Environment Restriction Slicing of EFSMs
Kelly Androutsopoulos
CREST (Center for Research in Evolution, Search and Testing)
University College of London
Email: [email protected]
Joint work with: David Binkley, David Clark, Nicolas Gold, Mark Harman, Kevin Lano and Zheng Li
Extended Finite State Machines (EFSMs)
• Widely used to model, e.g., embedded systems, safety-critical systems and discrete-event control devices
[Figure: the environment sends stimuli to the system, and the system returns responses to the environment]
Reuse with Restricted Operational Environment
1) Example: Car Air Conditioning System
• A 'basic model' car air conditioning system and a 'luxurious model' that additionally contains climate control functionality.
2) Example: Vending Machine
• Allows a user to insert coins and vends tea, with the option of large cups, small cups, sugar and double sugar. Assume this model is deployed in an environment where the sugar button is disabled.
EFSM of Vending Machine
Environment Restriction Slicing (ERS) applied to Vending Machine
Aid Property Verification
• State space > 3000
• Assume we want to prove property P:
– The feed belt motor is off if there is a blank on the elevating rotary table.
• P affects only 4 events.
• The model can be reduced by ERS to 4 states and 8 transitions.
[Figure: the production cell, showing the feed belt, the elevating rotary table, the robot and the deposit belt]
ERS definitions
• Definition (Slicing Criterion):
– An ignore set I, which is a set of events that no longer occur in the new environment.
• Definition (Event Sequence Set Filter):
– The sequence-set filter function fi keeps only those event sequences in X that contain no event from I:
fi(X, I) = { E ∈ X | E ∩ I = ∅ }
• Definition (Environment Restriction Slice):
– A slice of an EFSM M = (S, T, A, Si) for ignore set I is a reduced EFSM M' that is semantically indistinguishable from M on all event sequences in fi(A*, I), where A* is the set of all possible event sequences in the environment.
Weak Semantic Requirement – Stutter-free Event Sequences
• Stuttering event sequence:
– a, a, b
• Stutter-free event sequence:
– a, b
[Figure: a two-state EFSM with states S1 and S2 and transitions triggered by events a and b]
ERS Algorithms
1) Slicing algorithm basicSlice
2) Constant propagation algorithm
3) R-merge equivalent states algorithm
4) G-merge equivalent states algorithm
basicSlice Algorithm (A1)
• Slicing criterion: ignore set I
• Algorithm:
– Delete all transitions whose trigger event is in I.
– Then remove all states and transitions that are no longer reachable from an initial state.
An Example EFSM Sliced wrt Ignore Set I={a}
After Applying basicSlice
Constant Propagation Algorithm (A2)
• A simple flow-insensitive constant propagation algorithm in which variables are mapped to values in a flat lattice with ⊤ (uninitialised) at the top and ⊥ (non-constant) at the bottom.
• Algorithm:
– Variables that appear as event parameters are assigned the value ⊥ (non-constant).
– All other variables are initialised to ⊤ (uninitialised).
– Assignments in the actions of transition labels are considered. If the RHS evaluates to a constant, the value of the LHS variable is replaced by the meet of that constant and the variable's present value. Otherwise, the value is replaced by ⊥.
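The flat-lattice propagation described above, written out as an added example (it is not the authors' implementation). The transition list, the variable names, the `lhs := rhs` action syntax and the restriction of right-hand sides to an atom or two atoms joined by `+`, `-` or `*` are all assumptions made here; an operand that is still ⊤ is treated as non-constant, the conservative choice. The example also shows why A2 is run after A1: once the `sugar` transitions are sliced away, the variable `sugar` becomes a constant.

```python
"""Flow-insensitive constant propagation over EFSM actions (A2) on a flat
lattice.  Added example; the toy transitions below are constructed here and
are not the slides' vending machine."""
import re

TOP, BOTTOM = "⊤", "⊥"  # uninitialised / non-constant


def meet(a, b):
    """Meet in the flat lattice: ⊤ is the identity, ⊥ absorbs everything,
    and two different constants meet to ⊥."""
    if a == TOP:
        return b
    if b == TOP:
        return a
    return a if a == b else BOTTOM


def eval_rhs(expr, env):
    """Evaluate 'atom' or 'atom op atom' (atom = integer literal or variable).
    Returns an int if every operand is a known constant, else BOTTOM.  A ⊤
    operand is treated as unknown, so ⊤ + 1 is BOTTOM (conservative)."""
    tokens = re.findall(r"\d+|[A-Za-z_]\w*|[+*-]", expr)

    def atom(tok):
        if tok.isdigit():
            return int(tok)
        v = env.get(tok, TOP)
        return v if isinstance(v, int) else BOTTOM

    if len(tokens) == 1:
        return atom(tokens[0])
    if len(tokens) == 3 and tokens[1] in "+-*":
        lhs, rhs = atom(tokens[0]), atom(tokens[2])
        if lhs == BOTTOM or rhs == BOTTOM:
            return BOTTOM
        return {"+": lhs + rhs, "-": lhs - rhs, "*": lhs * rhs}[tokens[1]]
    return BOTTOM  # unsupported shape: treat as non-constant


def propagate(transitions, variables):
    """transitions: list of (event, params, actions); params are variables
    bound from the event, actions are 'lhs := rhs' strings.  Flow-insensitive:
    every action is applied regardless of order until no value changes."""
    env = {v: TOP for v in variables}
    for _, params, _ in transitions:
        for p in params:
            env[p] = BOTTOM  # event parameters are never constant
    changed = True
    while changed:  # terminates: values only move down the lattice
        changed = False
        for _, _, actions in transitions:
            for act in actions:
                lhs, rhs = (s.strip() for s in act.split(":="))
                val = eval_rhs(rhs, env)
                new = BOTTOM if val == BOTTOM else meet(env.get(lhs, TOP), val)
                if new != env.get(lhs, TOP):
                    env[lhs] = new
                    changed = True
    return env


def slice_transitions(transitions, ignore):
    # First step of basicSlice only: drop transitions triggered by ignored events.
    return [t for t in transitions if t[0] not in ignore]


# Constructed toy model: (event, event parameters, actions).
MACHINE = [
    ("start", [], ["credit := 0", "sugar := 0", "cup := 0"]),
    ("coin", ["value"], ["credit := credit + value"]),
    ("large", [], ["cup := 2"]),
    ("small", [], ["cup := 1"]),
    ("sugar", [], ["sugar := sugar + 1"]),
    ("tea", [], ["credit := credit - 1", "sugar := 0"]),
]
VARS = ["credit", "sugar", "cup"]

if __name__ == "__main__":
    print("full model:", propagate(MACHINE, VARS))
    print("sugar ignored:", propagate(slice_transitions(MACHINE, {"sugar"}), VARS))
```

In the full model every variable ends at ⊥; with `sugar` in the ignore set the only remaining assignments to `sugar` are `sugar := 0`, so it propagates to the constant 0 while `credit` (fed by the event parameter `value`) and `cup` stay ⊥.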
After Applying basicSlice
After Applying Constant Propagation
R-merge Equivalent States Algorithm
• Extends an algorithm by Ilie and Yu for NFA minimisation.
• Algorithm:
– Repeatedly merges pairs of R-equivalent states until no further merging is possible.
• Definition (R-equivalent states):
– States s1 and s2 are R-equivalent if, for every transition t from s1, there is a corresponding transition (with the same label) from s2 leading to the same target as t, and vice versa.
After Applying Constant Propagation
After Applying R-merging of States s4 and s5
After Applying R-merging of States s1 and s3
G-merging Equivalent States Algorithm
• A more aggressive merge that only preserves the weak semantic requirement.
• Algorithm:
– It identifies groups of states (≥ 2) that can be merged into a single state.
– A group ss of states can be merged if:
• all transitions within the group have no actions, and
• the set of internal triggering events is disjoint from the set of exiting triggering events.
After Applying R-merging of States s1 and s3
After Applying G-merge, Combining s1,s3 and s4,s5
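The three structural algorithms, basicSlice (A1), R-merge (A3) and G-merge (A4), run in sequence on one toy model, as an added example that is not code from the slides or from the authors. The EFSM, its state and event names, and the treatment of guards and actions as opaque strings are assumptions made here. The G-merge check implements the two conditions listed on the slide plus the assumption that a group is connected by at least one internal transition; the group it merges in this toy model (`paid` and `info`) also has identical exiting transitions, so the merge enables no new behaviour.

```python
"""basicSlice (A1), R-merge (A3) and G-merge (A4) on a toy EFSM.
Added example: the model is constructed for this illustration and is not
the slides' vending machine or the authors' code."""
import itertools
from collections import namedtuple

# src -event [guard] / action-> dst; guard and action are opaque strings,
# "" meaning absent.
Transition = namedtuple("Transition", "src event guard action dst")


class EFSM:
    def __init__(self, states, transitions, initial):
        self.states = set(states)
        self.transitions = list(transitions)
        self.initial = initial

    def outgoing(self, s):
        # (label, target) pairs; R-equivalent states have equal sets of these.
        return {((t.event, t.guard, t.action), t.dst)
                for t in self.transitions if t.src == s}


def basic_slice(m, ignore):
    """A1: drop transitions triggered by events in the ignore set, then drop
    states and transitions no longer reachable from the initial state."""
    kept = [t for t in m.transitions if t.event not in ignore]
    reachable, frontier = {m.initial}, [m.initial]
    while frontier:
        s = frontier.pop()
        for t in kept:
            if t.src == s and t.dst not in reachable:
                reachable.add(t.dst)
                frontier.append(t.dst)
    return EFSM(reachable, [t for t in kept if t.src in reachable], m.initial)


def merge_states(m, keep, drop):
    """Redirect every transition touching `drop` onto `keep`; transitions
    that become identical are collapsed into one."""
    def ren(s):
        return keep if s == drop else s
    seen, ts = set(), []
    for t in m.transitions:
        t2 = t._replace(src=ren(t.src), dst=ren(t.dst))
        if t2 not in seen:
            seen.add(t2)
            ts.append(t2)
    return EFSM(m.states - {drop}, ts, ren(m.initial))


def r_merge(m):
    """A3: repeatedly merge a pair of R-equivalent states until none remain."""
    while True:
        pair = next((p for p in itertools.combinations(sorted(m.states), 2)
                     if m.outgoing(p[0]) == m.outgoing(p[1])), None)
        if pair is None:
            return m
        m = merge_states(m, *pair)


def g_mergeable(m, group):
    """A4 condition from the slide: internal transitions carry no action and
    no internal trigger event also triggers an exit from the group.  Requiring
    at least one internal transition is an assumption made here."""
    internal = [t for t in m.transitions if t.src in group and t.dst in group]
    exiting = [t for t in m.transitions if t.src in group and t.dst not in group]
    return (bool(internal)
            and all(t.action == "" for t in internal)
            and not ({t.event for t in internal} & {t.event for t in exiting}))


def g_merge(m):
    """A4: greedily merge pairs of states that satisfy g_mergeable."""
    while True:
        pair = next((p for p in itertools.combinations(sorted(m.states), 2)
                     if g_mergeable(m, set(p))), None)
        if pair is None:
            return m
        m = merge_states(m, *pair)


T = Transition
# Constructed toy: coin, optional price list ("info"), cup size, optional
# sugar, then vend.  "info" offers the same cup choices as "paid".
VENDING = EFSM(
    states={"idle", "paid", "info", "large", "small", "large_sugar", "small_sugar"},
    transitions=[
        T("idle", "coin", "", "credit := credit + 1", "paid"),
        T("paid", "info", "", "", "info"),
        T("info", "back", "", "", "paid"),
        T("paid", "large", "", "cup := L", "large"),
        T("paid", "small", "", "cup := S", "small"),
        T("info", "large", "", "cup := L", "large"),
        T("info", "small", "", "cup := S", "small"),
        T("large", "sugar", "", "sugar := 1", "large_sugar"),
        T("small", "sugar", "", "sugar := 1", "small_sugar"),
        T("large_sugar", "sugar", "", "sugar := 2", "large_sugar"),
        T("small_sugar", "sugar", "", "sugar := 2", "small_sugar"),
        T("large", "tea", "", "vend", "idle"),
        T("small", "tea", "", "vend", "idle"),
        T("large_sugar", "tea", "", "vend", "idle"),
        T("small_sugar", "tea", "", "vend", "idle"),
    ],
    initial="idle",
)

if __name__ == "__main__":
    m = VENDING
    for name, step in (("A1", lambda x: basic_slice(x, {"sugar"})),
                       ("A3", r_merge), ("A4", g_merge)):
        m = step(m)
        print(name, len(m.states), "states", len(m.transitions), "transitions")
```

With the sugar button disabled (I = {sugar}) the 7-state, 15-transition toy goes to 5 states and 9 transitions after A1, to 4 and 8 after A3 (`large` and `small` become R-equivalent once their sugar transitions are gone, since both only have `tea / vend` to `idle`), and to 3 and 6 after A4 (`paid` and `info` are joined by action-free `info`/`back` transitions whose events never leave the group).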
Empirical Results:
Experimental Models
Model            States  Transitions  Events
ATM                   9           23      12
Cashier              12           21      16
CruiseControl         5           17      10
FuelPump             13           25      16
PrintToken           11           89      11
VendingMachine        8           37      13
DoorController        6           12      11
INRES protocol        8           18       8
TCP                  12           57       6
TCSbin               24           65      39
Total               108          364     142
Empirical Results:
Average Slice Size when Ignoring n Events (as a percentage of the original model)

Algorithm  States                   Transitions
           n=1     n=2     n=4      n=1     n=2     n=4
A1         85.3%   78.8%   49.3%    77.5%   70.3%   33.5%
A2         80.5%   77.2%   47.1%    71.3%   67.1%   31.1%
A3         78.6%   74.6%   45.2%    69.2%   64.1%   30.3%
A4         71.2%   70.7%   41.1%    66.1%   63.2%   29.8%
Empirical Results: All slice sizes with I set to each of the 142 events for algorithms A1-A4
Empirical Results: All slice sizes with I set to each of 1323 pairs of events for algorithms A1-A4
Empirical Results: All slice sizes for algorithms A1-A4 using every possible ignore set that contains all but one (n-1) of the events.
Conclusions
• Defined four algorithms
• Proved the correctness of:
– A1, A2 and A3 with respect to a strong semantic requirement
– A4 with respect to a weak semantic requirement
• Trade-off between precision and performance:
– For ignore sets of size one, A1 and A2 execution time is extremely fast, while A3 and A4 are not (A3 is known to have PSPACE complexity).
– For larger ignore sets, the execution time drops.