ABV – A Verifier for the Architecture Analysis and Design Language (AADL)

Stefan Björnander, Cristina Seceleanu, Kristina Lundqvist, and Paul Pettersson
School of Innovation, Design, and Engineering
Mälardalen University, Box 883, 721 23 Västerås, Sweden
Email: {stefan.bjornander, cristina.seceleanu, kristina.lundqvist, paul.pettersson}@mdh.se

Abstract—Designing and developing mission-critical embedded systems is challenging, especially due to additional platform constraints regarding timing and computational resources. The development process of embedded systems should include verification techniques already at the architecture design phase, to provide evidence that a system’s architecture fulfills its requirements. The Architecture Analysis and Design Language (AADL) is used to model the system’s architecture. Among others, the language contains a Behavior Annex, for describing the behavior of an AADL model, at an abstract level.

In this paper, we present a verification tool, called ABV, tailored for AADL models with a behavioral annex. Given an architecture defined in AADL and its behavior specified in the associated language, our tool model-checks the latter against the requirements specified in Computation Tree Logic (CTL). ABV is based on AADL’s formal denotational semantics implemented in Standard ML, and is encapsulated into an Eclipse plug-in based on the OSATE platform. The tool has been applied on the Production Cell case study, which is briefly described in the paper.

Index Terms—Model Checking, Verification, AADL, Behavior Annex, CTL, OSATE, Denotational Semantics.

I. INTRODUCTION

Mission-critical embedded systems play a vital role in aerospace applications, air traffic control, and railway signaling, to mention a few. Design and development of such systems is challenging because, e.g., the fulfillment of real time requirements and resource constraints need to be proven in the development process. Of high practical interest is the architecture design phase, since the timing behavior and resource consumption of systems depend heavily on the chosen system architecture. Consequently, the development process for embedded systems should include verification techniques in the architecture design phase, to provide evidence that a system architecture fulfills its requirements.

We have chosen to study the Architecture Analysis and Design Language (AADL) [1] and its Behavior Annex [2], [3], [4], due to AADL’s rich specification language and its industrial use for the development of embedded systems in, e.g., the automotive and avionics area. AADL is a large language intended for designing both system software and hardware. The architectural language is a standard of the Society of Automotive Engineers (SAE)\(^1\), and it is based on MetaH [5] and the Unified Modeling Language (UML) [6].

\(^1\)The Society of Automotive Engineers is presented at http://www.sae.org.

In this paper, we introduce and describe a novel system architecture verifier, called ABV\(^2\) (AADL and the Behavior Annex Verifier), which performs model checking of embedded system models defined in AADL and its Behavior Annex. The model checking is carried out against requirements formulated in Computation Tree Logic (CTL) [7]. ABV is an Eclipse plug-in based on the Open Source AADL Tool Environment (OSATE\(^3\)) platform, which guarantees seamless interaction with the Eclipse environment. Moreover, ABV is based on an ML implementation of the formal denotational semantics that unambiguously defines a subset of AADL and its Behavior Annex [8], [9].

The intended users of ABV are engineers working with system design; more specifically, engineers modeling AADL systems in the Eclipse environment, who want to check different system properties about the system. By employing our tool, it should be possible that engineers find flaws already in the early design phase, and by that avoid not finding flaws until later development phases.

ABV accepts a subset of AADL including system, system implementation, features, subcomponents, and connections as well as the Behavior Annex. The chosen subset contains all necessary constructs needed for generic modeling.

Although several tools for analyzing AADL have been developed (see Section VI), they do not integrate a model checker for AADL and its Behavior Annex based on a sound underlying semantics within the OSATE platform.

In our approach, we combine powerful model-checking techniques with an underlying formal denotational semantics and a user-friendly graphical interface. We also describe how ABV has been applied on the Production Cell case study.

