SAT-Solving in CSP Trace Refinement

Transcription

1 ST-Solving in CSP Trce Refinement Hristin Plikrev, Joël Ouknine nd. W. Roscoe Deprtment of Computer Science, Oxford University, UK bstrct In this pper, we ddress the problem of pplying ST-bsed bounded model checking (BMC) nd temporl k-induction to synchronous concurrent systems. We investigte refinement checking in the process-lgebric setting of Communicting Sequentil Processes (CSP), focusing on the CSP trces model which is sufficient for verifying sfety properties. We dpt the BMC frmework to the context of CSP nd the existing refinement checker FDR yielding bounded refinement checking which lso lys the foundtion for tiloring the k-induction technique. s refinement checking reduces to checking for reverse continment of possible behviours, we exploit the ST-solver to decide bounded lnguge inclusion s opposed to bounded rechbility of error sttes, s in most existing model checkers. Due to the hrder problem to decide nd the presence of invisible silent ctions in process lgebrs, the originl syntctic trnsltion of BMC to ST cnnot be pplied directly nd we dopt semntic trnsltion lgorithm bsed on wtchdog trnsformtions. We propose Boolen encoding of CSP processes resting on FDR s hybrid two-level pproch for clculting the opertionl semntics using supercombintors. We hve implemented prototype tool, SymFDR, written in C++, which uses FDR s shred librry for mnipulting CSP processes nd the stte-of-the-rt incrementl ST-solver MiniST 2.0. Experiments with BMC indicte tht in some cses, especilly in complex combintoril problems, SymFDR significntly outperforms FDR nd even copes with problems tht re beyond FDR s cpbilities. SymFDR in k-induction mode works resonbly well for smll test cses, but is inefficient for lrger ones s the threshold becomes too lrge, due to concurrency. Keywords: CSP, FDR, concurrency, process lgebr, ST-solving, bounded model checking, k-induction, sfety properties 1. Introduction Model checking [CGP99; BK08; BHvMW09] is powerful utomtic forml verifiction technique for estblishing correctness of systems. It requires finite-stte model of system, cpturing ll its possible behviours, nd specifiction property, usully modelled s formul in some kind of temporl logic. The model checker performs nlysis bsed on exhustive explortion of the stte spce of the system to either confirm or refute tht the system meets its specifiction. In the ltter cse, the model checker provides counterexmple trce for reproducing nd fixing the bug. Model checking is complete nd, therefore, relible when pronouncing system correct. The min chllenge in pplying model checking in prctice is the so-clled stte-spce explosion problem which tends to be even more severe in the context of concurrent systems. The stte-spce of concurrent system grows exponentilly with the number of its concurrent components nd the 1

2 number nd size of its dt vlues. This puts restrictions on the size of systems tht cn be trctbly nlysed. To llevite the stte-spce explosion problem, significnt number of techniques hve been proposed. Methods for decresing the size of the generted stte spce nd enhncing the model checking lgorithm include CEGR [CGJ + 00], prtil-order reductions [CGP99; Pel98], bounded model checking [BCCZ99], etc. Regrding stte-spce representtion, the mjor dichotomy is between explicit nd symbolic [BCM + 92; BCCZ99] model checking. Explicit model checking is bsed on explicit enumertion nd exmintion of individul sttes. Symbolic model checking relies on bstrct representtion of sets of sttes, generlly s Boolen formule, nd properties re vlidted using techniques such s BDD mnipultion or ST-solving. The recent dvnces of efficient ST-solvers hve significntly brodened the horizons of symbolic model checking. ST-bsed bounded model checking [BCCZ99] hs proven to be n extremely powerful technique, minly suited, due to its incompleteness, to flsifiction of properties. pproches for mking BMC complete include clculting completeness thresholds [CKOS04; CKOS05] or ugmenting BMC with k-induction [SSS00; ES03b] or Crig interpoltion [McM03] techniques. Both bounded nd unbounded ST-bsed model checking hve been minly investigted in the context of hrdwre nd sequentil softwre systems. In this pper, we ddress pplying BMC nd temporl k-induction [ES03b] to synchronous concurrent systems. The generl problem we investigte is refinement checking in process-lgebric settings nd, more specificlly, in the context of CSP [Ho85; Ros98; Ros10]. In process lgebrs, systems re modelled s interctions of collection of processes, communicting with ech other nd with the outer world vi messge pssing, s opposed to shred vribles. Using high-level lnguge, processes re defined compositionlly nd compiled into hierrchicl structure, strting with tomic process constructs nd combining those using opertors such s choice, prllel nd sequentil composition, hiding, etc. This llows for wy of describing rective systems tht is usully very concise nd much more economicl in stte spce thn shred-vrible lnguges. Unlike in conventionl model checking, where specifictions re generlly defined s temporllogic formule, in process lgebrs specifictions re defined s bstrct designs of the systems, i.e. s processes, which llows for step-wise development process. The refinement checking procedure decides whether the behviours of the system re subset of the behviours of the specifiction, i.e. whether the system refines the specifiction. Hence, the verifiction problem reduces to checking for reverse continment of behviours nd, therefore, to reverse lnguge inclusion. Developed in the lte 1970 s by Hore, CSP is one of the two originl process lgebrs. It llows for the precise description nd nlysis of event-bsed concurrency. n dvntge of the CSP frmework is tht it offers well-developed syntx, lgebric nd opertionl semntics, hierrchy of congruent denottionl semntic models, s well s forml theory of refinement nd compositionl verifiction. In terms of syntx nd semntics, mong other differences with existing formlisms for modelling concurrent systems, CSP supports the usge of brodcst communiction, recursion, s well s hiding nd renming of events, both of which re powerful mechnisms for bstrction. FDR [Ros94; FSE05] is cknowledged s the primry tool for CSP refinement checking nd hs been widely used for nlysing sfety-criticl systems. The core of FDR is refinement checking in ech of the semntic models, which is crried out on the level of the opertionl representtion of the CSP processes nd is implemented using explicit stte enumertion supplemented by hierrchicl stte-spce compression techniques. When deciding whether n implementtion process Impl refines normlised specifiction process Spec, FDR follows lgorithms exploring the Crtesin product of the stte spces of Spec nd Impl in wy comprble to conventionl model checking. lthough 2

