Overall Objectives
Application Domains
New Results
Contracts and Grants with Industry
Other Grants and Activities

Section: New Results

Models and Verification Techniques


Participant : Radu Mateescu.

Cæsar_Solve is a generic software library for solving boolean equation systems of alternation depth 1 (i.e., without mutual recursion between minimal and maximal fixed point equations) on the fly. This library is at the core of several Cadp verification tools, namely the equivalence checker Bisimulator (see §  6.1.2 ), the model checker Evaluator  3.5 (see §  6.1.3 ), and the minimization tool Reductor  4.0 (see §  6.1.4 ). The resolution method is based on boolean graphs, which provide an intuitive representation of dependencies between boolean variables, and which are handled implicitly, in a way similar to the Open/Cæsar interface [3] .

The Cæsar_Solve library provides four different resolution algorithms: A1 and A2 are general algorithms based upon depth-first, respectively breadth-first, traversals of boolean graphs; A3 and A4 are optimized for the case of acyclic, respectively disjunctive/conjunctive, boolean graphs; they are based upon memory-efficient depth-first traversals of boolean graphs. All these algorithms can generate diagnostics explaining why a result is true or false (examples and counterexamples).

In 2005, the Cæsar_Solve library ( 11, 600 lines of C code) was extended and improved as follows:

A journal paper about the Cæsar_Solve library was accepted for publication  [21] .


Participants : David Champelovier, Radu Mateescu.

Bisimulator is an equivalence checker, which takes as input two graphs to be compared (one represented implicitly using the Open/Cæsar environment, the other represented explicitly as a Bcg file) and determines whether they are equivalent (modulo a given equivalence relation) or whether one of them is included in the other (modulo a given preorder relation). Bisimulator works on the fly, meaning that only those parts of the implicit graph pertinent to verification are explored. Due to the use of Open/Cæsar , Bisimulator can be applied directly to descriptions written in high level languages (for instance, Lotos ). This is a significant improvement compared to older tools (such as Aldébaran and Fc2Implicit ) which only accepted lower level models (networks of communicating automata).

Bisimulator works by reformulating the graph comparison problem in terms of a boolean equation system, which is solved on the fly using the Cæsar_Solve library (see §  6.1.1 ). A useful functionality of Bisimulator is the generation of a ``negative'' diagnostic (i.e., a counterexample), which explains why two graphs are not equivalent (or not included one in the other). The diagnostics generated by Bisimulator are directed acyclic graphs and are usually much smaller than those generated by other tools (such as Aldébaran ) that can only generate counterexamples restricted to sets of traces.

In 2005, we continued the development of the Bisimulator tool ( 15, 300 lines of C code):

The Bisimulator tool led to a publication  [23] .


Participant : Radu Mateescu.

Evaluator is a model checker that evaluates a temporal logic property on a graph represented implicitly using the Open/Cæsar environment. Properties are described in regular alternation-free $ \mu$ -calculus, a logic built from boolean operators, possibility and necessity modalities containing regular expressions denoting transition sequences, and fixed point operators without mutual recursion between least and greatest fixed points. The input language of the tool also allows to define parameterized temporal operators and to group them into separate libraries.

Evaluator works on the fly, meaning that only those parts of the implicit graph pertinent to verification are explored. The model checking problem is reformulated in terms of solving a boolean equation system. A useful feature of Evaluator is the generation of diagnostics (examples and counterexamples) explaining why a formula is true or false.

In 2005, we continued the development of the Evaluator tool. This led to a new version Evaluator  3.5 ( 5, 600 lines of Syntax / Fnc2 code and 5, 100  lines of C code) that supersedes the previous version 3.0, with the following enhancements:

A detailed manual page for Evaluator  3.5 was written [36] and the tool became part of Cadp in February 2005.


Participants : Frédéric Lang, Radu Mateescu.

The Cadp toolbox contains a tool named Reductor  3.0 that performs exhaustive reachability analysis combined with elimination of internal transitions on the fly (this preserves $ \tau$*. a equivalence).

Also, the Vasy team developed in 2003 a prototype tool  [16] implementing $ \tau$ -confluence reduction  [48] , a form of partial order reduction that preserves branching equivalence. This reduction is a mean to fight state explosion by trying to avoid the exploration of redundant interleavings resulting from independent $ \tau$ -transitions. Indeed, experiments on various communication protocols and distributed systems have shown that $ \tau$ -confluence may reduce the number of states and transitions by up to 3 orders of magnitude.

