Dongol

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J.
Hayes Introduction Action systems Enforced properties Example
Compositional Action System Derivation Using Enforced Properties

Brijesh Dongol and Ian J. Hayes
School of Information Technology and Electrical Engineering, The University of Queensland
MPC 2010
Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Introduction Action systems Enforced properties Example
Outline
1 Introduction
2 Action systems
3 Enforced properties
4 Example
History
Sequential program derivation (Dijkstra, 1975) Safety-based concurrent program derivation (Feijen and van Gasteren, 1999) Progress-based concurrent program derivation (Dongol and Mooij, 2006 & 2008) Enforced properties (Dongol and Hayes, 2009), (Dongol, 2009) - PhD thesis
This paper
Goals 1. Calculational development 2. Incremental trace renement 3. Compositionally address safety and progress 4. Simplify existing rules
Techniques
This paper
Techniques Weakest precondition
This paper
Techniques Weakest precondition Enforced properties and frames
This paper
Techniques Weakest precondition Enforced properties and frames Temporal logic on relations
This paper
Techniques Weakest precondition Enforced properties and frames Temporal logic on relations Action systems framework
Syntax
Statements and actions S ::= diverge | skip | x := E | x : V | S1 ; S2 | x [[S]] A ::= b S | A1 A2 | x [[A]] Action systems A = A0 ; do A od is an action system with initialisation action A0 and main action A
Frames
If x is a variable of type T:
x [[S]] = S ; x : T x [[b S]] = b x [[S]] x [[A1 A2 ]] = x [[A1 ]] x [[A2 ]]
Frames

Frames allow introduction of new (internal) variables
Frames

Frames allow introduction of new (internal) variables Frames can be turned into statements by renement
Renement
Suppose s seq.. We assume

rL.s removes local variables from each state in s rS.s removes stuttering in s
Denition (Trace renement) A Tr C = t : Tr.C s : Tr.A rS.(rL.s) = rS.(rL.t)
Renement
Suppose s seq.. We assume

rL.s removes local variables from each state in s rS.s removes stuttering in s
Denition (Trace renement) A Tr C = t : Tr.C s : Tr.A rS.(rL.s) = rS.(rL.t) Lemma If Tr.C Tr.A , then A Tr C .
A temporal logic on relations

Linear temporal logic (LTL)
(Manna and Pnueli, 1992) always ( ), eventually ( ), until (U ), unless (W ) dened for formulas on single-state predicates
Relational linear temporal logic (RLTL)

Dened over two-state relations
Semantics mostly the same as LTL Difference: For sequence of states s and RLTL formula Q,
(s, u) Q v : dom.s v u v + 1 dom.s (s, v) Q
Enforced properties
Denition (Enforced property)

Suppose, A is an action system and R is a RLTL formula. Action system A with enforced property R, denoted A ?R, is an action system such that
Tr.(A ?R) = {s : Tr.A | s R}
Enforced properties
Given an initial action system A , suppose we want to derive an action system that satises RLTL property R
Enforced properties
Given an initial action system A , suppose we want to derive an action system that satises RLTL property R 1. Enforce property R on A to obtain A ?R
Enforced properties
Given an initial action system A , suppose we want to derive an action system that satises RLTL property R 1. Enforce property R on A to obtain A ?R 2. Derive B such that A ?R Tr B and Tr.B |= R
Enforced properties
Given an initial action system A , suppose we want to derive an action system that satises RLTL property R 1. Enforce property R on A to obtain A ?R 2. Derive B such that A ?R Tr B and Tr.B |= R 3. Hence, B satises R and furthermore does not need to enforce R
Enforced properties
Given an initial action system A , suppose we want to derive an action system that satises RLTL property R 1. Enforce property R on A to obtain A ?R 2. Derive B such that A ?R Tr B and Tr.B |= R 3. Hence, B satises R and furthermore does not need to enforce R We have rules that allow

