How To Validate Synchronous Reactivesystems

Transcription

1 fromformalvericationtoautomatictesting? ValidationofSynchronousReactiveSystems: NicolasHalbwachs,PascalRaymond thevalidationofreactivesystemsdescribedinthesynchronousdata-ow Abstract.Thispapersurveysthetechniquesandtoolsdeveloppedfor Verimag??,Grenoble{France tionofsafetyproperties,bymeansofsynchronousobservers.themodel- checkerlesar[rhr91]takesalustreprogram,andtwoobservers languagelustre[hcrp91].thesetechniquesarebasedonthespecica- (Boolean)abstractionofthesystem.Recentworkconcernsextensions assumptionsaboutthesystemenvironmentunderwhichtheseproperties areintendedtohold,andperformsthevericationonanitestate towardssimplenumericalaspects,whichareignoredinthebasictool. respectivelydescribingtheexpectedpropertiesoftheprogram,andthe mentassumptions,andtorunthetestwhilecheckingthesatisfactionof thespeciedproperties. Providedwiththesamekindofobservers,thetoolLurette[RWNH98] isabletoautomaticallygeneratetestsequencessatisfyingtheenvironnentinteractionwithaphysicalenvironment.inthisarea,systemreliability, designso-called\reactivesystems",whicharesystemsthatmaintainaperma- 1Introduction reactivesystemsaresafetycritical.asaconsequence,manyvalidationtools andthereforedesignvalidation,areparticularlyimportantgoals,sincemost Synchronouslanguages[Hal93,BG92,LGLL91,HCRP91]havebeenproposedto tion[ldbl93,dr94,jpv95,bou98,rhr91],formalproof[bcdp99],orprogram meansofsynchronouslanguages.thesetoolseitherconcernautomaticverica- testing[borz98,rwnh98,mhmm95,mar98]. havebeenproposed,whicharededicatedtodealwithsystemsdescribedby raisesspecicproblems liketakingintoaccountknownpropertiesoftheenvironment andontheotherhandallowstheapplicationofspecictechniques incontrastwithclassicalconcurrentprocesses,whicharegenerallymodelled sincetheprogramstobevalidatedaredeterministicsystemswithinputs, Asamatteroffactthevalidationofsynchronousprograms,ononehand??VerimagisajointlaboratoryofUniversiteJosephFourier,CNRSandINPGassociatedwithIMAG. testing,theuserhastospecify: asnon-deterministicandclosedsystems.bothforformalvericationandfor?thisworkwaspartiallysupportedbytheesprit-ltrproject\syrf".

2 1.theintendedbehavioroftheprogramundervalidation,whichmaybemore 2.theassumptionsabouttheenvironmentunderwhichthepropertiesspecied timesafetyproperties. orlesspreciselydened.inparticular,itmayconsistofasetofproperties, and,forthekindofconsideredsystems,criticalpropertiesaremostofthe in(1)areintendedtohold.theseassumptionsaregenerallysafetyproperties,too. theinputsandtheoutputsoftheprogramundervalidation,anddetectthe ertiesistouse\synchronousobservers"[hlr93],whichareprogramsobserving Insynchronousprogramming,aconvenientwayofspecifyingsuchsafetyprop- formalverication:onecanverify,bymodel-checking,thatforeachinput validationtoolscanusethemfor violationoftheproperty.oncetheseobservershavebeenwritten,automatic automatictesting:theassumptionobserverisusedtogeneraterealistictest tionoftheprogramunderverication. property.ingeneral,thisvericationisperformedonanite-stateabstrac- sequences,whichareprovidedtotheprogram;thepropertyobserverisused owsatisfyingtheassumption,thecorrespondingoutputowsatisfythe hasbeendeveloppedforlong,andextendedtowardsdealingwithsimplenumericalproperties.twotestingtools,lutess[borz98]andlurette[rwnh98bilities. 2SynchronousObserversinLUSTRE arealsoavailable;here,wefocusonlurette,whichhassomenumericalcapa- languagelustre[hcrp91].amodel-checkerforlustre,calledlesar[rhr91], Inthispaper,wepresenttheseapproachesinthecontextofthedeclarative asan\oracle"determiningwhethereachtestsequence\passes"or\fails". 2.1OverviewofLustre programisintendedtohaveacyclicbehavior,andxnisthevalueofxatthe xrepresentsaow,i.e.,aninnitesequence(x0;x1;:::;xn;:::)ofvalues.a Letusrstrecall,inasimpliedway,theprinciplesofthelanguageLustre: Output(andpossiblylocal)owsaredenedbymeansofequations(inthe nthcycleoftheexecution.aprogramcomputesoutputowsfrominputows. ALustreprogramoperatesonowsofvalues.Anyvariable(orexpression) canbeunderstoodasatemporalinvariant.lustreoperatorsoperategloballyon mathematicalsense),anequation\x=e"meaning\8n;xn=en".so,anequation owsasjustshown wewillconsideronlytwotemporaloperators: ows:forinstance,\x+y"istheow(x0+y0;x1+y1;:::;xn+yn;:::).inaddition tousualarithmetic,boolean,conditionaloperators extendedpointwiseto {theoperator\pre"(\previous")givesaccesstothepreviousvalueofitsargument:\pre(x)"istheow(nil;x0;:::;xn 1;:::),wheretheveryrstvalue \nil"isanundened(\noninitialized")value.

