Systematic and automatic verification of sensor networks by ZHENG MANCHUN
SYSTEMATIC AND AUTOMATIC
VERIFICATION OF SENSOR NETWORKS
MANCHUN ZHENG
NATIONAL UNIVERSITY OF SINGAPORE
2013
SYSTEMATIC AND AUTOMATIC VERIFICATION OF SENSOR
NETWORKS
MANCHUN ZHENG
(B.Sc., South China University of China of Technology and Design, 2008 )
A THESIS SUBMITTED FOR THE DEGREE OF
DOCTOR OF PHILOSOPHY
DEPARTMENT OF COMPUTER SCIENCE
NATIONAL UNIVERSITY OF SINGAPORE
2013
Declaration
I hereby declare that this thesis is my original work and it has been written by
me in its entirety. I have duly acknowledged all the sources of information
which have been used in the thesis.




c© 2013, Manchun ZHENG
To my parents and husband.
Acknowledgements
This thesis would not have been possible without the guidance and the help of
several individuals who in one way or another contributed and extended their
valuable assistance in the preparation and completion of this thesis.
First and foremost , I would like to give thanks to God for accompanying me
and strengthening me to overcome all difficulties throughout the Ph.D journey.
My deepest and heartfelt gratitude goes to my supervisor, Dr. Dong Jin Song for
his stimulating guidance, continuous suggestions and constant encouragement.
He has walked me through all the stages of my doctoral program, leading me
into the world of formal methods and model checking. Without his immense
support in various ways, I would not have completed the writing of this thesis.
I’m greatly indebted to my mentors Dr. Sun Jun and Dr. Liu Yang, who have
instructed and helped me a lot in the past five years. I thank them for introducing
me to the exciting area of sensor network verification. Their supervision and
involvement in this work has triggered and nourished my intellectual maturity,
which would be beneficial for the rest of my life. My sincere appreciation also
goes to Dr. David Sanán for his involvement and crucial contribution. He has
helped me a lot in the past years and contributed a lot to the progress of this
research.
I would like to express my great gratitude to Dr. Chin Wei Ngan and Dr.
Chan Mun Choon for their valuable suggestions and insightful comments on my
research work. I have special thanks to Dr. Gu Yu, Dr. Chen Chunqing and Mr.
Luu Anh Tuan for their research collaborations. I’m grateful to my senior Dr.
Zhang Xian and fellow student Zhang Shaojie for their support and friendship
throughout these years.
My sincere appreciation also goes to my beloved friends from churches and Chris-
tian fellowships. Their continuous prayers, support and care have helped me to
get through all circumstances. Especially, I want to thank my spiritual mentors
Ms. Josephine Siao and Dr. Esther Goh.
I’m deeply indebted to my parents, my sister and my brother for their encour-
agement, support and love. Last but not least, my heartfelt appreciation goes to
my husband Lin Hai Ting, who has been a spiritual friend, lover and schoolmate
that supports and loves me in everything during my PhD journey.

Contents
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
List of Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
1 Introduction 1
1.1 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.3 Thesis Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2 Preliminaries 10
2.1 TinyOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 The NesC Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3 Interrupt Handlers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.4 Software Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.4.1 Properties Specification . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.4.2 Propositional Logical Formula Definition . . . . . . . . . . . . . . . . . 18
2.4.3 State Reachability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.4.4 LTL Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3 Related Work 22
3.1 Formal Modeling and Analyzing SNs . . . . . . . . . . . . . . . . . . . . . . . 22
3.1.1 Process Algebra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.1.2 Calculus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.1.3 Timed Formalism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.1.4 Probabilistic Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.2 Verification Techniques for TinyOS-based SNs . . . . . . . . . . . . . . . . . . 25
3.3 Domain-specific Tools for SN Verification . . . . . . . . . . . . . . . . . . . . 27
3.4 Partial Order Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
i
4 Translation-based Verification of SNs 33
4.1 STCSP Semantics for TinyOS . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4.2 Generation of STCSP Model . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
4.3 Experiments and Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5 Direct Verification of SNs 44
5.1 Formal Semantics of NesC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.1.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.1.2 Operational Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
5.2 Formalization of TinyOS Execution Model . . . . . . . . . . . . . . . . . . . . 58
5.2.1 Hardware Model Collection . . . . . . . . . . . . . . . . . . . . . . . . 58
5.2.2 Interrupt Operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
5.3 Network Composition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
5.4 Modeling Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
5.5 Model Checking Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
5.6 Experiment and Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
5.6.1 Comparison with NesC2STCSP . . . . . . . . . . . . . . . . . . . . . . 65
5.6.2 The Trickle Algorithm: a Case Study . . . . . . . . . . . . . . . . . . . 65
5.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
6 Reduction and Optimization 71
6.1 Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
6.1.1 A Motivating Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
6.1.2 Local Independence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
6.1.3 Global Independence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
6.2 Cartesian Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
6.2.1 Sensor Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
6.2.2 SN Cartesian Vector . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
6.3 Two-level POR Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
6.3.1 State Space Exploration . . . . . . . . . . . . . . . . . . . . . . . . . . 82
6.3.2 SNCV Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
6.3.3 Sensor Prefix Generation . . . . . . . . . . . . . . . . . . . . . . . . . . 84
6.3.4 Persistent Set Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 86
6.4 Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
6.5 Experiments and Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
6.5.1 Example: the Blink Application . . . . . . . . . . . . . . . . . . . . . . 93
6.5.2 Enhancing NesC@PAT with Two-level POR . . . . . . . . . . . . . . . 95
6.5.3 Comparison with T-Check . . . . . . . . . . . . . . . . . . . . . . . . . 97
6.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
7 NesC@PAT 99
7.1 PAT Model Checking Framework . . . . . . . . . . . . . . . . . . . . . . . . . 100
7.2 System Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
7.2.1 Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
7.2.2 Parser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
7.2.3 Model Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
7.2.4 Verification Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
7.2.5 Simulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
7.2.6 POR Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
7.2.7 Translator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
8 Conclusion 107
Bibliography 111
A NesC Language Reference 124
A.1 Interface Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
A.2 Component Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
A.3 Component Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
A.4 Module Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
A.5 Configuration Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
B Syntax of Logical Formulas 132




Sensor networks (SNs) are experiencing increasing application nowadays, many
of which are performing critical tasks like fire detection, surveillance monitoring,
etc. In this thesis, we investigate how software verification techniques could
be adopted to systematically model check SNs implemented in NesC/TinyOS,
which is one of the most widely used platforms for developing SNs.
Firstly, we translate a NesC program to a semantically equivalent specification
in Stateful Timed CSP (STCSP), and hence model checkers for STCSP like
PAT can be used to formally verify the NesC program. This work analyzes
and formalizes the execution model of TinyOS applications and defines mapping
rules between NesC and STCSP. However, this approach suffers from several
drawbacks including overhead introduced in the translation, difficulty in mapping
the verification results to the original NesC program, and so on.
In order to directly examine the behaviors of SNs thoroughly, we develop the di-
rect verification approach so that the capability of revealing errors/bugs could be
maximized. On one hand, the semantics of the NesC language is formalized and
formal definitions are presented to describe the event-driven execution model of
TinyOS applications. On the other hand, we propose a compositional method
to build a sensor network model from individual sensors with a given topology.
The complete semantics of SNs is defined as a set of 66 firing rules. This for-
malization is then used to obtain the state space of a given sensor network, with
fine-grain behaviors such as updating a variable. Model checking algorithms are
developed to verify SNs against safety properties and liveness properties.
In order to perform efficient verification, we propose a novel two-level partial
order reduction (POR) approach for SNs, which reduces unnecessary interleaving
among sensors and among interrupts and tasks within each individual sensor. We
have proved that our POR approach is sound and complete, preserving LTL-X
properties. This approach has provided the opportunity for developing model
checking techniques directly on NesC programs through the formal semantics
of SNs. Moreover, the two-level POR greatly reduces the state space of SNs,
making verification tasks efficient and effective. This novel POR approach could
be extended for systems with various levels of concurrency.
Our work has been implemented as the domain-specific model checker NesC@PAT.
We have studied the performance of NesC@PAT by verifying a number of real-
world applications, and quantitatively compared the reduction ratio of our tool
with a similar tool T-Check [89]. The results have shown that the POR approach
is able to achieve reduction by a factor of at least 102-1010 and that our POR
approach outperforms T-Check. The two-level POR approach significantly im-
proves the performance of NesC@PAT, allowing SNs with programs of thousands
of LOC (lines of code) to be fully verified. We believe that NesC@PAT can be
used by SN developers to conveniently verify their SN programs before network
deployment and thus will help improve the reliability of SNs.
Key words: Sensor Networks, Formal Verification, Software Verifica-
tion, Model Checking, Partial Order Reduction, Cartesian Semantics,
TinyOS, NesC, Sensor Network Protocol
List of Tables
2.1 Common-used NesC Constructs . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2 LTL Operators [129] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4.1 The Mapping Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.2 STCSP processes for NesC constructs . . . . . . . . . . . . . . . . . . . . . . 40
4.3 Verification Results of NesC2STCSP . . . . . . . . . . . . . . . . . . . . . . . 42
4.4 Summary of syntax supported by NesC2STCSP . . . . . . . . . . . . . . . . . 42
5.1 Components of the Messaging Device . . . . . . . . . . . . . . . . . . . . . . . 58
5.2 Comparison of Language Features Supported . . . . . . . . . . . . . . . . . . 66
5.3 Comparison of Performance Features Supported . . . . . . . . . . . . . . . . . 67
5.4 Verifying Trickle Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
5.5 Summary of semantic rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
6.1 Performance of Two-level POR . . . . . . . . . . . . . . . . . . . . . . . . . . 96
6.2 Comparison with T-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97




1.1 A Motivating Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1 TinyOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2 TinyOS and NesC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3 Examples of Invoking Nested Function . . . . . . . . . . . . . . . . . . . . . . 14
2.4 Pseudo Code of Hardware Service Implementation . . . . . . . . . . . . . . . 15
2.5 Modeling Hardware Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.6 Assertion Annotation Language . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.1 The Architecture of Gratis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.2 The Modeling Flow by BIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.1 Source code of the Blink application . . . . . . . . . . . . . . . . . . . . . . . 34
4.2 Task scheduler model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4.3 Interrupt manager model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.4 The Execution Model of TinyOS . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.5 Modeling Split-phase Operations . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.6 Modeling a component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
5.1 Event AMControl .startDone . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
5.2 An expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.3 LTS of the expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.4 Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
5.5 LTS of the assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
5.6 return statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.7 LTS of the return statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.8 for statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
5.9 LTS of the for statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
5.10 Example Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.11 Completion Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
5.12 An SN Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
5.13 Network Topology: Star, Ring, Single-track Ring . . . . . . . . . . . . . . . . 67
ix
5.14 Real Executions on Iris Motes . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.1 Pruned State Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
6.2 State Graph of a Blink Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
6.3 State graph of a 2-node Blink network after POR . . . . . . . . . . . . . . . . 95
6.4 Comparing NesC@PAT with T-Check . . . . . . . . . . . . . . . . . . . . . . 97
7.1 PAT Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
7.2 Architecture of NesC@PAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
7.3 The Editor of NesC@PAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
C.1 STCSP Grammar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
List of Algorithms
1 DFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
2 State Space Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
3 Sensor Network Cartesian Vector Generation . . . . . . . . . . . . . . . . . . 84
4 Prefix Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
5 Task Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
6 Interleaving Interrupts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
7 Persistent Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
8 DFS with POR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
9 DFS with POR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105





Sensor networks (SNs) are built on small sensing devices (i.e., sensors), which are then
distributed in outdoor or indoor environments to conduct certain tasks. Recently, SNs have
been increasingly used to develop various safety-critical systems, such as railway signaling,
enemy intrusion detection, autopilot, fire detection, landslide detection and so on [6]. Such
systems are usually expected to run unattended for a long period like several months or
even years. Henceforth, failures or errors of these systems might cause severe damage to the
environment and even human lives. Thus, it is significantly important to develop reliable
and correct SNs, which, however, is highly challenging in the following aspects.
First, the behavior of a sensor is usually interrupt-driven. For example, a sleeping sensor
might be waken up by a packet arrival. Most interrupts are related to uncertain external
events like packet arrival, data sampling and so on. TinyOS [87], one of the most widely
used operating systems for sensor networks, provides an interrupt-driven execution model
for SN applications. NesC [53], the programming language of TinyOS applications, provides
fine-grained control over the underlying devices and resources. The interrupt-driven feature
has made the behavior of a single sensor complex and unpredictable.
Second, sensors are highly distributed in SNs and are allowed to independently execute
concurrently. This loose concurrency among sensors make the behavior of an SN complicated
and difficult to be analyzed thoroughly.
Third, sensor networks are usually running in unreliable environments and it is difficult
to analyze SNs without sufficient information of the environments.
A number of simulating and debugging tools have been proposed for analyzing TinyOS
applications, such as TOSSIM [86], TOSSF [128], etc. However, such tools lack the ability
for finding bugs/errors thoroughly, especially those occurring at rare and unexpected sce-
narios like an overflowing buffer. Considering the fragment of a NesC program shown in
Figure 1.1(a) where the statement post sendTask() tries to enqueue the task sendTask to
TinyOS’s task queue, if the post fails, then the statement post sendTask() will never have
the chance to execute again, because the variable sendTaskBusy remains True. The most
probable reason of the failure of a post statement is the overflow of the task queue, which
1
1 re su l t_t tryNextSend ( ){
2 atomic {
3 i f ( ! sendTaskBusy){
4 post sendTask ( ) ;
5 sendTaskBusy = TRUE;
6 }
7 } . . .
8 }
9 void task sendTask ( ){
10 . . .
11 sendTaskBusy = FALSE;
12 . . .
13 }
(a) Buggy code
1 re su l t_t tryNextSend ( ){
2 atomic{
3 i f ( ! sendTaskBusy){
4 i f (SUCCESS != post sendTask ( ) )
5 sendTaskBusy = FALSE;
6 e l s e sendTaskBusy = TRUE;
7 } . . .
8 }
9 void task sendTask ( ){
10 . . .
11 sendTaskBusy = FALSE;
12 . . .
13 }
(b) Revised code
Figure 1.1: A Motivating Scenario
is extremely rare though could lead to severe consequences. Therefore, it is significant to
be aware of the existence of this scenario. However, it is very difficult to identify such a
specific issue by merely testing or simulating. Thus, a more powerful approach, other than
testing or simulating, is required, so as to explore all possible scenarios of a sensor network
to detect errors caused by rare but critical events.
Due to the highly distributed nature of SNs, it is difficult and complex to supervise or
analyze their behaviors at run time. Therefore, apart from bug detection, it is significant for
developers to know whether SNs are faithful to their requirements and system specifications
before deployment. For example, in a fire detection system, it is desirable that whenever
the system “feels” that there is fire then the alarm should be ringing. Another example
is in a railway signaling system, it is crucial that whenever a train enters an available
section, a blocked signal of that section should be released. Such problems are referred to
as temporal properties because they are qualified in terms of time, described using terms
such as whenever , eventually and so on. To solve such problems, one needs to thoroughly
examine the behavior of SNs. Traditional approaches like testing, debugging or simulating
only check limited scenarios of SNs and thus are incapable of solving this problem. Again,
there is a need for approaches that systematically and exhaustively examine the system
space of an SN and answer the question if the SN satisfies specific temporal properties.
Software verification techniques [11] have been proposed and adopted to successfully
verify many systems and projects (e.g., [72]). Model checking [11] is one of the most widely
used verification techniques, which checks desirable properties by systematically exploring
the complete state space of the given system. On one hand, model checking systems against
safety properties will reveal all possible safety violations, i.e., bugs or errors. One recent
success is the full verification of the Intel i7 chip using model checking techniques [78].
On the other hand, model checking systems against liveness properties will answer the
question if some desirable behavior will eventually happen. Liveness properties are usually
2
Chapter 1. Introduction
expressed in temporal logic, like Linear Temporal Logic (LTL) [105] and Computation Tree
Logic (CTL) [31]. For example, an LTL formula “23send ∧ 23receive ” will check if a
sensor is able to send and receive new messages infinitely often. If one wants to find the
potential bug mentioned in Figure 1.1(a), a temporal property saying that sendTaskBusy
should be set to False infinitely often can be defined, i.e., “23(sendTaskBusy = False)”.
Model checking techniques will then explore the whole system state space to decide whether
a counterexample could be evidenced. With the counterexample, one may resolve the bug
with the revised code shown in Figure 1.1(b).
The ability for finding errors of verification techniques has made formal verification more
and more popular in many domains, including sensor networks. A number of approaches
and tools have been published for modeling and verifying SN applications or SNs. And they
could be grouped into three categories.
The first is to manually establish formal models for SN applications using various formal
specification techniques [120, 133, 13, 106, 63, 122, 121], and then use an off-the-shelf model
checker to perform verification. Such approaches contribute to the analysis of sensor net-
work systems, but they are limited in two aspects. First, these approaches rely on manual
modeling of SNs which is non-trivial and could cause false results. Second, since the formal
relationships between formal models and SN programs are absent, these approaches have no
guarantee of the correctness of the final implementation even if the model has been refined
and verified to be completely correct.
Approaches in the second category model, analyze and verify SNs with NesC programs
specifically for TinyOS. TinyOS applications have been modeled as hybrid automata [38],
interface automata [158, 159], CSP [107], LOTOS [132], etc. Such approaches have helped
developers to model and analyze sensor network systems, but they still cannot guarantee
the correctness of the implementation code that is put into practice, because the formal
relationships between formal models and source code are missing. Further, most of these
approaches are not implemented as automatic tools and thus they require extra human effort
for building models.
The approaches of the third category are automatic analysis or verification tools for
sensor networks. There have been approaches for interface contract [8], finite state machine
generation [80], security protocol implementation verification [66, 69], source code verifica-
tion [111, 162, 26, 89, 27] for SNs, etc. Although these existing approaches have contributed
a lot to analyzing and finding bugs of TinyOS applications or SNs, few of them simulate
or model the interrupt-driven execution model of TinyOS. Further, only a few are dealing
with the whole network rather than individual sensors, and the former is obviously more
complex.
Model checking is often applied to high-level modeling languages like CSP [74], LOTO-
S [20], Promela [75] and so on, that describe the behavior of the system under analysis.
Manual translation of implementation code into formal models is a non-trivial task and can
3
1.1. Objectives
introduce additional errors that do not exist in the original code. Therefore, automatic
and direct verification of implementation code is important and necessary. Consequently,
it would be beneficial to develop an automatic verification tool for TinyOS applications of
SNs. However, the complex system behavior of SNs usually causes the infamous state space
explosion problem, and thus makes verification highly challenging.
The state space of a sensor network can be very huge. For example, given a sensor
network consisting of n sensors, each of which has m states, the size of the state space is in
the order of nm . In practice, a typical sensor program might consist of hundreds/thousands
of lines of code (LOC), which introduces a state space of tens of thousands states, considering
only concurrency among internal interrupts. As a result, existing tools usually cover only
a fraction of the state space and/or take a long time. For instance, the work in [25, 27] is
limited to a single sensor, whereas the approaches in [69, 107, 89, 172] work only for small
networks. The solutions in [111, 162] rely on aggressive abstraction techniques and thus is
limited to particular properties only. Furthermore, T-Check [89] which is based on stateless
model checking that keeps no track of explored states takes days or even months to detect
a faulty state.
In an SN, the only shared or “global” resource among sensors is the message buffer of
each sensor, because one sensor sending a packet may update the message buffer of another
sensor. This nature makes partial order reduction techniques nicely suitable for SNs. For
example, the interleaving among sensors could be neglected if there is no communication
involved [89]. However, existing partial order reduction approaches for SNs only employ a
small portion of possible reduction [24, 89], and thus more rigorous reduction techniques are
in need.
In this work, we study how to make use of the powerful verification capability of model
checking techniques for developing SNs with high reliability and correctness, tackling the
verification challenge through appropriate reduction techniques.
1.1 Objectives
There have been a number of approaches for modeling and verifying sensor networks. Al-
though some of the existing approaches were able to detect and reveal bugs of some TinyOS
applications [89], there are still research gaps in verifying SNs, summarized as follows.
• Few of the current approaches simulate or model the interrupt-driven execution model
of TinyOS, and thus are incapable of checking bugs/errors introduced by the concur-
rency of interrupts.
• Only a few [69, 111, 162, 89] are dealing with the whole networks, which are obviously
more complex than individual sensors, since networked behaviors, including the con-




• The state space of sensor networks is incompletely explored and existing approaches
are limited to debugging rather than verification. However, the complete exploration
of the state space is non-trivial and highly challenging due to the state space explosion
problem.
• There is no support for checking temporal properties, such as “whenever a packet is
sent, it should eventually received by some sensor”. Checking temporal properties is
more complicated compared to non-temporal ones.
• The rules for conducting state space reduction of existing approaches are naive, e.g.,
only identifying unnecessary interleaving among sensors based on communication pat-
terns [89]. The performance of reduction techniques could be further improved by
handling intra-sensor concurrency and there is a need for an enhanced reduction ap-
proach.
Goals To summarize, among existing approaches no one verifies SNs completely and ef-
ficiently. Consequently, the main goal of this research is to develop a systematic and self-
contained approach for completely and efficiently verifying SNs. In other words, we want
to exhaustively analyze NesC programs in order to detect bugs/errors thoroughly, in an
efficient way with satisfactory performance and verification speed. However, it is non-trivial
and highly challenging to achieve this objective, due to the following reasons:
• The syntax and the semantics of the NesC language are complex [53] compared to
those of formal modeling languages. To the best of our knowledge, there has not been
any formal semantics for the NesC language. Thus establishing formal models from
NesC programs is non-trivial.
• TinyOS provides hardware operations on motes (i.e., sensors) which can be invoked by
NesC programs including messaging, sensing and so on [54, 52]. Therefore, modeling
NesC programs (executing on TinyOS) requires modeling the behaviors of hardware
at the same time.
• TinyOS adopts an interrupt-driven execution model, which introduces local concurren-
cy (i.e., intra-sensor concurrency) between tasks and interrupts, increasing the com-
plexity of model checking NesC programs.
• Inter-sensor concurrency and intra-sensor concurrency have made the system state
space increase exponentially, which leads to the state space explosion problem easily.
Scope In this thesis, we will only focus on the approaches for verifying SNs in TinyOS/-
NesC, not considering the verification of SNs in other platforms like Contiki [111]. This
is because TinyOS is one of the most widely used platforms for developing SNs, and the
5
1.1. Objectives
methodologies studied in this thesis could be applied to the verification of SNs on other plat-
forms. Moreover, the features of SNs not considered in our work include energy analysis,
hardware errors, node failure or reboot, node movement and so on, for the reasons that our
work focuses on the analysis of SN implementation with the assumption that hardware de-
vices are working well, and that we focus on non-probabilistic verification approaches which
are incapable of analyzing failure behavior.
Our work contains a translation-based approach for modeling and verifying TinyOS ap-
plications, which translates NesC programs into STCSP (Stateful Timed CSP) [143] models
and uses the model checker PAT [144] to perform verification tasks. However, this ap-
proach only supports single-node applications and the scalability is highly limited because
of the redundant states introduced by the semantic difference. Thus there is a need for
direct-verification approaches.
To perform direct verification for sensor networks, we formalize the semantics of sensor
networks. The formalization of SNs includes a component model library for hardware, and
the formal definitions of NesC programs and the TinyOS execution model. Based on these,
the labeled transition systems (LTSs) of individual sensors are constructed directly from
NesC programs. With a network topology that specifies how the sensors are connected,
the LTS of an SN is then composed (on-the-fly) from the LTSs of individual sensors. The
complete formal semantics of SNs is defined as a set of 66 firing rules, including rules for
NesC language constructs, the TinyOS execution model, device concurrency and network
composition. Model checking algorithms are adopted to support the verification of safety
and liveness properties, specified as state reachability and LTL [105] formulas. Both the
state space of an individual sensor and that of the whole SN can be explored for verification.
In order to support the analysis of large programs and larger networks, we propose
a novel two-level partial order reduction (POR) approach which takes advantage of the
unique features of SNs as well as NesC/TinyOS. Existing POR methods [61, 34, 50, 164,
65] reduce the state space of concurrent systems by avoiding unnecessary interleaving of
independent actions. In SNs, there are two sources of “concurrency”. One is the interleaving
of different sensors, which would benefit from traditional POR. The other is introduced by
the internal interrupts of sensors. An interrupt can occur anytime and multiple interrupts
may occur in any order, producing numerous states. Applying POR for interrupts is highly
nontrivial because all interrupts would modify the task queue and lead to different sequences
of scheduled tasks at run time. Our method extends and combines two different POR
methods (one for intra-sensor interrupts and one for inter-sensor interleaving) in order to
achieve better reduction. We remark that applying two different PORmethods in this setting
is complicated, due to the interplay between inter-sensor message passing and interrupts
within a sensor (e.g., a message arrival would generate interrupts). We also show that the
two-level POR is sound and complete for LTL-X properties, i.e., properties specified as LTL
formulas without the next operator.
6
Chapter 1. Introduction
Our approach has been implemented as the NesC module in PAT [97, 144, 99], named
NesC@PAT. The core of NesC@PAT consists of 153K lines of C# code, exclusive of its
GUI implementation. We study the performance of NesC@PAT by a number of real-world
applications such as the Trickle algorithm [88], an anti-theft application, etc. We also quanti-
tatively compare the reduction ratio of our tool with a similar tool T-Check [89]. The results
show that our POR approach is able to achieve reduction by a factor of at least 102-1010 and
that our POR approach outperforms T-Check. The two-level POR approach significantly
improves the performance of NesC@PAT, allowing SNs with programs of thousands of LOC
(lines of code) to be fully verified.
1.2 Contributions
The results of this thesis would be beneficial to SN developers by providing them with
an automatic and complete tool to verify SN implementation against various properties.
Moreover, the semantics of SN implementations formalized in this research could contribute
to bridging low-level programming languages and formal modeling approaches. Furthermore,
the two-level POR approach presented in this thesis could be extended and applied to other
concurrent systems, making software verification feasible for complex systems. We highlight
our contributions as follows.
• The translation-based approach defines a set of mapping rules from NesC language to
STCSP models, which provides the opportunity to analyze or verify sensor network
applications with existing model checkers. And the translation methodology could be
reused by other researchers to translate NesC programs into formal models other than
STCSP.
• We formally define the operational semantics of NesC, TinyOS and SNs. New semantic
structures are introduced for modeling the TinyOS execution model and hardware-
related behaviors like timing, messaging, etc.
• The direct-verification approach works directly on NesC programs, without building
abstract or formal models before applying verification techniques. Manual construction
of models is avoided, which makes our approach useful in practice.
• The interrupt-driven feature of the TinyOS execution model is preserved in the LTS’s
generated in our approach. This allows concurrency errors between tasks and inter-
rupts to be detected.
• Our approach supports the verification of both safety and liveness properties. This
provides flexibility for verifying different properties to guarantee the correctness of
SNs. Moreover, the expressive power of LTL has allowed to define significant liveness
properties (e.g., the infinite occurrences of an event).
7
1.3. Thesis Structure
• The two-level POR approach greatly reduces the state space of SNs, making verifi-
cation tasks efficient and effective. This novel POR approach could be extended for
systems with various levels of concurrency to achieve substantial reduction.
Publications
Most of the work presented in this thesis has been published in international conference
proceedings or journals.
The translation-based verification of sensor network of Chapter 4 was presented in the
4th IEEE International Conference on Secure Software Integration and Reliability Improve-
ment SSIRI’10 (Jun 2010) [170]. The work in Chapter 5 was presented in the 13rd In-
ternational Conference on Formal Engineering Methods ICFEM’11 (Oct 2011) [172]. The
tool NesC@PAT presented in Chapter 7 was demonstrated in the 9th ACM Conference on
Embedded Networked Sensor Systems SenSys’11 (Nov 2011) [173]. The work in Chapter 6
was presented in the 14th International Conference on Verification, Model Checking, and
Abstract Interpretation VMCAI’13 (Jan 2013) [171]. I also made contributions to other
publications [155, 29, 30] which are remotely related to this thesis.
For all the publications mentioned above, I have contributed substantially in both theory
development and tool implementation.
1.3 Thesis Structure
The rest of this thesis is organized as follows.
Chapter 2 provides the preliminary knowledge of this work. First, we introduce the
important features and concepts of TinyOS and NesC, explaining how the NesC language
supports TinyOS’s interrupt-driven execution model. Second, software verification tech-
niques, especially model checking techniques, are briefly introduced, as well as the assertion
annotation language that is used in our work to define verification goals.
Chapter 3 provides the related work review, including approaches for modeling and
analyzing sensor networks, NesC programs, TinyOS applications and partial order reduction
techniques for various systems and programming languages.
Chapter 4 presents the translation-based verification approach of SNs, which automati-
cally obtains STCSP models from NesC programs and uses the model checker PAT to verify
the generated models.
Chapter 5 discusses the direct verification approach for SNs, which obtains LTS’s from
sensor networks running NesC programs. First, the operational semantics of NesC language
constructs is defined in the form of firing rules. In addition, specific operators are intro-
duced to obtain the behaviors of TinyOS’s interrupt-driven execution model. Second, the
network compositional rules are developed to describe networked behaviors. After that,
the verification algorithms for safety and liveness properties of PAT are reused to perform
8
Chapter 1. Introduction
verification tasks. We also study how this approach verifies sensor networks implemented
with a code propagation protocol, i.e., Trickle. Experiments are carried out with different
network topologies and network sizes, and results show that this approach is able to detect
previously unknown bugs.
Chapter 6 discusses a two-level POR approach for optimizing the performance of veri-
fication. Networked actions and intra-sensor actions are analyzed to identify their commu-
tativity, so that the state space of a given sensor network can be reduced. We refer to the
analysis of commutativity as independence analysis in our work. Based on the independence
analysis, we propose the sensor network cartesian semantics which obtains a state space that
is smaller but sound for a certain property. We study the performance of the POR method,
and a comparison with the similar tool T-Check [89] is also presented.
Chapter 7 presents the domain-specific model checker NesC@PAT, which verifies sensor
networks against safety properties and liveness properties. The two-level POR approach
presented in Chapter 6 is integrated in NesC@PAT to obtain better performance. The
translation-based approach described in Chapter 4 is included in NesC@PAT as well, pro-
viding the comparison of direct verification and translation-based verification.





This chapter contains the preliminary knowledge of this thesis. Sections 2.1 and 2.2 introduce
TinyOS and NesC, the operating system and programming language for sensor networks,
respectively; Section 2.3 discusses how interrupts are implemented by TinyOS/NesC and
how we abstract interrupt handlers for modeling SN applications; and Section 2.4 introduces
general software verification and model checking techniques.
2.1 TinyOS
TinyOS [40, 87, 54, 52, 85] is an operating system for embedded systems, which was designed
to make the best use of limited resources of hardware, and to support platform-independent
programming by dealing with low-level operations of different sensor platforms including
Micaz, Iris, Teslob, etc. The platform-independency of TinyOS has attracted many SN
developers and now there are a large number of sensor network applications implemented
based on TinyOS, such as the Collection Tree Protocol [57], the Trickle algorithm [88], and
so on. TinyOS implements an interrupt-driven execution model for SN applications, with
the concepts of tasks, commands and events, as illustrated in Figure 2.1(a). Tasks are
deferred computations, which are scheduled in a certain order, e.g., FIFO (first in first out).
Tasks always run until completion, i.e. only after a task is completed, can a new task start
its execution. In contrast, interrupts are preemptive and always preempt tasks. Commands
and events are similar to traditional functions, except that they are related to interfaces and
components. We will discuss the concepts of commands and events in Section 2.2 where we
introduce the NesC language.
TinyOS is implemented in NesC, with a component library for hardware operations
like sensing, messaging, timing, etc. The TinyOS component library adopts a three-layer
Hardware Abstraction Architecture (HAA), including Hardware Presentation Layer (HPL),
Hardware Adaptation Layer (HAL) and Hardware Interface Layer (HIL) [87, 52], as shown in
Figure 2.1(b). The design of HAA gradually adapts the capabilities of the underlying hard-











1 i n t main ( ) . . . {
2 atomic {
3 plat form_bootstrap ( ) ;
4 c a l l Scheduler . i n i t ( ) ;
5 c a l l P l a t f o rmIn i t . i n i t ( ) ;
6 . . .
7 }
8 // enable i n t e r r up t s
9 nesc_enable_interrupt ( ) ;
10 // execute boot event
11 s i g n a l Boot . booted ( ) ;
12 // s t a r t the task s chedu l e r
13 c a l l Scheduler . taskLoop ( ) ;
14 // te rminates
15 re turn −1;
16 }
(a) TinyOS Boot Function
Configu-
ration










1. A component 
















(b) Call graph of NesC programs
Figure 2.2: TinyOS and NesC
application code. To model TinyOS applications, it is unavoidable to model the behaviors
of hardware operations in a way that is faithful to the component library.
Since version 2.0, each TinyOS application should contain a component MainC (pre-
defined by TinyOS) that implements the boot function of a sensor [85]. Figure 2.2(a)
sketches the function that implements the boot function. At first, the scheduler, the hard-
ware platform and other necessary software components are initialized (lines 2-7). Then
interrupts are enabled (line 9) and the event booted of interface Boot (Boot.booted) is sig-
naled (line 11), after which the scheduler repeatedly runs tasks that have been enqueued
(line 13). The execution of lines 2 to 7 is usually short and always handled by TinyOS.
Therefore, our approach assumes that this part is always correct and the starting point of
modeling the behaviors of a sensor is considered as the execution of the event Boot.booted.
11
2.2. The NesC Language
NesC Construct Example Remark
Command command error t AMControl.start(){· · · } There are commands, events and
tasks besides ordinary functions.
The only difference among them
is the way of invocation. A task
is a parameterless function
without any return value.
Event
event message t* Receive.receive
(message t* msg, · · · , uint8 t len)
{· · · return msg; }
Task task void setLeds(){· · · }
Call call Timer.startPeriodic(250); Call, signal and post are function
calls, invoking commands, events
and tasks, respectively.
Signal signal Timer.fired();
Post a task post setLeds();
Atomic atomic{x = x + 1;call AMSend.send(dst, pkt);}
Interrupts are disabled within
an atomic block.
Table 2.1: Common-used NesC Constructs
2.2 The NesC Language
NesC (Network-Embedded-System C) [53] was proposed to develop TinyOS applications, by
embodying the structural concepts and the execution model of TinyOS. The interrupt-driven
feature of TinyOS is achieved by tasks and interrupts in NesC. Besides, as a dialect of C,
NesC inherits many C features like control statements, variable types, pointers and so on.
These have made NesC source code complex and difficult to understand, and even tedious
to analyze its correctness. The syntax of the NesC language can be found in Appendix A.
NesC has two basic modular concepts: interface and component. An interface declares
a number of commands and events. A command denotes the request for an operation, and
a corresponding event indicates the completion of that operation. Commands and events
together are the basis of split-phase operations [53], which separate requests and responses
for long services and operations. In this way, NesC achieves a non-blocking programming
convention.
An interface can be either provided or used by a component. In NesC, there are two types
of component, i.e. configuration and module. A configuration indicates how components are
wired to one another via interfaces. A module implements the commands declared by its
provided interfaces and the events declared by its used interfaces. Commands and events
are two types of functions, and task is the third. A component may call a command or
signal an event of an interface. Table 2.1 exemplifies the common-used constructs of the
NesC language and more syntax of NesC can be found in [55].
A call graph describes the wiring relation between components. Figure 2.2(b) illustrates
a general call graph of NesC programs. Inside a configuration, a second-level configuration
can be wired to a third component, where the second-level configuration itself contains a
wiring relation between a set of components. Thus, the call graph of a NesC program might
12
Chapter 2. Preliminaries
be a hierarchical “tree” of components, where intermediate nodes are configurations and
leaves are modules.
Although NesC is an extension of the C language, it does not support advanced C features
like dynamic memory allocation, function pointers, multi-threading and so on, which makes
it an ‘easier’ target for formal verification. Nonetheless, it supports almost the same set
of operators, data types, statements and structures as C does and, in addition, NesC-
specific features such as calling a command, signaling an event, posting a task and so forth.
Therefore, verifying NesC programs is highly non-trivial and the challenges are illustrated
in the following.
• Function calls like calling a command or signaling an event can be complex if the mod-
ule invoking the command/event and that implementing it are wired via a hierarchical
call graph.
• NesC allows local variables declared in functions or even in statement blocks, just like
C does. Typically, compilers maintain a stack to handle variables of different scopes.
However, it is tedious and complex to model the variable stack. A common solution is
to carefully rename variables to avoid naming conflicts. This increases the complexity
of the modeling procedure.
• NesC is a typed programming language, and all data types of C including array and
struct are supported. There are also type operations (e.g. type casting) supported by
NesC. Therefore, modeling NesC should take into account type operations.
• There are other expressive features of NesC, which are inherited from C that make it
complex. Examples of such features include pointers, generic interfaces and compo-
nents using types as parameters, definition of types, pre-compilation, etc [55].
We remark that our approach targets NesC programs and does not necessarily support the
verification of C programs. In the following, we briefly explain how we handle the above
“troubling” features.
Fortunately, NesC is static [53], i.e. no dynamic memory allocation or function pointers.
Thus the variable access and the call graph can be completely captured at compile time.
In our work, we treat a pointer as a normal variable, the value of which is a reference to a
certain variable. We develop a parser to produce the call graph of a NesC program with the
function (command, event, task or normal function) bodies defined by each component. A
nested search algorithm is designed to traverse the call graph to obtain the corresponding
function body once a function is invoked.
Local variables are modeled statically in our approach, with a renaming method to avoid
naming conflicts. Nested function calls are supported, e.g., foo(f (1), f (2)) in Figure 2.3(a),
with the assumption that there is no “cycle” within the calling stack. As for the function
foo defined in Figure 2.3(b), our approach is unable to distinguish which function foo in the
13
2.2. The NesC Language
1 void main ( ){
2 foo ( f ( 1 ) , f ( 2 ) ) ;
3 }
4 i n t foo ( i n t a , i n t b){
5 re turn ( a + b ) ;
6 }
7 i n t f ( i n t u){
8 re turn (u ∗ 2 ) ;
9 }
(a) Nested Function Call
1 i n t foo ( i n t u){
2 i n t v = u ;
3
4 i f (v < 100){
5 return v + foo (v+1);
6 }
7
8 return v ;
9 }
(b) Recursive Function
Figure 2.3: Examples of Invoking Nested Function
calling stack that the variable v belongs to, because we rename a local variable according to
the position of its declaration. Thus distinguishing the variable v in the recursive function
foo in Figure 2.3(b) becomes costly and we get rid of such cases by restricting our approach to
supporting code without this feature. Such restriction is modest, because the most common
invocation cycle of NesC programs lies in the split-phase operations, i.e. when a command
finishes it signals an event and in the end of the event the command is called again. However,
NesC programmers are recommended to avoid such situations [85]. Even in such cases, we
can still get rid of naming conflicts of local variables because a repeated invocation of a
function is always at the end of the previous one.
Typing information is captured and we distinguish variables declared as different types
and analyze functions with parameters being types. Our work also supports defining new
types by struct and typedef . Moreover, pre-compilation is supported, as well as capturing
information from .h files.
Example 1 (Trickle). Trickle [88] is a code propagation algorithm which is intended to
reduce network traffic. Trickle controls the message sending rate so that each sensor hears a
small but large enough number of packets to stay up-to-date. In the following, the notion code
denotes the large-size data (e.g. a route table) each sensor maintains, while code summary
denotes the small-size data that summarizes the code (e.g. the latest updating time of the
route table). Each sensor periodically broadcasts its code summary, and
• lasts quiet if it receives an identical code summary;
• broadcasts its code if it receives an older summary;
• broadcasts its code summary if it receives a newer summary.
We have implemented this algorithm in a NesC program TrickleAppC , with the modifi-
cation that a sensor only broadcasts the summary initially, instead of periodically. A struct
MetaMsg is defined to encode a packet with a summary, and ProMsg is defined to encode




