The mCRL2 toolset

Jan Friso Groote, Jeroen Keiren, Wieger Wesselink,Sjoerd Cranen, Frank Stappers, (many others)

4S100 – Verification of discrete-event systemsEindhoven, The NetherlandsOctober 17, 2011

4S100: Frank Stappers 2

INTRODUCTION

17/10/2011

4S100: Frank Stappers 3

Analysis techniques

• Analysis techniques used in hardware/software development: • Structural analysis: what things are in the system− Class diagrams (software) − CAD-models (hardware)− PCB design (electronic circuits)

• Behavioral analysis: what happens in the system − Matlab simulink models− Message sequence charts − Petri nets − Process algebra − Temporal logic...

17/10/2011

4S100: Frank Stappers 4

Behavioral analysis

• What is behavioral analysis about? • Modeling:− Create an abstract model of the behavior

• Validation and Verification:• Validation: does the model roughly behave as expected? − Simulation, testing

• Verification: does the model satisfy the requirements in all states?− Modelchecking, SAT solving, theorem proving

17/10/2011

4S100: Frank Stappers 5

Behavioral analysis

Why modeling? To reduce complexity:• Direct verification of software/hardware system is

impossible due to the huge number of states.• Much more complex than e.g. Rubik’s cube:

43,252,003,274,489,856,000 (4.3 * 10 19) states

17/10/2011

4S100: Frank Stappers 6

Behavioral analysis

From our experience: • Without proper modeling it is impossible to get a system

right.• Implementing a model does not introduce substantial flaws.• Modeling an implementation nearly always reveals flaws or

ambiguities.

17/10/2011

100%(and this is even true for our language)

4S100: Frank Stappers 7

Toolsets for behavioral analysis

For verification of industrial systems, tool support is essential. Toolsets for modeling, validation and verification of behavior: • CADP (INRIA Rhone Alpes, France) • SPIN (Bell Labs, USA) • FDR (Formal Systems Limited, Oxford, UK) • Uppaal (Uppsala University, Sweden) • NuSMV (Carnegie Mellon University, USA) • mCRL2 (MDSE group / LaQuSo, TU/e)• ...

17/10/2011

4S100: Frank Stappers 8

mCRL2 toolset overview - History

•

17/10/2011

1990 2000 2010

now

Common Representation Language (CRL)

micro Common Representation Language (μCRL)

micro Common Representation Language 2 (mCRL2)

2004

4S100: Frank Stappers 9

mCRL2 toolset overview – General Information

• The mCRL2 toolset can be used for the specification, validation and verification of concurrent systems and protocols.

• Collection of tools • Available for the following platforms:

• Microsoft Windows • Linux (Ubuntu/openSUSE/Fedora)• Mac OS X

• Distributed under the Boost license • Available at http://mcrl2.org

17/10/2011

4S100: Frank Stappers 10

Toolset overview

17/10/2011

4S100: Frank Stappers 11

Success stories

17/10/2011

4S100: Frank Stappers 12

MODELING

17/10/2011

4S100: Frank Stappers 13

Actions

• The behavior of a process is that which we can observe. • Observable behavior and observing behavior can be

expressed in terms of actions.

• Example:• A lamp has to shine in order for us to see that it is on. • We have to look at a lamp to see that it is shining.

17/10/2011

4S100: Frank Stappers 14

Labeled Transition Systems

• A labeled transition system is a basic formalism for describing behavior.

• Also known as labeled directed graphs or state spaces. • Labels represent discrete events, also called actions.

17/10/2011

Formal definition:A labeled transition system is a tuple (S, L, →, s, T ) where: S is a set of statesL is a set of labels → ⊆ S × L × S is a transition relation s S∈ is the initial state T S⊆ is the set of terminating states

4S100: Frank Stappers 15

Labeled Transition Systems

• Example: Ordering items

17/10/2011

4S100: Frank Stappers 16

Basic process algebra

A process with name ∈ is defined as

P can be of the following form:• An action (a Act) ∈• Sequential composition • Alternative composition• Recursion (Y ∈ ) • The deadlock process• Internal/hidden action

