ebook img

Abstract State Machines. A Method for High-Level System Design and Analysis PDF

448 Pages·2003·2.75 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Abstract State Machines. A Method for High-Level System Design and Analysis

Egon B¨orger and Robert St¨ark Abstract State Machines A Method for High-Level System Design and Analysis March 11, 2003 Springer-Verlag Berlin Heidelberg NewYork London Paris Tokyo HongKong Barcelona Budapest Preface Quelli che s’innamoran di pratica senza scienzia sono come ’l nocchieri ch’entra in navilio sanza timone o bussola, che mai ha certezza dove si vada.1 — Leonardo da Vinci Ich habe oft bemerkt, dass wir uns durch allzuvieles Symbolisieren die Sprache fu¨r die Wirklichkeit untu¨chtig machen.2 — Christian Morgenstern This is the place to express our thanks. First of all we thank all those who overtheyears haveactivelycontributedtoshapingthenovelsoftwaredesign and analysis method explained in this book. They are too numerous to be mentioned here. They all appear in some way or the other on the following pages, in particular in the bibliographical and historical Chap. 9 which can be read independently of the book. We then thank those who have helped with detailed critical comments on the draft chapters to shape the way our arguments are presented in this book: M. B¨orger (Diron Mu¨nster), I. Craggs (IBMHursley),G.DelCastillo(SiemensMu¨nchen),U.Gla¨sser(SimonFraser University,Vancouver,Canada),J.Huggins(KetteringUniversity,Michigan, USA), B. Koblinger (IBM Heidelberg), P. Pa¨ppinghaus (Siemens Mu¨nchen), A. Preller (Universit´e de Montpellier, France), M.-L. Potet (INP de Greno- ble,France),W.Reisig(Humboldt-Universit¨atzuBerlin,Germany),H.Rust (Universit¨at Cottbus, Germany), G. Schellhorn (Universit¨at Augsburg, Ger- many), B. Thalheim (Universit¨at Cottbus, Germany) and a dozen student generationsatUniversit`adiPisa.WethankM.Barmet(ETHZu¨rich)forher solutions of the exercises in Chap. 8. We also thank L. Logrippo (University of Ottawa, Canada) and D. Beecher (Carleton University, Canada) for their helpwithtranslatingtheaboveobservationbyLeonardo,andF.Capocciand I. Mulvany from Springer-Verlag for their careful copyediting of the typo- script. Egon B¨orger, Robert St¨ark Pisa and Zu¨rich, Christmas 2002 1 Those who fall in love with practice without scientific knowledge or method are like the helmsman who enters a ship without rudder or compass, who is never certain which way it might go. 2 Ihaveoftenobservedthatbyover-symbolizingwemakethelanguageinefficient to use in the real world. Contents 1 Introduction.............................................. 1 1.1 Goals of the Book and Contours of its Method ............. 3 1.1.1 Stepwise Refinable Abstract Operational Modeling ... 3 1.1.2 Abstract Virtual Machine Notation ................. 5 1.1.3 Practical Benefits ................................ 6 1.1.4 Harness Pseudo-Code by Abstraction and Refinement. 8 1.1.5 Adding Abstraction and Rigor to UML Models....... 9 1.2 Synopsis of the Book.................................... 10 2 ASM Design and Analysis Method ....................... 13 2.1 Principles of Hierarchical System Design................... 13 2.1.1 Ground Model Construction (Requirements Capture) . 16 2.1.2 Stepwise Refinement (Incremental Design)........... 20 2.1.3 Integration into Software Practice .................. 26 2.2 Working Definition ..................................... 27 2.2.1 Basic ASMs ..................................... 28 2.2.2 Definition ....................................... 28 2.2.3 Classification of Locations and Updates ............. 33 2.2.4 ASM Modules ................................... 36 2.2.5 Illustration by Small Examples..................... 37 2.2.6 Control State ASMs .............................. 44 2.2.7 Exercises ........................................ 53 2.3 Explanation by Example: Correct Lift Control ............. 54 2.3.1 Exercises ........................................ 62 2.4 Detailed Definition (Math. Foundation) ................... 63 2.4.1 Abstract States and Update Sets ................... 63 2.4.2 Mathematical Logic .............................. 67 2.4.3 Transition Rules and Runs of ASMs ................ 71 2.4.4 The Reserve of ASMs ............................. 76 2.4.5 Exercises ........................................ 82 2.5 Notational Conventions ................................. 85 VIII Contents 3 Basic ASMs .............................................. 87 3.1 Requirements Capture by Ground Models ................. 87 3.1.1 Fundamental Questions to be Asked ................ 88 3.1.2 Illustration by Small Use Case Models .............. 92 3.1.3 Exercises ........................................ 109 3.2 Incremental Design by Refinements ....................... 110 3.2.1 Refinement Scheme and its Specializations........... 111 3.2.2 Two Refinement Verification Case Studies ........... 117 3.2.3 Decomposing Refinement Verifications .............. 133 3.2.4 Exercises ........................................ 134 3.3 Microprocessor Design Case Study........................ 137 3.3.1 Ground Model DLXseq ........................... 138 3.3.2 Parallel Model DLXpar Resolving Structural Hazards. 140 3.3.3 Verifying Resolution of Structural Hazards (DLXpar) . 143 3.3.4 Resolving Data Hazards (Refinement DLXdata) ...... 