Requirements Analysis of a Quad-Redundant Flight Control System
In this paper we detail our effort to formalize and prove requirements for
the Quad-redundant Flight Control System (QFCS) within NASA's Transport Class
Model (TCM). We use a compositional approach with assume-guarantee contracts
that correspond to the requirements for software components embedded in an AADL
system architecture model. This approach is designed to exploit the
verification effort and artifacts that are already part of typical software
verification processes in the avionics domain. Our approach is supported by an
AADL annex that allows specification of contracts along with a tool, called
AGREE, for performing compositional verification. The goal of this paper is to
show the benefits of a compositional verification approach applied to a
realistic avionics system and to demonstrate the effectiveness of the AGREE
tool in performing this analysis.
Comment: Accepted to NASA Formal Methods 201
Modular and Safe Event-Driven Programming
Asynchronous event-driven systems are ubiquitous across domains such as device drivers, distributed systems, and robotics. These systems are notoriously hard to get right as the programmer needs to reason about numerous control paths resulting from the complex interleaving of events (or messages) and failures. Unsurprisingly, it is easy to introduce subtle errors while attempting to fill in gaps between high-level system specifications and their concrete implementations. This dissertation proposes new methods for programming safe event-driven asynchronous systems. In the first part of the thesis, we present ModP, a modular programming framework for compositional programming and testing of event-driven asynchronous systems. The ModP module system supports a novel theory of compositional refinement for assume-guarantee reasoning of dynamic event-driven asynchronous systems. We build a complex distributed systems software stack using ModP. Our results demonstrate that compositional reasoning can help scale model-checking (both explicit and symbolic) to large distributed systems. ModP is transforming the way asynchronous software is built at Microsoft and Amazon Web Services (AWS). Microsoft uses ModP for implementing safe device drivers and other software in the Windows kernel. AWS uses ModP for compositional model checking of complex distributed systems. While ModP simplifies analysis of such systems, the state space of industrial-scale systems remains extremely large. In the second part of this thesis, we present scalable verification and systematic testing approaches to further mitigate this state-space explosion problem. First, we introduce the concept of a delaying explorer to perform prioritized exploration of the behaviors of an asynchronous reactive program. A delaying explorer stratifies the search space using a custom strategy (tailored towards finding bugs faster), and a delay operation that allows deviation from that strategy.
We show that prioritized search with a delaying explorer performs significantly better than existing approaches for finding bugs in asynchronous programs. Next, we consider the challenge of verifying time-synchronized systems; these are almost-synchronous systems as they are neither completely asynchronous nor synchronous. We introduce approximate synchrony, a sound and tunable abstraction for verification of almost-synchronous systems. We show how approximate synchrony can be used for verification of both time-synchronization protocols and applications running on top of them. Moreover, we show how approximate synchrony also provides a useful strategy to guide state-space exploration during model-checking. Using approximate synchrony and implementing it as a delaying explorer, we were able to verify the correctness of the IEEE 1588 distributed time-synchronization protocol and, in the process, uncovered a bug in the protocol that was well appreciated by the standards committee. In the final part of this thesis, we consider the challenge of programming a special class of event-driven asynchronous systems: safe autonomous robotics systems. Our approach towards achieving assured autonomy for robotics systems consists of two parts: (1) a high-level programming language for implementing and validating the reactive robotics software stack; and (2) an integrated runtime assurance system to ensure that the assumptions used during design-time validation of the high-level software hold at runtime. Combining a high-level programming language and model-checking with runtime assurance helps us bridge the gap between design-time software validation, which makes assumptions about the untrusted components (e.g., low-level controllers) and the physical world, and the actual execution of the software on a real robotic platform in the physical world.
We implemented our approach as DRONA, a programming framework for building safe robotics systems. We used DRONA for building a distributed mobile robotics system and deployed it on real drone platforms. Our results demonstrate that DRONA (with the runtime-assurance capabilities) enables programmers to build an autonomous robotics software stack with formal safety guarantees. To summarize, this thesis contributes new theory and tools to the areas of programming languages, verification, systematic testing, and runtime assurance for programming safe asynchronous event-driven systems across the domains of fault-tolerant distributed systems and safe autonomous robotics systems.