17/10/2011

4S100: Frank Stappers 17

Basic process algebra

• Relating algebra to LTSs

17/10/2011

4S100: Frank Stappers 18

Basic process algebra - Ordering items

17/10/2011

4S100: Frank Stappers 19

Parallel composition

• can be of the following form: • Parallel composition • Communication merge

• This gives rise to multi-actions (Act*):• multi-action

17/10/2011

a || b a | b

4S100: Frank Stappers 20

Parallelism

• Process specification

17/10/2011

4S100: Frank Stappers 21

Parallelism

• Corresponding LTS

17/10/2011

4S100: Frank Stappers 22

Communication

Three operators for communication:• Communication (Act∗ × Act)• Encapsulation [block] (Act) • Allow (Act∗)Explanation:•

• renames multi-action a|b to c•

• blocks all actions in the set B•

• blocks multi-actions different from the ones in A

17/10/2011

4S100: Frank Stappers 23

Communication

17/10/2011

• Specification:

4S100: Frank Stappers 24

Processes with data

• Why data?• In real-life systems data is essential • Data allows for finite specifications of infinite systems

• Examples:• Represent non-functional properties, e.g. color of a traffic light.• Capture information streams, e.g. communication of

information• Manipulation, e.g. mathematical functions. • ...

17/10/2011

4S100: Frank Stappers 25

Processes with data

• All sorts

• Basic sorts

• Container sorts

• Functions:

• Structured sorts:

17/10/2011

4S100: Frank Stappers 26

Processes with data

• Data specification• Sort declarations• Constructors (for creating user defined data types)• Mappings

• Example – compute the sum over a list of values:

17/10/2011

4S100: Frank Stappers 27

Processes with Data

• BNF:

• Examples• Data parameterized action:• Data parameterized process:• Conditions:• Summation:

17/10/2011

4S100: Frank Stappers 28

Processes with Data

• Summation:• Short hand notation for choice• over a domain of values:

a(0)+a(1)+...+a(N-1)+a(N)

17/10/2011

∞

4S100: Frank Stappers 29

• Process specification

An odd-max-5-counter

17/10/2011

filter counter

4S100: Frank Stappers 30

Tool demo:mCRL2-guimCRL22lps

lps2ltsltsgraph

An odd-max-5-counter

17/10/2011

filter counter

4S100: Frank Stappers 31

Verification

• How to ensure that…• no deadlock?• counter does not exceed value X?• an input (r1) is always followed by an output (s3)?

17/10/2011

filter counter

4S100: Frank Stappers 32

VERIFICATION

17/10/2011

4S100: Frank Stappers 33

Verification

Model checking is an automated verification method. It can be used to check functional requirements against a model.• A (software or hardware) system is modeled in mCRL2 • The requirements are specified as properties in a temporal

logic• A model checking algorithm decides whether the property

holds for the model.

17/10/2011

Temporal logic used within mCRL2:μ-calculus with data, time and regular expressions

4S100: Frank Stappers 34

Temporal logic

• Idea of μ-calculus: add fixed point operators (i.e. recursion) as primitives to standard Hennessy-Milner logic• μ-calculus is very expressive (subsumes e.g. CTL )∗• μ-calculus is very pure• drawback: lack of intuition

17/10/2011

μ-calculus LTL CTL

CTL*

UPPAAL

mCRL2

4S100: Frank Stappers 35

A flavor of μ-calculus

• Hennessy-Milner logic: proposition logic with modalities:

• Notation: : state of a transition system satisfies formula

17/10/2011

For all states s: s trueFor no state s: s false

4S100: Frank Stappers 36

A flavor of μ-calculus

• Hennessy-Milner logic: proposition logic with modalities:

• Notation: : state of a transition system satisfies formula

17/10/2011

s [a]phi holds in a state s if every a-labeled transition leading out of s leads to a state where phi holds

4S100: Frank Stappers 37

A flavor of μ-calculus

• Hennessy-Milner logic: proposition logic with modalities:

• Notation: : state of a transition system satisfies formula

17/10/2011

s <a>phi holds in a state s if any a-labeled transition leading out of s leads to a state where phi holds

4S100: Frank Stappers 38

A flavor of μ-calculus

Example:Determine the largest set of states S that satisfy:

17/10/2011

S [b]falseS [a][b]trueS <a>true

4S100: Frank Stappers 39

A flavor of μ-calculus

mCRL2 extends HM logic with regular expressions:

Explanation:• R.R concatenation• R+R choice• R* match R zero times or more• R+ match R once or more

17/10/2011

4S100: Frank Stappers 40

A flavor of μ-calculus

Example:Determine the largest set of states S that satisfy:

17/10/2011

S [b+a]falseS [a.b.c]falseS <a.a.b+a.a.a>trueS <a*>trueS <a+>trueS [a*.b]false

4S100: Frank Stappers 41

An odd-max-5-counter verification

• How to ensure that…• no deadlock?

