Writing requirements in a formal notation permits automatic assessment of such properties as ambiguity, consistency, and completeness. However, verifying that the properties expressed in requirements are preserved in other software life cycle artifacts remains di cult. The existing techniques either require substantial manual e ort and skill or su er from exponential explosion of the number of states in the generated state spaces. \Light-weight" formal methods is an approach to achieve scalability in fully-automatic veri cation by checking an abstraction of the system for only certain properties.
Introduction
The keys to winning acceptance for employing formal methods during system development include demonstrating that their use improves software quality, amortizing the cost of their creation across several di erent analysis activities, and reducing the cost of their application through automation. Software quality can be improved by eliminating errors arising from inconsistencies within the description of a system or between two di erent descriptions of a system.
The problem of checking consistency between di erent program artifacts has been worked on since the early days of computer science. Attempts at verifying that a program corresponds to its speci cations were rst made by Hoare, Mills and Dijkstra in 1960s. Their methods typically su ered from the necessity to guess program invariants | a di cult task for all but the smallest programs. Theorem-proving 53] allows to check that a property is implied by the program. This approach, although it requires considerable skill and time investment, is useful in ensuring correctness of software, and has been applied in a variety of veri cation e orts, e.g. 16, 4, 59, 63] . Another approach is to check properties via state exploration (model-checking 18] ). This approach is typically limited to nite-state systems but its main attractiveness is that the veri cation is fully automated. Modelchecking has been e ectively applied to verifying hardware 22, 19, 15, 49] and distributed systems, including network and security protocols 34, 47, 48, 43, 3] . Model-checking has also started to be applied to requirements engineering 6, 23, 60, 7, 64] . However, the size of the state-space grows exponentially to the number of variables in the problem, making all but the most trivial programs too large to analyze. Various researchers have been proposing checking abstractions of programs 66, 42, 35] . Unfortunately, coming up with useful abstractions and interpreting counter-examples remains di cult.
Motivated by the necessity to create highly scalable analysis techniques, we have developed a low-degree-polynomial-time approach to check low-level designs against requirements, summarized in this paper.
Requirements for embedded systems often describe a system as a set of concurrently executing state machines (see 2, 30, 46, 28] ) which respond to events in their environment. Designs are frequently expressed in a program design language (PDL) 9] consisting of a concrete outer syntax of basic statement types and an inner syntax of comments. We de ne a design to be consistent with its requirements if the design's state transitions are enabled by the same events as those of the requirements and all the requirement's state transitions appear in the design. In a large project, these properties may be checked by design and code inspections conducted by human reviewers 45] . This process may be e ective in catching local inconsistencies, but the bookkeeping tasks needed to determine all the possible system states at a particular program point make it di cult to ensure that global properties hold. In this paper we de ne a notation which can be used as a PDL and describe a prototype tool, called cord 12, 13, 11] , which automatically determines if a design written in this notation is consistent with its requirements.
Requirements Notation
The SCR requirements notation was developed by a research group at the Naval Research Laboratory as part of the Software Cost Reduction project 2, 33] . The project resulted in SCR requirements and design standards, as well as guidelines for software development using SCR. A complete SCR requirements speci cation contains behavioral, functional, precision, and timing requirements of a software system, as well as assumptions about the environment in which the system will operate. The speci cation language is precise, can be understood by engineers and software developers, and is easy to use and modify. The initial language lacked an underlying formal semantics. A number of semantics have been proposed 5, 30, 26, 54, 62] , some of which became bases of tools performing consistency and completeness checks 31] and enabling simulations 21, 55] of requirements. In this section we brie y describe SCR behavioral requirements and environmental assumptions. A more formal description can be found in 31] .
The SCR model is used to specify reactive systems. The environment contains monitored and controlled variables. Monitored variables are quantities that in uence the system behavior, and controlled variables are quantities that the system regulates. The required behavior of the system is speci ed as a black box by two relations, REQ and NAT 1 , both from monitored to controlled variables. Relation NAT speci es the natural constraints on the system behavior, imposed by physical laws and the system environment, e.g. \the system can never encounter temperatures less than 0 C". REQ describes the ideal behavior of the system to be built. The system is considered correct if it behaves like REQ in all cases speci ed by NAT.
The SCR model is based on discrete-time event-driven state-transition systems. The software samples the sensors periodically or receives their values through interrupts. Changes to monitored variables may cause the system to change its state or to alter the values of its controlled variables.
Representing conditions as predicates allows us to assume that all monitored and controlled entities are boolean variables.
A state of the monitored environment is a mapping of variables to values, and a state space is the set of possible combinations of values of variables. We assume that the system takes one \unit of time" to move between its states. The behavior of the system is rarely a ected by the values of all the variables at once. A mode class de nes a set of states, called modes, that partition the monitored environment's state space. Each mode class speci es one aspect of the system's behavior, and the system's global behavior is de ned to be the composition of the speci cation's mode classes. At all times, the system is in exactly one mode of each mode class. One mode of each mode class is designated as the initial mode. Assumptions about the initial state of the environment are speci ed with the initial modes. In addition to boolean entities, we use expressions in the form mc = m as conditions indicating that the system is in mode m of modeclass mc; thus, we can think of a mode class as an enumerated type whose values are modes of that mode class.
