Formal Verification of UML Statecharts with Real-Time Extensions

Alexandre David, M. Oliver Möller, Wang Yi (Uppsala University, BRICS Aarhus)


SLIDE 1

Formal Verification of UML Statecharts with Real-Time Extensions

  • Alexandre David
  • M. Oliver Möller
  • Wang Yi

Uppsala University, BRICS Aarhus

Outline:
  1. UML, Statecharts, and Time
  2. Semantics for Formal Verification
  3. Verifying a Pacemaker with UPPAAL

NWPT’01 10 OCTOBER 2001 OLIVER MÖLLER: FORMAL VERIFICATION OF UML STATECHARTS WITH REAL-TIME EXTENSIONS 1

SLIDE 2

Unified Modeling Language (UML)

Born from the unification of other methods (Booch, OMT, OOSE).

Different views of a system:
  A) user view: use case diagrams
  B) structural view: class diagrams
  C) behavioral view: statecharts
  D) environmental view: deployment diagrams
  E) implementation view: component diagrams

An evolving standard:
  • 1.3 finished 2000
  • 1.4 finished 2001
  • 2.0 work in progress (4 RFPs issued May/Sept)


SLIDE 3

The Statechart Formalism


Features:
  • hierarchical state machines
  • parallelism (on any level)
  • history
  • event communication
  • powerful synchronization mechanisms
  • inter-level transitions
  • actions that are dependent on states
  • actions on entry/exit
  • ...


SLIDE 4

Restricted Statechart Formalism


Current restricted features:
  • hierarchical state machines ✔
  • parallelism (on any level) ✔
  • history ✔
  • no event communication
  • no sync states
  • no inter-level transitions
  • no actions that are dependent on states
  • no actions on entry/exit
  • instead: hand-shake style synchronization and shared variables


SLIDE 5

Real-Time Extensions

  • Clocks
  • (timed) Guards
  • Invariants


SLIDE 6


SLIDE 7

A Word on Semantics

UML statecharts:
  • informal (textual) semantic statements
  • ambiguity of the text
  • variations over 1.3 / 1.4 / 2.0
  • implementations make user-driven choices

Our formalism:
  • rule-based, formal semantics
  • unambiguous
  • not identical, but makes clear choices
  • any given formal statechart semantics should be “easy” to translate into it


SLIDE 8

Semantic Rules (example)

Configuration, consisting of:
  • control locations
  • valuation of integer variables
  • valuation of clocks
  • history

Operation: example rule for taking a transition (premises include JoinEnabled and the invariant Inv; the EXIT action is performed).


SLIDE 9

Model Checking

  • inputs: a description of the system and the desired property
  • easier than proving a general theorem
  • completely automatic (’yes’ or a counterexample)
  • efficient algorithms tailored for classes of problems


SLIDE 10

Real-Time Model Checking with UPPAAL

Figure: two timed automata. Locations A, B: invariant x <= 5, an edge with guard x == 5 and updates x := 0, count := count + 1. Locations C, D: an edge with guard count == 4.

Only a subset of TCTL is supported:

  • E<> p     reachability
  • A[] p     safety (invariantly p)
  • E[] p     possibly always p
  • A<> p     inevitably p
  • p --> q   unbounded response (p leads to q, i.e. A[] (p imply A<> q))

where p, q are propositional formulas over locations and (existing) clocks.
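The slide-10 model worked through in code, as an added example (mine, not from the talk or from UPPAAL): a bounded, integer-time explicit-state search that checks the reachability property E<> D and the safety property A[] (A imply x <= 5). The edge structure beyond the slide's labels is an assumption: A → B on x == 5 with x := 0, count := count + 1, an unguarded return edge B → A, and C → D on count == 4.

```python
from collections import deque

INV_A = 5  # invariant x <= 5 on location A (from the slide)

def successors(state):
    """One-step successors of (loc1, loc2, x, count, t): enabled edges, then a unit delay.
    Edge structure beyond the slide's labels (the B -> A return edge) is assumed."""
    loc1, loc2, x, count, t = state
    nxt = []
    if loc1 == "A" and x == 5:                 # guard x == 5; reset x, bump count
        nxt.append(("B", loc2, 0, count + 1, t))
    if loc1 == "B" and x <= INV_A:             # assumed B -> A; target invariant must hold
        nxt.append(("A", loc2, x, count, t))
    if loc2 == "C" and count == 4:             # guard count == 4
        nxt.append((loc1, "D", x, count, t))
    if not (loc1 == "A" and x + 1 > INV_A):    # delay 1 unit unless A's invariant forbids it
        nxt.append((loc1, loc2, x + 1, count, t + 1))
    return nxt

def explore(t_max=30):
    """Breadth-first search of all states reachable within global time t_max."""
    init = ("A", "C", 0, 0, 0)
    seen, queue = {init}, deque([init])
    while queue:
        for nxt in successors(queue.popleft()):
            if nxt[4] <= t_max and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def reachable_D(states):
    """E<> D (reachability): is D reached, and at which earliest global time?"""
    times = [s[4] for s in states if s[1] == "D"]
    return (True, min(times)) if times else (False, None)

def invariant_holds(states):
    """A[] (A imply x <= 5) (safety): checked over every reachable state."""
    return all(not (s[0] == "A" and s[2] > INV_A) for s in states)

if __name__ == "__main__":
    S = explore()
    print(reachable_D(S), invariant_holds(S))   # (True, 20) True
```

Four increments of count each need five time units in A, so D is first entered at global time 20; with a tighter time bound the reachability query is answered negatively.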


SLIDE 11

From (timed) Statecharts to UPPAAL

Figure: translation pipeline. Rhapsody timed Statechart (informal description) → HTA model (hierarchical model, formal semantics) → flatten(·) → TA model (formal semantics) → MODEL-CHECK. Diagram labels: hierarchical model, TA-close hierarchy.


SLIDE 12

From (timed) Statecharts to UPPAAL

Figure: the same pipeline (Rhapsody timed Statechart → HTA model → flatten(·) → TA model → MODEL-CHECK), annotated with the two translation steps:

NORMALIZATION:
  • simplification of data
  • (safe) omission of C-code

FLATTENING:
  • auxiliary locations
  • auxiliary variables

Guiding principle: make it easy to adjust to small changes.


SLIDE 13

Soundness & Correctness

Translations introduce slack. Thus the flattened model is not identical to the hierarchical model, but the two are related as the diagram shows: the hierarchical model and flatten(·) each give rise to a timed transition system and hence to timed traces; the timed traces of the flattened model, projected back, match the timed traces of the hierarchical model.


SLIDE 14


SLIDE 15

Outline of the Flattening

Three phases to flatten a hierarchical structure:

  1. Collect instantiations
     every superstate becomes one (flat) timed automaton

  2. Compute global joins
     mimic synchronization-on-exit in the flat automata; principle: use counters and add a threshold guard

  3. Post-process channel communication
     a transition may not synchronize with its own superstate; principle: duplicate channels and restrict their scope
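The three phases above as an added toy implementation (mine, not the translation used by the authors' tool): phase 2 adds a join counter and threshold guard, phase 3 applies the channel renaming and duplication that slide 17 describes. Edges are plain dicts, phase 1 (one flat automaton per superstate) is taken as given in the input, and the counter name joinCnt_<superstate> and the suffixes _1/_2 are my own choices.

```python
def with_clause(existing, clause, sep):
    """Append a guard or update clause to a possibly empty edge label."""
    return clause if not existing else f"{existing}{sep}{clause}"

def flatten_superstate(name, regions, exit_edge):
    """Phase 2 (global joins): every edge of a parallel region that enters its
    'final' location increments joinCnt_<name>; the superstate's exit edge gets
    the threshold guard joinCnt_<name> == <number of regions>, which mimics
    synchronization-on-exit in the flat automata. Returns (flat regions, exit edge)."""
    counter = f"joinCnt_{name}"
    flat = {}
    for rname, edges in regions.items():
        flat[rname] = []
        for e in edges:
            e = dict(e)                      # copy; the hierarchical model stays untouched
            if e["dst"] == "final":
                e["update"] = with_clause(e.get("update", ""),
                                          f"{counter} := {counter} + 1", ", ")
            flat[rname].append(e)
    exit_flat = dict(exit_edge)
    exit_flat["guard"] = with_clause(exit_edge.get("guard", ""),
                                     f"{counter} == {len(regions)}", " and ")
    return flat, exit_flat

def resolve_channel_conflict(chan, inner_edges, outer_edges, other_edges):
    """Phase 3 (channel post-processing): a transition may not synchronize with its
    own superstate. chan becomes chan_1 on the inner edges and chan_2 on the outer
    (superstate) edges, so the two can no longer meet; every other automaton that
    used chan gets its transition duplicated so that it still accepts both."""
    def uses(e):
        return e.get("sync", "")[:-1] == chan
    def rename(edges, new):
        return [dict(e, sync=new + e["sync"][-1]) if uses(e) else e for e in edges]
    duplicated = []
    for e in other_edges:
        if uses(e):
            duplicated += [dict(e, sync=f"{chan}_1{e['sync'][-1]}"),
                           dict(e, sync=f"{chan}_2{e['sync'][-1]}")]
        else:
            duplicated.append(e)
    return rename(inner_edges, chan + "_1"), rename(outer_edges, chan + "_2"), duplicated

if __name__ == "__main__":
    # constructed toy superstate S with two parallel regions; R2 uses channel c
    regions = {"R1": [{"src": "a", "dst": "final", "update": "x := 0"}],
               "R2": [{"src": "b", "dst": "final", "sync": "c!"}]}
    flat, exit_edge = flatten_superstate("S", regions, {"src": "S", "dst": "T"})
    print(exit_edge["guard"])                                   # joinCnt_S == 2
    print(resolve_channel_conflict("c", flat["R2"], [{"sync": "c?"}], [{"sync": "c?"}]))
```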


SLIDE 16

Example: Flattening the Model of a Human Heart

Figure: flattened UPPAAL automata for the heart model.

Inner superstate: locations VContraction and AContraction (invariant HEART_TIME <= 0), After_V_Contraction (HEART_TIME <= HEART_DELAY_AFTER_V_CONTRACTION), After_A_Contraction (HEART_TIME <= HEART_DELAY_AFTER_A_CONTRACTION), Stopped (HEART_TIME <= HEART_ALLOWED_STOP_TIME), FLATLINE, S_IDLE; entry via enter_S_in_X_via_A? / enter_S_in_X_via_V?; edges guarded by HEART_TIME == HEART_DELAY_AFTER_A_CONTRACTION, HEART_TIME == HEART_DELAY_AFTER_V_CONTRACTION, HEART_TIME == HEART_ALLOWED_STOP_TIME, V_listening == 0 / V_listening == 1 (VentricularChamberSense!), each resetting HEART_TIME := 0; exit via xtSgnl_NR_5? from every location.

Outer superstate S_ACTIVE_in_X: locations X_IDLE, X_AUX_S_V, X_AUX_S_A, CONNECT_A, CONNECT_V; synchronizations enter_S_in_X_via_V!, enter_S_in_X_via_A!, enterTop?, APace?, VPace? (each with HEART_TIME := 0) and xtSgnl_NR_5!.


SLIDE 17

Communication Conflict

Figure: locations A, B with synchronizations c! / c? become A, B with c_1! / c_2?.

  • cannot keep c
  • cannot remove c
  • rename c inside, rename c outside
  • modify other transitions: either choose one of c_1, c_2, or duplicate the transition (allow both)


SLIDE 18

Model-Checking a Pacemaker

Figure: the three components of the pacemaker model.

Human Heart: as on slide 16.

Pacemaker: modes Off, Inhibited, Triggered, AVI, Ventricular, Atrial, Idle with locations Waiting, Pacing, Refractory, A_Pacing, Sensed; mode changes on ToOff?, ToOn?, ToTriggered?, ToInhibited?, ToAVI?, ToIdle? (resetting t := 0); pacing and sensing via APace!, APace?, VPace!, VPace?, V_Sense!, V_Sense?, RefractDone!, RefractDone?, sense?; timing guards t == Pulse_Width, t == senseTime, t == RefTime, and x <= 0 / x := 0 on committed steps.

Medic (programmer): locations Idle, Random, Modeswitch, ModeswitchDelay (invariant PROGRAMMER_TIME <= MODE_SWITCH_DELAY), IDLE; commands commandedOn!, commandedOff! (guarded by ALLOW_SWITCH_OFF == 1), toInhibited!, toTriggered!, toAVI!, toIdle!, each with PROGRAMMER_TIME := 0, triggerVar1 := triggerVar1 - 1; entry via PrgrmmrMdswtchENTRYtrprgrmmrsm3?, PrgrmmrRdmENTRYtrprgrmmrsm3?, PrgrmmrIdlENTRYtrprgrmmrsm3? and xtSglNR3?, adjusting triggerVar1; delay guard PROGRAMMER_TIME == MODE_SWITCH_DELAY.


SLIDE 19

Flattening of the Pacemaker Model

                                       HTA model   UPPAAL model
  # XML tags                                564           1191
  # proper control locations                 35             45
  # pseudo-states / committed locations      33             63
  # transitions                              47            177
  # variables and constants                  33             72
  # formal clocks                             6              6


SLIDE 20

Model-Checking the Pacemaker

DEADLOCK: possible (if the heart stops)

SAFETY: a safety formula, only true for a ’good’ medic

LIVENESS: a liveness formula


SLIDE 21

Model-Checking the Pacemaker

DEADLOCK: possible (if the heart stops)

SAFETY: a safety formula, only true for a ’good’ medic

LIVENESS: a liveness formula

Parameters: a table of constant settings for the model.

E.g. for one such parameter setting, the safety formula is violated.


SLIDE 22

Related Work

  • Variations of the statechart formalism: e.g., in 1994, von der Beeck lists 21 different statecharts and distinguishes them by 26 criteria
  • Timed extensions of statecharts: e.g., the work of Kesten/Pnueli, Petersohn, and others
  • UML profile for Schedulability, Performance and Time: general time model, both discrete and continuous; no progress notion with invariants
  • Realizations of UML that extend the standard: e.g., the Rhapsody tool has timers


SLIDE 23

Our Formalism in the European WOODDES Project

Workshop for Object-Oriented Design and Development of Embedded Systems

Partners: PSA, Mecel, CEA, I-Logix, Intracom, Offis, Uppsala, Aalborg

Objectives:
  • UML Real-Time profile
  • WOODDES methodology & tool platform

Figure: the AIT-WOODDES tool platform. Tools owned by project partners (Rhapsody, Objecteering, TAU / ObjectGeode, TAU / UML Suite, Rational Rose, Accord, Test Composer, Agatha, UPPAAL model checker) around a common repository; model exchange via XMI, public APIs and an internal exchange format; activities: analysis, design, simulation (V&V), code generation, test generation.


SLIDE 24

Conclusions & Future Work

Status:
  ✔ XML grammar
  ✔ semantics
  ✔ flattening

Future Work:
  • formal proof of the semantic correspondence
  • implementation of a hierarchical editor
  • integrate HTAs in the UPPAAL tool


SLIDE 25

References

[AD94] R. Alur and D. L. Dill. A Theory of Timed Automata. Theoretical Computer Science, number 125, 1994.

[vdB94] Michael von der Beeck. A Comparison of Statechart Variants. In de Roever, Langmaack and Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 128–148. Springer-Verlag, 1994.

[D99] Bruce Powel Douglass. Real-Time UML, Second Edition: Developing Efficient Objects for Embedded Systems. Addison-Wesley, 1999.

[DM01] Alexandre David and M. Oliver Möller. From Hierarchical Timed Automata to UPPAAL. Research Series RS-01-11, BRICS, Department of Computer Science, University of Aarhus, March 2001.

[OMG] Unified Modeling Language, version 1.4. Download from http://www.omg.org

[WOODDES] WOODDES web page: http://wooddes.intranet.gr
