Yann Thierry-Mieg

Hierarchical decision diagrams to exploit model structure

Symbolic model-checking using binary decision diagrams (BDD) can allow to represent very large state spaces. BDD give good results for synchronous systems, particularly for circuits that are well adapted to a binary encoding of a state. However both the operation definition mechanism (using more BDD) and the state representation (purely linear traversal from root to leaves) show their limits when trying to tackle globally asynchronous and typed specifications. Data Decision Diagrams (DDD) [7] are a directed acyclic graph structure that manipulates(a priori unbounded) integer domain variables, and which offers a flexible and compositional definition of operations through inductive homomorphisms. We first introduce a new transitive closure unary operator for homomorphisms, that heavily reduces the intermediate peak size effect common to symbolic approaches. We then extend the DDD definition to introduce hierarchy in the data structure. We define Set Decision Diagrams, in which a variable’s domain is a set of values. Concretely, it means the arcs of an SDD may be labeled with an SDD (or a DDD), introducing the possibility of arbitrary depth nesting in the data structure. We show how this data structure and operation framework is particularly adapted to the computation and representation of structured state-spaces, and thus shows good potential for symbolic model-checking of software systems, a problem that is difficult for plain BDD representations.

On the Formal Verification of Middleware Behavioral Properties

Distribution middleware is often integrated as a COTS, providing distribution facilities for critical, embedded or large-scale applications. So far, typical middleware does not come with a complete analysis of their behavioral properties. In this paper, we present our work on middleware modeling and the verification of its behavioral properties; the study is applied to our middleware architecture: PolyORB. Then we present the tools and techniques deployed to actually verify the behavioral properties of our model: Petri nets, temporal logic and advanced algorithms to reduce the size of the state space. Finally, we detail some properties we verify and assess our methodology.

New features in CPN-AMI 3: focusing on the analysis of complex distributed systems

Due to the state-space size explosion problem, behavioral analysis techniques are difficult to scale up to industrial size problems. Our group couples research on analysis tools with an introspection on modeling and software engineering techniques. CPN-AMI is an integrated development and analysis environment dedicated to Petri nets. The numerous services it offers are built by a homogeneous integration of tools developed internally, and third-party tools from partner universities. These tools include state of the art algorithms and data-structures. This third major release offers better support for modeling and analysis of very large systems

UML behavioral consistency checking using instantiable Petri nets

Model-driven engineering (MDE) development methods are gaining increasing attention from industry. In MDE, the model is the primary artifact and serves several goals, including code generation, requirements traceability, and model-based testing. MDE thus enables cost-effective building of models versus direct coding of an application. Thus model-based formal verification of behavioral consistency is desirable as it helps improve model quality. Our approach is based on translation of a UML model to instantiable Petri nets (IPN). This formalism is based on the semantics of Petri nets, but introduces the concepts of type and instance. This allows one to accurately capture these concepts in UML models. IPN support hierarchical descriptions natively, and use the notion of transition synchronization for composition of behaviors. This is a general and powerful mechanism borrowed from process algebra. We show that IPN allow one to adequately address the challenges of translation from UML for analysis purposes. The approach has been implemented and experimental results are presented.

Hierarchical Set Decision Diagrams and Regular Models

This paper presents algorithms and data structures that exploit a compositional and hierarchical specification to enable more efficient symbolic model-checking. We encode the state space and transition relation using hierarchical Set Decision Diagrams (SDD) [9].In SDD, arcs of the structure are labeled with sets, themselves stored as SDD. To exploit the hierarchy of SDD, a structured model representation is needed. We thus introduce a formalism integrating a simple notion of type and instance . Complex composite behaviors are obtained using a synchronization mechanism borrowed from process calculi. Using this relatively general framework, we investigate how to capture similarities in regular and concurrent models. Experimental results are presented, showing that this approach can outperform in time and memory previous work in this area.

