This chapter presents two runtime error detection techniques for UML 2.0 statechart implementations. The first technique aims at detecting errors caused by model refinement faults (introduced in early phases of the development) by proposing a temporal logic language to be used for defining and checking temporal correctness criteria on statecharts. The second solution is a watchdog structure aiming at detection of errors caused by implementation faults. The solutions can detect a subset of errors emerging from operational fault as well.
Introduction
The two dominating trends in modern software industry are the increasing complexity and the ever higher dependence of the society on the correct operation of IT systems. Complexity is to be ruled by high-level visual modeling languages like UML, while achieving software dependability is aimed by model checking, code generation, runtime error detection techniques and fault tolerance solutions. This chapter presents two techniques for runtime detection of errors in the behavior of software specified by UML statecharts. Error detection is a prerequisite of error recovery, fault handling and continuation of service.
There have been multiple proposals published in the literature aiming at the detection of faults in the implementation of algorithms based on asserting pre-and postconditions in functions or using some sort of software di-versification techniques. Assertions are a viable solution for sanity checking the input provided to functions or results of numeric computations but are not applicable for checking the complex state-based behavior specified by a statechart. Diversification techniques (N-version programming, recovery block, etc.) are based on parallel execution of multiple diverse implementations of the same algorithm and comparing/checking the results delivered by them; the obvious drawback of these solutions is the high resource consumption emerging from having to execute multiple implementations of the same algorithm. In this chapter we will propose a watchdog architecture derived from the formal operational semantics of UML statecharts for runtime detecting semantic errors in the implementation of the statechart (e.g., selecting an invalid set of transitions for firing on the reception of a trigger, errors in the maintenance of the configuration, incorrect initialization etc.).
Modeling faults introduced during early phases of the development are usually addressed by model checking, e.g., for detecting invalid refinement of a draft statechart to a more elaborated version violating this way some dependability requirements. Unfortunately, it is widely recognized that model checking is a complicated task and may be even infeasible in case of complex systems. This drawback results in a need for runtime detection of erroneous behavior. There is an inherent semantic contradiction in the detection of errors caused by faults in the abstract model: we can not check the behavior of the application against its fully elaborated statechart model (as in case of implementation faults) since we are aiming at handling faults in the model itself. In this chapter we present a technique for bridging this semantic gap by proposing a temporal logic language to be used for defining temporal correctness criteria in the context of statecharts prepared in early development phases (before the possibly faulty model refinement process) and a method for runtime detection of violating these requirements.
The discussion is structured as follows. Since both error detection approaches require a formal operational semantics for UML 2.0 statecharts, we present the semantics used by us in Sec. 2; we will focus on statecharts that honor some well-formedness and semantic consistency criteria called precise statecharts (PSC). Our propositional linear temporal logic for precise statecharts (PSC-PLTL) is presented in Sec. 3, the method for evaluating PSC-PLTL expressions on execution traces of statechart implementations (PSC-PLTL checker) is outlined in Sec. 4. Our watchdog architecture for precise statecharts (PSC-WD) is discussed in Sec. 5. The error detection capabilities of our solutions are experimentally evaluated in Sec. 6. Finally Sec. 7 concludes the discussion and outlines the directions of future research. 
A Formal Semantics for UML 2.0 Statecharts
This section outlines a formal operational semantics for UML 2.0 statecharts that was introduced by us primarily for code generation and error detection purposes. As the entire discussion including the detailed formalism [1] would be too lengthy, below we will focus on those aspects that are inevitable for understanding our error detection techniques. In order to rule the complexity we distinguished two sets of modeling facilities: basic concepts are the ones that represent some fundamental artifacts of finite state-transition systems while advanced concepts are shorthand notations that make the visual modeling more comfortable but do not increase the expressive power of the language. We considered junction and choice pseudostates, history vertices and facilities for embedding state machines as advanced constructs and defined a set of formal transformation rules for their substitution with basic concepts [1] . From this point on, we will focus on those statecharts that contain basic constructs only (or are transformed to this form using the transformations mentioned above) and we will call these statecharts as precise statecharts (PSC). The metamodel of precise statecharts is shown in Fig. 1 . The remaining differences between the PSC and the original UML 2.0 statechart metamodel are as follows: (i) the ambiguously defined "do activity" and "deferred trigger" concepts were removed and (ii) termination of execution is represented by "termination states" (newly introduced metaclass TerminationState derived from the metaclass State) instead of terminate pseudostates (this modification was needed for fixing the semantic inconsistency in the standard i.e., representing a terminated status by a transient vertex.
It is easy to see that transitions can not be considered in isolation since, e.g., a transition connecting a fork and a join pseudostate is practically meaningless without the transitions targeting the join and originating in the fork vertex. Thus below we will identify six transition conglomerate (Fig. 2 ) and refer to these classes as sets TC a , TC b , . . . TC f respectively; we will use the TC = TC a ∪ TC b ∪ TC c ∪ TC d ∪ TC e ∪ TC f set for referring to all transition conglomerates in the actual model.
