Efficient Reachability Analysis of Hierarchic

Reactive Modules

R. Alur, R.Grosu, M.McDougall

University of Pennsylvaniawww.cis.upenn.edu/

~alur,grosu,mmcdougall

Motivation

Scalable analysis demands modular reasoning:

• modeling language has to support syntactically and semantically modular constructs,

• model checking has to exploit modular design.Close the gap between:

• software design languages (UML,Statecharts,Rsml,…),

• model checking languages (Spin, SMV, Mocha,…).

Talk Outline

Motivation

• Mode diagrams

• From statecharts to mode diagrams

• Model checking

• Wrap-up

Mode Diagrams 1. Visual language for hierarchic reactive

machines• hierarchic modes, mode sharing, • group transitions, history, • mixed and/or hierarchies.

2. Observational trace semantics • mode refinement,• modular reasoning.

3. Model checker • exploits the hierarchy information,• exploits the type information.

Characteristics

• Description is hierarchic.

• Well defined interfaces.

• Supports black-box view.

Model checking

• Modular reasoning.

• E.g. in SMV, Mocha.

Telephone Exchange: Architecture

TelExchange

ti1 to1 tin ton

TelSw1

TelExchange

Bus

TelSwn

bo1 bi1 bon bin

ti1 to1 tin ton

…

TelSw1

TelExchange

Bus

TelSwn

bo1 bi1 bon bin

ti1 to1 tin ton

… onHook offHook

onH

call

answrtB

Telephone Exchange: Behavior

ti?onH

onH

connecting

talking

ok

call rtBgettingNook

rtBansw

onH

idle

ringing

rtBrtE

rtB

calloffH

offH answ

read ti : TelI, bi : BusI;write to : TelO,bo : BusO;local nr : (0..n)

Statecharts

Formalism• Introduced: 1987 by David Harel,

• Related notations: Rsml, Modecharts, Roomcharts,

• Key component in OO Methods: UML, ROOM, OMT, etc.Difficulties• No denotational trace semantics (no refinement notion),

• No scoping for variables.

Previous attempts compile statecharts to flat diagrams.

rtB

onH

connecting

talking

ok

gettingNook

idle

ringing

rtBrtE

rtB

offH

offH

onHook offHook

From Statecharts to ModesObstacles in achieving modularity

• State reference -> Scoping of variables (data interface)

• Group transitions implicitly connect deep nested modes.

• Regular transitions -> Entry/exit points (control interface)

call

answ

• Nested state references break encapsulation.

• Group transitions -> Default points (control interface)

• Regular transitions connect deep nested modes.

telSw

offHookonHook

rtB

onH

answ

call

ini

Model Checking

Graphical editor and both an enumerative and a symbolic model checker.

Reachability analysis exploits the structure:

• Reached state space indexed by control points,

• Transition relation is indexed by control points,

• Transition type exploited in mdd construction,

• Mode definitions are shared among instances.

Example: Generic Hierarchic System

v2

inc

skpv3

w1

w0

inc

skp

w1

z

incskp

z

id

c

incskpskp

inc

v3

local c : (0..2)

local v3 : (0..n)

(c=1 & w1=n) | c=2 -> skip;

local w1 : (0..n)

c=1 & z<n ->c:=0; z:=z+1;

local z : (0..n)

Enumerative Model Checker

w0

inc

skp

w1

z

incskp

z

id

cc

c

w1z

c

w0z

zc

c = 1

w0 = 0z = 0

c = 1z = 0

c = 1

w1 = 1z = 0

w0 = 0

c = 1z = 0

w1 = 1

stored as

Transitions

• Traversed in a depth first way,

• Indexed by control points,

• Shared among instances of the same definition.

States

• States are stored as a stacks,

• Stacks share common elements,

• States (stacks) are entries of a hash table,

• States are compressed as bitstrings.

v2

inc

skpv3

w1

incskp

z

id

c

incskpskp

inc

v3

inc

w0

skp

w1

z

R(c,z,w1,v3)

The reached set is indexed by control points:

• Each reached control point has an associated multi valued binary decision diagram (mdd),

• The set of variables of an mdd depends on the scope of the control point.

Symbolic MC: The Reached Set

R(c,z,w1,v3)

R(c,z,w1,v3,hw1)

R(c,z,w1)

The transition relation is indexed by control points (> conjunctively partitioned mdds):

• Each transition has an associated mdd,

• The set of variables of an mdd depends on the scope of the transition,

• Type information: no identity extension necessary,

• Variable scoping enables early quantification.

