SVL: A Scripting Language for Compositional Verification

mewstennisSoftware and s/w Development

Nov 4, 2013 (3 years and 8 months ago)

64 views

1
SVL: A ScriptingLanguagefor
CompositionalVerification
Hubert Garavel, Frédéric Lang
INRIA Rhône-Alpes / VASY
655, avenue de l’Europe
F-38330 MontbonnotSaint Martin
France
2
CADP (CAESAR/ALDEBARAN) Tools
•A toolboxfor protocolengineering
•Variousinput languages:
–LOTOS
–networks ofcommunicatingautomata
•Variousintermediatemodels:
–explicit LTSs(BCG)
–implicitLTSs(Open/Caesar)
•Bisimulation(Aldébaran, Bcg_Min, Fc2Tools)
•Model-checkers(XTL, Evaluator3.0)
•Simulation, rapidprototyping, test generation…
3
Interface: Graphicsvs Scripts
CADP code librariesandAPIs
CADP command-linetools
graphicaluser-interface
EUCALYPTUS
scriptinglanguage
SVL
4
WhyScripting?
•Verificationscenarioscanbecomplex
•Theycanberepetitive
•Manyobjects/formatsto handle:
–High-levelprocessdescriptions (e.g., LOTOS)
–Networks ofcommunicatingLTSs
–Explicit andimplicitLTSs
•Manyoperationsto perform:
–LTS generationofa LOTOS program, a network ofLTSs
–Label hiding, label renaming
–LTS minimization/comparisonmodulo equivalences
–Verification(deadlock, livelock, temporal logicformula)
•Variousverificationtechniques:
–enumerative, on-the-fly, compositional, etc.
5
Whatis SVL?
•An acronym:
Script VerificationLanguage
•A languagefor describing
(compositional) verificationscenarios
•A compiler(SVL 2.0) for executing
scenarioswritenin thislanguage
•A software componentofCADP 2001
6
Outline
•TheSVL Language
•CompositionalVerificationin SVL
•TheSVL Compiler
7
SVL Components
Twotypes ofcomponents canbemixed
•SVL verificationstatements(writtenS)
–Computeandstore an LTS or network ofLTSsin a file
–Verifytemporal properties
–Compare LTSs, etc.
•Bourneshellconstructs(linesstartingwith%)
–Variables, functions, conditionals, loops, …
–AllUnix commands
8
SVL Behaviours
•Algebraicexpressions usedin statements
•Severaloperators
–Parallelcomposition
–LTS generationandminimization
–Label hidingandrenaming, etc.
•Severaltypes ofbehaviours
–LTSs(four formats)
–Networks ofcommunicatingLTSs(twoformats)
–LOTOS descriptions
–Particularprocessesin LOTOS descriptions
9
Abstract SyntaxofBehaviours
B::= "F.bcg" |"F.aut" |"F.fc2" | "F.seq"
| "F.lotos" | "F.lotos": P [ G1, …, Gn
]
| "F.exp"
| B
1
|[G1, …, Gn]| B2 | B1
||| B2
| generationofB
0
|R reduction[usingM] [withT] ofB
0
|[S] hide[allbut]L1, …, Ln
in B0
|[S] renameL
1

