Automatic generation of provably correct embedded systems by LIN, Shang-Wei et al.
Singapore Management University 
Institutional Knowledge at Singapore Management University 
Research Collection School Of Information 
Systems School of Information Systems 
11-2012 
Automatic generation of provably correct embedded systems 
Shang-Wei LIN 
Yang LIU 
Pao-Ann HSIUNG 
Jun SUN 
Singapore Management University, junsun@smu.edu.sg 
Jin Song DONG 
Follow this and additional works at: https://ink.library.smu.edu.sg/sis_research 
 Part of the Programming Languages and Compilers Commons, and the Software Engineering 
Commons 
Citation 
LIN, Shang-Wei; LIU, Yang; HSIUNG, Pao-Ann; SUN, Jun; and DONG, Jin Song. Automatic generation of 
provably correct embedded systems. (2012). Proceedings of the 14th International Conference on Formal 
Engineering Methods, , ICFEM 2012, Kyoto, Japan, November 12-16. 214-229. Research Collection School 
Of Information Systems. 
Available at: https://ink.library.smu.edu.sg/sis_research/5021 
This Conference Proceeding Article is brought to you for free and open access by the School of Information 
Systems at Institutional Knowledge at Singapore Management University. It has been accepted for inclusion in 
Research Collection School Of Information Systems by an authorized administrator of Institutional Knowledge at 
Singapore Management University. For more information, please email libIR@smu.edu.sg. 
Automatic Generation of Provably
Correct Embedded Systems
Shang-Wei Lin1, Yang Liu1,4, Pao-Ann Hsiung2, Jun Sun3, and Jin Song Dong4
1 Temasek Laboratories, National University of Singapore
{tsllsw,tslliuya}@nus.edu.sg
2 National Chung Cheng University, Chia-Yi, Taiwan
pahsiung@cs.ccu.edu.tw
3 Singapore University of Technology and Design
sunjun@sutd.edu.sg
4 National University of Singapore
dongjs@comp.nus.edu.sg
Abstract. With the demand for new and complicated features, embedded sys-
tems are becoming more and more difficult to design and verify. Even if the de-
sign of a system is verified, how to guarantee the consistency between the design
and its implementation remains a big issue. As a solution, we propose a frame-
work that can help a system designer to model his or her embedded system using a
high-level modeling language, verify the design of the system, and automatically
generate executable software codes whose behavior semantics are consistent with
that of the high-level model. We use two case studies to demonstrate the effec-
tiveness of our framework.
1 Introduction
Embedded systems are increasingly used to control our daily life or critical tasks, which
makes it important to guarantee the correctness. However, embedded systems are more
and more complex due to the demand for new and complicated features, which makes
it challenging to verify the correctness.
To verify embedded systems, system designers usually model the control behavior
of the system using state-based diagrams such as UML state machines, where data
and its operations are abstracted because modeling data and its operations by state-
based diagrams is not straightforward. Furthermore, the number of possible system
states often increases exponentially, which makes system verification (e.g., by model
checking) infeasible. Even if data and its operations are specified by designers directly
in high-level programming languages, the exact interactions among the user-written
code and user-specified models are not precise, which leads to a possible semantic gap
between the code and the models. During verification, if any fault occurs within this
semantic gap, it will go undetected.
 This work is mainly supported by TRF Project “Research and Development in the Formal Ver-
ification of System Design and Implementation” from Temasek Lab@National University of
Singapore; partially supported by project IDG31100105/IDD11100102 from Singapore Uni-
versity of Technology and Design, and project MOE2009-T2-1-072 from School of Comput-
ing@National University of Singapore.
T. Aoki and K. Tagushi (Eds.): ICFEM 2012, LNCS 7635, pp. 214–229, 2012.
c© Springer-Verlag Berlin Heidelberg 2012
Automatic Generation of Provably Correct Embedded Systems 215
In this work, we propose a framework as a solution to bridge the semantic gap. Our
framework adopts communication sequential program (CSP#) [16] as our high-level
modeling facility. CSP# is an expressive formal modeling language, which can be used
to model concurrent processes communicating via both shared memory and message
passing. CSP# even allows users to declare variables and model data operations on the
declared variables. With its expressiveness, the control behavior and data operations of
the system are formally and precisely modeled as a whole, which eliminates the se-
mantic gap between control and data. In addition, to guarantee the consistency between
the design of an embedded system and its implementation, the proposed framework
automatically generates executable embedded software in a constructive way for the
designer such that the functional correctness of the high-level CSP# models is trans-
ferred to the synthesized code. The contributions of this work include the following.
1. We propose a complete framework for modeling and verifying embedded systems.
2. The proposed framework can further automatically generate software code with
functional correctness, and we have proved that the behavior semantics of the gen-
erated code conforms to the high-level model.
The rest of this paper is organized as follows. Section 2 gives related works. Section 3
gives an introduction to the CSP# language as well as its operational semantics. Sec-
tion 4 introduces the proposed framework and proves the correctness of the generated
code. We have applied our framework on two case studies, as given in Section 5. Sec-
tion 6 concludes this paper and discusses some future works.
2 Related Work
Toolsets for design and verification of systems include the SCR toolset [3], NIMBUS
[17], and SCADE Suite [15]. The SCR toolset uses the SPIN model checker, PVS-
based TAME theorem prover, a property checker, and an invariant generator for formal
verification of a real-time embedded system specified using the SCR tabular notation. It
supports test case generation the TVEC toolset. NIMBUS is a specification-based proto-
typing framework for embedded safety-critical systems. It allows execution of software
requirements expressed in RSML with various models of the environment, and it sup-
ports model checking and theorem proving. However, they do not support automatic
code generation. SCADE Suite uses safe state machines (SSM) for requirement spec-
ification and automatically generates DO-178B Level A compliant and verified C/Ada
code for avionics systems.
