Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional...
Transcript of Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional...
![Page 1: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/1.jpg)
Compositional Software Model Checking
Dan R. Ghica
Oxford University Computing Laboratory
October 18, 2002
![Page 2: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/2.jpg)
Outline of talk
• program verification issues
• the semantic challenge — programming languages
• the logical challenge — specification logics
• specialised quantifiers — a model-checking friendly logic
Dan R. Ghica, Compositional software model checking 1
![Page 3: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/3.jpg)
Program verification I — inferential
• programming logics:
– Hoare logic; specification logic (Reynolds); dynamic logic
(Harel)
• common features:
– ‘exogenous’; compositional; sound; excruciating;
– (partially) automated with proof checkers/assistants
– can prove (partial) correctness; cannot find bugs
Dan R. Ghica, Compositional software model checking 2
![Page 4: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/4.jpg)
Program verification II — semantic
• temporal logics (many)
• common features:
– ‘endogenous’; non-compositional; unsound (‘semantic
gap’); fun
– algorithmic semantics
– fully automated with model checkers (Slam, Bandera)
– cannot prove correctness; can find bugs
Dan R. Ghica, Compositional software model checking 3
![Page 5: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/5.jpg)
Program verification desiderata
• unify the two approaches: ‘compositional model checking’
• inference rules
– correctness, compositionality
• algorithmic semantics of program and logic
– automated model-checking, find counterexamples
• fewer inferential steps
Dan R. Ghica, Compositional software model checking 4
![Page 6: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/6.jpg)
The semantic challenge
• an algorithmic semantics of programming languages with
procedures
• program (fragment) code ⇒ finite model
• difficult problem
Dan R. Ghica, Compositional software model checking 5
![Page 7: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/7.jpg)
Games semantics
• Hyland & Ong and (independently) Abramsky, Jagadeesan& Malacaria and (independently) Nickau (93–94):
Full abstraction for PCF
• Abramsky & McCusker (96–97):
Full abstraction of Idealised Algol
• many more important results followed
A complex combinatorial account of programming language se-mantics.
Dan R. Ghica, Compositional software model checking 6
![Page 8: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/8.jpg)
Regular-language semantics
Observation: for certain languages, if higher-order functions andrecursion are omitted then much of the game-theoretic formalapparatus can be also omitted
• second-order Idealised Algol can be modeled using regularlanguages (Ghica & McCusker 2000)
• second-order reduced ML can be modeled using regular lan-guages (Ghica 01)
• third-order Idealised Algol can be modeled using deterministiccontext-free languages (Ong 02)
A practicable algorithmic model.
Dan R. Ghica, Compositional software model checking 7
![Page 9: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/9.jpg)
The programming language IA
Data sets:
booleans, bounded integers
Ground types:
variables, expressions, commands;
Imperative features:
assignment, branching, iteration, local variables;
Functional features:
first-order functions (uniformly on all types), call-by-name;
Dan R. Ghica, Compositional software model checking 8
![Page 10: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/10.jpg)
Semantic valuations
JΓ ` M :θK : Term → Regular Language
Helpful notation
JΓ ` E:intK =∑
nq · LΓ ` E:intMn · n
JΓ ` C:comK = run · LΓ ` C:comM · done
JΓ ` V :varK =∑
nread · LΓ ` V :varMreadn · n+
∑nwrite(n) · LΓ ` V :varMwrite
n · ok
Dan R. Ghica, Compositional software model checking 9
![Page 11: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/11.jpg)
RL interpretation
Language constants:
Jskip:comK = run · done Jn:intK = q · n Jloop:comK = ∅
Imperative features:
LC;C′M = LCM · LC′M
Lif B then C else C′M = LB:boolMtt · LCM + LB:boolMff · LC′M
Lwhile B do CM =(LBMtt · LCM
)∗ · LBMff
Dan R. Ghica, Compositional software model checking 10
![Page 12: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/12.jpg)
A simple example
Γ ` while true do C ≡ loop
Lwhile true do CM =(LtrueMtt · LCM
)∗ · LtrueMff=
(ε · LCM
)∗ · ∅= ∅ = LloopM
Because: LtrueMtt = ε, LtrueMff = ∅.
Dan R. Ghica, Compositional software model checking 11
![Page 13: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/13.jpg)
Free identifiers
Jc:com ` c:comK = run · runc · donec · done
Jf :com→ com ` f :com→ comK= run · runf · (runf1 · run1 · done1 · donef1)∗ · donef · done
E.g.
