Assumption Genertion for Softwre Component Verifiction Dimitr Ginnkopoulou Corin S. Păsărenu RIACS/USRA Kestrel Technologies LLC NASA Ames Reserch Center Moffett Field, CA 94035-1000, USA {dimitr, pcorin}@emil.rc.ns.gov Howrd Brringer Deprtment of Computer Science University of Mnchester Oxford Rod, Mnchester, M13 9PL, UK howrd@cs.mn.c.uk Abstrct Model checking is n utomted technique tht cn be used to determine whether system stisfies certin required properties. The typicl pproch to verifying properties of softwre components is to check them for ll possible environments. In relity, however, component is only required to stisfy properties in specific environments. Unless these environments re formlly chrcterized nd used during verifiction (ssume-gurntee prdigm), the results returned by verifiction cn be overly pessimistic. This work defines frmework tht brings new dimension to model checking of softwre components. When checking component ginst property, our model checking lgorithms return one of the following three results: the component stisfies property for ny environment; the component violtes the property for ny environment; or finlly, our lgorithms generte n ssumption tht chrcterizes exctly those environments in which the component stisfies its required property. Our pproch hs been implemented in the LTSA tool nd hs been pplied to the nlysis of NASA ppliction. 1. Introduction Our work is motivted by n ongoing project t NASA Ames Reserch Center on the verifiction of utonomous softwre. Autonomous softwre involves complex concurrent behviours for recting to externl stimuli without humn intervention. Extensive verifiction is pre-requisite for the deployment of missions tht involve utonomy. Model checking is n utomted verifiction technique tht cn be used to determine whether concurrent system stisfies certin properties by exhustively exploring ll its possible executions. Softwre model checking is typiclly This uthor is most grteful for the prtil support received from RI- ACS/USRA to undertke this reserch whilst on leve t NASA Ames Reserch Center. pplied to components of lrger system for severl resons. For exmple: softwre component my be embedded s is the cse for utonomous softwre; one would typiclly ignore the detils of the operting system in which component opertes; system my be prtilly specified; finlly, given the fct tht the stte explosion problem [9] is prticulrly cute in softwre systems, one relisticlly needs to divide nd conquer, tht is, to brek up the verifiction tsk in smller tsks. In order to model check component in isoltion one needs to incorporte model of the environment intercting with the component. By defult, this is the most generl environment, n environment tht cn invoke, in ny order, ny ction of the interfce between the two, or tht my refuse ny service tht the component requires. We believe tht the bove pproch to component checking is overly pessimistic; the underlying ssumption is tht the environment is free to behve s it pleses, nd tht the component will stisfy the required property for ny environment. A similr observtion is mde by De Alfro nd Henzinger in the context of interfce comptibility checking [10, 11]. In the world of model checking, this problem hs given rise to the ssume-gurntee style of resoning [36], where the model of the environment is restricted by ssumptions provided by the developer. This style of resoning is typiclly performed in n interctive fshion. Developers first check component with the most generl environment. If counterexmple is returned tht is unrelistic for the system under nlysis, they mke severl ttempts t defining n ssumption tht is strong enough to eliminte flse violtions, but tht lso reflects ppropritely the remining system. In this pper we propose nd describe novel frmework for model checking of components tht provides more useful user feedbck thn the usul counter-exmple genertion for property violtions. When model checking component ginst property, our lgorithms return one of the following three results: (i) the component stisfies the property for ny environment; (ii) the component violtes the property for ny environment; or finlly, (iii) n utomticlly
generted ssumption tht chrcterizes exctly those environments in which the component stisfies the property. Let us illustrte this with smll exmple. A multithreded component uses mutex to coordinte ccesses to shred vrible, which my lso be ccessed by the environment. The requirement is tht rce violtions should not occur in the system. If some thred within the component performs unprotected ccesses to the vrible, the requirement my be violted irrespective of the environment. Our pproch reports this fct, together with counterexmple illustrting it. Now ssume tht ll ccesses to the vrible within the component re protected by the mutex. Model checking under the most generl environment would return violtion. Our lgorithms would return n ssumption, reflecting the fct tht ll ccesses to the shred vrible by the environment must be protected by the lock. In fct, our pproch genertes the wekest environment ssumption tht enbles the property to hold. Therefore, in selecting n pproprite environment for component, one cn sfely reject ny environment tht does not stisfy the ssumption generted. Assumption genertion my lso be seen s wy of providing extr utomted support for ssume-gurntee resoning. Finlly, for systems like the ones we study, the environment is often unpredictble. Some ssumptions re typiclly mde bout it, but loss of mission must be voided even if the environment flls outside these ssumptions. For such cses, ssumptions cn be used s runtime monitors of the ctul environment [20]. Monitors cn generte pproprite wrnings when the environment flls outside expected behviour nd trigger specil system behviour, if necessry. We hve implemented our pproch in the Lbelled Trnsition Systems Anlyzer (LTSA) tool [31, 30], which provides good support for incrementl system design nd verifiction. It implements such fetures s component bstrction nd minimiztion tht mke the integrtion of our pproch strightforwrd. The problem of ssumption genertion cn be ssocited with such problems s submodule construction, controller synthesis nd model mtching. To our knowledge, such work hs not been directly pplied to model checking before; the reltion of our pproch with these domins is further discussed in Section 6. The reminder of the pper is orgnized s follows. Section 2 briefly discusses the LTSA tool nd the theory tht underlies our pproch. It is followed by the presenttion of our pproch in Section 3. Section 4 describes our experience with nlyzing the Executive module of n experimentl Mrs Rover developed t NASA Ames. We discuss the pplicbility of our pproch in prctice nd extensions tht we re considering in Section 5. Finlly, Section 6 presents relted work, nd Section 7 concludes the pper. 2. Bckground In this section, we describe the LTSA frmework in which our pproch hs been introduced. We provide forml definitions for those spects of the tool tht we hve used nd/or modified. 