Real-time specification patterns

PATTERN 系列之三

翻译约定:

temporal 时序的

摘要:

​ 1、基于对 一些工业上的嵌入式系统应用的基于时间的需求, 用三种常用的时序逻辑创造了实时规范模式。

​ 2、为了进一步加强对于一个规范的理解,给出了支持实时属性的结构化英语语法。

1、Introduction

常用的正式的规范语言, 如linear-time temporal logic (LTL),computational tree logic (CTL), graphical interval logic (GIL),都不能用于规范实时属性,因为他们不支持对时间的定量推理(quantitative reasoning)。

本文搜集了一些 可以用于规范嵌入式系统的实时属性 的实时性规范模式,这些模式保留了Dwyer的模式风格,但是是与Dwyer的模式互补的。作者提供了到上面三种常用语言的映射。

别人的工作 ,第一是没有完整的模式系统,二是属性通常仅根据一个实时时间逻辑来规定。对于第二个问题,本文确定了一个“common”的属性集,这个属性集在三种逻辑中都能够表达。最后,别人的工作也没有提供对 类似于Dwyer用于规范模式的 scope的支持。

本文给出了一个双管齐下的方法去解决对 规范实时系统的正式属性 的感知困难(the perceived difficulty with specifying formal properties of real-time systems):实时时间逻辑规范的模版(templates for real-time temporal logic specifications),以及对属性的自然语言规范。

本文的实时规范模式包括了 用三种常用的实时时间逻辑规范实时属性 的模版,这三种实时时间逻辑包括:metric temporal logic(MTL), timed computational tree logic(TCTL), real-time graphical interval logic(RTGIL)。

之所以选择这三种逻辑是因为:

​ 1、便于使用了Dwyer的规范模式的人,这三种逻辑都是与LTL、CTL、GIL直接相关的

​ 2、这三种逻辑都有 有着不同优缺点的工具 的支持,包括模型检查以及定理证明能力——能选择手头上最合适的系统模型

​ 3、MTL 和 TCTL 覆盖了线性时间 和 分支时间,而RTGIL是一个线性时间的时间逻辑——提供了一个易读的对属性的图形化表达。

此外,本文提出的结构化英文语法可以用来创建一个 关于被一个模式包含的一个规范 的自然语言表述。

本论文其余部分内容:

Section 2:回顾模式中使用的规范模式和三种时态逻辑

Section 3:描述实时指定模式模板和迄今为止未发现的模式。还根据它们所处理的属性类型提供模式的分类

Section 4:描述论文的方法在电子控制助力转向系统中的应用

Section 5:相关工作

Section 6:总结

2、Background

在本节中,我们将概述Dwyer等人的规范模式。并简要描述用于我们的模式的实时时间逻辑——MTL、TCTL和RTGIL。实时时间逻辑使用允许定量时间推理的时间运算符来扩展标准时间逻辑。在离散(discrete)时间领域(例如N)上解释的实时时间逻辑被称为离散实时时间逻辑(discrete real-time temporal logics)(例如,MTL),而在稠密(dense)时间领域(例如R)上解释的实时时间逻辑被称为稠密实时时间逻辑(dense real-time temporal logics)(例如,TCTL和RTGIL)。

本文使用不带 旧式时间运算符的 时间逻辑,主要是因为很少有分析工具支持老式的时间运算符了。

分析工具大致可以分成两类:

  • 异构分析工具(Heterogeneous Analysis Tools):用多种规范语言对系统建模,并针对系统检查属性。

  • 同构分析工具(Homogeneous Analysis Tools):使用相同的语言来建模系统和属性。

2.1 Specification Patterns

Dwyer等人描述了适用于以不同形式编写的规范的软件属性的几种模式,例如LTL,CTL,GIL和量化正则表达式(QRE)。

specification pattern又分为两种:

  • occurrence pattern

  • order pattern

虽然给定的规范模式可能有适用范围,但是原始规范模式(original specification pattern)不包含定时信息(timing information)。

2.2 MTL

MTL (Metric Temporal Logic, 标准时序逻辑) 是LTL(Linear-time temporal logic, 线性时间时序逻辑)的拓展,LTL被翻译成一个离散的时间线。

