models, and logics for concurrent systems, supported by enhanced visu- alisation capabilities. ... adverts in Concurrency Mailing List). The term Formal Methods ...
Truth – A verification platform for concurrent systems Martin Lange, Martin Leucker, Thomas Noll, Stephan Tobies
Abstract. We briefly explain the design and implementation of the newly developed tool Truth which serves as a general platform for the systematic investigation of different specification languages, semantic models, and logics for concurrent systems, supported by enhanced visualisation capabilities. Modularity is achieved by employing the Rewriting Logic approach as a semantic framework for concurrency. In its current version, Truth supports tableau–based model checking for the full µ–calculus on finite transition systems. The latter are given in terms of CCS processes for which our tool additionally offers interactive visualisation and simulation features. Further extensions of Truth, being in the implementation stage, comprise the support of the trace model of concurrency as well as game–base model checking algorithms.
1
Introduction
Formal Methods are becoming more and more popular for the specification and verification of industrial critical systems. Several case studies have shown that these techniques can help to find errors during the design process (see Clarke and Wing (1996) for an overview). They are also gaining commercial success, e.g., companies such as Intel, National Semiconductor or Texas Instruments are establishing new departments for formal methods (see for example the job adverts in Concurrency Mailing List). The term Formal Methods usually denotes the application of mathematical methods for specifying and verifying complex hardware and software systems. The formal specification of a system helps to understand the system under development. Furthermore, a common and formal basis for discussing about the system is given. The verification of the specified system is a further step. Its aim is to guarantee the correctness of the functionality.1 In practice, verification is more important for debugging the design instead of showing that the design is correct. This means that verification usually proceeds in a cycle of finding errors and correcting the specification until no further errors can be detected. Two approaches for the verification of systems can be distinguished: model checking and theorem 1
Note that in this paper we concentrate on the design of a system. We do not consider the problem of assuring that the concrete implementation of a system meets its specification.
proving. Several case studies have shown that especially model checking can help to find errors during the design process (Clarke and Wing (1996)). In this paper we focus on model checking. The application of formal methods requires the availability of supporting tools because formal methods are especially adequate for the design of large systems where an ad hoc or conventional software engineering approach is not reasonable. Generally speaking, large systems consist of distributed processes working together concurrently. While the distribution of the processes usually does not involve any conceptual problems, the concurrent behaviour makes the system difficult to understand. Therefore, we put our emphasis on analysing concurrent systems. During the last years several prototypes of model checking tools have been developed, e.g., CWB (Moller (1992)), NCSU-CWB (Cleaveland and Sims (1996)), SPIN (Gr´egoire et al. (1997)) and the symbolic model checker SMV (McMillan (1992)). Most of the tools are tailored for a specific setting, e.g., CCS with transition system semantics and µ-calculus model checking. In contrast, we are aiming at a modular tool which can easily be adjusted to different specification formalisms, semantic domains, logics and model checking algorithms. In this paper we describe our verification tool Truth and our current activities to extend its functionality. Leucker and Tobies (1998) describes the tool in full detail. In Section 2 we explain the design and the features of Truth. Section 3 discusses a generic approach to incorporate different models for concurrency in a systematic fashion. The idea of game–based model checking algorithms and their advantage for verification tools is outlined in Section 4. We conclude with Section 5 by mentioning one of our concrete research issues to achieve a more powerful verification tool, Mazurkiewicz traces.
