- •CONTENTS
- •PREFACE
- •LIST OF FIGURES
- •INTRODUCTION
- •1.1 WHAT IS TIME?
- •1.2 SIMULATION
- •1.3 TESTING
- •1.4 VERIFICATION
- •1.6 USEFUL RESOURCES
- •2.1 SYMBOLIC LOGIC
- •2.1.1 Propositional Logic
- •2.1.2 Predicate Logic
- •2.2 AUTOMATA AND LANGUAGES
- •2.2.1 Languages and Their Representations
- •2.2.2 Finite Automata
- •2.3 HISTORICAL PERSPECTIVE AND RELATED WORK
- •2.4 SUMMARY
- •EXERCISES
- •3.1 DETERMINING COMPUTATION TIME
- •3.2 UNIPROCESSOR SCHEDULING
- •3.2.1 Scheduling Preemptable and Independent Tasks
- •3.2.2 Scheduling Nonpreemptable Tasks
- •3.2.3 Nonpreemptable Tasks with Precedence Constraints
- •3.2.5 Periodic Tasks with Critical Sections: Kernelized Monitor Model
- •3.3 MULTIPROCESSOR SCHEDULING
- •3.3.1 Schedule Representations
- •3.3.3 Scheduling Periodic Tasks
- •3.4 AVAILABLE SCHEDULING TOOLS
- •3.4.2 PerfoRMAx
- •3.4.3 TimeWiz
- •3.6 HISTORICAL PERSPECTIVE AND RELATED WORK
- •3.7 SUMMARY
- •EXERCISES
- •4.1 SYSTEM SPECIFICATION
- •4.2.1 Analysis Complexity
- •4.3 EXTENSIONS TO CTL
- •4.4 APPLICATIONS
- •4.4.1 Analysis Example
- •4.5 COMPLETE CTL MODEL CHECKER IN C
- •4.6 SYMBOLIC MODEL CHECKING
- •4.6.1 Binary Decision Diagrams
- •4.6.2 Symbolic Model Checker
- •4.7.1 Minimum and Maximum Delays
- •4.7.2 Minimum and Maximum Number of Condition Occurrences
- •4.8 AVAILABLE TOOLS
- •4.9 HISTORICAL PERSPECTIVE AND RELATED WORK
- •4.10 SUMMARY
- •EXERCISES
- •VISUAL FORMALISM, STATECHARTS, AND STATEMATE
- •5.1 STATECHARTS
- •5.1.1 Basic Statecharts Features
- •5.1.2 Semantics
- •5.4 STATEMATE
- •5.4.1 Forms Language
- •5.4.2 Information Retrieval and Documentation
- •5.4.3 Code Executions and Analysis
- •5.5 AVAILABLE TOOLS
- •5.6 HISTORICAL PERSPECTIVE AND RELATED WORK
- •5.7 SUMMARY
- •EXERCISES
- •6.1 SPECIFICATION AND SAFETY ASSERTIONS
- •6.4 RESTRICTED RTL FORMULAS
- •6.4.1 Graph Construction
- •6.5 CHECKING FOR UNSATISFIABILITY
- •6.6 EFFICIENT UNSATISFIABILITY CHECK
- •6.6.1 Analysis Complexity and Optimization
- •6.7.2 Timing Properties
- •6.7.3 Timing and Safety Analysis Using RTL
- •6.7.5 RTL Representation Converted to Presburger Arithmetic
- •6.7.6 Constraint Graph Analysis
- •6.8 MODECHART SPECIFICATION LANGUAGE
- •6.8.1 Modes
- •6.8.2 Transitions
- •6.9.1 System Computations
- •6.9.2 Computation Graph
- •6.9.3 Timing Properties
- •6.9.4 Minimum and Maximum Distance Between Endpoints
- •6.9.5 Exclusion and Inclusion of Endpoint and Interval
- •6.10 AVAILABLE TOOLS
- •6.11 HISTORICAL PERSPECTIVE AND RELATED WORK
- •6.12 SUMMARY
- •EXERCISES
- •7.1.1 Timed Executions
- •7.1.2 Timed Traces
- •7.1.3 Composition of Timed Automata
- •7.1.4 MMT Automata
- •7.1.6 Proving Time Bounds with Simulations
- •7.2.1 Untimed Traces
- •7.2.2 Timed Traces
- •7.3.1 Clock Regions
- •7.3.2 Region Automaton
- •7.4 AVAILABLE TOOLS
- •7.5 HISTORICAL PERSPECTIVE AND RELATED WORK
- •7.6 SUMMARY
- •EXERCISES
- •TIMED PETRI NETS
- •8.1 UNTIMED PETRI NETS
- •8.2 PETRI NETS WITH TIME EXTENSIONS
- •8.2.1 Timed Petri Nets
- •8.2.2 Time Petri Nets
- •8.3 TIME ER NETS
- •8.3.1 Strong and Weak Time Models
- •8.5.1 Determining Fireability of Transitions from Classes
- •8.5.2 Deriving Reachable Classes
- •8.6 MILANO GROUP’S APPROACH TO HLTPN ANALYSIS
- •8.6.1 Facilitating Analysis with TRIO
- •8.7 PRACTICALITY: AVAILABLE TOOLS
