TASE2017
PATTERN series, part 5
I. Introduction
To ease the expression of real-time requirements, Dwyer, and then Konrad, studied a large collection of existing systems in order to identify a set of real-time property patterns covering most of the useful use cases. The goal was to provide a set of reusable patterns that system designers can instantiate to express requirements instead of using complex temporal logic formulas.
These works were mostly oriented towards providing more expressiveness to users, but did not really address the verification cost associated with each new pattern.
An observer-based approach can help in solving this problem.
Our contributions are twofold:
- the definition of a set of atomic pattern combinators for the formal expression of real-time requirements;
- the definition of a set of elementary observers in order to check our real-time patterns.
TPN: Time Petri Nets
TTS: Time Transition System
TINA: the time Petri net analyzer, a model-checking toolbox
- a toolbox for the edition and analysis of Petri nets.
- supports nets with inhibitor and read arcs, priorities, stopwatches, and its extension TTS
TINA toolset:
- tools for the exploration of reachability graphs (tina and sift) that support a large choice of state abstractions
- model-checkers for LTL (selt)
- for CTL and an existential fragment of \(\mu\)-calculus (muse);
- etc.
(Note: reachability is the key point)
The authors define:
- a set of event-based observers at TPN level (12 observers)
- a set of state-based observers at TTS level (4 observers).
Our observers take advantage of the highest possible level of abstraction provided by TINA (marking abstraction in our case) to reduce the size of the abstract state space that needs to be explored during verification.
Sect. II: gives some technical background on model-checking TPN;
Sect. III: introduces the catalog of real-time property patterns
Sect. IV: explains the design of observers;
Sect. V: illustrates the definition of pattern modifiers and the set of observers;
Sect. VI: presents the specification and verification on an example of real-time property;
Sect. VII: gives some concluding remarks.
II. TECHNICAL BACKGROUND
PN (Petri Net):
- each transition is associated with a local clock that starts once it is enabled; then the transition can fire when the clock value is in the time interval associated with the transition. \(\rightarrow\) a transition can fire only while its clock is within that time interval
Elements of a Petri net:
- Place: circular node
- Transition: rectangular node
- Arc: a directed arc between a place and a transition
- Token: a dynamic object held in a place; it can move from one place to another.
Time Petri nets can be composed like ordinary Petri net, by combining transitions with a common label. This will be used to add an observer to an existing model.
TTS(extension of TINA) extend the semantics of TPN by allowing guards on shared data variables in transitions and expressions that are evaluated when a transition fires.
core concepts used in the specification of patterns:
- occurrence, predicate, scope, events, states
pattern: describes constraints on 3 main kinds of elements (out of the 5 concepts above)
- predicate: the object of the constraint
- scope: the time interval in which it should happen
- occurrence: how it compares with the other events
- The occurrence of a predicate can be specified as existence, absence, always (exists throughout), or existence with a bounded number of occurrences.
event: an instantaneous and atomic occurrence of an action at a point in time
state: an identifier that designates when some given invariant conditions hold
III. CATALOG OF REAL-TIME PROPERTY PATTERNS
real-time property: a real-time property = a pattern + a scope
qualified patterns (8): Absence, Existence, Bounded Existence, Precedence, Response, Chain Precedence, Chain Response
qualified scope modifiers (5): Global, Before, After, Between, After-Until
quantitative modifiers (5): Minimum Duration, Maximum Duration, Bounded Recurrence, Bounded Response, Bounded Invariance
new quantitative scope modifier:
- \(\mathit{Periodically}\) (for the specification of requirements related to periodic events)
new real-time suffixes (3):
- \(\mathit{At\ least}\) & \(\mathit{At\ most}\): for the specification of bounded time on state-related predicates
- \(\mathit{Within}\): for the specification of time intervals.
The authors then define a set of elementary constructs for property patterns (the original paper shows this as Fig. 2, which also shows the hierarchy among the elements):
- Basic Predicate = State + Event Modifier ("=" means "is based on")
- Scope Modifier = Event Modifier
- Atomic Pattern = Occurrence Modifier + Basic Predicate + Scope Modifier
- Composite Pattern = Atomic Pattern (combined with the binary operators or, and, imply)
- Real-Time Property Pattern = Atomic Pattern + Composite Pattern
- Real-Time Property = Real-Time Property Pattern
(To avoid confusion with "Atomic Pattern" and "Composite Pattern", "pattern" in the rest of these notes always means "Property Pattern".)
IV. DESIGN PRINCIPLES OF TPN/TTS OBSERVERS
A. Structure of Observer
A TPN/TTS observer is a sub-net that will be composed with the net capturing the behavior of the system.
In short, a TPN/TTS observer is a sub-net composed with the net that captures the system's behavior.
A TTS observer for state-based properties is not composed with the system but simply put in parallel (an operation usually referred to as free product).
A state-based TTS observer is therefore not composed with the system but simply run in parallel (question: I don't quite understand what this means.)
\(mmc\) == modal \(\mu\)-calculus (note: modal)
\(P_{tester}\) (a place) allows properties to be accessed by using accessibility assertions declared within a modal \(\mu\)-calculus (mmc) formula.
An \(mmc\) formula checks the existence of a specific marking and whether a given set of transitions can be fired.
most basic \(mmc\) formulae: \([T](P_{tester}=1)\) or \(\langle T \rangle (P_{tester}=0)\)
Note: \([a]\phi\) == after \(a\) necessarily \(\phi\), where \(a\) is an action and \(\phi\) is a formula
Note: \(\langle a \rangle \phi\) == after \(a\) possibly \(\phi\) == \(\lnot[a]\lnot \phi\)
\([T](P_{tester}=1)\) or \(\langle T \rangle (P_{tester}=0)\) means that for all (respectively for at least one) successor states, the observer is (respectively is not) in state \(P_{tester}\)
All the necessary formulas are checked on-the-fly using the muse model checker.
Abstractions that only preserve state reachability are more effective than state-space abstractions that preserve the set of traces (the language).
B. Soundness of Observer
what Soundness means:
- an observer should not impact the system's behavior
- an observer should not be able to stop the evolution of time (introducing some kind of time deadlock)
soundness == robustness == does not affect the system's behavior + does not stop the evolution of time
observers work in a "read-only" mode, guaranteed by the design being linked \(from\) TPN transitions.
C. Efficiency of Observer
- a system with integrated observers should be able to generate state class graphs with a high-level abstraction. This graph should preserve the required semantics of the targeted property (achieved by forbidding some elements in the TPN during the design, such as priority arcs, and by using marking graphs and mmc formulae to transform the quantitative verification problems into reachability problems solved with the muse model checker)
- the state space generated by a single observer shall be as small as possible (this requires experimenting with different encodings of an observer in order to select the relatively optimal one)
- the checking of each property pattern shall be independent, to promote parallel computation.
V. ELEMENTARY OBSERVERS FOR THE VERIFICATION OF PROPERTY PATTERNS
A. Basic Event Modifiers
Predicates are specified based on events and states
An event can be an atomic element \(E\), or a composite one, called an event modifier
event modifier == a composite element built on \(E\), e.g.:
- \(E^i\) == the \(i^{th}\) occurrence of event \(E\)
- \(t\) u.t. (unit of time) after event \(E^{i-k}\): a more complex composite observer
Observer structure of event modifiers: \(E\) transition \(\rightarrow\) Observer, where Observer = TPN structure \(\rightarrow\) \(E'\) transition
basic event modifiers (each with its corresponding event observer) (note: the event modifiers below describe the timing relation between an event and \(E\), not the event and \(E\) themselves; an event may occur more than once)
- \(E^{i}\): the \(i^{th}\) occurrence of event \(E\)
- When \(E\) has occurred \(i\) times, the place \(P_{occ}\) has \(i\) tokens and the transition \(E^{i}\) is enabled; this ensures that \(E^{i}\) coincides with the \(i^{th}\) occurrence of \(E\).
- The place \(P_{once}\) with one token controls how many times \(E^{i}\) occurs: it ensures that \(E^{i}\) occurs only once; replacing the token count of \(P_{once}\) with another finite value enables \(E^{i}\) several times. (question: I don't quite understand this. Why can the \(i^{th}\) occurrence be enabled repeatedly? Even if it is enabled, a later occurrence would no longer be the \(i^{th}\) one?)
- Note: the \([0,0]\) on \(E^{i}\) means that \(E^{i}\) should fire immediately (with a delay included in the interval [0, 0]).
- \(E^{-k}\): \(k^{th}\) delay of \(E\)
- \(P_{occ}\) stores tokens representing the occurrences of event \(E\). Each time \(P_{occ}\) has \(k\) tokens, the read arc enables the transition \(E^{-k}\), which consumes one token in \(P_{occ}\).
- \(E^{/k}\): \(k\) times slower sub-occurrence of \(E\)
- When \(E\) occurs \(k\) times, the place \(P_{occ}\) accumulates \(k\) tokens \(\rightarrow\) the transition \(E^{/k}\) fires and all \(k\) tokens in \(P_{occ}\) are consumed. (in short: once the tokens accumulate to \(k\), fire and release, and repeat)
- \(I+t\): time \(t\) elapsed since system initialization (\(I\) stands for initializing the system; can it be seen as an event?)
- used to assess properties such as worst/best case execution time.
- (place) \(P_{Init}\) representing the initialization of the system
- (transition) \(E'\) representing that \(t\) u.t. have elapsed
- \(E+t\): time \(t\) elapsed since the occurrence of event \(E\) (if the \(I\) in \(I+t\) is regarded as an event, then \(I+t\) can be seen as a special case of \(E+t\)?)
- its event observer is built like the \(I+t\) event observer
- \(S^{S}\) & \(S^{E}\): entering and exiting events of a state \(S\)
- the transitions \(S^{S}/S^{E}\) represent the entering / exiting events of the state \(S\).
- When the system enters state \(S\) \(\rightarrow\) (the assertion \(S\) in \(P_{RE}(S)\) is true \(\rightarrow\) enables the transition \(S^{S}\)) \(\rightarrow\) moves the token in place \(P_{S}\) to place \(P_{E}\). (note the difference from "from ... to ...")
- When the system exits state \(S\) \(\rightarrow\) the assertion \(\lnot S\) in \(P_{RE}(\lnot S)\) is true \(\rightarrow\) moves the token in place \(P_{E}\) to place \(P_{S}\).
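The \(E^{i}\), \(E^{-k}\) and \(E^{/k}\) observers above are all counters over the \(P_{occ}\) place. The following Python is an added illustration (not code from the paper or from TINA) that replays a constructed sequence of occurrences of \(E\) through a token-count model of those three observers; the class and function names are my own, and the marking rules follow the descriptions in the notes (read arc for \(E^{i}\), one token consumed per firing of \(E^{-k}\), \(k\) tokens consumed per firing of \(E^{/k}\)).

```python
from dataclasses import dataclass, field


@dataclass
class EventObservers:
    """Token-count simulation of the E^i, E^{-k} and E^{/k} event-modifier
    observers (constructed illustration, not TINA code). Each observer keeps
    its own P_occ place; E^i additionally has the P_once place."""
    i: int                 # E^i fires on the i-th occurrence of E
    k: int                 # E^{-k}: k-th delay; E^{/k}: k times slower
    p_once: int = 1        # P_once: one token -> E^i may fire exactly once
    p_occ_i: int = 0       # P_occ of the E^i observer (read arc, never consumed)
    p_occ_delay: int = 0   # P_occ of the E^{-k} observer (one token consumed per firing)
    p_occ_div: int = 0     # P_occ of the E^{/k} observer (k tokens consumed per firing)
    fired: dict = field(default_factory=lambda: {"E^i": [], "E^-k": [], "E^/k": []})

    def occurrence(self, n: int) -> None:
        """Feed the n-th occurrence of E (n counts from 1) into the three observers."""
        # E^i: after i occurrences P_occ holds i tokens; the [0,0] transition fires
        # immediately, but only while P_once still carries its token.
        self.p_occ_i += 1
        if self.p_occ_i >= self.i and self.p_once > 0:
            self.p_once -= 1
            self.fired["E^i"].append(n)
        # E^{-k}: once P_occ holds k tokens the read arc enables E^{-k}, which
        # consumes one token, so it fires on the k-th and every later occurrence.
        self.p_occ_delay += 1
        if self.p_occ_delay >= self.k:
            self.p_occ_delay -= 1
            self.fired["E^-k"].append(n)
        # E^{/k}: k accumulated tokens fire E^{/k} and are all consumed.
        self.p_occ_div += 1
        if self.p_occ_div == self.k:
            self.p_occ_div = 0
            self.fired["E^/k"].append(n)


def run_observers(num_events: int, i: int, k: int) -> dict:
    """Replay num_events occurrences of E and return, per observer, the
    occurrence numbers at which its output transition fired."""
    obs = EventObservers(i=i, k=k)
    for n in range(1, num_events + 1):
        obs.occurrence(n)
    return obs.fired


if __name__ == "__main__":
    # Constructed input: six occurrences of E, observed with i = 3 and k = 2.
    print(run_observers(6, i=3, k=2))
    # -> {'E^i': [3], 'E^-k': [2, 3, 4, 5, 6], 'E^/k': [2, 4, 6]}
```

With \(i=3\) and \(k=2\) the output makes the three behaviours visible side by side: \(E^{i}\) fires once and stays silent afterwards because \(P_{once}\) is empty, \(E^{-k}\) fires on every occurrence from the second onward, and \(E^{/k}\) fires on every second occurrence.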
B. Basic Predicates
In the generic TPN structure of predicate observers:
- the transition \(E^{M}\) is an event
- the predicate is assessed using the observer and a set of \(mmc\) assertions
basic predicates:
- \(O(E^{i}) = true\): for the occurrence of event \(E^{i}\)
- The place \(P_{occ}\) is used to observe the occurrence times of event \(E_{M}\)
- Once the transition \(E_{M}\) has fired \(i\) times, the token count in \(P_{occ}\) is observed and assessed using the \(mmc\) assertion: \(P_{occ} \ge i\)
- TINA interprets \(P_{occ}\) in the assertion as the number of tokens in the place \(P_{occ}\)
- (question: here it seems transition == event? Same notation and the same behavioural consequence)
- \(isFinite(E) = True\): for the bounded occurrence of \(E\)
- used to assess whether the occurrence of an event is finite.
- \(P_{occ}\) accumulates the occurrence times of event \(E_{M}\)
- The transition \(T_{Overflow}\) is not fired == no overflow is detected == \(E_{M}\) does not exceed the occurrence bound \(Occ_{max}\)
- \(mmc\) assertion: \(\lnot T_{Overflow}\)
- \(Freq(E_{A}) \cdot N_{A} = Freq(E_{B}) \cdot N_{B}\): for equivalent occurrences of \(E_{A}\) and \(E_{B}\) (frequency × number == frequency × number; the two frequencies have a least common multiple) (question: I don't quite understand "equivalent occurrence". Is it, like \(E^{i}\) versus \(E\), the same event occurring at different times? The literal translation "equivalent occurrence" is hard to grasp.)
- used to identify equivalent occurrences between two periodic events with different (or equal) frequencies
- \(N_{A}\) and \(N_{B}\) are minimal coefficients (\(N_{A}, N_{B} \in \mathbb{Z}^{+}\))
- \(N_{A}\) and \(N_{B}\) can be computed using the Least Common Multiple (lcm) and the Greatest Common Divisor (gcd)
- \(N_{A}= \frac{lcm(F_{A},F_{B})}{gcd(lcm(F_{A},F_{B}), F_{A})}\)
- \(N_{B}= \frac{lcm(F_{A},F_{B})}{gcd(lcm(F_{A},F_{B}), F_{B})}\)
- \(N_{A}\) and \(N_{B}\) are introduced to identify the corresponding occurrences of \(E_{A}\) and \(E_{B}\)
- the places \(Tester_{A}/Tester_{B}\) count the occurrences of events \(E_{A}/E_{B}\).
- \(T(E_{A}, E_{B}) > t\): for the minimal time interval between events
- \(E_{A}\) and \(E_{B}\) can be periodic or aperiodic.
- == \(\mathrm{T}(E_{A}) - \mathrm{T}(E_{B}) > t\)
- \(mmc\) assertion: \(\lnot(Overflow_{A} \lor Overflow_{B}) \land \lnot((Tester_{B} = N_{B}) \land (Tester_{A} < N_{A}))\) (When \(E_{A}\) and \(E_{B}\) are aperiodic, \(N_{A} = N_{B} = 1\))
- \(T(E_{A}, E_{B}) < t\): for the maximum time interval between events
- == \(\mathrm{T}(E_{A}) - \mathrm{T}(E_{B}) < t\)
- \(mmc\) assertion: \(Overflow_{A} \lnot Overflow_{B}\) (question: why is it not \(\lnot(Overflow_{A} \lor Overflow_{B})\)?)
- \(D(S) \ge t\) & \(D(S) \le t\): for the minimal/maximal time duration of a state \(S\)
- uses the \(\mathrm{P_{RE}}\) function of TTS
- the transition with constraint [t,t] is enabled when state \(S\) holds for at least/at most \(t\) u.t.
- the transition with constraint [0,0] fires when state \(S\) no longer holds, to clear the marking in the place \(Tester\) (because \(S\) may hold several times while the system runs)
- \(mmc\) assertion:
- \(D(S) \ge t\): \(S \land (Tester = 1)\)
- \(D(S) \le t\): \(S \land (Tester = 0)\)
- Taking \(D(S) \ge t\) as an example: once time ≥ t, the time interval of the [t,t] transition is satisfied, the transition fires, and so \(Tester = 1\)
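For the \(Freq(E_{A}) \cdot N_{A} = Freq(E_{B}) \cdot N_{B}\) predicate above, the following Python is an added worked example (mine, not the paper's or TINA's): it computes \(N_{A}\) and \(N_{B}\) with exactly the lcm/gcd formula given in the notes, checks that the pair is minimal, and then counts \(E_{A}\)/\(E_{B}\) occurrences the way the \(Tester_{A}\)/\(Tester_{B}\) places do over a constructed timestamped trace. \(F_{A}\) and \(F_{B}\) are treated simply as the positive integers fed into the formula; the trace, the function names and the reset-on-match rule are my assumptions, and the overflow case that the paper handles with \(Overflow\) places is not modelled.

```python
from math import gcd


def lcm(a: int, b: int) -> int:
    """Least common multiple of two positive integers."""
    return a * b // gcd(a, b)


def equivalence_coefficients(f_a: int, f_b: int):
    """N_A, N_B computed exactly as in the notes:
    N_X = lcm(F_A, F_B) / gcd(lcm(F_A, F_B), F_X)."""
    if f_a <= 0 or f_b <= 0:
        raise ValueError("F_A and F_B must be positive integers")
    common = lcm(f_a, f_b)
    return common // gcd(common, f_a), common // gcd(common, f_b)


def is_minimal(n_a: int, n_b: int) -> bool:
    """Minimal coefficients share no common factor; otherwise a smaller pair would do."""
    return gcd(n_a, n_b) == 1


def equivalent_occurrence_times(trace, n_a: int, n_b: int):
    """Mimic the Tester_A / Tester_B places: count occurrences of E_A and E_B and
    record the time at which the two counters reach (N_A, N_B) together. The
    counters are then cleared so that the next equivalent pair can be detected.
    (Constructed model: counter overflow is not handled here.)"""
    tester_a = tester_b = 0
    times = []
    for time, label in trace:
        if label == "A":
            tester_a += 1
        elif label == "B":
            tester_b += 1
        if tester_a == n_a and tester_b == n_b:
            times.append(time)
            tester_a = tester_b = 0
    return times


# Constructed trace: E_A at every multiple of 3 u.t., E_B at every multiple of 2 u.t.
SAMPLE_TRACE = sorted(
    [(t, "A") for t in range(3, 13, 3)] + [(t, "B") for t in range(2, 13, 2)]
)

if __name__ == "__main__":
    n_a, n_b = equivalence_coefficients(3, 2)
    print(n_a, n_b, is_minimal(n_a, n_b))                      # 2 3 True
    print(equivalent_occurrence_times(SAMPLE_TRACE, n_a, n_b))  # [6, 12]
```

Since \(F_{A}\) divides \(lcm(F_{A},F_{B})\), the formula reduces to \(N_{A} = lcm/F_{A}\) and \(N_{B} = lcm/F_{B}\), so \(N_{A} F_{A} = N_{B} F_{B} = lcm(F_{A},F_{B})\) and the two coefficients are coprime; on the constructed trace the counters meet exactly at the common multiples 6 and 12.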
C. Basic Scope Modifiers
- \(\mathit{Globally}\):
- no observer is needed
- requires all states of the system,
- denoted as \(\mathcal{A}\)
- \(\mathit{Before}\ E^{i}\) & \(\mathit{After}\ E^{i}\)
- \(mmc\) assertion:
- Before: \(Tester < i\)
- After: \(Tester \ge i\)
- \(\mathit{Between}\ E_{A}\ \mathit{and}\ E_{B}\)
- means between the equivalent occurrences of \(E_{A}\) and \(E_{B}\)
- IF both \(E_{A}\) and \(E_{B}\) are periodic events, their occurrence frequencies must be equal
- IF \(E_{A}\) and \(E_{B}\) occur only once, then by default \(F_{A} = F_{B}\)
- \(mmc\) assertion: \((Tester_{A}=1) \land (Tester_{B}=0)\)
- \(\mathit{After}\ E_{A}\ \mathit{until}\ E_{B}\)
- \(E_{B}\) occurs after \(E_{A}\): == \(\mathit{Exist}\ E_{B}\ \mathit{After}\ E_{A}\) == \(\mathit{Between}\ E_{A}\ \mathit{and}\ E_{B}\)
- \(E_{B}\) does not occur after \(E_{A}\): == \(\mathit{Absent}\ E_{B}\ \mathit{After}\ E_{A}\) == \(\mathit{After}\ E_{A}\)
D. Occurrence Modifiers
\(N(P)\): the number of states that match the predicate \(P\)
\(N(S)\): the number of states that match the scope \(S\)
\(N(P \land S)\): the number of states that match both the predicate and the scope
- \(\mathit{Exist}\ P\ \mathit{in}\ S\) == \(P\) must occur within \(S\)
- \(\begin{cases} N(P \land S) \ge 1 & \mathrm{if}\ N(S) > 0 \\ \mathrm{True} & \mathrm{if}\ N(S) = 0 \end{cases}\)
- \(\mathit{Absent}\ P\ \mathit{in}\ S\) == \(P\) must not occur in \(S\)
- \(N(P \land S) = 0\)
- \(\mathit{Always}\ P\ \mathit{in}\ S\) == \(P\) occurs throughout the whole of \(S\):
- \(N(P \land S) = N(S)\)
When \(N(S) = 0\) the scope is false, and the predicate is trivially true for any occurrence modifier (\(Exist\), \(Absent\), \(Always\)). The assertions for \(Absent\) and \(Always\) satisfy this requirement by default; the clause "True, if N(S)=0" in \(Exist\) is defined for the same purpose.
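To make the three occurrence modifiers and the \(N(S) = 0\) corner case concrete, here is an added Python example (mine, not the paper's code). It evaluates \(\mathit{Exist}\), \(\mathit{Absent}\) and \(\mathit{Always}\) by counting \(N(P)\), \(N(S)\) and \(N(P \land S)\) over a constructed set of abstract states, with the scope taken from a \(Tester\) counter exactly as in the \(\mathit{Before}\ E^{i}\) / \(\mathit{After}\ E^{i}\) assertions (\(Tester < i\), \(Tester \ge i\)). The `State` layout, the `ready` predicate and the sample states are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class State:
    """One abstract state of system + observer (constructed illustration)."""
    tester: int   # marking of the scope observer's Tester place = occurrences of E so far
    ready: bool   # a state-based predicate of the system


Pred = Callable[[State], bool]


def counts(states: List[State], pred: Pred, scope: Pred):
    """Return N(P), N(S), N(P ∧ S) over the explored state set."""
    n_p = sum(1 for s in states if pred(s))
    n_s = sum(1 for s in states if scope(s))
    n_ps = sum(1 for s in states if pred(s) and scope(s))
    return n_p, n_s, n_ps


def exist(states, pred, scope) -> bool:
    """Exist P in S: N(P ∧ S) >= 1, or True when the scope never holds (N(S) = 0)."""
    _, n_s, n_ps = counts(states, pred, scope)
    return True if n_s == 0 else n_ps >= 1


def absent(states, pred, scope) -> bool:
    """Absent P in S: N(P ∧ S) = 0 (vacuously true when N(S) = 0)."""
    return counts(states, pred, scope)[2] == 0


def always(states, pred, scope) -> bool:
    """Always P in S: N(P ∧ S) = N(S) (vacuously true when N(S) = 0)."""
    _, n_s, n_ps = counts(states, pred, scope)
    return n_ps == n_s


def before(i: int) -> Pred:
    """Scope 'Before E^i' as the mmc assertion Tester < i."""
    return lambda s: s.tester < i


def after(i: int) -> Pred:
    """Scope 'After E^i' as the mmc assertion Tester >= i."""
    return lambda s: s.tester >= i


def is_ready(s: State) -> bool:
    return s.ready


# Constructed state set: E occurs twice during the run; `ready` holds in some states only.
TRACE = [State(0, False), State(0, True), State(1, True),
         State(1, False), State(2, True), State(2, True)]

if __name__ == "__main__":
    for name, scope in (("Before E^1", before(1)), ("After E^2", after(2)), ("After E^5", after(5))):
        print(name, counts(TRACE, is_ready, scope),
              exist(TRACE, is_ready, scope), absent(TRACE, is_ready, scope), always(TRACE, is_ready, scope))
```

The last scope, \(\mathit{After}\ E^{5}\), never holds on this state set (\(N(S)=0\)), so all three modifiers report True: \(\mathit{Absent}\) and \(\mathit{Always}\) do so through their own equations, while \(\mathit{Exist}\) needs the explicit "True if N(S)=0" branch, which is the point made in the paragraph above.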