RESY: Requirement Synthesis for Compositional Model Checking

The requirement synthesis tool RESY automatically computes environment assumptions for compositional model checking. Given a process M in a multi-process PROMELA program, an abstraction refinement loop computes a coarse equivalence relation on the states of the environment, collapsing two states if the environment of M can either force the occurrence of an error from both states or from neither state. RESY supports three different operation modes: assumption generation, compositional model checking, and front-end to the model checker SPIN. In assumption generation mode, RESY minimizes the size of the assumption; small assumptions are useful for program documentation and as certificates for re-verification. In compositional model checking mode, RESY terminates as soon as the property is proven or disproven, independently of the size of the assumption. In front-end mode, RESY terminates when the size of the assumption falls below a specified threshold, and calls SPIN with the simplified verification problem. 1 Requirement Synthesis RESY is a tool for the automatic synthesis of requirement automata for safety properties. Requirement automata represent the assumptions an environment makes on the behavior of a component. Typical applications include program documentation [1], where the synthesized requirements help the user to understand the interaction of the program components; program certification [2], where the synthesized requirements simplify the re-verification of the system (possibly by a different user and a different tool); and compositional model checking [3], where the requirement is synthesized and used during the same model checking run, in order to avoid the construction of the full product state space. RESY implements the requirement synthesis algorithm presented in [4]. Given a system M‖E, which consists of a process M and its environment E, RESY computes an equivalence relation on the states ofM , collapsing two states if E can either force the occurrence of an error from both states or from nei⋆ This work was partly supported by the German Research Foundation (DFG) as part of the Transregional Collaborative Research Center “Automatic Verification and Analysis of Complex Systems” (SFB/TR 14 AVACS). ther state. The requirement automaton is the quotient of M with respect to the equivalence relation. Key advantages of this approach are that the generated requirement automaton is small (RESY’s equivalence is much coarser than language-based equivalences like bisimulation), inexpensive to compute (RESY is often dramatically faster than L*-based requirement learning), and easy to re-verify (implementation and requirement are related by a simple homomorphism). 2 Generating Requirements from Abstractions Computing the equivalence relation requires two traversals of the state space. In a forward traversal, we identify states of the process M that are all either reachable or unreachable, depending on the state in the environment E they are combined with. In a backward traversal, we identify states of M that either all have or all do not have a path to the error, depending again on the state in E they are combined with. To avoid the expansion of the full state graph, RESY considers abstractions of E. The abstractions are computed in an automatic abstraction refinement loop that, starting with the trivial abstraction, incrementally increases the size of the abstraction. The abstraction E of the environment is a modal transition system that is defined by an equivalence relation ≃ on E. Replacing E with its abstraction introduces the possibility that two states of M both lead to an error when composed with E , but only one of them leads to an error when composed with E. RESY therefore distinguishes situations that may lead to an error (i.e., when the error is reached in the composition with E but not necessarily in E) from situations that must lead to an error (both in composition with E and in composition with E). Merging two states of M is safe in two cases: (1) if they both must lead to an error, and (2) if neither of them may lead to an error. The environment abstraction identifies must and may transitions. In the backward analysis, for example, a transition ([v], a, [v]) is a must transition if, for all states w ≃ v, there is a state w ≃ v such that (w, a, w) is a transition of E. Reachability on must transitions is a sufficient criterion for reachability in the concrete system; unreachability on may transitions is a sufficient criterion for unreachability in the concrete system. In each abstraction refinement step, RESY uses a heuristic to pick some may transition ([v], σ, [v]) of the forward or backward analysis that is not also a must transition, and splits the equivalence class [v] (respectively [v]), distinguishing states that either have or do not have the incoming (respectively outgoing) transition in E. By default, RESY picks forward and backward transitions that are closest to the initial state and the error, respectively. RESY recognizes situations in which further refinements of the environment abstraction will no longer lead to a reduction of the requirement automaton. Depending on RESY’s operation mode, the refinement loop may also be interrupted earlier, yielding a sound but not necessarily minimal requirement automaton.