- •8.8 HISTORICAL PERSPECTIVE AND RELATED WORK
- •8.9 SUMMARY
- •EXERCISES
- •PROCESS ALGEBRA
- •9.1 UNTIMED PROCESS ALGEBRAS
- •9.2 MILNER’S CALCULUS OF COMMUNICATING SYSTEMS
- •9.2.1 Direct Equivalence of Behavior Programs
- •9.2.2 Congruence of Behavior Programs
- •9.2.3 Equivalence Relations: Bisimulation
- •9.3 TIMED PROCESS ALGEBRAS
- •9.4 ALGEBRA OF COMMUNICATING SHARED RESOURCES
- •9.4.1 Syntax of ACSR
- •9.4.2 Semantics of ACSR: Operational Rules
- •9.4.3 Example Airport Radar System
- •9.5 ANALYSIS AND VERIFICATION
- •9.5.1 Analysis Example
- •9.5.2 Using VERSA
- •9.5.3 Practicality
- •9.6 RELATIONSHIPS TO OTHER APPROACHES
- •9.7 AVAILABLE TOOLS
- •9.8 HISTORICAL PERSPECTIVE AND RELATED WORK
- •9.9 SUMMARY
- •EXERCISES
- •10.3.1 The Declaration Section
- •10.3.2 The CONST Declaration
- •10.3.3 The VAR Declaration
- •10.3.4 The INPUTVAR Declaration
- •10.3.5 The Initialization Section INIT and INPUT
- •10.3.6 The RULES Section
- •10.3.7 The Output Section
- •10.5.1 Analysis Example
- •10.6 THE ANALYSIS PROBLEM
- •10.6.1 Finite Domains
- •10.6.2 Special Form: Compatible Assignment to Constants,
- •10.6.3 The General Analysis Strategy
- •10.8 THE SYNTHESIS PROBLEM
- •10.8.1 Time Complexity of Scheduling Equational
- •10.8.2 The Method of Lagrange Multipliers for Solving the
- •10.9 SPECIFYING TERMINATION CONDITIONS IN ESTELLA
- •10.9.1 Overview of the Analysis Methodology
- •10.9.2 Facility for Specifying Behavioral Constraint Assertions
- •10.10 TWO INDUSTRIAL EXAMPLES
- •10.10.2 Specifying Assertions for Analyzing the FCE Expert System
- •Meta Rules of the Fuel Cell Expert System
- •10.11.1 General Analysis Algorithm
- •10.11.2 Selecting Independent Rule Sets
- •10.11.3 Checking Compatibility Conditions
- •10.12 QUANTITATIVE TIMING ANALYSIS ALGORITHMS
- •10.12.1 Overview
- •10.12.2 The Equational Logic Language
- •10.12.3 Mutual Exclusiveness and Compatibility
- •10.12.5 Program Execution and Response Time
- •10.12.8 Special Form A and Algorithm A
- •10.12.9 Special Form A
- •10.12.10 Special Form D and Algorithm D
- •10.12.11 The General Analysis Algorithm
- •10.12.12 Proofs
- •10.13 HISTORICAL PERSPECTIVE AND RELATED WORK
- •10.14 SUMMARY
- •EXERCISES
- •11.1 THE OPS5 LANGUAGE
- •11.1.1 Overview
- •11.1.2 The Rete Network
- •11.2.1 Static Analysis of Control Paths in OPS5
- •11.2.2 Termination Analysis
- •11.2.3 Timing Analysis
- •11.2.4 Static Analysis
- •11.2.5 WM Generation
- •11.2.6 Implementation and Experiment
- •11.3.1 Introduction
- •11.3.3 Response Time of OPS5 Systems
- •11.3.4 List of Symbols
- •11.3.5 Experimental Results
- •11.3.6 Removing Cycles with the Help of the Programmer
- •11.4 HISTORICAL PERSPECTIVE AND RELATED WORK
- •11.5 SUMMARY
- •EXERCISES
- •12.1 INTRODUCTION
- •12.2 BACKGROUND
- •12.3 BASIC DEFINITIONS
- •12.3.1 EQL Program
- •12.3.4 Derivation of Fixed Points
- •12.4 OPTIMIZATION ALGORITHM
- •12.5 EXPERIMENTAL EVALUATION
- •12.6 COMMENTS ON OPTIMIZATION METHODS
- •12.6.1 Qualitative Comparison of Optimization Methods
- •12.7 HISTORICAL PERSPECTIVE AND RELATED WORK
- •12.8 SUMMARY
- •EXERCISES
- •BIBLIOGRAPHY
- •INDEX
120 MODEL CHECKING OF FINITE-STATE SYSTEMS
Symbolic Model Checking Algorithm:
Input: model M represented by BDDs and CTL formula f . Output: whether f is satisfied.
