ecdar composition of real-time specifications — revisited kim guldstrand larsen aalborg...

ECDAR Composition ofReal-Time

Specifications— Revisited

Kim Guldstrand LarsenAalborg University, DENMARK

Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan

Observations

Kim G Larsen 2

1993

1995

1988

1994

1991


Observational Equivalence – Revisited

Kim G Larsen 3

CWB

TemporalLogic ofActions

TLC

Calculus of CommunicatingSystems

Need for sound compositional specification formalisms

supporting step-wise development and design of

concurrent real-time systems

Kim G Larsen 4Colloquium in Honor of Martin Abadi, June 25-26, 2015, Cachan

Context Dependent Bisimulation

Modal Transition Systems

Probabilistic MTSInterval Markov Chains

Timed MTS

UPPAAL

Parameterized MTSWeighted MTS

Dual-Priced MTSModal Contracts

1986

1988

1991

1995

2009

2005

ECDAR2011

Constraint Markov Chains 2010

APAC2012

Bisimulation

CWBTAU





Timed MTS

UPPAAL



1986

1988

1991

1995

2009

2005

ECDAR2011


APAC2012

Bisimulation

CWBTAU

Specification Theory

SpecImpsat

where

sat) Spec,(Imp, SPF

Formalism ionSpecificat

Imp: set of implementationsLabelled Transition Systems

}SsatI:I{|S|

Refi nement:

S T iff |S| |T|

Ø |T||S|

Ø |S|

:yConsistenc

Spec: set of specifications


Operations on Specifications

Structural Composition: Given S1 and S2 construct S1 par S2 such that

| S1 par S2 | = |S1| par |S2| · should be precongruence wrt par to allow for

compositional analysis !

Logical Conjunction: Given S1 and S2 construct S1ÆS2 such that

|S1 ÆS2| = |S1|Å|S2|

Quotienting: Given overall specification T and component

specification S construct the quotient specification T\S such that

S par X · T iff X · T\S



MTS is an automata-based specification formalism

MTS allow to express that certain actions may or must happen in their implementation

MTS supports all the required operations on specifications (conjunction, parallel composition, quotienting).

Applications in component-based software development, interface theories, modal abstractions and program analysis.

[L. & Thomsen 88Boudol & L. 90]


Example – Tea-Coffee Machines

cointea coffee cointea coffee

cointea coffee

cointeacoin

Specifications

Refinement

Implementations

coin coincoffee

tea

tea


MTS Definition

An MTS is a triple (P,, }) where P is a set of states and µ } µ P£ Act £ P

If = } then the MTS is an implementation.

R µ P£ P is a modal refinement iff whenever (S,T)2R then i) whenever S-a->} S’ then T-a->}T’ for some T’ with (S’,T’)2 R ii) whenever T-a-> T’ then S-a-> S’ for some S’ with (S’,T’)2 R

We write S ≤mT whenever (S,T)2R for some modal refinement R.


Example – Tea-Coffee Machines

cointea coffee cointea coffee

cointea coffee

cointea coin coincoffee

tea

coin

Specifications

Refinement

Implementations

≤

≤≤

≤tea


MTS Operators

s1 || s2

s1\ s2

SynchronousParallel Composition

Quotienting

Conjunctions1 Æ s2

Refinment & Consistency Checking arePTIME-complete





Timed MTS

UPPAAL



1986

1988

1991

1995

2009

2005

ECDAR2011


APAC2012

Bisimulation

CWBTAU


SEMANTICS:

(A,x=0) – 3.14 (A,x=3.14) - a? (B,x=3.14) (A,x=0) - 5.23 (A,x=5.23) - a? (B,x=5.23) (ERROR, x=5.23)

Extended

Kim G Larsen 14

ClocksChannelsNetworksInteger variablesStructure variables, clocks, channelsUser defined types and functíons

Timed Automata


Timed Automata

int UT (int X, int Y){ return (X+1)*Y;}

const int N = 10;const int D = 30;const int d = 4;typedef int[0,N-1] id_t;

broadcast chan rec[N];broadcast chan w[N];

Extended

ClocksChannelsNetworksInteger variablesStructure variables, clocks, channelsUser defined types and functíons

