The Mur' Verification System

Computer Systems Laboratory Stanford University Email: [email protected] Abstract. This is a brief overview of the Mur' verification system. The Mur' description language Mur' is both a description language and a verifier for finite state concurrent systems [DDHY92]. It is appropriate for protocols and finite-state systems which can reasonably be modelled as a collection of processes that run at arbitrary speeds, where the steps of the processes interleave (only one process takes a step at any time), and where the processes interact by reading and writing shared variables. The Mur' verifier works by explicitly generating states and storing them in a hash table. We have put some effort into developing state reduction techniques, including symmetry reduction [ID93a, ID93b] , exploitation of reversible rules [ID96a], and verification of systems with varying numbers of replicated components [ID96b]. We have also investigated probabilistic verification techniques in Mur' [SD95c]. The Mur' description language was inspired by Misra and Chandy’s Unity formalism [CM88]. A Mur' description consists of a collection of declarations of constants, data types such as subranges, records, and arrays, global variables, transition rules (which are guarded commands), start rules, and invariants. The rules are similar to compound statements Pascal or Modula. Indeed, a rule can be arbitrarily complex, yet it is still executed atomically, meaning that the other rules cannot interfere. A state consists of the current values of the global variables. An execution of a Mur' program is any sequence of states that can be generated by starting in one of the states generated by a start rule, then repeatedly selecting a rule and executing it. Executing a rule generally changes the state, because the rule assigns to the global variables. Mur' is nondeterministic: there can be many executions, varying according to which rule was selected at each step of the execution. A user can encode one of several concurrent processes by declaring variables for the process state and providing rules to capture its behavior. The behavior of several processes can be simulated by forming the union of the state variables and rules into a single Mur' program. Rule selection then simulates scheduling choices (the process whose rule is chosen runs next) as well as nondeterministic choice within a process.