ProB and XTL :
Model checkers for B and DSSLs
Michael Leuschel
University of Southampton
ProB: Why?

Animate a B-specification


No need for user to guess parameters
Verify a B-Specification
Temporal & State-Based model checking
 Test-case generation & synchronise with implementation


Benefits
Gain confidence in specifications
 Detect bugs before attempting formal proofs
 Check final implementation againts spec
 Learn how B works

ProB: Internals
XML
Encoding
B
Machine
Tatibouet’s
Parser Java
CLP
B-Kernel
subset_of
partial_function
add
…
Parser &
Specialiser
Prolog
Encoding
B-Interpreter
b_execute_statement
b_evaluate_expression
…
Everything except Tatibouet’s parser: in SICStus Prolog
Temporal vs State-Based MC

Temporal




Start from initial state
Find sequence of operations that lead to error
Examples: Spin, SMV, …
Model/State Based



No concept of initial state
Find a valid state (satisfies invariant) such that
applying a single operation leads to an error
Example: Alloy
ProB: A Demo





Animation
Temporal Model Checking
State-Based Model Checking
Visualization
Linking with Java implementation
And now for something
different: XTL

XTL


Written in XSB-Prolog
Exhaustive, finite state model checker for
CTL specifications
 Systems represented in XSB-Prolog (e.g., interpreters!)


Ok, but why YAP (Yet Another Prolog) ?
Prolog: The Base
Qu i ck Ti me ™a nd a TIFF (Unc om pres se d) de co mp re ss or are n ee de d to s ee th is pi ctu re .
QuickTi me™ and a TIFF (U ncompressed) decompressor are needed to see this picture.
XSB Prolog
SICStus Prolog
Ciao Prolog
Free, reasonable support
Commercial, academic
site-license, good support
Free, GPL, Access to
developers (ASAP)
Attributed variables
Co-routining, CLP(FD),
CLP(Q&R), CLP(B)
Co-routining, CLP(Q&R),
waiting for CLP(FD)
Tabling
-
-
Java via InterProlog, bad
support
Good Java (Jasper) +
Tcl/Tk interface
Unidirectional Tcl/Tk,
low-level Java, Emacs
PDA-version in the works
PDA-version “planned”
Other players: Mercury (.Net), SWI-Prolog, Yap, IF-Prolog
Tabling: what’s all the fuss?

What it does for you:



Loop checking
Answer Propagation
Program at a higher-level
& Speed!



:- table p/0.
q :- p.
p :- p.
r :- not q.
:- table path/3.
path(X,X,[]).
path(X,Y,[X|T]) :arc(X,Z), path(Z,Y,T).
arc(a,b). arc(b,a).
XSB can be used as deductive database
Useful for parsing
Useful for verification
:- table model_check/1, model_check/2.
model_check(S) :- prop(S,unsafe).
model_check(S) :- trans(_,S,NS), model_check(NS).
model_check(S,[]) :- prop(S,unsafe).
model_check(S,[A|T]) :- trans(A,S,NS), model_check(NS,T).
Tabling II

Loop checking can be easily done in Prolog: e.g.,
assert/retract
:- dynamic tabled/1.
check_table(X) :- (tabled(X) -> (fail) ; assert(tabled(X))).
model_check(S) :- prop(S,unsafe).
model_check(S) :- trans(_,S,NS), check_table(NS),model_check(NS).

But:
No answer propagation
 Speed! (using CSM from Babylon)

Tabling vs Assert - Bench
1000
772.5
650.21
288.02
650.21
772.5
100
300
288.02
32.3
11.25
10
250
10.069
4.58
4.43
200
1.081
1
0
5
10
15
20
0.26
150
100
0.01
ID-15
SICS-assert
Ciao-assert
XSB
0.11
0.1
0.01 0.009
50
0.001
32.3
0
0
0.26
0.11
0.01 0.009
0
5
0.001
11.25
4.43
1.081
10
25
10.069
4.58
15
20
25
ID-15
SICS-assert
Ciao-assert
XSB
XSB:
2: 0.0000 s - 76 states
4: 0.0090 s - 340 states
8: 0.1190 s - 1956 states
16: 1.0810 s - 13124 states
24: 4.5800 s - 41700 states
32: 10.0690 s - 95876 states
SICSTUS - assert
2: 0.010 s - 76 states
4: 0.260 s - 340 states
8: 11.250 s - 1956 states
16: 772.500 s - 13124 states
Summary of our Tools
ECCE
Online specialiser
For pure Prolog
Can do infinite state MC
ProB
model checker &
animator for B
XTL
finite state model checker
for any system encoded in
XSB Prolog
StAC
XSB Prolog
LOGEN
Fast offline specialiser &
compiler generator for Prolog
SICStus Prolog
Ciao Prolog
XTL



Model checker for finite state systems
Written in XSB-Prolog
Pure & simple:


Can be analysed and specialised by other systems
Generic:
Can handle any system described in (XSB)-Prolog
 Ex: Writing an interpreter for StAC in XSB is much easier
than writing a compiler to Promela! (interpreter)


Efficient despite flexibility!
*** = out of memory
One Benchmark: CSM
k=2
XTL
Spin
FDR
Livelock Testing
(from Babylon)
Refinement
(wo compilation time,
wo time to find search depth)
XSB 2.4
XSB 2.5
G4 667Mhz
500Mb
0.10
0.17
0.03
0.01
0.01
4
0.25
0.28
0.03
0.02
0.03
8
1.80
2.17
0.12
0.15
0.23
16
35.64
35.04
0.91
1.27
2.21
24
***
***
3.48
32.04
8.82
32
-
-
9.21
220.36
24.18
40
-
-
20.80
48
-
-
***
746.85 ***
***
-
Future Work

Full scale application of XTL to StAC
Integrate Logen into ProB &XTL
Extend ProB to handle more of B, check refinement

Apply XTL to Proforma, <insert your favourite lge here>,…

Apply XTL to ProB-interpeter
Apply ECCE for infinite state MC


