Abstraction and Compositional Verification Techniques for Asynchronously Communicating Components Marjan Sirjani Tehran University, IPM FMCO’06 Amsterdam 7-10 November 2006

M. Sirjani, FMCO'062 A joint work with Ali Movaghar Frank de Boer Acknowledgements to Michael Huth Mohammad Reza Mousavi Rebeca Group at Tehran and Sharif Universities

M. Sirjani, FMCO'063 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

M. Sirjani, FMCO'064 Motivation Establishing a formal verification method, easy to use for practitioners, for developing reliable systems in concurrent and distributed applications. Formal verification method: Modeling language + Verification mechanism

M. Sirjani, FMCO'065 The Idea Actor-based modeling language, plus component notion, and formal verification support. Asynchronous message passing in actor-based modeling  makes the verification problem difficult Inherent modularity and encapsulation  provide some solutions: abstraction and modular verification

M. Sirjani, FMCO'066 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

M. Sirjani, FMCO'067 Actor A reference model for concurrent computation Consisting of concurrent, distributed active objects Proposed by Hewitt as an agent-based language (MIT, 1971) Developed by Agha as a concurrent object- based language (Illinois, since 1984)

M. Sirjani, FMCO'068 Rebeca Reactive object language An operational interpretation of actor language Formal semantics Abstraction and Compositional verification approach Model checking tool Introduced by Sirjani and Movaghar, 2001

M. Sirjani, FMCO'069 Key Features of Rebeca Actor-based computational model Units of concurrency and distribution: Reactive objects Simple and natural Objects are threads. Formal semantics Labeled transition system A solid basis for verification

M. Sirjani, FMCO'0610 Key Features … Asynchronous communication Increases the decoupling Buffers lead to state space explosion in model checking Abstraction and compositional verification approaches Reduce the state space Exploite the actor-based semantics to abstract the model Preserving a set of behavioral specifications in temporal logic

M. Sirjani, FMCO'0611 Other Features Object-based language, Java like syntax Encapsulation of data and process, no shared variable Easy to use by software engineers Tool supported Model checking Rebeca code using back-end model checkers Automated abstraction and compositional verification Symmetry and static Partial order reduction

M. Sirjani, FMCO'0612 Added Feature Grouping a set of reactive objects as an open component Allow a set of more tightly coupled objects to be grouped as a component A higher level of abstraction in software design Considering a strategy to keep the verification theory sound

SMV Promela (NuSMV) (Spin) Back-End Model Checkers Compositional Verification Decomposing the model into components Composing the model from re-usable components Rebeca Language Actor-based Properties Closed model Components Rebeca Verifier Tools Abstraction Modere Rebeca Direct Model Checker Partial order reduction - Symmetry

M. Sirjani, FMCO'0614 Rebeca Model Communication: Asynchronous message passing Unbounded message queue for each rebec No explicit receive Computation: Take a message from top of the queue and execute it Event-driven

M. Sirjani, FMCO'0615 In the execution of a message server, a rebec may Execute an assignment Evaluate a condition Send a message The messages are asynchronous No-way blocking (sender, receiver) No explicit receive, arrives in the message queue of the receiver

M. Sirjani, FMCO'0616 Dynamic Behavior Dynamic topology Dynamic rebec creation (runtime) (not considered in compositional verification)

M. Sirjani, FMCO'0617 Operational Semantics The state of a rebec, is the valuation of state variables, and the unbounded buffer (queue) for incoming messages. The state of the system, is the product of local object states A state transition: an atomic execution of a method off the top of the rebec’s queue.

M. Sirjani, FMCO'0618 An Example: Bridge Controller There is a two-way bridge. Trains may arrive at each side. At the same time two trains should not be on the bridge. There are green/red lights on each side. A train goes on the bridge if the light is green.

