Download - Compositional Design and Verification of Real-time Systems II · Compositional Design and Veriﬁcation of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke

CompositionalDesign andVerificationof Real-timeSystems IIAndrzej WasowskiIT University of Copenhagen

Bourke A. David LarsenLegay Møller Nyman RavnSkou L.-M. Traonouez

Specification Theories

Specifications

Implementations

Boolean formulæ

satisfying assignments


Specifications

Implementations

Verifications

Consistency

?orS = S

Common Implementation and Compatibility

S2S1 ?orS1 S2

Refinement

S1 S1S2 ?orS2

TransformationsConjunction

TransformationsParallel Composition

S

Parallel Composition S ‖ T


T

S



S

T

S | T


TransformationsQuotient

S

Quotient X = S \\T is an adjoint of parallel composition


S

T



S

TS \\T


Main LawsExpected from a specification theory

Law. Logical Conjunction

J S1 ∧ S2 Kmod = J S1 Kmod ∩ J S2 Kmod

Law. Compositional Design with Structural Composition

I sat S and J sat T then I ‖ J sat S ‖ T

Law. Quotient

S ‖ X ≤ T then X ≤ T \\S

Law. Completeness of Refinement

If J S Kmod 6= ∅ thenJ S Kmod ⊆ J T Kmod iff S ≤ T

I Part I: Timed SystemsThe Model of Timed Automata and Its PropertiesThe Model of Timed GamesWhat all this has to do with compositional design?

I Part II: Compositional Design & VerificationI Part III: Loosing Ideals. Going Robust

AGENDA

I Part I: Timed SystemsI Part II: Compositional Design & VerificationI Part III: Loosing Ideals. Going Robust

AGENDA

I Part I: Timed SystemsI Part II: Compositional Design & Verification

Overview of Specification TheoriesImplementations, SpecificationsRefinement, verificationTransformations: OperatorsCase study: Leader Election Protocol

I Part III: Loosing Ideals. Going Robust

AGENDA

Syntax, Semanticsof specifications and implementations

A

X

S = JAKsem

P = JX Ksem

|= |=

J ·Ksem

J ·Ksem

timed I/Otransition systems

(infinite)

timed I/Oautomata

(finite)

spec

ifica

tions

(im

plem

enta

tions

)m

odel

s

Semantics of SpecificationAre input enabled deterministic timed games

Def. Timed I/O Transition System

I S = (StS, s0,ΣS,−→S)

I StS a set of states, s0 ∈ St initial state,I ΣS = ΣS

i ⊕ ΣSo

I −→S : StS × (ΣS ∪R≥0)× StS

I time determinism: s d−→Ss′ and s d−→Ss′′ implies s′=s′′

I time reflexivity: s 0−→Ss for all s ∈ StS

I time additivity: for all s, s′′∈ StS and all d1,d2 ∈ R≥0 we haves d1+d2−−−−→Ss′′ iff s d1−−→Ss′ and s′ d2−−→Ss′′ for an s′ ∈ StS

I Deterministic, input-enabled.s a−→Ss′ and s a−→Ss′′ implies s′=s′′

for each i ∈ ΣSi exists state s′ such that s i?−→Ss′

ImplementationsAre ’completely specified’ specifications

Def. Implementation

I A specification P = (StP ,p0,ΣP ,−→P)

I Output urgency:∀p′,p′′ ∈ StP if p o!−−→Pp′ and p d−→Pp′′ then d = 0

I Independent progress:either (∀d ≥ 0.p d−→P) or ∃d ∈R≥0. ∃o!∈ΣP

o .p d−→p′ and p′ o!−−→P .