L1’, …, Ln

Ln’in B
0
| [user] abstraction B1 [syncG1, …, Gn]ofB2
10
Explicit LTSs
•States andtransitions listedexhaustively
•LTSsin severalformats
B::="F.bcg"
BinaryCodedGraphs
|"F.aut"
AldébaranASCII format
|"F.fc2"
Meije’s FC2 format
| "F.seq"
Set oftraces
•Format conversions are fullyautomatic
11
CADP Toolsfor Explicit LTSs
•A set oftoolsto processBCGgraphs
–BCG_IO: Conversions from/to manyothergraphformats
–BCG_MIN: Minimizationfor strong/branchingbisimulation
–BCG_LABELS: Label hidingandrenaming
–BCG_INFO: Display information about a graph
–BCG_DRAW, BCG_EDIT: Draw/edita BCG graph
•AldebaranandtheFC2 Tools
–LTS minimizations/comparisonsfor severalbisimulations
12
ImplicitLTSs
•States andtransitions givenin comprehension
–Initial stateandtransitionrelation
–States generatedon-the-fly
•Severaltypes ofimplicitLTSs
–LOTOS descriptions ("F.lotos")
–ParticularLOTOS processes("F.lotos": P [G1, …, Gn])
–Networks ofcommunicatingautomata("F.exp")
LTSscombinedwithparallelandhiding, e.g.,
hideG
1
in ("spec1.bcg" |[G1, G2
]| "spec2
.aut")
–ParallelFC2 isalsopartlysupported
13
CADP Toolsfor ImplicitLTSs
•Specialcase: communicatingLTSs
–AldebaranandExp.OpenhandleEXP files using
on theflyandBDDmethods
–Fc2 ToolshandleparallelFC2 files usingBDD
methods
•Generalcase: OPEN/CAESAR
–Primitives to computeinitial state and
successors
–Modularseparationbetweenlanguage-
dependentcompilersandlanguage-
independenttools
14
OPEN/CAESAR
Open/CaesarAPI
implicitLTS
BCG_OPEN
EXP.OPEN

LTS generation
interactive simulation
randomexecution
on theflyverification
partial verification
test generation
Open/Caesar
librairies
FC2_OPEN
LOTOS
BCG
EXPFC2
CAESAR.OPEN
15
Explicit vs ImplicitLTSs
SVL principles:
•KeepLTSsimplicitas long as possible
–Explicit LTS generationisexpensive(state explosion)
–Notallpropertiesnecessitateto explore thewholeLTS
•Explicit LTS generationisdoneonlyif required
explicitlyby theuser
16
LTS Generation
Conversion froman implicitLTS to an explicit LTS
B ::=generationofB
0
Examples
–generationof"spec.lotos"
Use CAESAR.ADTandCAESAR
–generationof"spec.lotos" : P [G]
Use CAESAR.ADTandCAESAR(option –root)
–generationof"spec.exp"
Use EXP.OPENandGenerator
–generationof
(("spec1.bcg" |[G1]|"spec2.aut") ||| "spec
3.bcg")
Use EXP.OPENandGenerator
17
ParallelComposition
B ::=B1
|[G1, …, Gn]| B2
|
B1
||| B2
|
B1
|| B2
•Synchronizationon G1, …, Gn
(LOTOS semantics)
•B1
and
B2 canbeLTSs, but alsoanySVL behaviour
•GenerationofintermediateEXP files
18
Label Hiding
B ::= [S] hideL
1, …, Ln
in B0
| [S] hideallbutL
1, …, L
n
in B0
•An extension ofLOTOS hiding, where
Liseither
–a gatename
–a label string (e.g. "G !3.14 !TRUE")
–a regularexpression (e.g. "G !.* !TRUE")
S ::= gate|total | partial isamatchingsemanticsfor
regularexpressions
allbut meanscomplementationoftheset oflabels
•Toolsused: BCG_LABELSor EXP.OPEN
19
Label Hiding: Examples
[gate] hideG, H in "test.bcg"
invokesBCG_LABELS(-hide) andreturnsan LTS in
whichlabels whosegateisG or H are hidden
total hide"G ![AB].*" in "test.bcg"
invokesBCG_LABELSandreturnsan LTS in
whichlabels matching"G ![AB].*" are hidden
partial hideG in "test.bcg"
invokesBCG_LABELSandreturnsan LTS in
whichlabels containingG are hidden
20
Label Renaming
B ::=[S] renameL
1

