A General Framework for Formalizing Object-Oriented Modeling Techniques

Betty H. C. Cheng
Software Engineering and Network Systems Laboratory
Department of Computer Science and Engineering
Michigan State University
East Lansing, Michigan

Acknowledgements
  Joint work with the following people:
    Robert Bourdeau
    Laura Campbell
    William McUmber
    Enoch Wang
    Ryan Stephenson
  Sponsored in part by:
    National Science Foundation Grants: (CCR , CCR , EIA )
    DARPA Grant (EDCS Program): F
    Motorola
    Eaton Corporation
    Siemens Automotive
    Detroit Diesel Corporation

Bridge the Gap Between Informal and Formal Methods
  Object-Oriented Blueprints
    Informal specifications,
    + graphical models,
    + easy for humans to formulate,
    - may be inconsistent and incomplete.
  Apply Formalization Framework
  Formal Representations
    Formal Methods:
      Well-defined language
      Set of rules for reasoning
    Formal Specifications:
      + Automated Analysis
          Consistency, completeness
          Rapid Prototyping
          Behavior Simulation
      + Design Transformations
      + Automated Test Case generation
      - May be difficult to construct/modify

Overview
  Introduction
  Background
  Formalization Framework
  Validation:
    Tool Support
    Case Study
  Related Work
  Conclusions and Future Investigations

Objectives and Results
  Overarching goals:
    Broaden base of developers who can use rigorous software engineering techniques
    Provide palatable path to more rigorous SE techniques
    Leverage existing expertise and technology
  Specific Goals
    Enable use of intuitive diagrammatic notations (UML) for embedded system design
    Provide path from UML to existing formal languages
      Existing user base
      Support Tools
    Enable automated analyses of model
      Simulation
      Model checking

Domain: Embedded Systems

Background: Embedded Systems
  Code difficult to design and analyze
    Time-dependent
    difficult to instrument
    often highly concurrent
  High level of robustness required
    control real-world, physical processes

Informal Modeling Notation

Background: UML
  Unified Modeling Language
  General-purpose visual modeling language
  de facto Standard
  (At least) nine different diagrams
    use case, class, state, interaction (2), implementation (2), etc
  Diagrams described by metamodels:
    A graphical model that describes syntax of model
    Therefore, nine different metamodels

UML Class Diagram
  [Figure: example class diagram with classes A, A1, A2, A3, B and X. Callouts: "type of" indicator; named association (Talks-to); multiplicities; aggregations (Contains); components.]

UML Metamodel
  Metamodel defines UML syntax using class diagram notation.
  Semantics not defined by metamodel
  Note: Any language or diagram syntax can be defined with a metamodel

Example Metamodel
  [Figure: metamodel with elements Program, Block, Compound Statement and Simple Statement; multiplicity 0..*.]

Metamodel - Diagram - System Relationship
  [Figure: Metamodel (constrains syntax) -> UML Diagram Instance (specifies aspect of) -> System.]
  Uses class diagram notation to describe diagram component relationships
  Specific diagram shows some aspect of the system being constructed

Target Formalization Languages

Background: VHDL
  IEEE standard language
  Intended for abstract description of hardware
  Uses multiple, concurrent, communicating processes
  Communication through signals
  Syntax is Ada-like, procedural in nature
  Models can be executed in simulation.

Background: Promela (SPIN)
  Promela is language for SPIN model checker
  Simulation and model checking of concurrent systems
  SPIN: commonly used in telecommunication domain
    Developed by Bell Labs (now Lucent part)
    Protocol verification
  Guarded Command Language + CSP + C
  Collection of processes, channels, and variables

Background: Promela Example
  Callouts on the left of the listing: declarations, initial procedure, guarded statement, proctype declaration, do-od loop, if-fi block.

    typedef A_type {                  /* structure typedef */
        int x;
        int y;
        bool unused;
        mtype vals;
    }
    chan queue=[3] of {mtype};        /* channel declaration */
    A_type A;                         /* instantiation of A_type */
    mtype={on, off, none};

    init {
        atomic {A.x = 1; A.y = 2}     /* executed as one stmt */
        run abc()                     /* proctype instantiation */
    }

    proctype abc()                    /* basic proctype */
    {
        int I;
        do
        :: A.x 1 -> A.y = A.y + 1;    /* comparison operator missing in the source */
           A.x = A.x + 1;
        od;
        queue!on;                     /* channel write */
        if
        :: queue?vals                 /* channel read */
        :: A.y 4 -> goto skip1        /* comparison operator missing in the source */
        fi
    }

General Formalization Framework

Homomorphisms
  Preserve operations, hence structure and semantics
  h( a b) = h( a) h( b)
  This operation in this system with these objects (a & b)
  does the same thing as this operation in this system
  with the mapped objects

Metamodel mapping
  [Figure: a homomorphism from the UML metamodel to the formal language metamodel produces the mapping rules. Each metamodel describes its instance: the UML diagram on one side, the formal description of the system on the other. The mapping rules relate the UML diagram to the formal description.]

Unified Class/Dynamic Metamodel
  [Figure: unified metamodel. Class related: Model, Class, Relationships (Aggregation, Association, Generalization), Instance Variables. Dynamic related: Behavior, State Vertex, Transition, rest of dynamic model.]

Dynamic Model Portion of Unified Metamodel
  [Figure: metamodel elements: Behavior (to Class), State Vertex, Transition, Guard, ActionSequence, Event (SignalEvent, TimeEvent, ChangeEvent), Pseudostate (Start, Join, Final, History), State (CompositeState, SimpleState); multiplicities 1, 1..*, 0..1.]

Example Metamodel Mapping
  [Figure: a source metamodel and a target metamodel related by h; source elements A, B, C, D and relationship R; labels include h: hascomp(a,c) and h: haspart(a,c).]

Introduction to Mapping Rules
  VHDL used for embedded systems
    VHDL contains timing notations
    Many commercial tools available
    Comprehensive simulation capability
  SPIN used in industry
    Spin provides model simulation and checking
  Concurrency is a feature of both

Promela Class Diagram Mapping Rules
  Classes (objects) map to proctypes.
  Relationships map to channels.
  Instance variables map to global typedef structures.

Promela Dynamic Model Mapping Rules
  Simple states map to blocks of Promela statements.
  Transitions map to goto and run()
  Composite states map to proctypes
  Events map to channel writes/receives
  Pseudo-states map to blocks of various Promela statements

SPIN Analyses
  Random simulation
  Exhaustive search of states
  State transition system checked by temporal logic assertions
  Often provides counter-examples (path to problem state)
  Easier than theorem proving
  Better than simulation when precise timing not required

Summary of Mappings

  Structure         VHDL              Promela
  ----------------  ----------------  ---------------------------
  Class             Ent/Arch          proctype
  Relationship      Port signature    channels
  State             procedure         Labeled block of statements
  Composite State   Ent/Arch          proctype
  Event             Write to signal   Channel assignment

Tool Support

Tool Support
  [Figure: tool chain with UML, MINERVA, HIL, Hydra, Spec* and Analysis Tool*; flows labelled analysis results, diagram reports and analysis reports.]

Architecture of Minerva
  [Figure: UML diagram editors and plug-ins; diagram in DoME format; HIL; visualization commands; text processing scripts; analysis results (raw) and analysis results (processed); diagram reports; analysis reports.]

Hydra Translation Tool
  Uses library and parser to implement rules
  Modular per formal language
  [Figure: Minerva -> HIL -> Hydra parser with a language-specific class library -> formal specifications. Callout on the library: implements mapping rules for specific language.]

Industrial Case Study

Smart Cruise Requirements
  [Figure labels: Desired trail distance; Safety zone; Coast zone; Closing zone]
  About 400 ft - acquires target vehicle.
  Closing speed low enough to control.
  Starts coasting to match speed
  Safe zone
  Maintain proper trail distance - speeds match
  This is what we want
  Closing speed too high. Issues warnings to avoid this condition

Class - Context Diagram
  [Figure: context diagram with a system boundary. Elements: Control, Radar, Car, Target, Brakes, Throttle Control. Flows: target acquisition, target loss, distance, warnings, set brakes, car speed, throttle control.]

Smart Cruise Class Model
  [Figure: classes Control, Radar and Car. Associations: target acquisition, target loss, distance to target, car speed, throttle control.]

High Level Radar Dynamic Model
  [Figure: state diagram. States: Off, Check distance, Get car speed, Wait for ack. Events: Turn-on, Turn-off, Car-speed, Ack-from-control. Transition labels as extracted: [target = 400]^target-acquired and [target 400].]

Car Dynamic Model
  [Figure: state diagram. States: Set cruise speed, Supply speed to radar, Supply speed to control, Unset cruise speed. Labels as extracted: car1, car3, car4, updatex, updatespd, dogetspd, dounset, Set-speed, Unset speed, Get-speed^speed, Get-speed[real=set]^speed, Get-speed[real set]/{adjust real speed}^speed.]

High Level Control Dynamic Model
  [Figure: state diagram. States: Get speed and distance target, Wait for target, Check bounds, Wait for set, Warning or Alarm, Maintain Trail position, Closing on target. Labels: set, [exceed bounds], Ack from car, [trailing], [closing].]

SPIN Analyses Performed
  Random simulation
  State reachability
  State reachability with assertions
  Progress loop analysis (cycle checks)
  Model checking with temporal claim
  Model checking with temporal claim and nondeterministic execution paths

Use of Simulation
  Check that model runs (does not deadlock)
  Model appears to achieve basic requirements
  Model not erratic (simulation is random)
  Exercise common paths
  Explore extremes for initial proper behavior
  Basically, high level debugging strategy

State Reachability Analysis
  Reachability is exhaustive (unlike simulation)
  For common scenarios, ensure set of states is correct and exception states not entered
  For exception scenarios, ensure exception states entered

State Reachability for Normal Scenario (Establish target trail)
  [Figure: control dynamic model with reached states marked. States: Get speed and distance target, Maintain Trail position, Wait for target, Check bounds, Closing on target, Wait for set, Warning or Alarm. Labels: [trailing], set, [closing], [exceed bounds], Ack from car.]
  Callout: Only unreached state, as expected

SPIN Progress Loop Analysis
  Ensures no cycles of only unmarked states.
  Reports cycles unless state(s) are marked.
  If nothing marked, reports cycles
  If known cycles are marked, reports unexpected cycles

Progress Cycle Analysis of Model
  Liveness check: Ensure state cycle follow target established
    Differs from reachability by ensuring cycle exists, not just state visit.
  Safety check: Ensure no unexpected cycles encountered

Progress Loop Checks
  1. Green states reported as cycle when unmarked
  [Figure: control dynamic model. States: Get speed and distance target, Wait for target, Check bounds, Wait for set, Warning or Alarm, Maintain Trail position, Closing on target. Labels: set, shut off system, Ack from car, [trailing], [closing].]
  2. After marked, no other cycles appeared (complement of first check)
     None of these reported

Model Checking Tests
  Car achieves trail position, and stays there.
  Three checks:
    Once in idle, model never comes back
    when target sent, ack replied
      Remove ack to demonstrate check works
    Brake application leads to return to idle state.
      Revealed missed an event on transition

Ensure Target is Never Missed: Demonstrate Check Works
  [Figure: messages between Radar and Control: Target acquired, Control acknowledgement.]
  Remove this message to force claim to fail
  This check failed (as expected)

Related Work
  Object-Orientation and Embedded Systems
  Formalization of UML
  Formalization of OO Modeling Techniques

Embedded System Methodologies
  Ad Hoc (frequently used in industry)
  Structured methods - RTSA [Ward & Mellor, Hatley & Pirbhai]
    RTSA models semi-formal, uses top-down
  Hybrid OO -- RTOOSA [Ellis]
    Still structured, semi-formal - little object use
  OO, non-UML (ROOM) [Selic, Gullekson]
    Formal, but unusual OO model
  OO, UML based [Douglass]
    Semi-formal. No behavior verification

Formalization of UML
  Precise UML (pUML) based UML on Z [Evans, Clarks, Bruel, France, Lano]
    Attempts to provide direct manipulations of diagrams
    But no dynamic behavior mapping
    No way to verify behavior or properties, other than potential theorem prover
  Latella et al
    Formalized UML state diagram in terms of hybrid automata

Other OO Formalizations
  OCL shown to have problems [Mandel & Cengarle]
  Fusion well-defined process, but informal semantics [Coleman, et al]
  TROLL formally defined, but no checkers or simulation capability [Jungclaus, Saake, Hartman, Sernadas]
  Formalized OMT with rules but no general mapping framework [(Wang & Cheng), (Bourdeau & Cheng)]
    Rules specific to LOTOS

Overview of Contributions
  General framework for providing semantics.
  Unified UML Class/Dynamic metamodel.
  Mapping to VHDL and Promela.
  Means to perform simulation and model checking from semi-formal diagrams.
  Systematic process for developing OO graphical models for embedded systems.

Where does this all fit in Big Picture?

Meridian: Automating Development of IDAs
  PIs: B. Cheng, L. Dillon, P. McKinley, K. Stirewalt
  Interactive Distributed Applications (IDAs)
  Examples:
    On-board driver/pilot navigation systems.
    Computer-supported collaborative work environments.
    Distributed interactive simulation.
  Increasing interest fueled by:
    The World-Wide Web.
    Middleware technology (e.g., CORBA, DCOM, JavaBeans).
    New network services and protocols.

Meridian Research goals
  Improve quality of IDAs.
    Better IDAs (reliable, maintainable, extensible).
    Better development (faster, cheaper).
  Advance state of automated software-engineering (ASE) practice.
    Incorporate ASE techniques into mainstream development.
    Apply various formal methods in a new domain.
    Identify end-to-end automation techniques that take advantage of multiple phases of development

Meridian Practical goals
  To have techniques adopted in practice:
    Must complement existing design methods and notations.
    Otherwise, acceptance must overcome stiff economic hurdles.
  Implications:
    Designers should not reformulate designs in a formal notation.
    Designers should not have to view the output of a formal analysis tool.
  We chose (UML) for representing IDA designs.

Meridian Vision
  [Figure: development flow. Inputs: IDA Models, IDA Constraints, IDA Interface Requirements, IDA Reuse Repository, IDA External Parameters, Requirements. Stages and artifacts: Model Editing, User Specifications, Specification Analysis, Refined Specifications, Feedback, Design Processing, Code, Test Cases, Testing/Simulation.]

Summary of Contributions
  General framework for constructing mappings of diagrams to formal target languages
    Framework enables use of rigorous techniques to establish completeness, consistency, and correctness of mapping rules.
  A set of rules for generating VHDL and Promela specifications from UML
  Enable behavior simulation and analysis on informal diagrams via their formal specifications
  Systematic process for developing OO graphical models for embedded systems

Current and Future Research
  Consider other UML Diagrams:
    Use Case: provide high-level user goals
    Interaction Diagrams (Sequence and Collaboration): model behavior of specific scenarios
  Add temporal and real-time constraints
  Explore modified UML semantics
    Adapt semantics to application?

Current/Future Research
  Mapping to SMV
    Different temporal logic (CTL)
    Different analysis capabilities (e.g., fairness)
  Explore the use of specification patterns to guide analysis capabilities
  Domain-specific refinement of UML diagrams
    Move closer towards implementation
    Use of Design Patterns and Frameworks

Discussion
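
The Promela class diagram and dynamic model mapping rules from the slides, applied to the radar/control acknowledgement exchange of the Smart Cruise case study. This is an added example, not code from the original slides or from the Hydra tool; every identifier, the sample distance readings and the `<=` guard operator are assumptions.

```promela
/* Added example, not from the original slides; all names are hypothetical. */
mtype = { target_acquired, ack };

typedef Radar_vars   { int distance }     /* instance variables -> global typedef */
typedef Control_vars { bool tracking }
Radar_vars   radar;
Control_vars control;

chan radar_to_control = [1] of { mtype }; /* relationship -> channel */
chan control_to_radar = [1] of { mtype };

proctype Radar()                          /* class -> proctype */
{
CheckDistance:                            /* simple state -> labelled block */
    if                                    /* constructed sensor readings */
    :: radar.distance = 400
    :: radar.distance = 500
    fi;
    if
    :: radar.distance <= 400 ->           /* guard operator is an assumption */
        radar_to_control ! target_acquired;   /* event -> channel write */
        goto progress_WaitForAck              /* transition -> goto */
    :: else -> goto CheckDistance
    fi;
progress_WaitForAck:                      /* marked state for progress analysis */
    control_to_radar ? ack;               /* event -> channel receive */
    assert(control.tracking);             /* an ack implies Control saw the target */
    control.tracking = false;
    goto CheckDistance
}

proctype Control()
{
WaitForTarget:
    radar_to_control ? target_acquired;
    control.tracking = true;
    control_to_radar ! ack;   /* delete this send: Radar blocks in WaitForAck
                                 and SPIN reports an invalid end state */
    goto WaitForTarget
}

init { atomic { run Radar(); run Control() } }
```

A default SPIN safety run covers the assertion and invalid end states. The `progress` label prefix is what SPIN's non-progress cycle analysis treats as a marked state, so the out-of-range loop through `CheckDistance` is the only cycle left unmarked.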