3 until now FDR hs followed the explicit model checking pproch, there hs been some work on the symbolic model checking of CSP resulting in the BDD-bsed refinement checker RC [PY96] nd the model checker PT [SLDS08], both of which exploit fully compositionl encoding of CSP processes. PT verifies systems defined in version of CSP enhnced with shred vribles nd, within the BMC frmework, it uses specifictions defined s rechbility properties on the vlues of the shred vribles, which requires different model checking lgorithm bsed on rechbility nd not on lnguge continment. This pper reports our ttempts to integrte ST-bsed BMC nd temporl k-induction into FDR. The former technique is incomplete nd s such is only suitble to detecting bugs. k-induction, however, is complete nd cn lso be used for estblishing the correctness of systems. Hence, to the best of our knowledge, this is the first ttempt to pply unbounded ST-bsed refinement checking to CSP. We propose n lterntive Boolen encoding of CSP processes bsed on FDR s hybrid two-level pproch for clculting the opertionl semntics using supercombintors [Gol04]. s we del with with problem tht reduces to lnguge inclusion insted of to rechbility nd due to the presence of invisible hidden ctions in process lgebrs, the originl syntctic trnsltion of BMC to ST cnnot be pplied directly nd we dopt semntic trnsltion lgorithm bsed on wtchdog trnsformtions [RGM + 03]. Essentilly, this involves reducing refinement check into nlysing single process which is constructed by putting the implementtion process in prllel with trnsformed specifiction process. The ltter plys the role of wtchdog tht monitors nd mrks violting behviours. Within the scope of this pper, we only consider the trnsltion of trce refinement to ST checking. The result is prototype tool SymFDR 1 which, when combined with stte-of-the-rt ST-solvers such s MiniST 2.0 [ES03; EB05], sometimes outperforms FDR by significnt mrgin in finding counterexmples. We compre the performnce of SymFDR with the performnce of FDR, FDR used in non-stndrd wy, PT [SLD08] nd, in some cses, NuSMV [CCG + 02], lloy nlyzer [Jc06] nd stright ST encodings tilored to the specific problems under considertion. The reminder of the pper is orgnised s follows. In Section 2, we set out the necessry bckground on CSP nd FDR s two-level strtegy for performing refinement checks. We briefly describe the ides underlying ST-bsed BMC nd k-induction. In Section 3, we show how to dpt the wtchdog pproch [RGM + 03] to BMC nd, hence, to k-induction, while in Section 4, we summrise the methods we use to trnslte FDR s supercombintor representtion of stte mchine into input for ST-solver. Section 5 gives detils of how SymFDR is built on top of this, nd Section 6 offers experimentl evlution. 2. Preliminries 2.1. CSP nd FDR In this section, we give brief overview of CSP nd FDR. The interested reder is referred to [Ros98], [Ros10] nd [FSE05] for more detils. We restrict our focus to the trces model exclusively, intentionlly omitting informtion bout other more expressive models of CSP CSP Syntx In CSP, processes interct with ech other nd n externl environment by communicting events. More thn one process my hve to cooperte in the performnce of n event, i.e. hndshke on it. It 1 SymFDR s binries re expected to be online shortly. 3

4 is stndrd to distinguish between visible events tht might need the coopertion of other processes or the environment nd invisible internl ctions tht occur silently, re not observble or controllble outside process nd model n internl computtion such s nondeterminism, unfolding of recursion, bstrction of detils. Let Σ be finite lphbet of visible events with, Σ. denotes the invisible silent ction nd successful termintion of process specil ction which is visible but uncontrollble from outside nd cn only occur lst. In wht follows, we ssume tht Σ, Σ nd B Σ = Σ { }. R Σ Σ denotes renming reltion on Σ. For given process P, we denote by α P Σ the set of ll visible events tht P cn perform. We recll the core syntx of CSP. Definition 2.1. CSP process is defined recursively vi the following grmmr: P = STOP SKIP DIV x : P (x) P 1 P 2 P 1 P 2 P 1 P 2 P 1 P 2 P \ P R µ P F (P ) B STOP represents dedlocked process, i.e. process tht is not cpble of communicting ny visible or ctions. The prefixed process x : P (x) initilly offers the environment to perform ny event from nd subsequently behves like P (). DIV denotes livelock, i.e. process tht is engged in performing n infinite loop of internl ctions without ever communicting with the externl environment. The process SKIP denotes successful termintion nd is willing to perform t ny time. P 1 P 2 nd P 1 P 2 denote, respectively, externl nd internl choice of P 1 nd P 2. In the former cse the choice is resolved by the environment while in the ltter nondeterministiclly. The prllel composition P 1 B P 2 cn communicte n event from B only if both P 1 nd P 2 re redy to do so P 1 nd P 2 need to hndshke (synchronise) on the events in B, but cn perform independently on ll other events. In prctice, it is common to synchronise P 1 nd P 2 on their shred events, i.e. use B = α P1 α P2. The sequentil composition P 1 P 2 behves like P 1 until P 1 termintes successfully, t which point it silently evolves into P 2. P \ behves like P except tht ll events from re being hidden, i.e. turned into internl ctions. Hence, the events in P become invisible nd uncontrollble by other processes or the environment by mens of synchronistion. P R behves like P, except tht, whenever P cn perform n event, P R cn perform ny event b, such tht Rb. µ P F (P ) denotes recursive process. FDR supports the lnguge CSP M which extends core CSP with severl further opertors nd n extensive functionl lnguge. Our prototype tool SymFDR supports the full CSP M syntx, except tht it cnnot t present hndle scripts using the function chse Running Exmple: Milner s Scheduler Given fixed N N, scheduler must rrnge two clsses of events.i nd b.i for i {0,..., N 1}. There re two requirements the.i-s should occur in strict rottion, i.e..0,.1,...,.n 1 }{{},.0,.1....,.N 1,..., nd there should be precisely one b.i between ech pir of.i-s. }{{} In CSP, Milner s scheduler cn be modelled s ring of cell processes synchronised using extr events c.i, s illustrted on Figure 1. n bstrcted CSP script for Milner s scheduler estblishing the rottion specifiction is presented on Figure 2. i 1 denotes (i + 1)%N nd, likewise, i 1 (i 1)%N. For ech process Cell(i), we extend its lphbet α Cell(i) = {.i, b.i} with extr events c.i nd c.i 1 to use for synchronising with its neighbouring processes Cell(i 1 ) nd Cell(i 1 ), respectively. Cell(0 ) is defined in slightly different wy s the -sequence should strt with.0. 4

