- By
**terah** - Follow User

- 161 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' The mCRL2 toolset' - terah

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### The mCRL2 toolset

Jan Friso Groote, JeroenKeiren, WiegerWesselink,

SjoerdCranen, Frank Stappers, (many others)

4S100 – Verification of discrete-event systems

Eindhoven, The Netherlands

October 17, 2011

4S100: Frank Stappers

Analysis techniques

- Analysis techniques used in hardware/software development:
- Structural analysis: what things are in the system
- Class diagrams (software)
- CAD-models (hardware)
- PCB design (electronic circuits)

- Behavioral analysis: what happens in the system
- Matlabsimulink models
- Message sequence charts
- Petri nets
- Process algebra
- Temporal logic...

- Structural analysis: what things are in the system

4S100: Frank Stappers

Behavioral analysis

- What is behavioral analysis about?
- Modeling:
- Create an abstract model of the behavior

- Modeling:
- Validation and Verification:
- Validation: does the model roughly behave as expected?
- Simulation, testing

- Verification: does the model satisfy the requirements in all states?
- Modelchecking, SAT solving, theorem proving

- Validation: does the model roughly behave as expected?

4S100: Frank Stappers

Behavioral analysis

Why modeling?

To reduce complexity:

Direct verification of software/hardware system is impossible due to the huge number of states.

Much more complex than e.g. Rubik’s cube:

43,252,003,274,489,856,000 (4.3 * 10 19) states

4S100: Frank Stappers

Behavioral analysis

100%

(and this is even true for our language)

From our experience:

Without proper modeling it is impossible to get a system right.

Implementing a model does not introduce substantial flaws.

Modeling an implementation nearly always reveals flaws or ambiguities.

4S100: Frank Stappers

Toolsets for behavioral analysis

For verification of industrial systems, tool support is essential. Toolsets for modeling, validation and verification of behavior:

CADP (INRIA Rhone Alpes, France)

SPIN (Bell Labs, USA)

FDR (Formal Systems Limited, Oxford, UK)

Uppaal(Uppsala University, Sweden)

NuSMV(Carnegie Mellon University, USA)

mCRL2 (MDSE group / LaQuSo, TU/e)

...

4S100: Frank Stappers

mCRL2 toolset overview - History

1990

2000

2010

now

2004

Common Representation

Language (CRL)

micro Common Representation

Language 2 (mCRL2)

micro Common Representation

Language (μCRL)

4S100: Frank Stappers

mCRL2 toolset overview – General Information

- The mCRL2 toolset can be used for the specification, validation and verification of concurrent systems and protocols.
- Collection of tools
- Available for the following platforms:
- Microsoft Windows
- Linux (Ubuntu/openSUSE/Fedora)
- Mac OS X

- Distributed under the Boost license
- Available at http://mcrl2.org

4S100: Frank Stappers

Toolset overview

4S100: Frank Stappers

Success stories

4S100: Frank Stappers

4S100: Frank Stappers

Actions

- The behavior of a process is that which we can observe.
- Observable behavior and observing behavior can be expressed in terms of actions.
- Example:
- A lamp has to shine in order for us to see that it is on.
- We have to look at a lamp to see that it is shining.

4S100: Frank Stappers

Labeled Transition Systems

Formal definition:

A labeled transition system is a tuple (S, L, →, s, T ) where:

S is a set of states

L is a set of labels

→⊆ S × L × Sis a transition relation

s ∈ Sis the initial state

T ⊆ Sis the set of terminating states

A labeled transition system is a basic formalism for describing behavior.

Also known as labeled directed graphs or state spaces.

Labels represent discrete events, also called actions.

4S100: Frank Stappers

Basic process algebra

A process with name ∈ is defined as

P can be of the following form:

An action (a ∈ Act)

Sequential composition

Alternative composition

Recursion (Y∈ )

The deadlock process

Internal/hidden action

4S100: Frank Stappers

Basic process algebra - Ordering items

4S100: Frank Stappers

Parallel composition

a || b

a | b

- can be of the following form:
- Parallel composition
- Communication merge

- This gives rise to multi-actions (Act*):
- multi-action

4S100: Frank Stappers

Communication

Three operators for communication:

- Communication (Act∗ × Act)
- Encapsulation [block] (Act)
- Allow (Act∗)
Explanation:

- renames multi-action a|b to c
- blocks all actions in the set B
- blocks multi-actions different from the ones in A

4S100: Frank Stappers

Processes with data

- Why data?
- In real-life systems data is essential
- Data allows for finite specifications of infinite systems

- Examples:
- Represent non-functional properties, e.g. color of a traffic light.
- Capture information streams, e.g. communication of information
- Manipulation, e.g. mathematical functions.
- ...

4S100: Frank Stappers

Processes with data

All sorts

Basic sorts

Container sorts

Functions:

Structured sorts:

4S100: Frank Stappers

Processes with data

- Data specification
- Sort declarations
- Constructors (for creating user defined data types)
- Mappings

- Example – compute the sum over a list of values:

4S100: Frank Stappers

Processes with Data

- BNF:
- Examples
- Data parameterized action:
- Data parameterized process:
- Conditions:
- Summation:

4S100: Frank Stappers

Processes with Data

∞

- Summation:
- Short hand notation for choice
- over a domain of values:
a(0)+a(1)+...+a(N-1)+a(N)

4S100: Frank Stappers

An odd-max-5-counter

Tool demo:

mCRL2-gui

mCRL22lps

lps2lts

ltsgraph

counter

filter

4S100: Frank Stappers

Verification

counter

filter

- How to ensure that…
- no deadlock?
- counter does not exceed value X?
- an input (r1) is always followed by an output (s3)?

