5th NASA LFM Workshop 2000
Oscar Slotosch, TU München, slide 1, Williamsburg, 6.13 - 6.16.2000

Introduction to AUTOFOCUS/Quest

Contents:
1. AutoFocus: Concepts
2. Model Description Techniques
3. Consistency Checks
4. Simulation
5. Project Quest: Validation
6. Model Checking & Abstraction
7. Testcase generation
8. Verification
9. Summary
Concepts of AUTOFOCUS/Quest
formal, logical foundation: FOCUS, mathematical models and methods for distributed systems based on traces and stream processing functions (combine functions & states)
view orientation: different views of a semantic model
modularity: hierarchic views
orthogonal concepts
integration: close connection to other languages and tools
Contributions of AUTOFOCUS/Quest
• software engineering: structure systems; modular; consistency; validation; integration into process (requirements, design, implementation, test)
• formal methods & tools: application; evaluation; integration into SWE process; improve (facilitate) inputs (and outputs) to formal tools
• teaching & research: platform for experimentation (case studies, prototypes, research, ...); teach students practical SWE & programming
• industry: create spin-off company: Validas AG; provide support and introduction to highest software quality
Modeling with AUTOFOCUS
• description techniques (views): structure: System Structure Diagrams (SSDs); behaviour: State Transition Diagrams (STDs); interaction: Extended Event Traces (EETs); data: Data Type Definitions (DTDs)
• common attributes of views: hierarchy; conceptual & semantic model; integration
Example: Traffic Lights
• lights for pedestrians and cars
• request buttons and indicators for pedestrians
• task: develop a correct controller for the lights
System Structure Diagram (SSD): structure and interfaces
• network of distributed components
• typed, directed data flow channels
• ports for interfaces (I/O)
• local variables
• hierarchy: sub-SSDs in components; ports connect views
State Transition Diagram (STD): behaviour of components
• states
• transitions with:
  • precondition: x>0
  • input: set?x
  • output: timeout!
  • actions: t=x-1
  • label: starting
• hierarchy: substates described with STDs; interface points for interlevel transitions
Extended Event Trace (EET)
[EET figure on the slide: one axis each for the components DetCLOSE, DetOPEN, Split and Compare_Logic; messages SelectHighIWLTrigger.Present, SelectHighIWLTrigger1.Present, SelectHighIWLTrigger2.Present, SelectHighIWLTrigger3.Present, notCLOSE.Present and OWL3.S25; a box "Initialization" carrying the repetition modifier "1 - *"]
• communication of components: axis for each component; messages with port patterns; ticks: x=0; modifiers: indicate repetition
• hierarchy: boxes contain alternative EETs; component hierarchy
• applications: requirements; test cases; counter examples; protocols of simulation
Data Type Definition (DTD)
• define types and functions for channels, ports and variables
• define values (terms) and patterns for transitions, messages and properties
• hierarchy: DTDs import DTDs; types use other types

// type of car's lights
data CarColor = Red | RedYellow | Green(Int) | Yellow;
// type of signals
data Signal = Present;
// function for switching
const TG = 10;
fun switching(Red) = RedYellow
  | switching(RedYellow) = Green(TG)
  | switching(Green(0)) = Yellow
  | switching(Green(n)) = Green(n-1)
  | switching(Yellow) = Red;
Conceptual Models
[Two class diagrams on the slide, "model" and "views", with the classes Component (-Name:String), Channel (-Name:String, -Type:MIFType) and Port (-Name:String, -Direction:Direction, -Type:MIFType) and these associations: a Component owns 0..* Ports, each Port belongs to exactly 1 Component; a Component has 0..* SubComponents and 0..1 SuperComponent; a Component contains 0..* Channels; a Channel has exactly 1 SourcePort (a Port has 0..* OutChannels) and exactly 1 DestinationPort (a Port has 0..1 InChannel)]
Consistency Checks
• inter and intra view checks
• based on conceptual model
• user definable
• example: every channel has two ports with the same type
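The consistency check named on the slide, as an added example that is not part of the slides or of the AutoFocus tool: the conceptual model of the SSD view (Component, Port, Channel with Name, Type and Direction) is encoded as Python classes, and two user-defined checks are run over a constructed traffic-lights SSD. The class and port names, the `TrafficLights` system and the representation of `MIFType` as a plain type-name string are assumptions of this example; the direction and fan-in checks go beyond the slide's "same type" example.

```python
from dataclasses import dataclass, field
from enum import Enum

# Added example (not AutoFocus code): the conceptual model of the SSD view as
# shown on the slide (Component, Port, Channel with Name / Type / Direction)
# plus user-defined consistency checks run over a constructed traffic-lights SSD.
# "MIFType" is represented by a plain type-name string.


class Direction(Enum):
    IN = "in"
    OUT = "out"


@dataclass
class Component:
    name: str
    ports: list = field(default_factory=list)            # Component 1 -- 0..* Ports
    channels: list = field(default_factory=list)         # Component 1 -- 0..* Channels
    sub_components: list = field(default_factory=list)   # SuperComponent 0..1 -- 0..* SubComponents

    def add_port(self, name, direction, type_name):
        port = Port(name, direction, type_name, self)
        self.ports.append(port)
        return port

    def add_channel(self, name, type_name, source, destination):
        channel = Channel(name, type_name, source, destination)
        self.channels.append(channel)
        return channel


@dataclass
class Port:
    name: str
    direction: Direction
    type_name: str
    owner: Component


@dataclass
class Channel:
    name: str
    type_name: str
    source: Port        # SourcePort, exactly 1 (a port may have 0..* OutChannels)
    destination: Port   # DestinationPort, exactly 1 (a port has 0..1 InChannel)


def check_channel_ports(component):
    """Intra-view check from the slide: every channel has two ports of the same type.
    The direction checks are an addition of this example."""
    errors = []
    for ch in component.channels:
        src, dst = ch.source, ch.destination
        if src.type_name != dst.type_name:
            errors.append(f"{ch.name}: port types differ ({src.type_name} vs {dst.type_name})")
        if ch.type_name != src.type_name:
            errors.append(f"{ch.name}: channel type {ch.type_name} differs from port type {src.type_name}")
        if src.direction is not Direction.OUT:
            errors.append(f"{ch.name}: source port {src.owner.name}.{src.name} is not an output port")
        if dst.direction is not Direction.IN:
            errors.append(f"{ch.name}: destination port {dst.owner.name}.{dst.name} is not an input port")
    return errors


def check_port_fan_in(component):
    """Multiplicity check derived from the conceptual model: a port has at most one InChannel."""
    errors, first_channel = [], {}
    for ch in component.channels:
        key = (ch.destination.owner.name, ch.destination.name)
        if key in first_channel:
            errors.append(f"port {key[0]}.{key[1]} is the destination of both {first_channel[key]} and {ch.name}")
        else:
            first_channel[key] = ch.name
    return errors


def check_model(component):
    """Apply all checks to a component and, following the hierarchy, to its sub-components."""
    errors = check_channel_ports(component) + check_port_fan_in(component)
    for sub in component.sub_components:
        errors += check_model(sub)
    return errors


def traffic_lights_ssd(mismatch=False):
    """Constructed SSD for the traffic-lights example: pedestrian button, controller, car light.
    With mismatch=True the car light's input port gets the wrong type."""
    system = Component("TrafficLights")
    button, controller, car_light = Component("PedButton"), Component("Controller"), Component("CarLight")
    system.sub_components += [button, controller, car_light]
    req_out = button.add_port("request", Direction.OUT, "Signal")
    req_in = controller.add_port("request", Direction.IN, "Signal")
    color_out = controller.add_port("carColor", Direction.OUT, "CarColor")
    color_in = car_light.add_port("color", Direction.IN, "Signal" if mismatch else "CarColor")
    system.add_channel("Request", "Signal", req_out, req_in)
    system.add_channel("CarColorCh", "CarColor", color_out, color_in)
    return system


if __name__ == "__main__":
    print("consistent model:", check_model(traffic_lights_ssd()) or "no errors")
    print("inconsistent model:", check_model(traffic_lights_ssd(mismatch=True)))
```

`check_model` walks the component hierarchy, so a check written once against the conceptual model applies to every sub-SSD; adding a further user-defined check means adding one function over `Component` and calling it from `check_model`.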
Create Consistency Checks
Apply Consistency Checks
Semantic Model
• simple synchronous model (no buffers)
• global clock (Takt) for all components
• all components synchronously: read their inputs from channels; execute transitions; write outputs to channels; start new cycle
• main application area: embedded systems
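The synchronous semantics just described, as an added example that is not part of the slides or of the AutoFocus tool: a small interpreter in which every global clock cycle reads all inputs from the channels, lets each component execute one transition (precondition, input pattern, output, action, as on the STD slide) and writes the outputs back to the channels, with no buffering. The `CarColor` type and `switching` function come from the DTD slide; the controller STD, the `Button` and `CarLight` components and their port names are constructed for this example, and the choice that outputs see the pre-state of the local variables is a choice of this example, not a statement about AutoFocus.

```python
from dataclasses import dataclass, field
from typing import Callable

# Added example (not AutoFocus code): synchronous interpreter for the semantic model
# on the slide (global clock, no buffers) applied to the traffic-lights example.
# CarColor / switching follow the DTD slide; the STDs below are constructed.

TG = 10
ANY = object()   # input pattern "port?x": any message on the port, bound to the transition's inputs


def switching(color):
    """The DTD function 'switching'; CarColor values are encoded as (constructor, argument)."""
    tag, n = color
    if tag == "Red":
        return ("RedYellow", None)
    if tag == "RedYellow":
        return ("Green", TG)
    if tag == "Green":
        return ("Yellow", None) if n == 0 else ("Green", n - 1)
    if tag == "Yellow":
        return ("Red", None)
    raise ValueError(f"not a CarColor: {color}")


@dataclass
class Transition:
    source: str
    target: str
    pre: Callable = lambda v: True                  # precondition over the local variables
    inputs: dict = field(default_factory=dict)      # port -> expected message, or ANY
    outputs: Callable = lambda v, i: {}             # (vars, inputs) -> {port: message}
    action: Callable = lambda v, i: None            # (vars, inputs) -> updates vars in place


@dataclass
class Component:
    name: str
    state: str
    vars: dict
    transitions: list
    inbox: dict = field(default_factory=dict)
    outbox: dict = field(default_factory=dict)

    def execute(self):
        """Fire the first enabled transition; with none enabled the component idles this cycle."""
        for t in self.transitions:
            if t.source != self.state or not t.pre(self.vars):
                continue
            if not all(p in self.inbox and (pat is ANY or self.inbox[p] == pat)
                       for p, pat in t.inputs.items()):
                continue
            self.outbox = t.outputs(self.vars, self.inbox)   # outputs see the pre-state
            t.action(self.vars, self.inbox)
            self.state = t.target
            return
        self.outbox = {}


class System:
    def __init__(self, components, channels):
        self.components = {c.name: c for c in components}
        self.channels = channels      # [((src component, src port), (dst component, dst port))]
        self.on_channel = {}          # messages currently on the channels, keyed by source port

    def step(self):
        """One global clock cycle: read inputs, execute transitions, write outputs."""
        for c in self.components.values():
            c.inbox = {}
        for (src, sport), (dst, dport) in self.channels:
            if (src, sport) in self.on_channel:
                self.components[dst].inbox[dport] = self.on_channel[(src, sport)]
        for c in self.components.values():
            c.execute()
        self.on_channel = {}          # no buffers: a message not read in this cycle is lost
        for c in self.components.values():
            for port, msg in c.outbox.items():
                self.on_channel[(c.name, port)] = msg


def run_traffic_lights(press_ticks, ticks):
    """Constructed scenario: the pedestrian button is pressed at the given ticks.
    Returns the colour held by the CarLight component after each cycle."""
    advance = lambda v, i: v.update(color=switching(v["color"]))
    button = Component("Button", "Run", {"tick": 0, "presses": set(press_ticks)}, [
        Transition("Run", "Run",
                   outputs=lambda v, i: {"request": "Present"} if v["tick"] in v["presses"] else {},
                   action=lambda v, i: v.update(tick=v["tick"] + 1))])
    controller = Component("Controller", "Wait", {"color": ("Green", 0)}, [
        # request?Present : light!switching(color) : color = switching(color)
        Transition("Wait", "Cycling", inputs={"request": "Present"},
                   outputs=lambda v, i: {"light": switching(v["color"])}, action=advance),
        # keep cycling until Green(1); requests arriving meanwhile are not consumed
        Transition("Cycling", "Cycling", pre=lambda v: v["color"] != ("Green", 1),
                   outputs=lambda v, i: {"light": switching(v["color"])}, action=advance),
        Transition("Cycling", "Wait", pre=lambda v: v["color"] == ("Green", 1),
                   outputs=lambda v, i: {"light": switching(v["color"])}, action=advance)])
    car_light = Component("CarLight", "On", {"color": ("Green", 0)}, [
        Transition("On", "On", inputs={"light": ANY},           # light?x : color = x
                   action=lambda v, i: v.update(color=i["light"]))])
    system = System([button, controller, car_light],
                    [(("Button", "request"), ("Controller", "request")),
                     (("Controller", "light"), ("CarLight", "light"))])
    history = []
    for _ in range(ticks):
        system.step()
        history.append(car_light.vars["color"])
    return history
```

A press at tick 1 reaches the controller at tick 2 and the car light at tick 3 (one cycle of delay per channel). A second press while the controller is in `Cycling` is silently lost, because no transition in that state reads the `request` port and the model has no buffers; that is exactly the kind of behaviour a simulation run or a model-checking counter example makes visible.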
Simulation
Multimedia Animation
• in addition to the generated environment
• advantages: easy handling (click buttons); user-definable graphical animation; easy integration to other programs
• example: Formula Graphics Animation
Implementation of Animation
[Architecture figure on the slide: the AUTOFOCUS simulation (simulation server) and the AUTOFOCUS environment talk over a Java RMI interface (RMI) to a device-dependent multimedia client; the multimedia application is driven through Windows messages]
The Project Quest
• client: German Information Security Agency (BSI)
• goal: improve quality of software
• way: combine CASE tool with formal methods; connect to tools: VSE, SMV, SATO, CTE; generate test cases
• partners in the project: TUM, DFKI, DC, ist
• duration: 1997-1999
• case study: emergency closing system Oosterschelde
Structure of Quest
[Architecture figure on the slide: an AUTOFOCUS model (SSD residue with components Eng1, Eng2, Eng {Engine}, Fuel, Temp, PonR and an alarm list of type List {PAlarm} built from Nil and Cons with first {PAlarm} and rest {List {PAlarm}}) connected to the Classification Tree Editor (CTE), a generated Java program, the FOCUS formalism and SMV. The SMV part of the figure reads:]
SPEC AF ( AG ((closeHappend & Consider_OPEN &
  A [!FORBIDOpen U OPENpuls] &
  A [notCLOSE U OPEN]) -> AF OPEN ))
-- specification is true
resources used:
user time: 0.67 s, system time 0.03 s
BDD nodes allocated: 39050
Bytes allocated: 1703936
BDD nodes representing transition relation: 24820 + 13
Model Checking Process
[Flow diagram on the slide: model + property are given to SMV; result true: verified; result false: counter example; timeout: bounded checking with SATO, where false(k) yields a counter example, true(max) means verified and true(k) leaves the question open; a further timeout means the model is too complex, so the model is abstracted & reduced, correctness conditions are generated (correct / refine) and the abstract model goes back to SMV]
Abstractions
• abstract (simple) and concrete (complex) models
• check the abstract model and rely on the concrete one
• generate proof conditions for selected properties
• proving correctness is quite simple; finding abstractions (for certain properties) is not!
• "Abstraction Chooser" supports the user (type correctness)
• example: Int -> Bool, 0->False, 1->True, 2->...
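The Int -> Bool abstraction from the example, carried through as an added example that is not part of the slides or of the Quest tools. The concrete model is a constructed timer component in the style of the STD slide (input set?x, precondition t>0, action t=t-1, output timeout!) with its Int variable bounded by `MAX_T` so everything is finite; `alpha` maps 0 to False and every positive value to True. `check_proof_condition` is the proof condition "every concrete step has an abstract counterpart", which a hand-written abstract model must satisfy before a property proved on it may be relied on for the concrete model; the last function shows why finding a good abstraction is the hard part: the abstract timer can loop forever, so liveness cannot be shown at this level of abstraction. All names are assumptions of this example.

```python
from itertools import product

# Added example (not AutoFocus / Quest code): the slide's abstraction Int -> Bool
# (0 -> False, n > 0 -> True) applied to a constructed timer component. The
# concrete Int variable is bounded by MAX_T so proof conditions can be enumerated.

MAX_T = 3


def concrete_successors(state):
    """Concrete steps of the timer as (label, successor) pairs. State = (control state, t)."""
    ctrl, t = state
    succ = set()
    if ctrl == "Idle":
        for x in range(1, MAX_T + 1):                    # input set?x, action t = x
            succ.add((("set", x), ("Running", x)))
    elif ctrl == "Running" and t > 0:                    # precondition t > 0, action t = t - 1
        succ.add((("tick", None), ("Running", t - 1)))
    elif ctrl == "Running":                              # t == 0: output timeout!
        succ.add((("timeout", None), ("Idle", 0)))
    return succ


def concrete_states():
    return [(c, t) for c, t in product(("Idle", "Running"), range(MAX_T + 1))]


def alpha(state):
    """Abstraction function from the slide: Int -> Bool, 0 -> False, 1 -> True, 2 -> True, ..."""
    ctrl, t = state
    return (ctrl, t > 0)


def alpha_label(label):
    kind, value = label
    return (kind, None if value is None else value > 0)


def existential_abstraction():
    """Abstract transition relation: one abstract step for every concrete step."""
    return {(alpha(s), alpha_label(l), alpha(s2))
            for s in concrete_states() for l, s2 in concrete_successors(s)}


def check_proof_condition(abs_rel):
    """Proof condition for a (possibly hand-written) abstract model: every concrete step
    must be matched by an abstract step. Returns the concrete steps that are not."""
    return [(s, l, s2) for s in concrete_states() for l, s2 in concrete_successors(s)
            if (alpha(s), alpha_label(l), alpha(s2)) not in abs_rel]


def timeout_only_when_expired(abs_rel):
    """Safety property checked on the abstract model: timeout! only from Running with t == 0.
    If it holds here and the proof condition holds, it holds on the concrete model."""
    return all(src == ("Running", False) for src, (kind, _), _ in abs_rel if kind == "timeout")


def has_cycle_without(abs_rel, excluded_kind):
    """True if the abstract model can loop forever without an `excluded_kind` step.
    Such a loop may be spurious: the abstraction is too coarse for a liveness property."""
    edges = {}
    for src, (kind, _), dst in abs_rel:
        if kind != excluded_kind:
            edges.setdefault(src, set()).add(dst)

    def dfs(node, path):
        return node in path or any(dfs(n, path | {node}) for n in edges.get(node, ()))

    return any(dfs(n, frozenset()) for n in edges)


if __name__ == "__main__":
    rel = existential_abstraction()
    print("abstract transitions:", sorted(rel))
    print("proof condition holds:", check_proof_condition(rel) == [])
    print("timeout only when expired:", timeout_only_when_expired(rel))
    print("abstract timer may run forever (spurious):", has_cycle_without(rel, "timeout"))
```

Removing the abstract self-loop `(Running, True) -tick-> (Running, True)` by hand would make the liveness argument go through, but `check_proof_condition` then reports the concrete steps t=3 -> t=2 and t=2 -> t=1 as unmatched: the "corrected" abstract model no longer simulates the concrete one, and nothing proved on it transfers.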
Properties
• simple temporal logic
• describe the model
• user support: specification pattern; model-based editor; consistency checks
Model Checking Run
Test Sequence Generation
• based on models (conceptual & semantic)
• reach all states of STD
• execute all transitions of STD
• test all communications between components
• produce certain output (e.g. withdraw money from a modeled ATM)
• classify variables of model using CTE according to definition of their type
• execute test: EET <-> Java class
Classification with CTE
Selection of Test Cases
[Screenshot on the slide: classification tree and combination table]
Example: Transition Tour
Verification using VSE II
• VSE II theorem prover (DFKI) connected: translation: model -> VSE spec; VSE II theorems for correctness of abstractions; (partial) translation VSE spec -> model
• VSE II: interactive verification; TLA-like logic; good proof management; visualization of proof structures
Screenshot VSE II
Case Study: Storm Surge Barrier
[Figure on the slide: the application beside the system model; SSD residue with the components Open23Voter, Statemachine (local variables: Int t = 0), PulseGenerator and And, and the channels FORBIDopen, OPENallowed, OPENtrigger, OTrigger, OPENpuls, OPEN, OPENdif1OK, OPENdif2OK, OPENdif3OK, OPENdifOK, notCLOSEtoAND and notCLOSEtoSM, all of type Signal]
Adequate Models: SSDs, STDs
• safety critical requirements formulated
[Figure on the slide: the client's model beside the AUTOFOCUS model; STD residue for the Statemachine component with the states State1, State2 and State3 and these transition labels:]
FORBIDopen?;OPENdifOK?:OPENallowed!Present:
OPENpuls?:OPENtrigger!Present;OPENallowed!Present:
notCLOSEtoSM?;FORBIDopen?:OPENallowed!Present:
FORBIDopen?Present::
OPENdifOK?Present;notCLOSEtoSM?Present;FORBIDopen?:OPENtrigger!Present;OPENallowed!Present:
OPENpuls?Present::
Complete Model
[SSD figure on the slide: the hardware component HW feeds the sensor channels IWL1..IWL3 and OWL1..OWL3 (type SensorSig) into the components Determine_CLOSE, Determine_OPEN and Compare_Logic; inside them the sub-components IWLlowerTrigger, OWLlowerTrigger, OWLlowerIWL, IWLsubOWLlowerOPENDif, CompareIWL1..3, CompareOWL1..3, CompareOPEN_DIFFERENCE1..3, CompareIWL_OWL1..3, the voters IWL23Voter, OWL23Voter, OI23Voter and Open23Voter, GE_1, Monostable_multivibrator, And, Statemachine and PulseGenerator exchange the Signal channels I1OK..I3OK, O1OK..O3OK, OI1OK..OI3OK, OPENdif1OK..OPENdif3OK, OPENdifOK, SelectHighIWLTrigger, SelectHighIWLTrigger1..3, IWLlowerTrigger, OWLlowerTrigger, OWLlowerIWL, FORBIDopen, OPENallowed, OPENtrigger, OTrigger, OPENpuls, OPEN, notCLOSE, notCLOSE2, notCLOSEPulse, realNotCLOSE, realNotCLOSEtoAND, notCLOSEtoAND and notCLOSEtoSM]
Hybrid Model: Mars Polar Lander
• explicit model of time
• discretizations of differential equations
• functions to compute next values
• generation of continuous diagrams
Polar Lander: The Model
Conclusion
• download modelling tool: http://autofocus.in.tum.de
• buy validation tools from BSI & Validas (10K $)
• Validas spin-off for support & tailoring: http://validas.de
• pilot users from avionic industry
• todo: improve user interface (Undo, Zooming, Popups, ...); integration of security modelling; support development: e.g. combine two components/states; requirements tracing through the models; integration of constraint handlers & solvers