Quantitative Quantitative Quantitative Quantitative Modal Modal - PowerPoint PPT Presentation

Quantitative Quantitative Quantitative Quantitative Modal Modal Transition Transition Systems Systems Kim Guldstrand Larsen Aalborg University Aalborg University, DENMARK

The Early Days –— Edinburgh 83-85 Milner Symposium, Kim Larsen [2] Edinburgh, April 16-18, 2012

Original Aim � Need for sound compositional specification formalisms supporting step-wise development formalisms supporting step wise development and design of concurrent systems � Components are specified in a formal way at a certain abstraction level. � Specifications are gradually refined until a � Specifications are gradually refined until a concrete system is produced. � If the refinement steps preserve certain p p properties, the final system will as well. � STILL HIGHLY RELEVANT ! STILL HIGHLY RELEVANT ! Milner Symposium, Edinburgh, April 16-18, 2012 3

Bisimulation Context Dependent Bisimulation Context Dependent Bisimulation Modal Transition Systems 1986 TAU TAU CWB CWB 1988 UPPAAL Probabilistic MTS 1991 Interval Markov Chains Interval Markov Chains 1995 2005 Timed MTS Timed MTS 2009 ECDAR Constraint Markov Chains 2010 2011 APAC 2012 Parameterized MTS Weighted MTS Weighted MTS Dual-Priced MTS Modal Contracts Milner Symposium, Edinburgh, April 16-18, 2012 4

Bisimulation [Park according to Milner] � R � Pr × Pr is a (strong) bisimulation iff whenever (P Q) � R then whenever (P,Q) � R then i) whenever P-a-> P’‚ then Q-a->Q’‚ for some Q’‚ with (P’‚,Q’‚) � R Q ( Q ) ii) whenever Q-a-> Q’‚ then P-a->P’‚ for some P’‚ with (P’‚,Q’‚) � R � P � Q iff (P,Q) � R for some bisimulation R � � is a congruence relation Milner Symposium, Edinburgh, April 16-18, 2012 5

Compositionality � Properties of a combined program should be obtained from properties of component! obtained from properties of component! � Correctness problem: SYS � SPEC p � Compositional Verification 1. Decompose: SYS = C[SYS 1 ,…‧,SYS n ] 2. Verify: SYS i � SPEC i 3. Combine: 3 Combine: SPEC SPEC � C[SPEC 1 ,…‧,SPEC n ] C[SPEC SPEC ] Problem: how to obtain simple subspecification? Problem: how to obtain simple subspecification? � Milner Symposium, Edinburgh, April 16-18, 2012 6

A Simple Scheduler d � A = a! ab! da? A � A = a! ab! da? A cd c c D C � B = ab? b! bc! B � B = ab? b! bc! B � C = bc? c! cd! C � C = bc? c! cd! C bc b da � D = cd? d! da! D � D = cd? d! da! D A A B B � SPEC = � SPEC = ab a! � b! � c! � d! � SPEC a! � b! � c! � d! � SPEC a b � ( A | B | C | D ) � SPEC � ( A | B | C | D ) � SPEC ( ( ) ) Milner Symposium, Edinburgh, April 16-18, 2012 7

Compositional Verification A = a! ab! da? A A = a! ab! da? A � � d B = ab? b! bc! B B = ab? b! bc! B � � cd C = bc? c! cd! C C = bc? c! cd! C c c � � D C D = cd? d! da! D D = cd? d! da! D � � SPEC = SPEC = � � a! � b! � c! � d! � SPEC a! � b! � c! � d! � SPEC a! � b! � c! � d! � . SPEC a! � b! � c! � d! � . SPEC b bc da SYS 1 = D | C SYS 1 = D | C � � A A B B SYS 2 = A | B SYS 2 = A | B � � ab a b SPEC 1 = bc? c! � d! da! SPEC 1 SPEC 1 = bc? c! � d! da! SPEC 1 � � 1 1 1 1 SPEC 2 = a! � b! bc! da? SPEC 2 SPEC 2 = a! � b! bc! da? SPEC 2 � � � However SYS i � SPEC i � However SYS i � SPEC i Milner Symposium, Edinburgh, April 16-18, 2012 8

Compositional Verification d SYS 1 = D | C SYS 1 = D | C � � cd c SYS 2 = A | B SYS 2 = A | B D C � � SPEC 1 = bc? c! � d! da! SPEC 1 SPEC 1 = bc? c! � d! da! SPEC 1 � � bc da SPEC 2 = a! � b! bc! da? SPEC 2 SPEC 2 = a! � b! bc! da? SPEC 2 � � A A B B ab Clearly SYS 2 � SPEC 2 Clearly SYS 2 � SPEC 2 a b da? In fact no hope for a In fact no hope for a In fact no hope for a In fact no hope for a bc! b! simple SPEC 2 simple SPEC 2 a! � However However da? da? SYS 2 � E SYS 2 � E Y Y E SPEC 2 E SPEC 2 PEC PEC b! A | B bc! where E is an environment where E is an environment a! a! capturing capturing bc! bc! b! b! behaviour relevant behaviour relevant in the context ( [] | C | D) in the context ( [] | C | D) Milner Symposium, Edinburgh, April 16-18, 2012 9