2.1. The LTSA Tool The LTSA [31, 30] is n utomted tool tht supports Compositionl Rechbility Anlysis (CRA) of softwre system bsed on its rchitecture. In generl, the softwre rchitecture of concurrent system hs hierrchicl structure [29]. CRA incrementlly computes nd bstrcts the behviour of composite components bsed on the behviour of their immedite children in the hierrchy. Abstrction consists of hiding the ctions tht do not belong to the interfce of component, nd minimizing with respect to observtionl equivlence [17]. The input lnguge FSP of the tool is process-lgebr style nottion with Lbelled Trnsition Systems (LTS) semntics. A property is lso expressed s n LTS, but with extended semntics, nd is treted s n ordinry component during composition. Properties re combined with the components to which they refer. They do not interfere with system behviour, unless they re violted. In the presence of violtions, the properties introduced my reduce the stte spce of the (sub)systems nlyzed. As in our pproch, the LTSA frmework trets components s open systems tht my only stisfy some requirements in specific contexts. By composing components with their properties, it postpones nlysis until the system is closed, mening tht ll contextul behviour tht is pplicble hs been provided. We extend this frmework by performing useful nlysis t the component level. The LTSA tool lso fetures grphicl disply of LTSs, interctive simultion nd grphicl nimtion of behviour models [32], ll helpful ids in both design nd verifiction of system models. 2.2. Progrm Model We use lbelled trnsition systems (LTSs) to model the behviour of communicting components in concurrent system. Let Act be the universl set of observble ctions, nd Act τ = Act {τ}, where τ denotes locl ction unobservble to component s environment. We use π to denote specil error stte, which models the fct tht sfety violtion hs occurred in the ssocited system. A lbelled trnsition system T is qudruple S,αT,R,s 0, where S is set of sttes, αt Act is set of ctions clled the lphbet of T, R S αt {τ} S
Mutex: E.cquire W.cquire 1 0 2 Writer: W.cquire 0 W.enterCS W.exitCS W.relese 1 W.relese W.enterCS W.exitCS Figure 1. LTSs for Mutex nd Writer 1 W.exitCS W.enterCS 0 2 π W.exitCS Figure 2. Mutul exclusion property 2 W.enterCS is trnsition reltion nd s 0 S is the initil stte. We use Π to denote the LTS {π}, Act,,π. For exmple, Figure 1 illustrtes LTSs for Writer component nd Mutex. In ll illustrtions of LTSs in this pper, stte 0 is the initil stte. The Writer cquires the mutex (ction W.cquire), enters nd subsequently exists criticl section (W.enterCS, W.exitCS) used to model the fct tht the Writer updtes some shred vrible, nd then releses the mutex W.relese. The Mutex component cn be cquired nd relesed by the Writer (W.cquire, W.relese) or its environment (E.cquire, ), but single component cn hold it t ny one time. We cll n LTS well formed if the error stte π hs no outgoing trnsitions. We only consider well formed LTSs in this work. An LTS T = S,αT,R,s 0 is non-deterministic if (s,, s ), (s,, s ) R such tht s s (otherwise T is deterministic). A trce σ of n LTS T is sequence of observble ctions tht T cn perform strting t its initil stte. For exmple, <W.cquire> nd <W.cquire, W.enterCS, W.exitCS> re both trces of the Writer component of Figure 1. The set of trces of T is denoted s Tr(T ). For A Act, we use σ A to denote the trce obtined by removing from σ ll occurrences of ctions A. We denote s errtr(t ) the set of trces tht led to the error stte π, which we cll error trces of T. Opertors In the following, we provide semntics for the opertors defined on LTSs tht re used in our work. Although we provide trnsitionl semntics in typicl process lgebr style, our im here is not to define n lgebr. Let T = S,αT,R,s 0 nd T = S,αT,R,s 0. We sy tht T trnsits into T with ction, denoted T T, iff (s 0,,s 0) R nd: either αt = αt nd R = R for s 0 π, or, in the specil cse where s 0 = π, T =Π. The interfce opertor is used to mke unobservble those ctions in the LTS of component tht re not prt of its interfce. Formlly, given n LTS T nd set of observble ctions A Act, T Ais defined s follows. For T =Π, T A=Π.ForT Π, T Ais n LTS with the sme set of sttes nd initil stte s T. The lphbet of T Ais αt A, nd its trnsition reltion is described by the following rules: T T, A T A T A T T, A T A τ T A Prllel composition is commuttive nd ssocitive opertor tht combines the behviour of two components by synchroniztion of the ctions common to their lphbets nd interleving of the remining ctions. For exmple, in computing the prllel composition of components Writer nd Mutex of Figure 1, ctions W.cquire nd W.relese will ech be synchronized. Formlly, let T 1 = S 1,αT 1,R 1,s 1 0 nd T 2 = S 2,αT 2,R 2,s 2 0 be two LTSs. If either T 1 = Π or T 2 =Π, then T 1 T 2 =Π. Otherwise, T 1 T 2 is n LTS T = S,αT,R,s 0, where S = S 1 S 2, s 0 =(s 1 0,s 2 0), αt = αt 1 αt 2, nd R is defined s follows: T 1 T 1, αt 2 T 1 T 1, T 2 T 2, τ T 1 T 2 T 1 T 2 T 1 T 2 T 1 T 2 Properties A sfety property is specified s deterministic LTS tht contins no τ trnsitions, nd no π stte. The set of trces Tr(P ) of property P defines the set of cceptble behviours over αp.anltst stisfies P, denoted s T = P iff Tr(T αp ) Tr(P ). The LTSA utomticlly derives from property P n error LTS denoted P err, which trps possible violtions with the π stte. Formlly, the error LTS of property P = S,αP,R,s 0 is P err = S {π},αp err,r,s 0, where αp err = αp nd R = R {(s,, π) αp nd s S :(s,, s ) R}. Note tht the error utomton is complete, i.e., ech stte (other thn the error stte) hs outgoing trnsitions for every ction in the lphbet. For exmple, Figure 2 illustrtes mutul exclusion property for system consisting of the LTSs of Figure 1.
