CSL Technical Report September Formal Verication of McMillans Compositional AssumeGuarantee - PDF document

494 views
Uploaded On 2015-02-20

CSL Technical Report September Formal Verication of McMillans Compositional AssumeGuarantee - PPT Presentation

Computer Science Laboratory 333 Ravenswood Ave Menlo Park CA 94025 650 3266200 Facsimile 650 8592844 brPage 3br Abstract To illustrate some of the power and convenience of its speci64257cation language and the orem prover we use the PVS formal veri6 ID: 36734

Computer Science Laboratory 333

Link:

Copy

Embed:

<iframe width="560" height="315" src="https://www.docslides.com/embed/36734" frameborder="0" allowfullscreen></iframe>

Download Presentation from below link

Download Pdf The PPT/PDF document "CSL Technical Report September Formal V..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentation Transcript

AbstractToillustratesomeofthepowerandconvenienceofitsspecicationlanguageandthe-oremprover,weusethePVSformalvericationsystemtoverifythesoundnessofaproofruleforassume-guaranteereasoningduetoKenMcMillan. i ii Contents Contents 1 1Introduction 3 2FormalizationandVericationinPVS 7 Bibliography 13 1 Chapter1IntroductionThekeyideainassume-guaranteereasoning,rstintroducedbyChandyandMisra[ MC81 ]andJones[ Jon83 ],isthatweshowthatcomponentX1guaranteescertainpropertiesP1ontheassumptionthatcomponentX2deliverscertainpropertiesP2,andviceversaforX2,andthenclaimthatthecompositionofX1andX2(i.e.,bothrunningandinteractingtogether)guaranteesP1andP2unconditionally.Wecanexpressthisideasymbolicallyintermsofthefollowingputativeproofrule. hP2iX1hP1ihP1iX2hP2i htrueiX1jjX2hP1^P2iHere,X1jjX2denotesthecompositionofX1andX2andformulaslikehpiXhqiassertthatifXispartofasystemthatsatisesp(i.e.,pistrueofallbehaviorsofthecompositesystem),thenthesystemmustalsosatisfyq(i.e.,Xassumespandguaranteesq).RulessuchasthisarecalledcompositionalbecausewereasonaboutX1andX2separately(inthehypothesesabovetheline)anddeducepropertiesaboutX1jjX2(intheconclusionbelowtheline)withouthavingtoreasonaboutthecomposedsystemdirectly.Theproblemwithsuchproofrulesisthattheyarecircular(X1dependsonX2andviceversa)andpotentiallyunsound.Infact,theunsoundnessismorethanpotential,itisreal:forexample,letP1beeven-tuallyx=1,letP2beeventuallyy=1,letX1bewaituntily=1,thensetxto1,andletX2bewaituntilx=1,thensetyto1,wherebothxandyareinitially0.Thenthehypothesestotherulearetrue,buttheconclusionisnot:X1andX2canforeverwaitfortheothertomaketherstmove.Thereareseveralmodiedassume-guaranteeproofrulesthataresound.Differentrulesmaybecomparedaccordingtothekindsofsystemmodelsandspecicationtheysupport,theextenttowhichtheylendthemselvestomechanizedanalysis,andtheextenttowhichtheyarepreservedunderrenement(i.e.,thecircumstancesunderwhichX1canbereplacedbyanimplementationthatmaydomorethanX1).Earlyworkconsideredmanydifferent 3 NoticethatpqcanbewrittenastheLTLformula:(pU:q),whereUistheLTLuntiloperator. 