
    Bridging the Gap Between Formal Methods and Software Engineering Using Model-based Technology

    Model-based technology has evolved rapidly in the last decade, bringing immediate benefits to its users. Defining domain-specific languages has never been easier, thanks to the infrastructure provided by frameworks such as Eclipse EMF and Xtext. Industrial adoption is easy: you provide specialists with just the language they need. But this is also an opportunity for formal methods and tools to find a wider user base. A problem hindering adoption of formal methods is the effort one needs to invest in learning a particular formalism, and the possible gap that exists between a handcrafted model and reality. Model translation provides an easy way to obtain formal models from domain models that contain fine-grained behavioral information, since a DSL typically also has some runtime or code generation support. This talk will present our experiences in building tools for model-checking of various languages using models and transformations, thus leveraging the state of the art in model engineering technology.

    Symbolic Model-Checking using ITS-tools

    We present the symbolic model-checking toolset ITS-tools. The model-checking back-end engine is based on hierarchical set decision diagrams (SDD) and supports reachability, CTL and LTL model-checking, using both classical and original algorithms. As front-end input language, we promote the Guarded Action Language (GAL), a simple yet expressive language for concurrency. Transformations from popular formalisms into GAL are provided, enabling fully symbolic model-checking of third-party (Uppaal, Spin, Divine...) specifications. The tool design allows you to easily build your own transformation, leveraging tools from the meta-modeling community. The ITS-tools additionally come with a user-friendly GUI embedded in Eclipse.

    Modeling a Cache Coherence Protocol with the Guarded Action Language

    We present a formal model built for verification of the hardware Tera-Scale ARchitecture (TSAR), focusing on its Distributed Hybrid Cache Coherence Protocol (DHCCP). This protocol is by nature asynchronous, concurrent and distributed, which makes classical validation of the design (e.g. through testing) difficult. We therefore applied formal methods to prove essential properties of the protocol, such as absence of deadlocks, eventual consensus, and fairness.
    Comment: In Proceedings MARS/VPT 2018, arXiv:1803.0866

    Formal verification of Mobile Robot Protocols

    Mobile robot networks emerged in the past few years as a promising distributed computing model. Existing work in the literature typically ensures the correctness of mobile robot protocols via ad hoc handwritten proofs, which, in the case of asynchronous execution models, are both cumbersome and error-prone. In this paper, we propose the first formal model and general verification (by model-checking) methodology for mobile robot protocols operating in a discrete space (that is, the set of possible robot positions is finite). Our contribution is threefold. First, we formally model, using synchronized automata, a network of mobile robots operating under various synchrony (or asynchrony) assumptions. Then, we use this formal model as input model for the DiVinE model-checker and prove the equivalence of the two models. Third, we verify using DiVinE two known protocols for variants of the ring exploration in an asynchronous setting (exploration with stop and perpetual exclusive exploration). The exploration with stop we verify was manually proved correct only when the number of robots is k > 17, and n (the ring size) and k are co-prime. As the necessity of this bound was not proved in the original paper, our methodology demonstrates that for several instances of k and n not covered in the original paper, the algorithm remains correct. In the case of the perpetual exclusive exploration protocol, our methodology exhibits a counter-example in the completely asynchronous setting where safety is violated, which is used to correct the original protocol.

    Model Checking Contest @ Petri Nets, Report on the 2013 edition

    This document presents the results of the Model Checking Contest held at Petri Nets 2013 in Milano. This contest aimed at a fair and experimental evaluation of the performance of model checking techniques applied to Petri nets. This is the third edition, after two successful editions in 2011 and 2012. The participating tools were compared on several examinations (state space generation and evaluation of several types of formulae -- reachability, LTL, CTL for various classes of atomic propositions) run on a set of common models (Place/Transition and Symmetric Petri nets). After a short overview of the contest, this paper provides the raw results from the contest, model per model and examination per examination. An HTML version of this report is also provided (http://mcc.lip6.fr).
    Comment: one main report (422 pages) and two annexes (1386 and 1740 pages)

    Symbolic and Structural Model-Checking

    Brute-force model-checking consists in exhaustive exploration of the state-space of a Petri net, and meets the dreaded state-space explosion problem. In contrast, this paper shows how to solve model-checking problems using a combination of techniques that stay in complexity proportional to the size of the net structure rather than to the state-space size. We combine an SMT-based over-approximation to prove that some behaviors are unfeasible, an under-approximation using memory-less sampling of runs to find witness traces or counter-examples, and a set of structural reduction rules that can simplify both the system and the property. This approach was able to win by a clear margin the Model Checking Contest 2020 for reachability queries as well as deadlock detection, thus demonstrating the practical effectiveness and general applicability of the system of rules presented in this paper.
    Comment: Extended journal version of the ICATPN 2020 paper, published in Fundamenta Informaticae

    From Symbolic Verification to Domain-Specific Languages

    This talk will present our experience in building data structures, algorithms, languages and tools to enable symbolic model-checking of specifications expressed in a variety of formalisms. The data structures use symbolic representations of large sets of states and of transition relations to face the challenge of state space explosion, inherent to model-checking. The algorithms exploit such symbolic representations to verify complex behavioral properties of a system, expressed using temporal logic. We leverage model-driven engineering and model transformations to propose a simple yet expressive intermediate language to express the semantics of concurrent systems. The tools, which are freely available, offer both a user-friendly front-end and an efficient back-end solver. They support analysis of diverse formalisms designed for modeling of concurrent and real-time systems.