Refinement calculus for reactive systems

Transcription

1 Refinement calcls for reactive systems Stavros Tripakis UC Berkeley and Aalto University Joint work with Viorel Preoteasa (Aalto), Ben Lickly (Berkeley), Thomas Henzinger (IST Astria), and Edward Lee (Berkeley) Spported by NSF projects COSMOI and ExCAPE ExCAPE PI meeting Jne 21 22, 2015

2 Motivations Component based design Incremental design and verification Behavioral type theories Atomatic synthesis of abstractions Tripakis 2

3 Incremental verification A steer by wire system: v [ v min, v max ] A B C latency 10ms Tripakis 3

4 Incremental verification v [ v min, v max ] A B C latency 10ms Z Tripakis 4

5 Incremental verification How to ensre properties are preserved? v [ v min, v max ] A Z C latency 10ms Tripakis 5

6 Refinement theories (e.g., interface theories [Alfaro, Henzinger et al.]) Interface = component abstraction Interface composition: A B = C Interface refinement: A A Theorems: (1) If A A and A satisfies P then A satisfies P. (2) If A A and B B, then A B A B. Tripakis 6

7 Incremental verification with refinement theories A B C Z B: Z refines B A Z C (1) If A A and A satisfies P then A satisfies P. (2) If A A and B B, then A B A B. Z B and (1) and (2) => sbstittability! Tripakis 7

8 Refinement theories (e.g., interface theories [Alfaro, Henzinger et al.]) Interface = component abstraction Interface composition: A B = C Interface refinement: A A Theorems: (1) If A A and A satisfies P then A satisfies P. (2) If A A and B B, then A B A B. Note: composition is partial => can specify compatibility (local property) Tripakis 8

9 Motivation #2: refinement theories = behavioral type theories Type checking: A very sccessfl, light weight analysis No specification reqired Contrast to verification Standard practice in software Bt relatively limited types Tripakis 9

10 Type checking in Simlink no sqrt of <0? no division by 0? doble doble Tripakis 10

11 Earlier work: [ACM TOPLAS 2011] relational interfaces (behavioral, richer types) x doble -> doble standard type 0 x 2 relational interface (behavioral type) Tripakis 11

12 Earlier work: [ACM TOPLAS 2011] relational interfaces (behavioral, richer types) x doble -> doble standard type 0 x Note: this is conjnction, not implication Tripakis 12

13 Catching incompatibility 1 0 caght by taking simply the conjnction of the two formlas Tripakis 13

14 What abot this example? tre 0 this is not jst conjnction of formlas Tripakis 14

15 Catching incompatibility x tre 0 x 2 game Tripakis 15

16 In general: demonic serial composition φ x φ1 y y φ2 z Standard: : 1 2 Demonic : : in( ) : z : ( y 2 wp( 1, in( 2 )) : 1 in( Tripakis 16 2 )) Compting can often be avoided or delayed [SPIN 2013]

17 Bottom p interface synthesis = atomatic abstraction P B A C Given interfaces for A, B, C, synthesize atomatically new interface for P (and also check compatibility in the process) Tripakis 17

18 Inferring new constraints on inpts v v 1 v 1 0 Tripakis 18

19 Handling components with state x x s s s :state variable Tripakis 19

20 Finite state relational interface write read 1 place bffer fll empty Static interface: (holds at every rond) (empty ( write empty fll fll read read write ) ) Dynamic (state dependent) interface: write s0 empty write read read Tripakis 20 s1 fll

21 Recent work: refinement calcls for reactive systems [EMSOFT 2014] Relational interfaces limited to safety properties What abot liveness? Answer: refinement calcls for reactive systems Tripakis 21

22 Refinement calcls for reactive systems Example: Are blocks A and B compatible? Yes! New constraint inferred: Tripakis [EMSOFT 2014] 22

23 Refinement calcls for reactive systems Inspired from Refinement Calcls: Well established theory for seqential programs [Dijkstra, Ralph J. Back, ] Semantics: weakest preconditions Programs = predicate transformers Given set of post states, retrn set of pre states Reactive systems = property transformers: given set of infinite seqences of otpts, retrn set of infinite seqences of inpts Implementation in Isabelle pblicly available Tripakis 23

24 Refinement (behavioral sbtyping) A B C Z B: Z refines B A Z C (1) If A A and A satisfies P then A satisfies P. (2) If A A and B B, then A B A B. Z B and (1) and (2) => sbstittability Tripakis 24

25 Refinement ' = def in ( ) ( in ( ) in ' ( ' ) ) in () = def otpts: Refinement <=> sbstittability: A can replace A in any context iff A A. i.e., refinement both necessary and sfficient condition for sbstittability. Previos similar notions (e.g., Liskov Wing behavioral sbtyping) are sfficient bt not necessary. Tripakis 25

26 Conclsions Refinement calcls for reactive systems: generic framework for compositional reasoning Components described by formlas (I/O predicates, LTL, symbolic transition systems, ) Illegal inpts => Compatibility checking Refinement = sbstittability Implementation Theory available in Isabelle theorem prover Simlink front end nder implementation Tripakis 26