control-intensive reactive systems such as communication
protocols. Later, research on model checking addressed verification of infinite state systems by using abstractions.
13, 34
The evolution of abstract interpretation is driven by the
concern for finding adequate abstract domains for efficient verification of program properties by computing
approximations of reachability sets. Model checking has
had a broader application scope, including hardware, software, and systems. Furthermore, depending on the type of
properties to be checked, model checking algorithms may
involve computation of multiple fixed points. I believe that
the combination of the two algorithmic approaches can
still lead to significant progress in the state of the art, e.g.,
by using libraries of abstract domains in model checking
algorithms.
The second avenue addresses significant long-term
progress in defeating complexity. It involves moving from
monolithic verification to compositional techniques. We
need divide-and-conquer approaches for inferring global
properties of a system from the properties of its components. The current state of the art does not meet our
initial expectations. The main approach is by “
assume-guarantee,” where properties are decomposed into two
parts. One is an assumption about the global behavior
of the system within which the component resides; the
other is a property guaranteed by the component when the
assumption about its environment holds. As discussed
in a recent paper,
15 many issues make it difficult to apply
assume-guarantee rules, in particular because synthesis of
assumptions (when feasible) may cost as much as monolithic verification.
In my opinion, any general compositional verification
theory will be highly intractable and will be of theoretical
interest only. We need to study compositionality results for
particular classes of properties and/or particular classes of
systems as explained below.
3. 2. from a posteriori Verification to constructivity
A big difference between Computer Engineering and
more mature disciplines based on Physics, e.g., Electrical
Engineering, is the importance of verification for achieving
correctness. These disciplines have developed theory guaranteeing by construction the correctness and predictability
of artifacts. For instance, the application of Kirchoff’s laws
allows building circuits that meet given properties.
My vision is to investigate links between compositional
verification for specific properties and results allowing constructivity. Currently, there exists in Computer Science an
important body of constructivity results about architectures
and distributed algorithms.
1. We need theory and methods for building faithful models of complex systems as the composition of heterogeneous components, e.g., mixed software/hardware
systems. This is a central problem for ensuring correct
interoperation, and meaningful refinement and integration of heterogeneous viewpoints. Heterogeneity
has three fundamental sources which appear when
composing components with different (a) execution
models, e.g., synchronous and asynchronous execu-
tion, (b) interaction mechanisms such as locks, monitors, function calls, and message passing, and (c)
granularity of execution, e.g., hardware and software.
29
We need to move from composition frameworks
based on the use of a single low-level parallel composition operator, e.g., automata-based composition,
to a unified composition paradigm encompassing
architectural features such as protocols, schedulers,
and buses.
2. In contrast to existing approaches, we should investigate compositionality techniques for high-level
composition operators and specific classes of properties. I propose to investigate two independent
directions:
• One direction is studying techniques for specific
classes of properties. For instance, finding compositional verification rules guaranteeing deadlock-freedom or mutual exclusion instead of investigating
rules for safety properties in general. Potential deadlocks can be found by analysis of dependencies
induced by interactions between components.
28 For
proving mutual exclusion, a different type of analysis
is needed.
• The other direction is studying techniques for particular architectures. Architectures characterize the
way interaction among a system’s components is
organized. For instance, we might profitably study
compositional verification rules for ring or star
architectures, for real-time systems with preempt-able tasks and fixed priorities, for time-triggered
architectures, etc. Compositional verification rules
should be applied to high-level coordination mechanisms used at the architecture level, without
translating them into a low-level automata-based
composition.
The results thus obtained should allow us to identify “
verifiability” conditions (i.e., conditions under which verification
of a particular property and/or class of systems becomes
scalable). This is similar to finding conditions for making
systems testable, adaptable, etc. In this manner, compositionality rules can be turned into correct-by-construction
techniques.
Recent results implemented in the D-Finder tool5, 6 provide some illustration of these ideas. D-Finder uses heuristics for proving compositionally global deadlock-freedom of
a component-based system, from the deadlock-freedom of
its components. The method is compositional and proceeds
in two steps.
• First, it checks that individual components are deadlock-free. That is, they may block only at states where they are
waiting for synchronization with other components.
• Second, it checks if the components’ interaction graph is
acyclic. This is a sufficient condition for establishing
global deadlock-freedom at low cost. It depends only on
the system architecture. Otherwise, D-Finder symbolically