148 3.3.5 Exercises ........................................ 156 4 Structured ASMs (Composition Techniques).............. 159 4.1 Turbo ASMs (seq, iterate, submachines, recursion).......... 160 4.1.1 Seq and Iterate (Structured Programming) .......... 160 4.1.2 SubmachinesandRecursion(EncapsulationandHiding)167 4.1.3 Analysis of Turbo ASM Steps...................... 174 4.1.4 Exercises ........................................ 178 4.2 Abstract State Processes (Interleaving).................... 180 5 Synchronous Multi-Agent ASMs.......................... 187 5.1 Robot Controller Case Study ............................ 188 5.1.1 Production Cell Ground Model..................... 188 5.1.2 Refinement of the Production Cell Component ASMs . 193 5.1.3 Exercises ........................................ 196 5.2 Real-Time Controller (Railroad Crossing Case Study) ....... 198 5.2.1 Real-Time Process Control Systems................. 198 5.2.2 Railroad Crossing Case Study...................... 201 5.2.3 Exercises ........................................ 205 6 Asynchronous Multi-Agent ASMs ........................ 207 6.1 Async ASMs: Definition and Network Examples ............ 208 6.1.1 Mutual Exclusion ................................ 210 6.1.2 Master–Slave Agreement .......................... 212 6.1.3 Network Consensus............................... 214 6.1.4 Load Balance .................................... 215 6.1.5 Leader Election and Shortest Path.................. 216 6.1.6 Broadcast Acknowledgment (Echo) ................. 218 6.1.7 Phase Synchronization ............................ 220 6.1.8 Routing Layer Protocol for Mobile Ad Hoc Networks . 223 Contents IX 6.1.9 Exercises ........................................ 228 6.2 Embedded System Case Study ........................... 229 6.2.1 Light Control Ground Model....................... 229 6.2.2 Signature (Agents and Their State)................. 231 6.2.3 User Interaction (Manual Control).................. 231 6.2.4 Automatic Control ............................... 236 6.2.5 Failure and Service ............................... 237 6.2.6 Component Structure ............................. 239 6.2.7 Exercises ........................................ 240 6.3 Time–Constrained Async ASMs .......................... 240 6.3.1 Kermit Case Study (Alternating Bit/Sliding Window) 241 6.3.2 Processor-Group-Membership Protocol Case Study ... 252 6.3.3 Exercises ........................................ 259 6.4 Async ASMs with Durative Actions....................... 260 6.4.1 Protocol Verification using Atomic Actions .......... 261 6.4.2 Refining Atomic to Durative Actions................ 268 6.4.3 Exercises ........................................ 271 6.5 Event–Driven ASMs .................................... 271 6.5.1 UML Diagrams for Dynamics ...................... 274 6.5.2 Exercises ........................................ 282 7 Universal Design and Computation Model................ 283 7.1 Integrating Computation and Specification Models.......... 283 7.1.1 Classical Computation Models ..................... 285 7.1.2 System Design Models ............................ 293 7.1.3 Exercises ........................................ 300 7.2 Sequential ASM Thesis (A Proof from Postulates) .......... 301 7.2.1 Gurevich’s Postulates for Sequential Algorithms...... 302 7.2.2 Bounded-Choice Non-Determinism ................. 307 7.2.3 Critical Terms for ASMs .......................... 307 7.2.4 Exercises ........................................ 311 8 Tool Support for ASMs................................... 313 8.1 Verification of ASMs.................................... 313 8.1.1 Logic for ASMs .................................. 314 8.1.2 Formalizing the Consistency of ASMs ............... 315 8.1.3 Basic Axioms and Proof Rules of the Logic .......... 317 8.1.4 Why Deterministic Transition Rules? ............... 326 8.1.5 Completeness for Hierarchical ASMs ................ 328 8.1.6 The Henkin Model Construction ................... 330 8.1.7 An Extension with Explicit Step Information ........ 334 8.1.8 Exercises ........................................ 336 8.2 Model Checking of ASMs................................ 338 8.3 Execution of ASMs ..................................... 340 X Contents 9 History and Survey of ASM Research .................... 343 9.1 The Idea of Sharpening Turing’s Thesis ................... 344 9.2 Recognizing the Practical Relevance of ASMs .............. 345 9.3 Testing the Practicability of ASMs ....................... 349 9.3.1 Architecture Design and Virtual Machines........... 349 9.3.2 Protocols........................................ 351 9.3.3 Why use ASMs for Hw/Sw Engineering? ............ 352 9.4 Making ASMs Fit for their Industrial Deployment .......... 354 9.4.1 Practical Case Studies ............................ 354 9.4.2 Industrial Pilot Projects and Further Applications.... 356 9.4.3 Tool Integration.................................. 362 9.5 Conclusion and Outlook................................. 365 References.................................................... 369 List of Problems.............................................. 431 List of Figures................................................ 433 List of Tables ................................................. 435 Index......................................................... 