5 Figure 1: Milner s scheduler for N = 5 The scheduler is constructed by composing ll the cells in prllel nd hiding ll c-events on top s they hve been introduced solely for synchronistion purposes. Within Scheduler, the opertor corresponds to synchronising the two rgument processes on the set of their common events nd is fully ssocitive. Hence, cell cn perform n event only if ll other cells tht hve the sme event in their lphbet re lso offering to do so. { c } is shorthnd for {c.i i N}. We give rough ide of how Scheduler works nd why it preserves the rottion specifiction (modelled s Spec). The only process tht cn initilly perform n event is Cell(0 ) for ll i > 0, Cell(i) is blocked s it needs Cell(i 1 ) to lso offer c.i. fter Cell(0 ) communictes.0, the only thing tht cn hppen next is Cell(0 ) nd Cell(1 ) synchronising on c.1, thus enbling Cell(1 ) to perform.1. Concerning the sequence of -s, the sme process is repeted round the ring s, synchronising on c.i 1, Cell(i) psses token to Cell(i 1 ) to signify tht it is Cell(i 1 ) s turn to contribute n.i 1. Obviously, the second requirement for the scheduler is cptured s well, lso in the most generl wy. Cell(0 ) =.0 c.1 b.0 c.0 Cell(0 ) Cell(i) = c.i.i c.i 1 b.i Cell(i) if i > 0 Scheduler = (Cell(0 ) Cell(1 )... Cell(N 1 )) \ { c } Spec(i) =.i Spec(i 1) Spec = Spec(0) ssert Spec T Scheduler \ { b } Figure 2: CSP syntx Milner s scheduler Denottionl Semntics Trditionlly, the primry mens of understnding CSP descriptions hs been to use denottionl (behviourl) models, whereby process is identified with the set of observble behviours it cn exhibit. CSP supports hierrchy of severl such denottionl semntic models. Different models describe different types of behviours, providing more or less informtion bout process, with the nturl trde-off between the mount of detils recorded for process nd the complexity of working in the model. ll denottionl models re compositionl in the sense tht the denottionl vlue (the set of possible behviours) of ech process cn be computed in terms of the denottionl vlues of its 5

6 subcomponents. The vlue of recursive process is obtined using stndrd fixed-point theory in the style of Scott nd Strchey. In the simplest of ll models, the trces model, process P is identified with the set of its finite trces, denoted by trces(p ). Intuitively, trce of process is sequence of visible ctions tht the process cn perform. Nturlly, the set of trces of process is non-empty nd prefix-closed. For exmple, going bck to the scheduler described on Figure 2, trce of Cell(0 ) is ny prefix of (.0 c.1 b.0 c.0). The trces model records informtion bout wht process my do nd is, therefore, sufficient for verifying sfety properties. There re two different pproches for obtining the set trces(p ) either by constructing it inductively from the trces of its subcomponents, or by extrcting it from the opertionl representtion. Refer to [Ros98] for the rules underlying the first pproch. Just to give flvour of it in terms of Milner s scheduler: ˆ trces(spec) = { } {.0 t t trces(spec(1))}, ˆ trces(scheduler) = {t (Σ \ { c }) t trces(cell(0 )... Cell(N 1 ))}. Since denottionl vlues of processes re rther complex nd often infinite, FDR clcultes the behviours of process from its stndrd opertionl representtion which is justified by stndrd congruence theorems, presented nd proven in [Ros98; Ros88] Opertionl Semntics The opertionl semntics models CSP processes s lbelled trnsition systems (LTS s), with nodes denoting processes nd lbels denoting visible events or ctions. Since the LTS representtion is not unique, in terms of the opertionl semntics, two processes re considered equivlent if they re strongly bisimilr [Ros98]. The opertionl semntics cn generlly be clculted by repetedly pplying set of SOS-style inference rules, clled firing rules. Firing rules provide recipes for constructing n LTS out of CSP description of process. The recipes define how processes cn evolve by clculting the initil ctions vilble t ech node nd the possible results fter performing ech ction. The firing rules re presented below. We use n uxiliry process term Ω to denote ny process tht hs lredy terminted successfully. If F is CSP term with free process vrible X nd Q is CSP process, F [Q/X] represents the process obtined by substituting every free occurrence of X in F with Q. The lst three rules reflect the fct tht termintion is distributive P 1 P 2 termintes when both P 1 nd P 2 do. The reder is referred to [Ros98] for more informtion. SKIP x : P (x) P 1 P 2 Ω ( ) P () ( P 1 P 1 P 2 P 2 µ P F (P ) P 1 P 1 P 1 P 2 P 1 P 2 F [(µ P F (P ))/P ] P 2 P 2 P 1 P 2 P 1 P 2 (SKIP) ) ( ) (µ P F (P )) ( ) 6

7 b P 1 P 1 (b Σ ) b P 1 P 2 P 1 P 1 P 1 P 1 P 2 P 1 P 2 P 1 P 1 P 1 ; P 2 P 1 ; P ( Σ) 2 P P P P \ ( ) P \ P P P R Ω P 1 P 1 P 1 P 2 P 1 P 1 P 1 P 1 P 2 P 1 ( Σ \ ) P 2 P 1 P 1 P 2 P P P \ P \ P P P \ Ω b P 2 P 2 (b Σ ) ( b Σ ) P 1 P 2 P 2 ( ) P 1.P 1 P 1 ( Σ ) P 1 ; P 2 P 2 (\ ) (\ ) P P \ P \ ( Σ \ ) (\ Σ) P P P R P R P P R P b P R P 2 P 2 P 2 P 1 P 2 P 2 P 1 P 2 P 1, P 2 P 2 P 1 P 2 ( R ) (Rb) ( R Σ ) P 1 P 2 P 2 P 1 P 2 ( ) ( Σ \ ) ( Σ1) ( ) ( Σ2) P 1 P 1 P 2 P 2 P 1 P 2 Ω P 2 P 1 P 2 P 1 Ω Ω Ω Ω ( 1) ( 2 ) 7

