ProB and XTL: Model checkers for B and DSSLs
Michael Leuschel
University of Southampton
ProB: Why?
- Animate a B-specification: no need for the user to guess parameters
- Verify a B-specification: temporal & state-based model checking; test-case generation & synchronisation with the implementation
- Benefits: gain confidence in specifications; detect bugs before attempting formal proofs; check the final implementation against the spec; learn how B works
ProB: Internals
(Architecture diagram) B Machine; Tatibouet's Parser (Java); XML Encoding; Prolog Encoding; Parser & Specialiser; B-Interpreter (b_execute_statement, b_evaluate_expression, …); CLPB-Kernel (subset_of, partial_function, add, …)
Everything except Tatibouet's parser: in SICStus Prolog
Temporal vs State-Based MC
- Temporal: start from the initial state; find a sequence of operations that leads to an error. Examples: Spin, SMV, …
- Model/State Based: no concept of initial state; find a valid state (satisfies the invariant) such that applying a single operation leads to an error. Example: Alloy
ProB: A Demo
- Animation
- Temporal Model Checking
- State-Based Model Checking
- Visualization
- Linking with Java implementation
And now for something different: XTL
- Written in XSB-Prolog
- Exhaustive, finite state model checker for CTL specifications
- Systems represented in XSB-Prolog (e.g., interpreters!)
Ok, but why YAP (Yet Another Prolog)?
Prolog: The Base
- XSB Prolog: free, reasonable support; attributed variables; tabling; Java via InterProlog, bad support
- SICStus Prolog: commercial, academic site-license, good support; co-routining, CLP(FD), CLP(Q&R), CLP(B); no tabling; good Java (Jasper) + Tcl/Tk interface
- Ciao Prolog: free, GPL, access to developers (ASAP); co-routining, CLP(Q&R), waiting for CLP(FD); no tabling; unidirectional Tcl/Tk, low-level Java, Emacs
- PDA-version: in the works / "planned"
Other players: Mercury (.Net), SWI-Prolog, Yap, IF-Prolog
Tabling: what's all the fuss?
- What it does for you: loop checking; answer propagation
- Program at a higher level & speed! XSB can be used as a deductive database; useful for parsing; useful for verification

  :- table p/0.
  q :- p.
  p :- p.
  r :- not q.

  :- table path/3.
  path(X,X,[]).
  path(X,Y,[X|T]) :- arc(X,Z), path(Z,Y,T).
  arc(a,b). arc(b,a).

  :- table model_check/1, model_check/2.
  model_check(S) :- prop(S,unsafe).
  model_check(S) :- trans(_,S,NS), model_check(NS).
  model_check(S,[]) :- prop(S,unsafe).
  model_check(S,[A|T]) :- trans(A,S,NS), model_check(NS,T).
Tabling II
- Loop checking can be easily done in Prolog: e.g., assert/retract
- But: no answer propagation, and speed suffers! (benchmarked using CSM from Babylon)

  :- dynamic tabled/1.
  check_table(X) :- (tabled(X) -> fail ; assert(tabled(X))).
  model_check(S) :- prop(S,unsafe).
  model_check(S) :- trans(_,S,NS), check_table(NS), model_check(NS).
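The tabled model_check/1,2 from the slides run on a small constructed system, as an added example that is not part of the talk: the two-process protocol, the state encoding st/4 and the trans/3 and prop/2 clauses are our own construction, written for XSB Prolog.

```prolog
% XSB Prolog. Added example, not from the talk: the tabled model_check/1,2
% of the slides applied to a small constructed system. The protocol, the
% state encoding st/4 and the trans/3 and prop/2 clauses are our own.
:- table model_check/1, model_check/2.

% State st(Flag1, Flag2, Pc1, Pc2); a Pc is idle, want, ready or crit.
initial(st(0,0,idle,idle)).

% Two processes guarding a critical section with a flag each. The bug is
% deliberate: testing the other flag (check) and raising the own flag (set)
% are separate steps, so both processes can pass the test at once.
trans(want(1),  st(F1,F2,idle,P2), st(F1,F2,want,P2)).
trans(want(2),  st(F1,F2,P1,idle), st(F1,F2,P1,want)).
trans(check(1), st(F1,0,want,P2),  st(F1,0,ready,P2)).   % other flag down
trans(check(2), st(0,F2,P1,want),  st(0,F2,P1,ready)).
trans(set(1),   st(_,F2,ready,P2), st(1,F2,crit,P2)).    % raise own flag
trans(set(2),   st(F1,_,P1,ready), st(F1,1,P1,crit)).
trans(exit(1),  st(_,F2,crit,P2),  st(0,F2,idle,P2)).
trans(exit(2),  st(F1,_,P1,crit),  st(F1,0,P1,idle)).

% Mutual exclusion violated: both processes in the critical section.
prop(st(_,_,crit,crit), unsafe).

% The slides' checker. The system has cycles (want, check, set, exit),
% so without the table directive the second clause of model_check/1 would
% recurse forever; tabling recognises the repeated subgoal and completes it.
model_check(S) :- prop(S,unsafe).
model_check(S) :- trans(_,S,NS), model_check(NS).

model_check(S,[])    :- prop(S,unsafe).
model_check(S,[A|T]) :- trans(A,S,NS), model_check(NS,T).

% ?- unsafe_reachable.        succeeds: mutual exclusion can be broken.
% ?- counterexample(Trace).   traces are unbounded on a cyclic system, so
%    take the first answer; one trace it can return is
%    [want(1),want(2),check(1),check(2),set(1),set(2)]
unsafe_reachable :- initial(S), model_check(S).
counterexample(Trace) :- initial(S), model_check(S,Trace).
```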
Tabling vs Assert - Bench
(Chart: running time versus k for ID-15, SICS-assert, Ciao-assert and XSB, drawn once on a linear scale (0-300) and once on a log scale (0.001-1000); the XSB and SICStus data points are listed below.)

  k    XSB (s)    states    SICStus-assert (s)
  2     0.0000        76      0.010
  4     0.0090       340      0.260
  8     0.1190      1956     11.250
  16    1.0810     13124    772.500
  24    4.5800     41700
  32   10.0690     95876
Summary of our Tools
(Diagram; Prolog systems: SICStus Prolog, XSB Prolog, Ciao Prolog)
- XTL: finite state model checker for any system encoded in XSB Prolog
- ECCE: online specialiser for pure Prolog; can do infinite state MC
- LOGEN: fast offline specialiser & compiler generator for Prolog
- ProB: model checker & animator for B
- StAC
XTL
- Model checker for finite state systems
- Written in XSB-Prolog
- Pure & simple: can be analysed and specialised by other systems
- Generic: can handle any system described in (XSB-)Prolog. Ex: writing an interpreter for StAC in XSB is much easier than writing a compiler to Promela!
- Efficient despite flexibility!
One Benchmark: CSM (from Babylon)
Systems compared: Spin (w/o compilation time, w/o time to find search depth); XTL on XSB 2.4 and on XSB 2.5; FDR (livelock testing, refinement). Machine: G4 667 MHz, 500 MB. *** = out of memory.

  k = 2     0.10     0.17     0.03     0.01     0.01
  4         0.25     0.28     0.03     0.02     0.03
  8         1.80     2.17     0.12     0.15     0.23
  16       35.64    35.04     0.91     1.27     2.21
  24        ***      ***      3.48    32.04     8.82
  32        -        -        9.21   220.36    24.18
  40        -        -       20.80   746.85     ***
  48        -        -        ***      ***      -
Future Work
- Full scale application of XTL to StAC
- Integrate Logen into ProB & XTL
- Extend ProB to handle more of B, check refinement
- Apply XTL to Proforma, <insert your favourite language here>, …
- Apply XTL to the ProB interpreter
- Apply ECCE for infinite state MC