Reconciling Real-Time with Asynchronous Message ... - CiteSeerX

Reconciling Real-Time with Asynchronous Message Passing M. Broy, R. Grosu, C. Klein? Institut fur Informatik, TU Munchen, D-80290 Munchen email: fbroy,grosu,[email protected]

Abstract. At rst sight, real-time and asynchronous message passing

like in SDL and ROOM seem to be incompatible. Indeed these languages fail to model real-time constraints accurately. In this paper, we show how to reconcile real-time with asynchronous message passing, by using an assumption which is supported by every mailing system throughout the world, namely that messages are time-stamped with their sending and arrival time. This assumption allows us to develop a formalism which is adequate to model and to specify real-time constraints. The proposed formalism is shown at work on a small real-time example.

1 Introduction Asynchronous message passing has gained a lot of popularity in the industrial community. Two of the most prominent speci cation and description languages for real-time systems use it as their basic communication and synchronization scheme between processes: the ITU-T speci cation and description language SDL [OFMP+ 94, IT93] and the ObjecTime speci cation and description language ROOM [SGW94]. Basically, the behavior of a system in SDL or ROOM is given as a set of asynchronously communicating extended nite state machines (EFSM). A signal instance, i.e., a message, is created when an EFSM executes an output and ceases to exist when the receiving EFSM consumes the signal in an input. Communication channels convey the signal instance from the sender to the receiver. When the signal arrives, it is kept in the input port of the receiver, which is an unbounded FIFO queue, until the receiver consumes it. The virtue of this communication scheme is the loose coupling between system parts: a sender is never blocked because a receiver is not ready to communicate. In order to express real-time constraints, both SDL and ROOM allow to access the global, actual time and to set and reset timers. A timer is a stopwatch which is set with an expiration time. The expiration of the timer is then signaled to ?

This work is partly sponsored by the Deutsche Forschungs Gemeinschaft (DFG) project Syslab

the process as an ordinary input signal. When a timer is no longer needed, it can be reset before its expiration, to avoid spurious expirations. Unfortunately, these timing facilities are not precisely de ned in the SDL and ROOM semantics [Hin96, Leu95, BB91, SGW94] and therefore implementation dependent. Practical experience has shown that the SDL timing facilities behave well only if the tolerance intervals are at least 100 times the average instruction time of the CPU used for the implementation [OFMP+ 94]. Moreover, these timing facilities are not always expressive enough. In order to understand why this is the case, let us examine a small fragment of a telephone protocol. \ After the caller has lifted the phone receiver, he must receive a dial tone within 0.1s." Assuming that no delay occurs on the communication lines, this protocol can be expressed very intuitively by using a timed variant of message sequence charts, as shown in Figure 1, left, where offH is the abbreviation for o-hook, dtB is the abbreviation for dial-tone-begin and a,b are points in time (see [IT96] for the MSC standard). Caller

TelHandler

a

offH

b

dtB

idle b - a < 0.1s

offH dtB waitF

Fig. 1. MSC and EFSM for the protocol fragment This requirement is neither expressible in SDL nor in ROOM. The best one can do is to write the EFSM given in SDL-notation in Figure 1, right. It consists of a start symbol, the control states idle and waitF, and a transition labeled by the input offH and the output dtB. This EFSM neither guarantees that the transition is taken synchronously with the generation of the offH message nor that the transition takes less than 0.1s. The transition can be delayed, even if the dtB message was already queued in the input port. Moreover, it is unknown how long does it take to produce the output dtB. Note that timers are not helpful in this case, since they can only be used to enforce a reaction if a signal does not arrive within a given time interval. One of the most successful formal models for specifying and verifying real-time systems are timed automata [AD94, HNSY92]. The formalism of timed automata