L1’, …, Ln

Ln’in B
0
where
–each
L

L’
isa Unix-likesubstitution containing
regularexpressions
–S isa matchingsemantics
S ::= gate| total | single | multiple
•Toolused: BCG_LABELS
21
Label Renaming: Examples
[gate] renameG -> H, H -> G in "test.bcg"
invokesBCG_LABELS(-rename) andreturnsLTS
in whichgateG isrenamedintoH andH intoG
total rename"G !A !TRUE" -> "A_TRUE" in "test.bcg"
invokesBCG_LABELSandreturnsan LTS in which
label "G !A !TRUE" isrenamedintoA_TRUE
total rename"G !\(.*\) !\(.*\)" -> "G \2 \1" in
"test.bcg"
invokesBCG_LABELSandreturnsan LTS in which
offersoflabels whosegateisG are swapped
22
Reduction(alsoMinimization)
LTS Minimizationmodulo an equivalencerelation
B::= R reduction[usingM] [withT] ofB
0
•SeveralrelationsR
strong,branching,observational,safety,
tau*.a, etc.
•SeveraltoolsT
aldebaran, bcg_min, fc2tools
•SeveralmethodsM
std, bdd, fly
•Toolsused: Aldebaran, BCG_MIN, Fc2
23
Reduction: Examples
strongreductionof"test.bcg"[withbcg_min]
invokesBCG_MIN andreturnsan LTS
minimizedfor strongbisimulation
branchingreductionof"test.bcg" withaldebaran
invokesAldebaranandreturnsan LTS
minimizedfor branchingbisimulation
observationalreductionof"test.bcg" withFc2tools
usingbdd
invokesFc2Min usingBDD andreturnsan LTS
minimizedfor observationalequivalence
24
Abstraction
•LTS generationofB2
abstractedw.r.t. interface B1
B ::= abstraction B1
ofB2
| user abstraction B1
ofB2
•Equivalentsyntax
B ::=B2 -|| B1
| B2 -||? B1
where? hasthesamemeaningasuser
•Detailedin Section on CompositionalVerification
25
Abstract SyntaxofStatements
S::= "F.E" = B0
| "F.E" = R comparison[usingM]
[withT] B
1
== B2
| "F.E" = deadlock[withT] ofB
0
| "F.E" = livelock[withT] ofB
0
| ["F1.E" =] verify"F
2.mcl" in B0
26
AssignmentStatement
S::= "F.E" = B
0
•ComputesB0
andstores itin file "F.E"
•Extension Etells theformat for "F.E"
(aut, bcg, exp, fc2, or seq, but notlotos)
•Principles:
–Format conversions are implicit
(BCG_IO)
e.g. "spec.bcg" = "spec.fc2"ispermitted
–No implicitLTS generation
If Eisan explicit LTS format (i.e. allbut exp)
thenB0
must notdenotean implicitLTS
⇒generationmust beusedexplicitly
27
ComparisonofBehaviours
S::= "F.E" = R comparison[usingM] [withT] B1
== B2
| "F.E" = R comparison[usingM] [withT] B1
<= B2
| "F.E" = R comparison[usingM] [withT] B1
>= B2
•Compares B1
andB2
andstores thedistinguishing
path(s) (if any) in "F.E"
•Equivalenceor preorders
•Severalrelations RandseveralmethodsM
•SeveraltoolsT(aldebaranor fc2tools)
28
DeadlockandLivelockChecking
S::= "F.E" = deadlock[withT] ofB
0
| "F.E" = livelock[withT] ofB
0
•Detectsdeadlocksor livelocksusingtoolT
(aldebaran, exhibitor, evaluator, or fc2tools)
•Resultsin a (set of) pathsleadingto deadlockor
livelockstates andstoredin "F.E"
•Verificationmaybeon-the-fly
(Exhibitoror EvaluatorwithOPEN/CAESAR)
29
Temporal PropertyVerification
S ::= ["F1.E" =] verify"F
2.mcl" in B0
•CheckswhetherB0
satisfiesthetemporal logic
propertycontainedin "F2.mcl" (µ-calculus)
•May generatea diagnostic andstore itin
"F1.E"
(exampleor counter-examplewhichexplainstheresulting
truthvalue)
•Verificationmaybeon-the-fly
(OPEN/CAESARandEvaluator)
30
Shell Constructsin SVL Scripts
Shell commands canbeinserted(%)
–Direct callto Unix commands (“echo”...)
–SettingofSVL shellvariables
% DEFAULT_COMPARISON_METHOD=fly
% CAESAR_OPTIONS=-gc
–Enablestheuse ofallshellcontrol structures
"if-then-else" conditional
"for" loop
functiondefinitions
etc.
31
A Simple Example
"bitalt.bcg" = strongreductionof
generationof"bitalt.lotos";
"obs.seq" = observationalcomparison
"bitalt.bcg" == (generationof"simple.lotos");
"dead.seq" = deadlockof"bitalt.bcg";
% for N in 1 2 3 4
% do
verify"prop_$N.mcl" in "bitalt.bcg"
% done
32
Outline
•TheSVL Language
•CompositionalVerificationin SVL
•TheSVL Compiler
33
SVL Key Features
for CompositionalVerification
•Support for Basic CompositionalVerification
Example: TheAlternatingBit Protocol
•Script Simplification usingMeta-Operations
•Support for RefinedCompositionalverification
Example: Therel/REL Protocol
•CompositionalPerformance Evaluation
Example: TheSCSI-2 Protocol
34
Basic CompositionalVerification
usingCADP
How to avoid state explosion?
•Compositionalgeneration: "divideandconquer"
–Partition thesystemintosubsystems
–Minimizeeachsubsystemmodulo a strongor weak
bisimulationpreservingthepropertiesto verify
–Recombine thesubsystemsto geta systemequivalent
to theinitial one
•CADP toolssupport thisapproach
–Handlenetworks ofminimizedprocesses
–On theflyor exhaustively
35
Basic CompositionalVerification
Illustrated
S1

