Using an SMT engine to generate Symbolic Automata Electronic Communications of the EASST Volume 076 (2019) Automated Verification of Critical Systems 2018 (AVoCS 2018) Using an SMT engine to generate Symbolic Automata Xudong Qin, Simon Bliudze, Eric Madelaine, and Min Zhang 17 pages Guest Editors: David Pichardie, Mihaela Sighireanu ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Using an SMT engine to generate Symbolic Automata Xudong Qin1∗, Simon Bliudze2, Eric Madelaine3, and Min Zhang4 1 steven_qxd@126.com 4 mzhang@sei.ecnu.edu.cn Shanghai Key Laboratory of Trustworthy Computing, ECNU, China 2 simon.bliudze@inria.fr INRIA Lille – Nord Europe, 40 avenue Halley, 59650 Villeneuve d’Ascq, France 3 eric.madelaine@inria.fr Université Côte d’Azur, Inria, CNRS, I3S, 06902 Sophia Antipolis, France Abstract: Open pNets are used to model the behaviour of open systems, both syn- chronous or asynchronous, expressed in various calculi or languages. They are endowed with a symbolic operational semantics in terms of so-called “Open Au- tomata”. This allows us to check properties of such systems in a compositional manner. We implement an algorithm computing these semantics, building pred- icates expressing the synchronization conditions between the events of the pNet sub-systems. Checking such predicates requires symbolic reasoning over first order logics, but also over application-specific data. We use the Z3 SMT engine to check satisfiability of the predicates, and prune the open automaton of its unsatisfiable transitions. As an industrial oriented use-case, we use so-called “architectures” for BIP systems, that have been used in the framework of an ESA project and to specify the control software of a nanosatellite at the EPFL Space Engineering Center. We use pNets to encode a BIP architecture extended with explicit data, and compute its open automaton semantics. This automaton may be used to prove behavioural properties; we give 2 examples, a safety and a liveness property. Keywords: Networks of Synchronised Automata, Symbolic Behavioral Semantics, Compositional Analysis of Software Components, SMT 1 Introduction In the nineties, several works extended the basic behavioural models based on labelled transition systems to address value-passing or parameterized systems, using various symbolic encodings of the transitions [1, 2, 3, 4]. In [4], H.M. Lin addressed value-passing calculi, for which he developed a symbolic behavioural semantics, and proved algebraic properties. Separately J. Rathke [5] defined another symbolic semantics for a parameterized broadcast calculus, together with strong and weak bisimulation equivalences, and developed a symbolic model-checker based on a tableau method for these processes. Thirty years later, no practical verification approach and ∗ This work was partially funded by the Associated Team FM4CPS between INRIA and ECNU, Shanghai 1 / 17 Volume 076 (2019) mailto:steven_qxd@126.com mailto:mzhang@sei.ecnu.edu.cn mailto:simon.bliudze@inria.fr mailto:eric.madelaine@inria.fr Using an SMT engine to generate Symbolic Automata no verification platform are using this kind of approaches to provide proof methods for value- passing processes or open process expressions. Parameterized Networks of Synchronized Automata (pNets) were proposed to give a be- havioural specification formalism for distributed systems, synchronous, asynchronous, or het- erogeneous. They are used in VerCors [6], a platform for designing and verifying distributed systems, as the intermediate language for various high-level languages. The high-level languages in VerCors formalize each component of the distributed system and their composition. pNets provides the core low-level semantic formalism for VerCors, and is made of a hierarchical com- position of (value-passing) automata, called parameterized labelled transition systems (pLTS), where each hierarchical level defines the possible synchronization of the lower levels. Tradition- ally, pNets have been used to formalize fully defined systems or softwares. But we want also to define and reason about incompletely defined systems, like program skeletons, operators, or open expressions of process calculi. The open pNet model addresses this problem, using “holes” as process parameters, representing unspecified subsystems. The pNet model was developed in a series of papers [7, 8] in which many examples have been introduced showing its ability to encode the operators from some other algebras or program skeletons. The operational semantics of an (open) pNet is defined as an Open Automaton in which Open Transitions contain logical predicates expressing the relations between the behaviour of the holes, and the global behaviour of the system. In the previous publication, only a sketch of a procedure allowing to compute these semantics was presented, together with a proof of finiteness of the open automaton, under reasonable hypotheses on the pNet structure. Implementing these semantics raised several challenges, in order: • to get a tool that could be applied to pNets representing various languages, in particular various actions algebras, with their specific decision theories, • to separate clearly the algorithm generating the transitions of the open automaton from combination of all possible (symbolic) behaviours, from the symbolic reasoning part, specifically here using an SMT engine to check the satisfiability of the predicates gen- erated by our algorithm, • to build a prototype and validate the approach on our basic case-studies, and understand the efficiency of the interaction with the SMT solver. In the long term, we want to be able to check the equivalence between open systems encoded as pNets. The equivalence between pNets is “FH-bisimulation” [8], a dedicated version