- •CONTENTS
- •PREFACE
- •LIST OF FIGURES
- •INTRODUCTION
- •1.1 WHAT IS TIME?
- •1.2 SIMULATION
- •1.3 TESTING
- •1.4 VERIFICATION
- •1.6 USEFUL RESOURCES
- •2.1 SYMBOLIC LOGIC
- •2.1.1 Propositional Logic
- •2.1.2 Predicate Logic
- •2.2 AUTOMATA AND LANGUAGES
- •2.2.1 Languages and Their Representations
- •2.2.2 Finite Automata
- •2.3 HISTORICAL PERSPECTIVE AND RELATED WORK
- •2.4 SUMMARY
- •EXERCISES
- •3.1 DETERMINING COMPUTATION TIME
- •3.2 UNIPROCESSOR SCHEDULING
- •3.2.1 Scheduling Preemptable and Independent Tasks
- •3.2.2 Scheduling Nonpreemptable Tasks
- •3.2.3 Nonpreemptable Tasks with Precedence Constraints
- •3.2.5 Periodic Tasks with Critical Sections: Kernelized Monitor Model
- •3.3 MULTIPROCESSOR SCHEDULING
- •3.3.1 Schedule Representations
- •3.3.3 Scheduling Periodic Tasks
- •3.4 AVAILABLE SCHEDULING TOOLS
- •3.4.2 PerfoRMAx
- •3.4.3 TimeWiz
- •3.6 HISTORICAL PERSPECTIVE AND RELATED WORK
- •3.7 SUMMARY
- •EXERCISES
- •4.1 SYSTEM SPECIFICATION
- •4.2.1 Analysis Complexity
- •4.3 EXTENSIONS TO CTL
- •4.4 APPLICATIONS
- •4.4.1 Analysis Example
- •4.5 COMPLETE CTL MODEL CHECKER IN C
- •4.6 SYMBOLIC MODEL CHECKING
- •4.6.1 Binary Decision Diagrams
- •4.6.2 Symbolic Model Checker
- •4.7.1 Minimum and Maximum Delays
- •4.7.2 Minimum and Maximum Number of Condition Occurrences
- •4.8 AVAILABLE TOOLS
- •4.9 HISTORICAL PERSPECTIVE AND RELATED WORK
- •4.10 SUMMARY
- •EXERCISES
- •VISUAL FORMALISM, STATECHARTS, AND STATEMATE
- •5.1 STATECHARTS
- •5.1.1 Basic Statecharts Features
- •5.1.2 Semantics
- •5.4 STATEMATE
- •5.4.1 Forms Language
- •5.4.2 Information Retrieval and Documentation
- •5.4.3 Code Executions and Analysis
- •5.5 AVAILABLE TOOLS
- •5.6 HISTORICAL PERSPECTIVE AND RELATED WORK
- •5.7 SUMMARY
- •EXERCISES
- •6.1 SPECIFICATION AND SAFETY ASSERTIONS
- •6.4 RESTRICTED RTL FORMULAS
- •6.4.1 Graph Construction
- •6.5 CHECKING FOR UNSATISFIABILITY
- •6.6 EFFICIENT UNSATISFIABILITY CHECK
- •6.6.1 Analysis Complexity and Optimization
- •6.7.2 Timing Properties
- •6.7.3 Timing and Safety Analysis Using RTL
- •6.7.5 RTL Representation Converted to Presburger Arithmetic
- •6.7.6 Constraint Graph Analysis
- •6.8 MODECHART SPECIFICATION LANGUAGE
- •6.8.1 Modes
- •6.8.2 Transitions
- •6.9.1 System Computations
- •6.9.2 Computation Graph
- •6.9.3 Timing Properties
- •6.9.4 Minimum and Maximum Distance Between Endpoints
- •6.9.5 Exclusion and Inclusion of Endpoint and Interval
- •6.10 AVAILABLE TOOLS
- •6.11 HISTORICAL PERSPECTIVE AND RELATED WORK
- •6.12 SUMMARY
- •EXERCISES
- •7.1.1 Timed Executions
- •7.1.2 Timed Traces
- •7.1.3 Composition of Timed Automata
- •7.1.4 MMT Automata
- •7.1.6 Proving Time Bounds with Simulations
- •7.2.1 Untimed Traces
- •7.2.2 Timed Traces
- •7.3.1 Clock Regions
- •7.3.2 Region Automaton
- •7.4 AVAILABLE TOOLS
- •7.5 HISTORICAL PERSPECTIVE AND RELATED WORK
- •7.6 SUMMARY
- •EXERCISES
- •TIMED PETRI NETS
- •8.1 UNTIMED PETRI NETS
- •8.2 PETRI NETS WITH TIME EXTENSIONS
- •8.2.1 Timed Petri Nets
- •8.2.2 Time Petri Nets
- •8.3 TIME ER NETS
- •8.3.1 Strong and Weak Time Models
- •8.5.1 Determining Fireability of Transitions from Classes
- •8.5.2 Deriving Reachable Classes
- •8.6 MILANO GROUP’S APPROACH TO HLTPN ANALYSIS
- •8.6.1 Facilitating Analysis with TRIO
- •8.7 PRACTICALITY: AVAILABLE TOOLS
- •8.8 HISTORICAL PERSPECTIVE AND RELATED WORK
- •8.9 SUMMARY
- •EXERCISES
- •PROCESS ALGEBRA
- •9.1 UNTIMED PROCESS ALGEBRAS
- •9.2 MILNER’S CALCULUS OF COMMUNICATING SYSTEMS
- •9.2.1 Direct Equivalence of Behavior Programs
- •9.2.2 Congruence of Behavior Programs
- •9.2.3 Equivalence Relations: Bisimulation
- •9.3 TIMED PROCESS ALGEBRAS
- •9.4 ALGEBRA OF COMMUNICATING SHARED RESOURCES
- •9.4.1 Syntax of ACSR
- •9.4.2 Semantics of ACSR: Operational Rules
- •9.4.3 Example Airport Radar System
- •9.5 ANALYSIS AND VERIFICATION
- •9.5.1 Analysis Example
- •9.5.2 Using VERSA
- •9.5.3 Practicality
- •9.6 RELATIONSHIPS TO OTHER APPROACHES
- •9.7 AVAILABLE TOOLS
- •9.8 HISTORICAL PERSPECTIVE AND RELATED WORK
- •9.9 SUMMARY
- •EXERCISES
- •10.3.1 The Declaration Section
- •10.3.2 The CONST Declaration
- •10.3.3 The VAR Declaration
- •10.3.4 The INPUTVAR Declaration
- •10.3.5 The Initialization Section INIT and INPUT
- •10.3.6 The RULES Section
- •10.3.7 The Output Section
- •10.5.1 Analysis Example
- •10.6 THE ANALYSIS PROBLEM
- •10.6.1 Finite Domains
- •10.6.2 Special Form: Compatible Assignment to Constants,
- •10.6.3 The General Analysis Strategy
- •10.8 THE SYNTHESIS PROBLEM
- •10.8.1 Time Complexity of Scheduling Equational
- •10.8.2 The Method of Lagrange Multipliers for Solving the
- •10.9 SPECIFYING TERMINATION CONDITIONS IN ESTELLA
- •10.9.1 Overview of the Analysis Methodology
- •10.9.2 Facility for Specifying Behavioral Constraint Assertions
- •10.10 TWO INDUSTRIAL EXAMPLES
- •10.10.2 Specifying Assertions for Analyzing the FCE Expert System
- •Meta Rules of the Fuel Cell Expert System
- •10.11.1 General Analysis Algorithm
- •10.11.2 Selecting Independent Rule Sets
- •10.11.3 Checking Compatibility Conditions
- •10.12 QUANTITATIVE TIMING ANALYSIS ALGORITHMS
- •10.12.1 Overview
- •10.12.2 The Equational Logic Language
- •10.12.3 Mutual Exclusiveness and Compatibility
- •10.12.5 Program Execution and Response Time
- •10.12.8 Special Form A and Algorithm A
- •10.12.9 Special Form A
- •10.12.10 Special Form D and Algorithm D
- •10.12.11 The General Analysis Algorithm
- •10.12.12 Proofs
- •10.13 HISTORICAL PERSPECTIVE AND RELATED WORK
- •10.14 SUMMARY
- •EXERCISES
- •11.1 THE OPS5 LANGUAGE
- •11.1.1 Overview
- •11.1.2 The Rete Network
- •11.2.1 Static Analysis of Control Paths in OPS5
- •11.2.2 Termination Analysis
- •11.2.3 Timing Analysis
- •11.2.4 Static Analysis
- •11.2.5 WM Generation
- •11.2.6 Implementation and Experiment
- •11.3.1 Introduction
- •11.3.3 Response Time of OPS5 Systems
- •11.3.4 List of Symbols
- •11.3.5 Experimental Results
- •11.3.6 Removing Cycles with the Help of the Programmer
- •11.4 HISTORICAL PERSPECTIVE AND RELATED WORK
- •11.5 SUMMARY
- •EXERCISES
- •12.1 INTRODUCTION
- •12.2 BACKGROUND
- •12.3 BASIC DEFINITIONS
- •12.3.1 EQL Program
- •12.3.4 Derivation of Fixed Points
- •12.4 OPTIMIZATION ALGORITHM
- •12.5 EXPERIMENTAL EVALUATION
- •12.6 COMMENTS ON OPTIMIZATION METHODS
- •12.6.1 Qualitative Comparison of Optimization Methods
- •12.7 HISTORICAL PERSPECTIVE AND RELATED WORK
- •12.8 SUMMARY
- •EXERCISES
- •BIBLIOGRAPHY
- •INDEX
252 PROCESS ALGEBRA
Using semantics-based analysis to determine whether two processes are bisimilar, we first construct the two labeled transition systems corresponding to these processes. Then, we combine these two transition systems. Finally, we derive the largest bisimulation relation for the combined labeled transition system [Clements, 1993]. To reduce the complexity of the ACSR requirements specification when trying to prove timing properties, we can ignore the identity of the resources and the absolute priorities of matching events and actions. The relative ordering of these events and actions suffices.