In 2005, both tools were merged into a single one, leading to version 4.0 of Reductor . This new tool ( 2, 000 lines of C code) operates on graphs represented implicitly using the Open/Cæsar environment and provides six reduction algorithms:

The 1st, 4th, and 6th reductions above are obtained by encoding the reduction problem into a boolean equation system that is resolved on the fly using algorithm A5 of the Cæsar_Solve library (see §  6.1.1 ). The 6th reduction is ``orthogonal'' in the sense that it can be combined with any of the five other reductions.

A detailed manual page for Reductor  4.0 was written [37] and the tool became part of Cadp in October 2005. The $ \tau$ -compression and $ \tau$ -confluence reductions led to a publication  [29] .

Compositional Verification Tools

Participants : Frédéric Lang, Wendelin Serwe.

The Cadp toolbox contains various tools dedicated to compositional verification, among which Projector  2.0, Exp.Open  2.0, and Svl play a central role.

Projector  2.0 is a tool (totally rewritten in 2002) that implements behaviour abstraction  [47] , [53] by taking into account interface constraints. In 2005, we improved its efficiency by introducing a hash function specifically adapted to state products. On real examples provided by the Technical University of Eindhoven, the execution time of Projector was divided by a factor of up to four.

Exp.Open  2.0 is a tool that explores on the fly the graph corresponding to a network of communicating automata (represented as a set of Bcg files). These automata are composed together in parallel using either algebraic operators (as in Ccs , Csp , Lotos , and μCrl ), ``graphical'' operators (as in E-Lotos   [51] and Lotos NT ), or synchronization vectors (as in the Mec and Fc2 tools). Additional operators are available to hide and/or rename labels (using regular expressions) and to cut certain transitions. In 2005, we enhanced Exp.Open along the following lines:

Exp.Open was used in the framework of the Fiacre national action (see §  8.1 ) and we developed three new demo examples to illustrate the recent functionalities of Exp.Open (see §  6.3 ). An article about Exp.Open was published in an international conference  [28] .

Svl ( Script Verification Language ) is both a high level language for expressing complex verification scenarios and a compiler dedicated to this language. In 2005, we enhanced Svl along the following lines:

Parallel and Distributed Verification Tools

Participants : David Champelovier, Hubert Garavel, Christophe Joubert, Radu Mateescu.

Enumerative verification algorithms need to explore and store very large graphs and, thus, are often limited by the capabilities of current sequential machines. To push forward the limits, we are studying parallel and distributed algorithms adapted to the clusters of Pc s and networks of workstations available in most research laboratories.

As a first goal, we focused on parallelizing the graph construction algorithm, which is a bottleneck for verification, as it requires a considerable amount of memory to store all reachable states. For this purpose, we developed two tools  [8] : Distributor splits the construction of a graph over Nmachines communicating using Tcp/Ip sockets; each machine builds a graph fragment, the distribution of states between the machines being determined by a static hash function; Bcg_Merge merges the Ngraph fragments constructed by Distributor to produce the entire graph.

In 2005, this first phase was completed. Distributor  3.0 and Bcg_Merge  3.0 became parts of Cadp in January 2005 and a manual page for Distributor was written [35] . These tools were demonstrated at several occasions, including the Pdmc'2005 international workshop (see §  9.2 ). A tool paper was accepted for publication  [25] .

As a second goal, we aim at parallelizing on the fly verification itself. Because the Cæsar_Solve library (see §  6.1.1 ) is our central verification engine for both model checking, e.g., in the Evaluator tool (see §  6.1.3 ), and equivalence checking, e.g., in the Bisimulator (see §  6.1.2 ) and Reductor tools (see §  6.1.4 ), we target at the development of a distributed version of the Cæsar_Solve library that could solve boolean equation systems on the fly using several machines.

In 2005, this work progressed as follows:

Other Tool Developments

Participants : David Champelovier, Damien Bergamini, Hubert Garavel, Frédéric Lang, Radu Mateescu, Wendelin Serwe.

Late 2004 and early 2005, a significant number of new tools and libraries were integrated to the Cadp toolbox, among which Bcg_Merge , Bcg_Steady , Bcg_Transient , Bisimulator , Caesar_Area , Caesar_Mask , Cæsar_Solve , Determinator , Distributor , Evaluator  3.5, and Projector  2.0. This also implied an important effort in writing the corresponding manual pages and correcting the bugs reported by users worldwide.

Additionally, we improved the following Cadp tools and libraries:

We have continued adapting Cadp to the latest computing platforms:


Logo Inria