{},{a},{a,c} {},{c} {c,d}

Transcription

1 Modular verication of Argos Programs Agathe Merceron 1 and G. Michele Pinna 2 1 Basser Department of Computer Science, University of Sydney Madsen Building F09, NSW 2006, Australia agathe@staff.cs.su.oz.au 2 Dipartimento di Matematica, Universita di Siena Via del Capitano 15, I Siena, Italy pinna@mat.unisi.it Abstract. Synchronous languages have been proposed to specify reactive Real-Time systems. Since such systems are used in safety critical areas, their formal verication is crucial. For machine and human eciency, modular verication is advisable. For the synchronous language Argos, a Statechart variant, modular verication means having a method compatible with parallel composition and renement. We present a translation of Argos programs into Boolean Automata. This translation enlightens the relation between renement and parallel composition. We deduce modular verication results for properties expressed as 8CTL formulas. 1 Introduction Synchronous languages have been proposed to specify reactive Real-Time systems [2]. A reactive system interacts constantly with its environment. In the synchronous approach, the environment produces input signals and the system reacts with output signals quickly enough so that inputs and outputs appear to be synchronous, which is known as synchrony hypothesis [2]. Such a reaction constitutes the basic time unit called instant. Signals are broadcasted. Because reactive systems are used in areas where safety is a critical issue, their formal verication is crucial [2, 1]. Automatic verication methods have been put forward to formally verify systems where control is prevalent, which is quite often the case for, at least, a core part of a reactive system. A well-known automatic verication method is model checking [4]. Modular verication is advantageous because it allows to consider simpler properties on smaller systems. The modules and the properties should be chosen in such a way that what has been proved for a module can be inherited by the whole system. This paper presents results on modular verication considering model checking of Argos programs and the logic 8CTL. The language Argos is a synchronous variant of Statecharts without inter-level transitions [6, 8]. In Statecharts the two main operators to compose modules are parallel composition and renement [6]. Our work relies on a translation scheme common to synchronous languages, the Boolean Automata [11, 7], BA for short. We rst show how to cast Argos programs into BA. This casting claries the relation existing between renement and parallel composition, which is not obvious in Statecharts.

2 This insight suggests the results that can be achieved with respect to modular verication versus renement. Modular verication versus parallel composition has already been studied [5] and we show that similar results hold for Argos programs: if a property holds for a component, it holds also for the whole program. An Argos program Q can rene some state h of another Argos program P giving the resulting program R. Roughly we obtain: If a property holds for P, it holds for R, whereas if holds for Q, then holds as long as control is in h. In the next section we present Argos, Boolean Automata, the translation of Argos programs into BA and list some properties of the BA so obtained. The parallel composition of BA turns out to be the key operation behind parallel composition and renement. Section 3 introduces 8CTL and modular verication results. By lack of space, full proofs are omitted. Concluding remarks, related works and outlook are given in section 4. 2 Argos and Boolean Automata Diagrams that build Argos programs may be seen as Mealy machines where a transition from a state q i to state a q j is made of a boolean expression followed by output signals. Consider the Argos diagram of Figure 1. The initial state is the one drawn in bold, q0. The automaton stays in state q0 as long as the input signal a is absent. If a is present, the automaton goes to state q1 emitting b. The automaton stays in state q1 as long as c is absent or a present. When c is present and a q0 - q1 a/b Fig. 1. A simple Argos diagram. absent, which is coded by c.-a, the automaton goes back to q0 emitting d. Let S be an alphabet, a literal is an element of S or its negation and we denote by M(S) the set of boolean conjunctions of literals of S. Denition 1 An Argos diagram is a tuple A = (Q; q 0 ; T; In; Out) where Q is a nite set of states and q 0 is the initial state; In is a set of input signals and Out is a set of output signals; O = In[Out is called the set of observable signals; T Q M(In) 2 Out Q is the set of transitions. A transition t = (q i ; M; O; q j ) has three parts: the source state q i, the target state q j and the label (M; O). M is the condition part of the label and O is the output part. A computation of A is a sequence of states and sets of signals: q 0 E 1 q 1 : : : q n or q 0 E 1 q 1 : : : such that for any 0 i < n or i 0 the set E i+1 either does not enable any transition t = (q i ; M; O; q) and one has q i = q i+1 or it enables the transition t = (q i ; M; O; q i+1 ), where enable means: O E i+1, E i+1 no I n and M evaluates to true when any non negated literal l is set to true i l 2 E i+1, and conversely for negated literals. Argos programs are assumed to be deterministic (which is checked by the compiler): given a set of input signals and a state of the diagram, at most one transition is enabled, so the next state is uniquely

