Modular Refinement of Hierarchic Reactive Machines

Slides: 16
Provided by: radu151

1
Modular Refinement of Hierarchic Reactive Machines
Rajeev Alur, Radu Grosu
University of Pennsylvania
www.cis.upenn.edu/alur,grosu/
2
Results
  • 1. Visual language for hierarchic reactive machines
      • hierarchic modes, mode sharing,
      • group transitions, history,
      • mixed and/or hierarchies.
  • 2. Observational trace semantics
      • mode refinement,
      • compositional and assume/guarantee reasoning.

3
Motivation
  • Scalable analysis demands modular reasoning
      • modeling language has to support syntactically and semantically modular constructs,
      • model checking has to exploit modular design.
  • Close the gap between
      • software design languages (UML, Statecharts, Rsml),
      • model checking languages (Spin, SMV, Mocha).

4
Telephone Exchange Architecture
  • Characteristics
      • Description is hierarchic.
      • Well defined interfaces.
      • Supports black-box view.
  • Model checking
      • Compositional reasoning.
      • Assume/guarantee reasoning.
      • E.g. in SMV, Mocha.

5
Telephone Exchange Behavior
6
Hierarchic Behavior Diagrams
  • Formalism
      • Introduced 1987 by David Harel as Statecharts,
      • Related notations: Rsml, Modecharts, Roomcharts,
      • Key component in OO Methods: UML, ROOM, OMT, etc.
  • Software
      • ILogix, ObjecTime, Rational, etc.
  • Application Area
      • Automotive industry, avionics, etc.
  • Semantics
      • Many attempts (more than 24 semantics),
      • All operational: no trace semantics, no refinement rules.

7
From Statecharts to Modes
Obstacles in achieving modularity
  • Group transitions implicitly connect deeply nested modes.
  • State reference -> Scoping of variables (data interface)
  • Nested state references break encapsulation.

8
Semantics of Modes
  • Game Semantics
      • Environment round: from exit points to entry points.
      • Mode round: from entry points to exit points.
  • The set of traces of a mode
      • Constructed solely from the traces of the sub-modes and the mode's transitions.
  • Refinement
      • Defined as usual by inclusion of trace sets.
      • Is compositional w.r.t. mode encapsulation.
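
Refinement as inclusion of trace sets, as an added example that is not from the slides or from the authors' tools: it checks whether every finite trace of one machine is a trace of another, using a subset construction on the specification side. It simplifies modes to flat labelled transition systems (no entry/exit points or hierarchy); the label and state names are borrowed from the telephone diagram, but the transitions are constructed for illustration.

```python
from collections import deque

def refines(impl, spec, impl_init, spec_init):
    """Trace inclusion: is every finite trace of impl also a trace of spec?

    A machine is a dict: state -> list of (label, next_state).
    Returns (True, None), or (False, shortest trace impl has and spec lacks).
    """
    # Pair each impl state with the SET of spec states reachable on the
    # same trace; this handles a nondeterministic spec correctly.
    start = (impl_init, frozenset([spec_init]))
    seen = {start}
    queue = deque([(start, ())])
    while queue:
        (s, spec_states), trace = queue.popleft()
        for label, s_next in impl.get(s, []):
            matched = frozenset(
                t_next
                for t in spec_states
                for (l, t_next) in spec.get(t, [])
                if l == label
            )
            if not matched:  # spec cannot follow this step: not a refinement
                return False, trace + (label,)
            node = (s_next, matched)
            if node not in seen:
                seen.add(node)
                queue.append((node, trace + (label,)))
    return True, None

# Constructed sample machines (not the model from the presentation).
SPEC = {  # abstract phone: offH may start dialing or answer a call
    "onHook": [("offH", "gettingNo"), ("offH", "talking")],
    "gettingNo": [("ok", "connecting"), ("onH", "onHook")],
    "connecting": [("answ", "talking"), ("onH", "onHook")],
    "talking": [("onH", "onHook"), ("rtB", "onHook")],
}
IMPL = {  # refined phone: only the dialing path is implemented
    "onHook": [("offH", "gettingNo")],
    "gettingNo": [("ok", "connecting"), ("onH", "onHook")],
    "connecting": [("answ", "talking"), ("onH", "onHook")],
    "talking": [("onH", "onHook")],
}
# Same as IMPL, plus a step the spec does not allow while connecting.
BAD = dict(IMPL, connecting=IMPL["connecting"] + [("rtB", "onHook")])

if __name__ == "__main__":
    print(refines(IMPL, SPEC, "onHook", "onHook"))
    print(refines(BAD, SPEC, "onHook", "onHook"))
```
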

9
Modular Reasoning
  • Terminology
      • Compositional and assume/guarantee reasoning based on observable behaviors.
  • Application area
      • Is only recently being automated by model checkers,
      • Until now restricted to architecture hierarchies.
  • Compositional Reasoning
      • Central to many formalisms: CCS, I/O Automata, TLA, etc.
  • Circular Assume/Guarantee Reasoning
      • Valid only when the interaction of a module with its environment is non-blocking.

10
Compositional Reasoning
11
Assume/Guarantee Reasoning
12
Conjunctive Modes
Parallel composition of reactive modules
13
Ongoing Work
Both an enumerative and a symbolic model checker.
Reachability analysis exploits the structure:
  • Transition relation is indexed by control points
      • speeds up enumerative search,
      • generalization of conjunctively partitioned BDDs,
  • Transition type exploited
      • to flush the stack in the enumerative search,
      • for early quantification in the symbolic search,
  • Reached state space indexed by control points
      • pool of variables is not global,
  • Mode definitions are shared among instances.

14
Roadmap
  • Architecture diagrams
  • Mode diagrams
  • From statecharts to modes
  • Semantics and refinement
  • Compositional and assume/guarantee rules
  • Conjunctive modes
  • Implementation

15
Telephone Exchange Behavior
  • Characteristics
      • Description is hierarchic.
      • group transitions, history.
      • Well defined interfaces.
      • data control interfaces
      • black-box view.
  • Model checking
      • Compositional reasoning.
      • Assume/guarantee reasoning.
      • in Mocha

[Diagram: telephone exchange mode diagram; states onHook, offHook, gettingNo, connecting, talking; transition labels onH, call, answ, rtB, ok]