Compositional Abstraction Refinement for Component-Based Systems

Zhang, Lianyi; Meng, Qingdi; Lo, Kueiming

doi:https://doi.org/10.1155/2014/703098

Journal of Applied Mathematics

On this page

Abstract Introduction Preliminaries Examples Conclusions Acknowledgments References Copyright Related Articles

Special Issue

Intelligent Modeling and Verification 2014

View this Special Issue

Research Article | Open Access

Volume 2014 | Article ID 703098 | https://doi.org/10.1155/2014/703098

Compositional Abstraction Refinement for Component-Based Systems

Lianyi Zhang,¹Qingdi Meng,¹and Kueiming Lo¹

Academic Editor: Xiaoyu Song

Received14 Mar 2014

Accepted09 May 2014

Published11 Jun 2014

Abstract

The efficiency of the compositional verification of invariants depends on the abstraction, which may lead to verification incompleteness. The invariant strengthening and state partitioning techniques are proposed in this paper. The former could refine the overapproximation by removing the unreachable states, and the latter is a variant of counterexample-guided abstraction refinement. Integrated with these two refinement techniques, a unified compositional verification framework is presented to strengthen the abstraction and find counterexamples. Some examples are included to show that the verification of the safety properties in component-based systems has been achieved by our framework.

1. Introduction

A component-based system is made up of several components using a set of glue (interactions) that describes the coordination between components [1]. Some components, like program processes, contain local data and control information to determine their own behaviors, and their interactions represent the communication between components. Component-based system has the advantages that the development can be simplified and the time-to-market would be reduced. However, the tremendously high (or even infinite) number of states of the components makes the verification of properties of these systems intractable. In this paper, we discuss the compositional verification using abstraction refinement techniques on component-based systems.

Compositional verification would alleviate the problem of state explosion in concurrent model checking, especially in conjunction with abstraction. The work in [2, 3] proposed an automated compositional abstraction framework which differs in the communication method. The abstraction procedure in [2] is guided by the data (interaction through shared variables) of the model while it is guided by the action (interaction through message-passing event) in [3]. Thread modular reasoning is also a compositional abstraction framework proposed in [4], which automatically generates the environment for each thread by analyzing its interaction. Compositional verification using abstraction refinement techniques on component-based systems has been extensively studied. Malkis et al. combined CEGAR and thread modular reasoning in their proposed technique [5], called thread-modular CEGAR. The technique computed reachable states with Cartesian abstraction. They directly compute the reachable states for all processes of the compositional system in an explicit way. Then refinement was applied to eliminate unreachable states by removing them from the Cartesian product. A technique closely related to compositional verification is assume-guarantee reasoning. Henzinger et al. [6, 7] proposed a component-based verification algorithm which is complete for verifying safety properties. They first initialize each component as true (the most abstract model which essentially accepts any behaviors) and then iteratively refine them by adding new auxiliary predicates, whereas they initialize the guarantee of the components as false (the most abstract model which essentially rejects any behaviors) and refine them successively by considering abstraction of current component and guarantees of other components.

Another interesting branch for compositional verification is the inductive invariant based method [8–10]. The properties established from the verification are usually invariants. Given a property on component-based system states, compositional verification of invariant is to verify whether the given property can be inferred from the invariants of their components. Divide-and-conquer approaches can be applied in compositional verification to infer global invariants from local invariants. A compositional verification method based on the inductive invariant is presented in [11, 12]. In this approach, the property of the component-based system can be inferred by the compositional verification rule which is referred to as the component invariant and the interaction invariant. This approach is incomplete. Given a property (predicate), if the conjunction of the component invariants and the interaction invariants is able to establish the property, one concludes the verification. Otherwise, one reports that the verification is inconclusive.

