Upload
jonas-nash
View
222
Download
2
Tags:
Embed Size (px)
Citation preview
ECDAR Composition ofReal-Time
Specifications— Revisited
Kim Guldstrand LarsenAalborg University, DENMARK
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Observations
Kim G Larsen 2
1993
1995
1988
1994
1991
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Observational Equivalence – Revisited
Kim G Larsen 3
CWB
TemporalLogic ofActions
TLC
Calculus of CommunicatingSystems
Need for sound compositional specification formalisms
supporting step-wise development and design of
concurrent real-time systems
Kim G Larsen 4Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Context Dependent Bisimulation
Modal Transition Systems
Probabilistic MTSInterval Markov Chains
Timed MTS
UPPAAL
Parameterized MTSWeighted MTS
Dual-Priced MTSModal Contracts
1986
1988
1991
1995
2009
2005
ECDAR2011
Constraint Markov Chains 2010
APAC2012
Bisimulation
CWBTAU
Kim G Larsen 5Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Context Dependent Bisimulation
Modal Transition Systems
Probabilistic MTSInterval Markov Chains
Timed MTS
UPPAAL
Parameterized MTSWeighted MTS
Dual-Priced MTSModal Contracts
1986
1988
1991
1995
2009
2005
ECDAR2011
Constraint Markov Chains 2010
APAC2012
Bisimulation
CWBTAU
Specification Theory
SpecImpsat
where
sat) Spec,(Imp, SPF
Formalism ionSpecificat
Imp: set of implementationsLabelled Transition Systems
}SsatI:I{|S|
Refi nement:
S T iff |S| |T|
Ø |T||S|
Ø |S|
:yConsistenc
Spec: set of specifications
Kim G Larsen 7Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Operations on Specifications
Structural Composition: Given S1 and S2 construct S1 par S2 such that
| S1 par S2 | = |S1| par |S2| · should be precongruence wrt par to allow for
compositional analysis !
Logical Conjunction: Given S1 and S2 construct S1ÆS2 such that
|S1 ÆS2| = |S1|Å|S2|
Quotienting: Given overall specification T and component
specification S construct the quotient specification T\S such that
S par X · T iff X · T\S
Kim G Larsen 8Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Modal Transition Systems
MTS is an automata-based specification formalism
MTS allow to express that certain actions may or must happen in their implementation
MTS supports all the required operations on specifications (conjunction, parallel composition, quotienting).
Applications in component-based software development, interface theories, modal abstractions and program analysis.
[L. & Thomsen 88Boudol & L. 90]
Kim G Larsen 9Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Example – Tea-Coffee Machines
cointea coffee cointea coffee
cointea coffee
cointeacoin
Specifications
Refinement
Implementations
coin coincoffee
tea
tea
Kim G Larsen 10Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
MTS Definition
An MTS is a triple (P,, }) where P is a set of states and µ } µ P£ Act £ P
If = } then the MTS is an implementation.
R µ P£ P is a modal refinement iff whenever (S,T)2R then i) whenever S-a->} S’ then T-a->}T’ for some T’ with (S’,T’)2 R ii) whenever T-a-> T’ then S-a-> S’ for some S’ with (S’,T’)2 R
We write S ≤mT whenever (S,T)2R for some modal refinement R.
Kim G Larsen 11Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Example – Tea-Coffee Machines
cointea coffee cointea coffee
cointea coffee
cointea coin coincoffee
tea
coin
Specifications
Refinement
Implementations
≤
≤≤
≤tea
Kim G Larsen 12Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
MTS Operators
s1 || s2
s1\ s2
SynchronousParallel Composition
Quotienting
Conjunctions1 Æ s2
Refinment & Consistency Checking arePTIME-complete
Kim G Larsen 13Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Context Dependent Bisimulation
Modal Transition Systems
Probabilistic MTSInterval Markov Chains
Timed MTS
UPPAAL
Parameterized MTSWeighted MTS
Dual-Priced MTSModal Contracts
1986
1988
1991
1995
2009
2005
ECDAR2011
Constraint Markov Chains 2010
APAC2012
Bisimulation
CWBTAU
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
SEMANTICS:
(A,x=0) – 3.14 (A,x=3.14) - a? (B,x=3.14) (A,x=0) - 5.23 (A,x=5.23) - a? (B,x=5.23) (ERROR, x=5.23)
Extended
Kim G Larsen 14
ClocksChannelsNetworksInteger variablesStructure variables, clocks, channelsUser defined types and functíons
Timed Automata
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Timed Automata
int UT (int X, int Y){ return (X+1)*Y;}
