Presentation is loading. Please wait.

Presentation is loading. Please wait.

Abstraction and Compositional Verification Techniques for Asynchronously Communicating Components Marjan Sirjani Tehran University, IPM FMCO’06 Amsterdam.

Published byBernice Booth Modified over 9 years ago

Similar presentations

Presentation on theme: "Abstraction and Compositional Verification Techniques for Asynchronously Communicating Components Marjan Sirjani Tehran University, IPM FMCO’06 Amsterdam."— Presentation transcript:

1 Abstraction and Compositional Verification Techniques for Asynchronously Communicating Components Marjan Sirjani Tehran University, IPM FMCO’06 Amsterdam 7-10 November 2006

2 M. Sirjani, FMCO'062 A joint work with Ali Movaghar Frank de Boer Acknowledgements to Michael Huth Mohammad Reza Mousavi Rebeca Group at Tehran and Sharif Universities

3 M. Sirjani, FMCO'063 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

4 M. Sirjani, FMCO'064 Motivation Establishing a formal verification method, easy to use for practitioners, for developing reliable systems in concurrent and distributed applications. Formal verification method: Modeling language + Verification mechanism

5 M. Sirjani, FMCO'065 The Idea Actor-based modeling language, plus component notion, and formal verification support. Asynchronous message passing in actor-based modeling  makes the verification problem difficult Inherent modularity and encapsulation  provide some solutions: abstraction and modular verification

6 M. Sirjani, FMCO'066 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

7 M. Sirjani, FMCO'067 Actor A reference model for concurrent computation Consisting of concurrent, distributed active objects Proposed by Hewitt as an agent-based language (MIT, 1971) Developed by Agha as a concurrent object- based language (Illinois, since 1984)

8 M. Sirjani, FMCO'068 Rebeca Reactive object language An operational interpretation of actor language Formal semantics Abstraction and Compositional verification approach Model checking tool Introduced by Sirjani and Movaghar, 2001

9 M. Sirjani, FMCO'069 Key Features of Rebeca Actor-based computational model Units of concurrency and distribution: Reactive objects Simple and natural Objects are threads. Formal semantics Labeled transition system A solid basis for verification

10 M. Sirjani, FMCO'0610 Key Features … Asynchronous communication Increases the decoupling Buffers lead to state space explosion in model checking Abstraction and compositional verification approaches Reduce the state space Exploite the actor-based semantics to abstract the model Preserving a set of behavioral specifications in temporal logic

11 M. Sirjani, FMCO'0611 Other Features Object-based language, Java like syntax Encapsulation of data and process, no shared variable Easy to use by software engineers Tool supported Model checking Rebeca code using back-end model checkers Automated abstraction and compositional verification Symmetry and static Partial order reduction

12 M. Sirjani, FMCO'0612 Added Feature Grouping a set of reactive objects as an open component Allow a set of more tightly coupled objects to be grouped as a component A higher level of abstraction in software design Considering a strategy to keep the verification theory sound

13 SMV Promela (NuSMV) (Spin) Back-End Model Checkers Compositional Verification Decomposing the model into components Composing the model from re-usable components Rebeca Language Actor-based Properties Closed model Components Rebeca Verifier Tools Abstraction Modere Rebeca Direct Model Checker Partial order reduction - Symmetry

14 M. Sirjani, FMCO'0614 Rebeca Model Communication: Asynchronous message passing Unbounded message queue for each rebec No explicit receive Computation: Take a message from top of the queue and execute it Event-driven

15 M. Sirjani, FMCO'0615 In the execution of a message server, a rebec may Execute an assignment Evaluate a condition Send a message The messages are asynchronous No-way blocking (sender, receiver) No explicit receive, arrives in the message queue of the receiver

16 M. Sirjani, FMCO'0616 Dynamic Behavior Dynamic topology Dynamic rebec creation (runtime) (not considered in compositional verification)

17 M. Sirjani, FMCO'0617 Operational Semantics The state of a rebec, is the valuation of state variables, and the unbounded buffer (queue) for incoming messages. The state of the system, is the product of local object states A state transition: an atomic execution of a method off the top of the rebec’s queue.

18 M. Sirjani, FMCO'0618 An Example: Bridge Controller There is a two-way bridge. Trains may arrive at each side. At the same time two trains should not be on the bridge. There are green/red lights on each side. A train goes on the bridge if the light is green.

