TA-LTL: Specifying Adaptation Timing Properties in ... - CiteSeerX

TA-LTL: Specifying Adaptation Timing Properties in Autonomic Systems Zhinan Zhou, Ji Zhang, Philip K. McKinley and Betty H. C. Cheng Department of Computer Science and Engineering Michigan State University East Lansing, Michigan 48824 {zhouzhin, zhangji9, mckinley, chengb}@cse.msu.edu

Abstract Increasingly, computer software must adapt dynamically to changing conditions. The correctness of adaptation cannot be properly addressed without precisely specifying the requirements for adaptation. In many situation, these requirements involve absolute time, in addition to a logical ordering of events. This paper introduces an approach to formally specifying such timing requirements for adaptive software. We introduce TA-LTL, a timed adaptation-based extension to linear temporal logic, and use this logic to specify three timing properties associated with the adaptation process: safety, liveness, and stability. A dynamic adaptation of interactive audio streaming software is used to illustrate timed temporal logic.

1 Introduction Interest in adaptive computing systems has grown dramatically in the past few years [15]. One of several driving factors is the increasing demand for autonomic computing [9], which refers to systems being capable of managing and protecting their own resources with only high-level human guidance. Adaptive software behavior, including the dynamic recomposition of the code itself, has been studied extensively with respect to different system layers [15]. Several projects have addressed adaptation at the operating system level [7], while others have focused on middleware [10, 17, 22]. In addition to its traditional role in hiding resource distribution and platform heterogeneity, middleware can be used to address several concerns related to adaptive behavior, including quality-of-service, energy management, fault tolerance, and security. Dynamically adaptive software can be more resilient to changing conditions and offer higher availability than nonadaptive software. The design of adaptive software, however, must be supported by a programming paradigm that lends itself to automated checking of both functional and

nonfunctional properties of the system. In particular, correctness of adaptive programs cannot be properly addressed without precisely specifying their requirements [3]. Many types of adaptation involve timing requirements, including requirements on the allowable sequences of actions in reconfiguring code, and absolute timing requirements arising from real-time characteristics of the application. This paper focuses on the specification of timing requirements associated with dynamic software adaptation. Previously, Zhang and Cheng proposed A-LTL [25, 26], an extension to linear temporal logic for formally specifying the semantics of adaptive and recomposable software. The adaptation semantics graphs and the generated temporal logic specifications help software developers to clearly describe the behavior of adaptive systems. Moreover, ALTL enables application of automated analysis methods to adaptive programs; for example, using model checking to verify the correctness of a program model, and dynamic insertion of adaptation logic code into the program. However, A-LTL describes only the relative temporal ordering among events and system states that occur during the adaptation process. While this capability is sufficient for specifying many types of adaptive behavior, A-LTL cannot be used to specify systems with real-time requirements, where the absolute timing may play an important role. In this paper we introduce Timed A-LTL (TA-LTL), an extension to A-LTL that includes a metric for time [2]. Specifically, TA-LTL enables temporal constraints to be expressed in a quantitative form, in addition to specifying temporal ordering. We model an adaptive program as the composition of a finite number of steady state programs and the adaptations among these programs. We assume that the properties of each program have already been specified with a Linear Temporal Logic (LTL) formula. Furthermore, the adaptation process from one program to another have been specified with an A-LTL formula as described by Zhang and Cheng [26]. TA-LTL enables us to specify three key properties of adaptation that involve absolute time: safety, liveness, and stability during the adaptation process. We

have successfully applied this specification technique to a number of prototype adaptive programs, including adaptable communication software components. The remainder of this paper is organized as follows. Section 2 provides background information on adaptable communication services, and Section 3 discusses related work on specifying temporal constraints. In Sections 4 and 5, respectively, we introduce the syntax and semantics of TALTL, and the use of TA-LTL in specifying the timing properties of three commonly used adaptation semantics. Section 6 illustrates our approach with a mobile computing example. Section 7 concludes the paper and discusses future directions.

vices include: auditing traffic and usage patterns, transcoding data streams into lower-bandwidth versions, encrypting and decrypting data, and implementing forward error correction (FEC) to make data streams more resilient to packet loss. Figure 1 shows that the MetaSocket also supports special types of methods to insert and remove filters, as well as retrieve their status. MetaSocket Component

close

send

InsertFilter RemoveFilter GetStatus

SendSocket

2 Background Socket

This study is part of the ONR-sponsored RAPIDware project, which addresses design and evaluation of adaptive middleware to support interactive applications in dynamic, heterogeneous environments. The RAPIDware project investigates software technologies and programming abstractions for building adaptable systems. An overriding premise of the project is that the design of adaptable software must be grounded in principled, rigorous software engineering methods in order to ensure that the integrity of the system is not compromised as the system adapts, and that the system can be effectively tested and maintained. We developed TA-LTL as part of this effort. While TA-LTL is applicable to many types of software systems, our initial focus, described here, is on adaptable communication services. Responding to changes in the environment is particularly important in mobile computing, where conditions on wireless channels are highly dynamic and devices often must try to maintain an acceptable quality of service while maximizing battery lifetime. Dynamic adaptation can be used to enhance fault tolerance, improve quality of service, and accommodate changing security policies as a user moves from one wireless domain to another. However, reconfiguration of communication software can introduce timing problems, particularly when the data stream has real-time requirements. After presenting the design and use of TA-LTL, we describe a case study in which we use it to specify temporal constraints on MetaSockets [23], an adaptable communication component developed earlier in the RAPIDware project. MetaSockets provide the same imperative functionality as regular Java sockets, including methods for sending and receiving data. However, their internal structure and behavior can be adapted at run time in response to changes in their environment. Figure 1 illustrates the internal architecture of the particular type of MetaSocket used in this study. Packets are passed through a pipeline of Filter components, each of which processes the packets. Example filter ser-

filter with thread and buffer

Figure 1. Structure of a MetaSocket. An earlier experimental study [28] demonstrated the effectiveness of MetaSockets in supporting interactive audio streaming to mobile devices under dynamic wireless channel conditions. In particular, MetaSockets enable a system to invoke stronger error control methods under conditions of high packet loss, as well as implement energy conservation strategies that extend battery lifetime. However, that study also revealed that certain MetaSockets configurations can exhibit processing delays large enough to produce jitter in the delivery and playback of the stream. In the case study, we demonstrate how TA-LTL specifications can be used to prevent such situations.