const int N = 10;const int D = 30;const int d = 4;typedef int[0,N-1] id_t;
broadcast chan rec[N];broadcast chan w[N];
Extended
ClocksChannelsNetworksInteger variablesStructure variables, clocks, channelsUser defined types and functíons
Kim G Larsen 15
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
S
Real-Time version of Milner’s Scheduler
N0
N1
N2
Ni
Ni+1
w0
w1
w2
wi
wi+1
rec1
rec2
reci
reci+1
rec0
Kim G Larsen 16
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Simulation & Verification
A[] not Env.ERROR
A[] forall (i:id_t) forall (j:id_t) ( Node(i).Token and Node(j).Token imply
i==j) Kim G Larsen 17
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Compositional Verification
SubSpec1
SubSpec2
SubSpec3
A[] not Env.ERROR
A[] forall (i:id_t) forall (j:id_t) ( Node(i).Token and Node(j).Token imply
i==j) Kim G Larsen 18
Kim G Larsen 19Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Context Dependent Bisimulation
Modal Transition Systems
Probabilistic MTSInterval Markov Chains
Timed MTS
UPPAAL
Parameterized MTSWeighted MTS
Dual-Priced MTSModal Contracts
1986
1988
1991
1995
2009
2005
ECDAR2011
Constraint Markov Chains 2010
APAC2012
Bisimulation
CWBTAU
Kim G Larsen 20Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Timed MTS, Refinements & Implementations
[CAV93] Karlis Cerans, Jens Chr. Godskesen, Kim Guldstrand Larsen: Timed Modal Specification - Theory and Tools. CAV 1993[EMSOFT02] Luca de Alfaro, Thomas A. Henzinger, Mariëlle Stoelinga: Timed Interfaces. EMSOFT 2002
An ImplementationInconsistent
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Timed Game Automata & Synthesis
Problems to be considered:- Does there exist a winning strategy?- If yes, compute one (as simple as possible)
controllable
uncontrollable
Kim G Larsen 21
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Computing Winning States
Kim G Larsen 22
Backwards Fixed-Point Computation
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Reachability GamesBackwards Fixed-Point Computation
Theorem:The set of winning states is obtained as the least fixpoint of the function: X a p(X) [ Goal
cPred(X) = { q2Q | 9 q’2 X. q c q’}uPred(X) = { q2Q | 9 q’2 X. q u q’}Predt(X,Y) = { q2Q | 9 t. qt2X and 8 s·t. qs2YC }
p(X) = Predt[ X [ cPred(X) , uPred(XC) ]
Definitions
X
YPredt(X,Y)
Kim G Larsen 23
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Decidability of Timed Games
Theorem [AMPS98,HK999]Reachability and safety timed games are decidable and EXPTIME-complete. Futhermore memoryless and ”region-based” strategies are sufficient.
Theorem [AM99,BHPR07,JT07]Optimal-time reachability timed games are decidable and EXPTIME-complete.
Algorithm [CDFLL05,BCDFLL07]Efficient ”zone-based”, on-the-fly synthesis algorithm for (optimal-time) rechability and safety timed games. (UPPAAL Tiga)
[AM99] Asarin, Maler: As soon as possible: time optimal control for timed automata. HSCC99.[BHPR07] Brihaye, Henziunger, Prabhu, Raskin: Minimum-time reachability in timed-games. ICALP07.[JT07] Jurdzinski, Trivedi: Rechability-time games on timed automata. ICALP07.[CDFLL05] Cassez, David, Fleury, Larsen, Lime: Efficient On-the-Fly Algorithms for the Analysis of Timed Games. CONCUR 2005[BCDFLL07] Behrmann, Cougnard, David, Fleury, Larsen, Lime: UPPAAL-Tiga: Time for Playing Games! CAV 2007
Kim G Larsen 24
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Timed I/O Aut.: A Modern University
coinpub
tea
cof
Machine Researcher
Administration
grantpatent
UNIVERSITY
Input: control. (required)Output: uncontrol. (allowed)
Input: control. (required)Output: uncontrol. (allowed)
Kim G Larsen 25
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Overall Specification
coin pub
tea
cof
Machine Researcher
Administration
grantpatent
grant patent
¸?
Kim G Larsen 26
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Timed I/O Transition Systems
oiActand
StActStwhere
ActSt
:TIOTS
)(:
),,(
d
i
Time determinism(d )
s ' ' ' ' ' '
I nput enabledness
. s
d
i
if s and s s then s s
f or all s and i
St
touch?
dim!
1.4
off!
0
0
o
Output Urgency
s
I ndependent Progress
.
, .
d
d
d o
whenever
then s implies d
Either d s
or d o s
''''''s
)Act(amDeterminisa ssthenssandsif a
Implementations
Kim G Larsen 27
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Refinement =Timed Alternating Simulation
Intuition:S leaves less choices than T for an implementation.