MTL假设了一个数字时钟(或者假想时钟,fictitious-clock),这个外部的离散的时钟以一个固定的速度运行(progress)。这个时钟与系统中其他元件是异步的,但是其他元件能随着时钟的每一次滴答同步地提高自己离散的时间变量。可以得知时钟的两次跳动之间的状态顺序,但不能得知其确切的发生时间。MTL包含了 always(□), eventually(◇), next(○), strong until(U), weak until(W) 等运算符的时间约束版本。

作为样例的异构分析工具包括了作者最近修订的UML形式化框架,这个框架使用一个 UML类的 Promela 表述和带有时间信息的状态图 ,去建模一个系统,并且使用MTL去规范正确属性(correctness properties)。

此外,Temporal Rover 支持将 MTL公式生成的代码 包含在程序代码中,以监视运行过程中 MTL规范的满足性。

2.3 TCTL

TCTL (Timed Computational Tree Logic, 定时计算逻辑) 是CTL (Computational Tree Logic) 的拓展。TCTL被解释成一个连续的时间线,包含always(G), eventually(F), strong until(U), weak until(W) 等运算符, 这些运算符都是被existentially(E) 或者 universally(A) 所量化的。

存在 支持TCTL(包括 UPPAAL, HyTech, Kronos等)的 异构分析工具。时间自动机被用于建模一个系统,而TCTL被用于规范属性的正确性。Kronos 完全支持TCTL,但UPPAAL和HyTech只在时序公式的开头支持量化,之后则专注于可达性分析(reachability analysis)。

2.4 RTGIL

RTGIL(Real-time graphical interval logic, 实时图形区间逻辑),以及它相应的文字表示RTFIL(Real-time future interval logic, 实时将来区间逻辑),都是对GIL(graphical interval logic) 和 GIL的文字表示 FIL(future interval logic),

RTGIL是一个连续时间(dense time)上解释的命题线性时间时序逻辑(propositional linear-time temporal logic)。

在RTGIL中,时间线用来显示计算的进展(progression)。间隔(interval) 可以在这个时间线上构造,间隔由两个状态分隔的时间线段表示(左闭右开)。

Intervals are constructed using search patterns with associated target formulae.

A search locates the first state in the future from the current position on the time line where the target formula holds (which might be the current state if the formula holds there).

Initial properties as well as henceforth or eventuality properties can be assigned to an interval.

RTGIL 只支持一个实时运算符——谓词len( len(d, D] ) ,指代间隔的持续时间($\gt d \bigwedge \le D, D可以是 \infin $)

RTGIL 由 RTGIL环境支持, RTGIL environment 包括:graphical editor, automated theorem prover, data base, proof manager component.

2.5 Discussion

RTGIL 和 MTL/TCTL的区别:

​ RTGIL constructs an interval by denoting the states that serve as endpoints to the interval and then places a bound on the duration of this interval.

​ MTL/TCTL construct an interval with a time-bounded operator and denote the states that can occur in this interval.

​ 简单来说就是:RTGIL——将state表示为端点, MUL/TCTL——表示state所发生的区间

所以,RTGIL 与 其他linear-time real-time temporal logic 互相是无法表达的。但是,RTGIL是少数decidable的dense real-time temporal logics之一。

a property expressed in one real-time temporal logic cannot be considered truly equivalent to the same property expressed in a different temporal logic.

3、Real-time Patterns

Our pattern system is intended to provide strategies for how to specify real-time properties in a formal specification language, where the properties are amenable to automated analysis.

Due to the selected temporal logics, certain properties are not expressible, for example:

  • properties that only apply to one path of execution (MTL and RTGIL formulas are always universally quantified)
  • certain properties with strict timing constraints (due to the limited expressiveness of the len predicate in RTGIL)

Selecting a different set of temporal logics leads to a different set of specification patterns.

