Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modular Refinement of Hierarchic Reactive Machines Rajeev Alur Radu Grosu University of Pennsylvania www.cis.upenn.edu/~alur,grosu/

Published byJessie Jefferson Modified over 8 years ago

Similar presentations

Presentation on theme: "Modular Refinement of Hierarchic Reactive Machines Rajeev Alur Radu Grosu University of Pennsylvania www.cis.upenn.edu/~alur,grosu/"— Presentation transcript:

1 Modular Refinement of Hierarchic Reactive Machines Rajeev Alur Radu Grosu University of Pennsylvania www.cis.upenn.edu/~alur,grosu/

2 Results 1.Visual language for hierarchic reactive machines hierarchic modes, mode sharing, group transitions, history, mixed and/or hierarchies. 2. Observational trace semantics mode refinement, compositional and assume/guarantee reasoning.

3 Motivation Scalable analysis demands modular reasoning: modeling language has to support syntactically and semantically modular constructs, model checking has to exploit modular design. Close the gap between: software design languages (UML, Statecharts, Rsml), model checking languages (Spin, SMV, Mocha).

4 Characteristics Description is hierarchic. Well defined interfaces. Supports black-box view. Model checking Compositional reasoning. Assume/guarantee reasoning. E.g. in SMV, Mocha. Telephone Exchange: Architecture TelI = tk | onH | offH | dig(int) TelO = tk | dtB | dtE | rtB | rtE ti 1,…,ti n : TelI; to 1,…,to n : TelO; TelExchange ti 1 to 1 ti n to n TelSw 1 TelExchange Bus TelSw n bo 1 bi 1 bo n bi n ti 1 to 1 ti n to n …

5 TelSw 1 TelExchange Bus TelSw n bo 1 bi 1 bo n bi n ti 1 to 1 ti n to n … onHookoffHook onH call answ rtB Telephone Exchange: Behavior tel?onH onH connecting talking ok call rtB gettingNo ok rtB answ onH idle ringing rtB rtE rtB call offH answ read ti : TelI; write to : TelO; local nr : (0..n)

6 Hierarchic Behavior Diagrams Formalism Introduced: 1987 by David Harel as Statecharts, Related notations: Rsml, Modecharts, Roomcharts, Key component in OO Methods: UML, ROOM, OMT, etc. Software ILogix, ObjecTime, Rational, etc. Application Area Automotive industry, avionics, etc. Semantics Many attempts (more than 24 semantics), All operational: no trace semantics, no refinement rules.

7 rtB onH connecting talking ok gettingNo ok idle ringing rtB rtE rtB offH onHookoffHook From Statecharts to Modes Obstacles in achieving modularity State reference -> Scoping of variables (data interface) Group transitions implicitly connect deep nested modes. Nested state references break encapsulation. Regular transitions -> Entry/exit points (control interface) call answ Group transitions -> Default points (control interface) Regular transitions connect deep nested modes. telSw offHookonHook rtB onH answ call ini

8 Semantics of Modes Game Semantics Environment round: from exit points to entry points. Mode round: from entry points to exit points. The set of traces of a mode Constructed solely from the traces of the sub-modes and the mode’s transitions. Refinement Defined as usual by inclusion of trace sets. Is compositional w.r.t. mode encapsulation.

9 Modular Reasoning Compositional Reasoning Central to many formalisms: CCS, I/O Automata,TLA, etc. Circular Assume/Guarantee Reasoning Valid only when the interaction of a module with its environment is non-blocking. Terminology Compositional and assume/guarantee reasoning based on observable behaviors. Application area Only recently is being automated by model checkers, Until now restricted to architecture hierarchies.

10 Compositional Reasoning N N’ < G M < G M’ N M N’ M < Sub-mode refinement N M < N M’ Super-mode refinement

11 Assume/Guarantee Reasoning MM’ N’ < N N M < M’ N’ N M’ N’ N < N

12 M2M2 M’ 1 svrs Translation with modes Conjunctive Modes read i 1,i 2 ; write o 1,o 2,p 1,p 2 ; local p’ 1 ; p’ 1 := p 1 ;p 1 := p’ 1 ; M2M2 i2i2 M1M1 i1i1 o2o2 o1o1 p1p1 p2p2 Parallel composition of reactive modules Synchronous semantics State s = (i 1, i 2, o 1, o 2, p 1, p 2 ) Execution s 1 s 2 s 3 s 4 … s k … syst env

13 Ongoing Work Both an enumerative and a symbolic model checker. Reachability analysis exploits the structure: Transition relation is indexed by control points speeds up enumerative search, generalization of conjunctively partitioned bdds, Transition type exploited to flush the stack in the enumerative search, for early quantification in the symbolic search, Reached state space indexed by control points pool of variables is not global, Mode definitions are shared among instances.

