ProB and XTL : Model checkers for B and DSSLs

1
ProB and XTL Model checkers for B and DSSLs

• Michael Leuschel
• University of Southampton

2
ProB Why?

• Animate a B-specification
• No need for user to guess parameters
• Verify a B-Specification
• Temporal State-Based model checking
• Test-case generation synchronise with
  implementation
• Benefits
• Gain confidence in specifications
• Detect bugs before attempting formal proofs
• Check final implementation againts spec
• Learn how B works

3
ProB Internals
XML Encoding
Parser Specialiser
B Machine
Tatibouets Parser
Prolog Encoding
Java
B-Interpreter
CLP B-Kernel
b_execute_statement b_evaluate_expression
subset_of partial_function add
Everything except Tatibouets parser in SICStus
Prolog
4
Temporal vs State-Based MC

• Temporal
• Start from initial state
• Find sequence of operations that lead to error
• Examples Spin, SMV,
• Model/State Based
• No concept of initial state
• Find a valid state (satisfies invariant) such
  that applying a single operation leads to an
  error
• Example Alloy

5
ProB A Demo

• Animation
• Temporal Model Checking
• State-Based Model Checking
• Visualization
• Linking with Java implementation

6
And now for something different XTL

• XTL
• Written in XSB-Prolog
• Exhaustive, finite state model checker for
• CTL specifications
• Systems represented in XSB-Prolog (e.g.,
  interpreters!)
• Ok, but why YAP (Yet Another Prolog) ?

7
Prolog The Base
SICStus Prolog
XSB Prolog
Ciao Prolog
Other players Mercury (.Net), SWI-Prolog, Yap,
IF-Prolog
8
Tabling whats all the fuss?
- table p/0. q - p. p - p. r - not q. -
table path/3. path(X,X,). path(X,Y,XT) -
arc(X,Z), path(Z,Y,T). arc(a,b). arc(b,a).

• What it does for you
• Loop checking
• Answer Propagation
• Program at a higher-level Speed!
• XSB can be used as deductive database
• Useful for parsing
• Useful for verification

- table model_check/1, model_check/2. model_check
(S) - prop(S,unsafe). model_check(S) -
trans(_,S,NS), model_check(NS). model_check(S,)
- prop(S,unsafe). model_check(S,AT) -
trans(A,S,NS), model_check(NS,T).
9
Tabling II

• Loop checking can be easily done in Prolog e.g.,
  assert/retract
• But
• No answer propagation
• Speed! (using CSM from Babylon)

- dynamic tabled/1. check_table(X) -
(tabled(X) -gt (fail) assert(tabled(X))). model_
check(S) - prop(S,unsafe). model_check(S) -
trans(_,S,NS), check_table(NS),model_check(NS).
10
Tabling vs Assert - Bench
XSB 2 0.0000 s - 76 states 4 0.0090
s - 340 states 8 0.1190 s - 1956 states
16 1.0810 s - 13124 states 24 4.5800 s
- 41700 states 32 10.0690 s - 95876 states
SICSTUS - assert 2 0.010 s - 76 states
4 0.260 s - 340 states 8 11.250 s -
1956 states 16 772.500 s - 13124 states
11
Summary of our Tools
ECCE Online specialiser For pure Prolog Can do
infinite state MC
ProB model checker animator for B

XTL finite state model checker for any system
encoded in XSB Prolog
LOGEN Fast offline specialiser compiler
generator for Prolog
StAC
SICStus Prolog
XSB Prolog
Ciao Prolog
12
XTL

• Model checker for finite state systems
• Written in XSB-Prolog
• Pure simple
• Can be analysed and specialised by other systems
• Generic
• Can handle any system described in (XSB)-Prolog
• Ex Writing an interpreter for StAC in XSB is
  much easier than writing a compiler to Promela!
  (interpreter)
• Efficient despite flexibility!

13
One Benchmark CSM (from Babylon)
out of memory
XTL
Spin (wo compilation time, wo time to find
search depth)
FDR
XSB 2.5 G4 667Mhz 500Mb
XSB 2.4
Livelock Testing
Refinement
14
Future Work

• Full scale application of XTL to StAC
• Integrate Logen into ProB XTL
• Extend ProB to handle more of B, check refinement
• Apply XTL to Proforma, ltinsert your favourite lge
  heregt,
• Apply XTL to ProB-interpeter
• Apply ECCE for infinite state MC