with Wings. The Boeing 777 has > 4 M lines of code and > 1 K embedded processors in order to control subsystems and aid pilots in flight management. "Companies that exploit information technology most effectively will be the most likely to dominate the aerospace landscape in the 21st century" [Aviation Week, 12/98]. One of the greatest challenges in software engineering: • hard real-time deadlines, • mission and safety-critical, • complex and embedded within another complex system, • interacts with humans in a sophisticated way.
Talk Outline ✓ Introduction → Modeling reactive systems • Mode diagrams • From statecharts to mode diagrams • Modular reasoning • Model checking • Wrap-up
Why Building Models? Modeling is a technique widely used in all engineering disciplines. In particular, for reactive systems it allows: • To understand the problem better, • To communicate with customers, • To find errors or omissions, • To plan out the design, • To generate code.
Modeling Reactive Systems. Currently there are two main methods for modeling reactive systems: 1. Software engineering methods, 2. Formal methods. Software Engineering Methods (e.g. UML, UML-RT) • mixed visual/textual notations, • speedup the development cycle, • improve customer/developer communication, • restricted analysis by simulation and testing, • restricted confidence in the modeled system. Formal Methods (e.g. Model Checkers) • mathematical models of reactive systems, • speedup specification/prototyping, • allow a thorough analysis of the modeled system, • high confidence in the modeled system.
Software Engineering Methods. Successfully applied in • Automotive, aerospace and telecommunications • Logic design. Tools • SDL, ROOM, Statemate, Rhapsody, UML-RT • Cierto VC CoDesign, StateCAD/StateBench. Companies • Telelogic, Verilog, ObjecTime, iLogix, Rational • Cadence, Visual Software Solutions
Model Checkers. No longer an academic research only. [Figure: a model and a temporal property are fed to the Model Checker, which answers yes or produces an error trace.] "... model checking will be the second most important, if not the most important, tool in the formal verification suite." [Cadence Web]. Advantage • Fully automated tool, • Effective debugging tool. Standard approaches • Enumerative search with reduction heuristics, • Symbolic search using BDDs.
Model Checkers. Successfully applied in • Hardware design and analysis • Finding bugs in cache coherence protocols, video graphics image chips (>96 processors). Tools • Spin, Murφ, Mocha, LMC, XMC, … • FormalCheck, Cospan, VERDICT, SMV, VIS, … Companies • Cadence, Lucent, Intel, IBM, Motorola, Siemens
Unfortunately 1. There is a considerable gap between software engineering and formal methods. 2. Scalability is still a challenge for formal analysis tools.
Fortunately Long Term Research Program 1. Close the gap between the software engineering and the formal methods, 2. Scale up the analysis tools by exploiting the software engineering artifacts.
Talk Outline ✓ Introduction ✓ Modeling reactive systems → Mode diagrams • From statecharts to mode diagrams • Modular reasoning • Model checking • Wrap-up
Mode Diagrams 1. Visual language for hierarchic reactive machines • hierarchic modes, • mode sharing, • group transitions, • history, • mixed and/or hierarchies. 2. Observational trace semantics • mode refinement, • modular reasoning. 3. Model checker • exploits the hierarchy information, • exploits the type information.
Telephone Exchange: Architecture. TelI = tk | onH | offH | dig(int); TelO = tk | dtB | dtE | rtB | rtE. TelExchange has inputs ti1, …, tin : TelI and outputs to1, …, ton : TelO. [Figure: TelExchange refined into switches TelSw1 … TelSwn, each with its own ti/to pair and connected through a Bus via bi1/bo1 … bin/bon.] Characteristics • Description is hierarchic. • Well defined interfaces. • Supports black-box view. • Modular reasoning. Model checking • E.g. in SMV, Mocha, …
Telephone Exchange: Behavior. Interface of a switch TelSw: read ti : TelI, bi : BusI; write to : TelO, bo : BusO; local nr : (0..n). [Figure: mode diagram of TelSw with modes idle, gettingNo, connecting, ringing and talking, grouped into onHook and offHook sub-modes, and transitions labelled by the events offH, onH, call, ok, answ, rtB and rtE (e.g. ti?onH).]
Talk Outline ✓ Introduction ✓ Modeling reactive systems ✓ Mode diagrams → From statecharts to mode diagrams • Modular reasoning • Model checking • Wrap-up
Statecharts Formalism • Introduced: 1987 by David Harel, • Related notations: Rsml, Modecharts, Roomcharts, • Key component in OO Methods: UML, ROOM, OMT, etc. Software • iLogix, ObjecTime, Rational, etc. Application Area • Automotive industry, avionics, telecommunications, etc. Semantics • Many attempts (more than 24 semantics), • All operational: no trace semantics, no refinement rules.
From Statecharts to Modes. Obstacles in achieving modularity: • Regular transitions connect deep nested modes (control interface) -> Entry/exit points. • Group transitions implicitly connect deep nested modes (control interface) -> Default points. • Nested state references break encapsulation of variables (data interface) -> Scoping. [Figure: statechart of telSw with history (H), initial transition ini, states idle, gettingNo, connecting, ringing and talking grouped into onHook/offHook, and transitions offH, onH, call, ok, answ, rtB, rtE.]
Talk Outline ✓ Introduction ✓ Modeling reactive systems ✓ Mode diagrams ✓ From statecharts to mode diagrams → Modular reasoning • Model checking • Wrap-up
Operational Semantics. [Figure: a mode m with entry points e1, e2, exit points x1, x2, default entry/exit points de, dx, sub-modes sm1, sm2, sm3 and transitions t1 … t6.] Macro transitions (m.T) • Form (e, s) -> (x, t), • Obtained: (e0, s0) -> (c1, s1) -> … -> (en, sn). Operational semantics • Control points, variables, macro transitions.
Denotational Semantics. Execution of m • (e0, s0) -> (x0, t0) -> (e1, s1) -> (x1, t1) -> … -> (xn, tn), • For even i, (ei, si) -> (xi, ti) is in m.T, • For odd i, si[Vp] = si+1[Vp]. Set of traces Lm of m • Projection of executions on global variables. Denotational semantics • Control points, global vars, Lm. Refinement m < n • Inclusion of the sets of traces Lm ⊆ Ln.
Modular Reasoning. [Figure: three proof rules for a mode N with sub-mode M: sub-mode refinement (replacing M inside N by a refinement M'), super-mode refinement (replacing the enclosing N by a refinement N' around M), and assume/guarantee reasoning, which establishes both refinements together.]
Talk Outline ✓ Introduction ✓ Modeling reactive systems ✓ Mode diagrams ✓ From statecharts to mode diagrams ✓ Modular reasoning → Model checking • Wrap-up
Symbolic Search. [Figure: onion rings R0 ⊆ R1 ⊆ R2 ⊆ … ⊆ Rk expanding from the initial states.] Ok+1 = Rk+1 – Rk, Rk+1 = Rk | (Ok & T).
Model Checking Graphical editor and both an enumerative and a symbolic model checker. Reachability analysis exploits the structure: • Reached state space indexed by control points • Transition relation is indexed by control points • Transition type exploited • Mode definitions are shared among instances.
Example: Generic Hierarchic System. [Figure: a hierarchic mode diagram with local c : (0..2) and local z : (0..n) at the top level, sub-modes w0 and w1, the latter with local v3 : (0..n); the transitions are named skp, inc and id, one of them reads (c=1 & w1=n) | c=2 -> skip, and another has a guard starting c=1 & z …]
The Reached Set. The reached set is indexed by control points: • Each reached control point has an associated multi-valued binary decision diagram (mdd), • The set of variables of an mdd depends on the scope of the control point. [Figure: the generic hierarchic system annotated with R(c, z) at the top level, R(c, z, w1) and R(c, z, w1, v3) inside w1, and R(c, z, w1, v3, hw1) and R(c, z, w1, v3, hw1, hz) where the history variables hw1 and hz are in scope.]
The Transition Relation. The transition relation is indexed by control points (conjunctively partitioned mdds): • Each transition has an associated mdd, • The set of variables of an mdd depends on the scope of the transition, • Type information: no identity extension necessary, • Variable scoping enables early quantification. [Figure: e.g. the inc transition inside w1 is applied as (∃ c, v3. (R(c, z, w1, v3) & inc(c, c', v3')))[c', v3' := c, v3], and skp at the top level as R(c, z, w1) & skp(c, w1).]
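As an added illustration (not code from the talk or from Mocha), the reachability scheme of the last four slides on a small constructed hierarchic system: the reached set R and the frontier O are dictionaries indexed by control point, the valuation stored at a control point carries only the variables in its scope (the sub-mode local v3 exists only inside w1), and the iteration follows Rk+1 = Rk | (Ok & T), Ok+1 = Rk+1 - Rk. Python sets of tuples stand in for the MDDs; the system, its control points z, w1, x and its transition guards are assumptions made for this example.

```python
from collections import defaultdict

N = 3  # range bound of the counters z and v3 (constructed, stands in for (0..n))
# Variables in scope at each control point: top-level points see (c, z); the
# point inside sub-mode W1 additionally sees W1's local v3.
SCOPE = {"z": ("c", "z"), "w1": ("c", "z", "v3"), "x": ("c", "z")}

def post(cp, val):
    """Successors of one (control point, valuation) pair.  A transition writes
    only its target scope: entering W1 initialises v3, leaving W1 drops it."""
    assert len(val) == len(SCOPE[cp])        # valuation matches the cp's scope
    succ = []
    if cp == "z":
        c, z = val
        if z < N:                            # inc: stay at cp z, bump z
            succ.append(("z", (c, z + 1)))
        succ.append(("w1", (c, z, 0)))       # skp: enter sub-mode W1, v3 := 0
    elif cp == "w1":
        c, z, v3 = val
        if v3 < z:                           # inc: local counter catches up with z
            succ.append(("w1", (c, z, v3 + 1)))
        else:                                # skp: exit W1, v3 leaves scope
            succ.append(("x", ((c + 1) % 3, z)))
    elif cp == "x":
        c, z = val
        if c != 0:                           # id: loop back to the top mode
            succ.append(("z", (c, z)))
    return succ

def reach(init_cp, init_val):
    """Frontier search R[k+1] = R[k] | (O[k] & T), O[k+1] = R[k+1] - R[k], with R
    and O indexed by control point; sets of tuples stand in for the MDDs."""
    R, O = defaultdict(set), {init_cp: {init_val}}
    R[init_cp].add(init_val)
    while O:                                 # until the onion ring O[k] is empty
        new = defaultdict(set)
        for cp, frontier in O.items():
            for val in frontier:
                for cp2, val2 in post(cp, val):
                    if val2 not in R[cp2]:
                        new[cp2].add(val2)
        for cp, s in new.items():
            R[cp] |= s
        O = new
    return dict(R)

def deadlocks(R):
    """Reached states without a successor: what the checker would report."""
    return {(cp, v) for cp, s in R.items() for v in s if not post(cp, v)}
```

Running `reach("z", (0, 0))` reaches 54 states over the three control points, and `deadlocks` reports the four states at x with c = 0, which have no outgoing transition.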
Results As expected, the model checker for modes is superior to current model checkers when: • sequential behavior is hierarchical, • modes have local variables.
GHS Space Requirements
GHS Time Requirements
Wrap-Up. Bridging the gap between software engineering and formal methods provides a wealth of research opportunities: Hierarchic Reactive Machines • Compositional semantics [CSD'98, POPL'00], • Model checking [CAV'00]. Hybrid Systems • Compositional semantics [FTRTFT'98, WRTP'98], • Hybrid mode diagrams in CHARON [HSCC'00]. Message Sequence Charts • Semantics [CSI'98, OOPSLA'97], • Automatic translation to SM [DIPES'00, GP 19837871], • Hybrid sequence charts [WORDS'99, ISORC'00].
Wrap-Up Automating Modular Reasoning • Refinement check of asynchronous systems [FMCAD’ 00] Modeling Mobile Systems • Dynamic reconfiguration [Amast’ 96, NWPT’ 96], • Mobility [HICSS’ 98] Formal Foundation of OO Methods • UML [TAA’ 98, ECOOP’ 97] • UML-RT [JUCS’ 00, JOOP’ 00, OOPSLA’ 98, BSBS’ 99]
Mocha Tool. Mode diagrams will be integrated in Mocha. Mocha itself is currently recoded in Java for a better support for: • software engineering aspects, • modular reasoning.
Semantics of Modes. Game Semantics • Environment round: from exit points to entry points. • Mode round: from entry points to exit points. The set of traces of a mode • Constructed solely from the traces of the sub-modes and the mode's transitions. Refinement • Defined as usual by inclusion of trace sets. • Is compositional w.r.t. mode encapsulation.
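An added example (not from the talk) of the trace semantics of this slide and of the Denotational Semantics and Modular Reasoning slides: bounded executions alternate mode rounds and environment rounds, the environment may change the global variable but must preserve the private one, a trace is the projection of the execution on globals, and refinement m < n is checked as inclusion of trace sets. The modes mode_M, mode_N, mode_bad and the variable ranges are constructed for this example.

```python
from itertools import product

GVALS = range(4)   # global variable g : (0..3); all values are constructed

def mode_M(g, p):     # abstract mode: may increment g or leave it (no private state)
    return {(min(g + 1, 3), p), (g, p)}

def mode_N(g, p):     # implementation: a private bit p alternates the two choices
    return {(min(g + 1, 3), 1)} if p == 0 else {(g, 0)}

def mode_bad(g, p):   # does not refine M: it can move g by two in one round
    return {(min(g + 2, 3), p)}

def traces(mode, k, pvals):
    """Observable traces of k macro steps.  Each step is a mode round
    (entry -> exit, given by `mode`) followed by an environment round
    (exit -> entry) that may rewrite g but must keep the private p, i.e.
    s_i[Vp] = s_{i+1}[Vp].  Only g is recorded: projection on globals."""
    out = set()
    for g0, p0 in product(GVALS, pvals):
        frontier = {((g0,), g0, p0)}          # (trace so far, g, p)
        for _ in range(k):
            nxt = set()
            for tr, g, p in frontier:
                for g1, p1 in mode(g, p):      # mode round
                    for g2 in GVALS:           # environment round
                        nxt.add((tr + (g1, g2), g2, p1))
            frontier = nxt
        out |= {tr for tr, _, _ in frontier}
    return out

def refines(impl, impl_p, spec, spec_p, k=3):
    """m < n as inclusion of trace sets L_m ⊆ L_n, bounded to k macro steps."""
    return traces(impl, k, impl_p) <= traces(spec, k, spec_p)
```

mode_N hides its private bit and so refines mode_M, while mode_bad exposes a trace (g jumping from 0 to 2) that mode_M cannot produce.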
Wrap-up • Consider alternative state space representation for mode diagrams (e. g. indexing the mdds by modes), • Allow optional compilation of modes to their macro transition relation, • Automate modular reasoning for mode diagrams, • Fully integrate mode diagrams with Mocha, • Consider abstraction mechanisms for modes, • Consider applications of and/or mode hierarchies, • Extension to hybrid mode diagrams, • Integration with sequence diagrams,
Modeling in UML. Modeling in UML consists of building several models according to five views: Structural View • Class Diagrams • Object Diagrams. Implementation View • Component Diagrams. User View • Use Case Diagrams. Behavioral View • Sequence Diagrams • Collaboration Diagrams • Statechart Diagrams • Activity Diagrams. Environment View • Deployment Diagrams.
Motivation Scalable analysis demands modular reasoning: • modeling language has to support syntactically and semantically modular constructs, • model checking has to exploit modular design. Close the gap between: • software design languages (UML, Statecharts, Rsml), • model checking languages (Spin, SMV, Mocha).
Talk Outline ✓ Introduction ✓ Modeling reactive systems ✓ Mode diagrams ✓ From statecharts to mode diagrams → Modular reasoning • Conjunctive modes • Implementation • Wrap-up
Modular Reasoning. Terminology • Compositional and assume/guarantee reasoning based on observable behaviors. Application area • Only recently being automated by model checkers, • Until now restricted to architecture hierarchies. Compositional Reasoning • Central to many formalisms: CCS, I/O Automata, TLA, etc. Circular Assume/Guarantee Reasoning • Valid only when the interaction of a module with its environment is non-blocking.
Compositional Reasoning. [Figure: the sub-mode refinement and super-mode refinement rules for a mode N with sub-mode M and their refinements M', N'.]
Assume/Guarantee Reasoning. [Figure: the assume/guarantee rule for a mode N with sub-mode M and their refinements N', M'.]
Talk Outline ✓ Introduction ✓ Modeling reactive systems ✓ Mode diagrams ✓ From statecharts to mode diagrams ✓ Modular reasoning → Conjunctive modes • Implementation • Wrap-up
Conjunctive Modes. Synchronous semantics: parallel composition of reactive modules. [Figure: modules M1 (read i1, p2; write o1, p1) and M2 (read i2, p1; write o2, p2) composed into a system syst with state s = (i1, i2, o1, o2, p1, p2); an execution s0, s1, s2, …, sk, sk+1 of syst, with the intermediate state after M1's round shown (e.g. s11), and its translation with modes, where M1 and M2 become sub-modes inside an env mode.]
And/Or Hierarchies. The ability to express conjunctive modes is important for the construction of arbitrary and/or hierarchies. Consider a hypothetical search and rescue transport robot operating on a battle field. [Figure: Search&rescue robot with modes search, approach, transport, pick, done and found, and sub-modes explWNHO, lookFGU, lookFHO, headTT, lookFS, headTKL, lookFEC, sonarM, motionC.]
Mocha Tool Architecture. [Figure: Integrated Development Environment with TextEditor, VisEditor, Parser, BehModel, ArchModel, Specification and Manager; databases hRM DB, Proofs DB, Specs DB, Rules DB, Tacticals DB; ModelChecker with BDD Packs and Reduction Algs, Simulator, Proof Manager.]
Wrap-up. Bridging the gap between software engineering and formal methods provides a wealth of research opportunities. Structural View • Class Diagrams • Object Diagrams. Allow to express architectural design patterns: • add process arrays, • exploit symmetry, • add abstraction mechanisms, • automate modular reasoning, • add dynamic architectures, • architecture algebra.
Wrap-up. Behavioral View • Sequence Diagrams • Collaboration Diagrams. Popular in requirements capture and testing: • sequence diagrams for shared memory, • sequence diagrams for hybrid systems, • automatic translation to mode diagrams, • analysis of sequence diagrams, • consistency of sequence/mode diagrams, • interaction algebra.
Wrap-up. Behavioral View • Statechart Diagrams. Essential component in all methods: • explore alternative representations, • optional compilation of modes, • explore better sharing schemes, • automate modular reasoning, • add abstraction mechanisms, • consider implications of and/or hierarchies, • integrate with architecture diagrams, • behavior algebra.
Wrap-up. Behavioral View • Activity Diagrams. Consider differential equations for activities: • Hybrid hierarchic modes, • Avionics, robotics, automotive industry, • Global and modular simulation, • Exploit hierarchy in analysis, • Relate to hybrid sequence diagrams.
Wrap-up. Environment View • Deployment Diagrams. Modeling and analysis of: • Distributed reactive systems, • Mobile reactive systems.
A Macro Step. [Animation, 10 frames: a macro step of the generic hierarchic system. Starting from the set Xk at the entry of the top mode (labels gcs, Ek+1), the transitions skp, inc and id are fired through the sub-modes w0 and w1 (locals v2, v3); the exit sets are accumulated as Xk | X'k+1 | X"k+1 before being handed to the environment as Ek+1.]