REDLIB for the Formal Verification of Embedded Systems�

Farn Wang

Department of Electrical EngineeringGraduate Institute of Electronic Engineering

National Taiwan University, Taiwan 106, ROCfarn@cc.ee.ntu.edu.tw

REDLIB is available at http://cc.ee.ntu.edu.tw/˜val.

Abstract

To promote the technology of dense-time system model-checking in both academia and industry, we developed alibrary, called REDLIB, which supports full TCTL model-checking of dense-time automata with multiple fairness as-sumptions. REDLIB uses the BDD-like diagrams for the ef-ficient representation and manipulation of dense-time state-spaces. Users can use the procedures in REDLIB to quicklyconstruct dense-time models and carry out basic Booleanand state-space operations, postcondtion/precondition cal-culation, state-space representation normalizations, great-est fixpoint calculation, parametric safety analysis of lin-ear hybrid systems, speed-up techniques for greatest fix-point evaluation, and coverage analysis of dense-time state-spaces. REDLIB also has a preprocessor that allows forhigh-level constructs like arrays, message channels, dy-namic memory allocation, procedure calls, and timers. Inthis article, we discuss the features of REDLIB and givesmall examples to show how to use REDLIB.

Keywords: timed automata, linear hybrid automata, mode-checking, verification, tool, library

1 Introduction

The progress of civilization relies on the accumulationof knowledge and intelligence. In order to speed up theprogress, it is essential to share the experience and achieve-ments of researches. In the last few decades, both hard-ware and software technologies have substantial progress.On one hand, the complexity of hardware has grown upto tens of millions of gates per chip. On the other hand,the sizes of industrial software have also grown to mil-

�The work is partly supported by grants NSC 94-2213-E-002-085 andNSC 94-2213-E-002-092.

lion lines of code. The development of hardware ver-ification has benefited greatly from publich library likeNuSMV [6] and CUDD [9]. But for software verification,there is no such library that allows people to share tech-nology and experience. As a result, people usually haveto spend valuable times and resources in developing andimplementing basic algorithms for dense-time state-spacemanipulation. In this article, we report the developmentof REDLIB, a library for the reprsentation and manipu-lation of dense-time state-spaces. REDLIB is extendedfrom model-checker/simulator RED [16, 21] for timed au-tomatas and linear hybrid automatas. REDLIB acceptsCommunicating Timed Automata (CTA) [3, 14] for the de-scription of transitions in dense-time state-spaces. At thismoment, REDLIB supports forward/backward image cal-culation [16], counter-example generation, symmetry re-duction for software with pointer data-structures [22], GUI,deadlock detection, full TCTL model-checking [1, 15, 21]with event predicates and multiple fairness assumptions[15], symbolic simulation [20], and test case generation.REDLIB uses BDD-based technology to gain efficiency[16, 18, 19]. Its verification engine can also analyze thegiven mathematic models with coverage estimation tech-niques [20].

In section 2, we explain the various capabilities ofREDLIB. In section 3, we discuss the REDLIB interface forapplication programs and an example of model constructionwith REDLIB. In section 4, we discuss some future work inREDLIB.

2 Capabilities of REDLIB

REDLIB is developed in language C. Users can eas-ily incorporate REDLIB in their application programs toperform verification tasks. The flow-control and iterationstatements in language C language can be used to construct

Second International Symposium on Leveraging Applications of Formal Methods, Verification and Validation

0-7695-3071-0/07 $25.00 © 2007 IEEEDOI

343

Second International Symposium on Leveraging Applications of Formal Methods, Verification and Validation

0-7695-3071-0/07 $25.00 © 2007 IEEEDOI 10.1109/ISoLA.2006.68

343

Second International Symposium on Leveraging Applications of Formal Methods, Verification and Validation

978-0-7695-3071-0/07 $25.00 © 2007 IEEEDOI 10.1109/ISoLA.2006.68

341

complex models whose configurations and sizes depend onvariables in the C programs. Furthermore, we can inter-act with the application programs to set up the parametervalues. After the construction of the models, we can thenset the options to choose the strategies of the verificaitontasks. We can carry out a verification task in fine grains bycalling the basic state-space manipulation procedures, likestate-space intersections and unions, in REDLIB. We canalso do it in coarse grains by calling high-level procedureslike weakest precondition calculation [10], backward reach-ability analysis, backward time-progress image calculation,and state-space reprsentation normalization.

