Transcript of slides (posted 21-Dec-2015)

Slide 1
Tools for Formal Modeling and Verification: MOCHA, HeRMes, CHARON
Rajeev Alur
Systems Design Research Lab, University of Pennsylvania
www.cis.upenn.edu/~alur/
Slide 2
Is Formal Verification Relevant to Developing Reliable Software?
Challenges:
Model checking does not scale!
There is a gap between model and code
[Diagram: Model <-> Code. Model-based design goes from model to code by refinement and code generation; model extraction goes from code back to a model by abstraction.]
Slide 3
Promise of Model-Based Design
Standard engineering practice in control applications
Growing acceptance of modeling tools such as Rational Rose, Simulink
But no formal semantics / analysis
Ad-hoc features
Increasingly powerful verification tools
Formal modeling by itself is useful for modularity, reusability, rapid prototyping
Slide 4
Talk Outline
MOCHA: Exploiting architectural hierarchy for modular model checking
HeRMes
CHARON
Slide 5
MOCHA Team
U Penn: Rajeev Alur, Minsu Kang, Bow-yaw Wang
SUNY Stony Brook: Radu Grosu
UC Berkeley: Luca de Alfaro, Tom Henzinger, Christoph Kirsch, Freddy Mang
Slide 6
Overview of MOCHA
Goals
Exploit design structure for scalable model checking
Coherent integration of techniques
Key features
Compositional modeling language: Reactive Modules
Refinement checking by assume-guarantee rules
Game-theoretic requirements of open systems: ATL
Hierarchical compression of internal transitions
Slide 7
Why Modular Reasoning?
Behavior of a component can be computed from behaviors of its parts
Components can be analyzed in isolation
Assume-guarantee rules -> Scalable analysis
Mocha Theme: Modular model checking!
Slide 8
Refinement Checking Problem
Given modules Imp and Spec, check if every behavior of Imp is allowed by Spec: Imp < Spec
Why relevant?
Writing Spec as another module may be easier than listing all temporal logic formulas of interest
Promotes hierarchical design by successive refinements
Examples
Cache-coherent memory < Abstract serial memory
Pipelined implementation < ISA spec
Network protocol code < RFC spec
Slide 9
Refinement Verification
Goal: Given two models Imp and Spec, verify that Imp refines Spec
Methodology:
Step 1: Using compositional rules, generate simpler subgoals
Step 2: For each subgoal I < S, introduce a witness module W, and reduce the check to reachability analysis of I || W
Step 3: Apply an efficient reachability check
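To make Step 2 concrete, here is an added illustration that is not MOCHA code and not the PPP case study: two hand-written explicit-state modules over named variables, a four-phase request/acknowledge handshake as Spec and two candidate implementations carrying a private `busy` variable. Taking the witness W to be Spec itself is sound when Spec is deterministic on its observable variables (it is here), so Imp < Spec reduces to a breadth-first reachability search of Imp || W that fails the first time Imp makes an observable move Spec cannot match. The module, variable and function names are assumptions for the illustration.

```python
"""Refinement check Imp < Spec via reachability of the product Imp || W.

Added illustration, not MOCHA code.  Modules are explicit-state: a state is a
dict of variable values, `init` lists initial states and `step` maps a state
to its successor states.  The witness W is Spec itself, which is sound because
Spec below is deterministic on its observable variables.
"""
from collections import deque


class Module:
    def __init__(self, name, observables, init, step):
        self.name = name
        self.observables = tuple(observables)   # interface variables
        self.init = init                         # list of initial states
        self.step = step                         # state -> list of states

    def obs(self, state):
        """Projection of a state onto the observable variables."""
        return tuple(state[v] for v in self.observables)


def check_refinement(imp, spec):
    """Return None if every observable trace of `imp` is a trace of `spec`
    (Imp < Spec); otherwise the shortest observable trace of `imp` that
    `spec` cannot match (the last element is the unmatched step)."""
    frontier = deque()
    seen = set()

    def visit(si, ss, trace):
        key = (frozenset(si.items()), frozenset(ss.items()))
        if key not in seen:
            seen.add(key)
            frontier.append((si, ss, trace))

    # Pair each initial Imp state with the Spec initial states it looks like.
    for si in imp.init:
        matches = [ss for ss in spec.init if spec.obs(ss) == imp.obs(si)]
        if not matches:
            return [imp.obs(si)]
        for ss in matches:
            visit(si, ss, [imp.obs(si)])

    # Breadth-first search of Imp || Spec: every Imp step must be mirrored
    # by a Spec step with the same observable valuation.
    while frontier:
        si, ss, trace = frontier.popleft()
        spec_next = spec.step(ss)
        for ni in imp.step(si):
            wanted = imp.obs(ni)
            matches = [ns for ns in spec_next if spec.obs(ns) == wanted]
            if not matches:
                return trace + [wanted]          # Imp escapes Spec here
            for ns in matches:
                visit(ni, ns, trace + [wanted])
    return None


# --- constructed example: a four-phase req/ack handshake ---------------------

def spec_step(s):
    """Abstract handshake over observables req, ack.  Stuttering is always
    allowed; otherwise exactly one phase advances, so the module is
    deterministic on its observables."""
    r, a = s["req"], s["ack"]
    succ = [dict(s)]
    if (r, a) == (0, 0): succ.append({"req": 1, "ack": 0})   # raise request
    if (r, a) == (1, 0): succ.append({"req": 1, "ack": 1})   # acknowledge
    if (r, a) == (1, 1): succ.append({"req": 0, "ack": 1})   # drop request
    if (r, a) == (0, 1): succ.append({"req": 0, "ack": 0})   # drop ack
    return succ


def make_imp_step(early_ack_drop):
    """Implementation with a private `busy` flag that delays the ack by one
    round.  With early_ack_drop=True it may withdraw ack while req is still
    high, which the Spec forbids."""
    def step(s):
        r, a, b = s["req"], s["ack"], s["busy"]
        succ = []
        if (r, a, b) == (0, 0, 0): succ.append({"req": 1, "ack": 0, "busy": 0})
        if (r, a, b) == (1, 0, 0): succ.append({"req": 1, "ack": 0, "busy": 1})  # internal work
        if (r, a, b) == (1, 0, 1): succ.append({"req": 1, "ack": 1, "busy": 0})
        if (r, a, b) == (1, 1, 0):
            succ.append({"req": 0, "ack": 1, "busy": 0})
            if early_ack_drop:
                succ.append({"req": 1, "ack": 0, "busy": 0})               # the bug
        if (r, a, b) == (0, 1, 0): succ.append({"req": 0, "ack": 0, "busy": 0})
        return succ
    return step


SPEC = Module("Spec", ["req", "ack"], [{"req": 0, "ack": 0}], spec_step)
IMP_OK = Module("ImpOK", ["req", "ack"],
                [{"req": 0, "ack": 0, "busy": 0}], make_imp_step(False))
IMP_BUGGY = Module("ImpBuggy", ["req", "ack"],
                   [{"req": 0, "ack": 0, "busy": 0}], make_imp_step(True))

if __name__ == "__main__":
    print("ImpOK    < Spec:", check_refinement(IMP_OK, SPEC))
    print("ImpBuggy < Spec:", check_refinement(IMP_BUGGY, SPEC))
```

The private `busy` round is matched by Spec's stuttering step, so the correct implementation refines the handshake; the buggy one produces the observable trace (0,0), (1,0), (1,0), (1,1), (1,0), whose last step has no Spec counterpart. If Spec were nondeterministic on its observables, following each matching Spec successor separately would be a simulation check rather than trace inclusion, and a determinising witness would be needed.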
Slide 10
Point-to-Point Protocol
Popular networking protocol for establishing connections remotely
Goal: To verify the actual implementation
Specification: RFC 1661 (standard), specified in tabular format
Implementation: ppp version 2.4.0, C code, available in various Linux distributions
Slide 11
PPP Verification
Focus on option negotiation aspect of protocol
Manually constructed module I from C code
Manually translated RFC spec to module S
Goal: To verify I < S
Result: Discovered an inconsistency in the code wrt specification
Slide 12
Assume-Guarantee Reasoning
GOAL: I0 || I1 < S0 || S1
REDUCES TO: I0 || S1 < S0 (and, symmetrically, S0 || I1 < S1)
Each implementation component is checked against its own spec with the other component replaced by its (smaller) spec, so no subgoal composes both implementations.
Basis: formal compositional semantics of Reactive Modules
Slide 13
Classical Temporal Requirements
Safety properties
Mutual exclusion
Deadlock freedom
Liveness properties
Every request is followed by response
Every reachable state has a path to reset state
Classical temporal logic: Linear-time (LTL) vs Branching-time (CTL)
Sample formulas ([] = always, <> = eventually):
[] (pc1=cs -> pc2!=cs)   (mutual exclusion)
[] (req -> <> response)  (every request is followed by a response)
Slide 14
Alternating Temporal Logic
Suitable for requirements of open systems: explicit distinction between choices of system vs env
Sample game: system and env take turns
Sample formulas: EF p (some path reaches p), AG p (every path keeps p), <sys> F p (sys has a strategy that reaches p whatever env does)
Slide 15
Alternating Temporal Logic
In Mocha, multiple players that execute concurrently
Sample property <A,B> G p: can agents A and B collaborate to maintain invariant p?
Existential over choices of A & B, universal over others
Can specify games and controllability
Recent application: Security protocols
More expressive than CTL
Model checking via symbolic fixpoint computation
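The two ATL slides above state the semantics in words; the following added illustration (not MOCHA code) computes the fixpoints on a small hand-built turn-based game. The controllable predecessor CPre_A(Z) is existential over the coalition's choices and universal over the others', so the same routine yields CTL's EF p and AG p (coalition of all players, and empty coalition) as well as <<sys>> F p. The game, its state names and the coalition names are assumptions for the illustration.

```python
"""ATL model checking by fixpoint computation on a turn-based game graph.

Added illustration, not MOCHA code.  Each state has an owner (the player who
chooses the next move there), a successor list and a flag for proposition p.
CPre_A(Z) is the set of states from which coalition A can force the next state
into Z: existential over A's choices, universal over the other players'.
Setting A to all players gives the CTL operator EX and the empty coalition AX,
so EF p = <<sys,env>> F p and AG p = <<>> G p fall out of the same code.
"""

# Constructed game: sys and env alternate moves; p marks the target states.
GAME = {
    # state: (owner, successors, p)
    "s0": ("sys", ["s1", "s2"], False),
    "s1": ("env", ["s3", "s4"], False),
    "s2": ("env", ["s4", "s5"], False),
    "s3": ("sys", ["s3"], True),          # p holds and is kept forever
    "s4": ("sys", ["s4"], False),         # trap: p never holds
    "s5": ("env", ["s3"], True),
    "s6": ("sys", ["s3", "s4"], False),   # sys alone can reach p from here
}


def cpre(game, coalition, Z):
    """Controllable predecessor of Z for `coalition`."""
    result = set()
    for s, (owner, succ, _) in game.items():
        if owner in coalition:
            if any(t in Z for t in succ):
                result.add(s)
        elif all(t in Z for t in succ):
            result.add(s)
    return result


def holds(game):
    """States where p holds."""
    return {s for s, (_, _, p) in game.items() if p}


def eventually(game, coalition):
    """<<A>> F p  =  mu Z . p  or  CPre_A(Z)   (least fixpoint, from empty)."""
    Z = set()
    while True:
        nz = holds(game) | cpre(game, coalition, Z)
        if nz == Z:
            return Z
        Z = nz


def always(game, coalition):
    """<<A>> G p  =  nu Z . p  and  CPre_A(Z)  (greatest fixpoint, from all)."""
    Z = set(game)
    while True:
        nz = holds(game) & cpre(game, coalition, Z)
        if nz == Z:
            return Z
        Z = nz


ALL, NONE, SYS, ENV = {"sys", "env"}, set(), {"sys"}, {"env"}

if __name__ == "__main__":
    for name, states in [("EF p        ", eventually(GAME, ALL)),
                         ("AG p        ", always(GAME, NONE)),
                         ("<<sys>> F p ", eventually(GAME, SYS)),
                         ("<<env>> F p ", eventually(GAME, ENV)),
                         ("<<sys>> G p ", always(GAME, SYS))]:
        print(name, sorted(states))
```

At s0 the three formulas of the sample game come apart: EF p holds (cooperating players can reach s3), AG p fails, and <<sys>> F p fails because env can steer either of sys's choices into the trap s4, while <<env>> F p holds. For a security protocol the same machinery asks whether the honest parties can enforce a goal against every adversary strategy, not merely whether some run achieves it.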
Slide 16
Talk Outline
MOCHA
HeRMes: Exploiting behavior hierarchy for formal verification
CHARON
Slide 17
Hermes Team
Rajeev Alur, Radu Grosu, Michael McDougall, James Yang
Slide 18
Hierarchical State Machines
Formalism: Introduced in 1987 by David Harel as Statecharts. Related notations: RSML, Modecharts, Roomcharts. Key component in OO methods: UML, ROOM, OMT, etc. Software: ILogix, ObjecTime, Rational, etc.
Application area: Automotive industry, avionics, etc.
Motivation for our work: Statecharts semantics unclear; analysis cannot exploit hierarchical structure
Slide 19
Research Summary
Complexity bounds for model checking: Analysis possible without flattening
Succinctness of hierarchical constructs: Provably exponential
Formal compositional semantics: Assume-guarantee proof calculus for modes
Hermes tool for model checking
Slide 20
Reachability Analysis
What is the cost of concurrency and hierarchy?
FSM: NLOGSPACE
Concurrent: PSPACE
Hierarchical: PTIME
Concurrent Hierarchical: EXPSPACE
Well structured: PSPACE
CTL is PSPACE!
Slide 21
The HeRMes Language
Hierarchical Reactive Machines
– Graphical language
– Processes run concurrently
– Communication using shared variables
HRM Modes
– Similar to finite state machines
– Input, output and local variables
– May contain sub-modes
– May be re-used in many locations
Slide 22
Language Structure
[Diagram of a mode M1 containing submode M2, annotated with:]
Points: entry and exit control points
Transitions: Guard: x & y; Action: y := false
Modes: Mode M1, Submode M2
Variables: Reads: x; Writes: y; Local: z
Slide 23
Exploiting Hierarchy in Enumerative Search
Local variables do not need to be stored when out of scope
Hierarchy gives efficient ways of storing state information
If a mode is used in two places it only needs to be searched once
Mode’s behavior only depends on readable variables - can ignore irrelevant variables
Slide 24
Exploiting Hierarchy in Symbolic Search
Transition relation is indexed by control points
• generalization of conjunctively partitioned BDDs
• transition type exploited for early quantification in the symbolic search
Reached state space indexed by control points
• pool of variables is not global
• mode definitions are shared among instances
Slide 25
The Reached Set
[Figure: a hierarchical machine with nested modes; control points c, z, w0, w1, v2, v3 and transitions labelled inc, skp, id. Each control point carries its own reached set over the variables in scope there: R(c,z), R(c,z,w1), R(c,z,w1,v3), R(c,z,w1,v3,hw1), R(c,z,w1,v3,hw1,hz).]
The reached set is indexed by control points:
• Each reached control point has an associated multi-valued decision diagram (MDD),
• The set of variables of an MDD depends on the scope of the control point.
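The enumerative-search slide says local variables need not be stored when out of scope, and this slide says the reached set is indexed by control points with a scope-dependent variable set. The following added illustration (not HeRMes code) does exactly that for a hypothetical hierarchical machine: mode M1 owns a global counter x, its submode M2 owns a local counter z, and the machine is explored twice, once with a flat state vector and once with the reached set keyed by control point and projected onto the variables in scope there. The mode, variable and control-point names are assumptions for the illustration.

```python
"""Enumerative reachability with the reached set indexed by control points.

Added illustration, not HeRMes code.  A hypothetical hierarchical machine:
mode M1 owns a global counter x; its submode M2 has a local counter z that is
in scope only at M2's internal control points.  The search stores, per
control point, only the variables in scope there.  This is sound here because
z is always re-initialised on entry to M2 before it is read again.
"""
from collections import deque

# Variables in scope at each control point (the projection used by the search).
SCOPE = {
    "M1.entry": ("x",), "M2.entry": ("x",), "M1.choose": ("x",), "M1.exit": ("x",),
    "M2.loop": ("x", "z"), "M2.exit": ("x", "z"),
}
ALL_VARS = ("x", "z")
FLAT = {cp: ALL_VARS for cp in SCOPE}      # no hierarchy: store everything


def step(cp, env):
    """Transitions of the machine; env carries all variable values."""
    x, z = env["x"], env["z"]
    if cp == "M1.entry":
        return [("M2.entry", {"x": 0, "z": z})]
    if cp == "M2.entry":
        return [("M2.loop", {"x": x, "z": 0})]            # local z initialised
    if cp == "M2.loop":
        succ = [("M2.exit", {"x": x + 1, "z": z})]       # may leave at any count
        if z < 3:
            succ.append(("M2.loop", {"x": x, "z": z + 1}))
        return succ
    if cp == "M2.exit":
        return [("M1.choose", {"x": x, "z": z})]
    if cp == "M1.choose":
        return [("M2.entry" if x < 2 else "M1.exit", {"x": x, "z": z})]
    return []                                            # M1.exit: terminal


def reach(scope):
    """Breadth-first search; reached[cp] holds tuples over scope[cp] only."""
    reached = {cp: set() for cp in scope}
    init = ("M1.entry", {"x": 0, "z": 0})
    reached["M1.entry"].add(tuple(init[1][v] for v in scope["M1.entry"]))
    frontier = deque([init])
    while frontier:
        cp, env = frontier.popleft()
        for ncp, nenv in step(cp, env):
            key = tuple(nenv[v] for v in scope[ncp])
            if key not in reached[ncp]:
                reached[ncp].add(key)
                frontier.append((ncp, nenv))
    return reached


def stored_states(reached):
    """Total number of stored (control point, valuation) entries."""
    return sum(len(s) for s in reached.values())


def project(reached, scope):
    """Project a flat reached set onto the per-control-point scopes so the
    two searches can be compared."""
    idx = {v: i for i, v in enumerate(ALL_VARS)}
    return {cp: {tuple(t[idx[v]] for v in scope[cp]) for t in states}
            for cp, states in reached.items()}


if __name__ == "__main__":
    flat, scoped = reach(FLAT), reach(SCOPE)
    print("flat   :", stored_states(flat), "stored states")
    print("scoped :", stored_states(scoped), "stored states")
    print("same reachable control points and in-scope values:",
          project(flat, SCOPE) == scoped)
```

Because M2 may exit with any z in 0..3, the flat search stores four copies of every M1-level control point that differ only in the stale local z (34 entries in total), while the scoped search stores one (22 entries), and both reach the same control points with the same in-scope valuations. The projection is only sound if no out-of-scope variable is read before it is re-assigned, which is what a mode's declared read/write interface guarantees.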
Slide 26
Talk Outline
MOCHA
HeRMes
CHARON: Hierarchical Hybrid Systems
Slide 27
CHARON Team
Rajeev Alur (CIS), Vijay Kumar (MEAM), Insup Lee (CIS), George Pappas (EE), Harvey Rubin (Med)
Calin Belta, Thao Dang, Joel Esposito, Rafael Fiero, Radu Grosu (Stony Brook), Yerang Hur, Franjo Ivancic, Pradyumna Misra, Oleg Sokolsky
Slide 28
What are Hybrid Systems?
State machines + dynamical systems. Example: a thermostat with two modes
  on:  dx/dt = k x,   invariant x < 70,  switch to off when x > 68
  off: dx/dt = -k' x, invariant x > 60,  switch to on when x < 63
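The on/off thermostat on this slide is small enough to simulate by hand, and it shows why the research summary later lists "accurate event detection" as an analysis problem of its own. The following added illustration (not CHARON code) solves each mode's flow exactly and locates the guard crossing inside a step by bisection; with the same large step but no event localisation, the naive simulation overshoots the guard and ends the step outside the mode's invariant. The rate constants k and k', the initial temperature and the step size are assumptions.

```python
"""Simulation of the on/off thermostat with accurate event detection.

Added illustration, not CHARON code.  The automaton is the one on the slide:
mode on  has dx/dt =  k*x,  invariant x < 70, and switches to off when x > 68;
mode off has dx/dt = -k'*x, invariant x > 60, and switches to on  when x < 63.
The rate constants, the initial temperature and the step size are assumptions.
Within a mode the flow is solved exactly (x * exp(rate * h)); the point of the
example is locating the guard crossing inside a step by bisection instead of
stepping over it, which with a large step would leave the mode's invariant.
"""
import math

K_ON, K_OFF = 0.05, 0.10   # assumed values of k and k'

MODES = {
    "on":  {"rate": K_ON,   "inv": lambda x: x < 70, "guard": lambda x: x > 68, "next": "off"},
    "off": {"rate": -K_OFF, "inv": lambda x: x > 60, "guard": lambda x: x < 63, "next": "on"},
}


def flow(mode, x, h):
    """Exact solution of dx/dt = rate * x after time h."""
    return x * math.exp(MODES[mode]["rate"] * h)


def locate_event(mode, x, h, tol=1e-9):
    """Smallest h' in (0, h] at which the mode's guard holds, by bisection.
    Valid because the flow is monotone within a mode."""
    lo, hi = 0.0, h
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if MODES[mode]["guard"](flow(mode, x, mid)):
            hi = mid
        else:
            lo = mid
    return hi


def simulate(x0, mode0, horizon, h, event_detection=True):
    """Return (events, violations).  events: (time, from, to, x) at each mode
    switch; violations: (time, mode, x) whenever a step ends outside the
    current mode's invariant."""
    t, x, mode = 0.0, x0, mode0
    events, violations = [], []
    while t < horizon:
        m = MODES[mode]
        dt, xn = h, flow(mode, x, h)
        if event_detection and m["guard"](xn):
            dt = locate_event(mode, x, h)      # shrink the step to the crossing
            xn = flow(mode, x, dt)
        if not m["inv"](xn):
            violations.append((t + dt, mode, xn))
        t, x = t + dt, xn
        if m["guard"](x):                       # discrete transition
            events.append((t, mode, m["next"], x))
            mode = m["next"]
    return events, violations


if __name__ == "__main__":
    for detect in (True, False):
        ev, bad = simulate(65.0, "on", 10.0, 5.0, event_detection=detect)
        print("event detection" if detect else "naive stepping ",
              "switches:", [(round(t, 3), a, round(x, 3)) for t, a, _, x in ev],
              "invariant violations:", len(bad))
```

With event detection every switch lands within a few nanodegrees of the guard threshold (68 on the way up, 63 on the way down) and no invariant is ever violated, even with a 5 time-unit step; without it the very first step carries the "on" mode to about 83, past its invariant x < 70, which is the kind of spurious behaviour a verification-oriented simulator has to rule out.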
Slide 29
Charon
Charon is a high-level modeling language and design environment reflecting the state of the art in formal as well as object-oriented methods
[Figure: autonomous cooperating robots]
Goal: Modular design, reusability, formal analysis
Slide 30
Research Summary
Language design
Formal semantics
Compositional refinement calculus
Analysis tools
Modular simulation
Accurate event detection
Model checking by predicate abstraction
Distributed simulation
Testing ...
Slide 31
Language Summary
Individual components described as agents: composition, instantiation, and hiding
Individual behaviors described as modes: encapsulation, instantiation, and scoping
Support for concurrency: shared variables as well as message passing
Support for discrete and continuous behavior: differential as well as algebraic constraints
Discrete transitions can call Java routines
Slide 32
Compositional Semantics
Mode should have a precise interface spec
• Control interface: entry/exit points
• Data interface: shared (read/write, discrete/analog) vars
• Behaviors: traces over observables
Which properties are preserved?
Can we restrict reasoning to modified parts of design?
Slide 33
Modular Simulation
Goal: To speed up simulation by exploiting the modular structure of the specification
[Figure: nested modes, each with its own differential constraints (for x, y, z) and invariants (inv1, inv2), integrated at different time scales]
1. Hierarchical modes can be integrated at different time scales
2. Submodes viewed as black boxes
3. Initial experimental results encouraging
Slide 34
CHARON Applications
Multiagent robotics (DARPA MARS program): collision avoidance, coordination, modular design
Automotive control (DARPA Mobies program): verification/hierarchical design for powertrain
Biological systems: protein regulatory networks; modeling/simulation of luminescence in Vibrio fischeri
Graphics: animation; multiactor physics-based modeling and simulation
Slide 35
Vision-Based Control: Mode Switching
Slide 36
Modes in Vision-Based Control
[Block diagram: Frame Grabber and Actuators at the boundary; sensing modes Edge Detector, Collision Detector, Color Blob Finder, Robot Position Estimator, Target Detector, Range Mapper; control modes Motion Controller, Avoid Obstacle, Collision Recovery, Wall-Following, Control.]
Slide 37
Conclusions
Formal modeling and verification tools aimed at exploiting modularity and hierarchy, and automating compositional reasoning
Ongoing basic research
Discrete abstractions of hybrid systems
Compositionality for control systems
Better heuristics for exploiting hierarchy
Slide 38
Promising Opportunities
Collaborations
Bandera-style abstractions for hybrid systems
Reachability tools for hybrid systems
Integrating requirement languages (beyond temporal logics)
Case study: Programmable interface allowing formal/verified top-down design for an embedded device (e.g. a microwave oven)