Using Multiple Levels of Abstraction in Embedded Software Design,

Using Multiple Levels of Abstraction in Embedded Software Design,
Using Multiple Levels of Abstractions in
Embedded Software Design
Jerry R. Burch1, Roberto Passerone1, and Alberto L. Sangiovanni-Vincentelli2
Cadence Berkeley Laboratories, Berkeley CA 94704, USA
Department of EECS, University of California at Berkeley, Berkeley CA 94720,
Abstract. The methodologies that are in use today for software devel-
opment rely on representations and techniques appropriate for the applications (compilers, business applications, CAD, etc.) that have been
traditionally implemented on programmable processors. Embedded software is dierent: by virtue of being embedded in a surrounding system,
the software must be able to continuously react to stimula in the desired
way. Verifying the correctness of the system requires that the model
of the software be transformed to include (rene) or exclude (abstract)
information to retain only what is relevant to the task at hand. In this
paper, we outline a framework that we inted to use for studying the problems of abstraction and renement in the context of embedded software
for hybrid systems.
1 Introduction
Embedded Software (ESW) design is one, albeit critical, aspect of the more general problem of Embedded System Design (ESD or just ES). ESD is about the
implementation of a set of functionalities satisfying a number of constraints ranging from performance to cost, emissions, power consumption and weight. The
choice of implementation architecture implies which functionality will be implemented as a hardware component or as software running on a programmable
component. In recent years, the functionalities to be implemented in ES have
grown in number and complexity so much so that the development time is increasingly dicult to predict and control. The complexity increase coupled with
the constantly evolving specications has forced designers to look at implementations that are intrinsically exible, i.e., that can be changed rapidly. Since
hardware-manufacturing cycles do take time and are expensive, the interest in
software-based implementation has risen to previously unseen levels. The increase in computational power of processors and the corresponding decrease in
size and cost have allowed moving more and more functionality to software.
However, this move corresponds to increasing problems in verifying design correctness, a critical aspect of ESD since several application domains, such as
transportation and environment monitoring, are characterized by safety considerations that are certainly not necessary for the traditional PC-like software
applications. In addition to this aspect, little attention has been traditionally
paid to hard constraints on reaction speed, memory footprint and power consumption of software. This is of course crucial for ES. These considerations point
to the fact that ESW is really an implementation choice for a functionality that
can be indierently implemented as a hardware component, and that we cannot
abstract away hard characteristics of software as we have done in the traditional
software domain. No wonder then that we are witnessing a crisis in the ES domain for ESW design. This crisis is not likely to be resolved going about business
as usual but we need to focus at the root of the problems.
Our vision for ESW is to change radically the way in which ESW is developed
today by: 1) linking ESW upwards in the abstraction layers to system functionality; 2) linking ESW to the programmable platforms that support it thus providing
the much needed means to verify whether the constraints posed on ES are met.
ESW today is written using low level programming languages such as C
or even Assembler to cope with the tight constraints on performance and cost
typical of most embedded systems. The tools available for creating and debugging
software are no dierent than the ones used for standard software: compilers,
assemblers and cross-compilers. If any dierence can be found, it is that most
tools for ESW are rather primitive when compared to analogous tools for richer
platforms. On the other hand, ESW needs hardware support for debugging and
performance evaluation that in general is not a big issue for traditional software.
In most embedded software, operating systems were application dependent and
developed in house. Once more, performance and memory requirements forced
this approach.
When embedded software was simple, there was hardly need for a more sophisticated approach. However, with the increased complexity of ES application,
this rather primitive approach has become the bottleneck and most system companies have decided to enhance their software design methodology to increase
productivity and product quality. However, we do not believe that the real reasons for such a sorry state are well understood. We have seen a urry of activities towards the adoption of object-oriented approaches and other syntactically
driven methods that have certainly value in cleaning the structure and the documentation of embedded software but have barely scratched the surface in terms
of quality assurance and time-to-market. Along this line, we also saw a growing interest towards standardization of Real-Time Operating Systems either de
facto, see for example the market penetration of WindRiver in this domain, or
through standard bodies such as the OSEK committee established by the German automotive industry. Quite small still is the market for development tools
even though we do believe this is indeed the place where much productivity
gain can be had. There is an interesting development in some application areas,
where the need to capture system specications at higher levels of abstraction is
forcing designers to use tools that emphasize mathematical descriptions, making
software code an output of the tool rather than an input. The leader in this
market is certainly the Matlab tool set developed by MathWorks. In this case,
designers develop their concept in this friendly environment where they can assemble their designs quickly and simulate their behaviour. While this approach
is denitely along the right direction, we have to raise the ag and say that the
mathematical models supported by Matlab and more pertinently by Simulink,
the associated simulator, are somewhat limited and do not cover the full spectrum of embedded system design. The lack of data ow support is critical. The
lack of integration between the FSM capture tool (State Flow) and Simulink is
also a problem. As we will detail later, this area is of key interest for our vision.
It is at this level that we are going to have the best results in terms of functional
correctness and error free renement to implementation. The understanding of
the mathematical properties of the embedded system functionality must be a
major emphasis of our approach.
We have advocated the introduction of rigorous methodologies for systemlevel design for years, but we feel that there is still much to do. Recently we have
directed our eorts to a new endeavor that tries to capture the requirements of
present day embedded system design: the Metropolis project.
The Metropolis project, supported by the Gigascale Silicon Research Center,
started two years ago and involves a large number of people in dierent research
institutions. It is based on the following principles:
1. Orthogonalization of concerns: In Metropolis, behavior is clearly separated from implementation. Communication and computation are orthogonalized. Communication is recognized today as the main diculty in assembling
systems from basic components. Errors in software systems can often be traced
to communication problems. Metropolis was created to deal with communication
problems as the essence of the new design methodology. Communication-based
design will allow the composition of either software or hardware blocks at any
layer of abstraction in a controlled way. If the blocks are correct, the methodology
ensures that they communicate correctly.