generalizes nite state machines over in nite strings to generate (or accept) in nite sequences of states which are additionally constrained by timing requirements. A timed automaton operates with nite control { a nite set of locations, a nite set of propositions and a nite set of real-valued clocks. All clocks proceed at the same rate and measure the amount of time that has elapsed since they were reset. Each edge of the automaton may reset some of the clocks and assign new values to a set of propositional variables. Each edge and each location may put certain constraints on the values of the clocks and propositions corresponding to that location. Using a syntax similar to the one given in [HNSY92], the caller and the telephone handler automata can be expressed as shown in Figure 2. Suppose the channels i and o and the timer x are modeled with shared variables, and that composition is done by interleaving. If initially i 6= offH, then only the caller automaton can proceed by \sending" offH along i simultaneously with reseting the timer x. The telephone handler is then able to make its rst transition. The second transition of the telephone handler can than be taken at any moment such that x < 0.1s with the eect of \sending" dtB. c1

i := offH, reset(x)

c2 Caller

s1

i = offH

s2

x < 0.1s → o := dtB

TelHandler s3

Fig. 2. The timed automata solution The above timed-automata solution uses shared variables both for communication and for time synchronization. Although shared variables are appropriate for single-processor systems, they are unnatural in the context of distributed systems. Moreover, the timed automata approach is not modular, since timed automata may constrain their environment, as we will show in the next section. Note that the sharing of the timer variable x between the caller and the telephone handler implies that the receiver knows when the offH message has been sent. In the following, we use essentially the same idea, but in a modular way, and within a message-passing communication paradigm. In the solution we propose, each message is time-stamped both with the sending and the arrival time, as this is a common practice of any mailing system. To simplify the semantics (but without loss of generality because the communication medium can be modeled again as a component) we assume instantaneous delivery, i.e., the sending and

the arrival time are considered to be the same. As in SDL and ROOM, we describe the behavior of processes with extended nite-state machines which we call timed state transition diagrams (TSTDs). We also assume asynchronous communication and the presence of a timer variable now containing at each moment the actual time. However, in contrast to SDL and ROOM we allow to access the arrival time of a message by using timestamped input patterns. For example, the pattern i?offH@t matches the rst offH message in the input port i, and updates the variable t with the arrival time of this message. This variable can be used in conjunction with now to guard a transition, as in now - t < 0.1s. When the transition is taken, it takes place instantaneously. Using our approach, the timing requirement of the telephone protocol fragment can be expressed with only one TSTD { the telephone handler { as shown in Figure 3. {now - t < 0.1s} i?offH@t / o!dtB s1

s2

Fig. 3. Our solution The input and the output patterns are separated by a slash, and written in a syntax inspired by CSP [Hoa85]. The guard (or precondition) is written within curly brackets before the input/output patterns. Assignments to the state variables can be written between curly brackets after the input/output patterns (the postcondition). Intuitively, a component speci ed by this TSTD behaves as follows. If the component is in the control state s1, the rst message on the port i is offH, and the arrival time t of this message is such that now-tm : [ ik ?[]] s;;'

[ i1 ?p1 ; : : : ; im?pm ] s;;'

def

[ i?[m1 [@t1 ]; : : : ; mk [@tk ]]] s;;' def = [[ m1 @t1 ] s; ; : : : ; [ mk @tk ] s; ; [ @t] s;] = ':i

def [ i? ] s;;' = [ @s:now] = ':i For messages not explicitly time stamped in the input patterns as well as for the negative pattern , we assume the existence of fresh, anonymous time variables in the environment . For simplicity, all patterns in the example in Section 2 have used only oneelement lists. However, it is often convenient to use the more general form of patterns introduced in this section. For instance, the requirement that the time between the dialing of two consecutive digits is limited to 20s can be expressed as follows:

f8i.1i3.ti

+1

-ti m : :ok = [] 0

[ o![m1 ; : : : ; mk ]] s;s ;;; 0

0

= [[ m1 ] s;s ;; ; : : : ; [ mk ] s;s ;; ] = :o

def

0

0

6 Composition Given two timed state transition diagrams tstd1 and tstd2 with port signatures 1 = (I1 ; O1 ; D1 ) and 2 = (I2 ; O2 ; D2 ), respectively. If O1 \ O2 = ; and for all i 2 (I1 \ O2 ) [ (I2 \ O1 ) it holds that (D1 )i = (D2 )i , then we call the two port signatures compatible. For compatible signatures 1 and 2 , the composition 1 2 is de ned as follows: each output port of 1 is connected with an input port of the same name of 2 , and similarily, each output port of 2 is connected to an input port of 1 . The feedback channels introduced this way are hidden in 1 2 . Formally, 1 2 = (I; O; D), where4

