A Two-way Path between Formal and Informal Design of Embedded Systems (PowerPoint presentation)



  1. A Two-way Path between Formal and Informal Design of Embedded Systems
     Mingshuai Chen 1, Anders P. Ravn 2, Shuling Wang 1, Mengfei Yang 3, Naijun Zhan 1
     1 State Key Lab. of Computer Science, Institute of Software, Chinese Academy of Sciences
     2 Department of Computer Science, Aalborg University
     3 Chinese Academy of Space Technology
     Reykjavík, June 2016
     Slide navigation: Background | From HCSP to Simulink | Case Study | Correctness Justification | Concluding Remarks
     Footer: Mingshuai Chen, Institute of Software, CAS. Shifting between Formal and Informal Design of ESs. Reykjavík, UTP 2016. 1 / 41

  2. Motivations
     Simulation-Based Design | Formal Verification
     engineers               | theorists
     efficient               | costly
     incomplete              | reliable


  4. Outline
     1 Background
     2 Translating HCSP Processes to Simulink Diagrams
     3 A Case Study on the Control Program of a Lunar Lander
     4 Justifying Correctness of the Translation Using UTP
     5 Concluding Remarks


  6. Architecture: Verification Architecture
     Figure (the MARS tool chain): a Simulink/Stateflow model is translated to an HCSP model by Sim2HCSP, and H2S translates HCSP back to Simulink, giving the two-way path. The HCSP model, in the form of HHL specifications, is checked by the HHL prover, supported by EHS2PHS and an invariant generator.

  7. Preliminaries: Simulink Diagrams
     A data flow diagram: blocks connected with wires.
     Example: v̇ = 1, ṡ = v + 2 (figure: Constant → Integrator_v → Out_v; Add(Integrator_v, Constant1) → Integrator_s → Out_s)
     Blocks run in parallel, each receiving inputs and computing outputs.
     Sample time: 0, -1, or a positive value t.

  8. Preliminaries: Hybrid CSP (HCSP)
     Syntax:
       P ::= skip | x := e | ch?x | ch!e | P; Q | B → P | P ⊔ Q | P* | ⟨F(ṡ, s) = 0 & B⟩ | ⟨F(ṡ, s) = 0 & B⟩ ⊵ []_{i∈I} (io_i → Q_i)
       S ::= P | S ∥ S
     Example: the timeout ⟨F(ṡ, s) = 0 & B⟩ ⊵_d Q can be defined by
       t := 0; ⟨F(ṡ, s) = 0 ∧ ṫ = 1 & t < d ∧ B⟩; t ≥ d → Q
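As an added illustration (not part of the slides), the derived form of the timeout can be run as a small fixed-step simulation that shows both ways the construct ends: the clock reaching d (Q runs) or the domain B failing first (Q is skipped). The ODE is the slide-7 example v̇ = 1, ṡ = v + 2; the domain s < 10, the deadlines and the process Q (resetting v) are constructed assumptions.

```python
# Added example: simulating the HCSP timeout  <F(s', s) = 0 & B> |>_d Q  through its
# derived form  t := 0; <F /\ t' = 1 & t < d /\ B>; t >= d -> Q  (explicit Euler steps).
from typing import Dict, Tuple

State = Dict[str, float]

def evolve(state: State, deriv, domain, dt: float) -> State:
    """<F(s', s) = 0 & B>: follow the ODE with step dt while B holds, stop when B fails."""
    s = dict(state)
    while domain(s):
        rates = deriv(s)                     # all derivatives from the same state ...
        for var, rate in rates.items():      # ... then every variable advances together
            s[var] += rate * dt
    return s

def timeout(state: State, deriv, domain, d: float, q, dt: float = 0.01) -> Tuple[State, bool]:
    """<F & B> |>_d Q as defined on the slide: a fresh clock t with t' = 1 joins the ODE,
    the domain is strengthened to t < d /\ B, and Q runs only under the guard t >= d."""
    s = dict(state)
    s["t"] = 0.0                             # t := 0

    def deriv_with_clock(st: State) -> Dict[str, float]:
        rates = dict(deriv(st))
        rates["t"] = 1.0                     # t' = 1
        return rates

    s = evolve(s, deriv_with_clock, lambda st: st["t"] < d and domain(st), dt)
    fired = s["t"] >= d                      # guard of  t >= d -> Q
    if fired:
        s = q(s)
    s.pop("t")                               # the clock is local to the encoding
    return s, fired

# Constructed scenario: the slide-7 system v' = 1, s' = v + 2 started at v = s = 0, with
# domain s < 10 and Q := (v := 0); the bound 10, the deadlines and Q are not from the slides.
def run(d: float) -> Tuple[State, bool]:
    return timeout({"v": 0.0, "s": 0.0},
                   lambda st: {"v": 1.0, "s": st["v"] + 2.0},
                   lambda st: st["s"] < 10.0,
                   d,
                   lambda st: {**st, "v": 0.0})

if __name__ == "__main__":
    print(run(2.0))   # deadline reached first: Q fires and resets v to 0
    print(run(5.0))   # s reaches 10 at about t = 2.9, before d: Q is skipped
```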


  10. Subcomponents: Arithmetic Expressions
      e ::= x | c | −e | (e) | e + e | e − e | e ∗ e | e / e
      Figure: x − 1 + y ∗ ((−2)/3.4), built from input ports In_x and In_y, constant blocks Constant1, Constant2 and Constant3 (3.4), Add1, Add2, Divide1 and output Out_1

  11. Subcomponents: Boolean Expressions
      B ::= ⊤ | ⊥ | e ▷ e | ¬B | (B) | B ∧ B | B ∨ B,   ▷ ∈ {<, ≤, >, ≥, =, ≠}
      Figure: ⊤ ∧ (2 < 3 ∨ 4 = 4 ∨ 6 > 5) ⇒ ⊥, built from constant blocks, Relational Operator1–3 (<, ==, >) and Logical Operator1–4 (AND, NOT, OR, OR) feeding Out_1

  12. Subcomponents: Differential Equations
      F ::= ṡ = e | F, F
      Figure: v̇ = 1, ṡ = v + 2 (the Simulink diagram of slide 7)

  13. Primitives: Skip
      skip: In_ok is wired directly to Out_ok
      ok′ = ok

  14. Primitives: Assignment x := e
      Figure: x := x + y ∗ z, built from In_ok, In_x, In_y, In_z, Unit Delay1, Unit Delay2, Add1, Divide1, Switch1 and Switch2 (threshold > 0), Out_ok, Out_x, Out_y, Out_z
      ok′ = ok,  u′ = u,
      x′ = new    if ok ∧ ¬d(ok)
         = x      if ¬ok ∧ ¬d(ok)
         = d(x′)  if d(ok)

  15. Primitives: Continuous Evolution ⟨F(ṡ, s) = 0 & B⟩
      Figure: In_ok and In_s feed Subsystem B, Enabled Subsystem F, a Unit Delay, NOT and AND blocks (threshold > 0), producing Out_ok and Out_s
      ok′ = ok ∧ ¬d(B),  en = ok ∧ d(B),
      s′ = F  if ok
         = s  if ¬ok

  16. Compositions: Sequential P; Q
      Figure: Subsystem P and Subsystem Q chained on the ports In_ok/Out_ok and In_x, In_y, In_z / Out_x, Out_y, Out_z
      ok_P = ok,  ok_Q = ok′_P,  ok′ = ok′_Q
      x_P = x,    x_Q = x′_P,    x′ = x′_Q

  17. Compositions: Repetition P*
      Figure: SubSystem_P with an iteration counter built from Unit Delay, Oracle N, constant (-C-), AND, OR, NOT, ==, >= and > 0 blocks, on ports In_ok, In_x, Out_ok, Out_x
      ok′ = ok ∧ ok′_P ∧ (n ≥ N)
      n = ok × (d(n) + d(ok′_P ∧ ¬d(ok′_P)))
      ok_P = ok ∧ (n == d(n) ∨ n ≥ N)
      x_P = d(x′_P)  if n > 0
          = x        if n == 0