of symbolic bisimulation taking the predicate of the open transitions into account when matching such open transitions. We foresee that the interplay with the SMT solver that we use here for satisfiability of open transitions will be similar with what we need when proving (symbolic) equivalence between open transitions. Contribution In the article we show how: • We define the open automaton generation algorithm. We implemented a full working pro- totype, within the VerCors platform. In the process, we improved the semantics rules from [8], and add features in the algorithm to deal with the full model, including manage- ment of variables and assignments. • We implement the interaction between our algorithm and the Z3 SMT solver, for checking AVoCS 2018 2 / 17 ECEASST satisfiability of the transitions generated by the algorithm. • We show the interest of this approach on an industry-inspired case-study, namely one architectural pattern extracted (and extended) from the BIP specification of a nanosatellite on-board software. Related work. Very few attempts were made to develop symbolic bisimulation approaches for the value-passing process algebras and languages—our long-term goals—especially, there is no algorithmic treatment of the symbolic systems developed by interacting with automatic theorem provers. The closest work is the one already mentioned from J. Rathke [5], who developed the symbolic bisimulation for a calculus of broadcasting system (CBS). CBS is similar with classic process calculi such as CCS and CSP, but communicating by broadcasting values, transmitting values without blocking. That makes the definition of the symbolic semantic and bisimulation equivalence different from the classic works. For other applications, such as the analysis of programming languages, there exist dedicated platforms using external automatic theorem provers (ATP) or automatic tactics from interac- tive theorem provers (ITP), to perform symbolic reasoning, and for example to discharge some subgoals in the proofs. Tools like Rodin [9, 10] have already integrated several provers, like Z3, as modules for proving the proof obligations generated from a user model. The prover we use, which also happens to be Z3, is developed by Microsoft Research based on the satisfiabil- ity modulo theories framework (SMT), is mainly applied in extended static checking, test case generation, and predicate abstraction. In a similar way, there are several ATPs/ITPs we could consider to use for result pruning and bisimulation checking in our algorithm, as an alternative to Z3, such as CVC4 [11], Coq [12] or others. BIP (Behaviour-Interaction-Priority) [13] is a framework for the component-based design of concurrent software and systems. In particular, the BIP tool-set comprises compilers for gener- ating C/C++ code, executable by linking with one of the dedicated engines, which implement the BIP operational semantics [14]. This approach ensures that any property, shown to hold on a given BIP model, will also hold by construction on the generated code. BIP Architectures [15] formalise design patterns, which enforce global properties characterising the coordination among the components of the system. They provide a compositional approach, ensuring correctness by construction during the design of BIP models. In [15], it was shown that application of archi- tectures is compositional w.r.t. safety properties, i.e. when several architectures are applied, each enforcing a safety property, the resulting system satisfies their conjunction. But the interaction feature in architectures does not handle data-sensitive interaction con- straints. Using an encoding of architectures, extended with data-dependant interactions, into open pNets was an interesting alternative to a direct extension to the architecture semantics. Structure. In section 2 we give a description and a formal definition of the pNet model, as found in previous publications. Then in section 3 we present our use-case, based on a BIP architecture from the nano-satellite case-study. Section 4 recalls briefly the operational semantics of pNet. Section 5 explains in details the algorithm used to compute this semantics, including the interaction with Z3, and shows the full result of the semantic computation on the running example. Finally we conclude and discuss perspectives in Section 6. 3 / 17 Volume 076 (2019) Using an SMT engine to generate Symbolic Automata 2 Background: pNets definition This section introduces pNets and the notations we will use in this paper. Then it gives the formal definition of pNet structures, together with an operational semantics for open pNets. pNets are tree-like structures, where the leaves are either parameterized labelled transition systems (pLTSs), expressing the behaviour of basic processes, or holes, used as placeholders for unknown processes, of which we only specify their set of possible actions, named sort. Nodes of the tree (pNet nodes) are synchronizing artifacts, using a set of synchronization vectors that express the possible synchronization between the parameterized actions of a subset of the sub- trees. Notations. We extensively use indexed structures over some countable indexed sets, which are equivalent to mappings over the countable set. ai∈Ii denotes a family of elements ai indexed over the set I. When this is not ambiguous, we shall use notations for sets, and typically write “indexed set over I” when formally we should speak of multisets, and write x ∈ ai∈Ii to mean ∃i ∈ I.x = ai. An empty family is denoted /0. We denote classically a a family when the indexing set is irrelevant. ] is the disjoint union on indexed sets. Term algebra. Our models rely on a notion of parameterized actions that are symbolic ex- pressions using data types