2. Solid theoretical foundations that provide the necessary infrastructure for a new generation of tools: The tools used in Metropolis will
be interoperable and will work at dierent levels of abstraction, they will verify, simulate, and map designs from one level of abstraction to the next, help
choose implementations that meet constraints and optimize the criteria listed
above. The theoretical framework is necessary to make our claims of correctness
and eciency true. Metropolis will deal with both embedded software and hardware designs since it will intercept the design specication at a higher level of
abstraction. The design specications will have precise semantics. The semantics is essential to be able to: (i) reason about designs, (ii) identify and correct
functional errors, (iv) initiate synthesis processes.
Several formal models have been proposed over the years (see e.g. [6]) to capture one or more aspects of computation as needed in embedded system design.
We have been able to compare the most important models of computations using
a unifying theoretical framework introduced recently by Lee and SangiovanniVincentelli [9]. However, this denotational framework has only helped us to identify the sources of diculties in combining dierent models of computation that
are certainly needed when complex systems are being designed. In this case, the
partition of the functionality of the design into dierent models of computation
is somewhat arbitrary as well as arbitrary are the communication mechanisms
used to connect the \ports" of the dierent models. We believe that it is possible to optimize across model-of-computation boundaries to improve performance
and reduce errors in the design at an early stage in the process.
There are many dierent views on how to accomplish this. There are two
essential approaches: one is to develop encapsulation techniques for each pair of
models that allow dierent models of computation to interact in a meaningful
way, i.e., data produced by one object are presented to the other in a consistent way so that the object \understands" [4, 5]. The other is to develop an
encompassing framework where all the models of importance \reside" so that
their combination, re-partition and communication happens in the same generic
framework and as such may be better understood and optimized. While we realize that today heterogeneous models of computation are a necessity, we believe
that the second approach is possible and will provide designers a powerful mechanism to actually select the appropriate models of computation, (e.g., FSMs,
Data-ow, Discrete-Event, that are positioned in the theoretical framework in
a precise order relationship so that their interconnection can be correctly interpreted and rened) for the essential parts of their design.
In this paper, we focus on this very aspect of the approach: a framework
where formal models can be rigorously dened and compared, and their interconnections can be unambiguously specied. We use a kind of abstract algebra to
provide the underlying mathematical machinery. We believe that this framework
is essential to provide the foundations of an intermediate format that will provide the Metropolis infrastructure with a formal mechanism for interoperability
among tools and specication methods.
This framework is a work in progress. Our earlier work [2, 3] does not provide
a suciently general notion of sequential composition, which is essential for
modeling embedded software. The three models of computation described in
this paper (which all include sequential composition) are examples of the kinds
of models that we want to have t into the framework. After the framework has
been thoroughly tested on a large number of dierent models of computation,
we plan to publish a complete description of the framework.
2 Overview
This section presents the basic framework we use to construct semantic domains,
which is based on trace algebras and trace structure algebras. The concepts
briey described here will be illustrated by examples later in the paper. This
overview is intended to highlight the relationships between the concepts that
will be formally dened later.
More details of these algebras can be found in our earlier work [2, 3]. Note,
however, that our denitions of these algebras do not include sequential composition. For this reason, and other more technical reasons, the models of computation used in this paper do not t into our earlier framework.
We maintain a clear distinction between models of processes (a.k.a. agents)
and models of individual executions (a.k.a. behaviors). In dierent models of
computation, individual executions can be modeled by very dierent kinds of
mathematical objects. We always call these objects traces . A model of a process,
which we call a trace structure, consists primarily of a set of traces. This is analogous to verication methods based on language containment, where individual
executions are modeled by strings and processes are modeled by sets of strings.
However, our notion of trace is quite general and so is not limited to strings.
Traces often refer to the externally visible features of agents: their actions,
signals, state variables, etc. We do not distinguish among the dierent types,
and we refer to them collectively as a set of signals W . Each trace and each
trace structure is then associated with an alphabet A W of the signals it uses.
We make a distinction between two dierent kinds of behaviors: complete
behaviors and partial behaviors. A complete behavior has no endpoint. A partial
behavior has an endpoint; it can be a prex of a complete behavior or of another
partial behavior. Every complete behavior has partial behaviors that are prexes
of it; every partial behavior is a prex of some complete behavior. The distinction
between a complete behavior and a partial behavior has only to do with the
length of the behavior (that is, whether or not it has an endpoint), not with
what is happening during the behavior; whether an agent does anything, or
what it does, is irrelevant.
Complete traces and partial traces are used to model complete and partial
behaviors, respectively. A given object can be both a complete trace and a partial
trace; what is being represented in a given case is determined from context. For
example, a nite string can represent a complete behavior with a nite number
of actions, or it can represent a partial behavior.
In our framework, the rst step in dening a model of computation is to construct a trace algebra. The trace algebra contains the universe of partial traces
and the universe of complete traces for the model of computation. The algebra also includes three operations on traces: projection , renaming and concatenation . Intuitively, these operations correspond to encapsulation, instantiation
and sequential composition, respectively. Concatenation can be used to dene
the notion of a prex of a trace. We say that a trace x is a prex of a trace z if
there exists a trace y such that z is equal to x concatenated with y.
The second step is to construct a trace structure algebra. Here each element
of the algebra is a trace structure, which consists primarily of a set of traces from
the trace algebra constructed in the rst step. Given a trace algebra, and the set
of trace structures to be used as the universe of agent models, a trace structure
algebra is constructed in a xed way. Thus, constructing a trace algebra is the
creative part of dening a model of computation. Constructing the corresponding
trace structure algebra is much easier.