Kim G Larsen 15


S

Real-Time version of Milner’s Scheduler

N0

N1

N2

Ni

Ni+1

w0

w1

w2

wi

wi+1

rec1

rec2

reci

reci+1

rec0

Kim G Larsen 16


Simulation & Verification

A[] not Env.ERROR

A[] forall (i:id_t) forall (j:id_t) ( Node(i).Token and Node(j).Token imply

i==j) Kim G Larsen 17


Compositional Verification

SubSpec1

SubSpec2

SubSpec3

A[] not Env.ERROR

A[] forall (i:id_t) forall (j:id_t) ( Node(i).Token and Node(j).Token imply

i==j) Kim G Larsen 18





Timed MTS

UPPAAL



1986

1988

1991

1995

2009

2005

ECDAR2011


APAC2012

Bisimulation

CWBTAU


Timed MTS, Refinements & Implementations

[CAV93] Karlis Cerans, Jens Chr. Godskesen, Kim Guldstrand Larsen: Timed Modal Specification - Theory and Tools. CAV 1993[EMSOFT02] Luca de Alfaro, Thomas A. Henzinger, Mariëlle Stoelinga: Timed Interfaces. EMSOFT 2002

An ImplementationInconsistent


Timed Game Automata & Synthesis

Problems to be considered:- Does there exist a winning strategy?- If yes, compute one (as simple as possible)

controllable

uncontrollable

Kim G Larsen 21


Computing Winning States

Kim G Larsen 22

Backwards Fixed-Point Computation


Reachability GamesBackwards Fixed-Point Computation

Theorem:The set of winning states is obtained as the least fixpoint of the function: X a p(X) [ Goal

cPred(X) = { q2Q | 9 q’2 X. q c q’}uPred(X) = { q2Q | 9 q’2 X. q u q’}Predt(X,Y) = { q2Q | 9 t. qt2X and 8 s·t. qs2YC }

p(X) = Predt[ X [ cPred(X) , uPred(XC) ]

Definitions

X

YPredt(X,Y)

Kim G Larsen 23


Decidability of Timed Games

Theorem [AMPS98,HK999]Reachability and safety timed games are decidable and EXPTIME-complete. Futhermore memoryless and ”region-based” strategies are sufficient.

Theorem [AM99,BHPR07,JT07]Optimal-time reachability timed games are decidable and EXPTIME-complete.

Algorithm [CDFLL05,BCDFLL07]Efficient ”zone-based”, on-the-fly synthesis algorithm for (optimal-time) rechability and safety timed games. (UPPAAL Tiga)

[AM99] Asarin, Maler: As soon as possible: time optimal control for timed automata. HSCC99.[BHPR07] Brihaye, Henziunger, Prabhu, Raskin: Minimum-time reachability in timed-games. ICALP07.[JT07] Jurdzinski, Trivedi: Rechability-time games on timed automata. ICALP07.[CDFLL05] Cassez, David, Fleury, Larsen, Lime: Efficient On-the-Fly Algorithms for the Analysis of Timed Games. CONCUR 2005[BCDFLL07] Behrmann, Cougnard, David, Fleury, Larsen, Lime: UPPAAL-Tiga: Time for Playing Games! CAV 2007

Kim G Larsen 24


Timed I/O Aut.: A Modern University

coinpub

tea

cof

Machine Researcher

Administration

grantpatent

UNIVERSITY

Input: control. (required)Output: uncontrol. (allowed)

Input: control. (required)Output: uncontrol. (allowed)

Kim G Larsen 25


Overall Specification

coin pub

tea

cof

Machine Researcher

Administration

grantpatent

grant patent

¸?

Kim G Larsen 26


Timed I/O Transition Systems

oiActand

StActStwhere

ActSt

:TIOTS

)(:

),,(

d

i

Time determinism(d )

s ' ' ' ' ' '

I nput enabledness

. s

d

i

if s and s s then s s

f or all s and i

St

touch?

dim!

1.4

off!

0

0

o

Output Urgency

s

I ndependent Progress

.

, .

d

d

d o

whenever

then s implies d

Either d s

or d o s

''''''s

)Act(amDeterminisa ssthenssandsif a

Implementations

Kim G Larsen 27


Refinement =Timed Alternating Simulation

Intuition:S leaves less choices than T for an implementation.

Intuition:S leaves less choices than T for an implementation.

SISsatI

Definition

:|T| |S|thenTSWhenever

Theorem

Theorem:

Whenever |S| |T| then S T

T'S'withT'TthenS'Siii.

T'S'withT'TthenS'Sii.

T'S'withS'SthenT'Ti.

iffTS

TIOGA.beTandSLet

dd

o!o!

i?i?