and variables. As we want to encode the low-level behaviour of possibly very different programming languages, we do not want to impose one specific algebra for denoting actions, nor any specific communication mechanism. So we leave unspecified the constructors of the algebra that will allow building expressions and actions. Moreover, we use a generic action interaction mechanism, based on unification between two or more action expres- sions. This will be used in the semantics of synchronization vectors to express various kinds of communication or synchronization mechanisms. Formally, we assume the existence of a term algebra TΣ,V , where Σ is the signature of the data and action constructors, and V a set of variables. Within TΣ,V , we distinguish a set of data expressions EV , including a set of Boolean expressions BV (BV ⊆ EV ). On top of EV we build the action algebra AV , with AV ⊆ TV ,EV ∩AV = /0; naturally action terms will use data expressions as sub-terms. The function vars(t) identifies the set of variables in a term t ∈ T . pNets can encode naturally the notion of input actions as found, e.g. in value-passing CCS [16] or of usual point-to-point message passing calculi, but it also allows for more general mech- anisms, like gate negotiation in Lotos [17], or broadcast communications. Algebra presentations. In practice, the parameterization of the pNet model by some specific action algebra is realized by the definition of a many-sorted “algebra presentation”. It will be used to check the well-formedness of a pNet system, and to define the translation of the pNet semantics into the SMT engine input language ([18]). Definition 1 An algebra presentation is a triple P = 〈Sorts,Constrs,Ops〉, where • Sorts is a set of data sorts • Constrs is a set of constructor operators: for each Con ∈ Constrs, arity(Con) = n ∈ N is its arity and ’Con : (sel1,sort1),...,(seln,sortn)→ sort’ is its signature with the associated AVoCS 2018 4 / 17 ECEASST Table 1: Algebra Presentation: predefined Sorts and Operators Sort Constructors Auxiliary Operators Bool true, false ∧, ∨, ¬, =⇒ , =, 6= Action Synchro, FUN Int 0,{i,−i}i∈Nat −(unary), +, −(binary), ×, ÷ etc. Extension for the BIP use-case of Fig. 2 Action FUN_Action_Bool, fail, resume, timeout, reset, start, tick, ask selectors. For each argument, the pair (seli,sorti) defines an auxiliary operator of name seli with signature seli : sort → sorti. • Ops is a set of auxiliary operators, with their arity and signature, of the form: Op : sort1,...,sortn → sort • Constrs(sortname) and Sels(sortname) are, respectively, the sets of constructors and se- lectors of the sort sortname Constructors of arity 0 are called constants, and denoted Consts(P). Sorts Bool and Int are predefined with standard operators. Sort Action also, with a con- structor Synchro denoting a synchronized action, i.e. an “internal” action that cannot be further synchronized with the environment. It also comes with an overloaded FUN constructor, used to build actions with arguments, that will be instantiated to the required sorts for a given pNet. The definition of an Algebra Presentation, and a set of variables V fixes the Term algebra elements TΣ,V ,BV ,AV . 2.1 The (open) pNets Core Model A pLTS is a labelled transition system with variables, which can be manipulated, defined, or accessed inside states, actions, guards, and assignments. Each state has its set of variables called state variables, which can only be modified by the assignment in transitions targeting this state. A global state variable of a pLTS is a state variable defined in all states. Note that we make no assumptions on finiteness of the set of states, nor on finite branching of the transition relation. We first define the set of actions a pLTS can use. Let a range over action labels, op are operators, and xi range over variable names. Action terms are: α ∈ A ::= a(p1,..., pn) action terms pi ::= Expr parameters Expr ::= Value | x | op(Expr1,...,Exprn) expressions Definition 2 (pLTS) Given a term algebra TΣ,V , a pLTS is a tuple pLT S , 〈〈S,s0,→〉〉 where: • S is a set of states, with s0 ∈ S the initial state. • →⊆ S×L×S is the transition relation, with L the set of labels of the form 〈α, eb, (x j := e j) j∈J〉, where α ∈ AV is a parameterized action, eb ∈ BV is a guard, and expressions EV ∪AP are assigned to x j. If s 〈α, eb, (x j:=e j) j∈J〉−−−−−−−−−−−→ s′ then vars(eb)⊆vars(s)∪vars(α), and ∀ j∈J.vars(e j)⊆vars(s)∧x j∈vars(s′). 5 / 17 Volume 076 (2019) Using an SMT engine to generate Symbolic Automata fail t := t−1 [t > 0] t0 t1 s2 s1s0 fail ti m eo u t resume reset Control resume start, t := Max timeout, [t = 0] B start tick Timer resetresumeresume timeouttimeout finish fail resume tick Figure 1: The BIP specification of the Failure Monitor architecture Now, we define pNet nodes as constructors for hierarchical structures. A pNet node has a set of sub-pNets that can be either pNets or pLTSs, and a set of holes, playing the role of process parameters (i.e. unknown in the environment). A composite pNet consists of a set of sub-pNets, each exposing a set of actions. The relation between actions of a pNet and those of its sub-pNets are given by synchronization vectors, which synchronize one or several internal actions, and expose a single resulting global action. Definition 3 (pNets) A pNet is a hierarchical structure where leaves are pLTSs and holes: pNet , pLTS | 〈〈pNeti∈Ii ,J,SVk∈Kk 〉〉, with I,J,K potentialy infinite, where • pNeti∈Ii is the family of sub-pNets; • J is a set of indexes, called holes. I and J are disjoint: I∩J = /0, I∪J 6= /0 • SVk∈Kk is a set of synchronisation vectors (K ∈IV ). ∀k∈K,SVk =α l∈Ik]Jk l →α′k |gk, where α ′ k ∈ AV , Ik ⊆ I, Jk ⊆ J, and vars(α′k) ⊆ ⋃ l∈Ik]Jk vars(αl). The global action of a vector SVk is α′k. The Boolean expression gk, such that vars(gk) ⊆ ⋃ l∈Ik]Jk vars(αl), is a guard associated to the vector. In Fig. 2, we show examples of these constructs, with two pLTSs, one hole and one pNet node encoding our running example. 3 Running example As a running example we use the Failure Monitor architecture from the CubETH nanosatellite on-board software case-study [19] realised using BIP. The architecture-based design process in BIP takes as input a set of components providing basic functionality of the system and a set of temporal properties that must be enforced in the final system. For each property, a corresponding architecture is identified and applied to the model, thereby potentially introducing additional co- ordinator components and modifying the connectors that define synchronisation patterns among ports of components. Figure 1 shows a refined version of the Failure Monitor architecture used in [19]. Contrary to standard BIP models, architectures comprise one or several operand components, whereof only the set of ports is given. Here, the operand component is B and its interface consists of the ports finish, resume and fail. The two coordinator components—C and T —are standard BIP components insofar as they also have their behaviour specified by finite automata extended with AVoCS 2018 6 / 17 ECEASST local data variables. Transitions of these automata are labelled with the ports of the correspond- ing components, Boolean guards and update functions on local variables. For instance the loop transition t2 tick,[t−−−−−−→ t2, is a parameter of the architecture. Connectors are hierarchical, tree-like structures with component ports at the leaves. They define sets of interactions, based on the attributes of the connected ports [20], which may be either trigger (triangles in Fig. 1) or synchron (bullets in Fig. 1). If all sub-connectors of a connector are synchrons, then an interaction may be executed by the connector only if each subconnector can contribute. If at least one of the sub-connectors is a trigger, then any interaction consisting of contributions of any set of sub-connectors, involving at least one of the triggers, can be executed. For instance, the two ports T.s and C.fail are always synchronised, since they belong to the same binary sub-connector, where they are both synchrons. In particular, this means that whenever the transition s1 fail−→s2 is fired, so is the transition t1 s,t:=0,z:=>−−−−−−→ t2, initialising the timer. The binary connector T.s•−−•C.fail is a sub-connector of a hierarchical connector, where the port B.fail is a trigger. Thus, the above interaction can only happen together with B.fail, forming a ternary interaction. On the contrary, being a trigger, the port B.fail can fire alone, forming a singleton interaction. The composition semantics of BIP systems consists in firing exactly one interaction, enabled through at least one of the top-level connectors, at each execution round. Finally, priorities—defined by a strict partial order on the set of possible interactions—narrow the choice among the enabled interactions at any given round. The default priority is the so- called maximal progress, whereby among any two interactions a ⊂ b (as sets of ports), b has higher priority than a. For example, the port B.fail will never fire alone in a global state, where both T.s and C.fail are enabled. Application of the Failure Monitor architecture ensures that, whenever a failure is registered in the operand component, the system will be reset, unless a resumption is registered within Max time units (more details in Sect. 5.4). Figure 2 shows a pNet encoding of the above Failure Monitor architecture. This encoding is structural: each coordinator component is encoded as a pLTS, the operand component—as a hole; connectors of the BIP model are encoded as synchronisation vectors. Each connector that does not involve triggers is trivially encoded by a synchronisation vector comprising the same ports. In order to encode the semantics of the connectors involving triggers, we 1) in the pLTS encoding the coordinator components, add loop transitions to ensure that all ports involved in such connectors are enabled in all states, 2) associate a Boolean value to each of these ports: the original transitions carry the value true (e.g. s1 fail(true)−−−−−→ s2), the added loops carry the value false (e.g. s3 fail(false)−−−−−→ s3), 3) add to the corresponding synchronisation vectors the Boolean predicate encoding the connector structure. For example, SV 0 encodes the connector discussed above: the predicate (b1 = b2)∧(b1∨b2 ⇒ b0) means that the “true” transitions C.fail and T.s can only fire together (b1 = b2) and whenever one of them fires, B.fail must fire also (b1∨b2 ⇒ b0). This encoding can be systematically obtained for any hierarchical BIP connector [21]. Although, 7 / 17 Volume 076 (2019) Using an SMT engine to generate Symbolic Automata s2 s0 s1 t0 t1 B start(false) SV5 <-, -, finish, -> → finish SV4 → reset SV3 ask SV2 <-, tick, -> → tick SV1 → resume [b1 = b2 ∧ b1 ∨ b2 =⇒ b0] SV0 → fail [b1 = b2 ∧ b1 ∨ b2 =⇒ b0] tick[t > 0] {t := Max} {t := t − 1} Timer t, Max : Int Control timeoutreset fail(false)resume(false) fail(false) resume(true) fail(true) resume(false) timeout[t = 0] start(true) resume(true) resume(false) Figure 2: pNet encoding of the Failure Monitor architecture for the sake of brevity, we omit priorities from the encoding, this can be easily achieved, by introducing additional Boolean variables for relevant ports [14]. 