Taxys = Esterel + Kronos: A tool for verifying real-time properties of embedded systems by Bertin, Valerie et al.
Taxys = Esterel + Kronos
A tool for verifying real-time properties of embedded
systems
1 2
V. Bertin
3
E. Closse
4
M. Poize
3
J. Pulou
3
J. Sifakis
5
P. Venier
3
D. Weil
3
S. Yovine
4
Abstract
The goal of Taxys is to provide a framework for devel-
oping real-time embedded code and verifying its correct
behavior with respect to quantitative timing require-
ments. To achieve so, Taxys connects France Tele-
com's Esterel compiler Saxo-rt with VERIMAG's
model-checker Kronos. Taxys has been successfully
applied on real industrial telecommunication systems,
such as a GSM radio link from Alcatel and a phone
prototype from France Telecom.
1 Introduction
Real-time systems are those systems whose correct
functioning is subject to and must ensure the fulll-
ment of strict timing constraints such as tight execu-
tion and response times. Timing errors in embedded
real-time software are very diÆcult to detect as its be-
havior is extremely sensitive to both the underlying ex-
ecution platform and the patterns of external stimuli.
The development of such software needs using rigorous
methods and tools for generating executable code that
meets the timing requirements at run-time.
Typically, a real-time application is composed of a set
of components that interact. The role of the sched-
uler is to dispatch their execution in a way such that
the timing requirements imposed on the components
(e.g., period, deadline) and the whole system (e.g., syn-
chronization, progress, mutual exclusion) are met. An
approach to schedulability that has been thoroughly
studied in the real-time systems literature (e.g., [12])
consists in (1) giving a scheduling policy (e.g., RMA
, EDF [18]), and (2) showing the system is schedula-
ble with such a policy. This theory led to the devel-
opment of real-time operating systems (RTOS) (e.g.,
1
(c) 2001 IEEE. Reprinted with permission, from CDC 2001.
2
Partially supported by projects RNRT Taxys ITEA-DESS.
3
ST Microelectronics, Central R&D, DAIS, 850 rue Jean
Monnet, 38926 Crolles, France. valerie.bertin@st.com.
4
France Telecom R&D, 28 chemin du Vieux Che^ne, 38243
Meylan, France. Contact: daniel.weil@rd.francetelecom.com.
5
VERIMAG, Centre Equation, 2 Ave. Vignate, 38610 Gieres,
France. Contact: sergio.yovine@imag.fr.
[15]), which typically provide preemptive scheduling al-
gorithms based on priorities and implement protocols
for avoiding deadlocks (e.g., [21]). The scheduling is en-
sured at run-time by the RTOS scheduler. Correctness
is thereby guaranteed by the fulllment of the schedu-
lability conditions. This approach proved to be useful
for hard real-time applications where the behavior of
the environment is not predictable. There are, how-
ever, real-time systems which interact with strongly
constrained environments. For such applications, it is
desirable to generate tailor-made schedulers that make
optimal use of the underlying execution hardware and
shared resources, guided by the knowledge of all the
possible behaviors of the environment. In this case, we
can use amodel of the system, the environment and the
requirements to build an application-specic scheduler.
Several model-based approaches to schedulability have
been proposed in the literature, e.g., [19, 6, 16, 1, 17].
In fact, a scheduler can be regarded as a controller that
prevents the system from performing \undesired" ac-
tions that can lead to the violation of a deadline. Thus,
the construction of a scheduler from a model can the-
oretically be rephrased as a controller synthesis prob-
lem. One well-known approach to controller synthesis
in the context of discrete-event systems is the one rst
proposed in [25], where the actions of the system are
classied as controllable, which are those under con-
trol of the application, or uncontrollable, which corre-
spond to the actions of the environment. The role of
the controller is to forbid or to force certain control-
lable actions to ensure the state of the system remains
in a desired set. In [2] we have proposed a method-
ology for model-based schedulability of real-time sys-
tems that combines (1) recent results on compositional
modeling of timed systems [11] and (2) the controller
synthesis algorithm for timed automata [4] developed
in [5]. Our approach has been experimented on several
case studies that illustrated its interest but also ex-
posed its weaknesses, notably its high computational
cost. A compositional methodology to try to overcome
this problem is investigated in [3].
In this paper, we pursue an alternative direction that
consists in focusing on a particular programming lan-
Application
Environment
O
pe
n
-
K
ro
n
o
s
Saxo-RT graphical
debugger
trace
replay
OKconstraint
violated
Handler
Sa
x
o
-R
T 
Es
te
re
l
Co
m
pi
le
r
Implicit timed automata
E
H
A
1
2
,   : on-the-fly composition of (E,H) and of (H,A)
         : embedded application code
Taxys
verification
moduleC 
co
m
pi
le
r
Figure 1: Taxys.
guage. Our goal is to embody specication-driven
schedulability analysis in the compiler with the aim
of generating auto-scheduled code at compile time.
