# TRANSYT: A Tool for the Verification of Asynchronous Concurrent Systems<sup>\*</sup>

Enric Pastor, Marco A. Peña, and Marc Solé

Department of Computer Architecture, Technical University of Catalonia, 08860 Castelldefels (Barcelona), Spain

#### 1 Introduction

TRANSYT is a BDD-based tool specifically designed for the verification of timed and untimed asynchronous concurrent systems. TRANSYT system architecture is designed to be modular, open and flexible, such that additional capabilities can be easily integrated. A state of the art BDD package [1] is integrated into the system, and a middleware extension [2] provides support complex BDD manipulation strategies.

TSIF (Transition System Interchange Format) is the main input language of TRANSYT. TSIF is a low-level language for describing asynchronous event-based systems, although synchronous systems can be also covered. Many formalisms can be mapped onto it: digital circuits, Petri nets, etc. TRANSYT integrates specialized algorithms for untimed reachability analysis based on disjunctive Transition Relation (TR) partitioning, and relative-time verification for timed systems. Invariant verification for both timed and untimed systems is fully supported, while CTL model checking is currently supported for untimed systems. TRANSYT provides orders of magnitude improvement over general untimed verification tools like NuSMV [3] and VIS [4], and expands the horizon of timed verification to middle-size real examples.

### 2 System Functionalities

We provide here a high-level overview of the the most relevant features of TRAN-SYT. Details of the architecture and algorithms will be provided in Section 3.

**User Interaction.** TRANSYT works with an interactive shell, processing systems according to command-line options. The user can activate all phases of the verification process (file parsing, system construction, reachability analysis, model checking, simulation, counter-example generation, etc.) with full control of all available options. On top of the interactive shell, a limited but under expansion GUI front-end offers access to all interactive commands, as well as an improved visualization of the systems and the properties under analysis.

<sup>\*</sup> Ministry of Science and Technology TIN 2004-07739-C02-01 and grant AP2001-2819.

<sup>©</sup> Springer-Verlag Berlin Heidelberg 2005

**System Description.** TRANSYT can process hierarchical systems formalized (using the TSIF format) as a set of variables to encode the state and *events* to describe the "actions" that the system can execute. Systems can be simultaneously coordinated by variable interchange or event synchronization. Other formalisms can be encoded and easily mapped onto TSIF. Currently we offer a front-end for BLIF [4] and Petri nets [5], and we are working toward a new SMV front-end.

**Reachability Analysis.** Implements specialized reachability schemes based on disjunctive TRs and uses a mixed BFS/DFS traversal that schedules the application of the TR parts in order to maximize the state generation ratio and minimize BDD peaks. These algorithms have demonstrated orders of magnitude improvement over existing BFS / conjunctive TR traversal schemes (e.g. [3]) when applied to asynchronous concurrent systems. State-of-the art conjunctive TR traversal schemes are also available to efficiently manipulate mixed synchronous/asynchronous systems.

**Model Checking.** TRANSYT implements fair CTL model checking as defined in [6], and also offers specialized on-the-fly invariant verification. The tool can be configured to detect a minimum number of failures in a single traversal. Failing states are stored to allow selective counter-example generation for all of them.

Semi-formal Verification. In addition to classical reachability analysis, TRAN-SYT offers an automated two-phase simulation-verification hybrid scheme. Simulation follows a branching scheme that generates traces as divergent as possible (interleaved traces will be rejected). Traces are stored for further analysis. The second phase will select a number of simulation traces as seed of a guidedtraversal algorithm. Guided-traversal exploits the behavioral information in the traces to efficiently identify additional states. On-the-fly invariant verification can be carried out during both phases.

**Relative-time Verification.** TRANSYT offers invariant verification of timed systems based on the *relative-timing* paradigm. TSIF events can be annotated with min-max delays. If it exists, the tool provides a timed counter-example. Otherwise, TRANSYT provides a set of graphic structures that inform the user about how the execution of events is ordered due to timing. Note that not all existing orderings are provided, but just those that are relevant to prove the invariants under verification.

## 3 Tool Architecture and Algorithms

This section describes the main functional modules in TRANSYT (see Figure 1), the peculiarities of the algorithms implemented in them and their interrelations.

The System Instantiation and Boolean Model Construction provides support for creating the internal representation of the TSIF format. The system is mapped onto a Boolean model after an encoding process, in which TRs, properties, etc. are constructed. Once TRs are built, their causal interrelations can be analyzed



Fig. 1. TRANSYT modular architecture

in order to determine if the application of a TR part may trigger the execution of other TRs. The granularity of the TR partition is decided here depending on TR size, number of parts and detected causality. Different partition schemes can be used according to these parameters.

