
    A probabilistic extension of UML statecharts: specification and verification

    This paper is the extended technical report that corresponds to a published paper [14]. This paper introduces means to specify system randomness within UML statecharts, and to verify probabilistic temporal properties over such enhanced statecharts, which we call probabilistic UML statecharts. To achieve this, we develop a general recipe to extend a statechart semantics with discrete probability distributions, resulting in Markov decision processes as semantic models. We apply this recipe to the requirements-level UML semantics of [8]. Properties of interest for probabilistic statecharts are expressed in PCTL, a probabilistic variant of CTL for processes that exhibit both non-determinism and probabilities. Verification is performed using the model checker Prism. A model checking example shows the feasibility of the suggested approach.

    Semantic mutation testing

    This is the pre-print version of the article. The official published version can be obtained from the link below. Copyright @ 2011 Elsevier.
    Mutation testing is a powerful and flexible test technique. Traditional mutation testing makes a small change to the syntax of a description (usually a program) in order to create a mutant. A test suite is considered to be good if it distinguishes between the original description and all of the (functionally non-equivalent) mutants. These mutants can be seen as representing potential small slips, and thus mutation testing aims to produce a test suite that is good at finding such slips. It has also been argued that a test suite that finds such small changes is likely to find larger changes. This paper describes a new approach to mutation testing, called semantic mutation testing. Rather than mutate the description, semantic mutation testing mutates the semantics of the language in which the description is written. The mutations of the semantics of the language represent possible misunderstandings of the description language and thus capture a different class of faults. Since the likely misunderstandings are highly context dependent, this context should be used to determine which semantic mutants should be produced. The approach is illustrated through examples with statecharts and C code. The paper also describes a semantic mutation testing tool for C and the results of experiments that investigated the nature of some semantic mutation operators for C.

    A Holistic Approach in Embedded System Development

    We present pState, a tool for developing "complex" embedded systems by integrating validation into the design process. The goal is to reduce validation time. To this end, qualitative and quantitative properties are specified in system models expressed as pCharts, an extended version of hierarchical state machines. These properties are specified in an intuitive way such that they can be written by engineers who are domain experts, without needing to be familiar with temporal logic. From the system model, executable code that preserves the verified properties is generated. The design is documented on the model and the documentation is passed as comments into the generated code. On a series of examples we illustrate how models and properties are specified using pState.
    Comment: In Proceedings F-IDE 2015, arXiv:1508.0338

    Run time monitoring of reactive system models


    Non-null Infinitesimal Micro-steps: a Metric Temporal Logic Approach

    Many systems include components interacting with each other that evolve with possibly very different speeds. To deal with this situation, many formal models adopt the abstraction of "zero-time transitions", which do not consume time. These, however, have several drawbacks in terms of naturalness and logical consistency, as a system is modeled to be in different states at the same time. We propose a novel approach that exploits concepts from non-standard analysis to introduce a notion of micro- and macro-steps in an extension of the TRIO metric temporal logic, called X-TRIO. We use X-TRIO to provide a formal semantics and an automated verification technique for Stateflow-like notations used in the design of flexible manufacturing systems.
    Comment: 20 pages, 2 figures, submitted to the conference "FORMATS: Formal Modelling and Analysis of Timed Systems" 201

    Semantics and Verification of UML Activity Diagrams for Workflow Modelling

    This thesis defines a formal semantics for UML activity diagrams that is suitable for workflow modelling. The semantics allows verification of functional requirements using model checking. Since a workflow specification prescribes how a workflow system behaves, the semantics is defined and motivated in terms of workflow systems. As workflow systems are reactive and coordinate activities, the defined semantics reflects these aspects. In fact, two formal semantics are defined, which are completely different. Both semantics are defined directly in terms of activity diagrams and not by a mapping of activity diagrams to some existing formal notation. The requirements-level semantics, based on the Statemate semantics of statecharts, assumes that workflow systems are infinitely fast w.r.t. their environment and react immediately to input events (this assumption is called the perfect synchrony hypothesis). The implementation-level semantics, based on the UML semantics of statecharts, does not make this assumption. Due to the perfect synchrony hypothesis, the requirements-level semantics is unrealistic, but easy to use for verification. On the other hand, the implementation-level semantics is realistic, but difficult to use for verification. A class of activity diagrams and a class of functional requirements is identified for which the outcome of the verification does not depend upon the particular semantics being used, i.e., both semantics give the same result. For such activity diagrams and such functional requirements, the requirements-level semantics is as realistic as the implementation-level semantics, even though the requirements-level semantics makes the perfect synchrony hypothesis. The requirements-level semantics has been implemented in a verification tool. The tool interfaces with a model checker by translating an activity diagram into an input for a model checker according to the requirements-level semantics. The model checker checks the desired functional requirement against the input model. If the model checker returns a counterexample, the tool translates this counterexample back into the activity diagram by highlighting a path corresponding to the counterexample. The tool supports verification of workflow models that have event-driven behaviour, data, real time, and loops. Only model checkers supporting strong fairness model checking turn out to be useful. The feasibility of the approach is demonstrated by using the tool to verify some real-life workflow models.

    Dependability checking with StoCharts: Is train radio reliable enough for trains?

    Performance, dependability and quality of service (QoS) are prime aspects of the UML modelling domain. To capture these aspects effectively in the design phase, we have recently proposed STOCHARTS, a conservative extension of UML statechart diagrams. In this paper, we apply the STOCHART formalism to a safety-critical design problem. We model a part of the European Train Control System specification, focusing on the risks of wireless communication failures in future high-speed cross-European trains. Stochastic model checking with the model checker PROVER enables us to derive constraints under which the central quality requirements are satisfied by the STOCHART model. The paper illustrates the flexibility and maturity of STOCHARTS to model real problems in safety-critical system design.

    Automatic Safety mechanisms implementation in Software Model-Based Development

    Model Based Development (MBD) is now a common approach for the automotive industry. Using modeling tools to simulate the behavior of a system before developing the corresponding product(s) through automatic code generation has proven its efficiency. The "Road vehicles — Functional safety" ISO 26262 standard (Part 6) [2] identifies MBD as a recommended approach, especially for software architecture design with semi-formal notation and software verification with back-to-back testing through Model in the Loop (MIL), Software in the Loop (SIL) and Processor in the Loop (PIL). Regarding error detection, the standard recommends a certain number of monitoring methods such as "Range checks of input and output data", "Plausibility check" and "Control flow monitoring", but does not give any concrete recommendation for the software implementation of those methods and therefore for how to test them through fault injection. In the MBD approach, since code is generated automatically, safety mechanisms must be introduced at model level.