Class A and B represent local and internal transitions respectively. The remaining classes correspond to external transitions (external transitions are the most common ones, while internal and local transitions can be seen as rare cases that are not even supported by many modeling tools). Class C corresponds to simple transitions originating in a state and targeting another state (maybe the same state) i.e., no pseudostate vertices are involved. Class D represents compound transition paths consisting of multiple t in ∈ T in transitions originating in s src ∈ S src concurrent source states targeting a join vertex j, the join pseudostate itself and the single transition t originating in j and targeting the state s trg . Classes E and F can be defined similarly using the notation of Fig. 2 .
It is easy to see that the usual concepts like source and target states, trigger, guard and least common ancestor (LCA) can be defined in the context of transition conglomerates derived from the corresponding properties of individual transitions building up the conglomerate. Based on these concepts the notion of enabled conglomerates can be introduced (i.e., ones whose source states are active, triggered by the currently processed trigger and guard evaluates to true) and priority relations can be specified according to the standard (for formal definitions see [1] ). Below we will use the function Enabled(C, t) that selects enabled transition conglomerates i.e., ones that are triggered by t, set of source states is active in the configuration C (set of active states) and guard evaluates to true. The function Frbl(C, t) selects fireable transition conglomerates i.e., ones that are enabled and are not overpowered by another conglomerate of higher priority.
The effect of firing a conglomerate can be defined by a compound activity structure possibly consisting of multiple effects with various subsequence relations amongst them. In [1] we generalized the concept of compound activity structures to a flexible formalism based on PERT graphs. PERT graphs are used similarly to represent the activities to be performed on firing one or multiple transition conglomerates involving any number of exit and entry activities and transition effects. We will use the function FireSingle for calculating the states left and entered by a single conglomerate and the PERT graph of activities to be performed on firing. The higher level function Fire will be used for calculating the state sets and the PERT graph corresponding to firing multiple transition conglomerates in parallel. (Due to space restrictions the discussion below is restricted to the maintenance of configuration and selecting transitions to be fired, for a detailed discussion involving formalism for extended variables and PERT graphs see [1] ). Having outlined the basic concepts we can define the operational semantics of PSCs by a Kripke transition system (KTS).
Definition 2.1. Let P be a precise statechart. The operational semantics of P is specified by a Kripke transition system B KTS = (S, ⇒, L S ) over the A S set of state labels and A T set of transition labels, where (i) S is the set of states, (ii) ⇒ is the labeled transition relation and (iii) L S is a composite state labeling function.
The S state set of B KTS corresponds to statuses of the precise statechart P . The status concept is a compound representation of (i) the actual configuration of P and (ii) the actual phase of the operation. These concepts are mapped to compound state labels: A S ⊆ 2 State × Phs (for a s = (C, p) ∈ A S : C is the actual configuration and p is the actual phase of the operation). The I ⊆ S set of initial states contains a single state:
The labeling function L S : S → A S is used for associating the state labels to elements of S. For simplicity reasons we will decompose L S into two individual labeling functions L State assigns the actual configuration of P or the empty set representing the "uninitialized configuration" to S; for the single initial state s α : L S Cnf (s α ) = ∅, for any other states ∀s ∈ (S \ I) : L S Cnf (s) = ∅ and (ii) L S Phs : S → Phs assigns one of four labels to states in S indicating the phase of operation: Phs α if P is in the uninitialized configuration, Phs S if P is in a stable configuration (i.e., idle between RTC steps), Phs U if P is actually performing an RTC step (i.e., the configuration is considered to be unstable) and (iv) Phs ω if P is terminated; for the single initial state s α : L S Phs (s α ) = Phs α . The entire L S : S → A S labeling function can be seen as being composed of these functions:
KTS indicate the possible steps between statuses of P (note that we are talking about the transitions of the KTS and not about ones in the statechart). Steps are initiated by one or zero triggers and result in firing zero or more transition conglomerates. These concepts are mapped to the set of compound transition labels:
TC where for a a t = (t, TC f ) ∈ A T , t is the trigger and TC f is the set of transition conglomerates fired. We use the special symbol t ∅ ∈ Trigger for indicating the "empty trigger" (i.e., not a valid trigger in the statechart just a symbol used for indicating that no trigger is processed in the step). The labeled transition relation ⇒ indicates the possible steps between states of B KTS :
The members of the tuple represent the following concepts: (i) source state of the step, (ii) the label of the transition (including the trigger consumed in the step and the set of transition conglomerates fired in the step) and (iii) the target state of the step. For simplicity reasons we will decompose ⇒ into six subsets:
=⇒ and
drop =⇒ representing initialization, opening runto-completion (RTC) steps, internal steps, closing RTC steps, termination and dropping a trigger respectively.