4 Operational Semantics for Open pNets The semantics of open pNets will be defined as an open automaton, that is an automaton where each transition composes transitions of several LTSs with the actions of some holes; the transition occurs if some predicates hold, and can involve a set of state modifications. Each state of an open automaton has a set of state variables that can be assigned by incoming transitions. Strictly speaking, the LTSs at the leaves of the open automaton are a restricted form of pLTSs, where labels are parametrised actions, but include no guard nor assignments. Definition 4 (Open transitions) An open transition OT over a set 〈Si,s0i,→i〉i∈I of LTSs, a set J of holes, and a set of states S is a structure of the form: ································································ {si ai−→i s′i}i∈I,{ b j−→ j} j∈J,Pred,Post s α−→ s′ , where s,s′∈S , the ai,b j,α are action expressions, si ai−→is′i is a transition of the LTS 〈Si,s0i,→i〉, b j is an action of the hole j, and α is the resulting action of OT . Pred is a predicate over the variables of the terms, labels, and states si, b j, s, α . Post is a set of equations that hold after the open transition, represented as a substitution {xk ← ek}k∈K where xk are variables of s′ and s′i, whereas ek are expressions over the other variables of the open transition. Definition 5 (Open automaton) An open automaton is a structure A = 〈LTSi∈Ii ,J,S ,s0,T 〉 where: • I and J are sets of indices, AVoCS 2018 8 / 17 ECEASST • LT Si∈Ii is a family of LTSs, • S is a set of states and s0 ∈ S the initial state, • T is a set of open transitions and, for each t ∈T , there exist I′, J′ with I′⊆ I, J′⊆ J, such that t is an open transition over LT Si∈I ′ i , J ′, and S . The states and the shape of predicates in the transitions of an open automaton representing the semantics of a pNet have the following specific structure. States of open pNets. A state of an open pNet is a tuple of the states of its leaves (in which we denote tuples in structured states as /....). For any pNet p, let Leaves = 〈〈Si,si0,→i〉〉i∈L be the set of pLTS at its leaves, then States(p) ={/si∈Li .|∀i ∈ L.si ∈ Si}. A pLTS being its own single leave: States(〈〈S,s0,→〉〉) ={/s .|s ∈ S}. The initial state is defined as: InitState(p) = /si0i∈L.. Predicates. Let 〈〈pNet,J,SVk∈Kk 〉〉 be a pNet. Consider a synchronization vector SVk, for k ∈ K. We build a predicate MkPred relating the actions of the involved sub-pNets and the resulting actions. This predicate verifies: MkPred(SVk,a i∈I i ,b j∈J j ,v)⇐⇒∃(a ′ i) i∈I ,(b′j) j∈J ,v′. SVk = (a ′ i) i∈I ,(b′j) j∈J → v′∧∀i ∈ I.ai = a′i ∧∀ j ∈ J.b j = b′j ∧v = v′ Example 1 (An open transition) This transition is generated by application of the vector SV0, synchronizing the initial actions of pLTSs Control and Timer (see Fig. 2), with an action of the hole B equal to fail. The local variable t of the Timer is assigned to its initial value Max. A full output of the use-case is provided in [22]. ·········································································································································· {s0 fail(true)−−−−−→ s1,t0 start(true)−−−−−→ t1}{ hb−→},hb = fail(true)∧v = fail,{t := Max} /s0,t0. v−→/s1,t1. Structural Semantic Rules: The semantics of pNet in term of open automata has been defined in [8], in the form of 2 structural rules, one for pLTSs, one for pNet nodes. These rules are slightly improved, adding guards in the synchronisation vectors and syntax for universal quantifier in the guards (see [22]). In [8] we also proved: Theorem 1 (Finiteness) Given an open pNet pnet =〈〈pNet,S,SVk∈Kk 〉〉 with leaves li∈Ii and holes h j∈Jj , if the sets I and J are finite, if the synchronisation vectors of all pNets included in pnet are finite, and if ∀i ∈ L. f inite(states(li)) and li has a finite number of state variables, then its semantics is an open automaton T with finitely many states and transitions. Remark that all the elements of such pNets and open automata being symbolic, they can represent many classes of unbounded systems. 9 / 17 Volume 076 (2019) Using an SMT engine to generate Symbolic Automata 5 Generation of Open Automata In this section we describe the algorithm implementing the pNet semantics, the interaction with the Z3 SMT solver, and we show the result on our example. Under the hypotheses of Theorem 1 this algorithm terminates. Algorithm 1 Open Automaton Generation Input: A pNet P (cannot be a hole) 1: Initialize sets U = {InitState(P)} and E = /0, for unexplored and explored global states, respectively; L = /0 for the resulting OTs; 2: while !isEmpty(U) do 3: Choose S in U ; remove S from U , add S to E; 4: OTs = MakeTransitions(P,S); 5: for each OT ∈ OTs do Check satisfiability of OT using the SMT solver; 6: if SAT (OT) then 7: {Add OT to L; 8: Let S′ be the target global state of OT 9: if (S′ 6∈U ∪E) then Add S′ into U ; } 10: end for 11: end while 12: return OA = (InitState(P),L); Algorithm 1 starts with an open pNet, and builds its set of open transitions. Its main loop is a classical residual algorithm: starting from the initial global state, it picks a state in an unexplored set, and computes all possible OTs, adding their target states in the unexplored set, until this set is empty. The inside loop (MakeTransitions method) applies recursively the semantic rules following the structure of the pNet. When applied to a pLTSs at the leaves, we simply take the pLTS transitions of the corresponding local state and use the semantic rule to build the OT1. When applied to a pNet node we use two methods, combining and matching, to generate the open transitions in a hierarchical manner, as shown in Alg. 2. This method directly manages the holes of the node, so MakeTransitions is never called on a hole. At the root of the pNet, the predicate of each OT is translated into SMTlib assertions, and checked for satisfiability. The final open automaton includes all satisfiable OTs, and the set of reachable global states. Combining. The combining method enumerates all the possible behaviours of the subnets as all the possible combinations of their open transitions. Assume that there is a collection of n subnets. We denote ot i the set of open transitions of the i-th subnet (obtained in line 3 of the algorithm); “−” means that the subnet is not involved. The combination comb, a set of n-tuples, is the cartesian product: comb = ({−}∪ot 1)×({−}∪ot 2)×···×({−}∪ot n). 