Property LTSA + Assumption Genertion E.cquire Component (1) Composition nd Minimistion Property True (ll environments) 0 E.cquire 1 2 3 (2) Bckwrd Error Propgtion (3) Property Extrction Property Flse (ll environments) Property True (some environments) + Assumption τ π Figure 4. Composite LTS Figure 3. Model Checking with Assumption Genertion The property comprises sttes 0, 1, 2 nd the trnsitions denoted by solid rrows. It expresses the fct tht the component nd its environment should never be in their criticl sections t the sme time. In other words, the intervls defined by their mutul entercs nd exitcs ctions should never overlp. The dshed rrows illustrte the trnsitions to the error stte tht re dded to the property to obtin its error LTS. Let T be n LTS tht hs no error trces. To detect violtions of property P by component T, the LTSA computes T P err. It hs been proven in [8] tht T violtes P iff the π stte is rechble in T P err, or equivlently, iff errtr(t P err ). The error stte hs specil tretment during minimiztion, so tht violtion does not dispper s result of bstrction. In fct, n error stte within component cn only dispper with composition, i.e., if component with which it intercts blocks the erroneous behviour. 3. Assumption Genertion In this section we describe in detil our proposed extensions to trditionl model checking, nd their implementtion in LTSA. We lso provide forml proof of correctness. 3.1. Generl Method The trditionl pproch to verifying property of n open system (i.e., softwre component tht intercts with n environment, represented by other components) is to check it for ll the possible environments. The result of verifiction is either true, if the property holds for ll the possible environments, or flse, if there exists some environment tht cn led the component to flsify the property. We believe tht this pproch is overly pessimistic nd only pproprite for the nlysis of closed systems, where no further interction with the environment is expected. When nlyzing open systems, n optimistic view, which ssumes helpful environment, is more pproprite. Usully, softwre components re required to stisfy properties in specific environments, so it is nturl to ccept component if there re some environments in which the component does not violte the property. In our pproch, the result of component verifiction is lso true, if the property holds for ll environments. However, the result is flse only if the property is flsified in ll environments. If there exist some environments in which the component stisfies the property, the result of verifiction is not flse, s in the trditionl pproch, but rther true in environments tht stisfy specific ssumption. This ssumption, i.e. property LTS, is utomticlly generted nd chrcterizes exctly those environments. Intuitively, this environment ssumption encodes ll possible winning strtegies of the environment in gme between the system, which ttempts to get to the error stte, nd the environment, which ttempts to prevent this. Figure 3 illustrtes our pproch together with the steps we follow to build the ssumptions (tht re described below). Step 1: Composition nd Minimiztion Given n open system nd property LTS tht my relte the behviour of the system with the behviour of the environment, our first step is to compute ll the violting trces of the system for unrestricted environments, nd turn into τ ll ctions in these trces over which the environment hs no control, i.e., the internl ctions of the system. We perform this step by building the composition of the system with the error LTS of the property, nd subsequently hiding the internl ctions of the system. The resulting LTS cn be minimized with respect to observtionl equivlence, since such minimiztion preserves trces. For exmple, Figure 4 depicts the result of composing the components depicted in Figure 1 with the mutul exclu-
E.cquire E.cquire, 0 3 2 θ, E.cquire E.cquire π Figure 5. The Result fter Bckwrd Error Propgtion sion property of Figure 2, fter minimiztion. The internl ctions of the system, i.e. the W lbelled trnsitions, were bstrcted to τ. If the error stte is not rechble in this composition, the property is true in ny environment, nd this is reported to the user. Otherwise, we identify whether there exist environments tht cn help the system void the error in ll circumstnces; this is chieved through the following steps. Step 2: Bckwrd Error Propgtion This step first performs bckwrd propgtion of the error stte over τ trnsitions, thus pruning the sttes where the environment cnnot prevent the error stte from being entered vi one or more τ steps. Since we re interested only in the error trces, we lso eliminte the sttes tht re not bckwrd rechble from the error stte. If, s result of this trnsformtion, the initil stte becomes n error stte, it mens tht no environment cn prevent the system from possibly reching the error stte, so the property is flse (for ll environments) nd this is reported to the user. Consider gin the composite system in Figure 4. The thicker line mrks the only τ trnsition tht remins in the system fter minimiztion. As result of bckwrd propgtion, we identify stte 1 with the error stte; the result is shown in Figure 5. The intuition here is tht, if the component is in stte from which it cn violte the property by some number of internl moves, then no environment cn prevent the violtion from occurring. Step 3: Property Extrction This step builds the property LTS tht is our ssumption. It performs this in two stges; first it builds the error LTS for the ssumption, from which it extrcts the corresponding property LTS. Note tht the LTS resulting from Step 2 might not be n error LTS, lthough it contins n error stte. Recll from the bckground section tht the error LTS is deterministic nd complete. In order to get n error LTS we mke the LTS obtined from step 2 deterministic by pplying to it τ elimintion nd the subset construction [3], but by tking specil cre of the π stte s follows. During subset construction, the sttes 0 E.cquire 3 2 Figure 6. Generted