An SMT-Based Approach to the Formal Analysis of MARTE/CCSL by Zhang, Min et al.
HAL Id: hal-01394677
https://hal.inria.fr/hal-01394677
Submitted on 21 Dec 2016
An SMT-Based Approach to the Formal Analysis of MARTE/CCSL
Min Zhang, Frédéric Mallet, Huibiao Zhu
To cite this version:
Min Zhang, Frédéric Mallet, Huibiao Zhu. An SMT-Based Approach to the Formal Analysis of MARTE/CCSL. Formal Methods and Software Engineering, Nov 2016, Tokyo, Japan. pp.433-449, 10.1007/978-3-319-47846-3_27. hal-01394677
open problem of checking the existence of schedules for a given set of ccsl constraints, it is desirable to perform formal analysis of ccsl constraints, such as simulating a schedule that satisfies all the constraints under a certain policy and verifying whether a given set of constraints satisfies some properties. Many efforts have been made in this direction, relying on transformation into automata and other specific formats [11, 14]. However, successive intermediate transformations are prone to introduce accidental complexity. In this paper, we propose an SMT-based approach to the formal analysis of ccsl constraints, in which ccsl constraints are naturally transformed into SMT formulas. It is well known that SMT-based approaches can effectively overcome the notorious state-explosion problem in model checking, and can also be used for theorem proving. The former feature improves efficiency when ccsl constraints are verified by model checking; the latter allows the invalidity of ccsl constraints to be proved by means of theorem proving, which most existing approaches lack.
Among the properties of ccsl constraints, periodicity is a basic but important one, because real-time embedded systems are inherently periodic and designing correct periodic schedules for such systems is a crucial task. Given a set of ccsl constraints, it is desirable to know whether periodic schedules of it exist. In our earlier work [16], we proposed a sufficient condition for periodic scheduling of ccsl constraints and a state-based approach that searches all the schedules to find one that satisfies the condition. The approach is applicable when the number of schedules of the given constraints is reasonably small and the condition is satisfied at an early step, but becomes less efficient otherwise due to state explosion. In this paper, we propose a less constraining sufficient condition and encode it into SMT formulas, with which we can find periodic schedules of given ccsl constraints using SMT solvers such as Z3 [12] and verify their properties by bounded model checking.
Execution trace analysis is another important application of ccsl constraints. In the marte/ccsl scheme, execution trace analysis is an effective way to design and debug real-time embedded systems [5]. Execution traces are produced by instrumented code; events in the generated traces are extracted and then analyzed to check whether they satisfy the initial constraint specification. One of the most challenging problems in execution trace analysis is finding an efficient way of checking whether a trace satisfies the predefined constraints. We show that the proposed SMT-based approach is also suited to execution trace analysis.
We implement a prototype tool using the K framework [13] for the transformation from ccsl constraints into SMT formulas, with Z3 as its underlying SMT solver. K is a rewrite-based executable semantic framework in which programming languages, type systems and formal analysis tools can be defined. We choose Z3 because it also accepts and can work with formulas that use quantifiers. Although it is no longer a decision procedure for formulas with quantifiers in general, it is often able to handle such formulas. Thus, Z3 may return answers to some formulas with quantifiers that are transformed from ccsl constraints even if no bound is set.
In summary, the contributions of this paper are threefold:
1. An approach is proposed to transform ccsl constraints into SMT formulas for the formal analysis of ccsl constraints. The transformation is straightforward and hence reduces both the transformation effort and the probability of introducing accidental complexity.
2. Applications of the SMT-based approach are demonstrated, including periodic scheduling and trace analysis by means of bounded model checking, and invalidity proving by means of theorem proving.
3. A prototype tool based on the approach is implemented, and experimental results show the feasibility of the proposed approach and the improvement in efficiency for the formal analysis of ccsl constraints.
The rest of this paper is organized as follows: Section 2 briefly introduces the ccsl language and some existing work on its periodic scheduling; Section 3 presents the transformation from ccsl constraints to SMT formulas; Section 4 shows the applications of the SMT-based approach to invalidity proving, periodic scheduling, execution trace analysis, etc.; Section 5 describes the prototype tool and some concrete examples; Section 6 compares our approach with other existing ones, and Section 7 finally concludes the paper.
2 CCSL and its Extension to Periodic Constraint
In ccsl, clocks are used to measure the occurrence time of events in a system. Each event is associated with a clock. Time is represented logically as a sequence of discrete steps rather than as physical time; clocks are therefore called logical clocks. The constraints between clocks can be interpreted as relations between events, e.g., some event must occur earlier than another. Event relations are usually established at an early design stage in the development of a real-time embedded system.
Definition 1 (Logical clock). A logical clock c is an infinite sequence of ticks (ci)i∈ℕ+, where each ci is either tick or idle, representing whether or not the event associated with c occurs at step i.
In [11], clock relations are divided into two classes: ccsl constraints and clock definitions. There are four primitive constraint operators, which are binary relations between clocks, and five kinds of clock definitions. The four constraint operators are called precedence, causality, subclock and exclusion; the five clock definitions are called union, intersection, infimum, supremum and delay. In addition, we introduce a new clock definition called periodic filter, which is used to define the periodicity between two clocks. The meanings of the ten primitive operators are given in terms of schedules and histories. Intuitively, a schedule records the clocks that tick at each step, and a history records the number of ticks of each clock before it reaches a given step.
Definition 2 (Schedule). Given a set C of clocks, a schedule of C is a total function  ∶ ℕ+ → 2C such that for any i in ℕ+, (i) = {c | c ∈ C ∧ ci = tick} and (i) ≠ ∅.
1.  ⊧ c1 ≺ c2 ⟺ ∀n ∈ ℕ+.(c2, n) = (c1, n) ⇒ c2 ∉ (n) (Precedence)
2.  ⊧ c1 ⪯ c2 ⟺ ∀n ∈ ℕ+.(c1, n) ≥ (c2, n) (Causality)
3.  ⊧ c1 ⊆ c2 ⟺ ∀n ∈ ℕ+.c1 ∈ (n) ⇒ c2 ∈ (n) (Subclock)
4.  ⊧ c1 # c2 ⟺ ∀n ∈ ℕ+.c1 ∉ (n) ∨ c2 ∉ (n) (Exclusion)
5.  ⊧ c1 ≜ c2 + c3 ⟺ ∀n ∈ ℕ+.(c1 ∈ (n) ⟺ c2 ∈ (n) ∨ c3 ∈ (n)) (Union)
6.  ⊧ c1 ≜ c2 × c3 ⟺ ∀n ∈ ℕ+.(c1 ∈ (n) ⟺ c2 ∈ (n) ∧ c3 ∈ (n)) (Intersection)
7.  ⊧ c1 ≜ c2 ∧ c3 ⟺ ∀n ∈ ℕ+.(c1, n) = max((c2, n), (c3, n)) (Infimum)
8.  ⊧ c1 ≜ c2 ∨ c3 ⟺ ∀n ∈ ℕ+.(c1, n) = min((c2, n), (c3, n)) (Supremum)
9.  ⊧ c1 ≜ c2 $ d ⟺ ∀n ∈ ℕ+.(c1, n) = max((c2, n) − d, 0) (Delay)
10.  ⊧ c1 ≜ p ⋈ c2 ⟺ ∀n ∈ ℕ+.c1 ∈ (n) ⟺ c2 ∈ (n) ∧ ∃m ∈ ℕ+.(c2, n) = m ∗ p (Periodicity)
Fig. 1. Definition of the 10 primitive ccsl operators
Intuitively, (i) is the subset of all the clocks in C which tick at step i. Note that
we have the condition (i) ≠ ∅ in the definition of , which says that at any step
there must be at least one clock ticking. The condition excludes from schedules
those steps where no clocks tick. They are called empty steps which are trivial in
that adding them to and removing them from a schedule do not affect the logical
relations among the clocks. Thus, we exclude the empty steps from schedules.
Definition 3 (History). Given a set C of clocks and a schedule  ∶ ℕ+ → 2C, a history of  over C is a function  ∶ C × ℕ+ → ℕ such that for any clock c ∈ C and i ∈ ℕ+:
(c, i) = 0 if i = 1;
(c, i) = (c, i − 1) if i > 1 ∧ c ∉ (i − 1);
(c, i) = (c, i − 1) + 1 if i > 1 ∧ c ∈ (i − 1).
Obviously, (c, i) is the number of ticks of clock c immediately before it reaches step i.
We use  ⊧  to denote that schedule  satisfies constraint . Figure 1 shows the definition of the satisfaction of a constraint  by a schedule . Take the definition of precedence as an example:  ⊧ c1 ≺ c2 holds if and only if for any n in ℕ+, c2 must not tick at step n if the number of ticks of c1 equals that of c2 immediately before they reach step n. Precedence and causality are asynchronous constraints: they forbid clocks to tick depending on what has happened on other clocks in earlier steps. Subclock and exclusion are synchronous constraints: they force clocks to tick or not depending on whether another clock ticks at the same step.
Clock definitions 5 to 10 define new clocks such that the clock c1 on the left-hand side of "≜" is uniquely determined by the clock(s) on the right-hand side. Union defines a clock c1 that ticks whenever c2 or c3 ticks, and intersection defines a clock c1 that ticks whenever both c2 and c3 tick. Supremum is used to define the slowest clock c1 that is nevertheless faster than both c2 and c3, and infimum is used to define the fastest clock c1 that is nevertheless slower than both c2 and c3. Delay defines the clock c1 that is c2 delayed by d steps, and periodicity defines the clock c1 that ticks once every time c2 has ticked p times.
Given a set Φ of ccsl constraints and definitions, we use  ⊧ Φ to denote that the schedule  satisfies all the constraints in Φ, and ; k ⊧ Φ with k ∈ ℕ+ to denote that  satisfies all the constraints in Φ at step k. Obviously,  ⊧ Φ if and only if ∀k ∈ ℕ+.; k ⊧ Φ.
Definition 4 (Satisfiability problem of CCSL). Given a set Φ of ccsl constraints, does there exist a schedule  such that  ⊧ Φ?
The satisfiability problem of ccsl is still open; no decision procedure has been proposed for it so far. Nevertheless, the satisfiability problem of some subclasses of ccsl constraints has been studied [11]. For instance, the satisfiability problem of ccsl constraints without the operators ≺, ∧ and ∨ is decidable: the other ccsl operators can be encoded as finite-state transition systems [11], so the satisfiability problem of such a subclass of ccsl constraints is transformed into the reachability problem of the synchronized product of finite-state transition systems, which is decidable. The three operators ≺, ∧ and ∨ cannot be encoded as finite-state transition systems unless extra information such as a counter is provided. They are called unsafe operators in [11] because composing their state transition systems may not terminate. To solve the satisfiability problem of ccsl constraints with unsafe operators, we can set an upper bound on schedules, i.e., consider only the schedules within a bounded number of steps. In [16], we call them bounded schedules.
Definition 5 (Bounded schedule). Given a set Φ of clock constraints on clocks in C and a function  ∶ ℕ+≤n → 2C,  is called an n-bounded schedule if for any i ≤ n, ; i ⊧ Φ.
In most cases, bounded schedules are too restrictive in practice for real-time systems, because real-time systems are assumed to run indefinitely until they are shut down. From a pragmatic point of view, we consider a special class of infinite schedules in which each clock ticks periodically, and call such schedules periodic schedules. Periodic schedules are useful in practice because periodicity is one of the intrinsic features of real-time embedded systems.
Definition 6 (Periodic schedule). A schedule  is called periodic if there exist k, p in ℕ+ such that for any k′ ≥ k, (k′ + p) = (k′); p is called a period of .
Definition 6 means that after step k the schedule  repeats every p steps. p is called the smallest period of  if there is no p′ in ℕ+ such that p′ is also a period of  and p′ < p.
Deciding the existence of a periodic schedule for a given set of ccsl constraints is also an open problem. In [16] we proposed an approach to extend a bounded schedule to a periodic one, together with a sufficient condition under which the approach can be applied. We omit the extension approach here due to space limitations; interested readers are referred to [16] for the details. In this paper, we propose a less constraining sufficient condition than the one in [16].
Theorem 1. Given a bounded schedule  ∶ ℕ+≤n → 2C of a set Φ of ccsl constraints,  can be extended to a periodic one if there exist two natural numbers k, k′ ≤ n with k < k′ such that the following five conditions are satisfied:
1. (k) = (k′);
2. If  is of the form c1 ≺ c2 or c1 ≼ c2, then (c1, k′) − (c1, k) ≥ (c2, k′) − (c2, k);
3. If  is of the form c1 ≜ c2 $ d, then (c2, k) ≥ d and (c1, k′) − (c1, k) = (c2, k′) − (c2, k);
4. If  is of the form c3 ≜ c1 ∧ c2 or c3 ≜ c1 ∨ c2, then (c1, k′) − (c1, k) = (c2, k′) − (c2, k) = (c3, k′) − (c3, k);
5. If  is of the form c1 ≜ p ⋈ c2, then there exists m ∈ ℕ+ such that (c2, k′) − (c2, k) = m × p.
Intuitively, condition 1 says that the clocks that tick at step k are the same as those at step k′; condition 2 means that from step k to k′, c1 must tick faster than or at the same speed as c2 if c1 and c2 satisfy precedence or causality; condition 3 says that for the constraint that a clock c1 is delayed d steps by c2, the number of ticks of c2 immediately before step k must be greater than or equal to d, and c1 and c2 must tick the same number of times from step k to k′. Condition 4 requires that the three clocks c1, c2 and c3 constrained by infimum or supremum tick the same number of times from step k to k′. The last condition says that between k and k′ clock c2 must tick m × p times for some m.
The above conditions are less constraining than those in our earlier work [16], in that the new conditions do not require all clocks to tick the same number of times from step k to k′, which the conditions in [16] do require. With the new sufficient condition, we may find more periodic schedules for a given set of ccsl constraints. Theorem 1 can be proved by case analysis on ccsl constraints; we omit the proof due to space limitations.
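As an added example (not code from the paper or from its clyzer tool), the following Python evaluates Definitions 2 and 3, the ten operators of Figure 1 and the five conditions of Theorem 1 directly on a bounded schedule, using Φalt from Section 5.2 and the first four steps of the schedule in Table 1(b) as constructed input. The tuple syntax for constraints, the function names, and the reading of periodicity (c1 ticks iff c2 ticks and c2's history is a positive multiple of p, as in Figure 1) are assumptions of this example.

```python
"""Added example: Definitions 2-3, the operators of Fig. 1 and the conditions of
Theorem 1 evaluated directly on a bounded schedule.  Constructed for this page;
the constraint tuple syntax and function names are assumptions."""
from itertools import combinations

# A bounded schedule is a list of sets: schedule[i - 1] is the set of clocks ticking at step i.
# Constraints are tuples: ("prec" | "caus" | "sub" | "excl", c1, c2),
# ("union" | "inter" | "inf" | "sup", c1, c2, c3), ("delay", c1, c2, d), ("periodic", c1, p, c2).

def history(schedule, c, i):
    """Definition 3: number of ticks of clock c strictly before step i (steps are 1-based)."""
    return sum(1 for step in schedule[: i - 1] if c in step)

def holds_at(con, schedule, n):
    """Fig. 1: does constraint con hold at step n of the schedule?"""
    ticks = schedule[n - 1]
    h = lambda c: history(schedule, c, n)
    op, a, b = con[0], con[1], con[2]
    if op == "prec":
        return not (h(a) == h(b) and b in ticks)
    if op == "caus":
        return h(a) >= h(b)
    if op == "sub":
        return a not in ticks or b in ticks
    if op == "excl":
        return not (a in ticks and b in ticks)
    if op == "union":
        return (a in ticks) == (b in ticks or con[3] in ticks)
    if op == "inter":
        return (a in ticks) == (b in ticks and con[3] in ticks)
    if op == "inf":
        return h(a) == max(h(b), h(con[3]))
    if op == "sup":
        return h(a) == min(h(b), h(con[3]))
    if op == "delay":
        return h(a) == max(h(b) - con[3], 0)
    if op == "periodic":  # c1 ticks iff c2 ticks and c2's history is a positive multiple of p
        p, c2 = con[2], con[3]
        return (a in ticks) == (c2 in ticks and h(c2) > 0 and h(c2) % p == 0)
    raise ValueError(f"unknown operator {op}")

def is_bounded_schedule(schedule, constraints):
    """Definition 5 (with the non-empty steps of Definition 2): every constraint holds at every step."""
    n = len(schedule)
    return all(schedule) and all(holds_at(con, schedule, i) for con in constraints for i in range(1, n + 1))

def ticks_between(schedule, c, k, k2):
    """Ticks of c from step k up to (not including) step k', i.e. h_c(k') - h_c(k)."""
    return history(schedule, c, k2) - history(schedule, c, k)

def periodic_witness(schedule, constraints):
    """First pair (k, k') with k < k' <= n meeting conditions 1-5 of Theorem 1, or None."""
    n = len(schedule)
    for k, k2 in combinations(range(1, n + 1), 2):
        if schedule[k - 1] != schedule[k2 - 1]:                     # condition 1
            continue
        d = lambda c: ticks_between(schedule, c, k, k2)
        ok = True
        for con in constraints:
            op = con[0]
            if op in ("prec", "caus"):                                  # condition 2
                ok = ok and d(con[1]) >= d(con[2])
            elif op == "delay":                                         # condition 3
                ok = ok and history(schedule, con[2], k) >= con[3] and d(con[1]) == d(con[2])
            elif op in ("inf", "sup"):                                  # condition 4
                ok = ok and d(con[1]) == d(con[2]) == d(con[3])
            elif op == "periodic":                                      # condition 5, m in N+
                ok = ok and d(con[3]) > 0 and d(con[3]) % con[2] == 0
        if ok:
            return (k, k2)
    return None

# Constructed input: Phi_alt of Section 5.2 and the first four steps of the schedule of Table 1(b).
PHI_ALT = [("prec", "a", "b"), ("delay", "c", "a", 1), ("prec", "b", "c")]
SCHEDULE = [{"a"}, {"b"}, {"a", "c"}, {"b"}]

if __name__ == "__main__":
    print("4-bounded schedule of Phi_alt:", is_bounded_schedule(SCHEDULE, PHI_ALT))  # True
    print("(k, k') from Theorem 1:", periodic_witness(SCHEDULE, PHI_ALT))           # (2, 4)
```

Running the block reports that the four-step schedule satisfies Φalt at every step and that (k, k′) = (2, 4) is the first pair meeting the conditions, which agrees with the bound-5 row of Table 1(a). Because the checker only inspects steps within the bound, it also illustrates why a solver may return a schedule that is correct up to the bound yet violates a history-dependent constraint at the next step, as discussed in Section 5.2.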
3 Encoding CCSL Constraints into SMT formulas
In this section we introduce an approach for encoding ccsl constraints and the sufficient condition for periodic scheduling proposed in Section 2 into SMT formulas. The generated formulas may contain quantifiers, linear integer arithmetic and uninterpreted functions, and hence belong to the UFLIA logic (the linear fragment of the theory of integer arithmetic with free sort and function symbols) of the SMT-LIB standard [2].
1. c1 ≺ c2 ⟺ ∀n ∈ ℕ+.ℎc1 (n) = ℎc2 (n) ⇒ ¬tc2 (n) (Precedence)
2. c1 ⪯ c2 ⟺ ∀n ∈ ℕ+.ℎc1 (n) ≥ ℎc2 (n) (Causality)
3. c1 ⊆ c2 ⟺ ∀n ∈ ℕ+.tc1 (n) ⇒ tc2 (n) (Subclock)
4. c1 # c2 ⟺ ∀n ∈ ℕ+.¬(tc1 (n) ∧ tc2 (n)) (Exclusion)
5. c1 ≜ c2 + c3 ⟺ ∀n ∈ ℕ+.tc1 (n) ⟺ tc2 (n) ∨ tc3 (n) (Union)
6. c1 ≜ c2 × c3 ⟺ ∀n ∈ ℕ+.tc1 (n) ⟺ tc2 (n) ∧ tc3 (n) (Intersection)
7. c1 ≜ c2 ∧ c3 ⟺ ∀n ∈ ℕ+.(ℎc2 (n) ≥ ℎc3 (n) ⇒ ℎc1 (n) = ℎc2 (n)) ∧ (ℎc2 (n) < ℎc3 (n) ⇒ ℎc1 (n) = ℎc3 (n)) (Infimum)
8. c1 ≜ c2 ∨ c3 ⟺ ∀n ∈ ℕ+.(ℎc2 (n) ≥ ℎc3 (n) ⇒ ℎc1 (n) = ℎc3 (n)) ∧ (ℎc2 (n) < ℎc3 (n) ⇒ ℎc1 (n) = ℎc2 (n)) (Supremum)
9. c1 ≜ c2 $ d ⟺ ∀n ∈ ℕ+.(ℎc2 (n) ≥ d ⇒ ℎc1 (n) = (ℎc2 (n) − d)) ∧ (ℎc2 (n) < d ⇒ (ℎc1 (n) = 0)) (Delay)
10. c1 ≜ p ⋈ c2 ⟺ ∀n ∈ ℕ+.((tc1 (n) ⟺ tc2 (n)) ∧ ℎc2 (n) ≠ 0 ∧ ℎc2 (n)%p = 0) (Periodicity)
Fig. 2. Encoding ccsl constraints into SMT formulas
ccsl constraints can be straightforwardly encoded as SMT formulas. Given a set Φ of ccsl constraints on a set C of clocks, a schedule  of Φ can be encoded by a finite set  = {tc ∶ ℕ+ → Bool | c ∈ C} of functions such that for any c in C and n in ℕ+, c ∈ (n) ⟺ tc(n). The functions in  are uninterpreted functions, so finding a schedule of Φ amounts to giving interpretations to these uninterpreted functions.
We introduce another set  = {ℎc ∶ ℕ+ → ℕ | c ∈ C} of functions in order to encode ccsl constraints into SMT formulas. Each function in  takes a natural number n as its argument and returns the number of steps at which its associated clock has ticked immediately before the clock reaches step n. That is, for any c in C and n in ℕ+, ℎc(n) = (c, n). According to Definition 3, the functions in  must satisfy the following two formulas:
⋀_{c∈C} ℎc(1) = 0 (F1)
⋀_{c∈C} ∀n ∈ ℕ+.(¬tc(n) ⇒ ℎc(n + 1) = ℎc(n)) ∧ (tc(n) ⇒ ℎc(n + 1) = ℎc(n) + 1) (F2)
With  and , we replace c ∈ (n) by tc(n) and (c, n) by ℎc(n) in the definitions of the ten primitive ccsl constraints in Figure 1, and consequently obtain the ten corresponding formulas shown in Figure 2. Given a ccsl constraint , we denote its corresponding formula by ⟦⟧.
According to Definition 2, a schedule must return a non-empty set of clocks at each step. Correspondingly, for each i in ℕ+ there must exist at least one function tc in  such that tc(i) is true. Thus, the functions in  must satisfy the following formula:
∀n ∈ ℕ+. ⋁_{c∈C} tc(n) (F3)
A set Φ = {1, … , m} of m (m > 0) ccsl constraints can be encoded as a set ⦃Φ⦄ of SMT formulas such that ⦃Φ⦄ ≜ {⟦1⟧, ⟦2⟧, … , ⟦m⟧, F1, F2, F3}.
4 Applications of SMT-based Formal Analysis
The SMT formulas transformed from ccsl specifications contain uninterpreted functions and quantifiers. As there is no decision procedure for first-order logic, we may not get an answer to whether there exists a model satisfying the generated SMT formulas. Nevertheless, there are still multiple applications of the SMT-based approach to the formal analysis of ccsl specifications, such as invalidity proving, periodic scheduling, bounded model checking and execution trace analysis.
4.1 Invalidity proving
In [11], a set Φ of ccsl constraints is called invalid if there does not exist any schedule  such that  ⊧ Φ. Namely, there is no set  of functions such that  satisfies all the formulas in ⦃Φ⦄, i.e., ⦃Φ⦄ is unsatisfiable. Consequently, the following proposition holds:
Proposition 1. A set Φ of ccsl constraints is valid iff ⦃Φ⦄ is satisfiable.
By the above proposition, we can conclude that Φ is valid once we find a solution, i.e., a set  of functions, to the satisfiability problem of ⦃Φ⦄. As mentioned in Section 3, the formulas in ⦃Φ⦄ are in UFLIA logic and hence their satisfiability problem is undecidable. If an upper bound is set on the universally quantified variable n in each formula in ⦃Φ⦄, the satisfiability problem becomes decidable because the quantifiers in the formulas can be eliminated. We denote the set of formulas in ⦃Φ⦄ with a common upper bound u for each n by ⦃Φ⦄≤u. If ⦃Φ⦄≤u is unsatisfiable, by Proposition 1 we can immediately conclude that Φ must be invalid, because the unsatisfiability of ⦃Φ⦄≤u implies that ⦃Φ⦄ is also unsatisfiable.
Invalidity proving is also useful for automatically proving that a constraint  is derived from a set Φ of ccsl constraints.
Definition 7. A constraint  is derived from a set Φ of ccsl constraints if for any schedule ,  ⊧ Φ implies  ⊧ .
Let  be the set of functions that represent .  ⊧ Φ implies that  is a solution of ⦃Φ⦄. By Definition 7,  must be a solution of ⟦⟧ if  can be derived from Φ. That is, any solution of ⦃Φ⦄ must be a solution of ⟦⟧; namely, ⦃Φ⦄ ⟹ ⟦⟧ is valid. Thus, the following proposition holds:
Proposition 2. A constraint  is derived from a set Φ of ccsl constraints if and only if ⦃Φ⦄ ⟹ ⟦⟧ is valid.
By Proposition 2, proving the derivation of  from Φ is equivalent to proving that the formula ¬(⦃Φ⦄ ⟹ ⟦⟧) is unsatisfiable, which is undecidable in general. However, we can assign a value to n and check whether ¬(⦃Φ⦄≤n ⟹ ⟦⟧≤n) is unsatisfiable. We repeat this until some n is found such that ¬(⦃Φ⦄≤n ⟹ ⟦⟧≤n) is unsatisfiable, or abort when n exceeds a predefined bound.
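To make the encoding of Section 3 and the bounded derivation check above concrete, here is an added Python example (not the paper's K translator) that prints an SMT-LIB script of the kind a tool like clyzer would hand to Z3: every formula of Figure 2 and F1–F3 is instantiated for n = 1..u, so the script is quantifier-free, and the derivation check appends ¬⟦φ⟧≤u so that an unsat answer proves the derivation up to the bound. The operator names in the constraint tuples, the t_c/h_c function names, the use of an ite for F2 and the QF_UFLIA logic declaration are assumptions of this example; the solver itself is not invoked here.

```python
"""Added example (constructed, not the paper's clyzer code): bounded SMT-LIB encoding
of CCSL constraints (Fig. 2 plus F1-F3, n unrolled to 1..u) and the derivation check
of Section 4.1.  Tuple syntax and function names are assumptions."""

def t(c, n):
    return f"(t_{c} {n})"          # t_c(n): clock c ticks at step n

def h(c, n):
    return f"(h_{c} {n})"          # h_c(n): ticks of c strictly before step n

def enc(con, n):
    """SMT-LIB term for constraint con instantiated at step n (the formulas of Fig. 2)."""
    op, a, b = con[0], con[1], con[2]
    if op == "prec":
        return f"(=> (= {h(a, n)} {h(b, n)}) (not {t(b, n)}))"
    if op == "caus":
        return f"(>= {h(a, n)} {h(b, n)})"
    if op == "sub":
        return f"(=> {t(a, n)} {t(b, n)})"
    if op == "excl":
        return f"(not (and {t(a, n)} {t(b, n)}))"
    if op == "union":
        return f"(= {t(a, n)} (or {t(b, n)} {t(con[3], n)}))"
    if op == "inter":
        return f"(= {t(a, n)} (and {t(b, n)} {t(con[3], n)}))"
    if op in ("inf", "sup"):
        c = con[3]
        # infimum takes the larger history of c2/c3, supremum the smaller one
        big, small = (h(b, n), h(c, n)) if op == "inf" else (h(c, n), h(b, n))
        return (f"(and (=> (>= {h(b, n)} {h(c, n)}) (= {h(a, n)} {big})) "
                f"(=> (< {h(b, n)} {h(c, n)}) (= {h(a, n)} {small})))")
    if op == "delay":
        d = con[3]
        return (f"(and (=> (>= {h(b, n)} {d}) (= {h(a, n)} (- {h(b, n)} {d}))) "
                f"(=> (< {h(b, n)} {d}) (= {h(a, n)} 0)))")
    if op == "periodic":                      # ("periodic", c1, p, c2), read as in Fig. 1
        p, c2 = con[2], con[3]
        return f"(= {t(a, n)} (and {t(c2, n)} (not (= {h(c2, n)} 0)) (= (mod {h(c2, n)} {p}) 0)))"
    raise ValueError(f"unknown operator {op}")

def encode_bounded(clocks, constraints, u):
    """Lines of the bounded problem: declarations, F1, F2 (as an ite), F3 and every constraint for n = 1..u."""
    lines = ["(set-logic QF_UFLIA)"]          # quantifier-free once n is unrolled
    for c in clocks:
        lines += [f"(declare-fun t_{c} (Int) Bool)", f"(declare-fun h_{c} (Int) Int)"]
        lines.append(f"(assert (= {h(c, 1)} 0))")                                    # F1
        for n in range(1, u + 1):                                                    # F2
            lines.append(f"(assert (= {h(c, n + 1)} (ite {t(c, n)} (+ {h(c, n)} 1) {h(c, n)})))")
    for n in range(1, u + 1):                                                        # F3
        lines.append("(assert (or " + " ".join(t(c, n) for c in clocks) + "))")
    for con in constraints:
        for n in range(1, u + 1):
            lines.append(f"(assert {enc(con, n)})")
    return lines

def derivation_script(clocks, constraints, target, u):
    """Script for the negated implication of Section 4.1; 'unsat' proves target is derived up to u."""
    lines = encode_bounded(clocks, constraints, u)
    lines.append("(assert (not (and " + " ".join(enc(target, n) for n in range(1, u + 1)) + ")))")
    lines.append("(check-sat)")
    return lines

if __name__ == "__main__":
    # The query of Listing 1.3 in this encoding: does a ≺ b imply a ≼ b within 10 steps?
    print("\n".join(derivation_script(["a", "b"], [("prec", "a", "b")], ("caus", "a", "b"), 10)))
```

The printed script can be saved to a file and passed to an SMT-LIB solver; a result of unsat for the precedence/causality query reproduces the bounded derivation proof of Section 5.2. Replacing the negated target by a fixed trace (one assertion per clock and step, as in F4 of Section 4.3) turns the same script into a trace check.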
The aforementioned approach can also be applied to the verification of properties of ccsl constraints expressed in temporal logics such as LTL and CTL. Let  be a property; we use Φ ⊧  to denote that the constraints in Φ satisfy , i.e., any schedule that satisfies Φ also satisfies . We assume that a property  is encoded as an SMT formula ⟦⟧. Then verifying Φ ⊧  is equivalent to proving that ⦃Φ⦄ ∪ {¬⟦⟧} is unsatisfiable. If ⦃Φ⦄ ∪ {¬⟦⟧} is shown to be satisfiable, a solution of it can be considered a counterexample, i.e., a witness to the violation of  by Φ. Due to the undecidability of the problem, we may be able neither to prove that ⦃Φ⦄ ∪ {¬⟦⟧} is unsatisfiable nor to find a solution using existing SMT solvers. If  is an invariant property, that is, a property stating that something bad should never happen [3], we can do bounded model checking of  by setting an upper bound on the number of steps. If a counterexample is found,  is not satisfied by Φ. However, bounded model checking cannot be directly applied to liveness properties.
4.2 Verification of periodic scheduling
The SMT-based approach can be applied to the formal analysis of periodic scheduling of ccsl constraints, such as the existence of periodic schedules and model checking of temporal properties of periodic schedules.
By Theorem 1, we can conclude that there must be a periodic schedule of a given set Φ of ccsl constraints once we find two natural numbers k and k′ (k, k′ ≤ n and k < k′) for an n-bounded schedule of Φ such that k, k′ satisfy the five sufficient conditions. Finding k, k′ becomes a satisfiability problem once the five sufficient conditions are transformed into corresponding SMT formulas. We declare two free integer constants k, k′. As argued above, k, k′ should satisfy the formula k < k′ ∧ k′ ≤ n ∧ k > 0. The five conditions are transformed straightforwardly into SMT formulas as follows:
1. Condition 1 is equivalent to the following formula:
⋀_{c∈C} tc(k) ⟺ tc(k′) (C1)
2. For each constraint of the form c1 ≺ c2 or c1 ≼ c2:
ℎc1(k′) − ℎc1(k) ≥ ℎc2(k′) − ℎc2(k) (C2)
3. For each constraint of the form c1 ≜ c2 $ d:
ℎc2(k) ≥ d ∧ ℎc1(k′) − ℎc1(k) = ℎc2(k′) − ℎc2(k) (C3)
4. For each constraint of the form c3 ≜ c1 ∧ c2 or c3 ≜ c1 ∨ c2:
ℎc1(k′) − ℎc1(k) = ℎc2(k′) − ℎc2(k) ∧ ℎc2(k′) − ℎc2(k) = ℎc3(k′) − ℎc3(k) (C4)
5. For each constraint of the form c1 ≜ p ⋈ c2:
(ℎc2(k′) − ℎc2(k)) % p = 0 (C5)
Let ⦃Φ⦄p = ⦃Φ⦄ ∪ {C1, … , C5}. If ⦃Φ⦄p is satisfiable, there exists a periodic schedule for Φ. With existing SMT solvers we can find solutions for k, k′ and an n-bounded schedule of a given set of ccsl constraints, and then obtain the periodic schedule by extending the bounded schedule in the aforementioned way.
There can be more than one periodic schedule for a given set of ccsl constraints. We may need some specific properties to be satisfied by the returned periodic schedule, e.g., a fixed period n. In that case, we only need to transform these properties into SMT formulas. For instance, the property of a fixed period n can be expressed as k′ − k = n. Another example is that all the clocks should tick infinitely often, which is a common requirement for real-time embedded systems. The requirement can be encoded as the following formula:
⋀_{c∈C} ∃i ∈ ℕ+.tc(i) ∧ ∀j ∈ ℕ+.∃j′ ∈ ℕ+.(j′ > j) ∧ (tc(j) ⟹ tc(j′))
The formula says that each clock c must tick at some step i, and for any step j, if c ticks at step j there must be a later step j′ where c also ticks. For a periodic schedule, it suffices to define the formula ⋀_{c∈C} ∃i ∈ ℕ+.(k ≤ i < k′) ∧ tc(i), which says that each clock c must tick at least once in a period. By specifying these specific constraints, we can obtain the desired periodic schedules.
We can also verify whether all the periodic schedules of a given set of ccsl constraints satisfy some desired properties by bounded model checking. Thanks to periodicity, we can even verify liveness properties of periodic schedules: for some liveness properties, it suffices to verify whether they are satisfied before the step k′ where all the clocks start a new period. The approach to bounded model checking of a property with respect to periodic schedules is the same as the one described in the previous subsection.
4.3 Execution trace analysis
The proposed approach can also be used for execution trace analysis. An execution trace is a sequence of sets of events that occur at each step. A trace is produced during the execution of a real-time embedded system by the code instrumented in the system. Thus, each trace is finite, in that the number of steps at which clocks tick is finite. A finite trace of length n is essentially an n-bounded schedule, and a bounded schedule can be encoded as quantifier-free formulas. Given an n-bounded schedule  on a set C of clocks,  can be transformed into a quantifier-free formula as follows:
⋀_{c∈C} ⋀_{i=1,…,n} tc(i) = x (F4)
where x is true if c ∈ (i), and false otherwise.
An execution trace is finite. Supposing that the length of a trace is n, it suffices to check whether the corresponding schedule satisfies all the constraints in Φ in the first n steps. Namely, we only need to check the satisfiability of ⦃Φ⦄≤n ∪ {F4}. All the formulas are quantifier-free and built over linear integer arithmetic, i.e., in QF_LIA logic. The satisfiability problem in QF_LIA logic is decidable. Thus, it is decidable to check whether an execution trace satisfies a set Φ of ccsl constraints.
Listing 1.1. K definition of ccsl syntax of constraints
syntax ClockRel ::= Clock "<" Clock
                  | Clock "<=" Clock
                  | Clock "->" Clock
                  | Clock "#" Clock
                  | Clock "=" Clock "+" Clock
                  | Clock "=" Clock "*" Clock
                  | Clock "=" Clock "/\" Clock
                  | Clock "=" Clock "\/" Clock
                  | Clock "=" Clock "$" Int
                  | Clock "=" Int "~" Clock
Listing 1.2. K rule for translating causality without bound constraint
rule <k> ((C1 <= C2) => .) ... </k>
     <bound> 0 </bound>
     <consts> (.List => ListItem(C1 <= C2)) ... </consts>
     <out> ... (.List => ListItem(smtsPrettyPrint(assert(causUnbd(C1,C2))))) </out>
5 A Prototype Tool and Examples
In this section, we introduce a prototype analyzer for the ccsl language developed on the basis of the proposed approach, and show some experimental results. All the experiments are conducted on a Linux desktop operating system (Ubuntu 16.04) with an Intel 8-core CPU (i7-4790, 3.60GHz) and 12GB memory.
5.1 CCSL analyzer: clyzer
We implement a prototype tool clyzer (short for ccsl analyzer) for the formal analysis of ccsl constraints. The tool consists of a translator that transforms ccsl constraints into SMT problems, and a backend SMT solver, Z3.
The translator is implemented in the K framework. K is a rewrite-based executable semantic framework mainly used to formalize the operational semantics of programming languages and type systems, and to define formal analysis tools. From the operational semantics of a programming language such as C [6], K automatically generates an interpreter that executes programs of the language, and also provides exhaustive state exploration and LTL model checking facilities to verify properties of programs [13]. In our earlier work [16], we defined the operational semantics of ccsl using Maude [4], the backend language of K. K also provides APIs to interact with Z3. These features allow us to develop in K an integrated environment for both the state-based approach and the SMT-based approach to the formal analysis of ccsl constraints, which is one piece of our future work.
At present, we use K only as a pretty-printer (translator) to print out an SMT script, which can be fed into Z3. In K, the syntax of a programming language is naturally defined in standard Backus-Naur Form (BNF), and the transformation is implemented by K rules. Listing 1.1 shows the K definition of the ccsl syntax. The translation of ccsl constraints is defined in K as a state transition system. A state is represented as a labeled and potentially nested cell structure in XML style, called a configuration. A K rule specifies the change of information in each cell. For instance, Listing 1.2 shows the K rule which formalizes the translation of a causality constraint, e.g., C1 <= C2 in the k cell, into a corresponding formula. The function smtsPrettyPrint prints out the formula as an SMT assertion conforming to the syntax of the SMT-LIB standard. The value in the bound cell is 0, indicating that the variable in the generated formula is not bounded but universally quantified over ℕ+.
Listing 1.3. The command that is used to prove a ≺ b implies a ≼ b
Clock a
Clock b
a < b
//prec.ccsl is a file for the code
clyzer -f prec.ccsl -b 10 -c a<=b
Listing 1.4. The command used to prove alternation implies exclusion
Clock a b c
a < b
c = a $ 1
b < c
clyzer -f alter.ccsl -b 7 -c a#b
5.2 Examples of invalidity proving
Mallet et al. proved that precedence is a stronger form of causality, i.e., for any two clocks a, b, a ≺ b implies a ≼ b [11]. As an example, we show that this can be proved automatically in the proposed approach using Z3.
Listing 1.3 shows the code and command used to prove that a ≺ b implies a ≼ b in our tool clyzer. The tool takes a file in which a set Φ of ccsl constraints is declared, an optional bound argument, and a target ccsl constraint  which is to be proved. In this example, it returns unsat for the above command, which means that ¬(⟦a ≺ b⟧≤10 ⟹ ⟦a ≼ b⟧≤10) is unsatisfiable. By the argument in Section 4, we can conclude that precedence is a stronger form of causality. We need a bound, e.g., 10, because the underlying SMT solver Z3 times out without outputting any result if no bound is given.
Another example is that alternation implies exclusion, i.e., if two clocks tick alternately, then they must satisfy the exclusion constraint. Alternation can be represented by the combination of precedence and delay. For instance, if clock a alternates with clock b, this is represented as a set Φalt of constraints such that Φalt ≜ {a ≺ b, c ≜ a $ 1, b ≺ c}. We prove that Φalt implies a # b with the code and command shown in Listing 1.4. Z3 returns unsat if the bound is set to an odd number, e.g., 7. If the bound is set to an even number, e.g., 6, Z3 returns the following solution to the formula ¬(⦃Φalt⦄≤6 ⟹ ⟦a # b⟧≤6):
ta(i) = idle if i ∈ {2, 4}, tick otherwise;
tb(i) = tick if i ∈ {2, 4, 6}, idle otherwise;
tc(i) = tick if i ∈ {3, 5}, idle otherwise.
By the solution, at step 6 clock a ticks but clock c idles, which violates the
constraint c ≜ a $ 1 at step 7 where (a, 7) = 4 but (c, 7) = 2. However, by
definition of the delay, we have (c, 7) = (a, 7) − 1, which is obviously violated
by the solution. The reason for the spurious solution is that for some constraints
such as delay, infimum and supremum, a clock depends on its ticking history
to determine whether it should tick at the next step. Because of the bound, it is not
required that all the constraints be satisfied after the step exceeds the
bound. Thus, the schedule may not be correct at the step which is equal to the
bound. For instance, clock a should not tick at step 6, although it ticks according
to the returned solution.

Table 1. Experimental results for periodic scheduling checking of Φalt

(a) The results with different bounds

Bound | i     | j  | Time (sec)
≤ 4   | unsat |    | ≤ 0.011
5     | 2     | 4  | 0.018
10    | 5     | 7  | 0.028
100   | 97    | 99 | 2.042

(b) The periodic schedule found with bound 5

Clock/Step | 1 | 2 | 3 | 4 | 5
a          | t | i | t | i | -
b          | i | t | i | t | -
c          | i | i | t | i | -
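As an added example (not the paper's code and not the clyzer tool), the following Python script reproduces the two invalidity checks of this section by an explicit bounded search instead of Z3: it finds the spurious solution for ¬(⦃Φalt⦄≤6 ⟹ ⟦a # b⟧≤6) at bound 6, finds none at bound 7, and finds none for a ≺ b ⟹ a ≼ b at bound 10. The function and parameter names, the history-count reading of each constraint, and the requirement that some clock ticks at every step are this example's assumptions, not taken from the page.

```python
"""Bounded counterexample search for implications between CCSL constraints.

Added example, not code from the paper or from clyzer: the Z3 encoding is
replaced by a depth-first search over bounded schedules. chi[x] is the
number of ticks of clock x strictly before the current step, and every
constraint is only required to hold at steps 1..bound, the history-count
reading on which the paper's spurious solution relies. Assumption: at
least one clock ticks at every step (the usual notion of a CCSL schedule).
"""
from itertools import combinations

def nonempty_subsets(clocks):
    """All non-empty sets of clocks that may tick together at one step."""
    for k in range(1, len(clocks) + 1):
        for comb in combinations(clocks, k):
            yield frozenset(comb)

# A constraint is a predicate over (clocks ticking at step i, chi before step i).
def precedence(a, b):   # a < b: b may not tick while the tick counts are equal
    return lambda t, chi: not (chi[a] == chi[b] and b in t)

def causality(a, b):    # a <= b: when the counts are equal, b ticks only with a
    return lambda t, chi: not (chi[a] == chi[b] and b in t and a not in t)

def exclusion(a, b):    # a # b: a and b never tick at the same step
    return lambda t, chi: not (a in t and b in t)

def delay(c, a, d):     # c = a $ d, stated on the history counts only
    return lambda t, chi: chi[c] == max(chi[a] - d, 0)
PHI_ALT = [precedence("a", "b"), delay("c", "a", 1), precedence("b", "c")]

def find_counterexample(clocks, premises, target, bound):
    """Schedule (list of tick sets) satisfying every premise at steps
    1..bound and violating `target` at some step, or None (unsat)."""
    def dfs(step, chi, sched, violated):
        if step > bound:
            return sched if violated else None
        for t in nonempty_subsets(clocks):
            if not all(p(t, chi) for p in premises):
                continue        # prune: a premise is broken at this step
            nxt = {x: chi[x] + (x in t) for x in clocks}
            hit = dfs(step + 1, nxt, sched + [t], violated or not target(t, chi))
            if hit is not None:
                return hit
        return None
    return dfs(1, {x: 0 for x in clocks}, [], False)

if __name__ == "__main__":
    print(find_counterexample(("a", "b", "c"), PHI_ALT, exclusion("a", "b"), 6))  # spurious: a,b at 6
    print(find_counterexample(("a", "b", "c"), PHI_ALT, exclusion("a", "b"), 7))  # None (unsat)
```

The bound-6 result is exactly the schedule printed above (a at 1, 3, 5, 6; b at 2, 4, 6; c at 3, 5); the delay constraint, read on the counts, is only violated at step 7, which lies outside the bound.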
There are also cases when Z3 returns result even if no bound is given. For
instance, we can prove that for any two clocks a and b if b is delayed by a with
one step, a must precede b, i.e., b ≜ a $ 1 implies a ≺ b. Z3 returns unsat even
if no bound is given.
We finally show an example on the verification of temporal properties of
ccsl constraints by bounded model checking. We verify that the constraints
defined in Φalt satisfy one-step alternation, i.e., two clocks tick alternatively
by a single step. One-step alternation can be represented as an LTL formula
□((tick(a) ⟹ ⚪tick(b)) ∧ (tick(b) ⟹ ⚪tick(a)) ∧ (tick(a) ⊕ tick(b))), where
□ and ⚪ are the globally and next operators of LTL, and tick is a parameterized
state predicate which returns true in a state for a clock a if a ticks in that state
and false otherwise. The LTL formula can be equivalently translated into the
following formula in first-order logic:
$$
\forall i \in \mathbb{N}^+.\ (t_a(i) \Rightarrow t_b(i+1)) \wedge (t_b(i) \Rightarrow t_a(i+1)) \wedge (t_a(i) \oplus t_b(i)) \tag{A1}
$$
Similar to the proof of a # b, Z3 returns unsat when the bound is set to an odd
number, and returns a spurious counterexample when the bound is an even
number. The reason for the spurious counterexample is the same
as that for the spurious solution above. If no bound is given, Z3 times out
without outputting any result.
5.3 Examples of periodic scheduling analysis
We show in this section some applications of the proposed approach to the
analysis of periodic scheduling. The first application is to check if there exists
a periodic schedule for a given set of ccsl constraints. Let us consider the
constraints in Φalt. We use the command clyzer -f alter.ccsl -p to find a
periodic schedule for Φalt. However, Z3 cannot return any result and times out.
We need to set a bound to make the problem decidable.
Table 1 shows the experimental results with different bounds. When the
bound is less than or equal to 4, Z3 returns unsat, which means that no periodic
schedule is found. When the bound is set to 5, a periodic schedule is returned with
i = 2 and j = 4, that is, the period is 2. Table 1(b) shows the returned schedule,
by which each clock starts to repeat step 2 and step 3 from step 4. By increasing
the bound, the values of i and j are different, but the returned periodic schedule
has the same period, as shown in Table 1(a). Actually, Z3 returns the same
periodic schedule when the bound is set to 5, 10 and 100 respectively.

[Figure 3: the clocks in1, in2, step1, step2, step3, out, tmp1, tmp2 and the
precedence, causality, delay and union constraints among them]
Fig. 3. Clocks and the constraints Φfla among them in the FLA example

Table 2. Experimental results for periodic scheduling checking of Φfla

Bound | i     | j  | Time (sec)
≤ 4   | unsat |    | ≤ 0.033
5     | 2     | 4  | 0.071
8     | 4     | 6  | 0.206
10    | 5     | 8  | 0.274
100   | 52    | 83 | 102.994
110   | 4     | 6  | 183.122
Next, we show that the returned periodic schedule satisfies the one-step
alternation property. As mentioned in Section 4, it suffices to verify that the property
is satisfied by a single period, e.g. from step 2 to 3. That is, the formula to be
verified is ¬(⦃Φalt⦄≤5 ⟹ A1_{2≤i≤3}), where A1_{2≤i≤3} represents the formula
A1 with the quantified variable i ranging from 2 to 3 instead of over ℕ+. Z3 returns
unsat, which means the property is verified.
We finally consider a more complex set of ccsl constraints which are
abstracted from an application for Flow Latency Analysis (FLA) on AADL
(Architecture Analysis & Design Language) specifications [7]. Figure
3 shows the clocks and the constraints, denoted by Φfla, among them in the
application. There are eight clocks, each of which is associated with an event. Clocks in1
and in2 stand for two inputs, based on which some calculations are performed
at step1 and step2 respectively. At step3 the calculation results are synthesized
and the final result is output at out. Clocks tmp1 and tmp2 are two intermediate
clocks which are used to represent the alternation constraint between in1 ∨ in2
and out.
We try to find periodic schedules that satisfy the constraints in Φfla. Table 2
shows the returned results with different bounds. No periodic schedule is found
in the first 4 steps. As the bound increases, different periodic schedules
are found. Note that when the bound is set to 5 and 8, the same schedule is
returned: by periodicity, a periodic schedule that satisfies the constraints
within 5 steps must also satisfy them within 8 steps. We can also give
a specific period p so that the returned schedule must have the period p. A
different schedule whose period is 3 is returned when the bound is set to 10.
In particular, a schedule whose period is 31 is found when the bound is 100.
Figure 4 depicts the periodic schedule. The period is much longer than what we
expected and is not found by any other existing approach.
Fig. 4. The periodic schedule with period 31 found by clyzer
6 Related Work
Many efforts have been made to the formal analysis of ccsl constraints and
several approaches have been proposed. André defined the operational semantics
of ccsl as a set of rewrite rules and built a simulation engine that can
perform the clock calculus dynamically on the fly [10]. Gascon et al. proposed
to encode ccsl specifications as Büchi automata and compare its expressiveness
with temporal logic [8]. Yin et al. proposed to transform ccsl specifications into
Promela and perform model checking using Spin [15]. In all of their approaches,
only a safe subset of ccsl operators was taken into consideration, i.e., the
underlying state space is finite. Mallet et al. proposed a state-based semantics of
ccsl and encoded each constraint as a transition system [11]. However, some
ccsl constraints such as precedence, supremum and infimum cannot be
represented as a finite-state transition system, which may lead to non-termination of
the synchronization of transition systems. Suryadevara et al. proposed to encode
ccsl as timed automata and showed that clocks of ccsl were complementary
to real-valued clocks of timed automata [14]. In our earlier work [16], we defined
an executable semantics of ccsl in Maude and showed its applications to both
simulation and model checking. The above-mentioned approaches can be used
to boundedly model check those unsafe specifications by setting a bound to the
steps that the clocks can proceed, which is similar to our SMT-based approach
to bounded model checking.
Compared with the above existing approaches, the main advantage of the
SMT-based approach proposed in this paper is that it is more suited to verifying
the invalidity of ccsl constraints and finding bounded and periodic schedules
even for unsafe ccsl constraints. Moreover, the direct interpretation of ccsl
constraints as SMT formulas makes the transformation easier to implement than
other state-based approaches. From the efficiency perspective, SMT-based
approaches are generally more efficient than state-based approaches. These features
make the proposed SMT-based approach complementary to existing approaches
to the formal analysis of ccsl constraints.
7 Conclusion and future work
We have proposed an SMT-based approach and a prototype tool clyzer to the
formal analysis of ccsl constraints. We showed the applications of the proposed
approach to invalidity proving, periodic scheduling, bounded model checking and
trace analysis. Some examples were presented to demonstrate the feasibility and
experimental results showed the efficiency of the proposed approach.
Based on the proposed approach, more work remains to be done, e.g., how to
guide the choice of bounds for a given example, how to translate CTL or LTL
properties of ccsl constraints into SMT formulas for model checking, and how
to detect whether a returned model is spurious. Besides, more complex case
studies will be conducted to check the scalability of the proposed approach.
References
1. André, C., Cuccuru, A., Dekeyser, J.L., et al.: MARTE: a New OMG Profile RFP
for the Modeling and Analysis of Real-Time Embedded systems. In: Proceedings
of the 2nd UML-SoC Workshop (2005)
2. Barrett, C., Fontaine, P., Tinelli, C.: The SMT-LIB standard (version 2.5) (2015)
3. Clarke, E.M., Grumberg, O., Peled, D.A.: Model checking. MIT Press (2001)
4. Clavel, M., et al.: All about Maude. LNCS, Springer (2007)
5. Ebeid, E., Fummi, F., Quaglia, D.: HDL code generation from UML/MARTE
sequence diagrams for verification and synthesis. Design Autom. for Emb. Sys.
19(3), 277–299 (2015)
6. Ellison, C., Roşu, G.: An executable formal semantics of C with applications. In:
Proceedings of the 39th POPL. pp. 533–544. ACM (2012)
7. Feiler, P., Hansson, J.: Flow latency analysis with the architecture analysis and
design language (AADL) (2007)
8. Gascon, R., Mallet, F., DeAntoni, J.: Logical time and temporal logics: Comparing
UML MARTE/CCSL and PSL. In: Proceedings of the 18th TIME. pp. 141–148.
IEEE CS (2011)
9. Lamport, L.: Time, clocks, and the ordering of events in a distributed system.
Commun. ACM 21(7), 558–565 (1978)
10. Mallet, F., André, C.: On the semantics of UML/MARTE clock constraints. In:
Proceedings of ISORC. pp. 305–312. IEEE CS (2009)
11. Mallet, F., de Simone, R.: Correctness issues on MARTE/CCSL constraints. Sci.
Comput. Program. 106, 78–92 (2015)
12. de Moura, L.M., Bjørner, N.: Z3: an efficient SMT solver. In: Proceedings of the
14th TACAS. LNCS, vol. 4963, pp. 337–340. Springer (2008)
13. Roşu, G., Şerbănută, T.F.: An overview of the K semantic framework. The Journal
of Logic and Algebraic Programming 79(6), 397–434 (2010)
14. Suryadevara, J., Seceleanu, C.C., Mallet, F., et al.: Verifying MARTE/CCSL mode
behaviors using UPPAAL. In: Proceedings of the 11th SEFM. LNCS, vol. 8137,
pp. 1–15. Springer (2013)
15. Yin, L., Mallet, F., Liu, J.: Verification of MARTE/CCSL time requirements in
Promela/SPIN. In: Proceedings of the 16th ICECCS. pp. 65–74. IEEE CS (2011)
16. Zhang, M., Mallet, F.: An executable semantics of clock constraint specification
language and its applications. In: Proceedings of the 4th FTSCS. CCIS, vol. 596,
pp. 37–51. Springer (2015)
