#### SAFE CCSL SPECIFICATION: A SUFFICIENT CONDITION

Frédéric Mallet<sup>1</sup>, <u>Jean-Vivien Millo</u><sup>1</sup>, Robert de Simone<sup>2</sup> <sup>1</sup>Univ. Nice Sophia Antipolis, CNRS I3S, INRIA <sup>2</sup>INRIA Sophia-Antipolis

MemoCODE 2013, Portland, Oregon, USA

#### CCSL AND TIMESQUARE

#### CCSL: Clock Constraint Specification Language

🔒 \*Alternates.extendedCCSL 🖾



# OUTLINE

× Motivation and overview

**×** Expressing the sufficient condition

× Conclusion

# MOTIVATION

- × Let us consider a clock c in a specification spec
- x Liveness(c): c can tick/occur infinitely often.

- Model checking (LTL/CTL)
  - + State-based representation of the specification
    - $\times$  State-based representation of each constraint[1]
    - $\times$  A composition operator[1]

× Have a finite state space



#### FINITE AND INFINITE CCSL CONSTRAINTS

- × Some constraints are finite
  - + coincidence, exclusion, subset, delay, or, and
- Some constraints are infinite
   + Precedence, max, min
- Some products of infinite constraints are finite
   Ex: alternate

#### FINITE AND INFINITE CCSL CONSTRAINTS

b = a delayed by 1

left precedes right



a alternates with c



 $\epsilon$ 

. . .

both

#### BUILDING THE STATE SPACE

Problem: the composition operation terminates only when the state space is finite.

× <u>Strategy:</u> detect boundedness before composing.

<u>Solution:</u> 1/ build a MG of precedence
 2/ check for strong connections

# EXAMPLE: ALTERNATES



# OUTLINE

**×** Motivation and overview

Expressing the sufficient condition

× Conclusion

## STATE SPACE

left precedes right



The state space is based on δ=X<sub>left</sub>-X<sub>right</sub> counters
 δ's are integer representations of precedencies
 Precedencies are induced by every constraint
 + ...and capture its state space
 A precedence is equivalent to a place in a MG



#### **INFINITE STATE CONSTRAINTS**

 $i = inf(c_1, c_2)$ : *i* ticks with the first of  $(c_1, c_2)$ 





Corresponding precedence relation:

- + i precedes  $c_1$
- + i precedes  $c_2$

 $\mathbf{x} c_1$  and  $c_2$  are synchronizable

#### FINITE STATE CONSTRAINTS

 $\mathbf{x} o = c_1 \operatorname{or} c_2$ 



#### Corresponding precedence relation:

- + o precedes  $c_1$
- + o precedes  $c_2$



#### MG ABSTRACTION OF A CCSL SPEC

# × Every clock → A transition × Every constraint → precedence(s) → place(s)

Clock  $c_1, c_2, o$  $c_1$  precedes  $c_2$  $o = c_1$  or  $c_2$ 



#### **BOUNDEDNESS CONDITION**

**×** For every synchronizable relation

+ The two transitions belong to the same SCC

+ In a MG, all transitions of a SCC have the same asymptotic rate [Commoner et al. 1971]



# OUTLINE

**×** Motivation and overview

**×** Expressing the sufficient condition

× Conclusion

## CONCLUSION

- We present a sufficient condition to detect bounded/safe CCSL specifications
  - + We use a MG abstraction of CCSL
  - + The condition is probably also necessary
     > but it is not proved.
  - + "Clock death" has not been considered

## **FUTURE WORK**

- × Universal deadlock detection:
- $c_1$  alternates with  $c_2$

 $c_1$  precedes  $c_2$  $c_2$  precedes  $c_1$ 





# **QUESTIONS?**

- MARTE profile: <u>http://www.omgmarte.org</u>
- **×** Timesquare: <u>http://timesquare.inria.fr</u>
- [1] F. Mallet and J-V. Millo, Boundedness issues in CCSL specifications, ICFEM 2013
- [2] Commoner, Holt, Even, Pnueli; Marked Directed Graphs, 1971