Formal Verification of UML Statecharts with Real-Time Extensions
M. Oliver Möller, Alexandre David, Wang Yi
Uppsala University / BRICS, Århus
NWPT'01, 10 October 2001

Outline:
1. UML, Statecharts, and Time
2. Semantics for Formal Verification
3. Verifying a Pacemaker with UPPAAL
Unified Modeling Language (UML)
- Born from the unification of other methods (Booch, OMT, OOSE)
- Different views of a system:
  A) user view: use case diagrams
  B) structural view: class diagrams
  C) behavioral view: statecharts
  D) environmental view: deployment diagrams
  E) implementation view: component diagrams
- An evolving standard:
  1.3 finished 2000
  1.4 finished 2001
  2.0 work in progress (4 RFPs issued May/Sept)
The Statechart Formalism
Features:
- hierarchical state machines
- parallelism (on any level)
- history
- event communication
- powerful synchronization mechanisms
- inter-level transitions
- actions that are dependent on states
- actions on entry/exit
- ...
Restricted Statechart Formalism
Currently restricted features:
- hierarchical state machines ✔
- parallelism (on any level) ✔
- history ✔
- no event communication
- no sync states
- no inter-level transitions
- no actions that are dependent on states
- no actions on entry/exit
Instead:
- hand-shake style synchronization
- shared variables
Real-Time Extensions
- Clocks
- (timed) Guards
- Invariants
A Word on Semantics
UML statecharts: informal (textual) semantic statements
- ambiguity of text
- variations over 1.3 / 1.4 / 2.0
- implementations make user-driven choices
Our formalism: rule-based, formal semantics
- unambiguous
- not identical, but makes clear choices
- any given formal statechart semantics should be "easy" to translate into it
Semantic Rules (example)
Configuration: a tuple with
- control locations
- valuation of integer variables
- valuation of clocks
- history
Operation: a transition, with the premises JoinEnabled and Inv and the EXIT action (rule rendered as a figure on the slide).
Model Checking
- M: description of the system
- φ: desired property
- easier than proving a general theorem
- completely automatic ('yes' or counterexample)
- efficient algorithms tailored for classes of problems
Real-Time Model Checking with UPPAAL
Example timed automaton (figure): locations A, B, C, D; clock reset x := 0; location invariant x <= 5; guards x == 5 and count == 4; update count := count + 1.
Only a subset of TCTL is supported (p, q are propositional formulas over locations and existing clocks):
- E<> p    reachability
- A[] p    safety (invariantly p)
- E[] p    possibly always p
- A<> p    inevitably p
- p --> q  unbounded response
From (timed) Statecharts to UPPAAL
Pipeline (figure):
- Rhapsody timed Statechart (informal description)
- → HTA model (formal semantics; hierarchical model)
- → flatten → TA model (formal semantics; hierarchy closed in the TA)
- → MODEL-CHECK
NORMALIZATION:
- simplification of data
- (safe) omission of C code
FLATTENING:
- auxiliary locations
- auxiliary variables
Guiding principle: make it easy to adjust to small changes.
Soundness & Correctness
Translations introduce slack. Thus the flattened model is not identical to the hierarchical one, but it is related to it through traces: the timed transition system of the hierarchical model gives rise to timed traces, which project to match the timed traces of the flattened (timed) model.
Outline of the Flattening
Three phases to flatten a hierarchical structure:
1. Collect instantiations
   - every superstate becomes one (flat) timed automaton
2. Compute global joins
   - mimic synchronization-on-exit in the flat automata
   - principle: use counters and add a threshold guard
3. Post-process channel communication
   - a transition may not synchronize with its own superstate
   - principle: duplicate channels and restrict scope
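To make the "counters and threshold guard" idea of phase 2 concrete, and to show how the E<> / A[] queries of the UPPAAL slide are evaluated over the flattened result, here is a small added example. It is not code from the slides or from UPPAAL: it is a constructed model in which four parallel regions of one superstate each exit at clock value 5 and increment a shared counter, while the superstate's own exit edge carries the threshold guard count == N. The explorer assumes integer-valued clocks (sufficient for reachability when all constraints are closed, as here) and caps the clock at one above the largest constant; region names R0..R3, the join automaton J and the variable count are all made up for the example.

```python
"""Explicit-state reachability over a flattened hierarchical model (constructed example)."""
from collections import deque

CMAX = 6  # largest clock constant + 1; larger values are indistinguishable for our guards


class Automaton:
    def __init__(self, name, init, edges, invariants=None):
        self.name = name
        self.init = init
        self.edges = edges                    # list of (src, guard(v, x), update(v) -> v', dst)
        self.invariants = invariants or {}    # location -> invariant(x) -> bool


def make_model(threshold, regions=4):
    """Flat translation of one superstate with `regions` parallel regions.

    Phase 1: every region is its own flat automaton (assumed names R0..R{n-1}).
    Phase 2: leaving a region increments the shared counter; the superstate's
             exit edge (automaton J) is guarded by count == threshold.
    """
    autos = []
    for i in range(regions):
        autos.append(Automaton(
            f"R{i}", "work",
            edges=[("work", lambda v, x: x == 5,
                    lambda v: {**v, "count": v["count"] + 1}, "done")],
            invariants={"work": lambda x: x <= 5},
        ))
    autos.append(Automaton(
        "J", "active",
        edges=[("active", lambda v, x: v["count"] == threshold, lambda v: v, "exited")],
    ))
    return autos


def explore(autos, init_vars):
    """Breadth-first exploration of (locations, variables, clock) states."""
    init = (tuple(a.init for a in autos), tuple(sorted(init_vars.items())), 0)
    seen = {init}
    queue = deque([init])
    while queue:
        locs, vitems, x = queue.popleft()
        v = dict(vitems)
        succs = []
        # delay step: one time unit, allowed only if every current invariant still holds
        nx = min(x + 1, CMAX)
        if all(a.invariants.get(l, lambda t: True)(nx) for a, l in zip(autos, locs)):
            succs.append((locs, vitems, nx))
        # discrete steps: any enabled edge of any automaton (interleaving semantics)
        for i, (a, l) in enumerate(zip(autos, locs)):
            for src, guard, update, dst in a.edges:
                if src == l and guard(v, x) and a.invariants.get(dst, lambda t: True)(x):
                    nl = locs[:i] + (dst,) + locs[i + 1:]
                    succs.append((nl, tuple(sorted(update(v).items())), x))
        for s in succs:
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return seen


def check(threshold):
    """Evaluate two UPPAAL-style queries on the flat model:
    E<> J.exited                          (the join is reachable)
    A[] (J.exited imply all regions done) (the join never fires early)
    Returns (reachable, safe)."""
    autos = make_model(threshold)
    states = explore(autos, {"count": 0})
    j = len(autos) - 1
    exited = [s for s in states if s[0][j] == "exited"]
    reachable = bool(exited)
    safe = all(all(l == "done" for l in s[0][:j]) for s in exited)
    return reachable, safe


if __name__ == "__main__":
    print("threshold 4:", check(4))  # correct join: reachable and safe
    print("threshold 3:", check(3))  # too low: reachable, but fires with a region still active
    print("threshold 5:", check(5))  # too high: the join is never reachable
```

With the correct threshold (the number of regions) the superstate exit is reachable and only ever fires once every region has left; a threshold one too low reproduces the kind of slack bug the soundness slide warns about, and the A[] query reports it, while a threshold too high makes E<> J.exited fail.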
Example: Flattening the Model of a Human Heart
(Figure of the flattened UPPAAL automata; only the labels are recoverable.)
- Outer superstate: locations X_IDLE, CONNECT_A, CONNECT_V, S_ACTIVE_in_X, X_AUX_S_A, X_AUX_S_V; synchronizations APace?, VPace?, enterTop?, enter_S_in_X_via_A!, enter_S_in_X_via_V!, xtSgnl_NR_5!; resets HEART_TIME := 0.
- Inner superstate: locations S_IDLE, AContraction, After_A_Contraction, VContraction, After_V_Contraction, Stopped, FLATLINE; synchronizations enter_S_in_X_via_A?, enter_S_in_X_via_V?, xtSgnl_NR_5?, VentricularChamberSense!.
- Clock HEART_TIME with invariants HEART_TIME <= 0 (urgent contraction locations), HEART_TIME <= HEART_DELAY_AFTER_A_CONTRACTION, HEART_TIME <= HEART_DELAY_AFTER_V_CONTRACTION, HEART_TIME <= HEART_ALLOWED_STOP_TIME; guards HEART_TIME == HEART_DELAY_AFTER_A_CONTRACTION, HEART_TIME == HEART_DELAY_AFTER_V_CONTRACTION, HEART_TIME == HEART_ALLOWED_STOP_TIME (leading to FLATLINE); shared variable V_listening (guards V_listening == 0 / V_listening == 1).
Communication Conflict
(Figure: superstates A and B; a transition c! in A and a transition c? in B, renamed to c_1! and c_2? after flattening.)
- cannot keep c: rename c inside
- cannot remove c: rename c outside
- modify other transitions: either choose one of c_1, c_2, or duplicate the transition (allow both)