2
Truth today
We have developed Truth, a platform for the verification of concurrent systems (Leucker and Tobies (1998)). It is still in a prototype stadium, yet it is publicly available and can be downloaded2 for testing. By now the tool’s functionality is fairly complete regarding the specification and verification of concurrent systems. They can be specified in CCS, a well known process algebra (Milner (1989)). From the specification a labelled transition system is built. Its desired properties can be expressed using the µ-calculus (Kozen (1983)). The µ-calculus is a powerful logic which allows to describe various safety, liveness, and fairness properties (Emerson (1996)). It semantically subsumes the temporal logics CTL, CTL∗ , and LTL, for which effective translations into the µ-calculus are known (Emerson and Lei (1986)). The tableau-based model checker proposed by Cleaveland (1990) is used to test whether these formulae are satisfied by the transition system. It has fairly 2
see URL http://www-i2.informatik.rwth-aachen.de/Research/MCS/Truth/
good runtime properties and supports the full µ-calculus. Furthermore, it is a local model checking algorithm, i.e., it has the advantage that in many cases not the whole transition system has to be built in order to check a formula (Emerson (1997)). This is helpful especially when developing a specification. We have run several tests to compare our implementation to several existing tools. Some results are shown below. Several formulae were tested over three instances of the alternating bit protocol arranged as a pipeline. Φ6 lies outside the fragment of the µ-calculus the NCSU concurrency workbench can handle hence we could not test the performance in this case.
Truth Φ1 73.16 s 34.78 MB Φ2 0.11 s 0.48 MB Φ3 598.52 s 133.55 MB Φ4 187.82 s 92.50 MB Φ5 0.14 s 0.47 MB Φ6 out of mem. -
64.99 67.91 73.66 78.23 85.72 n.a.
NCSU s 147.49 MB s 148.87 MB s 151.12 MB s 148.43 MB s 155.62 MB n.a.
CWB 75.54 s 153.30 MB 0.13 s 99.37 s 196.82 MB 87.76 s 180.13 MB 0.12 s 0.16 s -
Table 1. Runtimes and heap sizes of the model checker
An additional feature of Truth is the possibility for interactive, graphical, and process–oriented visualisation of CCS processes. While existing tools only allow for a very basic style of simulation, Truth is able to represent processes in a much more sensible and useful manner. The simulation of processes is helpful for understanding the behaviour of a system. Figure 1 shows a screen shot for the simulation of the alternating bit protocol. The systems consists of four processes, Sender, Receiver, and channels K and L, working together in parallel and communicating. The visualisation can be scaled up to handle bigger processes by giving the explicit decomposition into subprocesses. In the game–based approach to model checking as presented in Section 4, the invalidity of a formula can be demonstrated by means of an interactive construction of a counterexample. We will reuse the process visualisation component to play and visualise this game between the user and the Truth tool in order to support debugging of error–prone specifications. Truth is implemented in Haskell, a general purpose, fully functional programming language (Peterson et al. (1996)). The choice of a declarative language serves a number of purposes. Changes to the system become easier when using a language which lacks side effects. Also many algorithms which are employed in the context of model checking have a very concise functional notation. This makes the implementation easier to understand. We have chosen a modular design that allows easy modifications of the system. Figure 2 gives an overview of the several modules of the system. The modular design makes the implement-
Fig. 1. A process oriented simulation of the alternating bit protocol
ation of Truth a good basis for the further developments which are sketched in this article. It is worth noting that the choice of a functional language for the implementation of a model checking tool does not imply that the resulting tool must be inefficient. Cleaveland and Sims (1996) claims that tools built with such a language can be very efficient. The statement still holds when using a purely functional language. In the implementation of Truth we applied the optimisations proposed in Cleaveland et al. (1995). By using state monads, a programming technique which allows destructive updates even for purely functional languages (Launchbury and Jones (1994)), we managed to get an implementation with as good runtime behaviour as described in Cleaveland et al. (1995).
3
Modularity via Rewriting Logic
As stated above, one of the main objectives of the Truth system is the modularity with respect to both specification language and underlying semantic model. With the first point in mind, the Process Algebra Compiler PAC which is described in Cleaveland et al. (1995) has been developed as a tool which, given
Specification Language
...
...
