[PDF] - aal 2k: Small T utorial Upp 16 Otob er 2002 1 In tro PDF Document

SLIDE 1 Upp aal2k: Small T utorial

16

O tob er 2002 1 In tro du tion This do umen t is in tended to b e used b y new

mers

to Upp aal and v eri ation. Studen ts

r

engineers with little ba kground in formal metho ds should b e able to use Upp aal for pra ti al purp

ses

after this tutorial. Se tion t w

des rib

es Upp aal and se tion three is the tutorial itself. 2 Upp aal Upp aal is a to

l

b

x

for v alidation (via graphi al sim ulation) and v eri ation (via automati mo del- he king)

f

real-time systems. It

nsists
f

t w

main

parts: a graphi al user in terfa e and a mo del- he k er engine. The user in terfa e is implemen ted in Ja v a and is exe uted

n

the users w

rk

station. It requires that Ja v a 1.2

r

higher is installed

n

the

mputer.

The engine part is b y default exe uted

n

the same

mputer

as the user in terfa e, but an also run

n

a more p

w

erful serv er. The idea is to mo del a system using timed-automata, sim ulate it and then v erify prop erties

n

it. Timed-automata are nite state ma hines with time. A system

nsists
f

a net w

rk
f

pro esses that are

mp
sed
f

lo ations. T ransitions b et w een these lo ations dene ho w the system b eha v es. The sim ulation step

nsists
f

running in tera tiv ely the system to he k that it w

rks

as in tended. Then w e an ask the v erier to he k rea habilit y prop erties, i.e. if a ertain state is rea hable

r

not. This is alled mo del- he king and it is basi ally an exhaustiv e sear h that

v

ers all p

ssible

dynami b eha viours

f

the system. More pre isely , the engine uses

n-the-y

v eri ation

m

bined with a symb

li

te hnique redu ing the v eri ation problem to that

f

solving simple

nstr

aint systems [YPD94 , LPY95 ℄. The v erier he ks for simple in v arian ts and rea habilit y prop erties for eÆ ien y reasons. Other prop- erties ma y b e he k ed b y using testing automata [JLS96 ℄

r

the de orated system with debugging information [LPY97 ℄. 3 Learning Upp aal Upp aal is based

n

timed automata, that is nite state ma hine with lo ks. The lo ks are the w a y to handle time in Upp aal. Time is

n

tin uous and the lo ks measure time progress. It is allo w ed to test the v alue

f

a lo k

r

to reset it. Time will progress globally at the same pa e for the whole system. A system in Upp aal is

mp
sed
f
n urren

t pro esses, ea h

f

them mo deled as an automaton. The automaton has a set

f

lo ations. T ransitions are used to hange lo ation. T

n

trol when to re a transition, it is p

ssible

to ha v e a guard and a syn hronization. A guard is a

n-

dition

n

the v ariables and the lo ks sa ying when the transition is enabled. The syn hronization me hanism in Upp aal is a hand-shaking syn hronization: t w

pro

esses tak e a transition at the

This

des ription

v

ers v ersion 3.2.11 1

SLIDE 2 same time,

ne

will ha v e a a! and the

ther

a a?, a b eing the syn hronization hannel. When taking a transition a tions are p

ssible:

assignmen t

f

v ariables

r

reset

f

lo ks. The follo wing examples will mak e y

u

familiar with this short des ription. 3.1 Ov erview Upp aal main windo w (gure 1) has t w

main

parts: the men u and the tabs. Figure 1: Ov erview

f

Upp aal. The men u is des rib ed in the in tegrated help, a essible through the help men u. The help des rib es the GUI in detail, so this tutorial will fo us

n

ho w to use the to

l.

The three tabs giv e a ess to the three

mp
nen

ts

f

Upp aal that are the e ditor, the simulator and the verier. Figure 1 sho ws the editor view. The idea is to dene templates (lik e in C++) for pro esses that are instan tiated to ha v e a

mplete

system. The motiv ation for the templates is that system

ften

ha v e sev eral pro esses that are v ery alik e. The

n

trol stru ture (i.e. the lo ations and edges) is the same,

nly

some

nstan

t

r

v ariable is dieren t. Therefor templates an ha v e sym b

li

v ariables and

nstan

ts as parameters. A template ma y also ha v e ha v e lo al v ariables and lo ks.

start end

Figure 2: Y

ur

rst automaton. 2

SLIDE 3 T

get

a rst

n

ta t with Upp aal, double li k in the dra wing area to get a lo ation, rep eat this, y

u

ha v e t w

.