The system moves between its modes and changes values of its controlled variables in response to events | changes in the environment. We use notation \@T" and \@F" to denote various events. A primitive event is an event @T/@F (a) where a is a condition. For example, @T(Running) and @F(Running) represent a condition Running becoming true and becoming false, respectively, whereas @T(Operating=O ) represents a mode class Operating moving to mode O . A simple conditioned event is denoted @T(a) when We will use SCR to specify requirements of a simpli ed Water-Level Monitoring System (SWLMS). A switch controls whether the system is on or o . If the system is on and its sensors detect too much (too little) water, a pump is turned on for a xed period to remove (add) some water. If the sensor or the pump fails, the system enters an error state. This simpli ed version of the system has no error recovery, so there are no transitions from the error state. This system has one mode class MC with modes O , Operating, and Error; four monitored variables SwitchOn, PumpFail, TooHigh, and TooLow; and a single controlled variables PumpOn. Table 1 shows a mode transition table for Values of controlled variables change in response to events when the system is in particular modes. Table 2 shows an event table for the controlled variable PumpOn, which represents the pump being turned on or o . This variable starts with value false and becomes true when MC is in mode Operating and either event @T(TooHigh) or @T(TooLow) occurs.
Mode
Triggering Event Operating @T(TooHigh) true  false  Initial: false  Table 2: Event table for controlled variable PumpOn.   7 
Environmental Assumptions
An assumption speci es constraints on the values of variables, imposed either by laws of nature or by other mode classes in the system. As such, assumptions are invariant constraints that must hold in all system states. For example, the water in a container cannot be too high and too low at the same time, and buttons can be either pressed or released but not both. Many environmental assumptions can be expressed by declaring relationships between conditions 5]. Some sample relationships are discussed below.
implication (a?> b). The state space in which a is true is a subset of the state space in which b is true. strict implication (a?>> b). This assumption is similar to implication except that when a becomes true, b should already be true, and when b becomes false, a should already be false. timeline(a < b). Conditions a and b represent lengths of time that a particular environmental condition has been true, where b represents a longer length of time than a. The timeline assumption is a strict implication assumption whose contrapositive is non-strict implication. Therefore, a must already be true when b becomes true and must become false when b becomes false. enumeration (a 0 j a 1 j j a n ). The state space is partitioned such that exactly one member of the enumeration is true in each partition.
The assumptions about environmental conditions can be found in the section of an SCR requirements document that describes the system's controlled and monitored variables. A human requirements analyzer is responsible for accurately interpreting the environmental assumptions as they are stated in the speci cation and translating them into the appropriate syntax. The assumption speci ed in In this fragment, the function READ DEVICE() is called to determine the status of a pump. The Read annotation re ects this action for the requirement's variable PumpFail, The function PUMP FAIL() determines if the value read corresponds to failure of the pump. In the Then clause, we assert that the pump did fail (i.e., the value of PumpFail is true rather than >), and exit an enclosing loop. Otherwise, we assert that the value of PumpFail is false rather than >, and continue processing the next statement.
How to write designs
Designs of programs implementing SCR requirements are very stylized: an Initial annotation marks the starting state and is followed by a loop in which the system reads relevant monitors, tests their values and then decides to change either its mode or the values of some controlled variables. Read annotations correspond to reading monitors; Assert annotations are used to document the results of testing predicates; and Update annotations mark changes in the program's state. Potentially, such designs can be automatically generated 29] .
It is often necessary to hand-optimize designs for better performance or to reduce redundancy by \factoring out" common actions for di erent states. Figure 2 shows the result of such an optimization for SWLMS. Here we notice that the pump can be turned on only when the system is in mode Operating. So, the design has an inner WHILE loop in which the system reads the water level and determines the state of the pump. The system exits the loop when the pump fails or when the switch is turned O . Since the SWLMS has no error recovery, transitions to mode Error are done outside the main WHILE loop.
cord can also be used to verify consistency of existing programs. To do so, we can annotate existing code with annotations corresponding to changes and tests of values of requirements variables. We followed this approach to verify an implementation of the WaterLevel Monitoring System (see Section 7). This approach is similar to that of QDA 36, 38] , where the code is annotated with comments specifying user assertions (representing known information) and hypotheses (representing information to be veri ed). In annotating implementations, we inevitably run into the problem of verifying the consistency of the requirements with that of the annotations rather than the source code. If annotations are done carefully, their correctness provides some assurance about the correctness of the source code. However, in order to suppress diagnostic messages from our analysis, a programmer may add or change annotations without making corresponding changes in the source code. Annotations and source code may also \diverge" as modi cations to the program are being made. We have certainly noticed that ourselves: we often modify the annotations to get cord to give us a correct answer, forgetting to update the source code. To remedy this problem, we have recently implemented a tool sac 14, 11] that checks consistency between annotations and source code. The programmer speci es correspondences between annotation and code variables; these correspondences are not necessarily one-to-one. We will refer to code variables in the correspondences as relevant variables. The tool goes through the annotated code, checking the following four conditions:
1. Every Assert annotation corresponds to a test of the appropriate source code variable(s This is a very restricted de nition. Typically, artifacts are considered consistent with requirements when they implement at least what is speci ed. SCR was developed to specify high-assurance systems and was intended to capture all allowed system behaviors. Indeed, it is clearly a fault if an artifact implements an unspeci ed transition to a state representing a failure. SCR tables can be transformed into a list of properties which capture this notion of consistency. To prove that an artifact is consistent with its requirements, we demonstrate that it is a model of all these properties. We express these properties as rst-order logic formulas.
