Page 1: The mCRL2 toolset

Jan Friso Groote, Jeroen Keiren, Wieger Wesselink, Sjoerd Cranen, Frank Stappers, (many others)

4S100 – Verification of discrete-event systems
Eindhoven, The Netherlands
October 17, 2011

Page 2: INTRODUCTION (4S100: Frank Stappers)

17/10/2011

Page 3: Analysis techniques

Analysis techniques used in hardware/software development:
• Structural analysis: what things are in the system
  − Class diagrams (software)
  − CAD-models (hardware)
  − PCB design (electronic circuits)
• Behavioral analysis: what happens in the system
  − Matlab Simulink models
  − Message sequence charts
  − Petri nets
  − Process algebra
  − Temporal logic
  − ...


Page 4: Behavioral analysis

• What is behavioral analysis about?
• Modeling:
  − Create an abstract model of the behavior
• Validation and Verification:
  • Validation: does the model roughly behave as expected?
    − Simulation, testing
  • Verification: does the model satisfy the requirements in all states?
    − Model checking, SAT solving, theorem proving


Page 5: Behavioral analysis

Why modeling? To reduce complexity:
• Direct verification of a software/hardware system is impossible due to the huge number of states.
• Much more complex than e.g. Rubik's cube: 43,252,003,274,489,856,000 (4.3 × 10^19) states


Page 6: Behavioral analysis

From our experience:
• Without proper modeling it is impossible to get a system right.
• Implementing a model does not introduce substantial flaws.
• Modeling an implementation nearly always reveals flaws or ambiguities.


100% (and this is even true for our language)

Page 7: Toolsets for behavioral analysis

For verification of industrial systems, tool support is essential. Toolsets for modeling, validation and verification of behavior:
• CADP (INRIA Rhone Alpes, France)
• SPIN (Bell Labs, USA)
• FDR (Formal Systems Limited, Oxford, UK)
• Uppaal (Uppsala University, Sweden)
• NuSMV (Carnegie Mellon University, USA)
• mCRL2 (MDSE group / LaQuSo, TU/e)
• ...


Page 8: mCRL2 toolset overview - History


(figure: timeline with axis 1990, 2000, 2010, now, and a marker at 2004)
Common Representation Language (CRL) → micro Common Representation Language (μCRL) → micro Common Representation Language 2 (mCRL2)

Page 9: mCRL2 toolset overview – General Information

• The mCRL2 toolset can be used for the specification, validation and verification of concurrent systems and protocols.
• Collection of tools
• Available for the following platforms:
  • Microsoft Windows
  • Linux (Ubuntu/openSUSE/Fedora)
  • Mac OS X
• Distributed under the Boost license
• Available at http://mcrl2.org


Page 10: Toolset overview

Page 11: Success stories

Page 12: MODELING

Page 13: Actions

• The behavior of a process is that which we can observe.
• Observable behavior and observing behavior can be expressed in terms of actions.
• Example:
  • A lamp has to shine in order for us to see that it is on.
  • We have to look at a lamp to see that it is shining.


Page 14: Labeled Transition Systems

• A labeled transition system is a basic formalism for describing behavior.
• Also known as labeled directed graphs or state spaces.
• Labels represent discrete events, also called actions.


Formal definition: A labeled transition system is a tuple (S, L, →, s, T) where:
• S is a set of states
• L is a set of labels
• → ⊆ S × L × S is a transition relation
• s ∈ S is the initial state
• T ⊆ S is the set of terminating states

Page 15: Labeled Transition Systems

• Example: Ordering items

Page 16: Basic process algebra

A process with name ∈ is defined as

P can be of the following form:
• An action (a ∈ Act)
• Sequential composition
• Alternative composition
• Recursion (Y ∈ )
• The deadlock process
• Internal/hidden action


Page 17: Basic process algebra

• Relating algebra to LTSs

Page 18: Basic process algebra - Ordering items

Page 19: Parallel composition

• can be of the following form:
  • Parallel composition: a || b
  • Communication merge: a | b
• This gives rise to multi-actions (Act*): multi-action

Page 20: Parallelism

• Process specification

Page 21: Parallelism

• Corresponding LTS

Page 22: Communication

Three operators for communication:
• Communication (Act∗ × Act)
• Encapsulation [block] (Act)
• Allow (Act∗)

Explanation:
• renames multi-action a|b to c
• blocks all actions in the set B
• blocks multi-actions different from the ones in A
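The parallel composition of slide 19 and the three communication operators above, worked through in Python as an added example; this is not slide material and not code from the mCRL2 toolset. Multi-actions (Act*) are modelled as sorted tuples of action names, the parallel composition is built on pair states, and the two processes (a sender doing `send`, a receiver doing `recv`) and the rule `send|recv → c` are constructed for the illustration:

```python
"""Parallel composition, multi-actions and the three communication operators
(communication, encapsulation/block, allow) from the slides, computed on plain
transition lists. Added example; not slide material and not mCRL2 toolset code.
The sender/receiver processes below are constructed for illustration."""
from collections import Counter
from itertools import product
from typing import Dict, Hashable, Iterable, List, Set, Tuple

# A multi-action a|b is a multiset of action names, stored as a sorted tuple so
# that a|b and b|a coincide; the empty tuple stands for the hidden action tau.
MultiAction = Tuple[str, ...]
Transition = Tuple[Hashable, MultiAction, Hashable]   # (source, multi-action, target)


def multi(*names: str) -> MultiAction:
    return tuple(sorted(names))


def states_of(ts: Iterable[Transition]) -> Set[Hashable]:
    return {x for src, _, tgt in ts for x in (src, tgt)}


def parallel(left: List[Transition], right: List[Transition]) -> Set[Transition]:
    """Transitions of left || right on pair states: either component moves on
    its own, or both move at once and their actions form one multi-action."""
    out: Set[Transition] = set()
    for s, m, t in left:
        for r in states_of(right):
            out.add(((s, r), m, (t, r)))
    for s, m, t in right:
        for l in states_of(left):
            out.add(((l, s), m, (l, t)))
    for (s1, m1, t1), (s2, m2, t2) in product(left, right):
        out.add(((s1, s2), multi(*m1, *m2), (t1, t2)))
    return out


def comm(ts: Iterable[Transition], rules: Dict[MultiAction, str]) -> Set[Transition]:
    """Communication: every sub-multiset a|b named in `rules` is renamed to c,
    e.g. rules={multi("a", "b"): "c"} turns a|b into c and a|b|d into c|d."""
    if any(len(key) < 2 for key in rules):
        raise ValueError("communication rules must join at least two actions")
    out: Set[Transition] = set()
    for s, m, t in ts:
        bag = Counter(m)
        changed = True
        while changed:            # apply rules until no sub-multiset matches
            changed = False
            for key, name in rules.items():
                need = Counter(key)
                if all(bag[a] >= n for a, n in need.items()):
                    bag -= need
                    bag[name] += 1
                    changed = True
        out.add((s, tuple(sorted(bag.elements())), t))
    return out


def block(ts: Iterable[Transition], blocked: Set[str]) -> Set[Transition]:
    """Encapsulation: drop every transition whose multi-action contains an
    action from the set B (here the lone, unsynchronised sends and receives)."""
    return {(s, m, t) for s, m, t in ts if not blocked.intersection(m)}


def allow(ts: Iterable[Transition], allowed: Set[MultiAction]) -> Set[Transition]:
    """Allow: keep only transitions whose whole multi-action is in A; tau (the
    empty multi-action) is always kept, as in mCRL2."""
    return {(s, m, t) for s, m, t in ts if m == () or m in allowed}


# Constructed processes: a sender that performs `send` once and a receiver
# that performs `recv` once.
SENDER: List[Transition] = [("p0", multi("send"), "p1")]
RECEIVER: List[Transition] = [("q0", multi("recv"), "q1")]
RULES = {multi("send", "recv"): "c"}     # send|recv communicates into c


def enforced_communication() -> Set[Transition]:
    """send || recv, with send|recv renamed to c and only c allowed."""
    return allow(comm(parallel(SENDER, RECEIVER), RULES), {multi("c")})


def blocked_communication() -> Set[Transition]:
    """The same system, blocking the unsynchronised send and recv instead."""
    return block(comm(parallel(SENDER, RECEIVER), RULES), {"send", "recv"})


if __name__ == "__main__":
    for name, ts in (("send || recv", parallel(SENDER, RECEIVER)),
                     ("after comm + allow", enforced_communication()),
                     ("after comm + block", blocked_communication())):
        print(name)
        for s, m, t in sorted(ts):
            print(f"  {s} --{'|'.join(m) or 'tau'}--> {t}")
```

The raw parallel composition has five transitions (each side alone in both states of the other, plus the synchronised `send|recv` step); after communication and either `allow` or `block`, only the single `c` transition from `(p0, q0)` to `(p1, q1)` survives, which is exactly what forcing synchronisation means.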


Page 23: Communication

• Specification:

Page 24: Processes with data

• Why data?
  • In real-life systems data is essential
  • Data allows for finite specifications of infinite systems
• Examples:
  • Represent non-functional properties, e.g. color of a traffic light.
  • Capture information streams, e.g. communication of information
  • Manipulation, e.g. mathematical functions.
  • ...


Page 25: Processes with data

• All sorts

• Basic sorts

• Container sorts

• Functions:

• Structured sorts:


Page 26: Processes with data

• Data specification
  • Sort declarations
  • Constructors (for creating user defined data types)
  • Mappings
• Example – compute the sum over a list of values:


Page 27: Processes with Data

• BNF:
• Examples
  • Data parameterized action:
  • Data parameterized process:
  • Conditions:
  • Summation:


Page 28: Processes with Data

• Summation: shorthand notation for choice over a domain of values:
  a(0) + a(1) + ... + a(N-1) + a(N)


Page 29: An odd-max-5-counter

• Process specification

(figure labels: filter, counter)

Page 30: An odd-max-5-counter

Tool demo: mCRL2-gui, mCRL22lps, lps2lts, ltsgraph

(figure labels: filter, counter)

Page 31: Verification

• How to ensure that…
  • no deadlock?
  • counter does not exceed value X?
  • an input (r1) is always followed by an output (s3)?

(figure labels: filter, counter)

Page 32: VERIFICATION

Page 33: Verification

Model checking is an automated verification method. It can be used to check functional requirements against a model.
• A (software or hardware) system is modeled in mCRL2
• The requirements are specified as properties in a temporal logic
• A model checking algorithm decides whether the property holds for the model.

Temporal logic used within mCRL2: μ-calculus with data, time and regular expressions

Page 34: Temporal logic

• Idea of μ-calculus: add fixed point operators (i.e. recursion) as primitives to standard Hennessy-Milner logic
• μ-calculus is very expressive (subsumes e.g. CTL*)
• μ-calculus is very pure
• drawback: lack of intuition

(figure: expressiveness diagram relating μ-calculus, LTL, CTL and CTL*, with UPPAAL and mCRL2 placed on it)

Page 35–37: A flavor of μ-calculus

• Hennessy-Milner logic: proposition logic with modalities:
• Notation: state s of a transition system satisfies formula phi

For all states s: s satisfies true. For no state s: s satisfies false.

[a]phi holds in a state s if every a-labeled transition leading out of s leads to a state where phi holds.

<a>phi holds in a state s if at least one a-labeled transition leading out of s leads to a state where phi holds.

Page 38: A flavor of μ-calculus

Example: Determine the largest set of states S that satisfy:
• [b]false
• [a][b]true
• <a>true

Page 39: A flavor of μ-calculus

mCRL2 extends HM logic with regular expressions:

Explanation:
• R.R  concatenation
• R+R  choice
• R*   match R zero times or more
• R+   match R once or more

Page 40: A flavor of μ-calculus

Example: Determine the largest set of states S that satisfy:
• [b+a]false
• [a.b.c]false
• <a.a.b+a.a.a>true
• <a*>true
• <a+>true
• [a*.b]false

Page 41: An odd-max-5-counter verification

• How to ensure that…
  • no deadlock?
    [true*]<true>true
  • counter does not exceed value X?
    [true*.s3(X)]false
  • an input (r1) is always followed by an output (s3)?
    [true*.r1’.(!s3’)*]<(!s3’)*.s3’>true

(figure labels: filter, counter)
r1’, s3’: actions with eliminated data parameters
true: action wildcard
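The LTS definition of slide 14 and the [R]phi / <R>phi modalities with regular expressions of slides 35–41, carried through in Python as an added example; this is not slide material and not code from the mCRL2 toolset, which evaluates such properties via lps2pbes/pbes2bool on a full mCRL2 model. Regular and state formulas are written as nested tuples, `sat` computes the largest set of satisfying states as the slides ask, and the two small LTSs (a component that receives r1, takes an internal step and sends s3, and a faulty variant with an extra `err` step into a dead state) are constructed for the illustration; the actions are the plain r1/s3 rather than the data-eliminated r1’/s3’ of the slide:

```python
"""Hennessy-Milner formulas with regular-expression modalities ([R]phi and
<R>phi, the fragment of the mCRL2 logic used on the slides) evaluated on a
small labelled transition system (S, L, ->, s, T) as defined on slide 14.
Added example; not slide material and not mCRL2 toolset code. The r1/s3
component below is constructed for illustration."""
from typing import Callable, Iterable, Set, Tuple

Transition = Tuple[str, str, str]        # (source state, action label, target state)


class LTS:
    """States S, labels L, relation ->, initial state s, terminating states T."""

    def __init__(self, transitions: Iterable[Transition], initial: str,
                 terminating: Iterable[str] = ()):
        self.transitions = list(transitions)
        self.states = {x for src, _, tgt in self.transitions for x in (src, tgt)} | {initial}
        self.labels = {lab for _, lab, _ in self.transitions}
        self.initial = initial
        self.terminating = set(terminating)

    def step(self, sources: Set[str], accept: Callable[[str], bool]) -> Set[str]:
        """Targets of one transition out of `sources` whose label satisfies `accept`."""
        return {tgt for src, lab, tgt in self.transitions if src in sources and accept(lab)}


# Regular formulas R as tuples: ("act", a) = a   ("any",) = true (action wildcard)
# ("notact", a) = !a   ("seq", R1, R2) = R1.R2   ("alt", R1, R2) = R1+R2
# ("star", R) = R*   ("plus", R) = R+
def reach(lts: LTS, sources: Set[str], R) -> Set[str]:
    """All states reachable from `sources` along a path whose labels match R."""
    kind = R[0]
    if kind == "act":
        return lts.step(sources, lambda lab: lab == R[1])
    if kind == "any":
        return lts.step(sources, lambda lab: True)
    if kind == "notact":
        return lts.step(sources, lambda lab: lab != R[1])
    if kind == "seq":
        return reach(lts, reach(lts, sources, R[1]), R[2])
    if kind == "alt":
        return reach(lts, sources, R[1]) | reach(lts, sources, R[2])
    if kind == "star":                      # zero or more matches: iterate to a fixed point
        seen, frontier = set(sources), set(sources)
        while frontier:
            frontier = reach(lts, frontier, R[1]) - seen
            seen |= frontier
        return seen
    if kind == "plus":                      # one or more matches
        return reach(lts, sources, ("seq", R[1], ("star", R[1])))
    raise ValueError(f"unknown regular formula {R!r}")


# State formulas phi as tuples: ("true",), ("false",), ("not", phi), ("and", phi, psi),
# ("or", phi, psi), ("box", R, phi) = [R]phi, ("dia", R, phi) = <R>phi
def sat(lts: LTS, phi) -> Set[str]:
    """The largest set of states of `lts` satisfying phi."""
    kind = phi[0]
    if kind == "true":
        return set(lts.states)
    if kind == "false":
        return set()
    if kind == "not":
        return lts.states - sat(lts, phi[1])
    if kind == "and":
        return sat(lts, phi[1]) & sat(lts, phi[2])
    if kind == "or":
        return sat(lts, phi[1]) | sat(lts, phi[2])
    if kind == "box":                       # every R-path out of s ends in a phi-state
        good = sat(lts, phi[2])
        return {s for s in lts.states if reach(lts, {s}, phi[1]) <= good}
    if kind == "dia":                       # at least one R-path out of s ends in a phi-state
        good = sat(lts, phi[2])
        return {s for s in lts.states if reach(lts, {s}, phi[1]) & good}
    raise ValueError(f"unknown state formula {phi!r}")


def holds(lts: LTS, phi) -> bool:
    """Does phi hold in the initial state of `lts`?"""
    return lts.initial in sat(lts, phi)


ANY = ("any",)
NO_DEADLOCK = ("box", ("star", ANY), ("dia", ANY, ("true",)))       # [true*]<true>true


def always_followed(inp: str, out: str):
    """[true*.inp.(!out)*]<(!out)*.out>true: every inp is eventually followed by out."""
    not_out = ("star", ("notact", out))
    return ("box", ("seq", ("seq", ("star", ANY), ("act", inp)), not_out),
            ("dia", ("seq", not_out, ("act", out)), ("true",)))


# Constructed LTSs: a component that receives r1, takes an internal step and
# sends s3. The faulty variant can also take an `err` step into a state with
# no outgoing transitions, a deadlock that also breaks the r1/s3 property.
GOOD = LTS([("idle", "r1", "busy"), ("busy", "tau", "ready"), ("ready", "s3", "idle")], "idle")
FAULTY = LTS(GOOD.transitions + [("busy", "err", "dead")], "idle")


def check_all():
    """(deadlock-free?, r1 always followed by s3?) for both constructed LTSs."""
    return {name: (holds(lts, NO_DEADLOCK), holds(lts, always_followed("r1", "s3")))
            for name, lts in (("good", GOOD), ("faulty", FAULTY))}


if __name__ == "__main__":
    for name, (deadlock_free, r1_then_s3) in check_all().items():
        print(f"{name}: deadlock-free={deadlock_free}, r1 always followed by s3={r1_then_s3}")
```

Both properties hold on the good component and both fail on the faulty one, and `sat` also answers the slide-38 style questions directly: on the good LTS, `<r1>true` holds exactly in `idle` and `[r1]false` exactly in the other two states. Only the alternation-free fragment is covered; the fixed-point operators of the full μ-calculus are not implemented here.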

Page 42: An odd-max-5-counter verification

Tool demo: mCRL2-gui, lps2pbes, pbes2bool, (lpsactionrename)

(figure labels: filter, counter)

Page 43: CASE STUDY

Page 44: HEF system

• Modular HEF system
  • Levers (≥ 2) are connected to
  • Relays connect levers
  • Messages are sent over CAN-bus
  • Relays control ‘length’ of the bus
• Occasionally nonresponsive levers
  • What is wrong?
  • Something in the design?
• Time for model-checking!

Page 45: HEF system – full model (6 levers)

We focus on initialization

Page 46: HEF system - initialization

(figure: initialization sequence, steps numbered 1 to 4)

Page 47: Simplified HEF system

• Assumptions:
  • Good weather-behavior
  • Initialization only!
  • No up- and down movement
  • Modular design
• Simplified model:
  • User (#1)
  • Relays (#3)
  • Levers (#3)
• Every process has a physical position (used for identification)

Page 48: Simplified HEF system – User process

User process
• User is attached to lever pos
• Press “start”
  • Send send_start message to attached lever
• Notification: “Found n levers”
  • recv_found message contains the n found levers

Page 49: Simplified HEF system – Relay process

Relay process:
• Relay can be Open or Closed
• Relay has a position between two levers and an open status:
• Opening/closing relay:

Page 50: Simplified HEF system – Relay process

• Re-tweeting of message IDs

Page 51: Simplified HEF system – Lever process

• Lever process
  • Lever has a position pos and an ID (0 if uninitialized)
• Update ID if uninitialized
• If we get an ID and our ID is initialized we report to user

Page 52: Simplified HEF system – Lever process

• Open relay
• Close relay
• Send current ID

Page 53: Simplified HEF system – Modeled system

• System decomposition

Page 54: Simplified HEF system – Analysis

Some properties checked:
• No deadlock:
  [true*]<true>true
• We know that we modeled 3 levers, so 3 levers detected?
  <true*.found(3)>true
• Finding only 2 levers would be stupid:
  [true*.found(2)]false
  ?

Page 55: Simplified HEF system – The bug…

• So what's happening?
  start(0)
  ID_to_relay(0, 1)
  ID_from_relay(1, 1)
  ID_to_relay(1, 2)
  ID_from_relay(0, 2)
  found(2)
• Problem: Process ID==1 gets ID from process ID==2 before the relay is closed!
• Similar problem in the actual system: old relays did not close in time

Solved the day (again)

Page 56: Summary

• The mCRL2 toolset:
  • facilitates many kinds of system behavior analysis
  • can be used to:
    − detect errors in the design
    − prevent errors already in the design
• Small introduction, mCRL2 has many more features:
  • Functional programming in data specifications
  • Optimization with linear process specifications
  • State space reduction techniques
  • Checking for behavioral equivalence
  • Parameterized Boolean Equation Systems to solve properties
  • Solving Parity Games
  • Export to other (analysis) toolsets/formats
  • ...