
2.3 HISTORICAL PERSPECTIVE AND RELATED WORK
For three centuries, mathematicians and philosophers have attempted to develop a general decision procedure for verifying the validity or inconsistency of a logic formula. Leibniz (1646–1716) [Davis, 1983], the co-inventor of Calculus, first tried to develop such a procedure. Then in the 1900s Peano [Peano, 1889] and in the 1920s Hilbert’s group [Hilbert, 1927] again studied the problem and tried unsuccessfully to find a decision procedure. Finally, in 1936 Church [Church, 1936] and Turing [Turing, 1936] independently proved that the problem of determining the validity of first-order logic formulas is undecidable; that is, no general decision procedure for this problem exists.
Turing invented the Turing machine [Turing, 1936] in 1936 to formalize the notion of an algorithm to investigate whether the above satisfiability problem in first-order logic is solvable or not. Turing’s machine has one two-way infinite tape and one head. In the same year, Post independently conceived a similar model [Post, 1936]. Mealy in 1955 [Mealy, 1955] and Moore in 1956 [Moore, 1956] were among the first to develop finite automata, also called Mealy and Moore machines, as simplifications of the Turing machine. Also in 1956, Kleene [Kleene, 1956] demonstrated that finite automata accept regular languages. Oettinger [Oettinger, 1961] introduced the pushdown automaton as another simplification of the Turing machine.
In 1930, Herbrand [Herbrand, 1930] proposed an algorithm to find an interpretation that can make a specific first-order logic formula false. A valid formula is by definition true under all interpretations. If the formula to be checked is valid, then Herbrand’s algorithm will not find a falsifying interpretation and terminate in a finite number of steps. His algorithm was the first step toward automatic proof procedures or mechanical theorem proving.
In 1960, Gilmore [Gilmore, 1960] implemented Herbrand’s algorithm on a computer to determine whether the negation of a formula is unsatisfiable or inconsistent. This was proof by contradiction since a formula is valid iff its negation is inconsistent. His program turned out to be quite inefficient for proving most formulas. Davis and Putnam [Davis and Putnam, 1960] improved Gilmore’s computer implementation but their method still was not practical for many formulas. Robinson [Robinson, 1965] made it possible to efficiently perform mechanical theorem proving by introducing the resolution principle.
Several refinements of resolution were introduced in the following years. Slagle [Slagle, 1967] proposed semantic resolution, which unifies hyper-resolution, renamable resolution, and the set-of-support strategy. Boyer [Boyer, 1971] introduced a very efficient lock resolution. Loveland [Loveland, 1970] and Luckham [Luckham, 1970] independently developed linear resolution. Chang [Chang, 1970] showed that a special case of linear resolution called input resolution is equivalent to unit resolution.
Chang and Lee’s textbook [Chang and Lee, 1973] is an excellent introduction to symbolic logic (propositional and predicate) and mechanical theorem proving. Hopcroft and Ullman’s textbook [Hopcroft and Ullman, 1979] is a classic text introducing automata, languages, and the theory of computation. A simpler introduction to automata, languages, and computation is the text by Lewis and Papadimitriou [Lewis and Papadimitriou, 1981]. Their second edition [Lewis and Papadimitriou, 1998] gives a clearer introduction but omits presentations on symbolic logic.
2.4 SUMMARY
This chapter explores the basic foundations of symbolic logic, automata, formal languages, and state transition systems. These concepts can be used to reason, analyze, and verify the correctness of non-real-time systems. Many analysis and verification techniques for real-time systems are based on these untimed approaches.
Symbolic logic is a collection of languages that use symbols to represent facts, events, and actions, and provide rules to symbolize reasoning. Given the specification of a system and a collection of desirable properties, both written as logic formulas, we can attempt to prove that these desirable properties are logical consequences of the specification. Two popular logics are propositional logic (also called propositional calculus or zero-order logic, the simplest symbolic logic) and predicate logic (also called predicate calculus or first-order logic).
Using propositional logic, we can write declarative sentences called propositions that can be either true (denoted by T) or false (denoted by F) but not both. We use an uppercase letter or a string of uppercase letters to denote a proposition. The basic proof procedure is based on the following principle.
Resolution Principle: For any two clauses C1 and C2, if there is a literal L1 in C1 and a literal L2 in C2 such that L1 ∧ L2 is false, then the resolvent of C1 and C2 is the clause consisting of the disjunction of the remaining literals of C1 and C2 after removing L1 and L2 from C1 and C2, respectively.
Propositional logic can express simple ideas with no quantitative notions or qualifications and is also good enough for describing digital (Boolean) logic circuits. For more complex ideas, propositional logic is not sufficient, so the predicate logic is needed. Predicate logic allows the use of quantifiers to specify whether a logic formula holds for at least one or for all objects or persons in a universe. The basic proof procedure is also based on the resolution principle.
Resolution Theorem: A clause set S is unsatisfiable iff there is a deduction of the empty clause from S, that is, the empty clause □ ∈ R(S).
The resolution theorem and the unification algorithm form the basis of most computer implementations for testing the satisfiability of predicate logic formulas. Resolution is complete (refutation complete), so it always generates the empty clause from an unsatisfiable formula (clause set).
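The proof procedure summarized above, worked through in code. This is an added example, not code from the book: a propositional (ground) resolution prover that saturates a clause set until it either derives the empty clause or reaches a fixpoint, plus a truth-table check used as an independent oracle. The clause syntax (`|` for disjunction, `~` for negation) and the sample specification {P → Q, Q → R} with the goal P → R are constructed for the illustration; unification, which predicate logic would need, is deliberately left out.

```python
from itertools import combinations, product


def parse_clause(text):
    """Turn 'P | ~Q' into a frozenset of literals {'P', '~Q'}; '~' is negation."""
    return frozenset(lit.strip() for lit in text.split("|") if lit.strip())


def negate(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit


def is_tautology(clause):
    """A clause containing both L and ~L is always true and never helps a refutation."""
    return any(negate(lit) in clause for lit in clause)


def resolvents(c1, c2):
    """Resolution principle: for each literal L1 in C1 whose complement L2 lies in C2
    (so L1 ∧ L2 is false), the resolvent is the disjunction of the remaining literals."""
    out = set()
    for l1 in c1:
        l2 = negate(l1)
        if l2 in c2:
            out.add((c1 - {l1}) | (c2 - {l2}))
    return out


def refute_by_resolution(clauses):
    """Saturate the clause set under resolution. Returns (unsatisfiable, rounds):
    True once the empty clause is derived; False when no new clause can be
    produced. Because resolution is refutation complete, False means satisfiable."""
    known = {c for c in clauses if not is_tautology(c)}
    if frozenset() in known:
        return True, 0
    rounds = 0
    while True:
        rounds += 1
        new = set()
        for c1, c2 in combinations(known, 2):
            for r in resolvents(c1, c2):
                if not r:                      # empty clause: contradiction found
                    return True, rounds
                if r not in known and not is_tautology(r):
                    new.add(r)
        if not new:                            # fixpoint reached, no refutation
            return False, rounds
        known |= new


def satisfiable_by_truth_table(clauses):
    """Independent check: enumerate every assignment of T/F to the atoms."""
    atoms = sorted({lit.lstrip("~") for c in clauses for lit in c})
    for values in product((False, True), repeat=len(atoms)):
        env = dict(zip(atoms, values))
        # a literal is true when its atom's value differs from "is negated"
        if all(any(env[lit.lstrip("~")] != lit.startswith("~") for lit in c)
               for c in clauses):
            return True
    return False


# Constructed example: the specification {P -> Q, Q -> R} in clause form, and the
# goal P -> R. A formula is valid iff its negation is inconsistent, so the goal is
# proved by adding its negation (P, ~R) and deriving the empty clause.
SPEC = [parse_clause(s) for s in ("~P | Q", "~Q | R")]
NEGATED_GOAL = [parse_clause(s) for s in ("P", "~R")]


def prove(spec, negated_goal):
    """True iff the goal follows from spec, i.e. spec ∪ ¬goal is unsatisfiable."""
    unsat, _ = refute_by_resolution(set(spec) | set(negated_goal))
    return unsat


if __name__ == "__main__":
    print("P -> R follows from spec:", prove(SPEC, NEGATED_GOAL))
    print("spec alone is satisfiable:", satisfiable_by_truth_table(SPEC))
```

Saturation terminates because only finitely many clauses exist over a finite set of atoms; for larger clause sets the refinements listed in Section 2.3 (set of support, linear resolution) prune the same search.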
An automaton is able to determine whether a sequence of words belongs to a specific language. This language consists of a set of words over some finite alphabet. Depending on the type of automaton used, this sequence of words may be finite or infinite. If these sequences of words correspond to sequences of events and actions, we can construct an automaton that accepts correct sequences of events and actions in a system, and thus solve the verification problem.
With the introduction of more concepts, we can use an automaton to represent a process or system. More precisely, a specification automaton represents the desired specification of a system, and an implementation automaton models an implementation attempting to satisfy the given specification. Our goal is to verify that the implementation satisfies the specification. This problem can now be viewed as the language inclusion problem (also known as the language containment problem), that is, to determine whether the language accepted by the implementation automaton is a subset of the language accepted by the specification automaton.
A deterministic finite automaton (DFA) belongs to the special class of finite automata whose operation is completely determined by the current state and the input. A DFA can be viewed as a simple language recognition device.
To make finite automata more expressive, we introduce the feature of nondeterminism. A state change in a nondeterministic finite automaton (NFA) may be only partially determined by the current state and input symbol, and there may be more than one next state given a current state. Every nondeterministic finite automaton can be shown to be equivalent to a deterministic finite automaton, but this corresponding DFA usually contains more states and transitions. Hence, nondeterministic finite automata can often simplify the description of language recognizers.
An automaton can specify a physical system or a set of processes, and how to determine whether a sequence of events or actions is allowed in the specified system. The alphabet of a language can consist of names of events or actions in the system to be specified. We call this alphabet the event set of the specified system. Then we can construct an automaton that accepts all allowable sequences (strings) of events in the specified system. This set of allowable sequences of events is the language accepted by this automaton.
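The verification problem as language inclusion, worked through in code. This is an added example and not part of the book: a small DFA class over an event set, a helper that completes a partial transition table with a rejecting sink, and an inclusion check that searches the product of the implementation and specification automata for a reachable pair that the implementation accepts and the specification rejects, returning the shortest such event sequence as a counterexample. The pedestrian-crossing event set and the two implementation automata are constructed for the illustration; the check handles DFAs only, so an NFA would first have to be determinized.

```python
from collections import deque


class DFA:
    """Deterministic finite automaton over an event set (the alphabet). The
    transition function delta maps (state, event) -> state and must be total."""

    def __init__(self, states, alphabet, delta, start, accepting):
        self.states = frozenset(states)
        self.alphabet = frozenset(alphabet)
        self.delta = dict(delta)
        self.start = start
        self.accepting = frozenset(accepting)
        missing = [(s, a) for s in self.states for a in self.alphabet
                   if (s, a) not in self.delta]
        if missing:
            raise ValueError(f"transition function is not total: {missing}")

    def accepts(self, word):
        """Run the automaton on a finite sequence of events."""
        state = self.start
        for event in word:
            state = self.delta[(state, event)]
        return state in self.accepting


def complete(states, alphabet, delta, start, accepting, sink="sink"):
    """Build a DFA from a partial transition table by routing every undefined
    (state, event) pair to a non-accepting sink state."""
    total = dict(delta)
    for s in list(states) + [sink]:
        for a in alphabet:
            total.setdefault((s, a), sink)
    return DFA(list(states) + [sink], alphabet, total, start, accepting)


def inclusion_counterexample(impl, spec):
    """Decide L(impl) ⊆ L(spec) by breadth-first search over the product automaton.
    A reachable pair (p, q) with p accepting in impl and q rejecting in spec is a
    violation; the shortest event sequence reaching it is returned. Returns None
    when the implementation's language is included in the specification's."""
    if impl.alphabet != spec.alphabet:
        raise ValueError("both automata must share the same event set")
    start = (impl.start, spec.start)
    parent = {start: None}            # pair -> (previous pair, event)
    queue = deque([start])
    while queue:
        pair = queue.popleft()
        p, q = pair
        if p in impl.accepting and q not in spec.accepting:
            word = []
            while parent[pair] is not None:
                pair, event = parent[pair]
                word.append(event)
            return word[::-1]
        for event in sorted(impl.alphabet):
            nxt = (impl.delta[(p, event)], spec.delta[(q, event)])
            if nxt not in parent:
                parent[nxt] = (pair, event)
                queue.append(nxt)
    return None


# Constructed event set for a pedestrian crossing: the car light turning red,
# the "walk" sign turning on, and a pedestrian crossing the street.
EVENTS = {"red", "walk", "cross"}

# Specification: a "cross" may only occur after a "walk" that has not yet been
# followed by the next "red". Every safe prefix is accepted; the sink rejects.
SPEC = complete(
    ["wait", "may_cross"], EVENTS,
    {("wait", "red"): "wait", ("wait", "walk"): "may_cross",
     ("may_cross", "walk"): "may_cross", ("may_cross", "cross"): "may_cross",
     ("may_cross", "red"): "wait"},
    "wait", ["wait", "may_cross"])

# Implementation 1: pedestrians cross only after the walk sign turns on.
IMPL_OK = complete(
    ["s0", "s1", "s2"], EVENTS,
    {("s0", "red"): "s1", ("s1", "walk"): "s2",
     ("s2", "cross"): "s2", ("s2", "red"): "s1"},
    "s0", ["s0", "s1", "s2"])

# Implementation 2: also lets a pedestrian cross as soon as the car light is red.
IMPL_BAD = complete(
    ["s0", "s1", "s2"], EVENTS,
    {("s0", "red"): "s1", ("s1", "walk"): "s2", ("s1", "cross"): "s2",
     ("s2", "cross"): "s2", ("s2", "red"): "s1"},
    "s0", ["s0", "s1", "s2"])

if __name__ == "__main__":
    print("IMPL_OK  violates spec with:", inclusion_counterexample(IMPL_OK, SPEC))
    print("IMPL_BAD violates spec with:", inclusion_counterexample(IMPL_BAD, SPEC))
```

Completing both automata with a sink is what makes the product check sound: an undefined transition in the specification is exactly a forbidden event sequence, and it must be represented by a rejecting state rather than by the search silently stopping.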
EXERCISES
1. Specify the following English statements in propositional logic formulas:
(a) Traffic light system: If the car traffic light turns red, then the pedestrian traffic sign changes from “don’t walk” to “walk.” If the pedestrian “walk” sign turns on, pedestrians cross the street; otherwise, pedestrians wait at the sidewalk.
(b) Gate controller: The gate to the building remains closed unless the gate controller receives an “open gate” signal from a wireless transmitter or a wired transmitter.
(c) Pipeline valve: Valve labeled “A” is closed if and only if the pressure of the pipeline is between 20 and 50 psi (pounds per square inch).
2. Consider the specification in exercise 1(a). Prove the following using equivalent formulas and then using a truth table: If the car traffic light turns red, then pedestrians cross the street.
3. Specify the following English description of an automobile automatic cruise control system in propositional logic formulas. Automobile automatic cruise system: If the “auto-cruise on” button is lighted, the automatic cruise system is turned on; otherwise, it is turned off. Pressing the “auto-cruise on” button once turns its light on. Pressing the “auto-cruise off” button once turns the “auto-cruise on” button’s light off. If the distance between the car and the obstacle in front is less than a safe distance d, the automatic cruise system applies the brake slowly to slow the car. If the distance between the car and the obstacle in front is less than a short distance e, the automatic cruise system applies the brake quickly to slow the car more quickly and turns on an “unsafe distance” warning light. If the distance between the car and the obstacle in front is d or more, the automatic cruise system does nothing and is in the monitoring mode; otherwise, it is in both monitoring and control modes.
4. Suppose R(x) represents “task x is schedulable by the rate-monotonic scheduler” and E(x) represents “task x is schedulable by the earliest-deadline scheduler.” Specify the following English statements in predicate logic formulas:
(a) Every task schedulable by the rate-monotonic scheduler is schedulable by the earliest-deadline scheduler.
(b) Not every task is schedulable by the earliest-deadline scheduler.
(c) Some tasks not schedulable by the rate-monotonic scheduler are schedulable by the earliest-deadline scheduler.
5. Using the specifications in 4(a), (b), and (c), prove the validity of the following statement: If a task is not schedulable by the earliest-deadline scheduler, then this task is not schedulable by the rate-monotonic scheduler.
6. Prove by resolution whether the following clauses are satisfiable:
A, B, C, D, E, F ∨ G, ¬F ∨ ¬G, ¬B ∨ ¬D ∨ ¬F, ¬A ∨ ¬C ∨ ¬G ∨ ¬E.
7. Show the DFA accepting the language represented by the following regular expression: (message ack) .
8. Describe the difference between a deterministic finite automaton and a nondeterministic finite automaton. Are they equivalent in terms of expressive power?
9. Consider the smart traffic light system in Figure 2.14 and the safety property shown in Figure 2.15. Show why this safety property is not satisfied. Describe how the revised Pedestrian automaton in Figure 2.16 corrects the problem.
10. Consider a smart airbag deployment system in an automobile. A sensor that detects the distance between the driver and the steering wheel is attached to the driver’s seat. This distance depends on the shape and size of the driver, and the position of the steering wheel. Based on this distance, the airbag computer determines the force of the airbag inflation to minimize harm to the driver. The airbag will deploy when a collision impact with a speed exceeding 30 mph occurs; otherwise, it will not deploy. If the distance is far (> 1.5 ft), the airbag will be inflated with maximum force. If the distance is average (between 1.0 ft and 1.5 ft), the airbag will be inflated with regular force. If the distance is near (< 1.0 ft), the airbag will be inflated with minimum force. Specify this system as a deterministic finite automaton.

CHAPTER 3
REAL-TIME SCHEDULING AND SCHEDULABILITY ANALYSIS
As in preparing a schedule of to-do tasks in everyday life, scheduling a set of computer tasks (also known as processes) is to determine when to execute which task, thus determining the execution order of these tasks; and in the case of a multiprocessor or distributed system, to also determine an assignment of these tasks to specific processors. This task assignment is analogous to assigning tasks to a specific person in a team of people. Scheduling is a central activity of a computer system, usually performed by the operating system. Scheduling is also necessary in many non-computer systems such as assembly lines.
In non-real-time systems, the typical goal of scheduling is to maximize average throughput (number of tasks completed per unit time) and/or to minimize average waiting time of the tasks. In the case of real-time scheduling, the goal is to meet the deadline of every task by ensuring that each task can complete execution by its specified deadline. This deadline is derived from environmental constraints imposed by the application.
Schedulability analysis is to determine whether a specific set of tasks or a set of tasks satisfying certain constraints can be successfully scheduled (completing execution of every task by its specified deadline) using a specific scheduler.
Schedulability Test: A schedulability test is used to validate that a given application can satisfy its specified deadlines when scheduled according to a specific scheduling algorithm.
This schedulability test is often done at compile time, before the computer system and its tasks start their execution. If the test can be performed efficiently, then it can be done at run-time as an on-line test.
Schedulable Utilization: A schedulable utilization is the maximum utilization allowed for a set of tasks that will guarantee a feasible scheduling of this task set.
A hard real-time system requires that every task or task instance completes its execution by its specified deadline; failure to do so even for a single task or task instance may lead to catastrophic consequences. A soft real-time system allows some tasks or task instances to miss their deadlines, but a task or task instance that misses a deadline may be less useful or valuable to the system.
There are basically two types of schedulers: compile-time (static) and run-time (on-line or dynamic).
Optimal Scheduler: An optimal scheduler is one which may fail to meet a deadline of a task only if no other scheduler can.
Note that “optimal” in real-time scheduling does not necessarily mean “fastest average response time” or “shortest average waiting time.” A task Ti is characterized by the following parameters:
S: start, release, ready, or arrival time
c: (maximum) computation time
d: relative deadline (deadline relative to the task’s start time)
D: absolute deadline (wall-clock time deadline).
There are three main types of tasks. A single-instance task executes only once. A periodic task has many instances or iterations, and there is a fixed period between two consecutive releases of the same task. For example, a periodic task may perform signal processing of a radar scan once every 2 seconds, so the period of this task is 2 seconds. A sporadic task has zero or more instances, and there is a minimum separation between two consecutive releases of the same task. For example, a sporadic task may perform emergency maneuvers of an airplane when the emergency button is pressed, but there is a minimum separation of 20 seconds between two emergency requests. An aperiodic task is a sporadic task with either a soft deadline or no deadline. Therefore, if the task has more than one instance (sometimes called a job), we also have the following parameter:
p: period (for periodic tasks); minimum separation (for sporadic tasks).
The following are additional constraints that may complicate scheduling of tasks with deadlines:
1. frequency of tasks requesting service periodically,
2. precedence relations among tasks and subtasks,
3. resources shared by tasks, and
4. whether task preemption is allowed or not.
If tasks are preemptable, we assume that a task can be interrupted only at discrete (integer) time instants unless we indicate otherwise.
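A compile-time schedulability test of the kind defined above, worked through in code. This is an added example, not the book's own code: it represents tasks by the parameters just listed (S, c, d, p), computes the utilization Σ c/p (U > 1 rules out any uniprocessor schedule), and then simulates a preemptive earliest-deadline scheduler on one processor, preempting only at integer time instants as the text assumes, reporting the first deadline miss if any. The two task sets are constructed for the illustration, and the simulation horizon of max(S) plus two hyperperiods is an assumption made here rather than something the page states.

```python
from dataclasses import dataclass
from functools import reduce
from math import gcd


@dataclass(frozen=True)
class Task:
    """Task parameters as named in the text: S start time, c (maximum)
    computation time, d relative deadline, p period. Integer time units."""
    name: str
    S: int
    c: int
    d: int
    p: int


def utilization(tasks):
    """Processor utilization U = sum of c/p. U > 1 means no scheduler can meet
    every deadline on one processor; U <= 1 is necessary, not sufficient in general."""
    return sum(t.c / t.p for t in tasks)


def hyperperiod(tasks):
    """Least common multiple of the periods: the schedule repeats after it."""
    return reduce(lambda a, b: a * b // gcd(a, b), (t.p for t in tasks))


def edf_schedule(tasks, horizon=None):
    """Off-line schedulability test: simulate a preemptive earliest-deadline
    scheduler on one processor, preempting only at integer time instants.
    Returns (schedulable, timeline, miss): timeline[t] names the task running
    in [t, t+1) (None when idle); miss is (task, absolute deadline) of the first
    deadline miss, or None. Horizon max(S) + 2 * hyperperiod is assumed here."""
    if horizon is None:
        horizon = max(t.S for t in tasks) + 2 * hyperperiod(tasks)
    jobs = []        # active instances: {"task", "D" (absolute deadline), "rem"}
    timeline = []
    for t in range(horizon):
        # Release a new instance of every task whose period boundary is t.
        for task in tasks:
            if t >= task.S and (t - task.S) % task.p == 0:
                jobs.append({"task": task.name, "D": t + task.d, "rem": task.c})
        # An instance with work left at its absolute deadline has missed it.
        for job in jobs:
            if job["rem"] > 0 and job["D"] <= t:
                return False, timeline, (job["task"], job["D"])
        # EDF: run the ready instance with the earliest absolute deadline.
        ready = [job for job in jobs if job["rem"] > 0]
        if ready:
            job = min(ready, key=lambda j: (j["D"], j["task"]))
            job["rem"] -= 1
            timeline.append(job["task"])
        else:
            timeline.append(None)
        jobs = [job for job in jobs if job["rem"] > 0]
    return True, timeline, None


# Constructed task sets (time in integer units, all tasks released at time 0).
TASKS_OK = [Task("T1", 0, 1, 4, 4), Task("T2", 0, 2, 5, 5), Task("T3", 0, 3, 10, 10)]
TASKS_BAD = [Task("T1", 0, 2, 3, 3), Task("T2", 0, 2, 4, 4)]

if __name__ == "__main__":
    for label, task_set in (("OK", TASKS_OK), ("BAD", TASKS_BAD)):
        ok, timeline, miss = edf_schedule(task_set)
        print(label, f"U={utilization(task_set):.3f}",
              "schedulable" if ok else f"first miss {miss}", timeline[:12])
```

The first set has U = 0.95 and every instance meets its deadline; the second has U ≈ 1.17, so the utilization check alone already rejects it, and the simulation shows where the first instance of T1 runs past its absolute deadline of 9.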