Assumption of the deterministic LTS tht is being generted re sets of sttes in the originl non-deterministic LTS. In our context, if ny one of the sttes in the set is π, the entire set becomes π. Intuitively, trce tht non-deterministiclly my or my not led to n error hs to be considered s n error trce. Such non-determinism reflects the fct tht, by performing prticulr sequence of ctions, the environment cnnot gurntee tht the component will void error sttes. For exmple, consider gin the composite system in Figure 4. There re two outgoing trnsitions from the initil stte 0 tht re lbelled by the sme environment ction : one leds to the error stte, while the other one leds to stte 1. This mens tht if the environment performs ction, it cn not prevent the system from getting to the error, so we would like to identify stte 1 with π. In our exmple in Figure 4, this ws chieved during Step 2, but this my not be the cse in generl. Wht remins to be performed t this stge is to mke the resulting LTS complete. Completion is performed by dding new sink stte to the LTS, nd dding trnsition to this stte for ech missing trnsition in the incomplete LTS. The missing trnsitions in the incomplete LTS represent behviour of the environment tht is never exercised by the open system under nlysis. As result, no ssumptions need to be mde bout these behviours. The sink stte reflects exctly this fct, since it poses no implementtion restrictions to the environment. Once we hve the error LTS, we obtin the ssumption by deleting the error stte nd the trnsitions tht led to it. Figure 6 depicts the ssumption generted for our exmple. Since the result from Step 2 is lredy deterministic, we get the ssumption by completing it with the sink stte, denoted by θ, nd deleting the π stte. The ssumption expresses the fct tht the environment should only ccess its criticl section protected by the mutex. Moreover, s imposed by the mutex, E.cquire nd ctions of the environment cn only lternte, nd therefore ny different behviour is inconsequentil. Notice for exmple tht from stte 0, ction leds to stte θ.
Implementtion in the LTSA As mentioned, the LTSA provides frmework tht fcilittes the introduction of the extensions we hve presented. For exmple, we took dvntge of its support for composition, bstrction, minimiztion nd determiniztion. The extr fetures tht our pproch required re: Specil tretment of the error stte, π, during determiniztion. The specil semntics of this stte were not previously tken into ccount. Bckwrds rechbility nd error propgtion s required by step 2. We believe tht error propgtion should be performed during CRA for incresed efficiency, irrespective of our pproch. Completion with the sink stte, θ, nd property extrction from the error LTS. 3.2. Correctness of Approch Let T denote n open system with lphbet αt nd let E denote nother system representing n rbitrry environment for T, whose lphbet is αe. Let P denote property LTS with lphbet αp αt αe ( property my refer to ctions in both T nd E). Let C = αt αe be the set of common ctions between T nd E, nd let I = αt C denote the internl ctions of the system. Our tool genertes the property LTS A with lphbet αa = C (αp I), representing the wekest ssumption chrcterizing ll the environments tht, composed with the system, stisfy the property, i.e., E = A if nd only if E T = P. The following proposition sys tht the error trces of A err re obtined from the trces in T P err tht my led to n error stte, from which we remove the ctions not present in αa. Proposition 3.1 errtr(a err ) = {σ αa σ errtr(t P err ) σ = σ αa}. The following theorem mkes precise the clim tht A is the wekest ssumption bout the environment E of T tht ensures property T. Theorem 3.2 E, E = A if nd only if E T = P. Proof. E such tht E = A, we hve to show tht E T = P. The proof is by contrdiction. Assume E T = P. Then, there is trce σ in E T P err tht leds to the error stte (i.e., σ errtr(e T P err )). We use σ to build trce σ Tr(E) such tht σ αa errtr(a err ), thus contrdicting E = A. Since σ is n error trce in E T P err, it follows tht σ αe Tr(E) nd σ (αt αp ) errtr(t P err ). From proposition 3.1, it follows tht (σ (αt αp )) αa errtr(a err ). Since αa αe nd αa αt αp, we lso hve tht (σ αe) αa =(σ (αt αp )) αa. Let σ = σ αe. We then hve tht σ αa =(σ (αt αp )) αa errtr(a err ), nd thus we hve contrdiction. E such tht E T = P, we hve to show tht E = A. Agin, we prove this by contrdiction. Assume E = A. Then, there is trce σ Tr(E) such tht σ αa errtr(a err ). From proposition 3.1, it follows tht there is trce σ errtr(t P err ) such tht σ αa = σ αa. We use σ nd σ to build trce σ in E T P err such tht σ αp errtr(p err ), thus reching the contrdiction of E T = P. Since σ is trce of E, σ is trce of T P err, σ αa = σ αa nd C αa it follows tht σ nd σ my differ only on non-common ctions. It follows tht there exists trce σ in E T P err such tht σ αe = σ nd σ (αt αp )=σ. (we build σ by composing σ nd σ using the sme rules s for prllel composition of systems). Since σ errtr(t P err ), it follows tht σ αp errtr(p err ). We lso hve σ αp = σ αp, since σ my introduce in σ only ctions tht re not present in αa or αp. It follows tht σ αp errtr(p err ), nd thus we hve contrdiction. 4. Appliction: the Rover Executive We experimented with our pproch in the context of the verifiction of the executive subsystem for the K9 Mrs Rover, developed t NASA Ames. The executive receives flexible plns from Plnner, which it executes ccording to the pln lnguge semntics. A pln is hierrchicl structure of ctions tht the Rover must perform. Trditionlly, plns re deterministic sequences of ctions. However, incresed Rover utonomy requires dded flexibility. The pln lnguge therefore llows for brnching bsed on stte or temporl conditions tht need to be checked, nd lso for flexibility with respect to the strting time of n ction. The pln lnguge llows the ssocition of ech ction with number of stte or temporl pre-, mintennce, nd postconditions, which must hold before, during, nd on completion of the ction execution, respectively.