Worldwide research projects targeting embedded real-time software design include
the MoBIES project [11] supported by USA DARPA, the HUGO project [7] supported
by Germany’s Ludwig-Maximilians-Universita¨ Mu¨nchen, and the TIMES project [1]
supported by the Uppsala University of Sweden. However, none of them completely
support system designers to model, verify, and implement embedded systems with a
comprehensive framework.
For automatic code generation, several works have been proposed on different formal
models such as Objective-Z [13] and Event-B [10]. However, none of them proved the
semantics consistency between the model and the generated code.
216 S.-W. Lin et al.
Verifiable Embedded Real-Time Application Framework (VERTAF) [4–6], is a com-
prehensive framework supporting high-level modeling, verification, and automatic code
generation for real-time embedded systems. VERTAF adopts UML diagrams as its
modeling language. Since UML diagrams are informal and have limited expressive-
ness, the exact interactions among the user-written high-level programming language
code and the UML models cannot be precisely specified in VERTAF. This leads to
a possible semantic gap between the user-written code and the user-specified models.
During verification, if any fault occurs within this semantic gap, it will go undetected
by the model checker. In this work, we extend the modeling ability of VERTAF with the
CSP# language and enhance the ability of code synthesis such that executable verified
software code can be generated automatically and the generated code is consistent with
the high-level models.
3 Preliminaries
This section is devoted to a brief introduction to the CSP# language and its operational
semantics. A CSP# process is defined (using a core subset of process constructs) as,
P ::= Stop | Skip | e{prog} → P | ch!x → P | ch?x→ P | P ;Q
| [b]P | if b {P} else {Q} | P Q | P []Q
where e is an event with an operational sequential program prog, ch is a channel with
a bounded buffer size, x is a variable, and b is a Boolean expression.
Let Σ denote the set of all visible events, τ denote an invisible action, and denote
the the special event of termination. Let Στ = Σ ∪ {τ} and Στ, = Σ ∪ {τ,}.
The Stop process communicates nothing (also called deadlock). The Skip process is
defined as Skip =  → Stop. Event prefixing e → P performs e and afterwards
behaves as process P . If e is attached with a program prog (also called data operation),
the program is executed automatically together with the occurrence of the event. The
attached program prog can be C# program or any language with reflection that can be
used for observing and/or modifying program execution at runtime. Channel commu-
nication process ch!x → P or ch?x → P behaves as P after sending or receiving x
through the channel ch, respectively. Sequential composition (P ;Q) behaves as P until
its termination and then behaves as Q. Conditional choice if b {P} else {Q} behaves
as P if b evaluates to true and behaves as Q otherwise. Process [b]P waits until condi-
tion b becomes true and then behaves as P . Process P 1Q runsP andQ independently
and they can communicate through shared variables. Process P []2Q behaves as either
P or Q randomly. Example 1 illustrates how to model a system using CSP#.
Example 1. Peterson’s algorithm [12] was designed for the synchronization problem
for processes. Each process has to get into its critical section to do some computa-
tion,but only one process is allowed in its critical section at the same time. Listing 1.1
1 In this work, we only consider the interleaving composition () because parallel composition
(‖) is not natural and practical in real programs.
2 CSP# provides general, external, and internal choice compositions. In this work, we focus on
the general choice composition. The syntax and semantics of the three choice compositions
can be found in PAT user manual.
Automatic Generation of Provably Correct Embedded Systems 217
Listing 1.1. CSP# Model for Peterson’s Algorithm
1 v a r t u r n ; v a r pos [ 2 ] ;
2
3 P0 ( ) = r eq .0{ pos [ 0 ] = 1 ; t u r n = 1} −> Wait0 ( ) ; c s . 0 −> r e s e t .0{ pos [ 0 ] = 0} −> P0 ( ) ;
4 Wait0 ( ) = i f ( pos [ 1 ] == 1 && t u r n == 1) { Wait0 ( ) } e l s e { Stop } ;
5
6 P1 ( ) = r eq .1{ pos [ 1 ] = 1 ; t u r n = 0} −> Wait1 ( ) ; c s . 1 −> r e s e t .1{ pos [ 1 ] = 0} −> P1 ( ) ;
7 Wait1 ( ) = i f ( pos [ 0 ] == 1 && t u r n == 0) { Wait1 ( ) } e l s e { Stop } ;
8
9 P e t e r s o n ( ) = P0 ( ) | | | P1 ( ) ;
shows the CSP# model of the Peterson’s algorithm for two processes P0 and P1, where
req.0 and cs.0 represent that P0 requests to enter its critical section and P0 is cur-
rently in its critical section, respectively.
Given a system modeled by a CSP# process, a system configuration is a three-tuple
(P, V, C) where P is the current process expression, V is the current valuation of the
global variables which is a mapping from a name to a value, and C is the current status
of channels which is a mapping from a channel name to a sequence of items in the
channel. A transition is of the form (P, V, C) e−→ (P ′, V ′, C′) meaning that (P, V, C)
evolves to (P ′, V ′, C′) by performing event e. The meaning or behavior of a CSP# pro-
cess can be described by the operational semantics, as shown in Fig 1, where e ∈ Σ and
eτ ∈ Στ . We use upd(V, prog) to denote the function which, given a sequential pro-
gram prog and V , returns the modified valuation function V ′ according to the semantics
of the program. We use V |= b (or V |= b) to denote that boolean condition b evaluates
to true (or false) given V . We use eva(V, exp) to denote the value of the expression
evaluated with variable valuations in V . By the operational semantics, a CSP# process
is associated with a labeled transition systems (LTS), as formulated in Definition 1.
Definition 1. (Labeled Transition System). A labeled transition system (LTS) is a 4-
tuple (S,Στ,,−→, s0) where S is a set of system configurations, Στ, is a set of
events, −→⊆ S ×Στ, × S is a transition relation, and s0 ∈ S is the initial state. We
use s
α−→ s′, for simplicity, to denote (s, α, s′) ∈−→ where s, s′ ∈ S and α ∈ Στ,.