The inconclusive problem is due to two reasons. One is the abstraction, which transforms the original system (infinite) to an abstract system (finite). The other is the interaction invariant, which is the overapproximation of the reachable abstract states. Thus, the conjunction of component invariants and the interaction invariant is such an overapproximation that unreachable states in the original system may be computed as reachable in the abstract system, which may include unreachable error states. We propose two refinement techniques, counterexample-guided invariant strengthening and state partitioning to address the inconclusive problem.

A unified compositional abstraction refinement algorithm for the invariant checking problem on component-based systems is given, which contains two phases. At the verification phase, we apply compositional verification to the invariant checking problem. If it suffices to conclude the verification, we are done. Otherwise, the verification algorithm moves to the refinement phases. In the other phase, we first strengthen the interaction invariant and remove the spurious counterexamples. After the invariant is strengthened, we analyze the remaining counterexamples and partition abstract states. When our algorithm returns to the verification phase, added states will induce a refined abstract model.

The rest is organized as follows. The component-based system, component invariant, and component abstraction are introduced in Section 2. In Section 3, we introduce the compositional verification of invariant for component-based systems, which is the overapproximation of the system states. We give counterexample-guided invariant strength and partition refinement methods in Section 4. A compositional verification framework integrated with iterative refinement and its correctness proof are presented in Section 5. We show the effectiveness of our proposed method in Section 6 and then conclude in Section 7.

2. Preliminaries

In this section, we present concepts and definitions that are used in this paper. We start with the overview of component-based systems, which includes the concepts of atomic component, interaction, and compound component. In the rest of this section, we introduce the concepts for the component invariant and abstraction.

2.1. Component-Based System

Component-based system is a basic model of wide-ranging concurrent systems. It is proven in [13] that such a hierarchical model can be converted to semantically equivalent flat model. Therefore, instead of analyzing complex hierarchical structure, we concentrate on two-level structure in this paper. The lower level of the component-based system is atomic component, and the higher level is compound component which is composed of several atomic components with a set of interactions.

An atomic component is a transition system, denoted by a tuple , where is a transition system; that is, is a set of control locations, is a set of ports, and is a set of transitions. is a set of variables and for each , respectively, is a guard, a predicate on , and is an update relation, a formula on (current) and (next) state variables. Given a transition , and are, respectively, the source and target location denoted by ▪ and ▪.

Given a set of components where , an interaction is a set of ports, subset of , such that, for all s.t. . The is a set of transitions , for arbitrary , which have to execute synchronously.

A compound component is also a transition system, denoted by , where(1) is the transition system such that(i) is a set of control locations,(ii) contains transitions obtained by synchronization of sets of transitions such that and if , for arbitrary ;(2) and for , the transition trans() resulting from the synchronization of a set of transitions , the associated guard and update predicate are, respectively, and .

A typical transition system (e.g., a component ) contains control states, usually the program counter which takes values from the set of control locations. Control states are defined by formulas of the form , where . Additionally, we assume that for each transition , we get a transition formula written as where .

Definition 1 (component system). A component system is denoted by , where is a component (atomic or compound component) and is the initial predicate of the system.

2.2. Component Invariant

Most properties established during verification are either invariants or depend on invariants. To prove that a predicate is an invariant of some system , we need to find such a predicate that is stronger than and is inductive. In general, for a system , is an invariant of if every initial state of system satisfies and is preserved under all transitions of the system.

Definition 2 (component invariant). Given a component , for a global state predicate , the generated formula by post predicate is , where . A fixed point of the post transformer is a component invariant (formula ) of the component ; that is, .

The component invariant is computed by the predicate transformer. A more detailed technique, as well as other related properties for component invariants, is given in [8, 14] and will not be presented.

Consider a system , where is a component and is a state predicate satisfied by the initial states of . is an invariant of , if it is a component invariant of and .

2.3. Component Abstraction

When original system has real or large range discrete variables, enumeration of concrete states by valuation is impossible. Before computing interaction invariants of the compound system, we need first to generate a finite state abstraction for the component-based system.

