A Formal (proved) Approach to Discrete System Development Modeling - PowerPoint PPT Presentation

Observing Invariants f f f f 1 r a a a a b r b b b n c n c n r c n c n+1 r a a a g g b b g c g inv 3 : r ∈ 1 .. n + 1 inv 4 : g = (1 .. r − 1) ✁ f 40

Proving Theorem - Our theorem is then easy to prove prp 1 : n ∈ N prp 2 : f ∈ 1 .. n → D inv 3 : r ∈ 1 .. n + 1 inv 4 : g = (1 .. r − 1) ✁ f thm 1 : r = n + 1 g = f ⇒ 41

Another Summary of the Protocol Model Set: D Constants: n, f Variables: r, g prp 1 : n ∈ N inv 3 : r ∈ 1 .. n + 1 prp 2 : f ∈ 1 .. n → D inv 4 : g = 1 .. r − 1 ✁ f = receive � = when init � r ≤ n begin g := ∅ then r := 1 g := g ∪ { r �→ f ( r ) } r := r + 1 end end 42

More Modeling Conventions - The assignment: g := g ∪ { r �→ f ( r ) } - can be re-written g ( r ) := f ( r ) - Because r is not in the domain of g (more to come) since we have inv 4 : g = 1 .. r − 1 ✁ f 43

A Better Summary of the Protocol Model Set: D Constants: n, f Variables: r, g prp 1 : n ∈ N inv 3 : r ∈ 1 .. n + 1 prp 2 : f ∈ 1 .. n → D inv 4 : g = 1 .. r − 1 ✁ f = receive � = when init � r ≤ n begin g := ∅ then r := 1 g ( r ) := f ( r ) r := r + 1 end end 44

What is to be Proved - Our task is not finished - So far we have just observed that the invariants are maintained - Observing is not enough - We want to make precise what we have to prove 45

Transforming Assignments: Before-After Predicates - Assignments are substitutions - We shall transform them into before-after predicates - Given constants c , variables v , and an assignment of the form v := E ( c, v ) - It can be mechanically transformed (by a tool) into the predicate v ′ = E ( c, v ) 46

Example: Event receive These two forms of event receive are equivalent (more to come) = = receive receive � � when when r ≤ n r ≤ n then then g ′ = g ∪ { r �→ f ( r ) } g ( r ) := f ( r ) r ′ = r + 1 r := r + 1 end end - We shall use the left form when writing models - We shall use the right form when proving them 47

Invariant Preservation Statement - Given constants c , properties P ( c ) , variables v , and invariant I ( c, v ) - Given an event of the form when G ( c, v ) then v ′ = E ( c, v ) end P ( c ) I ( c, v ) G ( c, v ) - We have to prove v ′ = E ( c, v ) ⇒ I ( c, v ′ ) 48

Simplification P ( c ) P ( c ) I ( c, v ) I ( c, v ) G ( c, v ) which simplifies to G ( c, v ) v ′ = E ( c, v ) ⇒ ⇒ I ( c, E ( c, v )) I ( c, v ′ ) - This statement can be generated by a tool 49

Statement to be proved prp 1 : n ∈ N inv 3 : r ∈ 1 .. n + 1 prp 2 : f ∈ 1 .. n → D inv 4 : g = 1 .. r − 1 ✁ f n ∈ N = f ∈ 1 .. n → D receive � r ∈ 1 .. n + 1 when r ≤ n g = 1 .. r − 1 ✁ f r ≤ n then g ′ = g ∪ { r �→ f ( r ) } ⇒ r ′ = r + 1 g ∪ { r �→ f ( r ) } = 1 .. r + 1 − 1 ✁ f end r + 1 ∈ 1 .. n + 1 50

Semi-formal Proof n ∈ N f ∈ 1 .. n → D n ∈ N r ∈ 1 .. n + 1 f ∈ 1 .. n → D r ≤ n r ∈ 1 .. n g = 1 .. r − 1 ✁ f ⇒ ⇒ 1 .. r − 1 ✁ f ∪ { r �→ f ( r ) } = g ∪ { r �→ f ( r ) } = 1 .. r ✁ f 1 .. r + 1 − 1 ✁ f r + 1 ∈ 1 .. n + 1 r + 1 ∈ 1 .. n + 1 51