4 Design and Synthesis Flow
Fig. 2 shows the overall flow of our approach. It consists of two main phases, namely,
design phase and synthesis phase, and we refer to them as the front-end and back-end,
respectively. The front-end is further divided into three subphases, namely, modeling,
scheduling, and verification phases. There are two subphases in the back-end, namely,
implementation mapping and code generation phases. The details of each phase are
described in the following subsections.
4.1 Modeling
In the modeling phase, we adopt communicating sequential programs (CSP#) [16] as
our modeling language, which is a high-level formal modeling language for concurrent
218 S.-W. Lin et al.
(Skip, V, C)
−→ (Stop, V, C)
[skip] (P, V,C)
e−→ (P ′, V ′, C′), V |= b
([b]P, V,C)
e−→ (P, V,C)
[guard]
(P, V,C)
e−→ (P ′, V ′, C)
(P  Q,V,C)
e−→ (P ′  Q,V ′, C)
[int1] (Q,V,C)
e−→ (Q′, V ′, C)
(P  Q,V,C)
e−→ (P  Q′, V ′, C)
[int2]
(P, V,C)
−→ (P ′, V ′, C) and (Q,V,C) −→ (Q′, V ′, C)
(P  Q,V,C)
−→ (P ′  Q′, V, C)
[int3]
(e{prog} → P, V,C) e−→ (P, upd(V, prog), C)
[prog]
(P, V,C)
e−→ (P ′, V ′, C)
(P ; Q,V,C)
e−→ (P ′ ; Q,V ′, C)
[seq1] (P, V,C)
−→ (P ′, V ′, C)
(P ; Q,V,C)
τ−→ (Q,V ′, C)
[seq2]
V |= b
(if b {P} else {Q}, V, C) τ−→ (P, V,C)
[cond1]
V 
|= b
(if b {P} else {Q}, V, C) τ−→ (Q,V,C)
[cond2]
(P, V, C)
eτ−→ (P ′, V ′, C)
(P [] Q,V,C)
eτ−→ (P ′, V ′, C)
[ch1] (Q,V,C)
eτ−→ (Q′, V ′, C)
(P [] Q,V,C)
eτ−→ (Q′, V ′, C)
[ch2]
C(ch) is not empty
(ch?x → P, V,C) ch?C(ch).head−−−−−−−−−→ (P, V,C′), where C′(ch) = C(ch) \ {C(ch).head}
[in]
C(ch) is not full
(ch!exp→ P, V, C) ch!eva(V,exp)−−−−−−−−−→ (P, V,C′), where C′(ch) = C(ch) ∪ {eva(V, exp)}
[out]
Fig. 1. Operational Semantics of CSP# Processes [16]
systems. In CSP#, complex communications such as shared memory and message pass-
ing can be easily modeled, and system designers can even include code fragments in the
model. Most importantly, a complete simulation and verification tool support, Process
Analysis Toolkit (PAT) [9], is available.
To model the interactions between system model and hardware, we classify hard-
ware components and define generic hardware API for each class, e.g., for multi-media
hardware components such as a LCD, we define init(), reset(), display(),
and refresh(). Designers can use the generic hardware APIs as data operations in
CSP# to describe the system behavior of interacting with hardware. Note that we as-
sume hardware APIs have no side effects, i.e., they do not change the values of the
declared variables in the model. Thus, they are not considered in the verification.
Automatic Generation of Provably Correct Embedded Systems 219
Scheduling Verification 
Schedulable Specification 
Satisfied 
Code 
Generation 
Yes 
No 
Yes 
Front End 
Back End 
No Un-schedulable 
Information 
CSP# 
Model 
Non-functional 
Information 
Counterexample 
Software  
C/C++ Code 
Implementation  
Mapping 
Implementation  
Configuration File 
Fig. 2. Overall Flow
4.2 Scheduling
Non-functional requirements such as low-power consumption and worst-case execution
time can be evaluated in this phase. To evaluate the non-functional parts of systems, the
system designer can describe the power consumption or execution time of each event
and each data operation (obtained by profiling) in the non-functional information file,
and the requirements of non-functional properties are specified as assertions in CSP#
in the modeling phase. Our framework provides several scheduling algorithms, such as
Quasi-dynamic Scheduling (QDS) [6], to evaluate the non-functional properties. If the
system design is not feasible, information on why it is non-schedulable will be given to
designers. If the system design is schedulable, the flow goes to the verification phase.
4.3 Formal Verification
To check the functional correctness of the systems, we apply model checking [2] in
this phase. Model checking is an automatic analysis procedure that can show if a sys-
tem satisfies a temporal property or violates it with a counterexample. We integrate
the PAT [9] model checker, which takes CSP# model as its input, with our framework.
PAT is a self-contained model checker to support composing, simulating and reason-
ing of concurrent, real-time systems and other possible domains. It implements various
model checking techniques catering for different properties such as deadlock-freeness,
divergence-freeness, reachability, LTL properties with fairness assumptions, refinement
checking and probabilistic model checking. If the system model does not satisfy the
220 S.-W. Lin et al.
assertions of functional correctness, a counterexample will be given to the system de-
signer. If the assertions are all satisfied, then the flow moves on to the back-end phase.
4.4 Implementation Mapping
To make the design of a system executable on a real hardware platform, every generic
hardware API used in the modeling phase has to be mapped into a concrete imple-
mentation. In this phase, the target hardware platform where the final system runs is
configured, and each generic hardware API is mapped into its corresponding imple-
mentation in the specified hardware platform. Hardware-dependent files such as make
files and header files are all included in this phase.
4.5 Automatic Code Generation
In the code generation phase, executable software code is automatically generated from
the high-level CSP# model in two steps. The CSP# processes are first translated into
state machine models and then software code is synthesized from the translated state
machines. The reasons for the two-phase synthesis instead of generating software code
directing from CSP# model are as follows: (1) state machines are still the most popular
models in industries, and the two-phase synthesis gives designers the flexibility to ex-
change state machine models of their system designs. (2) there is a mature middleware
library, Quantum Platform (QP) [14], providing a programming paradigm for imple-
menting the state machine models in C/C++ programming language. In the paradigm
supported by QP, a state and a transition have their corresponding implementation pat-
terns such that general principles can be concluded and code synthesis for state ma-
chines can be automated. In addition, QP supports many operating systems such as
Linux/BSD, Windows/WinCE, μC/OS-II, etc., and many hardware platforms such as
80X86, ARM-Cortex/ARM9/ARM7, etc, which makes the generated software codes
portable. Fig. 3 shows the architecture of QP.
