The mCRL2 toolset Jan Friso Groote, Jeroen Keiren, Wieger Wesselink, Sjoerd Cranen, Frank Stappers,...

Post on 19-Dec-2015


The mCRL2 toolset

Jan Friso Groote, Jeroen Keiren, Wieger Wesselink, Sjoerd Cranen, Frank Stappers, (many others)

4S100 – Verification of discrete-event systems
Eindhoven, The Netherlands
October 17, 2011

4S100: Frank Stappers 2

INTRODUCTION

17/10/2011


Analysis techniques

• Analysis techniques used in hardware/software development:
• Structural analysis: what things are in the system
− Class diagrams (software)
− CAD models (hardware)
− PCB design (electronic circuits)
• Behavioral analysis: what happens in the system
− Matlab Simulink models
− Message sequence charts
− Petri nets
− Process algebra
− Temporal logic
− ...


Behavioral analysis

• What is behavioral analysis about?
• Modeling:
− Create an abstract model of the behavior
• Validation and verification:
• Validation: does the model roughly behave as expected?
− Simulation, testing
• Verification: does the model satisfy the requirements in all states?
− Model checking, SAT solving, theorem proving


Behavioral analysis

Why modeling? To reduce complexity:
• Direct verification of a software/hardware system is impossible due to the huge number of states.
• Much more complex than e.g. Rubik’s cube: 43,252,003,274,489,856,000 (4.3 · 10^19) states


Behavioral analysis

From our experience:
• Without proper modeling it is impossible to get a system right.
• Implementing a model does not introduce substantial flaws.
• Modeling an implementation nearly always reveals flaws or ambiguities.


100% (and this is even true for our language)


Toolsets for behavioral analysis

For verification of industrial systems, tool support is essential. Toolsets for modeling, validation and verification of behavior:
• CADP (INRIA Rhône-Alpes, France)
• SPIN (Bell Labs, USA)
• FDR (Formal Systems Limited, Oxford, UK)
• Uppaal (Uppsala University, Sweden)
• NuSMV (Carnegie Mellon University, USA)
• mCRL2 (MDSE group / LaQuSo, TU/e)
• ...


mCRL2 toolset overview - History


(Timeline figure, axis 1990 – 2000 – 2010 – now: Common Representation Language (CRL); micro Common Representation Language (μCRL); micro Common Representation Language 2 (mCRL2), 2004)


mCRL2 toolset overview – General Information

• The mCRL2 toolset can be used for the specification, validation and verification of concurrent systems and protocols.
• Collection of tools
• Available for the following platforms:
• Microsoft Windows
• Linux (Ubuntu/openSUSE/Fedora)
• Mac OS X
• Distributed under the Boost license
• Available at http://mcrl2.org


Toolset overview


Success stories


MODELING


Actions

• The behavior of a process is that which we can observe.
• Observable behavior and observing behavior can be expressed in terms of actions.
• Example:
• A lamp has to shine in order for us to see that it is on.
• We have to look at a lamp to see that it is shining.


Labeled Transition Systems

• A labeled transition system is a basic formalism for describing behavior.
• Also known as labeled directed graphs or state spaces.
• Labels represent discrete events, also called actions.

Formal definition: a labeled transition system is a tuple (S, L, →, s, T) where:
• S is a set of states
• L is a set of labels
• → ⊆ S × L × S is a transition relation
• s ∈ S is the initial state
• T ⊆ S is the set of terminating states


Labeled Transition Systems

• Example: Ordering items


Basic process algebra

A process with name ∈ is defined as

P can be of the following form:
• An action (a ∈ Act)
• Sequential composition
• Alternative composition
• Recursion (Y ∈ )
• The deadlock process
• Internal/hidden action


Basic process algebra

• Relating algebra to LTSs


Basic process algebra - Ordering items


Parallel composition

• P can also be of the following form:
• Parallel composition: a || b
• Communication merge: a | b
• This gives rise to multi-actions (Act*):
• multi-action a | b


Parallelism

• Process specification


Parallelism

• Corresponding LTS


Communication

Three operators for communication:
• Communication (Act* × Act)
• Encapsulation [block] (Act)
• Allow (Act*)

Explanation:
• Communication: renames multi-action a|b to c
• Encapsulation (block): blocks all actions in the set B
• Allow: blocks multi-actions different from the ones in A
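The slides on basic process algebra, parallel composition and the three communication operators describe an operational semantics that can be executed directly on a small scale. The following is an added example, not code from the mCRL2 toolset: a Python implementation of actions, sequential and alternative composition, the parallel operator (interleaving plus synchronisation into multi-actions), delta, and the communication, block and allow operators, which explores the resulting LTS in the (S, L, →, s, T) shape of the formal definition. The tuple encoding of terms and the helper names (act, seq, alt, par, comm, allow, block, build_lts) are this example's own assumptions; a communication a|b → c is applied to any multi-action that contains a|b, and allow does not special-case hidden actions.

```python
"""Operational semantics for the process-algebra fragment on the slides.
Added example, not part of the mCRL2 toolset; the term encoding is this example's own."""
from collections import deque
from itertools import product

TICK = ("tick",)    # successful termination, the terminating state of the LTS
DELTA = ("delta",)  # the deadlock process: no transitions

def act(a):        return ("act", a)
def seq(p, q):     return ("seq", p, q)            # p . q
def alt(p, q):     return ("alt", p, q)            # p + q
def par(p, q):                                      # p || q, with tick || q = q
    if p == TICK: return q
    if q == TICK: return p
    return ("par", p, q)
def comm(table, p):   # table {("a", "b"): "c"}: rename multi-action a|b to c
    return ("comm", tuple(sorted(table.items())), p)
def allow(actions, p):  # keep only the multi-actions listed in `actions`
    return ("allow", frozenset(tuple(sorted(m)) for m in actions), p)
def block(actions, p):  # drop every multi-action containing an action in `actions`
    return ("block", frozenset(actions), p)

def rename(m, table):
    """Apply the first communication a|b -> c whose left side is contained in m."""
    for key, c in table:
        rest = list(m)
        try:
            for x in key:
                rest.remove(x)
        except ValueError:
            continue
        return tuple(sorted(rest + [c]))
    return m

def wrap(kind, arg, p1):
    """Keep an operator around its successor, except that a terminated process stays tick."""
    return TICK if p1 == TICK else (kind, arg, p1)

def step(p):
    """Outgoing transitions of term p as (multi-action, successor) pairs.
    A multi-action is a sorted tuple of action names; ("a",) is the plain action a."""
    kind = p[0]
    if kind == "act":
        return [((p[1],), TICK)]
    if kind in ("delta", "tick"):
        return []
    if kind == "alt":
        return step(p[1]) + step(p[2])
    if kind == "seq":
        return [(m, p[2] if p1 == TICK else seq(p1, p[2])) for m, p1 in step(p[1])]
    if kind == "par":
        left, right = step(p[1]), step(p[2])
        out = [(m, par(p1, p[2])) for m, p1 in left]                # left side moves
        out += [(n, par(p[1], q1)) for n, q1 in right]              # right side moves
        out += [(tuple(sorted(m + n)), par(p1, q1))                 # both move: multi-action m|n
                for (m, p1), (n, q1) in product(left, right)]
        return out
    if kind == "comm":
        return [(rename(m, p[1]), wrap("comm", p[1], p1)) for m, p1 in step(p[2])]
    if kind == "allow":
        return [(m, wrap("allow", p[1], p1)) for m, p1 in step(p[2]) if m in p[1]]
    if kind == "block":
        return [(m, wrap("block", p[1], p1)) for m, p1 in step(p[2]) if not set(m) & p[1]]
    raise ValueError(p)

def build_lts(p):
    """Explore the state space of p by breadth-first search.
    Returns (S, L, ->, s, T) with states numbered in discovery order; s is always 0."""
    index = {p: 0}
    queue = deque([p])
    transitions = set()
    while queue:
        q = queue.popleft()
        for m, q1 in step(q):
            if q1 not in index:
                index[q1] = len(index)
                queue.append(q1)
            transitions.add((index[q], m, index[q1]))
    states = set(index.values())
    labels = {m for _, m, _ in transitions}
    terminating = {i for t, i in index.items() if t == TICK}
    return states, labels, transitions, 0, terminating

if __name__ == "__main__":
    # a || b on its own: interleavings plus the synchronised multi-action a|b
    print(build_lts(par(act("a"), act("b"))))
    # the usual mCRL2 pattern: let a and b communicate to c and allow only c
    print(build_lts(allow({("c",)}, comm({("a", "b"): "c"}, par(act("a"), act("b"))))))
```

Running the module prints the two state spaces: a || b alone has four states and five transitions, three of them from the initial state (a, b and the multi-action a|b), whereas with comm and allow only the synchronised step survives, giving a single c-transition to the terminating state.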


Communication


• Specification:


Processes with data

• Why data?
• In real-life systems data is essential
• Data allows for finite specifications of infinite systems
• Examples:
• Represent non-functional properties, e.g. the color of a traffic light
• Capture information streams, e.g. communication of information
• Manipulation, e.g. mathematical functions
• ...


Processes with data

• All sorts

• Basic sorts

• Container sorts

• Functions:

• Structured sorts:


Processes with data

• Data specification
• Sort declarations
• Constructors (for creating user-defined data types)
• Mappings
• Example – compute the sum over a list of values:


Processes with Data

• BNF:
• Examples
• Data-parameterized action:
• Data-parameterized process:
• Conditions:
• Summation:


Processes with Data

• Summation: shorthand notation for a choice over a domain of values:

a(0) + a(1) + ... + a(N-1) + a(N)


• Process specification: an odd-max-5-counter (figure: filter and counter)


Tool demo: mCRL2-gui, mCRL22lps, lps2lts, ltsgraph

An odd-max-5-counter (figure: filter and counter)


Verification

• How to ensure that…
• there is no deadlock?
• the counter does not exceed value X?
• an input (r1) is always followed by an output (s3)?


VERIFICATION


Verification

Model checking is an automated verification method. It can be used to check functional requirements against a model.
• A (software or hardware) system is modeled in mCRL2
• The requirements are specified as properties in a temporal logic
• A model checking algorithm decides whether the property holds for the model.

Temporal logic used within mCRL2: μ-calculus with data, time and regular expressions


Temporal logic

• Idea of the μ-calculus: add fixed-point operators (i.e. recursion) as primitives to standard Hennessy-Milner logic
• The μ-calculus is very expressive (subsumes e.g. CTL*)
• The μ-calculus is very pure
• Drawback: lack of intuition


(Figure: expressiveness of temporal logics, showing LTL, CTL, CTL* and the μ-calculus, and the logics used by UPPAAL and mCRL2)


A flavor of μ-calculus

• Hennessy-Milner logic: propositional logic with modalities
• Notation: s ⊨ φ: state s of a transition system satisfies formula φ

For all states s: s ⊨ true
For no state s: s ⊨ false


A flavor of μ-calculus

• Hennessy-Milner logic: propositional logic with modalities
• Notation: s ⊨ φ: state s of a transition system satisfies formula φ

s ⊨ [a]φ holds in a state s if every a-labeled transition leading out of s leads to a state where φ holds

s ⊨ <a>φ holds in a state s if some a-labeled transition leading out of s leads to a state where φ holds


A flavor of μ-calculus

Example: determine the largest set of states S that satisfy:
• S ⊨ [b]false
• S ⊨ [a][b]true
• S ⊨ <a>true


A flavor of μ-calculus

mCRL2 extends HM logic with regular expressions:

Explanation:
• R.R concatenation
• R+R choice
• R* match R zero times or more
• R+ match R once or more


A flavor of μ-calculus

Example: determine the largest set of states S that satisfy:
• S ⊨ [b+a]false
• S ⊨ [a.b.c]false
• S ⊨ <a.a.b+a.a.a>true
• S ⊨ <a*>true
• S ⊨ <a+>true
• S ⊨ [a*.b]false

4S100: Frank Stappers 41

An odd-max-5-counter verification

• How to ensure that…
• there is no deadlock?
[true*]<true>true
• the counter does not exceed value X?
[true*.s3(X)]false
• an input (r1) is always followed by an output (s3)?
[true*.r1’.(!s3’)*]<(!s3’)*.s3’>true

(figure: filter and counter)

r1’, s3’: actions with eliminated data parameters (action wildcards)
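The modal formulas of the preceding slides ([b]false, [a][b]true, <a>true, the regular-formula examples, and the three odd-max-5-counter properties), like the HEF properties later in the deck, are Hennessy-Milner logic with regular formulas, and on a finite LTS each of them can be decided by reachability alone. The following is an added example and not the mCRL2 toolset's own code: a checker that computes, for every formula, the largest set of states satisfying it, over a constructed four-state LTS with actions a and b. It assumes a tuple encoding of formulas instead of mCRL2 syntax, stands in for the data-free wildcard actions r1’ and s3’ with the plain actions a and b, and has no data and no explicit fixed-point operators (R* is computed as a reachability fixed point). The deadlock check is run twice, on the LTS as constructed, which contains a deadlocking state, and on the same LTS with the offending transition removed.

```python
"""Checker for Hennessy-Milner logic with regular formulas over a finite LTS.
Added example, not part of the mCRL2 toolset; formula encoding is this example's own."""

# Constructed LTS in the slide's (S, L, ->, s, T) shape. State 3 has no outgoing
# transitions, i.e. it is a deadlock; TRANS_FIXED removes the transition into it.
S = {0, 1, 2, 3}
TRANS = {(0, "a", 1), (1, "b", 2), (1, "a", 3), (2, "a", 0)}
TRANS_FIXED = TRANS - {(1, "a", 3)}
INIT = 0

def _succ(trans, sources, pred):
    """Targets of transitions leaving `sources` whose label satisfies pred."""
    return {t for (s, l, t) in trans if s in sources and pred(l)}

# Regular formulas: ("act", a) = a   ("nact", a) = !a   ("any",) = true
#                   ("cat", R1, R2) = R1.R2   ("alt", R1, R2) = R1+R2
#                   ("star", R) = R*   ("plus", R) = R+
def reach(trans, R, sources):
    """States reachable from `sources` via a path whose labels match R."""
    kind = R[0]
    if kind == "act":
        return _succ(trans, sources, lambda l: l == R[1])
    if kind == "nact":                       # the slide's !s3' wildcard: anything but a
        return _succ(trans, sources, lambda l: l != R[1])
    if kind == "any":                        # true: any action
        return _succ(trans, sources, lambda l: True)
    if kind == "cat":
        return reach(trans, R[2], reach(trans, R[1], sources))
    if kind == "alt":
        return reach(trans, R[1], sources) | reach(trans, R[2], sources)
    if kind == "star":                       # zero or more repetitions: least fixed point
        seen, frontier = set(sources), set(sources)
        while frontier:
            frontier = reach(trans, R[1], frontier) - seen
            seen |= frontier
        return seen
    if kind == "plus":                       # R+ = R.R*
        return reach(trans, ("star", R[1]), reach(trans, R[1], sources))
    raise ValueError(R)

# State formulas: ("true",) ("false",) ("not", f) ("and", f, g) ("or", f, g)
#                 ("box", R, f) = [R]f   ("dia", R, f) = <R>f
def sat(states, trans, f):
    """Largest set of states satisfying f. [R]f: every R-reachable state satisfies f
    (vacuously true when no R-path exists); <R>f: some R-reachable state satisfies f."""
    kind = f[0]
    if kind == "true":
        return set(states)
    if kind == "false":
        return set()
    if kind == "not":
        return set(states) - sat(states, trans, f[1])
    if kind == "and":
        return sat(states, trans, f[1]) & sat(states, trans, f[2])
    if kind == "or":
        return sat(states, trans, f[1]) | sat(states, trans, f[2])
    body = sat(states, trans, f[2])
    if kind == "box":
        return {s for s in states if reach(trans, f[1], {s}) <= body}
    if kind == "dia":
        return {s for s in states if reach(trans, f[1], {s}) & body}
    raise ValueError(f)

# The slides' formulas in this encoding, with a and b as the action names.
A, B, ANY = ("act", "a"), ("act", "b"), ("any",)
TRUE, FALSE = ("true",), ("false",)
BOX_B_FALSE = ("box", B, FALSE)                               # [b]false
BOX_A_BOX_B_TRUE = ("box", A, ("box", B, TRUE))                # [a][b]true
DIA_A_TRUE = ("dia", A, TRUE)                                  # <a>true
NO_DEADLOCK = ("box", ("star", ANY), ("dia", ANY, TRUE))       # [true*]<true>true
BOX_ASTAR_B_FALSE = ("box", ("cat", ("star", A), B), FALSE)    # [a*.b]false
DIA_AAB_OR_AAA = ("dia", ("alt", ("cat", ("cat", A, A), B),    # <a.a.b+a.a.a>true
                          ("cat", ("cat", A, A), A)), TRUE)
NOT_B_STAR = ("star", ("nact", "b"))
RESPONSE = ("box", ("cat", ("cat", ("star", ANY), A), NOT_B_STAR),   # [true*.a.(!b)*]<(!b)*.b>true
            ("dia", ("cat", NOT_B_STAR, B), TRUE))

def holds(f, trans=TRANS, states=S, init=INIT):
    """Does the initial state satisfy f?"""
    return init in sat(states, trans, f)

if __name__ == "__main__":
    for name, f in [("[b]false", BOX_B_FALSE), ("[a][b]true", BOX_A_BOX_B_TRUE),
                    ("<a>true", DIA_A_TRUE), ("no deadlock", NO_DEADLOCK),
                    ("[a*.b]false", BOX_ASTAR_B_FALSE), ("a followed by b", RESPONSE)]:
        print(f"{name:16} satisfied in {sorted(sat(S, TRANS, f))}, initial state: {holds(f)}")
    print("no deadlock after removing 1 -a-> 3:", holds(NO_DEADLOCK, TRANS_FIXED))
```

On the constructed LTS the deadlock-freedom and response properties both fail in the initial state for the same reason: the a-transition from state 1 into state 3 is never followed by any action, so [true*]<true>true fails at every state that can reach 3, and the response formula fails because the a-step into 3 is never answered by b. With that transition removed both properties hold, which is the same kind of diagnosis the counter and HEF properties are meant to deliver.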


Tool demo: mCRL2-gui, lps2pbes, pbes2bool (lpsactionrename)

An odd-max-5-counter verification (figure: filter and counter)


CASE STUDY


HEF system


• Modular HEF system
• Levers (≥ 2) are connected to
• Relays connect levers
• Messages are sent over a CAN bus
• Relays control the `length’ of the bus
• Occasionally non-responsive levers
• What is wrong?
• Something in the design?
• Time for model checking!


HEF system – full model (6 levers)


We focus on initialization


HEF system - initialization

(Figure: HEF system initialization, steps numbered 1–4)


Simplified HEF system

• Assumptions:
• Good-weather behavior
• Initialization only!
• No up and down movement
• Modular design
• Simplified model:
• User (#1)
• Relays (#3)
• Levers (#3)
• Every process has a physical position (used for identification)


Simplified HEF system – User process

User process:
• User is attached to lever pos
• Press “start”
• Send send_start message to the attached lever
• Notification: “Found n levers”
• recv_found message contains the n found levers


Simplified HEF system – Relay process

Relay process:
• Relay can be Open or Closed
• Relay has a position between two levers and an open status:
• Opening/closing relay:


Simplified HEF system – Relay process

• Re-tweeting of message IDs


Simplified HEF system – Lever process

• Lever process
• Lever has a position pos and an ID (0 if uninitialized)
• Update ID if uninitialized
• If we get an ID and our ID is initialized, we report to the user


Simplified HEF system – Lever process

• Open relay
• Close relay
• Send current ID


Simplified HEF system – Modeled system

• System decomposition


Simplified HEF system – Analysis

Some properties checked:
• No deadlock:
[true*]<true>true
• We know that we modeled 3 levers, so are 3 levers detected?
<true*.found(3)>true
• Finding only 2 levers would be stupid:
[true*.found(2)]false  ?


Simplified HEF system – The bug…

• So what’s happening? Counterexample trace:
start(0)
ID_to_relay(0, 1)
ID_from_relay(1, 1)
ID_to_relay(1, 2)
ID_from_relay(0, 2)
found(2)
• Problem: process ID==1 gets an ID from process ID==2 before the relay is closed!
• Similar problem in the actual system: old relays did not close in time


Solved the day (again)


Summary

• The mCRL2 toolset:
• facilitates many kinds of system behavior analysis
• can be used to:
− detect errors in the design
− prevent errors already in the design
• Small introduction; mCRL2 has many more features:
• Functional programming in data specifications
• Optimization with linear process specifications
• State space reduction techniques
• Checking for behavioral equivalence
• Parameterized Boolean Equation Systems to solve properties
• Solving parity games
• Export to other (analysis) toolsets/formats
• ...