8 Extrcting Behviours from Opertionl Semntics. We now present how behviours, in our cse trces, cn be retrieved from the opertionl semntics of process. Intuitively, trce of process is obtined by trimming the invisible ctions from n execution of the LTS underlying the opertionl representtion. Formlly, lbelled trnsition system is qudruple M = S, s 0, L, T, where S is finite set of sttes, s 0 S is the initil stte, L is finite set of lbels, T S L S is the trnsition reltion. For convenience, we write s s S, such tht s l s insted of (s, l, s ) T. Furthermore, we write s l if there exists l s. n execution of M is finite or infinite lternting sequence of sttes nd l i+1 events π = s 0 l 1 s 1 l 2... l n s n..., such tht s 0 is the initil stte nd for ll i 0, s i si+1. Going bck to our exmple, the LTS s of Cell(0 ) nd Cell(1 ) re depicted on Figure 3(b). Let P be finite-stte process nd OS P = S P, s P 0, L P = Σ,, T P be the LTS underlying the opertionl semntics of P. We write Σ to denote the set of finite words over Σ which might end with, nd similrly, (Σ ). For p, q S P, we use the following nottion: ˆ initils(p) = {l Σ p }, l i.e. initils(p) is the set of visible events tht cn be communicted from the stte p. ˆ For t = x i 0 i < n (Σ ) t, we write p q if there exists sequence of sttes x p 0, p 1,..., p n, such tht p 0 = p, p n = q nd p k k pk+1 for k {0,..., n 1}. t ˆ For t Σ, we write p = q if there exists t (Σ ), such tht p t q nd t = t Σ, i.e. t is t with ll the s removed. Then, we define trces(p ) = {t Σ q S P.s P 0 t = q} Opertionl Representtion in FDR The Two-Level pproch The SOS nottion for opertionl semntics llows the cretion of mny opertors tht do not fit in the denottionl world of CSP. ny CSP opertor cn be described using less generl combintor opertionl rules insted nd, conversely, ny opertor tht cn be given combintor opertionl semntics cn be derived nd given denottionl semntics in CSP [Ros10]. Combintor-style semntics cn be generlised to supercombintor opertionl semntics which is the one used in FDR. We give detils bout both combintor nd supercombintor semntics below. Combintor Rules. s with SOS, there re severl combintor rules for ech CSP opertor nd these llow us to infer the initil ctions vilble t ech process node out of its top-level opertor nd the initil ctions vilble t its immedite process rguments. The crucil difference compred to SOS rules origintes from the fct tht process rguments cn be viewed s switched on or off, depending on the context they re used in. Given compound CSP process P = (P 1,..., P n ), process rgument P i is considered switched on if its initil ctions re immeditely relevnt for the initil ctions of P nd switched off if does not need its initil ctions to deduce the resulting initil ction of P. For exmple: ˆ in P 1 P 2 = P 1 P 2, both P 1 nd P 2 re switched on ˆ in P 1 P 2, P 2 is initilly switched off until P 1 performs, t which point P 1 becomes switched off nd P 2 switched on ˆ in P, P is initilly switched off but gets switched on when is communicted 8

9 ˆ in P 1 P 2, P 1 nd P 2 re initilly switched off s the nondeterministic choice is only resolved fter is performed, t which point precisely one of the two processes becomes ctivted. Combintor rules keep trck of which processes re switched on t every given moment nd restrict SOS by llowing only two types of rules: ˆ rules enforcing tht whenever switched-on process rgument performs, this is promoted to of the compound process tht does not chnge its structure. ˆ rules combining visible events of switched-on process rguments (if ny) into resulting ction of the compound process. In those rules, switched-on process cn prticipte with either visible event or not be involved t ll, the ltter of which we denote with the symbol ɛ. Combintor rules lso need to indicte the structure of the successor term. In mny instnces, the structure is the sme s the initil one nd so does not hve to be mentioned explicitly in the rules. When the structure does chnge (i.e. processes become switched from on to off or conversely), this is indicted by CSP term in which the vrious rguments of the opertor my pper. In every cse, the successor stte contins the originl rgument if the ltter hs not prticipted in the ction, or the stte tht the rgument hs moved to if it did. Now formlly [Ros11], let P be compound process with top-level opertor, switched-on rguments P 1,..., P n (for some n 0) nd switched-off rguments Q = P λ λ Λ. Hving ny switched-on process rgument P i tht cn go vi to stte P i, the -promotion rule tkes the form: (P 1,..., P i,... P n, Q) (P 1,..., P i,... P n, Q). s this rule holds universlly for ny switched-on rgument of ny CSP opertor, -promotion rules do not need to be dded explicitly to the combintor opertionl semntics s they were in the SOS rules,, \, R,. Rules combining visible events tke the generl form ((x 1,..., x n ), y, T ), where x i Σ {ɛ}, y Σ, nd T is piece of CSP syntx specifying the structure of the successor term. The ide is tht whenever ll P i s tht hve x i ɛ cn perform x i nd go to sttes P i, they cn synchronise to mke the compound process P perform y nd enter stte T. The successor stte T is either Ω, if y =, or is specified by n open CSP term in which the free vribles re indices drwn from {1,..., n} {-λ λ Λ}, which get substituted ccording to the following rules: ˆ For i {1,..., n}, we distinguish different cses. If x i = ɛ or x i Σ, i is replced by P i or P i, respectively. If x i =, i does not pper in the successor term T ny more s P i becomes switched off. ˆ n index -λ for λ Λ indictes tht the process P λ hs become switched on nd is replced by P λ. We list the combintor rules below. In some of them, e.g. Σ \ Σ, R Σ, nd 1 2, the structure of the successor term does not chnge, i.e. the resulting stte is (P 1,..., P n, Q), where P i = P i if x i = ɛ nd P i = P i if x i Σ. In those cses, we omit T from the rules for simplicity. In rules SKIP, nd, there is no switched-on rgument initilly which we indicte by. Ω is nturlly switched off s it represents successful termintion. Hence, Ω nd Ω re viewed s unry opertors. 9

