Real-Time Verification of Statemate Designs




Udo Brockmeyer and Gunnar Wittich
OFFIS, Escherweg 2, 26121 Oldenburg, Germany
email: {brockmeyer,wittich}@offis.uni-oldenburg.de
Fax: ++49 441 798 2145

Part of this work has been funded by the Commission of the European Communities under the ESPRIT project 20897, SACRES, and the German BMBF project KORSYS, grant number 01-IS-519-E-0.

Abstract. This paper presents an approach towards real-time verification of Statemate designs (Statemate is a registered trademark of i-Logix Inc.). Statemate is a widely used design tool for embedded control units. These embedded control units are usually contained in industrial products and often implement concurrent systems. In our approach designs including all timing information are translated into untimed Kripke Structures which are optimized and then verified by symbolic model-checking. Real-time requirements are expressed by TCTL formulae interpreted over discrete time. A reduction from TCTL model-checking to CTL model-checking is presented in order to use a CTL model-checker for the verification task. Some experimental results with the underlying toolset are given.

Keywords. Statemate, TCTL, model-checking, real-time

1 Introduction

Growing complexity and wide usage of concurrent systems in safety critical applications raises the demand for proving their correctness. Because verification with theorem provers [18] is a difficult task even for experts, automatic verification techniques, in particular model-checking [5,6], are gaining increasing influence in the development of industrial applications.

In this paper we present an approach towards real-time verification of Statemate designs [12,13,15]. Statemate is a widely used graphical specification tool for embedded control units. These embedded control units are usually contained in industrial products and often implement concurrent systems. The Statemate toolset captures the phases of specification, analysis, design and documentation of concurrent real-time systems. To cope with the complexity of real life applications, a system under development (SUD) may be described graphically from three different viewpoints within Statemate. They cover structural (Module-charts), functional (Activity-charts) and behavioral (Statecharts [11]) aspects of a SUD.

For the real-time verification of Statemate designs we use the technique of model-checking. Model-checking is an automatic method for proving that a given implementation of a design meets its requirement specification represented by a

temporal logic formula. As specification language, we use TCTL as introduced in [2] restricted to a discrete time domain. Our TCTL model-checking procedure aims at reuse of an industrial CTL model-checker [10] and contains two major new components: first a translation of Statemate designs into untimed Kripke Structures and second an embedding of the discrete time TCTL model-checking problem into CTL model-checking. We perform an automatic reduction from TCTL model-checking to CTL model-checking by extending the generated untimed Kripke Structures with a bounded clock and by translating TCTL formulae into CTL formulae. A similar reduction for a derivate of dense time TCTL is given in [16]. Unlike the approach in [16], where additional time transitions between transitions of the system are introduced, we avoid this blowup by extending CTL (and thus the model-checker, too) by a choose operator. Thus, we can significantly reduce the number of steps performed by the model-checker while doing its work. In contrast to the Verus tool [7], where each transition corresponds to one time unit, our transitions can be zero delayed, too.

To be able to verify Statemate designs, we have implemented a set of tools for translating Statemate designs into untimed Kripke Structures [4] as required as input by the model-checker [10]. The semantical foundation of the translation can be found in [9]. A work that is closely related to our work can be found in [17]. There a formal semantics for an untimed subset of Statecharts is given which is based on the basic step algorithm as defined in [13]. Also an experimental compiler for connecting a model-checker is presented. Our environment supports real-time verification for the synchronous (step) semantics as well as for the asynchronous (super-step) semantics provided by the Statemate simulator and therefore for both of the semantics given in [13]. Furthermore, in addition to almost the complete language of Statecharts, the language of Activity-charts is also covered by our toolset.

In this paper we demonstrate the feasibility of our approach to real-time model-checking on some case studies. Two of them are industrial sized applications provided by our project partners. The first one originates from the SACRES project and is provided by British Aerospace. It is a Storage Management System of an aircraft. The second one was provided by ESG (Elektronik Systeme GmbH, Munich, Germany) in the KORSYS project. This case study is a helicopter monitoring system which monitors engine and fuel parameters.

This paper is organized as follows. Section 2 overviews Statemate and elaborates some of its concepts. In addition the modeling of time is presented. Section 3 gives the theoretical background we use for real-time model-checking with a CTL model-checker. In Section 4 we present some experimental results. Section 5 concludes this paper with an outlook on our future work.

2 Modeling Real-Time Features of Statemate

In this section an introduction to the real-time semantics of Statemate is given. First, key issues of the semantics are pointed out. The next subsection discusses

the concepts of time available in Statemate. The last subsection describes our semantical modeling of real-time features in order to perform real-time verification of Statemate designs.

2.1 Semantics of Statemate

The Statemate toolset [12,13,15] captures the phases of specification, analysis, design and documentation of real-time embedded systems. Designers describe the behavior of components using the established visual formalism of Statecharts [11,14]. Several semantics for Statecharts have been investigated in the past [19]. Statemate also incorporates several semantics for its languages. We can distinguish between the synchronous simulation semantics (step semantics), the asynchronous simulation semantics (super-step semantics) and the semantics of the generated code for C, Ada, VHDL and Verilog. Informal explanations of these semantics can be found in [13]. A rigorous and formal definition of the super-step semantics can be found in [9].

The step semantics is based on the basic step algorithm as defined in [13]. In this semantics all active components of a SUD perform steps synchronously, yielding new state configurations and new valuations of variables. A SUD can first accept new external stimuli after termination of every synchronous step and then perform another step; thus execution proceeds in cycles. A synchronous discrete time scheme is assumed in which a whole SUD, i.e. all active components, executes a single step every time unit, hence in each cycle time is incremented by one time unit. The step semantics is mainly used for clocked designs.

The basic idea of the super-step semantics is that after an external stimulus has been given to a SUD being in a stable state, it starts a chain of steps until it reaches a stable state again. Stable means that further steps are impossible without new external stimuli. A long chain of reactions is possible until a stable state is reached again. A complete chain is called a super-step, while every single computation is called a step. In contrast to the step semantics, steps in such a chain do not consume time. All computations between stimulation of such a SUD and returning into a state of equilibrium are performed infinitely fast, hence the discrete virtual simulation clock is not incremented before a super-step has been finished. After completion of a super-step the clock will be advanced to the next relevant point in time. A point in time is relevant if a scheduled action has to be executed, if a timeout event has expired, or if a SUD is triggered again by a new external stimulus. This semantics constrains the interaction of the environment with a SUD to super-step boundaries, but all activities inside a SUD work synchronously and communicate after every step. The super-step semantics is mainly used for asynchronous designs.

This overview shows that the step semantics is much simpler than the super-step semantics. Under the step semantics, each step of a SUD corresponds to exactly one time unit, time increases uniformly and the environment can influence the valuation of variables at every step. In contrast, the super-step semantics needs additional bookkeeping to indicate stability. Only in a stable state can the system increase timers and accept new stimuli.

2.2 Concepts of Time in Statemate

Statemate provides two ways to introduce explicit timing information into a Statechart, which both relate events and actions to the discrete virtual simulation clock. The first alternative allows transitions to be triggered by timeout events. Syntactically, timeout events are of the form tm(event-expr, time-expr) for event expressions event-expr and integer (time) expressions time-expr. A timeout event defines a new event, which will occur time-expr units after the latest occurrence of event-expr. Thus, timeouts allow monitoring the elapsed time since a last occurrence of event-expr. To measure the elapsed time units for every timeout expression, Statemate internally introduces an integer clock which is reset every instant event-expr occurs.

The second alternative for introducing timing information into a Statechart allows the execution of actions to be delayed for some time units by a scheduled action. Syntactically, scheduled actions are of the form sc!(action-expr, time-expr) for action expressions action-expr and integer (time) expressions time-expr. A scheduled action delays the execution of action-expr for time-expr units from the present time. Again, Statemate internally introduces a clock to measure the time until action-expr is executed. Because the same action can be scheduled at several time instances, for each execution of the scheduled action a new (internal) clock is introduced by Statemate. E.g. if a transition is labeled with sc!(V:=1,5) and this transition is executed at time instant 0 and time instant 2, then V:=1 is executed at time instant 5 and time instant 7.

Timeout events and scheduled actions are handled differently in step and super-step semantics. In the step semantics time is incremented with every step; thus, after time-expr steps timeout events are generated and scheduled actions are executed. In the super-step semantics time is incremented only after reaching a stable state again. Individual steps are executed in zero time, hence a large number of steps is possible until timeout events are generated and scheduled actions are executed.

2.3 Translating Real-Time Features of Statemate

In order to perform real-time verification of Statemate designs, they have to be translated into a format interpretable by the model-checker. Our toolset translates designs in two steps. A Statemate design is first translated into an intermediate language called SMI (Statemate Intermediate). We defined SMI as a language for the translation of high-level formalisms into Kripke Structures (in other projects, we translate VHDL, a subclass of Petri-Nets, and a subclass of OCCAM into SMI). In a second phase, the generated SMI code is translated into a Kripke Structure for model-checking.

SMI is a simple imperative programming language containing concepts to

model hierarchy, parallelism, and nondeterminism of Statemate designs. The data-types and expression language of SMI are powerful enough to cover a wide range of Statemate types. SMI code consists of a non-terminating loop representing the cyclic behavior of a Statemate design. One execution of this loop corresponds to exactly one step of the design. In SMI all control information, all variables and all events of the Statemate design are encoded by variables.

To cope with timing aspects of a design, the translation process introduces clock variables for timeout events and scheduled actions. All clocks are running synchronously. Because we require all time expressions to evaluate to a constant at compile time, finite domains for the clocks can be determined. For every timeout event we introduce one clock variable ranging from zero to the value of its time expression plus one (tm_max). The clock starts at zero and stops if it reaches its upper bound. If two timeouts have identical event expressions, it is possible to share the clock variable, where tm_max is set to the maximum of the values of the time expressions. For scheduled actions the value of the time expression determines the number of necessary clocks, all ranging from zero to the value of its time expression plus one (sc_max). We encode these clocks by exactly one shift register with sc_max bits. Scheduling an action means setting the corresponding bit, incrementing time means right-shifting the register, and the action is executed if the rightmost bit of the register is set. We do not need a global clock in our models, because all clocks are reset relative to the points in time where event expressions occur and scheduled actions are executed. Due to the fact that the number of timeout events and scheduled actions is fixed by the design and the use of shift registers to represent scheduled actions within SMI, the number of clocks we introduce is limited. Together with the fact that all clocks are bounded, this enables us to generate finite Kripke Structures out of SMI.

If at the end of a step a clock variable for a timeout reaches the value of its time expression, the corresponding timeout event tmE is generated and added to the set of generated events. Like all events, it is visible for exactly one step for all components of the Statechart. If at the end of a step a shift register indicates that the time to execute an action has expired, the corresponding action is executed. This action behaves like all other actions executed in this step and may be in conflict with them. No special treatment is necessary, because undelayed actions may be in conflict, too.

We clarify the concepts for the translation of real-time features of Statemate by considering an example. Suppose a Statechart with a transition from state S1 to state S2, triggered by timeout event tm(E,2) and executing scheduled action sc!(V:=1,3), where E is an event and V is a bounded integer variable. Within SMI the states S1 and S2 are encoded by boolean variables st_S1 and st_S2. For the timeout the translation process has to

1. introduce a clock tm_0 ranging from zero to tm_max (tm_max = 3),
2. introduce a timeout event tmEV_0,
3. translate the event expression into a boolean expression in SMI,
4. reset the clock if event E has been generated,
5. increment the clock if it does not equal tm_max and time progresses,
6. generate the timeout event tmEV_0 if the clock reaches the value of the time expression (tm_0 = 2).

For the scheduled action the translation has to

1. introduce a shift register sc_0 containing sc_max bits (sc_max = 4),
2. translate the action expression into an expression in SMI,
3. set bit time-expr of the shift register (sc_0[3] := 1),
4. perform a right-shift of the register if time progresses (asr(sc_0)),
5. execute the action expression if the rightmost bit is set.

In SMI nondeterministic branches are used to model the triggering of transitions. Nondeterminism can occur if more than one transition is enabled and transitions are in conflict. The piece of code for transition firing in this example looks like:

    NDCASE % non-deterministic branch to model conflicting transitions
    [] (st_S1 = true and tmEV_0 = true): % first transition; [] means new branch
        st_S1 := false;   % exit state S1
        st_S2 := true;    % enter state S2
        sc_0[3] := 1;     % set bit 3 in the shift register
    [] % second transition
    ...
    [] % last transition
    NDESAC

The piece of code for synchronization (SYNC-PART) looks like:

    % Handle timeouts
    DCASE % deterministic branch for 'event E is generated or not'
    [] (E = true):
        tm_0 := 0;                 % reset the clock for the timeout
    [] not (E = true):
        DCASE % deterministic branch for 'clock does not equal tm_max'
        [] (tm_0 < 3):
            tm_0 := tm_0 + 1;      % increment clock
        [] not (tm_0 < 3):
            tm_0 := tm_0;          % clock remains unchanged
        DESAC;
    DESAC;
    % Handle scheduled actions
    sc_0 := asr(sc_0);             % perform right-shift on sc_0
    DCASE
    [] (sc_0[0] = 1):              % rightmost bit of sc_0 is set
        V := 1;                    % execute action
    [] not (sc_0[0] = 1):
        SKIP;                      % execute null operation
    DESAC;

While the piece of code for transition firing is the same in both semantics, this is not the case for the synchronization code. In the step semantics time is incremented after every step, thus the synchronization code for resetting and incrementing clocks is executed in every cycle. If the super-step semantics is used, the compiler introduces a special variable ASYNC (for asynchronous) to indicate instability of the system. Only if ASYNC equals false has a super-step terminated, and only then do the synchronization actions take place.
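As an added example (not the paper's code), the following Python program is a step-by-step rendering of the SMI fragments above for the S1 to S2 transition triggered by tm(E,2) and executing sc!(V:=1,3), run under the step semantics, in which the SYNC-PART executes in every cycle. The variable names st_S1, st_S2, tm_0, tmEV_0, sc_0 and V, tm_max = 3 and sc_max = 4 are the paper's; two details are assumptions of this example rather than statements of the paper: the loop body runs the transition part before the SYNC-PART, and tm_0 starts at tm_max (stopped), so that no timeout is generated before E has ever occurred. The input sequence is constructed.

```python
# Added example (not the paper's code): the SMI code for the S1 -> S2 example
# of Section 2.3, executed under the step semantics (time condition C = true).
# Assumptions of this example: transition firing precedes the SYNC-PART inside
# one loop body, and the timeout clock starts stopped at tm_max.
from typing import Dict, List, Optional

TM_MAX = 3   # tm(E, 2): the clock ranges over 0..3
SC_MAX = 4   # sc!(V := 1, 3): the shift register has 4 bits


def asr(bits: List[int]) -> List[int]:
    """Right shift of the shift register; index 0 is the rightmost bit."""
    return bits[1:] + [0]


def initial_state() -> Dict:
    return {"st_S1": True, "st_S2": False,
            "tm_0": TM_MAX,           # assumption: clock stopped until E occurs
            "tmEV_0": False,          # timeout event sensed in the current step
            "sc_0": [0] * SC_MAX,     # shift register for the scheduled action
            "V": 0}


def step(state: Dict, e_present: bool) -> Dict:
    """One execution of the SMI loop body: transition firing, then SYNC-PART."""
    s = dict(state)
    s["sc_0"] = list(state["sc_0"])
    # NDCASE: only one transition exists here, so the branch is deterministic
    if s["st_S1"] and s["tmEV_0"]:
        s["st_S1"] = False          # exit state S1
        s["st_S2"] = True           # enter state S2
        s["sc_0"][3] = 1            # set bit 3: schedule V := 1
    # SYNC-PART, handle timeouts
    if e_present:
        s["tm_0"] = 0               # reset the clock for the timeout
    elif s["tm_0"] < TM_MAX:
        s["tm_0"] += 1              # increment clock (it stops at tm_max)
    # the timeout event is generated when the clock reaches the value of the
    # time expression (tm_0 = 2) and is visible for exactly one step
    s["tmEV_0"] = (s["tm_0"] == 2)
    # SYNC-PART, handle scheduled actions
    s["sc_0"] = asr(s["sc_0"])
    if s["sc_0"][0] == 1:           # rightmost bit set: the delay has expired
        s["V"] = 1                  # execute the action
    return s


def run(inputs: List[bool]) -> List[Dict]:
    """Run one step per element of inputs (True means event E is present)
    and return the state after each step."""
    trace, s = [], initial_state()
    for e in inputs:
        s = step(s, e)
        trace.append(s)
    return trace


def first_step_where(trace: List[Dict], key: str) -> Optional[int]:
    """Index of the first step after which state[key] is true, or None."""
    for i, s in enumerate(trace):
        if s[key]:
            return i
    return None


if __name__ == "__main__":
    # constructed input: E occurs in step 0 only
    for i, s in enumerate(run([True] + [False] * 7)):
        print(i, s["tm_0"], s["tmEV_0"], s["st_S2"], s["sc_0"], s["V"])
```

With E present in step 0 only, the clock is reset in step 0, reaches 2 at the end of step 2, the timeout event is sensed in step 3 (where the transition fires and bit 3 of sc_0 is set), and the scheduled action V := 1 executes in step 5 once the bit has been shifted to position 0. A second E in step 1 resets the clock again and delays the whole chain by one step; without any E the stopped clock never generates the timeout.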

The synchronization code for the super-step semantics looks like:

    % Handle timeouts
    DCASE % deterministic branch for 'system is stable or not'
    [] (ASYNC = true):             % system is not stable; clocks are not incremented
        SKIP;                      % execute null operation
    [] not (ASYNC = true):         % system is stable; clocks are incremented
        % code for resetting and incrementing clocks follows
        DCASE % deterministic branch for 'event E is generated or not'
        [] (E = true):
            tm_0 := 0;             % reset the clock for the timeout
        [] not (E = true):
            SYNC-PART              % the synchronization code given above
        DESAC;
    DESAC;

Because after the translation of a Statemate design into SMI all necessary clocks are represented by a finite number of bounded model variables, finite untimed Kripke Structures can be generated out of the code (we generate functional Kripke Structures by eliminating all non-determinism through additional input variables). The construction is such that one step of the Kripke Structure corresponds to one execution of the complete loop body of the SMI code. Thus, in the step semantics exactly one time unit passes in each state of the Kripke Structure. In the super-step semantics, time progresses only in certain states, while in all other states time remains unchanged. The states in which time passes are characterized by an expression C. In case of the step semantics this time condition C equals true; in the super-step semantics C equals ASYNC = false.

3 Real-Time Model Checking

In this section we present the theoretical background of our real-time model-checking procedure. As specification logic we use TCTL interpreted over discrete time. Verification is performed by translating TCTL into CTL and model-checking a suitably extended model against the resulting formulae with a CTL model-checker.

Let $Types$ denote a set of types. For each type $t \in Types$ let $dom(t)$ denote the finite domain of $t$. Let $Inp$ be a finite set of input variables and $Var$ be a finite set of state variables. For each $v \in Inp \cup Var$ let $type(v)$ denote the type of $v$. A state is a mapping that assigns to every state variable $v \in Var$ a value in the domain $dom(type(v))$. An input is a mapping that assigns to every input variable $v \in Inp$ a value in the domain $dom(type(v))$. Let $[[expr]]$ be a mapping that assigns to a boolean expression $expr$ over the variables of $Inp \cup Var$ a set of inputs and states (the inputs and states satisfying the expression). TCTL as defined in Definition 1 below was introduced by Alur, Courcoubetis and Dill [2].

Definition 1 (TCTL). The syntax of TCTL formulae is inductively defined by:

$\varphi ::= expr \mid \neg\varphi_1 \mid \varphi_1 \wedge \varphi_2 \mid \exists\varphi_1 U_{\sim c}\varphi_2 \mid \forall\varphi_1 U_{\sim c}\varphi_2$

where $expr$ is a boolean expression, $\varphi_1, \varphi_2$ are TCTL formulae, $\sim$ is one of the binary relations $<, \le, =, \ge, >$ and $c$ is a natural number.

Remark 1. By omitting the time constraints $\sim c$ in Definition 1 we get the usual definition of CTL without the next operator. In the remainder we extend CTL by the choose operator: if $\varphi$ is a CTL formula and $v \in Var$ then $\text{choose}\ v : \varphi$ is a CTL formula, too. The choose operator in CTL is essentially needed for our translation from TCTL to CTL.

In our context, the semantics of TCTL formulae is defined over Kripke Structures.

Definition 2 (Kripke Structure). A Kripke Structure is a tuple $K = (Inp, Var, f, I)$ with:
- $Inp$ is a finite set of input variables
- $Var$ is a finite set of state variables
- $f$ is a function mapping each tuple of input and state to a "next" state
- $I$ is a set of initial states

Definition 3 (Path). Let $K$ be a Kripke Structure, $(\iota)_n$ a sequence of inputs and $(\sigma)_n$ a sequence of states. The sequence $(\pi)_n$ with $\pi_i := (\iota_i, \sigma_i)$ for all $i \ge 0$ is called a path of $K$ iff $\sigma_{i+1} = f(\iota_i, \sigma_i)$ for all $i \ge 0$. For the path $(\pi)_n$ we call $(\iota)_n$ the corresponding input sequence and $(\sigma)_n$ the corresponding state sequence of $(\pi)_n$. In the following we use the abbreviation $(\pi)_n = ((\iota)_n, (\sigma)_n)$ to denote that $(\iota)_n$ is the corresponding input sequence and $(\sigma)_n$ is the corresponding state sequence of path $(\pi)_n$. For an input $\iota$ and a state $\sigma$, a path is a $(\iota,\sigma)$-path iff $\pi_0 = (\iota,\sigma)$.

Our semantics of TCTL formulae over Kripke Structures is defined wrt. the time condition $C$. As described in Subsection 2.3, the expression $C$ characterizes the states of the Kripke Structure in which time passes.

Definition 4 (Semantics of TCTL). Let $K = (Inp, Var, f, I)$ be a Kripke Structure, $expr$ and $C$ expressions, $\iota$ an input, $\sigma$ a state, $\varphi_1$ and $\varphi_2$ TCTL formulae. The semantics of TCTL is inductively defined by:

$(K,(\iota,\sigma)) \models expr :\Leftrightarrow (\iota,\sigma) \in [[expr]]$

$(K,(\iota,\sigma)) \models \neg\varphi_1 :\Leftrightarrow (K,(\iota,\sigma)) \not\models \varphi_1$

$(K,(\iota,\sigma)) \models \varphi_1 \wedge \varphi_2 :\Leftrightarrow (K,(\iota,\sigma)) \models \varphi_1$ and $(K,(\iota,\sigma)) \models \varphi_2$

$(K,(\iota,\sigma)) \models \exists\varphi_1 U_{\sim c}\varphi_2 :\Leftrightarrow \exists\ (\iota,\sigma)\text{-path } (\pi)_n = ((\iota)_n,(\sigma)_n)\ \exists i \ge 0:$
1. $\forall j < i: (K,\pi_j) \models \varphi_1$
2. $(K,\pi_i) \models \varphi_2$
3. $|\{j \mid j \le i \wedge (K,\pi_j) \models C\}| \sim c$

$(K,(\iota,\sigma)) \models \forall\varphi_1 U_{\sim c}\varphi_2 :\Leftrightarrow \forall\ (\iota,\sigma)\text{-path } (\pi)_n = ((\iota)_n,(\sigma)_n)\ \exists i \ge 0:$ conditions 1 to 3 above hold

We use the abbreviation $K \models \varphi$ for $\forall\iota\ \forall\sigma \in I: (K,(\iota,\sigma)) \models \varphi$.

Remark 2. By omitting the time constraints $\sim c$ in the path formulae and the third conditions in Definition 4 we get the usual semantics of CTL formulae over Kripke Structures. Furthermore we define the semantics of the choose operator of our extension of CTL: let $K$, $\iota$, $\sigma$ and $\varphi_1$ be as above and let $v \in Var$. Then:

$(K,(\iota,\sigma)) \models \text{choose}\ v : \varphi_1 :\Leftrightarrow \exists x \in dom(type(v)): (K,(\iota,\sigma[v = x])) \models \varphi_1$

Remark 3. In ROBDD based CTL model-checkers the choose operator can easily be implemented by performing existential quantification over the ROBDD variables representing variable $v$ in $\text{choose}\ v : \varphi_1$.

To model-check a TCTL formula with a CTL model-checker, we transform the Kripke Structure by adding an additional specification clock $s_{clk}$ which is incremented whenever time progresses. These states are characterized by the above mentioned time condition $C$. The specification clock is necessary for counting the elapsed time on a path for comparison with the time constraints of the TCTL formula to be verified. The upper bound of the specification clock is determined by the greatest time constraint of the given TCTL formula plus one. In [2] it is shown that this upper bound for the specification clock is sufficient.

Definition 5 (Timed Kripke Structure). Let $\varphi$ be a TCTL formula and let $n$ be the greatest time constraint of $\varphi$ plus one. Let $K = (Inp, Var, f, I)$ be a Kripke Structure and let $C$ be a time condition. The corresponding timed Kripke Structure $K' = (Inp', Var', f', I')$ is defined by:
- $Inp' = Inp$
- $Var' = Var \cup \{s_{clk}\}$ with $dom(type(s_{clk})) = \{0, \ldots, n\}$, where $s_{clk} \notin Var$
- $f'(\iota,\sigma)(v) := \begin{cases} f(\iota,\sigma|_{Var})(v) & v \ne s_{clk} \\ \min(n, \sigma(v)+1) & v = s_{clk} \wedge (K,(\iota,f(\iota,\sigma|_{Var}))) \models C \\ \sigma(v) & v = s_{clk} \wedge (K,(\iota,f(\iota,\sigma|_{Var}))) \not\models C \end{cases}$
- $I' = \{\sigma' \mid \exists\sigma \in I: \sigma'|_{Var} = \sigma\}$

Figure 1 shows a path of a timed Kripke Structure. The states satisfying the time condition $C$ are shaded. Below the states the valuation of $s_{clk}$ is given. By definition, $s_{clk}$ is incremented only in the shaded states.

Fig. 1. A path of a timed Kripke Structure (figure not reproduced; the valuation of $s_{clk}$ below the states of the path reads 0 1 1 1 2 2 3 3 3 3 4 4).

Note that we do not distinguish between time and system steps in our approach. In a timed Kripke Structure, independent of the progress of time, all steps correspond to system steps. Thus we need fewer steps while model-checking a timed Kripke Structure than the approach in [16].

The following lemma shows that paths of a Kripke Structure $K$ and paths of the corresponding timed Kripke Structure $K'$ are related in the following way. First, if a path of $K$ satisfies a time constraint $\sim c$ in its $i$-th state, then there

exists exactly one path of $K'$ on which $s_{clk}$ equals zero in the first state, $s_{clk}$ satisfies the condition $s_{clk} \sim c$ in the $i$-th state, and the valuations of all inputs and states of the two paths are equal modulo $s_{clk}$. Analogously, the second point of the lemma states that if a path of $K'$ has $s_{clk}$ equal to zero in its first state and satisfies a constraint $s_{clk} \sim c$ in its $i$-th state, then there exists a path of $K$ which satisfies the time constraint $\sim c$ in the $i$-th state, and the valuations of all inputs and states of the two paths are equal modulo $s_{clk}$.

Lemma 1. Let $K = (Inp, Var, f, I)$ be a Kripke Structure and let $K' = (Inp', Var', f', I')$ be the corresponding timed Kripke Structure wrt. a TCTL formula $\varphi$ and a time condition $C$. Let $\sim \in \{<, \le, =, \ge, >\}$ and let $c$ be a natural number such that $c + 1 \in dom(type(s_{clk}))$. Then:

1. Let $(\pi)_n$ be a path of $K$, $i \ge 0$ with $|\{j \mid j \le i \wedge (K,\pi_j) \models C\}| \sim c$.
   Then $\exists_1$ path $(\pi')_n$ of $K'$ with $\pi'_0(s_{clk}) = 0 \wedge \forall j: \pi_j = (\iota'_j, \sigma'_j|_{Var}) \wedge \pi'_i(s_{clk}) \sim c$.
2. Let $(\pi')_n$ be a path of $K'$, $i \ge 0$ with $\pi'_0(s_{clk}) = 0 \wedge \pi'_i(s_{clk}) \sim c$.
   Define the path $(\pi)_n$ in $K$ with $\forall j: \pi_j = (\iota'_j, \sigma'_j|_{Var})$.
   Then $(\pi)_n$ is a path of $K$ with $|\{j \mid j \le i \wedge (K,\pi_j) \models C\}| \sim c$.

Proof (sketch). Follows by the definition of $K'$ and the choice of the domain of the specification clock $s_{clk}$.

The next definition gives the translation of TCTL into CTL. The time constraints of TCTL are translated into conditions on the specification clock $s_{clk}$ in CTL. The resulting CTL formulae can be model-checked over timed Kripke Structures with a CTL model-checker supporting the choose operator.

Definition 6 (Translation of TCTL into CTL). Let $expr$ be an expression over $Var$ and let $\varphi_1, \varphi_2$ be TCTL formulae. The translation $\tau$ of a TCTL formula into a CTL formula is inductively defined by:

$\tau(expr) := expr$

$\tau(\neg\varphi_1) := \neg\tau(\varphi_1)$

$\tau(\varphi_1 \wedge \varphi_2) := \tau(\varphi_1) \wedge \tau(\varphi_2)$

$\tau(\exists\varphi_1 U_{\sim c}\varphi_2) := \text{choose}\ s_{clk} : ((s_{clk} = 0) \wedge (\exists\tau(\varphi_1)\ U\ (\tau(\varphi_2) \wedge s_{clk} \sim c)))$

$\tau(\forall\varphi_1 U_{\sim c}\varphi_2) := \text{choose}\ s_{clk} : ((s_{clk} = 0) \wedge (\forall\tau(\varphi_1)\ U\ (\tau(\varphi_2) \wedge s_{clk} \sim c)))$

Remark 4. A CTL model-checker applied to a translated TCTL formula and the corresponding timed Kripke Structure will do the following. The translation of a path formula contains three parts. For the rightmost part (e.g. $\exists\varphi_1 U (\varphi_2 \wedge s_{clk} \sim c)$) the model-checker first computes the set of states satisfying this subformula. Modulo $s_{clk}$ this is exactly the set of states satisfying $\exists\varphi_1 U \varphi_2$ in the untimed Kripke Structure. Next, by the conjunction with $(s_{clk} = 0)$ the computed set of states is intersected with the set of states in which the specification clock evaluates to 0. The result is the set of states satisfying $\exists\varphi_1 U \varphi_2$ and the time constraint $\sim c$ of the TCTL formula in the timed Kripke Structure. Hence, modulo $s_{clk}$ this is the set of states satisfying the TCTL formula in the untimed Kripke Structure. Third, applying the choose operator for $s_{clk}$ to this set of states, the model-checker computes an extended set of states. A state is in this set independently of its particular valuation of $s_{clk}$. In other words: for an arbitrary state in the set, all states that differ only in the valuation of $s_{clk}$ are in the set, too.
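The following Python program is an added example, not the paper's tool, that carries out the reduction of Definitions 5 and 6 and the three-part evaluation of Remark 4 explicitly over a constructed three-state model. The model (states idle, wait, done with the successor relation SUCC), the choice of idle as the only state in which time does not pass, and the folding of the paper's input variables and transition function f into a plain successor relation are assumptions of this example; the specification clock s_clk, the time condition C, the choose operator (existential quantification over s_clk, as in Remark 3) and the translation follow the definitions above.

```python
# Added example (not the paper's code): explicit-state timed Kripke Structure
# (Definition 5), translation of TCTL into CTL (Definition 6) and CTL model
# checking with the choose operator (Remark 4), over a constructed model.
import operator
from typing import Dict, Set, Tuple

# Constructed model: a request is idle, then waits, then is done.  Inputs and
# f are folded into a successor relation (assumption of this example).
STATES = ["idle", "wait", "done"]
INIT = {"idle"}
SUCC: Dict[str, Set[str]] = {"idle": {"wait"}, "wait": {"wait", "done"}, "done": {"done"}}


def time_passes(s: str) -> bool:
    """Time condition C; "idle" is taken as the unstable state in which time
    does not pass (assumption of this example, super-step style)."""
    return s != "idle"


CMP = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}

# TCTL syntax (Definition 1) as nested tuples:
#   ("expr", pred)  ("not", f)  ("and", f, g)  ("EU", f, op, c, g)  ("AU", f, op, c, g)
TRUE = ("expr", lambda s: True)
DONE = ("expr", lambda s: s == "done")
PHI_WITHIN_1 = ("EU", TRUE, "<=", 1, DONE)          # E true U<=1 done
PHI_WITHIN_2 = ("EU", TRUE, "<=", 2, DONE)          # E true U<=2 done
PHI_ALWAYS_WITHIN_2 = ("AU", TRUE, "<=", 2, DONE)   # A true U<=2 done

TState = Tuple[str, int]   # (state of K, value of s_clk)


def max_constraint(phi) -> int:
    """Greatest time constraint occurring in phi."""
    if phi[0] == "expr":
        return 0
    if phi[0] in ("not", "and"):
        return max(max_constraint(f) for f in phi[1:])
    return max(phi[3], max_constraint(phi[1]), max_constraint(phi[4]))


def timed_structure(n: int):
    """Definition 5: add s_clk with domain 0..n; s_clk is incremented
    (saturating at n) exactly when the successor state satisfies C."""
    states = [(s, k) for s in STATES for k in range(n + 1)]
    succ = {(s, k): {(t, min(n, k + 1) if time_passes(t) else k) for t in SUCC[s]}
            for s, k in states}
    return states, succ


def until(states, succ, f: Set[TState], g: Set[TState], universal: bool) -> Set[TState]:
    """Least fixpoint for E f U g (some successor) / A f U g (all successors)."""
    z = set(g)
    while True:
        if universal:
            pre = {q for q in states if succ[q] <= z}
        else:
            pre = {q for q in states if succ[q] & z}
        new = z | (f & pre)
        if new == z:
            return z
        z = new


def sat(phi, states, succ) -> Set[TState]:
    """States of the timed structure satisfying the translated formula."""
    kind = phi[0]
    if kind == "expr":
        return {q for q in states if phi[1](q[0])}
    if kind == "not":
        return set(states) - sat(phi[1], states, succ)
    if kind == "and":
        return sat(phi[1], states, succ) & sat(phi[2], states, succ)
    _, f1, op, c, f2 = phi
    # first part: f1 U (f2 and s_clk ~ c)
    inner = until(states, succ, sat(f1, states, succ),
                  sat(f2, states, succ) & {q for q in states if CMP[op](q[1], c)},
                  universal=(kind == "AU"))
    # second part: conjunction with s_clk = 0
    start = {q for q in inner if q[1] == 0}
    # third part: choose s_clk, i.e. add every state differing only in s_clk
    chosen = {q[0] for q in start}
    return {q for q in states if q[0] in chosen}


def model_check(phi) -> Set[str]:
    """States of K satisfying the TCTL formula phi (result modulo s_clk)."""
    n = max_constraint(phi) + 1
    states, succ = timed_structure(n)
    return {s for s, _ in sat(phi, states, succ)}


def holds(phi) -> bool:
    """K |= phi: phi holds in every initial state."""
    return INIT <= model_check(phi)


if __name__ == "__main__":
    for name, phi in [("E true U<=1 done", PHI_WITHIN_1),
                      ("E true U<=2 done", PHI_WITHIN_2),
                      ("A true U<=2 done", PHI_ALWAYS_WITHIN_2)]:
        print(name, sorted(model_check(phi)), holds(phi))
```

From idle the only path passes through wait and done, both states in which time passes, so s_clk reads 2 when done is first reached: the bound 1 fails in idle and the bound 2 holds. The universal variant fails in idle and wait because wait may loop forever, and it holds in done only. The sets returned by sat are closed under changes of s_clk, which is the property the proof sketch of Theorem 1 relies on.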

Theorem 1 states the equivalence of model-checking a TCTL formula over a Kripke Structure and model-checking the translated CTL formula over the corresponding timed Kripke Structure.

Theorem 1. Let $K$ be a Kripke Structure, $\varphi$ a TCTL formula and $K'$ the corresponding timed Kripke Structure. Then:

$K \models \varphi \Leftrightarrow K' \models \tau(\varphi)$

Proof (sketch). The proof is done by induction over the structure of $\varphi$. For state formulae there is nothing to do. For path formulae the following property is needed. For every computed set $\Sigma$ of states satisfying a translated subformula, whenever a state $\sigma$ belongs to $\Sigma$ then $\forall x \in dom(type(s_{clk})): \sigma[s_{clk} = x] \in \Sigma$. In particular $\sigma[s_{clk} = 0] \in \Sigma$. This property holds because state formulae do not refer to $s_{clk}$ and the translated path formulae extend computed sets of states by applying the choose operator to the specification clock $s_{clk}$. Based on this property, Lemma 1 can be applied.

4 Experimental Results

In this section we present some experimental results obtained with our tools. The model-checker we use is the ROBDD [1,3] based assumption/commitment style CTL model-checker provided by our project partner Siemens [10]. All results were evaluated on a Sun SPARC 20 running at 60 MHz.

Table 1. Experimental results

    Model   tm2smi (in s)   smi2fsm (in s)   # of bits input/state   # of BDD nodes   MC (in s)
    TLC     2.56            0.45             18/33                   2485             12.1
    SMS     4.82            6.41             13/53                   3284             11.6
    HMS     6.78            1.60             32/103                  4195             87.4

Table 1 overviews the results for three examined case studies. The TLC is the well known traffic light controller enhanced by timing information modeling the delay of changing the lights. The second example is a component of a Storage Management System (SMS) of an aircraft. This industrial sized application was provided by our project partner British Aerospace. Finally, we model-checked a Helicopter Monitoring System (HMS) which was provided by our project partner

ESG. The second column contains the times needed for the translation from Statemate into SMI. The third column shows the times to generate finite Kripke Structures. Columns four and five indicate the complexity of the studies. Finally, in the MC column, times for model-checking of relevant real-time properties on the given models are presented.

Beyond these experiences with verifying moderately sized Statemate designs against TCTL formulae, we already have very encouraging results on verifying substantially larger timed Statemate designs against CTL formulae. Some of these results are presented in [4]. There we have shown that our tools are very powerful in generating Kripke Structures and performing CTL model-checking. Industrial sized applications with several hundred state bits could be handled. These models contain all clocks that model timeouts and scheduled actions of Statemate designs. Because for TCTL model-checking only the additional specification clock $s_{clk}$ has to be added, we will apply our toolset on these designs, too, and we expect to be able to verify relevant real-time properties for them.

5 Conclusions and Future Work

In this paper an approach for real-time verification of Statemate designs against TCTL formulae has been presented and its usability on some case studies of concurrent systems was demonstrated. Furthermore, a reduction from TCTL model-checking to CTL model-checking to perform the verification task was introduced. Because of the complexity of Statemate, there are some rarely used features not yet covered by our tools. Our future work is about closing this gap in order to support even these features. Also, we have a lot of ideas for optimizations that can be performed in order to generate smaller Kripke Structures out of Statemate designs. Some of these ideas have already been implemented and results have been presented in [4]. Applying these optimizations, we expect to be able to verify real-time properties of much bigger designs in the near future.

Acknowledgment. We thank our project partners British Aerospace, ESG, SIEMENS and i-Logix for providing the tools, case studies and for discussions. Furthermore we thank Werner Damm and Martin Fränzle for helpful discussions.

References

1. S. B. Akers. Binary decision diagrams. In Transactions on Computers, No. 6 in Vol. C-27, pages 509-516, IEEE, 1978.
2. R. Alur, C. Courcoubetis and D. Dill. Model-Checking for Real-Time Systems. In Proceedings of the 5th Symposium on Logic in Computer Science, pages 414-425, Philadelphia, June 1990.
3. K. S. Brace, Richard L. Rudell and Randal E. Bryant. Efficient implementation of a BDD package. In Proceedings 27th Design Automation Conference, pages 40-45, Orlando, Florida, 1990. ACM/IEEE.
4. U. Brockmeyer and G. Wittich. Tamagotchis need not die - Verification of Statemate Designs. Tools and Algorithms for the Construction and Analysis of Systems (TACAS'98), March 1998.

5. J. R. Burch, E. M. Clarke, K. L. McMillan, and D. L. Dill. Sequential circuit verification using symbolic model checking. In ACM/IEEE Design Automation Conference, 1990.
6. J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill and Jim Hwang. Symbolic model checking: 10^20 states and beyond. In Proceedings of the Fifth Annual IEEE Symposium on Logic in Computer Science, June 1990.
7. S. Campos, E. M. Clarke, M. Minea. The Verus Tool: A Quantitative Approach to the Formal Verification of Real-Time Systems. In Proceedings of CAV'97, edt. O. Grumberg, LNCS 1254, 1997.
8. W. Damm, U. Brockmeyer, H. J. Holberg, G. Wittich and M. Eckrich. Einsatz formaler Methoden zur Erhöhung der Sicherheit eingebetteter Systeme im KFZ. VDI/VW Gemeinschaftstagung, 1997.
9. W. Damm, H. Hungar, B. Josko and A. Pnueli. A Compositional Real-Time Semantics of STATEMATE Designs. In Proceedings of COMPOS 97, edt. H. Langmaack and W. P. de Roever, Springer Verlag, to appear 1998.
10. T. Filkorn, SIEMENS AG. Applications of Formal Verification in Industrial Automation and Telecommunication. In Proceedings, Workshop on Formal Design of Safety Critical Embedded Systems, April 1997.
11. D. Harel. Statecharts: A Visual Formalism for Complex Systems. Science of Computer Programming 8, 1987.
12. D. Harel, H. Lachover, A. Naamad, A. Pnueli, M. Politi, R. Sherman, A. Shtull-Trauring and M. Trakhtenbrot. STATEMATE: A working environment for the development of complex reactive systems. In IEEE Transactions on Software Engineering, 16:403-414, 1990.
13. D. Harel and A. Naamad. The Statemate Semantics of Statecharts. In ACM Transactions on Software Engineering and Methodology, Vol 5 No 4, 1996.
14. D. Harel, A. Pnueli, J. P. Schmidt and R. Sherman. On the Formal Semantics of Statecharts. In Proceedings First IEEE Symposium on Logic in Computer Science, 1987.
15. D. Harel and M. Politi. Modeling Reactive Systems with Statecharts: The Statemate Approach. i-LOGIX INC., Three Riverside Drive, Andover, MA 01810, June 1996. Part No. D-1100-43.
16. T. A. Henzinger and O. Kupferman. From Quantity to Quality. In Proceedings of Hybrid and Real-Time Systems (HART'97), March 1997.
17. E. Mikk, Y. Lakhnech, C. Petersohn and M. Siegel. On Formal Semantics of Statecharts as Supported by Statemate. In Proceedings of BCS-FACS Northern Formal Methods Workshop, 1997.
18. S. Owre, N. Shankar and J. M. Rushby. A Tutorial on Specification and Verification Using PVS. Computer Science Laboratory, SRI International, 1993.
19. M. von der Beeck. A Comparison of Statechart Variants. In Formal Techniques in Real-Time and Fault-Tolerant Systems, number 863 in Lecture Notes in Computer Science, 1993.