A conservative approximation is a kind of mapping from one trace structure
algebra to another. It can be used to do abstraction, and it maintains a precise
relationship between verication results in the two trace structure algebras. The
two trace structure algebras do not have to be based on the same trace alge-
bra. Thus, conservative approximations are a bridge between dierent models
of computation. Conservative approximations have inverses, which can be used
to embed an abstract model of computation into a more detailed one. Conservative approximations can be constructed from homomorphisms between trace
3 Trace algebras for embedded software
In this section we will present the denition of three trace algebras at progressively higher levels of abstraction. The rst trace algebra, called metric time ,
is intended to model exactly the evolutions (the ows and the jumps) of a hybrid system as a function of global real time. With the second trace algebra
we abstract away the metric while maintaining the total order of occurence of
events. This model is used to dene the untimed semantics of embedded software. Finally, the third trace algebra further abstracts away the information on
the event occurences by only retaining initial and nal states and removing the
intermediate steps. This simpler model can be used to describe the semantics of
some programming language constructs. The next section will then present the
denition of the homomorphisms that we use to approximate a more detailed
trace algebra with the more abstract ones.
3.1 Metric Time
A typical semantics for hybrid systems includes continuous ows that represent
the continuos dynamics of the system, and discrete jumps that represent instantaneous changes of the operating conditions. In our model we represent both
ows and jumps with single piece-wise continuous functions over real-valued
time. The ows are continuous segments, while the jumps are discontinuities
between continuous segments. In this paper we assume that the variables of the
system take only real or integer values and we defer the treatment of a complete
type system for future work. The sets of real-valued and integer valued variables
for a given trace are called VR and VN , respectively.
Traces may also contain actions, which are discrete events that can occur at
any time. Actions do not carry data values. For a given trace, the set of input
actions is MI and the set of output actions is MO .
Each trace has a signature which is a 4-tuple of the above sets of signals:
= (VR ; VN ; MI ; MO ):
The sets of signals may be empty, but we assume they are disjoint. The alphabet
of is
A = VR [ VN [ MI [ MO :
The set of partial traces for a signature is BP ( ). Each element of BP ( )
is as a triple x = (; ; f ). The non-negative real number is the duration (in
time) of the partial trace. The function f has domain A. For v 2 VR , f (v) is a
function in [0; ] ! R, where R is the set of real numbers and the closed interval
[0; ] is the set of real numbers between 0 and , inclusive. This function must be
piece-wise continuous and right-hand limits must exist at all points. Analogously,
for v 2 VN , f (v) is a piece-wise constant function in [0; ] ! N , where N is the
set of integers. For a 2 MI [ MO , f (a) is a function in [0; ] ! f0; 1g, where
f (a)(t) = 1 i action a occurs at time t in the trace.
The set of complete traces for a signature is BC ( ). Each element of BC ( )
is as a double x = (; f ). The function f is dened as for partial traces, except
that each occurence of [0; ] in the denition is replaced by R6, , the set of nonnegative real numbers.
To complete the denition of this trace algebra, we must dene the operations
of projection, renaming and concatenation on traces. The projection operation
proj(B )(x) is dened i MI B A. The trace that results is the same
as x except that the domain of f is restricted to B . The renaming operation
x0 = rename(r)(x) is dened i r is a one-to-one function from A to some
A0 W . If x is a partial trace, then x0 = ( 0 ; ; f 0 ) where 0 results from using
r to rename the elements of and f 0 = r f .
The denition of the concatenation operator x3 = x1 x2 , wherer x1 is a
partial trace and x2 is either a partial or a complete trace, is more complicated.
If x2 is a partial trace, then x3 is dened i 1 = 2 and for all a 2 A,
f1 (a)(1 ) = f2 (a)(0)
(note that 1 , 2 , etc., are components of x1 and x2 in the obvious way). When
dened, x3 = (1 ; 3 ; f3 ) is such that 3 = 1 + 2 and for all a 2 A
f3 (a)() = f1 (a)() for 0 1
f3 (a)() = f2 (a)( , 1 ) for 1 3 :
Note that concatenation is dened only when the end points of the two traces
match. The concatenation of a partial trace with a complete trace yields a complete trace with a similar denition. If x3 = x1 x2 , then x1 is a prex of x3 .
3.2 Non-metric Time
In the denition of this trace algebra we are concerned with the order in which
events occur in the system, but not in their absolute distance or position. This
is useful if we want to describe the semantics of a programming language for
hybrid systems that abstracts from a particular real time implementation.
Although we want to remove real time, we want to retain the global ordering
on events induced by time. In particular, in order to simplify the abstraction
from metric time to non-metric time described below, we would like to support
the case of an uncountable number of events1. Sequences are clearly inadequate
given our requirements. Instead we use a more general notion of a partially
In theory, such Zeno-like behavior is possible, for example, for an innite loop whose
execution time halves with every iteration
ordered multiset to represent the trace. We repeat the denition found in [12],
and due to Gischer, which begins with the denition of a labeled partial order.
Denition 1 (Labeled partial order). A labeled partial order (lpo) is a 4tuple (V; ; ; ) consisting of
1. a vertex set V , typically modeling events;
2. an alphabet (for symbol set), typically modeling actions such as the arrival
of integer 3 at port Q, the transition of pin 13 of IC-7 to 4.5 volts, or the
disappearance of the 14.3 MHz component of a signal;
3. a partial order on V , with e f typically being interpreted as event e
necessarily preceding event f in time; and
4. a labeling funciton : V ! assigning symbols to vertices, each labeled
event representing an occurence of the action labeling it, with the same action
possibly having multiple occurence, that is, need not be injective.