Jf(skip)K = run · runf · (runf1 · donef1)∗ · donef · done
Dan R. Ghica, Compositional software model checking 12
![Page 14: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/14.jpg)
Variables
Assignment:
LV := EM =∑
nLEMn · LV Mwriten
Dereferencing (reading):
L!V : intMn = LV : varMreadn
Obs: no causal relation between read and write actions:
let v be y :=!y + 1; y in · · ·
Dan R. Ghica, Compositional software model checking 13
![Page 15: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/15.jpg)
Local (block) variables
Only local variables are guaranteed to be well behaved:
· · ·writex(n) · okx · · · readx · nx · · · readx · nx · · ·Interpretation of block variables:
LΓ ` int x in CM =(LΓ, x:var ` CM ∩ γ̃x
)¹ Ax
Where γx =(∑
n writex(n) · okx · (readx · nx)∗)∗
• Ax the alphabet of moves not tagged by x,
• γ̃x = γx q (Ax)∗ (shuffle)
• ¹ is restriction.
Dan R. Ghica, Compositional software model checking 14
![Page 16: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/16.jpg)
An example
c:com ` int x in c ≡ c
First proved using possible-worlds-style functor categories.
Lc:com ` int x in cM =(Lc:com, x:var ` cM ∩ γ̃x
)¹ Ax
=(runc · donec ∩ γ̃x
)¹ Ax
= runc · donec
= Lc:com ` cM
Dan R. Ghica, Compositional software model checking 15
![Page 17: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/17.jpg)
The semantic gap is bridged.
• algorithmic regular-language based model
• sound and complete (fully abstract)
• decidable (for most properties)
Dan R. Ghica, Compositional software model checking 16
![Page 18: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/18.jpg)
And now for something completely different...
...specification logic.
Dan R. Ghica, Compositional software model checking 17
![Page 19: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/19.jpg)
Common specification idiom
In Hoare-logic
{P} C {Q}
In (Reynolds) spec. logic, with non-local procedures
∀p : σ • Sproc(p) → Sprog(p)
E.g.
∀c : comm • {v = v0} c {v = v0 + 1} → {v = z} c; c {v = z + 2}
Dan R. Ghica, Compositional software model checking 18
![Page 20: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/20.jpg)
A problem
Specification logic is undecidable
• boolean, recursion-free, first-order fragment
Questionable suitability for model checking
Dan R. Ghica, Compositional software model checking 19
![Page 21: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/21.jpg)
Equational theory of IA is undecidable
φ ::= ∀x : σ.φ | ∃x : σ.φ | φ ∧ φ | φ ∨ φ | φ → φ | ¬φ | M ≡ N
We can encode polynomials: p−q : N[X] → IA.
pXq = x : comm→ comm
p0q = λc.skip
psucc(n)q = λc.(pnq)c; c
pm + nq = λc.(pnq)c; (pmq)cpm× nq = λc.(pnq)((pmq)c)
Dan R. Ghica, Compositional software model checking 20
![Page 22: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/22.jpg)
Equational theory of IA is undecidable (cont’d)
Hilbert’s 10th problem corresponds to proving
∃~x : comm→ comm.pP1q ≡ pP2q, Pi ∈ N[X].
Spec. logic of IA is also undecidable
(∀p:assert.{true} c1 {p} ↔ {true} c2 {p}
)↔ c1 ≡ c2.
Dan R. Ghica, Compositional software model checking 21
![Page 23: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/23.jpg)
A solution
Common idiom:
∀p : σ • Sproc(p) → Sprog(p)
Relativised quantifiers (syntactic):
∀p : Sproc • Sprog(p)
Specialised quantifiers (semantic):
Ψp : Sproc • Sprog(p)
Dan R. Ghica, Compositional software model checking 22
![Page 24: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/24.jpg)
Example: “effects quantifier”
Ψc : {v = v0} c {v = v0 + 1}︸ ︷︷ ︸Sproc
• {v = z} c; c {v = z + 2}︸ ︷︷ ︸Sprog
All the variables above are global, distinct.
Dan R. Ghica, Compositional software model checking 23
![Page 25: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/25.jpg)
Another useful quantifier: “stability quantifier”
CBN+computational side-effects breaks arithmetic: x 6= x
Context: let x be v := !v + 1; !v in · · ·
Obs: this is in general a difficult problem (Boehm 82)
∇x : σ.S
E.g. ∇x : exp.x = x is always true.
Semantics: similar to block variables (· · · ∩ γxσ) ¹ Ax
Dan R. Ghica, Compositional software model checking 24
![Page 26: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/26.jpg)
A more generalised stability quantifier
∇x/~y : σ.S
Interpretation: x is stable but the actions of identifiers in ~y may
change its value.
E.g.