In the initialization step the statechart enters the initial configuration while opening an RTC step means receiving a trigger and performing one or multiple transitions resulting in a new configuration. Initialization and opening an RTC step result in states of unstable phase indicating that the RTC step of the statechart has not yet been finished and transitions without triggers may still be fired. Firing these transitions is done in internal steps; internal steps also result in states of unstable phase since the number of subsequent internal steps is not restricted. The series of internal steps ends if there are no transition conglomerates without triggers that can be fired; this is represented by the closing an RTC step operation (obviously resulting in a state of stable phase). The operation terminates in a state of unstable phase if the configuration contains a termination state (termination steps end in states of terminated phase). Finally a trigger is dropped in a state of stable phase if none of the transitions triggered by it can be fired. Below we give the formal definition of opening RTC steps, internal and closing RTC steps; the remaining steps can be specified similarly:
Fig. 3. Processing a Trigger
The meaning of sub-expressions in the definition of open =⇒ are as follows: (i) s s is a stable state, (ii) the set of fireable transition conglomerates (with respect to the actual configuration and trigger t) is TC f (iii) TC f is a nonempty set, (iv) firing the set TC f results in leaving the set of states S l and entering the set of states S e and (v) the labeling of the target state s u indicates that it represents the configuration obtained by removing S l from the original configuration and adding S e and s u is unstable. The meaning of sub-expressions in the definition of inter =⇒ is as follows: (i) s u is an unstable state, (ii) there are no active termination states in the configuration, (iii) the set of transition conglomerates that have no triggers and can be fired (with respect to the actual configuration) is TC f , (iv) TC f is a non-empty set, (v) firing the set TC f results in leaving the set of states S l and entering the set of states S e and (vi) the labeling of the target state s u indicates that it represents the configuration obtained by removing S l from the original configuration and adding S e and s u is still unstable. The meaning of subexpressions in the definition of close =⇒ is as follows: (i) s u is an unstable state, (ii) there are no active termination states in the configuration, (iii) there are no transition conglomerates that have no triggers and can be fired and (iv) the labeling of the target state s s indicates that it represents the same configuration as s u and s s is stable.
Having defined B KTS we have outlined a formal semantics for UML 2.0 statecharts. The example shown in Fig. 3 presents the entire processing of a trigger t 1 received in the state s c . States of the KTS are indicated by rectangles with the actual configuration of the statechart indicated in them (active states are filled with a dashed pattern). Transition conglomerates are indicated by small callouts attached to s c , labels of KTS states are shown in callouts above the corresponding rectangles, labels of KTS transitions are written under the arrows. The reception of the trigger is indicated by a Fig. 4 . This high-level view will be the basis for constructing the watchdog in Sec. 5.
A Temporal Logic Language for UML 2.0 Statecharts
This section presents the PSC-PLTL temporal logic language defined by us for reasoning about temporal correctness of PSC implementations. After an overview on temporal logic languages, we derive the finite state-transition model of PSC-PLTL from the KTS used for defining PSC semantics in Sec. 2 and finally we present the syntax and semantics of PSC-PLTL.
According to our knowledge there were relatively few proposals about mapping temporal logic (TL) languages to artifacts of statecharts. Sowmya and Ramesh proposed the FNLOG language [2] based on predicate calculus and TL for proving various dependability criteria on statecharts primarily aiming at model checking. Drusinsky proposed TLCharts [3] , that are extensions of Harel statecharts allowing TL to be used in guard predicates.
Temporal logic languages were originally suggested by Pnueli [4] for reasoning about concurrent programs. Since then several researchers have used TL variants for checking and proving temporal correctness of software, communication protocols and HW devices. The core concept of checking temporal criteria is to define a finite state-transition system representing an abstraction of the system and check that specific propositions hold for execution traces of the system. This abstraction is usually presented by a Kripke-structure (KS). A KS consists of simple states, transitions and labels assigned to states. Definition 3.1 (Kripke-Structure). Having a label set P a Kripkestructure is a three-tuple: K = (S, T, L) where S is the set of states, T ⊆ S × S is the state transition relation and L is the labeling function that assigns labels to states: L : S → 2 P .
Definition 3.2 (Finite Trace, Trace Suffix).
A Π = (s 0 , s 1 , . . . , s n−1 ) finite trace of the KS is a sequence of states connected by the state transition relation:
Execution traces may be considered to be finite or infinite; as we would like to use our TL language for reasoning about programs that may be terminated, in the definition above we defined finite traces (infinite trace semantics is primarily used in model checking and requires different approaches for evaluating TL expressions). Temporal logic languages can be classified according to the following criteria: (i) with respect to the operator set a temporal logic may be propositional (temporal and Boolean operators may be used) or first order (first order operators may also be used); (ii) the evaluation of temporal operators may be focused to atomic points of time or to time intervals; (iii) with respect to the granularity of time there are discrete time and continuous time temporal logics; (iv) the notion of subsequence may be simply interpreted over a linear timeline or, in branching time temporal logics, the life of a system is considered as a tree of states where states may have multiple subsequent states and (v) the temporal operators may refer to the future of the system or the past or both.
As the goal of our approach is to define a language for runtime error detection in PSC implementations, the following decisions were drawn: (i) since we can observe only the actual (single) execution of the system, we need a propositional TL; (ii) as statecharts operate in RTC steps, temporal operators are to be evaluated at atomic points of time and (iii) the granularity of time is a discrete; (iv) as we observe a single execution we cannot reason about all execution traces hence will use of linear timeline semantics; (v) whether temporal operators refer to the past or the future is of secondary importance, we choose the future-time syntax because most of TL languages follows this approach. To put together: we need a propositional linear temporal logic language (PLTL) of discrete time semantics.
