Abstract
The Clock Constraint Specification Language (CCSL) is a formalism for specifying logicaltime constraints on events for the design of realtime embedded systems. A central verification problem of CCSL is to check whether events are schedulable under logical constraints. Although many efforts have been made addressing this problem, the problem is still open. In this paper, we show that the bounded scheduling problem is NPcomplete and then propose an efficient SMTbased decision procedure which is sound and complete. Based on this decision procedure, we present a sound algorithm for the general scheduling problem. We implement our algorithm in a prototype tool and illustrate its utility in schedulability analysis in designing realworld systems and automatic proving of algebraic properties of CCSL constraints. Experimental results demonstrate its effectiveness and efficiency.
Keywords
 SMT
 CCSL
 Schedulability
 Logical time
 Realtime system
This work is supported by NSFC grants 61872146, 61532019 and 61761136011.
Download conference paper PDF
1 Introduction
Modelbased design has been widely used, particularly in the design of safetycritical realtime embedded systems. It has achieved industrial successes through languages such as SCADE [12], AADL [15] and UML MARTE [26]. For example, UML MARTE provides syntactic annotations to implement, when the context allows, classical realtime scheduling algorithms such as EDF (Earliest Deadline First). It also provides a domainspecific language–Clock Constraint Specification Language (CCSL) [3], to express the realtime behaviors of a system under development as logical constraints on system events, but independently of any physical time and classical realtime scheduling algorithms. CCSL has been used on several industrial scenarios such as vehicle systems [16] and cyberphysical systems [10, 22].
Modelbased design usually starts with coarsegrained logical models that are progressively refined into more concrete ones until the final code deployment. It is wellknown that the earlier one can detect and fix bugs in the refinement process, the better [7]. Therefore, it is critical to provide efficient methods and tools to check safety, liveness and schedulability on the logical models and not only on the definite deployed system. This has motivated a large body of works on verifying whether events are schedulable under a set of constraints expressed in CCSL [11, 21, 28, 33, 35, 36, 38], though its decidability is still open. These works first transform CCSL constraints into other formal representations such as transition systems [21], Promela [35], Büchi automata [36], timed automata [33], rewriting logics [38], instant relations [28], or timedinterval logics [11], and then apply existing tools. However, their approaches usually suffer from the state explosion problem. Moreover, most of these works only deal with the socalled safe subset of CCSL and the other ones only provide semialgorithms. In our earlier work [39], we proposed an SMTbased verification approach to CCSL and demonstrated several applications of the approach to finding schedules, verifying temporal properties, proving constraint entailment, and analyzing the validity of system traces. Based on the approach, we implemented an efficient tool for verifying LTL properties of CCSL [40].
In this work we are focused on the scheduling problem of CCSL, a fundamental problem to which the aforementioned verification problems of CCSL can be reduced. We first prove that the bounded scheduling problem of CCSL with fixed bounds is NPcomplete. To our knowledge, this is the first result regarding the complexity of the scheduling problem with CCSL. Then, we propose a decision procedure for the bounded scheduling problem with a given bound. The decision procedure is based on the transformation of CCSL into SMT formulas [39]. Our decision procedure is sound, complete, and efficient in practice. Based on this decision procedure, we turn to the general (i.e. unbounded) scheduling problem and present a binarysearch based algorithm. Our algorithm is sound, i.e., if it proves either schedulable or unschedulable, then the result is conclusive. We implemented our algorithms in a prototype tool. The tool was used to analyze a realworld interlocking system in a rail transit system. Using the proposed approach, we also prove some algebraic properties of CCSL. The experimental results demonstrate the effectiveness and efficiency of the SMTbased approach.
The rest of this paper is organised as follows: Section 2 introduces CCSL. Section 3 defines the (bounded) scheduling problem of CCSL and shows that the bounded case is NPcomplete. Section 4 presents an SMTbased decision procedure for the bounded scheduling problem and a sound algorithm for the general scheduling problem. Section 5 shows a case study and experimental results. Section 6 discusses related work, and Section 7 concludes the paper.
2 The Clock Constraint Specification Language
2.1 Logical Clock, History and Schedule
In CCSL, clocks are used to model occurrences of events, where a clock ticks when the corresponding event occurs. For instance, a clock may represent an event that is dispatch of a task, communications between tasks or acquisition of a shared resource by a task. Constraints over clocks are used to specify causal and temporal relations between system events. No global physical time is presumed for the clocks and their constraints. This feature allows CCSL to define a polychronous specification of a system at a logical level.
