Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards a Compositional SPIN Corina Păsăreanu QSS, NASA Ames Research Center Dimitra Giannakopoulou RIACS/USRA, NASA Ames Research Center.

Published byJoshua Heath Modified over 9 years ago

Similar presentations

Presentation on theme: "Towards a Compositional SPIN Corina Păsăreanu QSS, NASA Ames Research Center Dimitra Giannakopoulou RIACS/USRA, NASA Ames Research Center."— Presentation transcript:

1 Towards a Compositional SPIN Corina Păsăreanu QSS, NASA Ames Research Center Dimitra Giannakopoulou RIACS/USRA, NASA Ames Research Center

2 Main objective: An integrated environment that supports software development and verification/validation throughout the lifecycle; detect integration problems early, prior to coding Approach: Compositional (“divide and conquer”) verification, for increased scalability, at design level Use design level artifacts to improve/aid coding, testing and fault containment Compositional Verification TestingDesignCodingRequirementsDeployment C1C1 C2C2 C1C1 C2C2 M1M1 M2M2 models implementations Cost of detecting/fixing defects increases Integration issues handled early Project Overview

3 Towards a Compositional SPIN Learning based compositional analysis for increased scalability [TACAS’03] – LTSA tool Contributions –Generic tool architecture for learning based assume guarantee reasoning Handles multiple components Uses SPIN to answer model checking questions Other tools can be used (e.g. Java PathFinder) –Heuristic for automated generation of interface specifications –Application to realistic resource arbiter for a spacecraft Significant memory gains over “traditional” non-compositional model checking

4 Outline Introduction Background: assume-guarantee reasoning and learning Tool architecture Implementation –Using SPIN for answering learning questions –Promela subset Case study: MER Arbiter model –Description, results, discussion Conclusions and future work

5 Compositional Verification M2M2 M1M1 A satisfies P? Check P on entire system: too many states! Use the natural decomposition of the system into its components to break-up the verification task Check components in isolation: Does M 1 satisfy P? –Typically a component is designed to satisfy its requirements in specific contexts / environments Assume-guarantee reasoning: introduces assumption A representing M 1 ’s “context” Does system made up of M 1 and M 2 satisfy property P?

6 Assume-Guarantee Rules M2M2 M1M1 A satisfies P? Simplest assume-guarantee rule We can also handle symmetric rules “discharge” the assumption 1.  A  M 1  P  2.  true  M 2  A  3.  true  M 1 || M 2  P  How do we come up with the assumption? (usually a difficult manual process) Reason about triples:  A  M  P  The formula is true if whenever M is part of a system that satisfies A, then the system must also guarantee P

7 Approaches Infer assumptions automatically Two solutions developed 1.Algorithmic generation of assumption (controller); knowledge of environment is not required [ASE’02] 2.Incremental assumption computation based on counterexamples, learning and knowledge of environment [TACAS’03, SAVCBS’03 (symmetric rules)]

8 Formalisms Components modeled as finite state machines (FSM) –FSMs assembled with parallel composition operator “||” Synchronizes shared actions, interleaves remaining actions A property P is a FSM –P describes all legal behaviors –P err – determinize & complete P; bad behaviors lead to “error” –Component M satisfies P iff error state unreachable in (M || P err ) Assume-guarantee reasoning –Assumptions and guarantees are FSMs –  A  M  P  holds iff error state unreachable in (A || M || P err ) –The alphabet of A,  A, contains all environment actions that appear in P

9 Example Input insend ack Output outsend ack Order err in out in out ||

10 Computing the Weakest Assumption Given component M, property P, and the interface of M with its environment, generate the weakest environment assumption A such that: assuming A, M ╞ P Weakest means that for all environments E: (E || M ╞ P) IFF E╞ A

11 Learning for Assume-guarantee Reasoning Use an off-the-shelf learning algorithm to build appropriate assumption for the rule Process is iterative Assumptions are generated by querying the system, and are gradually refined Queries are answered by model checking Refinement is based on counterexamples obtained by model checking Termination is guaranteed Extended with symmetric rules 1.  A  M 1  P  2.  true  M 2  A  3.  true  M 1 || M 2  P 

12 Learning with L* L* algorithm by Angluin, improved by Rivest & Schapire Learns an unknown regular language U (over alphabet  ) and produces a DFA A such that L(A) = U Uses a teacher to answer two types of questions Unknown regular language U L* conjecture: A i query: string s true false remove string t add string t output DFA A such that L(A) = U true false is s in U? is L(A i )=U?

13 Learning Assumptions Use L* to generate candidate assumptions  A = (  M 1   P)   M 2 L* query: string s true false  s  M 1  P  conjecture: A i  A i  M 1  P   true  M 2  A i  true error? true false true yes false no remove counterex. add counterex. P holds in M 1 || M 2 P violated 1.  A  M 1  P  2.  true  M 2  A  3.  true  M 1 || M 2  P  Model Checking

14 Characteristics Terminates with minimal automaton A for U Generates DFA candidates A i : |A 1 | < | A 2 | < … < |A| Produces at most n candidates, where n = |A| # queries:  (kn 2 + n logm), –m is size of largest counterexample, k is size of alphabet For n components (M 1 || M 2 || … || M n ) apply algorithm recursively: –  A i  M 1  P  as before –  true  M 2 || … || M n  A i  invokes the framework

15  true  P  A i  Learning Interface Specifications Compute an assumption (as weak as possible) for a component M 1 to guarantee some property P, when environment is not available  A =  P L* query: string s true false  s  M 1  P  conjecture: A i  A i  M 1  P  true counterexample true false return A i counterexample not accurate with respect to !P || !M 1