10 (( ),, Ω) (( ),, -1) (SKIP) ( ) (( ),, -1) nd (( ),, -2) ( ) ((, ɛ),, Ω) nd ((ɛ, ),, Ω) ( ) ((, ɛ),, 1) nd ((ɛ, ),, 2) ( Σ ) ((), ) nd (( ),, -2) ( Σ ) (( ),, Ω) (\ ) ((), ) if nd ((), ) if Σ \ (\ Σ ) (( ),, Ω) nd ((), b) when Rb ( R Σ ) ((, ɛ), ) nd ((ɛ, ), ) if Σ \ ((, ), ) if ( Σ1) ( Σ2) ((, ɛ),, Ω 2) nd ((ɛ, ),, 1 Ω) ( 1) ((), ) if Σ \ nd (( ),, SKIP) (Ω, Ω) Supercombintor Opertionl Semntics. Combintor opertionl semntics cptures precisely CSPdefinble opertors [Ros10; Ros11]. However, ctions of compound processes need to be clculted recursively on-the-fly out of the ctions of their subterms. Furthermore, successor sttes re presented s pieces of syntx which does not prove to be efficient when nlysing lrge systems. Supercombintor opertionl semntics is less generl but more efficient version of the combintor opertionl semntics [Ros10]. Supercombintor rules tke the form of combintor ones, but re generlised to combine together ctions of subprocesses nested under n rbitrry number of pplictions of CSP opertors. s there is no combintor rule for recursion, the only constrint is tht ny process rgument should be closed CSP term, i.e. should hve ll the recursion unwound. Bsed on this ssumption, ll process rguments hve combintor semntic rules which cn be composed together to obtin rules for the outermost CSP opertor. Hence, it trnsforms combintion of CSP opertors into single one. Furthermore, this cn be implemented efficiently in single run before the stte-spce explortion phse rther thn on-the-fly when needed using recursive clls. 10

11 We illustrte the pproch by exmple. Let P = 1 ( 2 (P 1, P 2 ), 3 (P 3, P 4 )) nd let us ssume for simplicity tht ll 1, 2 nd 3 hve their two rguments switched on nd their ppliction does not result in successor terms with different structure (formt). Considering the -promotion rules, if 2 or 3 hve rule tht genertes, this gets promoted by 1. For instnce, if 2 hs the rule ((, b), ), then we crete supercombintor rule ((, b, ɛ, ɛ), ) for the compound process 1. The other type of supercombintor rises when we cn mtch ll input requirements of one of 1 s combintors using combintors of 2 nd 3 tht produce visible results. For exmple, if 1, 2 nd 3 hve the rules ((, b), c), ((ɛ, ), ) nd ((b, d), b), respectively, then the composition will hve ((ɛ,, b, d), c). Supercompiling the process of ssociting supercombintor-style opertionl semntics to CSP process, follows hybrid high-/low-level pproch for clcultion nd representtion [Ros10]. It identifies ll true recursions nd compiles them on low level, generting explicit LTS s using the combintor rules. Wht remins for the high level re closed processes combined typiclly using prllel composition, hiding nd renming, lthough the dividing line is somewht more complex nd is drwn where sensible. For exmple, the choice opertors nd sequentil composition cn lso be lifted to the high level s long s their rguments re ll closed terms. The result of supercompiltion is high-level structure which consists of two prts. The first one is process tree with leves low-level compiled LTS s, nd internl nodes CSP opertors compiled on the high level, usully hiding, renming or prllel composition. Ech node, even if internl, represents process nd cn be interpreted s n LTS with its behviours deducible on-the-fly from the behviours of its children. The second prt of the high-level structure is set of supercombintors mpping ctions of number of lef processes to n event-outcome of the composite root process [Ros98]. In wht follows, we use the notions of supercombintors nd rules interchngebly. We note tht the list of lef processes together with the set of supercombintors is complete chrcteristion of the high-level process s the semntics of ll CSP opertors corresponding to the internl nodes in the process tree is cptured by the supercombintor rules. The structured process tree cn be used, though, for mking the whole high-level process completely explicit. The set of combintors is prtitioned with respect to the existing formts the different configurtions of switched on nd switched off lef processes. In the worst cse, the number of formts cn be exponentil in the number of leves, but in prctice this is rrely the cse nd quite often, there is just single formt, especilly when composing processes in prllel on the top level. Within supercombintor, ech process cn prticipte with visible event, silent ction, or not be involved t ll, the ltter of which we gin denote by ɛ. s with combintor rules, the supercompiler genertes two types of rules[ros98; Gol04; RRS + 01]: ˆ rule for lef process willing to perform which promotes ction of the root process, ˆ rules using visible ctions. Note tht the visible ctions tht the lef processes perform need not be the sme if hiding or renming is involved in the combintion being modelled. For exmple, if P = P nd Q = b Q, then if P performs nd Q performs b, P Q /b cn perform, where Q /b is the process Q with the event b being renmed to. Hence, ((, b), ) is vlid rule for the root process P Q /b with leves P nd Q. {} Going bck to our running exmple, fter supercompiling Scheduler \ { b }, we obtin the process tree depicted on Figure 3(). The simple recursive cell processes re compiled s leves nd {} 11

12 \{ b } \{ c } Cell 0 Cell 1 Cell 2 Cell 3 Cell 4 () (b) Figure 3: Opertionl semntics Milner s scheduler their LTS s generted explicitly. The root process contins just single formt with three types of supercombintors: ˆ if Cell(i) nd Cell(i 1) perform c.i 1, Scheduler \ { b } performs ˆ if Cell(i) performs.i, Scheduler \ { b } lso performs.i ˆ if Cell(i) performs b.i, Scheduler \ { b } performs Supercombintor opertionl representtion cn be considered n implicit LTS becuse it gives n initil stte nd sufficient informtion to clculte ll the trnsitions of the system on-the-fly. Given root high-level process, we refer to tuples of the current sttes of its lef processes s configurtions. When running the root process, FDR computes its initil ctions by checking which supercombintors re enbled from the current configurtion nd the current formt of the root. supercombintor might be disbled if not ll lef processes re currently ble to communicte the event tht they re responsible for within the supercombintor. Hence, the opertionl semntics of the root process cn be considered n implicit LTS, whose trnsitions cn be switched on nd off. The sttes re represented by pir of configurtion nd formt of the root. Trnsitions re modelled by supercombintors. For exmple, the supercombintor ((c.1, c.1, ɛ, ɛ, ɛ), ) (see Figure 3(b)) would be enbled iff Cell(0 ) is in its stte s 1 nd Cell(1 ) is in its stte s 0, independent of the current sttes of the other three cells. If this rule is enbled nd the trnsition tken, Cell(0 ) will go to stte s 2, Cell(1 ) will go to stte s 1, the other three cells will not progress nd Scheduler \ { b } will perform. To summrise, supercombintors cn be viewed s implicit stte-spce representtions. They re generted by mimicking the SOS or combintor rules, but yield more compct storge nd more efficient lgorithms. Therefore, FDR is most efficient when mnipulting processes with reltively simple sequentil leves composed in prllel or pplied hiding or renming upon. Of course, highlevel processes cn be explicted, i.e. trnsformed into explicit LTS s, pying potentilly exponentil price. This is quite logicl s expliction breks down the hierrchicl structure of system composed of concurrent processes nd mkes it sequentil Refinement Checking Given two CSP processes Spec nd Impl, the refinement check Spec Impl reduces to checking for reverse continment of possible behviours. For the trces model, Spec T Impl iff trces(impl) 12

