Symbolic Reachability Analysis of B through ProB and LTSmin

Symbolic Reachability Analysis of B Through ProB

and LTSmin

integrated Formal Methods 2016

Jens Bendisposto

1

Philipp K¨

orner

1

Michael Leuschel

1

Jeroen Meijer

2

Jaco van de Pol

2

Helen Treharne

3

Jorden Whitefield

3

Institut f¨

ur Informatik, Heinrich Heine University D¨

usseldorf, Germany

Formal Methods and Tools, University of Twente, The Netherlands

Department of Computer Science, University of Surrey, United Kingdom

Table of Contents

1

Introduction

2

ProB

3

LTSmin

4

User Perspective

5

Developer Perspective

Outline

1

Introduction

2

ProB

3

LTSmin

4

User Perspective

5

Developer Perspective

6

Conclusion

Research Topic

LTSmin: high-performance, parallel and symbolic algorithms.

ProB: Powerful specification languages.

How do LTSmin and ProB communicate (integration

,)?

What are the achievements?

Example State Space

cs=FALSE,wait=1,finished=0

cs=TRUE,wait=0,finished=0

cs=FALSE,wait=0,finished=0

cs=FALSE,wait=0,finished=1

Enter

Leave

Exit

Restart

Leave

CS Active

Leave

Leave

main concern

Example State Space

cs=FALSE,wait=1,finished=0

cs=TRUE,wait=0,finished=0

cs=FALSE,wait=0,finished=0

cs=FALSE,wait=0,finished=1

Enter

Leave

Exit

Restart

Leave

CS Active

Leave

Leave

main concern

Example Specification

simple mutex in Event-B

1

MACHINE M u t e x S i m p l e

2

VARIABLES c s ,

w a i t ,

f i n i s h e d

3

INVARIANT

4

c s : BOOL & w a i t : NATURAL & f i n i s h e d : NATURAL

5

INITIALISATION c s := FALSE | |

w a i t := MAXINT | |

f i n i s h e d :=

0

6

OPERATIONS

7

E n t e r

= SELECT c s = FALSE & w a i t > 0 THEN

c s := TRUE | |

w a i t := w a i t − 1 END ;

8

E x i t

= SELECT c s = TRUE THEN

c s := FALSE | |

f i n i s h e d := f i n i s h e d + 1 END ;

9

L e a v e

= BEGIN c s := FALSE END ;

10

C S A c t i v e = SELECT c s = TRUE THEN s k i p END ;

11

R e s t a r t

= SELECT f i n i s h e d > 0 THEN

w a i t := w a i t + 1

| |

f i n i s h e d := f i n i s h e d − 1 END

12

END

Outline

1

Introduction

2

ProB

3

LTSmin

4

User Perspective

5

Developer Perspective

The ProB Animator and Model Checker

features

Powerful languages: B,

Event-B, CSP, Tla

+

and Z.

User friendly graphical

interface.

SICStus Prolog rewriting

back-end.

Outline

1

Introduction

2

ProB

3

LTSmin

4

User Perspective

5

Developer Perspective

The LTSmin Model Checking Toolset

Pins architecture

Specification

Languages

Pins2Pins

Wrappers

Reachability

Tools

mcrl2

Promela

. . .

ProB

front-end

back-end

Transition

Caching

Variable Reordering,

Transition Grouping

Partial Order

Reduction

Distributed

Multi-core

Symbolic

B

Event-B

Z

_Tla

Features

View hundred lines of

glue code

(in C/C++).

PINS Features

NextState function to get successor states.

Matrices with static information about the model:

Guards of transitions.

Dependencies between transitions and variables.

. . . .

Chunkmapping: pointers to Prolog terms, stored by LTSmin

in memory.

