Section: New Results

Models and Verification Techniques

The BCG Format and Libraries

Participants : Hubert Garavel, Frédéric Lang, Wendelin Serwe.

Bcg (Binary-Coded Graphs) is both a file format for the representation of explicit graphs and a collection of libraries and programs dealing with this format. Version 1.0 of the Bcg format was recently replaced by version 1.1, which can exploit the capabilities of 64-bit addressing.

In 2011, we continued to enhance the Bcg libraries as follows:

• We extended the Bcg_Read application programming interface with three new primitives so as to increase symmetry with the Open/Cæsar application programming interface (see §  6.1.2 ).

• We fixed a memory corruption problem occurring with very long label strings; this problem would cause random crashes of the Distributor tool (see §  6.1.5 ).

The OPEN/CÆSAR and CÆSAR_SOLVE Libraries

Participants : Iker Bellicot, Hubert Garavel, Yann Genevois, Frédéric Lang, Radu Mateescu, Wendelin Serwe.

Open/Cæsar is an extensible, modular, language-independent software framework for exploring implicit graphs. This key component of Cadp is used to build simulation, execution, verification, and test generation tools.

In 2011, a bug in the Cæsar_Table library has been corrected, which would cause segmentation faults when certain primitives of the Application Programming Interface were invoked on a bounded table.

Cæsar_Solve is a generic software library based on Open/Cæsar for solving boolean equation systems of alternation depth 1 (i.e., without mutual recursion between minimal and maximal fixed point equations) on the fly. This library is at the core of several Cadp verification tools, namely the equivalence checker Bisimulator , the minimization tool Reductor , and the model checkers Evaluator  3.5 and 4.0. The resolution method is based on boolean graphs, which provide an intuitive representation of dependencies between boolean variables, and which are handled implicitly, in a way similar to the Open/Cæsar interface [4] .

In 2011, we improved the parallel resolution algorithm of Cæsar_Solve (see §  6.1.5 ).

The EVALUATOR Tool

Participants : Iker Bellicot, Hubert Garavel, Yann Genevois, Radu Mateescu.

Evaluator is a model checker that evaluates a temporal logic property on a graph represented implicitly using the Open/Cæsar environment. Evaluator works on the fly, meaning that only those parts of the implicit graph relevant to verification are explored. The model checking problem is reformulated in terms of solving a boolean equation system. A useful feature of Evaluator is the generation of diagnostics (examples and counterexamples) explaining why a formula is true or false.

In version 3.5 of Evaluator , properties are described in regular alternation-free $\mu$-calculus, a logic built from boolean operators, possibility and necessity modalities containing regular expressions denoting transition sequences, and fixed point operators without mutual recursion between least and greatest fixed points. The input language of the tool also enables the user to define parameterized temporal operators and to group them into separate libraries.

In version 4.0 of Evaluator ($5,000$ lines of Syntax code, $40,500$ lines of Lotos NT code, and $13,100$ lines of C code), properties are written in Mcl (Model Checking Language) [18] , an extension of the regular alternation-free $\mu$-calculus of Evaluator  3.5 with data-handling and fairness operators. In particular, Evaluator  4.0 can handle modalities and fixed point operators with data parameters, regular expressions extended with counters, operators inspired from programming languages (“if-then-else”, “for”, etc.), and operators (of alternation depth two) allowing to characterize complex infinite sequences.

In 2011, we continued the extensive testing of Evaluator  3.5 and 4.0 using our test base of $10,000$ Bcg graphs and $3,800$ Mcl formulas. This revealed three errors in Evaluator  4.0, which have been corrected. We also brought the following enhancements to Mcl and Evaluator  4.0:

• We extended the set of Mcl operators of alternation depth two with parameterized versions of the infinite looping and saturation operators, which allow to succinctly encode the presence (respectively, the absence) of accepting cycles in generalized Büchi automata. The evaluation of these parameterized operators is translated into parameterized boolean equation systems, which are instantiated into plain boolean equation systems and solved on the fly using the algorithms A3 and A4 (extended with marked cycle detection) of the Cæsar_Solve library. This evaluation procedure has a complexity linear in the size of the degeneralized Büchi automaton, which is represented by the boolean equation system obtained after instantiation.

