Mar. 2004, Vol.19, No.2, pp.203-212
J. Comput. Sci. & Technol.

Verifying Functions in Online Stock Trading Systems

Yu-Yue Du (1,2,3) and Chang-Jun Jiang (2)

1 Department of Computer Science, Liaocheng University, Liaocheng 252059, P.R. China
2 Department of Computer Science and Engineering, Tongji University, Shanghai 200092, P.R. China
3 Department of Computer Science, Shandong Institute of Business and Technology, Yantai 264005, P.R. China
E-mail: [email protected]; [email protected]

Received June 3, 2002; revised April 2, 2003.

Abstract Temporal colored Petri nets, an extension of temporal Petri nets, are introduced in this paper. They can distinguish the personality of individuals (tokens), describe clearly the causal and temporal relationships between events in concurrent systems, and represent elegantly certain fundamental properties of concurrent systems, such as eventuality and fairness. The use of this method is illustrated with an example of modeling and formal verification of an online stock trading system. The functional correctness of the modeled system is formally verified on the basis of the temporal colored Petri net model and temporal assertions, and some main properties of the system are analyzed. It is demonstrated that temporal colored Petri nets can efficiently verify time-related properties of concurrent systems, and provide both the power of graphical dynamic representation and the function of formal logical inference. Finally, future work is described.

Keywords formal modeling, verification, online stock trading system, function, colored Petri net, temporal logic
1 Introduction
Online communities have emerged in many fields of human interest on the basis of information and communication technologies. Online stock trading has been successful in the domain of electronic commerce: it is a fully electronic stock market. This means of trading is superior to, and more secure than, the traditional stock exchange model of floor-broker intermediation. Also, with the tremendous growth of trading volume and the need for fast and accurate transaction execution, the stock exchange has become one of the most technology-friendly markets. At present, a number of stock exchanges worldwide have adopted electronic trading, such as NASDAQ[1], the New York Stock Exchange[2], the American Stock Exchange and the Shanghai Stock Exchange[3]. However, while stock exchanges readily use the available technology to execute their transactions, the functional correctness and completeness of wholly electronic stock trading systems must be formally verified. Formal modeling and verification techniques for electronic trade procedures have been discussed using, for example, formal language theory[4] and documentary Petri nets[5]. These approaches, however, either lack dynamic modeling power or do not provide an elegant implementation tool.

Petri nets, as an efficient analysis tool in model checking, are widely used[6-9]. Petri nets provide a uniform environment for the modeling, formal analysis and design of discrete-event systems[10]. However, since time is not considered in Petri nets, no time-related property can be described on the basis of Petri net models. Although time Petri nets[11,12] can specify the timing requirements on the components of a system, the explicit introduction of time leads to complicated formulas that tend to obscure the underlying causal and temporal relationships between events. Moreover, associating execution times or delays with individual transitions and places is inadequate for studying some of the fundamental properties, such as eventuality and fairness. To cope with these problems, temporal Petri nets[13] can be considered; their practical use is illustrated with the nontrivial examples given in [14, 15]. Temporal Petri nets state clearly and compactly the causal and temporal relationships between events, and represent elegantly the fundamental properties of a system. On the other hand, since colored Petri nets[16] can describe the personality of individuals (tokens), their modeling and analysis power is stronger than that of Petri nets for some specific systems[17,18]. Therefore, we extend temporal Petri nets to temporal colored Petri nets in this paper. Temporal colored Petri nets support a formal description of the modeled systems and provide a graphical representation with a well-defined semantics. They also possess a reasoning ability based on temporal logic, and can describe explicitly the time-related properties of concurrent systems, such as eventuality (some transitions must eventually occur; some places must eventually hold at least one token) and fairness (if a transition becomes firable infinitely often, then it must occur infinitely often). The use of temporal colored Petri nets is illustrated with the formal analysis and verification of an online stock trading system. The consistency between the functional requirements of the modeled system and the dynamic behavior of its temporal colored Petri net model is formally analyzed, and properties of the system such as liveness, fairness and safeness are proved.

The rest of this paper is organized as follows. In Section 2, temporal colored Petri nets are defined. Section 3 describes the order processing procedures of an Internet-based stock trading system and constructs a temporal colored Petri net model of the system. In Section 4, the functions of the modeled system are formally described by production rules and corresponding temporal logic assertions. Some main properties of the system are analyzed and its functional correctness is formally verified in Section 5. Finally, Section 6 gives a summary of the work and directions for future research.

Note This work is supported by the National Natural Science Foundation of China (Grant No.60125205), the National Grand Fundamental Research 973 Program of China (Grant Nos.2001AA413020, 2002AA4Z3430), the Open Project of the Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences (Grant Nos.SYSKF0205, SYSKF0309), and the Excellent Ph.D. Paper Author Foundation of China (Grant No.199934).

2 Temporal Colored Petri Nets

2.1 Overview of Colored Petri Nets
A Petri net is a particular kind of directed graph together with an initial state called the initial marking. The graph of a Petri net is a directed, weighted, bipartite graph with two types of nodes, called places and transitions, where arcs run from a node of one type to a node of the other type. In the graphical representation, places are drawn as circles or ellipses and transitions as bars; a black dot represents a token in a place, and arcs are labeled with their weights. A marking (state) assigns a nonnegative integer to each place and is denoted by $M$, an $m$-vector, where $m$ is the number of places. In modeling with the concepts of conditions and events, places represent conditions and transitions represent events; $k$ tokens are put in a place to indicate that $k$ data items or resources are available[9]. The following definition of colored Petri nets was introduced in [16].

Definition 1. A Colored Petri Net is a tuple $\mathit{CPN} = (\Sigma, P, T, A, N, C, G, E, I)$, where
(1) $\Sigma$ is a finite set of non-empty types, also called color sets;
(2) $P$ is a finite set of places;
(3) $T$ is a finite set of transitions;
(4) $A$ is a finite set of arcs such that $P \cap T = P \cap A = T \cap A = \emptyset$;
(5) $N$ is a node function, defined from $A$ into $P \times T \cup T \times P$;
(6) $C$ is a color function, defined from $P$ to $\wp(\Sigma)$, the power set of the color sets;
(7) $G$ is a guard function, defined from $T$ into expressions such that $\forall t \in T$: $[\mathit{Type}(G(t)) = \mathbb{B} \wedge \mathit{Type}(\mathit{Var}(G(t))) \subseteq \Sigma]$;
(8) $E$ is an arc expression function, defined from $A$ into expressions such that $\forall a \in A$: $[\mathit{Type}(E(a)) = C(p)_{\mathit{MS}} \wedge \mathit{Type}(\mathit{Var}(E(a))) \subseteq \Sigma]$, where $p$ is the place of $N(a)$;
(9) $I$ is an initialization function, defined from $P$ into closed expressions such that $\forall p \in P$: $[\mathit{Type}(I(p)) = C(p)_{\mathit{MS}}]$.

In Definition 1, the set of types $\Sigma$ determines the data values, operations and functions that can be used in the net inscriptions. The places, transitions and arcs are represented by the three sets $P$, $T$ and $A$, which are required to be finite and pairwise disjoint. The node function $N$ maps each arc to a pair whose first element is the source node and whose second element is the destination node; the two nodes must be of different kinds (one a place and the other a transition). Several arcs may link the same ordered pair of nodes. $C$ maps each place $p$ to a type $C(p)$, which means that each token on $p$ must carry a data value belonging to $C(p)$. $G$ maps each transition $t$ to an expression of type Boolean, i.e., a predicate; all variables of $G(t)$ must have types belonging to $\Sigma$, and guard expressions that always evaluate to true are omitted from the graph. $E$ maps each arc $a$ to an expression of type $C(p)_{\mathit{MS}}$, i.e., a multi-set (which may contain multiple occurrences of the same element) over $C(p)$: each arc expression must evaluate to a multi-set over the type of the adjacent place $p$. $I$ maps each place $p$ to a closed expression (one without variables) of type $C(p)_{\mathit{MS}}$, called the initial marking $M_0$.
For all $t \in T$, the following notations are introduced:

$A(t) = \{a \in A \mid N(a) \in P \times \{t\} \cup \{t\} \times P\}$;
$\mathit{Var}(t) = \{v \mid v \in \mathit{Var}(G(t)) \vee \exists a \in A(t): v \in \mathit{Var}(E(a))\}$.

A binding of a transition $t$ is a function $b$ defined on $\mathit{Var}(t)$ such that $\forall v \in \mathit{Var}(t)$: $b(v) \in \mathit{Type}(v)$ and $G(t)\langle b\rangle$ holds, where $G(t)\langle b\rangle$ denotes the evaluation of the guard expression $G(t)$ in the binding $b$. In general, $\mathit{expr}\langle b\rangle$ denotes the value obtained by evaluating an expression $\mathit{expr}$ in a binding $b$. The notation ${}^\bullet t$ represents the set of all input places of a transition $t$; $t^\bullet$, ${}^\bullet p$ and $p^\bullet$ have similar meanings.

2.2 Definition of Temporal Colored Petri Nets

Given any set $S$, $S^*$ is the set of all finite sequences of elements of $S$, including the empty sequence $\varepsilon$, and $S^\omega$ is the set of all infinite sequences of elements of $S$; $S^\infty = S^\omega \cup S^*$. $|\sigma|$ is the length of $\sigma \in S^*$, and $\sigma\tau$ is the concatenation of the sequences $\sigma$ and $\tau$. If $\sigma \in S^\omega$, the length of $\sigma$ is denoted by $\omega$, and $i < \omega$ for any integer $i$. For $\sigma \in S^\infty$ and each $i$ with $0 \le i \le |\sigma|$, let $\sigma_i$ and $\sigma^i$ be the sequences such that $|\sigma_i| = i$ and $\sigma = \sigma_i\sigma^i$: $\sigma_i$ is the prefix of $\sigma$ of length $i$, and $\sigma^i$ is the postfix of $\sigma$ that remains after removing $\sigma_i$.

Definition 2. A Temporal Colored Petri Net is a pair $\mathit{TCN} = (\mathit{CPN}, f)$, where $\mathit{CPN}$ is a colored Petri net as in Definition 1 and $f$ is a formula with the following syntax:
(1) Propositions $p$, $p(nc)$, $(t,b)_r$ and $(t,b)$ are atomic propositions, where $p \in P$, $t \in T$, $c \in \Sigma$, $n$ is a nonnegative integer and $b$ is a binding of $t$;
(2) Atomic propositions are formulas;
(3) If $f$ and $g$ are formulas, then so are $\neg f$, $f \vee g$, $f \wedge g$, $f \Rightarrow g$, $\bigcirc f$, $\Diamond f$, $\Box f$ and $f\,\mathcal{U}\,g$.

The atomic propositions $p$ and $p(nc)$ mean that there is at least one token in $p$, and that there are $n$ tokens colored $c$ in $p$, where $n$ is a nonnegative integer and "$n$" is omitted if $n = 1$. $(t,b)_r$ and $(t,b)$ mean that $t$ is firable (enabled) with the binding $b$, and that $t$ occurs (fires) with the binding $b$. The symbols $\neg$, $\vee$, $\wedge$ and $\Rightarrow$ are the Boolean connectives. The formula $\bigcirc f$, "next", means that $f$ is true in the next marking. $\Box f$, "henceforth", means that $f$ is true in every marking reachable from the current marking. $\Diamond f$, "eventually", means that $f$ is true at some marking reached from the current marking. $f\,\mathcal{U}\,g$, "until", means that $f$ remains true at least until $g$ becomes true at a marking reachable from the current marking.

Definition 3. A transition $t$ with the binding $b$, denoted by $(t,b)$, is firable (enabled) in a marking $M$ reachable from $M_0$ iff
(1) $\forall p \in {}^\bullet t$: $E(p,t)\langle b\rangle \le M(p)$;
(2) if the occurrence of $t$ is constrained by a temporal formula $f$, then $f$ is satisfied at $M$.
When $(t,b)$ is firable at $M$, it may fire, changing $M$ into another marking $M'$ defined by $\forall p \in P$: $M'(p) = M(p) - E(p,t)\langle b\rangle + E(t,p)\langle b\rangle$.

In effect, $f$ restricts the firing sequences of the colored Petri net: only those firing sequences that satisfy $f$ are allowed to occur. Let $M$ be a marking of the underlying $\mathit{CPN}$, and let $L(\mathit{CPN},M)$ and $L^\omega(\mathit{CPN},M)$ denote the sets of all finite and all infinite firing sequences from $M$, respectively, with $L^\infty(\mathit{CPN},M) = L(\mathit{CPN},M) \cup L^\omega(\mathit{CPN},M)$. The set of all firing sequences of $\mathit{TCN}$ is then

$L(\mathit{TCN},M) = \{\sigma \mid \sigma \in L^\infty(\mathit{CPN},M) \text{ and } \langle M,\sigma\rangle \models f\}$,

where $\langle M,\sigma\rangle \models f$ means that $f$ is satisfied by the pair of $M$ and $\sigma$. Writing $M_i$ for the marking reached from $M$ by the prefix $\sigma_i$, the semantics of a formula in temporal colored Petri nets is defined as follows.
(f1) $\langle M,\sigma\rangle \models p$ iff there is at least one token in $p$ at $M$.
(f2) $\langle M,\sigma\rangle \models p(nc)$ iff there are $n$ tokens colored $c$ in $p$ at $M$ ("$n$" is omitted if $n = 1$).
(f3) $\langle M,\sigma\rangle \models (t,b)_r$ iff $t$ is firable (enabled) with the binding $b$ at $M$.
(f4) $\langle M,\sigma\rangle \models (t,b)$ iff $t$ occurs with the binding $b$ at $M$.
(f5) $\langle M,\sigma\rangle \models f \vee g$ iff $\langle M,\sigma\rangle \models f$ or $\langle M,\sigma\rangle \models g$.
(f6) $\langle M,\sigma\rangle \models f \wedge g$ iff $\langle M,\sigma\rangle \models f$ and $\langle M,\sigma\rangle \models g$.
(f7) $\langle M,\sigma\rangle \models f \Rightarrow g$ iff $\langle M,\sigma\rangle \models f$ implies $\langle M,\sigma\rangle \models g$.
(f8) $\langle M,\sigma\rangle \models \neg f$ iff not $\langle M,\sigma\rangle \models f$.
(f9) $\langle M,\sigma\rangle \models \bigcirc f$ iff $\sigma \ne \varepsilon$ and $\langle M_1,\sigma^1\rangle \models f$.
(f10) $\langle M,\sigma\rangle \models \Box f$ iff $\langle M_i,\sigma^i\rangle \models f$ for every $i$: $0 \le i \le |\sigma|$.
(f11) $\langle M,\sigma\rangle \models \Diamond f$ iff $\langle M_i,\sigma^i\rangle \models f$ for some $i$: $0 \le i \le |\sigma|$.
(f12) $\langle M,\sigma\rangle \models f\,\mathcal{U}\,g$ iff ($\langle M_i,\sigma^i\rangle \models f$ for every $i$: $0 \le i \le |\sigma|$) or ($\langle M_i,\sigma^i\rangle \models g$ for some $i$: $0 \le i \le |\sigma|$, and $\langle M_j,\sigma^j\rangle \models f$ for every $j$: $0 \le j < i$).

The following properties are easily proved from the formulas above.
PR1: $\langle M,\sigma\rangle \models f \vee \bigcirc f$ implies $\langle M,\sigma\rangle \models \Diamond f$.
PR2: $\langle M,\sigma\rangle \models \Box(f_1 \Rightarrow \Diamond f_2) \wedge \Box(f_2 \Rightarrow \Diamond f_3)$ implies $\langle M,\sigma\rangle \models \Box(f_1 \Rightarrow \Diamond f_3)$.
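Definitions 2 and 3 and the semantics (f1)-(f12), exercised on a small constructed net. This is an added example, not code from the paper: an executor that enumerates bindings, tests enabling and fires transitions as in Definition 3, and a checker that evaluates $\bigcirc$, $\Box$, $\Diamond$ and $\mathcal{U}$ over a finite firing sequence exactly as (f9)-(f12) prescribe. The place and transition names (Invest_1/j, B_Ready_1, p_Inv_1/j, Brok_1, t_Inv_1/j1, t_Inv_1/j2) follow the broker subnet of Section 3.2; the token values, the validity guard on t_Inv_1/j1 and the round-robin scheduler are assumptions. The checked formulas are the Lemma 1 assertion $\Box(\mathit{Invest}_{1/1} \Rightarrow \Diamond\mathit{Brok}_1)$ of Section 4, a PR4-style property for one transition, and a $\bigcirc$-step of the kind used in the proofs.

```python
# Added example (not from the paper): a minimal executor for the colored Petri nets of
# Definitions 1 and 3 plus a checker for the temporal operators of Definition 2, applied
# to a constructed one-broker, two-investor fragment of the Fig.3 subnet. Names follow the
# paper; token values, the validity guard and the scheduler are assumptions.
from collections import Counter
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Marking = Dict[str, Counter]             # place -> multiset of tokens, i.e. C(p)_MS
Binding = Dict[str, Any]                 # variable -> value
Run = Tuple[List[Marking], List[Tuple[str, Binding]]]
ArcExpr = Callable[[Binding], Counter]   # E(p,t)<b> or E(t,p)<b>
STATE = "state"                          # the control colour of the paper


@dataclass
class Transition:
    name: str
    variables: Dict[str, str]            # variable -> input place it is bound from
    pre: Dict[str, ArcExpr]              # input place p  -> E(p, t)
    post: Dict[str, ArcExpr]             # output place p -> E(t, p)
    guard: Callable[[Binding], bool] = lambda b: True   # G(t)


def bindings(m: Marking, t: Transition):
    """All bindings b of Var(t), each variable drawn from the tokens currently in its
    input place, for which the guard G(t)<b> holds."""
    names = list(t.variables)

    def rec(i: int, b: Binding):
        if i == len(names):
            if t.guard(b):
                yield b
            return
        v = names[i]
        for tok in set(m[t.variables[v]].elements()):
            yield from rec(i + 1, {**b, v: tok})

    yield from rec(0, {})


def enabled(m: Marking, t: Transition, b: Binding) -> bool:
    """Definition 3 (1): for every input place p, E(p,t)<b> <= M(p)."""
    return all(m[p][tok] >= n for p, e in t.pre.items() for tok, n in e(b).items())


def fire(m: Marking, t: Transition, b: Binding) -> Marking:
    """M'(p) = M(p) - E(p,t)<b> + E(t,p)<b>; the marking is copied, never mutated."""
    new = {p: Counter(c) for p, c in m.items()}
    for p, e in t.pre.items():
        new[p].subtract(e(b))
        new[p] = +new[p]                 # drop zero counts so markings compare equal
    for p, e in t.post.items():
        new[p].update(e(b))
    return new


def run_round_robin(m0: Marking, net: List[Transition], limit: int = 100) -> Run:
    """Fire transitions in rotation (the paper's time-slice scheduling) until nothing is
    enabled. Every transition gets a turn per round, so the scheduler is weakly fair."""
    markings, steps = [m0], []
    while len(steps) < limit:
        progressed = False
        for t in net:
            for b in bindings(markings[-1], t):
                if enabled(markings[-1], t, b):
                    steps.append((t.name, b))
                    markings.append(fire(markings[-1], t, b))
                    progressed = True
                    break
        if not progressed:
            return markings, steps
    raise RuntimeError("run did not quiesce within limit")


def holds(f: tuple, net: Dict[str, Transition], run: Run, i: int = 0) -> bool:
    """<M_i, sigma^i> |= f per (f1)-(f12) on a finite run. steps[i] is the occurrence taken
    at M_i, so sigma^i is empty exactly when i == |sigma| == len(steps)."""
    markings, steps = run
    n = len(steps)
    op, args = f[0], f[1:]
    sub = lambda g, j=i: holds(g, net, run, j)
    if op == "place":                    # (f1) at least one token in p
        return sum(markings[i][args[0]].values()) > 0
    if op == "tokens":                   # (f2) p(n c)
        return markings[i][args[0]][args[1]] == args[2]
    if op == "firable":                  # (f3) (t,b)_r for some binding b
        t = net[args[0]]
        return any(enabled(markings[i], t, b) for b in bindings(markings[i], t))
    if op == "occurs":                   # (f4) t occurs at M_i
        return i < n and steps[i][0] == args[0]
    if op == "not":                      # (f8)
        return not sub(args[0])
    if op == "or":                       # (f5)
        return sub(args[0]) or sub(args[1])
    if op == "and":                      # (f6)
        return sub(args[0]) and sub(args[1])
    if op == "imp":                      # (f7)
        return (not sub(args[0])) or sub(args[1])
    if op == "next":                     # (f9) sigma^i non-empty and f at M_{i+1}
        return i < n and sub(args[0], i + 1)
    if op == "box":                      # (f10)
        return all(sub(args[0], j) for j in range(i, n + 1))
    if op == "dia":                      # (f11)
        return any(sub(args[0], j) for j in range(i, n + 1))
    if op == "until":                    # (f12)
        if all(sub(args[0], j) for j in range(i, n + 1)):
            return True
        return any(sub(args[1], j) and all(sub(args[0], k) for k in range(i, j))
                   for j in range(i, n + 1))
    raise ValueError(f"unknown operator {op}")


# --- constructed fragment of Fig.3: broker 1 with investors 1/1 and 1/2 ---------------
def order_arc(b: Binding) -> Counter:    # the arc expression "1order"
    return Counter([b["order"]])


def state_arc(b: Binding) -> Counter:    # the arc expression "1state"
    return Counter([STATE])


def valid(b: Binding) -> bool:
    """Assumed broker-side validity check, used as the guard of t_Inv_1/j1."""
    _, o_ty, _, o_price, _, o_numb = b["order"]
    return o_ty in ("B", "O", "CB", "CO") and o_price > 0 and o_numb > 0


def broker_fragment() -> Tuple[List[Transition], Marking]:
    net = []
    for j in (1, 2):
        net.append(Transition(f"t_Inv_1/{j}1", {"order": f"Invest_1/{j}", "s": "B_Ready_1"},
                              {f"Invest_1/{j}": order_arc, "B_Ready_1": state_arc},
                              {f"p_Inv_1/{j}": order_arc}, valid))
        net.append(Transition(f"t_Inv_1/{j}2", {"order": f"p_Inv_1/{j}"},
                              {f"p_Inv_1/{j}": order_arc},
                              {"Brok_1": order_arc, "B_Ready_1": state_arc}))
    m0 = {p: Counter() for p in ["Invest_1/1", "Invest_1/2", "B_Ready_1",
                                  "p_Inv_1/1", "p_Inv_1/2", "Brok_1"]}
    # constructed order tokens: (o_invest, o_ty, o_id, o_price, o_time, o_numb)
    m0["Invest_1/1"].update([("inv11", "B", 3, 10.5, 1.0, 100), ("inv11", "O", 7, 4.2, 2.0, 50)])
    m0["Invest_1/2"].update([("inv12", "CB", 3, 10.5, 3.0, 100)])
    m0["B_Ready_1"][STATE] = 1           # broker 1 starts free
    return net, m0


def check_broker_fragment() -> Dict[str, bool]:
    net, m0 = broker_fragment()
    run = run_round_robin(m0, net)
    byname = {t.name: t for t in net}
    lemma1 = ("box", ("imp", ("place", "Invest_1/1"), ("dia", ("place", "Brok_1"))))
    pr4 = ("box", ("imp", ("firable", "t_Inv_1/11"), ("dia", ("occurs", "t_Inv_1/11"))))
    step4 = ("box", ("imp", ("occurs", "t_Inv_1/11"), ("next", ("place", "p_Inv_1/1"))))
    exclusive = ("box", ("not", ("and", ("place", "p_Inv_1/1"), ("place", "p_Inv_1/2"))))
    return {"lemma1": holds(lemma1, byname, run), "pr4": holds(pr4, byname, run),
            "step4": holds(step4, byname, run), "one_at_a_time": holds(exclusive, byname, run),
            "all_delivered": sum(run[0][-1]["Brok_1"].values()) == 3}


if __name__ == "__main__":
    print(check_broker_fragment())
```

The checker walks the finite run produced by the scheduler, so $\Box$ and $\Diamond$ quantify over the positions $0 \le i \le |\sigma|$ exactly as in (f10) and (f11); an infinite run would need a bounded or symbolic treatment instead. The PR4-style property comes out true only because the scheduler is weakly fair: a scheduler that starved t_Inv_1/11 while the state token was held elsewhere would falsify it, which is precisely the time-slice assumption Section 4 relies on.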
PR3: $\langle M,\sigma\rangle \models \Diamond(\Diamond f)$ implies $\langle M,\sigma\rangle \models \Diamond f$.

3 Modeling an Online Stock Trading System

3.1 Specification of an Online Stock Trading System

The online stock trading system (OSTS) modeled and analyzed in this paper is based on the Shanghai Stock Exchange. A stock market transaction involves three types of parties: investors (buyers and sellers), brokers and a stock exchange. Each investor wishes to sell or buy shares of a certain company and submits an order to the broker it is registered with. Each broker must first verify the validity of the orders from its investors, and then forward them to the exchange promptly and in arrival order (FIFO). The stock exchange ensures that the transactions are processed in a fair and timely manner. The brokers are connected to the exchange, and the investors to the brokers, through an electronic network over which they exchange messages containing identity, stocks, payment, etc.

An order is an instruction to buy or sell a type of stock, or to withdraw a previous buy or sell order. An order to buy a type of stock is called a bid; an order to sell is referred to as an offer. An order usually consists of six parts: the check number, the number of the stock, the order's type (buy, sell or withdraw), the shares of the stock, the order's price, and the order's coming time. In the exchange, an order from a broker is first accepted by a secure processor, which records its coming time, and is then transferred to a trading processor, where the order is matched against a proper order deposited in a database according to the trading rule First Price and First Time (FPFT). FPFT means that the matching privilege belongs to the bid with the highest buying price and the earliest coming time, and to the offer with the lowest selling price and the earliest coming time. If a match cannot be found immediately, the order is stored in the database as a potential match for future incoming orders. Orders (bids and offers) may be withdrawn by the corresponding investors if they wish. The secure processor sends the matched or canceled orders to the corresponding investors in time.

In this paper, the functional requirements and some transaction properties of the system are analyzed and verified formally. Suppose that message transmission among investors, brokers and the stock exchange is secure; the model does not cover the transport itself. Each order is a limit order, i.e., it is bought at the specified price or lower, or sold at the specified price or higher, and the investor buying or selling the stock specifies the limit price. There are one secure processor and $m$ trading processors in the exchange.
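The FPFT rule of this subsection as a per-stock matching procedure, written here as an added example (it is not code from the paper). It uses the order colour order(o_invest, o_ty, o_id, o_price, o_time, o_numb) defined in Section 3.2 and follows the arc expressions g1-g5 of Fig.5: withdrawals are applied before any match, the best bid is the highest price and then the earliest o_time, the best offer the lowest price and then the earliest o_time, a match executes min(o_numb) shares and re-enters the residual share with its original coming time, and the round stops when the best offer is above the best bid (no match) or when one side of the book is empty. The sample book is constructed; the paper does not fix an execution price, so the result carries only the matched orders and the share count.

```python
# Added example (not from the paper): the FPFT matching loop of one trading processor for
# one stock, using the paper's order colour. The sample book and the handling of partial
# fills as residual orders are assumptions consistent with g1-g5 of Fig.5.
from typing import Dict, List, NamedTuple, Tuple, Union


class Order(NamedTuple):
    o_invest: str      # investor identity
    o_ty: str          # "B" bid, "O" offer, "CB"/"CO" withdraw own bids/offers
    o_id: int          # stock number
    o_price: float     # limit price
    o_time: float      # coming time, stamped by the secure processor on arrival
    o_numb: int        # shares


class Match(NamedTuple):   # the <B,O> token that Matc_j puts into M_Res_j
    bid: Order
    offer: Order
    shares: int


def withdraw(book: List[Order], cancel: Order) -> Tuple[List[Order], List[Order]]:
    """g1 / g5: a CB (CO) removes every bid (offer) of the same investor for the stock.
    Returns (orders kept in Bid_j/Offer_j, orders moved to Trad_Res_i)."""
    target = "B" if cancel.o_ty == "CB" else "O"
    gone = [o for o in book
            if o.o_ty == target and o.o_invest == cancel.o_invest and o.o_id == cancel.o_id]
    return [o for o in book if o not in gone], gone


def best_bid(bids: List[Order]) -> Order:
    """g2: the bid with the largest o_price and, among equals, the smallest o_time."""
    return min(bids, key=lambda o: (-o.o_price, o.o_time))


def best_offer(offers: List[Order]) -> Order:
    """g3: the offer with the smallest o_price and, among equals, the smallest o_time."""
    return min(offers, key=lambda o: (o.o_price, o.o_time))


def match_stock(incoming: List[Order]) -> Dict[str, object]:
    """One processing round of trading processor (i) for the stock in `incoming`:
    classify (t_Ord_j), withdraw first (F2), then match by FPFT until Halt_j (F3: best
    offer above best bid) or End_j (F4: one side of the book empty)."""
    if len({o.o_id for o in incoming}) > 1:
        raise ValueError("a trading processor works on one stock at a time (Theorem 2)")
    bids = [o for o in incoming if o.o_ty == "B"]
    offers = [o for o in incoming if o.o_ty == "O"]
    trad_res: List[Union[Order, Match]] = []
    for c in (o for o in incoming if o.o_ty in ("CB", "CO")):   # t_CB/j2, t_CO/j2
        if c.o_ty == "CB":
            bids, gone = withdraw(bids, c)
        else:
            offers, gone = withdraw(offers, c)
        trad_res.extend(gone)
    stopped_by = "End"
    while bids and offers:                                      # otherwise End_j
        b, o = best_bid(bids), best_offer(offers)
        if o.o_price > b.o_price:                               # g4 fails: Halt_j
            stopped_by = "Halt"
            break
        shares = min(b.o_numb, o.o_numb)
        trad_res.append(Match(b, o, shares))                    # t_Res_j
        bids.remove(b)
        offers.remove(o)
        if b.o_numb > shares:                                   # residual via t_B/j2
            bids.append(b._replace(o_numb=b.o_numb - shares))
        if o.o_numb > shares:                                   # residual via t_O/j2
            offers.append(o._replace(o_numb=o.o_numb - shares))
    return {"trad_res": trad_res, "bids": bids, "offers": offers, "stopped_by": stopped_by}


def demo_match() -> Dict[str, object]:
    """Constructed sample for stock 3: four bids (two at the same price, so time priority
    decides), two offers and one withdrawal by investor inv_c."""
    book = [
        Order("inv_a", "B", 3, 10.50, 1.0, 100),
        Order("inv_b", "B", 3, 10.60, 2.0, 50),
        Order("inv_c", "B", 3, 10.40, 3.0, 70),
        Order("inv_f", "B", 3, 10.60, 1.5, 40),
        Order("inv_d", "O", 3, 10.55, 4.0, 80),
        Order("inv_e", "O", 3, 10.70, 5.0, 30),
        Order("inv_c", "CB", 3, 0.0, 6.0, 0),
    ]
    return match_stock(book)


if __name__ == "__main__":
    for item in demo_match()["trad_res"]:
        print(item)
```

In the sample, inv_f's bid at 10.60 is matched before inv_b's bid at the same price because its o_time is earlier, and the round ends with Halt_j once the remaining best offer (10.70) exceeds the remaining best bid (10.60). o_time is assigned by the secure processor on arrival, so FPFT priority cannot be gained by a client-supplied timestamp; likewise a CB or CO matches only orders carrying the same o_invest, so a withdrawal naming another investor removes nothing.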
3.2 Temporal Colored Petri Net Model of the OSTS
In this section, for graphical conciseness, a graphical folding is used. For instance, the Petri net $N_a$ in Fig.1(a) can be replaced by its folded form in Fig.1(b).

Fig.1. An illustration of Petri nets folded graphically. (a) A Petri net $N_a$. (b) The folding of $N_a$.

In the temporal colored Petri net model of the OSTS there are two types of tokens: control tokens with color state, and data tokens with different order colors. The color state describes a work state of brokers and processors, or a restriction on some transitions. The data tokens carry a number of attributes (parameters), so they are colored order(o_invest, o_ty, o_id, o_price, o_time, o_numb), defined as the following Cartesian product:

color order = product o_invest * o_ty * o_id * o_price * o_time * o_numb

where
o_invest = a string distinguishing different investors;
o_ty = with B | O | CB | CO | ⟨B,O⟩, distinguishing order types and matching results, where B and O denote a bid and an offer, CB and CO a cancelling bid and a cancelling offer, respectively, and ⟨B,O⟩ denotes the matching result of a bid and an offer;
o_id = index d with $1, \ldots, l_1;\ (l_1+1), \ldots, l_2;\ \ldots;\ (l_{m-1}+1), \ldots, n$, serving as indices that distinguish the $n$ stocks of the $n$ listed companies, processed on the $m$ trading processors, respectively;
o_price = a positive real number recording the order's price;
o_time = a positive real number recording the order's coming time;
o_numb = a nonnegative integer giving the stock shares of the order;
var n: nonnegative integer.

By the description of the OSTS in Subsection 3.1, the frame of a colored Petri net model of the system is shown in Fig.2.

Fig.2. The frame of a colored Petri net model describing the OSTS.

The place Brok_i ($i = 1, \ldots, k$) denotes broker (i), i.e., the $i$-th broker registered at the exchange, and deposits the orders from it on the secure processor. The place Invest_i/j ($j = 1, \ldots, r_i$; $i = 1, \ldots, k$) represents the $j$-th investor of broker (i) and deposits the orders from it. The place Proc_i ($i = 1, \ldots, m$) deposits the orders satisfying $o\_id \in \{l_{i-1}+1, \ldots, l_i\}$ ($l_0 = 0$, $l_m = n$) from the secure processor on trading processor (i). A CP (colored Petri) subnet model describing the order processing procedure of broker (i) is shown in Fig.3.

Fig.3. A CP-subnet model describing the order processing procedures of broker (i) ($i = 1, 2, \ldots, k$).

The arc expression "1order"
means that exactly one order is transferred per occurrence of the adjacent transition. "order" abbreviates order(o_invest, o_ty, o_id, o_price, o_time, o_numb) with no parameter binding restricted. The arc expression 1state on dotted arcs is omitted in Fig.3, Fig.4 and Fig.5. Dashed arcs and places denote the flow direction of the token with color state, while dotted places deposit it. If there is a token marked "1state" in place B_Ready_i, broker (i) is free.

A CP-subnet model describing the order processing procedures in the secure processor is shown in Fig.4. The variable n in front of an arc expression means that all tokens with the given binding are transferred from the input place to the output place of the adjacent transition when it fires. The arc expression $n(o\_id = l_{j-1}+1, \ldots, l_j)$ is an abbreviated form of $n\,\mathrm{order}(o\_invest, o\_ty, o\_id = l_{j-1}+1, \ldots, l_j, o\_price, o\_time, o\_numb)$ ($j = 1, 2, \ldots, m$; $l_0 = 0$, $l_m = n$): all tokens with the bindings $o\_id = l_{j-1}+1, \ldots, o\_id = l_j$ are transferred from an input place to an output place of the adjacent transition when it occurs. If the arc expressions of the input and output solid arcs of a transition are the same, the bindings in the output arc expression are omitted to save space. For instance, the arc expression n( ) of the arc (Send_p_1, Proc_1) represents $n(o\_id = 1, \ldots, l_1)$.

Fig.4. A CP-subnet model describing the order processing procedures in the secure processor.

To ensure that the orders of a broker are transmitted wholly to the corresponding trading processors by the secure processor, an occurrence of the transition t_BK_i/2 must satisfy the temporal formula (F1) below in addition to the firing conditions of the colored Petri net. For $1 \le i \le k$:

(F1) $\Box((\mathit{t\_BK}_{i/2}, \mathit{order}) \Rightarrow \neg\mathit{s\_Proc})$

(F1) means that if the secure processor intends to transfer the orders of broker (i) to place s_Proc, all orders of another broker already in that place must first have been assigned to the corresponding trading processor.

A CP-subnet model describing the matching procedures of orders on trading processor (i) ($i = 1, 2, \ldots, m$) is shown in Fig.5, where the arc expressions are as follows:
g1(n) = n(o_invest = the o_invest of the order with o_ty = CB);
g2 = select the bid with the largest o_price and the smallest o_time;
g3 = select the offer with the smallest o_price and the smallest o_time;
g4 = if the o_price of the order with o_ty = O is lower than or equal to the o_price of the order with o_ty = B, then transmit a matching order with o_ty = ⟨B,O⟩ together with an order with o_ty = B or o_ty = O when their o_numb values differ (the residual shares), or only the matching order when they are equal; else transmit the two orders selected by g2 and g3 unchanged;
g5(n) = n(o_invest = the o_invest of the order with o_ty = CO).

Fig.5. A CP-subnet model describing the order matching procedures in trading processor (i) ($i = 1, 2, \ldots, m$).

In Fig.5, a double-direction dotted arc connecting transition t and place p means that p is both an input and an output place of t, and the number of tokens in p does not change when t occurs. Places Bid_j and Offer_j deposit the bids and offers of the $j$-th stock, respectively, and correspond to two different fields of the database in the exchange. By the trading rules, orders to be withdrawn must be processed before any match is made, and after a bid and an offer are matched, the remaining shares of the bid or the offer, if any, are entered into the database as a new order and a potential match. An occurrence of transition t_CB/j2 or t_CO/j2 removes the bids or offers to be withdrawn from Bid_j or Offer_j to place Trad_Res_i, respectively. An occurrence of transition Matc_j, however, must also satisfy the temporal formula (F2) in addition to the firing rules of the colored Petri net. For $\forall j$: $1 \le j \le n$:

(F2) $\Box((\mathit{Matc}_j, (g_2, g_3)) \Rightarrow \neg\mathit{Ord}_j \wedge \neg\mathit{C\_Bid}_j \wedge \neg\mathit{C\_Of}_j \wedge \neg\mathit{M\_Res}_j)$

(F2) denotes that before a new match is made
on trading processor (i), all received orders must have been classified and deposited in places C_Bid_j, C_Of_j, Bid_j and Offer_j (for withdrawals of bids, withdrawals of offers, bids and offers, respectively), and any pending withdrawals must have been carried out first.

Only when no match among the orders in places Bid_j, Offer_j and M_Res_j can be found, or when M_Res_j and one of Bid_j and Offer_j are empty, may the trading processor end the processing procedure for the $j$-th stock. That is, an occurrence of transition Halt_j or End_j must satisfy the temporal formula (F3) or (F4) below, respectively, in addition to the firing rules of the colored Petri net. For $\forall j$: $1 \le j \le n$:

(F3) $\Box((\mathit{Halt}_j, \mathit{state}) \Rightarrow \neg\mathit{M\_Res}_j)$
(F4) $\Box((\mathit{End}_j, \mathit{state}) \Rightarrow \neg\mathit{Ord}_j \wedge \neg\mathit{C\_Bid}_j \wedge (\neg\mathit{Bid}_j \vee \neg\mathit{Offer}_j) \wedge \neg\mathit{C\_Of}_j \wedge \neg\mathit{M\_Res}_j)$

(F3) means that when no match among the orders of the $j$-th stock can be found, its matching process ends. (F4) says that if no buying or no selling order of the $j$-th stock remains, its processing procedure comes to a close.

A complete order matching process is shown in Fig.5 and can be explained as follows. All orders of the $j$-th stock are assigned to places C_Bid_j, Bid_j, Offer_j and C_Of_j by firing transitions t_Ord_j, t_CB/j1, t_B/j1, t_O/j1 and t_CO/j1 according to the binding values of their parameter o_ty. If there are orders to be withdrawn in C_Bid_j or C_Of_j, t_CB/j2 or t_CO/j2 must fire before Matc_j, by (F2). A trading result is generated in place M_Res_j by firing Matc_j under the FPFT rule. If a residual share of the buying or selling order, seen as a token, remains in M_Res_j, it is transferred to Bid_j or Offer_j by firing t_B/j2 or t_O/j2, respectively. If there is no matching result in M_Res_j, the non-matched orders are handled in the same way; otherwise the matching result is removed from M_Res_j to Trad_Res_i by firing t_Res_j. All matches of the $j$-th stock are completed after firing Halt_j or End_j, by (F3) or (F4).

Note that the trading results and withdrawn orders in place Trad_Res_i are sent in time to the corresponding brokers or investors by the secure processor.

The temporal colored Petri net model describing the OSTS is defined to be the pair TCNS = (CNS, FS), where CNS is the colored Petri net model comprising the three subnets shown in Fig.3-Fig.5, and the temporal constraint formula FS is the conjunction of formulas (F1)-(F4).

In the OSTS, every broker, the secure processor and every trading processor examine and receive in rotation the orders from their investors, the brokers and the secure processor, respectively. If such orders exist, all or part of them must be processed within a time slice. Thus the following temporal property PR4 holds for the OSTS, as can be seen from the structures of the subnets in Fig.3-Fig.5.

PR4: $\langle M,\sigma\rangle \models \Box((t,b)_r \Rightarrow \Diamond(t,b))$.

PR4 means that if $t$ is firable with a binding $b$, it must eventually occur. In fact, almost all transitions in Fig.3-Fig.5 serve to transmit orders of a specific type, or trading results, from one place to another, so they satisfy PR4. Although some transitions may be concurrent, such as t_CB/j2, t_CO/j2 and Matc_j in Fig.5, they still satisfy PR4 on the basis of (F2), (F3) and (F4). PR4 can also be verified by means of the reachability graphs of the nets.

4 Correctness Verification and Properties Analysis of OSTS

In this section, on the basis of the temporal colored Petri net model TCNS and the requirement specifications of the OSTS, certain main properties and the functional correctness of the system are analyzed and verified formally. The properties and functional behaviors of the system are described by production rules and corresponding temporal logic formulas.

4.1 Verifying Correctness

Since investors commit orders concurrently to their corresponding brokers on a transaction day, we suppose that the initial marking $M_0$ of the TCNS consists of tokens generated stochastically in the places Invest_i/j ($j = 1, \ldots, r_i$; $i = 1, \ldots, k$) together with the given tokens with color state shown in Fig.3-Fig.5. The proofs of some of the lemmas below are omitted to save space.

Lemma 1. (If an investor requires to commit an order to a corresponding broker at any moment, the order will eventually be transferred to the exchange.) Let $M$ be a reachable marking of the TCNS from $M_0$; then for any firing sequence $\sigma$ from $M$, $\forall j$: $1 \le j \le r_i$, $\forall i$: $1 \le i \le k$, we have

$\langle M,\sigma\rangle \models \Box(\mathit{Invest}_{i/j} \Rightarrow \Diamond\mathit{Brok}_i)$.

Proof. By the description of the OSTS, if place B_Ready_i in Fig.3 is empty, this means
that broker (i) is checking and transmitting an order from another investor in the current time slice. But there is a time slice in which the broker examines the memory region shared with this investor. Thus, by the structure of the subnet in Fig.3, we have

$\langle M,\sigma\rangle \models \Box(\mathit{Invest}_{i/j} \Rightarrow \Diamond(\mathit{Invest}_{i/j} \wedge \mathit{B\_Ready}_i))$ (1)
$\langle M,\sigma\rangle \models \Box(\mathit{Invest}_{i/j} \wedge \mathit{B\_Ready}_i \Rightarrow (\mathit{t\_Inv}_{i/j1}, \mathit{order})_r)$ (2)

From (2) and PR4, we have

$\langle M,\sigma\rangle \models \Box((\mathit{t\_Inv}_{i/j1}, \mathit{order})_r \Rightarrow \Diamond(\mathit{t\_Inv}_{i/j1}, \mathit{order}))$ (3)
$\langle M,\sigma\rangle \models \Box((\mathit{t\_Inv}_{i/j1}, \mathit{order}) \Rightarrow \bigcirc\mathit{p\_Inv}_{i/j})$ (4)
$\langle M,\sigma\rangle \models \Box(\mathit{p\_Inv}_{i/j} \Rightarrow (\mathit{t\_Inv}_{i/j2}, \mathit{order})_r)$ (5)

From (5) and PR4, we have

$\langle M,\sigma\rangle \models \Box((\mathit{t\_Inv}_{i/j2}, \mathit{order}) \Rightarrow \bigcirc\mathit{Brok}_i)$ (6)

By PR1, PR2, PR3 and (1)-(6), the lemma holds. □

Similarly, from the structure of the subnet in Fig.4 and (F1), we obtain Lemma 2 below.

Lemma 2. (If the orders from some broker arrive at the exchange, they are eventually assigned to the corresponding trading processors by the secure processor.) Let $M$ be a reachable marking of the TCNS from $M_0$; then for any firing sequence $\sigma$ from $M$, $\forall i$: $1 \le i \le k$, we have

$\langle M,\sigma\rangle \models \Box(\mathit{Brok}_i \Rightarrow \Diamond(\mathit{Proc}_1 \vee \cdots \vee \mathit{Proc}_m))$.

Lemma 3. (If the orders of some stock arrive at the corresponding trading processor, all matches of them with the orders of the same stock deposited in the database are eventually finished.) Let $M$ be a reachable marking of the TCNS from $M_0$; then for any firing sequence $\sigma$ from $M$, $\forall j$: $l_{i-1}+1 \le j \le l_i$, $\forall i$: $1 \le i \le m$, we have

$\langle M,\sigma\rangle \models \Box(\mathit{Proc}_i \Rightarrow \Diamond((\mathit{Halt}_j, \mathit{state}) \vee (\mathit{End}_j, \mathit{state})))$.

Proof. By the subnet structure in Fig.5 and an analysis similar to the proof of Lemma 1, we obtain

$\langle M,\sigma\rangle \models \Box(\mathit{Proc}_i \Rightarrow \Diamond(\mathit{Proc}_i \wedge \mathit{p\_Ready}_i))$ (7)
$\langle M,\sigma\rangle \models \Box(\mathit{Proc}_i \wedge \mathit{p\_Ready}_i \Rightarrow (\mathit{t\_Ord}_j, o\_id = j)_r)$ (8)

From (8) and PR4, we have

$\langle M,\sigma\rangle \models \Box((\mathit{t\_Ord}_j, o\_id = j) \Rightarrow \bigcirc(\mathit{Ord}_j \wedge \mathit{Ctrl/j3}))$ (9)
$\langle M,\sigma\rangle \models \Box(\mathit{Ord}_j \wedge \mathit{Ctrl/j3} \Rightarrow (\mathit{t\_CB/j1}, o\_ty = \mathit{CB})_r \vee (\mathit{t\_CO/j1}, o\_ty = \mathit{CO})_r \vee (\mathit{t\_B/j1}, o\_ty = B)_r \vee (\mathit{t\_O/j1}, o\_ty = O)_r)$ (10)

Here, by (10), if t_CB/j1 or t_CO/j1 is firable, the orders to be canceled in Bid_j or Offer_j are moved to Trad_Res_i by firing the transition sequence t_CB/j1 t_CB/j2 or t_CO/j1 t_CO/j2, respectively, before Matc_j fires. For convenience, suppose that only t_B/j1 or t_O/j1 is firable and that Bid_j and Offer_j are non-empty, that is,

$\langle M,\sigma\rangle \models \Box(\mathit{Ord}_j \wedge \mathit{Ctrl/j3} \Rightarrow (\mathit{t\_B/j1}, o\_ty = B)_r \vee (\mathit{t\_O/j1}, o\_ty = O)_r)$ (11)

From (11), (f5), PR4 and the supposition above, we have

$\langle M,\sigma\rangle \models \Box((\mathit{t\_B/j1}, o\_ty = B) \vee (\mathit{t\_O/j1}, o\_ty = O) \Rightarrow \bigcirc(\neg\mathit{Ord}_j \wedge \neg\mathit{C\_Bid}_j \wedge \neg\mathit{C\_Of}_j \wedge \neg\mathit{M\_Res}_j \wedge \mathit{Ctrl/j1} \wedge \mathit{Bid}_j \wedge \mathit{Offer}_j))$ (12)

From (12) and (F2), we have

$\langle M,\sigma\rangle \models \Box(\neg\mathit{Ord}_j \wedge \neg\mathit{C\_Bid}_j \wedge \neg\mathit{C\_Of}_j \wedge \neg\mathit{M\_Res}_j \wedge \mathit{Ctrl/j1} \wedge \mathit{Bid}_j \wedge \mathit{Offer}_j \Rightarrow (\mathit{Matc}_j, (g_2, g_3))_r)$ (13)
$\langle M,\sigma\rangle \models \Box((\mathit{Matc}_j, (g_2, g_3)) \Rightarrow \bigcirc(\mathit{M\_Res}_j \wedge \mathit{Ctrl/j2} \wedge \neg\mathit{Ord}_j \wedge \neg\mathit{C\_Bid}_j \wedge \neg\mathit{C\_Of}_j))$ (14)

CASE 1. If t_Res_j with the binding $o\_ty = \langle B,O\rangle$ is not firable here, by (14) we obtain

$\langle M,\sigma\rangle \models \Box(\mathit{M\_Res}_j \wedge \mathit{Ctrl/j2} \wedge \neg\mathit{Ord}_j \wedge \neg\mathit{C\_Bid}_j \wedge \neg\mathit{C\_Of}_j \Rightarrow (\mathit{t\_B/j2}, o\_ty = B)_r \wedge (\mathit{t\_O/j2}, o\_ty = O)_r)$ (15)
$\langle M,\sigma\rangle \models \Box((\mathit{t\_B/j2}, o\_ty = B) \wedge (\mathit{t\_O/j2}, o\_ty = O) \Rightarrow \bigcirc(\mathit{Ctrl/j2} \wedge \neg\mathit{M\_Res}_j))$ (16)
Yu-Yue Du et al.: Verifying Functions in Online Stock Trading Systems 211 ) (Matc j ; (g2 ; g3 )) r ) (24) From (16) and (F3), we have hM; i ` 2(Ctrl =j 2 ^ :M Res j Here, the inference process from (14), (19), (23) to (24) is done repeatedly until CASE 1 or CASE (17) ) (Halt j ; state ) r ) 2 becomes true. From (7){(17), PR1, PR2, PR3 and PR4, we have Therefore, from (18), (22) and (f5), Lemma 3 is 2 hM; i ` 2(Proc i ) 3(Halt j ; state )) (18) proved. Based on the three Lemmas given above, PR2 CASE 2. When t Res j and one of t B/j 2 and and (f5), the following Theorem 1 can be obtained t O/j 2 with corresponding bindings are rable, if directly. one of Bid j and Oer j is empty after ring them, Theorem 1. (The orders from any investor of by (14), we obtain every broker will be processed eventually in a corresponding trading processor.) Let M be a reachable hM; i ` 2(M Res j ^ Ctrl =j 2 ^ :Ord j marking of the TCNS from M0 . For any ring se^ :C Bid j ^ :C Of j quence from M, 8j : 1 6 j 6 ri , 8i: 1 6 i 6 k, ) (t Res j ; o ty = hB; Oi) r then 9u: 1 6 u 6 m, 9v: lu 1 + 1 6 v 6 lu , and we ^ ((t B =j 2; o ty = B ) r have (19) _ (t O =j 2; o ty = O) r ))) hM; i ` 2(Invest i =j (o invest = `j ') hM; i ` 2((t Res j ; o ty = hB; Oi) ) 3(Bid v (o invest = `j ') ^ ((t B =j 2; o ty = B ) _ Oer v (o invest = `j ') _ (t O =j 2; o ty = O)) _ Trad Res u (o invest = `j ')): ) Æ(Ctrl =j 1 ^ Ctrl =j 3 ^ :M Res j ^ :Ord j ^ :C Bid j ^ :C Of j 4.2 Property Analysis (20) ^ (:Bid j _ :Oer j ))) Some principal properties of the OSTS are forFrom (20) and (F4), we have mally represented and analyzed in this section. The proofs of the properties are omitted to save space. hM; i ` 2(Ctrl =j 1 ^ Ctrl =j 3 ^ :M Res j They can be easily proved by means of the subnet ^ :Ord j ^ :C Bid j ^ :C Of j structures in Fig.3{Fig.5, Lemma 1{Lemma 3, (f5), ^ (:Bid j _ :Oer j ) ) (End j ; state ) r ) (f12), etc. (21) Theorem 2 (Safeness Property). 
At any From (7){(14), (19){(21) and PR1-PR4, we have moment only the orders from at most one stock are in every trading processor. Let M be a hM; i ` 2(Proc i ) 3(End j ; state )) (22) processed reachable marking of the TCNS from M0 , then for CASE 3. In CASE 2, if Bid j and Oer j are any ring sequence from M, 8j , u: li 1 + 1 6 j , non-empty after ring t Res j and one of t B/j 2 u 6 li , u 6= j , 8i: 1 6 i 6 k, we have and t O/j 2, then Matc j is rable. By (19) and hM; i ` 2((t Ord j ; o id = j ) PR4, we obtain ) 2(:(t Ord u ; o id = u) r hM; i ` 2((t Res j ; o ty = hB; Oi) U ((Halt j ; state ) _ (End j ; state ))) ^ ((t B =j 2; o ty = B ) Theorem 3 (Fairness Property). The se_ (t O =j 2; o ty = O)) cure processor does not discriminate any broker, ) Æ(Bid j ^ Oer j while each broker does not discriminate any of its investors. And each trading processor does not dis^ Ctrl =j 1 ^ Ctrl =j 3 criminate any stock. Let M be a reachable marking ^ :Ord j ^ :C Bid j the TCNS from M0 , then for any ring sequence (23) of ^ :C Of j ^ :M Res j )) from M, 8j : 1 6 j 6 ri , 8i: 1 6 i 6 k, 8v: lu 1 + 1 6 v 6 lu , 8u: 1 6 u 6 m, we have From (23) and (F2), we have hM; i ` 2((Bid j ^ Oer j ^ Ctrl =j 1 ^ Ctrl =j 3 hM; i ` 23Invest i =j ^ :Ord j ^ :C Bid j ^ :C Of j ) 23(t Inv i =j 1; order ) ^ :M Res j ) hM; i ` 23Brok i
$\Rightarrow \Box\Diamond(t_{BK_{i/1}}, order)$

$\langle M,\ \rangle \vdash \Box\Diamond Proc_u(n(o\_id = v)) \Rightarrow \Box\Diamond(t_{Ord_v}, o\_id = v)$
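The case analysis in the proof of Lemma 3 above, assertions (9) to (24), as an added Python example that is not part of the paper: the state labels and edges are a constructed abstraction of the formulas (the places, colour bindings and matching rule are not modelled), and the loop bound `max_loops` stands in for the paper's argument that CASE 3 repeats only until CASE 1 or CASE 2 holds. It checks the eventuality of (18) and (22) over every run and shows that, without that bound, the graph contains a cycle.

```python
# Added example, not from the paper: the case analysis of Lemma 3
# (assertions (9)-(24)) as an explicit-state transition system.
# State labels abbreviate the paper's conjunctions; the Petri-net
# places, colour bindings and the matching rule are NOT modelled.
from collections import defaultdict

# (source, transition fired, target, is_CASE3_loop): one edge per
# "pre => (t)_r" / "(t) => O post" pair in the proof.
EDGES = [
    ("Ord_j,Ctrl_j=3", "t_B/j1 | t_O/j1", "Bid_j,Offer_j,Ctrl_j=1", False),            # (11),(12)
    ("Bid_j,Offer_j,Ctrl_j=1", "Matc_j", "M_Res_j,Ctrl_j=2", False),                   # (13),(14)
    ("M_Res_j,Ctrl_j=2", "t_B/j2 & t_O/j2", "Ctrl_j=2,!M_Res_j", False),               # CASE 1: (15),(16)
    ("Ctrl_j=2,!M_Res_j", "Halt_j", "HALT", False),                                    # (17)
    ("M_Res_j,Ctrl_j=2", "t_Res_j, one side empty", "Ctrl_j=1,3,!Bid|!Offer", False),  # CASE 2: (19),(20)
    ("Ctrl_j=1,3,!Bid|!Offer", "End_j", "END", False),                                 # (21)
    ("M_Res_j,Ctrl_j=2", "t_Res_j, both non-empty", "Bid_j,Offer_j,Ctrl_j=1", True),   # CASE 3: (23),(24)
]
SUCC = defaultdict(list)
for _src, _t, _dst, _loop in EDGES:
    SUCC[_src].append((_t, _dst, _loop))

def every_run_reaches(start, goals, max_loops):
    """True iff every run from `start` taking the CASE 3 loop at most
    `max_loops` times ends in `goals`, i.e. the eventuality of (18)/(22)."""
    stack = [(start, 0)]
    while stack:
        state, loops = stack.pop()
        if state in goals:
            continue
        steps = [e for e in SUCC[state] if not (e[2] and loops >= max_loops)]
        if not steps:                       # deadlock outside the goal set
            return False
        for _, dst, loop in steps:
            stack.append((dst, loops + int(loop)))
    return True

def has_unbounded_cycle():
    """True iff the graph without the loop bound has a cycle: this is why the
    proof must argue that CASE 3 recurs only until CASE 1 or CASE 2 holds."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)               # every state starts WHITE
    def dfs(s):
        colour[s] = GREY
        for _, d, _ in SUCC[s]:
            if colour[d] == GREY or (colour[d] == WHITE and dfs(d)):
                return True
        colour[s] = BLACK
        return False
    return any(colour[s] == WHITE and dfs(s) for s in list(SUCC))
```

Restricting the goal set to HALT alone makes the check fail, because the CASE 2 path ends in End_j rather than Halt_j.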
Theorem 3 states that if, at infinitely many markings, there is at least one order in each of the places $Invest_{i/j}$, $Brok_i$ and $Proc_u$, and the orders in $Proc_u$ are confined by a binding $o\_id = v$, then the corresponding transitions must fire infinitely often.

Theorem 4 (Liveness Property). If investors commit orders to corresponding brokers infinitely often, then their matches are made infinitely often. Let $M$ be a reachable marking of the TCNS from $M_0$; then for any firing sequence from $M$, we have

$\langle M,\ \rangle \vdash \Box\Diamond((Invest_{1/1} \vee \cdots \vee Invest_{1/r_1}) \vee \cdots \vee (Invest_{k/1} \vee \cdots \vee Invest_{k/r_k})) \Rightarrow \Box\Diamond((Halt_1 \vee \cdots \vee Halt_n) \vee (End_1 \vee \cdots \vee End_n))$

5 Conclusion and Discussion
In this paper, we introduce temporal colored Petri nets as a new modeling tool for describing concurrent systems. They provide both the power of graphical dynamic representation and the function of formal logical inference. The use of temporal colored Petri nets is illustrated with a useful example of modeling and formal verification of an Internet-based stock trading system. The requirement specifications of the modeled system are explicitly represented using temporal assertions. The functional correctness of the system is formally verified on the basis of its temporal colored Petri net model and temporal inference. Certain main properties of the system, such as safeness, fairness and liveness, are analyzed. It has been demonstrated sufficiently that temporal colored Petri nets can formally and efficiently verify the correctness, consistency, and completeness of concurrent systems. As a future field of research, it is planned to develop an implementation tool for temporal colored Petri nets based on the CPN tool[19] and to apply our approach to the modeling and analysis of Internet-based dynamic stock trading systems and the secure electronic transfer protocol (SET) for electronic commerce. We would also like to investigate further the union of timed Petri nets and temporal logic to handle concurrent systems in which an event must occur within a time interval if it is enabled.
References

[1] NASDAQ. http://www.nasdaq.com.
[2] The New York Stock Exchange. http://www.nyse.com.
[3] The Shanghai Stock Exchange. http://www.sse.com.cn.
[4] Grimm R, Ochsenschlager P. Binding telecooperation – A formal model for electronic commerce. Computer Networks, 2001, 37(2): 171–193.
[5] Lee R M. Distributed electronic trade scenarios: Representation, design, prototyping. International Journal on Electronic Commerce: Special Issue on Formal Aspects of Digital Commerce, 1999, 3(2): 105–136.
[6] Caminada M W A. Towards a formal model for contract execution. In Proc. the 5th International Workshop on the Language-Action Perspective on Communication Modelling (LAP2000), Schoop M, Quix C (eds.), Aachen, Germany, Sept. 2000, pp.107–129.
[7] Daskalopulu A. Model checking contractual protocols. In Legal Knowledge and Information Systems, JURIX 2000: The 13th Annual Conference, Frontiers in Artificial Intelligence and Applications Series, Breuker J, Leenes R, Winkels R (eds.), IOS Press, Enschede, Netherlands, Dec. 2000, pp.35–47.
[8] Jiang C J, Lu W M. On properties of concurrent system based on Petri net language. J. of Software, 2001, 12(4): 512–520.
[9] Murata T. Petri nets: Properties, analysis and applications. Proc. the IEEE, 1989, 77(4): 541–580.
[10] Wang H Q, Jiang C J, Liao S Y. Behaviour relations in synthesis process of Petri net models. IEEE Trans. Robotics and Automation, 2000, 16(8): 834–843.
[11] Wang J, Deng Y, Xu G. Reachability analysis of real-time systems using time Petri nets. IEEE Trans. Systems, Man, and Cybernetics – Part B: Cybernetics, 2000, 30(5): 727–736.
[12] Vicario E. Static analysis and dynamic steering of time-dependent systems. IEEE Transactions on Software Engineering, 2001, 27(8): 728–748.
[13] Suzuki I, Lu H. Temporal Petri nets and their application to modeling and analysis of a handshake daisy chain arbiter. IEEE Trans. Comput., 1989, 38(5): 696–704.
[14] Du Y Y, Jiang C J. Formal analysis of an online stock trading system by temporal Petri nets. In Proc. Int. Workshop on Computer Networks and Mobile Computing, IEEE Computer Society Press, Beijing, China, Oct. 2001, pp.197–202.
[15] Zurawski R. Verifying correctness of interfaces of design models of manufacturing systems using functional abstractions. IEEE Trans. Ind. Electron., 1997, 44(3): 307–320.
[16] Jensen K. Colored Petri Nets. Volume 1, Springer-Verlag, Berlin, 1997.
[17] Cost R S, Chen Y, Finin T et al. Modeling agent conversations with colored Petri nets. In Working Notes of the Workshop on Specifying and Implementing Conversation Policies, Seattle, Washington, 1999, pp.59–66.
[18] Padberg J. Abstract Petri nets as a uniform approach to high level Petri nets. In Proc. WADT 98, Springer-Verlag, Lecture Notes in Computer Science 1589, 1998, pp.240–259.
[19] Jensen K et al. Design/CPN manuals. Meta Software Corporation and Department of Computer Science, University of Aarhus, Denmark. On-line version: http://www.daimi.aau.dk/designCPN/.