Xiaosong LuTogashi LaboratoryDepartment of Computer ScienceShizuoka University

Ａｐｒｉｌ 1999

Specification and Verificationof Hierarchical Reactive SystemsSpecification and Verificationof Hierarchical Reactive Systems

* Research Background and Objective

* System Properties and Requirements

* Formal Specifications

* Soundness and Completeness

* Synthesis of Formal Specifications

* Compositional Verification

* Reflection

IntroductionIntroduction

* Statecharts (Modechart, RSML)* Visual Formalism* State Hierarchy and broadcast communication

* SDL: Communicating finite-state machines

* Petri Net: Event-driven, one-level concurrency

* CCS, CSP: algebraic nature, recursion, nested concurrency, naming, channel communication ...

Related WorkRelated Work

* A New Methodology for Reactive Systems* System requirements: Declarative language* Formal specifications: Hierarchical state

machines

* A Flexible Development Environment * Stepwise Refinement* Reflection

* Automatic Synthesis and Verification

* Support of Modularity and Reusability

Research ObjectiveResearch Objective

System Requirements

Synthesis System

Formal Specifications

Compiler

ProgramsPrograms

Requirement Acquisition

Verifier

Simulator

Present system

Reflection System

System OverviewSystem

Overview

* SPS = < P, L, D, L0 >* P: all atomic propositions* L: partition of P* D L×L: partial order relation⊆* L0: topmost level propositions

Hierarchical System Properties Hierarchical System Properties

SPS of a Radio/Tape PlayerSPS of a Radio/Tape Player

OnOn

Radio, TapeRadio, Tape StereoStereo

Am, FmAm, Fm Play, Pause Play, Pause

P

Lo

D

L

* ρ = < id, a, fin, o, fout >* id: name* a: input symbol* fin: pre-condition* o: output symbol* fout: post-condition

* Power on : ￢ On On : ⇒* < Power on, Power, ￢ On, , On >

Function Requirement Function Requirement

Power

* A Requirement Module of the Player

* RM = < id, F, γ0, B, Σ, O, TF >

System Requirement ModuleSystem Requirement Module

RM1 ￢ On Power

￢ On On,⇒Power

TF : Temporal logic formulae

BName γ0 Σ Ο

On ⇒ ￢ OnPower

PowerPower

Other Requirement ModulesOther Requirement Modules

RM2 Radio RT

Radio Tape,⇒RT

TF : Temporal logic formulae

On

RTTape Radio⇒

RM3 Stereo S

Stereo ⇒ ￢ Stereo, S

TF : Temporal logic formulae

On

S￢ Stereo Stereo ⇒

Radio/TapeRadio/Tape

StereoStereo

Other Requirement ModulesOther Requirement Modules

RM4PlayPause

￢ Play Play⇒

(TF : Temporal logic formulae)

PL,PAStop

Tape

Play∧ ￢ Pause Pause, Play Pause ⇒ ∧ ⇒ ￢ Pause

Play ⇒ ￢ Play∧ ￢ Pause

PA

RM5 Am,Fm AF

Am Fm, Fm Am⇒ ⇒

(TF : Temporal logic formulae)

Radio

TapeTape

RadioRadio

* R = < RM, RM0, ＞ , C >

* System Requirement of the Player

System RequirementSystem Requirement

RM1 - PowerRM1 - Power

RM2 - Radio/TapeRM2 - Radio/Tape RM3 - StereoRM3 - Stereo

RM5 - Radio RM5 - Radio RM4 - Tape RM4 - Tape

RM0

＞

* TM = < id, Q, Σ, O, →, q0, B >

* A State Transition Module of the Player

State Transition ModuleState Transition Module

PowerPower

￢ On￢ On OnOn

Power

Power QΣ

→

q0

* M = < TM, 》 , TM0 >

* TM: state transition modules* 》 : partial order relation of state transition

modules* TM0 TM: initial state transition modules ⊆

Formal SpecificationFormal Specification

Formal Specification of the PlayerFormal Specification of the Player

￢ On￢ On OnOnPower

Power

RadioRadio TapeTape

RT

RTStereoStereo ￢ Stereo￢ Stereo

S

S

￢ Play∧ ￢ Pause￢ Play∧ ￢ PausePL

Play∧ ￢ PausePlay∧ ￢ Pause

Play Pause∧Play Pause∧PA

StopStop

PAAmAm FmFm

AF

AF

TM0

》

Sub-states, Sub-transition, DefaultSub-states, Sub-transition, Default

￢ On￢ On OnOnPower

Power

RadioRadio TapeTape

RT

RTStereoStereo ￢ Stereo￢ Stereo

S

S

￢ Play∧ ￢ Pause￢ Play∧ ￢ PausePL

Play∧ ￢ PausePlay∧ ￢ Pause

Play Pause∧Play Pause∧PA

StopStop

PAAmAm FmFm

AF

AF

TM0

》

Substates(Tape)

