# Project : vasy

## Section: New Results

### Models and Verification Techniques

#### The OPEN/CÆSAR Libraries

Participants : Nicolas Descoubes, Hubert Garavel, Wendelin Serwe.

The Open/Cæsar libraries [3] are useful modules for on the fly verification, such as state tables, stacks, bitmap tables, etc. These libraries play a discrete, yet central role in the Cadp toolbox.

In 2004, we improved the Open/Cæsar libraries in various ways:

A new library named Caesar_Area was developed (800 lines of C code), which provides for genericity by allowing different objects (states, labels, character strings, user-defined memory blocks) to be handled uniformly.

Another new library named Caesar_Mask was developed (1, 260 lines of C code), which exports primitives for applying sequences of hiding and renaming operations (defined using regular expressions) to memory blocks. In particular, this library allows to hide and/or rename labels on the fly. The Determinator, Generator, Projector, and Reductor tools have been enhanced with this new functionality, and the code of the Bcg_Labels tool was greatly simplified by using the new Caesar_Mask library.

The existing library Caesar_Table was enhanced by taking advantage of the generic features of Caesar_Area, which resulted in simpler and more expressive programming interfaces. Also, a delicate problem regarding automatic insertion of padding bytes to satisfy alignment constraints was solved. In spite of all this changes, binary compatibility was preserved so as not to impact existing Open/Cæsar tools developed by third-parties.

#### The CÆSAR_SOLVE Library

Participant : Radu Mateescu.

Cæsar_Solve is a generic software library for solving boolean equation systems of alternation depth 1 (i.e., without mutual recursion between minimal and maximal fixed point equations) on the fly. This library is at the core of several Cadp verification tools, namely the equivalence checker Bisimulator (see § 6.1.3), the model checker Evaluator 4.0, and the -confluence reduction tool. The resolution method is based on boolean graphs, which provide an intuitive representation of dependencies between boolean variables; boolean graphs are handled implicitly in a way similar to the Open/Cæsar interface.

The Cæsar_Solve library provides four different resolution algorithms: A1 and A2 are general algorithms based upon depth-first, respectively breadth-first, traversals of boolean graphs; A3 and A4 are optimized for the case of acyclic, respectively disjunctive/conjunctive, boolean graphs; they are based upon memory-efficient depth-first traversals of boolean graphs. All these algorithms can generate diagnostics explaining why a result is true or false (examples and counterexamples).

In 2004, the Cæsar_Solve library (9, 640 lines of C code) was extended and improved as follows:

The library was enhanced with a primitive that enumerates all the variables of a boolean equation system that were stabilized (i.e., whose final value was determined) during the resolutions performed on the system, either since the last call of the primitive, or since the creation of the system (in the case of the first call of the primitive). This primitive provides useful diagnostic information, e.g., for vacuity detection in model checking, which consists in determining, for a temporal logic formula, its subformulas having the same truth value on all states.

Several primitives of the library were simplified in order to enhance the user-friendliness of the interface (e.g., the double pointer indirection was eliminated from the arguments of the primitive for creating a boolean equation system) and to take advantage of the Cæsar_Area library newly added to Open/Cæsar (see § 6.1.1). Also, error management was improved in order to be compatible with the other libraries of Open/Cæsar.

The textual format of boolean equation systems was enhanced to allow the specification of all the parameters necessary to the creation and resolution of a system (e.g., resolution algorithm, single or multiple resolutions, etc.). Also, the syntax of variable identifiers was simplified, and the size of the variables of a boolean equation system read from a text file was reduced.

The Cæsar_Solve library became part of Cadp in December 2004. The documentation of the library interface (23 pages) was updated and extended with examples.

A paper about the Cæsar_Solve library was accepted for publication [17].

#### The BISIMULATOR Tool

Participants : Damien Bergamini, Nicolas Descoubes, Radu Mateescu.

Bisimulator is an equivalence checker, which takes as input two graphs to be compared (one represented implicitly using the Open/Cæsar environment, the other represented explicitly as a Bcg file) and determines whether they are equivalent (modulo a given equivalence relation) or whether one of them is included in the other (modulo a given preorder relation).