Below we present the syntax for a PLTL language and introduce the notion of a formula φ being true at a trace suffix Π i denoted by Π i |= φ.
Π |= ¬e iff Π |= e is not true (Boolean not) (2) Π |= e 1 ∧ e 2 iff Π |= e 1 and Π |= e 2 (Boolean and) (3)
Informally: An atomic proposition p ∈ P is true if the p label is a member of the labeling set of the first step of the trace suffix; the meaning of Boolean operators is obvious, X refers to the next suffix of the trace, e 1 U e 2 requires the condition e 1 to hold until e 2 becomes true. We will also use the usual Boolean constants ( and ⊥), the or (∨) and implication (→) operators according to their usual semantics and the finally F and globally G temporal operators: φ = F e is a shorthand notation for φ = U e representing that there is a suffix for which e holds; and φ = G e is a shorthand notation for φ = ¬ F ¬e representing that e holds for all suffixes of the trace.
The fact that we are presenting a finite trace semantics can be captured in the definition of the X next-time and U operators: (i) for X e being true at a trace suffix Π we require that the trace is longer than 1 i.e., that the trace actually has a next state (Eq. 4) and (ii) for U e being true we require that e should evaluate to true before the end of the trace.
The first step for specifying our PSC-PLTL language is defining the KS model of the language. Since the operational semantics of PSCs was defined by a KTS, we do not have to build the KS model from scratch, our only task is to transform the KTS into a KS. The transformation is nearly just a syntactic rewriting as follows. Let a KTS S KTS be specified by the tuple S KTS = (S, ⇒, I) over the AP set of state labels and Act set of transition labels where S is the set of states, ⇒⊆ S × Act × S is the labeled transition relation and I : S → 2 AP is the state labeling function. As we would like to construct a KS that represents the same semantics as the KTS, we have to move the information on KTS transition labels into the KS state labels by using s, a t pairs as states where s is an original state of the KS and a t is the label of a transition targeting s. This way the KS is specified by the tuple S KS = (S × Act, R, I ) over AP ∪ Act state labels where the transition relation is R = {( s, a , s , a )|(s, a , s ) ∈⇒} and the state labeling function is I ( s, a ) = I(s) ∪ {a} (the similar rewriting of B KTS to B KS is shown in Tab. 1). As we have moved the transition labeling information into the state labeling functionL, state labels are now four-tuples. Similarly to the def- Kripke transition system Kripke structure
inition of the KTS we decompose the composite labeling function to four sub-functions below for obtaining the (i) configuration (Eq. 6) and (ii) phase of operation (Eq. 7) from the original state labeling and (iii) the trigger that initiated the step (Eq. 8) and (iv) the set of transition conglomerates fired in the step (Eq. 9) from the original transition labeling.
Definition of the temporal logic language PSC-PLTL consists of the definition of the Boolean and temporal operators used and the atomic propositions. We use the Boolean not and and operators and the temporal nexttime and until operators according to their usual syntax and semantics as discussed above (Eq. 2, 3, 4, and 5 respectively). Atomic propositions are derived from state labels of the KS: (i) the predicateP Cnf (C) is true if all states in C are active in the actual configuration of the statechart (Eq. 10), (ii)P Phs (p) is true if the actual phase of operation is p (Eq. 11), (iii)P Trigger (t) is true if the step ending in the actual status was initiated by the trigger t (Eq. 12) and (iv)P TC (TC f ) is true if during the step ending in the actual status, all transition conglomerates in TC f were fired (Eq. 13).
Having specified the model of computation with the syntax and semantics of operators and atomic propositions the definition of PSC-PLTL is complete. For convenience we will also use the Boolean and temporal shorthand operators (∨, →, F and G) defined above.
Efficient Evaluation of Temporal Logic Formulae
For the implementation of the PSC-PLTL checker we needed a method for evaluation of PSC-PLTL formulae over finite execution traces. As PSC-PLTL is bound to statecharts only in the interpretation of atomic predicates, any method for evaluating PLTL formulae is applicable for our purposes (correspondingly below we will discuss PLTL languages in general without restricting our approach for PSC-PLTL).
