(Meta)model s a nd t ransformation s ! thinking aids for the engineer - a case study

(Meta)models and transformations ! thinking aids for the engineer -

a case study

András Pataricza

Budapest University of Technology and EconomicsDepartment of Measurement and Information Systems

[email protected]

Budapest University of Technology and EconomicsDepartment of Measurement and information Systems 2

Abstract State Machines


References


Methodology


Guideline


Contents

Qualitative fault

modeling

Motivation

Semantics definition

UML activity diagrams

Qualitative modeling

Summary

ASM foundations

UML 2.0

foundations

fault modeling

error propagation

Application to UML AD

ASM based modeling

Extended modeling

Formal semantics for UML diagrams

UML 2.0 provides only a verbal semantics definition.

How can a formal semantics derived from it ?


Qualitative fault

modeling

Motivation




Summary

ASM foundations


Requirements for a specification language

Scope

Preciseness

Easy to understand• Programming language-like notations, auto-documentation• No enforced details• Hierarchical modeling, refinement

Transformability• Support of verification and validation• Support of implementation

Something in between or better SIMULTANEOUSLY mathematics and programming language


ASM Basics

Signature (vocabulary) finite collection of function names.

Each function name f:• Arity, a non-negative integer.

– Nullary: „constant”

Function names: • static or • dynamic.

Static constants{undef , true, false} 2 every ASM signature .


Function scheme

Function f1

Location

Location

Location

Variableassignement

Content

f(a1 ... an)

f(a’1...a’n)

f(a”1...a”n) undef

(x1,x2...xn)


Constant

Input variable

False

Undef

Constant

True

Function name

Signature

1..*

0..1

0..*

#arity 0..*0..10

Function f1

Location

Boolean algebra

Restriction of the domains


Function types

Shared (INOUT)

Monitored (IN)

Basic

Controlled

Derived

OUT

DynamicStatic

Functions


Static function

Shared (INOUT)

Monitored (IN)

Basic

Controlled

Derived

OUT

DynamicStatic

Functions

Function f1

Location

Location

Location


Function typesSystem

Monitored

Shared

Out

fshared(x)

fmonitored(x)

fout(x)

fcontrolled(x)

dynamic

fcontrolled(x)

staticControlled

Controlled


State

A state A for a signature • Superuniverse: a set |A| ;• Interpretation fA of each function name f

– if f is a constant fA 2 |A|– if f is a n-ary function name: fA: |A|n £ |A|


Update

Elementary update: a pair (l,v) l is a location

v 2 |A| is the designated new value at l

Trivial update: v=A(l) i.e. the new vaule is the same as the old one

U update set: set of updates

U consistent update set:No clashing updates:

8 l, 8 v,w: if (l,v) 2 U and (l,w) 2 U then v=w


Firing

Execution of upgrades • simultaneously from the (consistent) update set, • content of the locations not included: unaltered

Consistent update set UInitial state: AFiring: A ) (A + U)New state: (A + U)Contents: (A + U)(l) = if (l,v) 2 U then v

else A(l)


ASM

Abstract State Machine M

• signature • initial states for • rule declarations

• main rule name of the machine– arity zero


ASM machine


Basic ASM constructs


Formal semantics


Run of an ASM

A finite or infinite sequence of states such

• the initial state is A0

• either for all n 2 N+ a consistent update results in a An ! An+1 move

• or there is no more consistent update set and An is the final state


Isomorphism


Refinement and abstraction

Equivalence of states

Correctness: each refined has an abstract counterpart

Completeness: each abstract has a refined counterpart

Example: Dataflow models

A natural way for algorithm design


Basic structure

DFN nodeinput channels

output channelsFSM

non-deterministicfiring rules

FIFO

DFN nodeFIFO

FIFO


Definition of a dataflow node


Definition of the FIFO


ASM program of the FIFO

length

tail head

Previous processed


ASM program of a node

Compile time


ASM program of a node Interpretation is defined by:

number(headi)

¸ Xin,r(i)

Interpreted DFN models:• Coloured tokens• Number of tokens – vector• Comparison – by vector components

Non-interpreted DFN:• Simple tokens• Numbers and comparison scalars


Abstraction - refinement

In order to show correctness:

Only to show, that• Total number of tokens is a homomorphism• Comparison as a relation is a homomorphism

5

2

3

4

6

20

2

1

1

5

3

12≥

≥

≥

≥

≥

≥

Uninterpreted

Interpreted


Some conclusions on ASM programs• Non-procedural programs• Simultaneously executed blocks

and not the order of instructions• Resemble to HDLs• Signals– Interaction of modules– Synchronization

• Refinement/ abstraction : correctness / completeness proven by the check of attributes of the elements


Case study: how effective is ASM based modeling

Done for UML 1.x by Börger et al.

