5th NASA LFM Workshop 2000

1
Introduction to
Contents
1. AutoFocus Concepts 2. Model Description
Techniques 3. Consistency Checks 4. Simulation 5.
Project Quest Validation 6. Model Checking
Abstraction 7. Testcase generation 8.
Verification 9. Summary
2
Conceps of AUTOFOCUS/Quest

• formal, logical foundation
• FOCUS, mathematical models and methods for
  distributed systems
• based on traces and stream processing functions
  (combine functions states)
• view orientation
• different views of a semantic model
• modularity
• hierarchic views
• orthogonal concepts
• integration
• close connection to other languages and tools
  
  

3
Contributions of AUTOFOCUS/Quest

• software engineering
• structure systems modular
• consistency
• validation
• integration into process (requirements, design,
  implementation, test)
• formal methods tools
• application
• evaluation
• integration into SWE process
• improve (faciliate) inputs (and outputs) to
  formal tools
• teaching research
• plattform for experimentation (case studies,
  prototypes, research, ...)
• teach students practitcal SWE programing
• industry
• create spin-off company Validas AG
• provide support and introduction to highest
  software quality

4
Modeling with AUTOFOCUS

• description techniques (views)
• structure System Structure Diagrams (SSDs)
• behaviour State Transition Diagrams (STDs)
• interaction Extended Event Traces (EETs)
• data Data Type Definitions (DTDs)
• common attributes of views
• hierarchy
• conceptual semantic model
• integration

5
Example Traffic Lights

• lights for pedestrians and cars
• request buttons and indicators for pedestrians
• task developm correct controller for lights

6
System Structure Diagram (SSD)

• structure and interfaces
• network of distributed components
• typed, directed data flow channels
• ports for interfaces (I/O)
• local variables
• hierachy
• sub-SSDs in components
• ports connect views

7
State Transition Diagram (STD)

• behaviour of components
• states
• transitions with
• precondition xgt0
• input set?x
• output timeout!
• actions tx-1
• label starting
• hierachy
• substates described with STDs
• interface points for interlevel transitions

8
Extended Event Trace (EET)

• communication of components
• axis for each component
• messages with port patterns
• ticks x0
• modiefiers indicate repetition
• hierachy
• boxes contain alternative EETs
• component hierachy
• applications
• requirements
• test cases
• counter examples
• protocols of simulation

9
Data Type Definition (DTD)

• define types and functions for
• channels, ports and variables
• define values (terms) and patterns for
• transitions, messages and properties
• hierachy
• DTDs import DTDs
• types use other types

// type of cars lights data CarColor Red
RedYellow
Green(Int) Yellow // type of signals data
Signal Present // function for switching const
TG 10 fun switching(Red) RedYellow
switching(RedYellow) Green(TG)
switching(Green(0)) Yellow
switching(Green(n)) Green(n-1)
switching(Yellow) Red None
10
Conceptual Models
model
views
11
Consistency Checks

• inter and intra view checks
• based on conceptual model
• user defineable
• example every channel has two ports with the
  same type

12
Create Consistency Checks
13
Apply Consistency Checks
14
Semantic Model

• simple synchronous model (no buffers)
• global takt for all components
• all components synchronously do
• read their inputs from channels
• execute transitions
• write outputs to channels
• start new cycle
• main application area embedded systems

15
Simulation
16
Multimedia Animation

• in addition to the generated environment
• advantages
• easy handling (click buttons)
• user-definable graphical animation
• easy integration to other programs
• example Formula Graphics Animation

17
Implementation of Animation
AUTOFOCUS-Simulation
Multimedia Application
Windows- Messages
Simulation server
multimedia client
18
The Project

• client German Information Security Agency (BSI)
• goal improve quality of software
• way combine CASE tool with formal methods
• connect to tools VSE, SMV, SATO, CTE
• generate test cases
• partners in the project TUM, DFKI, DC, ist
• duration 1997-1999
• casestudy emergeny closing system Oostershelde

19
Structure of
20
Model Checking Process
SMV

verified
true
model
property
refine
correct
refine
SMV
true(max)
timeout
false
SATO
counter example
true(k)
SATO
?
false(k)
timeout
correctness conditions
too complex model
abstract reduce model
21
Abstractions

• abstract (simple) and concrete (complex) models
• check abstract model and relay on concrete one
• generate proof conditions for selected
  properties
• proving correctness is quite simple
• finding abstractions (for certain properties) is
  not!
• Abstraction Chooser supports user (type
  correctness)
• example Int -gt Bool, 0-gtFalse, 1-gtTrue, 2-gt...

22
Properties

• simple temporal logic
• describe the model
• user support
• specification pattern
• model-based editor
• consistency checks

23
Model Checking Run
24
Testsequence Generation

• based on models (conceptual semantic)
• reach all states of STD
• execute all transitions of STD
• test all communications between components
• produce certain output (e.g. withdraw money from
  a modeled ATM)
• classify variables of model using CTE
• according to definition of their type
• execute test EET lt-gt Java class

25
Classification with CTE
26
Selection of Test Cases
27
Example Transitionstour
28
Verifikation using VSE II

• VSE II theorem prover (DFKI) connected
• translation model -gt VSE spec
• VSE II theorems for correctness of abstractions
• (partial) translation VSE spec -gt model
• VSE II
• interactive verification
• TLA-like logic
• good proof management
• visualization of proof structures

29
Screenshot VSE II
30
Case Study Storm Surge Barrier
application
system
model
31
Adequate Models SSDs, STDs
safety critical requirements formulated
AUTOFOCUS
clients model
32
Complete Model
33
Hybrid Model Mars Polar Lander

• explicit model of time
• discretizations of diffential equations
• functions to compute next values
• generation of continuous diagrams

34
Polar Lander The Model
35
Conclusion

• download modelling tool http//autofocus.in.tum.d
  e
• buy validation tools from BSI Validas (10K )
• Validas Spin-Off for support tailoring
  http//validas.de
• pilot users from avionic industry
• todo
• improve user interface (Undo, Zooming,Popups,..)
• integration of security modelling
• support development e.g. combine two
  components/states
• requirements tracing through the models
• integration of constraint handlers solvers