The paper reports on the foundations and experimental results with a model checker for component connectors modelled by networks of channels in the calculus Reo. The specification formalisms is a branching time logic that allows to reason about the coordination principles of and the data flow in the network. The underlying model checking algorithm relies on variants of standard automata-based approaches and model checking for CTL-like logics. The implementation uses a symbolic representation of the network and the enabled I/O-operations by means of binary decision diagrams. It has been applied to a couple examples that illustrate the efficiency of our model checker.
Introduction
In the past 15 years, many languages and models for coordination have been developed that provide a formal description of the glue code for plugging components together and can also serve as a starting point for formal verification. In this paper, we address the latter aspect for the exogenous coordination language Reo [2] . In Reo, the glue code is provided by a network of channels obtained through a series of operations that create channel instances and link them together in (network) nodes. The semantics of Reo networks has been provided in different, but consistent ways. [2] formalizes the enabledness and effect of I/O-operations at the network configurations by means of accept and offer predicates that declare whether and which data items can be written or read at a node. An operational semantics that specifies the stepwise behavior of and possible data flow in a Reo network has been presented in [6] using a variant of labelled transition systems, called constraint automata, and shown to be consistent with the timed data stream semantics of [5] .
Although Reo is an elegant formalism to synthesize component connectors with simple composition operators, Reo networks with many channels tend to be hard to understand. Thus, tool support for analyzing the coordination mechanism specified by a Reo network 1 The authors are supported by the DFG-NWO-projects SYANCO and VOSS II.
This paper is electronically published in Electronic Notes in Theoretical Computer Science URL: www.elsevier.nl/locate/entcs is a crucial aspect for applying the Reo framework for complex scenarios. Algorithms for verifying Reo networks on the basis of their constraint automata semantics have been presented in [6] for checking (bi)simulation and language equivalence and in [3, 10] for temporal logic specifications. We follow here the latter approach and deal with a branching time, time-abstract variant of timed data stream logic (TDSL) introduced in [3] for reasoning about real-time constraints of Reo networks in the linear time setting. Ignoring some minor differences, our logic, called branching time stream logic (BTSL), is contained in the logic considered in [10] , where the main focus is on the treatment of dynamic reconfiguration rather than model checking. BTSL combines the standard CTL-operators [11, 12] with a special path modality α and its dual [α] that allow to reason about the data streams observable at the network nodes by means of a regular expression α. For instance, assume C is a component which is linked to a Reo network by an output port Request where C sends off the request to get access to certain resources and an input port Grant where C might receive the grant. Then, the BTSL formula ∃[true * ; Request ; (¬Grant) * ] ∀ true * ; Grant resources_available states the possibility that each request of C will eventually be granted and the required resources will be available for C .
The purpose of this paper is to report on an implementation of a BTSL model checker. The input is a Reo network and a BTSL formula Φ which has to be checked for the network. The BTSL model checking procedure relies on a combination of known methods for model checking CTL-like logics and automata-based approaches for linear time logics. A rough sketch for model checking a BTSL-like logic has been given in [10] , which follows the standard CTL * model checking approach [14, 12] and uses a reduction to the TDSL model checking problem. However, no details or explanations on an efficient implementation have been provided in [10] . In fact, for BTSL the reduction to the model checking problem for the real-time logic TDSL is unnecessary, since simpler techniques sufficies. As we will show in this paper, for the treatment of the modalities α and [α] even a reduction to ordinary CTL is possible. Furthermore, we depart from former approaches with constraint automata by dealing with infinite and finite runs. The latter are crucial for the treatment of deadlock configurations that might appear in Reo networks.
Our model checker deals with a symbolic approach where the constraint automaton for a Reo network is represented by a binary decision diagram (BDD). The first step is the generation of a BDD-representation of the contraint automaton for the network. This is done in a compositional manner by mimicking Reo's operators to synthesize the network by adding channels and joining nodes by means of corresponding operators on BDDs. The second step is then to perform the BTSL model checking using appropriate operations for manipulating BDDs. For this, we apply state-of-the-art techniques for symbolic CTL model checking in combination with a symbolic treatment of the α -and [α]-modality.