Bisimulator works on the fly, meaning that only those parts of the implicit graph pertinent to verification are explored. Thanks to the use of Open/Cæsar, Bisimulator can be applied directly to descriptions written in high level languages (for instance, Lotos). This is a significant improvement compared to older tools (such as Aldébaran and Fc2Implicit) which only accept lower level models (networks of communicating automata).

Bisimulator works by reformulating the graph comparison problem in terms of a boolean equation system, which is solved using the Cæsar_Solve library (see § 6.1.2). A useful functionality of Bisimulator is the generation of diagnostics (counterexamples), which explain why two graphs are not equivalent (or not included one in the other). The counterexamples generated by Bisimulator are directed acyclic graphs and usually much smaller than those generated by other tools (such as Aldébaran) that can only generate counterexamples restricted to sets of traces.

In 2004, we continued the development of the Bisimulator tool (11, 700 lines of C code):

The tool was enhanced with comparisons modulo the branching equivalence relation and its associated preorder relation. The generation of counterexamples for branching equivalence and its preorder was also implemented.

An optimized encoding of the branching and observational equivalence relations in terms of boolean equation systems was designed, which exploits local absence of -transitions to simplify the right-hand sides of boolean equations. This optimization increased the performance of Bisimulator roughly by a factor 2, both in terms of speed and memory consumption. It is worth noticing that boolean equations can be simplified on the fly: There is no need to check before verification if the explicit graph (represented in Bcg format) does not contain -transitions.

The tool was enhanced with two new functionalities, implemented using the primitives newly added to the Cæsar_Solve library (see § 6.1.2): printing of the boolean equation system corresponding to the equivalence checking problem in textual form, and printing of statistical information about its resolution.

In order to validate Bisimulator and compare its performance with other equivalence checking tools, we continued the extensive experiments on realistic examples obtained from the Cadp distribution and the Vlts benchmark suite. The systematic use of Bisimulator allowed to detect an error in the on the fly algorithm for branching equivalence implemented in the Aldébaran tool.

The encoding of boolean variables has been adapted in order to connect Bisimulator to the new distributed resolution algorithm for boolean equation systems (see § 6.1.6). The new encoding ensures that the contents of the boolean variables, which are sent over the communication network during the distributed resolution, are machine-independent, such that they can be interpreted unambiguously by all the processes involved in the distributed computation.

The tool was properly documented [33] and integrated in Cadp in December 2004.

The Bisimulator tool was subject to an accepted publication [19].

#### The AAL Tool

Participants : Damien Bergamini, David Champelovier, Nicolas Descoubes, Hubert Garavel, Radu Mateescu, Wendelin Serwe.

In the framework of the ArchWare project (see § 7.1), we focus on the analysis of software architectures.

Aal (*Architecture Analysis Language*) is the language defined by ArchWare for expressing properties of software architectures and architectural styles.
Aal contains operators borrowed from first-order logic and modal -calculus, extended with predicates specific to architectural descriptions.
It allows to specify both style-related structural properties (e.g., connectivity between components, cardinality, etc.) and architecture-related behavioral properties (e.g., safety, liveness, fairness).

Aaf-Mc (*Architecture Analysis Formalism for Model Checking*) is the fragment of Aal containing properties to be verified using model checking.
A large number of property patterns relevant to software architectures are available as libraries defined in Aaf-Mc, and several fragments of Aaf-Mc, compatible with usual equivalence relations (e.g., strong, branching, observational, and safety equivalences) are identified.

Aaf-Mc is equipped with a model checker that translates the temporal formulas expressed in Aaf-Mc into boolean equation systems. The analysis methodology adopted by ArchWare consists in using the Aaf-Mc model checker to verify correctness properties on execution traces generated during the simulation of an architectural description [20].

In 2004, we continued the development of the Aaf-Mc model checker (16, 400 lines of code):

The model checker was enhanced with generation of diagnostics (examples and counterexamples) as prefixes of the execution traces on which Aaf-Mc formulas are verified. This facilitates the understanding of Aaf-Mc formulas and helps the user to debug an architecture.