I = (I1 n O2 ) [ (I2 n O1 ) O = (O1 n I2 ) [ (O2 n I1 ) D = D1 + D2 The resulting network is graphically depicted in Figure 5. 4

Given two type mappings (Di )i2I and (Dj0 )j2J , their sum is de ned such that (D + D0 ):i = D:i if i 2 I , and (D0 + D0 ):i = D0 :i if i 2 J . Given two named tuples ' 2 i2I Di and 2 j2J Dj , and K  I , their sum ' + is de ned such that (' + ):i = ':i if i 2 I , and (' + ):i = :i if i 2 J . The projection 'jK is de ned such that ('jK ):i = ':i for all i 2 K .

θ

I 1\ O2 I 1 ∩ O2

I 2 \ O1 I2 ∩ O1

F1

F2

ϕ

ψ

O2 \ I1

O1 \ I 2

Fig. 5. Composition Let the semantics of tstd1 and tstd2 with compatible port signatures be given by Q Q [ tstd1 ] : Qi2I1 (D1 )@i ! }(Qi2O1 (D1 )@i ); [ tstd2 ] : i2I2 (D2 )@i ! }( i2O2 (D2 )@i ): The semantics [ tstd1 tstd2 ] of their composition is equal to the parallel composition with feedback [ tstd1 ] [ tstd2 ] of their input-/output-relations. The operator is de ned for relations as follows: Q Q [ tstd1 ] [ tstd2 ] : i2I Di@ ! }( i2O Di@ ) ([[tstd1 ] [ tstd2 ] )() = f jO 2 Qi2O Di@ j jO1 2 [ tstd1 ] (jI1 + jI1 ) ^ jO2 2 [ tstd2 ] (jI2 + jI2 )g For the above equation a unique solution exists if both input-/output relations are time guarded on the feedback channels [GKR96, BS97].

7 Conclusion We have presented timed state transition diagrams, a new formalism for the speci cation of real-time aspects of reactive systems. The formalism is based on a semantic model where components communicate asynchronously via unbounded FIFO-channels. We have shown that existing approaches using this communication paradigm, like SDL and ROOM, fail to model real-time aspects accurately. The basic idea of our formalism is to time-stamp messages with their arrival time and to allow the speci er to label transitions with timing constraints. By using negative patterns, we can also easily deal with priorities. Therefore, timed

state diagrams can be seen as a powerful extension of SDL and ROOM. In particular, it allows for a stepwise development process, where timing constraints are omitted in the rst step and introduced gradually in the next steps. Our approach is fully modular, since it is based on Focus, a formal approach for the speci cation and re nement of reactive systems [BDD+ 93, BS97, GS96]. Among other formalisms for real time systems, timed input/output automata [LV96, LSVW95] seem to be closest to our approach. However, whereas the main goal of timed input/output automata is to provide a semantical model for real time systems, our main concern was to provide a pragmatic and tractable speci cation formalism for real time systems. Timed state transition diagrams can be extended in several ways. A rst extension would be to use a dense time model. We believe that such an extension can easily be accomplished along the lines of [MS96]. Dense time models are gaining more and more attention in theory and practice for the modeling of real-time systems. Of great importance is also the development of a tractable re nement calculus, as it has been presented for a similar, time-independent notation in [RK96]. Future extensions will also include an extension to hierarchical state transition diagrams a la statecharts [Har87]. The semantic foundations needed for hierarchical AND-states have already been presented in this paper. In constrast to the various approaches under way to de ne a semantics for statecharts [Von94], we start from a semantic model and de ne an appropriate notation for specifying components.

Acknowledgments We thank Jan Philipps, Ursula Hinkel and Christian Prehofer for reading a draft version of the paper.

