Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Slides:

Advertisements

Similar presentations

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Advertisements

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Verified Systems by Composition from Verified Components Fei Xie and James C. Browne.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Integrated State Space Reduction for Model Checking Executable Object-oriented Software System Designs Fei Xie and James C. Browne Dept. of Computer Sciences.

Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

Giving a formal meaning to “Specialization” In these note we try to give a formal meaning to specifications, implementations, their comparisons. We define.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Lecture # 2 : Process Models

LIFE CYCLE MODELS FORMAL TRANSFORMATION

1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.

Background information Formal verification methods based on theorem proving techniques and modelchecking –to prove the absence of errors (in the formal.

VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

ObjectCheck: A Model Checking Tool for Executable Object-oriented Software System Designs Fei Xie and James C. Browne Dept. of Computer Sciences Univ.

Integration of Model Checking into Software Development Processes Fei Xie.

© Janice Regan, CMPT 102, Sept CMPT 102 Introduction to Scientific Computer Programming The software development method algorithms.

1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

STARI: A Case Study in Compositional and Hierarchical Timing Verification Serdar Tasiran, Prof. Robert K. Brayton Department of Electrical Engineering.

Ordering and Consistent Cuts Presented By Biswanath Panda.

Model Checking Large-Scale Software Natasha Sharygina Carnegie Mellon University Software Engineering Institute.

Component-Based Abstraction and Refinement Juncao Li 1, Xiuli Sun 2, Fei Xie 1, and Xiaoyu Song 2 1 Dept. of Computer Science 2 Dept. of ECE Portland State.

Transaction Ordering Verification using Trace Inclusion Refinement Mike Jones 11 January 2000.

Component-Based Abstraction Juncao Li Dept. of Computer Science Portland State University.

Transaction Ordering Verification using Trace Inclusion Refinement Mike Jones 11 January 2000.

School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

Formal Service-Oriented Development of Fault Tolerant Communicating Systems Linas Laibinis, Elena Troubitsyna, Johan Lilius, Qaisar Malik (Åbo Akademi)

By D. Beyer et. al. Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor.

Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.

UML - Development Process 1 Software Development Process Using UML (2)

Verification Case Studies with ObjectCheck Fei Xie (Joint work with James C. Browne, Robert P. Kurshan, and Vladimir Levin) Presentation at Microsoft Research,

Composing Models of Computation in Kepler/Ptolemy II

Parser-Driven Games Tool programming © Allan C. Milne Abertay University v

A Z Approach in Validating ORA-SS Data Models Scott Uk-Jin Lee Jing Sun Gillian Dobbie Yuan Fang Li.

Framework for the Development and Testing of Dependable and Safety-Critical Systems IKTA 065/ Supported by the Information and Communication.

CS6133 Software Specification and Verification

Joseph Cordina 1/11 The Use of Model-Checking for the Verification of Concurrent Algorithms Joseph Cordina Department of C.S.&A.I.

Verification and Validation in the Context of Domain-Specific Modelling Janne Merilinna.

Pattern-directed inference systems

Verification of behavioural elements of UML models using B Truong, Ninh-Thuan and Souquieres, Jeanine In Proceedings of the 2005 ACM Symposium on.

BY OKAY ASLAN CMPE 516 FAULT TOLERANT COMPUTING A Formal Object-Oriented Analysis for Software Reliability: Design for Verification.

Programming Languages and Design Lecture 3 Semantic Specifications of Programming Languages Instructor: Li Ma Department of Computer Science Texas Southern.

1 Checking Interaction Consistency in MARMOT Component Refinements Yunja Choi School of Electrical Engineering and Computer Science Kyungpook National.

Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.

Reasoning about the Behavior of Semantic Web Services with Concurrent Transaction Logic Presented By Dumitru Roman, Michael Kifer University of Innsbruk,

Properties as Processes : FORTE slide Properties as Processes: their Specification and Verification Joel Kelso and George Milne School of Computer.

Formal Verification. Background Information Formal verification methods based on theorem proving techniques and modelchecking –To prove the absence of.

Developing a Framework for Simulation, Verification and Testing of SDL Specifications Olga Shumsky Lawrence Henschen Northwestern University

Verifying Component Substitutability Nishant Sinha Sagar Chaki Edmund Clarke Natasha Sharygina Carnegie Mellon University.