Kim G Larsen 28


Refinement (example)

T

A (S)

B (T)

INC

UNI

T'S'withT'TthenS'Siii.

T'S'withT'TthenS'Sii.

T'S'withS'SthenT'Ti.

iffTS

TIOGA.beTandSLet

dd

o!o!

i?i?

Kim G Larsen 29

Timed Game

''''.

''''.

''''.

.

!!

??

TSwithTTthenSSiii

TSwithTTthenSSii

TSwithSSthenTTi

iffTS

TIOGAbeTandSLet

dd

oo

ii

Refinement as a Game

A

Ai

Cl

gi

hl

a?

o!

……

B

Bj

Dm

uj

vm

a?

o!

…

…

IA

IB

S

T

sl

ri

tj

pm

not A · B

iffAxB sat control: A<> Error

not A · B

iffAxB sat control: A<> Error

Error

IA : IB

UU

A,B

uj

a?tj

hl

o!sl

gi

a?

ri

vm

o!

pm

: G

: V

Ai,Bj Cl,Dm

…

…

…

…

FORMATS09Optimized Refinement Algorithm

Timed I/O Automata

refuter

verifier


Kim G Larsen 30


Refinement in ECDAR

Kim G Larsen 31


More Refinement .. In ECDAR

coin pub

tea

cof

Machine Researcher

Administration

grantpatent

grant patent

· ?????

Kim G Larsen 32


Consistency

Consistency:

Does there exist I such that

I S ?

S1 S3S2

S4

Kim G Larsen 33


Consistency

p(X) = Err [ Predt[ X [ iPred(X) , oPred(XC) ]

0

Err =

{ | . . } d os d s o s

Theorem A specificiation (state) s is inconsistentiff

s 2 ¹X. ¼(X)

Definitions

Pruned Version

S

Kim G Larsen 34


Conjunction, SÆT

A

Ai

Cl

gi

hl

a?

o!

……

B

Bj

Dm

uj

vm

a?

o!…

…

IA

IB

A,B

Ai,Bj

gi Æ uj

a?

S

T

o!

hl Æ vm

Cl,Dm

sl

ri

tj

pmri [ tj

IA Æ IB

sl [ pm

Theorem SÆT · S SÆT · T (U·S) and (U·T) ) U · (SÆT)

Kim G Larsen 35


Conjunction, Ex.

S T

S Æ T

ClearlyInconsistent !

Kim G Larsen 36


Composition, S|T

1 21 10

1 2 1 2

1 21 1

1 2 1 2

1 21 1 2 2

1 2 1 2

1 1 2 2

1 2 1 2

i

ii

o

o io

a a

o ia

d d

d

s si

s s s s

s so

s s s s

s s s sa

s s s s

s s s sd

s s s s

?

?

!

!

! ?

!

'

| ' |

'

| ' |

' '

| ' ' | '

' '

| ' ' | 'Classical rules for

Composition of I/O transitionSystems

Theorem

If A1 · B1 and A2· B2 then A1|A2 · B1|B2

Theorem

If A1 · B1 and A2· B2 then A1|A2 · B1|B2

coin? pub!

tea

cof

Machine Researcher

Kim G Larsen 37


Quotienting, T\S

T

S

i?X

oX!

oS!

A

Ai

Ci

gi

hi

i?

oS!

…

…

B

Bj

Dj

uj

vj

i?

oS!…

…

IA

IB

T

S

si

ri

tj

pj

oX!kiqi

…

Ei

oX?wjæj

…

Fi

Kim G Larsen 38


Quotienting, T\S

T

S

i? X

oX!

oS!

A

Ai

Ci

gi

hi

i?

oS!

…

…

B

Bj

Dj

uj

vj

i?

oS!…

…

IA

IB

T

S

si

ri

tj

pj

oX!kiqi

…

Ei

oX?wjæj

…

Fi

A\BIA

Æ : IB

§ UNI

IB Æ : IAi?

INC

hi,vj

os?

Ci\ Dj

: H ,vj

os?

INC

: V

os?

UNI

ki,wj

ox!

qi ,æj

Ei\ Fj

gi,uj i?

si,pj

ri ,tj

Ai\ Bj

T\SKim G Larsen 39


Quotienting, T\S

T

S

i? X

oX!

oS!

A

Ai

Ci

gi

hi

i?

oS!

…

…

B

Bj

Dj

uj

vj

i?

oS!…

…

IA

IB

T

S

si

ri

tj

pj

oX!kiqi

…

Ei

oX?wjæj

…

Fi

A\BIA

Æ : IB

§ UNI

IB Æ : IAi?

