1

Checking Interaction Checking Interaction Consistency in MARMOT Consistency in MARMOT Component RefinementsComponent Refinements

Yunja Choi

School of Electrical Engineering and Computer Science

Kyungpook National University

2

OverviewOverview

MARMOT methodologyComponent and refinements

Interaction consistency A general framework for consistency checkingCase example

Model checking elevator system

Performance improvement through abstraction Discussion

3

MARMOT MARMOT MethodologyMethodology

Branched from KobrA by Atkinson et. alDesigned for the development of embedded systems

High quality system through systematic, structured developmentComponents are the focus of entire development process

Tree-structured hierarchy of components Flexibility and reuse of components

5

MARMOT Component MARMOT Component Statecharts

Class Diagram

OperationSchemata

Class DiagramSequenceDiagram

ObjectDiagram

(Architecture)

Specification

Realization

Refined componen

t

Refining componen

t

6

Recursive Recursive DevelopmentDevelopment

SpecificationRealization

Identification

Kpt A

Kpt B

Kpt D

Kpt C

ComponentReuse

COTS Component

7

Example: elevator Example: elevator systemsystem

maintenance(from Context)

<<role>>

Help_Center

notify()

(from Context)

elevator_service

move(Up, Down)callhelp()start()stop()

main_service(from Context)

floor(from Context)elevator_context

current_positionelevator_statusdoor_statusmoving_direction

move()selectFloor()hold()close()help()startElevator()stopElevator()

supporting_service(from Context)

request_for_moving

entry/ floor::location := CHOOSE { 1..5 }exit/ Call Elevator_Context::move(floor::location)...

[ Elevator_Context::elevator_status = Normal ]

get_into_elevator

[ Elevator_Context::current_position = floor::location and Elevator_Context::door_status = Open ]

hold_door

in_elevator get_out

select_destination

close_door

entry/ Call Elevator_Context::close()

[ else ]

[ Elevator_Context::current_position = user::destination and

Elevator_Context::door_status = Open ]

8

Specifying externally visible Specifying externally visible behaviorbehavior

Off Starting

Halt

operational

suspended

closing_door

holding_door

select_des

tination

Elevator_Context::moveElevator_Context::stopElevator / RETURN SUCCESS

Elevator_Context::move

Elevator_Context::close

Elevator_Context::hold

[ else ]

[ Elevator_Context::elevator_status

= Normal ] / RETURN SUCCESS[ Elevator_Context::elevator_status

= Abnormal ] / RETURN FAIL

Elevator_Context::startElevator()

ELSE_IGNORE

[ Elevator_Context::moving_direction = Halt ]

/ Elevator_Context::door_status := Open

Elevator_Context::selectFloor

Elevator_Context::callHelp

[ Elevator_Context::elevator_status

= Abnormal ]

[

Elevator_Context::elevator_

status = Normal ]

[

Elevator_Context::door_s

tatus = Open ]

[ Elevator_Context::door_status = Closed ]

Elevator_Context::hold[

Elevator_Context::door_

status = Open ]

9

Quality ControlQuality Control

MAMOT supports systematic identification and refinements of a component

the principle of “separation of concerns”: specification vs. realizationIterative decomposition and refinements

There can be many issues in consistencyStructural consistencyBehavioral consistency

Behavioral consistency between the realization of refined component and the specification of its refining components

10

Interaction Interaction ConsistencyConsistency

at ith refinement step, the realization of the refined component constrains the environment of the refining componentsA system is consistent with its environment in its behavior if it either terminates normally or runs infinitely under the infinite sequence of stimuli generated from its environment

A system is inconsistent with its environment in its behavior if it terminates abnormally under the infinite sequence of stimuli generated from its environment

11

Process modelProcess model

A component and its environment are specified as two processes P and E, where each of them is represented as a labeled transition system (Sp, Lp, Rp, Ip, Tp) and (Se, Le, Re, Ie, Te)A restricted form of process composition of P and E is defined as P↑E = (Sp× Se, Lp∪ Le, Rp× Re, Ip× Ie, Tp× Te) where

12

Consistency ModelConsistency Model

external internal

external internal

behavior

attribute

operation

structure

external internal

external internal

behavior

attribute

operation

structure

component

component

+refined

+refining

component model at i_th level

component model at (i+1)_th level

component model at (i-1)_th level

A compositonal process forming an environment

Process P_1 from refining component 1

Process P_2 from refining component 2

Process P_i from refining component i

actions generated by the environment change of states

consistency model

13

Formal definitionsFormal definitions

TerminationTerminate(P(s))↑E : P terminates to a state s that belongs to the pre-defined set of terminal states T under the environment EP(s) ∧ s ∈T, If P is a compositional process, P = P1∥ P2∥.. ∥ Pn