A property capturing the rst part of our de nition of consistency, the fact that requirements and design have the same starting state, can be obtained from I. I is a conjunction of initial conditions associated with each mode class and controlled variable. If s 0 is the initial state of a model of the design, then this property, called START, is
There is one START property generated for an SCR speci cation. In Section 2.1 we introduced a simple Water-Level Monitoring System (SWLMS). For SWLMS, the START property is s 0 j = (MC = O ^:SwitchOn^:PumpFail^:TooHigh^:TooLow^:PumpOn)
This property was generated from initial conditions of Tables 1 and 2 .
The remaining parts of our de nition of consistency deal with events. We use states to denote points at which variables change values. Thus, three states need to be considered in determining if an event caused a mode change: the state in which the variable involved in the triggering condition had its original value, the state in which this variable was assigned a new value, and the state in which the mode change occurred. Generally, we might know which value has been assigned to a variable more exactly after this variable has been tested. For example, consider lines 38-47 of the design in Figure 2 . The exact values of TooHigh and TooLow, read on line 36, are not known until the test on line 38 has been performed. In particular, the exact values of variables are available at the arcs emanating from the test node. As the result, we de ne formulas as being true on arcs as well as in states. A transition between modes m i and m j of modeclass m, triggered by @T(a) when b], is formalized as (a = false)^(m0 = m i )^(b0 = true)^(a0 = true)^(m00 = m j ); where a condition represents its value on the previous edge, a primed condition represents its value on the current edge, and the double-primed condition represents its value in the adjacent state. Figure 3 gives a pictorial representation of this semantics.
For a state n and a formula f, we use the notation n j = f to indicate that f is true in n. For a pair of states (n; s), we use the notation (n; s) j = f to indicate that f is true on an edge between n and s. We also assume that for each state n we have functions pred(n) and succ(n) returning a list of all predecessor and successor states of n, respectively (this list can be empty). We express all properties using statements about three-state sequences (p2pred(n); n; s2succ(n)). For example, a property \there exists a transition from m = m i to m = m j on @T(a) when b]" is expressed as 9(p 2 pred(n); n; s 2 succ(n)); (s j = (m = m j ))( (n; s) j = ((a= true)^(b = true)^(m = m i )))^((p; n) j = (a = false)) For brevity, we will write (p; n; s) to indicate (p 2 pred(n); n; s 2 succ(n)). Properties quanti ed on all of (p; n; s) are considered vacuously true when pred(n) or succ(n) are empty. A number of properties generated from SCR have the notion of an event in them. We say that an event @T(a), where a is a boolean variable, has occurred on a 3-state sequence (p; n; s), i.e. (p; n; s) j = @T(a), if ((n; s) j = (a= true))^((p; n) j = (a= false))
A set of properties capturing the second and the third parts of our de nition of consistency can be obtained by composing rows and columns of SCR tables. We use the SWLMS requirements to illustrate the kinds of properties which are generated to capture our notion of consistency with SCR requirements. For example, in SWLMS we have a property asserting that the only way for mode class MC to be in mode O in its next state is if MC is currently in O , or if a transition from mode Operating occurs in response to an event @F(SwitchOn) when :PumpFail. This property was obtained by composing the rows of the MC mode transition table which have O in their right columns (in this case, only row three). We write this property as P 1 = 8(p;n;s); (s j = (MC=O )) ! (((n; s) j = (MC=O )) _ (((p; n; s) j = @F(SwitchOn)) ((n; s) j = ((PumpFail=false)^(MC=Operating))))) 14 P 1 = 8(p;n;s); (s j = (MC=O )) ! (((n; s) j = (MC=O )) _ (((p; n; s) j = @F(SwitchOn)) ((n; s) j = ((PumpFail=false)^(MC=Operating))))) P 2 = 8(p;n;s); (s j = (MC=Operating)) ! (((n; s) j = (MC=Operating)) _ (((p; n; s) j = @T(SwitchOn))^((n; s) j = ((PumpFail=false)^(MC=O ))))) P 3 = 8(p;n;s); (s j = (MC=Error)) ! (((n; s) j = ((MC=Error)) _ ((p; n; s) j = @T(PumpFail))^((n; s) j = (MC=Operating))) _ ((p; n; s) j = @T(PumpFail))^((n; s) j = (MC=O )))) P 4 = 8(p;n;s); (s j = (PumpOn=false)) ! (((n; s) j = (PumpOn=false)) _ ((p; n; s) j = @F(TooHigh))^((n; s) j = (MC=Operating))) _ ((p; n; s) j = @F(TooLow))^((n; s) j = (MC=Operating))) _ ((p; n; s) j = @T(PumpFail))^((n; s) j = (MC=Operating))) _ ((p; n; s) j = @T(PumpFail))^((n; s) j = (MC=O )))) P 5 = 8(p;n;s); (s j = (PumpOn=true)) ! (((n; s) j = (PumpOn=true)) _ ((p; n; s) j = @T(TooHigh))^((n; s) j = (MC=Operating))) _ ((p; n; s) j = @T(TooLow))^((n; s) j = (MC=Operating)))) We generate properties similar to P 1 for each value of controlled variables and every mode in the right columns of mode transition tables. These properties capture the second part of our notion of consistency and are called \only legal transitions" (OLT) properties. OLT properties generated from requirements of SWLMS are shown in Figure 4 . Property P 1 was generated from row three of Table 1 ; P 2 from row one; and P 3 from a composition of rows two and four. Properties P 4 and P 5 were generated for the controlled variable PumpOn from Table 2 . There are two OLT properties generated for each controlled variable, re ecting changes of value to false (P 4 ) and to true (P 5 ).
