Project : vasy
Section: New Results
Languages and Compilation Techniques
Compilation of the LOTOS Data Part
In 2004, we deeply modified the Cæsar.adt compiler for the data part of Lotos so as to implement a feature requested by many users around the world.
Enumerative verification for specifications that contain typed values may require to enumerate exhaustively the domains of certain types, i.e., the set of all values of certain types. To do this, Cæsar.adt generates automatically iterators (i.e., fragments of C code) suitable for enumerating Lotos types, which are basically data types defined by a set of free constructors. Obviously, this can only be done for types with a finite domain. Cæsar.adt also accepts iterators written by the user manually.
So far, the iterators generated automatically by Cæsar.adt were restricted to certain classes of Lotos types: (bounded) natural numbers, enumerated types, and tuple types. The changes brought to Cæsar.adt in 2004 allow iterators to be generated for all finite Lotos types, including the intricate case of union types, which might be nested at any depth.
This improvement required a deep modification of the concept of iterators and the addition of 1, 000 new lines of code in Cæsar.adt. In the former version of Cæsar.adt, an old-style iterator consisted of one single C macro-definition (similar to a ``for''-loop), whereas in the modified versions of Cæsar.adt, a new-style iterator consists of two companion C macro-definitions (based on a ``first/next'' scheme).
A key issue was to maintain, as much as possible, backward compatibility with former versions of Cæsar.adt, in particular by accepting old-style iterators already written by the users manually. In most cases, the change is transparent to the end-user; otherwise, error messages are emitted, which will disappear after minor modifications by the user.
The Cæsar compiler, the predefined Lotos data type libraries, and the Cadp demo examples have been updated so as to take advantage of new-style iterators.
Compilation of the LOTOS Process Part
In 2004, we enhanced in several ways the Cæsar compiler for the process part of Lotos:
We enhanced the optimization by which Cæsar eliminates all ``dead'' transitions from its internal network model (i.e., an extended Petri net model generated by Cæsar from a source Lotos description).
Previously, the detection of ``dead'' transitions was done using an explicit state approach, by enumerating all reachable markings. However, a benchmark experiment that we conducted in 2003 on a large Lotos example provided to us by Bull demonstrated that symbolic methods were superior for that task.
For this reason, D. Bergamini developed in 2004 a new tool named Cæsar.bdd  (900 lines of C code), which uses symbolic methods (Binary Decision Diagrams) to compute structural properties of basic Petri nets, including the set of ``dead'' transitions. The Cæsar compiler was enhanced to cooperate with Cæsar.bdd for the elimination of ``dead'' transitions. The good performance provided by the symbolic approach made possible to turn ``dead'' transitions elimination into a systematic optimization, whereas it was previously only an optional one.
We continued the work undertaken in 2003 about techniques for state space reduction, our goal being to decrease the size of the graphs generated by Cæsar, still preserving strong bisimulation between the original and reduced graphs.
Our approach is based on live variable analysis, first proposed by H. Garavel and Juan Galvez . The basic idea is to assign a canonical value to any variable that is no longer used, so as to avoid distinguishing state vectors that only differ by the values of some variables not used in the future. This is done by adapting classical data flow analysis to the extended Petri nets generated by Cæsar and by resetting to zero each variable as soon as it ceases to be alive.
Our approach is general enough to handle so-called hierarchical units, i.e., the possibility to split each process into a set of concurrent sub-processes at an arbitrary nesting depth. In this model, concurrent processes do not share variables; however, the variables of a parent process can be consulted (but not modified) by its child sub-processes, a situation for which we designed several heuristics.
In 2004, we identified a difficult problem arising in the particular case of ``reset/use'' conflicts, and we refined our approach to handle such conflicts properly. This work led to publications .
