uml&fm 2012
TRANSCRIPT
Formal Semantics of Extended Hierarchical
State Transition Matrix (EHSTM) by CSP
Y. Yamagata, W. Kong, A. Fukuda,
T. Nguyen, H. Ohsaki, K. Taguchi
AIST and Kyushu University
Cnam Paris, August 27th, 2012
Table vs. Chart

EHSTM
• Table based
• Event/state hierarchy
• Pros
  – All combinations of events and states must be considered
• Cons
  – Less intuitive
  – Tables tend to be very large

State chart
• Chart based
• Composite state
• Pros
  – Intuitive
• Cons
  – Possibility of overlooking a combination of a state and an event
ZIPC (1)
• ZIPC uses EHSTM as a modeling method
• ZIPC provides
– simulation of models
– code generation to C/C++
[Diagram: EHSTM tables → ZIPC → simulation; ZIPC → code generation → C/C++]
ZIPC (2)
• Market share in Japan
  – among non-UML based modeling tools
[Chart: market share of ZIPC, MATLAB/Simulink, Rational Test RealTime and Rational Rose RealTime]
Garakabu2 (3)
[Diagram: EHSTM → ZIPC → simulation and C/C++; EHSTM → formulas → CVC3 (SMT solver)]
• Justification? The translation from EHSTM to formulas is complex
• No formal justification
Our approach
[Diagram: EHSTM → ZIPC → simulation and C/C++; EHSTM → CSP language → PAT Verifier]
• CSP: high-level specification language
• Relatively simple translation
• PAT: state-of-the-art model checker for CSP
Related works
Formal semantics of state-chart
• Uselton 1994; Harel, Naamad 1996
Translation from state-chart to CSP
• Fuhrmann 1998
• Sun et al. 2005, 2008
• Zhang and Liu 2010
Previous works on EHSTM
• Kong et al. 2011, 2011
CSP
CSP constructs used by the translation:
• Terminate abnormally
• Terminate successfully
• Prefix
• Boolean choice
• Parallel composition
• Sequential composition
• Interrupt
• Hiding
• Choice
Translation

EHSTM                   CSP
System                  Process
Task                    Process
Hierarchy of matrices   Parallel composition
Matrix                  Process
State                   Global variable
Event virtual frame     Sequence of events
Event                   Event
Expression              Expression
Hierarchical Matrix

T0      S1           S2
e1      S2 / □T1     …
e2      …            …

In cell (e1, S1) the task moves to S2 and calls the child matrix T1. Legible fragments of the CSP process for T0: it reads an event from the queue (q?e) and its own state (T0.state?S), and the (e1, S1) branch assigns state S2, calls T1, and continues as T0, with

call(T1) = T1.start -> T1.return -> SKIP

Hierarchical Matrix

T1      S3      S4
e3      S4      S3 / P1 / return
e4      …       …

Legible fragments of the CSP process for T1: T1 = T1.start -> T1', where T1' reads q?e and T1.state?S and branches on the cell; the return cell maps to the event T1.return, after which T1 waits for the next T1.start. [Remaining process definitions are garbled in the extraction.]
Experiments
Experiment 1
• Test the interpretation of hierarchical matrices
• Compare the result with Garakabu2
Experiment 2
• Motivating example in Kong 2011
• Check the performance of the translation
Experiments - results
Experiment 1
• Both report deadlock, as expected.
Experiment 2
• PAT is >1000 times faster than Garakabu2
• This is most likely because PAT does explicit-state model checking, while Garakabu2 uses an SMT solver.
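Constructed illustration, added here and not code from the talk, from ZIPC, from Garakabu2 or from PAT: a small Python encoding of a two-level EHSTM and an explicit-state breadth-first check over it, in the spirit of the translation table above (matrix → process, state → global variable, hierarchy → call/return) and of the explicit-state checking that PAT performs. The Cell/Matrix/EHSTM types, the toy matrices T0/T1, the event names e1..e4, the `flag` variable and the invariant are all assumptions made for the example. The buggy variant deadlocks because the child matrix's return cell is guarded on a flag that its action never sets; the fixed variant is deadlock-free and satisfies the invariant.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed encoding of an EHSTM (assumption: this is neither ZIPC's format
# nor the paper's CSP translation). A matrix maps (event, state) -> Cell; a
# missing cell is the slides' "x": the event is not accepted in that state.
Vars = Dict[str, int]

@dataclass(frozen=True)
class Cell:
    next_state: Optional[str] = None                 # move within this matrix
    call: Optional[str] = None                       # push a child matrix (hierarchy)
    ret: bool = False                                # pop back to the parent matrix
    guard: Callable[[Vars], bool] = lambda v: True   # enabling condition on variables
    action: Callable[[Vars], None] = lambda v: None  # updates a copy of the variables

Matrix = Dict[Tuple[str, str], Cell]                 # (event, state) -> Cell

@dataclass
class EHSTM:
    matrices: Dict[str, Matrix]
    initial: Dict[str, str]      # initial state of every matrix
    root: str                    # top-level matrix
    variables: Vars              # initial values of the global variables

# A configuration is the call stack of (matrix, state) pairs plus a hashable
# snapshot of the variables, mirroring "state -> global variable" on the slide.
Config = Tuple[Tuple[Tuple[str, str], ...], Tuple[Tuple[str, int], ...]]

def successors(model: EHSTM, cfg: Config):
    """All enabled transitions from cfg as (event, successor configuration)."""
    stack, snap = cfg
    if not stack:                                    # root returned: terminated
        return []
    matrix, state = stack[-1]
    out = []
    for (event, st), cell in model.matrices[matrix].items():
        if st != state or not cell.guard(dict(snap)):
            continue
        v = dict(snap)
        cell.action(v)
        new_stack = list(stack)
        if cell.ret:
            new_stack.pop()
        else:
            new_stack[-1] = (matrix, cell.next_state or state)
            if cell.call:                            # enter the child at its initial state
                new_stack.append((cell.call, model.initial[cell.call]))
        out.append((event, (tuple(new_stack), tuple(sorted(v.items())))))
    return out

def explore(model: EHSTM, invariant=None):
    """Explicit-state breadth-first search, the style of checking PAT performs.
    Returns (reachable configurations, deadlocked ones, invariant violations).
    invariant(states, vars) receives {matrix: state} for the active stack;
    matrices are assumed non-recursive, so each appears at most once."""
    init: Config = (((model.root, model.initial[model.root]),),
                    tuple(sorted(model.variables.items())))
    seen, queue, deadlocks, violations = {init}, deque([init]), [], []
    while queue:
        cfg = queue.popleft()
        stack, snap = cfg
        if invariant is not None and not invariant(dict(stack), dict(snap)):
            violations.append(cfg)
        succ = successors(model, cfg)
        if not succ and stack:                       # no event accepted, not terminated
            deadlocks.append(cfg)
        for _, nxt in succ:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, deadlocks, violations

def toy_model(buggy: bool) -> EHSTM:
    """Constructed two-level example (not the paper's). T0 calls T1 on e1;
    T1 sets a flag on e3 and may return on e4 only once the flag is set.
    The buggy variant clears the flag instead, so T1 can never return."""
    def set_flag(v: Vars) -> None:
        v["flag"] = 0 if buggy else 1
    t0: Matrix = {
        ("e1", "S1"): Cell(next_state="S2", call="T1"),
        ("e2", "S2"): Cell(next_state="S1"),
    }
    t1: Matrix = {
        ("e3", "S3"): Cell(next_state="S4", action=set_flag),
        ("e4", "S4"): Cell(ret=True, guard=lambda v: v["flag"] == 1),
    }
    return EHSTM({"T0": t0, "T1": t1}, {"T0": "S1", "T1": "S3"}, "T0", {"flag": 0})

def verify(buggy: bool) -> Dict[str, object]:
    """Deadlock-freedom plus a safety property in the STC1/STC2 style:
    whenever T1 sits in S4 the flag must already be set."""
    inv = lambda states, v: states.get("T1") != "S4" or v["flag"] == 1
    reachable, deadlocks, violations = explore(toy_model(buggy), inv)
    return {"configs": len(reachable), "deadlockfree": not deadlocks,
            "invariant": not violations}

if __name__ == "__main__":
    for buggy in (True, False):
        print("buggy" if buggy else "fixed", verify(buggy))
```

Running the block prints one summary per variant: the buggy model reaches three configurations, stops in one of them with no accepted event (a deadlock) and violates the invariant there; the fixed model reaches six configurations with neither problem. Reporting the deadlocked configuration itself, as PAT does with a counterexample trace, is the useful part for debugging a matrix: it names the matrix, the state and the variable values at which no cell applies.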
Experiment 1 - model
[Figure: three-level hierarchical matrix, garbled in the extraction. Recoverable structure:
• Top matrix □0 with states S0, S1, S2; event rows guarded by e0==0 and e0==1; actions e0=1 and e0=0; calls to the child matrices □0.1 and □0.2; x marks cells where the event is not accepted.
• Child matrix □0.1 with states S01, S02; event rows guarded by e1==0 and e1==1; action e1=1; a return cell.
• Child matrix □0.2 with states S011, S012, S013; event rows guarded by e2==0 and e2==1; actions on e2 and a local variable tmp (tmp=0; tmp=1; e2=1; e2=0;); a return cell.]
Experiment 2 – properties
• Deadlock-free
• STC1 ≡ □(returner == ret ⇒ changer == wait_money_taken)
• STC2 ≡ □(changer == wait_request ⇒ returner == wait)
• DYN ≡ □((changer == wait_request && X changer == wait_money_taken) ⇒ X returner == ret)
Experiment 2 – results (1): example with bug

Property    PAT result   PAT time   Garakabu2 result   Garakabu2 time
Deadlock    Invalid      0.0013     Invalid            93
STC1        Invalid      0.011      Invalid            14
STC2        Invalid      0.0016     Invalid            16
DYN         Invalid      0.0016     Invalid            4
Experiment 2 – results (2): example without bug

Property    PAT result   PAT time   Garakabu2 result   Garakabu2 time
Deadlock    Valid        0.077      Valid              1239
STC1        Valid        0.053      Valid              511
STC2        Valid        0.039      Valid              735
DYN         Valid        0.056      Valid              3211
Summary
• Simple translation from EHSTM to CSP
  – Gives a rigorous model of EHSTM
• Verification of the translated model using PAT
  – The results coincide with those of Garakabu2
  – Faster than using Garakabu2