Invariant Establishment Statement - Given constants c , properties P ( c ) , variables v , and invariant I ( c, v ) - Given an initialization of the form begin v ′ = E ( c ) end - We have to prove P ( c ) P ( c ) v ′ = E ( c ) which simplifies to ⇒ ⇒ I ( c, E ( c )) I ( c, v ′ ) 52

Statement to be proved prp 1 : n ∈ N inv 3 : r ∈ 1 .. n + 1 prp 2 : f ∈ 1 .. n → D inv 4 : g = 1 .. r − 1 ✁ f init = n ∈ N � begin f ∈ 1 .. n → D g ′ = ∅ ⇒ r ′ = 1 ∅ = 1 .. 1 − 1 ✁ f 1 ∈ 1 .. n + 1 end 53

This Model of the “Protocol” is not Satisfactory Set: D Constants: n, f Variables: r, g prp 1 : n ∈ N inv 3 : r ∈ 1 .. n + 1 prp 2 : f ∈ 1 .. n → D inv 4 : g = 1 .. r − 1 ✁ f = receive � The Receiver = when init � accesses r ≤ n begin the original file g := ∅ then r := 1 g ( r ) := f ( r ) We want to distribute r := r + 1 end the file transfer end 54

Techniques of “Blue Printing” (Reminder) - Adding details on different more accurate versions - Postponing choices by having some open options - Decomposing one blue print into several - Reusing “old” blue prints (with slight changes) 55

A More Accurate Version (1) s a a r s b send c SENDER RECEIVER a a receive s b r c r SENDER RECEIVER 56

A More Accurate Version (2) s b a a r b send s c SENDER RECEIVER a a receive s b r c r SENDER RECEIVER 57

Initial Situation f s a b n c d g r 58

Send f f s a a b s b n c n c d d a g g r r 59

Receive f f f s a a a b s b s b n c n c n c d d d a a g g g a r r r 60

Send f f f f s a a a a b s b s b b n c n c n c n s c d d d d a a b g g g g a a r r r r 61

Receive f f a a b b n s c n s c d d b b g g a a r b r 62

Send f f f a a a b b b n s c n s c n c s d d d b b c g g g a a a r b b r r 63

Receive f f f f a a a a b b b b n s c n s c n c n c s s d d d d b b c c g g g g a a a a r b b b r r c r 64

First Refinement of the Protocol Model Set: D Constants: n, f, e Variables: r, g, s, d prp 3 : e ∈ D inv 5 : d ∈ D inv 6 : s ∈ 1 .. n + 1 = send � init = receive = � � when begin when s = r g := ∅ s � = r s ≤ n r := 1 then then s := 1 g ( r ) := d d := f ( s ) d := e r := r + 1 s := s + 1 end end end 65

Refinement - We have added a constant e - We have added two new variables s and d - We have modified the events receive and init - We have added a new event send - Note that the assignments in send and receive are not complete 66

Analysis of Refinement - Refining an abstract event - The problem of event completion - The problem of distinct abstract and refined spaces - “Refining” a new event - Refining initialization - Additional requirement for refinement 67

Refinement: the Situation - We have constants c - We have an abstract state with variables v - We have a refined state with variables w DISTINCT from v - We have an abstract event and a refined event of the forms when when G ( c, v ) H ( c, w ) then then v ′ = E ( c, v ) w ′ = F ( c, w ) end end - WHAT IS TO BE PROVED? 68

Refinement: the Situation (cont’d) - We have some properties P ( c ) on the constants c - We have some invariants I ( c, v ) on the abstract variables v - We also have some gluing invariants J ( c, v, w ) linking concrete variables w to abstract variables v 69

State and Event Refinement I(v’) I(v) G(c,v) Abstract Event v v’=E(c,v) J(c,v,w) J(c,v’,w’) Concrete Event w w’=F(c,w) H(c,w) 70

