Verification of Hierarchical Component-Based Designs in FRESCO Tom Henzinger, Marius Minea, Vinayak Prabhu


Post on 22-Dec-2015






<ul>
<li> Slide 1: Verification of Hierarchical Component-Based Designs in FRESCO. Tom Henzinger, Marius Minea, Vinayak Prabhu </li>
<li> Slide 2: Context
<ul>
<li> Overall approach: use component hierarchy to limit complexity; design for verifiability </li>
<li> Application domain: primarily embedded systems </li>
<li> Verification goals: refinement checking; assume-guarantee reasoning </li>
</ul>
</li>
<li> Slide 3: FRESCO: Formal Real-Time Software Components
<ul>
<li> formal: components are mathematical objects that can be analyzed </li>
<li> real-time: behavior contains discrete and continuous executions over time </li>
<li> components model software + hardware + environment </li>
<li> Masaccio: high-level component view </li>
<li> Giotto: processes executing on a real-time OS </li>
</ul>
</li>
<li> Slide 4: Components in Masaccio
<ul>
<li> Component = interface + behavior </li>
<li> Interface: specifies interaction with other components: input and output variables + dependence relation; control locations + entry conditions </li>
<li> Behavior: set of executions: entry (jump | flow)* (a, ); entry (jump | flow)* exit (a, , b) </li>
<li> components are deadlock-free </li>
<li> (figure: a component with variables x, y, z and locations a, b) </li>
</ul>
</li>
<li> Slide 5: Atomic Components
<ul>
<li> Atomic discrete component; atomic continuous component </li>
<li> (figures: locations a, b; variables x, y; y = f(x, y)) </li>
</ul>
</li>
<li> Slide 6: Operations: Parallel Composition
<ul>
<li> synchronous conjunction of component behaviors </li>
<li> same entry locations </li>
<li> one component may preempt another (determines exit location) </li>
<li> (figure: composition A || B over locations a, b, c) </li>
</ul>
</li>
<li> Slide 7: Operations: Serial Composition
<ul>
<li> disjunction of component behaviors </li>
<li> entry conditions for common entry locations are disjoint </li>
<li> can represent different execution modes of the system </li>
<li> (figure: composition A + B with entry conditions g1, g2 at location a and locations b, c) </li>
</ul>
</li>
<li> Slide 8: Operations: Hiding and Renaming
<ul>
<li> Location hiding: makes a location internal to a component; strings together component executions; typically used with serial composition </li>
<li> Location renaming </li>
<li> Variable hiding </li>
<li> Variable renaming </li>
<li> (figure: locations a, b, c) </li>
</ul>
</li>
<li> Slide 9: Building Components
<ul>
<li> All components can be built from atomic components using the six basic operations </li>
<li> Example: control of a robot motor, with obstacle sensor (figure: variables left: bool, right: bool, obst: bool; assignment left := right := T; transitions guarded by obst) </li>
</ul>
</li>
<li> Slide 10: Refinement of Components
<ul>
<li> Generalizes trace inclusion </li>
<li> Component A refines component B iff: A and B have compatible interfaces (A may have more variables, stronger dependence relation); every behavior of A has as prefix a behavior of B (possibly ending in a different exit location) </li>
<li> (figure: a component over locations a, b, c refines a serial composition with location b hidden) </li>
</ul>
</li>
<li> Slide 11: Example: A Simple Robot Motor Controller (figure: hierarchy built with || and + from the components Straight, Turn, Move, Wait, Follow, Lead and Motor) </li>
<li> Slide 12: Compositionality. All component operations are compositional:
<ul>
<li> A B A + C B + C </li>
<li> A B A || C B || C </li>
<li> A B A \ a B \ a </li>
<li> A B A [a := b] B [a := b] </li>
<li> A B A \ x B \ x </li>
<li> A B A [x := y] B [x := y] </li>
</ul>
</li>
<li> Slide 13: Assume-Guarantee Reasoning
<ul>
<li> C[A1,B2] C[A2,B2] </li>
<li> C[A2,B1] C[A2,B2] </li>
<li> C[A1,B1] C[A2,B2] </li>
<li> (figure: context C with components A1, A2 and B1, B2) </li>
</ul>
</li>
<li> Slide 14: Assume-Guarantee: Example. Consider a reimplementation of the robot controller.
<ul>
<li> Prove: C A [Control I A ] || C B [Control I B ] C A [Control A ] || C B [Control B ] </li>
<li> discharged by assume-guarantee: C A [Control I A ] || C B [Control B ] C A [Control A ] || C B [Control B ]; C A [Control A ] || C B [Control I B ] C A [Control A ] || C B [Control B ] </li>
<li> first premise rewritten as: Control I A || Motor A || Control B || Motor B Control A || Motor A || Control B || Motor B </li>
<li> discharged by compositional reasoning: Control I A || Control B Control A || Control B </li>
<li> rewritten as: (Control I A + Follow A ) \ e L \ e F || Control B (Control A + Follow A ) \ e L \ e F || Control B </li>
</ul>
</li>
<li> Slide 15: Assume-Guarantee: Importance
<ul>
<li> Assume-guarantee rule for parallel composition: well studied [Abadi &amp; Lamport, Alur &amp; Henzinger, McMillan] </li>
<li> For serial composition: only recently [Alur &amp; Grosu 00] </li>
<li> In Masaccio: first combination of the two </li>
<li> Exploits compositionality and hierarchy of the formalism </li>
</ul>
</li>
<li> Slide 16: Ongoing and Future Work
<ul>
<li> Related: rich application interfaces (real-time, QoS) (Luca); time-triggered implementation of Giotto (Ben, Christoph) </li>
<li> Compositionality and assume-guarantee (w. Vinayak): evaluation on examples </li>
<li> Refinement of timed behavior: reduce to refinement of time-abstract quotients; use to show refinement between Masaccio and Giotto </li>
<li> Exploiting hierarchy in verification: reachability analysis without flattening the design </li>
</ul>
</li>
</ul>
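As an added illustration of the refinement, parallel and serial composition, and compositionality notions on slides 4, 6, 7, 10 and 12 (example code written for this page, not part of the slides or of the FRESCO/Masaccio tools): a tiny finite-trace model in which refinement is prefix inclusion after projecting to the specification's variables, so that the compositionality rules can be checked on a constructed robot-controller sample. The component definitions, variable names and the preemption-by-truncation semantics of parallel composition are simplifying assumptions.

```python
from itertools import product
# Added toy model of Masaccio-style components (not the authors' tool): a step is a
# valuation (frozenset of (variable, value) pairs), an execution is (entry_location,
# tuple_of_steps), a component is (variables, executions). Flows, entry conditions
# and exit locations are omitted from this abstraction.

def val(**kw):
    """Build a valuation, e.g. val(left=True, obst=False)."""
    return frozenset(kw.items())

def consistent(s, t):
    """Two valuations agree on every variable they share."""
    return all(v == w for (x, v), (y, w) in product(s, t) if x == y)

def project(execution, variables):
    """Restrict every step of an execution to the given variables."""
    entry, steps = execution
    return entry, tuple(frozenset((x, v) for x, v in s if x in variables) for s in steps)

def refines(a, b):
    """A refines B iff B's variables are among A's and every execution of A,
    projected to B's variables, has some execution of B as a prefix."""
    (va, ea), (vb, eb) = a, b
    if not vb <= va:
        return False
    return all(any(ent == e and steps[:len(p)] == p for e, p in eb)
               for ent, steps in (project(x, vb) for x in ea))

def parallel(a, b):
    """Synchronous conjunction: same entry location and step-wise consistent
    valuations; the shorter execution preempts (truncates) the longer one."""
    (va, ea), (vb, eb) = a, b
    out = set()
    for (e1, s1), (e2, s2) in product(ea, eb):
        if e1 == e2 and all(consistent(p, q) for p, q in zip(s1, s2)):
            out.add((e1, tuple(p | q for p, q in zip(s1, s2))))
    return va | vb, out

def serial(a, b):
    """Disjunction of behaviours (entry conditions at shared locations assumed disjoint)."""
    return a[0] | b[0], a[1] | b[1]

# Constructed sample after the robot controller: MOVE drives both motors; CONTROL
# refines it but also turns once the obstacle sensor fires; BAD does not refine it.
MOVE = ({"left", "right"}, {("a", (val(left=True, right=True),))})
CONTROL = ({"left", "right", "obst"}, {("a", (val(left=True, right=True, obst=False),
                                             val(left=True, right=False, obst=True)))})
BAD = ({"left", "right", "obst"}, {("a", (val(left=False, right=True, obst=False),))})
SENSOR = ({"obst"}, {("a", (val(obst=False), val(obst=True))), ("a", (val(obst=False), val(obst=False)))})
WAIT = ({"left", "right"}, {("w", (val(left=False, right=False),))})
```

Calling `refines(CONTROL, MOVE)` and `refines(parallel(CONTROL, SENSOR), parallel(MOVE, SENSOR))` both return True, while `refines(BAD, MOVE)` returns False, which is the compositionality pattern of slide 12 on this sample.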
Prove: C A [Control I A ]||C B [Control I B ] C A [Control A ]||C B [Control B ] discharged by assume-guarantee: C A [Control I A ]||C B [Control B ] C A [Control A ]||C B [Control B ] C A [Control A ]||C B [Control I B ] C A [Control A ]||C B [Control B ] first premise rewritten as: Control I A ||Motor A ||Control B ||Motor B Control A ||Motor A ||Control B ||Motor B discharged by compositional reasoning: Control I A ||Control B Control A ||Control B rewritten as: (Control I A + Follow A )\e L \e F ||Control B (Control A + Follow A )\e L \e F ||Control B </li> <li> Slide 15 </li> <li> Assume-Guarantee: Importance Assume-guarantee rule for parallel composition: well studied [Abadi &amp; Lamport, Alur &amp; Henzinger, McMillan] For serial composition: only recently [Alur &amp; Grosu 00] In Masaccio: first combination of the two Exploits compositionality and hierarchy of formalism </li> <li> Slide 16 </li> <li> Ongoing and Future Work Related: rich application interfaces (real-time, QoS) (Luca) time-triggered implementation of Giotto (Ben, Christoph) Compositionality and Assume-Guarantee (w. Vinayak) evaluation on examples Refinement of Timed Behavior reduce to refinement of time-abstract quotients use to show refinement between Masaccio and Giotto Exploiting Hierarchy in Verification reachability analysis without flattening design </li> </ul>