A new verification algorithm was added to the model checker, based upon a breadth-first search resolution strategy of the underlying boolean equation system. Compared to the existing depth-first search based algorithm, the new algorithm has the advantage of producing diagnostics of shortest length.

In collaboration with ArchWare partners, the Aaf-Mc model checker was integrated in the ArchWare environment, which is centered around a virtual machine responsible for executing architectural descriptions written in the ArchWareAdl (

*Architectural Description Language*). The various ArchWare tools (e.g., visual modeler, animator, model checker, etc.) are viewed as Cots (*components off the shelf*) communicating with the virtual machine using Web services. The Aaf-Mc model checker was integrated in this environment by developing two software tools:a connector (350 lines of Adl code), which executes on the virtual machine and is responsible for initiating the Web service connection, launching the model checker on a (possibly) remote machine, and sending the appropriate arguments (execution traces and Aaf-Mc formulas) encoded as text files;

a wrapper (520 lines of Java and Unix shell code), which executes on the machine hosting the model checker and is responsible for receiving the execution traces and the Aaf-Mc formulas sent by the Adl connector, invoking the Aaf-Mc model checker, and sending the results (truth value and diagnostic) back to the connector.

The Aaf-Mc model checker is described in two ArchWare deliverables [27][28]. R. Mateescu gave a keynote presentation about this model checker at Vveis'2004 (see § 9.3).

#### Compositional Verification Tools

Participant : Frédéric Lang.

The Cadp toolbox contains various tools dedicated to compositional verification, among which Projector 2.0, Exp.Open 2.0, and Svl play a central role.

Projector 2.0 is a tool (totally rewritten in 2002) that implements behaviour abstraction [47][52], by taking into account interface constraints. In 2004, we improved Projector 2.0 by adding options to hide and rename labels on the fly, based on the Cæsar_Mask library, and we corrected a few bugs. A manual page was written for Projector 2.0 [37] and the tool became part of Cadp in December 2004.

Exp.Open 2.0 is a tool that explores on the fly the graph corresponding to a network of communicating automata (represented as a set of Bcg files). These automata are composed together in parallel using either algebraic operators (as in Ccs, Csp, Lotos, and μCrl), ``graphical'' operators (as in E-Lotos[50] and Lotos NT), or synchronization vectors (as in the Mec and Fc2 tools). Additional operators are available to hide and/or rename labels (using regular expressions) and to cut certain transitions. In 2004, we enhanced Exp.Open 2.0 along the following lines:

We took μCrl syntax conventions into account to extract information (gate, offers) from labels, thus improving μCrl support.

Based on feedback received from external users, we added warning messages when some synchronization between automata cannot ever happen because one of the automata does not contain the appropriate label.

We implemented a partial order reduction technique for stochastic models (based on observations made in [49]), which consists in giving priority to invisible transitions over stochastic transitions, thus expressing that invisible transitions are instantaneous. In collaboration with Holger Hermanns and Sven Johr (Saarland University), we applied this technique to study a stochastic model of a distributed mutual exclusion algorithm (see § 6.3). This allowed to divide by up to 5 the number of states of the generated stochastic models.

We also implemented a technique that allows to synthesize interface constraints imposed on one automaton by (a subset of) its neighbour automata in a network of communicating automata. These interface constraints can be given to the Projector 2.0 tool so as to generate the behaviour corresponding to a process. We experimented this technique on two case studies, namely the HAVi (Home Audio Video) protocol developed by eight consumer electronics companies (Grundig, Hitachi, Matsushita, Philips, Sharp, Sony, Thomson, and Toshiba) and a cache coherence protocol (see § 6.3), both modeled in Lotos. The experiments allowed to reduce the state space of some processes by one or two orders of magnitude, thus improving over existing techniques.

A detailed manual page for Exp.Open 2.0 was written [36] and the tool became part of Cadp in August 2004. It is used in the framework of the Fiacre national action (see § 8.1) and at Saarland University, among other places.

In 2004, we enhanced the Svl language and compiler along the following lines:

Svl now uses the new Bisimulator tool (see § 6.1.3) to perform behavioural comparisons;

Svl now uses Projector 2.0 to implement its abstraction operator, which allowed to extend this operator with new functionalities;

Svl now uses Exp.Open 2.0 to compute automata products, which allows to perform general label hiding and renaming (previously, only a restricted form of label hiding was available).

