Checking Synchronous Programs using Automatic ... - CiteSeerX

Checking Synchronous Programs using Automatic Abstraction, Modular Veri cation and Assumption Discharge A. Merceron GMD - SET-EES, SchloBirlinghoven, D-53754 Sankt Augustin email: [email protected]

Abstract We verify synchronous programs using model checking. To cope with data and big programs, we use an automatic abstraction mechanism as well as modular veri cation. Both are proved to be conservative for the logic 8CTL. Model checking

an abstract module M may lead to the formulation of some assumption on some module M . Assumption are discharged using model checking or theorem proving or combining both, depending on which data of M have to be taken into account. We applied our method to a medium-scale industrial example, a Lock system for contactless transponder keys. 1

2

2

1 Introduction Model checking is a well known approach to formal veri cation. A main advantage of this approach is that it is automatic. A major drawback is that it requires nite state systems that do not explode. In this paper we propose abstraction and modular veri cation to make model checking practicable for large synchronous programs. The veri cation process is completed by discharging assumptions that may be formulated while checking abstract modules. First let us set up the synchronous programs context. Synchronous programming languages, like Esterel, Lustre, Statecharts, Signal, have been proposed to specify and program reactive systems [2, 13, 1]. Their paradigm is the so called synchrony hypothesis [2]. One assumes that the program reacts quickly enough to the environment so that the output signals provided by the program appear to be synchronous with the input signals emitted by the environment. Hence, time can be cut into non-overlapping instants at which reactions take place. Synchronous automata, a kind of Mealy automata, have been proposed as a common semantical model for synchronous programs [18, 25, 17]. Roughly speaking, a synchronous automaton is a system which in any state, given some input signals, calculates output signals and then evolves to a next state. In any state, or instant, the status of a signal is well de ned, present or absent, and its value, if the signal is present, is unique for the whole instant. We use synchronous automata to represent synchronous programs. Thus our veri cation method may be used for any program written in a language that compiles into synchronous automata [21, 22]. The choice of our abstraction mechanism rests on the following observation. Quite often synchronous programs are control oriented and manipulate mainly pure signals . Only the emission of some signals require non trivial data calculations. The abstraction we do is rst to treat pure ouput signals, whose status calculation involves data processing, as input signals. Further value domains of non pure signals are mapped onto singletons. This gives a simpler synchronous automaton that manipulates only boolean variables. Our abstraction mechanism turns out to be a homomorphism in the sense of [12]. Thus it is conservative for the temporal logic 8CTL [27, 12]. It means that any property expressed in 8CTL and checked as true for the abstraction is also true for the original synchronous automaton. Our abstraction mechanism is automatic. Signals involving data calculations are picked up at the program level and only the abstract synchronous automaton needs to be built for veri cation. This is done automatically as well. 1

The value set of a pure signal is a singleton; thus it is its status, present or absent, which is relevant. 1

1

Having to verify programs composed of several modules running in parallel makes modular veri cation attractive. We generalise the homomorphism notion of [12] to be able to handle parallel composition of synchronous automata whose output signal sets are not necessarily disjoint. Our homorphism preserves satisfaction of 8CTL formulae which do not have negated signals from the intersection of the output signal sets. If the intersection is empty, which means that a signal can be emitted by only one module, our homomorphism coincide with the one of [12] and we get the same conservation result for 8CTL. Modular veri cation can be combined with abstraction. Unlike the abstractions considered in [16] or [9], the abstraction we have is generally not faithfull. Further, as pointed out in [12, 27], homomorphisms establish a preorder between models. A smaller model, w.r.t. the preorder, is a model where some computation paths have been 'pruned'. Thus, some formulae may be checked as false on a bigger model, i.e. on an abstraction of some module, while being true on a smaller model that contains less paths, i.e. for the whole concrete program. A way of pruning the bigger model is to make assumptions while checking an abstract module. When assumptions involve signals emitted by some (other) modules, they have to be discharged. To prove assumptions, it may be necessary to consider some module(s) with data instead of an abstraction. If data are in nite, theorem proving seems the best way to discharge assumptions as done in [10, 26]. Otherwise, assumptions may be discharged by model checking the integral module, which has the advantage of keeping the whole method more homogeneous. The paper is organised as follows. In the following section synchronous automata are introduced, abstraction and parallel composition are de ned and homomorphism results are proved. In section 3, we show how our abstraction and parallel composition are conservative for the logic 8CTL. Section 4 applies our results to a medium scale industrial example, a Lock system for contactless transponder keys [5]. Section 5 concludes this paper.

