towards the analysis of xuml models using an smt solver
play

Towards the analysis of xUML models using an SMT solver Osmar - PowerPoint PPT Presentation

Feb 16, 2023 •295 likes •657 views

Towards the analysis of xUML models using an SMT solver Osmar Marchi dos Santos Jim Woodcock Richard Paige Department of Computer Science The University of York Summary The INESS Project Towards the use of an SMT solver xUML

  1. Towards the analysis of xUML models using an SMT solver Osmar Marchi dos Santos Jim Woodcock Richard Paige Department of Computer Science The University of York

  2. Summary  The INESS Project  Towards the use of an SMT solver  xUML models of Interlockings  Translation strategy  Next steps

  3. The INESS Project  IN tegrated E uropean S ignalling S ystem (INESS) – Integration of different signalling systems within Europe  Led by the U nion I nternational des C hemins de Fer (UIC) – Composed of 30 different partners from Industry and Universities

  4. The INESS Project “With INESS, the trains will be able to cross all the borders in Europe without any trackside compatibility interference, something which has not been possible until now, particularly considering the various different national signalling systems”

  5. The INESS Project  Define a common core of properties for the different signalling systems within Europe and explore from a functional point-of-view  Define models of this integrated system – Notion of (executable) specification – Defined in Executable UML (Artisan xUML tool) – Models can be analysed via simulation (Cassandra tool)

  6. The INESS Project (Universities)  Only simulation is available, Universities to provide strategies that enable the formal analysis of xUML models  Universities include: – University of York – LaQuSo  Technical University of Eindenhoven  University of Twente – University of Southampton

  7. The INESS Project (Universities)  Generate code (or specification) that is suitable for formal verification – Input to a formal verification analysis tool  Different formal verification languages/tools – PROMELA (York) – µ CRL2 (LaQuSo) – UML-B (Southampton)

  8. The INESS Project (Universities)  Formal verification strategy – Next talk in terms of µ CRL2 xUML model of the Translates to Obtain signalling system formal verification scenario verification code results Verification results in terms of xUML (depends on how properties of interest can be formalized and represented at the correct level)

  9. Towards the use of an SMT solver  Initial translation to PROMELA (SPIN model checker) was defined – Published at FMCO last year  Simple interlocking scenarios lead to state- explosion problems using model checking – Nevertheless, interesting verification results were obtained using µ CRL2 (third INESS talk)

  10. Towards the use of an SMT solver  Scalability issues will arise – A large xUML model of an interlocking is composed of dozens of components  Try to use new technologies for analysing concurrent software – Initial focus on automated theorem-proving (using an SMT solver)

  11. Towards the use of an SMT solver  Look at languages that could be used to automatically generate input to an SMT solver  In particular, the use of Microsoft technology – State-of-the-art SMT solver (Z3) – SPEC# language being automatically translated

  12. Towards the use of an SMT solver (SPEC# overview)  Extends C# with contracts – Pre-conditions ( requires ) – Post-conditions ( ensures )  Definition of assertions over the program and loop invariants

  13. Towards the use of an SMT solver (SPEC# overview)  Provides a modular verification strategy – Only parts of the code that have been specified with pre/post-conditions are analysed – Analysis is generic  Run-time checking is also supported – Like simulation, by executing the application

  14. Towards the use of an SMT solver (SPEC# overview)  The verification works by: – Translating code to Boogie (intermediate language) – Use Boogie to generate the Z3 model and analyse  We would like to encode xUML in Boogie/Z3

  15. xUML models of Interlockings  Use of class diagrams and state machines – Every class diagram has an associated state machine – Inheritance is allowed  State machines describe the behaviour of the associated class

  16. xUML models of Interlockings (Class diagrams)  Constructs used include, for instance: – Declaration of simple types, like integers – Declaration of derived attributes – Use of references  Derived attributes allows to track the behaviour of different object states (defined by the state machine)

  17. xUML models of Interlockings (Class diagrams)  For example, use of keywords like “forall” and “exists” in the definition of derived attributes: – Where the state(s) of one or more objects should be in a particular location (forall) – Where the state(s) of at least one object should be in a particular location (exists)

  18. xUML models of Interlockings (Class diagrams)  Simple example of a (toy) Micro Interlocking:

  19. xUML models of Interlockings (State machines)  Transitions include: – Signal transitions – Time transitions (can be seen as non- deterministic choices, following the notion of time in the Cassandra simulator being used) – Change transitions (“when” expressions, that can use combinations together with derived attributes)

  20. xUML models of Interlockings (State machines)  States include: – Initial and simple – Composite (sequential and concurrent)  States can include actions ( enter and exit )  Transitions as well