The most straightforward naive approach is based on iterative rewriting of formulae. We can establish a tree of expression nodes rooting in the original expression to be evaluated: leaves of the evaluation tree are atomic propositions to be evaluated on the label set of the corresponding step of trace while internal nodes are Boolean operators (¬ or ∧) and next-time subexpressions (i.e., ones in the X φ form); until subexpressions are to be moved into the scope of an X operator according to the (Π |= e 1 U e 2 ) ↔ (Π |= e 2 ∨ (e 1 ∧ X (e 1 U e 2 ))) rewriting:
The tree resulting from the naive iterative decomposition of G(r → (p U d)) is shown in part a of Fig. 5 . The root of the tree is the G(r → (p U d)) expression (represented without shorthand operators as U(r ∧ ¬(p U d)); the expression is rewritten to (¬(r∧(¬d∧¬(p∧X (p U d))))∧¬( ∧X ( U(r∧ ¬(p U d))))) resulting in two next-time expressions X (p U d) and X ( U(r ∧ ¬(p U d))) (indicated by white rounded boxes) that yield expressions p U d and U(r ∧ ¬(p U d)) to be evaluated in the next trace suffix Π 1 (orange rounded boxes). It is easy to see that the naive iterative rewriting starts the evaluation of p U d for each suffixes resulting in ever growing number of expressions to be evaluated; let L n e be the number of leaves in the tree built for expression e for a trace of length n and N n e be the number of all nodes in the tree built for the same case. It is easy to see that
Fig. 5. Efficient Evaluation of Temporal Logic Formulae
The idea of our solution is shown in part b of Fig. 5 . We introduced the concept of evaluation nodes as straightforward hardware analogy for (i) encapsulating a piece of evaluation logic and (ii) collecting the next-time subexpressions to be evaluated in the next suffix. The atomic predicates to be evaluated on the set of labels assigned to the actual step of trace appear on left interfaces of evaluation nodes while next-time subexpressions appear on bottom interfaces. This solution prevents the explosion of expression set to be evaluated as in case of the naive approach. We implemented a code generator that derives the interfaces and internal logic of evaluation nodes from a root expression and synthesizes source code implementing the evaluation nodes as C++ classes. The solution is discussed in-depth in [5] ; we reported significant reduction of time needed for evaluating PLTL expressions on finite traces as compared to approaches published previously in the literature. This method was used for implementing our PSC-PLTL checker: as PSC-PLTL is bound to statechart artifacts only by its atomic propositions, the source code synthesized by our code generator was usable for evaluating PSC-PLTL formulae over execution traces of statechart implementations after a simple preprocessing phase.
A Watchdog Architecture for UML 2.0 Statecharts
This section presents PSC-WD, a watchdog architecture for detecting errors in the implementation of a precise statechart. Our solution was inspired by traditional watchdog approaches that observe the control flow of a software running on the main CPU and signal an error if it deviates from the correct control flow graph synthesized from the source code of the application. Our method elevates this scheme to the abstraction level of statecharts by observing the runtime behavior of a statechart implementation and checking whether it actually corresponds to the statechart with respect to the semantics defined in Sec. 2. After a short introduction to watchdogs proposed previously in the literature we will discuss the representation of runtime and reference information in PSC-WD and outline the implementation.
The structure of a program can be described by the control flow graph (CFG) whose nodes represent branch-free blocks of subsequent instructions and directed edges represent branch instructions, function calls etc.
Hardware elements or software applications that aim at detection of control flow errors are usually called watchdogs for historical reasons. Watchdog circuits attached to interfaces of devices were originally used for detecting such lethal conditions as loss of clock signal, power outage or lack of some life signals. The more advanced watchdog processors (WP) [6] are able to perform more sophisticated checks on the operation of the main processor: the WP observes the actual behavior of the program and checks it against the correct CFG. A WP can be characterized by the solutions chosen for (i) describing of the correct control flow (called the reference information), (ii) observing the actual behavior (called the runtime information and (iii) the actual implementation of the WP.
Runtime information is represented by compacted pieces of observed behavior called signatures (e.g., address of the actually fetched instruction without the actual operation code and arguments). The WP can obtain the runtime signatures in two ways: (i) observing the system buses (called derived signatures) or (ii) explicitly receiving messages from the program (called assigned signatures). Although the application of derived signatures promises totally non-intrusive observation, predictive prefetching, instruction caching, pipeline organization, out of order execution etc. applied in modern CPUs prevents the WP from unambiguously observing the execution by bus signals and renders assigned signatures the only viable solution.
There were three solutions proposed in the literature for the representation of the reference information: (i) storing the correct CFG in a database in the WP, (ii) executing a watchdog program on the WP that accepts correct runs of the main program or (iii) the reference information can be embedded in signatures themselves. The stored database approach uses an adjacency matrix or adjacency list for storing the directed control flow graph; unfortunately this approach may result in significant memory consumption (e.g., large, sparse adjacency matrix) or time-consuming lookup operations (e.g., searching for an edge in the adjacency list). The watchdog program approach considers the valid executions of the main program as sentences of a language where the words are signatures of execution; the watchdog program is a language parser that accepts valid sequences of signatures, i.e., valid executions of the main program; it is easy to see that having built the valid CFG of the main program, it is relatively easy to automatically synthesize such an automaton that accepts valid runs. The embedded signatures approach uses composite signatures whose first part identifies the actual point of execution and the second part identifies the set of signatures that may follow the actual one in a correct execution.
There were proposals for all combinations of representing runtime and reference information mentioned above. Derived signatures were used together (i) with stored database in the Asynchronous Signatured Instruction Stream approach by Eifert et al. [7] , (ii) with watchdog program by Michel et al. [8] and (iii) with embedded signatures in Path Signature Analysis approaches of Namjoo [9] Assigned signatures were used together (i) with stored database in the Extended Structural Integrity Checking approach by Michel and Hohl [10] , (ii) with watchdog program in Lu's Structural Integrity Checking method [11] and (iii) with embedded signatures in the Signature Encoded Instruction Stream (SEIS) approach by Majzik et al. [12] .
