A DSL to feedback formal verification results

1/33
V&V and MDE Formal language V&V for DSML Current state FeVeReL Conclusion & Perspectives
A DSL to feedback formal veriﬁcation results
Faiez ZALILA 1
Xavier CREGUT 2
Marc PANTEL 2
1IRT Saint-Exupéry, Toulouse, France
2
University of Toulouse, IRIT-CNRS
October 3, 2016

2/33
Goals: Improve the development of critical systems
Resources
Model-driven engineering
Formal verification
model
model
model
represented by
represented by
represented by
conforms to
conforms to
conforms to
Model-Driven EngineeringLanguage Engineering
editors
Language
expert
Domain
expert
simulators
User
verifiers
generators
DSML
editors
simulators
User
verifiers
generators
DSML
editors
simulators
User
verifiers
generators
DSML
Language
expert
Domain
expert
Language
expert
Domain
expert

3/33
Formal model verification
model-checking
tools
DSML
model
Formal
model
Formal
properties
Formal
verification
results
DSML
verification
results
DSML
end-user
defines
obtains
defines/uses
DSML
behavioral
properties
DSML Verifier

3/33
Formal model verification
model-checking
tools
DSML
model
Formal
model
Formal
properties
Formal
verification
results
DSML
verification
results
DSML
end-user
defines
obtains
defines/uses
DSML
behavioral
properties
model-checking
tools
Formal
model
Formal
properties
Formal
verification
results
DSML Verifier

3/33
Translational approach
model-checking
tools
DSML
model
Formal
model
Formal
properties
Formal
verification
results
DSML
verification
results
DSML
end-user
defines
obtains
defines/uses
DSML
behavioral
properties
model-checking
tools
Formal
model
Formal
properties
Formal
verification
results
Translational
semantics
Domain
expert
Language
expert
specifies implements
DSML Verifier

3/33
DSML Verifier: Reuse formal tools
model-checking
tools
DSML
model
Formal
model
Formal
properties
Formal
verification
results
DSML
verification
results
DSML
end-user
defines
obtains
defines/uses
DSML
behavioral
properties
model-checking
tools
Formal
model
Formal
properties
Formal
verification
results
Translational
semantics
Domain
expert
Language
expert
Properties
generation
Feedback
verification
results
DSML Verifier

3/33
Defining a translational semantics
model-checking
tools
DSML
model
Formal
model
Formal
properties
Formal
verification
results
DSML
verification
results
DSML
end-user
defines
obtains
DSML
behavioral
properties
model-checking
tools
Formal
model
Formal
properties
Formal
verification
results
Translational
semantics
Domain
expert
Language
expert
Properties
generation
Feedback
verification
results
Missing
DSML Verifier

3/33
Completing the integration
model-checking
tools
DSML
model
Formal
model
Formal
properties
Formal
verification
results
DSML
verification
results
DSML
end-user
defines
obtains
DSML
behavioral
properties
model-checking
tools
Formal
model
Formal
properties
Formal
verification
results
Translational
semantics
Domain
expert
Language
expert
Properties
generation
Feedback
verification
results
Ad-hoc
DSML Verifier

4/33
Outline
1 Integrating V&V in MDE
2 Introducing the formal language
3 Integrating the verification activity for DSML
4 Feedback of verification results to the DSML level: Current state
5 Feedback Verification Results Language (FeVeReL)
6 Conclusion & Perspectives

5/33
Outline

6/33
Defining a DSML
Software & Systems Process Engineering Metamodel (SPEM)
2
finishToFinish
2 2
finishToFinish
Programming
Documenting
TestCaseWriting
Designing
startToStart
finishToStart
startToStart
Developer
---------------
count = 3
2
1
Designer
---------------
count = 2
2
1
Computer
---------------
count = 3
1
startToStart
startToStart
startToFinish
finishToStart
finishToFinish
<<enumeration>>
WSType
name: String
minTime : Int
maxTime : Int
Process
name : String
minTime : Int
maxTime : Int
WorkDefinition
linkType : WSType
WorkSequence
quantity: Int
Parameter name : String
count : Int
Resource
0 .. * workDefinitions
1 successor
0 .. * workSequences
1 predecessor linkToSuccessor 0 .. *
linkToPredecessor 0 .. *
0..* parameters
1 workDefinition
1 resource 0..* resources
conforms to

