Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Related Work
Conclusions
References
All Topics
Computer Science
Information Systems

Modular refinement of hierarchic reactive machines

Profile image of Radu GrosuRadu Grosu

2000

https://doi.org/10.1145/325694.325746
visibility

description

30 pages

link

1 file

Abstract

Scalable formal analysis of reactive programs demands integration of modular reasoning techniques with existing analysis tools. Modular reasoning principles such as abstraction, compositional refinement, and assume-guarantee reasoning are well understood for architectural hierarchy that describes the communication structure between component processes, and have been shown to be useful. In this paper, we develop the theory of modular reasoning for behavior hierarchy that describes control structure using hierarchic modes. From Statecharts to UML, behavior hierarchy has been an integral component of many software design languages, but only syntactically. We present the hierarchic reactive modules language that retains powerful features such as nested modes, mode reuse, exceptions, group transitions, history, and conjunctive modes, and yet has a semantic notion of mode hierarchy. We present an observational trace semantics for modes that provides the basis for mode refinement. We show the refinement to be compositional with respect to the mode constructors, and develop an assume-guarantee reasoning principle.

Related papers

On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive Systems
Tommi Mikkonen

Foundations of Aspect-Oriented Languages, 2004

In order to provide better alignment between conceptual requirements and aspect-oriented implementations, formal specification methods should enable the encapsulation of logical abstractions of systems. In this paper we argue that horizontal architectures, consisting of such logical abstrac- tions, can provide better separation of concerns over con- ventional ones while supporting incremental development for more common units of modularity such as

View PDFchevron_right
Modal Action Logics for Reasoning about Reactive Systems
Jan Broersen

Faraday Discuss, 2003

View PDFchevron_right
On composing and proving the correctness of reactive behavior
Gera Weiss

2013 Proceedings of the International Conference on Embedded Software (EMSOFT), 2013

We present a method and a tool for composing a reactive system and for accompanying the development and documentation process with a proof of its correctness. The approach is based on behavioral programming (BP) and the Z3 SMT solver. We show how program verification can be automated and streamlined by combining properties of individual modules, specified and verified separately, with application-independent specifications both of the BP semantics and of general theories. The method may yield an exponential acceleration of the verification process when compared with model-checking the composite application. We show that formalization of properties of independent modules in preparation for the correctness proofs can be useful as documentation for future development. We view this work as a further step towards making formal correctness proofs standard practice in the development of reactive systems, and carried out by programmers at large.

View PDFchevron_right
On Modularity in Reactive Control Architectures, with an Application to Formal Verification
Mohammad Zamani

ACM Transactions on Cyber-Physical Systems, 2022

Modularity is a central principle throughout the design process for cyber-physical systems. Modularity reduces complexity and increases reuse of behavior. In this article we pose and answer the following question: how can we identify independent “modules” within the structure of reactive control architectures? To this end, we propose a graph-structured control architecture we call a decision structure and show how it generalizes some reactive control architectures that are popular in Artificial Intelligence (AI) and robotics, specifically Teleo-Reactive programs (TRs), Decision Trees (DTs), Behavior Trees (BTs), and Generalised Behavior Trees ( k -BTs). Inspired by the definition of a module in graph theory [ 16 ] we define modules in decision structures and show how each decision structure possesses a canonical decomposition into its modules, which can be found in polynomial time. We establish intuitive connections between our proposed modularity and modularity in structured progra...

View PDFchevron_right
A Logical Characterization of a Reactive System Language
Robert Kowalski

Lecture Notes in Computer Science, 2014

Typical reactive system languages are programmed by means of rules of the form if antecedent then consequent. However, despite their seemingly logical character, hardly any reactive system languages give such rules a logical interpretation. In this paper, we investigate a simplified reactive system language KELPS, in which rules are universally quantified material implications, and computation attempts to generate a model that makes the rules true. The operational semantics of KELPS is similar to that of other reactive system languages, and is similarly incomplete. It cannot make a rule true by making its antecedent false, or by making its consequent true whether or not its antecedent becomes true. In this paper, we characterize the reactive models computed by the operational semantics. Informally speaking, a model is reactive if every action in the model is an instance of an action in the consequent of a rule whose earlier conditions are true.