Outline

1

Introduction

2

ProB

3

LTSmin

4

User Perspective

5

Developer Perspective

6

Conclusion

Start ProB via CLI

Symbolic back-end

$ prob2lts-sym

Bspec.mch

--regroup=bcm --saturation=sat-like

\

--deadlock --action=CS Active

Multi-core explicit back-end

$ prob2lts-mc Bspec.mch

--state=tree

\

--deadlock --action=CS Active

Output

No deadlocks found

1 different actions with prefix "CS Active" are found

state space has 5 states, 13 nodes

Start ProB via CLI

Symbolic back-end

$ prob2lts-sym Bspec.mch

--regroup=bcm --saturation=sat-like

\

--deadlock --action=CS Active

Multi-core explicit back-end

$ prob2lts-mc Bspec.mch

--state=tree

\

--deadlock --action=CS Active

Output

No deadlocks found

1 different actions with prefix "CS Active" are found

state space has 5 states, 13 nodes

Start ProB via CLI

Symbolic back-end

$ prob2lts-sym Bspec.mch

--regroup=bcm --saturation=sat-like

\

--deadlock --action=CS Active

Multi-core explicit back-end

$ prob2lts-mc Bspec.mch

--state=tree

\

--deadlock --action=CS Active

Output

No deadlocks found

1 different actions with prefix "CS Active" are found

state space has 5 states, 13 nodes

Start ProB via CLI

Symbolic back-end

$ prob2lts-sym Bspec.mch

--regroup=bcm --saturation=sat-like

\

--deadlock --action=CS Active

Multi-core explicit back-end

$ prob2lts-mc

Bspec.mch

--state=tree

\

--deadlock --action=CS Active

Output

No deadlocks found

1 different actions with prefix "CS Active" are found

state space has 5 states, 13 nodes

Start ProB via CLI

Symbolic back-end

$ prob2lts-sym Bspec.mch --regroup=bcm --saturation=sat-like \

--deadlock --action=CS Active

Multi-core explicit back-end

$ prob2lts-mc Bspec.mch --state=tree \

--deadlock --action=CS Active

Output

No deadlocks found

1 different actions with prefix "CS Active" are found

state space has 5 states, 13 nodes

Start ProB via CLI

Symbolic back-end

$ prob2lts-sym Bspec.mch --regroup=bcm --saturation=sat-like \

--deadlock

--action=CS Active

Multi-core explicit back-end

$ prob2lts-mc Bspec.mch --state=tree \

--deadlock

--action=CS Active

Output

No deadlocks found

1 different actions with prefix "CS Active" are found

state space has 5 states, 13 nodes

Start ProB via CLI

Symbolic back-end

$ prob2lts-sym Bspec.mch --regroup=bcm --saturation=sat-like \

--deadlock --action=CS Active

Multi-core explicit back-end

$ prob2lts-mc Bspec.mch --state=tree \

--deadlock --action=CS Active

Output

No deadlocks found

1 different actions with prefix "CS Active" are found

state space has 5 states, 13 nodes

Start ProB via CLI

Symbolic back-end

$ prob2lts-sym Bspec.mch --regroup=bcm --saturation=sat-like \

--deadlock --action=CS Active

Multi-core explicit back-end

$ prob2lts-mc Bspec.mch --state=tree \

--deadlock --action=CS Active

Output

No deadlocks found

1 different actions with prefix "CS Active" are found

state space has 5 states, 13 nodes

Outline

1

Introduction

2

ProB

3

LTSmin

4

User Perspective

5

Developer Perspective

6

Conclusion

Chunk Mapping

chunk

A stateless piece of memory, e.g. a Prolog term.

chunk mapping function

value × type → N

simple mutex in Event-B

1

INVARIANT

2

c s : BOOL & w a i t : NATURAL & f i n i s h e d : NATURAL

Chunk tables

Protocol over ØMQ

LTSmin

ProB

init

chunks, events, matrices

NextState(hEnter,. . . ,Restarti, chunks)

(chunks

1

,. . . ,chunks

N

)

Loop

Loop

[ exist unvisited states ]

Example

cs=FALSE,wait=1,finished=0

cs=TRUE,wait=0,finished=0

cs=FALSE,wait=0,finished=0

cs=FALSE,wait=0,finished=1

Enter

Leave

Exit

Restart

Leave

CS Active

Leave

Leave

NextState Example in ØMQ

request frame

content

description

NextState

type

Enter

event

#4441707265645F66616C736500#

cs=FALSE

#4453696E740001493100#

wait=1

#4453696E740001493000#

finished=0

response frame

content

description

NextState

type

1

#states

#4441707265645F7472756500#

cs=TRUE

#4453696E740001493000#

wait=0

#4453696E740001493000#

finished=0

Dependency Matrix













cs

wait

finished

Enter

1

1

0

Exit

1

0

1

Leave

1

0

0

CS Active

1

0

0

Restart

0

1

1













1

Enter

= SELECT

cs

= FALSE &

wait

> 0 THEN

cs

:= TRUE | |

wait

:=

wait

− 1 END;

2

E x i t

= SELECT c s = TRUE THEN

c s := FALSE | |

f i n i s h e d := f i n i s h e d + 1 END ;

3

L e a v e

= BEGIN c s := FALSE END ;

Dependency Matrix













cs

wait

finished

Enter

1

1

0

Exit

1

0

1

Leave

1

0

0

CS Active

1

0

0

Restart

0

1

1













1

Enter

= SELECT cs = FALSE & wait > 0 THEN

cs := TRUE | | wait := wait − 1 END ;

2

E x i t

= SELECT c s = TRUE THEN

c s := FALSE | |

f i n i s h e d := f i n i s h e d + 1 END ;

3

L e a v e

= BEGIN c s := FALSE END ;