The salient features of ABV are:

- An underlying formal denotational semantics for AADL and its Behavior Annex [8], [9].
- An implementation of the denotational semantics in Standard ML.
- An Eclipse plug-in based on the OSATE platform, offering an intuitive and user-friendly graphical interface, well integrated with other OSATE-based products.
- A trace file generator, listing a shortest path from the

\(^2\)ABV is available at http://www.idt.mdh.se/~sbr02/ABV.
\(^3\)The OSATE platform is described and available for downloading at http://www.aadl.info/aadl/currentsite/tool/osate.html.
initial state of the model to a state satisfying the condition of the CTL requirement.

The rest of this paper is organized as follows. Section II gives an overview of ABV. Section III describes ABV’s input, whereas Section IV describes the graphical interface. We apply ABV on the Production Cell case study in Section V. In Section VI we discuss related work, before concluding the paper in Section VII.

II. ABV TOOL OVERVIEW

The main purpose of ABV is to perform model checking by verifying CTL properties of system models defined in AADL and its Behavior Annex. ABV provides an intuitive and user-friendly graphical environment. The user inputs the source code of the model, as well as the CTL property specification, and the verifier displays the yes/no analysis result.

Denotational semantics is an approach to formalize the meaning of programming languages by constructing mathematical objects (called denotations), which describe the meaning of expressions from the languages. The main benefit with denotational semantics is that it is based on a rigorous mathematical foundation and is built on the same principles as functional programming languages, such as Standard ML.

Such benefits determined us to define an underlying denotational semantics for AADL and its Behavior Annex [2], [3], [4], and consequently implement the verifier in Standard ML.

The ABV tool consists of the following modules (see Figure 1): the Parser, Initializer, Generator and PropertyEvaluator. The Parser module parses, type checks and stores the model. The Initializer module initializes the model; that is, the initializations of state variables and output signals are executed. The Generator module generates the state space that is later evaluated against the CTL property specification. Finally, the PropertyEvaluator module traverses the state space and eventually decides on the truth value of the property.

The root node of the generated state space represents the initial state of the system (see Listing 1). For each possible transition, a child node representing the new system state (after the transition has been taken) is added to the node. If several transitions are possible, several child nodes are added. Each child node represents the system state after some transition has been taken, respectively. ABV keeps track of all states, such that, if one state is repeated, the state space generation along that path is aborted. After the state space has been generated, it is next evaluated against the CTL property specification.

Since the kernel of ABV is written in ML, its input needs to be translated from AADL and its Behavior Annex, as well as CTL, into Standard ML format. The ABV Parser performs the transformation task. It is written in Standard Java, the CUP Parser Generator for Java, and the JLex Lexical Analyzer Generator for Java. For instance, the following safety property specification is translated into the Standard ML code of Listing 2:

\[
\text{all global not \{subsystem1.Critical and subsystem2.Critical\}}
\]

III. TOOL INPUT

ABV takes two inputs: the AADL and its Behavior Annex model, as well as the CTL property specification.

A. The AADL and its Behavior Annex Model

In AADL, there are two types of systems: the system that defines the port interface and an optional behavioral annex, and the system implementation that defines the subcomponents and the port connections between them. The chosen AADL subset allows at least one system and exactly one system implementation. The subcomponents of the system implementation are instances of earlier defined systems (equivalent to objects and classes in object-oriented languages) and the connections are

\[
\begin{align*}
\text{function generate_space subcomp_list conn_list} \\
\text{log_set main_space} \\
\text{for each subcomp in subcomp_list} \\
\text{for each trans in subcomp.trans_list} \\
(\text{boolean guard_value, symbol_table}) \leftarrow \\
\text{evaluate_expression trans.guard} \\
\text{subcomp.symbol_table} \\
\text{if (subcomp.state = trans.source_state) and} \\
\text{guard_value then} \\
\text{subcomp.state }\rightarrow\text{subcomp.target_state} \\
\text{subcomp.symbol_table }\rightarrow\text{execute_actions} \\
\text{trans.action} \rightarrow\text{subcomp.symbol_table} \\
\text{if not (log_set.exists subcomp_list) then} \\
\text{log_set.add subcomp_list} \\
\text{subcomp_list }\leftarrow\text{execute_connections conn_list} \\
\text{subcomp_list} \\
\text{sub_space }\leftarrow\text{space_create subcomp_list} \\
\text{generate_space subcomp_list conn_list} \\
\text{log_set sub_space} \\
\text{return main_space.add_child sub_space}
\end{align*}
\]
made between input and output ports of the subcomponents, rather than the systems.

