Hierarchical State Machines - Incomplete Property Checking for Asynchronous Reactive Systems

The state machine of a UML RT capsule may have a hierarchical structure as illustrated in Figure 8.1. The figure shows a state machine modeling a simple

handheld device display. The device has two function units: a phone call man-ager and a music player. When the device is switched on, the display is in the standby mode (the statestandBy). Pressing any key on the device triggers the display to go to the active mode (taking the transition anyKey). The active mode is represented in the state machine as a composite state active which contains an inner state machine. It is the first time that the state active is entered, so the main menu is displayed. This is captured in the state machine by passing the control from the composite stateactive to its initial sub-state mainMenu. Now, the user can switch to the phone book display, or to the music player display, or back to the main menu by pressing proper keys. This corre-sponds to firing the transitions inside the stateactive. Moreover, if no key has been pressed for a certain period of time, the device switches to the standby mode as represented by the firing of the transitiontimeout. The device returns to the active mode as soon as any key is pressed (anyKey). In this case, the device should remember what was displayed at the last time when the active mode was exited. For instance, if the active mode was disabled while the user was listening to music, then the display shows the music player interface when the device is activated again. The knowledge of the most recently active display is maintained by the history node on the boundary of activewhich connects to the transitionanyKey.

Figure 8.1: A UML RT hierarchical state machine.

In summary, a state in a hierarchical state machine may be either non-composite or composite. A composite state contains inside an inner state ma-chine. A group transition is a transition leaving or entering a composite state such as the transitions anyKeyand timeoutin the above example. There are two cases when a group transition entering a composite statesis taken. Ifsis entered for the first time, then the control is passed to the initial state insides.

Otherwise, the control is re-directed to the most recently visited sub-state ins, i.e., the sub-state that was active whenswas exited at the last time.

CFSM systems have only flat state machines. In order to approximate hi-erarchical state machines using CFSM systems, we may take any of the follow-ing approaches: Either (1) flatten the hierarchical state machines in the UML model, or (2) modify the CFSM formalism to allow for hierarchies. The two approaches are discussed in the subsequent subsections in the context of the buffer boundedness and the livelock freedom tests, during which we will argue that the non-flattening approach is more efficient.

8.2.1 Flattening Hierarchical State Machines

A simple way to flatten UML hierarchical state machine is as follows. Re-call that, for any group transition t entering a composite state s, firingt may lead to entering one of the sub-states in s. Moreover, which sub-state is to be entered depends on the history and therefore unknown statically. As a safe over-approximation, we may assume that any sub-state ofs can be entered. Then, for each of the sub-statess^′ ofs, we add a transition from the source state oft tos^′and then deletetfrom the state machine. This procedure is repeated until there is no more group transition entering a composite state. Next, we deal with all group transitions leaving a composite state in a similar way. Given an outgoing transitiontfrom a composite states, for each sub-states^′ins, we add a transition froms^′ to the destination state oft. When there is no more group transition in the state machine, we can then remove all the composite states.

For the UML RT state machine in Figure 8.1, a flattening approach as described above will leave us with a flat state machine as in Figure 8.2. Note that each of the states mainMenu, phoneBook, and musicPlayerhas two respective transi-tions to (or from) the statestandBy. The size of the resulting flat state machine is not drastically increased. We even have fewer states in the flat state machine than in the hierarchical state machine. The number of transitions is increased in the flat state machine but bounded byt·n²wheretis the number of transitions in the hierarchical state machine andnis the number of non-composite states:

the worst case is when allnnon-composite states are within one composite state and all transitions are self-transitions of this composite state.

Figure 8.2: The flattened state machine of the state machine in Figure 8.1.

However, the above flattening approach results in a coarse flat state machine.

In the above example, the flat state machine allows the device to awake and switch back to the phone book display even if the music player interface was shown when the device left the active mode at the last time. Such spurious behavior is introduced as a consequence of disregarding history information in the flattening procedure. Certainly, the introduction of spurious behavior may make the future analysis to become less imprecise.

Based on the above discussion, we can overcome the imprecision problem by maintaining the history information in the flat state machine. Based on this idea, a finer approach can be as follows: We add a new type of variables whose domain is the set of all non-composite states in the hierarchical state machine. For each composite state s, we add a new variable hs of this type to the respective capsule class. Suchhsvariable stores the history information related to the states, and is initially set to the initial non-composite sub-state

inside s. Furthermore, for any transition t^′ leaving a state s^′ in the flat state machine, ift^′corresponds to a group transition leaving a composite states, then we include an extra action fort^′ to set the variablehstos^′. For any transition t^′ entering a state s^′ in the flat state machine, if t^′ corresponds to a group transition entering a composite states, then we include an extra condition for the firing oft^′ as h(s) =s^′.

