Modeling Notations
CS 4271 lecture 2

Abhik Roychoudhury
National University of Singapore
http://www.comp.nus.edu.sg/~abhik/

Different kinds of ES Validation

Hardware
Informal
Requirements
System Model
Partition
Communication
Validation
Software
Functionality
Performance
Validation
Model Validation

What is a system design model?
- We first clarify the following terms
  - System Architecture: Inter-connection among the system components.
  - System behavior: How the components change state, by communicating among themselves.
- System Design Model = Architecture + Behavior
  - More precise definition later:

Criteria for a Design Model
- Provides **structure** as well as **behavior** for the system components.
- **Complete**
  - Complete description of system behavior.
- Based on **well-established** modeling notations.
  - We use UML.
  - Preferably **executable**
  - Can simulate the model, and get a feel for how the constructed system will behave!

Running Example - ATC

Overall System Structure, Behavior not shown.
On system behavior

- Consider a "scenario"
  - Client1 sends "connect" request to ATC
  - Client2 sends "connect" request to ATC
  - ATC sends weather information to Client1, Client2.
- No need to capture "weather info." in model.
- OK to abstract this info. from the requirements while constructing the model, provided
  - No decisions are made in the system based on weather info.
- Model is "complete" at a certain level of abstraction.

ATC – the example control sys.

- NASA CTAS
  - Automation tools for managing large volume arrival air traffic in large airports.
  - Final Approach Spacing Tool
    - Determine speed and trajectory of incoming aircrafts on their final approach.
    - Master controller updates weather info to "clients"
      - controllers using inputs to compute aircraft trajectories.

Behavior of ATC example

- Two standard behaviors
  - Client initialization
  - Weather update
- Abstracted Information
  - Weather information types
  - Clients types
    - Internal computation on weather information
- For simplified requirements: textbook Chap 2.3
What do the requirements look like?

A weather update controller consists of a weather control panel (WCP), a number of weather-aware clients, and a communication manager (ATC) which controls the interactions between the WCP and all connected clients. Initially, the WCP is enabled for manually weather updating, the ATC is at its idle status, and all the clients are disconnected. Two standard behaviors of this system are as follows.

Sample Initialization Requirements

- A disconnected weather-aware client can establish a connection by sending a connecting request to the CM.
- If the ATC's status is idle when the connecting request is received, it will set both its own status and the connecting client's status to preinitializing, and disable the weather control panel so that no manual updates can be made by the user during the process of client initialization.
- Otherwise (ATC's status is not idle), the ATC will send a message to the client to refuse the connection, and the client remains disconnected.

Organization

- So Far
  - What is a Model!
  - ATC – Running Example
    - Informal Req at a lab scale.
    - Has subtle deadlock error (see textbook chap 2.3)
  - Now, how to model/validate such requirements
    - Modeling Notations
      - Finite State Machines

Issues in system modeling ...

- ... using FSMs
  - Unit step: How much computation does a single transition denote?
  - Hierarchy: How to visualize a FSM model at different levels of details?
  - Concurrency: How to compose the behaviors of concurrently running subsystems (of a large sys.)
    - Each subsystem is modeled as an FSM!

Finite State Machines

- \( M = (S, I, \rightarrow) \)
  - \( S \) is a finite set of states
  - \( I \subseteq S \) is the set of initial states
  - \( \rightarrow \subseteq S \times S \) is the transition relation.

What’s in a step?

- For hardware systems
  - A single clock cycle
- For software systems
  - Atomic execution of a “minimal” block of code
    - A statement or an instruction?
    - Depends on the level at which the software system is being modeled as an FSM!
Example
1. \( v = 0; \)
2. \( v++; \)
3. \( \ldots \)
- What are the states?
  - (value of \( pc \), value of \( v \))
- How many initial states are there?
  - No info, depends on the type of \( v \)
- Draw the states and transitions corresponding to this program.