3 Related Work In the past decade, researchers have proposed many techniques, tools, and models for the formal specification of real-time systems. Formal specification languages typically enumerate the temporal constraints among events and actions, such as periodicity, invariants, liveness, safety conditions, etc. For example, Propositional Temporal Logic (PTL, later referred to as LTL), introduced by Pnueli [18], is a temporal extension to the propositional logic. The propositions of LTL describe the temporal relationship between states that characterize the temporal system evolution. However, LTL does not provide a metric of time and describes only temporal ordering relationships. Several approaches have been proposed to introduce time explicitly in LTL and have given it the capability of making quantitative temporal assertions. Real-Time Temporal Logic (RTTL) [16] extends PTL with the real-time operations and proof rules for real-time properties. Real-Time Logic

(RTL) [8] extends first order logic with a set of elements for specifying real-time system requirements by presenting an absolute clock to measure time progression. Metric Temporal Logic (MTL) [11] extends first order logic with temporal operators, and includes a metric for time to describe the structure of the temporal domain. In Timed Propositional Temporal Logic (TPTL) [1], in addition to the proposition values, there is a single clock reading at every state. Each clock reading can be “frozen” with the use of freeze operator and compared with others. All these formal specification languages have been shown to be effective in specifying certain types of real-time properties. However, to our knowledge, none has been applied to specifying dynamic software adaptation, likely because either the lack of expressiveness for capturing adaptation semantics or the syntax is too complicated to efficiently and concisely specify adaptation. There has been other work in addressing the correctness of adaptations. For example, Kulkarni et al. [14] introduced a transitional-invariant lattice approach; theorem proving is used to show that during and after an adaptation, the adaptive program is in correct states with respect to satisfying the transitional invariants. Other approaches [5, 13] use formal languages to describe the structural changes of the software at the design and implementation levels. Finally, some researchers [12,26] have proposed protocols or algorithms to be used during component replacement so as to guarantee safe adaptation. However, these methods do not explicitly address timing requirements of the adaptation procedure. In this paper, we address this issue by proposing a language to specify the timing properties of adaptation behavior in autonomic systems. We extend our previous work on using A-LTL to specify adaptation semantics by introducing a metric for time.

4 Timed Adapt Operator-Extended LTL The TA-LTL language is based on two existing temporal logics: A-LTL [26] and APTL [24]. We briefly review both logics before giving details of TA-LTL.

4.1 Supporting temporal logics A-LTL. With A-LTL, an adaptive program is modeled with a state machine, and it changes its behavior during its execution. The state space describing each different kind of behavior is a non-adaptive program. The state space describing the change of behavior from one non-adaptive program (source program) to another (target program) is a simple adaptive program, which can be identified by the source and target program pair. To specify adaptation behavior, A-LTL extends LTL with Ω the adapt operator (*), which is a subset of the choppy logic introduced by Rosner and Pnueli [21]. Informally, a system

Ω

satisfies “φ * ψ” (read as φ adapts to ψ with base atomic propositions Ω) means that the system initially satisfies φ, and at a certain state, it stops satisfying φ and starts to satisfy ψ, where φ and ψ are two temporal logic formulae, and Ω is a set of atomic propositions. A-LTL uses σ |=c φ to denote that a state sequence σ Ω satisfies an A-LTL formula φ. Specifically, φ * ψ states that if a state sequence s0 , s1 , s2 , · · · , sk , sk+1 , sk+2 , · · · Ω satisfies φ * ψ, then there exists (k ≥ 1), such that s0 , s1 , s2 , · · · , sk |=c φ and sk+1 , sk+2 , · · · |=c ψ, and sk and sk+1 agree on all atomic propositions in Ω, i.e., an atomic proposition α ∈ Ω is in sk , if and only if it is true in sk+1 , and vice-versa. APTL. Temporal logics with a metric for time allow the definition of quantitative temporal relationships (in addition to qualitative ordering), such as distance among events and durations of events. A typical way to add a metric for time in a propositional temporal logic is to replace the unrestricted temporal operators by time-bounded operators. For example, the bounded operator ♦[1,3] states “eventually within 1 to 3 time units from the current time.” An alternative way to represent time quantitatively is to adopt the freeze quantification proposed by Alur and Henzinger [1] in TPTL (Timed Propositional Temporal Logic). TPTL is a formalism for specifying real-time properties with a single system clock. However, in a distributed system, multiple local clocks may be used among different system components (a local clock is a physical device that when accessed, returns a clock reading). As a result, it may not be possible to compare the numerical readings of these clocks to determine the temporal precedence, since they may tick at completely independent rates. To interpret timing inequalities involving different local clocks, Wang proposed APTL [24], an asynchronous distributed system model, to treat local clock readings not as numerical values, but as special temporal marks, enabling comparison of the “temporal precedence” between readings from different local clocks. For a system of m local clocks ai is the reading a of clock i. Given a local clock reading ai and an integer constant d, ai + d is a displaced local clock reading with displacement d and defined as ai + d ≡ (a + d)i . The formulae of APTL are defined inductively by the grammar φ ::= p | φ1 ∧ φ2 | ¬φ | φ1 U φ2 | ° φ | [x1 , . . . , xm ]φ where x1 , . . . , xm are the names for local reading variables for clock 1, . . . , m respectively; [x1 , . . . , xm ]φ means that the variables x1 , . . . , xm is bound to the time of a state in which the formula φ is true.