2 Synchronous Automata, Abstraction and Parallel Composition For veri cation, we consider only reactive synchronous automata, since they represent causally correct programs [13, 17]. Further we assume the sets of input signals and output signals to be speci ed and disjoint. The de nitions presented here follow [18, 17] with some simpli cation; in particular, local signals are not mentionned since they can be suppressed when synchronous automata are reactive. A reactive synchronous automaton reacts to some input signals taken from a set I n, producing output signals Out. I n and Out are disjoint nite sets and their union form the set of observable signals O. A signal o 2 O may be present having value ?o taken from a set Vo, or it may be absent. The status, presence or absence, of signals is speci ed by a partial function E , called event, from O to the set of all values V . We present such a partial function E by its graph. When a signal is present, its value is unique. Thus we de ne the set VO of possible events as follows. VO = fE  O  V j hx; vi; hx; v0i 2 E ) v = v0 and v; v0 2 Vxg. A reaction may depend on previous reactions. This memory is encoded by a nite set R of registers. A register r 2 R may be active having value ?r taken from a set Vr , or 2

it may be inactive. In a similar way as has be done for signals, theS status of registers, called a state, is an element  of VR. The set of all values is V = x2R[O Vx . We speak of a pure signal or register x if its domain is one-pointed, i.e., Vx = fg, and use x instead of hx; i.

De nition 1 A synchronous automaton P is a tuple (R; I n; Out; P~; P ) where 1. R, the set of registers, I n, the set of input signals, and Out, the set of output signals, are disjoint and nite. I n [ Out = O. Any variable x 2 R [ O ranges !

over a set Vx ,

2. P : fgfg  VO + VR  VO ?! VOut is the reaction function, !

3. P~: fgfg  VO + VR  VO ?! VR is the next state function,

and fg is considered as the initial state;  62 R [ O.

We present synchronous automata by statements of the form

o(

if

 and r



if

.

The signal o is present, respectively the register r is active, if the boolean expression  evaluates to true and its value is given by the expression  (which is assumed to be correctly typed). As an example consider the Esterel [4] program piece: loop await i; if ?i +3 > 5 then emit s(3) end end

It is compiled into the synchronous automaton P with R = frg, I n = fig, Out = fa; sg, Vi = Vs = N; a and r are pure. P : a (  if i ^ r ^ (?i + 3 > 5) s ( 3 if i ^ a ^ r P~ : r  if  _ r 1

1

1

1

1!

1

The next state function is the usual one for automata while the reaction function is instantaneous. The value of a on the right side of ( is the one as computed by P in the instant. P works as follows. Initially all the registers are set to false,  is set to true since fg is the initial state. Thus at the initial reaction no signal will be emitted. The next state is  = frg ( does not belong to any follower state by de nition of P~ since  62 R). After, signals a and s with value 3 will be emitted any instant where the input signal i is present and its value bigger than 2. frg is its own successor state. A reactive synchronous automaton computes a unique reaction in a nite amount of time. Because of synchronous communication, outputs are immediately available to, possibly, calculate more outputs and this process has to terminate for the automaton to be reactive. This is captured by the existence of some xpoint for the function P . Before de ning it, we introduce some notations. !

1

!

3

Inclusion, intersection and dierence of sets are easely extended to events. The union of two events E and E 0 cannot be straightforwardly de ned if E contains the pair ho; vi, E 0 the pair ho; v0i and v 6= v0. When this is not the case, then E [ E 0 is de ned the usual way: E [ E 0 = fho; vi j ho; vi 2 E or ho; vi 2 E 0g In any reachable state  and for any input event I reactive synchronous automata have one and only one reaction. De nition 2 A synchronous automaton P is said to be reactive i for any reachable state  2 VR [ ffgg and any input event I 2 VIn , there exists a unique E 2 VO with (i) I  E (ii) P (; E )  E (iii) E ? P (; E )  I: By O = I n + Out one obtains: E = I [ P (; E ). !

!

!

The semantics of synchronous automata is given under the form of labeled transition systems. De nition 3 The tuple M = (S; T; fg; R) is the labeled transition system of the synchronous automaton P i S , T and R are the smallest sets such that fg 2 S . If  2 S , I 2 VIn , E = I [ P (; E ) and  0 = P~(; E ) then:  0 2 S , E 2 T and (; 0) 2 R. E We also write  ?! 0 . For reactive synchronous automata, the relation R is total. The transition system of P is sketched below. Output signals that are not emitted are omitted.  fig; ?i  2  fig fg ?! frg   fi; a; sg; ?i > 2; ?s = 3 !

1

For O0  O an element E 0 of VO can be restricted to an element E of VO taking its projection on O0. In the sequel we denote this projection explicitly by E 0#O0. 0

2.1 Abstraction We proceed to de ne when a synchronous automaton is an abstraction of another one. The abstraction process is divided in two parts. The rst part is concerned with the shifting of signals from the output set to the input set. The second part is concerned with the surjective mappings on the value sets.

Signals shifting

Abstracting means having less details while respecting behaviours of the original system. In this abstraction part, less details means less output signals. Respecting behaviours means, rst, to have the same set of observable signals and, second, to coincide with the original synchronous automaton for the common set of output signals as well as for the next state. Such an abstraction of a synchronous automaton P is denoted by P a and the notation a is carried over to anything related to P a. 4

De nition 4 Let P and P a be two reactive synchronous automata. P a is called an a-abstraction of P i 1. Ra = R, Oa = O and Outa  Out, 2. 8 2 S , 8E 2 T : P a (; E ) = P (; E )#Outa and P a~ = P~. As a consequence of de nition 4 one has I na = I n [ (Out n Outa). An a-abstraction of P is given changing I n , Out and P as follows: I na = fi; ag, Outa = fsg. P a : s ( 3 if i ^ a ^ r !