Hierarchy
- Choice of steps at different levels of details also promotes hierarchical modeling.

Basic Concurrent Composition
- \( M_1 = (S_1, I_1, \rightarrow_1) \)
- \( M_2 = (S_2, I_2, \rightarrow_2) \)
- Define
  - \( M_1 \times M_2 = (S_1 \times S_2, I_1 \times I_2, \rightarrow) \)
  - Where \((s_1, s_2) \rightarrow (t_1, t_2)\) provided
    - \( s_1 \in S_1, t_1 \in S_1, \)
    - \( s_2 \in S_2, t_2 \in S_2, \)
    - \( (s_1 \rightarrow_1 t_1) \text{ OR } (s_2 \rightarrow_2 t_2) \)
- Defines control flow of the composed FSM as an arbitrary interleaving of flows from components.
- Interleaving of independent flows, what about comm?

Communicating FSM
- Basic FSM
  - \( M = (S, I, \rightarrow) \)
    - \( S \) is a finite set of states
    - \( I \subseteq S \) is the set of initial states
    - \( \rightarrow \subseteq S \times S \) is the transition relation.

- Communicating FSM
  - \( M = (S, I, \Sigma, \rightarrow) \)
    - \( S \) is a finite set of states
    - \( I \subseteq S \) is the set of initial states
    - \( \Sigma \) is the set of action names that it takes part in
    - \( \rightarrow \subseteq S \times \Sigma \times S \) is the transition relation.
    - Communication across FSMs via action names.

Composition of comm. FSMs
- \( M_1 = (S_1, I_1, \Sigma_1, \rightarrow_1) \)
- \( M_2 = (S_2, I_2, \Sigma_2, \rightarrow_2) \)
- Define
  - \( M_1 \times M_2 = (S_1 \times S_2, I_1 \times I_2, \Sigma_1 \cup \Sigma_2, \rightarrow) \)
  - \( \Sigma_1 \) is the set of action names that \( M_1 \) can perform
  - \( \Sigma_2 \) is the set of action names that \( M_2 \) can perform
  - \( \rightarrow \) is the transition relation
  - Communication across \( M_1 \) and \( M_2 \) via action names.
Example - basic composition

Example - composition of comm. FSMs

Example - data communication

Example: Concurrent Program

Example Concurrent Program: States

Wrap-up of FSMs
MSC based Models

- MSC = Message Sequence Chart
- Labeled partial order of events
  - Highlights inter-process communications
  - While, FSMs highlight intra-process control flow.

MSC partial order

- **How is the partial order constructed**
  - Time flows from top to bottom along each vertical line.
  - Each message receive must occur after the corresponding send.
  - Apply these rules over and over again to find out which event takes place before which other event.

Conventional use of MSCs

- **Describe sample scenarios of system interaction**
  - Appears in requirement documents
  - Do not describe “complete” system behavior

Interface Resource User

User Interface Resource

User Interface Resource

User Interface Resource

User Interface Resource

MSC concatenation

- **Synchronous:** All events in M2 ≤ All events in M3
- **Asynchronous:** All events in process p of M2 ≤ All events in process p of M3

Interface and Resource processes can finish M3 while User process is still in M2 – provided asynchronous concatenation is considered.
**MSC-based design model?**

- **Complete**
  - Complete description of system behavior.
  - MSG achieves this criterion.
- **Based on well-established modeling notations.**
  - We use UML Sequence Diagrams, which is OK.
- **Preferably executable**
  - Can simulate the model and get a feel for how the constructed system will behave.
  - Global simulation of MSG is possible.
  - But not per-process execution!!

---

**Why not executable?**

At the end of M1, all the processes agree together to execute either M2 or M3.
One process may go ahead of the others (under asynchronous concatenation).
However, the decision of which MSC to execute next must be consistent.
Difficult to generate per-process code to capture this joint decision.