7/33
Defining a DSML
SPEM as a DSML
startToStart
startToFinish
finishToStart
finishToFinish
<<enumeration>>
WSType
name: String
minTime : Int
maxTime : Int
Process
name : String
minTime : Int
maxTime : Int
WorkDefinition
linkType : WSType
WorkSequence
quantity: Int
count : Int
Resource
1 successor
0..* parameters
1 workDefinition
1 resource 0..* resources
Abstract syntax Well-formedness properties
Workdefinitions names uniqueness
context Process
inv names_uniqueness:
self.workDefinitions
->forAll(wd1, wd2|wd1 <> wd2
implies wd1.name <> wd2.name)
Graphical concrete syntax Textual concrete syntax Execution semantics

8/33
The executable DSML pattern
Explicit the execution semantics
The executable DSML pattern (Combemale et al.)
A general approach to assist in the definition of an execution semantics for a DSML
Make explicit the various concerns for the execution of DSMLs
<<import>>
<<merge>>DDMM
EDMM
SPEMEvent
WorkDefinitionEvent
StartWD FinishWD
TM3
Scenario
Trace
name : String
date : Int
Internal : Boolean
RuntimeEvent
startToStart
startToFinish
finishToStart
finishToFinish
<<enumeration>>
WSType
name: String
minTime : Int
maxTime : Int
Process
name : String
minTime : Int
maxTime : Int
WorkDefinition
linkType : WSType
WorkSequence
count : Int
Resource
1 successor
0..* parameters
1 workDefinition
1 ressource 0..* ressources
0 .. * tracesruntimeEvents 0..*
1 workDefinition
SDMM
state: ExecutionState
WorkDefinition
notStarted
running
finished
<<enumeration>>
ExecutionState
0..* dynamic_wds
<<merge>>
<<merge>>

8/33
<<import>>
<<merge>>DDMM
EDMM
SPEMEvent
StartWD FinishWD
TM3
Scenario
Trace
name : String
date : Int
Internal : Boolean
RuntimeEvent
startToStart
startToFinish
finishToStart
finishToFinish
<<enumeration>>
WSType
name: String
minTime : Int
maxTime : Int
Process
name : String
minTime : Int
maxTime : Int
WorkDefinition
linkType : WSType
WorkSequence
count : Int
Resource
1 successor
0..* parameters
1 workDefinition
1 workDefinition
SDMM
WorkDefinition
notStarted
running
finished
<<enumeration>>
ExecutionState
0..* dynamic_wds
<<merge>>
<<merge>>
States

8/33
<<import>>
<<merge>>DDMM
EDMM
SPEMEvent
StartWD FinishWD
TM3
Scenario
Trace
name : String
date : Int
Internal : Boolean
RuntimeEvent
startToStart
startToFinish
finishToStart
finishToFinish
<<enumeration>>
WSType
name: String
minTime : Int
maxTime : Int
Process
name : String
minTime : Int
maxTime : Int
WorkDefinition
linkType : WSType
WorkSequence
count : Int
Resource
1 successor
0..* parameters
1 workDefinition
1 workDefinition
SDMM
WorkDefinition
notStarted
running
finished
<<enumeration>>
ExecutionState
0..* dynamic_wds
<<merge>>
<<merge>>
StatesEvents
StartWD Designing
FinishWD Designing
StartWD TestCaseWriting
...
...
..

8/33
<<import>>
<<merge>>DDMM
EDMM
SPEMEvent
StartWD FinishWD
TM3
Scenario
Trace
name : String
date : Int
Internal : Boolean
RuntimeEvent
startToStart
startToFinish
finishToStart
finishToFinish
<<enumeration>>
WSType
name: String
minTime : Int
maxTime : Int
Process
name : String
minTime : Int
maxTime : Int
WorkDefinition
linkType : WSType
WorkSequence
count : Int
Resource
1 successor
0..* parameters
1 workDefinition
1 workDefinition
SDMM
WorkDefinition
notStarted
running
finished
<<enumeration>>
ExecutionState
0..* dynamic_wds
<<merge>>
<<merge>>
StatesTracesEvents
StartWD Designing
FinishWD Designing
StartWD TestCaseWriting
...
...
..