introduction of new enforced properties manipulation of existing enforced properties introduction of new variables (via frames) introduction and modication of actions
Enforced properties
Given an initial action system A , suppose we want to derive an action system that satises RLTL property R 1. Enforce property R on A to obtain A ?R 2. Derive B such that A ?R Tr B and Tr.B |= R 3. Hence, B satises R and furthermore does not need to enforce R We have rules that allow

introduction of new enforced properties manipulation of existing enforced properties introduction of new variables (via frames) introduction and modication of actions
Each rule ensures trace renement
Enforced properties
Lemma
For action systems A and C , and RLTL formulae R and R each of the following holds: a. A Tr A ?R b. A ?R Tr A ?R provided R R c. A ?R Tr C ?R provided A Tr C d. A ?R Tr A provided Tr.A |= R e. A ? (R R ) Tr (A ?R)?R
Enforced properties
Lemma
For action systems A and C , and RLTL formulae R and R each of the following holds: a. A Tr A ?R b. A ?R Tr A ?R provided R R c. A ?R Tr C ?R provided A Tr C d. A ?R Tr A provided Tr.A |= R e. A ? (R R ) Tr (A ?R)?R
Proof. If Tr.C Tr.A , then A Tr C (from previous lemma).
Enforced properties
Denition
If A is an action, p is a predicate, and r a relation, then
A!p = [p] ; A ; [p] A!r = rel.A r

A!p blocks if p does not hold prior to executing A, or the execution of A does not establish p A!r blocks if no execution of A can satisfy r
Enforced properties
Lemma
For actions A, A1 , and A2 ; predicates p, p1 , and p2 ; and relations r, r1 , and r2 , each of the following holds: a. A!(p1 p2 ) = (A!p1 )!p2 b. A!(r1 r2 ) = (A!r1 )!r2 c. A!p = [p] ; A provided p A.p d. A!r = A provided rel.A r e. (A1 A2 )!p = (A1 !p) (A2 !p) f. (A1 A2 )!r = (A1 !r) (A2 !r)
Example - Industrial press
top Weight pnr motor bot
Example - Industrial press
top Weight pnr motor bot
Program variables: locked and motor Environment variables: top, pnr,bot, and pressed
Requirements
Safety requirements:
(1) (locked top motor = Off ) (locked (locked W pressed)) (2) (locked motor = Off (3) (locked motor = Off ) W ((bot pnr) pressed))
(pnr motor = Off ((pnr motor = Off ) W (bot pressed))) (motor = On (motor = On W locked))
Progress requirements: we say p
(4) (5)
( p q)
(6) (7) (8)
(locked pressed) locked (locked pnr pressed) motor = On (bot pressed) motor = On
Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes
Assumptions on the environment
Safety assumptions:
Introduction Action systems Enforced properties Example
(top pnr bot) (bot pnr)
(9)
top, pnr, bot | (top pnr bot ) (top pnr bot ) (10) (pnr top ) (bot pnr )
Progress assumptions:
(locked motor = Off ) top pnr bot (11) (motor = On) top bot pnr (12)
Initial program
Dene:
Safe = (1) (2) (3) (4) (5) Prog = (6) (7) (8) RelyProg = (11) (12) env = pressed [[ (10) ]] !(9) do true env true motor, locked [[skip]] od ?(Safe Prog RelyProg)
Calculational rules
Lemma (Unless) (p (p W q)) holds provided (p q p q )
Derivation - replace unless properties
(2) {denition} (locked locked W pressed) {Lemma (unless)} (locked pressed (locked pressed )) {logic} (locked locked pressed) =
Apply similar calculation to (3), (4), (5) to obtain Safe . Safe Safe Recall A ?R Tr A ?R provided R R
do true env true motor, locked [[skip]] od ?(Safe Prog RelyProg)
Tr
Deriving actions
Consider action that turns the motor on
Deriving actions
Consider action that turns the motor on From calculation wp.(motor := On).Safe , we obtain:
(motor = Off (bot pnr ) pressed ) locked
Deriving actions