Hardware?Platform
Quantum?Platform?(Middleware)
RTOS
Application?Code?(Active?Objects)
Fig. 3. Multi-Layer Code Generation
We formulate a state machine in Definition 2 and the interleaving, sequential, and
choice compositions between two state machines in Definitions 3 to 5, respectively.
Definition 2. (State Machine). A state machine is a 6-tuple M = (S,Σ,B,A, s0, T )
where S is a set of states; Σ is a set of events; B is a set of Boolean expressions; A is
Automatic Generation of Provably Correct Embedded Systems 221
a set of actions; s0 ∈ S is the initial state; T ⊆ S × (Σ ∪ {τ,})×B ×A∗ × S is a
transition relation. We use s e[b]/a1;a2;··· ;an−−−−−−−−−−→ s′ to denote a transition, where s ∈ S is
the source state, s′ ∈ S is the destination state, e ∈ Σ is the event trigger, b ∈ B is the
triggering condition, and (a1; a2; · · · ; an) ∈ A∗ is a sequence of actions for ai ∈ A
and i ∈ {1, 2, . . . , n}. We define Post(s, e) = {s′ ∈ S | s e/−→ s′}.
Definition 3. (Interleaving). Given two state machines Mi = (Si, Σi, Bi, Ai, si0, Ti)
for i ∈ {1, 2}, the interleave composition is the state machine M1  M2 = (S1 ×
S2, Σ1 ∪Σ2, B1 ∪B2, A1 ∪A2, s10 × s20, T ) where T is defined as follows:
(s1, s2)
e[b]/a1;a2;··· ;an−−−−−−−−−−→ (s′1, s2) if s1
e[b]/a1;a2;··· ;an−−−−−−−−−−→ s′1
(s1, s2)
e[b]/a1;a2;··· ;an−−−−−−−−−−→ (s1, s′2) if s2
e[b]/a1;a2;··· ;an−−−−−−−−−−→ s′2
(s1, s2)
/−−→ (s′1, s′2) if s1
/−−→ s′1 and s2
/−−→ s′2
Definition 4. (Sequential Composition).
Given two state machines Mi = (Si, Σi, Bi, Ai, si0, Ti) for i ∈ {1, 2}, the sequential
composition is the state machine (M1;M2) = (S1 ∪ S2, Σ1 ∪ Σ2, B1 ∪ B2, A1 ∪
A2, s
1
0, T ) where T is defined as follows, where s ∈ S1.
T = T1 ∪ T2 \ {s /−−→ s′ ∈ T1 | s′ ∈ Post(s,)} ∪ {s τ/−→ s20 | Post(s,) = ∅}.
Definition 5. (Choice Composition).
Given two state machinesMi = (Si, Σi, Bi, Ai, si0, Ti) for i ∈ {1, 2}, the choice com-
position is the state machine (M1[]M2) = (Si, Σi, Bi, Ai, si0, Ti) where i is randomly
chosen from {1, 2}.
Fig. 4 shows the one-to-one mapping from CSP# processes into state machines. The
translation is performed constructively according the mapping step by step for each
CSP# process. The translated state machine M0 for process P0 in Example 1 is shown
in Fig. 5. We omit the translated state machine M1 for process P1 here since it is the
same as M0 except the conditions on transitions are symmetric to those of M0.
Theorem 1 proves that the behavior of the translated state machines is consistent
with the behavior of the original CSP# models based on the concept of bisimulation.
Definition 6. (Bisimulation). Given two LTS Li = (Si, Σ,−→i, si0) for i ∈ {1, 2}, we
say two states p ∈ S1 and q ∈ S2 are bisimulation of each other, denoted by p ≈ q iff
– for all α ∈ Σ if p α−→1 p′, then there exists q′ such that q α−→2 q′ and p′ ≈ q′
– for all α ∈ Σ if q α−→2 q′, then there exists p′ such that p α−→1 p′ and p′ ≈ q′
We say L1 and L2 are bisimulation of each other, denoted by L1 ≈ L2 iff s10 ≈ s20.
Theorem 1. The translated state machine is a bisimulation of the original CSP# model.
Proof. Given a CSP# process expression E , let the labeled transition system asso-
ciated with the process be LE = (O,Στ,,−→1, o0). Let the translated state ma-
chine w.r.t. the CSP# process be ME and its associated labeled transition system be
LME = (S,Στ,,−→2, s0). We want to prove that LE ≈ LME , i.e., o0 ≈ s0. We use
E ≈ ME to denote LE ≈ LME . It can be proved by a structural induction on the CSP#
expression from the following primitive processes.
222 S.-W. Lin et al.
(a) Stop Stop
(b) Skip s0 Stop /
(c): e{prog} → P s0 sP0 . . .
MP
e / prog()
(d) [b]P s0 ..
.
MP en[b] /
e1[b] /
(e) if b {P} else {Q} s0 sP0sQ0 . . .. . . MPMQ
τ [b] /τ [¬b] /
(f) ch?x → P s0 sP0
MP
. . .ch?x /
(g) ch!x → P s0 sP0
ch!eva(V, x) /
MP
. . .
(h) P ;Q s
′ sQ0ss
P
0
. . .. . .
MQMP
τ /
 /
(h) P []Q
sP0 s
Q
0
random choice
MP MQ
. . .. . .
Fig. 4. Translation Rules from CSP# Processes and State Machines
Automatic Generation of Provably Correct Embedded Systems 223
0
1 2
3
req.0 / pos[0]=1; turn=1
τ [pos[0]=1 ∧ turn=1] /
τ [pos[0]=0 ∨ turn=0] /
cs.0 /
reset.0 / pos[0]=0
Fig. 5. Generated State Machine M0 for Process P0
– Stop: By CSP# operational semantics, there is no transition rule for the Skip pro-
cess, so LStop is a LTS having a single state without any transitions. Its corre-
sponding state machine MStop also has one state without any transitions, as shown
in Fig. 4 (a). Thus, Stop ≈MStop.
– Skip: By CSP# operational semantics, Skip =  → Stop. the LTS LE has
two states o0, o and one transition o0
−→ o, where o0 = (Skip, V, C) and o =
(Stop, V, C). The translated state machine ME has two states s0, s and one transi-
tion s0
/−−→ s, as shown in Fig. 4 (b). It is obvious o0 ≈ s0. Thus, Skip ≈ MSkip.
– E = e{prog} → P : By CSP# operational semantics, the LTS LE takes tran-
sition o0
e−→ o and behaves like P , where o0 = (e{prog} → P, V, C) and
o = (P, upd(V, prog), C). Let MP be the translated state machine w.r.t. process
P such that P ≈ MP . We add transition s0 e/prog()−−−−−→ sP0 in the translated state
machine ME , as shown in Fig. 4 (c), where sP0 is the initial state of MP . It is
obvious that o0 ≈ s0. Thus, E ≈ ME .
– E = [b]P : By CSP# operational semantics, process [b]P behaves like P only if b
holds, i.e., processP can perform an event only if b holds. LetMP be the translated
state machine w.r.t. process P such that P ≈ MP . For each outgoing transition
from the initial state ofMP , We add a triggering condition b, as shown in Fig. 4 (d),
which guarantees that each outgoing transition from the initial state is taken only if
b holds. Thus, E ≈ME .
– E = if b {P} else {Q}: By CSP# operational semantics, the LTS LE may take
transition o0
τ−→ o′ if b holds; otherwise it takes transition o0 τ−→ o′′, where
o0 = (if b {P} else {Q}, V, C), o′ = (P, V, C), and o′′ = (Q, V,C). Let
MP and MQ be the translated state machines w.r.t. P and Q, respectively, and
P ≈ MP , Q ≈ MQ. In the initial state s0 of ME , two outgoing transitions
s0
τ [b]/−−−→ sP0 and s0
τ [¬b]/−−−−→ sQ0 are available, as shown in Fig. 4 (e), where sP0 and
sQ0 are the initial states of MP and MQ, respectively. It is obvious that o0 ≈ s0.
Thus, E ≈ME .
– E = ch?x → P : By CSP# operational semantics, if the channel ch is not empty,
the LTS LE takes transition o0
ch?C(ch).head−−−−−−−−−→ o, where o0 = (ch?x → P, V, C),
o = (P, V, C′), andC′(ch) = C(ch)\{C(ch).head}, and behaves like P . LetMP
be the translated state machine w.r.t. process P such that P ≈ MP . In the initial
state s0 of ME , we add transitions s0 ch?C(ch).head/−−−−−−−−−−→ sP0 , as shown in Fig. 4 (f),
where sP0 is the initial state of MP . It is obvious that o0 ≈ s0. Thus, E ≈ ME .
224 S.-W. Lin et al.
– E = ch!x → P : By CSP# operational semantics, if the channel ch is not full,
the LTS LE takes transition o0
ch!eva(V,x)−−−−−−−→ o, where o0 = (ch!x → P, V, C),
o = (P, V, C′), and C′(ch) = C(ch) ∪ {eva(V, exp)}, and then behaves like P .
Let MP be the translated state machine w.r.t. process P such that P ≈ MP . In
the initial state s0 of ME , we add transitions s0 ch!eva(V,x)/−−−−−−−−→ sP0 , as shown in
Fig. 4 (g), where sP0 is the initial state of MP . It is obvious that o0 ≈ s0. Thus,
E ≈ ME .
– E = P Q: By CSP# operational semantics, the transitions available in LE are
(P Q, V,C)
e−→ (P ′ Q, V ′, C) if (P, V, C) e−→ (P ′, V ′, C), e = 
(P Q, V,C)
e−→ (P Q′, V ′, C) if (Q, V,C) e−→ (Q′, V ′, C), e = 
(P Q, V,C)
−→ (P ′ Q′, V ′, C) if
{
(Q, V,C)
−→ (Q′, V ′, C)
(P, V, C)
−→ (P ′, V, C)
Let MP and MQ be the two translated state machines w.r.t. P and Q, respectively,
such that P ≈ MP and Q ≈ MQ. The state machine ME w.r.t. E is defined as
ME = MP MQ. By Definition 3, the only three transitions in ME correspond
to the above three transitions in LE , respectively. Thus, E ≈ME .
– E = P ;Q: By CSP# operational semantics, process E first behaves like P until P ’s
termination and then behaves like Q. Let MP and MQ be the two translated state
machines w.r.t. P and Q, respectively, such that P ≈ MP and Q ≈ MQ. The
translated state machine ME , as shown in Fig. 4 (f), first behaves like MP . Right
before the termination of MP , it takes transition s τ/−→ sQ0 and then behaves like
MQ, which corresponds to the operation semantics of E . Thus, E ≈ME .
– E = P []Q: By CSP# operational semantics, process E behaves like either P or Q
randomly. Let MP and MQ be the two translated state machines w.r.t. P and Q,
respectively, such that P ≈MP and Q ≈ MQ. The translated state machineME ,
as shown in Fig. 4 (i), behaves like eitherMP orMQ randomly, which corresponds
to the operation semantics of E . Thus, E ≈ME .
