Content uploaded by Nabil Belala
Author content
All content in this area was uploaded by Nabil Belala on Nov 08, 2016
Content may be subject to copyright.
FOCOVE: Formal Concurrency Verification
Environment for Complex Systems
Djamel Eddine Saïdouni*. Adel Benamira*. Nabil Belala* and Farid Arfi*
*LIRE Laboratory, University of Mentouri, 25000 Constantine, Algeria
(e-mail: saidounid@hotmail.com, a.benamira@yahoo.fr, nbelala@gmail.com, arfi_f@hotmail.com)
Abstract: This paper presents a tool to exploit a true concurrency model, namely the Maximality-based
Labeled Transitions Systems. We show the use of this model in model checking technique. Three
techniques are implemented in order to solve the state space combinatorial explosion problem: the
reduction modulo -equivalence relation, the joint use of covering steps and maximality semantics, and
the maximality-based symbolic representation.
Keywords: Maximality semantics, Partial order semantics, Maximality-based symbolic representation,
Model checking, LOTOS specification language.
1. INTRODUCTION
OCOVE (for Formal Concurrency Verification
Environment) is an integrated environment designed to
edit Basic LOTOS [3] behavior expressions which describe
reactive systems and to generate and analyze Maximality-
based Labeled Transitions Systems structures (MLTS) [11].
FOCOVE offers various implementations of some true-
concurrency based techniques: maximality-based model
checking [14], maximality-based symbolic representation,
reduction modulo equivalence relation [11] and partial order
semantics [2,7,8,16].
The paper is organized as follows. Section 2 introduces
maximality-based model checking technique for complex and
reactive systems formal verification. -equivalence relation,
partial order technique and maximality-based symbolic
representation are presented respectively in sections 3, 4 and
5. Some FOCOVE screenshots are given in Section 6. The
paper is enclosed by appendix recalls some definitions related
to the maximality-based semantics of Basic LOTOS as
presented in [6,11].
2. MAXIMALITY-BASED MODEL CHECKING
Formal verification approach supported by FOCOVE is
based on models. In this approach, the application to be
verified firstly specified by means of the formal description
technique Basic LOTOS [3]. This specification will be
translated in an operational way towards an underlying model
represented by a graph called Maximality-based Labeled
Transition System (MLTS) [11]. The expected properties of
the system are written in Computation Tree Logic CTL [5]
logic and they are verified by means of the model checking
approach.
In spite of temporal logics facilitate the specification of
systems to be verified, model checking approach is limited by
the state graph combinatorial explosion problem, particularly
when the specification model underlying semantics is the
interleaving one. Such semantic is characterized, on one hand
by the action temporal and structural atomicity hypothesis
and on the other hand by the interpretation of parallel
execution of two actions as their interleaving executions in
time. To escape the action atomicity hypothesis imposed by
interleaving semantics, new semantics, said true concurrency
semantics, were defined. Among these semantics, we can
quote a variant of the maximality semantics [6,11]; its
principle consists in using the dependence relations between
actions occurrences and by associating to every state of the
system the actions, which are potentially in execution.
In [14], is has been shown that model checking algorithms
proposed in the literature, which are based on interleaving
semantics, may be adapted easily to true concurrency
semantics for the verification of new properties classes
related to simultaneous progress of actions at different states.
This was mainly led by the presence of maximality
information in states and transitions. In particular, this
information makes easy writing atomic propositions
expressing properties to be verified. A particular attention
was concerned the natural and intuitive reading of these
properties.
3. REDUCTION MODULO
-EQUIVALENCE
RELATION
The -equivalence relation [11] is purposed to put in
correspondence MLTSs describing the same behavior of
which the only difference resides in the choice of event
names.
For example, both MLTSs of Fig. 1 describe the same
behavior, i.e. the parallel (or true-concurrent) execution of
actions a and b. We can obtain MLTS of Fig. 1.(a) from that
of Fig. 1.(b) by substituting event names e by x and event
name z by y.
F
Fig. 1. Two -equivalent MLTSs
A reduction consists in eliminating redundancy via certain
relations by preserving properties to be checked. In this
section, we will use the -relation as a criterion of redundant
behaviors.
Fig. 2. -reduction
As illustration, MLTS of Fig. 2.(a) represents the behavior of
the LOTOS expression a;d;stop|[d]|b;d;stop. It was
generated by a mapping of LOTOS maximality-based
operational semantics [11]. Both sub-MLTSs S
1
and S
2
of
Fig. 2.(a) are -equivalent. Indeed, it exists two functions of
substitution
1
={x/x,y/y,z/z} and
2
={x/v,y/u,z/e} such as
S
1
1
S
2
2
. To remove such a redundancy, we must, initially,
apply the substitution function
1
∪
2
to the MLTS of Fig.