13 trces(spec). FDR crries out the refinement check on the level of the LTS representtions OS Spec = S s, s s 0, L s, T s nd OS Impl = S i, s i 0, L i, T i. The lgorithm is similr to the stndrd one for deciding lnguge continment L() L(B) of nondeterministic utomt nd B, which reduces to checking whether L() L(B) = nd requires tht B be determinised priori. In similr fshion, s preprocessing step, FDR normlises OS Spec, so tht OS Spec reches unique stte fter ny trce. The normlistion procedure requires s precondition tht OS Spec be explicted nd therefore Spec sequentilised. Essentilly, the normlistion procedure trnsforms OS Spec into the unique equivlent -free deterministic bisimultion-reduced LTS. We remrk tht ny finite-stte CSP process cn be normlised, lthough potentilly incurring n exponentil blow-up. fter normlising OS Spec, FDR trverses the Crtesin product of OS Spec nd OS Impl in bredth-first mnner, checking for comptibility of mutully-rechble sttes. For the trces model, pir of sttes (s s, s i ) is comptible if initils(s i ) initils(s s ). If the property is violted, the bredth-first mode of serch gurntees tht the counterexmple generted is of miniml length ST-Bsed Model Checking Techniques In this section, we give brief summry of ST-bsed bounded model checking [BCCZ99] nd temporl k-induction [ES03b] Bounded Model Checking Bounded model checking is sound but generlly incomplete technique tht focuses on serching for counterexmples of bounded length only. The underlying ide is to fix bound k nd unwind the implementtion model for k steps, thus considering behviours nd counterexmples of length t most k. In prctice, BMC is conducted itertively by progressively incresing k until one of the following hppens: (1) counterexmple is detected, (2) k reches precomputed threshold clled completeness threshold [CKOS04; CKOS05], which indictes tht the model stisfies the specifiction, or (3) the model checking instnce becomes intrctble. Different notions of completeness threshold exist, minly bsed on the properties of the underlying grph of the system, e.g. dimeter (the longest shortest pth between ny two sttes), recurrence dimeter (the longest simple pth between ny two sttes), forwrd nd bckwrd rdius versions of both, the size of the stte spce, etc. [BCCZ99; CKOS04; CKOS05; BHvMW09]. simple pth is pth long which ll sttes re different nd, in generl, the recurrence dimeter of grph cn be rbitrrily longer thn its dimeter (the sme holding for rdii) if we consider clique of size n, it s dimeter would be 1, while the recurrence dimeter would be n 1. We remrk tht this problem is excerbted when modelling concurrent systems due to the exponentil blow up of the stte spce. It is importnt to note tht without knowing or reching completeness threshold, the BMC procedure is incomplete since we do not know t wht step it is correct to stop iterting nd declre tht the system preserves the desired property. Therefore, BMC is mostly suitble for detecting bugs rther thn for full verifiction, i.e. proving the bsence of bugs. The problem with completeness thresholds is two-fold. On one hnd, clculting the exct completeness threshold cn be s hrd s the model checking problem itself [CKOS05] nd, therefore, sound overpproximtions of it re usully used in prctice. On the other hnd, in some cses those overpproximtions cn be too lrge to hndle efficiently. ST-bsed BMC [BCCZ99] reduces the model checking problem to propositionl stisfibility problem. The ide is to construct t ech step k Boolen formul which is stisfible if nd only if 13

14 there is counterexmple of length k. This formul is fed into ST-solver which decides the model checking problem in question nd produces counterexmple, if ny. Due to the DFS-nture of the ST decision procedure, this technique llows for fst detection of counterexmples. Moreover, due to the itertive nture of the BMC frmework, the counterexmple generted is of miniml length. In the originl syntctic [BCCZ99] nd the subsequent semntic [CKOS04; CKOS05] trnsltion of BMC to ST, the implementtion is modelled by Kripke structure M nd verified ginst specifiction f defined s n LTL formul. The BMC instnce t ech step k is trnslted to Boolen formul ϕ k = M k f k, where M k encodes ll pths of M of length k nd f k represents ll pths of length up to k tht violte f. Figure 4: Encoding pths of length k Generlly, hving Boolen encoding of the stte spce (e.g. binry or one-hot encoding [KB05]), the Kripke structure M cn be represented symboliclly by pir of Boolen functions I(s), T (s, s ) defined s the chrcteristic functions of the set of initil sttes nd the trnsition reltion, respectively. We use s nd s s shorthnd for the vectors of Boolen vribles necessry for encoding sttes of M. We replicte seprte copy of stte vribles s i for ech time step i. Then M k = I(s 0 ) k 1 i=0 T (s i, s i+1 ) (see Figure 4). We illustrte the structure of the entire formul ϕ k with simple exmple in cse f = Gp, where p represents stte predicte with Boolen encoding P : k ϕ k = I(s 0 ) k 1 i=0 T (s i, s i+1 ) i=0 P (s i ) Temporl k-induction Temporl k-induction [SSS00; ES03b] is complete ST-bsed technique for verifying sfety properties. s opposed to BMC, it cn be used lso for estblishing correctness of systems. Given model I(s), T (s, s ) nd sfety property P (s), the method checks if ll rechble sttes of the model preserve P. k-induction builds upon BMC nd is lso conducted itertively, s presented in lgorithm 1. It provides two conditions for termintion in cse the property is not violted k-inductiveness of P for some k N or reching the bckwrd recurrence rdius of the model with respect to P. The property P is k-inductive if it cn be proven tht if P holds long ll pths of the system of length k, then it cnnot be violted on pth of length k + 1. The bckwrd recurrence rdius is the length of the longest simple pth from ny stte to stte violting P nd is vlid completeness threshold. For ech step k, the temporl induction proof consists of two prts bse cse nd n induction step. The bse cse Bse k is similr to BMC instnce we check if, strting from n initil stte, there is pth of length k tht violtes P (see Figure 5). In the bse cse, we ssume tht we hve lredy checked ll bse cses of shorter length nd strengthen the BMC instnce by stting tht P holds long ll initil pths of length up to k 1. If the bse cse is stisfible, we hve found counterexmple. Otherwise, we proceed with the induction step Step k which is designed to prove tht P is k-inductive. The induction step is strengthened nd mde complete by constrint Simple k 14