The Behavior Annex is based on the Abstract State Machine [10] language. It models the following: (i) states, among which one is the initial state, and state variables, which can be initialized; (ii) input and output signals that are connected to the ports of the surrounding system, together with initializations of the output signals, and (iii) the set of state transitions [3], where each transition is equipped with a guard, that is, a boolean expression that has to evaluate to true for the transition to be fired.

Example 1: Figure 2 illustrates a main system holding two subsystems with one critical section each, modeled in AADL and its Behavior Annex. The subsystems communicate through port signals CriticalLeave and CriticalEnter in order to ensure that they cannot access the critical sections simultaneously; the code is given in Listings 3 and 4. The first subsystem is initialized to trigger the CriticalLeave signal, which means that the second subsystem is free to enter its critical section. The second subsystem is similar to the first one, except that the initializations part is omitted. Each subsystem starts in the initial state Waiting. As soon as it receives the CriticalEnter signal from the other subsystem, it enters its critical section. When it leaves the latter, it sends the CriticalLeave signal to the other subsystem, in order to allow it to enter its critical section in turn. The main system instantiates the two subcomponents, subsystem1 and subsystem2, and connects them to each other by using the CriticalLeave and CriticalEnter ports. In Section III-B, we define a CTL property specification for such system.

B. The CTL Property Specification

CTL [7] is a branching-time temporal logic, that is, it models time as a tree structure with a non-determined future. There are different paths into the future, and any one of them may be the realized one. There are several quantifiers available in CTL, among them the universal all and existential exists quantifiers over paths. There are also the path-specific operators global and eventually. See Table I for their informal definitions.

Syntactically, a property specification includes a path quantification (all or exists), followed by path-specific operators (global or eventually), or a regular expression. However, these kinds of expressions can also hold a state or a state variable.

For example 1 described in Section III-A, we formulate below the CTL property that, provided that it holds for the model, guarantees that the two subsystems never reach their critical section simultaneously:

\[
\text{all} \ \text{global} \ \text{not} \ \{\text{subsystem1.Critical and subsystem2.Critical}\}
\]
IV. The Graphical Interface

ABV is encapsulated in an Eclipse plug-in on top of the OSA TE platform. The plug-in adds the ABV menu with the Settings and Property Specification items (see Figure 3). The Settings item displays an input dialog divided into two parts, where the first part specifies a set of paths needed for ABV to work properly while the second part specifies optional output to be displayed.

The result of model checking a property specification against a model of AADL and its Behavior Annex is a boolean value. ABV also reports the size of the generated state space and the execution time, depending on the user settings in the second part of the dialog. ABV can also be instructed to generate a log file, listing a sequence of states from the initial state to a state satisfying the condition of the property specification (if no state is satisfying the condition, an empty file is generated). See Appendix B for an excerpt.

The Property Specification item displays an input dialog in which the user inputs the CTL property specification (see Figure 4).

Table I: CTL.

<table>
<thead>
<tr>
<th>Property</th>
<th>CTL Notation</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>all ϕ</td>
<td>all</td>
<td>ϕ must be satisfied for every path.</td>
</tr>
<tr>
<td>exists ϕ</td>
<td>exists</td>
<td>ϕ must be satisfied for at least one path.</td>
</tr>
<tr>
<td>global ϕ</td>
<td>global</td>
<td>ϕ must be satisfied for each node on the path from root to leaf.</td>
</tr>
<tr>
<td>eventually ϕ</td>
<td>eventually</td>
<td>ϕ must be satisfied for at least one node on the path from root to leaf.</td>
</tr>
</tbody>
</table>

V. Case Study

In order to validate ABV, we have performed a case study in which a Production Cell system is modeled in AADL and its Behavior Annex. For the complete source code of the system, we refer the reader to Björnander et al. [8], [9]. Also, see Appendix A for an excerpt. The case study is based on an automated manufacturing system that is modeled on an industrial plant in Karlsruhe, Germany. It was first described by Lewerentz [11]. Ouimet [12] presented it as depicted in Figure 5.

