Concurrent Embedded Real-Time Software (CERTS) is intrinsically dierent from traditional, sequential, independent, and temporally unconstrained software. The veri®cation of software is more complex than hardware due to inherent¯exibilities (dynamic behavior) that incur a multitude of possible system states. The veri®cation of CERTS is all the more dicult due to its concurrency and embeddedness. The work presented here shows how the complexity of CERTS veri®cation can be reduced signi®cantly through answering common engineering questions such as when, where, and how one must verify embedded software. First, a new Schedule-Verify-Map strategy is proposed to answer the when question. Second, veri®cation under system concurrency is proposed to answer the where question. Finally, a complete symbolic model checking procedure is proposed for CERTS veri®cation. Several application examples illustrate the usefulness of our technique in increasing veri®cation scalability. Ó
Introduction
With the burgeoning wide-spread embedding of software into computerized systems and the increasing complexity of today's hardware±software systems, software veri®cation is an indispensable procedure in system synthesis. Software veri®ca-tion tries to uncover discrepancies in the interaction between software and hardware, to guarantee the satisfaction of real-time constraints by the software under all circumstances, and to check if the synthesized software is optimally con®gured. In this work, we try to answer questions related to software veri®cation such as when should software be veri®ed, where should software be veri®ed, and how should software be veri®ed.
When should software be veri®ed ? Embedded software is synthesized through a process called quasi-static scheduling (QSS) [25] . QSS computes most of the schedule for a set of software processes at compile time, leaving at run-time only the solution of data-dependent decisions. After QSS, software code is then generated through a simple syntax mapping from the scheduled processes. Veri®cation can be performed at three dierent points: before scheduling, after scheduling, and after code generation. On one hand, before scheduling, processes generally have some regions in its state-space which will be eventually eliminated by scheduling. On the other hand, after code generation, the software code is generally implementation-dependent and contains coding technicalities that do not really contribute toward the actual behavior of the software. Hence, we propose to verify software after scheduling and before code generation, which will be discussed in details in Section 3.
Where should software be veri®ed ? There are generally two kinds of concurrencies in a hardware±software system: system concurrency and process concurrency. System concurrency is generally associated with the number of Central Processing Units (CPUs) or Application Speci®c Instruction Processors (ASIPs) or Application Speci®c Integrated Circuits (ASICs). Normally there are dedicated CPUs for software execution. Thus, we will con®ne ourselves to the number of CPUs executing the software as the system concurrency. Process concurrency is the maximum degree of parallelism that a set of processes exhibits during execution. Process concurrency is generally much larger than system concurrency. This is because if process concurrency were to be smaller than system concurrency then the system will be under-utilized, indicating a waste of resources. Conventionally, software is veri®ed under process concurrency. For example, we usually verify a communication protocol under the maximum-process concurrency assumption. What we propose here is that embedded software should instead be veri®ed under the system concurrency. This has a signi®cant impact on veri®cation eciency and scalability, as will be illustrated in Section 4.
How should software be veri®ed ? An algorithmic procedure for formal veri®cation that has gained unforeseen popularity among veri®cation scientists and likewise among design engineers, is called model checking. Model checking is an automatic procedure to verify if a given system satis®es a given temporal property [4] . For dense real-time systems, a system is often described using Timed Automata (TA) [7] and a property is often speci®ed in Timed Computation Tree Logic (TCTL) [14, 15] . For hybrid systems, Linear Hybrid Automata (LHA) [5, 6] is a theoretically proven model for veri®cation purposes. LHA was also recently used as a formal model for timing coveri®cation of hardware/software systems by the author [16] . Here, we assume that all processors in our target system are homogeneous. Since we are mainly verifying concurrent software that executes on processors with the same clock rates, we will be using the simpler TA model instead of LHA. We propose two model-checking algorithms for Concurrent Embedded Real-Time Software (CERTS). Basically, the algorithms work by abridging a set of given TA into a smaller set to acquiesce for the smaller system concurrency (as compared to process concurrency) and then annotating the abridged TA with pre-generated valid schedules. Finally, model checking is applied on the abridged and annotated set of TA. A detailed description is given in Section 5.
