Relational Interfaces and Refinement Calculus for Compositional System Reasoning

Similar documents
arxiv: v2 [cs.lo] 8 Feb 2018

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Towards a Mechanised Denotational Semantics for Modelica

PSL Model Checking and Run-time Verification via Testers

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security

Abstractions and Decision Procedures for Effective Software Model Checking

Bridging the Gap between Reactive Synthesis and Supervisory Control

The State Explosion Problem

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

An Introduction to Hybrid Systems Modeling

Causality Interfaces and Compositional Causality Analysis

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

The TLA + proof system

EE249 - Fall 2012 Lecture 18: Overview of Concrete Contract Theories. Alberto Sangiovanni-Vincentelli Pierluigi Nuzzo

Timo Latvala. March 7, 2004

EE 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Fall 2016

Testing System Conformance for Cyber-Physical Systems

Linking Duration Calculus and TLA

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Automata-Theoretic Model Checking of Reactive Systems

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Benefits of Interval Temporal Logic for Specification of Concurrent Systems

Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

Synthesis of Designs from Property Specifications

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

A Logical Basis for Component-Based Systems Engineering *

An Algebra of Hybrid Systems

Algebraic Trace Theory

Lecture 16: Computation Tree Logic (CTL)

A Monad For Randomized Algorithms

A Logic Primer. Stavros Tripakis University of California, Berkeley. Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 A Logic Primer 1 / 35

Language Stability and Stabilizability of Discrete Event Dynamical Systems 1

Co-simulation of embedded systems: a PVS-Simulink integrated environment

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

TR : Binding Modalities

A Logic Primer. Stavros Tripakis University of California, Berkeley

Program Analysis Part I : Sequential Programs

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

Timed Automata VINO 2011

Clocked Synchronous State-machine Analysis

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

Course Runtime Verification

Unifying Theories of Programming

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Lecture 2: Axiomatic semantics

IC3 and Beyond: Incremental, Inductive Verification

The Underlying Semantics of Transition Systems

Linear Temporal Logic and Büchi Automata

T Reactive Systems: Temporal Logic LTL

Chapter 5: Linear Temporal Logic

Coinductive big-step semantics and Hoare logics for nontermination

Hashing Techniques For Finite Automata

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction

Automata Theory and Formal Grammars: Lecture 1

Efficient Verification of Multi-Property Designs. The benefit of wrong assumptions (E. Goldberg, M. Güdemann, D. Kroening, R.

A Symbolic Approach to Safety LTL Synthesis

(INTER-)ACTION REFINEMENT: THE EASY WAY 1

Math From Scratch Lesson 28: Rational Exponents

Seamless Model Driven Development and Tool Support for Embedded Software-Intensive Systems

Logic Model Checking

Models for Efficient Timed Verification

Groupe de travail. Analysis of Mobile Systems by Abstract Interpretation

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

The Earlier the Better: A Theory of Timed Actor Interfaces

Model checking (III)

AN INTRODUCTION TO SEPARATION LOGIC. 2. Assertions

A Simplified Approach for Testing Real-Time Systems Based on Action Refinement

Formal verification of IA-64 division algorithms

Timo Latvala. February 4, 2004

Efficient Algorithm for Reachability Checking in Modeling

CPSA and Formal Security Goals

- Introduction to propositional, predicate and higher order logics

HRML: a hybrid relational modelling language. He Jifeng

Algebraic Trace Theory

Synthesis weakness of standard approach. Rational Synthesis

Formal Methods for Probabilistic Systems

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Finite Automata - Deterministic Finite Automata. Deterministic Finite Automaton (DFA) (or Finite State Machine)

Runtime Verification. Grigore Roşu. University of Illinois at Urbana-Champaign

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Predicate Abstraction: A Tutorial

On Safety Properties and Their Monitoring

Recall that the expression x > 3 is not a proposition. Why?

Revising Distributed UNITY Programs is NP-Complete

Semantics and Verification

Lecture Notes on Inductive Definitions

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

New Complexity Results for Some Linear Counting Problems Using Minimal Solutions to Linear Diophantine Equations

An Overview of Residuated Kleene Algebras and Lattices Peter Jipsen Chapman University, California. 2. Background: Semirings and Kleene algebras

Reasoning about Time and Reliability

On the Design of Adaptive Supervisors for Discrete Event Systems

CDS 270 (Fall 09) - Lecture Notes for Assignment 8.