4.2 Syntax of TA-LTL TA-LTL is intended to address the safety, liveness, and stability of adaptation behaviors. Safety and liveness are

adaptation properties to restrict the duration of adaptation state transitions. Stability constrains the rate of state change to ensure the system does not “thrash” by oscillating between states. To support time in A-LTL, we adopt the asynchronous timing metric in APTL and apply it to the adapt Ω operator *. The formulae of TA-LTL are constructed from proposition symbols and timing constraints comprising asynchronous inequality operators, temporal operators, and local reading variables. Let P be a set of proposition symbols (p, q, r, . . .), let N be the set of nonnegative integers, and let V be an infinite supply of local reading variables (x, y, z, . . .). The terms of time π and formulae φ of TALTL are inductively defined as follows:

π := φ :=

xi + c | c p | π1 ∼ π2 | φ1 ∧ φ2 | ¬φ | φ1 → φ2 | ° φ | Ω

φ1 Uφ2 | φ1 * φ2 | [x1 , . . . , xm ]φ for x ∈ V , p ∈ P , and integer constants c ∈ N . The timing constraints. The local clocks are indexed with positive integers 1 through m. The variables x1 , . . . , xm are names of local reading variables for clock 1, . . . , m, respectively. The variable i is the integer index for a clock. The timing constraints (π1 ∼ π2 ) of TA-LTL are the forms of asynchronous inequalities proposed in APTL which presents the temporal relationship between local clock readings [24]. Corresponding to the usual arithmetic inequality operators , ≥, =, there are five asynchronous inequality operators: C : E : B : D : ­ :

earlier than; no later than; later than; no earlier than; at the same instant as;

The temporal operators. ° and U are the modal operators NEXT and UNTIL, respectively. The operator Ω * is the adapt operator defined in A-LTL. The formula [x1 , . . . , xm ]φ means that the variables x1 , . . . , xm are bound (denoted by [ ]) to the the time (readings from the local clocks) of the local temporal context in which the formula φ is true. Additional temporal operators such as ∨(or), → (imply), ↔ (co − imply), ♦(eventually) and ¤(always) can be defined in terms of the ¬(not), ∧(and), °(next), and U(until) operator as usual.

4.3 Semantics of TA-LTL In APTL a conceptual logical global clock is the frame of reference of local clocks. Based on logical global time, the operations of a system of m local clocks can be described by an infinite sequence called a global schedule, σ = σ0 σ1 σ2 . . . σk . . . where, for all k, σk is a total function such that σk (i) = ai if and only if the reading of clock i at global time k is a, for each 1 ≤ i ≤ m. The TA-LTL formulae are interpreted over multi-clock state sequences σ = σ0 σ1 σ2 . . . σk . . ., in which states are marked by local readings and propositions that are true in those states. σ0 is the system starting state. We use σk |=ε φ to denote that a multi-clock state sequence σ with environment ε at state σk satisfies a TA-LTL formula φ. We define the TA-LTL semantics as follows. • σk |=ε [x1 , . . . , xm ]φ iff σk |=ε[x1 ←σk (1),...,xm ←σk (m)] φ. An environment ε is a set of assignments of local clock readings ai to local reading variables xi respectively. Ω

00

• σk |=ε φ1 * φ2 iff there exists a sequence σ and a 0 0 00 0 finite state sequence σ s.t. σ = σ ◦ σ , σ |=ε φ1 , 00 and σ |=ε φ2 , where “◦” represents a sequence fu0 00 sion operation. σ ◦ σ = σ0 , · · · , σk , σk+1 , · · · where 0 00 σ = σ0 , · · · σk , and σ = σk , · · · [21]. A sequence Ω satisfying φ1 * φ2 can be considered as the concatenation of two subsequences, where the first subsequence satisfies φ1 , the second subsequence satisfies φ2 . • Other operators (∧,→,¬,∼,°, and U ) are defined similarly as those used in APTL.

5 Specifying Adaptation Timing Properties Figure 2 depicts three commonly used adaptation scenarios [26]: Figure 2(a) depicts one-point adaptation (the source system adapts to the target system at a certain point during its execution); Figure 2(b) shows guided adaptation (the source system adapts to the target system with a restriction condition); and Figure 2(c) depicts overlap adaptation (under the restriction conditions, the target system behavior starts before the source system behavior stops). There are many other possible adaptation semantics. In this paper, however, we focus on specifying the timing properties of these adaptation semantics with TA-LTL by binding local reading variables to the temporal operators and using asynchronous inequalities to present the timing constraints.