AGENDA

Refinement (between Specifications)

Def. Refinement btw S = (StS, s0,Σ,−→S) and T = (StT, t0,Σ,−→T );

S≤T iff exists R⊆StS×StTcontaining (s0, t0), and (s, t) ∈ R implies:I whenever t i?−→T t ′ then s i?−→Ss′ and (s′, t ′)∈RI whenever s o!−−→Ss′ then t o!−−→T t ′ and (s′, t ′) ∈ RI whenever s d−→Ss′ then t d−→T t ′ and (s′, t ′) ∈ R

strategy of output for S can be played in the context of T

strategy of input for T can be played against S

Def. Satisfaction. Let I be an implementation and S a spec

I I sat S iff I ≤ SI J S Kmod = {I | I sat S}

Thm. Completeness of Refinement

J S Kmod ⊆ J T Kmod iff S ≤ T

Refinement (between Specifications)Satisfaction (between Specification and Implementations)

Def. Refinement btw S = (StS, s0,Σ,−→S) and T = (StT, t0,Σ,−→T );

S≤T iff exists R⊆StS×StTcontaining (s0, t0), and (s, t) ∈ R implies:I whenever t i?−→T t ′ then s i?−→Ss′ and (s′, t ′)∈RI whenever s o!−−→Ss′ then t o!−−→T t ′ and (s′, t ′) ∈ RI whenever s d−→Ss′ then t d−→T t ′ and (s′, t ′) ∈ R

strategy of output for S can be played in the context of T

strategy of input for T can be played against S

Def. Satisfaction. Let I be an implementation and S a spec

I I sat S iff I ≤ SI J S Kmod = {I | I sat S}

Thm. Completeness of Refinement

J S Kmod ⊆ J T Kmod iff S ≤ T

Refinement & SatisfactionQuestion: are these refinements? which is an implementation?Refinements, Implementations, Consistency

Extreme SpecificationsInconsistent & Universal

Refinement (example)

A (S)INC

T

B (T)

UNI

Refinement (example)

A (S)INC

T

B (T)

UNI

Thm.

1 There is no implementation satisfying INC: ∀I.¬(I sat INC)

2 Any (signature compatible) system implements UNI: ∀I. I sat UNI

We use UNI to model unpredictability (error).

Refinement as a Timed Safety GameExample for S ≤ T

So we can use the engine of Uppaal TIGA to check it!

Consistency VerificationA simple safety game. Consistency

S

Err = Definitions

0Err = { | . . } d os d s o s

(X) = Err ∪Pred [ X ∪ iPred(X) oPred(XC) ]Predt[ X ∪ iPred(X) , oPred(X ) ]

Theorem f ( ) A specificiation (state) s is

inconsistentiffff

s ∈ μX. π(X) errS ={s

∣∣ (∃d . s6 d−−→) and ∀d ∀o! ∀s′.s d−→s′ implies s′6 o!−−→}

Consistency VerificationA simple safety game. Pruning as a maximum strategy findingConsistency

S

Err = Definitions

0Err = { | . . } d os d s o s



inconsistentiffff

s ∈ μX. π(X)

Consistency

S

0 5 10

y

0 5 10

0 5 10

y

6

y

0 5 10

y

(X) = Err ∪ Predt[ X ∪ iPred(X) , oPred(XC) ]0Err = { | . . } d os d s o s

Pruned VersionerrS ={s

∣∣ (∃d . s6 d−−→) and ∀d ∀o! ∀s′.s d−→s′ implies s′6 o!−−→}

Consistency VerificationA simple safety game. Pruning as a maximum strategy findingConsistency

S

Err = Definitions

0Err = { | . . } d os d s o s



inconsistentiffff

s ∈ μX. π(X)

Consistency

S

0 5 10

y

0 5 10

0 5 10

y

6

y

0 5 10

y


Pruned Version

Consistency

S

0 5 10

y

0 5 10

0 5 10

y

6

yPruned Version

0 5 10

y


errS ={s∣∣ (∃d . s6 d−−→) and ∀d ∀o! ∀s′.s d−→s′ implies s′6 o!−−→}

Specification is consistent iff the result of pruning is non-empty




AGENDA

Conjunction of SpecificationsConjunction, SÆTIA

A

ghl

o!

IA

TheoremSÆ T ≤ SSÆ T ≤ TCl

gi

a?… sl

ri

SÆ T ≤ T(U≤ S) and (U≤ T) ⇒ U≤ (SÆ T)

AiA,B

S IA Æ IB

Bvm

IB gi Æ uj

a? o!

hl Æ vm

Dmuj

a?

o!…tj

pm ri ∪ tj sl ∪ pm

Bj Ai,BjT Cl,Dm

tj

Conjunction of Specifications (2)Definition

Def. Product of S = (StS, sS0 ,Σ,−→S) and T = (StT , sT

0 ,Σ,−→T )

S × T = (StS × StT , (sS0 , s

T0 ),Σ,−→), where:

s a−→Ss′ t a−→T t ′ a ∈ Σ ∪R≥0

(s, t) a−→(s′, t ′)

A result of the product may be locally inconsistent, or inconsistent.Apply a consistency check and pruning to the result.