The system is not controlled by a central unit. Instead, the components communicate with each other through port connections. The components work concurrently: when a component is ready to accept a new block, it notifies the preceding component, which in turn acknowledges that it has loaded the block. It also sends a signal acknowledging that the loading location of the component is free.

The Production Cell System is composed of the robot arms Loader, ArmA, and ArmB, the conveyer belts FeedBelt and DepositBelt, as well as the Press. The purpose of the system is to transport blocks through the production cell. They arrive in a crate and the same blocks with bolts attached to them finally become delivered by the deposit belt for further processing. Once a block has been loaded, it is moved through the system. See Figure 6 for a schematic illustration of the system.

In the DepositBelt subsystem, we have added the state variable StoredBlocks that counts the number of blocks that become transported through the final deposit belt. In the main system of the Production Cell, the DepositBelt system has been instantiated into the depositBelt subcomponent. In order to make sure that a loaded block always becomes transported through the system, we require that the state variable storedBlocks in the depositBelt subcomponent is always eventually assigned the value one. This means that a block has gone through the whole system. The requirement can be formally stated in CTL as follows:

all eventually depositBelt.StoredBlocks = 1
Always read before the next signal is sent. One, we can be sure that once a signal is sent to the port, it is decremented each time it is read. If the variable never exceeds increment each time a signal is sent to the port, and the suffix "count" is stored. It is an integer that becomes incremented every time a signal is sent to the port, and decremented each time it is read. If the variable never exceeds one, we can be sure that once a signal is sent to the port, it is always read before the next signal is sent.

For each input port, a state variable with the same name and the suffix "count" is stored. It is an integer that becomes incremented each time a signal is sent to the port, and decremented each time it is read. If the variable never exceeds one, we can be sure that once a signal is sent to the port, it is always read before the next signal is sent.

As evident from Figure 8, all paths finally lead to a state where storedBlocks is equal to one, meaning that the block is always moved through the Production Cell system.

As ABV and also the underlying denotational semantics also support verification of architectural properties, the following CTL specification is an example of such property, which ensures that the InBlockLoaded input signal in the depositBelt subcomponent is never written twice without being read between the writings:

\[ \forall \text{global} \text{ depositBelt.InBlockLoaded_count} \leq 1 \]

In this paper, we have presented ABV, which is a novel tool designed to perform model checking on systems modeled in AADL and its Behavior Annex, with properties specified in CTL. Our tool comes with a graphical interface as an Eclipse plug-in on top of the OSATE platform, and it has been successfully applied on the Production Cell case study.

The next step on the work of this paper would be to optimize the algorithms of ABV, e.g., the state space generation and the property specification evaluation. It should be possible to evaluate the state space "on-the-fly"; that is, to perform evaluation during the tree state space generation. In that way, the state space generation can be terminated as soon as the value of the property specification has been determined.

Another possible future work is to extend the semantics with timing annotations, to enable modeling of timing and verification of the form, e.g., minimum and maximum time for a property specification to be satisfied.

BIp (Behavior Interaction Priority) [13] is a language for description and composition of components, as well as for analysis and code generation of models. Chkouri et al. [14] describe a general methodology and an associated tool for translating AADL and its Behavior Annex specifications into BIP. This allows simulation of systems specified in AADL and application of formal verification techniques developed for BIP. The input language of the tool includes the Behavior Annex. Even though BIP supports model checking of component interaction, it does not support model checking at the system level, as ABV does.

The COMPASS\(^5\) project (Correctness, Modeling, and Performance of Aerospace Systems) is an ambitious attempt to fully capture the system under development by applying model-checking techniques. The COMPASS toolset has been developed by Bozzano et al. [15], [16] and is based on a formal semantics. It is a tool that models both the nominal and faulty behavior of AADL, and it has been validated in several case studies. However, in contrast to ABV, it focuses on the error behavior. Moreover, the tool is equipped with a graphical interface that, unlike ABV, is not OSATE-based and hence not integrated with tools based on Eclipse or OSATE.