Definition 1
(Logical clock). A (logical) clock c is an infinite sequence of ticks \((c^i)_{i\in {\mathbb N}^+}\) with each \(c^i\) being tick or idle, where \({\mathbb N}^+\) denotes the set of all the nonzero natural numbers.
The value of \(c^i\) denotes whether an event associated with c occurs or not at step i. If \(c^i\) is tick, then the event occurs, otherwise not. In particular, we denote by a global reference logical clock that always ticks at each step.
Definition 2
(Schedule). Given a set C of clocks, a schedule of C is a total function \(\delta :\mathbb N^{+} \rightarrow 2^{C}\) such that \(\forall i\in \mathbb N^{+}\), \(\delta (i)=\{c\in C \mid c^i=\textit{tick}\}\) and \(\delta (i)\ne \emptyset \).
Intuitively, a schedule \(\delta \) defines a partial order between the ticks of the clocks. \(\delta (i)\) is a subset of C such that \(c\in \delta (i)\) iff c ticks at step i. The condition \(\delta (i)\ne \emptyset \) expresses that step i cannot be empty. This forbids stuttering steps in schedules. As one can add or remove finite number of empty steps without effect on schedulability, we exclude them from schedules for succinctness.
A clock can memorize the number of ticks that it has made. We use history to represent the memorization.
Definition 3
(History). Given a schedule \(\delta \) for a set C of clocks, a history of \(\delta \) is a function \(\chi _{\delta }:C \times \mathbb N^+ \rightarrow \mathbb N\) such that for each \(c\in C\) and \(i\in \mathbb N^+\):
\(\chi _{\delta }(c,i)\) represents the number of the ticks that the clock c has made immediately before step i. (Note that the tick of c at step i is excluded in \(\chi _{\delta }(c,i)\).) For simplicity, we may write \(\chi \) for \(\chi _{\delta }\) if it is clear from the context.
2.2 Syntax and Semantics of CCSL
CCSL consists of 11 kinds of constraints, 4 of them are binary relations for specifying the precedence, causality, subclocking, and exclusion relations between clocks, and the others are used to define clocks from existing ones. Clocks defined by constraints may correspond to system events or are just introduced as auxiliary clocks without corresponding to any events.
Definition 4
(Syntax). A CCSL constraint \(\phi \) is defined by the following form:
where \(b\ge 0\), \(d\ge 0\) and \(p>0\) are natural numbers, \(c_1\), \(c_2\), \(c_3\) are logical clocks and w is a (possibly infinite) word over \(\{0,1\}\) expressed as a (\(\omega \))regular expression.
For simplifying presentation, we denote by the constraint , and the constraint such that \(c_2=c_3\).
The semantics of CCSL constraints is defined over schedules. Given a CCSL constraint \(\phi \) and a schedule \(\delta \), the satisfiability relation \(\delta \models \phi \) (i.e., \(\delta \) satisfies constraint \(\phi \)) is defined in Table 1.
The precedence constraint (i.e., ) expresses that the clock \(c_1\) precedes the clock \(c_2\). Suppose there is an unbounded buffer with two operations fetch and store, which respectively fetch data from and store data into the buffer. Fetch is only allowed when the buffer is nonempty. If the buffer is initially empty, store operation must strictly precede fetch operation. This behavior can be expressed by the constraint: . Likewise, the precedence constraint can be used to represent reentrant tasks by replacing store with start and fetch with finish.
The general precedence constraint that can specify the differences b between the number of occurrences of two clocks before the precedence takes effect. Hence, it is able to express more complicated relations. For instance, if the buffer initially is nonempty, fetch operations can be performed prior to any store operation. Figure 1 shows such a scenario where 4 elements are initially presented in the buffer. This behavior can be represented as: .
The causality, subclock and exclusion constraints are straightforward. The causality constraint specifies that the occurrence of \(c_2\) must be caused by the occurrence of \(c_1\), namely at any moment \(c_1\) must have ticked at least as many times as \(c_2\) has. The subclock constraint expresses that \(c_1\) occurs at some step only if \(c_2\) occur at this step as well. The exclusion constraint specifies that two clocks \(c_1\) and \(c_2\) are exclusive, i.e., they cannot occur simultaneously at the same step.