Since any CSP# process expression E is composed with primitive processes inductively
and we have proved that for each primitive process, the translated state machine is a
bisimulation of it, therefore we can conclude that E ≈ ME for any CSP# process. unionsq
The executable software code is then synthesized from the translated state machine
models. Let us take the Peterson’s algorithm in Example 1 to illustrate how software
code is automatically generated. In QP, an active object consists of a logical state ma-
chine structure, an event queue, and an execution thread, as shown in Fig. 6. QP provides
a base class, QActive, to implement an active object. A state machine is implemented
as a subclass of the QActive class, and each state is implemented as a member func-
tion of the class. Listing 1.2 shows the declaration file of state machine M0 in Fig. 5,
where the four states 0, 1, 2, 3 are implemented as four member functions P0 0(),
P0 1(), P0 2(), and P0 3(), respectively. Each execution thread of an active ob-
ject is responsible for dispatching events in its event queue, i.e., invoking the member
Automatic Generation of Provably Correct Embedded Systems 225
Listing 1.2. P0.h
1 c l a s s P0 : pub l i c QActive {
2 pr i v a t e : s t a t i c QSta t e i n i t i a l ( P0 ∗me , QEvent cons t ∗e ) ;
3 s t a t i c QSta t e P0 0 ( P0 ∗me , QEvent cons t ∗e ) ;
4 s t a t i c QSta t e P0 1 ( P0 ∗me , QEvent cons t ∗e ) ;
5 s t a t i c QSta t e P0 2 ( P0 ∗me , QEvent cons t ∗e ) ;
6 s t a t i c QSta t e P0 3 ( P0 ∗me , QEvent cons t ∗e ) ;
7 QTimeEvt m t imeEvt ;
8 pub l i c : P0 ( ) : QActive ( ( QS t a t eHand l e r )&P0 : : i n i t i a l ) , m t imeEvt (TIMEOUT SIG){} ;
9 ˜ P0 ( ){} ;
10 void r e q 0 ( ) { s t d : : cou t<<” r e q 0 ”<<s t d : : e nd l ; }
11 void c s 0 ( ) { s t d : : cou t<<” c s 0 ”<<s t d : : e nd l ; }
12 void r e s e t 0 ( ) { s t d : : cou t<<” r e s e t 0 ”<<s t d : : e nd l ; }
13 } ;
function representing the current state and passing the event as the argument. A transi-
tion from state s to s′ in the state machine is implemented by invoking the Q TRAN(s′)
macro provided by QP.
An active object can communicate with others via shared variables and message
passing. QP provides a publish-subscription mechanism for supporting message pass-
ing communication among active objects. Once an active object publishes an event, QP
delivers the event to the event queue of whoever subscribes it, and each subscriber will
receive the event by the execution thread. The dotted arrows in Fig. 6 show the paths of
event passing between active objects and QP.
Quantum Platform (QP) 
publish  
event e 
Active Object Active Object 
TIMEOUT event 
init() 
e = queue.get() 
dispatch(e) 
e 
Fig. 6. Communications among Active Objects
QP also provides the timer facility such that an active object can register a timeout
event of a certain time interval. After the time interval since the timer is fired, QP puts
a timeout event into the event queue of the active object that registered it. Let us recall
M0 in Fig. 5, we implement state 0 by registering a timeout event (Line 6 in List-
ing 1.3). After the timeout event occurs, the active object performs the req 0() func-
tion representing the CSP# event req.0 and assigns value 1 to both of the variables
226 S.-W. Lin et al.
Listing 1.3. P0.cpp
1 QS ta t e P0 : : i n i t i a l ( P0 ∗me , QEvent cons t ∗){ re turn Q TRAN(&P0 : : P0 0 ) ; }
2
3 QS ta t e P0 : : P0 0 ( P0 ∗me , QEvent cons t ∗e ){
4 sw i t ch ( e−>s i g ){
5 case Q ENTRY SIG :
6 me−>m timeEvt . p o s t I n (me , WAIT TIME ) ; re turn Q HANDLED ( ) ;
7 case TIMEOUT SIG :
8 me−>r e q 0 ( ) ; pos [ 0 ] = 1 ; t u r n = 1 ;
9 re turn Q TRAN(&P0 : : P0 1 ) ;
10 } re turn Q SUPER(&QHsm : : t op ) ;
11 }
12
13 QS ta t e P0 : : P0 1 ( P0 ∗me , QEvent cons t ∗e ){
14 sw i t ch ( e−>s i g ){
15 case Q ENTRY SIG :
16 me−>m timeEvt . p o s t I n (me , WAIT TIME ) ; re turn Q HANDLED ( ) ;
17 case TIMEOUT SIG :
18 i f ( pos [ 1 ] == 1 && t u r n == 1) { re turn Q TRAN(&P0 : : P0 1 ) ; }
19 e l s e { re turn Q TRAN(&P0 : : P0 2 ) ; }
20 } re turn Q SUPER(&QHsm : : t op ) ;
21 }
22 . . .
pos[0] and turn, which corresponds to Line 8 in Listing 1.3. Then it transits to state
1 by invoking the Q TRAN macro provided by QP (Line 9).
Theorem 2 proves that the behavior of implementation in active objects conforms to the
behavior of the state machines.
Theorem 2. The behavior of the implementation conforms to the state machine.
Proof. We give our proof sketch here. To prove that for each state machine, the be-
havior of its implementation in active object conforms to the original one, let us recall
and analyze what the execution thread of each active object does, as shown at the right
side of Fig 6. The execution thread keeps doing the followings: if there is an event in
the event queue, it removes the event and dispatches the event by invoking the member
function representing the current state and passing the event as the argument. In the
current active state, the pointer to the member function representing the current active
state is changed to its successor state by invoking Q TRAN() macro provided by QP.
For each transition A e[b]/act()−−−−−−→ B from state A to state B, the call graph for QP func-
tions and member functions representing states A and B is as shown in Fig. 7, which
satisfies the operational semantics of state machines. Since the implementation for each
transition satisfies the operational semantics of state machines, we can conclude that
the implementation for the whole active object conforms to the original state machine.