Train1 Bridge Controller Train2 Arrive YouMayPass Arrive YouMayPass Leave passed

Example: Rebeca code reactiveclass Train { knownobjects {BridgeController controller;} statevars{ … } msgsrv … … } reactiveclass BridgeController { knownobjects{Train t1; Train t2;} statevars{ … } msgsrv … … } main { BridgeController theController (t1, t2); Train t1 (theController); Train t2 (theController); }

Trains reactiveclass Train(3) { knownobjects … statevars { boolean onTheBridge; } msgsrv initial() { onTheBridge = false; self. ReachBridge(); } msgsrv YouMayPass(){ onTheBridge = true; self.Passed(); } msgsrv Passed(){ onTheBridge = false; controller.Leave(); self.ReachBridge(); } msgsrv ReachBridge(){ controller.Arrive(); }

Bridge Controller reactiveclass BridgeController(3) { knownobjects … statevars { boolean isWaiting1; boolean isWaiting2; boolean signal1; boolean signal2; } msgsrv initial() { signal1 = false;/* red */ signal2 = false;/* red */ isWaiting1 = false; isWaiting2 = false; } msgsrv Arrive(){ … } msgsrv Leave(){ … }

M. Sirjani, FMCO'0623 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

M. Sirjani, FMCO'0624 Formal Verification Two general approaches Model checking: Algorithmic verification Theorem proving: Deductive verification

M. Sirjani, FMCO'0625 Model Checking of Real Systems State explosion problem Solution: Modularity Abstraction

M. Sirjani, FMCO'0626 Compositional Verification 1. proving properties of components (as open systems in an arbitrary environment) by model checking, and 2. deducing the whole system’s property from the properties of its components. C |= P C’ |= Q P  Q  R C || C’ |= R

M. Sirjani, FMCO'0627  Useful if the model is inherently modular.  Environment Problem. Note: We need assume-guarantee reasoning. We only consider LTL and ACTL properties.

M. Sirjani, FMCO'0628 Inherent Modularity in Rebeca Rebecs are inherently Independent, decoupled, encapsulated Because of Asynchronous message passing no explicit receive statement no shared variables => Leads to natural modularity and abstraction techniques

M. Sirjani, FMCO'0629 Rebeca verification approach Exploit the inherent modularity and encapsulation of the model to apply Compositional verification Property preserving abstraction Can be used for any system based on asynchronous message passing and actor-based computation.

M. Sirjani, FMCO'0630 Compositional verification details … Decompose a model into components, verify some specific properties for these components, and then deduce the system’s property from the properties of its components. This deduction is sound, due to the weak simulation relation. (between a component in a model and its parallel composition with another arbitrary component in the same model.)

M. Sirjani, FMCO'0631 Decompose a model into components: Model the environment as incoming messages (external messages): M={C,E c } Abstracting the environment from its concrete behavior (state variables). Abstract the queue from external messages: C a

Decomposing a system into components: Internal messages: coming from internal rebecs External messages: coming from external rebecs.

M. Sirjani, FMCO'0633 Semantics of a Component Values for all variables of all internal rebecs. A multi-queue: one message-queue for each internal rebec. A set of external messages always present. Properties: based on rebecs’ state variables.

M. Sirjani, FMCO'0634 The Environment: Automatic Generation The Environment of a component C: E C sending all the possible messages to C Nondeterministically Unboundedly E C can be automatically derived from the system. No state variable Servicing no messages Just sending messages to C The composition of C and E C makes a closed model M=(C, E C ).

Bridge Controller Example Train1 Bridge Controller Arrive YouMayPass Arrive YouMayPass Leave passed Receiving ‘Arrive’ or ‘Leave’ from the environment, arbitrarily (not blocking the component).

Bridge Controller Example

M. Sirjani, FMCO'0637 Abstracting the Message Queue No external messages (messages coming from E C ) in the Queue External messages are assumed to be always present and are modeled by transitions of C a.

M. Sirjani, FMCO'0638 Bridge Controller Example Train as a component

s0s0 s3s3 s2s2 s1s1 sksk... External messages Internal messages e1 e2 e3 i1 e1e2e3 … i1 slsl i2 Multi-queue Constant set States and Transition

Formally speaking: Let ∑(M) be the transition system of M={C,E c } ∑(C a ) be the transition system generated by the transition relation considering queue abstraction ∑(M’) be the transition system of any model M’ containing C We have the following weak simulation relations: ∑(C a ) weakly simulates ∑(M) (Queue Abstraction) ∑(M) weakly simulates ∑(M’) (Component Composition)

We have the following weak simulation relations: ∑(C a ) ≤ ∑(M) (Queue Abstraction) ∑(M) ≤ ∑(M’) (Component Composition) And the property preservation theorem Safety properties (LTL-X, ACTL-X) are preserved due to weak simulation. Hence ∑(C a ) |= φ → ∑(M) |= φ, for M={C,E c } ∑(M) |= φ → ∑(M’) |= φ, for an arbitrary model M’ containing C.