CCS
Semantic Domain
Graphical Simulation
LTS Annotations
Logic and Model Checking
µ-calculus Tableau Model Checker
LTS Data Structure
Misc. Analyses Deadlocks
Graph. Output
Fig. 2. Architecture of Truth
the syntax and the operational rules of a process algebra, generates a compiler front–end which analyses programs and computes their meaning. However, since the semantics is specified in terms of structural operational rules, the scope of this tool is restricted to (labelled) transition systems. It is possible to add a further degree of freedom by allowing also the semantic domain to be specified. This goal can be achieved by employing the Rewriting Logic approach, proposed in Meseguer (1990), Meseguer (1992) as a unified semantic framework for concurrency. It aims at a separate description of the static and dynamic aspects of a distributed system. More exactly, it distinguishes the laws describing the structure of the states of the system from the rules which specify its possible transitions. The two parts are respectively formalised as an equational theory and as a (conditional) term rewriting system. Both structures operate on states, represented as terms built up from the operators of the specification language under consideration. Since a single transition may comprise several (independent) rewriting steps, concurrent behaviour can explicitly be
Rewriting Logic description of SL Term rewriting rules
Grammar
Equations
Compiler
System description in SL
Truth frontend SL Parser
Labeled transition system
LTS generating functions
Fig. 3. Generic implementation of specification languages (SL) using Rewriting Logic
modelled. Rewriting Logic has been successfully applied to specify various languages and semantic domains; an overview can be found in Meseguer (1996). As an example, we give a Rewriting Logic specification of CCS. The expositon is inspired by Viry (1994). The description of the process algebra consists of three parts. First, the syntax of the language has to be given in terms of a context free grammar (with typing information); it is omitted here. The second part is a set of rewrite rules defining the operational semantics. In the case of CCS it has the following form: α
R={
[x] → [x′ ] α
[α.x] → [x] α
[x] → [x′ ] α
α
[x + y] → [x′ ] ¯ l
l
[x] → [x′ ] [y] → [y ′ ] τ
[x k y] → [x′ k y] [x k y] → [x′ k y ′ ] α [x[P/fix(P, x)]] → [x′ ] } α [fix(P, x)] → [x′ ] Finally, the description contains a set of equations between process terms, which identify certain states of the respective system. In this way, we reduce the state space of the resulting system as well as the number of rewrite rules. Note that, for example, the symmetric rule for + is not required above since this operator is declared to be commutative in the following equations:
E = {x + (y + z) = (x + y) + z, x k (y k z) = (x k y) k z, x + y = y + x, x k y = y k x, x + nil = x, x k nil = x, ¯ = α} x + x = x, α In order to integrate this approach in Truth, it is necessary to implement term rewriting modulo an equational theory. Regarding efficiency, it is indispensable to reduce the generally large and complex equational theory to rewriting modulo associativity and commutativity, involving coherence techniques as investigated in Viry (1995) (see also Viry (1996) for an application to the π–calculus). This enables us to employ rewriting tools such as ELAN (Borovansky et al. (1996)) or Maude (Clavel et al. (1996)), which builds up directly on Rewriting Logic, for our implementation. It should be noted that the overall structure of a system specified in rewriting logic is that of a transition system. (Though, as stated above, a single transition may represent concurrent activities in different subcomponents.) Hence, we are able to reuse our efficient implementation of (labelled) transition systems even when dealing with true concurrency. Figure 3 gives an overview of the specification language compiler for the Truth system which employs the ideas described above. It takes a specification language description and corresponding rewriting rules as input and generates a frontend for Truth. The frontend consists of a parser for the user’s specification and suitable functions for generating a corresponding labelled transition system. The specification language compiler is currently in a beta test stadium and will be part of the next release of the Truth system.
4
Games and interactive simulations
Games, as introduced in Stirling (1997), are used to combine a model checking algorithm with an interactive simulation feature. Unlike conventional model checking, which tries to prove the correctness of a formula regarding a given transition system, game–based model checking simultaneously tries to disprove and to prove it. Both tasks are performed by two respective players A and B moving pebbles on a combination of the transition system and of the set of subformulae of the µ-calculus formula under consideration. A winning strategy for a player is a set of rules telling him or her what to do in every situation when it is his or her turn. Thus, the question whether the formula is fulfilled is equivalent to the problem of finding a winning strategy for Player B. Hence the core of a game–based model checking algorithm is not the game itself. While a game can be played in polynomial time and space the finding of a strategy is harder (at most it belongs to NP∩co-NP). There is still some effort on deciding whether a polynomial algorithm exists.
