Interface Theories in Practice Luca de Alfaro UC Santa Cruz GDV 2006.

Slides:

Advertisements

Similar presentations

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Advertisements

Detecting Bugs Using Assertions Ben Scribner. Defining the Problem  Bugs exist  Unexpected errors happen Hardware failures Loss of data Data may exist.

Partial Order Reduction: Main Idea

Interface Theories With Component Reuse Laurent DoyenEPFL Thomas HenzingerEPFL Barbara JobstmannEPFL Tatjana PetrovEPFL.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

White Box and Black Box Testing Tor Stålhane. What is White Box testing White box testing is testing where we use the info available from the code of.

1 Integration Testing CS 4311 I. Burnstein. Practical Software Testing, Springer-Verlag, 2003.

Justification-based TMSs (JTMS) JTMS utilizes 3 types of nodes, where each node is associated with an assertion: 1.Premises. Their justifications (provided.

Giving a formal meaning to “Specialization” In these note we try to give a formal meaning to specifications, implementations, their comparisons. We define.

1 MDV, April 2010 Some Modeling Challenges when Testing Rich Internet Applications for Security Kamara Benjamin, Gregor v. Bochmann Guy-Vincent Jourdan,

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

10 Software Engineering Foundations of Computer Science ã Cengage Learning.

UPPAAL Andreas Hadiyono Arrummaisha Adrifina Harya Iswara Aditya Wibowo Juwita Utami Putri.

CSE 522 UPPAAL – A Model Checking Tool Computer Science & Engineering Department Arizona State University Tempe, AZ Dr. Yann-Hang Lee

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Interface-based design Philippe Giabbanelli CMPT 894 – Spring 2008.

Prototyping of Real-time Component Based Systems by the use of Timed Automata Trevor Jones Lancaster University, UK

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Planning under Uncertainty

1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

Interface Automata 29-September Modeling Temporal Behavior of Component Component behaves with Environment Traditional (pessimistic) approach –

Interface-based Design of Embedded Systems Thomas A. Henzinger University of California, Berkeley.

Ordering and Consistent Cuts Presented By Biswanath Panda.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

Type System, March 12, Data Types and Behavioral Types Yuhong Xiong Edward A. Lee Department of Electrical Engineering and Computer Sciences University.

Models and Theory of Computation (MTC) EPFL Dirk Beyer, Jasmin Fisher, Nir Piterman Simon Kramer: Logic for cryptography Marc Schaub: Models for biological.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara

Catriel Beeri Pls/Winter 2004/5 type reconstruction 1 Type Reconstruction & Parametric Polymorphism  Introduction  Unification and type reconstruction.

Rich Interface Theories for Component-based Design Dirk Beyer ┼, Arindam Chakrabarti *, Luca de Alfaro **, Thomas A Henzinger * ┼, Marcin Jurdziński *,

An Extensible Type System for Component-Based Design

Synthesis of Interface Specifications for Java Classes Rajeev Alur University of Pennsylvania Joint work with P. Cerny, G. Gupta, P. Madhusudan, W. Nam,

Department of Electrical Engineering and Computer Sciences University of California at Berkeley System-Level Types for Component-Based Design Edward A.

Department of Electrical Engineering and Computer Sciences University of California at Berkeley Concurrent Component Patterns, Models of Computation, and.

System-Level Types for Component-Based Design Paper by: Edward A. Lee and Yuhong Xiong Presentation by: Dan Patterson.

Models of Computation as Program Transformations Chris Chang

1 Debugging and Testing Overview Defensive Programming The goal is to prevent failures Debugging The goal is to find cause of failures and fix it Testing.

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright , Matt Dwyer, John Hatcliff,

Natallia Kokash (Accepted for PACO’2011) ACG, 31/05/ Input-output conformance testing for channel-based connectors 1.

Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.

1Computer Sciences Department. Book: INTRODUCTION TO THE THEORY OF COMPUTATION, SECOND EDITION, by: MICHAEL SIPSER Reference 3Computer Sciences Department.

Scientific Debugging. Errors in Software Errors are unexpected behaviors or outputs in programs As long as software is developed by humans, it will contain.