The BDD-based verification module is the core of TRANSYT. It implements highly efficient traversal schemes based on mixed BFS/DFS algorithms that schedule the application of the disjunctive TR parts. New states generated by one part are immediately reused as source for following parts. If causality is taken into account, this simple scheme provides orders-of-magnitude improvement over BFS traversal. Based on BFS/DFS traversal, on-the-fly invariant verification and fair CTL model checking can be performed on the selected design. Once failures are detected, counter-example traces can be generated and stored —associated to each failing property— for both further manipulation or visualization.

An alternative invariant verification approach, combining simulation and guided-traversal, is provided. Simulation can be executed following a branching strategy that resembles partial-order verification. At each visited state the causality between enabled events is analyzed. In case of detecting concurrent events, only one of the execution traces is followed. In case of conflict (i.e. a choice in the execution path) both execution traces are explored. Exploration continues until no additional states are available or until a certain number of failures have been identified. Causality information can be extracted from traces. Given a trace, its associated causality can be extracted and directly applied to a guided-traversal process. Guided-traversal executes a BFS/DFS reachability analysis applying events in the best order as indicated by causality.

TRANSYT extends symbolic invariant verification to timed systems. The use of *relative timing* [7] eliminates the need to compute the exact timed state space. Instead, the timed behavior of events is captured by means of partial orders that represent relative temporal relations. Timed systems provide delays for all the events in the system; however, many of the constraints imposed by such delays are not actually required. TRANSYT only considers timing information in an *on-demand* basis, as long as it is required to prove a given property.

Moreover, the timing analysis is performed over the subset of events involved in such proof by any external timing analysis algorithm. As a result, the untimed state space of the system is refined incrementally. The tool not only proves or disproves the correctness of the system with respect to a set of invariants, but also provides a set of sufficient relative-time relations that guarantee such correctness or demonstrate a counterexample.

### 4 Results and Future Directions

TRANSYT is a well-structured platform for the verification of asynchronous concurrent systems. The TSIF front-end provides a flexible entry point for most specification languages relevant to the area. Additional functionalities and algorithms for each phase of the verification flow can be easily integrated. The performance of the tool is satisfactory due to the BDD package and its specific algorithms. Additional information about TRANSYT is available at

http://research.ac.upc.es/VLSI/transyt/transyt.html.

TRANSYT has been successfully used to analyze a number systems, both in the timed and untimed domain. Extensive comparisons have been carried out with the state generation engines in NuSMV [3] and VIS [4]. In both cases, orders of magnitude improvements have been obtained [8]. Complex timed systems have been also analyzed using TRANSYT. In particular, several interface FIFO implementations (IPCMOS by S. Schuster and STARI by M.R. Greenstreet) connecting different clock domains have been successfully verified.

Currently, several new functionalities are under development. A mixed conjunctive/disjunctive TR construction and scheduling scheme is being implemented for complex Globally Asynchronous Locally Synchronous (GALS) systems. The CTL verification algorithm is being upgraded to exploit the same causality information used during the reachability process. A restricted version of timed-CTL is being developed to be integrated with the relative-time verification engine. On the user's side, better feedback visualization is being implemented through more powerful visual libraries.

### References

- 1. Somenzi, F.: CUDD: CU decision diagram package release (1998)
- 2. Cabodi, G., Quer, S.: PdTRAV package politecnico di torino reachability analysis for verification (release 1.2) (1999)
- Cimatti, A., Clarke, E.M., Giunchiglia, F., Roveri, M.: NuSMV: A new symbolic model checker. International Journal on Software Tools for Technology Transfer 2 (2000) 410–425
- 4. The VIS Group: VIS: A system for verification and synthesis. In: Proc. International Conference on Computer Aided Verification. Volume 1102 of LNCS., Springer-Verlag (1996) 428–432

- Cortadella, J., Kishinevsky, M., Kondratyev, A., Lavagno, L., Yakovlev, A.: Petrify: a tool for manipulating concurrent specifications and synthesis of asynchronous controllers. IEICE Transactions on Information and Systems E80-D (1997) 315– 325
- Clarke, E.M., Grumberg, O., McMillan, K.L., Zhao, X.: Efficient generation of counterexamples and witnesses in symbolic model checking. In: Proceedings of the 32nd ACM/IEEE conference on Design automation conference. (1995) 427–432
- Stevens, K., Ginosar, R., Rotem, S.: Relative timing. In: Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems. (1999) 208–218
- Solé, M., Pastor, E.: Evaluating symbolic traversal algorithms applied to asynchronous concurrent systems. In: International Conference on Application of Concurrency to System Design (ACSD'04). (2004) 207–216