!

1

1

1

1!

!

This automaton can be also directly obtained from the Esterel code: loop await i; present a then emit s(3) end end.

An abstraction has generally more behaviours than an implementation. The event with ?i = 1, ?a =  and ?s = 3 is a possible transition in the state frg, which is not the case for P . However, P a can simulate P . This is re ected by the fact that there is an homomorphism from the labeled transition system of P to the one of P a. 1

1

1

De nition 5 An homomorphism from the labeled transition system M = (S; T; s ; R) to the labeled transition system M = (S ; T ; s ; R ) is a pair of relations (H ; H ) E 0 then for with H  S  S , H  T  T such that whenever (;  ) 2 H , if  ?! E some  and E we have:  ?!  , (0;  ) 2 H and (E 0; E ) 2 H . Theorem 6 Let P be a synchronous automaton and P a be some a-abstraction of P . Then there is an homomorphism from (S; T; fg; R) to (S a; T a; fg; Ra ). 0

1

1

1

1

1

1

0

1

1

0

1

2

0

1

1

10

1

0

0

1

2

0

1

0

1

1

1

2

E E Proof We show by induction that if  ?! 0 in M then  ?! 0 in Ma. Thus H = f(; ) 2 S  S ag and H = f(E; E ) 2 T  T ag. By de nition P and P a have the same initial state fg. Let I 2 VIn and E = I [ P (fg; E ). P (fg; E ) can be split making the dierence between input and output signals of the abstraction: P (fg; E ) = (P (fg; E )#I na) [ (P (fg; E )#Outa) by I na \ Outa = ;. Thus E = (I [ P (fg; E )#I na) [ P a a(fg; E ) by P a = P #Outa. But I a = I [ (P (fg; E )#I na 2 VIn and E satis es de nition 2 for I a. Thus E is a transition of P a occuring at fg. E E By P a~ = P~, fg ?! 0 in M implies fg ?! 0 in Ma. 1

2

!

!

!

!

!

!

!

!

!

!

The induction step is similar and omitted.

Surjective mappings

The second part of our abstraction, called data abstraction, is concerned with values of signals. Having less details now means not to distinguish between dierent values. The set of possible values is reduced to fg. Respecting behaviours means respecting signals and registers status. Thus in a data abstraction, only the rst component of pairs is relevant. We de ne: 5

(E ) = fho; i j ho; vi 2 E g.

De nition 7 Let P and P d be two reactive synchronous automata. P d is called a data abstraction of P i 1. Rd = R, I nd = I n, Outd = Out and V d = fg, 2. 8 2 S , 8E 2 T : P d ((); (E )) = (P (; E )) and P d~((); (E )) = (P~(; E )). !

!

The following boolean automaton is a data abstraction of the a-abstraction of P . P d : s (  if i ^ a ^ r P d! : r  if  _ r This automaton can also be obtained directly from the following code: 1

!

loop await i; present a then emit s end end.

As in [8], we get that the labeled transition system of a synchronous automaton is homomorphic to the one of a data abstraction.

Theorem 8 Let P be a reactive synchronous automaton and P d be a data abstraction. Then there is an homomorphism from (S; T; fg; R) to (S d; T d; fg; Rd ). E E Proof We prove by induction that if  ?! 0 for P then () ?! (0) for P d. Thus H = f(; ())g and H = f(E; (E ))g. The two labeled transition systems have the same initial state fg (we assume (fg) = fg). Let I 2 VIn and E = I [ P (fg; E ). It is immediate to see that (E ) = (I ) [ (P (fg; E ). d By de nition of P d , (E ) = (I ) [ P d (fg; (E )). But I d = (I ) 2 VdIn and (E ) satis es de nition 2 for I d. Thus (E ) is a transition of P d at fg. Further by E E P d~(fg; (E )) = (P~(fg; E )) we deduce fg ?! 0 implies fg ?! (0). (

1

)

2

!

!

!

!

(

)

The induction step uses a similar argument and is omitted. The labeled transition system of a data abstraction is nite. In the following, speaking of an abstraction P ad of an automaton P , we mean either an a-abstraction or a data abstraction or the composition of an a-abstraction by a data abstraction. By theorems 6 and 8 we have that the labeled transition system of P is homomorphic to the one of P ad.

2.2 Parallel Composition We continue with the parallel composition of two synchronous automata [18]. We compose two dierent synchronous automata and therefore we assume that they have dierent register sets. Because of synchronous communication, output signals produced by one automaton are instantaneously available as inputs for another automaton which 6

is composed in parallel. The two automata are then able to evolve to a next state. A problem may arise if two parallel components emit the same signal o in the same instant with distinct values. There is some inconsistency between these two components. In this paper, we assume to have consistent automata and consequently, if a signal is emitted in the same instant by two parallel components, both assigne to it the same value. The reaction of the parallel composition is the union of the two reactions (which in this case remains well de ned), taken with the respective input signal sets, and the next state is the union of the two next states. 2

De nition 9 Let P , P and P be reactive synchronous automata, P being consistent and R \R = ;. P is the parallel composition of P and P , denoted by P = P k P , 1

1

2

2

1

2

1

2

i:

1. R = R [R , O = O [O , Out = Out [Out , I n = (I n [I n )n(Out [Out ), 1

2

1

2

1

2

1

2

1

2

2. P (; E ) = P (#R ; E ) [ P (#R ; E ), !

1!

1

1

2!

2

2

3. P~(; E ) = P ~(#R ; E ) [ P ~(#R ; E ), 1

1

1

2

2

2

where E 2 T ,  2 S and E i = E#I ni [ P i (#Ri; E i), i = 1; 2. !

Consider the Esterel code: loop await b; emit a; present s then emit o end end.

It is translated into the synchronous automaton P given by: R = fr0g, I n = fb; sg and Out = fa; og. P : a (  if b ^ r0 o (  if s ^ b ^ r0 P ~ : r0  if  _ r0 At the inital state, nothing is emitted. Then any time b is present, a is emitted; if, moreover, s is present, then o is emitted as well. The automaton P below is the parallel composition of P (beginning of this section) with P . R = fr; r0g, I n = fi; bg, Out = fa; s; og. P : a (  if ((i ^ r ^ (?i + 3 > 5)) _ (b ^ r0) s ( 3 if i ^ a ^ r o (  if s ^ b ^ r0 P~ : r  if  _ r 0 r  if  _ r0 Initially P does not emit any signal; then a is emitted any time i is present and its value bigger than 2 or any time b is present; further if i is present and a emitted, s will be emitted as well and if b is present and s emitted then o is also emitted. 2

2

2

2

2!

2

1

2

!

A dierent approach is taken in [4]. There, a combined value is delivered for o. We could also adopt this approach, de ne the union of events accordingly and get a similar homomorphism result. 2

7

Composing P with P adds constraints to the behaviour of P . This comes from the fact that what could be free inputs for P alone may be outputs of P and, consequently, outputs for P k P . We get a result similar to theorems 6 and 8. 1

2

1

1

1

2

2

Theorem 10 Let P = P k P . Then there is an homomorphism from (S; T; fg; R) to (S i ; T i; fg; Ri), i = 1; 2. 1

2

E Ei 0 #Ri for P i, Proof By induction showing that if  ?! 0 for P then  #Ri ?!

i = 1; 2. Given a reactive synchronous automaton, it is not dicult to construct an abstraction which is also reactive. This is not true for parallel composition as the following example shows. P : a ( b_ k P : b ( a_ The emission of a needs b and the emission of b needs a. Taking the union does not deliver a synchronous automaton which is reactive, see reactivity in [17]. Parallel composition and abstraction can be combined. Particularly the abstraction of the parallel composition is the parallel composition of the abstractions if Outa = Out a [ Out a. 1!

1

2!

2

3 Satisfaction of 8CTL Formulas Our interest in verifying synchronous programs is to make sure that the right signals are present at the right instants. Computation Tree Logic [7] is a language in which it is natural to express such properties. The set of observable signals of the program, O = I n + Out, is taken as the set of atomic propositions from which formulae are built. We are interested in abstraction and parallel composition. So we look for properties which, if they hold for an abstraction, hold for the original synchronous automaton or, if they hold for a component, hold for the parallel composition. A subset of CTL, called 8CTL [27, 12] allows for expressing such properties. The logic 8CTL is constructed with only one quanti er: 8 and three path operators: X, U and G. Negations are allowed at the level of atomic propositions only. This restriction prevents the danger of having existential quanti ers through the negation of 8.

De nition 11 The logic 8CTL is the set of state formulae given inductively as follows: 1. The constants true and false are state formulas. For every atomic proposition p, p and :p are state formulas. 2. If  and

are state formulas, then  ^ and  _ are state formulas.

3. If  is a path formula, then 8 is a state formula. 4. If  is a state formula, then  is a path formula. 5. If  and are path formulas, then  ^ ,  _ , X,  U and G are also path formulae. F is an abreviation to denote true U .

8

8CTL is a subset of 8CTL where any path operator has to be preceded by 8. For instance 8G 8F  is both a 8CTL and a 8CTL formula while 8GF  is a 8CTL formula only, not a 8CTL formula. The semantics of 8CTL is given on structures also called labeled state transition graphs K = (M; R; L; m ; P ) [11, 7]. M is a set of states, R  M M is the reachability relation 0

which must be total, m is the initial state, P is a set of atomic propositions, L is a labelling function which associates to any state the set of atomic propositions true at that state. A path  = m ; m ; : : : in K is an in nite sequence of states of M such that 8i  0: (mi; mi ) 2 R. i denotes the sux of  which begins at state mi. 0

0

1

+1

De nition 12 Satisfaction of a state formula  by a state m (m j= ) and of a path formula by a path  ( j= ) is de ned inductively as follows: 1. m j=true and m 6j=false. m j= p i p 2 L(m). m j= :p i p 62 L(s). 2. m j=  ^  i m j=  and m j=  . m j=  _  i m j=  or m j=  . 3. m j= 8 i for every path  starting at m  j= . 4.  j=  i the rst state of  satis es . 5.  j= ^ i  j= and  j= . 6.  j= _ i  j= or  j= . 7.  j= X i  j= . 8.  j= U i there exists n 2 N such that  n j= and for all i < n,  i j= . 9.  j= G i for all n 2 N  n j= . 1

2

1

1

2

1

1

2

1

2

1

2

1

2

2

2

1

1

2

2

1

Homomorphisms for labeled state transition graphs are de ned in a very similar way as for labeled transition systems, see de nition 5. However, since labeled state transition graphs do not have labeled transitions but labels attached to states, the relation H between transitions of de nition 5 is replaced by a condition on state labels. A set U is distinguished to handle parallel composition when sets of ouput signals are not necessarily disjoint. 2

De nition 13 Let K and K 0 be two labeled transition graphs with P 0  P and consider U  P 0. A relation H  M  M 0 is a homomorphism from K to K 0 i the following conditions hold: Forall m and m0, H (m; m0) implies

1. L(m) \ (P 0 n U ) = L0 (m0) \ (P 0 n U ),

L(m) \ U  L0(m0) \ U and 2. If (m; m ) 2 R then there is some m0 2 M 0 with (m0; m0 ) 2 R0 and H (m ; m0 ). 1

1

1

1

K  K 0 i there is a homomorphism from K to K 0 with H (m ; m0 ). 0

9

0

1

It is immediate that to any path of K one can associate one in K 0 such that all the corresponding states belongs to H :

Lemma 14 Let H be an homomorphism from K to K 0, m 2 M and m0 2 M 0 with

H (m; m0).

For every path  = m m : : : from m = m there exists a path  0 = m0 m0 : : : from m0 = m0 such that for every i  0, H (mi; m0i). For such paths we write H (;  0). 0

1

0

0

1

0

Thus a homomorphism in our sense is also a homomorphism in the sense of [12] if the set U is empty. We get a similar result to the one of [27, 12]: validity of 8CTL formulae which do not contain negated atomic propositions of the set U is preserved. The following lemma, proved by structural induction, helps make it clear.

Lemma 15 Suppose K  K 0. Let  be a state formula and be a path formula with

atomic propositions in P 0 but no negated atomic propositions from U . 1. Let  and  0 be paths with H (;  0).  0 j= implies  j= . 2. Let (m; m0) 2 M  M 0 with H (m; m0). m0 j=  implies m j= .

Proof By structural induction. Only a few steps are given.

Let  and 0 be paths with H (; 0) and be a path formula as in the hypothesis. Let be an atomic proposition or the negation of some atomic proposition not in U and suppose 0 j= . It follows that  j= by de nition 13 and the hypothesis on U . Let be a path formula as in the hypothesis such that if 0 j= then  j= for any ; 0 with H (; 0). We show that this result also holds for the formula X . Suppose 0 j= X . Then 0 j= . But one has H ( ; 0 ), hence  j= and  j= X . Let be a path formula as in the hypothesis such that if 0 j= then  j= for any ; 0 with H (; 0). Let m and m0 be states with H (m; m0). We show that if m0 j= 8 then m j= 8 . By hypothesis, any path 0 starting at m0 satis es . For any path  starting at m, there is a path 0 starting at m0 with H (; 0) by lemma 14. By induction hypothesis any path  starting at m satis es this implies m j= 8 . From lemma 15 the following theorem can be deduced: 1

1

1

1

Theorem 16 Suppose K  K 0. Then for every 8CTL state formula  with atomic propositions in P 0 and no negated atomic propositions from U : K 0 j=  implies K j= .

 de nes a preorder (a re exive and transitive relation) on labeled state-transition graphs.

We apply these results to synchronous automata. The labeled state-transition graph of a synchronous automaton is almost its labeled transition system, except that labeled transitions are transformed into labels attached to states. It has to be decided whether labels will be attached to preceding states or to follower states. For expressing power facilities at the initial state, see [21], we decided E that transitions should label follower states as has been done in [15]: if  ?! 0 then fo 2 O j ho; ?oi 2 E g becomes the label of 0. 10

De nition 17 Let P be a synchronous automaton, (S; T; fg; R) be its labeled transition system. Its labeled state-transition graph is K = (S; R; L; fg; O) where L: S ?! O, the labelling function, is such that L(0) = fo 2 O j ho; ?oi 2 E g i it E exists  2 S and E 2 T with  ?!  0. Extending de nition 12 we say that a synchronous automaton P satis es a formula , denoted by P j= , i fg j= . We extend the  notation as well and write P  P 0 i K  K 0, K and K 0 being the labeled state-transition graphs of P and P 0 respectively. From theorems 6, 8 and 10, it can be deduced that the labeled state-transition graph of a synchronous automaton is homomorphic to the one of an abstraction, and similarly for parallel composition with either of its components:

Theorem 18 Let P , P and P be synchronous automata and P ad be an abstraction of P . Then: 1. with U = ;, P  P ad. 2. with U = Out \ Out , P k P  P i , i 2 f1; 2g. 1