14 Roadmap 1.Architecture diagrams 2.Mode diagrams 3.From statecharts to modes 4.Semantics and refinement 5.Compositional and assume/guarantee rules 6.Conjunctive modes 7.Implementation

15 Characteristics Description is hierarchic. group transitions, history. Well defined interfaces. data & control interfaces black-box view. Model checking Compositional reasoning. Assume/guarantee reasoning. in Mocha Telephone Exchange: Behavior onH connecting talking ok call gettingNo ok rtB answ onHookoffHook onH call answ rtB tel?onH read ti : TelI; write to : TelO; local nr : (0..n)

Download ppt "Modular Refinement of Hierarchic Reactive Machines Rajeev Alur Radu Grosu University of Pennsylvania www.cis.upenn.edu/~alur,grosu/"

Similar presentations

Embedded System, A Brief Introduction

Embedded System, A Brief Introduction
Construction process lasts until coding and testing is completed consists of design and implementation reasons for this phase –analysis model is not sufficiently.

Construction process lasts until coding and testing is completed consists of design and implementation reasons for this phase –analysis model is not sufficiently.
State Charts Mehran Najafi. Reactive Systems A reactive, event-driven, object is one whose behavior is best characterized by its response to events dispatched.

State Charts Mehran Najafi. Reactive Systems A reactive, event-driven, object is one whose behavior is best characterized by its response to events dispatched.
Modeling Main issues: What do we want to build How do we write this down.

Modeling Main issues: What do we want to build How do we write this down.
Efficient Reachability Analysis of Hierarchic Reactive Modules R. Alur, R.Grosu, M.McDougall University of Pennsylvania www.cis.upenn.edu/~alur,grosu,mmcdougall.

Efficient Reachability Analysis of Hierarchic Reactive Modules R. Alur, R.Grosu, M.McDougall University of Pennsylvania
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Design Concepts and Principles

Design Concepts and Principles
Hydra (A General Framework for Formalizing UML with Formal Languages for Embedded Systems*) *from the Ph.D. thesis of William E. McUmber Software Engineering.

Hydra (A General Framework for Formalizing UML with Formal Languages for Embedded Systems*) *from the Ph.D. thesis of William E. McUmber Software Engineering.
Modeling Main issues: What do we want to build How do we write this down ©2008 John Wiley & Sons Ltd. www.wileyeurope.com/college/van vliet.

Modeling Main issues: What do we want to build How do we write this down ©2008 John Wiley & Sons Ltd. vliet.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
® IBM Software Group © 2006 IBM Corporation Rational Software France Object-Oriented Analysis and Design with UML2 and Rational Software Modeler 04. Other.

® IBM Software Group © 2006 IBM Corporation Rational Software France Object-Oriented Analysis and Design with UML2 and Rational Software Modeler 04. Other.
Modular Specification of Hybrid Systems in CHARON R. Alur, R. Grosu, Y. Hur, V. Kumar, I. Lee University of Pennsylvania SDRL and GRASP.

Modular Specification of Hybrid Systems in CHARON R. Alur, R. Grosu, Y. Hur, V. Kumar, I. Lee University of Pennsylvania SDRL and GRASP.
Fault-Tolerant Real-Time Networks Tom Henzinger UC Berkeley MURI Kick-off Workshop Berkeley, May 2000.

Fault-Tolerant Real-Time Networks Tom Henzinger UC Berkeley MURI Kick-off Workshop Berkeley, May 2000.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
CS 425/625 Software Engineering System Models

CS 425/625 Software Engineering System Models
SDRL and GRASP University of Pennsylvania 6/27/00 MoBIES 1 Design, Implementation, and Validation of Embedded Software (DIVES) Contract No. F33615-00-C-1707.

SDRL and GRASP University of Pennsylvania 6/27/00 MoBIES 1 Design, Implementation, and Validation of Embedded Software (DIVES) Contract No. F C-1707.
Basic OOP Concepts and Terms

Basic OOP Concepts and Terms
University of Pennsylvania 1 SDRL CHARON SDRL and GRASP University of Pennsylvania Funded by DARPA ITO.

University of Pennsylvania 1 SDRL CHARON SDRL and GRASP University of Pennsylvania Funded by DARPA ITO.
Unified Modeling (Part I) Overview of UML & Modeling

Unified Modeling (Part I) Overview of UML & Modeling
Tools for Formal Modeling And Verification: MOCHA, HeRMes, CHARON Rajeev Alur Systems Design Research Lab University of Pennsylvania www.cis.upenn.edu/~alur/

Tools for Formal Modeling And Verification: MOCHA, HeRMes, CHARON Rajeev Alur Systems Design Research Lab University of Pennsylvania

Similar presentations

Ads by Google