1 / 39

Translation-Based Compositional Reasoning for Software Systems

Cadence Design Systems. Translation-Based Compositional Reasoning for Software Systems. Fei Xie and James C. Browne. Robert P. Kurshan. Agenda. Motivations Translation-Based Compositional Reasoning An Realization of TBCR Applications Conclusions. Software Model Checking.

min
Download Presentation

Translation-Based Compositional Reasoning for Software Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cadence Design Systems Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan

  2. Agenda • Motivations • Translation-Based Compositional Reasoning • An Realization of TBCR • Applications • Conclusions

  3. Software Model Checking • Improves reliability of software systems; • Often applied through • Translation of software systems to directly model-checkable formalisms; • Or abstraction first, then translation. • Requires Compositional Reasoning to check large-scale software systems.

  4. Compositional Reasoning • How it works • Decompose a system into components; • Verify component properties; • Derive system properties from component properties. • To support it, what need be done • Establish a compositional reasoning rule; • Prove the correctness of the rule; • Implement the rule.

  5. Problem to be addressed • How to support compositional reasoning in softwaremodel checking through translation?

  6. Problem Context • Software systems are often model checked through translation. • Formulation and reasoning of properties are more naturally accomplished in the software semantics. • Direct proof of compositional reasoning rules in software semantics is often difficult. • Rules have been established, proven, and implemented for widely used formal semantics.

  7. Agenda • Motivations • Translation-Based Compositional Reasoning • An Realization of TBCR • Applications • Conclusions

  8. (4) Prove the rule based on the mapping and proof of the corresponding rule in formal semantics (2) Map the rule to its corresponding rule in the formal semantics Semantics Translation Rule Establishment and Proof • Establish a compositional • reasoning rule Software Semantics Formal Semantics (3) Prove the corresponding rule or reuse existing proof

  9. Background: General Form of Rule • Premises • Verification of component properties; • Validation of circular dependencies; • Derivation of system properties from component properties. • Conclusion • System properties hold on the system.

  10. (4) Establishment of conclusion according to the proven rule. (2) Translation of the premises. Rule Implementation and Application • Formulation of premises for • applying the rule Software System Formal Representation (3) Discharge of the premises

  11. Agenda • Motivations • Translation-Based Compositional Reasoning • An Realization of TBCR • Applications • Conclusions

  12. AIM Semantics Semantics Translation -automaton Semantics Semantics Conformance Semantics Conformance xUML-to-S/R Translation xUML S/R xUML: An executable dialect of UML; S/R: Input language of COSPAN model checker. Translation Context

  13. Realization of TBCR • Rule Establishment • Rule Proof • Rule Implementation and Application

  14. AIM Semantics • Asynchronous Interleaving Message-passing • A system consists of a finite set of processes. • Processes execute asynchronously. • At any moment, only one process executes. • Interactions via asynchronous message-passing. • Systems, components, and properties are all specified as AIM processes.

  15. Definitions • Let P and Q be two AIM processes; • L(P), the language of P; • P implements Q, P |= Q, if L(P)  L(Q); • Language containment; • Basic model checking algorithm; • P // Q is a composition of P and Q; • CL(P) is the safety closure of P.

  16. Rule Establishment • Adapting existing rules in other semantics • Reuses previous efforts; • Devising new rules • Customizes to special semantics requirement.

  17. Conclusion Premises Rule AENT [Amla, Emerson, Namjoshi, and Trefler] • Has been adapted to AIM semantics. To show P1//P2 |= Q, find Q1 and Q2 that satisfy: C1: P1//Q2 |= Q1 and P2 //Q1 |= Q2 {Verifying component properties assuming properties of other components hold} C2: Q1//Q2 |= Q {Deriving system property from component properties} C3: Either P1//CL(Q) |= (Q + Q1 + Q2) Or P2//CL(Q) |= (Q + Q1 + Q2) {Validating circular dependencies among component properties}

  18. C1 C2 Eventually (A) Eventually (B) A = FALSE B = FALSE X X ? Eventually (A) and Eventually (B) Why validate circular dependenciesbetween component properties?

  19. Realization of TBCR • Rule Establishment • Rule Proof • Rule Implementation and Application

  20. Translation from AIM Semantics to -automaton semantics AIM Semantics I/O-automaton Semantics -automaton Semantics

  21. Preservation of Language Containment • L(A)  L(B) iff L(Trans(A))  L(Trans(B)); • Theorem 1: • Translation from AIM semantics to I/O-automaton semantics preserves language containment. • Theorem 2: • Translation from I/O-automaton semantic to -automaton semantics preserves language containment. • Theorem 3: • Translation from AIM Semantic to -automaton semantics preserves language containment.