19 Train1 Bridge Controller Train2 Arrive YouMayPass Arrive YouMayPass Leave passed

20 Example: Rebeca code reactiveclass Train { knownobjects {BridgeController controller;} statevars{ … } msgsrv … … } reactiveclass BridgeController { knownobjects{Train t1; Train t2;} statevars{ … } msgsrv … … } main { BridgeController theController (t1, t2); Train t1 (theController); Train t2 (theController); }

21 Trains reactiveclass Train(3) { knownobjects … statevars { boolean onTheBridge; } msgsrv initial() { onTheBridge = false; self. ReachBridge(); } msgsrv YouMayPass(){ onTheBridge = true; self.Passed(); } msgsrv Passed(){ onTheBridge = false; controller.Leave(); self.ReachBridge(); } msgsrv ReachBridge(){ controller.Arrive(); }

22 Bridge Controller reactiveclass BridgeController(3) { knownobjects … statevars { boolean isWaiting1; boolean isWaiting2; boolean signal1; boolean signal2; } msgsrv initial() { signal1 = false;/* red */ signal2 = false;/* red */ isWaiting1 = false; isWaiting2 = false; } msgsrv Arrive(){ … } msgsrv Leave(){ … }

23 M. Sirjani, FMCO'0623 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

24 M. Sirjani, FMCO'0624 Formal Verification Two general approaches Model checking: Algorithmic verification Theorem proving: Deductive verification

25 M. Sirjani, FMCO'0625 Model Checking of Real Systems State explosion problem Solution: Modularity Abstraction

26 M. Sirjani, FMCO'0626 Compositional Verification 1. proving properties of components (as open systems in an arbitrary environment) by model checking, and 2. deducing the whole system’s property from the properties of its components. C |= P C’ |= Q P  Q  R ----------- C || C’ |= R

27 M. Sirjani, FMCO'0627  Useful if the model is inherently modular.  Environment Problem. Note: We need assume-guarantee reasoning. We only consider LTL and ACTL properties.

28 M. Sirjani, FMCO'0628 Inherent Modularity in Rebeca Rebecs are inherently Independent, decoupled, encapsulated Because of Asynchronous message passing no explicit receive statement no shared variables => Leads to natural modularity and abstraction techniques

29 M. Sirjani, FMCO'0629 Rebeca verification approach Exploit the inherent modularity and encapsulation of the model to apply Compositional verification Property preserving abstraction Can be used for any system based on asynchronous message passing and actor-based computation.

30 M. Sirjani, FMCO'0630 Compositional verification details … Decompose a model into components, verify some specific properties for these components, and then deduce the system’s property from the properties of its components. This deduction is sound, due to the weak simulation relation. (between a component in a model and its parallel composition with another arbitrary component in the same model.)

31 M. Sirjani, FMCO'0631 Decompose a model into components: Model the environment as incoming messages (external messages): M={C,E c } Abstracting the environment from its concrete behavior (state variables). Abstract the queue from external messages: C a

32 Decomposing a system into components: Internal messages: coming from internal rebecs External messages: coming from external rebecs.

33 M. Sirjani, FMCO'0633 Semantics of a Component Values for all variables of all internal rebecs. A multi-queue: one message-queue for each internal rebec. A set of external messages always present. Properties: based on rebecs’ state variables.

34 M. Sirjani, FMCO'0634 The Environment: Automatic Generation The Environment of a component C: E C sending all the possible messages to C Nondeterministically Unboundedly E C can be automatically derived from the system. No state variable Servicing no messages Just sending messages to C The composition of C and E C makes a closed model M=(C, E C ).

35 Bridge Controller Example Train1 Bridge Controller Arrive YouMayPass Arrive YouMayPass Leave passed Receiving ‘Arrive’ or ‘Leave’ from the environment, arbitrarily (not blocking the component).

36 Bridge Controller Example

37 M. Sirjani, FMCO'0637 Abstracting the Message Queue No external messages (messages coming from E C ) in the Queue External messages are assumed to be always present and are modeled by transitions of C a.

38 M. Sirjani, FMCO'0638 Bridge Controller Example Train as a component

39 s0s0 s3s3 s2s2 s1s1 sksk... External messages Internal messages e1 e2 e3 i1 e1e2e3 … i1 slsl i2 Multi-queue Constant set States and Transition

40 Formally speaking: Let ∑(M) be the transition system of M={C,E c } ∑(C a ) be the transition system generated by the transition relation considering queue abstraction ∑(M’) be the transition system of any model M’ containing C We have the following weak simulation relations: ∑(C a ) weakly simulates ∑(M) (Queue Abstraction) ∑(M) weakly simulates ∑(M’) (Component Composition)

41 We have the following weak simulation relations: ∑(C a ) ≤ ∑(M) (Queue Abstraction) ∑(M) ≤ ∑(M’) (Component Composition) And the property preservation theorem Safety properties (LTL-X, ACTL-X) are preserved due to weak simulation. Hence ∑(C a ) |= φ → ∑(M) |= φ, for M={C,E c } ∑(M) |= φ → ∑(M’) |= φ, for an arbitrary model M’ containing C.