---

**Example MSG**

Generates behavior of the form

\[(\text{Ch1} \circ (\text{Ch2} + \text{Ch3}))^*\]

---

**Per-process FSMs**

---

**Implied Scenario**

Supposed to generate behavior of the form

\[(\text{Ch1} \circ (\text{Ch2} + \text{Ch3}))^*\]

---

**Putting the notations together**

- So, far we have studied 2 notational styles
  - Intra-process style FSM modeling notations
  - Inter-process style MSC-based modeling notation.
- In actual system modeling from English requirements
  - How do they fit together?
  - What roles do they play?
  - Are they both used in parallel?
### Informal System Requirements (in English)
- Sample Scenarios (as MSCs)
- MSC-based System Model (say HMSC)

#### Relatively easy
- Generating test cases in the absence of a MSC-based system model

#### Hard manual step
- Need to automate due to implied scenarios

### System Implementation
- Generating test spec. in the absence of a MSC-based system model
- Generating test suite

### Local FSMs for the processes in the system
- Refer back to test results

### System Implementation
- Automatically generate tests
- Automatically generate test suite

### Organization
- **So Far**
  - What is a Model?
  - ATC – Running Example
    - Informal Req. at a lab scale.
    - Has subtle deadlock error (see textbook chap 2.3)
  - How to model such requirements
    - Modeling Notations
      - Finite State Machines
      - MSC based models
    - Now, how to validate the models
      - Simulations

### FSM Simulations
- **Monolithic FSM simulation**
  - A random walk through the FSM’s graph.
- **Simulating a composition of FSMs**
  - Need to consider the definition of concurrent composition.
  - Keep track of local states of the individual processes.
- **Simulating more complex notations**
  - UML State Diagrams
  - MSC-based models

### The big picture - recapitulate
- System Requirements (Dream)
- System Model (Rough Idea)
- Simulate
- Properties to Satisfy (caution)
- Checking Method (Automated)
- Counter-examples
- Refine the model

### Example – State Diagrams
- Processor P
- Bus Controller BC

#### Processor and Bus Controller – what does the example do?
- write / P->deny()
- accept() / BC->req()
- deny()/ BC->req()
- req() / P-> accept()addr_data()

#### Sample scenarios of the State Diagram shown in the previous slide.
- Super-step:
  - On encountering a write, the sequence of method calls executed is write, req, deny, req*, accept, addr_data

#### This is what the example does
- write, P
- req
- BC
- REQ
- deny
- accept
- addr_data

---

*Copyright 2012 by Abhik Roychoudhury*
Simulation – State Diagrams

Model simulation

- So far
  - FSMs and State Diagrams – Intra component style modeling
  - MSCs and MSGs – Inter component style modeling
  - Simulation of FSMs and State Diagrams

- How to simulate MSCs?
  - Generate a trace of events which satisfies the partial order denoted by a given MSC.
  - Always maintain a “cut” to denote the progress in each process – while simulating a given MSC.
  - The whole question now is how to advance a cut.
  - Let us look at this matter visually!

Recap on MSC semantics

- For a sequence of MSCs --- M1, M2
  - Synchronous concatenation: All events in M1 ≤ All events in M2
  - Asynchronous concatenation: All events in process p of M1 ≤ All events in process p of M2
  - For any msg. m sent from process p to process q
    - Synchronous message passing: Send and receive happens in the form of a hand-shake.
    - Asynchronous message passing: Sender sends message which is stored in a queue, picked up by receiver later.

- Simulating a sequence of MSCs will need to follow the concatenation & message passing semantics.

Simulating a sequence of MSCs

Simulating MSCs

Copyright 2012 by Abhik Roychoudhury
Simulation requires unbounded memory?

In the next lecture

- So Far
  - What is a Model?
  - ATC – Running Example
  - How to model such requirements

- How to validate the models
  - So far: Simulations
  - In the next lecture
    - Model-based testing