3 {theoperator\->"(\followedby")isusedtodeneinitialvalues:\x->y"is theow(x0;y1;:::;yn;:::),initiallyequaltox,andthenequaltoyforever. Asaverysimpleexample,theprogramshownbelowisacounterof\events": IttakesasinputstwoBooleanows \evt"(truewheneverthecounted \event"occurs),and\reset"(true wheneverthecountershouldbe reinitialized),andreturnsthenumberofoccurrencesof\events"since thelast\reset".oncedeclared, sucha\node"canbeusedanywhereinaprogram,asauserdenedoperator.forinstance,our countercanbeusedtogeneratean event\minute"every60\second", bycounting\second"modulo60. nodecount(evt,reset:bool) returns(count:int); letcount=if(true->reset)then0 elseifevtthenpre(count)+1 elsepre(count) tel mod60=count(second,pre(mod60=59)); minute=(mod60=0); 2.2SynchronousObservers Now,anobserverinLustrewillbeanodetakingasinputsalltheowsrelevant tothesafetypropertytobespecied,andcomputingasinglebooleanow,say \ok",whichistrueaslongastheobservedowssatisfytheproperty. Forinstance,letuswriteanobservercheckingthateachoccurrenceofanevent\danger"isfollowedbyan\alarm"beforethenext occurrenceoftheevent\deadline". Itusesalocalvariable\wait",triggeredby\danger"andresetby \alarm",andthepropertywillbe violatedwhenever\deadline"occurs when\wait"ison. nodeproperty(danger,alarm,deadline:bool) returns(ok:bool); varwait:bool; letwait=ifalarmthenfalse elseifdangerthentrue else(false->pre(wait)); ok=not(deadlineandwait); tel AssumethattheabovepropertyisintendedtoholdaboutasystemS, computing\danger"and\alarm",while\deadline"comesfromtheenvironment. Obviously,exceptifSemits \alarm"simultaneouslywitheach \danger",itcannotfulllthepropertywithoutanyknowledgeabout \deadline".now,assumeweknow that\deadline"neveroccursearlier thantwocyclesafter\danger". nodeassumption(danger,deadline:bool) returns(ok:bool); letok=notdeadlineor (true->pre(notdangerand (true->pre(notdanger)))); tel Thisassumptioncanalsobeexpressedbyanobserver.