  22. Proof via Semantics Translation • Proof sketch for Rule AENT: • Assume that C1, C2, and C3 hold; • By Theorem 3, -automatontranslations of C1, C2, C3 hold; • By -automaton counterpart of Rule AENT, -automatontranslation of P1//P2 |= Q holds; • By Theorem 3, P1//P2 |= Q holds.

  23. Realization of TBCR • Rule Establishment • Rule Proof • Rule Implementation and Application

  24. AIM Semantics Designer Property xUML Model Error Report S/R Query S/R Model Error Track -automaton Semantics Model Checking of xUML Model Property Specification Interface xUML IDE Error Visualizer xUML-to-S/R Translator Error Report Generator COSPAN Model Checker

  25. Application of Rule AENT • Given a system and a property in xUML: • On xUML level: • The system is decomposed; • Premises of Rule AENT are formulated. • Premises are translated into S/R. • On S/R level • Premises are discharged with COSPAN model checker. • On xUML level • Conclude that the property holds on the system if the premises are successfully discharged.

  26. Agenda • Motivations • Translation-Based Compositional Reasoning • Realization of TBCR • Applications • Conclusions

  27. Two Major Applications • Integrated state space reduction framework • Verification of component-based systems

  28. Verification of Component-based Systems • Temporal properties are specified, verified, and packaged with components. • Larger components are composed incrementally. • Component reuse considers component properties. • Verification of a property of a composed component • Reuses verified properties of its sub-components; • Follows abstraction-refinement paradigm; • Is based on compositional reasoning.

  29. Case Study: TinyOS [Hill, et. al, `00] • A run-time system for network sensors from UC Berkeley; • Component-based • Different requirements of sensors; • Physical limitations of sensors; • High reliability required • Concurrency-intensive operations; • Installation to many sensors.

  30. AIM Process Input message Type Component Boundary Output message Type Sensor Component

  31. Properties of Sensor Component • Property Q1 (Output repeatedly): Repeatedly (Output); • Property Q2 (Output handshake correctly handled): After (Output) Never (Output) UntilAfter (OP_Ack); After (Done) Eventually (Done_Ack); Never (Done_Ack) UntilAfter (Done); After (Done_Ack) Never (Done_Ack) UntilAfter(Done);

  32. Network Component

  33. Properties of Network Component • Property Q3 (Transmit repeatedly if input repeatedly): IfRepeatedly (Data) Repeatedly (RFM.Pending); IfRepeatedly (Data) Repeatedly (Not RFM.Pending); • Property Q4 (Input handshake correctly handled): After (Data) Eventually (Data_Ack); Never (Data_Ack) UntilAfter (Data); After (Data_Ack) Never (Data_Ack) UntilAfter (Data); After (Sent) Never (Sent) UntilAfter (Sent_Ack);

  34. Verification of Primitive Components • Q1 and Q2 were verified on the Sensor component assuming Q4. • Q3 and Q4 were verified on the Network component assuming Q2. Discharge of Premise C1 of Rule AENT.

  35. Sensor-to-Network (SN) Component Property Q (Transmit repeatedly): Repeatedly (RFM.Pending); Repeatedly (Not RFM.Pending);

  36. Verification of Q on SN • Q is checked on an abstraction of SN. • The abstraction consists of sub-component properties that are • Enabled (whose assumptions hold); • Not involved in invalid circular dependencies. • Q1, Q2, Q3, and Q4 are not included due to circular dependencies between Q2 and Q4.

  37. Verification of Q on SN (cont.) • Circular dependency between Q2 and Q4 is validated. (Discharge of Premise C3 of Rule AENT. ) • The abstraction is refined by including Q1 and Q3. • Q is verified on the refined abstraction. (Discharge of Premise C2 of Rule AENT.) Conclusion: Q holds on Sensor-to-Network.

  38. Agenda • Motivations • Translation-Based Compositional Reasoning • Realization of TBCR • Applications • Conclusions

  39. Conclusions • Translation-Based Compositional Reasoning • Simple and effective; • Suitable for compositional reasoning in software model checking through translation; • Simplifies proof of compositional reasoning rules; • Reuses existing compositional reasoning rules.

More Related