15 lgorithm 1 Temporl k-induction [ES03b] 1: for k = 0 to do 2: if stisfible(bse k ) then 3: return property violted nd counterexmple trce 4: end if 5: if unstisfible(step k Simple k ) then 6: return property holds 7: end if 8: end for requiring tht ll sttes on the (k +1)-pth be different. Hence, k-induction termintes with positive nswer when reching the bckwrd recurrence r rdius even if the property P hs not mnifested itself s k-inductive for ny k r. ( Bse k = I(s 0 ) 0 i<k (P (s i ) T (s i, s i+1 ))) P (s k ) ( Step k = 0 i<k+1 (P (s i) T (s i, s i+1 ))) P (s k+1 ) Simple k = 0 i<j k (s i s j ) Figure 5: k-induction ingredients [ES03b] We remrk gin tht, in mny cses, the bckwrd rdius of the model the longest shortest pth from ny stte to stte violting P, cn be considerbly smller thn its bckwrd recurrence rdius. However, the trnsltion of shortest pths between two sttes to ST involves plenty of existentil quntifiers nd is mostly suitble to using QBF engine insted of ST solver. s we re deling with sfety properties, we cn lso crry out the k-induction lgorithm bckwrds, strting from sttes tht violte P nd trying to prove tht initil sttes re never rechble. This cn be implemented by redefining Bse k nd Step k s depicted in Figure 6. This lgorithm gurntees termintion upon reching the forwrd recurrence rdius the longest simple pth to ny stte strting from n initil stte. ( Bse k = P (s 0 ) 0 i<k ( I(s i ) T 1 (s i, s i+1 ))) I(s k ) ( Step k = 0 i<k+1 ( I(s i) T 1 (s i, s i+1 ))) I(s k+1 ) Simple k = 0 i<j k (s i s j ) Figure 6: Bckwrd k-induction ingredients 3. Bounded Trce Refinement Frmework In this section, we present our itertive bounded refinement checking lgorithm. Our pproch for estblishing trce refinement is bsed on wtchdog trnsformtions [RGM + 03]. Our objective is the following. We re given two CSP processes Spec nd Impl nd n integer k. We im t checking whether Spec k T Impl, i.e. whether ll executions of the implementtion of length t most k gree with the specifiction. Similrly to BMC nd k-induction, we crry out the nlysis on the level of the 15

16 opertionl representtion of Spec nd Impl. We point out tht executions of length k cn correspond to trces of smller length if hving ctions entngled within, s defined in Section Chllenges s the LTS s underlying the opertionl semntics of processes re event-bsed models, we need to lso hndle events in our encoding. Let OS Spec = I s (s), T s (s, l, s ) nd OS Impl = I i (t), T i (t, l, t ) be the models of Spec nd Impl, respectively. t first glnce, the most nturl pproch for encoding bounded execution refinement would be to try to directly mirror the originl trnsltion of BMC to ST. We would need to similrly construct the Boolen formul ϕ k s conjunction of two formule to model ll executions of Impl of length k tht re not executions of Spec ϕ k = OS Impl k OS Spec k. Hence, we would be looking for n instntition of the vectors of Boolen vribles l 1,..., l k, such tht OS Impl k = I i (t 0 ) k 1 i=0 T i (t i, l i, t i+1 ) is stisfible nd OS Spec k = I s (s 0 ) k 1 i=0 T s (s i, l i, s i+1 ) is not. Due to the implicit universl quntifiction of s 0,..., s k in the unstisfibility check of OS Spec k, this nlysis is mostly suitble to QBF engine. Using ST-solver in this cse would men tht we would need to extinguish ll possible stisfying ssignment of l 1,..., l k in OS Impl k nd to prove the unstisfibility of OS Spec k over ech one of them. Furthermore, invisible ctions cn be rbitrrily interleved in the executions of Impl nd, therefore, syntcticlly different executions cn produce semnticlly equivlent trces. This cn led to reporting spurious counterexmples. To illustrte this, consider the executions,,, b,, c of Impl nd, b, c of Spec s depicted on Figure 7(b). Even though they correspond to the sme trce, b, c, they do not mtch pointwise nd,,, b,, c would be flsely reported s violtion of Spec. However, bookkeeping the possible sequences of -s stuttered in between visible events does not seem to be trivil nd computtionlly justifible on the level of Boolen functions. () (b) Figure 7: ctions in bounded trce refinement 3.2. The Wtchdog pproch s explined in Section 2.1.6, FDR performs the refinement check by normlising the specifiction nd looking for the existence of behviours tht the implementtion llows nd the specifiction does not. s n lterntive, the wtchdog pproch [RGM + 03; Ros10] reduces the refinement check to nlysing single process constructed by composing the implementtion in prllel with trnsformed specifiction process. The ltter plys the role of wtchdog tht monitors the implementtion nd flgs ny behviours tht re considered violting with respect to the specifiction. 16

