This paper presents a case study for symbolic model checking (SMC) 
Introduction
Embedded systems have found wide application in almost every aspect of daily life, such as telecommunication, industrial control, traffic control, aerospace and so forth. With the ever growing complexity of VLSI circuits and programmable chips, it is of vital importance to detect errors in early stages of the development process: once an embedded system is shipped, fixing bugs becomes extremely expensive. Over the last three decades, many techniques have been put forward for the verification of embedded systems, such as symbolic simulation [6], testing [7] and theorem proving [16]. These techniques, however, are usually very time consuming, easily miss important behaviors and require a large amount of human intervention. Model checking [8, 9] offers an alternative approach: it performs an exhaustive search that automatically examines the behaviors of an embedded system and determines whether the given specifications are satisfied by that system. With this technique, the system is modeled as a state-transition structure while the specification is expressed as a temporal logic formula [1]. Since system models mostly rely on explicit manipulation of the state space, the size of the systems that can be verified is severely limited [11]; moreover, in realistic designs the size of a system model may grow exponentially with the number of concurrent components. To overcome this problem, several approaches, such as symbolic model checking (SMC) [11, 14, 21], bounded model checking (BMC) [12], abstract model checking (AMC) [15] and compositional model checking (CMC) [10], have been proposed with success.
In particular, in [21] we put forward a symbolic model checking algorithm for Propositional Projection Temporal Logic (PPTL) [2]: the system model is given a polynomial representation based on Reduced Ordered Binary Decision Diagrams (ROBDDs) [5], while the time duration or periodic specification of the desired properties is written as PPTL formulas.
In embedded real-time systems, certain actions must be accomplished within limited time bounds or must start after some point in time. For instance, the specifications to be verified for a data bus arbiter are: (1) the request signal oscillates with a minimum frequency of 4 MHz¹; (2) a grant signal is given between 15ns and 40ns after the request signal; (3) a data bus is never occupied for more than 10ns. Although a number of temporal logics have been proposed to specify properties of embedded systems, such as Computation Tree Logic (CTL) [17] and Linear Temporal Logic (LTL) [18], they are not powerful enough to deal with the above real-time properties. Fortunately, all such time duration and periodic properties can be conveniently expressed in PPTL formulas with the chop and projection constructs:
(1) (len(250))+ prj request (2) request → len(15); len(25) n=1 len(n)); true.
Moreover, it has been proved that PPTL has the expressiveness of full regular expressions [23].
In this paper, as a case study, we will perform symbolic model checking for PPTL on the specification and verification of several real-time properties for an embedded single-track railroad crossing control system (STRCCS).
The rest of the paper is organized as follows. The following section briefly introduces the preliminaries, including the syntax and semantics of the underlying logic as well as some useful concepts. Section 3 presents the outline of the SMC algorithm for PPTL. In Section 4, a case of STRCCS is studied by means of SMC for PPTL. Some related work is reviewed in Section 5. Finally, conclusions are drawn in Section 6.
Preliminaries

Propositional Projection Temporal Logic
Our underlying logic is Propositional Projection Temporal Logic (PPTL) [2] , which is an extension of Propositional Interval Temporal Logic (PITL) [3] . Details of the logic can be found in [2, 20, 24] .
Syntax
Let Prop be a countable set of atomic propositions. The formula ϕ is given by the following grammar:
where p ∈ Prop, ϕ_1, …, ϕ_m and ϕ are all well-formed PPTL formulas. ⃝ (next) and prj (projection) are the basic temporal operators. A PPTL formula is called a state formula if it contains no temporal operators, and a temporal formula otherwise.
The abbreviations true, false, ∨, → and ↔ are defined as usual. In particular, true ≝ ϕ ∨ ¬ϕ and false ≝ ϕ ∧ ¬ϕ. Moreover, we have the following derived formulas:
where
Intervals: An interval σ is a finite or infinite sequence of states. The length of σ, |σ|, is the number of states minus 1 if σ is finite, and ω otherwise. We extend the set of non-negative integers N_0 to include ω, i.e. N_ω = N_0 ∪ {ω}, and extend the relational operators =, <, ≤ to N_ω by taking ω = ω and i < ω for all i ∈ N_0. Furthermore, we define ≼ as ≤ − {(ω, ω)}. For simplicity, we denote σ as ⟨s_0, …, s_{|σ|}⟩, where s_{|σ|} is undefined if σ is infinite. Let σ be an interval and r_1, …, r_h be integers
where t_1, …, t_l is the longest strictly increasing subsequence obtained from r_1, …, r_h by deleting all duplicates. For instance,
Interpretations: An interpretation is a triple I = (σ, k, j), where σ is an interval, k is an integer, and j is an integer or ω such that k ≼ j ≤ |σ|. The notation (σ, k, j) |= ϕ means that formula ϕ is interpreted and satisfied over the subinterval σ_(k..j) with the current state being s_k. The satisfaction relation |= is inductively defined as follows:
Normal Form of PPTL
Normal forms are useful in constructing LNFGs [22, 25] . In the following, we briefly present the definition of normal form as well as some relevant concepts.
Definition 1 Let ϕ be a PPTL formula and ϕ_p the set of atomic propositions appearing in ϕ. The normal form of ϕ is defined as follows:
i is a general PPTL formula. To simplify the proofs and the presentation, we sometimes use ϕ_e ∧ ε instead of ∨_{j=1}^{m} (ϕ_{ej} ∧ ε) and apply
where ϕ_e and ϕ_i are state formulas. An important conclusion is that any PPTL formula can be transformed into its normal form. Details of the proofs and of the algorithm for transforming a PPTL formula into its normal form can be found in [25].
Labeled Normal Form Graph
Definition 2 For a PPTL formula ϕ, the LNFG of ϕ is a tuple
where V(ϕ) denotes the set of nodes, E(ϕ) the set of edges and In V(ϕ), each node is specified by a PPTL formula, while in E(ϕ), each edge is a directed arc labeled with a state formula ϕ_e from node ϕ to node ϕ_1 and is denoted by (ϕ, ϕ_e, ϕ_1). In an LNFG, a finite path, π_f = (v_0, e_0, v_1, e_1, …, ε), is an alternating sequence of nodes and edges from a root v_0 to the ε node, while an infinite path, π_i = (v_0, e_0, v_1, e_1, …, (v_i, e_i, …, v_j, e_j)^ω), contains no ε node, and some nodes, e.g. v_i, …, v_j, must occur infinitely many times. Let Inf(π) denote the set of nodes which occur infinitely often in an infinite
, an important conclusion is that: in G, finite paths or infinite paths with Inf(π) L_j (1 ≤ j ≤ m) precisely characterize the finite or infinite models of ϕ. The proof of this fact and the algorithm for constructing the LNFG of a PPTL formula can be found in [22].
Symbolic Model Checking for PPTL
A symbolic model checking algorithm for PPTL is proposed in [21]. To check a PPTL formula ϕ against a system modeled by a Kripke structure M = (S, I, R, L), the set Sat(ϕ) of states s ∈ S where ϕ holds is defined. Whether M |= ϕ holds can then be equivalently checked by determining the emptiness of the state set Sat(¬ϕ) ∩ I:
Proof. The proof of this theorem can be found in [21].
Figure 1. Symbolic model checking of PPTL formulas
This idea is formalized in Algorithm checkPPTL, which takes ϕ as its argument and returns an ROBDD representation of Sat(ϕ). In the initialization, Sat(ϕ) and Sat(ϕ_i) (1 ≤ i ≤ n) are assigned false, denoting that Sat(ϕ) = Sat(ϕ_i) = ∅. The key idea of Algorithm checkPPTL is recursion: given a PPTL formula ϕ, we first rewrite ϕ into its normal form ϕ_NF ≡ ∨_{i=1}^{n} ϕ_i, and then handle each disjunct ϕ_i of ϕ_NF by a recursive invocation of checkPPTL. Finally, Sat(ϕ) is obtained by applying the logical "OR" operation to all the Sat(ϕ_i) (
Figure 2. Symbolic model checking of PPTL formulas
The definition of Algorithm PreStates is shown in Fig. 2. Note that in Algorithms checkPPTL and PreStates, unless mentioned otherwise, state sets and the transition relation are identified with their characteristic functions, which can be obtained by the symbolic manipulation method of [19], and all operations are performed on the ROBDD representation of these boolean functions.
With checkPPTL, the model checking procedure is performed as follows: first, checkPPTL is invoked to calculate the ROBDD representation of Sat(¬ϕ); second, if Sat(¬ϕ) ∩ I equals false, i.e. there is no state s ∈ I in which ¬ϕ holds, then M |= ϕ. Otherwise, if Sat(¬ϕ) ∩ I ≠ false, then starting from any state in Sat(¬ϕ) ∩ I we can always find a path Π_wn of M as a witness to the fact that the system model M violates the desired property ϕ. Details of checkPPTL can be found in [21].
A Case Study
In this section, as a case study, we consider how the following single-track railroad crossing control system (STRCCS) [13] can be verified by means of SMC for PPTL. In the STRCCS shown in Fig. 3, a train tries to pass through a railroad crossing in such a way that the gates must be "closed" before the train enters the crossing and will never be "open" before the train has left. The controller lowers and raises the gates to control the flow of traffic across the crossing. An electrical schematic of the controller can be found in Fig. 4. The essential functions of this system are presented as follows: Accordingly, we obtain the simulation results for the input signals "request", "closed", "inside" and the output signals "lowering", "raising" to illustrate how the STRCCS works. The key idea of this system is to ensure that: (a) the gates are closed before the train enters the crossing; (b) the gates are never closed for more than 6 minutes.
Though they cannot be specified in CTL and LTL, or only cumbersomely, these properties can be conveniently expressed in PPTL as follows, where len(n); (gate status = closed) denotes that gate status = closed holds after n minutes:
n=1 len(n)); true))
To present them in a standard way, atomic propositions req, in, cld, lr and rs are defined to denote train request = true, train status = inside, gate status = closed, gate status = lowering and gate status = raising respectively. Accordingly, we have:
Moreover, we assume that ¬in and ¬lr ∧ ¬cld ∧ ¬rs represent train status = outside and gate status = open respectively. Then, we can model the target system as a Kripke structure M = (S, I, R, L) defined on AP = {req, in, cld, lr, rs} as in Fig. 6.
Figure 6. Model of STRCCS system
Note that a system model specified by a Kripke structure M = (S, I, R, L) has the property that for two states
With the framework proposed in [19] for the boolean representation of finite domains, sets and k-ary relations, we assume a fixed order on the atomic propositions in AP as req < in < lr < cld < rs < a < b < c, and assign each atomic proposition a corresponding boolean value b_i ∈ {0, 1} (0 ≤ i ≤ 7). Then each state s ∈ S can be represented by a boolean vector via B : S → {0, 1}^8, where
for each i, 0 ≤ i ≤ 7, b_i = 1 if the corresponding atomic proposition holds at state s and b_i = 0 otherwise. For instance, the boolean encoding of state s_6 ∈ S is B(s_6) = (0, 1, 0, 1, 0, 0, 1, 1). Accordingly, the transition relation can be symbolically represented by its characteristic function:
where for every 1 ≤ j ≤ 17, C_{R_j}(x, x′) can be found in Table 2, while "+" and "·" are logical "OR" and "AND" respectively.
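As an added illustration (not the paper's implementation), the following Python stands in for the ROBDD-based checkPPTL and PreStates of Section 3, using explicit sets in place of characteristic functions, the proposition order req < in < lr < cld < rs of the encoding above (the extra bits a, b, c are omitted), and a constructed six-state crossing model that is not the paper's Fig. 6. It assumes the existential path semantics of Sat (a state is in Sat(ϕ) if some path from it satisfies ϕ), unfolds len(n); ϕ as ○ⁿϕ, and decides M |= ϕ by the emptiness of Sat(¬ϕ) ∩ I.

```python
# Added example: explicit-set stand-in for the ROBDD-based checkPPTL / PreStates.
AP = ("req", "in", "lr", "cld", "rs")          # fixed order req < in < lr < cld < rs

def encode(labels):
    """B(s): boolean vector with b_i = 1 iff the i-th proposition holds in s."""
    return tuple(1 if p in labels else 0 for p in AP)

# Constructed toy model (not the paper's Fig. 6): request, lower, close, pass, raise.
S = {name: encode(lbl) for name, lbl in {
    "idle": set(), "req": {"req"}, "lower": {"req", "lr"}, "closed": {"req", "cld"},
    "inside": {"in", "cld"}, "raise": {"rs"}}.items()}
I = {S["idle"]}                                  # initial states
R = {(S[a], S[b]) for a, b in [("idle", "idle"), ("idle", "req"), ("req", "lower"),
     ("lower", "closed"), ("closed", "inside"), ("inside", "raise"), ("raise", "idle")]}

def chi_R(x, xp):
    """Characteristic function C_R(x, x') of the transition relation."""
    return (x, xp) in R

def pre_states(target):
    """PreStates: states with a successor in target, i.e. exists x'. C_R(x,x') and target(x')."""
    return {x for x in S.values() if any(chi_R(x, xp) for xp in target)}

def sat(phi):
    """Sat(phi) for a PPTL fragment, existential path semantics (assumed):
    ("p", a) atomic; ("not", ("p", a)) negated atomic; ("and", f, g) state conjunction;
    ("next", f) = next f; ("len", n, f) = len(n); f, unfolded as n nested next operators."""
    kind = phi[0]
    if kind == "p":
        return {s for s in S.values() if s[AP.index(phi[1])] == 1}
    if kind == "not":                             # negation only of atomic state formulas
        if phi[1][0] != "p":
            raise ValueError("negation must be pushed to atomic propositions (normal form)")
        return set(S.values()) - sat(phi[1])
    if kind == "and":
        return sat(phi[1]) & sat(phi[2])
    if kind == "next":
        return pre_states(sat(phi[1]))
    if kind == "len":
        n, f = phi[1], phi[2]
        return sat(f) if n == 0 else pre_states(sat(("len", n - 1, f)))
    raise ValueError(f"unsupported construct {kind}")

def witnesses(neg_phi):
    """M violates phi iff Sat(not phi) ∩ I is non-empty; returns those initial states."""
    return sat(neg_phi) & I

if __name__ == "__main__":
    unsafe = ("and", ("p", "in"), ("not", ("p", "cld")))   # train inside, gate not closed
    for n in range(7):                                      # bounded unfolding of len(n); unsafe
        print(n, witnesses(("len", n, unsafe)))             # all empty: no violation within 6 steps
```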
Related Work
Symbolic model checking [11, 14] has been used successfully in the verification of qualitative properties of embedded systems. However, when it comes to the specification of quantitative properties, especially real-time properties, SMC for CTL and LTL becomes inefficient. In [26], the authors discuss the limitations of applying CTL to the verification of real-time systems and present a new model checking algorithm for quantitative temporal structures and quantitative computation tree logic (QCTL). Similarly to [26], the authors of [27] extend CTL with bounded until constructs, but they only consider interpretations over timed transition graphs with intermediate information. However, neither QCTL nor CTL with bounded until constructs is powerful enough to specify full regular properties, namely the periodic properties of real-time systems. Therefore, in this paper we show how SMC for PPTL can be used in the specification and verification of embedded systems and give a paradigm as an application.
Conclusion
In this paper, we briefly introduce propositional projection temporal logic and its symbolic model checking algorithm. This enables us to specify and verify with PPTL the time duration and periodic properties of embedded real-time systems, which cannot be verified with CTL and LTL, or only cumbersomely, and to alleviate the state space explosion problem. Then, a single-track railroad crossing control system is studied as a case to show the feasibility of SMC for PPTL.
However, it should be noted that this paradigm only considers simple real-time properties. In the future, we will further explore the specification and verification of quantitative properties of embedded systems with PPTL in a systematic fashion. Moreover, as symbolic model checking is well suited to the verification of embedded systems, we are also motivated to develop a practical tool to ensure the correctness of a system specified in a Hardware Description Language (HDL), such as Verilog, VHDL or SystemC, before behavior synthesis in the system on programmable chip (SOPC) design flow.