A pomset (partially ordered multiset) is then the isomorphism class of an lpo,
denoted [V; ; ; ]. By taking lpo's up to isomorphism we confer on pomsets a
degree of abstractness equivalent to that enjoyed by strings (regarded as nite
linearly ordered labeled sets up to isomorphism), ordinals (regarded as wellordered sets up to isomorphism), and cardinals (regarded as sets up to isomorphism).
This representation is suitable for the above mentioned innte behaviors: the
underlying vertex set may be based on an uncountable total order that suits
our needs. For our application, we do not need the full generality of pomsets.
Instead, we restrict ourselves to pomsets where the partial order is total, which
we call tomsets .
Traces have the same form of signature as in metric time:
= (VR ; VN ; MI ; MO ):
Both partial and complete traces are of the form x = (; L) where L is a tomset.
When describing the tomset L of a trace, we will in fact describe a particular lpo,
with the understanding that L is the isomorphism class of that lpo. An action
2 of the lpo is a function with domain A such that for all v 2 VR , (v) is a
real number (the value of variable v resulting from the action ); for all v 2 VN ,
(v) is an integer; and for all a 2 MI [ MO , (v) is 0 or 1. The underlying vertex
set V , together with its total order, provides the notion of time, a space that
need not contain a metric. For both partial and complete traces, there must exist
a unique minimal element min(V ). The action (min(V )) that labels min(V )
should be thought of as giving the initial state of the variables in VR and VN . For
each partial trace, there must exist a unique maximal element max(V ) (which
may be indentical to min(V )).
Notice that, as dened above, the set of partial traces and the set of complete
traces are not disjoint. It is convenient, in fact, to extend the denitions so that
traces are labeled with a bit that distinguishes partial traces from complete
traces, although we omit the details.
By analogy with the metric time case, it is straightforward to dene projection and renaming on actions 2 . This denition can be easily extended to
lpo's and, thereby, traces.
The concatenation operation x3 = x1 x2 is dened i x1 is a partial trace,
1 = 2 and 1 (max(V1 )) = 2 (min(V2 )). When dened, the vertex set V3 of x3
is a disjoint union:
V3 = V1 ] (V2 , min(V 2))
ordered such that the orders of V1 and V2 are preserved and such that all elements
of V1 are less than all elements of V2 . The labeling function is such that for all
v 2 V3
3 (v) = 1 (v) for min(V1 ) v max(V1 )
3 (v) = 2 (v) for max(V1 ) v:
3.3 Pre-Post Time
The third and last trace algebra is concerned with modeling non-interactive
constructs of a programming language. In this case we are interested only in an
agents possible nal states given an initial state. This semantic domain could
therefore be considered as a denotational representation of an axiomatic semantics.
We cannot model communication actions at this level of abstraction, so signatures are of the form = (VR ; VN ) and the alphabet of is A = VR [ VN .
A non-degenerate state s is a function with domain A such that for all v 2 VR ,
s(v) is a real number (the value of variable v in state s); and for all v 2 VN , s(v)
is an integer. We also have a degenerate, undened state ?.
A partial trace BP ( ) is a triple (; si ; sf ), where si and sf are states. A complete trace BC ( ) is of the form (; si ; ?! ), where ?! indicates non-termination.
This trace algebra is primarily intended for modeling terminating behaviors,
which explains why so little information is included on the traces that model
non-terminating behaviors.
The operations of projection and renaming are built up from the obvious
denitions of projection and renaming on states. The concatenation operation
x3 = x1 x2 is dened i x1 is a partial trace, 1 = 2 and the nal state of x1
is identical to the initial state of x2 . As expected, when dened, x3 contains the
initial state of x1 and the nal state of x2 .
3.4 Trace Structure Algebras
The basic relationship between trace algebras, trace structures and trace structure algebras was described earlier (see section 2). This section provides a few
more details.
A trace algebra provides a set of signatures and a set of traces for each
signature. A trace structure over a given trace algebra is a pair (; P ), where
is a signature and P is a subset of the traces for that signatures. The set P
represents the set of possible behaviors of an agent.
A trace structure algebra contains a set of trace structures over a given
trace algebra. Operations of projection, renaming, parallel composition and serial
composition on trace structures are dened using the operations of the trace
algebra, as follows.
Project and renaming are the simplest operations to dene. When they are
dened depends on the signature of the trace structure in the same way that
denedness for the corresponding trace algebra operations depends on the signatures of the traces. The signature of the result is also analogous. Finally, the
set of traces of the result is dened by naturally extending the trace algebra
operations to sets.
Sequential composition is dened in terms of concatentation in an analogous
way. The only dierence from projection and renaming is that sequential composition requires two traces structures as arguments, and concatenation requires
two traces as arguments.
Parallel composition of two trace structures is dened only when all the traces
in the structures are complete traces. Let trace structure T 00 be the parallel
composition of T and T 0. Then the components of T 00 are as follows (MI and
MO are omitted in pre-post traces):
VR00 = VR [ VR0
VN00 = VN [ VN0
MO00 = MO [ MO0
MI00 = (MI [ MI0 ) , MO00
P 00 = fx 2 BC ( 00 ) : proj(A)(x) 2 P ^
proj(A0 )(x) 2 P 0 g:
4 Homomorphisms
The three trace algebras dened above cover a wide range of levels of abstraction.
The rst step in formalizint the relationships between those levels is to dene
homomorphims between the trace algebras. As mentioned in section 2, trace
algebra homomorphisms induce corresponding conservative approximations between trace structure algebras.
4.1 From metric to non-metric time
A homomorphism from metric time trace algebra to non-metric time should
abstract away detailed timing information. This requires characterizing events
in metric time and mapping those events into a non-metric time domain. Since
metric time trace algebra is, in part, value based, some additional denitions are
required to characterize events at that level of abstraction.
