A Modularity Assessment Framework for Context-dependent Formal Specifications
Naoyasu Ubayashi (Kyushu University, Japan)
September 14, 2010
ACoM 2010
Contexts in embedded systems
Many embedded systems not only affect their contexts through actuators but are also affected by their contexts through sensors.
However, traditional product line engineering (PLE) is mainly conducted from the viewpoint of system functions, and contexts are only roughly analyzed.
Unexpected behavior may emerge in a system if a developer does not recognize the possible conflicting combinations between the system and its contexts.
[Figure: an embedded system acts on its contexts through actuators and is affected by them through sensors.]
Our approach: CD-PLP (context-dependent product line practice with lightweight formal approaches)
We proposed a new style of PLE that focuses on constructing embedded systems that take into account the contexts.
CD-PLP: assets are described in a formal specification language (VDM++), so a configuration can be formally checked.
Naoyasu Ubayashi, et al. :Context-dependent Product Line Practice for Constructing Reliable Embedded Systems, SPLC2010
Core assets described in formal languages are effective for constructing reliable product lines.
However, it is not clear which modularity is adequate from the viewpoint of:
- Context asset description: context assets crosscut the system assets.
- Formal specification vs. V&V: the model structures differ when the purpose of the modeling is V&V.
Today's talk: the next step of CD-PLP.
Modularity Assessment Framework for Adequate Core Asset Descriptions
[Figure: formal specification, V&V and refinement; which modularity is adequate?]
Outline
1. CD-PLP with VDM++
2. Lesson learned
3. Modularity assessment framework
4. Conclusion
CD-PLP WITH VDM++ -- QUICK OVERVIEW --
Example: an electric pot
[Figure: the pot (system) contains a heater, a thermistor and a water level sensor; the liquid is the context.]
The pot controls the water temperature by turning on or off the heater.
The pot changes its mode to the heat-retaining mode when the temperature becomes 100 Celsius.
The pot observes the volume from the water level.
CD-PLP
Step 1: Analyze features.
Step 2: Select a set of features from the system line and the context line: Controller, Heater, Thermistor, Water level sensor, Air Pressure Low.
Step 3: Validate the composed system specification (VDM++).
The controller's Boil operation:
  Boil: () ==> ()
  Boil() == while thermistor.GetTemperature() <= 100.0 do heater.On();
VDMTools test execution of this configuration: the boiling point of the water is below 100 Celsius, so the controller continues to heat the water. As a result, its volume will be empty.
LESSON LEARNED
CD-PLP with VDM++/VDMTools
Context assets are formally described!
A configuration of system and context assets can be checked!
However, is it really modular?
Core asset development using VDM++: functional decomposition!
Context asset description in VDM++
-- CONTEXT-liquid
class Liquid
instance variables
  protected aap : AtmosphericAirPressure;
  protected boiling_point : map real to real;
  protected temperature : real;
  protected amount : real;

operations
  public GetAap: () ==> AtmosphericAirPressure
  GetAap() == return aap;

  public SetAap: AtmosphericAirPressure ==> ()
  SetAap(a) == aap := a;

  public GetBoilingPoint: real ==> real
  GetBoilingPoint(atm) == return boiling_point(atm);

  public GetTemperature: () ==> real
  GetTemperature() == return temperature;

  public SetTemperature: real ==> ()
  SetTemperature(t) == temperature := t;

  public AddTemperature: () ==> ()
  AddTemperature() ==
    if temperature < boiling_point(aap.GetAtm())
    then temperature := temperature + 1.0
    else (
      temperature := boiling_point(aap.GetAtm());
      amount := amount - 1.0  -- evaporation
    )
  pre temperature <= boiling_point(aap.GetAtm())
  post temperature <= boiling_point(aap.GetAtm());

  public GetAmount: () ==> real
  GetAmount() == return amount;

  public SetAmount: real ==> ()
  SetAmount(a) == amount := a;
end Liquid
Contexts are abstracted as a set of functions (methods).
Is a functional module adequate for describing contexts?
Additional constraints (for example, the pre- and post-conditions on AddTemperature) are introduced to validate a configuration; they are needed to execute the test facilities supported by VDMTools.
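As an added example (not code from the paper, the talk or VDMTools), the following Python transliterates the Liquid context class above and the controller's Boil operation from the overview, then runs the Step 3 configuration check on two context configurations: normal air pressure and the Air Pressure Low feature. The boiling-point table, the starting temperature and amount, the one-degree-per-On() heater model and the step budget are constructed assumptions; the names Thermistor, Heater, WaterLevelSensor, Controller and check_configuration are illustrative. Boil here loops while the temperature is below 100 C, following the prose (the pot switches to heat-retaining mode when the temperature becomes 100 C) rather than the `<=` in the slide's operation text.

```python
# Added example: Python transliteration of the slide's Liquid context class and
# Boil operation, composed and executed as the CD-PLP Step 3 configuration check.
# Assumptions (not from the slides): the boiling-point table, start temperature,
# amount, one-degree-per-On() heater model, step budget, and "< 100.0" in Boil.


class PreconditionError(Exception):
    """Raised when an operation is called outside its VDM++ pre-condition."""


class AtmosphericAirPressure:
    """Context asset: ambient pressure in atm."""

    def __init__(self, atm: float) -> None:
        self.atm = atm

    def GetAtm(self) -> float:
        return self.atm


class Liquid:
    """Context asset, following the VDM++ class Liquid."""

    def __init__(self, aap, boiling_point, temperature, amount) -> None:
        self.aap = aap
        self.boiling_point = boiling_point  # map atm -> boiling point in C
        self.temperature = temperature
        self.amount = amount

    def GetTemperature(self) -> float:
        return self.temperature

    def GetAmount(self) -> float:
        return self.amount

    def AddTemperature(self) -> None:
        bp = self.boiling_point[self.aap.GetAtm()]
        if not self.temperature <= bp:  # pre temperature <= boiling_point(...)
            raise PreconditionError("temperature above boiling point")
        if self.temperature < bp:
            self.temperature += 1.0
        else:
            self.temperature = bp
            self.amount -= 1.0          # evaporation
        assert self.temperature <= bp   # post temperature <= boiling_point(...)


class Thermistor:
    """System asset: reads the liquid's temperature."""

    def __init__(self, liquid: Liquid) -> None:
        self.liquid = liquid

    def GetTemperature(self) -> float:
        return self.liquid.GetTemperature()


class WaterLevelSensor:
    """System asset: the pot observes the volume from the water level."""

    def __init__(self, liquid: Liquid) -> None:
        self.liquid = liquid

    def GetLevel(self) -> float:
        return self.liquid.GetAmount()


class Heater:
    """System asset: each On() call heats the liquid by one step (constructed)."""

    def __init__(self, liquid: Liquid) -> None:
        self.liquid = liquid

    def On(self) -> None:
        self.liquid.AddTemperature()


class Controller:
    """System asset: the Boil operation, plus a run-dry check and a step budget."""

    HEAT_RETAINING_TEMP = 100.0

    def __init__(self, thermistor, heater, level, max_steps: int = 10_000) -> None:
        self.thermistor, self.heater, self.level = thermistor, heater, level
        self.max_steps = max_steps

    def Boil(self) -> tuple:
        """Return ("heat-retaining" | "empty" | "timeout", heater steps taken)."""
        steps = 0
        while self.thermistor.GetTemperature() < self.HEAT_RETAINING_TEMP:
            if self.level.GetLevel() <= 0.0:
                return "empty", steps           # the conflicting combination
            if steps >= self.max_steps:
                return "timeout", steps
            self.heater.On()
            steps += 1
        return "heat-retaining", steps


# Constructed boiling-point map (atm -> C); the slides give no numbers.
BOILING_POINT = {1.0: 100.0, 0.7: 90.0}


def check_configuration(atm: float, start_temp: float = 20.0, amount: float = 5.0) -> tuple:
    """Step 3: compose the selected system and context features and execute Boil.
    Returns (outcome, heater steps, remaining amount)."""
    liquid = Liquid(AtmosphericAirPressure(atm), BOILING_POINT, start_temp, amount)
    controller = Controller(Thermistor(liquid), Heater(liquid), WaterLevelSensor(liquid))
    outcome, steps = controller.Boil()
    return outcome, steps, liquid.GetAmount()


if __name__ == "__main__":
    print("normal pressure:", check_configuration(1.0))
    print("low pressure:   ", check_configuration(0.7))
```

At normal pressure Boil terminates in heat-retaining mode with the water intact; with the low-pressure context the loop keeps calling the heater at 90 C and evaporates the pot dry, which is the unexpected behavior the configuration check is meant to expose. A liquid composed with a temperature already above its boiling point violates the pre-condition of AddTemperature and is rejected, which is the role the slide assigns to the additional constraints.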
Lesson learned
VDM++ is useful for asset descriptions.
However, VDM++ is not always satisfactory.
At the same time, there are no formal languages that satisfy all of our needs.
Modularity Assessment Framework for selecting appropriate formal languages
MODULARITY ASSESSMENT FRAMEWORK
Criteria for assessment
- Specifications: expressiveness, composability
- V&V: testability, abstraction
- Refinement from formal specifications to implementation: traceability
Check priority!
1. Expressiveness
2. Composability
3. Testability
4. Abstraction
5. Traceability
Application to CD-PLP with VDM++
Although the adoption of VDMTools/VDM++ has several problems, we think that this selection is valid because a configuration can be tested functionally.
High priority
<Our decision> Functional decomposition; OO-based modularity
<Drawback> Not easy to express crosscutting features of contexts; only functional checking
Major drawback
[Figure: system features (VDM++) and context features (VDM++) are combined by feature composition; the context features crosscut the system features.]
VDM++ cannot modularize a crosscutting feature.
In the case of Alloy ...
Not acceptable: traceability, testability.
However, Alloy is a good tool if traceability is not important.
CONCLUSION
Conclusion & Future work
We proposed a modularity assessment framework for selecting appropriate formal languages.
Future work: integrated usage of multiple formal languages.
Thank you for your attention.