Let f s denote the value of formula f in state s. If formula f is:
atomic proposition P: return the BDD for P.
¬ f1 or f1 f2: execute Bryant’s algorithms [Bryant, 1986] for Boolean connectives. EX f : return f s = true iff there is a successor state s such that f s = true,
that is, s [ f s N (s, s )].
E[ f1 U f2]: construct the BDD (representing the states in which f holds) by iterating
E[ f1 U f2] = f2 ( f1 EX E[ f1 U f2]).
EG f : construct the BDD by finding the greatest fixed point EG f and iterating EG f = f EX EG f .
All other CTL operators can be stated using the above operators.
Figure 4.5 Symbolic model checking algorithm.
4.6.2 Symbolic Model Checker
Instead of explicitly enumerating all states in the model, which is a labeled state transition system or Kripke structure, we symbolically represent it as BDDs, hence the name symbolic model checker (SMC) [Burch et al., 1990a]. We have to find a way to translate the model into BDDs. Suppose that the current state of the system is represented by a vector of Boolean variables S = {s0, . . . , sn−1} and the next state of the system is represented by a vector of Boolean variables S = {s 0, . . . , s n−1}. Using S and S , the transition relation between the values of the variables in the current and the next states can be stated as a Boolean formula N (s0, . . . , sn−1, s 0, . . . , s n−1). Note that a finite-domain non-Boolean variable can be easily converted into a vector of Boolean variables. We give an example of this conversion in chapter 12 (section 12.3.1).
Each transition in this transition graph models the time passage of one time unit. Without further extensions, non-unit as well as nondeterministic transition time can be modeled by a sequence of unit transitions. Later, we will see that it is easy to extend this transition graph into a more powerful model called the timed transition graph [Campos et al., 1994].
The symbolic model checker, shown in Figure 4.5, takes as input the model M represented by BDDs and the formula f to be verified (in the initial states of M). For every atomic proposition in S, it outputs a BDD with one Boolean variable such that the BDD is true in a state iff the formula f is true in that state.
4.7 REAL-TIME CTL
CTL can specify the relative ordering of events or actions in a finite state system, but it cannot directly express when these events or actions occur. An awkward way of specifying that some event will occur in the future in at most a fixed number of time units is by nesting EX or AX operators. Real-time systems impose bounds on
REAL-TIME CTL |
121 |
the response time of events and actions. To handle properties with these quantitative constraints, CTL has been extended in a number of ways. Here we describe one extension [Emerson et al., 1990] that adds time intervals to CTL temporal operators and introduces the bounded until operator U[x, y].
The formula E[ f1 U[x, y] f2] at a given state means that a path exists beginning at this state and leading to a future state where f2 holds, f1 holds at every state between the beginning state and this future state, and the distance between the beginning state and this future state is within the interval [x, y]. This definition is now formalized.
Existentially Bounded Until Operator: The formula E[ f1 U[x, y] f2] at state s0 means that a path exists beginning at s0 and some i such that x ≤ i ≤ y and f2 holds at state si and j < i, f1 holds at state s j .
Example. Let f1 denote that the wireless telephone’s battery power is in the “low” position. Let f2 denote that the wireless telephone is “off.” Then E[ f1 U [5, 18] f2] states that there is an execution path in which the telephone will turn “off” within a time interval between 5 and 18 time units of the telephone’s battery power indicating the “low” position, and before this “off” state the telephone’s battery power is in the “low” position.