∧

∧

∧

∧

∧

∧

∧ ∧

∧

Figure 2. Three adaptation scenarios. Specifically, we investigate three timing properties of adaptation semantics: safety, liveness, and stability. Safety asserts properties that invalidate the adaptation will not happen. The timing properties of safety enforce that the source/target system should enter the restriction condition or safe state within a certain time period after receiving the adaptation request. If this time constraint cannot be satisfied, then it might be too late for the system to react to the dynamic changing environment, attacks, user requirements, etc. Liveness asserts properties that respond to the adaptation requests and asserts that the adaptation goals will eventually be specified. The liveness timing properties restrict the time periods allowed for the source system to adapt to the target system upon receiving adaptation requests. If this time constraint cannot be satisfied, then the adaptation needs may become invalid or the adaptation may cause the system to enter an inconsistent state [27]. Stability asserts how long the system should remain in certain states. To avoid adaptation oscillation which may be caused by frequent adaptation triggering, the timing properties of stability constrain the time gap between two successive adaptations and thus ensure that the system is executing in a non-adaptation manner for a certain amount of time before the next adaptation is allowed. If this time constraint is

violated, then the system might enter an inconsistent state. We assume that the source system and the target system have been both specified in LTL. We refer to these as base specifications and denote them as SSP EC and TSP EC , respectively. We specify the adaptation from the source system to the target system with A-LTL by extending the base specifications of the source and the target systems. For some adaptations, the source/target system behavior may need to be constrained during the adaptation. We use an LTL formula to specify the restriction condition, RCON D , during the adaptation. We define a meta atomic proposition to be an atomic proposition other than base atomic propositions. We associate a meta atomic proposition, flag proposition, with each base specification formula or restriction condition formula to indicate the interval of states in which the system exhibits the specified behavior. When the system starts (stops) satisfying a base specification (or a restriction condition), the corresponding flag proposition should change from false (true) to true (false). The flag propositions for the two systems are SF L and TF L , respectively. The flag proposition for the restriction condition is RF L , if applicable. To simplify the specifications, we define the EXclusive-True function ExT , to be applied to a set of flag propositions. Informally, ExT (α) is true if and only if for all flag propositions PF L ∈ α, ¤PF L are true; and for all flag propositions PF L ∈ / α, ¤PF L are false. We use another meta atomic proposition AREQ to indicate the receipt of an adaptation request to a target system. Safe states are those states where all the obligations of the source system are fulfilled, and thus it is safe to terminate the source behavior. Note that to be more general, TA-LTL syntax and semantics has been specified to support the use of single and multiple clocks in adaptations. For the purpose of this paper, we focus on specifying adaptation semantics with timing constraints in the context of a single clock. Adaptation semantics with multiple clocks is part of our ongoing work.

5.1 One-point adaptation Under one-point adaptation semantics, after receiving an adaptation request, the source system adapts to the target system at a certain point during its execution. The prerequisite is that the source system should eventually reach a safe state during its execution. This semantics is depicted in Figure 2(a), where circles represent a sequence of states. Solid lines represent state intervals and the label of each solid line represents the property that is held by the interval. The arrow points to the states in which an adaptation request is received. This adaptation semantics can be specified by ALTL as SP ECOP as shown in Figure 3. In the context of adaptive processing of data streams, an example is to insert the encoder at the sender side where each operation is ap-

SP ECOP LIV E

Ω REQ*T AG

ST ABLEOP

=

Ω

(ExT ({SF L }) ∧ SSP EC ∧ ♦AREQ ) * (ExT ({TF L }) ∧ TSP EC ) Ω

=

♦[x]((AREQ ∧ ExT ({SF L })) * [y](ExT ({TF L }) ∧ (x + tl−min E y) ∧ (y E x + tl−max )))

=

¤¬([x]((ExT ({SF L }) ∧ °ExT ({SF L })) * [y]((ExT ({TF L }) ∧ °ExT ({TF L })) ∧ (y C x + tf eq ))))

Ω

Figure 3. Specifying one-point adaptation with TA-LTL plied independently to each packet in the outgoing stream. The formula SP ECOP (Expression (1)) states that the system initially satisfies SSP EC . When the system reaches a safe state, i.e., all obligations generated by SSP EC are satisfied, indicated by SF L becoming f alse and TF L becoming true, the system stops satisfying SSP EC and starts to satisfy TSP EC . As mentioned, we assume that the request thread, the source system and the target system share the same clock. The timing properties of SP ECOP can be specified by TA-LTL as shown in Figure 3 (Expression (2) - (3)). The formula LIV E (Expression (2)) states that Ω REQ*T AG once the source system (ExT ({SF L })) receives an adaptation request AREQ , it should adapt to the target system (ExT ({TF L })) within [tl−min , tl−max ], where tl−min and tl−max represents the lower and upper bound of the constrained time frame respectively. Because the target system of the current adaptation will be the source system of the next adaptation, the stability specification actually applies Ω to a SSP EC * TSP EC adaptation cycle. Thus the formula ST ABLEOP (Expression (3)) states that the current source system should continue to satisfy SSP EC for at least tf eq before it can start to exclusively satisfy TSP EC .

5.2 Guided adaptation Under guided adaptation semantics (visually depicted in Figure 2(b)), after receiving an adaptation request, the system first applies a restriction condition to the source system behavior, and then adapts to the target system when it reaches a safe state. This semantics is suitable for adaptations where source systems cannot otherwise guarantee reaching a safe state within a given amount of time. The restriction condition should ensure that the source system will reach a safe state. This situation arises when continued execution of the old system is needed before switching to the new system. For example, if we are applying encryption encoding/decoding to a sender and receiver, the receiver needs to process any unencoded packets that are in-flight or buffered at the receiver, before inserting the decoder into the processing chain. This adaptation semantics can be specified by A-LTL as SP ECGU IDED in Figure 4. The formula SP ECGU IDED (Expression (4)) states that initially SSP EC is satisfied. After an adaptation request, AREQ , is received, the system should satisfy a restriction condition, RCON D . When the system reaches a safe state of the source system, indi-

cated by TF L becoming true, the system stops satisfying the SSP EC , indicated by SF L becoming f alse, and starts to satisfy TSP EC . The timing properties of SP ECGU IDED can be specified by TA-LTL as shown in Figure 4 (Expression (5) - (7)). The formula SAF E (Expression (5)) states Ω REQ*ADAP T that upon receiving the adaptation request, the source system should satisfy the restriction condition RCON D within [ts−min , ts−max ], otherwise the response time is too long to be useful, where ts−min and ts−max represents the lower and upper bound of the constrained time frame respectively. The formula LIV E and ST ABLEGU IDED Ω REQ*T AG have similar meanings as those described for the one-point adaptation semantics.

