
Post on 02-Jul-2019


  • Compositional Design and Verification of Real-time Systems II
    Andrzej Wasowski, IT University of Copenhagen

    Bourke, A. David, Larsen, Legay, Møller, Nyman, Ravn, Skou, L.-M. Traonouez

  • Specification Theories

    Specifications

    Implementations

    Boolean formulæ

    satisfying assignments


  • Verifications

    Consistency

    ?orS = S

    Common Implementation and Compatibility

    S2S1 ?orS1 S2

    Refinement

    S1 S1S2 ?orS2


  • Transformations: Conjunction


  • Transformations: Parallel Composition

    S

    T

    S | T

    Parallel Composition S T

  • Transformations: Quotient

    S

    T

    S \\ T

    Quotient X = S \\ T is an adjoint of parallel composition

  • Main Laws: Expected from a specification theory

    Law. Logical Conjunction

    ⟦S1 S2⟧mod = ⟦S1⟧mod ⟦S2⟧mod

    Law. Compositional Design with Structural Composition

    If I sat S and J sat T then I J sat S T

    Law. Quotient

    S X T then X T \\ S

    Law. Completeness of Refinement

    If ⟦S⟧mod ≠ then ⟦S⟧mod ⟦T⟧mod iff S T


  • AGENDA

    Part I: Timed Systems
      The Model of Timed Automata and Its Properties
      The Model of Timed Games
      What does all this have to do with compositional design?

    Part II: Compositional Design & Verification
      Overview of Specification Theories
      Implementations, Specifications
      Refinement, verification
      Transformations: Operators
      Case study: Leader Election Protocol

    Part III: Losing Ideals. Going Robust

  • Syntax, Semantics of specifications and implementations

    (figure: syntax is given by timed I/O automata (finite), A for specifications and X for implementations; semantics by timed I/O transition systems (infinite), S = ⟦A⟧sem and P = ⟦X⟧sem; the columns are labelled specifications / (implementations) / models and the |= arrows denote satisfaction)

  • Semantics of Specification: input-enabled deterministic timed games

    Def. Timed I/O Transition System

    - S = (StS, s0,S,S)
    - StS a set of states, s0 St initial state,
    - S = Si So
    - S : StS (S R0) StS
    - time determinism: s dSs and s dSs implies s=s
    - time reflexivity: s 0Ss for all s StS
    - time additivity: for all s, s StS and all d1,d2 R0 we have s d1+d2Ss iff s d1Ss and s d2Ss for an s StS
    - Deterministic, input-enabled: s aSs and s aSs implies s=s; for each i Si exists state s such that s i?Ss


  • Implementations are completely specified specifications

    Def. Implementation

    - A specification P = (StP, p0,P,P)
    - Output urgency: p,p StP if p o!Pp and p dPp then d = 0
    - Independent progress: either (d 0. p dP) or d R0. o!Po. p dp and p o!P.


  • Refinement (between Specifications), Satisfaction (between Specification and Implementations)

    Def. Refinement btw S = (StS, s0,,S) and T = (StT, t0,,T );

    ST iff exists R StS StT containing (s0, t0), and (s, t) R implies:
    - whenever t i?T t then s i?S s and (s, t) R
    - whenever s o!S s then t o!T t and (s, t) R
    - whenever s dS s then t dT t and (s, t) R

    strategy of output for S can be played in the context of T

    strategy of input for T can be played against S

    Def. Satisfaction. Let I be an implementation and S a spec

    I sat S iff I S

    ⟦S⟧mod = {I | I sat S}

    Thm. Completeness of Refinement

    ⟦S⟧mod ⟦T⟧mod iff S T
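The three clauses of the refinement definition can be checked mechanically on finite systems. The block below is an added example, not code from the slides or their authors: it computes the greatest relation R closed under the clauses (inputs checked from T to S, outputs and delays from S to T) by deleting violating pairs until a fixpoint, and applies it to a constructed dispenser specification and three constructed candidate implementations. It assumes a discrete-time abstraction in which every delay d is one `tick` action; the genuinely timed case needs a symbolic representation of clock valuations, which this block does not attempt.

```python
from itertools import product

TICK = "tick"  # constructed stand-in for a time delay d (discrete-time abstraction)

class TS:
    """Finite transition system: trans[state][action] -> successor state.
    Actions are inputs (i?), outputs (o!) or TICK; the dict encodes determinism."""
    def __init__(self, init, inputs, outputs, trans):
        self.init, self.inputs, self.outputs, self.trans = init, set(inputs), set(outputs), trans
    def step(self, s, a):
        return self.trans[s].get(a)  # None when the action is not enabled in s

def refines(S, T):
    """S refines T: greatest relation R on St_S x St_T closed under the three clauses
    of the definition (inputs checked from T to S, outputs/delays from S to T),
    computed by deleting pairs that violate a clause until nothing changes."""
    R = set(product(S.trans, T.trans))
    changed = True
    while changed:
        changed = False
        for s, t in list(R):
            # whenever t --i?--> t', S must accept i? into a state related to t'
            bad = any(T.step(t, i) is not None and
                      (S.step(s, i), T.step(t, i)) not in R for i in T.inputs)
            # whenever s --o!--> s' or s --d--> s', T must allow it into a related state
            bad |= any(S.step(s, a) is not None and
                       (S.step(s, a), T.step(t, a)) not in R for a in S.outputs | {TICK})
            if bad:
                R.discard((s, t)); changed = True
    return (S.init, T.init) in R

# Constructed sample: a drink dispenser specification and three candidate implementations.
ACTS = (["coin?"], ["coffee!", "tea!", "water!"])
SPEC = TS("q0", *ACTS, {"q0": {"coin?": "q1", TICK: "q0"},
                        "q1": {"coin?": "q1", "coffee!": "q0", "tea!": "q0", TICK: "q1"}})
IMPL = TS("p0", *ACTS, {"p0": {"coin?": "p1", TICK: "p0"},           # output urgent in p1
                        "p1": {"coin?": "p1", "coffee!": "p0"}})
BAD_OUTPUT = TS("p0", *ACTS, {"p0": {"coin?": "p1", TICK: "p0"},     # water! not allowed by SPEC
                              "p1": {"coin?": "p1", "water!": "p0"}})
REFUSES_INPUT = TS("p0", *ACTS, {"p0": {TICK: "p0"}})                # never accepts the coin? SPEC offers
```

Refinement is not symmetric: IMPL refines SPEC, but SPEC does not refine IMPL because SPEC may still output tea!, which IMPL never allows.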


  • Refinement & Satisfaction. Question: are these refinements? Which is an implementation? (Refinements, Implementations, Consistency)

  • Extreme Specifications: Inconsistent & Universal

    (figure: Refinement (example), with automata A (S) and B (T) and the extreme specifications INC and UNI)

    Thm.

    1. There is no implementation satisfying INC: I.(I sat INC)
    2. Any (signature compatible) system implements UNI: I. I sat UNI

    We use UNI to model unpredictability (error).