On Real-time Monitoring with Imprecise Timestamps

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Programming Languages and Compilers (CS 421)

Timed Test Generation Based on Timed Temporal Logic

Lecture 11 Safety, Liveness, and Regular Expression Logics

CHAPTER 2 INTRODUCTION TO CLASSICAL PROPOSITIONAL LOGIC

Transcription:

Relational Interfaces and Refinement Calculus for Compositional System Reasoning Viorel Preoteasa Joint work with Stavros Tripakis and Iulia Dragomir 1

Overview Motivation General refinement Relational interfaces Refinement calculus for reactive systems Liveness properties Modeling Simulink Diagrams 2

Motivation Is the system correct? Can we replace a subsystem by another subsystem, preserving the functionality? Compatibility. Is the composition of two systems meaningful? Can we model liveness properties? We are interested in reactive systems systems that repeatedly take some input from the environment and produce some output 3

Refinement Refinement (denoted A B): System A is refined by system B or Informally: B can replace A in any context Formally: 1. If A satisfies a property P then B satisfies P 2. If A A and B B then A B A B A B denotes some composition of systems A and B 4

Refinement Correctness: Specification Implementation Substitutability: If we have B B, then A B C A B C The system A B C satisfies all properties satisfied by A B C (In)Compatibility: A B = Fail or A B Fail where Fail = while true do skip, or Fail = unhandled exception, or Fail = assertion on input is false for every input 5

Interface theories Interface theories can express some of the properties presented above, but not liveness Relational interface introduced by Tripakis et al, A Theory of Synchronous Relational Interfaces, ACM TOPLAS, 2011 Interface automata introduced by Alfaro et al, Interface Automata, FSE, ACM, 2009 On the other hand there are frameworks capable of expressing liveness properties, but they cannot express compatibility of systems. Focus framework, Broy et al, Specification and development of interactive systems: focus on streams interfaces and refienemt, Springer, 2001 6

Relational Interfaces - Example Division component: x y Divide z Contract: y 0 z = x/y The condition y 0 introduces a requirement on input y If input y = 0, then Divide fails (this is different from Fail = fails for all inputs). 7

Relational Interfaces Composition Output of one component becomes the input of the second component a b y = a + b x > 10 x y y 0 z = x/y z The requirement on y is propagated to a and b Choosing a and b properly we can ensure y 0 The composition fails if a = b (the composition is not Fail) 8

Relational Interfaces - Incompatibility The two systems are incompatible a True x y y 0 z = x/y The component True produces nondeterministically values x and y By controlling a there is no possibility of ensuring y 0 The composition of these systems is Fail, because the composition fails for every input. z 9

Relational Interfaces Limitations Relational interfaces cannot model liveness properties Semantics of relational interfaces: prefix closed sets of finite input output traces 10

Reactive systems A reactive system is a machine that takes as input an infinite sequence x 0, x 1, x 2, and it outputs an infinite sequence y 0, y 1, y 2, Assume a system that counts and outputs how many input values seen so far are true. Then Input: 0,1,0,0,1,1,1,0,0, Output: 0,1,1,1,2,3,4,4,4, 11

Our Goal A compositional theory for reactive systems with both safety and liveness A x (x 0) B (x = 1) A specifies that its output x is always greater or equal than zero B requires that its input is infinitely often equal to one. The output of A is connected to the input of B. In our framework: these components are incompatible We want to be able to use LTL formulas in specifications 12

Refinement Calculus for Reactive Systems Monotonic property transformers Functions mapping sets of infinite output sequences into sets of output sequences Property = set of infinite sequences A system A applied to a set of output sequences Q is the set of all input sequences that do not fail and produce an output sequence in Q. Based on Refinement Calculus introduced by Back, On the correctness of refinement in program development, 1978 13

Refinement Calculus for Reactive Systems This semantics enables reasoning about all features that we mentioned at the beginning: Correctness Substitutability Compatibility And also liveness properties 14

Reactive systems Operations The operations on reactive systems are defined in the same way as for predicate transformers Sequential composition = function composition: A B Q = A B Q where Q is a set of infinite sequences. Refinement = point-wise subset: A B ( Q A Q B(Q)) Fail(Q) = 15

Simulink Example x x z z 0 y x/z y Delay a u z u x z z t = 0: x 0 ; u 0 a; z 0 u 0 x 0 ; y 0 x 0 /z 0 ; z 0 = u 0 x 0 0 t = 1: x 1 ; u 1 y 0 ; z 1 u 1 x 1 ; y 1 x 1 /z 1 ; z 1 = u 1 x 1 0 16

Simulink Example The variable u after the delay is calculated by: u 0 a; The output is given by: z n un xn u n + 1 x n /(un xn) The input x n must satisfy the following property: ( n u n xn) 17

Simulink Example as Property Transformer Our tool produces the following property transformer { u: (u 0 = a) n u n + 1 = x n u n xn ( n un xn)} [z u u = a (u 1 = x u x z = u x)] 18

Simulink Example as Property Transformer Using Linear Temporal Logic { u u = a u 1 = x u x (u x)} [z u u = a (u 1 = x u x z = u x)] 19

Conclusions We can model a number of desired features Correctness Substitutability Compatibility Liveness properties and many more We can use linear temporal logic to specify and reason about these systems We built a tool that translates Simulink models to property transformers. The results were formalized in Isabelle theorem prover 20

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback