0% found this document useful (0 votes)

88 views49 pages

Verification of Timed Erlang/OTP Components Using The Process Algebra CRL

This document discusses translating timed Erlang/OTP components into the process algebra μCRL for verification. It provides background on μCRL and reviews related work translating Erlang syntax and components like finite state machines into μCRL. However, existing work did not define rules for translating timeout events, which are important for real applications. This paper extends previous work by investigating the verification of timed Erlang/OTP components in μCRL.

Uploaded by

mberrow

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

88 views49 pages

Verification of Timed Erlang/OTP Components Using The Process Algebra CRL

Uploaded by

mberrow

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 49

Verification of Timed Erlang/OTP Components

Using the Process Algebra µCRL

Qiang Guo and John Derrick

Department of Computer Science,
The University of Sheffield,
Regent Court, 211 Portobello Street, S1 4DP, UK
{Q.Guo, J.Derrick}@dcs.shef.ac.uk

October 05, 2007

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Motivation

• Erlang is a concurrent functional programming language with explicit support for real-time
and fault-tolerant distributed systems.
• Although Erlang has many high-level features, verification can still be non-trivial. One
approach is to perform an abstraction of an Erlang program into the process algebra µCRL,
upon which standard tools such as CADP can be applied.
• This approach has recently been applied to the verification of Erlang programs and OTP
components supervisor, generic server and finite stat machine (FSM).
• No existing work has defined rules for the translation of timeout events into µCRL. This could
dramatically degrade the usability of the existing work as in some real applications, timeout
events play a significant role in the system development.
• In this paper, by extending the existing work, we investigated the verification of timed
Erlang/OTP components in µCRL.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 1
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Outline

• Introduction of the process algebra µCRL;

• A review on the related work;
• Translating timed Erlang/OTP components into µCRL;
• Two case studies;
• Conclusions and future work.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 2
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

The Process Algebra µCRL

• The process algebra µCRL (micro Common Representation Language) is extended from
the process algebra ACP where equational abstract data types are integrated into process
specification.
• A µCRL specification is comprised of two parts: the data types and the processes.
• Processes are declared using the keyword proc.
• A process may contain actions representing elementary activities that can be performed. These
actions must be explicitly declared using the keyword act.
• Data types are specified as the standard abstract data types, using sorts, functions and axioms.
Sorts are declared using the key work sort, functions are declared using the keyword func and
map is reserved for additional functions. Axioms are declared using the keyword rew, referring
to the possibility to use rewriting technology for evaluation of terms.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 3
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Related Work - Translating Erlang Syntax

• Arts et al. initiated the studies of translating Erlang into µCRL. Benac-Earle developed a
toolset etomcrl to automate the process of translation.
• Rules for the translation of pattern matching, communication, functions with side-effects,
higher-order functions, generic server and supervision tree have been defined respectively;

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 4
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Related Work - Overlapping in Pattern Matching

• The toolset etomcrl translating the pattern matching in a way where overlapping patterns are
not considered.
• In Erlang, evaluation of pattern matching works from top to bottom and from left to right.
• The µCRL toolset instantiator does not evaluate rewriting rules in a fixed order.
• If there exists overlapping between patterns, the problem of overlapping in pattern matching
occurs, which could lead to the system being represented by a faulty model.
• Benac-Earle discussed a solution to cope with the problem, but did not apply the technique in
etomcrl.
• Guo et al. proposed a different solution, whereby an Erlang program with overlapping patterns
is transformed into a counterpart program without overlapping patterns.
• A data structure called the Structure Splitting Tree (SST) is defined and applied for pattern
evaluation, and its use guarantees that no overlapping patterns will be introduced to the
transformed program.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 5
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Related Work - Translating Finite State Machine

• Guo et al. studied the translation of the Erlang finite state machine (FSM) design pattern.
• By extending the approach discussed by Arts et al., a model was proposed to support the
translation of an Erlang FSM component into µCRL.
• The translation of the Erlang gen fsm module into µCRL is comprised of two parts, simulating
state management and translating the state functions.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 6
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Related Work - Translating FSM::Simulating State Management

• A (one place) stack is used in the µCRL specification to simulate the management of FSM states and state data.
Actions s event, r event and send event, are defined to save and read data from the stack; s event |
r event = send event.
• The process write is defined to push a data onto the stack while the process read to pop from the stack.
• An Erlang FSM state S1 is assigned with a µCRL state name s S1 (“s ” plus the state name) and a state
process f sm S1 (“fsm ” plus the state name).
• The current state and the state data are coded in a tuple with the form of tuple(state, tuplenil(state data))
and saved in the stack.
• The process fsm init(State:T erm, Data:T erm) initially pushes tuple(Init State, tuplenil(State Data))
onto the stack. The process fsm next state(State:T erm, Data:T erm) updates the current state and the
state data in the stack.
• The process fsm next state receives a command through r command. When a command is received, the
process f sm state change is proceeded where the current state and the state data are read out from the
stack. The current state determines which state process is about to be activated.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 7
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

act fsm change state =

s event, r event, send event: Term sum(Cmd:Term,
r event(Cmd).read(Cmd))
comm
s event | r event = send event fsm init(S:Term,Data:Term) =
fsm next state(S,Data)
proc
write(Val:Term) = fsm next state(S:Term,Data:Term) =
wcallresult (Val) wcallresult(tuple(S,tuplenil(Data))).
sum(Cmd:Term,r command(Cmd).
read(Cmd:Term)= s event(Cmd).fsm change state)
sum(Val:Term, recallresult(Val).
fsm S1 (Cmd,element (2,Val)) fsm S1 (Cmd:Term, Data:Term) =
C is s S1 (element(1,Val)) B pre defined actions ...
fsm S2 (Cmd,element (2,Val)) fsm next state(next State, new data)
C is s S2 (element(1,Val)) B ....
... fsm Sn (Cmd:Term, Data:Term) =
fsm Sn (Cmd,element(2,Val)) pre defined actions ...
C is s Sn (element(1,Val))B fsm next state(next State,new data)
delta)

Figure 1: Rules for translating state processes.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 8
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

act fsm change state =

Figure 2: Rules for translating state processes.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 9
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

act fsm change state =

Figure 3: Rules for translating state processes.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 10
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

act fsm change state =

Figure 4: Rules for translating state processes.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 11
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

act fsm change state =

Figure 5: Rules for translating state processes.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 12
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

act fsm change state =

Figure 6: Rules for translating state processes.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 13
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Related Work - Translating FSM::Translating State Functions

Si (N) →
case N of Si (N) when N is of P1 →
P1 → actions(1);
actions(1); Si (N) when N is of P2 →
P2 → actions(2);
actions(2); ...
... Si (N) when N is of Pn →
Pn → actions(n).
actions(n)
end.

Figure 7: Guarded Erlang programs.

• The translation of an Erlang state function into µCRL starts by splitting the function into two parts, one of
which defines a series of µCRL state functions while the other a set of action sequences.
• Every set of action sequences is translated into a pre-defined action set in µCRL. According to the order that
patterns occur in the Erlang function, the pre-defined action sets are uniquely indexed with a set of integers.
• For example, in Figure 7, the set of action sequences {actions(1), ..., actions(n)} is indexed with an integer
set {1, ..., n} where integer i identifies the pre-defined action set actions(i).

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 14
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

• The selection of a µCRL state function for execution is determined by the pattern of function arguments.
• By the end, the µCRL function returns a tuple with the form of tuple(next state, tuple(new data,
tuplenil(index))) where next state returns the next state, new data the updated state data and index
the index of the action sequence that needs to be performed.
• To eliminate any potential overlapping between patterns, techniques proposed by Guo et al. are applied.
• Figure 8 illustrates the translation rules for the Erlang state function shown in Figure 7.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 15
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

rew proc
Si(Args) = fsm Si(Cmd:Term,Data:Term) =
Si case 0(patterns match(Args,P1),Args) actions(1).
Si case 0(true,Args) = fsm next state(element(1,Si(Cmd,Data)),
tuple(Sj ,tuple(Data,tuplenil(1))) element(2,Si(Cmd,Data)))
Si case 0(false,Args) = C element(3,Si(Cmd,Data))=1 B
Si case 1(patterns match(Args,P2),Args) (actions(2).
Si case 1(true,Args) = fsm next state(element(1,Si(Cmd,
tuple(Sk ,tuple(Data,tuplenil(2))) Data)),element(2,Si(Cmd,Data)))
... C element(3,Si(Cmd,Data))=2 B
Si case (n-1)(true,Args) = ...
tuple(Su,tuple(Data,tuplenil(n-1))) (actions(n).
Si case (n-1)(false,Args) = fsm next state(element(1,Si(Cmd,
Si case n(patterns match(Args,Pn),Args) Data)),element(2,Si(Cmd,Data)))
Si case n(true,Args) = C element(3,Si(Cmd,Data))=n B
tuple(Sv ,tuple(Data,tuplenil(n))) delta)...)

