Verification is critical to the design of large and complex systems. SPIN is a well-known and extensively used verification tool. In this paper, we consider two tool chains, one existing, WSAT, and one introduced here, that support using SPIN to model check systems specified as Simulink Stateflow models. We present algorithms for doing the necessary translations and present empirical results that show the chain using tools introduced in this paper performs better than the one using the existing WSAT tool. We also show that these tools allow SPIN to be used for model checking nondeterministic Stateflow models in addition to deterministic ones.
Introduction
Verification (model checking) plays an important role in the design of large scale and complex systems. The technique is applied to software requirement specifications and design specifications, and aims to increase reliability and productivity from the early stages of software development. System verification ascertains whether designed systems can be executed or specified. Various formal methods for verification have been studied [1] [2] [3] .
The objective of the work described in this paper is to provide a tool chain that supports using the well-known tool SPIN [4] to model check systems specified as Simulink Stateflow models [5] . As shown in Fig. 1 , we consider two such tool chains. In the first chain, XML produced by Simulink is translated via an intermediate file format to MSL using new tools described later in this paper. WSAT
[6] is used to translate the MSL code to PROMELA for input to SPIN. In the second chain, another new tool, also described later in this paper, translates the intermediate file found from the Simulink produced XML directly to PROMELA. Results given later in the paper show the second approach performs better. We also give an example of a nondeterministic model that cannot be checked in Simulink that can be checked using SPIN which shows the diversity of application of our new tools.
The remainder of the paper is organized as follows. The requisite background is reviewed in Section 2 and related work is described in Section 3. The tools introduced in this paper are described in Section 4. Experimental results are presented in Section 5 and the paper concludes with our observations and suggestions for future work in Section 6. 
Background
Model checking is a process that explores a finite state space to determine whether or not a given property holds. The common properties considered are:
Reachability: indicates that some particular situation, or situations, can be reached. Safety: indicates that the system can not transition to an invalid state. Fairness: indicates that any process than can execute an action will eventually be able to execute that action. Liveness: indicates that a process can always eventually reach a desiredstate.
The following tools and languages are used in this work: Simulink [5] is a graphical programming tool developed by MathWorks for modeling, simulating and analyzing multidomain dynamic systems. Its primary interface is a graphical block diagramming tool and a customizable set of block libraries. It integrates with the MATLAB environment and can either drive MATLAB or be scripted from it allowing one to use MATLAB functionality in modeling and analysis.
Simulink includes a Design Verifier [7] that uses formal methods to identify design errors in models including dead logic, integer overflow, division by zero, and violations of design properties and assertions. It does not test for liveness, reachability or deadlock [8] . Extensible Markup Language (XML) [9] is a widely used markup language that defines a set of rules for encoding information in a format that is both human-readable and machine-readable, and that is easily exchanged. Simulink provides a utility to express a Stateflow model in XML.
Model Schema Language (MSL)
[10] is a formalism of the core ideas in XML schema. Web Service Analysis Tool (WSAT) [6, 11, 12 ] is a formal specification, verification, and analysis tool for web service compositions. The tool supports multiple specification approaches of composite web services. In addition, WSAT provides several analyzes techniques that can deduce complexities in the formal verification of asynchronously communicating web services. WSAT translates web service input in MSL into PROMELA thereby supporting the use of SPIN. Process or Protocol Meta Language (PROMELA) is a verification modeling language that allows for the dynamic creation of concurrent processes to model various types of systems. PROMELA programs consist of processes, message channels, and variables. Processes are global objects that represent the behaviour of concurrent entities of a distributedsystem. Channels and global variables define the environment in which the processes run. PROMELA is used to describe systems to be modeled usingSPIN. Simple PROMELA Interpreter (SPIN) [4, 13] is a general tool designed to verify the correctness of distributed software models in a rigorous fashion. PROMELA is used to describe the system to be modeled. In addition to model-checking, SPIN can also operate as a simulator, following one possible execution path through the system and presenting the Simulink (Stateflow) resulting execution trace to the user. SPIN gains efficiency by generating optimized C code modules that perform the requested model checks.