Symbolic MC: The Transition Relation

v2

inc

skpv3

w1

incskp

z

id

gcs

inc

skpskp

inc

v3

w0

inc

skp

w1

z

c=1 & v3<n &c’=0 & v3’=v3+1

hz = 2

h’z = 1(c,v3. R(c,z,w1,v3) & inc(c,c’,v3,v3’))[c’,v3’:=c,v3]

w1. R(c,z,w1) & skp(c,w1)

y

inc

z v

inc

w

x u

Hierarchy and Concurrency

P(x,y) & (Q(u,v) | R(u,w))

As expected, the model checker for modes is superior to current model checkers when:

• sequential behavior is hierarchical,

• modes have local variables.

Results

GHS Space Requirements

0

20000

40000

60000

80000

100000

Size of variables type

Num

ber

of

nodes

cMocha

Hrm

cMocha 27587 42591 54166 86317

Hrm 482 729 891 967

5 6 8 10

GHS Time Requirements

0

200

400

600

800

1000

1200

Size of variables type

Tim

e in

min

utes

cMocha

Hrm

cMocha 9 21 71 1000

Hrm 2 4 11 26

5 6 8 10

Project HeRMes

Current status:• visual language for behavior hierarchy,• compositional semantics,• modular refinement rules,• model checking exploits hierarchic structure.

Future work:• improve heuristics exploiting hierarchy,• improve use of sharing,• integrate/automate modular reasoning,• collaboration with NEC on case studies,• connection to Rational Rose/ObjecTime.

Demos at CAV

jMocha v2.0 (released soon):• joint project U.C. Berkeley & UPenn,• a new version written in java,• several new features:

• MSC-like simulator, proof manager, script language.

HeRMes v1.0 (prototype):• developed at UPenn,• supports mode diagrams in this talk,

Demos:• Tuesday morning,• Wednesday afternoon.

Modular Reasoning

M M’

N’N’ <N

NM < M’

N’

M’M’

N’N <N

Assume/guarantee reasoning

N N’<N

MN’

M<Sub-mode refinement

NM < N

M’

Super-mode refinement

M M’<N

A Macro Step

A macro step is a breadth first traversalof the hierarchic mode graph starting at:

• the default entry point of the top level mode

and ending at:

• the default exit point of the top level mode or

• inside the mode if no new states are produced.

Semantics of Modes

Game Semantics• Environment round: from exit points to entry points.• Mode round: from entry points to exit points.

The set of traces of a mode• Constructed solely from the traces of the sub-modes and the mode’s transitions.

Refinement• Defined as usual by inclusion of trace sets.

• Is compositional w.r.t. mode encapsulation.

Modular Reasoning

Compositional Reasoning• Central to many formalisms: CCS, I/O Automata,TLA, etc.Circular Assume/Guarantee Reasoning• Valid only when the interaction of a module with its environment is non-blocking.

Terminology• Compositional and assume/guarantee reasoning based on observable behaviors.

Application area• Only recently is being automated by model checkers,

• Until now restricted to architecture hierarchies.

Conjunctive Modes

Synchronous semantics

State

s = (i1, i2, o1, o2, p1, p2)

Execution

M2 M2

s0

env

s1

syst

s2

env

sk…

syst

sk+1

M1

s11

M1

sk1Parallel composition ofreactive modules

M2

i2i1

o2o1 p1 p2

M1

Translation with modes

M2M1

s1 s11 s2

read i1,i2 ,p1,p2;write o1,o2,p1,p2;

read i1,p2;write o1,p1;

read i2,p1;write o2,p2;

search approachfound

transport

Search&rescue

pickdone

And/Or Hierarchies

lookFSheadTTThe ability to express conjunctive modes isimportant for the construction of arbitraryand/or hierarchies.

Consider a hypothetical search and rescue robot operating on a battle field:

lookFGUexplWNHO

lookFHO

lookFECheadTKL

motionCsonarM

Integrated Development Environment ManagerIntegrated Development Environment Manager

Specs DBSpecs DB

hRM DBhRM DB Proofs DBProofs DB Rules DBRules DB

Proof ManagerProof ManagerTacticals DBTacticals DB

SimulatorSimulator

TextEditorTextEditor VisEditorVisEditor

ParserParser

SpecificationSpecificationBehModelBehModel

TextEditorTextEditor VisEditorVisEditor

ParserParser

ArchModelArchModel

TextEditorTextEditor VisEditorVisEditor

ParserParser

ModelCheckerModelChecker

BDD PacksBDD Packs

Reduction AlgsReduction Algs

Mocha Tool Architecture

Wrap-up

Behavioral View

• Activity Diagrams

Consider differential equations for activities:

• Hybrid hierarchic modes,• Avionics, robotics, automotive industry.• Global and modular symulation,• Exploit hierarchy in analysis,• Relate to hybrid sequence diagrams.