Translation-Based Compositional
Reasoning for Software Systems
Fei Xie and James C. Browne
Robert P. Kurshan
Cadence Design Systems
Agenda
•
•
•
•
•
Motivations
Translation-Based Compositional Reasoning
An Realization of TBCR
Applications
Conclusions
2
Software Model Checking
• Improves reliability of software systems;
• Often applied through
– Translation of software systems to directly
model-checkable formalisms;
– Or abstraction first, then translation.
• Requires Compositional Reasoning to check
large-scale software systems.
3
Compositional Reasoning
• How it works
– Decompose a system into components;
– Verify component properties;
– Derive system properties from component properties.
• To support it, what need be done
– Establish a compositional reasoning rule;
– Prove the correctness of the rule;
– Implement the rule.
4
Problem to be addressed
• How to support compositional reasoning in
software model checking through translation?
5
Problem Context
• Software systems are often model checked
through translation.
• Formulation and reasoning of properties are more
naturally accomplished in the software semantics.
• Direct proof of compositional reasoning rules in
software semantics is often difficult.
• Rules have been established, proven, and
implemented for widely used formal semantics.
6
Agenda
•
•
•
•
•
Motivations
Translation-Based Compositional Reasoning
An Realization of TBCR
Applications
Conclusions
7
Rule Establishment and Proof
(1) Establish a compositional
reasoning rule
Software Semantics
(2)
Map the rule to
its corresponding
rule in the formal
semantics
Semantics Translation
(4)
Prove the rule based on
the mapping and proof
of the corresponding
rule in formal semantics
Formal Semantics
(3) Prove the corresponding
rule or reuse existing proof
8
Background: General Form of Rule
• Premises
– Verification of component properties;
– Validation of circular dependencies;
– Derivation of system properties from component
properties.
• Conclusion
– System properties hold on the system.
9
Rule Implementation and Application
(1) Formulation of premises for
applying the rule
Software System
(4)
Establishment
of conclusion
according to
the proven rule.
(2)
Translation of
the premises.
Formal Representation
(3) Discharge of the premises
10
Agenda
•
•
•
•
•
Motivations
Translation-Based Compositional Reasoning
An Realization of TBCR
Applications
Conclusions
11
Translation Context
AIM
Semantics
Semantics Translation
Semantics
Conformance
xUML
-automaton
Semantics
Semantics
Conformance
xUML-to-S/R Translation
S/R
xUML: An executable dialect of UML;
S/R: Input language of COSPAN model checker.
12
Realization of TBCR
• Rule Establishment
• Rule Proof
• Rule Implementation and Application
13
AIM Semantics
• Asynchronous Interleaving Message-passing
–
–
–
–
A system consists of a finite set of processes.
Processes execute asynchronously.
At any moment, only one process executes.
Interactions via asynchronous message-passing.
• Systems, components, and properties are all
specified as AIM processes.
14
Definitions
• Let P and Q be two AIM processes;
• L(P), the language of P;
• P implements Q, P |= Q, if L(P)  L(Q);
– Language containment;
– Basic model checking algorithm;
• P // Q is a composition of P and Q;
• CL(P) is the safety closure of P.
15
Rule Establishment
• Adapting existing rules in other semantics
– Reuses previous efforts;
• Devising new rules
– Customizes to special semantics requirement.
16
Rule AENT
[Amla, Emerson, Namjoshi, and Trefler]
• Has been adapted to AIM semantics.
To show P1//P2 |= Q, find Q1 and Q2 that satisfy:
Conclusion
C1: P1//Q2 |= Q1 and P2 //Q1 |= Q2
{Verifying component properties assuming properties of other
components hold}
C2: Q1//Q2 |= Q
{Deriving system property from component properties}
C3: Either P1//CL(Q) |= (Q + Q1 + Q2)
Or
P2//CL(Q) |= (Q + Q1 + Q2)
{Validating circular dependencies among component properties}
Premises
17
Why validate circular dependencies
between component properties?
C1
C2
Eventually (A)
Eventually (B)
X
?
X
A = FALSE
B = FALSE
Eventually (A) and Eventually (B)
18
Realization of TBCR
• Rule Establishment
• Rule Proof
• Rule Implementation and Application
19
Translation from AIM Semantics to
-automaton semantics
AIM Semantics
I/O-automaton Semantics
-automaton Semantics
20
Preservation of Language Containment
• L(A)  L(B) iff L(Trans(A))  L(Trans(B));
• Theorem 1:
– Translation from AIM semantics to I/O-automaton
semantics preserves language containment.