Correct Refinement Proof - One has to prove (more in next lecture): P ( c ) I ( c, v ) P ( c ) J ( c, v, w ) I ( c, v ) H ( c, w ) J ( c, v, w ) which w ′ = F ( c, w ) H ( c, w ) simplifies to v ′ = E ( c, v ) ⇒ ⇒ G ( c, v ) G ( c, v ) J ( c, E ( c, v ) , F ( c, w )) J ( c, v ′ , w ′ ) - This statement can be generated by a tool 71

More on Before-After Predicates: Completion - Given constants c , and distinct variables x and y , the assignment x := E ( c, x, y ) - can be transformed into the before-after predicate x ′ = E ( c, x ) y ′ = y - Variables x and y are the only variables of our model - This completion can be done mechanically by a tool 72

Completion Example: Refined Event receive These two forms of event receive are equivalent = receive � receive = when � r ≤ n when r ≤ n then g ′ = g ∪ { r �→ d } then r ′ = r + 1 g ( r ) := d s ′ = s r := r + 1 d ′ = d end end - Notice the difference between the two 73

Completion Example: New Event send These two forms of event send are equivalent = send � send = when � s = r when s = r s ≤ n s ≤ n then g ′ = g then r ′ = r d := f ( s ) d ′ = f ( s ) s := s + 1 s ′ = s + 1 end end - Notice the difference between the two 74

Abstract and Concrete Events receive ( abstract ) receive = ( refined ) receive = � � when when s � = r r ≤ n then then g ( r ) := f ( r ) g ( r ) := d r := r + 1 r := r + 1 end end - These events deal with the same variables g and r - This cannot be the case - Abstract and concrete states must have distinct variables - Solution: change of variables and adding a trivial gluing invariant - This can be done by a tool 75

First Refinement (Transformations made by a tool) prp 3 : e ∈ D inv 7 : r 1 = r inv 5 : d ∈ D inv 8 : g 1 = g inv 6 : s ∈ 1 .. n + 1 = send � = = init receive � � when begin when s = r 1 g 1 := ∅ s � = r 1 s ≤ n r 1 := 1 then then s := 1 g 1 ( r 1 ) := d d := f ( s ) d := e r 1 := r 1 + 1 s := s + 1 end end end 76

To be proved for Refinement of Event receive (1) ( refined ) receive = � ( abstract ) receive = when � s � = r 1 when r ≤ n then g ′ 1 = g 1 ∪ { r �→ d } then g ′ = g ∪ { r �→ f ( r ) } r ′ 1 = r 1 + 1 r ′ = r + 1 s ′ = s d ′ = d end end inv 6 : s ∈ 1 .. n + 1 inv 7 : r 1 = r inv 8 : g 1 = g 77

To be proved for Refinement of Event receive (2) s ∈ 1 .. n + 1 r 1 = r g 1 = g P ( c ) s � = r 1 I ( c, v ) g ′ 1 = g 1 ∪ { r �→ d } J ( c, v, w ) r ′ 1 = r 1 + 1 H ( c, w ) g ′ = g ∪ { r �→ f ( r ) } w ′ = F ( c, w ) r ′ = r + 1 v ′ = E ( c, v ) s ′ = s ⇒ d ′ = d G ( c, v ) ⇒ J ( c, v ′ , w ′ ) r ≤ n r ′ 1 = r ′ g ′ 1 = g ′ 78

Informal Proof: Applying Equalities s ∈ 1 .. n + 1 r 1 = r g 1 = g s � = r 1 g ′ 1 = g 1 ∪ { r �→ d } s ∈ 1 .. n + 1 r ′ 1 = r 1 + 1 s � = r g ′ = g ∪ { r �→ f ( r ) } ⇒ r ′ = r + 1 r ≤ n s ′ = s r + 1 = r + 1 d ′ = d g ∪ { r �→ d } = g ∪ { r �→ f ( r ) } ⇒ r ≤ n r ′ 1 = r ′ g ′ 1 = g ′ 79