Because controller does not modify bot, pnr, and pressed we get action:
motor = Off (bot pnr) pressed locked motor := On
Deriving actions


Similarly, we get for actions that turn motor off and modify lock
motor = On top motor, locked := Off , true locked motor = Off pressed locked := false
Deriving actions


Similarly, we get for actions that turn motor off and modify lock
motor = On top motor, locked := Off , true locked motor = Off pressed locked := false
These actions are guaranteed to satisfy Safe
Action introduction
Lemma
If grd.(A!p) grd.(A!p) b
do A (true x [[skip]]) od ? p do A (b x := v) od ? p
Action introduction
Recalling that A ?R Tr C ?R provided A Tr C , we obtain:
Action introduction
Recalling that A ?R Tr C ?R provided A Tr C , we obtain:
Tr
do true env motor = Off (bot pnr) pressed locked motor := On motor = On top motor, locked := Off , true locked motor = Off pressed locked := false od ?(Prog RelyProg) Safe
Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes
Conclusion
In this paper:
Introduction Action systems Enforced properties Example
Rules for calculational proofs of temporal formulae Frames and enforced properties work together to allow
incremental renement
Relational linear temporal logic supports compositionality Theory supports proofs of safety and progress properties Fairness assumptions can be encoded using enforced
properties
Future work:
Real-time controllers - teleo-reactive programs, sampling
logic
Tool support

Dongol

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Dongol

Hochgeladen von

Copyright:

Verfügbare Formate

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J.

Hayes Introduction Action systems Enforced properties Example

Compositional Action System Derivation Using Enforced Properties

Techniques Weakest precondition

Techniques Weakest precondition Enforced properties and frames

x [[S]] = S ; x : T x [[b S]] = b x [[S]] x [[A1 A2 ]] = x [[A1 ]] x [[A2 ]]

x [[S]] = S ; x : T x [[b S]] = b x [[S]] x [[A1 A2 ]] = x [[A1 ]] x [[A2 ]]

x [[S]] = S ; x : T x [[b S]] = b x [[S]] x [[A1 A2 ]] = x [[A1 ]] x [[A2 ]]

Suppose s seq.. We assume

Denition (Trace renement) A Tr C = t : Tr.C s : Tr.A rS.(rL.s) = rS.(rL.t)

Suppose s seq.. We assume

A temporal logic on relations

Relational linear temporal logic (RLTL)

(s, u) Q v : dom.s v u v + 1 dom.s (s, v) Q

Denition (Enforced property)

Tr.(A ?R) = {s : Tr.A | s R}

Each rule ensures trace renement

Proof. If Tr.C Tr.A , then A Tr C (from previous lemma).

A!p = [p] ; A ; [p] A!r = rel.A r

Example - Industrial press

top Weight pnr motor bot

Example - Industrial press

top Weight pnr motor bot

Assumptions on the environment

(top pnr bot) (bot pnr)

Lemma (Unless) (p (p W q)) holds provided (p q p q )

Derivation - replace unless properties

do true env true motor, locked [[skip]] od ?(Safe Prog RelyProg)

do true env true motor, locked [[skip]] od ?(Safe Prog RelyProg)

(motor = Off (bot pnr ) pressed ) locked

(motor = Off (bot pnr ) pressed ) locked

motor = Off (bot pnr) pressed locked motor := On

(motor = Off (bot pnr ) pressed ) locked

motor = Off (bot pnr) pressed locked motor := On

(motor = Off (bot pnr ) pressed ) locked

motor = Off (bot pnr) pressed locked motor := On

do true env true motor, locked [[skip]] od ?(Safe Prog RelyProg)

do true env true motor, locked [[skip]] od ?(Safe Prog RelyProg)

Das könnte Ihnen auch gefallen