The union and intersection constraints are used to define clocks. defines a clock \(c_1\) such that \(c_1\) ticks iff \(c_2\) or \(c_3\) ticks. Similarly, defines a clock \(c_1\) such that \(c_1\) ticks iff both \(c_2\) and \(c_3\) tick. The infimum (resp. supremum) constraint (resp. ) is used to define a clock \(c_1\) that is the slowest (resp. fastest) clock that is faster (resp. slower) than both \(c_2\) and \(c_3\). These two constraints are useful for expressing delay requirements between two events. Remark that clocks \(c_1\) defined by constraints may correspond to system events, otherwise are auxiliary clocks. In the former case, these constraints can be seen as constraints specifying relations between clocks \(c_1\), \(c_2\) and \(c_3\).
The periodicity constraint defines a clock \(c_1\) such that \(c_1\) has to be performed once every p occurrences of clock \(c_2\). It is worth mentioning that the periodicity constraint defined in such a way is relative because of the logical nature of CCSL clocks. That is, clock \(c_1\) is relatively periodic with respect to clock \(c_2\). CCSL does not assume the existence of a global reference clock, most relations are defined relative to other clocks. These notions extend the equivalent behaviors which are usually defined relative to physical time. If \(c_2\) represents a sensor that measures physical time, then \(c_1\) becomes physically periodic.
The filtering constraint is used to define a clock \(c_1\) which can be seen as snapshots of the clock \(c_2\) at some steps according to the (\(\omega \))regular expression w. For instance, expresses that \(c_1\) simulates \(c_2\) at every even step. It defines a logically periodic behavior of \(c_1\) with respect to \(c_2\).
The delayFor constraint (i.e., ) defines a new clock \(c_1\) that is delayed by the clock \(c_2\) with d steps. The general form defines a new clock \(c_1\) that is delayed by \(c_2\) with d times of the ticks of \(c_3\). \(c_1\) can be seen as a sampled clock of \(c_2\) on the basis of \(c_3\). For instance, , denotes that whenever \(c_2\) ticks at least once between two successive ticks of \(c_3\) at steps m and n, \(c_1\) must tick at step n.
3 Scheduling Problem of CCSL
3.1 Schedulability
Given a set \(\varPhi \) of CCSL constraints, a schedule \(\delta \) satisfies \(\varPhi \), denoted by \(\delta \models \varPhi \), iff \(\delta \models \phi \) for all constraints \(\phi \in \varPhi \).
Definition 5
(Logical time scheduling problem). Given a set \(\varPhi \) of CCSL constraints, the (logical time) scheduling problem of CCSL is to determine whether there exists a schedule \(\delta \) such that \(\delta \models \varPhi \).
We illustrate the scheduling problem by a simple example. Consider alternative flickering between the green and red light using CCSL. We assume that green light starts first. The timing requirements can be formalized by the following three constraints:
where green and red are clocks respectively representing whether the green (resp. red) light is turned on, the clock tmp is an auxiliary clock used to help specify the constraints on clocks.
There exists exactly one schedule satisfying the three constraints, as shown in Fig. 2. In this schedule, the clock \( tmp \) has the same behavior as \( green \) from step 2, while the clock \( red \) has the opposite behavior to \( green \). Namely, \( red \) and \( green \) operates in an alternative manner. For simplicity, we also write to denote the alternation relation of the two clocks.
Although one may be able to find one or more schedules for some simple constraints, to our knowledge, there is no generally applicable decision procedure solving the scheduling problem of full CCSL. There are two main challenges. First, schedules are essentially infinite, i.e., defined on all the natural numbers. Second, the precedence is stateful, i.e., it depends on the history, and there is no upper bound on how far in the history one must go back. It may then require an infinite memory to store the history. As a first step to tackle this challenging problem, in this work, we first consider the bounded scheduling problem.
3.2 Bounded Scheduling Problem
Given a bound \(k\in \mathbb {N}^+\), let \(\sigma :\mathbb {N}^+_{\le k}\rightarrow 2^C\) be a function. \(\sigma \) is an kbounded schedule of a set \(\varPhi \) of CCSL constraints, denoted by \(\sigma \models _k\varPhi \), iff there exists a schedule \(\delta \) such that \(\delta (i)=\sigma (i)\) for every \(i\in \mathbb {N}^+_{\le k}\) and \(\delta \models \varPhi \) from step 1 up to k, where \(\mathbb {N}^+_{\le k}:=\{1,\cdots ,k\}\).