∇y.∇x/y • x + x = 2× x is true
∇y.∇x/y • x + y = y + x is not necessarily true
Dan R. Ghica, Compositional software model checking 25
![Page 27: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/27.jpg)
Our example, this time formally
∇v/c.Ψc : ∇v0.{v = v0} c {v = v0 + 1} • ∇z.{v = z} c; c {v = z + 2}
• no need to restrict to global variables
• more abstract formulations
∇e/c.Ψc : ∇e0.{e = e0} c {e = e0 + 1} • ∇z.{e = z} c; c {e = z + 2}
Dan R. Ghica, Compositional software model checking 26
![Page 28: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/28.jpg)
Why does it work? — a discussion
• no true universal quantifier in the logic
– no quantification over languages
– (no quantification over opponent behaviours)
• specialised quantifiers are tamer
– regular-language interpretation
– (encode a strategy for the opponent)
Dan R. Ghica, Compositional software model checking 27
![Page 29: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/29.jpg)
A bit of quantifier theory
introduced by Mostowski (57) and extended by Lindstroem (66);
called “generalised” quantifiers;
extend expressiveness without increasing order
• “for uncountably many”
• “for all connected graphs”
applications to descriptive complexity theory
Dan R. Ghica, Compositional software model checking 28
![Page 30: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/30.jpg)
What is a generalised quantifier?
any collection of structures closed under isomorphism
type of a generalised quantifier (n1, n2, . . . , nk)
ni identifiers are bound in the ith formula
e.g. of type (1,1) quantifier:
Ψx, y : there are as many x with P (x) as there are y with Q(y)
strict hierarchy (Hella et.al. 96)
(1) < (1,1) < · · · < (2) < (2,1) < (2,1,1) · · · < (2,2) < · · · < (3) · · ·
Dan R. Ghica, Compositional software model checking 29
![Page 31: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/31.jpg)
Proof theory of generalised quantifiers
substructural logics—substitution subject to extra conditions
Ψ~x1 : P1 . . . ~xk : Pk • S Pi( ~Mi) Mi #S, Mi #Mj, i 6= j
S[~xi/ ~Mi]
we call # non-interference
work done by Alechina & Lambalgen (96)
Dan R. Ghica, Compositional software model checking 30
![Page 32: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/32.jpg)
Example
Ψc : {v = v0} c {v = v0 + 1} • {v = z} c; c {v = z + 2}{v = v0} v := v + 1 {v = v0 + 1}
{v = z} v = v + 1; v = v + 1; {v = z + 2}
Or
Ψc : {v = v0} c {v = v0 + 1} • {v = z} c; c {v = z + 2}{v = v0} v := v + 1; k := k + 1 {v = v0 + 1}
{v = z} v = v + 1; k := k + 1; v = v + 1; k := k + 1 {v = z + 2}
But not
Ψc : {v = v0} c {v = v0 + 1} • {v = z} c; c {v = z + 2}{v = v0} v := v + 1; z := z + 1 {v = v0 + 1}
{v = z} v = v + 1; z := z + 1; v = v + 1; z := z + 1 {v = z + 2}
Dan R. Ghica, Compositional software model checking 31
![Page 33: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/33.jpg)
Non-interference
C #S
C does not write to the ‘protected’ variables of S and vice versa.
Dan R. Ghica, Compositional software model checking 32
![Page 34: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/34.jpg)
Higher-type quantifiers and substitution
In the previous example we actually have a type (1,1) quantifier
(∇e/c
Ψc : ∇e0.{e = e0} c {e = e0 + 1})• ∇z.{e = z} c; c {e = z + 2}
Elimination must be simultaneous
∇v.∇(!v)
∇v.∇e0.{!v = e0} v := !v + 1 {!v = e0 + 1}
∇v.∇z.{!v = z} v := !v + 1; v := !v + 1 {!v = z + 2}
Dan R. Ghica, Compositional software model checking 33
![Page 35: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/35.jpg)
Highlights of the logical system
• effects and stability quantifiers for ground and first order
types
• quantifiers of type (1,1, · · · ,1)
• regular-language semantics, decidable
• quantifiers discharged through substitution
• also, Hoare axioms
Dan R. Ghica, Compositional software model checking 34
![Page 36: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/36.jpg)
Drawback
“algebraic” specifications involve quantifiers of higher type:
∇x/do, undo∇y.{x = y} do; undo {x = y}∇y.{x = y} undo; do {x = y}
• · · · .
has type (1,2), does not (?) have a RL semantics.
Dan R. Ghica, Compositional software model checking 35
![Page 37: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/37.jpg)
Conclusion
• RL semantics, inference — compositional model checking
• non-interference conditions — syntactic or semantic
• challenging programming language — semantic and logic
• not very complicated (?) — avoid “low level” axioms
• some drawbacks
• no verification tool yet
Dan R. Ghica, Compositional software model checking 36
![Page 38: Compositional Software Model Checkingpszgmh/appsem-slides/ghica.pdfDan R. Ghica, Compositional software model checking 6 Regular-language semantics Observation: for certain languages,](https://reader033.fdocuments.in/reader033/viewer/2022041811/5e581d2f44e67826aa1ffe22/html5/thumbnails/38.jpg)
Related work
Interface automata, de Alfaro & Henzinger (2001)
• emphasis on the automata model
• the discharge of the interface — “refinement”
Dan R. Ghica, Compositional software model checking 37