Experiences with the Omega tool set in the context of the MARS case study



SLIDE 1

OMEGA Workshop - Grenoble, 17 February 2005

OMEGA, IST-2001 Project 33522 (IST-2001-33522)

Experiences with the Omega tool set in the context of the MARS case study

Yuri Yushtein, Jozef Hooman
Radboud University Nijmegen; Embedded Systems Institute, Eindhoven

SLIDE 2

Topic

Report about experiences with the main part of the Omega tool set on an industrial case study, the Medium Altitude Reconnaissance System (MARS) of the Dutch National Aerospace Laboratory (NLR)

Note:

Not addressing all features of the tools, not showing the full power of the tools, and not always based on the latest, current version of a tool, but often on experience with a preliminary version during development within Omega. See the other talks and demos for more details of the tools.

SLIDE 3

Overview

Introduction: MARS case study
Relevant part of the Omega tool set, used on MARS:
  LSCs (Weizmann)
  Untimed verification using UVE (OFFIS)
  Timed verification using IF (Verimag)
  Interactive verification using PVS (RUN, Weizmann, CAU)
Redesign to facilitate compositional techniques and to investigate combined use of tools
Summary

Presenters: Yuri, Jozef

SLIDE 4

MARS overview

Purpose: counteract image quality degradation caused by forward motion of aircraft

SLIDE 5

MARS overview (2)

Case study scope: class diagram of the DatabusManager and its parts (each with multiplicity 1; the assignment of attributes to classes is reconstructed from the extracted diagram)

DatabusManager
  :DatabusController <<Actor>>
    controllerStatus : int
    +controllerStatusOK()
  :AltitudeDataSource <<Actor>>
    msgERROR : int
    msgCount : int
    timeoutCount : int
  :ControllerMonitor
    currentStatusOK : int
    previousStatusOK : int
  :NavigationDataSource <<Actor>>
    msgERROR : int
    msgCount : int
    timeoutCount : int
  :MessageReceiver
    AltMsgTimeoutCount : int
    NavMsgTimeoutCount : int
    NavMsgCount : int
    AltMsgCount : int

SLIDE 6

MARS environment constraints

Data sources provide data with a 25 ms cycle and a jitter of ±5 ms
The data sources are independent and are not synchronised
The data messages may occasionally be lost due to transmission errors
The Data-bus Controller may exhibit built-in-test errors

SLIDE 7

MARS properties subject to verification

Timely detection of a Data-bus Controller error, based on the built-in-test facility of the controller, and proper recovery
Timely detection of a Data-bus error, based on data message arrival monitoring, and proper recovery

SLIDE 8

Relevant Part of the Omega Tool Set

UML-based CASE tool, exporting the model as XMI
Timed Omega Kernel
Untimed model checking: UVE
Timed model checking: IF
Interactive verification: PVS
LSC: Play-in / Play-out

SLIDE 9

Scenario-based requirements modelling

Tool support

Modelling with LSCs, PlayEngine tool
Play-In facility: automated LSC capturing
Play-Out facility: model simulation
Model verification based on the SMV model checker
Property specification with existential or universal LSCs

SLIDE 10

Scenario-based requirements modelling (2)

UML Sequence Diagram example (camera control)

Lifelines: ControlPanel, AvionicsDatabus, RCU, Trigger & Exposure module, Camera
Messages: navigation data, altitude data, compute framerate, compute FMC, framerate value, FMC value, cyclical airdata, start filming, activate exposures, trigger pulses, FMC signal

Ordering, relating diagrams, atomic sequences, timing, conditions, constraints, etc.

SLIDE 11

Scenario-based requirements modelling (3)

External data sources (LSC; annotated elements: pre-chart, timing constraint, non-deterministic choice)

SLIDE 12

Scenario-based requirements modelling (4)

Data processing and transfer (LSC; annotated elements: condition, forbidden element)

SLIDE 13

Scenario-based requirements modelling (5)

LSC representation of the properties

SLIDE 14

Scenario-based requirements modelling (6)

Conclusions

Possibility to verify high-level (timed) requirements
More effective for transaction-based systems
Play-Out and verification for autonomous systems
Play-Out: early system simulation
Play-In effective for "human-in-the-loop" systems
GUI Play-In is artificial for autonomous systems
Play-In can be used to capture anti-scenarios
No model export/connection to other tools
GUI development for Play-In relies on VB

SLIDE 15

Untimed UML modelling and verification

Tool Support

UML modelling with the Rhapsody tool
Verification with the UML Verification Environment (UVE)
UVE performs untimed model checking
A system run is seen in terms of run-to-completion steps
Property specification with propositional logic and temporal logic patterns
Counterexamples are given as discrete-time timing diagrams and LSC traces

SLIDE 16

Untimed UML modelling and verification (3)

Class behaviour modelling: statechart of the MessageReceiver

States: Operational (initial), BusError, ControllerError. Transition labels as read from the diagram (the source/target assignment is reconstructed from the extracted figure):

initial -> Operational: / NavMsgTimeoutCount = 0; AltMsgTimeoutCount = 0;

Operational (internal transitions):
  evAltDataMsg / AltMsgTimeoutCount = 0;
  evNavDataMsg / NavMsgTimeoutCount = 0;
  evAltDataMsgTimeout / AltMsgTimeoutCount += 1;
  evNavDataMsgTimeout / NavMsgTimeoutCount += 1;
Operational -> BusError: [NavMsgTimeoutCount == 3 || AltMsgTimeoutCount == 3] / NavMsgCount = 0; AltMsgCount = 0;

BusError (internal transitions):
  evAltDataMsg / AltMsgCount += 1;
  evNavDataMsg / NavMsgCount += 1;
  evAltDataMsgTimeout / AltMsgCount = 0;
  evNavDataMsgTimeout / NavMsgCount = 0;
BusError -> Operational: [NavMsgCount >= 2 && AltMsgCount >= 2] / NavMsgTimeoutCount = 0; AltMsgTimeoutCount = 0;

Operational -> ControllerError: evControllerError
BusError -> ControllerError: evControllerError
ControllerError -> Operational: evControllerOK / NavMsgTimeoutCount = 0; AltMsgTimeoutCount = 0;

SLIDE 17

Untimed UML modelling and verification (4)

Verification example (UVE output; annotated on the slide: property specification, specification of assumptions, non-deterministic external event list, verification result)

*** The Property 'inv_P_implies_finally_Q_B__immediate' with
***   P = root->p_DatabusManager->itsDatabusController->IS_IN(Error)
***   Q = root->p_DatabusManager->itsMessageReceiver->IS_IN(ControllerError)
***   max_X_Val = 4
*** under the assumptions 'first_P_implies_globally_Q__immediate' with
***   P = root->p_DatabusManager->itsDatabusController->IS_IN(Error)
***   Q = root->p_DatabusManager->itsDatabusController->IS_IN(Error)
*** and assumption 'inv_finally_P_B__immediate' with
***   P = ES_evPollController(ENV, root->p_DatabusManager->itsControllerMonitor)
***   max_X_Val = 5
*** with 'ndet'-mode external event list
***   root->p_DatabusManager->itsDatabusController, evControllerBIT_OK
***   root->p_DatabusManager->itsDatabusController, evControllerBIT_ERROR
***   root->p_DatabusManager->itsControllerMonitor, evPollController
***   root->p_DatabusManager->itsNavigationDataSource, evSendMsg(0)
***   root->p_DatabusManager->itsNavigationDataSource, evSendMsg(1)
***   root->p_DatabusManager->itsAltitudeDataSource, evSendMsg(0)
***   root->p_DatabusManager->itsAltitudeDataSource, evSendMsg(1)
*** does not hold.
*** A counterexample trace is generated. Please stand by...

SLIDE 18

Untimed UML modelling and verification (5)

Untimed UML modelling and verification (5)

The same property, assumptions and external event list as on slide 17, with the bound of the property raised to max_X_Val = 5 (annotated on the slide: property specification, specification of assumptions, non-deterministic external event list, verification result)

*** The Property 'inv_P_implies_finally_Q_B__immediate' with
***   P = root->p_DatabusManager->itsDatabusController->IS_IN(Error)
***   Q = root->p_DatabusManager->itsMessageReceiver->IS_IN(ControllerError)
***   max_X_Val = 5
*** under the assumptions 'first_P_implies_globally_Q__immediate' with
***   P = root->p_DatabusManager->itsDatabusController->IS_IN(Error)
***   Q = root->p_DatabusManager->itsDatabusController->IS_IN(Error)
*** and assumption 'inv_finally_P_B__immediate' with
***   P = ES_evPollController(ENV, root->p_DatabusManager->itsControllerMonitor)
***   max_X_Val = 5
*** with 'ndet'-mode external event list
***   root->p_DatabusManager->itsDatabusController, evControllerBIT_OK
***   root->p_DatabusManager->itsDatabusController, evControllerBIT_ERROR
***   root->p_DatabusManager->itsControllerMonitor, evPollController
***   root->p_DatabusManager->itsNavigationDataSource, evSendMsg(0)
***   root->p_DatabusManager->itsNavigationDataSource, evSendMsg(1)
***   root->p_DatabusManager->itsAltitudeDataSource, evSendMsg(0)
***   root->p_DatabusManager->itsAltitudeDataSource, evSendMsg(1)
*** holds.
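The MessageReceiver statechart of slide 16 and the UVE bounded-response pattern of slides 17 and 18, as an added executable model (this is example code written for this page, not code from the Omega tool set or the NLR model). It encodes the statechart as a pure transition function over one external event, explores the reachable states with the UVE-style "any single event" environment, and checks a property of the shape 'inv_P_implies_finally_Q_B' under a chosen environment assumption. The environment models (ANY_EVENT, CYCLE, BUS_OK), the treatment of data events in ControllerError and the saturation of the message counters at K are assumptions marked in the comments; the real UVE run also contained the DatabusController and ControllerMonitor, which are not modelled here.

```python
"""Executable model of the MessageReceiver statechart (slide 16) plus a small explicit-state
checker for UVE-style bounded response properties (slides 17 and 18).
Added example, not code from the Omega tool set; the environment models are assumptions."""
from collections import deque

N = 3   # consecutive time-outs on one source => BusError    (NLR implementation, slide 29)
K = 2   # consecutive messages on both sources => Operational (NLR implementation, slide 29)

PRIMITIVE = ("evAltDataMsg", "evAltDataMsgTimeout", "evNavDataMsg", "evNavDataMsgTimeout",
             "evControllerError", "evControllerOK")

# State = (location, AltMsgTimeoutCount, NavMsgTimeoutCount, AltMsgCount, NavMsgCount)
INITIAL = ("Operational", 0, 0, 0, 0)


def step(state, ev):
    """One run-to-completion step of the receiver on one external event."""
    loc, alt_to, nav_to, alt_c, nav_c = state
    if ev == "evControllerError":                        # taken from Operational and BusError
        return ("ControllerError", alt_to, nav_to, alt_c, nav_c)
    if loc == "ControllerError":
        if ev == "evControllerOK":
            return ("Operational", 0, 0, alt_c, nav_c)
        return state                                     # assumption: data events ignored here
    if loc == "Operational":
        if ev == "evAltDataMsg":
            alt_to = 0
        elif ev == "evNavDataMsg":
            nav_to = 0
        elif ev == "evAltDataMsgTimeout":
            alt_to += 1
        elif ev == "evNavDataMsgTimeout":
            nav_to += 1
        else:
            return state                                 # evControllerOK has no effect
        if alt_to == N or nav_to == N:                   # completion transition to BusError
            return ("BusError", alt_to, nav_to, 0, 0)
        return ("Operational", alt_to, nav_to, alt_c, nav_c)
    # loc == "BusError": count consecutive messages per source; a time-out restarts its count
    if ev == "evAltDataMsg":
        alt_c = min(alt_c + 1, K)                        # saturate: the guard only tests >= K,
    elif ev == "evNavDataMsg":                           # so the state space stays finite
        nav_c = min(nav_c + 1, K)
    elif ev == "evAltDataMsgTimeout":
        alt_c = 0
    elif ev == "evNavDataMsgTimeout":
        nav_c = 0
    else:
        return state
    if alt_c >= K and nav_c >= K:                        # completion transition to Operational
        return ("Operational", 0, 0, alt_c, nav_c)
    return ("BusError", alt_to, nav_to, alt_c, nav_c)


def run(state, move):
    """Apply an environment move, i.e. a tuple of primitive events, in order."""
    for ev in move:
        state = step(state, ev)
    return state


# Environment models (assumptions, not from the slides)
ANY_EVENT = tuple((ev,) for ev in PRIMITIVE)              # UVE 'ndet' style: any one event
CYCLE = tuple((a, n) for a in ("evAltDataMsg", "evAltDataMsgTimeout")
              for n in ("evNavDataMsg", "evNavDataMsgTimeout"))  # one 25 ms cycle, either outcome per source
BUS_OK = (("evAltDataMsg", "evNavDataMsg"),)              # bus repaired: both sources deliver every cycle


def reachable(moves=ANY_EVENT, initial=INITIAL):
    """Breadth-first exploration of the receiver's reachable states under the given moves."""
    seen, todo = {initial}, deque([initial])
    while todo:
        s = todo.popleft()
        for m in moves:
            t = run(s, m)
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def bounded_response(p, q, max_x, moves, reach_moves=ANY_EVENT):
    """UVE pattern 'inv_P_implies_finally_Q_B': from every reachable state satisfying P, every
    sequence of at most max_x moves passes through a state satisfying Q. Reachability uses
    reach_moves, the responses use moves (the assumption under which the property is checked).
    Returns None if the property holds, else a counterexample (start_state, move_sequence)."""
    for s in sorted(reachable(reach_moves)):             # sorted: deterministic counterexamples
        if not p(s):
            continue
        stack = [(s, [])]
        while stack:
            cur, path = stack.pop()
            if q(cur):
                continue
            if len(path) == max_x:
                return (s, path)
            for m in moves:
                stack.append((run(cur, m), path + [m]))
    return None


def in_location(name):
    return lambda s: s[0] == name


def nav_about_to_time_out(s):
    return s[0] == "Operational" and s[2] == N - 1


if __name__ == "__main__":
    print("reachable states:", len(reachable()))
    # Recovery needs K = 2 clean cycles: holds for max_X_Val = 2, fails for 1
    print(bounded_response(in_location("BusError"), in_location("Operational"), 2, BUS_OK))
    print(bounded_response(in_location("BusError"), in_location("Operational"), 1, BUS_OK))
    # Without the assumption the bus may keep failing, so no bound works
    print(bounded_response(in_location("BusError"), in_location("Operational"), 2, CYCLE))
```

The two runs with BUS_OK mirror the pair of UVE results above: the same response property fails at a bound of 1 move and holds at 2, because re-entering Operational needs K = 2 messages from both sources. The run with CYCLE shows why UVE checks properties under explicit assumptions: with a fully non-deterministic environment the bus can keep timing out, and no bounded response from BusError holds at all.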

SLIDE 19

Untimed UML modelling and verification (6)

Results of the experiments

Property violation found and corrected
Several new features added to the tool, e.g. transient properties
Several tool issues identified and corrected

SLIDE 20

Untimed UML modelling and verification (7)

Conclusions

Verification of high-level models, or partial models of critical parts only
Verification of small UML models, with non-deterministic environment stimuli
Significant decrease in performance for complex properties
LSC facility for transaction-oriented designs
Discrete timing: the run-to-completion step varies depending on circumstances

SLIDE 21

Timed UML modelling and verification

Tool support

UML modelling with the Rhapsody tool
IFx tool reads UML models in XMI format
Model simulation and verification
Timed model checking
Uses the OMEGA UML time extensions
Based on the IF tool from VERIMAG
Property specification based on observers
Counterexample scenarios can be simulated

SLIDE 22

Timed UML modelling and verification (2)

Environment behaviour modelling: statechart of the AltitudeDataSource (the NavigationDataSource is identical)

SLIDE 23

Timed UML modelling and verification (3)

Observer specification example

SLIDE 24

Timed UML modelling and verification (4)

Compositional observer class diagram example

SLIDE 25

Timed UML modelling and verification (5)

Results of the experiments

Property violation found and corrected
Modelling issue with start-up synchronisation
Performance bottleneck in the tool implementation found and resolved
New features introduced: informal actions, inter-observer communication
Current shortcoming: inability to generate the shortest counterexample

SLIDE 26

Timed UML modelling and verification (6)

Conclusions

Timed UML modelling and property specification
Specification of timing non-determinism
Timed verification of small UML models
Handled a model with up to 8 non-deterministic elements
Time-bounded non-determinism is the foremost cause of verification complexity growth

SLIDE 27

Interactive Verification

Tool support

PVS: general purpose interactive theorem prover, developed by SRI; freely available
PVS specification language: higher-order typed logic; hierarchies of parameterized theories with declarations, definitions, axioms and theorems; large amount of predefined theories
PVS proof engine can be used to prove theorems: to prove a goal, the user invokes proof commands; includes powerful decision procedures and rewrite strategies

SLIDE 28

UML formalization in PVS

UML model (XMI representation) and OCL property -> preprocessing -> PVS representation and PVS property, proved with the PVS semantics in the PVS proof engine

SLIDE 29

Specification of the Message Receiver

Desired (generalized) properties:
1) Receiver shall move to the bus error location if and only if one of the data sources misses N consecutive signals
2) Receiver shall recover from error if and only if both data sources send K consecutive signals
Implementation of NLR: N = 3, K = 2

SLIDE 30

Spec in PVS

Trace: sequence of events and time stamps; T(tr)(i) is the time stamp at position i of trace tr

Prop1(tr) : bool =
  FORALL i, j :
    i < j AND
    (LongTimeOut(d1, i, j)(tr) OR LongTimeOut(d2, i, j)(tr)) AND
    NOT Error(d1, j)(tr) AND NOT Error(d2, j)(tr)
    IMPLIES AfterWithin(err, j, DeltaErr)(tr)

with (for d2; d1 analogous)

LongTimeOut(d2, i, j)(tr) : bool =
  Never(d2, i, j)(tr) AND T(tr)(j) - T(tr)(i) >= K * C + 2 * J

AfterWithin(err, j, DeltaErr)(tr) : bool =
  EXISTS i : i >= j AND (err@i)(tr) AND T(tr)(i) - T(tr)(j) <= DeltaErr
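Prop1 above, turned into a trace checker over timed traces, as an added example (Python written for this page, not the PVS theory or the NLR implementation). The checker follows the structure of the PVS definitions: the trace is a time-ordered list of (event, time stamp) pairs, LongTimeOut and AfterWithin are transcribed from the slide, and Prop1 quantifies over all positions i < j. The slide does not define Never and Error and gives no value for DeltaErr, so those are assumptions stated in the comments, as are the two constructed traces, which use the 25 ms cycle and ±5 ms jitter of slide 6.

```python
"""Trace checker for Prop1 of the PVS message-receiver specification (slide 30), run on
constructed timed traces. Added example: this is Python, not the PVS theory, and the
definitions of Never and Error and the value of DeltaErr are assumptions (see comments)."""

C = 25           # data cycle in ms (slide 6)
J = 5            # jitter in ms (slide 6)
K = 3            # cycles without data that count as a long time-out (N = 3 in the NLR design)
DELTA_ERR = 30   # assumed bound on raising err after a long time-out; not given on the slide

# A trace tr is a time-ordered list of (event, time stamp) pairs; events are "d1" and "d2"
# (data from the two sources), "err" (bus error raised) and "ok" (recovery).


def T(tr, i):
    """T(tr)(i): time stamp at position i."""
    return tr[i][1]


def at(tr, ev, i):
    """(ev@i)(tr): event ev occurs at position i."""
    return tr[i][0] == ev


def never(tr, ev, i, j):
    """Never(ev, i, j)(tr). Assumption: no ev at any position k with i < k <= j."""
    return not any(at(tr, ev, k) for k in range(i + 1, j + 1))


def long_timeout(tr, d, i, j):
    """LongTimeOut(d, i, j)(tr) = Never(d, i, j)(tr) AND T(tr)(j) - T(tr)(i) >= K * C + 2 * J."""
    return never(tr, d, i, j) and T(tr, j) - T(tr, i) >= K * C + 2 * J


def error(tr, d, j):
    """Error(d, j)(tr). Assumption: the receiver is already in error at position j, i.e. the
    last err/ok event at or before j is err (d is kept only to match the spec's signature)."""
    last = None
    for k in range(j + 1):
        if tr[k][0] in ("err", "ok"):
            last = tr[k][0]
    return last == "err"


def after_within(tr, ev, j, bound):
    """AfterWithin(ev, j, bound)(tr) = EXISTS i >= j : (ev@i)(tr) AND T(tr)(i) - T(tr)(j) <= bound."""
    return any(at(tr, ev, i) and T(tr, i) - T(tr, j) <= bound for i in range(j, len(tr)))


def prop1(tr):
    """Prop1(tr): for all i < j, a long time-out of d1 or d2 between i and j while not already
    in error implies err within DeltaErr after j. Returns None if it holds, otherwise the
    first violating pair (i, j)."""
    for i in range(len(tr)):
        for j in range(i + 1, len(tr)):
            if ((long_timeout(tr, "d1", i, j) or long_timeout(tr, "d2", i, j))
                    and not error(tr, "d1", j) and not error(tr, "d2", j)
                    and not after_within(tr, "err", j, DELTA_ERR)):
                return (i, j)
    return None


# Constructed traces (not measured data): d1 arrives every 25 ms, d2 arrives with jitter and
# then stops after t = 102 ms. In GOOD the receiver raises err 98 ms later, in LATE 148 ms later.
_PREFIX = [("d1", 0), ("d2", 0), ("d1", 25), ("d2", 28), ("d2", 47), ("d1", 50), ("d1", 75),
           ("d2", 77), ("d1", 100), ("d2", 102), ("d1", 125), ("d1", 150), ("d1", 175)]
GOOD = _PREFIX + [("d1", 200), ("err", 200), ("d1", 225)]
LATE = _PREFIX + [("d1", 200), ("d1", 225), ("err", 250)]

if __name__ == "__main__":
    print("GOOD:", prop1(GOOD))   # None: Prop1 holds
    print("LATE:", prop1(LATE))   # (9, 13): d2 last seen at position 9, time-out certain at 13
```

The threshold K * C + 2 * J (85 ms with these constants) is the earliest point at which K missed cycles can be distinguished from jitter on both ends of the gap; it lies inside the interval N*C + S < Tout < (N + 1)*C - S from slide 31 (80 ms to 95 ms) if S is read as the jitter. The LATE trace is the kind of counterexample the tools on the previous slides report: the antecedent is satisfied at positions (9, 13) and the err event arrives 50 ms after position 13, beyond the assumed DeltaErr.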

SLIDE 31

Verification of the Message Receiver

Untimed version: absence of data as separate events
  First basic verification in PVS, finding suitable invariants
  Redone in TLPVS, reducing user interaction by strategies [UML'04]
Timed version: verification in PVS of a simple case
  Only sender and receiver, N = 1 and K = 1
  One safety property proved (~ 50 PVS lemmas)
  Required relations between parameters identified:
    S < C/2, max(PN, PA) < C - 2*S, N*C + S < Tout < (N + 1)*C - S

SLIDE 32

Interactive Verification: results of the experiments

The combination of UML features, e.g. synchronous operation calls, asynchronous signals, threads and hierarchical state machines, makes interactive verification very complicated
In PVS, modularization of the semantic definitions is important, to allow use of a minimal semantics for the features needed
For scalability, compositionality and abstraction are essential, but this often requires redesign; see the MARS example

SLIDE 33

Compositional verification

To enable compositional verification on MARS: specify the message receiver for a single data source, parameterized by the events d, ok and err

Figure: Message Receiver with input d and outputs ok, err

SLIDE 34

Message receiver for two data sources: obtain the original message receiver by composition

Figure: Message Receiver 1 (input d1, outputs ok1, err1) and Message Receiver 2 (input d2, outputs ok2, err2) feed an Error Logic that produces the combined ok and err

Note: allows generalization to more data sources

SLIDE 35

PVS work on decomposition

Declarative specifications of:
  message receiver for two data sources: TDS
  message receiver for one source: MR
  Error Logic: EL

To validate MR, specify various senders S and show in PVS that S || MR satisfies the desired properties
Correctness of the decomposition in PVS: MR1 || MR2 || EL satisfies TDS
Next, the parts can be implemented and checked in isolation

SLIDE 36

Implementation of the Message Receiver

The Message Receiver can be implemented by a single state machine or by a parallel composition of processes, for instance R || M where
  R is implemented by a timed state machine (with time-out), suitable for timed model checking
  M is implemented by an untimed state machine (counts the number of messages needed to recover), suitable for untimed model checking
The Error Logic is untimed; suitable for untimed model checking

SLIDE 37

Recovery Problem

Problem (found by Verimag): the err signal alone is not good for recovery, because any data miss requires a restart of the counting
Note: the condition for re-entering the correct state is stronger than the condition for staying in it
Solution 1: signals parameterized by a bit string representing the presence of the last N data messages
Solution 2: an additional miss signal to indicate the miss of a single data message
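The decomposition of slides 33 and 34 (one message receiver MR per data source plus an Error Logic EL) and the recovery problem above, as an added executable model (example code written for this page; not the Omega tool-set, PVS or NLR code). It composes MR1 || MR2 || EL over a constructed cycle-by-cycle input and runs it twice: with the err/ok interface only, and with Solution 2's miss signal. The cycle-driven interface, the rule by which EL combines the signals and the scenario are assumptions; N = 3 and K = 2 are the NLR values from slide 29.

```python
"""Compositional message receiver of slides 33/34 (MR per data source plus Error Logic) and
the recovery problem of slide 37, as an executable Python model. Added example, not Omega
tool-set code: the cycle-driven interface between the parts and the Error Logic rules are
assumptions."""

N = 3   # consecutive misses on one source => err    (NLR implementation: N = 3)
K = 2   # consecutive messages on every source => ok (NLR implementation: K = 2)


class MessageReceiver:
    """MR for a single data source, parameterised by its signals d (data arrived), ok and err.
    Driven once per cycle with arrived=True (d) or False (time-out). With emit_miss=True it also
    reports every single lost message, Solution 2 of slide 37."""

    def __init__(self, emit_miss=False):
        self.emit_miss = emit_miss
        self.in_error = False
        self.consecutive_timeouts = 0
        self.consecutive_msgs = 0

    def cycle(self, arrived):
        if arrived:
            self.consecutive_timeouts = 0
            self.consecutive_msgs = min(self.consecutive_msgs + 1, K)
            if self.in_error and self.consecutive_msgs >= K:
                self.in_error = False
                return "ok"
            return None
        self.consecutive_msgs = 0                 # a single miss restarts the recovery count
        self.consecutive_timeouts = min(self.consecutive_timeouts + 1, N)
        if not self.in_error and self.consecutive_timeouts >= N:
            self.in_error = True
            return "err"
        return "miss" if self.emit_miss else None


class ErrorLogic:
    """EL: combines the per-source signals into the receiver's single err/ok output. err as soon
    as any source reports err; ok once no source is in error and, when miss signals are
    available, every source has completed K cycles without a miss or err."""

    def __init__(self, n_sources, use_miss=False):
        self.use_miss = use_miss
        self.in_error = False
        self.source_in_error = [False] * n_sources
        self.clean_cycles = [0] * n_sources       # cycles since the last miss/err, per source

    def cycle(self, signals):
        for s, sig in enumerate(signals):
            if sig == "err":
                self.source_in_error[s] = True
            elif sig == "ok":
                self.source_in_error[s] = False
            self.clean_cycles[s] = 0 if sig in ("err", "miss") else self.clean_cycles[s] + 1
        if not self.in_error:
            if any(self.source_in_error):
                self.in_error = True
                return "err"
            return None
        recovered = not any(self.source_in_error)
        if self.use_miss:                         # re-entering is stronger than staying
            recovered = recovered and all(c >= K for c in self.clean_cycles)
        if recovered:
            self.in_error = False
            return "ok"
        return None


def simulate(cycles, with_miss=False):
    """Run MR1 || MR2 || EL over a list of (src1_arrived, src2_arrived) cycles and return the
    EL output of each cycle."""
    receivers = [MessageReceiver(with_miss), MessageReceiver(with_miss)]
    logic = ErrorLogic(len(receivers), with_miss)
    return [logic.cycle([mr.cycle(a) for mr, a in zip(receivers, arrivals)]) for arrivals in cycles]


# Constructed scenario: source 1 loses three messages in a row, then both sources deliver,
# except that source 2 loses a single message in cycle 4 while the receiver is in error.
SCENARIO = [(False, True), (False, True), (False, True), (True, False), (True, True), (True, True)]
# Constructed control scenario without the single miss: both interfaces must agree on it.
CLEAN_RECOVERY = [(False, True), (False, True), (False, True), (True, True), (True, True)]

if __name__ == "__main__":
    print("err/ok only:", simulate(SCENARIO))                  # ok in cycle 5: too early
    print("with miss  :", simulate(SCENARIO, with_miss=True))  # ok in cycle 6, as specified
```

With only err and ok, MR2 never leaves its good state (source 2 never misses N in a row), so EL sees no reason to restart the recovery count when source 2 drops one message in cycle 4 and declares recovery in cycle 5, one cycle before both sources have delivered K consecutive messages. The miss signal lets EL apply the stronger re-entry condition and recover in cycle 6, which is what property 2 of slide 29 demands. On the control scenario without the single miss both variants agree.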

SLIDE 38

Omega techniques on MARS

Tool (partner)       | MARS spec                                 | Application to original model                                | Compositional approach
UVE (OFFIS)          | Patterns, LSC, propositional formulas     | Untimed verification of model with 2 senders                 | Modular verification of parts, using assume/promise approach; untimed
IF (Verimag)         | Observers, abstract spec for simulations  | Timed verification of model with 2 synchronized senders      | Compositional approach using abstractions; timed
PVS (RUN, Weizmann)  | Declarative, higher-order logic           | Untimed verification, use of TLPVS; timed: small instance    | Compositional verification; timed
LSC (Weizmann)       | LSCs                                      | Requirements modeling, untimed model checking, timing partly | Synthesis of parts from LSCs & generic specs

SLIDE 39

Concluding Remarks

One of the main issues is scalability
Combinations of tools are also important, but remodeling to meet different levels of abstraction and reformulating specifications for different tools are an additional burden for the industrial development process
Growing need for accessible industrial-grade UML-based formal verification tools: the use of formal methods is expected to become mandatory in avionics development standards, but this requires better integration with commercial UML modelling tools and human-tool interaction on the UML model level