9/33
DSML verification
Behavioral properties
SPEM behavioral properties
Can the process finish?
OCL fit for simple cases
context WorkDefinition
inv not_reflexive:
self.predecessor <> self.successor
TestCaseWriting
startToStart
Does the model behaves as expected during the execution?
=⇒ Model execution is required
Translational semantics
Define a translational semantics
FIACRE as formal semantics
State/Event Linear Temporal Logic (SE-LTL) to express properties
The pattern as a support to formalize the translational semantics

10/33
Outline

11/33
The FIACRE language
Intermediate Format for the Architectures of Embedded Distributed
Components
Formal intermediate model to describe embedded and distributed systems
Process= basic component
Describe the behaviour of sequential components
a set of control states and transitions
Data handling
Communication (messages, shared variables)
Component= compositions + constraints
Describe the composition of processes
Associate timing constraints with communications
Deﬁne priority between communication events

12/33
The FIACRE language
Example: Alternating bit protocol
type seqno is bool
type packet is seqno
process Buffer [pin: in packet, pout: out packet] is states idle
var buff : queue 1 of packet := {||}, pkt: packet
from idle
select
pin?pkt; on not (full buff);buff := enqueue (buff,pkt); to idle
[]
on not (empty buff); pout!first buff; buff := dequeue buff; to idle
[]
wait [0,1]; on not (empty buff); buff := dequeue buff; to idle
end
process Sender [mbuff: out packet, abuff: in packet] is states idle, send, waita
var ssn, n: seqno := false
from idle to waita
from send mbuff! ssn; to waita
from waita
select
abuff? n; if n=ssn then ssn := not ssn; to idle else to idle end
[]
wait ]4,5]; to send
end

12/33
The FIACRE language
Example: Alternating bit protocol
process Receiver [mbuff: in packet, abuff: out packet] is states rcve, ack
var rsn: seqno := false, m: packet := true
from rcve
mbuff? m;
if m = rsn then rsn := not rsn; to ack else to ack end
from ack abuff! m; to rcve
/* Main component */
component abp is
port minp : packet in [0,0],
mout : packet in [0,1],
ainp : packet in [0,2],
aout : packet in [0,1]
par * in
Sender [minp, aout]
|| Buffer [minp, mout]
|| Buffer [ainp, aout]
|| Receiver [mout, ainp]
end
/* Entry point */
abp
Receiver
Buffer
Sender
Buffer
minp
aout
mout
ainp

13/33
The FIACRE language
Works around FIACRE
AADL2Fiacre
Fiacre: an Intermediate Language for Model Verification in the Topcased Environment
Berthomieu B., Bodeveix J.-P., Farail P., Filali M., Garavel H., Gaufillet P., Lang F., Vernadat
F. ERTS 2008
BPEL2Fiacre
Verification of Timed BPEL 2.0 Models.
Elie Fares, Jean-Paul Bodeveix, Mamoun Filali.
BPMDS 2011
Formal Requirement Verification for Timed Choreographies.
Nawal Guermouche, Silvano Dal Zilio
Ladder2Fiacre
A model-driven engineering approach to formal verification of PLC programs.
de Queiroz, M.H., da Rocha, V.G., Carpes, A.M.M., Vernadat, F.,Cregut, X.
ETFA 2011

14/33
The FIACRE language
Fiacre tooling
Front: front-end (common for ﬂac and frac)
Parser & Typing control
Typing, initialisations, communications, ...
Frac: back-end pour Tina-TTS
Reducing derived constructions (select, any, etc)
Static composition of components
Optimisations
Variables analysis
Transitions normalisation
Code generation
.tts = PetriNet (.net) + Data processing (.c, API TTS)

15/33
Outline

16/33
Deﬁning DSML queries
Formalization behavioral properties
-- Does the process finish? (P1 requirement)
context SPEM!Process
inv willFinish:
eventually self.isFinished()
-- The process will never finish (P2 requirement)
inv willNeverFinish:
not (eventually self.isFinished())
Formalization of queries
-- Composite queries
def: isFinished(): String =
self.workDefinitions->forAll(wd | wd.isFinished());
-- Primitive queries
context SPEM!WorkDefinition
def : isFinished(): String =
deferred;

