Refinement Relation Research Articles

Construction of consistent SysML models applied to the CPS

With the increasing complexity of cyber-physical systems (CPS), it is interesting to decompose a CPS into sub-systems. This provides greater modularity and flexibility so that each system can be developed independently, making it easier to maintain. Also, it can improve its fault tolerance. However, this decomposition of the system can lead to inconsistency. This paper proposes an approach for early verification of cyber-physical systems decomposition using SysML. We address the limitations of SysML as a semi-formal language by introducing syntax and static semantics for its structural diagrams. The aim is to verify structural consistency before defining behavioral aspects. For that, the proposed approach verifies a set of structural consistency rules within a refinement relation to ensure that sub-components offer at least the same services as the abstract block and require the same services. Furthermore, the sub-blocks must satisfy all the requirements that the abstract block is supposed to verify. We used the CyCab as a case study to demonstrate the effectiveness of this approach.

Information-flow interfaces

AbstractContract-based design is a promising methodology for taming the complexity of developing sophisticated systems. A formal contract distinguishes between assumptions, which are constraints that the designer of a component puts on the environments in which the component can be used safely, and guarantees, which are promises that the designer asks from the team that implements the component. A theory of formal contracts can be formalized as an interface theory, which supports the composition and refinement of both assumptions and guarantees. Although there is a rich landscape of contract-based design methods that address functional and extra-functional properties, we present the first interface theory designed to ensure system-wide security properties. Our framework provides a refinement relation and a composition operation that support both incremental design and independent implementability. We develop our theory for both stateless and stateful interfaces. Additionally, we introduce information-flow contracts where assumptions and guarantees are sets of flow relations. We use these contracts to illustrate how to enrich information-flow interfaces with a semantic view. We illustrate the applicability of our framework with two examples inspired by the automotive domain.

Trillium: Higher-Order Concurrent and Distributed Separation Logic for Intensional Refinement

Expressive state-of-the-art separation logics rely on step-indexing to model semantically complex features and to support modular reasoning about imperative higher-order concurrent and distributed programs. Step- indexing comes, however, with an inherent cost: it restricts the adequacy theorem of program logics to a fairly simple class of safety properties. In this paper, we explore if and how intensional refinement is a viable methodology for strengthening higher-order concurrent (and distributed) separation logic to prove non-trivial safety and liveness properties. Specifically, we introduce Trillium, a language-agnostic separation logic framework for showing intensional refinement relations between traces of a program and a model. We instantiate Trillium with a concurrent language and develop Fairis, a concurrent separation logic, that we use to show liveness properties of concurrent programs under fair scheduling assumptions through a fair liveness-preserving refinement of a model. We also instantiate Trillium with a distributed language and obtain an extension of Aneris, a distributed separation logic, which we use to show refinement relations between distributed systems and TLA+ models.

Towards correctness proof for hybrid Simulink block diagrams

Cyber–physical systems (CPS) are often modelled using Simulink to simulate plant and controller behaviour by block diagrams. However, since the incomplete coverage of simulation, design using Simulink alone is insufficient for ensuring the correctness of the modelled system, especially in safety-critical CPS. The correctness is that the Simulink block diagrams satisfy the formal specification of the system being modelled. In this work, we present a contract-based method, which supports compositional reasoning and refinement, for proving the correctness of hybrid Simulink block diagrams (i.e., the block diagrams mixed continuous–discrete blocks and multi-rate discrete-time block diagrams). To this end, we first define a formal semantics for hybrid Simulink block diagrams. We then use the contract as a specification language. Moreover, we present a satisfaction relation between the block diagram and the contract, and a refinement relation between the contracts. We prove that the refinement relation preserves the correctness: if the hybrid Simulink block diagram satisfies the composition contract and the composition contract refines the system specification, the hybrid block diagram is correct relative to the system specification. Furthermore, the effectiveness of our method is illustrated by a vehicle driving control system.