The executive hs been implemented s multi-threded system, mde up of min coordinting component nmed Executive, components for monitoring the stte conditions ExecCondChecker, nd temporl conditions Exec- TimerChecker - ech further decomposed into two threds - nd finlly n ActionExecution thred tht is responsible for issuing the commnds to the Rover. Synchroniztion between these threds is performed through mutexes nd condition vribles. The developers provided some design documents to us, which described the synchroniztion between these components in n dd-hoc flowchrt-style lnguge. They looked very much like LTSs, which llowed us to trnslte them in strightforwrd nd systemtic, lbeit mnul, wy into FSP for the LTSA. We first checked the occurrence of rce conditions for the cse of vrible of the ExecCondChecker shred with the Executive. We checked the property on the ExecCond- Checker (tht consists internlly of two threds) together with the mutexes it uses, since mutexes constitute the synchroniztion mechnism in this system. The ExecCond- Checker with mutexes nd the property hd 426 sttes but minimized to 18 sttes. The propgtion of the error stte produced n LTS of just 10 sttes, nd the finl ssumption generted hd 12 sttes (one being the sink stte). We were surprised to see tht our pproch did not generte the expected ssumption, i.e. tht ccesses to the shred vrible by the environment must be protected by the pproprite mutex, s in the exmple of Section 3. In fct, the ssumption obtined ws weker. It reflected the knowledge tht, once the environment holds the mutex, the vlues tht the environment reds reflect chnges tht only the environment my hve mde. For exmple, ssume tht, while holding the mutex, the environment ssigns vlue x to the vrible. Reding ny vlue x x would led the environment to the sink stte, becuse this behviour will never ctully be exercised in the context of the ExecCondChecker. The second property tht we checked in this fshion ws one tht the developer thought might be violted by the code, but could ctully not produce n execution tht would demonstrte this fct. For specific vrible of the ExecCondChecker shred with the Executive, the property stted the following: if the Executive reds the vlue of the vrible, then the ExecCondChecker should not red this vlue until the Executive clers it first. Agin, we used the ExecCondChecker together with mutexes nd the property to generte n ssumption on the behviour of the Executive. The result hd 524 sttes, minimized to 9 sttes, reduced to 7 sttes with error propgtion, nd to 6 sttes with determiniztion. The resulting ssumption hd 7 sttes (including the sink stte). It stted tht the environment of the component should red the vrible fter cquiring mutex, nd should hold on to tht mutex until it clers the vrible. Note tht, gin, there were trnsitions to the sink stte, expressing the fct tht some behviour of the environment is never exercised. For exmple, the ssumption mde cler tht the ExecCondChecker only updtes the vrible with vlues lrger thn the one it currently holds. The ssumption generted ws stisfied by the design level Executive. Our result gve confidence to the developers bout the correctness of their design nd implementtion. They lso found it useful to be ble to understnd how the property decomposes cross modules of the system. 5. Discussion The complexity bottleneck of our pproch is the determiniztion step, which, in the worst cse, is exponentil in the number of the sttes of the given LTS. There re severl resons tht led us to believe tht this my not be the cse often in prctice. In our experiments such s the Rover study reported in Section 4, non-determinism lmost disppers by propgtion of the error stte. As we only study modules of lrger system, we expect tht the stte spce of these modules will be reltively smll. This will be the cse in prticulr when they interct through limited interfces with their environment, which will llow the minimiztion step to considerbly reduce their behviour. Note lso tht, if we extend our results to other frmeworks, the ssumption my not be required to be deterministic. Admittedly, however, deterministic ssumptions tend to be clerer to understnd. From our extensive experience with compositionl rechbility nlysis (CRA) techniques, we re only too wre of the potentil intermedite stte explosion ssocited with them [18]. This problem describes the fct tht, in lck of context, component my exhibit n excessively lrge stte-spce. However, this does not occur in the generl cse for well-designed softwre rchitectures. Moreover, severl pproches hve been proposed in the literture [18, 7, 26] for ddressing the problem. Our pproch extends the LTSA tool in severl useful wys. First of ll, it chieves further reduction of component behvior by pplying propgtion of the error sttes, computtionlly inexpensive but efficient step. Moreover, our pproch genertes the wekest environment ssumptions. As such, these ssumptions my be used for runtime monitoring, or for component retrievl, cpbilities tht were not formerly provided by the tool. As fr s component retrievl is concerned, we would like to stress the following observtion from our experiments (Section 4). The sink stte tht our ssumptions contin, reflects the fct tht some services tht component provides will never be used in the context of system. Our ssumptions llow free implementtions for these services, nd simply ensure tht the used services comply with the requirements.