In our methodology, given a component-based system , component invariant is automatically generated from a transition system (a component) that describes its behavior, which is represented by the disjunction of atomic formulas, such as . However, instead of using the atomic formulas to generate an abstract system, we use them to construct an abstraction function.

The abstraction function maps an atomic formula to an abstract value of that formula, which preserves the relation among the atomic formulas instead of treating them as independent propositions. The abstraction technique used here is based on the approach proposed by Bensalem et al. in [2, 8]. An abstraction function maps the concrete representation of the atomic predicates to the abstract presentation , called abstract state. We use to represent a set of abstract states.

Definition 3 (abstract component). Given a component , a component invariant of , and the associated abstraction function , the abstract component is denoted by , where (i) is the abstract state, where is the component invariant and is abstraction function,(ii) is a set of ports of ,(iii) is the transition of . For any pair of abstract states and , there exists the transition from to through (denoted by ) if and only if , .

3. Compositional Verification

After the overview of component-based system, the component invariant, and the component abstraction, we first present the compositional verification rule of component-based systems, then we give out the concepts of the verification rules, and last we do the analysis on the overapproximation of the compositional abstraction.

3.1. Compositional Verification Rule

In the approach presented in [11, 12], the property of can be inferred by the following compositional verification rule: where means that is an invariant of component and belongs to the set of interaction invariants . For component , a predicate on the component states is a component invariant of . Before generating the interaction invariants, one needs to compute the abstraction for the components. The abstraction for , denoted by , is computed from by the abstraction function . In the abstract system , we generate the interaction invariant under the global behavior constraint, which is the overapproximation of the reachable abstract states. Given a property (predicate) , if the conjunction of the invariant and the interaction invariants are able to establish the property, one concludes the verification. Otherwise, one reports that the verification is inconclusive.

3.2. Related Concepts

Consider a compound system and a set of component invariants associated with the atomic components. If is an abstraction of with respect to an invariant and its abstraction function for , then is an abstraction of with respect to and an abstraction function obtained as the composition of the .

Definition 4 (abstract system). Given a component system , the abstract system is denoted by , where is the abstraction for a component and , where is the set of the initial abstract states.

The following lemma in [11] says that is an abstraction of and that invariants of the abstract system are also invariants of the concrete system.

Lemma 5. If is an abstraction of with respect to an invariant and its abstraction function, then simulates . Moreover, if is an invariant of , then is an invariant of .

Given an abstract system, interaction invariants characterize constraints on the global abstract state space induced by synchronization among components. Interaction invariants are based on the concept of traps in Petri net, which are computed on finite transition system without variables but abstract locations .

Consider a compound system , where is a transition system. For a set of abstract states , the forward interaction set is denoted by ▪ ▪ where ▪ ▪ is related to some interactions. In each interaction, there exists a transition from participate in. That is, ▪ is composed of sets of transitions involved in some interaction of in which a transition from can participate.

Given a parallel composition , where , a trap [15] is a set of abstract locations such that ▪ ▪.

Definition 6 (interaction invariant). Given an abstract system , if the set of locations is a trap containing the initial states of some components, then is the interaction invariant of .

The characterization of traps in [12] allows one to compute the set of traps [16] using different approaches, including methods of positive mapping or fix-pointed computation.

3.3. Overapproximation

In the compositional verification rule present in Section 1, the conjunction of component invariants and the interaction invariant is an overapproximation of reachable system states. The overapproximation of the compositional verification mainly results from two kinds of abstractions. One is due to the abstraction function, and the other is caused by interaction interference. The conjunction of interaction invariants overapproximates the set of reachable states, which may cause some unreachable error states to be included.

The abstract system for a component is generated by elimination in a conservative way. To check whether , where and , we check that for all transitions we have . When we generate abstract systems, the behaviors of the abstract system are more than the original system’s. As the compositional verification performance on abstract components, the verification is incompleteness.