  21. xUML models of Interlockings (State machines)  Since inheritance is supported, different state machines could be executing concurrently  With respect to execution, a special “application” class (with associated state machine) is used – Actions are used to create the analysis scenario – There is no dynamic creation of objects

  22. xUML models of Interlockings (State machines)

  23. xUML Models of Interlockings (Behaviour) Considering the transitions, the behaviour in the Cassandra simulator is defined as follows: Whilst “change transitions” (“when” expressions) are enabled in the model, execute change transitions If no “change transition” is enabled, execute “signal transitions” or “time transitions” (one at a time, since new “change transitions” may become enabled – due to the change of state in a different object)

  24. Translation Strategy  Initial work considered the generation of executable code in terms of SPEC#  For instance, every UML class would become a SPEC# class  Objects would be translated to threads and transitions would become methods (with pre and post conditions)

  25. Translation Strategy  For instance, a transition would be defined as follows (over variables defined in the class): public void transition_idle_to_preparing() requires route_state == STATE.idle; ensures route_state == STATE.active; ensures route_state_active == STATE.preparing; { // Actions (send messages, change state) }

  26. Translation Strategy  However, SPEC# does not take into consideration the execution of the threads for the verification  Instead, run-time checks with simulation could be used

  27. Translation Strategy  In order to use the verification, we started focusing on building a simulation mechanism  Every object becomes a simulation object  Like in bounded verification, we want to be able to analyse the possible interactions within N steps (in a loop)

  28. Translation Strategy  Approach does not work, since loops in SPEC# need loop invariants  And the way loops are translated to Boogie do not maintain the execution sequence

  29. Translation Strategy  Current approach we are looking at uses the notion of Context-Bound Analysis (CBA) (by Qadeer and Wu 2004; Lal and Reps 2009)  Focuses on the idea of generating a sequential model that incorporates the concurrent behaviour of the model

  30. Translation Strategy  CBA has gained attention in recent years, due to its use with SMT solvers  Analysis of the model is done within K steps, which also describe the possible context- switches (interactions) of the system

  31. Translation Strategy  We are adopting the following translation strategy: – Build a simulator, where each object becomes a component and states are defined globally – The random type in SPEC# is used to introduce non-determinism for selecting context-switches – The K execution steps are NOT implemented inside a loop construct

  32. Translation strategy  A structure like this follows: object_n = rnd.Next(); MESSAGENAME msg; if (step < K) { if (object_n == route1) { if (state_space[route].route_state == STATE.idle) { // Do actions // Other transitions; other objects

  33. Translation strategy  Still working on how to deal with the priority given by the simulator regarding change transitions and how to encode efficiently the state space of the application – Because memory is shared, dealing with complex constructs, like “forall” and “exists”, found in the Interlocking models are easier to handle (compared to message passing)

  34. Next steps  Finish implementing the current proposed translation and generate example for the Micro Interlocking  Look at other CBA approaches in the literature and how they can be implemented – Reducing the number of context-switches – Applying other optimisations

  35. Next steps  Compare results between: – Different CBA approaches – Against model checking  Test scalability of the work  Eventually provide a translation from xUML models directly in terms of Boogie or Z3

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Why Should You Care? Writing a CSP Solver in Understanding how the solver works 3 (or 4) Easy

Why Should You Care? Writing a CSP Solver in Understanding how the solver works 3 (or 4) Easy

Why Should You Care? Writing a CSP Solver in Understanding how the solver works 3 (or 4) Easy Lessons makes better models. Christopher Jefferson Minion already imposes this on you, University of Oxford through its low-level input

598 views • 27 slides
a project by Approach I: Model-based computing time reduction Solver parameters Solver-based

a project by Approach I: Model-based computing time reduction Solver parameters Solver-based

Methods to reduce computing times of linear energy system optimization models IAEE 2019, Ljubljana Yvonne Scholz , Karl Kin Cao, Manuel Wetzel, Kai von Krbek DLR German Aerospace Center, Department of Energy Systems Analysis Daniel

594 views • 22 slides
with the 3D solver OpenFOAM - A comparison of different electromagnetic models - Isabelle

with the 3D solver OpenFOAM - A comparison of different electromagnetic models - Isabelle

IIW Annual Assembly 2011 SG212: the physics of welding Electric welding arc modeling with the 3D solver OpenFOAM - A comparison of different electromagnetic models - Isabelle Choquet, Alireza J. Shirvan, and Hkan Nilsson University

1.47k views • 81 slides
Adjoint Solver Workshop Why is an Adjoint Solver useful? Design and manufacture for better

