Kim Guldstrand Larsen DENMARK

Size: px

Start display at page:

Download "Kim Guldstrand Larsen DENMARK"

Anastasia McCormick
5 years ago
Views:

1 Quantitative Modal Transition Systems Kim Guldstrand Larsen Aalborg University Aalborg University, DENMARK

2 The Early Days Edinburgh Kim Larsen [2] Milner Symposium, Edinburgh, April 16-18, 2012

3 Original Aim Need for sound compositional specification formalisms supporting step-wise development and design of concurrent systems Components are specified in a formal way at a certain abstraction level. Specifications are gradually refined until a concrete system is produced. If the refinement steps preserve certain properties, the final system will as well. STILL HIGHLY RELEVANT! 3

4 Bisimulation Context Dependent Bisimulation Probabilistic MTS Interval Markov Chains Modal Transition Systems 1991 TAU 1995 CWB UPPAAL Constraint Markov Chains 2010 APAC Timed MTS 2009 ECDAR 2011 Parameterized MTS Weighted MTS Dual-Priced MTS Modal Contracts 4

5 Bisimulation [Park according to Milner] R Pr Pr is a (strong) bisimulation iff whenever (P,Q) R then i) whenever P-a-> P then Q-a->Q for some Q with (P,Q ) Q) R ii) whenever Q-a-> Q then P-a->P for some P with (P,Q ) R P Q iff (P,Q) R for some bisimulation R is a congruence relation 5

6 Compositionality Properties of a combined program should be obtained from properties of component! Correctness problem: SYS SPEC Compositional Verification 1. Decompose: SYS = C[SYS 1,,SYS n ] 2. Verify: SYS i SPEC i 3. Combine: SPEC C[SPEC 1,,SPEC n ] Problem: how to obtain simple subspecification? 6

7 A Simple Scheduler d da D cd C bc c A = a! ab! da? A B = ab? b! bc! B C = bc? c! cd! C D = cd? d! da! D a A ab B b SPEC = a! b! c! d! SPEC ( A B C D ) SPEC 7

8 Compositional Verification d da D cd C bc c A = a! ab! da? A B = ab? b! bc! B C = bc? c! cd! C D = cd? d! da! D SPEC = a! b! c! d!. SPEC a A ab B b SYS 1 = D C SYS 2 = A B SPEC 1 = bc? c! d! da! SPEC 1 SPEC 2 = a! b! bc! da? SPEC 2 However SYS i SPEC i 8

9 Compositional Verification d D cd C c SYS 1 = D C SYS 2 = A B da bc SPEC 1 = bc? c! d! da! SPEC 1 SPEC 2 = a! b! bc! da? SPEC 2 A B ab a b da? Clearly SYS 2 SPEC 2 In fact no hope for a a! b! bc! simple SPEC 2 A B bc! bc! da? da? b! a! a! b! However SYS 2 E SPEC 2 where E is an environment capturing behaviour relevant in the context ( [] C D) 9

10 Compositional Verification d D cd C c SYS 1 = D C SYS 2 = A B da bc SPEC 1 = bc? c! d! da! SPEC 1 SPEC 2 = a! b! bc! da? SPEC 2 A B ab a b da? Clearly SYS 2 SPEC 2 In fact no hope for a a! b! bc! simple SPEC 2 A B bc! bc! da? da? b! a! a! b! 10

11 Bisimulation Context Dependent Bisimulation Probabilistic MTS Interval Markov Chains Modal Transition Systems UPPAAL Constraint Markov Chains 2010 APAC Timed MTS 2009 ECDAR 2011 Parameterized MTS Weighted MTS Dual-Priced MTS Modal Contracts 11

12 Environments E = ( Env, Act, ) P E Q E a-> E : E allows (can consume) the action a and become E P -a-> P : P can produce the action a and become P Special Environments O : (O a->) for all actions a. Thus we expect P O Q for all P and Q U : U a-> U for any action a. Thus we expect P U Q iff P Q. 12

13 Environment d D cd C c Environment should cover the behaviour allowed by the context ( [] C D )??? da bc Only a!, b!, da?, bc!, No restrictions ti on a!, b!, a Inhabitant b bc! E a!, b!, da?, E bc! U a!, b!, 13

14 Parameterized Bisimulation Let E =( Env, Act, ). An E-parameterized bisimulation is an Envindexed family R = { R E : E Env } with R E Pr Pr, such that whenever whenever (P,Q) R E and E-a->E then i) whenever P-a->P then Q-a->Q for some Q with (P,Q) R Q ) R E ii) whenever Q-a->Q then P-a->P for some P with (P,Q ) R E P E Q, whenever (P,Q) R E for some parameterized bisimulation R. 14

15 Compositional Verification Revisited da? SPEC 2 a! b! bc! E a!, b!, da? bc! da?, a! b! bc! E bc! U A B bc! bc! da? da? a!, b!, b! Remaining Question a! a! Does b! SPEC 2 E A B imply (SPEC 2 C D ) ( A B C D ) Semantics of contexts as action transducer! 15