An Object-Z / CSP Based Approach for the Specification of Architectural Connectors Mourad Maouche Philadelphia University Jordan Mohamed Bettaz MESRS Algeria.

Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,

Formal methods: Lecture

Web Ontology Language for Service (OWL-S)

Analysis of Communication Models in Web Service Compositions Marco Pistore University of Trento Joint work with Raman Kazhamiakin.

Software Design Methodology

Logical architecture refinement

Model Checking for an Executable Subset of UML

Translating Linear Temporal Logic into Büchi Automata

Program correctness Model-checking CTL

Presentation transcript:

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems

2 Agenda Motivations Translation-Based Compositional Reasoning An Realization of TBCR Applications Conclusions

3 Software Model Checking Improves reliability of software systems; Often applied through –Translation of software systems to directly model-checkable formalisms; –Or abstraction first, then translation. Requires Compositional Reasoning to check large-scale software systems.

4 Compositional Reasoning How it works –Decompose a system into components; –Verify component properties; –Derive system properties from component properties. To support it, what need be done –Establish a compositional reasoning rule; –Prove the correctness of the rule; –Implement the rule.

5 Problem to be addressed How to support compositional reasoning in software model checking through translation?

6 Problem Context Software systems are often model checked through translation. Formulation and reasoning of properties are more naturally accomplished in the software semantics. Direct proof of compositional reasoning rules in software semantics is often difficult. Rules have been established, proven, and implemented for widely used formal semantics.

7 Agenda Motivations Translation-Based Compositional Reasoning An Realization of TBCR Applications Conclusions

8 Rule Establishment and Proof Software Semantics Formal Semantics (1)Establish a compositional reasoning rule (4) Prove the rule based on the mapping and proof of the corresponding rule in formal semantics (3) Prove the corresponding rule or reuse existing proof (2) Map the rule to its corresponding rule in the formal semantics Semantics Translation

9 Background: General Form of Rule Premises –Verification of component properties; –Validation of circular dependencies; –Derivation of system properties from component properties. Conclusion –System properties hold on the system.

10 Rule Implementation and Application Software System Formal Representation (1)Formulation of premises for applying the rule (2) Translation of the premises. (4) Establishment of conclusion according to the proven rule. (3) Discharge of the premises

11 Agenda Motivations Translation-Based Compositional Reasoning An Realization of TBCR Applications Conclusions

12 Translation Context Semantics Conformance Semantics Conformance AIM Semantics  -automaton Semantics Semantics Translation xUMLS/R xUML-to-S/R Translation xUML: An executable dialect of UML; S/R: Input language of COSPAN model checker.

13 Realization of TBCR Rule Establishment Rule Proof Rule Implementation and Application

14 AIM Semantics Asynchronous Interleaving Message-passing –A system consists of a finite set of processes. –Processes execute asynchronously. –At any moment, only one process executes. –Interactions via asynchronous message-passing. Systems, components, and properties are all specified as AIM processes.

15 Definitions Let P and Q be two AIM processes; L(P), the language of P; P implements Q, P |= Q, if L(P)  L(Q); –Language containment; –Basic model checking algorithm; P // Q is a composition of P and Q; CL(P) is the safety closure of P.

16 Rule Establishment Adapting existing rules in other semantics –Reuses previous efforts; Devising new rules –Customizes to special semantics requirement.

17 Rule AENT [ Amla, Emerson, Namjoshi, and Trefler ] Has been adapted to AIM semantics. To show P 1 //P 2 |= Q, find Q 1 and Q 2 that satisfy: C1: P 1 //Q 2 |= Q 1 and P 2 //Q 1 |= Q 2 {Verifying component properties assuming properties of other components hold} C2: Q 1 //Q 2 |= Q {Deriving system property from component properties} C3: Either P 1 //CL(Q) |= (Q + Q 1 + Q 2 ) Or P 2 //CL(Q) |= (Q + Q 1 + Q 2 ) {Validating circular dependencies among component properties} Conclusion Premises

18 Why validate circular dependencies between component properties? Eventually (A)Eventually (B) Eventually (A) and Eventually (B) ? C1C2 XX A = FALSE B = FALSE

19 Realization of TBCR Rule Establishment Rule Proof Rule Implementation and Application

20 Translation from AIM Semantics to  -automaton semantics AIM Semantics  -automaton Semantics I/O-automaton Semantics

21 Preservation of Language Containment L(A)  L(B) iff L(Trans(A))  L(Trans(B)); Theorem 1: –Translation from AIM semantics to I/O-automaton semantics preserves language containment. Theorem 2: –Translation from I/O-automaton semantic to  -automaton semantics preserves language containment. Theorem 3: –Translation from AIM Semantic to  -automaton semantics preserves language containment.