The conjunction of interaction invariant (a trap) characterizes constraints on the states induced by synchronization among components. States satisfying interaction invariants provide enabled execution information, a local projection of global states on part of components. However, these global states may not be reachable from initial states. Moreover, different interactions may include common ports. The interactions including the same port must exclusively execute, that is, just only one interaction can execute. Interaction invariant cannot characterize this dynamic information.

From the above analysis, we can conclude that invariant-based compositional verification is incomplete. We propose two refinement techniques in conjunction with invariant-based compositional verification rule to get a verification framework. The framework is an iterative scheme which starts from the abstraction until a concrete counterexample is found or until the safety property holds on abstract systems.

We give counterexample-guided invariant strengthening and partition refinement methods in this section.

4.1. Invariant Strengthening

In the first part of this section, we present the invariant strengthening approach. As interaction invariant computed by the greatest fixed point is the overapproximation, counterexamples (represented by the conjunction of abstract states) may be spurious. For this case, we check whether counterexamples can be reachable from the initial states. If not, we generate a fixed point backward from the spurious counterexample and strengthen the invariant by the fixed point.

Given an abstract component system, , where and . Formally, is a finite state machine (FSM) in which(i) is a set of global states; for the abstract state , we can represent it as conjunction (a vector) of local abstract state; that is, ;(ii) is a predicate on global states and ; for , where , there exists , where and ;(iii) is the initial predicate of the abstract system.

A formula is interpreted as the set of all the global states; satisfy . We define the set of the global states from the states via the transition as the smallest set such that if . Consider an abstract component system , where is a set of the global states, is the transition predicate, and is the initial predicate. The converse transition system is defined by . For a formula , we compute all the successor states which are generated from the states hold by . , where and holds . Likewise, we can define , where and holds .

The following lemma [17] says that if none of the states represented by is backward reachable from the initial states, then is an invariant.

Lemma 7. Let be a transition system and an arbitrary formula (or states). If is such that and the formula is unsatisfiable, then is an inductive invariant of .

Corollary 8. If , then the formula corresponding to the complement of the set of is an inductive invariant.

Theorem 9. Assume that is a counterexample and , where is an abstract state of . If , then is the spurious counterexample and the complement of the set of is used to strengthen the invariants of .

Inspired by the above theorem, we propose an approach, called the invariant strengthening, to strengthen the invariants from the compositional verification rule.

We first choose a counterexample and generate a fixed point from the selected counterexample using backward propagation. An abstract state including a counterexample is the conjunction formula of abstract states like , where , which is the product of abstract states of each component. On the abstract system , we do the backward propagation by . Then from a counterexample, we can compute all the global abstract system states using backward propagation. If the intersection of the generated fixed point and the initial states is empty, the counterexample and all of the backward generated fixed points are not reachable from initial states. For this case, we say the selected counterexample is spurious. The invariant strengthening approach removes the spurious counterexample and eliminates the unreachable states generated from the spurious counterexample to strengthen the invariant.

For invariant strengthening, time consumes at counterexample reachable global states set computation. As this set computation is based on fixed-pointed computation and is monotonic, so time complexity for Algorithm 1 is , where is number of global states of abstract system and and the number of abstract states from th component.

Input: Component system , property
Output: or
(1) for each ,
(2) for to do
(3) compute the component invariant based on
(4)
(5) compute the corresponding abstraction based on and
(6) end
(7) from , compute
(8) for to do
(9)
(10) end
(11)
(12) if = then
(13) is an invariant of
(14) return
(15) else
(16) compute counterexample set

(17) if then
(18) return
(19) end
(20) if then
(21) return
(22) else
(23) goto 12
(24) end
(25) end

4.2. Partition Refinement

In this part, we proposed a more effective counterexample-guided method, called partition refinement, which can accelerate abstraction refinement mechanism. Consider the abstraction function which transforms the original infinite system to the finite abstract system. An abstract state is an aggregation of a number of original system states. If a concrete state is part of an abstract state , we cannot make decisions whether is a counterexample, if is a counterexample in concrete system; whether is reachable in concrete system, although is reachable in abstract system. We propose our refinement approach to give the solution of the above question (Figure 1).