We implemented our ideas in a prototype version of Cæsar (about 5, 000 lines of additional C code), which we applied to a benchmark suite of 518 Lotos specifications, among which 289 appeared to be relevant for assessing our approach; for the 229 others, the network variables could be eliminated by optimizations already implemented in Cæsar, such as constant detection and transformation into registers (i.e., variables local to a transition). For 131 examples, the size of graphs generated by Cæsar was divided by a mean factor of 9 (with a maximum of 400) as regards the number of states and a mean factor of 13 (with a maximum of 500) as regards the number of transitions. On three further examples our prototype was capable to generate state space that the standard version Cæsar 6.2 could not handle due to lack of memory. For one of these examples, we observed a reduction factor greater than 104.
Additionally, W. Serwe experimented further uses of data-flow analysis so as to reduce memory requirements for enumerative verification.
Compilation of E-LOTOS
As regards the data part of E-Lotos, we continued to improve the Traian compiler (see § 5.2), which is distributed on the Internet (see § 9.1) and used intensively within the Vasy team as a development tool for compiler construction .
In 2004, we released a new version 2.4 of Traian, which corrects two bugs of the previous version 2.3 issued in 2003. In addition, we ported the Traian compiler to the Mac OS X and recent Linux operating systems.
We also continued to work on the compilation of the process part of E-Lotos and Lotos NT, which is a difficult problem as these languages combine concurrency, quantitative time, and exceptions. To deal with these problems progressively, we chose to focus first on the sequential processes present in E-Lotos and Lotos NT. In 2002, we designed a formalism named Ntif (New Technology Intermediate Form) to be used as an intermediate language for compiling and verifying E-Lotos and Lotos NT processes.
Ntif allows to specify extended automata parameterized by typed variables. Each transition is labeled with an action (which allows communication with the environment according to the rendezvous semantics of process algebras) and a sequential code fragment to read and/or write variables. Compared to classical ``condition/action'' (or ``guarded commands'') automata, Ntif provides high level control structures (statements ``case'', ``if-then-else'', ``while'', etc.); this avoids the introduction of spurious intermediate states and transitions, as well as the duplication of boolean conditions, an important source of errors .
Since 2003, Ntif also features quantitative time concepts, in the form of a ``wait'' operator that lets a given amount of time elapse, timing tags on actions to express deadline and urgency, and a construct to capture the time elapsed between the instant an action is enabled and the instant it actually occurs.
In 2004, we revised and simplified the semantics of timed Ntif automata, by observing that properties inherent to time (namely time additivity, time determinism, and maximal progress) can be decoupled from the structural semantics definition. To this aim, we defined a time equivalence relation on Timed Labeled Transition Systems, the underlying model of Ntif. This lead to structural operational semantics rules that are lightweight extensions of the untimed rules. Besides Ntif, this approach could be used to simplify the (generally complex) semantics of many timed process algebras.
Source-Level Translations between Process Algebras
Although process algebras are, from a technical point of view, the best formalism to describe concurrent systems, they are not used as widely as it could be. Besides the steep learning curve of process algebras, which is traditionally mentioned as the main reason for this situation, it seems also that the process algebra community scattered its efforts by developing too many languages, similar in concept but incompatible in practice. Even the advent of two international standards, such as Lotos (in 1989) and E-Lotos (in 2001), did not remedy to this fragmentation.
Because of this, process algebras other than Lotos do not benefit from the advanced functionalities provided by the Cadp toolbox. In 2004, we started to address this problem by designing source-level translators from various process algebras into Lotos.
In the framework of the Inria/Leti collaboration (see § 8.1), we focused on the process algebra Chp (Communicating Hardware Processes) for which the Tima laboratory has developed a circuit synthesis tool named Tast and which is used by the Leti laboratory to describe complex, asynchronous circuits at a high abstraction level.
G. Salaün undertook the development of a translator from Chp to Lotos (currently, 2, 130 lines of Syntax compiler-generator code, 1, 970 lines of Lotos NT code, and 350 lines of C code). When completed, this translator should allow Chp designs to be verified using Cadp before being turned into asynchronous circuits using Tast.
Besides the case of Chp, G. Salaün started studying translators for other process algebras, including Csp/Fdr2 and Fsp.