5.3 Overlap adaptation Under overlap adaptation semantics (visually depicted in Figure 2(c)), the target system behavior starts before the source system behavior stops. During the overlap of the source and the target behavior, the restriction conditions are applied to safeguard the correct behavior of both systems. This adaptation semantics is appropriate for the case when continuous service from the adaptive system is required. The restriction conditions should ensure that both the source system and the target system reach safe states. For example, in some systems a receiver may need to be able to handle both unencoded and encoded packets for a period of time after the filter has been reconfigured. This adaptation semantics can be specified by ALTL as SP ECOV ERLAP in Figure 5. The formula SP ECOV ERLAP (Expression (8)) states that the whole adaptation process comprises two parts. Initially only the SSP EC is satisfied. After an adaptation request, AREQ , is received, the system should start to satisfy a restriction condition, SRCON D until the system reaches a safe state of the source system, indicated by SF L becoming f alse, the system stops satisfying SSP EC and SRCON D . The second part of the formula is used to specify the target system behavior which starts to satisfy TSP EC and target system restriction condition T RCON D upon receiving adaptation request AREQ . Finally only the TSP EC is satisfied, indicated by only ExT ({TF L }) is true. The timing properties of SP ECOV ERLAP can be specified by TA-LTL as shown in Figure 5 (Expression (9) - (14)). The formula SAF E (ExpresΩ REQ*ADAP T sion (9)) states that upon receiving the adaptation re-

(1) (2) (3)

SP ECGU IDED SAF E

Ω REQ*ADAP T

LIV E

Ω REQ*T AG

ST ABLEGU IDED

=

Ω

Ω

(SSP EC ∧ ((ExT ({SF L }) ∧ ♦AREQ ) * (ExT ({SF L , RF L }) ∧ RCON D ))) * (ExT ({TF L }) ∧ TSP EC )

(4)

Ω

=

♦[x]((ExT ({SF L }) ∧ AREQ ) * [y]((ExT ({SF L , RF L }) ∧ RCON D ) ∧ (x + ts−min E y) ∧ (y E x + ts−max ))) (5)

=

♦[x]((AREQ ∧ SF L ) * [y](ExT ({TF L }) ∧ (x + tl−min E y) ∧ (y E x + tl−max )))

=

Ω

(6)

Ω

¤¬([x]((ExT ({SF L }) ∧ °ExT ({SF L })) * [y]((ExT ({TF L }) ∧ °ExT ({TF L })) ∧ (y C x + tf eq ))))

(7)

Figure 4. Specifying guided adaptation with TA-LTL SP ECOV ERLAP

=

Ω

Ω

((SSP EC ∧ ((ExT ({SF L }) ∧ ♦AREQ ) * (SF L ∧ SRF L ∧ SRCON D ))) * (¬(SF L ∨ SSP EC ))) ∧ Ω

Ω

((¬(TF L ∨ T RF L ) ∧ ♦AREQ ) * (((TF L ∧ T RF L ∧ T RCON D ) * ExT ({TF L })) ∧ TSP EC )) SAF E

Ω REQ*ADAP T

LIV E SAF E SAF E

Ω REQ*Send

Ω REQ*Tstart

Ω Tstart *Tf ully

LIV E

Ω REQ*Tf ully

ST ABLEOV ERLAP

=

(8)

Ω

♦[x]((ExT ({SF L }) ∧ AREQ ) * [y]((SF L ∧ SRF L ∧ SRCON D ) ∧ (x + tss−min E y) ∧ (y E x + tss−max ))) Ω

(9)

=

♦[x]((AREQ ∧ SF L ) * [y](¬(SF L ) ∧ (x + tsl−min E y) ∧ (y E x + tsl−max )))

=

♦[x]((¬(SF L ∨ SRF L ) ∧ AREQ ) * [y]((TF L ∧ T RF L ∧ T RCON D ) ∧ (x + tts−min E y) ∧ (y E x + tts−max ))) (11)

=

♦[x]((TF L ∧ T RF L ∧ T RCON D ) * [y](ExT ({TF L }) ∧ (x + tta−min E y) ∧ (y E x + tta−max )))

(10)

Ω

Ω

Ω

=

♦[x]((¬(TF L ∨ T RF L ) ∧ AREQ ) * [y](SAF E

=

¤¬([x]((ExT ({SF L }) ∧ °ExT ({SF L })) * [y]((ExT ({TF L }) ∧ °ExT ({TF L })) ∧ (y C x + tf eq ))))

Ω Tstart *Tf ully

∧ (x + ttl−min E y) ∧ (y E x + ttl−max )))

Ω

Figure 5. Specifying overlap adaptation with TA-LTL quest, the source system should satisfy the restriction condition SRCON D within [tss−min , tss−max ], otherwise the response time is too long to be effective. The formula LIV E (Expression (10)) states that Ω REQ*Send once the source system receives an adaptation request, it should complete the whole adaptation process within [tsl−min , tsl−max ]. Similarly, SAF E (ExpresΩ REQ*Tstart sion (11)) and SAF E (Expression (12)) inΩ Tstart *Tf ully dicates the safety for the target system to start adaptation after receiving the adaptation request and fully function after starting adaptation respectively. LIV E Ω REQ*Tf ully (Expression (13)) states the timing constraint for the target system to complete the adaptation process from receiving the adaptation request to fully functioning. ST ABLEOV ERLAP (Expression (14)) states the similar stability specifications as those used in the one-point and the guided adaptation semantics.

with a higher loss rate. The loss rate of the wireless connection changes over time and the program should adapt its behavior accordingly: when the loss rate is low, the sender/receiver should use a low loss-tolerance and low bandwidth-consuming encoder/decoder or remove the encoder/decoder completely; and when the loss rate is high, they should use high-loss-tolerance and consequently high bandwidth-consuming protocol.

