translation-based compositional reasoning for software systems

Translation-Based Compositional Reasoning for Software Systems

Fei Xie and James C. Browne

Robert P. Kurshan

Cadence Design Systems

2

Agenda

• Motivations

• Translation-Based Compositional Reasoning

• An Realization of TBCR

• Applications

• Conclusions

3

Software Model Checking

• Improves reliability of software systems;

• Often applied through– Translation of software systems to directly

model-checkable formalisms;– Or abstraction first, then translation.

• Requires Compositional Reasoning to check large-scale software systems.

4

Compositional Reasoning

• How it works– Decompose a system into components;

– Verify component properties;

– Derive system properties from component properties.

• To support it, what need be done– Establish a compositional reasoning rule;

– Prove the correctness of the rule;

– Implement the rule.

5

Problem to be addressed

• How to support compositional reasoning in software model checking through translation?

6

Problem Context

• Software systems are often model checked through translation.

• Formulation and reasoning of properties are more naturally accomplished in the software semantics.

• Direct proof of compositional reasoning rules in software semantics is often difficult.

• Rules have been established, proven, and implemented for widely used formal semantics.

7

Agenda

• Motivations



• Applications

• Conclusions

8

Rule Establishment and Proof

Software Semantics

Formal Semantics

(1) Establish a compositional reasoning rule

(4) Prove the rule based onthe mapping and proof of the corresponding rule in formal semantics

(3) Prove the corresponding rule or reuse existing proof

(2) Map the rule to its corresponding rule in the formal semantics

Semantics Translation

9

Background: General Form of Rule

• Premises– Verification of component properties;– Validation of circular dependencies;– Derivation of system properties from component

properties.

• Conclusion– System properties hold on the system.

10

Rule Implementation and Application

Software System

Formal Representation

(1) Formulation of premises for applying the rule

(2) Translation of the premises.

(4) Establishmentof conclusion according tothe proven rule.

(3) Discharge of the premises

11

Agenda

• Motivations



• Applications

• Conclusions

12

Translation Context

SemanticsConformance

SemanticsConformance

AIMSemantics

-automatonSemantics

Semantics Translation

xUML S/RxUML-to-S/R Translation

xUML: An executable dialect of UML;S/R: Input language of COSPAN model checker.

13

Realization of TBCR

• Rule Establishment

• Rule Proof

• Rule Implementation and Application

14

AIM Semantics

• Asynchronous Interleaving Message-passing– A system consists of a finite set of processes.– Processes execute asynchronously. – At any moment, only one process executes. – Interactions via asynchronous message-passing.

• Systems, components, and properties are all specified as AIM processes.

15

Definitions

• Let P and Q be two AIM processes;

• L(P), the language of P;

• P implements Q, P |= Q, if L(P) L(Q);– Language containment;– Basic model checking algorithm;

• P // Q is a composition of P and Q;

• CL(P) is the safety closure of P.

16

Rule Establishment

• Adapting existing rules in other semantics– Reuses previous efforts;

• Devising new rules– Customizes to special semantics requirement.

17

Rule AENT [Amla, Emerson, Namjoshi, and Trefler] • Has been adapted to AIM semantics.

To show P1//P2 |= Q, find Q1 and Q2 that satisfy:

C1: P1//Q2 |= Q1 and P2 //Q1 |= Q2

{Verifying component properties assuming properties of other components hold}

C2: Q1//Q2 |= Q

{Deriving system property from component properties}

C3: Either P1//CL(Q) |= (Q + Q1 + Q2) Or P2//CL(Q) |= (Q + Q1 + Q2)

{Validating circular dependencies among component properties}

Conclusion

Premises

18

Why validate circular dependenciesbetween component properties?

Eventually (A) Eventually (B)

Eventually (A) and Eventually (B)?

C1 C2

X X A = FALSEB = FALSE

19

Realization of TBCR


• Rule Proof


20

Translation from AIM Semantics to -automaton semantics

AIM Semantics

-automaton Semantics

I/O-automaton Semantics

21

Preservation of Language Containment

• L(A) L(B) iff L(Trans(A)) L(Trans(B));• Theorem 1:

– Translation from AIM semantics to I/O-automaton semantics preserves language containment.

• Theorem 2: – Translation from I/O-automaton semantic to -

automaton semantics preserves language containment.