Precise Subtyping for Asynchronous Multiparty Sessions

Session subtyping is a cornerstone of refinement of communicating processes: A process implementing a session type (i.e., a communication protocol) T can be safely used whenever a process implementing one of its supertypes T ′ is expected, in any context, without introducing deadlocks nor other communication errors. As a consequence, whenever T ≤ T ′ holds, it is safe to replace an implementation of T ′ with an implementation of the subtype T , which may allow for more optimised communication patterns. We present the first formalisation of the precise subtyping relation for asynchronous multiparty sessions. We show that our subtyping relation is sound (i.e., guarantees safe process replacement, as outlined above) and also complete : Any extension of the relation is unsound. To achieve our results, we develop a novel session decomposition technique, from full session types (including internal/external choices) into single input/output session trees (without choices). We cover multiparty sessions with asynchronous interaction, where messages are transmitted via FIFO queues (as in the TCP/IP protocol), and prove that our subtyping is both operationally and denotationally precise. Our session decomposition technique expresses the subtyping relation as a composition of refinement relations between single input/output trees and provides a simple reasoning principle for asynchronous message optimisations.

Modeling and proving hybrid programs with Event-B: An approach by generalization and instantiation

• A correct-by-construction approach to design and verify Cyber-Physical Systems. • A formal Event-B modeling of the event-time triggered template introduced by Kopetz. • Generic Event-B models for Cyber-Physical Systems. • A set of instantiation rules of the generic models using two different strategies. • Illustration on two frequently used CPS case studies: Stop Sign and Water Tank. Hybrid systems are one of the most common mathematical models for Cyber-Physical Systems (CPSs). They combine discrete dynamics represented by state machines or finite automata with continuous behaviors represented by differential equations. The measurement of continuous behaviors is performed by sensors. When these sensors have a continuous access to these measurements, this kind of model is called an Event-Triggered model. The properties of such models are easier to prove, while their implementation is difficult in practice. Therefore, it is preferable to introduce a more concrete kind of model, called Time-Triggered models, where the sensors take periodic measurements. Contrary to Event-Triggered models, Time-Triggered models are much easier to implement, but much more difficult to verify. Based on the differential refinement logic (dR L ), a dynamic logic for refinement relations on hybrid systems, it is possible to prove that a Time-Triggered model refines an Event-Triggered model. However, being done by hand, this proof is error-prone since no prover is available to support this logic. To overcome this limit, this paper introduces another correct-by-construction approach to prove this refinement, based on Event-B to take advantage of its well-defined refinement process and its support tools. We use the Rodin platform to develop Event-B models and its associated provers (automatic and interactive) to ensure their correctness. The obtained Event-B models are generic and can be then instantiated to model and prove any specific CPS. The proposed approach is illustrated by two frequently used CPS case studies.

Static detection of equivalent mutants in real-time model-based mutation testing

Model-based mutation testing has the potential to effectively drive test generation to reveal faults in software systems. However, it faces a typical efficiency issue since it could produce many mutants that are equivalent to the original system model, making it impossible to generate test cases from them. We consider this problem when model-based mutation testing is applied to real-time system product lines, represented as timed automata. We define novel, time-specific mutation operators and formulate the equivalent mutant problem in the frame of timed refinement relations. Further, we study in which cases a mutation yields an equivalent mutant. Our theoretical results provide guidance to system engineers, allowing them to eliminate mutations from which no test case can be produced. Our empirical evaluation, based on a proof-of-concept implementation and a set of benchmarks from the literature, confirms the validity of our theory and demonstrates that in general our approach can avoid the generation of a significant amount of the equivalent mutants.

Proving Simulink Block Diagrams Correct via Refinement

Simulink is a well-known block diagram-based tool for modular design and multidomain simulation of Cyber-Physical Systems (CPS). However, the simulation by Simulink cannot completely cover the state space or behavior of a target system, which would not ensure the correctness of the developed block diagrams in Simulink. In this work, we present a contract-based method, which supports compositional reasoning and refinement, for proving the correctness of Simulink block diagrams with discrete-time and continuous-time dynamic behavior. We use the assume-guarantee contract as a specification language. The Simulink block diagrams are correct in the sense that if the block diagrams satisfy the formal specifications of the system being modeled. To prove the correctness of a block diagram, we first define semantics for Simulink block diagrams. We study three composition operators, i.e., serial, parallel, and algebraic loop-free feedback with multistep delays. We present a satisfaction relation between the block diagram and contract and present a refinement relation between the contracts. We prove that if the Simulink block diagram satisfies the composition contract and the composition contract refines the system specifications, the block diagram is correct relative to the system specifications. Furthermore, we demonstrate the effectiveness of our method via a real-world case study originating from the control system of a reservoir. Our method can also provide an idea to verify whether the designed CPS is planted with a logic bomb by attackers.