#### Parallel and Distributed Verification Tools

Participants : Damien Bergamini, Nicolas Descoubes, Hubert Garavel, Christophe Joubert, Radu Mateescu.

Enumerative verification algorithms need to explore and store very large graphs and, thus, are often limited by the capabilities of current sequential machines. To push forward the limits, we are studying parallel and distributed algorithms adapted to the clusters of Pcs and networks of workstations available in most research laboratories.

Our initial efforts focused on parallelizing the graph construction algorithm [8], which is a bottleneck for verification as it requires a considerable amount of memory to store all reachable states. In this respect, we developed the following software:

Distributor splits the construction of a graph over N machines communicating using sockets. Each machine is required to build a fragment of the graph represented as a Bcg file, the states being distributed between the N machines by means of a statically determined hash function.

Bcg_Merge merges the N graph fragments constructed by Distributor to obtain — after renumbering states appropriately — a unique Bcg file representing the entire graph.

Cæsar_Network is a code library for distributed tools such as Distributor and Bcg_Merge. It provides basic functionalities including: management of the machine configuration file that contains the parameters of the distributed computation, process deployment protocol on a set of remote machines, emission and reception of messages using blocking or non-blocking sockets, communication buffer management, etc. Cæsar_Network allows a clear separation between verification algorithms and communication primitives.

In 2004, we improved the distributed model checking tools as follows:

D. Bergamini fixed a few problems in the Cæsar_Network library and ported it to the Mac OS X operating system.

C. Joubert improved the algorithm used in Distributor 3.0 in order to optimize speed by reducing busy waits and to solve an issue in termination detection. N. Descoubes adapted the code of Distributor 3.0 to implement the modified algorithm.

In the framework of the Senva collaboration (see § 8.2), Stefan Blom (Cwi, Amsterdam), N. Descoubes, and H. Garavel defined the Pbg (

*Partitioned Bcg**Graphs*) format to represent the concept of ``partitioned labeled transition system'' advocated in [8]. Then, N. Descoubes and D. Bergamini implemented this new format in Distributor and Bcg_Merge, which simplified the command-line interface of these tools.*The Distributor and Bcg_Merge tools were ported to the Windows and Mac OS X operating systems, and the manual page of Bcg_Merge was finalized [30].**C. Joubert continued the development of a distributed version of the Cæsar_Solve library (see § 6.1.2), which uses several machines to solve boolean equation systems on the fly. This distributed version (currently 10, 000 lines of C code) implements a resolution algorithm based on a breadth-first traversal of the boolean graph.**In 2004, this distributed algorithm was improved in order to produce diagnostics (boolean subgraphs illustrating the truth value of boolean variables) and various statistical information about the distributed resolution (e.g., number of variables and dependencies explored, number and size of messages used for resolution and termination detection, computation and idle times for each machine, etc.).**C. Joubert developed a random generator of boolean equation systems in order to test the performance of the distributed resolution algorithm. This tool (1, 000 lines of C code) produces boolean equation systems (represented by the successor function of their corresponding boolean graph) according to various parameters which vary randomly in a given domain: number of variables and operators, number of true and false constants, proportion of disjunctive and conjunctive variables in the right-hand sides of the equations, etc. An extensive set of distributed resolutions of boolean equation systems with various forms produced by the random generator was performed on several clusters of Pcs (I-Cluster of the Apache team, Idpot of the Id-Imag laboratory, and Ion of the Sardes team). These experiments showed a good behaviour of the distributed resolution algorithm: quasi-linear speedup compared to the sequential breadth-first search algorithm of Cæsar_Solve, good scalability with the number of machines, low percentage of termination detection messages, and low memory overhead. For example, a boolean equation system with 240 millions of variables and 1 billion operators was solved in 28 minutes on a cluster with 17 machines.**C. Joubert and R. Mateescu developed a prototype connection of the Bisimulator tool (see § 6.1.3) to the distributed boolean resolution algorithm in order to obtain distributed on the fly equivalence checking functionalities. A large number of experiments were performed on the three clusters of Pcs mentioned above, using various graphs obtained from the Cadp distribution and the Vlts benchmark suite. Each experiment consisted in comparing a graph with its minimized version modulo a given equivalence relation, which is the worst case for on the fly equivalence checking algorithms, because the two graphs must be explored entirely. For all equivalence relations implemented by Bisimulator, the experiments showed speedups close to linear (compared to the sequential version of Bisimulator used in breadth-first search mode) and a balanced distribution of work among machines.*