• Theorem 3: – Translation from AIM Semantic to -automaton

semantics preserves language containment.

22

Proof via Semantics Translation

• Proof sketch for Rule AENT:– Assume that C1, C2, and C3 hold;– By Theorem 3, -automaton translations of

C1, C2, C3 hold; – By -automaton counterpart of Rule AENT,

-automaton translation of P1//P2 |= Q holds;

– By Theorem 3, P1//P2 |= Q holds.

23

Realization of TBCR


• Rule Proof


24

Model Checking of xUML Model

Property Specification Interface xUML IDE Error Visualizer

xUML-to-S/R Translator Error Report Generator

COSPAN Model Checker

S/R ModelS/R Query

Error Report

Error Track

Designer

xUML ModelProperty

AIM Semantics

-automaton Semantics

25

Application of Rule AENT

• Given a system and a property in xUML:• On xUML level:

– The system is decomposed;– Premises of Rule AENT are formulated.

• Premises are translated into S/R.• On S/R level

– Premises are discharged with COSPAN model checker.

• On xUML level – Conclude that the property holds on the system if the

premises are successfully discharged.

26

Agenda

• Motivations


• Realization of TBCR

• Applications

• Conclusions

27

Two Major Applications

• Integrated state space reduction framework

• Verification of component-based systems

28

Verification of Component-based Systems

• Temporal properties are specified, verified, and packaged with components.

• Larger components are composed incrementally. • Component reuse considers component properties.

• Verification of a property of a composed component – Reuses verified properties of its sub-components;

– Follows abstraction-refinement paradigm;

– Is based on compositional reasoning.

29

Case Study: TinyOS [Hill, et. al, `00]

• A run-time system for network sensors from UC Berkeley;

• Component-based– Different requirements of sensors; – Physical limitations of sensors;

• High reliability required – Concurrency-intensive operations;– Installation to many sensors.

30

Sensor Component

Output messageType

Input messageType

ComponentBoundary

AIMProcess

31

Properties of Sensor Component

• Property Q1 (Output repeatedly):Repeatedly (Output);

• Property Q2 (Output handshake correctly handled):After (Output) Never (Output) UntilAfter (OP_Ack);

After (Done) Eventually (Done_Ack);

Never (Done_Ack) UntilAfter (Done);

After (Done_Ack) Never (Done_Ack) UntilAfter(Done);

32

Network Component

33

Properties of Network Component

• Property Q3 (Transmit repeatedly if input repeatedly): IfRepeatedly (Data) Repeatedly (RFM.Pending);

IfRepeatedly (Data) Repeatedly (Not RFM.Pending);

• Property Q4 (Input handshake correctly handled):After (Data) Eventually (Data_Ack);

Never (Data_Ack) UntilAfter (Data);

After (Data_Ack) Never (Data_Ack) UntilAfter (Data);

After (Sent) Never (Sent) UntilAfter (Sent_Ack);

34

Verification of Primitive Components

• Q1 and Q2 were verified on the Sensor component assuming Q4.

• Q3 and Q4 were verified on the Network component assuming Q2.

Discharge of Premise C1 of Rule AENT.

35

Sensor-to-Network (SN) Component

Property Q (Transmit repeatedly):Repeatedly (RFM.Pending); Repeatedly (Not RFM.Pending);

36

Verification of Q on SN

• Q is checked on an abstraction of SN.

• The abstraction consists of sub-component properties that are– Enabled (whose assumptions hold);– Not involved in invalid circular dependencies.

• Q1, Q2, Q3, and Q4 are not included due to circular dependencies between Q2 and Q4.

37

Verification of Q on SN (cont.)

• Circular dependency between Q2 and Q4 is validated.

(Discharge of Premise C3 of Rule AENT. )• The abstraction is refined by including Q1 and Q3.• Q is verified on the refined abstraction.

(Discharge of Premise C2 of Rule AENT.)

Conclusion: Q holds on Sensor-to-Network.

38

Agenda

• Motivations


• Realization of TBCR

• Applications

• Conclusions

39

Conclusions

• Translation-Based Compositional Reasoning– Simple and effective;– Suitable for compositional reasoning in software

model checking through translation;– Simplifies proof of compositional reasoning rules;– Reuses existing compositional reasoning rules.

translation-based compositional reasoning for software systems

Documents