Extending dynamic logic with refinements of abstract actions

Abstract Humans can make a plan by refining abstract actions. Dynamic logic, which enables reasoning about the dynamics of actions, does not support this form of planning. This paper investigates the extension of dynamic logic with a refinement relation that specifies how an abstract action can be refined into a more specific (composite) action. The paper investigates the properties of the refinement relation, the derivation of the refinement relation and a proof system based on a prefixed-tableau.

Structured Proofs for Adversarial Cyber-Physical Systems

Many cyber-physical systems (CPS) are safety-critical, so it is important to formally verify them, e.g. in formal logics that show a model’s correctness specification always holds. Constructive Differential Game Logic ( CdGL ) is such a logic for (constructive) hybrid games, including hybrid systems. To overcome undecidability, the user first writes a proof, for which we present a proof-checking tool. We introduce Kaisar , the first language and tool for CdGL proofs, which until now could only be written by hand with a low-level proof calculus. Kaisar’s structured proofs simplify challenging CPS proof tasks, especially by using programming language principles and high-level stateful reasoning. Kaisar exploits CdGL ’s constructivity and refinement relations to build proofs around models of game strategies. The evaluation reproduces and extends existing case studies on 1D and 2D driving. Proof metrics are compared and reported experiences are discussed for the original studies and their reproductions.

Precise subtyping for asynchronous multiparty sessions

Session subtyping is a cornerstone of refinement of communicating processes: a process implementing a session type (i.e., a communication protocol) T can be safely used whenever a process implementing one of its supertypes T ′ is expected, in any context, without introducing deadlocks nor other communication errors. As a consequence, whenever T T ′ holds, it is safe to replace an implementation of T ′ with an implementation of the subtype T , which may allow for more optimised communication patterns. We present the first formalisation of the precise subtyping relation for asynchronous multiparty sessions. We show that our subtyping relation is sound (i.e., guarantees safe process replacement, as outlined above) and also complete : any extension of the relation is unsound. To achieve our results, we develop a novel session decomposition technique, from full session types (including internal/external choices) into single input/output session trees (without choices). Previous work studies precise subtyping for binary sessions (with just two participants), or multiparty sessions (with any number of participants) and synchronous interaction. Here, we cover multiparty sessions with asynchronous interaction, where messages are transmitted via FIFO queues (as in the TCP/IP protocol), and prove that our subtyping is both operationally and denotationally precise. In the asynchronous multiparty setting, finding the precise subtyping relation is a highly complex task: this is because, under some conditions, participants can permute the order of their inputs and outputs, by sending some messages earlier or receiving some later, without causing errors; the precise subtyping relation must capture all such valid permutations — and consequently, its formalisation, reasoning and proofs become challenging. Our session decomposition technique overcomes this complexity, expressing the subtyping relation as a composition of refinement relations between single input/output trees, and providing a simple reasoning principle for asynchronous message optimisations.

Jupiter Made Abstract, and Then Refined

Collaborative text editing systems allow multiple users to concurrently edit the same document, which can be modeled by a replicated list object. In the literature, there is a family of operational transformation (OT)-based Jupiter protocols for replicated lists, including AJupiter, XJupiter, and CJupiter. They are hard to understand due to the subtle OT technique, and little work has been done on formal verification of complete Jupiter protocols. Worse still, they use quite different data structures. It is unclear about how they are related to each other, and it would be laborious to verify each Jupiter protocol separately. In this work, we make contributions towards a better understanding of Jupiter protocols and the relation among them. We first identify the key OT issue in Jupiter and present a generic solution. We summarize several techniques for carrying out the solution, including the data structures to maintain OT results and to guide OTs. Then, we propose an implementation-independent AbsJupiter protocol. Finally, we establish the (data) refinement relation among these Jupiter protocols (AbsJupiter included). We also formally specify and verify the family of Jupiter protocols and the refinement relation among them using TLA+ (TLA stands for “Temporal Logic of Actions”) and the TLC model checker. To our knowledge, this is the first work to formally specify and verify a family of OT-based Jupiter protocols and the refinement relation among them. It would be helpful to promote a rigorous study of OT-based protocols.