3 determined. q 0 fa; bgq 1 fagq 1 fc; dgq 0 : : : is a computation of the Argos diagram in Figure 1. The parallel composition of two programs is represented putting them side by side. Figure 2 composes two diagrams in parallel. A state of the Argos program now consists of two diagram states. The initial state is fa0, b0g. If b is present, control goes to state fa1, b0g emitting f and e. If g is present, it goes to fa0, b1g emitting c and if both are present it goes to the nal state fa1, b1g emitting ff; e; cg. a0 - a1 b/f,e b0 g/c - b1 Fig. 2. The parallel composition of two Argos diagram. Because of broadcasting and synchrony hypothesis output signals produced in some part of the program are instantaneously available to all the other parts that are listening to them. Denition 2 The parallel composition of two Argos programs A 1 and A 2 is the tuple A = (Q 1 Q 2 ; (q 01 ; q 02 ); T; In 1 [ In 2 n (Out 1 [ Out 2 ); Out 1 [ Out 2 ) where t 2 T can have one of the three following forms for t 1 = (q 1 ; M 1 ; O 1 ; q 0 1) 2 T 1 and t 2 = (q 2 ; M 2 ; O 2 ; q 0 2) 2 T 2 : t 1 = ((q 1 ; q 2 ); M 1 ; O 1 ; (q 0 1 ; q 2)) t 2 = ((q 1 ; q 2 ); M 2 ; O 2 ; (q 1 ; q 0 2)) t 12 = ((q 1 ; q 2 ); M 1 ^ M 2 ; O 1 [ O 2 ; (q 0 1 ; q0 2)) A computation of A is as before. Because Argos programs are deterministic, it is always uniquely determined which transition has to be executed. For any i 0, if E i+1 enables a t 12 transition then this is taken. If E i+1 enables a t 1 transition but not a t 12 transition, and similarly for a t 2 transition, then these are taken. Summing up: both components go to a next state if possible. Renement allows to rene states of Argos diagrams. Consider the program as given in Figure 1 with its initial state q0 rened by the program Figure 2. The initial state of the rening program is entered as soon as the rened state is entered. Similarly, the rening program is preempted as soon as the rened state is left. Consequently, the initial state of this program is fq0, a0, b0g. If g is present, c is emitted and the program goes to state fq0, a0, b1g. Note that d is not emitted since q1 does not belong to the actual state of the program. If a is present, then b is instantaneously emitted, and f and e as well, since a0 belongs to the actual state of the program. Then, q0 is left. The program Figure 2 is preempted and the state of the whole program is fq1g only. To make the denition more intuitive, we present it when one state is rened. The general denition renes all the states at once, possibly with a nil Argos diagram if the node is not rened.