2 prov ide s i n t e r f a c e Se rv i c e ;
3 } implementation {
4 command void Se rv i c e . DoSth ( ){
5 // generate a hardware r eques t
6 }
7 //upon hardware i n t t e r rup t ,
8 // t h i s task w i l l be posted
9 task void Service_Done ( ){





2 uses i n t e r f a c e Se rv i c e ;
3 uses i n t e r f a c e Boot ;
4 } implementation {
5 event void Boot . booted ( ){
6 c a l l S e rv i c e . DoSth ( ) ;
7 }
8 event void Se rv i c e . Done ( ){
9 // s e r v i c e i s done ,




Figure 2.4: Pseudo Code of Hardware Service Implementation
summary (a MetaMsg packet) to the network. If an incoming MetaMsg packet has a newer
summary, the sensor will broadcast its summary; if the received summary is outdated, the
sensor will broadcast its summary and code (a ProMsg packet). An incoming ProMsg packet
with a newer summary will update the sensor’s summary and code accordingly.
2.3 Interrupt Handlers
In NesC programs, there are two execution contexts, interrupt handler and task (a function),
described as asynchronous and synchronous, respectively [53]. An interrupt handler can
always preempt a task if interrupts are not disabled. In the TinyOS execution model [85], a
task queue schedules tasks for execution in a certain order. In our work, we model the task
scheduler in the FIFO (first in first out) order, since it is the default case of TinyOS and is
widely used.
The code fragments shown in Figure 2.4 abstract the common mechanism that TinyOS
implements hardware service. Usually, a device is implemented as a NesC component in
the TinyOS component library, and we use the code shown in Figure 2.4(a) to sketch the
implementation of a certain service, e.g, sending a packet, activing an alarm, etc. Due to the
split-phase feature of NesC, an interface defined with commands and events will be provided
to link the application code with the device component that implements a certain service.
In Figure 2.4, the interface Service declares the command DoSth and the event Done.
The DeviceC module provides Service by implementing the command DoSth, while the
application component AppC uses the interface Service by implementing the event Done.
These two components are wired via the interface Service in a configuration component
which is not shown here. The 6th line of AppC calls the command DoSth of the interface
Service, which is the actual way how it “uses” Service. Since AppC is linked with DeviceC via
the Service interface, calling Service.DoSth will execute the command body Service.DoSth
implemented in DeviceC . During the execution of the command DoSth, the corresponding
15
2.3. Interrupt Handlers
1 void handler_dev ( ){
2 //update s t a tu s o f dev ;
3 // schedu le the complet ion event
4 post dev_compl_task ( ) ;
5 }
6 // complet ion task
7 task void dev_compl_task ( ){
8 // event implemented
9 //by programmers
10 s i g n a l dev_done_event ( ) ;
11 }











Figure 2.5: Modeling Hardware Behavior
hardware request is sent to the hardware and the command terminates after that. Once
the hardware request is completed, an interrupt will occur upon which the corresponding
interrupt handler is executed.
Now we illustrate how interrupt handlers work in TinyOS. As shown in Figure 2.1(a),
the execution of a task could be preempted by interrupt handlers. An interrupt handler
accesses low-level registers and enqueues a task to invoke a certain function at a higher level
of the application code. In our approach, we treat interrupt handlers as black boxes, as we
assume that low-level devices work properly. Variables are used to represent the status of
a certain device and thus low-level functions related to interrupt handlers are abstracted
as the pseudo code in Figure 2.5(a). For example in Figure 2.4(a), the device component
implements the task Severice Done to signal the event Service.Done. The interrupt handler
caused by the related hardware service posts this task to the task queue, and later when the
task Severice Done is executed, the event body of Service.Done implemented by AppC will
be executed and in this way the “control” will be given back to AppC .
In our work, the execution of an interrupt handler is considered as one atomic action.
However, different orders of interrupt handler executions lead to different orders of tasks
in the task queue, making the state space complex and large. We also assume that after a
task is completed all pending interrupt handlers are executed before a new task is loaded
for execution. This approximation reduces concurrency between tasks and interrupts and is
yet reasonable since devices usually respond to requests within a small amount of time (like
the executing period of a task).
To summarize, we model hardware at HAA’s top layer, i.e. Hardware Interface Layer,
ignoring differences between the underlying hardware platforms, as shown in Figure 2.5(b).
A hardware interrupt is modeled as an atomic action which posts a task to the task queue.
This task will signal the corresponding event for as a response to the interrupt. This is also




Although software testing and debugging have been widely used and improved for a long
time, their ability to find bugs or errors is still limited, in that they only explore some (not
all) possible scenarios. Software verification [11] is one of the most powerful techniques for
checking the correctness of software (i.e., source code), because it automatically traverses
all scenarios of the target system.
Model checking [11] is one of the most powerful approaches of software verification tech-
niques, which explores the complete (or equivalently complete) state space of the target
software system to find a violation of a given property like a deadlock. There are successful
model checkers proposed to verify formal models instead of software in practice, such as
SPIN [11], FDR [23], etc. Such approaches are able to handle large systems but yet unable
to assure correctness of software at implementation level. More recently, model checkers for
source code are being developed. Microsoft proposed SLAM for model checking C program-
s [12], while Havelund and his colleagues developed the model checker Java PathFinder for
verifying Java programs [73].
In particular, model checking has been successfully applied to finding intricate errors
of both software and hardware systems. For example, with the help of model checking
techniques, NASA analyzed and found errors over several modules of a spacecraft control
system [76, 72]. Another recent success is the full verification of the Intel i7 chip using model
checking as the replacement of testing in the project [78].
In the following, we present the assertion annotation language defined in our work to
represent verification goals.
2.4.1 Properties Specification
Our work supports the verification of both safety properties and liveness properties, in the
form of state reachability and linear temporal logic (LTL) formulas. We propose a lightweight
assertion annotation language for specifying these properties, which defines each property
as an assertion.
The syntax of our assertion annotation language is presented in Figure 2.6. The keyword
#define is used to define a logical formula with a certain name Var (line 3). Meanwhile,
the keyword #assert is used to define an assertion. Lines 5 to 10 are the types of assertions
supported by the language. First, line 5 defines properties in LTL formulas. Second, lines
6 to 10 are dedicated for state reachability properties, where lines 6 to 9 are to specify pre-
defined state reachability properties and line 10 is to define user-specified state reachability
properties based on the formulas defined by the keyword #define. The syntax of logical
formulas, i.e., mathExpr , is presented in Appendix B.
17
2.4. Software Verification
1 a s s e r t i o n s : ver i fyExpr+ ;
2
3 ver i fyExpr : #define var mathExpr | #assert a s s e r t i onExpr ;
4
5 as se r t i onExpr : var |= l t lExpr
6 | var never Terminates
7 | var never Nul lPo interAcces s
8 | var never ArrayIndexOverflow
9 | var never I n f i n i t eTa sk
10 | var never eventExpr
11
12 l t lExpr : ( eventExpr | l t lOprE l e )+ ;
13
14 l t lOprE l e : ( | ) | [ ] | <> | && | | | | −> | ! | <−> | \/ | /\ ;
15
16 eventExpr : eventNameExpr | eventEle ;
17
18 eventNameExpr : var ( . var )∗ ;
19
20 eventEle : True | Fa l se | SUCCESS | FAIL
21 | var | (1 . . . 9 ) (0 . . . 9)∗ | [ | ] | . ;
22
23 var : ( a . . z | A . . . Z | _) ( a . . . z | A . . . Z | _)∗ ;
Figure 2.6: Assertion Annotation Language
2.4.2 Propositional Logical Formula Definition
Propositional logical formulas are defined by the keyword #define in the following pattern:
#define var formula,
where formula is a propositional logical formula and var is a reference if formula. Assertions
will then referencing formula using var .
Variable Renaming Propositional logical formulas are composed of variables declared in
the NesC programs. Since variables are declared within a component’s scope, a renaming
method for identifying variables from different components and different sensors is necessary.
In our work, given a variable var declared in a component comp of the sensor S, this
variable var is renamed as S.comp.var . As for default variables such as TOS NODE ID
(the identifier of the sensor), TOS AM ADDRESS (the AM address of the sensor), they
are sensor-wide variables and thus the comp field can be omitted in the renaming procedure.
In this way, we are able to avoid confusion of variables declared by different components or
sensors.
Example 2 (Definitions of formulas). In the Trickle application discussed in Example 1,
the variable Si .App.summary is initialized as Si .TOS NODE ID and the larger value of
summary denotes the summary of the newer version of code. We can define the following
propositional formulas:
1. #define S1SumChanged S1.App.summary 6= S1.TOS NODE ID;
18
Chapter 2. Preliminaries
2. #define S1FalseUpdated S1.App.summary < S1.TOS NODE ID;
3. #define FalseUpdated S1.App.summary < S1.TOS NODE ID
|| S2.App.summary < S2.TOS NODE ID || · · · || Sn .App.summary < Sn .TOS NODE ID;
4. #define AllUpdated S1.App.summary = Sn .TOS NODE ID
|| S2.App.summary = Sn .TOS NODE ID || · · · || Sn .App.summary = Sn .TOS NODE ID.
In the Trickle protocol, the variable summary should only be updated to a greater value,
which is considered to be representing a newer version number. This variable summary is
initialized with the value of TOS NODE ID of the current node.
The explanation of the formulas in Example 2 is illustrated as follows.
1. S1SumChanged holds if the variable summary of sensor S1 is changed after initializa-
tion;
2. S1FalseUpdated holds if summary of sensor S1 has a value smaller than S1.TOS NODE ID
which is the initial value of summary in sensor S1;
3. FalseUpdated holds if some sensor updates its summary with an older version number;
4. AllUpdated holds if the summary variables of all sensors are updated with the newest
version number, i.e., Sn .TOS NODE ID , because Si .TOS NODE ID is assigned to
be i in our example.
2.4.3 State Reachability
State reachability properties are dedicated to finding undesirable behaviors or wrong states
of a sensor network. A state reachability property is specified by an assertion in the following
form:
#assert System never Goal ,
where #assert and never are reserved keywords, and Goal is a reference to a propositional
logical formula that has been previously defined. System is the reference of the target
model to be checked, which could be a certain sensor or the whole network. The keyword
SensorNetwork is reserved to represent the whole sensor network.
Example 3 (State Reachability Properties). Based on the formulas defined in Example 2,
we can specify the following properties:
• #assert S1 never S1FalseUpdated;
• #assert SensorNetwork never FalseUpdated.
The first assertion checks if the sensor S1 might perform a wrong update on the variable
S1.App.summary . This assertion is a single-sensor assertion, and during its verification, only
the system state space of S1 is explored.
19
2.4. Software Verification
The second assertion is a network assertion, which requires the state space of the whole
network to be examined during the verification phase. In this example, the assertion checks
if the network system state space contains a state that satisfies the formula FalseUpdated .
Predefined State Reachability Property Similar to C programs, there are common
problems with regards to memory accessing and system evolution in NesC programs, such as
an exception caused by accessing a null pointer, an infinite loop making other processes/tasks
hungry, etc. In order to allow such problems to be checked conveniently, we define a set of
pre-defined properties to specify such problems, as shown in the following.
• Termination, specified by #assert System never Terminates, where Terminates is a
reserved keyword. Generally sensors are expected to actively listen to the environment
or passively stay sleeping until some external events are triggered. Therefore, if a sensor
or a sensor network terminates, usually it means that the system has some bug.
• Array Index Overflow, specified by #assert System never ArrayIndexOverflow , where
ArrayIndexOverflow is a keyword reserved for this property. This is to check if an
array index overflow is encountered. Such cases should be avoided because during the
execution of a NesC program, accessing an array by an overflow index will cause fatal
exceptions.
• Null Pointer Accessing, specified by #assert System never NullPointerAccess, where
NullPointerAccess is a keyword reserved for this property. This is to check if a null
pointer is accessed. Similarly, accessing a null pointer will always trigger fatal excep-
tions.
• Infinite Tasks, specified by #assert System never InfiniteTask , where InfiniteTask is
a reserved keyword. In TinyOS, tasks are run to completion and if there is a task
containing an infinite loop, other tasks will have no chance to run. Therefore, we have
to avoid such circumstances.
2.4.4 LTL Properties
Type Operator Name Explanation
Unary
Xϕ Next ϕ should hold at the next state.
2ϕ Globally ϕ should hold on the entire subsequent path.
3ϕ Finally ϕ should hold eventually somewhere on the subsequent path.
Binary
ϕ ∪ φ Until ϕ should hold on the subsequent path at least until φ starts to hold.
ϕRφ Release φ should hold until and at the point where ϕ first holds; if ϕ never
holds then φ must remain true forever.
Table 2.2: LTL Operators [129]
20
Chapter 2. Preliminaries
Properties specified by LTL formulas are defined using the following form:
#assert System |= LTLformula,
where |= is a symbol dedicated for LTL checking, and the LTL formula is composed by LTL
operators including 2 (always, globally), 3 (eventually, finally), X (next), ∪ (until) and R
(release). The meanings of these LTL operators are given in Table 2.2.
Example 4 (LTL Properties). Based on the formulas defined in Example 2, we can specify
properties in the following:
1. #assert SensorNetwork |= 3 FalseUpdated. This assertion is valid iff the network
eventually reaches a state that in which the formula FalseUpdated holds.
2. #assert SensorNetwork |= 23 FalseUpdated. This assertion is valid iff the network
reaches a state in which the formula FalseUpdated holds for infinitely many times.
Example 5 (An LTL Property). Now we define a formula S1CodeChanged in the following:
#define S1CodeChanged S1.App.code 6= S1.TOS NODE ID.
This formula holds iff the value of variable code of sensor S1 is changed, since it is initialized
as the value of TOS NODE ID. Based on this, we could further define the assertion:
#assert SensorNetwork |= 2(S1SumChanged⇒3 S1CodeChanged).
This assertion is valid if and only if whenever the summary of S1 is changed, then eventually




This chapter presents the related work of this thesis.
3.1 Formal Modeling and Analyzing SNs
This section provides the work that has been done for examining how formal techniques
such as formal modeling and verification can be applied to sensor networks. According to
the formalism used, this work is classified into four categories: process algebra, calculus,
timed formalism, and probabilistic approaches, discussed in Section 3.1.1, Section 3.1.2,
Section 3.1.3 and Section 3.1.4, respectively.
3.1.1 Process Algebra
Process algebras (or process calculi) [51] are a diverse family of related approaches for for-
mally modelling concurrent systems. Process algebras provide the high-level description
of interactions, communications, and synchronization between a number of independent
processes. Algebraic laws have been proposed to allow process descriptions to be systemati-
cally manipulated and analyzed, so that formal reasoning about system properties could be
performed. Leading examples of process algebras include CSP [74], CCS [109], ACP [19],
LOTOS [132], etc. In the following, we discuss a collection of work in modeling and verifying
(or analyzing) sensor network systems with process algebras including Promela [75], CSP
and ReactiveML [104].
Oleshchuk demonstrates the applicability of the finite model-checking based approach
for analyzing properties of ad-hoc sensor networks in [120]. A sensor network is considered
as a network of communicating finite state machines and is presented as a set of concurrent
communicating processes in Promela. Properties of ad-hoc sensor networks are expressed
in the form of LTL formulae and are verified by SPIN [11]. This work has the emphasis on
dynamic network changes and communication ability between sensor nodes but it neglects
important features of sensor networks such as broadcasting, interrupt-driven execution, etc.
22
Chapter 3. Related Work
GLONEMO (GLObal NEtwork MOdel) is proposed for obtaining accurate and efficient
models of sensor networks, by describing the elements of a sensor network at various levels
of abstraction [133]. Several aspects are taken into account, including the hardware that
implements a single node, the protocol layers, the application code, energy consumption and
the physical environment viewed by sensors. SNs are modeled based on a clean and simple
parallel construct at two levels: the physical parallelism between the nodes of the network
and the physical or logical parallelism inside a node. The model is based on communicating
input/output interpreted automata and is specified as a set of communicating processes
written in ReactiveML [104]. GLONEMO has been used to efficiently design the architecture
of a global and accurate model of sensor networks. However, the verification of the formal
model is unavailable because ReactiveML is not connected to any verification tool.
Therefore, a synchronous language Lustre is introduced to build a global and exe-
cutable model of a sensor network, including all the elements that influence energy con-
sumption [106]. Lustre is an appropriate language for building such a detailed model, es-
pecially when it comes to describing the detailed energy consumption of the hardware and
its relationship with time. Further, Lustre allows to build a clean component-based model,
provides a modular-abstraction framework, and is connected to various validation tools for
formal verification by model checking techniques. Lussensor is a modular model for sensor
network systems in Lustre, which serves as a common platform for several abstractions and
is essential for connecting to formal validation tools. This model is valid for modeling energy
consumption, and contributes to power management of sensor networks and satisfies power
constraints.
3.1.2 Calculus
CSN (Calculus for Sensor Networks) [101] is a calculus for sensor networks introduced as
a programming model that allows formal verification of the correctness of programs with
a global vision of a sensor network application. CSN is devised as a two-layer calculus,
offering abstractions for data acquisition, communication, and processing above the link
layer of the protocol stack. A sensor network is described by combining a network layer of
sensor devices modelled as local objects, and a static type system is introduced to enable
safe programming of sensor networks. CSN provides a formal computational programming
model for sensor networks. The static type system enables safe programming of sensor
networks, allowing for premature detection of certain types of programs that would produce
run-time errors. Nevertheless, CSN is still insufficient for analyzing real-world sensor network
applications because there are no formal links between the calculus and real-world sensor
network programs such as NesC programs.
23
3.1. Formal Modeling and Analyzing SNs
3.1.3 Timed Formalism
Green et al. demonstrate the formal modeling of a sensor network system for ice formation
detection [62]. The evolution of the system is captured by discrete and continuous dynamic
models using real-time hybrid automata, i.e. timed automata, implemented using the tool
UPPAAL [18]. A sensor network system is modeled as a set of interactive hybrid automata,
with the interaction between nodes synchronized on events. The specification for correctness
is formulated based on the critical synchronization required among the sensor nodes. Tem-
poral logics are then used for defining properties to verify the system. This approach can
be beneficial for building safe systems with high correctness, in that it allows to model and
check the system design’s correctness prior to implementation through system verification
methods.
P. C. Ölveczky et al. present their work to formally model, simulate and model check
advanced sensor network algorithms with the rewriting-logic-based Real-Time Maude lan-
guage and tool [122, 121]. Some general techniques are proposed for modeling and analyzing
sensor network algorithms, which are then applied to the modeling, performance estimation,
and model checking of the Optimal Geographical Density Control (OGDC) algorithm. Real-
Time Maude language extends the object-oriented specification language Maude to support
the formal specification and analysis of real-time systems. It is used to model typical sensor
network features such as locations, broadcast communication, sensor nodes, time behaviors,
etc [121]. Formal model checking in Real-Time Maude allows to reason about both correct-
ness and best-case/worst-case performance. However, the Real-Time Maude model checking
analysis of OGDC is incomplete, because it does not analyze all possible behaviors from a
given initial sensor network state.
3.1.4 Probabilistic Modeling
A modeling approach tailored to the automatic verification of communication protocols for
sensor networks is presented in [13], where a medium access control protocol (S-MAC)
for sensor networks is formally modeled and verified by the probabilistic model checker
Prism [83]. The main mission of the S-MAC protocol is to reduce energy consumption.
A probabilistic model (i.e. Markovian model) of S-MAC is built, including the schedule
cordination/maintenance behavior. Relevant probabilistic properties of the protocol are
verified, such as probabilistic reachability, time-bounded probabilistic reachability, and ex-
pected reachability. Probabilistic properties are expressed in PCTL [70], a temporal logic
with probabilistic extensions to CTL [31].
This work contributes to studying the capability of probabilistic model checking tech-
niques for analyzing and verifying important protocols of sensor networks. However, more
general techniques are still in need for applying such techniques for more protocols.
24
Chapter 3. Related Work
3.2 Verification Techniques for TinyOS-based SNs
Since we are interested in formally modeling and verifying TinyOS applications implemented
in NesC for sensor network systems, a summary of related work on applying formal methods
to TinyOS applications or NesC implementations is presented in this section.
Coleri et al. describe system verification of TinyOS using HyTech, a tool used to check
linear hybrid automata [38]. In order to account for the clock cycles required for synchroniza-
tion events to occur within the operating system that happen instantaneously in the hybrid
automata, they implement a dummy state to model the duration of the clock cycles that an
event takes. The overhead, therefore, is satisfied within their model by providing additional
states. Event and command completion are modeled as additional events because they are
across component function calls that return a value of success or failure. In order to simulate
packet generation to demonstrate the function of the sensor node interacting on a network,
another automaton is added to represent packet generation either from neighboring sensor
nodes, or the sensing component of the application. This study achieves verification of the
operating system and analyzes power dissipation of a tree-based multi-hop sensor network
and demonstrates essential qualities of a sensor network to be considered in design. On one
hand, base station connection is essential to the life of the network. On the other hand, the
density of the nodes of a sensor network must be inversely proportional to the distance from
the base station or energy available must be increased in nodes closest to base station to
maintain network functionality because the increase in work of the nodes is proportional to
their number of children.
P. Völgyesi et al. [158, 159] propose an interface language, Hierarchical Interface Automa-
ta (HIA), for the development of sensor network applications which have a special emphasis
on interface specification. HIA extends the Interface Automata [84] formalism, by employing
hierarchy to cope with scalability and complexity, and introducing non-preemptable states to
reflect the single thread of control of TinyOS applications. Therefore, HIA is able to capture
the temporal and typed aspects of interfaces, and support the composition of components.
Meanwhile, a modeling environment targeting TinyOS as well as component compatibility
rules are presented for developing temporal interface models and checking compatibility for
TinyOS components.
A metaprogrammable toolkit, Generic Modeling Environment (GME) [84], is used to cre-
ate the modeling environment Graphical Development Environment for TinyOS (Gratis).
TinyOS concepts such as interface, module, and configuration are specified in a UML class
diagram-based notation with OCL constraints [161], and are used as input to GME to gen-
erate the meta-model for Gratis. This metamodel defines the mapping of TinyOS concepts
to GME concepts. The translator of Gratis is capable of generating NesC programs from
graphical models and parsing NesC source code and building corresponding models auto-
matically. As shown in Figure 3.1, two translators are developed in Gratis for checking the
composability of components based on their interface models and verifying other properties,
25
























Figure 3.2: The Modeling Flow by BIP
respectively. TinyOS is first modeled as HIAs in Gratis. On one hand, predicates in terms
of the logic programming language Prolog are generated by the rules explained in [158] from
HIAs, and compatibility between corresponding components can be checked then. On the
other hand, each HIA in Gratis is mapped to a Promela proctype/process by transforming
automata actions to statements and statement transitions to flow control elements, allowing
complex designs and more properties to be verified.
This approach treats TinyOS modules as black box components and is capable of dis-
covering interdependencies of interface primitives and checking compatibility between com-
ponents. However, it is inadequate to explore the entire state space of the systems. Fur-
thermore, this approach suffers from scalability issues: the composition of n components
requires O(n2) checks among these components.
Basu et al. present their model construction methodology to build heterogeneous real-
time systems for TinyOS-based networks using the Behavior-Interaction-Priority (BIP) [14]
component framework in [15]. This approach has a self-contained compiler for NesC lan-
guage and supports both behavioral verification and simulation of sensor network systems.
BIP consists of a language for modeling component-based systems and associated execution,
simulation and verification tools. As illustrated in Figure 3.2, the BIP models for NesC ap-
plications are generated automatically, and are analyzed by powerful state space exploration
techniques offered by the IF tool suite [21]. TinyOS is modeled as the composition of two
sets of components: one is the set of schedulers for events and tasks, and the other is the set
26
Chapter 3. Related Work
of models for hardware components representing Timer , Sensor , and Radio. Two schedulers
are used to model the two-level scheduling mechanism of TinyOS, the Event Scheduler for
the management of events generated by hardware components, and the Task Scheduler for
executing tasks in FIFO order. The global model of the sensor network is composed of BIP
components using connectors, by specifying interactions between nodes.
This approach models NesC programs as well as the execution platform (i.e. TinyOS)
as an abstract machine and provides a global model of the whole sensor network. The
framework supports both behavioral verification and simulation of the networked systems.
However, the generated model might be incapable of verifying functional behaviors, since
computation sequences are ignored to keep model complexity low. This approach is similar
to our work, in that it provides automatic generation of formal models from NesC imple-
mentations.
Rosa et al. propose an approach for formalizing TinyOS applications with a formal de-
scription approach LOTOS [132]. LOTOS is a formal specification language for specifying
concurrent and distributed systems, which describes a system through a hierarchy of compo-
nents or processes (similar to CCS and CSP). The main concepts of NesC, namely interfaces,
modules and configurations, are specified as synchronization ports, processes with choices
and compositional processes in LOTOS. This formalization of NesC applications emphasizes
mostly the interaction between components and allows useful properties of the specification
to be checked.
McInnes presents a technique for modeling the concurrency of a TinyOS application
using CSP, and using FDR to analyze the resulting process models [107]. This approach
contributes to introducing model checking techniques to sensor network systems for enhanced
analysis and early error detection and thus increasing reliability and correctness. However, it
cannot help application developers avoid the trouble caused by constructing process algebra
models entirely manually.
3.3 Domain-specific Tools for SN Verification
In this section, we review existing tools that are dedicated to verifying sensor network
systems.
Approaches like SLEDE [69] translate NesC programs into formal description techniques
(FDT) like Promela and use existing model checkers to conduct verification tasks. SLEDE
was proposed for automatic verification of sensor network security protocols implemented
in NesC [68, 69, 66, 67]. This approach includes extracting Promela models from protocols
implemented in NesC, generating intrusion models and verifying security properties of the
models via the state-of-art model checker SPIN. This framework has contributed to decreas-
ing the cost of verification and improving the quality of sensor network security protocol
implementations. Our work differs from this approach in several ways. First, we implement
27
3.3. Domain-specific Tools for SN Verification
a self-contained parser for the NesC language while SLEDE builds its model extractor on
top of NesC compiler [66]. We believe that a self-contained parser would be feasible for
optimizing verification tasks. Second, we establish the state space of SNs directly from the
source code and thus the state space is more faithful to the source code. Third, our approach
targets checking NesC applications, not only security protocol implementations. It is noticed
that concurrent processing, failure tolerance, effective communication protocols and other
features are critical for sensor network systems. Being aware of the lack of a uniform formal
verification framework, we were trying to develop a systematic framework for automatically
model checking SNs against properties related to such features.
W. Archer et al. present their work on interface contracts for TinyOS components in [8],
which exposes bugs and hidden assumptions caused by improper interface usages, and adds
safety conditions to TinyOS applications. Nguyet and Soffa propose to explore the internal
structure of SN applications using control flow graphs, but without any error detection [116].
V. Menrad et al. propose to use Statecharts to achieve readable yet more precise formulations
of interface contracts [108]. These approaches contribute to the correctness of usages of
interfaces, but are incapable of verifying any specific property like safety or liveness.
The tool FSMGen [80] presented by N. Kothari et al. infers compact, user-readable
Finite State Machines from TinyOS applications and uses symbolic execution and predi-
cate abstraction for static analysis. This tool captures highly abstract behaviors of NesC
programs and has revealed some errors. However, low-level interrupt driven code is not
applicable since the tool is based on a coarse approximation of the TinyOS execution model.
Some essential features like loops are not supported and the tool provides no support for
analyzing the concurrent behaviors of a network (rather than a single sensor).
Anquiro [111] is built based on the Bogor model checking framework [130, 131], for
model checking SN software written in the C language for Contiki OS [45]. Source code is
firstly abstracted and converted to Anquiro-specific models, i.e., Bogor models with domain-
specific extensions. Then Bogor is used to model check the models against user-specified
properties. Anquiro provides three levels of abstraction to generate Anquiro-specific models
and a state hashing technique is adopted to reduce state space, and thus Anquiro is able
to verify a network with hundreds of nodes within half an hour. However, since many
low-level behaviors are abstracted away, Anquiro might not be able to detect certain bugs.
Moreover, translation-based approaches are more likely to cause inaccurate results because
it is non-trivial to enforce and prove the soundness of the translation between NesC and
FDTs. Hence, approaches for direct verifying NesC programs have been developed.
Werner et al. verify the ESAWN protocol by producing abstract behavior models from
TinyOS applications, and uses the C model checker CBMC to verify the models [162]. The
original ESAWN consists of 21000 LOC, and the abstract behavior model contains 4400
LOC (including both C code and CBMC statements). Our approach is comparable to this
approach, since we support SNs with thousands of LOC on each sensor to be explored.
28
Chapter 3. Related Work
However, this approach is only dedicated for checking the ESAWN protocol and it abstracts
away all platform-related behaviors.
Bucur and Kwiatkowska propose Tos2CProver for debugging and verifying TinyOS ap-
plications at compile-time, checking memory-related errors and other low-level errors upon
registers and peripherals [25, 26, 27]. Tos2CProver translates embedded C code (which is
generated by the NesC compiler from NesC source code) to standard C, which is then verified
by CBMC. This approach is incapable of checking temporal safety properties like a buffer
should be released infinitely often. Moreover, it only checks errors for single-node programs
and lacks the ability to find network-level errors. Partial order reduction (POR) is used to
reduce state space, and POR’s over-approximation is improved by reachablity checking. Our
work differs from this work in that this work only supports single-node TinyOS applications
instead of the whole network.
T-Check [89] is built upon the simulator TOSSIM [86] for TinyOS applications and uses
explicit model checking techniques to verify safety. T-Check checks the execution of SNs
by depth-first search (DFS) or random walk to find a violation of user-specified properties,
and it adopts stateless and bounded model checking to find bugs. It was used to verify
several TinyOS applications and revealed several bugs of components/applications in the
TinyOS distribution. One limitation of T-Check is that it does not support the verification
of temporal properties. T-Check has implemented a static partial order reduction algorithm,
but it requires knowledge of which state transitions are potentially dependent. Furthermore,
it only identifies independency at network level, and thus all transitions of the same node are
considered as dependent. T-Check might consume a large amount of time (days or weeks)
to find a violation if a large bounded number is required due to the (equivalently)complete
state space exploration. Our approach complements T-Check as we propose a more effective
POR which preserves LTL-X.
3.4 Partial Order Reduction
Partial order reduction (POR) has been proposed for diminishing the state space explosion
problem in the procedure of model checking concurrent systems [58, 126, 127, 33]. The key of
POR lies in the observation that execution sequences of a concurrent system can be grouped
together into equivalent subsets that are indistinguishable by the property being checked. In
other words, POR exploits the commutativity of concurrently executed transitions, which
result in the same state when executed in different orders. Applying POR constructs a
reduced state space in which each equivalent subset has at least one representative. Initial-
ly, POR approaches for checking safety properties including deadlocks were developed [58].
Peled’s work in [125] combined POR with on-the-fly model checking while preserving tempo-
ral properties. POR has been applied in the verification of industrial concurrent programs,
as reported in [60, 112].
29
3.4. Partial Order Reduction
Further, POR has been introduced to the verification of systems of different domains,
such as timed systems, probabilistic systems, etc. Bengtsson et al. presented a partial-order
reduction method for timed systems based on a local-time semantics for networks of timed
automata [17]. By letting local clocks in each process advance independently of clocks in
other processes and by requiring that two processes re-synchronize their local time scales
whenever they communicate, implicit clock synchronization between processes is removed.
Further, Minea proposed another POR method that reduces both the number of explored
control states and the number of generated time zones [110]. As for probabilistic systems,
Argenio and Niebert discussed partial order reduction for probabilistic programs represented
as Markov decision processes, preserving probabilistic quantification of reachability proper-
ties and maximum and minimum probabilities of LTL-X properties [41]. Moreover, Baier
et al. proposed a POR method for probabilistic branching time [10] and Giro et al. revised
the POR for LTL properties applied to probabilistic model checking [56].
Farzan and Meseguer proposed a method to apply POR without changing the underlying
model checking algorithms, by rewriting semantics [48]. In this way, POR could be achieved
for any language with relatively little effort. Experiments with JVM and a Promela-like
language have indicated that significant state space reductions and time speedups could be
obtained by this approach.
Kurshan et al. presented a POR method that allows to generate a smaller number of
choices from each state at compile time [82]. Such POR methods are referred to as static
POR, and it has been shown that static POR can be directly implemented with existing
verification tools without modifying the verification engine, and may be applied with other
techniques like symbolic model checking and localization reduction to obtain a combined
reduction.
Brim et al. combined POR with distributed memory state exploration which extends
the computational power for LTL model checking [22]. Flanagan and Godefroid initially
explored an arbitrary interleaving of the various concurrent processes/threads and dynam-
ically tracked interactions between them to identify backtracking points where alternative
paths in the state space need to be explored [50]. This approach is called dynamic POR
(DPOR) and is developed for stateless model checking techniques. The authors also showed
that DPOR significantly reduces the search space of multi-threaded programs even when
traditional POR techniques are helpless. To solve the inefficiency of stateless runtime model
checking, Yang et al. proposed a stateful dynamic partial order reduction algorithm (SD-
POR) to avoid a potential unsoundness when DPOR is naively applied in the context of
stateful model checking [164]. This approach combines light-weight state recording with
DPOR, and strikes a good balance between state recording overheads and the elimination of
redundant searches. Their experiments confirm the effectiveness of the approach on several
multi-threaded benchmarks in C. Yang et al. proposed a practical algorithm for distributed
dynamic POR (DDPOR) to help distributed Inspect, the distributed version of the model
30
Chapter 3. Related Work
checker Inspect, gain nearly linear speedup on realistic examples [163]. This work speeds
up stateless model checking using computer clusters and get benefits from DPOR [165],
achieving linear speedup on multi-threaded programs.
Gueta et al. proposed a cartesian semantics that reduces the amount of nondeterminism
in concurrent programs by delaying unnecessary context switches [65]. A novel dynamic POR
algorithm, i.e., cartesian partial order reduction, was then developed using this semantics
and preliminary experimental results showed a significant potential saving in the number of
explored states and transitions.
There is also work in combining POR with other reduction techniques such as symme-
try reduction [47]. Traditionally, POR was applied with enumerative depth-first search for
the analysis of asynchronous network protocols, and symbolic model checking was mainly
applied to the analysis of synchronous hardware designs. Alur et al. combined both tech-
niques and developed a method for using POR techniques in symbolic BDD-based invariant
checking [7]. Kahlon et al. proposed Monotonic Partial Order Reduction (MPOR) which
effectively combines dynamic POR with symbolic state space exploration for model check-
ing concurrent software [77]. This approach adopts quasi-monotonic sequences of thread-ids,
which can be used both for explicit or symbolic model checking. By restricting the interleav-
ings explored to the set of quasi-monotonic sequences, MPOR achieves automatic pruning
of redundant interleavings in a SAT/SMT solver based search for symbolic model checking,
with the guarantee of both soundness and optimality.
In terms of program verification, POR has been widely used [16]. Naumovich et al. pro-
posed a POR method for Ada programs based on FLAVERS [115]. FLAVERS is a general
data flow based verification approach and has been applied to Ada [46], Java [114], C++,
etc. The famous model checker for Java programs Java PathFinder also adopts POR to
improve the performance of verification [157]. Message Passing Interface (MPI) is the dom-
inant model used in high performance computing (HPC) nowadays. Given the distributed
memory nature of MPI programs, POR has considerable potential for alleviating state s-
pace explosion, and Palmer et al. discussed a dynamic POR method for MPI-based parallel
programs [123]. The formal semantics for a non-trivial subset of MPI was defined, and
then independence theorems are proved in order to obtain a semantically clear and general
partial-order reduction approach for MPI. The approach describes the exact dependencies
between MPI non-blocking send operations and their tests for completion for the first time.
Kundu et al. proposed the tool Satya which combines static and dynamic POR techniques
with SystemC semantics to achieve scalable testing of SystemC TLM designs [81].
Among the approaches for SN verification discussed in Section 3.3, only two of them
are using POR to prune the search space. The first is T-Check [89], which adopts stateless
model checking with a static POR method. The POR implemented here only checks the
independence among sensors, which means that intra-sensor concurrency is not reduced.
The other is Tos2CProver [27], which adopts the POR approach proposed in [34] to reduce
31
3.5. Summary
unnecessary interleaving among interrupt handlers. Since Tos2CProver only handles indi-
vidual sensor programs, concurrency between sensors is beyond its scope. Both approaches
are limited to checking safety properties only.
3.5 Summary
The features of NesC and TinyOS presented in Chapter 2 have shown that it is challenging
to analyze NesC programs (or TinyOS applications) for sensor networks. As shown in this
chapter, a number of approaches have been proposed for modeling, analyzing and even
verifying sensor network systems. These approaches have helped to improve the quality
of sensor network systems and contributed to the research community in various ways.
Nevertheless, one major limitation among them that they only formalize NesC/TinyOS
concepts rather than semantics. This means that they are limited to high-level analysis and
are incapable of directly analyzing programs.
One aim of this thesis is to develop a methodology for establishing verification tech-
niques directly upon NesC programs. In Chapter 4, we discuss our early-stage work on
a translation-based approach on model checking sensor networks. Then in Chapter 5, we
present the formalization of NesC programs, the TinyOS execution model and sensor net-
work composition, which facilitates the direct analysis and verification of SNs.
32
Chapter 4
Translation-based Verification of SNs
In this chapter, we propose to automatically generate STCSP (Stateful Timed CSP) mod-
els [148, 143] from sensor network systems implemented in NesC. Section 4.1 relates the
TinyOS execution model to STCSP semantics; Section 4.2 explains how STCSP models are
constructed from NesC programs; Section 4.3 evaluates the performance of NesC2STCSP
with several examples; and Section 4.4 briefly summarizes this chapter. In this chapter, we
use the TinyOS application presented in Example 6 as a running example throughout the
discussion of the translation approach.
Example 6 (The Blink Application). Here we present a simple NesC program Blink. The
source code of Blink is shown in Figure 4.1, which contains two NesC files, BlinkAppC.nc
(Figure 4.1(a)) and BlinkC.nc (Figure 4.1(b)). In this application, an alarm is set at every
second to toggle the red LED (i.e., led0) of the sensor.
4.1 STCSP Semantics for TinyOS
The formal definition of STCSP models is presented in [143], where an STCSP model is
defined as a 3-tuple R = (Var , init ,P). Var is a set of global variables, init is the initial
valuation of the variables and P is the running STCSP process. A brief introduction of the
syntax and the informal semantics of STCSP processes can be found in Appendix C. In this
chapter, we use the following definitions to present the STCSP semantics of the TinyOS
execution model.
• Ch(c,n) defines a channel named c with a buffer of size n and a channel with a buffer
of zero size requires synchronous input and output.
• c!v is a channel output operation which sends the data v to the channel c.
• c?x is a channel input operation which reads from the channel c and caches the data
in the local variable x , while c?v is a conditional channel input that only reads the
channel when the data to be read match v .
33
4.1. STCSP Semantics for TinyOS
1 #inc lude <Timer . h>