AUTOMATED DERIVATION OF ERROR PROPAGATION MODELS FROM UML MODELS?


Qualitative fault

modeling

Motivation




Summary

UML 2.0


Activity diagram

Basically: a data flow network (DFN). • representation of data and control information.• directed graph

– hierarchical composition of activity nodes • activity• action

– activity edges – coloured token flows

• Partitions

• Interruptible regions and exceptions


Activity models

Coordination between the lower-level behaviors

• event oriented , – termination of an action producing output tokens, – events from the outside environment generating tokens at interface nodes,– arrival of data or control at an action component

• Option: reentrant


Nodes


Activity levels in UML 2.0

Control sequencing

No concurrency

Fork, join

Object nodes

object flows, multicast, xform of

tokens, edge weights

interruptible regions,

exceptions

Structured programming

Structured hierarchies


Actions• Primitive functions:

– user defined transformations on data

• Invocations of behavior – other activities – other types of behavior

• Invocation hierarchies invoking– other activities.– inter-behavior communication by signals (multicast / multireceive).

• Read, write create and delete operations on • variables, • objects • links

• Flow-of-control


Example:variable actions


Example: invocation

actions


Basic action node frame

ActionNode(n) =

FSM(n; action; next(n)) where

action = if active(n) and guard and correctMultiplicity(n) then

act

forall L 2 dynArgs(n) with guard(L) = true do act(L)


Control nodes


Decision node

Selection from alternatives

node ( in; (condi) i · k ; (outi) i · k )

ASM:

DecisionNode(n) =

FSM(n; test; next (n; min {i · k | condi}))

where test = if active (n) then skip


Object node

Intermediate buffer • objects and data between activity or action nodes. • Selection policies

– Simplest case: multiset– CompleteActivities:

• FIFO, LIFO, user defined- a behavior associated to the object node);

• Optional upper bound on the number of tokens in the node (capacity bounded Petri-nets) • Specification of the state of tokens required • A special case: DataStoreNode,

– central buffer node for non-transient information.


Short summary

UML diagrams can be captured by ASMs• A few of frames• Mapping of non-graphical constructs to ASMs

– Guards– Additional user defined behavioral specification

• Elementary proofs for standards compliance1 phrase ) 1 simple proof (trace)

• Future: – MDA– Microsoft provides technology for .net

Qualitative fault modeling

A natural way for abstraction in diagnosis problems

CAN WE DERIVE ERROR PROPAGATION MODELS IN AN AUTOMATED WAY FROM ASM MODELS?


Qualitative fault

modeling

Motivation




Summary

foundations

fault modeling

error propagation

Application to UML AD

ASM based modeling

Extended modeling


Basic idea of qualitative fault modeling


ObjectiveBasic idea: • keep only, wheter the actual and reference values are identical • non-deterministic modeling

– IF-THEN-ELSE ) CHOOSE

Design• frequently incomplete specification• preliminary estimation of fault / error effectsAnalysis• complexity problems

– interpreted 10120

– uninterpreted 101600


Applications

Origins: mid-nineties (York, TUB)

A few qualitative values (good, faulty, early, late)

Applications: • industrial models (Daimler-xxx)• railway interlocking systems (Yellow book of the BR)• e-Business processes

Experiences:• effective both in modelling and analysis• Consistency between the qualitative and refined model ?• Automated derivation / checking ?


Example: e-Business

trip announcement

Log in

Program selection

Displaying program details

/Data: Program list

/Data: Username/Organisation: Tour

operator

/Data: Profit calculations

/Data: Password

Bad username or password

Login OK

Specifying trip details

/Data: Departure time

/Data: Price

/Infrastructure: Bus

Deficit

Profitable

Announce trip

/Organisation: Touroperator

/Organisation: Touroperator

/Data: Min. #ofParticipants

Resource allocation/Organisation: Tour

operator

/Infr.: Restaurant

/Infr.: Travel guide


Abstraction and analysis

Mostly correctness, but no completeness• Conclusion:

the abstract model covers non-existing refined ones


Principle of semi-decisions


Model construction

Basic idea:• fault modeling: resources• error propagation:

– simultaneous tracing of the reference and erroneous runs

– both propagate through the same (fault-free) components

– reduction of the (reference, erroneous) value pair to a single value {identical, different}

– domain reduction from n2 to 2 at each node !

