Modular Refinement of Hierarchic Reactive Machines
Rajeev Alur, Radu Grosu
University of Pennsylvania
www.cis.upenn.edu/~alur,grosu/

Results
1. Visual language for hierarchic reactive machines
• hierarchic modes, mode sharing,
• group transitions, history,
• mixed and/or hierarchies.
2. Observational trace semantics
• mode refinement,
• compositional and assume/guarantee reasoning.
Motivation
• Scalable analysis demands modular reasoning:
• the modeling language has to support syntactically and semantically modular constructs,
• model checking has to exploit the modular design.
• Close the gap between:
• software design languages (UML, Statecharts, Rsml),
• model checking languages (Spin, SMV, Mocha).
Telephone Exchange: Architecture
TelI = tk | onH | offH | dig(int)
TelO = tk | dtB | dtE | rtB | rtE
ti1,…,tin : TelI; to1,…,ton : TelO;
[Architecture diagram: TelExchange contains the switches TelSw1 … TelSwn connected through a Bus; each switch TelSwk reads tik : TelI and writes tok : TelO, and exchanges bus messages over its ports bik, bok.]
• Characteristics
• Description is hierarchic.
• Well defined interfaces.
• Supports black-box view.
• Model checking
• Compositional reasoning.
• Assume/guarantee reasoning.
• E.g. in SMV, Mocha.
Telephone Exchange: Behavior
read ti : TelI; write to : TelO; local nr : (0..n)
[Mode diagram of one switch TelSw inside TelExchange: the sub-modes idle, gettingNo, connecting, ringing and talking, the latter four grouped under a call mode; transitions are labelled with onH, offH, answ, ok, rtB, rtE and the bus message tel?onH, and onHook/offHook appear as group transitions between idle and call.]
Hierarchic Behavior Diagrams
• Formalism
• Introduced in 1987 by David Harel as Statecharts,
• Related notations: Rsml, Modecharts, Roomcharts,
• Key component in OO methods: UML, ROOM, OMT, etc.
• Software
• ILogix, ObjecTime, Rational, etc.
• Application area
• Automotive industry, avionics, etc.
• Semantics
• Many attempts (more than 24 semantics),
• All operational: no trace semantics, no refinement rules.
From Statecharts to Modes
• Obstacles in achieving modularity
• Regular transitions connect deeply nested modes.
• Group transitions implicitly connect deeply nested modes.
• Nested state references break encapsulation.
• Modes make each of these an explicit part of the interface
• Regular transitions -> entry/exit points (control interface)
• Group transitions -> default points (control interface)
• State references -> scoping of variables (data interface)
[Mode diagram of telSw: idle beside the call mode with sub-modes gettingNo, connecting, ringing and talking; an entry point ini, onHook/offHook group transitions, and transitions labelled onH, offH, ok, answ, rtB, rtE.]
Semantics of Modes
• Game semantics
• Environment round: from exit points to entry points.
• Mode round: from entry points to exit points.
• The set of traces of a mode
• Constructed solely from the traces of the sub-modes and the mode's own transitions.
• Refinement
• Defined as usual by inclusion of trace sets.
• Is compositional w.r.t. mode encapsulation.
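The following Python is an added, constructed example and not the authors' tool (their implementation targets Mocha); it models the two points made on the preceding slides: a group transition is written once on a super-mode and expanded to every sub-mode nested inside it, and refinement is inclusion of observational trace sets, checked here by a product search that pairs each implementation state with the set of specification states consistent with the same (input, output) trace. The telephone-switch states, events and tone outputs are a simplified reading of the slides' diagram and are assumptions, as are all function names.

```python
"""Hierarchic modes, group transitions and refinement as trace inclusion.
Constructed illustration, not the authors' tool: the mode structure and the
telephone-switch behaviour below are simplifying assumptions."""
from collections import deque


class Mode:
    """Flat reactive mode: (state, input) -> {(next_state, output)}.
    An environment round picks the input, the mode round answers with an
    output; a trace is the sequence of (input, output) pairs observed.
    The relation may be nondeterministic so that an abstract specification
    can leave several answers open."""

    def __init__(self, name, init):
        self.name, self.init, self.delta = name, init, {}

    def add(self, src, inp, dst, out):
        self.delta.setdefault((src, inp), set()).add((dst, out))

    def step(self, state, inp):
        return self.delta.get((state, inp), frozenset())


def hierarchic_mode(name, init, children, local, group):
    """Flatten a hierarchic description into a Mode.
    children: super-mode -> nested modes (which may themselves be super-modes)
    local:    (src, inp, dst, out) transitions between leaf modes
    group:    (super_mode, inp, dst, out) written once on the super-mode and
              applied to every leaf nested anywhere inside it."""
    def leaves(m):
        if m not in children:
            return [m]
        return [leaf for c in children[m] for leaf in leaves(c)]

    mode = Mode(name, init)
    for src, inp, dst, out in local:
        mode.add(src, inp, dst, out)
    for sup, inp, dst, out in group:
        for leaf in leaves(sup):          # the implicit deep connection, made explicit
            mode.add(leaf, inp, dst, out)
    return mode


def refines(impl, spec, inputs):
    """Check traces(impl) ⊆ traces(spec) by a breadth-first product search.
    Each impl state is paired with the set of spec states that could have
    produced the same trace so far; that set is empty exactly when impl
    shows a behaviour spec forbids.  Returns (True, None) or
    (False, shortest counterexample trace)."""
    start = (impl.init, frozenset([spec.init]))
    seen, queue = {start: []}, deque([start])
    while queue:
        s, ts = queue.popleft()
        for inp in inputs:
            for s2, out in impl.step(s, inp):
                ts2 = frozenset(t2 for t in ts
                                for t2, o in spec.step(t, inp) if o == out)
                trace = seen[(s, ts)] + [(inp, out)]
                if not ts2:
                    return False, trace
                if (s2, ts2) not in seen:
                    seen[(s2, ts2)] = trace
                    queue.append((s2, ts2))
    return True, None


# Inputs of one switch: TelI (tk, onH, offH, dig) plus the bus event answ.
TEL_IN = ("tk", "onH", "offH", "dig", "answ")


def tel_switch(on_hook_output="tk"):
    """One TelSw as a hierarchic mode: idle beside a 'call' super-mode whose
    sub-modes are all left by a single onH group transition (assumed
    simplification of the slides' diagram)."""
    children = {"telSw": ("idle", "call"),
                "call": ("gettingNo", "connecting", "ringing", "talking")}
    local = [("idle", "offH", "gettingNo", "dtB"),       # dial tone begins
             ("idle", "tk", "idle", "tk"),
             ("gettingNo", "dig", "connecting", "dtE"),  # dial tone ends
             ("connecting", "tk", "ringing", "rtB"),     # ring tone begins
             ("ringing", "answ", "talking", "rtE"),      # ring tone ends
             ("talking", "tk", "talking", "tk")]
    group = [("call", "onH", "idle", on_hook_output)]    # hang up from any sub-mode
    return hierarchic_mode("telSw", "idle", children, local, group)


def tel_spec():
    """Abstract black-box view of a switch: idle or busy.  While busy any tone
    answer is allowed, but hanging up must return to idle without a tone."""
    m = Mode("telSpec", "idle")
    m.add("idle", "offH", "busy", "dtB")
    m.add("idle", "tk", "idle", "tk")
    for inp in ("dig", "tk", "answ"):
        for out in ("dtE", "rtB", "rtE", "tk"):
            m.add("busy", inp, "busy", out)
    m.add("busy", "onH", "idle", "tk")
    return m


if __name__ == "__main__":
    print(refines(tel_switch(), tel_spec(), TEL_IN))       # (True, None)
    print(refines(tel_switch("dtB"), tel_spec(), TEL_IN))  # (False, [('offH', 'dtB'), ('onH', 'dtB')])
```

The second call plants a bug a group transition makes easy to spot: the hang-up exit emits a dial tone instead of silence, and because the transition is expanded to every sub-mode of call the shortest counterexample is found two steps from idle. Note that the inclusion check only compares behaviours the implementation actually exhibits; a state with no transition on some input (blocking) shrinks the trace set and passes trivially, which is why the circular assume/guarantee rule on a later slide is restricted to non-blocking interaction and why a real check should also confirm every input is accepted in every state.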
Modular Reasoning
• Terminology
• Compositional and assume/guarantee reasoning based on observable behaviors.
• Application area
• Only recently being automated by model checkers,
• Until now restricted to architecture hierarchies.
• Compositional reasoning
• Central to many formalisms: CCS, I/O Automata, TLA, etc.
• Circular assume/guarantee reasoning
• Valid only when the interaction of a module with its environment is non-blocking.
Compositional Reasoning
[Diagram of the two rules, with < denoting refinement (trace inclusion). Sub-mode refinement: if a sub-mode N' refines N, then the mode obtained by substituting N' for N inside an enclosing mode M refines the original M. Super-mode refinement: the symmetric rule for refining the enclosing mode while its sub-mode N is kept fixed.]
Assume/Guarantee Reasoning
[Diagram of the circular rule over modes M, N and their refinements M', N', with < denoting refinement: if M' in the context of the abstract N refines M, and N' in the context of the abstract M refines N, then the composition of M' and N' refines the composition of M and N; each refined component is checked only against the abstract version of its context.]
Conjunctive Modes: parallel composition of reactive modules
read i1, i2; write o1, o2, p1, p2; local p'1;
• Synchronous semantics
• State s = (i1, i2, o1, o2, p1, p2)
• Execution s1 s2 s3 s4 … sk …
• Translation with modes
[Diagram: reactive modules M1 and M2 composed in parallel over inputs i1, i2 and outputs o1, o2, p1, p2, and their translation into modes (M'1, …) in which each step alternates an env round and a syst round; the shared variable is relayed by the copies p1 := p'1 and p'1 := p1.]
Ongoing Work
Both an enumerative and a symbolic model checker. Reachability analysis exploits the structure:
• Transition relation is indexed by control points
• speeds up enumerative search,
• generalization of conjunctively partitioned BDDs,
• Transition type exploited
• to flush the stack in the enumerative search,
• for early quantification in the symbolic search,
• Reached state space indexed by control points
• pool of variables is not global,
• Mode definitions are shared among instances.
Roadmap • Architecture diagrams • Mode diagrams • From statecharts to modes • Semantics and refinement • Compositional and assume/guarantee rules • Conjunctive modes • Implementation
Telephone Exchange: Behavior
read ti : TelI; write to : TelO; local nr : (0..n)
• Characteristics
• Description is hierarchic:
• group transitions, history.
• Well defined interfaces:
• data & control interfaces,
• black-box view.
• Model checking
• Compositional reasoning.
• Assume/guarantee reasoning.
• in Mocha.
[Mode diagram of TelSw as on the earlier behavior slide: idle, gettingNo, connecting and talking under the call mode, with onHook/offHook group transitions and transitions labelled onH, answ, rtB, ok and the bus message tel?onH.]