S

Reduced
network ofS
Reducedstate
spaceofS
1
State space
ofS
n
Reducedstate
spaceofS
n
Reducedstate
spaceofS
Composition
State space
ofS
1
Generation
Sn
GenerationReduction
Reduction
36
Example
TheAlternatingBit Protocol(ABP)
Protocolarchitecture
37
CompositionalGenerationoftheABP
usingSVL
"bitalt.bcg" = strongreductionof
hideSDT0, SDT1, RDT0, RDT1, RDTe, RACK0, RACK1, SACK0, SACK, SACKein
(
(
(strongreductionof"bitalt.lotos" : TRANSMITTER)
|||
(strongreductionof"bitalt.lotos" : RECEIVER)
)
|[SDT0, SDT1, RDT0, RDT1, RDTe, RACK0, RACK1, SACK0, SACK1, SACKe]|
(
(strongreductionof"bitalt.lotos" :MEDIUM1)
|||
(strongreductionof"bitalt.lotos" :MEDIUM2)
)
) ;
38
SimplifiedABP Script usingthe
DEFAULT_LOTOS_FILE variable
% DEFAULT_LOTOS_FILE="bitalt.lotos"
"bitalt.bcg" = strongreductionof
hideSDT0, SDT1, RDT0, RDT1, RDTe, RACK0, RACK1, SACK0, SACK1, SACKein
(
(
(strongreductionofTRANSMITTER)
|||
(strongreductionofRECEIVER)
)
|[SDT0, SDT1, RDT0, RDT1, RDTe, RACK0, RACK1, SACK0, SACK1, SACKe]|
(
(strongreductionofMEDIUM1)
|||
(strongreductionofMEDIUM2)
)
) ;
39
Meta-operations
B ::=leafR reduction[usingM][withT]ofB
0
|rootleafR reduction[usingM][withT]ofB
0
|nodeR reduction[usingM][withT]ofB
0
•Threecompositionalverificationstrategies:
–ReductionofLTSsattheleavesofparallel
compositions in B0
–ReductionofLTSsattheleavesofparallelcomposition
in B0
andthenreductionofthewholebehaviour
–ReductionateverynodeofB0
•Meta-operationsexpandto basic SVL behaviours
40
SimplifiedABP Script usingthe
"rootleafreduction" Meta-operation
% DEFAULT_LOTOS_FILE="bitalt.lotos"
"bitalt.bcg" = rootleafstrongreductionof
hideSDT0, SDT1, RDT0, RDT1, RDTe, RACK0, RACK1, SACK0, SACK1, SACKein
(
(
TRANSMITTER
|||
RECEIVER
)
|[SDT0, SDT1, RDT0, RDT1, RDTe, RACK0, RACK1, SACK0, SACK1, SACKe]|
(
MEDIUM1
|||
MEDIUM2
)
) ;
41
RefinedCompositionalVerification
•Compositionalverificationmayfail
–Concurrent processesconstraineachother
–Separatingtightly-coupledprocesses-> explosion
•Solution: use interfaces
–[Graf-Steffen-91], [Krimm-Mounier-97]
–Use interfaces to modeltheenvironment
–CADP supports thisapproach
Projectortool
(KrimmandMounier)
Des2Auttool: replacedby SVL
42
TheAbstraction Behaviour
•TheLTS ofa behaviourBmaybelargerthanthe
LTS ofa behaviourcontainingBbecause of
contextconstraints
•Example
("User1.bcg" ||| "User2.bcg") |[G]| "Medium.bcg"
"Medium.bcg" mayconstraintheinterleaving
•An SVL behaviourcanberestrictedw.r.t. an
(exact or user-given) interface
B ::= [user]abstraction B1
ofB
2
|B2
-||[?]B1
43
Use ofInterfaces for Abstraction
•Interface = LTS understoodas a set oftraces
