# Compositional Design and Verification of Real-time Systems II

Post on 02-Jul-2019


Compositional Design and Verification of Real-time Systems II
Andrzej Wasowski, IT University of Copenhagen

Bourke, A. David, Larsen, Legay, Møller, Nyman, Ravn, Skou, L.-M. Traonouez

Specification Theories

Specifications    ~ Boolean formulæ
Implementations   ~ satisfying assignments

Verifications

- Consistency: $[\![ S ]\!]_{mod} \neq \emptyset$? (does S admit any implementation at all?)
- Common Implementation and Compatibility: $[\![ S_1 ]\!]_{mod} \cap [\![ S_2 ]\!]_{mod} \neq \emptyset$? or, equivalently, is $S_1 \wedge S_2$ consistent?
- Refinement: $S_1 \le S_2$? or $[\![ S_1 ]\!]_{mod} \subseteq [\![ S_2 ]\!]_{mod}$?

Transformations

Conjunction
(figure: conjunction of two specifications)

Parallel Composition $S \parallel T$
(figure: S and T composed into S | T)

Quotient: $X = S \mathbin{\backslash\!\backslash} T$ is an adjoint of parallel composition
(figure: S, T and the quotient S \\ T)

Main Laws (expected from a specification theory)

Law. Logical Conjunction
$[\![ S_1 \wedge S_2 ]\!]_{mod} = [\![ S_1 ]\!]_{mod} \cap [\![ S_2 ]\!]_{mod}$

Law. Compositional Design with Structural Composition
If $I\ \mathrm{sat}\ S$ and $J\ \mathrm{sat}\ T$ then $I \parallel J\ \mathrm{sat}\ S \parallel T$

Law. Quotient
If $S \parallel X \le T$ then $X \le T \mathbin{\backslash\!\backslash} S$

Law. Completeness of Refinement
If $[\![ S ]\!]_{mod} \neq \emptyset$ then $[\![ S ]\!]_{mod} \subseteq [\![ T ]\!]_{mod}$ iff $S \le T$
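The structural composition that the compositional-design law relies on, as an added Python example (not code from the slides or their authors). It assumes a finite, discrete-time abstraction: the dense delays $d \in \mathbb{R}_{\ge 0}$ become a unit tick `"d"`, a system is a plain dict of states, initial state, input/output alphabets and `(source, label, target)` transitions, and the client and server below are constructed for the example. The composition follows the slides' rules: an output of one side that is an input of the other synchronises and becomes an output of the product, shared inputs stay inputs, unshared actions interleave, and time only passes when both sides let it.

```python
"""Parallel composition S || T of finite I/O transition systems (added example).

Abstraction: dense delay is a unit tick "d"; a system is a dict
{"states", "init", "inputs", "outputs", "trans"} with (source, label, target) triples.
"""
from collections import deque

TICK = "d"  # unit delay; both components must let time pass together


def make(init, inputs, outputs, trans):
    """Build a system; the state set is whatever the transitions mention."""
    states = {init} | {s for s, _, _ in trans} | {t for _, _, t in trans}
    return {"states": states, "init": init, "inputs": set(inputs),
            "outputs": set(outputs), "trans": set(trans)}


def succ(m, s, a):
    """Successor states of s under label a."""
    return {t for x, l, t in m["trans"] if x == s and l == a}


def compose(S, T):
    """S || T. Signature: outputs are the union of both output sets; an action that
    is an output of one side and an input of the other becomes an output of the
    product. Transitions: shared actions and the tick synchronise, everything
    else interleaves. Only states reachable from the initial pair are kept."""
    assert not (S["outputs"] & T["outputs"]), "components must not share outputs"
    outputs = S["outputs"] | T["outputs"]
    inputs = (S["inputs"] | T["inputs"]) - outputs
    acts_S = S["inputs"] | S["outputs"]
    acts_T = T["inputs"] | T["outputs"]
    shared = (acts_S & acts_T) | {TICK}
    trans, seen = set(), set()
    todo = deque([(S["init"], T["init"])])
    while todo:
        s, t = todo.popleft()
        if (s, t) in seen:
            continue
        seen.add((s, t))
        moves = []
        for a in acts_S | acts_T | {TICK}:
            if a in shared:
                moves += [(a, s2, t2) for s2 in succ(S, s, a) for t2 in succ(T, t, a)]
            elif a in acts_S:
                moves += [(a, s2, t) for s2 in succ(S, s, a)]
            else:
                moves += [(a, s, t2) for t2 in succ(T, t, a)]
        for a, s2, t2 in moves:
            trans.add(((s, t), a, (s2, t2)))
            todo.append((s2, t2))
    return make((S["init"], T["init"]), inputs, outputs, trans)


# Constructed specifications: a client that issues req and waits for resp,
# and a server that answers req with resp. Both are input-enabled.
CLIENT = make("c0", {"resp"}, {"req"}, {
    ("c0", "req", "c1"), ("c1", "resp", "c0"), ("c0", "resp", "c0"),
    ("c0", TICK, "c0"), ("c1", TICK, "c1")})
SERVER = make("v0", {"req"}, {"resp"}, {
    ("v0", "req", "v1"), ("v1", "resp", "v0"), ("v1", "req", "v1"),
    ("v0", TICK, "v0"), ("v1", TICK, "v1")})


def client_server():
    """The closed system CLIENT || SERVER: no inputs remain, req and resp are
    outputs, and the reachable state space is just the two synchronised pairs."""
    return compose(CLIENT, SERVER)


if __name__ == "__main__":
    cs = client_server()
    print(sorted(cs["states"]), cs["inputs"], cs["outputs"])
    for tr in sorted(cs["trans"]):
        print(tr)
```

The reachability pruning matters in practice: the full product of the two components has four state pairs, but only `(c0, v0)` and `(c1, v1)` can ever be reached, which is exactly the state space a later refinement or consistency check has to examine.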

AGENDA

- Part I: Timed Systems
  - The Model of Timed Automata and Its Properties
  - The Model of Timed Games
  - What does all this have to do with compositional design?
- Part II: Compositional Design & Verification
  - Overview of Specification Theories
  - Implementations, Specifications
  - Refinement, verification
  - Transformations: Operators
  - Case study: Leader Election Protocol
- Part III: Losing Ideals. Going Robust

Syntax, Semantics of specifications and implementations

Syntax (finite): timed I/O automata, a specification A and an implementation X.
Semantics (infinite): timed I/O transition systems, $S = [\![ A ]\!]_{sem}$ and $P = [\![ X ]\!]_{sem}$ (the models).
Satisfaction $\models$ relates implementations to specifications, at the syntactic level (X against A) and at the semantic level (P against S).
(figure: A and X mapped by $[\![ \cdot ]\!]_{sem}$ to S and P, with $\models$ drawn at both levels)

Semantics of Specification
Specifications are input-enabled, deterministic timed games.

Def. Timed I/O Transition System
- $S = (St^S, s_0, \Sigma^S, \rightarrow^S)$
- $St^S$ a set of states, $s_0 \in St^S$ the initial state
- $\Sigma^S = \Sigma^S_i \uplus \Sigma^S_o$ (inputs and outputs)
- $\rightarrow^S \subseteq St^S \times (\Sigma^S \cup \mathbb{R}_{\ge 0}) \times St^S$
- time determinism: $s \xrightarrow{d}_S s'$ and $s \xrightarrow{d}_S s''$ implies $s' = s''$
- time reflexivity: $s \xrightarrow{0}_S s$ for all $s \in St^S$
- time additivity: for all $s, s'' \in St^S$ and all $d_1, d_2 \in \mathbb{R}_{\ge 0}$ we have $s \xrightarrow{d_1 + d_2}_S s''$ iff $s \xrightarrow{d_1}_S s'$ and $s' \xrightarrow{d_2}_S s''$ for some $s' \in St^S$
- Deterministic, input-enabled: $s \xrightarrow{a}_S s'$ and $s \xrightarrow{a}_S s''$ implies $s' = s''$; for each $i \in \Sigma^S_i$ there exists a state $s'$ such that $s \xrightarrow{i?}_S s'$

Implementations
Implementations are completely specified specifications.

Def. Implementation
- A specification $P = (St^P, p_0, \Sigma^P, \rightarrow^P)$ with:
- Output urgency: for $p, p' \in St^P$, if $p \xrightarrow{o!}_P p'$ and $p \xrightarrow{d}_P p''$ then $d = 0$
- Independent progress: either ($\forall d \ge 0.\ p \xrightarrow{d}_P$) or $\exists d \in \mathbb{R}_{\ge 0}.\ \exists o! \in \Sigma^P_o.\ p \xrightarrow{d}_P p'$ and $p' \xrightarrow{o!}_P$
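The side conditions of the two definitions above, checked mechanically, as an added Python example (not code from the slides or their authors). It assumes the same finite, discrete-time abstraction as before: dense delay becomes a unit tick `"d"`, so time determinism reads "at most one tick successor" and "can delay for every d" reads "the tick chain never gets stuck"; the four systems are constructed for the example. `is_tiots` checks determinism and input-enabledness, `is_implementation` adds output urgency and independent progress.

```python
"""Side conditions on finite, discrete-time I/O transition systems (added example).

A system is a dict {"states", "init", "inputs", "outputs", "trans"} with
(source, label, target) triples; dense delay is abstracted to the unit tick "d".
"""
TICK = "d"


def make(init, inputs, outputs, trans):
    states = {init} | {s for s, _, _ in trans} | {t for _, _, t in trans}
    return {"states": states, "init": init, "inputs": set(inputs),
            "outputs": set(outputs), "trans": set(trans)}


def succ(m, s, a):
    return {t for x, l, t in m["trans"] if x == s and l == a}


def is_tiots(m):
    """Deterministic (at most one successor per action and per tick) and
    input-enabled (every input is accepted in every state)."""
    labels = m["inputs"] | m["outputs"] | {TICK}
    for s in m["states"]:
        if any(len(succ(m, s, a)) > 1 for a in labels):
            return False
        if any(not succ(m, s, i) for i in m["inputs"]):
            return False
    return True


def is_implementation(m):
    """A TIOTS that is output-urgent and makes independent progress."""
    if not is_tiots(m):
        return False
    for s in m["states"]:
        offers_output = any(succ(m, s, o) for o in m["outputs"])
        # output urgency: an enabled output must fire now, so no delay from s
        if offers_output and succ(m, s, TICK):
            return False
        # independent progress: follow the (deterministic) delay chain from s;
        # it must either loop (time passes forever) or reach a state with an output
        seen, cur = {s}, s
        while not any(succ(m, cur, o) for o in m["outputs"]):
            nxt = succ(m, cur, TICK)
            if not nxt:
                return False  # time-lock: neither delay nor output possible
            cur = next(iter(nxt))
            if cur in seen:
                break
            seen.add(cur)
    return True


# Constructed systems over inputs {req} and outputs {resp}.
# SPEC may delay arbitrarily before answering; IMPL answers one tick after the request.
SPEC = make("s0", {"req"}, {"resp"}, {
    ("s0", "req", "s1"), ("s1", "resp", "s0"), ("s1", "req", "s1"),
    ("s0", TICK, "s0"), ("s1", TICK, "s1")})
IMPL = make("s0", {"req"}, {"resp"}, {
    ("s0", "req", "s1"), ("s1", TICK, "s2"), ("s2", "resp", "s0"),
    ("s1", "req", "s1"), ("s2", "req", "s2"), ("s0", TICK, "s0")})
# TIMELOCK accepts req but afterwards can neither delay nor output.
TIMELOCK = make("s0", {"req"}, {"resp"}, {
    ("s0", "req", "s1"), ("s1", "req", "s1"), ("s0", TICK, "s0")})
# NONDET resolves req in two different ways, so it is not a TIOTS at all.
NONDET = make("s0", {"req"}, {"resp"}, {
    ("s0", "req", "s1"), ("s0", "req", "s0"), ("s0", TICK, "s0"),
    ("s1", "req", "s1"), ("s1", "resp", "s0")})


def classify(m):
    """'implementation', 'specification' (a TIOTS that is not fully specified), or 'not a TIOTS'."""
    if is_implementation(m):
        return "implementation"
    return "specification" if is_tiots(m) else "not a TIOTS"


if __name__ == "__main__":
    for name, m in [("SPEC", SPEC), ("IMPL", IMPL), ("TIMELOCK", TIMELOCK), ("NONDET", NONDET)]:
        print(name, classify(m))
```

SPEC fails output urgency in `s1` (it may still delay while `resp` is enabled), which is exactly what makes it a specification rather than an implementation; TIMELOCK is a well-formed specification that no implementation can refine once `req` has been accepted, since `s1` offers neither delay nor output.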


Refinement (between Specifications)
Satisfaction (between Specification and Implementations)

Def. Refinement between $S = (St^S, s_0, \Sigma, \rightarrow^S)$ and $T = (St^T, t_0, \Sigma, \rightarrow^T)$:
$S \le T$ iff there exists $R \subseteq St^S \times St^T$ containing $(s_0, t_0)$, and $(s, t) \in R$ implies:
- whenever $t \xrightarrow{i?}_T t'$ then $s \xrightarrow{i?}_S s'$ and $(s', t') \in R$
- whenever $s \xrightarrow{o!}_S s'$ then $t \xrightarrow{o!}_T t'$ and $(s', t') \in R$
- whenever $s \xrightarrow{d}_S s'$ then $t \xrightarrow{d}_T t'$ and $(s', t') \in R$

Intuition: a strategy of output for S can be played in the context of T; a strategy of input for T can be played against S.

Def. Satisfaction. Let I be an implementation and S a specification.
- $I\ \mathrm{sat}\ S$ iff $I \le S$
- $[\![ S ]\!]_{mod} = \{ I \mid I\ \mathrm{sat}\ S \}$

Thm. Completeness of Refinement
$[\![ S ]\!]_{mod} \subseteq [\![ T ]\!]_{mod}$ iff $S \le T$

Refinement & Satisfaction
Question: are these refinements? Which is an implementation?
(figure: examples of refinements, implementations and consistency)

Extreme Specifications: Inconsistent & Universal

Refinement (example)
(figure: A (S) and B (T) alongside the extreme specifications INC and UNI)

Thm.
1. There is no implementation satisfying INC: $\forall I.\ \neg(I\ \mathrm{sat}\ \mathrm{INC})$
2. Any (signature compatible) system implements UNI: $\forall I.\ I\ \mathrm{sat}\ \mathrm{UNI}$

We use UNI to model unpredictability (error).
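The refinement definition and the theorem on INC and UNI, exercised on concrete systems, as an added Python example (not code from the slides or their authors). It assumes the finite, discrete-time abstraction used throughout (dense delay as a unit tick `"d"`, systems as dicts of `(source, label, target)` triples); SPEC, IMPL and BAD are constructed for the example, and `universal` / `inconsistent` build single-state versions of UNI and INC over a given signature. `refines` computes the largest relation closed under the three clauses above by starting from all state pairs and deleting violating pairs until a fixpoint is reached.

```python
"""Refinement check S <= T on finite, discrete-time I/O transition systems, plus the
extreme specifications INC and UNI (added example).
"""
from itertools import product

TICK = "d"


def make(init, inputs, outputs, trans):
    states = {init} | {s for s, _, _ in trans} | {t for _, _, t in trans}
    return {"states": states, "init": init, "inputs": set(inputs),
            "outputs": set(outputs), "trans": set(trans)}


def succ(m, s, a):
    return {t for x, l, t in m["trans"] if x == s and l == a}


def refines(S, T):
    """S <= T. Start from all state pairs and drop every (s, t) that violates a
    clause of the definition until nothing changes; S <= T iff the initial pair survives."""
    assert S["inputs"] == T["inputs"] and S["outputs"] == T["outputs"], "same signature"
    R = set(product(S["states"], T["states"]))
    changed = True
    while changed:
        changed = False
        for s, t in list(R):
            # every input move of T must be matched by S into a related pair ...
            inputs_ok = all(any((s2, t2) in R for s2 in succ(S, s, i))
                            for i in T["inputs"] for t2 in succ(T, t, i))
            # ... and every output or delay of S must be matched by T
            outputs_ok = all(any((s2, t2) in R for t2 in succ(T, t, a))
                             for a in S["outputs"] | {TICK} for s2 in succ(S, s, a))
            if not (inputs_ok and outputs_ok):
                R.discard((s, t))
                changed = True
    return (S["init"], T["init"]) in R


def universal(inputs, outputs):
    """UNI: one state that accepts every input, may emit every output, may delay."""
    return make("u", inputs, outputs,
                {("u", a, "u") for a in set(inputs) | set(outputs) | {TICK}})


def inconsistent(inputs, outputs):
    """INC: one state that accepts every input but can neither output nor delay."""
    return make("x", inputs, outputs, {("x", i, "x") for i in inputs})


# Constructed systems over inputs {req} and outputs {resp}.
SPEC = make("s0", {"req"}, {"resp"}, {   # answers each req with resp, any time later
    ("s0", "req", "s1"), ("s1", "resp", "s0"), ("s1", "req", "s1"),
    ("s0", TICK, "s0"), ("s1", TICK, "s1")})
IMPL = make("i0", {"req"}, {"resp"}, {   # answers exactly one tick after the request
    ("i0", "req", "i1"), ("i1", TICK, "i2"), ("i2", "resp", "i0"),
    ("i1", "req", "i1"), ("i2", "req", "i2"), ("i0", TICK, "i0")})
BAD = make("b0", {"req"}, {"resp"}, {    # emits resp without any request
    ("b0", "resp", "b0"), ("b0", "req", "b0")})
UNI = universal({"req"}, {"resp"})
INC = inconsistent({"req"}, {"resp"})


def summary():
    """Which refinements hold among the constructed systems."""
    return {
        "IMPL <= SPEC": refines(IMPL, SPEC),
        "BAD <= SPEC": refines(BAD, SPEC),
        "IMPL <= UNI": refines(IMPL, UNI),
        "BAD <= UNI": refines(BAD, UNI),
        "IMPL <= INC": refines(IMPL, INC),
        "INC <= SPEC": refines(INC, SPEC),
    }


if __name__ == "__main__":
    for name, holds in summary().items():
        print(f"{name}: {holds}")
```

`BAD <= SPEC` fails because `b0` emits `resp` where SPEC's `s0` offers no output, which is the unrequested behaviour a refinement check exists to reject. Both IMPL and BAD refine UNI, matching part 2 of the theorem, while neither refines INC: an implementation must delay or output in every state, and INC allows neither. The check also shows `INC <= SPEC`, which is the other face of the same fact: with no outputs and no delays, INC's obligations are vacuous, so it sits below every specification of its signature.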