In the following, we explain the various capabilities ofREDLIB.

2.1 Extensive syntax for complex model construc-tion

In order to reduce the human errors, to save workingtime, and to simplify the construction of models for ver-ification, we have developed a preprocessor to REDLIBthat supports high-level constructs like message channels,dynamic memory allocation, arrays, procedure-calls, andtimers. We can also choose from various options supportedin such high-level constructs. For example, we may set thebuffer sizes and transmission delays of the message chan-nels. We may also choose between lossy and non-lossychannels.

Our REDLIB preprocessor translates such high-levelconstructs to basic ones in CTA. The correctness of thetranslation schemes for such high-level constructs has beenrigorously proved. In many industrial reports of model-checking embedded systems, people usually made a lot ef-fort to prove the correctness of their model construction.With the high-level constructs supported by our preproces-sor, valuable time and resources can be saved in construct-ing correct and complex models.

2.2 BDD-like diagrams for state-space represen-tation & manipulations

REDLIB is built with symbolic manipulation proceduresof two types of BDD-like diagrams [5]. The first is CRD[16] for the dense-time state-spaces of timed automata. Thesecond is HRD [18] for the dense-time state-spaces of lin-ear hybrid automata. According to [16, 18], technology ofthe two diagrams have achieved the best performance in thesafety analysis of several popular benchmarks.

2.3 Model-checking with event constraints andfairness assumptions

REDLIB supports the model-checking of full TCTLwith Zeno-checking capability [1, 20]. It also supports the

checking of deadlock. Moreover, it supports the check-ing of an extension of TCTL for the specification withevent predicates and multiple fairness assumptions [15].There are two types of fairness assumptions, strong fair-ness and weak fairness. The former means that some-thing will happen “infinitely often” while the latter meansthat something will be “eventuall forever true.” For ex-ample, in diffusive computing, we may specify that allprocesses will eventually enter their “finished” states ifthey all have their fair shares of execution. This spec-ification can be expressed with strong fairness assump-tions as �����������������������

������ finished�. Here

the strong fairness assumptions are written in square brack-ets as event predicates to the superscript of the universalpath quantifier �. �� means the occurrence of a transitionof process �. Strong fairness assumption �� � � means thattransitions with one or more events �� will happen infinitelyoften. Such a style of fairness assumptions as event predi-cates allows for flexible characterizations of sets of transi-tions.

2.4 Symbolic simulation

Traditional simulation [4] is well-known for its effi-ciency. But it is usually forbiddingly expensive to runenough number of traces to cover the full functionality of asystem. On the other hand, although model-checking [7, 8]can achieve functional completeness, it may suffer from thestate-space explosion problem. Symbolic simulation [13]is a balance between these two technologies and has beenproved valuable for the verification of integrated circuits.While traditional simulation runs along a trace of concretestate recordings, symbolic simulation runs along a trace ofsymbolic constraints, representing a (convex or concave)space of states. By representing and manipulating state-space as logic predicates, the technique of symbolic simula-tion can lead to high performance by encompassing many,even densely many, traces in traditional simulation into onesymbolic trace. REDLIB encapsulates a symbolic sim-ulator [20] for dense-time concurrent systems, with GUI(Graphical User-Interface) and convenient facilities to gen-erate and manage the traces. Figure 1 shows the GUI of theREDLIB simulator. Coverage estimation of three metrics(region, triggering-condition, and arc) is also supported inthe symbolic simulation [20].

2.5 Testcase generation

The engine of REDLIB can also generate test suites withcoverage annotations [11]. We may use CTA as the speci-fication language of test scenarios. The test suites can begenerated in the TTCN language [12], which is a part ofthe ISO/IEC 9646 conformance testing framework and is

344344342

Figure 1. GUI of REDLIB for Symbolic Simu-lation

specially designed for the specification of tests of commu-nication systems.

2.6 Parametric safety analysis of linear hybridsystems

Real-world systems are also usually specified with con-stant symbols, called parameters. Calibrating the valuesof such parameters is a crucial task in determining the be-haviors and cutting down the costs of the system designs.Given a linear hybrid automata [2] with parameters and asafety property, REDLIB tells necessary constraints on pa-rameters to satisfy a safety property [18]. It also supports aspeed-up technique for parametric safety analysis.

There are two main innovations that contribute to theperformance of REDLIB. The first is the design of HRD(Hybrid-Restriction Diagram) which is a BDD-like dia-grams for the representation of concave polyhedra. The sec-ond is a pruning strategy, for state-space exploration, whichdoes not sacrifice the correctness of the parametric safetyanalysis. The idea is that in each iteration, we incremen-tally accumulate the symbolic constraint of the parametervaluations for the reachability. If in each step of state-spaceexploration, we find that the new step is not going to in-crease the volume of the space of the parameter valuationscollected so far, then we can skip this step.

3 REDLIB Application Program Interface

In the following, we first give a brief explanation of theapplication program interface of REDLIB and then use anexample to show how to use REDLIB to construct models.

3.1 Application Program Interface of REDLIB

We can use REDLIB routines to construct TCTLspecification formulae with event predicates andmultiple fairness assumptions. We can then callRED verify() to get the answer of the model-checking tasks. Library routines for the checking ofdeadlock and Zenoness conditions are also available withRED deadlock check() andRED zenoness check() respectively.

Procedures are available in REDLIB for ba-sic CRD/HRD+BDD manipulations. These in-clude RED and(), RED or(), RED not(),RED bdd atom(), RED crd atom(),RED hrd atom(), RED true(), and RED false().REDLIB also provides routines for performance tuningtoward special cases. In addition, suppport for MTBDDmatrix operation is also available.

REDLIB also has procedures to calculate the pre-condition and postcondition of discrete transitions andtime progress. There are also procedures to calculatethe backward and forward reachable state-space descrip-tions. There are also procedures to calculate the closureand DRC forms of state-space representation. Theseinclude RED weakest postcondition fwd(),RED weakest precondition bck(),RED reachable bck(), RED reachable fwd(),etc.

The capability of symbolic coverage estimation of RED[20] is also accessible through REDLIB. Users can buildtheir symbolic verification application and manage the ver-ification process with coverage concepts, which has been avaluable technique in real-world industry in the last severaldecades.

REDLIB does not only use BDD-like data-structures,it actually uses shared BDD-like data-structures. In theprocessing of such data-structures, huge memory leak mayhappen due to those inaccessible BDD-like data-structures.REDLIB maintains a stack so that the users can push theirintermediate state-space representations to this stack. Whenthe users call procedure RED garbage collect(), all BDD-like data-structures neither used internally by REDLIB norsaved in the stack will be reclaimed. The users can accessthe data-structures saved in the user stack and maybe lat-ter pop them us in a first-in-last-out order. Users can onlyaccess the stacks through REDLIB procedures.