Another property asserts that there exists a transition from mode O to mode Operating on an event @T(SwitchOn) when PumpFail=false]. This property corresponds to the rst row of Table 1 . We express this property as P 6 = 9(p;n;s); (s j = (MC=Operating))^((p; n; s) j = @T(SwitchOn))( (n; s) j = ((MC=O )^(PumpFail=false)))
Such properties ensure that all transitions speci ed in the requirements should appear in the design, capturing the last part of our notion of consistency. We call them \all legal transitions"(ALT) properties. One ALT property is generated for every row of transition tables for mode classes and controlled variables. Other ALT properties for SWLMS are shown in Figure 5 . Properties P 6 -P 9 were generated from Table 1 (rows 1-4, respectively).
15
P 6 = 9(p;n;s); (s j = (MC=Operating))^((p; n; s) j = @T(SwitchOn))( (n; s) j = ((MC=O )^(PumpFail=false))) P 7 = 9(p;n;s); (s j = (MC=Error))^((p; n; s) j = @T(PumpFail))^((n; s) j = (MC=O )) P 8 = 9(p;n;s); (s j = (MC=O ))^((p; n; s) j = @F(SwitchOn))( (n; s) j = ((MC=Operating)^(PumpFail=false))) P 9 = 9(p;n;s); (s j = (MC=Error))^((p; n; s) j = @T(PumpFail))( (n; s) j = (MC=Operating)) P 10 = 9(p;n;s); (s j = (PumpOn=false))^((p; n; s) j = @F(TooHigh))( (n; s) j = ((MC=Operating)^(PumpOn=true))) P 11 = 9(p;n;s); (s j = (PumpOn=false))^((p; n; s) j = @F(TooLow))( (n; s) j = ((MC=Operating)^(PumpOn=true))) P 12 = 9(p;n;s); (s j = (PumpOn=false))^((p; n; s) j = @T(PumpFail))( (n; s) j = ((MC=Operating)^(PumpOn=true))) P 13 = 9(p;n;s); (s j = (PumpOn=false))^((p; n; s) j = @T(PumpFail))( (n; s) j = ((MC=O )^(PumpOn=true))) P 14 = 9(p;n;s); (s j = (PumpOn=true))^((p; n; s) j = @T(TooHigh))( (n; s) j = ((MC=Operating)^(PumpOn=false))) P 14 = 9(p;n;s); (s j = (PumpOn=true))^((p; n; s) j = @T(TooLow))( (n; s) j = ((MC=Operating)^(PumpOn=false)))
Figure 5: ALT properties for SWLMS.
Properties P 10 -P 15 were generated from Table 2 (rows 1-6, respectively). Of course, these properties mean that there may be a path to a transition. Although we are able to nd unreachable states, we are not always able to nd and eliminate infeasible paths. The total number of properties is proportional to the total number of rows in SCR tables.
Creating the Abstraction
We construct a Design-Flow Graph (DFG) from annotations and control-ow information and compute an approximation of the possible system states at each node of the DFG using data-ow analysis techniques. The DFG is abstracted into a nite-state machine (FSM) by removing nodes that are unreachable or do not correspond to annotations that indicate a state change. Section 6 describes how the FSM is compared to properties generated from requirements.
During the analysis, ve kinds of properties are checked: START (\starting state is cor-rect"), OLT (\only legal transitions"), ALT (\all legal transitions"), ENV(\environmental assumptions are preserved"), and REACH (\all nodes are reachable"). Figure 6 depicts the steps needed to create and check an abstraction: Compute the information generated by each annotation. Use environmental assumptions to add values generated by related variables, and report any violations of the assumptions caused by inconsistent annotations. Propagate values throughout the DFG. Remove nodes not corresponding to Initial, Read, and Update annotations to create a FSM. Report and remove nodes which cannot be reached. Check that the initial state of the design is correct (START property). If an error is found, stop the processing.
For each FSM node, compute the set of events causing transitions from predecessor nodes and verify OLT and ALT properties. ftrueg On some paths leading to this node, the variable is true. On others it may be unknown.
Design Flow Graphs
ffalseg On some paths leading to this node, the variable is false. On others it may be unknown.
ftrue, falseg On some paths the variable is true, and on some others it is false. It may be unknown on some paths. The values of mode class variables also form a -lattice on set-inclusion.
We require that there is exactly one variable-value pair for each variable in the requirements, and thus for a state s we can de ne a function v(r j ; s) which returns the value of r j in s:
v(r j ; s) Figure 7 : Operations on system states for set-based approximation.
Operations on states include \t" (union), \u" (intersection), \=" (equality), \=" (superset), \n" (di erence) and \w" (superset or equal to). These operations are de ned in Figure 7 . Note that we overloaded the function repl to take two states as parameters.
States form a complete t-lattice under the partial ordering of inclusion =.