4S100: Frank Stappers

4S100: Frank Stappers

Verification

Temporal logic used within mCRL2:

μ-calculus with data, time and regular expressions

Model checking is an automated verification method. It can be used to check functional requirements against a model.

A (software or hardware) system is modeledin mCRL2

The requirements are specified as properties in a temporal logic

A model checking algorithm decides whether the property holds for the model.

4S100: Frank Stappers

Temporal logic

UPPAAL

CTL*

μ-calculus

CTL

LTL

mCRL2

- Idea of μ-calculus: add fixed point operators (i.e. recursion) as primitives to standard Hennessy-Milner logic
- μ-calculus is very expressive (subsumes e.g. CTL∗)
- μ-calculus is very pure
- drawback: lack of intuition

4S100: Frank Stappers

A flavor of μ-calculus

For all states s: s true

For no state s: sfalse

Hennessy-Milner logic: proposition logic with modalities:

Notation: : state of a transition system satisfies formula

4S100: Frank Stappers

A flavor of μ-calculus

s [a]phi holds in a state sif everya-labeled

transition leading out of sleads to a state

where phi holds

Hennessy-Milner logic: proposition logic with modalities:

Notation: : state of a transition system satisfies formula

4S100: Frank Stappers

A flavor of μ-calculus

s <a>phi holds in a state s if any a-labeled

transition leading out of s leads to a state

where phiholds

Hennessy-Milner logic: proposition logic with modalities:

Notation: : state of a transition system satisfies formula

4S100: Frank Stappers

A flavor of μ-calculus

S [b]false

S [a][b]true

S <a>true

Example:

Determine the largest set of states S that satisfy:

4S100: Frank Stappers

A flavor of μ-calculus

mCRL2 extends HM logic with regular expressions:

Explanation:

R.R concatenation

R+R choice

R* match R zero times or more

R+ match Ronce or more

4S100: Frank Stappers

A flavor of μ-calculus

S[b+a]false

S [a.b.c]false

S<a.a.b+a.a.a>true

S<a*>true

S<a+>true

S[a*.b]false

Example:

Determine the largest set of states S that satisfy:

4S100: Frank Stappers

An odd-max-5-counter verification

counter

filter

action wildcard

r1’,s3’ actions with eliminated data parameters

- How to ensure that…
- no deadlock?
[true*]<true>true

- counter does not exceed value X?
[true*.s3(X)]false

- an input (r1) is always followed by an output (s3)?
[true*.r1’.(!s3’)*]<(!s3’)*.s3’>true

- no deadlock?

4S100: Frank Stappers

An odd-max-5-counter verification

Tool demo:

mCRL2-gui

lps2pbes

pbes2bool

(lpsactionrename)

counter

filter

4S100: Frank Stappers

4S100: Frank Stappers

HEF system

4S100: Frank Stappers

- Modular HEF system
- Levers (≥ 2) are connect to
- Relays connect levers
- Messages are sent over CAN-bus
- Relays control `length’ of the bus

- Occasionally nonresponsive levers
- What is wrong?
- Something in the design?

- Time for model-checking!

Simplified HEF system

- Assumptions:
- Good weather-behavior
- Initialization only!
- No up- and down movement
- Modular design

- Simplified model:
- User (#1)
- Relays (#3)
- Levers (#3)

- Every process has a physical position (used for identification)

4S100: Frank Stappers

Simplified HEF system – User process

User process

- User is attached to lever pos
- Press “start”
- Send send_start message to attached lever

- Notification: “Found n levers”
- recv_found message contains the n found levers

4S100: Frank Stappers

Simplified HEF system – Relay process

Relay process:

Relay can be Open or Closed

Relay has a position between two levers and an open status:

Opening/closing relay:

4S100: Frank Stappers

Simplified HEF system – Lever process

- Lever process
- Lever has a position pos and an ID (0if uninitialized)
- Update ID if uninitialized
- If we get an ID and our ID is initialized we report to user

4S100: Frank Stappers

Simplified HEF system – Analysis

?

Some properties checked:

- No Deadlock:
[true*]<true>true

- We know that we modeled 3 levers, so 3 levers detected?
<true*.found(3)>true

- Finding only 2 levers would be stupid:
[true*.found(2)]false

- We know that we modeled 3 levers, so 3 levers detected?

4S100: Frank Stappers

Simplified HEF system – The bug…

Solved the day (again)

- So what’s happing?
start(0)

ID_to_relay(0, 1)

ID_from_relay(1, 1)

ID_to_relay(1, 2)

ID_from_relay(0, 2)

found(2)

- Problem: Process ID==1gets IDfrom process ID==2before the relay is closed!
- Similar problem in the actual system:
old relays did not close in time

4S100: Frank Stappers

Summary

- The mCRL2 toolset:
- facilitates many kinds of system behavior analysis
- can be used to:
- detect errors in the design
- prevent errors already in the design

- Small introduction, mCRL2 has many more features:
- Functional programming in data specifications
- Optimization with linear process specifications
- State space reduction techniques
- Checking for behavioral equivalence
- Parameterized Boolean Equations Systems to solve properties
- Solving Parity Games
- Export to other (analysis) toolsets/formats
- ….

4S100: Frank Stappers

Download Presentation

Connecting to Server..