
Hierarchical Design and Analysis of Reactive Systems Radu Grosu Stony Brook University www.cs.sunysb.edu/~radu.




1 Hierarchical Design and Analysis of Reactive Systems Radu Grosu Stony Brook University www.cs.sunysb.edu/~radu

2 Reactive Systems. Computer-based reactive systems are becoming an integral part of nearly every engineered product. They control: commercial aircraft, medical devices, household devices, telecommunication, nuclear power plants, automobiles.

3 Super Computers with Wings. The Boeing 777 has > 4M lines of code and > 1K embedded processors in order to control subsystems and aid pilots in flight management, and it interacts with humans in a sophisticated way. It is one of the greatest challenges in software engineering: hard real-time deadlines; mission- and safety-critical; complex and embedded within another complex system. "Companies that exploit information technology most effectively will be the most likely to dominate the aerospace landscape in the 21st century" [Aviation Week, 12/98].

4 Talk Outline: Introduction; Modeling reactive systems (next); Mode diagrams; From statecharts to mode diagrams; Modular reasoning; Model checking; Wrap-up.

5 Why Build Models? Modeling is a technique widely used in all engineering disciplines. In particular, for reactive systems it allows: to understand the problem better, to communicate with customers, to find errors or omissions, to plan out the design, to generate code.

6 Modeling Reactive Systems. Currently there are two main methods for modeling reactive systems: 1. software engineering methods, 2. formal methods. Software engineering methods (e.g. UML, UML-RT): mixed visual/textual notations; speed up the development cycle; improve customer/developer communication; analysis restricted to simulation and testing; restricted confidence in the modeled system. Formal methods (e.g. model checkers): mathematical models of reactive systems; speed up specification/prototyping; allow a thorough analysis of the modeled system; high confidence in the modeled system.

7 Software Engineering Methods. Successfully applied in: automotive, aerospace and telecommunications; logic design. Tools: SDL, ROOM, Statemate, Rhapsody, UML-RT; Cierto VC CoDesign, StateCAD/StateBench. Companies: Telelogic, Verilog, ObjecTime, iLogix, Rational; Cadence, Visual Software Solutions.

8 Model Checkers. Advantage: fully automated formal verification; effective debugging tool. Standard approaches: enumerative search with reduction heuristics; symbolic search using BDDs. [Figure: a model and a temporal property are given to the model checker, which answers "yes" or returns an error trace.] No longer academic research only. "... model checking will be the second most important, if not the most important, tool in the verification tool suite." [Cadence Web]

9 Model Checkers. Successfully applied in: hardware design and analysis; finding bugs in cache coherence protocols, video graphics image chips (>96 processors). Tools: Spin, Murφ, Mocha, LMC, XMC, ...; FormalCheck, Cospan, VERDICT, SMV, VIS, ... Companies: Cadence, Lucent, Intel, IBM, Motorola, Siemens.

10 Unfortunately... 1. There is a considerable gap between software engineering and formal methods. 2. Scalability is still a challenge for formal analysis tools.

11 Fortunately: Long Term Research Program. 1. Close the gap between software engineering and formal methods. 2. Scale up the analysis tools by exploiting the software engineering artifacts.

12 Talk Outline: Introduction; Modeling reactive systems; Mode diagrams (next); From statecharts to mode diagrams; Modular reasoning; Model checking; Wrap-up.

13 Mode Diagrams. 1. Visual language for hierarchic reactive machines: hierarchic modes, mode sharing, group transitions, history, mixed and/or hierarchies. 2. Observational trace semantics: mode refinement, modular reasoning. 3. Model checker: exploits the hierarchy information, exploits the type information.

14 Telephone Exchange: Architecture. Characteristics: description is hierarchic; well-defined interfaces; supports a black-box view. Model checking: modular reasoning, e.g. in SMV, Mocha, ... Types: TelI = tk | onH | offH | dig(int); TelO = tk | dtB | dtE | rtB | rtE; ti_1, ..., ti_n : TelI; to_1, ..., to_n : TelO. [Figure: TelExchange made of switches TelSw_1 ... TelSw_n connected through a bus, with telephone ports ti_i/to_i and bus ports bi_i/bo_i.]

15 Telephone Exchange: Behavior. Interface of a switch: read ti : TelI, bi : BusI; write to : TelO, bo : BusO; local nr : (0..n). [Figure: mode diagram of TelSw with modes onHook, offHook, idle, ringing, gettingNo, connecting and talking; transitions labelled onH, offH (ti?onH), call, answ, rtB, rtE and ok.]

16 Talk Outline: Introduction; Modeling reactive systems; Mode diagrams; From statecharts to mode diagrams (next); Modular reasoning; Model checking; Wrap-up.

17 Statecharts. Formalism: introduced in 1987 by David Harel; related notations: Rsml, Modecharts, Roomcharts; key component in OO methods: UML, ROOM, OMT, etc. Software: iLogix, ObjecTime, Rational, etc. Application area: automotive industry, avionics, telecommunications, etc. Semantics: many attempts (more than 24 semantics), all operational: no trace semantics, no refinement rules.

18 From Statecharts to Modes. Obstacles in achieving modularity, and the mode-diagram construct that addresses each: State references -> scoping of variables (data interface): nested state references break encapsulation. Group transitions -> default points (control interface): group transitions implicitly connect deeply nested modes. Regular transitions -> entry/exit points (control interface): regular transitions connect deeply nested modes. [Figure: the telSw statechart with states onHook, offHook, idle, ringing, gettingNo, connecting and talking, and transitions ini, onH, offH, call, answ, rtB, rtE and ok.]

19 Talk Outline: Introduction; Modeling reactive systems; Mode diagrams; From statecharts to mode diagrams; Modular reasoning (next); Model checking; Wrap-up.

20 Operational Semantics. Macro transitions (mT) have the form (e,s) -> (x,t) and are obtained from chains (e_0,s_0) -> (c_1,s_1) -> ... -> (e_n,s_n). Operational semantics: control points, variables, macro transitions. [Figure: a mode m with entry points e1, e2, exit points x1, x2, default entry de and default exit dx, sub-modes sm1, sm2, sm3, and transitions t1 to t6.]

21 Denotational Semantics. Execution of m: (e_0,s_0) -> (x_0,t_0) -> (e_1,s_1) -> (x_1,t_1) -> ... -> (x_n,t_n). For even i, (e_i,s_i) -> (x_i,t_i) is in mT. For odd i, s_i[V_p] = s_{i+1}[V_p] (the private variables are preserved across the environment's step). Set of traces L_m of m: projection of the executions on the global variables. Denotational semantics: control points, global variables, L_m. Refinement m < n: inclusion of the sets of traces, L_m ⊆ L_n.
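As an added illustration of the trace semantics on this slide (example code, not part of the talk), here are two constructed modes M and N with one global variable g and one private variable p: executions alternate mode rounds (macro transitions) with environment rounds that may change g but must preserve p, traces are the projection of executions on control points and g, and refinement is checked as inclusion of the trace sets bounded to a given number of rounds. The modes, the domain {0,1} and the round bound are assumptions.

```python
GVALS = (0, 1)  # domain of the global variable g (constructed)

def mt_M(e, g, p):
    """Macro transitions of mode M (constructed): from entry e with global g and
    private p, exit at x with g' = p and p' = g, i.e. g is routed through p."""
    return {("x", p, g)}

def mt_N(e, g, p):
    """Macro transitions of mode N (constructed): exit at x with g' chosen
    nondeterministically and p unchanged; N abstracts M."""
    return {("x", g2, p) for g2 in GVALS}

def executions(mt, rounds):
    """Executions (e0,s0) -> (x0,t0) -> (e1,s1) -> ... of `rounds` rounds.
    States are (control point, g, p); the private p starts at 0."""
    execs = {(("e", g, 0),) for g in GVALS}
    for _ in range(rounds):
        nxt = set()
        for ex in execs:
            e, g, p = ex[-1]
            for x, g1, p1 in mt(e, g, p):        # even step: a macro transition in mT
                for g2 in GVALS:                 # odd step: the environment may change g
                    nxt.add(ex + ((x, g1, p1), ("e", g2, p1)))  # but must keep p
        execs = nxt
    return execs

def traces(mt, rounds):
    """L_m: executions projected on control points and global variables."""
    return {tuple((cp, g) for cp, g, _p in ex) for ex in executions(mt, rounds)}

def refines(mt_m, mt_n, rounds):
    """m < n iff L_m is included in L_n (checked up to `rounds` rounds)."""
    return traces(mt_m, rounds) <= traces(mt_n, rounds)
```

Because p is hidden by the projection, M's routing of g through p is invisible in L_M, which is why M refines N although N's private state never changes.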

22 Modular Reasoning. [Figure: inference rules, stated as trace-inclusion judgments M < N between modes, for sub-mode refinement, super-mode refinement and assume/guarantee reasoning.]

23 Talk Outline: Introduction; Modeling reactive systems; Mode diagrams; From statecharts to mode diagrams; Modular reasoning; Model checking (next); Wrap-up.

24 Symbolic Search. R_{k+1} = R_k | (O_k & T), O_{k+1} = R_{k+1} - R_k. [Figure: nested regions R_0 ⊆ R_1 ⊆ R_2 ⊆ ... ⊆ R_k inside the state space A.]

25 Model Checking. Graphical editor and both an enumerative and a symbolic model checker. Reachability analysis exploits the structure: the reached state space is indexed by control points; the transition relation is indexed by control points; the transition type is exploited; mode definitions are shared among instances.
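The frontier iteration of slide 24 combined with the control-point-indexed reached set of this slide and slide 27, as an added Python example that is not the talk's tool: state sets are explicit Python sets rather than mdds, and the small hierarchic system (control points z, w0, w1, id; counters c and z plus a local w1 bounded by N) is constructed to resemble, not reproduce, the generic hierarchic system of slide 26.

```python
from collections import defaultdict

N = 2  # bound on the counters (constructed value)

# Variables in scope at each control point: the inner points w0 and w1 also see
# the local counter w1; the outer points z and id do not (cf. slide 27).
SCOPE = {"z": ("c", "z"), "id": ("c", "z"),
         "w0": ("c", "z", "w1"), "w1": ("c", "z", "w1")}

def project(cp, val):
    """Keep only the variables in scope at cp (the rest are quantified away)."""
    return tuple(val[x] for x in SCOPE[cp])

def transitions(cp, val):
    """Transition relation indexed by control point; yields (cp', val')."""
    c, z = val["c"], val["z"]
    if cp == "z":                        # enter the inner mode, initialising w1
        yield "w0", {"c": 1, "z": z, "w1": 0}
    elif cp == "w0":
        w1 = val["w1"]
        if c == 1 and w1 < N:            # inc: c=1 & w1<n & c'=0 & w1'=w1+1
            yield "w1", {"c": 0, "z": z, "w1": w1 + 1}
        if (c == 1 and w1 == N) or c == 2:   # skp: (c=1 & w1=n) | c=2 -> skip
            yield "id", {"c": c, "z": z}      # w1 falls out of scope here
    elif cp == "w1":                     # inner loop back to w0
        yield "w0", {"c": 1, "z": z, "w1": val["w1"]}
    elif cp == "id" and z < N:           # outer counter advances
        yield "z", {"c": 0, "z": z + 1}

def reach(init_cp, init_val):
    """Frontier search: R_{k+1} = R_k | (O_k & T), O_{k+1} = R_{k+1} - R_k.
    Returns (reached set indexed by control point, number of frontier rounds)."""
    reached = defaultdict(set)                          # R_k
    frontier = {init_cp: {project(init_cp, init_val)}}  # O_0
    reached[init_cp] |= frontier[init_cp]
    rounds = 0
    while any(frontier.values()):
        new = defaultdict(set)                          # O_{k+1} = R_{k+1} - R_k
        for cp, vals in frontier.items():
            for v in vals:
                for cp2, val2 in transitions(cp, dict(zip(SCOPE[cp], v))):
                    t = project(cp2, val2)
                    if t not in reached[cp2]:           # only genuinely new states
                        reached[cp2].add(t)
                        new[cp2].add(t)
        frontier, rounds = new, rounds + 1
    return dict(reached), rounds

def state_count(reached):
    return sum(len(s) for s in reached.values())
```

Calling reach("z", {"c": 0, "z": 0}) explores 21 states in 21 frontier rounds; the set stored at id has arity 2 while the sets at w0 and w1 have arity 3, which is the per-control-point variable scoping that lets an mdd-based checker keep each reached set small.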

26 Example: Generic Hierarchic System. Declarations recoverable from the diagram: local c : (0..2); local v3 : (0..n); local w1 : (0..n); local z : (0..n). Transitions: (c=1 & w1=n) | c=2 -> skip; c=1 & z ... -> c:=0; z:=z+1 (the guard is partly lost in the transcript). [Figure: nested modes with control points w0, w1, v2, v3, z, id and c, and transitions inc and skp.]

27 The Reached Set. The reached set is indexed by control points: each reached control point has an associated multi-valued binary decision diagram (mdd); the set of variables of an mdd depends on the scope of the control point. [Figure: the hierarchic system of slide 26 annotated at its control points with the reached sets R(c,z), R(c,z,w1), R(c,z,w1,v3), R(c,z,w1,v3,h_w1) and R(c,z,w1,v3,h_w1,h_z).]

28 The Transition Relation. The transition relation is indexed by control points (cf. conjunctively partitioned mdds): each transition has an associated mdd; the set of variables of an mdd depends on the scope of the transition; type information: no identity extension necessary; variable scoping enables early quantification. Example transitions from the diagram: inc: c=1 & v3<n & c'=0 & v3'=v3+1; skp: (c=1 & w1=n) | c=2; history update h_z = 2, h'_z = 1. Image computations: ∃c,v3.( R(c,z,w1,v3) & inc(c,c',v3,v3') )[c',v3' := c,v3] and ∃w1.( R(c,z,w1) & skp(c,w1) ).

29 Results. As expected, the model checker for modes is superior to current model checkers when: sequential behavior is hierarchical; modes have local variables.

30 GHS Space Requirements [chart; data not in the transcript].

31 GHS Time Requirements [chart; data not in the transcript].

32 Wrap-Up. Bridging the gap between software engineering and formal methods provides a wealth of research opportunities: Hierarchic Reactive Machines: compositional semantics [CSD'98, POPL'00], model checking [CAV'00]. Hybrid Systems: compositional semantics [FTRTFT'98, WRTP'98], hybrid mode diagrams in CHARON [HSCC'00]. Message Sequence Charts: semantics [CSI'98, OOPSLA'97], automatic translation to SM [DIPES'00, GP19837871], hybrid sequence charts [WORDS'99, ISORC'00].

33 Wrap-Up. Automating Modular Reasoning: refinement check of asynchronous systems [FMCAD'00]. Modeling Mobile Systems: dynamic reconfiguration [Amast'96, NWPT'96], mobility [HICSS'98]. Formal Foundation of OO Methods: UML [TAA'98, ECOOP'97], UML-RT [JUCS'00, JOOP'00, OOPSLA'98, BSBS'99].


35 Mocha Tool. Mode diagrams will be integrated in Mocha. Mocha itself is currently being recoded in Java for better support of: software engineering aspects; modular reasoning.

36 Semantics of Modes. Game semantics: environment round, from exit points to entry points; mode round, from entry points to exit points. The set of traces of a mode: constructed solely from the traces of the sub-modes and the mode's transitions. Refinement: defined as usual by inclusion of trace sets; is compositional w.r.t. mode encapsulation.

37 Wrap-up. Consider alternative state space representations for mode diagrams (e.g. indexing the mdds by modes); allow optional compilation of modes to their macro transition relation; automate modular reasoning for mode diagrams; fully integrate mode diagrams with Mocha; consider abstraction mechanisms for modes; consider applications of and/or mode hierarchies; extension to hybrid mode diagrams; integration with sequence diagrams.

38 Modeling in UML. Modeling in UML consists of building several models according to five views: Structural View: Class Diagrams, Object Diagrams. Behavioral View: Sequence Diagrams, Collaboration Diagrams, Statechart Diagrams, Activity Diagrams. Implementation View: Component Diagrams. Environment View: Deployment Diagrams. User View: Use Case Diagrams.


40 Motivation. Scalable analysis demands modular reasoning: the modeling language has to support syntactically and semantically modular constructs; model checking has to exploit modular design. Close the gap between: software design languages (UML, Statecharts, Rsml); model checking languages (Spin, SMV, Mocha).

41 Talk Outline: Introduction; Modeling reactive systems; Mode diagrams; From statecharts to mode diagrams; Modular reasoning (next); Conjunctive modes; Implementation; Wrap-up.

42 Modular Reasoning. Compositional reasoning: central to many formalisms: CCS, I/O Automata, TLA, etc. Circular assume/guarantee reasoning: valid only when the interaction of a module with its environment is non-blocking. Terminology: compositional and assume/guarantee reasoning based on observable behaviors. Application area: only recently has it begun to be automated by model checkers; until now restricted to architecture hierarchies.

43 Compositional Reasoning. [Figure: inference rules for sub-mode refinement and super-mode refinement, stated as trace-inclusion judgments M < N between modes M, M', N, N' and a guarantee G.]

44 Assume/Guarantee Reasoning. [Figure: the assume/guarantee rule, stated as trace-inclusion judgments between modes M, M', N and N'.]

45 Talk Outline: Introduction; Modeling reactive systems; Mode diagrams; From statecharts to mode diagrams; Modular reasoning; Conjunctive modes (next); Implementation; Wrap-up.

46 Conjunctive Modes. Synchronous semantics: state s = (i_1, i_2, o_1, o_2, p_1, p_2). Execution: s_0 -env-> s_1 -syst-> s_2 -env-> ... -> s_k -syst-> s_{k+1}, where the system step runs M1 (s_1 -> s_11) and then M2 (s_11 -> s_2). Parallel composition of reactive modules M1 || M2: M1 reads i_1, p_2 and writes o_1, p_1; M2 reads i_2, p_1 and writes o_2, p_2; the composite reads i_1, i_2, p_1, p_2 and writes o_1, o_2, p_1, p_2. [Figure: the two modules wired through i_1, i_2, o_1, o_2, p_1, p_2, and their translation into modes M1 and M2 executed in sequence.]

47 And/Or Hierarchies. The ability to express conjunctive modes is important for the construction of arbitrary and/or hierarchies. Consider a hypothetical search and rescue robot operating on a battlefield: [Figure: a Search&rescue mode decomposed into search, found, approach, pick, transport and done, with finer modes labelled lookFS, headTT, lookFGU, explWNHO, lookFHO, lookFEC, headTKL, motionC and sonarM.]

48 Mocha Tool Architecture. [Figure: an Integrated Development Environment with a Manager over a Specs DB, hRM DB, Proofs DB and Rules DB; a Proof Manager with a Tacticals DB; a Simulator; a Specification front end with TextEditor, VisEditor and Parser for both the BehModel and the ArchModel; and a ModelChecker built on BDD Packs and Reduction Algs.]

49 Wrap-up: Structural View (Class Diagrams, Object Diagrams). Bridging the gap between software engineering and formal methods provides a wealth of research opportunities. Allow expressing architectural design patterns: add process arrays, exploit symmetry, add abstraction mechanisms, automate modular reasoning, add dynamic architectures, architecture algebra.

50 Wrap-up: Behavioral View (Sequence Diagrams, Collaboration Diagrams). Popular in requirements capture and testing: sequence diagrams for shared memory, sequence diagrams for hybrid systems, automatic translation to mode diagrams, analysis of sequence diagrams, consistency of sequence/mode diagrams, interaction algebra.

51 Wrap-up: Behavioral View (Statechart Diagrams). Essential component in all methods: explore alternative representations, optional compilation of modes, explore better sharing schemes, automate modular reasoning, add abstraction mechanisms, consider implications of and/or hierarchies, integrate with architecture diagrams, behavior algebra.

52 Wrap-up: Behavioral View (Activity Diagrams). Consider differential equations for activities: hybrid hierarchic modes; avionics, robotics, automotive industry; global and modular simulation; exploit hierarchy in analysis; relate to hybrid sequence diagrams.

53 Wrap-up: Environment View (Deployment Diagrams). Modeling and analysis of: distributed reactive systems; mobile reactive systems.

54-63 A Macro Step. [Animation over the generic hierarchic system of slide 26: starting from the set X_k, the transitions inc and skp are followed through the control points w0, w1, v2, v3, z, id and gcs to compute E_{k+1}, and the result is accumulated as X_k | X'_{k+1} and then X_k | X'_{k+1} | X''_{k+1}.]