3.1 Pattern Repository and Classification

three broad categories of real-time properties:

  • duration:captures properties that can be used to place bounds on the duration of an occurrence.
  • periodic: describes properties that address periodic occurrences.
  • real-time order: captures properties that place time bounds on the order of two occurrences.

real-time specification patterns

Category Pattern Name Description
Duration Minimum Duration Describes the minimum amount of time a state formula has to hold once it becomes true.
Maximum Duration Captures that a state formula always holds for less than a specified amount of time.
Periodic Bounded Recurrence Denotes the amount of time in which a state formula has to hold at least once.
Real-time Order Bounded Response Restricts the maximum amount of time that passes after a state formula holds until another state
Bounded Invariance Specifies the minimum amount of time a state formula must hold once another state formula is

3.2 Structured English

作者提出的 structured English grammar 支持定性的(qualitative) 也支持实时的 规范模式。

注:property的意思是scope后面接个\(逗号“,”\),再接specification,最后放个\(句号“.”\)。 事实上其他的语句也是一样,有点像字符串拼接 “xxx”+ str + “xxx”

注:语法的结构需要结合下面的rules

structured English Grammar's structure

Start

​ 1、property: scope \(“,”\) specification \(“.”\)

Scope:

​ 2、scope: \(“Globally”\) | \(“Before”\) R | \(“After”\) Q | \(“Between”\) Q \(“and”\) R| \(“After”\) Q \(“until”\) R

General:

​ 3、specification: \(qualitative Type\)| \(realtime Type\)

Qualitative:

​ 4、qualitativeType: \(occurrenceCategory\) | \(orderCategory\)

​ 5、occurrenceCategory: \(absencePattern\) | \(universalityPattern\) | \(existencePattern\) | \(boundedExistencePattern\)

​ 6、absencePattern: “it is never the case that” P “holds”

​ 7、universalityPattern: “it is always the case that” P “holds”

​ 8、existencePattern: P “eventually holds”

​ 9、boundedExistencePattern: “transitions to states in which” P “holds occur at most twice”

​ 10、orderCategory: “it is always the case that if ” P “holds“ \((precedencePattern\) | \(precedenceChainPattern1\)-\(2\) | \(precedenceChainPattern2\)-\(1\) | \(responsePattern\) | \(responseChainPattern1\)-\(2\) |\(responseChainPattern2\)-\(1\) | \(constrainedChainPattern1\)-\(2)\)

​ 11、precedencePattern: “, then ” S “previously held”

​ 12、precedenceChainPattern1-2: “and is succeeded by ” S “, then ” T “ previously held”

​ 13、precedenceChainPattern2-1: “, then ” S “ previously held and was preceded by ” T

​ 14、responsePattern: “, then ” S “ eventually holds”

​ 15、responseChainPattern1-2: “, then ” S “ eventually holds and is succeeded by ” T

​ 16、responseChainPattern2-1: “ and is succeeded by ” S “, then ” T “ eventually holds after ” S

​ 17、constrainedChainPattern1-2: “, then ” S “ eventually holds and is succeeded by ” T “, where ” Z “ does not hold between ” S “ and ” T

Realtime:

​ 18、realtimeType: “it is always the case that ” \((durationCategory\) | \(periodicCategory\) | \(realtimeOrderCategory)\)

​ 19、durationCategory: “once ” P “ becomes satisfied, it holds for ” \((minDurationPattern\) | \(maxDurationPattern)\)

​ 20、minDurationPattern: “at least ” c “ time unit(s)”

​ 21、maxDurationPattern: “less than ” c “ time unit(s)”

​ 22、periodicCategory: P “ holds ” \(boundedRecurrencePattern\)

​ 23、boundedRecurrencePattern: “at least every ” c “ time unit(s)”

​ 24、realtimeOrderCategory: “if ” P “ holds, then ” S “ holds ” \((boundedResponsePattern\) | \(boundedInvariancePattern)\)

​ 25、boundedResponsePattern: “after at most ” c “ time unit(s)”

​ 26、boundedInvariancePattern: “for at least ” c “ time unit(s)”

rules:

  • literal terminals are delimited by quotation marks “”

  • non-literal terminals are given in a san serif font

  • non-terminals are given in italics

  • property is the start symbol

  • the language L(G) is finite (since the grammar is non-circular and has no repetition)

  • Each sentence (or string) s with s \(\in\) L(G) serves as a handle that accompanies a scoped formula of a qualitative or real-time specification pattern.

注:literal terminal 指的是用引号括起来的”输出结果“,如“Globally, it is always the case that if P holds, then S holds after at most c time unit(s).”

