Compositional Design and Verification of Real-time Systems II
Andrzej Wasowski, IT University of Copenhagen
With: Bourke, A. David, Larsen, Legay, Møller, Nyman, Ravn, Skou, L.-M. Traonouez
Specification Theories
Specifications and implementations: think of a specification as a Boolean formula and of its implementations as the satisfying assignments.
Verifications
- Consistency: does S admit an implementation at all (is its set of models non-empty, or is S empty)?
- Common implementation and compatibility: do S1 and S2 share an implementation (do their sets of models overlap)?
- Refinement: does S1 refine S2, i.e. is S1 ≤ S2?
Transformations
- Conjunction S ∧ T
- Parallel composition S ‖ T
- Quotient: X = T \\ S is an adjoint of parallel composition (S ‖ X ≤ T iff X ≤ T \\ S)
Main Laws expected from a specification theory

Law (Logical Conjunction). $[\![ S_1 \wedge S_2 ]\!]_{mod} = [\![ S_1 ]\!]_{mod} \cap [\![ S_2 ]\!]_{mod}$

Law (Compositional Design with Structural Composition). If $I \;\mathrm{sat}\; S$ and $J \;\mathrm{sat}\; T$ then $I \parallel J \;\mathrm{sat}\; S \parallel T$.

Law (Quotient). If $S \parallel X \le T$ then $X \le T \setminus\!\setminus S$.

Law (Completeness of Refinement). If $[\![ S ]\!]_{mod} \neq \emptyset$ then $[\![ S ]\!]_{mod} \subseteq [\![ T ]\!]_{mod}$ iff $S \le T$.
AGENDA
- Part I: Timed Systems. The Model of Timed Automata and Its Properties; The Model of Timed Games; What all this has to do with compositional design?
- Part II: Compositional Design & Verification. Overview of Specification Theories; Implementations, Specifications; Refinement, verification; Transformations: Operators; Case study: Leader Election Protocol
- Part III: Losing Ideals. Going Robust
Syntax and Semantics of specifications and implementations
Specifications are written as timed I/O automata (finite syntax, A), and so are implementations (X). The semantic map $[\![ \cdot ]\!]_{sem}$ sends them to timed I/O transition systems (infinite): $S = [\![ A ]\!]_{sem}$ and $P = [\![ X ]\!]_{sem}$. Satisfaction $\models$ between an implementation and a specification is defined on the semantic level, between P and S, and inherited by the automata.
Semantics of Specifications are input-enabled deterministic timed games

Def. (Timed I/O Transition System). $S = (St^S, s_0, \Sigma^S, \to^S)$ where
- $St^S$ is a set of states and $s_0 \in St^S$ the initial state,
- $\Sigma^S = \Sigma^S_i \oplus \Sigma^S_o$ is the alphabet, partitioned into inputs and outputs,
- $\to^S \subseteq St^S \times (\Sigma^S \cup \mathbb{R}_{\ge 0}) \times St^S$ is the transition relation, satisfying
  - time determinism: $s \xrightarrow{d}_S s'$ and $s \xrightarrow{d}_S s''$ implies $s' = s''$,
  - time reflexivity: $s \xrightarrow{0}_S s$ for all $s \in St^S$,
  - time additivity: for all $s, s'' \in St^S$ and all $d_1, d_2 \in \mathbb{R}_{\ge 0}$, $s \xrightarrow{d_1 + d_2}_S s''$ iff $s \xrightarrow{d_1}_S s'$ and $s' \xrightarrow{d_2}_S s''$ for some $s' \in St^S$.
- Deterministic: $s \xrightarrow{a}_S s'$ and $s \xrightarrow{a}_S s''$ implies $s' = s''$.
- Input-enabled: for each $i \in \Sigma^S_i$ and each state $s$ there exists $s'$ such that $s \xrightarrow{i?}_S s'$.
Implementations are 'completely specified' specifications

Def. (Implementation). A specification $P = (St^P, p_0, \Sigma^P, \to^P)$ with
- Output urgency: for all $p', p'' \in St^P$, if $p \xrightarrow{o!}_P p'$ and $p \xrightarrow{d}_P p''$ then $d = 0$.
- Independent progress: either $\forall d \ge 0.\; p \xrightarrow{d}_P$, or $\exists d \in \mathbb{R}_{\ge 0}.\; \exists o! \in \Sigma^P_o.\; p \xrightarrow{d}_P p'$ and $p' \xrightarrow{o!}_P$.
Refinement (between specifications) and Satisfaction (between a specification and implementations)

Def. (Refinement) between $S = (St^S, s_0, \Sigma, \to^S)$ and $T = (St^T, t_0, \Sigma, \to^T)$: $S \le T$ iff there exists $R \subseteq St^S \times St^T$ containing $(s_0, t_0)$ such that $(s, t) \in R$ implies:
- whenever $t \xrightarrow{i?}_T t'$ then $s \xrightarrow{i?}_S s'$ and $(s', t') \in R$,
- whenever $s \xrightarrow{o!}_S s'$ then $t \xrightarrow{o!}_T t'$ and $(s', t') \in R$,
- whenever $s \xrightarrow{d}_S s'$ then $t \xrightarrow{d}_T t'$ and $(s', t') \in R$.

Intuition: any output strategy of S can be played in the context of T, and any input strategy of T can be played against S.

Def. (Satisfaction). Let I be an implementation and S a specification. $I \;\mathrm{sat}\; S$ iff $I \le S$, and $[\![ S ]\!]_{mod} = \{ I \mid I \;\mathrm{sat}\; S \}$.

Thm. (Completeness of Refinement). For consistent S (that is, $[\![ S ]\!]_{mod} \neq \emptyset$): $[\![ S ]\!]_{mod} \subseteq [\![ T ]\!]_{mod}$ iff $S \le T$.
Refinement & Satisfaction. Question: are these refinements? Which is an implementation? [Slide figures: example automata illustrating refinements, implementations and consistency]
Extreme Specifications: Inconsistent (INC) and Universal (UNI)
[Slide figures: refinement examples with automata A (playing S) and B (playing T) against INC and UNI]
Thm.
1. There is no implementation satisfying INC: ∀I. ¬(I sat INC)
2. Any (signature-compatible) system implements UNI: ∀I. I sat UNI
We use UNI to model unpredictability (error).
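The refinement, satisfaction and INC/UNI slides above, as an added worked example (this is not code from the lecture or from ECDAR). It replaces real-valued delays by a single unit `tick` action, so time determinism, reflexivity and additivity hold trivially, and the coffee-machine alphabet (`coin?`, `cof!`, `tea!`) and all five automata are constructed here for illustration:

```python
from collections import deque

TICK = "tick"  # one unit of delay: the discrete stand-in for d in R>=0


class TIOTS:
    """Finite, deterministic timed I/O transition system with discrete delays.

    trans[state][action] -> successor state. An action is an input name, an
    output name or TICK; the dict makes every action (and time) deterministic.
    Input-enabledness is checked at construction, as the definition requires.
    """

    def __init__(self, init, inputs, outputs, trans):
        self.init, self.trans = init, trans
        self.inputs, self.outputs = frozenset(inputs), frozenset(outputs)
        for s, edges in trans.items():
            unknown = set(edges) - self.inputs - self.outputs - {TICK}
            assert not unknown, f"unknown actions {unknown} in state {s}"
            missing = self.inputs - set(edges)
            assert not missing, f"state {s} is not input-enabled: {missing}"

    def succ(self, s, a):
        return self.trans[s].get(a)


def refines(S, T):
    """S <= T. Both systems are deterministic, so the pairs reachable from
    (s0, t0) under the three clauses are the only candidate relation R;
    S <= T iff none of those pairs violates a clause."""
    assert S.inputs == T.inputs and S.outputs == T.outputs, "same signature required"
    start = (S.init, T.init)
    seen, todo = {start}, deque([start])
    while todo:
        s, t = todo.popleft()
        nxt = []
        for i in T.inputs:                        # inputs of T must be accepted by S
            nxt.append((S.succ(s, i), T.succ(t, i)))
        for a in list(S.outputs) + [TICK]:        # outputs and delays of S must be allowed by T
            s2 = S.succ(s, a)
            if s2 is None:
                continue
            t2 = T.succ(t, a)
            if t2 is None:
                return False
            nxt.append((s2, t2))
        for pair in nxt:
            if pair not in seen:
                seen.add(pair)
                todo.append(pair)
    return True


def _tick_chain(P, s):
    """States reachable from s by delaying only; second result: can s delay forever?"""
    chain, seen = [], set()
    while s is not None and s not in seen:
        chain.append(s)
        seen.add(s)
        s = P.succ(s, TICK)
    return chain, s is not None


def is_implementation(P):
    """Output urgency and independent progress, in the discrete-delay reading."""
    for s in P.trans:
        has_output = any(P.succ(s, o) is not None for o in P.outputs)
        if has_output and P.succ(s, TICK) is not None:
            return False                          # output urgency: no delay once an output is enabled
        chain, forever = _tick_chain(P, s)
        if not forever and not any(P.succ(q, o) is not None for q in chain for o in P.outputs):
            return False                          # independent progress: can neither wait forever nor output
    return True


def sat(I, S):
    return is_implementation(I) and refines(I, S)


# Constructed examples; the coffee-machine alphabet is an assumption of this example.
SIG = dict(inputs={"coin?"}, outputs={"cof!", "tea!"})
SPEC = TIOTS("idle", trans={                      # after a coin, serve coffee or tea, eventually
    "idle": {"coin?": "busy", TICK: "idle"},
    "busy": {"coin?": "busy", "cof!": "idle", "tea!": "idle", TICK: "busy"},
}, **SIG)
GOOD = TIOTS("idle", trans={                      # serves coffee at once: an implementation of SPEC
    "idle": {"coin?": "busy", TICK: "idle"},
    "busy": {"coin?": "busy", "cof!": "idle"},
}, **SIG)
FREE_TEA = TIOTS("idle", trans={                  # an implementation, but it serves tea without a coin
    "idle": {"coin?": "idle", "tea!": "idle"},
}, **SIG)
UNI = TIOTS("u", trans={"u": {"coin?": "u", "cof!": "u", "tea!": "u", TICK: "u"}}, **SIG)
INC = TIOTS("x", trans={"x": {"coin?": "x"}}, **SIG)   # can neither delay nor output

if __name__ == "__main__":
    print(sat(GOOD, SPEC), sat(FREE_TEA, SPEC))        # True False
    print(refines(GOOD, UNI), refines(INC, SPEC))      # True True: everything refines UNI, INC refines everything
    print(is_implementation(INC), refines(GOOD, INC))  # False False: nothing implements INC
```

Note that INC ≤ SPEC holds vacuously (INC has no outputs and no delays to match), which is exactly why INC has no implementations: an implementation must either delay forever or reach an output, and INC allows neither. UNI, conversely, is not itself an implementation (it delays while an output is enabled, violating output urgency), yet every implementation refines it.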
Refinement as a Timed Safety Game. Example for S ≤ T: the refinement check is itself a timed safety game, so we can use the engine of Uppaal TIGA to check it!
Consistency Verification: a simple safety game. Pruning as maximum strategy finding.

Definitions. The immediate error states of S are those that can neither delay indefinitely nor reach an output by delaying:
$$err^S = \{\, s \mid (\exists d.\; s \not\xrightarrow{d}) \ \text{and}\ \forall d\ \forall o!\ \forall s'.\; s \xrightarrow{d} s' \text{ implies } s' \not\xrightarrow{o!} \,\}$$
The input player (the environment) tries to force an error; the predecessor operator is
$$\pi(X) = err^S \cup Pred_t\big[\, X \cup iPred(X),\ oPred(X^c) \,\big]$$
where $iPred(X)$ and $oPred(X)$ are the predecessors of X along input and output transitions respectively, and $Pred_t[A, B]$ is the set of states that can delay into A without passing through any state of B (so the output player cannot escape into the complement of X on the way).

Theorem. A specification state s is inconsistent iff $s \in \mu X.\ \pi(X)$.

[Slide figures: a specification S with clock y (axis 0, 5, 10) and its pruned version]

A specification is consistent iff the result of pruning is non-empty.
Conjunction of Specifications, S ∧ T
[Slide figure: timed I/O automata IA (locations Ai, Cl) and IB (locations Bj, Dm) and their conjunction IA ∧ IB with product locations (Ai, Bj) and (Cl, Dm); an edge a? or o! of the conjunction combines the guards gi ∧ uj (resp. hl ∧ vm) and the resets ri ∪ tj (resp. sl ∪ pm)]
Theorem. S ∧ T ≤ S, S ∧ T ≤ T, and (U ≤ S) and (U ≤ T) ⇒ U ≤ (S ∧ T).
Conjunction of Specifications (2): Definition

Def. (Product) of $S = (St^S, s^S_0, \Sigma, \to^S)$ and $T = (St^T, s^T_0, \Sigma, \to^T)$: $S \times T = (St^S \times St^T, (s^S_0, s^T_0), \Sigma, \to)$, where
$$\frac{s \xrightarrow{a}_S s' \qquad t \xrightarrow{a}_T t' \qquad a \in \Sigma \cup \mathbb{R}_{\ge 0}}{(s, t) \xrightarrow{a} (s', t')}$$

The result of the product may be locally inconsistent, or inconsistent. Apply a consistency check and pruning to the result.
Example of Conjunction. [Slide figure: S, T and S ∧ T] Clearly inconsistent!
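The consistency game (err^S, π(X), its least fixed point and pruning) and conjunction as product-then-prune, as one added example in the same unit-`tick` abstraction of delays; this is not code from the lecture or from ECDAR. The alphabet and the specs S, T, W and DEAD are constructed for the example: S ∧ T is the "clearly inconsistent" case (S insists on coffee within one tick, T only ever serves tea), while S ∧ W is consistent only after pruning a locally inconsistent product state, and DEAD shows a single spec whose initial state the environment can drive into an error.

```python
from collections import namedtuple

TICK = "tick"  # one unit of delay; the only timing in this discrete model
Spec = namedtuple("Spec", "init inputs outputs trans")  # trans[state][action] -> state


def tick_chain(S, s):
    """States reachable from s by delaying only (s first); also: can s delay forever?"""
    chain, seen = [], set()
    while s is not None and s not in seen:
        chain.append(s)
        seen.add(s)
        s = S.trans[s].get(TICK)
    return chain, s is not None


def err_states(S):
    """err^S: states that cannot delay forever and reach no output by delaying."""
    bad = set()
    for s in S.trans:
        chain, forever = tick_chain(S, s)
        if not forever and not any(o in S.trans[q] for q in chain for o in S.outputs):
            bad.add(s)
    return bad


def ipred(S, X):
    return {s for s in S.trans if any(S.trans[s].get(i) in X for i in S.inputs)}


def opred(S, X):
    return {s for s in S.trans if any(S.trans[s].get(o) in X for o in S.outputs)}


def pred_t(S, X, Y):
    """Pred_t[X, Y]: states that can delay into X with every state passed (start included) outside Y."""
    res = set()
    for s in S.trans:
        for q in tick_chain(S, s)[0]:
            if q in Y:
                break
            if q in X:
                res.add(s)
                break
    return res


def inconsistent_states(S):
    """mu X. err^S u Pred_t[X u iPred(X), oPred(X^c)], iterated up from the empty set."""
    err, X = err_states(S), set()
    while True:
        nxt = err | pred_t(S, X | ipred(S, X), opred(S, set(S.trans) - X))
        if nxt == X:
            return X
        X = nxt


def prune(S):
    """Drop the inconsistent states and every transition into them; None if the initial state is inconsistent."""
    bad = inconsistent_states(S)
    if S.init in bad:
        return None
    trans = {s: {a: q for a, q in e.items() if q not in bad} for s, e in S.trans.items() if s not in bad}
    return Spec(S.init, S.inputs, S.outputs, trans)


def product(S, T):
    """Synchronous product: a step (input, output or tick) exists only if both sides can take it."""
    assert S.inputs == T.inputs and S.outputs == T.outputs
    trans, todo = {}, [(S.init, T.init)]
    while todo:
        s, t = todo.pop()
        if (s, t) in trans:
            continue
        trans[(s, t)] = {a: (S.trans[s][a], T.trans[t][a]) for a in S.trans[s] if a in T.trans[t]}
        todo.extend(trans[(s, t)].values())
    return Spec((S.init, T.init), S.inputs, S.outputs, trans)


def conjunction(S, T):
    return prune(product(S, T))


# Constructed examples (the alphabet coin?/cof!/tea! is an assumption of this example).
SIG = dict(inputs=frozenset({"coin?"}), outputs=frozenset({"cof!", "tea!"}))
# S: after a coin, coffee within one tick; tea is allowed but must be followed by coffee at once
S = Spec("idle", trans={
    "idle":  {"coin?": "busy", TICK: "idle"},
    "busy":  {"coin?": "busy", "cof!": "idle", "tea!": "rinse", TICK: "late"},
    "late":  {"coin?": "late", "cof!": "idle"},
    "rinse": {"coin?": "rinse", "cof!": "idle"},
}, **SIG)
# T: after a coin only tea is ever served, with no deadline
T = Spec("idle", trans={
    "idle": {"coin?": "busy", TICK: "idle"},
    "busy": {"coin?": "busy", "tea!": "idle", TICK: "busy"},
}, **SIG)
# W: any drink, no deadline, but tea is followed by a silent cooldown
W = Spec("idle", trans={
    "idle":     {"coin?": "busy", TICK: "idle"},
    "busy":     {"coin?": "busy", "cof!": "idle", "tea!": "cooldown", TICK: "busy"},
    "cooldown": {"coin?": "cooldown", TICK: "cooldown"},
}, **SIG)
# DEAD: the environment can force a state that can neither wait nor output
DEAD = Spec("idle", trans={
    "idle":  {"coin?": "stuck", TICK: "idle"},
    "stuck": {"coin?": "stuck"},
}, **SIG)

if __name__ == "__main__":
    print(inconsistent_states(DEAD))          # {'idle', 'stuck'}: the input coin? forces the error
    print(conjunction(S, T))                  # None: S and T have no common implementation
    print(sorted(conjunction(S, W).trans))    # (rinse, cooldown) pruned, and the tea! edge with it
```

In S ∧ W the product state (rinse, cooldown) is an immediate error (S demands coffee at once, W forbids any output), but the output player can avoid it by never serving tea, so only that state and the edge into it are pruned and the initial state survives. In S ∧ T no output is ever shared after a coin, so the error propagates back through iPred to the initial state and the conjunction is inconsistent.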
Optimistic Parallel Composition S|T: pruning with respect to input strategies
[Slide figure: Machine (coin?, cof!, tea!) composed with Researcher (pub!)]
Theorem. If A1 ≤ B1 and A2 ≤ B2 then A1|A2 ≤ B1|B2.
Composition follows the classical rules for composition of I/O transition systems.
Composability as a game
[Slide figure: Administration (grant, patent), Machine (coin, cof, tea) and Researcher (pub) composed into a Small University]
Is it possible for the user to use the Small University component without Researcher entering the UNI state? As a control query:
control: A[] !UNI
ECDAR Demo
Demo example: timed systems specifications = Timed I/O Automata. Inputs are controllable (required); outputs are uncontrollable (allowed).
[Slide figures: Administration (grant, patent), Machine (tea, cof), Researcher (coin, pub), and the Overall Specification]
End of Demo
Quotient T \\ S
[Slide figure: the quotient automaton T\S built from location pairs Ai\Bj, Ci\Dj, Ei\Fj of T and S, with two extra locations INC and UNI reached by edges guarded with ¬H and ¬V]
Theorem. (S | X) ≤ T iff X ≤ (T \\ S)
Why should I bother? Combating state space explosion: compositional refinement checking.
Leader Election in a Ring: ring structure
Leader Election in a Ring (2): the protocol, synchronous example. Initially cur = pr. Then cur increases whenever a send[i] carrying a higher priority arrives on the node's channel.
Template of a Single Node. Parameters: id, pr
[Edge labels on the slide: send[id][e]? with guard e>cur and update cur=e, x=0, into a location with invariant x<=MaxD from which send[(id+1)%N][cur]! is sent; send[id][e]? with guard e<=cur && !(e==pr), ignored; send[id][pr]? followed by leader[id]! into location Leader]
- Initially cur = pr
- Receives on channels send[id][e]? where e is a priority
- Sends on channels send[(id+1)%N][e] to the next node in the ring
- If the received priority is larger than the current one, store it
- Ignore it otherwise
- If it receives its own priority, broadcast 'I-am-the-leader' immediately
Verification: two simple properties
- left, S: if a leader is reported, it is the correct one (soundness)
- right, T: a leader is reported within a deadline (termination)
[Slide automata: S with edges leader[0]! and leader[e]!; T with edge leader[e]! and invariant x<=(N+1)*MaxD]
ECDAR Verification Queries
refinement: (N0 || N1 || N2 || N3 || N4 || N5) <= S
refinement: (N0 || N1 || N2 || N3 || N4 || N5) <= T
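Added example (not the UPPAAL/ECDAR model from the slides): a discrete-event simulation of the node template's rules, with the two properties S (soundness) and T (termination within (N+1)*MaxD) checked on every assignment of priorities for a small ring. Per-hop delays are assumed to lie in [0, MaxD], matching the x<=MaxD invariant. The simulation explores one delay choice per run, not all timed behaviours, so it complements but does not replace the refinement checks above.

```python
import heapq
import itertools
import random


def elect(priorities, max_d, delay=None, seed=0):
    """Run the ring protocol once and return (leaders, t_end).

    priorities[i] is node i's pr (distinct values); node i sends on channel
    send[(i+1) % N]. delay(i) is the time node i takes to forward, in [0, max_d]
    (the x <= MaxD invariant); by default it is drawn at random per message.
    leaders lists every leader[id]! event as (time, id, priority).
    """
    n = len(priorities)
    assert len(set(priorities)) == n, "priorities must be distinct"
    rng = random.Random(seed)
    delay = delay or (lambda i: rng.uniform(0.0, max_d))
    cur = list(priorities)                       # cur = pr initially
    seq = itertools.count()                      # tie-breaker for the event heap
    events = []                                  # (arrival time, seq, receiver, e)
    for i in range(n):                           # every node announces its own priority once
        heapq.heappush(events, (delay(i), next(seq), (i + 1) % n, cur[i]))
    leaders, now = [], 0
    while events:
        now, _, i, e = heapq.heappop(events)     # node i receives send[i][e]
        if e == priorities[i]:                   # own priority came round: leader[i]! immediately
            leaders.append((now, i, e))
        elif e > cur[i]:                         # higher priority: store and forward
            cur[i] = e
            heapq.heappush(events, (now + delay(i), next(seq), (i + 1) % n, e))
        # e <= cur and e != pr: ignore
    return leaders, now


def check(priorities, max_d, **kw):
    """Soundness: exactly the max-priority node reports leader, once.
    Termination: it does so by (N+1)*MaxD, the bound in specification T."""
    leaders, _ = elect(priorities, max_d, **kw)
    best = max(range(len(priorities)), key=priorities.__getitem__)
    sound = [(i, e) for _, i, e in leaders] == [(best, priorities[best])]
    on_time = bool(leaders) and leaders[0][0] <= (len(priorities) + 1) * max_d
    return sound, on_time


def exhaustive(n, max_d, **kw):
    """All assignments of distinct priorities 1..n to the n nodes."""
    return all(check(list(p), max_d, **kw) == (True, True)
               for p in itertools.permutations(range(1, n + 1)))


if __name__ == "__main__":
    print(elect([4, 9, 2, 7], 3, delay=lambda i: 3))     # worst-case delays: ([(12, 1, 9)], 12)
    print(exhaustive(5, 3, delay=lambda i: 3), exhaustive(5, 3, seed=11))
```

With every hop at its worst case MaxD, the maximal priority needs one announcement plus N-1 forwards to return home, so the leader is reported at N*MaxD, inside the (N+1)*MaxD deadline of T. A lower priority never returns to its origin because the maximal node ignores it, which is what makes S hold.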
Compositional Verification
- Combat state-space explosion for larger numbers of nodes
- We introduce abstractions Si for sub-rings and check:
refinement: ( S1 || N0 ) <= S
refinement: ( S2 || N1 ) <= S1
refinement: ( S3 || N2 ) <= S2
refinement: ( S4 || N3 ) <= S3
refinement: ( S5 || N4 ) <= S4
refinement: N5 <= S5
- Refinement ≤ is a pre-congruence with respect to ‖, so the whole ring refines S.
Compositional Verification (3): Template Si. Parameters: i, S
[Edge labels on the slide: send[i][e]? with guard S[e]==0 (ignored); send[i][e]? with guards S[e]==1 and e>=i, followed by send[0][e]! or leader[e]!]
- Si is the sub-specification abstracting the sub-ring of nodes (NN, ..., Ni)
- Nodes (NN, ..., Ni) can declare themselves leader after receiving a priority covered by Si
- If the priority received is not covered, ignore it
- If it is covered, then you can declare leadership
- S[e] is an auxiliary array flagging the priorities covered by Si
- The above template suffices to prove soundness inductively
- Timed termination can be proven inductively using a more complex template
Performance Comparison: compositional vs monolithic
[Plot: timing of verification of S and T for 5 to 40 nodes; y-axis Time (mm:ss) from 00:00 to 01:20; series S_c, S_m, T_c, T_m are the compositional (c) and monolithic (m) checks of S and T]
Thank You for Today!
Visuals by Alexandre David, Patricia Bouyer-Decitre, Ulrik Nyman, Kim Guldstrand Larsen, Louis-Marie Traonouez and yours truly.