Double li k

n

these lo ations to rename them to start and end. Cli k

n

the Transition Mode button, li k

n

the start lo ation and

n

the end lo ation. Righ t li k

n

the start lo ation and mark it as initial. A small ir le app ears inside the state. Y

u

ha v e y

ur

rst automaton ready , as depi ted in gure 2. Cli k

n

the Simulator tab to start the sim ulator, li k

n

the yes button that will p

p

up and y

u

are ready to run y

ur

rst system. Figure 3: A snapshot

f

the graphi al sim ulator. Figure 3 sho ws the sim ulator view. On the left y

u

will nd the

n

trol part where y

u

an ho

se

the transitions (upp er part) and repla y/sa v e/load a tra e (lo w er part). In the middle are the v ariables and

n

the righ t the system itself. T

sim

ulate

ur

trivial system pi k

ne
f

the enabled transitions in the list in the upp er left part

f

the s reen. Of

urse

there is

nly
ne

transition in

ur

example. Cli k Next. The pro ess view to the righ t will hange (the red dot indi ating the urren t lo ation will mo v e) and the sim ulation tra e will gro w. W e ha v e no w sim ulated

ur

system and will pro eed with v eri ation. Cli k

n

the Verifier tab. The v erier view as in Figure 4 is displa y ed. The upp er se tion allo w y

u

to sp e ify queries to the system. The lo w er part logs the

mm

uni ation with the mo del- he king engine. En ter the text E<>P.end in the Query eld b elo w the Ov erview. This is the Upp aal notation for the temp

ral

logi form ula 9

P

:end and should b e understo

d

as \is it p

ssible

to rea h the lo ation end in pro ess P". Cli k Model Che k to let the engine v erify this. The bullet in the

v

erview will turn green indi ating that he prop ert y indeed is satised. The goal

f

the rest

f

this do umen t is to explore some k ey p

in

ts

f

Upp aal though examples. 3.2 Mutual Ex lusion Algorithm W e will study no w the kno wn P etterson's m utual ex lusion algorithm to see ho w w e an deriv e a mo del as an automaton from a program/algorithm and he k prop erties related to it. The algorithm for t w

pro

esses is as follo ws in C: 3

SLIDE 4 Figure 4: A snapshot

f

the v erier view. Pro ess 1 Pro ess 2 req1=1; req2=1; turn=2; turn=1; while(turn!=1 && req2!=0); while(turn!=2 && req1!=0); // riti al se tion // riti al se tion job1(); job2(); req1=0; req2=0; Y

u

will

nstru t

the

rresp
nding

automata. Noti e that the proto

l

is symmetri , so w e ma y use a template

f

Upp aal to simplify the mo del. First reset the system (New system) to lear the \Hello W

rld"

example. Rename the default template P to mutex. W e will abstra t the a tual w

rk

in the riti al se tion sin e it has no in terest here. The proto

l

has four states that

me

dire tly from the des rib ed algorithm, similar to goto lab els: Pro ess 1 idle: req1=1; w an t: turn=2; w ait: while(turn!=1 && req2!=0); CS: // riti al se tion job1(); //and return to idle req1=0; Dra w the automaton as depi ted in gure 5. No w y

u

will dene it as a template: double li k

n

the paren thesis b elo w the template name. There y

u

an dene the template parameters. T yp e int[0,1℄ req1,req2 ;

nst

me whi h 4

SLIDE 5

idle want wait CS req1:=1 turn:=(me==1 ? 2 : 1) turn==me req2==0 req1:=0

Figure 5: Mutex template means that y

u

dene three v ariables for instan tiation

f

t yp e in teger, b

unded

b et w een and 1, b

lean

in fa t. The last parameter will b e a

nstan

t. As y

u

guess no w from y

ur

dra wing, t w

instan es
f

the t yp e P1:=mutex(req1, re q2, 1) ; and P2:=mutex(req2,re q1 ,2) ; will do the job. Examine ho w the expression (lik e C syn tax) turn:=(me==1 ? 2 : 1) will ev aluate. T

reate

the instan es

p

en the Pro ess assignment lab el in the Pro je t tree and t yp e the de larations ab

v

e. Something is still missing: the v ariables, they ha v e to b e de lared. Cli k

n

the Global de larations lab el and de lare: int[0,1℄ req1,req2; and int[1,2℄ turn; W e ha v e to dene the system no w: li k

n

the System definition lab el and dene there system P1,P2;. No w y

u

ha v e dened y

ur

template, instan tiated them, used the instan tiations in the system and de lared prop er v ariables. As y

u

noti ed the v ariables de lared are global! This is used for turn that is

mmon.

The s op e

f

the name de laration are lo al rst and then global: y

u

noti e this

n

the parameters

f

the templates and the name

f

the global v ariables. The names in the mo del are hosen to b e the same in the dieren t pla es

n

purp

se

to sho w ho w it w

rks.

No w li k

n

the Simulator tab and examine ho w the t w

automata

w ere instan tiated. Lo

k

parti ularly at the names

f

the t w

automata

that are symmetri . Y

u

an sim ulate y

ur

system b y ho

sing

in tera tiv ely the transitions. T ry to rea h the riti al se tion in b

th

pro esses at the same time . . . w ell y

u

annot, a b etter idea is to use the v erier to b e sure

f

this. Cli k

n

the Verifier tab, li k

n

the Insert button, li k in the Query text area and write the m utual ex lusion prop ert y: A[℄ not (P1.CS and P2.CS). Press the Model Che k button and y

u

are done. There should b e a green button ligh ted

n,

whi h means that the prop ert y w as v eried. If the button w ere red it w

uld

mean that the prop ert y w as not v eried. The prop ert y A[℄ is a safet y prop ert y: y

u

he k that not (P1.CS and P2.CS) is alw a ys true. Another t yp e

f

prop ert y , the E<> ma y b e used for rea habilit y prop erties. F

r

example insert a new prop ert y E<> P1.CS, that he ks if pro ess P1 ma y rea h the riti al se tion. If the system w as not

rre t

Upp aal an return an diagnosti tra e. First hange the mo del so it is fault y . E.g. hange the guard req2==0 to req2==1. Then go to the Options men u and he k the Diagnosti Tra e, sele t the m utual ex lusion prop ert y , then press the Model Che k button. No w this prop ert y should not b e satised and y

u

will get a dialog windo w asking to sa v e the tra e, answ er y es and return to the sim ulator. Y

u

an go through the found tra e, press Replay for this. Y

u

ha v e no w mo deled, sim ulated and v eried a simple m utual ex lusion proto

l.

In the 5

SLIDE 6 demo folder in the distribution dire tory there are a few

ther

simple examples. F

r

example the le s her

n

tains another m utual ex lusion proto

l.

3.3 Time in Upp aal This sub-se tion in tends to explain in tuitiv ely the

n ept
f

time in Upp aal. The time mo del in Upp aal is

n

tin uous time. T e hni ally , it is implemen ted as regions and the states are th us sym b

li ,

whi h means that at a state w e do not ha v e an y

n rete

v alue for the time, but rather dieren es [AD94℄. T

grasp

ho w the time is handled in Upp aal w e will study a simple example. W e will use an

bserver

to sho w the dieren es. Normally an

bserv

er is an add-on automaton in harge

f

dete ting ev en ts without p erturbing the

bserv

ed system. In

ur

ase the reset

f

the lo k (x:=0) is delegated to the

bserv

er to mak e it w

rk,

the

riginal

b eha viour with the reset dire tly

n

the transition loop to itself is not hanged a tually . Figure 6 sho ws the rst mo del with its

bserv

er. Time is used through lo ks. In the example x is a lo k de lared as lo k x; in the Global de larations lab el. A hannel is used for syn hronization with the

bserv

er. The hannel syn hronization is a hand-shaking b et w een reset! and reset? in

ur

example. So in this example the lo k ma y b e reset after 2 time units. The

bserv

er dete ts this and a tually p erforms the reset.

loop x>=2 reset!

idle taken reset? x:=0

Figure 6: First example with the

bserv

er. Dra w the mo del, name the automata P1 and Obs, dene them in the system. Noti e that the state taken

f

the

bserv

er is

f

t yp e

mmit.

If y

u

sim ulate the system y

u

will not see m u h. T

train

to in terpret what y

u

see w e will use queries and mo dify the system progressiv ely . The exp e ted b eha viour

f
ur

system is depi ted in gure 7. De lare the hannel with han reset; in the global v ariables se tion.