注:non-literal terminal 指 用the grammar 初步导出的literal terminal :“Globally, it is always the case that if P holds, then S holds after at most c time unit(s).”中的PcS等未被实例化的"形参",PS 是 Boolean propositional formulae,它们都是需要被实例化的(need to be instantiated)

注:instantiate 实例化是指用具体的Boolean propositional formula对“形参”进行代换。如replacing P with (x = 0)。

supported specifications:

  • TLT,CTL,CIL —— Dwyer's specification patterns

  • MTL,TCTL,RTGIL —— our real-time specification patterns

The process to create a natural language representation:

  • Initially, choose the scope of the specified property(\(globally / before / after / between / after\)-\(until\)), followed by the type(\(qualitative / real\)-\(time\))

  • Then, select the category of the specified property(\(duration\), \(periodic\), or \(real\)-\(time\) \(order\) for real-time properties, and \(occurrence\) or \(order\) for qualitative properties)

  • Finally, construct structed English sentence by choosing the corresponding specification pattern.

    ​ ——"precede" denote strict past

    ​ ——"succeed" denote strict future

    ​ ——"held previously" denote non-strict past

    ​ ——"hold eventually" denote non-strict future

3.3 Pattern Template

Our real-time specification pattern template contains the following fields

  • Pattern Name :serves as a handle for the pattern's use and describes the nature of the pattern.

  • Classification:denotes if the pattern belongs to the duration, periodic, or real-time order category

  • Structured English Specification:The structured English sentence captures the property. The sentence is given in its unscoped version; a scope will be added as a pre x to the sentence when the pattern is instantiated.

  • Pattern Intent:A short description of properties for which the pattern is applicable.

  • Real-time Temporal Logic Mappings:Contains mappings of the pattern to MTL, TCTL, and RTGIL for each of the 5 possible scopes.

  • Examples and Known Uses:Gives example instantiations of the pattern and describes common situations where the pattern is useful in real-world scenarios.

  • Relationships:Describes relations to other qualitative as well as real-time specification patterns. Additionally, this field contains information about other commonly used properties and techniques that are related to this pattern.

[Figure 4] 是一个例子——\(Bounded\) \(Recurrence\) \(Real\)-\(time\) \(Specification\) \(Pattern\)

4. Case Study

以 electronically controlled steering (ECS) system 为例,使用 object analysis patterns创建一个UML模型(UML:Unified Modeling Language ,统一建模语言)

Object analysis patterns contain structural and behavioral information to guide the creation of UML models of the system.

本例涉及到了时间粒度(time granularity)的概念,有fine-grained(细粒度)和coarse-grained(粗粒度)两种

We construct two distinct (UML) system models with different timing granularities (fine-grained and coarse-grained), thus offering different views of the system. (Modeling all timed behaviors at one level of timing granularity would require large clock values and make it difficult to understand the analysis results.)

以其中一个requirement为例:

Requirement 1(c): “Operational checks must be done every 10 milliseconds.”

​ 1、This requirement describes a periodic occurrence,and it denotes ...(字面意思)

​ 2、assume that an operational check happening more often than every 10 milliseconds is considered correct system behavior.

​ 3、Hence,use the \(Bounded\) \(Recurrence\) \(Pattern\)

​ 4、Because one time unit corresponds to 0.5 milliseconds in the fine-grained
model, 10 milliseconds are captured as 20 time units.(MTL 的\(Eventually​\) 亦即是\(\lozenge​\),下标单位为time units。在这个例子中,1 time unit == 0.5ms,所以10ms == 20 time units,故在MTL formula中用20 time units 表达10ms)

​ 5、用MTL formula 表达出来: \(\square (\lozenge _{\leq20}\)$ (in(OperationalCheck)))$

​ 6、生成structured English grammar:

"Globally, it is always the case that (in(OperationalCheck)) holds at least every 20 time unit(s)." (Grammar: 1, 2, 3, 18, 22, 23)

概括一下步骤:

​ analyze the scope&category of the specified property,根据结果choose the corresponding specification patterns,对每一个pattern分别用temporal logic formula 表达成formula,再用3.2中的grammar表达这个formula(具体过程在3.2)

posted @ 2018-12-29 14:40  Khunkin  阅读(586)  评论(2编辑  收藏  举报