Compositional Action System Derivation Introduction Using Enforced - - PowerPoint PPT Presentation

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Compositional Action System Derivation Using Enforced Properties

Brijesh Dongol and Ian J. Hayes

School of Information Technology and Electrical Engineering, The University of Queensland

MPC 2010

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Outline

1

Introduction

2

Action systems

3

Enforced properties

4

Example

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

History

• Sequential program derivation (Dijkstra, 1975)
• Safety-based concurrent program derivation (Feijen and

van Gasteren, 1999)

• Progress-based concurrent program derivation (Dongol

and Mooij, 2006 & 2008)

• Enforced properties (Dongol and Hayes, 2009), (Dongol,

2009) - PhD thesis

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

This paper

Goals Techniques 1. 2. 3. 4. Calculational development Incremental trace refinement Compositionally address safety and progress Simplify existing rules

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

This paper

Goals Techniques 1. 2. 3. 4. Calculational development Incremental trace refinement Compositionally address safety and progress Simplify existing rules Weakest precondition

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

This paper

Goals Techniques 1. 2. 3. 4. Calculational development Incremental trace refinement Compositionally address safety and progress Simplify existing rules Weakest precondition Enforced properties and frames

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

This paper

Goals Techniques 1. 2. 3. 4. Calculational development Incremental trace refinement Compositionally address safety and progress Simplify existing rules Weakest precondition Enforced properties and frames Temporal logic on relations

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

This paper

Goals Techniques 1. 2. 3. 4. Calculational development Incremental trace refinement Compositionally address safety and progress Simplify existing rules Weakest precondition Enforced properties and frames Temporal logic on relations Action systems framework

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Syntax

Statements and actions S ::= diverge | skip | x := E | x :∈ V | S1 ; S2 | x ·[[S]] A ::= b → S | A1 ⊓ A2 | x ·[[A]] Action systems A ˆ = A0 ; do A od is an action system with initialisation action A0 and main action A

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Frames

• If x is a variable of type T:

x ·[[S]] = S ; x :∈ T x ·[[b → S]] = b → x ·[[S]] x ·[[A1 ⊓ A2]] = x ·[[A1]] ⊓ x ·[[A2]]

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Frames

• If x is a variable of type T:

x ·[[S]] = S ; x :∈ T x ·[[b → S]] = b → x ·[[S]] x ·[[A1 ⊓ A2]] = x ·[[A1]] ⊓ x ·[[A2]]

• Frames allow introduction of new (internal) variables

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Frames

• If x is a variable of type T:

x ·[[S]] = S ; x :∈ T x ·[[b → S]] = b → x ·[[S]] x ·[[A1 ⊓ A2]] = x ·[[A1]] ⊓ x ·[[A2]]

• Frames allow introduction of new (internal) variables
• Frames can be turned into statements by refinement

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Refinement

Suppose s ∈ seq.Σ. We assume

• rL.s removes local variables from each state in s
• rS.s removes stuttering in s

Definition (Trace refinement) A ⊑Tr C ˆ = ∀t : Tr.C • ∃s : Tr.A • rS.(rL.s) = rS.(rL.t)

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Refinement

Suppose s ∈ seq.Σ. We assume

• rL.s removes local variables from each state in s
• rS.s removes stuttering in s

Definition (Trace refinement) A ⊑Tr C ˆ = ∀t : Tr.C • ∃s : Tr.A • rS.(rL.s) = rS.(rL.t) Lemma

If Tr.C ⊆ Tr.A , then A ⊑Tr C .

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

A temporal logic on relations

Linear temporal logic (LTL)

(Manna and Pnueli, 1992) always (), eventually (), until (U), unless (W) defined for formulas on single-state predicates

Relational linear temporal logic (RLTL)

Defined over two-state relations

• Semantics mostly the same as LTL
• Difference: For sequence of states s and RLTL formula Q,

(s, u) ⊢ Q ⇐ ⇒ ∀v : dom.s • v ≥ u ∧ v + 1 ∈ dom.s ⇒ (s, v) ⊢ Q

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Enforced properties

Definition (Enforced property)

Suppose, A is an action system and R is a RLTL formula. Action system A with enforced property R, denoted A ?R, is an action system such that

Tr.(A ?R) ˆ = {s : Tr.A | s ⊢ R}

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Enforced properties

• Given an initial action system A , suppose we want to

derive an action system that satisfies RLTL property R

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Enforced properties

• Given an initial action system A , suppose we want to

derive an action system that satisfies RLTL property R

• 1. Enforce property R on A to obtain A ?R

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Enforced properties

• Given an initial action system A , suppose we want to

derive an action system that satisfies RLTL property R

• 1. Enforce property R on A to obtain A ?R
• 2. Derive B such that A ?R ⊑Tr B and Tr.B |

= R

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Enforced properties

• Given an initial action system A , suppose we want to

derive an action system that satisfies RLTL property R

• 1. Enforce property R on A to obtain A ?R
• 2. Derive B such that A ?R ⊑Tr B and Tr.B |