• We enhanced Mcl by adding a data type for manipulating sets of natural numbers. This data type, equipped with the classical set operations (union, intersection, difference, insertion, deletion, membership, etc.), enables a succinct specification of temporal properties referring to the past, such as the fact that a certain set of events (represented by natural numbers) occurred on the transition sequences leading from the initial state to the current state.

• We added a new option to Evaluator  4.0 for displaying a set of regular expressions that over-approximate the set of visible actions (transition labels in the Lts ) satisfying the action predicates occurring in the Mcl formula. This feature enables to improve the efficiency of verification by hiding the set of actions other than those produced from the Mcl formula, minimizing the Lts modulo a weak equivalence relation compatible with the formula, and then verifying the Mcl formula on the minimized Lts . This may increase the efficiency of verification by one order of magnitude, as reported in [40] .

Evaluator  4.0 was officially integrated in Cadp in March 2011. Mcl and Evaluator  4.0 were used successfully for analyzing mutual exclusion protocols (see §  6.3.1 ) and hardware architectures (see §  6.3.2 ).

Compositional Verification Tools

Participants : Frédéric Lang, Radu Mateescu.

The Cadp toolbox contains various tools dedicated to compositional verification, among which Exp.open  2.1, Projector  3.0, Bcg_Min  2.0, and Svl  2.2 play a central role. Exp.open explores on the fly the graph corresponding to a network of communicating automata (represented as a set of Bcg files). Projector implements behavior abstraction  [58] , [64] by taking into account interface constraints. Bcg_Min minimizes behavior graphs modulo strong or branching bisimulation and their stochastic extensions. Svl (Script Verification Language) is both a high level language for expressing complex verification scenarios and a compiler dedicated to this language.

In 2011, we corrected one bug in Projector , two bugs in Exp.open , and four bugs in Svl . We also enhanced these tools as follows:

• The generalized parallel composition operator proposed in [13] , including the support for “$m$ among $n$” synchronization, has been added to Svl , leading to version 2.3 of Svl .

• Together with Pepijn Crouzen (Saarland University), we pursued our work on the so-called “smart reduction” techniques for compositional verification. An article about smart reduction was published in an international conference [32] .

  We improved smart reduction for stochastic branching bisimulation so as to cut stochastic transitions (according to the “maximal progress” assumption) as early as possible in intermediate parallel compositions, thus yielding state space reductions. With this new optimization, Exp.open detects when some action (usually, an output) offered by some process can synchronize with corresponding actions (usually, inputs) offered by the other processes in all their states; if so, all stochastic transitions in choice with this action can safely be cut in every intermediate composition. This situation occurs frequently with Input/Output Interactive Markov Chains.

Additionally, we studied an alternative compositional verification approach named partial model checking  [47] . Given a temporal logic formula $\varphi$ to be evaluated on a set $S$ of concurrent processes, partial model checking consists in transforming $\varphi$ into another equivalent formula ${\varphi }^{\text{'}}$ to be evaluated on a subset of $S$. Formula ${\varphi }^{\text{'}}$ is constructed incrementally by choosing one process $P$ in $S$ and incorporating into $\varphi$ the behavioral information corresponding to $P$ — an operation called quotienting. Simplifications must be applied at each step, so as to maintain formulas at a tractable size.

We developed a prototype implementation of this approach using the generic software components of Cadp :

• We extended the definition of quotienting given by [47] to support all features of the input language of Exp.open  2.1, which enables networks of labeled transition systems to be described using parallel composition operators borrowed from various process algebras such as Ccs , Csp , and Lotos , including also Lotos NT parallel composition and “$m$ among $n$” synchronisation operators [13] .

• We gave an executable definition of quotienting in terms of a synchronous product between a graph representation (called formula graph) of the formula $\varphi$ and the process $P$, thus enabling quotienting to be implemented efficiently in Exp.open . We extended Evaluator  3.5 to automatically generate the formula graph corresponding to a temporal logic formula.

• We proposed and implemented efficient formula simplifications by combining reductions modulo bisimulations and partial formula evaluation computed using boolean equation systems.

We used this prototype implementation to verify 28 temporal logic properties on the Tftp avionics protocol [14] . For several of these properties, partial model checking uses hundreds of times less memory than on-the-fly model checking using Evaluator . This work led to a publication in an international conference [38] .

Parallel and Distributed Verification Tools

Participants : Iker Bellicot, Hubert Garavel, Rémi Hérilier, Radu Mateescu.

