Posted 19-Dec-2015
The mCRL2 toolset
Jan Friso Groote, Jeroen Keiren, Wieger Wesselink, Sjoerd Cranen, Frank Stappers, (many others)
4S100 – Verification of discrete-event systems, Eindhoven, The Netherlands, October 17, 2011
4S100: Frank Stappers 2
INTRODUCTION
17/10/2011
Analysis techniques
• Analysis techniques used in hardware/software development:
  • Structural analysis: what things are in the system
    − Class diagrams (software)
    − CAD models (hardware)
    − PCB design (electronic circuits)
  • Behavioral analysis: what happens in the system
    − Matlab Simulink models
    − Message sequence charts
    − Petri nets
    − Process algebra
    − Temporal logic
    − ...
Behavioral analysis
• What is behavioral analysis about?
• Modeling:
  − Create an abstract model of the behavior
• Validation and Verification:
  • Validation: does the model roughly behave as expected?
    − Simulation, testing
  • Verification: does the model satisfy the requirements in all states?
    − Model checking, SAT solving, theorem proving
Behavioral analysis
Why modeling? To reduce complexity:
• Direct verification of a software/hardware system is impossible due to the huge number of states.
• Much more complex than e.g. Rubik’s cube: 43,252,003,274,489,856,000 (4.3 × 10^19) states
Behavioral analysis
From our experience:
• Without proper modeling it is impossible to get a system right.
• Implementing a model does not introduce substantial flaws.
• Modeling an implementation nearly always reveals flaws or ambiguities.
  100% (and this is even true for our language)
Toolsets for behavioral analysis
For verification of industrial systems, tool support is essential. Toolsets for modeling, validation and verification of behavior:
• CADP (INRIA Rhône-Alpes, France)
• SPIN (Bell Labs, USA)
• FDR (Formal Systems Limited, Oxford, UK)
• Uppaal (Uppsala University, Sweden)
• NuSMV (Carnegie Mellon University, USA)
• mCRL2 (MDSE group / LaQuSo, TU/e)
• ...
mCRL2 toolset overview - History
[Timeline figure, 1990 – 2000 – 2010 – now: Common Representation Language (CRL), micro Common Representation Language (μCRL), micro Common Representation Language 2 (mCRL2); the year 2004 is marked]
mCRL2 toolset overview – General Information
• The mCRL2 toolset can be used for the specification, validation and verification of concurrent systems and protocols.
• Collection of tools
• Available for the following platforms:
  • Microsoft Windows
  • Linux (Ubuntu/openSUSE/Fedora)
  • Mac OS X
• Distributed under the Boost license
• Available at http://mcrl2.org
Toolset overview
Success stories
MODELING
Actions
• The behavior of a process is that which we can observe.
• Observable behavior and observing behavior can be expressed in terms of actions.
• Example:
  • A lamp has to shine in order for us to see that it is on.
  • We have to look at a lamp to see that it is shining.
Labeled Transition Systems
• A labeled transition system is a basic formalism for describing behavior.
• Also known as labeled directed graphs or state spaces.
• Labels represent discrete events, also called actions.
Formal definition: a labeled transition system is a tuple (S, L, →, s, T) where:
• S is a set of states
• L is a set of labels
• → ⊆ S × L × S is a transition relation
• s ∈ S is the initial state
• T ⊆ S is the set of terminating states
Labeled Transition Systems
• Example: Ordering items
Basic process algebra
A process with name ∈ is defined as
P can be of the following form:
• An action (a ∈ Act)
• Sequential composition
• Alternative composition
• Recursion (Y ∈ )
• The deadlock process
• Internal/hidden action
Basic process algebra
• Relating algebra to LTSs
Basic process algebra - Ordering items
Parallel composition
• can be of the following form:
  • Parallel composition: a || b
  • Communication merge: a | b
• This gives rise to multi-actions (Act*)
Parallelism
• Process specification
Parallelism
• Corresponding LTS
Communication
Three operators for communication:
• Communication (Act∗ × Act)
• Encapsulation [block] (Act)
• Allow (Act∗)
Explanation:
• Communication renames multi-action a|b to c
• Block blocks all actions in the set B
• Allow blocks multi-actions different from the ones in A
Communication
• Specification:
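The operators listed on the preceding slides (action, sequential and alternative composition, recursion, deadlock, parallel composition with multi-actions, and the communication, block and allow operators) can be given an executable semantics that generates the LTS of a specification. The interpreter below is an added example written for this page, not code from the mCRL2 toolset or from the lecture: it is a toy process language without data, time or hiding, terms are nested tuples, and the specifications it explores (a || b, a send/receive handshake forced through comm and allow, and X = a.X + b.delta) are constructed for illustration.

```python
from collections import Counter, deque

TERM = ('term',)    # successfully terminated process
DELTA = ('delta',)  # deadlock process: no transitions at all
TAU = 'tau'         # internal/hidden action

# Process terms as nested tuples (toy syntax, an assumption of this example).
def act(a):         return ('act', a)                                  # a
def seq(p, q):      return ('seq', p, q)                               # p . q
def alt(p, q):      return ('alt', p, q)                               # p + q
def par(p, q):      return ('par', p, q)                               # p || q
def ref(name):      return ('ref', name)                               # recursion: X
def comm(rules, p): return ('comm', tuple(sorted(rules.items())), p)   # comm({a|b -> c}, p)
def block(B, p):    return ('block', frozenset(B), p)                  # block({a, ...}, p)
def allow(A, p):    return ('allow', frozenset(A), p)                  # allow({a|b, ...}, p)

def multi(*names):
    """A multi-action a|b|... is an unordered bag of action names (sorted tuple)."""
    return tuple(sorted(names))

def _then(p1, q):   # continuation of p.q after p moved to p1
    return q if p1 == TERM else seq(p1, q)

def _par(p1, q1):   # continuation of p || q after one or both sides moved
    if p1 == TERM: return q1
    if q1 == TERM: return p1
    return par(p1, q1)

def _apply_comm(m, rules):
    """Rewrite sub-multi-actions matching a rule: with {r|s -> c}, r|s|x becomes c|x."""
    bag, changed = Counter(m), True
    while changed:
        changed = False
        for pattern, result in rules:
            need = Counter(pattern)
            if all(bag[a] >= n for a, n in need.items()):
                bag -= need
                bag[result] += 1
                changed = True
    return tuple(sorted(bag.elements()))

def steps(p, defs):
    """Outgoing transitions {(multi-action, successor)} of term p (structural rules)."""
    kind = p[0]
    if kind in ('term', 'delta'):
        return set()
    if kind == 'act':
        return {(multi(p[1]), TERM)}
    if kind == 'ref':
        return steps(defs[p[1]], defs)
    if kind == 'alt':
        return steps(p[1], defs) | steps(p[2], defs)
    if kind == 'seq':
        return {(m, _then(p1, p[2])) for m, p1 in steps(p[1], defs)}
    if kind == 'par':
        left, right = steps(p[1], defs), steps(p[2], defs)
        out = {(m, _par(p1, p[2])) for m, p1 in left}        # only the left side moves
        out |= {(m, _par(p[1], q1)) for m, q1 in right}      # only the right side moves
        out |= {(multi(*m1, *m2), _par(p1, q1))              # both move: labels combine
                for m1, p1 in left for m2, q1 in right}      # into one multi-action
        return out
    inner = steps(p[2], defs)
    if kind == 'comm':
        inner = {(_apply_comm(m, p[1]), p1) for m, p1 in inner}
    elif kind == 'block':       # drop every multi-action containing a blocked action
        inner = {(m, p1) for m, p1 in inner if not set(m) & p[1]}
    elif kind == 'allow':       # keep only listed multi-actions (tau is always allowed)
        inner = {(m, p1) for m, p1 in inner if m in p[1] or m == multi(TAU)}
    else:
        raise ValueError(kind)
    # the operator stays in force on the successor until that terminates
    return {(m, TERM if p1 == TERM else (kind, p[1], p1)) for m, p1 in inner}

def lts(init, defs):
    """Breadth-first exploration: returns (states, transitions (s, multi-action, s'))."""
    states, trans, todo = {init}, set(), deque([init])
    while todo:
        p = todo.popleft()
        for m, p1 in steps(p, defs):
            trans.add((p, m, p1))
            if p1 not in states:
                states.add(p1)
                todo.append(p1)
    return states, trans

def example_parallel():
    """a || b: a then b, b then a, or a|b in a single step."""
    return sorted(m for _, m, _ in lts(par(act('a'), act('b')), {})[1])

def example_handshake():
    """s and r must synchronise into c; allow removes the unsynchronised s and r steps."""
    spec = allow({multi('c')}, comm({multi('s', 'r'): 'c'}, par(act('s'), act('r'))))
    states, trans = lts(spec, {})
    return sorted(m for _, m, _ in trans), len(states)

def example_recursion():
    """X = a.X + b.delta: a finite LTS with a self-loop and a deadlock state after b."""
    defs = {'X': alt(seq(act('a'), ref('X')), seq(act('b'), DELTA))}
    states, trans = lts(ref('X'), defs)
    return len(states), len(trans), len([s for s in states if not steps(s, defs)])
```

Because states are the process terms themselves, a recursive definition such as X = a.X yields a finite graph with a self-loop rather than an unbounded unfolding; the handshake example shows why comm alone is not enough: without allow the lone s and r steps of the parallel composition remain in the state space.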
Processes with data
• Why data?
  • In real-life systems data is essential
  • Data allows for finite specifications of infinite systems
• Examples:
  • Represent non-functional properties, e.g. color of a traffic light.
  • Capture information streams, e.g. communication of information
  • Manipulation, e.g. mathematical functions.
  • ...
Processes with data
• All sorts
• Basic sorts
• Container sorts
• Functions:
• Structured sorts:
Processes with data
• Data specification
  • Sort declarations
  • Constructors (for creating user defined data types)
  • Mappings
• Example – compute the sum over a list of values:
Processes with Data
• BNF:
• Examples
  • Data parameterized action:
  • Data parameterized process:
  • Conditions:
  • Summation:
Processes with Data
• Summation: shorthand notation for choice over a domain of values:
  a(0)+a(1)+...+a(N-1)+a(N)
An odd-max-5-counter
• Process specification
[Figure: filter and counter processes]
Tool demo: mCRL2-gui, mCRL22lps, lps2lts, ltsgraph
An odd-max-5-counter
Verification
• How to ensure that…
  • no deadlock?
  • counter does not exceed value X?
  • an input (r1) is always followed by an output (s3)?
VERIFICATION
Verification
Model checking is an automated verification method. It can be used to check functional requirements against a model.
• A (software or hardware) system is modeled in mCRL2
• The requirements are specified as properties in a temporal logic
• A model checking algorithm decides whether the property holds for the model.
Temporal logic used within mCRL2: μ-calculus with data, time and regular expressions
Temporal logic
• Idea of μ-calculus: add fixed point operators (i.e. recursion) as primitives to standard Hennessy-Milner logic
• μ-calculus is very expressive (subsumes e.g. CTL*)
• μ-calculus is very pure
• drawback: lack of intuition
[Figure: expressiveness of LTL, CTL, CTL* and the μ-calculus; tools shown: UPPAAL, mCRL2]
A flavor of μ-calculus
• Hennessy-Milner logic: proposition logic with modalities
• Notation: state s of a transition system satisfies formula phi
  • Every state s satisfies true; no state s satisfies false
  • [a]phi holds in a state s if every a-labeled transition leading out of s leads to a state where phi holds
  • <a>phi holds in a state s if at least one a-labeled transition leading out of s leads to a state where phi holds
A flavor of μ-calculus
Example: determine the largest set of states S that satisfy:
• [b]false
• [a][b]true
• <a>true
A flavor of μ-calculus
mCRL2 extends HM logic with regular expressions:
• R.R concatenation
• R+R choice
• R* match R zero times or more
• R+ match R once or more
A flavor of μ-calculus
Example: determine the largest set of states S that satisfy:
• [b+a]false
• [a.b.c]false
• <a.a.b+a.a.a>true
• <a*>true
• <a+>true
• [a*.b]false
An odd-max-5-counter verification
• How to ensure that…
  • no deadlock?  [true*]<true>true
  • counter does not exceed value X?  [true*.s3(X)]false
  • an input (r1) is always followed by an output (s3)?  [true*.r1’.(!s3’)*]<(!s3’)*.s3’>true
r1’, s3’: actions with eliminated data parameters; true: action wildcard
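To make the box/diamond semantics, the regular-formula extension and the three counter properties above concrete, here is a small explicit-state checker for this fragment of the μ-calculus (the only fixed points are the ones R* and R+ unfold into). It is an added example written for this page, not mCRL2's PBES-based engine: the four-state LTS used for the HM examples and the r1/s3 counter LTS are constructed stand-ins rather than the lecture's odd-max-5-counter model, and an action formula written as a bare name (s3) plays the role of the slides' primed actions with eliminated data parameters, while a full label (s3(6)) matches that data value only.

```python
from functools import reduce

# Formula syntax as nested tuples (an assumption of this toy checker).
TRUE, FALSE = ('true',), ('false',)
def BOX(R, f):     return ('box', R, f)        # [R]f
def DIA(R, f):     return ('dia', R, f)        # <R>f
ANY = ('any',)                                  # the action wildcard `true`
def A(name):       return ('act', name)         # a  (bare name: any data; "a(3)": exact)
def NA(name):      return ('nact', name)        # !a
def SEQ(*rs):      return reduce(lambda x, y: ('seq', x, y), rs)   # R.R
def ALT(R1, R2):   return ('alt', R1, R2)       # R+R
def STAR(R):       return ('star', R)           # R*
def PLUS(R):       return ('plus', R)           # R+

class Checker:
    """Computes, for a finite LTS, the set of states satisfying a formula."""
    def __init__(self, trans, init):
        self.trans, self.init = trans, init
        self.states = {x for s, _, t in trans for x in (s, t)}

    def _matches(self, af, label):
        if af[0] == 'any':
            return True
        hit = label == af[1] or label.split('(')[0] == af[1]
        return hit if af[0] == 'act' else not hit

    def _pre(self, af, S, forall):
        """[af]S: all af-successors in S (vacuous if none); <af>S: at least one in S."""
        out = set()
        for s in self.states:
            succ = [t for u, l, t in self.trans if u == s and self._matches(af, l)]
            if (all if forall else any)(t in S for t in succ):
                out.add(s)
        return out

    def pre(self, R, S, forall):
        """Lift _pre to regular formulas; R* unfolds into a greatest/least fixed point."""
        kind = R[0]
        if kind in ('act', 'nact', 'any'):
            return self._pre(R, S, forall)
        if kind == 'seq':                    # [R1.R2]f = [R1][R2]f
            return self.pre(R[1], self.pre(R[2], S, forall), forall)
        if kind == 'alt':                    # [R1+R2]f = [R1]f and [R2]f; <R1+R2>f = or
            a, b = self.pre(R[1], S, forall), self.pre(R[2], S, forall)
            return a & b if forall else a | b
        if kind == 'plus':                   # R+ = R.R*
            return self.pre(R[1], self.pre(STAR(R[1]), S, forall), forall)
        if kind == 'star':                   # [R*]f = nu X. f and [R]X; <R*>f = mu X. f or <R>X
            X = set(self.states) if forall else set()
            while True:
                step = self.pre(R[1], X, forall)
                nxt = S & step if forall else S | step
                if nxt == X:
                    return X
                X = nxt
        raise ValueError(kind)

    def sat(self, f):
        kind = f[0]
        if kind == 'true':  return set(self.states)
        if kind == 'false': return set()
        if kind == 'box':   return self.pre(f[1], self.sat(f[2]), True)
        if kind == 'dia':   return self.pre(f[1], self.sat(f[2]), False)
        raise ValueError(kind)

    def holds(self, f):
        """A property holds for the model when its initial state satisfies it."""
        return self.init in self.sat(f)

def hml_demo():
    """The slides' HM examples on a constructed LTS: 0 -a-> 1 -b-> 2, 0 -b-> 3."""
    chk = Checker([(0, 'a', 1), (1, 'b', 2), (0, 'b', 3)], 0)
    return {'[b]false': sorted(chk.sat(BOX(A('b'), FALSE))),
            '[a][b]true': sorted(chk.sat(BOX(A('a'), BOX(A('b'), TRUE)))),
            '<a>true': sorted(chk.sat(DIA(A('a'), TRUE)))}

def counter_lts(maximum=5):
    """Constructed stand-in for the counter (not the lecture's model): r1 increments,
    s3(n) reports the count, and the count wraps to 0 after `maximum`."""
    trans = []
    for c in range(maximum):
        trans.append((('idle', c), 'r1', ('got', c + 1)))
        trans.append((('got', c + 1), f's3({c + 1})', ('idle', (c + 1) % maximum)))
    return trans, ('idle', 0)

def check_counter():
    chk = Checker(*counter_lts())
    return {
        'no deadlock':       chk.holds(BOX(STAR(ANY), DIA(ANY, TRUE))),
        'never s3(6)':       chk.holds(BOX(SEQ(STAR(ANY), A('s3(6)')), FALSE)),
        'never s3(5)':       chk.holds(BOX(SEQ(STAR(ANY), A('s3(5)')), FALSE)),  # violated
        'r1 answered by s3': chk.holds(BOX(SEQ(STAR(ANY), A('r1'), STAR(NA('s3'))),
                                           DIA(SEQ(STAR(NA('s3')), A('s3')), TRUE))),
    }
```

The fourth property is the slide's [true*.r1’.(!s3’)*]<(!s3’)*.s3’>true transcribed into this syntax; 'never s3(5)' is included as a deliberately violated property so the greatest fixed point can be watched shrinking to the empty set, which is why the initial state ends up outside it.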
Tool demo: mCRL2-gui, lps2pbes, pbes2bool (lpsactionrename)
An odd-max-5-counter verification
CASE STUDY
HEF system
• Modular HEF system
  • Levers (≥ 2) are connected to
  • Relays connect levers
  • Messages are sent over CAN-bus
  • Relays control ‘length’ of the bus
• Occasionally nonresponsive levers
  • What is wrong?
  • Something in the design?
• Time for model checking!
HEF system – full model (6 levers)
We focus on initialization
HEF system - initialization
[Figure: initialization sequence, steps 1–4]
Simplified HEF system
• Assumptions:
  • Good-weather behavior
  • Initialization only!
  • No up- and down movement
  • Modular design
• Simplified model:
  • User (#1)
  • Relays (#3)
  • Levers (#3)
• Every process has a physical position (used for identification)
Simplified HEF system – User process
User process
• User is attached to lever pos
• Press “start”
  • Send send_start message to attached lever
• Notification: “Found n levers”
  • recv_found message contains the n found levers
Simplified HEF system – Relay process
Relay process:
• Relay can be Open or Closed
• Relay has a position between two levers and an open status:
• Opening/closing relay:
Simplified HEF system – Relay process
• Re-tweeting of message IDs
Simplified HEF system – Lever process
• Lever process
  • Lever has a position pos and an ID (0 if uninitialized)
• Update ID if uninitialized
• If we get an ID and our ID is initialized we report to user
Simplified HEF system – Lever process
• Open relay
• Close relay
• Send current ID
Simplified HEF system – Modeled system
• System decomposition
Simplified HEF system – Analysis
Some properties checked:
• No deadlock:  [true*]<true>true
• We know that we modeled 3 levers, so 3 levers detected?  <true*.found(3)>true
• Finding only 2 levers would be stupid:  [true*.found(2)]false
Simplified HEF system – The bug…
• So what’s happening?
  start(0) → ID_to_relay(0, 1) → ID_from_relay(1, 1) → ID_to_relay(1, 2) → ID_from_relay(0, 2) → found(2)
• Problem: Process ID==1 gets ID from process ID==2 before the relay is closed!
• Similar problem in the actual system: old relays did not close in time
Solved the day (again)
Summary
• The mCRL2 toolset:
  • facilitates many kinds of system behavior analysis
  • can be used to:
    − detect errors in the design
    − prevent errors already in the design
• Small introduction, mCRL2 has many more features:
  • Functional programming in data specifications
  • Optimization with linear process specifications
  • State space reduction techniques
  • Checking for behavioral equivalence
  • Parameterized Boolean Equation Systems to solve properties
  • Solving parity games
  • Export to other (analysis) toolsets/formats
  • ...