Compositional Inductive Verification of Duration Properties of Real-Time Systems Zhiming Liuy Department of Mathematics and Computer Science University of Leicester Anders P. Ravnz Department of Information Technology Technical University of Denmark Xiaoshan Lix Department of Electrical and Electronic Engineering University of Newcastle upon Tyne
Abstract This paper proposes a method for formal real-time systems development. At high level a system is modelled as a conventional dynamical system with states that are functions of time represented by nonnegative real numbers, while the implementation and refinement at low level are described in terms of timed transition systems (TTS). Therefore, The system requirements and high level design decisions are time interval properties, and are thus specified and reasoned about in the Duration Calculus (DC), and the properties of the implementation at low level are specified and verified compositionally and inductively in timed linear temporal logic (TLTL). A link from implementation properties to the requirement and design properties is given by interpreting a DC formula in a model of the executions of a TTS and then providing rules for lifting TLTL properties proved for a TTS to DC. The method is illustrated by the Gas Burner case study.
Keywords: Real-time Systems, Duration Calculus, Timed Transition Systems, Specification, Verification.
1 Introduction Duration calculus (DC) was introduced to specify and reason about properties of embedded real-time systems [ZHR91, RRH93], it has also been successfully used to reason about circuits and digital designs [HZS92, RS94], and in hybrid systems [RR91, ZRH93]. Introductions to the applications are found in [ORS96, Liu96] while the logic and its foundation is given a thorough presentation in [HZ97]. This is a revised and extended version of Technical Report 1997/12. y Address for correspondence: Department of Mathematics and Computer Science, University of Leicester, University Road,
Leicester LE1 7RH, U.K.; E-mail:
[email protected]. z Address for correspondence: Computer Systems Section, Department of Information Technology, Technical University of Denmark, Building 344, Lyngby, Denmark; E-mail:
[email protected]. x Address for correspondence: Department of Electrical and Electronic Engineering, University of Newcastle upon Tyne, Newcastle upon Tyne NE1 7RU, U.K.; E-mail:
[email protected]. On leave from Software Institute, Academia Sinica, Beijing; partially funded by Chinese National Science Foundation.
1
A system is in DC modelled within a conventional dynamical systems framework with states that are functions of time, the non-negative reals. When observe a system, DC takes a continuous and global view in the sense that a Boolean state is observed through its duration in a bounded interval, i.e. the integral of an indicator function. A property for a single interval is specified by an arithmetical relation among durations and real numbers. Properties of the system at isolated time points in the dense time domain are treated unobservable and ignored (or approximated by neighbourhood properties of the time points). Properties for sequences of intervals are expressed by the associative, binary “chop” operator of Interval Temporal Logic [Mos85]. DC also takes a denotational approach in modelling systems and a system at any level of abstract is described by a formula P in DC and properties of the system are those implied by P . In a specification of requirements, the dynamical systems model is beneficial because it focuses on relevant observable states. Furthermore, the interval logic has simple interpretations in a timing diagram for the states. The requirements will thus focus on sequencing of durational relations between observable states rather than on sequencing state transition relations. A typical real-time property is the requirement of a bounded critical duration property, that in every interval bounded by a length the duration of a ‘bad’ (or a ‘good’) state P should not be more than (or should be more than) time units. In DC this can be nicely expressed as
`)
R
P
However in DC, when dealing with an implementation represented as a state machine such as an automaton or a (abstract) program, it is then difficult to apply structural induction proof methodologies (this is generally true for a framework which adopts a continuous, global and denotational approach.). Also, at the this level of abstraction, stronger assumptions may be made about timing. For example, a finite number of state changes may occur or my be be assumed to occur simultaneously at a point of time, though the order in which they occur is still significant. Therefore, properties at a real-time point becomes significant at this level. Transition systems is a widely accepted model for computations in reactive systems in general [Kel76, Pnu77]. While transition systems and the linear temporal logic (LTL) [MP81, MP89] has been used successfully for specification and verification of reactive systems, they are not expressive enough for systems with real-time constraints which are the bounded invariance and bounded responsiveness. Real-time is introduced into transition systems either by associating lower and upper bounds on enabled transitions [Lam77, BH81] or by introducing explicit clocks [AD90, AL92]. The first approach has led to the extensions to LTL with bounded operators [KVdR83, Koy89, AH90], and the second has advocated the use of LTL in dealing with the explicit clocks [PdR82, PH88, AL92]. The relationship between the two approaches, that more or less one can be translated into another, is investigated in [HMP94]. An advantage of TTS frameworks is that they are quite close to implementations using digital hardware and thus reflect semantics of programming languages. Another advantage is that safety properties and time bounded properties can be easily checked by structural induction over the transitions. However, this framework is inherently operational and less abstract than a dynamical systems based framework. For instance, properties that relate states across several transitions have to be expressed using auxiliary state variables [Lam93]. Thus it seems well justified to link the two formalisms such that one may use 1. DC for high level specification and reasoning, 2. TTS for implementation and refinement. In a previous work [SHL94] a link is demonstrated through definition of a combination of the logics of TLA and Duration Calculus. That work investigated some of the techniques presented here. However, the current 2
work differs by focusing on the proof system and proof techniques, which turns out to be the difficult part when combining theories. After this introduction, Section 2 gives an overview of DC and its application to high level specification. Section 3 introduces TTS and a model of their executions called trajectories, which allows us to define the satisfaction of a DC formula by a TTS in Section 4. In Section 5, we provide the rules for proving duration properties of a TTS. In Section 6, the Gas Burner example will be used to illustrate the approach and allow comparisons between this mixed approach and DC-only or TTS-only methods.