Intuition:S leaves less choices than T for an implementation.
SISsatI
Definition
:|T| |S|thenTSWhenever
Theorem
Theorem:
Whenever |S| |T| then S T
T'S'withT'TthenS'Siii.
T'S'withT'TthenS'Sii.
T'S'withS'SthenT'Ti.
iffTS
TIOGA.beTandSLet
dd
o!o!
i?i?
Kim G Larsen 28
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Refinement (example)
T
A (S)
B (T)
INC
UNI
T'S'withT'TthenS'Siii.
T'S'withT'TthenS'Sii.
T'S'withS'SthenT'Ti.
iffTS
TIOGA.beTandSLet
dd
o!o!
i?i?
Kim G Larsen 29
Timed Game
''''.
''''.
''''.
.
!!
??
TSwithTTthenSSiii
TSwithTTthenSSii
TSwithSSthenTTi
iffTS
TIOGAbeTandSLet
dd
oo
ii
Refinement as a Game
A
Ai
Cl
gi
hl
a?
o!
……
B
Bj
Dm
uj
vm
a?
o!
…
…
IA
IB
S
T
sl
ri
tj
pm
not A · B
iffAxB sat control: A<> Error
not A · B
iffAxB sat control: A<> Error
Error
IA : IB
UU
A,B
uj
a?tj
hl
o!sl
gi
a?
ri
vm
o!
pm
: G
: V
Ai,Bj Cl,Dm
…
…
…
…
FORMATS09Optimized Refinement Algorithm
Timed I/O Automata
refuter
verifier
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Kim G Larsen 30
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Refinement in ECDAR
Kim G Larsen 31
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
More Refinement .. In ECDAR
coin pub
tea
cof
Machine Researcher
Administration
grantpatent
grant patent
· ?????
Kim G Larsen 32
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Consistency
Consistency:
Does there exist I such that
I S ?
S1 S3S2
S4
Kim G Larsen 33
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Consistency
p(X) = Err [ Predt[ X [ iPred(X) , oPred(XC) ]
0
Err =
{ | . . } d os d s o s
Theorem A specificiation (state) s is inconsistentiff
s 2 ¹X. ¼(X)
Definitions
Pruned Version
S
Kim G Larsen 34
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Conjunction, SÆT
A
Ai
Cl
gi
hl
a?
o!
……
B
Bj
Dm
uj
vm
a?
o!…
…
IA
IB
A,B
Ai,Bj
gi Æ uj
a?
S
T
o!
hl Æ vm
Cl,Dm
sl
ri
tj
pmri [ tj
IA Æ IB
sl [ pm
Theorem SÆT · S SÆT · T (U·S) and (U·T) ) U · (SÆT)
Kim G Larsen 35
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Conjunction, Ex.
S T
S Æ T
ClearlyInconsistent !
Kim G Larsen 36
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Composition, S|T
1 21 10
1 2 1 2
1 21 1
1 2 1 2
1 21 1 2 2
1 2 1 2
1 1 2 2
1 2 1 2
i
ii
o
o io
a a
o ia
d d
d
s si
s s s s
s so
s s s s
s s s sa
s s s s
s s s sd
s s s s
?
?
!
!
! ?
!
'
| ' |
'
| ' |
' '
| ' ' | '
' '
| ' ' | 'Classical rules for
Composition of I/O transitionSystems
Theorem
If A1 · B1 and A2· B2 then A1|A2 · B1|B2
Theorem
If A1 · B1 and A2· B2 then A1|A2 · B1|B2
coin? pub!
tea
cof
Machine Researcher
Kim G Larsen 37
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Quotienting, T\S
T
S
i?X
oX!
oS!
A
Ai
Ci
gi
hi
i?
oS!
…
…
B
Bj
Dj
uj
vj
i?
oS!…
…
IA
IB
T
S
si
ri
tj
pj
oX!kiqi
…
Ei
oX?wjæj
…
Fi
Kim G Larsen 38
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Quotienting, T\S
T
S
i? X
oX!
oS!
A
Ai
Ci
gi
hi
i?
oS!
…
…
B
Bj
Dj
uj
vj
i?
oS!…
…
IA
IB
T
S
si
ri
tj
pj
oX!kiqi
…
Ei
oX?wjæj
…
Fi
A\BIA
Æ : IB
§ UNI
IB Æ : IAi?
INC
hi,vj
os?
Ci\ Dj
: H ,vj
os?
INC
: V
os?
UNI
ki,wj
ox!
qi ,æj
Ei\ Fj
gi,uj i?
si,pj
ri ,tj
Ai\ Bj
T\SKim G Larsen 39
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Quotienting, T\S
T
S
i? X
oX!
oS!