Example of ConjunctionConjunction, Ex.

S T

S Æ T

ClearlyInconsistent !

Optimistic Parallel CompositionPruning wrt to input strategiesComposition, S|T

teaMachine Researcher

i ? b!

cof

TheoremTheorem

coin? pub!

If A1 ≤ B1 andA2≤ B2

th

If A1 ≤ B1 andA2≤ B2

ththenA1|A2 ≤ B1|B2

thenA1|A2 ≤ B1|B2

Classical rules forComposition of I/O transition

Systems

Composability – as a game

Administration

grant patent

coin pub

grant


cof

Is it possible for the user to use the Small Universitycomponent without

Researcher entering the UNI ?

control: A[] ! UNI

ECDAR Demo

Demo ExampleTimed Systems Specifications =Timed I/O Automata

Administration

grantpatent

grant

Input: control. ( i d)

Input: control. ( i d)

coinpub (required)

Output: uncontrol.(allowed)

(required)Output:

uncontrol.(allowed)

t

Machine Researcher

tea

cof

Overall SpecificationOverall Specification

grant patent

AdministrationAdministration

grant patent

≥coin pub


?

cof

End of Demo

Quotient Quotienting, T\SI …

Ahi

o !

IA oX!kiqi

Ei

oS! Cigi

i?

oS!… si

ri

i?X Ai T

ri

…

Bvj

IB oX?wjæj

…

Ei

S

oX!

Djuj

vj

i?

oS!…t

pj

ToX!

Bj S

tj

Quotienting, T\SoS!

I …

S

i? XA

hio !

IA oX!kiqi

Ei

T

S

oX!Ci

gi

i?

oS!… si

ri

UNI

Ai Tri

…

A\B i?INC

hi vjgi,uj i?

ri tj

Bvj

IB oX?wjæj

…

Fi

hi,vj

os? ¬ H ,vj

ki,wjox!

qi ,æj

ri ,tj

Ai\ Bj

Djuj

vj

i?

oS!…t

pjos? ¬ V

os?

qi , j

Ei\ Fj

si,pj

Bj S

tjCi\ Dj

INC UNI

Ei\ Fj

T\S

Quotient

QuotientingoS!

I …

S

i? XA

hio !

IA oX!kiqi

Ei

T

S

oX!Ci

gi

i?

oS!… si

ri

UNI

TheoremTheoremAi T

ri

…

A\B i?INC

hi vjgi,uj i?

ri tj

Theorem

( | ) ff ( )

Theorem

( | ) ff ( )B

vj

IB oX?wjæj

…

Fi

hi,vj

os? ¬ H ,vj

ki,wjox!

qi ,æj

ri ,tj

Ai\ Bj

(S | X) ≤ T iff X ≤ (T\S)(S | X) ≤ T iff X ≤ (T\S)

Djuj

vj

i?

oS!…t

pjos? ¬ V

os?

qi , j

Ei\ Fj

si,pj

Bj S

tjCi\ Dj

INC UNI

Ei\ Fj

T\S

Quotient




AGENDA

Why should I bother?

Combating State Space Explosion

Compositional Refinement Checking

Leader Election in a RingRing Structure

Initially cur = pr.Then cur increases whenever send[i] on higher channel arrives.

Leader Election in a Ring (2)The Protocol. Synchronous Example

Initially cur = pr.Then cur increases whenever send[i] on higher channel arrives.

Template of a Single NodeParameters: id, pr

send[id][e]?

send[id][pr]?

leader[id]!

send[id][e]?

send[id][e]?

send[(id+1)%N][cur]!

send[id][e]?

x<=MaxD

Leader

x=0

e<=cur &&!(e==pr)

cur=e

e>curI Initially cur = pr

I Receives on channelssend[id][e]? where e is a priority

I Sends on channelssend[(id+1)%N][e] to next in ring

I If the received priority is largerthan current, store it.

