© Fachgebiet Softwaretechnik, Heinz Nixdorf Institut, Universität Paderborn
5.4 TCAS – Model Checking large scale software systems
Modellbasierte Softwareentwicklung 26.01.2015
2
TCAS
• Traffic Alert and Collision Avoidance System
• Planes crossing the USA with more than 10 people on board must be equipped with TCAS
• Integrated with other systems in the cockpit
• Informs pilots about the relative position and speed of other planes
• Alerts the pilot if other planes are coming too close (Traffic Advisory (TA))
• Gives evasive maneuvers (Resolution Advisory (RA))
⇒ Safety-critical program
3
Model Checking TCAS
W. Chan, R. J. Anderson, P. Beame, S. Burns, F. Modugno, D. Notkin, and J. D. Reese. 1998. Model Checking Large Software Specifications. IEEE Trans. Softw. Eng. 24, 7 (July 1998), 498-520.
4
RSML
• Requirement State Machine Language
• Statechart (after Harel)
[Figure: RSML statechart of Sys with the parallel regions Alt-Layer (states High, Mid, Low) and Alarm (states Operating, Shutdown; Operating contains Mode (On, Off) and Volume (1, 2)). Transitions shown:
t1: u[alt ≥ 9950]/w
t5: u[alt < 9950]/w
t2: u[1950 ≤ alt ≤ 10050]/w
t3: u[alt ≤ 2050]/w
t6: u[alt > 2050]/w
t4: u[alt > 10050]/w
t7: u[alt < 1950]/w
t8: u[switch=up]
t9: u[switch=down]
t10: w[c]
t11: w[¬in Low]
t12: v
t13: v
t14: u[switch=test]]
5
RSML
[Figure: the same statechart, with its state hierarchy drawn as a tree:
Sys
  Alt-Layer: High, Mid, Low
  Alarm: Operating, Shutdown
    Operating: Mode (Off, On), Volume (1, 2)]
6
RSML
Inputs from the environment:
• alt – variable holding the flight level
• switch – alert control
7
RSML
Synchronization by events:
• u – external event, raised periodically
• v – external event, raised if the pilot changes the volume
• w – internal event, used for internal synchronization
8
RSML
Transitions are written as Id: trigger[constraint]/action, e.g. t1: u[alt ≥ 9950] / w
9
10
RSML – Step Semantics
• Microstep: execute a maximal set of non-conflicting transitions. After the execution of a transition, all events that have not been generated (by that microstep) disappear.
• Stability: execute microsteps until no more transitions can be triggered by the generated internal events; after that the system is stable.
• Step: the sequence of microsteps from the arrival of the external events until the point where the system is stable.
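As an added illustration (not code from the lecture or from the paper), the following Python executes the microstep/stability/step semantics over a constructed two-region model that uses the slide's events u and w; the transition sources and targets, and reading the guard c of t10 as "in Low", are assumptions.

```python
from dataclasses import dataclass

# Constructed model (not the lecture's RSML figure): the Alt-Layer and Mode
# regions with the slide's events u (external, periodic) and w (internal).
# Transition sources/targets and the guard c of t10 (taken as "in Low") are assumptions.
@dataclass(frozen=True)
class Transition:
    tid: str
    region: str
    src: str
    dst: str
    trigger: str
    guard: object           # callable(state, env) -> bool
    action: str = None      # internal event generated when fired

TRANSITIONS = [
    Transition("t1", "Alt-Layer", "Mid", "High", "u", lambda s, e: e["alt"] >= 9950, "w"),
    Transition("t5", "Alt-Layer", "High", "Mid", "u", lambda s, e: e["alt"] < 9950, "w"),
    Transition("t3", "Alt-Layer", "Mid", "Low", "u", lambda s, e: e["alt"] <= 2050, "w"),
    Transition("t6", "Alt-Layer", "Low", "Mid", "u", lambda s, e: e["alt"] > 2050, "w"),
    Transition("t10", "Mode", "On", "Off", "w", lambda s, e: s["Alt-Layer"] == "Low"),
    Transition("t11", "Mode", "Off", "On", "w", lambda s, e: s["Alt-Layer"] != "Low"),
]

def microstep(state, events, env, transitions=TRANSITIONS):
    """Fire a maximal set of enabled, non-conflicting transitions (at most one
    per region); guards see the state before the microstep. Only the events
    generated in this microstep survive into the next one."""
    fired = []
    for t in transitions:
        enabled = t.trigger in events and state[t.region] == t.src and t.guard(state, env)
        if enabled and all(f.region != t.region for f in fired):
            fired.append(t)
    new_state, generated = dict(state), set()
    for t in fired:
        new_state[t.region] = t.dst
        if t.action:
            generated.add(t.action)
    return new_state, generated, [t.tid for t in fired]

def step(state, external, env, transitions=TRANSITIONS, limit=100):
    """A step: microsteps from the arrival of the external events until the
    system is stable (nothing fires). Returns the stable state and the trace."""
    events, trace = set(external), []
    for _ in range(limit):
        state, events, fired = microstep(state, events, env, transitions)
        if not fired:
            return state, trace
        trace.append(fired)
    raise RuntimeError("no stable state within limit (step termination violated)")
```

The `limit` guard is the executable form of the "Step Termination" property from the results table: a model whose internal events keep re-enabling transitions never reaches stability.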
11
Problems (1/2)
Due to TCAS II:
• Specification: 400-page document in RSML ⇒ only partly specified (30%, mostly Own-Aircraft)
• Only one other plane modeled
Due to BDDs:
• The range of numerical inputs must be bounded
• No efficient method for multiplication on BDDs
⇒ Abstraction needed
12
Problems (2/2)
Due to the SMV model checker:
• SMV works inefficiently on integers: BDDs of 200 MB size; one additional bit per variable: 10 h instead of 10 min runtime
• Uses an inefficient BDD representation for $X = Y$ with $X = x_{n-1}x_{n-2}\dots x_0$ and $Y = y_{n-1}y_{n-2}\dots y_0$:
  comparison as whole bit vectors: $x_{n-1}x_{n-2}\dots x_0 = y_{n-1}y_{n-2}\dots y_0$
  better: $x_{n-1} = y_{n-1} \land x_{n-2} = y_{n-2} \land \dots \land x_0 = y_0$
• Finding counterexamples takes much longer than the evaluation of the formula
13
Analysis Results: Function Consistence
Function Displayed-Model-Goal: case differentiation with 8 cases that must exclude each other.
[Figure: excerpt of the case table. Result values in slide order, labelled Case 1, 4, 5, 6, 7, 8: 0; 2500 ft/min; -2500 ft/min; Max(Own-Track-Alt-Rate, 1500 ft/min); Min(Own-Track-Alt-Rate, -1500 ft/min); Prev(Displayed-Model-Goal). Conditions shown: If New-Increase-Climb; If New-Increase-Descend; If Increase-Climb-Cancelled and …; If Increase-Descend-Cancelled and …; Otherwise]
Property checked:
AG (Composite-RA-Evaluated-Event -> !((Case-1 & Case-2) | (Case-1 & Case-3) | … | (Case-6 & Case-7)))
Analysis result: false. Reason: error in the abstraction.
14
Analysis Results: „Descend“/„Increase-Descend“ Prohibition
Requirements:
1. Flight level < 1000 ft ⇒ all descent commands are prohibited
2. Flight level ≤ 1450 ft ⇒ all commands increasing the descent rate are prohibited
Property checked for 2:
AG ((stable & Radio-Altimeter-Status = Valid & Own-Alt-Radio <= 1450) -> !Increase-Descend)
Analysis results:
1. True
2. False. Reason: the specification stated > instead of ≤
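Both the Function Consistence property above and this prohibition property are universal (AG) properties over bounded inputs, so they can be checked by plain enumeration. The following Python is an added example, not the paper's SMV model or the TCAS II specification: the case predicates and the RA logic are constructed toys, built so that the first check overlaps two cases and the second exposes a boundary comparison error at exactly 1450 ft.

```python
import itertools

# Constructed abstractions (added example; not the TCAS II specification or the
# paper's SMV model). Inputs are kept bounded, as BDD-based checking requires.
CASE_INPUTS = ("New-Increase-Climb", "New-Increase-Descend",
               "Increase-Climb-Cancelled", "Increase-Descend-Cancelled")

def dmg_cases(inp):
    """Toy case predicates of Displayed-Model-Goal. Constructed so that the
    'cancelled' cases do not exclude the 'new' ones (an abstraction error)."""
    nic, nid, icc, idc = (inp[k] for k in CASE_INPUTS)
    return {"Case-4": nic, "Case-5": nid and not nic,
            "Case-6": icc, "Case-7": idc and not icc,
            "Case-8": not (nic or nid or icc or idc)}

def prioritized(cases):
    """Repair: evaluate the cases in if/elif order so that at most one can hold."""
    def wrapped(inp):
        out, seen = {}, False
        for name, holds in cases(inp).items():
            out[name] = holds and not seen
            seen = seen or holds
        return out
    return wrapped

def check_function_consistence(cases, inputs=CASE_INPUTS):
    """AG !(Case-i & Case-j) for all i != j, by enumerating every input valuation.
    Returns (input valuation, (case_i, case_j)) as a counterexample, else None."""
    for values in itertools.product((False, True), repeat=len(inputs)):
        inp = dict(zip(inputs, values))
        active = [c for c, holds in cases(inp).items() if holds]
        if len(active) > 1:
            return inp, (active[0], active[1])
    return None

def increase_descend_allowed(own_alt_radio, radio_valid, guard):
    """Toy RA logic: with a valid radio altimeter, Increase-Descend is permitted
    only if the altitude guard holds (the guard models the spec's comparison)."""
    return (not radio_valid) or guard(own_alt_radio)

def check_prohibition(guard, limit=1450, alts=range(0, 3001, 50)):
    """AG ((Radio-Altimeter-Status = Valid & Own-Alt-Radio <= limit) -> !Increase-Descend)
    over a bounded altitude range. Returns the first violating altitude, else None."""
    for alt in alts:
        if alt <= limit and increase_descend_allowed(alt, True, guard):
            return alt
    return None
```

Passing `lambda alt: alt >= 1450` as the guard yields the counterexample 1450, while `lambda alt: alt > 1450` satisfies the property; the model checker's "False" for requirement 2 is exactly this kind of boundary witness.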
15
Analysis Result: Output Conformance
Two outputs carry instructions for the pilot: Displayed-Model-Goal (DMG) and Composite-RA (RA)
⇒ The outputs must conform to each other
Trace shown:
time     | event                                          | command
t0       | Second plane appears; instruction to descend   | DMG: ≤ -1500 ft/min, RA: Descend
t1 > t0  | Increase of descent rate necessary             | DMG: -2500 ft/min, RA: Increase-Descend
t1+1     | Climb increases safety more than descent       | DMG: -1500 ft/min, RA: Climb
Analysis result: False
16
Analysis Results
Property                        | Result | Time (sec) | BDD nodes | Memory (MB)
Generate Transition Relation    | N/A    | 46.6       | 124618    | 7.1
Transition Consistence          | False  | 387.0      | 717275    | 16.4
Function Consistence            | False  | 289.5      | 387167    | 11.5
Step Termination                | True   | 57.5       | 142937    | 7.4
„Descend“ Prohibition           | True   | 166.8      | 429983    | 11.8
„Increase-Descend“ Prohibition  | False  | 193.7      | 282694    | 9.9
Output                          | False  | 325.6      | 376716    | 11.6
Summary of the Lecture
18
Overview
Motivation for model-based software development: development of complex, frequently safety-critical systems
Part I: Specification techniques for analysis and design
1. Structure-oriented techniques: description languages such as UML class diagrams; design patterns after Gamma et al.
2. Operational techniques: state machines, timed automata: syntax and semantics; graph grammars: syntax and semantics
3. Descriptive techniques: Z, refinement schemes
19
Overview
Part II: Code generation
4. Code generation for class diagrams (especially associations), state machines, story diagrams
Part III: Validation and verification
5. Testing (white box, black box, coverage tests, equivalence classes)
6. Model checking (explicit, symbolic, CTL, TCTL, Kripke structures, BDDs)
20
Follow-up Courses, Summer Semester 2015
Bachelor lectures: Software Modelling with Formal Methods (Wehrheim); Foundations of Knowledge-Based Systems (Kleine Büning)
Proseminars: Model-Based Software Development for Intelligent Technical Systems (Priesterjahn)
21
Follow-up Courses, Summer Semester 2015
Master lectures: Software Quality Assurance (Engels); Propositional Proof Systems (Kleine Büning)
22
Reminder: Tutors for SWTPra / SoPra, Summer Semester 2015
We are looking for tutors for the summer semester 2015 to supervise groups in the Software Engineering Lab (SWTPra) and the Software Lab (SoPra)
Student assistant (SHK) contract, 9.5 h/week (or 19 h/week), 4 months; chance of longer-term employment as a student assistant in the research group's projects
Contact: Christian Brenner [email protected], office ZM1.02-13
23
Exam Preparation
Go through the slides and learn them; get the literature if needed (see website)
Repeat the exercises (and solve them yourself)
Learn in groups and answer questions together
…and ask questions now! (or by e-mail to [email protected])