A verification-driven framework for iterative design of controllers
Formal Aspects of Computing

Controllers are often large and complex reactive software systems, and thus they typically cannot be developed as monolithic products. Instead, they are usually composed of multiple components that interact to provide the desired functionality. Components can themselves be complex and in turn be decomposed into multiple sub-components. Designing such systems is complicated and must follow systematic approaches, based on recursive decomposition strategies that yield a modular structure. This paper proposes FIDDle, a comprehensive verification-driven framework that supports designers during development. FIDDle supports hierarchical decomposition of components into sub-components through formal specification in terms of pre- and post-conditions, as well as independent development, reuse and verification of sub-components. The framework allows the development of an initial, partially specified design of the controller, in which certain components, yet to be defined, are precisely identified. These components can be associated with pre- and post-conditions, i.e., a contract, that can be distributed to third-party developers. The framework ensures that if the components comply with their contracts, they can be safely integrated into the initial partial design without additional rework. As a result, FIDDle supports an iterative design process and guarantees correctness of the system at every step of development. We evaluated the effectiveness of FIDDle in supporting an iterative and incremental development of components using the K9 Mars Rover example developed at NASA Ames. This can be considered an initial, yet substantive, validation of the approach in a realistic setting. We also assessed the scalability of FIDDle by comparing its efficiency with the classical model checkers implemented within the LTSA toolset. Results show that FIDDle scales as well as classical model checking as the number of states of the components under development and their environments grows.
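The integration argument in the abstract (verify the partial design once against the contract of the undefined component, then check each candidate component against that contract alone) is shown below as an added worked example. This is example code written for this page, not FIDDle's own implementation or its LTL/LTSA-based formalism: the rover state fields, the `navigate` hole, the battery threshold, the contract and the safety property are all constructed assumptions, and the checks are exhaustive enumerations over a small finite state space rather than model checking of behaviour models.

```python
"""Contract-based verification of a partial controller design.

Added illustration (not FIDDle's own code): a partial design leaves the
component `navigate` undefined, gives it a contract (pre/post-condition),
and is verified against a safety property for *every* behaviour the
contract permits. A candidate component is then checked against the
contract only; if it complies, the composition satisfies the property
without re-verifying the whole design. All names and thresholds are
constructed for the example.
"""
from dataclasses import dataclass, replace
from itertools import product
from typing import Callable, Iterable

MIN_BATTERY = 2   # assumed threshold below which navigation must not start
MAX_BATTERY = 5   # finite domain bound so that every check is exhaustive


@dataclass(frozen=True)
class State:
    battery: int
    at_goal: bool
    fault: bool
    moving: bool


def all_states() -> Iterable[State]:
    """Enumerate the finite state space used for exhaustive checking."""
    bools = (False, True)
    for b, g, f, m in product(range(MAX_BATTERY + 1), bools, bools, bools):
        yield State(b, g, f, m)


# ---- contract of the undefined component `navigate` (assumed) ---------------
def nav_pre(s: State) -> bool:
    """Pre-condition the design must establish before calling navigate."""
    return s.battery >= MIN_BATTERY and not s.fault


def nav_post(before: State, after: State) -> bool:
    """Post-condition every implementation of navigate must guarantee."""
    return (0 <= after.battery <= before.battery
            and (after.at_goal or after.fault))


# ---- partial design: everything except `navigate` is fixed ------------------
Navigate = Callable[[State], State]


def controller_step(s: State, navigate: Navigate) -> State:
    """One control cycle; `navigate` is the hole to be filled in later."""
    if not nav_pre(s):
        return replace(s, moving=False)       # refuse to move, stay put
    after = navigate(replace(s, moving=True))
    if after.fault:
        after = replace(after, moving=False)  # stop on any fault
    return after


def system_property(s: State) -> bool:
    """Safety property: battery never negative, never moving while faulted."""
    return s.battery >= 0 and not (s.moving and s.fault)


# ---- step 1: verify the partial design against the contract alone ----------
def verify_partial_design() -> bool:
    """Check the design for every navigate behaviour the contract permits."""
    for s in all_states():
        if not nav_pre(s):
            # navigate is never called here; any stand-in will do
            if not system_property(controller_step(s, lambda x: x)):
                return False
            continue
        # abstract the hole: any post-compliant successor is a possible result
        for succ in all_states():
            if nav_post(replace(s, moving=True), succ):
                if not system_property(controller_step(s, lambda _x, r=succ: r)):
                    return False
    return True


# ---- step 2: verify a candidate component against its contract -------------
def verify_component(navigate: Navigate) -> bool:
    """Check `navigate` meets its post-condition whenever its pre-condition holds."""
    return all(nav_post(s, navigate(s)) for s in all_states() if nav_pre(s))


def integrate(navigate: Navigate) -> bool:
    """Integration check: design verified once, component checked against its contract."""
    return verify_partial_design() and verify_component(navigate)


def composed_satisfies(navigate: Navigate) -> bool:
    """Whole-system check, used only to confirm the two-step result."""
    return all(system_property(controller_step(s, navigate)) for s in all_states())


# ---- two candidate implementations (constructed for the example) -----------
def navigate_ok(s: State) -> State:
    """Compliant: spends one unit of battery and reaches the goal."""
    return replace(s, battery=s.battery - 1, at_goal=True)


def navigate_bad(s: State) -> State:
    """Non-compliant: may drive the battery negative and never reaches the goal."""
    return replace(s, battery=s.battery - 3, at_goal=False)


if __name__ == "__main__":
    print("partial design OK:", verify_partial_design())
    print("navigate_ok  integrates:", integrate(navigate_ok))
    print("navigate_bad integrates:", integrate(navigate_bad))
```

The point of `verify_partial_design` is that it never sees a concrete `navigate`: it ranges over every successor the post-condition allows, so the result holds for any compliant implementation, which is why `verify_component` alone suffices at integration time. `composed_satisfies` re-checks the fully composed system only to show the two-step verdict agrees with it: the compliant component passes, and the one that violates its contract also violates the system property.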