In the above approach, we analyze whether the remaining counterexamples are the spurious counterexamples which are caused by inaccurate characterization. To eliminate these spurious counterexamples, we refine the abstract component states by the proposed state partition approach. Consider an abstract system state and a counterexample such that (). We can partition into two states and , and , where ; here we denote and . Assume that there exist and , from which is reachable such that and () hold. We remove from abstract state space and add and into .

From the above, we assume that reach the error-part of and reach the other . In this case, we should add the transitions into the system. If such that (), we add a transition from to (here, stands for both and ); likewise, if , and such that (), we add a transition from to .

Theorem 10. If is a refined system returned by Algorithm 2, then simulates . Moreover, if is an invariant of , then is an invariant of .

Input: Abstract system ,
set of counterexamples , interaction invariant
Output: or
(1) , ,
(2) foreach do
(3) ∖
(4)
(5) if then
(6)
(7) else
(8)
(9) end
(10) end
(11)
(12) if then
(13) return
(14) else
(15) foreach do
(16) if then
(17)
(18) end
(19) end
(20) from split refinement abstract system , compute
new compute interaction invariant
(21) foreach do
(22)
(23) end
(24) return
(25) end

Proof. By Lemma 5, we show that the Algorithm 2 only makes states partition and then has no effect on the simulation relation. If and , then there exists such that , , and . If does not hold, then the abstract state cannot be partitioned by . Otherwise, we split abstract state with disjoint two parts and , and we have and , so we have either or . Then, the refined abstract system simulates . If is an invariant of , then is an invariant of .

For partition refinement method, given a counterexample , state partition in th component, based on , only affects one abstract state to be parted. And a state is parted only once by . As exists quantifier for states needs examines all possible abstract state pairs and so does the quantifier of transitions, state partition needs time complexity as .

The above refinement approaches are applied on the parallel compositional system. However, extended with the decidable theories and symbolic representation, our approaches can be applied on a more complex system like the hierarchical component system.

5. Iteration Verification Framework

In this section, we present the unified verification framework composed of compositional abstraction and our proposed refinement techniques.

Our verification framework for component-based systems is an iterative scheme presented by Algorithm 1. In our framework, there exists the method of abstraction refinement presented by Algorithm 2, which includes the counterexample guided invariant strengthening and abstract state partitioning inspired by CEGAR mechanism. In the Algorithm 1, the unified compositional abstraction refinement for the invariant checking problem on component-based systems is given, which contains two phases.

At the verification phase, we apply compositional verification to the invariant checking problem. If properties can be proven under the current abstraction (see line 12 in Algorithm 1), the verification succeeds immediately. Otherwise, the refinement is performed (see line 16 in Algorithm 1). If the abstraction cannot be further refined by the current reachable counterexample (see line 17 in Algorithm 1), then current counterexample is a genuine counterexample. If current counterexamples are all spurious counterexamples (see line 20 in Algorithm 1), we conclude that verification succeeds. Otherwise, we go to line 23; we get refined abstract system and compute the new more concrete interaction invariant with conjunction of strengthened inductive invariant computed from backward propagation of spurious counterexamples and go back to counterexample guiding abstraction refinement, portion of verification basis, which call for less efforts than previous iteration processes in [11, 12].

At the refinement phase, we first strengthen the interaction invariant and remove the spurious counterexamples. After the invariant is strengthened, we analyze the remaining counterexamples and partition abstract states. When our algorithm returns to the verification phase, added states will induce a refined abstract model. Our refinement method (see Algorithm 2) reconsiders information of counterexamples, which may include Err_I and Err_II, where Err_I is unreachable error state introduced by interaction interference and Err_II is inaccurate local configuration caused by abstraction function. We use the invariant strengthening technique to remove Err_I from the counterexamples and strengthen the invariant use of the counterexample in Err_I. We use the counterexample in Err_II to do the state partition refinement which refines the abstraction until a genuine counterexample is found or the safety property holds on abstract systems.

