Doron Drusinsky

The Temporal Rover and the ATG Rover

The Temporal Rover is a specification based verification tool for applications written in C, C++, Java, Verilog and VHDL. The tool combines formal specification, using Linear-Time Temporal Logic (LTL) and Metric Temporal Logic (MTL), with conventional simulation/execution based testing. The Temporal Rover is tailored for the verification of complex protocols and reactive systems where behavior is time dependent. The Temporal Rover generates executable code from LTL and MTL assertions written as comments in the source code. This executable source code is compiled and linked as part of the application under test. During application execution the generated code validates the executing program against the formal temporal specification requirements. Using MTL, real time and relative time constraints can be validated. A special code generator supports validation of such constraints in the field, on an embedded target.

Using statecharts for hardware description and synthesis

Statecharts have been proposed recently as a visual formalism for the behavioral description of complex systems. They extend classical state diagrams in several ways, while retaining their formality and visual nature. The authors argue that statecharts can be beneficially used as a behavioral hardware description language. They illustrate some of the main features of the approach, including: hierarchical decomposition, multilevel timing specifications and flexible concurrency and synchronization capabilities. The authors also present a VLSI synthesis methodology by which layer area and delay periods can be reduced relative to the conventional finite-state-machine (FSM) synthesis method. >

On the power of bounded concurrency I: finite automata

We investigate the descriptive succinctness of three fundamental notions for modeling concurrency: nondeterminism and pure parallelism, the two facets of alternation, and bounded cooperative concurrency, whereby a system configuration consists of a bounded number of cooperating states. Our results are couched in the general framework of finite-state automata, but hold for appropriate versions of most concurrent models of computation, such as Petri nets, statecharts or finite-state versions of concurrent programming languages. We exhibit exhaustive sets of upper and lower bounds on the relative succinctness of these features over &Sgr;* and &Sgr;ω, establishing that: (1) Each of the three features represents an exponential saving in succinctness of the representation, in a manner that is independent of the other two and additive with respect to them. (2) Of the three, bounded concurrency is the strongest, representing a similar exponential saving even when substituted for each of the others. For example, we prove exponential upper and lower bounds on the simulation of deterministic concurrent automata by AFAs, and triple-exponential bounds on the simulation of alternating concurrent automata by DFAs.

Experimental Evaluation of Verification and Validation Tools on Martian Rover Software

We report on a study to determine the maturity of different verification and validation technologies (V&V) applied to a representative example of NASA flight software. The study consisted of a controlled experiment where three technologies (static analysis, runtime analysis and model checking) were compared to traditional testing with respect to their ability to find seeded errors in a prototype Mars Rover controller. What makes this study unique is that it is the first (to the best of our knowledge) controlled experiment to compare formal methods based tools to testing on a realistic industrial-size example, where the emphasis was on collecting as much data on the performance of the tools and the participants as possible. The paper includes a description of the Rover code that was analyzed, the tools used, as well as a detailed description of the experimental setup and the results. Due to the complexity of setting up the experiment, our results cannot be generalized, but we believe it can still serve as a valuable point of reference for future studies of this kind. It confirmed our belief that advanced tools can outperform testing when trying to locate concurrency errors. Furthermore, the results of the experiment inspired a novel framework for testing the next generation of the Rover.

Monitoring Temporal Rules Combined with Time Series

Run-time monitoring of temporal properties and assertions is used for testing and as a component of execution-based model checking techniques. Traditional run-time monitoring however, is limited to observing sequences of pure Boolean propositions. This paper describes tools, which observe temporal properties over time series, namely, sequences of propositions with constraints on data value changes over time. Using such temporal logic with time series (LTLD) it is possible to monitor important properties such as stability, monotonicity, temporal average and sum values, and temporal min/max values. The paper describes the Temporal Rover and the DBRover, which are in-process and remote run-time monitoring tools, respectively, that support linear time temporal logic (LTL) with real-time (MTL) and time series (LTLD) constraints.

Semantics and Runtime Monitoring of TLCharts: Statechart Automata with Temporal Logic Conditioned Transitions

This paper describes the semi-formal semantics and a run-time monitoring technique for TLCharts, a visual specification language that combines the visual and intuitive appeal of non-deterministic Harel Statecharts with formal specifications written in Linear-time (Metric) Temporal Logic (LTL and MTL). We describe an automata-theoretic semantics for non-deterministic statecharts with negation and state overlapping and extend it to cater for temporally annotated transitions, thereby providing a simple automata theoretic semantics for TLCharts. We also describe a run-time monitoring technique for TLCharts.

A Visual Tradeoff Space for Formal Verification and Validation Techniques

Numerous techniques exist for conducting computer-assisted formal verification and validation. The cost associated with these techniques varies, depending on factors such as ease of use, the effort required to construct correct requirement specifications for complex real-world properties, and the effort associated with instrumentation of the software under test. Likewise, existing techniques differ in their ability to effectively cover the system under test and its associated requirements. To aid software engineers in selecting the appropriate technique for the formal verification or validation task at hand, we introduce a three-dimensional tradeoff space encompassing both cost and coverage.

On the power of cooperative concurrency

The framework of finite-state systems is used to investigate the relative power of three fundamental notions: nondeterminism and pure parallelism, the two facets of alternation, and cooperative concurrency, whereby configurations consist of states between which communication can occur. To formalize cooperative concurrency, which appears to be the closest finite-state analog to real-world distributed concurrency, we use the recent statecharts, though our results hold for many other approaches, such as Petri nets, CSP or CCS. We exhibit an exhaustive set of upper and lower bounds on the ability to inter-simulate these features over Σ*, and an almost exhaustive set for the Σω case, establishing that (a) each of the three features represents an exponential saving in succinctness of the representation, in a manner that is independent of the other two and additive with respect to them, and (b) of the three, cooperative concurrency is the strongest, representing a similar exponential saving when it is substituted for each of the others. For example, we prove an exponential lower bound on the simulation of deterministic statecharts by AFAs and a triple-exponential lower bound on the simulation of alternating statecharts by DFAs.

Validating UML Statechart-Based Assertions Libraries for Improved Reliability and Assurance

In this paper we present a new approach for developing libraries of temporal formal specifications. Our approach is novel in its use of UML statechart-based assertions for formal specifications and its emphasis on validation testing, including an emphasis on the inclusion of validation test scenarios as an integral part of a formal specification library. Validation test scenarios are needed to ensure a robust validation process and to improve the reliability and assurance of the specification and resulting software.

Creating and Validating Embedded Assertion Statecharts

Integrating formal assertions into the modeling, implementation, and testing of statechart-based designs can enhance a rapid system prototyping systems robustness by providing runtime monitoring and recovery from assertion failures. An iterative process for developing and verifying statechart prototype models augmented with statechart assertions using the StateRover tool lets system designers write formal specifications using statechart assertions. It also enables them to use JUnit-based simulation to validate statechart assertions and to test statechart prototype models augmented with statechart assertions. A case study using a safety-critical computer assisted resuscitation algorithm software prototype for a casualty intravenous fluid infusion pump illustrates the process.