There are also other REDLIB procedures that help theusers get information of their verification sessions. Theseinclude procedures telling the total CPU time consumed, thesize of memory occupied by the BDD-like data-structures,and the status of the system runtime options. There arealso procedures help changing the runtime options of theREDLIB. There are also procedures that print out BDD-

345345343

W�a�i�t�x�<�5�

A�c�t�i�v�e�x�<�=�3�

x�>�4�!�s�y�n�c� �x�=�0�;� �d�1�=�1�;�

x�>�4�?�s�y�n�c� �x�=�0�;� �d�2�=�2�;�

x�>�=�1�x�=�0�;� �d�1�=�0�;� �d�2�=�0�;�

W�a�i�t�x�<�5�

A�c�t�i�v�e�x�<�=�3�

x�>�4�!�s�y�n�c� �x�=�0�;� �d�1�=�1�;�

x�>�4�?�s�y�n�c� �x�=�0�;� �d�2�=�2�;�

x�>�=�1�x�=�0�;� �d�1�=�0�;� �d�2�=�0�;�

P�r�o�c�e�s�s� �1�,� �P�=�=�1�

P�r�o�c�e�s�s� �2�,� �P�=�=�2�

Figure 2. The Example of Model Construction

like data-structures in various formats. There are also pro-cedures that perform reduction and abstraction techniquesof the state-space representations.

3.2 Model Construction with REDLIB

Users can input a model directly from a file or struc-turally construct the model by executing library procedures.The latter approach has the flexibility in generating modelsaccording to the input parameters (for example, the numberof processes, the message buffer capacity, the ways transi-tions may synchronize with one another). For example, wemay have the following input file.

process count = 2; global discrete d1, d2: 0..2; globalsynchronizer sync; local clock x;

mode wait (x < 5) {when !sync (x > 4) may x = 0; d1 = 1; goto active;when ?sync (x > 4) may x = 0; d2 = 2; goto active;

}

mode active (x <= 3) {when (x >= 1) may x = 0; d1 = 0; d2 = 0; goto wait;

}

initially d1 == 0 && d2 == 0&& forall p, (wait[p] && x == 0);

risk (active[1] && x[1] == 0 && wait[2]);

This REDLIB program uses CSP-style binary synchro-nizations between two processes running the same programtemplate. Initially, both processes are in mode wait withtheir respective local clock � � �. The risk condition is thatprocess 1 is in mode active with its clock � � � whileprocess 2 is in mode wait. REDLIB can be invoked tocheck whether this risk condition can happen.The illustra-tion of this example is shown in Figure 2

Suppose this REDLIB program is saved in file‘sample.d.’ Then we can use the following REDLIB

procedure to read in the file and construct the model. Thisprogram piece basically follow the syntax of REDLIBinput files line by line. Thus users that either have someacquaintance with TAs or have used RED [16] before neednot learn a new language to use the REDLIB. We shallelaborate on this aspect in the section.

RED\_initialize\_session();RED\_input("sample.d");

If the users choose to construct the model at run-time,then the following program piece also construct the samemodel.

#include "redlib.h"

main(void) {char *d1, *d2, *x, *sync, *wait, *active,

*const0, *const1, *const2, *const4;char *condition, *p, *xp;

RED_begin_session();RED_open_output("sample");RED_begin_model();RED_set_process_count(2);RED_begin_variable_declaration

(RED_GLOBAL, RED_DISCRETE);d1 = RED_declare_one_variable("d1");d2 = RED_declare_one_variable("d2");

RED_set_discrete_bounds(0,2);RED_end_variable_declaration();RED_begin_variable_declaration

(RED_GLOBAL, RED_SYNCHRONIZER);sync = RED_declare_one_variable("sync");

RED_end_variable_declaration();RED_begin_variable_declaration(RED_LOCAL, RED_CLOCK);

x = RED_declare_one_variable("x");RED_end_variable_declaration();wait = RED_begin_mode("wait");

RED_add_mode_invariance(RED_formulus_ineq(x, RED_LESS, RED_const(5)));

RED_begin_transition();RED_add_transition_synchronizer

(RED_SYNC_OUTPUT, sync, NULL);condition =RED_formulus_ineq

(x, RED_GREATER, const4 = RED_const(4));RED_add_transition_trigger(condition);RED_add_transition_action

(x, RED_ASSIGN, const0 = RED_const(0));RED_add_transition_action

(d1, RED_ASSIGN, const1 = RED_const(1));RED_add_transition_action

(RED_MODE,RED_GOTO, "active");RED_end_transition();RED_begin_transition();

RED_add_transition_synchronizer(RED_SYNC_INPUT, sync, NULL);

condition =RED_formulus_ineq(x, RED_GREATER, const4);

RED_add_transition_trigger(condition);RED_add_transition_action(x, RED_ASSIGN, const0);RED_add_transition_action

(d1, RED_ASSIGN, const2 = RED_const(2));RED_add_transition_action

(RED_MODE,RED_GOTO, "active");RED_end_transition();

RED_end_mode();active =RED_begin_mode("active");

RED_add_mode_invariance(RED_formulus_ineq(x, RED_LEQ, RED_const(3)));

RED_begin_transition();condition = RED_formulus_ineq(x, RED_GEQ, const1);

346346344

RED_add_transition_trigger(condition);RED_add_transition_action(x, RED_ASSIGN, const0);RED_add_transition_action(d1, RED_ASSIGN, const0);RED_add_transition_action(d2, RED_ASSIGN, const0);RED_add_transition_action(RED_MODE,RED_GOTO,wait);

RED_end_transition();RED_end_mode();p = RED_quantified("p");xp = RED_var_base_exp(x, p);condition = RED_mode_predicate(wait, p);condition = RED_formulus_and

(condition, RED_formulus_ineq(xp, RED_EQ, const0));condition = RED_formulus_forall(p, condition);condition = RED_formulus_and

(condition, RED_formulus_ineq(d2, RED_EQ, const0));condition = RED_formulus_and

(condition, RED_formulus_ineq(d1, RED_EQ, const0));RED_set_initial_condition(condition);condition = RED_mode_predicate(active, const1);xp = RED_var_base_exp(x, const1);condition = RED_formulus_and

(condition, RED_formulus_ineq(xp, RED_EQ, const0));condition = RED_formulus_and

(condition, RED_mode_predicate(wait, const2));RED_set_risk_condition(condition);RED_end_model();RED_end_session();

}

The functions provided by Library of REDLIB have allpassed the Valgrind memory check. And the formal modelconstructed in correct sequence can pass the syntax checkand perform the verification applications of RED.

4 Future Work

Although the REDLIB contains many basic functions ofutilizing RED, including model construction, parser librarycalls, basic CRD/HRD+BDD manipulations, preconditionand postcondition calculations, coverage estimation, infor-mation display, garbage collection, etc., there could be moreto desire. We plan to continuously improve and enrich thecontent of REDLIB to furthermore popularize the technol-ogy of dense-time system model-checking [1]. By applyingREDLIB to various verification tasks, we will try findingout the insufficiencies and shortcomings of REDLIB anddeveloping the functions required in the future.

References

[1] R. Alur, C. Courcoubetis, D.L. Dill. Model Checkingfor Real-Time Systems. IEEE LICS, 1990.

[2] R. Alur, C.Courcoubetis, T.A. Henzinger, P.-H. Ho.Hybrid Automata: an Algorithmic Approach to theSpecification and Verification of Hybrid Systems. Pro-ceedings of HYBRID’93, LNCS 736, Springer-Verlag,1993.

[3] R. Alur, D.L. Dill. Automata for modelling real-timesystems. ICALP’ 1990, LNCS 443, Springer-Verlag,pp.322-335.

[4] M. Brockmeyer, C. Heitmeyer, F. Jahanian, B. Labaw.A Flexible, Extensible Simulation Environment forTesting Real-Time. IEEE, 1997.

[5] R.E. Bryant. Graph-based Algorithms for BooleanFunction Manipulation, IEEE Trans. Comput., C-35(8),1986.

[6] A. Cimatti, E. Clarke, F. Giunchiglia, M. Roveri.NUSMV: A New Symbolic Model Verifier. CAV 1999,LNCS 1633, Springer-Verlag.

[7] E.M. Clarke and E.A. Emerson. Design and Synthe-sis of SynchronizationSkeletons using Branching-TimeTemporal Logic, Proceedings of Workshop on Logicof Programs, Lecture Notes in Computer Science 131,Springer-Verlag, 1981.

[8] E.M. Clarke, E.A. Emerson, A.P. Sistla. AutomaticVerification of Finite-State Concurrent Systems usingTemporal-Logic Specifications, ACM Trans. Program-ming, Languages, and Systems, 8, Nr. 2, pp. 244–263.

[9] http://vlsi.colorado.edu/˜fabio/CUDD/

[10] T.A. Henzinger, X. Nicollin, J. Sifakis, S. Yovine.Symbolic Model Checking for Real-Time Systems.IEEE LICS 1992.

[11] G.-D. Huang, F. Wang. Automatic Test Case Gener-ation with Region-Related Coverage Annotations forReal-time Systems. The Third International Sympo-sium on Automated Technology for Verification andAnalysis, October 2005, LNCS 3707, Springer Verlag.

[12] ISO/IEC 9646:IT-OSI-Conformance testing method-ology and framework,1996.

[13] C.-J. H. Seger, R. E. Bryant. Formal verification bysymbolic evaluation of partially-ordered trajectories.Formal Methods in System Designs, Vol. 6, No. 2, pp.147-189, Mar. 1995.

[14] A. Shaw. Communicating Real-Time State Machines.IEEE Transactions on Software Engineering 18(9),September, 1992.

[15] F. Wang. Model-Checking Distributed Real-TimeSystems with States, Events, and Multiple FairnessAssumptions. 10th AMAST, LNCS 3116, Springer-Verlag.

[16] F. Wang. Efficient Verification of Timed Automatawith BDD-like Data-Structures, STTT (Jouranl of Soft-ware Tools for Technology Transfer), Vol. 6, Nr. 1, June2004, Springer-Verlag; Special issue for VMCAI’2003,LNCS 2575, Springer-Verlag.

347347345

[17] F. Wang. Formal Verification of Timed Systems - ASurvey and Perspective. Proceedings of the IEEE, Vol.92, Nr. 8, August 2004, pp.1283-1307, IEEE.

[18] F. Wang. Symbolic Parametric Analysis of LinearHybrid Systems with BDD-like Data-Structures. IEEETransactions on Software Engineering, January 2005(Vol. 31, No. 1), p.38-51. A preliminary version of thepaper also appears in proceedings of CAV 2004, LNCS3114, Springer-Verlag.

[19] F. Wang. Symbolic Verification of Distributed Real-Time Systems with Complex Synchronizations. 7thICFEM (International Conference on Formal Engineer-ing Methods), Nov. 2005, Manchester, UK. LNCS3785, Springer-Verlag.

[20] F. Wang, G.-D. Hwang, F. Yu. Numerical CoverageEstimation for the Symbolic Simulation of Real-TimeSystems. FORTE 2003, Sept.-Oct. 2003, Berlin, Ger-many; LNCS 2767, Springer-Verlag.

[21] F. Wang, G.-D. Huang, F. Yu. TCTL InevitabilityAnalysis of Dense-Time Systems: From Theory to En-gineering. IEEE Transactions on Software Engineering,Vol. 32, No. 7 (July 2006), ISSN: 0098-5589, IEEEComputer Society. A preliminary version is in the pro-ceedings of CIAA 2003, LNCS 2759, Springer-Verlag.

[22] F. Wang, K. Schmidt, G.-D. Huang, F. Yu, B.-Y.Wang. BDD-based Safety Analysis of Concurrent Soft-ware with Pointer Data Structures using Graph Auto-morphism Symmetry Reduction. IEEE Transactions onSoftware Engineering, Vol. 30, Nr. 6, June 2004, ISSN0098-5589, pp.403-417, IEEE.

348348346