Team VASY

Application Domains
Software
Contracts and Grants with Industry
Other Grants and Activities
Bibliography
Inria / Raweb 2003
Project: VASY

# Project : vasy

## Section: New Results

### Case Studies and Practical Applications

#### The FAME Cache Coherency Protocol

Participants : Damien Bergamini, Hubert Garavel, Radu Mateescu, Solofo Ramangalahy.

Since October 1998, we have been co-operating with Bull in the framework of the FormalFame contract (see §  7.2) devoted to the use of formal methods for verifying and testing multiprocessor architectures. Our work targets at Fame, the Cc-Numa architecture developed by Bull for its NovaScale series of high-performance servers based on 64 bits Intel Itanium processors. The core of Fame is a complex circuit (named B-sps), which implements the Fame cache coherency protocol and performs routing between processors and input/output nodes. The complexity of this circuit comes both from the internal parallelism inherent to routing and from multiple accesses to shared data, the consistency of which must be preserved.

After studying the B-sps as a whole (1999–2002), FormalFame currently focuses on two complex sub-components of B-sps: the Prr (Pending Request Responses) block and the Ilu (InterLeaving) unit, which are modeled and analyzed in great detail. In 2003, work took place in two directions:

• Formal specification: The development of Lotos specifications for Prr (about $7,500$  lines of Lotos and 200 lines of C code) and Ilu (about $8,900$  lines of Lotos and $3,400$  lines of C code) was done at Bull Les Clayes-sous-Bois by Yehong Xing and Jack Abily. Two successive versions V1 and V2 were described, the former corresponding to a chip sent to foundry in March 2003 and the latter to the forthcoming evolution of this chip. The role of Vasy was essentially to provide expertise in writing Lotos specifications (for instance, on the proper way of introducing random number generation in formal models, on the decision to implement a given feature either as a Lotos process or as a Lotos data operation, etc.).

• Validation of Verilog designs: A long-standing goal of FormalFame is to reuse the Lotos specification developed for a hardware system (or unit, or block, respectively) as a means to check the correctness of the Verilog design implementing this system (or unit, or block). So doing, the effort invested in formal specification is rewarded not only by finding mistakes at a high level of abstraction, but also in the actual system implementation itself.

In 2003, we experimented two different approaches to validate the Verilog designs of Prr and Ilu.

As regards Prr, the conformance between the Lotos specification and the Verilog design is checked by means of random test sequences generated automatically from the Lotos specification (using the Executor tool of Cadp). This approach is justified by the deterministic nature of Prr, which always emits the same outputs when given the same inputs. The generated test sequences contain both input and output events; they are applied to the Verilog design of Prr using Cadence's TestBuilder tool [35]. This approach proved to be successful as large test sequences (more than $100,000$ transactions) were produced and allowed to find a problem in Prr V1 (technically, a non-conformity between the Lotos specification and the Verilogdesign). This problem was not detected by other techniques because it has no impact on global cache coherence/memory consistency.

As regards Ilu, the conformance between the Lotos specification and the Verilog design is checked by translating the Lotos specification into a C program that is connected to the Verilog design of Ilu using the Exec/Cæsar and TestBuilder tools. This C program drives the execution of the Verilog design, sending inputs and checking the correctness of received outputs. The inputs are generated randomly using an history-based guidance mechanism, which gives priority to branches that have not been chosen already. The approach targets at the extensive testing of the Verilog design by letting this guided simulation execute automatically for a certain amount of time until a suitable coverage level is reached. For Ilu, the coverage criterion used in 2003 is the percentage of transitions (in the Petri net generated by Cæsar from the Lotos specification of Ilu) fired during the guided simulation. This approach proved to be technically challenging due to the intrinsic complexity of the Ilu behavior and to the programming machinery needed to interface the Ilu design with its formal specification. For the approach to be effective, two main issues had to be solved: The simulation speed was initially too slow (about 360 visible transitions per second) and the coverage was originally too small ( $15%$ of transitions fired). These issues were addressed in several ways:

• The Lotos specification of Ilu was modified to define various hardware data structures (e.g., associative search tables, directories, etc.) using data types and functions rather than Lotos processes.

• The efficiency of the C code generated by Cæsar was significantly improved (see §  6.2.1).

• The firing of $\tau$ -transitions evolved from fixed priority order to random order.