2 Taxys
We use Esterel [10] as development language of the
application. This language provides powerful con-
structs for management of parallelism and exceptions.
It has rigorously dened semantics. Esterel programs
run in a single thread on a single processor and can ac-
cess external data and call routines written in C for
complex (numerical) computations. In this context, an
embedded real-time program is decomposed into a con-
trol part, written in Esterel and a data-manipulation
part written in C. The program is compiled with the
Esterel compiler Saxo-rt [24] that generates very
eÆcient sequential C code targeted to mono-processor
hardware architectures. The order of execution of the
specied parallel modules is resolved at compile time.
Such an implementation is (functionally) correct mod-
ulo the so-called synchrony assumption, which states
that the program always reacts faster than its environ-
ment [7]. However, it may not satisfy the real-time
requirements which depend on the execution speed of
the target machine and the timing constraints imposed
by the environment. In practice, validating the syn-
chrony assumption amounts to show that the environ-
ment does not take too much lead over the applica-
tion. This requires the use of a "realistic" synchrony
assumption strongly depending on the application and
its interactions with the environment. To interface the
real-time system with its environment, we need to use
an external event-handler which keeps track of the his-
tory of the environment and triggers computation steps
of the application.
To check whether the program meets the timing re-
quirements, we have developed the tool Taxys [9, 13],
which integrates Saxo-rt and the verication tech-
niques implemented in the toolKronos [14]. The basic
underlying idea of Taxys consists in producing a for-
mal model (actually, a timed automaton [4]), that cap-
tures the real-time behavior of the whole application
composed of the program, its execution constraints,
and the external environment. The Esterel source
code is annotated with timing constraints of two kinds:
(a) time intervals associated with the execution times
of the external C functions, and (b) the requirements
to be satised. Taxys produces timed model of the
self-sequenced executable code of the application. This
model is composed with a timed model of the external
environment. The global model is analyzed to vali-
date timing requirements. Whenever a property is not
satised, Taxys generates a source-level error trace.
In many cases, the violation of a timing constraint is
indeed caused by the wrong execution order of some
computations triggered by independent events within
a reaction (or synchronous step). Such problems can
be remedied by automatically re-arranging the sequen-
tial code at compile time. To do so, the information
derived from the error trace can be used as a com-
piler directive to make Saxo-rt generate a correctly
scheduled sequential implementation of the Esterel
program.
Taxys actual design ow is shown in Fig. 1. The
overall system is made up from three components: (1)
the Esterel program A, (2) the environment E, and
(3) the external event handler H . The environment
E is also an Esterel program. Since synchronous
programs are deterministic, we added the statement
npause to the Esterel language to be able to model
non-deterministic behaviors. Timing constraints are
specied as pragmas in the Esterel code of A and
E. The event handler H determines the way external
events are taken into account by the program to gener-
ate an image of the state of the environment which is
consistent with the synchronous semantics. Typically,
external events are stored in a FIFO queue. The be-
havior of H is specied in terms of the size of the buer
and the incoming events. These can be specied to be
cumulative or separator. All the occurrences of a cu-
mulative event are stored in the buer. It is assumed
that between two successive such occurrences there ex-
ists a reaction of the program that consumes it. The
occurrence of a separator events marks the beginning
of a new synchronous instant. This information is used
to determine the events that are consumed by the pro-
gram at each reaction.
Saxo-rt generates three C modules which compute A,
H and E transition functions. Kronos explores the
system state-space by composing on-the-y the three
models. The C code is indeed an instrumented version
of the actual embedded code. Thus, the model of the
system is produced by running the (instrumented) em-
bedded code itself. The on-the-y analysis avoids the
state explosion problem and only computes the reach-
able states for the given environment model. If a tim-
ing constraint is violated, a trace leading to this error is
generated. This trace can be re-executed step by step
on the Saxo-rt graphical debugger to provide to the
user more precise diagnostics.
3 Timing analysis
We make the assumption that the execution time of the
program is spent by the C functions called from the
Esterel program. This hypothesis is true for many
reactive applications if the embedded code has been
compiled eÆciently as with Saxo-rt [24]. The exe-
cution times of the C functions can be estimated by
proling or static analysis techniques. The Esterel
code is annotated with pragmas specifying this infor-
mation. Taxys checks two kinds of timing require-
ments, namely throughput and deadline constraints.