Once a winning strategy for a given formula φ and a transition system K has been found it immediately solves the K |= φ problem. If the plain yes/no answer does not satisfy the user it can also be used to generate a simulation environment in which the user interactively plays a graphical game versus the model checker who shows him or her why and where the statement φ is fulfilled or fails. Figure 4 shows a transition system and a snapshot of the a game graph for the formula haihbitt expressing that there is a run starting with an a–step followed by a b–step. Obviously, the current transition system does not allow such a run. The user (Player B) wants to know why and starts the interactive simulation which shows the root of the game graph and asks whether to proceed to the left or to the right branch. Since the user believes that there is no b–successor of state s0 but expects one when moving to state number s1 , he or she chooses the right branch. However, here the game ends since in this state there is no b–successor either. Looking at the successors of state s1 , the user recognises that a c–step will follow and can correct the system.
B looses a s0
c a a
s1
(s0 , haihbitt)
B looses
b c
s2
(s0 , hbitt)
(s1 , hbitt)
Fig. 4. A game-based simulation
5
Towards true concurrency
As described in Section 2, an interleaving model for concurrency (transition systems) is employed in the system Truth. However, interleaving models have a serious disadvantage, the state space explosion. One attempt is to employ BDDs, a technique for efficient storage of the transition system. Furthermore, the visualisation of an interleaving model is less intuitive for the user because usually one describes the underlying system by defining local parts of the system and their mutual interaction. Hence, one expects this view of the system to be visualised with the help of the tool. In Section 3 we proposed a framework which enables us to implement several specification languages over several semantic domains in an easy way. However, with respect to logics and suitable model checking algorithms, it is not clear how to achieve a similar genericity. As a first step, we want to concentrate on a single semantic model, traces (Diekert and Rozenberg (1995)), and investigate suitable specification languages,
several logics, their expressiveness and corresponding model checking algorithms. Due to the specification language compiler and the modularity of Truth, these logics and algorithms can easily be integrated in our verification system.
6
Conclusion
In this paper we described the basic design of the Truth verification tool for concurrent systems. In its current version, it offers tableau–based model checking for the full µ–calculus on finite transition systems, specified as CCS processes. Additionally, it supports interactive visualisation and simulation of CCS processes. The main objective of our approach, distinguishing it from many other systems, is the modularity with respect to the three fundamental parameters for verification tools, the semantic model , the specification language, and the logic. With regard to the first two points, we are developing a compiler based on the Rewriting Logic approach. This tool will enable us to incorporate (and easily modify) specification formalisms together with their associated semantic domains in a systematic fashion, based on an equational characterisation of their algebraic structure and on an operational description of their dynamic behaviour. Existing approaches such as the PAC compiler rely on transition systems only, which are memory–consumptive and difficult to visualise. Concerning the logic, it seems to be nontrivial to achieve a similar level of modularity and genericity when dealing with non-interleaving models of parallelism. Although the overall structure of a process specified in rewriting logic is a transition system, it remains open how to catch the internal structure of a transition, which generally comprises several independent rewriting steps, within a temporal logic such as the µ–calculus. Finally we briefly discussed the game–based approach to model checking which is striking because of its intuitive character, combining model checking and interactive simulation. It will be implemented in a future version of Truth.
References P. Borovansky, C. Kirchner, H. Kirchner, P.E. Moreau, and M. Vittek. Elan: A logical framework based on computational systems. In Proc. of the First Int. Workshop on Rewriting Logic, volume 4 of Electronic Notes in Theoretical Computer Science. Elsevier, 1996. E. M. Clarke and J. M. Wing. Formal methods: State of the art and future directions. Technical Report CMU-CS-96-178, Carnegie Mellon University (CMU), September 1996. Manuel Clavel, Steven Eker, Patrick Lincoln, and Jos Meseguer. Principles of Maude. In Jos´e Meseguer, editor, Proceedings of the First International Workshop on Rewriting Logic, volume 4 of Electronic Notes in Theoretical Computer Science, pages 65–89. Elsevier, 1996.