View PDFchevron_right
A Framework and Patterns for the Support of Reactive Specifications
Leonor Barroca

cse.wustl.edu

We defend the need of a dual approach for representing reactive systems and reasoning about their timing properties; this dual approach uses a notation for the specification of behaviour (preferably a graphical one), and a temporal logic to express formally, and reason about, this behaviour. The combination of two representation schemes forms the basis of a generic framework that can be instantiated for different choices of notations. Two instantiations of the framework, illustrating its use, are discussed. To describe in detail one of the instantiations (ArchSM method) we use design patterns.

View PDFchevron_right
Thorium: A Language for Bounded Verification of Dynamic Reactive Objects
Kevin Baldor

2023

Developing reliable reactive software is notoriously di cult -particularly when that software reacts by changing its behavior. Some of this di culty is inherent; software that must respond to external events as they arrive tends to end up in states that are dependent on the value of that input and its order of arrival. This results in complicated corner cases that can be challenging to recognize. However, we nd that some of the complexity is an accident of the features of the programming languages widely used in industry. The loops and subroutines of structured programming are well-suited to data transformation, but poorly capture -and sometimes obscure -the ow of data through reactive programs developed using the inversion-of-control paradigm; an event handler that modi es the data ow tends to be declared closer to the de nition of the event that activates it than to the initial denition of the data ow that it modi es. This paper approaches both challenges with a language inspired by the declarative modules of languages SIGNAL and Lustre and the semantics of the SodiumFRP Functional Reactive Programming library with a declarative mechanism for self modi cation through module substitution. These language features lead to software with a code structure that closely matches the ow of data through the running program and thus makes software easier to understand. Further, we demonstrate how those language features enable a bounded model checking approach that can verify that a reactor meets its requirements or present a counterexample trace, a series of states and inputs that lead to a violation. We analyze the runtime performance of the veri er as a function of model size and trace length. CCS Concepts: • Software and its engineering → Data ow languages.

View PDFchevron_right
Concepts of behavioral subtyping and a sketch of their extension to component-based systems
Gary Leavens

2000

Object-oriented systems are able to treat objects indirectly by message passing. This allows them to manipulate objects without knowing their exact runtime type. Behavioral subtyping helps one reason in a modular fashion about such programs. That is, one can reason based on the static types of expressions in a program, provided that static types are upper bounds of the runtime types in a subtyping preorder, and that subtypes satisfy the conditions of behavioral subtyping. We survey various notions of behavioral subtyping proposed in the literature for objectoriented programming. We also sketch a notion of behavioral subtyping for objects in component-based systems, where reasoning about the events that a component can raise is important.

View PDFchevron_right
Synchronous Formalism and Behavioral Substitutability in Component Frameworks
Jean-Paul Rigault

2005

When using a component framework, developers need to respect the behavior implemented by the components. Static information about the component interface is not sufficient. Dynamic information such as the description of valid sequences of operations is required. In this paper we propose a mathematical model obeying the Synchronous hypothesis and a formal language to describe the knowledge about behavior. We focus on extension of components, owing to the notion of behavioral substitutability. A formal semantics for the language is defined and a compositionality result allows us to get modular model-checking facilities. From the language and the model, we can draw practical design rules that are sufficient to preserve behavioral substitutability. Associated tools may ensure correct (re)use of components, as well as automatic simulation and verification, code generation, and runtime checks.

View PDFchevron_right
Behavioural Models for Hierarchical Components
Tomas Barros

Lecture Notes in Computer Science, 2005

We describe a method for the specification and verification of the dynamic behaviour of component systems. Building applications using a component framework allows the developers to specify the architecture, the deployment, the life-cycle of the system with well-defined formalisms, and to gain productivity by reusing existing components. But then one wants to make sure that the application built from existing components is safe, in the sense that its parts fit together appropriately and behave together smoothly. Each component must be adequate to its assigned role within the system, and the update or replacement of a component should not cause deadlock or failure of the rest of the system. The usual notion of type compatibility of interfaces is not sufficient; we need to capture the dynamic interaction between components, and typically to avoid deadlocks or unexpected behaviours in the system. In this work, we focus on hierarchical component systems. We describe both the functional behaviour and the non-functional features (life-cycle management) of components in terms of synchronised transition systems; we define a notion of correct component composition; then we show how we can prove, using (compositional) model-checking techniques, temporal properties of a component system. Transformations of a system, for example replacement of a sub-component, are expressed as transformations of its behavioural semantics, allowing to prove preservation of some properties, or the validity of new properties after transformation.