Theorem 11. Let be a compound component-based system, and let be a specific property predicate. (1)If returns , then ;(2)if returns , then .

Proof. If Algorithm 1 returns from line 14, with the precondition , we get the conclusion that the property satisfied immediately. Otherwise, if all current counterexamples are spurious counterexamples, the verification stops with the property satisfied at line 21. If Algorithm 1 returns from line 18 with and , we get that the abstract system is unable to be refined any more by the current counterexample, which means the counterexample is a real violated behavior truly reachable from the initial configuration and cannot be eliminated by a more concrete system. Otherwise, abstract system should be refined by the next refinement using the current counterexamples.

Theorem 12. Let be a compound component-based system, and let be a specific property predicate. Algorithm always terminates.

Proof. In each refinement iteration, either some new strengthening invariant is added or the abstract system state is split into new states. Note that the state space of abstract system is finite and that the number of possible split states is also finite. In the worst case, the algorithm finally terminated with the refined system is just the original system. Then the algorithm can terminate finally.

Theorem 13. Let be a compound component-based system, and let be a specific property predicate. (1)If , then returns ;(2)if , then returns .

Proof. (1) According to the second statements of Theorem 11, if , Algorithm 1 cannot return with . According to Theorem 12, Algorithm 1 always terminates. Thus, if , then algorithm can only terminate with .
(2) Similarly, according to the first statement of Theorems 11 and 12, if , the algorithm can only terminate with .

6. Examples and Experiments

We will provide certain examples to illustrate the effectiveness of our proposed verification framework.

6.1. Train Gate Controller

Consider the example of the train gate controller [18], which consists of a , a , and a number of . The model presented in Figure 2 describes only one train interacting with the controller and the gate. The controller operates the gate up and down when a train enters and exits, respectively.

The has four locations , one variable , five ports , and eight guarded transitions. The has three locations , a variable , four ports , and six guarded transitions. The has four locations , a variable , four ports , and eight guarded transitions. Three atomic components , , and are composed with a set of interactions: , , , , and . In this example, we aim to verify the TGC system by the initial condition . For the above three atomic components, we generate the following predicates , , and , which are, respectively, the component invariants of , and . Since this system has an infinite number of reachable states. With the application of abstraction function , we transform the original components (infinite) to the computed abstract components (finite) presented in Figure 3. The computed abstract states are , , , (see Table 1).

The interested safety property is that when the train is at the location , the gate is at . We apply the compositional verification rule to check the property. In this model, the verification rule can infer this property, so we get the conclusion of the properties satisfied.

6.2. Temperature Control System

Consider the example of the temperature control system [11, 12] presented in Figure 4. The model consists of three atomic components: , , and .

The has two locations , a variable , three ports , and four guarded transitions. The has two locations , a variable , three ports , and four guarded transitions. Likewise, the has two locations , a variable , three ports , and four guarded transitions. Three atomic components , , and are composed with a set of interactions: , , , , and . In this example, we aim to verify deadlock-freedom of the temperature control system by the initial condition .

For the above three atomic components, we generate the following predicates , , and , which are, respectively, the component invariants of , and . Since this system has an infinite number of reachable states, with the application of abstraction function , we transform the original components (infinite) to the computed abstract components (finite) in Figure 5. The computed abstract states are .

The interaction invariant of the component system is generated from the concept of the trap. The sets of traps for the abstract system are , , , and . After the computation of traps, we generate interaction invariants and then get .