1 We omit detailed presentation of this case for the sake of brevity. AVoCS 2018 10 / 17 ECEASST Algorithm 2 MakeTransitions() for a pNet node Input: a pNet node P with subnets sn and holes hole; a global state S. 1: Initialize empty list l and set L for sub-transitions and transitions, respectively; 2: for each Subnet in sn do \\ Recursively apply the semantic rules on the subnets 3: Store MakeTransitions(Subnet,S) in l; 4: end for 5: comb = Combining(l); 6: for each sv ∈ SV and each comb ∈ comb do 7: ot = Matching(sv,comb,hole); 8: if (ot is defined) then Store ot in L; \\ if Matching() succeeds 9: end for 10: return L; Matching. The Matching method builds the OTs of a pNet node from those of its subnets. For each synchronisation vector and each possible combination of behaviours of the subnets, as gen- erated by the Combining method, it builds the corresponding open transition. Here, we only de- tail the construction of the predicate. From a synchronization vector sv = ( (a′i) i∈I(b′j) j∈J → v′ ) ∈ SV and its guard Gk; a tuple of open transitions C = (ot i)i∈[1,n] ∈ comb, such that, for each i ∈ [1,n], either oti = −, or the result action of oti is ai; the hole behaviours Hole = (b j) j∈J ; and a fresh variable v, representing the result action of the OT under construction, we build the predicate: MkPred(sv,C,hole) = (∀i ∈ I,ai = a′i)∧(∀ j ∈ J,b j = b′j)∧(v = v′)∧Gk. Filtering. While matching a vector with a combination tuple, Matching tries to filter out some incompatibilities; there may be several reasons why the matching would fail: • if some subnet is marked as inactive in the vector, and the chosen combination has an active behaviour at this position, • if some subnet action expression in the vector does not match (by pattern-matching) the corresponding action expression in C, • or if the whole set of active subnet actions in the vector cannot be matched (by unification) with the corresponding action expressions on the tuple C. Even when unification succeeds, it is still possible that the resulting predicate would be unsat- isfiable, because of some incompatibility involving the guards. In our algorithm, we choose to apply only the simplest filter inside the Matching method (before applying the predicate and OT construction). Matching and unification will be checked later, together with the guards collected from synchronisation vectors and from pLTS transtions, using the satisfiability check in the SMT engine. 11 / 17 Volume 076 (2019) Using an SMT engine to generate Symbolic Automata ot = ································································································································ {s0 f ail(true)−−−−−→ s0,t0 resume( f alse)−−−−−−−→ t0}, { hb−→}, f ail(true) = f ail(b1) ∧ resume( f alse) = start(b2) ∧ hb = f ail(b0) ∧ v = f ail ∧ b1 = b2 ∧ (b1 ∨b2)⇒ b0, {} /s0,t0. v−→/s0,t0. Figure 3: One of the unsatisfiable open transitions in the Failure Monitor pNet 5.1 Management of state variable assignments In a pLTS, there may be several incoming transitions that assign potentially different values to a state variable. To handle such cases, the algorithm manages, for each pLTS state, a list of expressions collected from the assignments of each state variable. For a global state in the open automaton, the set of state variables (which may be used in a transition) is the disjoint union of sets of state variables of the individual pLTS states constituting this global state. 5.2 Pruning the unsatisfiable results Our matching/filtering strategy builds some transitions where the predicates express incompat- ible constraints. Even if having an unsatisfiable (symbolic) transition would not be incorrect, we choose to minimize the open automaton (i.e. its number of transitions and states), by check- ing the predicates for satisfiability. In Fig. 3, we show an unsatisfiable open transition from the open automaton of our running example. It shows the case where the failure controller performs a “fail” action, while the timer executes a “resume”. The chosen synchronization vector (SV0 from Fig. 2) does not match with these actions, since it expects T.s. This mismatch is materi- alised by the predicate fragment “resume(false) = start(b2)”. Checking satisfiability requires some symbolic computation on the action expressions and the predicates, which may depend on the specific theory of the action algebra datatypes. The “Modulo Theory” part of SMT solvers is important here, so that the solver can use specific properties of each action algebra. 