Section: New Results
Models and Verification Techniques
The CÆSAR_SOLVE Library
Participant : Radu Mateescu.
Cæsar_Solve is a generic software library for solving boolean equation systems of alternation depth 1 (i.e., without mutual recursion between minimal and maximal fixed point equations) on the fly. This library is at the core of several Cadp verification tools, namely the equivalence checker Bisimulator (see § 6.1.2 ), the model checker Evaluator 3.5 (see § 6.1.3 ), and the minimization tool Reductor 4.0 (see § 6.1.4 ). The resolution method is based on boolean graphs, which provide an intuitive representation of dependencies between boolean variables, and which are handled implicitly, in a way similar to the Open/Cæsar interface [3] .
The Cæsar_Solve library provides four different resolution algorithms: A1 and A2 are general algorithms based upon depthfirst, respectively breadthfirst, traversals of boolean graphs; A3 and A4 are optimized for the case of acyclic, respectively disjunctive/conjunctive, boolean graphs; they are based upon memoryefficient depthfirst traversals of boolean graphs. All these algorithms can generate diagnostics explaining why a result is true or false (examples and counterexamples).
In 2005, the Cæsar_Solve library ( 11, 600 lines of C code) was extended and improved as follows:

The library interface was enhanced with new types and functions to facilitate the definition of boolean equation systems. Also, a bug was corrected in the diagnostic generation mechanism of algorithm A2.

A new resolution algorithm A5 was added to the library. This algorithm, based upon a depthfirst search of the boolean graph, improves over algorithms A1–A4 by performing an early detection of examples (resp. counterexamples) in greatest (resp. least) fixed point equation blocks. This detection is based upon a generalization of Tarjan's algorithm for computing strongly connected components. Algorithm A5 proves to be much faster (between one and two orders of magnitude) than all the other algorithms of Cæsar_Solve when it is invoked many times on the same equation block, e.g., for detecting confluent or redundant transitions during the on the fly reductions performed by the Reductor tool (see § 6.1.4 ).
A journal paper about the Cæsar_Solve library was accepted for publication [21] .
The BISIMULATOR Tool
Participants : David Champelovier, Radu Mateescu.
Bisimulator is an equivalence checker, which takes as input two graphs to be compared (one represented implicitly using the Open/Cæsar environment, the other represented explicitly as a Bcg file) and determines whether they are equivalent (modulo a given equivalence relation) or whether one of them is included in the other (modulo a given preorder relation). Bisimulator works on the fly, meaning that only those parts of the implicit graph pertinent to verification are explored. Due to the use of Open/Cæsar , Bisimulator can be applied directly to descriptions written in high level languages (for instance, Lotos ). This is a significant improvement compared to older tools (such as Aldébaran and Fc2Implicit ) which only accepted lower level models (networks of communicating automata).
Bisimulator works by reformulating the graph comparison problem in terms of a boolean equation system, which is solved on the fly using the Cæsar_Solve library (see § 6.1.1 ). A useful functionality of Bisimulator is the generation of a ``negative'' diagnostic (i.e., a counterexample), which explains why two graphs are not equivalent (or not included one in the other). The diagnostics generated by Bisimulator are directed acyclic graphs and are usually much smaller than those generated by other tools (such as Aldébaran ) that can only generate counterexamples restricted to sets of traces.
In 2005, we continued the development of the Bisimulator tool ( 15, 300 lines of C code):

The tool was enhanced with comparisons modulo the trace equivalence relation, the weak trace equivalence relation (which considers only visible transitions), and their associated preorder relations. The generation of counterexamples for these equivalences and their preorders was also implemented.

The encoding of branching equivalence in terms of boolean equation systems was enhanced in order to reduce the number of closures (transitive reflexive closures over transitions) computed when one of the states being compared does not have outgoing transitions. The new encoding allows to identify on the fly the cases when branching equivalence becomes identical to ^{*}. a equivalence, and to simplify the equations accordingly. This can reduce the number of boolean variables by up to 40% .

