Efficient Reachability Analysis of Hierarchic Reactive Modules
R. Alur, R. Grosu, M. McDougall
University of Pennsylvania, www.cis.upenn.edu/~alur,grosu,mmcdougall
Motivation
Scalable analysis demands modular reasoning:
• the modeling language has to support syntactically and semantically modular constructs,
• model checking has to exploit the modular design.
Close the gap between:
• software design languages (UML, Statecharts, Rsml, …),
• model checking languages (Spin, SMV, Mocha, …).
Talk Outline
Motivation
• Mode diagrams
• From statecharts to mode diagrams
• Model checking
• Wrap-up
Mode Diagrams
1. Visual language for hierarchic reactive machines
• hierarchic modes, mode sharing,
• group transitions, history,
• mixed and/or hierarchies.
2. Observational trace semantics
• mode refinement,
• modular reasoning.
3. Model checker
• exploits the hierarchy information,
• exploits the type information.
Characteristics
• Description is hierarchic.
• Well defined interfaces.
• Supports black-box view.
Model checking
• Modular reasoning.
• E.g. in SMV, Mocha.
Telephone Exchange: Architecture
[figure: the TelExchange module is composed of the telephone switches TelSw1 … TelSwn connected through a Bus; each switch has telephone ports ti/to and bus ports bi/bo]
Telephone Exchange: Behavior
[figure: mode diagram of one telephone switch with the hierarchic modes onHook and offHook; sub-modes idle, ringing, connecting, talking, gettingNo, ok; events onH, offH, call, answ, rtB, rtE]
read ti : TelI, bi : BusI; write to : TelO, bo : BusO; local nr : (0..n)
Statecharts
Formalism
• Introduced in 1987 by David Harel,
• Related notations: Rsml, Modecharts, Roomcharts,
• Key component in OO methods: UML, ROOM, OMT, etc.
Difficulties
• No denotational trace semantics (hence no notion of refinement),
• No scoping for variables.
Previous attempts compile statecharts to flat diagrams.
[figure: the telephone switch drawn as a statechart, with the states onHook and offHook, idle, ringing, connecting, talking, gettingNo, ok and the transitions onH, offH, rtB, rtE]
From Statecharts to Modes
Obstacles in achieving modularity:
• Nested state references break encapsulation.
• Group transitions implicitly connect deeply nested modes.
• Regular transitions connect deeply nested modes.
The mode constructs that replace them:
• State reference -> Scoping of variables (data interface)
• Group transitions -> Default points (control interface)
• Regular transitions -> Entry/exit points (control interface)
[figure: the telSw mode with the sub-modes onHook and offHook, the entry point ini, and the transitions call, answ, onH and rtB routed through the mode interface]
Model Checking
Graphical editor and both an enumerative and a symbolic model checker.
Reachability analysis exploits the structure:
• Reached state space indexed by control points,
• Transition relation is indexed by control points,
• Transition type exploited in mdd construction,
• Mode definitions are shared among instances.
Example: Generic Hierarchic System
[figure: hierarchic mode diagram of the GHS with the control points w0, w1, v2, v3, z, id and the transitions inc and skp at each level; the local variables c : (0..2), z : (0..n), w1 : (0..n) and v3 : (0..n) are declared at different levels of the hierarchy. Example transitions:
  c=1 & z<n -> c:=0; z:=z+1;
  (c=1 & w1=n) | c=2 -> skip;]
Enumerative Model Checker
[figure: reached states at the control points c, z and w1 stored as stacks of variable frames, e.g. c = 1 / z = 0 / w1 = 1 and c = 1 / w0 = 0 / z = 0; stacks with a common prefix share it]
Transitions
• Traversed in a depth-first way,
• Indexed by control points,
• Shared among instances of the same definition.
States
• States are stored as stacks,
• Stacks share common elements,
• States (stacks) are entries of a hash table,
• States are compressed as bitstrings.
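The stack-based state store described above, as an added example that is not HeRMes code. The model is a constructed two-level hierarchy in the style of the deck's GHS: the outer mode owns c : (0..2), the sub-mode owns z : (0..N), and the transitions tick, enter, inc, skp, loop and exit, their guards and the bound N = 3 are all assumptions. A state is a control point plus a stack of frames, one per mode on the active path; frames are interned in a hash table so stacks share common elements, transitions are indexed by their source control point, and the reached set is indexed by control point.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

N = 3  # assumed bound of the sub-mode counter z (the deck's parameter n)

Frame = Tuple[str, int]      # (mode name, value of that mode's local variable)
Stack = Tuple[Frame, ...]    # one frame per mode on the active path, outermost first
State = Tuple[str, Stack]    # (control point, stack)

# Hash table of frames: each distinct frame is stored once and shared by every
# stack that contains it, so stacks with a common prefix share those frames.
_frames: Dict[Frame, Frame] = {}

def intern(frame: Frame) -> Frame:
    return _frames.setdefault(frame, frame)

# Variable access: c lives in the outer frame (mode top), z in the inner one (sub-mode cnt).
def c_of(s: Stack) -> int:
    return s[0][1]

def z_of(s: Stack) -> int:
    return s[1][1]

def set_c(s: Stack, c: int) -> Stack:
    return (intern(("top", c)),) + s[1:]

def set_z(s: Stack, z: int) -> Stack:
    return s[:1] + (intern(("cnt", z)),)

Guard = Callable[[Stack], bool]
Update = Callable[[Stack], Stack]
Transition = Tuple[str, str, Guard, Update]   # (name, target control point, guard, update)

# Constructed model (an assumption, not the deck's GHS). Transitions are indexed
# by their source control point, as in the enumerative checker:
#   top.ini  --tick-->  top.ini    c := (c+1) mod 3
#   top.ini  --enter--> cnt.w0     enter the sub-mode: push a frame with z := 0
#   cnt.w0   --inc-->   cnt.w1     if c=1 & z<N:  c := 0; z := z+1
#   cnt.w0   --skp-->   cnt.w1     if (c=1 & z=N) | c=2
#   cnt.w1   --loop-->  cnt.w0     c := (c+1) mod 3
#   cnt.w1   --exit-->  top.done   if z=N: leave the sub-mode: pop its frame
TRANS: Dict[str, List[Transition]] = {
    "top.ini": [
        ("tick", "top.ini", lambda s: True, lambda s: set_c(s, (c_of(s) + 1) % 3)),
        ("enter", "cnt.w0", lambda s: True, lambda s: s + (intern(("cnt", 0)),)),
    ],
    "cnt.w0": [
        ("inc", "cnt.w1", lambda s: c_of(s) == 1 and z_of(s) < N,
         lambda s: set_z(set_c(s, 0), z_of(s) + 1)),
        ("skp", "cnt.w1", lambda s: (c_of(s) == 1 and z_of(s) == N) or c_of(s) == 2,
         lambda s: s),
    ],
    "cnt.w1": [
        ("loop", "cnt.w0", lambda s: True, lambda s: set_c(s, (c_of(s) + 1) % 3)),
        ("exit", "top.done", lambda s: z_of(s) == N, lambda s: s[:1]),
    ],
    "top.done": [],
}

def reachable(init: Optional[State] = None) -> Dict[str, Set[Stack]]:
    """Depth-first reachability; the reached set is one hash table per control point."""
    if init is None:
        init = ("top.ini", (intern(("top", 0)),))
    reached: Dict[str, Set[Stack]] = {cp: set() for cp in TRANS}
    work: List[State] = [init]
    while work:
        cp, stack = work.pop()               # LIFO worklist: depth-first order
        if stack in reached[cp]:
            continue
        reached[cp].add(stack)
        for _name, dst, guard, update in TRANS[cp]:
            if guard(stack):
                work.append((dst, update(stack)))
    return reached

def stats(reached: Dict[str, Set[Stack]]) -> Tuple[int, int, int]:
    """(reached states, frame slots over all stacks, distinct frames actually stored)."""
    n_states = sum(len(v) for v in reached.values())
    n_slots = sum(len(s) for v in reached.values() for s in v)
    return n_states, n_slots, len(_frames)

if __name__ == "__main__":
    r = reachable()
    for cp, stacks in r.items():
        print(cp, len(stacks))
    print("states, frame slots, stored frames:", stats(r))
```

With N = 3 the search reaches 20 states holding 34 frame slots in total, but only 7 distinct frames are ever stored: the interning table is what turns "stacks share common elements" into memory actually saved.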
Symbolic MC: The Reached Set
The reached set is indexed by control points:
• Each reached control point has an associated multi-valued decision diagram (MDD),
• The set of variables of an MDD depends on the scope of the control point.
[figure: the GHS diagram with the reached set annotated per control point, e.g. R(c,z,w1,v3), R(c,z,w1,v3,hw1) and R(c,z,w1)]
Symbolic MC: The Transition Relation
The transition relation is indexed by control points (conjunctively partitioned MDDs):
• Each transition has an associated MDD,
• The set of variables of an MDD depends on the scope of the transition,
• Type information: no identity extension necessary,
• Variable scoping enables early quantification.
[figure: the GHS diagram annotated with the transition inc, c=1 & v3<n & c'=0 & v3'=v3+1, and the labels hz = 2, h'z = 1]
Image of the reached set under inc at a control point whose scope is (c,z,w1,v3):
  (∃c,v3. R(c,z,w1,v3) & inc(c,c',v3,v3'))[c',v3':=c,v3]
Image under skp, a transition that leaves the scope of w1:
  ∃w1. R(c,z,w1) & skp(c,w1)
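The two image computations above, as an added example that is not HeRMes or jMocha code. Explicit sets of tuples stand in for the MDDs so that the relational algebra is visible: a transition relation mentions only the variables in its scope, the join with the reached set is keyed on just the variables the transition reads, the variables it does not mention are carried over unchanged instead of being identity-extended, and a variable missing from the target scope is quantified away. The guards of inc and skp are the ones the deck writes; the sample reached set, the bound N = 3 and the helper names (Rel, image, project, identity_extended) are assumptions.

```python
from itertools import product
from typing import Callable, Dict, Iterable, Iterator, List, Sequence, Tuple

N = 3  # assumed bound n for the counters z, w1, v3
DOM = {"c": range(3), "z": range(N + 1), "w1": range(N + 1), "v3": range(N + 1)}

Row = Dict[str, int]

class Rel:
    """Relation over named variables, stored as a set of tuples (stand-in for an MDD).
    A primed name such as c' denotes the next-state value of c."""
    def __init__(self, names: Sequence[str], rows: Iterable[Row]):
        self.vars = tuple(names)
        self.rows = frozenset(tuple(r[v] for v in self.vars) for r in rows)
    def __iter__(self) -> Iterator[Row]:
        return (dict(zip(self.vars, t)) for t in self.rows)
    def __len__(self) -> int:
        return len(self.rows)

def from_pred(names: Sequence[str], pred: Callable[[Row], bool]) -> Rel:
    """Tabulate a guard/update predicate over the domains of its variables."""
    rows: List[Row] = []
    for vals in product(*(DOM[v.rstrip("'")] for v in names)):
        r = dict(zip(names, vals))
        if pred(r):
            rows.append(r)
    return Rel(names, rows)

def project(R: Rel, names: Sequence[str]) -> Rel:
    """Existentially quantify every variable of R that is not in `names`."""
    return Rel(names, R)

# The deck's transitions, over exactly the variables they read or write:
#   inc: c=1 & v3<n & c'=0 & v3'=v3+1
#   skp: (c=1 & w1=n) | c=2  -> skip
INC = from_pred(("c", "c'", "v3", "v3'"),
                lambda r: r["c"] == 1 and r["v3"] < N and r["c'"] == 0 and r["v3'"] == r["v3"] + 1)
SKP = from_pred(("c", "w1"),
                lambda r: (r["c"] == 1 and r["w1"] == N) or r["c"] == 2)

def image(R: Rel, T: Rel, target: Sequence[str]) -> Rel:
    """(exists x in scope(T). R & T)[x' := x], projected onto the target scope.

    The join key is only the variables T reads (early quantification of the rest),
    variables T does not mention keep their value without an identity constraint,
    and variables absent from `target` are dropped because they left scope."""
    read = [v for v in T.vars if not v.endswith("'")]
    written = [v[:-1] for v in T.vars if v.endswith("'")]
    assert set(read) <= set(R.vars), "transition reads a variable outside the scope of R"
    assert set(target) <= set(R.vars) | set(written), "target scope has unconstrained variables"
    index: Dict[Tuple[int, ...], List[Row]] = {}
    for t in T:
        index.setdefault(tuple(t[v] for v in read), []).append(t)
    out: List[Row] = []
    for r in R:
        for t in index.get(tuple(r[v] for v in read), ()):
            nxt = dict(r)                       # frame variables carried over as-is
            for v in written:
                nxt[v] = t[v + "'"]             # rename x' back to x
            out.append({v: nxt[v] for v in target})
    return Rel(target, out)

def identity_extended(T: Rel, frame: Sequence[str]) -> Rel:
    """What a flat checker would have to build: T conjoined with x'=x for each frame variable."""
    names = T.vars + tuple(frame) + tuple(f + "'" for f in frame)
    rows: List[Row] = []
    for t in T:
        for vals in product(*(DOM[f] for f in frame)):
            rows.append({**t, **{f: v for f, v in zip(frame, vals)},
                         **{f + "'": v for f, v in zip(frame, vals)}})
    return Rel(names, rows)

def sample_reached() -> Rel:
    """Constructed reached set R(c,z,w1,v3) at the source control point of inc."""
    return Rel(("c", "z", "w1", "v3"),
               [{"c": c, "z": z, "w1": w, "v3": v}
                for c in range(3) for z in range(2) for w in range(N + 1) for v in (0, N)])

if __name__ == "__main__":
    R = sample_reached()
    post_inc = image(R, INC, ("c", "z", "w1", "v3"))
    post_skp = image(project(R, ("c", "z", "w1")), SKP, ("c", "z"))
    print(len(R), "rows ->", len(post_inc), "after inc;", len(post_skp), "after skp")
    print("inc scoped:", len(INC), "rows; identity-extended over z,w1:",
          len(identity_extended(INC, ("z", "w1"))), "rows")
```

The scoped inc relation has 3 rows; identity-extending it over z and w1 alone multiplies that by 16, and the blow-up grows with every frame variable and with the size of the variable type, which is the effect the space measurements later in the deck are picking up.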
Results
GHS Space Requirements (number of nodes vs. size of the variable type)
Size of variable type    5        6        8        10
cMocha                   27587    42591    54166    86317
Hrm                      482      729      891      967

GHS Time Requirements (time in minutes vs. size of the variable type)
Size of variable type    5        6        8        10
cMocha                   9        21       71       1000
Hrm                      2        4        11       26

As expected, the model checker for modes is superior to current model checkers when:
• sequential behavior is hierarchical,
• modes have local variables.
Project HeRMes
Current status:
• visual language for behavior hierarchy,
• compositional semantics,
• modular refinement rules,
• model checking exploits hierarchic structure.
Future work:
• improve heuristics exploiting hierarchy,
• improve use of sharing,
• integrate/automate modular reasoning,
• collaboration with NEC on case studies,
• connection to Rational Rose/ObjecTime.
Demos at CAV
jMocha v2.0 (released soon):
• joint project U.C. Berkeley & UPenn,
• a new version written in Java,
• several new features: MSC-like simulator, proof manager, script language.
HeRMes v1.0 (prototype):
• developed at UPenn,
• supports the mode diagrams in this talk.
Demos:
• Tuesday morning,
• Wednesday afternoon.
Modular Reasoning
[figure: three proof rules stated over the mode refinement relation < for modes M, M', N, N': sub-mode refinement, super-mode refinement, and circular assume/guarantee reasoning]
A Macro Step
A macro step is a breadth-first traversal of the hierarchic mode graph starting at:
• the default entry point of the top level mode
and ending at:
• the default exit point of the top level mode, or
• inside the mode if no new states are produced.
Semantics of Modes
Game Semantics
• Environment round: from exit points to entry points.
• Mode round: from entry points to exit points.
The set of traces of a mode
• Constructed solely from the traces of the sub-modes and the mode's transitions.
Refinement
• Defined as usual by inclusion of trace sets.
• Is compositional w.r.t. mode encapsulation.
Modular Reasoning
Compositional Reasoning
• Central to many formalisms: CCS, I/O Automata, TLA, etc.
Circular Assume/Guarantee Reasoning
• Valid only when the interaction of a module with its environment is non-blocking.
Terminology
• Compositional and assume/guarantee reasoning are based on observable behaviors.
Application area
• Only recently being automated by model checkers,
• Until now restricted to architecture hierarchies.
Conjunctive Modes
Parallel composition of reactive modules M1 and M2, synchronous semantics:
• M1: read i1, p2; write o1, p1;
• M2: read i2, p1; write o2, p2;
• composition: read i1, i2, p1, p2; write o1, o2, p1, p2;
State: s = (i1, i2, o1, o2, p1, p2)
Execution: s0 -env-> s1 -syst-> s2 -env-> … sk -syst-> sk+1, the environment and the system taking alternate rounds.
Translation with modes: [figure: M1 and M2 as conjunctive sub-modes of a single mode, with the intermediate states s1, s11, s2 of one round]
And/Or Hierarchies
The ability to express conjunctive modes is important for the construction of arbitrary and/or hierarchies.
Consider a hypothetical search and rescue robot operating on a battle field:
[figure: Search&rescue mode with the sequential sub-modes search, approach (entered on found), transport (entered on pick) and done; inside them, conjunctive sub-modes such as motionC and sonarM run in parallel]
Mocha Tool Architecture
[figure: an Integrated Development Environment Manager over the Specs DB, hRM DB, Proofs DB, Rules DB and Tacticals DB; components: Proof Manager, Simulator, Model Checker (BDD Packs, Reduction Algs), and for each of Specification, BehModel and ArchModel a TextEditor, a VisEditor and a Parser]