5.3 Translation to SMTlib We check the satisfiability of each open transitions using the SMT solver Z3. In this section, we describe the translation of the algebra presentation, of assignments, and of the predicates. Our implementation submits satisfiability requests to Z3 using its JAVA API. Here, for read- ability, we show the Z3 code using its SMT-LIB input language. Note that in the previous sections, the OTs were displayed in a simplified, human readable form. The input and output of our tool, and also the generated SMTlib fragments, are slightly more difficult to read, in par- ticular because of structured names for the fresh variables generated by the algorithm, allowing tracability of the result [22]. Figure 4 shows the translation of the transition of Fig. 3 in the SMTlib syntax. It contains the declaration of the BIP action algebra sorts and constructors, then the declaration of variables, and finally the predicate to be checked, encoded as a set of assertions. Here the behavior of the hole “B” appears as a variable “|hb_B:13:1|”, and line 10 shows the constraint that matching with a AVoCS 2018 12 / 17 ECEASST Figure 4: The input of the Z3 solver in SMT-LIB language and the output result synchronisation vector has imposed on the behavior of “B”. Here we display also the diagnosis (“sat” or “unsat”) generated by Z3. By lack of space, we have only shown here a use-case with boolean data parameters, so we only require the basic SAT capability of the Z3 engine. It should be clear that more involved examples will require reasonning on predicates of various data types. Z3 provides theories for reasonning on integers, bitstrings, enumerated types, arrays, etc. We also need to deal with some universal quantification on free variables occuring in the guards of synch vectors. For other data structures usual in such models, like records, or recursive structures, the user will have to develop its own theories. Decidability of these theories will condition the completeness of the satisfiability check, and the decidability of model-checking or bisimulation checking. Production of the SMT-lib code To build the input submitted to Z3 for each OT, we translate the algebra presentation, the predicates and the variable assignments into Z3 (Java-API) calls. Translation of action algebra presentation. In [22], we define the translation of an algebra presentation into SMTlib declarations (declare-datatypes and declare-fun). We also formalize a condition of well-formedness of pNets ensures that the generated code is correct, and will not raise runtime errors in the SMT engine. Note that the declare-datatypes command comprises both the action constructors from table 1 and also the constant action names from our example. Additionally, we will include axiomatisation of any required functions and predicates of the presentation data-types. Translation of open transitions. In [22] we formally define all steps of the translation of each open transition, including: • collect all variables in the transition, and declare them (using declare-const) • check well-formedness and correct typing of expressions, • translate the predicate into a conjunction of assertions, • if present in the source state, translate the state-variable assignments into a disjunctive assertion. This translation ensures that no runtime error will occur in the SMT engine. 13 / 17 Volume 076 (2019) Using an SMT engine to generate Symbolic Automata ask [t = 0] ⊳s2, t0⊲ finish resume [hB = resume(b0)] ⊳s0, t0⊲ ⊳s1, t1⊲ resume [hB = resume(true)] finish finish [hB = resume(b0)] resume fail [hB = fail(b0)] tick [t 6= 0] {t ← t−1} fail [hB = fail(true)] {t ← Max} reset Figure 5: Open Automaton for the Failure Monitor architecture Figure 4 shows the decomposition of the predicate into a set of asserts, each encoding an elementary equality, inequality, or a guard. The result (sat or unsat) of the final check-sat command in the translation () is then decoded. 5.4 Result for the running example For this example, the tool builds 184 open transitions, whereof 173 are detected unsatisfiable by Z3. The resulting open automaton, with 3 reachable global states (out of the possible 6) and 11 open transitions, is shown in Fig. 5. To improve the readability of this figure, we used the following conventions: we omit the transitions of the two pLTS, and the set of “working” holes; and we directly write the resulting action as first element of each OT, rather than including it as an equality inside the predicate. Failure Monitor enforces 1) the safety property “the system reset never happens, unless asked for by a timeout following a failure”, formalised in CTL by ϕ ∧AG(reset → ϕ), where ϕ = A[¬reset W ask]∧A[¬ask W fail], (W being the weak until operator) and 2) the liveness property “a reset will be fired when asked for by a timeout”: AG(ask → AF reset). The satisfaction of the safety property could be estab- lished by applying symbolic model checking techniques. However, in this example, it is obvious by inspection of the open automaton. The satisfaction of the liveness property relies on the above observation that in the state /s2,t0. only the reset transition involves C. Therefore, under resonable scheduling assumptions, reset will always be fired. 6 Conclusion and Discussion The formal definitions and properties of the open pNets model were published in [8]. In this new work we describe an implementation of the model and its semantics construction, including its interaction with the Z3 SMT engine. The implementation has two parts: the first is a finitary algorithm that builds all possible combinations of synchronisations through the pNet hierarchical structure. The result is a so-called open-automaton, which transitions contains predicates relating the actions of the pNet holes and controllers. Some of the open transitions obtained at this step, may contain predicates which do not represent any possible concrete instantiations. In the second part of the tool we use the SMT solver Z3 for checking the satisfiability of the predicate in each AVoCS 2018 14 / 17 ECEASST open transition. To this end, we encode into Z3 the representations of the action algebra and the predicates before submitting them to the Z3 solver. In this paper, we used a running example, based on a BIP architecture from an earlier nanosatellite case study [19]. This example shows that open-automata-based semantics can be instrumental in verifying the properties enforced by the architectures through an encoding into open pNets. This encoding—which we intend to formalise and prove correct in a separate paper—also opens the way for an extension of BIP