Inputs and Outputs in CSP

This article addresses refinement and testing based on CSP models, when we distinguish input and output events. In a testing experiment, the tester (or the environment) controls the inputs, and the system under test controls the outputs. The standard models and refinement relations of CSP, however, do not differentiate inputs and outputs and are not, therefore, entirely suitable for testing. Here, we consider an alphabet of events partitioned into inputs and outputs, and we present a novel refusal-testing model for CSP with a notion of input-output refusal-traces refinement. We compare that with the ioco relation often used in testing, and we find that it is more widely applicable and stronger. This means that mistakes found using traditional ioco testing do indicate mistakes in the development. Finally, we provide a CSP testing theory that takes into account inputs and outputs. With our theory, it becomes feasible to develop techniques and tools for automatic generation of realistic and sound tests from CSP models. Our work reconciles the normally disparate areas of refinement and (formal) testing by identifying how ioco testing can be used to inform refinement-based results and vice-versa.

A refinement checking based strategy for component-based systems evolution

We propose inheritance and refinement relations for a CSP-based component model (BRIC), which supports a constructive design based on composition rules that preserve classical concurrency properties such as deadlock freedom. The proposed relations allow extension of functionality, whilst preserving behavioural properties. A notion of extensibility is defined on top of a behavioural relation called convergence, which distinguishes inputs from outputs and the context where they are communicated, allowing extensions to reuse existing events with different purposes. We mechanise the strategy for extensibility verification using the FDR4 tool, and illustrate our results with an autonomous healthcare robot case study.

Symbolic abstractions for nonlinear control systems via feedback refinement relation

This paper studies the construction of symbolic abstractions for nonlinear control systems via feedback refinement relation. Both the delay-free and time-delay cases are addressed. For the delay-free case, to reduce the computational complexity, we propose a new approximation approach for the state and input sets based on a static quantizer, and then a novel symbolic model is constructed such that the original system and the symbolic model satisfy the feedback refinement relation. For the time-delay case, both static and dynamic quantizers are combined to approximate the state and input sets. This leads to a novel dynamic symbolic model for time-delay control systems, and a feedback refinement relation is established between the original system and the symbolic model. Finally, a numerical example is presented to illustrate the obtained results.

Fuzzy Alternating Refinement Relations Under the Gödel Semantics

Refinement relations, such as trace containment, simulation preorder, and their alternating versions, have been successfully applied in formal verification of concurrent systems. Recently, trace containment and simulation preorder have been adopted and developed in fuzzy systems, but the generalization of their alternating versions to fuzzy systems has not been investigated. To satisfy the need for modeling and analyzing fuzzy systems, this article proposes two types of refinement relations called fuzzy alternating trace containment and fuzzy alternating simulation preorder, based on fuzzy concurrent game structures (FCGSs) under the Gödel semantics. These two fuzzy notions inherit properties from the corresponding classical setting. For example, fuzzy alternating simulation preorder for finite-state FCGSs can be computed in polynomial time; fuzzy alternating simulation preorder is a fuzzy subset of fuzzy alternating trace containment, and both relations can be logically characterized in terms of fuzzy version of alternating-time temporal logic. These properties make the theory developed here suitable for the modeling and verification of fuzzy systems.

Верификация соответствия между разноуровневыми моделями функциональных требований

The paper considers the problem of verification of compliance between models representing the same system on different level of abstraction. The existing approaches are mostly based on refinement relation. But the models representing industrial systems are quite big and complex, while semantics gap between the level is quite big. As a result, the existing methods became too complex and labour intensive. The paper presents new verification techniques that targets to prove multimodel compliance in terms of individual trace semantics. The techniques assume that each model is verified, i.e. it is proved that starting from initial states of labelled transition system is not possible to reach unsafe states by using valid transitions. The first proposed technique allows to prove that the detailed model satisfies to requirements of the abstract model, i.e. reachable states of detailed model do not include states corresponding to unsafe states of the abstract model. The second proposed technique allows to prove that the detailed model satisfies to behaviour specification of the abstract model, i.e. all reachable transitions of the detailed model do not include transitions corresponding to invalid transitions of the abstract model. For each technique the correspondence relation is defined in terms of the models, i.e. the relations are formally defined and they can be used for analysis with interactive or automated provers. At the same time, there are some requirements to that relations that are expressed in terms of low level events that exist hypothetically only and can be analyzed theoretically only. As a result, the proposed techniques provides a reasonable approach to prove compliance between mulilevel models in more approachable way for industrial settings.

