DimitraFMschoolMay2011 - Automating Compositional Verification

Automating Compositional Verification
Dimitra Giannakopoulou, NASA Ames
collaborators
- Corina Păsăreanu (CMU / NASA Ames)
- and talented students / visitors: Howard Barringer (Univ. of Manchester), Colin Blundell (UPenn), Jamieson Cobleigh (UMass, now MathWorks), Michael Emmi (UCLA), Mihaela Gheorghiu (Univ. of Toronto), Chang-Seo Park (UC Berkeley), Suzette Person (Univ. of Nebraska), Rishabh Singh (MIT)

state-explosion problem
compositional verification
Does the system made up of M1 and M2 satisfy property P? Checking P on the entire system: too many states! Use the system's natural decomposition into components to break up the verification task, and check components in isolation: does M1 satisfy P? (figure: M1, M2, and an assumption A)

"when we try to pick out anything by itself, we find it hitched to everything else in the universe" - John Muir
assume-guarantee reasoning
Introduces assumptions and reasons about triples: ⟨A⟩ M ⟨P⟩ is true if, whenever M is part of a system that satisfies A, then the system must also guarantee P.
Simplest assume-guarantee rule (A_SYM):
  1. ⟨A⟩ M1 ⟨P⟩
  2. ⟨true⟩ M2 ⟨A⟩
  ------------------------
     ⟨true⟩ M1 || M2 ⟨P⟩
Premise 2 "discharges" the assumption. How do we come up with the assumption?

the weakest assumption [ASE 2002]
- given component M, property P, and the interface of M with its environment, generate the weakest environment assumption WA such that ⟨WA⟩ M ⟨P⟩ holds
- weakest means that for all environments E: ⟨true⟩ M || E ⟨P⟩ IFF ⟨true⟩ E ⟨WA⟩
weakest assumption in AG reasoning
For all E, ⟨true⟩ M || E ⟨P⟩ IFF ⟨true⟩ E ⟨WA⟩, so ⟨true⟩ M1 || M2 ⟨P⟩ IFF ⟨true⟩ M2 ⟨WA⟩. In other words:
- ⟨true⟩ M2 ⟨WA⟩ holds implies ⟨true⟩ M1 || M2 ⟨P⟩ holds
- ⟨true⟩ M2 ⟨WA⟩ does not hold implies ⟨true⟩ M1 || M2 ⟨P⟩ does not hold
With A = WA in rule A_SYM (1. ⟨A⟩ M1 ⟨P⟩, 2. ⟨true⟩ M2 ⟨A⟩, hence ⟨true⟩ M1 || M2 ⟨P⟩), the weakest assumption makes the rule complete.

formalisms
- components modeled as finite state machines (FSM)
  - FSMs assembled with the parallel composition operator "||": synchronizes shared actions, interleaves remaining actions
- a safety property P is an FSM
  - P describes all legal behaviors in terms of its alphabet
  - P_err is the complement of P: determinize and complete P with an "error" state; bad behaviors lead to error
  - component M satisfies P iff the error state is unreachable in (M || P_err)
- assume-guarantee reasoning
  - assumptions and guarantees are FSMs
  - ⟨A⟩ M ⟨P⟩ holds iff the error state is unreachable in (A || M || P_err)
example
Two components: Input (alphabet: in, send, ack) and Output (alphabet: out, send, ack). Require in and out to alternate (property Order, over the alphabet in, out). Order_err adds the error state for the illegal orderings. (figure: the Input, Output, Order and Order_err machines)

parallel composition
Input (in, send, ack) || Output (out, send, ack) (figure: the composed machine)
property satisfaction
Check Input (states 0, 1, 2) || Order_err (states 0, 1, error). Two counterexamples:
- crex. 1: (I0, O0) -out-> (I0, O_error)
- crex. 2: (I0, O0) -in-> (I1, O1) -send-> (I2, O1) -out-> (I2, O0) -out-> (I2, O_error)

assume-guarantee reasoning (figure: the assumption composed with the component via ||)
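As an added, self-contained illustration of the formalisms slide and the Input/Order example above (this is example code written for this page, not code from the talk or from any of the authors' tools): FSMs with parallel composition built on the fly, completion of a property into P_err, a breadth-first reachability check for the error state, and rule A_SYM applied to Input and Output. Input's in and send transitions are read off the slide's second counterexample; its ack transition back to state 0, Output's transition structure and the candidate assumption A (over the interface send, out, ack) are assumptions made for this example.

```python
from collections import deque
from itertools import product

ERR = "error"  # distinguished state added when a property is completed into P_err


class FSM:
    """Finite state machine with labelled (source, action, target) transitions."""

    def __init__(self, name, alphabet, transitions, init=0):
        self.name, self.alphabet, self.init = name, frozenset(alphabet), init
        self.trans, self.states = {}, {init}
        for src, act, dst in transitions:
            assert act in self.alphabet, f"{name}: {act!r} not in alphabet"
            self.trans.setdefault((src, act), set()).add(dst)
            self.states.update((src, dst))

    def step(self, state, action):
        """Successors on `action`; an action outside the alphabet is not observed,
        so the machine idles (this is what gives interleaving in ||)."""
        if action not in self.alphabet:
            return {state}
        return self.trans.get((state, action), set())


def make_err(prop):
    """P_err: complete the property so every behaviour it does not allow goes to ERR.
    The slide also determinizes first; this helper assumes `prop` is deterministic."""
    trans = [(s, a, t) for (s, a), ts in prop.trans.items() for t in ts]
    trans += [(s, a, ERR) for s in prop.states for a in prop.alphabet
              if (s, a) not in prop.trans]
    return FSM(prop.name + "_err", prop.alphabet, trans, prop.init)


def successors(machines, state, action):
    """Global successors: every machine with `action` in its alphabet must take it
    (synchronisation on shared actions); the others stay put."""
    parts = [m.step(s, action) for m, s in zip(machines, state)]
    return [] if any(not p for p in parts) else list(product(*parts))


def error_trace(machines):
    """BFS over M1 || ... || Mn built on the fly; returns the shortest action
    sequence reaching a global state with some component in ERR, else None."""
    alphabet = sorted(set().union(*(m.alphabet for m in machines)))
    init = tuple(m.init for m in machines)
    parent, queue = {init: None}, deque([init])
    while queue:
        cur = queue.popleft()
        if ERR in cur:
            trace = []
            while parent[cur] is not None:  # walk parent pointers back to init
                cur, act = parent[cur]
                trace.append(act)
            return trace[::-1]
        for act in alphabet:
            for nxt in successors(machines, cur, act):
                if nxt not in parent:
                    parent[nxt] = (cur, act)
                    queue.append(nxt)
    return None


def replay(machines, trace):
    """Drive the composition along a given action sequence and return the global
    states visited (deterministic machines), or None if some step is not enabled."""
    states = [tuple(m.init for m in machines)]
    for act in trace:
        nxt = successors(machines, states[-1], act)
        if len(nxt) != 1:
            return None
        states.append(nxt[0])
    return states


def holds(assumption, components, prop):
    """<A> M <P> holds iff ERR is unreachable in A || M || P_err (None stands for <true>)."""
    machines = ([] if assumption is None else [assumption]) + list(components)
    return error_trace(machines + [make_err(prop)]) is None


def rule_asym(a, m1, m2, p):
    """Rule A_SYM: premises <A> M1 <P> and <true> M2 <A> justify <true> M1 || M2 <P>."""
    return holds(a, [m1], p) and holds(None, [m2], a)


# The Input / Output / Order example. Input's ack step back to state 0, Output's
# structure and the candidate assumption A are assumptions made for this example.
Input = FSM("Input", {"in", "send", "ack"}, [(0, "in", 1), (1, "send", 2), (2, "ack", 0)])
Output = FSM("Output", {"out", "send", "ack"}, [(0, "send", 1), (1, "out", 2), (2, "ack", 0)])
Order = FSM("Order", {"in", "out"}, [(0, "in", 1), (1, "out", 0)])  # in and out alternate
A = FSM("A", {"send", "out", "ack"}, [(0, "send", 1), (1, "out", 2), (2, "ack", 0)])

if __name__ == "__main__":
    print("Input alone, shortest counterexample:", error_trace([Input, make_err(Order)]))
    print("slide's crex. 2 replayed:", replay([Input, make_err(Order)], ["in", "send", "out", "out"]))
    print("A_SYM premises and conclusion:", holds(A, [Input], Order), holds(None, [Output], A),
          rule_asym(A, Input, Output, Order))
    print("monolithic check of Input || Output:", holds(None, [Input, Output], Order))
```

Run stand-alone, the script reproduces the slide's crex. 1 (`['out']`) as the shortest counterexample for Input alone, replays crex. 2 through the states (I0,O0), (I1,O1), (I2,O1), (I2,O0), (I2,error), and shows both premises of A_SYM holding for the assumed A, so the conclusion ⟨true⟩ Input || Output ⟨Order⟩ follows without building the full product; the last line checks the same conclusion monolithically for comparison.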
This note was uploaded on 02/07/2012 for the course CS 4322 taught by Professor Martin Rinard during the Spring '11 term at MIT.