4 correct=property(danger,alarm,deadline); realistic=assumption(danger,deadline); (danger,alarm,...)=s(deadline,...); S Assumption Propertyrealistic Fig.1.ValidationProgram correct 2.3ValidationProgram program,eithertheoutput\correct"isalwaystrue,ortheoutput\realistic"is observers,propertyandassumption.wecancomposetheminparallel,ina problemcomesdowntoshowingthat,whateverbetheinputstothevalidation surroundingprogramcalled\validationprogram"(seefig.1).ourverication Nowweareleftwith3programs:theprogramSundervalidation,anditstwo havebeenpointedout: sometimesfalse.theadvantagesofusingsynchronousobserversforspecication {observersareexecutable;onecantestthemtogetconvincedthatthespecied {thereisnoneedtolearnanduseadierentlanguageforspecifyingthanfor programming. ton(generally,abuchiautomaton),andshowing,byperformingasynchronous nique[vw86]consistingindescribingthenegationofthepropertybyanautoma- Noticethatsynchronousobserversarejustaspecialcaseofthegeneraltech- propertiesarethedesiredones. synchronousproductisthenormalparallelcomposition,sothistechniquecan beappliedwithintheprogramminglanguage. acceptedbytheautomaton.thepointisthat,insynchronouslanguages,the productofthisautomatonandtheprogram,thatnotraceoftheprogramis 3Model-Checking Ofcourse,aLustreprogramcanbeviewedasatransitionsystem.Alloperators, 3.1Lustreprogramsasstatemachines true,andthenalwaysfalse.theresultofapreoperatoristhevaluepreviously exceptpreand->,arepurelycombinational,i.e.,don'tusethenotionofstate. Theresultofa->operatordependsonwhethertheexecutionisinitsrst takenbyitsargument,soeachpreoperatorhasanassociatedstatevariable.all cycleornot:letinitbeanauxiliarybooleanstatevariable,whichisinitially bymodel-checking[qs82,ces86,bcm+90,cbm89]:whentheprogramunder haveonlybooleanvariableshavenitelymanystatesandcanbefullyveried thesestatevariablesdenethestateoftheprogram.ofcourse,programsthat vericationandbothofitsobserversarepurelyboolean,onecantraversethe

5 statewithoutfalsifyingtheoutput\realistic"areconsidered,andineachreached Thiscanbedoneeitherenumeratively(i.e.,consideringeachstateinturn)or symbolically,byconsideringsetsofstatesasbooleanformulas. nitesetofstatesofthevalidationprogram.onlystatesreachedfromtheinitial state,onecheckthat,foreachinput,either\realistic"isfalse,or\correct"istrue. Programswithnumericalvariablescanbepartiallyveried,usingasimilarapproach.Weconsidersuchaprogramasanintepretedautomaton:thestates 3.2Lustreprogramsasinterpretedautomata automaton.anexampleofsuchaninterpretedautomatonwillbeshowninsection4.ifithappensthatapropertycanbeprovedonthe(nite)controlpart andactionsonnumericalvariablesareassociatedwiththetransitionsofthe oftheautomatonaredenedbythevaluesofthebooleanstatevariables,as above.theassociatedinterpretationdealswiththenumericalpart:conditions resultisunconclusive. 3.3LESAR oftheautomaton,thenitissatisedbythecompleteprogram.otherwise,the avalidationprogram,eitherenumerativelyofsymbolically.moreprecisely,it restrictsitssearchtothepartoftheprogramthatcaninuencethesatisfaction kindofvericationdescribedabove,bytraversingthesetofcontrolstatesof oftheproperty.thispart,sometimescalledtheconeofinuence,canbeeasily LesarisavericationtooldedicatedtoLustreprograms.Itperformsthe showsthat,inmanypracticalcases,theaddressedpropertyonlyconcernsa determined,becauseofthedeclarativenatureofthelanguage:alldependences betweenvariablesareexplicit.thisisanimportantfeature,sinceexperience verysmallpartofaprogram:insuchacase,lesarmaybeabletoverifythe 4TowardsNumericalProperties property,evenifthewholestatespaceoftheprogramcouldnotbebuilt. Onlypropertiesthatdependonlyonthecontrolpartoftheprogramcanbe veriedbymodelchecking.thereasonisthatlesarcanconsiderasreachable somecontrolstatesthatareinfactunreachablebecauseofthenumericalinterpretation,whichisignoredduringthestatespacetraversal:sometransitions areconsideredfeasible,whilebeingforbiddenbytheirnumericalguards.letus illustratethisphenomenononaverysimpleexample,extractedfromasubway casteachsecondbyacentralclock.ideally,itshouldencounteronebeaconeach speedregulationsystem: second,but,toavoidshaking,theregulationsystemappliesahysteresisasfollows:let#band#sbe,respectively,thecurrentnumbersofencounteredbeacons Atraindetectsbeaconsplacedalongthetrack,andreceivesasignalbroad-