6 Case Study

6.1 Forward Error Correction Filters

To illustrate the use of TA-LTL in specifying adaptation timing properties, we use TA-LTL to specify the safety, liveness, and stability of the adaptation behavior of the adaptive audio streaming system mentioned earlier. The interconnection of the systems is depicted in Figure 6. A live audio stream is multicast from a wired desktop computer to multiple mobile devices via the 802.11b WLAN. Effectively, the receivers are used as multicast-capable Internet “phones” participating in a conferencing application. We expect the system to operate in two different domains: the domain with a low loss rate and the domain

The adaptive behavior in this system is realized using MetaSockets [23], which internally support dynamic reconfiguration of a chain of processing filters. In this case study, we use two different FEC filters to respond to the dynamic changing loss rate. One protocol uses block erasure codes [19], and the other uses the GSM 06.10 encoding algorithm for cellular telephones [6]. The FEC encoded data is different from the original audio data and can be played only after it is decoded by the FEC decoder. A run-time scenario is to have all collected audio samples at the sender side stored in a data buffer waiting for encoding by the FEC

.. .

Audio Stream

Wired Sender

Access Point

Wireless Receivers

Figure 6. Audio streaming system connection

(12) (13) (14)

Data Flow

encoder; the encoded data packets are multicast to the receivers and stored in a data buffer waiting for decoding by the FEC decoder; the decoded audio data will eventually be played by the receivers. Here, we use the guided adaptation semantics to specify the adaptation of inserting an FEC filter at the receiver side. The use of (n, k) block erasure codes for error correction was popularized by Rizzo [19] and is now used in many wired and wireless distributed systems. Figure 7 depicts the basic operation of these codes. An encoder converts k source packets into n encoded packets, such that any k of the n encoded packets can be used to reconstruct the k source packets [19]. In this paper, we use only systematic codes, which means that the first k of the n encoded packets are identical to the k source packets. We refer to the first k packets as data packets, and the remaining n − k packets as parity packets. Each set of n encoded packets is referred to as a group. The advantage of using block erasure codes for multicasting is that a single parity packet can be used to correct independent single-packet losses among different receivers [19]. In the remainder of the paper, we refer to the block-oriented FEC simply as “FEC (n, k).” While block-oriented FEC approaches are effective in improving the quality of interactive audio streams on wireless networks, the group sizes must be relatively small in order to reduce playback delays. ENCODED DATA SOURCE DATA

RECEIVED DATA

DECODER

ENCODER

RECONSTRUCTED DATA

Figure 7. Operation of block erasure code. An alternative approach with lower delay and lower overhead is signal processing based FEC (SFEC) [4], in which a lossy, compressed encoding of each packet i is piggybacked onto one or more subsequent packets. If packet i is lost, but one of the encodings of packet i arrives at the receiver, then at least a lower quality version of the packet can be played to the listener. The parameter θ is the offset between the original packet and its compressed version. Figure 8 shows two different examples, one with θ = 1 and the other with θ = 2. As mentioned, it is also possible to place multiple encodings of the same packet in the subsequent stream, for example, using both θ1 = 1 and θ2 = 3. Although GSM is a CPU-intensive coding algorithm [4], the bandwidth overhead is very small. In the remainder of the paper, we refer to the GSM-oriented FEC simply as “GSM (θ, c),” which means copies of the coded packet p are placed in c successive packets, beginning θ packets after p.

gi+1 di+2

gi

di+1

gi-1

di

gi-2

di-1

(a) GSM encoding with θ = 1 Data Flow

gi

di+2

gi-1 di+1

gi-2

di

gi-3

di-1

(b) GSM encoding with θ = 2

Figure 8. Different ways of using GSM encoding on a packet stream (di : data, gi : copy).

6.2 Specifying QoS Constraint with TA-LTL In previous research [28], we have investigated the quality-of-service (QoS) properties (such as packet delivery rate and delay) of these two FEC protocols. Table 1 shows the loss rate as perceived by the receiving application, that is, after FEC decoding, for different FEC (n, k) or GSM (θ, c) settings. Another factor important to realtime communication is the additional delay introduced into the packet stream. Table 2 calculates the worst case delay introduced by different FEC codes to wait for the encoded packets. For example, considering FEC (8, 4) and GSM (3, 1), if the first data packet is lost, then the receiver will need to wait for at least 3 packets until the first parity packet or piggybacked packet arrives to recover the loss. From the QoS comparison we know that for a certain wireless environment (e.g., 28% raw loss rate as shown in Table 1), different FEC codes have different loss recovery performance while holding different timing characteristics. For example, if the raw loss rate of the wireless environment changes to 28% and the expected loss rate after FEC decoding is 10%, FEC (8, 4), GSM (1, 2), GSM (1, 3), GSM (2, 3), GSM (2, 3), GSM (3, 2), and GSM (3, 3) are possible filter candidates for adaptation. However, in order to satisfy the real-time interactive audio streaming requirement, the accumulated delay after adaptation should not exceed 150 msec [20]. For this example guided adaptation, the restriction condition is that the data is blocked from transmission during the adaptation. Thus the accumulated delay comprises two parts: the adaptation delay and the FEC delay. If there is no additional operation (e.g., dropping packet, fast playback) to reduce the delay, this accumulated delay will remain in the post-adaptation communication. So we can use TA-LTL to specify the real-time constraint, and the selection of FEC filters and the implementation of adaptation should satisfy this constraint. This adaptation semantics and its timing properties can be specified by A-LTL and TA-LTL as shown in Figure 9. The formula SP ECF EC (Expression (15)) states that ini-