7 components MainC , BlinkC ;
8 components LedsC ;
9 components new TimerMill iC ( ) ;
10 BlinkC −> MainC . Boot ;
11 BlinkC . Timer0 −> TimerMill iC ;
12 BlinkC . Leds −> LedsC ;
13 }
(a) Program BlinkAppC.nc
1 module BlinkC ( )
2 {
3 uses i n t e r f a c e Timer<TMil l i> as Timer0 ;
4 uses i n t e r f a c e Leds ;
5 uses i n t e r f a c e Boot ;
6 } implementation {
7 event void Boot . booted ( ){
8 c a l l Timer0 . s t a r tP e r i o d i c ( 1 000 ) ;
9 }
10 event void Timer0 . f i r e d ( ){
















Figure 4.2: Task scheduler model
• Const(x , v) defines a constant variable x with the value v ;
The execution model of TinyOS is based on split-phase operations, run-to-completion
tasks and interrupt handlers. First, we model the task scheduler that schedules the execution
of tasks in a certain order, and in our work, we assume it to be the FIFO order. Then the
task scheduler can be represented as the state machine shown in Figure 4.2, based on which,
we then formalize the task scheduler as Definition 1.
Definition 1 (Task Scheduler). The task scheduler sdl of TinyOS is modeled as an STCSP
process Psdl = if (Qt 6= ∅){Qt?tsk → sdl !tsk → sdl?EOT → Psdl}else{Psdl}, where:
• Qt = Ch(Qt ,nt) is a queue for deferred tasks and nt > 0;
• sdl = Ch(sdl , 0) is a synchronous channel for notifying the task tsk to execute;
• EOT is a constant variable with the unique value 0 (Const(EOT , 0)) denoting the end
of a task.
The process Psdl is blocked until the task queue Qt is not empty, and a task tsk is
fetched from the queue and the corresponding task is informed to run via the channel sdl .
34





















Task Queue not Empty
Figure 4.4: The Execution Model of TinyOS
The process that models a task tsk is blocked until the scheduler process Psdl sends the
data tsk to the channel sdl , which will be shown in next Section. After the execution of
the task, the task process writes the channel sdl with EOT to inform Psdl of the task tsk ’s
completion, and Psdl will start to execute the next task in Qt .
In contrast to tasks, an interrupt can preempt tasks or other interrupts. The interrupt
manager is introduced to manage the executions and interactions between interrupt handlers.
In the interrupt manager, a new interrupt preempts the execution of the current one. The
state machine of the interrupt manager is shown in Figure 4.3. Since interrupts can preempt
the execution of tasks, the global state machine of the execution model of TinyOS should
capture such features, as presented in Figure 4.4.
Since there is no appropriate interrupt semantics in STCSP, an alternative is to model
interrupt handlers and the task scheduler to concurrently execute. In the following, we
present the STCSP model of an interrupt handler.
Definition 2 (Interrupt Handler). The interrupt handler ih of an interrupt itr is modeled
as an STCSP process Pih = ifb(xitr == ON ){P ′ih → Qt !tskih → {xitr = OFF} → Pih},
where:
35
4.2. Generation of STCSP Model
• ifb is an STCSP construct to define a conditional process which is blocked until the
condition is satisfied;
• xitr is a status variable indicating whether the interrupt itr is activated;
• P ′ih denotes the processing of the interrupt handler;
• and Qt !tskih enqueues a task to signal the corresponding event of the interrupt.
Example 7 (One-shot Timing Interrupts). The one-shot timer implemented by TimerMilliC
is modeled as the following process:
PTimer Os = ifb(TimerMilliC Timer os == ON ){Wait [TimerMilliC period ];
Qt !tskTimerMilliC fired → {TimerMilliC Timer os = OFF} → PTimer Os};
where the variable TimerMilliC Timer os is the status denoting whether the one-shot timer
is active.
Example 8 (Periodic Timing Interrupts). In the modeling of periodic timer, the status of
the interrupt is never disabled in the interrupt process but it can be disable by calling a stop
command. The following is the process of periodic timing interrupts:
PTimer Prd = ifb(TimerMilliC Timer prd == ON ){Wait [TimerMilliC period ];
Qt !tskTimerMilliC fired → PTimer Prd}.
The following presents the formal definition of the TinyOS execution model.
Definition 3 (Execution Model). The TinyOS execution model is a 6-tuple (Var ,Qt ,S,A, s0, δ),
consisting of:
• Var: a set of variables declared in the NesC program, the status variables of interrupts
and all channels except the task queue Qt ;
• Qt : a queue for scheduling tasks;
• S: a set of reachable states;
• A: a set of possible actions;
• s0: an initial state; and
• δ : S ×A → S: a transition function.
4.2 Generation of STCSP Model
TinyOS provides a component library which encapsulates operating system environment
and hardware functionalities as predefined interfaces and components. And this is required
when running NesC applications. Therefore, a set of STCSP models representing the TinyOS
36
Chapter 4. Translation-based Verification of SNs
NesC Elements STCSP Constructs
Split-phase operations Processes communicating via synchronous channels.
Component Global variables, processes modeling behaviors of com-mands, events, and tasks.
System The interleaving composition of all processes.
Table 4.1: The Mapping Algorithm




















Figure 4.5: Modeling Split-phase Operations
component library is statically provided (such as Timer, Sensor, LED, etc.). These static
models are used when applying the mapping algorithm for the generation of STCSP models.
As shown in Table 4.1, the mapping algorithm for extracting STCSP models from NesC
code consists of three steps: modeling split-phase operations, modeling components and
modeling the application as a system-level process. Each step is explained in detail as fol-
lows.
Step 1: model split-phase operations
As shown in Figure 4.5, components interact with each other via interfaces. A wiring in
NesC “wires” a component to another by an interface and the two components are required
to use and provide the interface respectively. Wiring is modeled by defining two processes
transferring command calls and event signals between the user component and the provider
component.
Definition 4 (Wiring Expression). A wiring expression user .ui → prov .pi is modeled as
an STCSP process Pw = (Puser ui prov pic ||| Puser ui prov pie ), where Puser ui prov pic =
37
4.2. Generation of STCSP Model
(user uic?cmd .args.Req → prov pic !cmd .args.Req → prov pic?cmd .Rep → user uic !cmd .Rep
→ Puser ui prov pic), and Puser ui prov pie = (prov pie?evt .args.Req → user uie !evt .args.Req
→ user uie?evt .Rep → prov pie !evt .Rep → Puser ui prov pie ), where:
• Req is a constant denoting the request of calling a command or signaling an event;
• Rep is a constant denoting the completion of the requested command or event;
• user uic is a synchronous channel for the user component to send a request when it
calls a command of the interface ui;
• prov pic is a synchronous channel to which the provider component listens for the
invocation of a command of the interface pi from the user;
• prov pie is a synchronous channel for the provider component to send a request when
it signals an event of the interface pi; and
• user uie is a synchronous channel to which the user component listens for the invoca-
tion of an event of the interface ui from the provider.
Example 9 (Modeling a wiring expression). The wiring expression BlinkC .Timer0 →
TimerMilliC in Figure 4.1(a) is translated into the following process:
PBlinkC Timer0 TimerMilliC = PC ||| PE ;
PC = BlinkC Timer0 C ?x0.x1.Req → TimerMilliC Timer C !x0.x1.Req →
TimerMilliC Timer C ?x0.Rep → BlinkC Timer0 C !x0.Rep → PC ;
PE = TimerMilliC Timer E?x0.Req → BlinkC Timer0 E !x0.Req →
BlinkC Timer0 E?y0.Rep → TimerMilliC Timer E !y0.Rep → PE .
The intuition in modeling a wiring expression is to direct the command calling from a
user to the corresponding provider that implements the command and vice versa for event
signalings.
Step 2: model a component
A component is separated into three parts: component variables, commands, events and
tasks. Each function, which is a task, command or event, is specified as a process, and a
component is the interleaving composition of all the processes representing its implemented
functions, as shown in Figure 4.6. The statements in a function are modeled as STCSP
events or processes, as shown in Table 4.2. To emphasize, a task is scheduled in a task
scheduler and does not execute immediately once it is posted. The queue Qt is defined for
scheduling task, and the channel sdl is used for communication between tasks and the task
scheduler, as shown in Definition 1.
Example 10 (Modeling a command call). The statement call Timer0.startPeriodic(1000)
in Figure 4.1(b) is modeled as the following STCSP construct:
38
Chapter 4. Translation-based Verification of SNs
Component
Var Com_variable_name;
Comp     =      Comp_Intf_Command1
||| … ||| Comp_Intf_Commandk
|||          Comp_Intf_Event1
||| … ||| Comp_Intf_Eventm
|||          Comp_Task1






Figure 4.6: Modeling a component
BlinkC Timer0 C !stPrd .1000.Req → BlinkC Timer0 C ?stPrd .Rep,
where stPrd is the constant defined to identify the startPeriodic command for the Timer
interface, 1000 is the parameter of the command calling, Req denotes the request of the
command and Rep denotes the completion of the command.
Definition 5 (Command Implementation). A command comp.i .cmd of the interface i im-
plemented by the component comp is modeled as an STCSP process Pcomp cmd i = comp ic?
cmd .args.Req → Cmd → comp ic !cmd .Rep → Pcomp cmd i , where Cmd is an STCSP pro-
cess constructed by translating the statements of the command body.
Example 11 (Modeling a command). The command Timer .startPeriodic(dt) of the com-
ponent TimerMilliC of Example 6 is modeled as the following STCSP process:
PTimerMilliC Timer stPrd = TimerMilliC Timer C ?stPrd .dt .Req →
{TimerMilliC period = dt ; } → {TimerMilliC Timer prd = ON ; }
→ TimerMilliC Timer C !stPrd .Rep → PTimerMilliC Timer stPrd , where
stPrd is the identifier of the command startPeriodic, TimerMilliC period is a component
variable of the component TimerMilliC and TimerMilliC Timer prd is the status variable
of the periodic timer associated to the component TimmerMilliC .
Definition 6 (Event Implementation). An event comp.i .evt of the interface i implemented
by the component comp is modeled as an STCSP process Pcomp i evt = comp ie? evt .args.Req
→ Evt → comp ie !evt .Rep → Pcomp i evt , where Evt is an STCSP process constructed by
translating the statements of the event implementation.
Example 12 (Modeling an event). The Timer0.fired event in Figure 4.1(b) can be modelled
as the following STCSP process:
PBlinkC Timer0 fired = BlinkC Timer0 E?fr .Req → BlinkC Leds C !t0.Req →
39
4.2. Generation of STCSP Model
NesC statements STCSP processes
user.ui → prov.pi
(user uic?cmd .args.Req → prov pic !cmd .args.Req →
prov pic?cmd .Rep → user uic !cmd .Rep) ||| (prov pie?evt .args.Req →
user uie !evt .args.Req → user uie?evt .Rep → prov pie !evt .Rep)
(user) call i.cmd() user ic !cmd .args.Req → user ic?cmd .Rep
comp.i.cmd{CMD} comp ic?cmd .args.Req → CMD → comp ic !cmd .Rep
(prov) signal i.evt() user ie !evt .args.Req → user ie?evt .Rep
comp.i.evt{EVT} comp ie?evt .args.Req → EVT → comp ie !evt .Rep
task scheduler Psdl = if (Qt 6= ∅){Qt?tsk → sdl !tsk → sdl?EOT → Psdl}else{Psdl}
post tsk() if (!Qt .Has(tsk)){Qt !tsk → Skip}else{Skip};
tsk{TSK} sdl?tsk → TSK → sdl !EOT
interrupt handler ih Pih = ifb(xitr == ON ){P ′ih → Qt !tskih → {xitr = OFF} → Pih}
if(B){A}else{C} if (B){A}else{C};
while(B){A} if (B){A; WHILE}else{Skip};
do{A}while(B) A; if (B){WHILE}else{Skip};
for(A;B;C){D} A; ReFor ; (ReFor = if (B){D ; C ; ReFor }else{Skip}; )
Table 4.2: STCSP processes for NesC constructs
BlinkC Leds C ?t0.Rep → BlinkC Timer0 E !fr .Rep → PBlinkC Timer0 fired ,
where fr is the identifier of the command fired and t0 is the identifier of the event led0Toggle.
Definition 7 (Task). A task tsk is modeled as an STCSP process Ptsk = sdl?tsk →
Tsk ; sdl !EOT, where Tsk is an STCSP process constructed by translating the statements of
the task.
Example 13 (Modeling Timer Fired Task). The fired task implemented by TimerMilliC is
task void TimerFired(){signal Timer .fired(); }. By Definition 7, it can be modelled as the
following STCSP process:
PTimerMilliC TimerFired = sdl?tskTimerMilliC TimerFired → TimerMilliC Timer E !fr .Req →
TimerMilliC Timer E?fr .Rep → sdl !EOT.
Based on the semantics of STCSP models, we can construct the execution trace of the
event Boot .booted as STCSP events as shown in Example 14.
Example 14 (Executing Trace). The execution trace of the event Boot .booted of Exam-
ple 6 is: BlinkC Timer0 C .stPrd .1000.Req → TimerMilliC Timer C .stPrd .1000.Req →
(startPrd ′s body)→ TimerMilliC Timer C .stPrd .Rep → BlinkC Timer0 C .stPrd .Rep.
Step 3: build the system-level process
40
Chapter 4. Translation-based Verification of SNs
After specifying all components and their wirings, a top-level process is defined as the
interleaving of all existing processes in runtime to represent the whole system, including the
process modeling the task scheduler.
System =̂ Psdl ||| Pwire1 ||| . . . ||| Pwirew ||| Pih1 ||| . . . ||| Pihi ||| Pcomp1 ||| . . . ||| Pcompk ;
In the above definition of the STCSP process System, Pwirej (1 < j < w) is the process
modeling the wire expression wirej and w is the number of wiring expression defined in the
application. Similarly, Pihj (0 < j < i) and Pcompj (0 < j < k) model the interrupt handler
ihj and the component compj , respectively.
Modeling timed constraints TinyOS maintains middlewares such as Timer and Alarm
to support the real-time features for developing NesC applications. The timing middlewares
of TinyOS are modeled as timed processes with timed operators including Wait, Deadline,
Waituntil, Interrupt and so on, as illustrated in [148]. These models are implemented stat-
ically as part of the runtime environmental library when automatically constructing the
STCSP models in our framework.
4.3 Experiments and Evaluation
The generated STCSP models are then verified by the model checker PAT [144], which sup-
ports the verification of STCSP models [148, 143] against properties such as non-termination
(represented as deadlock freeness of STCSP models), state reachability, temporal proper-
ties. This approach is named NesC2STCSP and has been integrated in our framework
NesC@PAT. In this section, we illustrate the execution of the NesC2STCSP framework
with the Blink application presented in Example 6, in which an LED is turned on and off
periodically. We also run the application BlinkC’ for comparison, in which two timers are
used to toggle two LEDs periodically. Moreover, we run the Sensing application, which
periodically samples data and toggles a certain LED based on the value of the data sensed.
Our testbed is a PC with the Intel Core i7-2640M CPU at 2.80GHz and 7.88GB RAM.
During model extraction, timed operator Wait is used when modeling the command
startPeriodic of the interface Timer . The generated STCSP model consists of variables,
channels and processes. Three properties are verified against for both the Blink and the
Blink’ applications. The first is the goal of non-termination; the second is the goal that the
timer(s) is(are) fired infinitely often; and the third is the goal that the LED should eventually
be toggled whenever its corresponding timer is fired. As for the Sensing application, three
properties are defined as well. The first is non-termination, the second is that the timer can
be fired infinitely often, and the third is that whenever the timer is fired some data can be
eventually sampled.
The results of the verification of the three applications are shown in Table 4.3. These
41
4.4. Summary
System(LoC) Assertion Result # States Time (s)
Blink (18)
Non-termination X 41 0.01
23 TimerFired X 86 0.01
2 TimerFired → 3 led0Toggled X 44 0.01
Blink’ (24)
Non-termination X 243 0.02
23TimerFired X 706 0.08
2 TimerFired → 3 led0Toggled X 357 0.05
Sensing (29)
Non-termination X 1048K 60
23TimerFired X 4313K 369
2 TimerFired → 3 led0Toggled X 2598 239










8/16/64-bit (un)signed integer ×
Algebraic operations +,−,×, /,% X
Logical operations &&, ||,¬ ,=, 6=, <,≤, >,≥ X
Bitwise operations &, |,∼,∧, >>,<< ×
Label statement ×
NesC specific
Generic components and interfaces ×
Fan-in(out) wirings ×
Atomic statement ×
Table 4.4: Summary of syntax supported by NesC2STCSP
examples show that our approach is useful and effective for verifying TinyOS applications.
However, to verify the Sensing application takes much more time than to verify either the
Blink application or the Blink’ application. This is because that the Sensing application has
more sources of concurrency than the other two applications, including the concurrency be-
tween the timer and the sensing device, and the concurrency caused by the non-determinism
of the value of data being sensed.
4.4 Summary
This chapter presents the NesC2STCSP approach on the automatic generation of STCSP
models from sensor network programs in NesC. As shown in Table 4.4, where Sup denotes
42
Chapter 4. Translation-based Verification of SNs
whether the corresponding language feature is supported or not, only a subset of NesC
syntax is supported by NesC2STCSP. Most syntax features are not supported due to the
limitation of the modeling language STCSP.
• Since STCSP only supports integer and boolean data types, C features such as pointers,
structs, data types except integer or boolean are not supported. Furthermore, generic
components or interfaces are not supported because they use data types as parameters
in their definitions of components or interfaces.
• Bitwise operations are not supported because they are not allowed in STCSP.
• Label statements are not supported because there is no similar semantic operator in
STCSP and thus it is complicated to model label statements in STCSP. Similarly,
atomic statements that disable interrupts, and fan-in or fan-out features of multiple-
to-one wiring expressions are not supported.
We believe that this approach contributes to the robustness of sensor network systems
because it allows NesC programmers to model check their code without being troubled by
manually constructing formal models. However, due to the semantic differences between
NesC and STCSP, the STCSP models obtained from NesC programs are inevitably large,
complex and redundant.
Intuitively, direct verification is straightforward and more efficient as specialized opti-
mization techniques are possible. However, direct verification is infeasible without a com-
plete operational semantics of the NesC language. The idea is to define the operational
semantics of NesC, and explore the system state space based on them to for verification
purposes. The challenge is that to define the operational semantics is not an easy task, since
currently there exists no formal description of TinyOS or NesC. Since the execution model
of TinyOS application is well-defined, we can develop a formal description of this execution
model and then operational semantics can be defined further. This formalization approach
will be discussed in the next chapter.
43
Chapter 5
Direct Verification of SNs
This chapter presents our work on directly modeling and verifying SNs and is organized
as follows. Section 5.1 presents the formal semantics of the NesC language; Section 5.2
formalizes the TinyOS execution model; Sections 5.3 and 5.4 discuss the network composition
semantics and the modeling of the environment of SNs, respectively; Section 5.5 discusses
the model checking algorithms adopted in our work; Section 5.6 evaluates our approach with
experiments; and Section 5.7 summarizes the chapter.
5.1 Formal Semantics of NesC
In this section, we formalize the semantics of the NesC language. In particular, the formal
definitions of sensors in the LTS semantics are given in Section 5.1.1, and the operational
semantics of NesC language constructs is illustrated in Section 5.1.2.
5.1.1 Definitions
In this thesis, we focus on sensors running TinyOS applications implemented in NesC. The
behaviors of a sensor are then determined by the scheduler of tasks and the concurrent
execution between tasks and device interrupts.
Definition 8 (Sensor Model). A sensor model S is a tuple S = (A,T ,R, init ,P) where A
is a finite set of variables; T is a queue which records posted tasks in a certain order; R is a
buffer that keeps incoming messages sent by other sensors; init is the initial valuation of the
variable set A; and P is a program, composed by the running NesC program M interrupted
by various devices H , i.e., P = M 4 H .
H models (and often abstracts) the behaviors of hardware devices such as Timer, Receiver
and Reader (i.e. the sensing device). Because tasks are deferred computations, when posted
they are pushed into the task queue T for scheduling in a certain order. By default, tasks
would be scheduled in FIFO order on TinyOS. However, TinyOS allows programmers to
44
Chapter 5. Direct Verification of SNs
configure the scheduler with a different order. In our work, we assume that tasks are always
scheduled in FIFO order. We remark that T and R are empty initially for any sensor model
S. The interrupt operator (4) is introduced to capture the interrupt-driven feature of the
TinyOS execution model, which will be explained later in Section 2.3.
The variables in A are categorized into two groups. One is composed of variables de-
clared in the NesC program, which are further divided into two categories according to their
scopes, i.e. component variables and local variables. Component variables are defined in a
component’s scope, whereas local variables are defined within a function’s or a statement
block’s scope. All component variables are loaded to the variable set A at initialization.
As for local variables, they are loaded on demand at run time. To avoid naming conflicts,
the name of each variable is first prefixed with the component name. A local variable is
renamed with the line number of its declaration position in addition. The other is a set of
device variables that capture the status of hardware devices. For example, MessageC .Status
is introduced to model the status of the messaging device. A status variable is added into
A after the compilation if the corresponding device is accessed in the program.
Assume that a sensor executes TrickleAppC implemented for Example 1. By Defini-
tion 8, the corresponding sensor model is S = (A,T ,R, init ,P). In TrickleAppC , compo-
nent TrickleC is referred as App, so App is used for renaming its variables. The variable
set after renaming is A = { MessageC .Status, App.summary , App.code, App.34.pkt , · · · },
where variables with two-field names (e.g. App.summary) are component variables excep-
t for MessageC .Status (a device status variable), and those with three-field names (e.g.
App.34.pkt) are local variables. init is the initial valuation where MessageC .Status = OFF ,
App.summary = 0, App.code = 0, App.34.pkt = null , · · · . In TrickleAppC , only the mes-
saging device MessageC is accessed. Therefore, initially the program P is event Boot .booted
(denoted by Mb) interrupted by the messaging device (denoted by MessageC ), i.e., P =
Mb 4 MessageC . Event Boot .booted is implemented by TrickleC as follows.
event void Boot .booted(){
call AMControl .start(); //Start the messaging device
}
CallingAMControl .start will execute the corresponding command body in component Active-
MessageC . Component ActiveMessageC is defined in the TinyOS component library for ac-
tivating the messaging device. When AMControl .start is completed, the event AMControl .-
startDone (implemented by TrickleC ) will be signaled. IfAMControl .start returns SUCCESS ,
the function sendSummary is called for sending the summary. Otherwise, the command
AMControl .start is re-called, as shown in Figure 5.1. We use a model MessageC to describe
the behaviors of the messaging device of a sensor, as will be presented in Section 5.2.1. If
AMControl .start is performed successfully, the program P of S will becomeM ′b 4 MessageC ′
where M ′b and MessageC
′ are the new program status and the new device status after exe-
45
5.1. Formal Semantics of NesC
1 event void AMControl . startDone ( error_t r s ){
2 i f ( r s ! = SUCCESS){
3 //The prev ious r eque s t f a i l s
4 c a l l AMControl . s t a r t ( ) ;
5 } e l s e {
6 sendSummanry ( ) ;
7 }
8 }
Figure 5.1: Event AMControl .startDone
cuting the command respectively, and the value of MessageC .Status will be modified. 2
Definition 9 (Sensor State). Let S = (A,T ,R, init ,P) be a sensor model. A sensor state
C of S is a tuple (V ,Q ,B ,P) where V is the valuation of variables A; Q is a sequence of
tasks, being the content of T ; B is a sequence of messages, being the content of R; P is the
executing program.
For a sensor model S = (A,T ,R, init ,P), its initial state is C init = (init ,∅,∅,P), in
respect that initially task queue T and message buffer R are empty. A transition is written
as (V ,Q ,B ,P) e→ (V ′,Q ′,B ′,P ′) (or C e→ C ′ for short), where e is a text label assigned
to the transition to denote the behavior of the transition. Next, we define the behavior of a
sensor as an LTS.
Definition 10 (Sensor Transition System). Let S = (A,T ,R, init ,P) be a sensor model.
The transition system of S is defined as a tuple T = (C, init ,→), where C is the set of all
reachable sensor states and → is the transition relation.
The transition relation is defined as→: C×∑×C, where∑ is the set of possible labels.
And → is formally obtained through a set of firing rules associated with each and every
NesC programming construct.
5.1.2 Operational Semantics
Let S(A,T ,R, init ,P) be a sensor model. The transition system of S is T(C, init ,→),
obtained by the firing rules of P . The transition relation (→) is formally defined through a
set of firing rules associated with each and every NesC programming constructs, as follows.
• Function(E ) returns the first function contained in expression E .
• τ is a label denoting a silent transition.
• X simply denotes the termination of the execution of a statement.
• e is used to denote the label of a transition.
46
Chapter 5. Direct Verification of SNs
• x is a mathematical expression and a variable is considered as an expression.
• E [a/x ] updates the expression E by replacing the sub-expression x with a.
• Prog(L) represents the program point that is labelled by L.
• V (x ) is a function over expressions and it evaluates the value of the expression x in
the valuation V .
• V [v/x ] updates the expression x with the value v evaluated in the valuation V .
• I is a status variable, denoting whether interrupts are allowed at a certain state.
• ac is a status variable, serving as the counter of active atomic blocks. This vari-
able is introduced to support nested atomic blocks, as shown in the rules for atomic
statements (rules atm1-atm5).
• at{P} is introduced to encode the list of statements P within an atomic block, where
interrupts are disabled.
• ∩ is sequence concatenation.
• FstFnc(Larg) returns the first argument in Larg which contains function calls.
•  simply means null.
• Impl(f ,Larg) returns the body of function f with arguments Larg .
• {F} denotes the list of statements F within a function’s scope.
• Larg [a ′/a] replaces argument a with a ′ in the argument list Larg .
• r is a status variable, denoting the value returned by a certain function.
• 〈PxQy〉 is introduced as the intermediate representation of a loop statement, where P
is the list of statements in the current iteration and Q is the original loop statement.
• Stop denotes the termination of a sensor.
Expression (E ), defined by rules expr1, expr2 and expr3.
A purely mathematical expression refers to an expression composed of variables and
constant values, without any function calls. For example, a×10−b is a purely mathematical
expression. The firing rule for this case is presented in the rule expr1. The rule expr1 is
used in other rules later to check if an expression contains an incomplete function call.
Function(E ) = 
[ expr1 ]
(V , Q , B , E ) τ→ (V , Q , B , X)
47
5.1. Formal Semantics of NesC
If an expression contains some function call, it will firstly rewrite the original expression
with the target program of the function call (rule expr2). We remark that the function body
is executed step by step. For example, expression a × sum(b, 20) will execute the function
call sum(b, 20) at first.
P = Function(E ) 6= , (V , Q , B , P) e→ (V ′, Q ′, B ′, P ′)
[ expr2 ]
(V , Q , B , E ) e→ (V ′, Q ′, B ′, E [P ′/P ])
If the function call completes its execution, it will update the original expression with
the returned value V ′(r), as shown in the rule expr3. For example, when sum(b, 20) finishes
its execution, the original expression a×sum(b, 20) will be updated with its return value vr ,
becoming a×vr . The rule expr3 restricts that the execution of the return statement and the
updating of the expression E should be considered as one single atomic event. Therefore,
exactly one status variable r is sufficient to correctly capture the semantics of function calls
even if there are concurrent functions, nested function calls, or multiple function calls. This
will be elaborated later in the rules for function calls.
P = Function(E ) 6= , (V , Q , B , P) e→ (V ′, Q ′, B ′, X)
[ expr3 ]
(V , Q , B , E ) e→ (V ′, Q ′, B ′, E [V ′(r)/P ])
Example 15 (LTS of an expression). Given an expression involving a method call as shown
in Figure 5.2, the method call will be executed first and the corresponding LTS is presented
in Figure 5.3. At state C2, the expression will become (i + 5) where 5 is the value returned
by the method call.
1 i + min (10 , 5 ) ;
2
3 i n t min ( i n t a , i n t b){
4 i f ( a < b)
5 return a ;
6 e l s e re turn b ;
7 }
Figure 5.2: An expression
C0start C1 C2
call min(10,5) return 5
Figure 5.3: LTS of the expression
Assignment (x := E ), defined by rules as1 and as2.
If the expression is purely mathematical, denoted by (V , Q , B , E ) τ→ (V , Q , B , X),
the variable x will be updated immediately with the value of E (i.e., V (E )), as shown in the
rule as1. The label e of an assignment transition is constructed in the form of s.assign.x .v ,
where s is the identifier of the sensor that runs the current assignment, assign is a constant
element, x is the variable being updated and v is the new value of x after the assignment. For
example, when executing count := 1 for sensor s1, the label of the corresponding transition
48
Chapter 5. Direct Verification of SNs
is e = s1.assign.count .1.
(V , Q , B , E ) τ→ (V , Q , B , X), v = V (E ), e = s.assign.x .v
[ as1 ]
(V , Q , B , x := E ) e→ (V [v/x ], Q , B , X)
Rule as2 presents the case when the expression E contains a function call. The expression
E is executed first by applying the rule expr2. Upon the return statement of the function
call, the rule expr3 is applied, which will replace the function call with the return value and
then the rule as1 could be applied in the next step to update the variable x . For example,
count := count + getCount() will first execute the function call getCount().
(V , Q , B , E ) e→ (V ′, Q ′, B ′,E ′), E ′ 6= X
[ as2 ]
(V , Q , B , x := E ) e→ (V ′, Q ′, B ′, x := E ′)
Example 16 (LTS of an assignment). Given an assignment as shown in Figure 5.4, suppose
that initially v = 0 and k = 3 and let (v , k) denote each state. The corresponding LTS is
presented in Figure 5.5.
1 v = k + min (10 , 5 ) ;
2
3 i n t min ( i n t a , i n t b){
4 i f ( a < b)
5 return a ;
6 e l s e re turn b ;
7 }
Figure 5.4: Assignment
(0, 3)start (0, 3) (0, 3) (8, 3)
call min(10,5) return 5 v:=k+5
Figure 5.5: LTS of the assignment
Post (post tsk()), defined by rules post1 and post2.
TinyOS does not allow duplicated tasks in the task queue, and thus to execute a post
statement requires checking if the task is already in the task queue. If there are no duplicated
tasks, then the task will be enqueued immediately (rule post1); otherwise the task is dropped
(rule post2).
e = s.post .t , t 6∈ Q , Q ′ = Q ∩ 〈t〉
[ post1 ]
(V , Q , B , post tsk()) e→ (V , Q ′, B , X)
e = s.post .t .fail , t ∈ Q
[ post2 ]
(V , Q , B , post tsk()) e→ (V , Q , B , X)
Command call (call intf .cmd(Larg)), defined by rules call1 and call2.
49
5.1. Formal Semantics of NesC
In the statement call intf .cmd(Larg), Larg is the list of arguments. As shown by rule
call1, if the arguments contain no function calls, the execution of a command call will transit
directly to the execution of the corresponding command body. The label of the transition in
the rule call1 is constructed as call .intf .cmd where call is a keyword denoting a command
call, intf is the name of the interface of the command and cmd is the name of the command.
e = call .intf .cmd ,FstFnc(Larg) = , F = Impl(intf .cmd ,Larg)
[ call1 ]
(V , Q , B , call intf .cmd(Larg))
e→ (V , Q , B , {F})
If the arguments involve function calls, the function calls will be executed first (rule
call2). In the rule call2, the actual execution of the command call (i.e., the rule call1) is
delayed by some function invoked in the arguments. And thus the label of the transition
is identical to the one obtained by executing the functions, i.e., e from (V , Q , B , a) e→
(V ′, Q ′, B ′, a ′).
FstFnc(Larg) = a, a 6= , (V , Q , B , a) e→ (V ′, Q ′, B ′, a ′)
[ call2 ]
(V , Q , B , call intf .cmd(Larg))
e→ (V ′, Q ′, B ′, call intf .cmd(Larg [a ′/a]))
Event signal (signal intf .evt(Larg)), defined by rules sig1 and sig2.
In the statement signal intf .evt(Larg) , Larg is the list of arguments. As shown by rule
sig1, if the arguments contain no function calls, the execution of an event signal will transit
directly to the execution of the corresponding event body. Otherwise, the function calls in
the arguments will be executed first (rule sig2). The labels of both rules are constructed in
the way similar to the rules call1 and call2.
e = s.sig .intf .evt ,FstFnc(Larg) = , F = Impl(intf .evt ,Larg)
[ sig1 ]
(V , Q , B , signal intf .evt(Larg))
e→ (V , Q , B , {F})
FstFnc(Larg) = a, a 6= , (V , Q , B , a) e→ (V ′, Q ′, B ′, a ′)
[ sig2 ]
(V , Q , B , signal intf .evt(Larg))
e→ (V ′, Q ′, B ′, signal intf .evt(Larg [a ′/a]))
Function invocation (func(Larg)), defined by rules inv1 and inv2.
In the statement func(Larg) , Larg is the list of arguments. As shown by rule inv1, if
the arguments contain no function calls, the execution of a function invocation will transit
directly to the execution of the corresponding function body. Otherwise, the function calls
in the arguments will be executed first (rule inv2).
e = s.invoke.func,FstFnc(Larg) = , F = Impl(func,Larg)
[ inv1 ]
(V , Q , B , func(Larg))
e→ (V , Q , B , {F})
50
Chapter 5. Direct Verification of SNs
FstFnc(Larg) = a, a 6= , (V , Q , B , a) e→ (V ′, Q ′, B ′, a ′)
[ inv2 ]
(V , Q , B , func(Larg))
e→ (V ′, Q ′, B ′, func(Larg [a ′/a]))
Return (return or return E ), defined by rules return1, return2 and return3.
A return statement is only legal within a function’s scope, and it will terminate the exe-
cution of the function body ({return; F}) it belongs to, no matter if there is any subsequent
statement. If a return statement has no returned value (i.e. return), the function body is
simply terminated (rule return1). Otherwise, either the rule return2 or the rule return3 will
be applied, depending on whether the returned expression (E ) contains any function call.
[ return1 ]
(V , Q , B , {return; F}) s.return→ (V [/r ], Q , B , X)
(V , Q , B , E ) e→ (V ′, Q ′, B ′, E ′), E ′ 6= X
[ return2 ]
(V , Q , B , {return E ; F}) e→ (V ′, Q ′, B ′, {return E ′; F})
(V , Q , B , E ) τ→ (V , Q , B , X), vr = V (E )
[ return3 ]
(V , Q , B , {return E ; F}) s.return.vr→ (V [vr/r ], Q , B , X)
Example 17 (LTS of return statement). Given a return statement as shown in Figure 5.6,
suppose that initially vr = 0 and let (vr ) denotes each state. The corresponding LTS is
presented in Figure 5.7.
1 . . .
2 re turn 100+sum(5 , 1 0 ) ;
3 . . .
4
5 i n t sum( i n t x , i n t y ){
6 re turn x + y ;
7 }






Figure 5.7: LTS of the return statement
Go-to Statement (gt L), defined by the rule gt .
During the parsing stage, our tool generates a table of labels and their corresponding
program point. In the execution of a go-to statement, Prog(L) returns the program point
of the label L by looking at this table. Moreover, in C, a go-to statement provides an
unconditional jump to a labeled statement in the same function. The NesC language follows
this convention for go-to statements. Therefore, a go-to statement will only affects the
51
5.1. Formal Semantics of NesC




