TranslationBased Compositional Reasoning for Software Systems

1
Translation-Based Compositional Reasoning for
Software Systems

• Fei Xie and James C. Browne

Robert P. Kurshan
2
Agenda

• Motivations
• Translation-Based Compositional Reasoning
• An Realization of TBCR
• Applications
• Conclusions

3
Software Model Checking

• Improves reliability of software systems
• Often applied through
• Translation of software systems to directly
  model-checkable formalisms
• Or abstraction first, then translation.
• Requires Compositional Reasoning to check
  large-scale software systems.

4
Compositional Reasoning

• How it works
• Decompose a system into components
• Verify component properties
• Derive system properties from component
  properties.
• To support it, what need be done
• Establish a compositional reasoning rule
• Prove the correctness of the rule
• Implement the rule.

5
Problem to be addressed

• How to support compositional reasoning in
  software model checking through translation?

6
Problem Context

• Software systems are often model checked through
  translation.
• Formulation and reasoning of properties are more
  naturally accomplished in the software semantics.
• Direct proof of compositional reasoning rules in
  software semantics is often difficult.
• Rules have been established, proven, and
  implemented for widely used formal semantics.

7
Agenda

• Motivations
• Translation-Based Compositional Reasoning
• An Realization of TBCR
• Applications
• Conclusions

8
Rule Establishment and Proof

• Establish a compositional
• reasoning rule

Software Semantics
Formal Semantics
(3) Prove the corresponding rule or
reuse existing proof
9
Background General Form of Rule

• Premises
• Verification of component properties
• Validation of circular dependencies
• Derivation of system properties from component
  properties.
• Conclusion
• System properties hold on the system.

10
Rule Implementation and Application

• Formulation of premises for
• applying the rule

Software System
Formal Representation
(3) Discharge of the premises
11
Agenda

• Motivations
• Translation-Based Compositional Reasoning
• An Realization of TBCR
• Applications
• Conclusions

12
Translation Context
13
Realization of TBCR

• Rule Establishment
• Rule Proof
• Rule Implementation and Application

14
AIM Semantics

• Asynchronous Interleaving Message-passing
• A system consists of a finite set of processes.
• Processes execute asynchronously.
• At any moment, only one process executes.
• Interactions via asynchronous message-passing.
• Systems, components, and properties are all
  specified as AIM processes.

15
Definitions

• Let P and Q be two AIM processes
• L(P), the language of P
• P implements Q, P Q, if L(P) ? L(Q)
• Language containment
• Basic model checking algorithm
• P // Q is a composition of P and Q
• CL(P) is the safety closure of P.

16
Rule Establishment

• Adapting existing rules in other semantics
• Reuses previous efforts
• Devising new rules
• Customizes to special semantics requirement.

17
Rule AENT Amla, Emerson, Namjoshi, and
Trefler

• Has been adapted to AIM semantics.
• To show P1//P2 Q, find Q1 and Q2 that
  satisfy
• C1 P1//Q2 Q1 and P2 //Q1 Q2
• Verifying component properties assuming
  properties of other components hold
• C2 Q1//Q2 Q
• Deriving system property from component
  properties
• C3 Either P1//CL(Q) (Q Q1 Q2) Or
  P2//CL(Q) (Q Q1 Q2)
• Validating circular dependencies among component
  properties

18
Why validate circular dependenciesbetween
component properties?
19
Realization of TBCR

• Rule Establishment
• Rule Proof
• Rule Implementation and Application

20
Translation from AIM Semantics to ?-automaton
semantics
AIM Semantics
I/O-automaton Semantics
?-automaton Semantics
21
Preservation of Language Containment

• L(A) ? L(B) iff L(Trans(A)) ? L(Trans(B))
• Theorem 1
• Translation from AIM semantics to I/O-automaton
  semantics preserves language containment.
• Theorem 2
• Translation from I/O-automaton semantic to
  ?-automaton semantics preserves language
  containment.
• Theorem 3
• Translation from AIM Semantic to ?-automaton
  semantics preserves language containment.