2 Requirement and Design Specification in DC 2.1 Introduction to DC A dynamic system is traditionally modelled by its state functions which are evaluations of the system state variables over the time domain, each of them has a signature V(x ) : Time 7?! V , where V is the value domain of x 2 . For the time being, we do not make Time explicit. Instead we require it is totally ordered, and any interval [t1; t2] between two time positions is measurable by a non-negative real number, and the measure of an interval is called the length of the interval. It can be imagined that the set of non-negative real numbers is such a time domain. We shall extend it to R+ N later in this paper. The state function V(x ) is assumed to satisfy a Dirichlet condition, i.e., it is sectionally continuous and locally bounded. Sectional continuity means that in a bounded interval there is a finite number of discontinuities. For discrete state variables, which are the only variables that we are concerned in this paper, a state function is a step function. A state assertion P of a system is a first order predicate over the state variables and interpreted a Boolean valued function
V(P ) : Time 7?! f0; 1g V(P )(t ) = 1 if the evaluations of the variables in P at t make P hold, and V(P )(t ) = 0 otherwise. The sectional continuity implies that V(P ) is a step function. R
The elementary observationRof a state assertion P is its duration, written P . It denotes for a given time interval [t1 ; t2], the integral tt12 V(P )(t )dt . The duration is a real number and a measure. It satisfies all the properties of a measure, for example we have
R
0 = 0;
R
P 0;
R
(P _ Q ) = R P + R Q ? R (P ^ Q )
In particular, the largest duration corresponding to the length of the real-time interval is abbreviate as `.
R
1, which we
Elementary formulas are arithmetic relations in durations and real valued R rigid variables and constants. An example is the formula expressing that P holds throughout an interval: P = `. The propositional connectives and quantification over rigid variables can be used to generate composite formulas. An example is the formula asserting that P holds on a proper (non-point) interval.
dP e = (R P = `) ^ (` > 0) def
Analogously, we introduce the abbreviation for a ‘point’:
de = ` = 0 def
3
which is true over all and only point intervals.
A model of a DC formula D is a pair M = (V ; [t1; t2]) of an evaluation and an interval, such that M j= D iff D holds for the interval [t1 ; t2] under the evaluation V . A valid formula holds for all intervals under all evaluations.
Properties of subintervals are specified by the binary modal ‘chop’-operator, here denoted by ‘; ’. A formula
D1 ; D2 holds on an interval [t1; t2] just when there exists an intermediate position t such that the formula D1 holds on [t1 ; t ] and the formula D2 holds on [t ; t2]. The chop operator and durations are linked by the key property of summation over subintervals: for any
; 0
(R P = + ) , ((R P = ) ; (R P = ))
The only-if direction of the first of the above two properties encodes the denseness of Time ; it is reflected also in the derived law: dP e , dP e ; dP e. For more details about the semantics, axioms and rules of DC, we would like to refer the reader to [ZHR91, Rav95, HZ97].
2.2 Specification A property of a real-time system with a set of state variables is specified as DC formula D which is valid for the set of all state functions of the system, i.e. it is true of all the state functions of the system for all finite time intervals. The applications of DC to real-time systems in [ZHR91, RRH93, Rav95, Liu96] show that when formulating requirements to an actual system where we have decided on the relevant state variables, the procedure is generally to identify safe or unsafe patterns of behaviour. The ‘yardstick’ properties when we consider duration specifications are as follows: Bounded critical duration: A sate assertion P should not hold more than time units within a time window of time units:
`
) RP
An important special case of this is the unbounded week invariance property d e_d:P e asserting that the bad state occurs nearly no where in any proper interval. Bounded response: An occurrence of P must be followed within time units by an occurrence of Q :
:(dP e ; (d:Q e ^ ` > )) A special case of this is dP e ) ` , which asserts that P can last for at most time units. Minimal separation: Every occurrence of :P must be stable for at least time units. In other words, two occurrences of P must not happen within less than time units:
(dP e ; d:P e ; dP e) ) (` ) The bounded critical duration is related to the bounded response and minimal separation by the following rule BCD
dP e ) ` ; (dP e ; d:P e ; dP e) ) (` ? ) (` ) ) (R P ) 4
A rule of this form is sound if the validity of all premises above the line implies validity of the conclusion under the line is then also valid. The soundness of BCD follows the validity of the implication below:
:(true ; :D ; true ) ^ :(true ; :D ; true ) ) :(true ; :C ; true ) 1
2
where D1 and D2 stand for the two premises, and C stands for the conclusion.
2.3 Specification of the Gas Burner We now take the Gas Burner example in [RRH93] to show the simplicity in writing requirement and design specifications in DC. This case study requires to formulate the safety requirement of a gas burner in terms of a variable Leak denoting undesirable but unavoidable state which represents the presence of unlit gas from the nozzle. For safety, the gas burner system is required that ‘gas must never leak for more than 4 seconds in any period of at most 30 seconds’:
R
Req def = ` 30 ) Leak 4 To meet the requirement specification Req , we make two design decisions:
Des1 def = dLeak e ) ` 4 def Des2 = dLeak e; d:Leak e; dLeak e ) ` 26 Des def = Des1 ^ Des2 Des1 says that any occurrence of Leak must be stopped within 4 seconds, and Des2 says that once a Leak is stopped it may not occur within 26 seconds. The correctness of the design, i.e. Des ) Req is valid, follows directly from rule BCD. Traditionally in DC, Des is implemented by a real-time automaton or a real-time program described as a DC formula P , and the correctness of such an implementation is verified by proving P ) Des in DC. However, P is in general a ‘big’ formula and the direct proof of P ) Des in DC is far from easy. We shall deal with this difficulty by adopting the compositional induction proof techniques in the TTS framework.
3 Transition Systems This section starts with an overview of transition systems which are generally used for modelling reactive systems. A transition system is then extended to a timed version by imposing timing constraints on its transitions. We then define the behaviour of a TTS in a model which will be easily taken as a semantic model for DC as well in Section 4.
