Specifying the correctness of complex concurrent and realtime systems is a crucial problem. Many property languages have been proposed to do so; however, these techniques often involve formalisms not easily handled by engineers, and furthermore require dedicated tools. We propose here a set of patterns that encode common specification or verification components when dealing with concurrent real-time systems. We provide a formal semantics for these patterns, as time Petri nets, and show that they can encode previous approaches.
In the past few decades, many formal languages for specifying and verifying
complex concurrent and real-time systems have been proposed. However, these
formalisms are not always easy to handle by industry engineers. Temporal logics
(e.g. [
To overcome these difficulties, several pattern-based solutions have been proposed. Patterns allow to identify frequent components of systems or properties in a standardised manner and (sometimes) to compose them so as to build more complex components. Here, we unify three sets of patterns proposed in the past.
In [
Contribution In this paper, we unify previous approaches to propose a
patternbased language for the specification of real-time systems and/or properties for
their verification. Each pattern has a syntax as human-readable as possible,
so that engineers non-experts in formal methods can use them. Furthermore,
we propose a Time Petri Net [
Our patterns can be used for two distinct purposes: 1. specify a system, by means of simple English-like constructs, rather than using complex formalisms. Nevertheless the translation of our patterns into time Petri nets provides a formal model of the system. 2. verify a system (not necessarily specified by our patterns), by means of the same syntax. In this situation, our patterns are again translated into time Petri nets, and can be used to verify the system model by synchronisation on transitions, and using the sole reachability of some “bad” place. This avoids the use of complex model checking algorithms.
Even though the syntax is identical for both purposes, the translation into time
Petri nets for verification contains a few more places and transitions.
Related Work Concerning the specification of properties for verifying real-time
systems, temporal logics (e.g. [
The idea of reducing (some) properties to reachability checking is not new:
in [
In [
Outline First, Section 2 recalls the earlier definitions of patterns we base on. We
then propose our new set of patterns in Section 3, and formalise them using time
Petri nets in Section 4. The patterns of [
Earlier works we base on ([
In [
The temporal relations [
The temporal relations from [
Task A time d1
D1 d2
D2 (e) A contains ((d1, D1)(d2, D2)) B time d1
D1 d2
D2
time
(f) A
((d1, D1)(d2, D2)) B
parallels
As in [
The synchronisation between tasks can be either bilateral (the execution of any of them is related to the execution of the others), or unilateral (the execution of a task is related to that of the other one, but the converse is not true).
In other words, in a bilateral synchronisation, all tasks occur or none of them
does. Note that in [
time
Fig. 2 depicts the bilateral synchronisation BILATERALSYNCH(A,B).
When the synchronisation is unilateral, a task occurs w.r.t. either a timing or another task, possibly with a delay.
UnilateralSynch = Relation(task1, task2, delay)
| Relation(task, delay) Relation = AFTER | BEFORE | AT
Examples in Fig. 3 depict the following relations: (a) AT(A,10): task A starts at time 10; (b) AFTER(A,10): task A starts after time 10; (c) AT(A,B,15): task A begins 15 units of time after the end of task B; (d) AFTER(A,B,10): task A begins at least 10 units of time after the end of task B. 2.3
In [
The main patterns from this section are depicted in Fig. 4 where the arrows show that the occurrence of an event implies the occurrence of the related event. BeforeDeadline The first pattern relates an event with an absolute timing. BeforeDeadline = a no later than d
10 (a) AT(A,10)
15 (c) AT(A,B,15) time 10
(b) AFTER(A,10)
time time
an time time time a1 10 (d) AFTER(A,B,10) a2 time a1 a2
d time (a) BeforeDeadline (b) Precedence (c) EventualResponse (d) Sequence Precedence The following patterns allow for expressing the precedence of the current event by another, with or without an explicit time frame.
The cyclic version of these patterns denotes that a pattern is repeatedly valid, whereas in the strict cyclic version the pattern is not only repeatedly valid, but no event mentioned in the pattern can happen in between (i.e. the events mentioned in the pattern are alternating).