6 Init OnTime Early Fig.2.Interpretedautomatonofthesubwayexample Late Early Late andofelapsedseconds.whenever#b #sbecomesgreater10,thetrainisconsideredearly,until#b #sbecomesnegative.symmetrically,whenever#b #s becomessmallerthan 10,thetrainisconsideredlate,until#b #sbecomes positive.weonlyconsiderthepartofthesystemwhichdetermineswhetherthe trainisearlyoflate.inlustre,thecorrespondingprogramfragmentcouldbe: early=false->ifdi>10thentrue di=0->ifsecondandnotbeaconthenpre(di){1 elsepre(di); elseifbeaconandnotsecondthenpre(di)+1 late=false->ifdi<{10thentrue elseifdi>0thenfalse elseifdi<0thenfalse elsepre(late); elsepre(early); \OnTime"areguardedasfollows: structureshownbyfig2,and,forinstance,thetransitionssourcedinthestate tiallytrue,andthenfalseforever)andthevariablesstoringthepreviousval- uesofearlyandlate.thecorrespondinginterpretedautomatonhasthecontrol Thisprogramhas3Booleanstatevariables:theauxiliaryvariableinit(ini- knowthatsomeoftheseguards(g1andg2)canbesimplied,northatone Withoutanyknowledgeaboutnumericalguards,themodel-checkerdoesnot g1:di>10^di 10!Earlyg3:di>10^di< 10!EarlyLate ofthem(g3)isunsatisable.thisiswhythestate\earlylate"isconsidered g2:di10^di< 10!Lateg4:di10^di 10!OnTime staticallyunfeasible.inourexample,ifweremovestaticallyunfeasibletransitions,wegettheautomatonoffig.3,wherethestate\earlylate"isnolonger reachable. reachable.asimplewayofimprovingthepowerofamodel-checkeristoprovide Atransitiontheguardofwhichisnumericallyunsatisablewillbecalled

7 Init Late OnTime Fig.3.Thesubwayexamplewithoutstaticallyunfeasibletransitions Early Late Init Fig.4.Thesubwayexamplewithoutdynamicallyunfeasibletransitions di0 10di10 OnTime di0 Early cases.forinstance,unfeasibilityofguardsmadeoflinearrelationsiseasyto decide1. itwiththeabilityofdetectingstaticallyunfeasibletransitions,insomesimple canbecut,the\bad"stateisnolongerconsideredreachable.thisverypartialimprovementsignicantlyincreasesthenumberofpracticalcaseswherethe model-checkingalgorithm,thetoolcanlook,alongthepathsleadingtothis state,fortransitionsguardedbyunfeasiblelinearguards.ifallsuch\bad"paths linearalgebra:whenastateviolatingthepropertyisreachedbythestandard ThisiswhyLesarhasbeenextendedwithsuchadecisionprocedurein vericationsucceeds. sitionsareclearlyimpossible,sincedivariesofatmost1ateachcycle,and Moreover,sometransitionsareunfeasiblebecauseofthedynamicbehaviorof transitionsfromstate\early"tostate\late"andconversely.now,thesetran- numericalvariables.forinstance,intheautomatonoffig.3,therearedirect Ofcourse,wearenotalwaysabletodetectstaticallyunfeasibletransitions. cannotjumpfrombeing0instate\early"tobecoming< 10instate callyunfeasibletransitionsismuchmoredicult.weexperiment\linearrelation analysis"[hpr97] anapplicationofabstractinterpretation tosynthesize \Late".Suchtransitionsarecalleddynamicallyunfeasible.Detectingdynami- invariantlinearrelationsineachstateoftheautomaton.iftheguardofatransitionisnotsatisablewithintheinvariantofitssourcestate,thenthetransition 1atleastforrationalsolutions;butsinceunfeasibilityinrationalnumbersimplies unfeasibilityinintegers,suchanapproximatedecisionisstillconservative.