In CSP# operational semantics, the execution of each transition is atomic. If we want
to conclude that two-phase code generation is sound by Theorems 1 and 2, we have to
make an assumption that the execution of the action on a transition of a state machine is
also atomic. Fortunately, this can be guaranteed by taking and releasing a mutex at the
beginning and the end of the action, respectively, which is exactly how we implement
in our framework. Thus, the code generation in our framework is sound. unionsq
Automatic Generation of Provably Correct Embedded Systems 227
A B
e[b] / act()
e = queue.get() dispatch(e) A() act() Q TRAN(B)
e[b]/
Fig. 7. Call Graph of A State Transition
Listing 1.4. CSP# Model for the Entrance Guard System
1 # de f i n e RESET 77 ;
2 va r p i n [ 4 ] ; v a r r e s u l t = 0 ; va r open = 0 ;
3 va r a l a rm = 0 ; va r symbol = 0 ;
4 c h anne l pw 0 ; ch anne l i 2 c t r 0 ; c h anne l c t r 2 d b 0 ; c h anne l d b 2 c t r 0 ;
5 c h anne l i 2d 0 ; c h anne l c t r 2 a 0 ; c h anne l c t r 2 a lm 0 ; c h anne l f l a g 0 ;
6
7 User ( ) = User2 ( ) [ ] User1 ( ) ; f l a g ?x−> i f ( open == 1) { e n t e r−> Skip } e l s e { User ( ) } ;
8 User1 ( ) = pw!1 −> pw!1 −> pw!1 −> pw!1 −> Skip ;
9 User2 ( ) = pw!2 −> pw!RESET −> pw!2 −> pw!2 −> pw!2 −> pw!2 −> Skip ;
10 I n p u t ( ) = pw?x −> check{symbol = x} −> i f ( symbol == RESET) { I n p u t ( ) } e l s e {
11 i n p u t 1 { p in [ 0 ] = symbol } −> i 2d ! symbol −> pw?y −> check{ symbol = y } −>
12 i f ( symbol == RESET) { I n p u t ( ) } e l s e {
13 i n p u t 2{ p in [ 1 ] = symbol } −> i 2d ! symbol −> pw? z −>check{ symbol = z } −>
14 i f ( symbol == RESET){ I n p u t ( ) } e l s e {
15 i n p u t 3 { p in [ 2 ] = symbol } −> i 2d ! symbol−> pw?k −> check{symbol = k} −>
16 i f ( symbol == RESET) { I n p u t ( ) } e l s e { i n p u t 4{ p in [ 3 ] = symbol } −>
17 i 2d ! symbol −> i 2 c t r !1 −> I n p u t ( ) }
18 }
19 } } ;
20 D i s p l ay ( ) = i 2d ?x −> show { d i s p l a y ( ’∗ ’ ) } −> Di sp l ay ( ) ;
21 C o n t r o l l e r ( ) = i 2 c t r ?x −> c t r 2 d b ! x −> db2 c t r ?x −>
22 i f ( r e s u l t ==1) { c t r 2 a !1 −> f l a g !1 −> Co n t r o l l e r ( ) }
23 e l s e { c t r 2 a lm !1 −> f l a g !1 −> Co n t r o l l e r ( ) } ;
24 DBMS( ) = c t r 2 d b ?x −>
25 i f ( p i n [0]==1 && pin [1]==1 && pin [2]==1 && pin [3 ]==1 ) {
26 checkOK{ r e s u l t = 1;}−> db2 c t r !1 −> DBMS( )
27 } e l s e { c h e c kF a i l{ r e s u l t = 0;} −> db2 c t r !1 −> DBMS( ) } ;
28 Alarm ( ) = c t r 2 a lm ?x −> a la rmon{a la rm = 1} −> a l a rmo f f{a la rm = 0} −> Alarm ( ) ;
29 Ac t u a t o r ( ) = c t r 2 a ?x −> opendoor{open = 1;} −> c l o s e d o o r{open = 0} −> Ac t u a t o r ( ) ;
30 System ( ) = User ( ) | | | I n p u t ( ) | | | Co n t r o l l e r ( ) | | | DBMS( ) | | |
31 D i s p l a y ( ) | | | Ac t u a t o r ( ) | | | Alarm ( ) ;
32 # de f i n e p r e p i n [0]==1 && pin [1]==1 && pin [2]==1 && pin [ 3 ]==1 ;
33 # a s s e r t System ( ) |= [ ] p r e −><> open == 1 ;
34 # a s s e r t System ( ) r e a c h e s ( r e s u l t == 0 && open == 1 ) ;
35 # a s s e r t System ( ) |= [ ] r e s u l t == 0 −><> a la rm == 1 ;
5 Case Studies
We have applied the proposed framework on two case studies, namely an entrance guard
system and a secure communication box. Both of the systems are modeled using the
CSP# language and verified by the PAT model checker, and executable software codes
for both systems are generated by our framework automatically.
The entrance guard system (EGS) controls the entrance of a building and it consists
of six components, namely Input, Display, Controller, DBMS, Actuator, and Alarm,
which are modeled as six CSP# processes in Listing 1.4. Input is a keypad receiving
the 4-digit password as user input. Once a user enters a digit, it saves the digit to the
PIN array and sends the digit to Display via the channel i2d. If the user presses the
reset button, Input collects the 4-digit password from the first digit. After receiving
four digits, it sends the password to Controller via the channel i2ctr (Lines 10-19).
Display receives digits from Input and prints a ‘*’ symbol by calling the hardware
API display() for each digit on the LCD (Line 20). Controller sends the query
228 S.-W. Lin et al.
Listing 1.5. CSP# Model for the Secure Communication Box
1 # de f i n e UserConnec t 1 ; # de f i n e Data 2 ; # de f i n e Use rD i s connec t 3 ;
2 c h anne l ne twork 0 ; v a r p a c k e t ;
3
4 User ( ) = ne twork ! UserConnec t −> ne twork ! Data −> ne twork ! Use rD i s connec t −> User ( ) ;
5 Box ( ) = poweron −> i n i t −> ne twork ? UserConnec t −> Connec ted ( ) ; Box ( ) ;
6 Connec ted ( ) = ne twork ?x −> s t o r e {pa ck e t =x} −>
7 i f ( p a c k e t == Data ) {Connec ted ( )} e l s e { r e s e t −> Skip } ;
8 System ( ) = User ( ) | | | Box ( ) ;
of password to DBMS and receives the result via the channel ctr2db (Line 21). If
the password is correct, it notifies Actuator to open the door via the channel ctr2a
(Line 22); otherwise, it notifies Alarm via the channel ctr2alm (Line 23). Actuator
will open the door if Controller notifies it, and then it closes the door after a certain time
interval (Line 29).