These changes led to a satisfactory solution (speed multiplied by a factor of 3 and coverage increased up to nearly $100%$ ). The FormalFame approach is now fully operational and used intensively for the validation of Prr V2 and Ilu V2. The next research steps of FormalFame investigate a different coverage criterion: the percentage of reachable, visible labels produced during the guided simulation (thus measuring coverage for both Lotos data types and gate offers).

#### The SCALAGENT Deployment Protocol

Participants : Hubert Garavel, Frédéric Lang, Radu Mateescu, Frédéric Tronel.

In the framework of the Parfums contract (see §  7.3), we studied a deployment protocol designed and implemented by ScalAgent, a startup company originating from the former Sirac team of Inria Rhône-Alpes. Among many potential applications, this protocol can be used to install and configure a set of mobile agents (Java components) on the uninterruptible power supplies manufactured by the Mge-Ups company.

The approach followed for the verification of the deployment protocol consists in generating automatically a formal specification in Lotos for a given configuration of agents to be deployed. The automatic generation is accomplished by a translator that, given as input an Xml file produced by a graphical configuration editor, produces a set of corresponding Lotos processes and an Svl script that drives the verification. The translator takes into account the Java class hierarchy and inheritance relationships to synthesize the dynamic behavior of each agent.

Given the high complexity of the deployment protocol (which features a set of distributed agents, each agent consisting itself of a set of concurrent activities), we chose a compositional verification approach reflecting closely the deployment protocol architecture. Virtually, all tools of Cadp are used during the verification process, including the Bcg_Graph tool (see §  6.1.1) especially developed to generate communication buffers efficiently.

In 2003, we completed the deployment protocol verification, with the following results:

• Model checking verification revealed some obscure points in the protocol specification, which we clarified in accordance with the ScalAgent designers. In particular, the original specification was silent about the model of communications between activities. In this respect, verification made clear (by exhibiting an infinite loop of error messages) that the protocol was not meant for handling asynchronous messages between inner activities and would only function properly with communications implemented as local procedure calls (i.e., the calling activity gets suspended until the procedure call returns).

• We applied the translator to configurations of increasing sizes, up to 71 concurrent processes. Although the high degree of concurrency could have lead to state explosion (potentially $9·1{0}^{68}$ states), compositional verification allowed to keep the size of intermediate state spaces under a workable limit (below $1{0}^{6}$ states).

These results led to a publication [25].

#### The VLTS Benchmark Suite

Participants : Damien Bergamini, Nicolas Descoubes, Hubert Garavel.

In collaboration with the Sen2 team of Cwi (Amsterdam, The Netherlands), we developed and made available to the scientific community the Vlts benchmark suite (see http://www.inrialpes.fr/vasy/cadp/resources/benchmark_bcg.html).

First benchmark base of this kind, Vlts (Very Large Transition Systems) is a collection of forty labeled transition systems of increasing sizes (ranging from 300 states to 34 million states). It provides a scientific criterion for a performance assessment of algorithms and tools operating on large graphs, including graph visualization software, explicit state verification software (model checkers, equivalence checkers, and minimization tools), as well as computer formats for the representation of transition systems. Although very recent, the Vlts benchmark suite has already been used in several scientific publications.

The benchmarks of the Vlts are encoded in the Bcg format and benefit from the specific compression techniques provided by this format. The development of the Vlts benchmark base led us to a finer tuning of the default compression parameters of the Bcg format, resulting in a better compression (approximately 12%). Moreover, we developed additional compression techniques and tools, which decreased the amount of the disk space needed to store the entire Vlts from 800 down to 454 Mbytes.

#### Other Case Studies

In 2003, the Vasy team also worked on the following case studies:

• We verified compositionally (using Svl scripts) a randomized consensus protocol [36] [49], in which several distributed processes try to agree on a common value. The convergence is guaranteed, but only after an unbounded number of rounds. We generated the Bcg graph for one round and showed that the Bcg graph for several rounds can be obtained by induction from the former graph using label renaming and parallel composition only. This case study allowed us to experiment the new Bcg_Graph tool (see §  6.1.1) to generate the communication media.

• We reconsidered a former case study: the verification of a cache memory (originally described in [33]), which was verified using abstractions and Cadp as described in [43]. While some years ago the verification of the abstracted protocol was only feasible using sophisticated compositional techniques, the latest version of Cæsar managed to generate a smaller graph (about $10,000$ states) directly.

• We extended our Ntif model of the Ceps (Common Electronic Purse Specification, see § 5.2.1 in the 2001 Vasy activity report) with new functionalities, such as for instance the ``Load device'' operation. This extended model ( $1,300$  lines of Ntif code, 102 variables among which 11 symbolic parameters) was used as a common case study for several verification and testing tools (TReX, HarVey, Atelier B, Stg, and BZ-TT). The Vasy team carried out the verification using TReX, which generated the graph of reachable symbolic states in 1h42. Some properties, such as ``all slots used contain different currencies'', were verified in a few seconds using Evaluator 3.0 (see §  6.1.4).

• In collaboration with Carmen Occhipinti and Paolo Fabriani (Engineering, Italy), we specified in Lotos the Fkms (Federated Knowledge Management System) case study proposed by Engineering in the framework of the ArchWare project (see §  7.1). Two different versions of the Lotos specification were developed, containing a simple federation manager (750 lines of code) and an enhanced one ( $1,100$ lines of code) [29]. We then expressed several temporal logic properties characterizing the proper handling of documents within the Fkms and checked them on several configurations using Evaluator 3.0. This activity allowed to spot an error in the querying mechanism of documents in an Fkms ontology.

• In collaboration with Nathalie Chabrier, François Fages, and Nathalie Sznajder (Contraintes team of Inria Rocquencourt), we investigated the use of Cadp for analyzing formal models of biological processes expressed in the Biocham language developed by Contraintes. A translator from Biocham to Lotos was developed and applied to a qualitative model of cell cycle control for mammals; on the generated Lotos code, it was then possible to verify various temporal properties using the Evaluator 3.0 model checker. This experiment led to several findings. The syntax and static semantics rules of Lotos unveiled various mistakes, which had not been caught before; this problem was addressed by Contraintes in its revised version of Biocham. Also, it appeared that the Lotos code generated by the translator was excessively verbose; for this reason, Vasy started to incorporate in its Lotos compilers some useful shorthand notations that exist in E-Lotos and Lotos NT.

• In collaboration with Grégory Batt and Hidde de Jong (Helix team of Inria Rhône-Alpes), we connected the Gna (Genetic Network Analyzer) tool developed by Helix with Cadp in order to verify temporal properties of genetic regulatory networks. Gna provides a simulator of qualitative models of genetic regulatory networks in the form of piecewise-linear differential equations. To achieve the connection, we developed a translator named Gna2Bcg (200 lines of C code) from the graph format produced by Gna to the Bcg format. The resulting Bcg graph can be simplified by eliminating instantaneous states using abstraction and reduction modulo branching equivalence, and inspected visually by using the Bcg_Edit tool of Cadp. Then, various temporal properties concerning the behavior of the regulatory network (evolution of protein concentrations, reachability of equilibrium states, etc.) can be verified using the Evaluator 3.0 model checker. In addition, the input language of Evaluator 3.0 was extended with an operator for string concatenation, which allows a better parameterization of property definitions, yielding more concise specifications. This verification methodology was applied to the analysis of a small biologically-inspired system.

Other teams also used the Cadp toolbox for various case studies. To cite only the work published in 2003, we can mention:

• the synthesis and verification of constraints for the Pragmatic General Multicast (Pgm) protocol [38],

• the verification of the cache coherency protocol of the Jackal distributed shared memory implementation of Java [48],

• the verification of an agent-oriented auction protocol [40],

• the verification of a distributed fault tolerant algorithm developed using the JavaSpaces coordination architecture [52],

• the architectural unit testing of a robot teleoperation system described in Uml [51],

• the verification of distributed dataspace applications developed using the space calculus [47],

• the verification of the Positive Acknowledgement Retransmission (Par) protocol [37].

Other research teams took advantage of the software components provided by Cadp (e.g., the Bcg and Open/Cæsar environments) to build their own research software. We can mention the following developments:

• the VoDkaV tool, which uses Cadp to extract information from a system described in Erlang, with application to a video-on-demand server [34],

• a translator of SoC (System on Chip) descriptions based on the STBus developed by STMicroelectronics into Lotos for codesign and verification purposes [53],

• the Else state space generator, which explores the symbolic reachability graph of timed automata in connection with Cadp [54].