The formula EG[x, y] f at state s0 means that there exists a path beginning at s0 and i, x ≤ i ≤ y, f holds at state si .
4.7.1 Minimum and Maximum Delays
Now we describe algorithms [Campos et al., 1994] for finding the minimum and maximum delays between two events. These are known as quantitative algorithms since they compute numerical timing information about events rather than just relative ordering of events in a system. Given a real-time system, they are used to verify that given timing constraints are satisfied and also to predict the system’s performance, telling how well the system performs relative to the given timing constraints. These algorithms start from states satisfying the first event, explore all possible execution paths, and terminate when a state satisfying the second event is reached.
The minimum delay algorithm (Figure 4.6) takes as input the start set and the final set of states satisfying the first event and the second event, respectively. If a state in final set is reachable from a state in start set, it returns the length in terms of the number of edges in a shortest path from a state in start set to a state in final set. If none of the states in final set is reachable, then the algorithm returns infinity. For example, the first event can be a request to use a non-sharable resource by a real-time process and the second event can be the allocation of this resource to this process, so the minimum delay algorithm finds the minimum waiting time for this process to obtain the resource.
The function successors set(S) returns the set of successor states of state S and is defined as successors set(S) = {s |N (s, s ) is true for some s S}. This func-
122 MODEL CHECKING OF FINITE-STATE SYSTEMS
procedure min delay(start set, final set) i := 0;
R := start set;
R := successors set(R) R;
while R = R R ∩ final set = do i := i + 1;
R := R ;
R := successors set(R ) R ; if R ∩ final set =
then return i; else return ∞;
Figure 4.6 Minimum delay algorithm.
tion, the sets R and R of states, and the intersection and union operations are all implemented using BDDs.
Next we describe the maximum delay algorithm (Figure 4.7), which also takes as input the start set and the final set of states satisfying the first event and the second event, respectively. If a state in final set is reachable from a state in start set, it returns the length in terms of the number of edges in a longest path from a state in start set to a state in final set. If an infinite path exists from a state in start set that never reaches a state in final set, then the algorithm returns infinity. Again, for example, the first event can be a request to use a non-sharable resource by a real-time process and the second event can be the allocation of this resource to this process, so the maximum delay algorithm finds the maximum waiting time for this process to obtain the resource. If we impose a deadline (relative to the resource request time by this process) for the allocation of this resource to this process, then the maximum delay algorithm tells us whether this deadline can be satisfied or not.
The set not final set represents the set of states which are not in the set final set. The function predecessors set(S ) returns the set of predecessor states of state S and is defined as predecessors set(S ) = {s|N (s, s ) is true for some s S }. As in the minimum delay algorithm, this predecessor function, the sets R and R of states,
procedure max delay(start set, final set)
i := 0;
R := true;
R := not final set;
while R = R R ∩ start set = do i := i + 1;
R := R ;
R := predecessors set(R ) not final set; if R = R
then return ∞; else return i;
Figure 4.7 Maximum delay algorithm.
REAL-TIME CTL |
123 |
and the intersection operations are all implemented using BDDs. Here, a backward search is needed to identify a longest path.
Two reasons exist for the efficiency of these quantitative algorithms. First, Boolean formulas are used to represent the sets of states satisfying certain events, and these formulas are represented by BDDs in the implementation. Since sets are represented by BDDs, the operations on these sets are implemented as efficient operations on the BDDs described earlier. Second, these operations are applied to sets of many states instead of individual states, thus significantly reducing computation time for exhaustive state space exploration.
4.7.2 Minimum and Maximum Number of Condition Occurrences
Often we are interested in knowing the number of states satisfying a given condition along a path, for example, how many times a train arrives and passes a railroad crossing. Here, we describe two condition counting algorithms [Campos et al., 1994] that compute the minimum and maximum number of states satisfying a given condition over all finite paths from a state in the start set to a state in the final set, thus telling the minimum and maximum number of occurrences of this condition over all finite paths between these states.
Similar to the minimum and maximum delay algorithms, these quantitative algorithms start from states satisfying the first event, explore all possible execution paths and count the number of states satisfying a given condition, and terminate when a state satisfying the second event is reached. Before running either condition counting algorithm, we have to first check that a finite path is present in the transition graph from a state in the start set to a state in the final set using the maximum delay algorithm described above.
We need to introduce a counter variable in each state to remember the number of states satisfying the given condition along the path traversed so far. To do this systematically, a new state transition system is introduced in which each state is a pair of the original state and the positive integer counter [Campos et al., 1994]. Let N be the set of natural numbers. The state set is Sa = S × N.