Organisation of the paper. Section 2 gives a brief introduction in the coordination language Reo and constraint automata that serve as operational model for Reo networks. In Section 3, we explain the syntax and semantics of the logic BTSL. Section 4 summarizes the main steps of the BTSL model checking algorithm and reports on our symbolic implementation. Experimental results will be presented in Section 5. Section 6 concludes the paper.
Reo and constraint automata
In this section we summarize the main concepts of the coordination language Reo and its operational constraint automata semantics. Further details can be found in [2, 6] . Reo is an exogeneous coordination language which is based on a channel-based calculus where complex component connectors are organized in a network of channels and built in a compositional manner. Reo networks provide the glue code for the coordination and interactions of the components that are connected to the network. Reo relies on a very liberal notion of channels and supports any kind of peer-to-peer communication. The requirement for the channels used in a Reo network are that channels must have two channel ends, declared to be sink or source ends, and a user-defined semantics. At source ends data items enter the channel (by performing corresponding write operations), while data items are received from a channel at the sink ends (by performing corresponding read operations). The figure above shows the graphical representation of three simple channel types that will be used in our examples. Synchronous and FIFO channels have a source and a sink end. In synchronous channels the write and read operations have to be performed simultaneously.
The picture in the middle shows a FIFO channel with one buffer cell, briefly called FIFO1 channel, where the buffer is initially empty. Writing a data item at the source end is enabled as long as the buffer is empty. The effect of writing d is that d will be stored in the buffer. Reading at the sink end is enabled if the buffer is filled, in which case the data item is taken off from the buffer. A very useful channel for the design of complex coordination principles in Reo is the synchronous drain. It has two source ends (but no sink end). A data item has to be written on both ends simultaneously and both are being destroyed. The nodes of a Reo network represent sets of channel ends. They arise through Reo's join operator and can be classified into source, sink and mixed nodes, depending on whether all channel ends that coincide on a node A are source ends (then A is a source node), sink ends (then A is a sink node), or whether A combines sink and source ends (then A is a mixed node). Source and sink nodes represent input and output ports where components might connect to the network. The mixed nodes serve as routers where data items can be transmitted through the network.
Concurrent I/O-operations. For simplicity of the paper, we assume here a fixed finite and nonempty set Data of data items that can be written or taken from the channels. If N is a set of network nodes then the observable data flow at some moment can be described by a concurrent I/O-operation. This means a pair (N, δ) where N is a nonempty node-set (i.e., / 0 = N ⊆ N ) and δ : N → Data. The intuitive meaning of a concurrent I/O-operation (N, δ) is that the nodes A ∈ N synchronize their I/O-operations such that δ(A) is the data item observed at node A. More precisely, each source node A ∈ N writes data item δ(A) at all channels with a source end on A, while each sink node A ∈ N takes data item δ(A) from one of the channels with a sink end on A. The mixed nodes A ∈ N read δ(A) from one of the channels with a sink end on A and simultaneously writes δ(A) at all channels with a source end on A. In the moment where the concurrent I/O-operation (N, δ) is performed there is no data flow at the other nodes B ∈ N \ N.
Constraint automata have been introduced to provide a compositional, operational semantics for Reo networks [6] . The states of the automaton for a Reo network represent the configurations (e.g., contents of the buffers for FIFO channels), while the transitions model the enabled concurrent I/O-operations. In [6] the transitions have the form q N,dc −−−→ p where q and p are the starting and target states, respectively, N is the set of nodes where I/O-operations are performed simultaneously and dc is a data constraint, i.e., a boolean condition on the data items written or read at the nodes A ∈ N. According to our BDD-based implementation (see Section 4), we go one step further towards a symbolic representation and deal with transitions q g − → p where g is an I/O-constraint, i.e., a condition on both, the nodes where I/O-operations will be performed and the data items. Furthermore we depart from [6] by dropping the requirement that all runs have to be infinite. We also deal with finite runs, which are necessary to argue about deadlock configurations.