16 The Alternating Bit Protocol 16

17 ABP in the TAU Tool CWB 17

18 ABP in the TAU Tool CWB Tatsuya Hagino Professor, Faculty of Environmental Information, Keio University, Japan 18

19 Bisimulation Context Dependent Bisimulation Probabilistic MTS Interval Markov Chains Modal Transition Systems 1991 TAU 1995 CWB UPPAAL Constraint Markov Chains 2010 APAC Timed MTS 2009 ECDAR 2011 Parameterized MTS Weighted MTS Dual-Priced MTS Modal Contracts 19

20 Operations on Specifications Structural Composition: Given S 1 and S 2 construct S 1 par S 2 such that S 1 par S 2 = S 1 par S 2 should be precongruence wrt par to allow for compositional analysis! Logical Conjunction: Given S 1 and S 2 construct S 1 ÆS 2 such that S 1 ÆS 2 = S 1 Å S 2 Quotienting: Given overall specification T and component specification S construct the quotient specification T\S such that S par X T iff X T\S 20

21 Modal Transition Systems [L. & Thomsen 88 Boudol & L. 90] MTS is an automata-based specification formalism MTS allow to express that certain actions may or must happen in their implementation MTS supports all the required operations on specifications (conjunction, parallel composition, quotienting). Applications in component-based software development, interface theories, modal abstractions and program analysis. 21

22 Example Tea-Coffee Machines Specifications tea coin coffee tea coin coffee Refinement Implementations tea coin coffee tea coin tea coin coin coin coffee 22

23 MTS Definition An MTS is a triple (P,, ) where P is a set of states and P Act P If = then the MTS is an implementation. R P P is a modal refinement iff whenever (S,T) R then i) whenever S-a-> S then T-a-> T for some T with (S,T ) R ii) whenever T-a-> T then S-a-> S for some S with (S,T ) R We write S m T whenever (S,T) R for some modal refinement R. 23

24 Example Tea-Coffee Machines Specifications tea coin coffee tea coin coffee Refinement Implementations tea coin coffee tea coin tea coin coin coin coffee 24

25 Compositional Verification Rerevisited d D da cd C bc c A = a! ab! da? A B = ab? b! bc! B C = bc? c! cd! C D = cd? d! da! D a A ab B b SPEC = a! b! c! d! SPEC A B SPEC da? 2 da? a! b! bc! a! b! bc! bc! bc! da? da? b! a! b! a! da? a! b! bc! da? U da? 25

26 Compositional Verification Rerevisited d D cd C c SPEC = a! b! c! d! SPEC (SPEC 1 SPEC 2 ) m SPEC da bc C D m SPEC 1 a A ab B b A B m SPEC 2 Hence (A B C D) m SPEC SPEC 1 SPEC 2 da! da? bc? c! d! a! b! bc! bc? bc? da? da? c! d! bc? da! U a! b! bc! da? U 26

27 Bisimulation Context Dependent Bisimulation Probabilistic MTS Interval Markov Chains Modal Transition Systems 1991 TAU 1995 CWB Constraint Markov Chains 2010 UPPAAL APAC UPPAAL TIGA Timed MTS 2009 ECDAR 2011 Parameterized MTS Weighted MTS Dual-Priced MTS Modal Contracts 27

28 Probabilistic Process System Markov Chain ( P,, A,,, V ) V: P 2 A : P (P [0,1]) Valuation function Transition probability function Atomic Propositions Processes / States 1 write P 0 1 (P 1 )(P 2 ) = 54/199 (P 0 )(P 2 ) = 0 1 P 2 P 1 P 3 Accept submit reject 54/ /199 28

29 Probabilistic Bisimulation [L., Skou 89] Definition write 1 1 An equivalence relation R on process is a probabilistic bisimulation if whenever P R Q then 1. V(P) = V(Q) 2. For all classes C P/R 1/3 2/3 P C (P)(P ) = P C (Q)(P ) sub 22/199 acc sub write 145/ / /199 45/199 sub 54/199 54/ /199 acc rej rej acc rej 1 29

30 Probabilistic Bisimulation [L., Skou 89] Definition write 1 1 An equivalence relation R on process is a probabilistic bisimulation if whenever P R Q then 1. V(P) = V(Q) 2. For all classes C P/R 1/3 2/3 P C (P)(P ) = P C (Q)(P ) sub 22/199 acc sub write 145/ / /199 45/199 sub 54/199 54/ /199 acc rej rej acc rej 1 30

31 Probabilistic MTS [Jonsson, L. 91] write { 1 } { 1 1 } AUTHOR { 1 } acc sub 54/199 [0.25, 1] 145/199 [0, 0.75] rej write { 1 } { 1 1 } PUBLISHER { 1 } write 1 1 acc sub { 1 } { 1 } [0.25, 0.33] [0.67,0.75] 145/199 rej { 1 } AGREEMENT acc sub [0 54/199, 0.33] 145/199 [0.67,1] rej 31

