automating verification of state machines with reactive designs and isabelle… · 2018. 10....

Automating Verification of State Machines withReactive Designs and Isabelle/UTP

Simon Foster, James Baxter, Ana Cavalcanti,Alvaro Miyazawa, Jim Woodcock

Wednesday 10th October, 2018

Simon Foster et al. Verifying State Machines with Isabelle/UTP Wednesday 10th October, 2018 1 / 24

Outline

1 Background

2 Verifying Reactive Programs

3 RoboChart to Reactive Programs

4 Conclusion and Future Work


Outline

1 Background





Autonomous Robots

autonomous robots are safety critical systems

hence, we want to be able to make guarantees about their behaviour

challenge: how do we assure safety of autonomous robots?

we believe formal methods can meet part of this challenge


Formal Verification of Robotic Controllers

RoboCalc (EP/M025756/1)http://www.cs.york.ac.uk/circus/RoboCalc

5-year EPSRC project at University of York

formal modelling and verification for mobile and autonomous robots

RoboChart: graphical notation for controller design

formal semantics based in CSP process calculus

RoboTool: Eclipse-based development environment for RoboChart

support for model checking with FDR4

model-based testing and code generation under development


RoboChart State Machines

statechart-like notation for robotic controllersreactive: state machines communicate via (a)synchronous channelsformally defined action language for states and transitionscurrent model checking techniques limited to finite statesthis paper develops theorem proving facilities using Isabelle/UTP


Isabelle/UTP

a toolkit for building practical verification tools in Isabelle/HOLbased on Hoare and He’s Unifying Theories of Programming (UTP)formal semantics through fundamental computational theories

I functional, concurrent, object oriented, mobile, real-time, hybrid ...

computational theories⇒ semantic models⇒ verification calculimaximises use of Isabelle/HOL proof automation via VCGhighly extensible to tackle a variety of languages and paradigms


Verification Approach for RoboChart

State Machine Diagram

RoboChart Meta-Model

RoboTool (Eclipse)

Isabelle/HOL

RoboChart DSL

State Machine Graph

Reactive ProgramRefinementChecking

(RAMICS 2018)


Outline

1 Background





Reactive Programs

sequential programs calculate a final state from an initial state

reactive programs pause for interaction with the environment

the environment can direct the choices an agent makes

mechanised reactive language with state updates and communication


Reactive Programming Operators

x := v – assignment

P ; Q – sequential composition

c?x – await input on channel c; place value in x

c!v – output v on channel c

b & P – deadlocks when ¬ b, otherwise behaves as P

P 2 Q – external choice; resolves when P or Q performs an event

b~P – iteration of P with condition b

[b] – assumption; miraculous when ¬b

Example (Reactive Buffer)

buf := 〈〉 ; true ~

(inp?x ; buf := buf a 〈x 〉 2

#buf > 0 & out !hd(buf ) ; buf := tl(buf )

)


Basic Verification Technique

reactive programs are denoted as reactive predicates

characterise the possible traces, refusals, and state updates

verification of properties expressed using refinement:

[S1 |- S2 | S3 ] v P

reactive contract S specifies implementation P

automated verification in Isabelle/UTP follows three steps:1 calculate reactive contract for program: P =⇒ [P1 |-P2 |P3]2 show S v P by (S1 ⇒ P1), (S1 ∧ P2)⇒ S2, and (S1 ∧ P3)⇒ S33 discharge three proof obligations with rel-auto and sledgehammer

allows model checking of programs with infinite state


Specialised Technique for State Machines

extend reactive program signature with guarded iteration (Dijkstra)

do b1 _ P1 | · · · | bn _ Pn od

if bi is true, then Pi is activated; iterate following execution

if no bi is true, then terminate

refinement law to eliminate iteration with initialiser I for invariant S

Theorem (Iteration Induction)

∀ i ∈ A • P(i) is Productive S v I ; [∧

i∈A (¬b(i))]

∀ i ∈ A • S v I ; [b(i)] ; P(i) ∀ i ∈ A • S v S ; [b(i)] ; P(i)

S v I ; do i ∈ A • b(i) _ P(i)od

productive: P(i) must perform an event before terminating


Outline

1 Background





Static Semantics

simplified RoboChart meta-model implemented in Isabelle/HOL

represents state machine graph consisting of states and transitions

well-formedness conditions formalised and automatically checked

record type generated for state space; algebraic data type for events


Dynamic Semantics (1)

semantic function generates reactive program from state graph

algebraic laws of reactive programs used to simplify definitions

state machines specified using guarded iteration:

do actv = s1 → (t1 2 · · · 2 tk ) | · · · | actv = sn → · · ·od

auxiliary variable actv stores the presently active state

name-space r for user state variables

each state contains an external choice over outgoing transitions

each transition can have a guard, event, and action associated

termination when a final state is reached



Example (GasAnalysis Dynamic Semantics)

actv := InitState ;doactv = InitState → ε ; r:gs := 〈〉 ; r:anl := 0 ; actv := NoGas

| actv = NoGas → gas?r:gs ; actv := Analysis

| actv = Analysis →

r:sts := analysis(r:gs) ;(

r:sts = noGas & ε ; resume ; actv := NoGas2 r:sts = gasD & ε ; actv := GasDetected

)| actv = GasDetected → r:ins := intensity(r:gs) ; goreq(ins, thr) & ε ; stop ; actv := FinalState

2 (¬goreq(ins, thr)) & ε ; r:anl := location(r:gs) ;turn!(r:anl) ; actv := Reading

| actv = Reading → gas?r:gs ; actv := Analysis

od


Automated Verification

proof tactic to apply refinement introduction and generate VCs

need to show that every transition preserves the property of interest

dlockf is a specification of deadlock-freedom

in this case, all proof obligations can be automatically discharged


Outline

1 Background





Conclusions

we demonstrated a prototype verification tool for RoboChart

employs a denotational semantics based in the UTP

fully automated in Isabelle/UTP utilising sledgehammer

allows checking properties with a large or infinite state-space

illustrates the use of UTP in building practical verification tools


Future Work

handle further features of RoboChart (e.g. hierarchy)

efficient proof support for parallel composition and hiding

more substantial examples; comparison with model checking

integration of real-time, probabilistic, and hybrid features

CyPhyAssure: computer-assisted assurance for autonomous robots


Multi-ModelSemantics

?

Multi-ModelSemantics

?


Resources and Publications

Isabelle/UTP: https://www.cs.york.ac.uk/circus/isabelle-utp/

CyPhyAssure: https://www.cs.york.ac.uk/circus/CyPhyAssure/

RoboCalc: https://www.cs.york.ac.uk/circus/RoboCalc/

S. Foster, K. Ye, A. Cavalcanti, J. Woodcock. Calculational Verification ofReactive Programs with Reactive Relations and Kleene Algebra. RAMICS2018.

S. Foster, A. Cavalcanti, J. Woodcock, F. Zeyda. Unifying Theories of Timewith Generalised Reactive Processes. Information Processing Letters,Volume 135. 2018.

S. Foster, A. Cavalcanti, S. Canham, J. Woodcock, F. Zeyda. UnifyingTheories of Reactive Design Contracts. Submitted to Theoretical ComputerScience Journal, December 2017. Preprint: https://arxiv.org/abs/1712.10233

S. Foster, F. Zeyda, J. Woodcock. Unifying Heterogeneous State-Spaceswith Lenses. Proc. 13th Intl. Colloq. on Theoretical Aspects of Computing(ICTAC 2016).


automating verification of state machines with reactive designs and isabelle… · 2018. 10....

Documents