I State
condition means that in all enabled concurrent I/O-operations in q at least one of the sink or source nodes is involved. These I/O-operations might be refused if the components that connect to these nodes are not willing to provide the corresponding write or read operations. Thus, data flow might stop in terminal states. The intuitive operational behavior of a constraint automaton can be formalized by its runs. Runs in a constraint automaton are defined as finite or infinite sequences of consecutive transition instances. In the case of finite runs, we allow that they end with a special pseudo-transition with the label √ , denoting the end of data flow, provided that the last state is terminal. I.e., finite runs have the form
. . , k) and q k is terminal for finite runs ending with a √ -transition (case (2)). The length |θ| ∈ IN ∪ {ω} is defined as the number of transition instances taken in θ (possibly including the pseudo-transition with label √ ). A maximal run means an infinite run or a finite run that ends with a pseudo-transition labelled by √ . We write Runs(q) for the set of all runs starting in q and MaxRuns(q) for all maximal runs starting in q. 
Branching Time Stream Logic
In this section we introduce a branching time temporal logic for reasoning about the control and data flow of a constraint automata. The logic, called Branching Time Stream Logic (BTSL), combines features of CTL [11, 12] , PDL [15] and timed data stream logic (TDSL) [3, 9, 4] . As in CTL, formulas may refer to the configurations of a component con-nector (states of a constraint automata) by means of atomic propositions ap ∈ AP and may use the path quantifiers ∃ and ∀. Path properties are specified by the standard until operator or the PDL/TSDL-like modality α where α is a regular expression specifying sequences of I/O-operations at the nodes.
Branching Time Stream Logic (BTSL).
A BTSL signature is a tuple (AP, N ) consisting of a finite nonempty set AP of atomic propositions and a finite nonempty node-set N .
The syntax of BTSL has three levels: state formulas (denoted by capitol greek letters Φ, Ψ), run formulas (denoted by the small greek letter ϕ), and regular I/O-stream expressions (denoted by the letter α). The abstract syntax of BTSL is given by the following grammar where ap ∈ AP and g ∈ IOC:
The intuitive meaning of the state formulas and the until operator U is as in CTL. In the PDL-like formula α Φ, the regular I/O-stream expression α specifies a set of finite I/O streams, i.e., finite sequences of concurrent I/O-operations, possibly ending with the symbol √ . Intuitively, α Φ holds for a maximal run if it starts with a finite prefix where the data flow matches the conditions specified by α.
Other operators can be derived, e.g., 3Φ = true U Φ (eventually), ∀2Φ = ¬∃3¬Φ and 
BTSL formulas over the signature (AP, N ) are interpreted over a constraint automaton with the node-set N and the set AP of atomic propositions. For A = (Q, N , −→, Q 0 , AP, L), the satisfaction relation |= A for BTSL state formulas is defined in the standard way: 
For θ to be an infinite or finite maximal run with the state sequence q 0 q 1 q 2 . . .: The terminal states of a constraint automaton are characterized by the formula Φ terminal = ∃ stop true.
Symbolic BTSL Model Checking
The BTSL model checking problem takes as input a Reo network, possibly together with constraint automata that specify the interfaces of the components that are connected to the source and sink nodes of the network, and a BTSL formula which has to be checked for the network. The automata for the components that are connected to the sink or source nodes of the network describe the environment in which the network operates. They may restrict the nondeterminism in the automaton for the network, since certain transition instances (concurrent I/O-operations) might become impossible due to the behavioral interfaces of the components. After connecting a sink and source node A of the network with a port of a component, A is treated as a mixed node. Thus, the automata for the component might also decrease the set of terminal states. In case nothing is known about the potential behaviors of the components that will be coordinated by the network, these automata can be skipped, in which case all possible interactions of the sink and source nodes will be taken into account for the analysis. The schema of our model checker is depicted in Fig. 4 . The first step is to generate an appropriate representation of the constraint automaton associated with the network, possibly within the environment given by the automata for the components. The goal of the second step is to verify or falsify whether for the generated constraint automata a given BTSL formula holds in all initial states. For certain formula types the model checker can return a witness (e.g., a run θ with θ |= ϕ if the formula to be checked is ∃ϕ) or a counterexample (e.g., a run θ with θ |= ϕ if the formula to be checked is ∀ϕ).