The actual implementation of the WP can be (i) a real physical processor, but there were approaches proposed in the literature for (ii) utilizing the unused resources of the main processor for emulating the WP [13] and (iii) integrating watchdog processors into multiprocessor systems [14] .
Having introduced the key concepts related to WPs, we can reason about choosing the most appropriate solutions for mapping CFG concepts to statecharts, the representation of runtime and reference information and the implementation of PSC-WD. To put together: we would like to construct a watchdog that observes the execution of an application and checks whether the actual behavior corresponds to the statechart specification, e.g., after the reception of a trigger a valid set of transition conglomerates is selected to be fired and the resulting configuration is reached correctly. The concepts of CFGs seamlessly map to the KTS specified in Sec. It is important to highlight that tuples transmitted to PSC-WD are not necessarily members of the ⇒ set; in contrary: we would like to detect those cases where the tuple ⇒ x describing the actual step violates a semantic rule, i.e., ⇒ x ∈⇒. As an illustration: in traditional WP schemes the application sends a signature s to the WP to check whether the state represented by s is a valid successor of the previous state; in our approach the application sends a tuple ⇒ x to PSC-WD to check whether ⇒ x is valid, i.e., ⇒ x ∈⇒.
Storing the reference information in a database (e.g., adjacency matrix) is surely not viable since this requires flattening the statechart and precalculating all possible steps; due to orthogonal state decomposition the size of the flattened statechart may be an exponential function of the original. The application of embedded signatures is not an option again since embedding a "fragment of possible future behavior" seems to be semantically even more complicated than the definition of the entire statechart semantics itself. Thus we will present an approach similar to watchdog program approaches: we will synthesize an automaton from the KTS that accepts correct runs of the application with respect to the statechart specification. The watchdog automaton will run in synchrony with the observed application, and check the validity of its steps.
Since our watchdog has to perform quite complex checks, we will implement it purely in software; PSC-WD can run as a stand-alone application connected to the observed application by some IPC mechanisms or embedded in the observed application in a self-checking configuration. For simplicity reasons we will focus on checking a single object specified by the statechart but our approach can be extended to checking any number of objects specified by any number of statecharts as discussed in [15] .
According to our knowledge there were no elaborated solutions proposed in the literature for runtime error detection in statechart implementations. A combination of the SEIS approach with a statechart-based high level specification was suggested in [16] . In their approach statecharts are flattened and the reference information is stored in an adjacency matrix; state exit and entry activities are considered to be implemented by functions and the execution of these functions is checked by the SEIS WD scheme. The solution uses statecharts for ensuring that functions are called in a valid order. Unfortunately due to the lack of a formal semantics for statecharts their approach can not exploit most of the description power of statecharts, the proposed solution is primarily an extension of the SEIS approach instead of a WP for statechart implementations.
In our approach we will construct a watchdog automaton W that accepts the correct runs of a statechart implementation. We will assume that the ⇒ x steps of the implementation can be observed (through a monitor interface or by instrumentation). The task of building W can be characterized as a computer linguistics problem: we would like to build an automaton that accepts valid sentences of a language: (i) the grammar of the language is specified by the actual statechart with respect to the semantics discussed in Sec. 2, (ii) words of the language are the ⇒ i steps, and (iii) sentences are the S = (⇒ 0 , ⇒ 1 , . . . ) step sequences. For a step sequence S i we have to decide whether S i is valid according to the statechart and the operation semantics i.e., S i is a valid sentence of the language.
Let us imagine the implementation as an automaton shown in Fig. 4 . In this aspect we can consider the implementation as another automaton that writes the ⇒ i ∈⇒ words to its output as indicated by the labels on arrows (e.g., writing ⇒ i ∈ init =⇒ in case of "Initialization" etc.). Initially let us consider that W can only see the type of the step taken by the implementation (i.e., whether ⇒ i belongs to init =⇒ or open =⇒, etc.), but does not investigate the internal semantics of ⇒ i = (s, (t, TC f ), s ) tuples. Let us assign observation states in W for phases of operations in the implementation (e.g., Obs α for Phs α , Obs U for Phs U etc.). Constructing an automaton that observes the actual phase of operation in the implementation is easy since a source phase-step type pair unambiguously determines the target phase. The observer automaton should be obviously started from the Obs α state corresponding to the initial phase Phs α .
Until this point our watchdog automaton W can only indicate those abnormal situations when the implementation performs a step whose type is invalid in the actual phase (e.g., opening an RTC step in the uninitialized phase). The next step is adding more intelligence to W by enabling it to check the internal semantics of ⇒ i = (s, (t, TC f ), s ) tuples. The automaton extended this way is shown as a UML statechart in Fig. 6 : W has two top states: Observing (the watchdog is currently observing the behavior of the implementation and has not detected any inconsistencies) and Error (an error was detected). The observer automaton is implemented as sub- From this point our remaining work is only to specify the guard predicates that check whether a ⇒ i = (s, (t, TC f ), s ) tuple is a valid instance of the corresponding step type according to the semantics. The six guard predicates can be directly derived from the definitions of init =⇒, open =⇒, etc. Below we will present the formal definitions of guards OpenOK, InterOK and CloseOK, the remaining ones can be derived similarly.