1 ThismeansthattheantecedentformulascanbeestablishedbyLTLmodelcheckingifthetransitionrelationsforX1andX2arenite.Theproofrule 1.1 hasthecharacteristicswerequire,butwhatexactlydoesitmean,andisitsound?Thesequestioncanberesolvedonlybygivingasemanticstothesymbolsandformulasusedintherule.McMillan'spresentationoftheruleonlysketchestheargumentforitssoundness;amoreformaltreatmentisgivenbyNamjoshiandTreer[ NT00 ],butitisnoteasyreadinganddoesnotconveythebasicintuition.Accordingly,wepresentinthenextChapteraformalizationandvericationofMcMil-lan'sruleusingPVS.ThedevelopmentissurprisinglyshortandsimpleandshouldbecleartoanyonewithknowledgeofPVS. 1ThesubexpressionpU:qholdsifqeventuallybecomesfalse,andpwastrueateveryprecedingpoint;thisistheexactoppositeofwhatwewant,hencetheouternegation. 5 6 Chapter2FormalizationandVericationinPVSWebeginwithaPVSdatatypethatdenesthebasiclanguageofLTL(tobeinterpretedoverastatetypestate). pathformula[state:TYPE]:DATATYPEBEGINHolds(state_formula:pred[state]):Holds?U(arg1:pathformula,arg2:pathformula):U?X(arg:pathformula):X?(arg:pathformula):NOT?\/(arg1:pathformula,arg2:pathformula):OR?ENDpathformula Here,UandXrepresenttheuntilandnextmodalitiesofLTL,respectively,andand\/representnegationanddisjunction,respectively.Holdsrepresentsapplicationofastate(asopposedtoapath)formula.Thesemanticsofthelanguagedenedbypathformulaaregivenbythefunction|=denedinthetheorypaths.LTLformulasareinterpretedoversequencesofstates(thus,anLTLformulaspeciesasetofsuchsequences).Thedenitions|=P 1 (ssatisesP)recursivelydecomposesthepathformulaPbycasesanddetermineswhetheritissatisedbythesequencesofstates. 1PVSinxoperatorssuchas|=mustappearinprexformwhentheyaredened. 7 ofaprogram(i.e.,itrepresentsapossiblesequenceofthestatesastheprogramexecutes)ifeachpairofadjacentstatesinthesequenceisconsistentwiththetransitionrelation.Thesenotionsarespeciedinthetheoryassume guarantee,whichisparameterizedbyastatetypeandatransitionrelationNoverthattype. assume_guarantee[state:TYPE,N:pred[[state,state]]]:THEORYBEGINIMPORTINGpaths[state]i,j:VARnats:VARsequence[state]path:TYPE=fs|FORALLi:N(s(i),s(i+1))gp:VARpathJUDGEMENTsuffix(p,i)HAS_TYPEpath Akeyproperty,expressedasaPVSjudgement(i.e.,alemmathatcanbeappliedbythetypechecker)isthateverysufxtoapathofNisalsoapathofN.Theproofobligationthatjustiesthisjudgementisprovedautomatically.Next,wespecifywhatitmeansforapathformulaPtobevalidforN(thisnotionisnotusedinthisdevelopment,butitisimportantinothers). 2 Wethenstateausefullemmaand lem.Itisprovedby(GRIND). H,P,Q:VARpathformulavalid(P):bool=FORALLp:p|=Pand_lem:LEMMA(p|=(P&Q))=((p|=P)AND(p|=Q)) Next,wedenethefunctionag(P,Q)thatgivesaprecisemeaningtotheinformalnotation&#xP000;N&#xQ000;usedearlier(again,theNisimplicitasitisatheoryparameter). ag(P,Q):bool=FORALLp:(p|=P)IMPLIES(p|=Q) Twokeylemmasarethenstatedandproved. agr_box_lem:LEMMAag(H,[]Q)=FORALLp,i:(p|=H)IMPLIES(suffix(p,i)|=Q)constrains_lem:LEMMAag(H,P�|Q)=FORALLp,i:(p|=H)AND(FORALL(j:below(i)):suffix(p,j)|=P)IMPLIES(suffix(p,i)|=Q)ENDassume_guarantee 2NotethatNisimplicitasitisaparametertothetheory;thisisnecessaryfortheJUDGEMENT,whichwouldotherwiseneedtocontainNasafreevariable(whichisnotallowedinthecurrentversionofPVS). 