22 Proof via Semantics Translation Proof sketch for Rule AENT: –Assume that C1, C2, and C3 hold; –By Theorem 3,  -automaton translations of C1, C2, C3 hold; –By  -automaton counterpart of Rule AENT,  -automaton translation of P 1 //P 2 |= Q holds; –By Theorem 3, P 1 //P 2 |= Q holds.

23 Realization of TBCR Rule Establishment Rule Proof Rule Implementation and Application

24 Model Checking of xUML Model Property Specification InterfacexUML IDEError Visualizer xUML-to-S/R TranslatorError Report Generator COSPAN Model Checker S/R ModelS/R Query Error ReportError TrackDesigner xUML Model Property AIM Semantics  -automaton Semantics

25 Application of Rule AENT Given a system and a property in xUML: On xUML level: –The system is decomposed; –Premises of Rule AENT are formulated. Premises are translated into S/R. On S/R level –Premises are discharged with COSPAN model checker. On xUML level –Conclude that the property holds on the system if the premises are successfully discharged.

26 Agenda Motivations Translation-Based Compositional Reasoning Realization of TBCR Applications Conclusions

27 Two Major Applications Integrated state space reduction framework Verification of component-based systems

28 Verification of Component-based Systems Temporal properties are specified, verified, and packaged with components. Larger components are composed incrementally. Component reuse considers component properties. Verification of a property of a composed component –Reuses verified properties of its sub-components; –Follows abstraction-refinement paradigm; –Is based on compositional reasoning.

29 Case Study: TinyOS [Hill, et. al, `00] A run-time system for network sensors from UC Berkeley; Component-based –Different requirements of sensors; –Physical limitations of sensors; High reliability required –Concurrency-intensive operations; –Installation to many sensors.

30 Sensor Component Output message Type Input message Type Component Boundary AIM Process

31 Properties of Sensor Component Property Q1 (Output repeatedly): Repeatedly (Output); Property Q2 (Output handshake correctly handled): After (Output) Never (Output) UntilAfter (OP_Ack); After (Done) Eventually (Done_Ack); Never (Done_Ack) UntilAfter (Done); After (Done_Ack) Never (Done_Ack) UntilAfter(Done);

32 Network Component

33 Properties of Network Component Property Q3 (Transmit repeatedly if input repeatedly): IfRepeatedly (Data) Repeatedly (RFM.Pending); IfRepeatedly (Data) Repeatedly (Not RFM.Pending); Property Q4 (Input handshake correctly handled): After (Data) Eventually (Data_Ack); Never (Data_Ack) UntilAfter (Data); After (Data_Ack) Never (Data_Ack) UntilAfter (Data); After (Sent) Never (Sent) UntilAfter (Sent_Ack);

34 Verification of Primitive Components Q1 and Q2 were verified on the Sensor component assuming Q4. Q3 and Q4 were verified on the Network component assuming Q2. Discharge of Premise C1 of Rule AENT.

35 Sensor-to-Network (SN) Component Property Q (Transmit repeatedly) : Repeatedly (RFM.Pending); Repeatedly (Not RFM.Pending);

36 Verification of Q on SN Q is checked on an abstraction of SN. The abstraction consists of sub-component properties that are –Enabled (whose assumptions hold); –Not involved in invalid circular dependencies. Q1, Q2, Q3, and Q4 are not included due to circular dependencies between Q2 and Q4.

37 Verification of Q on SN (cont.) Circular dependency between Q2 and Q4 is validated. (Discharge of Premise C3 of Rule AENT. ) The abstraction is refined by including Q1 and Q3. Q is verified on the refined abstraction. (Discharge of Premise C2 of Rule AENT.) Conclusion: Q holds on Sensor-to-Network.

38 Agenda Motivations Translation-Based Compositional Reasoning Realization of TBCR Applications Conclusions

39 Conclusions Translation-Based Compositional Reasoning –Simple and effective; –Suitable for compositional reasoning in software model checking through translation; –Simplifies proof of compositional reasoning rules; –Reuses existing compositional reasoning rules.