= R

• 3. Hence, B satisfies R and furthermore does not need to

enforce R

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Enforced properties

• Given an initial action system A , suppose we want to

derive an action system that satisfies RLTL property R

• 1. Enforce property R on A to obtain A ?R
• 2. Derive B such that A ?R ⊑Tr B and Tr.B |

= R

• 3. Hence, B satisfies R and furthermore does not need to

enforce R

• We have rules that allow
• introduction of new enforced properties
• manipulation of existing enforced properties
• introduction of new variables (via frames)
• introduction and modification of actions

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Enforced properties

• Given an initial action system A , suppose we want to

derive an action system that satisfies RLTL property R

• 1. Enforce property R on A to obtain A ?R
• 2. Derive B such that A ?R ⊑Tr B and Tr.B |

= R

• 3. Hence, B satisfies R and furthermore does not need to

enforce R

• We have rules that allow
• introduction of new enforced properties
• manipulation of existing enforced properties
• introduction of new variables (via frames)
• introduction and modification of actions
• Each rule ensures trace refinement

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Enforced properties

Lemma

For action systems A and C , and RLTL formulae R and R′ each of the following holds: a.

A ⊑Tr A ?R

b.

A ?R ⊑Tr A ?R′ provided R′ ⇒ R

c.

A ?R ⊑Tr C ?R provided A ⊑Tr C

d.

A ?R ⊑ ⊒Tr A provided Tr.A | = R

e.

A ?(R ∧ R′) ⊑ ⊒Tr (A ?R)?R′

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Enforced properties

Lemma

For action systems A and C , and RLTL formulae R and R′ each of the following holds: a.

A ⊑Tr A ?R

b.

A ?R ⊑Tr A ?R′ provided R′ ⇒ R

c.

A ?R ⊑Tr C ?R provided A ⊑Tr C

d.

A ?R ⊑ ⊒Tr A provided Tr.A | = R

e.

A ?(R ∧ R′) ⊑ ⊒Tr (A ?R)?R′ Proof.

If Tr.C ⊆ Tr.A , then A ⊑Tr C (from previous lemma).

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Enforced properties

Definition

If A is an action, p is a predicate, and r a relation, then

A!p ˆ = [p] ; A ; [p] A!r ˆ = rel.A ∩ r

• A!p blocks if
• p does not hold prior to executing A, or
• the execution of A does not establish p
• A!r blocks if no execution of A can satisfy r

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Enforced properties

Lemma

For actions A, A1, and A2; predicates p, p1, and p2; and relations r, r1, and r2, each of the following holds: a.

A!(p1 ∧ p2) = (A!p1)!p2

b.

A!(r1 ∩ r2) = (A!r1)!r2

c.

A!p = [p] ; A provided p ⇒ A.p

d.

A!r = A provided rel.A ⊆ r

e.

(A1 ⊓ A2)!p = (A1!p) ⊓ (A2!p)

f.

(A1 ⊓ A2)!r = (A1!r) ⊓ (A2!r)

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Example - Industrial press

Weight top bot pnr motor

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Example - Industrial press

Weight top bot pnr motor

• Program variables: locked and motor
• Environment variables: top, pnr,bot, and pressed

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Requirements

Safety requirements: (locked ⇒ top ∧ motor = Off)

(1) (locked ⇒ (locked W pressed)) (2) (¬locked ∧ motor = Off ⇒

(¬locked ∧ motor = Off) W ((bot ∨ ¬pnr) ∧ ¬pressed)) (3) (pnr ∧ motor = Off ⇒ ((pnr ∧ motor = Off) W (bot ∧ ¬pressed)))

(4) (motor = On ⇒ (motor = On W locked)) (5)

Progress requirements: we say p q ⇐

⇒ (p ⇒ q)

(locked ∧ pressed) ¬locked

(6)

(¬locked ∧ ¬pnr ∧ ¬pressed) motor = On

(7)

(bot ∧ ¬pressed) motor = On

(8)

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Assumptions on the environment

Safety assumptions: (top ⇒ ¬pnr ∧ ¬bot) ∧ (bot ⇒ pnr)

(9) top, pnr, bot | (top⇒¬pnr′ ∧ ¬bot′) ∧ (¬top ∧ ¬pnr⇒¬bot′)

(pnr ⇒ ¬top′) ∧ (bot⇒pnr′)

(10)

Progress assumptions: (¬locked ∧ motor = Off) ⇒ ¬top ∧ pnr ∧ bot (11) (motor = On) ⇒ top ∧ ¬bot ∧ ¬pnr

(12)

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Initial program

Define:

Safe ˆ = (1) ∧ (2) ∧ (3) ∧ (4) ∧ (5) Prog ˆ = (6) ∧ (7) ∧ (8) RelyProg ˆ = (11) ∧ (12) env ˆ = pressed ·[[(10)]]!(9) do true → env ⊓ true → motor, locked ·[[skip]]