4 Denition 3 The renement of an Argos diagram A 1 by the Argos program A 2 at state q 2 Q 1 is the tuple A = ((Q 1 n fqg) [ (fqg Q 2 ); q in ; T; In 1 [ In 1 n (Out 1 [ Out 2 ); Out 1 [ Out 2 ) with q in = q 01 if q 6= q 01, or q in = (q 01 ; q 02 ) if q = q 01. and where t 2 T can have one of the following forms for t 1 = (q 1 ; M 1 ; O 1 ; q 0 1) 2 T 1 and t 2 = (q 2 ; M 2 ; O 2 ; q 0 2) 2 T 2 : t 1 = t 1 if q 6= q 1 and q 6= q 2, t 2 = ((q 1 ; q 2 ); M 2 ; O 2 ; (q 1 ; q 0 2)) or t 12? = ((q 1 ; q 2 ); M 1 ^ M 2 ; O 1 [ O 2 ; q 0 1) for q = q 1 t 12+ = (q 1 ; M 1 ; O 1 ; (q 0 1 ; q o2)) for q = q 0 1 In a similar way as for parallel composition, a computation of A is a sequence such that for any i 0 the set E i+1 enables a t 12? transition, or enables a t 1 transition but not a t 12? or t 12+ transition, or enables a t 2 transition but not a t 12? transition. 2.1 Boolean Automata A BA reacts to some input signals taken from a set In, producing some output signals taken from a set Out. A reaction may depend on previous reactions. This memory is encoded by a nite set of registers R. By B(X) we denote the set of boolean formulas over X. Denition 4 A Boolean Automaton P is a tuple (R; In; Out; P! ; P! ) where R, the set of registers, In, the set of input signals, and Out, the set of output signals, are disjoint and nite. O = In [ Out are the observable signals. P! : Out?! B( [ R [ O) is the reaction function, P! : R?! B( [ R [ O) is the next state function, and fg is considered as the initial state; 62 R [ O. The reaction function P! is presented by equations using the arrow (, e.g. o (. It is evaluated at each instant and its value depends on signals as well as on registers. It denes the instantaneous reaction of the synchronous program, i.e. which output signals are present or absent in a reaction. The output signal o is present when evaluates to true in the equation o (. The synchronous compiler denes the sequence for evaluating the assignments o (. The next state function P! is presented by equations using the arrow. Its value depends on signals as well as on registers. It denes the value of the registers for the next instant, i.e. the state for the next instant. Again the register r is active in the next instant if evaluates to true in r. This evaluation terminates an instant. The assignments r may be executed in parallel. Consider Figure 3 which gives the BA of the Argos program Figure 1. The boolean equation for b translates the fact that b is emitted if the automaton is in state q0 and a is present while the one for d represents the fact that d is emitted if the automaton is in state q1 and c present and a absent. The automaton enters

5 state q0 initially, hence or if it was in q1 and c is present and a absent, hence (c ^ :a) ^ q1. It remains in state q0 as long as a is absent, hence :a ^ q0. The boolean equation for q1 obeys the same scheme. R 1 = fq0; q1g; In 1 = fa; cg; Out 1 = fb; dg P! 1 : b ( a ^ q0 P! 1 : q0 _ ((c ^ :a) ^ q1) _ (:a ^ q0) d ( (c ^ :a) ^ q1 q1 (a ^ q0) _ (:(c ^ :a) ^ q1) Fig. 3. Boolean Automaton of the Argos Automaton Figure 1. The parallel composition is the most relevant operation on BA. We compose two dierent automata and therefore their register sets are disjoint. Because of broadcast communication, output signals produced by one automaton are instantaneously available as inputs for another automaton which is composed in parallel. The two automata are then able to evolve to a next state. The reaction of the parallel composition is the union of the two reactions, and the next state is the union of the two next states. Denition 5 Let P 1 and P 2 be BA with R 1 \ R 2 = ;. P is the parallel composition of P 1 and P 2, denoted by P = P 1 k P 2, i: 1. R = R 1 [ R 2, O = O 1 [ O 2, Out = Out 1 [ Out 2, In = (In 1 [ In 2 ) n (Out 1 [ Out 2 ) 2. P! = P 1! _ P 2! 3. P! = P! 1 _ P! 2 where _ is taken component-wise and P!(x) =false if i x 62domain(P! i ), and similarly for P! i, i = 1; 2. α For our purposes, the computations of a BA are better presented by a {},{a}.{c},{a,c} {a,b},{a,c,b} {},{a},{a,c} labeled transition system. With abuse q0 q1 of notation, given a valuation of the {},{c} registers (i.e. those in R [ fg that {c,d} evaluate to true) and E a valuation of the signals (again those in O that are Fig. 4. The transition system of P 1. present), we denote by P! (; E) the set of output signals whose boolean formula evaluates to true and, similarly, we denote by P! (; E) the set of registers whose formula evaluates to true. Denition 6 The tuple T = (S; T; fg; R) is the labeled transition system of the synchronous automaton P i S 2 R[fg, T 2 O and R S S are the smallest sets such that (a) fg 2 S, and (b) if 2 S, I In, E = I [ P! (; E) and 0 = P! (; E) then 0 2 S, E 2 T and (; 0 ) 2 R. We write?! E 0 instead of (; 0 ) 2 R, E = I [ P! (; E) and 0 = P! (; E).

6 The transition system of P 1 is sketched Figure 4. Considering only deterministic Argos programs, the BA we obtain are free of causality problems [2, 11] and the reachability relation R of the associated labeled transition system is total. We turn now to the denition of homomorphism between transition systems. Denition 7 An homomorphism from the labeled transition system M = (S; T; s 0 ; R) to the labeled transition system M 1 = (S 1 ; T 1 ; s 1 0 ; R1 ) is a pair of relations (H 1 ; H 2 ) with H 1 S S 1, H 2 T T 1 such that whenever (; 1 ) 2 H, if?! E 0 then for some 10 and E 1 we have: 1?! E1 10, ( 0 ; 10 ) 2 H 1 and (E; E 1 ) 2 H 2. Having dened the parallel composition of two BA, it comes natural to ask how the behaviour of the compound BA is related to the behaviors of its components. Such a result requires Out 1 \ Out 2 = ;. Theorem 8 Let P = P 1 k P 2 with Out 1 \ Out 2 = ;. Then there is an homomorphism from (S; T; fg; R) to (S i ; T i ; fg; R i ), i = 1; 2. Proof. Showing by induction that if?! E 0 E\O then \ R i i?! 0 \ R i. 2.2 From Argos to Boolean Automata We begin with the translation of Argos diagrams into BA. Registers correspond exactly to states of the diagram. Let h be any state or register. Then its boolean equation has the following form: h h _ (: h ^ h) where h is the boolean condition to enter the state h and h is the boolean condition to leave the state h. They are obtained as follows. 1. If h is the W W initial state then h = _ (: h ^ ( r ^ M)) otherwise r h = : h ^ ( r r ^ M) for any transition (r; M; O; h). If h does not have any predecessor state, h is only. As will be shown below, h is used for renement. W In a diagram where h is not rened, h is set to false. 2. h = rm for any transition (h; M; O; r). If h does not have any successor state, h is simply false. Similarly boolean equations for signals have the following form: _ o ( (h ^ M) h for any transition (h; M; O; r) with o 2 O. It follows that two consecutive states h 1 and h 2 of an Argos diagram, consecutive in the sense that (h 1 ; M; O; h 2 ) is a transition, exhibit the following relation between their boolean equations: M occurs in h1 and in h2. The correctness of this translation is given in the following proposition.

7 Proposition 9 Let A be an Argos diagram and P its associated BA. Then q 0 E 1 q 1 : : : is a computation of A i fg?! E0 fq 0 g?! E1 fq 1 g : : : is a sequence of the transition system of P. Proof. By induction taking E 0 = ;. Boolean automata obtained from Argos programs are called Argos BA. Obviously, the BA for the parallel composition of two Argos programs is obtained taking the parallel composition of the two BA. As an Argos diagram is rened at some state q by another Argos program with dierent states, an Argos BA P 1 is rened at register h by some (Argos) BA P 2 giving the BA P. The register sets of P 1 and P 2 are assumed to be disjoint. P 2 becomes active when state h is entered. Thus, of P 2 has to be substituted by h in the resulting BA P. As soon as state h is exited, P 2 has to be exited as well. This also means that no new state of P 2 can be entered if h has to be exited. Hence, for any register h 2 of P 2, h2 as well as h2 have to be substituted by h2 _ h, h2 _ h respectively, in the resulting BA P. The renement of a state on an Argos BA with another Argos BA accounts to put them in parallel restricting the situations in which the second BA is active. Denition 10 Let P 1 and P 2 be Argos BA with R 1 \ R 2 = ; and h 2 R 1. P is the renement of P 1 by P 2 at h, denoted by P = P 1 h P 2, i conditions 1 and 2 of Denition 5 holds and condition 3 is replaced by the following one: 3 0. P! = P! 1 _ P! 2R where P! 2R is obtained from P! 2 substituting by h, h2 by h2 _ h and h2 by h2 _ h in the boolean equation of any register h 2 of R 2. Figure 5 shows the BA when q0 Figure 1 is rened by the program Figure 2. By structural induction Proposition 9 is generalized to Argos programs. R = fq0; q1; a0; a1; b0; b1g; In = fa; gg; Out = fb; c; d; fg P! : b ( a ^ q0 P! : q0 _ ((c ^ :a) ^ q1) _ (:a ^ q0) d ( (c ^ :a) ^ q1 q1 (a ^ q0) _ (:(c ^ :a) ^ q1) f ( b ^ a0 a0 _ ((c ^ :a) ^ q1) _ (:(b _ a) ^ a0) e ( b ^ a0 a1 (:a ^ b ^ a0) _ (:a ^ a1) c ( g ^ b0 b0 _ ((c ^ :a) ^ q1) _ (:(g _ a) ^ b0) b1 (:a ^ g ^ b0) _ (:a ^ b1) Fig. 5. Boolean Automaton of the Argos Automaton Figure 1. Since renement is not symmetric, the result of Theorem 8 holds in a weaker form. P 1 can simulate P but P 2 can simulate P only when state h is entered and only as long as state h holds.

8 Theorem 11 Let P = P 1 h P 2 with Out 1 \ Out 2 = ;. Then there is an homomorphism from (S; T; fg; R) to (S 1 ; T 1 ; fg; R 1 ). Theorem 12 Let P = P 1 h P 2, with Out 1 \ Out 2 = ;. Let fg?! E0 E 1 1?! 2 E 2?! 3 : : : be a sequence of the transition system of P. Suppose this sequence E contains a sub-sequence i E i?! i+1 i+1?! i+2 : : : i+n with h 62 i and h 2 i+j for 1 j n; i 0. Then exists a sequence fg?! E E 1 1?! 0 0 E 2 2?! 0 3 : : : of the transition system of P 2 such that 0 = j i+j \R 2, 1 j n, and E 0 = j E i+j \O 2 for 0 j n. The translation scheme shows a clear connection between between parallel composition and renement: W plays a similar key role in both denitions. 3 Modular Verication The logic 8CTL is a subset of CTL [5, 4]. It is constructed with the quantier 8 only, and the usual four path operators: X (next), U (until), F (future) and G (generally). Negations are allowed at the level of atomic propositions only. 8CTL formulas are interpreted on structures K = (M; R; L; m in ; P ). M is a set of states, R M M is the reachability relation, m in is the initial state, P is a set of atomic propositions, L is a labelling function which associates to any state the set of atomic propositions true at that state. A path = m 0 ; m 1 ; : : : in K is an innite sequence of states of M such that 8i 0: (m i ; m i+1 ) 2 R. We refer to [5, 4] for the full denitions. The structure of a boolean automaton is almost its labeled transition system, except that labeled transitions become part of the labels attached to states. Denition 13 Let P be a BA, (S; T; fg; R) be its labeled transition system. Its structure is K = (S; R; L; fg; R [ O) where L: S?! R [ O, the labelling function, is dened by L() = [ E where E 2 T is such that 0?! E. We say that a BA P satises a state formula, P j=, i fg j=. The homomorphism of Theorem 11 induces a close relation between the paths in the structure of P and the paths in the structure of P 1. Lemma 14 Let P = P 1 h P 2 with Out 1 \ Out 2 = ;. Let K and K 1 be the structures of P 1 and P 1. Let 2 S and 0 2 S 1 such that (; 0 ) 2 H 1. Then for every path = 0 1 : : : with 0 = in K, there exists a path 0 = : : : with 0 0 = 0 in K 1 such that for every i 0, ( i ; 0 i ) 2 H 1 and, by the choice of H 2, L( i ) \ (R 1 [ O 1 ) = L 1 ( 0 i ): We make a slight abuse of notations and for such paths, we write (; 0 ) 2 H 1. The disjointness of the output signal sets is essential. Suppose the program of Figure 2 is modied to emit d when g is present. Again suppose state q0 of Figure 1 is rened by the program in Figure 2. One can obtain the following path: fg?! fq0; a0; b0g?! fq0; a0; b1; g; c; dg : : :. Its projection on (R 1 [O 1 ) is not legal for Figure 1. A structural induction on the formulas and gives:

9 Lemma 15 Let P = P 1 h P 2 with Out 1 \ Out 2 = ;. Let K and K 1 be the structures of P and P 1. Let be a state formula and be a path formula with atomic propositions in R 1 [ O 1. Let and 0 be paths with (; 0 ) 2 H 1. If 0 j= then j=. Let (m; m 0 ) 2 M M 0 with (m; m 0 ) 2 H 1. If m 0 j= then m j=. By Theorem 8, similar results can be obtained for parallel composition. Using these Lemmata, one can easily deduce: Theorem 16 Let P 1 and P 2 be two BA with Out 1 \Out 2 = ; and be a 8CTL state formula. Let P = P 1 h P 2, with atomic propositions in R 1 [ O 1 : if P 1 j= then P j=. Let P = P 1 k P 2, with atomic propositions in R i [ O i : if P i j= then P j=, i = 1 or 1 = 2. The result one can achieve with the rening automaton P 2 is much weaker since it is preempted any time the rened register h is left. The formula (b0^g)! F b1 is true for the Argos program Figure 2 but it is not true anymore for the program obtained when Program 2 renes Program 1 at q0 since g and a could be present in the same instant. If is a formula true for every state in P 2, the formula one can derive for P is roughly: holds as long as the state h is active. This is formulated below. Proposition 17 Let P = P 1 h P 2 with Out 1 \Out 2 = ;. Let 8G with atomic propositions in R 2 [ O 2 : if P 2 j= 8G then P j= 8G (h! ( _ F:h)). As an example, using Theorem 16, the property q 0 ^ a ) AX q 1 true for the module Figure 1 is also true when initial state q0 is rened by the program Figure 2. 4 Conclusions This paper presents a translation of Argos programs into Boolean Automata, which shows a clear connection between parallel composition and renement. Consequences for modular formal verication are given. We have used these results to formally verify a time triggered protocol modularly [10]. Our present work relies on the translation scheme for Argos and other synchronous languages as given in [7, 11]. Another translation format exists (see [1]). The work in [9] presents also a translation of Argos into Boolean equations. Further the connection between parallel composition and renement has also been pointed out in [8] using other arguments. We have restricted our presentation to the case where Argos programs are rened by other Argos programs, but in general Argos programs can be re- ned by other synchronous programs and we think that our verication results still apply. In this way, various synchronous languages can be combined to produce one executable reactive program [11]. The verication results have been

10 established for the Statecharts variant Argos, but we believe that they also hold for other Statecharts variants where inter-level transitions are allowed as in [6]. Indeed, the key Theorems 11 and 12 can be generalized to include inter-level transitions. Another future work is to consider sensible classes of safety properties that, when true for the rening program, yield properties also true for the whole program. Safety properties are very crucial for the verication of real time systems. In [3] it has been shown how to translate safety properties expressed as past temporal logic formulas into BAs. As these safety properties are a subset of 8CTL formulas, Proposition 17 could be strengthened and nice classes in terms of rening programs should exist. References 1. A. Benveniste. Synchronous languages provide safety in reactive system design. Control Engineering, September A. Benveniste and G. Berry. The synchronous approach to reactive and real-time systems. Proceedings of the IEEE, 79(9), R. Budde and A. Merceron. Verifying a time-triggered protocol in a multi-language environment. In PART'98, pages 45{56. Springer-Verlag, E. Clarke, O. Grunberg, and D. Long. Verication tools for nite-state concurrent systems. In A Decade of Concurrency. REX Symposium 1993, LNCS 803, pages 1{45. Springer-Verlag, O. Grumberg and D.E. Long. Model checking and modular verication. ACM Transactions on Programming Languages and Systems, 16:843{871, D. Harel. Statecharts: A visual approach to complex systems. Science of Computer Programming, 8:231{275, M. Kubiczek and L. Holenderski. Compiling TARGOS to boolean automata. Technical report, GMD, Schloss Birlinghoven, D Sankt Augustin, F. Maraninchi. Argos: a graphical language for the description of reactive systems. Spectre report 29, LGI, Imag-Campus, BP 53X, F Grenoble Cedex, F. Maraninchi and N. Halbwachs. Compiling argos into boolean equations. In FTRTFT'96, LNCS 1135, pages 312{328. Springer-Verlag, A. Merceron, M. Mullerburg, and G. M. Pinna. Verifying a time-triggered protocol in a multi-language environment. In SAFECOMP98, LNCS 1516, pages 73{82. Springer-Verlag, A. Poigne, M. Morley, O. Maes, L. Holendersky, and R. Budde. The synchronous approach to designing reactive systems. Formal Methods in System Design, 12:163{ 187, 1998.