9 Therstlemmaallowsthealways([])modalitytoberemovedfromtheconclusionofanassume-guaranteeassertion,whilethesecondlemmaallowseliminationoftheconstrains(�|)modality.Bothoftheseareprovedby(GRIND:IF-MATCHALL).Finally,wecanspecifycompositionandMcMillan'sruleforcompositionalassume-guaranteereasoning. composition[state:TYPE]:THEORYBEGINN,N1,N2:VARPRED[[state,state]]//(N1,N2)(s,t:state):bool=N1(s,t)ANDN2(s,t)IMPORTINGassume-guaranteei,j:VARnatH,P,Q:VARpathformula[state]kens_thm:THEOREMag[state,N1](H,P�|Q)ANDag[state,N2](H,Q�|P)IMPLIESag[state,N1//N2](H,[](P&Q))ENDcomposition Here,//isaninxoperatorthatrepresentscompositionofprograms,denedastheconjunctionoftheirtransitionrelations.Then,kens thmisadirecttransliterationintoPVSoftheproofrule 1.1 onpage 4 .ThePVSproofofthistheoremissurprisinglyshort:itbasicallyusesthelemmastoexposeandindexintothepaths,andthenperformsastronginductiononthatindex. (SKOSIMP)(APPLY(REPEAT(THEN(REWRITE"agr_box_lem")(REWRITE"constrains_lem"))))(INDUCT"i":NAME"NAT_induction")(SKOSIMP*:PREDS?T)(REWRITE"and_lem[state,N1!1//N2!1]")(GROUND)(("1"(APPLY(THEN(INST-6"p!1""j!1")(LAZY-GRIND))))("2"(APPLY(THEN(INST-5"p!1""j!1")(LAZY-GRIND))))) Ourrstattempttoformalizethisapproachtoassume-guaranteereasoningwaslong,andtheproofswerealsolonganddifcult.Othergroupshaveapparentlyinvestedmonthsofworkinasimilarendeavorwithoutsuccess.ThatthenaltreatmentinPVSissostraight-forwardistestamenttotheexpressivenessofthePVSlanguage(e.g.,itsabilitytodeneLTLinafewdozenlines)andthepowerandintegrationofitsprover(e.g.,thepredicate 10 subtypepathanditsassociatedJUDGEMENT,whichautomaticallydischargesnumeroussideconditionsduringtheproof).AlthoughwehaveprovedMcMillan'sassume-guaranteemethodtobesound,itisknowntobeincomplete(i.e.,therearecorrectsystemsthatcannotbeveriedusingtherule 1.1 ).NamjoshiandTreer[ NT00 ]presentanextendedrulethatisbothsoundandcomplete,anditwouldbeinterestingtoextendourPVSvericationtothisrule.Anotherextensionwouldexpandtheformaltreatmentfromthetwo-processtothen-processcase(thisisatechnicalchallengeinformalverication,ratherthananactivitythatwouldyieldadditionalinsight).Finally,itwillbeusefultoinvestigatepracticalapplicationoftheapproachpresentedhere.Onepossibleapplicationistothemutualinterdependenceofmembershipandsyn-chronizationinTTA:eachoftheseisveriedonthebasisofassumptionsabouttheother.AcknowledgmentThePVSformalizationofLTLwasperformedbyCarstenSch¨urmann.ThePVSformal-izationandproofof 1.1 wasacollaborativeeffortwithJonathanFord,SamOwre,HaraldRueß,andN.Shankar. 11 12 Bibliography [Jon83] C.B.Jones.Tentativestepstowardadevelopmentmethodforinterferingpro-grams.ACMTOPLAS,5(4):596619,1983. 3 [KG94] HermannKopetzandG¨unterGr¨unsteidl.TTPaprotocolforfault-tolerantreal-timesystems.IEEEComputer,27(1):1423,January1994. 4 [MC81] JayadevMisraandK.ManiChandy.Proofsofnetworksofprocesses.IEEETransactionsonSoftwareEngineering,7(4):417426,July1981. 3 [McM99] K.L.McMillan.Circularcompositionalreasoningaboutliveness.InLaurencePierreandThomasKropf,editors,AdvancesinHardwareDesignandVeri-cation:IFIPWG10.5InternationalConferenceonCorrectHardwareDesignandVericationMethods(CHARME'99),volume1703ofLectureNotesinComputerScience,pages342345,BadHerrenalb,Germany,September1999.Springer-Verlag. 4 [NT00] KedarS.NamjoshiandRichardJ.Treer.Onthecompletenessofcomposi-tionalreasoning.InE.A.EmersonandA.P.Sistla,editors,Computer-AidedVerication,CAV'2000,volume1855ofLectureNotesinComputerScience,pages139153,Chicago,IL,July2000.Springer-Verlag. 5 , 11 [TTT01] Time-TriggeredTechnologyTTTechComputertechnikAG,Vienna,Austria.SpecicationoftheTTP/CProtocol(version0.6p0504),May2001. 4 13