Definition 6
(Bounded scheduling problem). The bounded scheduling problem is to determine, for a given set \(\varPhi \) of CCSL constraints and a bound k, whether there is an kbounded schedule \(\sigma \) for \(\varPhi \), i.e., \(\sigma \models _k\varPhi \).
Theorem 1
(Sufficient condition of unschedulability). If a set \(\varPhi \) of constraints has no kbounded schedule for some \(k\in \mathbb {N}^+\), then \(\varPhi \) is unschedulable.
The proof is straightforward by contradiction.
It is easy to see that the bounded scheduling problem is decidable, as there are finitely many potential kbounded schedules, i.e., \((2^{C}1)^k\), where C denotes the number of clocks. Furthermore, the satisfiability problem of Boolean formulas can be reduced to the bounded scheduling problem in polynomial time.
Theorem 2
The kbounded scheduling problem of CCSL is \(\mathsf{NP}\)complete, even if \(k=1\).
Proof
The NP upper bound can be proved easily based on the facts that the number of possible kbounded schedules is finite and the universal quantification \(\forall n\in \mathbb {N}^+_{\le k}\) can be eliminated by enumerating all the possible values in \(\mathbb {N}^+_{\le k}\).
We prove the NPhardness by a reduction from the satisfiability problem of Boolean formulas which is known \(\mathsf{NP}\)complete. Consider the Boolean formula \(\phi =\bigwedge _{i=1}^m(l_i^1\vee l_i^2\vee l_i^3)\), where \(m\in \mathbb {N}^+\) and \(l_i^j\) for \(j\in \{1,2,3\}\) is either a Boolean variable x or its negation \(\lnot x\). Let \(\mathsf{Var}(\phi )\) denote the set of Boolean variables appearing in \(\phi \). We construct a set of CCSL constraints \(\varPhi \) as follows.
For each \(x\in \mathsf{Var}(\phi )\), we have two clocks \(x^+\) and \(x^\). Let \(\mathsf{enc}(x)=x^+\) and \(\mathsf{enc}(\lnot x)=x^\). Each clause \(l_i^1\vee l_i^2\vee l_i^3\) in \(\phi \) is encoded as the CCSL constraint \(c_i\triangleq \mathsf{enc}(l_i^1) + \mathsf{enc}(l_i^2)+ \mathsf{enc}(l_i^3)\), denoted by \(\psi _i\). Note that \(c_i\triangleq \mathsf{enc}(l_i^1) + \mathsf{enc}(l_i^2)+ \mathsf{enc}(l_i^3)\) can be transformed into CCSL constraints by introducing one auxiliary clock c, i.e., \(\{c_i\triangleq \mathsf{enc}(l_i^1) + \mathsf{enc}(l_i^2)+ \mathsf{enc}(l_i^3)\}\equiv \{c_i\triangleq \mathsf{enc}(l_i^1) +c,c \triangleq \mathsf{enc}(l_i^2)+ \mathsf{enc}(l_i^3)\}\).
Let \(\mathsf{enc}(\phi )\) denote the following set of CCSL constraints
where and enforce that either \(x^+\) or \(x^\) ticks at each step, but not both. This encodes that either x is true or \(\lnot x\) is true. Note that \(\tau \triangleq *_{i=1}^m c_i\) is a shorthand of \(\tau \triangleq c_1*\cdots *c_m\), and can also be expressed in CCSL constraints by introducing polynomial number of auxiliary clocks. For instance, \(\{c \triangleq c_1*c_2*c_3\}\equiv \{c \triangleq c_1*c',c'\triangleq c_2*c_3\}\). We can show that \(\phi \) is satisfiable iff \(\mathsf{enc}(\phi )\) is 1bounded schedulable. The satisfiability problem of Boolean formulas is NPcomplete, we get that the 1bounded scheduling problem of CCSL is NPhard. The kbounded scheduling problem for \(k>1\) immediately follows by repeating the ticks of clocks at the first step. \(\square \)
Theorem 2 indicates the time complexity of the bounded scheduling problem. Thus, we need to find practical solutions that are algorithmically efficient for it. In the next section, we propose an SMTbased decision procedure for the bounded scheduling problem and a sound algorithm for the scheduling problem. Thanks to advances in stateoftheart SMT solvers such as Z3 [25], our approach is usually efficient in practice.