Bisimulator was coupled with the Ocis interactive simulator in order to allow a scenario contained in a Bcg graph to be replayed interactively during the current Ocis simulation session. Typically, the Bcg graph can be either a simulation scenario previously explored and saved using Ocis , or an execution trace produced by Exhibitor or Executor , or a diagnostic generated by Evaluator (see § 6.1.3 ) for a temporal logic property. Bisimulator allows Ocis to determine whether this Bcg graph is a subset or not of the graph being explored during the current Ocis session, which amounts to checking graph inclusion modulo the preorder associated to strong equivalence. If so, a ``positive'' diagnostic (i.e., an example) is generated, which can be subsequently read and replayed by Ocis as an ordinary simulation scenario. This feature required the generation of ``positive'' diagnostics by Bisimulator , which so far only generated ``negative'' ones.
The Bisimulator tool led to a publication [23] .
The EVALUATOR Tool
Participant : Radu Mateescu.
Evaluator is a model checker that evaluates a temporal logic property on a graph represented implicitly using the Open/Cæsar environment. Properties are described in regular alternationfree calculus, a logic built from boolean operators, possibility and necessity modalities containing regular expressions denoting transition sequences, and fixed point operators without mutual recursion between least and greatest fixed points. The input language of the tool also allows to define parameterized temporal operators and to group them into separate libraries.
Evaluator works on the fly, meaning that only those parts of the implicit graph pertinent to verification are explored. The model checking problem is reformulated in terms of solving a boolean equation system. A useful feature of Evaluator is the generation of diagnostics (examples and counterexamples) explaining why a formula is true or false.
In 2005, we continued the development of the Evaluator tool. This led to a new version Evaluator 3.5 ( 5, 600 lines of Syntax / Fnc2 code and 5, 100 lines of C code) that supersedes the previous version 3.0, with the following enhancements:

Evaluator 3.5 uses the resolution algorithms provided by the Cæsar_Solve library (see § 6.1.1 ) whereas Evaluator 3.0 contained an ad hoc resolution engine. This improves modularity by clearly separating the translation of the verification problem into a boolean equation system (this is done in Evaluator ) from the resolution itself (this is done in Cæsar_Solve ).

The analysis of regular alternationfree calculus formulas was enhanced with the detection of formulas that lead to disjunctive or conjunctive boolean equation systems. These systems can be solved more efficiently using algorithm A4 of Cæsar_Solve , which does not keep in memory the dependencies between boolean variables. Since most of the formulas encountered in practice are of this type, this enhancement resulted in important memory reductions (proportional to the number of transitions in the graph being checked) with respect to Evaluator 3.0.

Another optimization, performed on the system of modal equations used as intermediate representation by the tool, consisted in expanding online the propositional variables which occurred only once in the righthand side of an equation. On most practical examples, this reduced by a factor of 3 the number of variables and induced the same reduction on the time and memory necessary for resolution.

The generation of diagnostics (examples and counterexamples) was improved in order to reflect more accurately the structure of the temporal formulas. In the diagnostics produced by Evaluator 3.0, each state was associated to a state of the graph being checked, which caused the duplication of transitions in the diagnostic. For instance, when evaluating the formula `` '' on the graph consisting of a single aloop `` '', the diagnostic produced by Evaluator 3.0 was the graph with a single state sand three aloop transitions attached to s. Instead, the diagnostic produced by Evaluator 3.5 is the sequence , which is a better explanation that the formula requires to traverse three successive atransitions.

