4 research outputs found

    Formally verified animation for RoboChart using interaction trees

    RoboChart is a core notation in the RoboStar framework. It is a timed and probabilistic, state-machine-based domain-specific language for robotics. RoboChart supports shared variables and communication across the entities of its component model, and it has a formal denotational semantics given in CSP. The semantic technique of Interaction Trees (ITrees) represents the behaviours of reactive and concurrent programs interacting with their environments. The recent mechanisation of ITrees, of an ITree-based CSP semantics and of a Z mathematical toolkit in Isabelle/HOL enables new applications of verification and animation for state-rich process languages such as RoboChart. In this paper, we use ITrees to give RoboChart a novel operational semantics, implement it in Isabelle, and use Isabelle's code generator to produce verified, executable animations. We illustrate the approach with models of an autonomous chemical detector and of a patrol robot, both exhibiting nondeterminism and using shared variables. Through animation we show two concrete scenarios for the chemical detector, in which the robot encounters different environmental inputs, and three for the patrol robot, in which its calibrated position lies in different corridor sections. We also verify, using FDR, a refinement model checker for CSP, that the animated scenarios are trace refinements of the CSP denotational semantics of the RoboChart models. This ensures that our approach of resolving nondeterminism with CSP operators with priority is sound and correct.
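    The following is an added illustration, not the paper's Isabelle/HOL mechanisation: a miniature interaction-tree interpreter in Python that shows the three ideas the abstract combines. An ITree is either a terminated process, a silent step, or a visible step offering events; an animator runs one concrete scenario, resolving internal nondeterminism with a fixed priority order on events; and the animated traces are checked against the tree's prefix-closed trace set, the trace-refinement check the paper delegates to FDR. The chemical-detector model, its event names and the priority order are constructed assumptions for this example.

```python
"""Toy ITree animator with priority-based resolution of nondeterminism.

Added illustration only: this is NOT the paper's Isabelle/HOL code. The
RoboChart-like model, its events and the priority order are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple, Union


@dataclass(frozen=True)
class Ret:
    """Terminated process returning a value."""
    value: object


@dataclass(frozen=True)
class Tau:
    """Internal (silent) step."""
    next: "ITree"


@dataclass(frozen=True)
class Vis:
    """Visible step: map from each enabled event to its continuation."""
    choices: Dict[str, "ITree"]


ITree = Union[Ret, Tau, Vis]

# Constructed chemical-detector model: sense the gas level, alarm and stop on a
# high reading; on a low reading the robot internally chooses how to keep moving.
ENV_EVENTS: Set[str] = {"gas.high", "gas.low"}               # chosen by the environment
PRIORITY: List[str] = ["alarm", "move.forward", "move.turn"]  # resolves internal choice


def chemical_detector() -> ITree:
    return Vis({
        "gas.high": Vis({"alarm": Ret("stopped")}),
        "gas.low": Tau(Vis({
            "move.forward": Ret("patrolling"),
            "move.turn": Ret("patrolling"),
        })),
    })


def traces(tree: ITree) -> Set[Tuple[str, ...]]:
    """Prefix-closed trace set: the denotational (traces) semantics of the tree."""
    if isinstance(tree, Ret):
        return {()}
    if isinstance(tree, Tau):
        return traces(tree.next)
    result: Set[Tuple[str, ...]] = {()}
    for event, cont in tree.choices.items():
        result |= {(event,) + t for t in traces(cont)}
    return result


def animate(tree: ITree, inputs: Sequence[str],
            env_events: Set[str] = ENV_EVENTS,
            priority: List[str] = PRIORITY) -> Tuple[List[str], Optional[object]]:
    """Run one concrete scenario and return (trace, final value).

    An environment event is taken when it is enabled and next in `inputs`;
    otherwise the enabled internal event earliest in `priority` is taken, so
    internal nondeterminism is resolved deterministically. The final value is
    None if the process is stuck waiting for an input that never arrives.
    """
    trace: List[str] = []
    pending = list(inputs)
    while True:
        if isinstance(tree, Ret):
            return trace, tree.value
        if isinstance(tree, Tau):
            tree = tree.next
            continue
        enabled = tree.choices
        if pending and pending[0] in enabled:
            event = pending.pop(0)
        else:
            internal = [e for e in enabled if e not in env_events]
            if not internal:
                return trace, None
            event = min(internal, key=lambda e: priority.index(e)
                        if e in priority else len(priority))
        trace.append(event)
        tree = enabled[event]


def refines(impl_traces: Set[Tuple[str, ...]],
            spec_traces: Set[Tuple[str, ...]]) -> bool:
    """Trace refinement spec [T= impl: every trace of impl is a trace of spec."""
    return impl_traces <= spec_traces


def animated_refines_spec(scenarios: Sequence[Sequence[str]]) -> bool:
    """Check every animated scenario against the denotational trace set
    (the FDR check of the abstract, in miniature)."""
    spec = traces(chemical_detector())
    animated = {tuple(animate(chemical_detector(), inp)[0]) for inp in scenarios}
    return refines(animated, spec)
```

    With inputs `["gas.high"]` the animator produces the trace `gas.high, alarm`; with `["gas.low"]` the priority order picks `move.forward` over `move.turn`, and both traces lie in the trace set of the model, so the priority resolution is a trace refinement. A deliberately wrong implementation that raises `alarm` without sensing would fail `refines`, which is the kind of discrepancy the FDR check in the paper would catch.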

    InRob-UML: a method for interoperability and robustness testing of real-time embedded systems using UML models

    Advisor: Eliane Martins. Master's dissertation, Universidade Estadual de Campinas, Instituto de Computação.
    Abstract: Validating the interoperability of embedded real-time subsystems and ensuring the robustness of their software are critical to the correct operation of a system. Even if each module works correctly in isolation, the interaction between them can produce out-of-specification information or suffer interference from the communication channel, such as data corruption or violation of timing requirements, especially when the modules are developed by different teams; this can lead the system to a catastrophic situation, causing financial loss or loss of life. In previous work, InRob, a method for interoperability and robustness testing of real-time embedded systems, was proposed. This work proposes an extension of InRob that adds, among other aspects: i) the use of UML (Unified Modeling Language) models, which are widely used in both academic and commercial settings, for the generation of model-based test cases; and ii) a model of the behaviour of a faulty communication channel between two subsystems that must interoperate. The channel behaviour is added to the model as an independent entity that interconnects the subsystems under test and interferes with the exchange of messages between them, affecting their operation. This model represents the behaviour of a "Failure Emulator Mechanism" (FEM) and specifies the interference the FEM must perform while the tests are applied. Thus, starting from a fault model of the effects a communication channel can have on the interaction between two subsystems, tests can be selected that direct the FEM's actions in evaluating the interoperability and robustness of the pair.
    The method was applied to a generic control system for a gate that grants access to a railway crossing, and to a real scientific-satellite subsystem for image capture and storage developed by INPE. Master's degree in Computer Science (Mestre em Ciência da Computação).
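    As an added example, not code from the dissertation, the block below builds the arrangement the abstract describes in Python: a sending subsystem, a receiving gate controller under test, and between them a failure emulator that applies a scripted fault model (message drop, bit corruption, delay past the timing requirement) to each message. The frame format (payload plus CRC-32), the 100 ms deadline, the `TRAIN`/`CLEAR` commands and the fail-safe behaviour of the controller are constructed assumptions for this example; the robustness property tested is that every faulty message leaves the gate closed and is flagged.

```python
"""Failure-emulator channel between two subsystems under test.

Added illustration, not code from the InRob-UML dissertation. Frame format,
fault model, deadline and the gate/crossing scenario are constructed here.
"""
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

CRC_LEN = 4
DEADLINE_MS = 100  # assumed timing requirement on the receiving side


def frame(payload: bytes) -> bytes:
    """Sender side: payload followed by its CRC-32 (big-endian)."""
    return payload + zlib.crc32(payload).to_bytes(CRC_LEN, "big")


def unframe(data: bytes) -> Optional[bytes]:
    """Receiver side: the payload if the CRC checks, otherwise None."""
    if len(data) < CRC_LEN:
        return None
    payload, crc = data[:-CRC_LEN], data[-CRC_LEN:]
    return payload if zlib.crc32(payload).to_bytes(CRC_LEN, "big") == crc else None


@dataclass
class Message:
    data: bytes
    sent_ms: int
    arrive_ms: int


# Fault model of the channel: a fault transforms a message, or drops it (None).
Fault = Callable[[Message], Optional[Message]]


def no_fault(m: Message) -> Optional[Message]:
    return m


def drop(m: Message) -> Optional[Message]:
    return None


def corrupt_bit(bit: int) -> Fault:
    """Flip one bit of the frame (simulated channel noise)."""
    def fault(m: Message) -> Optional[Message]:
        data = bytearray(m.data)
        data[bit // 8] ^= 1 << (bit % 8)
        return Message(bytes(data), m.sent_ms, m.arrive_ms)
    return fault


def delay(ms: int) -> Fault:
    """Hold the frame in the channel for an extra `ms` milliseconds."""
    def fault(m: Message) -> Optional[Message]:
        return Message(m.data, m.sent_ms, m.arrive_ms + ms)
    return fault


class FailureEmulator:
    """The FEM: sits between the subsystems and applies one scripted fault per
    message; messages beyond the script pass through untouched."""
    def __init__(self, script: List[Fault]) -> None:
        self.script = list(script)

    def transmit(self, m: Message) -> Optional[Message]:
        fault = self.script.pop(0) if self.script else no_fault
        return fault(m)


class GateController:
    """Subsystem under test. A valid CLEAR opens the gate; TRAIN closes it.
    Anything missing, late or corrupt is flagged and the gate stays closed,
    the fail-safe state for a railway crossing."""
    def __init__(self) -> None:
        self.gate = "closed"
        self.faults: List[str] = []

    def receive(self, m: Optional[Message]) -> str:
        self.gate = "closed"
        if m is None:
            self.faults.append("timeout")
        elif m.arrive_ms - m.sent_ms > DEADLINE_MS:
            self.faults.append("late")
        else:
            payload = unframe(m.data)
            if payload is None:
                self.faults.append("crc")
            elif payload == b"CLEAR":
                self.gate = "open"
            elif payload != b"TRAIN":
                self.faults.append("unexpected")
        return self.gate


def run_test(script: List[Fault], commands: List[bytes]) -> Dict[str, List[str]]:
    """One interoperability/robustness test: the detector subsystem sends
    `commands` through the FEM; we record the gate state after each message
    and the faults the controller flagged. Messages are 1 s apart, 5 ms latency."""
    fem, ctrl, states = FailureEmulator(script), GateController(), []
    for i, cmd in enumerate(commands):
        sent = i * 1000
        states.append(ctrl.receive(fem.transmit(Message(frame(cmd), sent, sent + 5))))
    return {"states": states, "faults": ctrl.faults}
```

    Selecting a test then means choosing the fault script from the channel's fault model, exactly the role the abstract gives the FEM: `run_test([no_fault, corrupt_bit(3), delay(500), drop], [b"CLEAR"] * 4)` opens the gate once and leaves it closed for the corrupted, late and dropped commands, flagging `crc`, `late` and `timeout` in turn. A controller that treated a late or corrupt `CLEAR` as valid would show up immediately as an `open` state in that trace.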

    Verifying model oriented specifications through animation

    In this paper we demonstrate how lightweight tools can be used to increase the level of confidence in Z specifications. In particular, we outline the Pipedream approach to exploring Z specifications through animation and illustrate the range of analyses that can be performed. We argue that, while a lightweight approach does not give the same level of assurance that an automated reasoning system would, it does give a level of assurance adequate for most projects, with significantly less overhead. We illustrate how animation can be used to perform verification using the example of a simple dependency management system.