The bility to generte ssumptions lso opens up number of other interesting reserch directions: we mention few to give some flvour. Assumptions my be further nlyzed. Assume tht component does not violte property in ny environment. However, it my be tht, when put in the context of the wekest ssumption tht our lgorithms generte, no useful behvior is obtined s result. In the extreme, the component with the ssumption my result in single dedlock stte. Or the ssumption my be tht the environment will hold on to specific lock for ever. All these re indictions tht there is something inherently wrong with the behvior of the component under nlysis. Our work hs been performed with limited but importnt set of properties (sfety) expressed within specific frmework tht fcilittes the development of our lgorithms. However, we believe our pproch hs ppliction in other frmeworks. In prticulr, we re investigting the extension of our pproch for the cse of firness nd/or liveness properties, which requires more expressive formlism. When the behvior of the environment, or prt thereof, is provided, we wish to find effective wys of dischrging ssumptions on the environment. One wy would be to use the ssumption s property, nd model check in the sme fshion components in the environment. This process cn be seen s wy of decomposing, utomticlly, property cross components of system. Indeed, n ssumption reflects those spects of the property tht hve not been stisfied by the component nd tht remin to be stisfied by its environment. Property decomposition is n extremely difficult problem, nd our pproch my be seen helpful step in its fcilittion. Of course, such decomposition will not be effective in ll cses. It is esy to imgine tht there will be cses where ssumptions my grdully grow in size during this process, problem referred to in the literture s property explosion. Our pproch to ssumption genertion cn strightforwrdly be used for submodule construction, where the submodule is plced s n intercting component in prllel with the given one. Generliztion to other forms of composition is nturl step, e.g. find progrm context for the given component to chieve the desired property in some pproprite environment. 6. Relted Work For over three decdes now, there hs been reserch effort focused on finding trctble pproches to the forml specifiction, design nd development of complex systems. Significnt erly progress occurred with techniques nd tools for sequentil, non-intercting or trnsformtionl, systems. However, the quest for obtining effective methods nd tools for the forml support of compositionl nd/or modulr development nd resoning for rective systems still remins, in our view, mjor chllenge. As there is insufficient spce to do justice to the work tht hs been undertken, we refer the interested reder to the proceedings [14] - its introductory chpter in prticulr [12] - nd the recent book [13]. In more recent yers with the development nd tke-up of OO-design technology, forml techniques for support of component-bsed design is lso gining prominence, see for exmple [10, 11], for which modulr-bsed resoning is key. The work of Inverrdi nd collegues, see [22] nd [21] for exmple, hs lso been imed t providing support for the modulr checking of certin properties, s dedlock freedom, but is somewht limited in the checks performed for comptibility between components. In order to mke progress in ny of these res, some form of ssumption (either implicit or explicit) bout the interction with, or interference from, the environment hs to be mde, [23, 2]. Even though we hve sound nd complete resoning systems for such rely-gurntee (or ssumptioncommitment) style of resoning, see for exmple [24, 39] nd most recently [41], it is lwys mentl chllenge to obtin the most pproprite ssumption (if there is such). It is even more of chllenge to find utomted techniques to support this resoning style - the thred modulr resoning underlying the Clvin tool [16] is one strt in this direction. In the frmework of temporl logic, the work on Alternting time Temporl Logic ATL (nd trnsition systems) [5] ws proposed for the specifiction nd verifiction of open systems together with utomted support vi symbolic model checking procedures, lbeit of rther high complexity; the Moch toolkit [4] provides support for modulr verifiction of components with requirement specifiction bsed on the ATL. It goes without sying tht if tool support is lcking, tke-up of these techniques will be rther low. The underlying pproch to utomted ssumption genertion tht we ve dopted nd implemented in LTSA hs similrity to number of other problems tht hve been considered by number of reserchers over the pst two decdes. Closest to our our work in the softwre engineering nd concurrency theory re the sub-module construction problem, scheduler synthesis nd interfce eqution solving problems. In the discrete event community, it ppers s the supervisory control problem, in control theory there is the model mtching problem nd in the logic synthesis world there is the intercting FSM synthesis. Of course, the prticulr frmeworks in which these problems re considered mkes ll the difference to their
