580 likes | 830 Views
The mCRL2 toolset. Jan Friso Groote, Jeroen Keiren , Wieger Wesselink , Sjoerd Cranen , Frank Stappers , (many others) 4S100 – Verification of discrete- event systems Eindhoven, The Netherlands October 17, 2011. Introduction. Analysis techniques.
E N D
The mCRL2 toolset Jan Friso Groote, JeroenKeiren, WiegerWesselink, SjoerdCranen, Frank Stappers, (many others) 4S100 – Verification of discrete-event systems Eindhoven, The Netherlands October 17, 2011
Introduction 4S100: Frank Stappers
Analysis techniques • Analysis techniques used in hardware/software development: • Structural analysis: what things are in the system • Class diagrams (software) • CAD-models (hardware) • PCB design (electronic circuits) • Behavioral analysis: what happens in the system • Matlabsimulink models • Message sequence charts • Petri nets • Process algebra • Temporal logic... 4S100: Frank Stappers
Behavioral analysis • What is behavioral analysis about? • Modeling: • Create an abstract model of the behavior • Validation and Verification: • Validation: does the model roughly behave as expected? • Simulation, testing • Verification: does the model satisfy the requirements in all states? • Modelchecking, SAT solving, theorem proving 4S100: Frank Stappers
Behavioral analysis Why modeling? To reduce complexity: Direct verification of software/hardware system is impossible due to the huge number of states. Much more complex than e.g. Rubik’s cube: 43,252,003,274,489,856,000 (4.3 * 10 19) states 4S100: Frank Stappers
Behavioral analysis 100% (and this is even true for our language) From our experience: Without proper modeling it is impossible to get a system right. Implementing a model does not introduce substantial flaws. Modeling an implementation nearly always reveals flaws or ambiguities. 4S100: Frank Stappers
Toolsets for behavioral analysis For verification of industrial systems, tool support is essential. Toolsets for modeling, validation and verification of behavior: CADP (INRIA Rhone Alpes, France) SPIN (Bell Labs, USA) FDR (Formal Systems Limited, Oxford, UK) Uppaal(Uppsala University, Sweden) NuSMV(Carnegie Mellon University, USA) mCRL2 (MDSE group / LaQuSo, TU/e) ... 4S100: Frank Stappers
mCRL2 toolset overview - History 1990 2000 2010 now 2004 Common Representation Language (CRL) micro Common Representation Language 2 (mCRL2) micro Common Representation Language (μCRL) 4S100: Frank Stappers
mCRL2 toolset overview – General Information • The mCRL2 toolset can be used for the specification, validation and verification of concurrent systems and protocols. • Collection of tools • Available for the following platforms: • Microsoft Windows • Linux (Ubuntu/openSUSE/Fedora) • Mac OS X • Distributed under the Boost license • Available at http://mcrl2.org 4S100: Frank Stappers
Toolset overview 4S100: Frank Stappers
Success stories 4S100: Frank Stappers
modeling 4S100: Frank Stappers
Actions • The behavior of a process is that which we can observe. • Observable behavior and observing behavior can be expressed in terms of actions. • Example: • A lamp has to shine in order for us to see that it is on. • We have to look at a lamp to see that it is shining. 4S100: Frank Stappers
Labeled Transition Systems Formal definition: A labeled transition system is a tuple (S, L, →, s, T ) where: S is a set of states L is a set of labels →⊆ S × L × Sis a transition relation s ∈ Sis the initial state T ⊆ Sis the set of terminating states A labeled transition system is a basic formalism for describing behavior. Also known as labeled directed graphs or state spaces. Labels represent discrete events, also called actions. 4S100: Frank Stappers
Labeled Transition Systems Example: Ordering items 4S100: Frank Stappers
Basic process algebra A process with name ∈ is defined as P can be of the following form: An action (a ∈ Act) Sequential composition Alternative composition Recursion (Y∈ ) The deadlock process Internal/hidden action 4S100: Frank Stappers
Basic process algebra Relating algebra to LTSs 4S100: Frank Stappers
Basic process algebra - Ordering items 4S100: Frank Stappers
Parallel composition a || b a | b • can be of the following form: • Parallel composition • Communication merge • This gives rise to multi-actions (Act*): • multi-action 4S100: Frank Stappers
Parallelism Process specification 4S100: Frank Stappers
Parallelism Corresponding LTS 4S100: Frank Stappers
Communication Three operators for communication: • Communication (Act∗ × Act) • Encapsulation [block] (Act) • Allow (Act∗) Explanation: • renames multi-action a|b to c • blocks all actions in the set B • blocks multi-actions different from the ones in A 4S100: Frank Stappers
Communication • Specification: 4S100: Frank Stappers