3.1 Transition systems A transition system S 1. 2.
= h; ; ; T i consists of four components:
is a finite set of state variables. is a set of states. A state s in is an interpretation of which assigns to every variable u 2 a value s [u ]. 5
3. An initial condition which is a state assertion that defines a subset of called the initial states.
4. A finite set T of transitions. Every transition in T is a binary relation on , which defines for every state s , a (possibly empty) set of -successors (s ). A transition is enabled on a state s , denoted as that en ( ) holds for s , just when (s ) 6= ;. When a transition relation holds between states s and s 0 this is often written s ! s 0. A computation (execution, run) of a transition system S 0 ; 1; which satisfies the following two conditions: Initially:
= h; ; ; T i is an infinite state sequence =
0 satisfies .
Consecution For all i 0, either i = i +1 (a stuttering step) or there is a transition in T such that i ! i +1 (a diligent step). In the later case, we say that a step is taken at position i of . Thus, a computation either contains infinitely many diligent steps, or it terminates with an infinite stutteringonly suffix. The set [ S ] of all computations of S is stuttering closed: if an infinite state sequence is a computation of the program, then so is any state sequence obtained from by adding or deleting a finite number of stuttering steps. This stuttering closed property is the key to relate system specifications (or models) [AL91] at different level of abstractions by refinement mappings. As in Manna and Pnueli’s Linear Temporal Logic (LTL) [MP89] or Lamport’s Temporal Logic of Actions [Lam91], we represent transition of a system S as first order Boolean-valued over the state variables and their ’primed versions’ 0, which is interpreted over pairs of states:
hs ; s 0i j= (; 0) iff (s []=; s 0[]=0) holds
3.2 Timed transition systems We incorporate time in the transition systems models by assuming that all transitions happen “instantaneously”, while real-time constraints restrict the times at which transitions occur. The timing constraints require transitions to be performed neither too early nor too late. To describe such timing constraints, each transition is given a lower time bound l , and an upper time bound u . The lower time bound is a value from R+ , which we take to be the set of non-negative real numbers, and the upper time bound is either a value from R+ or the special symbol 1, which denotes the absence of an upper bound. Any real number in R+ is assumed to be less than 1, and the lower bound is assumed not to exceed the upper bound for any transition, and the lower bound is assumed not to exceed the upper bound for any transition. A timed transition system TS = h; ; ; T ; l ; u i consists of an underlying transition system S = h; ; ; T i and two functions l and u defining the transition time interval for each transition.
3.3 Trajectories In stead of defining a computations as a timed state sequence [HMP91, HMP94], we introduce the notion of a trajectory in order to interpret DC formulas by the behaviour of a TTS. In general, a trajectory over a set of state variables is a state function:
: R+ N 7?!
where N is the set of natural numbers and is the set of states over . A trajectory is required to be of finite variability: for any given finite time interval [t1; t2] the set of states f(t ; n ) : t1 t t2 ; n 2 Ng is finite. 6
Thus Time = R+ N is the time domain in our framework. We refer to a pair ht ; n i 2 Time as a position, and (t ; n ) as the state at position ht ; n i in . Positions in Time are ordered by the lexicographic ordering: def
ht ; n i ht ; n i iff t < t or (t = t ) ^ (n < n ) We write ht ; n i ht ; n i for h(t ; n i ht ; n i) _ (ht ; n i = ht ; n i). We also define the length between two positions d (ht ; n i; ht ; n i) as t ? t . If (t ; n ) ! (t ; n + 1), we say transition is taken at position ht ; n i in , and is taken at time point t in if there exists an i 2 N such that is taken at position ht ; n i in . A trajectory : Time 7?! is a trajectory of a timed transition system, TS = h; ; ; T ; l ; u i, if it 1
1
1
2
1
2
2
1
2
1
1
1
2
1
1
1
2
2
2
2
2
2
1
1
2
1
2
2
1
satisfies the following conditions. 1. Initiation: (0; 0) satisfies .
2. Consecution: For all position ht ; n i, either (t ; n ) = (t ; n 2 T such that (t ; n ) ! (t ; n + 1) (a diligent step).
+ 1) (a stuttering step) or there is a
3. Timing constraints: Lower bound: if is taken at position p , there must exist a position p1 p such that d1 (p ; p1) l , and for any position p2 , if p1 p2 p then is enabled at p2 and is not taken at position p2 . Upper bound: if is enabled at position p , there exists p1 p such that d1 (p1; p ) u and either is disabled at p1 or is taken at position p1 . A trajectory that satisfies the first two conditions is a trajectory of the underlying transition system S
h; ; ; T i.
=
It is easy to see that the set [ TS ] traj of all trajectories of a system TS is isomorphic to the set of timed state sequences of TS defined in [HMP91, HMP94].
3.4 A TTS model for the Gas Burner Intuitively, the design decisions of Des for the Gas Burner system can be easily implemented by the TTS shown by Figure 1. This TTS, denoted by GB1 , can be formally described in terms of its initial condition and transitions with their time bounds:
GB1 = h 1 : true 1 : Leak ^ :Leak 0 2 : :Leak ^ Leak 0
i
[0; 4] [26; 1)
The problem is within DC framework how to formally prove that this TTS satisfies Des and how to formally refine GB1 .
4 Satisfaction of a DC formula by a TTS To deal with a TTS in DC, we need to extend DC to cope with instantaneous transitions, and thus sequences of point properties. This section defines DC in terms of trajectories of transition systems and define the satisfaction relation of a duration formula by a TTS. This semantic definition preserves all the validity of the original DC axioms and rules. 7
1 [0; 4]
Leak
:Leak 2 [26; 1)
Figure 1: A simple TTS implementation of Des
4.1 Super-dense intervals A duration formula is to be interpreted over a super-dense interval between two positions p1 = ht1; n1i and p2 = ht2 ; n2i, which is denoted and defined by [p1 ; p2] def = fp : p1 p p2g. We define a measure of such an interval by the function
(
(t ? t ; n ) if t < t (0; n ? n ) if t = t ^ n n We shall use d (p ; p ) and d (p ; p ) to denote the first (which is also called the length of the interval) and second elements of d (p ; p ) respectively. For a trajectory over a state space , an observation over an interval [p ; p ] consists of the states f(t ; n ) : p ht ; n i p g. In particular, at any time point t , every observation over an interval [ht ; n i; ht ; n i] (which is called a point interval) is a finite non-empty state sequence (t ; n ); ; (t ; n ). The observation of over [ht ; n i; ht ; n i] is the single state (t ; n ), i.e. a state sequence of ‘length 0’ is a d (p1 ; p2) =
def
1
1
2
1
2
2
2
1
2
1
2
1
1
2
1
1
2
2
2
1
1
1
2
2
2
1
single state.