1

2

2

1

2

Proof Identifying H with H in both cases and noting that L = Lad for Li(i) ( i

1

abstractions

\ O n U ) = L() \ (Oi n U ) and Li(i) \ U  L() \ U if (; i) 2 H for parallel

composition. With theorem 16 we get:

Theorem 19 Let P , P and P be synchronous automata and P ad be an abstraction of P . Then for every 8CTL state formula  1. with atomic propositions in O: P ad j=  implies P j= . 2. with atomic propositions in Oi and no negated atomic propositions in Out \Out : P i j=  implies P k P j= , i 2 f1; 2g. 1

2

1

1

2

2

To illustrate the second item of the above theorem, AX AG (b _ :a) is a formula which is true for P but not for P . The signal a belongs to Out \ Out . Note that in the case where the abstraction is a d-abstraction only, then theorem 19 has a converse: P j=  implies P d j= . This comes partly from the de nition of our labelling function in 17. States are labeled with events instead of valued events. Thus d-abstractions are faithfull and allow to do veri cation with full CTL. 2

1

2

4 Verifying the Lock System The Lock system for contactless transponder keys has been developped in the prototype language Embedded Eiel which associates an object oriented method with synchronous programming [6, 5]. Behaviours of time-critical objects are written in a synchronous language, actually Esterel [4]. The Lock system has 15 time-critical objects described 11

in 8 classes, about the half of the whole system. It would be very dicult to verify this system {computationaly but also intellectually{ whithout abstraction and modular veri cation. The behaviour of any time-critical object is an Esterel program which runs in parallel with the other behaviour programs. Using the results of section 2 and 3, we verify the whole system modularly. Considering a property  that has to be checked, we pick up one object, the one which manipulates the signals involved in  and abstract it. Checking  on the abstract module M may lead to the formulation of some assumption on some (other) module M . To discharge the assumption we use model checking or theorem proving or combine both, depending whether data of M have to be taken into account. The whole system is too big to be entirely described here. Rather we demonstrate our method concentrating on one aspect of the whole veri cation which had to be conducted during the design process. The Lock system uses several instantiations of the object Timer. One way to optimize the nal product is to implement several logical timers by sharing one Timer-object. If this is possible, then a cheaper micro-controller with less memory cells can be used to build the nal product. For this, timers which are never used simultaneously have to be identi ed. We show here how we proved that two timers: the Open Timer and the Learn Timer are never used simultaneously. The Lock system is composed of several devices, among them a sensor eld, a microcontroller, a button and transponder keys. The door is opened the following way. The key is held close to the sensor eld. If the key is identi ed as a valid open-key the lock is opened and stays opened as long as the key is held closed to the sensor eld. It is closed 3 seconds after the key is retracted from the sensor eld. New keys can be learned as open-keys. For that the learn button has to be pressed and, whithin 2 minutes, the key to be learned has to be held in the sensor eld. Timers measure time and work as countdown stopwatches. They start measuring time when they receive a START signal and emit an ELAPSED signal upon termination. One does not always have to wait for an ELAPSED signal to be emitted. If, for example, a new key is learned and memorized in less than two minutes, then the learn mode is exited before the emission of the ELAPSED signal by the Learn Timer. Another frequent situation is when a timer is started and re-started before it elapses. For example, if a new valid key is recognised during the 3 seconds the door stays open, then a new time measure will start at once. The Open Timer is restarted before it nishes its previous measure. The Open Timer and the Learn Timer are controlled by the module RFILock. When RFILock is waiting for an ELAPSED of the Learn Timer, it emits a watching LearnT ELAPSED signal and, similarly, it emits a watching OpenT ELAPSED while waiting for the Open Timer. Doing modular veri cation, we pick up RFILock and abstract it to obtain a boolean automaton as shown in section 2 and, consequently, loose key values. Thus several output signals, like the key table include key signal which is present only if a key is a valid entry-key, become input signals and their presence or absence is set at random by SMV, the model checker we use [19]. This module has 2 reachable states. The proof takes advantage of the fact that there exists a hierarchy between timers. Any time a timer higher in the hierarchy is started, RFILock discards the running timer lower in the hierarchy. 1

2

2

64

First we proved that if RFILock starts the Learn Timer while waiting for an ELAPSED 12

from the Open Timer, then it discards the open Timer: at the next instant it does not wait for it anymore. The following CTL formula was checked as true:

AG((learnT START ^ watching openT ELAPSED) ) AX :watching openT ELAPSED). Further, if RFILock waits for the Learn Timer only, then it will not start the Open Timer unless the Learn Timer is discarded. In CTL it can be expressed by: AG((watching learnT ELAPSED ^ :watching openT ELAPSED) ) A[:openT START U :watching learnT ELAPSED]). This formula is checked as true if watching learnT ELAPSED becomes false, i.e., under the assumption that RFILock eectively discards the learn Timer. RFILock discards the learn Timer either if it starts the Restart Timer higher in the hierarchy or if the learn Timer emits ELAPSED. The Restart Timer is started if the button has been pressed for a too long time by the user. Thus it concerns the environment. The part of the assumption we have to discharge in the concrete system concerns the Learn Timer: any time it is started, it eventually emits an ELAPSED. In CTL this is written as : AG (learnT START ) AF learnT ELAPSED). The dischargement of this assumtion involves two steps. The rst one is to check whether, while running, the Learn Timer may be restarted in the module RFILock. But this is not possible. Any LEARN signal -which indicates that the learn button has been pressed- present while the Learn Timer is already running is just ignored and does not cause any restart of the Learn Timer. The following formula is checked as true on the abstract RFILock: AG (watching learnT ELAPSED ) AX (watching learnT ELAPSED ^ LEARN ) :learnT START)). The second step is to prove that the Timer-object works correctly, i.e., if started and not re-started during a measure, it inevitably emits ELAPSED. To prove it, obviously data have to be taken into account. In this case, data consist of a counter, the variable count which is initialised with a positive integer value contained in countlatch and decremented till 0. Data are enumerable and can be handled within SMV. The formula was checked as true under the assumption AG AF CLOCK, i.e., the signal CLOCK, which is the global tick provided by the environment, should not fail. For the sake of generality, we also proved the second step using the theorem prover PVS [23]. It has the advantage of keeping countlatch as an uninterpreted positive integer. The proof is done establishing four lemmata given as Hoare triples: Lemma 1: At any instant s for any emitted signal o:

fSTARTg o fcount (s ) = countlatch g Any time a timer receives the signal START it initialises its counter. Lemma 2: At any instant s for any emitted signal o

f:STARTg o fcount (s )  count (s + 1 )g 13

where s + 1 is the instant following s. This means that the value of count, except at initialisation time, decreases. Lemma 3: At any instant s

f:STARTg

timer tick

fcount (s ) > count (s + 1 )g

At any instant if the signal START is absent, then the value of count strictly decreases provided the signal timer tick is emitted. Lemma 4: At any instant s

fcount (s ) = 0 g

timer tick

fELAPSEDg

Any time the value of count is nul, then the timer emits ELAPSED provided it emits timer tick. These four lemmata are quite easy to prove with PVS. It follows that if the Learn Timer receives a START it will emit an ELAPSED provided it emits timer tick a sucient number of times. The emission of timer tick necessitates the signal CLOCK as the following formula checked on the abstract timer shows: AG timer tick ) CLOCK. Thus the timer works correctly if the environment provides it with the global tick. Considering the whole system, we proved that three timers are sucient instead of eight in the original design, and we identi ed the components that can safely share a timer.

5 Conclusions and Future Work Our work on synchronous program veri cation is part of the "synchronous programming for embedded systems" project of the EES research group at GMD-SET [24]. This project is founded on synchronous automata which allow for integrating various synchronous languages {Esterel, Argos and Lustre till now{ in a common semantical framework. We use model checking to verify synchronous programs. We do abstraction and modular veri cation and obtain conservation results for 8CTL. Unlike [12], our modular veri cation is not restricted to modules that have disjoint sets of output signals. In practice, our abstraction mechanism does not necessitate any deep understanding of the program, in contrast to [16, 8]. It combines what we call signals shifting, which bears similarities with the closing environments of Moore machines [12], with mappings of data domains onto singletons, which is called synchronisation abstraction in [3]. At rst glance, our automatic abstraction {concentrate on signals status thus neglecting their value{ may seem rough. It makes sense in our synchronous programs context as the Lock system shows. In such programs, control aspects are dominant. It is very attractive to verify control properties automatically using a model checker. However, properties involving data may have to be established, especially to discharge assumptions. To meet the synchrony hypothesis, data operations peformed at any instant are necessarily of low algorithmic complexity. Thus we believe that when data are very large and, thus, not integrable in a model checker, it should not be dicult to handle them using a theorem prover. The Lock system gives support to this view [20]. 14

Model checking and theorem proving turn out to be complementary methods for formal veri cation, as also argued in [10, 26]. Veri cation tools already exist for synchronous programs [13, 14]. Most of them are language speci c. An aim of our veri cation method is to be language independent. We believe that the approach of [14], compose the property and the program in parallel, can be generalised translating temporal properties into synchronous automata rather than into Esterel programs. Future work also includes putting heuristics on datacontrol dependencies in our abstraction mechanism to make it less rough while keeping it automatic as much as possible. Further SMV and PVS cannot deal with cyclic references. However causally correct synchronous programs may well generate reactive synchronous automata with cyclic references. More investigation is needed to cope with these 'acceptable cycles'. Acknowledgments I would like to thank my colleagues of the EES research group and Einar Smith for fruitfull discussions.

