New Developments around the µCRL Tool Set (Stefan Blom, Jan Friso Groote, Izak van Langevelde, Bert Lisser, Jaco van de Pol), PowerPoint presentation


  1. New Developments around the µCRL Tool Set
  Stefan Blom, Jan Friso Groote, Izak van Langevelde, Bert Lisser, Jaco van de Pol
  Centrum voor Wiskunde en Informatica, Specification and Analysis of Embedded Systems (theme leader: Wan Fokkink), Amsterdam, The Netherlands

  2. Overview
  • Introduction
  • Symbolic verification
    – Linear processes, static analysis
    – Confluence
    – Symbolic model checking
  • Explicit state verification
    – Distributed implementation
    – On-the-fly via Open/Cæsar
    – Visualization
  • Some applications
  Jaco van de Pol, FMICS, June 2003

  3. µCRL Tool Set
  [Tool-chain diagram] µCRL specification: well-formedness, type checking → Linearization → Linear process: simulation, optimization (invariants, control flow analysis), confluence, symbolic model checking → Generation → LTS: minimization, visualization, simulation, model checking, equivalence checking

  4. µCRL = process algebra + abstract data types
  µCRL inherits from abstract data types:
  • sorts: Nat, List, Bool
  • function symbols: and: Bool × Bool → Bool
  • equations: length(cons(x,l)) = succ(length(l))
  µCRL inherits from ACP style process algebra:
  • atomic actions with synchronization: read | write = comm
  • abstraction, encapsulation, renaming: τ, δ, ...
  • process operators: +, ·, ||
  • recursive process equations: X = a.c.X + b.X

  5. µCRL = ... + integration
  µCRL provides connections between data and processes:
  • atomic actions have data labels: $\mathit{send}(\mathit{frame}(x, y))$
  • conditions on data: $\mathit{finish} \lhd \mathit{empty}(\mathit{buffer}) \rhd \mathit{continue}$
  • choice over data: $\sum_{x:\mathit{Nat}} \mathit{rd}(x).\mathit{wr}(\mathit{Suc}(x))$
  • parameterized recursion: $X(\mathit{prev}:\mathit{Nat}) = \sum_{\mathit{next}:\mathit{Nat}} \mathit{read}(\mathit{next}).\mathit{send}(\mathit{prev}).X(\mathit{next})$

  6. Outline of our Verification Process
  [Flow diagram] System specification → Compilation → Optimization → Intermediate symbolic format (Facts, Analysis) → Generation → On-the-fly reduction → Finite state space

  7. Optimizations
  Various optimizations are implemented:
  • Compiler techniques (control + data flow analysis)
    – replace unchanged variables by constants
    – remove variables that are not used
    – reset variables when temporarily not used
  • Automated theorem prover based
    – invariant generation/checking
    – reachability analysis
    – partial-order-like reduction based on
      ∗ confluence detection (static)
      ∗ confluence-based state space reduction (on-the-fly)

  8. Linear process format
  $$X(d:D) = \sum_{e_1:E} c_1(d,e_1) \Rightarrow a_1(d,e_1).X(g_1(d,e_1)) + \cdots + \sum_{e_n:E} c_n(d,e_n) \Rightarrow a_n(d,e_n).X(g_n(d,e_n))$$
  • $d$ is a vector of state variables
  • $e_i$ is the vector of local variables for summand $i$
  • $c_i$ is the enabling condition for summand $i$
  • $a_i$ is the (visible/invisible) action for summand $i$
  • $g_i$ is the next-state function for summand $i$
  $X(d) \xrightarrow{a} X(d')$ iff for some $i$, $\exists e_i.\; c_i(d,e_i) \wedge d' = g_i(d,e_i) \wedge a = a_i(d,e_i)$

  9. Example: linearization of lossy channel
  $$K(a:\mathit{Nat}) = \sum_{d} \mathit{in}(a,d) \cdot \big(\tau \cdot \mathit{loss} + \tau \cdot \mathit{out}(a,d)\big) \cdot K(a)$$
  The positions in the process term are numbered 0 (before $\mathit{in}$), 1 (after $\mathit{in}$), 2 (before $\mathit{loss}$), 3 (before $\mathit{out}$), and 0 again before the recursive call. $K(17)$ is linearized by introducing a program counter $pc$ that records this position:
  $$\begin{array}{ll}
  \mathbf{proc}\ K(a, x, pc) = & \sum_{d}\ pc = 0 \Rightarrow \mathit{in}(a,d) \cdot K(a, d, 1) \\
  & +\ pc = 1 \Rightarrow \tau \cdot K(a, x, 2) \\
  & +\ pc = 1 \Rightarrow \tau \cdot K(a, x, 3) \\
  & +\ pc = 2 \Rightarrow \mathit{loss} \cdot K(a, x, 0) \\
  & +\ pc = 3 \Rightarrow \mathit{out}(a, x) \cdot K(a, x, 0) \\
  \mathbf{init}\ K(17, \bot, 0)
  \end{array}$$
  Parallel composition and hiding are defined directly on linear processes. In practice, no problematic blow-up occurs.
  The linear process can be optimized in various places (the constant 17 for $a$, and the value of $x$ while it is not used). The optimized linear process will be:
  $$\begin{array}{ll}
  \mathbf{proc}\ K(a, x, pc) = & \sum_{d}\ pc = 0 \Rightarrow \mathit{in}(17,d) \cdot K(a, d, 1) \\
  & +\ pc = 1 \Rightarrow \tau \cdot K(a, \bot, 2) \\
  & +\ pc = 1 \Rightarrow \tau \cdot K(a, x, 3) \\
  & +\ pc = 2 \Rightarrow \mathit{loss} \cdot K(a, \bot, 0) \\
  & +\ pc = 3 \Rightarrow \mathit{out}(17, x) \cdot K(a, \bot, 0) \\
  \mathbf{init}\ K(17, \bot, 0)
  \end{array}$$
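The following added example (not code from the µCRL tool set) encodes the linearized lossy channel and its optimized variant as lists of summands and generates their state spaces with the rule of the linear process format: X(d) steps to X(g_i(d,e)) with label a_i(d,e) whenever c_i(d,e) holds. It shows concretely what "reset variables when temporarily not used" buys: the optimized process has fewer states but the same action labels. The data domain for d is a constructed one of three values.

```python
# Constructed example: an LPE is a list of summands (condition, action,
# next_state), each a function of the state vector d and local variable e.
BOT = None          # stands for the "don't care" value ⊥ of the slides

def explore(summands, init, domain):
    """Generate the LTS of an LPE: X(d) --a--> X(d') iff some summand i
    has an e with c_i(d,e) true, d' = g_i(d,e) and a = a_i(d,e)."""
    states, trans, todo = {init}, set(), [init]
    while todo:
        d = todo.pop()
        for cond, act, nxt in summands:
            for e in domain:                 # the sum over the local variable
                if cond(d, e):
                    d2 = nxt(d, e)
                    trans.add((d, act(d, e), d2))
                    if d2 not in states:
                        states.add(d2)
                        todo.append(d2)
    return states, trans

# Linearized lossy channel K(a, x, pc) of slide 9; state d = (a, x, pc).
K_LIN = [
    (lambda d, e: d[2] == 0, lambda d, e: ("in", d[0], e),     lambda d, e: (d[0], e, 1)),
    (lambda d, e: d[2] == 1, lambda d, e: ("tau",),            lambda d, e: (d[0], d[1], 2)),
    (lambda d, e: d[2] == 1, lambda d, e: ("tau",),            lambda d, e: (d[0], d[1], 3)),
    (lambda d, e: d[2] == 2, lambda d, e: ("loss",),           lambda d, e: (d[0], d[1], 0)),
    (lambda d, e: d[2] == 3, lambda d, e: ("out", d[0], d[1]), lambda d, e: (d[0], d[1], 0)),
]
# Optimized version of slide 12: a is replaced by the constant 17 in the
# actions, and x is reset to ⊥ as soon as its value is no longer needed.
K_OPT = [
    (lambda d, e: d[2] == 0, lambda d, e: ("in", 17, e),       lambda d, e: (d[0], e, 1)),
    (lambda d, e: d[2] == 1, lambda d, e: ("tau",),            lambda d, e: (d[0], BOT, 2)),
    (lambda d, e: d[2] == 1, lambda d, e: ("tau",),            lambda d, e: (d[0], d[1], 3)),
    (lambda d, e: d[2] == 2, lambda d, e: ("loss",),           lambda d, e: (d[0], BOT, 0)),
    (lambda d, e: d[2] == 3, lambda d, e: ("out", 17, d[1]),   lambda d, e: (d[0], BOT, 0)),
]
INIT = (17, BOT, 0)              # init K(17, ⊥, 0)

def state_count(summands, domain=range(3)):
    """Number of reachable states over a constructed 3-value data domain."""
    return len(explore(summands, INIT, domain)[0])

def labels(summands, domain=range(3)):
    """Set of action labels occurring in the generated LTS."""
    return {t[1] for t in explore(summands, INIT, domain)[1]}

if __name__ == "__main__":
    print(state_count(K_LIN), state_count(K_OPT))   # 13 8
```

With |D| = 3 the unoptimized process has 1 + 4|D| = 13 states and the optimized one 2|D| + 2 = 8, while both generate exactly the same action labels.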

  13. Correctness of static analysis tools
  • most optimization tools yield state mappings on LPOs
  • state mappings on LPOs yield functional bisimulations on LTSs
  • invariants can be used to verify state mappings
  • state mappings preserve invariants (in two directions)
  • the Focus and Cones method provides matching criteria to prove that two linear processes are branching bisimilar
  • LPO meta-theory has been completely verified in PVS
  • mcrl2pvs: individual specifications can be translated to PVS automatically, and verified by interactive theorem proving

  14. State Space Reduction by Confluence
  An LTS can be reduced by exploiting confluence properties.
  [Diagram: strong commutation, a τ-step and an a-step from the same state close a square]
  [Diagram: state space reduction]
  We will study subsets $\xrightarrow{\tau'} \subseteq \xrightarrow{\tau}$ of the τ-transitions.

  15. Confluence Notions
  $\xrightarrow{\tau'} \subseteq \xrightarrow{\tau}$ is step/reduce confluent (SC/RC) in an LTS iff the following diagrams can be closed:
  [Diagrams: SC and RC, each starting from a $\tau'$-step and an $a$-step out of the same state]
  Note: SC ⇒ RC

  16. Reduction based on Confluence Information
  A representation map replaces each state by its representative, which must be unique in the final strongly connected components.
  [Diagram: → is a visible step, the dashed arrows are $\xrightarrow{\tau'}$ steps]
  Representation maps can be computed on-the-fly by an adaptation of Tarjan's algorithm.
  Theorem: if $\xrightarrow{\tau'}$ is RC and $\varphi$ is a representation map, then $L \leftrightarrow_b L_\varphi$.

  17. Confluence detection on LPO
  • Mark all τ-summands that commute with all other summands.
  • Invariants can be used to prove commutation.
  • $\xrightarrow{\tau'}$ := the transitions generated from marked τ-summands.
  • Then $\xrightarrow{\tau'}$ is an SC, and hence RC, subset of $\xrightarrow{\tau}$, so it can be used for on-the-fly reduction.
  • Confluence marking is preserved by state mappings.
  • All meta-theory on confluence has been verified in PVS.

  18. Confluence Formula Generation
  $$\sum_{e_a} c_a(d, e_a) \Rightarrow a(d, e_a).X(g_a(d, e_a))$$
  $$\sum_{e_\tau} c_\tau(d, e_\tau) \Rightarrow \tau.X(g_\tau(d, e_\tau))$$
  The commutation formula for this $(a, \tau)$-pair is:
  $$\begin{array}{l}
  \forall d, e_a, e_\tau.\; c_a(d, e_a) \wedge c_\tau(d, e_\tau) \to \\
  \quad c_\tau(g_a(d, e_a), e_\tau) \;\wedge\; c_a(g_\tau(d, e_\tau), e_a) \\
  \quad \wedge\; a(d, e_a) = a(g_\tau(d, e_\tau), e_a) \\
  \quad \wedge\; g_a(g_\tau(d, e_\tau), e_a) = g_\tau(g_a(d, e_a), e_\tau)
  \end{array}$$
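As an added illustration of the commutation formula and of the marking step of slide 17 (this is not the tool set's own prover), the function below decides the formula by brute force over a finite set of states and a finite domain for the local variables, where the EQ-BDD prover would decide it symbolically. The two summand pairs it is run on are constructed: two independent counters, where the (a, τ)-pair commutes, and the two τ-summands at pc = 1 of the lossy channel, where it does not, so neither of them may be marked.

```python
from itertools import product

# Constructed example: a summand is a triple (c, act, g) of functions of the
# state vector d and the local variable e, as in the linear process format.

def commutes(a_sum, tau_sum, states, domain):
    """Brute-force check of the commutation formula of slide 18:
    for all d, e_a, e_tau: c_a(d,e_a) and c_tau(d,e_tau) imply
      c_tau(g_a(d,e_a), e_tau) and c_a(g_tau(d,e_tau), e_a)
      and a(d,e_a) == a(g_tau(d,e_tau), e_a)
      and g_a(g_tau(d,e_tau), e_a) == g_tau(g_a(d,e_a), e_tau)."""
    c_a, act, g_a = a_sum
    c_t, _, g_t = tau_sum
    for d, ea, et in product(states, domain, domain):
        if not (c_a(d, ea) and c_t(d, et)):
            continue                        # premise false, nothing to check
        da, dt = g_a(d, ea), g_t(d, et)     # the two one-step successors
        if not (c_t(da, et) and c_a(dt, ea)):
            return False                    # one step disables the other
        if act(d, ea) != act(dt, ea):
            return False                    # the τ-step changed the label
        if g_a(dt, ea) != g_t(da, et):
            return False                    # the square does not close
    return True

# Two independent counters, state d = (n, m): the τ-summand advances n,
# the a-summand advances m and reports its old value. They commute.
TAU_N = (lambda d, e: d[0] < 2, lambda d, e: ("tau",),     lambda d, e: (d[0] + 1, d[1]))
A_M   = (lambda d, e: d[1] < 2, lambda d, e: ("a", d[1]),  lambda d, e: (d[0], d[1] + 1))
COUNTER_STATES = [(n, m) for n in range(3) for m in range(3)]

# The two τ-summands at pc = 1 of the lossy channel, state d = (a, x, pc).
# After either fires, pc is no longer 1, so the other one is disabled.
TAU_2 = (lambda d, e: d[2] == 1, lambda d, e: ("tau",), lambda d, e: (d[0], d[1], 2))
TAU_3 = (lambda d, e: d[2] == 1, lambda d, e: ("tau",), lambda d, e: (d[0], d[1], 3))
CHANNEL_STATES = [(17, x, pc) for x in (None, 0, 1, 2) for pc in range(4)]

def check_all():
    """(counters commute?, lossy-channel τ-pair commutes?) -> (True, False)."""
    return (commutes(A_M, TAU_N, COUNTER_STATES, [0]),
            commutes(TAU_3, TAU_2, CHANNEL_STATES, range(3)))

if __name__ == "__main__":
    print(check_all())
```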

  19. Special-purpose theorem prover
  • The µCRL toolset comes with a special-purpose automated theorem prover.
  • It handles quantifier-free Boolean formulas over an abstract data type.
  • It is based on EQ-BDDs, an extension of BDDs with equations and function symbols (Groote, vdP).
  • Other applications are:
    – inductive invariant checking
    – removal of "dead" summands
    – enhancing static analysis tools
    – future: checking user-provided state mappings
