From Interaction Overview Diagrams to Temporal Logic
Politecnico di Milano, Dipartimento di Elettronica e Informazione
Luciano Baresi, Angelo Morzenti, Alfredo Motta, Matteo Rossi
{baresi | morzenti | motta | rossi} @ elet.polimi.it
Outline
• Overview
• UML Interaction Overview Diagrams (IODs)
• TRIO and Zot
• An example of formal semantics for IODs
• Conclusions
Alfredo Motta, ACES-MB-10, 04/10/2010
IODs are
• User-friendly and intuitive
• Simple enough to be used by domain experts with little background on modeling software-based systems
• Well suited for the design of complex, heterogeneous, embedded systems
Overview
• We provide (part of) a formal semantics for IODs
  – The semantics is based on temporal logic
  – Tool-supported verification technique
• The modeling and verification technique is discussed with the aid of an example system
Approach overview (figure): the IOD Specification is translated into a TRIO Formal Specification; together with a System Property expressed in TRIO plus a temporal bound, it is fed to ZOT, which answers Property Satisfied or Property NOT Satisfied.
Interaction Overview Diagrams
• Special and restricted kind of UML Activity Diagrams (ADs)
• Provide a high-level view of the possible interactions in a system
• Semantically more complex than ADs
• May have different interpretations
IOD Operators (figure)
TRIO
• TRIO is a first-order linear temporal logic
  – Can exploit both discrete and dense time
  – In this work we use a discrete time domain
• The TRIO specification of a system consists of a set of TRIO formulae
  – The formulae state how items are constrained and how they vary over time
ZOT
• A bounded satisfiability checker that supports verification of discrete-time TRIO models
  – Verifies whether stated properties hold for the system being analyzed
  – If a property does not hold, Zot produces a counterexample that violates it
Formal Semantics of IODs
• The example system used to show the formalization is a telephone system
• The telephone system has three units
  – ConnectionUnit is in charge of checking for the arrival of new SMSs on the Server and of handling new calls coming from the Server
  – TransmissionUnit is used by the ConnectionUnit to download the SMSs and to handle the call's data coming from the Server
  – Server
Formal Semantics of IODs
• The example system used to show the formalization is a telephone system
  – Class diagram plus IOD
  – The model is translated into TRIO temporal logic
  – The model is verified with ZOT against some properties
Telephone System
• The system is in charge of:
  – Downloading SMSs
  – Receiving calls
• The ConnectionUnit checks for SMSs and waits for incoming calls
• Phone call data and SMS data are then exchanged by the TransmissionUnit
TRIO Formalization
• The formalization is organized into sets of formulae
  – Each set corresponds to one of the SDs (Sequence Diagrams) in the IOD
• The formalization is generated (manually) from the IOD
  – Axioms are parametric
  – They are instantiated on the basis of the IOD being analyzed
Structure of Formalization
• CheckingSMS
  – Diagram-related formulae
  – Message-related formulae
  – Component-related formulae
• waitingCall
  – Diagram-related formulae
  – Message-related formulae
  – Component-related formulae
• delegateCall
  – Diagram-related formulae
  – Message-related formulae
  – Component-related formulae
Diagram-related formulae
• Specify the messages that mark the beginning and the end of a certain diagram Dx
(figure: sequence diagram between lifelines A and B, from first message ms to last message me)
Diagram-related formulae
• Specify the condition for a certain diagram to start
Message-related formulae
• Specify that each message implies the following one and is activated by the previous one
(figure: sequence diagram between lifelines A and B with consecutive messages mi and mj)
Component-related formulae
• Needed to ensure that each entity in the system can only do one operation at a time
(figure: sequence diagram between lifelines A and B with messages mi and mj)
Property 1
• If no SMS is received in the future, then nothing will ever be downloaded
• False: Zot returns a textual counterexample
(figure: counterexample trace over time t showing the SMS and downloadSMS events)
Property 2
• If no SMS has been received yet, for the next 3 instants there will not be an SMS download
• True: the property is valid
Property 3
• Between the request for an SMSToken and its reception, no call data can be received
• False: Zot returns a textual counterexample
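As an added illustration (not the paper's TRIO axioms and not Zot), the toy bounded checker below encodes message-related and component-related constraints for the CheckingSMS chain, evaluates Properties 1 to 3 with TRIO-style SomF/SomP/Lasts operators over finite traces, and returns a violating trace and instant when a property fails. The atom names (SMS, reqToken, recvToken, downloadSMS, callData), the one-instant message delays and the 1-or-2-instant Server reply are assumptions made here.

```python
"""Toy bounded checker constructed for this page (NOT Zot, NOT the paper's TRIO
axioms): the atoms, the one-step message delays and the 1-or-2-step Server
reply are assumptions made here to mimic the slides' workflow."""
from itertools import product
ATOMS = ("SMS", "reqToken", "recvToken", "downloadSMS", "callData")

def traces(k):
    """Every length-k trace allowed by the toy axioms. Free choices: SMS arrival,
    call data, Server slowness. Message-related: each CheckingSMS message implies
    the next (SMS -> reqToken -> recvToken -> downloadSMS) and is only activated
    by the previous one. Component-related: TransmissionUnit does one op/instant."""
    for sms, call, slow in product(product((0, 1), repeat=k), repeat=3):
        tr = [dict.fromkeys(ATOMS, 0) for _ in range(k)]
        for t in range(k):
            tr[t]["SMS"], tr[t]["callData"] = sms[t], call[t]
            if sms[t]:  # token reply takes 1 or 2 instants (assumption)
                for msg, at in (("reqToken", t + 1), ("recvToken", t + 2 + slow[t]),
                                ("downloadSMS", t + 3 + slow[t])):
                    if at < k:
                        tr[at][msg] = 1
        if all(not (st["downloadSMS"] and st["callData"]) for st in tr):
            yield tr

# TRIO-style operators at instant t of a finite trace (future/past truncated
# at the bound: a simplification of Zot's bounded semantics)
def somf(tr, t, f): return any(f(st) for st in tr[t + 1:])               # SomF
def somp(tr, t, f): return any(f(st) for st in tr[:t])                   # SomP
def lasts(tr, t, f, d): return all(f(st) for st in tr[t + 1:t + 1 + d])  # Lasts

def p1(tr, t):  # Property 1: not SomF(SMS) -> not SomF(downloadSMS)
    return somf(tr, t, lambda s: s["SMS"]) or not somf(tr, t, lambda s: s["downloadSMS"])

def p2(tr, t):  # Property 2: not SomP(SMS) and not SMS -> Lasts(not downloadSMS, 3)
    return (somp(tr, t, lambda s: s["SMS"]) or tr[t]["SMS"]
            or lasts(tr, t, lambda s: not s["downloadSMS"], 3))

def p3(tr, t):  # Property 3: reqToken -> no callData until recvToken
    if not tr[t]["reqToken"]:
        return True
    for st in tr[t + 1:]:
        if st["recvToken"] or st["callData"]:
            return bool(st["recvToken"])
    return True

def check(prop, k):
    """Bounded check: (trace, instant) violating prop, or None if it holds."""
    for tr in traces(k):
        for t in range(k):
            if not prop(tr, t):
                return tr, t
    return None
```

With bound 5, check(p1, 5) and check(p3, 5) each return a violating (trace, instant) pair while check(p2, 5) returns None, matching the three outcomes on the slides.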
Conclusions
• This is a first step towards a technique to
  – Model and verify embedded systems
  – Using an intuitive UML-based notation
• The basic constructs of IODs have been given a formal semantics
  – Based on temporal logic
  – Supported by an automated tool
  – To verify temporal properties of the system
Future work
• Provide a tool that
  – Automatically translates IODs into temporal logic
  – Keeps modeling simple
  – Shows analysis results in a user-friendly way
  – Avoids writing temporal properties in logic
• Add modeling features like
  – MARTE UML Profile
  – State diagrams
  – Quantitative properties
Thank you!