In the remainder of this section, we report on a symbolic BTSL model checker. We first summarize the main steps of the BTSL model checking algorithm and then explain its symbolic realization.
The model checking algorithm. BTSL model checking relies on a combination of the CTL model checking algorithm [11] with automata-based approaches. Given a constraint automata A and BTSL state formula Φ, the idea is an iterative computation of the satisfaction sets Sat A (Ψ) for the sub-state-formulas Ψ of Φ.
The treatment of the propositional logic fragment is obvious. The satisfaction sets for 
Given A and Z, we then built the product A × Z where the states are pairs (q, z) consisting of a state q in A and a state z in Z. The transitions in A × Z are obtained by the following rules:
where we use the subscripts A, Z or A × Z for the transition relations in A, Z and A × Z, respectively. The product A × Z is equipped with two atomic propositions sat(Ψ) and final and the labeling function that assigns sat(Ψ) to all states (q, z) where q |= A Ψ and final to all states (q, z) where z ∈ Z F . The following proposition (see appendix for the proof) provides a reduction to CTL. 
Proposition 4.1 (Reduction to CTL)
(a) q |= A ∃ α Ψ iff there exists z 0 ∈ Z 0 with (q, z 0 ) |= A×Z ∃3(sat(Ψ) ∧ final) (b) If A is deterministic then q |= A ∃[α]Ψ iff (q, z 0 ) |= A×Z ∃2(sat(Ψ) ∨ ¬final)
Algorithm 1 Computation of Sat(∃[α]Ψ)
construct an NFA Z for α and built the product A × Z;
Proposition 4.2 Algorithm 1 computes the set of states q ∈ Q where q |=
Proof. Let V be the set of states (q, z) that belong to V when the repeat-loop terminates.
and let W i be the set of states that are removed from V in the i-th iteration. Then,
and n is the number of iterations. Moreover, we have:
(i) for all (q, z) ∈ V where q is non-terminal there exists a transition instance q
(ii) for all (q, z) ∈ W i and for all runs q = q 0
Let us now assume that q 0 is a state contained in the set returned by Algorithm 1. Then, (q 0 , z 0 ) ∈ V for all initial states z 0 in Z. We successively apply (i) to obtain a maximal run in A θ = q 0 We now consider a state q 0 ∈ Q such that q 0 |= A ∃[α]Ψ. Let
Contradiction. This yields (q 0 , z 0 ) ∈ V for all z 0 ∈ Z 0 . Hence, q 0 is in the set of states returned by Algorithm 1. 
Symbolic implementation.
We now summarize the main features of our symbolic BTSL model checker with binary decision diagrams (BDDs), see e.g. [8, 17, 16, 19] . BDDs are a data structure for switching functions f : Eval(x 1 , . . . , x n ) → {0, 1} where x 1 , . . . , x n are boolean variables and Eval(x 1 , . . . , x n ) denotes the set of evaluations for x 1 , . . . , x n . To represent a constraint automaton A = (Q, N , −→, Q 0 , AP, L) by a BDD, we fix a binary encoding of the states, i.e., we embed Q into {0, 1} n by an injective function bin : Q → {0, 1} n where n = ⌈log |Q|⌉, choose boolean state variables q 1 , . . . , q n and then identify each state q with the evaluation for q 1 , . . . , q n given by bin(q). In the same way, we may encode the data items by bit tuples. For simplicity, we assume here the boolean data domain . . , q n ) encodes the starting state,q ′ = (q ′ 1 , . . . , q ′ n ) the target state, whileĀ andd serve to represent the concurrent I/O-operations. For instance, the transition relations of the constraint automata for a synchronous channel with source node A and sink node B and a synchronous drain are given by:
For a FIFO1 channel we have to encode three states, say bin(q) = 00, bin(q(1)) = 11 and bin(q(0)) = 10, and then may represent the automaton by
The BDD-representation for the transition relation of a Reo network can be constructed in a compositional manner, by mimicking Reo's composition operators with corresponding operators on constraint automata and applying the analogous symbolic operations for manipulating switching functions. We will briefly consider the join operator which allows to collapse two nodes into a single node. Using some appropriate renaming of nodes, Reo's join operator can be reduced on the automata level to a product construction that "synchronizes" the data flow at the common nodes of the given constraint automata (see [6] ). If A 1 and A 2 are constraint automata with node sets N 1 and N 2 , respectively, then the concurrent I/O-operations in the product A 1 × A 2 are given by the transition instances obtained by the following synchronization rule and two interleaving rules:
where ¬N i stands short for
These rules can be realized in a symbolic way by putting
and Q is in the state space of A.
Beside the transition relation, we also need a BDD-represent of the labeling function. 
Examples and results
We applied the BTSL model checker to a couple of examples. We will report here on two case studies. All results were achieved on a Pentium IV, 1.8GHz, 1.5GB RAM with 
Mandriva Linux and kernel 2.6.12. The tool was written in C++, compiled with GCC4.0.3 and uses JINC [18] as library for binary decision diagrams. Table 1 illustrates the efficiency of the symbolic approach to construct the BDDrepresentation of the constraint automaton A for the whole system by the symbolic joinoperation. The first column "size" shows the number of philosophers. The second column "time" shows the time needed for the synthesis phase, while the last column "reachable time" refers to the time needed to compute the reachable fragment of A. The other two columns refer to the size of the generated BDD for A and the maximal size of the BDDs generated during the symbolic computation. To give an impression of the size of the state space: the reachable part of the CA for 800 philosophers consists of about 10 306 states. Several properties have been checked for this model of the dining philosophers. Table 2 shows the results for three BTSL formulas. The columns refer to the number of philosophers, number of steps in the model checking procedure namely the number of iteration within the fixpoint computation and the total amount of time needed to verify (or falsify) the given formula. The second formula does not hold since there is the run where all philosophers take their left chopstick and then wait forever for the missing right chopstick. This deadlock situation has been found with 798 iterations by means of a backward analysis. Computing the reachable part first by means of a forward analysis, the deadlock can be found in 403 steps within 13.92s only.
Example 5.2 [Mutual exclusion]
The second example is the component connector shown in Fig. 7 that realizes a mutual exclusion protocol for n parallel processes (P 1 , . . . , P n ) where at each time instance at most k may perform their critical actions.
We assume here that the behavioural interface of each component P i is represented by the constraint automaton also depicted in Fig. 7 . Fig. 7 . Mutual exclusion scenario and CA for one process Table 3 summarizes the results for the generation of the BDD-representation, where n is the number of processes and k the maximum number of processes allowed to be in their critical section at the same time. For 200 processes and k = 60 this CA consists of more than 5 · 10 119 reachable configurations. n k Time BDD Nodes Peak Reach Time We performed the analysis with several BTSL formulas. 
Conclusion
The purpose of the paper was to explain the functionality and foundations of our model checker for Reo networks. The efficiency has been illustrated by two examples that show that our model checking approach can handle even very large networks with up to 10 1200 configurations in a reasonable amount of time. Given the wide range of applications of the Reo framework, see e.g. [13, 20, 9] , we believe that our model checker yields an important Table 4 Model Checking results for the mutual exclusion contribution for formal reasoning about exogeneous coordination models. Beside further optimizations to increase efficiency and case studies, we will extend our implementation to reason about real-time constraints with the logic TDSL [3] or a branching time version thereof and about dynamic reconfigurations by means of the logic considered in [10] or other formal frameworks for Reo's dynamic operations.