A trajectory is said to be continuous at a position ht ; n i if there is an open real-time interval (t1 ; t2) such that (t ; n ) = (t3; k ) for any t3 2 (t1; t2) and k 2 N.
2
3t
4.2 The definition of DC over trajectories
R
The duration P for a state assertion P over a super-dense interval [ht1; n1i; ht2; n2i] is still used to define the accumulation time when P holds within the super-dense interval, and it is defined as R t2 t1 P ((t ; 0))dt Thus, a duration ignores all the discontinuous positions, and its existence is guaranteed by the finite variability of the trajectory1. Under these definitions, all the DC axioms given in Section R 2 remain valid. In particular, the largest duration corresponding to the length of the real-time interval is 1, which we still abbreviate `, and a point interval is denoted as d e. The ‘chop’ operator now chops a super-dense interval. A formula D1 ; D2 holds on such an interval [p1 ; p2] just when there exists an intermediate position p such that the formula D1 holds on [p1 ; p ] and the formula D2 holds on [p ; p2]:
; [p1; p2] j= D1 iff 9p (p1 p
1
;D p ) ^ (; [p ; p ] j= D ) ^ (; [p ; p ] j= D ) 2
2
1
1
2
2
R R R The logic remains the same if P is defined as 2 8n 2 N P ((t ; n ))dt or as 2 9n 2 N P ((t ; n ))dt . t
t
t1
t1
8
It is easy to see that as in original DC, ‘chop’ is associative, distributes over disjunction, has false as zero. Furthermore, for any formula D in the original DC, d e is the unit of ‘chop’:
de ; D , D ; de , D In the original DC, the only property that can be observed about a point time interval is d e. We shall introduce two kinds of elementary formulas that can be used to distinguish points: state properties and state transitions. State properties. A state property P which is a first order predicate assertion (no quantification is allowed over state variables) can be treated as an interval formula: P holds for a trajectory over an observation if it holds at the first position of the observation:
; [ht1; n1i; ht2; n2i] j= P iff (t1; n1) j= P All axioms in the first order predicate logic remain valid here.
Now we can specify properties like d e^ P (denoted as P ) and d e^(true at the first state and somewhere, respectively, in a point interval.
; P ), which assert that P holds
To assert the length of a the state sequence in a point interval, we introduce an interval temporal variable h:
; [p1; p2] j= h
=n
iff
d2 (p1; p2) = n
Thus, P ^ ( h = 0) defines the point observations containing a single P -state. The temporal variable h plays the role of the length for a discrete time interval in ITL of [Mos85], about h we have the following added axioms: A1 : A2 : A3 :
9n : N (h = n ) (D , d e ^ (h = 0) ; D ) ^ (D , D ; d e ^ (h = 0)) d e ^ (h = n > 0) , (d e ^ h = 1 ; d e ^ (h = n ? 1)) d e ^ (h = n > 0) , (d e ^ h = n ? 1 ; d e ^ (h = 1)) h = n ) ; (` = r )) A4 : (` = r > 0) ) (d e ^ ( State Transitions.
unit of chop chopping points super-denseness
A transition is represented as a Boolean-valued expression over the state variables
and their ‘primed versions’ 0, defining the relation between the pre-state and post-state of the transition. It is treated as an interval formula as for the case of a state predicate:
; [ht1; n1i; ht2; n2i] j= iff
h(t ; n ); (t ; n + 1)i j= 1
1
1
1
Obviously, a state predicate is a special case of a state transition which does not refer to primed variables. The composite formula d e ^ ( h = 0) ^ specifies the point observations containing a single state in which is enabled; and the formula d e ^ (h > 0) ^ defines the point observations consisting of a sequence of more than one state such that the first two of them is a -step. More general properties. The bounded version of the temporal operator can be defined in terms of d e, h and the chop operator as
D = (d e ^ h = 1) ; D def
9
Then the following super-dense properties can be derived
(R P = rR) ) (R P = r ) R ` > 0 ) ( P = r , ( P = r )) These properties imply dP e , dP e. The Hoare Triple fP g fQ g for any state assertions P and Q and any state transition will be used in structural induction reasoning, and it is defined here as the state transition
fP g fQ g = P ^ ) Q 0 def
where Q 0 is obtained from Q by substitute each state variable x of Q to its primed version x 0 . The operator
relates state point properties with state transitions by the following axiom: for any state assertions P and Q , and any transition , A5 :
:(d e ^ h = 0) ) ((P ^ ) Q 0) , (P ^ ) Q ))
For a state predicate P we use P to denote that P holds anywhere in a interval:
P def = :(true ; :P ; true ) Extending intervals. The ‘chop’ operator is useful for specifying properties of subintervals and in general for specifying finite patterns corresponding to safety properties including bounded liveness and fairness. However, it cannot describe unbounded properties. Several extensions have been proposed to take care of this. We introduce the interval modality : a formula D holds on an interval [b ; e ] there is an interval [b ; f ] which is either a prefix or a suffix of [b ; e ] such that D holds on [b ; f ]:
; [b :e ] j= D iff
9f b (; [b ; f ] j= D )
This operator distributes over disjunction and is monotone. It comes as a combination 3 l 3 r of the two neighbourhood modalities 3 l and 3 r from [ZH96a]. In this paper, we are only concerned about future properties which can be treated sufficiently by the combined operator2. Satisfaction and validity. A trajectory satisfies a formula D , denoted by j= D , if ; [h0; 0i; hr ; n i] j= D for any r 2 Time and any n 2 N. Valid formulas are satisfied by any trajectory. A formula D is valid for (or satisfied by) a TTS, TS , denoted by TS j= D , iff any trajectory 2 [ TS ] traj satisfies D . Remarks. The validity of the axioms and rules in the original DC is preserved in this extended logic. And we can take all formulas from the discrete ITL [Mos85] (with necessary notational modification) for describing properties of state sequences at a time point. For each axiom A in ITL, we have an axiom
de ) A 2 However, using the two neighbourhood modalities together with ` and h , the ‘chop’ is would become an definable operators [LR97].