8 isunfeasible.inourexample,wegettheinvariantsshowninfig.4,whichallow 5AutomaticTesting ustoremoveallunfeasibletransitions. systems withtoocomplexstatespace,orimportantnumericalaspects will remainunfeasible.ontheotherhand,somevalidationproblemsareoutofthe importantvalidationtechnique.ononehand,thevericationoftoocomplex scopeofformalverication:itisthecasewhenpartsoftheprogramcannotbe Inspiteoftheprogressofformalverication,testingisandwillremainan techniques.moreover,testingtechniquesandtoolsshouldbemainlydevoted environment.so,vericationandtestingshouldbeconsideredascomplementary itisalsothecasewhenonewantstovalidatethenalsystemwithinitsactual tocaseswherevericationeitherfailsordoesnotapply.thisiswhyweare formallydescribed,becausetheyareunknownorwritteninlowlevellanguages; needaformaldescriptionofthesystemundertest(blackboxtesting),andthe costofwhichdoesn'tdependontheinternalcomplexityofthetestedsystem. especiallyinterestedintechniquesthatcopewithnumericalsystems,thatdon't automaticgenerationoftestsetsisthesameasforverication:anautomatic testerwillneedaformaldescriptionofboththeenvironment togenerate isextremelyexpensiveanderror-prone.now,itappearsthattheprerequisitefor onlyrealistictestcases andthesystemundertest toprovidean\oracle" Intensivetestingrequiresautomation,sinceproducinghugetestsetsbyhand decidingwhethereachtestpassesorfails.insection2,weproposedtheuseof synchronousobserversfortheseformaldescriptions.inthelurette[rwnh98] andlutess[borz98]tools,suchobserversareusedtoautomaticallygenerate loopwiththeirenvironment.inparticular,theyareoftenintendedtocontrol andruntestsequences.inthissection,weexplaintheprinciplesofthisgenerationṫhespecicfeatureofreactivesystemsis,ofcourse,thattheyruninclosed ofaninputsequencedoesnotmakesenseindependentlyofthecorresponding proach,testsequencesaregeneratedonthey,astheyaresubmittedtothe maydependonthepastoutputs(fromthesystem).inotherwords,therealism outputsequence,computedbythesystemundertest.thisiswhy,inourap- systemundertest. Moreprecisely,weassumethatthefollowingcomponentsareavailable: theirenvironment.thismeansthatthecurrentinput(fromtheenvironment) {TheobserversAandP,respectively {anexecutableversionofthesystemundertest,says.weonlyneedtobeable torunit,stepbystep. checkedduringthetest. i S op A realistic environmentandthepropertiestobe describingtheassumptionsaboutthe correct

9 instantaneouslyoftheoutputs\o"ofs.since\o"issupposedtobecomputed fromthecurrentinput\i",itwouldbeakindofcausalityloopthattherealism of\i"dependon\o". Moreover,theoutput\realistic"oftheobserverAisrequirednottodepend rst,theinitialstateofa:inthisstate,thelustrecodeofacanbesimplied, andtobeabletorunthesystemsandtheobserverp,stepbystep.itconsiders, byreplacingeachexpression\e1->e2"by\e1",andeachexpression\pre(e)"by \nil".afterthissimplication,theresult\realistic"isacombinationalexpression Basically,thetesteronlyneedstoknowthesourcecodeoftheobserverA, oftheinput\i",say\b(i)".thesatisfactionofthebooleanformulab(i)canbe viewedasaconstraintontheinitialinputstothesystem.aconstraintsolver whichwillbedetailedbelow isusedtorandomlyselectaninputvectori0 toitsnewstate,providinganewconstrainton\i".thesameprocesscanbe oracle\correct"outputbyp.thelustrecodeofacanbesimpliedaccording AandPforastep,tomakethemchangetheirinternalstate,andtogetthe vectoro0(andchangingitsinternalstate).knowingbothi0ando0,onecanrun satisfyingthisconstraint.now,sisrunforasteponi0,producingtheoutput givennumberofsteps. repeatedaslongasthetestpasses(i.e.,preturns\correct=true"),orfora servers.aconstraintisthenapurelybooleanformula,whichisrepresentedby abinarydecisiondiagram.acorrectselectioncorrespondstoapathleading agivenconstraint.inlutess[borz98],oneconsideronlypurelybooleanob- toa\true"leafinthisbdd.thetoolisabletoperformsuchaselection,eitherusinganequiprobablestrategy,ortakingintoaccountuser-givendirectives. Lurette[RWNH98]isabletosolveconstraintsthatareBooleanexpressions Theconsideredtoolsmainlydierintheselectionofinputvectorssatisfying involvingbooleaninputsandlinearrelationsonnumericalinputs. S.Anobserverofthisbehaviorcanbewrittenasfollows: derivative.initially,bothuanditsderivativeareknowntobe0.then,thesecond AssumeSisintendedtoregulateaphysicalvalueu,byconstrainingitssecond derivativeofuwillbeinaninterval[ ;+]aroundthe(previous)outputxof Example:Letusillustratethegenerationprocessonaverysimpleexample. vardudt,d2udt2:real; letdudt=0->(u{pre(u)); nodea(u,x:real)returns(realistic:bool); realistic=(u=0)->((pre(x){delta<=d2udt2) d2udt2=dudt{pre(dudt); Attherstcycle,thecodeofAissimpliedto tel and(d2udt2<=pre(x)+delta)); dudt=0;d2udt2=nil;realistic=(u=0);