Adjoint Solver Workshop Why is an Adjoint Solver useful? Design and manufacture for better

Adjoint Solver Workshop Why is an Adjoint Solver useful? Design and manufacture for better performance: e.g. airfoil, combustor, rotor blade, ducts, body shape, etc. by optimising a certain characteristic CFD has the capability to explore

426 views • 24 slides
KY 1 Engineering 10 San Jose State University Solver The Solver is intended primarily for

KY 1 Engineering 10 San Jose State University Solver The Solver is intended primarily for

KY 1 Engineering 10 San Jose State University Solver The Solver is intended primarily for solving constrained optimization problems. For example, the goal could be to minimize the amount of material used to make the can while keeping the

209 views • 18 slides
Kodkod: A Constraint Solver for Relational Logic Emina Torlak LaSh 2010 Edinburgh, UK

Kodkod: A Constraint Solver for Relational Logic Emina Torlak LaSh 2010 Edinburgh, UK

Kodkod: A Constraint Solver for Relational Logic Emina Torlak LaSh 2010 Edinburgh, UK July 15, 2010 A constraint solver for software engineering Alloy4 Miniatur design code Karun analysis checking MemSAT ExUML Analyzer

987 views • 83 slides
SAT Solver as coNP Solver Beyond Resolution Norbert Manthey International Center for

SAT Solver as coNP Solver Beyond Resolution Norbert Manthey International Center for

SAT Solver as coNP Solver Beyond Resolution Norbert Manthey International Center for Computational Logic Technische Universit at Dresden Germany Motivation Propositional Logic and Satisfiability Proof Theory and SAT Solving

640 views • 49 slides
Side Channel Analysis Using a Model Counting Constraint Solver and Symbolic Execution Tevfik

Side Channel Analysis Using a Model Counting Constraint Solver and Symbolic Execution Tevfik

Side Channel Analysis Using a Model Counting Constraint Solver and Symbolic Execution Tevfik Bultan Computer Science Department University of California, Santa Barbara (UCSB) Joint work with: Abdulbaki Aydin, Lucas Bang, UCSB Corina

1.1k views • 91 slides
Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014, Vienna, 17 July 2014 Dynamic Symbolic Execution Automated program analysis technique that employs an SMT solver to systematically explore paths

503 views • 39 slides
STA 214: Probability &amp; Statistical Models STA 214: Analysis of Statistical Models

STA 214: Probability &amp; Statistical Models STA 214: Analysis of Statistical Models

STA 214: Probability &amp; Statistical Models STA 214: Analysis of Statistical Models Probability/Statistical Models: Theory prob/math stats Simulation samples of y ( | ) p y Statistical analysis: Computation: Likelihood

250 views • 11 slides
- Poisson CCD22 solver by Craig Lage https://github.com/craiglagegit/Poisson_CCD22 Low-level

- Poisson CCD22 solver by Craig Lage https://github.com/craiglagegit/Poisson_CCD22 Low-level

Documenting and validating imSim sensor models Sergey Karpov Institute of Physics, Czech Academy of Sciences Sensor Characterization, Analysis and Simulation Aug 14, 2018 #lsst2018 #lsst2018 LSST Project and Community

641 views • 16 slides
Implementation of multiple deltaTs for the multi-region solver based on chtMultiRegionFoam Yuzhu

Implementation of multiple deltaTs for the multi-region solver based on chtMultiRegionFoam Yuzhu

Outline Introduction The chtMultiRegionFoam solver Loop modification Test the new solver Pressure coupled B.C. Summary and Implementation of multiple deltaTs for the multi-region solver based on chtMultiRegionFoam Yuzhu Pearl Li Department

757 views • 38 slides
Systerel Smart Solver Forum Mthodes Formelles October 2014 S3 S3 for C Systerel Smart Solver

Systerel Smart Solver Forum Mthodes Formelles October 2014 S3 S3 for C Systerel Smart Solver

Systerel Smart Solver Forum Mthodes Formelles October 2014 S3 S3 for C Systerel Smart Solver S3 for Scade cS3 for Scade 2 Systerel Smart Solver Family of Model Checking solutions SAT based largely automatic

348 views • 6 slides
Automatic Solver Configuration and Solver Portfolios Meinolf Sellmann IBM Research Watson AI

Automatic Solver Configuration and Solver Portfolios Meinolf Sellmann IBM Research Watson AI

Automatic Solver Configuration and Solver Portfolios Meinolf Sellmann IBM Research Watson AI for Optimization Why Tune Algorithms? Develops Pretunes Expert Documents Parameters Algorithm Tune Instances Users AI for Optimization CP