2.(a), group the start stats of S
1
and S
2
, and then, we remove
S
1
1
or S
2
2
. As a result, we obtain the MLTS of Fig. 2.(b).
Table 1 shows results obtained with the MLTS -reduction
construction on the same examples, where A=a;A.
Table 1. Results of MLTS construction
MLTS MLTS
/=
States Transitions States Transitions
A|||A
5 10 4 8
A|||A|||A
16 48 8 24
A|||A|||A|||A
65 260 16 64
A|||A|||A|||A|||A
326 1630 32 160
4. PARTIAL ORDER TECHNIQUE
Inspiring from the covering steps [17] technique, we do not
consider all possible interleaving sequences. On the other
hand, we build, under certain conditions, a step allowing
directly reaching the final state which would have been
reached by each interleaved sequence. Fig. 3 shows the
obtained benefit in the case of the derivation of three parallel
actions a, b and c in the presence of differed conflict.
Fig. 3. An MLTS and its maximality-based step graph
The graph of Fig.3. (b) is the Maximality-based Step Graph
(MSG) of the MLTS of Fig.3.(a) in which all interleaving
runs were converted into two steps (p
1
and p
2
); the first step
expresses the start of c and the second one expresses true-
concurrent execution of a and b. The built step graph covers
the initial MLTS via the Mazurckiewicz’s traces equivalence
[9]. It is proved that our approach preserves deadlock states
and liveness property, so its on-the-fly generation is thus
possible.
Table 2 compares results by consideration of MLTS and
MSG construction on the system of Fig. 4.
Table 2. Results of MSG construction
MLTS
/=
MSG
n States Transitions
States Transitions
4 33 81 4 3
6 129 449 4 3
8 513 2305 4 3
10 2049 11265 4 3
Fig. 4. Example system
3
:
{z}
Ø
b
y
0
:Ø
Ø
c
z
Ø
a
x
(a )
1
:
{x}
Ø
b
y
Ø
a
x
Ø
c
z
Ø
b
y
2
:
{y}
5
:
{x,z }
z
d
e
Ø
c
z
4
:
{x,y }
Ø
a
x
7
:
{e}
6
:
{y, z}
Ø
c
z
Ø
b
y
Ø
a
x
8
:
{x, y,z}
p
2
:{
Ø
b
y
,
Ø
a
x
}
3
:
{z}
Ø
b
y
0
:Ø
p
1
:
Ø
c
z
Ø
a
x
1
:
{x}
Ø
b
y
Ø
a
x
Ø
c
z
Ø
b
y
2
:
{y}
5
:
{x,z }
z
d
e
Ø
c
z
4
:
{x, y}
Ø
a
x
7
:
{e}
6
:
{y,z }
Ø
c
z
Ø
b
y
Ø
a
x
8
:
{x,y ,z}
(
c
)
(b )
a
n
a2
a1
d
b
=
{
}
z
{
}
e
}
{
z
y
x
d
,
}
{
e
v
u
d
,
u
b
φ
{
}
y
x
,
{
}
v
u
,
{
}
u
x
a
φ
y
b
φ
v
a
φ
{
}
x
S
1
S
2
(a)
Ø
Ø
x
a
φ
{
}
z
}
{
z
y
x
d
,
y
b
φ
{
}
y
x
,
{
}
y
x
a
φ
y
b
φ
{
}
x
S
1
σ
σσ
σ
1
=S
2
σ
σσ
σ
2
(b)
Ø
b
y
Ø
a
x
Ø
b
y
Ø
a
x
{
x
}
{
y
}
{
x
,y
}
Ø
(a )
Ø
b
z
Ø
a
e
Ø
b
z
Ø
a
e
{
e
}
{
z
}
{
e
,
z
}
Ø
(
b
)
5. MAXIMALITY-BASED SYMBOLIC
REPRESENTATION
Anther method to tackle the state space explosion problem is
to use a symbolic representation based on binary decision
diagrams (BDDs) for implicitly representing state spaces of
the model [4]. A trivial solution is to build the MLTS of
source algebraic specification and then convert the MLTS to
BDDs. However this kind of solution, which has already
been adopted to get BDD representations from ATP
specification [10], is not satisfactory, in that the usefulness of
BDD representations stands mainly in the ability to manage
specifications for which the MLTS is too big to be
represented or even traversed.