[true*]<true>true• counter does not exceed value X?

[true*.s3(X)]false• an input (r1) is always followed by an output (s3)?

[true*.r1’.(!s3’)*]<(!s3’)*.s3’>true

17/10/2011

filter counter

r1’,s3’ actions with eliminated data parameters

action wildcard

4S100: Frank Stappers 42

Tool demo:mCRL2-guilps2pbes

pbes2bool(lpsactionrename)

An odd-max-5-counter verification

17/10/2011

filter counter

4S100: Frank Stappers 43

CASE STUDY

17/10/2011

4S100: Frank Stappers 44

HEF system

17/10/2011

• Modular HEF system• Levers (≥ 2) are connect to• Relays connect levers• Messages are sent over CAN-bus• Relays control `length’ of the bus

• Occasionally nonresponsive levers• What is wrong?• Something in the design?

• Time for model-checking!

4S100: Frank Stappers 45

HEF system – full model (6 levers)

17/10/2011

We focus on initialization

4S100: Frank Stappers 46

HEF system - initialization

17/10/2011

1

4

2

3

4S100: Frank Stappers 47

Simplified HEF system

• Assumptions:• Good weather-behavior• Initialization only!• No up- and down movement• Modular design

• Simplified model:• User (#1)• Relays (#3)• Levers (#3)

• Every process has a physical position (used for identification)

17/10/2011

4S100: Frank Stappers 48

Simplified HEF system – User process

User process• User is attached to lever pos• Press “start”

• Send send_start message to attached lever• Notification: “Found n levers”

• recv_found message contains the n found levers

17/10/2011

4S100: Frank Stappers 49

Simplified HEF system – Relay process

Relay process:• Relay can be Open or Closed

• Relay has a position between two levers and an open status:

• Opening/closing relay:

17/10/2011

4S100: Frank Stappers 50

Simplified HEF system – Relay process

• Re-tweeting of message IDs

17/10/2011

4S100: Frank Stappers 51

Simplified HEF system – Lever process

• Lever process• Lever has a position pos and an ID (0 if uninitialized)

• Update ID if uninitialized

• If we get an ID and our ID is initialized we report to user

17/10/2011

4S100: Frank Stappers 52

Simplified HEF system – Lever process

• Open relay

• Close relay

• Sent current ID

17/10/2011

4S100: Frank Stappers 53

Simplified HEF system – Modeled system

• System decomposition

17/10/2011

4S100: Frank Stappers 54

Simplified HEF system – Analysis

Some properties checked:• No Deadlock:

[true*]<true>true• We know that we modeled 3 levers, so 3 levers detected?

<true*.found(3)>true• Finding only 2 levers would be stupid:

[true*.found(2)]false

17/10/2011

?

4S100: Frank Stappers 55

Simplified HEF system – The bug…

• So what’s happing?start(0)ID_to_relay(0, 1)ID_from_relay(1, 1)ID_to_relay(1, 2)ID_from_relay(0, 2)found(2)

• Problem: Process ID==1 gets ID from process ID==2 before the relay is closed!

• Similar problem in the actual system: old relays did not close in time

17/10/2011

Solved the day (again)

4S100: Frank Stappers 56

Summary

• The mCRL2 toolset:• facilitates many kinds of system behavior analysis• can be used to:− detect errors in the design − prevent errors already in the design

• Small introduction, mCRL2 has many more features:• Functional programming in data specifications• Optimization with linear process specifications• State space reduction techniques• Checking for behavioral equivalence • Parameterized Boolean Equations Systems to solve properties• Solving Parity Games• Export to other (analysis) toolsets/formats• ….

17/10/2011