View PDFchevron_right

References (32)

  1. Abadi, M. and Lamport, L. 1995. Conjoining specifications. ACM TOPLAS 17, 507-534.
  2. Alur, R., de Alfaro, L., Grosu, R., Henzinger, T., Kang, M., Majumdar, R., Mang, F., Kirsch, C., and Wang, B. 2001. Mocha: A model checking tool that exploits design structure. In Proceedings of 23rd International Conference on Software Engineering. 835-836.
  3. Alur, R., Grosu, R., and McDougall, M. 2000. Efficient reachability analysis of hierarchical reactive machines. In Computer Aided Verification: 12th International Conference. LNCS 1855. Springer, 280-295.
  4. Alur, R. and Henzinger, T. 1999. Reactive modules. Formal Methods in System Design 15, 1, 7-48. Invited submission to FLoC'96 special isuue. A preliminary version appears in Proc. 11th LICS, 1996.
  5. Alur, R. and Wang, B. 2001. Verifying network protocol implementations by symbolic refine- ment checking. In Computer Aided Verification: 13th International Conference. LNCS 2102. Springer, 169-181.
  6. Alur, R. and Yannakakis, M. 1998. Model checking of hierarchical state machines. In Proceed- ings of the Sixth ACM Symposium on Foundations of Software Engineering. 175-188.
  7. Behrmann, G., Larsen, K., Andersen, H., Hulgaard, H., and Lind-Nielsen, J. 1999. Verifica- tion of hierarchical state/event systems using reusability and compositionality. In TACAS '99: Fifth International Conference on Tools and Algorithms for the Construction and Analysis of Software. LNCS 1579. Springer, 163-177.
  8. Bhargavan, K., Gunter, C., Gunter, E., Jackson, M., Obradovic, D., and Zave, P. 1998. The village telephone system: A case study in formal software engineering. In Theorem Proving in Higher Order Logics: 11th International Conference. LNCS 1479. Springer, 49-66.
  9. Booch, G., Jacobson, I., and Rumbaugh, J. 1997. Unified Modeling Language User Guide. Addison Wesley.
  10. Chan, W., Anderson, R., Beame, P., Burns, S., Modugno, F., Notkin, D., and Reese, J. 1998. Model checking large software specifications. IEEE Transactions on Software Engineering 24, 7, 498-519.
  11. Clarke, E. and Emerson, E. 1981. Design and synthesis of synchronization skeletons using branching time temporal logic. In Proc. Workshop on Logic of Programs. LNCS 131. Springer, 52-71.
  12. Clarke, E. and Kurshan, R. 1996. Computer-aided verification. IEEE Spectrum 33, 6, 61-67.
  13. Grosu, R., Stefanescu, G., and Broy, M. 1998. Visual formalisms revisited. In CSD'98, International Conference on Application of Concurrency to System Design. IEEE, 41-51.
  14. Grümberg, O. and Long, D. 1994. Model checking and modular verification. ACM Transactions on Programming Languages and Systems 16, 3, 843-871.
  15. Harel, D. 1987. Statecharts: A visual formalism for complex systems. Science of Computer Programming 8, 231-274.
  16. Harel, D. and Naamad, A. 1996. The statemate semantics of statecharts. ACM Trans. Software Engin. Methods 5, 4, 293-333.
  17. Harel, D., Pnueli, A., Schmidt, J., and Sherman, R. 1987. On the formal semantics of state- charts. In Proc. 2nd IEEE Symposium on Logic in Computer Science. 54-64.
  18. Henzinger, T., Qadeer, S., and Rajamani, S. 1998. You assume, we guarantee: Methodology and case studies. In CAV 98: Computer-aided Verification. LNCS 1427. Springer, 521-525.
  19. Holzmann, G. 1997. The model checker SPIN. IEEE Trans. on Software Engineering 23, 5, 279-295.
  20. Huber, F., Schtz, B., Schmidt, A., and Spies, K. 1996. Autofocus -a tool for distributed systems specification. In Proceedings FTRTFT'96 -Formal Techniques in Real-Time and Fault-Tolerant Systems. Springer Verlag, LNCS 1135, 467-470.
  21. Jahanian, F. and Mok, A. 1987. A graph-theoretic approach for timing analysis and its imple- mentation. IEEE Transactions on Computers C-36, 8, 961-975.
  22. Lamport, L. 1994. The temporal logic of actions. ACM Transactions on Programming Languages and Systems 16, 3, 872-923.
  23. Leveson, N., Heimdahl, M., Hildreth, H., and Reese, J. 1994. Requirements specification for process control systems. IEEE Transactions on Software Engineering 20, 9, 684-707.
  24. Lüttgen, G., van der Beeck, M., and Cleaveland, R. 2000. A compositional approach to Statecharts semantics. In Proceedings of the Eighth International Symposium on Foundations of Software Engineering. 120-129.
  25. Lynch, N. and Tuttle, M. 1987. Hierarchical correctness proofs for distributed algorithms. In Proceedings of the Seventh ACM Symposium on Principles of Distributed Computing. 137-151.
  26. McMillan, K. 1993. Symbolic model checking: an approach to the state explosion problem. Kluwer Academic Publishers.
  27. McMillan, K. 1997. A compositional rule for hardware design refinement. In CAV 97: Computer- Aided Verification. LNCS 1254. 24-35.
  28. Milner, R. 1980. A Calculus of Communicating Systems. LNCS 92. Springer.
  29. Pnueli, A. and Shalev, M. 1991. What is in a step: On the semantics of statecharts. In Proc. Symposium on Theoretical Aspects of Computer Software. LNCS 526. Springer, 244-264.
  30. Selic, B., Gullekson, G., and Ward, P. 1994. Real-time object oriented modeling and design. J. Wiley.
  31. Stark, E. 1985. A proof technique for rely-guarantee properties. In FST & TCS 85, Foundations of Software Technology and Theoretical Computer Science. LNCS 206. Springer, 369-391.
  32. Uselton, A. and Smolka, S. 1994. A compositional semantics for statecharts using labeled transition systems. In CONCUR'94: Concurrency Theory, Fifth International Conference. LNCS 836. Springer, 2-17.