9.5.1 Analysis Example
We now apply the analysis technique to determine whether a given set of processes is schedulable in the airport radar system example. The maximal computation times of the four processes are: c1 = 32, c2 = 4, c3 = 7, c4 = 3. Their corresponding periods are: p1 = 40, p2 = 20, p3 = 10, p4 = 10.
Since we are reasoning with processes or their representations, the radar system represented as an ACSR specification will deadlock if a process misses its deadline. Therefore, to check whether a set of processes is schedulable, we need to show that the system never deadlocks. Since the ACSR specification also states how the resources are used and how the processes synchronize, we can simplify the analysis by ignoring (or hiding) this information about resource usage and synchronization. Thus, the processes are schedulable if the system is forever idle. Therefore, determining the schedulability means verifying that
Radar \ \{cpu1, cpu2} ≈π recX. : X.
Since a feasible schedule, if one exists, repeats after each time interval of length that is equal to the least common multiple of all the periods (chapter 3), it is sufficient to prove that
Radar \ \{cpu1, cpu2} ≈π 40 : (Radar \ \{cpu1, cpu2}).
Substituting the given numerical values, Radar becomes:
|
|
|
def |
T1 |
T2 |
|||||||||||||
Radar =[(Scheduler |
||||||||||||||||||
T3 T4) |
|
|
|
|
|
|
|
|
|
|
||||||||
\{s1, s2, s3, s4}]{cpu1,cpu2} |
||||||||||||||||||
def |
|
, 1). 40 : ( |
|
|
|
|
|
|
|
, 1). 20 : ( |
|
|
||||||
=[(( |
s1 |
s1 |
, |
1).S1 |
( |
s2 |
s2 |
, 1).S2 |
||||||||||
( |
|
, 1). 10 : ( |
|
, 1).S3 ( |
|
, 1). 10 : ( |
|
, 1).S4 |
||||||||||
s3 |
s3 |
s4 |
s4 |
|||||||||||||||
(s1, 1).C1,0 (s2, 2).C2,0 (s3, 3).C3,0 (s4, 4).C4,0
\{s1, s2, s3, s4}]{cpu1,cpu2}.
ANALYSIS AND VERIFICATION |
253 |
Next, we apply several ACSR laws to repeatedly rewrite the process Radar until
Radar \ \{cpu1, cpu2} ≈π 40 : (Radar \ \{cpu1, cpu2})
is proved. This statement indicates that the system never deadlocks and thus establishes
Radar \ \{cpu1, cpu2} ≈π recX. : X.
Deciding which laws to apply is difficult and requires a great deal of practice. The tool kit VERSA [Clarke, Lee, and Xie, 1995] rewrites the process specification only after the user directs it to do so with a specific, predefined ACSR law specified by the user. It does not automatically construct a proof. The VERSA equivalence tester can automatically convert an ACSR process specification into a labeled transition system, but the user has to assist the tool by pruning transitions that are unreachable due to the semantics of the transition system. This pruning is crucial in reducing the analysis time when checking for deadlocks or equivalence.
9.5.2 Using VERSA
The Verification Execution and Rewrite System for ACSR (VERSA) system [Clarke, Lee, and Xie, 1995] maintains as much as possible the syntax of ACSR while using ASCII keyboard-typable notations for special ACSR characters and subscripted or superscripted variables. Similar techniques are used in other analysis tools, such as the model checker for CTL [Clarke, Emerson, and Sistla, 1986]. VERSA also adds syntactic conventions from mathematics and programming languages as well as features for facilitating the specification of large systems. We summarize the differences between ACSR and VERSA in Figure 9.3.