Related Work

Simulink model checking
Model checking for Matlab/Simulink models has been researched in [8, 14, 15] . In [14] , the authors describe a translation process that can convert a welldefined subset of MSS (Matlabs Simulink and Stateflow) into a standard form of hybrid automata. In his thesis [8] , Leitner compares Simulink Design Verifier and the SPIN model checking tool. The comparison is based on the case study of an AUTOSAR compliant memory management module. In this context, it is also described how Simulink/Stateflow models can be manually translated into the input language of the model checker SPIN. In [15] , the authors report their initial experience in using modelbased safety analysis on an example system taken from the ARP Safety Assessment Guidelines document.
UML/Statechart to PROMELA
The basic ideas for the translation of UML/Statechart to PROMELA have been well-defined in [16, 17] . In [16] , the translator is an implemented system, integrated with a commercial design tool. In their implementation they use Visio as the frontend GUI, which connects to Visual Basic toexecute the translator. Reference [17] presents a translation from a subset of UML Statechart Diagramscovering essential aspects of both concurrent behaviour, like sequentialization, parallelism, nondeterminism and priority, and state refinement -into PROMELA. The work reported in [17] provides basic ideas regarding translation from UML Statecharts to PROMELA.
C to PROMELA
Translation from other language to PROMELA, have been developed in [18] [19] [20] . In [18] , Jiang addresses the problem of automatically verifying the correctness of concurrent algorithms, and describes a step in this direction: an automated translation from a subset of C to PROMELA. Reference [19] gives a method for using the tool SPIN to verify the network protocol stack TCP/IP for communications. The approach consists of building a model of the underlying operating system to be joined with the original C code in order to obtain the input for the model checker. Reference [20] uses static analysis to automatically construct an abstract matching function which depends on the program and the property to be verified.
XML to PROMELA
Simulink models can produce XML (eXtensive Markup Language). A translator from XML to PROMELA has been developed as the WSAT tool [6, 11, 12] . The presented algorithms translate (bounded) XML data and XPath expressions to PROMELA. The techniques constitute the basic of their Web Service Analysis Tool (WSAT) which verifies LTL properties of composite web services. MSL, a compact formal model of XML, has a straightforward mapping to PROMELA. Boolean XPath expressions are used in branch for loop conditions, and location path and arithmetic expressions are used on the left and right hand sides of assignment statements. In this paper, we use basic ideas of translation XML to PROMELA but WSAT tool is different target areas.
Our Tools
Simulink is a well defined tool for Model-Based Development (MBD). We focus on the Simulink Stateflow model. A well-known Simulink cruise control demonstration example is shown as Fig.2 . 
Extracting states and transitions from XML descriptions
Simulink has a function for producing XML from MDL which is a text description of a Stateflow model. XML can also be created from SLX, a binary format for Simulink models available from version R2012a onward. The first step in our tools is to create an intermediate format file from the XML file shown as if (tree is !! junction !! ) then 12 :
end if 14: end for 15: for k 0, trN do 16: if (tree is !! transition !! ) then 17 :
trk.lb
end if 20 :
trk.src
end if 23 :
trk.dst 
Published by Atlantis Press
Copyright: the authors [21] , seeFig.5.
In Fig.5 , the set of state or junctions is extracted in line 5. Then transitions are extracted in line 10. Thus, the MSL contains all states, junctions and transitions.
Our implementation of the WSAT algorithm [11] is shown in Fig.6. Figs. 3, 5 and 6 together provide a path from XML to PROMELA. Fig.6 describes a procedure MSLToPROMELA. The first string, i.e., ret1, contains the type declaration for g. The second output is the attribute definitions for g, if g is an intermediate type. As shown in Fig.6 , the function body of MSLToPROMELA translates the input MSL type declaration recursivelyaccording to the syntax rules. m1=gn +"->" 12: m2=gn+1, gn+2, ..., gn+k 13: end if 14: end switch 15: return (m1, m2) 16 ret1=tr(g0) [1] +"typedef"+type+"{"+tr(g0) [2] +"}" 13: ret2=type+" "+t 14: else 15: ret1=tr(g0) [1] +"typedef"+t+"{" +tr(g0) [2] + "}" 16: ret2=null 17: end if 18: g g1{m, n}:
ret1=tr(g1) [1] 20:
ret2=tr(g1) [2] +" [ "+n+" ] "+"int"+g1.tag+"occ" 21: g g1, g2,..., gk: 22: ret1=tr(g1) [1] 
XML to PROMELA directly
The second tool chain we consider also uses Fig.3 to translate XML to our intermediate file format. We then use Fig.7 
m1="mtype {"+f0, f1,..., fi+"}" if ( fn is f ( !! machine !! )) then 12: m1="proctype"+ !! machinename !! +"()"
13:
end if 15: if ( fn is f ( !! transition !! )) then 16: m1="atomic {" fn +"->" 17: m2= fn+1, fn+2, ..., fk "}" 18: end if 19: return (m1, m2) 20: end procedure 
Temporal Properties
Once a Stateflow model has been translated to PROMELA using either tool chain, temporal properties can be described in an external file for verifying desired behaviors. SPIN supports temporal operators such as <> (sometime), [] (always) and U (until). For example, the two key temporal properties considered in the examples below can be expressed as follows:
Note that property P1 expresses that active can be reached from o f f by some sequence of transitions, i.e., reachability. Property P2 indicates that state active can eventually be reached starting from any other state, i.e., liveness. The interested reader should consult [13] for details on specifying temporal and other properties for checking using SPIN.