solution(s) nd s such it would be quite inpproprite to clim they re solving the sme problem. However, in very generl terms, ech cn be seen s n instnce of the following problem, given component, C, nd desired behviour, B, find context for C, X, such tht X(C) B, for some pproprite notion of equivlence. Merlin nd Bochmnn [33] were probbly the first to ddress the bove s submodule construction in the world of communiction protocol specifiction nd synthesis. In setting of lbelled trnsition systems, given module specifiction M 0 nd submodule specifiction M 1, they outlined nd exemplified mnul pproch to construct n intercting submodule M 2 such tht M 1 nd M 2 together chieve the desired specifiction of M 0. Their construction hs much in common with ours lthough some significnt spects of the construction were left to the reder s imgintion. The lter work of [38, 19] hs revisited the Merlin-Bochmnn pproch nd provided new, detiled, lgorithms for the sub-module construction nd implemented n utomted tool. One recognized limittion of the Merlin- Bochmnn is tht the notion of correctness, nmely just trce equivlence, does not cpture number of behviourl properties, e.g. potentil dedlock. The work of Shields [37], over decde lter, introduces the Interfce Eqution in the setting of the process lgebr, CCS [34], under observtionl equivlence. In order to solve (C X)\ L = B for the process X, he restricts to cses where B is deterministic, with some minor restrictions on the sorts of C nd B, nd provides necessry nd sufficient conditions for solution to exist nd then in such situtions presents n explicit construction. Prrow [35] lso ddressed the interfce eqution nd presented procedure for solving the equtions vi successive trnsformtion of the CCS equtions to simpler ones, generting solution long the wy; his pproch is bsed upon tbleu method. Prrow s method ttempts to find most generl solution, but even if it exists, it is not necessrily pproprite for implementtion. Continuing in the process lgebr frmework, Lrsen nd Xinxin [28] consider the more generl problem of solving system of equtions C i (X) P i, for 0 <i n, where the C i re rbitrry contexts, P i re rbitrry processes nd X is the process to be found - the equivlence is tken s bisimultion. They considered the problem in the context of disjunctive modl trnsition systems, [27] nd implemented n utomted tool for solving the equtions (in the finite stte cse) when solution exists. As stted bove, there is further body of work in supervisory control synthesis, discrete event systems, nd logic synthesis res, see for exmple [1, 15, 40, 25, 6]. However, we should stress tht whilst these pproches re in generl set in FSM/DFA context, the principl gol is quite different in comprison with ours. 7. Conclusions We presented n pproch to model checking components s open, rther thn closed systems. Our pproch reports whether there is something inherently wrong with the component behviour, or whether stisfying requirement is simply mtter of providing the right environment. Moreover, it chrcterizes exctly ll helpful environments. The possibility of generting ssumptions provides incresed flexibility in model checking, nd opens up number of interesting reserch topics. It llows, for exmple, the dischrge of ssumptions t run-time for unpredictble environments, the retrievl of components focused on only relevnt spects of their behviour, or the decomposition of properties cross components. It remins to further investigte how useful our pproch is in prctice. Open reserch issues include optimiztions nd extensions for firness/liveness properties nd other frmeworks. However, our erly experiments with rel cse studies provide strong evidence in fvour of this line of reserch. References [1] A. Aziz, F. Blrin, R. K. Bryton, M. D. Dibenedetto, A. Sldnh, nd A. L. Sngiovnni- Vincentelli. Supervisory control of finite stte mchines. In 7th Int. Conference on Computer Aided Verifiction, volume 939 of Lecture Notes in Computer Science, Liège, Belgium. Springer Verlg. [2] M. Abdi nd L. Lmport. Composing specifictions. ACM Trnsctions on Progrmming Lnguges nd Systems, 15(1):73 132, Jnury 1992. [3] A. V. Aho, J. E. Hopcroft, nd J. D. Ullmn. Introduction to Automt Theory, Lnguges, nd Computtion. Addison- Wesley, 2000. [4] R. Alur, T. Henzinger, F. Mng, S. Qdeer, S. Rjmni, nd S. Tsirn. Moch: Modulrity in model checking. In Proceedings of 10th Interntionl Conference on Computer Aided Verifiction, volume 1427 of Lecture Notes in Computer Science, pges 521 525. Springer Verlg, 1998. [5] R. Alur, T. A. Henzinger, nd O. Kupfermn. Alterntingtime temporl logic. In de Roever et l. [14], pges 23 60. [6] S. Blemi, G. Hoffmnn, P. Gyugyi, H. Wong-Toi, nd G. Frnklin. Supervisory control of rpid therml multiprocessor. IEEE Trnsctions on Automtic Control, 38(7):1040 1059, July 1993. [7] S. Cheung nd J. Krmer. Context constrints for compositionl rechbility nlysis. ACM Trnsctions on Softwre Engineering nd Methodology, 5(4):334 377, 1996. [8] S. Cheung nd J. Krmer. Checking sfety properties using compositionl rechbility nlysis. ACM Trnsctions on Softwre Engineering nd Methodology, 8(1):49 78, 1999. [9] E. M. Clrke, O. Grumberg, nd D. Peled. Model Checking. MIT Press, 2000. [10] L. de Alfro nd T. Henzinger. Interfce utomt. In Proc. of the Joint 8th Europen Softwre Engineering Conference nd 9th ACM SIGSOFT Interntionl Symposium on Foundtions of Softwre Engineering. ACM Press, 2001.
