Formal verification of timed synchronous dataflow graphs using Lustre

Abstract

The timed synchronous dataflow graph model is a graphical model of computation that allows concurrency between processes. This model is widely used due to its expressive power, semantic simplicity and predefined properties. However, the lack of support for formal verification makes it difficult to manually verify user-defined properties, even for small-sized graphs. This paper presents a formal verification solution of timed synchronous dataflow graphs based on the Lustre language and model checking. The solution consists in an automatic translation of synchronous dataflow graphs into Lustre code and in coding the user-defined properties as Lustre expressions. Use cases are presented showing the applicability of the method.

Introduction

A dataflow diagram is a graphical representation of the “flow” of tokens between parallel processes (also called actors). Nodes are associated with processes, and arcs connect nodes to represent the flow of information between processes. Synchronous dataflow graph (SDFG) is a model proposed by Lee and Messerschmitt [1]. The original SDFG model was untimed; later, for timing analysis purposes, it was annotated with execution times for each actor [2]. An example of a timed SDFG is shown in Fig. 1(a). The label on an input (output) edge represents the static number of tokens consumed (produced) during each firing of the actor, the black dots on an edge represent the initial number of tokens, and the label on a vertex represents the execution time of the actor. To enhance the expressiveness of the SDFG model, a number of extensions have been proposed over the years: the cyclo-static dataflow (CSDF) model [3], which allows the numbers of tokens produced and consumed to vary between actor firings as long as the variation forms a periodic pattern; the static dataflow with access patterns (SDFAP) model [4], which captures the timing of data accesses (for both token production and consumption); a multitude of dynamic dataflow models [5] such as Boolean Dataflow (BDF) where an actor may have a Boolean input port that conditionally controls the read/write operations on other ports, Parameterized Dataflow (PDF) which allows variability in the numbers of tokens produced and consumed by actors, and Scenario-Aware Dataflow (SADF) which combines SDF with stochastic models to capture distinct modes of operation of processes in a streaming application.

As a model of computation, the timed SDFG model offers strong compile-time analyzability of many useful predefined properties, such as absence of deadlock, channel boundedness and throughput bounds [6], [7], [8]. These properties make the model suitable for various design tasks, such as computing the buffer requirements of streaming applications [9], [10], scheduling tasks in single-processor or multiprocessor architectures [11], [12], [13], [14], analyzing the performance of a system under certain constraints [15], [16], [17], [18], [19], modeling resource-sharing arbiters [20], [21], [22], [23], and modeling hardware-software codesign [24]. While the algorithms for the analysis of SDFG's predefined properties are well established and integrated into graph analysis tools such as the SDF3 tool [25], there is still a lack of support for the formal verification of user-defined properties and model equivalence. This lack of formal verification support makes it difficult to manually verify user-defined properties even for a simple SDFG; addressing this shortcoming will further enhance the benefits of the SDFG model. This paper reports on the use of the Lustre formal language to validate safety properties of SDFGs. Lustre [26], [27] is a language developed to model and verify reactive systems. It is a declarative synchronous language from the same family as Esterel and Signal. The choice of Lustre is motivated by a number of factors: it allows both a design and its properties to be described in the same language; it is dedicated to verifying safety properties; its temporal operators facilitate the expression of user-defined properties and assertions; its functional paradigm allows model composability; and it is supported by a set of formal validation tools such as Lesar [28], [27], a model checker based on BDDs (binary decision diagram), and Kind_2 [29], [30], a multi-engine and parallel model checker based on SMT (satisfiability modulo theories).

This paper presents a transformation of timed SDFGs into Lustre models. The transformation targets a specific semantic of SDFGs called the self-timed execution mode. This mode is of high practical value because it maximizes the throughput of the system. The user-defined properties and the assumptions regarding the environmental inputs are expressed directly in Lustre. We present two Lustre models: one that captures each time unit step individually and one that considers progress in time in larger steps. Each model offers a different scalability depending on the structure of the SDFG model. The SDFG-to-Lustre translator is implemented as a Java program that takes an XML file modeling the SDFG as input and produces the corresponding Lustre code. The assertions and the target properties are then added to the generated code. The software is available in GitHub [31].

The remainder of this paper is structured as follows. The next section presents previous work on the use of formal methods for verifying SDFGs. Section 3 gives a preliminary background on the SDFG model of computation, on its formal semantics and on the Lustre language. Section 4 presents the two transformation schemes and their correctness proofs. An overview of the verifiable properties of SDFGs and their expression in Lustre is given in Section 5. Section 6 details the modeling and verification of a set of embedded system designs. Section 7 concludes the paper.