22
Proof via Semantics Translation

• Proof sketch for Rule AENT
• Assume that C1, C2, and C3 hold
• By Theorem 3, ?-automaton translations of C1,
  C2, C3 hold
• By ?-automaton counterpart of Rule AENT,
  ?-automaton translation of P1//P2 Q holds
• By Theorem 3, P1//P2 Q holds.

23
Realization of TBCR

• Rule Establishment
• Rule Proof
• Rule Implementation and Application

24
Model Checking of xUML Model
Property Specification Interface
xUML IDE
Error Visualizer
xUML-to-S/R Translator
Error Report Generator
COSPAN Model Checker
25
Application of Rule AENT

• Given a system and a property in xUML
• On xUML level
• The system is decomposed
• Premises of Rule AENT are formulated.
• Premises are translated into S/R.
• On S/R level
• Premises are discharged with COSPAN model
  checker.
• On xUML level
• Conclude that the property holds on the system if
  the premises are successfully discharged.

26
Agenda

• Motivations
• Translation-Based Compositional Reasoning
• Realization of TBCR
• Applications
• Conclusions

27
Two Major Applications

• Integrated state space reduction framework
• Verification of component-based systems

28
Verification of Component-based Systems

• Temporal properties are specified, verified, and
  packaged with components.
• Larger components are composed incrementally.
• Component reuse considers component properties.
• Verification of a property of a composed
  component
• Reuses verified properties of its sub-components
  
• Follows abstraction-refinement paradigm
• Is based on compositional reasoning.

29
Case Study TinyOS Hill, et. al, 00

• A run-time system for network sensors from UC
  Berkeley
• Component-based
• Different requirements of sensors
• Physical limitations of sensors
• High reliability required
• Concurrency-intensive operations
• Installation to many sensors.

30
Sensor Component
31
Properties of Sensor Component

• Property Q1 (Output repeatedly)
• Repeatedly (Output)
• Property Q2 (Output handshake correctly handled)
• After (Output) Never (Output) UntilAfter
  (OP_Ack)
• After (Done) Eventually (Done_Ack)
• Never (Done_Ack) UntilAfter (Done)
• After (Done_Ack) Never (Done_Ack)
  UntilAfter(Done)

32
Network Component
33
Properties of Network Component

• Property Q3 (Transmit repeatedly if input
  repeatedly)
• IfRepeatedly (Data) Repeatedly (RFM.Pending)
• IfRepeatedly (Data) Repeatedly (Not
  RFM.Pending)
• Property Q4 (Input handshake correctly handled)
• After (Data) Eventually (Data_Ack)
• Never (Data_Ack) UntilAfter (Data)
• After (Data_Ack) Never (Data_Ack) UntilAfter
  (Data)
• After (Sent) Never (Sent) UntilAfter (Sent_Ack)

34
Verification of Primitive Components

• Q1 and Q2 were verified on the Sensor component
  assuming Q4.
• Q3 and Q4 were verified on the Network component
  assuming Q2.
• Discharge of Premise C1 of Rule AENT.

35
Sensor-to-Network (SN) Component
Property Q (Transmit repeatedly) Repeatedly
(RFM.Pending) Repeatedly (Not RFM.Pending)
36
Verification of Q on SN

• Q is checked on an abstraction of SN.
• The abstraction consists of sub-component
  properties that are
• Enabled (whose assumptions hold)
• Not involved in invalid circular dependencies.
• Q1, Q2, Q3, and Q4 are not included due to
  circular dependencies between Q2 and Q4.

37
Verification of Q on SN (cont.)

• Circular dependency between Q2 and Q4 is
  validated.
• (Discharge of Premise C3 of Rule AENT. )
• The abstraction is refined by including Q1 and
  Q3.
• Q is verified on the refined abstraction.
• (Discharge of Premise C2 of Rule AENT.)

Conclusion Q holds on Sensor-to-Network.
38
Agenda

• Motivations
• Translation-Based Compositional Reasoning
• Realization of TBCR
• Applications
• Conclusions

39
Conclusions

• Translation-Based Compositional Reasoning
• Simple and effective
• Suitable for compositional reasoning in software
  model checking through translation
• Simplifies proof of compositional reasoning
  rules
• Reuses existing compositional reasoning rules.