[11] L. de Alfro nd T. Henzinger. Interfce theories for component-bsed design. In Proceedings of EMSOFT 01: Embedded Softwre, volume 2211 of Lecture Notes in Computer Science, pges 148 165. Springer Verlg, 2001. [12] W.-P. de Roever. The need for compositionl proof systems: A survey. In de Roever et l. [14], pges 1 22. [13] W.-P. de Roever, F. de Boer, U. Hnnemn, J. Hoomn, Y. Lkhnech, M. Poel, nd J. Zwiers. Concurrency Verifiction: Introduction to Compositionl nd Non-compositionl Methods. Cmbridge University Press, 2001. [14] W.-P. de Roever, H. Lngmck, nd A. Pnueli, editors. Compositionlity: The Significnt Difference - An Interntionl Symposium, COMPOS 97, volume 1536 of Lecture Notes in Computer Science. Springer-Verlg, 1997. [15] M. di Benedetto nd A. Sngiovnni-Vincentelli. Model mtching for finite-stte mchines. IEEE Trnsctions on Automtic Control, 46(11):1726 1743, November 2001. [16] C. Flngn, S. Freund, nd S. Qdeer. Thred-modulr verifiction for shred-memory progrms. In Proceedings of the Europen Symposium on Progrmming, 2002. [17] D. Ginnkopoulou, J. Krmer, nd S. Cheung. Anlysing the behviour of distributed systems using Trct. Journl of Automted Softwre Engineering, specil issue on Automted Anlysis of Softwre, 6(1):7 35, 1999. [18] S. Grf, B. Steffen, nd G. Lüttgen. Compositionl minimistion of finite stte systems using interfce specifictions. Forml Aspects of Computtion, 8, 1996. [19] E. Hghverdi nd H. Url. Submodule construction from concurrent system specifictions. Informtion nbd Softwre Technology, 41:499 506, 1999. [20] K. Hvelund nd G. Rosu. Monitoring Jv progrms with Jv PthExplorer. In First Workshop on Runtime Verifiction (RV 01), volume 55(2) of Electronic Notes in Theoreticl Computer Science, Pris, Frnce, 2001. [21] P. Inverrdi nd S. Scriboni. Connectors synthesis for dedlock-free component bsed rchitectures. In Proceedings of 16th IEEE Annul Interntionl Conference on Automted Softwre Engineering, pges 174 181, 2001. [22] P. Inverrdi, A. Wolf, nd D. Ynkelevich. Sttic checking of system behviors using derived component ssumptions. ACM Trnsctions on Softwre Engineering Methods, 9(3):239 272, July 2000. [23] C. Jones. Specifiction nd design of (prllel) progrms. In R. Mson, editor, Informtion Processing 83: Proceedings of the IFIP 9th World Congress, pges 321 332. IFIP: North Hollnd, 1983. [24] C. Jones. Tenttive steps towrds development method for interfering progrms. ACM Trnsctions on Progrmming Lnguges nd Systems, 5(4):596 619, 1983. [25] S. Khtri, A. Nryn, S. Krishnn, K. McMilln, R. Bryton, nd A. Sngiovnni-Vincentelli. Engineering chnge in non-deterministic FSM setting. In Proceedings of 33rd IEEE/ACM Design Automtion Conference, 1996. [26] J.-P. Krimm nd L. Mounier. Compositionl stte spce genertion from LOTOS progrms. In E. Brinksm, editor, 3rd Interntionl Workshop on Tools nd Algorithms for the Construction nd Anlysis of Systems (TACAS 97), volume 1217 of Lecture Notes in Computer Science, Enschede, The Netherlnds, 1997. Springer. [27] K. Lrsen nd B. Thomsen. A modl process logic. In Proceedings of the IEEE/ACM Conference on Logic in Computer Science, LICS 88, 1988. [28] K. Lrsen nd L. Xinxin. Eqution solving using modl trnsition systems. In Proceedings of the IEEE/ACM Conference on Logic in Computer Science, LICS 90, 1990. [29] J. Mgee, N. Duly, nd J. Krmer. Regis: A constructive development environment for prllel nd distributed progrms. Distributed Systems Engineering Journl, Specil Issue on Configurble Distributed Systems, 1(5):304 312, 1994. [30] J. Mgee nd J. Krmer. Concurrency: Stte Models & Jv Progrms. John Wiley & Sons, 1999. [31] J. Mgee, J. Krmer, nd D. Ginnkopoulou. Behviour nlysis of softwre rchitectures. In 1st Working IFIP Conference on Softwre Architecture (WICSA1), Sn Antonio, TX, USA, 1999. [32] J. Mgee, N. Pryce, D. Ginnkopoulou, nd J. Krmer. Grphicl nimtion of behvior models. In 22d Interntionl Conference on Softwre Engineering (ICSE 2000), Limerick Irelnd, 2000. ACM. [33] P. Merlin nd G. V. Bochmnn. On the construction of submodule specifiction nd communiction protocols. ACM Trnsctions on Progrmming Lnguges nd Systems, 5:1 25, 1983. [34] R. Milner. Communiction nd Concurrency. Prentice-Hll, 1989. [35] J. Prrow. Submodule construction s eqution solving CCS. Theoreticl Computer Science, 68:175 202, 1989. [36] C. Păsărenu, M. Dwyer, nd M. Huth. Assume-gurntee model checking of softwre: A comprtive cse study. In D. Dms, R. Gerth, S. Leue, nd M. Mssink, editors, Theoreticl nd Prcticl Aspects of SPIN Model Checking, volume 1680 of Lecture Notes in Computer Science, pges 168 183. Springer-Verlg, 1999. [37] M. Shields. A note on the simple interfce eqution. The Computer Journl, 32(5):399 412, 1989. [38] D. P. Sidhu nd J. Aristizbl. Constructing submodule specifictions nd network protocols. IEEE Trnsctions on Softwre Engineering, 14(11):1565 1577, November 1988. [39] K. Stølen. A method for the development of totlly correct shred-stte prllel progrms. In J. Beten nd J. Groote, editors, Proceedings of Concur 91, volume 527 of Lecture Notes in Computer Science. Springer Verlg, 1991. [40] E. Tronci. Automtic synthesis of controllers from forml specifictions. In Proc. of 2nd IEEE Int. Conf. on Forml Engineering Methods, Brisbne, Austrli, 1998. [41] Q. Xu, W.-P. de Roever, nd J. He. The rely-gurntee method for verifying shred vrible concurrent progrms. Forml Aspects of Computing, 9(2):149 174, 1997.