10
5 Lifting Properties of TTS to Duration Properties The most common properties of an untimed transition system are unbounded invariance properties and unbounded progress properties (or liveness properties); and the ‘yardstick’ properties of a timed transition system include bounded invariance properties, and bounded progress properties. These properties and the structural induction proof rules for them are given in [MP81] in LTL for unbounded properties and in [HMP94] for bounded properties in timed linear temporal logic (TLTL). This section shows how these properties are incorporated into our extended DC framework.
5.1 Unbounded properties We start with the unbounded liveness properties which are described by using the LTL operator 3 meaning somewhere in the future (including from starting position). Thus, a liveness property is of the form
3 D = (true ; D ) Thus, 3 P says that a P -state eventually occur in the future, and 3 P , 3 P . The dual LTL operator 2 of 3 is used for specifying safety properties, and it is defined as def
2 D = : 3 :D def
A state property P is an invariant of a transition system S if P holds at any position in any interval for all trajectories of S . Thus, an unbounded invariance property is of the form 2 P , where P is a state predicate. Notice that 2 P , 2 P .
P is an invariant of TS iff P holds initially and implied by , and P is preserved by all transitions in Let
fP gT fQ g =
def
^
2T
T.
fP g fQ g
An induction rule for proving an invariant of TS is given in [MP81] as: UB-INV
) P ; fP gT fP g 2P
which is still sound in the interval logical setting, i.e. any transition system satisfying the premises also satisfies the conclusion. There are other induction rules for proving untimed properties in [MP81], which we would like to leave out of this paper.
5.2 Bounded properties As in [HMP94], we are interested in proving bounded-invariance and bounded-response properties, and thus restricted ourselves to the following bounded temporal formulas: Primitive formulas: State formulas and state transitions are temporal formulas. Boolean connectives: Every Boolean combination of temporal formulas is a temporal formula.
11
Bounded-eventually formula: If is temporal formula and u 2 R+ , then so is 3 u ; it is true over a trajectory with an initial position ht0 ; n0i iff there is a position p = ht ; n i such that t t0 + u and holds for the suffix of starting with p . We thus define
3u = (` u ; ) def
Bounded-unless formula: If P is a state properties, is a temporal formula, and l 2 R+ , then P Ul is a temporal formula; it is true over a trajectory iff P holds at the initial position ht0; n0i of and either P holds for all positions in , or there there is some position p such that t t0 + l , and holds for the suffix starting with p , and P holds at every position q p . This formula can thus be defined as
P Ul def = 2 (P _ (P ^ (` l ) ; )) We use the convention that the letters P , Q , R , as well as ', denote state formulas; and its indexed versions denote state transitions; , and stand for temporal formulas; and D , F and their indexed versions, denote general formulas in the extended logic. We also denote P Ul true by 2 0, and define 2 0 dP e ) (true ; dQ e) The second premise describes the stability of Q . LINK-2
The bounded version of the above rule links between a bounded-eventually property and a DC-bounded response property: LINK-3
P ) 3 u Q :Q ) :Q U Q Ul :Q ; l > 0 :(dP e ; (d:Q e ^ ` > d )) 13
Using bounded unless properties, we can prove minimal separation properties by the following link:
Q ) :P ; ) :Q ) P Ul1 Q U P Ul1 Q U ) P Ul1 Q U l2 ( ; true ) ) :(true ; (dP e ; dQ e ; ) ^ (` < l1 + l2) ; true )
LINK-4
This rule is inductive in the sense that and are temporal formulas which may be linked further to DCformulas. Premises in the first line ensure the pattern (dP e ; dQ e ; ) does not collapse, the premise in the second line says that a -state sequence pattern can only proceed with P lasting for at least l1 time units followed by a Q -state and then a pattern, the premise in the third line then ensures that Q lasts at least l2 time units. The last two premises in the rule may be combined into one. However, the one in the second line have to be established which then can be used to establish the last one by rule U -CSS. The special case when l1 = 0 and is P is often used. In this case the rule becomes LINK-40
Q ) :P R ) :Q P ) P UQ U R P U Q U R ) P U Q U l R (dP e ; dQ e ; dRe) ) (` l )
6 Implementation and Refinement of the Gas Burner This section shows how the linked methods are used in the development of the Gas Burner Systems. We first show that the timed transition system GB1 given in Section 3.4 satisfies the requirement specification Req in Section 2.3. Then we show how GB1 is refined into an implementation that may have only ignition failure. Finally, we present an implementation of Req which may suffer from both ignition failure and flame failure.
6.1 Correctness of GB1 For the timed transition systems GB1 in Section 3.4, we have the theorem below. Theorem 1
GB1 satisfies Des1 and Des2 , and thus Req as well.
