Abstract. Formal Description Techniques (FDT), such as LOTOS or SDL, are at the base of a technology for the specification and the validation of telecommunication systems. Due to the availability of commercial tools, these formalisms are now widely used in the industrial community. On the other hand, a number of quite efficient verification tools have been developed by the research community. But most of these tools are based on simple ad hoc formalisms, and the gap between them and real FDTs restricts their use at an industrial scale.
Introduction
Formal Description Techniques, such as LOTOS [ISO88] or SDL [IT94], and related formalisms such as MSC and TTCN, are at the base of a technology for the specification and the validation of telecommunication systems. Due to the availability of commercial tools, mainly for editing, code generation and testing, and to the fact that these formalisms are promoted by ITU and other international standardization bodies, they are now widely used in the community of telecommunication systems. There is also an increasing need for description and validation tools covering as many aspects of system development as possible. This is the reason why the commercial editing tools also contain some verification facilities. Unfortunately, these verification facilities are often quite restricted and the tools are "closed", in the sense that there are only limited possibilities to interface them with others. On the other hand, a number of quite efficient verification tools have been developed by the research community, but they are in general based on ad hoc input formalisms, and the gap between them and real FDTs restricts their use at an industrial scale. Even if these tools are in general less closed than commercial ones, they rarely have well-defined interfaces. For example, many developments were made around the Spin verification tool [Hol91], but they rely on the availability of the source code and not on a priori defined interfaces.
A different approach was followed within CADP [FGK+96], a toolbox for the verification of LOTOS specifications. It was conceived right from the beginning as an open platform for interfacing different algorithms, and provides several well-defined and documented interfaces (Application Programming Interfaces, API for short). The initial motivation for the work presented here was the fact that SDL is becoming a more and more popular formalism in the telecommunication community, and that we wanted to adapt CADP to deal also with SDL specifications. Since the intermediate program-level formalisms used within CADP are not appropriate for SDL specifications, we had to investigate alternative representations. For example, CADP is based on a synchronous communication model (rendez-vous), whereas SDL communications are fully asynchronous (via queues).
Another motivation concerns time modeling. Finding a "reasonable" notion of time in asynchronous systems is a non-trivial question, and this is reflected by the variety of the existing proposals for existing FDTs. For instance, the SDL syntax defines a timer concept, but there is no consensus on how time progresses, and different SDL tools have adopted different choices. Similarly, in the original LOTOS definition there is no particular notion of time, whereas different timed extensions are currently being proposed [LL97, Que98]. Choosing an appropriate timed extension for an FDT should take into account not only technical considerations about the semantics of timed systems, but also more pragmatic ones related to its appropriateness for use in a system engineering context. We believe that the different ideas about extensions of the language must be validated experimentally before being adopted, to avoid phenomena of rejection by the users.
These problems motivated the development of IF, an intermediate representation for timed asynchronous systems. The requirements on such a formalism are the following:
- it must be sufficiently expressive to be used as an intermediate representation for the above mentioned specification formalisms, or at least for reasonably large subsets of them;
- it must have a formally defined operational semantics, and be flexible enough to experiment with different choices and extensions;
- it must be supported by a set of well-defined APIs, at different levels of program representation, allowing to interface existing validation tools and to experiment with new ones.
The paper is organized as follows. First, we define the IF formalism, its main concepts and its operational semantics. We also discuss its expressiveness with respect to other models and specification formalisms, in particular regarding the timing aspects. Then, we present a set of tools interconnected within an open validation environment for IF specifications. Finally, we illustrate the use of IF on a small example, a distributed leader election algorithm, on which different kinds of validation are performed.
Presentation of IF
In the following sections, we give a brief overview of the main features of IF and of its operational semantics in terms of labeled transition systems. A more complete description of IF and of its semantics can be found in [BFG+98].
Syntax
An IF system is a set of processes communicating either asynchronously through a set of buffers or synchronously through a set of gates. The timed behavior of a system can be controlled through clocks (as in timed automata [ACD93, HNSY94]).
IF system definition: A system is a tuple Sys = (glob-def, procs, S), where glob-def = (type-def, sig-def, gate-def, var-def, buf-def) is a list of global definitions: type-def is a list of type definitions (enumerated types, arrays, records and also abstract data types), sig-def defines a list of parameterized signals (as in SDL), gate-def defines a list of parameterized gates (as in LOTOS), var-def is a list of global variables, and finally buf-def is a list of buffers through which the processes communicate by asynchronous signal exchange (as in Promela [Hol91] or SDL). Notice that we allow various types of buffers: FIFO queues, stacks or bags, which can be chosen to be unbounded or bounded, and reliable or lossy. procs defines a set of processes, described in the following paragraph. S is a synchronization expression, as in LOTOS or CSP, telling how the processes defined in procs synchronize. Such a synchronization expression is given by the following grammar, where C is a (possibly empty) set of gates:
S ::= P (P ∈ procs) | S |[C]| S

Thus, a system S is either a process P or a parallel composition of two subsystems S1 and S2 with rendez-vous synchronization on the set of gates C. In a system of the form S1 |[C]| S2, transitions concerning a gate in C are executed synchronously in the two subsystems, whereas all other transitions are interleaved.

- buf is the name of the buffer from which the signal should be read.
- cond is a time-independent "post guard" defining the condition under which the received signal is accepted; it usually depends on the received parameters. Intuitively, an input transition is enabled if its guard is true and the first signal to be consumed (according to the attributes save(q) and discard(q)) is of the form
- asynchronous outputs of the form "output sig(par_list) to buf" append a signal of the form "sig(par_list)" to the buffer buf.
- usual assignments between discrete variables.
- settings of clocks, which have the effect of assigning a specific value to a clock.

Footnotes: (2) One can also define timers (as in SDL), which can be set to any positive value, decrease with the progress of time and expire when they reach the value zero; to simplify the presentation we do not include them in this document. (3) Or "assignable" expressions such as elements of records or arrays.
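As an added example (not part of the original paper, and not code from the IF/CADP tools), the following Python code computes the composition S1 |[C]| S2 of two small labeled transition systems exactly as the rule above states: a transition on a gate in C fires only when both components offer it, every other transition interleaves. States are generated on demand from the initial pair, as an enumerative explorer would, and a deadlock check shows what happens when one side offers a gate the other is not ready for. The client/server systems and their gate names are constructed for this example.

```python
"""Parallel composition S1 |[C]| S2 of two labelled transition systems.

Added example, not code from the IF/CADP tool set. An LTS is a dict mapping a
state to a list of (label, successor) pairs; the label of a transition on a
gate is the gate name. Gates in the set `sync` (the C of S1 |[C]| S2) are
rendez-vous points: both sides must move together on the same gate; every
other transition interleaves. The sample systems are constructed for this
example.
"""
from collections import deque


def compose(lts1, init1, lts2, init2, sync):
    """Return (product_lts, product_init) for lts1 |[sync]| lts2.

    Only states reachable from the initial pair are generated, in the
    on-demand style of an enumerative explorer.
    """
    init = (init1, init2)
    product = {}
    todo = deque([init])
    while todo:
        s1, s2 = state = todo.popleft()
        if state in product:
            continue
        succs = []
        for lab1, t1 in lts1.get(s1, []):
            if lab1 in sync:
                # rendez-vous: fires only if component 2 offers the same gate
                for lab2, t2 in lts2.get(s2, []):
                    if lab2 == lab1:
                        succs.append((lab1, (t1, t2)))
            else:
                succs.append((lab1, (t1, s2)))      # interleaved move of 1
        for lab2, t2 in lts2.get(s2, []):
            if lab2 not in sync:
                succs.append((lab2, (s1, t2)))      # interleaved move of 2
        product[state] = succs
        todo.extend(t for _, t in succs)
    return product, init


def deadlocks(lts):
    """States without outgoing transitions."""
    return sorted(s for s, succs in lts.items() if not succs)


# Constructed sample: a client that requests and then waits for an ack, a
# server that accepts a request, works internally and then acks, and a
# server that acks before being asked (which deadlocks against the client).
CLIENT = {"c0": [("req", "c1")], "c1": [("ack", "c0")]}
SERVER = {"s0": [("req", "s1")], "s1": [("work", "s2")], "s2": [("ack", "s0")]}
BAD_SERVER = {"s0": [("ack", "s1")], "s1": [("req", "s0")]}


def demo():
    """Sizes and deadlocks of the two products, synchronizing on req and ack."""
    good, _ = compose(CLIENT, "c0", SERVER, "s0", {"req", "ack"})
    bad, _ = compose(CLIENT, "c0", BAD_SERVER, "s0", {"req", "ack"})
    return len(good), deadlocks(good), deadlocks(bad)


if __name__ == "__main__":
    print(demo())
```

The product with SERVER has three states and no deadlock; the internal `work` step interleaves because it is not in C. The product with BAD_SERVER is stuck in its initial state: both components offer a gate in C, but not the same one, so no rendez-vous is possible.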
Semantics
The semantics of IF is based on concepts taken respectively from LOTOS, SDL and timed automata. We define it by translating IF systems into timed automata with urgency [BST98]. First, we show how to associate a timed automaton with each process, and then how two timed automata can be composed into a single one. Such a timed automaton can then be interpreted using either discrete or dense time, depending on the verification tools and properties considered. Notice that the discrete/dense interpretation of time does not influence the translation from IF to timed automata.
Association of a timed automaton with a process: Let P = (var-def, Q, cTrans) be a process definition in the system Sys, and furthermore:
Let Buf be the set of buffer environments B representing the possible contents of the buffers of the system, on which, depending on the declared buffer type, all necessary primitives are defined: e.g. "get the first signal of a given buffer, taking into account the save and the discard attributes of the control state", "append a signal at the end of a buffer", etc.
Let Env be the set of environments E defining the valuations of all discrete variables defined in the system Sys (the local and the global ones).
The semantics of the process P is the timed automaton [[P]] = (Q × Env × Buf, Trans), where Q × Env × Buf is the set of states, for which we extend the attributes of control states in a natural manner, e.g. tpc(q, (E, B)) is the partial evaluation of tpc(q) in (E, B).
Composition of models:
The timed automaton associated with a system of the form Sys = (glob-def, procs, S) is obtained by composing the timed automata of the processes according to the composition expression S. The composition rules presented correspond to the and-parallel composition described in [BST98].
Let

In this rule, the synchronization of two transitions with the same urgency attribute results in a transition with this attribute, the composition of an eager transition with any other transition results in an eager one, and in order to compose a lazy with a delayable transition, one needs to decompose the delayable one into two transitions, an eager and a lazy one, which under a reasonable restriction is always
The semantics of timed automata: The model of time of IF is that of communicating timed automata with urgency, introduced in [BST98]. Each process has a number of clocks which increase with the progress of time (either in a discrete or in a continuous manner). Clocks can be "tested" in the guards and "set" in the bodies of transitions. In this model, time is considered global, that is, it progresses synchronously in all processes of the system. The main problem is "when can time progress?". In timed automata [ACD93], time progress is defined by means of "invariants" associated with each state, such that time is allowed to progress as long as the invariant expression evaluates to true. The main problem with this model is that it does not allow expressing the urgency of transitions. A model avoiding this problem is obtained by associating with every transition a deadline (a predicate stronger than the guard), meaning that whenever the deadline predicate evaluates to true, the transition has priority over time progress. In [BST98], it has been shown that a much simpler model using just three possible urgency attributes instead of deadlines is sufficient: eager transitions always have priority over time, delayable transitions may let time progress, but only as long as they remain enabled, and lazy transitions cannot prevent time from progressing. This is the time model we have chosen in IF.

There is no standard semantics of time defined for SDL, and each tool uses its own. For example, ObjectGeode uses a very "synchronous" time concept where time can only progress when the system is blocked (in terms of IF, that means all transitions are eager), whereas in other tools time can always progress (all transitions are lazy). This shows that the currently implemented notions of time for SDL are extreme ones, which is often considered a problem by the users and leads to unnecessarily complicated descriptions, while many intermediate solutions are possible using IF, as discussed in the previous section.
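The three urgency attributes are easiest to compare by running them. The following Python code is an added example (not part of the paper and not code from the IF tool set): it explores the discrete-time state space of a single process with one integer clock, where a one-unit time step is allowed only if no enabled eager transition exists and no enabled delayable transition would be disabled by the step, while lazy transitions never block time. The automaton (a timeout that may fire only while 2 <= x <= 4) and the exploration bound HORIZON are assumptions made for this example.

```python
"""Time progress under the urgency attributes eager / delayable / lazy.

Added example, not code from the IF tool set. One process, one integer clock x,
discrete-time interpretation. A time step x -> x+1 is allowed iff no enabled
transition is eager and no enabled delayable transition would become disabled
by the step; lazy transitions never block time. The automaton and the bound
HORIZON below are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Transition:
    name: str
    guard: Callable[[int], bool]   # predicate on the clock value
    urgency: str                   # "eager", "delayable" or "lazy"
    target: str
    reset: bool = True             # set the clock to 0 when fired


def time_can_progress(trans: List[Transition], x: int) -> bool:
    """Is a one-unit time step allowed from clock value x?"""
    for t in trans:
        if not t.guard(x):
            continue                     # disabled transitions never block time
        if t.urgency == "eager":
            return False                 # must fire now, time cannot pass
        if t.urgency == "delayable" and not t.guard(x + 1):
            return False                 # last instant at which it is enabled
    return True                          # lazy (or nothing enabled): time passes


def explore(automaton: Dict[str, List[Transition]], init: str, horizon: int):
    """Reachable (location, x) states with x <= horizon, and the fired steps."""
    seen: Set[Tuple[str, int]] = set()
    fired: List[Tuple[str, int, str]] = []
    todo = [(init, 0)]
    while todo:
        loc, x = todo.pop()
        if (loc, x) in seen:
            continue
        seen.add((loc, x))
        trans = automaton.get(loc, [])
        for t in trans:
            if t.guard(x):               # discrete step
                fired.append((loc, x, t.name))
                todo.append((t.target, 0 if t.reset else x))
        if x < horizon and time_can_progress(trans, x):
            todo.append((loc, x + 1))    # time step
    return seen, fired


HORIZON = 6  # exploration bound on the clock value (assumption)


def timeout_behaviour(urgency: str):
    """A station that may react to a timeout only while 2 <= x <= 4.

    Returns the clock values at which the timeout fires and the largest
    clock value at which the station can still be waiting.
    """
    automaton = {
        "wait": [Transition("timeout", lambda x: 2 <= x <= 4, urgency, "done")],
        "done": [],
    }
    seen, fired = explore(automaton, "wait", HORIZON)
    firing_times = sorted(x for _, x, name in fired if name == "timeout")
    latest_wait = max(x for loc, x in seen if loc == "wait")
    return firing_times, latest_wait


if __name__ == "__main__":
    for u in ("eager", "delayable", "lazy"):
        print(u, timeout_behaviour(u))
```

With eager the timeout fires at exactly x = 2; with delayable it may fire at 2, 3 or 4 but time is stopped at 4, so the deadline is never missed; with lazy the station can still be waiting at x = 5 or 6, where the timeout is disabled forever. That last state is the kind of "missed deadline" behaviour the delayable attribute is meant to exclude.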
We have identified a large static subset of SDL which we are able to translate into IF. That is, with the exception of dynamic creation of processes and some mobility aspects of communication, we can define a syntactic-level translation between these two formalisms. A prototype translator has been implemented using the SDL

[Hoa84]. In LOTOS, the communication is synchronous using rendez-vous. LOTOS has a well-defined operational semantics, and there exist several tools supporting it.
The right approach to model and validate LOTOS specifications is recognized to be the use of Petri nets, rather than communicating extended automata, as intermediate representation [GS90]. However, our experience with LOTOS has shown that often the specifications have the form of a parallel composition of sequential components (processes). This observation also motivated the use of compositional generation methods, which give good results for this kind of LOTOS specifications [KM97].
The timed extensions introduced in E-LOTOS [Que98], ET-LOTOS [LL97] and LOTOS-NT [Sig99] are similar to that of IF, except that the urgency of an action is defined implicitly by its type: "exceptions" and internal actions are urgent, whereas observable actions are not. This is due to the fact that they aim at a much stronger form of compositionality, where a labeled transition system (and not a timed automaton) can be associated directly with each process, and these can then be composed into a system model.
We plan to investigate the translation of decomposable LOTOS specifications into IF, as parallel composition with synchronization between processes can be handled in IF. Furthermore, a reasonably small Petri net (corresponding to a non-decomposable LOTOS part) can be modeled as an IF process.
PROMELA
Another language we have considered is Promela, the native language of the Spin model checker [Hol91]. It has not been designed as a specification language but as an intermediate representation language for protocols, mainly for validation purposes. It is based on extended finite-state machines communicating asynchronously or synchronously via queues. We consider Promela because it is relatively well known in both the academic and the industrial community. Its success is due to the wide availability of Spin, which provides powerful model-checking algorithms based on partial-order reductions.
There exist timed extensions of Promela. The one proposed in [CT96] is based on timed automata, whereas the one of [BD98] has a time concept similar to that of ObjectGeode: all set timers decrease synchronously until one of them expires; then time is blocked until the corresponding timeouts are consumed, and these timeout consumptions take place only when no other transition is possible in the system.
A translator from IF to Promela has been developed in the framework of the VIRES Esprit-LTR project at Eindhoven University, and has been used to verify SDL specifications with Spin [BDHS99]. We plan to study also the translation from Promela to IF. As for SDL, there are some limitations due to the dynamic process creation and mobility features of Promela.

An integrated validation environment should fulfill the following requirements. First of all, it must support several validation techniques, from symbolic interactive simulation to automatic property checking, together with test case generation and executable code generation. Indeed, all these functionalities cannot be embodied in a single tool, and only tool integration facilities can provide all of them.
Moreover, for the sake of efficiency, this environment also has to support several levels of representation. For instance, it is well known that model-checking verification of real-life case studies usually needs to combine several optimization techniques to overcome the state explosion problem.
In particular, some of these techniques rely on a syntactic-level representation, like static analysis and the computation of abstractions (for which it may be necessary to cooperate with decision procedures or a theorem prover). Other techniques operate on a representation of the underlying semantic model, such as on-the-fly analysis, bisimulation-based model reduction or model checking. These representations can be either implicit, enumerative or symbolic, and are explained below. Another important feature is to keep this environment open and extensible. Therefore, tool connections are performed by sharing either input/output file formats or libraries of internal data structures. For this purpose, several well-defined interfaces (APIs) must be provided.
In the remainder of the section we present the overall architecture of the existing environment and some of its components. In the future, new connections with existing tools and new analysis modules may be added.

The syntactic level allows one to consult and modify the abstract tree of an IF program. Since all the variables, timers, buffers and the communication structure are still explicit, high-level transformations based on static analysis (such as live variable computation) or program abstraction can be applied. Moreover, this API is also well suited to implementing translators between IF and other specification formalisms.
The execution model level gives access to the LTS representing the semantics of the IF program. The following three APIs are those offered in CADP for different types of representations. In the IF environment, mixed representations are also used.
The implicit enumerative representation is based on the Open/Caesar [Gar98] philosophy. It consists of a set of C functions and data structures allowing to compute on demand the successors of a given state. This piece of C code is generated by the IF compiler, and it can be linked with a "generic" exploration program performing on-the-fly analysis (deadlock detection, model checking, test case generation, ...).
In the symbolic representation (called SMI [Boz97]), sets of states and transitions of the LTS are expressed by their characteristic functions over a set of finite variables. These functions are implemented in terms of decision diagrams (BDDs [Bry86] and MDDs). Existing applications based on this API are symbolic model checking and minimal model generation.
Finally, the explicit enumerative representation simply consists of an LTS file format with an associated access library. Although such an explicit representation is not suitable for handling large systems globally, it is still useful in practice to minimize some of their abstractions with respect to bisimulation-based relations (as in compositional generation, see below).

Below, we discuss the tools that are part of the IF verification environment and some external tools with which a strong connection exists.

CADP [FGK+96, BFKM97] is a tool set for the verification of LOTOS specifications. It has been developed by Verimag and the VASY team of INRIA Rhône-Alpes. We briefly present here two of its verifiers, which are also part of the IF environment: Aldebaran compares and minimizes finite LTSs with respect to various simulation or bisimulation relations. This allows the comparison of the observable behavior of a specification with its expected one, described at a more abstract level. Evaluator is an "on-the-fly" model checker for formulas of the alternation-free μ-calculus [Koz83].
ObjectGeode [Ver96] is a commercial tool set developed by Verilog, supporting SDL, MSC and OMT. It includes graphical editors and compilers for each of these formalisms. It also provides a C code generator and a simulator to help the user interactively debug an SDL specification.
ObjectGeode also provides an API offering a set of functions and data structures to access the abstract tree generated from an SDL specification. Our translation tool (sdl2if) uses this abstract tree to generate an operationally equivalent IF specification.
Kronos [Yov97], developed at Verimag, is a model checker for the symbolic verification of TCTL formulae on communicating timed automata. The current connection with the IF/CADP environment is as follows: control states and discrete variables are expressed using the IF/CADP implicit enumerative representation, whereas clocks are expressed using an appropriate symbolic representation (a particular class of polyhedra). Currently we are working on a more efficient translation of SDL timers into clocks.
TGV [FJJV97] is a test sequence generator built upon CADP, jointly by Verimag and the Pampa project of IRISA. TGV aims at automatically generating test cases for conformance testing of distributed systems. Test cases are computed during the exploration of the model and are selected by means of test purposes. Test purposes characterize some abstract properties that the system should have and that one wants to test; they are given as trees of labels, decorated with the verdicts "ok" and "fail".
InVeSt [BLO98] is a symbolic verification tool based on the interaction with the theorem prover PVS [OSR93]; it computes abstractions and invariants of a set of guarded-command processes communicating through shared variables. It has been developed jointly by Verimag, the University of Kiel and SRI. We have implemented translations between this formalism and IF, which allow us to compute abstract systems.
Live [BFG99a] is a tool developed at Verimag. It transforms an IF specification into an equivalent IF specification with a smaller state graph by means of static analysis. Presently, only simple algorithms are implemented, such as constant variable elimination and dead variable resetting (a variable which, at some control point, is never used before being assigned again is set to some default value). Even this very simple analysis is very effective, as a reduction of the state space by a factor of 100 is common. In the future, we also intend to implement algorithms building weaker abstractions, for example the elimination of irrelevant variables.
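The mechanism behind dead variable resetting is a classical backward live-variable analysis on the control graph of a process, followed by a normalisation of the environment on entering each control state. The following Python code is an added example (not the Live tool and not code from the paper): it computes the live variables of a small two-variable station process, then enumerates its reachable (control state, valuation) pairs with and without resetting dead variables, so the size reduction can be measured directly. The station process, its value domain and the default value 0 are constructed for this example.

```python
"""Live-variable analysis and dead-variable resetting on a control graph.

Added example, not the Live tool of the IF environment. A process is a control
graph whose edges carry a guard, an update and the variable sets they read
(use) and write (defs). The backward fixpoint computes, for each control
state, the variables that may still be read before being overwritten; the
explorer then resets every non-live variable to a default value on entering a
control state. The station process and the value domain are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

Env = Dict[str, int]


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    use: FrozenSet[str]
    defs: FrozenSet[str]
    guard: Callable[[Env], bool]
    update: Callable[[Env], List[Env]]   # may yield several successors (input)


def live_variables(edges: List[Edge]) -> Dict[str, Set[str]]:
    """live[q] = variables read on some path from q before being written."""
    states = {e.src for e in edges} | {e.dst for e in edges}
    live: Dict[str, Set[str]] = {q: set() for q in states}
    changed = True
    while changed:                       # backward fixpoint over the edges
        changed = False
        for e in edges:
            new = e.use | (live[e.dst] - e.defs)
            if not new <= live[e.src]:
                live[e.src] |= new
                changed = True
    return live


def reachable(edges, init_state, init_env, live=None, default=0):
    """Enumerate (control state, env) pairs; reset dead variables if live given."""
    def key(q, env):
        return (q, tuple(sorted(env.items())))

    def normalise(q, env):
        if live is None:
            return env
        return {v: (x if v in live[q] else default) for v, x in env.items()}

    start = (init_state, normalise(init_state, init_env))
    seen = {key(*start)}
    todo = [start]
    while todo:
        q, env = todo.pop()
        for e in edges:
            if e.src != q or not e.guard(env):
                continue
            for env2 in e.update(env):
                nxt = (e.dst, normalise(e.dst, env2))
                k = key(*nxt)
                if k not in seen:
                    seen.add(k)
                    todo.append(nxt)
    return seen


# Constructed station: reads a value into tmp, compares it with its own
# address MY_ID, and counts completed critical sections in n (modulo 3).
MY_ID = 1
DOMAIN = range(4)
STATION = [
    Edge("idle", "chk", frozenset(), frozenset({"tmp"}), lambda e: True,
         lambda e: [dict(e, tmp=v) for v in DOMAIN]),
    Edge("chk", "idle", frozenset({"tmp"}), frozenset(),
         lambda e: e["tmp"] != MY_ID, lambda e: [dict(e)]),
    Edge("chk", "crit", frozenset({"tmp"}), frozenset(),
         lambda e: e["tmp"] == MY_ID, lambda e: [dict(e)]),
    Edge("crit", "idle", frozenset({"n"}), frozenset({"n"}), lambda e: True,
         lambda e: [dict(e, n=(e["n"] + 1) % 3)]),
]


def compare_sizes():
    """Live sets per control state, and state counts without/with resetting."""
    live = live_variables(STATION)
    init = {"n": 0, "tmp": 0}
    plain = reachable(STATION, "idle", init)
    reduced = reachable(STATION, "idle", init, live=live)
    return {q: sorted(v) for q, v in live.items()}, len(plain), len(reduced)


if __name__ == "__main__":
    print(compare_sizes())
```

Here tmp is dead in idle and crit (it is always reassigned on the edge idle -> chk before being read), so the stale value it carries into those states is reset to 0 and the state count drops from 27 to 18. The reduced graph is strongly bisimilar to the original because only values that can never be observed again are changed; the factor-100 reductions the text reports come from the same effect on processes with many more variables.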
Compo is a tool being developed at Verimag for the compositional generation of minimal models associated with IF programs. This compositional generation method has already been applied to specification formalisms based on rendez-vous communication, and has been shown to be efficient in practice [GLS96, Val96, KM97]. It has not been investigated for systems based on communication via buffers, perhaps because buffers raise several difficulties, or due to the lack of suitable representations and tools. The potential benefit of this approach is illustrated on an example in the next section.
We present a simple example to illustrate the IF formalism and the related verification tools. We consider a token ring, that is, a system of n stations (processes) S1, ..., Sn connected in a circular network, in which a station is allowed to access some shared resource R only when it "owns" a particular message, the token. If the network is unreliable, it is necessary to recover from token loss. This can be done using a leader election algorithm [Lan77, CR79]. All stations Si are identical up to their identity and are described by an IF process like the one of Figure 2. The timer worried is set when the station waits for the token and reset when it receives it. On expiration of the timer worried, token loss is assumed and an election phase is started. The "alternating bit" round is used to distinguish between valid claims (emitted during the current election phase) and old ones (cancelled by a token reception). In the idle state, a station may either receive the token from its neighbor (then it reaches the critical state and can access the resource), or receive the timer expiration signal (then it emits a claim stamped with its address and the current value of round), or receive a claim from its neighbor. A received claim is "filtered" if its associated address is smaller than the station's own address, and transmitted unchanged if it is greater. If its own valid claim is received, the station becomes elected and generates a new token.
Model generation: We summarize in Table 2 the size of the models obtained from the token-ring protocol using three generation methods: directly from the initial IF program (global generation), using the live variable reduction (global + live), and using a compositional generation strategy (compositional + live). The most spectacular reduction is obtained by the live reduction: the reduced model is about 100 times smaller than the one obtained by simultaneous generation, while preserving all properties (models 1 and 2 are strongly bisimilar). This is explained by the fact that only a few variables are live in each state: in the idle state the live variables are round

More reduction is achieved by the following compositional generation strategy, yielding an LTS branching bisimilar to the original one:
1. We split the IF description into two parts, the first one containing processes S1 and S2 and the second one processes S3 and S4. For each of these descriptions, the internal buffer between the two processes is a priori bounded to two places. Note that when a bounded buffer overflows during simulation, a special overflow transition occurs in the corresponding execution sequence.
2. The LTS associated with each description is generated considering the "most general" environment, providing any potential input. As claim and token can be transmitted at any time, overflow transitions appear in the generated LTSs.

3. In each LTS, the input and output transitions relative to the internal buffers (Q2 and Q4) are hidden (i.e., renamed to the special internal action τ); then the two LTSs are reduced w.r.t. an equivalence relation preserving the properties under verification. For the sake of efficiency we have chosen branching bisimulation [vGW89], which preserves all the safety properties (e.g. mutual exclusion).

4. The reduced LTSs are then translated back into IF processes (without variables), and the resulting processes are combined into a single global IF description with only two buffers (Q1 and Q3). It turns out that the LTS generated from this new description contains no overflow transitions (they have been cut off during the second composition), which confirms the hypothesis on the maximal size of the internal buffers.

Verification: We are interested in checking that the shared resource is accessed in mutual exclusion. For this, we consider as visible only the open and close actions.
The mutual exclusion property can be rephrased as follows: after every open(Si) (station i enters the critical section), the only possible visible action is close(Si) (station i leaves the critical section), possibly after a number of internal moves. This property can be expressed in the μ-calculus (see below) and verified with Evaluator on any of the generated models.

Test generation: We illustrate the use of TGV to extract test cases for the token ring protocol. We want to test the property stating that a station filters a received claim with a smaller address than its own and transmits it unchanged if it is greater. We chose a test purpose expressing that after S4 has sent its claim, it will be transmitted unchanged by station S1, then by S2 and finally by S3. The generated test case is shown in Figure 4.
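Both the claim that models 1 and 2 are strongly bisimilar and the reduction step of the compositional strategy rest on bisimulation minimisation of the kind Aldebaran performs. The following Python code is an added example (not Aldebaran, and not code from the paper) of the simplest such algorithm, partition refinement for strong bisimulation: it minimises an LTS and decides whether two LTSs are strongly bisimilar by minimising their disjoint union. Branching bisimulation, used in step 3 above, additionally abstracts from τ-steps and is not implemented here. The request/acknowledge LTSs are constructed for this example.

```python
"""Strong bisimulation: minimisation and comparison by partition refinement.

Added example, not the Aldebaran tool. An LTS is a dict mapping each state to
a list of (label, successor) pairs; every state appears as a key. Starting
from the partition with a single block, a block is split whenever two of its
states offer different sets of (label, target block) pairs; the fixpoint is
the coarsest strong bisimulation. Two LTSs are compared by minimising their
disjoint union and checking that the initial states share a block. The sample
LTSs are constructed for this example.
"""
from typing import Dict, Hashable, List, Tuple

LTS = Dict[Hashable, List[Tuple[str, Hashable]]]


def bisimulation_blocks(lts: LTS) -> Dict[Hashable, int]:
    """Map each state to the index of its block in the coarsest bisimulation."""
    block = {s: 0 for s in lts}
    while True:
        ids: Dict[tuple, int] = {}
        new_block = {}
        for s, succs in lts.items():
            # old block plus the (label, target block) pairs the state offers
            signature = (block[s], frozenset((lab, block[t]) for lab, t in succs))
            new_block[s] = ids.setdefault(signature, len(ids))
        if len(ids) == len(set(block.values())):
            return new_block             # no block was split: stable partition
        block = new_block


def minimise(lts: LTS, init: Hashable):
    """Quotient LTS over bisimulation blocks, plus the block of init."""
    block = bisimulation_blocks(lts)
    quotient: Dict[int, List[Tuple[str, int]]] = {b: [] for b in set(block.values())}
    for s, succs in lts.items():
        for lab, t in succs:
            edge = (lab, block[t])
            if edge not in quotient[block[s]]:
                quotient[block[s]].append(edge)
    return quotient, block[init]


def bisimilar(lts1: LTS, init1, lts2: LTS, init2) -> bool:
    """Compare two LTSs by minimising their disjoint union."""
    union: LTS = {}
    for tag, lts in ((1, lts1), (2, lts2)):
        for s, succs in lts.items():
            union[(tag, s)] = [(lab, (tag, t)) for lab, t in succs]
    block = bisimulation_blocks(union)
    return block[(1, init1)] == block[(2, init2)]


# Constructed samples: a request/acknowledge cycle, the same cycle unrolled
# twice (bisimilar to it), and a variant that may answer nak (not bisimilar).
SPEC = {"s0": [("req", "s1")], "s1": [("ack", "s0")]}
UNROLLED = {"t0": [("req", "t1")], "t1": [("ack", "t2")],
            "t2": [("req", "t3")], "t3": [("ack", "t0")]}
WITH_NAK = {"u0": [("req", "u1")], "u1": [("ack", "u0"), ("nak", "u0")]}


def demo():
    """Size of the minimised unrolled LTS and the two comparison verdicts."""
    quotient, _ = minimise(UNROLLED, "t0")
    return (len(quotient),
            bisimilar(SPEC, "s0", UNROLLED, "t0"),
            bisimilar(SPEC, "s0", WITH_NAK, "u0"))


if __name__ == "__main__":
    print(demo())
```

Including the old block in each signature guarantees that every iteration refines the previous partition, so an unchanged block count means the partition is stable; this naive refinement is quadratic in the worst case, whereas Aldebaran implements the faster Paige-Tarjan style algorithms, but the fixpoint is the same.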
Our translator from SDL to IF has already been used successfully to analyze real-life SDL specifications with CADP and Spin, and is currently being used to experiment with different semantics of time for SDL using the connection with the Kronos tool.
A concept which is not provided in IF is the dynamic creation of new process instances and the parameterization of processes; this is due to the fact that, in the framework of algorithmic verification, we consider only static configurations. However, we foresee handling some kind of parameterized specifications in the future, and translating also systems with bounded process creation.
The results obtained using the currently implemented static analysis and abstraction methods are very encouraging. For each type of analysis, we built a module taking an IF specification as input and generating a reduced one. This architecture allows chaining several modules, to benefit in a modular way from multiple reductions applied to the same initial specification. We envisage experimenting with more sophisticated analyses, such as constraint propagation, and more general abstraction techniques. This will be achieved either by developing dedicated components or through the connections with InVeSt.
The IF package is available at http://www-verimag.imag.fr/DIST SYS/IF.