• Theorem 2:
– Translation from I/O-automaton semantic to -automaton
semantics preserves language containment.
• Theorem 3:
– Translation from AIM Semantic to -automaton
semantics preserves language containment.
21
Proof via Semantics Translation
• Proof sketch for Rule AENT:
– Assume that C1, C2, and C3 hold;
– By Theorem 3, -automaton translations of
C1, C2, C3 hold;
– By -automaton counterpart of Rule AENT,
-automaton translation of P1//P2 |= Q holds;
– By Theorem 3, P1//P2 |= Q holds.
22
Realization of TBCR
• Rule Establishment
• Rule Proof
• Rule Implementation and Application
23
Model Checking of xUML Model
Designer
AIM
Semantics
Property Specification Interface
xUML IDE
Error Visualizer
Property
xUML Model
Error Report
xUML-to-S/R Translator
S/R Query
-automaton
Semantics
S/R Model
Error Report Generator
Error Track
COSPAN Model Checker
24
Application of Rule AENT
• Given a system and a property in xUML:
• On xUML level:
– The system is decomposed;
– Premises of Rule AENT are formulated.
• Premises are translated into S/R.
• On S/R level
– Premises are discharged with COSPAN model checker.
• On xUML level
– Conclude that the property holds on the system if the
premises are successfully discharged.
25
Agenda
•
•
•
•
•
Motivations
Translation-Based Compositional Reasoning
Realization of TBCR
Applications
Conclusions
26
Two Major Applications
• Integrated state space reduction framework
• Verification of component-based systems
27
Verification of Component-based
Systems
• Temporal properties are specified, verified, and
packaged with components.
• Larger components are composed incrementally.
• Component reuse considers component properties.
• Verification of a property of a composed component
– Reuses verified properties of its sub-components;
– Follows abstraction-refinement paradigm;
– Is based on compositional reasoning.
28
Case Study: TinyOS [Hill, et. al, `00]
• A run-time system for network sensors from
UC Berkeley;
• Component-based
– Different requirements of sensors;
– Physical limitations of sensors;
• High reliability required
– Concurrency-intensive operations;
– Installation to many sensors.
29
Sensor Component
AIM
Process
Input message
Type
Component
Boundary
Output message
Type
30
Properties of Sensor Component
• Property Q1 (Output repeatedly):
Repeatedly (Output);
• Property Q2 (Output handshake correctly handled):
After (Output) Never (Output) UntilAfter (OP_Ack);
After (Done) Eventually (Done_Ack);
Never (Done_Ack) UntilAfter (Done);
After (Done_Ack) Never (Done_Ack) UntilAfter(Done);
31
Network Component
32
Properties of Network Component
• Property Q3 (Transmit repeatedly if input
repeatedly):
IfRepeatedly (Data) Repeatedly (RFM.Pending);
IfRepeatedly (Data) Repeatedly (Not RFM.Pending);
• Property Q4 (Input handshake correctly handled):
After (Data) Eventually (Data_Ack);
Never (Data_Ack) UntilAfter (Data);
After (Data_Ack) Never (Data_Ack) UntilAfter (Data);
After (Sent) Never (Sent) UntilAfter (Sent_Ack);
33
Verification of Primitive Components
• Q1 and Q2 were verified on the Sensor
component assuming Q4.
• Q3 and Q4 were verified on the Network
component assuming Q2.
Discharge of Premise C1 of Rule AENT.
34
Sensor-to-Network (SN) Component
Property Q (Transmit repeatedly):
Repeatedly (RFM.Pending); Repeatedly (Not RFM.Pending);
35
Verification of Q on SN
• Q is checked on an abstraction of SN.
• The abstraction consists of sub-component
properties that are
– Enabled (whose assumptions hold);
– Not involved in invalid circular dependencies.
• Q1, Q2, Q3, and Q4 are not included due to
circular dependencies between Q2 and Q4.
36
Verification of Q on SN (cont.)
• Circular dependency between Q2 and Q4 is
validated.
(Discharge of Premise C3 of Rule AENT. )
• The abstraction is refined by including Q1 and Q3.
• Q is verified on the refined abstraction.
(Discharge of Premise C2 of Rule AENT.)
Conclusion: Q holds on Sensor-to-Network.
37
Agenda
•
•
•
•
•
Motivations
Translation-Based Compositional Reasoning
Realization of TBCR
Applications
Conclusions
38
Conclusions
• Translation-Based Compositional Reasoning
– Simple and effective;
– Suitable for compositional reasoning in software
model checking through translation;
– Simplifies proof of compositional reasoning rules;
– Reuses existing compositional reasoning rules.
39