Summer Computing Workshop. Session 3 Conditional Branching  Conditional branching is used to alter the normal flow of execution depending on the value.

Verification & Validation By: Amir Masoud Gharehbaghi

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Hwajung Lee. Well, you need to capture the notions of atomicity, non-determinism, fairness etc. These concepts are not built into languages like JAVA,

Hwajung Lee. Why do we need these? Don’t we already know a lot about programming? Well, you need to capture the notions of atomicity, non-determinism,

CSCI1600: Embedded and Real Time Software Lecture 28: Verification I Steven Reiss, Fall 2015.

Chapter 8 Asynchronous System Model by Mikhail Nesterenko “Distributed Algorithms” by Nancy A. Lynch.

Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science.

Condition Testing. Condition testing is a test case design method that exercises the logical conditions contained in a program module. A simple condition.

CSCE 668 DISTRIBUTED ALGORITHMS AND SYSTEMS Fall 2011 Prof. Jennifer Welch CSCE 668 Set 16: Distributed Shared Memory 1.

CSSE501 Object-Oriented Development. Chapter 10: Subclasses and Subtypes  In this chapter we will explore the relationships between the two concepts.

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Assumption-based Truth Maintenance Systems: Motivation n Problem solvers need to explore multiple contexts at the same time, instead of a single one (the.

Model Checking Lecture 1: Specification Tom Henzinger.

CS5270 Lecture 41 Timed Automata I CS 5270 Lecture 4.

Condition Testing.

Input Space Partition Testing CS 4501 / 6501 Software Testing

Program Synthesis is a Game

CSEP590 – Model Checking and Automated Verification

Presentation transcript:

Interface Theories in Practice Luca de Alfaro UC Santa Cruz GDV 2006

Theory (In theory, many things work...) Collaborators: Tom Henzinger Marielle Stoelinga

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Transition systems: 1 decision Closed systems: 1 actor –Output: hat outputs can be generated? Games: 2 decisions Open Systems: 2 actors: –Input: what inputs to give next? –Output: what outputs to generate next? Model open systems as games, rather than transition systems.

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Transition systems: 1 decision Closed systems: 1 actor –Output: hat outputs can be generated? Games: 2 decisions Open Systems: 2 actors: –Input: what inputs to give next? –Output: what outputs to generate next? Model open systems as games, rather than transition systems.

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Transition systems: 1 decision Closed systems: 1 actor –Output: hat outputs can be generated? Games: 2 decisions Open Systems: 2 actors: –Input: what inputs to give next? –Output: what outputs to generate next? Model open systems as games, rather than transition systems.

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) send! msg? send! ack? nack? fail! ok! ack?nack? ok! fail! A Game Model Input moves: the inputs that are allowed. Output moves: the outputs that can be generated.

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) send! msg? send! ack? nack? fail! ok! ack? nack? msg? *? ack?nack? ok!fail! send! msg? send! ack? nack? fail! ok! ack?nack? ok! fail! A Game Model Input moves: the inputs that are allowed. Output moves: the outputs that can be generated. A Transition-System Model Output moves: the outputs that can be generated. Input moves: always accepted (input enabled).

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) send! msg? send! ack? nack? fail! ok! ack? nack? msg? *? ack?nack? ok!fail! send! msg? send! ack? nack? fail! ok! ack?nack? ok! fail! A Game Model A Transition-System Model What is the difference?? Refinement Composition

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Refinement (closed systems) ¹ µ Classical definition: behavioral subset (trace containment, simulation) choices µ

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) (Closed) Refinement applied to open systems ¹ µ Often used for input-enabled systems. = input enabled choices µ no choices here

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) ¹ * Whoops, it does not hold... = input enabled (Closed) Refinement applied to open systems - in practice

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) ¹ Whoops, it does not hold... We forgot an environment assumption! Env µ (Closed) Refinement applied to open systems - in practice

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) ¹ In practice, transition system refinement is used between closed systems. Env µ (Closed) Refinement applied to open systems - in practice

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Simulation as Open System Refinement? Q ¹ P µ µ

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Simulation as Open System Refinement? Often, it is defined as transition system refinement. However: If P accepts fewer inputs, it is usable in fewer ways. Indeed, we cannot plug P for Q in a design. Q ¹ P µ µ ?

