You Assume, We Guarantee: Methodology and Case Studies

Assume-guarantee reasoning has long been advertised as an important method for decomposing proof obligations in system verification. Refinement mappings (homomorphisms) have long been advertised as an important method for solving the language-inclusion problem in practice. When confronted with large verification problems, we therefore attempted to make use of both techniques. We soon found that, rather than offering instant solutions, the success of assume-guarantee reasoning depends critically on the construction of suitable abstraction modules, and the success of refinement checking depends critically on the construction of suitable witness modules. Moreover, as abstractions need to be witnessed, and witnesses abstracted, the process must be iterated. We present here the main lessons we learned from our experiments, in the form of a systematic and structured discipline for the compositional verification of reactive modules. An infrastructure to support this discipline, and to automate parts of the verification, has been implemented in the tool Mocha.