For verifying EGS, we add a User process to model user behavior (Line 7). The sys-
tem is the interleaving of six components and User. Note that User is just used for veri-
fication, and we don’t generate code for user behavior (our framework gives designers
the flexibility to choose the components to generate software code for). We have veri-
fied three assertions: (1) the door never opens if the password is incorrect, (2) the door
will eventually open once the correct password is entered, and (3) if the password is
incorrect, Alarm will eventually be switched on (Lines 32-35). After the verification,
EGS satisfies the three assertions. The detailed model and the generated software code
for EGS can be found in [8].
The secure communication box (SCB) is a device for providing secure communica-
tion between two clients. SCB is funded by Singapore Defense, and it is confidential.
Thus, we only give a prototype here. Listing 1.5 shows the CSP# model for the SCB
prototype. After being powered on, SCB is initialized and then waits for a user connec-
tion (Line 5). In our framework, we provide the flexibility of implementing channels as
interprocess or socket communications. Designers can choose the implementation for
each channel. In SCB, the channel network is implemented as a socket communi-
cation. Once a user connects to SCB, it keeps receiving packets until the user sends a
disconnection packet (Line 7). The detailed model and the generated software code can
be found in [8].
6 Conclusion and Future Work
In this work, we proposed a framework that can help a system designer to model em-
bedded systems from a high-level modeling language, verify the design of the system,
and automatically generate executable software code whose behavior semantics is con-
sistent with the high-level model. With our framework, the development cycle of em-
bedded systems can be significantly reduced. In our future work, we plan to enhance the
code generation such that the synthesized software code can be executed on multi-core
architectures. We also plan to extend the syntax of the CSP# modeling language as well
as its semantics such that system designers can design more featured systems such as
real-time systems, probabilistic systems, safety-critical systems, and security protocols.
Automatic Generation of Provably Correct Embedded Systems 229
References
1. Amnell, T., Fersman, L., Mokrushin, E., Petterson, P., Yi, W.: TIMES: A Tool for Schedu-
lability Analysis and Code Generation of Real-Time Systems. In: Larsen, K.G., Niebert, P.
(eds.) FORMATS 2003. LNCS, vol. 2791, pp. 60–72. Springer, Heidelberg (2004)
2. Clarke, E.M., Grumberg, O., Peled, D.A.: Model Checking. MIT Press (1999)
3. Heitmeyer, C., Kirby, J., Labaw, B., Bharadwaj, R.: SCR*: A Toolset for Specifying and
Analyzing Software Requirements. In: Vardi, M.Y. (ed.) CAV 1998. LNCS, vol. 1427, pp.
526–531. Springer, Heidelberg (1998)
4. Hsiung, P.A., Lin, S.W.: Automatic synthesis and verification of real-time embedded soft-
ware for mobile and ubiquitous systems. Computer Languages, Systems & Structures 34(4),
153–169 (2008)
5. Hsiung, P.-A., Lin, S.-W., Hung, C.-C., Fu, J.-M., Lin, C.-S., Chiang, C.-C., Chiang, K.-
C., Lu, C.-H., Lu, P.-H.: Real-Time Embedded Software Design for Mobile and Ubiquitous
Systems. In: Kuo, T.-W., Sha, E., Guo, M., Yang, L.T., Shao, Z. (eds.) EUC 2007. LNCS,
vol. 4808, pp. 718–729. Springer, Heidelberg (2007)
6. Hsiung, P.A., Lin, S.W., Tseng, C.H., Lee, T.Y., Fu, J.M., See, W.B.: VERTAF: An applica-
tion framework for the design and verification of embedded real-time software. IEEE Trans-
actions on Software Engineering 30(10), 656–674 (2004)
7. Knapp, A., Merz, S., Rauh, C.: Model Checking - Timed UML State Machines and Collabo-
rations. In: Damm, W., Olderog, E.-R. (eds.) FTRTFT 2002. LNCS, vol. 2469, pp. 395–414.
Springer, Heidelberg (2002)
8. Lin, S.W.: https://sites.google.com/site/shangweilin/pat-codegen
9. Liu, Y., Sun, J., Dong, J.S.: Developing Model Checkers Using PAT. In: Bouajjani, A., Chin,
W.-N. (eds.) ATVA 2010. LNCS, vol. 6252, pp. 371–377. Springer, Heidelberg (2010)
10. Me´ry, D., Singh, N.K.: Automatic code generation from event-B models. In: SoICT 2011,
pp. 179–188 (2011)
11. Niz, D., Rajkumar, R.: Time Weaver: A software-through-models framework for embedded
real-time systems. In: LCTES, pp. 133–143 (2003)
12. Peterson, G.L.: Myths about the mutual exclusion problem. Information Processing Let-
ters 10(3), 115–116 (1981)
13. Ramkarthik, S., Zhang, C.: Generating java skeletal code with design contracts from specifi-
cations in a subset of object Z. In: ACIS-ICIS 2006, pp. 405–411 (2006)
14. Samek, M.: Practical UML Statecharts in C/C++: Event-Driven Programming for Embedded
Systems. Newnes (2008)
15. SCADE,
http://www.esterel-technologies.com/products/scade-suite/
16. Sun, J., Liu, Y., Dong, J.S., Chen, C.: Integrating specification and programs for system
modeling and verification. In: TASE 2009, vol. 962, pp. 127–135 (2009)
17. Thompson, J.M., Heimdahl, M.P.E., Miller, S.P.: Specification-based prototyping for embed-
ded systems. In: SIGSOFT 1999, pp. 163–179 (1999)