To remedy this problem, a more satisfactory solution is
implemented in our tool, which exploits compositionality of
process algebras so as to build BDD representations without
enumerating all states and transitions [15]. Proposed
technique consists in building small MLTS to represent basic
building blocks of the specification. These are converted to
BDDs which in turn are combined together, according to the
various process algebras operators to obtain the overall BDD.
This kind of generation is called on-the-fly generation.
Tab. 3. shows comparative results between MLTS and
symbolic-based MLTS where B=b;b;b;stop. Size is given by
Megabytes and total memory used is 1 Gigabyte.
Table 3. Results of symbolic-based MLTS construction
6. USER INTERFACE
The FOCOVE toolbox, available for download on website
http://www.focove.new.fr
, is built in a modular way.
Available modules can be used independently or in
combination. Modules include:
• An editor for Basic LOTOS behavior expressions.
• A compiler of Basic LOTOS behavior expressions.
• A maximality-based model checker.
• A tool for building -reduced MLTS.
• A tool for building LTS and MLTS structures.
• A tool for building MSG.
• A tool for building maximality-based symbolic
representation MSR.
• A viewer for MLTS, LTS, MSG and MSR.
After compiling a Basic LOTOS description, the generation
of MLTS, LTS, MSG and MSR is possible. The result of
generation can be obtained in textual output format or
graphical output format. The screenshot of Fig. 5.(a)
represents a Basic LOTOS expression input, and the second
screenshot is a CTL formula input. Fig. 5.(c) illustrates an
MLTS.
Fig. 5. Some screenshots of FOCOVE environment
Symbolic-based MLTS MLTS
Size States Trans Size States Trans
B|||B 1 25 36 1 25 36
B|||B|||B 2 226 477 3 226 477
B|||B|||B|||B 10 2713 7536 63 2713 7536
B|||B|||B|||B
|||B
63 40696 140175 Out of memory
(a)
(b)
(c)
7. CONCLUSION
This paper presents FOCOVE, an integrated environment to
edit Basic LOTOS behavior expressions and generate and
analyze Maximality-based Labeled Transitions Systems
structures.
Different techniques are taken into account to solve state
space combinatorial explosion problem. In FOCOVE, three
techniques are supported, a maximality-based symbolic
representation, a reduction modulo equivalence relation, a
partial order semantics and a maximality-based model
checking technique to verify MLTSs.
As a perspective, It is interesting to extend FOCOVE to take
into account time [1,12] and conformance testing in the
context of maximality semantics [13].
REFERENCES
[1] N. Belala and D. E. Saïdouni, Non-Atomicity in Timed
Models, in Proceedings of ACIT'2005, 2005.
[2] A. Benamira and D. E. Saïdouni , Consideration of the
Covering Steps in the Maximality-Based Labeled
Transitions Systems, In Proceedings of International
Arab Conference on Information Technology
(ACIT'2006), Yarmouk University, Irbid, Jordan,
December 19-21st, 2006.
[3] T. Bolognesi and E. Brinksma, Introduction to the ISO
Specification Language LOTOS, Computer Networks
and ISDN Systems, volume 14, 1987.
[4] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill
and L. J. Hwang. Symoblic model checking: 10
20
states
and beyond. In Proceeding of 5th IEEE Symposium on
Logic in Computer Science, 1990.
[5] E. M. Clarke, E. A. Emerson, and A. P. Sistla,
Automatic Verification of Finite State Concurrent
Systems Using Temporal Logic Specifications, ACM
Transactions on Programming Languages and Systems,
volume 8, no 2, pages 244-263, 1986.
[6] J. P. Courtiat and D. E. Saidouni, Relating Maximality-
Based Semantics to Action Refinement in Process
Algebras, in D. Hogrefe and S. Leue, Editors, {IFIP}
{TC/WG6}.1, 7th Int. Cof of Formal Description
Techniques (FORTE'94", pages 293-308, Chapman
&Hall, 1995.
[7] P. Godefroid, Using Partial Orders to Improve
Automatic Verification Methods, in Proceedings of
CAV'90, volume 3, pages 321-340, ACM, DIMACS,
1990.
[8] P. Godefroid and P. Wolper, A Partial Approach to
Model Cheking, in Proceedings of the 6th Symp. On
Logic in Computer Science, volume 531, pages 406-
415, Amsterdam 1991.
[9] A. Mazurckiewicz, Trace Theory. In Petri Nets:
Applications and Relationships to Other Model of
Concurrency, in Advances in Petri Nets 1986, Part {II;}
Proceedings of an Advanced Course, pages 279-324,
Springer Verlag, LNCS 255, 1986.
