

SLIDE 1

A Framework for Contract-Based Reasoning: Motivation and Application

Sophie Quinton and Susanne Graf

VERIMAG, Université Joseph Fourier

FLACOS, Malta, November 28th, 2008

SLIDE 2

Outline

1 Introduction
2 A definition of contract-based verification framework
3 One application: a generic sufficient condition for dominance
4 Application to interface Input/Output automata
5 Conclusion and future work

2 / 25

SLIDE 3

Section 1: Introduction

3 / 25

SLIDE 4

Introduction

Interface (or contract-based) theories
- A huge number of interface (or contract-based) theories have been developed (Henzinger, Larsen etc.).
- Each is specific to a notion of behavior.
- Each is specific to a notion of interaction between components.

Our approach
- What do these theories have in common?
- The BIP (Behavior, Interaction, Priority) framework clearly separates the notion of behavior from the notion of interaction.
- BIP can represent heterogeneous systems of components, from asynchronous to synchronous systems.
- We give a definition of a contract-based verification framework.

4 / 25

SLIDE 5

The BIP framework

- Clearly separates behavior, interaction, priority.
- Behaviors are represented as LTSs or Petri nets.
- Interactions are represented as sets of ports.
- Priorities are a preorder.

[Figure: two equivalent connector structurings of B1, B2, B3 (one flat connector = nested connectors)]

BIP composition operators are sets of structured connectors, which are sets of interactions. Composition is associative and commutative.

5 / 25

SLIDE 6

Section 2: A definition of contract-based verification framework

6 / 25

SLIDES 7-9

Contract-based verification framework

Definition (Contract-based verification framework)
A contract-based verification framework is given by a tuple (𝓑, 𝓟, Γ, ·, θ), where:
- 𝓑 is a set of behaviors; each behavior B ∈ 𝓑 has as interface a set of ports denoted P_B;
- 𝓟 = ⋃_{B∈𝓑} P_B;
- Γ is a set of BIP composition operators on subsets of 𝓟;
- · : Γ × 2^𝓑 → 𝓑 is a partial function defining a behavior semantics for the composition of behaviors:
  - ·(γ, (B1, ..., Bn)), denoted γ(B1, ..., Bn), is defined iff γ is defined on ⊔_{i=1}^{n} P_{Bi};
  - · preserves associativity and commutativity of the BIP composition operators (γ3(γ_{1,2}(B1, B2), B3) = γ1(B1, γ_{2,3}(B2, B3)) etc.);
- θ : 𝓑 × Γ → 2^{𝓑×𝓑} is a refinement under context.

In the following we suppose given a contract-based verification framework (𝓑, 𝓟, Γ, ·, θ).

7 / 25

SLIDES 10-13

Refinement under context

Definition (Context for an interface)
Let P ∈ 2^𝓟 be an interface. A context for P is a pair (E, γ) where E is such that P ∩ P_E = ∅ and γ is a composition operator defined on P ⊔ P_E.

[Figure: a component on interface P connected through γ to its environment E]

Definition (Refinement under context)
A refinement under context θ : 𝓑 × Γ → 2^{𝓑×𝓑} is a partial function such that:
- for each context (E, γ) for an interface P, θ(E, γ), denoted ⊑_{E,γ}, is a reflexive and transitive binary relation over the set of behaviors B with associated set of ports P_B = P;
- θ is monotonic w.r.t. composition, as defined on the next slide.

8 / 25

SLIDES 14-16

Monotony of refinement under context

Definition (Monotony of refinement under context)
θ is monotonic w.r.t. composition iff the following holds for any interface P and any context (E, γ) for P such that E is of the form γ_E(E1, E2). For all behaviors B1, B2 on P:

B1 ⊑_{E,γ} B2 ⇒ γ1(B1, E1) ⊑_{E2,γ2} γ1(B2, E1)

where γ1 and γ2 are computed from γ and γ_E for P ⊔ P_{E1} and P ⊔ P_{E1} ⊔ P_{E2} respectively.

[Figure: B1 refines B2 in context E = γ_E(E1, E2); hence γ1(B1, E1) refines γ1(B2, E1) in context E2]

9 / 25

SLIDES 17-20

Contract and satisfaction

Definition (Contract for an interface)
A contract C for an interface P consists of:
- a context (A, γ) for P, where A is called the assumption;
- a behavior G on P, called the guarantee.
We write C = (A, γ, G) rather than ((A, γ), G).

Definition (Satisfaction of a contract)
Let C = (A, γ, G) be a contract for an interface P and B a behavior on P. B satisfies C, denoted B ⊨ C, iff B ⊑_{A,γ} G.

[Figure: B ⊨ C depicted as B, composed with the assumption A through γ, refining G in the same context (A, γ)]

10 / 25

SLIDES 21-22

Dominance

Definition (Dominance)
Let:
- {P_i}_{i=1}^{n} ∈ 2^𝓟 be a family of pairwise disjoint interfaces, and P = ⋃_{i=1}^{n} P_i;
- C = (A, γ, G) be a contract for P;
- for all i = 1..n, C_i = (A_i, γ_i, G_i) be a contract for P_i;
- γ_I be a composition operator on P compatible with γ and the γ_i.

C dominates {C_i}_{i=1}^{n} w.r.t. γ_I iff for all B1, ..., Bn ∈ 𝓑 on P1, ..., Pn respectively:

∀i, B_i ⊨ C_i ⇒ γ_I(B1, ..., Bn) ⊨ C

[Figure: the connector composing G1 and G2 with A, and the connector composing G1 with A1, are compatible]

11 / 25

SLIDE 23

Section 3: One application: a generic sufficient condition for dominance

12 / 25

SLIDES 24-26

Compositional reasoning

Three rule shapes for concluding S1 ∩ S2 ⊆ P1 ∩ P2:

  S1 ⊆ P1        S2 ⊆ P2
  ------------------------
      S1 ∩ S2 ⊆ P1 ∩ P2

  S1 ⊆ P1        P1 ∩ S2 ⊆ P2
  -----------------------------
      S1 ∩ S2 ⊆ P1 ∩ P2

  P2 ∩ S1 ⊆ P1   P1 ∩ S2 ⊆ P2
  -----------------------------
      S1 ∩ S2 ⊆ P1 ∩ P2

13 / 25

SLIDES 27-29

Apparently circular reasoning

Definition (Apparent circular reasoning)
A framework (𝓑, 𝓟, Γ, ·, θ) allows apparent circular reasoning iff for any given interface P, behavior B on P, context (E, γ) for P and contract C = (A, γ, G) for P we have:

B ⊑_{A,γ} G ∧ E ⊑_{G,γ} A ⇒ B ⊑_{E,γ} G

[Figure: B in context A refines G, and E in context G refines A; together they yield B in context E refines G]

14 / 25

SLIDES 30-31

A generic sufficient condition for dominance

Theorem
C dominates {C_i}_{i=1}^{n} w.r.t. γ if:
- γ_I(G1, ..., Gn) ⊨ C
- ∀i, γ_{\i}(A, γ_{I\i}(G1, ..., G_{i−1}, G_{i+1}, ..., Gn)) ⊨ C_i^{−1}

with γ_{I\i} standing for the restriction of γ_I to P \ P_i, γ_{\i} for the restriction of γ to P_E ∪ P \ P_i, and C_i^{−1} = (G_i, γ_i, A_i).

[Figure: γ_I(G1, G2) in context A, compared with the guarantee G in context A]

15 / 25

SLIDE 32

Section 4: Application to interface Input/Output automata

16 / 25

SLIDE 33

Interface Input/Output automata

Interface Input/Output automata (paper by Larsen, Nyman and Wasowski, FM'06)
- Behaviours are I/O automata.
- Interfaces are pairs of I/O automata (E, S).
- Notion of refinement under context.
- Composition of interfaces, comparison with interface automata.

Our approach
- We encode output ports as triggers and input ports as synchrons.
- We show that the corresponding framework allows circular reasoning.
- We provide simple proofs of the first theorems of the paper.

17 / 25

SLIDE 34

Interface I/O automata as a contract-based verification framework

(𝓑, 𝓟, Γ, ·, θ) is defined as:
- 𝓑 is a set of LTSs. For each LTS B, P_B denotes the set of its labels. 𝓟 = ⋃_{B∈𝓑} P_B.
- Γ is the set of composition operators such that every connector has at most one trigger.
- · is the standard BIP composition semantics for LTSs.
- For E, B1, B2 ∈ 𝓑 such that P_{B1} = P_{B2} and γ ∈ Γ defined on P_E ⊔ P_{B1}, B1 ⊑_{E,γ} B2 is defined as Tr(γ(B1, E)) ↾ γ ⊆ Tr(γ(B2, E)) ↾ γ, where Tr(B) denotes the set of traces of B and ↾ γ is the projection of a set of traces onto the ports of γ.

θ as defined here is monotonic w.r.t. composition. The framework (𝓑, 𝓟, Γ, ·, θ) allows circular reasoning.

18 / 25
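As an added illustration of this instantiation (example code, not the authors' or the BIP project's), the following Python models behaviours as LTSs, a connector γ as a set of interactions (plain rendezvous, leaving triggers aside), and B1 ⊑_{E,γ} B2 as trace inclusion of the composed systems, bounded in depth. The request/acknowledgement components, the port names and the depth bound are constructed for this example.

```python
from itertools import product

class LTS:
    """Behaviour: ports, initial state, and transitions given as (s, port, s')."""
    def __init__(self, ports, init, edges):
        self.ports, self.init, self.trans = frozenset(ports), init, {}
        for s, p, t in edges:
            self.trans.setdefault((s, p), set()).add(t)

def compose(gamma, comps):
    """BIP-style composition gamma(B1..Bn): interaction a (one port per participating
    component) fires iff each owner can take its port; non-participants keep their state."""
    init, edges = tuple(c.init for c in comps), []
    seen, todo = {init}, [init]
    while todo:
        st = todo.pop()
        for a in gamma:  # labels of the composite are the interactions of gamma
            succ = [c.trans.get((s, next(iter(a & c.ports))), set()) if a & c.ports
                    else {s} for c, s in zip(comps, st)]
            for nxt in product(*succ):
                edges.append((st, a, nxt))
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return LTS(gamma, init, edges)

def traces(lts, depth):
    """Label sequences of length <= depth: a bounded approximation of Tr(B)."""
    out, frontier = {()}, {((), lts.init)}
    for _ in range(depth):
        frontier = {(tr + (p,), t) for tr, s in frontier
                    for (s0, p), ts in lts.trans.items() if s0 == s for t in ts}
        out |= {tr for tr, _ in frontier}
    return out

def refines(b1, b2, env, gamma, depth=8):
    """B1 ⊑_{E,γ} B2 iff Tr(γ(B1,E))↾γ ⊆ Tr(γ(B2,E))↾γ (↾γ is the identity here)."""
    return traces(compose(gamma, [b1, env]), depth) <= traces(compose(gamma, [b2, env]), depth)

def satisfies(b, contract, depth=8):
    """B ⊨ (A, γ, G) iff B ⊑_{A,γ} G."""
    a, gamma, g = contract
    return refines(b, g, a, gamma, depth)

# Constructed example (not from the slides); ports prefixed e_/s_ for environment/server.
GAMMA = {frozenset({"e_req", "s_req"}), frozenset({"e_ack", "s_ack"})}
A = LTS({"e_req", "e_ack"}, 0, [(0, "e_req", 1), (1, "e_ack", 0)])       # waits for each ack
E_EAGER = LTS({"e_req", "e_ack"}, 0, [(0, "e_req", 0), (0, "e_ack", 0)])  # never waits
G = LTS({"s_req", "s_ack"}, 0, [(0, "s_req", 1), (1, "s_ack", 0)])       # strict alternation
B = LTS({"s_req", "s_ack"}, 0, [(0, "s_req", 1), (1, "s_ack", 0),         # buffers 2 requests
                                (1, "s_req", 2), (2, "s_ack", 1)])
CONTRACT = (A, GAMMA, G)

if __name__ == "__main__":
    print(satisfies(B, CONTRACT), refines(B, G, E_EAGER, GAMMA))  # True False
```

Under the assumption A (one outstanding request at a time) B satisfies (A, γ, G), while the same B does not refine G under the eager environment: refinement, and hence satisfaction, depends on the context.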

SLIDE 35

Theorem 3 of LarsenNW06

Theorem (Theorem 3 of LarsenNW06)
∀I1, I2, (I1 ⊑_{E1,γ1} S1 ∧ I2 ⊑_{E2,γ2} S2 ⇒ γ3(E, I2) ⊑_{I1,γ1} E1 ∧ γ4(E, I1) ⊑_{I2,γ2} E2)
is equivalent to
γ3(E, S2) ⊑_{S1,γ1} E1 ∧ γ4(E, S1) ⊑_{S2,γ2} E2

Proof.
Left-to-right implication is trivial since S1 ⊑_{E1,γ1} S1 ∧ S2 ⊑_{E2,γ2} S2 (for all E, γ, ⊑_{E,γ} is reflexive).
Right-to-left implication: let I1 and I2 be fixed. Suppose:
  γ3(E, S2) ⊑_{S1,γ1} E1   (1)
  γ4(E, S1) ⊑_{S2,γ2} E2   (2)
  I1 ⊑_{E1,γ1} S1          (3)
  I2 ⊑_{E2,γ2} S2          (4)
We have to prove that γ3(E, I2) ⊑_{I1,γ1} E1 ∧ γ4(E, I1) ⊑_{I2,γ2} E2.

19 / 25

SLIDES 36-42

Proof of Theorem 3 of LarsenNW06

Suppose:
  γ3(E, S2) ⊑_{S1,γ1} E1   (1)
  γ4(E, S1) ⊑_{S2,γ2} E2   (2)
  I1 ⊑_{E1,γ1} S1          (3)
  I2 ⊑_{E2,γ2} S2          (4)
Goal: γ3(E, I2) ⊑_{I1,γ1} E1 ∧ γ4(E, I1) ⊑_{I2,γ2} E2.

Step 1: applying circular reasoning to (3) and (1), and to (4) and (2):
  I1 ⊑_{γ3(E,S2),γ1} S1   (5)
  I2 ⊑_{γ4(E,S1),γ2} S2   (6)

Step 2: monotony w.r.t. composition, from (5) and (6):
  γ4(E, I1) ⊑_{S2,γ2} γ4(E, S1)   (7)
  γ3(E, I2) ⊑_{S1,γ1} γ3(E, S2)   (8)

Step 3: applying transitivity of ⊑_{S2,γ2} (resp. ⊑_{S1,γ1}) to (7) and (2) (resp. (8) and (1)):
  γ4(E, I1) ⊑_{S2,γ2} E2   (9)
  γ3(E, I2) ⊑_{S1,γ1} E1   (10)

Step 4: applying circular reasoning to (9) and (4), and to (10) and (3):
  γ4(E, I1) ⊑_{I2,γ2} E2   (11)
  γ3(E, I2) ⊑_{I1,γ1} E1   (12)

20-22 / 25

SLIDES 43-46

Theorem 4 of LarsenNW06

Theorem (Theorem 4 of LarsenNW06)
γ3(E, S2) ⊑_{S1,γ1} E1 ∧ γ4(E, S1) ⊑_{S2,γ2} E2 implies
∀I1, I2, I1 ⊑_{E1,γ1} S1 ∧ I2 ⊑_{E2,γ2} S2 ⇒ γ5(I1, I2) ⊑_{E,γ} γ5(S1, S2)

Theorem (Sufficient condition for dominance)
(A, γ, G) dominates {(A_i, γ_i, G_i)}_{i=1}^{n} w.r.t. γ if:
- γ_I(G1, ..., Gn) ⊑_{A,γ} G
- ∀i, γ_{\i}(A, γ_{I\i}(G1, ..., G_{i−1}, G_{i+1}, ..., Gn)) ⊑_{G_i,γ_i} A_i

with γ_{I\i} standing for the restriction of γ_I to P \ P_i and γ_{\i} for the restriction of γ to P_E ∪ P \ P_i.

Instantiated for n = 2, with (E, γ, S) as the contract for the composition and (E_i, γ_i, S_i) as the component contracts, the condition reads:
  γ5(S1, S2) ⊑_{E,γ} S
  γ3(E, S2) ⊑_{S1,γ1} E1
  γ4(E, S1) ⊑_{S2,γ2} E2

23 / 25

SLIDE 47

Section 5: Conclusion and future work

24 / 25

SLIDE 48

Conclusion and future work

Conclusion
- a definition of contract-based verification framework
- contracts with a structural part
- separation between assumption and guarantee
- a generic sufficient condition for dominance
- two motivating examples (see Larsen, Nyman, Wasowski, Modal I/O Automata for Interface and Product Line Theories)

Future work
- other proofs can be generalized
- take into account the structure of the set of behaviors
- generalize notions such as compatibility, consistency etc.

25 / 25