Post on 03-Jan-2016
description
1
Checking Interaction Checking Interaction Consistency in MARMOT Consistency in MARMOT Component RefinementsComponent Refinements
Yunja Choi
School of Electrical Engineering and Computer Science
Kyungpook National University
2
OverviewOverview
MARMOT methodologyComponent and refinements
Interaction consistency A general framework for consistency checkingCase example
Model checking elevator system
Performance improvement through abstraction Discussion
3
MARMOT MARMOT MethodologyMethodology
Branched from KobrA by Atkinson et. alDesigned for the development of embedded systems
High quality system through systematic, structured developmentComponents are the focus of entire development process
Tree-structured hierarchy of components Flexibility and reuse of components
5
MARMOT Component MARMOT Component Statecharts
Class Diagram
OperationSchemata
Class DiagramSequenceDiagram
ObjectDiagram
(Architecture)
Specification
Realization
Refined componen
t
Refining componen
t
6
Recursive Recursive DevelopmentDevelopment
SpecificationRealization
Identification
Kpt A
Kpt B
Kpt D
Kpt C
ComponentReuse
COTS Component
7
Example: elevator Example: elevator systemsystem
maintenance(from Context)
<<role>>
Help_Center
notify()
(from Context)
elevator_service
move(Up, Down)callhelp()start()stop()
main_service(from Context)
floor(from Context)elevator_context
current_positionelevator_statusdoor_statusmoving_direction
move()selectFloor()hold()close()help()startElevator()stopElevator()
supporting_service(from Context)
request_for_moving
entry/ floor::location := CHOOSE { 1..5 }exit/ Call Elevator_Context::move(floor::location)...
[ Elevator_Context::elevator_status = Normal ]
get_into_elevator
[ Elevator_Context::current_position = floor::location and Elevator_Context::door_status = Open ]
hold_door
in_elevator get_out
select_destination
close_door
entry/ Call Elevator_Context::close()
[ else ]
[ Elevator_Context::current_position = user::destination and
Elevator_Context::door_status = Open ]
8
Specifying externally visible Specifying externally visible behaviorbehavior
Off Starting
Halt
operational
suspended
closing_door
holding_door
select_des
tination
Elevator_Context::moveElevator_Context::stopElevator / RETURN SUCCESS
Elevator_Context::move
Elevator_Context::close
Elevator_Context::hold
[ else ]
[ Elevator_Context::elevator_status
= Normal ] / RETURN SUCCESS[ Elevator_Context::elevator_status
= Abnormal ] / RETURN FAIL
Elevator_Context::startElevator()
ELSE_IGNORE
[ Elevator_Context::moving_direction = Halt ]
/ Elevator_Context::door_status := Open
Elevator_Context::selectFloor
Elevator_Context::callHelp
[ Elevator_Context::elevator_status
= Abnormal ]
[
Elevator_Context::elevator_
status = Normal ]
[
Elevator_Context::door_s
tatus = Open ]
[ Elevator_Context::door_status = Closed ]
Elevator_Context::hold[
Elevator_Context::door_
status = Open ]
9
Quality ControlQuality Control
MAMOT supports systematic identification and refinements of a component
the principle of “separation of concerns”: specification vs. realizationIterative decomposition and refinements
There can be many issues in consistencyStructural consistencyBehavioral consistency
Behavioral consistency between the realization of refined component and the specification of its refining components
10
Interaction Interaction ConsistencyConsistency
at ith refinement step, the realization of the refined component constrains the environment of the refining componentsA system is consistent with its environment in its behavior if it either terminates normally or runs infinitely under the infinite sequence of stimuli generated from its environment
A system is inconsistent with its environment in its behavior if it terminates abnormally under the infinite sequence of stimuli generated from its environment
11
Process modelProcess model
A component and its environment are specified as two processes P and E, where each of them is represented as a labeled transition system (Sp, Lp, Rp, Ip, Tp) and (Se, Le, Re, Ie, Te)A restricted form of process composition of P and E is defined as P↑E = (Sp× Se, Lp∪ Le, Rp× Re, Ip× Ie, Tp× Te) where
12
Consistency ModelConsistency Model
external internal
external internal
behavior
attribute
operation
structure
external internal
external internal
behavior
attribute
operation
structure
component
component
+refined
+refining
component model at i_th level
component model at (i+1)_th level
component model at (i-1)_th level
A compositonal process forming an environment