437 1 Introduction The method. This book introduces a systems engineering method which guidesthedevelopmentofsoftwareandembeddedhardware–softwaresystems seamlessly from requirements capture to their implementation. It helps the designertocopewiththethreestumbling-blocksofbuildingmodernsoftware basedsystems:size,complexityandtrustworthiness.Themethodbridgesthe gap between the human understanding and formulation of real-world prob- lemsandthedeploymentoftheiralgorithmicsolutionsbycode-executingma- chinesonchangingplatforms.Itcoverswithinasingleconceptualframework both design and analysis, for procedural single-agent and for asynchronous multiple-agentdistributedsystems.Themeansofanalysiscompriseasmeth- ods to support and justify the reliability of software both verification, by reasoning techniques, and experimental validation, through simulation and testing. The method improves current industrial practice in two directions: – On the one hand by accurate high-level modeling at the level of abstrac- tiondeterminedbytheapplicationdomain.Thisraisesthelevelofabstrac- tion in requirements engineering and improves upon the loose character of human-centric UML descriptions. – Ontheotherhandbylinkingthedescriptionsatthesuccessivestagesofthe system development cycle in an organic and effectively maintainable chain of rigorous and coherent system models at stepwise refined abstraction levels. This fills a widely felt gap in UML-based techniques. ContrarytoUML,themethodhasasimple scientific foundation,whichadds precision to the method’s practicality. Within the uniform conceptual frame- work offered by the method one can consistently relate standard notions, techniques and notations currently in use to express specific system features or views, each focussed on a particular system aspect, such as its structure, environment,timemodel,dynamics,deployment,etc.(seeSect.7.1).Thereby the method supports a rigorous integration of common design, analysis and documentation techniques formodelreuse(byinstantiatingormodifyingthe abstractions), validation (by simulation and high-level testing), verification (by human or machine-supported reasoning), implementation and mainte- nance (by structured documentation). This improves upon the loose ties 2 1 Introduction between different system design concepts as they are offered by the UML framework. Target audience. This book combines the features of a handbook and of a textbook and thus is addressed to hardware–software system engi- neers (architects, designers, program managers and implementers) and re- searchers as well as to students. As a handbook it is conceived as a Mod- eling Handbook for the Working Software Engineer who needs a practical high-precision design instrument for his daily work, and as a Compendium for Abstract State Machines (ASMs). As a textbook it supports both self- study (providing numerous exercises) and teaching (coming with detailed lectureslidesinpptand/orpdfformatontheaccompanyingCDandwebsite http://www.di.unipi.it/AsmBook/). We expect the reader to have some experience in design or programming of algorithms or systems and some ele- mentaryknowledgeofbasicnotionsofdiscretemathematics,e.g.astaughtin introductory computer science courses. Although we have made an effort to proceed from simple examples in the earlier chapters to more complex ones in the later chapters, all chapters can be read independently of each other and unless otherwise stated presuppose only an understanding of a rather intuitive form of abstract pseudo-code, which is rigorously defined as ASM in Sect. 2.2.2. We have written the text to enable readers who are more in- terested in the modeling and less in the verification aspects to skip the proof sections.1 The hurried reader may skip the numerous footnotes where we re- fer to interesting side issues or to related arguments and approaches in the literature. There is another book through which the reader can learn the ASM method explained in this book, namely [406], which contains the up-to-now most comprehensive non-proprietary real-life ASM case study, covering in every detail ground modeling, refinement, structuring, implementation, veri- fication and validation of ASMs. The focus of that book however is an anal- ysis of Java and its implementation on the Java Virtual Machine (including a detailed definition and analysis of a compiler and a bytecode verifier), as a consequence it uses only basic and turbo ASMs (see Sect. 2.2, 4.1). The present book is an introduction to practical applicationsof the ASM method via small or medium-size yet characteristic examples from various domains: programminglanguages,architectures,embeddedsystems,components,pro- tocols, business processes. It covers also real-time and asynchronous ASMs. In addition it provides the historical and the theoretical background of the method.Wehopethisbookstimulatesfurthertechnologicalandresearchde- velopments,rangingfromindustrialapplicationstotheoreticalachievements. 1 Mentioningthispossibilitydoesnotmeanthatweconsidersystemverificationas anoptional.Itreflectsthesupportthemethodpresentedinthisbookprovidesto systematicallyseparatedifferentconcernswithinawell-definedsingleframework so that one can ultimately tie the different threads together to achieve a design which via its analysis is certifiable as trusted (see Sect. 2.1).

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.