The Measurement Calculus
Measurement-based quantum computation has emerged from the physics community
as a new approach to quantum computation where the notion of measurement is the
main driving force of computation. This is in contrast with the more
traditional circuit model which is based on unitary operations. Among
measurement-based quantum computation methods, the recently introduced one-way
quantum computer stands out as fundamental.
We develop a rigorous mathematical model underlying the one-way quantum
computer and present a concrete syntax and operational semantics for programs,
which we call patterns, and an algebra of these patterns derived from a
denotational semantics. More importantly, we present a calculus for reasoning
locally and compositionally about these patterns.
We present a rewrite theory and prove a general standardization theorem which
allows all patterns to be put in a semantically equivalent standard form.
Standardization has far-reaching consequences: a new physical architecture
based on performing all the entanglement in the beginning, parallelization by
exposing the dependency structure of measurements and expressiveness theorems.
Furthermore, we formalize several other measurement-based models:
Teleportation, Phase and Pauli models, and present compositional embeddings of
them into and from the one-way model. This allows us to transfer all the theory
we develop for the one-way model to these models. This shows that the framework
we have developed has a general impact on measurement-based computation and is
not just particular to the one-way quantum computer.
Comment: 46 pages, 2 figures, Replacement of quant-ph/0412135v1; the new
version also includes formalization of several other measurement-based models:
Teleportation, Phase and Pauli models, and presents compositional embeddings of
them into and from the one-way model. To appear in Journal of AC
Quantitative Robustness Analysis of Quantum Programs (Extended Version)
Quantum computation is a topic of significant recent interest, with practical
advances coming from both research and industry. A major challenge in quantum
programming is dealing with errors (quantum noise) during execution. Because
quantum resources (e.g., qubits) are scarce, classical error correction
techniques applied at the level of the architecture are currently
cost-prohibitive. But while this reality means that quantum programs are almost
certain to have errors, there as yet exists no principled means to reason about
erroneous behavior. This paper attempts to fill this gap by developing a
semantics for erroneous quantum while-programs, as well as a logic for
reasoning about them. This logic permits proving a property we have identified,
called -robustness, which characterizes possible "distance" between
an ideal program and an erroneous one. We have proved the logic sound, and
showed its utility on several case studies, notably: (1) analyzing the
robustness of noisy versions of the quantum Bernoulli factory (QBF) and quantum
walk (QW); (2) demonstrating the (in)effectiveness of different error
correction schemes on single-qubit errors; and (3) analyzing the robustness of
a fault-tolerant version of QBF.
Comment: 34 pages, LaTeX; v2: fixed typo
Encapsulating deontic and branching time specifications
In this paper, we investigate formal mechanisms to enable designers to decompose specifications (stated in a given logic) into several interacting components in such a way that the composition of these components preserves their encapsulation and internal non-determinism. The preservation of encapsulation (or locality) enables a modular form of reasoning over specifications, while the conservation of the internal non-determinism is important to guarantee that the branching time properties of components are not lost when the entire system is obtained. The basic ideas come from the work of Fiadeiro and Maibaum where notions from category theory are used to structure logical specifications. As the work of Fiadeiro and Maibaum is stated in a linear temporal logic, here we investigate how to extend these notions to a branching time logic, which can be used to reason about systems where non-determinism is present. To illustrate the practical applications of these ideas, we introduce deontic operators in our logic and we show that the modularization of specifications also allows designers to maintain the encapsulation of deontic prescriptions; this is in particular useful to reason about fault-tolerant systems, as we demonstrate with a small example.
Fil: Castro, Pablo Francisco. Universidad Nacional de Río Cuarto; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Córdoba; Argentina
Fil: Maibaum, Thomas S. E.. McMaster University; Canad