Let x be a metric trace with signature and alphabet A such that
= (VR ; VN ; MI ; MO )
A = VR [ VN [ MI [ MO :
We dene the homomorphism h by dening a non-metric time trace y = h(x).
This requires building a vertex set V and a labeling function to construct an
lpo. The trace y is the isomorphism class of this lpo. For the vertex set we take
all reals such that an event occurs in the trace x, where the notion of event is
formalized in the next several denitions.
Denition 2 (Stable function). Let f be a function over a real interval to R
or N . The function is stable at t i there exists an > 0 such that f is constant
on the interval (t , ; t].
Denition 3 (Stable trace). A metric time trace x is stable at t i for all
v 2 VR [VN the function f (v) is stable at t; and for all a 2 MI [MO , f (a)(t) = 0.
Denition 4 (Event). A metric time trace x has an event at t > 0 if it is not
stable at t. Because a metric time trace doesn't have a left neighborhood at t = 0,
we always assume the presence of an event at the beginning of the trace. If x has
an event at t, the action label for that event is a function with domain A such
that for all v 2 A, (a) = f (a)(t), where f is a component of x as described in
the denition of metric time traces.
Now we construct the vertex set V and labeling function necessary to dene
y and, thereby, the homomorphsim h. The vertex set V is the set of reals t such
that x has an event at t. While it is convenient to make V a subset of the reals,
remember that the tomset that results is an isomorphism class. Hence the metric
dened on the set of reals is lost. The labeling function is such that for each
element t 2 V , (t) is the action label for the event at t in x.
Note that if we start from a partial trace in the metric trace we obtain a
trace in the non-metric trace that has an initial and nal event. It has an initial
event by denition. It has a nal event because the metric trace either has an
event at (the function is not constant), or the function is constant at but
then there must be an event that brought the function to that constant value
(which, in case of identically constant functions, is the initial event itself).
To show that h does indeed abstract away information, consider the following
situation. Let x1 be a metric time trace. Let x2 be same trace where time has
been \stretched" by a factor of two (i.e., forall v 2 A1 , x1 (a)(t) = x2 (a)(2t)).
The vertex sets generated by the above process are isomorphic (the order of the
events is preserved), therefore h(x1 ) = h(x2 ).
4.2 From non-metric to pre-post time
The homomorphism h from the non-metric time traces to pre-post traces requires
that the signature of the trace structure be changed by removing MI and MO .
Let y = h(x). The initial state of y is formed by restricting (min(V )) (the
initial state of x) to VR [ VN . If x is a complete trace, then the nal state of y is
?! . If x is a complete trace, and there exists a 2 MI [ MO and time t such that
f (a)(t) = 1, the nal state of y is ? . Otherwise, the nal state of y is formed
by restricting (max(V )).
5 Conservative Approximations
Trace algebras and trace structure algebras are convenient tools for constructing
models of agents. We are interested in relating dierent models that describe
systems at dierent levels of abstraction. Let A and A0 be two trace structure
algebras. A conservative approximation is a pair of functions (l ; u ) that map
the trace structures in A into the trace structures in A0 . Intuitively, the trace
structure u (T ) in A0 is an upper bound of the behaviors contained in T (i.e.
it contains all abstracted behaviors of T plus, possibly, some more). Similarly,
the trace structure l (T ) in A0 represents a lower bound of T (it contains only
abstract behaviors of T , but possibly not all of them). As a result,
u (T1 ) l (T2 ) implies T1 T2 :
Thus, a verication problem that involves checking for renement of a specication can be done in A0 , where it is presumably more ecient than in A. The
conservative approximation guarantees that this will not lead to a false positive
result, although false negatives are possible.
5.1 Homomorphisms and Conservative Approximations
A conservative approximation can be derived from a homomorphism between
two trace algebras. A homomorphism h is a function between the domains of
two trace algebras that commutes with projection, renaming and concatenation.
Consider two trace algebras C and C 0 . Intuitively, if h(x) = x0 the trace x0 is an
abstraction of any trace y such that h(y) = x0 . Thus, x0 can be thought of as representing the set of all such y. Similarly, a set X 0 of traces in C 0 can be thought
of as representing the largest set Y such that h(Y ) = X 0 , where h is naturally
extended to sets of traces. If h(X ) = X 0 , then X Y , so X 0 represents a kind of
upper bound on the set X . Hence, if A and A0 are trace structure algebras over
C and C 0 respectively, we use the function u that maps an agent P in A into
the agent h(P ) in A0 as the upper bound in a conservative approximation. A
sucient condition for a corresponding lower bound is: if x 62 P , then h(x) is not
in the set of possible traces of l (T ). This leads to the denition of a function
l (T ) that maps P into the set h(P ) , h(B(A) , P ). The conservative approximation = (l ; u ) is an example of a conservative approximation induced by
h. A slightly tighter lower bound is also possible (see [2]).
It is straightforward to take the general notion of a conservative approximation induced by a homomorphism, and apply it to specic models. Simply
construct trace algebras C and C 0 , and a homomorphism h from C to C 0 . Recall
that these trace algebras act as models of individual behaviors. One can construct the trace structure algebras A over C and A0 over C 0 , and a conservative
approximation induced by h. Thus, one need only construct two models of
individual behaviors and a homomorphism between them to obtain two trace
structure models along with a conservative approximation between the trace
structure models.
This same approach can be applied to the three trace algebras, and the two
homomorphisms between them, that were dened in section 3, giving conservative approximations between process models at three dierent levels of abstraction.
5.2 Inverses of Conservative Approximations
Conservative approximations represent the process of abstracting a specication in a less detailed semantic domain. Inverses of conservative approximations
represent the opposite process of renement.
