Hierarchical Design and Analysis of Reactive Systems - PowerPoint PPT Presentation

About This Presentation
Title: Hierarchical Design and Analysis of Reactive Systems
Description: Close the gap between the software engineering and the formal methods, ... Automotive industry, avionics, telecommunications, etc. Semantics ... – PowerPoint PPT presentation
Slides: 64
Provided by: radu151

Transcript and Presenter's Notes

1
Hierarchical Design and Analysis of Reactive
Systems
Radu Grosu Stony Brook University
www.cs.sunysb.edu/radu
2
Reactive Systems
Computer based reactive systems are becoming an
integral part of nearly every engineered product.
They control
3
Super Computers with Wings
"Companies that exploit information technology most effectively will be the most likely to dominate the aerospace landscape in the 21st century" (Aviation Week, 12/98).
4
Talk Outline
  • Introduction
  • Modeling reactive systems
  • Mode diagrams
  • From statecharts to mode diagrams
  • Modular reasoning
  • Model checking
  • Wrap-up

5
Why Build Models?
Modeling is a technique widely used in all engineering disciplines. In particular, for reactive systems it allows:
  • To understand the problem better,
  • To communicate with customers,
  • To find errors or omissions,
  • To plan out the design,
  • To generate code.
6
Modeling Reactive Systems
Currently there are two main methods for modeling reactive systems: software engineering methods and formal methods.
  • Software Engineering Methods (e.g. UML, UML-RT)
    • mixed visual/textual notations,
    • speed up the development cycle,
    • improve customer/developer communication,
    • restricted analysis by simulation and testing,
    • restricted confidence in the modeled system.
  • Formal Methods (e.g. Model Checkers)
    • mathematical models of reactive systems,
    • speed up specification/prototyping,
    • allow a thorough analysis of the modeled system,
    • high confidence in the modeled system.

7
Software Engineering Methods
  • Successfully applied in
    • Automotive, aerospace and telecommunications
    • Logic design
  • Tools
    • SDL, ROOM, Statemate, Rhapsody, UML-RT
    • Cierto VC CoDesign, StateCAD/StateBench
  • Companies
    • Telelogic, Verilog, ObjecTime, iLogix, Rational
    • Cadence, Visual Software Solutions

8
Model Checkers
No longer academic research only: "... model checking will be the second most important, if not the most important, tool in the verification tool suite." (Cadence web site)
  • Advantages
    • Fully automated formal verification,
    • Effective debugging tool.
  • Standard approaches
    • Enumerative search with reduction heuristics,
    • Symbolic search using BDDs.

9
Model Checkers
  • Successfully applied in
    • Hardware design and analysis
    • Finding bugs in cache coherence protocols, video graphics image chips (> 96 processors)
  • Tools
    • Spin, Murφ, Mocha, LMC, XMC,
    • FormalCheck, Cospan, VERDICT, SMV, VIS
  • Companies
    • Cadence, Lucent, Intel, IBM, Motorola, Siemens

10
Unfortunately ...
  • There is a considerable gap between software engineering and formal methods.
  • Scalability is still a challenge for formal analysis tools.

11
Fortunately ... Long Term Research Program
  1. Close the gap between software engineering and formal methods,
  2. Scale up the analysis tools by exploiting the software engineering artifacts.

12
Talk Outline (as on slide 4)

13
Mode Diagrams
  1. Visual language for hierarchic reactive machines
    • hierarchic modes, mode sharing,
    • group transitions, history,
    • mixed and/or hierarchies.
  2. Observational trace semantics
    • mode refinement,
    • modular reasoning.
  3. Model checker
    • exploits the hierarchy information,
    • exploits the type information.

14
Telephone Exchange Architecture
  • Characteristics
    • Description is hierarchic.
    • Well defined interfaces.
    • Supports black-box view.
  • Model checking
    • Modular reasoning.
    • E.g. in SMV, Mocha.

15
Telephone Exchange Behavior
16
Talk Outline (as on slide 4)

17
Statecharts
  • Formalism
    • Introduced in 1987 by David Harel,
    • Related notations: RSML, Modecharts, Roomcharts,
    • Key component in OO methods: UML, ROOM, OMT, etc.
  • Software
    • iLogix, ObjecTime, Rational, etc.
  • Application area
    • Automotive industry, avionics, telecommunications, etc.
  • Semantics
    • Many attempts (more than 24 semantics),
    • All operational: no trace semantics, no refinement rules.

18
From Statecharts to Modes
Obstacles in achieving modularity:
  • Regular transitions connect deeply nested modes.
  • Group transitions implicitly connect deeply nested modes.
  • State references -> scoping of variables (data interface).
  • Nested state references break encapsulation.

19
Talk Outline (as on slide 4)

20
Operational Semantics
  • Macro transitions ($mT$)
    • Form: $(e, s) \to (x, t)$, from an entry point $e$ with store $s$ to an exit point $x$ with store $t$.
    • Obtained as a sequence of micro transitions through intermediate control points $c_i$: $(e_0, s_0) \to (c_1, s_1) \to \cdots \to (e_n, s_n)$.
  • Operational semantics: control points, variables, macro transitions.

21
Denotational Semantics
  • Execution of $m$: $(e_0, s_0) \to (x_0, t_0) \to (e_1, s_1) \to (x_1, t_1) \to \cdots \to (x_n, t_n)$
    • For even $i$, $(e_i, s_i) \to (x_i, t_i)$ is in $mT$ (a mode round),
    • For odd $i$, $s_i[V_p] = s_{i+1}[V_p]$ (an environment round: the private variables $V_p$ are left unchanged).
  • Set of traces $L_m$ of $m$: projection of the executions on the global variables.
  • Denotational semantics: control points, global variables, $L_m$.
  • Refinement $m \le n$: inclusion of the sets of traces, $L_m \subseteq L_n$.
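The execution and trace definitions above, and the alternation of environment rounds and mode rounds described on slide 36, turned into a bounded refinement check. This is an added example, not code from the talk or from Mocha: the modes n, m and m', the global variable `out` with domain {0,1,2,3}, the private bit `p` and the round bound are all constructed for the illustration.

```python
"""Trace semantics of modes and refinement as trace inclusion (added example).

A mode is given by its macro transitions mT: from an entry point and a store
(global + private variables) to an exit point and a new store.  An execution
alternates mode rounds ((e_i, s_i) -> (x_i, t_i) in mT) with environment
rounds, in which the globals may change arbitrarily but the private variables
are preserved.  The trace set L_m is the projection of the executions on the
global variables; m refines n iff L_m is a subset of L_n.  Domains are finite
and executions are cut at a fixed number of rounds so the trace sets can be
compared by enumeration.
"""

V_GLOBAL = ("out",)          # global (observable) variables V_g (hypothetical)
DOM_OUT = range(4)           # finite domain of the global `out`


def project(store):
    """Projection of a store on the global variables (what the environment sees)."""
    return tuple((v, store[v]) for v in V_GLOBAL)


def mode_n(entry, s):
    """Spec mode n (no private variables): one mode round either keeps `out`
    or increments it mod 4.  Entry point "e", single exit point "x"."""
    assert entry == "e"
    return [("x", {**s}), ("x", {**s, "out": (s["out"] + 1) % 4})]


def mode_m(entry, s):
    """Implementation m: a private bit `p` makes the choice deterministic,
    alternating a skip round (p == 0) with an increment round (p == 1)."""
    assert entry == "e"
    if s["p"] == 0:
        return [("x", {**s, "p": 1})]
    return [("x", {**s, "p": 0, "out": (s["out"] + 1) % 4})]


def mode_m_bad(entry, s):
    """Faulty implementation m': the increment round adds 2 instead of 1."""
    assert entry == "e"
    if s["p"] == 0:
        return [("x", {**s, "p": 1})]
    return [("x", {**s, "p": 0, "out": (s["out"] + 2) % 4})]


def traces(macro, priv_init, rounds):
    """Set of traces of length `rounds`.  A trace records, per mode round,
    (entry point, globals at entry, exit point, globals at exit)."""
    result = set()
    # initial entry stores: any global valuation, privates at their initial value
    work = [((), {"out": o, **priv_init}) for o in DOM_OUT]
    while work:
        prefix, s = work.pop()
        if len(prefix) == rounds:
            result.add(prefix)
            continue
        for x, t in macro("e", s):                      # mode round: (e, s) -> (x, t) in mT
            step = prefix + (("e", project(s), x, project(t)),)
            for o in DOM_OUT:                           # environment round: globals change,
                work.append((step, {**t, "out": o}))    # private variables are preserved
    return result


def refines(impl, impl_priv, spec, spec_priv, rounds):
    """Bounded refinement check: impl <= spec iff L_impl is a subset of L_spec.
    Returns (True, None) or (False, a trace of impl that spec cannot produce)."""
    l_spec = traces(spec, spec_priv, rounds)
    for tr in sorted(traces(impl, impl_priv, rounds)):
        if tr not in l_spec:
            return False, tr
    return True, None


if __name__ == "__main__":
    print("m  <= n:", refines(mode_m, {"p": 0}, mode_n, {}, 2))
    print("m' <= n:", refines(mode_m_bad, {"p": 0}, mode_n, {}, 2))
```

The private bit `p` never appears in a trace, which is exactly why m can be compared against a spec that has no such variable. The bound matters: with a single round m' also passes, because its faulty increment only happens in its second mode round. Enumeration of a finite prefix is therefore a bug-finder, not a proof of the trace inclusion $L_m \subseteq L_n$, which is a statement about all executions.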

22
Modular Reasoning
23
Talk Outline (as on slide 4)

24
Symbolic Search
(Figure: the onion rings of the breadth-first symbolic search.) Starting from the initial set $R_0$, the frontier (onion ring) $O_k$ and the reached set $R_k$ are computed iteratively:
$$O_{k+1} = R_{k+1} \setminus R_k, \qquad R_{k+1} = R_k \cup T(O_k)$$
where $T(O_k)$ is the image of the frontier under the transition relation $T$.
25
Model Checking
  • Graphical editor and both an enumerative and a symbolic model checker.
  • Reachability analysis exploits the structure:
    • Reached state space indexed by control points,
    • Transition relation indexed by control points,
    • Transition type exploited,
    • Mode definitions are shared among instances.

26
Example Generic Hierarchic System
27
The Reached Set
  • The reached set is indexed by control points.
  • Each reached control point has an associated multi-valued decision diagram (MDD, a generalization of a BDD).
  • The set of variables of an MDD depends on the scope of the control point.

28
The Transition Relation
  • The transition relation is indexed by control points (-> conjunctively partitioned MDDs).
  • Each transition has an associated MDD.
  • The set of variables of an MDD depends on the scope of the transition:
    • Type information: no identity extension necessary,
    • Variable scoping enables early quantification.
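The frontier iteration of slide 24 together with the control-point-indexed reached set and transition relation of slides 27 and 28, as an added example; this is not the talk's or Mocha's code. The two-level system (a mode Top with control point `idle`, a submode Count with a local counter `l`), the variable names and the guard bound 6 are constructed for the illustration, and explicit Python sets stand in for the MDDs.

```python
"""Reachability on a mode diagram with the reached set and the transition
relation indexed by control points (added example, hypothetical system).

What is kept from the slides is the scoping: a state stored at a control
point only carries the variables in scope there, so the local `l` of submode
Count does not exist in the states of the enclosing mode's `idle` point.
"""

# variables in scope at each control point
SCOPE = {"Top.idle": ("g",), "Count.loop": ("g", "l")}
L_MAX = 2     # local counter l ranges over 0..2 while inside Count


def pack(cp, store):
    """Store -> tuple over exactly the variables in scope at control point cp."""
    return tuple(store[v] for v in SCOPE[cp])


def unpack(cp, state):
    return dict(zip(SCOPE[cp], state))


# transition relation indexed by source control point: (guard, update, target)
TRANS = {
    "Top.idle": [
        # enter submode Count: its local l is created and initialised
        (lambda s: s["g"] < 6, lambda s: {"g": s["g"], "l": 0}, "Count.loop"),
    ],
    "Count.loop": [
        # inc: one counting step that also bumps the global g
        (lambda s: s["l"] < L_MAX, lambda s: {"g": s["g"] + 1, "l": s["l"] + 1}, "Count.loop"),
        # skp: one counting step that leaves g alone
        (lambda s: s["l"] < L_MAX, lambda s: {"g": s["g"], "l": s["l"] + 1}, "Count.loop"),
        # exit Count: l goes out of scope, only g is handed back
        (lambda s: s["l"] == L_MAX, lambda s: {"g": s["g"]}, "Top.idle"),
    ],
}


def post(cp, state):
    """Successors of one state under the transitions indexed by its control point."""
    s = unpack(cp, state)
    for guard, update, target in TRANS[cp]:
        if guard(s):
            yield target, pack(target, update(s))


def reach(init_cp, init_store):
    """Onion-ring search: R_{k+1} = R_k union T(O_k), O_{k+1} = R_{k+1} minus R_k,
    until the frontier O_k is empty.  Returns the reached set per control
    point and the size of every frontier."""
    reached = {cp: set() for cp in SCOPE}
    frontier = {cp: set() for cp in SCOPE}
    frontier[init_cp].add(pack(init_cp, init_store))     # O_0 = R_0
    reached[init_cp] |= frontier[init_cp]
    ring_sizes = []
    while any(frontier.values()):
        ring_sizes.append(sum(len(v) for v in frontier.values()))
        new = {cp: set() for cp in SCOPE}
        for cp, states in frontier.items():
            for st in states:
                for tcp, tst in post(cp, st):
                    if tst not in reached[tcp]:           # keep only newly reached states
                        new[tcp].add(tst)
        for cp in SCOPE:
            reached[cp] |= new[cp]
        frontier = new
    return reached, ring_sizes


def check(reached, prop):
    """First reached (control point, store) violating prop, or None if prop holds."""
    for cp in SCOPE:
        for st in sorted(reached[cp]):
            s = unpack(cp, st)
            if not prop(cp, s):
                return cp, s
    return None


if __name__ == "__main__":
    reached, rings = reach("Top.idle", {"g": 0})
    for cp in SCOPE:
        print(cp, "vars", SCOPE[cp], "reached", len(reached[cp]))
    print("frontier sizes:", rings)
    print("g <= 7 everywhere:", check(reached, lambda cp, s: s["g"] <= 7))
    print("g <= 6 everywhere:", check(reached, lambda cp, s: s["g"] <= 6))
```

Because `TRANS` is looked up by source control point, the post-image of a frontier only touches the transitions that can actually fire there, and the update for the exit transition simply does not mention `l`, which is the explicit-set counterpart of the "no identity extension" remark above. The violating witness returned by `check` is a state at `Top.idle` with one variable in scope, not a product state over `g` and `l`.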

29
Results
  • As expected, the model checker for modes is superior to current model checkers when
    • sequential behavior is hierarchical,
    • modes have local variables.

30
GHS Space Requirements
31
GHS Time Requirements
32
Wrap-Up
Bridging the gap between software engineering and formal methods provides a wealth of research opportunities.
  • Hierarchic Reactive Machines
    • Compositional semantics [CSD98, POPL00]
    • Model checking [CAV00]
  • Hybrid Systems
    • Compositional semantics [FTRTFT98, WRTP98]
    • Hybrid mode diagrams in CHARON [HSCC00]
  • Message Sequence Charts
    • Semantics [CSI98, OOPSLA97]
    • Automatic translation to SM [DIPES00, GP19837871]
    • Hybrid sequence charts [WORDS99, ISORC00]
33
Wrap-Up
  • Automating Modular Reasoning
    • Refinement check of asynchronous systems [FMCAD00]
  • Modeling Mobile Systems
    • Dynamic reconfiguration [Amast96, NWPT96]
    • Mobility [HICSS98]
  • Formal Foundation of OO Methods
    • UML [TAA98, ECOOP97]
    • UML-RT [JUCS00, JOOP00, OOPSLA98, BSBS99]

34
(No Transcript)
35
Mocha Tool
  • Mode diagrams will be integrated in Mocha.
  • Mocha itself is currently being recoded in Java for better support of
    • software engineering aspects,
    • modular reasoning.

36
Semantics of Modes
  • Game semantics
    • Environment round: from exit points to entry points.
    • Mode round: from entry points to exit points.
  • The set of traces of a mode
    • Constructed solely from the traces of the sub-modes and the mode's transitions.
  • Refinement
    • Defined as usual by inclusion of trace sets.
    • Is compositional w.r.t. mode encapsulation.

37
Wrap-up
  • Consider alternative state space representation
    for mode diagrams (e.g. indexing the mdds by
    modes),
  • Allow optional compilation of modes to their
    macro transition relation,
  • Automate modular reasoning for mode diagrams,
  • Fully integrate mode diagrams with Mocha,
  • Consider abstraction mechanisms for modes,
  • Consider applications of and/or mode
    hierarchies,
  • Extension to hybrid mode diagrams,
  • Integration with sequence diagrams.

38
Modeling in UML
Modeling in UML consists of building several models according to five views:
  • Class Diagrams
  • Object Diagrams
  • Component Diagrams
  • Use Case Diagrams
  • Sequence Diagrams
  • Collaboration Diagrams
  • Statechart Diagrams
  • Activity Diagrams
  • Deployment Diagrams

39
Modeling in UML (as on slide 38)

40
Motivation
  • Scalable analysis demands modular reasoning:
    • the modeling language has to support syntactically and semantically modular constructs,
    • model checking has to exploit the modular design.
  • Close the gap between
    • software design languages (UML, Statecharts, RSML),
    • model checking languages (Spin, SMV, Mocha).

41
Talk Outline
  • Introduction
  • Modeling reactive systems
  • Mode diagrams
  • From statecharts to mode diagrams
  • Modular reasoning
  • Conjunctive modes
  • Implementation
  • Wrap-up

42
Modular Reasoning
  • Terminology
    • Compositional and assume/guarantee reasoning based on observable behaviors.
  • Application area
    • Only recently being automated by model checkers,
    • Until now restricted to architecture hierarchies.
  • Compositional Reasoning
    • Central to many formalisms: CCS, I/O Automata, TLA, etc.
  • Circular Assume/Guarantee Reasoning
    • Valid only when the interaction of a module with its environment is non-blocking.

43
Compositional Reasoning
44
Assume/Guarantee Reasoning
45
Talk Outline (as on slide 41)

46
Conjunctive Modes
  • Synchronous semantics
    • State $s = (i_1, i_2, o_1, o_2, p_1, p_2)$: the inputs, outputs and private variables of the two conjunctive sub-modes.
    • Execution $s_0 \to \cdots$ (figure).

47
And/Or Hierarchies
The ability to express conjunctive modes is important for the construction of arbitrary and/or hierarchies. Consider a hypothetical search and rescue robot operating on a battlefield.
48
Mocha Tool Architecture
(Figure: Mocha tool architecture, centred on the Integrated Development Environment Manager.)
49
Wrap-up
  • Allow expressing architectural design patterns
    • add process arrays,
    • exploit symmetry,
    • add abstraction mechanisms,
    • automate modular reasoning,
    • add dynamic architectures,
    • architecture algebra.

50
Wrap-up: Sequence and Collaboration Diagrams
  • Popular in requirements capture and testing
    • sequence diagrams for shared memory,
    • sequence diagrams for hybrid systems,
    • automatic translation to mode diagrams,
    • analysis of sequence diagrams,
    • consistency of sequence/mode diagrams,
    • interaction algebra.

51
Wrap-up: Statechart Diagrams
  • Essential component in all methods
    • explore alternative representations,
    • optional compilation of modes,
    • explore better sharing schemes,
    • automate modular reasoning,
    • add abstraction mechanisms,
    • consider implications of and/or hierarchies,
    • integrate with architecture diagrams,
    • behavior algebra.

52
Wrap-up: Activity Diagrams
  • Consider differential equations for activities
    • Hybrid hierarchic modes,
    • Avionics, robotics, automotive industry.
    • Global and modular simulation,
    • Exploit hierarchy in analysis,
    • Relate to hybrid sequence diagrams.

53
Wrap-up: Deployment Diagrams
  • Modeling and analysis of
    • Distributed reactive systems,
    • Mobile reactive systems.

54-63
A Macro Step
(Animated figure in ten frames: a macro step from the entry point $E_{k+1}$ to the exit point $X_k$ / $X_{k+1}$, assembled from the labelled micro transitions gcs, inc, skp, id and z through the intermediate control points w0, w1, v2 and v3.)