Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Introduction

SCAN (StatistiCal ANalyzer) is a statistical model checker designed to verify large concurrent systems for which standard verification techniques do not scale.

SCAN has a modular architecture that supports multiple frontends, allowing multiple modeling and property specification languages. Currently, and with different levels of maturity, SCAN supports:

  • SCXML as modeling language, with past MTL as property specification language and state/event dense time traces.
  • JANI as modeling language, with (limited) LTL as property specification language.
  • PROMELA as modelling language (in developement).
  • ... (support for other languages is underway)

SCAN is currently under developement at DIBRIS, University of Genoa in the context of the CONVINCE project.

While SCAN can also be as a standalone model checker, it closely integrates with the other tools in the CONVINCE toolchain. In particular, AS2FM can target the SCXML format accepted by SCAN, to make verification of robotic systems more accessible to robotic systems developers.

API docs for the library crates.

Installation

Build prerequisites

SCAN is entirely written in Rust, so, to build it, you need to install a recent version of the Rust toolchain. The easiest and recommended way to do so is by installing rustup either following the instructions on its homepage or through your OS's package manager. Do not forget to set your PATH correctly, if required.

Installing with Cargo

To install and use SCAN on your system, the easiest way is to use the cargo install command, with:

$ cargo install --git https://github.com/convince-project/scan

Cargo will build and install SCAN on your system, after which it can be used as a command-line tool. The same command updates SCAN to the latest version.

After installation, type

$ scan

to verify that the installation completed successfully by displaying the in-line help.

The User Interface

SCAN provides a command line interface.

To print the help screen, use

$ scan --help

which will show the available functionalities and commands' syntax.

The general syntax to run SCAN is

$ scan [OPTIONS] <MODEL> <COMMAND>

where MODEL can be:

  • For SCXML models, the path to either the main xml file, or to the directory containing all the model's files.
  • For JANI models, the path to the JANI model's file.

SCAN tries to auto-detect the model format, but the --format [scxml|jani] flag can be used to specify it explicitly.

Available commands are:

  • validate to check the syntax and semantics of the model is correct, without executing any verification.
  • verify to verify properties over the model.
  • trace to save execution traces to file.

Each of these commands has its own options and help section, which can be displayed with scan help [COMMAND].`

Global flags

SCAN accepts the following global flags:

  • --format sets which model specification format is being used. Possible values: [scxml|jani].
  • --verbose increases the log verbosity (can be invoked multiple times as -vv or -vvv etc.). Normally, this is unnecessary save for debugging purposes.
  • --quiet disables logging completely.

An alternative way to set the logging level is to use:

$ RUST_LOG=<LOG_LEVEL> scan [OPTIONS] [MODEL]

where LOG_LEVEL=[error|warn|info|debug|trace] (from the highest-level to the lowest-level log entries).

Validate

This command has no options or flags: it just parses the model specification and builds the internal model representation to check that there are no issues with the specification. Just run it with:

$ scan <MODEL> validate

Verify

The command runs a verification task on the input model and uses statistical methods to estimate the probability that the specified properties are satisfied.

The syntax for verify is:

$ scan [GLOBAL_OPTIONS] <MODEL> verify [OPTIONS] [PROPERTIES]...

where PROPERTIES is a list of space-separated properties to verify (as named in the model specification). A most useful flag is --all in alternative to the list of properties, which triggers verification of all properties specified in the model.

Example: The simplest way to verify all specified properties of an SCXML model contained in a directory is to enter the directory containing the model and call the following command.

user@host:path/to/model$ scan . verify --all

The following flags control the statistical parameters of the verification:

  • --confidence sets the statistical confidence that the produced result is accurate.
  • --precision sets the target precision of the result.

Together, --confidence and --precision also determine how many executions are required to be performed, via the new adaptive sampling method. This determines the number of necessary samples also based on the outcomes of the previous samples, so that this number cannot be known a-priori but has to be continually recalculated during the verification task.

The --duration flag's value sets the maximum duration (in model time) that the execution can take before being stopped. As this may vary depending on the input model and SCAN has no means to determine it, SCAN sets a reasonably large default value, but for best results the developer should set a more appropriate value.

By default, SCAN only prints a short message informing the user that a verification task is underway, then it hangs silently until the task is finished (if ever). This is a fine behavior for use by other tools or in scripts, but less than ideal for human users.

For long verification tasks, the user can enable a more informative interface updated in real time and featuring progress bars with the flag --progress [plain|fancy], where plain is just ascii (for universal compatibility) and fancy uses colors and Unicode characters. The interface will show the progress towards task completion and make a best-effort attempt to estimate how long it is still missing. Moreover, it will show the proportion of violations for each property and for the overall model. At the end of the execution, the progress bars will be cleared out to print the final verification report.

At the end of a verification task, the outcome is printed as a plain message. For toolchain integration, SCAN can output the report serialized in JSON format instead, by passing the --json flag.

By default, SCAN runs taking full advantage of the host system's multi-threading capabilities. Verification can be run on a single thread by passing the --single-thread flag. Notice that there is no guarantee that SCAN (and its dependencies) will not still use multiple threads to run other tasks, such as, for example, parsing.

Trace

This command executes the model and saves the execution traces to disk as gz-compressed csv files.

The syntax for trace is

$ scan [GLOBAL_OPTIONS] <MODEL> trace [OPTIONS] <TRACES>

where TRACES is the number of traces that are requested.

The available options are --duration and --single-thread, with the same meaning as for the verify command.

The traces produced during verification are saved in a ./traces_NN/ directory, with NN progressive indexing, and further classified into success/, failure/ and undetermined/ sub-directories based on the outcome of the execution. Traces are saved into gz-compressed csv format. Since traces can take up a large amount of disk space, care is recommended when running this command.