Let A and A0 be two trace structure algebras, and let be a conservative
approximation between A and A0 . Normal notions of the inverse of a function
are not adequate for our purpose, since is a pair of functions. We handle this
by only considering the T in A for which u (T ) and l (T ) have the same value
T 0. Intuitively, T 0 represents T exactly in this case, hence we dene (T 0 ) = T .
When u (T ) 6= l (T ) then is not dened.
The inverse of a conservative approximation can be used to embed a trace
structure algebra at a higher level of abstraction into one at a lower level. Only
the agents that can be represented exactly at the high level are in the image of
the inverse of a conservative approximation. We use this as part of our approach
for reasoning about embedded software at multiple levels of abstraction.
6 Embedded Software
This section outlines our approach for using multiple levels of abstraction to
analyze embedded software. Our motivating example is a small segment of code
used for engine cuto control [1]. This example is particularly interesting to
us because the solution proposed in [1] includes the use of a hybrid model to
describe the torque generation mechanism.
6.1 Cuto Control
The behaviors of an automobile engine are divided into regions of operation,
each characterized by appropriate control actions to achieve a desired result. The
cuto region is entered when the driver releases the accelerator pedal, thereby
requesting that no torque be generated by the engine. In order to minimize
power train oscillations that result from suddenly reducing torque, a closed loop
control damps the oscillations using carefully timed injections of fuel. The control
problem is therefore hybrid, consisting of a discrete (the fuel injection) and
a continuous (the power train behavior) systems tightly linked. The approach
taken in [1] is to rst relax the problem to the continuous domain, solve the
problem at this level, and nally abstract the solution to the discrete domain.
Figure 1 shows the top level routine of the control algorithm. Although we use
a C-like syntax, the semantics are simplied, as described later. The controller
is activated by a request for an injection decision (this happens every full engine
cycle). The algorithm rst reads the current state of the system (as provided by
the sensors on the power train), predicts the eect of injecting or not injecting on
the future behavior of the system, and nally controls whether injection occurs.
The prediction uses the value of the past three decisions to estimate the position
of the future state. The control algorithm involves solving a dierential equation,
which is done in the call to compute sigmas (see [1] for more details). A nearly
optimal solution can be achieved without injecting intermediate amounts of fuel
(i.e., either inject no fuel or inject the maximum amount). Thus, the only control
inputs to the system are the actions action injection (maximum injection)
and action no injection (zero injection).
void control_algorithm( void ) {
// state definition
struct state { double x1; double x2; double omega_c; } current_state;
// Init the past three injections (assume injection before cutoff)
double u1, u2, u3 = 1.0;
// Predictions
double sigma_m, sigma_0;
loop forever {
await( action_request );
read_current_state( current_state );
compute_sigmas( sigma_m, sigma_0, current_state, u1, u2, u3 );
// update past injections
u1 = u2;
u2 = u3;
// compute next injection signal
if ( sigma_m < sigma_0 ) {
action_injection( );
u3 = 1.0;
} else {
action_no_injection( );
u3 = 0.0;
Fig.1. The control algorithm
6.2 Using Pre-Post Traces
One of the fundamental features of embedded software is that it interacts with
the physical world. Conventional axiomatic or denotational semantics of sequential programming languages only model initial and nal states of terminating
programs. Thus, these semantics are inadequate to fully model embedded software.
However, much of the code in an embedded application does computation or
internal communication, rather than interacting with the physical world. Such
code can be adequately modeled using conventional semantics, as long as the
model can be integrated with the more detailed semantics necessary for modeling
interaction. Pre-post trace structures are quite similar to conventional semantics.
As described earlier, we can also embed pre-post trace structures into more
detailed models. Thus, we can model the non-interactive parts of an embedded
application at a high level of abstraction that is simpler and more natural, while
also being able to integrate accurate models of interaction, real-time constraints
and continuous dynamics.
This subsection describes the semantics of several basic programming language constructs in terms of pre-post trace structures. The following two subsections describe how these semantics can be integrated into more detailed models.
The semantics of each statement is given by a trace structure. To simplify the
semantics, we assume that inter-process communication is done through shared
actions rather than shared variables. A pre-post trace structure has a signature
of the form (VR ; VN ). For the semantics of a programming language statement,
indicates the variables accessible in the scope where the statement appears.
For a block that declares local variables, the trace structure for the statement in
the block includes in its signature the local variables. The trace structure for the
block is formed by projecting away the local variables from the trace structure
of the statement.
The sequential composition of two statements is dened as the concatenation
of the corresponding trace structures: the denition of concatenation ensures
that the two statements agree on the intermediate state. The traces in the trace
structure for an assignment to variable v are of the form (; si ; sf ), where si is
an arbitrary initial state, and sf is identical to si except that the value of v is
equal to the value of the right-hand side of the assignment statement evaluated
in state si (we assume the evaluation is side-eect free).
The semantics of a procedure denition is given by a trace structure with
an alphabet fv1 ; : : : ; vr g where vk is the k-th argument of the procedure (these
signal names do not necessarily correspond to the names of the formal variables).
We omit the details of how this trace structure is constructed from the text of
the procedure denition. More relevant for our control algorithm example, the
semantics of a procedure call proc(a, b) is the result of renaming v1 ! a and
v2 ! b on the trace structure for the denition of proc. The parameter passing
semantics that results is value-result (i.e. no aliasing or references) with the restriction that no parameter can be used for both a value and result. More realistic
(and more complicated) parameter passing semantics can also be modeled.
To dene the semantics of if-then-else and while loops we dene a function init(x; c) to be true if and only if the predicate c is true in the initial state
of trace x. The formal denition depends on the particular trace algebra being
used. In particular, for pre-post traces, init(x; c) is false for all c if x has ? as
its initial state.
