Modular verification of Argos Programs

Agathe Merceron (1) and G. Michele Pinna (2)
(1) Basser Department of Computer Science, University of Sydney, Madsen Building F09, NSW 2006, Australia, agathe@staff.cs.su.oz.au
(2) Dipartimento di Matematica, Università di Siena, Via del Capitano 15, I-53100 Siena, Italy, pinna@mat.unisi.it

Abstract. Synchronous languages have been proposed to specify reactive real-time systems. Since such systems are used in safety-critical areas, their formal verification is crucial. For machine and human efficiency, modular verification is advisable. For the synchronous language Argos, a Statecharts variant, modular verification means having a method compatible with parallel composition and refinement. We present a translation of Argos programs into Boolean Automata. This translation clarifies the relation between refinement and parallel composition. We deduce modular verification results for properties expressed as ∀CTL formulas.

1 Introduction

Synchronous languages have been proposed to specify reactive real-time systems [2]. A reactive system interacts constantly with its environment. In the synchronous approach, the environment produces input signals and the system reacts with output signals quickly enough that inputs and outputs appear to be synchronous; this is known as the synchrony hypothesis [2]. Such a reaction constitutes the basic time unit, called an instant. Signals are broadcast. Because reactive systems are used in areas where safety is a critical issue, their formal verification is crucial [2, 1]. Automatic verification methods have been put forward to formally verify systems where control is prevalent, which is quite often the case for at least a core part of a reactive system. A well-known automatic verification method is model checking [4]. Modular verification is advantageous because it allows one to consider simpler properties on smaller systems.
The modules and the properties should be chosen in such a way that what has been proved for a module can be inherited by the whole system. This paper presents results on modular verification considering model checking of Argos programs and the logic ∀CTL. The language Argos is a synchronous variant of Statecharts without inter-level transitions [6, 8]. In Statecharts the two main operators to compose modules are parallel composition and refinement [6]. Our work relies on a translation scheme common to synchronous languages, the Boolean Automata [11, 7], BA for short. We first show how to cast Argos programs into BA. This casting clarifies the relation existing between refinement and parallel composition, which is not obvious in Statecharts.

This insight suggests the results that can be achieved with respect to modular verification versus refinement. Modular verification versus parallel composition has already been studied [5], and we show that similar results hold for Argos programs: if a property holds for a component, it holds also for the whole program. An Argos program Q can refine some state h of another Argos program P, giving the resulting program R. Roughly we obtain: a property that holds for P also holds for R, whereas a property that holds for Q holds for R as long as control is in h. In the next section we present Argos, Boolean Automata, the translation of Argos programs into BA, and list some properties of the BA so obtained. The parallel composition of BA turns out to be the key operation behind both parallel composition and refinement. Section 3 introduces ∀CTL and the modular verification results. For lack of space, full proofs are omitted. Concluding remarks, related work and outlook are given in Section 4.

2 Argos and Boolean Automata

Diagrams that build Argos programs may be seen as Mealy machines where a transition from a state q_i to a state q_j is labelled by a boolean expression followed by output signals. Consider the Argos diagram of Figure 1. The initial state is the one drawn in bold, q0. The automaton stays in state q0 as long as the input signal a is absent. If a is present, the automaton goes to state q1 emitting b. The automaton stays in state q1 as long as c is absent or a is present. When c is present and a absent, which is coded by c.¬a, the automaton goes back to q0 emitting d.

Fig. 1. A simple Argos diagram: states q0 (initial) and q1, transition q0 → q1 labelled a/b, transition q1 → q0 labelled c.¬a/d.

Let S be an alphabet; a literal is an element of S or its negation, and we denote by M(S) the set of boolean conjunctions of literals of S.
Definition 1 An Argos diagram is a tuple A = (Q, q_0, T, In, Out) where Q is a finite set of states and q_0 is the initial state; In is a set of input signals and Out is a set of output signals; O = In ∪ Out is called the set of observable signals; T ⊆ Q × M(In) × 2^Out × Q is the set of transitions. A transition t = (q_i, M, O, q_j) has three parts: the source state q_i, the target state q_j and the label (M, O). M is the condition part of the label and O is the output part.

A computation of A is a sequence of states and sets of signals q_0 E_1 q_1 ... q_n or q_0 E_1 q_1 ... such that for any 0 ≤ i < n (or i ≥ 0) the set E_{i+1} either does not enable any transition t = (q_i, M, O, q), and one has q_i = q_{i+1}, or it enables the transition t = (q_i, M, O, q_{i+1}), where enable means: O ⊆ E_{i+1}, E_{i+1} ∖ O ⊆ In, and M evaluates to true when any non-negated literal l is set to true iff l ∈ E_{i+1}, and conversely for negated literals. Argos programs are assumed to be deterministic (which is checked by the compiler): given a set of input signals and a state of the diagram, at most one transition is enabled, so the next state is uniquely determined. q_0 {a, b} q_1 {a} q_1 {c, d} q_0 ... is a computation of the Argos diagram in Figure 1.

The parallel composition of two programs is represented by putting them side by side. Figure 2 composes two diagrams in parallel. A state of the Argos program now consists of two diagram states. The initial state is {a0, b0}. If b is present, control goes to state {a1, b0} emitting f and e. If g is present, it goes to {a0, b1} emitting c, and if both are present it goes to the final state {a1, b1} emitting {f, e, c}.

Fig. 2. The parallel composition of two Argos diagrams: a0 → a1 labelled b/f,e and b0 → b1 labelled g/c.

Because of broadcasting and the synchrony hypothesis, output signals produced in some part of the program are instantaneously available to all the other parts that are listening to them.

Definition 2 The parallel composition of two Argos programs A_1 and A_2 is the tuple A = (Q_1 × Q_2, (q_01, q_02), T, (In_1 ∪ In_2) ∖ (Out_1 ∪ Out_2), Out_1 ∪ Out_2) where t ∈ T can have one of the three following forms, for t_1 = (q_1, M_1, O_1, q'_1) ∈ T_1 and t_2 = (q_2, M_2, O_2, q'_2) ∈ T_2:
t_1 = ((q_1, q_2), M_1, O_1, (q'_1, q_2))
t_2 = ((q_1, q_2), M_2, O_2, (q_1, q'_2))
t_12 = ((q_1, q_2), M_1 ∧ M_2, O_1 ∪ O_2, (q'_1, q'_2))

A computation of A is as before. Because Argos programs are deterministic, it is always uniquely determined which transition has to be executed. For any i ≥ 0, if E_{i+1} enables a t_12 transition then this is taken. If E_{i+1} enables a t_1 transition but not a t_12 transition, and similarly for a t_2 transition, then these are taken. Summing up: both components go to a next state if possible.

Refinement allows one to refine states of Argos diagrams. Consider the program of Figure 1 with its initial state q0 refined by the program of Figure 2. The initial state of the refining program is entered as soon as the refined state is entered. Similarly, the refining program is preempted as soon as the refined state is left.
Consequently, the initial state of this program is {q0, a0, b0}. If g is present, c is emitted and the program goes to state {q0, a0, b1}. Note that d is not emitted, since q1 does not belong to the current state of the program. If a is present, then b is instantaneously emitted, and f and e as well, since a0 belongs to the current state of the program. Then q0 is left. The program of Figure 2 is preempted and the state of the whole program is {q1} only. To make the definition more intuitive, we present it when one state is refined. The general definition refines all the states at once, possibly with a nil Argos diagram if the node is not refined.

Definition 3 The refinement of an Argos diagram A_1 by the Argos program A_2 at state q ∈ Q_1 is the tuple A = ((Q_1 ∖ {q}) ∪ ({q} × Q_2), q_in, T, (In_1 ∪ In_2) ∖ (Out_1 ∪ Out_2), Out_1 ∪ Out_2) with q_in = q_01 if q ≠ q_01, or q_in = (q_01, q_02) if q = q_01, and where t ∈ T can have one of the following forms, for t_1 = (q_1, M_1, O_1, q'_1) ∈ T_1 and t_2 = (q_2, M_2, O_2, q'_2) ∈ T_2:
t_1 = t_1 if q ≠ q_1 and q ≠ q_2,
t_2 = ((q_1, q_2), M_2, O_2, (q_1, q'_2)) or t_12− = ((q_1, q_2), M_1 ∧ M_2, O_1 ∪ O_2, q'_1) for q = q_1,
t_12+ = (q_1, M_1, O_1, (q'_1, q_02)) for q = q'_1.

In a similar way as for parallel composition, a computation of A is a sequence such that for any i ≥ 0 the set E_{i+1} enables a t_12− transition, or enables a t_1 transition but not a t_12− or t_12+ transition, or enables a t_2 transition but not a t_12− transition.

2.1 Boolean Automata

A BA reacts to some input signals taken from a set In, producing some output signals taken from a set Out. A reaction may depend on previous reactions. This memory is encoded by a finite set of registers R. By B(X) we denote the set of boolean formulas over X.

Definition 4 A Boolean Automaton P is a tuple (R, In, Out, P^ω, P^→) where R, the set of registers, In, the set of input signals, and Out, the set of output signals, are disjoint and finite. O = In ∪ Out are the observable signals. P^ω : Out → B({α} ∪ R ∪ O) is the reaction function, P^→ : R → B({α} ∪ R ∪ O) is the next state function, and {α} is considered as the initial state; α ∉ R ∪ O.

The reaction function P^ω is presented by equations using the arrow ←, e.g. o ← φ. It is evaluated at each instant and its value depends on signals as well as on registers. It defines the instantaneous reaction of the synchronous program, i.e. which output signals are present or absent in a reaction. The output signal o is present when φ evaluates to true in the equation o ← φ. The synchronous compiler defines the sequence for evaluating the assignments o ← φ.
The next state function P^→ is presented by equations using the arrow ⇐, e.g. r ⇐ φ. Its value depends on signals as well as on registers. It defines the value of the registers for the next instant, i.e. the state for the next instant. Again, the register r is active in the next instant if φ evaluates to true in r ⇐ φ. This evaluation terminates an instant. The assignments r ⇐ φ may be executed in parallel.

Consider Figure 3, which gives the BA of the Argos program of Figure 1. The boolean equation for b translates the fact that b is emitted if the automaton is in state q0 and a is present, while the one for d represents the fact that d is emitted if the automaton is in state q1 and c is present and a absent. The automaton enters state q0 initially, hence α, or if it was in q1 and c is present and a absent, hence (c ∧ ¬a) ∧ q1. It remains in state q0 as long as a is absent, hence ¬a ∧ q0. The boolean equation for q1 obeys the same scheme.

R_1 = {q0, q1}; In_1 = {a, c}; Out_1 = {b, d}
P^ω_1:  b ← a ∧ q0
        d ← (c ∧ ¬a) ∧ q1
P^→_1:  q0 ⇐ α ∨ ((c ∧ ¬a) ∧ q1) ∨ (¬a ∧ q0)
        q1 ⇐ (a ∧ q0) ∨ (¬(c ∧ ¬a) ∧ q1)
Fig. 3. Boolean Automaton of the Argos automaton of Figure 1.

The parallel composition is the most relevant operation on BA. We compose two different automata and therefore their register sets are disjoint. Because of broadcast communication, output signals produced by one automaton are instantaneously available as inputs for another automaton which is composed in parallel. The two automata are then able to evolve to a next state. The reaction of the parallel composition is the union of the two reactions, and the next state is the union of the two next states.

Definition 5 Let P_1 and P_2 be BA with R_1 ∩ R_2 = ∅. P is the parallel composition of P_1 and P_2, denoted by P = P_1 ∥ P_2, iff:
1. R = R_1 ∪ R_2, O = O_1 ∪ O_2, Out = Out_1 ∪ Out_2, In = (In_1 ∪ In_2) ∖ (Out_1 ∪ Out_2)
2. P^ω = P^ω_1 ∨ P^ω_2
3. P^→ = P^→_1 ∨ P^→_2
where ∨ is taken component-wise and P^ω_i(x) = false if x ∉ domain(P^ω_i), and similarly for P^→_i, i = 1, 2.

For our purposes, the computations of a BA are better presented by a labeled transition system. With abuse of notation, given a valuation σ of the registers (i.e. those in R ∪ {α} that evaluate to true) and a valuation E of the signals (again those in O that are present), we denote by P^ω(σ, E) the set of output signals whose boolean formula evaluates to true and, similarly, we denote by P^→(σ, E) the set of registers whose formula evaluates to true.

Fig. 4. The transition system of P_1: states {α}, {q0}, {q1}; {α} → {q0} labelled {}, {a}, {c}, {a,c}; {q0} → {q0} labelled {}, {c}; {q0} → {q1} labelled {a,b}, {a,c,b}; {q1} → {q1} labelled {}, {a}, {a,c}; {q1} → {q0} labelled {c,d}.
Definition 6 The tuple T = (S, T, {α}, R) is the labeled transition system of the synchronous automaton P iff S ⊆ 2^{R ∪ {α}}, T ⊆ 2^O and R ⊆ S × S are the smallest sets such that (a) {α} ∈ S, and (b) if σ ∈ S, I ⊆ In, E = I ∪ P^ω(σ, E) and σ' = P^→(σ, E), then σ' ∈ S, E ∈ T and (σ, σ') ∈ R. We write σ -E→ σ' instead of (σ, σ') ∈ R, E = I ∪ P^ω(σ, E) and σ' = P^→(σ, E).

The transition system of P_1 is sketched in Figure 4. Considering only deterministic Argos programs, the BA we obtain are free of causality problems [2, 11], and the reachability relation R of the associated labeled transition system is total. We turn now to the definition of homomorphism between transition systems.

Definition 7 A homomorphism from the labeled transition system M = (S, T, s_0, R) to the labeled transition system M_1 = (S_1, T_1, s^1_0, R^1) is a pair of relations (H_1, H_2) with H_1 ⊆ S × S_1, H_2 ⊆ T × T_1 such that whenever (σ, σ_1) ∈ H_1, if σ -E→ σ' then for some σ'_1 and E_1 we have: σ_1 -E_1→ σ'_1, (σ', σ'_1) ∈ H_1 and (E, E_1) ∈ H_2.

Having defined the parallel composition of two BA, it is natural to ask how the behaviour of the compound BA is related to the behaviours of its components. Such a result requires Out_1 ∩ Out_2 = ∅.

Theorem 8 Let P = P_1 ∥ P_2 with Out_1 ∩ Out_2 = ∅. Then there is a homomorphism from (S, T, {α}, R) to (S_i, T_i, {α}, R_i), i = 1, 2.
Proof. By induction, showing that if σ -E→ σ' then σ ∩ R_i -(E ∩ O_i)→ σ' ∩ R_i.

2.2 From Argos to Boolean Automata

We begin with the translation of Argos diagrams into BA. Registers correspond exactly to states of the diagram. Let h be any state or register. Then its boolean equation has the following form:
h ⇐ χ_h ∨ (¬ξ_h ∧ h)
where χ_h is the boolean condition to enter the state h and ξ_h is the boolean condition to leave the state h. They are obtained as follows.
1. If h is the initial state then χ_h = α ∨ (¬ξ_h ∧ ⋁_r (r ∧ M)), otherwise χ_h = ¬ξ_h ∧ ⋁_r (r ∧ M), for any transition (r, M, O, h). If h does not have any predecessor state, χ_h is α only. As will be shown below, this is used for refinement. In a diagram where h is not refined, it is set to false.
2. ξ_h = ⋁ M for any transition (h, M, O, r). If h does not have any successor state, ξ_h is simply false.
Similarly, boolean equations for signals have the following form:
o ← ⋁_h (h ∧ M) for any transition (h, M, O, r) with o ∈ O.

It follows that two consecutive states h_1 and h_2 of an Argos diagram, consecutive in the sense that (h_1, M, O, h_2) is a transition, exhibit the following relation between their boolean equations: M occurs in ξ_{h1} and in χ_{h2}. The correctness of this translation is given in the following proposition.

Proposition 9 Let A be an Argos diagram and P its associated BA. Then q_0 E_1 q_1 ... is a computation of A iff {α} -E_0→ {q_0} -E_1→ {q_1} ... is a sequence of the transition system of P.
Proof. By induction, taking E_0 = ∅.

Boolean automata obtained from Argos programs are called Argos BA. Obviously, the BA for the parallel composition of two Argos programs is obtained by taking the parallel composition of the two BA. As an Argos diagram is refined at some state q by another Argos program with different states, an Argos BA P_1 is refined at register h by some (Argos) BA P_2, giving the BA P. The register sets of P_1 and P_2 are assumed to be disjoint. P_2 becomes active when state h is entered. Thus, α of P_2 has to be substituted by χ_h in the resulting BA P. As soon as state h is exited, P_2 has to be exited as well. This also means that no new state of P_2 can be entered if h has to be exited. Hence, for any register h_2 of P_2, ξ_{h2} has to be substituted by ξ_{h2} ∨ ξ_h, in the entry condition χ_{h2} as well as in the equation of h_2, in the resulting BA P. The refinement of a state of an Argos BA with another Argos BA amounts to putting them in parallel while restricting the situations in which the second BA is active.

Definition 10 Let P_1 and P_2 be Argos BA with R_1 ∩ R_2 = ∅ and h ∈ R_1. P is the refinement of P_1 by P_2 at h, denoted by P = P_1 ⊳_h P_2, iff conditions 1 and 2 of Definition 5 hold and condition 3 is replaced by the following one:
3'. P^→ = P^→_1 ∨ P^→_{2R}, where P^→_{2R} is obtained from P^→_2 by substituting α by χ_h and ξ_{h2} by ξ_{h2} ∨ ξ_h (in χ_{h2} as well as in the equation of h_2) in the boolean equation of any register h_2 of R_2.

Figure 5 shows the BA when q0 of Figure 1 is refined by the program of Figure 2. By structural induction, Proposition 9 is generalized to Argos programs.

R = {q0, q1, a0, a1, b0, b1}; In = {a, g}; Out = {b, c, d, f}
P^ω:  b ← a ∧ q0
      d ← (c ∧ ¬a) ∧ q1
      f ← b ∧ a0
      e ← b ∧ a0
      c ← g ∧ b0
P^→:  q0 ⇐ α ∨ ((c ∧ ¬a) ∧ q1) ∨ (¬a ∧ q0)
      q1 ⇐ (a ∧ q0) ∨ (¬(c ∧ ¬a) ∧ q1)
      a0 ⇐ α ∨ ((c ∧ ¬a) ∧ q1) ∨ (¬(b ∨ a) ∧ a0)
      a1 ⇐ (¬a ∧ b ∧ a0) ∨ (¬a ∧ a1)
      b0 ⇐ α ∨ ((c ∧ ¬a) ∧ q1) ∨ (¬(g ∨ a) ∧ b0)
      b1 ⇐ (¬a ∧ g ∧ b0) ∨ (¬a ∧ b1)
Fig. 5. Boolean Automaton of the Argos automaton of Figure 1.

Since refinement is not symmetric, the result of Theorem 8 holds in a weaker form. P_1 can simulate P, but P_2 can simulate P only when state h is entered and only as long as state h holds.

Theorem 11 Let P = P_1 ⊳_h P_2 with Out_1 ∩ Out_2 = ∅. Then there is a homomorphism from (S, T, {α}, R) to (S_1, T_1, {α}, R_1).

Theorem 12 Let P = P_1 ⊳_h P_2 with Out_1 ∩ Out_2 = ∅. Let {α} -E_0→ σ_1 -E_1→ σ_2 -E_2→ σ_3 ... be a sequence of the transition system of P. Suppose this sequence contains a sub-sequence σ_i -E_i→ σ_{i+1} -E_{i+1}→ σ_{i+2} ... σ_{i+n} with h ∉ σ_i and h ∈ σ_{i+j} for 1 ≤ j ≤ n, i ≥ 0. Then there exists a sequence {α} -E'_0→ σ'_1 -E'_1→ σ'_2 -E'_2→ σ'_3 ... of the transition system of P_2 such that σ'_j = σ_{i+j} ∩ R_2 for 1 ≤ j ≤ n, and E'_j = E_{i+j} ∩ O_2 for 0 ≤ j ≤ n.

The translation scheme shows a clear connection between parallel composition and refinement: ∨ plays a similar key role in both definitions.

3 Modular Verification

The logic ∀CTL is a subset of CTL [5, 4]. It is constructed with the quantifier ∀ only, and the usual four path operators: X (next), U (until), F (future) and G (generally). Negations are allowed at the level of atomic propositions only. ∀CTL formulas are interpreted on structures K = (M, R, L, m_in, P). M is a set of states, R ⊆ M × M is the reachability relation, m_in is the initial state, P is a set of atomic propositions, and L is a labelling function which associates to any state the set of atomic propositions true at that state. A path π = m_0, m_1, ... in K is an infinite sequence of states of M such that ∀i ≥ 0: (m_i, m_{i+1}) ∈ R. We refer to [5, 4] for the full definitions.

The structure of a boolean automaton is almost its labeled transition system, except that labeled transitions become part of the labels attached to states.

Definition 13 Let P be a BA and (S, T, {α}, R) its labeled transition system. Its structure is K = (S, R, L, {α}, R ∪ O) where L : S → 2^{R ∪ O}, the labelling function, is defined by L(σ) = σ ∪ E where E ∈ T is such that σ' -E→ σ. We say that a BA P satisfies a state formula φ, written P ⊨ φ, iff {α} ⊨ φ.

The homomorphism of Theorem 11 induces a close relation between the paths in the structure of P and the paths in the structure of P_1.
Lemma 14 Let P = P_1 ⊳_h P_2 with Out_1 ∩ Out_2 = ∅. Let K and K_1 be the structures of P and P_1. Let σ ∈ S and σ' ∈ S_1 such that (σ, σ') ∈ H_1. Then for every path π = σ_0 σ_1 ... with σ_0 = σ in K, there exists a path π' = σ'_0 σ'_1 ... with σ'_0 = σ' in K_1 such that for every i ≥ 0, (σ_i, σ'_i) ∈ H_1 and, by the choice of H_2, L(σ_i) ∩ (R_1 ∪ O_1) = L_1(σ'_i). We make a slight abuse of notation and for such paths we write (π, π') ∈ H_1.

The disjointness of the output signal sets is essential. Suppose the program of Figure 2 is modified to emit d when g is present. Again suppose state q0 of Figure 1 is refined by the program in Figure 2. One can obtain the following path: {α} → {q0, a0, b0} → {q0, a0, b1, g, c, d} .... Its projection on (R_1 ∪ O_1) is not legal for Figure 1. A structural induction on the formulas gives:
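The following Python program is an example added here; it is not the authors' code, and its formula encoding and all function names (argos_to_ba, lts, parallel, refine, projection_violations) are this example's own. It implements the translation of Section 2.2, builds the labeled transition system of Definition 6 (computing E as the least fixpoint of E = I ∪ P^ω(σ, E)), composes BA as in Definition 5, and refines as in Definition 10; the two substitutions used for refinement (α replaced by χ_h, every ξ_{h2} weakened to ξ_{h2} ∨ ξ_h) are read off Figure 5 and are this example's reading of the definition. Run on the constructed Figures 1 and 2 it reproduces the transition system of Figure 4, the input set In = {a, g} of Figure 5, and the projection property behind Theorems 8 and 11; run on the variant of Figure 2 that also emits d, it exhibits the offending transition of the counterexample above.

```python
"""Boolean Automata: Argos translation, labeled transition system, parallel
composition, refinement and the projection check of Theorems 8/11.
Added example; encoding and names are this example's assumptions."""
from itertools import chain, combinations

ALPHA = "alpha"  # the initial-state register, written α in the paper

# Formulas: an atom (str), ("not", f), ("and", f, g) or ("or", f, g, ...);
# the empty disjunction ("or",) stands for false.
def ev(f, true_atoms):
    """Evaluate f under the set of registers and signals that currently hold."""
    if isinstance(f, str):
        return f in true_atoms
    op, *args = f
    if op == "not":
        return not ev(args[0], true_atoms)
    vals = [ev(a, true_atoms) for a in args]
    return all(vals) if op == "and" else any(vals)

def big_or(fs):
    return ("or",) + tuple(fs)

class Reg:
    """Register equation h <= entry v (not xi & (core v h)), kept structured so
    refinement can rewrite entry and xi without touching the inside of core."""
    def __init__(self, entry, core, xi):
        self.entry, self.core, self.xi = entry, core, xi
    def chi(self):           # entry condition χ_h of Section 2.2
        return ("or", self.entry, ("and", ("not", self.xi), self.core))
    def formula(self, h):    # h <= χ_h v (not ξ_h & h)
        return ("or", self.chi(), ("and", ("not", self.xi), h))

class BA:
    def __init__(self, regs, inputs, outputs, react):
        self.regs, self.inputs, self.outputs, self.react = regs, inputs, outputs, react

def argos_to_ba(states, init, trans, inputs):
    """Section 2.2: one register per state; trans is a list of (src, M, O, dst)."""
    regs, react = {}, {}
    for h in states:
        core = big_or(("and", r, M) for r, M, O, d in trans if d == h)
        xi = big_or(M for s, M, O, d in trans if s == h)
        regs[h] = Reg(ALPHA if h == init else big_or([]), core, xi)
    outputs = {o for s, M, O, d in trans for o in O}
    for o in outputs:
        react[o] = big_or(("and", s, M) for s, M, O, d in trans if o in O)
    return BA(regs, set(inputs), outputs, react)

def subsets(xs):
    xs = sorted(xs)
    return chain.from_iterable(combinations(xs, k) for k in range(len(xs) + 1))

def lts(ba):
    """Definition 6: all (σ, E, σ') reachable from {α}. E is the least fixpoint of
    E = I ∪ P^ω(σ, E); it exists because Argos BA are free of causality problems."""
    nxt = {h: r.formula(h) for h, r in ba.regs.items()}
    start = frozenset([ALPHA])
    seen, todo, edges = {start}, [start], set()
    while todo:
        s = todo.pop()
        for I in subsets(ba.inputs):
            E = set(I)
            while True:
                new = E | {o for o, f in ba.react.items() if ev(f, s | E)}
                if new == E:
                    break
                E = new
            s2 = frozenset(h for h, f in nxt.items() if ev(f, s | E))
            edges.add((s, frozenset(E), s2))
            if s2 not in seen:
                seen.add(s2)
                todo.append(s2)
    return edges

def compose(p1, p2, regs2):
    """Conditions 1 and 2 shared by Definitions 5 and 10 (P^ω = P^ω_1 v P^ω_2)."""
    react = dict(p1.react)
    for o, f in p2.react.items():
        react[o] = ("or", react[o], f) if o in react else f
    return BA({**p1.regs, **regs2}, (p1.inputs | p2.inputs) - (p1.outputs | p2.outputs),
              p1.outputs | p2.outputs, react)

def parallel(p1, p2):
    return compose(p1, p2, p2.regs)

def refine(p1, p2, h):
    """Definition 10 as read off Figure 5 (this example's assumption): α of P2
    becomes χ_h and every ξ_h2 of P2 becomes ξ_h2 v ξ_h."""
    rh = p1.regs[h]
    regs2 = {k: Reg(rh.chi() if r.entry == ALPHA else r.entry, r.core, ("or", r.xi, rh.xi))
             for k, r in p2.regs.items()}
    return compose(p1, p2, regs2)

def projection_violations(p, p1):
    """Transitions of P whose projection on P1 (registers plus α, observables O_1)
    is not a transition of P1; empty iff P1 simulates P as in Theorems 8 and 11."""
    keep, o1, t1 = set(p1.regs) | {ALPHA}, p1.inputs | p1.outputs, lts(p1)
    return {(s, E, s2) for s, E, s2 in lts(p) if (s & keep, E & o1, s2 & keep) not in t1}

# Constructed inputs: Figures 1 and 2 exactly as described in the text.
FIG1 = argos_to_ba(["q0", "q1"], "q0", [("q0", "a", {"b"}, "q1"),
                   ("q1", ("and", "c", ("not", "a")), {"d"}, "q0")], ["a", "c"])
FIG2A = argos_to_ba(["a0", "a1"], "a0", [("a0", "b", {"f", "e"}, "a1")], ["b"])
FIG2B = argos_to_ba(["b0", "b1"], "b0", [("b0", "g", {"c"}, "b1")], ["g"])
FIG2 = parallel(FIG2A, FIG2B)
REFINED = refine(FIG1, FIG2, "q0")        # the program of Figure 5
# Lemma 14's counterexample: Figure 2 modified to emit d on g, so Out_1 ∩ Out_2 = {d}.
FIG2B_D = argos_to_ba(["b0", "b1"], "b0", [("b0", "g", {"c", "d"}, "b1")], ["g"])
BAD = refine(FIG1, parallel(FIG2A, FIG2B_D), "q0")

if __name__ == "__main__":
    print("Figure 4:", len(lts(FIG1)), "transitions; In of Figure 5 =", sorted(REFINED.inputs))
    print("violations with disjoint outputs:", len(projection_violations(REFINED, FIG1)))
    print("violations with shared output d:", len(projection_violations(BAD, FIG1)))
```

Register equations are kept in the structured form h ⇐ χ_h ∨ (¬ξ_h ∧ h) rather than as flat formulas, because a textual substitution of ξ_{h2} would also rewrite occurrences of the same signal inside other conditions (in Figure 5 the entry term of a1 keeps b, while the exit term of a0 becomes b ∨ a). The `projection_violations` check is the computational content of Theorems 8 and 11 on a finite transition system, and the shared output d is exactly what makes it fail.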

Lemma 15 Let P = P_1 ⊳_h P_2 with Out_1 ∩ Out_2 = ∅. Let K and K_1 be the structures of P and P_1. Let φ be a state formula and ψ be a path formula with atomic propositions in R_1 ∪ O_1. Let π and π' be paths with (π, π') ∈ H_1. If π' ⊨ ψ then π ⊨ ψ. Let (m, m') ∈ M × M' with (m, m') ∈ H_1. If m' ⊨ φ then m ⊨ φ.

By Theorem 8, similar results can be obtained for parallel composition. Using these lemmata, one can easily deduce:

Theorem 16 Let P_1 and P_2 be two BA with Out_1 ∩ Out_2 = ∅ and φ be a ∀CTL state formula. Let P = P_1 ⊳_h P_2, with the atomic propositions of φ in R_1 ∪ O_1: if P_1 ⊨ φ then P ⊨ φ. Let P = P_1 ∥ P_2, with the atomic propositions of φ in R_i ∪ O_i: if P_i ⊨ φ then P ⊨ φ, i = 1 or i = 2.

The result one can achieve with the refining automaton P_2 is much weaker, since it is preempted any time the refined register h is left. The formula (b0 ∧ g) → F b1 is true for the Argos program of Figure 2, but it is not true anymore for the program obtained when Program 2 refines Program 1 at q0, since g and a could be present in the same instant. If φ is a formula true for every state in P_2, the formula one can derive for P is roughly: φ holds as long as the state h is active. This is formulated below.

Proposition 17 Let P = P_1 ⊳_h P_2 with Out_1 ∩ Out_2 = ∅. Let ∀G φ have its atomic propositions in R_2 ∪ O_2: if P_2 ⊨ ∀G φ then P ⊨ ∀G (h → (φ ∨ F ¬h)).

As an example, using Theorem 16, the property q_0 ∧ a ⇒ AX q_1, true for the module of Figure 1, is also true when the initial state q0 is refined by the program of Figure 2.

4 Conclusions

This paper presents a translation of Argos programs into Boolean Automata, which shows a clear connection between parallel composition and refinement. Consequences for modular formal verification are given. We have used these results to formally verify a time-triggered protocol modularly [10]. Our present work relies on the translation scheme for Argos and other synchronous languages as given in [7, 11]. Another translation format exists (see [1]).
The work in [9] also presents a translation of Argos into Boolean equations. Furthermore, the connection between parallel composition and refinement has also been pointed out in [8] using other arguments. We have restricted our presentation to the case where Argos programs are refined by other Argos programs, but in general Argos programs can be refined by other synchronous programs, and we think that our verification results still apply. In this way, various synchronous languages can be combined to produce one executable reactive program [11]. The verification results have been established for the Statecharts variant Argos, but we believe that they also hold for other Statecharts variants where inter-level transitions are allowed, as in [6]. Indeed, the key Theorems 11 and 12 can be generalized to include inter-level transitions. Another line of future work is to consider sensible classes of safety properties that, when true for the refining program, yield properties also true for the whole program. Safety properties are crucial for the verification of real-time systems. In [3] it has been shown how to translate safety properties expressed as past temporal logic formulas into BAs. As these safety properties are a subset of ∀CTL formulas, Proposition 17 could be strengthened, and nice classes in terms of refining programs should exist.

References

1. A. Benveniste. Synchronous languages provide safety in reactive system design. Control Engineering, September 1994.
2. A. Benveniste and G. Berry. The synchronous approach to reactive and real-time systems. Proceedings of the IEEE, 79(9), 1991.
3. R. Budde and A. Merceron. Verifying a time-triggered protocol in a multi-language environment. In PART'98, pages 45-56. Springer-Verlag, 1998.
4. E. Clarke, O. Grumberg, and D. Long. Verification tools for finite-state concurrent systems. In A Decade of Concurrency. REX Symposium 1993, LNCS 803, pages 1-45. Springer-Verlag, 1994.
5. O. Grumberg and D. E. Long. Model checking and modular verification. ACM Transactions on Programming Languages and Systems, 16:843-871, 1994.
6. D. Harel. Statecharts: A visual approach to complex systems. Science of Computer Programming, 8:231-275, 1987.
7. M. Kubiczek and L. Holenderski. Compiling TARGOS to boolean automata. Technical report, GMD, Schloss Birlinghoven, D-53754 Sankt Augustin, 1996.
8. F. Maraninchi. Argos: a graphical language for the description of reactive systems. Spectre report 29, LGI, Imag-Campus, BP 53X, F-38041 Grenoble Cedex, 1991.
9. F. Maraninchi and N. Halbwachs. Compiling Argos into boolean equations. In FTRTFT'96, LNCS 1135, pages 312-328. Springer-Verlag, 1996.
10. A. Merceron, M. Mullerburg, and G. M. Pinna. Verifying a time-triggered protocol in a multi-language environment. In SAFECOMP98, LNCS 1516, pages 73-82. Springer-Verlag, 1998.
11. A. Poigné, M. Morley, O. Maes, L. Holenderski, and R. Budde. The synchronous approach to designing reactive systems. Formal Methods in System Design, 12:163-187, 1998.