ProB and XTL : Model checkers for B and DSSLs

1. ProB and XTL :Model checkers for B and DSSLs Michael Leuschel University of Southampton

2. ProB: Why? • Animate a B-specification • No need for user to guess parameters • Verify a B-Specification • Temporal & State-Based model checking • Test-case generation & synchronise with implementation • Benefits • Gain confidence in specifications • Detect bugs before attempting formal proofs • Check final implementation againts spec • Learn how B works

3. ProB: Internals XML Encoding Parser & Specialiser B Machine Tatibouet’s Parser Prolog Encoding Java B-Interpreter CLP B-Kernel b_execute_statement b_evaluate_expression … subset_of partial_function add … Everything except Tatibouet’s parser: in SICStus Prolog

4. Temporal vs State-Based MC • Temporal • Start from initial state • Find sequence of operations that lead to error • Examples: Spin, SMV, … • Model/State Based • No concept of initial state • Find a valid state (satisfies invariant) such that applying a single operation leads to an error • Example: Alloy

5. ProB: A Demo • Animation • Temporal Model Checking • State-Based Model Checking • Visualization • Linking with Java implementation

6. And now for something different: XTL • XTL • Written in XSB-Prolog • Exhaustive, finite state model checker for • CTL specifications • Systems represented in XSB-Prolog (e.g., interpreters!) • Ok, but why YAP (Yet Another Prolog) ?

7. Prolog: The Base XSB Prolog SICStus Prolog Ciao Prolog Other players: Mercury (.Net), SWI-Prolog, Yap, IF-Prolog

8. Tabling: what’s all the fuss? :- table p/0. q :- p. p :- p. r :- not q. :- table path/3. path(X,X,[]). path(X,Y,[X|T]) :- arc(X,Z), path(Z,Y,T). arc(a,b). arc(b,a). • What it does for you: • Loop checking • Answer Propagation • Program at a higher-level& Speed! • XSB can be used as deductive database • Useful for parsing • Useful for verification :- table model_check/1, model_check/2. model_check(S) :- prop(S,unsafe). model_check(S) :- trans(_,S,NS), model_check(NS). model_check(S,[]) :- prop(S,unsafe). model_check(S,[A|T]) :- trans(A,S,NS), model_check(NS,T).

9. Tabling II • Loop checking can be easily done in Prolog: e.g., assert/retract • But: • No answer propagation • Speed!(using CSM from Babylon) :- dynamic tabled/1. check_table(X) :- (tabled(X) -> (fail) ; assert(tabled(X))). model_check(S) :- prop(S,unsafe). model_check(S) :- trans(_,S,NS), check_table(NS),model_check(NS).

10. Tabling vs Assert - Bench XSB: 2: 0.0000 s - 76 states 4: 0.0090 s - 340 states 8: 0.1190 s - 1956 states 16: 1.0810 s - 13124 states 24: 4.5800 s - 41700 states 32: 10.0690 s - 95876 states SICSTUS - assert 2: 0.010 s - 76 states 4: 0.260 s - 340 states 8: 11.250 s - 1956 states 16: 772.500 s - 13124 states

11. Summary of our Tools ECCE Online specialiser For pure Prolog Can do infinite state MC ProB model checker & animator for B XTL finite state model checker for any system encoded in XSB Prolog LOGEN Fast offline specialiser & compiler generator for Prolog StAC XSB Prolog SICStus Prolog Ciao Prolog

12. XTL • Model checker for finite state systems • Written in XSB-Prolog • Pure & simple: • Can be analysed and specialised by other systems • Generic: • Can handle any system described in (XSB)-Prolog • Ex: Writing an interpreter for StAC in XSB is much easier than writing a compiler to Promela! (interpreter) • Efficient despite flexibility!

13. *** = out of memory One Benchmark: CSM (from Babylon) XTL Spin (wo compilation time, wo time to find search depth) FDR XSB 2.5 G4 667Mhz 500Mb XSB 2.4 Livelock Testing Refinement

14. Future Work • Full scale application of XTL to StAC • Integrate Logen into ProB &XTL • Extend ProB to handle more of B, check refinement • Apply XTL to Proforma, <insert your favourite lge here>,… • Apply XTL to ProB-interpeter • Apply ECCE for infinite state MC