Correctness Proofs - The ASM Refinement Method

3.6 The ASM Refinement Method

3.6.3 Correctness Proofs

The ASM method is not geared towards a systematic system verification. Based on the general notion of ASM refinement, correctness verifications are usually carried out informally using the commuting diagrams [17], see Figure 3.1. More formal ways for correctness proofs have been well studied in a series of work by Schellhorn in [93, 92, 96]. In [92], a tool-based refinement correctness verification approach is presented. The general notion of refinement has been modified into two different notions of correct refinement, based on the comparisons of input/output behaviour and traces (runs), which are suitable for result computing and reactive systems, respectively.

The notion for input/output behaviour comparison focuses on finite runs only, and requires that, if ASM0 _{is said to refine ASM, for every finite trace (}_st0

0, . . . , st0n) of the

refined machine ASM0_{, and every related state} _st

0 of ASM with INV(st0, st00), there exists a finite trace (st0, . . . , stm) in ASM such that the output states st0n, stm are related.

The notion of trace correctness is similar to the general notion of refinement given in 3.6.1. It concerns both the finite and the infinite runs and the intermediate states of interest in the runs. It uses a coupling invariant INV(x, x0_{), representing the notion} of equivalence between states, to relate the states of interest in the corresponding runs. The difference from the general notion is that it only requires corresponding runs found when an initial state st0 can be found in ASM being related to the initial statest0

0. This difference (between general ASM refinement on one side, and input/output behaviour comparison and trace correctness on the other), makes it possible to capture incremental refinements, which are not ASM refinements in the general sense. Also it is clear that the trace-correctness refinement is stronger than the input/output correctness refinement.

Based on the two notions of correctness refinements, formulas expressed in DL (Dy- namic Logic) have been developed for verification using the support tool KIV. A case study is presented to show how verifications of a Prolog interpreter is done using the formulas and KIV tool.

In [93], verification using generalised forward simulation is presented. In this work, four definitions of refinement correctness are given, which further breaks down the definitions in [92] into partial and total correctness. The partial and total correctness are similar to the extended refinement notion in [27], for ruling out implementation of termi- nating runs by nonterminating runs in the total correctness refinement. The idea of the verification approach is to allow two corresponding runs to be split into arbitrary commuting diagrams, such as (m, n)−,(0, n)−,(m,0)−refinements using coupling invariants, then the verification of refinement correctness is reduced to the verification of obligation for the commutativity of a diagram. As the proof method propagates the invariant for-

ward through traces, it takes the form of forward simulation. The generalised forward simulation is proven to be sound in the work.

Later in [96], Schellhorn has shown how a completeness proof for ASM refinement can be constructed, which is different from the one in data refinement [27] by combining forward and backward simulation. The later is not working for ASM refinement, since the notion of correctness refinement in ASM considers that termination of all ASM runs from a specific initial state should be preserved as an important property.

Using a simple example, we show how refinement correctness in ASM, particularly for infinite runs, can be established.

Example 3.2. Let us consider the following ASMs which compute the average of a (multi)set of integers, adopted from [29]:

M = values

external newvalue, average

main : values := values∪ {newvalue}; average := sum(values) / nr(values) and the refined ASM

M∗ _{= sum, nr}

external newvalue, average

main : sum := sum + newvalue; nr := nr + 1; average := sum / nr

The sets of initial states for M and M∗ _{are the singletons} IS ={s0 :={values7→ ∅}} IS∗ ₌_{_s∗

0 :={sum7→0, nr 7→0}}

We now want to show that M∗ _refines _M_{w.r.t. the abstraction predicate} A(s, s∗) :⇔sum([values]s) = [sum]s∗∧nr([values]s) = [nr]s∗ which guarantees that the same averages are returned.

For this we can use forward simulation: the initial states s0, s∗0 are corresponding, i.e., A(s0, s∗0) holds. For every corresponding pair of states si, s∗i with A(si, s∗i) and every

successor state s∗

i+1 of s∗i, we can find a successor state si+1 of si such that A(si+1, s∗i+1) holds:

si+1 :={values7→[values]si∪ {[sum]s ∗

i+1−[sum]s∗i}}

Thus, given any (finite or infinite) run ofM∗_{, we can construct a corresponding run for}

M: lets∗

i denote the states in the run ofASM∗. Since for every “matching” triple of states

si, s∗i, s∗i+1 there exists at least one state si+1 which completes the commutation diagram, there exists a function f : Σ×Σ∗ _×_Σ∗ _→ _{Σ which selects such a state} _s

i+1 for every matching triple (in general this requires the axiom of choice (suggested by G. Schellhorn), but here we don’t need it since si+1 can be defined explicitly). This allows us to define a corresponding run of M by induction: si+1 := f(si, s∗i, s∗i+1). By construction we have that A(si, s∗i) and si −→M si+1, which shows that we have indeed found a corresponding run.

3.6. THE ASM REFINEMENT METHOD Jane Qiong Zhao

In document Formal design of data warehouse and OLAP systems : a dissertation presented in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Information Systems at Massey University, Palmerston North, New Zealand (Page 46-48)