This theorem follows from the following lemma: Lemma 1 The time transition system GB1 satisfies the following TLTL properties:
(T ) : Leak ) 3 :Leak (T ) : Leak ) Leak U :Leak U Leak (T ) : Leak ) Leak U :Leak U Leak 1
4
2
3
26
Proof: (T1) is proven by applying premises:
Leak ) en ( ) fLeak g fLeak g fLeak g f:Leak g 1
2
1
3 -SS to = Leak ^ :Leak 0 and u1 = 4, with the following 1
def
as en (1) = Leak as Leak ^ :Leak ^ Leak 0 ) Leak 0 as Leak ^ Leak ^ :Leak 0 ) :Leak 0 14
Idle
GoIdle ; [0; e ]
HeatOn ; [0; e ]
Out 1b ; e
Burn
FlOn [0; e ] Ignite2
[1; 1 + ]
Purge
Out 1a ;
[30; 30 + ]
e
Out 30; e
Ignite1
[1; 1 + ]
Figure 2: A refinement of GB1
(T ) is obviously valid in the untimed LTL proof system. U -CSS for with l2 = 26. ~ 2
From
(T ), we have (T ) then by applying 2
3
2
Des1 is deduced by LINK-3 with (T1) and (T2) as the premises. Des2 follows from LINK-40 by letting P , Q , and R in the rule be Leak , :Leak and Leak , respectively, to establish the first two premises of the rule; while (T2) and (T3) are the last two required premises. Finally, Req is proven from Des1 and Des2 by rule BCD given in Section 2. Proof of Theorem 1:
~
6.2 An implementation without flame failure After the initial implementation, GB1 can be refined in the traditional TTS framework. For example, the transition system in Figure 1 is a refinement of GB1 . It has the following phases: Idle:
Await heat request, no gas and ignition. It enters the Purge phase within e time units on heat request. The constant parameter e in this example can be understood as the system reacting time upper bound 3 .
Purge: Pauses for 30 seconds, and then Ignite1 is entered within e time units. Ignite1: Starts ignition and gas supply, and enters after one second the Ignite2 phase within time.
e
reacting
Ignite2: Monitors the flame and enters the Burn phase if flame is sensed within 1 second, otherwise goes back to Idle after 1 second by switching the gas off within e reacting time. Burn:
Ignition is switched off, but gas is still supplied. The Burn phase is stable until heat request goes off. The gas is then turned off and the Idle phase is entered within e reacting time.
3
In [RRH93, Lam93], another lower bound was included for the system reacting time which is in fact not needed for proving the correctness of the system.
15
We use only one simple error recovery procedure to return to Idle from Ignite2. We assume no flame failure in the Burn phase. Therefore, in this implementation, Leak can only occur in the Ignite1 phase and in the Ignite2 phase. We take the convention that the value of a variables x is changed by a transition only if names x 0 . The formal definition of this refined transition systems is given as follows.
GB2 = h
= = HeatOn = Out 30 =
def def
def
def
Out 1a
def
=
Out 1b
def
=
=
FlOn
def
GoIdle
def
=
^ ^ ^ ^
fgas ; ignition ; sensor ; phase g (gas ; ignition ; sensor ; phase ) = (off, off, off, Idle) HeatReq ^ (phase = Idle) ^ (phase 0 = Purge) (phase = Purge) (phase 0; gas 0; ignition 0) = (Ignite1, on, on) (phase = Ignite1) ^ (phase 0 = Ignite2) (sensor 0 = on) (phase = Ignite2) ^ (phase 0 = Idle) ^(ignition 0 = off) ^ (gas 0 = off) (phase = Ignite 2) ^ Flame ^ (phase 0 = Burn) (ignition 0 = off) (phase = Burn) ^ :HeatReq ^ (phase 0 = Idle) (gas 0 = off) ^ (sensor 0 = off) Time bounds are given as in Figure 2
i
Let Leak1 hold iff phase = Ignite1 holds and Leak2 hold iff phase = Ignite2 holds. In the following, we present the properties of these two leak states of GB2 which correspond to the properties of Leak and have same proof routines as those for GB1 . Lemma 2 The timed transition system GB2 satisfies the following TLTL properties if e
(T (T (T (T (T (T
): ): ): ): ): ):
11
12 13 21 22 23
Leak1 ) 3 1+e :Leak1 Leak1 ) Leak1 U :Leak1 U Leak1 Leak1 ) Leak1 U :Leak1 U 31 Leak1 Leak2 ) 3 1+e :Leak2 Leak2 ) Leak2 U :Leak2 U Leak2 Leak2 ) Leak2 U :Leak2 U 31 Leak2
corresponds to (T1) of Leak corresponds to (T2) of Leak corresponds to (T3) of Leak corresponds to (T1) of Leak corresponds to (T2) of Leak corresponds to (T3) of Leak
1: in GB1 in GB1 in GB1 in GB1 in GB1 in GB1
By the induction rules, Lemma 2 leads to the following corollary: Corollary 1 (GB2 refines GB1 )
Let Leak
= Leak _ Leak
def
1
2
and e
1. GB
2
satisfies the properties (T1), (T2) and (T3) in Lemma 1.
