Efficient Reachability Analysis of Hierarchic Reactive Modules


  • Efficient Reachability Analysis of Hierarchic Reactive Modules. R. Alur, R. Grosu, M. McDougall

    University of Pennsylvania, www.cis.upenn.edu/~alur,grosu,mmcdougall

  • Motivation

    Scalable analysis demands modular reasoning:
    - the modeling language has to support syntactically and semantically modular constructs,
    - model checking has to exploit the modular design.

    Close the gap between:
    - software design languages (UML, Statecharts, Rsml, ...),
    - model checking languages (Spin, SMV, Mocha, ...).

  • Talk Outline
    - Motivation
    - Mode diagrams
    - From statecharts to mode diagrams
    - Model checking
    - Wrap-up

  • Mode Diagrams

    1. Visual language for hierarchic reactive machines: hierarchic modes, mode sharing, group transitions, history, mixed and/or hierarchies.
    2. Observational trace semantics: mode refinement, modular reasoning.
    3. Model checker: exploits the hierarchy information, exploits the type information.

  • Telephone Exchange: Architecture

    Characteristics: description is hierarchic, well defined interfaces, supports black-box view.

    Model checking: modular reasoning, e.g. in SMV, Mocha.

  • Telephone Exchange: Behavior

  • Statecharts

    Formalism: introduced in 1987 by David Harel. Related notations: Rsml, Modecharts, Roomcharts. Key component in OO methods: UML, ROOM, OMT, etc.

    Difficulties: no denotational trace semantics (no refinement notion), no scoping for variables. Previous attempts compile statecharts to flat diagrams.

  • From Statecharts to Modes

    Obstacles in achieving modularity:
    - State reference -> scoping of variables (data interface).
    - Group transitions implicitly connect deeply nested modes.
    - Nested state references break encapsulation.
    - Regular transitions connect deeply nested modes.

  • Model Checking

    Graphical editor and both an enumerative and a symbolic model checker.

    Reachability analysis exploits the structure:
    - reached state space indexed by control points,
    - transition relation indexed by control points,
    - transition type exploited in mdd construction,
    - mode definitions shared among instances.

  • Example: Generic Hierarchic System

  • Enumerative Model Checker

    Transitions: traversed in a depth first way, indexed by control points, shared among instances of the same definition.

    States: states are stored as stacks, stacks share common elements, states (stacks) are entries of a hash table, states are compressed as bitstrings.

  • Symbolic MC: The Reached Set

    The reached set is indexed by control points:
    - each reached control point has an associated multi-valued binary decision diagram (mdd),
    - the set of variables of an mdd depends on the scope of the control point.

  • Symbolic MC: The Transition Relation

    The transition relation is indexed by control points (-> conjunctively partitioned mdds):
    - each transition has an associated mdd,
    - the set of variables of an mdd depends on the scope of the transition,
    - type information: no identity extension necessary,
    - variable scoping enables early quantification.

  • Hierarchy and Concurrency

  • Results

    As expected, the model checker for modes is superior to current model checkers when: sequential behavior is hierarchical, modes have local variables.

  • GHS Space Requirements

    [Chart: number of nodes against size of variables type, series cMocha and Hrm; the plotted values are not legible in the extracted text.]

  • GHS Time Requirements

    [Chart: time in minutes against size of variables type, series cMocha and Hrm; the plotted values are not legible in the extracted text.]

  • Project HeRMes

    Current status: visual language for behavior hierarchy, compositional semantics, modular refinement rules, model checking exploits hierarchic structure.

    Future work: improve heuristics exploiting hierarchy, improve use of sharing, integrate/automate modular reasoning, collaboration with NEC on case studies, connection to Rational Rose/ObjecTime.

  • Demos at CAV

    jMocha v2.0 (released soon): joint project U.C. Berkeley & UPenn, a new version written in Java, several new features: MSC-like simulator, proof manager, script language.

    HeRMes v1.0 (prototype): developed at UPenn, supports the mode diagrams in this talk. Demos: Tuesday morning, Wednesday afternoon.

  • Modular Reasoning

  • A Macro Step

    A macro step is a breadth first traversal of the hierarchic mode graph starting at:
    - the default entry point of the top level mode,

    and ending at:
    - the default exit point of the top level mode, or
    - inside the mode if no new states are produced.

  • Semantics of Modes

    Game semantics: environment round, from exit points to entry points; mode round, from entry points to exit points.

    The set of traces of a mode: constructed solely from the traces of the sub-modes and the mode's transitions.

    Refinement: defined as usual by inclusion of trace sets; is compositional w.r.t. mode encapsulation.
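    As an added example (not code from the paper or the HeRMes/Mocha tools), here is a small Python enumerative reachability checker that puts together the pieces described in the Enumerative Model Checker slide, the macro-step slide and the game semantics above: transitions are indexed by control point and shared between instances of one mode definition, the mode round is a breadth-first macro step from the top-level default entry, the environment round sets the inputs, the outer search is depth first, and the reached set is indexed by control configuration with states packed into byte strings as hash-table keys. Everything below is constructed for the example: the root instance path "top", the control-point naming ("de", "dx", "<inst>:entry", "<inst>:exit"), the rule that a sub-mode left mid-way is re-entered at its saved history point, and the Counter/Top model with input variable req.

```python
"""Toy enumerative reachability checker for hierarchic modes (added example, not the
HeRMes/Mocha code). Control points of a mode definition: "de" (default entry), "dx"
(default exit), named internal points, and "<inst>:entry" / "<inst>:exit" for sub-modes."""
from collections import deque, namedtuple
import struct

# A transition has a target control point, a guard and an update over (env, instance path).
Transition = namedtuple("Transition", "dst guard update",
                        defaults=(lambda e, p: True, lambda e, p: None))
# A mode definition: local variables, sub-mode instances (name -> definition name) and
# its transitions indexed by source control point. One definition serves every instance.
ModeDef = namedtuple("ModeDef", "locals_ submodes trans")

def local(path, var):
    return path + "." + var                         # scoped name of an instance's local

def macro_step(defs, top, state):
    """Mode round: breadth-first traversal starting at the top-level default entry."""
    start = ((("top", top, "de"),), state[1], state[0])   # (frame stack, env, history)
    queue, seen, ends = deque([start]), {start}, []
    while queue:
        stack, env_t, hist_t = queue.popleft()
        env, history, succ = dict(env_t), dict(hist_t), []
        path, dname, cp = stack[-1]
        mdef = defs[dname]
        if cp == "dx" and len(stack) == 1:          # top-level default exit: round complete
            ends.append((hist_t, env_t))
        elif cp == "dx":                            # leave the instance: drop history and locals
            history.pop(path, None)
            for v in mdef.locals_:
                del env[local(path, v)]
            ppath, pdef, _ = stack[-2]
            succ.append((stack[:-2] + ((ppath, pdef, path.rsplit(".", 1)[1] + ":exit"),), env, history))
        elif cp.endswith(":entry"):                 # enter a sub-mode instance
            inst = cp[:-len(":entry")]
            cpath, cdef = path + "." + inst, mdef.submodes[inst]
            ccp = history.get(cpath)                # history entry if it was left mid-way
            if ccp is None:                         # default entry: fresh locals
                ccp = "de"
                env.update({local(cpath, v): 0 for v in defs[cdef].locals_})
            succ.append((stack + ((cpath, cdef, ccp),), env, history))
        else:
            for t in mdef.trans.get(cp, ()):        # only this control point's transitions
                if t.guard(env, path):
                    env2 = dict(env)
                    t.update(env2, path)
                    succ.append((stack[:-1] + ((path, dname, t.dst),), env2, history))
            if not succ:                            # nothing enabled: round ends inside the mode
                history.update((f[0], f[2]) for f in stack[1:])
                ends.append((tuple(sorted(history.items())), env_t))
        for stk, e, h in succ:
            cfg = (stk, tuple(sorted(e.items())), tuple(sorted(h.items())))
            if cfg not in seen:
                seen.add(cfg)
                queue.append(cfg)
    return ends

def compress(state):
    """Packed byte string used as the hash-table key of a reached state."""
    hist, env = state
    vals = struct.pack("<%dh" % len(env), *(v for _, v in env))
    return (";".join(p + "@" + c for p, c in hist) + "\0" + ";".join(n for n, _ in env)).encode() + b"\0" + vals

def reachable(defs, top, init_env, inputs):
    """Depth-first search over macro steps; the reached set is indexed by control configuration."""
    init = ((), tuple(sorted(init_env.items())))
    reached, stack = {(): {compress(init)}}, [init]
    while stack:
        hist, env_t = stack.pop()
        envs = [dict(env_t)]                        # environment round: every input combination
        for name, values in inputs.items():
            envs = [dict(e, **{name: v}) for e in envs for v in values]
        for e in envs:
            for s in macro_step(defs, top, (hist, tuple(sorted(e.items())))):
                bucket = reached.setdefault(s[0], set())
                if compress(s) not in bucket:
                    bucket.add(compress(s))
                    stack.append(s)
    return reached

# Constructed model: two instances (a, b) of one Counter definition under a Top mode.
def _inc(e, p): e[local(p, "n")] += 1
COUNTER = ModeDef(("n",), {}, {
    "de":    (Transition("wait"),),
    "wait":  (Transition("count", lambda e, p: e["req"] == 1, _inc),),   # blocks while req == 0
    "count": (Transition("dx", lambda e, p: e[local(p, "n")] >= 2),
              Transition("wait", lambda e, p: e[local(p, "n")] < 2)),
})
TOP = ModeDef((), {"a": "Counter", "b": "Counter"}, {
    "de":     (Transition("a:entry", lambda e, p: e["turn"] == 0),
               Transition("b:entry", lambda e, p: e["turn"] == 1)),
    "a:exit": (Transition("dx", update=lambda e, p: e.update(turn=1)),),
    "b:exit": (Transition("dx", update=lambda e, p: e.update(turn=0)),),
})
DEFS = {"Counter": COUNTER, "Top": TOP}

def demo():
    """Reached states per control configuration for the constructed model."""
    reached = reachable(DEFS, "Top", {"req": 0, "turn": 0}, {"req": (0, 1)})
    return {";".join(p + "@" + c for p, c in h) or "top": len(v) for h, v in reached.items()}
```

    Running demo() gives {'top': 3, 'top.a@wait': 1, 'top.b@wait': 1}: three states where the top mode has completed its round, and one paused state per Counter instance, each keeping its own local n in scope while the history entry records where the instance stopped. The Counter definition is stored once and both instances index into the same transition table, which is the sharing the enumerative checker slide describes.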

  • Modular Reasoning

    Compositional reasoning: central to many formalisms: CCS, I/O Automata, TLA, etc.

    Circular assume/guarantee reasoning: valid only when the interaction of a module with its environment is non-blocking.

    Terminology: compositional and assume/guarantee reasoning based on observable behaviors.

    Application area: only recently being automated by model checkers; until now restricted to architecture hierarchies.

  • Conjunctive Modes

    Synchronous semantics: state s = (i1, i2, o1, o2, p1, p2).

    Executions

  • And/Or Hierarchies

    The ability to express conjunctive modes is important for the construction of arbitrary and/or hierarchies.

    Consider a hypothetical search and rescue robot operating on a battlefield:

  • Mocha Tool Architecture: Integrated Development Environment Manager

  • Wrap-up

    Activity Diagrams: consider differential equations for activities: hybrid hierarchic modes; avionics, robotics, automotive industry; global and modular simulation; exploit hierarchy in analysis; relate to hybrid sequence diagrams.