•Abstraction eliminatesstates andtransitions ofa
processneverreachedwhilefollowingalltraces
ofitsinterface
•User-giveninterfaces involvepredicate
generationto checktheircorrectness
44
SVL Example
TheRel/REL Protocol
% DEFAULT_LOTOS_FILE="rel_rel.lotos"
"crash_trans.bcg" = strongreductionofCRASH_TRANSMITTER;
"rel_rel.bcg" = strongreductionofgenerationof
leafstrongreductionof
hideR_T1, R_T2, R12, R21 in
(
(
abstraction(hideR_T1, R_T2 in "crash_trans.bcg") of
(
(user abstraction"r1_interface.lotos" ofRECEIVER_NODE_1)
|[R12, R21]|
(user abstraction"r2_interface.lotos" ofRECEIVER_NODE_2)
)
)
|[R_T1, R_T2, R_T3]|
"crash_trans.bcg"
);
45
CompositionalPerformance Evaluation
•SVL canalsobeusedfor compositional
performance evaluation
•SeeFME 2002 paperby Garavel& Hermanns
http://www.inrialpes.fr/vasy/Publications/Garavel-Hermanns-02.html
46
Outline
•TheSVL Language
•CompositionalVerificationin SVL
•TheSVL Compiler
47
TheSVL 2.0 Compiler
leafbranchingreductionof
hideG in
(
"spec.lotos":P1 [A, B, G]
|[G]|
"spec.lotos":P2 [C, G]
)
SVL script
SVL compiler
(TRAIAN + SYNTAX)
xxxxxxxxxxxxxx
xxxx
xxxxxxxxxxx
xxxxxxxxxxx
xxxxxxxxxxxxxx
xxxxxxxxx
xxxxxxxxxxxxxx
xxxxxx
xxxxxx
xxxxxxxxxxxxxxxx
xxxxxxxxxx
xxxxxxx
xxxxxxx
Bourneshellscript
Caesar, Caesar.adt
Aldebaran
Bcg_min, Bcg_labels
Fc2tools
Exp.Open
Projector
48
TheSVL 2.0 Compiler Detailed
Output
files
Code
generator
Bourne
shellscript
Input
files
Shell
interpreter
Interm.
files
SVL
script
Truthvalues
InvokesCADP
andFC2 tools
49
TheSVL 2.0 Compiler
•7 000 linesofcode
(SYNTAX + LOTOS NT + C + BourneShell)
•Important design effort
–Concise messages + log ofexecution
–Eraseintermediatefiles as soonas possible
–Severalmodes to debugSVL descriptions
–Implements«expert» knowledge
(e.g., alternative reductionstrategies)
50
Conclusion
•SVL isa new languageanda new tool
•Fullyintegratedin CADP 2001
•Originallydesignedfor compositionalverification
•But nowusedfor mostCADP demos(27 over31)
•Advantages
–Avoidsknowledgeofeachtooloptions/syntax
–AvoidsMakefiles, script-shells, intermediatefiles
–Improvesreadabilityofverificationscripts
–A 5 page Makefile-> (muchclearer) 2 page SVL script
•Extensible to support new tools
•Positive feedback fromseveralusers
•CompositionalVerificationbecomespractical
51
More Information
•FORTE 2001 paper
http://www.inrialpes.fr/vasy/Publications/Garavel-Lang-01.html
•TACAS 2002 toolpaper
http://www.inrialpes.fr/vasy/Publications/Lang-02.html
•SVL manualpage
http://www.inrialpes.fr/vasy/cadp/man/svl.html
•CADP anddemoexamples
http://www.inrialpes.fr/vasy/cadp