2 4 6 8 2 4 "time" clock x

Figure 7: Time b eha viour

f

the rst example: this is

ne

p

ssible

run. T ry these prop erties to exhibit this b eha viour: 6

SLIDE 7

A[℄

Obs.taken imply x>=2 : all fall-do wn

f

the lo k v alue (see urv e) are ab

v

e 2. This query means: for all states, b eing in the lo ation Obs.taken implies that x>=2.

E<>

Obs.idle and x>3 : this is for the w aiting p erio d, y

u

an try v alues lik e 30000 and y

u

will get the same result. This question means: is it p

ssible

to rea h a state where Obs is in the lo ation idle and x>3. Add no w an in v arian t to the loop state as sho wn in gure 8.

loop x<=3 x>=2 reset!

2 4 6 8 2 4 "time" clock x

Figure 8: Adding an in v arian t: the new b eha viour. The in v arian t is a progress

ndition:

the system is not allo w ed to sta y in the state more than 3 time units, so the transition has to b e tak en and the lo k reset in

ur

example. T

see

the dieren e, try the prop erties:

A[℄

Obs.taken imply (x>=2 and x<=3) to sho w that the transition is tak en when in the in terv al 2-3.

E<>

Obs.idle and x>2 : it is p

ssible

to tak e the transition in the in terv al 2-3.

A[℄

Obs.idle imply x<=3 : to sho w that the upp er b

und

is resp e ted. The former prop ert y E<> Obs.idle and x>3 no longer holds. Remo v e the in v arian t and hange the guard to x>=2,x<=3. Y

u

ma y think that it is the same as b efore but it is not! The system has no progress

ndition,

just a new

ndition
n

the guard no w. Figure 9 sho ws the new system.

loop x>=2,x<=3 reset!

2 4 6 8 2 4 "time" clock x

Figure 9: No in v arian t and a new guard: the new b eha viour. As y

u

an see the system ma y tak e the same transitions as b efore, but there is no w a deadlo k: the system ma y b e stu k if it do es not tak e the transition after 3 time units. T

see

what happ ens 7

SLIDE 8 Retry the same prop erties, the last

ne

do es not hold no w. A tually y

u

an see the deadlo k with the follo wing prop ert y: A[℄ x>3 imply not Obs.taken, that is after 3 time units the transition is not tak en an y more. 3.4 Urgen t/Committed Lo ations W e will no w lo

k

at the dieren t kind

f

lo ations

f

Upp aal. Y

u

already sa w the t yp e

mmit

in the previous example. There are three dieren t t yp es

f

lo ations in Upp aal that are normal lo ations with

r

without in v arian ts (the x<=3), urgen t lo ations and

mmitted

lo ations. Dra w the automata depi ted in gure 10. Dene the lo ks lo ally to try this feature:

p

en the sub-tree

f

the automata, y

u

will see a De larations lab el under the template. Cli k

n

it and dene lo k x;.

S0 S1 S2 x:=0 S0 S1 S2 x:=0 S0 S1 S2

Figure 10: Automata with normal, urgen t and

mmit

states. Name the automata P0, P1 and P2 resp e tiv ely . The state mark ed U is urgen t and the

ne

mark ed C is

mmitted.

T ry them in the sim ulator and noti e that when in the

mmit

state, the

nly

p

ssible

transition is alw a ys the

ne

going

ut
f

the

mmit

state. The

mmit

state has to b e left immediately . T

see

the dieren e b et w een normal and urgen t state, go to the v erier and try the prop erties:

E<>

P0.S1 and P0.x>0 : it is p

ssible

to w ait in S1.

A[℄

P1.S1 imply P1.x==0 : it is not p

ssible

to w ait in S1. Time ma y not pass in an urgen t state, but in terlea vings with normal states are allo w ed as y

u

an see in the sim ulator. 3.5 V erifying prop erties In the examples ab

v

e w e ha v e used the v erier sev eral times. W e will no w giv e a more

mplete

treatmen t

f

the language that the v erier understand. In summary , the queries a v ailable in the v erier are:

E<>

p: there exists a path where p ev en tually hold.

A[℄

p: for all paths p alw a ys hold. 8

SLIDE 9

E[℄

p: there exists a path where p alw a ys hold.