architectures with the transfer of data among variables of different components. Indeed, such data transfer can be easily encoded using the predicates associated to synchronisation vectors in open pNets. The encoding of open transitions into SMTlib and the availability of theories can guide the definition of such an extension. Our case-studies show that our encoding successfully identifies the unsatisfiable open transitions and that the resulting automata correctly reflect the expected movements of the encoded process expressions. Naturally, our next goals after the generation of the open automata will be to model-check logical properties, and to check equivalence of pNets. While model-checking open automata seems easy to define, equivalence checking is more challenging. In [8], we have already found the FH-bisimulation, to be a suitable definition. But weak equivalences, or refinements, will definitely be useful when comparing different pNets with different structure. For bisimulation, we foresee that SMT methods will be the basis for comparison of open transitions. Scaling up. One important motivation of this work is to attack the complexity of verification of realistic systems by a compositional and parametric approach. Still one may wonder if the price for analysing our symbolic transitions will not make the approach too expensive in term of computing time. We tried a slighly bigger example, assembling 2 Failure controllers. In [22], we show that Z3 can check the satisfiablility of a 90K open transitions in a couple of minutes. Bibliography [1] De Simone, R.: Higher-level synchronising devices in MEIJE-SCCS. Theoretical Com- puter Science 37 (1985) 245–267 [2] Larsen, K.G.: A context dependent equivalence between processes. Theoretical Computer Science 49 (1987) 184–215 [3] Hennessy, M., Lin, H.: Symbolic bisimulations. Theoretical Computer Science 138(2) (1995) 353–389 [4] Lin, H.: Symbolic transition graph with assignment. In Montanari, U., Sassone, V., eds.: Concur’96. Volume 1119 of LNCS., Springer, Heidelberg (1996) 50–65 [5] Hennessy, M., Rathke, J.: Bisimulations for a calculus of broadcasting systems. Theoretical Computer Science 200(1-2) (1998) 225–260 [6] Henrio, L., Kulankhina, O., Liu, D., Madelaine, E.: Verifying the correct composition of distributed components: Formalisation and Tool. In: FOCLASA. Number 175 in EPTCS, Rome, Italy (2014) 15 / 17 Volume 076 (2019) Using an SMT engine to generate Symbolic Automata [7] Henrio, L., Madelaine, E., Zhang, M.: pNets: an Expressive Model for Parameterised Net- works of Processes. In: 23rd Euromicro International Conference on Parallel, Distributed, and Network-Based Processing (PDP’15), IEEE (2015) [8] Henrio, L., Madelaine, E., Zhang, M.: A Theory for the Composition of Concurrent Processes. In: Formal Techniques for Distributed Objects, Components, and Systems (FORTE). Volume LNCS-9688., Heraklion, Greece (2016) [9] Déharbe, D.: Integration of smt-solvers in b and event-b development environments. Sci- ence of Computer Programming 78(3) (2013) 310–326 [10] Déharbe, D., Fontaine, P., Guyot, Y., Voisin, L.: Integrating smt solvers in rodin. Science of Computer Programming 94 (2014) 130–143 [11] Barrett, C., Conway, C., Deters, M., Hadarean, L., Jovanović, D., King, T., Reynolds, A., Tinelli, C.: Cvc4. In: Computer aided verification, Springer (2011) [12] Armand, M., Faure, G., Grégoire, B., Keller, C., Théry, L., Werner, B.: A modular inte- gration of sat/smt solvers to coq through proof witnesses. In: International Conference on Certified Programs and Proofs, Springer (2011) 135–150 [13] Basu, A., Bensalem, S., Bozga, M., Combaz, J., Jaber, M., Nguyen, T.H., Sifakis, J.: Rig- orous component-based system design using the BIP framework. IEEE Software 28(3) (2011) 41–48 [14] Baranov, E., Bliudze, S.: Offer semantics: Achieving compositionality, flattening and full expressiveness for the glue operators in BIP. Science of Computer Programming 109(0) (2015) 2–35 [15] Attie, P., Baranov, E., Bliudze, S., Jaber, M., Sifakis, J.: A general framework for architec- ture composability. Formal Aspects of Computing 18(2) (2016) 207–231 [16] Milner, R.: Communication and Concurrency. Int. Series in Computer Science. Prentice- Hall, Englewood Cliffs, New Jersey (1989) SU Fisher Research 511/24. [17] ISO: Information Processing Systems – Open Systems Interconnection – LOTOS – A For- mal Description Technique based on the Temporal Ordering of Observational Behaviour. ISO/IEC 8807, International Organisation for Standardization, Geneva, Switzerland (1989) [18] Barrett, C., Fontaine, P., Tinelli, C.: The SMT-LIB Standard: Version 2.6. Techni- cal report, Department of Computer Science, The University of Iowa (2017) Available at www.SMT-LIB.org. [19] Mavridou, A., Stachtiari, E., Bliudze, S., Ivanov, A., Katsaros, P., Sifakis, J.: Architecture- based design: A satellite on-board software case study. In: 13th Int. Conf. on Formal Aspects of Component Software (FACS 2016). (2016) [20] Bliudze, S., Sifakis, J.: The algebra of connectors—Structuring interaction in BIP. IEEE Transactions on Computers 57(10) (2008) 1315–1330 AVoCS 2018 16 / 17 ECEASST [21] Bliudze, S., Sifakis, J.: Causal semantics for the algebra of connectors. Formal Methods in System Design 36(2) (2010) 167–194 [22] Qin, X., Bliudze, S., Madelaine, E., Zhang, M.: Using SMT engine to generate Symbolic Automata – Extended version. Rapport de recherche RR-9177, INRIA (June 2018) 17 / 17 Volume 076 (2019) Introduction Background: pNets definition The (open) pNets Core Model Running example Operational Semantics for Open pNets Generation of Open Automata Management of state variable assignments Pruning the unsatisfiable results Translation to SMTlib Result for the running example Conclusion and Discussion