17/33
Defining the translational semantics
process Documenting [Start: sync, Finish : sync] (& wds: WDsQueries)
is
states notStarted, Running, Finished
from notStarted
if ( wds[$(DesigningId)].isStarted)
then
Start;
wds[$(DocumentingId)].isStarted:= true;
to Running
else
loop
end if
from Running
if ( WorkDefinition[$(DesigningId)].isFinished )
then
Finish;
WorkDefinition[$(DocumentingId)].isFinished:= true;
to Finished
else
loop
end if
component Process is
var wds: WDsQueries := [{isStarted=false,isFinished=false},
{isStarted=false,isFinished=false},
{isStarted=false,isFinished=false},
{isStarted=false,isFinished=false}]
port DesigningStart : sync in [0,0],
DesigningFinish : sync in [0,0],
ProgrammingStart : sync in [0,0],
ProgrammingFinish : sync in [0,0],
DocumentingStart : sync in [0,0],
DocumentingFinish : sync in [0,0],
TestCaseWritingStart : sync in [0,0],
TestCaseWritingFinish : sync in [0,0]
par * in
Designing [DesigningStart, DesigningFinish](&wds)
||
Programming [ ProgrammingStart, ProgrammingFinish](&wds)
||
Documenting [ DocumentingStart, DocumentingFinish](&wds)
||
TestCaseWriting [ TestCaseWritingStart, TestCaseWritingFinish](&wds)
end
finishToFinish
finishToFinish
ProgrammingDocumenting TestCaseWriting
Designing
startToStart
finishToStart startToStart
startToStart
Process2Component
WorkSequence2ConditionalStatement
WorkDefinition2Process

18/33
Update SPEM primitive queries
Update the primitive queries
context SPEM!WorkDefinition
def : isFinished(): String =
’Main/1/value WorkDefinition[$(’ + self.name + ’id)].isFinished’;
Generated Fiacre properties
property w i l l F i n i s h is l t l
<> ( Main / 1 / value WorkDefinition [ $ ( DesigningWD ) ] . isFinished
and Main / 1 / value WorkDefinition [ $ (ProgrammingWD ) ] . isFinished
and Main / 1 / value WorkDefinition [ $ ( DocumentingWD ) ] . isFinished
and Main / 1 / value WorkDefinition [ $ ( TestCaseWritingWD ) ] . isFinished
)
property willNeverFinish is l t l
( not ( <> ( Main / 1 / value WorkDefinition [ $ ( DesigningWD ) ] . isFinished
and Main / 1 / value WorkDefinition [ $ (ProgrammingWD ) ] . isFinished
and Main / 1 / value WorkDefinition [ $ ( DocumentingWD ) ] . isFinished
and Main / 1 / value WorkDefinition [ $ ( TestCaseWritingWD ) ] . isFinished
) ) )

19/33
Leveraging formal verification for DSMLs: goals
Resolved issues
Lack of semantics of the MDE =⇒ Applying the metamodeling pattern
The unfitness for model analysis =⇒ Connecting TINA toolbox to the DSML
Lack of expressing DSML behavioral propoerties =⇒ Defining the TOCL language
Lack of generating automatically formal properties =⇒ Proposing an automatic
transformation of DSML behavioral properties
DSML end-user expectations
DSML verifier that hides formal aspects
=⇒ Obtain verification results in the domain side
Domain expert and Language expert expectations
Tools for building seamless verification toolchain
=⇒ Manage the feedback of verification results for each DSML

20/33
Leveraging formal verification for DSMLs: missing elements
SPEM
model
SPEM2Fiacre
translational
semantics
SPEM2Fiacre
properties
generation
Fiacre
model
Fiacre
properties
Fiacre
verification
results
Fiacre verifier
Fiacre2SPEM
feedback
verification
results
SPEM
verification
results
SPEM verifier
SPEM
behavioral
properties

21/33
Outline

22/33
Current problem
Verification results generated in the formal side
Difficult to
understand
Formal verification results generated by the model-checker
Hard to use for the DSML end-user

23/33
Current problem
Ad-hoc solutions
Backward transformation
Write the backward transformation manually
Bidirectional model transformation
Combine both transformations (both translational semantics and backward transformation)
Drawbacks
Implementation-speciﬁc solutions
Hard-coded solutions
Do not favor the deﬁnition of generative tools
Do not ease the integration of tools for new DSMLs

24/33
Outline

25/33
Prerequisites
Motivations
Executable
DSML
<<import>>
<<merge>>
DDMM
Domain
Definition
MetaModel
QDMM
Queries
Definition
MetaModel
EDMM
Events
Definition
MetaModel
TM3
Trace
Managment
MetaModel
<<merge>>
SDMM
States
Definition
MetaModel
<<merge>>
<<merge>>
<<implement>>
Language
expert
Model
transformation
TOCL
editor
FeVeReL
editor
uses
<<uses>>
<<uses>>
<<uses>>
uses
uses
uses
FeVeReL: Feedback Verification Results Language

26/33
Prerequisites
Introduce runtime extensions for Fiacre
<<import>>
<<merge>>DDMM
EDMM
FiacreEvent
PortEvent
StateEvent
VariableEvent
TM3
Scenario
Trace
name : String
date : Int
Internal : Boolean
RuntimeEvent
0..* runtimeEvents
<<merge>>
SDMM
currentState: StateDeclaration
InstanceDeclaration
currentValue: Expression
VariableDeclaration
0..* traces
<<merge>>
PortDeclaration
StateDeclaration TagDeclaration
VariableDeclaration
port
state
variable
tag
TagEvent
ProcessDeclaration
ComponentDeclaration
ModelDeclaration
0..*
declarations
...
...
...

