Refinement preserving approximations for the design and verification of heterogeneous systems

Roberto Passerone, Jerry R. Burch, Alberto L. Sangiovanni-Vincentelli
2006, Formal Methods in System Design, vol. 31, pp. 1-33
Embedded systems are electronic devices that function in the context of a real environment, by sensing and reacting to a set of stimuli. Because of their close interaction with the environment, and to simplify their design, different parts of an embedded system are best described using different notations and different techniques. In this case, we say that the system is heterogeneous. We informally refer to the notation and the rules that are used to specify and verify the elements of heterogeneous systems and their collective behavior as a model of computation. In this paper, we consider different classes of relationships between models of computation and discuss their preservation properties with respect to the model's refinement relation and composition operator. In particular, we focus on abstraction and refinement relationships in the form of abstract interpretations and introduce the notion of conservative approximation. We show that, unlike abstract interpretations, conservative approximations preserve refinement verification results from an abstract to a concrete model while avoiding false positives. We also characterize the relationship between abstract interpretations and conservative approximations, and derive necessary and sufficient conditions to obtain a conservative approximation from a pair of abstract interpretations. In addition, we use the inverse of a conservative approximation to identify components that can be used indifferently in several models, thus enabling reuse across models of computation. The concepts described in this paper are illustrated with examples from continuous time and discrete time models of computation.

R. Passerone: Cadence Design Systems, 1995 University

Embedded systems are electronic devices that function in the context of a real environment, by sensing and reacting to a set of stimuli. Because of their close interaction with the environment, and to simplify their design, different parts of an embedded system are best described using different notations and different techniques. In this case, we say that the system is heterogeneous. For example, the model of the software application that runs on a distributed collection of nodes in a sensor network is often concerned only with the initial and final state of the behavior of a reaction. In contrast, the particular sequence of actions of the reaction could be relevant to the design of one instance of a node.
Likewise, the notation employed in reasoning about a resource management subsystem is often incompatible with the handling of real-time deadlines, typical of communication protocols. This form of heterogeneity is also reflected in the structure of the design teams, which increasingly consist of highly specialized groups that focus on the solution of a particular task, under the direction of the system architects. Designers benefit from this separation. First, the system is naturally partitioned into smaller and more manageable parts. Second, and more importantly, designers are free to select for each subsystem the rules that are used to specify its behavior as a hierarchical collection of modules (composition), and to verify that such behavior conforms to a specification (refinement verification). These rules vary widely across different modeling domains, such as the ones outlined above. The restrictions and the intrinsic properties of these rules, which we collectively refer to as a model of computation, are the basis of domain-specific techniques that can be used to more easily guarantee the correctness of the implementation. While specified separately, subsystems must eventually interact to form the system behavior, and will in fact do so in the physical implementation. However, system designers are typically unwilling to wait until the final stages of the implementation to validate the system functionality and performance metrics, because the cost of fixing design and specification errors increases dramatically in the later phases of the design flow, as amply documented for electronic systems, software and integrated circuits. The costs associated with late discovery of errors and, in particular, of integration errors, have risen to a point where they are no longer sustainable. As a case in point, consider the recent recalls by Mercedes-Benz of 1.5 million cars for problems with the braking subsystem.
Consequently, the ability of the system designer to specify, manage, and verify the functionality and performance of concurrent behaviors, within and across heterogeneous boundaries, is essential. Most design methodologies that address these problems are based on the processes of abstraction and refinement, that is, on the application of maps that convert and relate different models of computation. However, crossing the boundaries between abstraction levels by abstracting and refining a specification is often not trivial. The most common pitfalls include mishandling of corner cases and inadvertently misinterpreting changes in the communication semantics. These problems arise from a poor understanding, and the lack of a precise definition, of the abstraction and refinement maps used in the flow; such maps therefore provide little if any guarantee that a given set of constraints and specifications is satisfied, unless one resorts to extensive simulation or tests on prototypes. In the face of growing complexity, however, this approach will have to yield to more rigorous methods. In addition, abstraction and refinement should be designed to preserve, whenever possible, the properties of the design that have already been established. This is essential to increase the value of early, high-level models and to guarantee a speedier path to implementation.

The objective of this paper is to approach the problem of abstraction and refinement from a formal standpoint, and to study and compare the preservation properties of different forms of abstraction. In particular, we study abstractions that preserve positive refinement verification results (the relation between an implementation and a specification) from an abstract modeling domain to a concrete modeling domain. This property of an abstraction is useful because, presumably, verification is more efficient at the abstract level than at the concrete one.
In this paper, we focus in particular on abstraction and refinement relationships in the form of abstract interpretations [8, 9] and of conservative approximations [3-6, 24]. Abstract interpretations are a widely used means of relating different domains of computation for the purpose of facilitating the analysis of a system. An abstract interpretation between two domains of computation consists of an abstraction function and a concretization function that form a Galois connection. The distinguishing feature of an abstract interpretation is that the concretization of the evaluation of an expression using the operators of the abstract domain of computation is guaranteed to be an upper bound of the corresponding evaluation of the same expression using the operators of the concrete domain. Hence, a conservative evaluation can be carried out at the more abstract level, where it is potentially computationally more efficient. Refinement verification, however, is unsound under an abstract interpretation: a positive refinement verification result at the abstract level does not guarantee a corresponding refinement verification result at the concrete level. This problem is overcome by using conservative approximations. The concept of a conservative approximation in our work is derived from the one introduced by Burch [3]. Here we generalize this approach and apply it to a domain of arbitrary agents, rather than assuming that an agent is modeled by a set of executions. We also decompose the definition of conservative approximation to highlight and discuss its compositionality properties, and study its relationship with traditional notions of abstraction. Conservative approximations are closely related to abstract interpretations, as will be shown later in Section 6. We show, however, that unlike Galois connections, conservative approximations preserve refinement verification from an abstract to a concrete model while avoiding false positive results.
This can be accomplished with conservative approximations because they employ two separate abstraction functions, one for the implementation and one for the specification. Our study also shows that this is a necessary condition for the preservation of refinement, and one that is not satisfied by a Galois connection. Conservative approximations and abstract interpretations are nonetheless strongly related. The main result of this paper is that a pair of Galois connections can be used to construct a conservative approximation. This result is important because it extends the rich field of abstract interpretations to refinement verification. We examine and determine the exact conditions under which this result holds.

The study of heterogeneous systems is also a central theme of both the Metropolis [2] and the Ptolemy [18] projects. In Metropolis, a system is composed of processes that communicate over media expressed in a meta-model of computation. Their combination, and their relationships, implicitly determine the interaction semantics. Because of its generality, the underlying meta-model fabric can be used to promote reuse of diverse components. The communication media, however, must be carefully designed to resolve possible incompatibilities. Our work can be thought of as the theoretical basis for the use of the meta-model to represent heterogeneous systems. The techniques presented in this paper, in fact, expose the relationships between the different models and help the designer build media that adapt
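The two refinement checks contrasted above, as an added illustration that is not from the paper: a Galois connection between finite integer sets and intervals, under which abstract evaluation is a sound upper bound but a positive abstract refinement check can be a false positive, beside a conservative approximation built from two abstraction functions (an over-approximation psi_u applied to the implementation and an under-approximation psi_l applied to the specification) that cannot produce one. The interval domain, the names alpha, gamma, psi_u and psi_l, and this particular construction of psi_l are my assumptions, not the paper's formal development.

```python
from itertools import product
# Concrete model: finite sets of integers, refinement = subset.
# Abstract model: closed intervals (lo, hi); None is the empty interval (bottom).
def alpha(s):
    """Abstraction: tightest interval enclosing s."""
    return (min(s), max(s)) if s else None

def gamma(i):
    """Concretization: every integer inside the interval."""
    return frozenset(range(i[0], i[1] + 1)) if i else frozenset()

def abs_leq(a, b):
    """Abstract refinement: interval containment (bottom is below everything)."""
    return a is None or (b is not None and b[0] <= a[0] and a[1] <= b[1])

def is_galois_connection(s, i):
    """alpha(s) <= i  iff  s <= gamma(i): the defining property of a Galois connection."""
    return abs_leq(alpha(s), i) == (s <= gamma(i))

def concrete_add(s, t):
    return frozenset(x + y for x, y in product(s, t))
def abs_add(a, b):
    return None if a is None or b is None else (a[0] + b[0], a[1] + b[1])

def abstract_eval_is_sound(s, t):
    """Evaluating '+' abstractly yields an upper bound of the concrete result."""
    return concrete_add(s, t) <= gamma(abs_add(alpha(s), alpha(t)))

def galois_refines(impl, spec):
    """Refinement check in the abstract domain using the single abstraction alpha."""
    return abs_leq(alpha(impl), alpha(spec))

# Conservative approximation (assumed construction): two abstraction functions. psi_u
# over-approximates and is applied to the implementation; psi_l under-approximates and is
# applied to the specification: it keeps alpha(s) only when s is exactly an interval, else bottom.
def psi_u(s):
    return alpha(s)
def psi_l(s):
    return alpha(s) if gamma(alpha(s)) == s else None

def conservative_refines(impl, spec):
    """psi_u(impl) <= psi_l(spec) implies impl <= spec, so no false positives."""
    return abs_leq(psi_u(impl), psi_l(spec))

def in_both_models(s):
    """The approximation's inverse is defined where psi_u and psi_l agree: s is usable in both models."""
    return psi_u(s) == psi_l(s)
# Constructed sample agents: the implementation can produce 5, which the specification forbids.
IMPL = frozenset({0, 5, 10})
SPEC = frozenset(range(0, 11)) - {5}
```

On these constructed agents galois_refines(IMPL, SPEC) returns True even though IMPL is not a subset of SPEC, while conservative_refines(IMPL, SPEC) returns False.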
doi:10.1007/s10703-006-0024-z