[10] X.Nicollin, J. Sifakis and S.Yovine , Compiling Real-
Time Specifications into Extended Automata, IEEE
Trans. on Software Engineering, volume 18,794-804,
1992.
[11] D. E. Saidouni, Sémantique de Maximalité: Application
Au Raffinement D'actions Dans LOTOS, Phd thesis,
LAAS, Univerity of Paul Sabastier, Toulouse,1996.
[12] D. E. Saïdouni and N. Belala, Actions Duration in
Timed Models, in Proceedings of International Arab
Conference on Information Technology (ACIT'2006),
Yarmouk University, Irbid, Jordan, December 19-21st,
2006.
[13] D. E. Saidouni and A. Ghenai, Intégration des refus
temporaries dans les graphes de refus, in proceeding of
NOTERE '2006, Toulouse, France, 2006.
[14] D. E. Saïdouni and N. Belala. Using Maximality-Based
Labeled Transition System Model for Concurrency
Logic Verification, The International Arab Journal of
Information Technology (IAJIT), Vol. 2, No. 3, pages
199-205. July 2005. Zarka Private University, P. O. Box
2000, Zarka 13110, Jordan, ISSN: 1683-3198.
[15] R. Sisto, A method to build symbolic representations of
LOTOS specification. Protocol specification, Testing
and verification, pages 323-338, 1995.
[16] A. Valmari, Sets for Reduced State Space Generation,
in Proceedings of the Tenth International Conference on
Application and Theory of Petri Nets, volume II, Bohn
1989.
[17] F. Vernadat, P. Azéma and F. Michel, Covering Step
Graph, in Proceedings of Application and Theory of
Petri Nets 96, volume LNCS 1091, Springer Verlag,
1996.
Appendix A. MAXIMALITY SEMANTICS
A.1 Intuition [6,11]
The semantics of a concurrent system can be characterized by
the set of the system states and the transitions by which the
system passes from a state to another. In the approach based
on the maximality, the transitions are events which represent
only the beginning of actions execution. To distinguish each
action execution, an identifier is associated to its start. In a
state, an event is said to be maximal if it corresponds to the
beginning of the execution (start) of an action which can
possibly be always under execution in this state.
To illustrate the maximality principle, let us consider the
LOTOS behavior expressions Ea;stop|||b;stop and
Fa;b;stop[]b;a;stop. In the initial state, no action is under
execution, therefore, the set of maximal events is empty,
from where following initial configurations associated to E
and F are
Ø
[E] and
Ø
[F]. From the configuration
Ø
[E], starting
the execution of actions a and b leads to the following
transitions:
[ ]
{ }
[ ]
stopE
x
m
a
x
φ
φ
→
|||
[ ]
{ }
[ ]
stopstopb
x
m
b
y
φ
φ
→;
|||
{ }
[
]
stop
y
x (respectively y) is the event name identifying the beginning
of the action a (respectively b). Since nothing can be
concluded about the termination of both actions a and b in the
configuration
{
x
}
[stop] |||
{
y
}
[stop], x and y are then maximal in
this configuration. Let us note that x is also maximal in the
intermediate state represented by the configuration
{x}
[stop]
|||
Ø
[b;stop].
Fig. 6. MLTS structures of E and F expressions
For the initial configuration, associated to the behavior
expression F, the following transition is
possible:
[ ]
{ }
[ ]
stopbF
x
m
a
x
;
φ
φ
→
. As previously, x identifies the
beginning of the action a and it is the unique maximal event
name in the configuration
{x}
[b;stop]. It is clear that, within
sight of the action prefixing operator semantics, the
beginning of the action b is possible only if the action a
terminates its execution. Consequently, x does not remain
maximal any more when the action b begins its execution; the
unique maximal event in the resulting configuration is y
which identifies the beginning of execution of action b. Thus
the following derivation
{ }
[ ]
{ }
{ }
[ ]
stopstopb
x
m
b
x
yx
→;
.
The configuration
{y}
[stop] is different from the configuration
{x}
[stop] |||
{y}
[stop], because the first has only one maximal
event (identified by y), whereas the second has two
(identified by x and y). The derivation structures of the
behavior expressions E and F obtained by the application of
the maximality semantics principle are represented in Figure
5. These structures are called Maximality-based Labeled
Transition System (MLTS).
A.2. Related definitions
In this section, we recall some related definitions of Basic
LOTOS. The complete presentation of Basic LOTOS
maximality-based operational semantics may be found in
[6,11].