Computing Values of States
Our computation of states at each node of the DFG is similar to that of constant propagation | a compiler technique whose goal is to discover values that are constant for all possible executions of a program and to propagate these constant values as far forward through the program as possible 65, 1]. For every node n in the graph, we keep the following sets of variable-value pairs:
Pairs with values generated in the annotation at node n. known(n) Pairs with values assumed by the designer at node n.
in (n) Pairs that may exist when control reaches n.
out (n) Pairs that may exist when control leaves n.
gen and known sets for each node are computed using the following rules:
For A set F of transfer functions describing the transformation between in and out sets at each node, is de ned as follows:
If the known set for a node n containing an Assert annotation consists of several disjuncts,
Our framework is strictly monotonic, i.e., in and out sets at the end of each iteration of our algorithm have at least as many values associated with each variable as at the beginning. Since all variables in R have a nite number of abstract values, our states do not have an in nite increasing chain of values, and the xed point can be achieved in a nite number of steps. The height of the lattice of states is the length of the longest increasing chain of values, i.e., the maximum number of times that information for each node can be changed before the xed point is achieved, is H = r j 2R jT(r j )j + 1:
Thus, the entire computation of in and out sets for the DFG can take at most O(jV j 2 ( r j 2R jT(r j )j + 1)) steps, where jV j is the number of nodes in the DFG. To build a FSM from a DFG, we remove all nodes except those corresponding to Initial (I), Update (U), and Read (Rd) annotations, and connect all predecessors of a removed node to the node's successors. Let S = I U Rd be the set of these nodes. We assume that all variables are initialized by an Initial annotation, so for every node, we check an implicit property (REACH): 8n 2 S(8r j 2 R; v(r j ; out(n)) 6 = fg)
Note that this property could have been checked after the DFG had been constructed. However, checking it while building the FSM limits the reported violations to lines containing annotations. If the REACH property is violated in a node, an error is reported and the node is removed from the FSM. The running time to build the FSM is proportional to jEj, the number of edges in the DFG, and the number of nodes in the resulting FSM is bounded above by jSj, the number of state changes in the design. Figure 9 shows the FSM created for the SWLMS design in Figure 2 , depicting out and gen sets for every node. The number of each node of the FSM indicates the line of the design at which the corresponding Update, Read or Initial annotation can be found. For example, nodes 41 and 46 correspond to @@Update PumpOn=true and @@Update PumpOn=false, respectively. The algorithm for computing out sets ensures that the e ects The semantics of an SCR event, given in Section 2.1, indicates that some formulas need to hold on states or edges. However, our FSM consists of just states, with in, gen and out sets. Formally, we say that an atomic formula f (f: variable = value) holds in a state s if f holds in out(s), i.e., out(s)j= f. Also, we say that f holds on an edge between nodes n and s if (out(n) u in(s)) j = f. By construction of the FSM, if a formula holds on the exit from the node but does not hold on the entrance, then it has been generated at this node, i.e. for a node n,
We also note that an event occurs at a node if a value of some variable on an edge entering the node is di erent from its value on an edge leaving the node. Thus, the variable is changed in the node's gen set.
We cannot verify properties exactly, i.e., claim that a property is violated if and only if we nd a violation. So, we have carefully designed our veri cation algorithms so that the results can be correctly interpreted. Properties may be checked optimistically or pessimistically.
De nition 6.1 A property is checked pessimistically if all of its violations in the design
are detected, but the analysis may incorrectly identify violations at points in the design at which the property actually holds. A property is checked optimistically if all detected violations are present in the design, but the analysis may be unable to nd all violations of the property.
Checking Starting States
We use exact checking that the initial conditions of the SCR requirements and the design are the same, i.e., an error is reported if and only if there is a violation. By construction of the FSM, s 0 , the starting state, is a node corresponding to the Initial annotation of the design. Thus, verifying the START property reduces to checking that the variablevalue assignment of the gen set of the starting state is a model of the requirements' initial condition. However, if the START property is violated, we report an error and halt the rest of the analysis, since in this case the behavior of the rest of the system is unde ned.