Thus, we have the following theorem corresponding to Theorem 1 for GB1 . Theorem 2 Let Leak Gas Burner system
= Leak _ Leak
def
1
2
and e
1. GB
16
2
satisfies Des1 and Des2 , as well as Req , of the
Lemma 3 The timed transition system GB2 satisfies the following properties if e
(Des (Des (Des (Des
11 12 21 22
): ): ): ):
dLeak e ) ` 1 + e dLeak e ; d:Leak e ; dLeak e ) ` 31 dLeak e ) ` 1 + e dLeak e ; d:Leak e ; dLeak e ) ` 31 1
1
1
1
2
2
2 2
1:
corresponds to Des1 of Leak corresponds to Des2 of Leak corresponds to Des1 of Leak corresponds to Des2 of Leak
in GB1 in GB1 in GB1 in GB1
Using Lemma 2, the proofs of Des11 and Des21 are the same as the proofs of Des1 of GB1 , while the proofs of Des12 and Des22 are the same as that of Des2 for GB1 , in Theorem 1. Using the linking rules as in the proof of Theorem 1, Lemma 3 has the corollary below: Corollary 2 The timed transition system GB2 satisfies the following properties if e
(Req ) (Req ) 11
21
R
1:
` 30 ) R Leak1 1 + e corresponds to Req of Leak in GB1 ` 30 ) Leak2 1 + e corresponds to Req of Leak in GB1
It is interesting to notice that Req of the Gas Burner (which is already deduced from Corollary 1 in Theorem 2) can be also deduced from Corollary 2 and the valid formula
R
(Leak _ Leak ) = R Leak + R Leak = 2 + 2e 4 1
2
1
2
6.3 An implementation with flame failure When flame may disappear in the phase Burn, we can add another simple error recovery procedure which enters Idle from Burn by switching off the gas. Formally, we only have to redefine the action GoIdle in GB2 as
GoIdle def =
(phase = Burn) ^ (:Flame _ :HeatReq ) ^ (phase 0 = Idle) ^ (gas 0 = off) ^ (sensor 0 = off) Now let Leak denote Burn ^ :Flame . Then in the same way as we proved the properties of GB 3
1
and
GB2 , for the new implementation, denoted by GB3, we have the following two lemmas corresponding to Lemma 2 and Lemma 2 respectively. Lemma 4 The timed transition system GB3 satisfies Lemma 2 and the following properties:
(T ) : Leak ) 3 e :Leak (T ) : Leak ) Leak U :Leak U Leak (T ) : Leak ) Leak U :Leak U Leak 31
3
3
32
3
3
3
33
3
3
3
3
31
3
corresponds to (T1) of Leak in GB1 corresponds to (T2) of Leak in GB1 corresponds to (T3) of Leak in GB1
Lemma 5 The timed transition system GB3 satisfies Lemma 3 and the following properties:
(Des ) : dLeak e ) ` e (Des ) : dLeak e ; d:Leak e ; dLeak e ) ` 31 31
3
32
3
3
3
corresponds to Des1 of Leak in GB1 corresponds to Des2 of Leak in GB1
This lemma has the following corollary which corresponds to Corollary 2: Corollary 3 The timed transition system GB2 satisfies Corollary 2 and the following property:
(Req ) : 31
` 30 )
R
Leak3 e
corresponds to Req of Leak in GB1 17
Let Leak be the disjunction Leak1 _ Leak2 _ Leak3. By the valid formulas
R
R
Leak = R (Leak1 _RLeak2 _ Leak 3) = Leak1 + Leak2 + R Leak3 = 2 + 3e This gives the following correctness theorem for GB3 : Theorem 3 (Correctness of GB3 ) Assume that e ment Req of the Gas Burner system.
2=3, the transition system GB
3
satisfies the require-
However, we should mention that GB3 is not a refinement of GB1 or GB2 . It does not implement Des as it does not meet Des2. In other words, we do not have a corollary for GB3 corresponding to Corollary 1 or a theorem for GB3 corresponding to Theorem 2.
7 Conclusion This paper presents a logic which combine the original DC approach in [ZHR91] and the LTL approach in [HMP91, Lam91] to specification and verification of embedded real-time systems. This combination provides both the advantage of DC for directly modelling conventional dynamical systems with state that are functions of time, and the advantage of TTS for modelling computation in reactive systems. Rules for linking the two level specifications are given. Within this framework, DC is used for specifying the system requirement and initial design which is intuitively corresponding to a simple TTS. Then we can refine the initial implementation totally in the TTS framework step by step until we obtain an implementation which can be easily coded into a program. The approach is illustrated by solving the classic Gas Burner example. The advantage of the combined approach becomes obvious if we compare the solution in the single DC framework in [RRH93], and the solution in the single LTL framework in [Lam93]: specifications of the system at different levels are simpler and better structured; the proofs of the correctness of the systems at different levels are easier as they directly reflect the structural induction of each step in the refinement/implementation, and concrete states (e.g. Leak1, Leak2 and Leak3 in GB2 and GB3) at a lower level are reasoned about in the same way as the corresponding abstract state (e.g. Leak in GB1 ) at a higher level. The combined logic allows us to describe multiple instantaneous transitions at a time point. For the same purpose, papers [ZH96b] and [Xu97] introduce a dense-chop operator which can define the meaning of the sequential composition of state transitions. However, in both papers the intermediate states of a sequentially composite statement are hidden, and thus the semantics of x := 1; x := x +2 is the same as that of x := 3. This is a nice property if the approaches are used to deal with concurrent systems with no shared variables. However, in shared memory based models such as TTSs, the semantics of (x := x + 1; x := x + 2) k (x := 0) should be quite different from that of x := 3 k x := 0. This problem is avoided in this paper by directly defining DC in terms of trajectories of a TTS. Further work to this paper includes the development of the full logic [LR97], and extension of this logic to deal with hybrid transition systems [MP93].
References [AD90]
R. Alur and D.L. Dill. Automata for modelling real-time systems. In M.S. Paterson, editor, ICALP 90: Automata, Languages and Programming, Lecture Notes in Computer Science 443, pages 322–335. Springer-Verlag, 1990. 18
[AH90]
A. Alur and T.A. Henzinger. Real-time logics: complexity and expressiveness. In Proc. 5th Annual Symposium on Logic in Computer Science, pages 390–401. IEEE Computer Society, 1990.
[AL91]
M. Abadi and L. Lamport. The existence of refinement mapping. Theoretical Computer Science, 83(2):253–284, 1991.
[AL92]
M. Abadi and L. Lamport. An old-fashioned recipe for real-time. In W.P. de Rover J.W. de Bakker, C. Huizing and G. Rozenberg, editors, Real-Time: Theory in Practice, Lecture Notes in Computer Science 600, pages 1–27. Springer-Verlag, 1992.
[BH81]
A. Bernstein and P.K. Harter. Proving real-time properties of programs with temporal logic. In Proc. 8th Annual Symposium on Operating Systems Principles, pages 1–11. ACM press, 1981.
[HMP91] T. Henzinger, Z. Manna, and A. Pnueli. Temporal proof methodologies for real-time systems. In Proc. 8th ACM Annual Symposium on Principles of Programming Languages, pages 269–276, 1991. [HMP94] T. Henzinger, Z. Manna, and A. Pnueli. Temporal proof methodologies for timed transition systems. Information and Computation, 112(2):273–337, 1994. [HZ97]
M.R. Hansen and C.C. Zhou. Duration calculus: logical foundations. Formal Aspects of Computing, 9(3):283–330, 1997.