The last observation to be considered before presenting the definitions is the following: the selection of fireable transition conglomerates involves the evaluation of guard predicates that possibly refer to variables of the application; since the WP does not know these values, all transition conglomerates whose source states are active and are triggered by the actual transition are considered to be possibly fireable i.e., if the application selects them for firing, then the watchdog will accept them. In the definitions we will use the symbol TC pf representing possibly fireable transition conglomerates as discussed above and S The conflict of transition conglomerates tc 1 and tc 2 is indicated as tc 1 #tc 2 , the fact that tc l is of higher priority that tc h is indicated as tc l ≺ tc h .
The meaning of subexpressions in OpenOK is as follows: (i) the step consumed a trigger (i.e., not the empty trigger), (ii) there were one or more transition conglomerates fired, (iii) the source configuration was not empty, (iv) there were no termination states in the source configuration, (v) the transition conglomerates fired in the step were in the set of possibly fireable ones, (vi) none of the transition conglomerates fired in the step were disabled by priority relations, (vii) there were no conflicting transition conglomerate pairs fired, (viii) the resulting configuration is derived from the source configuration by removing S and (ix) the resulting phase is unstable. The meaning of subexpressions in InterOK is as follows: (i) the step did not consume any trigger, (ii) there were one or more transition conglomerates fired, (iii) the source configuration was not empty, (iv) there were no termination states in the source configuration, (v) the transition conglomerates fired in the step were in the set of possibly fireable ones, (vi) none of the transition conglomerates fired in the step were disabled by priority relations, (vii) there were no conflicting transition conglomerate pairs fired, (viii) the resulting configuration is derived from the source configuration by removing S and (ix) the resulting phase is unstable. The meaning of subexpressions in CloseOK is as follows: (i) the step did not consume any trigger, (ii) there were no transition conglomerates fired, (iii) the source configuration was not empty, (iv) there were no termination states in the source configuration, (v) the configuration was not modified and (vi) the resulting phase is stable.
The statechart in Fig. 6 coupled with formal definitions of guard predicates above defines the operation of PSC-WD. We implemented a prototype of PSC-WD as a stand-alone application that reads the statechart model of an application (using the XML metadata interchange format supported by most modeling environments), processes a trace of execution and signals an error on the violation of the behavioral specification.
Experimental Evaluation of Error Detection Capabilities
In order to demonstrate the error detection capabilities of our two solutions (PSC-PLTL checker and PSC-WD) we carried out a fault injection experiment campaign. This section outlines the goal of the analysis, the experiment setup and presents the results.
By definition, fault injection corresponds to artificial insertion of faults into a real target system [17] . A fault injection campaign is characterized by its goal, the system under investigation, and the input and output domains.
Fault injection experiments can aim at achieving the following goals: (i) understanding of the effects of faults in the system, (ii) assessing the efficiency of fault tolerance mechanisms and (iii) enhancement of fault tolerance mechanisms. The goal of our experiments is to experimentally assess the efficiency of our error detection techniques.
We used a desktop calculator application [18] as system under investigation. First we defined a draft statechart of the calculator (Fig. 7) , specified some temporal correctness criteria in the context of the initial statechart, prepared the elaborated version of the calculator's statechart (Fig. 8) finally generated the source code of the application.
The input domain [19] corresponds to (i) the F set of injected faults, called the faultload and (ii) the W set of activities the system has to perform during the experiment, called the workload. In our experiments we used both model refinement faults (a transition was removed from model before code generation), implementation faults (two key functions were substituted by faulty implementations) and physical faults (a software-implemented fault injection (SWIFI) tool was used for enforcing bit flips in the memory) as faultload. The calculator had to perform calculations of various complexity as workload: (i) a "small" workload with three accumulated additions, (ii) a "medium" consisting of an addition, a percent calculation and a multiplication (−0.123 + 4.56% * −23.45 =) and (iii) a "complex" containing multiple operations (note that since percent calculation takes the statechart to ready state, the medium workload does not contain accumulated operations).
The output domain corresponds to the R set of readouts that are collected to characterize the target system behavior in the presence of faults. The outcome of fault injection experiments is called the measures that are derived from the analysis and processing of the F , W and R sets. The direct readouts in our experiments were as follows: (i) everything written to the standard output (containing the result of computation), (ii) everything written to the standard error stream (possibly containing the error messages), (iii) the entire execution trace to be processed by PSC-WD and PSC-PLTL checker and (iv) errors detected by the operating system or the executer environment (e.g., occurrence of timeouts, signals delivered to the process etc.). Based on the raw readouts the following higher-level measures were derived: (i) failures delivered by the system (by comparing the con- The initial statechart of the system (desktop calculator) is shown in Fig. 7 . We defined the φ temporal correctness criterion in the context of the initial statechart: "the calculator should correctly handle operators i.e., pushing an operator button in any of states operand 1 or operand 2 should take the calculator to opEntered":
The (correct) elaborated statechart of the calculator is shown in Fig. 8 . We simulated model refinement faults by omitting the transition originating in operand 2 , triggered by operEvent and targeting opEntered preventing this way the accumulation of operations in small and complex workloads.