Several new commandline options were added to Evaluator 3.5 to benefit from all features of Cæsar_Solve , namely: use of the breadthfirst search based algorithm A2 to produce smalldepth diagnostics, use of the memoryefficient algorithm A3 to check properties on acyclic graphs, and possibility to display the underlying boolean equation system in a textual form.
A detailed manual page for Evaluator 3.5 was written [36] and the tool became part of Cadp in February 2005.
The REDUCTOR Tool
Participants : Frédéric Lang, Radu Mateescu.
The Cadp toolbox contains a tool named Reductor 3.0 that performs exhaustive reachability analysis combined with elimination of internal transitions on the fly (this preserves ^{*}. a equivalence).
Also, the Vasy team developed in 2003 a prototype tool [16] implementing confluence reduction [48] , a form of partial order reduction that preserves branching equivalence. This reduction is a mean to fight state explosion by trying to avoid the exploration of redundant interleavings resulting from independent transitions. Indeed, experiments on various communication protocols and distributed systems have shown that confluence may reduce the number of states and transitions by up to 3 orders of magnitude.
In 2005, both tools were merged into a single one, leading to version 4.0 of Reductor . This new tool ( 2, 000 lines of C code) operates on graphs represented implicitly using the Open/Cæsar environment and provides six reduction algorithms:

It can eliminate both transitions and the socalled redundant transitions [57] , still preserving safety equivalence.

It can eliminate all transitions, still preserving ^{*}. a equivalence.

It can eliminate all circuits of transitions, still preserving branching equivalence (this reduction is called compression).

It can perform confluence reduction, still preserving branching equivalence.

It can eliminate duplicate transitions, still preserving strong equivalence.

It can fully minimize a graph modulo strong equivalence.
The 1st, 4th, and 6th reductions above are obtained by encoding the reduction problem into a boolean equation system that is resolved on the fly using algorithm A5 of the Cæsar_Solve library (see § 6.1.1 ). The 6th reduction is ``orthogonal'' in the sense that it can be combined with any of the five other reductions.
A detailed manual page for Reductor 4.0 was written [37] and the tool became part of Cadp in October 2005. The compression and confluence reductions led to a publication [29] .
Compositional Verification Tools
Participants : Frédéric Lang, Wendelin Serwe.
The Cadp toolbox contains various tools dedicated to compositional verification, among which Projector 2.0, Exp.Open 2.0, and Svl play a central role.
Projector 2.0 is a tool (totally rewritten in 2002) that implements behaviour abstraction [47] , [53] by taking into account interface constraints. In 2005, we improved its efficiency by introducing a hash function specifically adapted to state products. On real examples provided by the Technical University of Eindhoven, the execution time of Projector was divided by a factor of up to four.
Exp.Open 2.0 is a tool that explores on the fly the graph corresponding to a network of communicating automata (represented as a set of Bcg files). These automata are composed together in parallel using either algebraic operators (as in Ccs , Csp , Lotos , and μCrl ), ``graphical'' operators (as in ELotos [51] and Lotos NT ), or synchronization vectors (as in the Mec and Fc2 tools). Additional operators are available to hide and/or rename labels (using regular expressions) and to cut certain transitions. In 2005, we enhanced Exp.Open along the following lines:

Following joint work with Jaco van de Pol ( Cwi , Amsterdam) in the framework of the Senva collaboration (see § 8.2 ), we corrected two problems related to the support of μCrl in Exp.Open .

We added options to obtain static information about the network of communicating automata, such as a list of the labels that potentially belong to the product and the size of each Bcg graph in the network.

We improved the algorithm for enumerating the successors of a given state, which reduced the generation time by 20 % on average, with a constant negligible memory overhead.

We implemented two partial order reduction techniques, one preserving the deadlocks and the other one preserving the weak traces of the network of automata, thus extending the family of partial order reductions already available in Exp.Open .
Exp.Open was used in the framework of the Fiacre national action (see § 8.1 ) and we developed three new demo examples to illustrate the recent functionalities of Exp.Open (see § 6.3 ). An article about Exp.Open was published in an international conference [28] .
Svl ( Script Verification Language ) is both a high level language for expressing complex verification scenarios and a compiler dedicated to this language. In 2005, we enhanced Svl along the following lines:

We added support for two new equivalence relations, namely trace and weak trace equivalences, which can be used for graph comparison and reduction.