M. Sirjani, FMCO'0642 Summary Having a model M, and a component C (a sub-model of M), we can derive the environment E C for C. For every safety property, specified by LTL-X or ACTL-X formula, with atomic propositions on variables in C, C a |= P implies C||C’||E C||C’ |= P

M. Sirjani, FMCO'0643 Abstraction Techniques: Summary Abstracting environment as external messages Bounded queues Abstracting external messages Queue length in model checking Check overflow, supported by tool Course grained interleaving Method execution as a transition (Atomic method execution) Conventional data abstractions

M. Sirjani, FMCO'0644 One more point: Symmetry Reduction Techniques We may use symmetry for state space reduction Like in dining philosophers (Ring-like topologies) The permutation relation shall preserve both rebec types and known-rebec relation.

Dining Philosophers Component C1 Component C5 Component C2 Component C3 Component C4  (  i=0,n ¬(phil i.fr  phil i+1.fl))

External message from the right fork of philosopher 0 External message from the left fork of philosopher 1 Component C1 Component C1: phil0 || fork0 || phil1 Property:  ( ¬(phil 0.fr  phil 1.fl))

M. Sirjani, FMCO'0647 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

M. Sirjani, FMCO'0648 What we had: decomposing a model for verification purposes in a top-down manner. What we added: notion of components re-usable parts fixed proven specifications build a system in bottom-up fashion.

M. Sirjani, FMCO'0649 Introducing Components Introducing components for modeling purposes, As an additional higher level of abstraction in modeling Enriching the model of computation

M. Sirjani, FMCO'0650 Components Components are sets of reactive objects Components interact via broadcasting asynchronous anonymous messages => No need to put a name for a component. No need to know the names of the rebecs inside a component (for communication). Just know the service you want.

M. Sirjani, FMCO'0651 In Extended Rebeca Rebecs within a component can be synchronized by handshaking communication mechanism. Components encapsulate tightly coupled reactive objects. Like in Globally Asynchronous Locally Synchronous Systems (GALS)

Extended Rebeca Components in Extended Rebeca

M. Sirjani, FMCO'0653 Asynchronous anonymous broadcasting (between components) Dispatching the message arrived in a component Internal broadcast to all Nondeterministic choice of one rebec (is selected to keep queue abstraction possible)

left-Controllerright-Controller Train1Train2

Extended Rebeca code: the controller reactiveclass leftController() { knownobjects { rightController right;} provided { Arrive; } required { YouMayPass; } statevars { int trainsin; } msgsrv initial() { trainsin = 0; } msgsrv Arrive (int TrainNr) { YouMayPass(TrainNr); trainsin = trainsin + 1; receive(passed); } reactiveclass rightController() { knownobjects { leftController left;} provided {Leave; } required { } statevars { int trainsout; } msgsrv initial() { trainsout = 0; } msgsrv Leave () { trainsout = trainsout + 1; left.passed( ); }

Extended Rebeca code: trains reactiveclass Train() { knownobjects {} provided { YouMayPass; } required { Arrive; Leave; } statevars { boolean OnTheBridge; } msgsrv initial(int MyTrainNr) { self.ReachBridge(); OnTheBridge = false; } msgsrv YouMayPass(int TrainNr) { if (TrainNr == MyTrainNr) { self.GoOnTheBridge(); OnTheBridge = true; } msgsrv GoOnTheBridge() { Leave(); OnTheBridge = false; self.ReachBridge(); } msgsrv ReachBridge() { Arrive(MyTrainNr); }

Extended Rebeca code: instantiating rebecs and declaring components main { Train train1(1); Train train2(2); leftController theLeftCtrl(theRightCtrl); rightController theRightCtrl(theLeftCtrl); Components: {train1}; {train2}; {theLeftCtrl, theRightCtrl}; }

