We present work from a project for the improvement of a specification/validation toolbox integrating a commercial toolset, Objectgeode, and different validation tools such as the verification tool cadp and the test sequence generator tgv.
The intrinsic complexity of most protocol specifications led us to study combinations of techniques such as static analysis and abstraction together with classical model-checking techniques. Experimentation and validation of our results in this context motivated the development of an intermediate representation for sdl called if. In if, a system is represented as a set of timed automata communicating asynchronously through a set of buffers or by rendez-vous through a set of synchronization gates. The advantage of such a program-level intermediate representation is that it is easier to interface with various existing tools, such as static analysis, abstraction and compositional state space generation.
INTRODUCTION
sdl and related formalisms such as msc and ttcn are at the base of a technology for the specification and the validation of telecommunication systems. This technology will develop fast for many reasons: institutional, commercial and economic ones. sdl is promoted by Itu and other international standardization bodies. There exist commercially available tools and, most importantly, there are increasing needs for description and validation tools covering as many aspects of system development as possible. These needs motivate the work for enhancement of the existing standards undertaken by Itu and Etsi in particular.
Among the work directions for improvement of sdl, an important one is the description of non-functional aspects of the behavior, such as performance and timing. Finding a "reasonable" notion of time is a central problem which admits many possible solutions depending on choices of semantic models. This is certainly a non-trivial question, and this is reflected by the variety of the existing proposals.
Choosing an appropriate timed extension for sdl should take into account not only technical considerations about the semantics of timed systems but also more pragmatic ones related to the appropriateness for use in a system engineering context. We believe that the different ideas about extensions of the language must be validated experimentally before being adopted, to avoid phenomena of rejection by the users. Furthermore, it is important to ensure as much compatibility as possible with the existing technology and to provide evidence that the modified standard can be efficiently supported by tools.
Another challenge for the existing sdl technology, if it is to meet the demand for description and validation of systems of increasing size, is to provide environments that allow the user to master this complexity. The existing commercial tools are quite satisfactory in several respects, and this is a recognized advantage of sdl over other formalisms poorly supported by tools. However, it is necessary to improve the existing technology to avoid failing to keep up. Mastering complexity requires a set of integrated tools supporting user-driven analysis. Of course, the existing tools such as simulators, verifiers and automatic test generators can be improved. Our experience from real case studies shows that another family of tools is badly needed to break down complexity. All the methods for achieving such a goal are important, ranging from the simplest and most "naive" to the most sophisticated.
In this paper we present work from a project for the improvement of a specification and validation toolbox interconnecting Objectgeode [1] and different validation tools such as cadp [2], developed jointly with the Vasy team of Inria Rhône-Alpes, and tgv [3], developed jointly with the Pampa team of Irisa. The project has two complementary work directions. The first is the study and the implementation of timed extensions for sdl; this work is carried out in cooperation with Verilog, Sema Group and Cnet within a common project. The second is coping with complexity by using a combination of techniques based on static analysis, abstraction and compositional generation. Achieving these objectives requires both theoretical and experimental work. Experimentation and validation of our results in this context motivated the development of an intermediate representation for sdl called if. if is based on a simple and semantically sound model for distributed timed systems, namely asynchronously communicating timed automata (automata with clocks). A translator from a static subset of sdl to if has been developed, and if has been connected to different tools of our toolbox. The use of such an intermediate representation confers many advantages.
if to implement and evaluate different semantics of time for sdl, as the underlying model of if is general enough to encompass a large variety of notions of urgency, time non-determinism and different kinds of real-time constructs. if allows a flattened description of the corresponding sdl specification with the possibility of direct manipulation, simplification and, generally, application of analysis algorithms which are not easy to perform using commercial tools which, in general, are closed. if can be considered as a common representation model for other existing languages or for the combination of languages adopting different description styles.
Related work
After its standardization in the eighties, a lot of work has been done concerning the mathematical foundations of sdl. The first complete semantics was given by annex F to the recommendation Z.100 [4, 5] and is based on a combination of csp [6] and . Even if it is the reference semantics of sdl (about 500 pages), it is far from being complete and contains many inconsistencies and obscure points.
In [8] a semantics for sdl based on streams and stream processing functions is given. It deals with a subset of sdl, and the timing aspects are simplified. An operational semantics which covers sdl systems, processes, blocks and channels is given in [9]. It defines a method to build labeled transition systems from sdl specifications. The approach is relatively complete; however, in this case too, time is not handled in a satisfactory manner. An important work is done in [10, 11], which gives a semantics based on process algebra to a rather simple subset of sdl, called ' ? sdl. A method is given for translating each sdl system into a term of PA psc drt -ID, which is a discrete time process algebra extended with propositional signals and conditions, a counting process creation operator, and a state operator. Finally, we mention the work of [12], which proposes an axiomatic semantics based on Duration Calculus, and the work of [13], which uses abstract real-time machines.
Our aim is somewhat different from the one of the above mentioned works, as it is not only to present a sound semantics, especially concerning timing aspects, but also to make a step forward concerning verification of sdl specifications: we give a program-level intermediate representation into which a large subset of sdl and also other specification formalisms can be translated, preserving their semantics, and which is the input language of an open verification environment.
The paper is organized as follows. In the next section, we present an example used throughout the paper to illustrate our work. Then, we describe the main features of the if formalism used as an intermediate representation for sdl. Finally, we present an open validation environment for sdl specifications and illustrate its usefulness by means of some experimental results.
AN EXAMPLE: A DISTRIBUTED LEADER ELECTION ALGORITHM
We present a simple example used throughout the paper to illustrate the introduced formalisms and verification methods. We consider a token ring, that is, a system of n stations S_1, ..., S_n connected through a circular network, in which a station is allowed to access some shared resource R only when it "owns" a particular message, the token. If the network is unreliable, it is necessary to recover from token loss. This can be done using a leader election algorithm [14, 15] to designate a station responsible for generating a new token.
Formal specifications and verifications of these algorithms already exist, and we consider here an sdl version of the one described in [16].
[Figure 1. The token-ring architecture]
of the timer worried token loss is assumed: this timer is set when the station waits for the token, and reset when it receives it. The "alternating bit" round is used to distinguish between valid claims (emitted during the current election phase) and old ones (cancelled by a token reception). In the idle state, a station may either receive the token from its neighbor (then it reaches the critical state and can access the resource), receive a timer expiration signal (then it emits a claim stamped with its address and the current value of round), or receive a claim. A received claim is "filtered" if its associated address is smaller than its own address and transmitted unchanged if it is greater. If its own valid claim is received, then this station is elected and generates a new token. In the sdl specification, message loss must be modeled explicitly (for instance by introducing a non-deterministic choice when a token or claim is transmitted by a station
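The election mechanism described above, as an added example that is not part of the original paper or its sdl specification: a constructed Python simulation of n stations on a ring whose token transfer can be made to fail. It assumes one hop per tick, that a station keeps the token for one tick, addresses 1..n (so the largest address wins an election), and a constructed timer value TIMEOUT.

```python
"""Constructed simulation of the token-ring leader election of Section 2 (example code
added here, not the paper's sdl specification).  Assumptions: one hop per tick, a station
keeps the token for one tick, addresses are 1..n and the token is lost only when asked."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

TIMEOUT = 10   # ticks a station waits for the token before claiming (constructed value)


@dataclass
class Station:
    adr: int
    state: str = "idle"
    round: int = 0                         # alternating bit stamped on claims
    worried: Optional[int] = None          # remaining ticks of timer 'worried'; None = inactive
    inbox: deque = field(default_factory=deque)
    outbox: list = field(default_factory=list)
    elections: int = 0


def run_ring(n, ticks, lose_token_at=None):
    """Run n stations for `ticks` steps; the token is dropped once if it is sent at tick
    `lose_token_at`.  Returns (stations, event log, max stations critical at once)."""
    ring = [Station(i + 1) for i in range(n)]
    ring[0].inbox.append(("token",))
    for s in ring[1:]:
        s.worried = TIMEOUT                # everyone but the initial holder waits for the token
    log, max_critical = [], 0

    def send(src, msg, tick):
        if msg[0] == "token" and tick == lose_token_at:
            log.append((tick, src.adr, "token lost"))   # the unreliable network drops it
        else:
            src.outbox.append(msg)

    for tick in range(ticks):
        for s in ring:
            if s.state == "critical":              # release the resource and pass the token
                log.append((tick, s.adr, "close"))
                s.state, s.worried = "idle", TIMEOUT
                send(s, ("token",), tick)
            elif s.inbox:
                msg = s.inbox.popleft()
                if msg[0] == "token":              # token received: flip round, cancel old claims
                    s.state, s.worried, s.round = "critical", None, s.round ^ 1
                    log.append((tick, s.adr, "open"))
                else:
                    _, adr, rnd = msg
                    if adr > s.adr:                # larger address: transmit unchanged
                        send(s, msg, tick)
                    elif adr == s.adr and rnd == s.round:   # own valid claim: elected
                        s.elections += 1
                        log.append((tick, s.adr, "elected"))
                        s.state, s.worried, s.round = "critical", None, s.round ^ 1  # new token
                    # smaller addresses and claims of an old round are filtered (dropped)
            elif s.worried == 0:                   # timer expired: the token seems lost
                log.append((tick, s.adr, "claim"))
                send(s, ("claim", s.adr, s.round), tick)
                s.worried = TIMEOUT
        max_critical = max(max_critical, sum(s.state == "critical" for s in ring))
        for s in ring:                             # deliver to the next station, let time pass
            ring[s.adr % n].inbox.extend(s.outbox)
            s.outbox.clear()
            if s.worried:
                s.worried -= 1
    return ring, log, max_critical


if __name__ == "__main__":
    stations, events, worst = run_ring(4, 60, lose_token_at=7)
    print("elections:", [s.elections for s in stations], "max critical:", worst)
    for e in events:
        if e[2] in ("token lost", "claim", "elected"):
            print(e)
```

With the token dropped at tick 7, the claims of stations 1 to 3 are filtered by their higher-addressed neighbours, station 4's claim travels the whole ring and station 4 generates the new token; mutual exclusion holds throughout.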
An overview on IF
In if, a system is a set of processes (state machines, as sdl processes are) communicating asynchronously through a set of buffers (which may be lossy/reliable and bounded/unbounded). Each process can send and receive messages to/from any buffer. The timed behavior of a system can be controlled through clocks (like in timed automata [18, 19]) and timers (sdl timers, which can be set, reset and expire when they reach a value below 0).
IF system de nition
A system is a tuple Sys = (glob-def, procs) where glob-def = (type-def, sig-def, var-def, buf-def) is a list of global definitions: type-def is a list of type definitions, sig-def defines a list of parameterized signals (as in sdl), var-def is a list of global variable definitions, and finally buf-def is a list of buffers through which the processes communicate by asynchronous signal exchange. procs defines a set of processes, described in section 3.1.2.
IF process de nition
Processes are defined by a set of local variables, a set of control states and a set of control transitions. A process P ∈ procs is a tuple P = (var-def, Q, cTrans), where:
- var-def is a list of local variable definitions (including timers and clocks);
- Q is a set of control states on which the following attributes are defined:
  - stable(q) and init(q) are boolean attributes; the attribute stable controls the level of atomicity, which is a useful feature for verification: only stable states are visible on the semantic level.
  - save(q) and discard(q) are lists of filters of the form "signal-list in buf if cond". save(q) is used to implement the save statement of sdl; its effect is to preserve all signals of the list in buf whenever the condition cond holds. discard(q) is used to implement the implicit discarding of non-consumable signals of sdl. When reading the next input signal in buf, all signals to be discarded in buf preceding it are discarded in the same atomic transition.
Where in both cases:
- g is a predicate representing the guard of the transition, which may depend on variables visible in the process (including timers, clocks and buffers, where buffers are accessed through a set of primitives).
- body is a sequence of the following types of atomic actions:
  - outputs of the form "output sig(par_list) to buf" have the effect of appending a signal of the form "sig(par_list)" at the end of the buffer buf.
  - usual assignments.
  - settings of timers of the form "set timer := exp". This has the effect of activating timer and setting it to the value of exp. An active timer decreases with progress of time. sdl timers expire when they reach the value 0, but in if any timer tests are allowed. Clocks are always active and they increase with progress of time.
  - resettings of timers and clocks, which have the effect of inactivating timers and assigning the value 0 to clocks.
Semantics of IF
We show how a labeled transition system can be associated with a process, and then how these process models can be composed to obtain a system model.
Association of a model with a process
Let P = (var-def, Q, cTrans) be a process definition in the system Sys and:
Let TIME be a set of environments for timers and clocks (for simplicity of the presentation, we suppose that these environments are global, that is, applicable to all timers and clocks occurring in Sys). An environment T ∈ TIME defines for each clock a value in a time domain T (positive integers or reals), and for each timer either a value in T or the value "inac" (represented by a negative value) meaning that the timer is not active. Setting or resetting a timer or a clock affects a valuation T in an obvious manner. Progress of time by an amount transforms the valuation T into the valuation T in which the values of all clocks are increased by , and the values of all timers are decreased by (where the minimal reachable value is zero).
Let BUF be a set of buffer environments B, representing possible contents of the buffers of the system, on which all necessary primitives are defined: usual buffer access primitives, such as "get the first signal of a given buffer, taking into account the save and the discard attribute of a given control state", "append a signal at the end of a buffer", ..., and also "time progress by amount ", denoted by B , which is necessary for buffers with delay.
Let ENV be a set of environments E defining the set of valuations of all other variables defined in the system Sys. The semantics of P is the labeled transition system [[P]] = (Q × VAL, Trans, Ttrans), where Q × VAL is the set of states and VAL = ENV × TIME × BUF is the set of data states. Trans is the set of untimed transitions obtained from control transitions by the following rule: for any (E, T, B), (E', T', B') ∈ VAL and input transition (and simpler for an internal transition)
Composition of models
The semantics of a system Sys = (glob-def, procs) is obtained by composing the models of processes by means of an associative and commutative parallel operator ∥. We present the principles of the translation from sdl to if considering the structural and the behavioral aspects. We do not present the translation of data aspects, and in particular the object-oriented features, as they do not interfere with our framework.
3.3.1. Structure
sdl provides a complex structuring mechanism using blocks, substructures, processes, services, etc., whereas if systems are flat, that is, consisting of a single level of processes communicating directly through buffers. Therefore, a structured sdl system is flattened by the translation into if. Also, the structured communication mechanism of sdl using channels, signal routes, connection points, etc. is transformed into point-to-point communication through buffers by computing for every output a statically defined unique receiver process (respectively its associated buffer).
All predefined sdl data types, arrays, records and enumerated types can be translated. For abstract data types, only the signatures are translated, and for simulation the user must provide an appropriate implementation.
In sdl all signals are implicitly parameterized with the pid of the sender process; therefore in if all signals have an additional first parameter of type pid.
Processes
Basically, for each instance of an sdl process, we generate an equivalent if process and associate with it a default input queue. If the number of instances can vary in some interval, the maximal number of instances is created.
Variables: Each local variable/timer of an sdl process becomes a local variable/timer of the corresponding if process. We also define variables sender, offspring and parent, which are implicitly defined in sdl. Remote exported/imported variables declared inside an sdl process become global variables, declared at if system level.
States: All sdl states (including start and stop) are translated into stable if control states. As if transitions have a simpler structure than sdl transitions, we also systematically introduce auxiliary non-stable states for each decision and each label (corresponding to a "join") within an sdl transition. For each stable if state we define the save and discard sets to be the same as for the corresponding sdl state.
Transitions: For each minimal path between two if control states, an if transition is generated. It contains the triggers and actions defined on that path, in the same order.
All the generated transitions are by default eager, i.e. they have higher priority than the progress of time; this conforms to the notion of time progress of the tool Objectgeode. More liberal notions of time progress can be obtained by using different translations from sdl to if (see the example below).
Inputs: sdl signal inputs are translated directly into if inputs, where the sender parameter must be handled explicitly: each signal receives the first parameter in the local variable sender. The spontaneous input none is translated by an assignment of the sender to the pid of the current process; no input part is generated in this case.
Timeouts: timer expirations are not notified via timeout signals in if: each timeout signal consumption in an sdl process is translated into a transition without input, which tests whether the corresponding timer evaluates to zero, followed by the reset of that timer. The reset is needed to avoid multiple consumption of the same timeout expiration.
Priority inputs: these are translated into normal inputs by strengthening the guards of all low-priority inputs and the save set of the source state. The guard of each low-priority input is conjoined with a term saying that "there is no higher priority signal in the buffer". All low-priority signals are explicitly saved if "at least one input with higher priority exists in the buffer". Such tests can effectively be expressed by predefined predicates on buffers.
Example: translation of the token ring to IF
To illustrate if, we present the translation of the token ring introduced in Section 2. The translation of the structure is completely straightforward in this example. Figure 3 contains the if version of the process S_1, where the additional non-stable states are dotted. By default, all transitions are eager, which leads to the same behavior as in Objectgeode.
Thus, time can only progress, and the timeout occurs, if the token is really lost (that is, no transition is enabled), and therefore a leader election algorithm is only initiated if necessary. In if, a different notion of time, closer to reality, can be modeled, e.g. by considering the transition from the critical state as lazy, thus allowing time to pass in this state by an arbitrary amount. In order to limit the time a process can remain in the critical state, one can consider this transition as delayable, introduce a clock cl_crit which is reset when entering critical, and add to the outgoing transition the guard cl_crit some limit.
AN OPEN VALIDATION ENVIRONMENT BASED ON IF
One of the main motivations for developing if is to provide an intermediate representation between several tools in an "open" validation environment for sdl. Indeed, none of the existing tools provides all the validation facilities a user may expect. Therefore, we want to allow them to cooperate, as much as possible using program-level connections. An important feature is the ability of the environment to be open: in particular, connections with kronos [21] (a model checker for timed automata) and invest [22, 23] (a tool computing abstractions) are envisaged. In this section, we first present the architecture of this environment and its main components. Then, we describe in a more detailed manner two more recent modules concerning static analysis (section 4.2) and compositional generation (section 4.3) which are based on if.
Architecture
The environment is based on two validation toolsets, Objectgeode and cadp, connected through the intermediate representation if. There already exists a connection between these toolsets at the simulator level [24]; however, using if offers two main advantages:
The architecture also allows connections with many other specification languages or tools. Thus, even specifications combining several formalisms could be translated into a single if intermediate code and globally verified.
The use of an intermediate program representation, where all the variables, timers, buffers and the communication structure are still explicit, makes it possible to apply methods such as static analysis, abstraction and compositional generation. These methods are crucial for the applicability of the model-checking algorithms.
ObjectGEODE
Objectgeode is a toolset developed by Verilog supporting the use of sdl, msc and omt. It includes graphical editors and compilers for each of these formalisms. It also provides a C code generator and a simulator to help the user interactively debug an sdl specification. The Objectgeode simulator also offers some verification facilities, since it allows performing automatic simulation (either randomly or exhaustively) and behavioral comparison of the specification with special state machines called observers [25].
We have been developing for more than ten years a set of tools dedicated to the design and verification of critical systems. Some of them are distributed in collaboration with the Vasy team of Inria Rhône-Alpes as part of the cadp toolset [2, 26]. We briefly present here two verifiers integrated in cadp (aldebaran and evaluator) and the test sequence generator tgv [3], built upon cadp jointly with the Pampa project of Irisa. These tools apply model checking on behavioral models of the system in the form of labeled transition systems (lts). aldebaran allows comparing and minimizing finite lts with respect to various simulation or bisimulation relations. This allows the comparison of the observable behavior of a given specification with its expected one, expressed at a more abstract level. evaluator is a model checker for temporal logic formulas expressed on finite lts. The temporal logic considered is the alternation-free μ-calculus. tgv aims to automatically generate test cases for conformance testing of distributed systems. Test cases are computed during the exploration of the model, and they are selected by means of test purposes. Test purposes characterize some abstract properties that the system should have and that one wants to test. They are formalized in terms of lts, labeled with some interactions of the specification. Finally, an important feature of cadp is to offer several representations of lts, enumerative and symbolic ones based on bdd, each of them being handled using well-defined interfaces such as open-caesar [27] and smi [28].
SDL2IF and IF2C
To implement the language-level connection through the if intermediate representation, we take advantage of a well-defined api provided by the Objectgeode compiler. This api offers a set of functions and data structures to access the abstract tree generated from an sdl specification. sdl2if uses this abstract tree to generate an if specification operationally equivalent to the sdl one.
if is currently connected to cadp via the implicit model representation feature supported by cadp. if programs are compiled using if2c into a set of C primitives providing a full basis to simulate their execution. An exhaustive simulator built upon these primitives is also implemented to obtain the explicit lts representation on which all cadp verifiers can be applied.
Static analysis
The purpose of static analysis is to provide global information about how a program manipulates data without executing it. Generally, static analysis is used to perform global optimizations on programs [29-31]. Our goal is quite different: we use static analysis in order to perform model reductions before or during its generation or validation. The expected results are the reduction of the state space of the model or of the state vector.
We want to perform two types of static analysis: property-independent and property-dependent analysis. In the first case, we use classic analysis methods such as live variable analysis or constant propagation, without regard to any particular property or test purpose we are interested in validating. In the second case, we take into account information on data involved in the property and propagate it over the static control structure of the program. Presently, only analysis of the first type is implemented, but we are also investigating constraint propagation and more general abstraction techniques. For instance, through the connection with invest we will be able to compute abstract if programs using general and powerful abstraction techniques.
Live variables analysis
A variable is live in a control state if there is a path from this state along which its value can be used before it is redefined. An important reduction of the state space of the model can be obtained by taking into account in each state only the values of the live variables.
More formally, the reduction considered is based on the relation live defined over model states: two states are related if and only if they have the same values for all the live variables. It can easily be proved that live is an equivalence relation and, furthermore, that it is a bisimulation over the model states. This result can be exploited in several ways. Due to the local nature of live, it is possible to directly generate the quotient model w.r.t. live instead of the whole model, without any extra computation. Exactly the same reduction is obtained when one modifies the initial program by introducing systematic assignments of non-live variables to some particular value. This second approach is presently implemented for if programs.
Consider now the token ring protocol example. In the idle state the live variables are round and worried, in the critical state only round is live, while variables sender, adr and rnd are never live. The reduction obtained by the live reduction is shown in Table 1 (line 3).
Constant propagation
A variable is constant in a control state if its value can be statically determined in that state. Two reductions are possible. The first one consists in modifying the source program by replacing constant variables with their value. Thus, it is possible to identify and then to eliminate dead parts of the program, e.g. code guarded by expressions which always evaluate to false, and therefore to increase the overall efficiency of the program. The second reduction concerns the size of the state vector: for a control state we store only the values of the non-constant variables. The constant values do not need to be stored; they can always be retrieved by looking at the control state.
Note that neither of the proposed reductions changes the number of states of the model; they only improve the state space exploration (time and space). However, this kind of analysis may be particularly useful when considering extra information about the values assigned to variables, extracted from the property to be checked.
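The live-variable analysis of the previous section and the constant propagation of this one, carried out on a control automaton as an added example (not the paper's if tooling). It assumes a simplified reconstruction of station S_1 with the stable states idle and critical plus an auxiliary decision state dec; the transitions, the initial values and the timer value 5 are assumptions. In the stable states the live sets match those reported above (idle: round and worried; critical: round; sender never live), and the state vector per control state is the set of live, non-constant variables.

```python
"""Live-variable analysis and constant propagation over an IF-like control automaton
(example code added here, not the paper's tool).  The automaton is a simplified
reconstruction of station S1 from Section 2 with states idle, critical and the
auxiliary decision state dec; its transitions and initial values are assumptions."""
from typing import Union

TOP = "?"      # unknown value (input parameter, nondeterministic choice, time progress)
Expr = Union[int, str, tuple]


def reads(expr: Expr) -> set:
    """Variables read by an expression: an int is a constant, a str a variable copy,
    TOP an unknown input and a tuple an opaque expression over the named variables."""
    if isinstance(expr, int) or expr == TOP:
        return set()
    return {expr} if isinstance(expr, str) else set(expr)


# Transition = (source, variables read by the guard, body, target).
# Body actions: ("set", var, expr) assignment / timer set / reset, ("out", vars) output.
S1 = [
    ("idle", set(), [("set", "sender", TOP), ("set", "worried", 0),
                     ("set", "round", ("round",))], "critical"),         # input token: reset timer, flip bit
    ("critical", set(), [("out", {"round"}), ("set", "worried", 5)], "idle"),  # output token, set timer
    ("idle", {"worried"}, [("out", {"round"}), ("set", "worried", 5)], "idle"),  # timer expired: claim
    ("idle", set(), [("set", "sender", TOP), ("set", "adr", TOP), ("set", "rnd", TOP)], "dec"),  # input claim
    ("dec", {"adr"}, [], "idle"),                                        # smaller address: filtered
    ("dec", {"adr"}, [("out", {"adr", "rnd"})], "idle"),                 # larger address: forwarded
    ("dec", {"adr", "rnd", "round"}, [("set", "worried", 0)], "critical"),  # own valid claim: elected
    ("idle", set(), [("set", "worried", ("worried",))], "idle"),         # time progress in a stable state
]
VARS = {"round", "worried", "sender", "adr", "rnd"}


def live_variables(trans):
    """Backward fixpoint: live(q) is the union, over q's outgoing transitions, of the
    variables read before being redefined on the way to live(target)."""
    live = {q: set() for t in trans for q in (t[0], t[3])}
    changed = True
    while changed:
        changed = False
        for src, guard, body, dst in trans:
            l = set(live[dst])
            for act in reversed(body):             # walk the body backwards
                if act[0] == "set":
                    l.discard(act[1])
                    l |= reads(act[2])
                else:
                    l |= set(act[1])
            l |= guard
            if not l <= live[src]:
                live[src] |= l
                changed = True
    return live


def reset_dead(trans, live):
    """Second reduction of the live-variable section: assign every variable that is dead
    in the target state a fixed value, so states differing only in dead variables coincide."""
    return [(s, g, body + [("set", v, 0) for v in sorted(VARS - live[d])], d)
            for s, g, body, d in trans]


def eval_expr(expr, env):
    if isinstance(expr, int):
        return expr
    return env.get(expr, TOP) if isinstance(expr, str) and expr != TOP else TOP


def join(a, b):
    """Merge the environments reaching a state: keep a value only if both agree."""
    return {v: a[v] if a.get(v) == b.get(v) else TOP for v in set(a) | set(b)}


def constant_propagation(trans, init_state, init_env):
    """Forward fixpoint: per control state, which variables hold a known constant."""
    env, work = {init_state: dict(init_env)}, [init_state]
    while work:
        q = work.pop()
        for src, _, body, dst in trans:
            if src != q:
                continue
            e = dict(env[q])
            for act in body:
                if act[0] == "set":
                    e[act[1]] = eval_expr(act[2], e)
            new = join(env[dst], e) if dst in env else e
            if new != env.get(dst):
                env[dst] = new
                work.append(dst)
    return env


def state_vector(live, consts):
    """Variables that must be stored per control state: live and not constant."""
    return {q: {v for v in live[q] if consts.get(q, {}).get(v, TOP) == TOP} for q in live}


if __name__ == "__main__":
    lv = live_variables(S1)
    cp = constant_propagation(S1, "idle", {"round": 0, "worried": 5,
                                           "sender": TOP, "adr": TOP, "rnd": TOP})
    for q in ("idle", "critical", "dec"):
        print(q, "live:", sorted(lv[q]), "constant:", {v: c for v, c in cp[q].items() if c != TOP},
              "stored:", sorted(state_vector(lv, cp)[q]))
```

The time-progress self-loop on idle is what keeps an active timer from being reported as constant; in critical the timer has just been reset, so only round has to be stored there.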
Compositional generation
As shown in the previous section, efficient reductions are obtained by replacing a model M by its quotient w.r.t. an equivalence relation like live. However, stronger reductions can be obtained by taking into account the properties under verification. In particular, it is interesting to consider a weaker equivalence R (which should be a congruence for parallel composition), able to abstract away non-observable actions. The main difficulty is to obtain the quotient M/R without generating M first.
A possible approach is based on the "divide and conquer" paradigm: it consists in splitting the program description into several pieces (i.e., processes or process sets), generating the model M_i associated with each of them, and then composing the quotients M_i/R. Thus, the initial program is never considered as a whole, and the hope is that the generated intermediate models can be kept small. This compositional generation method has already been applied for specification formalisms based on rendez-vous communication between processes, and has been shown efficient in practice [32-34]. To our knowledge it has not been investigated within an sdl framework, maybe because buffers raise several difficulties or due to the lack of suitable tools.
To illustrate the benefit of a compositional approach, we briefly describe here its application to the token ring protocol:
1. We split the if description into two parts: the first one contains processes S_1 and S_2 and the second one contains processes S_3 and S_4. For each of these descriptions the internal buffer between the two processes is a priori bounded to two places. Note that, when a bounded buffer overflows during simulation, a special overflow transition occurs in the corresponding execution sequence.
2. The lts associated with each of these two descriptions are generated considering the "most general" environment, able to provide any potential input. Therefore, the overflow transitions appear in these lts (claim and token can be transmitted at any time).
3. In each lts the input and output transitions relative to the internal buffers (Q_2 and Q_4) are hidden (i.e., renamed to the special action); then these lts are reduced w.r.t. an equivalence relation preserving the properties under verification. For the sake of efficiency we have chosen the branching bisimulation [35], which also preserves all the safety properties (e.g. mutual exclusion).
4. Each reduced lts is translated back into an if process, and these two processes are combined into a single if description, including the two remaining buffers (Q_1 and Q_3). It turns out that the lts generated from this new description contains no overflow transitions (they have been cut off during this last composition, which confirms the hypothesis on the maximal size of the internal buffers). The final lts is branching bisimilar to the one obtained from the initial if description. The gain obtained by using compositional generation in addition to static analysis can be found in Table 1 (line 4).
Results
We summarize in Table 1 the size of the lts obtained from the token-ring protocol using several generation strategies. The differences between the model generated by Objectgeode (line 1) and the one obtained from if (line 2) are due to the following reasons:
- the handling of timer expirations in Objectgeode involves two steps: first the timeout signal is appended to the input buffer of the process, and later it is consumed, whereas in if these two steps are collapsed into a single one, bypassing the buffer;
- Objectgeode introduces "visible" states for each informal decision, whereas these states do not appear in the model obtained from if.
The most spectacular reduction is obtained by the live-reduction: the reduced model is about 100 times smaller than the one obtained by direct generation, preserving all properties (models 2 and 3 are strongly bisimilar).
Finally, when considering as visible only the open and close signals, all four lts are branching bisimilar to the one shown in Figure 5, which proves, in particular, the mutual exclusion property of the protocol.
CONCLUSION AND PERSPECTIVES
We have presented the formalism if, which has been designed as an intermediate representation for sdl but can be used as a target language for other fdt, as it contains most of the concepts used in these formalisms. The use of if offers several advantages:
if has a formal semantics based on the framework of communicating timed automata. It has powerful concepts interesting for specification purposes, such as different urgency types of transitions, synchronous communication, and asynchronous communication through various buffer types (bounded, unbounded, lossy, ...).
if programs can be accessed at different levels through a set of well-defined api. These include not only several low-level model representations (symbolic, enumerative, ...) but also a higher-level program representation, where data and communication structures are still explicit. Using these api, several tools have already been interconnected within an open environment able to cover a wide spectrum of validation methods.
The if package is available at http://www-verimag.imag.fr/DIST SYS/IF. In particular, a translation tool from sdl to if has been implemented, which allows both experimenting with different semantics of time for sdl and analyzing real-life sdl specifications with cadp.
A concept which is not provided in if is the dynamic creation of process instances and the parameterization of processes; this is due to the fact that, in the framework of algorithmic verification, we consider only static (or dynamically bounded) configurations. However, it is foreseen in the future to handle some kinds of parameterized specifications.
The results obtained using the currently implemented static analysis and abstraction methods are very encouraging. For each type of analysis, it was possible to build a module which takes an if specification as input and generates a reduced one. This architecture allows chaining several modules to benefit from multiple reductions applied to the same initial specification. We plan to experiment with more sophisticated analyses, such as constraint propagation, and more general abstraction techniques. This will be achieved either by developing dedicated components or through the connections with tools like invest.