What remains to be proved s ∈ 1 .. n + 1 s ∈ 1 .. n + 1 s � = r s � = r ⇒ ⇒ r ≤ n r ≤ n r + 1 = r + 1 d = f ( r ) g ∪ { r �→ d } = g ∪ { r �→ f ( r ) } This cannot be proved. But the following invariants are suggested inv 9 : s ∈ r .. r + 1 inv 10 : s � = r ⇒ d = f ( r ) 80

Observing the invariant s ∈ r .. r + 1 f f f f a a a a b b b b n s c s (3) c n c n c s (4) s d d d d b b c c g g g g a a a a r b b b r (3) r (3) c r 81

Observing the invariant s � = r ⇒ d = f ( r ) f f f f a a a a b b b b n s c n s c n c n c s (4) s d d d=f(3) d b b c c g g g g a a a a r b b b r r (3) c r 82

But the New Invariants Have to be Proved - After applying equalities again, we obtain s ∈ 1 .. n + 1 s ∈ 1 .. n + 1 s ∈ r .. r + 1 d = f ( r ) s � = r ⇒ d = f ( r ) s = r + 1 s � = r ⇒ ⇒ r ≤ n r ≤ n s ∈ r + 1 .. r + 2 s ∈ r + 1 .. r + 1 + 1 s � = r + 1 ⇒ d = f ( r + 1) s � = r + 1 ⇒ d = f ( r + 1) d = f ( r ) d = f ( r ) 83

The Final Step s ∈ 1 .. n + 1 d = f ( r ) s = r + 1 r + 1 ∈ 1 .. n + 1 ⇒ ⇒ r ≤ n r ≤ n s ∈ r + 1 .. r + 2 r + 1 ∈ r + 1 .. r + 2 s � = r + 1 d = f ( r + 1) ⇒ d = f ( r ) All this can be done by a tool 84

Adding New Events in a Refinement - Each new event must (in general) refine skip - New events must not take control for ever - For this, they all decrease a variant V ( c, w ) - For a new event of the form P ( c ) I ( c, v ) when J ( c, v, w ) S ( c, w ) S ( c, w ) One has w ′ = K ( c, w ) then to prove w ′ = K ( c, w ) ⇒ J ( v, w ′ ) end 0 ≤ V ( c, w ′ ) V ( c, w ′ ) < V ( c, w ) 85

To be proved for Refinement of Event send s ∈ 1 .. n + 1 s ∈ r 1 .. r 1 + 1 s � = r 1 ⇒ d = f ( r 1 ) = send � r 1 = r when g 1 = g s = r 1 s = r 1 s ≤ n s ≤ n then d ′ = f ( s ) d ′ = f ( s ) s ′ = s + 1 s ′ = s + 1 r ′ 1 = r 1 r ′ 1 = r 1 g ′ 1 = g 1 g ′ 1 = g 1 ⇒ end s ′ ∈ 1 .. n + 1 s ′ ∈ r ′ 1 .. r ′ 1 + 1 s ′ � = r ′ d ′ = f ( r ′ 1 ) ⇒ The variant V is n + 1 − s 1 0 ≤ n + 1 − s ′ n + 1 − s ′ < n + 1 − s 86

Informal Proof: Applying Equalities s ∈ 1 .. n + 1 s ∈ r 1 .. r 1 + 1 s � = r 1 ⇒ d = f ( r 1 ) r 1 = r r ∈ 1 .. n + 1 g 1 = g r ∈ r .. r + 1 s = r 1 r � = r ⇒ d = f ( r ) s ≤ n r ≤ n d ′ = f ( s ) ⇒ s ′ = s + 1 r + 1 ∈ 1 .. n + 1 r ′ 1 = r 1 r + 1 ∈ r .. r + 1 g ′ 1 = g 1 r + 1 � = r ⇒ f ( r ) = f ( r ) ⇒ 0 ≤ n + 1 − ( r + 1) s ′ ∈ 1 .. n + 1 n + 1 − ( r + 1) < n + 1 − r s ′ ∈ r ′ 1 .. r ′ 1 + 1 s ′ � = r ′ d ′ = f ( r ′ 1 ) ⇒ 1 0 ≤ n + 1 − s ′ n + 1 − s ′ < n + 1 − s 87