This paper is organized as follows. Section 2 gives a brief survey of current software synthesis methods in context of veri®cation. Section 3 answers the when question by proposing a ScheduleVerify-Map (SVM) strategy. Section 4 answers the where question by demonstrating the validity of verifying at the system concurrency instead of at process concurrency. Section 5 answers the how question by proposing two veri®cation algorithms for CERTS. Section 6 gives several application examples to support the answers presented in the previous three sections. Section 7 concludes the paper.
Embedded software synthesis
Currently, software synthesis is a hot topic of research in the ®eld of hardware±software codesign. Previously, a large eort was directed towards hardware synthesis and comparatively little attention paid to software synthesis. Partial software synthesis was mainly carried out for communication protocols [24] , plant controllers, [8, 9, 23] and real-time schedulers [2, 26] because they generally exhibited regular behaviors. Only recently has there been some work on automatically generating software code for embedded systems [10, 21, 22, 25, 27] . As far as the authors know, no automatic software synthesis method is available for concurrent real-time embedded software. We are working on this portion of research, and this paper is the veri®cation part of the work. In the following, we will brie¯y survey the existing works on the synthesis of non-real-time software.
Lin [21, 22] proposed an algorithm that generates a software program from a concurrent process speci®cation through intermediate Petri-Net representation. This approach is based on the assumption that the Petri-Nets are safe, i.e., buers can store at most one data unit, which implies that it is always schedulable. The proposed method applies QSS to a set of safe Petri-Nets to produce a set of corresponding state machines, which can then be mapped syntactically to the ®nal software code. Zhu and Lin [27] proposed a compositional synthesis method that reduced the generated code size and thus was more ecient.
A software synthesis method was proposed for a more general Petri-Net framework by Sgroi et al. [25] . A QSS algorithm was proposed for FreeChoice Petri Nets (FCPN) [25] . A necessary and sucient condition was given for a FCPN to be schedulable. Schedulability was ®rst tested for a FCPN and then a valid schedule generated by decomposing a FCPN into a set of Con¯ict-Free (CF) components which were then individually and statically scheduled. Code was ®nally generated from the valid schedule.
Balarin et al. [10] proposed a software synthesis procedure for reactive embedded systems in the Codesign Finite State Machine (CFSM) [11] framework with the POLIS hardware±software codesign tool [11] . This work cannot be easily extended to other more general frameworks.
All the above work suggests that the research on software synthesis is still at a very young stage and without any veri®cation. We propose to incorporate software veri®cation into the synthesis procedure for several reasons. Firstly, with the increased use of Virtual Components (VC) or Intellectual Properties (IP), an embedded software might be installed into more than one type of system, hence its adaptability to various system environments should be veri®ed. Secondly, since software is inherently more complex than hardware, mere simulation or testing might not uncover errors that could be drastic. Hence, veri®cation is required especially for high assurance systems. Thirdly, certain features of the software part in a hardware±software system are independent of the hardware. Verifying these features together with the hardware would unnecessarily increase veri®cation complexity. Thus, isolating software-speci®c faults might increase the chances of successfully coverifying the entire system. Lastly, if veri®cation is performed after the complete software synthesis procedure, then the implementation details in the generated software code would simply obscure important behaviors of the software, thus making software more dicult to verify.
In the following, we will illustrate our veri®ca-tion approach based on the QSS method of software synthesis. Our veri®cation approach is independent of the scheduling method and hence can be applied also to other methods of software synthesis such as priority-based preemptive scheduling.