27/33
Implementation of SPEM-Fiacre mappings using FeVeReL
FeVeReL architecture
ATL.ecoreDSPL
FeVeReL
Language
ocl
Object
Constraint
Language
atl
Atlas
Transformation
Language
FeVeReL2ATL.atl
piggyback pattern
source-to-source pattern

28/33
FeVeReL architecture
FeVeReL
model
FormalScenario
2DSMLScenario
Formal language
metamodel
Formal language
semantics metamodel
DSML metamodel
DSML semantics
metamodel
<<extends>><<extends>>
Formal
scenario
<<conformsTo>>
Formal
model
<<refersTo>>
<<conformsTo>>
DSML
scenario
<<conformsTo>>
DSML
model
<<refersTo>>
<<conformsTo>>
usesproduces
Language
expert
DSML
end-user
<<deﬁnes>>
<<obtains>>
<<deﬁnes>>
FeVeReL2ATL
uses
uses
uses
uses

29/33
Deﬁne events mappings between SPEM and Fiacre
Events mappings
events mapping swd2t :
DSMLEvent swd : DSMLSemantics . StartWD (
date <− ev1 . date
)
maps
FormalEvent ev1 : FormalSemantics . EnterEvent (
ev1 . state .name = ’ running ’ and
FormalAS ! Model . allInstances ()−> f i r s t ( ) . root . body . blocks
−>indexOf ( ev1 . path . instances −> f i r s t ( ) )
=
DSML! Process . allInstances ()−> f i r s t ( ) . workDefinitions
−>indexOf (swd . w o r k d e f i n i t i o n )
)
end events mapping
events mapping fwd2te :
DSMLEvent fwd : DSMLSemantics . FinishWD (
date <− ev2 . date
)
maps
FormalEvent ev2 : FormalSemantics . EnterEvent (
ev2 . state .name = ’ fin is he d ’ and
FormalAS ! Model . allInstances ()−> f i r s t ( ) . root . body . blocks
−>indexOf ( ev2 . path . instances −> f i r s t ( ) )
=
DSML! Process . allInstances ()−> f i r s t ( ) . workDefinitions
−>indexOf ( fwd . w o r k d e f i n i t i o n )
)
end events mapping

30/33
Deﬁne states mappings between SPEM and Fiacre
States mappings
states mapping wdnotStarted2vd :
DSMLState wd:DSMLMM. WorkDefinition ( state <− #notStarted )
observed as
FormalState vd : FormalMM . VariableDeclaration (
vd .name= ’ WorkDefinition ’ and
vd . value . values−>at (wd. getIndex ( ) ) . f i e l d s
−>at ( 0 ) . value . oclIsTypeOf (FormalMM ! F a l s e L i t e r a l )
)
end states mapping
states mapping wdrunning2vd :
DSMLState wd:DSMLMM. WorkDefinition ( state <− #running )
observed as
−>at ( 0 ) . value . oclIsTypeOf (FormalMM ! T r u e L i t e r a l )
and
−>at ( 1 ) . currentValue . oclIsTypeOf (FormalMM ! F a l s e L i t e r a l )
)
end states mapping
states mapping wdfinished2vd :
DSMLState wd:DSMLMM. WorkDefinition ( state <− # fin is he d )
observed as
−>at ( 1 ) . currentValue . oclIsTypeOf (FormalMM ! T r u e L i t e r a l )
)
end states mapping

31/33
SPEM end-user overview
P1
P2

31/33
SPEM end-user overview
Computer
---------------
count = 4
P1
P2
P1
P2

32/33
Outline

33/33
Review
Presented Work
Propose a DSL to specify mappings between DSML and formal language runtime
information
Current and Future Work
Extend the FeVereL language to support sophisticated mappings
Experiment the FeVeReL language with other veriﬁcation toolchains (AADL2Fiacre,
LADDER2 FIacre)

A DSL to feedback formal verification results

Recommended

Recommended

More Related Content

Similar to A DSL to feedback formal verification results

Similar to A DSL to feedback formal verification results (20)

Recently uploaded

Recently uploaded (20)

A DSL to feedback formal verification results