References [AD94]

Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical Computer Science, 2(126):183{235, April 1994. [AH92] R. Alur and T.A. Henzinger. Logics and models of real time: a survey. In J.W. de Bakker, K. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Real Time: Theory in Practice, Lecture Notes in Computer Science 600, pages 74{106. Springer-Verlag, 1992. [BB91] F. Bause and P. Buchholz. Protocol analysis using a timed version of SDL. In J. Quemada, J. Ma~nas, and E. Vazquez, editors, Formal Description Techniques. North Holland, 1991. + [BDD 93] M. Broy, F. Dederichs, C. Dendorfer, M. Fuchs, T.F. Gritzner, and R. Weber. The Design of Distributed Systems - An Introduction to

FOCUS. Technical Report SFB 342/2/92 A, Technische Universitat Munchen, Institut fur Informatik, 1993. [BS97] M. Broy and K. Stlen. Interactive System Design. To appear, 1997. [GKR96] Radu Grosu, Cornel Klein, and Bernhard Rumpe. Enhancing the syslab system model with state. TUM-I 9631, Technische Universitat Munchen, 1996. [GKRB96] Radu Grosu, Cornel Klein, Bernhard Rumpe, and Manfred Broy. State transition diagrams. TUM-I 9630, Technische Universitat Munchen, 1996. [GS96] Radu Grosu and Ketil Stoelen. A Model for Mobile Point-to-Point Data ow Networks without Channel Sharing . In Martin Wirsing and Maurice Nivat, editors, Proceedings of the 5th International Conference on Algebraic Methodology and Software Technology, AMAST'96, Munich, Germany, pages 505{519. Lecture Notes in Computer Science 1101, 1996. [Har87] D. Harel. Statecharts: A visual formalism for complex systems. Science of Computer Programming, 8, 1987. [Hin96] Ursula Hinkel. SDL and Time { A Mysterious Relationship. 1996. submitted to SDL Forum 97. [HNSY92] T.A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking for real-time systems. In Proceedings of the Seventh Annual Symposium on Logic in Computer Science, pages 394{406. IEEE Computer Society Press, 1992. [Hoa85] C.A.R. Hoare. Communicating sequential processes. Prentice-Hall International series in computer science. Prentice Hall, Inc., Englewood Clis, New Jersey, 1985. [IT93] ITU-T. Recommendation Z.100, Speci cation and Description Language (SDL). ITU-T, Geneva, 1993. [IT96] ITU-T. Z.120 { Message Sequence Chart (MSC). ITU-T, Geneva, 1996. [Leu95] S. Leue. Specifying Real-Time Requirements for SDL Speci cations - A Temporal Logic-Based Approach. In Proceedings of the Fifteenth International Symposium on Protocol Speci cation, Testing, and Veri cation PSTV'95. Chapmann & Hall, 1995. [LSVW95] N. Lynch, R. Segala, F. Vaandrager, and H.B. Weinberg. Hybrid I/O automata. Technical Report CS-R9578, CWI, Computer Science Department, Amsterdam, 1995. Also appeared in: Hybrid Systems III, Lecture Notes in Computer Science. Available under http://www.cs.kun.nl/~fvaan/. [LV96] N.A. Lynch and F. Vaandrager. Forward and backward simulations { part II: Timed systems. Information and Computation, 128(1):1{25, 1996. [MS96] Olaf Muller and Peter Scholz. Speci cation of real-time and hybrid systems in focus. TUM-I 9627, Technische Universitat Munchen, 1996.

[OFMP+ 94] A. Olsen, O. Frgemand, B. Mller-Pedersen, R. Reed, and J. R. W. Smith. Systems Engineering Using SDL-92. Elsevier Science, NorthHolland, 1994. [Pau91] L.C. Paulson. ML for the Working Programmer. Cambridge University Press, 1991. [RK96] B. Rumpe and C. Klein. Automata describing object behavior. In H. Kilov and W. Harvey, editors, Speci cation of Behavioral Semantics in Object-Oriented Information Modeling, pages 265{286, Norwell, Massachusetts, 1996. Kluwer Academic Publishers. [SGW94] B. Selic, G. Gullekson, and P. T. Ward. Real-Time Object-Oriented Modeling. John Wiley and Sons, Inc., 1994. [Von94] M. Von der Beeck. A Comparison of Statecharts Variants. Lecture Notes in Computer Science, 863:128{148, September 1994.

This article was processed using the LATEX macro package with LLNCS style