(V , Q , B , {gt L; P}) s.gt .L→ (V , Q , B , {PL})
Sequential composition (P ; Q), defined by rules seq1 and seq2.
The operator ; describes the sequential composition of statements, and is defined as
left-associate.
(V , Q , B , P) e→ (V ′, Q ′, B ′, P ′), P ′ 6= X
[ seq1 ]
(V , Q , B , P ; S ) e→ (V ′, Q ′, B ′, P ′; S )
(V , Q , B , P) e→ (V ′, Q ′, B ′, X)
[ seq2 ]
(V , Q , B , P ; S ) e→ (V ′, Q ′, B ′, S )
Atomic (atomic{P}), defined by rules atm1, atm2, atm3, atm4 and atm5.
In an atomic block, interrupts are disabled. Thus, the status variable I will be set as
off whenever the system enters a new atomic block (rule atm1). Meanwhile, the atomic
counter ac is increased by 1. The construct at{P ′} is used to denote the statements to be
executed while I remains off .
(V , Q , B , P) e→ (V ′, Q ′, B ′, P ′), P ′ 6= X, vac = V (ac) + 1
[ atm1 ]
(V , Q , B , atomic{P}) e→ (V ′[off /I , vac/ac], Q ′, B ′, at{P ′})
If the atomic block terminates in one step, I or ac will not be changed (rule atm2),
because after that step the atomic block terminates immediately. This rule is designed to
avoid redundant states caused by an unnecessary at{} block.
(V , Q , B , P) e→ (V ′, Q ′, B ′, X)
[ atm2 ]
(V , Q , B , atomic{P}) e→ (V ′, Q ′, B ′, X)
The rule atm3 describes the execution of the remaining statements of an atomic block
after it disables interrupts.
(V , Q , B , P) e→ (V ′, Q ′, B ′, P ′), P ′ 6= X
[ atm3 ]
(V , Q , B , at{P}) e→ (V ′, Q ′, B ′, at{P ′})
The rules atm4 and atm5 handle the last statement of an atomic block. On one hand,
the atomic counter ac is decreased by 1. On the other hand, interrupts are enabled only
52
Chapter 5. Direct Verification of SNs
when there are no active atomic blocks (rule atm5).
(V , Q , B , P) e→ (V ′, Q ′, B ′, X), vac = V (ac)− 1 > 0
[ atm4 ]
(V , Q , B , at{P}) e→ (V ′[vac/ac], Q ′, B ′, X)
(V , Q , B , P) e→ (V ′, Q ′, B ′, X), vac = V (ac)− 1 = 0
[ atm5 ]
(V , Q , B , at{P}) e→ (V ′[on/I , 0/ac], Q ′, B ′, X)
Function ({F}), defined by rules func1 and func2.
{F} is used to denote the execution of a function, where {} denotes the boundary of the
function, and F denotes the statements of the function to be executed. If the function body
finishes its execution, the whole function terminates (rule func2). Note that the function
boundary ({}) disappears when rule func2 is applied.
(V , Q , B , F ) e→ (V ′, Q ′, B ′, F ′), F ′ 6= X
[ func1 ]
(V , Q , B , {F}) e→ (V ′, Q ′, B ′, {F ′})
(V , Q , B , F ) e→ (V ′, Q ′, B ′, X)
[ func2 ]
(V , Q , B , {F}) e→ (V ′, Q ′, B ′, X)
If-Else (if (c) P else S ), defined by rules if 1, if 2 and if 3.
A statement without the else clause like if (c)P is considered as an if-else statement with
S being X, i.e., if (c) P else X. If the condition has some function call, the system will
execute the function call before evaluating the condition (rule if 1).
(V , Q , B , c) e→ (V ′, Q ′, B ′, c′), c′ 6= X
[ if 1 ]
(V , Q , B , if (c) P else S ) e→ (V ′, Q ′, B ′, if (c′) P else S )
The statement if (c) P else S will behave as P if the condition c is evaluated as True
(rule if 2); otherwise, it behaves as S (rule if 3).
(V , Q , B , c) τ→ (V , Q , B , X), V (c) = True
[ if 2 ]
(V , Q , B , if (c) P else S ) e→ (V , Q , B , P)
(V , Q , B , c) τ→ (V , Q , B , X), V (c) = False
[ if 3 ]
(V , Q , B , if (c) P else S ) e→ (V , Q , B , S )
While (while(c) P), defined by rules wh1, wh2, wh3, wh4, wh5 and wh6.
53
5.1. Formal Semantics of NesC
The statement do P while(c) is considered as the sequential composition of P and a
while statement, i.e., P ; while(c) P . Similarly to if-else statements, if the condition has
some function call, the system will execute the function call before evaluating the condition
(rules wh1 and wh2).
As shown in the sequential composition rule seq2, a statement is dismissed after it com-
pletes its execution. This prevents a loop statement like while from repeating the execution
of the loop because both the loop condition and the loop body are missing after the first
iteration of the loop. Therefore, the construct xW0y is introduced to cache the original while
statement including the original loop condition and loop body, in order to allow repeated
execution of the loop.
W0 = while(c) P , (V , Q , B , c)
e→ (V ′, Q ′, B ′, c′), c′ 6= X
[ wh1 ]
(V , Q , B , W0)
e→ (V ′, Q ′, B ′, while(c′) P xW0y)
(V , Q , B , c) e→ (V ′, Q ′, B ′, c′), c′ 6= X
[ wh2 ]
(V , Q , B , while(c) P xW0y) e→ (V ′, Q ′, B ′, while(c′) P xW0y)
In the rules wh3 and wh4, 〈〉 is used to represent the iterative execution of a loop
statement, and xW0y is included to cache the original while loop statement. The firing rules
of 〈P xSy〉 will be defined later by rules loop1 and loop2.
(V , Q , B , c) τ→ (V , Q , B , X), V (c) = True
[ wh3 ]
(V , Q , B , while(c) P) e→ (V , Q , B , 〈P xwhile(c) Py〉)
(V , Q , B , c) τ→ (V , Q , B , X), V (c) = True
[ wh4 ]
(V , Q , B , while(c) P xW0y) e→ (V , Q , B , 〈P xW0y〉)
If the condition c is evaluated to be False, the while statement will terminate immedi-
ately, as shown in the rules wh5 and wh6.
(V , Q , B , c) e→ (V , Q , B , X), V (c) = False
[ wh5 ]
(V , Q , B , while(c) P) e→ (V , Q , B , X)
(V , Q , B , c) e→ (V , Q , B , X), V (c) = False
[ wh6 ]
(V , Q , B , while(c) P xW0y) e→ (V , Q , B , X)
For (for(R; c; S ) P), defined by rules for1, for2, for3, for4, for5, for6, for7 and for8.
In a for statement, the statements before evaluating the condition will be executed
54
Chapter 5. Direct Verification of SNs
exactly once, as shown in the following rules for1 and for2.
(V , Q , B , R) e→ (V ′, Q ′, B ′, R′), R′ 6= X
[ for1 ]
(V , Q , B , for(R; c; S ) P) e→ (V ′, Q ′, B ′, for(R′; c; S ) P)
(V , Q , B , R) e→ (V ′, Q ′, B ′, X)
[ for2 ]
(V , Q , B , for(R; c; S ) P) e→ (V ′, Q ′, B ′, for(; c; S ) P)
When there are no statements to be executed before evaluating the condition, the con-
dition c will be executed if it contains any function call, as in the rules for3 and for4.
F0 = for(; c; S ) P , (V , Q , B , c)
e→ (V ′, Q ′, B ′, c′), c′ 6= X
[ for3 ]
(V , Q , B , F0)
e→ (V ′, Q ′, B ′, for(; c′; S ) P xF0y)
(V , Q , B , c) e→ (V ′, Q ′, B ′, c′), c′ 6= X
[ for4 ]
(V , Q , B , for(; c; S ) P xF0y) e→ (V ′, Q ′, B ′, for(; c′; S ) P xF0y)
Example 18 (LTS of for statement). Given a for statement as shown in Figure 5.8, sup-
pose that initially sum = 0 and let (i , sum) denotes each state. The corresponding LTS is
presented in Figure 5.9.
1 f o r ( i = 0 ; i < 4 ; i++){
2 sum = sum+i ;
3 }
Figure 5.8: for statement
(0, 0)start (1, 0) (1, 1) (2, 1)




Figure 5.9: LTS of the for statement
When the condition is evaluated as True, the for statement transits to a loop 〈P ; xfor(;
c; S ) Py〉 (rules for5 and for6); otherwise, the for statement terminates immediately as
shown in the rules for7 and for8.
(V , Q , B , c) e→ (V , Q , B , X), V (c) = True
[ for5 ]
(V , Q , B , for(; c; S ) P) e→ (V , Q , B , 〈P ; S xfor(; c; S ) Py〉)
55
5.1. Formal Semantics of NesC
(V , Q , B , c) e→ (V , Q , B , X), V (c) = True
[ for6 ]
(V , Q , B , for(; c; S ) P xF0y) e→ (V , Q , B , 〈P ; S xF0y〉)
(V , Q , B , c) e→ (V , Q , B , X), V (c) = False
[ for7 ]
(V , Q , B , for(; c; S ) P) e→ (V , Q , B , X)
(V , Q , B , c) e→ (V , Q , B , X), V (c) = False
[ for8 ]
(V , Q , B , for(; c; S ) P xF0y) e→ (V , Q , B , X)
Loop (〈P xSy〉), defined by rules loop1, loop2 and loop3.
A loop 〈P xSy〉 describes the iterative execution of while (do-while) statements and
for statements, where P is the current iteration and S caches the original loop statement
including the original looping condition. The statement P is executed step by step (rule
loop1).
(V , Q , B , P ; P1)
e→ (V ′, Q ′, B ′, P ′), P ′ 6= X, P 6= gt L
[ loop1 ]
(V , Q , B , 〈P ; P1 xSy〉) e→ (V ′, Q ′, B ′, 〈P ′ xSy〉)
The rule loop2 is introduced to support labelled break and continue statements. There
is no explicit function boundary {} in this rule, which means that the loop and the label
is within the scope of the same function. This rule implies that a go-to statement in a
function invoked by a loop statement will not affect the loop itself. For example, given an




(V , Q , B , 〈gt L; P xSy〉) s.gt .L→ (V , Q , B , PL)
When P terminates, the loop body of the original statement (S ) will be executed (rule
loop3).
(V , Q , B , P) e→ (V ′, Q ′, B ′, X)
[ loop3 ]
(V , Q , B , 〈P xSy〉) e→ (V ′, Q ′, B ′, S )
Although the semantics of a loop seems the same as that of the sequential composition
of statements, this structure is necessary in order to define the semantics of continue and
break statements in loops.
56
Chapter 5. Direct Verification of SNs
1 event void Boot . booted ( ){
2 c a l l Read . read ( ) ;
3 post send_task ( ) ;
4 }
5 event void Read . rdDone ( i n t v ){
6 value += v ;
7 }
8 task void send_task ( ){
9 busy = TRUE;
10 c a l l Send . send ( count ) ;
11 }
12 event void Send . sendDone ( ){
13 busy = FALSE;
14 }
15 event void Receive . r e c e i v e ( ){
16 count ++;
17 post send_task ( ) ;
18 }
(a) Application Code
0:   empty
1:   tst
2:   tst,trd
3:   trd
4:   tst,trv
5:   trd,tst
6:   trv
7:   trv,tst
8:   trv,tst,trd





















rv rv 3 rd 3rd
(b) State Space of Boot.booted
Figure 5.10: Example Code
Continue (continue), defined by the rule cont .
A continue statement is only legal in a loop, i.e., 〈P xSy〉. When a continue statement
is encountered, the current iteration will be skipped immediately and a new iteration will
be started (rule cont).
[ cont ]
(V , Q , B , 〈continue; P xSy〉) s.continue→ (V , Q , B , S )
Break (break), defined by the rule brk .
Similarly, a break statement is only legal in a loop, i.e., 〈P xSy〉. If a break statement is
encountered in a loop, the loop terminates immediately (rule brk).
[ brk ]
(V , Q , B , 〈break ; P xSy〉) s.break→ (V , Q , B , X)
Example 19 (State Space of Functions). In the code shown in Figure 5.10(a), the command
call Read .read()/Send .send() invokes the corresponding command body that requests the
sensing device/messaging device to read a data/to send a packet, which will later trigger the
completion interrupt rd/sd to post a task for signaling event Read .rdDone/Send .sendDone.
We remark that rv is used to denote the interrupt of a packet arrival, and trd , tsd , and trv are
the tasks posted by interrupt handlers of rd, sd and rv, respectively. With the assumption
that a packet arrival interrupt is possible, the state graph of event Boot .booted is shown in
Figure 5.10(b), where each transition is labeled with the line number of the executed state-
ment or the triggered interrupt, and each state is numbered according to the task queue. The
task queues of different state numbers are listed in the figure. For example in Figure 5.10(b),
57
5.2. Formalization of TinyOS Execution Model
Operation Component Remark
Activation ActiveMessageC Activate the messaging device by com-mand SplitControl .start().
Message Transmission AMSenderC Send a message by the commandAMSend .send(dst ,msg , length).
Message Reception
AMReceiverC
Signal its receive event if the destina-
tion address of the incoming message is
the local ID or the broadcast ID.
AMSnooperC
Signal its receive event if the destina-
tion address of the incoming message is
neither the local ID nor the broadcast
ID.
AMSnoopingReceiverC
Always signal its receive event regard-
less of the destination address of the in-
coming message.
Table 5.1: Components of the Messaging Device
initially, after executing call Read .read() (line 2) the task queue still remains empty, while
after executing the interrupt handler rv, the completion task trv is enqueued and the task
queue becomes 〈trv 〉 (i.e., state 6).
5.2 Formalization of TinyOS Execution Model
In this section, we tackle the formalization of features and components related to the TinyOS
execution model, including the formalization of interrupts, the formal models of hardware
devices, and the interrupt operator which models the current execution among interrupts
and tasks.
5.2.1 Hardware Model Collection
The models of the hardware devices are developed systematically. According to the TinyOS
component library, we develop a component model library for common-used components like
AMSenderC , AMReceiverC , TimerC , etc. Currently, our approach models the messaging
device, timing device and sensing device as follows.
Messaging device. In the TinyOS component library, components ActiveMessageC , AM -
SenderC , AMReceiverC , AMSnooperC and AMSnoopingReceiverC are designed for different
operations on the messaging device, such as device activation, message transmission and
message reception. The descriptions of the primary components for the messaging device
are presented in Table 5.1. In the following we present the semantics of the operations or
interrupt handlers of the messaging device.
58
Chapter 5. Direct Verification of SNs
1 task void tsd ( ){
2 //update dev i c e s t a tu s
3 s i g n a l AMSend . sendDone ( ) ;
4 }
5 task void trcv ( ){
6 //update dev i c e s t a tu s
7 s i g n a l Receive . r e c e i v e ( ) ;
8 }




Figure 5.12: An SN Example
• Message transmission. The semantic structure Send is defined to model the behaviors
of sending a message. Send is defined as (s, dst , amid ,msg), where s is the identifier
of the sensor which sends a message, dst is the destination, amid is the AM type
of the channel and msg is the message itself. The task tsd is the sendDone task
of the sender component SenderCamid related to the channel amid and here we use
SendDone(s, amid) to return the sendDone task of the sensor s corresponding to the
channel amid . The task tsd is abstracted by the way explained in Section 2.3, as
shown in Figure 5.11. The message sent msg is stored in a buffer of the component
SenderCamid , which is later used as a parameter in the event signalling of sendDone
event in the task tsd .
tsd = SendDone(s, amid), tsd 6∈ Q , Q ′ = Q ∩ 〈tsd 〉
[ send ]
(V , Q , B , Send(s, dst , amid ,msg)) s.send .dst .amid .msg→ (V , Q ′, B , X)
• Message reception. The semantic structure Rcv is defined to model the behaviors
of receiving a message. When an incoming message arrives, a task (trcv ) will be
enqueued at the task queue, as shown in the rule rcv . The function AMID(msg)
returns the channel amid which msg is sent through. The task trcv is the receive
task of the receiver component ReceiverCamid related to the channel amid and here
we use Receive(s, amid) to return the receive task of the sensor s when receiving a
message from the channel amid . The task trcv is abstracted by the way explained in
Section 2.3, as shown in Figure 5.11. The received message msg is stored in a buffer of
the component ReceiverCamid , which is later used as a parameter in when signalling
the receive event in the task trcv .
B = 〈msg〉∩ B ′, amid = AMID(msg), trcv = Receive(s, amid), trcv 6∈ Q , Q ′ = Q ∩ 〈trcv 〉
[ rcv ]
(V , Q , B , Rcv) s.rcv.amid.msg→ (V , Q ′, B ′, Rcv)
Timing device. The Timer and Alarm interfaces of TinyOS declare commands for the
timing device. And the most important and common commands are command startOneShot
and startPeriodic. The command startOneShot sets a single-shot timer to some time units
59
5.2. Formalization of TinyOS Execution Model
in the future, while startPeriodic sets a periodic timer to repeat at every interval. The rule
frd is defined for the firing of timers.
tfrd 6∈ Q , Q ′ = Q ∩ 〈tfrd 〉
[ frd ]
(V , Q , B , Fired()) s.fired→ (V , Q ′, B , X)
Sensing device. The rule spl is defined to model the interrupt handler Sample(dev) upon
a sampling request, where dev is the related sensing component and Range(dev) denotes
the data range of the sensing component dev . When | Range(dev) |> 1 (i.e., the size of
Range(dev) is larger than one), executing Sample(dev) will become non-deterministic.
dt ∈ Range(dev), trd 6∈ Q , Q ′ = Q ∩ 〈trd 〉
[ spl ]
(V , Q , B , Sample(dev)) s.sensed .dt→ (V [dt/s.dev .sensed ], Q ′, B , X)
Concurrent execution of devices. In our work, an interrupt handler is considered as an
atomic action. Thus we ignore the preemption of interrupts. Nevertheless, devices such as
Timer, Receiver, Reader (Sensor) and so on ‘execute’ concurrently, because they can trigger
interrupts independently. This is captured using an interleave operator |||, which resembles
the interleave operator in CSP [74]. Rules int1 - int5 describe the semantics of interleaving.
If neither P nor S is termination, then one of them is chosen nondeterministically to execute,
as shown in the rules int1 and int2.
P 6= X, (V , Q , B , P) e→ (V ′, Q ′, B ′, P ′)
[ int1 ]
(V , Q , B , P ||| S ) e→ (V ′, Q ′, B ′, P ′ ||| S )
S 6= X, (V , Q , B , S ) e→ (V ′, Q ′, B ′, S ′)
[ int2 ]
(V , Q , B , P ||| S ) e→ (V ′, Q ′, B ′, P ||| S ′)
If one of the devices terminates, then the interleave operator is resolved and a non-
termination device is executed, as shown in the rules int3 and int4.
S 6= X, (V , Q , B , S ) e→ (V ′, Q ′, B ′, S ′)
[ int3 ]
(V , Q , B , X ||| S ) e→ (V ′, Q ′, B ′, S ′)
P 6= X, (V , Q , B , P) e→ (V ′, Q ′, B ′, P ′)
[ int4 ]
(V , Q , B , P ||| X) e→ (V ′, Q ′, B ′, P ′)
If both devices are terminations, then the result is also termination and the interleave
60
Chapter 5. Direct Verification of SNs
operator is resolved.
[ int5 ]
(V , Q , B ,X ||| X) τ→ (V , Q , B , X)
5.2.2 Interrupt Operator
The interrupt operator (4) is introduced to formalize the concurrent execution between
tasks and interrupts. In TinyOS execution model, interrupts always preempt tasks. When
a task terminates, a new task will be fetched from the task queue for execution. A sensor
will remain idle when no interrupts are triggered by devices and no tasks are scheduled in
the task queue. It can be activated again by an interrupt like the arrival of a new message.
If interrupts are enabled (i.e., V (I ) = on), the hardware devices (H ) can run one step.
V (I ) = on, (V , Q , B , H ) e→ (V ′, Q ′, B ′, H ′)
[ itr1 ]
(V , Q , B , M 4 H ) e→ (V ′, Q ′, B ′, M 4 H ′)
The executing task can perform a step when hardware devices are idle, or interrupts are
disabled like when executing an atomic block.
H = idle or V (I ) = off , (V , Q , B , M ) e→ (V ′, Q ′, B ′, M ′)
[ itr2 ]
(V , Q , B , M 4 H ) e→ (V ′, Q ′, B ′, M ′ 4 H )
When a task (M ) completes its completion, a new task will be fetched from the task
queue (Q) for execution.
H = idle, M = Impl(t ,∅)
[ itr3 ]
(V , 〈t〉∩Q ′, B , X 4 H ) τ→ (V , Q ′, B , M 4 H )
A sensor will remain idle when no interrupts are triggered by devices or no tasks are
deferred (rule itr4), and it can be activated by an interrupt like the arrival of a new message.
H = idle
[ itr4 ]
(V , ∅, B , X 4 H ) s.idle→ (V , ∅, B , X 4 H )
A sensor will stop if no hardware devices are active and no tasks are pending execution,
as in the rule itr5.
[ itr5 ]




In this section, we formalize SNs as LTSs. A sensor network N is composed of a set of
sensors and a network topology1. From a logical point of view, a network topology is
simply a directed graph where nodes are sensors and edges are data links between sensors.
In reality, a sensor always broadcasts messages and only the ones within its radio range
would be able to receive the messages. We introduce a radio range model to describe the
network topology, i.e. whether a sensor is able to send messages to some other sensor. Let
N = {0, 1, · · · , i , · · · ,n} be the set of the unique identifier of each sensor in an SN N . The
radio range model is defined as the relation R : N ↔ N, such that (i , j ) ∈ R if and only if
sensor j is within sensor i ’s radio range. We define an SN model as the parallel composition
of the sensors with the radio range model, as shown in Definition 11.
Definition 11 (SNModel). The model of a sensor network N is defined as a tuple(R, {S0, · · · ,
Sn}) where R is the radio model (i.e. network topology), {S0, · · · ,Sn} is a finite ordered set
of sensor models, and Si (0 6 i 6 n) is the model of sensor i.
For each sensor model Si = (Ai ,Ti ,Ri , initi ,Pi), its initial state is C initi = (initi ,∅,∅,Pi),
in respect that initially task queue Ti and message buffer Ri are empty. Sensors in a network
can deliver messages between one another, and semantic structures Send and Rcv are de-
fined to model message transmission among sensors. SNs are highly concurrent as all sensors
run in parallel, i.e. the network behaviors are obtained by non-deterministically choosing
one sensor to execute at each step.
Definition 12 (SN State). Let N = (R, {S0, · · · ,Sn}) be an SN model. A state of N is
defined as the finite ordered set of sensor states: C = {C0, · · · ,Cn} where Ci (0 6 i 6 n) is
the state of Si .
Definition 12 formally defines a global system state of an SN. Based on this, we are now
able to represent a sensor network as an LTS.
Definition 13 (SN Transition System). Let N = (R, {S0, · · · ,Sn}) be an SN model. The
transition system corresponding to N is a 3-tuple T = (Γ, init , ↪→) where Γ is the set of
all reachable SN states, init = {C init0 , · · · ,C initn } (C initi is the initial state of Si) being the
initial state of N , and ↪→ is the transition relation.
A transition of an SN is of the form C e↪→ C′, where C = {C0, · · · ,Ci , · · · ,Cn} and
C′ = {C ′0, · · · ,C ′i , · · · ,C ′n}. The transition relation is obtained through a set of firing rules,
which are shown below.
Ci
e→ C ′i , e 6= si .send .dst .am.msg , e 6= si .idle, e 6= si .stop [ network1 ]
{C0, · · · ,Ci , · · · ,Cn} e↪→ {C0, · · · ,C ′i , · · · ,Cn}
1We assume that the network topology for a given SN is fixed in this work.
62
Chapter 5. Direct Verification of SNs
Rule network1 describes the concurrent execution betweens sensors, i.e. the network non-
deterministically chooses a sensor to perform a transition. This rule also indicates that
our modeling approach ignores the problem of collision caused by the simultaneous packet
transmission of sensor nodes.
Ci
e→ C ′i , e = si .send .dst .am.msg , ∀ 0 ≤ j ≤ n, i 6= j • C ′j = InMsg(i ,msg ,Cj )
[ network2 ]
{C0, · · · ,Ci , · · · ,Cn} e↪→ {C ′0, · · · ,C ′i , · · · ,C ′n}
Rule network2 is dedicated to network communication. Function InMsg(i ,msg ,Cj )
enqueues the message msg to sensor i if it is in the radio range of sensor j . Formally,
C ′j = InMsg(i ,msg ,Ci)⇔ (i , j ) ∈ R∧C ′j = Cj [Bj ∩ 〈msg〉 /Bj ]∨ (i , j ) 6∈ R∧C ′j = Cj . Thus
a sensor sending a message will not only change its local state but also may change those of
the sensors in its radio range, by enqueuing the message to their message buffers.
As shown in the rule network3, the network will remain idle if all sensors are at an idle
state.
∀ 0 ≤ i ≤ n • Ci si .idle→ Ci
[ network3 ]
{C0, · · · ,Ci , · · · ,Cn} nw .idle↪→ {C0, · · · ,Ci , · · · ,Cn}
If a sensor stops, the corresponding sensor state is removed from the network state.
Ci
si .stop→ C ′i [ network4 ]
{C0, · · · ,Ci , · · · ,Cn} si .stop↪→ {C0, · · · ,Ci−1,Ci+1, · · · ,Cn}
Example 20 (An SN Model). Figure 5.12 presents an SN with three nodes.
The radio range of each senor is described by a circle around it. Let S1 = (A1,T1,R1, init1,
P1), S2 = (A2,T2,R2, init2,P2) and S3 = (A3,T3,R3, init3,P3) be the sensor models of sen-
sor 1, 2 and 3, respectively. Then the model of the SN is N = (R, {S1,S2,S3}), where R =
{(1, 2), (2, 1), (2, 3)}. Let T1 = (C1, init1,→1), T2 = (C2, init2,→2) and T3 = (C3, init3,→3)
be the sensor transition systems for S1, S2 and S3, respectively. Then the SN transition
system is T = (Γ, init , ↪→) where Γ ⊆ C1 × C2 × C3, and init = {C init1 ,C init2 ,C init3 } =
{(init1,∅,∅,P1), (init2,∅,∅,P2), (init3,∅,∅,P3), }.
5.4 Modeling Environments
In order to model the unreliable environments, we consider the following features.
• Environment data. In our approach, we provide an interface to specify the value range
of each sensing device for each sensor, which will be presented in Section 7.2.1. The
rule spl for data sampling then decides the range of value that can be sensed by the
63
5.5. Model Checking Algorithms
range specified. The unreliable environment can be modeled by specifying the value
range of sensing device. For example, in order to analyze a fire detection system, we
can specify the range of value of the temperature sensing device to include normal
temperature values and abnormally high temperature values.
• Unreliable communication. In our approach, the message buffer of each sensor is
limited and we allow users to specify the size of message buffer of each sensor. When
the buffer is full, incoming packets are simply dropped and in this way the behavior of
packet loss is modeled in our approach. Packet loss due to unreliable data links is not
modeled in our approach, because modeling unreliable data links without probability
will always introduce false-negatives of the network being analyzed.
• Uncertain interrupts. On one hand, interrupts are allowed to interleave the execution
of a task at each single statement of the task. On the other hand, enabled interrupts
are allowed to concurrently execute. Thus, the behavior of interrupts is exhaustively
modeled and the uncertainty of interrupt events is resolved.
5.5 Model Checking Algorithms
Algorithm 1 DFS
DFS (C0, ϕ)
1: if C0 violates ϕ then
2: return false
3: end if
4: vs ← {C0}
5: ws ← {C0}
6: while ws 6= ∅ do
7: C ← ws.Pop()
8: for all C′such that ∃α. C α↪→ C′ do
9: if C′ violates ϕ then
10: return false
11: end if
12: if C′ 6∈ vs then
13: ws ← ws.Push(C′)





Our approach supports the verification of both safety properties and liveness properties,
as introduced in Section 2.4. In the following, we introduce the algorithms for verifying
these properties.
Safety properties are checked by exhaustively exploring the state space using Depth-first
search (DFS) or Breadth-first search (BFS) algorithms. We present the DFS algorithm in 1,
and the BFS algorithm is developed in a similar way. As shown in Algorithm 1, two stacks
vs (visited states) and ws (working states) are maintained to keep track of the states that
have been visited and the states to be explored for successors, respectively. Both stacks
are initialized with the initial state C0 of the sensor network to be model checked. The
64
Chapter 5. Direct Verification of SNs
loop between lines 6 and 17 takes a state from ws and applies the firing rules introduced
in Sections 5.1 - 5.3 to generate subsequent states. The algorithm terminates immediately
if a state violating the property ϕ is encountered (lines 9 and 10). Otherwise, new states
that do not exist in vs are pushed to ws and vs (lines 12 to 17). If no states violate ϕ, the
algorithm terminates when ws becomes ∅, which means that the complete state space of
the sensor network has been explored.
We adopt the approach presented in [144] to verify LTL properties. First, the negation
of an LTL formula is converted into an equivalent Büchi automaton; and then accepting
strongly connected components (SCC) in the synchronous product of the automaton and
the model are examined in order to find a counterexample. Notice that the SCC-based
algorithm allows us to model check with fairness [149], which often plays an important role
in proving liveness properties of SNs.
5.6 Experiment and Evaluation
The direct verification approach of SNs has been implemented in the tool NesC@PAT, which
will be explained in Chapter 7. In this section, we evaluate the direct verification approach
and present experiment results. Section 5.6.1 provides a comparison of the direct verification
approach and the translation-based approach NesC2STCSP, an Section 5.6.2 presents a case
study on the verification of the real-world sensor network protocol, the Trickle algorithm [88].
5.6.1 Comparison with NesC2STCSP
In this section, we compare the translation-based approach NesC2STCSP presented in Chap-
ter 4 with the direct verification approach presented in this chapter.
First, the direct verification approach supports a larger set of the NesC language features
than NesC2STCSP. Table 5.2 demonstrates comparison of the supported language features
of both approaches, where N2S stands for the NesC2STCSP approach and Direct stands
for the direct verification approach.
Second, the state space obtained by the direct approach has fewer states than the
NesC2STCSP approach. Table 5.3 compares the verification statistics of both approach-
es. It can be seen that the direct approach has much fewer states for the Sensing application
than the NesC2STCSP approach. This confirms that direct verification approaches are more
feasible and efficient for the purpose of verification.
5.6.2 The Trickle Algorithm: a Case Study
The direct verification approach has been used to analyze SNs deployed with the Trickle
algorithm presented in Example 1. We studied SNs with different topologies including
star, ring and single-tracked ring (SRing for short). The settings of SNs are presented in
65
5.6. Experiment and Evaluation









8/16/64-bit (un)signed integer × X
Algebraic operations +,−,×, /,% X X
Logical operations &&, ||,¬ ,=, 6=, <,≤, >,≥ X X
Bitwise operations &, |,∼,∧, >>,<< × X
Label statement × X
NesC specific
Generic components and interfaces × X
Fan-in(out) wirings × X
Atomic statement × X
Table 5.2: Comparison of Language Features Supported
Figure 5.13, where 1/1 stands for new code/new summary and 0/0 stands for old code/old
summary and a directed graph is used to illustrate the logical view for each network.
Two safety properties (i.e. Non-termination and Reach FalseUpdated) and two liveness
properties (i.e. 3AllUpdated and23AllUpdated) are verified. Property Reach FalseUpdated
is a state reachability checking, which is valid if and only if the state FalseUpdated where a
node updates its code with an older one can be reached. Property 3AllUpdated is an LTL
formula which is valid if and only if the state AllUpdated where all nodes are updated with
the new code can be reached eventually, while 23AllUpdated requires state AllUpdated to
be reached infinitely often.
In order to specify these assertions, we define the following propositions, where n stands
for the size of the related network.
• FalseUpdated ≡ S1.code < S1.ID || S2.code < S2.ID || · · · || Sn−1.code< Sn−1.ID;
• AllUpdated ≡ S1.code == Sn .ID && S2.code == Sn .ID && · · · && Sn .code ==Sn .ID.
Based on these propositions, the two safety properties Non-termination and Reach False-
Updated are specified as follows.
• Non-termination: #assert SensorNetwork never Terminates;
• Reach FalseUpdated : #assert SensorNetwork never FalseUpdated.
As for liveness properties 3AllUpdated and 23AllUpdated , they are specified as the
following.
• 3AllUpdated: #assert SensorNetwork |= <>AllUpdated;
66
Chapter 5. Direct Verification of SNs
App Assertion Result NesC2STCSP Direct# States Time (s) # States Time (s)
Blink
Non-termination True 41 0.01 32 0.01
23 TimerFired True 86 0.01 67 0.01
2 (TimerFired → 3
led0Toggled)
True 54 0.01 68 0.01
Blink’
Non-termination True 243 0.02 85 0.01
23TimerFired True 706 0.08 199 0.01
2 (TimerFired → 3
led0Toggled)
True 417 0.05 202 0.01
Sensing
Non-termination True 1048K 60 590 0.02
23TimerFired True 4313K 369 1533 0.13
2 (TimerFired → 3
led0Toggled)
True 2598 239 1538 0.15











Figure 5.13: Network Topology: Star, Ring, Single-track Ring
• 23AllUpdated: #assert SensorNetwork |= []<>AllUpdated.
A server with Intel Xeon 4-Core CPU*2 and 32 GB memory was used to run the veri-
fication, and the results are summarized in Table 5.4. The results show that the algorithm
satisfies the safety properties, i.e. neither a terminating state nor a FalseUpdated state is
reachable. As for the liveness property, both ring and star networks work well, which means
that every node is eventually updated with the new code.
However, the single-tracked-ring (SRing) network fails to satisfy either liveness property.
The counterexample produced by NesC@PAT shows that only one sensor can be updated
with the new code. By simulating the counterexample in NesC@PAT, we can find the reason
for this bug. On one hand, the initially updated node A receives old summary from node C
thus broadcasting its code but only node B can hear it. On the other hand, after node B is
updated it fails to send its code to node C because node B never hears an older summary
from node C. We also increased the number of sensors for SRing networks, and the results
remained the same.
67
5.6. Experiment and Evaluation
(a) Initial Setting (b) Star/Ring network (c) SRing network
Figure 5.14: Real Executions on Iris Motes




X 300,332 859,115 49 42,936
Reach FalseUp-
dated
× 300,332 859,115 47 23,165
3AllUpdated X 791,419 2,270,243 148 25,133




X 1,093,077 3,152,574 171 80,108
Reach FalseUp-
dated
× 1,093,077 3,152,574 161 27,871
3AllUpdated X 2,127,930 6,157,922 389 78,435
SRing
Non-termination 3 X 30,872 85,143 5 19,9684 X 672,136 2,476,655 170 72,209
Reach
FalseUpdated
3 × 30,872 85,143 5 23,641
4 × 672,136 2,476,655 156 62,778
3AllUpdated
3 × 42 73 <1 19,290
4 × 52 113 <1 19,771
23AllUpdated
3 × 146 147 <1 51,938
4 × 226 227 <1 51,421
8 × 746 747 <1 59,900
20 × 4,126 4,127 2 148,155
Table 5.4: Verifying Trickle Algorithm
We ran the Trickle program on IRIS motes to study whether this bug could be evidenced
in real executions. The TrickleAppC was modified by adding operations on LEDs to display
the changes of code:
1. Initially sensor A has the new code (1/1) and has its red LED on, while sensor B and
C have the old code (0/0) and have their yellow LEDs on, as shown in Figure 5.14(a).
2. A sensor will turns on its red LED when it is updated with the new code.
3. Different topologies are achieved by specifying different AM id for each sensor’s
AMSenderC and AMReceiverC .
The revised TrickleAppC was executed on real sensors with star, ring and single-tracked ring
topologies. Figure 5.14(b) shows that the star/ring network is able to update all nodes, and
Figure 5.14(c) shows that the single-tracked ring network fails to update one node, which
confirms that the bug found by NesC@PAT could be evidenced in reality.
68
Chapter 5. Direct Verification of SNs
Category Sum Construct Number Rules
Inherited from C 37
Expression 3 expr1-3
Assignment 2 as1, 2
Function Invocation 2 inv1, 2
Function 2 func1, 2
Label 1 gt
Return 3 return1-3
Sequence 2 seq1, 2
If-else 3 if 1-3





Post 2 post1, 2





Device Operation 4 send , rcv , spl , frd
Device Interleave 5 int1-5
Network composition 4 network1-4
Total 66
Table 5.5: Summary of semantic rules
Discussion The results in Table 5.4 show that a SN of the Trickle algorithm with three
nodes has a state space of 106 ∼ 107, and the state space grows exponentially with the
network topology and the number of nodes. Thus there is a need for techniques to reduce
the state space. Hardware-related behaviors are abstracted and manually modeled based on
real sensors, i.e. Iris motes. This manual abstraction of hardware is simple to implement,
but lacks the ability to find errors due to hardware failures, as the hardware is assumed to
be always working.
5.7 Summary
In this chapter, we present the complete semantics and define firing rules for the language
constructs of NesC. The complete semantics for sensor networks consists of 66 firing rules,
as summarized in Table 5.5. With this formal semantics, it is now possible to build the
system state space directly from sensor network implementations directly.
Verification goals are presented in a lightweight annotation language separated from the
NesC language or TinyOS. In this way, assertions could be defined without modifying the
original sensor network programs, and thus it makes it convenient to put the same copy
of code being model checked into practice. The approach has been implemented in the
tool NesC@PAT, which will be discussed in Chapter 7. We have studied the performance
69
5.7. Summary
of this approach with a number of examples, and results show that our approach helps to
analyze and verify SNs with NesC programs effectively. The comparison between the direct
verification approach and the translation-based approach NesC2STCSP confirms that direct
verification approach works better.
The main challenge of this approach (and general model checking methods) is the state
space explosion problem. The concurrency among sensors and among interrupts inside
each sensor has introduced a huge state space which is usually infeasible to be completely
explored within acceptable time and available memory. Therefore, there is a need to develop
techniques to reduce the system state space without losing the ability to analyze and check
the system. In the next chapter, we will discuss a novel two-level partial order reduction




In this chapter, we discuss a method developed to significantly reduce the state space of
SNs while preserving important properties so that state space exploration methods (like
model checking or systematic testing) become more efficient. The method works as follows.
First, static analysis is performed to automatically identify independent actions/interrupts
at both inter-sensor and intra-sensor levels. Second, we extend the Cartesian semantics [65]
to reduce network-level interleaving. The original Cartesian POR algorithm treats each
process (in our case, sensor) as a simple sequential program. However, in our work, we have
to handle the internal concurrency among interrupts for each sensor and thus the Cartesian
semantics of SNs is developed. The interleaving among interrupts is then minimized by the
persistent set technique [34].
This chapter is organized as follows. In Section 6.1, we present the theoretical techniques
for analyzing the independence relation among actions in SNs. In Section 6.2, we present the
sensor network cartesian semantics, which is based on the cartesian semantics for concurrent
programs [65]. And then in Section 6.3, we present our novel two-level POR for SNs, which
extends the POR in [65] to allow reduction at different system levels. In Section 6.4, we
formally prove that our method is sound and complete, i.e., preserving LTL-X properties [34].
The proposed method has been implemented in the model checker NesC@PAT [172] and
experiment results show that our method reduces the state space significantly, e.g., the
reduced state space is orders of magnitudes smaller. We also approximate the reduction
ratio obtained by a related tool T-Check [89] under POR setting and the data show that
our two-level POR achieves much better reduction ratio than T-Check’s POR algorithm, as
elaborated in Section 6.5. A summary of this chapter is presented in Section 6.6.





