Efficient Reachability Analysis of Hierarchic Reactive Modules R. Alur, R.Grosu, M.McDougall University of Pennsylvania

Motivation Scalable analysis demands modular reasoning: modeling language has to support syntactically and semantically modular constructs, model checking has to exploit modular design. Close the gap between: software design languages (UML,Statecharts,Rsml,…), model checking languages (Spin, SMV, Mocha,…).

Talk Outline Motivation Mode diagrams From statecharts to mode diagrams Model checking Wrap-up

Mode Diagrams 1.Visual language for hierarchic reactive machines hierarchic modes, mode sharing, group transitions, history, mixed and/or hierarchies. 2. Observational trace semantics mode refinement, modular reasoning. 3. Model checker exploits the hierarchy information, exploits the type information.

Characteristics Description is hierarchic. Well defined interfaces. Supports black-box view. Model checking Modular reasoning. E.g. in SMV, Mocha. Telephone Exchange: Architecture TelExchange ti 1 to 1 ti n to n TelSw 1 TelExchange Bus TelSw n bo 1 bi 1 bo n bi n ti 1 to 1 ti n to n …

TelSw 1 TelExchange Bus TelSw n bo 1 bi 1 bo n bi n ti 1 to 1 ti n to n … onHookoffHook onH call answ rtB Telephone Exchange: Behavior ti?onH onH connecting talking ok call rtB gettingNo ok rtB answ onH idle ringing rtB rtE rtB call offH answ read ti : TelI, bi : BusI; write to : TelO,bo : BusO; local nr : (0..n)

Statecharts Formalism Introduced: 1987 by David Harel, Related notations: Rsml, Modecharts, Roomcharts, Key component in OO Methods: UML, ROOM, OMT, etc. Difficulties No denotational trace semantics (no refinement notion), No scoping for variables. Previous attempts compile statecharts to flat diagrams.

rtB onH connecting talking ok gettingNo ok idle ringing rtB rtE rtB offH onHookoffHook From Statecharts to Modes Obstacles in achieving modularity State reference -> Scoping of variables (data interface) Group transitions implicitly connect deep nested modes. Regular transitions -> Entry/exit points (control interface) call answ Nested state references break encapsulation. Group transitions -> Default points (control interface) Regular transitions connect deep nested modes. telSw offHookonHook rtB onH answ call ini

Model Checking Graphical editor and both an enumerative and a symbolic model checker. Reachability analysis exploits the structure: Reached state space indexed by control points, Transition relation is indexed by control points, Transition type exploited in mdd construction, Mode definitions are shared among instances.

Example: Generic Hierarchic System v2 inc skp v3 w1 w0 inc skp w1 z incskp z id c incskp inc v3 local c : (0..2) local v3 : (0..n) (c=1 & w1=n) | c=2 -> skip; local w1 : (0..n) c=1 & z c:=0; z:=z+1; local z : (0..n)

Enumerative Model Checker w0 inc skp w1 z incskp z id c c c w1 z c w0 z z c c = 1 w0 = 0 z = 0 c = 1 z = 0 c = 1 w1 = 1 z = 0 w0 = 0 c = 1 z = 0 w1 = 1 stored as Transitions Traversed in a depth first way, Indexed by control points, Shared among instances of the same definition. States States are stored as a stacks, Stacks share common elements, States (stacks) are entries of a hash table, States are compressed as bitstrings.

v2 inc skp v3 w1 incskp z id c incskp inc v3 inc w0 skp w1 z R(c,z,w1,v3) The reached set is indexed by control points: Each reached control point has an associated multi valued binary decision diagram (mdd), The set of variables of an mdd depends on the scope of the control point. Symbolic MC: The Reached Set R(c,z,w1,v3) R(c,z,w1,v3,h w1 ) R(c,z,w1)

