Software Model Checking with Explicit Scheduler and Symbolic Threads

In many practical application domains, the software is organized into a set of threads, whose activation is exclusive and controlled by a cooperative scheduling policy: threads execute, without any interruption, until they either terminate or yield the control explicitly to the scheduler. The formal verification of such software poses significant challenges. On the one side, each thread may have infinite state space, and might call for abstraction. On the other side, the scheduling policy is often important for correctness, and an approach based on abstracting the scheduler may result in loss of precision and false positives. Unfortunately, the translation of the problem into a purely sequential software model checking problem turns out to be highly inefficient for the available technologies. We propose a software model checking technique that exploits the intrinsic structure of these programs. Each thread is translated into a separate sequential program and explored symbolically with lazy abstraction, while the overall verification is orchestrated by the direct execution of the scheduler. The approach is optimized by filtering the exploration of the scheduler with the integration of partial-order reduction. The technique, called ESST (Explicit Scheduler, Symbolic Threads) has been implemented and experimentally evaluated on a significant set of benchmarks. The results demonstrate that ESST technique is way more effective than software model checking applied to the sequentialized programs, and that partial-order reduction can lead to further performance improvements.Comment: 40 pages, 10 figures, accepted for publication in journal of logical methods in computer scienc

Preface of the special issue on Model Checking of Software

Software Model Checking consists of a broad collection of techniques to tackle the complexity and the diversity in the use of software in safety-critical systems. The contributions in this special issue address some of the core problems in software model checking. The articles are based on papers selected from the 2013 SPIN Symposium on Model Checking of Software, an annual forum for practitioners and researchers interested in symbolic and state space-based techniques for the validation and analysis of software systems.The final publication is available at Springer via https://doi.org/10.1007/s10009-016-0414-5.(VLID)138711

A Polynomial Translation of pi-calculus FCPs to Safe Petri Nets

We develop a polynomial translation from finite control pi-calculus processes to safe low-level Petri nets. To our knowledge, this is the first such translation. It is natural in that there is a close correspondence between the control flows, enjoys a bisimulation result, and is suitable for practical model checking.Comment: To appear in special issue on best papers of CONCUR'12 of Logical Methods in Computer Scienc

LTSmin: high-performance language-independent model checking

In recent years, the LTSmin model checker has been extended with support for several new modelling languages, including probabilistic (Mapa) and timed systems (Uppaal). Also, connecting additional language front-ends or ad-hoc state-space generators to LTSmin was simplified using custom C-code. From symbolic and distributed reachability analysis and minimisation, LTSmin’s functionality has developed into a model checker with multi-core algorithms for on-the-fly LTL checking with partial-order reduction, and multi-core symbolic checking for the modal μ calculus, based on the multi-core decision diagram package Sylvan.\ud In LTSmin, the modelling languages and the model checking algorithms are connected through a Partitioned Next-State Interface (Pins), that allows to abstract away from language details in the implementation of the analysis algorithms and on-the-fly optimisations. In the current paper, we present an overview of the toolset and its recent changes, and we demonstrate its performance and versatility in two case studies

A partial order semantics approach to the clock explosion problem of timed automata

AbstractWe present a new approach to the symbolic model checking of timed automata based on a partial order semantics. It relies on event zones that use vectors of event occurrences instead of clock zones that use vectors of clock values grouped in polyhedral clock constraints. We provide a description of the different congruences that arise when we consider an independence relation in a timed framework. We introduce a new abstraction, called catchup equivalence which is defined on event zones and which can be seen as an implementation of one of the (more abstract) previous congruences. This formal language approach helps clarifying what the issues are and which properties abstractions should have. The catchup equivalence yields an algorithm to check emptiness which has the same complexity bound in the worst case as the algorithm to test emptiness in the classical semantics of timed automata. Our approach works for the class of timed automata proposed by Alur–Dill, except for state invariants (an extension including state invariants is discussed informally). First experiments show that the approach is promising and may yield very significant improvements

Vers l'intégration de paramètres temporels statiques et dynamiques dans les techniques de vérification par ordre partiel

