- structuring concepts: systems consist of processes, running in parallel and communicating through message passing via communication buffers
- communication primitives: processes may communicate either through signal exchange (directly or via signalroutes) or through shared variables
- real-time primitives: each process may use several clocks to measure time during the execution and, in addition, transitions may be guarded with time constraints (depending on clocks) and decorated with explicit (eager, delayable, lazy) deadlines
- open systems: the language offers the concept of open communication channel, connected to the environment, and transporting messages between it and the system
- non-determinism: processes may be non-deterministic i.e, more than one transition may be enabled at some control state, and all situations have to be considered at execution
- complex data types: the language provide several type constructors such as enumeration, range, array, record, abstract as well as predefined basic types in order to simplify complex data description and manipulation
- parameterisation: it is now possible to parameterize data types (i.e, size of arrays), system configurations (i.e, number of instances), timing behavior (i.e, clock constraints)...
- dynamic creation: the language include dynamic creation and destruction of process and signalroute (channel) instances. This makes system configuration to be dynamic, that is, the number of components running (and in turn, the number of clocks ...) may change during execution
- structured control: the common language integrates hierachical states (to structure automata) and composed transitions basic control statements such as if-then-else and while-do are provided to structure automata transitions
- external code integration: the common language provide a simple an elegant way to abstract complex transformations on data through the integration of external code within procedures. The external code to be provided depend on tools used i.e, an executable implementation in order to simulate and model check, or a first-order axiomatic definition in order to use it inside a prover, etc.
- static analysis: IF provides the dfa tool which implements classical static analysis techniques such as live variable analysis, dead-code elimination and variable elimination (backward slicing) with respect to user-defined criteria.
- model-checking: The core component of the IF toolbox is the IF simulator allowing to explore the underlying semantic model (i.e, state graph) of an IF specification. Several exploration modes are imlemented: interactive (user-driven), random or exhaustive (breadth-first or depth-first). Partial order reductions can be applied in exhaustive- depth first search.
- test generation: The IF simulator has been connected to the TGV test generator in the context of the AGEDIS project. See the AGEDIS web page for more details.
- model: This library gives access to the abstract syntax tree (AST) of IF specifications. It can be used to implement tools operating "statically" on the specification such as translators to other languages, static analysis and optimisations at source level.
- simulator: A simulation library providing the minimal functionality for on-the-fly state-space traversal (state representation + successors computation) is provided. It can be used to implement tools operating "dynamically" on the specifcation such as exploration tools, model-checkers, simulators, etc.
Report bugs here.
IFx is an extended version of the IF toolbox, developped in the OMEGA project.
- Simulation: step by step execution, inspection of the system state, conditional breakpoints, scenario rewind/replay, manual resolution of non-determinism, control of scheduling policy and time related parameters, etc.
- Verification of simple consistency conditions like deadlocks, timelocks, satisfaction of state invariants.
- Verification of behavioral properties by model checking. The properties may be expressed as :
- observer objects (accepting state machines reacting to system events and conditions)
- timing constraints (durations between system events)
- µ-calculus formulas
- The tool is also connected with other tools, such as labelled transition system manipulation tools from the CADP suite (Aldebaran).
Verification is performed on-the-fly in the IFx environment and allows the generation of diagnostic traces which can be inspected using the simulator.
The architecture of the IFx toolset is depicted below. The upper part shows the UML tools specific to IFx, while the lower part shows the components of the IF toolset, including some modules developed in the OMEGA project (in blue).
The main components of IFx, in addition to the IF tools, are:
- the UML-to-IF translator which takes as input a UML model stored in XMI format. The model may use standard UML constructs and extensions defined by the Omega profile: actions written in the Omega action language, timing annotations and observers expressing model properties (more infomation on the profile).
The translator generates an IF specification corresponding to the UML model, according to the Omega semantics. The principles of the translation are described in this paper.
- the UML front-end provides an interface specifically targeted at UML modelers for the IF validation tools. The interface hides IF and the details of translation and presents simulation and verification results in the vocabulary of the initial UML model. The interface supports all compilation and simulation features mentioned before, and offers customizable views on the analyzed system.
Ariane-5 flight software
The IFx tool has beeen used to validate the UML model of the Ariane-5 flight software, a case study provided by EADS in the Omega project.
The architecture of the Ariane-5 model is shown in the figure below. Components drawn in blue represent the environment of the software: the equipment that is controlled, or the actors that interact with it from the ground. Components drawn in yellow are the modules of the flight software:
- Regulation modules which coordinate the behavior of the launcher as a whole and the behavior of each stage. They control events like firing a stage, releasing a component, etc.
- Guidance, Navigation and Control modules perform the fine-grained control of the launcher’s flight parameters: monitor thrust and other parameters, calculate aiming, etc.
IFx has been used in this case study :
- to statically validate the model by syntax cheching, type checking, simple static analysis (e.g., dead code detection)
- to prove 9 timed safety properties of the flight regulation modules,
- to analyze the schedulability of the regulation and the GNC components under the assumption of a fixed priority preemptive scheduling policy. Scheduling objectives were expressed as observers and verified against the model. An example of objective is that the GNC cycle, which repeats every 72ms during the flight, finishes each time.
Below are some of the properties which were verified with IFx on the Ariane-5 model. They are expressed as observers.
- Property 1.
Property 1: Between any two commands sent by the flight software to the valves there should elapse at least 50ms.
- Property 2.
Property 2: If some instance of class Valve fails to open (i.e. enters the state Failed_Open) then:
- No instance of the Pyro class reaches the state Ignition_done
- All instances of class Valve shall reach one of the states Failed_Close or Close after at most 2 seconds since the initial valve failure.
- The events EAP_Preparation and EAP_Release are never emitted.
Other examples IFx has also been used for the verification of timed safety properties in two other Omega case studies : MARS (Medium Altitude Reconnaissance System) by NLR and a Sensor Voting and Monitoring system by IAI. Details are available here. Resources and downloads
Download the tools here for one of the following platforms:
- Linux iX86
- Windows - Cygwin (for GNU GCC users)
- Window - native (for Visual C++ users)
The following documents describe different aspects of the toolset:
- A paper presenting the tool principles and the Ariane-5 case study : _ Iulian Ober, Susanne Graf, Ileana Ober Validating timed UML models by simulation and verification. Accepted for publication in STTT, Int. Journal on Software Tools for Technology Transfer. Springer Verlag, 2004. download
- A paper presenting the real-time features of the Omega profile :
Susanne Graf, Ileana Ober, Iulian Ober. A real-time profile for UML. Submitted to STTT, Int. Journal on Software Tools for Technology Transfer Springer Verlag 2004 download
- Slides of an IF tutorial (given at SPIN’2004) download
- A deliverable on the syntax of different model elements (actions, observers, timing constraints) download
IF-2.0 Copyright (C) Verimag/IMAG. All rights reserved.
This software may be freely used, copied and redistributed without fee for non-commerical purposes provided that this copyright notice is preserved intact on all copies and modified copies.
There is no warranty or other guarantee of fitness of this software. It is provided solely "as is". The author disclaims all responsibility and liability with respect to this software’s usage or its effect upon hardware or computer systems.
The toolbox is available on the following system configurations:
|Sparc station||SunOS Solaris||2.8||-|
|PC computer||Linux Debian||2.2.19||-|
|PC computer||Windows||*||Cygwin 1.3.10|
|PC computer||Windows||*||Visual C++ 6.0|
|PC computer||Windows||*||Visual C++ 7.0 (.NET)|
The entire distribution requires 4 MB of disk space.