Xiaosong Lu Togashi Laboratory Department of Computer Science Shizuoka University April 1999 - PowerPoint PPT Presentation

1
Specification and Verification of Hierarchical Reactive Systems
Xiaosong Lu, Togashi Laboratory, Department of Computer Science, Shizuoka University, April 1999
2
Introduction
  • Research Background and Objective
  • System Properties and Requirements
  • Formal Specifications
  • Soundness and Completeness
  • Synthesis of Formal Specifications
  • Compositional Verification
  • Reflection

3
Related Work
  • Statecharts (Modechart, RSML)
      • Visual formalism
      • State hierarchy and broadcast communication
  • SDL: communicating finite-state machines
  • Petri Net: event-driven, one-level concurrency
  • CCS, CSP: algebraic nature, recursion, nested
    concurrency, naming, channel communication ...

4
Research Objective
  • A New Methodology for Reactive Systems
      • System requirements: declarative language
      • Formal specifications: hierarchical state
        machines
  • A Flexible Development Environment
      • Stepwise refinement
      • Reflection
      • Automatic synthesis and verification
      • Support of modularity and reusability

5
System Overview
[Figure: the present system, the reflection system, and the programs they produce.]
6
Hierarchical System Properties
  • SPS = < P, L, D, L0 >
  • P: all atomic propositions
  • L: partition of P
  • D ⊆ L × L: partial order relation
  • L0: topmost level propositions

7
SPS of a Radio/Tape Player
[Figure: the SPS of the player. L0 = {On}; P contains On, Radio, Tape, Stereo, Am, Fm, Play and Pause; L groups them into the levels {On}, {Radio, Tape}, {Stereo}, {Am, Fm} and {Play, Pause}; D orders these levels.]
8
Function Requirement
  • A function requirement is a tuple < id, a, fin, o, fout >
  • id: name
  • a: input symbol
  • fin: pre-condition
  • o: output symbol
  • fout: post-condition
  • Power on: ¬On → On
  • < Power on, Power, ¬On, , On >

[Figure: the Power function requirement drawn as a transition from ¬On to On on input Power.]
9
System Requirement Module
  • A Requirement Module of the Player
  • RM = < id, F, ?0, B, S, O, TF >

[Figure: the Power requirement module.]
10
Other Requirement Modules
[Figure: the Radio/Tape and Stereo requirement modules.]
11
Other Requirement Modules
[Figure: the Tape and Radio requirement modules.]
12
System Requirement
  • R = < RM, RM0, >, C >
  • System Requirement of the Player

[Figure: the requirement module hierarchy of the player. RM0 consists of RM1 (Power); under the order >, RM1 is above RM2 (Radio/Tape) and RM3 (Stereo), and RM2 is above RM4 (Tape) and RM5 (Radio).]
13
State Transition Module
  • TM = < id, Q, S, O, δ, q0, B >
  • A State Transition Module of the Player

[Figure: the Power state transition module: Q = {¬On, On}, S = {Power}, q0 marked on the figure, and δ switching between ¬On and On on input Power.]
14
Formal Specification
  • M = < TM, , TM0 >
  • TM: state transition modules
  • partial order relation of state transition
    modules
  • TM0 ⊆ TM: initial state transition modules

15
Formal Specification of the Player
[Figure: the hierarchy of transition modules of the player. TM0 is the Power module (states ¬On, On; input Power). Below On sit the Stereo module (states Stereo, ¬Stereo; input S) and the Radio/Tape module (states Radio, Tape; input RT). Below Radio sits the AF module (states Am, Fm; input AF); below Tape sits the tape-control module (states ¬Play ∧ ¬Pause, Play ∧ ¬Pause, Play ∧ Pause; inputs PL, PA, Stop).]
16
Sub-states, Sub-transition, Default
[Figure: the same module hierarchy as on the previous slide, annotated with Default(On), Substates(Tape) and Sub-transition(Radio).]
17
Global Behavior of the Player
[Figure: the global behaviour of the player, starting from ¬On.]
18
Global Transition System
[Figure: the flattened global transition system. Global states: ¬On; On, Radio, Am; On, Radio, Fm; On, Tape, ¬Play, ¬Pause; On, Tape, Play, ¬Pause; On, Tape, Play, Pause; each On state additionally carries Stereo or ¬Stereo, toggled by S. Transitions are labelled Power, RT, AF, PL, PA, Stop and S.]
19
Soundness
  • Transition w.r.t. Function Requirement
  • Transition Module w.r.t. Requirement Module
  • Formal Specification w.r.t. System Requirement

20
Completeness
  • M is complete w.r.t. R iff
      • M is sound w.r.t. R, and
      • for every sound M' w.r.t. R there exists a homomorphism M' → M
  • Standard System of R
      • sound
      • complete
      • unique

21
Synthesis of Formal Specification
  • Synthesis System
  • Theorem on Synthesis: the derived system is standard.

[Figure: synthesis maps each system requirement module to a state transition module, and the system requirement as a whole to the formal specification.]
22
Compositional Verification
  • Verification of Linear-time Properties
      • reachability analysis
      • liveness, fairness and safeness verification
      • trace analysis
  • Verification with Branching-time Logic
      • TCTL
      • partial model checker
      • further discussion

23
Reachability Analysis
  • Bottom-up Algorithm
  • Time Complexity O(TlogsM)

[Figure: the module hierarchy Power > Radio/Tape, Stereo; Radio/Tape > Radio, Tape, annotated with the steps below.]
1. Analyze local reachability (Play, Pause)
2. Find the upper module and analyze it (Tape)
3. Repeat until the initial module is reached (On)
24
Liveness, Fairness, Safeness
  • Liveness: every state lies on a cycle
      • local liveness
      • upper state liveness
  • Fairness: strongly connected
      • initial module: local fairness
      • all states reachable
  • Safeness: absence of deadlock
      • deadlock detection

25
Branching-time Logic TCTL
  • Syntax
      • p, a, o are TCTL formulae
      • ¬f1, f1 ∧ f2, AX f1, EX f1, A[f1 U f2], E[f1 U f2] are
        TCTL formulae
      • f \P, f \A, f \O are TCTL formulae
  • Trace-based Semantics

26
Partial Model Checker
  • Partial verification
      • based on the hierarchical structure
      • sequential portion of the formal specification
      • specification at any level
  • Partial Model Checker
      • obtain the list of all subformulas of f to be
        verified
      • label states with formulas on the hierarchical
        structure
      • backward search for EX and EU

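An added worked example, not taken from the slides: it builds the flat global transition system of slide 18 in Python and runs the backward EX/EU labelling of slide 26 over it, together with the reachability, liveness and deadlock checks of slides 23 and 24. The state encoding, the constant names and the choice that RT returns from Tape to Am are assumptions read off the figure; Stereo is left out of the state vector.

```python
# Added example (not from the presentation): the player's flattened global
# transition system of slide 18 plus the backward EX/EU search of slide 26.
# A state is the frozenset of atomic propositions true in it; Stereo omitted (assumption).
OFF = frozenset()
RADIO_AM = frozenset({"On", "Radio", "Am"})
RADIO_FM = frozenset({"On", "Radio", "Fm"})
TAPE_STOP = frozenset({"On", "Tape"})               # ¬Play ∧ ¬Pause
TAPE_PLAY = frozenset({"On", "Tape", "Play"})       # Play ∧ ¬Pause
TAPE_PAUSED = frozenset({"On", "Tape", "Play", "Pause"})

# Constructed transition relation (source, input symbol, target), read off slide 18.
# Returning from Tape to Radio lands in Am; that target is an assumption.
TRANS = [
    (OFF, "Power", RADIO_AM),
    *[(s, "Power", OFF) for s in (RADIO_AM, RADIO_FM, TAPE_STOP, TAPE_PLAY, TAPE_PAUSED)],
    (RADIO_AM, "AF", RADIO_FM), (RADIO_FM, "AF", RADIO_AM),
    (RADIO_AM, "RT", TAPE_STOP), (RADIO_FM, "RT", TAPE_STOP),
    *[(s, "RT", RADIO_AM) for s in (TAPE_STOP, TAPE_PLAY, TAPE_PAUSED)],
    (TAPE_STOP, "PL", TAPE_PLAY),
    (TAPE_PLAY, "PA", TAPE_PAUSED), (TAPE_PAUSED, "PA", TAPE_PLAY),
    (TAPE_PLAY, "Stop", TAPE_STOP), (TAPE_PAUSED, "Stop", TAPE_STOP),
]
STATES = {s for s, _, _ in TRANS} | {t for _, _, t in TRANS}

def sat(prop):  # states in which the atomic proposition `prop` holds
    return {s for s in STATES if prop in s}
def succ(state):  # successors of `state` under any input symbol
    return {t for s, _, t in TRANS if s == state}
def pre(states):  # one backward step, i.e. EX: states with a successor in `states`
    return {s for s, _, t in TRANS if t in states}

def check_eu(sat_f1, sat_f2):
    """E[f1 U f2]: backward search from f2-states through f1-states (least fixed point)."""
    labelled = frontier = set(sat_f2)
    while frontier:
        frontier = (pre(frontier) & sat_f1) - labelled
        labelled = labelled | frontier
    return labelled

def reachable(start):  # forward reachability, the flat result of slide 23
    seen, todo = {start}, [start]
    while todo:
        for t in succ(todo.pop()) - seen:
            seen.add(t); todo.append(t)
    return seen

def in_cycle(state):  # liveness (slide 24): on a cycle iff it reaches one of its own predecessors
    return state in check_eu(STATES, pre({state}))
def deadlocks():  # safeness (slide 24): states with no outgoing transition
    return {s for s in STATES if not succ(s)}
```

The E[(Radio ∨ ¬On) U Fm] query in the checks excludes the Tape states, which shows that the until path must stay inside the f1-states and not merely reach an f2-state eventually.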
27
Further Discussion on Verification
  • Compositional Verification with Proof
  • Compositional Minimization
  • Symbolic Model Checking

28
Reflection
  • Transition Addition/Deletion/Modification
  • State Addition/Deletion
  • Nonexecutable Function Detection

[Figure: reflection between the system requirement and the formal specification.]
29
Conclusion
  • A Methodology for Specification and Verification
    of Reactive Systems
  • Future Work
      • Real-time, predicate logic
      • Extensions on compositional verification
      • An integrated support environment