17 In our settings, using wtchdog trnsformtions llows us to ctully reduce bounded execution continment to bounded rechbility which is lredy menble to ST. The wtchdog trnsformtion phse is performed by mens of FDR Preprocessing Phse Using FDR Our implementtion is intended s n lterntive bck-end for FDR, orthogonl to the stndrd explicit method of performing trce refinement. Currently, we use shred librry version of FDR for mnipulting CSP processes nd we mimic FDR up to the point of the finl stte-spce explortion phse. Therefore, SymFDR reuses FDR s compiler nd supercompiler nd the dt structures underlying the hybrid two-level opertionl representtion of processes, consisting of process tree nd set of supercombintors, s defined in Section t present, we use FDR to supercompile nd normlise Spec nd to retrieve OS Spec representing the opertionl semntics of Spec. Without loss of generlity, we ssume tht the implementtion Impl comprises the interction of c sequentil processes P 1,..., P c running in prllel, possibly using hiding, renming or other CSP opertors other thn recursion. We write Impl = P 1 P 2... P c to ctully denote high-level process Impl with lef processes P 1,..., P c, s defined in Section This form of representing concurrent systems fter supercompiltion is of no limittion nd, s mentioned in Section 2.1.1, we cn hndle the entire CSP M syntx nd functionlity prt from the function chse. We use FDR to supercompile Impl nd to retrieve both the set of supercombintors nd the set {OS Pi i {1,..., c}} Wtchdog Bounded Refinement-Checking lgorithm In nutshell, the min steps of our lgorithm re the following: 1. We trnsform Spec into process Wtchdog which llows the behviours of both Spec nd Impl nd, in fct, mny others, but mrks those tht do not conform to Spec. The trnsformtion is crried out on the level of the LTS nd not on the higher CSP description of Spec. It is most esily defined if the specifiction process is normlised so tht it reches unique stte fter following ny trce. The LTS of Wtchdog is then obtined s n extension of OS Spec we dd fresh stte sink nd mke OS Spec totl with respect to the lphbet α Spec α Impl by directing ll non-existing trnsitions to sink. Formlly, hving OS Spec = S s, s s 0, T s, L s = α Spec, OS Wtchdog = S w = S s {sink}, s s 0, T w, L w = α Spec α Impl, where the trnsition reltion T w is defined s follows: T w = T s {(sink, l, sink) l α Spec α Impl } {(s, l, sink) s S s, l α Spec α Impl, s l } The resulting process Wtchdog opertionlly psses through sink whenever executing trce tht is not llowed by Spec. 2. We construct process Refinement = Wtchdog Impl = α Impl α Spec Wtchdog α Impl α Spec (P 1 P 2... P c ). Refinement cptures precisely the behviours of Impl, but those behviours tht do not conform to Spec force Wtchdog to brk, i.e. pss through its sink stte. Hence, Refinement cn be used s n indictor whether Impl cn behve in wy incomptible with Spec. Wtchdog becomes just one of the sequentil lef processes of Refinement. It is evident then tht: 17

18 () Spec T Impl Wtchdog never reches its sink stte in ny execution of Refinement. (b) ll executions of Refinement forcing Wtchdog to pss through its sink stte constitute vlid counterexmples of the ssertion Spec T Impl. 3. We check whether Wtchdog cn rech its sink stte within k steps of the execution of Refinement. 4. Boolen Encoding of CSP Processes In this section we present our encoding of CSP processes into Boolen formule. First, we show how to encode sequentil or explicted processes, corresponding to lef processes in the opertionl representtion. Then, we show how to glue together sequentil processes with supercombintors to obtin n encoding of high-level process. In wht follows, we cll high-level process concurrent system. For illustrting the Boolen encoding in this section, we use the following nottion. X (Vrs) denotes the Boolen encoding of X with respect to the vector(s) of Boolen vribles Vrs. Generlly, to encode finite set of elements S, we use n injective mpping enc S : S {0, 1} m to ssocite ech element s S with unique bit vector b = (b 1,..., b m ) of certin size m. To represent elements of S s Boolen functions, we introduce n ordered vector of m distinct Boolen vribles x = (x 1,..., x m ). Ech vrible x i uniquely identifies the corresponding bit b i nd for ech s S, s (x) x=b = 1 iff enc S (s) = b. Typiclly, binry or one-hot [KB05] encoding of sets re used in prctice. The bsic ide behind binry encoding is to enumerte the elements of S in binry nottion nd represent them s Boolen functions over m = log 2 S Boolen vribles. In one-hot encoding, ech s S is represented by bit vector of size S in which precisely one bit is set to 1. To illustrte the two encodings, let us consider the set S = {s 0, s 1, s 2, s 3 }. If we consider the binry encoding s 0 = (00), s 1 = (01), s 2 = (10), s 3 = (11), vector of just two vribles x = (x 0, x 1 ) suffices nd s 1 (x) = x 0 x 1, for exmple. For the one-hot encoding s 0 = (1000), s 1 = (0100), s 2 = (0010), s 3 = (0001), we need vector x = (x 0, x 1, x 2, x 3 ) of four vribles nd s 1 (x) = x 0 x 1 x 2 x 3. lterntively, we cn use s 1 (x) = x 1, but in this cse we need to dd globl constrints enforcing tht precisely one bit is set to true t given time instnce. Those constrints cn be expressed by formul of size liner in S Encoding Sequentil Process s explined in Section 3.3, for ech sequentil lef process P, we obtin the explicit opertionl representtion of P using FDR. Let OS P = S, s 0, L = Σ,, T be the LTS ssocited with the finite-stte lef process P communicting over finite lphbet of events Σ. Using either binry or one-hot encoding of sets, we introduce vectors of Boolen vribles x nd y for encoding the set of sttes S nd the set of lbels L, respectively. We define I (x) = s 0 (x). In order to represent the trnsition reltion T, we employ copy x of x. x serves to represent the source sttes of trnsitions nd x the destintion sttes. Then, for t = (s src, l, s dest ) T, t (x, y, x ) = s src (x) l (y) s dest (x ). For ny s S, we write s (x ) to denote s (x)[x x], i.e. we represent s with respect to the vribles x nd then substitute the vribles x with x. The encoding of the entire trnsition reltion is the following: T (x, y, x ) = t T t (x, y, x ). We cn now represent sequentil process P implicitly by pir of Boolen functions T P (x, y, x ), I P (x). For given integer k, we define Pths(P, k) to be the set of ll executions s 0 l 1 s 1 l 2... l k s k of OS P of length k. In order to represent Pths(P, k) symboliclly, we replicte (k + 1) vectors of Boolen vribles x 0, x 1... x k for encoding the sttes s 0, s 1,..., s k nd k vectors of Boolen vribles 18