Table 1. Loss Rate Comparison of Different FEC Codes Code

Raw

%

28

GSM (1,1) 11.05

GSM (1,2) 6.28

GSM (1,1) 19.95

GSM (1,2) 39.95

GSM (1,3) 3.53

GSM (2,1) 13.88

GSM (2,2) 6.8

GSM (2,3) 3.78

GSM (3,1) 10.27

GSM (3,2) 4.8

GSM (3,3) 2.75

FEC (4,4) 28.20

FEC (6,4) 16.29

FEC (8,4) 9.16

GSM FEC (3,3) (4,4) 102.87 17.79

FEC (6,4) 37.73

FEC (8,4) 52.33

Table 2. Delay Comparison of Different FEC Codes Code Delay (msec)

GSM (1,3) 59.9

GSM (2,1) 40.83

GSM (2,2) 60.37

tially the system is running without FEC filters inserted. After an adaptation request, AREQ , is received, the system should satisfy a restriction condition RCON D : the receiver temporarily stops receiving incoming encoded FEC data. When the source system reaches a safe state: all original audio data in the buffer have been played, the system stops satisfying the N oF ECSP EC , and starts to satisfy W ithF ECSP EC . SAF E (Expression Ω REQ*ADAP T (16)) states that upon receiving the adaptation request: inserting FEC decoder, the source system should stop receiving incoming packets within [ts−min , ts−max ], otherwise the encoded FEC data will be received and stored in the data buffer, causing a failure since it cannot be played directly. LIV E (Expression (17)) specifies the real-time Ω REQ*F EC constraint of the adaptation for inserting FEC filters discussed above. Specifically, trt is the criteria for ensuring real-time audio communication (150 msec in this study). ST ABLEF EC (Expression (18)) prevents the system from inserting/removing the FEC filter too frequently. This example illustrates the use of TA-LTL in specifying absolute timing requirements for adaptive communication software.

7 Discussion and Conclusions Adaptation semantics should be precisely specified at the requirements level so that they can be well understood and correctly implemented in later phases of the software development process. This paper introduced the specification of adaptation timing properties in autonomic systems in terms of TA-LTL. The TA-LTL introduced in this paper can be considered as an extension to the A-LTL and APTL, where TA-LTL is strictly more expressive than A-LTL and APTL. It is apparently more expressive than A-LTL for its realtime capability. It is also more expressive than APTL for its adapt operation, since APTL cannot express adaptation. Due to the use of the flag operators, A-LTL has the same complexity as LTL, i.e., PSPACE-complete. APTL has double exponential complexity. The complexity for TA-LTL should be at least double exponential. Our preliminary results show that it should be no more complex than APTL. After an adaptation temporal specification is constructed, it may serve as guidance for the adaptation developers to clarify the intent for the adaptive program. It can also be

GSM (2,3) 80.10

GSM (3,1) 62.55

GSM (3,2) 82.52

used to check for consistency in the temporal logic specifications. By using run-time verification techniques, we may also automatically identify the safe states for an adaptation and insert adaptation logic at appropriate points in the program. If a program model is available, then we may even perform model checking to verify the correctness of the program model against the temporal logic specifications. Our future work includes investigating adaptation semantics with multiple clocks, satisfiability verification of TA-LTL, automatically generating program models and code based on a given adaptation semantics, extending existing or developing new model checking tools to verify the correctness of adaptive programs. Acknowledgements. This work was supported in part by the U.S. Department of the Navy, Office of Naval Research under Grant No. N00014-01-1-0744, and in part by National Science Foundation grants CCR-9901017, EIA0000433, EIA-0130724, and ITR-0313142, and by Siemens Cooperate Research. A number of related papers and technical reports of the Software Engineering and Network Systems Laboratory can be found at the following URL: http://www.cse.msu.edu/sens. Further Information. A number of related papers and technical reports of the Software Engineering and Network Systems Laboratory can be found at the following URL: http://www.cse.msu.edu/sens.

References [1] R. Alur and T. A. Henzinger. A really temporal logic. Journal of the ACM, 41(1):181–203, 1994. [2] P. Bellini, R. Mattolini, and P. Nesi. Temporal logics for real-time system specification. ACM Computing Surveys, 32(1):12–42, 2000. [3] D. M. Berry, B. H. Cheng, and J. Zhang. The four levels of requirements engineering for and in dynamic adaptive systems. In Proceedings of the 11th International Workshop on Requirements Engineering: Foundation for Software Quality, Porto, Portugal, June 2005. [4] J.-C. Bolot and A. Vega-Garcia. Control mechanisms for packet audio in Internet. In Proceedings of IEEE INFOCOM’96, pages 232–239, San Francisco, California, April 1996.