32 Probabilistic Refinement (Informally) T [1/4,1] acc 1/2 acc S [1/8, 1] 1/2 sub Show [0,3/8] [0,3/8] rej rej p 1 + p 2 + p 3 = 1 p 1 [1/4,1] p 2 [0,3/8] p 3 [0,3/8] 1 1 acc rej [1/8, 1] [0,3/4] sub Witness; should work uniformly for any implementation of T ½ * p 1 [1/8,1] ½ * p 1 [1/8,1] 1*p 2 + 1*p 3 [0,3/4] 32

33 Probabilistic Refinement (Informally) T [1/4,1] acc 1/2 acc S [1/8, 1] 1/2 sub Constraint [0,3/8] Markov [1/8, 1] acc Chains [0,3/8] rej 1 to ensure closure under [0,3/4] sub conjunction and parallel 1 compositions rej rej Show Witness; should work uniformly for any implementation of T [2010] p 1 + p 2 + p 3 = 1 p 1 [1/4,1] ½ * p 1 [1/8,1] p [0,3/8] ½ * p 1 [1/8,1] 2 1*p p 3 [0,3/8] 2 + 1*p 3 [0,3/4] 33

34 Bisimulation Context Dependent Bisimulation Probabilistic MTS Interval Markov Chains Modal Transition Systems 1991 TAU 1995 CWB Constraint Markov Chains 2010 UPPAAL APAC UPPAAL TIGA Timed MTS 2009 ECDAR 2011 Parameterized MTS Weighted MTS Dual-Priced MTS Modal Contracts 34

35 Timed Automata SEMANTICS: (A,x=0) 3.14 (A,x=3.14) -a? (B,x=3.14) Clocks (A,x=0) Channels (A,x=5.23) -a? (B,x=5.23) Networks (ERROR, x=5.23) 35

Structure variables, clocks, channels User defined types and functíons

36 Extended Timed Automata const int N = 10; const int D = 30; const int d = 4; typedef int[0,n-1] id_t; Clocks Channels Networks Integer variables Structure variables, clocks, channels User defined types and functíons broadcast chan rec[n]; broadcast chan w[n]; int UT (int X, int Y) { return (X+1)*Y; } 36

37 Timed MTS, Refinements & Implementations 37

38 Real-Time version of Milner s Scheduler S w 0 rec 0 N rec 1 0 w 1 N 1 w 1 rec 2 w i+1 N i+1 N 2 rec i+1 N i w 2 w i rec i 38

39 Real-Time version of Milner s Scheduler S w 0 rec 0 N rec 1 0 w 1 N 1 w 1 rec 2 w i+1 N i+1 N 2 rec i+1 N i w 2 w i rec i 39

40 Simulation & Verification A[] not Env.ERROR A[] forall (i:id_t) forall (j:id_t) ( Node(i).Token and Node(j).Token imply i==j) 40

41 Milner s Scheduler Compositionaly S w 0 rec 0 N 0 rec 1 w1 Find SS i and verify: N 1 rec 2 1. N 1 SS 1 w i+1 N i+1 2. SS 1 N 2 SS 2 N 2 3. SS rec 2 N 3 SS 3 i+1 w N 2 i rec i n. SS n-1 N n SS n w i n+1. SS n N 0 SPEC 41

42 Milner s Scheduler Compositionaly S rec 0 N 0 w 0 rec 1 N 1 w1 rec 2 w i+1 N i+1 N 2 A 1 rec[1]! occurs with > Find N*D SS time i sep. rec i+1 w N 2 i A 2 w i rec i After rec[1]? then rec[i+1]! Gwithin [d*i i,d*i] No new rec[1]! until rec[i+1]? 42

43 Milner s Scheduler Compositionaly S rec 0 N 0 w 0 rec 1 N 1 w1 rec 2 w i+1 N i+1 N 2 A 1 Take SS i = (A 1 & A 2 )>>G rec i+1 w N 2 i A 2 w i rec i G 43

44 Milner s Scheduler Compositionaly S rec 0 N 0 w 0 rec 1 w1 Take SS i = (A 1 & A 2 )>>G N 1 rec 2 w i+1 N i+1 N 2 rec i+1 w 2 N i w i rec i 44

45 Experiments D=30 45

46 Bisimulation Context Dependent Bisimulation Probabilistic MTS Interval Markov Chains Modal Transition Systems 1991 TAU 1995 CWB UPPAAL Constraint Markov Chains 2010 APAC Timed MTS 2009 ECDAR 2011 Parameterized MTS Weighted MTS Dual-Priced MTS Modal Contracts 46

47 Bisimulation Context Dependent Bisimulation Probabilistic MTS Modal Transition Systems 1989 TAU CWB UPPAAL ChainsParameterized MTS Interval Markov Constraint Markov Chains Weighted MTS 2005 Timed MTS Dual-Priced Pi MTS 2009 ECDAR Modal Contracts 2011 APAC Metrics 47

Modelling Real-Time Systems. Henrik Ejersbo Jensen Aalborg University

Modelling Real-Time Systems. Henrik Ejersbo Jensen Aalborg University Modelling Real-Time Systems Henrik Ejersbo Jensen Aalborg University Hybrid & Real Time Systems Control Theory Plant Continuous sensors actuators Task TaskTask Controller Program Discrete Computer Science