Related papers

A logic for the stepwise development of reactive systems
Alexandre Madeira

Theoretical Computer Science, 2018

D ↓ is a new dynamic logic combining regular modalities with the binder constructor typical of hybrid logic, which provides a smooth framework for the stepwise development of reactive systems. Actually, the logic is able to capture system properties at different levels of abstraction, from high-level safety and liveness requirements, to constructive specifications representing concrete processes. The paper discusses its semantics, given in terms of reachable transition systems with initial states, its expressive power and a proof system. The methodological framework is in debt to the landmark work of D. Sannella and A. Tarlecki, instantiating the generic concepts of constructor and abstractor implementations by standard operators on reactive components, e.g. relabelling and parallel composition, as constructors, and bisimulation for abstraction.

View PDFchevron_right
Towards formalizing behavioral substitutability in component frameworks
Jean-paul Rigault

Proceedings of the Second International Conference on Software Engineering and Formal Methods, 2004. SEFM 2004., 2004

Dynamic information such as the description of valid sequences of operations is required. In this paper we propose a mathematical model and a formal language to describe the knowledge about behavior. We rely on a hierarchical model of deterministic finite state-machines. The execution model of these state-machines follows the Synchronous Paradigm. We focus on extension of components, owing to the notion of behavioral substitutability. A formal semantics for the language is defined and a compositionality result allows us to get modular model-checking facilities. From the language and the model, we can draw practical design rules that are sufficient to preserve behavorial substitutability. Associated tools may ensure correct (re)use of components, as well as automatic simulation and verification, code generation, and run-time checks.

View PDFchevron_right
A novel paradigm for programming reactive systems centered on naturally specified modular behavior
Gera Weiss

sPeLLing oUT The requirements for a software system under development is not an easy task, and translating captured requirements into correct operational software can be even harder. Many technologies (languages, modeling tools, programming paradigms) and methodologies (agile, test-driven, model-driven) were designed, among other things, to help address these challenges. One widely accepted practice is to formalize requirements in the form of use cases and scenarios. Our work extends this approach into using scenarios for actual programming. Specifically, we propose scenario-coding techniques and design approaches for constructing reactive systems 28 incrementally from their expected behaviors. The work on behavioral programming began with scenario-based programming, a way to create executable specifications of reactive systems, introduced through the language of live sequence charts (LSC) and its Play-Engine implementation. The initial purpose was to enable testing and refining spe...

