Automatic Verification of Real-Time Systems Using Epsilon

Authors

  • Kim G. Larsen
  • Arne Skou
Abstract

…ing from time quantities ( ). In addition, Epsilon automatically offers diagnostic information in case of erroneous design steps (a frequently occurring situation), which has proven a valuable feature in the subsequent debugging. The theoretical basis for the generation of diagnostic information is obtained through logical characterizations of the various refinements, corresponding to the well-known logical characterization of bisimilarity [HM85]. In analogy with TMS being a real-time extension of Modal Specifications, the tool Epsilon is a real-time extension of the verification tool for Modal Specifications, Tav [GLZ89, BLS92]. The automatic refinement checking for TMS implemented in Epsilon is performed by adopting the techniques in [Cer92] and [LW90]. However, for the extension of Epsilon with the ability to generate diagnostic information it has been necessary to develop new algorithmic techniques [GL94]. Due to space limitations this paper offers only an informal presentation. However, the work reported has shown that Epsilon together with the underlying theory TMS does indeed support the above mentioned concepts of generality in design and proofs, and in particular that the supply of diagnostic information is a useful feature in case of erroneous refinements.

2 A Timed Stop-and-wait Protocol

This section reports on an analysis of a simple "stop-and-wait" protocol [Tan88, Par85] consisting of two subsystems (a sender and a receiver) interconnected by a faulty simplex medium for data and a perfect channel for acknowledgements.

[Figure: the sender S, the medium M and the receiver R, connected by the internal ports a (S to M), b (M to R) and c (R to S); acc is the external input port of S and del the external output port of R.]

We introduce the notion of a timing fault in the medium as follows: whenever the sender has issued a message, the medium makes it available to the receiver via the b-port for a limited time period, say Y. If the receiver fails to collect the message before Y has elapsed, the medium enters a state where the message (non-deterministically) may be lost (via a τ?-transition). This is modelled as follows:

    M(Y) def= a.(b.M(Y) + ε(Y).τ?M(Y))

As for the receiver, we want to model the fact that after having sent an acknowledgement, it takes a certain amount of time, say Z, to become ready to accept a new message from the medium. In Epsilon this may be modelled as follows:

    R(Z) def= ε(Z).b.del!!c.R(Z)

In the above definition we assume that the message will be delivered (via a del-transition) to the environment immediately. To model this we have used the notation a!!S for urgent action transitions, which simply abbreviates

    a!!S def= a.S + τ.a!!S

4 Analysis With a Simple Sender

Considering the design of the sender process, we first simply (naively) ignore the fact that messages may be lost, assuming that the receiver is fast enough. The process S is based on this assumption:

    S def= acc.a.c.S

Our timed version of the stop-and-wait protocol is then the parallel composition of the three components:

    Protocol(Y,Z) def= (S | M(Y) | R(Z)) \[a, b, c]

In our investigation of the protocol we have first examined the safety properties using the time-abstracting refinement, and thereafter we have considered the more detailed timed liveness properties. As for safety properties, we simply want the behaviour of the protocol to be an infinite sequence of alternations between acc- and del-transitions, i.e. it must be an observational refinement of the following specification Spec1:

    Spec1 def= acc.del.Spec1

By application of Epsilon we have examined the above requirement for various specific choices of the parameters Y, Z. Intuitively there are three interesting cases, Y > Z, Y = Z and Y < Z, depending on whether or not the receiver becomes ready for data acceptance before the medium enters an error-prone state. Taking e.g. Y = 2 and Z = 1, Epsilon confirms that Protocol(Y,Z) is indeed a refinement of Spec1. However, for the instance Y = 1 and Z = 2, Epsilon returns the logical formula [acc]⟨del⟩tt as a property enjoyed by Spec1 but not by Protocol(1,2). The formula indicates that there is an acc-transition (with respect to a time-abstracting transition relation) leading to a state where a del-transition of Protocol(1,2) is not possible. So, due to our logical characterization result, the protocol is not in general a time-abstracted refinement of Spec1 when Y < Z. For additional explanation, a closer examination of the computation of the protocol has been carried out. This analysis revealed that there is a risk of entering a deadlocked state (i.e. a state where the only possible transitions are time progress), namely

    c.S | M(1) | ε(1).b.del!!c.R(2)

For the case Y = Z it is easily seen that the system may also deadlock for the same reason.

Timing Properties

Having established the safety properties of the protocol when Y > Z (i.e. the receiver is fast enough to prevent the medium from timing out), we now turn to the performance characteristics in this case. Clearly the delay Z of the receiver will be a determining factor for the time delay between an input to the protocol and the succeeding output. So one might expect the protocol to be an observational refinement of the following specification Timedspec(A), which can accept an input, delay A time units, and thereafter deliver its output:

    Timedspec(A) def= acc.ε(A).del.Timedspec(A)

However, in a test of e.g. Protocol(2,1) against Timedspec(1), Epsilon yields the logical property [1/5][acc][4/5][del]ff, enjoyed by Timedspec(1) but not by Protocol(2,1). This property shows that there is an implementation of the protocol which has a computation in which it can delay 1/5, then receive an input, delay 4/5 and then deliver the output. Clearly such a computation is not permitted by the specification Timedspec(1). In reality the receiver delay Z gives the upper limit of the input/output delay, expressed correctly by the specification Spec2(Z) with the behaviour given below.

[Figure: the specification Spec2(Z), drawn as a timed transition graph with acc and del transitions and a delay of Z. Note that time is never required to pass.]

Our claim is now that Protocol(Y,Z) refines Spec2(Z) whenever Y > Z, and Epsilon has confirmed this for given Y, Z values.

A Retransmitting Sender

In the general case we cannot ensure Y > Z, that is, we cannot guarantee that the receiver is ready for data collection before the medium times out. In this case (Y ≤ Z) data may be lost by the medium, and the standard technique ([Tan88]) to handle this case is to let the sender retransmit after a certain time-out period, say X. This strategy is defined through the following sender S1(X), introducing an additional parameter in the corresponding Protocol(X,Y,Z):

    Protocol(X,Y,Z) def= (S1(X) | M(Y) | R(Z)) \[a, b, c]
    S1(X) def= acc.S2(X)
    S2(X) def= a.(c.S1(X) + ε(X).τ.S2(X))

As before we first analyse the safety properties of the protocol; however, because of the possibility of retransmission, we only demand the specification to be included in that of a 1-place buffer (with respect to time-abstracting language inclusion). This is expressed in the following specification:

    Spec3 def= acc?.del?.Spec3

Intuitively there are three interesting cases, X > Z, X = Z and X < Z, depending on whether or not the receiver becomes ready with a frequency that is faster than the time-out period of the sender. For the case X > Z, Epsilon confirms that Protocol(3,1,2) does indeed refine Spec3. Consider now the case X = Z and e.g. the question whether Protocol(2,1,2) refines Spec3. In this case Epsilon returns the property [acc][del][del]ff, enjoyed by Spec3 and not by the protocol, i.e. there is a computation of the protocol in which a message is delivered twice. Analysing the protocol carefully, it may be seen that the receiver is able to collect a message from the medium in a state where the sender has already (incorrectly) decided (via a time-out) to retransmit the message. This also holds for the case X < Z.
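The two failure modes identified above (the deadlock of the simple sender when Y ≤ Z, and the double delivery of the retransmitting sender when X ≤ Z) can be reproduced with a small reachability check. The following Python program is an added example, not part of the paper or of the Epsilon tool. It encodes the three components as small timed state machines under assumed simplifications of the paper's semantics: integer parameters and unit time steps; the restricted synchronisations on a, b, c and the urgent del are taken before time may pass (maximal progress); and the loss in the medium after Y time units is a may-step that is never forced. It searches the reachable states of Protocol(Y,Z) for a state from which only time can pass, and the reachable states of Protocol(X,Y,Z) for a visible trace outside the language of Spec3 (acc and del not alternating). The state encoding and the function names are the example's own.

```python
from collections import deque

# Global state of the protocol, encoded as a tuple (constructed for this example):
#   sender   : 'acc'  (ready to accept input),
#              'a'    (about to hand the message to the medium),
#              'wait' (waiting for the ack c; with a retransmitting sender
#                      the timer st counts towards the time-out X)
#   medium   : 'idle' or 'hold' (mt counts time since the message arrived;
#              the message may be lost once mt >= Y)
#   receiver : 'delay' (rt counts towards Z), 'b' (ready to collect),
#              'del' (urgent delivery to the environment), 'c' (sending the ack)
#   pending  : messages accepted but not yet delivered, as Spec3 = acc.del.Spec3
#              expects (must stay 0 or 1)
INIT = ('acc', 0, 'idle', 0, 'delay', 0, 0)

def successors(state, X, Y, Z):
    """Discrete moves from `state` as (label, next_state, urgent) triples.
    X=None selects the simple sender S, which never times out."""
    s, st, m, mt, r, rt, p = state
    out = []
    if s == 'acc':                                   # environment offers acc
        out.append(('acc', ('a', 0, m, mt, r, rt, p + 1), False))
    if s == 'a' and m == 'idle':                     # sync on a (restricted, urgent)
        out.append(('tau', ('wait', 0, 'hold', 0, r, rt, p), True))
    if m == 'hold' and r == 'b':                     # sync on b (restricted, urgent)
        out.append(('tau', (s, st, 'idle', 0, 'del', 0, p), True))
    if m == 'hold' and mt >= Y:                      # may-loss after Y time units
        out.append(('loss', (s, st, 'idle', 0, r, rt, p), False))
    if r == 'del':                                   # del!! is urgent
        out.append(('del', (s, st, m, mt, 'c', 0, p - 1), True))
    if s == 'wait' and r == 'c':                     # sync on c (restricted, urgent)
        out.append(('tau', ('acc', 0, m, mt, 'delay', 0, p), True))
    if X is not None and s == 'wait' and st >= X:    # time-out: retransmit
        out.append(('tau', ('a', 0, m, mt, r, rt, p), True))
    return out

def tick(state, X, Y, Z):
    """Let one time unit pass; timers stop counting once they reach their bound."""
    s, st, m, mt, r, rt, p = state
    if s == 'wait' and X is not None and st < X:
        st += 1
    if m == 'hold' and mt < Y:
        mt += 1
    if r == 'delay':
        rt += 1
        if rt >= Z:
            r, rt = 'b', 0
    return (s, st, m, mt, r, rt, p)

def explore(X, Y, Z):
    """Breadth-first search over the reachable states of Protocol(X,Y,Z).
    Returns (reachable states, deadlocked states, Spec3 violations)."""
    seen, queue = {INIT}, deque([INIT])
    deadlocks, violations = [], []
    while queue:
        state = queue.popleft()
        moves = successors(state, X, Y, Z)
        targets = []
        for label, target, _ in moves:
            # Spec3 demands strict alternation of acc and del
            if (label == 'acc' and state[6] == 1) or (label == 'del' and state[6] == 0):
                violations.append((label, state))
                continue                             # trace already outside Spec3
            targets.append(target)
        if not any(urgent for _, _, urgent in moves):  # maximal progress
            later = tick(state, X, Y, Z)
            if later == state and not moves:
                deadlocks.append(state)              # only time can ever pass
            targets.append(later)
        for t in targets:
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen, deadlocks, violations

def analyse(X, Y, Z):
    """Summarise the two checks discussed in the text for one parameter choice."""
    seen, deadlocks, violations = explore(X, Y, Z)
    return {'states': len(seen),
            'deadlock': bool(deadlocks),
            'double_delivery': any(label == 'del' for label, _ in violations)}

if __name__ == '__main__':
    for params in [(None, 2, 1), (None, 1, 2), (None, 1, 1),
                   (3, 1, 2), (2, 1, 2), (1, 1, 2)]:
        print('Protocol%s -> %s' % (params, analyse(*params)))
```

With X=None the search covers Protocol(Y,Z) with the simple sender and reports the deadlock for Y = 1, Z = 2 and for Y = Z = 1 but not for Y = 2, Z = 1; with a time-out X it reports the double delivery for Protocol(2,1,2) and Protocol(1,1,2) and none for Protocol(3,1,2), matching the cases discussed in the text. The double delivery appears exactly as described: at the instant the receiver becomes ready, the sender's timer has also expired, so the retransmitted copy is collected after the first copy has already been delivered and acknowledged.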
A detailed analysis leads to the condition X > Z as being sufficient for Protocol(X,Y,Z) to refine Spec3. Again this may be confirmed by Epsilon for given values.

As for the timing analysis of the retransmitting protocol, let us now investigate whether the delay parameter Z of the receiver defines the upper limit of the input/output delay. Examining whether e.g. Protocol(3,1,2) refines Spec2(2), Epsilon returns the property [acc][2]⟨del⟩tt as one enjoyed by Spec2(2) but not by the protocol. That is, the system may delay more than 2 time units between input and output. The reason is that the data may be lost in the medium before the time Z elapses, thereby forcing the timer X to elapse before retransmission can take place. So the time-out period X defines the upper limit of the delay, and we may confirm this via Epsilon by proving that Protocol(X,Y,Z) refines Spec2(X) for arbitrary parameter values satisfying X > Z.

References

[BL90] G. Boudol and K.G. Larsen. Graphical versus logical specifications. In Proceedings of CAAP'90, volume 431 of Lecture Notes in Computer Science, 1990.
[BLS92] A. Børjesson, K.G. Larsen, and A. Skou. Generality in design and compositional verification using Tav. In Proceedings of FORTE'92, 1992.
[Cer92] K. Cerans. Decidability of bisimulation equivalences for processes with parallel timers. In Proceedings of CAV'92, 1992.
[CGL93] K. Cerans, J.C. Godskesen, and K.G. Larsen. Timed modal specifications: theory and tools. In Proceedings of CAV'93, volume 697 of Lecture Notes in Computer Science. Springer-Verlag, 1993.
[GL94] Jens Chr. Godskesen and Kim G. Larsen. Synthesis of distinguishing formulae for real-time systems. To appear, 1994.
[GLZ89] J. Godskesen, K. Larsen, and M. Zeeberg. Tav (Tools for Automatic Verification): users manual. Aalborg University, Denmark, 1989.
[HL89] H. Hüttel and K.G. Larsen. The use of static constructs in a modal process logic. In Proceedings of Logic at Botik'89, volume 363 of Lecture Notes in Computer Science. Springer-Verlag, 1989.
[HM85] M. Hennessy and R. Milner. Algebraic laws for nondeterminism and concurrency. Journal of the Association for Computing Machinery, pages 137-161, 1985.
[Lar90] K.G. Larsen. Modal specifications. In Proceedings of Workshop on Automatic Verification Methods for Finite State Systems, volume 407 of Lecture Notes in Computer Science, 1990.
[LT88] K. Larsen and B. Thomsen. A modal process logic. In Proceedings of LICS'88, 1988.
[LW90] K.G. Larsen and Y. Wang. Time abstracted bisimulation: implicit specifications and decidability. In Proceedings of MFPS'93, 1990.
[Mil89] Robin Milner. Communication and Concurrency. Series in Computer Science. Prentice-Hall International, 1989.
[Par81] D. Park. Concurrency and automata on infinite sequences. In P. Deussen, editor, 5th GI Conference, volume 104 of Lecture Notes in Computer Science, pages 167-183, 1981.
[Par85] J. Parrow. Fairness Properties in Process Algebra. PhD thesis, Uppsala University, Sweden, 1985.
[Tan88] A. Tanenbaum. Computer Networks. Englewood Cliffs, 1988.
[Wan90] Y. Wang. Real-time behaviour of asynchronous agents. In Proceedings of CONCUR'90, volume 458 of Lecture Notes in Computer Science. Springer-Verlag, 1990.


Publication date: 1993