The precedence pattern requires that, whenever event a2 happens, then the event a1 must have happened before (at least once). Note that a2 is not required to happen. In the CyclicPrecedence pattern, every time a2 happens, then the event a1 must have happened before (at least once) since the last occurrence of a2. In the strict cyclic version, every time a2 happens, then event a1 must have happened exactly once since the last occurrence of a2, i.e. a1 and a2 alternate. (They do not need to alternate forever though.) For example, in the CyclicPrecedence, the sequence a1 a1 a2 can happen but not a1 a2 a2, while in the StrictCyclicPrecedence none of them can happen.
This pattern is extended to a timed version in a straightforward manner. Precedence = if a2 then a1 has happened before CyclicPrecedence = everytime a2 then a1 has happened before StrictCyclicPrecedence = everytime a2 then
a1 has happened exactly once before Response Expressing that the current event will be followed by a response is formulated by the following pattern. This pattern is equivalent to the “eventually” in linear temporal logics. None of the two events is required to happen; however, if the first one does, then second must eventually happen too. The cyclic and strictly cyclic versions are defined as for precedence. A timed extension (as in timed temporal logics) is also defined.
EventualResponse = if a1 then eventually a2 CyclicEventualResponse = everytime a1 then eventually a2 StrictCyclicEventualResponse = everytime a1 then
eventually a2 once before next a1 TimedResponse = if a1 then eventually a2 within d CyclicTimedResponse = everytime a1 then eventually a2 within d StrictCyclicTimedResponse = everytime a1 then eventually a2 within d once before next a1 Sequence Events can also be ordered as a sequence. None of the n events is required to happen; however, if some (or all) do, then they must follow exactly the order defined by the sequence. The cyclic version is straightforward. However, no strict cyclic version is defined, as it would be identical to the cyclic version. Sequence = SEQUENCE a1, ..., an CyclicSequence = always SEQUENCE a1, ..., an eventlist =
eventlist EVENT | EVENT interval = (d, D) | [d, D] | [d, D) | (d, D] timing = WITHIN interval simplePattern =
EVENT AT timing | EVENT EVENTUALLY timing EVENT | EVENT timing AFTER EVENT | SEQUENCE (eventlist) pattern =
pattern OR simplePattern | pattern AND simplePattern | ALWAYS simplePattern | simplePattern SYNTACTIC SUGAR:
AT LEAST d = WITHIN [d, infinity)
AT MOST d = WITHIN [0, d]
EXACTLY d = WITHIN [d, d]
Unreachability The last pattern of [
Unreachable = UNREACHABLE(Bad) 3
The primitives in the grammars of Section 2.1 and Section 2.2 are dedicated
to temporal or causal relations between tasks which are characterised by both
their starting and ending times. But, in practice, most systems are concerned
with individual events, as is the case in [
We introduce a grammar for unified patterns Fig. 5. Our grammar considers individual events that can form a list of events in order to construct a sequence. The timing of events can be specified as being within a time frame (from d to D time units, where d ∈ R+ and D ∈ R+ ∪ {∞}). The only restriction is that the interval [d, D] 6= [0, ∞) (see Remark 1 infra).
Simple patterns express basic relations between individual events. An event can happen w.r.t. an absolute timing constraint. An event can eventually entail the occurrence of another event w.r.t. some timing constraint. Conversely, an event can occur only w.r.t. a timing after another event already occurred. Events can be ordered in a sequence, thus all occurring one after another. Simple Patterns The simple patterns contain four kinds of relationships, that we describe in more details in the following.
The pattern fragment EVENT AT encodes an absolute timing; it is used to describe events that must happen exactly at an (absolute) time.
The pattern fragment EVENT EVENTUALLY timing EVENT encodes that, whenever the first event happens, then the second will eventually happen, with the timing constraint specified by timing. That is, if the first event happens, the second must happen. The converse is not true: if the second event happens, the first one did not necessarily happen before.