Верификация соответствия между разноуровневыми моделями функциональных требований

The paper considers the problem of verification of compliance between models representing the same system on different level of abstraction. The existing approaches are mostly based on refinement relation. But the models representing industrial systems are quite big and complex, while semantics gap between the level is quite big. As a result, the existing methods became too complex and labour intensive. The paper presents new verification techniques that targets to prove multimodel compliance in terms of individual trace semantics. The techniques assume that each model is verified, i.e. it is proved that starting from initial states of labelled transition system is not possible to reach unsafe states by using valid transitions. The first proposed technique allows to prove that the detailed model satisfies to requirements of the abstract model, i.e. reachable states of detailed model do not include states corresponding to unsafe states of the abstract model. The second proposed technique allows to prove that the detailed model satisfies to behaviour specification of the abstract model, i.e. all reachable transitions of the detailed model do not include transitions corresponding to invalid transitions of the abstract model. For each technique the correspondence relation is defined in terms of the models, i.e. the relations are formally defined and they can be used for analysis with interactive or automated provers. At the same time, there are some requirements to that relations that are expressed in terms of low level events that exist hypothetically only and can be analyzed theoretically only. As a result, the proposed techniques provides a reasonable approach to prove compliance between mulilevel models in more approachable way for industrial settings.

Symbolic Supervisory Control of Periodic Event-Triggered Control Systems

Abstract This paper studies supervisory control of periodic event-triggered control (PETC) systems based on the construction of symbolic abstractions. To this end, we first construct symbolic abstractions for PETC systems, and establish feedback refinement relation from the PETC system to its symbolic models. Here, the constructed symbolic models are represented by the form of discrete event systems (DESs), including extended finite state machines, finite state machines, and classic DESs. With the constructed symbolic models, we study the supervisory control of PETC systems to achieve the desired specification. Since the constructed symbolic models are nondeterministic, we first transfer the symbolic models into deterministic versions, and then verify the existence of the supervisor. Finally, the obtained results are illustrated via a numerical example.

Specification and inference of trace refinement relations

The modern software engineering process is evolutionary, with commits/patches begetting new versions of code, progressing steadily toward improved systems. In recent years, program analysis and verification tools have exploited version-based reasoning, where new code can be seen in terms of how it has changed from the previous version. When considering program versions, refinement seems a natural fit and, in recent decades, researchers have weakened classical notions of concrete refinement and program equivalence to capture similarities as well as differences between programs. For example, Benton, Yang and others have worked on state-based refinement relations . In this paper, we explore a form of weak refinement based on trace relations rather than state relations. The idea begins by partitioning traces of a program C 1 into trace classes, each identified via a restriction r 1 . For each class, we specify similar behavior in the other program C 2 via a separate restriction r 2 on C 2 . Still, these two trace classes may not yet be equivalent so we further permit a weakening via a binary relation A on traces, that allows one to, for instance disregard unimportant events, relate analogous atomic events, etc. We address several challenges that arise. First, we explore one way to specify trace refinement relations by instantiating the framework to Kleene Algebra with Tests (KAT) due to Kozen. We use KAT intersection for restriction, KAT hypotheses for A , KAT inclusion for refinement, and have proved compositionality. Next, we present an algorithm for automatically synthesizing refinement relations, based on a mixture of semantic program abstraction, KAT inclusion, a custom edit-distance algorithm on counterexamples, and case-analysis on nondeterministic branching. We have proved our algorithm to be sound. Finally, we implemented our algorithm as a tool called Knotical, on top of Interproc and Symkat. We demonstrate promising first steps in synthesizing trace refinement relations across a hand-crafted collection of 37 benchmarks that include changing fragments of array programs, models of systems code, and examples inspired by the thttpd and Merecat web servers.