Chunks: Component Verification in CSP Steve Schneider & Helen Treharne, Surrey Neil Evans, Southampton http://www.csp-b.org
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Chunks: Component Verification in CSP
Steve Schneider & Helen Treharne, SurreyNeil Evans, Southampton
http://www.csp-b.org
CSP Controlled B machines B machines as concurrent components (good for data-
rich aspects) CSP processes as controllers (good for patterns of
communication) Combination underpinned by CSP semantics for B Tap into tools for CSP and for B
B machine
CSP process
B operations
Example
MACHINE SwitchVARIABLES switchINITIALISATION switch := offOPERATIONS light = PRE switch = off THEN switch := on END;
dark = PRE switch = on THEN switch := off ENDEND
B machine CSP controller
Consistency Operations must be called within their
preconditions Established techniques available (based
on wp semantics) for establishing consistency between a controller and a controlled machine.
Consistency expressed as divergence-freedom
Divergence-freedom means operations called within their preconditions
Combining Components
• System divergence-free if each pair is
• System deadlock-free if CSP part is.
• System meets particular specs if CSP part does
CSP CSPCSP
B BB
Sorted? Not quite.Odd-Even example
MACHINE OddVARIABLES nnINVARIANT odd(nn)OPERATIONS odd_set(ii) = PRE odd(ii) THEN nn := ii END;jj <-- odd_get = jj := nnEND
MACHINE EvenVARIABLES mmINVARIANT even(mm)OPERATIONS even_set(ii) = PRE even(ii) THEN mm := ii END;jj <-- even_get = jj := mmEND
odd_get.7 odd_set.9
eopass.9
even_get.8 even_set.8
oepass.8
Component Consistency
MACHINE Odd…
odd_set(ii) = PRE odd(ii) THEN nn := ii END;…END
odd_get.m odd_set.n
eopass?n
oepass.m+1
Consistency relies on n being odd
Guarantees m even
<odd(n)>
{even(m)}
Introduceblocking assertion
divergingassertion
Consistency of ODD_CTRL’and Odd guarantees m evenunder assumption of n odd
Lifting state
Sometimes we need to relate assertions to the B state
To do this, we lift relevant state to the CSP level
transfer.tim
add.tim
but T not in CSP
Interaction
transfer.tim
add.timtake.tim
Decomposing requirements
Chunks – discharging proof obligations (chunks theorem) Split the network into chunks – each
assertion needs to be diverging in at least one chunk. Can be blocking in all others.
Chunks need to be divergence-free – this can be checked by FDR (for CSP parts) or by wp technique (CSP||B technique)
Then the system is divergence-free
Chunks
P<P>{P}
Every predicate must have a chunk where it diverges (verify)In other chunks it can block (assumption)
Current work More elaborate architectures (B
machines interact with more than one controller)
Hardware/software codesign Links to software development
methodology (industrial partner)
http://www.csp-b.org
Related Documents