The pattern fragment EVENT timing AFTER EVENT encodes that, whenever the first event happens it is necessarily after the second one, together with some timing constraint. For example, e2 WITHIN(d,D) AFTER e1 denotes that e2 may or may not happen, but if e2 happens, then it must be at least d and at most D time units after the first occurrence of e1. Also note that, if e2 does not happen, then e1 may or may not happen.
Finally, the SEQUENCE ensures that a list of events happen in the particular order specified.
Complex Patterns Patterns can be combined in order to form more complex ones. First, we can use Boolean AND and OR operators to express the conjunction of patterns (i.e. both must be executed, for patterns expressing systems, or must be valid, for patterns expressing the properties) or the disjunction (i.e. either one of them can be executed/valid).
The ALWAYS is a sort of fixpoint, with a semantics similar as the notion of
“cyclic” pattern in [
Finally, it is often convenient to use some syntactic sugar for expressing timing constraints: AT LEAST, AT MOST and EXACTLY.
Remark 1 (untimed patterns). We could encode untimed patterns using our
timed patterns (by allowing a syntactic sugar construct UNTIMED = WITHIN [0,
1 Furthermore, while designing the patterns in [
Time Petri nets [
Observers Let us recall the concept of observers, as formalised in [
For the verification, we define a “bad” place (labelled in Fig. 6a–6h using the “/” symbol); this place is assumed to be unique, i.e. one must fuse all occurrences of this place when composing patterns. The verification can then be carried out as follows: given a model of the system specified using time Petri nets (but not necessarily specified using our specification patterns), and given a property of the system specified using our patterns and translated into a time Petri nets, we perform the synchronisation (on transitions) of the entire system. Then, the property (expressed by the pattern) is satisfied iff the “ /” place is unmarkable, i.e. cannot be marked in any marking of the synchronised net.
In order to differentiate between the specification of systems and the specification of properties, we depict in dotted red the places and transitions necessary to add to our translated patterns so as to be able to perform verification. In other words, these dotted red places and transitions shall be omitted when specifying systems and not properties. Conversely, we depict in plain light blue the places and transitions only necessary for the system specification, but that must be omitted for the verification.
A1 A2
Fig. 6: Translation of our patterns into time Petri nets Simple Patterns Fig. 6a gives the translation of the A AT WITHIN (d, D) pattern. For the property, the translation is straightforward: a place is followed by a timed transition with firing time [d, D] labelled with A. This correctly encodes the fact that A must occur within [d, D] after the system start. (We assume closed intervals in the remainder of the translation; open or semi-open intervals can be handled similarly.) Concerning the verification, in addition to the correct behaviour, we need also to specify the bad behaviour, hence in this case another transition that can occur only if the timing is not satisfied, leading to the “bad” place. That is, the bad place is reachable iff the property is violated. Additionally, for our pattern to be a good “observer” (i.e. that must not disturb the system), it must be able to synchronise at any time with the system on the transition the pattern declares (here only A). This explains the loop on transition A on the right-hand side of Fig. 6a. (In fact, self-loops should also be added to the bad place; we omit them for sake of space, but also because it is less important to block the system once the property has been proved invalid.)
Pattern A1 EVENTUALLY WITHIN (d, D) A2 is modelled by the TPN in Fig. 6b. For the specification, two cases are admitted: one where A1 is fired, and one where it is not. Moreover the possibility of firing A1 depends on other actions in the system which may put a token in the initial place of the pattern (depicted by an incoming arrow). The additional places and transitions for the verification counterpart of this pattern are explained as follows: the first selfloop allows A2 to happen anytime as long as A1 has not happened. Then, if A2 happens strictly before or strictly after [d, D], the observer enters the bad place. Otherwise, the property is satisfied, and both A1 and A2 can happen anytime, which is depicted using the two self-loops.