For the semantics of if-then-else, let c be the conditional expression and
let PT and PE be the sets of possible traces of the then and else clauses,
respectively. The set of possible traces of the if-then-else is
P = fx 2 PT : init(x; c)g [ fx 2 PE : :init(x; c)g
Notice that this denition can be used for any trace algebra where init(x; c) has
been dened, and that it ignores any eects of the evaluation of c not being
In the case of while loops we rst dene a set of traces E such that for all
x 2 E and traces y, if x y is dened then x y = y. For pre-post traces, E is the
set of all traces with identical initial and nal states. If c is the condition of the
loop, and PB the set of possible traces of the body, we dene PT;k and PN;k to
be the set of terminating and non-terminating traces, respectively, for iteration
k, as follows:
PT;0 = fx 2 E : :init(x; c)g
PN;0 = fx 2 E : init(x; c)g
PT;k+1 = PN;k PB PT;0
PN;k+1 = PN;k PB PN;0
The concatenation of PT;0 and PN;0 at the end of the denition ensures that the
nal state of a terminating trace does not satisfy the condition c, while that of a
non-terminating trace does. Clearly the semantics of the loop should include all
the terminating traces. For non-terminating traces, we need to introduce some
additional notation. A sequence Z =< z0 ; : : : > is a non-terminating execution
sequence of a loop if, for all k, zk 2 PN;k and zk+1 2 zk PB . This sequence is a
chain in the prex ordering. The initial state of Z is dened to be the initial state
of z0. For pre-post traces, we dene PN;! to be all traces of the form (; s; ?! )
where s is the initial state of some non-terminating execution sequence Z of the
loop. The set of possible traces of the loop is therefore
P = ( PT;k ) [ PN;! :
6.3 Using Non-Metric Time Traces
Using an inverse conservative approximation, as described earlier, the pre-post
trace semantics described in the previous subsection can be embedded into nonmetric time trace structures. However, this is not adequate for two of the constructs used in gure 1: await and the non-terminating loop. These constructs
must be describe directly at the lower level of abstraction provided by non-metric
time traces.
As used used in gure 1, the await(a) simply delays until the external action
a occurs. Thus, the possible partial traces of await are those where the values
of the state variables remain unchanged and the action a occurs exactly once, at
the endpoint of the trace. The possible complete traces are similar, except that
the action a must never occur.
To give a more detailed semantics for non-terminating loops, we dene the set
of extensions of a non-terminating execution sequence Z to be the set ext(Z ) =
fx 2 B( ) : 8k[zk 2 pref (x)]g. For any non-terminating sequence Z , we require
that ext(Z ) be non-empty, and have a unique maximal lower bound contained
in ext(Z ), which we denote lim(Z ). In the above denition of the possible traces
of a loop, we modify the denition of the set of non-terminating behaviors PN;!
to be the set of lim(Z ) for all non-terminating execution sequences Z .
6.4 Using Metric Time Traces
Analogous to the embedding discussed in the previous subsection, non-metric
time traces structures can be embedded into metric-time trace structures. Here
continuous dynamics can be represented, as well as timing assumptions about
programming language statements. Also, timing constraints that a system must
satisfy can be represented, so that the system can be veried against those
7 Conclusions and Comparisons with Other Approaches
It was not our goal to construct a single unifying semantic domain, or even a
parameterized class of unifying semantic domains. Instead, we wish to construct
a formal framework that simplies the construction and comparison of dierent
semantic domains, including semantic domains that can be used to unify specic,
restricted classes of other semantic domains.
There is a tradeo between two goals: making the framework general, and
providing structure to simplify constructing semantic domains and understanding their properties. While our framework is quite general, we have formalized
several assumptions that must be satised by our semantic domains. These include both axioms and constructions that build process models (and mappings
between them) from models of individual behaviors (and their mappings). These
assumptions allow us to prove many generic theorems that apply to all semantic domains in our framework. In our experience, having these theorems greatly
simplies constructing new semantic domains that have the desired properties
and relationships.
Process Spaces [10, 11] are an extremely general class of concurrency models.
However, because of their generality, they do not provide much support for constructing new semantic domains or relationships between domains. For example,
by proving generic properties of broad classes conservative approximations, we
remove the need to reprove these properties when a new conservative approximation is constructed.
Similarly, our notion of conservative approximation can be described in terms
of abstract interpretations. However, abstraction interpretations are such a general concept that they do not provide much insight into abstraction and renment
relationships between dierent semantic domains.
Many are the models that have been proposed to represent the behavior of
hybrid systems. Most of them share the same view of the behavior as composed
of a sequence of steps; each step is either a continuous evolution (a ow) or a
discrete change (a jump). Dierent models varies in the way they represent the
sequence. One example is the Masaccio model ([7, 8]) proposed by Henzinger et
alii. In Masaccio the representation is based on components that communicate
with other components through variables and locations. During an execution
the ow of control transitions from one location to another according to a state
diagram that is obtained by composing the components that constitute the system. The underlying semantic model is based on sequences. The behavior of each
component is characterized by a set of nite executions, each of them composed
of an entry location and a sequence of steps that can be either jumps or ows.
An exit location is optional. The equations associated with the transitions in
the state diagram dene the legal jumps and ows that can be taken during the
sequence of steps.
The operation of composition in Masaccio comes in two avors: parallel and
serial. The parallel composition is dened on the semantic domain as the conjunction of the behaviors: each execution of the composition must also match an
execution of the individual components. Conversely, serial composition is dened
as the disjunction of the behaviors: each execution of the composition need only
match the execution of one of the components. Despite its name, this operation
doesn't serialize the behaviors of the two components. Instead, a further operation of location hiding is required to string together the possible executions of a
In our framework we talk about hybrid models in terms of the semantic domain only (which is based on functions of a real variable rather than sequences).
