FIGURE 13.25
Results obtained using gRRT (a) and hRRT (b), with the same number of visited states.
Suppose that we have sampled a discrete state q_goal = q. Since all the staying sets are boxes, the staying set I_q is denoted by the box B and called the bounding box.

As mentioned earlier, the coverage estimation is done using a box partition of the state space B, and sampling of a continuous goal state can be done in two steps: first, sample a goal box b_goal from the partition; second, "uniformly" sample a point x_goal in b_goal. Guiding is thus done in the goal box sampling process by defining, at each iteration of the test generation algorithm, a probability distribution over the set of boxes in the partition. Essentially, we favor the selection of a box if adding a new state in this box improves the coverage of the visited states. This is captured by a potential influence function, which assigns to each elementary box b in the partition a real number that reflects the change in the coverage if a new state is added in b. The current coverage estimate is given in the form of a lower and an upper bound; to improve the coverage, both the lower and the upper bound need to be reduced (see [32] for details).

The hRRT algorithm for hybrid automata in which the goal state sampling is done using this coverage-guided method is called the gRRT algorithm ("guided hRRT"). To illustrate the coverage efficiency of gRRT, Figure 13.25 shows the results obtained by hRRT and gRRT on a linear system after 50,000 iterations. The gRRT algorithm has the better coverage result: with the same number of visited states, the states visited by gRRT are more equi-distributed over the reachable set than those visited by hRRT.

These algorithms were implemented in the prototype tool HTG, which was successfully applied to a number of benchmarks in control applications and in analog and mixed-signal circuits [31,79].
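The two-step goal sampling described above, as an added example written for this page (it is not code from the HTG tool and does not reproduce the coverage bounds of [32]): a uniform box partition of the bounding box B, a potential influence function approximated by each box's deficit relative to an equi-distribution target, goal-box selection with probability proportional to that influence followed by uniform sampling inside the chosen box, and a minimal hRRT-style extension loop so the guided (gRRT) and unguided (hRRT) variants can be compared on the same budget. `BoxPartition`, `sample_goal`, `rrt`, `compare`, the deficit-based influence and the hypothetical 2-D damped-oscillator dynamics are all assumptions of this example, not of the chapter.

```python
"""Coverage-guided goal sampling for an RRT over a box-partitioned state space.
Added example; not code from the HTG tool or [32]. The influence function and
the 2-D dynamics below are simplifying assumptions, see the lead-in."""
import math
import random
from typing import List, Tuple

Point = Tuple[float, ...]


class BoxPartition:
    """Uniform k^n grid over B = [lo, hi] with a visit count per elementary box."""

    def __init__(self, lo: Point, hi: Point, k: int) -> None:
        self.lo, self.hi, self.k, self.dim = lo, hi, k, len(lo)
        self.counts: List[int] = [0] * (k ** self.dim)

    def inside(self, x: Point) -> bool:
        return all(self.lo[i] <= x[i] <= self.hi[i] for i in range(self.dim))

    def box_of(self, x: Point) -> int:
        """Index of the elementary box containing x (clamped to B)."""
        idx = 0
        for i in range(self.dim):
            t = (x[i] - self.lo[i]) / (self.hi[i] - self.lo[i])
            idx = idx * self.k + min(self.k - 1, max(0, int(t * self.k)))
        return idx

    def bounds_of(self, b: int) -> Tuple[Point, Point]:
        """Lower and upper corners of elementary box b."""
        cells = [(b // self.k ** (self.dim - 1 - i)) % self.k for i in range(self.dim)]
        w = [(self.hi[i] - self.lo[i]) / self.k for i in range(self.dim)]
        lo = tuple(self.lo[i] + cells[i] * w[i] for i in range(self.dim))
        hi = tuple(self.lo[i] + (cells[i] + 1) * w[i] for i in range(self.dim))
        return lo, hi

    def add(self, x: Point) -> None:
        self.counts[self.box_of(x)] += 1

    def influence(self, b: int) -> float:
        """Potential influence of box b. Assumption: the deficit of its count
        below a uniform target; 0 once b holds its share of the visited states."""
        total = sum(self.counts)
        target = max(1, math.ceil((total + 1) / len(self.counts)))
        return float(max(0, target - self.counts[b]))

    def coverage(self) -> float:
        """Fraction of elementary boxes holding at least one visited state."""
        return sum(1 for c in self.counts if c > 0) / len(self.counts)


def sample_goal(part: BoxPartition, rng: random.Random) -> Tuple[int, Point]:
    """Step 1: goal box drawn with probability proportional to its influence.
    Step 2: goal point drawn uniformly inside that box."""
    weights = [part.influence(b) for b in range(len(part.counts))]
    b = rng.choices(range(len(weights)), weights=weights, k=1)[0]
    lo, hi = part.bounds_of(b)
    return b, tuple(rng.uniform(lo[i], hi[i]) for i in range(part.dim))


def guided_goals(part: BoxPartition, n: int, seed: int) -> List[Tuple[int, Point]]:
    rng = random.Random(seed)  # seeded so a run is reproducible
    return [sample_goal(part, rng) for _ in range(n)]


def dist(a: Point, b: Point) -> float:
    return math.sqrt(sum((a[i] - b[i]) ** 2 for i in range(len(a))))


def step(x: Point, u: Point, dt: float) -> Point:
    """Euler step of the hypothetical 2-D dynamics x' = Ax + u (damped oscillator)."""
    a = ((0.0, 1.0), (-1.0, -0.5))
    return tuple(x[i] + dt * (sum(a[i][j] * x[j] for j in range(2)) + u[i])
                 for i in range(2))


def rrt(part: BoxPartition, x0: Point, iters: int, guided: bool,
        rng: random.Random, dt: float = 0.1, umax: float = 1.0) -> List[Point]:
    """hRRT-style loop; guided=True is gRRT goal sampling, guided=False is
    uniform goal sampling over B. Successors leaving B (the staying set) are dropped."""
    tree = [x0]
    part.add(x0)
    for _ in range(iters):
        if guided:
            _, goal = sample_goal(part, rng)
        else:
            goal = tuple(rng.uniform(part.lo[i], part.hi[i]) for i in range(part.dim))
        near = min(tree, key=lambda p: dist(p, goal))
        best = None
        for _ in range(5):  # try a few inputs |u_i| <= umax, keep the one nearest the goal
            u = tuple(rng.uniform(-umax, umax) for _ in range(part.dim))
            xn = step(near, u, dt)
            if part.inside(xn) and (best is None or dist(xn, goal) < dist(best, goal)):
                best = xn
        if best is not None:
            tree.append(best)
            part.add(best)
    return tree


def compare(iters: int = 1000, seed: int = 0) -> Tuple[float, float]:
    """(hRRT coverage, gRRT coverage) for the same system, iteration budget and seed."""
    result = []
    for guided in (False, True):
        part = BoxPartition((-2.0, -2.0), (2.0, 2.0), 10)
        rrt(part, (1.0, 1.0), iters, guided, random.Random(seed))
        result.append(part.coverage())
    return result[0], result[1]
```

Calling `compare()` returns the box-occupancy coverage of both variants; box occupancy is only a coarse stand-in for the chapter's coverage measure, and the point of the guided sampler is visible in `influence`: a box that already holds its share of visited states gets weight zero, so goals are spent only where adding a state still moves the distribution toward equi-distribution.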
Modeling, Verification, and Testing Using Timed and Hybrid Automata
13.8 Conclusions
Embedded systems consist of hardware and software embedded in a physical environment with continuous dynamics. To model such systems, timed and hybrid automata models have been developed and studied extensively in the past two decades. In this chapter we have reviewed the basics of these models and methods of exhaustive or partial verification, as well as testing for these models. We hope that our overview will motivate embedded system designers to use these models in their applications, and that they will find them useful. Timed and hybrid automata are still an active field of research, and we refer the readers to the numerous papers published on these topics, in addition to those referenced in our bibliography section.
Acknowledgments
We would like to thank Eugene Asarin, Olivier Bournez, Saddek Bensalem, Antoine Girard, Moez Krichen, Oded Maler, Tarik Nahhal, Sergio Yovine, and other colleagues for their collaborations and their contributions to the results presented in this chapter.
References
1. N. Abed, S. Tripakis, and J.-M. Vincent. Resource-aware verification using randomized exploration of large state spaces. In SPIN'08, Los Angeles, CA, LNCS 5156, 2008.
2. K. Altisen and S. Tripakis. Implementation of timed automata: An issue of semantics or modeling? In P. Pettersson and W. Yi (editors), 3rd International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS'05), Uppsala, Sweden, LNCS 3829:273–288, September 2005, Springer, Berlin, Heidelberg.
3. R. Alur. Timed automata. NATO-ASI 1998 Summer School on Verification of Digital and Hybrid Systems, 1998.
4. R. Alur, C. Courcoubetis, N. Halbwachs, D.L. Dill, and H. Wong-Toi. Minimization of timed transition systems. In Third Conference on Concurrency Theory (CONCUR '92), Stony Brook, NY, LNCS 630:340–354, 1992, Springer-Verlag, New York.
5. R. Alur, C. Courcoubetis, N. Halbwachs, T. Henzinger, P. Ho, X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine. The algorithmic analysis of hybrid systems. Theoretical Computer Science, 138:3–34, 1995.
6. R. Alur, C. Courcoubetis, T.A. Henzinger, and P.-H. Ho. Hybrid automata: An algorithmic approach to the specification and verification of hybrid systems. In Hybrid Systems, pp. 209–229, 1992.
7. R. Alur, T. Dang, J. Esposito, Y. Hur, F. Ivancic, V. Kumar, I. Lee, P. Mishra, G. Pappas, and O. Sokolsky. Hierarchical modeling and analysis of embedded systems. Proceedings of the IEEE, 91(1):11–28, 2003.
8. R. Alur, T. Dang, and F. Ivancic. Counter-example guided predicate abstraction of hybrid systems. Theoretical Computer Science (TCS).
(editors), Hybrid Systems: Computation and Control, Rome, Italy, LNCS 2034:63–75, 2001, Springer-Verlag, Berlin, Heidelberg.
11. E. Asarin, O. Bournez, T. Dang, and O. Maler. Approximate reachability analysis of piecewise-linear dynamical systems. In B. Krogh and N. Lynch (editors), Hybrid Systems: Computation and Control, Pittsburgh, PA, LNCS 1790:20–31, 2000, Springer-Verlag, Berlin, Heidelberg.
12. E. Asarin, T. Dang, and A. Girard. Hybridization methods for the analysis of nonlinear systems. Acta Informatica, 43(7):451–476, 2007.
13. E. Asarin, T. Dang, and O. Maler. The d/dt tool for verification of hybrid systems. In Computer Aided Verification, Copenhagen, Denmark, LNCS 2404:365–370, 2002, Springer-Verlag, Berlin, Heidelberg.
14. E. Asarin and G. Schneider. Widening the boundary between decidable and undecidable hybrid systems. In CONCUR, Brno, Czech Republic, 2002.
15. J. Beck and W.W.L. Chen. Irregularities of distribution. Acta Arithmetica, Cambridge, U.K., 1997, Cambridge University Press.
16. B. Berthomieu and M. Menasche. An enumerative approach for analyzing time Petri nets. IFIP Congress Series, 9:41–46, 1983.
17. A. Bhatia and E. Frazzoli. Incremental search methods for reachability analysis of continuous and hybrid systems. In HSCC, Philadelphia, PA, pp. 142–156, 2004.
18. S. Bornot, J. Sifakis, and S. Tripakis. Modeling urgency in timed systems. In W.P. de Roever, H. Langmaack, and A. Pnueli (editors), Compositionality: The Significant Difference, International Symposium (COMPOS'97), Bad Malente, Germany, LNCS 1536:103–129, September 1998, Springer, Berlin, Heidelberg.
19. D. Bosnacki. Digitization of timed automata. In Proceedings of the Fourth International Workshop on Formal Methods for Industrial Critical Systems (FMICS '99), Berlin, Germany, pp. 283–302, 1999.
20. O. Botchkarev and S. Tripakis. Verification of hybrid systems with linear differential inclusions using ellipsoidal approximations. In B. Krogh and N. Lynch (editors), Hybrid Systems: Computation and Control, Pittsburgh, PA, LNCS 1790:73–88, 2000, Springer-Verlag, Berlin, Heidelberg.
21. O. Bournez, O. Maler, and A. Pnueli. Orthogonal polyhedra: Representation and computation. In F. Vaandrager and J. van Schuppen (editors), Hybrid Systems: Computation and Control, Berg en Dal, the Netherlands, LNCS 1569:46–60, 1999, Springer-Verlag, Berlin, Heidelberg.
22. P. Bouyer. Forward analysis of updatable timed automata. Formal Methods in System Design, 24(3):281–320, 2004.
23. P. Bouyer, C. Dufourd, E. Fleury, and A. Petit. Are timed automata updatable? In CAV'00, Chicago, IL, LNCS 1855, 2000.
24. M. Bozga, O. Maler, and S. Tripakis. Efficient verification of timed automata using dense and discrete time semantics. In L. Pierre and T. Kropf (editors), Correct Hardware Design and Verification Methods, 10th IFIP WG 10.5 Advanced Research Working Conference (CHARME '99), Bad Herrenalb, Germany, LNCS 1703:125–141, September 1999, Springer.
26. K. Cerans and J. Viksna. Deciding reachability for planar multi-polynomial systems. In Hybrid Systems, pp. 389–400, 1995.
27. A. Chutinan and B.H. Krogh. Verification of polyhedral invariant hybrid automata using polygonal flow pipe approximations. In F. Vaandrager and J. van Schuppen (editors), Hybrid Systems: Computation and Control, Berg en Dal, the Netherlands, LNCS 1569:76–90, 1999, Springer-Verlag, Berlin, Heidelberg.
28. E. Clarke, A. Fehnker, Z. Han, B. Krogh, J. Ouaknine, O. Stursberg, and M. Theobald. Abstraction and counterexample-guided refinement in model checking of hybrid systems. International Journal of Foundations of Computer Science, 14(4):583–604, 2003.
29. T. Dang. Reachability-based technique for idle speed control synthesis. International Journal of Software Engineering and Knowledge Engineering (IJSEKE), 15(2):397–404, 2005.
30. T. Dang and O. Maler. Reachability analysis via face lifting. In T.A. Henzinger and S. Sastry (editors), Hybrid Systems: Computation and Control, Berkeley, CA, LNCS 1386:96–109, 1998, Springer-Verlag, Berlin, Heidelberg.
31. T. Dang and T. Nahhal. Using disparity to enhance test generation for hybrid systems. In TESTCOM/FATES, Tokyo, Japan, LNCS, 2008, Springer, Berlin, Heidelberg.
32. T. Dang and T. Nahhal. Model-based testing of hybrid systems. Technical report, Verimag, IMAG, November 2007.
33. C. Daws, A. Olivero, S. Tripakis, and S. Yovine. The tool KRONOS. In R. Alur, T.A. Henzinger, and E.D. Sontag (editors), Hybrid Systems III: Verification and Control, LNCS 1066:208–219, 1996, Springer, New York.
34. C. Daws and S. Tripakis. Model checking of real-time reachability properties using abstractions. In B. Steffen (editor), Fourth International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'98), Lisbon, Portugal, LNCS 1384:313–329, 1998, Springer, Berlin, Heidelberg.
35. D. Dill. Timing assumptions and verification of finite-state concurrent systems. In J. Sifakis (editor), Automatic Verification Methods for Finite State Systems, Grenoble, France, LNCS 407:197–212, 1989, Springer.
36. A. Donzé and O. Maler. Systematic simulation using sensitivity analysis. In HSCC, Gières, France, pp. 174–189, 2007.
37. J. Esposito, J.W. Kim, and V. Kumar. Adaptive RRTs for validating hybrid robotic control systems. In Proceedings of the Workshop on Algorithmic Foundations of Robotics, Zeist, the Netherlands, July 2004.
38. J.C. Fernandez, C. Jard, T. Jéron, and G. Viho. Using on-the-fly verification techniques for the generation of test suites. In CAV'96, New Brunswick, NJ, LNCS 1102, 1996, Springer.
39. G. Frehse, B. Krogh, R. Rutenbar, and O. Maler. Time domain verification of oscillator circuit properties. Electronic Notes in Theoretical Computer Science, 153(3):9–22, 2006.
40. A. Girard. Reachability of uncertain linear systems using zonotopes. In Hybrid Systems: Computation and Control, Zurich, Switzerland, LNCS 3414:291–305, 2005, Springer, Berlin, Heidelberg.
41. A. Girard and C. Le Guernic. Zonotope/hyperplane intersection for hybrid systems reachability analysis. In Hybrid Systems: Computation and Control (HSCC), St. Louis, MO, 2008, Springer, Berlin, Heidelberg.
42. A. Girard, C. Le Guernic, and O. Maler. Efficient computation of reachable sets of linear time-invariant systems with inputs. In Hybrid Systems: Computation and Control (HSCC), Santa Barbara, CA, LNCS 3927:257–271, 2006, Springer, Berlin, Heidelberg.
43. A. Girard and G. Pappas. Verification using simulation. In HSCC, Santa Barbara, CA, pp. 272–286, 2006.
44. P. Godefroid, N. Klarlund, and K. Sen. DART: Directed automated random testing. SIGPLAN Notices (PLDI'05), 40(6):213–223, 2005.
45. M.R. Greenstreet and I. Mitchell. Reachability analysis using polygonal projections. In F. Vaandrager and J. van Schuppen (editors), Hybrid Systems: Computation and Control, Berg en Dal, the Netherlands, LNCS 1569:76–90, 1999, Springer-Verlag, Berlin, Heidelberg.
46. R. Grosu, X. Huang, S.A. Smolka, W. Tan, and S. Tripakis. Deep random search for efficient model checking of timed automata. In F. Kordon and O. Sokolsky (editors), Seventh Monterey Workshop on Composition of Embedded Systems, Paris, France, LNCS 4888, October 2006, Springer.
47. T. Henzinger, P. Kopke, A. Puri, and P. Varaiya. What's decidable about hybrid automata? Journal of Computer and System Sciences, pp. 373–382, 1995, ACM Press.
48. T. Henzinger, Z. Manna, and A. Pnueli. What good are digital clocks? In ICALP'92, Vienna, Austria, LNCS 623, 1992.
49. T. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking for real-time systems. Information and Computation, 111(2):193–244, 1994.
50. T.A. Henzinger, P.-H. Ho, and H. Wong-Toi. HyTech: A model checker for hybrid systems. Software Tools for Technology Transfer, 1:110–122, 1997.
51. G.J. Holzmann. An analysis of bitstate hashing. Formal Methods in System Design, Kluwer, 3(3):287–305, 1998.
52. G.J. Holzmann. The Spin Model Checker: Primer and Reference Manual. Addison-Wesley, Reading, MA, 2004.
53. S. Iman and S. Joshi. The e Hardware Verification Language. Springer, New York, 2004.
54. C. Jard and T. Jeron. Bounded-memory algorithms for verification on-the-fly. In CAV'91, Aalborg, Denmark, LNCS 575, 1992, Springer, Berlin, Heidelberg.
55. A.A. Julius, G.E. Fainekos, M. Anand, I. Lee, and G.J. Pappas. Robust test generation and coverage for hybrid systems. In HSCC, Pisa, Italy, pp. 329–342, 2007.
56. J. Kapinski, B. Krogh, O. Maler, and O. Stursberg. On systematic simulation of open continuous systems. In HSCC, Prague, Czech Republic, pp. 283–297, 2003.
57. J. Kim, J. Esposito, and V. Kumar. Sampling-based algorithm for testing and validating robot controllers. International Journal of Robotics Research, 25(12):1257–1272, 2006.
58. D.E. Kirk. Optimal Control Theory: An Introduction. Dover Publications, May 2004.
59. M. Kloetzer and C. Belta. Reachability analysis of multi-affine systems. In Hybrid Systems: Computation and Control, Santa Barbara, CA, pp. 348–362, 2006, Springer, Berlin, Heidelberg.
60. M. Krichen and S. Tripakis. Conformance testing for real-time systems. Formal Methods in System Design, 34(3):238–304, 2009.
61. M. Krichen and S. Tripakis. Black-box conformance testing for real-time systems. In S. Graf and L. Mounier (editors), 11th International SPIN Workshop on Model Checking Software (SPIN'04), Barcelona, Spain, LNCS 2989:109–126, April 2004, Springer, Berlin, Heidelberg.
62. M. Krichen and S. Tripakis. Real-time testing with timed automata testers and coverage criteria. In Y. Lakhnech and S. Yovine (editors), Joint International Conference on Formal Modelling and Analysis of Timed Systems and Formal Techniques in Real-Time and Fault-Tolerant Systems (FORMATS/FTRTFT 2004), Grenoble, France, LNCS 3253:134–151, September 2004, Springer.
63. M. Krichen and S. Tripakis. State identification problems for timed automata. In F. Khendek and R. Dssouli (editors), 17th IFIP TC6/WG 6.1 International Conference on Testing of Communicating Systems (TestCom'05), Montreal, QC, LNCS 3502:175–191, May 2005, Springer, Berlin, Germany.
64. A. Kuehlmann, K. McMillan, and R. Brayton. Probabilistic state space search. In ICCAD'99, San Jose, CA, pp. 574–579, 1999.
65. J. Kuffner and S. LaValle. RRT-connect: An efficient approach to single-query path planning. In Proceedings of the IEEE International Conference on Robotics and Automation (ICRA 2000), San Francisco, CA, April 2000.
66. A. Kurzhanski and I. Valyi. Ellipsoidal Calculus for Estimation and Control. Birkhäuser, Boston, MA, 1997.
67. A.B. Kurzhanski and P. Varaiya. Ellipsoidal techniques for reachability analysis. In Hybrid Systems: Computation and Control, Pittsburgh, PA, 2000.
68. A.A. Kurzhanskiy and P. Varaiya. Ellipsoidal Toolbox (ET). In Proceedings of the 45th IEEE Conference on Decision and Control, San Diego, CA, 2006.
69. M. Kvasnica, P. Grieder, M. Baotić, and M. Morari. Multi-Parametric Toolbox (MPT). In Hybrid Systems: Computation and Control, Philadelphia, PA, LNCS 2993:448–462, 2004, Springer, Berlin, Heidelberg.
70. K. Larsen, P. Pettersson, and W. Yi. Uppaal in a nutshell. Software Tools for Technology Transfer, 1(1/2):134–152, October 1997.
71. S. LaValle and J. Kuffner. Rapidly-exploring random trees: Progress and prospects. In Workshop on the Algorithmic Foundations of Robotics, 2000.
72. S. LaValle. Planning Algorithms. Cambridge University Press, New York, 2006.
73. D. Lee and M. Yannakakis. Principles and methods of testing finite state machines: A survey. Proceedings of the IEEE, 84:1090–1126, 1996.
74. J. Lygeros, K. Johansson, S. Sastry, and M. Egerstedt. On the existence of executions of hybrid automata. In IEEE Conference on Decision and Control, Phoenix, AZ, 1999.
75. M. Mihail and C.H. Papadimitriou. On the random walk method for protocol testing. In D.L. Dill (editor), Proceedings of the Sixth International Conference on Computer-Aided Verification (CAV), Stanford, CA, LNCS 818:132–141, 1994, Springer, London, U.K.
76. O. Maler and A. Pnueli. Reachability analysis of planar multilinear systems. In Proceedings of the 4th Computer-Aided Verification, Elounda, Greece, LNCS 697, Springer, 1993.
77. I.M. Mitchell and J.A. Templeton. A toolbox of Hamilton-Jacobi solvers for analysis of nondeterministic continuous and hybrid systems. In Hybrid Systems: Computation and Control, Zurich, Switzerland, LNCS, Springer-Verlag, 2005, to appear.
78. N. Kitchen and A. Kuehlmann. Stimulus generation for constrained random simulation. In ICCAD 2007, San Jose, CA, pp. 258–265, 2007.
79. T. Nahhal and T. Dang. Test coverage for continuous and hybrid systems. In CAV, Berlin, Germany, pp. 454–468, 2007.
80. X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine. An approach to the description and analysis of hybrid systems. In Hybrid Systems, pp. 149–178, 1992.
81. J. Ouaknine and J. Worrell. Revisiting digitization, robustness, and decidability for timed automata. In LICS 2003, Ottawa, ON, 2003, IEEE CS Press, Washington, DC.
82. R. Paige and R. Tarjan. Three partition refinement algorithms. SIAM Journal on Computing, 16(6):973–989, 1987.
83. G. Pappas, G. Lafferriere, and S. Yovine. A new class of decidable hybrid systems. In F. Vaandrager and J. van Schuppen (editors), Hybrid Systems: Computation and Control, Berg en Dal, the Netherlands, LNCS 1569:29–31, 1999, Springer-Verlag, Berlin, Heidelberg.
84. R. Pelanek and I. Cerna. Enhancing random walk state space exploration. In Proc. of Formal Methods for Industrial Critical Systems (FMICS'05), Lisbon, Portugal, pp. 98–105, 2005, ACM Press, New York.
85. E. Plaku, L. Kavraki, and M. Vardi. Hybrid systems: From verification to falsification. In W. Damm and H. Hermanns (editors), International Conference on Computer Aided Verification (CAV), Berlin, Germany, LNCS 4590:468–481, 2007, Springer-Verlag, Berlin, Heidelberg.
86. S. Prajna and A. Jadbabaie. Safety verification of hybrid systems using barrier certificates. In R. Alur and G.J. Pappas (editors), Hybrid Systems: Computation and Control, Philadelphia, PA, LNCS 2993:477–492, 2004, Springer, Berlin, Heidelberg.
87. S. Prajna, A. Papachristodoulou, P. Seiler, and P.A. Parrilo. SOSTOOLS: Sum of Squares Optimization Toolbox for MATLAB, 2004.
88. A. Puri. Dynamical properties of timed automata. Discrete Event Dynamic Systems, 10(1–2):87–113, 2000.
89. A. Puri and P. Varaiya. Decidability of hybrid systems with rectangular differential inclusions. In D.L. Dill (editor), Proceedings of the Sixth International Conference on Computer-Aided Verification (CAV), Stanford, CA, LNCS 818:95–104, 1994, Springer-Verlag, Berlin, Heidelberg.
90. S. Ratschan and Z. She. Safety verification of hybrid systems by constraint propagation-based abstraction refinement. ACM Transactions on Embedded Computing Systems, 6(1), 2007.
91. S. Sankaranarayanan, T. Dang, and F. Ivancic. Symbolic model checking of hybrid systems using template polyhedra. In TACAS'08: Tools and Algorithms for the Construction and Analysis of Systems, Budapest, Hungary, 2008, Springer.
92. S. Shyam and V. Bertacco. Distance-guided hybrid verification with GUIDO. In DATE '06: Proceedings of the Conference on Design, Automation and Test in Europe, pp. 1211–1216, European Design and Automation Association, Munich, Germany, 2006.
93. J. Sifakis and S. Yovine. Compositional specification of timed systems. In 13th Annual Symposium on Theoretical Aspects of Computer Science (STACS'96), Grenoble, France, LNCS 1046, 1996, Springer-Verlag, Berlin, Heidelberg.
94. O. Stursberg and B. Krogh. Efficient representation and computation of reachable sets for hybrid systems. In Hybrid Systems: Computation and Control (HSCC), Prague, Czech Republic, LNCS, pp. 482–497, 2003, Springer, Berlin, Heidelberg.
95. L. Tan, J. Kim, O. Sokolsky, and I. Lee. Model-based testing and monitoring for hybrid embedded systems. In Proceedings of the IEEE International Conference on Information Reuse and Integration (IRI'04), Las Vegas, NV, 2004.
96. A. Tiwari. Formal semantics and analysis methods for Simulink Stateflow models. Technical report, SRI International, 2002.
97. A. Tiwari and G. Khanna. Nonlinear systems: Approximating reach sets. In Hybrid Systems: Computation and Control, Philadelphia, PA, LNCS 2993:600–614, 2004, Springer, Berlin, Heidelberg.
98. C. Tomlin, I. Mitchell, A. Bayen, and M. Oishi. Computational techniques for the verification of hybrid systems. Proceedings of the IEEE, 91(7):986–1001, 2003.
99. F. Torrisi and A. Bemporad. HYSDEL: A tool for generating computational hybrid models. IEEE Transactions on Control Systems Technology.
102. S. Tripakis. Fault diagnosis for timed automata. In W. Damm and E.-R. Olderog (editors), Formal Techniques in Real Time and Fault Tolerant Systems, Seventh International Symposium (FTRTFT'02), Oldenburg, Germany, LNCS 2469:205–224, September 2002, Springer, Berlin, Heidelberg.
103. S. Tripakis. Folk theorems on the determinization and minimization of timed automata. Information Processing Letters, 99(6):222–226, September 2006.
104. S. Tripakis. What is resource-aware verification? Unpublished document, 2008. Available from the author's web page.
105. S. Tripakis and C. Courcoubetis. Extending Promela and Spin for real time. In T. Margaria and B. Steffen (editors), Second International Workshop on Tools and Algorithms for Construction and Analysis of Systems (TACAS'96), Passau, Germany, LNCS 1055:329–348, March 1996, Springer, Berlin, Heidelberg.
106. S. Tripakis and S. Yovine. Analysis of timed systems using time-abstracting bisimulations. Formal Methods in System Design, 18(1):25–68, January 2001.
107. A. van der Schaft and H. Schumacher. An Introduction to Hybrid Dynamical Systems. LNCIS 251, 2000, Springer, Berlin, Germany.
108. B. Wile, J. Goss, and W. Roesner. Comprehensive Functional Verification. Elsevier, San Francisco, CA, 2005.
109. M. De Wulf, L. Doyen, and J.-F. Raskin. Almost ASAP semantics: From timed models to timed implementations. In Hybrid Systems: Computation and Control (HSCC'04), Philadelphia, PA, LNCS 2993, 2004, Springer, Berlin, Heidelberg.
110. M. Yannakakis and D. Lee. An efficient algorithm for minimizing real-time transition systems. In Fifth International Conference on Computer-Aided Verification, Elounda, Greece, LNCS 697, June 1993.
111. J. Yuan, C. Pixley, and A. Aziz. Constraint-Based Verification. Springer, New York, 2006.
112. H. Zhu, P. Hall, and J. May. Software unit test coverage and adequacy. ACM Computing Surveys, 29(4):366–427, 1997.
Semantics of Domain-Specific Modeling Languages

Ethan Jackson, Ryan Thibodeaux, Joseph Porter, and Janos Sztipanovits
CONTENTS
14.1 Introduction
14.2 Domain-Specific Modeling Languages
14.2.1 DSML Specification: Informal and Formal
14.2.2 Framework for Formal Semantics of DSMLs
14.3 Specification of Structural Semantics of DSMLs
14.3.1 Structural Semantics in DSMLs
14.3.2 Formal Foundations
14.3.2.1 Signatures and Terms
14.3.2.2 Terms with Types
14.3.2.3 Expressive Constraints with Logic Programming
14.3.3 An Introduction to Domains and Models
14.3.3.1 The Type of a Domain
14.3.4 Examining the Contents of Models
14.3.4.1 Examples of Negation as Failure
14.3.4.2 Boolean Composition of Queries
14.3.5 Adding Domain Constraints
14.3.5.1 Derived Functions and Logic Programs
14.3.6 Domains and Compositions of Domains
14.3.6.1 Properties of Compositions
14.3.7 Summary
14.4 Specification of Behavioral Semantics of DSMLs
14.4.1 Overview of Semantic Anchoring
14.4.2 Semantic Anchoring Example: Timed Automata
14.4.2.1 Timed Automata Overview
14.4.2.2 Semantic Unit Abstract Data Model
14.4.2.3 Operational Semantics
14.4.2.4 Composition of Timed Automata
14.4.2.5 TASU Modeling Language
14.4.2.6 Semantic Anchoring Example: The Timing Definition Language
14.4.2.7 Anchoring the TDL Modeling Language to the TASU
14.4.3 Conclusion
Acknowledgments
References
14.1 Introduction
Perhaps the most fundamental and persistent difficulty in engineering is misunderstanding between producers and consumers of technology. The computing industry is rife with tales of failed software projects. Bloated projects with obscene cost and schedule overruns mingle with stories of dramatic functional failures due to subtle bugs, incompatibilities, or incompetence. These problems stand in stark contrast to the requirements of embedded system designs, many of which operate in environments that demand total confidence in their proper and timely function. A large number of methodologies claim to address the deficiencies of software design in general [6,26,30,31]. Many have been successful in controlling some of the complexities of development, though notably far fewer have been tailored to address the specific problems of embedded systems design [8,28].

Embedded systems complicate the software development process in a number of important ways:
• Embedded implementations must operate with proven correctness in many environments. The notion of correctness takes on multiple forms. Both hardware and software must be correctly specified, designed, and constructed for the problem at hand. Specifications must correctly characterize the users' intentions, and the relationships between the behaviors of assembled components must not compromise those intentions. Designs and implementations must be verified against the requirements. Safety-critical embedded systems must also conform to additional requirements imposed by government standards and certification processes.

• Embedded systems are heterogeneous. Although we frequently think of embedded systems in terms of small devices, the end result (which is not always small) is the product of large and complex software designs. Even physical interconnections are many and varied between hardware components. Embedded systems require diverse notions of time and data values: a sensor may continuously monitor a process in order to precisely capture the time of occurrence of a desired event; an embedded processor may sample and process discrete streams of data; and analog circuitry may combine with digital logic and embedded software to implement a standard communications protocol. The constraints placed on embedded systems designs are also heterogeneous: power, memory, processor loading, physical dimensions, bandwidths, numbers of I/O lines, and many more. Distribution adds another dimension to design considerations. Engineers create functional designs and validate them through simulation. Implementation of those designs may exhibit unanticipated (even catastrophic) behavior when distributed over a network of independent processing nodes. In current practice, these issues are resolved by costly and time-consuming testing on a physical prototype.

FIGURE 14.1
Simplified design flow for embedded controllers. Blocks shown in the figure: plant dynamics models, controller models, specification/implementation interface, controller design, system-level design, software architecture models, system-level models, implementation platform design, code, HW and network configuration.

A simplified design flow for embedded control systems is shown in Figure 14.1. Heterogeneity of the design objectives (e.g., dynamics, safety, and power consumption) and the need for mitigating design complexity dictate that design progresses along abstraction layers, or "design platforms" [8]. The objective of controller design is the construction and verification of Controller Models that meet performance and safety requirements. This step requires modeling plant dynamics and controller dynamics, and verifying the performance and safety criteria using simulation and verification tools. System-level design takes the next step toward implementation. The objective is to select (or design) a software component model and a system architecture that are consistent with the implementation requirements in the controller design. This step requires careful consideration of the effects of the selected interaction model of the software component platform and the execution model of the system platform on the required controller dynamics. The last stage of the design flow is implementation platform design, which includes code generation for the software components from controller models, design of the assignment of the software components and their interactions to the computation and communication resources in the form of a Deployment Model, and verification of the implemented system.
In each of the stages of the design flow, the actual state of the design is expressed using domain-specific modeling languages (DSMLs). These languages comprise the required heterogeneous abstractions for expressing controller dynamics, software and system architecture, component behavior, and deployment effects. The models expressed in these DSMLs need to be precisely related to each other via the specification/implementation interfaces. They need to be analyzable, and their fidelity must be sufficiently precise to accurately predict the behavior of the implemented embedded controller. In addition, the design flow is supported by heterogeneous tools, including modeling tools, formal verification tools, simulators, test generators, language design tools, code generators, debuggers, and performance analysis tools, that must all cooperate to assist developers and engineers struggling to construct the required systems. If the DSMLs are only informally specified, then mismatched tool semantics may introduce mismatched interpretations of requirements, models, and analysis results. This is particularly problematic in the safety-critical real-time and embedded systems domain, where semantic ambiguities may produce conflicting results across different tools.

The goal of this chapter is to discuss the fundamental problems, methods, and techniques for specifying the semantics of DSMLs.
14.2 Domain-Specific Modeling Languages

Formal specification of DSMLs promises to extend the reach of DSML-based development techniques to ensure consistent analysis of designs, reuse of models between tools, and to increase the extent to which models can be constructed correctly during design. Numerous studies have shown the benefits of dealing with design flaws early in the development process [30]. As a first step, we discuss current techniques used for DSML specification, show examples for the different specification styles, and discuss the key concepts required for the formal specification of DSMLs.

14.2.1 DSML Specification: Informal and Formal

Current practice of specifying DSMLs covers a wide range of methods from formal to informal. Starting with the conceptualization of Harel and Rumpe [19], a DSML specification can be expressed as a 5-tuple $L = \langle A, C, S, M_S, M_C \rangle$ consisting of abstract syntax ($A$), concrete syntax ($C$), syntactic mapping ($M_C$), semantic domain ($S$), and semantic mapping ($M_S$).

The abstract syntax $A$ defines the language concepts, their relationships,