We added a new operator called `` refined abstraction '', which allows to generate the graph of a process under constraints generated automatically using Exp.Open .

We adapted Svl so that, depending on the equivalence to be preserved, it invokes Exp.Open with the most appropriate partial order reduction, which is inferred from the semantic context automatically.
Parallel and Distributed Verification Tools
Participants : David Champelovier, Hubert Garavel, Christophe Joubert, Radu Mateescu.
Enumerative verification algorithms need to explore and store very large graphs and, thus, are often limited by the capabilities of current sequential machines. To push forward the limits, we are studying parallel and distributed algorithms adapted to the clusters of Pc s and networks of workstations available in most research laboratories.
As a first goal, we focused on parallelizing the graph construction algorithm, which is a bottleneck for verification, as it requires a considerable amount of memory to store all reachable states. For this purpose, we developed two tools [8] : Distributor splits the construction of a graph over Nmachines communicating using Tcp/Ip sockets; each machine builds a graph fragment, the distribution of states between the machines being determined by a static hash function; Bcg_Merge merges the Ngraph fragments constructed by Distributor to produce the entire graph.
In 2005, this first phase was completed. Distributor 3.0 and Bcg_Merge 3.0 became parts of Cadp in January 2005 and a manual page for Distributor was written [35] . These tools were demonstrated at several occasions, including the Pdmc'2005 international workshop (see § 9.2 ). A tool paper was accepted for publication [25] .
As a second goal, we aim at parallelizing on the fly verification itself. Because the Cæsar_Solve library (see § 6.1.1 ) is our central verification engine for both model checking, e.g., in the Evaluator tool (see § 6.1.3 ), and equivalence checking, e.g., in the Bisimulator (see § 6.1.2 ) and Reductor tools (see § 6.1.4 ), we target at the development of a distributed version of the Cæsar_Solve library that could solve boolean equation systems on the fly using several machines.
In 2005, this work progressed as follows:

We continued the development of a distributed version of Cæsar_Solve (currently 17, 000 lines of C code) [17] . The former distributed resolution algorithm [26] , which could only handle boolean equation systems containing one single equation block, was enhanced to deal with multiple blocks. The enhanced algorithm combines a depthfirst search traversal of the dependency graph between blocks (which is supposed to be acyclic) and a breadthfirst search traversal of the boolean graphs associated to blocks, both performed in a distributed manner. For single block boolean equation systems, the enhanced algorithm exhibits almost the same performance as the former algorithm.

The distributed algorithm for generating diagnostics on the fly was also enhanced to handle boolean equations systems with multiple blocks.

The distributed algorithm for termination detection was improved to detect partial resolutions of the blocks, i.e., the fact that all boolean variables present in a region of a block have their final value computed. This allows to propagate the values of these variables along backward dependencies and, thus, to achieve a good distribution of the simultaneous resolution of all equation blocks.

We implemented a prototype connection of the Evaluator 3.5 model checker to the distributed version of Cæsar_Solve . Experiments were performed on the Idpot cluster of Pc s using various graphs taken from the Vlts benchmark suite and Cadp demo examples. We checked properties ranging from basic deadlock and livelock detection (on the Vlts graphs) to more complex response properties that must be encoded into boolean equation systems with several blocks. Compared to the sequential version of Evaluator 3.5, the distributed version shows quasilinear speedups, a good load balancing, and a low memory overhead. As regards deadlock and livelock detection, it compared favourably with UppDmc [50] , another distributed model checker for modal calculus developed at Rwth (Aachen, Germany). A paper on this work was accepted for publication [27] .

