Uppaal 2k: Small Tutorial
16 October 2002


1 Introduction

This document is intended to be used by newcomers to Uppaal and verification. Students or engineers with little background in formal methods should be able to use Uppaal for practical purposes after this tutorial. Section two describes Uppaal and section three is the tutorial itself.

2 Uppaal

Uppaal is a tool box for validation (via graphical simulation) and verification (via automatic model-checking) of real-time systems. It consists of two main parts: a graphical user interface and a model-checker engine. The user interface is implemented in Java and is executed on the user's workstation. It requires that Java 1.2 or higher is installed on the computer. The engine part is by default executed on the same computer as the user interface, but can also run on a more powerful server.

The idea is to model a system using timed automata, simulate it and then verify properties on it. Timed automata are finite state machines with time. A system consists of a network of processes that are composed of locations. Transitions between these locations define how the system behaves. The simulation step consists of running the system interactively to check that it works as intended. Then we can ask the verifier to check reachability properties, i.e. whether a certain state is reachable or not. This is called model-checking and it is basically an exhaustive search that covers all possible dynamic behaviours of the system.

More precisely, the engine uses on-the-fly verification combined with a symbolic technique reducing the verification problem to that of solving simple constraint systems [YPD94, LPY95]. The verifier checks for simple invariants and reachability properties for efficiency reasons. Other properties may be checked by using testing automata [JLS96] or the decorated system with debugging information [LPY97].
3 Learning Uppaal

(This description covers version 3.2.11.)

Uppaal is based on timed automata, that is, finite state machines with clocks. The clocks are the Uppaal way to handle time. Time is continuous and the clocks measure time progress. It is allowed to test the value of a clock or to reset it. Time will progress globally at the same pace for the whole system.

A system in Uppaal is composed of concurrent processes, each of them modeled as an automaton. The automaton has a set of locations. Transitions are used to change location. To control when to fire a transition, it is possible to have a guard and a synchronization. A guard is a condition on the variables and the clocks saying when the transition is enabled. The synchronization mechanism in Uppaal is a hand-shaking synchronization: two processes take a transition at the same time, one will have a a! and the other a a?, a being the synchronization channel. When taking a transition, actions are possible: assignment of variables or reset of clocks. The following examples will make you familiar with this short description.

3.1 Overview

The Uppaal main window (figure 1) has two main parts: the menu and the tabs.

Figure 1: Overview of Uppaal.

The menu is described in the integrated help, accessible through the help menu. The help describes the GUI in detail, so this tutorial will focus on how to use the tool. The three tabs give access to the three components of Uppaal: the editor, the simulator and the verifier.

Figure 1 shows the editor view. The idea is to define templates (like in C++) for processes that are instantiated to have a complete system. The motivation for the templates is that systems often have several processes that are very alike. The control structure (i.e. the locations and edges) is the same, only some constant or variable is different. Therefore templates can have symbolic variables and constants as parameters. A template may also have local variables and clocks.

Figure 2: Your first automaton (two locations, start and end).

To get a first contact with Uppaal, double click in the drawing area to get a location; repeat this, and you have two. Double click on these locations to rename them to start and end. Click on the Transition Mode button, click on the start location and then on the end location. Right click on the start location and mark it as initial. A small circle appears inside the state. You have your first automaton ready, as depicted in figure 2. Click on the Simulator tab to start the simulator, click on the yes button that will pop up, and you are ready to run your first system.

Figure 3: A snapshot of the graphical simulator.

Figure 3 shows the simulator view. On the left you will find the control part, where you can choose the transitions (upper part) and replay/save/load a trace (lower part). In the middle are the variables and on the right the system itself. To simulate our trivial system, pick one of the enabled transitions in the list in the upper left part of the screen. Of course there is only one transition in our example. Click Next. The process view to the right will change (the red dot indicating the current location will move) and the simulation trace will grow. We have now simulated our system and will proceed with verification.

Click on the Verifier tab. The verifier view as in figure 4 is displayed. The upper section allows you to specify queries to the system. The lower part logs the communication with the model-checking engine. Enter the text E<>P.end in the Query field below the Overview. This is the Uppaal notation for the temporal logic formula ∃◇ P.end and should be understood as "is it possible to reach the location end in process P". Click Model Check to let the engine verify this. The bullet in the overview will turn green, indicating that the property indeed is satisfied.

The goal of the rest of this document is to explore some key points of Uppaal through examples.
3.2 Mutual Exclusion Algorithm

We will now study the well-known Peterson's mutual exclusion algorithm to see how we can derive a model as an automaton from a program/algorithm and check properties related to it. The algorithm for two processes is as follows in C:

Figure 4: A snapshot of the verifier view.

Process 1                           Process 2
req1=1;                             req2=1;
turn=2;                             turn=1;
while(turn!=1 && req2!=0);          while(turn!=2 && req1!=0);
// critical section                 // critical section
job1();                             job2();
req1=0;                             req2=0;

You will construct the corresponding automata. Notice that the protocol is symmetric, so we may use a template of Uppaal to simplify the model. First reset the system (New system) to clear the "Hello World" example. Rename the default template P to mutex. We will abstract the actual work in the critical section since it has no interest here. The protocol has four states that come directly from the described algorithm, similar to goto labels:

Process 1
idle:  req1=1;
want:  turn=2;
wait:  while(turn!=1 && req2!=0);
CS:    // critical section
       job1();
       // and return to idle
       req1=0;

Draw the automaton as depicted in figure 5. Now you will define it as a template: double click on the parenthesis below the template name. There you can define the template parameters. Type int[0,1] req1,req2; const me which
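The following is an added example, not code from the tutorial or from the Uppaal tool itself. It shows, in plain Python, what the tutorial's verifier does for an E<> query: the four-location mutex template of section 3.2 is instantiated twice with the parameters me/other (the hypothetical names req1, req2 and turn follow the C listing), and a breadth-first search over every interleaving of the two processes, which is the "exhaustive search over all dynamic behaviours" of section 2, answers whether a state is reachable. Clocks and a!/a? channels from section 3 are deliberately left out, so the model is untimed; the naive_mutex template is constructed here only for contrast, to show the kind of counterexample trace such a search produces when mutual exclusion does not hold.

```python
"""Explicit-state reachability checker for a small network of automata.

Added example, not code from the Uppaal tutorial or the Uppaal tool. It mimics
the concepts of section 3 (a template instantiated with parameters, locations,
edges with guards and assignments) and the E<> reachability queries of
section 3.1 with a brute-force search over all interleavings. Clocks and
synchronisation channels are left out, so the models are untimed.
"""
from collections import deque


class Template:
    """Edges are (source, target, guard, action): guard(v) -> bool and
    action(v) -> updated variable dict, v being the shared variables."""

    def __init__(self, name, initial, edges):
        self.name, self.initial, self.edges = name, initial, edges


def peterson(me, other):
    """The 'mutex' template of section 3.2, parameterised by me/other (1 or 2)."""
    req_me, req_other = f"req{me}", f"req{other}"
    return Template(f"P{me}", "idle", [
        ("idle", "want", lambda v: True, lambda v: {**v, req_me: 1}),
        ("want", "wait", lambda v: True, lambda v: {**v, "turn": other}),
        # the busy-wait loop  while(turn!=me && req_other!=0);  exits on this guard
        ("wait", "CS", lambda v: v["turn"] == me or v[req_other] == 0, lambda v: v),
        ("CS", "idle", lambda v: True, lambda v: {**v, req_me: 0}),
    ])


def naive_mutex(me, other):
    """Constructed for contrast: a flawed 'check, then set' lock without turn."""
    req_me, req_other = f"req{me}", f"req{other}"
    return Template(f"P{me}", "idle", [
        ("idle", "wait", lambda v: v[req_other] == 0, lambda v: v),
        ("wait", "CS", lambda v: True, lambda v: {**v, req_me: 1}),
        ("CS", "idle", lambda v: True, lambda v: {**v, req_me: 0}),
    ])


def successors(system, state):
    """Interleaving semantics: one enabled edge of one process fires per step."""
    locs, v = state[0], dict(state[1])
    out = []
    for i, t in enumerate(system):
        for src, dst, guard, act in t.edges:
            if src == locs[i] and guard(v):
                new_locs = locs[:i] + (dst,) + locs[i + 1:]
                out.append((new_locs, tuple(sorted(act(v).items()))))
    return out


def reachable(system, init_vars, query):
    """E<> query by breadth-first search over every interleaving. Returns the
    shortest witness trace (list of states), or None when no reachable state
    satisfies query, i.e. the E<> property is not satisfied."""
    init = (tuple(t.initial for t in system), tuple(sorted(init_vars.items())))
    parent, queue = {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        if query(s[0], dict(s[1])):
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return trace[::-1]
        for n in successors(system, s):
            if n not in parent:  # finite state space: each state is expanded once
                parent[n] = s
                queue.append(n)
    return None


INIT = {"req1": 0, "req2": 0, "turn": 1}


def both_in_cs(locs, v):
    return locs == ("CS", "CS")


def check_peterson():
    """Returns (mutual exclusion holds, P1.CS reachable): expected (True, True)."""
    system = [peterson(1, 2), peterson(2, 1)]
    return (reachable(system, INIT, both_in_cs) is None,
            reachable(system, INIT, lambda locs, v: locs[0] == "CS") is not None)


def check_naive():
    """The flawed lock: the search returns a trace ending with both in CS."""
    return reachable([naive_mutex(1, 2), naive_mutex(2, 1)], INIT, both_in_cs)


if __name__ == "__main__":
    print("Peterson (mutex holds, CS reachable):", check_peterson())
    trace = check_naive()
    print("Naive lock counterexample:", " -> ".join("/".join(s[0]) for s in trace))
```

A state is the pair (current location of every process, values of the shared variables), exactly what the simulator view of figure 3 displays; the query E<> (P1.CS and P2.CS) corresponds to both_in_cs, and the trace returned for the naive lock plays the role of the diagnostic trace Uppaal loads into the simulator when a query is satisfied. Because the guard on the wait edge reads turn and the other process's request flag in one step, the model assumes those reads are atomic, which is the same abstraction the tutorial's four-state automaton makes.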
