Automating the Analysis of the Finite State Machines at CERN
Yi Ling Hwong, Jeroen Keiren, Vincent Kusters, Sander Leemans, Tim Willemse
Namur, February 9, 2012
Department of Mathematics and Computer Science

CERN
Thanks to Vincent Kusters for the slides!

Large Hadron Collider
[image slide]

Compact Muon Solenoid
[image slide]

Finite State Machines
CMS uses over 30,000 Finite State Machines to do the supervisory control of the detector.
Diagram: Operator -> FSM tree -> Hardware

Problem
The system exhibited some problems during operation.
Goal: find errors in CMS finite state machines using mCRL2-based verification tools.

Objective
Diagram: FSM subtree + Requirement -> Tool -> True (✔) / False (✗)

State Manager Language
SML:
    class: $FWPART_$TOP$RPC_Chamber_CLASS
      state: OFF
        when (($ANY$FwCHILDREN in_state ERROR) or
              ($ANY$FwCHILDREN in_state TRIPPED)) move_to ERROR
        ...
        action: STANDBY
          do STANDBY $ALL$RPC_HV
          do ON $ALL$RPC_LV

Formalization
Approach to formalizing SML:
1. Interview developers.
2. Formalize a small subsystem in the mCRL2 process algebra.
3. Validate using simulation and model checking.
4. Automate translation.

Phases
Diagram of the two phases of an SML object (when phase, action phase).
States in the diagram: waiting for command or state-update; evaluating when clauses; executing statements; emptying command queue.
Transition labels in the diagram: received state-update; all guards are false; received command; executed last statement; command queue is empty.

Translating SML to mCRL2
SML:
    class: Chamber
      state: S0
        when C1 move_to S1
        when C2 move_to S2
        ...
mCRL2:
    proc Chamber(id, p, chs, state, phase) =
        isS0(state) && isWhenPhase(phase) && C1
          -> move_to(id, S1) . Chamber(id, p, chs, S1, phase)
          <> ...
        isS0(state) && isWhenPhase(phase)
          -> send_state(id, p, state) . move_phase(id, ActionPhase) .
             Chamber(id, p, chs, state, ActionPhase)

Validation
Translation was validated in a case study.
Diagram: FSM tree of the case study with nodes Wheel, Sector, Chamber, LV, HV, T.

Global and local properties
With mCRL2 we can check a wide range of properties of the system. This includes global properties like propagation of commands.
Checking properties suffers from the state-space explosion problem.
Observation: checking for some properties can be done locally.
Diagram: the same FSM tree as on the validation slide (Wheel, Sector, Chamber, LV, HV, T).

move_to loop example
Example:
    class ECALfw_CoolingDee:
      state: ERROR
        when ( $ANY$FwCHILDREN in_state NO_CONNECTION ) move_to NO_CONNECTION
        when ( $ALL$FwCHILDREN in_state OK ) move_to OK
      state: NO_CONNECTION
        when ( $ALL$FwCHILDREN in_state OK ) move_to OK
        when ( $ANY$FwCHILDREN in_state ERROR ) move_to ERROR

Results
- Formalized most of SML in mCRL2.
- Formalization in mCRL2 is the basis for discussion with developers.
- Verification possible with mCRL2.
- Large-scale verification of local problems done using SMT.
- Errors found in 6/40 systems.
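The move_to loop on the slide above, as an added Python check that is not part of the slides or of the CERN tooling: it parses the two states of ECALfw_CoolingDee (constructed input copied from the slide) and searches child-state assignments for one under which when-clause evaluation cycles between states without any child changing state, which is the kind of local check the slides say can be done without the full state space. The regex grammar, the number of children, and treating OK as a state with no when clauses are assumptions.

```python
import itertools
import re
from typing import Dict, List, Optional, Tuple

# Constructed SML fragment: the two states of ECALfw_CoolingDee from the slide
# (assumption: OK has no when clauses of its own and is therefore left out).
SML = """
state: ERROR
  when ( $ANY$FwCHILDREN in_state NO_CONNECTION ) move_to NO_CONNECTION
  when ( $ALL$FwCHILDREN in_state OK ) move_to OK
state: NO_CONNECTION
  when ( $ALL$FwCHILDREN in_state OK ) move_to OK
  when ( $ANY$FwCHILDREN in_state ERROR ) move_to ERROR
"""

# Assumed grammar: only the $ANY$/$ALL$FwCHILDREN in_state guards seen on the slide.
WHEN = re.compile(r"when\s*\(\s*\$(ANY|ALL)\$FwCHILDREN in_state (\w+)\s*\)\s*move_to (\w+)")

def parse(sml: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each state to its ordered when clauses as (quantifier, child_state, target)."""
    states, current = {}, None
    for line in sml.splitlines():
        line = line.strip()
        if line.startswith("state:"):
            current = line.split(":", 1)[1].strip()
            states[current] = []
        elif (m := WHEN.match(line)) and current is not None:
            states[current].append(m.groups())
    return states

def next_state(clauses, children: Tuple[str, ...]) -> Optional[str]:
    """The first clause whose guard holds fires; None means all guards are false."""
    for quant, child_state, target in clauses:
        hits = [c == child_state for c in children]
        if (quant == "ANY" and any(hits)) or (quant == "ALL" and all(hits)):
            return target
    return None

def find_move_to_loop(states, n_children: int = 2) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Return (start_state, child_states) for which when-phase evaluation never settles."""
    names = sorted({cs for cl in states.values() for _, cs, _ in cl} | set(states))
    for children in itertools.product(names, repeat=n_children):
        for start in states:
            seen, cur = set(), start
            while cur in states and cur not in seen:
                seen.add(cur)
                cur = next_state(states[cur], children)
            if cur in seen:  # re-entered a state although no child changed state
                return start, children
    return None
```

With one child in NO_CONNECTION and another in ERROR the object alternates ERROR -> NO_CONNECTION -> ERROR indefinitely; with a single child no such assignment exists.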