For example, the START property of the SWLMS is s 0 j = (MC = O ^:SwitchOn^:PumpFail^:TooHigh^:TooLow^:PumpOn)
In the FSM corresponding to the design of the SWLMS, s 0 is node 2 (see Figure 9 ). gen (2) 
Computing Transitions
OLT and ALT properties involve state transitions which occur only in response to events. Our techniques overestimate the number of transitions in the design, i.e., if a transition is present in the design, we compute it, but some of the computed transitions might not be present in the design. Overestimation of the number of transitions occurs from statefolding during construction of the FSM, described in Section 5, and does not invalidate the veri cation of automatically-generated properties. For OLT properties, we want to check if all transitions in the design are present in the requirements, and overestimating the transitions might cause the tool to report some false negatives, which is a correct treatment of pessimistic analysis. For ALT properties, we want to check if all transitions in the requirements are present in the design, and overestimating the transitions might cause the tool to report some false positives, which is a correct treatment of optimistic analysis 4 . not implemented in the design and is not computed by our tool (row 4), then the tool reports a violation of a corresponding ALT property and does not report a violation of an OLT property. Our computation nds all transitions present in the design. Thus the cases described by rows 3 and 7 in Table 3 cannot occur, so the analysis results are not de ned for them. To determine if an event occurred at a node s, we use information generated at each predecessor node n and check it against in(s) and the out sets of the predecessors of n. The algorithm to compute transitions leading to a node s is shown in Figure 10 n is a predecessor of s; to and from are in the form r j = v0 r j and r j = v r j , respectively, indicating the change of value of r j from v r j to v0 r j for a transition between n and s; trigger is a logical expression | a disjunction of simultaneously occurring triggering conditions, or NONE, if no events can occur; and when is a set of variable-value pairs indicating the When condition for this transition. We assume that controlled variables cannot be part of Triggering conditions, and that variables which are part of a Triggering condition cannot be part of a corresponding When condition. In summary, the algorithm constructs transitions into node s by joining when conditions from each node n, a predecessor of s, with triggering conditions from the changes between n and its predecessors. The running time of this algorithm is O(jSj 2 r j 2R jT(r j )j + k ( r j 2R jT(r j )j)
2 ) where k is the number of disjuncts in triggs. In our experience, k < 10 and does not depend on the size of the speci cation or the design. The maximum number of transitions generated by this algorithm for node s is Trans s = O(jSj k r j 2M C (jT(r j )j)
2 ) The function events(r j ; s 1 ; s 2 ) checks values of a variable r j in states s 1 and s 2 to determine if an event involving r j has occurred. If s 1 is a node containing the Initial annotation, events returns none(r j ). \none" here is a symbolic constant to indicate that the variable did not change its value. Otherwise, for a boolean r j , events(r j , s 1 , s 2 ) is de ned as follows: v(r j ; s 1 ) n v(r j ; s 2 ) ftrueg ffalseg ftrue,falseg ftrueg none(r j ) @F(r j ) @T(r j ) _ none(r j ) ffalseg @T(r j ) none(r j ) @F(r j ) _ none(r j ) ftrue,falseg @T(r j ) _ none(r j ) @F(r j ) _ none(r j ) @T(r j ) _ @F(r j ) _ none(r j ) Thus, for a boolean variable r j , events returns a disjunction of @T(r j ), @F(r j ) or none(r j ).
For a mode class mc, events(mc, s 1 , s 2 ) returns a disjunction of all possible event combinations (conjunctions of events which can occur simultaneously) which could occur between the two nodes. For example, if v(mc; s 1 ) = fm1, m2g and v(mc; s 2 ) = fm2, m3g, then events(mc; s 1 ; s 2 
Finally, a function partof(r j ; trigger) returns true if trigger contains a conjunct corresponding to r j and false otherwise. In our SWLMS example, consider calculating the event which causes MC to be set to Error at node 52 of the FSM in Figure 9 . Figure 11 shows a fragment of this FSM. when is out (5) We take advantage of the fact that all properties have been generated from SCR tables, and thus trcond j consists of a conjunction of one or more simple Triggering conditions (e.g., @T(a)). Our algorithm for computing transitions also results in a conjunction of simple Triggering conditions. To check that trigger ! trcond j , we check that each conjunct in trcond j is present in trigger.
Before checking that when v whcond j , we rst represent whcond j as a set of variablevalue pairs. For example, PumpOn = true is treated as (PumpOn, ftrueg), and :(MC = Operating) means that MC can be either O or Error and is treated as (MC, fO , Errorg). If a variable r k 2 R is not part of whcond j , then it was speci ed as a \don't care" condition in the tables. The value for this variable is considered to be a set of all of its attainable values, i.e., it is treated as (r k ; T(r k )). One of the OLT properties for SWLMS is P 3 = 8(p;n;s); (s j = (MC=Error)) ! (((n; s) j = ((MC=Error)) _ ((p; n; s) j = @T(PumpFail))^((n; s) j = (MC=Operating))) _ ((p; n; s) j = @T(PumpFail))^((n; s) j = (MC=O )))) Then found = true If not found report a violation of P i at node n. g g None of the messages reported by cord for SWLMS spurious, but this is not true in general. Spurious messages come from checking that when v whcond, and often constitute a fair share of all reported messages (see Section 7). \Don't care" conditions in SCR turned out to be ideal for set-based appxomation that we use as the basis of cord. Attempts to implement exact analysis { a technique that keeps track of inter-variable dependencies 10] quickly showed that not only does the running time of the algorithm go from polynomial to exponential, the rate of spurious messages does not decrease. The reason is that many states of the system result from infeasible paths, and the exact analysis lists every combination that is not correct, including variables which are not relevant to a property being veri ed, overwhelming the user.
Veri cation of ALT Properties
All ALT properties have the general form P i = 9(p;n;s); (s j = (r = v new ))^((p; n; s) j = trcond)^((n; s) j = ((r = v old )^whcond));
where v old and v new are the new and the old values, respectively, for the mode class or controlled variable r. trcond and whcond are conjuncts representing the Triggering and the When conditions for this transition. ALT properties are veri ed optimistically, so we might not report all unimplemented transitions. Once transitions are computed for a given node, we look through the list of ALT properties and mark those which are satis ed by this transition. Any properties remaining unmarked at the end of analysis are reported as errors. An algorithm to check ALT properties is outlined in Figure 14 . For ALT properties, we translate \don't care" conditions in whcond to empty sets, so whcond v when returns true if the computed When condition contains at least the variable-value pairs speci ed in P i 's whcond. Our model of SCR guarantees that there are no transitions in which the source and the destination are the same, i.e. for each P i , v new 6 = v old .