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Simulation as Open System Refinement? Often, it is defined as transition system refinement. However: If P accepts fewer inputs, it is usable in fewer ways. Indeed, we cannot plug P for Q in a design. Q ¹ P µ µ ? Simulation is not the proper notion of refinement for open systems!

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) To define open-system refinement, lets look at type theory Dom( ) Im( ) ¹ µ µ Subtyping is Domain/Image contravariant

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Open System Refinement ¹ µ µ This is alternating simulation, the notion of refinement for games! [Alur,K,Henzinger,V CONCUR98]

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) TS: Simulation Spec Impl

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) TS: Simulation Spec Impl

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) TS: Simulation Spec Impl All behaviors of the implementation are allowed by the specification

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Games: Alternating Simulation Spec Impl InputsOutputs The implementation accepts all the specification inputs, and produces a subset of the outputs. The implementation can be substituted for the specification.

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Alternating Simulation: Example send!nack? msg? ok! fail! ack? msg?send! ack? nack? fail! ok! send!nack? msg? ok! fail! ack? msg?send! ack? nack? fail! ok! once? send! ack? done! once?

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Alternating Simulation Example send! msg? send! ack? nack? fail! ok! ack?nack? ok! fail! send! msg? send! ack? nack? fail! ok! ack?nack? ok! fail! done! once? send! ack? done!

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Types: Composition Dom( ) Im( ) Condition: Dom( ) Im( ) Im( ) µ Dom( )

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Types: Composition Dom( ) Im( ) What if Dom( ) Im( ) Im( ) µ Dom( ) ?

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Types: Composition Dom( ) Im( ) What if Dom( ) Im( ) Im( ) µ Dom( ) ? Can we restrict Dom( ) to Dom( ), to ensure Im( ) µ Dom( ) ? YES ) Compatible, type derivation NO ) Incompatible

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) int x int x=0 ! y=0 int x y z Types: Composition

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) int Compatible? Types: Composition int x int x=0 ! y=0 int x y z

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) int x 0 int x Compatible? Yes! Outcome: Compatible: Are there inputs for which it works? New type: most general restrictions under which it works. Types: Composition int int x int x=0 ! y=0 int x y z

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Behaviors: Composition a? b? c? a! b! c! µ

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Behaviors: Composition a? b? c? a! b! µ

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Behaviors: Composition a? b? c? a! b! a! b!

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Behaviors: Composition b? c? a! b! µ

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Behaviors: Composition b? c? a! b!

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Process Algebra b? c? a! b! Not for us!

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) send!nack? msg? ok! fail! ack? msg?send! ack? nack? fail! ok! Example: Interface Automata Composition msg! ok? msg!fail?ok? Local incompatibility: Here, fail? cannot be accepted fail! generated

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) send!nack? msg! ok! fail! ack? msg!send! ack? nack? ok! Example: Interface Automata Composition Local incompatibility

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) send!nack? msg! ok! fail! ack? msg!send! ack? nack? ok! Example: Interface Automata Composition Can we restrict the inputs to avoid the local incompatibility?

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) send!nack? msg! ok! fail! ack? msg!send! ack? nack? ok! Example: Interface Automata Composition Can we restrict the inputs to avoid the local incompatibility? YES.

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) send!nack? msg! ok! fail! ack? msg!send! ack? nack? ok! Example: Interface Automata Composition The resulting interface automaton.

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Game composition propagates constraints The top-level game could not accept failure Therefore, in the composite game, the network layer cannot fail twice in a row. send!nack? msg! ok! fail! ack? msg!send! ack? nack? ok! msg! ok? send! fail? ok?

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Transition SystemsGames (interfaces) ModelOutputInput, Output RefinementSimulation Alternating simulation Composition Input enabled, Consensus Game composition (Ouput does, Input must accept) Verification Does it work? LTL, CTL,... Can it work? LTL, CTL, control ¶ I O I O ¶ ClosedOpen I O I O = ¶

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Practice: The Ticc Tool GPL licence Collaborators: Marco Faella Vishwanath Raman Pritam Roy Axel Legay Bo Adler Leandro Dias Da Silva

Intended Application:

? Compatibility checking.

