Laurent Mounier

IF-2.0: A Validation Environment for Component-Based Real-Time Systems

It is widely recognised that the automated validation of complex systems can hardly be achieved without tool integration. The development of the IF-1.0 toolbox [3] was initiated several years ago, in order to provide an open validation platform for timed asynchronous systems (such as telecommunication protocols or distributed applications, in general). The toolbox was built upon an intermediate representation language based on extended timed automata. In particular, this representation allowed us to study the semantics of real-time primitives for asynchronous systems. Currently, the toolbox contains dedicated tools on the intermediate language (such as compilers, static analysers and model-checkers) as well as front-ends to various specification languages and validation tools (academic and commercial ones). Among the dedicated tools, we focused on static analysis (such as slicing and abstraction) which are mandatory for an automated validation of complex systems. Finally, the toolbox was successfully used on several case studies, the most relevant ones being presented in [4].

On the Fly Verification of Behavioural Equivalences and Preorders

This paper describes decision procedures for bisimulation and simulation relations between two transition systems. The algorithms proposed here do not need to previously construct them: the verification can be performed during their generation. In addition, a diagnosis is computed when the two transitions systems are not equivalent.

Compositional State Space Generation from Lotos Programs

This paper describes a compositional approach to generate the labeled transition system representing the behavior of a Lotos program by repeatedly alternating composition and reduction operations on subsets of its processes. To restrict the size of the intermediate Ltss generated, we generalize to the Lotos parallel composition operator the results proposed in [GS90], which consist in representing the environment of a process by an interface, i.e., a set of “authorized” execution sequences. This generalization allows to handle both user-given interfaces and automatically computed ones. This compositional generation method has been implemented within the Cadp toolbox and experimented on several realistic case-studies.

A toolbox for the verification of LOTOS programs

This paper presents the tools ALDEBARAN, CESAR, CESAR.ADT and CLEOPATRE which constitute a tool- box for compiling and verifying LOTOS programs. The principles of these tools are described, as well as their performances and limitations. Finally, the formal verification of the ret/REL atomic multicast protocol is given as an example to illustrate the practical use of the tool- box.

IF: An Intermediate Representation and Validation Environment for Timed Asynchronous Systems

Formal Description Techniques (FDT), such as lotos or sdl are at the base of a technology for the specification and the validation of telecommunication systems. Due to the availability of commercial tools, these formalisms are now being widely used in the industrial community. Alternatively, a number of quite efficient verification tools have been developed by the research community. But, most of these tools are based on simple ad hoc formalisms and the gap between them and real FDT restricts their use at industrial scale. This context motivated the development of an intermediate representation called IF which is presented in the paper. IF has a simple syntactic structure, but allows to express in a convenient way most useful concepts needed for the specification of timed asynchronous systems. The benefits of using IF are multiples. First, it is general enough to handle significant subsets of most FDTs, and in particular a translation from SDL to IF is already implemented. Being built upon a mathematically sound model (extended timed automata) it allows to properly evaluate different semantics for fdts, in particular with respect to time considerations. Finally, IF can serve as a basis for interconnecting various tools into a unified validation framework. Several levels of IF program representations are already available via well defined APIs and allow to connect tools ranging from static analyzers to model-checkers.

What can you verify and enforce at runtime

The underlying property, its definition, and representation play a major role when monitoring a system. Having a suitable and convenient framework to express properties is thus a concern for runtime analysis. It is desirable to delineate in this framework the sets of properties for which runtime analysis approaches can be applied to. This paper presents a unified view of runtime verification and enforcement of properties in the Safety-Progress classification. First, we extend the Safety-Progress classification of properties in a runtime context. Second, we characterize the set of properties which can be verified (monitorable properties) and enforced (enforceable properties) at runtime. We propose in particular an alternative definition of “property monitoring” to the one classically used in this context. Finally, for the delineated sets of properties, we define specialized verification and enforcement monitors.

On-the-fly verification of finite transition systems

The analysis of programs by the exhaustive inspection of reachable states in a finite-state graph is a well-understood procedure. It is straightforwardly applicable to many description languages and is actually implemented in several industrial tools. But one of the main limitations of todays verification tools is the size of the memory needed to exhaustively build the state graphs of the programs. For numerous properties, it is not necessary to explicitly build this graph; an exhaustive depth-first traversal is often sufficient. This leads to an on-line algorithms for computing Büchi acceptance (in the deterministic case) and behavioral equivalences: they are presented in detail. In order to avoid retraversing states, it is, however, important to store some of the already visited states in memory. To keep the memory size bounded (and avoid a performance falling down), visited states are randomly replaced. In most cases, this depth-first traversal with replacement can push back significantly the limits of verification tools. We give the name on-the-fly verification to the use of algorithms based on a depth-first search (with replacement) of the finite-state graph associated with the program to be verified.

IF: an intermediate representation for SDL and its applications

We present work of a project for the improvement of a specification/validation toolbox integrating a commercial toolset ObjectGEODE and different validation tools such as the verification tool CADP and the test sequence generator TGV. The intrinsic complexity of most protocol specifications lead us to study combinations of techniques such as static analysis and abstraction together with classical model-checking techniques. Experimentation and validation of our results in this context motivated the development of an intermediate representation for SDL called IF. In IF, a system is represented as a set of timed automata communicating asynchronously through a set of buffers or by rendez-vous through a set of synchronization gates. The advantage of the use of such a program level intermediate representation is that it is easier to interface with various existing tools, such as static analysis, abstraction and compositional state space generation. Moreover, it allows to define for SDL different, but mathematically sound, notions of time

Runtime enforcement monitors: composition, synthesis, and enforcement abilities

Runtime enforcement is a powerful technique to ensure that a program will respect a given set of properties. We extend previous work on this topic in several directions. Firstly, we propose a generic notion of enforcement monitors based on a memory device and finite sets of control states and enforcement operations. Moreover, we specify their enforcement abilities w.r.t. the general Safety-Progress classification of properties. Furthermore, we propose a systematic technique to produce a monitor from the automaton recognizing a given safety, guarantee, obligation or response property. Finally, we show that this notion of enforcement monitors is more amenable to implementation and encompasses previous runtime enforcement mechanisms.

Specification and verification of the PowerScale bus arbitration protocol: an industrial experiment with LOTOS

This paper presents the results of an industrial case-study concerning the use of formal methods for the validation of hardware design. The case-study focuses on PowerScaleTM, a multiprocessor architecture based on PowerPCTM micro-processors and used in Bull’s EscalaTM series of servers and workstations*. The specification language Lotos (ISO International Standard 8807) was used to describe formally the main components of this architecture (processors, memory controller and bus arbiter). Four correctness properties were identified, which express the essential requirements for a proper functioning of the arbitration algorithm, and formalized in terms of bisimulation relations (modulo abstractions) between finite labelled transition systems. Using the compositional and on-the-fly model-checking techniques implemented in the Cadp (CAEsar/Aldebaran) toolbox, the correctness of the arbitration algorithm was established automatically in a few minutes.