Informal Proof: Applying Simple Reasoning r ∈ 1 .. n + 1 r ∈ r .. r + 1 r ∈ 1 .. n r � = r ⇒ d = f ( r ) r ≤ n r ≤ n ⇒ ⇒ r + 1 ∈ 1 .. n + 1 r + 1 ∈ 1 .. n + 1 f ( r ) = f ( r ) r + 1 ∈ r .. r + 1 0 ≤ n − r r + 1 � = r ⇒ f ( r ) = f ( r ) n − r < n − r + 1 0 ≤ n + 1 − ( r + 1) n + 1 − ( r + 1) < n + 1 − r - Such a proof could be made by a tool 88

Refinement of Initialization - We have constants c and properties P ( c ) - We have an abstract state with variables v - We have a refined state with variables w DISTINCT from v - We have a gluing invariant J ( c, v, w ) - We have an abstract init and a refined init of the forms P ( c ) v ′ = E ( c ) begin begin v ′ = E ( c ) w ′ = F ( c ) w ′ = F ( c ) To prove end end ⇒ J ( c, v ′ , w ′ ) 89

To bo Proved for init init = � e ∈ D g ′ = ∅ begin g ′ = ∅ r ′ = 1 r ′ = 1 g ′ 1 = ∅ end r ′ 1 = 1 s ′ = 1 d ′ = e ⇒ = init � d ′ ∈ D begin s ′ ∈ 1 .. n + 1 g ′ 1 = ∅ s ′ ∈ r ′ .. r ′ + 1 r ′ 1 = 1 s ′ � = r ′ ⇒ d ′ = f ( r ′ ) s ′ = 1 r ′ = r ′ d ′ = e 1 g ′ = g ′ end 1 90

Informal Proof: Applying Equalities e ∈ D g ′ = ∅ e ∈ D r ′ = 1 ⇒ g ′ 1 = ∅ e ∈ D r ′ 1 = 1 1 ∈ 1 .. n + 1 s ′ = 1 1 ∈ 1 .. 1 + 1 d ′ = e 1 � = 1 ⇒ e = f (1) 1 = 1 ⇒ d ′ ∈ D ∅ = ∅ s ′ ∈ 1 .. n + 1 s ′ ∈ r ′ .. r ′ + 1 s ′ � = r ′ ⇒ d ′ = f ( r ′ ) r ′ = r ′ Such a proof could 1 g ′ = g ′ be made by a tool 1 91

Additional Requirement for Refinement - A system stops when all the guards of its events are false - When a refinement stops, its abstraction must have stopped - In other words: no early stop for the refinement - We have thus to prove one of the following all refined guards false some abstract guards true ⇒ ⇒ all abstract guards false some refined guards true 92

Additional Requirement to be proved send = � ( abs ) receive = ( ref ) receive = � � when when when s = r r ≤ n s � = r s ≤ n then then then g ( r ) := f ( r ) g ( r ) := d d := f ( s ) r := r + 1 r := r + 1 s := s + 1 end end end To be proved r ≤ n r ≤ n s = r simplified to ⇒ ⇒ s � = r ∨ ( s = r ∧ s ≤ n ) s ≤ n 93

Some Ideas for a Second Refinement? Set: D Constants: n, f, e Variables: r, g, s, d prp 3 : e ∈ D inv 9 : s ∈ r .. r + 1 inv 5 : d ∈ D inv 10 : s � = r ⇒ d = f ( r ) inv 6 : s ∈ 1 .. n + 1 = send � init = receive = � � when begin when s = r g := ∅ s � = r s ≤ n r := 1 then then s := 1 g ( r ) := d d := f ( s ) d := e r := r + 1 s := s + 1 end end end 94

Third Version (1) parity(s) a a r s b send c SENDER RECEIVER a a receive s b r c parity(r) SENDER RECEIVER 95

Third Version (2) parity(s) b a a r b send s c SENDER RECEIVER a a receive s b r c parity(r) SENDER RECEIVER 96