
Refinement Calculus for Compositional System Reasoning Viorel - PowerPoint PPT Presentation



1. Relational Interfaces and Refinement Calculus for Compositional System Reasoning
Viorel Preoteasa
Joint work with Stavros Tripakis and Iulia Dragomir
08.12.2015 Computational Logic Day 2015

2. Overview
• Motivation
• General refinement
• Relational interfaces
• Refinement calculus for reactive systems
• Liveness properties
• Modeling Simulink Diagrams

3. Motivation
• Is the system correct?
• Can we replace a subsystem by another subsystem, preserving the functionality?
• Compatibility. Is the composition of two systems meaningful?
• Can we model liveness properties?
We are interested in reactive systems – systems that repeatedly take some input from the environment and produce some output

4. Refinement
Refinement (denoted A ⊑ B):
• System A is refined by system B, or
• Informally: B can replace A in any context
• Formally:
  1. If A satisfies a property P then B satisfies P
  2. If A ⊑ A′ and B ⊑ B′ then A B ⊑ A′ B′
A B denotes some composition of systems A and B

5. Refinement
• Correctness:
  – Specification ⊑ Implementation
• Substitutability:
  – If we have B ⊑ B′, then
  – A B C ⊑ A B′ C
  – The system A B′ C satisfies all properties satisfied by A B C
• (In)Compatibility:
  – A B = Fail or A B ⊑ Fail, where
  – Fail = while true do skip, or Fail = unhandled exception, or Fail = assertion on input is false for every input

6. Interface theories
• Interface theories can express some of the properties presented above, but not liveness
  – Relational interfaces introduced by Tripakis et al., A Theory of Synchronous Relational Interfaces, ACM TOPLAS, 2011
  – Interface automata introduced by Alfaro et al., Interface Automata, FSE, ACM, 2009
• On the other hand, there are frameworks capable of expressing liveness properties, but they cannot express compatibility of systems.
  – Focus framework, Broy et al., Specification and Development of Interactive Systems: Focus on Streams, Interfaces, and Refinement, Springer, 2001

7. Relational Interfaces – Example
• Division component Divide, with inputs x, y and output z
• Contract: y ≠ 0 ∧ z = x/y
• The condition y ≠ 0 introduces a requirement on input y
• If input y = 0, then Divide fails (this is different from Fail = fails for all inputs).

8. Relational Interfaces – Composition
• Output of one component becomes the input of the second component
  (Diagram: a component with inputs a, b and outputs x, y, contract y = a + b ∧ x > 10, whose outputs feed Divide with contract y ≠ 0 ∧ z = x/y)
• The requirement on y is propagated to a and b
• Choosing a and b properly we can ensure y ≠ 0
• The composition fails if a = −b (the composition is not Fail)

9. Relational Interfaces – Incompatibility
• The two systems are incompatible
  (Diagram: a component True with input a and outputs x, y, whose outputs feed Divide with contract y ≠ 0 ∧ z = x/y)
• The component True produces non-deterministically values x and y
• By controlling a there is no possibility of ensuring y ≠ 0
• The composition of these systems is Fail, because the composition fails for every input.

10. Relational Interfaces – Limitations
• Relational interfaces cannot model liveness properties
• Semantics of relational interfaces:
  – prefix-closed sets of finite input-output traces

11. Reactive systems
• A reactive system is a machine that takes as input an infinite sequence x₀, x₁, x₂, … and outputs an infinite sequence y₀, y₁, y₂, …
• Assume a system that counts and outputs how many input values seen so far are true.
• Then
  – Input: 0,1,0,0,1,1,1,0,0, …
  – Output: 0,1,1,1,2,3,4,4,4, …

12. Our Goal
A compositional theory for reactive systems with both safety and liveness
(Diagram: component A with output x connected to component B; A: □(x ≥ 0), B: □◊(x = 1))
• A specifies that its output x is always greater than or equal to zero
• B requires that its input is infinitely often equal to one.
• The output of A is connected to the input of B.
• In our framework these components are incompatible
• We want to be able to use LTL formulas in specifications

13. Refinement Calculus for Reactive Systems
• Monotonic property transformers
  – Functions mapping sets of infinite output sequences into sets of input sequences
  – Property = set of infinite sequences
• A system A applied to a set of output sequences Q is the set of all input sequences that do not fail and produce an output sequence in Q.
• Based on the Refinement Calculus introduced by Back, On the Correctness of Refinement in Program Development, 1978

14. Refinement Calculus for Reactive Systems
This semantics enables reasoning about all features that we mentioned at the beginning:
• Correctness
• Substitutability
• Compatibility
• And also liveness properties

15. Reactive systems – Operations
The operations on reactive systems are defined in the same way as for predicate transformers
• Sequential composition = function composition:
  – (A ∘ B)(Q) = A(B(Q))
  – where Q is a set of infinite sequences.
• Refinement = point-wise subset:
  – A ⊑ B ⇔ (∀Q : A(Q) ⊆ B(Q))
• Fail(Q) = ∅
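Slides 7-9 and 15 together, as an added example that is not from the slides or the authors' tool: the property-transformer semantics instantiated on finite values instead of infinite sequences, so that Divide, the slide-8 adder, True and Fail can be composed with ∘ and compared with ⊑ by plain enumeration. The value domains AB, XS, YS and the deterministic ADDER_IMPL are constructed assumptions, not part of the slides.

```python
from fractions import Fraction
from itertools import combinations
def transformer(rel):
    """rel maps each input to the set of outputs its contract allows (empty set =
    the component fails on that input).  S(Q) is the set of inputs that do not
    fail and whose every possible output lies in Q (demonic non-determinism)."""
    return lambda Q: frozenset(i for i, outs in rel.items() if outs and outs <= Q)

def seq(A, B):
    """Sequential composition, slide 15: A's output feeds B and (A ∘ B)(Q) = A(B(Q))."""
    return lambda Q: A(B(Q))

def fail(Q):
    """Fail(Q) = ∅: the system fails for every input."""
    return frozenset()

def subsets(universe):
    u = list(universe)
    return (frozenset(c) for k in range(len(u) + 1) for c in combinations(u, k))

def refines(A, B, out_universe):
    """A ⊑ B iff ∀Q ⊆ outputs: A(Q) ⊆ B(Q), checked by enumerating every Q."""
    return all(A(Q) <= B(Q) for Q in subsets(out_universe))

# Constructed finite domains standing in for the slides' unbounded values.
AB = [Fraction(v) for v in (-1, 0, 1)]           # inputs a, b of the slide-8 block
XS = [Fraction(11), Fraction(12)]                # its x > 10, chosen non-deterministically
YS = [Fraction(v) for v in range(-2, 3)]         # its y = a + b ranges over -2..2
ZS = {x / y for x in XS for y in YS if y != 0}   # every output Divide can produce
# Divide (slide 7): contract y ≠ 0 ∧ z = x/y, so y = 0 is a failing input.
DIVIDE = transformer({(x, y): ({x / y} if y != 0 else set()) for x in XS for y in YS})
# Slide-8 front component: y = a + b and x > 10 (x picked demonically from XS).
ADDER = transformer({(a, b): {(x, a + b) for x in XS} for a in AB for b in AB})
# A deterministic implementation of the same block (assumed): always x = 11.
ADDER_IMPL = transformer({(a, b): {(Fraction(11), a + b)} for a in AB for b in AB})
# True (slide 9): any (x, y) pair, whatever the input a.
TRUE = transformer({a: {(x, y) for x in XS for y in YS} for a in AB})

def propagated_requirement():
    """Inputs (a, b) on which Adder ∘ Divide does not fail: exactly those with a + b ≠ 0."""
    return seq(ADDER, DIVIDE)(frozenset(ZS))

def true_divide_is_fail():
    """True ∘ Divide equals Fail: no choice of a can guarantee y ≠ 0 (slide 9)."""
    return all(seq(TRUE, DIVIDE)(Q) == fail(Q) for Q in subsets(ZS))

def implementation_refines_spec():
    """Adder ⊑ Adder_impl, and by substitutability Adder ∘ Divide ⊑ Adder_impl ∘ Divide."""
    pairs = {(x, y) for x in XS for y in YS}
    return refines(ADDER, ADDER_IMPL, pairs) and refines(seq(ADDER, DIVIDE), seq(ADDER_IMPL, DIVIDE), ZS)
```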

16. Simulink Example
(Diagram: input x; a Delay block with initial value a whose output is u; z := u − x with requirement z ≠ 0; y := x/z, fed back into the Delay; output z)
• t = 0: x₀; u₀ := a; z₀ := u₀ − x₀; y₀ := x₀/z₀; z₀ = u₀ − x₀ ≠ 0
• t = 1: x₁; u₁ := y₀; z₁ := u₁ − x₁; y₁ := x₁/z₁; z₁ = u₁ − x₁ ≠ 0

17. Simulink Example
• The variable u after the delay is calculated by: u₀ := a; uₙ₊₁ := xₙ/(uₙ − xₙ)
• The output is given by: zₙ := uₙ − xₙ
• The input xₙ must satisfy the following property: (∀n : uₙ ≠ xₙ)

18. Simulink Example as Property Transformer
• Our tool produces the following property transformer:
  {∀u : (u₀ = a) ∧ (∀n : uₙ₊₁ = xₙ/(uₙ − xₙ)) ⇒ (∀n : uₙ ≠ xₙ)} ∘ [z : ∃u : u = a ∧ □(u′ = x/(u − x) ∧ z = u − x)]

19. Simulink Example as Property Transformer
• Using Linear Temporal Logic:
  {∀u : u = a ∧ □(u′ = x/(u − x)) ⇒ □(u ≠ x)} ∘ [z : ∃u : u = a ∧ □(u′ = x/(u − x) ∧ z = u − x)]
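The slide-16 diagram executed step by step, as an added example that is not the authors' tool output: the recurrence u₀ := a, uₙ₊₁ := xₙ/(uₙ − xₙ), zₙ := uₙ − xₙ is run over a finite input prefix and stops at the first n with uₙ = xₙ, which is exactly where the assertion of slides 17-19 (the requirement on the input) is violated. The initial values and input prefixes used are constructed.

```python
from fractions import Fraction

def run_prefix(a, xs):
    """Run the slide-16 diagram on the finite input prefix xs with initial delay
    value a.  State: u_0 = a and u_{n+1} = x_n / (u_n - x_n); output z_n = u_n - x_n.
    Returns (zs, u_next, failed_at): the outputs produced, the delay value waiting
    for the next input, and the first n with u_n = x_n (the division by zero in the
    feedback that the assertion ∀n: u_n ≠ x_n rules out), or None if the prefix is fine."""
    u = Fraction(a)
    zs = []
    for n, x in enumerate(xs):
        x = Fraction(x)
        z = u - x
        if z == 0:                  # Divide's requirement y ≠ 0 fails at step n
            return zs, u, n
        zs.append(z)
        u = x / z                   # value stored in Delay for step n + 1
    return zs, u, None

def forbidden_next_input(a, xs):
    """The single value the environment must not supply as the next input: the
    current delay value u_n.  This is the derived input requirement of slide 17."""
    zs, u, failed_at = run_prefix(a, xs)
    return None if failed_at is not None else u

if __name__ == "__main__":
    # Constructed inputs: with a = 1, x = [3, 1] runs cleanly and the next input
    # must avoid -2/5; feeding -3/2 as x_1 instead hits u_1 = x_1 and fails there.
    print(run_prefix(1, [3, 1]))
    print(forbidden_next_input(1, [3, 1]))
    print(run_prefix(1, [3, Fraction(-3, 2)]))
```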

20. Conclusions
• We can model a number of desired features
  – Correctness
  – Substitutability
  – Compatibility
  – Liveness properties
  – … and many more
• We can use linear temporal logic to specify and reason about these systems
• We built a tool that translates Simulink models to property transformers.
• The results were formalized in the Isabelle theorem prover
