Abstract. Model-checking is now widely recognised as an efficient method for analysing computer system properties, such as deadlock-freedom. Its practical applicability is due to existing automatic tools which deal with tedious proofs. Another area of increasing research interest is formal language integration, where the capabilities of each language are used to capture precisely some aspects of a system. In this paper we describe a formal strategy for deadlock analysis of specifications in CSP-Z (a language which integrates CSP and Z). We also show how FDR (a model-checker originally developed for CSP) can be adapted for CSP-Z. Finally, we present a subset of a CSP-Z formal specification of a real Brazilian artificial microsatellite, and use FDR to check that the specification is deadlock-free.
Introduction
There is an increasing interest, among the Computer Science community, in model-checkers. These are programs that work by checking every possible state of a system to verify some specified property such as deadlock-freedom. Although model-checking is limited to certain problems, namely those that do not suffer from the exponential state explosion problem, it has a great advantage over, for example, general theorem proving because it is fully automatic whereas the latter is not.
Linking theories is also a recent trend in the area of formal methods. The main advantage of doing so is to capture more than one aspect of a system using a uniform notation. For example, concurrent specification languages, such as CSP [12] or CCS [17], can characterise precisely the behavioural aspects of a system, but they are not suitable for stating concisely (and abstractly) the system data structures. This is because the data structures in these languages are similar to those of a programming language. On the other hand, languages such as Z [20], VDM [14] and OBJ [11] have great expressive power to describe abstract data structures but lack the notion of operation evaluation order. Currently, there are many language integration proposals. Some examples are LOTOS [2], Temporal Logic and CSP [16], LOTOS and Z [6] and CSP-Z [7, 8].
In this paper we use CSP-Z, a language which integrates CSP and Z both syntactically and semantically. CSP-Z was defined such that, apart from enabling one to deal with the behaviour and the data structure aspects of a system independently, the resulting specification can also be refined independently, i.e., the approach to refinement is compositional in the sense that refining the CSP or the Z part (with some constraints) leads to the refinement of the entire CSP-Z specification. The main contribution of this paper is a strategy for deadlock analysis of CSP-Z based on [4] and its mechanisation by adapting the FDR model-checker [9], which was originally developed to deal exclusively with CSP specifications. Finally, we present a case study of a Brazilian artificial microsatellite (SACI-1) being developed by the Brazilian Space Research Institute (INPE), where we apply our strategy for deadlock analysis with the aid of FDR. This case study is a small subset of a detailed formalisation and analysis of the SACI-1, described in [1].
The rest of this paper is organised as follows. Section 2 introduces the CSP-Z language through an example, and briefly describes its syntax and semantics. In Section 3 we present a technique developed by Brookes and Roscoe [4] to analyse the deadlock-freedom property of a CSP specification, and explain how FDR implements this technique. Based on this technique we develop a deadlock analysis strategy for CSP-Z specifications and show how to adapt FDR to work for CSP-Z; this is presented in Section 4. Section 5 illustrates this approach through the specification and analysis of the On-Board Computer system (OBC) of the SACI-1 Brazilian microsatellite. Finally, we consider the benefits of using an integrated language and the practical advantages and limitations of using FDR in this setting. We assume some familiarity with the languages CSP and Z.
CSP-Z
The language CSP-Z [7, 8] is a conservative extension of both CSP and Z in the sense that the syntactic and semantic aspects of CSP are fully preserved while Z operations have a slightly different interpretation. In order to give an overview of CSP-Z we present part of the specification of our case study, fully described in Section 5. In [8] the integration of CSP with an object-oriented extension of Z is presented. Here we consider the plain Z notation.
A simple Example
The Watch-Dog Timer, or simply WDT, is a process of the SACI-1 microsatellite responsible for waiting for a reset signal that comes (periodically) from another SACI-1 process, the Fault-Tolerant Router (FTR). If this reset signal does not come, the WDT sends a recovery signal to the FTR in order to initiate a recovery process to normalise the situation. This procedure occurs three times and, if after that the FTR does not respond, then the WDT considers the FTR faulty.
A CSP-Z specification is encapsulated into a spec and end spec scope, where the name of the specification follows these keywords. The interface is the first part of a CSP-Z specification and is used to declare the external channels (keyword channel) and the local (or hidden) ones (keyword local channel). Each list of channels has an associated Z schema type, where the empty schema type ([]) denotes a list of events, i.e., channels which do not communicate values. The concurrent behaviour of the system is introduced by the keyword main, where other equations can be added to obtain a more structured CSP specification.
The equation introduced below with the keyword main describes a totally independent behaviour between the processes Signal and Verify using the CSP interleaving operator (|||). Signal is simply characterised by waiting for consecutive reset signals, i.e., waiting for a reset and then (->) behaving like Signal again (i.e., waiting for another signal). Verify waits for a clock, then checks whether a reset signal arrived at the right period or not via the choice operator ([]). If a timeOut occurs then the WDT tries to send a recovery signal to the FTR. If the FTR is not ready to synchronise in this event then the WDT assumes that the FTR is faulty and then finishes its execution (behaving like skip).
    main = Signal ||| Verify
    Signal = (reset -> Signal)
    Verify = (clockWDT -> (noTimeOut -> Verify [] timeOut -> (recover -> Verify [] failFTR -> skip)))
After introducing the behaviour of the WDT, the data structures used are declared. In order to fix a timeout and to know whether the clock has reached this maximum we introduce two constants, WDTtOut and WDTP. The system state (State) has simply a declarative part which records the number of cycles in which the WDT tries to recover the FTR and the value of the last clock received. The initialisation schema (Init) asserts that the number of cycles is initially zero.
The following schemas are standard Z schemas (with a declaration part and a predicate which constrains the values of the declared variables) except that their names are derived from the channel names, prefixed with the keyword com_. Informally, the meaning of a CSP-Z specification is that, when a CSP event c occurs, the respective Z operation com_c is executed, possibly changing the data structures. Further, when there is no schema name associated with a given channel, this means that no change of state occurs. Note that every external communication has a type; when no type is explicit, CSP-Z assumes the type signal, where the desired behaviour is merely that of a synchronisation and not a value passing. For events with an associated non-empty schema type, the Z schema must have input or output variables with corresponding names in order to exchange communicated values between the CSP and the Z parts. Hence, the input variable clk? receives values communicated through the clockWDT channel. For schemas where primed (') variables are omitted, we assume that no modifications occur, i.e., in the schema com_reset below it is implicit that the time component is not modified (time' = time). When a Z schema has a precondition differing from true, it imposes a restriction on the occurrence of a CSP event. It is like a CSP guard, i.e., if the precondition is true then the event is allowed to occur normally, otherwise it is refused and the process behaves like the canonical deadlock process (stop).
Note. As already explained, the recovery process is attempted 3 times, after which the WDT assumes that the FTR is faulty.
The failures of a process P form a set of pairs (s, X) of traces (observed events) and refusals, such that after P performs the trace s it cannot engage in any event of the refusal set X. The divergences of a process P are a set of traces such that after P performs any trace of this set it engages in an infinite loop of hidden events. The language CSP-Z is a semantic integration of CSP and Z in that a Failures-Divergence meaning is given to Z [7, 8]. This interpretation is required in order to allow Z components to be combined using CSP operators such as interleaving (|||) and parallelism (||).
As explained above, a CSP-Z specification is a parallel combination of the CSP and the Z parts via the channel names, such that on the occurrence of a channel c the corresponding Z schema com_c is activated. As the semantics of CSP-Z is also based on the Failures-Divergence model, we should explain what happens when a given event c occurs successfully, when it is refused and when it leads to divergence. These situations are considered below.
Suppose that c is a CSP untyped channel with corresponding schema com_c. If the event c occurs and the guard of the event and the precondition of the schema com_c are satisfied, this characterises a successful execution step. In this case, the state space is subjected to the predicate part of com_c and the CSP part also evolves (the event c is added to the trace of the process). Now, suppose that the channel c is a typed channel. If c?x is performed and the value v assigned to x cannot be treated by the input part of com_c, due to a type incompatibility, then c is refused. Similarly, if com_c exhibits a value v from one of its output variables which cannot be communicated through c!v then c is also refused. Finally, suppose that c is not refused by the Z part according to the above explanation; then if the value communicated falsifies the precondition of com_c, the whole process diverges. A more formal presentation of the semantics is given in Appendix A.1.
Formalising the above explanation, we can state precisely a refusal or a divergence introduced by the Z part. Let c be a channel and tr be a trace; then
Deadlock Analysis for CSP: Theory and Tools
Concurrent programming is more complex than sequential programming mainly because the number of states grows exponentially with the number of processes that compose the system. Describing precisely a concurrent system and analysing its properties is essential to guarantee its expected behaviour. One of the most important properties of a concurrent system is deadlock-freedom, i.e., the system will work normally without an unforeseen and permanent interruption.
In this section we present the two main results of a deadlock analysis technique developed by Brookes and Roscoe [4]. We also show how the FDR model-checker analyses a specification for deadlock-freedom and how the work reported in [4] can guide one in an automatic deadlock analysis of a complex concurrent system using FDR. The theorems presented here are based on some concepts which are informally explained below and defined formally in Appendix A.2. Each of these concepts appears in this section in slanted font, to ease the references to the appendix.
The present approach to deadlock analysis considers only CSP processes that do not diverge. This requirement allows a simpler mathematical treatment while it is not too severe in practice, since almost all practical applications are expected to be divergence-free.
Theorem 1 deals with the case where an arbitrary network of CSP processes is analysed, whereas Theorem 2 is used when one can partition the network into smaller ones. By network we mean a set of parallel processes; it is busy if all its processes are deadlock-free. Both theorems use the concept of vocabulary, which is the set of events containing the synchronisation channels of each pair of processes of the network. A request between processes A and B is just a possibility of A synchronising with B. An ungranted request is a request (say, from A to B) that cannot be satisfied, i.e., B cannot offer any event needed by A. A conflict occurs when both processes involved in a request have ungranted requests to each other; and a strong conflict means that these two processes cannot communicate with a third one. A cycle of requests is a sequence of indices (identifying processes) in which each ordered pair of distinct indices forms a request.
Theorem 1 Let V be a busy network with a given vocabulary. If V is free of strong conflict with respect to that vocabulary, any deadlock state of the network contains a proper cycle of ungranted requests with respect to it. If V is conflict-free then any deadlock state contains a proper cycle of ungranted requests <i_0, ..., i_{r-1}> with respect to the vocabulary (r > 2), such that the only requests being made in this state between processes involved in the cycle are the requests recorded in the cycle.
We can visualise a network using a graph where the processes are the nodes of the graph and the edges are events that synchronise two processes, i.e., events common to two processes. Thus, by disconnecting edges we mean those whose removal increases the number of partitions of the graph, and by essential components those that remain after removing all disconnecting edges. A pair of processes is conflict-free if one cannot find a trace which introduces a reciprocal ungranted request or a strong one between these processes.
Theorem 2 Suppose V is a network with essential components V_1, ..., V_k where the pair of processes joined by each disconnecting edge are conflict-free with respect to the vocabulary. Then if each of the V_i is deadlock-free, so is V.
The above theorem establishes a connection between deadlock-freedom and pairwise conflict-freedom of the essential components of a network. The conflict-freedom constraint is necessary because if one essential component blocks, it can infect others if the edge linking two essential components has a conflict. This is a very important result because for large networks one can arrange them such that they can be partitioned into simpler ones. Then Theorem 2 tells us that it suffices to check for deadlock-freedom of the essential components.
3.1 FDR
FDR [9] stands for Failures-Divergence Refinement and is a model-checker for CSP specifications. Since the specifier uses his knowledge about the theory of communicating processes to overcome the problem of the exponential state explosion, this tool is very efficient to analyse properties such as determinism, deadlock and livelock and to verify some refinement relations among processes.
Differences between CSP and FDR-CSP. FDR adopts a rather different interpretation (defined in [18]) of two elements of the earlier definition of CSP [12]. The first one is the treatment of alphabets, which FDR considers a global parameter of the specification. Hence, let P_1, ..., P_n be the processes of the specification; then the global alphabet is the union of their alphabets, αP_1 ∪ αP_2 ∪ ... ∪ αP_n. Because of this new view of the alphabet, the parallel operator must have an explicit characterisation of the synchronisation events. In [12], the parallel operator is denoted simply as || because the synchronisation events are precisely determined by the alphabets of the two processes involved, while FDR uses two new (alphabetised) parallel operators: let P and Q be two processes; then P [A || C] Q (with A ⊆ αP and C ⊆ αQ) is the process that acts as P for events in A, as Q for events in C and as P and Q (synchronisation) for events in A ∩ C; P [| B |] Q (with B = A ∩ C ⊆ αP ∩ αQ) acts as P for events in αP − B, as Q for events in αQ − B and as P and Q for events in B. Regarding notation, FDR-CSP uses a machine-readable version of CSP.
Deadlock analysis using FDR. FDR can analyse a CSP specification using one of the three semantic models defined for CSP, namely the Traces model (T), the Failures model (F) and the Failures-Divergence model (FD). With the first model one can prove safety properties of a system, the second can be used to prove safety, liveness and a combination of these properties and, in addition to the previous properties, the last one can be used to check divergence-freedom. Thus, to check deadlock for a divergence-free specification it is sufficient and more efficient to use the Failures model.
We consider how FDR proves deadlock-freedom and how to use the previous results to ease the analysis for complex networks. Initially, let DF (Deadlock-Free) be the process DF = ⊓ a : Σ • a -> DF, where Σ is the alphabet. Informally, DF can perform any trace, selecting any event a of the alphabet Σ, but may not refuse all events. In FDR, proving that a process P is deadlock-free is simply verifying that P refines DF, i.e., DF ⊑_F P, where F denotes the Failures model. Hence, FDR checks for deadlock based on Definition 2 (see Appendix A.2): if FDR finds a trace s of P such that after P performs s its refusal set X equals its alphabet αP, then P deadlocks. Further, FDR checks deadlock-freedom through a refinement relation. The relation DF ⊑_F P is satisfied iff F[P] ⊆ F[DF], that is, every trace s of P is a trace of DF and every refusal X of P (after such a trace) is a refusal of DF. The first relation is always satisfied because DF can perform any trace (interleaving events) formed by the events of the alphabet of P, but the second will not hold if P refuses all its events, because DF cannot.
The verification of DF ⊑_F P is done by FDR through a normalisation of the transition system of DF, where a transition system equivalent to the original one is built such that there is a one-to-one relation between states and traces. Although the normalised transition system of any process is smaller than its original one, and FDR can also apply compression techniques, one can always get a process that exhibits the exponential state explosion problem. Therefore, it is convenient to apply the decomposition techniques captured by Theorem 2 whenever possible. The deadlock analysis strategy is compositional in the sense that we verify smaller processes and use the theorems to conclude the deadlock-freedom of their parallel compositions. With FDR we can easily check if a network is busy, by verifying its individual components for deadlock. Also, we can prove whether two processes are conflict-free, using Theorem 2, simply by checking if their parallel composition is deadlock-free.
Deadlock Analysis for CSP-Z: Theory and Tools
According to the requirements of the formal strategy for deadlock analysis presented in the previous section, a network can only be investigated if it is divergence-free, triple-disjoint, uses an associative parallel operator such as || (defined in [12]) and has a static topology. If one can prove that a network has all these properties then all the results of the preceding section can be used. In this section we show what the conformity obligations are for such results to generalise to CSP-Z specifications. We also suggest an approach to adapt the FDR system to work for CSP-Z.
The conformity obligations that must be verified are:
1. When is the parallel operator [||] used by CSP-Z equivalent to ||?
Because of the above theorem we can encapsulate the enable_c schema into the precondition of the com_c one, changing the refusals of the channel c from ¬ enable_c to ¬ pre com_c. This simplifies the mathematical treatment of CSP-Z specifications because one does not need to refer to enable_c, only to pre com_c. This is used extensively in what follows.
Finally, we arrive at the point of considering how to manage the dynamic aspects introduced by the Z part. This characteristic makes the topology of any network built using CSP-Z dynamic; hence, we cannot carry out only a static analysis such as the one described in Section 3. According to the CSP-Z semantics, if c is a channel and pre com_c is false then c is refused even if its environment enables it. Therefore, it is not sufficient to consider only the CSP equations; one must also consider the state space on every occurrence of a CSP event.
The impact of the refusal sets of the Z part on the theoretical analysis is that CSP maximal refusal sets are not CSP-Z maximal refusal sets. In order to use that strategy for CSP-Z, apart from the CSP maximal refusal sets, one must also consider the pre com_c schema for every event c of every trace tr.
In [4], dynamic networks are not considered. The dynamic aspects introduced by the Z part can only be managed by keeping track of the network's structure during execution; so, it seems very convenient to use FDR for CSP-Z. Therefore, for analysing a CSP-Z specification it is necessary to consider what happens to the network after its data structures are initialised. Let S be a CSP-Z specification such that the CSP part has a cyclic behaviour such as <a, b, c, a, b, c, a, b, c, ...>; then if one can prove that ∀ e : {a, b, c} • pre com_e is true, the CSP-Z behaviour is equal to the CSP one, otherwise this cyclic trace is broken. The analysis is no longer static because for the trace <a, b, c> the data structures are affected by the Z schema composition com_a ; com_b ; com_c, according to the CSP-Z semantics. Therefore, the next occurrence of a might happen in the context of a state which falsifies pre com_a.
FDR for CSP-Z
Deadlock analysis is not trivial even if one considers only CSP processes. Hence, it is essential to find a strategy to mechanise deadlock analysis for CSP-Z. In this section we present how to adapt FDR for analysing CSP-Z specifications.
In order to use FDR to analyse CSP-Z we have to define the following elements in FDR: State (the system state space), Init (the initialisation schema), com_c (the schema associated with the channel c), pre com_c (the precondition of the schema com_c) and the communication of values between the CSP and the Z parts of the specification. The translation strategy is defined as follows. In general, Z operations are relations between initial and final states, as well as input and output values. However, for simplicity we assume in the following that these relations are functional.
State: FDR has no means to represent a global state space, due to its foundations on CSP. However, FDR processes can have parameters, which are commonly used for indexing. Therefore, the system state space can be represented as a parameter of all processes of the specification. When a schema com_c updates the state space, the final state produced must be taken as the initial state for the next execution step.
Init: As FDR cannot represent a state space globally, the Init schema is translated into FDR as a process which initialises the data structures used by the main equation. Thus, Init = main(InitialState), where InitialState is a tuple which defines an initial value for each state component.
com_c: A Z schema can be translated into FDR as a function. The arguments to this function are the (current) state and the values of the input variables; the function result is formed by the final state defined by the schema and the values of the output variables. This function does not embody the precondition part of the schema, only the effect.
pre com_c: A precondition is also encoded as an FDR function of type State × Input → B; it evaluates to true in the states and input values which satisfy the precondition of the com_c schema, and to false otherwise.
Communications: Values communicated in the CSP part of the FDR script must be passed to the Z part, and vice versa. All conversion patterns below have the form of a CSP guarded command. For an input, the condition of the guard is a prefix choice of a suitable value for the input parameter. The expression a?x : {a.x @ x : T, pre_com_a(S, x)} is a set comprehension which generates the set of elements a.x where x ranges over T and satisfies the predicate pre_com_a(S, x). For an output we simply pass the result of the Z part to the CSP part.
The following conversion patterns implement the above strategy and ease the encoding of a CSP-Z speci cation into FDR:
    CSP-Z            FDR
    P = a -> P       P(S) = pre_com_a(S) & (let S' = com_a(S) within a -> P(S'))
    P = a?x -> P     P(S) = a?x:{a.x @ x:T, pre_com_a(S,x)} & (let S' = com_a(S,x) within P(S'))
    P = a!e -> P     P(S) = pre_com_a(S) & (let (S',e) = com_a(S) within a!e -> P(S'))
The translation of channel declarations, constants and free types is a straightforward syntactical conversion, as presented in [1].
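As an added illustration (not code from the paper, nor an FDR script), the following Python program applies the translation above to the WDT of Section 2 and performs the deadlock check of Section 3 by explicit state exploration: every process takes the Z state S as a parameter, each event is guarded by pre_com_c(S) and followed by the update com_c(S), exactly as in the conversion patterns. The Z schemas, the constants WDTtOut and WDTP (here MAX_CYCLES and WDT_PERIOD), the clock type and the Init state are assumptions, since the paper's schemas are not reproduced here; a second, deliberately defective failFTR precondition shows how a state-dependent refusal breaks a cyclic CSP trace, as discussed in Section 4.

```python
"""Explicit-state deadlock check for the WDT of Section 2, written in the
state-parameterised style of the CSP-Z-to-FDR translation: every process
carries the Z state S, each event a is guarded by pre_com_a(S) and the
state is updated by com_a(S) before the continuation runs."""
from collections import deque

# Assumed constants and types (the paper names WDTtOut and WDTP but their values
# and the schema bodies are not given here).
MAX_CYCLES = 3            # recovery is attempted three times (Section 2)
WDT_PERIOD = 2            # assumed: timeOut when the last clock value reaches this
CLOCK = (0, 1, 2, 3)      # assumed finite type of the clockWDT channel
SKIP = "SKIP"             # terminated process

def init_state():
    """Init: cycles = 0; the last clock value is assumed to start at 0."""
    return (0, 0)         # state S = (cycles, time)

# Z part: com_c (effect) and pre_com_c (precondition) for every channel c.
def pre_true(S, *_): return True
def com_unchanged(S): return S
def com_reset(S): return (0, S[1])                  # cycles' = 0, time' = time
def com_clockWDT(S, clk): return (S[0], clk)        # time' = clk?
def pre_com_noTimeOut(S): return S[1] < WDT_PERIOD
def pre_com_timeOut(S): return S[1] >= WDT_PERIOD
def pre_com_recover(S): return S[0] < MAX_CYCLES
def com_recover(S): return (S[0] + 1, S[1])         # cycles' = cycles + 1
def pre_com_failFTR(S): return S[0] == MAX_CYCLES
def pre_com_failFTR_off_by_one(S): return S[0] > MAX_CYCLES   # constructed defect

def guarded(event, pre, com, cont, S):
    """P(S) = pre_com_a(S) & (let S' = com_a(S) within a -> cont(S'))"""
    return [(event, cont, com(S))] if pre(S) else []

def inputs(chan, T, pre, com, cont, S):
    """P(S) = a?x:{a.x @ x:T, pre_com_a(S,x)} & (let S' = com_a(S,x) within cont(S'))"""
    return [(f"{chan}.{x}", cont, com(S, x)) for x in T if pre(S, x)]

# CSP part, translated: Signal = reset -> Signal
def Signal(S):
    return guarded("reset", pre_true, com_reset, Signal, S)

def make_verify(pre_fail):
    """Verify = clockWDT -> (noTimeOut -> Verify [] timeOut -> (recover -> Verify
    [] failFTR -> SKIP)), parameterised by the failFTR precondition so that a
    correct and a defective Z part can be compared."""
    def Verify(S):
        return inputs("clockWDT", CLOCK, pre_true, com_clockWDT, Check, S)
    def Check(S):
        return (guarded("noTimeOut", pre_com_noTimeOut, com_unchanged, Verify, S)
                + guarded("timeOut", pre_com_timeOut, com_unchanged, Recover, S))
    def Recover(S):
        return (guarded("recover", pre_com_recover, com_recover, Verify, S)
                + guarded("failFTR", pre_fail, com_unchanged, SKIP, S))
    return Verify

def check_deadlock(components, S0):
    """Breadth-first search over the reachable (processes, state) configurations
    of the interleaving of `components` sharing the state S0.  Returns the trace
    to the first configuration that refuses every event without having
    terminated, or None when the process is deadlock-free."""
    start = (tuple(components), S0)
    seen = {start}
    queue = deque([(start, ())])
    while queue:
        (procs, S), trace = queue.popleft()
        succ = []
        for i, p in enumerate(procs):
            if p is SKIP:
                continue
            for ev, cont, S2 in p(S):
                succ.append((ev, (procs[:i] + (cont,) + procs[i + 1:], S2)))
        if not succ and any(p is not SKIP for p in procs):
            return trace
        for ev, cfg in succ:
            if cfg not in seen:
                seen.add(cfg)
                queue.append((cfg, trace + (ev,)))
    return None

def check_wdt(pre_fail):
    """The two checks the strategy asks for: every component alone (is the
    network busy?) and the interleaved main = Signal ||| Verify."""
    Verify = make_verify(pre_fail)
    return {name: check_deadlock(procs, init_state()) for name, procs in
            (("Signal", [Signal]), ("Verify", [Verify]), ("main", [Signal, Verify]))}

if __name__ == "__main__":
    print("correct Z part:", check_wdt(pre_com_failFTR))
    print("defective failFTR precondition:", check_wdt(pre_com_failFTR_off_by_one))
```

With the defective precondition, Verify alone reports a trace ending in a timeOut after three recoveries (both recover and failFTR are refused by the Z part), while the interleaved main still passes because Signal always offers reset; this is why the strategy checks each component for busyness rather than only the whole network.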
Case Study
In this section we present the CSP-Z specification of two processes which, combined in parallel with the one introduced in Section 2, result in a final specification that represents the simplified behaviour of the SACI-1 OBC. We also show how to translate the specification into our FDR representation and then carry out a deadlock analysis using FDR.
The SACI-1 OBC is a fault-tolerant distributed processing system which combines software and hardware components [5]. Its main parts are its Watch-Dog Timer (WDT) and its Fault-Tolerant Router (FTR). Due to its fault-tolerant aspects, the SACI-1 was designed with redundant components. It has three WDTs, three FTRs, etc. However, for illustrative purposes we consider here a simplification of the real configuration, removing indices and presenting its behaviour.
The SACI-1 Main Components
Fault-Tolerant Router. The FTR is responsible for some tasks and for periodically sending a reset signal to the WDT. In order to model the FTR as close as possible to its original conception we consider that it can stop temporarily or permanently. In a temporary stop, the FTR can be reanimated through a recover signal. However, in a permanent one the WDT cannot be restarted.
The other two processes are translated into the FDR notation in a similar way. We have done that, loaded the result into FDR and checked that the SACI-1 specification is deadlock-free.
Conclusion
In this paper we proposed a strategy for model-checking CSP-Z specifications based on previous work for model-checking CSP and on the semantics of the CSP-Z language, verifying its conformity, and adapting the FDR model-checker to work with the state part of CSP-Z specifications. We presented a formal specification in CSP-Z of a subset of the SACI-1 microsatellite OBC as well as a deadlock analysis of this specification using the FDR tool.
The SACI-1 project as developed by the Brazilian Space Research Institute lacked formal documentation, hence our first contribution was to formally define a subset of the SACI-1 [1]: its OBC system. From the very beginning, the goal of the formalisation task was to develop a formal specification free from problems, and hence we did not find any deadlocks in our specification, as required. However, some problems in the informal documentation were detected: the informal documentation was found to be ambiguous (making the system hard to understand), and the description of many processes which were supposed to cooperate did not specify synchronisation points. These problems were reported to the members of the SACI-1 project, and the specification reported in [1] serves today as a formal reference for the implementation of this project.
One research direction we intend to pursue is the derivation of an implementation in a language like OCCAM [15] from CSP-Z specifications. To this end, we rely on an important theoretical result [7, 8]: refinement of the CSP and of the Z part (subject to some constraints) of a CSP-Z specification leads to refinement of the entire CSP-Z specification.
Another topic for further research is the integration of tools to deal with CSP-Z specifications. In [1], we have shown how to use Z-EVES [19] to type-check the Z part of the SACI-1 specification and to refine some of its data structures. Furthermore, the ZANS animator [13] was also used in [1] to analyse the behaviour of the data structures in the Z part of the SACI-1 specification. Ideally, these tools should also be adapted to work for CSP-Z, as we did with FDR. The ultimate goal would be linking all these tools into a uniform development environment for CSP-Z.
A final remark is that although we have based our work on CSP-Z, the results could, in principle, be easily adapted to other approaches to integrating CSP and Z, such as, for example, [10].