42 M. Sirjani, FMCO'0642 Summary Having a model M, and a component C (a sub-model of M), we can derive the environment E C for C. For every safety property, specified by LTL-X or ACTL-X formula, with atomic propositions on variables in C, C a |= P implies C||C’||E C||C’ |= P

43 M. Sirjani, FMCO'0643 Abstraction Techniques: Summary Abstracting environment as external messages Bounded queues Abstracting external messages Queue length in model checking Check overflow, supported by tool Course grained interleaving Method execution as a transition (Atomic method execution) Conventional data abstractions

44 M. Sirjani, FMCO'0644 One more point: Symmetry Reduction Techniques We may use symmetry for state space reduction Like in dining philosophers (Ring-like topologies) The permutation relation shall preserve both rebec types and known-rebec relation.

45 Dining Philosophers Component C1 Component C5 Component C2 Component C3 Component C4  (  i=0,n ¬(phil i.fr  phil i+1.fl))

46 External message from the right fork of philosopher 0 External message from the left fork of philosopher 1 Component C1 Component C1: phil0 || fork0 || phil1 Property:  ( ¬(phil 0.fr  phil 1.fl))

47 M. Sirjani, FMCO'0647 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

48 M. Sirjani, FMCO'0648 What we had: decomposing a model for verification purposes in a top-down manner. What we added: notion of components re-usable parts fixed proven specifications build a system in bottom-up fashion.

49 M. Sirjani, FMCO'0649 Introducing Components Introducing components for modeling purposes, As an additional higher level of abstraction in modeling Enriching the model of computation

50 M. Sirjani, FMCO'0650 Components Components are sets of reactive objects Components interact via broadcasting asynchronous anonymous messages => No need to put a name for a component. No need to know the names of the rebecs inside a component (for communication). Just know the service you want.

51 M. Sirjani, FMCO'0651 In Extended Rebeca Rebecs within a component can be synchronized by handshaking communication mechanism. Components encapsulate tightly coupled reactive objects. Like in Globally Asynchronous Locally Synchronous Systems (GALS)

52 Extended Rebeca Components in Extended Rebeca

53 M. Sirjani, FMCO'0653 Asynchronous anonymous broadcasting (between components) Dispatching the message arrived in a component Internal broadcast to all Nondeterministic choice of one rebec (is selected to keep queue abstraction possible)

54 left-Controllerright-Controller Train1Train2

55 Extended Rebeca code: the controller reactiveclass leftController() { knownobjects { rightController right;} provided { Arrive; } required { YouMayPass; } statevars { int trainsin; } msgsrv initial() { trainsin = 0; } msgsrv Arrive (int TrainNr) { YouMayPass(TrainNr); trainsin = trainsin + 1; receive(passed); } reactiveclass rightController() { knownobjects { leftController left;} provided {Leave; } required { } statevars { int trainsout; } msgsrv initial() { trainsout = 0; } msgsrv Leave () { trainsout = trainsout + 1; left.passed( ); }

56 Extended Rebeca code: trains reactiveclass Train() { knownobjects {} provided { YouMayPass; } required { Arrive; Leave; } statevars { boolean OnTheBridge; } msgsrv initial(int MyTrainNr) { self.ReachBridge(); OnTheBridge = false; } msgsrv YouMayPass(int TrainNr) { if (TrainNr == MyTrainNr) { self.GoOnTheBridge(); OnTheBridge = true; } msgsrv GoOnTheBridge() { Leave(); OnTheBridge = false; self.ReachBridge(); } msgsrv ReachBridge() { Arrive(MyTrainNr); }

57 Extended Rebeca code: instantiating rebecs and declaring components main { Train train1(1); Train train2(2); leftController theLeftCtrl(theRightCtrl); rightController theRightCtrl(theLeftCtrl); Components: {train1}; {train2}; {theLeftCtrl, theRightCtrl}; }

58 M. Sirjani, FMCO'0658 Modular verification: the same approach Environment of a component Queue Abstraction Weak Simulation Property Preservation

59 M. Sirjani, FMCO'0659 Subtleties for queue abstraction: Initial state Internal dispatching of message

60 M. Sirjani, FMCO'0660 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

61 M. Sirjani, FMCO'0661 Rebeca Verifier Tool Enter a model in Rebeca, Translate it into SMV (or Promela), Specify properties at Rebeca source code level (based on state variables), Translate the properties to NuSMV (or Spin) format, Model check using NuSMV (or Spin).