10 systemsisrunforonecycle,withthisinputvalue,letx0bethereturnedvalue. Thereisonlyonewayofsatisfyingtheconstraint,bychoosingu0=0.The SothecodeofAissimpliedto Atthesecondcycle,weknowthat dudt=u;d2udt2=dudt; pre(u)=0;pre(dudt)=0;pre(x)=x0 u1=x0+isselected,andprovidedtos,whichreturnssomenewvaluex1.at thenextcycle,weknowthat whichgivesthe(linear)constraintx0 ux0+.assumethevalue realistic=(x0{delta<=d2udt2)and(d2udt2<=xo+delta); So,thecodeofAsimpliesto dudt=u{(x0+delta);d2udt2=dudt{(x0+delta); pre(u)=pre(dudt)=x0+;pre(x)=x1 whichgivestheconstraintx1+2x0ux1+2x0+2,andsoon... realistic=(x1{delta<=d2udt2)and(d2udt2<=x1+delta) specicationofpropertiesbysynchronousobservers.whilenotbeingrestricted 6Conclusion andconvenientinthatcontext,sincethesamekindoflanguagecanbeusedto tosynchronousmodels,thiswayofspecifyingpropertiesisespeciallynatural Wehavepresentedsomevalidationtechniques,whichmainlyderivefromthe describethesystemanditsproperties. chronousobserverswereanaturalgeneralizationoftherelationsinesterel, couldbeadaptedtoanysynchronouslanguage.notice,however,thatsomeideas whichareawayofexpressingknownimplicationsorexclusionbetweeninput weredirectlysuggestedbythedeclarativenatureoflustre.forinstance,syn- OurpresentationwascenteredonthelanguageLustre,butthetechniques straintisespeciallynaturalwhentheobserveriswritteninlustre,butcanbe sequencegeneration,theideaofconsideringanobserverasa(dynamic)con- invariantbooleanexpressions.generalizedtoanybooleanlustreexpression, thismechanismprovidesawayofspecifyinganysafetyproperty.also,intest events.whentransposedintolustre,theserelationsarejustspecialcasesof adaptedtoanysynchronouslanguage. References [BCDP99]S.Bensalem,P.Caspi,C.Dumas,andC.Parent-Vigouroux.AmethodologyforprovingcontrolprogramswithLustreandPVS.InDependable Society,January1999. ComputingforCriticalApplications,DCCA-7,SanJose.IEEEComputer