4 Decision Procedure for the Scheduling Problem
4.1 Transformation from CCSL into SMT
Let us fix a set of CCSL constraints \(\varPhi \) defined over a set C of clocks. Each clock \(c\in C\) is interpreted as a predicate \(t_c:\mathbb {N}^+\rightarrow \mathsf{Bool}\) such that for all \(i \in \mathbb {N}^+\), \(t_c(i)\) is true iff the clock c ticks at i, where \(\mathsf{Bool}\) denotes Boolean sort. A schedule \(\delta \) of \(\varPhi \) is encoded as a set of predicates \(\mathcal {T}_C=\{t_cc\in C\}\) such that the following condition holds: for all \(t_c\in \mathcal{T}_C\),
Recalling that schedules forbid stuttering steps, this condition is enforced by restricting the predicates \(t_{c}\) in \(\mathcal {T}_C\) to satisfy the following condition:
Formula F1 specifies that at each step i at least one clock c ticks, i.e., \(t_c(i)\) holds.
For each clock \(c\in C\), we introduce an auxiliary function \(h_c:\mathbb {N}^+\rightarrow \mathbb {N}\) to encode its history. For each \(i\in \mathbb {N}^+\),
Intuitively, \(h_c(i)\) is equivalent to \(\chi (c,i)\) for each \(i\in \mathbb {N}^+\). The set of all the auxiliary functions is denoted by \(\mathcal {H}_C\).
By replacing each occurrence of clock c in \(\delta (n)\) (resp. \(c\not \in \delta (n)\)) with \(t_c(n)\) (resp. \(\lnot t_c(n)\)) and \(\chi (c,n)\) with \(h_c(n)\) in the definition of each CCSL constraint, each CCSL constraint \(\phi \) can be encoded as an SMT formula \(\llbracket \phi \rrbracket \).
We use \(\llbracket \varPhi \rrbracket \) to denote the conjunction of Formulas F1, F2 and the SMT encodings of CCSL constraints in \(\varPhi \). Formally,
Finding a schedule for \(\varPhi \) amounts to finding a solution, i.e., definitions of predicates in \(\mathcal {T}_C\), which satisfies \(\llbracket \varPhi \rrbracket \).
Proposition 1
\(\varPhi \) has a schedule iff \(\llbracket \varPhi \rrbracket \) is satisfiable.
The scheduling problem of \(\varPhi \) is transformed into the satisfiability problem of the formula \(\llbracket \varPhi \rrbracket \). However, according to the SMTLIB standard [4], \(\llbracket \varPhi \rrbracket \) belongs to the logic of UFLIA (formulas with Uninterpreted Functions and Linear Integer Arithmetic), whose satisfiability problem is undecidable in general. Nevertheless, the SMT encoding is still useful to solve the bounded scheduling problem, which we will present in the next subsection.
4.2 Decision Procedure for the Bounded Scheduling Problem
For kbounded scheduling problem, it suffices to consider schedules \(\delta :\mathbb {N}^+_{\le k}\rightarrow 2^C\). Moreover, the quantifiers in \(\llbracket \varPhi \rrbracket \) can be eliminated once the bound k is fixed. Hence, we can resort to stateoftheart SMT solvers. Formally, let \(\llbracket \varPhi \rrbracket _k\) be the formula obtained from \(\llbracket \varPhi \rrbracket = F1 \wedge F2 \wedge (\bigwedge _{\phi \in \varPhi }\llbracket \phi \rrbracket )\) by

restricting the domain of predicates \(t_c\in \mathcal {T}_C\) and functions \(h_c\in \mathcal {H}_C\) to \(\mathbb {N}^+_{\le k}\);

replacing quantifications \(\forall n\in \mathbb {N}^+\) and \(\exists m\in \mathbb {N}^+\) with \(\forall n\in \mathbb {N}^+_{\le k}\) and \(\exists m\in \mathbb {N}^+_{\le k}\) in \((\bigwedge _{\phi \in \varPhi }\llbracket \phi \rrbracket )\).
Proposition 2
\(\varPhi \) is kbounded schedulable iff \(\llbracket \varPhi \rrbracket _k\) is satisfiable.
Moreover, if \(\llbracket \varPhi \rrbracket _k\) is satisfiable, then \(\llbracket \varPhi \rrbracket _{k'}\) is satisfiable for all \(k'\le k\).