A throughput constraint expresses the fact that the
program reacts fast enough for the given environment
model. The violation of a throughput constraint corre-
sponds to an overow of H which is checked by Taxys
by default. A deadline constraint is imposes a maxi-
mum delay between a given input event from the en-
vironment and a the corresponding reaction from the
program. Deadlines are specied by annotations on the
Esterel code.
We illustrate the approach with a simple example de-
Sensor [65,70]
Pulse [100,100]
Environment
Filter F
Shared
variabl
Controlle
H
an
dl
er
Embedded progra
SensorData
PulsePeriod
Figure 2: Simple example.
picted in Fig. 2. The program is composed of two par-
allel modules that control some physical device. The
lter F is triggered by the external event SensorData
cyclically emitted by a sensor with a minimum delay
of 65ms and a maximum of 70ms between each occur-
rence. The role of F is to perform some computation
using the data and store the result in a shared variable.
This computation takes between 20ms and 25ms. The
computed value is then used by the controller C to ap-
proximate the state of the device at that moment and
apply the desired control, called a pulse. The controller
C is periodically triggered by the event PulsePeriod.
Computing the pulse takes between 10ms and 15ms.
Pulses should be applied every 100ms with an admissi-
ble delay of at most 40ms. The value used to compute
the pulse must be less than 85ms old.
The Esterel code of the program is depicted in Fig. 3.
The comments between %f and g% are the annotations
carrying the timing information. The execution times
are given as intervals which are actually interpreted as
being closed. Variables SD and PP are clocks as in the
timed automata theory, that is, they are continuous
variables that progress at equal rate. The assignment
SD:=age(SensorData) sets SD to the time elapsed since
the occurrence of the event SensorData consumed in
the current reaction. Notice that this is not necessarily
the last occurrence of the event which may still be in
not SensorData?
SensorData?
CPU:=0
SD:=age(SensorData)
react
not PulsePeriod?
PulsePeriod?
CPU:=0
PP:=age(PulsePeriod)
Data!
20<=CPU<=25
10<=CPU<=15
Pulse!
PP>40 \/ SD>85
error C()
F()
Figure 5: Program's model.
loop
await SensorData %fSD:=age(SensorData)g%;
call F() %f(20,25)g%;
emit Data
end loop
||
loop
await PulsePeriod %fPP:=age(PulsePeriod)g%;
call C() %f(10,15), PP40 ^ SD85g%;
emit Pulse
end loop
Figure 3: Program.
emit SensorData;
loop
npause %f65X70, X:=0g%;
emit SensorData
end loop
||
loop
npause %fY=100, Y:=0g%;
emit PulsePeriod
end loop
Figure 4: Environment.
65<=X<=70, X:=0
SensorData!
X:=0
Y=100, Y:=0
PulsePeriod!
Y:=0
SensorData!
Figure 6: Environment's model.
the queue. The constraint PP40 ^ SD85 expresses
the requirements: the deadline for a pulse is 40ms and
the data used to compute the pulse has been obtained
at most 85ms before. The code of the environment is
depicted in Fig. 4. Variables X and Y are clocks that are
reset to 0 each time the environment emits SensorData
and PulsePeriod, respectively.
The corresponding (extended) timed automata models
are depicted in Fig. 5 and Fig. 6. Dotted arrows rep-
resent eager transitions, that must happen as soon as
they become enabled. The \react" transition is the be-
ginning of a reaction that starts as soon as there is an
event in the buer of the handler. In this example, the
handler delivers all the events currently present. No-
tice that, between the two possible orderings which are
consistent with the semantics of Esterel, the sequen-
tial code generated by the compiler Saxo-rt schedules
the lter F rst when both events are simultaneously
present.
Taxys runs in less than a second, generates about 300
symbolic states and concludes that the timing require-
ments are satised. A symbolic state is composed of
the state of the program (i.e., a valuation of the signals
SensorData and PulsePeriod as present or not, and
a control point), the state of the event handler (i.e., a
conguration of the queue), the state of the environ-
ment (similar to the program), and a constraint on the
clocks (i.e., a DBM structure used by Kronos [14].)
4 Experimental results
4.1 Communication mode of a GSM terminal
This case study is inspired from the communication
mode of a GSM mobile terminal [20]. The complete
design and verication of the radio link of a GSM ter-
minal developed by Alcatel is reported in [8]. We de-
scribe here a small part of the application [9] which is
composed of two modules (Fig. 7). When the event
loop
await Prepar %fX:=age(Prepar)g%;
call RF() %f(50,50), X80g%;
await Receipt %fX:=age(Receipt)g%;
call demodulation() %f(80,100), X150g%;
call decoding() %f(20,20)g%
end loop
||
loop
await Freq %fY:=age(Freq)g%;
call frequency comp() %f(40,40), Y90g%
end loop
Figure 7: Simplied GSM communication mode.
