Jean-Claude Fernandez

An implementation of an efficient algorithm for bisimulation equivalence

Abstract We present an efficient algorithm for bisimulation equivalence. Generally, bisimulation equivalence can be tested in O(mn) for a labeled transition system with m transitions and n states. In order to come up with a more efficient algorithm, we establish a relationship between bisimulation equivalence and the relational coarsest partition problem, solved by Paige and Tarjan in O(m log n) time. Given an initial partition and a binary relation, the problem is to find the coarsest partition compatible with them. Computing bisimulation equivalence can be viewed both as an instance and as a generalization of this problem: an instance, because only the universal partition is considered as an initial partition and a generalization since we want to find a partition compatible with a family of binary relations instead of one single binary relation. We describe how we have adapted the Paige-Tarjan algorithm of complexity O(m log n) to minimize labeled transition systems modulo bisimulation equivalence. This algorithm has been implemented in C and is used in Aldebaran, a tool for the verification of concurrent systems.

An experiment in automatic generation of test suites for protocols with verification technology

Abstract In this paper we describe an experiment in automatic generation of test suites for protocol testing. We report the results gained with generation of test suites based on advanced verification techniques applied to a real industrial protocol. In this experiment, several tools have been used: the commercial tool GEODE (VERILOG) was used for the generation of finite state graph models from SDL specifications, the tool Aldebaran of the CADP toolbox for the minimization of transition systems, and a prototype named TGV (for Test Generation using Verification techniques) for the generation of test suites which has been developed in the CADP toolbox. TGV is based on verification techniques such as synchronous product and on-the-fly verification. These tools have been applied to an industrial protocol, the DREX protocol. The comparison of produced test suites with hand written test suites proves the relevance of the used techniques.

Minimal Model Generation

This paper adresses the problem of generating a minimal state graph from a program, without building first the whole state graph. The minimality is considered here with respect to bisimulation. A generation algorithm is presented and illustrated.

Minimal state graph generation

Abstract We address the problem of generating a minimal state graph from a program, without building the whole state graph. Minimality is considered here with respect to bisimulation. A generation algorithm is derived and illustrated. Applications concern program verification and control synthesis in reactive program compilation.

Safety for Branching Time Semantics

We study in a first part of this paper safety and liveness properties for any given program semantics. We give a topological definition of these properties using a safety preorder. Then, we consider the case of branching time semantics where a program is modeled by a set of infinite computation trees modulo bisimulation. We propose and study a safety preorder for this semantics based on simulation and dealing with silent actions. We focus on regular safety properties and characterize them by both tree-automata and formulas of a branching time logic. We show that verifying safety properties on trees reduces to simulation testing.

A toolbox for the verification of LOTOS programs

This paper presents the tools ALDEBARAN, CESAR, CESAR.ADT and CLEOPATRE which constitute a tool- box for compiling and verifying LOTOS programs. The principles of these tools are described, as well as their performances and limitations. Finally, the formal verification of the ret/REL atomic multicast protocol is given as an example to illustrate the practical use of the tool- box.

IF: An Intermediate Representation and Validation Environment for Timed Asynchronous Systems

Formal Description Techniques (FDT), such as lotos or sdl are at the base of a technology for the specification and the validation of telecommunication systems. Due to the availability of commercial tools, these formalisms are now being widely used in the industrial community. Alternatively, a number of quite efficient verification tools have been developed by the research community. But, most of these tools are based on simple ad hoc formalisms and the gap between them and real FDT restricts their use at industrial scale. This context motivated the development of an intermediate representation called IF which is presented in the paper. IF has a simple syntactic structure, but allows to express in a convenient way most useful concepts needed for the specification of timed asynchronous systems. The benefits of using IF are multiples. First, it is general enough to handle significant subsets of most FDTs, and in particular a translation from SDL to IF is already implemented. Being built upon a mathematically sound model (extended timed automata) it allows to properly evaluate different semantics for fdts, in particular with respect to time considerations. Finally, IF can serve as a basis for interconnecting various tools into a unified validation framework. Several levels of IF program representations are already available via well defined APIs and allow to connect tools ranging from static analyzers to model-checkers.

What can you verify and enforce at runtime

The underlying property, its definition, and representation play a major role when monitoring a system. Having a suitable and convenient framework to express properties is thus a concern for runtime analysis. It is desirable to delineate in this framework the sets of properties for which runtime analysis approaches can be applied to. This paper presents a unified view of runtime verification and enforcement of properties in the Safety-Progress classification. First, we extend the Safety-Progress classification of properties in a runtime context. Second, we characterize the set of properties which can be verified (monitorable properties) and enforced (enforceable properties) at runtime. We propose in particular an alternative definition of “property monitoring” to the one classically used in this context. Finally, for the delineated sets of properties, we define specialized verification and enforcement monitors.

On-the-fly verification of finite transition systems

The analysis of programs by the exhaustive inspection of reachable states in a finite-state graph is a well-understood procedure. It is straightforwardly applicable to many description languages and is actually implemented in several industrial tools. But one of the main limitations of todays verification tools is the size of the memory needed to exhaustively build the state graphs of the programs. For numerous properties, it is not necessary to explicitly build this graph; an exhaustive depth-first traversal is often sufficient. This leads to an on-line algorithms for computing Büchi acceptance (in the deterministic case) and behavioral equivalences: they are presented in detail. In order to avoid retraversing states, it is, however, important to store some of the already visited states in memory. To keep the memory size bounded (and avoid a performance falling down), visited states are randomly replaced. In most cases, this depth-first traversal with replacement can push back significantly the limits of verification tools. We give the name on-the-fly verification to the use of algorithms based on a depth-first search (with replacement) of the finite-state graph associated with the program to be verified.

IF: an intermediate representation for SDL and its applications

We present work of a project for the improvement of a specification/validation toolbox integrating a commercial toolset ObjectGEODE and different validation tools such as the verification tool CADP and the test sequence generator TGV. The intrinsic complexity of most protocol specifications lead us to study combinations of techniques such as static analysis and abstraction together with classical model-checking techniques. Experimentation and validation of our results in this context motivated the development of an intermediate representation for SDL called IF. In IF, a system is represented as a set of timed automata communicating asynchronously through a set of buffers or by rendez-vous through a set of synchronization gates. The advantage of the use of such a program level intermediate representation is that it is easier to interface with various existing tools, such as static analysis, abstraction and compositional state space generation. Moreover, it allows to define for SDL different, but mathematically sound, notions of time