In this section, we study the commutativity of actions in a sensor network. In this thesis,
two actions are said to be independent if and only if their execution order is commutative.
In particular, we examine the independence relation between actions within an arbitrary
sensor, and between actions from different sensors. These are important as in SNs, there are
inter-sensor concurrency and intra-sensor concurrency. The independence analysis rules are
elaborated and we propose a systematic way to detect independence among interrupts by
taking into account the shared task queue. These will be used for automatic identification
of independent actions for the two-level POR approach which will be covered later.
For a sensor network, C denotes a network state, defined as {C0, · · · ,Cn} where Ci
(0 6 i 6 n) is the state of Si , also denoted by C[i ]. In the rest of this chapter, the following
definitions and notations are used.
• enable(C ) : the set of all actions enabled at a sensor state C , i.e., enable(C ) = {α |
∃C ′ ∈ C,C α→ C ′}.
• ex (C , α) (where α ∈ enable(C )): the sensor state after executing α at state C .
• ∑S (or simply ∑ if S is clear): the set of actions of S. We assume that ∑ is finite.
• ∑iq ⊆∑: the set of hardware request actions.
• ∑pt ⊆∑: the set of actions that are post statements.
• itrH (S) ⊆∑ : the set of interrupt handlers.
• ∑sd ⊆∑: the set of actions involving packet transmission.
• ∑asyn ⊆∑: the set of actions executed in an asynchronous context, i.e., in an inter-
rupt handler.
• ∑syn ⊆ ∑: the set of actions executed in a synchronous context, i.e., in a normal
task.
• Tasks(S) (or simply Tasks if S is clear): the set of all tasks defined in S. We assume
that Tasks is finite.
6.1.1 A Motivating Example
Inside a sensor, the interleaving between an interrupt handler and a non-post action can be
reduced, since interrupt handlers only modify the task queue and non-post actions never ac-
cess the task queue. For example, in Figure 5.10(b) presented in Section 5.2, the interleaving
between line 2 and rv can be ignored. Moreover, for post statements and interrupt handlers,
their interleaving could be reduced if their corresponding tasks access no common variables,
72












































  Task Queue    
Figure 6.1: Pruned State Graph
like rd and rv at state 2, and line 3 and rd at state 1. This is because trd only accesses the
variable value which is never accessed by tst or trv . Therefore, it is important to detect the
independence among actions inside a sensor, which is referred to as local independence.
From the view of the network, each sensor only accesses its own and local resources,
unless it sends a message packet, modifying some other sensors’ message buffers. Intuitively,
the interleaving of local actions of different sensors can be reduced without missing critical
states. This observation leads to the independence analysis at the network level, referred to
as global independence. Consider a network with two sensors S1 and S2 implemented with
the code shown in Figure 5.10(a). Applying partial order reduction at both network and
sensor levels, we are able to obtain a reduced state graph as shown in Figure 6.1, where
states are numbered with the task queues of both sensors, e.g., state 2.1 shows that the
task queue of S1 is 〈tst , trd 〉 and 〈tst〉 for S2 where there is communication between the two
sensors. In this example, interleaving between two sensors is only allowed when necessary,
like at the shadowed states labeled with 2.0 and 4.0. The sub-graph within each dashed
rectangle is established by executing actions from only one sensor, either S1 or S2. In each
sub-graph, local independence is used to prune unnecessary interleaving among local actions.
Dashed arrows indicate pruned local actions. For example, rectangle p23 is constructed by
removing all shadowed states and dashed transitions in Figure 5.10(b). It can be seen that
the corresponding complete state space of this graph consists of around 200 states, whereas
the reduced graph contains fewer than 20 states.
In the following, we investigate local and global independence w.r.t. a certain property,





In a sensor, an action may modify a variable or the task queue. Thus local independence is
defined to describe independent actions according to their effects on the variables and the
task queue. In the following, the concepts of actions, tasks, and task queues are w.r.t. a
given sensor model S.
Definition 14 (Variable Independence). Given a state C , α1, α2 ∈
∑
, and α1, α2 ∈
enable(C ), actions α1 and α2 are said to be variable-independent, denoted by α1 ≡VI α2, iff
ex (ex (C , α1), α2) =v ex (ex (C , α2), α1).
In the above definition, =v (referred to as v -equal) denotes that two states share the
same valuation of variables, message buffer, and the same running program. That is, if
C1 = (V1,Q1,B1,P1), C2 = (V2,Q2,B2,P2), then we have C1 =v C2 iff V1 = V2 ∧ B1 =
B2 ∧P1 = P2. Let Wα and Rα be the set of variables written and only read by an action α,
respectively. Let C (a) be the valuation function of variable a at state C .
Lemma 1. ∀α1, α2 ∈
∑
. Wα1 ∩ (Wα2 ∪ Rα2) = Wα2 ∩ (Wα1 ∪ Rα1) = ∅⇒ α1 ≡VI α2.
Proof Suppose that α1, α2 ∈ enable(C0). Let ex (C0, α1) = C01, ex (C01, α2) = C12,
ex (C0, α2) = C02, and ex (C02, α1) = C21. Let V0,V01, V12, V02 and V21 be the valuation
of C0, C01, C12, C02 and C21, respectively. Since Wα2 ∩ (Wα1 ∪Rα1) = ∅, we can conclude
that ∀ x ∈ (Wα1 ∪Rα1). V02(x ) = V0(x ) ∧ V01(x ) = V12(x ), further V21(x ) = V01(x ), and
finally V12(x ) = V21(x ). Similarly, we can prove that ∀ x ∈ (Wα2 ∪ Rα2). V21(x ) = V12(x ).
Let Var be the set of all variables and we can conclude immediately that ∀ x ∈ (Var−(Rα1∪
Wα1 ∪ Rα2 ∪Wα2)). V12(x ) = V21(x ). Therefore, V12 = V21 and C12 =v C21. 2
Lemma 1 shows that two actions are variable-independent if the variables modified by
one action are mutual exclusive with those accessed (either modified or read) by the other.
For example, by Lemma 1, αl6 ≡VI αl13, where αl6(αl13) refers to an action executing the
statement at line 6 (13) of Figure 5.10(a).
Interrupt handlers might run in parallel resulting in different orders of tasks in the task
queue. Given a task t , Ptask(t) denotes the set of tasks posted by a post statement in t or an
interrupt handler of a certain interrupt request in t . Formally, Ptask(t) = {t ′ | ∃α ∈ t . α =
post(t ′)∨ (α ∈∑iq) ∧ t ′ = tsk(ih(α)))}, where post(t) is a post statement to enqueue task
t ; ih(αiq) denotes the corresponding interrupt handler of a device request αiq , and tsk(αih)
denotes the completion task of αih . In the code in Figure 5.10(a), Ptask(trv ) = {tst}, due to
the post statement in line 17. As for tst (lines 8 to 11), it has a request for sending a message
(line 10), the interrupt handler of which will post the task tsd , and thus Ptask(tst) = {tsd}.
Note that more tasks can be enqueued during the execution of a previously enqueued
task. We define Rtask(t) to represent all possible tasks enqueued by a given task t and
the tasks in its Ptask set in a recursive way. Formally, Rtask(t) = {t} ∪ Ptask(t) ∪
(∪t ′∈Ptask(t)Rtask(t ′)). Since Tasks is finite, for every task t , Rtask(t) is also finite and
74
Chapter 6. Reduction and Optimization
thus could be obtained statically at compile time. In Figure 5.10(a), since Ptask(tsd ) = ∅,
we have Rtask(tsd ) = {tsd}. Similarly, we can obtain that Rtask(tst) = {tst , tsd} and
Rtask(trv ) = {trv , tst , tsd}. Let R(ϕ,S) be the set of variables of S accessed by the prop-
erty ϕ. Let Ŵ (t) be the set of variables modified by Rtask(t). We say that t is a ϕ-safe
task, denoted by t ∈ safe(ϕ,S) iff (Ŵ (t) ∩ R(ϕ,S)) = ∅. In the following, we define local
independence of tasks.
Definition 15 (Local Task Independence). Let ti(j ) ∈ Tasks be two tasks. ti and tj are said
to be local-independent, denoted by ti ≡TI tj , iff (ti ∈ safe(ϕ,S) ∨ tj ∈ safe(ϕ,S)) ∧ ∀ t ′i ∈
Rtask(ti), t ′j ∈ Rtask(tj ). ∀αi ∈ t ′i , αj ∈ t ′j . αi ≡VI αj .
In the above definition, the condition that one of the task should be ϕ-safe guarantees
that executing the two tasks in different orders will introduce no difference on the effect of
the property ϕ.
Though interrupt handlers in asynchronous context and post statements in synchronous
context both modify the task queue, we observe that task queues with different orders of
tasks might be equivalent. Based on Definition 15, we define the independence relation of
two task sequences as follows, which is used to further define equivalent task sequences.
Definition 16 (Task Sequence Independence). Let Qi = 〈ti0, · · · , tim〉,Qj = 〈tj0, · · · , tjn〉
(m,n > 0) be two task sequences, where tiu(0 ≤ u ≤ m), tjv (0 ≤ v ≤ n) ∈ Tasks. Qi and Qj
are said to be sequence-independent, denoted by Qi ≡SI Qj , iff ∀ ti ∈ (∪mk=0Rtask(tik )), tj ∈
(∪nk=0Rtask(tjk )). ti ≡TI tj .
A partition P of a task sequence Q is a list of task sequences q0, q1, · · · , qm such that
Q = q∩0 q∩1 · · · qm , and for all 0 6 i 6 m, qi 6= 〈〉 (qi is called a sub-sequence of Q).
We use part(Q) to denote the set of all possible partitions of Q . Given a partition P,
SwapP(Q , i) = q∩0 · · · q∩i+1q∩i · · ·∩ qn denotes the task sequence obtained by swapping two
adjacent sub-sequences (i.e., qi and qi+1) consistent with P, and Q = 〈q∩0 q∩1 · · ·∩ qn〉. Then
task sequence equivalence is defined in Definition 17, which is adopted to reduce unnecessary
interleaving among interrupt handlers and actions.
Definition 17 (Task Sequence Equivalence). Given two task sequences Q and Q ′, they are
equivalent (Q ' Q ′) iff Q0 = Q ∧ ∃P. ∃m > 0,Qm = Q ′ ∧ (∀ k ∈ [0,m). ∃ ik . qkik ≡SI
qkik+1 ∧ Qk+1 = SwapP(Qk , ik )) where qki is the i th sub-sequence of Qk .
The above definition indicates that if a task sequence Q ′ can be obtained by swap-
ping adjacent independent sub-sequences of Q , then Q ' Q ′. The relation ' is reflexive,
symmetric and transitive, as shown in Lemma 2.
Lemma 2 (Reflexivity, Symmetry and Transitivity of ').
1. Reflexivity: Q ' Q; (P1)
2. Symmetry: Q1 ' Q2 ⇒ Q2 ' Q1; (P2)
3. Transitivity: Q1 ' Q2 ∧Q2 ' Q3 ⇒ Q1 ' Q3. (P3)
75
6.1. Static Analysis
Proof By Definition 17, m = 0⇒ Qm1 = Q01 = Q , thus Q ' Q and P1 is proved.
Assume that Q1 ' Q2, if Q1 = Q2, by reflexivity it is trivial that Q2 ' Q1. Suppose
that Q1 6= Q2, then by Definition 17, we have Q01 = Q1 ⇒ ∃m > 0,Qm1 = Q2 ∧ (∀ 1 ≤ k ≤
m,∃ ik , qk−1ik ≡SI qk−1ik+1 ∧Qk1 = SwapP(Qk−11 , ik )) (1). Here qki denotes the ith subsequences
of Qk1 . Let Qk2 be the task sequence after swapping adjacent independent task sequences
in Q2 for k times, q˜ki denote the ith subsequence of Q
k
2 . Assume Q02 = Q2 and let Qk2 =
SwapP(Qk−12 , im−(k−1)). Then we have Q
0
2 = Swap
P(Qm−11 , im) ∧ q˜0im = qm−1im+1 ∧ q˜0im+1 =
qm−1im , thus q˜
0
im ≡SI ∧q˜0im+1 and Q12 = SwapP(Q02 , im) = SwapP(SwapP(Qm−11 , im), im) =










and q˜kim−k+1 = q
m−k−1
im−k . By (1), we can infer that q
m−k−1




P(Qk2 , im−k ) = SwapP(Q
m−k
1 , im−k ) = Swap
P(SwapP(Qm−(k+1)1 ,
im−((k+1)−1), im−k ) = Q
m−(k+1)




1 = Q1 and thus Q2 ' Q1. Conse-
quently, P2 is proved.
Assume that Q1 ' Q2 ∧ Q2 ' Q3. If Q1 = Q2 or Q2 = Q3, then trivially Q1 ' Q3.
Suppose that Q1 6= Q2 and Q2 6= Q3, by Definition 17, there exist i1, i2, · · · , im such that
Q01 = Q1 ∧ qk−1ik ≡SI qk−1ik+1 ∧Qk1 = SwapP(Qk−11 , ik ) ∧Qm1 = Q2 and j1, j2, · · · , jn such that
Q02 = Q2 ∧ qk−1jk ≡SI qk−1jk+1 ∧ Qk2 = SwapP(Qk−12 , jk ) ∧ Qn2 = Q3. Again, let Q˜01 = Q1,
v = m + n, and ∀ 1 ≤ k ≤ v , let Q˜k1 = SwapP(Q˜k−11 , lk ) and (1 ≤ k ≤ m ⇒ lk =
ik ) ∧ ((m + 1) ≤ k ≤ (m + n) ⇒ lk = jk ). Then we have Q˜m1 = Qm1 = Q2 and thus
Q˜m+n1 = Q
n
2 = Q3. Therefore Q1 ' Q3 and P3 is proved. 2
Then we define two actions to be locally independent as the following definition, based
on their effects on the variable evaluation and the task queue.
Definition 18 (Local Independence). Given a state C , α1, α2 ∈
∑
, and α1, α2 ∈ enable(C ),
actions α1 and α2 are said to be local-independent, denoted by α1 ≡LI α2, if the following
two conditions are satisfied.
1. α1 ≡VI α2;
2. Q(ex (ex (C , α1), α2)) ' Q(ex (ex (C , α2)), α1).
Now we are able to conclude that a non-post action in the synchronous context is always
local-independent with any action in the asynchronous context, as shown in Lemma 3.
Lemma 3. ∀α ∈∑syn , α′ ∈∑asyn . α 6∈∑pt ⇒ α ≡LI α′.
Proof From α′ ∈∑asyn , we can conclude that α′ only accesses device variables which can-
not be accessed by synchronous actions including α. Thus we are able to conclude that α ≡VI
α′. Suppose that α, α ∈ enable(C ). Since α 6∈ ∑pt implying executing α never changes
the task queue, we can obtain Q(ex (C , α)) = Q(C ). Therefore, Q(ex (ex (C , α), α′)) =
Q(ex (ex (C , α), α′)), and by Lemma 2 we have Q(ex (ex (C , α), α′)) ' Q(ex (ex (C , α), α′)).
Now we can obtain that α ≡LI α′ according to Definition 18. 2
The following lemma shows another property of task sequence equivalence (').
Lemma 4. Q1 ' Q2 ⇒ Q∩1 Q ′ ' Q∩2 Q ′ ∧Q ′∩Q1 ' Q ′∩Q2.
76
Chapter 6. Reduction and Optimization
Proof By Definition 17, there exists m ≥ 0 such that Q0 = Q1 ∧ Qm = Q2 ∧ ∃ i0, i1, · · · ,
ik , · · · , im−1. qkik ≡SI qkik+1 ∧ Qk+1 = SwapP(Qk , ik ). Suppose that Q3 = Q∩1 Q ′ and
Q4 = Q∩2 Q ′, then Q0 = Q3 ∧ Qm = Q4 ∧ ∀ i0, i1, · · · , ik , · · · , im−1. qkik ≡SI qkik+1 ∧ Qk+1 =
SwapP(Qk , ik ). Thus Q3 ' Q4. Similarly, we can prove Q ′∩Q1 ' Q ′∩Q2. 2
The above definition indicates that if a task sequence Q ′ can be obtained by swapping
adjacent independent sub-sequences of Q , then Q ' Q ′. Given two states C and C ′, we said
that C is equivalent to C ′, denoted by C ∼= C ′, iff C =v C ′ ∧ Q(C ) ' Q(C ′). Further, two
state sets C, C′ are said to be equivalent, denoted by C  C′, iff ∀C ∈ C. ∃C ′ ∈ C′. C ∼= C ′
and vice versa. We explore the execution of task sequences starting at a state which is the
completion point of a previous task, i.e., a state with the program as (X 4 H ). This is
because only after a task terminates can a new task be loaded from the task queue for
execution. The case when B(C ) 6= 〈〉 is related to network communication, and is ignored
here but will be covered in global independence analysis in Section 6.1.3.
Let exs(Q ,C ) be the set of final states after executing all tasks of Q starting at state
C , which requires that the task queue of state C is exactly Q . In our work, actions are
deterministic. During the execution of a task (which is a sequence of actions), interrupts
are concurrently executed with the task if interrupts are enabled. Thus the execution of the
task queue exs(Q ,C ) implicitly includes the concurrent execution with interrupt handlers.
Lemma 5. Given C = (V ,Q , 〈〉,X 4 H ) and C ′ = (V ,Q ′, 〈〉,X 4 H ). Q ' Q ′ ⇒
exs(Q ,C )  exs(Q ′,C ′).
Proof Let Q = Q0 = q0∩1 q0∩2 · · ·∩ q0n . Since Q ' Q ′, we can assume that Q ′ is obtained
by applying m Swap actions on Q . Let k ∈ [0,m), by Definition 17, we have Qm = Q ′
and for each k there exists ik such that qkik ≡SI qkik+1 ∧ Qk+1 = SwapP(Qk , ik )). Let
C k = (V ,Qk , 〈〉,X 4 H ) (this implies that C 0 = C and Cm = C ′), and C˜ k ∈ exs(Qk ,C k ).
By Definition 16 and Lemma 1, ∀ C˜ k+1 ∈ exs(Qk+1,C k+1),V (C˜ k ) = V (C˜ k+1). More-
over, since all tasks and all interrupt handlers are completed after exs(Q ,C ), thus ∀ C˜ k ∈
exs(Qk ,C k ), C˜ k+1 ∈ exs(Qk+1,C k+1),P(C˜ k ) = P(C˜ k+1) = X 4 H . Thus C˜ k =v C˜ k+1.
Suppose that qkik = 〈t1ik , · · · , t iik 〉 and qkik+1 = 〈t1ik+1, · · · , t lik+1〉, and that q˜kik = 〈˜t1ik , · · · , t˜xik 〉
and q˜kik+1 = 〈˜t1ik+1, · · · , t˜
y
ik+1〉 being the task sequences introduced by executing all tasks in
qkik and q
k
ik+1 respectively. We remark that ∀ 1 ≤ u ≤ x , t˜uik ∈ ∪lv=1Ptask(tvik ) and ∀ 1 ≤
u ≤ y , t˜uik+1 ∈ ∪lv=1Ptask(tvik+1) (1) and ∀ 1 ≤ u ≤ x , 1 ≤ v ≤ y , t˜uik ≡TI t˜vik+1(2). Then we




1 . According to the semantics that interrupts are allowed to





q˜kik = 〈〉 or q˜kik+1 = 〈〉, then Q(C˜ k ) = Q(C˜ k+1), and by the reflexivity of ' we can obtain
Q(C˜ k ) ' Q(C˜ k+1). Now consider the case of q˜kik 6= 〈〉∧q˜kik+1 6= 〈〉. By (1), (2) and the defini-





Thus qkik ≡SI qkik+1 implies that q˜kik ≡SI q˜kik+1 and Q(C˜ k ) ' Q(C˜ k+1). Now we have proved
that ∀ C˜ k ∈ exs(Qk ,C k ),∃ C˜ k+1 ∈ exs(Qk+1,C k+1), C˜ k =v C˜ k+1∧Q(C˜ k ) ' Q(C˜ k+1) (3).
Applying (3) to Q0 for m times, with the transitivity of the ' relation of task sequences,
77
6.1. Static Analysis
we can conclude that ∀ C˜ 0 ∈ exs(Q0,C 0),∃ C˜m ∈ exs(Qm ,Cm), C˜ 0 =v C˜m ∧ Q(C˜ 0) '
Q(C˜m). Equivalently, ∀ C˜ ∈ exs(Q ,C ),∃ C˜ ′ ∈ exs(Q ′,C ′), C˜ ∼= C˜ ′. Similarly, we can
prove vice versa. 2
Lemma 5 shows that executing two equivalent task sequences from v -equal states will
always lead to equivalent sets of final states. Given an action α, we use ptsk(α) to denote the
task that could be enqueued by executing α. We remark that executing α at most enqueues
one task to the task queue, but sometimes which task to be enqueued is only decided at
runtime, e.g., if (sum > 10){post tsk1}else{post tsk2}. With the above lemma, the rule for
deciding local independence between actions can be obtained, as shown in Lemma 6.
Lemma 6. Given C , α1, α2 ∈ enable(C ), (α1 ≡VI α2 ∧∀ t1 ∈ ptsk(α1), t2 ∈ ptsk(α2). t1 ≡TI
t2)⇒ α1 ≡LI α2.
Proof Since α1 ≡VI α2, we only need to prove the second condition in Definition 18.
Suppose Q(C ) = Q0, ex (ex (C , α1), α2) = C12, ex (ex (C , α2), α1) = C21 and Q(C12) =
Q∩0 tsk∩1 tsk2. Since α1 ≡VI α2, then we can have Q(C12) = Q∩0 tsk∩2 tsk1. Since ∀ t1 ∈
ptsk(α1), t2 ∈ ptsk(α2). t1 ≡TI t2, we can conclude that tsk∩1 tsk2 ' tsk∩2 tsk1. Therefore,
Q(C12) ' Q(C21). 2
6.1.3 Global Independence
SNs are non-blocking, i.e., the execution of one sensor never blocks others. In addition,
a sensor accesses local resources most of the time, except when it broadcasts a message
to the network and fills in others’ message buffers. At the network level, we explore the
execution of each sensor individually, and only allow interleaving among sensors when an
action involving network communication is performed. Let N be a sensor network with n
sensors S1,S2 · · · Sn and C be a network state. We use EnableT (C) to denote the set of
enabled tasks at C. Given t ∈ Tasks(Si), t ∈ EnableT (C)⇔ C[i ] = (V , 〈t , · · · 〉,B ,X 4 H ).
Ex (C, t) represents the set of final states after executing task t (and interrupt handlers
caused by it) starting from C. For two network states C1 and C2, we say that C1 and C2 are
equivalent (C1 ∼= C2) iff ∀ 1 ≤ i ≤ n. C1[i ] ∼= C2[i ]. Similarly, we say that two network state
sets Γ and Γ′ are equivalent (i.e., Γ  Γ′) iff ∀ C ∈ Γ. ∃ C′ ∈ Γ′. C ∼= C′ and vice versa.
Definition 19 (Global Independence). Let ti ∈ Tasks(Si) and tj ∈ Tasks(Sj ) such that Si 6=
Sj . Tasks ti and tj are said to be global-independent, denoted by ti ≡GI tj , iff ∀ C ∈ Γ. ti , tj ∈
EnableT (C)⇒ ∀Ci ∈ Ex (C, ti). ∃ Cj ∈ Ex (C, tj ). Ex (Ci , tj )  Ex (Cj , ti) and vice versa.
A data transmission would trigger a packet arrival interrupt at receivers and thus is
possible to interact with local concurrency inside sensors. In the following, Sends(S) denotes
the set of tasks that contain data transmission requests, and Rcvs(S) denotes the set of
completion tasks of packet arrival interrupts.
Given t ∈ Tasks(S), t is considered as rcv-independent, denoted by t ⊂RI S, iff ∀ tr ∈
Rcvs(S), tp ∈ Posts(t). tr ≡TI tp . A rcv-independent task never posts a task local-dependent
78
Chapter 6. Reduction and Optimization
with the completion task of any packet arrival interrupts. Thus, we can ignore interleaving
such tasks with other sensors’ tasks even if there is some data transmission. We say that
t is a global-safe task of S, i.e., t ⊂GI S, iff t ⊂RI S. If t 6⊂GI S, then t is global-unsafe.
The following theorem indicates that a global-safe task is always global-independent with
any task of other sensors.
Theorem 1. ∀ t1 ∈ Tasks(Si), t2 ∈ Tasks(Sj ). Si 6= Sj , t1 ⊂GI Si ⇒ t1 ≡GI t2.
Proof Supposing that t2 6∈ Sends(Sj ), since t1 6∈ Sends(Si), we can prove immediate-
ly that t1 ≡GI t2. Suppose that t2 ∈ Sends(Sj ) and Si is connected with Sj . Thus
after executing t2, the message buffer of Si might be modified. Suppose that t1, t2 ∈
EnableT (C0) and C0[i ] = (V , 〈t1〉∩qi), and let C2 ∈ Ex (C0, t2) and C21 ∈ Ex (C2, t1). Let
C21[i ] = (V i12, q∩i 〈t ′1 · · · trv · · · t ′m〉,∅,X 4 H ), where trv is the task posted by packet arrival
interrupt handler of Si and for every t ′k (1 ≤ k ≤ m) we have t ∈ Ptask(t1). It is immediate-
ly that there exists C1 ∈ Ex (C0, t1) such that there exists C12 ∈ Ex (C1, t2), C12[j ] = C21[j ],
C12[i ] =v C21[i ] and Q(C12[i ]) = q∩i 〈t ′1, t ′2 · · · t ′m , trv 〉. Intuitively, B(C12[i ]) 6= ∅, since a pack-
et arrival interrupt in Si is triggered after t2 is executed and the task trv is enqueued to be
the last element. By the definition of ⊂RI and Lemma 5, we have Q(C12[i ]) ' Q(C21[i ]), and
thus C12[i ] ∼= C21[i ]. It is obvious that for all k(1 ≤ k ≤ n ∧ k 6= i , j , we have C12[i ] = C21[i ].
Consequently, C21 ∼= C12. Similarly, we can prove vice versa. 2
6.2 Cartesian Semantics
In this section, we present our two-level POR, which extends the cartesian vector ap-
proach [65] and combines it with a persistent set algorithm [61] to achieve maximum re-
duction. We use N to denote a sensor network with n sensors (S1, · · · ,Sn); and C to denote
a network state of N .
The cartesian vector approach, also referred to as Cartesian POR, was proposed by
Gueta et al. to reduce nondeterminism in concurrent systems [65], which delays unnecessary
context switches among processes. Given a concurrent system with n processes and a state
S , a cartesian vector is composed by n prefixes, where the i th (1 ≤ i ≤ n) prefix refers to
a trace executing actions only from the i th process starting from state S . For SNs, sensors
could be considered as concurrent processes and their message buffers could be considered
as “global variables”.
It has been shown that cartesian semantics is sound for local safety properties [65]. A
global property that involves local variables of multiple processes (or sensors) is converted
into a local property by introducing a dummy process for observing involved variables. In
our case, we avoid this construction by considering the global property in the cartesian
semantics for SNs. Let Gprop(N ), or simply Gprop since N is clear in this section, be the
set of global properties defined for N . Given an action α ∈ Tasks(S) and a global property
ϕ ∈ Gprop, α is said to be ϕ-safe, denoted by α ∈ safe(ϕ), iff Wα ∩ R(ϕ) = ∅ where
79
6.2. Cartesian Semantics
Wα is the set of variables modified by α and R(ϕ) is the set of variables accessed by ϕ. If
α 6∈ safe(ϕ), then α is said to be ϕ-unsafe.
6.2.1 Sensor Prefix
In order to allow sensor-level nondeterminism inside prefixes, we define Prefix as a tree-like
trace rather than a sequential trace. Let Prefix (S) be the set of all prefixes of sensor S,
Prefix (S, C) be the set of prefixes of S starting at a network state C, and first(p) be the
initial state of a prefix p. A sensor prefix is defined as follows.
Definition 20 (Prefix). A prefix p ∈ Prefix (S) is defined as a tuple (〈C0, α1, C1, · · · , αm−1,




↪→ Ci+1, and ∀ 0 ≤ i ≤ n.bri ∈
Prefix (S, Cm).
Here Prefix (S, C) denotes the set of prefixes of sensor S starting at state C. The function
tr(p) denotes the trunk prefix of p before branching prefixes, i.e., tr(p) = 〈C0, α1, C1, · · · , αm−1, Cm〉.
The function br(p) denotes the set of branching prefixes of p, i.e., br(p) = {br0, br1, · · · , brn}.
In Figure 6.1, the dashed rectangles p11, p12 and p13 are prefixes of S1, and p21, p22
and p23 are prefixes of S2. More specifically, tr(p23) = 〈(4.0), α2, (4.0)〉 and br(p23) =
{〈(4.0), α3, (4.1), αrd , · · · 〉, 〈(4.0), αrv , (4.6), α3, · · · 〉}.
If there are no branching prefixes, then the prefix is also said to be a leaf prefix, denoted
by p ∈ LfPrefix (S). By Definition 20, tr(p) ∈ LfPrefix (S). Moreover, it is obvious that
LfPrefix (S) ⊆ Prefix (S). Formally, we have LfPrefix (S) = {lp | ∀ lp ∈ Prefix (S). br(lp) =
∅}. A leaf prefix always appears as (〈C0, α1, C1, · · · , αm−1, Cm〉,∅), and thus is abbreviated
as 〈C0, α1, C1, · · · , αm−1, Cm〉.
Given a prefix p ∈ Prefix (S), the following notations are defined, which are later used
in the POR algorithms.
• The set of tree prefixes of S: TreePrefix (S) = Prefix (S)− LfPrefix (S).
• The set of leaf prefixes of p: p ∈ LfPrefix (S) ∧ leaf (p) = {p} ∨ p 6∈ LfPrefix (S) ∧
leaf (p) = ∪bp∈br(p)leaf (bp).
• The final state of a leaf prefix lp: lp = 〈C0, α0, C1, · · · , Cm〉 ⇒ l̂ast(lp) = Cm .
• Subsequent prefixes A: ∀ lp ∈ LfPrefix (S). lp A p ≡ l̂ast(lp) = first(p).
• Concatenation of leaf prefixes ̂ : ∀ p1 = 〈C0, α0, · · · , Ck 〉, p2 = 〈Ck , αk , Ck0 , αk0 , · · · ,
Ckm 〉.p1 ̂ p2 = 〈C0, α0, · · · , Ck , αk , Ck0 , · · · , Ckm 〉.
• The set of final states of p:
p ∈ LfPrefix (S)∧ last(p) = {l̂ast(p)} ∨ p 6∈ LfPrefix (S)∧ last(p) = ∪bp∈br(p)last(bp).
• The final task of a leaf prefix lp: lp = 〈C0, α0, C1, · · · , Cm〉 ⇒ l̂astT (lp) = currentT (Cm),
where currentT (C) is the currently executing task at state C.
80
Chapter 6. Reduction and Optimization
• The set of final tasks of p: p ∈ LfPrefix (S) ∧ lastT (p) = {l̂astT (p)} ∨ lastT (p) =
∪bp∈br(p)lastT (bp).
• The final action of a leaf prefix lp: lp = 〈C0, α0, · · · , αm , Cm+1〉 ⇒ ̂lastAct(lp) = αm .
• The set of final actions of p: p ∈ LfPrefix (S) ∧ lastAct(p) = {̂lastAct(p)} ∨ p 6∈
LfPrefix (S) ∧ lastAct(p) = ∪bp∈br(p)lastAct(bp).
• The set of states in p: states(p) = {C0, · · · , Cm} ∪ (∪sp∈br(p)states(sp)).
• The set of tasks of p: tasks(p) = (∪0≤i≤mcurrentT (Ci)) ∪ (∪sp∈br(p)tasks(sp)).
• The set of actions of a leaf prefix lp:
lp = 〈C0, α0, C1, α1, · · · , αm , Cm+1〉 ⇒ acts(lp) = {α0, α1, · · · , αm}.
• The set of actions of a prefix p: acts(p) = acts(tr(p)) ∪ (∪bp∈br(p)acts(bp)).
Lemma 7. ∀ p1, p2 ∈ Prefix (S). tr(p1) = tr(p2)⇒ first(p1) = first(p2).
Proof This is trivial by the definition of first(p). 2
Lemma 8. ∀ lp ∈ LfPrefix (S), p ∈ Prefix (S). p′ = (lp, {p})⇒ first(lp) = first(p′).
Proof Since p′ = (lp, {p}), it can be immediately concluded that tr(p′) = tr(lp). By
Lemma 7, we can obtain first(lp) = first(p′). 2
6.2.2 SN Cartesian Vector
Definition 21 (SN Cartesian Vector). Given a global property ϕ ∈ Gprop, a vector (p1, · · · , pi ,
· · · , pn) is a sensor network cartesian vector for N w.r.t. ϕ from a network state C if the
following conditions hold:
1. pi ∈ Prefix (Si , C);
2. ∀ t ∈ tasks(pi). t 6⊂GI Si ⇒ t ∈ LastT (pi);
3. ∀α ∈ acts(pi). α 6∈ safe(ϕ)⇒ α ∈ lastAct(pi).
According to Definition 21, a vector (p0, p1, · · · , pn) from C is a valid sensor network
cartesian vector (SNCV) if for every 0 ≤ i ≤ n, pi is a prefix of Si and each leaf prefix of pi
ends with a ϕ-unsafe action or a global-unsafe task as defined in Section 6.1.3. In Figure 6.1,
if value, busy 6∈ R(ϕ), then (p11, p21) is a valid SNCV from the initial state.
To generate a sensor network cartesian vector for any explored state, we assume the
existence of a cartesian function φ: Γ × Prefixn such that, for every C ∈ Γ, φ(C) is a
cartesian vector from C. Given a cartesian function φ, we can build a cartesian semantics
that uses φ as a guide for execution. When the cartesian semantics starts the execution
from a state C it selects a prefix p from the vector φ(C) and executes the transitions of p.
When the semantics reaches a state C′ ∈ last(p), it executes the function φ again from C′.
81
6.3. Two-level POR Algorithm
The cartesian semantics generated by φ is formalized as two binary relations →φ and
⇒φ on states, where →φ relates final states at the end of prefixes and is transitively closed,
and ⇒φ extends →φ to also include intermediate states. In the following, we define the
corresponding inference rules of →φ and ⇒φ .
[ reflexivity ]
C →φ C
i ∈ [1,n], ∃ p ∈ Prefix (Si , C) . C′ ∈ last(p)
[ basis ]
C →φ C′





i ∈ [1,n], ∃ p ∈ Prefix (Si , C) . C′ ∈ states(p)
[ basis ]
C ⇒φ C′
C →φ C′, C′ ⇒φ C′′
[ pseudo − transitivity ]
C ⇒φ C′′
6.3 Two-level POR Algorithm
In this section, we present the two-level POR algorithm. The main idea is to explore the
state space by the sensor network cartesian semantics. Reduction is performed during the
generation of SNCVs. Section 6.3.1 presents the top-level state exploration algorithm, which
could be invoked in existing verification algorithms directly without changing the verification
engine. Section 6.3.2 presents the algorithm for SNCV generation and Section 6.3.3 discusses
the algorithm for generating a prefix for a certain sensor.
6.3.1 State Space Exploration
Given a network state C and a global property ϕ, the state space of N is explored via
C′s corresponding SNCV, as shown in Algorithm 2. The following definitions are used in
this algorithm.
• Method pfx (C): returns the prefix that contains C. For the initial state C0, we have
82
Chapter 6. Reduction and Optimization
Algorithm 2 State Space Generation
GetSuccessors(C, ϕ)
1: list ← ∅
2: p ← pfx (C)
3: if Next(p, C) 6= ∅ then
4: {there are some successors of C in p}
5: list ← Next(p, C)
6: else
7: {there are no successors of C in p}
8: {generate a new sncv from C}
9: scv ← GetNewCV (C, ϕ)
10: for all i ← 1 to n do
11: {traverse each sensor prefix to obtain the
successors of C}




pfx (C0) = 〈C0〉. For each state C′ further generated, pfx (C′) is assigned during the
extension of the corresponding sensor prefix, which can be found in Algorithms 5
and 6.
• Method Next(p, C): returns the successors of C in p. The relation Next : Prefix (S)×
Γ→ P(Γ) traverses a prefix to find the set of successors of C. Formally, Next(p, C) =
{C′ | ∃α ∈ acts(p), C α↪→ C′}.
• Method GetNewCV (C, ϕ): generates a new SNCV starting from C, which is shown in
Algorithm 3.
In summary, the responsibility of Algorithm 2 is to look up the prefix of C to find its
successors (lines 3 to 5). If C is found to be one of the final states of the corresponding
prefix, then the algorithm will generate a new SNCV starting from C (lines 9), and continue
to traverse each prefix of the SNCV for the successors of C (lines 10 to 13).
6.3.2 SNCV Generation
Algorithm 3 generates an SNCV from C w.r.t. the property ϕ. In this algorithm, the
following notations are used.
• Variable visited : the set of final states of prefixes that have been generated.
• Variable workingLeaf : the stack of leaf prefixes to be further extended.
• Function Extensible: Prefix (S) × {S1, · · · ,Sn} × Gprop → {True,False}, defined as
Extensible(p,S, ϕ) ≡ ∀ t ∈ lastT (p), α ∈ lastAct(p). t ⊂GI S ∧ α ∈ safe(ϕ).
• MethodGetPrefix (Si , C, ϕ): producing a prefix of Si by executing actions and interrupt
handlers of Si in parallel, which will be shown in Algorithm 4.
83
6.3. Two-level POR Algorithm
Algorithm 3 Sensor Network Cartesian Vector Generation
GetNewCV (C, ϕ)
1: scv ← (
n︷ ︸︸ ︷
〈〉, · · · , 〈〉)
2: for all Si ∈ N do
3: {generate sensor prefix for each sensor}
4: visited ← {C}
5: workingLeaf ← ∅
6: {generate a prefix from S}
7: pi ← GetPrefix (Si , C, ϕ)
8: for all lp ∈ leaf (pi) do
9: {cache extensible leaf prefixes
to be further extended}
10: if l̂ast(lp) 6∈ visited
and Extensible(lp,Si , ϕ) then
11: workingLeaf .Push(lp)
12: visited ← visited ∪ l̂ast(lp)
13: end if
14: end for
15: while workingLeaf 6= ∅ do
16: pk ← workingLeaf .Pop()
17: visited ← visited ∪ {l̂ast(pk )}
18: {generate a new prefix from the
last state of pk}
19: p′k ← GetPrefix (Si , l̂ast(pk ), ϕ)
20: pk ← (pk , {p′k})
21: for all lp ∈ leaf (p′k ) do
22: {cache extensible leaf prefixes
to be further extended}
23: if Extensible(lp,Si , ϕ) and





