Relational Interfaces and Refinement Calculus for Compositional System Reasoning (presentation slides)


SLIDE 1

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

Viorel Preoteasa Joint work with Stavros Tripakis and Iulia Dragomir

08.12.2015 1 Computational Logic Day 2015

SLIDE 2

Overview

  • Motivation
  • General refinement
  • Relational interfaces
  • Refinement calculus for reactive systems
  • Liveness properties
  • Modeling Simulink Diagrams


SLIDE 3

Motivation

  • Is the system correct?
  • Can we replace a subsystem by another subsystem, preserving the functionality?
  • Compatibility. Is the composition of two systems meaningful?
  • Can we model liveness properties?

We are interested in reactive systems – systems that repeatedly take some input from the environment and produce some output.

SLIDE 4

Refinement

Refinement (denoted A ⊑ B):

  • System A is refined by system B, or
  • Informally: B can replace A in any context
  • Formally:
    1. If A satisfies a property P then B satisfies P
    2. If A ⊑ A′ and B ⊑ B′ then A ⊗ B ⊑ A′ ⊗ B′

A ⊗ B denotes some composition of systems A and B

SLIDE 5

Refinement

  • Correctness:
    – Specification ⊑ Implementation
  • Substitutability:
    – If we have B ⊑ B′, then
    – A ⊗ B ⊗ C ⊑ A ⊗ B′ ⊗ C
    – The system A ⊗ B′ ⊗ C satisfies all properties satisfied by A ⊗ B ⊗ C
  • (In)Compatibility:
    – A ⊗ B = Fail or A ⊗ B ⊑ Fail, where
    – Fail = while true do skip, or Fail = unhandled exception, or Fail = assertion on input is false for every input

SLIDE 6

Interface theories

  • Interface theories can express some of the properties presented above, but not liveness
    – Relational interfaces introduced by Tripakis et al., A Theory of Synchronous Relational Interfaces, ACM TOPLAS, 2011
    – Interface automata introduced by Alfaro et al., Interface Automata, FSE, ACM, 2009
  • On the other hand there are frameworks capable of expressing liveness properties, but they cannot express compatibility of systems.
    – Focus framework, Broy et al., Specification and Development of Interactive Systems: Focus on Streams, Interfaces, and Refinement, Springer, 2001

SLIDE 7

Relational Interfaces - Example

  • Division component:
  • Contract: y ≠ 0 ∧ z = x/y
  • The condition y ≠ 0 introduces a requirement on input y
  • If input y = 0, then Divide fails (this is different from Fail = fails for all inputs).

[Figure: component Divide with inputs x, y and output z]

SLIDE 8

Relational Interfaces – Composition

  • Output of one component becomes the input of the second component
  • The requirement on y is propagated to a and b
  • Choosing a and b properly we can ensure y ≠ 0
  • The composition fails if a = −b (the composition is not Fail)

[Figure: a component with inputs a, b and contract y = a + b ∧ x > 10, whose outputs x, y feed Divide (y ≠ 0 ∧ z = x/y), which produces z]

SLIDE 9

Relational Interfaces - Incompatibility

  • The two systems are incompatible
  • The component True produces non-deterministically values x and y
  • By controlling a there is no possibility of ensuring y ≠ 0
  • The composition of these systems is Fail, because the composition fails for every input.

[Figure: component True with input a and outputs x, y feeding Divide (y ≠ 0 ∧ z = x/y), which produces z]

SLIDE 10

Relational Interfaces – Limitations

  • Relational interfaces cannot model liveness properties
  • Semantics of relational interfaces:
    – prefix closed sets of finite input output traces

SLIDE 11

Reactive systems

  • A reactive system is a machine that takes as input an infinite sequence x0, x1, x2, … and outputs an infinite sequence y0, y1, y2, …
  • Assume a system that counts and outputs how many input values seen so far are true.
  • Then
    – Input: 0,1,0,0,1,1,1,0,0, …
    – Output: 0,1,1,1,2,3,4,4,4, …

SLIDE 12

Our Goal

A compositional theory for reactive systems with both safety and liveness

[Figure: component A with output x satisfying □(x ≥ 0), connected to component B requiring □◊(x = 1)]

  • A specifies that its output x is always greater than or equal to zero
  • B requires that its input is infinitely often equal to one.
  • The output of A is connected to the input of B.
  • In our framework: these components are incompatible
  • We want to be able to use LTL formulas in specifications

SLIDE 13

Refinement Calculus for Reactive Systems

  • Monotonic property transformers
    – Functions mapping sets of infinite output sequences into sets of input sequences
    – Property = set of infinite sequences
  • A system A applied to a set of output sequences Q is the set of all input sequences that do not fail and produce an output sequence in Q.
  • Based on the Refinement Calculus introduced by Back, On the correctness of refinement in program development, 1978

SLIDE 14

Refinement Calculus for Reactive Systems

This semantics enables reasoning about all features that we mentioned at the beginning:

  • Correctness
  • Substitutability
  • Compatibility
  • And also liveness properties


SLIDE 15

Reactive systems – Operations

The operations on reactive systems are defined in the same way as for predicate transformers

  • Sequential composition = function composition:
    – (A ∘ B)(Q) = A(B(Q))
    – where Q is a set of infinite sequences.
  • Refinement = point-wise subset:
    – A ⊑ B ⇔ (∀Q : A(Q) ⊆ B(Q))
  • Fail(Q) = ∅
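The Divide, Adder and True components of slides 7–9, together with the definitions of slide 15 (composition as A(B(Q)), refinement as point-wise subset, Fail(Q) = ∅), worked out in Python as an added example; this is not code from the slides or from the authors' tool. Inputs and outputs are restricted to small constructed finite domains (A_DOM, B_DOM, X_DOM, Y_DOM) so that a property transformer can be evaluated by enumeration, and the class and function names as well as the SafeDivide variant are assumptions made for this example. It goes slightly beyond the slides in that the refinement check enumerates every property Q over the finite output domain rather than reasoning about one Q.

```python
from fractions import Fraction
from itertools import combinations, product


class System:
    """A component given by its property transformer (constructed example).

    apply(Q) maps a property Q (a set of outputs) to the set of inputs that do
    not fail and whose every possible output lies in Q.
    """

    def __init__(self, name, inputs, outputs, apply):
        self.name = name
        self.inputs = list(inputs)
        self.outputs = list(outputs)
        self._apply = apply

    def __call__(self, q):
        return self._apply(set(q))

    def is_fail(self):
        # Transformers are monotonic, so S(all outputs) = ∅ already means S(Q) = ∅ for every Q.
        return not self(self.outputs)


def interface(name, inputs, outputs, contract):
    """Relational interface with input/output contract contract(i, o) over finite domains."""
    inputs, outputs = list(inputs), list(outputs)

    def apply(q):
        legal = set()
        for i in inputs:
            outs = [o for o in outputs if contract(i, o)]
            # Input i is legal iff the contract allows some output (no failure)
            # and every allowed output satisfies the property q.
            if outs and all(o in q for o in outs):
                legal.add(i)
        return legal

    return System(name, inputs, outputs, apply)


def compose(a, b):
    """Sequential composition: outputs of a feed b, and (A ∘ B)(Q) = A(B(Q))."""
    if not set(a.outputs) <= set(b.inputs):
        raise ValueError("outputs of %s are not all inputs of %s" % (a.name, b.name))
    return System("%s ∘ %s" % (a.name, b.name), a.inputs, b.outputs, lambda q: a(b(q)))


def refines(a, b):
    """A ⊑ B iff A(Q) ⊆ B(Q) for every property Q (enumerated over the finite output domain)."""
    outs = list(set(a.outputs) | set(b.outputs))
    for k in range(len(outs) + 1):
        for chosen in combinations(outs, k):
            q = set(chosen)
            if not a(q) <= b(q):
                return False
    return True


def legal_inputs(system):
    """Inputs on which the system does not fail, i.e. S(all outputs)."""
    return system(system.outputs)


# Constructed finite domains; the slides leave x, y, a, b unbounded.
A_DOM = B_DOM = (-1, 0, 1)
X_DOM = (11, 12)
Y_DOM = (-2, -1, 0, 1, 2)

XY = list(product(X_DOM, Y_DOM))
Z = {Fraction(x, y) for x, y in XY if y != 0}

# Divide: contract y ≠ 0 ∧ z = x/y (slide 7); inputs are pairs (x, y).
divide = interface("Divide", XY, Z,
                   lambda xy, z: xy[1] != 0 and z == Fraction(xy[0], xy[1]))

# SafeDivide (constructed variant): same as Divide when y ≠ 0, and z = 0 when y = 0.
safe_divide = interface("SafeDivide", XY, Z | {Fraction(0)},
                        lambda xy, z: (xy[1] != 0 and z == Fraction(xy[0], xy[1]))
                        or (xy[1] == 0 and z == 0))

# Adder (slide 8): inputs (a, b); outputs x > 10 chosen nondeterministically and y = a + b.
adder = interface("Adder", product(A_DOM, B_DOM), XY,
                  lambda ab, xy: xy[0] > 10 and xy[1] == ab[0] + ab[1])

# True (slide 9): input a; outputs x and y chosen nondeterministically, no constraint.
true_comp = interface("True", A_DOM, XY, lambda a, xy: True)


if __name__ == "__main__":
    ad = compose(adder, divide)
    print(ad.name, "legal inputs:", sorted(legal_inputs(ad)))   # every (a, b) with a != -b
    print(ad.name, "is Fail:", ad.is_fail())                     # False
    td = compose(true_comp, divide)
    print(td.name, "is Fail:", td.is_fail())                     # True: no a rules out y = 0
    print("Divide ⊑ SafeDivide:", refines(divide, safe_divide))  # True
    print("SafeDivide ⊑ Divide:", refines(safe_divide, divide))  # False
```

Running the block shows that Adder ∘ Divide is legal exactly on the pairs with a ≠ −b (so it is not Fail), that True ∘ Divide is Fail because no choice of a can rule out y = 0, and that Divide ⊑ SafeDivide holds while the converse does not: the refinement accepts strictly more inputs without adding outputs on the inputs Divide already accepts, which is what point-wise subset of the transformers captures.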

SLIDE 16

Simulink Example

[Figure: Simulink diagram in which a Delay block with initial value a produces u, a subtraction block computes z := u − x, and a division block with assertion z ≠ 0 computes y := x/z; y is fed back into the Delay block]

  • n = 0: x0; u0 := a; z0 := u0 − x0; y0 := x0/z0; z0 = u0 − x0 ≠ 0
  • n = 1: x1; u1 := y0; z1 := u1 − x1; y1 := x1/z1; z1 = u1 − x1 ≠ 0

SLIDE 17

Simulink Example

  • The variable u after the delay is calculated by:
    u₀ := a; uₙ₊₁ := xₙ/(uₙ − xₙ)
  • The output is given by:
    zₙ := uₙ − xₙ
  • The input xₙ must satisfy the following property: (∀n : uₙ ≠ xₙ)

SLIDE 18

Simulink Example as Property Transformer

  • Our tool produces the following property transformer

    {∀u : (u₀ = a) ∧ (∀n : uₙ₊₁ = xₙ/(uₙ − xₙ)) ⇒ (∀n : uₙ ≠ xₙ)}
    ∘ [z : ∃u : u = a ∧ □(u′ = x/(u − x) ∧ z = u − x)]

SLIDE 19

Simulink Example as Property Transformer

  • Using Linear Temporal Logic

    {∀u : u = a ∧ □(u′ = x/(u − x)) ⇒ □(u ≠ x)}
    ∘ [z : ∃u : u = a ∧ □(u′ = x/(u − x) ∧ z = u − x)]
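The Delay/Divide loop of slides 16–19, simulated step by step on a finite input prefix, as an added Python example that is not from the slides or from the authors' Simulink translator. The input values, the initial Delay value a and the function names are constructed here. A finite prefix can only check the assumption (∀n : uₙ ≠ xₙ) up to its length, so the simulation reports the first step at which the assumption is violated, which is the step at which the division block would fail; the last function also shows, for a fixed prefix, which initial values a keep the composition out of the failing case.

```python
from fractions import Fraction


def simulink_loop(a, xs):
    """Run the Delay/Divide loop on a finite input prefix xs (constructed example).

    u_0 := a; at step n: z_n := u_n - x_n, the division block requires z_n != 0,
    y_n := x_n / z_n, and the Delay block feeds u_{n+1} := y_n.
    Returns (outputs z_0.., delay values u_0.., failing step or None).
    """
    u = Fraction(a)
    zs, us = [], []
    for n, x in enumerate(xs):
        x = Fraction(x)
        us.append(u)
        z = u - x
        if z == 0:
            # Assumption u_n != x_n violated: the division block fails at step n.
            return zs, us, n
        zs.append(z)
        u = x / z  # y_n = x_n / z_n, delayed into u_{n+1}
    return zs, us, None


def prefix_is_legal(a, xs):
    """True iff the prefix xs satisfies u_n != x_n for every n < len(xs), given initial value a."""
    return simulink_loop(a, xs)[2] is None


def legal_initial_values(xs, candidates):
    """Initial Delay values (from a constructed candidate set) for which the prefix does not fail."""
    return {a for a in candidates if prefix_is_legal(a, xs)}


if __name__ == "__main__":
    zs, us, failed = simulink_loop(2, [1, 3, -1])
    print("outputs z:", zs, "delay values u:", us, "failed at:", failed)  # no failure
    zs, us, failed = simulink_loop(2, [1, 1])
    print("outputs z:", zs, "delay values u:", us, "failed at:", failed)  # u_1 = 1 = x_1
    print("legal a for prefix [1, 1]:", legal_initial_values([1, 1], range(-3, 4)))
```

For the prefix [1, 1] the first step requires a ≠ 1 and, since u₁ = 1/(a − 1), the second step requires a ≠ 2; every other candidate value of a keeps the assumption satisfied on that prefix, which is the finite-prefix counterpart of the antecedent in the property transformer above.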

SLIDE 20

Conclusions

  • We can model a number of desired features
    – Correctness
    – Substitutability
    – Compatibility
    – Liveness properties
    – … and many more
  • We can use linear temporal logic to specify and reason about these systems
  • We built a tool that translates Simulink models to property transformers.
  • The results were formalized in the Isabelle theorem prover