4.3 A Sound Algorithm for the Scheduling Problem
According to Theorem 1, Propositions 1 and 2, (1) if \(\llbracket \varPhi \rrbracket \) is satisfiable, then \(\varPhi \) is schedulable, and (2) if \(\llbracket \varPhi \rrbracket _k\) for some \(k \in \mathbb {N}^+\) is unsatisfiable, then \(\varPhi \) is unschedulable. We can deduce a sound algorithm for checking the general scheduling problem. However, randomly choosing a bound k and checking whether or not \(\llbracket \varPhi \rrbracket _k\) is unsatisfiable may be inefficient, as the kbounded scheduling problem is NPhard (cf. Theorem 2), and larger bound k may result in time out, but smaller bound k may result in that \(\llbracket \varPhi \rrbracket _k\) is satisfiable. Indeed, if we consider the maximal bound B, then the random approach may have to call SMT solving \(\mathbf{O}(B)\) times. Alternatively, we propose a binarysearch based approach as shown in Algorithm 1 for a given maximal bound B, which invokes SMT solving at most \(\mathbf{O}(\log _2B)\) times.
Given a set \(\varPhi \) of constraints in CCSL, a timeout threshold T and a maximal bound B, Algorithm 1 first invokes an SMTSolver to decide whether \(\llbracket \varPhi \rrbracket \) is satisfiable or not within \(\mathsf T\) time. If \(\llbracket \varPhi \rrbracket \) is satisfiable, then Algorithm 1 returns (SAT,0), meaning that \(\varPhi \) is schedulable. Otherwise, it binary searches a bound \(k\le B\) such that \(\llbracket \varPhi \rrbracket _{k}\) is satisfiable while \(\llbracket \varPhi \rrbracket _{k+1}\) (if \(k+1\le B\)) is unsatisfiable or cannot be verified in time T.
Theorem 3
Algorithm 1 has the following three properties:

1.
If it returns \((\mathtt{SAT,0})\), then \(\varPhi \) is schedulable.

2.
If it returns \((\mathtt{UNSAT, k})\), then \(\varPhi \) is unschedulable. If \(k\ne 0\), then \(\varPhi \) has kbounded schedulable, otherwise does not have any bounded schedulable.

3.
If it returns \((\mathtt{Timeout, k})\), then \(\varPhi \) is kbounded schedulable if \(k\ne 0\), otherwise no bounded schedule is found for \(\varPhi \).
5 Case Study and Performance Evaluation
We implemented our approach in a prototype tool with Z3 [25] as its underlying SMT solver. We conduct a case study on expressing requirements of an interlocking system in CCSL constraints and analyzing its schedulability. Then, we prove 12 algebraic properties of CCSL constraints using the tool. Finally, we evaluate the performance of the tool using 9 sets of CCSL constraints.
5.1 Schedulability of an Interlocking System
The interlocking system is a subsystem of a rail transit system. It is used to prevent trains from collisions and derailments when they are moving under the control of signal lights. As shown in Fig. 3, the interlocking system monitors the occupancy status of the individual track section, and sends signals to inform drivers whether they are allowed to enter the route or not. The railway tracks are divided into sections. Each section is associated with a track circuit for detecting whether it is occupied by a train or not. Signal lights are placed between track sections. They can be red and green to indicate proceeding and stopping, respectively.
The mechanism and operation procedure of the interlocking system are summarized as follows.

1.
To enter a track, a train first sends a request to the control center.

2.
On receiving the request, the control center sends an inquiry to the track circuit to detect the status of the track.

3.
If the track is occupied, it sends checkFail to the control center, and otherwise checkSucc.

4.
On receiving the message checkFail (resp. checkSucc), the control center sends a red (resp. green) signal pulse to the signal light.

5.
The signal light turns red (resp. green) on receiving the red (resp. green) signal pulse.

6.
The train will enter after seeing the light is green, and the track becomes occupied. In case of the red light, the train must stop and wait.

7.
The track becomes unoccupied after the train leaves. If the train is waiting, it must send a request again after some time.
There are time constraints on the above operations. For instance, the control center needs to get a response from the track circuit within 30 ms after sending an inquiry to it. The train must make decision within 50 ms after it sends a request to the control center. The light should turn to the corresponding color within 30 ms after it receives a pulse. After the track becomes occupied (resp. unoccupied), the light must turn red (resp. green) within 40 ms.
