Table of Contents
caesar - compilation & verification of LOTOS specifications
caesar
[
-aldebaran] [
-analysis] [
-bcg] [
-cc options] [
-comments] [
-depend] [
-english]
[
-error] [
-exec] [
-exit] [
-external] [
-e7] [
-e7old] [
-force] [
-french] [
-functionality]
[
-gc] [
-gradual] [
-graph] [
-indent] [
-iso] [
-map] [
-monitor] [
-more command] [
-network]
[
-newstyle] [
-nupn] [
-oldstyle] [
-open] [
-root instantiation] [
-safety] [
-silent]
[
-simulator] [
-trigger optimization] [
-verbose] [
-version] [
-v3] [
-v4] [
-warning]
filename[
.lotos]
caesar [Gar89b,GS90] is a compiler that translates
a LOTOS specification into executable code that can be used to explore,
on-the-fly or exhaustively, the graph (also called labelled transition system,
reachability graph, state space, etc.) corresponding to the behaviour of
this specification.
caesar itself does not embody verification capabilities,
but it smoothly interfaces with many tools that can perform explicit-state
and on-the-fly verification on the generated graph, including model checking,
equivalence checking, and visual checking.
Taking as input filename.lotos,
which contains a LOTOS specification, optionally accompanied by filename.h,
which provides C types and functions implementing the LOTOS sorts and
operations defined in filename.lotos, caesar performs successive transformation
steps and produces a C program that allows to execute, simulate, and/or
build the corresponding graph. In the latter case, the result of caesar
is the graph itself, rather than the C program, which is removed after
its execution.
When generated by caesar.adt
, filename.h may include
two files filename.t and filename.f if there are external sorts and/or operations
declared in the LOTOS specification.
Refer to the lotos
manual page
for a detailed description of the conventions to be followed by filename.lotos,
filename.h, filename.t and filename.f.
- -aldebaran
- Generate output file
filename.aut, which contains a graph in the AUT textual format. See the aut
manual page for a description of this format. Not a default option.
- -analysis
- Analyze filename.lotos in order to detect errors and stop. The following
phases are performed: syntactic analysis, static semantic analysis, restriction,
expansion and generation. This option does not generate any output, except
error diagnostics. Not a default option.
- -bcg
- Generate output file filename.bcg,
which contains a graph in the BCG (Binary-Coded Graphs) format. See the bcg
manual page for a description of this format. Default option unless one
of the following options is set: -aldebaran, -graph, -exec, or -open.
- -bpn
- As
of April 2014, this option was renamed into -nupn (see item #1828 in file
"$CADP/HISTORY" for details).
- -cc options
- Pass options to the C compiler when
it is invoked. options is a list of compiler options (enclosed in quotes
or double quotes). These options are appended to the compiler options, if
any, contained in the $CADP_CC environment variable (see ENVIRONMENT VARIABLES
below). Not a default option.
- -comments
- Issue a warning message for each LOTOS
sort or operation that is not properly labelled by a special comment of
the form
(*!...*)
. Not a default option.
- -depend
- Display the list of library
files included (directly or transitively) in filename[.lotos] and stop. This
list may be incomplete if the LOTOS specification is syntactically incorrect.
Not a default option.
- -english
- Print messages in English. Opposite of -french.
This option overrides the $CADP_LANGUAGE environment variable (see ENVIRONMENT
VARIABLES below).
- -error
- A file, filename.err, is generated by caesar. It contains
detailed error diagnostics. When it terminates, caesar displays the content
of this file on the screen, using the $CADP/src/com/cadp_more command,
unless -error option is set.
- -exec
- Generate the kernel module filename.c to
be used in the EXEC/CAESAR environment. Not a default option.
- -exit
- Perform
network reduction in order to replace all tau-transitions derived from a
LOTOS enabling operator ">>" by epsilon-transitions, often leading to a smaller
graph. This transformation preserves safety and trace equivalence, but
neither strong, branching, nor observational equivalence. Not a default
option.