28: {update the ith element of scv with pi}
29: scv [i ]← pi
30: end for
31: return scv
In order to generate an SNCV, the algorithm executes each sensor in the network in-
dependently to obtain the corresponding sensor prefixes that form the SNCV. In order
to minimize inter-sensor interleaving, a prefix is extended as much as possible. Initially,
GetPrefix () is invoked to obtain a sensor prefix pi (line 7). Then each leaf prefix of pi are
examined and pushed into workingLeaf stack if it is extensible and not extended before
(lines 8 to 14). Here, the method Extensible alleviates unnecessary interleaving among dif-
ferent sensors. After this, the leaf prefixes in the stack workingLeaf are popped for further
extension, and the leaf prefixes of the resultant prefix are pushed to workingLeaf . This will
be repeated until workingLeaf becomes empty. We can see from Algorithm 3 that a prefix
is further extended (lines 19 to 26) only if it has not executed a global-unsafe task or a
ϕ-unsafe action. Finally, pi is assigned to the i th element of the sensor cartesian vector scv
(scv [i ]) by line 29.
6.3.3 Sensor Prefix Generation
Algorithm 4 shows how a sensor S establishes a prefix from C w.r.t. ϕ. The following
definitions are used in this algorithm.
• Method getCurrentTsk(C,S): return the currently executing task of S at state C.
• Method ExecuteTask(t , p, ϕ, C,S): extending p by executing t w.r.t. ϕ. Details could
84
Chapter 6. Reduction and Optimization
Algorithm 4 Prefix Generation
GetPrefix (S, C, ϕ)
1: p ← 〈C〉
2: t ← getCurrentTsk(C,S)
3: {extend p by executing task t}
4: ExecuteTask(t , p, ϕ, {C},S)
5: if t terminates then
6: for all pi ∈ leaf (p) do
7: C′ ← l̂ast(pi)
8: irs ← GetItrs(C′,S)
9: p′i ← RunItrs(C′, itrs,S)




be found in Algorithm 5.
• Method GetItrs(C,S): return the set of pending interrupt requests of S at state C.
• Method RunItrs(C, itrs,S): interleaving the execution of S’s interrupt requests in itrs
based on a persistent set approach.
The mission of Algorithm 4 is to generate a valid sensor prefix w.r.t. a certain property
by executing the task enabled at a given state. Initially, p is initialized as 〈C〉 (line 1) and
the current enabled task is obtained by line 2. Then actions in t will be executed until t
terminates or an ϕ-unsafe action is encountered, as shown in Algorithm 5. Interrupts are
handled after a task has terminated, which is reasonable by Lemma 3 (lines 5 to 12). As
for actions that post a task, interrupts are considered when executing such actions using a
persistent set algorithm. More details will be discussed in Algorithm 6.
In Algorithm 5, the following notations are used.
• Set Cs: the set of states that has been visited.
• Method GetAction(t , C): returns the enabled action of task t at state C.
• Method setPfx (C, p): assigns prefix p as the prefix that state C belongs to.
Initially, the currently enabled action α will be executed (lines 5 to 16). At this phase,
two cases are considered. The first is when α is a post statement, and interrupts dependent
with α will be taken to run in parallel in order to preserve states with different task queues.
This is achieved by lines 5 to 9. The second case handles all non-post actions, and the
action will be executed immediately to obtain the resultant prefix (lines 10 to 16). In this
case, all interleaving between interrupts and the action α is ignored, which is reasonable by
Lemma 3.
After the action α completes its execution, the algorithm will return immediately if α is
ϕ-unsafe or t has no more actions to be executed. Otherwise, a new iteration of ExecuteTask
85
6.3. Two-level POR Algorithm
Algorithm 5 Task Execution
ExecuteTask(t , lp, ϕ, Cs,S)
1: {let α be the current action of t}
2: α← GetAction(t , C)
3: C ∈ l̂ast(lp)
4: {only post actions need to
interleave interrupts}
5: if α← post(t ′) then
6: itrs ← GetItrs(S, C)
7: {interleave α and interrupts itrs}
8: p ← RunItrs(C, itrs ∪ {α},S)
9: lp ← (lp, {p})
10: else
11: {non-post actions run independently}
12: C′ ← ex (C, α)
13: tmp ← 〈C, α, C′〉
14: setPfx (C′, tmp)
15: lp ← (lp, {tmp})
16: end if
17: lps ← leaf (lp)
18: {stop executing t when t terminates or
a non-safe action is encountered}
19: if α 6∈ safe(ϕ) or terminate(t , α) then
20: return
21: end if
22: for all lp′ ∈ lps do
23: {extend lp only if there is no loop in it}
24: if l̂ast(lp′) 6∈ Cs then
25: Cs ′ ← Cs ∪ states(lp′)
26: {continue to execute t to extend lp′}
27: ExecuteTask(t , lp′, ϕ, Cs ′,S)
28: end if
29: end for
will be invoked at each final state of the prefix that has been currently established (lines 22
to 29). Line 24 is to prevent the algorithm from being stuck by loops.
6.3.4 Persistent Set Algorithm
In this section, we present the algorithms to apply partial order reduction at sensor level in
order to minimize interleaving caused by interrupts. The idea is motivated by the observation
that the only shared resource among interrupt handlers and normal actions is the task
queue. One reason is that in the NesC language, variables are defined within a component’s
scope. The other reason is that only interrupt handlers are abstracted to exclusively access
corresponding device status variables. By Lemma 3, we only need to consider two kinds of
concurrency, i.e. the concurrency between a post statement, and the concurrency between
any two interrupt handlers. This is implemented by Algorithms 6 and 7.
Algorithm 6 (RunItrs) establishes a prefix for the sensor S from a state C by interleaving
actions in the set itrs using a persistent set approach. Here, itrs would be a set of interrupt
handlers plus at most one post action. Algorithm 7 (Persistent Set) establishes a persistent
set from a given set of actions itrs. If itrs contains a post action, then this post action will be
chosen as the first action of the persistent set to return; otherwise, an action will be chosen
randomly to start generating the persistent set (lines 2 to 10). After that, the persistent
set will be extended by iteratively adding actions from itrs that are dependent with at least
one actions in the persistent set.
86
Chapter 6. Reduction and Optimization
Algorithm 6 Interleaving Interrupts
RunItrs(C, itrs,S)
1: if itrs ← ∅ then
2: return 〈〉
3: end if
4: p ← 〈C〉
5: {pis is the persistent set of itrs}
6: pis ← GetPerSet(itrs, C,S)
7: {interleave dependent actions}
8: for all α ∈ pis do
9: C′ ← ex (C, α)
10: lp ← 〈C, α, C′〉
11: setPfx (C′, lp)
12: {only allow interleaving if α is not a post}
13: if α ∈∑iq then
14: s ← RunItrs(C′, pis − {α},S)
15: lp ← (lp, {s})
16: end if
17: {add lp as a new branch of p}
18: p ← (tr(p), br(p) ∪ {lp})
19: end for
20: return p
Algorithm 7 Persistent Set
GetPerSet(itrs, C,S)
1: {choose an α to start with}
2: if ∃α′ ∈ itrs. α 6∈∑iq then
3: {there exists a post in itrs,
then we should start from the post}
4: α← α′
5: else
6: if α′ ∈ itrs then




11: pset ← {α}
12: work ← {α}
13: while work 6= ∅ do
14: α← work .Pop()
15: {find new dependent actions of α from
itrs}
16: αs ← DepActions(α, itrs − pset)
17: pset ← pset ∪ αs




In this section, we show that the above POR algorithms work properly and are sound
for model checking global properties and LTL-X properties. Lemmas 9 and 10 assure the
correctness of the functions invoked in Algorithm 4.
Lemma 9. Given t ∈ Tasks(S), t ∈ EnableT (C) and ϕ, ExecuteTask(t , 〈C〉, ϕ, {C},S)
extends 〈C〉 by executing actions in t and enabled interrupt handlers, until t terminates or
a ϕ-unsafe action or a loop is encountered. 2
Lemma 10. Given a network state C where C[i ] = (V ,Q ,B ,X 4 H ), RunItrs(C,GetItrs(C′,Si))
terminates and returns a valid prefix of Si . 2
Based on Lemma 4 and 5, we can show the correctness of Algorithm 3 in generating a
prefix for a given state and a property, as shown in the following theorem.
87
6.4. Correctness
Theorem 2. Given S, C and ϕ, Algorithm 4 terminates and returns a valid prefix of S for
some SNCV.
Proof By Lemma 9, after line 3 p is a valid prefix of S. If lines 5 to 10 are not executed,
then p is immediately returned. Suppose lines 5 to 10 are executed, and at the beginning of
the i th iteration of the for loop p is a valid prefix. Let p̂ be the updated prefix after line 9,
and then leaf (p̂) = (leaf (p)−pi)∪ leaf (p′i) since pi has been concatenated with p′i and is no
longer a leaf prefix. By Lemma 10, p′i is a valid prefix and thus p̂ is a valid prefix. Therefore,
at the beginning of the (i + 1)th iteration, p is a valid prefix. By Lemmas 9 and 10, both
lines 3 and 8 terminates. Further, we assume that variables are finite-domain, and therefore
the size of leaf (p) is finite assuring that the for loop terminates. 2
Theorem 3. For every state C, Algorithm 3 terminates and returns a valid sensor network
cartesian vector.
Proof We prove that at the beginning of each iteration of the while loop (lines 15 to 27)
in Algorithm 3 the following conditions hold for any i (1 ≤ i ≤ n):
1. pi ∈ Prefix (Si , C);
2. workingLeaf = {p ∈ leaf (pi) | Extensible(p,Si , ϕ) ∧ l̂ast(p) 6∈ visited}.
By line 7, it is immediately true that first(pi) = C, and by Lemma 7, we can conclude that
first(pi) = C holds for all iterations. Since pi is extended by executingGetPrefix (Si , l̂ast(pk ), ϕ)
(line 19), which only executes actions of Si , thus pi ∈ Prefix (Si) always holds. Intuitively,
condition 1 holds for all iterations. In the following we prove condition 2 by induction.
At the first iteration, by lines 8 to 14, we can immediately obtain that workingLeaf =
{lp ∈ leaf (pi) | Extensible(lp,Si , ϕ) ∧ l̂ast(lp) 6∈ visited} and condition 2 holds. Suppose
that at the beginning of the mth iteration, condition 2 holds with workingLeaf = wm ,
pi = pm . After executing line 16, we can obtain that workingLeaf = wm −{pk}. By lines 19
to 26, wokingPrefix = (wm−{pk})∪{lp ∈ leaf (p′k ) | Extensible(lp,Si , ϕ) ∧ l̂ast(lp) 6∈ visited}
(1). Let p̂k be the new value of pk . After executing line 20, we have p̂k = (pk , p′k ). By
Lemma 7, now we can obtain leaf (p̂k ) = leaf (p′k ) (2). Consequently, we have leaf (pi) =
(leaf (pm) − {pk}) ∪ leaf (p̂k ), since the leaf prefix pk has been extended to be a tree prefix
p̂k . Since wm = {p ∈ leaf (pm) | Extensible(p,Si , ϕ) ∧ l̂ast(p) 6∈ visited}, with (1) and
(2), we can obtain that at the beginning of the (m + 1)th iteration condition 2 holds. By
the definition of Extensible, we can conclude that ∀ t ∈ tasks(pi), α ∈ acts(pi). t 6⊂GI Si ⇒
t ∈ LastT (pi) ∧ (α 6∈ safe(ϕ) ∨ α ∈
∑sd ) ⇒ α ∈ lastAct(pi) holds when the while loop
terminates. Thus the cartesian vector generated by Algorithm 3 is valid.
For termination, we assume that all variables are finite-domain and thus the state space
of each sensor is finite. On one hand, the function GetPrefix (S, C, ϕ) always terminates and
returns a valid prefix, which has been proved in Theorem 2. On the other hand, Algorithm 3
uses visited to store each state that has been used to generate a new prefix, and by lines 10
88
Chapter 6. Reduction and Optimization
and 23 a state is used at most once to generate a new prefix. Thus termination is guaranteed.
2
Let ϕ be a property and ψ be the set of propositions belonging to ϕ. We say that
two transition systems T and T ′ are stuttering equivalent w.r.t. ϕ iff C0 = C′0 where
C0(C′0) is the initial state of T (T ′), and for every trace σ in T there exists some trace
σ′ in T ′ such that σ and σ′ are stuttering equivalent w.r.t. ψ, i.e., σ ≡stψ σ′, and vice
versa. Let L(C) be the valuation of the truth values of ψ in state C. Given two traces
σ = C0, α0, C1, α1, · · · , Ci , αi , · · · and σ′ = C′0, α′0, C′1, α′1, · · · , C′i , α′i , · · · , the definition of two
stuttering equivalent traces is then presented. σ ≡stψ σ′ iff for every M = {m0,m1, · · · ,mi}
(i ≥ 0) such that m0 = 0, for all k ≥ 0, mk+1 = mk + nk ∧ L(Cmk ) = L(Cmk+1) = · · · =
L(Cmk+(nk−1)) 6= L(Cmk+1), there exists P = {p0, p1, · · · , pi} such that p0 = 0, pk+1 =
pk + qk ∧ L(Cmk ) = L(C′pk ) = L(C′pk+1) = · · · = L(C′pk+(qk−1)) ∧ L(C′pk+1) = L(Cmk+1) and
vice versa.
Let ϕ be a property, ψ be the set of propositions belonging to ϕ, and L(C) be the valuation
of the truth values of ψ in state C. Given two traces σ = C0, α0, C1, α1, · · · , Ci , αi , · · · and
σ′ = C′0, α′0, C′1, α′1, · · · , C′i , α′i , · · · , we then define two stuttering equivalent traces w.r.t. ϕ in
the following definition.
Definition 22 (Stuttering Equivalent Traces). Two traces σ = C0, α0, C1, α1, · · · , Ci , αi , · · ·
and σ′ = C′0, α′0, C′1, α′1, · · · , C′i , α′i , · · · are said to be stuttering equivalent w.r.t. ϕ iff for every
M = {m0,m1, · · · ,mi} (i ≥ 0) such that m0 = 0, for all k ≥ 0, mk+1 = mk +nk ∧L(Cmk ) =
L(Cmk+1) = · · · = L(Cmk+(nk−1)) 6= L(Cmk+1), there exists P = {p0, p1, · · · , pi} such that
p0 = 0, pk+1 = pk + qk ∧ L(Cmk ) = L(C′pk ) = L(C′pk+1) = · · · = L(C′pk+(qk−1)) ∧ L(C′pk+1) =
L(Cmk+1) and vice versa.
Given a state C = (V ,Q ,B ,P), let trExs(C,Q) be the set of all possible traces af-
ter executing all tasks in Q . In the following, we define task sequences that generates
stuttering equivalent traces. Given two states C = (V ,Q ,B ,P) and C′ = (V ,Q ′,B ,P),
the two task sequences Q and Q ′ are stuttering equivalent w.r.t. ϕ (Q 'stϕ Q ′) iff
∀σ ∈ trExs(C,Q). ∃σ′ ∈ trExs(C′,Q ′). σ ≡stϕ σ′ and vice versa. The following lemma
illustrates that GetPrefix returns a prefix of traces that are stuttering equivalent to those
generated by the original semantics.
Lemma 11. Given three task sequences Q, Q ′, Q ′′ such that Q 'stϕ Q ′ and Q ′ 'stϕ Q ′′
then Q 'stϕ Q ′′.
Proof Immediate by definition of stuttering equivalence of task sequences and by the
transitivity of stuttering. 2
Lemma 12. Given a property ϕ, and two configurations C = (V ,Q ,B ,P) ∈ S, C ′ =
(V ,Q ′,B ,P) ∈ S for all traces resulting of executing the actions starting from αi = current-
Action(P) and σ = C = C0, α0,· · · , αi , · · · , αn−1, cn where for all j 0 ≤ j ≤ n − 1
αi 6∈
∑iq ⇒ αj ∈ t, and αn−1 is the last action from t or holds some of the conditions
89
6.4. Correctness
2., 3. from Definition 21, and Cn = (Vσ,Q∩Qσ,Bσ,Pσ) then GetPrefix (C ′) returns a
valid prefix p such that there exist a trace pi in p, σ′ = C ′ = C ′0, α′0, · · · , α′i , · · · , α′n−1,C ′n ,
C ′n = (Vσ,Q ′∩Q ′σ,Bσ,Pσ) where ∀ j , 0 ≤ j ≤ n, αj ∈ σi .αj 6∈
∑iq ⇒ αj ∈ t and σ ≡stϕ σ′
and if all the actions from t have been executed then Qσ 'st Q ′σ .
Proof Since C , C ′ have the same valuation of variables V then L(C ) = L(C ′) (1). In-
terruptions do not modify the values of variables V in an state C , it holds for σ and σ′
that for all j 0 ≤ j ≤ n such that αj ∈
∑iq , Cj ,αj ,Cj+1 then L(Cj ) = L(Cj+1) (2).
Given σ = C ,α0,· · · ,Cr ,αr ,Cr+1,· · · ,αn−1,Cn By Algorithm 5, ExecuteTask returns a trace
σ′ = C ′,α′0,· · · ,Cs ,αs ,Cs+1,· · · ,α′n−1,C ′n such that for every αr ∈ σ, αr ∈ t then there exist
αs ∈ σ, αs ∈ t and αr = αs and for all r< 0 ≤ r< < r αr< ∈ σ, αr< ∈ t there exist
αs< ∈ σ′ such that αr< = αs< , and for all r> n − 1 ≤ r> > r αr> ∈ σ, αr> ∈ t there
exist αs> ∈ σ′, αs> ∈ t such that αr> = αs> (3).Then by (1) and (2) L(Cr ) = L(Cs) and
L(Cr+1) = L(Cs+1) therefore for all traces σ′ from a prefix p returned by GetPrefix (C ′)
holds that σ ≡stϕ σ′ .
On the other hand, let σp = C = c0, αp0 ,Cp0 ,· · · ,αpn−1 ,αpn , Cpn+1 with Cpn+1 =
(V ,Q∩Qp ,B ,
Pp) where σp is the result of removing all the actions that do not modify the task queue,
and Qp = tsk(αp0)∩ · · ·∩ tsk(αpn ) therefore Qp = Qσ(4). By Algorithm 5 and as it is
shown in (3) all the Post actions αp in σ belong to all the traces σ′ from a prefix p that
ExecuteTask(C ′) returns, and every αp is in the same relative positions w.r.t. other α′p
such that α′p 6= αp . Since C ′ = (V ,Q ′,B ,P) such that V ,B ,P are the same as in C
then for all the actions αint ∈ σ such that αint ∈
∑iq and for all σ′ ∈ traces(p) there
exist an action α′int ∈ σ′ such that αint = α′int . For any αγ , where αγ is a post action,
let intsγ = {αγ0 , · · ·αγn} where for all i , 0 ≤ i ≤ n αγi ∈
∑iq and for all αpk ∈ σp such
that pk < γ0 then there exist a Post action α′γ such that γ′ < γ and pk < γ′ < γ0 , and
for all α′pk ∈
∑iq such that p′k > γn then there exist a Post action α′′γ such that γ′′ > γ
and p′k > γ
′′ > γn . Let consider the set dep{α}) which is defined as the fixed point of
dep(X ) = X ′ = {αj ∈ intsγ .∀α′j ∈ s, αj 6≡TI α′j ∪ dep(X ′). By induction in the number of
Post actions in σp Qσ 'st Q ′σ is proven:
Base Case: The number of Post actions in σp is zero. Let Ωdep = {αϕ0 , · · · , αϕl}
the set of actions such that for some t ∈ Rtask(tsk(αϕi )), t 6∈ safe(ϕ,S). Since by
Definition 15 for all the actions αs ∈ σp .αs 6∈ Ωdep tsk(αs) ∈ safe(ϕ,S) then the val-
uation of the truth values of ψ while executing tsk(αs) will not vary and for all trace
from t σt = Ct0 ,αt0 ,· · · ,αtm ,Ctm+1 for all i 0 ≤ i ≤ m L(Cti ) = L(Cti+1) (1). Let
σϕ = C = Cϕ0 , αϕ0 ,· · · ,αϕl ,Cϕl+1 = (V ,Q∩Q ′p ,B ,Pσ) with Q ′p = tsk(αϕ0)∩ · · ·∩ tsk(αϕn )
and by (1) Q ′p 'st Qp . By Algorithms 5, 6 and 7 GetPrefix (C ′) returns a prefix p
that contains a trace σ′ = C ′,α′0,· · · ,α′j ,Cα′j+1 , σϕ,· · · ,α′n ,C ′n+1 = (V ,Q∩Q ′σ,B ,Pp) with
Cσϕ = (V ,Q∩Qσϕ ,B ,Pγ) where for all i , 0 ≤ i ≤ n α′n does not enqueue any task which
modifies the valuation value of ψ in any state and Qσϕ 'st Q ′σ. By lemma 11 Q ′′p 'st Q ′p
and Q ′′p 'st Qp then Qσ 'st Q ′σ.
90
Chapter 6. Reduction and Optimization
Induction Step: Let suppose that the number of Post actions in σp is n and Qσ 'st Q ′σ.
Suppose that the number of Post actions is n + 1. Let αγ = Post(t) the first Post oper-
ation in σp = C = C0, αp0 ,Cp0 ,· · · ,αγ ,Cγ ,· · · ,αpm−1 ,Cpm and Cγ = (V ,Q∩Qγ ,B ,Pγ) and
Qγ = tsk(αγ0)∩ · · ·∩ tsk(αγn )∩t . Let Ωdep = dep(αγ) ∪ αγ , as explained above all the en-
queued tasks t = tsk(αint) such that αint ∈ intsγ and αint 6∈ Ωdep do not alter the valuation
of the propositions of ψ. Let σϕ = C = Cϕ0 , αϕ0 ,· · · ,αϕl ,Cϕl ,αγ , C ′γ = (V ,Q∩Q ′γ ,B ,Pϕ)
such that for all i , 0 ≤ i ≤ l αϕi ∈ ints and αϕi ∈ Ωdep that is, σϕ is composed by
actions in ints without the independent tasks and Q ′γ = tsk(αϕ0)∩ · · ·∩ αϕl−1)∩t . There-
fore Q ′γ 'st Qγ . By Algorithms 5, 6 and 7 GetPrefix (C ′) returns a prefix p that con-
tains a trace σ′ = C ′,α′0,· · · ,α′j ,C′α′j , σϕ,· · · ,α
′
n−1,C′n where for all i , 0 ≤ i ≤ j α′i does
not enqueue any task which modifies the valuation value of ψ in any state. Let σ′p =
C ′,α′p0 ,· · · ,σϕ,Cσϕ ,· · · ,α′pq−1 ,C ′pq the trace containing only actions from σ′ that modifies the
task queue with Cσϕ = (V ,Q∩Q ′′γ ,B ,Pγ). Therefore Q ′′γ 'st Q ′γ and Q ′′γ 'st Qγ . By
the I.H. σγ = Cγ ,αγ+1,· · · ,αpm−1 , Cpm = (Vp ,Q∩Q ′∩γ Qγ0 ,Bp ,Pp) there exist a sequence
of tasks σ′γ = Cσϕ ,αp0 ,· · · ,α′pm−1 , C ′pm = (Vp ,Q∩Q ′′∩γ Q ′γ0 ,Bp ,Pp) where ∩Q ′∩γ Qγ0 = Qσ,
Q ′′∩γ Q ′γ0 = Q
′
σ such that Q ′γ0 'st Qγ0 . By By lemma 11 Qσ = Q ′∩γ Qγ0 'st Q ′σ = Q ′′∩γ Q ′γ0
and Qσ 'st Q ′σ. 2
Lemma 12 shows that for all the possible local interleaving from c pi in the original
network N starting and ending in t , one traversal t from the prefix returned by GetPrefix
contains the same sequences of valuations for the set of propositions from ϕ.
Lemma 13. Given a property ϕ, two configurations C = {C0, · · · ,Cns} ∈ N , and C′ =
{C ′0, · · · ,C ′ns} ∈ N , and a sensor Si , then for any trace σ = Ci , α0, · · · , αn−1,Cn =
(Vσ,Qσ,Bσ,Pσ) where for all j 0 ≤ j < n αj ∈ ΣSi and αn−1 holds some of the conditions
2., 3. from Definition 21 then Algorithm 3 returns a SNCV sncv = (p0, · · · , pns) such that
there exist a trace σ′ in pi , σ′ = c′ = c′0, α′0, · · · , α′i , · · · , α′n−1, c′n , c′n = (Vσ,Q ′σ,Bσ,Pσ)
where σ ≡stϕ σ′ and Qσ 'st Q ′σ.
Proof By induction in the number of different tasks ntasks in σ:
Base Case: ntasks = 1. Let σ = Ci ,α0,· · · ,αn−1,Cn = (Vσ,Qσ,Bσ,Pσ). Let pi the
prefix returned by σ′ = c′ = c′0, α′0, · · · , α′i , · · · , α′n−1, c′n , c′n = (Vσ,Q ′σ,Bσ,Pσ). Immedi-
ately, by Lemma 12 GetPrefix (C ′0) returns a prefix p such that contains a trace σ′i = c
′ =
c′0,α′0,· · · ,α′i ,· · · ,α′n−1,c′n , c′n = (Vσ,Q ′σ,Bσ,Pσ) where σ ≡stϕ σ′ and Qσ 'st Q ′σ.
Induction Step: Let suppose that the hypothesis holds for σ containing n tasks. Given
a trace σ containing actions from n +1 different tasks σ = C0,α0,· · · ,αi ,Ci+1,· · · ,αn−1,Cn =
(Vσ,Qσ,Bσ,Pσ) let αi an action such that for all j 0 ≤ j < i there exist tj ∈ Tasks(S ),ti ∈
Tasks(S ). αi 6∈
∑iq ⇒ αi ∈ ti αj 6∈∑iq ⇒ αj ∈ tj and tj 6= ti , or αi ∈∑iq , αj ∈∑iq and
αi = αj . Let σi = C0,α0,· · · ,αi−1,Ci = (Vi ,Q∩Qσ,Bi ,Pi). By Lemma 12 GetPrefix (C ′0)
returns a prefix p such that contains a trace σ′i = c
′ = c′0, α′0, · · · , α′i , · · · , α′n−1, c′n , c′n =
(Vi ,Q ′∩Q ′σ,Bi ,Pi) where σi ≡stϕ σ′ and Qσ 'st Q ′σ. Then considering σii = Ci ,αi+1,· · · ,
αn−1,Cn = (Vσ,Qσ,Bσ,Pσ) σii has n tasks and by I.H. and by transitivity of stuttering
91
6.4. Correctness




i+1,· · · , α′n−1,C ′n = (Vσ,Q ′σ,Bσ,Pσ) such that σii ≡stϕ σ′ii and
Qσ 'st Q ′σ 2
Theorem 4. Let T be the transition system of N , where N = (R, {S0, · · · ,SN }). Let T ′
be the transition system obtained after applying the two-level partial order reduction w.r.t.
ϕ over N . Then T ′ and T are stuttering equivalent w.r.t. ϕ.
Proof Let ψ be the set of propositions contained in ϕ, and let C0, C′0 be the initial state of
T , T ′, respectively. It is immediately true that C0 = C′0 because both T and T ′ are obtained
from the initial state of N . We will prove that for any trace σ = C0, α0, · · · , αm , Cm+1 from
T , there exists a trace σ′ = C′0, α′0, · · · , α′m , C′m+1 in T ′ such that σ ≡stψ σ′. This will be
proved by induction in the number of updating the valuation of ψ in a certain trace σ.
Base Case: if the number of updating the valuation of ψ in σ is zero, then we have
L(C0) = · · · = L(Cm+1). Since C0 belongs to T ′, then let σ′ = C′0 and σ′ ≡stψ σ.
Induction Step: suppose that when the number of updating the valuation of ψ in σ is x ,
there exits σ′ = C0, α′0 · · ·α′n , Cm+1 such that σ ≡stψ σ′, and it also holds for the case when
there are (x + 1) changes in the valuation of ψ in σ.
Let αk1 , αk2 , · · · , αkx be the actions in σ such that αki 6∈ safe(ϕ) for all 1 ≤ i ≤ x .
Suppose that there exist l1, · · · , lx such that for all 1 ≤ i ≤ x , 0 ≤ li ≤ n ∧ αki ∈
∑
Sli .
Suppose that αki is the last extendable action from a task tki ∈ Tasks(Sli ) such that tki 6⊂GI





Slb (la 6= lb), if αka is a Send action and αkb ∈ t , t 6⊂GI Slb then there exists α
′
kb
which is a receive interrupt handler in Sla . If a < b′ < b then kb < ka , otherwise ka > kb .
The same reasoning is applied when αkb is Send action and αka ∈ t , t 6⊂GI Sαka . If αka and
αkb are both Send actions or they belong to a task t 6⊂GI Slb then ka > kb if a > b and vice
verse.
By independence of global actions two consecutive actions αs−1 ∈ ΣSl , αs 6∈ ΣSl can
be permuted for all 0 ≤ s ≤ k0 and the trace 〈· · · , Cs−1, αs−1, Cs ,αs , Cs+1,· · · 〉 is e-
quivalent to the trace 〈· · · ,C′s−1,αs ,C′s ,αs+1,C′s+1,· · · 〉. It is possible to get a trace σk0 =
C0, α′0, · · · , αk0 , C′k0 such that for 0 ≤ j ≤ k0, αj ∈ ΣSl . Let cv = (p0, · · · pl , · · · , pn) =
GetNewCV (C0). By Algorithm 3, Theorem 3 and Lemma 12, there exits a trace σ′k0 ∈
traces(pl ) such that σ′k0 = C0, α′′0, · · · , C′′k0 and σk0 ≡stϕ σ′. Repeating this for all ki in (1)
and by transitivity of stuttering [102] we get that σkx = C0, · · · , αk0 , · · · , αkx , Ckx+1 ≡stϕ
σ′kx = C0, · · · , α′k0 , · · · , α′kx ,
Ckx+1. Permuting again · · · , Cs−1, αs−1, Cs , αs , Cs+1, · · · , for all kx ≤ s ≤ kx+1 and by
Algorithm 3, Theorem 3, and Lemma 12 σi = C0, · · · , αk1 , · · · , αkx+1 , Ckx+1+1 ≡stϕ σ′i =
C0, · · · , α′k1 , · · · , α′kx+1 , C′kx+1+1 and the number of changes in the valuations of ψ is (x + 1).
By I.H. and transitivity of stuttering σ ≡stψ σ′. 2
It has been shown that if two structures T , T ′ are stuttering equivalent w.r.t. ϕ, and
if ϕ is an LTL-X property, then T ′ |= ϕ if and only if T |= ϕ [34]. This indicates that our
method preserves LTL-X properties.
92
Chapter 6. Reduction and Optimization
6.5 Experiments and Evaluation
In this section, we first study the performance of the two-level POR method by the Blink
application to show how the state space is reduced. Then we evaluate the performance of
the two-level POR method using a number of real-world SN applications. After that, a
comparison between our POR and the POR implemented in T-Check [89] is provided, since
T-Check provides verification of TinyOS/NesC programs with a POR algorithm. Experi-
ments were conducted on a PC with Intel Core 2 Duo CPU (2.33GHz) and 3.25GB memory
with Windows XP.
6.5.1 Example: the Blink Application
In this section, we demonstrates the reduction achieved by our two-level POR algorithm by
the Blink application presented in Example 6 presented in Chapter 4.
The original state space of Blink is shown in Figure 6.2(a), where the timing interrupt
event Sensor1.Timer0.firing has introduced a lot branches. In Blink application, toggling
the red LED is always independent with timer interrupt since there is no common accessed
resource. Therefore, the interleaving between firing event and other event can be pruned,
resulting in the state graph in Figure 6.2(b), which is automatically generated by our tool.
It is obvious that originally there are 22 states and after sensor-level partial order reduction
there are only 16 states.
Suppose that there is a network with two sensors both of which are running the Blink
application. Since there is no network communication between sensors in Blink application,
it is easy to calculate that the total number of states in the network is 222 = 464. If on-
ly sensor-level reduction is applied, then the total number of states becomes 162 = 256.
However, we could still decrease this number by applying reduction to the network lev-
el. Since there is no communication between the two sensors, every task inside a sensor
becomes global independent . Therefore, the interleaving between sensors could be delayed
until a sensor prefix could not be further extended, i.e., when a maximal prefix is obtained.
After network-level reduction, the state space is reduced to be only 64 states, as shown in
Figure 6.3.
Given a network N with n sensors S1,S2, · · · ,Sn , let Si be the size of sensor Si . Then
the size of the network will be N ≈ ×ni=1Si .
Let Ŝi be the size of sensor Si after sensor level reduction, and let ki be the global
dependent factor of Si , representing the number of sensor prefixes that Si has, which is
actually the number of necessary interleaving of sensor i . Then the total number of prefixes
is
∑n
i=1 ki). Since our algorithm establishes the system state space by interleaving prefixes
instead of states, now we calculate the total number of branches after fully exploring the
state space. Intuitively, the “full” execution will have the branches of the total order of all
prefixes, which has (
∑n
i=1 ki)! orderings. However, this is an over-approximation, because
93
6.5. Experiments and Evaluation
(a) w/o POR (b) w/t POR
Figure 6.2: State Graph of a Blink Sensor
that for those prefixes of the same sensor there is only one order. We can know that the
number of unnecessary orderings of each sensor’s prefixes is (ki !). Thus, the actual total
number of branches should be (
∑n
i=1 ki )!
×ni=1(ki !) , which, however, is still an approximation, since we
consider the prefix of each sensor as a sequential trace during the calculation. Since each
branch is in fact a total execution path of the network, then the number of states in each
branch is
∑n
i=1 Ŝi . Therefore, the size of the network after the two-level POR approach
will be N̂ ≈ (
∑n
i=1 Ŝi) × (
∑n
i=1 ki )!
×ni=1(ki !) (n! is the factorial of n). Then the reduction ratio R̂ of
two-level POR is R̂ ≈ (1− N̂N), based on which we can obtain that R̂ ∝ (%i , 1ki), where %i is
the local dependent factor of Si , i.e., %i = 1− ŜiSi . Ideally, ki should be 1, which means that
there is no global dependent action between sensors and the reduced network size becomes
N̂ = n ×∑ni=1 Ŝi . And the Blink example is an ideal case.
94
Chapter 6. Reduction and Optimization
Figure 6.3: State graph of a 2-node Blink network after POR
6.5.2 Enhancing NesC@PAT with Two-level POR
In this section, we present the experiment results obtained by the two-level POR. In par-
ticular, we study two real-world applications, an anti-theft application and the Trickle al-
gorithm [88]. The anti-theft application is taken from the TinyOS distribution, which is a
real-world application of sensor networks. It consists of more than 3000 LOC of the NesC
program running on each sensor. The Trickle algorithm is widely used for code propagation
in SNs, and we adopted a simplified implementation to show the reduction effects. Besides,
we also considered the following TinyOS applications as benchmarks:
• Blink: an extended version of the simple Blink application in Section 6.5.1, where
three timers are used to periodically toggle three LEDs, respectively.
• BlinkTask: a modified version of the simple Blink application where a task is posted
to toggle the red LED instead of calling the LED toggle command directly in the timer
95
6.5. Experiments and Evaluation







1 X 50 50 0.1 0.05 360 0.13
2 X 475 500 0.1 0.06 129K 3× 10−3
3 X 3500 3750 0.36 0.08 46.6M 3× 10−5
4 X 23K 25K 2 0.09 16796M 1× 10−6





1 X 20 20 0.02 0.03 32 0.6
2 X 144 160 0.01 0.04 1024 0.14
3 X 832 960 0.06 o.13 32K 0.02
4 X 4352 5120 0.30 0.07 1M 4× 10−3





2 X 2040 2129 0.1 1.18 45K 0.04
3 X 30K 31827 1.4 1.30 9M 3× 10−3
4 X 276K 294K 14 2025M 1× 10−4





X 57.4K 1.2M 791 95 >2.3G < 6× 10−4
2(theft⇒
3alert)
X 1.3M 1.4M 2505 108 >4.6G < 3× 10−4
Trickle(332) 3AllUpdated
2 X 1848 1880 0.4 2 111683 1× 10−2
3 X 48K 50K 9 3 >23.7M < 2× 10−3
4 X 838K 947K 405 4 >5.4G < 2× 10−4
5 X 13.3M 15.7M 8591 5 >1232.2G < 1× 10−5
Table 6.1: Performance of Two-level POR
fired event.
• Example: the running example shown in Figure 5.10(a).
For the anti-theft application, we checked if a sensor turns on its theft LED whenever a
theft is detected, i.e., 2(theft ⇒ 3alert), based on the following propositions.
• theft ≡ NodeA.AntiTheftC.detected==1;
• alert ≡ NodeA.AntiTheftC.ledon==1.
Then the property 2(theft ⇒ 3alert) is specified as (#assert SensorNetwork |= [](theft ->
<> alert)) in NesC@PAT.
In the Trickle algorithm, we checked that eventually all the nodes are updated with
the latest data among the network, i.e., 3AllUpdated . We also checked a safety property
to guarantee that each node never performs a wrong update operation. The properties of
Trickle algorithm are specified in the same way as shown in Section 5.6.
Both applications as well as the benchmarks are verified using NesC@PAT against the
aforementioned properties with the two-level POR, on a PC with Intel Core 2 Duo CPU
(2.33GHz) and 3.25GB memory with Windows XP. Results are presented in Table 6.1. The
results of the safety property against the Trickle algorithm are presented in Table 6.2 for
the comparison with T-Check.
96





