A Theory of Probabilistic Contracts

Abstract

In industrial-sized cyber-physical systems, ensuring fulfillment of requirements gets increasingly more costly as the number of components increases. To make the task feasible, compositional verification has been suggested as a scalable solution. Such techniques allow verification by divide-and-conquer, often using assume-guarantee contracts. Although previous research has focused mostly on the non-probabilistic setting, in the real world, probabilities often arise due to random hardware failures, stochastic communication delays, sensor ghost objects, machine learning components, rounding errors caused by finite-precision arithmetic, human behavior, and probabilistic algorithms. Therefore, for contract theories to be practically relevant to cyber-physical systems, there is a need to support probabilistic reasoning, for instance regarding safety and reliability. To this end, we propose a completely trace-based probabilistic contract theory, supporting general probability measures, continuous time, and continuous state spaces. To verify decompositions of such contracts, we also present a deductive system, which is illustrated on an industrially inspired automatic emergency braking example.

Appendices

Proofs of Correctness for the Inference Rules

Proposition 2

(\(\hbox {ai}_1\)). Let \(\mathcal {M} \in \mathbb {M}_{\mathbb {C},\mathbb {S}}\) be any model conforming to the metatheory. If \(\mathcal {M} \vDash \forall q_1 \forall q_2 \ . \ (q_1 : S) \wedge (q_1 \times q_2 : \copyright ) \rightarrow q_1 \times q_2 : S\), then also \(\mathcal {M} \vDash \textsf{Assertional}(S)\). \(\square \)

Proposition 3

(am). Let \(\mathcal {M} \in \mathbb {M}_{\mathbb {C},\mathbb {S}}\) be any model conforming to the metatheory. If \(\mathcal {M} \vDash c_1 : S\), \(\mathcal {M} \vDash \textsf{Assertional}(S)\), and \(\mathcal {M} \vDash c_1 \times c_2 : \copyright \), then also \( \mathcal {M} \vDash c_1 \times c_2 : S \). \(\square \)

Proposition 4

(recp-i\(_1\)). Let \(\mathcal {M} \in \mathbb {M}_{\mathbb {C},\mathbb {S}}\) be any model conforming to the metatheory. If \( \mathcal {M} \vDash c : \textsf{in}_X \), then also \( \mathcal {M} \vDash \textsf{recp}_{X} \). \(\square \)

Proposition 5

(recp-i\(_2\)). Let \(\mathcal {M} \in \mathbb {M}_{\mathbb {C},\mathbb {S}}\) be any model conforming to the metatheory. If \( \mathcal {M} \vDash c : \textsf{out}_X \), then also \( \mathcal {M} \vDash \textsf{recp}_{X^c} \). \(\square \)

Proposition 6

(recp-i\(_3\)). Let \(\mathcal {M} \in \mathbb {M}_{\mathbb {C},\mathbb {S}}\) be any model conforming to the metatheory. If \( \mathcal {M} \vDash c : \textsf{recp}_{X_1} \) and \(\mathcal {M} \vDash c : \textsf{recp}_{X_2} \), then also \( \mathcal {M} \vDash \textsf{recp}_{X_1 \cup X_2} \). \(\square \)

Proposition 7

(recp-e). Let \(\mathcal {M} \in \mathbb {M}_{\mathbb {C},\mathbb {S}}\) be any model conforming to the metatheory. If \( \mathcal {M} \vDash c : \textsf{recp}_{X_1 \cup X_2} \), then also \( \mathcal {M} \vDash \textsf{recp}_{X_1} \). \(\square \)

Proposition 8

(recp-comps). Let \(\mathcal {M} \in \mathbb {M}_{\mathbb {C},\mathbb {S}}\) be any model conforming to the metatheory. If \( \mathcal {M} \vDash c_1 : \textsf{recp}_{X_1}, \dots , \mathcal {M} \vDash c_n : \textsf{recp}_{X_n} \), then also \( \mathcal {M} \vDash c_1 \times \dots \times c_n : \textsf{recp}_{X_1 \cap \dots \cap X_n} \). \(\square \)

Proposition 9

(\(\copyright \)i). Let \(\mathcal {M} \in \mathbb {M}_{\mathfrak {B},\mathbb {C},\mathbb {S}}\) be any model conforming to the probabilistic instantiation of the metatheory. If \( \mathcal {M} \vDash c_1 : \textsf{recp}_{X_1}, \dots , \mathcal {M} \vDash c_n : \textsf{recp}_{X_n} \), \( \forall i \ne j \ . \ X_i^c \cap X_j^c = \emptyset \), and \( \forall i \in \{1..n\} \ . \ (\mathcal {M} \vDash c_i : \textsf{in}_{X_i'}) \wedge X_i' \subseteq \bigcap _{j=i+1}^n X_j \), then also \( \mathcal {M} \vDash c_1 \times \dots \times c_n : \copyright \). \(\square \)

Proposition 10

(ai\(_2\)). Let \(\mathcal {M} \in \mathbb {M}_{\mathfrak {B},\mathbb {C},\mathbb {S}}\) be any model conforming to the probabilistic instantiation of the metatheory. Then \( \mathcal {M} \vDash \textsf{Assertional}\big (\left( f(\textbf{x}) \perp \!\!\!\perp g(\textbf{y})\right) \big ) \). \(\square \)

Proposition 11

(\(\perp \!\!\!\perp \)i). Let \(\mathcal {M} \in \mathbb {M}_{\mathfrak {B},\mathbb {C},\mathbb {S}}\) be any model conforming to the probabilistic instantiation of the metatheory. If \( \mathcal {M} \vDash c_1 : \textsf{in}_{\{y_{1}\}} \), \( \mathcal {M} \vDash c_1 : \left( f_1(\textbf{x}_1) \perp \!\!\!\perp y_1\right) \), \( \mathcal {M} \vDash c_2 : \textsf{in}_{\{y_{2}\}} \), \( \mathcal {M} \vDash c_2 : \left( f_2(\textbf{x}_2) \perp \!\!\!\perp y_2\right) \), and \( \mathcal {M} \vDash c_1 \times c_2 : \copyright \), then also \( \mathcal {M} \vDash c_1 \times c_2 : \left( f_1(\textbf{x}_1) \perp \!\!\!\perp f_2(\textbf{x}_2)\right) \). \(\square \)

Refinement Proof

Fig. 6.

Proof of the sequent (16)