Fault modeling


UML General Resource ModelResourceUsage

StaticUsage DynamicUsage

Client

QoSValue+RequiredQoS

1..*

0..*

ResourceInstance1..*

+usedResources

1..*

+OfferedQoS

0..*

0..*

QoScharacteristic

+instance0..*

+type

*

Scenario

ResourceInstance

1..*

+usedResources1..*

ResourceServiceInstance

1

1..*

+OfferedQoS

0..*

0..*

QoSValue

ActionExecution

1

+step (ordered)1..*

+RequiredQoS

1..*

0..*

1..*

+usedServices

1..*

+instance0..*

+type

*

+successor

0..*

+predecessor

0..*


Fault modeling by GRM

Architecture design

+op1()::qualitative()

-attr_11::qualitative : Class1 = good

Class1

+op_21()::qualitative()

-attr_12::qualitative : int = good

Class2

Resources (GRM)

Resource1Resource2

«uses» «uses»

Resource_instance (state good/faulty)

Resource_manager

-ctrl*

-reacts*

Fault injector

Fault selection and activation

• Model of the inter-actions with resources via GRM• Insertion of (qualitative) faults at the resources• Error propagation through the scenarios

Modeling of error propagation


Interpreted statechart

State1

State21

e1 [x>26 & y<112] / on(light(x))

State22

e2 [x<=26] / off(light(x-1))

e33

[x>21] / on(light(x))


Non-interpreted

State1

State21

e1 [max(x,y)=potentially_faulty] / on(light(x))

State22

e2 [x=potentially_faulty] / off(light(x))

e33

[x=potentially_faulty] / on(light(x))

Illegale1 [max(x,y)=illegal]

[x=illegal]e2 [x=potentially_faulty]

e1 [max(x,y)=potentially_faulty]


Error propagation analysisError

propagation

Functional description(fault free case)

ASMphysicalcarrier

ASMcomputation

value


Error propagation – different valuesError

propagation


Valueconstraint

Valueconstraint

ASMphysicalcarrier

Valueconstraint

ASMcomputation

value


Simplification into a single modelError

propagation


Valueconstraint

ASMphysicalcarrier

ASMqualitative

Valueconstraint

Valueconstraint

ASMcomputation

value

Reduction:• do not trace the exact values• difference between the reference and erroneous run


Diagnosis problem single reference, single observation


(FT) scenario check –single reference – multiple erroneous runs

Qual itative model

Detail ed model

Qualitative run

Different DifferentDifferent

Equal Equal

{Erroneous run}

Reference run


Architecture FT analysis –multiple references – multiple erroneous runs


Basic idea of the transformation

Transformation of the model:• Transformation of individual ASM constructs

Example: Update ) Qualitative update


Basic ASM constructs


Qualitative transformation of the basic ASM constructs

Can be done for individual variables:• selected data

– what if the date is wrong– what if the price is wrong

• selected control states– the system is a wrong state


Basic action node frame qualification

ActionNode(n) =

FSM(n; action; next(n)) where

action = if active(n) and guard and correctMultiplicity(n) then

act

forall L 2 dynArgs(n) with guard(L) = true do act(L)


„Impressions” on activity diagrams

Majority of the elements:• Transformation type – propagation• Manipulation of data structures - multiple errors• Propagation through object nodes

– multiple paths – equivalent to fanout at the gate level)

• Decision - randomization• Individual analysis for primitive actions

Exended model of error propagation


Extended qualitative model


Qualitative values


Qualitative fault

modeling

Motivation




Summary


Summary

A precise semantics • supports derivation

– any derived modeling problem – solvable in an algorithmic way

• solution at the language level– elementary transformation steps– objective appears as transformation object selection

• variety of modelling goals – embedded into the transformation

Documents

(Meta)model s a nd t ransformation s ! thinking aids for the engineer - a case study