CEFRIEL Consorzio per la Formazione e la Ricerca in Ingegneria dell’Informazione Politecnico di Milano Model Checking UML Specifications of Real Time Software.

CEFRIEL Consorzio per la Formazione e la Ricerca in Ingegneria dell’Informazione Politecnico di Milano Model Checking UML Specifications of Real Time Software Luigi Lavazza CEFRIEL Politecnico di Milano Marco Mauri CEFRIEL Vieri Del Bianco CEFRIEL Politecnico di Milano

ICECCS 2002 © Luigi Lavazza

Acknowledgment
This work was partly funded by the MURST project DESS (Software Development Process for Real-Time Embedded Software Systems) as part of the ITEA/Eureka programme. More on DESS at

Context and problems
Context: requirements modelling and specification of real-time systems.
Problems:
- Formal methods are available and work fine, but they are not much used in industry (too difficult?!).
- Informal notations like UML are popular, but do not support well the activities (such as proof of properties, simulation, test case generation, etc.) that the development of real-time systems requires.
- UML is not adequate for modelling real-time systems.

Goals
Strategic goal: a high quality, efficient development process.
- Facilitate the usage of formal methods by hiding their inherent complexity from the user.
- Extend UML in order to make it usable for modelling RT systems.
- Use UML (or a suitable extension of UML) as a front-end for formal methods.

The envisaged environment (diagram)
The analyst edits a UML model in a UML CASE tool. The model is exported as XMI and fed to a translator, which produces models in formal notation 1, formal notation 2 and formal notation 3. These are consumed by a model checker, a test case generator and a simulator, which return respectively the results of model checking, test cases and the results of simulation.

Contents of the presentation
- Previous work/motivations
- A case study
- Real-time modelling with UML
- Translation of UML models
- Validation
- Conclusions

Previous work
Lavazza, Quaroni, Venturelli: Combining UML and formal notations for modeling real-time systems, ESEC/FSE.
- UML extended for dealing with time.
- TRIO temporal logic used as the formal notation.
- The TRIO history checker was applied successfully.
- Problem: the analysis is not fully automatic, because of the expressiveness of TRIO.

Which formal notation?
Goal: fully automated verification of specification properties. Timed automata [Alur and Dill, A theory of timed automata, Theoretical Computer Science, n. 126, 1994] allow the modeler to specify the dynamic behaviour of systems together with real-time (quantitative) constraints. Several model checkers for timed automata are available. We adopted Kronos [Yovine, Kronos: A verification tool for real-time systems. Int. J. of Software Tools for Technology Transfer, 1997].

Extensions for real-time: UML+
UML+ provides:
- timed transitions;
- transitions triggered by concurrent events;
- negated events;
- references to transition occurrence times in guards;
- synchronous semantics.
Its formal semantics is defined in terms of Timed Statecharts [Kesten and Pnueli, Timed and Hybrid Statecharts and their Textual Representation, FTRTFT'92].

A case study: the CSMA/CD protocol
Transmitting station (class sender), statechart (diagram): states Wait, Transmitting and Retry. Transition labels include Send [bus.busy()=false] / ^bus.begin(i), a timed transition / ^bus.end(i), CD (collision detected), Send [bus.busy()=true], [bus.busy()=true] and [bus.busy()=false]; the transitions carry time intervals, and the bus signals begin(i).

The CSMA/CD protocol
The bus (class bus), statechart (diagram): states Idle, Active, Busy and Collision. Transition labels include begin, endTrans and a timed transition / ^sender.CD; the transitions carry time intervals.

Converting into equivalent T.A.
Transmitting station i as a timed automaton (diagram): locations Wait_i (invariant TRUE), Retry_i and Transmitting_i, each of the latter two with an invariant bounding the clock X_i. Every edge resets the clock (X_i := 0) and carries a guard of the form lower bound ≤ X_i ≤ upper bound; the edge labels are {Send_i, begin_not_busy_i}, {end_i}, {Send_i, busy_i}, {CD}, {busy_i} and {begin_not_busy_i}.

Converting into equivalent T.A.
Bus as a timed automaton (diagram): locations Idle (invariant TRUE), Collision, Active and Busy (invariant TRUE), with clock X reset (X := 0) on the edges labelled {begin_not_busy_i}; the Collision and Active locations carry invariants on X. The edge labels are {begin_not_busy_i}, endTrans_i, busy_i and {CD}, the latter guarded by a bound on X.

Modelling and translation
UML+ models can be edited using an enhanced version of ARGO/UML. The output of the tool is a file in an extended XMI format: XMI was extended to carry the information contained in UML+ models. Such XMI-like files are converted into Kronos timed automata by a translator.

Limits of the translation
Some UML+ models cannot be mapped onto timed automata:
- Negated events cannot be represented in Kronos timed automata.
- UML+ allows the specification of variable time intervals associated with transitions. However, Kronos does not accept guards of the type ck1 # ck2 - ck3 (where # is one of the relational operators).
Statecharts including such constructs cannot be translated into equivalent timed automata.
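The translation rule the slides apply to timed transitions (one clock per object, reset on entering a state, the interval becoming a clock guard plus a location invariant) and the two untranslatable constructs just listed, as an added toy translator. This is illustration code written for this page, not the DESS translator; the input tuples and the rendered listing are an assumed format, not Kronos file syntax, and the numeric bounds in the sample are constructed.

```python
import re
from dataclasses import dataclass, field

# A constant interval such as "[0,26]" or "[0,26)"; "inf" marks an open upper bound.
INTERVAL = re.compile(r"^\[\s*(\d+)\s*[,;]\s*(\d+|inf)\s*([\])])$")

class UntranslatableError(ValueError):
    """A UML+ construct with no Kronos timed-automaton equivalent."""

@dataclass
class TimedAutomaton:
    clock: str
    invariants: dict = field(default_factory=dict)  # location -> (op, bound)
    edges: list = field(default_factory=list)       # (src, guard, label, reset, dst)

def translate(name, transitions):
    """transitions: (src, event, interval, action, dst) tuples; one clock per object."""
    clock = f"X_{name}"
    ta = TimedAutomaton(clock)
    for src, event, interval, action, dst in transitions:
        if event and event.startswith("not "):   # negated event: no TA equivalent
            raise UntranslatableError(f"negated event {event!r} on {src}->{dst}")
        guard = "TRUE"
        if interval is not None:
            m = INTERVAL.match(interval)
            if not m:   # e.g. "[ck1, ck2-ck3]": bounds that are not constants
                raise UntranslatableError(f"variable interval {interval!r} on {src}->{dst}")
            lo, hi, close = m.groups()
            op = "<=" if close == "]" else "<"
            guard = f"{lo} <= {clock}"
            if hi != "inf":
                guard += f" and {clock} {op} {hi}"
                # the source location may not be left later than its latest deadline
                old = ta.invariants.get(src)
                if old is None or int(hi) > old[1]:
                    ta.invariants[src] = (op, int(hi))
        label = " ".join(p for p in (event, action) if p) or "tau"
        # every edge resets the clock, so X measures the time since the state was entered
        ta.edges.append((src, guard, label, f"{clock}:=0", dst))
    return ta

def render(ta):
    """Human-readable listing of the automaton (assumed format, not Kronos syntax)."""
    lines = [f"clock {ta.clock}"]
    for loc, (op, bound) in sorted(ta.invariants.items()):
        lines.append(f"invariant {loc}: {ta.clock} {op} {bound}")
    for src, guard, label, reset, dst in ta.edges:
        lines.append(f"{src} --[{guard}] {label}, {reset}--> {dst}")
    return "\n".join(lines)
```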

Verifying properties
Bounded delay for collision detection (Kronos syntax):
init impl ab (TRANSMITTING1 and TRANSMITTING2) impl ad{<=26} (RETRY1 and RETRY2)
that is, $\mathit{init} \Rightarrow \forall\Box\,\big((\mathit{Transm}_1 \wedge \mathit{Transm}_2) \Rightarrow \forall\Diamond_{\le 26}\,(\mathit{Retr}_1 \wedge \mathit{Retr}_2)\big)$
Successful transmission possible (Kronos syntax):
init impl ab ((TRANSMITTING1 and X1=0 and (not COLLISION)) impl ed{<=26} (ad{<=782} WAIT1))
that is, $\mathit{init} \Rightarrow \forall\Box\,\big((\mathit{Transmitting}_1 \wedge X_1 = 0 \wedge \neg\mathit{Collision}) \Rightarrow \exists\Diamond_{\le 26}\,\forall\Diamond_{\le 782}\,\mathit{Wait}_1\big)$
Both properties were proved by Kronos.
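The first property above is a bounded-response formula: whenever both stations are transmitting, both must be in Retry within 26 time units. Kronos proves it over every run of the model; as an added example (not part of the original presentation), the checker below evaluates the same property over one recorded timed run, such as a simulator trace, and reports the first trigger that was not answered in time. The trace format and the sample run are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    time: float          # global time at which this configuration is entered
    active: frozenset    # state names active in the configuration

def holds(states, names):
    """True when every state in `names` is active."""
    return all(n in states for n in names)

def bounded_response(trace, trigger, response, bound):
    """AG(trigger -> AF<=bound response) over a finite timed trace.

    Returns ("ok", None) if every trigger occurrence is answered no later
    than `bound` after it, ("violated", t) with t the time of the first
    unanswered trigger whose deadline lies inside the trace, or
    ("inconclusive", t) when the trace ends before the deadline.
    """
    end = trace[-1].time
    for i, step in enumerate(trace):
        if not holds(step.active, trigger):
            continue
        deadline = step.time + bound
        # AF includes the present configuration, hence trace[i:]
        if any(holds(s.active, response) and s.time <= deadline for s in trace[i:]):
            continue
        if end < deadline:
            return "inconclusive", step.time
        return "violated", step.time
    return "ok", None

TRIGGER = ("TRANSMITTING1", "TRANSMITTING2")   # both stations transmitting
RESPONSE = ("RETRY1", "RETRY2")                 # both have detected the collision

def check_collision_detection(trace, bound=26):
    return bounded_response(trace, TRIGGER, RESPONSE, bound)

# Constructed sample run: a collision at t=5 is detected by both stations by t=27.
SAMPLE_TRACE = [
    Step(0.0, frozenset({"WAIT1", "WAIT2", "IDLE"})),
    Step(3.0, frozenset({"TRANSMITTING1", "WAIT2", "ACTIVE"})),
    Step(5.0, frozenset({"TRANSMITTING1", "TRANSMITTING2", "COLLISION"})),
    Step(18.0, frozenset({"RETRY1", "TRANSMITTING2", "COLLISION"})),
    Step(27.0, frozenset({"RETRY1", "RETRY2", "IDLE"})),
    Step(40.0, frozenset({"WAIT1", "WAIT2", "IDLE"})),
]

if __name__ == "__main__":
    print(check_collision_detection(SAMPLE_TRACE))
```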

Further validation
We modelled the control SW of the step motor of ACL8000, an automated blood analysis machine. The program, developed by TXT e-solutions, has to drive the motor and program the timers controlling the acquisition of data while respecting several constraints. More on this in CEFRIEL Technical Report 01002, 18/12/01, V. Del Bianco, L. Lavazza, M. Mauri, "An introduction to the DESS approach to the specification of real-time software". Available at

Evaluation of the proposed approach
The approach is relatively straightforward and economical. The extended UML model was easily created by experienced UML users, and the automatic translation made it possible to apply Kronos.
Problem: writing properties in TCTL is not easy. But the resulting confidence that the model is correct with respect to the requirements largely rewarded the developers for the additional effort required to write TCTL statements.
Problem: when a property does not hold, the user is presented with the output of Kronos, which is not easy to read.

Conclusions
It is possible to model RT systems using UML+, an extension of a subset of UML. We exploited the Timed Statecharts-based semantics of UML+ to translate models into timed automata. This allows the application of model checking, which would not be applicable directly to UML models. We achieved higher quality specifications at a little additional cost.