Compositional Verification d SYS 1 = D | C SYS 1 = D | C � � cd c SYS 2 = A | B SYS 2 = A | B D C � � SPEC 1 = bc? c! � d! da! SPEC 1 SPEC 1 = bc? c! � d! da! SPEC 1 � � bc da SPEC 2 = a! � b! bc! da? SPEC 2 SPEC 2 = a! � b! bc! da? SPEC 2 � � A A B B ab Clearly SYS 2 � SPEC 2 Clearly SYS 2 � SPEC 2 a b da? In fact no hope for a In fact no hope for a In fact no hope for a In fact no hope for a bc! b! simple SPEC 2 simple SPEC 2 a! � da? da? b! A | B bc! a! a! bc! bc! b! b! Milner Symposium, Edinburgh, April 16-18, 2012 10

Bisimulation Context Dependent Bisimulation Context Dependent Bisimulation Modal Transition Systems 1986 1988 UPPAAL Probabilistic MTS 1991 Interval Markov Chains Interval Markov Chains 1995 2005 Timed MTS Timed MTS 2009 ECDAR Constraint Markov Chains 2010 2011 APAC 2012 Parameterized MTS Weighted MTS Weighted MTS Dual-Priced MTS Modal Contracts Milner Symposium, Edinburgh, April 16-18, 2012 11

Environments � E E = ( Env , Act, � ) P � E Q � E –—a-> E’‚ : � E allows (can consume) the action a and become E’‚ E allows (can consume) the action a and become E � P -a-> P’‚ : � P can produce the action a and become P’‚ p � Special Environments � O : ¬ ( O –—a->) for all actions a. Thus we expect P � O Q for all P and Q Th t P Q f ll P d Q � U : U –—a-> U for any action a. Thus we expect P � U Q iff Thus we expect P U Q iff P � Q P Q . Milner Symposium, Edinburgh, April 16-18, 2012 12

Environment Environment should cover the Environment should cover the d behaviour allowed by behaviour allowed by cd the context the context c c D C ( [] | C | D ) ??? ( [] | C | D ) ??? Only a!, b!, da?, bc!, � Only a!, b!, da?, bc!, � bc b N No restrictions on a!, b!, � No restrictions on a!, b!, � N t i ti t i ti ! b! ! b! da a!, b!, � Inhabitant Inhabitant E a b bc! bc! da?, da? E’‚ U U bc! bc! a!, b!, � Milner Symposium, Edinburgh, April 16-18, 2012 13

Parameterized Bisimulation � Let E = ( Env , Act, � ). � An E -parameterized bisimulation is an Env- � An E -parameterized bisimulation is an Env- indexed family R = { R E : E � Env } with R E � Pr × Pr , such that whenever whenever (P,Q) � R E and E-a->E’‚ then i) whenever P-a->P’‚ then Q-a->Q’‚ for some Q with (P ,Q ) � R E’‚ for some Q’‚ with (P’‚ Q’‚) � R ii) whenever Q-a->Q’‚ then P-a->P’‚ for some P’‚ with (P’‚,Q’‚) � R E’‚ E � P � E Q, whenever (P,Q) � R E for some parameterized bisimulation R parameterized bisimulation R . Milner Symposium, Edinburgh, April 16-18, 2012 14

Compositional Verification –— Revisited da? a!, b!, � bc! b! a! a! SPEC SPEC 2 � E bc! da?, da? E’‚ U bc! b! a! bc! � d ? da? da? d ? a! b! a!, b!, � A | B b! Remaining Question Remaining Question bc! Does Does a! a! SPEC 2 � E A|B SPEC 2 � E A|B bc! b! imply imply (SPEC 2 | C|D ) � ( A|B | C|D ) (SPEC 2 | C|D ) � ( A|B | C|D ) Semantics of contexts as Semantics of contexts as action transducer! action transducer! Milner Symposium, Edinburgh, April 16-18, 2012 15

The Alternating Bit Protocol Milner Symposium, Edinburgh, April 16-18, 2012 16

ABP in the TAU Tool � CWB Milner Symposium, Edinburgh, April 16-18, 2012 17

ABP in the TAU Tool � CWB Tatsuya Hagino Professor, Faculty of Faculty of Environmental Information, Keio University, Japan Milner Symposium, Edinburgh, April 16-18, 2012 18

Bisimulation Context Dependent Bisimulation Context Dependent Bisimulation Modal Transition Systems 1986 TAU TAU CWB CWB 1988 UPPAAL Probabilistic MTS 1991 Interval Markov Chains Interval Markov Chains 1995 2005 Timed MTS Timed MTS 2009 ECDAR Constraint Markov Chains 2010 2011 APAC 2012 Parameterized MTS Weighted MTS Weighted MTS Dual-Priced MTS Modal Contracts Milner Symposium, Edinburgh, April 16-18, 2012 19

Operations on Specifications � Structural Composition: � Given S 1 and S 2 construct S 1 par S 2 such that | | S 1 par S 2 | = |S 1 | par |S 2 | | | | | | � should be precongruence wrt par to allow for � compositional analysis ! � Logical Conjunction: � Given S and S construct S Æ S such that � Given S 1 and S 2 construct S 1 Æ S 2 such that |S 1 Æ S 2 | = |S 1 | Å |S 2 | � Quotienting: � Given overall specification T and component specification S construct the quotient specification T\S such that q p f S par X � T iff X � T\S Milner Symposium, Edinburgh, April 16-18, 2012 20