Real Time in a TLA-Based Theory of Reactive Systems

Reino Kurki-Suonio and Mika Katara
Software Systems Laboratory, Tampere University of Technology
P.O. Box 553, FIN-33101 Tampere, Finland
{reino.kurki-suonio, Mika.Katara}@cs.tut.fi

Abstract

A practical theory for operational specification of reactive systems is described. Reasoning on temporal properties is made possible at high levels of abstraction, and rigorous refinement towards implementation is supported. The paper discusses how the underlying logic, execution model, and refinement methods fit together, and how object-orientation, distribution, and real time are supported. A closer look is taken at the specification of real-time properties. The approach is illustrated by a logically layered specification of simple mobile robot control software.

1 Introduction

Since conventional thinking of software engineering is dominated by languages, tools, and informal design methods, their inherent complexities burden most attempts to provide theoretical understanding of the fundamentals. In particular, an appropriate theory should allow one to ignore unnecessary detail at the level of specification. Ideally, specification languages and tools should also reflect an underlying theory, not the other way around.

In this paper we describe some aspects of a theory that gives a simple basis for operational models of reactive systems. It allows rigorous reasoning on behavioral (temporal) properties already at high levels of abstraction, and provides effective support for a refinement methodology by which specifications can be refined towards implementations.

A comprehensive theory needs different kinds of abstractions. To achieve the desired simplicity, these have to support each other effectively, and hence cannot be chosen arbitrarily. Since the logical basis must allow reasoning on reactive properties, the classical bases for "transformational" systems are inadequate. The basis of this theory is in Temporal Logic of Actions (TLA) [16], which provides intuitively natural support for the construction and refinement of operational models. This presentation complements that given in [12], and is also kept at a conceptual level where inference rules and language details are ignored.

The approach deals with closed-system models. The most important structuring facility is a mechanism for importing, extending, composing, and refining "layers" of closed-system specification. For the associated design methods it is essential that safety properties of imported layers are always preserved and proof obligations are obtained for liveness properties.

The rest of the paper is structured as follows. We start with discussing implications of closed-system modeling in Section 2. The basic ideas of TLA-based specification are introduced in Section 3. In Section 4 we analyze how the approach is affected by object-orientation, distributed systems, and real time. An illustrative example of real-time specification is given in Section 5. Some concluding remarks are given in Section 6.

2 Closed-System Modeling

Most commonly advocated specification formalisms are based on the transformational or algorithmic paradigm, where computations are understood as input-output mappings or relations. As discussed in [18], this paradigm is inappropriate for interactive computing. In particular, it is inadequate for object-orientation, where objects are designed to interact with their environments. To be more specific, the algorithmic paradigm ignores temporal aspects, which play an essential role in interaction that continues over time.

The notion of objects allows convenient encapsulation of decisions that are internal to components. This is especially important for implementation and reuse. A component is then understood as an open system with an interface to an unknown environment. In many areas of engineering, interfaces can be described statically, and conventional use of the word "behavior" gives the false impression that this would be possible also for interactive objects. However, interactive behaviors proceed in time, and an isolated object cannot produce them without dynamic cooperation with its environment.

This makes it intuitively natural to use the closed-system principle, where a component is always specified together with its assumed context. In simple situations such a context may just invoke an object's methods nondeterministically in an arbitrary sequence and with arbitrary parameters. It is essential, however, that the same formalism can be used for a system specification, which describes collective behaviors produced by a system and its environment, and for a component specification, which describes behaviors produced by a component together with an arbitrary environment.

Closed-system modeling does not prevent compositional design or reuse of existing components. Temporal modeling in terms of closed systems generalizes, however, the intuition of composition as a construction where structural components are put together into more complex units. When understood as a closed system, a component is not a structural unit, but an incomplete view of temporal behaviors in the total system. Composition then means synthesis, where different views are combined.

In conventional design one may start with recognizing the desired components and defining their interfaces. Obviously, this has to be done before the components can be designed. With closed-system models one can start with a precise specification of the intended behaviors of the total system. Decisions on partitioning into components, and on determining their interfaces, can be postponed until total behaviors are understood sufficiently well. For instance, decisions that are based on distributed hardware, or on hardware-software partitioning, need not affect the initial specification, and can be introduced during design. The theoretical basis of such an approach has been discussed in [14].

3 Basic TLA-Based Specifications

As the theoretical basis for modeling and reasoning on temporal behaviors we use a variant of temporal logic, Temporal Logic of Actions (TLA) [16], which has some characteristics that make it especially suitable for our purposes.

3.1 Operational Modeling in TLA

TLA is a linear-time logic, where expressions are evaluated for sequences of states, or behaviors, which may be nonterminating. Variables that are used to model system properties have unique values in each state. Figure 1 illustrates a behavior with two variables x and y.

Figure 1: Behavior as a sequence of states (x=1, y=2; x=2, y=3; x=3, y=5).

While state predicates are evaluated for states, actions are "step predicates" that are evaluated for state changes, or steps. Action A is enabled in a state if there exists a possible next state for which the resulting step would satisfy A. The use of actions is constrained in TLA so that the satisfaction of formulas is insensitive to the addition or deletion of "stuttering steps," in which none of the variables of interest are modified. This characteristic, which is important for a refinement methodology, is associated with defining the "stuttering extension" of action A, denoted by $[A]_X$, to be satisfied by any step that either satisfies A or does not modify any variables in X.

For operational modeling it is important that temporal behaviors can be specified in terms of canonical TLA expressions of the form
$$P \wedge \Box[A_1 \vee \dots \vee A_m]_X \wedge F,$$
where X is the set of variables that are of interest, P is a state predicate that gives an initial condition for their values, the $A_i$ are actions that give the permissible steps in behaviors, and F expresses fairness requirements. In the following we assume F to give a subset of the actions $A_i$ for which strong fairness is assumed. This requires the eventual appearance of an $A_i$-step if $A_i$ is repeatedly enabled without any bound. The first two conjuncts in a canonical expression express pure safety properties ("nothing bad ever happens"), while the third expresses pure liveness properties ("something good will eventually happen").

A canonical expression has an obvious operational interpretation: execution starts in an initial state that satisfies P, in each state some enabled action $A_i$ is chosen for execution, and an action scheduler makes sure that fairness requirements become satisfied. Notice that the execution may halt in any state where none of the actions specified by F is enabled.

3.2 Simple Language Issues

Canonical expressions give a straightforward logical basis for an operational specification language where individual actions are given as syntactic units of the form
$$A_i = g_i \rightarrow b_i,$$
with $g_i$ as an enabling condition or guard, and $b_i$ as the body that expresses how variables are modified. We will use the common convention that unprimed and primed variable names refer to variables in the first and the second state of a step, respectively. In accordance with programming notations, stuttering equations $x' = x$ need not be given explicitly.

This leads to an action-oriented language with a primitive execution model. In particular, there are no built-in assumptions of sequential execution to support procedural abstraction. On the other hand, for the modeling of concurrent and distributed systems, atomicity of actions is important. This removes some problems that are typical of languages where concurrency is an add-on feature.

Expressing all liveness properties by explicit fairness requirements may at first seem clumsy, as an algorithm is always executed to its end. For concurrency and environment activities, fairness is, however, a useful abstraction of an "execution will." Contrary to common belief it remains useful also in connection with real time, where eventual execution is strengthened by bounded deadlines.

Language facilities that are helpful for modeling can be introduced without violating the simple connection to logic. For instance, although variables are untyped in TLA, typing can be added in a manner that leads to simple proof obligations. Statechart-like finite-state systems [4] can be introduced in terms of enumeration variables. States in such systems can also be used as scopes for variables, with static checks of their correct use. Another simple language extension is to allow parameterized actions, where the parameters model data values to be transmitted in actions.

3.3 Support for Refinement and Composition

It is important for a theory to provide support for composition. The closed-system principle affects these needs in a non-trivial manner. Instead of means for different components to invoke procedures or methods in each other, it is important to provide for the synthesis of different views on temporal behaviors.

A suitable mechanism for this is provided by superposition. Basically, superposition allows extending a specification with new variables, strengthening action guards, augmenting old bodies to deal with new variables, and introducing new actions that do not modify old variables. In terms of TLA, each action in the new system implies either an old action or mere stuttering in the old system. Therefore, superposition preserves all safety properties, while liveness properties lead to proof obligations [14].

A straightforward use of superposition supports stepwise refinement, in which an initial incomplete specification is gradually extended with further detail. At each stage the specification corresponds to a projection of the final specification, where only part of the variables are present. The same mechanism can also be used to support composition. The synthesis of two views is a superposition on both of them, where the variables of both are taken, and some of their actions may be synchronized. Again, safety properties of the synthesized layers are guaranteed to be preserved, while liveness properties lead to proof obligations.

In refinement it is often necessary to replace "abstract" data structures, which are suitable for mathematical manipulation, by "concrete" data structures that are more appropriate for efficient implementation. Variables for a new data representation can be introduced in superposition, but old variables cannot be removed. However, if one proves an invariant for how the value of x depends on other variables y, x no longer needs explicit representation. One can then understand that x has become a non-primitive state function, which provides an abstract view on the concrete data structures y by which it has been replaced. In particular, such transformations are required when decisions on distributed implementation are imposed on abstract specifications.

4 Extending the Basic Possibilities

In this section we discuss how object-orientation, distributed systems, and real time affect the approach. Object-orientation requires an extension of language facilities; distributed systems mainly affect the refinement methodology; real-time properties can be modeled with a few additional dedicated variables.

4.1 Object-Orientation

In TLA, the "world" consists of a collection of variables. Object-orientation is an effort to recognize recurrent patterns in this "world" and in the actions that operate on it. Basically, the notion of objects imposes structure on the collection of variables. Each object belongs to a class and is associated with a class-specific set of (local) variables, whose values constitute its local state. In accordance with common ideas of object-oriented modeling, we can also have variables that are interpreted as relations between objects. As variables are not dynamically "created" in behaviors, it is natural to consider that all objects exist throughout a temporal behavior. "Creation" is then interpreted as a change in their local states. To allow potentially unbounded numbers of objects, classes need not be finite.

Encapsulating methods in objects allows implementation reuse. This makes it, however, impossible to specify collective (temporal) behaviors at a high level of abstraction, which should be the most important concern in the initial stages of specification. A simple solution is offered by multi-object actions, which are patterns for actions, parameterized by their participant objects. Fairness requirements then require the possibility to specify fairness of actions with respect to given participants also. The class-specific capability of executing encapsulated methods generalizes into the capability to participate in multi-object actions. Inheritance and specialization of inherited actions also generalize to this situation in a natural manner, with a strong interpretation of the "is-a" relation between subclasses and superclasses [13].

4.2 Distribution

From the viewpoint of specification, distributed implementation means preparation for certain kinds of design decisions. In terms of TLA, allocating variables to distributed processes imposes constraints on whether and how different variables can be accessed in the same action. Therefore, there is a need for transformations by which such constraints can be taken into consideration.

Details of these constraints depend on the communication primitives that are available. In principle, communication between distributed processes is based on asynchronous messages, but more elaborate mechanisms may have been built on top of them, like synchronous message passing, CSP-like interactions, or more elaborate multi-process interactions. In each case, an initial specification, where the constraints have not been observed, can be understood as an abstract view of what happens in the system. Property-preserving transformations by which the constraints can be taken into account have two goals: to add local variables to reflect values of distributed state predicates, and to turn some variables into non-primitive state functions that need no explicit representation.

Of special importance in these transformations is that fairness requirements also need to become implementable. This may require imposing a policy by which some competing actions are disabled to avoid "conspiratorial" behavior [9]. When actions describe cooperation between distributed processes, it should be noticed that some assumptions must always be made about the underlying handshaking protocol, in order to avoid situations where some actions are continually enabled, but the protocol is unable to get the processes to agree on executing any of them.

The notion of objects supports the design of concurrent and distributed systems, as the participants of an action indicate explicitly the objects that are accessed in it. Therefore, an implementation may freely allow concurrent execution of actions with disjoint participant sets.
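Before turning to real time, the execution model of Sections 3.1 to 3.3 can be made concrete in a short program. The following Python code is an added example, not code from the paper or from the DisCo project: actions are guard/body pairs over a dictionary of variables, a strongly fair scheduler executes a constructed two-action counter system, a second layer is built on it by superposition, and a bounded state exploration checks the safety-preservation property of Section 3.3, namely that every step of the refined layer is either a step of some base action or a stutter on the base variables. The counter, the layer, the deliberately illegal action Skip, and all names in the code are constructed for this example.

```python
"""Toy executor for the operational reading of a canonical TLA expression (Section 3.1),
guard -> body actions (Section 3.2) and a superposition layer checked against its base
layer (Section 3.3).  Added example; the counter system and all names are constructed."""


def action(name, guard, body):
    """An action is a guard (state predicate) and a body returning the primed variables;
    variables the body omits stutter (x' = x).  States are dicts."""
    return {"name": name, "guard": guard, "body": body}


def execute(s, a):
    t = dict(s)
    t.update(a["body"](s))
    return t


# Base layer (constructed): a counter that counts up to 3 and is then reset.
BASE_VARS = {"n"}
BASE_INIT = {"n": 0}
Inc = action("Inc", lambda s: s["n"] < 3, lambda s: {"n": s["n"] + 1})
Reset = action("Reset", lambda s: s["n"] == 3, lambda s: {"n": 0})
BASE = [Inc, Reset]


def superpose(base, extra_guard, extra_body):
    """Superposition of one action: strengthen its guard and augment its body so that
    the augmentation touches new variables only."""
    return action(base["name"],
                  lambda s: base["guard"](s) and extra_guard(s),
                  lambda s: {**base["body"](s), **extra_body(s)})


# Second layer: new variables busy and resets, refined Inc and Reset, and new actions
# Lock/Unlock that leave the old variable n unchanged.
LAYER_INIT = {**BASE_INIT, "busy": False, "resets": 0}
Inc1 = superpose(Inc, lambda s: not s["busy"], lambda s: {})
Reset1 = superpose(Reset, lambda s: s["resets"] < 2, lambda s: {"resets": s["resets"] + 1})
Lock = action("Lock", lambda s: not s["busy"], lambda s: {"busy": True})
Unlock = action("Unlock", lambda s: s["busy"], lambda s: {"busy": False})
LAYER = [Inc1, Reset1, Lock, Unlock]
# Not a legal superposition: it modifies the old variable n outside any base action.
Skip = action("Skip", lambda s: s["n"] < 2, lambda s: {"n": s["n"] + 2})


def project(s, xs):
    return {v: s[v] for v in xs}


def is_base_step(s, t):
    """Stuttering extension of the base layer's action disjunction on the step
    projected to the base variables X: a base action step or a stutter."""
    ps, pt = project(s, BASE_VARS), project(t, BASE_VARS)
    return ps == pt or any(a["guard"](ps) and execute(ps, a) == pt for a in BASE)


def reachable_steps(init, actions):
    """All (state, action name, next state) triples reachable from init (finite here)."""
    seen, todo, steps = set(), [init], []
    while todo:
        s = todo.pop()
        key = frozenset(s.items())
        if key in seen:
            continue
        seen.add(key)
        for a in actions:
            if a["guard"](s):
                t = execute(s, a)
                steps.append((s, a["name"], t))
                todo.append(t)
    return steps


def safety_preserved(init, actions):
    """Every reachable step of the layer implies a base action or stuttering in the base."""
    return all(is_base_step(s, t) for s, _, t in reachable_steps(init, actions))


def run(init, actions, fair, max_steps=100):
    """Operational interpretation: start in init, pick an enabled action in each state with
    a strongly fair scheduler (the least recently executed enabled action goes first),
    and halt when no action in F is enabled."""
    s, last, trace = dict(init), {a["name"]: -1 for a in actions}, []
    for i in range(max_steps):
        enabled = [a for a in actions if a["guard"](s)]
        if not any(a["name"] in fair for a in enabled):
            break
        a = min(enabled, key=lambda b: last[b["name"]])
        s, last[a["name"]] = execute(s, a), i
        trace.append(a["name"])
    return trace, s


if __name__ == "__main__":
    print(run(LAYER_INIT, LAYER, {"Inc", "Reset", "Unlock"}))
    print(safety_preserved(LAYER_INIT, LAYER), safety_preserved(LAYER_INIT, LAYER + [Skip]))
```

With F = {Inc, Reset, Unlock} the run halts after 27 steps in the state n = 3, resets = 2, where only the non-fair action Lock is enabled; Lock is still executed whenever the scheduler reaches it, which is exactly the "execution may halt" situation described in Section 3.1. The exploration accepts the superposed layer and rejects the layer extended with Skip, whose step from n = 0 to n = 2 projects to no base step.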

4.3 Real Time

Modeling of real-time properties requires no change in the basic notions described above. Only an implicit layer of superposition is needed for augmenting a model with two dedicated variables. For simplicity, the assumption is made that each action is executed instantaneously, and time will only pass between consecutive actions. Notice, however, that the underlying logic associates properties with individual behaviors, which means that average efficiency properties, for instance, are not expressible.

In the following, a dedicated clock variable is used to record the most recent execution moment of any action. Each action is augmented with an implicit parameter, whose value will indicate the execution moment. Implicit strengthening of all guards and bodies in terms of this parameter has the effect that actions are modeled to be executed in non-decreasing order of time parameters, and the clock variable will grow monotonically.

Another implicit variable is introduced for deadlines. Whenever a deadline d time units after the current clock value is needed for some future action, an explicit "statement" of the form $x' = \mathit{on}(d)$, "executed" in an action body, adds it to the set of deadlines. An implicit conjunct in all guards, which bounds the time parameter by the minimum of the pending deadlines, then prevents advancing beyond this deadline, and an eventual "execution" of $\mathit{off}(x)$ will remove it from the set.

Unlike for explicit variables, subsequent layers of superposition may affect the values of the clock and deadline variables. However, disallowing explicit access to these variables maintains the desired characteristic that all safety properties are always preserved.

Obviously, expressing real-time properties does not need the clock or deadline variables explicitly. Fairness still remains as the only "force" that can force actions into execution. It is the role of the deadline variable to make sure that an "eventual" execution will take place soon enough. An advantage of this approach is that real time has no effect on how properties are reasoned about.

There is no axiom that would require the clock to grow unboundedly, even when an infinite number of actions are executed. Obviously, Zeno behaviors, where an infinite number of actions are executed in finite time, are not possible in reality. As discussed in [1, 11], they are not harmful in specifications, unless no other alternatives remain possible in some situations. In general, this gives an additional proof obligation for real-time specifications.

Starting with a logical specification with no real time is natural for event-triggered systems. The simple example in Section 5 demonstrates that the approach can also be used for time-triggered systems, where real-time scheduling considerations usually dominate over issues of logical correctness.

In connection with real time, the closed-system principle raises the need for modeling also continuously changing state functions in the environment. As discussed in [10], the approach can be extended in a natural manner to deal with this kind of hybrid modeling.

5 Example

To illustrate some of the possibilities described above, we discuss the specification of a mobile robot (toy car) that moves following a tape on the floor. (The specification has been used as a basis for an implementation in our laboratory.) As input the control software receives readings from an odometer and from sensors that sense the relative position of the car with respect to the tape. The outputs control engine speed and steering. In addition, there is a switch to start and stop the car. For simplicity, a constant target speed is assumed.

With only a few variables and little need for component structuring, object-orientation does not seem to offer much help for this case study. Instead, we will show how layered derivation by superposition and composition allows one to separate different aspects of the specification into different layers.

5.1 Basic Actions

In the first layer we include variables r_dist and r_tape to record the distance driven after the previous odometer reading and the position of the car with respect to the tape. Similarly, c_engine and c_steer contain control parameters given to the engine and the steering. All are assumed to be initialized as 0.

In superposition-based design, all actions that modify given variables must be given in the layer where the variables are introduced. Three actions are introduced to deal with the above variables: Clear clears them all, Read models the reading of sensors, and Control the setting of control parameters. For clarity, subscripts are used to indicate the layer in which an action has been defined:
$$\mathit{Clear}_0 = \mathit{true} \rightarrow \mathit{r\_dist}' = \mathit{r\_tape}' = \mathit{c\_engine}' = \mathit{c\_steer}' = 0;$$
$$\mathit{Read}_0(x, y : \mathit{real}) = \mathit{true} \rightarrow \mathit{r\_dist}' = x \wedge \mathit{r\_tape}' = y;$$
$$\mathit{Control}_0(x, y : \mathit{real}) = \mathit{true} \rightarrow \mathit{c\_engine}' = x \wedge \mathit{c\_steer}' = y.$$
At this level, actions can be executed in an arbitrary order, parameter values are arbitrary reals, and no liveness properties have been specified.

5.2 Drive States

In the next layer we impose logical control on driving, without paying attention to control algorithms. Variable switch : {on, off}, initialized as off, is used to model the switch, and a three-state system d_state : {start, read, control}, initialized as start, is introduced for drive control. Turning the switch is expressed by the simple action
$$\mathit{Turn}_1 = \mathit{true} \rightarrow \mathit{switch}' = (\mathbf{if}\ \mathit{switch} = \mathit{off}\ \mathbf{then}\ \mathit{on}\ \mathbf{else}\ \mathit{off}).$$
Once the switch is on, driving can start, and the state will then alternate between read (for refined Read actions) and control (for refined Control actions):
$$\mathit{Start}^*_1 = (\mathit{switch} = \mathit{on}) \wedge \mathit{d\_state} = \mathit{start} \rightarrow \mathit{d\_state}' = \mathit{read};$$
$$\mathit{Read}^*_1(x, y : \mathit{real}) = \mathit{Read}_0(x, y) \wedge \mathit{switch} = \mathit{on} \wedge \mathit{d\_state} = \mathit{read} \rightarrow \mathit{d\_state}' = \mathit{control};$$
$$\mathit{Control}^*_1(x, y : \mathit{real}) = \mathit{Control}_0(x, y) \wedge \mathit{switch} = \mathit{on} \wedge \mathit{d\_state} = \mathit{control} \rightarrow \mathit{d\_state}' = \mathit{read}.$$
The asterisks in these and subsequent actions indicate the fairness requirement that repeated enabling forces these actions into eventual execution. If the switch is turned off, the initial state is reentered by a refined action Clear:
$$\mathit{Stop}^*_1 = \mathit{Clear}_0 \wedge \mathit{switch} = \mathit{off} \rightarrow \mathit{d\_state}' = \mathit{start}.$$

5.3 Control Algorithms

Algorithms for determining control values for the engine and the steering can be introduced independently of drive states. Therefore, this layer is given as another superposition on the initial layer. Because of friction, three engine states are distinguished in movement control: the value of a new enumeration variable e_state is power_up when no movement has been sensed, moves when movement has just been sensed, or normal otherwise. The P algorithm is used in the normal state. The PID algorithm is used for steering. This needs two new variables, r_tape_old for the previous recording of the tape position, and r_tape_ma for the moving average of the n most recent readings. Action Clear is augmented at this stage to reinitialize the new variables:
$$\mathit{Clear}_2 = \mathit{Clear}_0 \rightarrow \mathit{e\_state}' = \mathit{power\_up} \wedge \mathit{r\_tape\_old}' = \mathit{r\_tape\_ma}' = 0.$$
Omitting details of the control functions, actions Read and Control are refined as
$$\mathit{Read}_2(x, y : \mathit{real}) = \mathit{Read}_0(x, y) \rightarrow \mathit{e\_state}' = (\mathbf{if}\ x = \mathit{r\_dist} = 0\ \mathbf{then}\ \mathit{power\_up}\ \mathbf{else\ if}\ x > \mathit{r\_dist} = 0\ \mathbf{then}\ \mathit{moves}\ \mathbf{else}\ \mathit{normal}) \wedge \mathit{r\_tape\_ma}' = ((n-1)\,\mathit{r\_tape\_ma} - \mathit{r\_tape})/n \wedge \mathit{r\_tape\_old}' = \mathit{r\_tape};$$
$$\mathit{Control}_2(x, y : \mathit{real}) = \mathit{Control}_0(x, y) \wedge x = (\mathbf{if}\ |\mathit{r\_tape}| > \mathit{limit}\ \mathbf{then}\ 0\ \mathbf{else}\ f(\mathit{e\_state}, \mathit{c\_engine}, \mathit{r\_dist})) \wedge y = g(\mathit{r\_tape}, \mathit{r\_tape\_old}, \mathit{r\_tape\_ma}).$$

Figure 2: Layers of specification (Basic Actions; Drive States, Control Algorithms and Interrupts built on it; and the Combined Specification).

5.4 Interrupts

To design time-triggered execution of the read-control cycle, timeouts at constant intervals d are modeled in an independent specification layer. To distinguish whether a timeout has been set, another enumeration variable is introduced, i_state : {uninitialized, initialized}. Variable next is used to store the deadline needed for the timeout. The first timeout is set by
$$\mathit{Set\_timeout}^*_3 = (\mathit{i\_state} = \mathit{uninitialized}) \rightarrow \mathit{i\_state}' = \mathit{initialized} \wedge \mathit{next}' = \mathit{on}(d),$$
which simply inserts the deadline d time units after the current clock value into the set of deadlines. After that, action Timeout will be executed at constant intervals d:
$$\mathit{Timeout}^*_3 = (\mathit{i\_state} = \mathit{initialized}) \wedge \mathit{clock} = \mathit{next} \rightarrow \mathit{off}(\mathit{next}) \wedge \mathit{next}' = \mathit{on}(d).$$
Obviously, clock readings in these actions will grow unboundedly, and Zeno behaviors are therefore not possible.

5.5 Combining the Layers

When the layers are combined (see Fig. 2), actions that have the same ancestors in Basic Actions must be synchronized. For instance, Stop_1 must always be executed together with Clear_2. Independent actions, like Start_1 and Timeout_3, may or may not be synchronized.

Read actions are intended to be triggered by Timeout. This effect is achieved by their synchronization. Action Control should be executed immediately after this. Denoting the duration of Read by e, e < d, and using variable now to record when it finishes, the resulting Read action is
$$\mathit{Read}^*(x, y : \mathit{real}) = \mathit{Read}_1(x, y) \wedge \mathit{Read}_2(x, y) \wedge \mathit{Timeout}_3 \rightarrow \mathit{now}' = \mathit{on}(e).$$
When Control is refined into
$$\mathit{Control}^*(x, y : \mathit{real}) = \mathit{Control}_1 \wedge \mathit{Control}_2 \wedge \mathit{clock} = \mathit{now} \rightarrow \mathit{off}(\mathit{now}),$$
it will then be executed immediately after Read. Since timeouts should not be disabled when the drive state is not in the read-control cycle, a non-synchronized refinement of Timeout_3 is also needed:
$$\mathit{Mere\_timeout}^* = \mathit{Timeout}_3 \wedge \mathit{d\_state} = \mathit{start}.$$
Furthermore, if the car is stopped between Read and Control, the timeout for the latter must be removed:
$$\mathit{Stop}^* = \mathit{Stop}_1 \wedge \mathit{Clear}_2 \rightarrow \mathit{off}(\mathit{now}).$$
Without these, or if e > d, the construction would be incorrect, since the liveness properties of the Interrupts layer would not be preserved.
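To see the timing constraints of the combined layers at work, here is an added example, not from the paper, that simulates the Drive States and Interrupts layers together with the implicit real-time layer of Section 4.3 in Python. The clock variable and the deadline set are named tau and delta here, on(k) and off(v) are written out as insertions into and removals from delta, and the implicit guard that bounds an action's time parameter between the current clock value and the earliest pending deadline is applied by the scheduler. The control algorithms of Section 5.3 are omitted, the sensor readings are constructed constants, and the guard of Stop is strengthened with d_state ≠ start (a choice made for this simulation, not in the paper) so that the simulation does not re-execute Stop indefinitely. The run with e < d produces the periodic Read/Control cycle, the run with the switch turned off shows Stop removing the pending Control deadline while Mere_timeout keeps the clock advancing, and the run with e > d stops where no action can execute before the deadline set by Timeout, which is the incorrect construction the text warns about.

```python
"""Simulation of the combined robot layers (Sections 5.2, 5.4, 5.5) with the implicit
real-time variables of Section 4.3.  Added example; the names tau/delta, the readings
and the strengthened Stop guard are choices made here, not the paper's."""
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class State:
    switch: str = "off"               # Drive States: on | off
    d_state: str = "start"            # Drive States: start | read | control
    i_state: str = "uninitialized"    # Interrupts: uninitialized | initialized
    next: Optional[int] = None        # deadline of the next Timeout
    now: Optional[int] = None         # deadline of the Control that follows a Read
    r_dist: float = 0.0               # Basic Actions (Read_0 / Clear_0)
    r_tape: float = 0.0
    tau: int = 0                      # implicit clock: moment of the latest action
    delta: FrozenSet[int] = frozenset()   # implicit set of pending deadlines


def combined_layers(d, e, x=1.0, y=0.0):
    """Actions of the combined specification (Section 5.5) as (name, guard, body).
    Guards and bodies take the state and the action's time parameter t; x, y are
    constructed sensor readings.  on(k) becomes t + k added to delta, off(v) becomes
    v removed from delta."""
    def set_timeout(s, t):
        return replace(s, i_state="initialized", next=t + d, delta=s.delta | {t + d})

    def start(s, t):
        return replace(s, d_state="read")

    def read(s, t):     # Read* = Read_1 /\ Read_2 /\ Timeout_3 -> now' = on(e)
        return replace(s, r_dist=x, r_tape=y, d_state="control", next=t + d, now=t + e,
                       delta=(s.delta - {s.next}) | {t + d, t + e})

    def control(s, t):  # Control* = Control_1 /\ Control_2 /\ clock = now -> off(now)
        return replace(s, d_state="read", now=None, delta=s.delta - {s.now})

    def mere_timeout(s, t):
        return replace(s, next=t + d, delta=(s.delta - {s.next}) | {t + d})

    def stop(s, t):     # Stop* = Stop_1 /\ Clear_2 -> off(now)
        return replace(s, d_state="start", r_dist=0.0, r_tape=0.0, now=None,
                       delta=s.delta - {s.now})

    return [
        ("Set_timeout", lambda s, t: s.i_state == "uninitialized", set_timeout),
        ("Start", lambda s, t: s.switch == "on" and s.d_state == "start", start),
        ("Read", lambda s, t: s.switch == "on" and s.d_state == "read"
         and s.i_state == "initialized" and t == s.next, read),
        ("Control", lambda s, t: s.switch == "on" and s.d_state == "control"
         and t == s.now, control),
        ("Mere_timeout", lambda s, t: s.i_state == "initialized" and t == s.next
         and s.d_state == "start", mere_timeout),
        # d_state != start is a simulation choice: it keeps Stop from re-executing.
        ("Stop", lambda s, t: s.switch == "off" and s.d_state != "start", stop),
    ]


def enabled(s, guard, t):
    """Implicit real-time guard (Section 4.3): t >= tau and t <= min(delta),
    conjoined with the action's explicit guard."""
    return t >= s.tau and (not s.delta or t <= min(s.delta)) and guard(s, t)


def step(actions, s):
    """Execute one action: first try the current clock value, then the earliest deadline
    (time only passes between actions).  Returns (name, new state) or None if stuck."""
    for t in [s.tau] + ([min(s.delta)] if s.delta else []):
        for name, guard, body in actions:
            if enabled(s, guard, t):
                return name, replace(body(s, t), tau=t)
    return None


def run(d, e, steps, turn_off_before=None):
    """Switch on at time 0 (Turn_1 executed by the environment), then execute `steps`
    actions; optionally execute Turn_1 again before step index `turn_off_before`.
    Returns (trace of (action, time), missed deadline or None)."""
    actions = combined_layers(d, e)
    s, trace = State(switch="on"), []
    for i in range(steps):
        if i == turn_off_before:
            s = replace(s, switch="off")
        r = step(actions, s)
        if r is None:            # no action can execute before the earliest deadline
            return trace, min(s.delta, default=None)
        name, s = r
        trace.append((name, s.tau))
    return trace, None


if __name__ == "__main__":
    print(run(10, 3, 8))          # periodic Read/Control cycle
    print(run(10, 12, 8))         # e > d: stuck at the deadline 20
```

With d = 10 and e = 3, Read executes at 10, 20, 30 and Control at 13, 23, 33; with e = 12 the Read at 10 leaves deadlines 20 (next Timeout) and 22 (Control) in delta, and since d_state is control the only action that could meet deadline 20 is disabled, so the simulation reports deadline 20 as missed.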

6 Concluding Remarks

As stated in the Introduction, emphasis on tools and techniques often overshadows theoretical understanding. In particular, abstractions that are suitable for implementation are too low-level for specification and for theoretically justified design methods. In this paper we have outlined how a TLA-based theory reflects some important concerns in the specification of reactive systems. Although tool aspects have been omitted here, the underlying notions also give a suitable basis for tool development and graphical visualization [17, 8].

Except for explicit indication of fairness requirements, our execution model for operational specifications is similar to the one in UNITY [3]. Ours was originally developed for the design of distributed systems [2], and was adapted to the modeling of generalized object-oriented patterns in the DisCo language [7, 6]. Combining experimental work in DisCo with the theoretical foundations given by TLA led to the theory described in this paper. For another TLA-based approach to compositional specification the reader is referred to cTLA [5].

The treatment of time was inspired by related work in TLA [1]. The facilities described here are a further development of those discussed in [9, 10], and we feel that they make the transition from non-timed to timed specifications smoother than the separate "tick" actions and general timer constructions used elsewhere.

One of the unique characteristics of this theory is its support for layered structuring of specifications. As illustrated by the above example, this structure need not coincide with component structure, which is not necessarily suitable for understanding temporal behaviors. For instance, consider the final action Read, which in its complete form is
$$\begin{array}{l}
\mathit{Read}^*(x, y : \mathit{real}) = (\mathit{switch} = \mathit{on}) \wedge \mathit{d\_state} = \mathit{read} \wedge \mathit{i\_state} = \mathit{initialized} \wedge \mathit{clock} = \mathit{next} \\
\quad \rightarrow \mathit{r\_dist}' = x \wedge \mathit{r\_tape}' = y \wedge \mathit{d\_state}' = \mathit{control} \\
\quad \wedge\ \mathit{e\_state}' = (\mathbf{if}\ x = \mathit{r\_dist} = 0\ \mathbf{then}\ \mathit{power\_up}\ \mathbf{else\ if}\ x > \mathit{r\_dist} = 0\ \mathbf{then}\ \mathit{moves}\ \mathbf{else}\ \mathit{normal}) \\
\quad \wedge\ \mathit{r\_tape\_ma}' = ((n-1)\,\mathit{r\_tape\_ma} - \mathit{r\_tape})/n \wedge \mathit{r\_tape\_old}' = \mathit{r\_tape} \\
\quad \wedge\ \mathit{off}(\mathit{next}) \wedge \mathit{next}' = \mathit{on}(d) \wedge \mathit{now}' = \mathit{on}(e).
\end{array}$$
No component structure would help in analyzing its contributions to global behaviors, but specification layers organize its parts logically, giving the specification a structure that is similar to the "slices" advocated in [19] for program testing, and to the "projections" proposed in [15] for verification.

Acknowledgements

The work described in this paper was supported by the Academy of Finland (projects and 29110).

References

[1] Abadi, M., Lamport, L., An old-fashioned recipe for real time, ACM Trans. Program. Lang. Syst. 16, 5, Sep. 1994, 1543–1571.
[2] Back, R. J. R., Kurki-Suonio, R., Decentralization of process nets with a centralized control, Distributed Computing 1989, 3: 73–87. An earlier version in Proc. 2nd ACM SIGACT-SIGOPS Symp. on Principles of Distributed Computing, 1983, 131–142.
[3] Chandy, K. M., Misra, J., Parallel Program Design, A Foundation, Addison-Wesley.
[4] Harel, D., Statecharts: a visual formalism for complex systems, Science of Computer Programming 8, 1987, 231–274.
[5] Herrmann, P., Krumm, H., Compositional specification and verification of high-speed transfer protocols, Protocol Specification, Testing, and Verification XIV (Eds. S. T. Vuong, S. T. Chanson), Chapman & Hall 1994, 339–346.
[6] Järvinen, H.-M., The Design of a Specification Language for Reactive Systems. Tampere University of Technology, Publication 95.
[7] Järvinen, H.-M., Kurki-Suonio, R., Sakkinen, M., Systä, K., Object-oriented specification of reactive systems, Proc. 12th Int. Conf. on Software Eng., 1990, 63–71.
[8] Kellomäki, P., Verification of reactive systems using DisCo and PVS, FME'97: Industrial Applications and Strengthened Foundations of Formal Methods (Eds. J. Fitzgerald, C. B. Jones, P. Lucas), Springer-Verlag LNCS 1313, 1997.
[9] Kurki-Suonio, R., Stepwise refinement of real-time systems, IEEE Trans. Software Eng. 19, 1, Jan. 1993, 56–69.
[10] Kurki-Suonio, R., Hybrid models with fairness and distributed clocks, Hybrid Systems (Eds. R. L. Grossman, A. Nerode, A. P. Ravn and H. Rischel), Springer-Verlag LNCS 736, 1993, 103–120.
[11] Kurki-Suonio, R., Real time: further misconceptions (or half-truths), IEEE Computer 27, 6, June 1994, 71–76.
[12] Kurki-Suonio, R., Fundamentals of object-oriented specification and modeling of collective behaviors, Object-Oriented Behavioral Specifications (Eds. H. Kilov and W. Harvey), Kluwer 1996, 101–120.
[13] Kurki-Suonio, R., Aggregation and inheritance in a temporal theory of object-oriented models. Submitted for publication.
[14] Kurki-Suonio, R., Refinement and composition in TLA-based closed-system specifications. Submitted for publication.
[15] Lam, S. S., Shankar, A. U., Protocol verification via projections, IEEE Trans. Software Eng. SE-10, 4, July 1984, 325–342.
[16] Lamport, L., The temporal logic of actions, ACM Trans. Program. Lang. Syst. 16, 3, May 1994, 872–923.
[17] Systä, K., A graphical tool for specification of reactive systems, Proc. Euromicro'91 Workshop on Real-Time Systems, 1991, 12–19.
[18] Wegner, P., Why interaction is more powerful than algorithms, Comm. ACM 40, 5, May 1997, 80–91.
[19] Weiser, M., Programmers use slices when debugging, Comm. ACM 25, 7, July 1982, 446–


Consistent Logical Checkpointing. Nitin H. Vaidya. Texas A&M University. Phone: Fax: Consistent Logical Checkpointing Nitin H. Vaidya Department of Computer Science Texas A&M University College Station, TX 77843-3112 hone: 409-845-0512 Fax: 409-847-8578 E-mail: vaidya@cs.tamu.edu Technical

More information

On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive Systems

On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive Systems On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive Systems Mika Katara Institute of Software Systems Tampere University of Technology P.O. Box 553, FIN-33101 Tampere,

More information

A UNITY-based Formalism for Dynamic Distributed Systems

A UNITY-based Formalism for Dynamic Distributed Systems A UNITY-based Formalism for Dynamic Distributed Systems Daniel M. Zimmerman Computer Science 256-80 California Institute of Technology Pasadena, California 91125 USA dmz@cs.caltech.edu Abstract We describe

More information

Composing Fair Objects

Composing Fair Objects Composing Fair Objects G.W. Hamilton School of Computer Applications Dublin City University Ireland hamilton@compapp.dcu.ie D. Méry Université Henri Poincaré Nancy France mery@loria.fr J.P. Gibson Department

More information

NOTES ON OBJECT-ORIENTED MODELING AND DESIGN

NOTES ON OBJECT-ORIENTED MODELING AND DESIGN NOTES ON OBJECT-ORIENTED MODELING AND DESIGN Stephen W. Clyde Brigham Young University Provo, UT 86402 Abstract: A review of the Object Modeling Technique (OMT) is presented. OMT is an object-oriented

More information

A Note on Fairness in I/O Automata. Judi Romijn and Frits Vaandrager CWI. Abstract

A Note on Fairness in I/O Automata. Judi Romijn and Frits Vaandrager CWI. Abstract A Note on Fairness in I/O Automata Judi Romijn and Frits Vaandrager CWI P.O. Box 94079, 1090 GB Amsterdam, The Netherlands judi@cwi.nl, fritsv@cwi.nl Abstract Notions of weak and strong fairness are studied

More information

RTC: Language Support for Real-Time Concurrency

RTC: Language Support for Real-Time Concurrency RTC: Language Support for Real-Time Concurrency Insup Lee, Susan Davidson, and Victor Wolfe 1 Introduction The RTC (Real-Time Concurrency) programming concepts and language constructs for expressing timing

More information

Model-based Testing Using Scenarios and Event-B Refinements

Model-based Testing Using Scenarios and Event-B Refinements Model-based Testing Using Scenarios and Event-B Refinements Qaisar A. Malik, Johan Lilius, and Linas Laibinis Åbo Akademi University, Department of Information Technologies Turku Centre for Computer Science

More information

A Boolean Expression. Reachability Analysis or Bisimulation. Equation Solver. Boolean. equations.

A Boolean Expression. Reachability Analysis or Bisimulation. Equation Solver. Boolean. equations. A Framework for Embedded Real-time System Design? Jin-Young Choi 1, Hee-Hwan Kwak 2, and Insup Lee 2 1 Department of Computer Science and Engineering, Korea Univerity choi@formal.korea.ac.kr 2 Department

More information

Handout 9: Imperative Programs and State

Handout 9: Imperative Programs and State 06-02552 Princ. of Progr. Languages (and Extended ) The University of Birmingham Spring Semester 2016-17 School of Computer Science c Uday Reddy2016-17 Handout 9: Imperative Programs and State Imperative

More information

Breakpoints and Halting in Distributed Programs

Breakpoints and Halting in Distributed Programs 1 Breakpoints and Halting in Distributed Programs Barton P. Miller Jong-Deok Choi Computer Sciences Department University of Wisconsin-Madison 1210 W. Dayton Street Madison, Wisconsin 53706 Abstract Interactive

More information

A Mechanically and Incremental Development of the Remote Authentication Dial-In User Service Protocol

A Mechanically and Incremental Development of the Remote Authentication Dial-In User Service Protocol A Mechanically and Incremental Development of the Remote Authentication Dial-In User Service Protocol Sanae El Mimouni, Rajaa Filali, Anas Amamou, Bahija Boulamaat and Mohamed Bouhdadi Abstract The Remote

More information

to automatically generate parallel code for many applications that periodically update shared data structures using commuting operations and/or manipu

to automatically generate parallel code for many applications that periodically update shared data structures using commuting operations and/or manipu Semantic Foundations of Commutativity Analysis Martin C. Rinard y and Pedro C. Diniz z Department of Computer Science University of California, Santa Barbara Santa Barbara, CA 93106 fmartin,pedrog@cs.ucsb.edu

More information

perform. If more storage is required, more can be added without having to modify the processor (provided that the extra memory is still addressable).

perform. If more storage is required, more can be added without having to modify the processor (provided that the extra memory is still addressable). How to Make Zuse's Z3 a Universal Computer Raul Rojas January 14, 1998 Abstract The computing machine Z3, built by Konrad Zuse between 1938 and 1941, could only execute xed sequences of oating-point arithmetical

More information

Introduction to Formal Methods

Introduction to Formal Methods 2008 Spring Software Special Development 1 Introduction to Formal Methods Part I : Formal Specification i JUNBEOM YOO jbyoo@knokuk.ac.kr Reference AS Specifier s Introduction to Formal lmethods Jeannette

More information

Scenario-based Synthesis of Annotated Class Diagrams in UML

Scenario-based Synthesis of Annotated Class Diagrams in UML Scenario-based Synthesis of Annotated Class Diagrams in UML Petri Selonen and Tarja Systä Tampere University of Technology, Software Systems Laboratory, P.O.Box 553, FIN-33101 Tampere, Finland {pselonen,tsysta}@cs.tut.fi

More information

Automatic synthesis of switching controllers for linear hybrid systems: Reachability control

Automatic synthesis of switching controllers for linear hybrid systems: Reachability control Automatic synthesis of switching controllers for linear hybrid systems: Reachability control Massimo Benerecetti and Marco Faella Università di Napoli Federico II, Italy Abstract. We consider the problem

More information

Programming Languages Third Edition

Programming Languages Third Edition Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar with a sample small language for the purpose of semantic specification Understand operational semantics Understand

More information

B2 if cs < cs_max then cs := cs + 1 cs := 1 ra

B2 if cs < cs_max then cs := cs + 1 cs := 1 ra Register Transfer Level VHDL Models without Clocks Matthias Mutz (MMutz@sican{bs.de) SICAN Braunschweig GmbH, Digital IC Center D{38106 Braunschweig, GERMANY Abstract Several hardware compilers on the

More information

Modelling, Specification and Verification of an Emergency Closing System

Modelling, Specification and Verification of an Emergency Closing System From: FLAIRS-00 Proceedings. Copyright 2000, AAAI (www.aaai.org). All rights reserved. Modelling, Specification and Verification of an Emergency Closing System Werner Stephan and Georg Rock and Michael

More information

Transport protocols are of practical. login, le transfer, and remote procedure. calls. will operate on and therefore are generally

Transport protocols are of practical. login, le transfer, and remote procedure. calls. will operate on and therefore are generally Hazard-Free Connection Release Jennifer E. Walter Department of Computer Science Texas A&M University College Station, TX 77843-3112, U.S.A. Jennifer L. Welch Department of Computer Science Texas A&M University

More information

Dynamic Logic David Harel, The Weizmann Institute Dexter Kozen, Cornell University Jerzy Tiuryn, University of Warsaw The MIT Press, Cambridge, Massac

Dynamic Logic David Harel, The Weizmann Institute Dexter Kozen, Cornell University Jerzy Tiuryn, University of Warsaw The MIT Press, Cambridge, Massac Dynamic Logic David Harel, The Weizmann Institute Dexter Kozen, Cornell University Jerzy Tiuryn, University of Warsaw The MIT Press, Cambridge, Massachusetts, 2000 Among the many approaches to formal reasoning

More information

Lecture 2 - Graph Theory Fundamentals - Reachability and Exploration 1

Lecture 2 - Graph Theory Fundamentals - Reachability and Exploration 1 CME 305: Discrete Mathematics and Algorithms Instructor: Professor Aaron Sidford (sidford@stanford.edu) January 11, 2018 Lecture 2 - Graph Theory Fundamentals - Reachability and Exploration 1 In this lecture

More information

Proc. XVIII Conf. Latinoamericana de Informatica, PANEL'92, pages , August Timed automata have been proposed in [1, 8] to model nite-s

Proc. XVIII Conf. Latinoamericana de Informatica, PANEL'92, pages , August Timed automata have been proposed in [1, 8] to model nite-s Proc. XVIII Conf. Latinoamericana de Informatica, PANEL'92, pages 1243 1250, August 1992 1 Compiling Timed Algebras into Timed Automata Sergio Yovine VERIMAG Centre Equation, 2 Ave de Vignate, 38610 Gieres,

More information

Incompatibility Dimensions and Integration of Atomic Commit Protocols

Incompatibility Dimensions and Integration of Atomic Commit Protocols The International Arab Journal of Information Technology, Vol. 5, No. 4, October 2008 381 Incompatibility Dimensions and Integration of Atomic Commit Protocols Yousef Al-Houmaily Department of Computer

More information

Propositional Logic. Part I

Propositional Logic. Part I Part I Propositional Logic 1 Classical Logic and the Material Conditional 1.1 Introduction 1.1.1 The first purpose of this chapter is to review classical propositional logic, including semantic tableaux.

More information

The Encoding Complexity of Network Coding

The Encoding Complexity of Network Coding The Encoding Complexity of Network Coding Michael Langberg Alexander Sprintson Jehoshua Bruck California Institute of Technology Email: mikel,spalex,bruck @caltech.edu Abstract In the multicast network

More information

Algebraic Properties of CSP Model Operators? Y.C. Law and J.H.M. Lee. The Chinese University of Hong Kong.

Algebraic Properties of CSP Model Operators? Y.C. Law and J.H.M. Lee. The Chinese University of Hong Kong. Algebraic Properties of CSP Model Operators? Y.C. Law and J.H.M. Lee Department of Computer Science and Engineering The Chinese University of Hong Kong Shatin, N.T., Hong Kong SAR, China fyclaw,jleeg@cse.cuhk.edu.hk

More information

Joint Entity Resolution

Joint Entity Resolution Joint Entity Resolution Steven Euijong Whang, Hector Garcia-Molina Computer Science Department, Stanford University 353 Serra Mall, Stanford, CA 94305, USA {swhang, hector}@cs.stanford.edu No Institute

More information

Verication of Reactive Systems. Using DisCo and PVS. Pertti Kellomaki. Tampere University of Technology. Finland

Verication of Reactive Systems. Using DisCo and PVS. Pertti Kellomaki. Tampere University of Technology. Finland Verication of Reactive Systems Using DisCo and PVS Pertti Kellomaki Tampere University of Technology Software Systems Laboratory Finland Abstract. We have provided mechanical verication support for the

More information

Resource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems

Resource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems Resource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems Insup Lee 1, Oleg Sokolsky 1, Anna Philippou 2 1 RTG (Real-Time Systems Group) Department of

More information

Distributed Systems Programming (F21DS1) Formal Verification

Distributed Systems Programming (F21DS1) Formal Verification Distributed Systems Programming (F21DS1) Formal Verification Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview Focus on

More information

Concurrent Programming Lecture 3

Concurrent Programming Lecture 3 Concurrent Programming Lecture 3 3rd September 2003 Atomic Actions Fine grain atomic action We assume that all machine instructions are executed atomically: observers (including instructions in other threads)

More information

Distributed minimum spanning tree problem

Distributed minimum spanning tree problem Distributed minimum spanning tree problem Juho-Kustaa Kangas 24th November 2012 Abstract Given a connected weighted undirected graph, the minimum spanning tree problem asks for a spanning subtree with

More information

XI International PhD Workshop OWD 2009, October Fuzzy Sets as Metasets

XI International PhD Workshop OWD 2009, October Fuzzy Sets as Metasets XI International PhD Workshop OWD 2009, 17 20 October 2009 Fuzzy Sets as Metasets Bartłomiej Starosta, Polsko-Japońska WyŜsza Szkoła Technik Komputerowych (24.01.2008, prof. Witold Kosiński, Polsko-Japońska

More information

Thirty one Problems in the Semantics of UML 1.3 Dynamics

Thirty one Problems in the Semantics of UML 1.3 Dynamics Thirty one Problems in the Semantics of UML 1.3 Dynamics G. Reggio R.J. Wieringa September 14, 1999 1 Introduction In this discussion paper we list a number of problems we found with the current dynamic

More information

Modal Logic: Implications for Design of a Language for Distributed Computation p.1/53

Modal Logic: Implications for Design of a Language for Distributed Computation p.1/53 Modal Logic: Implications for Design of a Language for Distributed Computation Jonathan Moody (with Frank Pfenning) Department of Computer Science Carnegie Mellon University Modal Logic: Implications for

More information

diasem_r(1) unfold_l(3) N12 N13 unfold_l(3) N14 unfold_l(1) N16 N10 N17

diasem_r(1) unfold_l(3) N12 N13 unfold_l(3) N14 unfold_l(1) N16 N10 N17 Tool Description for ETAPS'01/TACAS: The EVT Erlang Verication Tool Thomas Noll 1, Lars{ake Fredlund 2, and Dilian Gurov 2 1 Department of Teleinformatics, Royal Institute of Technology (KTH), Stockholm,

More information

Implementing Sequential Consistency In Cache-Based Systems

Implementing Sequential Consistency In Cache-Based Systems To appear in the Proceedings of the 1990 International Conference on Parallel Processing Implementing Sequential Consistency In Cache-Based Systems Sarita V. Adve Mark D. Hill Computer Sciences Department

More information

The Compositional C++ Language. Denition. Abstract. This document gives a concise denition of the syntax and semantics

The Compositional C++ Language. Denition. Abstract. This document gives a concise denition of the syntax and semantics The Compositional C++ Language Denition Peter Carlin Mani Chandy Carl Kesselman March 12, 1993 Revision 0.95 3/12/93, Comments welcome. Abstract This document gives a concise denition of the syntax and

More information

INCONSISTENT DATABASES

INCONSISTENT DATABASES INCONSISTENT DATABASES Leopoldo Bertossi Carleton University, http://www.scs.carleton.ca/ bertossi SYNONYMS None DEFINITION An inconsistent database is a database instance that does not satisfy those integrity

More information

Cover Page. The handle holds various files of this Leiden University dissertation

Cover Page. The handle   holds various files of this Leiden University dissertation Cover Page The handle http://hdl.handle.net/1887/22891 holds various files of this Leiden University dissertation Author: Gouw, Stijn de Title: Combining monitoring with run-time assertion checking Issue

More information

Chapter 2 Overview of the Design Methodology

Chapter 2 Overview of the Design Methodology Chapter 2 Overview of the Design Methodology This chapter presents an overview of the design methodology which is developed in this thesis, by identifying global abstraction levels at which a distributed

More information

Petri-net-based Workflow Management Software

Petri-net-based Workflow Management Software Petri-net-based Workflow Management Software W.M.P. van der Aalst Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, NL-5600 MB, Eindhoven, The Netherlands,

More information

DISCRETE-event dynamic systems (DEDS) are dynamic

DISCRETE-event dynamic systems (DEDS) are dynamic IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 7, NO. 2, MARCH 1999 175 The Supervised Control of Discrete-Event Dynamic Systems François Charbonnier, Hassane Alla, and René David Abstract The supervisory

More information

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning Lecture 1 Contracts 15-122: Principles of Imperative Computation (Fall 2018) Frank Pfenning In these notes we review contracts, which we use to collectively denote function contracts, loop invariants,

More information

Heap-on-Top Priority Queues. March Abstract. We introduce the heap-on-top (hot) priority queue data structure that combines the

Heap-on-Top Priority Queues. March Abstract. We introduce the heap-on-top (hot) priority queue data structure that combines the Heap-on-Top Priority Queues Boris V. Cherkassky Central Economics and Mathematics Institute Krasikova St. 32 117418, Moscow, Russia cher@cemi.msk.su Andrew V. Goldberg NEC Research Institute 4 Independence

More information

A Lift Controller in Lustre. (a case study in developing a reactive system) Leszek Holenderski

A Lift Controller in Lustre. (a case study in developing a reactive system) Leszek Holenderski Presented at 5 th Nordic Workshop on Program Correctness, Turku, Finland, October 25{28, 1993. Published in Proc. of the 5 th Nordic Workshop on Program Correctness, ed. R.J.R. Back and K. Sere, Abo Akademi

More information

A framework for network modeling in Prolog

A framework for network modeling in Prolog A framework for network modeling in Prolog Zdravko I. Markov Institute of Engineering Cybernetics and Robotics Bulgarian Academy of Sciences Acad.G.Bonchev str. bl.29a f 1113 Sofia, Bulgaria Abstract A

More information

Incompatibility Dimensions and Integration of Atomic Commit Protocols

Incompatibility Dimensions and Integration of Atomic Commit Protocols Preprint Incompatibility Dimensions and Integration of Atomic Protocols, Yousef J. Al-Houmaily, International Arab Journal of Information Technology, Vol. 5, No. 4, pp. 381-392, October 2008. Incompatibility

More information

Asynchronous Models. Chapter Asynchronous Processes States, Inputs, and Outputs

Asynchronous Models. Chapter Asynchronous Processes States, Inputs, and Outputs Chapter 3 Asynchronous Models 3.1 Asynchronous Processes Like a synchronous reactive component, an asynchronous process interacts with other processes via inputs and outputs, and maintains an internal

More information

On the Structure and Sizes of Infinitely Large Sets of Numbers

On the Structure and Sizes of Infinitely Large Sets of Numbers 1 On the Structure and Sizes of Infinitely Large Sets of Numbers Introduction: This paper introduces The Axiom for the existence of finite integers. The Axiom shows that sets of integers having only finite

More information

. The problem: ynamic ata Warehouse esign Ws are dynamic entities that evolve continuously over time. As time passes, new queries need to be answered

. The problem: ynamic ata Warehouse esign Ws are dynamic entities that evolve continuously over time. As time passes, new queries need to be answered ynamic ata Warehouse esign? imitri Theodoratos Timos Sellis epartment of Electrical and Computer Engineering Computer Science ivision National Technical University of Athens Zographou 57 73, Athens, Greece

More information

A Mechanism for Sequential Consistency in a Distributed Objects System

A Mechanism for Sequential Consistency in a Distributed Objects System A Mechanism for Sequential Consistency in a Distributed Objects System Cristian Ţăpuş, Aleksey Nogin, Jason Hickey, and Jerome White California Institute of Technology Computer Science Department MC 256-80,

More information

SOME TYPES AND USES OF DATA MODELS

SOME TYPES AND USES OF DATA MODELS 3 SOME TYPES AND USES OF DATA MODELS CHAPTER OUTLINE 3.1 Different Types of Data Models 23 3.1.1 Physical Data Model 24 3.1.2 Logical Data Model 24 3.1.3 Conceptual Data Model 25 3.1.4 Canonical Data Model

More information

under Timing Constraints David Filo David Ku Claudionor N. Coelho, Jr. Giovanni De Micheli

under Timing Constraints David Filo David Ku Claudionor N. Coelho, Jr. Giovanni De Micheli Interface Optimization for Concurrent Systems under Timing Constraints David Filo David Ku Claudionor N. Coelho, Jr. Giovanni De Micheli Abstract The scope of most high-level synthesis eorts to date has

More information

A Simplied NP-complete MAXSAT Problem. Abstract. It is shown that the MAX2SAT problem is NP-complete even if every variable

A Simplied NP-complete MAXSAT Problem. Abstract. It is shown that the MAX2SAT problem is NP-complete even if every variable A Simplied NP-complete MAXSAT Problem Venkatesh Raman 1, B. Ravikumar 2 and S. Srinivasa Rao 1 1 The Institute of Mathematical Sciences, C. I. T. Campus, Chennai 600 113. India 2 Department of Computer

More information

The Global Standard for Mobility (GSM) (see, e.g., [6], [4], [5]) yields a

The Global Standard for Mobility (GSM) (see, e.g., [6], [4], [5]) yields a Preprint 0 (2000)?{? 1 Approximation of a direction of N d in bounded coordinates Jean-Christophe Novelli a Gilles Schaeer b Florent Hivert a a Universite Paris 7 { LIAFA 2, place Jussieu - 75251 Paris

More information

Module 3. Requirements Analysis and Specification. Version 2 CSE IIT, Kharagpur

Module 3. Requirements Analysis and Specification. Version 2 CSE IIT, Kharagpur Module 3 Requirements Analysis and Specification Lesson 6 Formal Requirements Specification Specific Instructional Objectives At the end of this lesson the student will be able to: Explain what a formal

More information

From Event-B Models to Dafny Code Contracts

From Event-B Models to Dafny Code Contracts From Event-B Models to Dafny Code Contracts Mohammadsadegh Dalvandi, Michael Butler, Abdolbaghi Rezazadeh Electronic and Computer Science School, University of Southampton Southampton, United Kingdom {md5g11,mjb,ra3}@ecs.soton.ac.uk

More information

Program Design in PVS. Eindhoven University of Technology. Abstract. Hoare triples (precondition, program, postcondition) have

Program Design in PVS. Eindhoven University of Technology. Abstract. Hoare triples (precondition, program, postcondition) have Program Design in PVS Jozef Hooman Dept. of Computing Science Eindhoven University of Technology P.O. Box 513, 5600 MB Eindhoven, The Netherlands e-mail: wsinjh@win.tue.nl Abstract. Hoare triples (precondition,

More information

A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm

A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm Appears as Technical Memo MIT/LCS/TM-590, MIT Laboratory for Computer Science, June 1999 A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm Miguel Castro and Barbara Liskov

More information

Research Report. (Im)Possibilities of Predicate Detection in Crash-Affected Systems. RZ 3361 (# 93407) 20/08/2001 Computer Science 27 pages

Research Report. (Im)Possibilities of Predicate Detection in Crash-Affected Systems. RZ 3361 (# 93407) 20/08/2001 Computer Science 27 pages RZ 3361 (# 93407) 20/08/2001 Computer Science 27 pages Research Report (Im)Possibilities of Predicate Detection in Crash-Affected Systems Felix C. Gärtner and Stefan Pleisch Department of Computer Science

More information

SORT INFERENCE \coregular" signatures, they derive an algorithm for computing a most general typing for expressions e which is only slightly more comp

SORT INFERENCE \coregular signatures, they derive an algorithm for computing a most general typing for expressions e which is only slightly more comp Haskell Overloading is DEXPTIME{complete Helmut Seidl Fachbereich Informatik Universitat des Saarlandes Postfach 151150 D{66041 Saarbrucken Germany seidl@cs.uni-sb.de Febr., 1994 Keywords: Haskell type

More information

Real-Time Scalability of Nested Spin Locks. Hiroaki Takada and Ken Sakamura. Faculty of Science, University of Tokyo

Real-Time Scalability of Nested Spin Locks. Hiroaki Takada and Ken Sakamura. Faculty of Science, University of Tokyo Real-Time Scalability of Nested Spin Locks Hiroaki Takada and Ken Sakamura Department of Information Science, Faculty of Science, University of Tokyo 7-3-1, Hongo, Bunkyo-ku, Tokyo 113, Japan Abstract

More information

Steering. Stream. User Interface. Stream. Manager. Interaction Managers. Snapshot. Stream

Steering. Stream. User Interface. Stream. Manager. Interaction Managers. Snapshot. Stream Agent Roles in Snapshot Assembly Delbert Hart Dept. of Computer Science Washington University in St. Louis St. Louis, MO 63130 hart@cs.wustl.edu Eileen Kraemer Dept. of Computer Science University of Georgia

More information

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements System Correctness EEC 421/521: Software Engineering A Whirlwind Intro to Software Model Checking A system is correct when it meets its requirements a design without requirements cannot be right or wrong,

More information

TEMPORAL AND SPATIAL SEMANTIC MODELS FOR MULTIMEDIA PRESENTATIONS ABSTRACT

TEMPORAL AND SPATIAL SEMANTIC MODELS FOR MULTIMEDIA PRESENTATIONS ABSTRACT TEMPORAL AND SPATIAL SEMANTIC MODELS FOR MULTIMEDIA PRESENTATIONS Shu-Ching Chen and R. L. Kashyap School of Electrical and Computer Engineering Purdue University, West Lafayette, IN 47907-285, U.S.A.

More information

Conditional Branching is not Necessary for Universal Computation in von Neumann Computers Raul Rojas (University of Halle Department of Mathematics an

Conditional Branching is not Necessary for Universal Computation in von Neumann Computers Raul Rojas (University of Halle Department of Mathematics an Conditional Branching is not Necessary for Universal Computation in von Neumann Computers Raul Rojas (University of Halle Department of Mathematics and Computer Science rojas@informatik.uni-halle.de) Abstract:

More information

Programming Languages for Real-Time Systems. LS 12, TU Dortmund

Programming Languages for Real-Time Systems. LS 12, TU Dortmund Programming Languages for Real-Time Systems Prof. Dr. Jian-Jia Chen LS 12, TU Dortmund 20 June 2016 Prof. Dr. Jian-Jia Chen (LS 12, TU Dortmund) 1 / 41 References Slides are based on Prof. Wang Yi, Prof.

More information

ARELAY network consists of a pair of source and destination

ARELAY network consists of a pair of source and destination 158 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 55, NO 1, JANUARY 2009 Parity Forwarding for Multiple-Relay Networks Peyman Razaghi, Student Member, IEEE, Wei Yu, Senior Member, IEEE Abstract This paper

More information

Fault-Tolerant Real-Time Communication in FDDI-Based Networks. Biao Chen, Sanjay Kamat and Wei Zhao. Texas A&M University

Fault-Tolerant Real-Time Communication in FDDI-Based Networks. Biao Chen, Sanjay Kamat and Wei Zhao. Texas A&M University Fault-Tolerant Real-Time Communication in FDDI-Based Networks Biao Chen, Sanjay Kamat and Wei Zhao Department of Computer Science Texas A&M University College Station, Texas 7783-32 Abstract FDDI-Based

More information

Hyperplane Ranking in. Simple Genetic Algorithms. D. Whitley, K. Mathias, and L. Pyeatt. Department of Computer Science. Colorado State University