I Ignore it otherwise

I If received own priority, broadcast’I-am-the-leader’ immediately

VerificationTwo simple properties

I left S: if leader is reported, it is a correct one (soundness)

I right T : a leader is reported within a deadline (termination)

leader[0]!

ECDAR Verification Queries

refinement:(N0 || N1 || N2 || N3 || N4 || N5) <= S

VerificationTwo simple properties

I left S: if leader is reported, it is a correct one (soundness)I right T : a leader is reported within a deadline (termination)

leader[0]!

leader[e]!

leader[e]!

x<=(N+1)*MaxD

ECDAR Verification Queries

refinement:(N0 || N1 || N2 || N3 || N4 || N5) <= S

refinement:(N0 || N1 || N2 || N3 || N4 || N5) <= T

Compositional Verification

I Combat state-space explosion for larger numbers of nodes

I We introduce abstractions for sub-rings: checks:

refinement: ( S1 || N0 ) <= Srefinement: ( S2 || N1 ) <= S1refinement: ( S3 || N2 ) <= S2refinement: ( S4 || N3 ) <= S3refinement: ( S5 || N4 ) <= S4refinement: N5 <= S5

I Refinement ≤ is pre-congruence wrt to ‖, so ring refines S.


I Combat state-space explosion for larger numbers of nodesI We introduce abstractions for sub-rings: checks:

refinement: ( S1 || N0 ) <= S

refinement: ( S2 || N1 ) <= S1refinement: ( S3 || N2 ) <= S2refinement: ( S4 || N3 ) <= S3refinement: ( S5 || N4 ) <= S4refinement: N5 <= S5




refinement: ( S1 || N0 ) <= Srefinement: ( S2 || N1 ) <= S1

refinement: ( S3 || N2 ) <= S2refinement: ( S4 || N3 ) <= S3refinement: ( S5 || N4 ) <= S4refinement: N5 <= S5




refinement: ( S1 || N0 ) <= Srefinement: ( S2 || N1 ) <= S1refinement: ( S3 || N2 ) <= S2

refinement: ( S4 || N3 ) <= S3refinement: ( S5 || N4 ) <= S4refinement: N5 <= S5




refinement: ( S1 || N0 ) <= Srefinement: ( S2 || N1 ) <= S1refinement: ( S3 || N2 ) <= S2refinement: ( S4 || N3 ) <= S3

refinement: ( S5 || N4 ) <= S4refinement: N5 <= S5




refinement: ( S1 || N0 ) <= Srefinement: ( S2 || N1 ) <= S1refinement: ( S3 || N2 ) <= S2refinement: ( S4 || N3 ) <= S3refinement: ( S5 || N4 ) <= S4

refinement: N5 <= S5




refinement: ( S1 || N0 ) <= Srefinement: ( S2 || N1 ) <= S1refinement: ( S3 || N2 ) <= S2refinement: ( S4 || N3 ) <= S3refinement: ( S5 || N4 ) <= S4refinement: N5 <= S5


Compositional Verification (3)Template Si . Parameters: i, S

send[0][e]!

send[i][e]?

leader[e]!

S[e]==0

send[i][e]?

send[i][e]?send[0][e]!

S[e]==1

e>=i

I The sub-specification Si

I Nodes (NN , . . . ,Ni ) candeclare themselves leaderafter receiving a prioritycovered by Si

I If priority received is notcovered, ignore it.

I If it is covered, then you candeclare leadership.

I S[e] is an auxiliary arrayflagging priorities covered by

I The above template suffices to prove soundness inductivelyI Timed termination can be proven inductively using a more

complex template

Performance ComparisonCompositional vs Monolithic

5 10 15 20 25 30 35 40

Nodes

00:00

00:20

00:40

01:00

01:20

Tim

e (

mm

:ss)

S_cS_mT_cT_m

Timing of verification of S and T




AGENDA

I Part I: Timed SystemsI Part II: Compositional Design & VerificationI Part III: Loosing Ideals. Going Robust

AGENDA

Thank You for Today!

visuals by

Alexandre DavidPatricia Bouyer-Decitre

Ulrik NymanKim Guldstrand LarsenLouis-Marie Traonouez

Yours Truly

Download - Compositional Design and Verification of Real-time Systems II · Compositional Design and Veriﬁcation of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke

Top Related