Transcript ｽﾗｲﾄﾞ ﾀｲﾄﾙなし - Norsk Regnesentral

Specification and Verification
of Hierarchical Reactive Systems
Xiaosong Lu
Togashi Laboratory
Department of Computer Science
Shizuoka University
Ａｐｒｉｌ 1999
Introduction
*
*
*
*
*
*
*
Research Background and Objective
System Properties and Requirements
Formal Specifications
Soundness and Completeness
Synthesis of Formal Specifications
Compositional Verification
Reflection
Related Work
* Statecharts (Modechart, RSML)
* Visual Formalism
* State Hierarchy and broadcast communication
* SDL: Communicating finite-state machines
* Petri Net: Event-driven, one-level concurrency
* CCS, CSP: algebraic nature, recursion, nested
concurrency, naming, channel communication ...
Research Objective
* A New Methodology for Reactive Systems
* System requirements: Declarative language
* Formal specifications: Hierarchical state
machines
* A Flexible Development Environment
* Stepwise Refinement
* Reflection
* Automatic Synthesis and Verification
* Support of Modularity and Reusability
System
Overview
Present system
Requirement
Acquisition
System
Requirements
Synthesis
System
Verifier
Simulator
Formal
Specifications
Compiler
Programs
Reflection
System
Hierarchical System Properties
* SPS = < P, L, D, L0 >
*
*
*
*
P: all atomic propositions
L: partition of P
D⊆L×L: partial order relation
L0: topmost level propositions
SPS of a Radio/Tape Player
Lo
On
P
Radio, Tape
D
Stereo
L
Am, Fm
Play, Pause
Function Requirement
* ρ = < id, a, fin, o, fout >
*
*
*
*
*
id: name
a: input symbol
fin: pre-condition
o: output symbol
fout: post-condition
Power
* Power on : ￢On ⇒ On :
* < Power on, Power, ￢On, , On >
System Requirement Module
* A Requirement Module of the Player
* RM = < id, F, γ0, B, Σ, O, TF >
Power
Name γ0
RM1 ￢On
B
Σ
Power
Power
Power
￢On ⇒ On, On ⇒ ￢ On
TF : Temporal logic formulae
Ο
Other Requirement Modules
Radio/Tape
RM2 Radio
On
RT
RT
RT
Radio ⇒ Tape, Tape ⇒ Radio
TF : Temporal logic formulae
Stereo
RM3
On
S
Stereo
S
S
Stereo ⇒ ￢ Stereo, ￢ Stereo ⇒ Stereo
TF : Temporal logic formulae
Other Requirement Modules
Tape
RM4
Play
Pause
Tape
PL,PA
Stop
￢Play ⇒ Play
PA
Play∧￢Pause ⇒ Pause, Play∧Pause ⇒ ￢Pause
Play⇒ ￢ Play∧￢Pause
(TF : Temporal logic formulae)
Radio
RM5
Am,Fm
Radio
AF
Am ⇒ Fm, Fm ⇒ Am
(TF : Temporal logic formulae)
System Requirement
* R = < RM, RM0, ＞, C >
* System Requirement of the Player
＞
RM1 - Power
RM2 - Radio/Tape
RM5 - Radio
RM0
RM3 - Stereo
RM4 - Tape
State Transition Module
* TM = < id, Q, Σ, O, →, q0, B >
* A State Transition Module of the Player
Σ
Power
q0
Power
￢On
→
Q
On
Power
Formal Specification
* M = < TM, 》, TM0 >
* TM: state transition modules
* 》: partial order relation of state transition
modules
* TM0⊆TM: initial state transition modules
Formal Specification of the Player
TM0
Power
￢On
Power
》
On
S
Stereo
S
RT
Radio
RT
Tape
￢Play∧￢Pause
PL
AF
Am
Fm
AF
￢Stereo
Play∧￢Pause
PA
Stop
PA
Play∧Pause
Stop
Sub-states, Sub-transition, Default
TM0
Power
￢On
Power
Default(On)
》
On
S
Stereo
S
RT
Radio
RT
Tape
Substates(Tape)
￢Play∧￢Pause
PL
AF
Am
￢Stereo
Fm
AF
Sub-transition(Radio)
Play∧￢Pause
PA
Stop
PA
Play∧Pause
Stop
Global Behavior of the Player
Power
￢On
Power
On
Stereo
Radio
RT
Tape
￢Play∧￢Pause
PL
Am
Play∧￢Pause
Global Transition System
S
Stereo
S
Power
￢On Power
Power
On, Radio
Power
Am
Power
RT
AF
RT
AF
On, Radio
RT
Fm
On, Tape
￢Play,￢Pause
RT
Stop
PL
Stop
Power
On, Tape
On, Tape
PA
Play,Pause
Play,￢Pause
PA
￢Stereo
Soundness
* Transition ├ Function Requirement
* Transition Module ├ Requirement Module
* Formal Specification ├ System Requirement
Completeness
* M is Complete w.r.t. R
* M is sound w.r.t. R
* ∀sound M’ w.r.t. R,
* ∃homomorphism ξ: M’→M
* Standard System of R
* sound
* complete
* unique
Synthesis of Formal Specification
* Synthesis System
*
system
requirement
module
State
transition
module
System
Requirement
Formal
Specification
* Theorem on Synthesis:
* The derived system is standard.
Compositional Verification
* Verification of Linear-time Properties
* reachability analysis
* liveness, fairness and safeness verification
* trace analysis
* Verification with Branching-time Logic
* TCTL
* partial model checker
* further discussion
Reachability Analysis
* Bottom-up Algorithm
* Time Complexity: O(|T|・logs|M|)
3. Until initial
module reached
[On]
Power
2. Find upper
module, analyze
[Tape]
Radio/Tape
Stereo
Radio
Tape
1. Analyze local
reachability
[Play, Pause]
Liveness, Fairness, Safeness
* Liveness: every state is in a circle
* local liveness
* upper state liveness
A
D
B
C
A
D
B
C
A
D
B
C
* Fairness: strongly connected
* initial module local fairness
* all states reachable
* Safeness: absence of deadlock
* deadlock detection
Branching-time Logic: TCTL
* Syntax
* p, a, o are TCTL formulae
* ￢f1, f1∧f2, AXf1, EXf1, A[f1Uf2], E[f1Uf2] are
TCTL formula
* f ＼P, f ＼A, f ＼O are TCTL formulae
* Trace-based Semantics
Partial Model Checker
* Partial verification
* hierarchical structure based
* sequential portion of formal specification
* any level specification
* Partial Model Checker
* obtain list of all subformulas of f to be verified
* label states with formulas on the hierarchical
structure
* backwards search for EX and EU
Further Discussion on Verification
* Compositional Verification with Proof
* Compositional Minimization
* Symbolic Model Checking
Reflection
* Transition Addition/Deletion/Modification
* State Addition/Deletion
* Nonexecutable Function Detection
System
Requirement
Formal
Specification
Conclusion
* A Methodology for Specification and
Verification of Reactive Systems
* Future Work
* Real-time, Predicate logic
* Extensions on compositional verification
* An integrated support environment