Syntactic conventions used in Mathematica (http://www.wolfram.com) are employed in VERSA to define indexed process variables, resource names, and event labels. Specifications may be divided into logical components and recombined using file inclusion. We can define symbolic constants and macros using a #define notation,
ACSR: |
VERSA: |
|||
|
|
|
|
|
α, |
|
|
a, ’a, a’, a[i] |
|
α, α , αi |
||||
|
|
|
τ |
t or tau |
|
|
NIL |
NIL |
|
α |
|
or | |
||
P t (Q, R, S) |
scope(P,a,t,Q,R,S) |
|||
|
|
|
∞ |
inf or infinite or infinity |
|
|
[P]I |
[P]I |
|
|
|
|
|
{} or idle |
Figure 9.3 Differences between ACSR and VERSA.
254 PROCESS ALGEBRA
as in the C programming language. VERSA also provides indexed composition and set construction operators for operating on sets of indexed names.
VERSA has a query facility for the user to inquire about identifiers and the binding of process variables, as well as for comparing actions and for comparing processes for equality. For example, the query
T [1] == T [2]?
compares processes T1 and T2 for equality. One often-used notion of equivalence is that of prioritized strong equivalence. Here, VERSA converts the algebraic process descriptions bound to these processes to state machines and then employs a state minimization algorithm to preserve strong bisimulation to these two machines simultaneously. The original machines are strongly bisimilar if the corresponding minimal state machine contains a state with the start state of both original machines. Since this construction of the state machine from its corresponding algebraic expression requires space exponential in the length of the expression, checking for prioritized strong equivalence is restricted for algebraic expressions with small state machines.
VERSA and its graphical user interface version, X-VERSA, are implemented in C++. It is made more portable with the use of the LEDA class library, and the libg++ and X/Motif libraries. The input and output interface is built with the Lex and Yacc compiler construction tools. To make the analysis more efficient, the tool kit makes use of a low-level programming language and the latest state space construction and bisimulation testing algorithms. Indexed names are not supported in X-VERSA.
9.5.3 Practicality
Originally, the lack of a graphical input-output interface makes ACSR and its corresponding tool kit VERSA more difficult to use than other tools with a graphical user interface. Recently, a graphical language [Ben-Abdallah, Lee, and Choi, 1995; BenAbdallah, 1996; Ben-Abdallah and Lee, 1998] was introduced to provide a better user interface. Even when compared to several other techniques, such as RTL, writing and understanding the system specification in ACSR or other process algebras seem to be more difficult since there is an extra level of process abstraction. Also, some of the notations are cumbersome. However, the fact that several practical timing constraints are already expressed by the timing operators of ACSR makes it attractive to specify systems more compactly, whereas in other specification languages such timing constraints must be explicitly written. Since process algebras were originally designed to specify processes, their timed extensions are especially appropriate for describing resource-sharing processes with timing constraints.
AVAILABLE TOOLS |
255 |
9.6 RELATIONSHIPS TO OTHER APPROACHES
In the context of the Jahanian and Mok’s RTL approach [Jahanian and Mok, 1986], the abstract process loosely corresponds to the safety assertion and the detailed process corresponds to the system specification. Determining equivalence of these processes is analogous to finding the relationship between the specification and the safety assertion. In the context of whether an actual system implementation exactly follows the system specification, or whether a specification is a faithful representation of an implemented system, the abstract process corresponds to the specification and the detailed process represents the implementation.
To perform semantic analysis for determining equivalence of two processes in ACSR, the process behaviors are first described as (translated into) a prioritized labeled transition system. This transition system is basically a state space graph used in other approaches such as untimed automata (chapter 2), model-checking (chapter 4), Statecharts (chapter 5), RTL (chapter 6), and timed automata (chapter 7), and thus also suffers from the state-explosion problem. However, this transition system is usually smaller since it describes only behaviors of interest to the analysis, such as deadlock-freedom. The process-algebraic method constructs a specification of a system with encoded constraints such that whenever certain safety or timing properties are violated, the specified process enters an exception state. The analysis consists of finding the set of reachable states and then checking whether the exception state is in this set.
9.7 AVAILABLE TOOLS
VERSA is a toolset with the following analysis functions:
1.derivation of system properties from ACSR specifications using rewriting rules;
2.generation and analysis of the state space to verify safety properties, and testing of equivalence of different process formulations;
3.interactive execution of the process specification to study specific system behaviors.
The basic version of VERSA has a command-oriented interface for inputting process descriptions, binding them to identifiers, and operating on them. The graphicsoriented version of VERSA provides an X/Motif user interface, known as X-VERSA, with a point-and-click interface. This significantly improves the usability of the algebraic term rewriting facility. VERSA extends the basic ACSR syntax with a number of notational conventions borrowed from programming languages. VERSA is available at
http://www.cis.upenn.edu/~lee/duncan/versa.html