Compositional Design and Verification of Real-time Systems II
TRANSCRIPT
Andrzej Wąsowski, IT University of Copenhagen
With: Bourke, A. David, Larsen, Legay, Møller, Nyman, Ravn, Skou, L.-M. Traonouez
Specification Theories (figure)
Specifications (cf. Boolean formulæ)
Implementations (cf. satisfying assignments)
Verifications (figure)
- Consistency (of a specification $S$)
- Common Implementation and Compatibility (of $S_1$ and $S_2$)
- Refinement (between $S_1$ and $S_2$)
Transformations: Conjunction
Transformations: Parallel Composition $S \parallel T$ (figure: $S$, $T$ and $S \mid T$)
Transformations: Quotient (figure: $S$, $T$ and $S \setminus T$)
Quotient $X = S \setminus T$ is an adjoint of parallel composition.
Main Laws expected from a specification theory
- Law. Logical Conjunction: $[\![S_1 \wedge S_2]\!]_{mod} = [\![S_1]\!]_{mod} \cap [\![S_2]\!]_{mod}$
- Law. Compositional Design with Structural Composition: if $I \text{ sat } S$ and $J \text{ sat } T$ then $I \parallel J \text{ sat } S \parallel T$
- Law. Quotient: if $S \parallel X \le T$ then $X \le T \setminus S$
- Law. Completeness of Refinement: if $[\![S]\!]_{mod} \neq \emptyset$ then $[\![S]\!]_{mod} \subseteq [\![T]\!]_{mod}$ iff $S \le T$
AGENDA
- Part I: Timed Systems
  - The Model of Timed Automata and Its Properties
  - The Model of Timed Games
  - What does all this have to do with compositional design?
- Part II: Compositional Design & Verification
  - Overview of Specification Theories
  - Implementations, Specifications
  - Refinement, verification
  - Transformations: Operators
  - Case study: Leader Election Protocol
- Part III: Losing Ideals. Going Robust
Syntax and Semantics of specifications and implementations (figure)
Timed I/O automata (finite, syntax): a specification $A$ and an implementation $X$.
Timed I/O transition systems (infinite, semantics): $S = [\![A]\!]_{sem}$ and $P = [\![X]\!]_{sem}$, related by satisfaction ($\models$).
Semantics of Specifications: input-enabled deterministic timed games
Def. Timed I/O Transition System
- $S = (St^S, s_0, \Sigma^S, \rightarrow_S)$
- $St^S$ a set of states, $s_0 \in St^S$ the initial state
- $\Sigma^S = \Sigma^S_i \oplus \Sigma^S_o$ (inputs and outputs)
- ${\rightarrow_S} \subseteq St^S \times (\Sigma^S \cup \mathbb{R}_{\ge 0}) \times St^S$
- time determinism: $s \xrightarrow{d}_S s'$ and $s \xrightarrow{d}_S s''$ implies $s' = s''$
- time reflexivity: $s \xrightarrow{0}_S s$ for all $s \in St^S$
- time additivity: for all $s, s'' \in St^S$ and all $d_1, d_2 \in \mathbb{R}_{\ge 0}$ we have $s \xrightarrow{d_1 + d_2}_S s''$ iff $s \xrightarrow{d_1}_S s'$ and $s' \xrightarrow{d_2}_S s''$ for some $s' \in St^S$
- deterministic: $s \xrightarrow{a}_S s'$ and $s \xrightarrow{a}_S s''$ implies $s' = s''$
- input-enabled: for each $i \in \Sigma^S_i$ there exists a state $s'$ such that $s \xrightarrow{i?}_S s'$
Implementations are 'completely specified' specifications
Def. Implementation
- A specification $P = (St^P, p_0, \Sigma^P, \rightarrow_P)$ with:
- Output urgency: $\forall p', p'' \in St^P$, if $p \xrightarrow{o!}_P p'$ and $p \xrightarrow{d}_P p''$ then $d = 0$
- Independent progress: either $(\forall d \ge 0.\ p \xrightarrow{d}_P)$ or $\exists d \in \mathbb{R}_{\ge 0}.\ \exists o! \in \Sigma^P_o.\ p \xrightarrow{d}_P p'$ and $p' \xrightarrow{o!}_P$
Refinement (between Specifications) and Satisfaction (between Specifications and Implementations)
Def. Refinement between $S = (St^S, s_0, \Sigma, \rightarrow_S)$ and $T = (St^T, t_0, \Sigma, \rightarrow_T)$:
$S \le T$ iff there exists $R \subseteq St^S \times St^T$ containing $(s_0, t_0)$ such that $(s, t) \in R$ implies:
- whenever $t \xrightarrow{i?}_T t'$ then $s \xrightarrow{i?}_S s'$ and $(s', t') \in R$
- whenever $s \xrightarrow{o!}_S s'$ then $t \xrightarrow{o!}_T t'$ and $(s', t') \in R$
- whenever $s \xrightarrow{d}_S s'$ then $t \xrightarrow{d}_T t'$ and $(s', t') \in R$
Intuition: a strategy of output for $S$ can be played in the context of $T$; a strategy of input for $T$ can be played against $S$.
Def. Satisfaction. Let $I$ be an implementation and $S$ a specification: $I \text{ sat } S$ iff $I \le S$, and $[\![S]\!]_{mod} = \{ I \mid I \text{ sat } S \}$.
Thm. Completeness of Refinement: $[\![S]\!]_{mod} \subseteq [\![T]\!]_{mod}$ iff $S \le T$
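Refinement and satisfaction in code, as an added example that is not from the slides: finite I/O transition systems in which real-valued delays are abstracted to a single unit-delay label (an assumption made to keep the state space finite). The refinement check computes the largest relation closed under the three clauses above, and the implementation check encodes output urgency and independent progress from the definition earlier on the page; all names (TIOTS, refines, MACHINE, TEA_IMPL, UNI, INC) and the sample models are constructed for this example.

```python
"""Refinement and satisfaction checks for finite I/O transition systems.

Added example, not from the slides. Assumption: real-valued delays d in R>=0
are abstracted to one unit-delay label DELAY so the systems stay finite; the
clauses for input-enabledness, output urgency, independent progress and
refinement (inputs of T matched by S, outputs/delays of S matched by T)
follow the slides' definitions.
"""
from itertools import product

DELAY = "delay"  # constructed label standing in for a delay d in R>=0


class TIOTS:
    """S = (St, s0, Sigma_i + Sigma_o, ->). trans maps (state, label) -> state,
    so (time) determinism is built in; input-enabledness is checked here."""

    def __init__(self, states, s0, inputs, outputs, trans):
        self.states, self.s0 = frozenset(states), s0
        self.inputs, self.outputs = frozenset(inputs), frozenset(outputs)
        self.trans = dict(trans)
        for s, i in product(self.states, self.inputs):
            if (s, i) not in self.trans:
                raise ValueError(f"not input-enabled: {s} lacks {i}?")

    def succ(self, s, label):
        return self.trans.get((s, label))  # None: no transition on label

    def enabled_outputs(self, s):
        return {o for o in self.outputs if (s, o) in self.trans}

    def delay_closure(self, s):
        """States reachable from s by delay steps only (s included)."""
        seen, todo = {s}, [s]
        while todo:
            nxt = self.succ(todo.pop(), DELAY)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
        return seen


def is_implementation(p: TIOTS) -> bool:
    """Output urgency: a state with an enabled output cannot delay.
    Independent progress: a state can delay forever or reach an output."""
    for s in p.states:
        if p.enabled_outputs(s) and p.succ(s, DELAY) is not None:
            return False  # output urgency violated
        closure = p.delay_closure(s)
        delay_forever = all(p.succ(q, DELAY) is not None for q in closure)
        can_output = any(p.enabled_outputs(q) for q in closure)
        if not (delay_forever or can_output):
            return False  # independent progress violated
    return True


def refines(s_sys: TIOTS, t_sys: TIOTS) -> bool:
    """S <= T: start from St^S x St^T and delete pairs violating one of the
    three clauses until stable (greatest fixpoint), then test (s0, t0)."""
    assert (s_sys.inputs, s_sys.outputs) == (t_sys.inputs, t_sys.outputs)
    rel = set(product(s_sys.states, t_sys.states))

    def ok(s, t):
        for i in t_sys.inputs:  # every t --i?--> t' must be matched by s
            t2, s2 = t_sys.succ(t, i), s_sys.succ(s, i)
            if t2 is not None and (s2 is None or (s2, t2) not in rel):
                return False
        for a in s_sys.outputs | {DELAY}:  # every s --o!--> / --d--> by t
            s2, t2 = s_sys.succ(s, a), t_sys.succ(t, a)
            if s2 is not None and (t2 is None or (s2, t2) not in rel):
                return False
        return True

    while True:
        bad = {pair for pair in rel if not ok(*pair)}
        if not bad:
            return (s_sys.s0, t_sys.s0) in rel
        rel -= bad


def satisfies(impl: TIOTS, spec: TIOTS) -> bool:
    """I sat S iff I is an implementation and I <= S."""
    return is_implementation(impl) and refines(impl, spec)


# Constructed sample models, loosely after the slides' coffee machine.
IN, OUT = {"coin"}, {"tea", "cof"}
MACHINE = TIOTS(["idle", "paid"], "idle", IN, OUT, {       # may serve either
    ("idle", "coin"): "paid", ("idle", DELAY): "idle",
    ("paid", "coin"): "paid", ("paid", DELAY): "paid",
    ("paid", "tea"): "idle", ("paid", "cof"): "idle"})
TEA_ONLY = TIOTS(["idle", "paid"], "idle", IN, OUT, {      # stricter spec
    ("idle", "coin"): "paid", ("idle", DELAY): "idle",
    ("paid", "coin"): "paid", ("paid", DELAY): "paid",
    ("paid", "tea"): "idle"})
TEA_IMPL = TIOTS(["idle", "paid"], "idle", IN, OUT, {      # serves tea at once
    ("idle", "coin"): "paid", ("idle", DELAY): "idle",
    ("paid", "coin"): "paid", ("paid", "tea"): "idle"})
UNI = TIOTS(["u"], "u", IN, OUT, {("u", a): "u" for a in IN | OUT | {DELAY}})
INC = TIOTS(["x"], "x", IN, OUT, {("x", "coin"): "x"})     # no output, no delay

if __name__ == "__main__":
    print("TEA_ONLY <= MACHINE:", refines(TEA_ONLY, MACHINE))    # True
    print("MACHINE <= TEA_ONLY:", refines(MACHINE, TEA_ONLY))    # False
    print("TEA_IMPL sat MACHINE:", satisfies(TEA_IMPL, MACHINE))  # True
    print("MACHINE is an impl.:", is_implementation(MACHINE))    # False
```

Note that INC refines every specification but has no implementation, and every implementation satisfies UNI, matching the two extreme specifications discussed below.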
Refinement & Satisfaction. Question: are these refinements? Which is an implementation? (figure: Refinements, Implementations, Consistency)
Extreme Specifications: Inconsistent & Universal
Refinement (example, figure): A (S), B (T), INC, UNI
Thm.
1. There is no implementation satisfying INC: $\forall I.\ \lnot(I \text{ sat } INC)$
2. Any (signature compatible) system implements UNI: $\forall I.\ I \text{ sat } UNI$
We use UNI to model unpredictability (error).
Refinement as a Timed Safety Game: example for $S \le T$
So we can use the engine of Uppaal TIGA to check it!
Consistency Verification: a simple safety game; pruning as maximum strategy finding
Definitions:
$err^S = \{\, s \mid (\exists d.\ s \not\xrightarrow{d}) \text{ and } \forall d\ \forall o!\ \forall s'.\ s \xrightarrow{d} s' \text{ implies } s' \not\xrightarrow{o!} \,\}$
$\pi(X) = Err \cup Pred_t[\, X \cup iPred(X),\ oPred(X^C) \,]$
Theorem. A specification (state) $s$ is inconsistent iff $s \in \mu X.\ \pi(X)$
(figure: the specification $S$ with clock $y$, axis 0 to 10, shown before and after pruning)
Specification is consistent iff the result of pruning is non-empty.
Conjunction of Specifications, $S \wedge T$
(figure: conjunction of two timed I/O automata; locations $(A_i, B_j)$, invariant $I_A \wedge I_B$, guards $g_i \wedge u_j$ and $h_l \wedge v_m$, resets $r_i \cup t_j$ and $s_l \cup p_m$)
Theorem. $S \wedge T \le S$; $S \wedge T \le T$; $(U \le S)$ and $(U \le T)$ $\Rightarrow$ $U \le (S \wedge T)$
Conjunction of Specifications (2): Definition
Def. Product of $S = (St^S, s^S_0, \Sigma, \rightarrow_S)$ and $T = (St^T, s^T_0, \Sigma, \rightarrow_T)$:
$S \times T = (St^S \times St^T, (s^S_0, s^T_0), \Sigma, \rightarrow)$, where
$$\frac{s \xrightarrow{a}_S s' \qquad t \xrightarrow{a}_T t' \qquad a \in \Sigma \cup \mathbb{R}_{\ge 0}}{(s, t) \xrightarrow{a} (s', t')}$$
A result of the product may be locally inconsistent, or inconsistent. Apply a consistency check and pruning to the result.
Example of Conjunction (figure: $S$, $T$ and $S \wedge T$): clearly inconsistent!
Optimistic Parallel Composition: pruning with respect to input strategies. Composition $S \mid T$
(figure: Machine (coin?, tea!, cof!) composed with Researcher (pub!))
Theorem. If $A_1 \le B_1$ and $A_2 \le B_2$ then $A_1 \mid A_2 \le B_1 \mid B_2$
Classical rules for composition of I/O transition systems.
Composability as a game
(figure: Administration (grant, patent), Machine (coin, tea, cof), Researcher (pub))
Is it possible for the user to use the Small University component without Researcher entering the UNI?
control: A[] ! UNI
ECDAR Demo
Demo Example: Timed Systems Specifications = Timed I/O Automata
(figure: Administration (grant, patent), Machine (tea, cof), Researcher (coin, pub))
Input: controllable (required). Output: uncontrollable (allowed).
Overall Specification
(figure: Administration (grant, patent), Machine (coin, tea, cof), Researcher (pub))
End of Demo
Quotient Quotienting, T\SI …
Ahi
o !
IA oX!kiqi
Ei
oS! Cigi
i?
oS!… si
ri
i?X Ai T
ri
…
Bvj
IB oX?wjæj
…
Ei
S
oX!
Djuj
vj
i?
oS!…t
pj
ToX!
Bj S
tj
![Page 59: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/59.jpg)
Quotienting, T\SoS!
I …
S
i? XA
hio !
IA oX!kiqi
Ei
T
S
oX!Ci
gi
i?
oS!… si
ri
UNI
Ai Tri
…
A\B i?INC
hi vjgi,uj i?
ri tj
Bvj
IB oX?wjæj
…
Fi
hi,vj
os? ¬ H ,vj
ki,wjox!
qi ,æj
ri ,tj
Ai\ Bj
Djuj
vj
i?
oS!…t
pjos? ¬ V
os?
qi , j
Ei\ Fj
si,pj
Bj S
tjCi\ Dj
INC UNI
Ei\ Fj
T\S
Quotient
![Page 60: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/60.jpg)
Quotienting
[Figure: the quotient T\S built from T and S, as on the previous slide; locations Ai\Bj, Ci\Dj, Ei\Fj plus the special locations INC and UNI]
Theorem: (S | X) ≤ T iff X ≤ (T\S)
Quotient
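As an added illustration (not on the slides), the theorem applied to the first two compositional checks of the leader-election case study later in the lecture: a query of the form ( S1 || N0 ) <= S holds exactly when N0 refines the quotient S\S1, so S\S1 characterises every single node N0 that keeps the ring within S once the rest of the ring refines S1:

$$
(S_1 \parallel N_0) \le S \iff N_0 \le (S \setminus S_1),
\qquad
(S_2 \parallel N_1) \le S_1 \iff N_1 \le (S_1 \setminus S_2).
$$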
![Page 61: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/61.jpg)
AGENDA
- Part I: Timed Systems
- Part II: Compositional Design & Verification
  Overview of Specification Theories
  Implementations, Specifications
  Refinement, verification
  Transformations: Operators
  Case study: Leader Election Protocol
- Part III: Losing Ideals. Going Robust
![Page 63: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/63.jpg)
Why should I bother?
![Page 64: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/64.jpg)
Combating State Space Explosion
![Page 66: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/66.jpg)
Compositional Refinement Checking
![Page 67: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/67.jpg)
Leader Election in a Ring. Ring Structure
Initially cur = pr. Then cur increases whenever send[i] on a higher channel arrives.
![Page 68: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/68.jpg)
Leader Election in a Ring (2). The Protocol. Synchronous Example
Initially cur = pr. Then cur increases whenever send[i] on a higher channel arrives.
![Page 74: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/74.jpg)
Template of a Single Node. Parameters: id, pr
[Figure: timed automaton of one node; location Leader; invariant x<=MaxD; edge labels send[id][e]?, send[id][pr]?, leader[id]!, send[(id+1)%N][cur]!; guards e>cur and e<=cur && !(e==pr); updates cur=e, x=0]
- Initially cur = pr
- Receives on channels send[id][e]? where e is a priority
- Sends on channels send[(id+1)%N][e] to the next node in the ring
- If the received priority is larger than the current one, store it.
- Ignore it otherwise
- If it receives its own priority, broadcast 'I-am-the-leader' immediately
Verification. Two simple properties
- left, S: if a leader is reported, it is a correct one (soundness)
- right, T: a leader is reported within a deadline (termination)
[Figure: specification automata S (edge leader[0]!) and T (edges leader[e]!, invariant x<=(N+1)*MaxD)]
ECDAR Verification Queries
refinement: (N0 || N1 || N2 || N3 || N4 || N5) <= S
refinement: (N0 || N1 || N2 || N3 || N4 || N5) <= T
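The single-node template and the two properties S and T, as an added Python simulation that is not the lecture's ECDAR model: `run_ring` replays the template for every node with a caller-supplied forwarding delay bounded by MaxD, and `sound` / `terminates` check the two refinement targets on the resulting leader reports. Instant delivery to the successor, distinct priorities and the initial forward of each node's own priority are assumptions.

```python
"""Discrete-event simulation of the single-node template in a ring of N nodes.
Assumptions (not on the slides): priorities are distinct, every node
initially forwards its own priority, delivery to the successor is instant,
and `delay` returns how long node i waits before forwarding (0..MaxD)."""
import heapq
from typing import Callable, List, Optional, Tuple

Report = Tuple[int, int, int]  # (time, node id, priority announced)


def run_ring(priorities: List[int], max_d: int,
             delay: Callable[[int, int], int]) -> List[Report]:
    """Run the election and return every leader[id]! report in time order."""
    n = len(priorities)
    assert len(set(priorities)) == n, "template assumes distinct priorities"
    cur = list(priorities)                 # Initially cur = pr
    due: List[Optional[int]] = [None] * n  # when node i's pending forward fires
    events: list = []                      # (time, kind, node, e); kind 0=recv 1=fwd
    reports: List[Report] = []

    def reset_clock(i: int, now: int) -> None:
        """x = 0; the invariant x <= MaxD forces the forward within max_d."""
        d = delay(i, now)
        assert 0 <= d <= max_d, "delay must respect the invariant x<=MaxD"
        due[i] = now + d
        heapq.heappush(events, (due[i], 1, i, 0))

    for i in range(n):
        reset_clock(i, 0)
    while events:
        t, kind, i, e = heapq.heappop(events)
        if kind == 1:                      # send[(id+1)%N][cur]!
            if due[i] != t:
                continue                   # superseded by a later reset of x
            due[i] = None
            heapq.heappush(events, (t, 0, (i + 1) % n, cur[i]))
        elif e == priorities[i]:           # send[id][pr]? -> leader[id]! now
            reports.append((t, i, e))
        elif e > cur[i]:                   # guard e>cur: store, then forward
            cur[i] = e
            reset_clock(i, t)
        # else guard e<=cur && !(e==pr): ignore
    return reports


def sound(priorities: List[int], reports: List[Report]) -> bool:
    """Property S: any reported leader is the node holding the maximum priority."""
    best = max(priorities)
    return all(priorities[i] == best == e for _, i, e in reports)


def terminates(priorities: List[int], reports: List[Report], max_d: int) -> bool:
    """Property T: a leader is reported no later than (N+1)*MaxD."""
    return bool(reports) and reports[0][0] <= (len(priorities) + 1) * max_d
```

With every forward taking the full MaxD, the maximum priority needs N hops, so the report lands at N*MaxD, inside the (N+1)*MaxD deadline T requires.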
![Page 77: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/77.jpg)
Compositional Verification
- Combat state-space explosion for larger numbers of nodes
- We introduce abstractions for sub-rings; checks:
refinement: ( S1 || N0 ) <= S
refinement: ( S2 || N1 ) <= S1
refinement: ( S3 || N2 ) <= S2
refinement: ( S4 || N3 ) <= S3
refinement: ( S5 || N4 ) <= S4
refinement: N5 <= S5
- Refinement ≤ is a pre-congruence with respect to ‖, so the ring refines S.
![Page 86: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/86.jpg)
Compositional Verification (3). Template Si. Parameters: i, S
[Figure: timed automaton of Si; edge labels send[i][e]?, send[0][e]!, leader[e]!; guards S[e]==0, S[e]==1, e>=i]
- The sub-specification Si
- Nodes (NN, ..., Ni) can declare themselves leader after receiving a priority covered by Si
- If the priority received is not covered, ignore it.
- If it is covered, then you can declare leadership.
- S[e] is an auxiliary array flagging priorities covered by
- The above template suffices to prove soundness inductively
- Timed termination can be proven inductively using a more complex template
![Page 88: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/88.jpg)
Performance Comparison. Compositional vs Monolithic
[Chart: timing of verification of S and T; x-axis Nodes (5 to 40), y-axis Time (mm:ss) from 00:00 to 01:20; series S_c, S_m, T_c, T_m]
![Page 89: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/89.jpg)
![Page 90: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/90.jpg)
AGENDA
- Part I: Timed Systems
- Part II: Compositional Design & Verification
  Overview of Specification Theories
  Implementations, Specifications
  Refinement, verification
  Transformations: Operators
  Case study: Leader Election Protocol
- Part III: Losing Ideals. Going Robust
![Page 91: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/91.jpg)
AGENDA
- Part I: Timed Systems
- Part II: Compositional Design & Verification
- Part III: Losing Ideals. Going Robust
![Page 92: Compositional Design and Verification of Real-time Systems II · Compositional Design and Verification of Real-time Systems II Andrzej Waso˛ wski IT University of Copenhagen Bourke](https://reader035.vdocument.in/reader035/viewer/2022062912/5d1b496c88c993dc468c95c7/html5/thumbnails/92.jpg)
Thank You for Today!
visuals by
Alexandre David, Patricia Bouyer-Decitre, Ulrik Nyman, Kim Guldstrand Larsen, Louis-Marie Traonouez
Yours Truly