This is a choice of emphasis: in Masaccio the semantic domain is used to describe
the behavior of a system which is otherwise represented by a transition system.
In our approach the semantic domain is the sole player and we emphasize results that abstract from the particular representation that is used. It's clear, on
the other hand, that a concrete representation (like a state transition system) is
extremely important in developing applications and tools that can generate or
analyze an implementation of a system.
In our paper we presented three models for semantic domains. Masaccio
compares to our more detailed model. In our approach we have decided to model
the ows and the jumps using a single function of a real variable: ows are the
continuous segments of the functions, while jumps are the points of discontinuity.
This combined view of jumps and ows is possible in our framework because we
are not constrained by a representation based on dierential equations, and hence
we do not require the function to be dierentiable. Another dierence is that
dierent components are allowed to concurrently execute a jump and a ow,
as long as the conditions imposed by the operation of parallel composition are
Because in Masaccio the operations of composition are dened on the semantic domain and not on the representation it is easy to do a comparison with our
framekwork. Parallel composition is virtually identical (both approaches use a
projection operation). On the other hand we dene serial composition in quite
dierent terms: we introduce a notion of concatenation that is dicult to map
to the sequence of steps that include serial composition and location hiding. In
fact, it appears that the serial composition so obtained might contain side-eects
that are intuitively not intended in a proper sequential composition of behaviors
(because of the projection during the serial composition, a behavior of the compound component might include executions that were not originally present in
the components themselves). We believe this could simply be an artifact of the
representation based on state transitions that requires the identication of the
common points where the control can be transferred.
The concept of renement in Masaccio is also based on the semantic domain.
Masaccio extends the traditional concept of trace containment to a prex relation
on trace sets. In particular, a component A renes a component B either if the
behavior of A (its set of executions) is contained in the behavior of B , or if the
behaviors of A are suxes of behaviors of B . In other words, B could be seen
as the prex of all legal behaviors.
In our framework we must distinguish between two notions of renement. The
rst is a notion of renement within a semantic domain: in our framework this
notion is based on pure trace containment. We believe this notion of renement
is sucient to model the case of sequential systems as well: it is enough to require
that the specication include all possible continuations of a common prex.
The second notion of renement that is present in our framework has to do
with changes in the semantic domain. This notion is embodied in the concept
of conservative approximation that relates models at one level of abstraction to
models at a dierent level of abstraction. There is no counterpart of this notion
in the Masaccio model.
1. A. Balluchi, M. D. Benedetto, C. Pinello, C. Rossi, and A. Sangiovanni-Vincentelli.
Cut-o in engine control: a hybrid system approach. In IEEE Conf. on Decision
and Control, 1997.
2. J. R. Burch. Trace Algebra for Automatic Verication of Real-Time Concurrent
Systems. PhD thesis, School of Computer Science, Carnegie Mellon University,
Aug. 1992. Technical Report CMU-CS-92-179.
3. J. R. Burch, R. Passerone, and A. Sangiovanni-Vincentelli. Overcoming heterophobia: Modeling concurrency in heterogeneous systems. In M. Koutny and
A. Yakovlev, editors, Application of Concurrency to System Design, 2001.
4. J. Davis II, M. Goel, C. Hylands, B. Kienhuis, E. A. Lee, J. Liu, X. Liu, L. Muliadi,
S. Neuendorer, J. Reekie, N. Smyth, J. Tsay, and Y. Xiong. Overview of the
ptolemy project. ERL Technical Report UCB/ERL No. M99/37, Dept. EECS,
University of California, Berkeley, July 1999.
5. J. Davis II, C. Hylands, B. Kienhuis, E. A. Lee, J. Liu, X. Liu, L. Muliadi, S. Neuendorer, J. Tsay, B. Vogel, and Y. Xiong. Heterogeneous concurrent modeling and
design in java. Technical Memorandum UCB/ERL M01/12, EECS, University of
California, Berkeley, Mar. 2001.
6. S. Edwards, L. Lavagno, E. Lee, and A. Sangiovanni-Vincentelli. Design of embedded systems: Formal models, validation, and synthesis. Proceedings of the IEEE,
85(3):366{390, Mar. 1997.
7. T. Henzinger. Masaccio: a formal model for embedded components. In J. van
Leeuwen, O. Watanabe, M. Hagiya, P. Mosses, and T. Ito, editors, TCS 00: Theoretical Computer Science, volume 1872 of Lecture Notes in Computer Science,
pages 549{563. Springer-Verlag, 2000.
8. T. Henzinger, M. Minea, and V. Prabhu. Assume-guarantee reasoning for hierarchical hybrid systems. In M. di Benedetto and A. Sangiovanni-Vincentelli, editors,
HSCC 00: Hybrid Systems|Computation and Control, volume 2034 of Lecture
Notes in Computer Science, pages 275{290. Springer-Verlag, 2001.
9. E. A. Lee and A. L. Sangiovanni-Vincentelli. A framework for comparing models of computation. IEEE Trans. Comput.-Aided Design Integrated Circuits,
17(12):1217{1229, Dec. 1998.
10. R. Negulescu. Process Spaces and the Formal Verication of Asynchronous Circuits. PhD thesis, University of Waterloo, Canada, 1998.
11. R. Negulescu. Process spaces. In C. Palamidessi, editor, CONCUR, volume 1877
of Lecture Notes in Computer Science. Springer-Verlag, 2000.
12. V. R. Pratt. Modelling concurrency with partial orders. International Journal of
Parallel Programming, 15(1):33{71, Feb. 1986.
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF