In this file, we will describe the syntax of the main EFM instructions and we will give an intuition of their symbolic evaluation semantics. Before that, we will introduce the notions of symbolic evaluation context and symbolic evaluation tree which represent all possible evaluation paths for an instruction. The behavior of a machine is described thanks to a set of instructions. An evaluation context EC (also called an evaluation environment) contains the information necessary for the symbolic evaluation of these instructions. It is composed of
![Tree][tree.jpg]
It defines a set of instructions ordered by an operator. By default, this operator is the standard sequence |;|. These block operators can be put into three categories: sequencing, scheduling and concurrency.
{ [ operator ] ( statement )+ } operator ::= // sequencing |§| | |;| | |;;| | |.| // scheduling |>| | |xor| | |/\| // concurrencing |and| | |or| | |i| | |,|
Let P and Q be two processes. We say that a process terminates when it has been totally evaluated (without being interrupted by, for example, the failure of a guarded instruction), and that it fails otherwise.
![Evaluation possibilities][evaluation.jpg]
There are as many evaluation possibilities as there are red dots (starting states). For instance, « P |.| Q » can be reduced to P if Q does not terminate, or to P followed by Q. If P does not terminate, « P|.|Q » does not terminate either.
Its evaluation terminates only if both P and Q terminate. Otherwise, no effects are preserved, and we go back to the initial context.
This is not a standard sequence: its evaluation terminates if one of the two processes P or Q terminate. We try to evaluate P. If it terminates, then Q is evaluated from the resulting context, otherwise, from the initial context. This sequence can be used to create a partial order which avoids combinatorial explosion resulting from machine interleaving.
This sequence terminates only if P terminates. If Q does not terminate, the resulting context will be P‘s resulting context: P side-effects are preserved. For example, from context EC< CS, VD, BD, PC, ET >, if Q does not terminate, the evaluation of a transition labelled with « P |.| Q » will fail, but still, the result will be a new context EC’< CS, VD’, BD’, PC’, ET’ > with, at least, the same control CS as EC. The evaluation of this transition will be tried again from EC’ at the next step.
Process P is evaluated in the initial context. Process Q is evaluated in the initial context with in addition, if P terminates, the Boolean negation of conditions resulting from P’s evaluation. Thus, if both P and Q terminate, there are two possible resulting contexts
Both processes P and Q are evaluated from the initial context. If both terminate, there will be at least two execution paths, showing the indeterminism.
Both processes are evaluated from the initial context. If they both terminate, both contexts of resulting sets will be merged, providing that there are no concurrent accesses and the merge of their reachability constraints is satisfiable. Thus, we will simulate their strict simultaneous evaluation, i.e. their synchronous evaluation. Otherwise, the evaluation fails.
Both processes are sequentially evaluated, considering every possibility: here P followed by Q and Q followed by P. Warning: this operator easily leads to an explosion of the number of execution paths.
If both processes terminate, they are evaluated simultaneously if possible (for example, there must be no concurrent acces), otherwise the evaluation fails. If one of the processes does not terminate, the other one will be evaluated alone.
A « rvalue » expression is evaluated and assigned to the variable resulting of the evaluation of a « lvalue ». This variable is:
lvalue ( = | := ) rvalue ;
An expression « rvalue » is assigned to a « macro » without being evaluated.
lvalue<macro> ::= rvalue ;
[ ++ | -- ] lvalue ; lvalue [ ++ | -- ] ;
The guard instruction evaluates a symbolic expression, checks whether it is satisfiable, and adds the result to Path Condition. The event instruction evaluates an expression to true or false without using any solver. If it is not possible, the expression is evaluated to false.
guard expression< boolean >; event expression< boolean >;
guard patient_connected && (! Error) ; guard timer != 0; event bad_connection; event x>x_Max;
input portID [ ( ( expression ) +<,> ) ] [ <-- machine ] ; output portID [ ( ( expression ) +<,> ) ] [ --> machine ] ; present portID absent portID
Input and output instructions enable the sending and reception of messages or signals that might contain parameters. The sending machine – in the case of an input, or the receiving machine – in the case of an output, can be specified. Keywords present and absent check whether a message is present or absent on a given port.
@declaration{ public port input p1; public port input p2(boolean); public port output p3; public port output p4(integer); } … input p1; input p2(x); output p3 --> m2; output p4(6,25);
They are standard conditional instructions.
if expression< boolean > { statement } ( elseif expression< boolean > { statement } )* [ else { statement } ]
if cond1 {x = x+1;} elseif cond2 {x = x+2;} else {x = y;}
They are standard for, while and do instructions.
for ( statement < assign > ; expression< boolean > ) { statement } while expression< boolean> { statement } do { statement } while expression< boolean > ;
for x=1 ; x<x_Max ; x=x+1; {…} while (x < x_Max) {x=x+1;} do {x=x+1;} while (x < x_Max);
They are standard control and loop instructions.
break ; continue ;