Experimental Results
Checking Reachability andLiveness
In this section, we show experimental results for the verification of a number of Simulink Stateflow models. Our experiments are performed on a 2.4 GHz Core i7 processor under OS X v10.8 with 8 GB of available RAM. All simulations are verified by SPIN version 6.2.7 and our tools are developed using Python 2.7.6. Table 1 shows our results regarding reachability checking for a number of Simulink models from [5] . For each the table gives the name and the number of state variables. The section WSAT shows the results of applying the tool path employing WSAT and the section Our Tool shows the results of using our tool for direct translation to PROMELA. For each case, we show the number of states visited, the number of transitions taken and the total CPU time. The time value consists of WSAT or PY (depending on the tool chain), plus the time for SPIN, the time gcc for compiling the C code produced by SPIN and the run time exec. Note that the times quoted do not include the initial translation from XML to the intermediate format (Fig.3) or the translation from the intermediate format to MSL (Fig.5) to be input to the WSAT tool. Those times are relatively minor.
The reachability property as generated by SPIN is: 
P2 [] (<>( f inal state(s))).
In Table 1 and 2, all models are verified correctly for the properties of reachability and liveness.
Simulink model checking can only verify deterministic behavior which means that events occur in a particular order. For example, if a model can transition from {a} to b or c with some probability, deterministic behavior requires either {a b c} or {a c b}. In this type of case were more than one transition is possible at the same time, one of them will be selected by the Simulink checker in a deterministic way using the Stateflow 12 o'clock rule [22] . In practical models, we have to consider true nondeterministic behavior which motivates our approach of translating the Simulink model to a form that can be checked nondeterministically using SPIN.
A Nondeterministic Example
In this section, we describe a nondeterministic Simulink Stateflow model as shown in Fig. 8 . There are nondeterministic behaviors in valid state and f ailure state. Here, if the system has some nondeterministic behaviors, the results may cause failure operations. We use the PROMELA code shown in Fig.9 in order to check failure operations. In Fig.9 , processes valid state and failure state can be expressed deterministically. Therefore, we can check nondeterministic behaviors of the Stateflow model by the SPIN model checker. Experimental results for nondeterministic models are shown in Tables 3 and 4 . The examples in the top half of the table are from [23] . We created the examples in the bottom half of the table to illustrate the performance of our approach on larger examples. The client server is extended from 2 to 12 nodes; the ring is extended from 3 to 36 nodes; and the ethernet example is extended from 4 to 22 nodes.
The results for reachability checking show that the number of states visited, the number of transitions applied and the CPU time used are are all reduced by using our new tool. Moreover, the results show especially efficient checking results for the large models. For liveness checking, the results show similar performance improvement.
It is interesting to note that the DTMF generator example only has 8 state variables but requires visiting a large number of states and taking a large number of transitions. This is due to the particularstructure of this example.
Our new approach consistently requires fewer state visits and transitions in testing reachability and liveness for both the deterministic and nondeterministic examples. Our method is also consistently faster and very much so for the large examples. Note that the main difference in time is between WSAT 6 ) and our tool in Python (Fig.7) . Our tool is a much simpler approach resulting in a much faster translation process.
To better illustrate the application of the checking methods we have included results for variants (marked err) of our large examples which contain errors that make the reachability and liveness tests fail. Note that the fail cases consistently require fewer state visits and transitions.
Conclusion
"Simulink
Q c documentation center (the mathworks,
In this paper, we have described two tool chains that support using SPIN to model check systems specified as Simulink Stateflow models. This ap- 