The Cadp toolbox contains several components designed to take advantage of distributed computing facilities (such as clusters of machines) to perform large-scale verifications, namely: Cæsar_Network , a network communication library used by the other tools, Distributor and Bcg_Merge , two companion tools [10] that perform reachability analysis using a distributed state space exploration algorithm, and Bes_Solve  [35] , a tool that solves boolean equations systems using the various resolution algorithms provided by the Cæsar_Solve library (see §  6.1.2 ), including a distributed on-the-fly resolution algorithm.

In 2011, we continued enhancing these tools, taking advantage of the valuable feedback provided by Eric Madelaine (Inria Sophia Antipolis) who used Cadp on the PacaGrid cluster. We brought the following improvements:

• We performed careful code reviews of the Cæsar_Network library, and corrected nine bugs. We equipped this library with logging primitives that proved to be helpful for debugging distributed algorithms programmed above the Cæsar_Network library.

• We fixed three bugs in Distributor and two bugs in Bcg_Merge .

• We pursued the intensive testing campaign undertaken in 2010 for Bes_Solve , using up to 100 concurrent processes running on the Pipol and Grid5000 platforms. We focused our efforts on the distributed resolution algorithm for boolean equation systems of Cæsar_Solve /Bes_Solve , which was tested extensively on examples of boolean equation systems represented explicitly as text files or generated randomly according to various parameters, the resolution results being cross-checked against the sequential resolution algorithms provided by Cæsar_Solve /Bes_Solve .

  Several bugs (affecting memory leaks, handling of early termination, diagnostic generation, collecting of statistical information about the resolution) were fixed. Changes were also carried out on the code to simplify its structure, increase modularity, and improve readability. The convergence of the distributed resolution algorithm was accelerated by backward propagation of constants as soon as they have been discovered.

• The Evaluator  4.0 tool was extended with a new prototype algorithm allowing the distributed verification of an Mcl formula on a graph using several machines connected by a network. This functionality was implemented by connecting the tool to the distributed resolution algorithm for boolean equation systems and experimented out on clusters of machines.

• Finally, we added to Cadp four new tools named Pbg_Cp , Pbg_Info , Pbg_Mv , and Pbg_Rm . These tools respectively enable to copy, query, move, and delete the Pbg (Partitioned BCG Graph) collection of files generated and used by Distributor and Bcg_Merge .

Other Tool Developments

Participants : Hubert Garavel, Yann Genevois, Rémi Hérilier, Frédéric Lang, Radu Mateescu, Wendelin Serwe.

To support the usage of Cadp in industry and academia, we pursued our efforts to master the software quality of Cadp :

• We added support for Mac OS X 10.7 (“Lion”) and enhanced the documentation for Mac OS X.

• We corrected one bug in the Installator installation assistant, two bugs in the Tst platform-checking command, and brought two bug fixes and one usability enhancement in the Eucalyptus graphical user-interface. We also provided a workaround for supporting recent versions of Ubuntu .

• We continued building a comprehensive validation framework, based on non-regression testing and semantical checking for the Cadp tools. This framework allows functional testing of individual tools as well as integration testing for several Cadp tools used together to perform complex verification scenarios on various computing platforms and using various compilers.

Other research teams took advantage of the software components provided by Cadp (e.g., the Bcg and Open/Cæsar environments) to build their own research software. We can mention the following developments:

• the Kmelia tools for component-based systems  [50] , developed at the University of Nantes (France);

• the Vercors tool for unifying architectural and behavioral specifications of distributed components  [52] , developed at Inria Sophia-Antipolis;

• the Damasco (Discovery, Adaptation and Monitoring of Context-Aware Services and Components) framework for composition and adaptation based on model transformation  [54] , developed at the University of Málaga (Spain);

• the Scoop tool for symbolic optimizations of probabilistic processes  [62] , [74] , developed at Rwth Aachen (Germany);

• the Slco (Simple Language of Communicating Objects) environment  [49] , developed at Eindhoven University of Technology (The Netherlands);

• the Motor tool for probabilistic analysis of embedded systems  [68] , developed at the Embedded Systems Institute (Eindhoven, The Netherlands);

• the Alvis modeling language for design and verification of embedded systems  [72] , developed at the Agh University of Science and Technology (Krakow, Poland).