View PDFchevron_right
Efficient Reachability Analysis of Hierarchical Reactive Machines
Radu Grosu

2000

Hierarchical state machines is a popular visual formalism for software specifications. To apply automated analysis to such specifications, the traditional approach is to compile them to existing model checkers. Aimed at exploiting the modular structure more effectively, our approach is to develop algorithms that work directly on the hierarchical structure. First, we report on an implementation of a visual hierarchical language with modular features such as nested modes, variable scoping, mode reuse, exceptions, group transitions, and history. Then, we identify a variety of heuristics to exploit these modular features during reachability analysis. We report on an enumerative as well as a symbolic checker, and case studies.

View PDFchevron_right
Contract-based compositional analysis for reactive systems in RTEdge TM , an AADL-based language
Ernesto Posse

2013

This report investigates compositional reasoning techniques for RTEdge TM [Ghe11, Pos13a], a language for modelling real-time embedded systems based on AADL [SAE12] and developed by Edgewater Computer Systems Inc. The RTEdge TM platform supports formal verification of software models as described in [Ghe11], but it performs a monolithic analysis, by model-checking the entire model at once. To avoid or alleviate the state explosion problem, we propose the use of assume/guarantee contract-based reasoning, a family of compositional analysis semi-automatic techniques which leverage the structure of the model under consideration. In particular, we adapt the generic theoretical framework for assume/guarantee contracts proposed in [BDH`12a] to the RTEdge TM setting where contracts would be specified using the Property Specification Language (PSL) [IEE05] an IEEE standard. In this report we describe: 1) how PSL could be adapted to specify contracts for RTEdge TM models, 2) how to establish the consistency and conformance of specifications and contracts between different language elements such as protocols, interfaces and capsules, 3) how the framework from [BDH`12a] can be used with PSL to perform compositional analysis, including quotienting, i.e., finding a specification that can "complete" a model and 4) a description of the tool support required to implement this framework with a quick survey of available tools that could be used.

View PDFchevron_right

Related topics

  • Information Systems
  • Control Structure

    • Cited by

    Modular Specification of Hybrid Systems in CHARON
    Insup Lee

    2000

    We propose a language, called Charon, for modular specification of interacting hybrid systems. For hierarchical description of the system architecture, Charon supports building complex agents via the operations of instantiation, hiding, and parallel composition. For hierarchical description of the behavior of atomic components, Charon supports building complex modes via the operations of instantiation, scoping, and encapsulation. Features such as weak preemption, history retention, and externally defined Java functions, facilitate the description of complex discrete behavior. Continuous behavior can be specified using differential as well as algebraic constraints, and invariants restricting the flow spaces, all of which can be declared at various levels of the hierarchy. The modular structure of the language is not merely syntactic, but can be exploited during analysis. We illustrate this aspect by presenting a scheme for modular simulation in which each mode can be compiled solely based on the locally declared information to execute its discrete and continuous updates, and furthermore, submodes can integrate at a finer time scale than the enclosing modes.

    View PDFchevron_right
    And/Or Hierarchies and Round Abstraction
    Radu Grosu

    Lecture Notes in Computer Science

    Sequential and parallel composition are the most fundamental operators for incremental construction of complex concurrent systems. They reflect the temporal and respectively the spatial properties of these systems. Hiding temporal detail like internal computation steps supports temporal scalability and may turn an asynchronous system to a synchronous one. Hiding spatial detail like internal variables supports spatial scalability and may turn a synchronous system to an asynchronous one. In this paper we show on hand of several examples that a language explicitly supporting both sequential and parallel composition operators is a natural setting for designing heterogeneous synchronous and asynchronous systems. The language we use is Shrm, a visual language that backs up the popular and/or hierarchies of statecharts with a well defined compositional semantics.

    View PDFchevron_right
    Hierarchical and Recursive State Machines with Context-Dependent Properties
    Margherita Napoli

    Lecture Notes in Computer Science, 2003

    Hierarchical and recursive state machines are suitable abstract models for many software systems. In this paper we extend a model recently introduced in literature, by allowing atomic propositions to label all the kinds of vertices and not only basic nodes. We call the obtained models context-dependent hierarchical/recursive state machines. We study on such models cycle detection, reachability and Ltl modelchecking. Despite of a more succinct representation, we prove that Ltl model-checking can be done in time linear in the size of the model and exponential in the size of the formula, as for standard Ltl model-checking. Reachability and cycle detection become NP-complete, and if we place some restrictions on the representation of the target states, we can decide them in time linear in the size of the formula and the size of the model.

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved