Project : vasy
Section: New Results
Case Studies and Practical Applications
In 2004, the Vasy team also worked on the following case studies:
We collaborated with Gwen Salaün (formerly at University ``La Sapienza'', Rome) on the verification of negotiating Web services involving clients and providers, who try to agree on some information (e.g., prices) . In this case study, we used our latest prototype of Cæsar (see § 6.2.2) to verify large configurations.
In the framework of the Inria/Leti collaboration (see § 8.1), we studied the suitability of Lotos and Cadp for the verification of asynchronous circuits. We developed a Lotos specification (about 2, 000 lines of code) for an asynchronous circuit, designed by the Leti and Tima laboratories, which implements the Des (Data Encryption Standard) algorithm. We successfully verified several correctness properties about the control flow of the circuit, such as absence of deadlocks, correct number of iterations, etc.
We studied a cache coherence protocol for a multiprocessor architecture specified in Lotos by Massimo Zendri (Bull) in 1999. This protocol is based on a remote directory used by concurrent agents. Using a simple compositional verification approach, we could generate the state space for 5 agents, but failed to handle larger configurations, because the remote directory process became too large (1 million states, 40 million transitions for 5 agents) to be generated in isolation for more than 5 agents. The automated interface generation feature of Exp.Open 2.0 (see § 6.1.5) allowed us to constrain tightly the remote directory process (which never exceeded 60 states) and to generate the state space for 7 agents (1 million states and 7 million transitions).
We collaborated with Holger Hermanns and Sven Johr (Saarland University) to generate a stochastic model of a distributed mutual exclusion algorithm. The model was obtained from the parallel composition using Exp.Open 2.0 of ``sequential'' stochastic models corresponding to each concurrent process. Using the Cadp toolbox, all configurations with up to 5 processes could be generated without problem. For the configuration with 6 processes, we first generated, using Distributor on a cluster of 8 machines, a Pbg model (see § 6.1.6), which was unfortunately too large (224 million states, 1, 300 million transitions, 12 Gbytes) to fit on standard 32-bit file systems; therefore, we used the partial order reduction for stochastic systems implemented in Exp.Open 2.0 (see Section 6.1.5) together with Distributor; using a cluster of 11 machines, we managed to generate a much smaller, yet equivalent, state space (44 million states, 80 million transitions) in less than 7 minutes.
We continued the work undertaken in collaboration with Grégory Batt and Hidde de Jong (Helix team of Inria Rhône-Alpes) for connecting the Gna (Genetic Network Analyzer) tool developed by Helix with Cadp in order to verify temporal properties of genetic regulatory networks.
Gna provides a simulator of qualitative models of genetic regulatory networks in the form of piecewise-linear differential equations. The connection is performed by the Gna2Bcg translator from the graph format produced by Gna to the Bcg format. The resulting Bcg graph can be simplified by eliminating instantaneous states using abstraction and reduction modulo branching equivalence, and inspected visually by using the Bcg_Edit tool of Cadp. Then, various temporal properties concerning the behavior of the regulatory network (evolution of protein concentrations, reachability of equilibrium states, etc.) can be verified using the Evaluator 3.0 model checker.
In 2004, we improved the translation between the graphs produced by Gna and those accepted by Cadp in order to preserve strong equivalence, and we defined the Ctl operators, which are useful for expressing properties of genetic regulatory networks, as a library (50 lines of regular alternation-free -calculus) in Evaluator 3.0. The joint use of Gna and Cadp for model checking genetic regulatory networks was subject to a publication .
In the framework of the FormalFame contract (see § 7.2), we performed a comparative study of the Murφ and Cadp verification tools. For this study, Bull selected as a benchmark a cache coherence protocol for multiprocessor architectures present in the Murφ distribution (under the name ``Cache3'').
We translated manually the Murφ code (1, 000 lines) into Lotos (1, 800 lines of Lotos). Both languages do not provide the same level of description: Murφ requires a sequential abstraction in which the entire protocol is viewed as a single sequential process handling global data, whereas Lotos allows a more detailed view, closer to the actual implementation, in which the protocol consists of several distributed processes having their own local memories.
We analysed using Cadp several configurations of the protocol with one memory containing up to 2 different data values, one cache line, and up to 3 processors.
For the simplest configuration (one data value and one processor), the corresponding state space (7, 694 states, 10, 242 transitions) could be generated in a few seconds.
For a more complex configuration (two data values and three processors), the compositional verification tools of Cadp allowed to generate the corresponding state space (about 3 million states, 18 million transitions) in about 40 minutes on a standard Pc. On the same example, Murφ, when used without its symmetry reduction feature, took 58 minutes to generate a state space of 760, 000 states; enabling symmetry reduction led to a smaller state space (about 16, 000 states) that could be generated in 3 minutes.
On this example, the state spaces generated using Cadp are larger than those of Murφ, which corresponds to the fact that, using Lotos, we modeled the cache coherence protocol at a finer degree of granularity.
On the opposite, the correctness properties that can be verified using Murφ are restricted to mere state invariants on the variables of the Murφ specification (``white box'' approach), whereas Cadp allows sophisticated properties relying the input and output events of the protocol (``black box'' approach); for instance, we specified the user-level view of memory consistency as a -calculus formula, which we evaluated using Cadp.
We collaborated with Judi Romijn and Stefan Vorstenbosch (Eindhoven University of Technology) on the verification of the Net Update Protocol that is part of the Ieee P1394.1 draft standard.
In his Master thesis (May 2004), Stefan Vorstenbosch developed successive Lotos specifications for this protocol, which he tried to verify using the Cadp toolbox.
We contributed to the specification task by suggesting to model broadcast (i.e., n-to-n communications) using Lotosn-ary rendezvous. This allowed a significant reduction in the size of the Petri nets generated by Cæsar.
We contributed to the verification task by using our latest prototype of Cæsar (see § 6.2.2), our compositional verification tools (see § 6.1.5), and our distributed verification tools (see § 6.1.6) to study complex configurations of the protocol.
Using Cæsar directly on a single machine, we managed to generate the state space for one net update (nearly 21, 000 states and 77, 000 transitions) and two net updates (nearly 2 million states and 10 million transitions). Using a compositional approach, we managed to generate and minimize a state space valid for any number of net updates (nearly 5 million states and 61 million transitions). We discovered the presence of deadlocks in the protocol as soon as more than one net update was allowed. Based on the counter-example traces reported by us, Stefan Vorstenbosch removed some (but not all) deadlocks from the specification.
In September 2004, we studied an updated specification provided to us by Judi Romijn. Using abstractions, compositional, and distributed verification, we generated a tractable state space (nearly 8 million states and 88 million transitions) despite the fact that some intermediate state spaces were larger (28 million states and 487 million transitions). Unfortunately, this state space still contained deadlocks, which are under investigation in Eindhoven.
Other teams also used the Cadp toolbox for various case studies. To cite only recent work, we can mention:
the verification of control properties of asynchronous circuits ,
the automatic verification of the Root Contention Protocol of the Ieee 1394 ``FireWire'' bus ,
the formal specification and verification of a fair payment protocol ,
the formal specification and verification of middleware behavior for the Corba transaction service , and
the parameterized specification and verification of the Chilean electronic invoice system .
Other research teams took advantage of the software components provided by Cadp (e.g., the Bcg and Open/Cæsar environments) to build their own research software. We can mention the following developments:
the Mcrl.Open tool, developed by Jaco van de Pol (Cwi, Amsterdam), which compiles descriptions written in the μCrl process algebra into C code that complies with the Open/Cæsar programming interface, thus allowing all Cadp tools that operate on the fly to be applied to μCrl descriptions; in the framework of the Senva collaboration (see § 8.2 below), H. Garavel helped to improve the memory performance of Mcrl.Open;