11 [BCM+90]J.R.Burch,E.M.Clarke,K.L.McMillan,D.L.Dill,andJ.Hwang.Symbolicmodelchecking:1020statesandbeyond.InFifthIEEESymposium [BG92] [BORZ98]L.duBousquet,F.Ouabdesselam,J.-L.Richier,andN.Zuanon.Lutess: guage:design,semantics,implementation.scienceofcomputerprogram- ming,19(2):87{152,1992. onlogicincomputerscience,philadelphia,1990. G.BerryandG.Gonthier.TheEsterelsynchronousprogramminglan- [Bou98] testingenvironmentforsynchronoussoftware.intoolsupportforsystemspecicationdevelopmentandverication.advancesincomputing Science,Springer,1998. (B.C.),June1998.LNCS1427,SpringerVerlag. nationalconferenceoncomputer-aidedverication,cav'98,vancouver A.Bouali.Xeve:anEsterelvericationenvironment.InTenthInter- [CBM89]O.Coudert,C.Berthet,andJ.C.Madre.Vericationofsynchronous sequentialmachinesbasedonsymbolicexecution.ininternationalworkshoponautomaticvericationmethodsforfinitestatesystems,grenoble.lncs407,springerverlag,1989. [DR94] [CES86] nite-stateconcurrentsystemsusingtemporallogicspecications.acm TOPLAS,8(2),1986. andvericationbycompositionalreductions.ind.dill,editor,6thinternationalconferenceoncomputeraidedverication,cav'94,stanford, June1994.LNCS818,SpringerVerlag. N.Halbwachs.Synchronousprogrammingofreactivesystems.Kluwer R.DeSimoneandA.Ressouche.Compositionalsemanticsofesterel E.M.Clarke,E.A.Emerson,andA.P.Sistla.Automaticvericationof [Hal93] [HLR93] [HCRP91]N.Halbwachs,P.Caspi,P.Raymond,andD.Pilaud.Thesynchronous 79(9):1305{1320,September1991. dataowprogramminglanguagelustre.proceedingsoftheieee, N.Halbwachs,F.Lagnier,andP.Raymond.Synchronousobserversand AcademicPub.,1993. [HPR97]N.Halbwachs,Y.E.Proy,andP.Roumano.Vericationofreal-time thevericationofreactivesystems.inm.nivat,c.rattray,t.rus,and G.Scollo,editors,ThirdInt.Conf.onAlgebraicMethodologyandSoftware Technology,AMAST'93,Twente,June1993.WorkshopsinComputing, [JPV95] SpringerVerlag. systemsusinglinearrelationanalysis.formalmethodsinsystemdesign, 11(2):157{185,August1997. vericationofesterelprogramsandapplicationstotelecommunication software.inp.wolper,editor,7thinternationalconferenceoncomputeraidedverication,cav'95,liege(belgium),july1995.lncs939, L.J.Jagadeesan,C.Puchol,andJ.E.VonOlnhausen.Safetyproperty [LGLL91]P.LeGuernic,T.Gautier,M.LeBorgne,andC.LeMaire.Programming [LDBL93]M.LeBorgne,BrunoDutertre,AlbertBenveniste,andPaulLeGuernic. SpringerVerlag. pages2191{2196,groningen,1993. DynamicalsystemsoverGaloiselds.InEuropeanControlConference, [Mar98] 1336,September1991. B.Marre.Testdataselectionforreactivesynchronoussoftware.In Dagstuhl-Seminar-Report223:TestAutomationforReactiveSystems- TheoryandPractice,September1998. realtimeapplicationswithsignal.proceedingsoftheieee,79(9):1321{

12 [MHMM95]M.Mullerburg,L.Holenderski,O.Maeis,andM.Morley.Systematic testingandformalvericationtovalidatereactiveprograms.software [RHR91]C.Ratel,N.Halbwachs,andP.Raymond.Programmingandverifying [QS82] QualityJournal,4(4):287{307, ,SpringerVerlag,April1982. systemsincesar.ininternationalsymposiumonprogramming.lncs J.P.QueilleandJ.Sifakis.Specicationandvericationofconcurrent [RWNH98]P.Raymond,D.Weber,X.Nicollin,andN.Halbwachs.Automatictesting Systems,NewOrleans,December1991. guagelustre.inacm-sigsoft'91conferenceonsoftwareforcritical ofreactivesystems.in19thieeereal-timesystemssymposium,madrid, criticalsystemsbymeansofthesynchronousdata-owprogramminglan- [VW86] programverication.insymposiumonlogicincomputerscience,june Spain,December M.Y.VardiandP.Wolper.Anautomata-theoreticapproachtoautomatic