Modeling - Desiderata Synchronization (actions) one-to-one, one-to-many, many-to-many Shared state (local + global variables) Communication (actions can update variables) one-to-one, one-to-many, many-to-many ) Sociable Interfaces [FROCOS 2005] Implemented in Ticc.

A Simple Fire-Detector Example fire? fd! smoke1? fire! smoke1? fire! fd! Control unit Detector 1

Many-to-One Synchronization? fire? fd! smoke1? fire! smoke2? fire! ? Control unit Detector 1 Detector 2

Many-to-One Synchronization? smoke2? fire! ? smoke1? fire! fd! Detector 2

Many-to-One Synchronization? smoke2? fire! smoke1? fire! fd! Incompatible: fire! can be generated by both, accepted by neither.

Many-to-One Synchronization does not work in Interface Automata a?a!

Many-to-One Synchronization does not work in Interface Automata a! Incompatible: neither can accept a!.

Ticc uses Sociable Interfaces For a in the language: a? a! a is not generated as output, but a can be accepted as input. a can be generated as output, but it cannot be accepted as input. a can neither be generated as output, nor accepted as input. [dA, Faella, et al. FROCOS 05]

Ticc uses Sociable Interfaces For a in the language: a? a! a? a! a can be generated as output, and a can be accepted as input. a is not generated as output, but a can be accepted as input. a can be generated as output, but it cannot be accepted as input. a can neither be generated as output, nor accepted as input. [dA, Faella, et al. FROCOS 05] new in sociable interfaces

Product of sociable interfaces 1 3 a? A B 1A 3B a?

1 2 a! A B a? 1A 2B a! Product of sociable interfaces

1 3 a? 2 a! A B a? 1A 3B a? 2B a! Product of sociable interfaces

1 3 a? 2 a! A C 1A 3C a! a! from 1 has no corresponding a? from A locally incompatible state Product of sociable interfaces

1 3 a? 2 a! A B a? C a! 1A 3B a? 3C a! 2B a! Product of sociable interfaces

X Incompatible fire? fd! smoke1? fire! Control unit Detector 1 smoke2? fire! Detector 2

X Incompatible fire? fd! smoke1? fire! Control unit Detector 1 smoke2? fire! Detector 2 Not accepted by all other components

X Compatible fire? fd! smoke1? fire! Control unit Detector 1 smoke1? fire? smoke1? fire? smoke2? fire! Detector 2 smoke2? fire? smoke2? fire?

Ticc Model t=0 t=1 t=2 smoke2? fire! Detector 2 smoke2? fire? smoke2? fire? module FireDetector2: var t: [0..2] initial: t=0 input smoke2: { local: t=0 ==> t':=1 else true ==> // do nothing } output fire: { t=1 ==> t'=2 } input fire: { } // disregard endmodule

What feedback should Ticc give? Naive belief: Ticc will tell us when components are incompatible. Reality: Most components are compatible: in an environment that does nothing, often nothing (bad) happens. ) We need more diagnostic information...

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Example: A detector that can be disabled s=0 s=1 s=2 fire? fd! t=0 t=1 t=2 smoke1? fire! Detector s=3 disable? Control Unit disable?

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) What happens if we forget the disable? s=0 s=1 s=2 fire? fd! t=0 t=1 t=2 smoke1? fire! Detector s=3 disable? Control Unit disable?

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) s=0 s=1 s=2 fire? fd! t=0 t=1 t=2 smoke1? fire! Detector s=3 disable? Control Unit What happens if we forget the disable?

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) s=0 s=1 s=2 fire? fd! t=0 t=1 t=2 smoke1? fire! Detector s=3 disable? Control Unit s=0, t=0 s=0, t=1 s=1, t=2 smoke1? fire! fd! s=3, t=0 s=3, t=1 smoke1? disable? fire! The control unit cannot accept fire! once disabled (s=3) What happens if we forget the disable?