Hierarchical Set Decision Diagrams and Automatic Saturation

Shared decision diagram representations of a state-space have been shown to provide efficient solutions for model-checking of large systems. However, decision diagram manipulation is tricky, as the construction procedure is liable to produce intractable intermediate structures (a.k.a peak effect). The definition of the so-called saturation method has empirically been shown to mostly avoid this peak effect, and allows verification of much larger systems. However, applying this algorithm currently requires deep knowledge of the decision diagram data-structures, of the model or formalism manipulated, and a level of interaction that is not offered by the API of public DD packages. Hierarchical Set Decision Diagrams (SDD) are decision diagrams in which arcs of the structure are labeled with sets, themselves stored as SDD. This data structure offers an elegant and very efficient way of encoding structured specifications using decision diagram technology. It also offers, through the concept of inductive homomorphisms, unprecedented freedom to the user when defining the transition relation. Finally, with very limited user input, the SDD library is able to optimize evaluation of a transition relation to produce a saturation effect at runtime. We further show that using recursive folding, SDD are able to offer solutions in logarithmic complexity with respect to other DD. We conclude with some performances on well known examples.

Report on the Model Checking Contest at Petri Nets 2011

This article presents the results of the Model Checking Contest held within the SUMo 2011 workshop, a satellite event of Petri Nets 2011. This contest aimed at a fair and experimental evaluation of the performances of model checking techniques applied to Petri nets.

Building Efficient Model Checkers using Hierarchical Set Decision Diagrams and Automatic Saturation

Shared decision diagram representations of a state-space provide efficient solutions for model-checking of large systems. However, decision diagram manipulation is tricky, as the construction procedure is liable to produce intractable intermediate structures (a.k.a peak effect). The definition of the so-called saturation method has empirically been shown to mostly avoid this peak effect, and allows verification of much larger systems. However, applying this algorithm currently requires deep knowledge of the decision diagram data structures. Hierarchical Set Decision Diagrams (SDD) are decision diagrams in which arcs of the structure are labeled with sets, themselves stored as SDD. This data structure offers an elegant and very efficient way of encoding structured specifications using decision diagram technology. It also offers, through the concept of inductive homomorphisms, flexibility to a user defining a symbolic transition relation. We show in this paper how, with very limited user input, the SDD library is able to optimize evaluation of a transition relation to produce a saturation effect at runtime. We build as an example an SDD model-checker for a compositional formalism: Instantiable Petri Nets (IPN). IPN define a type as an abstract contract. Labeled P/T nets are used as an elementary type. A composite type is defined to hierarchically contain instances (of elementary or composite type). To compose behaviors, IPN use classic label synchronization semantics from process calculi. With a particular recursive folding SDD are able to offer solutions for symmetric systems in logarithmic complexity with respect to other DD. Even in less regular cases, the use of hierarchy in the specification is shown to be well supported by SDD. Experimentations and performances are reported on some well known examples.

A Symbolic Symbolic State Space Representation

Symmetry based approaches are known to attack the state space explosion problem encountered during the analysis of distributed systems. In another way, BDD-like encodings enable the management of huge data sets. In this paper, we show how to benefit from both approaches automatically. Hence, a quotient set is built from a coloured Petri net description modeling the system. The reachability set is managed under some explicit symbolic operations. Also, data representations are managed symbolically based on a recently introduced data structure, called Data Decisions Diagrams, that allow flexible definition of application specific operators. Performances yielded by our prototype are reported in the paper.

Formal verification of mobile robot protocols

Mobile robot networks emerged in the past few years as a promising distributed computing model. Existing work in the literature typically ensures the correctness of mobile robot protocols via ad hoc handwritten proofs, which, in the case of asynchronous execution models, are both cumbersome and error-prone. Our contribution is twofold. We first propose a formal model to describe mobile robot protocols operating in a discrete space i.e., with a finite set of possible robot positions, under synchrony and asynchrony assumptions. We translate this formal model into the DVE language, which is the input format of the model-checkers DiVinE and ITS tools, and formally prove the equivalence of the two models. We then verify several instances of two existing protocols for variants of the ring exploration in an asynchronous setting: exploration with stop and perpetual exclusive exploration. For the first protocol we refine the correctness bounds and for the second one, we exhibit a counter-example. This protocol is then modified and we establish the correctness of the new version with an inductive proof.