From Interaction Overview Diagrams to Temporal Logic

Transcription

1 From Interaction Overview Diagrams to Temporal Logic Politecnico di Milano Dipartimento di Elettronica e Informazione Luciano Baresi, Angelo Morzenti, Alfredo Motta, Matteo Rossi {baresi morzenti motta elet.polimi.it

2 Outline Overview UML Interaction Overview Diagrams (IODs) TRIO and Zot An example of formal semantics for IODs Conclusions Alfredo Motta, ACES-MB-10, 04/10/2010 2

3 IODs are User-friendly and intuitive Simple enough to be used by domain experts with little background on modeling software-based systems Well suited for the design of complex, heterogeneous, embedded systems Alfredo Motta, ACES-MB-10, 04/10/2010 3

4 Overview We provide (part of) a formal semantics for IODs The semantic is based on temporal logic Tool supported verification technique The modeling and verification technique is discussed through the aid of an example system Alfredo Motta, ACES-MB-10, 04/10/2010 4

5 IOD Specification TRIO Formal Specification System Property expressed in TRIO + temporal bound ZOT Property Satisfied/ Property NOT Satisfied Alfredo Motta, ACES-MB-10, 04/10/2010 5

6 Interaction Overview Diagrams Special and restricted kind of UML Activity Diagrams (ADs) Provide a high-level view of the possible interactions in a system Semantically more complex than ADs May have different interpretations Alfredo Motta, ACES-MB-10, 04/10/2010 6

7 IODs Operators Alfredo Motta, ACES-MB-10, 04/10/2010 7

8 TRIO TRIO is a first-order linear temporal logic Can exploit both discrete and dense time In this work we use a discrete time domain The TRIO specification of a system consists of a set of TRIO formulae The formulae state how items are constrained and how they vary over time Alfredo Motta, ACES-MB-10, 04/10/2010 8

9 Alfredo Motta, ACES-MB-10, 04/10/2010 9

10 ZOT A bounded satisfiability checker that supports verification of discrete-time TRIO models Verifies whether stated properties hold for the system being analyzed If a property does not hold, Zot produces a counterexample that violates it Alfredo Motta, ACES-MB-10, 04/10/

11 Formal Semantics of IODs The example system used to show the formalization is a telephone system. The telephone system has three units ConnectionUnit is in charge of checking for the arrival of new SMSs on the Server and of handling new calls coming from the Server TransmissionUnit is used by the ConnectionUnit to download the SMSs and to handle the call's data coming from the Server Server Alfredo Motta, ACES-MB-10, 04/10/

12 Formal Semantics of IODs The example system used to show the formalization is a telephone system. Class diagram plus IOD. The model is translated in TRIO temporal logic. The model is verified with ZOT against some properties. Alfredo Motta, ACES-MB-10, 04/10/

13 Telephone System Alfredo Motta, ACES-MB-10, 04/10/

14 The system is in charge of: - Download SMSs. - Receive calls. The ConnectionUnit checks for SMSs and waits for incoming calls. Phone call data and SMS data are then exchanged by the TransmissionUnit. 14

15 TRIO Formalization The formalization is organized into sets of formulae Each set corresponds to one of the SDs in the IOD The formalization is generated (manually) from the IOD Axioms are parametric They are instantiated on the base of the current IOD we are analyzing Alfredo Motta, ACES-MB-10, 04/10/

16 Structure of Formalization CheckingSMS Diagram-related formulae Message-related formulae Component-related formulae waitingcall Diagram-related formulae Message-related formulae Component-related formulae delegatecall Diagram-related formulae Message-related formulae Component-related formulae Alfredo Motta, ACES-MB-10, 04/10/

17 Diagram-related formulae Specifies the messages that sign the beginning and end of a certain diagram Dx A ms. me B Alfredo Motta, ACES-MB-10, 04/10/

18 Diagram-related formulae Alfredo Motta, ACES-MB-10, 04/10/

19 Diagram-related formulae Specifies the condition for a certain diagram to start Alfredo Motta, ACES-MB-10, 04/10/

20 Diagram-related formulae Alfredo Motta, ACES-MB-10, 04/10/

21 Message-related formulae Specifies that each message implies the following one and it is activated by the previous one A mi mj B Alfredo Motta, ACES-MB-10, 04/10/

22 Message-related formulae Alfredo Motta, ACES-MB-10, 04/10/

23 Component-related formulae It is needed to ensure that each entity in the system can only do one operation at time A mi mj B Alfredo Motta, ACES-MB-10, 04/10/

24 24

25 Property 1 If no SMS is received in the future, then nothing will ever be downloaded False: Zot returns a textual counterexample SMS downloadsms t Alfredo Motta, ACES-MB-10, 04/10/

26 Property 2 If no SMS has been received yet, for the next 3 instants there will not be an SMS download True: the property is valid Alfredo Motta, ACES-MB-10, 04/10/

27 Property 3 Between the request for an SMSToken and its reception, no call data can be received False: Zot returns a textual counterexample Alfredo Motta, ACES-MB-10, 04/10/

28 Conclusions This is a first step towards a technique to Modeling and verify embedded systems Using an intuitive UML-based notation The basic constructs of IODs have been given a formal semantics Based on temporal logic Supported by an automated tool To verify temporal properties of the system Alfredo Motta, ACES-MB-10, 04/10/

29 Future works Provide a tool that Automatically translates IODs into temporal logic Keep modeling simple Shows analysis results in a user-friendly way Avoids writing temporal properties in logic Add modeling features like MARTE UML Profile State diagrams Quantitative properties Alfredo Motta, ACES-MB-10, 04/10/

30 Thank you! Alfredo Motta, ACES-MB-10, 04/10/