Prepar occurs, the rst module calls the C function
RF(), which takes 50ms to prepare the radio front end
of the mobile terminal in order to receive data. Then,
when the event Receipt occurs, it sequentially exe-
cutes demodulation(), that takes between 80ms and
100ms, followed by decoding(), that nishes in 20ms.
The second module is triggered by the event Freq and
executes the C function frequency comp(), which con-
sists in calculating the frequencies on which the data
are going to be received and completes in 40ms. The
computations are subject to the timing constraints an-
notated in the code.
The code of the full application developed by Alcatel
consists in 815 lines of Esterel and 48000 lines of C.
The application was validated for 62 test environments
provided by Alcatel. 4 scenarios were found to lead
to deadline violations caused by a wrong scheduling of
calls. These errors were corrected by slightly changing
the Esterel code.
4.2 ISDN prototype phone
In [13] we presented the results obtained on a digi-
tal phone prototype carrying simultaneously voice and
data produced by a graphic tablet, implemented on a
32 MIPS Digital Signal Processor (Fig. 8). The proto-
type has an audio input channel sampled at 8kHz that
is connected to the microphone, an rs232 input chan-
nel carrying data from the graphic tablet, and an input
channel sampled at 8 kHz to retrieve audio and graphic
data sent by the network (TNR). Processing audio data
consumes 3900 CPU cycles over the 4000 CPU cycles
available every 125s. Graphic data are compressed by
a vectorization algorithm which consumes sporadically
between 15000 and 20000 CPU cycles.
Clearly, there is a risk of buer overow if graphic data
samples arrive too often. We have used Taxys to an-
alyze the relationship between the size of the input
buers and the arrival rate of graphic data. We car-
ried out 6 experiments with the same Esterel code
for the program but with dierent environment mod-
TNR
h221_in_8kHz()
8 kHz
fifo_canalB_in
g722_decod()
AEA()
8 kHz
fifo_HP_a
fifo_data_h221_in
fifo_rs232_out 8 kHz
h221_out_8kHz()
fifo_canalB_out
g722_encod()
compression()
decompression()
fifo_rs232_in
8 kHz
decompression()
fifo_data_h221_out
8 kHz
8 kHz
fifo_micro_a
Figure 8: ISDN phone prototype.
Name Bu. Symb. Verif. Diagnostic
size States Time
ISDN
1
5 2 200 1.27 s overow
ISDN
2
6 10 849 5 s OK
ISDN
3
5 15 894 6.29 s overow
ISDN
4
6 633 472 10 mn 47 s OK
ISDN
5
5 22 695 13.6 s overow
ISDN
6
6 > 10
7
? aborted
Table 1: Experimental results for the phone prototype.
els and handler buer sizes. ISDN
1
and ISDN
2
with
an environment model composed of two strictly peri-
odic and independent tasks (the rst carrying audio
data at 8kHz and the second the graphic tablet data
at 100Hz). ISDN
3
and ISDN
4
with the second task
being aperiodic and emitting bursts at rates varying
in a non-deterministic manner between 25 and 100Hz.
ISDN
5
and ISDN
6
with a third additional periodic
task modeling switching between several audio modes.
In all cases, the program consists of 3000 C lines and
258 Esterel lines, and the environment of 120 Es-
terel lines. Results presented in table 1 show that
a buer size of at least 6 is necessary for absorbing
the sporadic task. We observe that the number of
symbolic states explored by Kronos increases expo-
nentially with the \degree" of non-determinism of the
environment. Therefore, to cope with state explosion
due to environment non-determinism, it is necessary
to nd appropriate environment model approximations
preserving the veried properties.
5 Conclusion
We have presented an original approach for specify-
ing, designing and validating real-time embedded sys-
tems. Compared to other approaches where verication
is done on an abstract model, in Taxys the embedded
code itself is eectively executed during verication.
Timing analysis is done on-the-y during the execu-
tion of the appropriately instrumented C code gener-
ated by the compiler. Instrumentation allows the ver-
ier to observe the execution time of the application
code specied in the pragmas. This approach is fully
implemented in an entirely automated tool that demon-
strated to be applicable to mid-size applications from
the telecommunications industry. Recently, we started
using Taxys in other application domains, such as ve-
hicle control software [23].
References
[1] Y. Abdeddam and O. Maler. Job-shop schedul-
ing using timed automata. In CAV'01. LNCS 2102,
Springer, 2001.
