Preface

Prefac

Synthesis and verification of constraints in the PGM protocol

Specifications of protocols usually involve several parameters, for example the number of retransmissions or the timeout delays. The properties satisfied by the protocol depend often on the relation between these parameters. Automatic synthesis of such relations becomes a difficult problem when the constraints are too complex, e.g., non-linear expressions between integer and/or real parameters. This paper reports about modeling and constraint synthesis in the Pragmatic General Multicast (PGM) protocol. The property that we aim to satisfy is the full reliability property for data transmission. The complexity of the PGM prevents us from doing automatic synthesis of this constraint. Instead, we propose a methodology to deal with this problem using classical model-checking tools for timed and finite systems. Our methodology consists of several steps. First, we identify the sources of complexity and, for each source, we propose several abstractions preserving the full reliability property. Then, we build an abstract parameterized model on which we test, after instantiation of parameters, that the basic properties of the protocol (deadlock freedom, liveness) are preserved. By analyzing the scenario which invalidate the full reliability property, we find a non-linear constraint between the parameters of the protocol. We check the relation found by instantiating the parameters with relevant values and applying model-checking

Simple Algorithm for Simple Timed Games

version 1.1We propose a subclass of timed game automata (TGA), called Task TGA, representing networks of communicating tasks where the system can choose when to start the task and the environment can choose the duration of the task. We search to solve finite-horizon reachability games on Task TGA by building strategies in the form of Simple Temporal Networks with Uncertainty (STNU). Such strategies have the advantage of being very succinct due to the partial order reduction of independent tasks. We show that the existence of such strategies is an NP-complete problem. A practical consequence of this result is a fully forward algorithm for building STNU strategies. Potential applications of this work are planning and scheduling under temporal uncertainty

SPADE: Verification of Multithreaded Dynamic and Recursive Programs

International audienceThe tool SPADE allows to analyse automatically boolean programs with parallelism, communication between parallel processes, dynamic process creation, and recursion at the same time. As far as we know, this is the first software model checking tool based on an expressive model that accurately models all these aspects in programs

Rewriting Systems over Nested Data Words

We propose a generic framework for reasoning about infinite state systems handling data like integers, booleans etc. and having complex control structures. We consider that configurations of such systems are represented by nested data words, i.e., words of ... words over a potentially infinite data domain. We define a logic called $ndwl$ allowing to reason about nested data words, and we define rewriting systems called $ndwrs$ over these nested structures. The rewriting systems are constrained by formulas in the logic specifying the rewriting positions as well as structure/data transformations. We define a fragment $Sigma_2^*$ of $ndwl$ with a decidable satisfiability problem. Moreover, we show that the transition relation defined by rewriting systems with $Sigma_2^*$ constraints can be effectively defined in the same fragment. These results can be used in the automatization of verification problems such as inductive invariance checking and bounded reachability analysis. Our framework allows to reason about a wide range of concurrent systems including multithreaded programs (with procedure calls, thread creation, global/local variables over infinite data domains, locks, monitors, etc.), dynamic networks of timed systems, cache coherence/mutex/communication protocols, etc

Requirement Capture, Formal Description and Verification of an Invoicing System

Projet VASY-RAThe Invoicing case study is a typical business system proposed by Henri Habrias as a common example for a contest on the capacity of particular formal methods to capture requirements from the client. For this, the case study is informally described by half a page of English text. In this report, we use the formal description technique LOTOS for requirement capture, formal description and verification of the Invoicing case study. First, we analyse and interpret the informal requirements of the case study using the LOTOS approach for description of systems. This leads to a set of twenty questions about the informal description. By answering to these questions, we obtain a high-level specification architecture that can be formalised. Then, we present the formal description of the case study in LOTOS and, for comparison, in E-LOTOS, the new version of LOTOS currently being standardized. Since LOTOS allows a balance to be struck between process-oriented and data-oriented modeling, descriptions in both styles are given. After that, we verify the LOTOS descriptions by model-checking using the CADP (CÆSAR/ALDEBARAN) toolbox. The underlying Labelled Transition System (LTS) models corresponding to various scenarios are generated using the CÆSAR compiler. We push further the analysis of the case study by formalizing in temporal logic six properties of the system. We verify these properties on the LTS models using the XTL model-checker. Finally, we study the equivalence of the process-oriented and data-oriented descriptions using the ALDEBARAN tool

A Generic Framework for Reasoning about Dynamic Networks of Infinite-State Processes

We propose a framework for reasoning about unbounded dynamic networks of infinite-state processes. We propose Constrained Petri Nets (CPN) as generic models for these networks. They can be seen as Petri nets where tokens (representing occurrences of processes) are colored by values over some potentially infinite data domain such as integers, reals, etc. Furthermore, we define a logic, called CML (colored markings logic), for the description of CPN configurations. CML is a first-order logic over tokens allowing to reason about their locations and their colors. Both CPNs and CML are parametrized by a color logic allowing to express constraints on the colors (data) associated with tokens. We investigate the decidability of the satisfiability problem of CML and its applications in the verification of CPNs. We identify a fragment of CML for which the satisfiability problem is decidable (whenever it is the case for the underlying color logic), and which is closed under the computations of post and pre images for CPNs. These results can be used for several kinds of analysis such as invariance checking, pre-post condition reasoning, and bounded reachability analysis.Comment: 29 pages, 5 tables, 1 figure, extended version of the paper published in the the Proceedings of TACAS 2007, LNCS 442

The CoLiS Platform for the Analysis of Maintainer Scripts in Debian Software Packages

International audienceThe software packages of the Debian distribution include more than twenty-seven thousand maintainer scripts in total, almost all of them being written in the Posix shell language. These scripts are executed with root privileges at installation, update, and removal of a package, which makes them critical for system maintenance. While the Debian policy provides guidance for package maintainers producing the scripts, only few tools exist to check the compliance of a script to that policy. We present CoLiS, a software platform for discovering violations of non-trivial properties required by the Debian policy in maintainer scripts. We describe our methodology which is based on symbolic execution and feature tree constraints, and we give an overview of the toolchain. We obtain promising results: our toolchain is effective in analysing a large set of Debian maintainer scripts, and it has already detected over 150 policy violations that have lead to bug reports, more than two-third of them now being fixed

Distributed Branching Bisimulation Minimization by Inductive Signatures

We present a new distributed algorithm for state space minimization modulo branching bisimulation. Like its predecessor it uses signatures for refinement, but the refinement process and the signatures have been optimized to exploit the fact that the input graph contains no tau-loops. The optimization in the refinement process is meant to reduce both the number of iterations needed and the memory requirements. In the former case we cannot prove that there is an improvement, but our experiments show that in many cases the number of iterations is smaller. In the latter case, we can prove that the worst case memory use of the new algorithm is linear in the size of the state space, whereas the old algorithm has a quadratic upper bound. The paper includes a proof of correctness of the new algorithm and the results of a number of experiments that compare the performance of the old and the new algorithms