Model Checking for an Executable Subset of UML

Presentation transcript:

Model Checking for an Executable Subset of UML
Fei Xie (1), Vladimir Levin (2), and James C. Browne (1)
(1) Dept. of Computer Sciences, UT at Austin; (2) Bell Laboratories, Lucent Technologies

Our project is to provide model checking support for an executable subset of UML.

Motivations

- Executable subsets of UML are widely applied to model software system designs, have well-defined execution semantics, and enable early verification of design models.
- Model checking can potentially improve the reliability of executable design models.

The motivations behind our project are: first, software system designs modeled in executable subsets of UML are fully executable; second, model checking can potentially improve the reliability of executable design models.

xUML: An Executable Subset of UML

- A system consists of interacting class instances.
- Class instances communicate mainly through asynchronous message passing with buffering.
- State models are extended with state actions.
- State transitions are enabled by messages.
- System executions follow asynchronous interleaving semantics.

The executable UML subset we selected is xUML, which is industrially supported and applied. It has well-defined action semantics and execution semantics.

A Sample xUML State Model

[Figure: a sample xUML state model; the labels on the figure mark a State, a State Transition, a State Action and a Message Type.]

Here is a sample xUML state model. A state model is composed of states, state actions, and state transitions. A state action is associated with a state and is executed upon entry to the state. A state transition is enabled by a message. For instance, the state transition from State 4 to State 1 is enabled by a message of type J9.

Model Checking xUML Models

[Figure: data flow of the approach. An xUML model and an xUML-level query are the inputs of the xUML-to-S/R translation, which outputs an S/R model and an S/R query; model checking with the COSPAN model checker outputs an error track; error report generation maps the error track to an xUML-level error report. Legend: input/output data, process.]

The figure shows how we model check xUML models. An xUML model and an xUML-level query are automatically translated into an S/R model and an S/R query. The S/R query is checked on the S/R model by the COSPAN model checker. Upon the detection of a bug, the error track generated by COSPAN is automatically mapped into an xUML-level error report.

COSPAN Model Checker and S/R Automaton Language

- COSPAN is a synchronous model checker and inputs models and queries formulated in S/R.
- In S/R, a system is a synchronous parallel composition of its components, modeled as processes.

[Figure: S/R processes, each with a state space, outputs and inputs; the outputs of one process feed the inputs of other processes.]

COSPAN is an industrial model checker. COSPAN inputs the S/R automaton language. In S/R, a system is a parallel composition of processes. Each process has a state space, outputs, and inputs. S/R has a clock-driven synchronous semantics. In the first stage of each logical clock cycle, each process sets its outputs. In the second stage of the logical clock cycle, each process reads inputs from some outputs of other processes and moves to a new state on those inputs.

xUML Level Query Formulation

    DECLARE Joint_2_in_Move_EE <<Joint 2>> $Move_EE;
    DECLARE Recovery_Called <<Recovery 1>> recovery_status = 1;
    NEVER (Joint_2_in_Move_EE AND Recovery_Called);

(The slide annotates the two DECLARE lines as propositions over semantic constructs of the xUML model, and the NEVER line as the instantiation of a temporal template.)

Writing queries in S/R is tedious and hard to learn. Therefore, we support query specification on the xUML level. This slide shows an xUML-level query. The first line defines a proposition on an xUML model, which is true if and only if Joint 2 is in the Move_EE state. The second line defines another proposition in the same way, true if and only if the recovery_status attribute of Recovery 1 equals 1. The third line instantiates a temporal template in the logic with the two propositions. As a whole, the query claims that the two propositions are never true at the same time.

xUML-to-S/R Model Translation

- Maps class instances to S/R processes;
- Models asynchrony with synchrony;
- An S/R process serves as the global execution scheduler;
- Message buffers are modeled by separate S/R processes;
- Simulates dynamic creation of class instances;
- Bounds infinite state spaces of xUML models.

The asynchronous interleaving semantics of xUML and the synchronous parallel semantics of S/R make the translation from xUML to S/R a non-trivial process. Class instances are translated into S/R processes. The asynchrony is modeled by synchrony: an additional S/R process acts as the global execution scheduler, and message buffers become separate S/R processes. The dynamic creation of class instances is also simulated. Additionally, for some xUML models, we have to bound their infinite state spaces. This requires some inputs from the designers, who supply the bounds.

State Space Reductions in Model Translation

- Static partial order reduction (SPOR);
- Translating static attributes to constants;
- Reducing the send and consumption of a self message into a single state transition;
- Ranging variables to facilitate symbolic model checking (SMC).

State space reductions are another focus of our research. We embed several reductions in the translation.
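To make the mechanics of the preceding slides concrete (class instances stepping under asynchronous interleaving, buffered message passing, an xUML-level NEVER query built from state propositions, the error trace handed back on a violation, the designer-supplied bound that keeps the state space finite, and the self-message reduction), here is a small explicit-state checker written for this page. It is added example code, not ObjectCheck, COSPAN or the S/R translation: where the real tool chain makes the scheduler and every message buffer an S/R process and lets COSPAN do the search, this toy does the scheduling in `successors()` and the search in a breadth-first loop. The model (Controller, Joint2, Recovery1 and their messages), the FIFO-per-instance buffer with a capacity bound, the choice to report an unhandled message as a "can't happen" error, and the "self messages are consumed first" justification for folding are assumptions of the example, not facts from the slides.

```python
# Toy explicit-state checker in the style of the xUML-to-S/R approach. Constructed for this page
# (not ObjectCheck/COSPAN): interleaving, bounded buffers, NEVER queries, self-message folding.
from collections import deque, namedtuple

# transitions: {(state, message): next_state}; actions: {state: [(target or "self", message), ...]}
Instance = namedtuple("Instance", "name initial transitions actions")


class Checker:
    def __init__(self, instances, capacity=2, fold_self=False):
        self.inst = {i.name: i for i in instances}
        self.order = [i.name for i in instances]
        self.capacity = capacity    # designer-supplied bound on every message buffer (assumption)
        self.fold_self = fold_self  # fold send+consume of a self message into one transition

    def _enter(self, name, state, states, queues):
        # Enter `state` of instance `name` and run its state action (a list of sends).
        states[name] = state
        for target, msg in self.inst[name].actions.get(state, []):
            target = name if target == "self" else target
            nxt = self.inst[name].transitions.get((state, msg))
            if self.fold_self and target == name and nxt is not None:
                # A self message is consumed before any other, so send+consume is one transition.
                self._enter(name, nxt, states, queues)
                continue
            if len(queues[target]) >= self.capacity:
                raise OverflowError(f"buffer overflow: {msg} to {target}")
            queues[target] = queues[target] + (msg,)

    def _freeze(self, states, queues):
        return tuple((n, states[n], queues[n]) for n in self.order)

    def initial(self):
        states = {n: self.inst[n].initial for n in self.order}
        queues = {n: () for n in self.order}
        for n in self.order:
            self._enter(n, states[n], states, queues)
        return self._freeze(states, queues)

    def successors(self, g):
        # Asynchronous interleaving: exactly one instance consumes one message per step.
        for name in self.order:
            states = {n: s for n, s, _ in g}
            queues = {n: q for n, _, q in g}
            if not queues[name]:
                continue
            msg, queues[name] = queues[name][0], queues[name][1:]
            nxt = self.inst[name].transitions.get((states[name], msg))
            if nxt is None:  # unexpected event ("can't happen" in xUML): reported as an error
                yield (name, msg), None, f"can't happen: {msg} in {states[name]}"
                continue
            try:
                self._enter(name, nxt, states, queues)
            except OverflowError as exc:
                yield (name, msg), None, str(exc)
                continue
            yield (name, msg), self._freeze(states, queues), None

    def check_never(self, bad):
        """BFS for the query NEVER bad(g); returns (verdict, trace, states explored)."""
        start = self.initial()
        parent = {start: None}
        frontier = deque([start])
        while frontier:
            g = frontier.popleft()
            if bad(g):
                return "violation", self._trace(parent, g), len(parent)
            for label, ng, err in self.successors(g):
                if err:
                    return err, self._trace(parent, g) + [label], len(parent)
                if ng not in parent:
                    parent[ng] = (g, label)
                    frontier.append(ng)
        return "holds", [], len(parent)

    def _trace(self, parent, g):
        steps = []
        while parent[g] is not None:
            g, label = parent[g]
            steps.append(label)
        return steps[::-1]


# Constructed model (not the paper's robot controller): a controller commands a joint and
# concurrently raises a fault; recovery arms itself with a self message, then stops the joint.
MODEL = [
    Instance("Controller", "Start", {}, {"Start": [("Joint2", "Move"), ("Recovery1", "Fault")]}),
    Instance("Joint2", "Idle", {("Idle", "Move"): "Move_EE", ("Move_EE", "Stop"): "Idle"}, {}),
    Instance("Recovery1", "Off", {("Off", "Fault"): "Arming", ("Arming", "Arm"): "Active"},
             {"Arming": [("self", "Arm")], "Active": [("Joint2", "Stop")]}),
]


def joint_moving_while_recovering(g):
    """NEVER (Joint_2_in_Move_EE AND Recovery_Called), as on the query slide."""
    state = {n: s for n, s, _ in g}
    return state["Joint2"] == "Move_EE" and state["Recovery1"] == "Active"


def run(query, fold_self=False, capacity=2):
    return Checker(MODEL, capacity, fold_self).check_never(query)
```

`run(joint_moving_while_recovering)` reports a violation after exploring 6 global states, with the trace `[("Joint2", "Move"), ("Recovery1", "Fault"), ("Recovery1", "Arm")]`: the joint starts moving, then recovery fires and stops it while the joint is still in Move_EE, which is exactly the race the NEVER query forbids. With `fold_self=True` the same violation is found after 4 states and the `Arm` step disappears from the trace, because the Arming state is now transient. That is also the caveat of the reduction: a proposition that names a folded-away state can no longer be observed, so only states no query refers to should be folded. With `capacity=1` the checker returns a "buffer overflow" verdict instead of holds/violation, which is what a bound chosen too small by the designer looks like in practice.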

Error Trace Analysis Support

- Visualize errors via simulation driven by error traces.

As I mentioned, an error track generated by COSPAN can be automatically mapped to an error report on the xUML level. To make debugging easier, we also support visualization of a design error: a test case can be automatically generated from the error track and used to drive a simulation in the visual simulator provided by the xUML visual editor.

Effectiveness of State Space Reductions

- A liveness property was checked on an online ticket sale system;
- The xUML model was translated to two S/R models, with SPOR on or off;
- The two S/R models were checked by COSPAN with SMC on or off.

                  SMC off                         SMC on
    SPOR off      out of memory (time: N/A)       113.73 MB, 44736.5 s
    SPOR on       17.3 MB, 6668.3 s               74.0 MB, 1450.3 s
    (each cell gives memory usage, time usage)

Case studies demonstrated the effectiveness of the state space reductions we applied. The slide shows the statistics of checking a liveness property on an online ticket sale system. The xUML model of the system is translated into two S/R models, one with SPOR on and the other with SPOR off. The two S/R models are checked by COSPAN with SMC on or off. It can be observed that both SPOR and SMC achieved a significant reduction of the model checking complexity: either one alone turns an out-of-memory run into a completed one. SPOR alone gives the smallest memory footprint (17.3 MB), while adding SMC on top of SPOR raises memory to 74.0 MB but cuts the time by a further factor of about 4.6. The combined application of SPOR and SMC achieved the best time usage.

Conclusions and Future Work

- An approach to model checking of xUML models has been defined and implemented.
- Non-trivial xUML models have been checked: a robot control system and an online ticket sale system.
- Integrated state space reduction that supports verifying larger models is being developed.

Two major case studies have been conducted, one on a robot control system and the other on an online ticket sale system. Currently, we are working on an integrated state space reduction framework, which, we hope, will enable us to verify larger xUML models.