A<>

p: for all paths p will ev en tually hold.

p
->

q: whenev er p holds q will ev en tually hold. where p and q are state form ulas

f

the form: (P1. s and x<3). The full grammar

f

the query language is a v ailable in the

n-line

help. Note the useful sp e ial form A[℄ not deadlo k that he ks for deadlo ks. 3.6 Some Mo deling T ri ks Upp aal

ers

ur gent hannels that are syn hronization that m ust b e tak en when the transition is enabled, without dela y . Clo k

nditions
n

these transitions are not allo w ed. It is p

ssible

to en o de \urgen t transitions" with a guard

n

a v ariable, i.e. busy w ait

n

a v ariable, b y using urgen t hannels. Use a dumm y pro ess with

ne

state lo

ping

with

ne

transition read!. The urgen t transition will b e x>0 read? for example. There is no v alue passing though the hannels but this is easily en o ded b y shared v ariable: dene globally a v ariable x, and use it to write and read it. Noti e that it is not lean to do read! x:=3; and read? y:=x; but it is b etter to use a

mmit

state: read?

mmit

state and y:=x;. There is no broad ast

mm

uni ation: syn hronization is

nly

b y pairs. T

get

broad ast use a series

f
mmit

states. The sequen e will b e t ypi ally: go1!

mmit

go2!

mmit

go3! and three automata ha ving the

rresp
nding

go1?, go2? and go3?. Sev eral solutions are p

ssible.

Arra ys

f

in tegers ma y b e useful, de lare them as int a[3℄; to ha v e an arra y indexable from to 2. The index an b e an

ther

v ariable i t ypi ally int[0,2℄ i; to b e lean. T

k

eep a mo del manageable,

ne

has to pa y atten tion to some p

in

ts:

The

n um b er

f

lo ks has an imp

rtan

t impa t

n

the

mplexit

y .

The

use

f
mmitted

lo ations an redu e signi an tly the state spa e, but

ne

has to b e areful with this feature b e ause it an p

ssibly

tak e a w a y relev an t states.

The

n um b er

f

v ariables pla ys an imp

rtan

t role as w ell and more imp

rtan

tly their range. One should b e areful that the in teger will not use all the v alues from

32000

to 32000 for example. In parti ular a v

id

un b

unded

lo

ps
n

in tegers sin e the v alues will then span

v

er the full range. Referen es [YPD94℄ W ang Yi, P aul P ettersson, and Mats Daniels. Automati V eri ation

f

Real-Time Com- m uni ating Systems By Constrain t-Solving. In Pr

.
f

the 7th International Confer en e

n

F

rmal

Des ription T e hniques, 1994. [LPY95℄ Kim G. Larsen, P aul P ettersson, and W ang Yi. Mo del-Che king for Real-Time Sys- tems. In Pr

.
f

F undamentals

f

Computation The

ry,

v

lume

965

f

L e tur e Notes in Computer S ien e, pages 62{88, August 1995. [JLS96℄ H.E. Jensen, K.G. Larsen, and A. Sk

u.

Mo delling and Analysis

f

a Collision Av

idan e

Proto

l

Using SPIN and Upp aal. In Pr

.
f

2nd International Workshop

n

the SPIN V eri ation System, pages 1{20, August 1996. 9

SLIDE 10 [LPY97℄ Magn us Lindahl, P aul P ettersson, and W ang Yi. F

rmal

Design and Analysis

f

a Gear- Bo x Con troller: an Industrial Case Study using Upp aal. In preparation, 1997. [AD94℄ R. Alur and D. Dill. A Theory for Timed Automata In The

r

eti al Computer S ien e, v

lume

125, pages 183{235, 1994. V ersion history Mar h 2001 First v ersion b y Alexandre Da vid. 28 Apr 2001 Corre tions b y Alexandre Da vid. Bug in a requiremen t, added: han de laration, bug in de larations: in t[0,1℄ req1,req2, turn; turn is in t, not in t[0,1℄! 17 De 2001 Up dates b y Alexandre Da vid. Added ho w to mark initial states (b e ause the new UPP AAL do es not mak e the rst state initial b y default an ymore). 16 0 t 2002 Up dates b y T

bias

Amnell. Changed s reen-sho

ts

to re en t v ersion (3.2.11), added v eri ation w alk-through in start-end example, added se tion

n

query language plus text up dates

n

sev eral pla es. 10