4

C S A c t i v e = SELECT c s = TRUE THEN s k i p END ;

5

Restart

= SELECT

finished

> 0 THEN

Dependency Matrix













cs

wait

finished

Enter

1

1

0

Exit

1

0

1

Leave

1

0

0

CS Active

1

0

0

Restart

0

1

1













1

Enter

= SELECT cs = FALSE & wait > 0 THEN

cs := TRUE | | wait := wait − 1 END ;

2

E x i t

= SELECT c s = TRUE THEN

c s := FALSE | |

f i n i s h e d := f i n i s h e d + 1 END ;

3

L e a v e

= BEGIN c s := FALSE END ;

Caching NextState calls

cs=FALSE,wait=0,finished=0

cs=FALSE,wait=0,finished=1

cs=FALSE,wait=1,finished=0

NextState(Leave, (cs = FALSE)) =⇒ {(cs = FALSE)}

Performance

Caching NextState calls

cs=FALSE,wait=0,finished=0

cs=FALSE,wait=0,finished=1

cs=FALSE,wait=1,finished=0

NextState(Leave, (cs = FALSE)) =⇒ {(cs = FALSE)}

project to cs

Caching NextState calls

cs=FALSE,wait=0,finished=0

cs=FALSE,wait=0,finished=1

cs=FALSE,wait=1,finished=0

NextState(Leave, (cs = FALSE)) =⇒ {(cs = FALSE)}

Leave

Leave

Leave

project to cs

Performance

Symbolic Storage of States

TRUE

FALSE

0

0

1

0

0

1

{}

cs

wait

finished

Compact representation

Symbolic Storage of States

TRUE

FALSE

0

0

1

0

0

1

{}

cs

wait

finished

Compact representation

Symbolic Storage of States

TRUE

FALSE

0

0

1

0

0

1

{}

cs

wait

finished

Compact representation

Symbolic Storage of States

TRUE

FALSE

0

0

1

0

0

1

{}

cs

wait

finished

Compact representation

Symbolic Storage of States

TRUE

FALSE

0

0

1

0

0

1

{}

cs

wait

finished

Compact representation

Outline

1

Introduction

2

ProB

3

LTSmin

4

User Perspective

5

Developer Perspective

6

Conclusion

Results

Specification

States

ProB

LTSmin

Speedup

Nxt St

NxtSt

Calls

Calls

CAN BUS

132,600

2,784,560

3,534

77.3

ConcurrentCounters

110,813

443,249

113,032

1.8

Cruise finite1

1,361

35,361

1,667

2.8

file system

698

5,577

1,198

0.4

MutexSimple

10

46

26

0.1

SiemensMiniPilot Abrial0

181

1,621

182

0.4

Simpson Four Slot

46,658

419,906

2,089

20.1

Train1 Lukas POR

24,637

197,082

101,441

0.7

nota

80,719

887,899

588

436.3

pkeyprot2

4,412

44,111

2,004

13.0

Ref5 Switch mch

29,861

1,134,681

1,281

127.4

Results

Specification

States

ProB

LTSmin

Speedup

Nxt St

NxtSt

Calls

Calls

CAN BUS

132,600

2,784,560

3,534

77.3

ConcurrentCounters

110,813

443,249

113,032

1.8

Cruise finite1

1,361

35,361

1,667

2.8

file system

698

5,577

1,198

0.4

MutexSimple

10

46

26

0.1

SiemensMiniPilot Abrial0

181

1,621

182

0.4

Simpson Four Slot

46,658

419,906

2,089

20.1

Train1 Lukas POR

24,637

197,082

101,441

0.7

nota

80,719

887,899

588

436.3

pkeyprot2

4,412

44,111

2,004

13.0

Ref5 Switch mch

29,861

1,134,681

1,281

127.4

Dependency Matrix (revisited)

Variable ordering

Span reduction reduces LDD sizes.

3120 nodes (span=197)

+++++++++++++++++

+---+---+

---+-+---+

+-+---+++++

++--+---+-++----+

+-++---+

+-++---+

--++--+---+

+--+---+---+

333 nodes (span=90)

+++++++++++++++++

---+-++---

---+++---+--+---+++++

++++++--+---

---+--+-+-+----

---+-+++----

---+-++-+---Future Work

More tools that can use the ØMQ interface?

Partial Order Reduction.

Make ProB import counter examples produces by LTSmin.

Benchmark with multi-core symbolic, multi-core explicit and

distributed explicit.

Best of Both Worlds (contribution)

ProB

Constraint-logic programming (CLP) solver for Set Theory +

FOL + Arithmetic.

B, Event-B, CSP, Tla

+

and Z.

Large user community (railways).

LTSmin

No need to implement reachability and model checking

algorithms.

Caching, variable reordering and POR.

High performance multi-core.