The fcTools User Manual

action t tti r t tti r t tti r think1 t i t i t i tau ta ta ta eat1 t ea t eat ea ~tau ta ta ta think2 t i t i t i tau ta ta ta eat2 t ea t eat ea ~tau ta ta ta think3 t i t i t i tau ta ta ta bad-philo il il il il il il il il Figure 8: philosophers abstract-action structs 1 :0 "abstract-action" behavs 6 :0 "eat1" :1 "eat2" :2 "think1" :3 "think2" :4 "think3" :5 "bad-philo" struct 0 logic "initial">0 hook "abstract_action" vertice 9 vertex0 edges 1 edge0 behav 2 -> 1 vertex1 edges 1 edge0 behav tau -> 2 vertex2 edges 1 edge0 behav 0 -> 3 vertex3 edges 2 edge0 behav 3 -> 4 edge1 behav ~tau -> 3 vertex4 edges 1 edge0 behav tau 20 -> 5 vertex5 edges 1 edge0 behav 1 -> 6 vertex6 edges 2 edge0 behav 4 -> 7 edge1 behav ~tau -> 6 vertex7 edges 1 edge0 behav tau -> 8 vertex8 behav 5 7.1 The Explicit Abstractor fc2abst To run the explicit abstractor, two fc2 les must be provided: 1. the network description of the system 2. the automaton description of abstract actions The global product is computed wrt the abstract action and instead of producing the whole global system, only the abstracted one is built. 7.2 The Implicit Abstractor fc2iabst From the transition relation of the global automaton and the abstraction criterion, an abstract transition relation is built. Then, to get the abstract model, we compute the reachable states from the initial state with the new transition relation. The command fc2iabst is actually a restricted use of the tool command fc2implicit. One has in fact to give two fc2 les as input to the command, the rst being the network description and the second the abstract criterion. Result output option is automatically set. See section 2.3 for Unix command syntax. 8 Veri cation by Observers and Comparisons A great deal of practical veri cation is usually conducted by compiling an automaton-like structure from the property to establish, with possibly additional annotations on states and transitions of various sorts (success, failure or recur states, don't care transitions,...). Veri cation then starts by constructing a synchronised product of the (usually large) network state space with the (usually smaller) state space of the observer stucture. One can attempt to introduce the actual veri cation algorithms in the middle of this construction, to get potential negative results as early as possible (known as \on the y" or \local" techniques). Here again the distinction between implementations based on explicit and implicit state representation are relevant, and here symbolic techniques are usually a clear winner, the more so if no representation of subsets of transitions are required, and only forward search across states is needed (since backward search may exit the reachable state space and needs to be controled). The combined construction poses little problem. For counterexample facility one has to recover symbolically these states from the network which can be couple (in the synchronous product) to particular states of the observers (these showing success or failure...). Results are then analysed, 21 which in case of undesirable reachable states leads usually to a counterexample path in the product. Source recovery functions are then needed to uplift this diagnostic back to the original multi le network description. 22 9 Top-Level Interface: fc2tcl To rend easy the use of the di erent tools and their related commands, we have encapsulated them in a single environment within a Tcl top-level interpretor. New Tcl commands have been added to call properly the tools' functionnalities. Its related Unix command is called fc2tcl and need no option. When called, the tool displays a prompt and waits for commands. All prede ned Tcl commands are accepted, see [4]. We have de ned a set of new Tcl commands related to the fc2 tools functionnalities. Commands are designed in an object-oriented style: objects are those de ned in fc2 desriptions (automata and networks), and methods are the functions that can be applied on them. As one can imagine, ojects have to be created rst and this is done by the reading and the parsing of fc2 les. Object creation: the interface provides two commands for object creation, one for each kind of representation, i.e. explicit or implicit, called estage and istage respectively. They both return an object of type corresponding to type of the the main net declared in the read le. Both commands need two arguments exactly: rst the name of the variable in which the object has to be stored followed by the name of the fc2 le de ning the object. If varcmd is the name of the variable in the command line, then a new new Tcl command with the same name is also created. This command serves for the manipulation of the created object. Automata manipulation: when the object de ned in a le is just an automaton, the object creation commands stores it in the given variable, say varcmd. Then the automaton can be manipulated through the command varcmd in the following way: varcmd options -fc2 le.fc2 With options, one speci es which operation one wants to operate on the automaton represented by varcmd. The -fc2 option saves the result in an fc2 le whose name follows. Options are: mini bisimulation : to perform a bisimulation minimization. The kind of bisimulation is speci ed just after with one of the keywords strong, weak or branching or their abbreviation s, w, b. If option -fc2 is set, then the quotient automaton is saved in the speci ed le. abstract le.fc2 : to abstract the automaton w.r.t. an abstract criterion given in the fc2 le le.fc2. If option -fc2 is set, then the abstract automaton is saved in the speci ed le. Network manipulation: when the object is a hierarchical network, varcmd contains it and the command is used for the manipulation of the network. The general command line is similar to the one of automata, but options are di erent. We give them in details: reach type : to compute the global reachable states of the network. The speci er type can be one of dead, live or dive: if added, it computes the set of deadlock states, livelock states and divergent state respectively. If option -fc2 is set and no speci er is given, then the global automaton is saved in the given fc2 le, else, an example path leading to a selected state belonging to the computed set is extracted and saved in the given fc2 le. mini bisimulation : same as automata. The minimization is here performed on the global automaton attached to the network, that has to be rstly evaluated. abstract le.fc2 : same as automata. compare f-seq | -weqg le.fc2 : to compare the global automaton with the speci cation given in the fc2 le with the help of strong (resp. weak) bisimulation if -seq (resp. -weq) speci er is given. The command outputs true or false. 23 The current version works only with implicit techniques when dealing with networks. Future versionsshall use also explicit tools included in the package. Also, we shall improve the toplevel environment bysaving results in reusable variables instead of saving them in les. We plan to add graphical facilities torepresent each object in the environment: speci c menus shall provide the set of operations appliableon each objects.24 References[1] A. Bouali and R. de Simone. Symbolic bisimulation minimisation. In Fourth Workshop onComputer-Aided Veri cation, volume 663 of LNCS, pages 96{108, Montreal, 1992. Springer-Verlag.[2] P.C. Kanellakis and S.A. Smolka. CCS expressions, nite state processes, and three problems ofequivalence. Information and Computation, 86:43{68, 1990.[3] E. Madelaine and R. de Simone. The FC2 Reference Manual. available by ftp fromcma.cma.fr:pub/verif as le fc2refman.ps.gz, 1993.[4] J.K. Ousterhout. Tcl and the Tk Toolkit. Professional Computing Series. Addison-Wesley, 1994.25