The A2 WITHIN (d, D) AFTER A1 pattern (given in Fig. 6c) is similar to the previous one but, in this case, it is not possible to have A2 without A1. As for the verification, note that A2 cannot occur before A1, hence the transition between the initial place and the bad place. Furthermore, several A1 may occur before A2 occurs: this is encoded using the second output from A1 and a self-loop. Thus the time for firing A2 is counted from the first occurrence of A1. The rest of the pattern is similar to the previous one.
The SEQUENCE(A1,A2,...,An) pattern is given in Fig. 6h. Naturally, it is made of a sequence of transitions. Additionally, the verification version is such that, as soon as a transition violates the order imposed by the sequence, the system goes to the bad place. An additional self-loop in the last good place, synchronising on any transition, makes the observer non-blocking. Complex Patterns These patterns are used to combine the previous ones (eventually with complex patterns as well). In Fig. 6d to Fig. 6g, they are pictured in dashed boxes, which would also include the “bad” place. For the specification, the complex patterns are straightforward: they syntactically combine existing patterns. For the verification, this is a little less simple: first, recall that all “bad” locations must be fused into a single one. Second, the “and” verification pattern becomes identical to the. . . “or” specification pattern: this is because the property P1 AND P2 is violated if P1 is violated (i.e. the bad place is reachable in the corresponding pattern) or P2 is violated. The “or” pattern is not translated for verification; this is because this cannot be checked with sole unreachability (see Section 6). Concerning the ALWAYS pattern for verification, one must fuse the last non-dotted place of the pattern (usually the right-most place in the figures) with the initial place. However, the self-loops (generally on A1 and A2) on the last non-dotted place must be removed.
Initial Marking In addition to the tokens introduced by the absolute time patterns (A AT WITHIN (d,D)), a single initial token must be put in the top-most pattern of the composed pattern expression. (We assume that, if the top-most expression is a pattern A AT WITHIN (d,D), then no further token is added.) 5
In this section we show how all primitives from Section 2 can be expressed using our new set of patterns.
In order to express the relations between tasks described in Section 2.1 and Section 2.2 with these new primitives, a task A is transformed into two events, specifying the task Beginning (A.start) and its end (A.end). 5.1
The expression of patterns from Section 2.1 is summarised in Table 1.
Note that several rules are expressed identically. For example, rule 2 is reflecting the point of view from event A, and rule 4 the one of event B, while in our patterns we express the relation as seen from an external observer. 5.2
Table 2 shows the mapping for the patterns of Section 2.2.
Note that formula 5 implies that if B does not occur, neither does A. On the contrary, if B occurs, A can occur or not. If it does, it is d units of time after B ended. A similar remark applies to formula 6. Finally, in formula 7, A necessarily occurs d units of time after the end of B. 5.3
Patterns from Section 2.3 are presented in Table 3. Our translation is
straightforward. The only “trick” is the translation of the “strict cyclic” patterns of [
We proposed a unified pattern mechanism to both specify and verify real-time
systems, together with a semantics using time Petri nets. Our new set of patterns
unifies the patterns of [
Second, more patterns from the literature should be integrated to our
encoding. Although we shall not develop too complex a pattern system, so as to avoid
giving birth to a complicated property language, the patterns in [
Third, although it is relatively easy to convince oneself that we correctly
encoded the patterns of [
Finally, our translation to time Petri nets was done manually. An alternative
option would be to define an ad-hoc domain specific language (DSL), and then
to use model transformation techniques (such as in [
We are grateful to the anonymous reviewers for useful comments. Formula 1 BILATERALSYNCH(A,B) A.start EXACTLY 0 AFTER B.start
OR A.end EXACTLY 0 AFTER B.end Formula 2 AT(A,d) A.start AT EXACTLY d Formula 3 AFTER(A,d) A.start AT AT LEAST d Formula 4 BEFORE(A,d) A.start AT AT MOST d Formula 5 AT(A,B,d) A.start EXACTLY d AFTER B.end Formula 6 AFTER(A,B,d) A.start AT LEAST d AFTER B.end Formula 7 BEFORE(A,B,d) B.end EVENTUALLY AT MOST d A.start
Table 2: Encoding patterns from [