Table 2 shows the main logical constraints on the operations in the system and their timing constraints. We use some nonstandard constraint expressions for the sake of compactness. Constraint denotes that b must tick within n steps after a ticks. It equals the set of the following three constraints:
Note that in this example the unit of time is millisecond (ms). Thus, there is an implicit assumption in the constraints that every tick of a logic clock means the elapse of one millisecond.
Most constraints in Table 2 are straightforward, except the six constraints marked with waved underlines. The first three constraints specify that \(\mathtt {checkFail}\) only can occur between the occurrences of \(\mathtt {getUnoccupied}\) and \(\mathtt {getOccupied}\). The others specify the following two requirements:

1.
\(\mathtt {checkSucc}\) only can occur after \(\mathtt {getUnoccupied}\) and before \(\mathtt {getOccupied}\);

2.
\(\mathtt {getUnoccupied}\) precedes \(\mathtt {getOccupied}\).
Given these constraints, our tool found a bounded schedule as depicted in Fig. 4. From step 1 to step 7, one complete process is finished. Initially, the track gets unoccupied. At step 2, a request is made, which causes subsequent operations to occur from step 3 to step 7. At step 29, a fail case occurs because another train enters (step 26) but has not left (step 31). The train that made the request has to wait (step 33).
If we extend the bounded schedule by infinitely repeating the behaviors of all the clocks between step 51 and 69 from step 70, we obtain an infinite schedule. The extended schedule satisfies all the constraints, and thus it is a witness of the schedulability of designed mechanism for the interlocking system.
In this paper, we are only concerned with the schedulability of the constraints in the example. Some other kinds of temporal properties also need to verify. For instance, we must guarantee that whenever a train requests to enter the station, it must eventually enter. We also need to verify the system is deadlockfree. Such temporal properties can be verified by LTL model checking of CCSL constraints using SMT technique [40]. We omit it because it is beyond the scope of this paper.
5.2 Automatic Proof of CCSL Algebraic Properties
Using the proposed approach, we can also prove automatically algebraic properties of CCSL constraints such as the commutativity of exclusion and transitivity of causality. Algebraic properties of CCSL constraints can be represented as \(\varPhi \Rightarrow \phi \), where \(\varPhi \) is a set of CCSL constraints and \(\phi \) is a constraint derived from \(\varPhi \). Proving \(\varPhi \Rightarrow \phi \) is valid equals proving the unsatisfiability of \(\llbracket \varPhi \rrbracket \wedge \lnot \llbracket \phi \rrbracket \), which can be solved by Algorithm 1.
Let us consider the proof of the slowestness of infimum as an example. The slowestness of infimum means that an infimum constraint defines the slowest clock \(c_1\) among those that are faster than both \(c_2\) and \(c_3\).
Proposition 3
(Slowestness of infimum). Given two clocks \(c_2,c_3\), let and \(c_4\) be an arbitrary clock such that and , then .
This is proved by transforming CCSL constraints into the following SMT formula according the SMT encoding method:
Algorithm 1 returns (UNSAT, 0), which means that the formula is proved unsatisfiable. The proposition is proved.
Table 3 lists the algebraic properties that have been successfully proved in our approach. Algebraic properties are useful to help understand the relation among CCSL constraints. Using them we can also verify whether some CCSL constraints are redundant or inconsistent for a given set of CCSL constraints.
5.3 Performance Evaluation
To evaluate the performance our tool, we collected 9 sets of CCSL constraints from the literature and realworld applications, and analyzed their schedulability using our tool. Under different time thresholds, we calculate the maximal bounds under which the constraints are schedulable.
Table 4 shows all the experimental results including the corresponding execution time. All the experiments were conducted on a Win 10 running on an i7 CPU with 2.70 GHz and 16 GB memory. The numbers followed by asterisks are the maximal bounds such that the corresponding constraints are bounded schedulable, but unschedulable in the next step. It is interesting to observe from Table 4 that time cost is loosely related to size (the number of clocks and constraints), thanks to efficient search strategies of SMT solvers. This is in striking contrasts to automatabased [29, 35] and the rewritingbased approaches [38], whose scalability suffers from both the numbers of clocks and constraints.
6 Related Work
CCSL is directly derived from the family of synchronous languages, such as Lustre [9], Esterel [6] and Signal [5], and its the scheduling problem of CCSL is akin to what synchronous languages call clock calculus. The main differences are: CCSL is a specification language, while others are programming languages; and CCSL partially describes what is expected to happen in a declarative way and does not give a direct operational deterministic description of what must happen. Furthermore, CCSL only deals with pure clocks while the others deal with signals and extract the clocks when needed.