References [1] A. Benveniste. Synchronous languages provide safety in reactive system design. Control Cngineering, September 1994. [2] A. Benveniste and G. Berry. The synchronous approach to reactive and real-time systems. Proceedings of the IEEE, 79(9), 1991. [3] A. Benveniste, P. Caspi, P. Le Guernic, and N Halbwachs. Data- ow synchronous languages. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, A Decade of Concurrency Re ections and Perspectives REX School/Symposium, June 1993, volume 803 of Lecture Notes in Computer Science, pages 1{45. Springer-Verlag, 1994. [4] G. Berry and G. Gonthier. The Esterel synchronous programming language: Design, semantics, implementation. Science of Computer Programming, 19:87{152, 1992. [5] R. Budde and K-H. Sylla. Eingebettete Echzeitsysteme. OBJEKTspektrum, 0(4):10{16, 1995. [6] R. Budde and K-H. Sylla. Objektorientierte Echzeit-Anwendungen auf Grundlage perfekter Synchronisation. OBJEKTspektrum, 0(2):54{60, 1995. [7] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic veri cation of nite-state concurrent sytems using temporal logic speci cations. ACM Transactions on Programming Languages and Systems, 8(2):244{263, 1986. [8] E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abstraction. In Proceedings of the 19th ACM Symposium on Principles of Programming Languages, pages 343{354. ACM Press, 1992. [9] O. Grumberg D. Dams and R. Gerth. Generation of reduced models for checking fragments of ctl. In C. Courcoubetis, editor, Computer Aided Veri cation, volume 697 of Lecture Notes in Computer Science, pages 479{490. Springer-Verlag, 1993. [10] J. Dingel and T. Filkorn. Model checking for in nite state systems using data abstraction, assumption-commitment style reasonning and theorem proving. In P. Wolper, editor, Computer Aided Veri cation, volume 939 of Lecture Notes in Computer Science, pages 54{69. Springer-Verlag, 1995.

15

[11] E.A. Emerson and J.Y. Halpern. `sometimes' and `not never' revisited: On branching versus linear time temporal logic. Journal Of the Association for Computing Machinery, 33(1):151{178, 1986. [12] O. Grumberg and D.E. Long. Model checking and modular veri cation. In J.C.M Baeten and J.F. Groote, editors, Concurr'91, volume 527 of Lecture Notes in Computer Science, pages 250{265. Springer-Verlag, 1991. [13] N. Halbwachs. Synchronous Programming of Reactive Systems. Kluwer Academic Publishers, 1993. [14] L.J. Jagadeesan, C. Puchol, and J.E. Von Olnhausen. Safety propertiy veri cation of esterel programs and applications to telecommunications software. In P. Wolper, editor, Computer Aided Veri cation, volume 939 of Lecture Notes in Computer Science, pages 127{140. Springer-Verlag, 1995. [15] B. Jonsson, A.H. Khan, and J. Parrow. Implementing a model checking algorithm by adapting existing automated tools. In J. Sifakis, editor, Automatic Veri cation Methods for Finite State Systems, volume 407 of Lecture Notes in Computer Science, pages 179{ 188. Springer-Verlag, 1990. [16] C. Loiseaux, S. Graf, J. Sifakis, A. Bouajjini, and S. Bensalem. Property preserving abstarctions for the veri cation of concurrent systems. Formal Methods in System Design, 6(1):11{44, 1995. [17] O. Maeiis and A. Poigne. Reactivity, causality and synchronous languages. Technical report, GMD, Schloss Birlinghoven, D-53754 Sankt Augustin, 1995. [18] O. Maeiis and A. Poigne. Synchronous automata and reactive, real-time or embedded systems. Technical report, GMD, Schloss Birlinghoven, D-53754 Sankt Augustin, 1995. [19] K. L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993. [20] A. Merceron. Checking synchronous programs using automatic abstraction, modular veri cation and assumption discharge. Technical report, GMD, Schloss Birlinghoven, D-53754 Sankt Augustin, 1995. [21] A. Merceron, M. Morley, and A. Poigne. Veri cation of synchronous programs. Technical report, GMD, Schloss Birlinghoven, D-53754 Sankt Augustin, 1995. [22] M. Mullerburg, L. Holenderski, O. Maeis, A. Merceron, and M. Morley. Systematic testing and formal veri cation to validate reactive systems. Software Quality Journal, 4(4):287{307, 1995. [23] S. Owre, J.M. Rushby, and N. Shankar. PVS: A prototype veri cation system. In D. Kapur, editor, 11th International Conference on Automated Deduction, volume 607 of Lecture Notes in Arti cial Intelligence, pages 748{752. Springer-Verlag, 1992. [24] A. Poigne. http://borneo.gmd.de/EES/Homepage.html. [25] A. Poigne and L. Holenderski. Boolean automata for implementing esterel. Technical report, GMD, Schloss Birlinghoven, D-53754 Sankt Augustin, 1995. [26] S. Rajan, N. Shankar, and M.K. Srivas. An integration of model checking with automated theorem proving. In P. Wolper, editor, Computer Aided Veri cation, volume 939 of Lecture Notes in Computer Science, pages 84{97. Springer-Verlag, 1995.

16

[27] G. Shurek and O. Grumberg. The modular framework of computer-aided veri cation. In E.M. Clarke and R.P. Kurshan, editors, Computer Aided Veri cation, volume 531 of Lecture Notes in Computer Science, pages 214{223. Springer-Verlag, 1991.

17