Syntax of Basic LOTOS: Let PN be the set of processes
ranged over by P and let be the set of gates ranged over by
. A particular observable action
∉
is used to notify the
successful termination of the processes. L indicates any
subset of , the internal action is noted by i. The set of all
actions is indicated by Act=
∪
{i,}. , ranged over by E,
F, ... denotes the set of behavior expressions whose syntax is:
E::= Stop | exit | E[L] | g;E| i;E | E[ ] E
E|[L]|E | hide L in E | E>>E | E[>E
Given a process P which have the behavior E, the definition
of P is expressed by P:=E.
The set of event names is a countable set indicated by M.
This set is ranged over by x,y,.... M,N,... indicate finite
subsets of M. The set of atoms of support Act is
Atm=
MAct
M
fn
××2,
M
fn
2
being the set of finite parts of M.
For M
M
fn
2∈
,
Mx
∈
and
Acta
∈
, the atom (M,a,x) will
be noted
M
a
x
. The choice of an event name can be done in a
deterministic way by the use of any function get:2
M
-{Ø}M
satisfying get(M)
∈
M for any M
∈
2
M
-{Ø}.
Configuration: The set of configurations of Basic LOTOS
behavior expressions is the smallest set defined inductively as
follows
:
∈
∀
E
,
∀
M
M
fn
2∈
:
M
[E]
∈
∀
∈
∀
,PNP
M
M
fn
2∈
:
M
[P]
∈
If
∈
then hide L in
∈
If
∈
and
∈
F
then
>>F
∈
If
∈
then
op
∈
op
∈
{ [], |||, || ,|[ ]| , [>}
If
∈
and{a
1
,a
2
, …, a
n
},{b
1
,b
2
, …,
b
n
}
M
fn
2∈
then
[a
1
/b
1
,a
2
/b
2
,…,a
n
/b
n
]
Given a set M
M
fn
2∈
,
M
[…] is called embedding operation.
This operation is distributive over the operations [],|[L]|, hide,
[> and the renaming gates operation. We also admit that
M
[E>>F]
M
[E]>>F. A configuration is known as canonical if
it cannot be reduced any more by the distribution of the
embedding operation on the other operators. Thereafter, we
suppose that all configurations are in canonical form.
Any canonical configuration is under one of the following
forms (
and
being canonical configurations):
M
[stop] |
M
[ exit] |
M
[a;E] |
M
[P] |
[ ]
|
hide L in
|
>>F |
[>
|
[a
1
/b
1
,a
2
/b
2
,…,a
n
/b
n
]
The function
:
M
fn
2
, which determines the set of event
names in a configuration, is defined inductively by:
(
M
[E])=M
(
[]
∪
(
(
|[L]|
)=
(
)
∪
(
)
(
>>F)=
(
)
(hide L in
)=
(
)
(
[>
)=
(
)
∪
(
)
(
[b
1
/a
1
,...,b
n
/a
n
])=
(
)
Let E be a configuration; E \N indicates the configuration
obtained by removing the set of event names N from the
configuration E. E \N is defined inductively as follows:
∅
a
x
∅
b
y
{y} {x}
{x,y}
∅
∅
b
y
∅
a
x
E
{x,y}
{y}
a
x
{x}
b
y
{y} {x}
{y}
∅
∅
b
y
∅
a
x
F
{x}
(
M
[E])\N=
M-N
[E]
(
[]
)\N=
\N []
N
(
|[L]|
)\N=
\N |[L]|
\N
(hide L in
)\N=hide L in
\N
(
>>
)\N=
\N>>
(
[>
)\N=
\N [>
\N
(
[b
1
/a
1
,...,b
n
/a
n
])\N=
\N [b
1
/a
1
,...,b
n
/a
n
]
The set of substitution functions of event names is noted Subs
(i.e. Subs =M
M
fn
2
); ,
1
,
2
,... are elements of Subs. Given
x,y,z
∈
M and M
M
fn
2∈
, then
The application of to x will be written by x
The substitution identity function is defined by
x={x}
M=
∪
x
∈
M
x;
[y/z] is defined by
{y} if z=x
[y/z]x=
{
x otherwise
Let be a substitution function, the simultaneous substitution
of all occurrences of x in
by x, is defined recursively on
the configuration
as follows:
(
M
[
])=
M
[
]
(
[]
)=
[]
(
|[L]|
)=
|[L]|
(hide L in
)=hide L in
(
>>
)=
>>
F
(
[>
)=
[>
(
[b
1
/a
1
,...,b
n
/a
n
])=
[b
1
/a
1
,...,b
n
/a
n
]