R. Cleaveland. Tableau-based model checking in the propositional mu-calculus. Acta Informatica, 27(8):725–748, 1990. R. Cleaveland, E. Madelaine, and S. Sims. A front-end generator for verification tools. Lecture Notes in Computer Science, 1019:153–173, 1995. R. Cleaveland and S. Sims. The NCSU concurrency workbench. Lecture Notes in Computer Science, 1102:394–397, 1996. The concurrency mailing list. http://www-i2.informatik.rwth-aachen.de/Forschung/MCS/mailing list.html Volker Diekert and Grzegorz Rozenberg, editors. The Book of Traces. World Scientific, Singapore, 1995. E. A. Emerson. Automated Temporal Reasoning about Reactive Systems, volume 1043 of Lecture Notes in Computer Science, pages 41–101 Springer-Verlag Inc., New York, NY, USA, 1996. E. A. Emerson. Model checking and the mu-calculus, volume 31 of DIMACS: Series in Discrete Mathematics and Theoretical Computer Science, chapter 6. American Mathematical Society, 1997. E.A. Emerson and C.L. Lei. Efficient model checking in fragments of the propositional µ–calculus. In Symposion on Logic in Computer Science, pages 267–278, Washington, D.C., USA, June 1986. IEEE Computer Society Press. Jean-Charles Gr´egoire, Gerard J. Holzmann, and Doron A. Peled, editors. The Spin Verification System, volume 32 of DIMACS series. American Mathematical Society, 1997. ISBN 0-8218-0680-7, 203p. Dexter Kozen. Results on the propositional mu-calculus. Theoretical Computer Science, 27:333–354, December 1983. J. Launchbury and S. Peyton Jones. Lazy functional state threads. In Programming Languages Design and Implementation, Orlando, 1994. ACM Press. Martin Leucker and Stephan Tobies. Truth—A Platform for Verification of Distributed Systems. Technical Report 98-05, RWTH Aachen, May 1998. K. L. McMillan. The SMV system, symbolic model checking - an approach. Technical Report CMU-CS-92-131, Carnegie Mellon University, 1992. J. Meseguer. Conditional rewriting logic as a unified model of concurrency. Theoretical Computer Science, 96(1):73–155, April 1992. Jos´e Meseguer. Rewriting as a unified model of concurrency. In Proceedings Concur’90 Conference, Lecture Notes in Computer Science, Volume 458, pages 384–400, Amsterdam, August 1990. Springer. Also, Report SRI-CSL-90-02R, Computer Science Lab, SRI International. Jos´e Meseguer. Rewriting logic as a semantic framework for concurrency: a progress report. In Seventh International Conference on Concurrency Theory (CONCUR ’96), volume 1119 of Lecture Notes in Computer Science, pages 331–372. Springer Verlag, August 1996. R. Milner. Communication and Concurrency. International Series in Computer Science. Prentice Hall, 1989. F. Moller. The Edinburgh Concurrency Workbench (Version 6.1). Department of Computer Science, University of Edinburgh, October 1992. John Peterson, Kevin Hammond, et al. Report on the programming language haskell, a non-strict purely-functional programming language, version 1.3. Technical report, Yale University, May 1996. C. Stirling. Games for bisimulation and model checking, June 1997. Notes for Mathfit instructional meeting on games and computation, Edinburgh.
Patrick Viry. Rewriting: An effective model of concurrency. In Proceedings of PARLE ’94 – Parallel Architectures and Languages Europe, volume 817 of Lecture Notes in Computer Science, pages 648–660. Springer-Verlag, 1994. Patrick Viry. Rewriting modulo a rewrite system. Technical Report TR-95-20, Dipartimento di Informatica, December 01 1995. Patrick Viry. A rewriting implementation of pi-calculus. Technical Report TR-96-30, Dipartimento di Informatica, March 26 1996.