Augmented Transition Relation: Given an original state-transition graph with transition relation N S × S, the corresponding augmented transition relation Na Sa × Sa is defined as
Na ( s, k , s , k ) = N (s, s ) (s condition k = k + 1 s / condition k = k).
This means that in the augmented transition relation Na , there is a transition froms, k to s , k iff there is a transition from state s to state s in the original transition relation N and either s belongs to the condition and the counter k is k + 1 or s does not belong to the condition and k is the same as k. Therefore, the condition counter k for state s is incremented only if state s satisfies this condition.
124 MODEL CHECKING OF FINITE-STATE SYSTEMS
Let T Sa . Again, the function successors set(T ) returns the set of predecessor states of state S and is defined as successors set(T ) = {t |N (t, t ) is true for some t T }. We now outline the minimum counting algorithm.
Procedure min count ( start set, condition, final set ) current min := ∞;
R = { s, 1 |s start set ∩ condition} { s, 0 |s start set ∩ condition}; loop
reached final set := R ∩ final set; if reached final set = then begin
m := max{k| s, k reached final set}; if m < current min then current min := m
end;
R := R ∩ not final set;
if R = then return current min;
R := successors set(R ) endloop;
Figure 4.8 Minimum condition-counting algorithm.
In the algorithm (Figure 4.8), variable current min gives the minimum count for all previous iterations. The set R is the set of states in Sa reached in the current iteration of the loop. The algorithm checks the endpoints of paths with i states during the ith iteration. If the states are in final set (meaning they are the terminal states of paths), the counter values are used to compute the minimum count for these paths and the current minimum is updated. If the states are not in final set (meaning they are not terminal states of paths), the loop continues after deriving the successors of these non-terminal states. The algorithm returns the current minimum as the minimum count when all reached states are in final set.
Procedure max count ( start set, condition, final set ) current max := −∞;
R = { s, 1 |s start set ∩ condition} { s, 0 |s start set ∩ condition}; loop
reached final set := R ∩ final set; if reached final set = then begin
m := max{k| s, k reached final set};
if m > current max then current max := m
end;
R := R ∩ not final set;
if R = then return current max;
R := successors set(R ) endloop;
Figure 4.9 Maximum condition-counting algorithm.
REAL-TIME CTL |
125 |
We derive the maximum condition counting algorithm by reversing the inequalities and by replacing min by max, as shown in Figure 4.9.
4.7.3 Non-Unit Transition Time
Events in a real-time system may take different lenghts of time to occur, leading to non-unit transition time between two states in the state transition system modeling this real-time system. Also, transition time between two specific states may also change for different instances of the same event. However, the state transition system presented earlier assumes that every transition takes one time unit. One way to handle non-unit transition time is to extend the unit-time state transition graph into a timed transition graph [Campos and Clarke, 1993].
Timed Transition Graph (TTG): A timed transition graph (TTG) model attaches a discrete time interval of a pair of natural numbers [lower bound, upper bound] to each transition in a finite-state transition graph.
The notation N (s, lower bound, upper bound, s ) means that the transition from state s to state s may nondeterministically take any number of time units between lower bound and upper bound. Using the same approach as in the augmented state transition graph model for the condition counting algorithms, here we add a time counter to each state to indicate the number of time units to transition out of this state.
Timed Transition Relation (TTR): transition relation N S × S, the Na Sa × Sa is defined as
Given an original state-transition graph with corresponding augmented transition relation
Na ( s, t , s , t ) = N (s, δ, s ) t = t + δ.
This means that in the augmented transition relation Na , a transition exists from s, t to s , t iff a transition exists from state s to state s in the original transition relation N that may take δ time units, t = t + δ, and lower bound ≤ δ ≤ upper bound.
Now we consider how to determine quantitative properties of a real-time system specified in a TTG model. To compute the minimum and maximum delays between two sets of states satisfying two events, we can use the same minimum and maximum delay algorithms described earlier with the extra steps described below (Figure 4.10).
We can also apply the condition counting algorithms without modification to TTGs by first extending the augmented transition relation in the unit-time transition system described earlier into the augmented timed transition relation.
Augmented Timed Transition Relation (ATTR): Given an original state-transition graph with transition relation N S × S, the corresponding augmented timed transition relation Na Sa × Sa is defined as
Na ( s, t , s , t ) = N (s, δ, s ) (s condition t = t + δ s condition t = t).