Presentation is loading. Please wait.

Presentation is loading. Please wait.

CEFRIEL Consorzio per la Formazione e la Ricerca in Ingegneria dell’Informazione Politecnico di Milano Model Checking UML Specifications of Real Time Software.

Published byMorgan Randall Modified over 9 years ago

Similar presentations

Presentation on theme: "CEFRIEL Consorzio per la Formazione e la Ricerca in Ingegneria dell’Informazione Politecnico di Milano Model Checking UML Specifications of Real Time Software."— Presentation transcript:

1 CEFRIEL Consorzio per la Formazione e la Ricerca in Ingegneria dell’Informazione Politecnico di Milano Model Checking UML Specifications of Real Time Software Luigi Lavazza CEFRIEL Politecnico di Milano Marco Mauri CEFRIEL Vieri Del Bianco CEFRIEL Politecnico di Milano

2 ICECCS 2002© Luigi Lavazza 2002 2 Acknowledgment This work was partly funded by MURST project DESS (Software Development Process for Real-Time Embedded Software Systems ) as part of the ITEA/Eureka programme. More on DESS at http://www.dess-itea.org

3 ICECCS 2002© Luigi Lavazza 2002 3 Context and problems Context: requirements modelling and specification of real-time systems. Problems: Formal methods are available and work fine, but they are not much used in industry (too difficult?!). Informal notations like UML are popular, but do not support well the activities (like proof of properties, simulations, test case generation, etc.) which are required in the development of real-time systems. UML is not adequate for modelling real-time systems.

4 ICECCS 2002© Luigi Lavazza 2002 4 Goals Strategic goal: high quality, efficient development process  Facilitate the usage of formal methods by hiding their inherent complexity from the user.  Extend UML in order to make it usable for modelling RT systems.  Use UML (or a suitable extension of UML) as a front- end for formal methods.

5 ICECCS 2002© Luigi Lavazza 2002 5 The envisaged environment UML CASE tool UML model (XMI) Model (formal notation1) Model checker Analyst Model (formal notation2) Translator Test case gen. Model (formal notation3) Simulator Results of model checking Results of simulation Test cases

6 ICECCS 2002© Luigi Lavazza 2002 6 Contents of the presentation Previous work/motivations A case study Real-time modelling with UML Translation of UML models Validation Conclusions

7 ICECCS 2002© Luigi Lavazza 2002 7 Previous work Lavazza, Quaroni, Venturelli: Combining UML and formal notations for modeling real-time systems, ESEC/FSE 2001. UML extended for dealing with time TRIO temporal logic as a formal notation TRIO history checker applied successfully Problem: analysis is not fully automatic, because of TRIO expressiveness

8 ICECCS 2002© Luigi Lavazza 2002 8 Which formal notation? Goal: fully automated verification of specification properties. Timed automata [Alur and Dill, A theory of timed automata, Theoretical Computer Science, n.126, 1994] allow the modeler to specify dynamic behaviour of systems and real-time (quantitative) constraints. Several model checkers for timed automata are available. We adopted Kronos [Yovine, Kronos: A verification tool for real-time systems. Int. J. of Software Tools for Technology Transfer, 1997]

9 ICECCS 2002© Luigi Lavazza 2002 9 Extensions for real-time: UML+ UML+ provides: Timed transitions; Transitions triggered by concurrent events; Negated events; References to transitions occurrence time in guards; Synchronous semantics. Its formal semantics is defined in terms of Timed statecharts [Kesten and Pnueli, Timed and Hybrid Statecharts and their Textual Representation, FTRTFT’92]

10 ICECCS 2002© Luigi Lavazza 2002 10 A case study: the CSMA/CD protocol Transmitting station (class sender) CD Wait Retry Transmitting Send [bus.busy()=false]/^bus.begin(i) [ ; ] / ^bus.end(i) [0,  ) CD Send [bus.busy()=true] [0,2*  CD [0,2*  [bus.busy()=true] [0,2*  [bus.busy()=false] begin(i)

11 ICECCS 2002© Luigi Lavazza 2002 11 The CSMA/CD protocol The bus (class bus) [;][;] begin endTrans [0;  ] / ^sender.CD Idle Collision Active Busy [0,  ) begin

12 ICECCS 2002© Luigi Lavazza 2002 12 Converting into equivalent T.A. Transmitting station {CD} Wait i TRUE Retry i X i  2  Transmitting i X i  {Send i begin_not_busy i }, X i :=0 X i = {end i } 0  X i  2  {Send i busy i }, X i :=0 0  X i  2  {CD}, X i :=0 0  X i  2  {busy i }, X i :=0 0  X i   {CD}, X i :=0 0  X i  2  {begin_not_busy i }, X i :=0

13 ICECCS 2002© Luigi Lavazza 2002 13 Converting into equivalent T.A. Bus X=  {begin_not_busy i }, X:=0 endTrans i Idle TRUE Collision X   Active X   Busy TRUE X <  {begin_not_busy i }, X:=0 busy i 0  X i   {CD}

14 ICECCS 2002© Luigi Lavazza 2002 14 Modelling and translation UML+ models can be edited using an enhanced version of ARGO/UML. The output of the tool is a file having an extended XMI format. XMI was extended to contain the information carried by UML+ models. Such XMI-like files are converted into Kronos timed- automata by a translator.

15 ICECCS 2002© Luigi Lavazza 2002 15 Limits for the translation Some UML+ models cannot be mapped onto timed automata: Negated events cannot be represented in Kronos timed automata. UML+ allows the specification of variable time intervals associated with transitions. However, Kronos does not accept guards of the type ck1 # ck2 - ck3 (where # is one of the relations, , etc.). Statecharts including such constructs cannot be translated into equivalent timed automata.

16 ICECCS 2002© Luigi Lavazza 2002 16 Verifying properties Bounded delay for collision detection init impl ab (TRANSMITTING1 and TRANSMITTING2) impl ad{<=26} (RETRY1 and RETRY2)    Transm1  Transm2    Retr1  Retr2  Successful transmission possible init impl ab ((TRASMITTING1 and X1=0 and (not COLLISION)) impl ed{<=26} (ad{<=782} WAIT1))     Transmitting1  X1=0   Collision)        Wait1)) or     Transmitting1  X1=0   Collision)      Wait1)) Both properties were proved by Kronos.

17 ICECCS 2002© Luigi Lavazza 2002 17 Further validation We modelled the control SW of the step motor of ACL8000, an automated blood analysis machine. The program developed by TXT e-solutions has to drive the motor and program timers controlling the acquisition of data while respecting several constraints. More on this in the CEFRIEL Technical Report 01002, 18/12/01, V. Del Bianco, L. Lavazza, M. Mauri, “An introduction to the DESS approach to the specification of real-time software” Available at http://www.cefriel.it

18 ICECCS 2002© Luigi Lavazza 2002 18 Evaluation of the proposed approach The approach is relatively straightforward and economic. The extended UML model was easily created by experienced UML users. The automatic translation made it possible to apply Kronos. Problem: writing properties in TCTL is not easy. But the resulting confidence that the model is correct with respect to the requirements largely rewarded developers for the additional effort required for writing TCTL statements. Problem: when a property does not hold, the user is presented the output of Kronos, which is not easy to read.

19 ICECCS 2002© Luigi Lavazza 2002 19 Conclusions It is possible to model RT systems using UML+, an extension of a subset of UML. We exploited the Timed Statecharts-based semantics of UML+ to translate models into timed automata. This allows the application of model checking, which would not be applicable directly to UML models. We achieved higher quality specifications at a little additional cost.

Download ppt "CEFRIEL Consorzio per la Formazione e la Ricerca in Ingegneria dell’Informazione Politecnico di Milano Model Checking UML Specifications of Real Time Software."

Similar presentations

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
Chapter 16 : KRONOS (Model Checking of Real-time Systems)

Chapter 16 : KRONOS (Model Checking of Real-time Systems)
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Budapest University of Technology and EconomicsDagstuhl 2004 Department of Measurement and Information Systems 1 Towards Automated Formal Verification.

Budapest University of Technology and EconomicsDagstuhl 2004 Department of Measurement and Information Systems 1 Towards Automated Formal Verification.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.

1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.
CS 290C: Formal Models for Web Software Lecture 4: Implementing and Verifying Statecharts Specifications Using the Spin Model Checker Instructor: Tevfik.

CS 290C: Formal Models for Web Software Lecture 4: Implementing and Verifying Statecharts Specifications Using the Spin Model Checker Instructor: Tevfik.
Timed Automata.

Timed Automata.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Presenter: PCLee – 2011.03.02. This paper outlines the MBAC tool for the generation of assertion checkers in hardware. We begin with a high-level presentation.

Presenter: PCLee – This paper outlines the MBAC tool for the generation of assertion checkers in hardware. We begin with a high-level presentation.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
CS 355 – Programming Languages

CS 355 – Programming Languages
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
10.6.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Similar presentations

Ads by Google