[HZS92]
M.R. Hansen, C.C. Zhou, and J. Staunstrup. A real-time duration semantics for circuits. In Proc. ACM/SIGDA workshop on Timing Issues in Specification and Synthesis of Digital Systems, 1992.
[Kel76]
R. Keller. Formal verification of parallel programs. Communication of the ACM, 19(7):371– 384, 1976.
[Koy89]
R. Koymans. Specifying message passing and Time-critical systems with temporal logic. PhD thesis, Eindhoven University of Technology, 1989.
[KVdR83] R. Koymans, J. Vytopil, and W.-P. de Roever. Real-time programming and asynchronous message passing. In Proc. 2nd Annual Symposium on Principles of Distributed Computing, pages 187–197. ACM press, 1983. [Lam77]
L. Lamport. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering, 3(2):125–143, 1977.
[Lam91]
L. Lamport. The temporal logic of actions. Technical Report 79, Digital SRC, California, 1991.
[Lam93]
L. Lamport. Hybrid systems in TLA+ . In A.P. Ravn R.L. Grossman, A. Nerode and H. Rischel, editors, Hybrid Systems, Lecture Notes in Computer Science 736, pages 77–102. SpringerVerlag, 1993.
[Liu96]
Z. Liu. Specification and verification in the duration calculus. In M. Joseph, editor, Real-Time Systems: Specification, Verification and and Analysis, pages 182–227. Prentice Hall, 1996.
[LR97]
Z. Liu and A.P. Ravn. Linking duration calculus and timed transition systems. Department of Maths & Computer Science, University of Leicester, Leicester, UK., 1997.
19
[Mos85]
B. Moszkowski. A temporal logic for multilevel reasoning about hardware. IEEE Computer, 18(2):10–19, 1985.
[MP81]
Z. Manna and A. Pnueli. The temporal framework for concurrent programs. In R.S. Boyer and J.S. Moore, editors, The Correctness Problem in Computer Science, pages 215–274. Academic Press, 1981.
[MP89]
Z. Manna and A. Pnueli. Completing the temporal picture. In G. Ausiello, M. DezaniCiancaglini, and S. Ronchi Della Rocca, editors, ICALP 89: Automata, Languages, and Programming, Lecture Notes in Computer Science 372, pages 534–558. Springer-Verlag, 1989.
[MP93]
Z. Mamma and A. Pnueli. Verifying hybrid systems. In A.P. Ravn R.L. Grossman, A. Nerode and H. Rischel, editors, Hybrid Systems, Lecture Notes in Computer Science 736, pages 4–35. Springer-Verlag, 1993.
[ORS96]
E-R. Olderog, A. P. Ravn, and J. U. Skakkebæk. Refining system requirements to program specifications. In C. Heitmeyer and D. Mandrioli, editors, Formal Methods in Real-Time Systems, Trends in Software-Engineering, chapter 5, pages 107–134. Wiley, 1996.
[PdR82]
A. Pnueli and W.-P. de Roever. Rendez-vous with Ada: a proof-theoretical view. In Proc. SIGPLAN AdaTEC Conference on Ada, pages 129–137. ACM Press, 1982.
[PH88]
A. Pnueli and E. Harel. Applications of temporal logic to the specification of real-time systems. In M. Joseph, editor, Formal Techniques in Real-Time and Fault-Tolerant Systems, Lecture Notes in Computer Science 331, pages 84–98. Springer-Verlag, 1988.
[Pnu77]
A. Pnueli. The temporal logic of programs. In Proc. 18th Annual Symposium on Foundations of Computer Science, pages 46–57. IEEE Computer Society Press, 1977.
[Rav95]
A.P. Ravn. Design of embedded real-time computing systems. Department of Computer Science, Technical University of Denmark, DK-2800 Lyngby, Denmark, Doctoral Dissertation ID-TR: 1955-179, 1995.
[RR91]
A.P. Ravn and H. Rischel. Requirements capture for embedded real-time systems. In Proc. IMACS-MCTS’91 Symposium on Modelling and Control of Technical Systems, Vol 2, pages 1147–152, 1991.
[RRH93]
A.P. Ravn, H. Rischel, and K.M. Hansen. Specifying and verifying requirements of real-time systems. IEEE Transactions on Software Engineering, 19(1):41–55, 1993.
[RS94]
A.P. Ravn and J. Staunstrup. Interface models. In Proc. 3rd International Workshop on Hardware/Software Codesign, pages 157–164, 1994.
[SHL94]
M.U. Sørensen, O.E. Hansen, and H.H. Løvengreen. Combining temporal specification techniques. In Temporal Logic ICTL 94, Lecture Notes in Artificial Intelligence 827, pages 1–16. Springer-Verlag, 1994.
[Xu97]
Q.W. Xu. A semantics and verification of extended phase transition systems in duration calculus. In O. Maler, editor, International Workshop on Hybrid and Real-Time Systems, Lecture Notes in Computer Science 1201, pages 301–315. Springer-Verlag, 1997.
[ZH96a]
C.C. Zhou and M.R. Hansen. An adequate first order interval logic. Technical Report 91, UNU/IIST, P.O. Box 3058, Macau, 1996. 20
[ZH96b]
C.C. Zhou and M.R. Hansen. Chopping a point. In J. Cooke J.F. He and P. Wallis, editors, Proc. BCS FACS 7th Refinement Workshop: Theory and Practice of System Design, 1996.
[ZHR91]
C.C. Zhou, C.A.R. Hoare, and A.P. Ravn. A calculus of durations. Information Processing Letters, 40(5):269–276, 1991.
[ZRH93]
C.C. Zhou, A.P. Ravn, and M.R. Hansen. An extended duration calculus for hybrid real-time systems. In A.P. Ravn R.L. Grossman, A. Nerode and H. Rischel, editors, Hybrid Systems, Lecture Notes in Computer Science 736, pages 36–59. Springer-Verlag, 1993.
21