#B wt POR #State
wo POR Ratio#S Exh T(s) #S Exh T(s)
2 1683 Y 2 52.3K 3× 10−2 20 4765 Y 1 106.2K ≈ 4× 10−2
3 27K Y 20 >11.8M < 2× 10−3 12 66.2K N 1 13.5M ≈ 5× 10
−3
50 12.6M Y 283 NA NA
4 192K Y 58 >2.7G < 7× 10−5 10 56.7K N 1 41.8M ≈ 1× 10
−3
50 420.7M Y 1291 NA NA
5 2.1M Y 638 >616G < 3× 10−6 8 85.2K N 1 17.4M ≈ 1× 10
−3
50 NA N >12600 NA NA
Table 6.2: Comparison with T-Check
(a) States Explored (b) Time Used (c) Reduction Ratio
Figure 6.4: Comparing NesC@PAT with T-Check
In Table 6.1, column OH shows the computational overhead for static analysis at compile
time, which depends on the program size, the network size and the property to be checked.
This overhead is negligible (within 1 second) even for a large application like Anti-theft.
The second last column estimates the complete state space size so that we can use it to
calculate POR ratio (=#State wt POR#State wo POR). For safety properties, #State wo POR is estimated as
S1×S2×· · ·×Sn , where Si is the state space of the i th sensor; whereas for LTL properties, it
is further multiplied by the size of the Büchi automaton of the corresponding LTL property.
Note that this estimation is an under approximation since the state space of a single
sensor is calculated without networked communication. Therefore, the PORRatio (both in
Table 6.1 and 6.2) is also an under approximation. With this under-estimation, our POR
approach achieves a reduction of at least 102-1010. Further, the larger a network is, the
more reduction it will be.
6.5.3 Comparison with T-Check
We compared the performance of our POR approach and the POR method implemented
in T-Check, by checking the Trickle algorithm for the same safety property, on the same




We approximated the POR ratio by the number of explored states, i.e., POR Ratio ≈
#State wt POR
#State wo POR, because T-Check adopts stateless model checking. Moreover, there is no way
to calculate the state space of a single sensor and thus it is difficult to estimate the complete
state space like what we did for NesC@PAT. Thus, we had to set small bounded numbers
(around 10) in order to obtain the number of states explored by T-Check without the POR
setting.
We present the comparison of both approaches in Table 6.2, where Exh indicates if
all states are explored and #B is the bounded number used for stateless model checking
by T-Check. The POR method of T-Check treats all actions within the same sensor as
dependent , i.e., it only reduces inter-sensor concurrency. Thus, our two-level approach would
be able to obtain better reduction since intra-sensor concurrency is also minimized. Another
observation is that T-Check explores more states per second, which is reasonable since T-
Check does not maintain the explored states. However, our approach is more efficient in
state space exploration, taking shorter time (102-103). This is mainly because T-Check may
explore the same path multiple times due to its stateless model checking.
6.6 Summary
In this chapter, we have presented a novel two-level POR for sensor networks, which has been
integrated into NesC@PAT. We have studied how the two-level POR improved NesC@PAT’s
performance by a number of examples, and results have indicated that our POR approach
outperforms an existing POR approach for SNs. In the following chapter, we discuss the
tool of our work, NesC@PAT, which incorporates the approaches presented in this thesis,





Our approach has been implemented and integrated as the NesC module in the model
checking framework PAT [97, 144, 99], named NesC@PAT1. NesC@PAT is a fully automatic
model checker, which takes NesC programs and a network topology as the input and verifies
the SN against both safety and liveness properties specified as state reachability or linear
temporal logic (LTL) formulas. The expressive power of LTL has allowed the tool to specify a
larger set of properties, compared to that supported by other similar tools like T-Check [89].
NesC@PAT covers most of the C-like and NesC features including pointers, commands,
events and tasks or even advanced features like parameterized wiring and hierarchical wiring.
Currently it is capable of analyzing a large set of NesC programs that execute on real motes,
without any modification to the code. The development of NesC@PAT started in Nov, 2009,
and its core implementation exclusive of PAT and GUI contains 153K lines of C# code, as
shown in Table 7.1.
Component # LoC Summary
Parser 100K Generated from 9K LoC of grammar rules by agrammar tool
Model Generator 50K Encoding the formal semantics of SNs and thetwo-level POR algorithmPOR Engine
NesC2STCSP 1K Integrating the transformation rules from NesCto STCSP
PAT Related 2K Linking PAT’s GUI, editor, simulator and veri-fication algorithms
Total 153K
Table 7.1: Distribution of LoC
99
7.1. PAT Model Checking Framework
Figure 7.1: PAT Framework
7.1 PAT Model Checking Framework
PAT (Process Analysis Toolkit) [97, 146, 99, 100] is a generic and extensible framework
that facilitates effective incorporation of domain knowledge with formal verification using
model checking techniques. PAT implements a library of model checking techniques catering
for checking deadlock-freeness, divergence-freeness, reachability, LTL properties with fair-
ness assumptions [147, 144], refinement checking [141, 95, 160, 94] and probabilistic model
checking. PAT has been implemented with advanced optimization algorithms like process
abstraction, partial order reduction, symmetry reduction and so on [98, 149, 169]. Besides
explicit model checking, PAT supports symbolic model checking as well, providing a BDD
library to support different domains [117, 119, 118]. PAT has been used for studying various
algorithms and systems [168, 96, 167, 155, 135, 140, 138, 93, 71, 136].
As shown in Figure 7.1, PAT is a self-contained environment to support composing, simu-
lating and reasoning about system models. It comes with user friendly interfaces, a featured
model editor and an animated simulator. PAT has been extended for modeling and verifying
various domain-specific systems like Communicating Sequential Process (CSP#) [142, 44],
Stateful Timed CSP [148, 99, 143], C# language [174], Orchestration language [152, 153],




































Figure 7.2: Architecture of NesC@PAT
vice [145], PRTS (probability real-time system) [150, 139], ERA (Event-Recording Au-
tomata) [91], PDDL [90], timed system [92], stateflow diagrams [29], etc. NesC@PAT is
implemented as the NesC module in PAT, which will be explained in next section.
7.2 System Introduction
Figure 7.2 illustrates the architecture of NesC@PAT. There are seven components, i.e. the
Editor, the Parser, the POR Engine, the NesC2STCSP Translator, the Model Generator,
the Simulator, and the Verification Engine. For the implementation of the Editor, the
Simulator and the Verification Engine, NesC@PAT reuses the existing implementation of
the PAT framework and the implementation effort for these components has been reduced
to only linking the computation of NesC@PAT with the corresponding library provided by
PAT. In the following, we illustrate each of the seven components in detail.
7.2.1 Editor
The Editor provides a Visual-Studio-like editing environment to input NesC programs run-
ning on sensors, as shown in Figure 7.3(d). Different sensors are allowed to run different
copies of NesC programs in an SN. The network topology is presented in the form of a
directed graph, and the Editor offers a graphical GUI for drawing topology graphs, as illus-




(a) Network Topology (b) Assertions
(c) Sensor Configuration (d) NesC Programs
Figure 7.3: The Editor of NesC@PAT
The Editor also allows users to switch to assertion view or program view to edit assertions
(Figure 7.3(b)) or NesC programs (Figure 7.3(d)), respectively. In this way, verification goals
can be defined without modifying the NesC program. This is desirable because it makes
it possible to directly deploy the verified NesC programs in practice, without any further
changes introduced by verification.
As shown in Figure 7.3(c), a sensor can be configured with the following parameters:
name, TOS NODE ID (i.e., the unique ID of the sensor referred to by TinyOS), location
of the NesC program (i.e., the NesC file that implements the top-level configuration), the
data ranges of sensing components and predefined variables. It is important to specify a
data range for each sensing component (if any) of a sensor, otherwise the system space will
become extremely large or even infinite, making it infeasible for verification tasks.
Moreover, NesC@PAT also provides an interface for advanced configuration, which allows
users to define the hardware platform, task queue size, buffer size, etc. The hardware
platform is chosen to be IRIS by default. As for the task queue size, it is set to be 256 by
default, which is the default size of the task queue in TinyOS. The message buffer is set
as 1 by default. This is to reduce the states introduced by networked communication. In
NesC@PAT, a message packet will be abandoned when the message buffer is full and in this
way the packet loss feature of SNs is captured. However, this buffer size needs to be larger




The Parser compiles all inputs from the editor, including the network topology, the NesC
programs of each sensor and the assertions to be verified. NesC@PAT has supported the
parsing of interface files, module files, configuration files of NesC programs as well as header
files with the file extension of “.h” files. A sensor network model is stored as a file with “.sn”
extension including the network topology, the application path of each sensor node and the
assertions to be verified.
7.2.3 Model Generator
The Model Generator is provided to generate models from NesC code automatically,
for the aim of minimum manual effort. Generated models preserve the interrupt-driven
concurrency among tasks and events, which is essential for TinyOS applications. In this
way, the NesC program running on a node, like the fragment shown in Figure 1.1(a), is
translated into a Label Transition System (LTS), avoiding manual construction of models
and making NesC@PAT useful in practice.
The operational semantics for each NesC language structure provides the basis for con-
structing LTSs from NesC programs, which has been presented in Chapter 5. Moreover, the
interrupt-driven feature of the TinyOS execution model is preserved in the generated LTS,
which allows concurrency errors among tasks and interrupts to be detected. Radio, timer,
sensor device and other devices are abstracted in the Hardware Model Collection, which
is also taken into account in the generation of LTS. With the network topology specified
in the Editor and individual node LTSs, the LTS of an SN is composed, considering the
non-determinism between sensor nodes.
7.2.4 Verification Engine
The Verification Engine conducts an exhaustive search (optimized by partial order re-
duction) of the generated LTS state space, and it returns a counterexample if an assertion
(i.e., a correctness criterion) is violated. Currently, it integrates model checking algorithms
for verifying termination, state reachability and LTL formulas [144]. This allows flexibility
for specifying significant goals to verify SNs against. Taking the code in Figure 1.1(a) as an
example, the statement post sendTask() might not be able to execute, if a previous sendTask
has not been posted successfully and thus sendTaskBusy remains TRUE . Such a scenario
is undesirable and should be avoided under any circumstance. With NesC@PAT, it is very
convenient to find this buggy behavior by model checking the code with the LTL property
23sendTaskBusy = FALSE (P1), i.e. sendTaskBusy is always eventually set to FALSE .
NesC@PAT supports both sensor-level and network-level verification, against properties
defined as state reachability or LTL properties. Non-termination and state reachability are
checked by exhaustively exploring the state space using Depth-first search or Breadth-first
103
7.2. System Introduction
search algorithms. We adopt the approach presented in [144] to verify LTL properties.
First, the negation of an LTL formula is converting into an equivalent Büchi automaton;
and then accepting strongly connected components (SCC) in the synchronous product of
the automaton and the model are examined in order to find a counterexample. Notice that
the SCC-based algorithm allows us to model check with fairness [149], which often plays an
important role in proving liveness properties of SNs.
7.2.5 Simulator
Using the Simulator, users can easily simulate the visualized execution of a node or a
whole network step by step. At each step only a fine-grained statement (e.g., updating a
variable) is executed, which provides detailed runtime behavior to be monitored. Moreover,
if a property is violated, the Model Checker will report a counterexample to the simulator, so
that users can reason about it and correct the buggy code. Verifying the code in Figure 1.1(a)
against P1, the Model Checker will return a counterexample, in which there is a state
where post sendTask() fails. Simulating this counterexample helps to correct the program
by the revised code in Figure 1.1(b), where sendTaskBusy is set to FALSE if the statement
post sendTask() fails.
7.2.6 POR Engine
Algorithm 8 DFS with POR
ParseSN (N )
1: {parse and statically analyze each sensor}




6: {depth-first search for state reachability}
7: vs ← {C0}
8: ws ← {C0}
9: setPfx (C0, 〈C0〉)
10: while ws 6= ∅ do
11: C ← ws.Pop()
12: if C violates ϕ then
13: return false
14: else
15: ns ← GetSuccessors(C, ϕ)
16: for all C′ ∈ ns do
17: if C′ 6∈ visited then
18: ws ← ws.Push(C′)






The two-level POR approach presented in Chapter 6 has been implemented as the POR
Engine in NesC@PAT. First, independence analysis of actions at sensor level and network
level is performed statically at compile time. Second, the sensor network cartesian semantics
is applied to generate the reduced state space before the model checking. Our POR approach
is static, i.e., it can be directly integrated to existing model checking algorithms, without
104
Chapter 7. NesC@PAT
Algorithm 9 DFS with POR
MCwtPOR(N , C0, ϕ)
1: {parse and statically analyze each sensor}




6: {depth-first search for state reachability}
7: vs ← {C0}
8: ws ← {C0}
9: setPfx (C0, 〈C0〉)
10: while ws 6= ∅ do
11: C ← ws.Pop()
12: if C violates ϕ then
13: return false
14: else
15: ns ← GetSuccessors(C, ϕ)
16: for all C′ ∈ ns do
17: if C′ 6∈ visited then
18: ws ← ws.Push(C′)






making significant modifications. As an example, we present the DFS algorithm with POR
for checking safety properties as shown in Algorithm 9, where the following notations are
used:
• Method Parse(S): parsing a sensor S.
• Method StaticAnalysis(S, ϕ): analyzing the independence relation of actions and tasks
of sensor S w.r.t the property ϕ.
• Variable vs: the set of visited states.
• Variable ws: the stack of states that are to be further explored.
• Method setPfx (C, p): assigns prefix p as the prefix that state C belongs to.
During the compilation of the network modelN , independence analysis is applied to each
sensor S (lines 2 to 5). The depth-first search (DFS) is implemented by lines 10 to 23, during
which GetSuccessors(C, ϕ) is invoked for obtaining successors of each state and to establish
a reduced state space. The DFS search will terminate immediately if a state violating the
property is evidenced; otherwise, the DFS will terminate only and if only no more new states
can be generated, in which case ϕ is considered as valid for the network N .
Algorithm 10 statically identifies the dependent relation among tasks, in which the fol-
lowing notations are used:
• Variable TD : Tasks × Tasks, the pairs of locally dependent tasks. Formally, (t , t ′) ∈
TD ⇔ t 6≡TI t .




Algorithm 10 Statical Analysis of Independence
StaticAnalysis(S,M , ϕ)
1: tks ← Tasks(S)
2: GD ← ∅{global dependent tasks}
3: {analyze global dependence of tasks}
4: for all task t ∈ tks do
5: if t 6⊂GI S then
6: GD ← GD ∪ {t}
7: end if
8: end for
9: TD ← ∅ {task dependence relation}
10: {analyze local dependence among tasks}
11: for all task t ∈ tks do
12: tsk ← tsk − {t}
13: for all task u ∈ tsk do
14: if t 6≡TI t ′ then





The NesC2STCSP approach presented in Chapter 4 is implemented as the Translator
component in NesC@PAT. The translator generates STCSP models from NesC programs
for a certain sensor, and store the model in a file. Then one can use the PAT model checker to
load the STCSP model from the file and perform verification tasks. The translator provides
the complementary checking of timed features to the direct verification approach. Moreover,





In this thesis, we developed approaches and techniques to verify sensor network (SN) imple-
mented on TinyOS/NesC. The work consists a set of mapping rules from NesC language to
STCSP, a complete formal semantics for networked NesC programs and SNs, and the two-
level Cartesian partial order reduction (POR) for SNs. We have integrated our techniques
into the systematic model checker for sensor networks, NesC@PAT. We used NesC@PAT to
verify a number of real-world sensor network applications, protocols and algorithms, with
or without POR settings. We have evaluated the performance of NesC@PAT and shown
that NesC@PAT efficiently verifies SN implementations and detects errors or bugs effective-
ly. We compared our tool with a similar tool T-Check and results show that our approach
outperforms it. Our work can help SN developers to find bugs or errors in their systems
before deployment and thus is significant for improving SN quality and reliability.
In Chapter 4 we presented the NesC2STCSP approach that obtains STCSP models from
NesC programs automatically, which contains a set of mapping rules from NesC to STCSP.
NesC2STCSP has been implemented in NesC@PAT, and has been used to study several
NesC programs. We believe that this approach contributes to the robustness of sensor
network systems because it allows NesC programmers to model check their code without
being troubled by manually constructing formal models. However, due to the gap between
the semantics of NesC and those of formalisms, formal models extracted from NesC are
inevitably large, complex and redundant. Intuitively, direct verification is straightforward
and more efficient as specialized optimization techniques are possible. Therefore, we came
up with the direct verification approach explained in Chapter 5.
In Chapter 5 we presented the formal definitions of SNs, which were the basis for auto-
matically generating the state space of SNs. Here, we highlight that the formal definitions
of SNs have the following significance. First, the formal semantics defined in this thesis
for NesC opens chances for the research community to directly verify SN implementations.
Existing work [68, 89, 24] was either built based on simulators of TinyOS applications or
translated NesC programs into some intermediate representation. According to our knowl-
edge, our work is the first to define the complete semantics formally for networked NesC
107
programs. Second, our approach is the first to model the interrupt-driven execution model
of TinyOS. This is important since it allows concurrency errors at sensor level to be de-
tected. However, our work currently adopts a non-threaded execution model of TinyOS.
Recently, new models have been proposed, e.g., TOSThread [79] has been proposed to allow
user threads in TinyOS. Nevertheless, our work would still benefit the SN development s-
ince many SNs are implemented in non-threaded settings. Althouth the current component
model library of NesC@PAT only models a subset of the TinyOS component library, our
approach can be easily extended to support more component models. A future direction
would be to design approaches for modeling TOSThread.
This direct verification approach has been integrated into NesC@PAT, making it the
first self-contained model checker specifically for the NesC language, which systematically
supports verification of both safety and liveness properties. We studied the behaviors of
a Trickle algorithm by NesC@PAT and the results confirmed that NesC@PAT is able to
find bugs thoroughly in the implementation of the algorithm. However, verifying a net-
work with four nodes encountered an OutOfMemory exception in our testbed. This means
that NesC@PAT is highly limited with the number of nodes and number of LOC of SNs.
However, NesC@PAT opens up new avenues for the direct and automatic verification of SN
implementations. In practice, there are usually a large number of sensors in a network and
a real-world NesC program usually consists of thousands of LOC. Thus, there is a need to
develop techniques to improve the scalability of NesC@PAT, which leads to the proposal of
the two-level partial order reduction (POR) for SNs.
In Chapter 6, we presented the two-level POR algorithm, which was integrated into
NesC@PAT based on independence analysis and the sensor network Cartesian semantics.
We also proved that our POR is sound for verifying LTL-X properties. Experiments of
verifying sensor networks with NesC programs of more than three thousands LOC were
conducted with NesC@PAT under the POR setting. As shown in Section 6.5, we achieved
reduction of more than 102 - 1010 for our test cases. This indicates that the two-level POR
has significantly improved the efficiency of verification, by allowing sensor networks with
thousands of LOC in each sensor to be model-checked exhaustively. To the best of our
knowledge, the two-level POR proposed for SNs is the first to reduce the state pace of SNs
at both global and local situations, and achieves a larger portion of reduction than existing
approaches [89]. This approach could be generalized for reduction of systems of multiple
levels of concurrency, and would be applicable for distributed systems, concurrent embedded
systems besides SNs. It must be noted that the state space of SNs still grows quite fast
with the number of sensor nodes. However, most errors and bugs in implementation can be
found in SNs within ten nodes and thus verification results are satisfactory for most SNs
with POR.
The contributions of our work are two-fold. First, the formal definitions of SNs and
the two-level POR algorithm are theoretically significant for both researchers in the model
108
Chapter 8. Conclusion
checking community to develop verification techniques for either SNs or other concurrent
systems. Second, the model checker NesC@PAT can be applied directly and conveniently by
SN developers to verify their programs before system deployment and thus will help improve
the reliability of SNs.
Although we have achieved the above contributions, our work is still limited in the
following aspects.
First, although the two-level POR approach has achieved substantial reduction of the
state space for sensor networks, our approach is still incapable of handling large sensor net-
works of hundreds or thousands of nodes. Although some work has shown that a finite
number of nodes are sufficient for analyzing certain properties of a network (e.g., [39]), a
common problem is that the protocol properties might vary with the size of the network.
For example, in [49], it was reported that errors found for the LMAC protocol were dif-
ferent between sensor networks with three, four and five nodes. One possible solution is
to adopt techniques that reduce the verification of a large system to a smaller one like pa-
rameterized model checking techniques [32, 1]. Therefore, one of our future direction is to
employ parameterized model checking techniques to support the verification of larger sensor
networks.
Second, as shown by the Trickle algorithm in Section 5.6, the errors of a protocol might
only exist in certain topologies. Therefore, it is interesting to verify sensor networks with
different topologies. However, the number of possible topologies grows exponentially fast,
i.e. 2N (N−1) where N is the number of nodes. For example, a network with 5 nodes
has 1024 topologies. This introduces an interesting but highly challenging to verify sensor
networks with all possible topologies. Therefore, another future work direction is to work
on verification techniques to solve this problem.
The third future direction is to develop local reasoning techniques for SNs. Cohen et. al.
proposed to explore the behaviors and correctness of concurrent systems by only examining
certain local behaviors of individual sub-systems or processes [113, 35, 36, 37]. Moreover,
Guerraoui and Yabandeh discussed a local approach for model checking a networked system
without the network [64]. Only the local nodes’ states are explored in a separate manner and
the set of valid system states is a subset of all combinations of the local states of nodes and
checking validity of such a combination is only performed a posteriori, in case of a possible
bug. This approach drastically reduces the number of transitions executed by the model
checker. It is interesting to explore such techniques to SNs and to support the verification
of large networks or even parameterized sensor networks.
Fully automatic model extraction from protocol implementation without relying on a
pre-existing protocol specification is meaningful. Aizatulin et. al. verified cryptograph-
ic protocols coded in C for correspondence properties with respect to the computational
model of cryptography [2, 3, 4, 5]. They first used symbolic execution to extract a pro-
cess calculus model from a C implementation of the protocol. Then the extracted model
109
would be translated to a CryptoVerif protocol description, such that successful verification
with CryptoVerif implies the security of the original C implementation. They successfully
verify over 3000 LOC and the largest example is about 1000 LOC, during the analysis of
which a vulnerability was uncovered. Recently, Bai et. al. proposed [9] AUTHSCAN to
automatically extract specifications from protocol implementations and checking security
flaws. AUTHSCAN recovers the authentication protocol specification from its implementa-
tion without any knowledge of the protocol specifications being checked. One more future
direction of this thesis is to explore such techniques and to develop a tool for automatic
analysis of SN security protocols at implementation level. We believe that this could be




[1] Parosh Aziz Abdulla, Ahmed Bouajjani, Bengt Jonsson, and Marcus Nilsson. Handling
Global Conditions in Parameterized System Verification. In CAV, pages 134–145, 1999.
8
[2] Mihhail Aizatulin, François Dupressoir, Andrew D. Gordon, and Jan Jürjens. Verifying
Cryptographic Code in C: Some Experience and the Csec Challenge. In Formal Aspects
in Security and Trust, pages 1–20, 2011. 8
[3] Mihhail Aizatulin, Andrew D. Gordon, and Jan Jürjens. Extracting and Verifying
Cryptographic Models from C Protocol Code by Symbolic Execution. In ACM Con-
ference on Computer and Communications Security, pages 331–340, 2011. 8
[4] Mihhail Aizatulin, Andrew D. Gordon, and Jan Jürjens. Extracting and Verifying
Cryptographic Models from C Protocol Code by Symbolic Execution. CoRR, ab-
s/1107.1017, 2011. 8
[5] Mihhail Aizatulin, Andrew D. Gordon, and Jan Jürjens. Computational Verification of
C Protocol Implementations by Symbolic Execution. In ACM Conference on Computer
and Communications Security, pages 712–723, 2012. 8
[6] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci. Wireless Sensor
Networks: A Survey. Computer Networks, 38:393–422, 2002. 1
[7] Rajeev Alur, Robert K. Brayton, Thomas A. Henzinger, Shaz Qadeer, and Sriram K.
Rajamani. Partial-Order Reduction in Symbolic State-Space Exploration. Formal
Methods in System Design, 18(2):97–116, 2001. 3.4
[8] Will Archer, Philip Levis, and John Regehr. Interface contracts for TinyOS. In IPSN,
pages 158–165, Massachusetts, USA, 2007. 1, 3.3
[9] Guangdong Bai, Jike Lei, Guozhu Meng, Sai Sathyanarayan Venkatraman, Prateek
Saxena, Jun Sun, Yang Liu, and Jin Song Dong. AuthScan: Automatic Extraction
of Web Authentication Protocols from Implementations. In Proceedings of the 20th
Annual Network and Distributed System Security Symposium (NDSS’13), San Diego,
CA, USA, February 2013. 8
[10] Christel Baier, Pedro R. D’Argenio, and Marcus Größer. Partial order reduction for
probabilistic branching time. Electr. Notes Theor. Comput. Sci., 153(2):97–116, 2006.
3.4
[11] Christel Baier and Joost P. Katoen. Principles of Model Checking. The MIT Press,
May 2008. 1, 2.4, 3.1.1
111
BIBLIOGRAPHY
[12] Thomas Ball, Vladimir Levin, and Sriram K. Rajamani. A Decade of Software Model
Checking with SLAM. Commun. ACM, 54(7):68–76, 2011. 2.4
[13] Paolo Ballarini and Alice Miller. Model Checking Medium Access Control for Sensor
Networks. In ISoLA, pages 255–262, 2006. 1, 3.1.4
[14] A. Basu, M. Bozga, and J. Sifakis. Modeling Heterogeneous Real-time Components
in BIP. In SEFM, pages 3–12, 2006. 3.2
[15] A. Basu, L. Mounier, M. Poulhiès, J. Pulou, and J. Sifakis. Using BIP for Modeling
and Verification of Networked Systems – A Case Study on TinyOS-based Networks.
In NCA, pages 257–260, 2007. 3.2
[16] Ira D. Baxter, Christopher Pidgeon, and Michael Mehlich. DMS R©: Program Trans-
formations for Practical Scalable Software Evolution. In ICSE, pages 625–634, 2004.
3.4
[17] Johan Bengtsson, Bengt Jonsson, Johan Lilius, and Wang Yi. Partial Order Reduc-
tions for Timed Systems. In 9th International Conference on Concurrency Theory,
volume 1466 of Lecture Notes in Computer Science, pages 485–500. Springer-Verlag,
1998. 3.4
[18] Johan Bengtsson, Kim G. Larsen, Fredrik Larsson, Paul Pettersson, and Wang Yi.
Uppaal — a Tool Suite for Automatic Verification of Real–Time Systems. In Proc. of
Workshop on Verification and Control of Hybrid Systems III, number 1066 in Lecture
Notes in Computer Science, pages 232–243. Springer–Verlag, October 1995. 3.1.3
[19] Jan A. Bergstra and Jan Willem Klop. ACTtau: A Universal Axiom System for
Process Specification. In Algebraic Methods, pages 447–463, 1987. 3.1.1
[20] Tommaso Bolognesi and Ed Brinksma. Introduction to the ISO Specification Language
LOTOS. Computer Networks, 14:25–59, 1987. 1
[21] M. Bozga, S. Graf, and L. Mounier. IF-2.0: A Validation Environment for Component-
Based Real-Time Systems. In CAV ’02, pages 343–348, London, UK, 2002. Springer-
Verlag. 3.2
[22] Lubos Brim, Ivana Cerná, Pavel Moravec, and Jirí Simsa. Distributed Partial Order
Reduction of State Spaces. Electr. Notes Theor. Comput. Sci., 128(3):63–74, 2005. 3.4
[23] Philippa J. Broadfoot and A. W. Roscoe. Tutorial on FDR and Its Applications. In
SPIN, page 322, 2000. 2.4
[24] Doina Bucur. Intelligible TinyOS Sensor Systems: Explanations for Embedded Soft-
ware. In CONTEXT, pages 54–66, 2011. 1, 8
[25] Doina Bucur and Marta Z. Kwiatkowska. Bug-Free Sensors: The Automatic Veri-
fication of Context-Aware TinyOS Applications. In AMI, pages 101–105, Salzburg,
Austria, 2009. 1, 3.3
[26] Doina Bucur and Marta Z. Kwiatkowska. Software verification for TinyOS. In IPSN,
pages 400–401, 2010. 1, 3.3
112
BIBLIOGRAPHY
[27] Doina Bucur and Marta Z. Kwiatkowska. On software verification for sensor nodes.
Journal of Systems and Software, 84(10):1693–1707, 2011. 1, 3.3, 3.4
[28] Ricky W. Butler. What is formal methods? Online reference: http://shemesh.larc.
nasa.gov/fm/fm-what.html [6 August 2001]. D
[29] Chunqing Chen, Jun Sun, Yang Liu, Jin Song Dong, and Manchun Zheng. Formal
modeling and validation of stateflow diagrams. The International Journal on Software
Tools for Technology Transfer (STTT), 2012. 1.2, 7.1
[30] Gabriel Ciobanu and Manchun Zheng. Automatic Analysis of TiMo Systems in PAT.
In ICECCS, 2013. 1.2
[31] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state
concurrent systems using temporal logic specifications. ACM Trans. Program. Lang.
Syst., 8(2):244–263, 1986. 1, 3.1.4
[32] Edmund M. Clarke, Orna Grumberg, and Somesh Jha. Veryfying Parameterized Net-
works using Abstraction and Regular Languages. In CONCUR, pages 395–407, 1995.
8
[33] Edmund M. Clarke, Orna Grumberg, Marius Minea, and Doron Peled. State Space
Reduction Using Partial Order Techniques. STTT, 2(3):279–287, 1999. 3.4
[34] Edmund M. Clarke, Orna Grumberg, and Doron Peled. Model checking. MIT Press,
2001. 1.1, 3.4, 6, 6.4
[35] Ariel Cohen and Kedar S. Namjoshi. Local proofs for linear-time properties of con-
current programs. In CAV, pages 149–161, 2008. 8
[36] Ariel Cohen and Kedar S. Namjoshi. Local proofs for global safety properties. Formal
Methods in System Design, 34(2):104–125, 2009. 8
[37] Ariel Cohen, Kedar S. Namjoshi, and Yaniv Sa’ar. A dash of fairness for compositional
reasoning. In CAV, pages 543–557, 2010. 8
[38] S. Coleri, M. Ergen, and T. J. Koo. Lifetime analysis of a sensor network with hy-
brid automata modelling. In WSNA ’02: Proceedings of the 1st ACM international
workshop on Wireless sensor networks and applications, pages 98–104, New York, NY,
USA, 2002. ACM. 1, 3.2
[39] Véronique Cortier, Jan Degrieck, and Stéphanie Delaune. Analysing Routing Proto-
cols: Four Nodes Topologies Are Sufficient. In POST, pages 30–50, 2012. 8
[40] David E. Culler, Jason Hill, Philip Buonadonna, Robert Szewczyk, and Alec Woo.
A Network-Centric Approach to Embedded Software for Tiny Devices. In EMSOFT,
pages 114–130, 2001. 2.1
[41] Pedro R. D’Argenio and Peter Niebert. Partial Order Reduction on Concurrent Prob-
abilistic Programs. In QEST, pages 240–249, 2004. 3.4