If P alt is the set of ALT properties, then the running time of this algorithm is O(jP alt j r j 2R jT(r j )j Trans)
Consider verifying property P 7 of the SWLMS: P 7 = 9(p;n;s); (s j = (MC=Error))^((p; n; s) j = @T(PumpFail))( (n; s) j = (MC=O )) 
Case Study
To demonstrate our analysis technique on a more realistic application, we conducted a case study of a Water-Level Monitoring System (WLMS) which had been speci ed using SCR requirements notation and subsequently implemented 62]. To create the design, we reverse engineered an existing implementation of WLMS in order to determine what types of errors can be detected with our methods.
A WLMS is a safety monitoring device which serves as a component of a steam generator application. It ensures that the water level is within a speci ed range while the stream generator is in operation. Inside this allowable water-level range, there is a speci ed hysteresis water-level range. The area inside the allowable water-level range but outside the hysteresis range is used as a bu er to keep the generator from toggling on and o when the water level is near the limits of its allowable range. The system also raises visual and audio alarms and shuts o its pump when the level is out of range or when the monitoring system fails. In addition, there are two buttons on the system control console: the SelfTest button permits the operator to test the system, and the Reset button permits the operator to return the monitoring system (and the stream generator) to normal operation, provided that the water level is inside the hysteresis range. A complete description of this system can be found in 62]. WLMS has two mode classes, Normal and Failure, whose modes are described in Table 4 . The system starts in mode Standby of mode class Normal and mode AllOK of mode class Failure. Monitored variables indicate the water level in the container (both that it is within its limits and its more stringent hysteresis range, InsideHysR -> WithinLimits), the lengths of time that buttons have been pressed (SlfTstPressed < SlfTstPressed500) or that the system has been in a mode (InTest < InTest2000 < InTest4000 < InTest14000), and device failures. Controlled variables are set to trigger alarms and to display the water level to the operator. A mode transition table for mode class Normal is shown in Table 5 . Environmental assumptions which appear in this table have been deduced from descriptions of the conditions in the requirements.
All together, the system speci cation consists of 2 mode classes with 3 and 4 modes each, 18 monitored and 7 controlled variables. To build a design, we reverse engineered an existing implementation of the WLMS, originally consisting of roughly 1300 lines of FORTRAN and Assembler code. First, we translated it into C and changed the Assembler routines for manipulating the screen with a GUI written in Xlib. Then we manually reverse engineered the implementation. This process entailed determining the meaning of the code in terms of requirements, and capturing programmer assumptions and state changes in our PDL. The resulting design was about 300 lines long, with 45 LDTestVal j LD0 InTest0 < InTest2000 < InTest4000 < InTest14000 Table 5: Mode transition table for mode class Normal. command was 12.0s (real), 8.5s (user) and 1.3s (system). We found it was necessary to rerun the analysis a number of times before we could get the annotations right (sac 14, 11] did not exist yet), and thus a quick response was appreciated. Table 6 : Results of analyzing the WLMS.
After we eliminated annotation errors, cord reported a number of inconsistencies be-tween the requirements and the design (see Table 6 ). Messages produced by cord are organized in three columns: \Messages" indicates the total number of reported messages, \Spurious Messages" indicates messages that did not correspond to errors, and \Viola-tions" indicates the number of invalid mode transitions or changes of values of controlled variables. Even after subtracting spurious messages from all messages, the numbers overestimate the actual errors in the design. Some mode transitions and controlled variable value changes resulted in a number of OLT properties violations. For example, eight illegal mode transitions generated 15 violation messages because several illegal transitions were detected at each location. In this case study, all of the mode transition problems can be attributed to four principal causes: (1) the wrong monitored variable was checked to enable mode transitions (WithinLimits rather than InsideHysR); (2) the times that the operator pressed the SelfTest and Reset buttons were not calculated or checked; (3) some events were computed several statements before mode transitions triggered by them occurred; (4) no transitions to a mode corresponding to the complete system failure were implemented. Most of the illegal assignments to the controlled variables occurred because the order of triggering events in the design di ered from that in the requirements. Finally, even though ALT properties were checked optimistically, we found that a large portion of the speci cation was not implemented. The WLMS design and the messages reported by cord are available in 10].
The case study showed that cord can be applied to the analysis of designs of realistic systems. It can nd subtle errors quickly and e ectively, giving easy to interpret messages. The code of WLMS has not been implemented with as careful of a de nition of events as we use in this work. Thus, it led to several event-related errors. A more careful way of treating events in designs can signi cantly reduce the number of errors identi ed by cord and lead to better-quality programs.
Conclusion and Related Work
In this section we describe related work and summarize the paper.
Related Work
cord contains features similar to those in several other static analysis systems. To simplify the veri cation of properties of programs, these systems restrict the forms of their formal speci cation notations or create abstract models from programs that could be analyzed with state-exploration rather than theorem-proving techniques.
In Inscape 56, 57, 58], complex logical formulas are abstracted to simple predicates which may be primitive or de ned in terms of other predicates (like our environmental assumptions). Predicates form pre-and postconditions used to specify implementations. A programmer constructs an implementation with an editor that analyzes the implementation's control ow and operation invocations to calculate its pre-and postconditions.