RÉSUMÉ Les systèmes temps réels sont utilisés de nos jours d’une façon importante, surtout dans le domaine des applications critiques. Pour les modéliser, nous avons opté pour l’utilisation des réseaux de Petri temporels (TPN) qui sont une extension temporelle des réseaux de Petri simples (Rdp) proposés par Carl Adam Petri. Ce choix est justifié par le fait que les TPN sont des modèles permettant de représenter les aspects importants des systèmes temps réel comme la concurrence, la synchronisation et les contraintes temporelles d’une façon triviale. De plus, les TPN offrent des techniques formelles de vérification qui intègrent les contraintes temporelles. Parmi ces techniques, ce mémoire s'intéresse aux approches énumératives. Ces approches se basent sur des abstractions et visent à représenter les espaces d‘états infinis des TPN par des graphes finis. Plusieurs abstractions d'espaces d'états ont été proposées dans la littérature : le SCG (State Class Graph), le CSCG (Contracted State Class Graph), le ZBG (Zone Based Graph), etc. Ces graphes sont finis pour des TPN bornés (ayant un nombre fini de marquages accessibles) et préservent les marquages et les séquences de franchissement des TPN. Ce mémoire s'intéresse au CSCG car il est plus compact que les autres. Cependant, à l'instar des approches énumératives, le CSCG se heurte au problème d'explosion combinatoire. Pour atténuer ce problème, ce mémoire propose d'étendre et d'appliquer des techniques de réduction d'ordre partiel aux TPN. La première contribution de ce mémoire est d'implémenter une technique d'ordre partiel pour les TPN. Cette technique est une extension aux TPN de l'approche de réduction Stubborn Set (proposée par Valmari pour les réseaux de Petri simples). La deuxième contribution est le développement d’un outil qui permet de générer l’espace d’états réduit d’un TPN en appliquant notre technique. Cet outil permet aussi la construction des graphes SCG et CSCG. Nous avons réalisé certaines optimisations dans l’implémentation de cet outil en nous basant sur des algorithmes de classes d'états de moindres complexités. Nous avons testé l'approche d'ordre partiel proposée dans ce mémoire et comparée avec d'autres approches et variantes. Divers réseaux de Petri temporels ont été testés, incluant quelques modèles de références. Ces derniers sont utilisés pour confronter des outils de vérification, dans des compétitions organisées au sein de la conférence annuelle Petri nets. Les résultats obtenus en utilisant ces TPN de références montrent que notre technique permet d’avoir de meilleurs résultats par rapport aux autres approches en utilisant les même TPN. En effet, le gain a varié entre 20% et 90% en termes de nombres de classes d’états, d’arcs et de temps d’exécution.----------ABSTRACT Real time systems are widely used today especially in the field of critical applications. For modeling, we chose to use Time Petri network (TPN), which is an extension of simple Petri networks (Rdp) implemented by Carl Adam Petri. This is justified by the fact that TPN models are used to represent important aspects of real-time systems such as concurrency and synchronization in a simple way. Besides, TPN are rich in theories that have helped us to implement our technique. The two major issues of real-time systems are the obtaining of an infinite state space and the combinatorial explosion. To overcome the first issue, we have chosen the method of abstraction CSCG (Contracted State Class Graph). It is a method of abstraction which is applied to the TPN to get a finite state space representation. To address the second issue, we have extended partial order reduction technique "Stubborn Set" in the context of TPN. Note that the Stubborn Set method is a partial order reduction technique that aims to alleviate the problem of combinatorial explosion of the state space of simple Petri net i.e. without considering the time constraints. Therefore, our first contribution of our research is to participate to develop a partial order reduction technique extending the method Stubborn Set in the context of TPN. The second contribution is the development of a tool to generate the reduced state space of TPN by applying our technique. It also allows the construction of the state space using other techniques discussed in the chapter "literature review". We have performed some optimizations in the implementation of this tool based on algorithms with reduced complexity taken from the literature. To test our technique with our developed tool, we chose various examples of temporel Petri nets such the benchmark TPN. The results shows that our technique can achieve better results compared to other techniques in terms of the number of state classes, arcs and execution time