Formal verification of infinite-state BIP models*
Simon Bliudze¹, Alessandro Cimatti², Mohamad Jaber³, Sergio Mover², Marco Roveri², Wajeb Saab¹, and Qiang Wang¹
¹ École polytechnique fédérale de Lausanne
² Fondazione Bruno Kessler
³ American University of Beirut
Abstract. We propose two expressive and complementary techniques for the
verification of safety properties of infinite-state BIP models. Both our techniques
deal with the full BIP specification, while the existing approaches impose con-
siderable restrictions: they either verify finite-state systems or they do not handle
the transfer of data on the interactions and priorities.
Firstly, we propose an instantiation of the ESST (Explicit Scheduler Symbolic
Thread) framework to verify BIP models. The key insight is to apply symbolic
reasoning to analyze the behavior of the system described by the BIP compo-
nents, and an explicit-state search to analyze the behavior of the system induced
by the BIP interactions and priorities. The combination of symbolic and explicit
exploration techniques allows us to benefit from abstraction, which is useful when reasoning
about data, and from partial order reduction, which is useful to mitigate the state space
explosion due to concurrency.
Secondly, we propose an encoding from a BIP model into a symbolic, infinite-
state transition system. This technique allows us to leverage the state of the art
verification algorithms for the analysis of infinite-state systems.
We implemented both techniques and we evaluated their performance against the
existing approaches. The results show the effectiveness of our approaches with
respect to the state of the art, and their complementarity for the analysis of safe
and unsafe BIP models.
1 Introduction
BIP [2, 4] is a framework for the component-based design of complex concurrent sys-
tems that is being actively used in many industrial settings [5, 3]. The verification of
BIP plays a crucial role in the Rigorous System Design methodology [28], where a cor-
rect implementation of the system is obtained by a series of transformations from its
high-level model; proving that a property holds in the model will ensure that it holds in
the implementation.
Despite the importance of verifying BIP models, the existing approaches (e.g. implemented in tools like DFINDER [7], VCS [20] and BIP2UPPAAL [29]) impose considerable restrictions on the models that can be analyzed. In particular, only DFINDER verifies models with infinite-state data variables. However, DFINDER does not consider the data transfer on interactions, an essential feature to express that data is exchanged among the components (consider that in BIP the components cannot share variables), and the priorities among interactions.
* This work was carried out within the D-MILS project, which is partially funded under the European Commission's Seventh Framework Programme (FP7).
In this paper, we focus on the safety property verification of infinite-state BIP mod-
els, and we propose two techniques that are: (i) expressive enough to capture all the
features of infinite-state BIP models (e.g. data transfer, priorities); (ii) complementary,
with respect to the performance, for verifying safe and unsafe models.
The first solution is a novel verification algorithm based on the Explicit Scheduler,
Symbolic Threads (ESST) framework [16]. The ESST extends lazy predicate abstrac-
tion and refinement [22, 21] to verify concurrent programs formed by a set of cooper-
ative threads and a non-preemptive scheduler; the main characteristic of the approach
is to use lazy predicate abstraction to explore threads and explicit-state techniques to
explore the scheduler. The choice of ESST is motivated by the clear separation of com-
putations and coordination in the BIP language, which is similar to the separation of
threads and scheduler in the ESST, and by the ESST efficiency, since the ESST out-
performs the verification techniques based on sequentialization (e.g. in the context of
SystemC and Fair Threads programs [16]). In our work, we show an efficient instan-
tiation of the ESST framework in an algorithm that verifies BIP models (ESSTBIP).
The instantiation is not trivial, and consists of defining a suitable interaction model be-
tween the threads and the scheduler, the consequent mapping of BIP components into
threads, and of implementing the scheduler. Moreover, we improve the performance of
our approach with several optimizations, which are justified by the BIP semantics.
In our second solution we explore a conceptually simple, but still novel, encoding of
a BIP model into an infinite-state transition system. This alternative flow is motivated
by the recent advancements in the verification of infinite-state systems (e.g. see [14,
23]). This technique also supports all the BIP features, like priorities and data transfer
on interactions.
We provide an implementation of both approaches: the ESSTBIP is implemented
in the KRATOS [13] software model checker; the translational approach is performed
using the BIP framework and then verified with the NUXMV [12] model checker. We
performed a thorough experimental evaluation comparing the performance of the two
techniques and of DFINDER (in this case, only on the models without data transfers).
The results show that the proposed approaches always perform better than DFINDER,
and that ESSTBIP and the translational approach using NUXMV are complementary,
with ESSTBIP being more efficient in finding counterexamples for unsafe models, while
the translational approach using NUXMV is more efficient in proving correctness of safe
models.
This paper is structured as follows. We first provide the background of the BIP
language in Section 2. Then in Section 3 we describe the ESSTBIP algorithm, as well as
its optimizations. In Section 4 we show the encoding of BIP into a symbolic transition
system. Then, in Section 5 we review the related work and in Section 6 we present the
experimental evaluation. Finally, in Section 7 we draw some conclusions and outline
directions for future work.
2 The BIP model
We denote by Var a set of variables with domain ℤ (see footnote 4), i.e. for all x ∈ Var, Dom(x) = ℤ. An assignment is of the form x := exp, where x ∈ Var and exp is a linear expression over Var. An assumption is of the form [bexp], where bexp is a Boolean combination of predicates over Var. Let BExp(Var) be the set of assumptions and Exp(Var) be the set of assignments. Let Ops(Var) = BExp(Var) ∪ Exp(Var) ∪ {skip} be the set of edge operations, where skip denotes an operation without effects on Var. A state s : Var → ℤ is a mapping from variables to their valuations; we use State to denote the set of all possible states. We define an evaluation function [[·]]_E : exp → (State → ℤ) for assignments and [[·]]_B : bexp → (State → {true, false}) for assumptions. We refer to [16] for the definition of [[·]]_E and [[·]]_B. We denote by s[x := e] the substitution of x by e in expression s.
The BIP syntax. An atomic component is a tuple B_i = 〈Var_i, Q_i, P_i, E_i, l_{0i}〉 where Var_i is a set of variables, Q_i is a set of locations, P_i is a set of ports, E_i ⊆ Q_i × P_i × BExp(Var_i) × Exp(Var_i) × Q_i is a set of edges extended with guards and operations, and l_{0i} ∈ Q_i is the initial location.
We assume that, for each location, every pair of outgoing edges labeled with the same port has disjoint guards. This can be achieved by simply renaming the ports and imposes no restrictions on the BIP expressiveness. We also identify a set of error locations Qerr_i ⊆ Q_i to encode the safety property (see footnote 5).
Let B = {B_1, ..., B_n} be a set of atomic components. An interaction γ for B is a tuple 〈Act, g, op〉 such that: Act ⊆ ⋃_{i=1}^{n} P_i, Act ≠ ∅, and for all i ∈ [1, n], |Act ∩ P_i| ≤ 1; g ∈ BExp(⋃_{B_j ∈ γ_B} Var_j) and op ∈ Exp(⋃_{B_j ∈ γ_B} Var_j), where γ_B = {B_j | B_j ∈ B, Act ∩ P_j ≠ ∅}.
We assume that the sets of ports of the components in a BIP model and the sets of local variables are disjoint (i.e. for all i ≠ j, P_i ∩ P_j = ∅ and Var_i ∩ Var_j = ∅). For a port α ∈ P_i, we identify with id(α) the index i of the component B_i.
Let Γ be a set of interactions; a priority model π of Γ is a strict partial order on Γ. For γ_1, γ_2 ∈ Γ, γ_1 has a lower priority than γ_2 if and only if (γ_1, γ_2) ∈ π. For simplicity, we write γ_1 < γ_2 in this case.
A BIP model P_BIP is a tuple 〈B, Γ, π〉, where B = 〈B_1, ..., B_n〉 is a set of atomic components, Γ is a set of interactions over B and π is a priority model for Γ.
We assume that each component B_i of P_BIP has at most one error location, without outgoing edges and such that the port of all its incoming edges is err_i; each err_i appears in a unique singleton interaction and all such interactions have the highest priority in P_BIP. Any BIP model can be put into such a form (see [10]).
4 We also consider finite domain variables (e.g. Boolean), which can be easily encoded in ℤ.
5 We can express any safety property using additional edges, interactions and error locations.
The BIP semantics. A configuration c of a BIP model P_BIP is a tuple 〈〈l_1, s_1〉, ..., 〈l_n, s_n〉〉 such that for all i ∈ [1, n], l_i ∈ Q_i and s_i : Var_i → ℤ is a state of B_i. Let P_BIP = 〈B, Γ, π〉 be a BIP model and c = 〈〈l_1, s_1〉, ..., 〈l_n, s_n〉〉 be a configuration. The interaction γ = 〈Act, g, op〉 ∈ Γ is enabled in c if, for all the components B_i ∈ B such that Act ∩ P_i ≠ ∅, there exists an edge 〈l_i, Act ∩ P_i, g_i, op_i, l'_i〉 ∈ E_i with [[g_i]]_B(s_i) = true, and [[g]]_B(s_1, ..., s_n) = true.
A BIP model P_BIP = 〈B, Γ, π〉 can take an edge from the configuration c = 〈〈l_1, s_1〉, ..., 〈l_n, s_n〉〉 to the configuration c' = 〈〈l'_1, s'_1〉, ..., 〈l'_n, s'_n〉〉 if there exists an interaction γ = 〈Act, g, op〉 such that: (i) γ is enabled in c; (ii) there does not exist an enabled interaction γ' ∈ Γ in c such that γ' > γ; (iii) for all B_i ∈ B such that Act ∩ P_i ≠ ∅, there exists 〈l_i, Act ∩ P_i, g_i, op_i, l'_i〉 ∈ E_i and, if op = x := exp and op_i = y := exp_i, then
$$s''_i = s_i[x := [\![exp]\!]_E(s_i)], \qquad s'_i = s''_i[y := [\![exp_i]\!]_E(s''_i)];$$
(iv) for all B_i ∈ B such that Act ∩ P_i = ∅, l'_i = l_i and s'_i = s_i.
We use the notation $c \xrightarrow{\gamma} c'$ to denote that there exists an edge from the configuration c to the configuration c' on the interaction γ. A configuration c_0 = 〈〈l_1, s_1〉, ..., 〈l_n, s_n〉〉 is an initial configuration if, for some i ∈ [1, n], l_i = l_{0i} and, for all i ∈ [1, n], s_i is a valuation for Var_i (see footnote 6). A configuration c is reachable if and only if there exists a sequence of configurations $c_0 \xrightarrow{\gamma_1} c_1 \xrightarrow{\gamma_2} \dots \xrightarrow{\gamma_k} c_k$ such that c_0 is an initial configuration and c_k = c. A BIP model is safe if no error location is reachable.
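The semantics above (enabledness, priorities, the interaction effect followed by the edge effects) can be checked by an explicit-state search whenever the guards keep the data finite. The following Python program is an added example, not code from the paper or from any tool it mentions: it implements conditions (i)-(iv) over a constructed producer/consumer model in which the interaction `send` transfers `P.x` into `C.y` and the singleton `err` interaction has the highest priority, and runs a breadth-first reachability check that returns either safe or the interaction trace that reaches the error location. The component and interaction names, the bound `x < 3` that keeps the state space finite, and the optional priority pair `(inc, send)` are all assumptions of the example.

```python
"""Explicit-state safety check for a small BIP model, following the semantics of Section 2.
Added example, not the paper's tool.  Guards and operations are Python callables: a component
op maps its local state (dict var -> int) to a new one, an interaction op maps the global state
(dict component -> local state) to a new one, which is how data transfer is expressed.
"""
from collections import deque, namedtuple
from copy import deepcopy

Edge = namedtuple("Edge", "src port guard op dst")
Component = namedtuple("Component", "name edges init_loc init_vars err_locs")
Interaction = namedtuple("Interaction", "name ports guard op")     # ports: {component: port}
BIPModel = namedtuple("BIPModel", "components interactions priority")  # priority: {(low, high)}


def local_edge(comp, loc, port, local):
    """The outgoing edge of comp from loc on port whose guard holds (unique by assumption)."""
    for e in comp.edges:
        if e.src == loc and e.port == port and e.guard(local):
            return e
    return None


def enabled(model, locs, state, gamma):
    """Condition (i): every participant has an enabled edge on its port and the interaction guard holds."""
    comps = {c.name: c for c in model.components}
    return all(local_edge(comps[c], locs[c], p, state[c]) is not None
               for c, p in gamma.ports.items()) and gamma.guard(state)


def fire(model, locs, state, gamma):
    """Conditions (iii)/(iv): interaction op first, then each participant's edge op; others unchanged."""
    comps = {c.name: c for c in model.components}
    new_state, new_locs = gamma.op(deepcopy(state)), dict(locs)
    for c, p in gamma.ports.items():
        e = local_edge(comps[c], locs[c], p, state[c])
        new_state[c], new_locs[c] = e.op(new_state[c]), e.dst
    return new_locs, new_state


def successors(model, locs, state):
    """Enabled interactions not dominated by an enabled higher-priority one (condition (ii))."""
    en = [g for g in model.interactions if enabled(model, locs, state, g)]
    names = {g.name for g in en}
    for g in en:
        if not any((g.name, h) in model.priority for h in names):
            yield g, fire(model, locs, state, g)


def freeze(locs, state):
    return tuple((c, locs[c], tuple(sorted(state[c].items()))) for c in sorted(locs))


def check_safety(model):
    """Returns (True, None) if no error location is reachable, else (False, interaction trace)."""
    locs = {c.name: c.init_loc for c in model.components}
    state = {c.name: dict(c.init_vars) for c in model.components}
    parent = {freeze(locs, state): None}
    queue = deque([(locs, state)])
    while queue:
        locs, state = queue.popleft()
        key = freeze(locs, state)
        if any(locs[c.name] in c.err_locs for c in model.components):
            trace = []
            while parent[key] is not None:
                key, name = parent[key]
                trace.append(name)
            return False, trace[::-1]
        for gamma, (nl, ns) in successors(model, locs, state):
            nk = freeze(nl, ns)
            if nk not in parent:
                parent[nk] = (key, gamma.name)
                queue.append((nl, ns))
    return True, None


def producer_consumer(inc_below_send):
    """Constructed model: P counts x up to 3 and sends it; C reaches its error location once y >= 3."""
    producer = Component("P", [
        Edge("p0", "inc", lambda s: s["x"] < 3, lambda s: {**s, "x": s["x"] + 1}, "p0"),
        Edge("p0", "send", lambda s: True, lambda s: s, "p0")], "p0", {"x": 0}, set())
    consumer = Component("C", [
        Edge("c0", "recv", lambda s: True, lambda s: s, "c0"),
        Edge("c0", "reset", lambda s: s["y"] > 0, lambda s: {**s, "y": 0}, "c0"),
        Edge("c0", "err", lambda s: s["y"] >= 3, lambda s: s, "cerr")], "c0", {"y": 0}, {"cerr"})
    interactions = [
        Interaction("inc", {"P": "inc"}, lambda g: True, lambda g: g),
        Interaction("send", {"P": "send", "C": "recv"}, lambda g: True,
                    lambda g: {**g, "C": {**g["C"], "y": g["P"]["x"]}}),   # data transfer C.y := P.x
        Interaction("reset", {"C": "reset"}, lambda g: True, lambda g: g),
        Interaction("err", {"C": "err"}, lambda g: True, lambda g: g)]
    priority = {("inc", "err"), ("send", "err"), ("reset", "err")}   # err is the highest priority
    if inc_below_send:
        priority.add(("inc", "send"))   # inc < send: inc may fire only when send is not enabled
    return BIPModel([producer, consumer], interactions, priority)


if __name__ == "__main__":
    print(check_safety(producer_consumer(True)))    # (True, None)
    print(check_safety(producer_consumer(False)))   # (False, ['inc', 'inc', 'inc', 'send', 'err'])
```

With `(inc, send)` in the priority model, `send` is always enabled, so `inc` never fires and the model is safe; without it the search returns the trace `inc, inc, inc, send, err`, the shortest sequence in which the transferred value reaches 3.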
3 ESST for BIP (ESSTBIP)
3.1 The ESST Framework
In this subsection we provide the necessary background on the ESST framework,
following the presentation of [16, 17].
Programming Model. The ESST framework analyzes a multi-threaded program
P = 〈T , SCHED〉, consisting of a set of cooperative threads T = 〈T1, . . . , Tn〉 and
a non-preemptive scheduler SCHED. A non-preemptive scheduler cannot interrupt the
execution of a thread, while a cooperative thread is responsible for suspending its exe-
cution and releasing the control to the scheduler.
A thread T_i = 〈G_i, LVar_i〉 is a sequential program with a set of local variables LVar_i and is represented by a control-flow graph (CFG) G_i = (L_i, E_i, l_{0i}, Lerr_i), where: (i) L_i is the set of locations; (ii) E_i ⊆ L_i × Ops(LVar_i) × L_i is the set of edges; (iii) l_{0i} ∈ L_i is the entry location; (iv) Lerr_i ⊆ L_i is the set of error locations.
A scheduler SCHED = 〈SVar, F_S〉 has a set of variables SVar and a scheduling function F_S. For each thread T_i, the scheduler maintains a variable st_{T_i} ∈ SVar to keep track of its status (i.e. Running, Runnable, Waiting). A scheduler state S is an assignment to all the variables in SVar. Given a scheduler state S where no thread is Running, F_S(S) generates the set of scheduler states that describe the next thread to be run. We denote by SState the set of all possible scheduler states, and by SStateOne the set of scheduler states where only one thread is Running. A thread can change the scheduler state by calling a primitive function. For example, the call to a primitive function can change the thread status from Running to Waiting to release the control to the scheduler.
6 While we did not add initial predicates for Var_i, this can be encoded with an additional initial location and an edge that has as guard the initial predicates.
The intuitive semantics of a multi-threaded program is the following: the program executes the thread in the Running status (note that there is at most one running thread); the running thread T_i can suspend its execution, setting the variable st_{T_i} to a value different from Running, by calling an appropriate primitive function; when there are no running threads, the scheduler executes its scheduling function to generate a set of running threads. The next thread to run is picked non-deterministically. See [10] for a formal definition of the semantics.
The ESST algorithm. The ESST algorithm [16, 17] performs a reachability analysis of a multi-threaded program P = 〈T, F_S〉 using explicit-state techniques to explore the possible executions of the scheduler and lazy predicate abstraction [22] to explore the executions of the threads. In the following, we rely on the extended version of the ESST where the scheduler execution is semi-symbolic [17], since we will need a scheduler that reads and writes the local state of the threads. We provide a concise description of the reachability analysis algorithm, and refer to [16, 17] for the details.
The ESST constructs an abstract reachability forest (ARF) to represent the reachable states. An ARF node is a tuple 〈〈l_1, ϕ_1〉, ..., 〈l_n, ϕ_n〉, ϕ, S〉, where for all i ∈ [1, n], l_i ∈ L_i is a location of T_i and ϕ_i is a local region (a formula over LVar_i), ϕ is a global region (see footnote 7; a formula over ⋃_{i ∈ [1,n]} LVar_i) and S is a scheduler state. The ARF is constructed by expanding the ARF nodes. An ARF node is expanded as long as it is neither covered (no other node in the ARF includes the set of states denoted by this node) nor an error node (a node that contains an error location). If ESST terminates and all the nodes in the ARF are covered then P is safe. If the expansion of the ARF reaches an error node, the ESST builds an abstract counterexample (a path in the ARF from the initial node to the error node), which is simulated in the concrete program; if the simulation succeeds, we find a real counterexample and the program is unsafe. Otherwise the counterexample is spurious, the ESST refines the current abstraction, and restarts the expansion (see [16] for details).
7 Whereas in the general ESST framework the global region is used to track both local and global variables, we use it to only track the relations among the local variables due to the data transfer on interactions.
The node expansion uses three basic operations: the symbolic execution of a thread (based on the abstract strongest post-condition), the execution of a primitive function, and the semi-symbolic execution of the scheduling function F_S. The abstract strongest post-condition $SP^{\delta}_{op}(\varphi)$ is the predicate abstraction of the set of states reachable from any of the states in the region ϕ after executing the operation op, using the set of predicates δ. ESST associates a set of predicates to thread locations ($\delta_{l'_i}$), as well as to the global region (δ). The primitive functions are executed by the primitive executor SEXEC : (SState × PrimitiveCall) → (ℤ × SState) to update the scheduler state. The scheduler function F_S is implemented by a function F_S : ARFNodes → 2^{SStateOne × LFProg}, where SStateOne is the set of scheduler states with only one running thread, ARFNodes is the set of ARF nodes and LFProg is the set of loop-free programs (programs that contain assignments and conditional statements, but not loops) over the variables of P (see footnote 8). An ARF node η = (〈l_1, ϕ_1〉, ..., 〈l_n, ϕ_n〉, ϕ, S) is expanded by the following two rules:
E1. If S(st_{T_i}) = Running and there exists an edge (l_i, op, l'_i) ∈ E_i, create a successor node (〈l_1, ϕ'_1〉, ..., 〈l'_i, ϕ'_i〉, ..., 〈l_n, ϕ'_n〉, ϕ', S'), where:
– $\langle S', \hat{op} \rangle = \begin{cases} \langle S, op \rangle & \text{if } op \text{ is not a primitive function call} \\ \langle S'', x := v \rangle & \text{if } op \text{ is } x := f(y) \text{ and } (v, S'') = SEXEC(S, f(y)) \end{cases}$
– $\varphi'_i = SP^{\delta_{l'_i}}_{\hat{op}}(\varphi_i \wedge \varphi)$, $\varphi'_j = \varphi_j$ for $i \neq j$, and $\varphi' = SP^{\delta}_{\hat{op}}(\varphi)$ ($\delta_{l'_i}$ and $\delta$ are the precisions associated to the location $l'_i$ and to the global region respectively).
E2. If there are no running threads, for each 〈S', P^{lf}〉 ∈ F_S(η) create a successor node (〈l_1, ϕ'_1〉, ..., 〈l_n, ϕ'_n〉, ϕ', S'), where $\varphi'_j = SP^{\delta_{l'_j}}_{P^{lf}}(\varphi_j \wedge \varphi)$ for $j \in [1, n]$ and $\varphi' = SP^{\delta}_{P^{lf}}(\varphi)$.
The rule E1 expands the ARF node by unfolding the CFG edge 〈l, op, l'〉 of the running thread T_i. If the operation op is not a primitive function, then the scheduler state is unchanged (i.e. S' = S). Otherwise, if the operation op is a primitive function (e.g. x := f(y)), the algorithm executes the primitive executor SEXEC to change the scheduler state and collect the return value of the function (i.e. (v, S'') = SEXEC(S, f(y))). In both cases, the state of the running thread and the global region are updated by computing the abstract strongest post-condition. The rule E2 executes the scheduling function to create a new ARF node for each output state of the scheduling function when none of the threads is running. A detailed illustration of the execution of the scheduling function is given in Section 3.2.
3.2 Instantiation of ESST for BIP
To instantiate ESST for BIP, there are two naïve approaches. One is to translate a
BIP model to a SystemC program, hence relying on the SystemC primitive functions
and the SystemC scheduler (i.e. the existing instantiation of ESST [16]). This approach
is inefficient, since one has to encode the BIP semantics with additional threads. An-
other approach is to reuse the SystemC primitive functions as in [16, 17], modifying the
scheduler to mimic the BIP semantics. This approach is not efficient either, since the
primitive functions in SystemC only allow threads to notify and wait for events. This
has the effect of introducing additional variables in the scheduler to keep track of the
sent and received events, which considerably increases the state space to be explored.
In this paper, we provide a novel instantiation of the ESST framework to analyze
BIP models, it consists of: (i) a mapping from BIP to multi-threaded programs and the
definition of a new primitive function wait() used by threads to interact with the sched-
uler; (ii) a new semi-symbolic scheduler that respects the BIP operational semantics
and preserves the reachability of error locations.
We use the ESST version with a semi-symbolic scheduler, instead of a purely explicit one, allowing the scheduler to read and write the state of the threads. This feature is important to analyse BIP models because, in BIP, interaction guards and effects are expressed over the global state of the system. Moreover, the semi-symbolic scheduler is also needed to correctly enforce the BIP priorities.
8 The ESST framework does not allow the scheduler to produce programs with loops.
In each scheduling loop, the scheduler performs two tasks: (i) it computes the set of possible interactions and chooses one to be run; (ii) it schedules the execution of each thread that participates in the chosen interaction. When all the threads are in the Waiting state, the scheduler computes the set of possible interactions and chooses one interaction to be run by setting the status of the participating threads to Runnable, and by setting the value of a local variable in each such thread. The variable is used in the guards of the thread edges and encodes the BIP ports. Moreover, the scheduler is also responsible for executing the global effects of the interaction. Within each scheduling cycle, the scheduler picks the Runnable threads one by one, until no such threads are available.
Primitive functions and threads. In our BIP instantiation of ESST we introduce a primitive function wait(), which suspends the execution of the calling thread and releases the control back to the scheduler (thus, we have only one primitive function). The function does not change the state of the thread, but changes the status of the thread in the scheduler state to Waiting. Since the return value of wait() is of no interest, we will write wait() instead of x := wait(). Formally, the semantics of wait() is defined by the primitive executor SEXEC, that is [[wait()]]_E(s, S) = SEXEC(〈S, wait()〉) = 〈∗, S'〉, where ∗ denotes a dummy return value, s is the state of T_i, and S' = S[st_{T_i} := Waiting], if T_i is the caller of wait().
Given an atomic component B_i = 〈Var_i, Q_i, E_i, l_{0i}, Qerr_i〉 of P_BIP, we define the thread T_i = 〈G_i, LVar_i〉, where LVar_i = Var_i ∪ {evt_i}, Dom(evt_i) = ℤ and G_i = (L_i, E_i, l'_{0i}, Lerr_i), where:
$$\begin{aligned}
L_i &= \{l, l_{wait} \mid l \in Q_i\} \cup \{l_e \mid e \in E_i,\ e = \langle l, \alpha, g, op, l' \rangle\}; \\
E_i &= \{\langle l, wait(), l_{wait} \rangle \mid l \in Q_i\} \cup \{\langle l_{wait}, evt_i = \alpha, l_e \rangle, \langle l_e, op, l' \rangle \mid e \in E_i,\ e = \langle l, \alpha, g, op, l' \rangle\}; \\
l'_{0i} &= l_{0i}; \\
Lerr_i &= Qerr_i.
\end{aligned}$$
We introduce an additional integer variable evt_i for each thread and we associate every port α to a distinct integer value; for clarity, we use the notation evt_i = α instead of evt_i = i, where i ∈ ℤ is the value we associated to the port α. The CFG G_i of the thread is obtained from a transformation of the BIP atomic component B_i: (i) adding a location l_wait and an edge from l to l_wait for each l ∈ Q_i; (ii) for each edge e = 〈l, α, g, op, l'〉 ∈ E_i, add an intermediate location l_e, an edge from l_wait to l_e labelled with evt_i = α, and an edge from l_e to l' labelled with op (see footnote 9).
The edge to the location l_wait labelled by the primitive function wait() ensures that the thread releases the control to the scheduler, waiting for the scheduler to choose an interaction to be run. The subsequent edge labelled by evt_i = α ensures that the thread only executes the edge chosen by the scheduler, as constrained by the value of the variable evt_i. Notice that the edge guard will be taken into account by the BIP scheduler.
9 Note that, while the formal presentation introduces intermediate locations and edges, in practice these are collapsed in a single edge since we use the large block encoding [8].
Semi-symbolic BIP scheduler. For analyzing BIP models, we design the semi-symbolic BIP scheduler SCHED(P_BIP) = 〈F_S, SVar〉, where SVar = {st_{T_1}, ..., st_{T_n}}, and F_S is the scheduling function that respects the BIP semantics. As required by the ESST, the scheduler keeps the status of each thread T_i in a variable st_{T_i}, with values {Running, Runnable, Waiting}. Initially all st_{T_i} are Runnable.
Given an ARF node η = 〈〈l_1, ϕ_1〉, ..., 〈l_n, ϕ_n〉, ϕ, S〉, we say that an interaction γ = 〈{α_1, ..., α_k}, g, op〉 is enabled if there exists a set of edges {t_{α_1}, ..., t_{α_k}} such that, for all i ∈ [1, k], t_{α_i} ∈ E_{id(α_i)} and t_{α_i} = 〈l_{id(α_i)}, α_i, g_{t_{α_i}}, op_{t_{α_i}}, l'_{t_{α_i}}〉. In that case, we write enabled(η, γ) and we denote with EnabledSet(η) the set of all the enabled interactions in η. Notice that the concept of enabled interaction on an ARF node is different from the one we had on a BIP configuration: we do not check the satisfiability of the guards in the ARF node to determine the set of enabled interactions. Instead, interaction guards and effects are accounted for by the symbolic execution of the scheduling function.
F_S alternates two different phases: (i) scheduling of new interactions; (ii) execution of edges participating in the chosen interaction. Given an ARF node η = 〈〈l_1, ϕ_1〉, ..., 〈l_n, ϕ_n〉, ϕ, S〉, F_S(η) is defined as follows:
F1. If S(st_{T_i}) = Waiting for all st_{T_i} ∈ SVar, and EnabledSet(η) = {γ_1, ..., γ_k}, then F_S(η) = {〈S_1, P^{lf}_1〉, ..., 〈S_k, P^{lf}_k〉}, where for all i ∈ [1, k]:
– $\gamma_i = \langle \{\alpha^1_i, \ldots, \alpha^l_i\}, g_i, op_i \rangle$;
– $S_i = S[st_{T_{id(\alpha^1_i)}} := Runnable, \ldots, st_{T_{id(\alpha^l_i)}} := Runnable]$;
– $P^{lf}_i = p;\ g_i;\ g_e;\ op_i;\ evt_{id(\alpha^1_i)} := \alpha^1_i;\ \ldots;\ evt_{id(\alpha^l_i)} := \alpha^l_i$, where
$$p = \bigwedge_{\langle \gamma_i, \gamma' \rangle \in \pi,\ \alpha \in \gamma'} \ \bigwedge_{\langle l, \alpha, g_\alpha, op_\alpha, l' \rangle \in E_{id(\alpha)}} \neg g_\alpha \qquad \text{and} \qquad g_e = \bigwedge_{\alpha \in \gamma_i} \ \bigvee_{\langle l, \alpha, g_\alpha, op_\alpha, l' \rangle \in E_{id(\alpha)}} g_\alpha.$$
F2. If there exists a thread T_i such that S(st_{T_i}) = Runnable, then F_S(η) = {〈S[st_{T_i} := Running], skip〉}.
In rule F1, the formula p encodes the priority constraints (there are no enabled interactions with a higher priority than γ_i), and the formula g_e imposes that, in each thread that participates in the interaction, there is at least one enabled edge labeled with the corresponding interaction port. Thus, the loop-free program P^{lf}_i ensures that the interaction γ_i will be scheduled according to the BIP semantics, and also imposes the correct ports that must be executed by the threads. The rule F2 just picks the next thread to be run.
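To make the component-to-thread mapping and rule F1 concrete, the following Python code is an added example, not the paper's Kratos implementation: `build_thread` performs the transformation of a component into a thread CFG (locations `l_wait` and `l_e`, edges labelled `wait()`, `evt_i = α` and `op`), `large_block_edges` shows the collapsed form mentioned in footnote 9, and `scheduling_program` builds the loop-free program `p; g_i; g_e; op_i; evt := α; ...` of rule F1, writing each assumption as `[bexp]`. The two-component model, its port names and the priority pairs are constructed for the example; guards and operations are kept as plain strings, since what is being built here is the scheduler's program, not its symbolic execution.

```python
"""Mapping a BIP atomic component to an ESST thread and building the loop-free program of
rule F1.  Added example, not the paper's tool; guards, operations and formulas are strings.
"""

# Constructed model.  A component is a dict: vars, locs, edges (src, port, guard, op, dst),
# init, err.  Port names are disjoint across components, as the paper assumes.
COMPONENTS = {
    1: {"vars": ["x"], "locs": ["p0"], "init": "p0", "err": [],
        "edges": [("p0", "inc", "x < 3", "x := x + 1", "p0"),
                  ("p0", "send", "true", "skip", "p0")]},
    2: {"vars": ["y"], "locs": ["c0", "cerr"], "init": "c0", "err": ["cerr"],
        "edges": [("c0", "recv", "true", "skip", "c0"),
                  ("c0", "err", "y >= 3", "skip", "cerr")]},
}
# interaction name -> (ports, guard, op); the op is the data transfer run by the scheduler
INTERACTIONS = {
    "inc": (["inc"], "true", "skip"),
    "send": (["send", "recv"], "true", "y := x"),
    "err": (["err"], "true", "skip"),
}
PRIORITY = [("inc", "err"), ("send", "err")]   # (lower, higher), as in the paper


def build_thread(i, comp):
    """T_i = <G_i, LVar_i> for component B_i: LVar_i adds evt_i; G_i adds l_wait and l_e locations."""
    evt = "evt%d" % i
    locs = set(comp["locs"]) | {l + "_wait" for l in comp["locs"]}
    edges = [(l, "wait()", l + "_wait") for l in comp["locs"]]    # release control to the scheduler
    for k, (l, alpha, _guard, op, l2) in enumerate(comp["edges"]):
        le = "l_e%d" % k
        locs.add(le)
        edges.append((l + "_wait", "%s = %s" % (evt, alpha), le))  # only the port chosen by the scheduler
        edges.append((le, op, l2))                                  # the guard is checked by the scheduler
    return {"vars": set(comp["vars"]) | {evt}, "locs": locs, "edges": edges,
            "init": comp["init"], "err": set(comp["err"])}


def large_block_edges(i, comp):
    """Footnote 9: with large block encoding, l_wait -> l_e -> l' collapses into one edge."""
    return [(l + "_wait", "evt%d = %s; %s" % (i, alpha, op), l2)
            for (l, alpha, _g, op, l2) in comp["edges"]]


def owner_of(alpha):
    """id(alpha): the index of the component owning port alpha."""
    return next(i for i, c in COMPONENTS.items() if any(e[1] == alpha for e in c["edges"]))


def guards_on(alpha):
    """Guards of all edges labelled with port alpha in its component."""
    return [e[2] for e in COMPONENTS[owner_of(alpha)]["edges"] if e[1] == alpha]


def scheduling_program(name):
    """P^lf_i of rule F1 for interaction `name`: p; g_i; g_e; op_i; evt_j := alpha ..., assumptions in [ ]."""
    ports, guard, op = INTERACTIONS[name]
    # p: no edge on a port of a higher-priority interaction has a true guard
    p = " ∧ ".join("¬(%s)" % g for low, high in PRIORITY if low == name
                   for a in INTERACTIONS[high][0] for g in guards_on(a)) or "true"
    # g_e: each participating component has at least one edge on its port whose guard holds
    ge = " ∧ ".join("(%s)" % " ∨ ".join(guards_on(a)) for a in ports)
    return ["[%s]" % p, "[%s]" % guard, "[%s]" % ge, op] + \
           ["evt%d := %s" % (owner_of(a), a) for a in ports]


if __name__ == "__main__":
    for i, comp in COMPONENTS.items():
        print(i, build_thread(i, comp)["edges"])
    for name in INTERACTIONS:
        print(name, "; ".join(scheduling_program(name)))
```

For `send` the program is `[¬(y >= 3)]; [true]; [(true) ∧ (true)]; y := x; evt1 := send; evt2 := recv`: the first assumption is p (the only higher-priority interaction is `err`, whose single edge has guard `y >= 3`), the third is g_e, and the two final assignments are what let each thread take exactly the edge the scheduler selected.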
Correctness of ESSTBIP.
Theorem 1. Let P_BIP = 〈B, Γ, π〉 be a BIP model and P = 〈T, SCHED(P_BIP)〉 be the corresponding multi-threaded program with semi-symbolic BIP scheduler SCHED(P_BIP). If the ESSTBIP algorithm terminates on P, then ESSTBIP returns safe iff the BIP model P_BIP is safe.
For lack of space, we provide the proofs in the extended technical report [10].
3.3 Optimizations
In this section we present some optimizations aiming to reduce the number of ARF nodes that must be explored during the reachability analysis.
Partial Order Reduction for BIP. The application of POR to ESSTBIP is based on the following idea: when ESSTBIP executes the scheduling function F_S on a node η, it creates the successor nodes only for a representative subset of the set of all the enabled interactions EnabledSet(η). To compute the independence relation between interactions, we define the following valid dependence relation [16] for BIP models: two interactions are dependent if they share a common component. This valid dependence relation can be computed statically from the BIP model. We have implemented both the persistent set and the sleep set POR approaches. The use of POR in ESSTBIP is correct since the application of POR to the general ESST framework is sound, provided a valid dependence relation [16].
Simultaneous execution of the edges participating in an interaction. In the basic
ESSTBIP, we serialize the edges participating in the same interaction since we use a
scheduling function that allows only one thread to run at a time. Consider an ARF node
η = 〈〈l1, ϕ1〉, . . . , 〈ln, ϕn〉, ϕ,S〉, and an interaction γ = 〈{α1, . . . , αk}, g, op〉 en-
abled in η. Let {tα1 , . . . , tαk} be the set of participating edges in γ and opα1 , . . . , opαk
be their respective effects. When we expand η, we will create the following sequence
of successor nodes:
$$\eta \xrightarrow{E2} \eta_1 \xrightarrow{E2} \eta_2 \xrightarrow{\alpha_1} \eta_3 \xrightarrow{op_{\alpha_1}} \eta_4 \xrightarrow{wait()} \eta_5 \xrightarrow{E2} \eta_6 \xrightarrow{\alpha_2} \dots \xrightarrow{wait()} \eta_{2+4k}$$
where the label E2 denotes the execution of the ESSTBIP scheduler function. The intermediate nodes η_1, ..., η_{2+4k-1} are due to the sequentialization of the execution of
the edges participating in the interaction. These intermediate nodes increase the com-
plexity of the reachability analysis. They do not correspond to any state reachable in the
BIP model, where all the edges involved in an interaction are executed simultaneously,
and are an artefact of the encoding of the BIP model into the ESST framework. We
can modify the search discussed in Section 3 in order to avoid the generation of these
intermediate states by (i) extending the primitive execution function SEXEC to simul-
taneously evaluate a sequence of primitive functions, (ii) changing the node expansion
rule E1 of ESST as follows:
E1'. If S(st_{T_i}) = Running, let T_R = {T_i ∈ T | S(st_{T_i}) ≠ Waiting} be the set of threads not in the Waiting state. Let op = op_1; ...; op_k be a sequential composition (in arbitrary order) of the operations labeling the outgoing edges (l_i, op_i, l'_i) ∈ E_i, for T_i ∈ T_R (see footnote 10). The successor node is (〈l'_1, ϕ'_1〉, ..., 〈l'_n, ϕ'_n〉, ϕ', S'), where:
– $\langle S', \hat{op} \rangle = \begin{cases} \langle S, op \rangle & \text{if none of the } op_i \text{ in } op \text{ is a call to } wait() \\ \langle S'', skip \rangle & \text{if all } op_i \text{ in } op \text{ are } wait() \text{ and } (*, S'') = SEXEC(S, op) \end{cases}$
– $\varphi'_i = SP^{\delta_{l'_i}}_{\hat{op}_i}(\varphi_i \wedge \varphi)$ for each thread $T_i \in T_R$, $\varphi'_j = \varphi_j$ and $l'_j = l_j$ for each thread $T_j \notin T_R$, and $\varphi' = SP^{\delta}_{\hat{op}}(\varphi)$, where $\hat{op}_i$ is the projection of $\hat{op}$ on the instructions of thread $T_i$.
10 Note that there is no non-determinism on the outgoing edge to be executed by each thread T_i after the scheduling of the interaction γ.
We remark that, in BIP, we do not have shared variables. Thus, all the opi are local
to the corresponding components, and executing a sequence of opi altogether will not
create any conflict. The correctness of this optimization can be easily justified since it
respects BIP operational semantics.
Implicit primitive functions. The previous optimization does not remove all the intermediate ARF nodes η_1, ..., η_{2+4k-1} visited by ESSTBIP that do not have a corresponding configuration in the BIP operational semantics. In particular, we can avoid the creation of the intermediate ARF nodes created by calls to wait() noting that: (i) wait() is always executed immediately after the execution of some edge t_{α_i} labeled by α_i, i.e. $\eta \xrightarrow{\alpha_i} \eta' \xrightarrow{wait()} \eta''$ (see the description of the sequence of ARF nodes visited after the scheduling of an interaction in the previous optimization); (ii) wait() only modifies the scheduler state of an ARF node. Thus, we can combine the execution of wait() with the execution of its preceding edge t_{α_i}. This optimization can be integrated in the ESSTBIP framework by modifying rule E1 as follows.
E1''. If S(st_{T_i}) = Running, and {(l_i, op, l^1_i), (l^1_i, wait(), l'_i)} ⊆ E_i, then the successor node is (〈l_1, ϕ'_1〉, ..., 〈l_n, ϕ'_n〉, ϕ', S'), where:
– $\langle S', \hat{op} \rangle = \langle S'', op; skip \rangle$ if $op$ is not $wait()$ and $(*, S'') = SEXEC(S, wait())$;
– $\varphi' = SP^{\delta}_{\hat{op}}(\varphi)$, $\varphi'_i = SP^{\delta_{l'_i}}_{\hat{op}}(\varphi_i \wedge \varphi)$, and $\varphi'_j = \varphi_j$ for $i \neq j$.
This optimization is correct with respect to BIP semantics since ESSTBIP will still visit
all the reachable states of the original BIP model PBIP. To see this, notice that there are
no interactions to be scheduled in the intermediate sequence of ARF nodes created
while executing an interaction, and after the execution of the edge tαi the thread Ti will
always stop its execution.
We remark that the optimization for the implicit execution of primitive functions
and the optimization for the simultaneous execution of the edges of an interaction can
be combined together, to further reduce the search space of the basic ESSTBIP.
4 Encoding BIP into Transition System
In this section, we show how to encode a BIP model into a Symbolic Transition System,
thus enabling a direct application of state-of-the-art model checkers for infinite state
systems, such as the NUXMV [12] symbolic model checker.
A Symbolic Transition System (STS) is a tuple S = 〈V, I, Tr〉, where: (i) V is a finite set of variables, (ii) I is a first-order formula over V (called initial condition), and (iii) Tr is a first-order formula over V ∪ V' (called transition condition; see footnote 11). The semantics of an STS can be given in terms of an explicit transition system (see for example [26]).
11 Hereby and below, we denote with V' = {x' | x ∈ V} the set of primed variables of V.
The encoding of a BIP model P_BIP = 〈B, Γ, π〉 as an STS S_{P_BIP} = 〈V, I, Tr〉 is the following. The set of variables is defined as:
$$V = \bigcup_{i=1}^{n} \{loc_i\} \ \cup\ \bigcup_{i=1}^{n} \{x \mid x \in Var_i\} \ \cup\ \bigcup_{i=1}^{n} \{v_\alpha \mid \alpha \in P_i\} \ \cup\ \{v_\Gamma\}$$
where for all i ∈ [1, n], we preserve the domain of each variable x ∈ Var_i, Dom(loc_i) = Q_i; for all α ∈ P_i, Dom(v_α) = {true, false}; and Dom(v_Γ) = Γ.
The initial condition is $I = \bigwedge_{i=1}^{n} (loc_i = l_{0i})$, since we do not have initial predicates in P_BIP. The transition condition is
$$Tr = \bigwedge_{i=1}^{n} (Tr_{e_i} \wedge Tr_{p_i}) \wedge Tr_\Gamma \wedge Tr_\pi,$$
where Tr_{e_i} encodes the edges of the component B_i, Tr_{p_i} determines when the variable v_α for a port α of B_i is true, Tr_Γ encodes when an interaction is enabled, and Tr_π encodes the priorities.
In the following, let Γ_{B_i} = {〈Act, g, op〉 | Act ∩ P_i ≠ ∅} be the set of all the interactions in which B_i participates and Γ_e = {〈Act, g, op〉 | e = 〈l_i, α, g_e, op_e, l'_i〉, α ∈ Act}, with e ∈ E_i, be the set of interactions that contain the port that labels e.
The encoding of an edge $e$ of a component $B_i$ is defined as:
$$Tr_{e_i} = \bigvee_{e = \langle l_i, \alpha, g_e, op_e, l'_i \rangle \in E_i} \Big( loc_i = l_i \wedge loc'_i = l'_i \wedge g_e \wedge \bigvee_{\gamma \in \Gamma_{B_i}} v_\Gamma = \gamma \wedge \bigwedge_{\gamma \in \Gamma_{B_i}} \big( v_\Gamma = \gamma \to \bigwedge_{x \in Var_i} x' = update(x, e, \gamma) \big) \wedge \bigwedge_{\gamma \notin \Gamma_{B_i}} \big( v_\Gamma = \gamma \to \bigwedge_{x \in Var_i} x' = x \big) \Big)$$
$$update(x, e, \gamma) = \begin{cases} replace(e, \gamma) & \text{if } op_e = x := e \\ replace(x, \gamma) & \text{otherwise} \end{cases}$$
and $replace(e, \gamma)$ is a function that replaces all the occurrences of a variable $y$ in $e$ with $e_\gamma$, if $op_\gamma = y := e_\gamma$ and $\gamma = \langle Act, g_\gamma, op_\gamma \rangle$ (footnote 12). $Tr_{p_i}$ is defined as
$$Tr_{p_i} = \bigwedge_{\alpha \in P_i} \Big( v_\alpha \leftrightarrow \bigvee_{\langle l_i, \alpha, g_e, op_e, l'_i \rangle \in E_i} ( loc_i = l_i \wedge g_e ) \Big).$$
Finally, the conditions that constrain the interactions to their ports and the priorities among the interactions are defined as:
$$Tr_\Gamma = \bigwedge_{\gamma = \langle Act_\gamma, g_\gamma, op_\gamma \rangle \in \Gamma} \ \bigwedge_{\alpha \in Act_\gamma} \big( v_\Gamma = \gamma \to (v_\alpha \wedge g_\gamma) \big)$$
$$Tr_\pi = \bigwedge_{(\gamma_1, \gamma_2) \in \pi,\ \gamma_1 = \langle Act_{\gamma_1}, g_{\gamma_1}, op_{\gamma_1} \rangle} \Big( \big( g_{\gamma_1} \wedge \bigwedge_{\alpha \in Act_{\gamma_1}} v_\alpha \big) \to v_\Gamma \neq \gamma_2 \Big)$$
Theorem 2. The transition system $S_{P_{BIP}}$ for a BIP model $P_{BIP}$ preserves reachability of any configuration of the BIP model.
The proof relies on the fact that the state space of the BIP model is preserved. The initial configuration is preserved by the formula $I$, where $loc_i$ is constrained to the initial location of the corresponding component. The transition relation is also preserved, since the variable $v_\Gamma$ can be assigned the value representing an interaction $\gamma$, enabling the corresponding edges, if and only if $\gamma$ is enabled in the corresponding state of the BIP model. The valuations of the additional variables $v_\alpha$ and $v_\Gamma$ do not alter the state space: their valuations are constrained by the formula $Tr$ to reflect the BIP semantics.
12 Note that, while in our definition $op_\gamma$ is a single assignment, the approach can be easily generalized to sequential programs by applying a static single assignment (SSA) transformation [18].
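As an added example (not from the paper or its tools), the encoding above is applied to a constructed two-component BIP model: $Tr_{p_i}$, $Tr_\Gamma$, $Tr_\pi$ and $Tr_{e_i}$ are evaluated explicitly over finite domains and the reachable configurations are computed by a fixpoint over $Tr$, so that the reachability claim of Theorem 2 and the effect of the priority encoding can be observed on a concrete case. Assumptions: an edge labelled $\alpha$ is enabled only by interactions containing $\alpha$ (the set $\Gamma_e$), a component not taking part in the scheduled interaction keeps its location and variable, data variables start at 0, and domains are bounded to {0, 1, 2} so that states can be enumerated (the paper's encoding targets infinite domains and an SMT-based model checker).

```python
from itertools import product

# Constructed toy model (not from the paper): edge = (src, port, guard, op, dst),
# op = (x, expr) or None; guards and expressions are functions of a valuation dict.
P = dict(l0="i", locs=("i", "e"), var="c", ports={"send", "reset"},
         edges=[("i", "send", lambda v: v["c"] < 2, ("c", lambda v: v["c"] + 1), "i"),
                ("i", "reset", lambda v: v["c"] < 2, ("c", lambda v: 0), "e")])
C = dict(l0="w", locs=("w",), var="d", ports={"recv"},
         edges=[("w", "recv", lambda v: True, None, "w")])
COMP = {"P": P, "C": C}
DOM = range(3)  # Dom(c) = Dom(d) = {0, 1, 2}: bounded so that states can be enumerated
PORTS = ["send", "reset", "recv"]
# Interactions gamma = (Act, g_gamma, op_gamma); g_send transfers c into d.
GAMMA = {"g_send": ({"send", "recv"}, lambda v: True, ("d", lambda v: v["c"])),
         "g_reset": ({"reset"}, lambda v: True, None)}
PI = {("g_send", "g_reset")}  # (gamma1, gamma2): gamma1 has priority over gamma2

def update(x, edge, gamma, s):
    # update(x, e, gamma): edge assignment to x, or x itself, after replace(., gamma)
    op_e, op_g = edge[3], GAMMA[gamma][2]
    env = dict(s)
    if op_g:
        env[op_g[0]] = op_g[1](s)  # substitute y := e_gamma of the interaction
    return op_e[1](env) if op_e and op_e[0] == x else env[x]
def tr_p(s):  # Tr_{p_i}: v_alpha <-> some edge labelled alpha is enabled at loc_i
    return all(s["v_" + a] == any(s["loc_" + n] == e[0] and e[2](s)
                                  for e in B["edges"] if e[1] == a)
               for n, B in COMP.items() for a in B["ports"])
def tr_gamma(s):  # Tr_Gamma: v_Gamma = gamma needs all ports of gamma and its guard
    act, g, _ = GAMMA[s["v_G"]]
    return g(s) and all(s["v_" + a] for a in act)
def tr_pi(s, pi):  # Tr_pi: an enabled gamma1 forbids scheduling gamma2
    return all(s["v_G"] != g2 or not (GAMMA[g1][1](s) and all(s["v_" + a] for a in GAMMA[g1][0]))
               for g1, g2 in pi)
def tr_e(name, s, t):
    # Tr_{e_i}: an edge of B_i with a port in v_Gamma fires; otherwise B_i idles (assumption)
    B, x, loc, act = COMP[name], COMP[name]["var"], "loc_" + name, GAMMA[s["v_G"]][0]
    if not act & B["ports"]:
        return t[loc] == s[loc] and t[x] == s[x]
    return any(s[loc] == e[0] and t[loc] == e[4] and e[2](s) and e[1] in act
               and t[x] == update(x, e, s["v_G"], s) for e in B["edges"])
def successors(s, pi):
    # v_alpha and v_Gamma occur only unprimed in Tr, so they are chosen per step.
    for vals, g in product(product([False, True], repeat=3), GAMMA):
        e = dict(s, v_G=g, **{"v_" + p: b for p, b in zip(PORTS, vals)})
        if tr_p(e) and tr_gamma(e) and tr_pi(e, pi):
            for t in product(P["locs"], C["locs"], DOM, DOM):
                t = dict(zip(("loc_P", "loc_C", "c", "d"), t))
                if all(tr_e(n, e, t) for n in COMP):
                    yield t
def reachable(pi=PI):
    # Fixpoint over Tr from I (loc_i = l0_i; data variables start at 0 by assumption).
    key = lambda s: (s["loc_P"], s["loc_C"], s["c"], s["d"])
    init = {"loc_P": P["l0"], "loc_C": C["l0"], "c": 0, "d": 0}
    seen, todo = {key(init)}, [init]
    while todo:
        for t in successors(todo.pop(), pi):
            if key(t) not in seen:
                seen.add(key(t)); todo.append(t)
    return seen
```

With the priority in place, location e of P is never reached because g_send is enabled whenever the reset edge's guard holds; calling reachable(pi=set()) drops $Tr_\pi$ and makes e reachable.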
5 Related work
Several approaches to the verification of BIP models have been explored in the literature. DFINDER [7] is a verification tool for BIP models that relies on compositional reasoning for identifying deadlocks and verifying safety properties. The tool has several limitations: it is unsound in the presence of data transfers among components (it assumes that the involved variables do not exchange values); its refinement procedure is not effective for infinite-state systems, since it consists only of removing the deadlock states found to be unreachable from the next round of the algorithm; finally, it can only handle BIP models with finite-domain variables or integers. Our approaches instead are sound in the presence of data transfer, exploit standard refinement mechanisms (e.g. refinement based on interpolation) and can handle BIP models with real variables.
The VCS [20] tool supports the verification of BIP models with data transfer among components, using specialized BDD- and SAT-based model checking algorithms for BIP. Unlike our approaches, VCS is only able to deal with finite-domain variables, and priority is ignored.
Our encoding into transition systems is related to the works in [29, 25]. In [29], a timed BIP model is translated into Timed Automata and then verified with UPPAAL [6]. The translation handles data transfers, but it is limited to BIP models with finite-domain data variables and without priorities. In [25], the authors show an encoding of BIP models into Horn clauses. They do not handle data transfers on interactions and do not describe how to handle priorities. We remark that any transition system can be encoded into Horn clauses and then verified with tools such as Z3 [23] or ELDARICA [24].
With respect to the verification of multi-threaded programs, the works most related to ours are [16, 17, 30]. In [16, 17], the authors present the ESST framework, instantiating it for SystemC [27] and FairThreads [11]. They consider neither instantaneous synchronizations nor priorities among interactions. Instead, in this work we instantiate the ESST framework for the analysis of BIP models, which encompass instantaneous synchronizations and priorities. The semi-symbolic scheduler in [17] is also different from ours: while they use the semi-symbolic scheduler to handle parameters of the primitive functions, we use it to change the status of the local threads. We also apply and adapt several optimizations sound w.r.t. the BIP operational semantics. The work in [30] combines lazy abstraction and POR for the verification of generic multi-threaded programs with pointers. They do not leverage the separation between coordination and computation which is the core of our ESSTBIP approach. Moreover, because of the pointers, they rely on a dynamic dependence relation for applying POR.
6 Experimental evaluation
We implemented ESSTBIP by extending the KRATOS [13] software model checker. We implemented the encoding from BIP to transition systems in a tool based on the BIP framework [2]. Our tool generates models in the input language of NUXMV, allowing us to reuse its model checking algorithms.
In the experimental evaluation, we used several benchmarks taken and adapted from
the literature, including the temperature control system model and ATM transaction
model used in [7], the train gate control system model used in [25], and several other
consensus and voting algorithm models. Every benchmark is scalable with respect to the number of components. In total, we created 379 instances of both safe and unsafe models, and verified different invariant properties. All the benchmarks are infinite-state, due to integer variables, and some of them feature data transfer on interactions. Due to lack of space, we do not provide the details of each benchmark, but refer to our webpage (footnote 13) for more information.
Fig. 1: Cumulative plot for all the benchmarks (plot not reproduced: x axis total time (sec), ticks 0.1 to 10000; y axis number of solved instances, ticks 50 to 300; series EsstBip+S+I+P, EsstBip+S+I, EsstBip+S+P, EsstBip+S, EsstBip+P, EsstBip, IC3, BMC, VirtualBest)
Fig. 2: Run time (sec.) DFINDER (y axis) vs. IC3 (x axis) (plot not reproduced: both axes from 0.1 to 10000, points marked safe or unsafe)
We ran several configurations of ESSTBIP: ESSTBIP, ESSTBIP+P, ESSTBIP+S, ESSTBIP+S+P, ESSTBIP+S+I and ESSTBIP+S+I+P, where ESSTBIP is the base version without any optimization, P denotes the use of partial order reduction, S denotes the use of the simultaneous execution of the interaction edges and I denotes the implicit execution of the primitive functions. After the encoding into transition systems, we ran two algorithms implemented in NUXMV: (IC3) an implementation of the IC3 algorithm integrated with predicate abstraction [14]; (BMC) an implementation of Bounded Model Checking [9] via SMT [1] solving. For the benchmarks that do not exhibit data transfer, we also compared our approaches against DFINDER (version 2) [7].
All the experiments have been performed on a cluster of 64-bit Linux machines with a 2.7 GHz Intel Xeon X5650 CPU, with a memory limit set to 8 GB and a time limit of 900 seconds. The tools and benchmarks used in the experiments are available on our webpage.
Comparison with DFINDER. We first compare on the subset of the benchmarks (100
instances) that DFINDER can handle (these benchmarks do not have data transfer and
are safe). We compare DFINDER and IC3 in the scatter plot of Figure 2: DFINDER
is able to solve only 4 of our instances, while IC3 solves all the 100 instances. The
best configuration of ESSTBIP (ESSTBIP+S+I+P) shows a similar trend (solving 75
instances). For lack of space we do not show the respective plot. DFINDER requires
about 142 seconds to solve the four benchmarks, while both IC3 and ESSTBIP+S+I+P
solve all of them in a fraction of a second. The main explanations for these results are:
(i) DFINDER cannot prove 60 instances since it cannot find strong enough invariants to
prove the property; (ii) it exceeds the memory limits for the remaining 36 instances.
Comparison of NUXMV and ESSTBIP. We show the results of the comparison among
our approaches on the full set of instances in Figure 1, where we plot the cumulative
time to solve an increasing number of instances. IC3 clearly outperforms all the other approaches, while the version of ESSTBIP with all the optimizations outperforms all the other ESSTBIP configurations. In Figure 3 we focus only on the safe instances: the plot shows that IC3 is more efficient than ESSTBIP. IC3 is much more effective than ESSTBIP on a subset of the instances, where IC3 can easily find an inductive invariant (for this subset, the number of frames needed by IC3 to prove the property does not increase when increasing the number of components in each benchmark). In these cases, instead, ESSTBIP still has to visit several nodes before succeeding in the coverage check. In Figure 4, we focus on the unsafe properties. All the ESSTBIP configurations that enable the implicit primitive function execution, as well as IC3, outperform BMC. The main reason is that BMC is not effective on long counterexamples, while in our benchmarks the length of the counterexamples grows with the number of components. We also observe that, for the unsafe cases, the approach ESSTBIP+S+I+P is faster than IC3. Thus, the experiments show that IC3 and ESSTBIP are complementary, with IC3 being more efficient in the safe case, and ESSTBIP being more efficient in the unsafe one. This can also be seen in Figure 1, where we plot the virtual best configuration (VIRTUALBEST), i.e. the configuration obtained by taking the lowest run time for each benchmark, which shows the results that we would obtain by running all our approaches in parallel (in a portfolio approach).
13 https://es.fbk.eu/people/mover/atva15-kratos.tar.bz2
Fig. 3: Safe benchmarks (plot not reproduced: x axis total time (sec), ticks 0.01 to 1000; y axis number of solved instances, ticks 20 to 140; series EsstBip+S+I+P, EsstBip+S+I, EsstBip+S+P, EsstBip+S, EsstBip+P, EsstBip, IC3, VirtualBest)
Fig. 4: Unsafe benchmarks (plot not reproduced: x axis total time (sec), ticks 0.1 to 1000; y axis number of solved instances, ticks 20 to 160; series EsstBip+S+I+P, EsstBip+S+I, EsstBip+S+P, EsstBip+S, EsstBip+P, EsstBip, IC3, BMC, VirtualBest)
Evaluation of the ESSTBIP optimizations. In Figures 5a and 5b we show two scatter plots comparing the results obtained with and without partial order reduction. Plot 5a shows how POR improves the performance when applied to ESSTBIP (for ESSTBIP+S we get similar results), while plot 5b shows the same for ESSTBIP+S+I. The plots show that POR is effective on almost all benchmarks, even if in some cases the POR bookkeeping introduces some overhead. In Figures 5c and 5d we show the results of applying the simultaneous execution of the edges participating in an interaction to the basic configuration with and without partial order reduction enabled (ESSTBIP and ESSTBIP+P). In both cases, the improvement in run times brought by the concurrent execution of edges is consistent, since the run times are always lower and the number of solved instances higher. Finally, in Figures 5e and 5f we show the plots that compare ESSTBIP+S with ESSTBIP+S+I and ESSTBIP+S+P with ESSTBIP+S+I+P. In both cases the implicit execution of the primitive functions always brings a performance improvement.
Fig. 5: Scatter plots of run times (sec.) for the ESSTBIP optimizations (plots not reproduced: in each panel both axes range from 0.1 to 10000 and points are marked safe or unsafe): (a) ESSTBIP (y axis) vs. ESSTBIP+P (x axis); (b) ESSTBIP+S+I (y axis) vs. ESSTBIP+S+I+P (x axis); (c) ESSTBIP (y axis) vs. ESSTBIP+S (x axis); (d) ESSTBIP+P (y axis) vs. ESSTBIP+S+P (x axis); (e) ESSTBIP+S (y axis) vs. ESSTBIP+S+I (x axis); (f) ESSTBIP+S+P (y axis) vs. ESSTBIP+S+I+P (x axis)
7 Conclusions and Future Work
In this paper, we described two complementary approaches for the verification of infinite-state BIP models that, contrary to the existing techniques, consider all the features of BIP, such as the global effects on the interactions and priorities. First, we instantiated the ESST framework for BIP and integrated several optimizations sound w.r.t. the BIP semantics. Second, we provided an encoding of BIP models into symbolic transition systems, enabling us to exploit existing state-of-the-art verification algorithms. Finally, we implemented the proposed techniques and performed an experimental evaluation on several benchmarks. The results show that our approaches are complementary, and that they outperform DFINDER w.r.t. performance and also w.r.t. the coverage of the BIP features. As future work we would like to extend the proposed techniques to support timed BIP [4] (e.g. the symbolic encoding could be extended to HYDI [15]) and, in the case of ESST, to improve its performance in finding bugs using directed model checking [19]. Finally, we will investigate the possibility of exploiting the invariants computed by DFINDER in all our approaches.
References
1. Barrett, C.W., Sebastiani, R., Seshia, S.A., Tinelli, C.: Satisfiability modulo theories. In:
Handbook of Satisfiability (2009)
2. Basu, A., Bensalem, S., Bozga, M., Combaz, J., Jaber, M., Nguyen, T.H., Sifakis, J.: Rigorous component-based system design using the BIP framework. IEEE Software 28(3) (2011)
3. Basu, A., Bensalem, S., Bozga, M., Caillaud, B., Delahaye, B., Legay, A.: Statistical abstrac-
tion and model-checking of large heterogeneous systems. In: FTDS, vol. 6117, pp. 32–46
(2010)
4. Basu, A., Bozga, M., Sifakis, J.: Modeling heterogeneous real-time components in BIP. In:
SEFM (2006)
5. Basu, A., Gallien, M., Lesire, C., Nguyen, T.H., Bensalem, S., Ingrand, F., Sifakis, J.: Incre-
mental component-based construction and verification of a robotic system. In: ECAI. vol.
178, pp. 631–635 (2008)
6. Behrmann, G., David, A., Larsen, K.G., Håkansson, J., Pettersson, P., Yi, W., Hendriks, M.: UPPAAL 4.0. In: QEST (2006)
7. Bensalem, S., Bozga, M., Nguyen, T.H., Sifakis, J.: D-Finder: A Tool for Compositional
Deadlock Detection and Verification. In: CAV (2009)
8. Beyer, D., Cimatti, A., Griggio, A., Keremoglu, M.E., Sebastiani, R.: Software model check-
ing via large-block encoding. In: FMCAD (2009)
9. Biere, A., Cimatti, A., Clarke, E.M., Zhu, Y.: Symbolic Model Checking without BDDs. In:
TACAS (1999)
10. Bliudze, S., Cimatti, A., Jaber, M., Mover, S., Roveri, M., Saab, W., Wang, Q.: Formal verification of infinite-state BIP models. Tech. rep., https://es-static.fbk.eu/people/mover/paper/fvbip.pdf
11. Boussinot, F.: FairThreads: mixing cooperative and preemptive threads in C. Concurrency
and Computation: Practice and Experience 18(5) (2006)
12. Cavada, R., Cimatti, A., Dorigatti, M., Griggio, A., Mariotti, A., Micheli, A., Mover, S.,
Roveri, M., Tonetta, S.: The nuXmv Symbolic Model Checker. In: CAV (2014)
13. Cimatti, A., Griggio, A., Micheli, A., Narasamdya, I., Roveri, M.: Kratos - A Software Model
Checker for SystemC. In: CAV (2011)
14. Cimatti, A., Griggio, A., Mover, S., Tonetta, S.: IC3 Modulo Theories via Implicit Predicate
Abstraction. In: TACAS (2014)
15. Cimatti, A., Mover, S., Tonetta, S.: HyDI: A language for symbolic hybrid systems with
discrete interaction. In: SEAA (2011)
16. Cimatti, A., Narasamdya, I., Roveri, M.: Software model checking with explicit scheduler
and symbolic threads. Logical Methods in Computer Science 8(2) (2012)
17. Cimatti, A., Narasamdya, I., Roveri, M.: Verification of parametric system designs. In: FM-
CAD (2012)
18. Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Zadeck, F.K.: Efficiently computing
static single assignment form and the control dependence graph. ACM Trans. Program. Lang.
Syst. 13(4) (1991)
19. Edelkamp, S., Schuppan, V., Bošnački, D., Wijs, A., Fehnker, A., Aljazzar, H.: Survey on directed model checking. In: MoChArt (2008)
20. He, F., Yin, L., Wang, B., Zhang, L., Mu, G., Meng, W.: VCS: A verifier for component-
based systems. In: ATVA (2013)
21. Henzinger, T.A., Jhala, R., Majumdar, R., McMillan, K.L.: Abstractions from proofs. In:
ACM SIGPLAN Notices. vol. 39. ACM (2004)
22. Henzinger, T.A., Jhala, R., Majumdar, R., Sutre, G.: Lazy abstraction. In: POPL (2002)
23. Hoder, K., Bjørner, N.: Generalized property directed reachability. In: SAT (2012)
24. Hojjat, H., Konečný, F., Garnier, F., Iosif, R., Kuncak, V., Rümmer, P.: A verification toolkit for numerical transition systems - tool paper. In: FM (2012)
25. Hojjat, H., Rümmer, P., Subotic, P., Yi, W.: Horn clauses for communicating timed systems. In: HCVS (2014)
26. Manna, Z., Pnueli, A.: The Temporal Logic of Reactive and Concurrent Systems: Specifica-
tion. Springer-Verlag (1992)
27. IEEE 1666: SystemC language Reference Manual (2005)
28. Sifakis, J.: Rigorous system design. Foundations and Trends in Electronic Design Automa-
tion 6(4) (2013)
29. Su, C., Zhou, M., Yin, L., Wan, H., Gu, M.: Modeling and Verification of Component-Based
Systems with Data Passing Using BIP. In: ICECCS (2013)
30. Wachter, B., Kroening, D., Ouaknine, J.: Verifying multi-threaded software with Impact. In:
FMCAD (2013)