Default(On)

Sub-transition(Radio)

Global Behavior of the PlayerGlobal Behavior of the Player

￢ On￢ On

StereoStereo

OnOn

RadioRadio

AmAm

Power

RT

TapeTape

￢ Play∧ ￢ Pause￢ Play∧ ￢ Pause

OnOn

StereoStereo

PL

Play∧ ￢ PausePlay∧ ￢ Pause

OnOn

TapeTape

StereoStereo

￢ On￢ On

Power

Global Transition SystemGlobal Transition System

Power￢ On￢ On

Power

AF RT

On, Tape￢ Play, ￢ Pause

On, Tape￢ Play, ￢ Pause

PL StopStop

PA On, TapePlay,PauseOn, Tape

Play,PauseOn, Tape

Play, ￢ PauseOn, Tape

Play, ￢ PausePA

On, RadioAm

On, RadioAm

On, RadioFm

On, RadioFm

AFRT

RT

RT

Power

PowerPower

Power

StereoStereo ￢ Stereo￢ Stereo

S

S

* Transition ├ Function Requirement

* Transition Module ├ Requirement Module

* Formal Specification ├ System Requirement

SoundnessSoundness

* M is Complete w.r.t. R * M is sound w.r.t. R* ∀sound M’ w.r.t. R, * ∃homomorphism ξ: M’→M

* Standard System of R* sound* complete* unique

CompletenessCompleteness

* Synthesis System

*

* Theorem on Synthesis: * The derived system is standard.

Synthesis of Formal SpecificationSynthesis of Formal Specification

system requirement

module

system requirement

module

Statetransitionmodule

Statetransitionmodule

System Requirement

System Requirement

Formal Specification

Formal Specification

* Verification of Linear-time Properties* reachability analysis* liveness, fairness and safeness verification* trace analysis

* Verification with Branching-time Logic* TCTL* partial model checker* further discussion

Compositional VerificationCompositional Verification

* Bottom-up Algorithm

* Time Complexity: O(|T| ・ logs|M|)

Reachability AnalysisReachability Analysis

PowerPower

Radio/TapeRadio/Tape StereoStereo

Radio Radio Tape Tape 1. Analyze local

reachability[Play, Pause]

2. Find upper module, analyze

[Tape]

3. Until initial module reached

[On]

* Liveness: every state is in a circle * local liveness* upper state liveness

* Fairness: strongly connected* initial module local fairness* all states reachable

* Safeness: absence of deadlock* deadlock detection

Liveness, Fairness, SafenessLiveness, Fairness, Safeness

AA

DD CC

BB

AA

DD CC

BB

AA

DD CC

BB

* Syntax* p, a, o are TCTL formulae* ￢ f1, f1 f∧ 2, AXf1, EXf1, A[f1Uf2], E[f1Uf2] are

TCTL formula* f ＼ P, f ＼ A, f ＼ O are TCTL formulae

* Trace-based Semantics

Branching-time Logic: TCTLBranching-time Logic: TCTL

* Partial verification* hierarchical structure based* sequential portion of formal specification* any level specification

* Partial Model Checker* obtain list of all subformulas of f to be verified* label states with formulas on the hierarchical

structure* backwards search for EX and EU

Partial Model CheckerPartial Model Checker

* Compositional Verification with Proof

* Compositional Minimization

* Symbolic Model Checking

Further Discussion on VerificationFurther Discussion on Verification

* Transition Addition/Deletion/Modification

* State Addition/Deletion

* Nonexecutable Function Detection

ReflectionReflection

System Requirement

System Requirement

Formal Specification

Formal Specification

* A Methodology for Specification and

Verification of Reactive Systems

* Future Work* Real-time, Predicate logic* Extensions on compositional verification* An integrated support environment

ConclusionConclusion