• d

?(Safe ∧ Prog ∧ RelyProg)

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Calculational rules

Lemma (Unless) (p ⇒ (p W q)) holds provided (p ∧ ¬q ⇒ p′ ∨ q′)

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Derivation - replace unless properties

(2) = {definition} (locked ⇒ locked W pressed) ⇐ {Lemma (unless)} (locked ∧ ¬pressed ⇒ (locked′ ∨ pressed′)) ⇐ {logic} (locked ∧ ¬locked′ ⇒ pressed)

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

• Apply similar calculation to (3), (4), (5) to obtain Safe′.
• Safe′ ⇒ Safe
• Recall A ?R ⊑Tr A ?R′ provided R′ ⇒ R

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

• Apply similar calculation to (3), (4), (5) to obtain Safe′.
• Safe′ ⇒ Safe
• Recall A ?R ⊑Tr A ?R′ provided R′ ⇒ R

do true → env ⊓ true → motor, locked ·[[skip]]

• d

?(Safe ∧ Prog ∧ RelyProg)

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

• Apply similar calculation to (3), (4), (5) to obtain Safe′.
• Safe′ ⇒ Safe
• Recall A ?R ⊑Tr A ?R′ provided R′ ⇒ R

do true → env ⊓ true → motor, locked ·[[skip]]

• d

?(Safe ∧ Prog ∧ RelyProg) ⊑Tr do true → env ⊓ true → motor, locked ·[[skip]]

• d

?(Safe′ ∧ Prog ∧ RelyProg)

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Deriving actions

• Consider action that turns the motor on

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Deriving actions

• Consider action that turns the motor on
• From calculation wp.(motor := On).Safe′, we obtain:

(motor = Off ⇒ (bot′ ∨ ¬pnr′) ∧ ¬pressed′) ∧ ¬locked

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Deriving actions

• Consider action that turns the motor on
• From calculation wp.(motor := On).Safe′, we obtain:

(motor = Off ⇒ (bot′ ∨ ¬pnr′) ∧ ¬pressed′) ∧ ¬locked

• Because controller does not modify bot, pnr, and pressed

we get action:

motor = Off ∧ (bot ∨ ¬pnr) ∧ ¬pressed ∧ ¬locked → motor := On

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Deriving actions

• Consider action that turns the motor on
• From calculation wp.(motor := On).Safe′, we obtain:

(motor = Off ⇒ (bot′ ∨ ¬pnr′) ∧ ¬pressed′) ∧ ¬locked

• Because controller does not modify bot, pnr, and pressed

we get action:

motor = Off ∧ (bot ∨ ¬pnr) ∧ ¬pressed ∧ ¬locked → motor := On

• Similarly, we get for actions that turn motor off and modify

lock

motor = On ∧ top → motor, locked := Off, true locked ∧ motor = Off ∧ pressed → locked := false

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Deriving actions

• Consider action that turns the motor on
• From calculation wp.(motor := On).Safe′, we obtain:

(motor = Off ⇒ (bot′ ∨ ¬pnr′) ∧ ¬pressed′) ∧ ¬locked

• Because controller does not modify bot, pnr, and pressed

we get action:

motor = Off ∧ (bot ∨ ¬pnr) ∧ ¬pressed ∧ ¬locked → motor := On

• Similarly, we get for actions that turn motor off and modify

lock

motor = On ∧ top → motor, locked := Off, true locked ∧ motor = Off ∧ pressed → locked := false

• These actions are guaranteed to satisfy Safe′

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Action introduction

Lemma

If grd.(A!p) ⇒ grd.(A!p) ∧ b

do A ⊓ (true → x ·[[skip]]) od ?p ⊑ do A ⊓ (b → x := v) od ?p

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Action introduction

Recalling that A ?R ⊑Tr C ?R provided A ⊑Tr C , we obtain:

do true → env ⊓ true → motor, locked ·[[skip]]

• d

?(Safe′ ∧ Prog ∧ RelyProg)

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Action introduction

Recalling that A ?R ⊑Tr C ?R provided A ⊑Tr C , we obtain:

do true → env ⊓ true → motor, locked ·[[skip]]

• d

?(Safe′ ∧ Prog ∧ RelyProg) ⊑Tr do true → env ⊓ motor = Off ∧ (bot ∨ ¬pnr) ∧ ¬pressed ∧ ¬locked → motor := On ⊓ motor = On ∧ top → motor, locked := Off, true ⊓ locked ∧ motor = Off ∧ pressed → locked := false

• d

?(Prog ∧ RelyProg) Safe′

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example

Conclusion

• In this paper:
• Rules for calculational proofs of temporal formulae
• Frames and enforced properties work together to allow

incremental refinement

• Relational linear temporal logic supports compositionality
• Theory supports proofs of safety and progress properties
• Fairness assumptions can be encoded using enforced

properties

• Future work:
• Real-time controllers - teleo-reactive programs, sampling

logic

• Tool support