To verify the deadlock-freedom of the temperature control system, we define a predicate which characterizes the set of system states from which all interactions in are disabled. In this example, . If the predicate is an invariant of the temperature control system, then it is deadlock-free. To check that is an invariant, we need a stronger invariant such that (equivalently, ). Based on the previous compositional verification rule, the computed invariant is . To verify the deadlock-freedom of the system, we computed the predicate , which is reduced to(1); (2); (3).

As the invariant is the overapproximate of the reachable states, some spurious counterexamples may be included. We can strengthen invariants and refine the abstract system by our proposed refinement approaches. At first, we analyze the generated counterexamples , , and and check whether the counterexamples are spurious or not by our counterexample-guided invariant strengthening. The abstract states and , which include and , are unreachable from the initial abstract states. Since and are unreachable from the initial abstract states, we can conclude that and are spurious counterexamples. However, we cannot make decisions whether is reachable from the initial states, although is reachable from the initial abstract states.

After the application of invariant strengthening on the abstract system, we eliminate and from counterexamples and strengthen invariants by the generated infeasible states. Now, we refine the abstract system and check whether is genuine counterexample or not by state partition technique. After the application of state partition technique on the abstract system, we get the refined abstract system presented in Figure 6. We split the state into and ; state into and ; state into and . By the state partition technique, finally we find that is a counterexample of the system.

The example is implemented as BIP models and has been translated into timed automata using the tool BIP2UPPAAL [19]. To illustrate effectiveness of our approach, we verify models against property , , and , which means “there exists a run that eventually reaches deadlock states .” As a comparison, we first check both original system and abstract system. The checking results are shown in Table 2. As and are not satisfied by the abstract model, we conclude that and are spurious counterexamples immediately. Then we make partition refinement with . During state partition refinement, states , , and (refer to , , and , resp.) have been partitioned. We verified refined abstract models against property. As is ultimately satisfied and we cannot use to partition models further, we conclude that is a genuine counterexample.

From the above analysis, we have shown the effectiveness of our proposed verification framework. Using our proposed refinement techniques, we reconsidered the counterexamples of the system. We finally identify which are spurious counterexamples and refine the abstract systems.

7. Conclusions

We have proposed a unified framework with iterative refinements for compositional verification of component-based systems. This framework extends invariant-based compositional verification rule with the counterexample-guided invariant strength and state partition techniques. The former removes the spurious counterexample and uses the fixed point generated backward from the spurious to strengthen the system invariant. The latter partitions the abstract states according to the rest counterexamples to refine the abstract system. Both contribute to the unified verification framework which is proved to be sound and complete.

Compared with the invariant-based compositional verification which is incomplete, our verification framework with the iterative refinements can get more precise results with the balance of the verification complexity.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by the Fund NSFC61171121 and the Science Foundation of Chinese Ministry of Education-China Mobile 2012.

