launch state. If the EQL program indeed reaches a fixed point in a finite number of iterations starting from any launch state, ptaf informs the designer accordingly. Otherwise, ptaf stops at the first launch state for which the program may not reach a fixed point in a finite number of iterations and informs the designer about the unstable launch state.

The module mcf is a temporal-logic model checker based on the Clarke– Emerson–Sistla algorithm for checking the satisfiability of temporal-logic formulas written in CTL [Clarke, Emerson, and Sistla, 1986]. Our model checker assumes that strong fairness is observed by the scheduler; that is, rules that are enabled infinitely often will eventually fire. Under this assumption, a cycle in the state-space graph that has at least one edge exiting from it is not sufficient to cause the program not to reach a fixed point in a finite number of iterations. (The program will leave the states in the cycle because the rule associated with the exit edge must eventually fire.) However, the model checker will warn the designer that the program may require a finite but unbounded number of iterations to reach a fixed point. The default scheduler used to schedule the next enabled rule to fire is fair and is based on a linear-congruential pseudo–random number generator.

The module fptime is a timing analyzer that computes the maximum number of iterations for a given program to reach a fixed point if at least one reachable fixed point exists. In addition, it provides the sequence of rule firings leading from the launch state to this fixed point. It can also compute the number of iterations to any other fixed point and the corresponding sequence of rule firings if the designer so desires. fptime has been designed so that a designer will be able to specify restrictions on the scheduler if it is desired to determine how the specified scheduling restrictions may affect the number of rule firings. This is useful for investigating the performance of customized schedulers.

10.5.1 Analysis Example

We now describe how our tools can be applied to the distributed EQL program of example 2. With the EQL-to-C translator eqtc, we can translate the equational rulebased program in example 2 into a C program by invoking the command

eqtc < example2 > example2.c.

This program can be compiled using a C compiler (the cc command in UNIX) and then executed to obtain the stable output values if a fixed point is reachable in a finite number of iterations. The current version of eqtc simulates the reading of external sensors by initializing the input variables before any rule is fired. The C program generated by the eqtc translator is shown below.

#include <stdio.h> #include "scheduler.c" #define maxseq 24 #define false 0 #define true 1

#define a 0

276 DESIGN AND ANALYSIS OF PROPOSITIONAL-LOGIC RULE-BASED SYSTEMS

#define b 1 int znext,

randseq[maxseq],

counter;

main() {

extern int znext, randseq[maxseq], counter;

int i;

int sync_a, sync_b, wake_up, object_detected; int arbiter;

int sensor_a, sensor_b;

sync_a = true; sync_b = true; wake_up = true; arbiter = a; sensor_a = 1; sensor_b = 0;

init_random_seq(randseq, &znext, z0, &counter); while (!fixed_point())

{i = schedule(randseq, &znext, 6); switch(i) {

case 1:

if ((sensor_a == 1) && (arbiter == a) && (sync_a == true) && (wake_up == true)) {

object_detected = true; sync_a = false;

}

break; case 2:

if ((sensor_a == 0) && (arbiter == a) && (sync_a == true) && (wake_up == true)) {

object_detected = false; sync_a = false;

}

break; case 3:

if ((arbiter == a) && (sync_a == false) && (wake_up == true)) { arbiter = b;

sync_a = true; wake_up = false;

}

break; case 4:

if ((sensor_b == 1) && (arbiter == b) && (sync_b == true) && (wake_up == true)) {

object_detected = true; sync_b = false;

}

break;

case 5:

if ((sensor_b == 0) && (arbiter == b) && (sync_b == true) && (wake_up == true)) {

object_detected = false; sync_b = false;

}

break; case 6:

if ((arbiter == b) && (sync_b == false) && (wake_up == true)) { arbiter = a;

sync_b = true; wake_up = false;

}

break;

}

printf(" object_detected = %d\\n", object_detected);

}

printf(" object_detected = %d\\n", object_detected);

}

The EQL program with the initial input values can be translated into a finite statespace graph by using the ptf translator with the command:

ptf < example2.

ptf generates the following output for user reference:

Finite State Space Graph Corresponding to Input Program:

--------------------------------------------------------

state next states

----------------

rule # 1 2 3 4 5 6

0:1 0 0 0 0 0

1:1 1 2 1 1 1

2:2 2 2 2 2 2

State Labels:

-------------

state (sync_a, sync_b, wake_up, object_detected, arbiter, sensor_a, sensor_b)

0 1 1 1 0 0 1 0

1 0 1 1 1 0 1 0

21 1 0 1 1 1 0

ptf also generates a CTL temporal-logic formula for checking whether this program will reach a fixed point in finite time from the launch state corresponding to the initial input and program variable values. This formula is stored in the file mc.in, which is generated as input to the model checker and the timing analyzer. mc.in contains the adjacency matrix representation of the labeled state-space graph.

278 DESIGN AND ANALYSIS OF PROPOSITIONAL-LOGIC RULE-BASED SYSTEMS

3

1 1 0

0 1 1

0 0 1

0 n1 ;

1 n1 ;

2 f1 ;

(au n1 f1) 0

The temporal-logic model checker mcf can then be used to determine whether a fixed point is always reachable in a finite number of iterations by analyzing this finite statespace graph with the given launch state:

mcf < mc.in.

To verify that the program will reach a fixed point from any launch state, the (finite) reachability graph of every launch state must be analyzed by the model checker. The complete state-space graph of the example EQL program, which consists of eight separate finite reachability graphs, one for each distinct launch state, is shown in Figure 10.5. The graph with launch state (3,0), corresponding to the combination of input values and initial program values specified in the C program, is one of 23 = 8 possible graphs that must be checked by the model checker.

In general, for a finite-domain EQL program with n input variables and m program variables, the total number of reachability graphs that have to be checked in the worst case (i.e., all combinations of the values of the input and program variables are possible) is

i=n j=m

|Xi | · |S j |

i=1 j=1

where |Xi |, |S j | are respectively the size of the domains of the ith input and jth program variable. If all variables are binary, this number is 2n+m . In practice, the number of reachability graphs that must be checked is substantially less because many combinations of input and program variable values do not constitute launch states. Other techniques are also available that do not require examination of the entire state-space graph. They will be discussed in the next section.

Finally, the timing analyzer fptime can be invoked to determine the longest sequence of rule firings leading to a fixed point, if at least one exists, by the command:

fptime < mc.in.

The following is the partial output of the fptime module corresponding to the reachability graph with launch state (3, 0):

Figure 10.5 Complete finite state-space graph representing the program example2.

> initial state: 0

>fixed-point state(s):

>2

>initial state: 0 fixed-point state: 2

>maximum number of iterations: 2

> path: 0 1 2

The module ptaf performs the above translation and analysis on the complete state-space graph of the example EQL program automatically. The command:

ptaf < example2

produces the following messages:

>The program always reaches a fixed point in finite time.

>The maximum number of iterations to reach a fixed point is 2.

>8 FSMs checked.

In the next two sections, we shall discuss the complexity of the analysis and synthesis problems of real-time equational rule-based programs. In the appendix, we shall illustrate the practicality of our tools by analyzing a “real-life” real-time decision system: the Cryogenic Hydrogen Pressure Malfunction Procedure of the Space Shuttle Vehicle Pressure Control System [Helly, 1984].