The transition relation is indexed by control points (> conjunctively partitioned mdds): Each transition has an associated mdd, The set of variables of an mdd depends on the scope of the transition, Type information: no identity extension necessary, Variable scoping enables early quantification. Symbolic MC: The Transition Relation v2 inc skp v3 w1 incskp z id gcs inc skp inc v3 w0 inc skp w1 z c=1 & v3<n & c’=0 & v3’=v3+1 h z = 2 h’ z = 1 (  c,v3. R(c,z,w1,v3) & inc(c,c’,v3,v3’) )[c’,v3’:=c,v3]  w1. R(c,z,w1) & skp(c,w1)

y inc zv w xu Hierarchy and Concurrency P(x,y) & (Q(u,v) | R(u,w))

As expected, the model checker for modes is superior to current model checkers when: sequential behavior is hierarchical, modes have local variables. Results

GHS Space Requirements

GHS Time Requirements

Project HeRMes Current status: visual language for behavior hierarchy, compositional semantics, modular refinement rules, model checking exploits hierarchic structure. Future work: improve heuristics exploiting hierarchy, improve use of sharing, integrate/automate modular reasoning, collaboration with NEC on case studies, connection to Rational Rose/ObjecTime.

Demos at CAV jMocha v2.0 (released soon): joint project U.C. Berkeley & UPenn, a new version written in java, several new features: MSC-like simulator, proof manager, script language. HeRMes v1.0 (prototype): developed at UPenn, supports mode diagrams in this talk, Demos: Tuesday morning, Wednesday afternoon.

Modular Reasoning M M’ N’ < N N M < M’ N’ M’ N’ N < N Assume/guarantee reasoning N N’ < N M M < Sub-mode refinement N M < N M’ Super-mode refinement M M’ < N

A Macro Step A macro step is a breadth first traversal of the hierarchic mode graph starting at: the default entry point of the top level mode and ending at: the default exit point of the top level mode or inside the mode if no new states are produced.

Semantics of Modes Game Semantics Environment round: from exit points to entry points. Mode round: from entry points to exit points. The set of traces of a mode Constructed solely from the traces of the sub-modes and the mode’s transitions. Refinement Defined as usual by inclusion of trace sets. Is compositional w.r.t. mode encapsulation.

Modular Reasoning Compositional Reasoning Central to many formalisms: CCS, I/O Automata,TLA, etc. Circular Assume/Guarantee Reasoning Valid only when the interaction of a module with its environment is non-blocking. Terminology Compositional and assume/guarantee reasoning based on observable behaviors. Application area Only recently is being automated by model checkers, Until now restricted to architecture hierarchies.

Conjunctive Modes Synchronous semantics State s = (i 1, i 2, o 1, o 2, p 1, p 2 ) Execution M2M2 M2M2 s0s0 env s1s1 syst s2s2 env sksk … syst s k+1 M1M1 s 11 M1M1 s k1 Parallel composition of reactive modules M2M2 i2i2 i1i1 o2o2 o1o1 p1p1 p2p2 M1M1 Translation with modes M2M2 M1M1 s1s1 s 11 s2s2 read i 1,i 2,p 1,p 2 ; write o 1,o 2,p 1,p 2 ; read i 1,p 2 ; write o 1,p 1 ; read i 2,p 1 ; write o 2,p 2 ;

searchapproach found transport Search&rescue pickdone And/Or Hierarchies lookFSheadTT The ability to express conjunctive modes is important for the construction of arbitrary and/or hierarchies. Consider a hypothetical search and rescue robot operating on a battle field: lookFGUexplWNHO lookFHO lookFECheadTKL motionCsonarM

Integrated Development Environment Manager Specs DB hRM DB Proofs DB Rules DB Proof Manager Tacticals DB Simulator TextEditor VisEditor Parser Specification BehModel TextEditor VisEditor Parser ArchModel TextEditor VisEditor Parser ModelChecker BDD Packs Reduction Algs Mocha Tool Architecture

Wrap-up Behavioral View Activity Diagrams Consider differential equations for activities: Hybrid hierarchic modes, Avionics, robotics, automotive industry. Global and modular symulation, Exploit hierarchy in analysis, Relate to hybrid sequence diagrams.