Schedule-verify-map strategy
This section answers the when question, that is,`w hen should software be veri®ed?'' The context in which software veri®cation will be discussed is embedded software synthesis, which was described in Section 2. As depicted in Fig. 1 , there are three stages in synthesis (®rst row in the ®gure), namely, process speci®cation, scheduling, and code generation. · Stage (1). In process speci®cation, a set of communicating processes representing the behavior of desired software is speci®ed. This speci®ca-tion can be in the form of a set of Petri-Nets [21, 22, 25, 27] , or in formal speci®cation languages such as Esterel, LOTOS, and others. · Stage (2). In scheduling, except for run-time dependent computations, all other computations in the speci®ed processes are quasi-statically scheduled [22, 25] . The scheduled processes are usually represented by a set of ®nite state-machines. · Stage (3). In code generation, the set of ®nite state-machines is syntactically mapped to actual software code. A software time loop may be utilized to maintain the schedule in the ®nite statemachines.
Conventional veri®cation approaches
Theoretically, verifying the given processes can be done after either one of the stages during software synthesis. Veri®cation scientists try to verify processes immediately after process speci®cation (i.e., Stage (1)) to ®nd any speci®cation errors. This is called the Verify-Schedule-Map (VSM) approach (column 1 and row 1 in Fig. 1 ). Design engineers try to verify the ®nal program after code generation (i.e., Stage (3)). This is called the Schedule-Map-Verify (SMV) approach (row 1 and column 3 in Fig. 1 ). Both of these approaches encounter dierent degrees of state-space explosion problems.
Verifying process speci®cation explores unnecessary regions in the state-space that would eventually not even exist in the ®nal software code. These regions are basically those that will be eliminated after scheduling (Stage (2)). The problem becomes worse when the degree of non-determinism is high in the speci®cation or when the degree of process concurrency increases. The degree of nondeterminism (d ND ) is the maximum number of different possible behaviors that a system can have in any one state. The degree of process concurrency (d PC ) is de®ned as the maximum number of processes that can execute concurrently in the system speci®ed. Further details on how d ND and d PC aect veri®cation are discussed in Sections 3.2 and 4.
Veri®cation of software program code also indulges in unnecessary state-space explosions and thus aects scalability in the number or size of processes veri®able. Software programs usually contain many auxiliary, implementation-dependent variables, that contribute towards neither the real behavior of the software nor the satisfaction of speci®ed real-time constraints by the software. As is well-known, the state-space size explored during veri®cation increases exponentially with the number of clock variables and largest integer constant used [4] . The state-space size also increases drastically with the number of free variables. Software programs generally contain a lot of variables, the number of which is not optimized either by the software synthesis procedure or by the software compiler.
In conclusion, both of the above approaches unnecessarily explore regions in the state-space that do not contribute towards the actual goal of veri®cation. Thus, in Section 3.2 a new approach is proposed called SVM as illustrated by row 1 and column 2 of Fig. 1 .
Proposed SVM approach
To overcome the diculties in veri®cation presented in Section 3.1, we propose a new approach called SVM. In SVM, veri®cation is performed after scheduling and before code generation. Since scheduling eliminates certain regions in the statespace, SVM will obviously explore a much smaller part of the state-space. The degree of reduction is analyzed in Section 3.3. Since the target of veri®-cation is a set of scheduled processes and not program code, SVM will also search a smaller state-space than the engineers' approach (veri®-cation after code generation).
Comparing the two conventional approaches ± VSM adopted by veri®cation scientists, SMV adopted by design engineers, and our proposed SVM approach, we have the pros and cons of each summarized in Table 1 . On comparison, it is observed that SVM is a good trade-o between practical feasibility (column 4) and veri®cation completeness (column 6). Although VSM is more than complete, its practical feasibility is often hindered by the exponentially large state-space. SMV is the most practical among the three approaches, yet it is an incomplete validation process (mostly accomplished through simulation and testing that covers less than 100% of the system behavior). A more detailed analysis on the SVM approach is presented in Section 3.3.
Analysis
To analyze the advantage of the SVM strategy in comparison with the conventional approaches, some formal notations, de®nitions, and results are necessary. The sets of integers and non-negative real numbers are denoted by N and R P 0 , respectively.
TA is composed of various modes interconnected by transitions. Variables are segregated into categories of clock and discrete. Clock variables increment at a uniform rate and can be reset on a transition, whereas discrete variables change values only when assigned a new value on a transition. A TA may remain in a particular mode as long as the values of all its variables satisfy a mode predicate, which is a conjunction of clock constraints and boolean propositions.
De®nition 1 @wode predite).
Given a set C of clock variables and a set D of discrete variables, the syntax of a mode predicate g over C and D is de®ned as:
, where xYy PC, $PfTY`YYPYbg, cPN, d PD, and g 1 Yg 2 are mode predicates. Ã Let BCY D be the set of all mode predicates over C and D. A TA may go from a mode to another, that is perform a transition, when the triggering condition (also speci®ed as a mode predicate) is satis®ed by the current valuation of clock and discrete variables. On a transition, some clocks may be reset to zero and some discrete variables may be assigned new integer values.
De®nition 2 @imed utomton). A timed automaton (TA) is a tuple
is an invariance function that labels each mode with a condition true in that mode, E i M i Â M i is a set of transitions, s i X E i U 3BC i Y D i de®nes the transition triggering conditions, and q i X E i U 32
CiDiÂN is an assignment function that maps each transition to a set of assignments such as resetting some clock variables and setting some discrete variables to speci®c integer values. Ã De®nition 3 @ystem stte). Given a system S of n processes fP 1 Y P 2 Y F F F Y P n g modeled by a set of n TA, 
With the above given de®nitions on TA, system state, and mode transition, we will start analyzing SVM by ®rst de®ning the concepts of state nondeterminism in a system, and then using it to quantify the bene®ts obtain by SVM.
De®nition 5 @tte nonEdeterminism). Given a system S of n processes fP 1 
, and a state s of system S, the state non-determinism of s is de®ned as the total number of mode transitions (s 3 s H ), whose occurrence at s is non-deterministic (arbitrarily decided), where s H is a successor system state. Notationally, we have the following de®nition for the state non-determinism (ws) at s:
where xm is the number of out-going transitions of a mode m, which are non-deterministic. Ã
In general, not all state non-determinism (ws) at a state (s) can be quasi-statically scheduled. We denote by w qss s those non-determinism that can be quasi-statically scheduled. In notations,
where x qss m is the number of out-going transitions of a mode m, which are non-deterministic and can be quasi-statically scheduled.
Considering the overall eect of QSS on veri®-cation complexity, we have the following results. First, given a state s of a system S, since all QSS non-determinism have been eliminated before SVM, the reduction obtained is a multiplicative factor of w qss s for a state s. Second, along a computation run of a system (that is, a sequence of alternating states and mode transitions), the combined eect of state non-determinisms at a state s and a successor state s H is multiplicative. This means that the combined non-determinism is w qss s Â w qss s H . Thus, the overall reduction eect of QSS on a system behavior can be quanti®ed by the total number of non-determinisms, W qss S, resolved by QSS for a system S, as follows.
where Reach(S) is the set of reachable states of system S.
Here, the resolution of a set of non-determinisms at a state, s, means instead of considering all possible successor states, s H , due to the concurrent non-determinisms in each process, QSS has ®xed (that is, scheduled) only one of the successor states as a valid scheduled state, where s 3 s H . Hence, the total number of computation runs that SVM explores is W qss S times less than that explored by the VSM approach for a system S.
Taking limits on W qss S, we ®nd that it is a double exponential term in the number of system processes, n, and in the size of the reachable statespace jReachSj, as given in the following.
where d ND is the maximum degree of non-determinism of all processes,
This shows a double exponential decrease in the number of computation runs that need be explored by SVM compared to VSM.
The above was an analytical comparison between the proposed SVM approach and the VSM approach. For a comparison between SVM and SMV, since each ®nal generated program code might contain dierent number of auxiliary variables and data structures, it is dicult to analyze theoretically. Nevertheless, the number of computation runs explored by SMV will be de®nitely larger than that by the SVM approach due to an increase in state-space size with an increase in the number of variables.
Handling concurrency
This section answers the where question, that is,`w here should software be veri®ed ?'' The context in which software veri®cation will be discussed is embedded software synthesis, which was described in Section 2. In general, embedded software is executed on one or more embedded microprocessors. The system concurrency, d SC , as de®ned in Section 1, is the number of CPUs allocated for executing an embedded software program. The degree of process concurrency, d PC , as de®ned in Section 1, is the maximum number of processes that can execute concurrently in the system speci®ed. As described in the rest of this section, we propose to verify embedded software under system concurrency, rather than under process concurrency.
Process concurrency and system concurrency
Nearly all veri®cation theory is based on process concurrency. In general, a system is speci®ed as consisting of a set of processes and the system is then expected to be veri®ed under the assumption that all the processes execute concurrently. However, in the real-world of computerized embedded systems, concurrency is generally limited by the embedding system, that is, the hardware architecture that provides an execution environment. The former is process concurrency, while the latter is system concurrency. System concurrency is generally much smaller than process concurrency. For example, in a two-processor system executing 200 processes concurrently, the process concurrency is 200, but the system concurrency is only two.
Concurrent software is also generally speci®ed as a set of processes. For example, an image processing task may consists of several concurrent processes working on a part of the image data, but if there are only two processors then there can be at most only two processes working concurrently. Communication protocol algorithms are also considered to be executed by a set of processes running concurrently. For example, a system of 10 processes, obeying the Fischer's Mutual Exclusion Protocol (FMEP) [1, 19, 20] and executing on ®ve processors, has a maximum degree of concurrency of ®ve, and not 10. TA for a typical process obeying FMEP is given in Fig. 2. 
Veri®cation under dierent concurrencies
The scalability of formal veri®cation, especially that of model checking, strictly depends on inherent concurrencies in a system model. The size of state-spaces explored by model checking grows exponentially with an increase in concurrency. For example, a two-process system obeying FMEP has 70 modes and 160 transitions [18] , a three-process system has 1239 modes and 4013 transitions, and a 4-process system has approximately 28K modes and 120K transitions. The increase is drastic.
The concurrency of a system is generally speci®ed as the number of processes running in the system. This is incorrect when embedded systems are concerned, because the actual concurrency (number of processors) is much smaller than the number of processes. For example, if veri®cation is performed for a four-process signal polling system executing on two processors, then the size of statespace explored is only 57 modes and 79 transitions, which is much smaller than that for a 4-process system veri®ed under process concurrency of four (78K modes and 205K transitions). TA for the signal polling system is given in Fig. 3 .
For ease of discussion, we will adopt the following notations. In the rest of this paper, unless mentioned otherwise, assume we are given a system S with n processes P fP 1 
Hence, a system is de®ned as a two-tuple S hPY Qi.
On software synthesis, the n processes in P are QSS on the m processors in Q (refer to Section 2 for software synthesis methods). Let Z be the set of valid schedules generated by any software synthesis method, that is,
is a schedule for processor Q i , such that processes P k 1 Y P k 2 Y F F F Y P kr are scheduled to run on Q i . Here, it is assumed that processes are scheduled non-preemptively, which is not a severe restriction as most preemptions can always be removed by breaking a process into two or more at its preemption points. Further, loop repetitions in a schedule can be denoted by a bar on a sequence of processes with an integer on top of the bar to denote the number of times the loop is repeated. For example,
is a schedule for ®rst executing P 1 , then executing three times the sequence of P 3 Y P 5 , and ®nally the rest of the schedule P 8 Y P 10 .
The main issue in handling concurrency is how do we verify n processes under the system concurrency of m processors. In the following Sections 4.3 and 4.4, we propose two dierent approaches for solve this issue, namely, processor-oriented veri®cation and process-oriented veri®cation.
Processor-oriented veri®cation
A straightforward method is to create a new TA for modeling the behavior of each processor. This is called processor-oriented veri®cation. Besides being straightforward, it can be easily extended to include process preemptions due to the¯exibility in directly incorporating schedule changes into the structure of a processor timed automaton.
Based on the syntax representation of a TA, we know that each process automaton, A i , either has a transition, e f P E i , that loops back to the initial mode, m 0 i , from some mode in M i n fm 0 i g or has a ®nal mode, m f P M i . A looping transition is de®ned as one that loops back to the initial mode from some non-initial mode. A ®nal mode is de®ned as an accepting mode, from which there is no outgoing transition.
A processor timed automaton, 
Process-oriented veri®cation
Another method of verifying n processes, running under the system concurrency of m processors, is by directly restricting the execution of the process timed automata in A. This approach is called process-oriented veri®cation. This approach does not allow process preemption, but is more elegant.
A processor locking variable is used to restrict the execution of a process according to a schedule. A processor locking variable is a mutual exclusion variable that indicates which process is currently being executed on a processor. For example, a processor locking variable, l k , locks processor Q k and if l k k j , then process P kj is currently being executed on processor Q k .
Modi®cations of process timed automata are carried out as follows. Create a set of m processor locking variables, fl 1 Y F F F Y l m g, such that l k locks processor Q k , 1 T k T m. Suppose the processor schedules are as follows:
Let the initial value of l k be k 1 . Assume that process P kj is scheduled on processor Q k , 1 T j T r. Modify each process timed automaton, A kj , as follows: · Create a new initial mode, m 3), e, let q kj e q kj eY l k X k j1 , where P k j1 is the next process scheduled to be executed on processor Q k after P kj and``;'' is a concatenation operator for an assignment statement. · For each loop repetition in a schedule (denoted by an overline bar), a counter variable is created to count the number of times the loop has executed. A basic assumption made here is that each process is scheduled on a single processor and no preemption is allowed. The set of modi®ed process timed automata in A is now denoted by
n g, which is ®nally input to the model-checking procedure as described in Section 5.
Model checking embedded software
The framework of veri®cation that we use for software veri®cation is the popular model checking framework [4, 15] , as introduced in Section 1. Model checking veri®es if a given system satis®es a given property. In our framework, a real-time system is described using TA [7] (see De®nition 2) and a temporal property is speci®ed using Timed Computation Tree Logic (TCTL) [14, 15] (see De®nition 6) .
In our framework, recall from Section 4.2, a system S hPY Qi is composed of the following components: · a set of n processes,
De®nition 6 @imed omputtion tree logi formuE l). A timed computation tree logic formula has the following syntax.
Here, g is a mode predicate in
HH are TCTL formulae, $ P f`Y T Y Y P Y bg, and c P N. WÃ/ H means there exists a computation, from the current state, along which / H is always true. W/ H U $c / HH means there exists a computation, from the current state, along which / H is true until / HH becomes true, within the time constraint of $ c. Traditional shorthands like W}, V}, V}, VU, , and 3 can all be de®ned [15] .
Ã Besides a system model and a property speci®-cation, since we are verifying embedded software, we also need the schedules generated by an embedded software synthesis procedure (see Section 2). Recall from Section 4.2, a set of schedules is denoted by:
We are now ready to formulate our problem.
De®nition 7 @gi verifition prolem).
Given a real-time system S hPY Qi, a TCTL formula /, and a set of schedules Z, CERTS veri®cation problem is to verify if S satis®es / under the schedule Z. In notations, this is represented as S Z /. Ã A model checking solution to the CERTS veri®cation problem is proposed in this Section. Two model checking algorithms are given in Tables 2  and 3 . The former is based on the processor-oriented veri®cation approach presented in Section 4.3, while the latter is based on the process-oriented veri®cation approach presented in Section 4.4. The main dierence in these two algorithms is in the set of TA, which is input to the Symbolic_MCheck() procedure (Table 4 ).
In the processor-oriented veri®cation approach, as given in Table 2 , a set of TA, B, is constructed, from the system description and from the set of schedules (generated from a synthesis method), to model the set of processors and this set is input to the symbolic model checking procedure. The construction procedure (Construct Processor TA) was described in Section 4.3.
In the process-oriented veri®cation approach, as given in Table 3 , a set of TA, A H , is constructed by modifying the set of process TA, A, given in the system description and this set is input to the symbolic model checking procedure. The construction procedure (Modify Process TA) was described in Section 4.4.
The symbolic model checking procedure (Symbolic MCheck) used in the two algorithms (Tables 2 and 3 ) is given in Table 4 . A region is de®ned symbolically as a collection of states that satisfy a symbolic condition on clock variable values and a symbolic condition on discrete variable values. Given a region R, its symbolic clock condition and symbolic discrete variable condition are represented by RXClockCond and RXDVarCond, respectively. In most model checking tools, Difference Bound Matrices (DBM) [3, 13] and Binary Table 2 Model checking algorithm for embedded software (processororiented)
schedule set Z; { Let B be an empty set of TA;
// where B k is a timed automaton. B B fB k g; } Symbolic_MCheckBY /; } Table 3 Model checking algorithm for embedded software (processoriented)
The symbolic model checking procedure presented above veri®es if the input set B of TA satis®es the given TCTL formula /. Application examples are given in Section 6 to illustrate and compare the two proposed veri®cation approaches and also how they compare with traditional approaches.
Examples
Several application examples are given here to illustrate our proposed model checking procedure for the veri®cation of concurrent embedded realtime software. First, we will illustrate the SVM approach proposed in Section 3.2 and how it compares with the conventional VSM approach described in Section 3.1. Second, we will illustrate the two veri®cation approaches presented in Sections 4.3 and 4.4. Comparisons are also made between the two proposed approaches. It illustrates the advantage of verifying under system concurrency, compared to verifying under process concurrency.
In the following experiments, we use the StateGraph Manipulators (SGM) [17, 18] , a high-level real-time system veri®cation tool based on the model checking framework. SGM allows¯exibility in comparing dierent veri®cation techniques, such as reduction technique, scheduling technique, etc. Hence, we used SGM. All the experiments were run on a Sun 296 MHz UltraSPARC-II workstation with 256 MB physical memory.
SVM approach versus VSM approach
The proposed SVM approach was compared analytically with the conventional VSM approach Table 6 Label region function in Section 3.3. Here, we will illustrate through application examples the actual comparison between the two veri®cation approaches.
Fischer's mutual exclusion protocol
The ®rst example is the Fischer's Mutual Exclusion Protocol (FMEP) [1, 19, 20] as ®rst introduced in Section 4.1 and illustrated by a process timed automaton in Fig. 2 . In this example, each process tries to enter a critical section (M 4 ) by checking to determine whether the value of variable lock is zero, writing its index (i) to lock within less than one time unit after lock is read as zero, and then re-checking if the value of lock is still its index after one time unit. The read time should be less than the write time for the protocol to work properly. This is exactly the property to be veri®ed. In Fig. 2 , x i is a clock variable and lock is a discrete variable.
The size of state-space of a system of processes obeying the FMEP increases exponentially due to a drastic increase in the number of possible concurrencies. This is observable from the non-scheduled rows in Table 7 . The number of modes and transitions represent the state-space sizes that the conventional VSM approach needs to explore for veri®cation. Here, n, the number of processes in the system, was varied from 2 to 6 to observe the eect of increasing concurrency on the state-space sizes. For illustrating SVM, a system of process timed automata was scheduled by assigning priorities to concurrent lock variable writes (transition M 2 3 M 3 ). The results of scheduling FMEP processes are given by the scheduled rows in Table 7 . On comparison, we observe a large dierence between the state-space sizes explored by the two approaches. Thus, veri®cation scalability is improved when the SVM approach is adopted.
Signal polling system
The second example is the signal polling system (SPS) as ®rst introduced in Section 4.2 and illustrated by a process timed automaton in Fig. 3 . This example illustrates not only how SVM explores a smaller state-space compared to VSM, but also how dierent scheduling techniques aect the sizes of state-spaces explored for veri®cation.
This application is a distributed signal polling system that is generally located at each entry/exit gates of a parking lot. In this example, each process initializes a counter to 500 vacant parking spaces. Then, it starts to poll for any Car-Entry, Car-Exit, or Check-Count signal. When a signal is detected, appropriate actions are carried out. The counter value is decremented for a Car-Entry signal and incremented for a Car-Exit signal. The counter value is output for a Check-Count signal. After completing actions, the polling process is repeated. Here, we need to verify that a car is never allowed entry when there are no vacant parking space available (Count 0).
Experiments were carried out for this example with and without scheduling, the details of which are shown in Table 8 . Veri®cation of a 4-process signal polling system required exploring 78K modes with 205K transitions when no scheduling was applied. This is a very large state-space, the construction of which requires large amounts of Table 8 that the three types of scheduling techniques result in dierent sizes of state-spaces. Applying both post-and pre-signal scheduling results in the smallest state-space. Applying pre-signal scheduling results in a smaller state-space than applying post-signal scheduling. This is consistent with our intuition, because pre-signal scheduling applies a much greater restriction on the behavior of the processes than post-signal scheduling.
System concurrency versus process concurrency
Instead of process concurrency (number of processes), veri®cation under system concurrency (number of processors executing software) was proposed in Section 4. Two dierent models were also proposed, namely, processor-oriented and process-oriented in Sections 4.3 and 4.4, respectively. Here, veri®cation under system concurrency is performed for two application examples and both the models compared with the conventional veri®cation under process concurrency.
Fischer's mutual exclusion protocol
This example is a 4-process system obeying the Fischer's Mutual Exclusion Protocol (FMEP). See Section 6.1.1 for a short description on FMEP. Three dierent system con®gurations are considered: one processor, two processors, and four processors. The 4-process software system was executed on all the three system con®gurations and the state-space sizes recorded as shown in Table 9 , where column n represents the number of processes and column m represents the number of processors.
It can be observed that compared to verifying under process concurrency (row 1 of Table 9 ), verifying under system concurrency (rows 2±5 of Table 9 ) results in a much smaller state-space and in a higher veri®cation scalability. It can also be observed that a process-oriented model for veri®-cation under system concurrency has a smaller state-space compared to that of a processororiented model (rows 3 and 4 of Table 9 ).
Signal polling system
This example is a 4-process SPS, which was introduced in Section 6.1.2. Three dierent system con®gurations are considered: one processor, two processors, and four processors. The 4-process software system was executed on all the three system con®gurations and the state-space sizes recorded as shown in Table 10 . Similar to the previous example, it can be observed that compared to verifying under process concurrency (row 1 of Table 10 ), verifying under system concurrency (rows 2±5 of Table 10 ) results in a much smaller state-space and in a higher veri®cation scalability. It can also be observed that a process-oriented model for veri®cation under system concurrency has a smaller state-space compared to that of a processor-oriented model (rows 3 and 4 of Table 10 ).
Conclusion
A veri®cation method for CERTS was proposed. The method covered three important veri®cation issues: when, where, and how should CERTS veri®cation be performed. In answer to the when issue, a SVM strategy was proposed. It was both analytically and experimentally validated how SVM supercedes conventional VSM and SMV approaches. In answer to the where issue, instead of the conventional veri®cation under process concurrency, veri®cation under system concurrency was proposed. The advantage of verifying under system concurrency was also illustrated through application examples. In answer to the how issue, a complete symbolic model checking procedure was presented within two dierent veri®cation approaches: processor-oriented and process-oriented. Application examples show how the proposed answers to each of the three issues aid in CERTS veri®cation. 