M. Sirjani, FMCO'0658 Modular verification: the same approach Environment of a component Queue Abstraction Weak Simulation Property Preservation

M. Sirjani, FMCO'0659 Subtleties for queue abstraction: Initial state Internal dispatching of message

M. Sirjani, FMCO'0660 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

M. Sirjani, FMCO'0661 Rebeca Verifier Tool Enter a model in Rebeca, Translate it into SMV (or Promela), Specify properties at Rebeca source code level (based on state variables), Translate the properties to NuSMV (or Spin) format, Model check using NuSMV (or Spin).

M. Sirjani, FMCO'0662 Or Choose a component and then the same scenario … (compositional verification) By Amin Shali, Mahdi Jaghoori and Hamed Iravanchi,

M. Sirjani, FMCO'0663 Modere: Rebeca Model Checker Engine Direct model Checking of Rebeca Symmetry and Partial Order Reduction By Mahdi Jaghoori,

Automated Modular Verification

M. Sirjani, FMCO'0669 Case studies Network and Security Protocols CSMA/CD protocol Mitnick and Needham Schroeder attacks Perlman algorithm Security Sub-layer in IEEE Hardware/Software Co-designs A pipeline CPU design Examples in TLM library of SystemC

M. Sirjani, FMCO'0670 A Real Case Study: ACM Module in SystemC SystemC code specification: 1 module 14 sc_methods 31 Signals (all shared) 18 sc_logic 13 variable size unsigned-int 5 shared variables Total states: 2^165 The code

M. Sirjani, FMCO'0671 ACM in Rebeca Stages of modeling the system: Modeling: 14 rebecs for 14 methods with their own variables Optimization: reducing number of rebecs Abstraction: removing insignificant data Compositional verification: model checking the units involved in the given properties

M. Sirjani, FMCO'0672 ACM: Model Checking Compositional verification for memory unit: 1 rebec Queue length: one A total of approximately 2^18 states Model checking results: Stored states: 3276 Memory used: KB Time: less than 1 minute

M. Sirjani, FMCO'0673 ACM: Properties Memory read and write signals can never be active at the same time [] ( (flag_start_mem_read == 1)  (flag_start_mem_write == 0) ) violated in certain situations The code Read and write signals to HDLC unit can never be active at the same time [] ( (flag_start_hdlc_read == 1)  (flag_start_hdlc_write == 0) ) violated in certain situations The code When the system starts to save an announce it starts the saving process from the first bit [] ( (flag_save == 0) && (EX(flag_save == 1))  (EX counter == 0) ) Satisfied The code

M. Sirjani, FMCO'0674 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

M. Sirjani, FMCO'0675 Conclusion Proposing an actor-based language Defining its Formal Semantics Using a Java–based syntax Abstraction and compositional verification approaches using the formal semantics and exploiting the encapsulation and inherent modularity of the model Developing a tool Modeling case studies

M. Sirjani, FMCO'0676 Generalizing the verification theorem for a component-based actor language

M. Sirjani, FMCO'0677 Outline Motivation Actor-based Language Rebeca Compositional Verification of Rebeca Introducing Components Supporting Tools Conclusion Future Work

Related, Ongoing and Future Work Theory Symmetry in Rebeca Queue abstractions Dynamic features in verification Coordinating rebecs Tool Direct model checking Partial order reduction Rebeca to mCRL to use its model checker SystemC to Rebeca Application Network and security protocols Hardware/software co-design Web services

M. Sirjani, FMCO'0679 Questions?

Rebec Is a bowed string musical instrument, developed from the Persian instrument, the rabab.rabab Like all good medieval things, the rebec's origins can be traced to the middle east. Around the middle to the end of the ninth century AD, there are several discussions of an instrument called a rabab in Persia …

CCS SMV Java C Modeling languages RML I/O Automata Actor model CSP Promela Mocha FDR NuSMV Spin Java PathFinder Bandera SLAM Abstract Mathematical Too heavy Informal Verification Techniques: Deduction Model checking Programming languages Petri net needs high expertise causes state explosion Where are we standing?