*Three papers on distributed model checking were either published or accepted for publication [23][24][19].*

#### Performance Evaluation Tools

Participants : Damien Bergamini, David Champelovier, Hubert Garavel, Christophe Joubert, Frédéric Lang, Radu Mateescu.

In addition to its verification capabilities, the Cadp toolbox contains several tools dedicated to performance evaluation, namely Bcg_Min, Bcg_Steady, Bcg_Transient, and Determinator. Contrary to most Cadp tools that operate on labeled transition systems, these tools operate on probabilistic/stochastic models derived from discrete-time and continuous-time Markov chains.

In 2004, these tools have progressed as follows:

D. Bergamini (with some help from H. Garavel) found a subtle semantic bug in the algorithm used by Bcg_Min to minimize a probabilistic/stochastic model with respect to stochastic branching bisimulation.

D. Champelovier and H. Garavel finalized the Bcg_Steady and Bcg_Transient prototype tools developed in 2002 by C. Joubert and Holger Hermanns (Saarland University). The source code of these tools (2, 700 lines of C code) was entirely scrutinized and revised; the command-line interface was enhanced and the various output formats were improved. The draft manual pages were rewritten [31][32]. These tools became part of Cadp in November 2004.

F. Lang revised the Determinator prototype tool developed in 2002 by C. Joubert and Holger Hermanns (Saarland University). The source code was revised and two bugs were fixed. R. Mateescu extended Determinator to eliminate nondeterminism from standard (i.e., non-stochastic) labeled transition systems. The draft manual page was finalized [35] and Determinator (1, 650 lines of C code) became part of Cadp in December 2004.

#### Other Tool Developments

Participants : David Champelovier, Damien Bergamini, Nicolas Descoubes, Hubert Garavel, Frédéric Lang, Radu Mateescu, Wendelin Serwe.

We also improved the following Cadp tools and libraries:

D. Champelovier, H. Garavel, and R. Mateescu enhanced the formula language of the Evaluator 3.0 model checker by adding concatenation operators for strings and regular expressions. These operators provide a higher degree of parameterization for macro-definitions, which allows to simplify the set of -calculus formulas to be verified by Evaluator 3.0. Using these operators, for instance, the set of formulas characterizing a dynamic reconfiguration protocol [43] was reduced from 783 to 183 lines.

W. Serwe reviewed the source code of the Tgv tool [51] and fixed a bug occurring on Windows platforms only; he also ported Tgv to the Mac OS X operating system and removed all compile-time warnings.

N. Descoubes and H. Garavel solved various issues in the Installator tool and enhanced it with new functionalities such as the support for remote connections based on Ssh/Scp or Krsh/Kcp, and the sending of reminder messages to users before license expiration.

We pursued our continous work of adapting Cadp to the latest computing platforms:

We completed the port undertaken in 2003 of the Cadp tools to the latest versions of the Linux kernel, Gnu C library, and Gcc 3 compiler.

With the help of Stefan Blom (Cwi, Amsterdam), we ported the Cadp tools to Amd's Opteron processors running in 32-bit mode.

We improved the integration of the Cadp tools with Windows, especially as regards support for file names containing spaces and other blank characters.

We ported all the Cadp tools to the Mac OS X operating system.

We enhanced our software engineering environment used to develop and maintain Cadp:

We merged various lists of pending issues into one unique database (bug repository).

We set up an automated non-regression testing for all the Cadp demo examples and all computing platforms. This revealed a few bugs specific to certain platforms; these bugs, undetected so far, were fixed.

Additionally, non-regression test suites dedicated to particular tools (namely, Bcg_Min, Bcg_Steady, Bcg_Transient, and Determinator) were developed.