Process P_1 from refining component 1
Process P_2 from refining component 2
Process P_i from refining component i
actions generated by the environment change of states
consistency model
13
Formal definitionsFormal definitions
TerminationTerminate(P(s))↑E : P terminates to a state s that belongs to the pre-defined set of terminal states T under the environment EP(s) ∧ s ∈T, If P is a compositional process, P = P1∥ P2∥.. ∥ Pn
Terminate(P(s)) ↑E if and only if ∀i, Terminate(Pi(si)) ↑Ei , where Ei = E ∥ P1∥ P2∥.. Pi-1 ∥ Pi+1 ∥ … ∥ Pn
14
Formal definitionsFormal definitions
ProgressivenessProgress(P(s)) ↑E : eventually, there is a transition out of the state s under the environment E
Interaction ConsistencyConsistent(P(s)) ↑E = Terminate(P(s))↑E ∨ Progress(P(s)) ↑E
15
Model checking Model checking consistencyconsistency
Based on the exhaustive search of system state-spaceFully automated
SPIN: invalid-endstate checkingSMV: we can formulate the consistency property in temporal logic and use model checker to verify it
Provide counter-examplesNeed translation to PROMELA or SMV input language
A number of translation approaches are available
16
model checking consistencymodel checking consistency- Framework -- Framework -
consistency model
original model
UML model (tool & version
dependent)
model in xml format
UML 2.0. metamodel library
UML abstract syntax tree (tool
& version independent)
SMV metamodel library
XMI export
generate abstract syntax
tree
xml DTD/Schema
mapping
JDOM
PROMELA metamodel library
PROMELA consistency
model
UML-to-SMV translation
UML-to-PROMELA translation
SMV consistency
model
17
Consistency Model in Consistency Model in PROMELAPROMELA
/* message channel */chan event = [10] of {mtype, byte};
/* cabin statechart */active proctype cabin(){ mtype signal ; byte param; byte location;
non_operational : do :: event[0]?[eval(cabin_start)] -> event?signal,param; goto ready; od; ready: do :: event[0]?[eval(cabin_getDestination)] -> event?signal,param; destination = param; if :: destination < location -> goto moving_down; :: destination > location -> goto moving_up; fi; :: event[0]?[eval(cabin_help)] -> event?signal,param; goto emergency; :: event[0]?[eval(cabin_stop)] -> event?signal,param; goto non_operational; od; moving_down: ... moving_up: ... emergency: ... end_state: skip;
}
/* representing the composition of action systems */active proctype env(){ bool started =0; initial_state: start_activity(); started = 1;
operational: /* non-deterministic invocation of actions */ do :: 1 -> moveup(); :: 1 -> wait(); :: 1 -> movedown(); :: 1 -> stop(); :: 1 -> terminate(); started = 0; break; :: 1 -> help_activity(); od; goto initial_state;}
inline moveup(){ event!moveUp,0; event!getLocation,0;
CabinArrived; event!cabin_getDestination,destination; event!controller_getDestination,destination;
event!moveCabin,0; DestinationReached; }
18
Performance issuePerformance issue
Model Search depth States Transitions Memory Time
elevator1 422,314 3e+06 6e+06 106.62 M 2 min.
elevator2 (e) 999,999 7e+07 1.5e+08 540.8 M 24 min.
elevator0 1,040 1,053 1,377 5.5 M < 1 min.
1,999,999 1.5e+08 2.3e+08 614.1 M 42 min.elevator2 (b)
19
Abstraction Abstraction techniquestechniques
Trigger-based abstractionAbstract the environment so that it contains all the transitions generating a triggering event for the process P, and all the transitions from the initial state leading to the transition
Transition reduction collapse several transitions into one if the intermediate transitions do not generate triggering actions for the process P
s0 s1 s2 si Si+1
ti /ai
s0 si Si+1
ti /ai
20
Performance Performance ImprovementImprovement
Model Search depth States Transitions Memory Time
elevator3 (e) 250,388 5e+06 1.2e+07 210.4 M 4 min.
elevator3 (b) 277,059 7e+06 1.7e+07 287.4 M 4 min.
elevator5 (e) 402,022 8e+06 2.6e+07 626+ M 8 min.
elevator5 (b) 3,460,587 3.8e+07 1.2e+08 505 M 23 min.
21
DiscussionDiscussion
Formal methods can be effective and useful when integrated into development process
Our work focuses on the seamless integration
There are a number of existing works on UML consistency, refinements, CBD methodology, and the use of model checking
However, they mostly focus on one of the issues separately.Hardly any of the earlier works concerns on performance issue when using model checkingEnvironment constraints have been manually identified in the previous works
More investigation is needed on optimization and automation
Translation and abstraction
22
Thank you!