The above finer approach does not lose the history information and therefore results in a flat state machine behaviorally equivalent to the original hierarchical state machine. However, as explained in Chapter 5 and Chapter 6, the variables in a model are completely abstracted away in the code abstraction procedure in both the buffer boundedness and livelock freedom tests. The resulting CFSM system is consequently not different than the CFSM system obtained using the coarser flattening approach. Certainly, we may always come back to the flat-tened original model to regain the information ofhsvariables in the refinement procedure. However, it causes extra overhead in the future analysis.

As we see from the above discussion, flattening approaches either result in imprecise abstractions, or cause extra overhead to fix the imprecision problem.

As an alternative approach, we may consider revising the definition of CFSM systems to allow for hierarchical structures. In this way, transforming a UML RT state machine into a CFSM state machine becomes straightforward. While taking this approach, the only remaining question is how to collect control flow cycles in a hierarchical CFSM state machine, which will be discussed in 13.2.1.

8.2.2 Hierarchical Communicating Finite State Machines

[15] has extended the notion of CFSM systems, calledCommunicating Hierar-chical State Machines, to have hierarHierar-chical structures. The extension does not only allow for hierarchies but also nested concurrency, i.e., a composite state may contain a set of concurrent regions and each region is a state machine. The state machines of all concurrent regions are executed in parallel once the con-taining composite state is entered. However, the concept of nested concurrency is not supported in the UML RT language. On the contrary, transitions across state boundaries and different hierarchical levels and the concept of histories in UML RT are not supported by Communicating Hierarchical State Machines.

Therefore, we devise our notion of Hierarchical Communicating Finite State Machinesto better support our analysis.

Definition 8.1(Hierarchical Communicating Finite State Machines). A system ofhierarchical communicating finite state machines(HCFSM) is a quadruple

(P, M, B,succ) where

• M,B, and succ are defined as the same as in Definition 3.1.

• P is a finite set of processes pi. Each pi is a triple (Si,subi, Ii, sⁱ₀) such that

– Si is a finite set ofstatesofpi.

– subi is a function Si → P(Si). Ifs^′∈subi(s), thens^′ is achild of s and sis theparent ofs^′. A states^′ is anoffspringofs if (1)s^′ is a child ofs, or (2) there is an offspring s^′′ of ssuch thats^′ is a child of s^′′. Ifs^′ is an offspring ofs, thensis anancestor ofs^′. We have the following restrictions on subi: (1) no two states share a same child; (2) no state is an offspring of itself; and (3) all states have a unique common ancestorst such that stis not a child of any other states. Furthermore, we call a statesacompositestate ifsubi(s)6=∅.

Otherwise,sis a non-composite state.

– Ii⊆Si is a set of non-composite states as initial states. We put the restrictions on Ii that for every composite state s there exists one and only one child s^′ ofssuch thats^′∈Ii.

– sⁱ₀∈Ii is the initial state ofst.

– Finally, we put the restriction that Si∩Sj =∅, i.e., Si and Sj are disjoint.

The semantics of HCFSM systems is defined by making several modifications to the semantics of CFSM systems with respect to the newly introduced subi

functions. First, aconfiguration of a HCFSM system (P, M, B,succ) is a tuple hs¹, . . . , s^|P^|, q¹, . . . , q^|B|iwhere each sⁱ is a non-composite state of the process pi∈P and eachqⁱ is a queue of messages exchangeable in the bufferbi ∈B. A configurationc =hs¹, . . . , s^|P|, q¹, . . . , q^|B|iis an initial configuration if (1) for eachsi we have that si =sⁱ₀, and (2) eachqi is an empty queue. Let the set f(s) ={s} ∪ {s^′|s^′ is an ancestor ofs}contains the non-composite statesand all its ancestors. An execution of the system is defined recursively as follows:

(1)hc0iis an execution of the system ifc0 is an initial configuration; (2) Ifr is an execution, thenr.hc2iis an execution if and only if the following are satisfied, assuming that the last configuration inr isc1 =hs¹₁, . . . , s^|P|₁ , q₁¹, . . . , q₁^|B|iand c=hs¹₂, . . . , s^|P|₂ , q¹₂, . . . , q^|B|₂ i:

• For some i, there exist two states s ∈ f(sⁱ₁) and s^′ ∈ f(sⁱ₂) such that (s, l, s^′)∈succ for some labell. Moreover, ifs^′ is a composite state, then sⁱ₂∈Ii when there is no offspring ofs^′ in r. This corresponds to the case whens^′ is entered for the first time. Otherwise,sⁱ₂is the same as the last non-composite offspring ofs^′ that occurs inr.

• For any otheri6=j, we have thats^j₁=s^j₂.

• Message queues are updated as in the semantics of CFSM systems.

In our implementation of the buffer boundedness and livelock freedom tests, we take the approach of using HCFSM systems. It is efficient because the hierarchical structures of the original UML RT model can be directly mapped to the hierarchical structures of the abstract HCFSM system. We also give an efficient cycle detection algorithm for HCFSM systems, which is presented in Section 13.2.1.

Im Dokument Incomplete Property Checking for Asynchronous Reactive Systems (Seite 112-117)