Implementation faults were simulated by preparing faulty implementations of functions Enabled (collecting enabled transition conglomerates) and FireSingle (calculating the set of states left and entered when firing a transition conglomerate). The faulty version of Enabled was modified to return an invalid set of enabled transition conglomerates by first calculating the correct set than substituting an enabled transition conglomerate with a non enabled one. The faulty version of FireSingle was modified to return an invalid set of states left by adding a state to the correctly calculated set that should not be left. Both faulty implementations were prepared is such a way that the faulty behavior is exposed only once during the execution after a sufficiently long correct operation.
Physical faults were simulated by a custom SWIFI tool that was used for inverting bits in the code section targeting the binary implementation of Enabled and FireSingle functions.
The entire fault injection campaign consisted of over 180000 experiments (we used various slightly different options for code generation, building the binaries etc.) and resulted in a raw data set of over 10GB. The data set was processed and stored in a relational database. The results obtained by submitting queries to the database are shown in Tab. 2.
We were expecting refinement faults to be detected by the PSC-PLTL checker and remaining hidden from both PSC-WD and HW/OS mechanisms. The corresponding cells of Tab. 2 (highlighted by bold fonts) indicate that all errors caused by refinement faults that were forced to be activated by the workload were detected by the PSC-PLTL checker and there were no errors detected by PSC-WD or HW/OS mechanisms. It is important to highlight that the PSC-PLTL checker may detect errors only if (i) the PSC-PLTL predicate is violated (i.e., it is important to formally define all requirements that are to be checked) and (ii) the workload actually forces the application to expose faulty behavior (e.g., the omitted transition is not triggered by the medium workload therefore no error detection occurred).
We were expecting implementation faults to be detected by the PSC-WD and remaining hidden from the PSC-PLTL checker and HW/OS mechanisms. The corresponding cells of Tab. 2 (highlighted by bold fonts) indicate that a very high percentage of errors caused by implementation faults that were forced to be activated by the workload were detected by PSC-WD (87.5% of errors in case of the small workload and the FireSingle function and 100% of all other implementation errors and workloads). It was also indicated that some OS signals also occurred: taking a closer look on these signals we concluded that these were SIGABORT signals implementing standard ANSI-C assertions i.e., in these cases serious inconsistencies were detected by the application itself resulting in abortion of execution.
As our solutions were developed for detecting errors caused by refinement and implementation faults, in case of physical faults we were expecting low error detection potential from both the PSC-PLTL checker and PSC-WD and predicted better error detection potential for HW/OS mechanisms. Indeed: the corresponding cells of Tab. 2 indicate that the PSC-PLTL checker detected less than 2% of errors, the efficiency of PSC-WD fall into the [3.40% . . . 7.12%] interval while HW/OS mechanisms detected [53% . . . 83%] of faults in the code segment. The explanation for the high error detection ratio is as follows: bit inversions in the code section are likely to result in invalid operation codes or illegal memory addresses that are detected by the CPU or the memory management unit resulting in HW exceptions mapped to UNIX signals (e.g., segmentation violation, etc.).
It is interesting to outline the efforts needed for integrating our solutions into a software development process. In case of a UML-based devel-opment (where the delivered software is a result of subsequent iterative model refinement steps and finally the implementation), draft statecharts are constructed in early modeling phases while the implementation (manual programming or automatic code generation) is based on fully elaborated statecharts. This way the reference models of PSC-WD (elaborated statecharts) are already available without modifying the process, while the application of the PSC-PLTL checker still requires the definition of temporal correctness criteria in PSC-PLTL; the definition of requirements in temporal logic requires some practice in the mathematical formalism indeed, but on one hand this can be achieved with a minor effort, on the other hand the rigorous definition of temporal correctness and the corresponding communication with users is clearly beneficial for the entire process.
The prototype implementation of the LTL checker was used in the testing of a safety-critical railway application. Our industrial partner in this project was the Prolan Process Control Co. We are planning to port the PSC-PLTL checker and PSC-WD to the mitmót modular embedded platform [20] developed at the Embedded Information Technology Research Group of the Hungarian Academy of Sciences and Budapest University of Technology and Economics in order to prove the applicability of our solutions in resource constrained embedded platforms.
Conclusions and Future Work
This chapter has proposed two techniques for runtime detection of errors in the behavior of UML 2.0 statechart implementations. The main contributions are (i) outlining a formal semantics for statecharts that forms a solid foundation for reasoning about implementation, observation of behavior and runtime error detection; (ii) proposing the PSC-PLTL language for defining temporal correctness criteria in the context of statecharts and the corresponding evaluation method that enables the detection of errors caused by model refinement faults introduced during the development; (iii) presenting the PSC-WD architecture for detecting errors caused by faults in the implementation of statechart-based behavior and (iv) the experimental evaluation of our solutions that indicated the viability of our approaches. In our future work we would like to integrate these error detection techniques into a fault tolerance framework where errors detected by these techniques appear as high-level exceptions enabling the initiation of system-level recovery and fault tolerance measures.