VIII. Conclusion and Future Work

In this paper, we have presented ABV, which is a novel tool designed to perform model checking on systems modeled in AADL and its Behavior Annex, with properties specified in CTL. Our tool comes with a graphical interface as an Eclipse plug-in on top of the OSATE platform, and it has been successfully applied on the Production Cell case study.

In AADL and its annexes, ADeS\(^4\) (Architecture Description Simula) is a software tool intended for simulation of the behavior of system architectures described with AADL. It is implemented as an Eclipse plug-in based on the OSATE platform, with seamless interaction with other OSATE based tools. It can perform simulation and scheduling of models defined in AADL. However, unlike ABV, it does not perform model checking, and it also lacks a formal underlying analysis.

\(^{4}\)The AdeS tool is available at \url{http://www.axlog.fr/aadal/ades_en.html}.

\(^{5}\)The COMPASS project is presented at \url{http://compass.informatik.rwth-aachen.de}.
ACKNOWLEDGMENT

This research work was partially supported by Swedish Research Council (VR), and the Swedish Foundation for Strategic Research via the strategic research center PROGRESS.

REFERENCES


APPENDIX

A. The Case Study Source Code (excerpt)

system Loader
features
    InFeedBeltReady: in event port;
    OutBlockReady: out event port;

annex Loader {/**

state variables
    LoadedBlocks :integer;

initializations
    LoadedBlocks := 0;

states
    Waiting :initial state;
    Loading :state;

transitions
    Waiting -{LoadedBlocks < 1} and
    (InFeedBeltReady?) -> Loading;
    Loading -[true] -> Waiting {OutBlockReady!;
    LoadedBlocks := LoadedBlocks + 1;}
    **;
end Loader;

...system implementation ProductionCell.impl
subcomponents
    loader: system Loader;
    feedBelt: system FeedBelt;
    beltToPress: system BeltToPress;
    press: system Press;
    pressToBelt: system PressToBelt;
    depositBelt: system DepositBelt;
    storer: system Storer;

collections
    event port feedBelt.InFeedBeltReady -> loader.InFeedBeltReady;
    event port loader.OutBlockReady ->
    feedBelt.InBlockReady;
    event port beltToPress.InArmReady ->
    feedBelt.InArmReady;
    event port feedBelt.OutBlockReady ->
    beltToPress.InBlockReady;
    event port pressPressed ->
    beltToPress.InPressed;
    event port pressToBelt.OutBlockReady ->
    press.InBlockReady;
    event port pressToBelt.OutArmReady ->
    press.OutArmReady;
    event port pressToBelt.InBlockReady ->
    pressToBelt.InArmReady;
    event port pressToBelt.OutFeedBeltReady ->
    pressToBelt.InFeedBeltReady;
    event port pressToBelt.OutBlockReady ->
    depositBelt.InBlockReady;
    event port storer.StorerReady ->
    depositBelt.StorerReady;
    event port depositBelt.OutBlockReady ->
    storer.InStorerBlockReady;
end ProductionCell.impl;

B. The Generated Log File (excerpt)

0:
    Transition: loader.Waiting -> loader.Loading
State: loader = Loading, LoadedBlocks = 0
    feedBelt = NoBlock_MotorOff
    beltToPress = MagnetOff_AtBelt_Retracted
    press = Waiting
    pressToBelt = MagnetOff_AtPress_Retracted
    depositBelt = NoBlock_MotorOff
    storer = Waiting, StoredBlocks = 0

...
24:
    Transition: storer.Storing -> storer.Waiting
State: loader = Waiting, LoadedBlocks = 1
    feedBelt = BlockAtEnd_MotorOff
    beltToPress = MagnetOff_AtBelt_Retracted
    press = Waiting
    pressToBelt = MagnetOff_AtPress_Retracted
    depositBelt = BlockAtEnd_MotorOff
    storer = Waiting, StoredBlocks = 0