During the calculation, Inscape uses pattern matching and simple deduction to determine if the precondition of an operation has been satis ed before its invocation. If not, unsatised predicates are propagated backwards through the control-ow graph until Inscape nds operations satisfying them. The predicates of an operation's postconditions are propagated forward through the graph so that they might satisfy a subsequent operation's precondition. To determine if an implementation is correct, Inscape compares the calculated and the speci ed conditions.
LCLint 25] is a tool developed to do static checks on C source code using LCL specications. When no speci cations are provided, LCLint behaves like lint, detecting uninitialized variables and incorrect parameter-passing. However, with more speci cations, it is able to detect violations of abstraction boundaries, undocumented uses of global variables, incorrect dependencies between variables, etc. LCLint was designed to provide \useful" information, so some of the checks are neither sound nor complete. The tool also has extensive facilities to control the kinds of messages reported to the user. More recent work 24] extends LCLint to detect a broad class of pointer-related errors, like misuses of null pointers, uses of dead storage, memory leaks, and dangerous aliasing. This approach takes advantage of annotations which make certain assumptions, like \pointer cannot have the value NULL", explicit at interface points.
Quick Defect Analysis (QDA) 36, 38] also uses a simple annotation language. Annotations called hypotheses are embedded in comments to describe properties that objects should have at particular program points. Other comments contain assertions about properties of objects. An interpreter builds an abstract model of the implementation from the assertions and the implementation's control ow graph. Hypotheses are veri ed with respect to this model. More recent work 37] enriches QDA's speci cation language so assertions also describe event occurrences, and hypotheses assert that the implementation's events occur in certain sequences. However, QDA annotations do not correspond to program units, like functions, loops, etc. Some do not even describe observable properties, but rather record intentions of the programmer about a role of a variable. The QDA is similar to our veri cation of implementations, where we annotate existing code with events corresponding to changes and tests of values of requirements variables. However, our approach is more formal, taking advantage of complete system speci cation and being able to interpret the results as strictly optimistic or strictly pessimistic.
The Cecil speci cation language permits the description of sequencing constraints on user-de nable program events (e.g., de nitions or uses of variables, operation invocations, etc.) by anchored, quanti ed regular expressions (AQREs) 50, 51, 52] . After a user speci es a mapping from programming language constructs to Cecil events, the Cesar analyzer uses data ow analysis techniques to determine if the implementation meets Cecil constraints.
Aspect's 39, 40, 41] speci cation notation permits users to write pre-and postconditions about the data dependencies of an operation. Data ow analysis is used to compute an upper bound on the data dependencies of the implementation. If an asserted dependency is missing, an error is reported. Clarke et al. 17 ] also create abstract, nite state models of programs, and use model checking techniques to verify formulas. Programs written in a special nite-state programming language are translated into relational expressions characterizing the program's initial state and transition relation. To reduce the size of the model, users de ne mappings of implementation values to abstract values and symbolically execute operations on the values. The model checking approach is pessimistic for formulas expressed in 8CTL* 27], a subset of CTL in which only universal path quanti cation is allowed. The authors also identify a large class of temporal formulas for which the veri cation results are exact, i.e., formulas hold in the model i they hold in the original program.
All of the methods outlined above do not assume existence of complete speci cations, and thus can be applied to a variety of di erent systems. Our method takes advantage of a complete, fully-developed, SCR speci cation. On one hand, this means that cord can be applied only to event-driven systems | the kinds of systems that can be e ectively speci ed using SCR notation. And, of course, results of the analysis are only as good as the speci cation. On the other hand, our analysis makes sure that the design implements exactly the same transitions as speci ed. A number of approaches are similar to ours by nature. Equivalence checking in process algebras, e.g., as implemented in the Concurrency Workbench 20] , checks that two levels of speci cations (or a speci cation and an implementation) exhibit exactly the same behavior. COSPAN 44] uses L-automata to check two levels of speci cations (or a speci cation and an implementation) for language containment properties. Both approaches have been used to formally verify communication protocols and circuit designs, as well as other hardware and software systems.
A group of researchers at Naval Research Lab recently undertook a veri cation e ort similar to ours 7] . The goal of this work was to use a linear-time model-checker SPIN to check consistency of SCR requirements. Promela (an input language for SPIN) is a C-like language with non-deterministic guarded IF statements. Rather than using analysis to determine when events occurred, their implementation explicitly keeps track of previous values of variables. Then, an event @T(a) occurs when previous value of a is false and current value is true. This technique allows a more natural treatment of SCR events, but does not help in analyzing existing code.
Summary
We have de ned a notion of consistency between an SCR-style requirements document and a detailed design. We have also presented a technique to check that this notion of consistency is satis ed, implemented in a tool called cord. cord creates a nite-state abstraction of a detailed design and checks it against a set of properties automatically generated from the requirements. The analysis takes a low-degree polynomial time.
We believe that our techniques are highly-scalable, and envision cord being used in a software development process in which SCR speci cations are rst written and checked for consistency and completeness. Then, a design is developed using our PDL. A detailed design is automatically veri ed for consistency with the requirements. Afterwards, a real implementation is written around the PDL statements. Consistency checking between code and design statements is assured through code reviews or via an automated procedure. This process gives a developer some assurance that the code implements the system behavior speci ed in the requirements. Finally, the implementation is thoroughly tested.