Terminate(P(s)) ↑E if and only if ∀i, Terminate(Pi(si)) ↑Ei , where Ei = E ∥ P1∥ P2∥.. Pi-1 ∥ Pi+1 ∥ … ∥ Pn

14

Formal definitionsFormal definitions

ProgressivenessProgress(P(s)) ↑E : eventually, there is a transition out of the state s under the environment E

Interaction ConsistencyConsistent(P(s)) ↑E = Terminate(P(s))↑E ∨ Progress(P(s)) ↑E

15

Model checking Model checking consistencyconsistency

Based on the exhaustive search of system state-spaceFully automated

SPIN: invalid-endstate checkingSMV: we can formulate the consistency property in temporal logic and use model checker to verify it

Provide counter-examplesNeed translation to PROMELA or SMV input language

A number of translation approaches are available

16

model checking consistencymodel checking consistency- Framework -- Framework -

consistency model

original model

UML model (tool & version

dependent)

model in xml format

UML 2.0. metamodel library

UML abstract syntax tree (tool

& version independent)

SMV metamodel library

XMI export

generate abstract syntax

tree

xml DTD/Schema

mapping

JDOM

PROMELA metamodel library

PROMELA consistency

model

UML-to-SMV translation

UML-to-PROMELA translation

SMV consistency

model

17

Consistency Model in Consistency Model in PROMELAPROMELA

/* message channel */chan event = [10] of {mtype, byte};

/* cabin statechart */active proctype cabin(){ mtype signal ; byte param; byte location;

non_operational : do :: event[0]?[eval(cabin_start)] -> event?signal,param; goto ready; od; ready: do :: event[0]?[eval(cabin_getDestination)] -> event?signal,param; destination = param; if :: destination < location -> goto moving_down; :: destination > location -> goto moving_up; fi; :: event[0]?[eval(cabin_help)] -> event?signal,param; goto emergency; :: event[0]?[eval(cabin_stop)] -> event?signal,param; goto non_operational; od; moving_down: ... moving_up: ... emergency: ... end_state: skip;

}

/* representing the composition of action systems */active proctype env(){ bool started =0; initial_state: start_activity(); started = 1;

operational: /* non-deterministic invocation of actions */ do :: 1 -> moveup(); :: 1 -> wait(); :: 1 -> movedown(); :: 1 -> stop(); :: 1 -> terminate(); started = 0; break; :: 1 -> help_activity(); od; goto initial_state;}

inline moveup(){ event!moveUp,0; event!getLocation,0;

CabinArrived; event!cabin_getDestination,destination; event!controller_getDestination,destination;

event!moveCabin,0; DestinationReached; }

18

Performance issuePerformance issue

Model Search depth States Transitions Memory Time

elevator1 422,314 3e+06 6e+06 106.62 M 2 min.

elevator2 (e) 999,999 7e+07 1.5e+08 540.8 M 24 min.

elevator0 1,040 1,053 1,377 5.5 M < 1 min.

1,999,999 1.5e+08 2.3e+08 614.1 M 42 min.elevator2 (b)

19

Abstraction Abstraction techniquestechniques

Trigger-based abstractionAbstract the environment so that it contains all the transitions generating a triggering event for the process P, and all the transitions from the initial state leading to the transition

Transition reduction collapse several transitions into one if the intermediate transitions do not generate triggering actions for the process P

s0 s1 s2 si Si+1

ti /ai

s0 si Si+1

ti /ai

20

Performance Performance ImprovementImprovement

Model Search depth States Transitions Memory Time

elevator3 (e) 250,388 5e+06 1.2e+07 210.4 M 4 min.

elevator3 (b) 277,059 7e+06 1.7e+07 287.4 M 4 min.

elevator5 (e) 402,022 8e+06 2.6e+07 626+ M 8 min.

elevator5 (b) 3,460,587 3.8e+07 1.2e+08 505 M 23 min.

21

DiscussionDiscussion

Formal methods can be effective and useful when integrated into development process

Our work focuses on the seamless integration

There are a number of existing works on UML consistency, refinements, CBD methodology, and the use of model checking

However, they mostly focus on one of the issues separately.Hardly any of the earlier works concerns on performance issue when using model checkingEnvironment constraints have been manually identified in the previous works

More investigation is needed on optimization and automation

Translation and abstraction

22

Thank you!