- -external
- Generate a file filename.c.proto containing skeletons for
EXEC/CAESAR's gate functions, i.e., functions associated to all visible gates
of the LOTOS specification. These functions are incomplete and have to be
completed manually (at the places marked "...") with input/output operations
so as to interface the LOTOS specification with its real environment. This
option must be used together with the -exec option. Not a default option.
Note: if filename.c.proto already exists in the current directory, caesar
will not overwrite it, because it might have been modified manually.
- -e7
- Do not perform the new (BDD based) optimization E7, which removes dead
transitions, still preserving strong equivalence. Alternatively, one may
set the environment variable $CAESAR_BDD_TIMEOUT to impose a time limit
on optimization E7, which will stop whenever this limit is exceeded, also
preserving strong equivalence; see the caesar.bdd
manual page for
details. Not a default option.
- -e7old
- Perform the old (explicit-state based)
optimization E7 instead of the new (BDD based) optimization E7. Not a default
option.
- -force
- Force caesar to regenerate filename.c even if not necessary.
This option is only meaningful if caesar is used with options -exec (EXEC/CAESAR
mode), -open (OPEN/CAESAR mode), or -simulator. Not a default option. By default
caesar will attempt not to regenerate filename.c if this file already exists
in the current directory, and if it has been modified more recently than
(1) the corresponding LOTOS file (filename.lotos, filename.lot, or filename.l),
(2) than any LOTOS library transitively included (using the "library" clause)
in this LOTOS file, and
(3) than any C file transitively included (using the "#include
" clause)
in filename.c itself.
- -french
- Print messages in French. Opposite of -english.
This option overrides the $CADP_LANGUAGE environment variable (see ENVIRONMENT
VARIABLES below). Even when this option is set, some warning and error messages
related to lexical and syntactic analysis may still be displayed in English.
- -functionality
- Do not check functionality constraints (``
exit
'' and ``noexit
'').
Not a default option.
- -gc
- Invoke the Boehm-Demers garbage collector to reuse
the (potentially large) amounts of memory that have been allocated for
abstract data types and that are no longer used. This option is especially
suitable for LOTOS descriptions involving dynamic data structures, such
as: lists, queues, stacks, etc. Not a default option.
- -gradual
- Apply the optimizations
gradually when generating the network. By default, the optimizations are
applied only after the network is fully generated. Using this option, the
optimizations are applied to each sub-network generated from each operand
of a parallel composition operator. This option is slower, but it can be
useful for dealing with larger LOTOS descriptions and/or for generating
smaller networks. Not a default option.
- -graph
- Generate output file filename.gph,
which contains a graph in a textual, undocumented format intended for
debugging purpose; this format contains a lot of information but is expensive
in disk space. Not a default option.
- -indent
- Do not format using the shell-script
located in $CADP/src/com/cadp_indent the file filename.c.proto generated
by option -external. Not a default option.
- -iso
- Use the standard LOTOS semantics
as defined in ISO/IEC International Standard 8807, disabling the various
language enhancements mentioned in the section EXTENSIONS TO LOTOS of
the lotos
manual page and implemented in caesar. Not a default option.
Not to be used when processing LOTOS specifications generated by lnt2lotos
- -map
- Generate filename.map, which gives correspondence between sort and operation
names occuring in filename.lotos and C type and function names occuring
in filename.h. Not a default option.
- -monitor
- Open a window for monitoring
in real-time the generation of a BCG graph (see option "-bcg" above). Not
a default option.
- -more command
- Use command to display the error messages,
instead of "$CADP/src/com/cadp_more", which is the default. command is a
shell command (preferably enclosed in quotes or double quotes) containing
the pathname of the chosen pager, possibly followed by a list of options.
Not a default option.
- -network
- Generate output file filename.net, which contains
an Interpreted Petri Net in a textual, undocumented format. Not a default
option.
- -newstyle
- When generating skeletons for EXEC/CAESAR's gate functions
(see -external option above), use the new-style function declarations (i.e.,
with prototypes) introduced in ANSI/ISO Standard C. This option must be
used together with the -external option. Default option when option -external
is selected.
- -nupn
- Generate output file filename.nupn, which contains a Nested-Unit
Petri Net in the NUPN format documented in the caesar.bdd
manual
page and stop. Not a default option.
- -oldstyle
- When generating skeletons for
EXEC/CAESAR's gate functions (see -external option above), use the old-style
function declarations (i.e., without prototypes) available in Kerninghan
and Ritchie C. This option is only applicable when gate functions are not
overloaded, i.e., when each gate is always used with the same number of offers,
and with offers of the same sorts and same directions (input or output).
This option must be used together with the -external option. Not a default
option.
- -open
- Generate the graph module filename.c to be used in the OPEN/CAESAR
environement. Not a default option.
- -root instantiation
- Ignore the behaviour
expression following the
behaviour
(or behavior
) keyword in the LOTOS specification
contained in filename.lotos, and replace this behaviour by the one given
by instantiation, which is a character string (preferably enclosed between
single quotes) denoting a LOTOS process instantiation. This string may have
the form 'P
', or 'P [G1, ..., Gm]
', or 'P (V1, ..., Vn)
', or 'P [G1, ..., Gm] (V1, ..., Vn)
',
where P
is either the identifier of the LOTOS specification or the identifier
of a LOTOS process declared at the top-level of the specification (processes
nested within another process are not accepted, and the specification identifier
has precedence over a process identifier having the same name); where [G1,
..., Gm]
is a list of gate identifiers that must either have the same number
of elements as the list of formal gate parameters of P
or be the empty
list (in such case, it is replaced by the list of formal gate parameters
of P
); and where (V1, ..., Vn)
is a list of LOTOS value expressions that must
be algebraically-closed (i.e., contain no variables) and be compatible, in
number and types, with the list of formal variable parameters of P
. Not
a default option. The particular case where instantiation is equal to the
string '-
' is accepted, but left undocumented.
- -safety
- Perform network reduction
in order to replace all tau-transitions by epsilon-transitions, often leading
to a smaller graph. This transformation preserves safety and trace equivalence,
but neither strong, branching, nor observational equivalence. Not a default
option.
- -silent
- Execute silently. Opposite of -verbose. Default option is -verbose.
- -simulator
- Generate the simulator program filename.c and stop, neither compiling,
executing, nor removing this file. This option can be useful to port filename.c
to another (e.g., more powerful) machine, on which the simulator program
can be compiled and executed. Not a default option.
- -trigger optimization
- Print statistics about which optimizations cause a given optimization to
become effective. This option is only useful for CAESAR's development. Not
a default option.
- -verbose
- Print one line for each successive phase performed
by caesar to inform the user about the progress of activities.
- -version
- Display
the current version number of the software and stop. Not a default option.
- -v3
- Do not perform optimization V3, which discovers variables whose values
remain constant during the simulation phase, and replaces them by constants.
Not a default option.
- -v4
- Do not perform optimization V4, which evaluates
statically guards whose value is constant and removes transitions whose
guard is false. Not a default option.
- -warning
- Suppress all warning messages,
keeping (more severe) error messages, at the risk of leaving undetected
issues in the LOTOS specification. Not a default option.
The
architecture of
caesar
follows the principles exposed in [Gar89b]
and Section 3 of [GS90]. The translation proceeds in several successive
phases:
- - syntax analysis phase
- The LOTOS specification is lexically and
syntactically analyzed using a scanner and a parser that have been generated
by the SYNTAX tool of INRIA, which produces analyzers that emit pertinent
error messages and perform, as much as possible, automatic error recovery.
Incorrect LOTOS specifications are rejected; otherwise, an abstract syntax
tree is built. This phase is shared with caesar.adt
- - semantic analysis
phase
- The static semantics constraints of the standard LOTOS definition
are checked on the abstract syntax tree. This is done in several steps:
binding of processes, binding of gates, binding of types, analysis of
type signatures, binding of sorts, binding of variables, binding of operations,
and analysis of process functionality. The LOTOS specifications not matching
these constraints are rejected. This phase is also shared with caesar.adt
- - restriction phase
- The additional static semantics constraints listed in
the section "STATIC-CONTROL CONSTRAINTS" of the lotos
manual page
are checked, and the LOTOS specifications not satisfying these constraints
are rejected. Also, warnings are emitted for the LOTOS processes that cannot
be called from the entry point of the specification.
- - expansion phase
- The
LOTOS syntax tree is translated into another syntax tree implementing SUBLOTOS,
a simplified language derived from LOTOS. Translation is done by replacing
certain LOTOS operators by semantically-equivalent forms, and finitely
unfolding certain process calls to obtain a statically-fixed hierarchy of
concurrent processes in which each gate, variable, and process identifier
plays a unique role.
- - type survey phase
- If a file named filename.h exists,
an auxiliary C program that includes this file is generated, compiled,
and executed so as to obtain information on how LOTOS sorts are implemented
in filename.h (which may itself include other files, such as filename.t
or filename.f). This phase may fail if the contents of filename.h are incorrect
or incomplete.
- - generation phase
- The SUBLOTOS syntax tree is translated
into an interpreted Petri net extended with epsilon-transitions and typed
variables that can be read or written on transitions, and hierarchically
structured into nested units. This network model provides a compact representation
of the control and data flows. During this phase, warnings are emitted when
certain actions cannot be synchronized with a compatible action (i.e., same
gate and same offer types), as this situation is likely to cause local
or global deadlocks.
- - optimization phase
- The network model produced by the
generation phase is simplified by applying a collection of transformations,
each focusing on a particular aspect of the control or data flow. These
optimizations preserve strong equivalence unless the -safety option is set.
Certain transformations generate an auxiliary C program that is compiled
and executed. The generation and optimization phases can be intertwined
by setting the -gradual option.
- - simulation phase
- The optimized network model
is translated into a C program called simulator. With certain options (e.g.,
-exec, -open, or -simulator), the translation terminates there. Otherwise,
the simulator program is compiled and executed to explore all the reachable
states of the network and store the corresponding graph in a file, using
the format requested by the user. If the graph is large, the simulation
phase may take a long time. Because each new state is kept in memory, the
simulation phase should always terminate, either because the available
memory is sufficient to contain all reachable states, or because memory
gets exhausted before the entire graph has been explored; in such case,
caesar tries to properly close the file under generation to leave it in
a coherent state. However, the simulation may loop forever if one of the
C functions defined in filename.h to implement LOTOS operations does not
terminate.
- $CADP_LANGUAGE
- If this variable is set,
its value determines the language in which diagnostic messages will be
reported. Possible values are 'english' and 'french'. Incorrect values will be
ignored silently. If this variable is unset, it is given the default value
'english'.
- $CADP_CC
- If this variable is set, its value determines the name
of the C compiler that will be invoked by caesar. See file $CADP/INSTALLATION_2
for detailed information about this variable. If this variable is unset,
the script-shell $CADP/src/com/cadp_cc will automatically determine the
C compiler to be used by default.
- $CADP_TMP
- If this variable is set, its
value determines the directory in which temporary files are created. If
this variable is unset, it is given the default value '/tmp'.
- $PAGER
- If this
variable is set, its value will be used by the script-shell $CADP/src/com/cadp_more
to display error and warning messages.
When the source is erroneous,
error messages are issued. Exit status is 0 if everything is alright, 1
otherwise.
Hubert Garavel and Wendelin Serwe (INRIA Rhone-Alpes)
- filename.lotos
- LOTOS specification (input)
- filename.h
- implementation in C
of data types (input)
- filename.c
- C code of the simulator (output of -simulator)
- filename.c
- C code of the graph module (output of -open)
- filename.c
- C code
of the kernel module (output of -exec)
- filename.c.proto
- skeleton for gate
functions (output of -external)
- filename.aut
- graph in AUT format (output)
- filename.bcg
- graph in BCG format (output)
- filename.net
- Interpreted Petri
Net (output)
- filename.nupn
- Nested-Unit Petri Net (output)
- filename.gph
- graph
in debugging format (output)
- filename.err
- detailed error messages (output)
- filename.map
- ADT correspondence table (output)
- libname.lib
- user ADT library
(input)
For simplicity, the standard error stream is not used; all messages
are written to the standard output stream, which is made unbuffered. The
file filename.err is created at the beginning of execution and removed,
if empty, at the end of execution.
- $CADP/lib/libname.lib
- predefined
ADT library (input)
- $CADP/src/com/cadp_cc
- C compiler shell
- $CADP/src/com/cadp_more
- pager shell
- $CADP/gc
- Boehm-Demers garbage collector (input)
- $CADP/LICENSE
- license file
- $CADP_TMP/*.c
- C code generated during type survey (temporary)
- $CADP_TMP/*.c
- C code generated during optimization (temporary)
- $CADP_TMP/*.x
- binary code for
type survey (temporary)
- $CADP_TMP/*.x
- binary code for optimization (temporary)
- $CADP_TMP/*.x
- binary code of simulator program (temporary)
- $CADP_TMP/*.inf
- results
of information phase (temporary)
- $CADP_TMP/*.trt
- contents of -root option
(temporary)
- $CADP_TMP/*.tsv
- results of type survey (temporary)
- $CADP_TMP/*.nupn
- Nested-Unit Petri Net for optimization (temporary)
- $CADP_TMP/*.oe7
- results
of old optimization E7 (temporary)
- $CADP_TMP/*.ov3
- results of optimization
V3 (temporary)
- $CADP_TMP/*.ov4
- results of optimization V4 (temporary)
- $CADP_TMP/*.ov7
- results of optimization V7 (temporary)
[Gar89b] Hubert Garavel.
Compilation et verification de programmes LOTOS. These de doctorat, Universite
Joseph Fourier, Grenoble, November 1989. Available from
http://cadp.inria.fr/publications/Garavel-89-b.html
[GS90] Hubert Garavel and Joseph Sifakis. Compilation and Verification of
LOTOS Specifications. In L. Logrippo, R. L. Probert, and H. Ural, editors, Proceedings
of the 10th IFIP International Symposium on Protocol Specification, Testing
and Verification (PSTV'90), Ottawa, Canada. North Holland, pages 379-394,
June 1990. Available from http://cadp.inria.fr/publications/Garavel-Sifakis-90.html
[GS04] Hubert Garavel and Wendelin Serwe. State Space Reduction for Process
Algebra Specifications. In Charles Rattray, Savitri Maharaj, and Carron
Shankland, editors, Proceedings of the 10th International Conference on
Algebraic Methodology and Software Technology (AMAST'04), Stirling, Scotland,
UK. Lecture Notes in Computer Science, vol. 3116, pages 164-180, Springer,
July 2004. Available from http://cadp.inria.fr/publications/Garavel-Serwe-04.html
[GS06] Hubert Garavel and Wendelin Serwe. State Space Reduction for Process
Algebra Specifications. Theoretical Computer Science, vol. 351, num. 2, pages
131-145, February 2006. Available from http://cadp.inria.fr/publications/Garavel-Serwe-06.html
OPEN/CAESAR Reference Manual,
aut
,
bcg
,
caesar.adt
,
caesar.bdd
,
caesar.indent
,
lotos
,
lotos.open
,
lnt2lotos
Additional information is available from the CADP Web
page located at http://cadp.inria.fr
Directives for installation are given
in files $CADP/INSTALLATION_*.
Recent changes and improvements to this software
are reported and commented in file $CADP/HISTORY.
Please report new
bugs to
[email protected]
Table of Contents