UML&FM 2012
1. Formal Semantics of Extended Hierarchical State Transition Matrix (EHSTM) by CSP
Y. Yamagata, W. Kong, A. Fukuda, T. Nguyen, H. Ohsaki, K. Taguchi
AIST and Kyushu University
CNAM, Paris, August 27th, 2012
4. Table vs. Chart
EHSTM
• Table based
• Event/state hierarchy
• Pros
– All combinations of events and states must be considered
• Cons
– Less intuitive
– Tables tend to be very large

State chart
• Chart based
• Composite state
• Pros
– Intuitive
• Cons
– Possibility of overlooking a combination of a state and an event
5. ZIPC (1)
• ZIPC uses EHSTM as a modeling method
• ZIPC provides
– simulation of models
– code generation to C/C++
[Figure: ZIPC tables feed both simulation and C/C++ code generation]
6. ZIPC (2)
• Market share in Japan
– among non-UML based modeling tools
[Pie chart: segments ZIPC, MATLAB/Simulink, Rational Test RealTime, Rational Rose RealTime; values shown 42, 34, 5, 5]
9. Garakabu2 (3)
[Figure: ZIPC (EHSTM, simulation, C/C++ code generation) → formulas → CVC3 (SMT solver)]
• Justification? Complexity of translation
• No formal justification
10. Our approach
[Figure: ZIPC (EHSTM, simulation, C/C++ code generation) → CSP language → PAT verifier]
• PAT verifier: state-of-the-art model checker for CSP
• CSP language: high-level specification language
• Relatively simple translation
11. Related works
Formal semantics of state-chart
• Uselton 1994; Harel, Naamad 1996
Translation from state-chart to CSP
• Fuhrmann 1998
• Sun et al. 2005, 2008
• Zhang and Liu 2010
Previous works on EHSTM
• Kong et al. 2011, 2011
13. Translation
EHSTM                   CSP
System                  Process
Task                    Process
Hierarchy of matrices   Parallel composition
Matrix                  Process
State                   Global variable
Event virtual frame     Sequence of events
Event                   Event
Expression              Expression
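As an added example (not code from the talk, nor from ZIPC, Garakabu2 or PAT), the Python script below applies the mapping in the table above to a small constructed pair of transition matrices that hand off through two shared flags: each matrix becomes a process, its current state a global integer, each cell a guarded event with data operations, and the two matrices are composed in parallel. It also explores the same matrices explicitly, which is how PAT decides `deadlockfree`, and shows that a "forgotten action" bug leaves the model stuck. The CSP# rendering (`var`, `[guard]event{ops}`, `[]`, `|||`, `#assert`) is an assumed encoding of the table, not the paper's exact translation, and the handshake model, its variable names and its bug are constructed for illustration.

```python
"""Translate small state transition matrices to a CSP# process and check them
for deadlock by explicit state exploration.  Added example; the model and the
encoding are assumptions, not the talk's own translation or tools."""
from collections import deque


class Cell:
    """One matrix cell: fire when `guard` (var, value) holds, apply `action`
    (list of (var, value) assignments), then move to state `nxt`.
    A missing cell is an impossible state/event combination ("x")."""
    def __init__(self, guard, action, nxt):
        self.guard, self.action, self.nxt = guard, action, nxt


class Matrix:
    """A state transition matrix; states[0] is the initial state and
    cells maps (state, event) -> Cell."""
    def __init__(self, name, states, cells):
        self.name, self.states, self.cells = name, states, cells


def make_model(fixed):
    """Constructed handshake: m0 raises e0, m1 consumes it and should raise e1,
    m0 consumes e1.  With fixed=False, m1 forgets to raise e1 (the bug)."""
    take_action = [("e0", 0), ("e1", 1)] if fixed else [("e0", 0)]
    m0 = Matrix("m0", ["S0", "S1"], {
        ("S0", "send"): Cell(("e0", 0), [("e0", 1)], "S1"),
        ("S1", "ack"):  Cell(("e1", 1), [("e1", 0)], "S0"),
    })
    m1 = Matrix("m1", ["T0", "T1"], {
        ("T0", "take"):  Cell(("e0", 1), take_action, "T1"),
        ("T1", "reset"): Cell(("e1", 0), [], "T0"),
    })
    return [m0, m1], {"e0": 0, "e1": 0}   # matrices, initial shared variables


def to_csp(matrices, variables):
    """Emit CSP# text: shared variables and one state variable per matrix,
    each cell as a guarded event carrying its assignments, the matrices
    interleaved into System(), plus a deadlock-freedom assertion."""
    lines = [f"var {v} = {val};" for v, val in variables.items()]
    for m in matrices:
        lines.append(f"var {m.name}_st = 0;  // index into {m.states}")
        branches = []
        for (st, ev), c in m.cells.items():
            i, j = m.states.index(st), m.states.index(c.nxt)
            ops = "; ".join([f"{v} = {x}" for v, x in c.action] + [f"{m.name}_st = {j}"])
            branches.append(
                f"[{m.name}_st == {i} && {c.guard[0]} == {c.guard[1]}]{ev}{{{ops}}} -> {m.name}()")
        lines.append(f"{m.name}() = " + " [] ".join(branches) + ";")
    lines.append("System() = " + " ||| ".join(f"{m.name}()" for m in matrices) + ";")
    lines.append("#assert System() deadlockfree;")
    return "\n".join(lines)


def find_deadlock(matrices, variables):
    """Breadth-first exploration over (matrix states, variable values).
    Returns the first global state with no enabled cell, or None."""
    start = (tuple(m.states[0] for m in matrices), tuple(sorted(variables.items())))
    seen, queue = {start}, deque([start])
    while queue:
        sts, vs = queue.popleft()
        env, enabled = dict(vs), False
        for k, m in enumerate(matrices):
            for (st, ev), c in m.cells.items():
                if st != sts[k] or env.get(c.guard[0]) != c.guard[1]:
                    continue                      # wrong state or guard false
                enabled = True
                new_env = dict(env)
                new_env.update(c.action)
                new_sts = sts[:k] + (c.nxt,) + sts[k + 1:]
                succ = (new_sts, tuple(sorted(new_env.items())))
                if succ not in seen:
                    seen.add(succ)
                    queue.append(succ)
        if not enabled:
            return {"states": sts, "vars": env}
    return None


if __name__ == "__main__":
    for fixed in (False, True):
        mats, init = make_model(fixed)
        print(f"--- fixed={fixed} ---")
        print(to_csp(mats, init))
        print("deadlock:", find_deadlock(mats, init))
```

The buggy variant deadlocks with m0 in S1 waiting for e1 while m1 sits in T0 waiting for e0, which neither side will ever raise; the fixed variant cycles through all five reachable global states. The generated text can be pasted into PAT as-is to repeat the `deadlockfree` check there.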
16. Experiments
Experiment 1
• Test the interpretation of hierarchical
matrices
• Compare the result with Garakabu2
Experiment 2
• Motivating example in Kong 2011
• Check the performance of the translation
17. Experiments - results
Experiment 1
• Both report deadlock, as expected.
Experiment 2
• PAT is >1000 times faster than Garakabu2
• This is most likely because PAT does explicit model checking, while Garakabu2 uses an SMT solver.
18. Experiment 1 - model
[Figure: hierarchical matrices. Top-level matrix □0 with states S0, S1, S2, cells guarded by e0==0 / e0==1 with actions e0=1 / e0=0; sub-matrix □0.1 with states S01, S02, cells guarded by e1==0 / e1==1 with actions e1=1 and return; sub-matrix □0.2 with states S011, S012, S013, cells guarded by e2==0 / e2==1 with actions e2=1, e2=0, tmp=1, tmp=0 and return. Cells marked x are impossible combinations.]
19. Experiment 1 - results
• Garakabu2 and PAT both report deadlock
• Time required < 1 s
21. Experiment 2 – properties
• Deadlock-free
• STC1 ≡ □(returner==ret ⇒ changer==wait_money_taken)
• STC2 ≡ □(changer==wait_request ⇒ returner==wait)
• DYN ≡ □((changer==wait_request && X changer==wait_money_taken) ⇒ X returner==ret)
22. Experiment 2 – results (1)
Example with bug

Property   PAT result   PAT time   Garakabu2 result   Garakabu2 time
Deadlock   Invalid      0.0013     Invalid            93
STC1       Invalid      0.011      Invalid            14
STC2       Invalid      0.0016     Invalid            16
DYN        Invalid      0.0016     Invalid            4
23. Experiment 2 – results (2)
Example without bug

Property   PAT result   PAT time   Garakabu2 result   Garakabu2 time
Deadlock   Valid        0.077      Valid              1239
STC1       Valid        0.053      Valid              511
STC2       Valid        0.039      Valid              735
DYN        Valid        0.056      Valid              3211
24. Summary
• Simple translation from EHSTM to CSP
– Gives a rigorous model of EHSTM
• Verification of the translated model using PAT
– The results coincide with those of Garakabu2
– Faster than Garakabu2
25. Future work
• Support more functionality of EHSTM
– Hierarchical states
– Interrupt
• PAT plugin
– Mechanize translation