[2] K. Altisen, G. Goessler, A. Pnueli, J. Sifakis, S.
Tripakis, and S. Yovine. A framework for scheduler
synthesis. In IEEE RTSS'99, Phoenix, AZ, USA, De-
cember 1999. IEEE Computer Society Press.
[3] K. Altisen, G. Goler, and J. Sifakis. Scheduler
modeling based on the controller synthesis paradigm.
To appear in Journal of Real-Time Systems, special is-
sue on control-theoretical approaches to real-time com-
puting, 2001.
[4] R. Alur and D.L. Dill. A theory of timed au-
tomata. Theoretical Computer Science, 126:183{235,
1994. Elsevier Science.
[5] E. Asarin, O. Maler, and A. Pnueli. Symbolic
controller synthesis for discrete and timed systems. In
Hybrid System II. LNCS 999, Springer, 1995.
[6] H. Ben-Abdallah, J.-Y. Choi, D. Clarke, Y. Kim,
I. Lee and H.-L. Xie. A process algebraic approach to
the schedulability analysis of real-time systems. Real-
Time Systems, 15, 1998.
[7] A. Benveniste and G. Berry. The synchronous ap-
proach to reactive and real-time systems. Proceedings
of the IEEE, 79(9):1270{1282, 1991.
[8] V. Bertin. Validation d'applications temps-reel
par analyse de programmes synchrones temporises.
PhD. Thesis, INPG 2000.
[9] V. Bertin, M. Poize, J. Pulou, J. Sifakis. Towards
Validated Real-Time Software. In 12
th
Euromicro Con-
ference on Real-Time Systems, Stockholm, Sweden,
June 2000
[10] G. Berry, G. Gonthier, The Esterel Syn-
chronous Programming Language : Design, Semantics,
Implementation. Science of Computer Programming,
19(2):87{152, 1992.
[11] S. Bornot and J. Sifakis. An algebraic framework
for urgency. Information and Computation, 163:172{
202, 2000. Academic Press.
[12] A. Burns. Scheduling hard real-time systems: a
review. Software Engineering Journal, p. 116{128, May
1991.
[13] E. Closse, M. Poize, J. Pulou, J. Sifakis, P. Ve-
nier, D. Weil, and S. Yovine. TAXYS: a tool for the
developpment and verication real-time embedded sys-
tems. In CAV'01. LNCS 2102, Springer, 2001.
[14] C. Daws, A. Olivero, S. Tripakis and S.Yovine.
The tool Kronos. In Hybrid Systems III, Verication
and Control, LNCS 1066, Springer, 1996.
[15] IEEE Standard P1003.4. Real-time extensions to
POSIX. 1991.
[16] H. Kwak, I. Lee, A. Philippou, J. Choi, and O.
Sokolsky. Symbolic schedulability analysis of real-time
systems. In IEEE RTSS'98, Madrid, Spain, December
1998. IEEE Computer Society Press.
[17] K. Larsen, G. Behrmann, E. Brinksma, A.
Fehnker, T. Hune, P. Pettersson, and J. Romijn. As
cheap as possible: eÆcient cost-optimal reachability
for priced timed automata. In CAV'01. LNCS 2102,
Springer, 2001.
[18] C. Liu and J. Layland. Scheduling algorithms
for multiprogramming in a hard real-time environment.
JACM, 20(1):46{61, 1973. ACM.
[19] A. K. Mok, D. C. Tsou and R. C. M. Rooij.
The MSP.RTL Real-Time Scheduler Synthesis Tool.
In RTSS'96, Washington, DC, USA, December 1996.
IEEE Computer Society Press.
[20] M. Mouly and M.B. Pautet. The GSM System
for Mobile Communication. Cell&Sys, 1992.
[21] R. Rajkumar. Synchronization in real-time sys-
tems: a priority inheritance approach, Kluwer Aca-
demic Publishers, 1991.
[22] S. Tripakis. Software Architecture of PATH's Au-
tomated Vehicle Control. Technical report UCB/ERL
M01/6, 2001.
[23] S. Tripakis and S. Yovine. Timing Analysis and
Code Generation of Vehicle Control Software using
Taxys. ENTCS, 55(2):174{183, 2001. Elsevier.
[24] D. Weil, V. Bertin, E. Closse, M. Poize, P. Venier,
J. Pulou. EÆcient Compilation of Esterel for Real-
Time Embedded Systems. In CASES'2000, San Jose,
November 2000.
[25] W. M. Wonham and P. J. Ramadge. On the
supremal controllable sublanguage of a given language.
SIAM J. Control and Optimization, 25(3):637{659,
May 1987.