Figure 8: Translation rules for Erlang state function.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 16
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Figure 9: Translation rules for Erlang state function.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 17
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Figure 10: Translation rules for Erlang state function.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 18
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Figure 11: Translation rules for Erlang state function.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 19
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Related Work - Model Checking Erlang in µCRL

• Once an Erlang program is translated into a µCRL specification, one can check the system
properties by using some existing tools such as CADP.
• Properties one wishes to check with the CADP model checker are formalized in the regular
alternation-free µ-calculus (a fragment of the modal µ-calculus), a first-order logic with
modalities, and least and greatest fixed point operators.
• Automation for property checking can be achieved by using the Script Verification Language
(SVL). SVL provides a high-level interface to all CADP tools, which enables an easy description
and execution of complex performance studies.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 20
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Translating Timed Erlang/OTP Components

• All existing work so far translates Erlang programs without taking timeout events into account.
• This could degrade the usability of the existing work.
• In some real applications, timeout events play a significant role in the OTP design.
• This paper studies the translation of timeout events into µCRL and defines rules to support
the translation of timed Erlang functions into µCRL.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 21
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Translating Timed Components - Definition of a Timer in µCRL

• Two approaches might be considered to extend the existing work for coping with timeout
events; (I) use a timed extension to µCRL; (II) define a timer in the untimed µCRL.
• A timed version of µCRL was defined in by Groote et al. but has limitations in the applications.
• This work considers the second approach. A timer and an explicit timing action tick are
incorporated in the µCRL specification.
• A timer, has two states, on and off. The µCRL function set(t:Timer, x:Natural) instantiates a
timer with an integer while the µCRL function expired(t:Timer) evaluates whether the time-up
occurs.
• A timer periodically calls the µCRL function pred(t:Timer) to count down the value of timing.
To do so, the µCRL function pred(x:Natural) with an integer as its argument needs to be
defined before the definition of timer.
• The µCRL function pred(x:Natural) determines the time elapse unit for a timer, namely,
pred(x) = x - time elapse unit. For example, if the time elapse unit is defined as 1, then
pred(3) = 2 and pred(2) = 1.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 22
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

• Figure 12 illustrates the µCRL syntax.

sort var
Timer t:Timer
func n:Natural
off:→ Timer rew
on: Natural → Timer expire(off)=F
map expire(on(n))=eq(0,n)
pred: Timer → Timer pred(on(n))=on(pred(n))
expired: Timer → bool pred(off)=off
set: Timer # Natural → Timer set(t,n)=on(n)
reset: Timer → Timer reset(t)=off

Figure 12: The syntax of a µCRL timer

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 23
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Translating Timed Components - Translating Timed Functions

• To incorporate timeout events in the translation, for those Erlang functions with timing
restrictions, two processes are defined in µCRL, one of which deals with timing; the other
copes with count down.
• When the timing begins, the timing process will be called. The timing process will either call
another process or activate the count down process (counts down the timer by one unit).
• When going through the count down process, the timer is evaluated.
• If the timer does not expire, a tick action will be performed once, stating the passing of one
time elapse unit. Afterwards, the timing process is called;
• otherwise, a timeout event will be generated and the corresponding timeout process is enabled
to process the event.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 24
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

Figure 13: FSM - Door with Code Lock:Design.

• Figure 13 and 14 illustrates an example - A door with code lock. The door consists of two
states, locked and open, and a system code for opening the door.
• Initially, the door is set to locked while the code is set to a word.
• The door switches between states, driven by an external event.
• A timing restriction is applied for the system. If the door is switched to the open state and no
action is performed within a defined period, a timeout event is generated, which activates the
timeout function to close the door.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 25
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

-module(fsm door). locked({button, Password}, Code) →

-export([start link/1, button/1, init/ 1]). case Password of
-export([locked/2, open/ 2]). Code →
action:do unlock(),
start link(Code) → {next state, open, Code, 20000};
gen fsm:start link(local, fsm door, Wrong →
fsm door, Code,[]). action:display message(),
{next state, locked, Code}.
init(Code) →
{ok, locked, Code}. open({button, Password}, Code) →
action:do lock(),
button(Password) → {next state, locked,Code};
gen fsm:send event(fsm door, open(timeout, Code) →
{button, Password}). action:display message(),
action:do lock(),
{next state, locked, Code}.

Figure 14: The Erlang code for a door with code lock.

Sixth ACM SIGPLAN Erlang Workshop, Freiburg, Germany, October 05, 2007 page 26
Q.Guo & J.Derrick Verification of Timed Erlang/OTP Components Using the Process Algebra µCRL

proc
fsm locked(Cmd:Term,Data:Term,x:Natural) =
do unlock . locked timing(Cmd,Data, on(x))
C term to bool(equal(element(int(1),element(int(3),
locked(Cmd,Data))),int(1))) B
warning message .
fsm next state(element(int(1),locked(Cmd,Data)),
element(int(2),locked(Cmd,Data)))

locked timing(Cmd:Term,Data:Term,t:Timer) =
count down locked(Cmd,Data,t) +
fsm next state(element(int(1),locked(Cmd,Data)),
element(int(2),locked(Cmd,Data)))