References

K. M. Chandy, Parallel Program Design, Springer, 1989.
S. Bensalem, Y. Lakhnech, and S. Owre, “Computing abstractions of infinite state systems compositionally and automatically,” in Computer Aided Verification, pp. 319–331, Springer, 1998.
View at: Publisher Site | Google Scholar | MathSciNet
S. Chaki, J. Ouaknine, K. Yorav, and E. Clarke, “Automated compositional abstraction refinement for concurrent C programs: a two-level approach,” Electronic Notes in Theoretical Computer Science, vol. 89, no. 3, pp. 417–432, 2003.
View at: Publisher Site | Google Scholar
C. Flanagan and S. Qadeer, “Thread-modular model checking,” in Model Checking Software, pp. 213–224, Springer, 2003.
View at: Google Scholar
A. Malkis, A. Podelski, and A. Rybalchenko, “Thread-modular counterexample-guided abstraction refinement,” in Static Analysis, pp. 356–372, Springer, 2011.
View at: Google Scholar
T. A. Henzinger, R. Jhala, R. Majumdar, and S. Qadeer, “Thread-modular abstraction refinement,” in Computer Aided Verification, pp. 262–274, Springer, Berlin, 2003.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
T. A. Henzinger, R. Jhala, and R. Majumdar, “Race checking by context inference,” ACM SIGPLAN Notices, vol. 39, no. 6, pp. 1–13, 2004.
View at: Google Scholar
S. Bensalem, Y. Lakhnech, and S. Owre, “Invest: a tool for the verification of invariants,” in Computer Aided Verification, pp. 505–510, Springer, 1998.
View at: Google Scholar
A. Pnueli, S. Ruah, and L. Zuck, “Automatic deductive verification with invisible invariants,” in Tools and Algorithms for the Construction and Analysis of Systems, pp. 82–97, Springer, 2001.
View at: Google Scholar
T. Arons, A. Pnueli, S. Ruah, Y. Xu, and L. Zuck, “Parameterized verification with automatically computed inductive assertions,” in Computer Aided Verification, pp. 221–234, Springer, Berlin, 2001.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
S. Bensalem, M. Bozga, T.-H. Nguyen et al., “Compositional verification for component-based systems and application,” in Proceedings of the Automated Technology for Verification and Analysis 6th International Symposium (ATVA '08), vol. 5311, pp. 64–79, Seoul, Republic of Korea, 2008.
View at: Google Scholar
S. Bensalem, M. Bozga, T.-H. Nguyen, and J. Sifakis, “Compositional verification for component-based systems and application,” IET Software, vol. 4, no. 3, pp. 181–193, 2010.
View at: Publisher Site | Google Scholar
M. Bozga, M. Jaber, and J. Sifakis, “Source-to-source architecture transformation for performance optimization in BIP,” IEEE Transactions on Industrial Informatics, vol. 6, no. 4, pp. 708–718, 2010.
View at: Publisher Site | Google Scholar
S. Bensalem and Y. Lakhnech, “Automatic generation of invariants,” Formal Methods in System Design, vol. 15, no. 1, pp. 75–92, 1999.
View at: Publisher Site | Google Scholar
J. L. Peterson, Petri Net Theory and the Modeling of Systems, Prentice Hall, Englewood Cliffs, NJ, USA, 1981.
View at: MathSciNet
K. Barkaoui and M. Minoux, “A polynomial-time graph algorithm to decide liveness of some basic classes of bounded Petri nets,” in Application and Theory of Petri Nets, vol. 616, pp. 62–75, Springer, Berlin, 1992.
View at: Publisher Site | Google Scholar | MathSciNet
A. Tiwari, H. Rueß, H. Saïdi, and N. Shankar, “A technique for invariant generation,” in Tools and Algorithms for the Construction and Analysis of Systems, pp. 113–127, Springer, 2001.
View at: Google Scholar
R. Alur and D. L. Dill, “A theory of timed automata,” Theoretical Computer Science, vol. 126, no. 2, pp. 183–235, 1994.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
C. Su, M. Zhou, L. Yin, H. Wan, and M. Gu, “Modeling and verification of component-based systems with data passing using bip,” in Proceedings of the 18th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS '13), pp. 4–13, 2013.
View at: Google Scholar

Copyright

Copyright © 2014 Lianyi Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

912

Downloads

818

Citations

Journal of Applied Mathematics

Intelligent Modeling and Verification 2014

Compositional Abstraction Refinement for Component-Based Systems

Abstract

1. Introduction

2. Preliminaries

2.1. Component-Based System

2.2. Component Invariant

2.3. Component Abstraction

3. Compositional Verification

3.1. Compositional Verification Rule

3.2. Related Concepts

3.3. Overapproximation

4. Refinement Approaches

4.1. Invariant Strengthening

4.2. Partition Refinement

5. Iteration Verification Framework

6. Examples and Experiments

6.1. Train Gate Controller

6.2. Temperature Control System

7. Conclusions

Conflict of Interests

Acknowledgments

References

Copyright