Processes with data • Why data? • In real-life systems data is essential • Data allows for finite specifications of infinite systems • Examples: • Represent non-functional properties, e.g. color of a traffic light. • Capture information streams, e.g. communication of information • Manipulation, e.g. mathematical functions. • ... 4S100: Frank Stappers
Processes with data All sorts Basic sorts Container sorts Functions: Structured sorts: 4S100: Frank Stappers
Processes with data • Data specification • Sort declarations • Constructors (for creating user defined data types) • Mappings • Example – compute the sum over a list of values: 4S100: Frank Stappers
Processes with Data • BNF: • Examples • Data parameterized action: • Data parameterized process: • Conditions: • Summation: 4S100: Frank Stappers
Processes with Data ∞ • Summation: • Short hand notation for choice • over a domain of values: a(0)+a(1)+...+a(N-1)+a(N) 4S100: Frank Stappers
An odd-max-5-counter • Process specification counter filter 4S100: Frank Stappers
An odd-max-5-counter Tool demo: mCRL2-gui mCRL22lps lps2lts ltsgraph counter filter 4S100: Frank Stappers
Verification counter filter • How to ensure that… • no deadlock? • counter does not exceed value X? • an input (r1) is always followed by an output (s3)? 4S100: Frank Stappers
Verification 4S100: Frank Stappers
Verification Temporal logic used within mCRL2: μ-calculus with data, time and regular expressions Model checking is an automated verification method. It can be used to check functional requirements against a model. A (software or hardware) system is modeledin mCRL2 The requirements are specified as properties in a temporal logic A model checking algorithm decides whether the property holds for the model. 4S100: Frank Stappers
Temporal logic UPPAAL CTL* μ-calculus CTL LTL mCRL2 • Idea of μ-calculus: add fixed point operators (i.e. recursion) as primitives to standard Hennessy-Milner logic • μ-calculus is very expressive (subsumes e.g. CTL∗) • μ-calculus is very pure • drawback: lack of intuition 4S100: Frank Stappers
A flavor of μ-calculus For all states s: s true For no state s: sfalse Hennessy-Milner logic: proposition logic with modalities: Notation: : state of a transition system satisfies formula 4S100: Frank Stappers
A flavor of μ-calculus s [a]phi holds in a state sif everya-labeled transition leading out of sleads to a state where phi holds Hennessy-Milner logic: proposition logic with modalities: Notation: : state of a transition system satisfies formula 4S100: Frank Stappers
A flavor of μ-calculus s <a>phi holds in a state s if any a-labeled transition leading out of s leads to a state where phiholds Hennessy-Milner logic: proposition logic with modalities: Notation: : state of a transition system satisfies formula 4S100: Frank Stappers
A flavor of μ-calculus S [b]false S [a][b]true S <a>true Example: Determine the largest set of states S that satisfy: 4S100: Frank Stappers
A flavor of μ-calculus mCRL2 extends HM logic with regular expressions: Explanation: R.R concatenation R+R choice R* match R zero times or more R+ match Ronce or more 4S100: Frank Stappers
A flavor of μ-calculus S[b+a]false S [a.b.c]false S<a.a.b+a.a.a>true S<a*>true S<a+>true S[a*.b]false Example: Determine the largest set of states S that satisfy: 4S100: Frank Stappers
An odd-max-5-counter verification counter filter action wildcard r1’,s3’ actions with eliminated data parameters • How to ensure that… • no deadlock? [true*]<true>true • counter does not exceed value X? [true*.s3(X)]false • an input (r1) is always followed by an output (s3)? [true*.r1’.(!s3’)*]<(!s3’)*.s3’>true 4S100: Frank Stappers
An odd-max-5-counter verification Tool demo: mCRL2-gui lps2pbes pbes2bool (lpsactionrename) counter filter 4S100: Frank Stappers
Case study 4S100: Frank Stappers
HEF system 4S100: Frank Stappers • Modular HEF system • Levers (≥ 2) are connect to • Relays connect levers • Messages are sent over CAN-bus • Relays control `length’ of the bus • Occasionally nonresponsive levers • What is wrong? • Something in the design? • Time for model-checking!
HEF system – full model (6 levers) We focus on initialization 4S100: Frank Stappers
HEF system - initialization 4 3 1 2 4S100: Frank Stappers
Simplified HEF system • Assumptions: • Good weather-behavior • Initialization only! • No up- and down movement • Modular design • Simplified model: • User (#1) • Relays (#3) • Levers (#3) • Every process has a physical position (used for identification) 4S100: Frank Stappers
Simplified HEF system – User process User process • User is attached to lever pos • Press “start” • Send send_start message to attached lever • Notification: “Found n levers” • recv_found message contains the n found levers 4S100: Frank Stappers
Simplified HEF system – Relay process Relay process: Relay can be Open or Closed Relay has a position between two levers and an open status: Opening/closing relay: 4S100: Frank Stappers
Simplified HEF system – Relay process Re-tweeting of message IDs 4S100: Frank Stappers