Specification and Verification of Real-Time Properties Using LOTOS and SQTL

Abderrahmane Lakas, Gordon S. Blair, Amanda Chetwynd

Computing Department, Lancaster University, Lancaster LA1 4YR, UK.

Abstract

In this paper we present a new approach to the formal specification of distributed real-time systems using the formal description technique LOTOS together with a real-time temporal logic SQTL. This approach, characterized by a separation of concerns, aims to construct abstractly a model from a functional specification according to real-time constraints. The functional behaviour is described in LOTOS without regard for the time-critical constraints. The specification is then extended with precise real-time properties written in SQTL. We present a method to generate a timing event scheduler from the properties in order to monitor the functional behaviour. The model of event schedulers is based on timed automata and is intended to be used for an automata-based verification technique.

1 Introduction

Over the past few years there have been several formal techniques used for the design and verification of distributed systems. The most popular ones are process algebras, Petri nets and finite state machine based techniques. More recently, the rise of multimedia applications and real-time systems has required the definition of new techniques including both qualitative and real-time analysis. Indeed, time-critical properties have become the main issue in such applications and therefore verification is not complete until these properties are satisfied. Because the qualitative and the quantitative description of systems are of different natures, we opted for a methodology that uses two description techniques: one for the functional behaviour and one for the quantitative information. Our work focuses on the use of the LOTOS specification language [7] for the formal description of functional behaviour, and a stochastic temporal logic for the specification of timing constraints. LOTOS has been proved to be a powerful formal description technique with a well defined semantics. Considerable research has been carried out on the verification of LOTOS specifications. The verification techniques are mainly based either on bisimulation relations [13] or on simulation techniques as in [9]. We also consider SQTL as a linear real-time temporal logic used for the description of timing properties. The purpose of this language is not only to specify the temporal ordering between the events occurring during the system's life but also to specify the time interval between these events. A wide range of real-time temporal logics has been defined in the last few years; we can non-exhaustively cite [1], [11] and [17]. The temporal logic we present in this work is an extension of QTL [5] to include probabilistic and stochastic features. For example, QTL is commonly used to express bounded responsiveness properties of the standard form:

□(send → ◇≤d receive)

which states that every time an action send happens, the action receive will occur within d time-units. SQTL extends this capability to enable the expression of stochastically bounded responsiveness properties such as:

□(send → ◇=Exp,λ receive)

where receive will now occur within a delay randomly determined with respect to an exponential distribution with an average rate of λ. A previous paper [12] describes the use of this stochastic information for simulation and performance analysis. This paper focuses on more formal verification using SQTL. Two kinds of timing properties are expressed in SQTL. Firstly, real-time assumptions are used to impose real-time constraints over the underlying LOTOS behaviour. The combination of LOTOS and these assumptions allows us to build up a real-time model based on timed automata [2]. The events specified by LOTOS are then scheduled according to the real-time assumptions. Secondly, real-time requirements are used to express the desired real-time properties of the timed model. The verification problem now consists of checking the conformity of our real-time model with respect to the requirements. Due to the decidability problem related to real-time logics in general [3], the language used for the description of the requirements is reduced to a fragment of SQTL.

Our approach is motivated by the desire to maintain a separation between functional concerns and real-time concerns. This approach, first adopted in [4], is used in order to tackle complex systems in a simpler way. It mainly allows us to reuse the qualitatively validated specification and extend it with the time constraint requirements for further timing analysis. Also, with this approach, there is no need to change the functional specification when timing constraints are changed. Furthermore, it is easier for the designer to tune the whole system by adding more time constraints.

The paper is structured as follows. In section 2 we give a short description of the language LOTOS and its syntax and semantics. Then we introduce, in section 3, the real-time temporal logic SQTL. After giving its syntax and semantics, we present an overview of the main properties expressible in SQTL. In this section we focus on the integration of real-time issues in the logic. In section 5, we define the real-time event scheduler model and view the way the SQTL formulae are translated into real-time event schedulers. We also show how LOTOS systems are composed with event schedulers in order to build real-time systems. In section 6, we present an example of a real-time stream protocol illustrating the generation of a real-time system from its functional behaviour and real-time assumptions. In section 7, we discuss our main approach to the verification of real-time systems with respect to real-time requirements. Finally, we end with a conclusion in section 8.

1063-6765/96 $5.00 © 1996 IEEE. Proceedings of IWSSD-8

2 Background on LOTOS

2.1 Syntax

The specification language LOTOS [7] is a process algebra based on CCS [lS]. Its terms are called behaviour expressions, which are composed with a few operators. The set of LOTOS behaviour expressions is defined as follows:

B ::= stop | exit | g;B | B\G | B1 [] B2 | B1 [> B2 | B1 >> B2 | B1 |[G]| B2

- stop is the unsuccessful termination. The process executing this action is locked,
- exit is the successful termination. This action also permits the control, when a termination is reached, to pass from one process to another,
- g;B: the process can execute an action offered on the gate g and then behaves like B,
- B\G: the process behaves like B except for actions belonging to G; in this case, these actions are hidden from the environment,
- B1 [] B2: the process has a non-deterministic choice to behave either like B1 or like B2. When one alternative is selected, the other one is discarded,
- B1 [> B2: the process behaves like B1 but at any time it could start executing B2. When it does so, the alternative B1 is discarded,
- B1 >> B2: the process behaves like B1 and when B1 terminates successfully, it behaves like B2,
- B1 |[G]| B2: the process in this case corresponds to the concurrent behaviour of B1 and B2. If the actions are executed on gates from G then B1 and B2 synchronize their execution, otherwise the two sides progress in an interleaving fashion.

Table 1: The operational semantics of LOTOS (rules recoverable from the extracted page)

Action:           g;B --g--> B
Exit:             exit --δ--> stop
Synchronization:  B1 --g--> B1', B2 --g--> B2', g ∈ G  ⟹  B1 |[G]| B2 --g--> B1' |[G]| B2'

2.2 Semantics

A LOTOS specification is interpreted as a Labelled Transition System. A transition B --a--> B' indicates that the system behaving as B executes an action a and moves to B'. The following presents the structure of a labelled transition system which represents the LOTOS semantics.
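To make the operators and the rules of Table 1 concrete, here is an added example (our code, not the paper's) of a small interpreter for the LOTOS fragment above. It represents behaviour expressions as nested tuples, implements the transition rules for stop, exit, action prefix, [], [>, >>, hiding and |[G]|, and explores the derivatives breadth-first to build LTS(B) = (Der(B), →, B) as defined in Section 2.2. The sender/channel processes, the gate names and the labels `delta` and `i` are constructed for the example; the rule that δ always synchronizes in a parallel composition while i never does is standard LOTOS and is not spelled out on this page.

```python
# Added example (not from the paper): a small interpreter for the LOTOS
# operators of Table 1, computing Der(B) and LTS(B) as in Section 2.2.
from collections import deque

STOP = ('stop',)
EXIT = ('exit',)
DELTA = 'delta'   # the successful-termination action (delta in Table 1)
I = 'i'           # the internal action produced by hiding and by >>

def prefix(g, b):        return ('prefix', g, b)                    # g;B
def choice(b1, b2):      return ('choice', b1, b2)                  # B1 [] B2
def disable(b1, b2):     return ('disable', b1, b2)                 # B1 [> B2
def enable(b1, b2):      return ('enable', b1, b2)                  # B1 >> B2
def hide(gates, b):      return ('hide', frozenset(gates), b)       # B \ G
def par(b1, gates, b2):  return ('par', b1, frozenset(gates), b2)   # B1 |[G]| B2

def step(b):
    """All transitions B --a--> B' of a behaviour expression, as (a, B') pairs."""
    kind = b[0]
    if kind == 'stop':                       # stop offers nothing: the process is locked
        return set()
    if kind == 'exit':                       # exit --delta--> stop
        return {(DELTA, STOP)}
    if kind == 'prefix':                     # g;B --g--> B
        return {(b[1], b[2])}
    if kind == 'choice':                     # either side may move; the other is discarded
        return step(b[1]) | step(b[2])
    if kind == 'disable':                    # B2 may start at any time and discards B1
        b1, b2 = b[1], b[2]
        out = set(step(b2))
        for a, n in step(b1):
            out.add((a, n) if a == DELTA else (a, disable(n, b2)))
        return out
    if kind == 'enable':                     # successful termination of B1 hands over to B2
        b1, b2 = b[1], b[2]
        return {(I, b2) if a == DELTA else (a, enable(n, b2)) for a, n in step(b1)}
    if kind == 'hide':                       # actions on gates in G become internal
        gates, inner = b[1], b[2]
        return {(I if a in gates else a, hide(gates, n)) for a, n in step(inner)}
    if kind == 'par':                        # synchronize on G (and delta), interleave otherwise
        b1, gates, b2 = b[1], b[2], b[3]
        sync = gates | {DELTA}
        s1, s2 = step(b1), step(b2)
        out = {(a, par(n, gates, b2)) for a, n in s1 if a not in sync}
        out |= {(a, par(b1, gates, n)) for a, n in s2 if a not in sync}
        out |= {(a, par(n1, gates, n2)) for a, n1 in s1 for c, n2 in s2
                if a == c and a in sync}
        return out
    raise ValueError('unknown behaviour expression: %r' % (kind,))

def lts(b):
    """LTS(B) = (Der(B), ->, B): derivatives are explored breadth-first (Section 2.2)."""
    states, trans, queue = {b}, set(), deque([b])
    while queue:
        cur = queue.popleft()
        for a, nxt in step(cur):
            trans.add((cur, a, nxt))
            if nxt not in states:
                states.add(nxt)
                queue.append(nxt)
    return states, trans, b

def action_labels(b):
    """Act(B): the set of action labels occurring in LTS(B)."""
    return {a for _, a, _ in lts(b)[1]}

# Constructed sample: a sender and a channel synchronizing on send and ack,
# while receive (not in G) interleaves. The names are ours, not the paper's.
SENDER  = prefix('send', prefix('ack', EXIT))
CHANNEL = prefix('send', prefix('receive', prefix('ack', EXIT)))
SYSTEM  = par(SENDER, {'send', 'ack'}, CHANNEL)

if __name__ == '__main__':
    states, trans, _ = lts(SYSTEM)
    print(len(states), 'derivatives,', len(trans), 'transitions')
    for _, a, _ in sorted(trans, key=repr):
        print('transition on', a)
```

Running the block on SYSTEM yields five derivatives joined by send, receive, ack and delta; hiding receive turns that label into i without changing the shape of the transition system, which is exactly the effect the B\G operator is meant to have on the environment's view of a process.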

Definition 2.1 A labelled transition system over the set Act is defined by the tuple LTS = (S, →, s0) where:
- S is a finite set of states,
- s0 ∈ S is the initial state,
- → ⊆ S × Act × S is a transition relation: → = { --a--> | a ∈ Act, ∃(s, s') ∈ S × S, s --a--> s' }.

The set of derivatives Der(B) of a behaviour expression B is given by:
- B ∈ Der(B),
- if B' ∈ Der(B) and ∃a ∈ Act, B' --a--> B'' then B'' ∈ Der(B).

Der(B) is finite since we assume that the finiteness condition holds for the specifications that we consider. A specification is considered finite when the processes are guarded and regular [14]. This condition allows us to calculate the labelled transition system corresponding to a LOTOS process. Given a behaviour expression B, then LTS(B) = (S, →, s0) where:
- S = Der(B),
- → = { --a--> | a ∈ Act(B), ∃ s, s' ∈ Der(B), s --a--> s' } and
- s0 = B.

3 SQTL

In our research, we use a linear time temporal logic featuring boolean connectives and temporal operators. Formulae are interpreted on infinite sequences of states s0 s1 ... For the sake of simplicity, we consider here a minimal version of SQTL with a constant operator True, the negation ¬ and the disjunction ∨. Other classical boolean connectives can be derived as well: φ1 ∧ φ2 ≡ ¬(¬φ1 ∨ ¬φ2) and φ1 → φ2 ≡ ¬φ1 ∨ φ2. The temporal operators consist of two dual classes of operators: future operators and past operators:

[the table of temporal operators is not recoverable from the extracted page]

Other temporal operators can be derived for convenient use, like:

◇p ≡ True U p
◆p ≡ True S p

The until operator can be bounded by a time constant d, where d bounds the time during which φ1 will hold and at the end of which φ2 will hold. This formulation is equivalent to

⋁_{0 ≤ δ ≤ d} φ1 U=δ φ2

or, in a more compact and more general form, φ1 U[l,u] φ2.

The time interval between events can also be stochastically distributed, as in:

φ1 U=Exp,λ φ2

where (Exp, λ) means that the time interval d is now randomized according to an exponential distribution with a mean interval of 1/λ, i.e. d follows an exponential distribution with probability density function f(d), d ≥ 0, such that ∫ f(x) dx = 1. The temporal logic expressing only qualitative properties then represents a subset of quantified temporal logic where the time distance between the situations is undefined, i.e.:

[formula not recoverable from the extracted page]

φ1 Uδ φ2 [...] otherwise a;B1 [] b;B2 --b--> B2 if b is enabled. Secondly, the non-determinism can also explicitly be reduced using probability quantification with the "exclusive or" operator. For instance, the formula

□(send → ◇(error ∨0.1 receive))

reduces the non-determinism in the LOTOS expression send;(error [] receive) using a probabilistic distribution {0.1, 0.9}. This construction is similar to the probabilistic choice introduced in timed LOTOS [15]: send;(error ⊕p receive).
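As an added example (not from the paper), the following code evaluates SQTL-style formulae over a finite timed trace. Formulae use only True, ¬, ∨ and a bounded until U[l,u], matching the minimal logic of Section 3; ∧, →, ◇ and □ are the derived forms given there, and U=δ is taken as U[δ,δ]. The trace, the propositions and the deadlines are constructed; finite-trace (monitoring) semantics, in which □ ranges over the positions of the recorded prefix, is our assumption, as is integer-valued time for expanding U≤d into the disjunction of U=δ shown above. The stochastic U=Exp,λ is not modelled here: it would replace the constant bound by a sampled delay.

```python
# Added example (not from the paper): satisfaction of bounded-until formulae
# over a finite timed state sequence, following the operators of Section 3.
TRUE = ('true',)

def prop(name):                   return ('prop', name)               # atomic proposition
def neg(f):                       return ('not', f)                   # negation
def disj(f, g):                   return ('or', f, g)                 # disjunction
def conj(f, g):                   return neg(disj(neg(f), neg(g)))    # phi1 & phi2 == ~(~phi1 | ~phi2)
def implies(f, g):                return disj(neg(f), g)              # phi1 -> phi2 == ~phi1 | phi2
def until(f, g, lo=0, hi=None):   return ('until', f, g, lo, hi)      # phi1 U[lo,hi] phi2; hi=None: unbounded
def until_eq(f, g, delta):        return until(f, g, delta, delta)    # phi1 U=delta phi2
def eventually(f, lo=0, hi=None): return until(TRUE, f, lo, hi)       # <>[lo,hi] p == True U[lo,hi] p
def always(f):                    return neg(eventually(neg(f)))      # [] p == ~<> ~p

def holds(phi, trace, i=0):
    """Does phi hold at position i of trace = [(time, {propositions}), ...]?"""
    k = phi[0]
    if k == 'true':
        return True
    if k == 'prop':
        return phi[1] in trace[i][1]
    if k == 'not':
        return not holds(phi[1], trace, i)
    if k == 'or':
        return holds(phi[1], trace, i) or holds(phi[2], trace, i)
    if k == 'until':
        f, g, lo, hi = phi[1:]
        t0 = trace[i][0]
        for j in range(i, len(trace)):
            d = trace[j][0] - t0                  # time distance from position i
            if hi is not None and d > hi:
                break                             # the window [lo, hi] is exhausted
            if d >= lo and holds(g, trace, j):
                return True                       # phi2 reached inside the window
            if not holds(f, trace, j):
                return False                      # phi1 failed before phi2 was reached
        return False
    raise ValueError(phi)

def failing_positions(phi, trace):
    """Times at which phi fails: the witnesses a monitor would report for [] phi."""
    return [t for i, (t, _) in enumerate(trace) if not holds(phi, trace, i)]

def big_or(formulas):
    out = formulas[0]
    for f in formulas[1:]:
        out = disj(out, f)
    return out

def bounded_until_as_disjunction(f, g, d):
    """The expansion  OR_{0 <= delta <= d} phi1 U=delta phi2  on integer time."""
    return big_or([until_eq(f, g, delta) for delta in range(d + 1)])

# Constructed timed trace: (time unit, set of propositions true at that instant).
TRACE = [(0, {'send'}), (3, {'receive'}), (5, {'send'}), (12, {'receive'}), (14, {'idle'})]

RESPONSE_5 = implies(prop('send'), eventually(prop('receive'), 0, 5))   # send -> <>(<=5) receive
RESPONSE_8 = implies(prop('send'), eventually(prop('receive'), 0, 8))   # send -> <>(<=8) receive

if __name__ == '__main__':
    print('[](send -> <>[0,5] receive):', holds(always(RESPONSE_5), TRACE))
    print('violated at times', failing_positions(RESPONSE_5, TRACE))
```

On the constructed trace the second send is answered only seven units later, so the 5-unit bound fails at time 5 while the 8-unit bound is met, and the disjunction of exact-delay untils agrees with U[0,5] at every position, which is the equivalence stated above.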

Timed synchronization: The synchronization through the parallel operator |[..]| in LOTOS is now explicitly or implicitly timed by specifying the time at which it takes place. As actions are constrained with deadlines, their synchronizations are assumed to have the same constraints. In addition to the semantics of synchronization in LOTOS, we assume that synchronization fails when the synchronized actions have no compatible deadlines. In the expression

a;B1 |[a]| a;B2

the synchronization will occur after the same delay δ as the one the action a must wait for, i.e. the composition performs a after the delay δ and then behaves like B1 |[a]| B2. However, due to the maximal progress property, when the deadline constraint is bounded by an interval, the participating agents should engage in the synchronization as soon as they are ready.

5 Event Schedulers

5.1 The Event Scheduler Model

Definition 5.1 An event scheduler is represented by the tuple Sch = (S, Σ, T, E, P, R, H, s0) where:
- S is a finite set of states,
- s0 ∈ S is the initial state,
- Σ is a finite set of events,
- E ⊆ S × Σ × S is a finite set of edges: s1 --a--> s2 for some a ∈ Σ iff (s1, a, s2) ∈ E,
- T is a finite set of timers. The timers are initially set to a deadline value. The value of every timer coupled with the current state represents a generalized state (s, [t]) where s ∈ S and [t] denotes the current reading of all timers t ∈ T. The reading of every timer changes automatically with the progress of time: it is decreased by the elapsed delay, (s, [t]) --e--> (s', [t - e]),
- P: E → CT is a function associating with each edge in E a timing constraint from CT. A transition s1 --a--> s2 is enabled if the constraint P(s1, a, s2) holds. CT is constructed from algebraic relations ⋈ ∈ {=, [the extracted text is cut off here]
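The following is an added example (ours, not the paper's) of the scheduler model of Definition 5.1: locations S, events Σ, timers T initially set to their deadline values, edges E with timing constraints P over timer readings, and a generalized state (s, [t]) whose readings decrease as time elapses. Because the definition of R and H is cut off in the extracted text, the example assumes that each edge lists the timers it resets to their deadline; the relation set used for CT, the send/receive scheduler and the timed event sequence are all constructed for the example.

```python
# Added example (not from the paper): an event scheduler in the style of
# Definition 5.1, with timers that count down as time elapses and edges
# guarded by timing constraints, driven by a constructed timed event sequence.
import operator

# Relations assumed for CT (the page's list is cut off after '=').
RELATIONS = {'=': operator.eq, '<': operator.lt, '<=': operator.le,
             '>': operator.gt, '>=': operator.ge}

class EventScheduler:
    """Sch = (S, Sigma, T, E, P, s0). R and H of the paper's tuple are not defined in
    the extracted text; here an edge carries the set of timers it resets (our assumption)."""

    def __init__(self, states, events, timers, edges, s0):
        self.states = set(states)
        self.events = set(events)
        self.timers = dict(timers)           # T: timer name -> deadline value
        # E together with P: (s1, event, s2) -> (constraint, timers_to_reset);
        # a constraint is (timer, relation, value) or None (always enabled)
        self.edges = dict(edges)
        self.s0 = s0

    def initial(self):
        """Generalized initial state (s0, [t]) with every timer at its deadline."""
        return (self.s0, dict(self.timers))

    @staticmethod
    def elapse(gstate, e):
        """(s, [t]) --e--> (s, [t - e]): time progress decreases every reading."""
        s, readings = gstate
        return (s, {k: v - e for k, v in readings.items()})

    def enabled(self, gstate, event):
        """Edges (s, event, s2) whose constraint P holds under the current readings."""
        s, readings = gstate
        out = []
        for (s1, ev, s2), (constraint, resets) in self.edges.items():
            if s1 != s or ev != event:
                continue
            if constraint is None:
                out.append((s2, resets))
                continue
            timer, rel, value = constraint
            if RELATIONS[rel](readings[timer], value):
                out.append((s2, resets))
        return out

    def fire(self, gstate, event):
        """Take the first enabled edge for event; None if the event is not allowed now."""
        moves = self.enabled(gstate, event)
        if not moves:
            return None
        s2, resets = moves[0]
        readings = dict(gstate[1])
        for k in resets:                     # reset timers to their deadline (assumed R)
            readings[k] = self.timers[k]
        return (s2, readings)

def monitor(sched, timed_events):
    """Run the scheduler over [(time, event), ...]; events outside Sigma interleave freely.
    Returns (ok, (time, event, state, readings)), naming the first rejected event if any."""
    gstate, now = sched.initial(), 0
    for t, ev in timed_events:
        gstate = sched.elapse(gstate, t - now)   # delay transition
        now = t
        if ev not in sched.events:
            continue                             # not scheduled: a plain LOTOS action
        nxt = sched.fire(gstate, ev)
        if nxt is None:
            return False, (t, ev, gstate[0], gstate[1])
        gstate = nxt
    return True, (now, None, gstate[0], gstate[1])

def response_scheduler(d):
    """Scheduler for [](send -> <>(<=d) receive): timer t is set to d on send and
    receive is accepted only while its reading is still non-negative."""
    return EventScheduler(
        states={'idle', 'waiting'}, events={'send', 'receive'}, timers={'t': d},
        edges={('idle', 'send', 'waiting'): (None, {'t'}),
               ('waiting', 'receive', 'idle'): (('t', '>=', 0), set())},
        s0='idle')

# Constructed timed event sequence: the second receive arrives 7 units after its send.
EVENTS = [(0, 'send'), (3, 'receive'), (5, 'send'), (9, 'tick'), (12, 'receive')]

if __name__ == '__main__':
    for d in (5, 8):
        print('deadline', d, '->', monitor(response_scheduler(d), EVENTS))
```

With deadline 5 the scheduler rejects the receive at time 12, reporting the expired reading t = -2, whereas with deadline 8 the same sequence is accepted; the unscheduled tick event passes through, which is how a LOTOS action outside Σ interleaves with the scheduler in the composition described above.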
