The Automata-Theoretic Approach to Verification of Reactive Systems

Basic problems related to the use of automata-theoretic methods of verification of reactive systems are considered; in particular, the construction of an automaton from a formula of a temporal logic and the reduction of the automaton being verified are described.     

Synchronous/Reactive Programming of Concurrent System Software

Synchronous languages are intended for programming reactive systems. Reactive systems, which include real-time systems and key operating system components, interact continually with their environment. This paper considers the applicability of imperative synchronous/reactive languages to the development of general system software, that is, to the implementation of operating system kernels, file systems, databases, networks, server architectures, device drivers, etc. The languages Esterel and Reactive C (RC) receive special attention as Esterel is the oldest and most developed such language and RC is specifically designed for compatibility with C systems programming. An alternative soft-instruction software architecture is described, which is well suited to real-world system programming. © 1997 by John Wiley & Sons, Ltd.     

An Implementation of Constructive Synchronous Programs in POLIS

Design tools for embedded reactive systems commonly use a model of computation that employs both synchronous and asynchronous communication styles. We form a junction between these two with an implementation of synchronous languages and circuits (Esterel) on asynchronous networks (POLIS). We implement fact propagation, the key concept of synchronous constructive semantics, on an asynchronous non-deterministic network: POLIS nodes (CFSMs) save state locally to deduce facts, and the network globally propagates facts between them. The result is a correct implementation of the synchronous input/output behavior of the program. Our model is compositional, and thus permits implementations at various levels of granularity from one CFSM per circuit gate to one CFSM per circuit. This allows one to explore various tradeoffs between synchronous and asynchronous implementations.     

基于SMT的区域控制器同步反应式模型的形式化验证

在安全关键系统的软件开发过程中,形式化验证是一种经检验的提高软件质量的技术.然而,无论从理论上还是从应用角度来看,软件的验证都必须是完整的,数据流验证应该是对实现层软件模型进行验证的必要体现.因此,环境输入、泛型函数、高阶迭代运算和中间变量对于分析形式化验证的可用性至关重要.为了验证同步反应式模型,工程师很容易验证控制流模型(即安全状态机).现有工作表明,这类工作无法全面地验证安全关键系统的同步反应式模型,尤其是数据流模型,导致这些方法没有达到工业应用的要求,这成为对工业安全软件进行形式化验证的一个挑战.提出了一种自动化验证方法.该方法可以实现对安全状态机和数据流模型的集成进行验证.采用了一种基于程序综合的方法,其中,SCADE模型描述了功能需求、安全性质和环境输入,可以通过对Lustre模型的程序综合,采用基于SMT的模型检查器进行验证.该技术将程序合成作为一种通用原理来提高形式化验证的完整性.在轨道交通的工业级应用(近200万行Lustre代码)上评估了该方法.实验结果表明,该方法在大规模同步反应式模型长期存在的复杂验证问题上是有效的.     

Fail-Awareness: An Approach to Construct Fail-Safe Systems

We present a framework for building fail-safe hard real-time applications in timed asynchronous distributed systems subject to communication partitions and performance, omission, and crash failures. Most distributed systems built from commercial-off-the-shelf (COTS) processor and communication services are subject to such partitions because their COTS components do not provide hard real-time guarantees. Also custom designed systems can be subject to partitions due to unmaskable link or router failures. The basic assumption behind our approach is that each processor has a local hardware clock that proceeds within a linear envelope of real-time. This allows one to compute an upper bound on the actual delays incurred by a particular processing sequence or message transmission. Services and applications can use these computed bounds to detect when they cannot guarantee all their standard properties because of excessive delays. This allows an application to be fail-aware, that is, to detect when it cannot guarantee all its safety properties and in particular, to detect when to switch to a fail-safe mode.     

使用SDF图描述的嵌入式DSP系统存储优化

提出一种嵌入式DSP系统的存储优化方法．该方法利用遗传算法求得存储需求量较少的同步数据流(Synchronous Data Flow,SDF)图顶点调度序列;使用TPFIFO(Two-Port FIFO)数据缓冲模型来实现顶点输入边和输出边的存储共享,以进一步提高数据缓冲的利用率．实验结果证实了该方法的有效性．     

嵌入式DSP系统中SDF模型的层次化存储优化方法

在同步数据流模型(SDF)描述的嵌入式数字信号处理(DSP)系统中,计算体单一出现调度(SAS)算法对于存在反馈环和数据密集处理的应用不可解或内存优化效果很差.文中提出了将SAS和Non-SAS类型调度算法相结合的层次化的存储优化方法,定义了数据密集分量和强连通分量来描述环和数据密集处理结构,并依据数据优先消耗原则设计了启发式的Non-SAS调度算法对分量进行存储优化.该方法适用于任意SDF模型,并有良好的存储优化效果.实验结果证明了其有效性.     

An Automata-Theoretic Approach to the Reachability Analysis of RPPS Systems

We show how the tree-automata techniques proposed by Lugiez and Schnoebelen apply to the reachability analysis of RPPS systems. Using these techniques requires that we express the states of RPPS systems in a tailor-made process rewrite system where reachability is a relation recognizable by finite tree-automata.     

反应系统的连续时序逻辑表示和验证

引进一个称为LTLC的连续时间时序逻辑，用来对反应系统进行规范与验证．LTLC的一个重要特点是它能在统一的逻辑框架下表示反应系统及其性质，这样就可将系统与性质问的满足关系转化为逻辑公式间的蕴涵关系．同时，采用非负实数集作为时间域还使我们可以利用标准的存在量词来表示变量隐藏，并可用逻辑蕴涵来表示反应系统间的求精关系．该文首先给出了LTLC的一个简单介绍，然后讨论了如何使用LTLC对反应系统进行表示与推理，最后证明了一个关于LTLC的可判定性结果．此结果可用于有穷状态反应系统的自动验证．     

一种基于监测的嵌入式系统设计技术

提出一种嵌入式系统软硬件协同设计方法，它以数据流图为系统模型对嵌入式系统的功能和性能需求进行描述，并通过一种特定的实现结构，使得设计者可以借助快速样机平台和事件驱动式监测技术来精确测定目标系统对系统模型的实现状况，从而使得软硬件协同设计过程特别是系统优化和性能验证能在精确、可靠的测试数据基础上进行．同目前通常使用的以软硬件部件性能估算为基础的软硬件协同设计方法相比，这种以测试为基础的设计技术更能确保设计结果的合理．     

Systematic testing and formal verification to validate reactive programs

The use of systematic testing and formal verification in the validation of reactive systems implemented in synchronous languages is illustrated. Systematic testing and formal verification are two techniques for checking the consistency between a program and its specification. The approach to validation is through specification: two system views are developed in addition to the program, a behavioural specification for systematic testing and a logical specification for formal verification. Pursuing both activities, reactive programs can be validated both more efficiently (in terms of costs) and more effectively (in terms of confidence in correctness). This principle is demonstrated here using the well known lift example.     

An Integrated Approach to Scheduling in Safety-Critical Embedded Control Systems

This paper describes an approach that has been developed over a number of years for the job of scheduling systems and providing evidence that timing requirements are met. The approach has been targeted at the safety-critical systems domain, and more specifically the development of control systems for jet engines. The work provides a usable computational model that supports the reuse of legacy systems. In addition, timing analysis has been developed that features low pessimism, low computational complexity and that is robust to change. The contributions of this paper are to show how standard timing analysis is often insufficient for real systems, presenting extensions to the standard analysis to give an integrated approach to verification, and providing a case study that demonstrates the appropriateness and benefits of the overall technique.     

Functional Programming of Behavior-Based Systems

In this paper, I describe a simple functional programming language, GRL, in which most of the characteristic features of the popular behavior-based robot architectures can be concisely written as reusable software abstractions. This makes it easier to write clear, modular code, to mix and match arbitration mechanisms, and to experiment with variations on existing mechanisms. I describe the compilation process for the language, our experiences with it, and issues of efficiency, expressiveness, and code size relative to other languages.     

Dynamic Partitioning in Linear Relation Analysis: Application to the Verification of Reactive Systems

We apply linear relation analysis (P. Cousot and N. Halbwachs, in 5th ACM Symposium on Principles of Programming Languages, POPL'78, Tucson (Arizona), January 1978; N. Halbwachs, Y.E. Proy, and P. Roumanoff, Formal Methods in System Design, Vol. 11, No. 2, pp. 157–185, 1997) to the verification of declarative synchronous programs (N. Halbwachs, Science of Computer Programming, Special Issue on SAS'94, Vol. 31, No. 1, 1998). In this approach, state partitioning plays an important role: on one hand the precision of the results highly depends on the fineness of the partitioning; on the other hand, a too much detailed partitioning may result in an exponential explosion of the analysis. In this paper, we propose to dynamically select a suitable partitioning according to the property to be proved. The presented approach is quite general and can be applied to other abstract interpretations.     

如何构造嵌入式实时应用系统

文中对组织和设计嵌入式实时应用系统应着重考虑的一些问题做了探讨,主要包括系统实时目标分析、硬件平台的规划、实时操作系统的选择、编程语言的选择和其它方面的一些关键问题。     

Behaviour Analysis of Distributed Systems Using the Tracta Approach

Behaviour analysis should form an integral part of the software development process. This is particularly important in the design of concurrent and distributed systems, where complex interactions can cause unexpected and undesired system behaviour. We advocate the use of a compositional approach to analysis. The software architecture of a distributed program is represented by a hierarchical composition of subsystems, with interacting processes at the leaves of the hierarchy. Compositional reachability analysis (CRA) exploits the compositional hierarchy for incrementally constructing the overall behaviour of the system from that of its subsystems. In the Tracta CRA approach, both processes and properties reflecting system specifications are modelled as state machines. Property state machines are composed into the system and violations are detected on the global reachability graph obtained. The property checking mechanism has been specifically designed to deal with compositional techniques. Tracta is supported by an automated tool compatible with our environment for the development of distributed applications.     

An Event Algebra Extension of the Triggering Mechanism in a Component Model for Embedded Systems

In this article we present how the component triggering in SaveCCM, a component model intended for embedded vehicular systems, can be extended by means of an event algebra. The extension allows components to be triggered by complex event patterns, and not only by clock signals or single external events.Separating the detection of triggering conditions from the definition of the triggered services permits more general components and thus improves component reusability. Providing event detection mechanisms within the component model means that triggering conditions are explicitly available for system analysis at design time.An event algebra is used to define the complex triggering conditions. This algebra has a relatively simple declarative semantics and well documented algebraic properties, which facilitates formal and informal reasoning about the system. The algebra also ensures that detection of triggering conditions can be efficiently implemented with limited resources, which is critical in embedded applications.     

Concurrency in Synchronous Systems

In this paper we introduce the notion of weak endochrony, which extends to a synchronous setting the classical theory of Mazurkiewicz traces. The notion is useful in the synthesis of correct-by-construction communication protocols for globally asynchronous, locally synchronous (GALS) systems. The independence between various computations can be exploited here to provide communication schemes that do not restrict concurrency while still guaranteeing correctness. Such communication schemes are then lighter and more flexible than their latency-insensitive or endo/isochronous counterparts. Work supported by the ARTIST and COLUMBUS IST European projects