A
Ai
Ci
gi
hi
i?
oS!
…
…
B
Bj
Dj
uj
vj
i?
oS!…
…
IA
IB
T
S
si
ri
tj
pj
oX!kiqi
…
Ei
oX?wjæj
…
Fi
A\BIA
Æ : IB
§ UNI
IB Æ : IAi?
INC
hi,vj
os?
Ci\ Dj
: H ,vj
os?
INC
: V
os?
UNI
ki,wj
ox!
qi ,æj
Ei\ Fj
gi,uj i?
si,pj
ri ,tj
Ai\ Bj
Theorem
(S | X) · T iff X · (T\S)
T\SKim G Larsen 40
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Quotienting, ”Application”
coin pub
tea
cof
Machine Researcher
Administration
grantpatent
grant patent
Specification
·
coin pub
tea
cof
Machine Researcher
Spec \ Adm
·IFF
Spec\Adm
u·20
u·20
u·20
Kim G Larsen 41
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Compositional Refinement Checking
… ·C1 C2 CnC3
…C2 CnC3
S
S \ C1
·iffP( S \ C1 )
iff …CnC3
·P( P(S C1) \C2 )
iff … …
Andersen: Partial MC & Laroussinie, L.: CMC Tool
Kim G Larsen 42
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Assume-Guarantee
ButA
ButB
Good
Bad
Guarantee Assumption
A>>G = (A | G) \ A
Kim G Larsen 43
Properties (A | G) · ¸
(A | A>>G )
A>>G ¸ G
A · A’ ) A>>G ¸ A’>> G
G · G’ ) A>>G · A>>G’
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Assume-Guarantee Reasoning
A, G
A1, G1 A2, G2
Proof Rule: A>>G ¸ ( A1>>G1 | A2>>G2 )
Kim G Larsen 44
FASE’12: Moving from Specifications to Contracts in Component-Based Design
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Milner’s Scheduler Compositionaly
S
N0
N1
N2
Ni
Ni+1
w0
w1
wi+1
rec1
rec2
reci
reci+1
rec0
w2
wi
Find SSi and verify:
1. N1· SS1
2. SS1 | N2 · SS2
3. SS2 | N3 · SS3
… …n. SSn-1 | Nn · SSn
n+1. SSn | N0 · SPEC
SPECKim G Larsen 45
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Milner’s Scheduler Compositionaly
S
N0
N1
N2
Ni
Ni+1
w0
w1
wi+1
rec1
rec2
reci
reci+1
rec0
w2
wi
Find SSi ……
A1
G
A2
No new rec[1]! untilrec[i+1]?
After rec[1]? then rec[i+1]!within [d*i,D*i]
Kim G Larsen 46
rec[1]! occurs with> N*d time sep.
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Milner’s Scheduler Compositionaly
S
N0
N1
N2
Ni
Ni+1
w0
w1
wi+1
rec1
rec2
reci
reci+1
rec0
w2
wi
A1
G
A2
Take SSi = (A1 & A2)>>G
Kim G Larsen 47
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Milner’s Scheduler Compositionaly
S
N0
N1
N2
Ni
Ni+1
w0
w1
wi+1
rec1
rec2
reci
reci+1
rec0
w2
wi
Take SSi = (A1 & A2)>>G
Kim G Larsen 48
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Experiments
D=30
Kim G Larsen 49
Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
References
LICS88: Kim Guldstrand Larsen, Bent Thomsen: A Modal Process Logic. EMSOFT 2002: Luca de Alfaro, Thomas A. Henzinger, Mariëlle Stoelinga: Timed
Interfaces.
FMCO’09: Methodologies for Specification of Real-Time Systems Using Timed I/O Automata
WADT’10: An Interface Theory for Timed Systems ATVA’10: ECDAR: An Environment for Compositional Design and Analysis of Real
Time Systems HSCC’10:Timed I/O Automata: A Complete Specification Theory for Real-time
Systems STTT’12: Compositional verification of real-time systems using Ecdar
QEST’10: Compositional Design Methodology with Constraint Markov Chains QEST’11: APAC: A Tool for Reasoning about Abstract Probabilistic Automata FASE’12: Moving from Specifications to Contracts in
Component-Based Design FMSD’13:: Weighted modal transition systems. Sci. Comput. Prg ‘14: A modal specification theory for components with data.
www.cs.aau.dk/~adavid/ecdar www.cs.aau.dk/~adavid/tiga
www.uppaal.comKim G Larsen 50
Timed TLA
UPPAAL ECDAR ?
Kim G Larsen 51Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan
Context Dependent Bisimulation
Probabilistic MTSInterval Markov Chains
UPPAAL
1986
1991
2009
2005
2010
APAC2012
Congratulation !!