We implemented a prototype connection of Reductor 's confluence reduction algorithm to the distributed version of Cæsar_Solve . Experiments were performed on the Idpot cluster using various graphs taken from Cadp demo examples. Each experiment consisted in generating a reduced graph using both the sequential version (based on algorithm A2 of Cæsar_Solve ) and the distributed version. We observed that the latter was faster by up to three orders of magnitude, with a low memory overhead. For some examples, the distributed version succeeded where the sequential one would fail due to memory exhaustion [17] .

Along the lines of the test generation theory [52] implemented in the Tgv tool of Cadp , we developed a prototype tool named Extractor that takes as inputs both a ``specification'' graph (represented implicitly using the Open/Cæsar environment) and a ``test purpose'' (represented explicitly as a Bcg graph), and computes the ``complete test graph'' ( Ctg ) containing all sequences of observable actions and quiescence present in the specification and allowed by the test purpose. The Ctg produced by Extractor is subsequently processed using the Determinator tool of Cadp to eliminate nondeterminism and transitions. Compared to Tgv , Extractor uses a radically different approach, as it reformulates the Ctg generation problem in terms of a boolean equation system, for which a diagnostic is computed using the Cæsar_Solve library.
We developed two versions of Extractor , a sequential one ( 1, 200 lines of C code) based on the sequential resolution algorithms of Cæsar_Solve , and a distributed one ( 1, 300 lines of C code) based on the distributed version of Cæsar_Solve . Experiments were performed on various graphs (taken from the Vlts benchmark suite and the Cadp demo examples) by using generic test purposes expressing the reachability of certain visible actions. All Ctg s obtained by applying Extractor and Determinator were strongly equivalent to those produced by Tgv , although slightly larger. On some examples, however, the generation of the Ctg succeeded using Extractor and Determinator , whereas Tgv would fail because of memory shortage. These results have been accepted for publication [27] .
Other Tool Developments
Participants : David Champelovier, Damien Bergamini, Hubert Garavel, Frédéric Lang, Radu Mateescu, Wendelin Serwe.
Late 2004 and early 2005, a significant number of new tools and libraries were integrated to the Cadp toolbox, among which Bcg_Merge , Bcg_Steady , Bcg_Transient , Bisimulator , Caesar_Area , Caesar_Mask , Cæsar_Solve , Determinator , Distributor , Evaluator 3.5, and Projector 2.0. This also implied an important effort in writing the corresponding manual pages and correcting the bugs reported by users worldwide.
Additionally, we improved the following Cadp tools and libraries:

The Caesar_Hash library was improved by adding new hash functions and rewriting several existing ones.

The Caesar_Table library was enhanced by extending the table maximal capacity from (2 ^{24})1 to 2 ^{29} elements, which increases the memory cost of a table, but in a reasonable manner. We also reduced (up to a factor of 2) the memory cost for ``small'' tables, the size of which can be known statically.

The Aldébaran tool, no longer maintained by its authors, was replaced by a shell wrapper (680 lines of shellscript) that invokes the new Cadp tools Bcg_Min , Bisimulator , Reductor 4.0, and Exp.Open 2.0 transparently, while keeping exactly the same commandline interface as the old Aldébaran tool. Except in a few cases (graph comparison and minimization modulo delay equivalence, and minimization modulo observational equivalence), the old Aldébaran tool is no longer used, which is a way to avoid 24 known bugs in this tool.

We updated most of the Cadp demo examples in order to take advantage of recent features and tools of Cadp .
We have continued adapting Cadp to the latest computing platforms:

We ported Cadp to the most recent Linux distributions Fedora Core 3 and 4.

We upgraded the Windows version of Cadp to support recent versions of Microsoft 's Msvcrt and Mingwin 's W32api libraries.

We finished porting the Cadp tools with a graphical userinterface to the Mac OS X operating system and we took provisions to support its most recent version 10.4 `` Tiger ''.

Besides Cadp , F. Lang updated the source code of the Rtl timed verification tool developped by Christophe Lohr (formerly at Laas/Cnrs ) to make it accepted by recent C++ compilers.