16 Implementation in SPIN Stand-alone application –Invokes SPIN for queries and conjectures Handles only a Promela subset –Components are processes –Communication through rendezvous channels Safety properties –SPIN trace assertions Checking assume-guarantee triples –Encode assumptions into environment processes that run in parallel with components

17 Case Study Model derived from MER Resource Arbiter –Local management of resource contention between resource consumers (e.g. science instruments, communication systems) –Avoid simultaneous conflicts (e.g. driving while capturing a camera image are mutually incompatible) –Enforce orderly activity in accordance with predefined priorities encoded in a lookup table 5 resources –Comm, Drive, PanCam, Arm, Rat 5 User threads –Non-deterministically decide to use any of the 5 resources ~3000 LOC Checked several safety properties

18 Arbiter Architecture ARB U5U5 U4U4 Request, Cancel U3U3 U2U2 U1U1 Grant, Deny Rescind Property P Mutual exclusion between resources Comm and Drive can not be used at the same time

19 MER Arbiter Property Mutual exclusion between resources Comm and Drive can not be used at the same time PanCam and Arm can not be used at the same time Rat and Arm can not be used at the same time

20 Incremental Property Checking Compute A 1 … A 5 s.t.  A 1  U 1  P   A 2  U 2  A 1   A 3  U 3  A 2   A 4  U 4  A 3   A 5  U 5  A 4   true  ARB  A 5  Result P holds on U 1 ||.. || U 5 || ARB Two techniques –Recursive invocation –Interface specification Comparison with non-compositional analysis U1U1 U2U2 P A2A2 A1A1 ARB A1A1 U3U3 U4U4 A2A2 A4A4 A3A3 A3A3 U5U5 A5A5 A4A4 A5A5

21 AnalysisMemoryState SpaceTime t model t compile t run Assumption Size Monolithic544 MB3.9e+060.02s 0.8s 33.7sN/A Recursive2.6 MB10020.03s 1.1s 0.03s6.. 12 Interface2.6 MB29410.04s 1.3s 0.02s12 Analysis Results Results do not reflect the cost of generating the assumptions

22 Cost of Assumption Generation Analysisqueriesoracle1oracle2t SPIN +t Lear n Mem Learn t LTSA Mem LTSA Recursive48844815646.3s1743K42.8s20400K Interface (A 1 ) 852121818.2s508K3.07s4845K LTSA tool

23 Discussion Significant memory savings Serious time overhead Experimented with SPIN’s feature for separate compilation –Encode assumptions as never claims –Restrict search of the verifier New encoding for queries –Significant improvement –Cost of interface generation reduced from 818.213s to 185.185s

24 Conclusion and Future Work Tool architecture for compositional verification –Uses L* for automatic derivation of assumptions –Automated derivation of interface specification “Loose” integration with SPIN –Model checking for queries and conjectures Application to Arbiter case study –Significant memory gains –Serious time overhead  ; techniques to address this issue Future work –Tighter integration with SPIN –Parallel checks for queries –Investigate buffered message passing communication –Liveness (learning for infinitary regular sets) –Distinguish between read and write operations

Download ppt "Towards a Compositional SPIN Corina Păsăreanu QSS, NASA Ames Research Center Dimitra Giannakopoulou RIACS/USRA, NASA Ames Research Center."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Lecture 8: Three-Level Architectures CS 344R: Robotics Benjamin Kuipers.

Lecture 8: Three-Level Architectures CS 344R: Robotics Benjamin Kuipers.
Formal Modelling of Reactive Agents as an aggregation of Simple Behaviours P.Kefalas Dept. of Computer Science 13 Tsimiski Str. 546 24 Thessaloniki Greece.

Formal Modelling of Reactive Agents as an aggregation of Simple Behaviours P.Kefalas Dept. of Computer Science 13 Tsimiski Str Thessaloniki Greece.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Automated assume-guarantee reasoning for component verification Dimitra Giannakopoulou (RIACS), Corina Păsăreanu (Kestrel) Automated Software Engineering.

Automated assume-guarantee reasoning for component verification Dimitra Giannakopoulou (RIACS), Corina Păsăreanu (Kestrel) Automated Software Engineering.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
An Associative Broadcast Based Coordination Model for Distributed Processes James C. Browne Kevin Kane Hongxia Tian Department of Computer Sciences The.

An Associative Broadcast Based Coordination Model for Distributed Processes James C. Browne Kevin Kane Hongxia Tian Department of Computer Sciences The.
1 Learning Assumptions for Compositional Verification J. M. Cobleigh, D. Giannakopoulou and C. S. Pasareanu Presented by: Sharon Shoham.

1 Learning Assumptions for Compositional Verification J. M. Cobleigh, D. Giannakopoulou and C. S. Pasareanu Presented by: Sharon Shoham.
Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara

Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara
© 2007 Carnegie Mellon University Optimized L*-based Assume-Guarantee Reasoning Sagar Chaki, Ofer Strichman March 27, 2007.

© 2007 Carnegie Mellon University Optimized L*-based Assume-Guarantee Reasoning Sagar Chaki, Ofer Strichman March 27, 2007.
Semantics with Applications Mooly Sagiv Schrirber 317 03-640-7606 html://www.cs.tau.ac.il/~msagiv/courses/sem08.html Textbooks:Winskel The.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
A. Frank - P. Weisberg Operating Systems Introduction to Tasks/Threads.

A. Frank - P. Weisberg Operating Systems Introduction to Tasks/Threads.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
System-Level Types for Component-Based Design Paper by: Edward A. Lee and Yuhong Xiong Presentation by: Dan Patterson.

System-Level Types for Component-Based Design Paper by: Edward A. Lee and Yuhong Xiong Presentation by: Dan Patterson.

Similar presentations

Ads by Google