Abstract
Timed Transition Models (TTMs) are event-based descriptions for specifying real-time systems in a discrete setting. We propose a convenient and expressive event-based textual syntax for TTMs and a corresponding operational semantics using labelled transition systems. A system is specified as a composition of module instances. Each module has a clean interface for declaring input, output, and shared variables. Events in a module can be specified, individually, as spontaneous, fair or real-time. An event action specifies a before-after predicate by a set of (possibly non-deterministic) assignments and nested conditionals. The TTM assertion language, linear-time temporal logic (LTL), allows references to event occurrences, including clock ticks (thus allowing for a check that the behaviour is non-Zeno). We implemented a model checker for the TTM notation (using the PAT framework) that includes an editor with static type checking, a graphical simulator, and a LTL verifier. The tool automatically derives the tick transition and implicit event clocks, removing the burden of manual encoding them. The TTM tool performs significantly better on a nuclear shutdown system than the manually encoded versions analyzed in [6].
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
In TTM/PAT we consider a discrete time domain, where there is an explicit transition for the tick of a global clock. Zeno behaviour then denotes executions in which the tick transition does not occur infinitely often (i.e., at some point, time stops).
- 2.
Variables \(ri\) and \(last\_ri\) are used in neither event guards nor the right hand side of assignments to non-auxiliary variables.
- 3.
\(H.hbn\) designates the event \(hbn\) in module instance \(H\). The same syntax works for local variables as well.
- 4.
With all the complexity of structures allowed by the syntax of actions, sequential composition is not allowed. This is in an effort to make actions into specifications rather than implementations. This would allow us to generalize TTMs to allow an Event-B style of symbolic reasoning.
- 5.
Suppose that event \(e_2\) also starts \(t_1\), that \(e_3\) establishes \(q\) and events occur in the following order: \(\pi _0 \mathop {\mathbin \rightarrow }\limits ^{e_1} \underset{t_1 = 0}{\pi _1} \mathop {\mathbin \rightarrow }\limits ^{tick^3} \underset{t_1 = 3}{\pi _4} \mathop {\mathbin \rightarrow }\limits ^{e_2} \underset{t_1 = 0}{\pi _5} \mathop {\mathbin \rightarrow }\limits ^{tick^2} \underset{t_1 = 2}{\pi _7} \mathop {\mathbin \rightarrow }\limits ^{e_3} \underset{t_1 = 2 ~\wedge ~ q}{\pi _8} \cdots \). This execution satisfies the first LTL formula but does not satisfy the intended specification: when \(q\) becomes true, \(t_1 = 2\) but it is 5 ticks away from the last occurrence of \(e_1\).
- 6.
The scheduling assumptions are taken care of by the model-checking algorithms [10].
References
Abrial, J.-R.: Modeling in Event-B. Cambridge University Press, Cambridge (2010)
Chandy, K.M., Misra, J.: Parallel Program Design—a Foundation. Addison-Wesley, Reading (1989)
de Moura, L., Owre, S., Ruess, H., Rushby, J., Shankar, N., Sorea, M., Tiwari, A.: SAL 2. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 496–500. Springer, Heidelberg (2004)
Jee, E., Lee, I., Sokolsky, O.: Assurance cases in model-driven development of the pacemaker software. In: Margaria, T., Steffen, B. (eds.) ISoLA 2010, Part II. LNCS, vol. 6416, pp. 343–356. Springer, Heidelberg (2010)
Larsen, K.G., Pettersson, P., Yi, W.: Uppaal in a nutshell. Int. J. Softw. Tools Technol. Transf. 1(1–2), 134–152 (1997)
Lawford, M., Pantelic, V., Zhang, H.: Towards integrated verification of timed transition models. Fund. Inform. 70(1–2), 75–110 (2006)
Ostroff, J.S.: Composition and refinement of discrete real-time systems. ACM Trans. Softw. Eng. Methodol. 8(1), 1–48 (1999)
Ostroff, J.S., Wang, C.-W., Hudon, S.: TTM/PAT: a tool for modelling and verifying timed transition models. Technical Report CSE-2013-05, York University (2013)
Sun, J., Liu, Y., Dong, J.S., Liu, Y., Shi, L., André, É.: Modeling and verifying hierarchical real-time systems using stateful timed CSP. ACM Trans. Softw. Eng. Methodol. 22(1), 3:1–3:29 (2013)
Sun, J., Liu, Y., Dong, J.S., Pang, J.: PAT: towards flexible verification under fairness. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 709–714. Springer, Heidelberg (2009)
Vardi, M.Y.: Branching vs. linear time: final showdown. In: Margaria, T., Yi, W. (eds.) TACAS 2001. LNCS, vol. 2031, pp. 1–22. Springer, Heidelberg (2001)
Acknowledgments
The authors would like to thank NSERC and ORF for their generous financial support.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Ostroff, J.S., Wang, CW., Hudon, S., Liu, Y., Sun, J. (2014). TTM/PAT: Specifying and Verifying Timed Transition Models. In: Artho, C., Ölveczky, P. (eds) Formal Techniques for Safety-Critical Systems. FTSCS 2013. Communications in Computer and Information Science, vol 419. Springer, Cham. https://doi.org/10.1007/978-3-319-05416-2_8
Download citation
DOI: https://doi.org/10.1007/978-3-319-05416-2_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-05415-5
Online ISBN: 978-3-319-05416-2
eBook Packages: Computer ScienceComputer Science (R0)