SP ECF EC

=

Ω

Ω

(N oF ECSP EC ∧ ((ExT ({N oF ECF L }) ∧ ♦AREQ ) * (ExT ({N oF ECF L , RF L }) ∧ RCON D ))) * (ExT ({W ithF ECF L }) ∧ W ithF ECSP EC )

SAF E

Ω REQ*ADAP T

(15)

Ω

=

♦[x]((ExT ({N oF ECF L }) ∧ AREQ ) *

=

♦[x]((AREQ ∧ N oF ECF L ) *

[y]((ExT ({N oF ECF L , RF L }) ∧ RCON D ) ∧ (x + ts−min E y) ∧ (y E x + ts−max ))) LIV E

Ω REQ*F EC

[y](ExT ({W ithF ECF L }) ∧ (x + ts−min + trt E y) ∧ (y E x + ts−max + trt ))) ST ABLEF EC

=

(16)

Ω

(17)

Ω

¤¬([x]((ExT ({N oF ECF L }) ∧ °ExT ({N oF ECF L })) * [y]((ExT ({W ithF ECF L }) ∧ °ExT ({W ithF ECF L })) ∧ (y C x + tf eq ))))

(18)

Figure 9. Specifying adaptation semantics with TA-LTL [5] C. E. Cuesta, P. de la Fuente, and M. Barrio-Solarzano. Dynamic coordination architecture through the use of reflection. In Proceedings of the 2001 ACM Symposium on Applied Computing, pages 134–140, New York, NY, USA, 2001. ACM Press. [6] J. Degener and C. Bormann. The GSM 06.10 lossy speech compression library and its applications, 2000. available at http://kbs.cs.tu-berlin.de/ jutta/toast.html. [7] J. Appavoo et al. Enabling autonomic behavior in systems software with hot swapping. IBM Systems Journal, Special Issue on Autonomic Computing, 42(1), 2003. [8] F. Jahanian and A. K. Mok. Safety analysis of timing properties in real-time systems. IEEE Transaction of Software Engineering, 12(9):890–904, 1986. [9] J. O. Kephart and D. M. Chess. The vision of autonomic computing. IEEE Computer, 36(1):41–50, 2003. [10] F. Kon, M. Rom´an, P. Liu, J. Mao, T. Yamane, L. C. Magalh˜aes, and R. H. Campbell. Monitoring, security, and dynamic configuration with the dynamicTAO reflective ORB. In Proceedings of the IFIP/ACM International Conference on Distributed Systems Platforms and Open Distributed Processing, number 1795 in LNCS, pages 121–143, New York, April 2000. Springer-Verlag. [11] R. Koymans. Specifying real-time properties with metric temporal logic. Real-Time Systems, 2(4):255–299, 1990. [12] J. Kramer and J. Magee. The evolving philosophers problem: Dynamic change management. IEEE Transactions on Software Engineering, 16(11):1293–1306, 1990. [13] J. Kramer, J. Magee, and M. Sloman. Configuring distributed systems. In Proceedings of the 5th Workshop on ACM SIGOPS European, pages 1–5, New York, NY, USA, 1992. ACM Press. [14] S. S. Kulkarni and K. N. Biyani. Correctness of componentbased adaptation. In Proceedings of the 7th International Symposium on Component-Based Software Engineering, pages 48–58, 2004. [15] P. K. McKinley, S. M. Sadjadi, E. P. Kasten, and B. H. C. Cheng. Composing adaptive software. IEEE Computer, 37(7):56–64, 2004. [16] J. Ostroff and W. Wonham. Modeling and verifying realtime embedded computer systems. In Proceedings of the IEEE Real-Time Systems Symposium, pages 124–132, 1987. [17] P. P. Pal, J. Loyall, R. E. Schantz, J. A. Zinky, and F. Webber. Open implementation toolkit for building survivable applications. In Proceedings of the DARPA Information Survivability Conference and Exposition, Hilton Head Island, January 2000.

[18] A. Pnueli. The temporal logic of programs. In Proceedings of the 18th IEEE Symposium Foundations of Computer Science (FOCS 1977), pages 46–57, 1977. [19] L. Rizzo. Effective erasure codes for reliable computer communication protocols. ACM Computer Communication Review, April 1997. [20] J. Rosenberg, L. Qiu, and H. Schulzrinne. Integrating packet FEC into adaptive voice playout buffer algorithms on the Internet. In Proceedings of IEEE INFOCOM 2000, pages 1705–1714, 2000. [21] R. Rosner and A. Pnueli. A choppy logic. In Proceedings of Symposium on Logic in Computer Science, pages 306–313, Cambridge, Massachusetts, USA, 1986. [22] S. M. Sadjadi and P. K. McKinley. ACT: An adaptive CORBA template to support unanticipated adaptation. In Proceedings of the 24th IEEE International Conference on Distributed Computing Systems (ICDCS), Tokyo, Japan, March 2004. [23] S. M. Sadjadi, P. K. McKinley, and E. P. Kasten. Architecture and operation of an adaptable communication substrate. In Proceedings of the Ninth IEEE International Workshop on Future Trends in Distributed Computing, San Juan, Puerto Rico, May 2003. [24] F. Wang, A. Mok, and E. A. Emerson. Formal specification of asynchronous distributed real-time systems by APTL. In Proceedings of the 14th International Conference on Software Engineering, pages 188–198, New York, NY, USA, 1992. ACM Press. [25] J. Zhang and B. H. Cheng. Model-based development of dynamically adaptive software. In Proceedings of the 28th Annual International Conference on Software Engineering (ICSE 2006), Shanghai, China, May 2006. to appear. [26] J. Zhang and B. H. C. Cheng. Specifying adaptation semantics. In Proceedings of the 2005 Workshop on Architecting Dependable Systems, pages 1–7, New York, NY, USA, 2005. ACM Press. [27] J. Zhang, Z. Yang, B. H. Cheng, and P. K. McKinley. Adding safeness to dynamic adaptation techniques. In Proceedings of the ICSE 2004 Workshop on Architecting Dependable Systems, Edinburgh, Scotland, May 2004. [28] Z. Zhou, P. K. McKinley, and S. M. Sadjadi. On quality-ofservice and energy consumption tradeoffs in FEC-enabled audio streaming. In Proceedings of the 12th IEEE International Workshop on Quality of Service (IWQoS 2004), Montreal, Canada, June 2004.