62 M. Sirjani, FMCO'0662 Or Choose a component and then the same scenario … (compositional verification) By Amin Shali, Mahdi Jaghoori and Hamed Iravanchi, 2003-2005

63 M. Sirjani, FMCO'0663 Modere: Rebeca Model Checker Engine Direct model Checking of Rebeca Symmetry and Partial Order Reduction By Mahdi Jaghoori, 2005-2006

64 Automated Modular Verification

65

66

67

68

69 M. Sirjani, FMCO'0669 Case studies Network and Security Protocols CSMA/CD protocol Mitnick and Needham Schroeder attacks Perlman algorithm Security Sub-layer in IEEE 802.16 Hardware/Software Co-designs A pipeline CPU design Examples in TLM library of SystemC

70 M. Sirjani, FMCO'0670 A Real Case Study: ACM Module in SystemC SystemC code specification: 1 module 14 sc_methods 31 Signals (all shared) 18 sc_logic 13 variable size unsigned-int 5 shared variables Total states: 2^165 The code

71 M. Sirjani, FMCO'0671 ACM in Rebeca Stages of modeling the system: Modeling: 14 rebecs for 14 methods with their own variables Optimization: reducing number of rebecs Abstraction: removing insignificant data Compositional verification: model checking the units involved in the given properties

72 M. Sirjani, FMCO'0672 ACM: Model Checking Compositional verification for memory unit: 1 rebec Queue length: one A total of approximately 2^18 states Model checking results: Stored states: 3276 Memory used: 34507 KB Time: less than 1 minute

73 M. Sirjani, FMCO'0673 ACM: Properties Memory read and write signals can never be active at the same time [] ( (flag_start_mem_read == 1)  (flag_start_mem_write == 0) ) violated in certain situations The code Read and write signals to HDLC unit can never be active at the same time [] ( (flag_start_hdlc_read == 1)  (flag_start_hdlc_write == 0) ) violated in certain situations The code When the system starts to save an announce it starts the saving process from the first bit [] ( (flag_save == 0) && (EX(flag_save == 1))  (EX counter == 0) ) Satisfied The code

74 M. Sirjani, FMCO'0674 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

75 M. Sirjani, FMCO'0675 Conclusion Proposing an actor-based language Defining its Formal Semantics Using a Java–based syntax Abstraction and compositional verification approaches using the formal semantics and exploiting the encapsulation and inherent modularity of the model Developing a tool Modeling case studies

76 M. Sirjani, FMCO'0676 Generalizing the verification theorem for a component-based actor language

77 M. Sirjani, FMCO'0677 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

78 Related, Ongoing and Future Work Theory Symmetry in Rebeca Queue abstractions Dynamic features in verification Coordinating rebecs Tool Direct model checking Partial order reduction Rebeca to mCRL to use its model checker SystemC to Rebeca Application Network and security protocols Hardware/software co-design Web services

79 M. Sirjani, FMCO'0679 Questions?

80 Rebec Is a bowed string musical instrument, developed from the Persian instrument, the rabab.rabab Like all good medieval things, the rebec's origins can be traced to the middle east. Around the middle to the end of the ninth century AD, there are several discussions of an instrument called a rabab in Persia …

81 CCS SMV Java C Modeling languages RML I/O Automata Actor model CSP Promela Mocha FDR NuSMV Spin Java PathFinder Bandera SLAM Abstract Mathematical Too heavy Informal Verification Techniques: Deduction Model checking Programming languages Petri net needs high expertise causes state explosion Where are we standing?

Download ppt "Abstraction and Compositional Verification Techniques for Asynchronously Communicating Components Marjan Sirjani Tehran University, IPM FMCO’06 Amsterdam."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Construction process lasts until coding and testing is completed consists of design and implementation reasons for this phase –analysis model is not sufficiently.

Construction process lasts until coding and testing is completed consists of design and implementation reasons for this phase –analysis model is not sufficiently.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,

Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
ESP: A Language for Programmable Devices Sanjeev Kumar, Yitzhak Mandelbaum, Xiang Yu, Kai Li Princeton University.

ESP: A Language for Programmable Devices Sanjeev Kumar, Yitzhak Mandelbaum, Xiang Yu, Kai Li Princeton University.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
/ PSWLAB Efficient Decentralized Monitoring of Safety in Distributed System K Sen, A Vardhan, G Agha, G Rosu 20 th July 2007 Presented by.

/ PSWLAB Efficient Decentralized Monitoring of Safety in Distributed System K Sen, A Vardhan, G Agha, G Rosu 20 th July 2007 Presented by.
The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo Sawai.

The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Similar presentations

Ads by Google