1.15k views • 82 slides
precise solver for chemical ODEs Fan Feng, Zifa Wang GTC 2016 San Jose, USA, 04-07 Apr. 2016

precise solver for chemical ODEs Fan Feng, Zifa Wang GTC 2016 San Jose, USA, 04-07 Apr. 2016

NVIDIA Technology Center MBE --- A GPU-based, fast, robust and precise solver for chemical ODEs Fan Feng, Zifa Wang GTC 2016 San Jose, USA, 04-07 Apr. 2016 Contents Motivation of MBE solver Introduction of MBE solver

591 views • 19 slides
Growing Solver-Aided Languages with ROSETTE Emina Torlak &amp; Rastislav Bodik U.C. Berkeley

Growing Solver-Aided Languages with ROSETTE Emina Torlak &amp; Rastislav Bodik U.C. Berkeley

Growing Solver-Aided Languages with ROSETTE Emina Torlak &amp; Rastislav Bodik U.C. Berkeley solver-aided domain-specific language Solver-aided DSL (SDSL) Noun 1. A high-level language in which partially implemented programs can be executed

910 views • 62 slides
Machine Learning Climate Model Dynamics: Offline versus Online Performance Noah Brenowitz,

Machine Learning Climate Model Dynamics: Offline versus Online Performance Noah Brenowitz,

VULCAN CLIMATE MODELING Machine Learning Climate Model Dynamics: Offline versus Online Performance Noah Brenowitz, Brian Henn, Jeremy McGibbon, Spencer Clark, Anna Kwa, Andre Perkins, Oli Watt-Meyer, Chris Bretherton Climate models help

406 views • 15 slides
Cornerstone interlocking blocks for unique childrens forts 6 ? Customer Need No

Cornerstone interlocking blocks for unique childrens forts 6 ? Customer Need No

ORANGE B Cornerstone interlocking blocks for unique childrens forts 6 ? Customer Need No large-scale childrens blocks use a physical interlocking mechanism No current methods to press fit blocks at multiples of 30 degrees

297 views • 7 slides
News of railML- Interlocking parts 24th meeting Susanne Wunsch railML.org Paris, September

News of railML- Interlocking parts 24th meeting Susanne Wunsch railML.org Paris, September

Outline Interlocking schema proposal Signal aspect integration Outlook End News of railML- Interlocking parts 24th meeting Susanne Wunsch railML.org Paris, September 18th, 2013 Susanne Wunsch railML.org News of railML- Interlocking

479 views • 9 slides
Segmentation of Objects in Images and Videos Alexandre X. Falc ao and Thiago V. Spina

Segmentation of Objects in Images and Videos Alexandre X. Falc ao and Thiago V. Spina

Introduction Region and Bounday-Based Segmentation using IFT A Comparison Between IFT and Min-Cut/Max-Flow Fuzzy Object Models and Video Segmentation Segmentation of Objects in Images and Videos Alexandre X. Falc ao and Thiago V. Spina

1.45k views • 124 slides
More Abstrac,on Laurent Voisin, Systerel 2-6 July 2012, Dagstuhl AI Meets

More Abstrac,on Laurent Voisin, Systerel 2-6 July 2012, Dagstuhl AI Meets

More Abstrac,on Laurent Voisin, Systerel 2-6 July 2012, Dagstuhl AI Meets Formal Software Development 1 About Systerel So6ware development Embedded Safety-cri,cal

222 views • 10 slides
presents docsoc.co.uk/education for all resources Some errors have been fixed Feedback

presents docsoc.co.uk/education for all resources Some errors have been fixed Feedback

presents docsoc.co.uk/education for all resources Some errors have been fixed Feedback form is now correct I will be posting code examples too jackel119/python102 on GitHub Classes and Objects: Person Class A class has

506 views • 40 slides
Synchronization Prof. Sirer and Van Renesse CS 4410 Cornell University Threads share global

Synchronization Prof. Sirer and Van Renesse CS 4410 Cornell University Threads share global

Synchronization Prof. Sirer and Van Renesse CS 4410 Cornell University Threads share global memory When a process contains multiple threads, they have n Private registers and stack memory (the context switching mechanism saves and

934 views • 78 slides
Andrew Brown September 29 th , 2015 Background We build integrated, secure, end-to-end telemetry

Andrew Brown September 29 th , 2015 Background We build integrated, secure, end-to-end telemetry

Andrew Brown September 29 th , 2015 Background We build integrated, secure, end-to-end telemetry and analytics solutions for the Internet of Things Intel Cloud HVAC energy sensors Analytics &amp; UI Customer Cloud We need a way to flexibly

319 views • 6 slides

More recommend