[43] Jim Davies and Steve Schneider. A Brief History of Timed CSP. Theor. Comput. Sci.,
138(2):243–271, 1995. D
[44] Jin Song Dong and Jun Sun. Towards Expressive Specification and Efficient Model
Checking. In Wei-Ngan Chin and Shengchao Qin, editors, Proceedings of the 3rd IEEE
International Symposium on Theoretical Aspects of Software Engineering (TASE’09),
page 9. IEEE Computer Society, 2009. 7.1
[45] Adam Dunkels, Björn Grönvall, and Thiemo Voigt. Contiki - a Lightweight and Flex-
ible Operating System for Tiny Networked Sensors. In Proceedings of the 1st IEEE
Workshop on Embedded Networked Sensors (Emnets-I), pages 455–462, Tampa, Flori-
da, USA, 2004. 3.3
[46] Matthew B. Dwyer and Lori A. Clarke. Data Flow Analysis for Verifying Properties
of Concurrent Programs. In SIGSOFT FSE, pages 62–75, 1994. 3.4
[47] E. Allen Emerson, Somesh Jha, and Doron Peled. Combining Partial Order and
Symmetry Reductions. In TACAS, pages 19–34, 1997. 3.4
[48] Azadeh Farzan and José Meseguer. Partial Order Reduction for Rewriting Semantics
of Programming Languages. Electr. Notes Theor. Comput. Sci., 176(4):61–78, 2007.
3.4
[49] Ansgar Fehnker, Lodewijk van Hoesel, and Angelika Mader. Modelling and Verification
of the LMAC Protocol for Wireless Sensor Networks. In IFM, pages 253–272, 2007. 8
[50] Cormac Flanagan and Patrice Godefroid. Dynamic Partial-order Reduction for Model
Checking Software. In Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium
on Principles of Programming Languages, POPL 2005, Long Beach, California, USA,
January 12-14, 2005, pages 110–121. ACM, 2005. 1.1, 3.4
[51] Wan Fokkink. Introduction to Process Algebra. Texts in theoretical computer science.
Springer, 2000. 3.1.1
[52] D. Gay, P. Levis, and D. E. Culler. Software design patterns for TinyOS. ACM Trans.
Embedded Comput. Syst., 6(2), 2007. 1.1, 2.1
[53] D. Gay, P. Levis, R. v. Behren, M. Welsh, E. Brewer, and D. Culler. The nesC
Language: A Holistic Approach to Networked Embedded Systems. In PLDI, pages
1–11, 2003. 1, 1.1, 2.2, 2.3, D
[54] David Gay, Philip Levis, and David Culler. Software Design Patterns for TinyOS. In
LCTES, pages 40–49, Illinois, USA, 2005. 1.1, 2.1
[55] David Gay, Philip Levis, David Culler, and Eric Brewer. nesC 1.3 Language Reference
Manual, 2009. 2.2, A
[56] Sergio Giro, Pedro R. D’Argenio, and Luis María Ferrer Fioriti. Partial Order Reduc-
tion for Probabilistic Systems: A Revision for Distributed Schedulers. In CONCUR,
pages 338–353, 2009. 3.4
[57] Omprakash Gnawali, Rodrigo Fonseca, Kyle Jamieson, David Moss, and Philip Levis.
Collection Tree Protocol. In SenSys, pages 1–14, 2009. 2.1
114
BIBLIOGRAPHY
[58] Patrice Godefroid. Using Partial Orders to Improve Automatic Verification Methods.
In CAV, pages 176–185, 1990. 3.4
[59] Patrice Godefroid. Partial-Order Methods for the Verification of Concurrent Systems:
An Approach to the State-Explosion Problem. Springer-Verlag New York, Inc., Secau-
cus, NJ, USA, 1996. D
[60] Patrice Godefroid, Doron Peled, and Mark G. Staskauskas. Using Partial-Order Meth-
ods in the Formal Validation of Industrial Concurrent Programs. In ISSTA, pages
261–269, 1996. 3.4
[61] Patrice Godefroid and Pierre Wolper. Using Partial Orders for the Efficient Verifica-
tion of Deadlock Freedom and Safety Properties. Formal Methods in System Design,
2(2):149–164, 1993. 1.1, 6.2
[62] J. Green, S. Bhattacharyya, and B. Panja. Real-Time Logic Verification of a Wireless
Sensor Network. World Congress Computer Science and Information Engineering,
3:269–273, 2009. 3.1.3
[63] J. Green, S. Bhattacharyya, and Biswajit Panja. Real-Time Logic Verification of a
Wireless Sensor Network. In CSIE, pages 269–273, Los Angeles, USA, 2009. 1
[64] Rachid Guerraoui and Maysam Yabandeh. Model Checking a Networked System with-
out the Network. In NSDI, 2011. 8
[65] Guy Gueta, Cormac Flanagan, Eran Yahav, and Mooly Sagiv. Cartesian Partial-Order
Reduction. In SPIN, pages 95–112, 2007. 1.1, 3.4, 6, 6.2, D
[66] Y. Hanna. SLEDE: lightweight verification of sensor network security protocol imple-
mentations. In ESEC, pages 591–594, Dubrovnik, Croatia, 2007. 1, 3.3
[67] Y. Hanna and H. Rajan. SLEDE: event-based specification of sensor network security
protocols. ACM SIGSOFT Software Engineering Notes, 31(6):1–2, 2006. 3.3
[68] Y. Hanna and H. Rajan. SLEDE: Framework for automatic verification of sensor net-
work security protocol implementations. In ICSE, pages 427–428, Vancouver, Canada,
2009. 3.3, 8
[69] Y. Hanna, H. Rajan, and W. Zhang. SLEDE: a domain-specific verification framework
for sensor network security protocol implementations. InWISEC, pages 109–118, 2008.
1, 1.1, 3.3
[70] H. Hansson and B. Jonsson. A Logic for Reasoning about Time and Reliability. Formal
Aspects of Computing, 6:102–111, 1994. 3.1.4
[71] Jianye Hao, Songzheng Song, Yang Liu, Jun Sun, Lin Gui, Jin Song Dong, and Ho fung
Leung. Probabilistic Model Checking Multi-agent Behaviors in Dispersion Games
Using Counter Abstraction. In PRIMA, pages 16–30, 2012. 7.1
[72] Klaus Havelund, Mike Lowry, and John Penix. Formal analysis of a space-craft con-
troller using spin. IEEE Trans. Softw. Eng., 27:749–765, August 2001. 1, 2.4
[73] Klaus Havelund and Thomas Pressburger. Model Checking JAVA Programs using
JAVA PathFinder. STTT, 2(4):366–381, 2000. 2.4
115
BIBLIOGRAPHY
[74] C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1985. 1, 3.1.1,
5.2.1, C, D
[75] Gerard J. Holzmann. The SPIN Model Checker - primer and reference manual.
Addison-Wesley, 2004. 1, 3.1.1
[76] Gerard J. Holzmann and Rajeev Joshi. Model-Driven Software Verification. In PASTE,
pages 80–89, 2001. 2.4
[77] Vineet Kahlon, Chao Wang, and Aarti Gupta. Monotonic Partial Order Reduction:
An Optimal Symbolic Partial Order Reduction Technique. In CAV, pages 398–413,
2009. 3.4
[78] Roope Kaivola, Rajnish Ghughal, Naren Narasimhan, Amber Telfer, Jesse Whitte-
more, Sudhindra Pandav, Anna Slobodová, Christopher Taylor, Vladimir Frolov, Erik
Reeber, and Armaghan Naik. Replacing Testing with Formal Verification in Intel
CoreTM i7 Processor Execution Engine Validation. In CAV, pages 414–429, Greno-
ble, France, 2009. 1, 2.4
[79] Kevin Klues, Chieh-Jan Mike Liang, Jeongyeup Paek, Razvan Musaloiu-Elefteri,
Philip Levis, Andreas Terzis, and Ramesh Govindan. TOSThreads: thread-safe and
non-invasive preemption in TinyOS. In SenSys, pages 127–140, 2009. 8
[80] N. Kothari, T. D. Millstein, and R. Govindan. Deriving State Machines from TinyOS
Programs Using Symbolic Execution. In IPSN, pages 271–282, 2008. 1, 3.3
[81] Sudipta Kundu, Malay K. Ganai, and Rajesh Gupta. Partial order reduction for
scalable testing of systemC TLM designs. In DAC, pages 936–941, 2008. 3.4
[82] Robert P. Kurshan, Vladimir Levin, Marius Minea, Doron Peled, and Hüsnü Yenigün.
Static Partial Order Reduction. In TACAS, pages 345–357, 1998. 3.4
[83] M. Kwiatkowska, G. Norman, and D. Parker. PRISM: Probabilistic Model Checking
for Performance and Reliability Analysis. ACM SIGMETRICS Performance Evalua-
tion Review, 36(4):40–45, 2009. 3.1.4
[84] Á. Lédeczi, A. Bakay, M. Maroti, P. Völgyesi, G. Nordstrom, J. Sprinkle, and G. Kar-
sai. Composing Domain-Specific Design Environments. IEEE Computer, 34(11):44–51,
2001. 3.2, 3.2
[85] P. Levis and D. Gay. TinyOS Programming. Cambridge University Press, 1 edition,
2009. 2.1, 2.1, 2.2, 2.3
[86] P. Levis, N. Lee, M. Welsh, and D. E. Culler. TOSSIM: Accurate and Scalable Simu-
lation of Entire TinyOS Applications. In SenSys, pages 126–137, 2003. 1, 3.3
[87] Philip Levis, Sam Madden, Joseph Polastre, Robert Szewczyk, Alec Woo, David Gay,
Jason Hill, Matt Welsh, Eric Brewer, and David Culler. TinyOS: An operating system
for sensor networks. In Ambient Intelligence. Springer Verlag, 2004. 1, 2.1
[88] Philip Levis, Neil Patel, David E. Culler, and Scott Shenker. Trickle: A Self-Regulating
Algorithm for Code Propagation and Maintenance in Wireless Sensor Networks. In
NSDI, pages 15–28, California, USA, 2004. 1.1, 2.1, 1, 5.6, 6.5.2
116
BIBLIOGRAPHY
[89] Peng Li and John Regehr. T-Check: bug finding for sensor networks. In IPSN, pages
174–185, Stockholm, Sweden, 2010. (document), 1, 1.1, 1.1, 1.3, 3.3, 3.4, 6, 6.5, 7, 8
[90] Yi Li, Jing Sun, Jin Song Dong, Yang Liu, and Jun Sun. Translating PDDL into
CSP# - The PAT Approach. In ICECCS, pages 240–249, 2012. 7.1
[91] Shang-Wei Lin, Étienne André, Jin Song Dong, Jun Sun, and Yang Liu. An Efficient
Algorithm for Learning Event-Recording Automata. In Tevfik Bultan and Pao-Ann
Hsiung, editors, Proceedings of the 9th International Symposium on Automated Tech-
nology for Verification and Analysis (ATVA’11), volume 6996 of Lecture Notes in
Computer Science, pages 463–472, Taipei, Taiwan, October 2011. Springer. 7.1
[92] Shang-Wei Lin, Yang Liu, Jun Sun, Jin Song Dong, and Étienne André. Automatic
Compositional Verification of Timed Systems. In FM, pages 272–276, 2012. 7.1
[93] Yan Liu, Xian Zhang, Jin Song Dong, Yang Liu, Jun Sun, Jit Biswas, and Mounir
Mokhtari. Formal Analysis of Pervasive Computing Systems. In ICECCS, pages 169–
178, 2012. 7.1
[94] Yang Liu, Wei Chen, Yanghong A. Liu, Shao Jie Zhang, Jun Sun, and Jin Song Dong.
Verifying Linearizability via Optimized Refinement Checking. IEEE Transactions on
Software Engineering, 2013. 7.1
[95] Yang Liu, Wei Chen, Yanhong A. Liu, and Jun Sun. Model Checking Linearizability
via Refinement. In Ana Cavalcanti and Dennis Dams, editors, Proceedings of the
Second World Congress on Formal Methods (FM’09), volume 5850 of Lecture Notes in
Computer Science, pages 321–337. Springer, 2009. 7.1
[96] Yang Liu, Jun Pang, Jun Sun, and Jianhua Zhao. Verification of Population Ring
Protocols in PAT. In Wei-Ngan Chin and Shengchao Qin, editors, Proceedings of the
3rd IEEE International Symposium on Theoretical Aspects of Software Engineering
(TASE’09), pages 81–89. IEEE Computer Society, 2009. 7.1
[97] Yang Liu, Jun Sun, and Jin Song Dong. An Analyzer for Extended Compositional
Process Algebras. In ICSE Companion, pages 919–920. ACM, 2008. 1.1, 7, 7.1
[98] Yang Liu, Jun Sun, and Jin Song Dong. Scalable Multi-core Model Checking Fairness
Enhanced Systems. In Karin Breitman and Ana Cavalcanti, editors, Proceedings of the
11th IEEEInternational Conference on Formal Engineering Methods (ICFEM 2009),
volume 5885 of Lecture Notes in Computer Science, pages 426–445. Springer, 2009.
7.1
[99] Yang Liu, Jun Sun, and Jin Song Dong. Developing Model Checkers Using PAT.
In Ahmed Bouajjani and Wei-Ngan Chin, editors, ATVA, pages 371–377, Singapore,
2010. Springer. 1.1, 7, 7.1
[100] Yang Liu, Jun Sun, and Jin Song Dong. PAT 3: An Extensible Architecture for
Building Multi-domain Model Checkers. In ISSRE, Hiroshima, Japan, 2011. 7.1
[101] L. Lopes, F. Martins, M. S. Silva, and J. Barros. A Formal Model for Programming
Wireless Sensor Networks. Informal Publication, 2007. 3.1.2
117
BIBLIOGRAPHY
[102] Bas Luttik and Nikola Trcka. Stuttering Congruence for chi. In Model Checking
Software, 12th International SPIN Workshop, San Francisco, CA, USA, August 22-
24, 2005, Proceedings (SPIN’05), pages 185–199, 2005. 6.4
[103] Anh Tuan Luu, Jun Sun, Yang Liu, Jin Song Dong, Xiaohong Li, and Quan Thanh
Tho. SeVe: automatic tool for verification of security protocols. Frontiers of Computer
Science in China, 6(1):57–75, 2012. 7.1
[104] L. Mandel and M. Pouzet. ReactiveML, a Reactive Extension to ML. In Proceedings of
7th ACM SIGPLAN International conference on Principles and Practice of Declarative
Programming (PPDP’05), Lisbon, Portugal, July 2005. 3.1.1
[105] Zohar Manna and Amir Pnueli. The Temporal Logic of Reactive and Concurrent
Systems:Specification. Springer-Verlag, 1992. 1, 1.1
[106] F. Maraninchi, L. Samper, K. Baradon, and A. Vasseur. Lustre as a System Modeling
Language: Lussensor, a Case-Study with Sensor Networks. Electron. Notes Theor.
Comput. Sci., 203(4):95–110, 2008. 1, 3.1.1
[107] A. I. McInnes. Using CSP to Model and Analyze TinyOS Applications. In ECBS,
pages 79–88, California, USA, 2009. 1, 3.2
[108] Volker Menrad, Miguel Garcia, and Sibylle Schupp. Improving TinyOS Developer
Productivity with State Charts. In SOMSED, 2009. 3.3
[109] Robin Milner. A Calculus of Communicating Systems, volume 92 of Lecture Notes in
Computer Science. Springer, 1980. 3.1.1
[110] Marius Minea. Partial Order Reduction for Model Checking of Timed Automata. In
CONCUR, pages 431–446, 1999. 3.4
[111] Luca Mottola, Thiemo Voigt, Fredrik Osterlind, Joakim Eriksson, Luciano Baresi,
and Carlo Ghezzi. Anquiro: Enabling Efficient Static Verification of Sensor Network
Software. In SESENA, pages 32–37, 2010. 1, 1.1, 1.1, 3.3
[112] Ratan Nalumasu and Ganesh Gopalakrishnan. New Partial Order Reduction Algo-
rithm for Concurrent System Verification. In Proc of IFIP. Chapman & Hall, 1997.
3.4
[113] Kedar S. Namjoshi. Symmetry and completeness in the analysis of parameterized
systems. In VMCAI, pages 299–313, 2007. 8
[114] Gleb Naumovich, George S. Avrunin, and Lori A. Clarke. Data Flow Analysis for
Checking Properties of Concurrent Java Programs. In ICSE, pages 399–410, 1999. 3.4
[115] Gleb Naumovich, Lori A. Clarke, and Jamieson M. Cobleigh. Using partial order tech-
niques to improve performance of data flow analysis based verification. In In Proceed-
ings of the ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software
Tools and Engineering, pages 57–65, 1999. 3.4
[116] Nguyet T. M. Nguyen and Mary Lou Soffa. Program representations for testing wireless
sensor network applications. In DOSTA, pages 20–26, 2007. 3.3
118
BIBLIOGRAPHY
[117] Truong Khanh Nguyen, Jun Sun, Yang Liu, and Jin Song Dong. A model checking
framework for hierarchical systems. In ASE, pages 633–636, 2011. 7.1
[118] Truong Khanh Nguyen, Jun Sun, Yang Liu, and Jin Song Dong. Symbolic Model-
Checking of Stateful Timed CSP Using BDD and Digitization. In ICFEM, pages
398–413, 2012. 7.1
[119] Truong Khanh Nguyen, Jun Sun, Yang Liu, Jin Song Dong, and Yan Liu. Improved
BDD-Based Discrete Analysis of Timed Systems. In FM, pages 326–340, 2012. 7.1
[120] Vladimir A. Oleshchuk. Modeling, specification and verification of ad-hoc sensor net-
works using SPIN. Computer Standards & Interfaces, 28(2):159–165, 2005. 1, 3.1.1
[121] P. C. Ölveczky and S. Thorvaldsen. Formal modeling, performance estimation, and
model checking of wireless sensor network algorithms in Real-Time Maude. Theor.
Comput. Sci., 410(2-3):254–280, 2009. 1, 3.1.3
[122] Peter Csaba Ölveczky and Stian Thorvaldsen. Formal Modeling and Analysis of the
OGDC Wireless Sensor Network Algorithm in Real-Time Maude. In FMOODS, pages
122–140, 2007. 1, 3.1.3
[123] Robert Palmer, Ganesh Gopalakrishnan, and Robert M. Kirby. Semantics driven
dynamic partial-order reduction of MPI-based parallel programs. In PADTAD, pages
43–53, 2007. 3.4
[124] Doron Peled. All from One, One for All: on Model Checking Using Representatives.
In CAV, pages 409–423, 1993. D
[125] Doron Peled. Combining Partial Order Reductions with On-the-Fly Model-Checking.
Formal Methods in System Design, 8(1):39–64, 1996. 3.4
[126] Doron Peled. Partial Order Reduction: Model-Checking Using Representatives. In
MFCS, pages 93–112, 1996. 3.4
[127] Doron Peled. Ten Years of Partial Order Reduction. In CAV, volume 1427 of Lecture
Notes in Computer Science, pages 17–28, Vancouver, Canada, 1998. Springer. 3.4
[128] Luiz Felipe Perrone and David M. Nicol. A scalable simulator for TinyOS applications.
In WSC, 2002. 1
[129] Amir Pnueli. The Temporal Logic of Programs. In FOCS, pages 46–57, 1977. (docu-
ment), 2.2
[130] Robby, Matthew B. Dwyer, and John Hatcliff. Bogor: an extensible and highly-
modular software model checking framework. In ESEC / SIGSOFT FSE, pages 267–
276, 2003. 3.3
[131] Robby, Matthew B. Dwyer, and John Hatcliff. Bogor: A Flexible Framework for
Creating Software Model Checkers. In TAIC PART, pages 3–22, 2006. 3.3
[132] N. S. Rosa and P. R. F. Cunha. Behavioural Specification of Wireless Sensor Network
Applications. In GIIS, pages 66–72, 2007. 1, 3.1.1, 3.2
119
BIBLIOGRAPHY
[133] L. Samper, F. Maraninchi, L. Mounier, and L. Mandel. GLONEMO: Global and
Accurate Formal Models for the Analysis of Ad-Hoc Sensor Networks. In InterSense:
First International Conference on Integrated Internet Ad hoc and Sensor Networks,
Nice, France, May 2006. IEEE. 1, 3.1.1
[134] Steve Schneider. An Operational Semantics for Timed CSP. Inf. Comput., 116(2):193–
213, 1995. D
[135] Ling Shi and Yan Liu. Modeling and Verification of Transmission Protocols: A Case S-
tudy on CSMA/CD Protocol. Secure Software Integration and Reliability Improvement
Companion, IEEE International Conference on, 0:143–149, 2010. 7.1
[136] Ling Shi, Yang Liu, Jun Sun, Jin Song Dong, and Gustavo Carvalho. An Analytical
and Experimental Comparison of CSP Extensions and Tools. In ICFEM, 2012. 7.1
[137] Songzheng Song. An Efficient Method of Probabilistic Model Checking. Secure Soft-
ware Integration and Reliability Improvement Companion, IEEE International Con-
ference on, 0:24–25, 2010. 7.1
[138] Songzheng Song, Jianye Hao, Yang Liu, Jun Sun, Ho-Fung Leung, and Jin Song Dong.
Analyzing multi-agent systems with probabilistic model checking approach. In ICSE,
pages 1337–1340, 2012. 7.1
[139] Songzheng Song, Jun Sun, Yang Liu, and Jin Song Dong. A Model Checker for
Hierarchical Probabilistic Real-Time Systems. In CAV, pages 705–711, 2012. 7.1
[140] Jun Sun, Yang Liu, and Bin Cheng. Model Checking a Model Checker: A Code
Contract Combined Approach. In Jin Song Dong and Huibiao Zhu, editors, Formal
Methods and Software Engineering - 12th International Conference on Formal Engi-
neering Methods, ICFEM 2010, Shanghai, China, November 17-19, 2010. Proceedings,
volume 6447 of Lecture Notes in Computer Science, pages 518–533. Springer, 2010.
7.1
[141] Jun Sun, Yang Liu, and Jin Song Dong. Model Checking CSP Revisited: Introducing
a Process Analysis Toolkit. In Proceedings of the 3rd International Symposium on
Leveraging Applications of Formal Methods, Verification and Validation (ISoLA 2008),
volume 17 of Communications in Computer and Information Science, pages 307–322.
Springer, 2008. 7.1
[142] Jun Sun, Yang Liu, Jin Song Dong, and Chunqing Chen. Integrating Specification and
Programs for System Modeling and Verification. In Wei-Ngan Chin and Shengchao
Qin, editors, Proceedings of the 3rd IEEE International Symposium on Theoretical
Aspects of Software Engineering (TASE’09), pages 127–135. IEEE Computer Society,
2009. 7.1
[143] Jun Sun, Yang Liu, Jin Song Dong, Yan Liu, Ling Shi, and Étienne André. Modeling
and Verifying Hierarchical Real-time Systems using Stateful Timed CSP. ACM Trans.
Softw. Eng. Methodol., 2012. 1.1, 4, 4.1, 4.3, 7.1, C
[144] Jun Sun, Yang Liu, Jin Song Dong, and Jun Pang. PAT: Towards Flexible Verification
under Fairness. In CAV, pages 709–714, 2009. 1.1, 4.3, 5.5, 7, 7.1, 7.2.4
120
BIBLIOGRAPHY
[145] Jun Sun, Yang Liu, Jin Song Dong, Geguang Pu, and Tian Huat Tan. Model-based
Methods for Linking Web Service Choreography and Orchestration. In APSEC 2010,
pages 166 – 175, 2010. 7.1
[146] Jun Sun, Yang Liu, Jin Song Dong, and Jing Sun. Bounded Model Checking of
Compositional Processes. In Proceedings of the 2nd IEEE International Symposium
on Theoretical Aspects of Software Engineering, pages 23–30. IEEE Computer Society,
2008. 7.1
[147] Jun Sun, Yang Liu, Jin Song Dong, and Hai H. Wang. Specifying and verifying event-
based fairness enhanced systems. In Proceedings of the 10th International Conference
on Formal Engineering Methods (ICFEM 2008), volume 5256 of Lecture Notes in
Computer Science, pages 318–337. Springer, Oct 2008. 7.1
[148] Jun Sun, Yang Liu, Jin Song Dong, and Xian Zhang. Verifying Stateful Timed CSP
Using Implicit Clocks and Zone Abstraction. In Karin Breitman and Ana Cavalcanti,
editors, Proceedings of the 11th IEEEInternational Conference on Formal Engineering
Methods (ICFEM 2009), volume 5885 of Lecture Notes in Computer Science, pages
581–600. Springer, 2009. 4, 4.2, 4.3, 7.1
[149] Jun Sun, Yang Liu, Abhik Roychoudhury, Shanshan Liu, and Jin Song Dong. Fair
Model Checking with Process Counter Abstraction. In FM, pages 123–139, 2009. 5.5,
7.1, 7.2.4
[150] Jun Sun, Yang Liu, Songzheng Song, Jin Song Dong, and Xiaohong Li. PRTS:
An Approach for Model Checking Probabilistic Real-Time Hierarchical Systems. In
Shengchao Qin and Zongyan Qiu, editors, Formal Methods and Software Engineering,
volume 6991 of Lecture Notes in Computer Science, pages 147–162. Springer Berlin /
Heidelberg, 2011. 7.1
[151] Jun Sun, Songzheng Song, and Yang Liu. Model Checking Hierarchical Probabilistic
Systems. In Jin Song Dong and Huibiao Zhu, editors, Formal Methods and Software
Engineering - 12th International Conference on Formal Engineering Methods, ICFEM
2010, Shanghai, China, November 17-19, 2010. Proceedings, volume 6447 of Lecture
Notes in Computer Science, pages 388–403. Springer, 2010. 7.1
[152] Tian Huat Tan. Towards Verification of a Service Orchestration Language. Secure Soft-
ware Integration and Reliability Improvement Companion, IEEE International Con-
ference on, 0:36–37, 2010. 7.1
[153] Tian Huat Tan, Yang Liu, Jun Sun, and Jin Song Dong. Verification of Orchestra-
tion Systems Using Compositional Partial Order Reduction. In Shengchao Qin and
Zongyan Qiu, editors, Formal Methods and Software Engineering, volume 6991 of Lec-
ture Notes in Computer Science, pages 98–114. Springer Berlin / Heidelberg, 2011.
7.1
[154] Luu Anh Tuan. Modeling and Verifying Security Protocols Using PAT Approach.
Secure Software Integration and Reliability Improvement Companion, IEEE Interna-
tional Conference on, 0:157–164, 2010. 7.1
121
BIBLIOGRAPHY
[155] Luu Anh Tuan, Man Chun Zheng, and Quan Thanh Tho. Modeling and verification
of safety critical systems: A case study on pacemaker. Secure System Integration and
Reliability Improvement, 0:23–32, 2010. 1.2, 7.1
[156] Antti Valmari. Stubborn sets for reduced state space generation. In Applications and
Theory of Petri Nets, pages 491–515, 1989. D
[157] Willem Visser, Klaus Havelund, Guillaume P. Brat, Seungjoon Park, and Flavio Lerda.
Model Checking Programs. Autom. Softw. Eng., 10(2):203–232, 2003. 3.4
[158] P. Völgyesi, M. Maróti, S. Dóra, E. Osses, and Á. Lédeczi. Software Composition and
Verification for Sensor Networks. Sci. Comput. Program., 56(1-2):191–210, 2004. 1,
3.2, 3.2
[159] P. Völgyesi, M. Maróti, S. Dóra, E. Osses, Á. Lédeczi, and T. Paka. Embedded
Software Composition and Verification. Technical Report ISIS-04-503, Vanderbilt U-
niversity, 2004. 1, 3.2
[160] Ting Wang, Songzheng Song, Jun Sun, Yang Liu, Jin Song Dong, Xinyu Wang, and
Shanping Li. More Anti-chain Based Refinement Checking. In ICFEM, pages 364–380,
2012. 7.1
[161] J. Warmer and A. Kleppe. The Object Constraint Language: Getting Your Models
Ready for MDA. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA,
2 edition, 2003. 3.2
[162] Frank Werner and David Faragó. Correctness of Sensor Network Applications by
Software Bounded Model Checking. In FMICS, pages 115–131, 2010. 1, 1.1, 3.3
[163] Yu Yang, Xiaofang Chen, Ganesh Gopalakrishnan, and Robert M. Kirby. Distributed
Dynamic Partial Order Reduction Based Verification of Threaded Software. In SPIN,
pages 58–75, 2007. 3.4
[164] Yu Yang, Xiaofang Chen, Ganesh Gopalakrishnan, and Robert M. Kirby. Efficient
Stateful Dynamic Partial Order Reduction. In SPIN, volume 5156 of LNCS, pages
288–305. Springer, 2008. 1.1, 3.4
[165] Yu Yang, Xiaofang Chen, Ganesh Gopalakrishnan, and Robert M. Kirby. Distributed
dynamic partial order reduction. STTT, 12(2):113–122, 2010. 3.4
[166] Shao Jie Zhang and Yang Liu. An Automatic Approach to Model Checking UML
State Machines. Secure Software Integration and Reliability Improvement Companion,
IEEE International Conference on, 0:1–6, 2010. 7.1
[167] Shao Jie Zhang and Yang Liu. Model Checking a Lazy Concurrent List-Based Set
Algorithm. In Proceedings of the 4th International Conference on Secure Software
Integration and Reliability Improvement, SSIRI ’10, pages 43–52, Washington, DC,
USA, 2010. IEEE Computer Society. 7.1
[168] Shao Jie Zhang, Yang Liu, Jun Sun, Jin Song Dong, Wei Chen, and Yanhong A. Liu.
Formal Verification of Scalable NonZero Indicators. In Proceedings of the 21st Interna-
tional Conference on Software Engineering & Knowledge Engineering (SEKE’2009),
pages 406–411. Knowledge Systems Institute Graduate School, 2009. 7.1
122
BIBLIOGRAPHY
[169] Shao Jie Zhang, Jun Sun, Jun Pang, Yang Liu, and Jin Song Dong. On Combining
State Space Reductions with Global Fairness Assumptions. In Michael Butler and
Wolfram Schulte, editors, FM 2011: Formal Methods, volume 6664 of Lecture Notes
in Computer Science, pages 432–447. Springer Berlin / Heidelberg, 2011. 7.1
[170] Man Chun Zheng. An Automatic Approach to Verify Sensor Network Systems. Se-
cure Software Integration and Reliability Improvement Companion, IEEE Internation-
al Conference on, 0:7–12, 2010. 1.2
[171] Manchun Zheng, David Sanán, Jun Sun, Yang Liu, Jin Song Dong, and Yu Gu. State
Space Reduction for Sensor Networks using Two-level Partial Order Reduction. In 14th
International Conference on Verification, Model Checking, and Abstract Interpretation
(VMCAI), 2013. 1.2
[172] Manchun Zheng, Jun Sun, Yang Liu, Jin Song Dong, and Yu Gu. Towards a model
checker for nesc and wireless sensor networks. In ICFEM, pages 372–387, 2011. 1, 1.2,
6
[173] Manchun Zheng, Jun Sun, David Sanán, Yang Liu, Jin Song Dong, and Yu Gu. To-
wards bug-free implementation for wireless sensor networks. In SenSys, pages 407–408,
2011. 1.2
[174] Huiquan Zhu. Model Checking C# Code: A Translation Approach. Secure Software
Integration and Reliability Improvement Companion, IEEE International Conference




This chapter presents the syntax of the NesC language, based on the NesC 1.3 Language
Reference Manual [55].
A.1 Interface Definition
Interface definitions have the following syntax:
interface-definition :
interface identifier type-parametersopt{declaration-list}
Interface definitions have a name (identifier) with global scope. The type − parameters
is a list of optional C type parameters for this interface definition:
type-parameters :
< type-parameter -list >
type-parameter -list :
identifier
type-parameter -list , identifier
An interface definition with type parameters is called a generic interface definition. The
declaration-list of an interface definition specifies a set of commands and events. It must
consist of function declarations with the command or event storage class:
storage-class-specifier : also one of
command event async
An interface type is specified by giving the name of an interface definition and, for generic
124
Appendix A. NesC Language Reference








There must be as many types in type-arguments as there are parameters in the interface
definitionąŕs type parameter list. Type arguments can not be incomplete or of function or
array type. Two interface types are the same if they refer to the same interface definition
and their corresponding type arguments (if any) are of the same C type. Example interface
types are interface SendMsg and interface Queue<int>.
A.2 Component Specification
The first part of a componentąŕs definition is its specification, a declaration of provided or


























A specification can contain independent interfaces of the same interface type, e.g.,
provides interface X as X1;
uses interface X as X2;
Commands or events can be included directly as specification elements by including a




storage-class-specifier : also one of
command event async
It is a compile-time error if the declaration is not a function declaration with the com-
mand or event storage class. As in interfaces, async indicates that the command or event
can be called from an interrupt handler.
As with interface declarations, bare commands (bare events) can have instance param-
eters; these are placed before the functionąŕs regular parameter list, e.g., command void




If instance parameters are present, the declaration specifies a bare, parameterised com-
mand (bare, parameterised event). Note that instance parameters are not allowed on com-
mands or events inside interface definitions.
A component specification can also include regular declarations (these belong to the
126
Appendix A. NesC Language Reference
specification scope):
uses − provides : also
declaration
A.3 Component Definition
A nesC component definition has a name, optional arguments, a specification and an imple-
mentation:
component :










Generic component parameter lists are similar to function parameter lists, but allow for















where translation-unit is a list of C declarations and definitions. The top-level decla-
rations of the moduleąŕs translation-unit belong to the moduleąŕs implementation scope.
These declarations have indefinite extent and can be: any standard C declaration or defini-
tion, a task declaration or definition (placed in the object name space), a command or event
implementation.
These command and event implementations are specified with the following C syntax
extensions:












call -kind : one of
call signal post
A module can specify a default implementation for a used command or event α (a
compile-time error occurs if a default implementation is supplied for a provided command
or event). Default implementations are executed when α is not connected to any command
or event implementation. A default command or event is defined by prefixing a command
or event implementation with the default keyword:
declaration-specifiers : also
default declaration-specifiers
A task is an independent locus of control defined by a function of storage class task
returning void and with no arguments: task void myTask() { ... }. A task can also have a
128
Appendix A. NesC Language Reference
forward declaration, e.g., task void myTask();.
storage-class-specifier : also one of
task





guarantee that the statement is executed “as-if” no other computation occurred simul-
taneously, and furthermore any values stored inside an atomic statement are visible inside
all subsequent atomic statements.
A.5 Configuration Implementation
Configurations implement a component specification by selecting regular components or
instantiating generic components, and then connecting (ąřwiringąś) these components to-











A components element specifies the components that are used to build this configuration,
a connection specifies a single wiring statement, and a declaration can declare a typedef
or tagged type (other C declarations are compile-time errors). A configuration composed of
wiring statements connects two sets of specification elements:




• The specification elements of the components referred to instantiated in C. We refer
to these as internal specification elements.
A components elements specifies some components used to build this configuration.
These can be:
• A non-generic component X. Non-generic components are implicitly instantiated, ref-
erences to X in different configurations all refer to the same component.
• An instantiation of a generic component Y . Instantiations of Y in different con-
figurations, or multiple instantiations in the same configuration represent different
components.

















Wiring is used to connect specification elements (interfaces, commands, events) together.
130







identifier -path [argument-expression-list ]
identifier -path :
identifier
identifier -path . identifier
There are three wiring statements in nesC:
• endpoint1 = endpoint2 (equate wires): Any connection involving an external specifica-
tion element. These effectively make two specification elements equivalent. Let S1 be
the specification element of endpoint1 and S2 that of endpoint2. One of the following
two conditions must hold or a compile-time error occurs:
– S1 is internal, S2 is external (or vice-versa) and S1 and S2 are both provided or
both used,
– S1 and S2 are both external and one is provided and the other used.
• endpoint1 → endpoint2 (link wires): A connection between two internal specification
elements. Link wires always connect a used specification element specified by endpoint1
to a provided one specified by endpoint2 . If these two conditions do not hold, a
compile-time error occurs.
• endpoint1 ← endpoint2 is equivalent to endpoint2 → endpoint1.
A configuration can refer to the typedefs and enum constants of the components that
it includes. To support this, the syntax for referring to typedefs is extended as follows:




Syntax of Logical Formulas
In the following, we present the BNF syntax of logical formulas which are used in the
assertion annotation language of NesC@PAT.
mathExpr : condit ionalAndExpr ( | | condit ionalAndExpr )∗
condit ionalAndExpr : bitwiseOrExpr (&&bitwiseOrExpr )∗
bitwiseOrExpr : bitwiseXorExpr ( | bitwiseXorExpr )∗
bitwiseXorExpr : bitwiseAndExpr (? bitwiseAndExpr )∗
bitwiseAndExpr : equa l i tyExpr (&equal i tyExpr )∗
equa l i tyExpr : r e l a t i ona lExp r ((== | !=) r e l a t i ona lExp r )∗
r e l a t i ona lExp r : b i tw i s eSh i f tExpr ((< | > | <= | >=) b i tw i s eSh i f tExpr )∗
b i tw i s eSh i f tExpr : addit iveExpr ((<< | >>) addit iveExpr )∗
addit iveExpr : multiveExpr ((+ | −) multiveExpr )∗
multiveExpr : unaryOprExpr ( (∗ | / | %) unaryOprExpr )∗
unaryOprExpr : ∗unaryExpr | &unaryExpr | ! mathExpr | mathExpr
| +addit iveExpr | −addit iveExpr | ++ re f e renceExpr
| −− r e f e r enceExpr | unaryExpr | (mathExpr )
unaryExpr : (0 . . . 9) (0 . . . 9) ∗ | True | Fa l se | r e f e r enceExpr
re f e r enceExpr : varNameExpr | varNameExpr −>. var
| varNameExpr −> var | varNameExpr [ addit iveExpr ]
varNameExpr : var ( . var )∗




In the following, we present the syntax and the informal semantics of STCSP processes,
based on [143].
A Stateful Timed CSP model (hereafter a model) is a tuple S = (Var , InitG ,P) where
Var is a finite set of finite-domain global variables; initG is the initial valuation of the
variables and P is a timed process. A variable can be of a predefined type like Boolean,
integer, array of integers or any user-defined data type. Process P models the control logic of
the system using a rich set of process constructs. A process can be defined by the grammar
presented in Figure C.1. For simplicity, we assume that P is not parameterized.
Process Stop does nothing but idling. Process Skip terminates, possibly after idling for
some time. Process e → P engages in event e first and then behaves as P . Note that
e may serve as a synchronization barrier, if combined with parallel composition. In order
to seamlessly integrate data operations, we allow sequential programs to be attached with
events. Process a{program} → P performs data operation a (i.e., executing the sequen-
tial program whilst generating event a) and then behaves as P . The program may be a
simple procedure updating data variables (written in the form of a{x := 5; y := 3}) or a
complicated sequential program.
Given a channel ch with pre-defined buffer size, process ch!exp → P evaluates the
expression exp (with the current valuation of the variables) and puts the value into the tail
of the respective buffer and behaves as P . Process ch?x → P gets the top element in the
respective buffer, assigns it to variable x and then behaves as P . Channels with zero buffer
size require synchronous input and output while channels with non-zero buffer size only
perform asynchronous input and output operations.
A conditional choice is written as if (b){P}else{Q}, whereas ifb(b){P} is referred to as
a blocking conditional choice that is blocked until b is satisfied and behaves as P . Process
P | Q offers an (unconditional) choice between P and Q . Process P ; Q behaves as P
until P terminates and then behaves as Q immediately. Process P\X hides occurrences
of events in X . Parallel composition of two processes is written as P || Q , where P and
Q may communicate through event synchronization (following CSP rules [74]) or shared
133
P = Stop – in-action
| Skip – termination
| e → P – event prefixing
| a{program} → P – data operation prefixing
| ch?exp → P – channel input
| ch!x → P – channel output
| if (b){P}else{Q} – conditional choice
| ifb(b){P} – blocking conditional choice
| P | Q – general choice
| P\X – hiding
| P ; Q – sequential composition
| P || Q – parallel composition
| Q – process referencing
| Wait [d ] – timed delay∗
| P timeout [d ] Q – timeout∗
| P interrupt [d ] Q – timed interrupt∗
| P within[d ] – timed responsiveness∗
| P deadline[d ] Q – timed deadline∗
| e  P – urgent event prefixing ∗
Figure C.1: STCSP Grammar
variables. Notice that if P and Q do not communicate through event synchronization, then
it is written as P ||| Q , which reads as “P interleave Q”. A process may be given a name,
written as P=̂Q , and then referenced through its name. Recursion is allowed by process
referencing. Additional process constructs (e.g., while or periodic behaviors) can be defined
using the above.
In addition, a number of timed process constructs (marked with * in Figure C.1) are
designed to capture common real-time system behavior patterns. Let d ∈ R+. Process
Wait [d ] idles for exactly d time units. In process P timeout [d ] Q , the first observable event
of P shall occur before d time units elapse (since process P timeout [d ] Q is activated).
Otherwise, Q takes over control after exactly d time units. In process P interrupt [d ] Q ,if
P terminates before d time units, P interrupt [d ] Q behaves exactly as P . Otherwise,
P interrupt [d ] Q behaves as P until d time units and then Q takes over. In contrast to
P timeout [d ] Q , P may engage in multiple observable events before it is interrupted. Process
P within[d ] must react within d time units, that is, an observable event must be engaged by
process P within d time units. Urgent event prefixing [42], written as e  P , is defined as
(e → P)within[0], that is, e must occur as soon as it is enabled. In process P deadline[d ], P
must terminate within d time units, possibly after engaging in multiple observable events.
Notice that a timed process construct is always associated with an integer constant d , which




• Cartesian Semantics A semantics for concurrent system that is presented by
Cartesian vectors [65]. It has been used in the Cartesian partial order reduction
algorithm for concurrent programs.
• CSP (Communicating Sequential Processes) A formal language for describing
patterns of interaction in concurrent systems [74]. It is a member of the family of
mathematical theories of concurrency known as process algebras, containing process
operators parallel (‖), interleave (|||), interrupt (4), choices (2 and u), etc.
• Formal Methods A particular kind of mathematically based techniques for the
specification, development and verification of software and hardware systems. A s-
tudy of mathematically rigorous techniques and tools for the specification, design and
verification of software and hardware systems. The phrase ‘mathematically rigorous’
means that the specifications used in formal methods are well-formed statements in a
mathematical logic and that the formal verification are rigorous deductive processes
in that logic (i.e., each step follows from a rule of inference and hence can be checked
by a mechanical process) [28].
• Label Transition System (LTS) An abstract machine consists of a set of states
and transitions between states, which may be labeled with labels chosen from a set;
the same label may appear on more than one transition. It is adopted to represent
the state space of systems for model checking techniques.
• Linear Temporal Logic (LTL) Formalism commonly used to describe temporal
requirements precisely. There are a few basic operations given with symbols 2, 3,
X , U , W , R corresponding to English language terms ‘always’, ‘eventually’, ‘next’,
‘until’, ‘weak-until’ and ‘release’.
• Liveness Property Properties defined by LTL formulas, which means that some-
thing good eventually happens. Formally, every finite prefix of a counterexample can
be extended to an infinite path that satisfies the formula.
135
• Model Checking Given a model of a system, exhaustively and automatically check-
ing whether this model meets a given specification. Typically, one has hardware or
software systems in mind, whereas the specification contains safety requirements such
as the absence of deadlocks and similar critical states that can cause the system to
crash. Model checking is a technique for automatically verifying correctness properties
of finite-state systems.
• NesC (Network Embedded System C) A component-based, interrupt-driven
programming language used to build applications for the TinyOS platform [53]. NesC
has been widely used to develop sensor network programs.
• Partial Order Reduction (POR) A technique for reducing the size of the state
space to be searched by a model checking algorithm. It exploits the commutativity
of concurrently executed transitions, which result in the same state when executed in
different orders. In explicit state space exploration, POR usually refers to the specific
technique of expanding a representative subset of all enabled transitions. POR has
also been described as model checking with representatives [124]. There are various
techniques of POR, including the stubborn set method [156], ample set method [124],
and persistent set method [59].
• PAT (Process Analysis Toolkit) PAT is a self-contained framework for to sup-
port composing, simulating and reasoning of concurrent, real-time systems and other
possible domains. It comes with user friendly interfaces, featured model editor and
animated simulator. Most importantly, PAT implements various model checking tech-
niques catering for different properties such as deadlock-freeness, divergence-freeness,
reachability, LTL properties with fairness assumptions, refinement checking and prob-
abilistic model checking. To achieve good performance, advanced optimization tech-
niques are implemented in PAT, e.g. partial order reduction, symmetry reduction,
process counter abstraction, parallel model checking. So far, PAT has over 2300 reg-
istered users from over 550 organizations in 58 countries and regions.
• Process Algebra A diverse family of related approaches for formally modelling
concurrent systems. They provides a tool for the high-level description of interactions,
communications, and synchronization between a collection of independent agents or
processes. They also provide algebraic laws that allow process descriptions to be
manipulated and analyzed, and permit formal reasoning about equivalences between
processes (e.g., using bisimulation). Leading examples of process calculi include CSP,
CCS, ACP, and LOTOS.
• Safety Property Properties defined by LTL and also state reachability. Formally,
every counterexample has a finite prefix such that, however it is extended to an infinite
136
Appendix D. GLOSSARY
path, it is still a counterexample. In our work, we allow safety properties to be defined
as LTL formulas, state reachability assertions, etc.
• Software Verification A discipline of software engineering with goal to assure that
software fully satisfies all the expected requirements. The aim of software verification
is to find the errors introduced by an activity, i.e. check if the product of the activity
is as correct as it was at the beginning of the activity.
• Stateful Timed CSP (STCSP) A formal specification language to model hierar-
chical realtime systems that extends Timed CSP [43, 134] with language constructs
to manipulate data structures and data operations in order to support real-world ap-
plications. STCSP supports a rich set of timed process constructs to capture timed
system behavior patterns, e.g., delay, deadline, timeout, timed interrupt, etc.
• TinyOS A component-based operating system and platform targeting sensor net-
works. TinyOS is an embedded operating system written in the NesC programming
language as a set of cooperating tasks and processes. It is intended to be incorporated
into smartdust. TinyOS started as a collaboration between the University of Califor-
nia, Berkeley in co-operation with Intel Research and Crossbow Technology, and has
since grown to be an international consortium, the TinyOS Alliance.
137