INC

hi,vj

os?

Ci\ Dj

: H ,vj

os?

INC

: V

os?

UNI

ki,wj

ox!

qi ,æj

Ei\ Fj

gi,uj i?

si,pj

ri ,tj

Ai\ Bj

Theorem

(S | X) · T iff X · (T\S)

T\SKim G Larsen 40


Quotienting, ”Application”

coin pub

tea

cof

Machine Researcher

Administration

grantpatent

grant patent

Specification

·

coin pub

tea

cof

Machine Researcher

Spec \ Adm

·IFF

Spec\Adm

u·20

u·20

u·20

Kim G Larsen 41


Compositional Refinement Checking

… ·C1 C2 CnC3

…C2 CnC3

S

S \ C1

·iffP( S \ C1 )

iff …CnC3

·P( P(S C1) \C2 )

iff … …

Andersen: Partial MC & Laroussinie, L.: CMC Tool

Kim G Larsen 42


Assume-Guarantee

ButA

ButB

Good

Bad

Guarantee Assumption

A>>G = (A | G) \ A

Kim G Larsen 43

Properties (A | G) · ¸

(A | A>>G )

A>>G ¸ G

A · A’ ) A>>G ¸ A’>> G

G · G’ ) A>>G · A>>G’


Assume-Guarantee Reasoning

A, G

A1, G1 A2, G2

Proof Rule: A>>G ¸ ( A1>>G1 | A2>>G2 )

Kim G Larsen 44

FASE’12: Moving from Specifications to Contracts in Component-Based Design


Milner’s Scheduler Compositionaly

S

N0

N1

N2

Ni

Ni+1

w0

w1

wi+1

rec1

rec2

reci

reci+1

rec0

w2

wi

Find SSi and verify:

1. N1· SS1

2. SS1 | N2 · SS2

3. SS2 | N3 · SS3

… …n. SSn-1 | Nn · SSn

n+1. SSn | N0 · SPEC

SPECKim G Larsen 45



S

N0

N1

N2

Ni

Ni+1

w0

w1

wi+1

rec1

rec2

reci

reci+1

rec0

w2

wi

Find SSi ……

A1

G

A2

No new rec[1]! untilrec[i+1]?

After rec[1]? then rec[i+1]!within [d*i,D*i]

Kim G Larsen 46

rec[1]! occurs with> N*d time sep.



S

N0

N1

N2

Ni

Ni+1

w0

w1

wi+1

rec1

rec2

reci

reci+1

rec0

w2

wi

A1

G

A2

Take SSi = (A1 & A2)>>G

Kim G Larsen 47



S

N0

N1

N2

Ni

Ni+1

w0

w1

wi+1

rec1

rec2

reci

reci+1

rec0

w2

wi

Take SSi = (A1 & A2)>>G

Kim G Larsen 48


Experiments

D=30

Kim G Larsen 49


References

LICS88: Kim Guldstrand Larsen, Bent Thomsen: A Modal Process Logic. EMSOFT 2002: Luca de Alfaro, Thomas A. Henzinger, Mariëlle Stoelinga: Timed

Interfaces.

FMCO’09: Methodologies for Specification of Real-Time Systems Using Timed I/O Automata

WADT’10: An Interface Theory for Timed Systems ATVA’10: ECDAR: An Environment for Compositional Design and Analysis of Real

Time Systems HSCC’10:Timed I/O Automata: A Complete Specification Theory for Real-time

Systems STTT’12: Compositional verification of real-time systems using Ecdar

QEST’10: Compositional Design Methodology with Constraint Markov Chains QEST’11: APAC: A Tool for Reasoning about Abstract Probabilistic Automata FASE’12: Moving from Specifications to Contracts in

Component-Based Design FMSD’13:: Weighted modal transition systems. Sci. Comput. Prg ‘14: A modal specification theory for components with data.

www.cs.aau.dk/~adavid/ecdar www.cs.aau.dk/~adavid/tiga

www.uppaal.comKim G Larsen 50

Timed TLA

UPPAAL ECDAR ?




UPPAAL

1986

1991

2009

2005

2010

APAC2012

Congratulation !!

ecdar composition of real-time specifications — revisited kim guldstrand larsen aalborg...

Documents

honor of martin abadi

work of martin

aware of martin abadi

martin kimobligation

new compositional approach

bisimulation equivalence

realtime modelchecker

quotient of specifications