Xiaosong Lu Togashi Laboratory Department of Computer Science Shizuoka University April 1999 Specification and Verification of Hierarchical Reactive Systems
* Research Background and Objective * System Properties and Requirements * Formal Specifications * Soundness and Completeness * Synthesis of Formal Specifications * Compositional Verification * Reflection Introduction
* Statecharts (Modechart, RSML) *Visual Formalism *State Hierarchy and broadcast communication * SDL: Communicating finite-state machines * Petri Net: Event-driven, one-level concurrency * CCS, CSP: algebraic nature, recursion, nested concurrency, naming, channel communication... Related Work
* A New Methodology for Reactive Systems *System requirements: Declarative language *Formal specifications: Hierarchical state machines * A Flexible Development Environment *Stepwise Refinement *Reflection * Automatic Synthesis and Verification * Support of Modularity and Reusability Research Objective
System Requirements Synthesis System Formal Specifications Compiler Programs Requirement Acquisition VerifierSimulator Present system Reflection System System Overview
* SPS = * P: all atomic propositions * L: partition of P * D ⊆ L×L: partial order relation * L 0: topmost level propositions Hierarchical System Properties
SPS of a Radio/Tape Player On Radio, Tape Stereo Am, Fm Play, Pause P Lo D L
* ρ = * id: name * a: input symbol * f in : pre-condition * o: output symbol * f out : post-condition * Power on : ¬ On ⇒ On : * Function Requirement Power
* A Requirement Module of the Player * RM = System Requirement Module RM1 ¬ On Power ¬ On ⇒ On, Power TF : Temporal logic formulae BNameγ0 ΣΟ On ⇒ ¬ On Power
Other Requirement Modules RM2Radio RT Radio ⇒ Tape, RT TF : Temporal logic formulae On RT Tape ⇒ Radio RM3 Stereo S Stereo ⇒ ¬ Stereo, S TF : Temporal logic formulae On S ¬ Stereo ⇒ Stereo Radio/Tape Stereo
Other Requirement Modules RM4 Play Pause ¬ Play ⇒ Play (TF : Temporal logic formulae) PL,PA Stop Tape Play ∧¬ Pause ⇒ Pause, Play ∧ Pause ⇒ ¬ Pause Play ⇒ ¬ Play ∧¬ Pause PA RM5Am,Fm AF Am ⇒ Fm, Fm ⇒ Am (TF : Temporal logic formulae) Radio Tape Radio
* R = * System Requirement of the Player System Requirement RM1 - Power RM2 - Radio/Tape RM3 - Stereo RM5 - Radio RM4 - Tape RM0 >
* TM = * A State Transition Module of the Player State Transition Module Power ¬ On On Power Q Σ → q0q0
* M = * TM: state transition modules * 》 : partial order relation of state transition modules *TM 0 ⊆ TM: initial state transition modules Formal Specification
Formal Specification of the Player ¬ On On Power Radio Tape RT Stereo ¬ Stereo S S ¬ Play ∧¬ Pause PL Play ∧¬ Pause Play ∧ Pause PA Stop PA Am Fm AF TM0 》
Sub-states, Sub-transition, Default ¬ On On Power Radio Tape RT Stereo ¬ Stereo S S ¬ Play ∧¬ Pause PL Play ∧¬ Pause Play ∧ Pause PA Stop PA Am Fm AF TM0 》 Substates(Tape) Default(On) Sub-transition(Radio)
Global Behavior of the Player ¬ On Stereo On Radio Am Power RT Tape ¬ Play ∧¬ Pause On Stereo PL Play ∧¬ Pause On Tape Stereo ¬ On Power
Global Transition System Power ¬ On Power AF RT On, Tape ¬ Play, ¬ Pause On, Tape ¬ Play, ¬ Pause PL Stop PA On, Tape Play,Pause On, Tape Play,Pause On, Tape Play, ¬ Pause On, Tape Play, ¬ Pause PA On, Radio Am On, Radio Am On, Radio Fm On, Radio Fm AF RT Power Stereo ¬ Stereo S S
* Transition ├ Function Requirement * Transition Module ├ Requirement Module * Formal Specification ├ System Requirement Soundness
* M is Complete w.r.t. R * M is sound w.r.t. R * ∀ sound M’ w.r.t. R, * ∃ homomorphism ξ: M’→M * Standard System of R * sound * complete * unique Completeness
* Synthesis System * * Theorem on Synthesis: *The derived system is standard. Synthesis of Formal Specification system requirement module system requirement module State transition module State transition module System Requirement System Requirement Formal Specification Formal Specification
* Verification of Linear-time Properties * reachability analysis * liveness, fairness and safeness verification * trace analysis * Verification with Branching-time Logic * TCTL * partial model checker * further discussion Compositional Verification
* Bottom-up Algorithm * Time Complexity: O(|T| ・ log s |M|) Reachability Analysis Power Radio/Tape Stereo Radio Tape 1. Analyze local reachability [Play, Pause] 2. Find upper module, analyze [Tape] 3. Until initial module reached [On]
* Liveness: every state is in a circle *local liveness *upper state liveness * Fairness: strongly connected *initial module local fairness *all states reachable * Safeness: absence of deadlock *deadlock detection Liveness, Fairness, Safeness A A D D C C B B A A D D C C B B A A D D C C B B
* Syntax * p, a, o are TCTL formulae * ¬ f 1, f 1 ∧ f 2, AXf 1, EXf 1, A[f 1 Uf 2 ], E[f 1 Uf 2 ] are TCTL formula * f \ P, f \ A, f \ O are TCTL formulae * Trace-based Semantics Branching-time Logic: TCTL
* Partial verification * hierarchical structure based * sequential portion of formal specification * any level specification * Partial Model Checker * obtain list of all subformulas of f to be verified * label states with formulas on the hierarchical structure * backwards search for EX and EU Partial Model Checker
* Compositional Verification with Proof * Compositional Minimization * Symbolic Model Checking Further Discussion on Verification
* Transition Addition/Deletion/Modification * State Addition/Deletion * Nonexecutable Function Detection Reflection System Requirement System Requirement Formal Specification Formal Specification
* A Methodology for Specification and Verification of Reactive Systems * Future Work * Real-time, Predicate logic * Extensions on compositional verification * An integrated support environment Conclusion