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) s=0, t=0 s=0, t=1 s=1, t=2 smoke1? fire! fd! s=3, t=0 s=3, t=1 smoke1? disable? fire! Is there an environment where the components work together? ) does Input have a strategy s.t., whatever Output does, the incompatibility does not occur? What happens if we forget the disable? Locally incompatible state

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) s=0, t=0 s=0, t=1 s=1, t=2 smoke1? fire! fd! s=3, t=0 s=3, t=1 smoke1? disable? Is there an environment where the components work together? ) does Input have a strategy s.t., whatever Output does, the incompatibility does not occur? YES. (Compatibility does not give us information here) What happens if we forget the disable? Locally incompatible state

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) s=0, t=0 s=0, t=1 s=1, t=2 smoke1? fire! fd! s=3, t=0 s=3, t=1 smoke1? disable? The interesting question is: What has become impossible? (What environment inputs are no longer enabled?) What question should we ask? Locally incompatible state

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) s=0, t=0 s=0, t=1 s=1, t=2 smoke1? fire! fd! s=3, t=0 s=3, t=1 smoke1? disable? Given an action, e.g., smoke?, Ticc gives a path such that: Ticc Feedback 1.Starts from an initial state 2.Goes to the action taking only good steps. 3.Takes an instance of the action that has become prohibited. 4. Continues, taking only output steps, until an incompatibility is reached.

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Ticc Feedback Restriction of action a: a? Input and output actions, in the good states. Output actions only, in the pruned states. Locally incompatible state

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) send!msg! ok! ack? nack? Ticc Feedback s=0s=1s=2s=3s=4 s=6 s=5 send! ack? nack?

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Games and Global Variables are a difficult mix a! may want to update a global variable x. The module emitting a! can communicate a value to other modules by writing into x. a? may want to update a local variable y. The module receiving a? may want to update its internal state as a consequence. But, when a! and a? synchronize, only one of Input/Output should be able to take decisions (otherwise, not a game). ) Updates by input actions are deterministic.

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Output Actions: Global + Local Update localglobal localglobal Current state Next state a! updates

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Input Actions: Global Assumptions Current state localglobal Next state localglobal Assumption on how action a!, emitted from another module, can update the global variables. assumption a?

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Current state localglobal Next state localglobal The module receiving a? can look at the current state, and at the new values of the global variables, to update its local variables (communication). The update must be deterministic. a? Input Actions: Local Update update (det)

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) I/O Synchronization and Communication local of Pglobal local of Pglobal local of Q Check that gupd implies gasm (the output update satisfies the input assumption) P || Q a! gupdgasm a? lupd

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) I/O Synchronization and Communication local of Pglobal local of Pglobal local of Q P || Q a! gupdgasm a? lupdupdate (det) All new values are determined by the emitter of a! (the result is an Output move).

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) A House Repair Example Many things can break, repair-people are called to fix them. Repair people want to work alone in a room: before starting, they check that the room is not busy, and assume others do the same. Except, a rude electrician does not care if anyone is already working on the kitchen. K itchen L ivingRm B athRm Bed R m Electrical Floors Walls Dirt Plumbing breaks fixes

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Ticc: Features and Capabilities Additional features: CTL model-checking, (soon ATL), simulation,... The tool is written in Ocaml, it relies on the MDD package cudd/glu [Somenzi et al.] Efficient: uses saturation techniques for symbolic exploration [Ciardo, Yu CHARME 2005] GPL licence, lots (we hope) of documentation.

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Does it work in practice? Certainly better than not having input assumptions. –One can use *: { } as the everything-goes assumption. –Gives guidance, very little to lose. Efficient –Many problems reduce to reachability, saturation works great. Sometimes weak guidance –When Ticc complains, there is a good reason. –But at times, it does not catch problems until several components are composed. Uses its own input language. –The language is flexible for composition, but poor (right now) for datatype support (boolean and integer range). –Will anyone code in it? If the ideas are useful, others will implement them in industrial tools.

Taormina, June 30, 2003L. de Alfaro - Intl. Symp. on Verification (Theory and Practice) Future work Better guidance Local checks –Check compatibility pairwise, or in small groups of components. Real-time implementation –Its in the works... Sat-based algorithms –They would be a good fit! Come and use the tool, hack its code, modify it, etc etc! Its fun!