The Esterel compiler [31] applies a constructive approach to decide when a signal must occur (compute its clock) and what its value should be. This requires a detection of causality cycles, or intracycle data dependencies, which are also naturally addressed by our approach. However, the Esterel compiler compiles an imperative program into a Boolean circuit, or equivalently a finite state machine. Consequently, it cannot deal with CCSL unbounded schedules.
The clock calculus in Signal attempts to detect whether the specification is endochronous [30], in which case it can generate some efficient code. This analysis is mainly based on the subclock relationship that also exists in CCSL. In CCSL, we consider the problem whether there is at least one possible schedule or not.
In Lustre and its extensions, clocks are regarded as abstract types [13] and the clock calculus computes the relative rates of clocks while rejecting the program when computing the rates is not possible. In most cases, the compiler attempts to build bounded buffers and to ensure that the functional determinism can be preserved with a finite memory. In our case, we do not seek to reach a finite representation, as in the first specification steps this is not a primary goal for the designers. Indeed, this might lead to an overspecification of the problem.
Classical realtime scheduling problem [32] usually relies on task models, arrival patterns and constraints (e.g., precedence, resources) to propose algorithms for the scheduling problem with analytical results [19] or heuristics depending on the specific model (e.g., priorities, preemptive). Other solutions, based on timed automata [1, 2, 17] or timed Petri nets [8, 18], propose a general framework for describing all the relevant aspects without assuming a specific task model. CCSL offers an alternative method based on logical time. It is believed that logical time and multiform time bases offer some flexibility to unify functional requirements and performance constraints. We rely on CCSL and we claim that after encoding a task model in CCSL, finding a schedule for the CCSL model also gives a schedule for the encoded task model [24].
There have been many efforts made towards the scheduling problem of CCSL, though no conclusion is drawn on its decidability. TimeSquare [14] is a simulation tool for CCSL which can produce a possible schedule for a given set of CCSL, up to a given userdefined bound. It also supports different simulation strategies for producing desired execution traces. Some earlier work [20] define the notion of safe CCSL specifications that can be encoded with a finitestate machine. The scheduling problem is decidable for safe specifications, as one can merely enumerate all the (finite) solutions. A semialgorithm can build the finite representation when the specification is safe [21]. In [37], Zhang et al. proposed a statebased approach and a sufficient condition to decide whether safe and unsafe specifications accept a socalled periodic schedule [39]. This allows to build a finite solution for unsafe specifications, while there may also exist infinite solutions. Xu et al. proposed a notion of divergence of CCSL to study the schedulability of CCSL, and proved that a set of CCSL constraints is schedulable if all the constraints are divergent [34]. They resorted to the theorem prover PVS [27] to assist the divergence proof.
The scheduling problem of CCSL constraints in this work resorts to SMT solving to deal with the bounded and unbounded schedules. Using SMT solving has two advantages: (1) it is usually efficient in practice, and (2) it can deal with unsafe CCSL constraints such as infimum and supremum [21].
Some basic algebraic properties on CCSL relations have been established manually before [23] but we provide here an automatic framework to do so.
7 Conclusion and Future Work
In this work, we proved that the bounded scheduling problem of CCSL is NPcomplete, and proposed an SMTbased decision procedure for the bounded scheduling problem. The procedure is sound and complete. The experimental results also show its efficiency in practice. Based on this decision procedure, we devised a sound algorithm for the general scheduling problem. We evaluated the effectiveness of the proposed approach on an interlocking system. We also showed our approach can be used to prove algebraic properties of CCSL constraints.
Our approach to the bounded scheduling problem of CCSL makes us one step closer to tackling the general (i.e. unbounded) scheduling problem. As the case study demonstrates, one may find an infinite schedule by extending a bounded one such that the extended infinite schedule still satisfies the constraints. This observation inspires future work to investigate mechanisms of finding such bounded schedules, hopefully with SMT solvers by extending our algorithm. In our earlier work [37], we proposed a similar approach to search for periodical schedules in bounded steps. In that approach, CCSL constraints are transformed into finite state machine and consequently suffers from the state explosion problem. We believe our SMTbased approach can be extended to their work while still avoiding state explosion. We leave it to future work.
References
Abdeddaïm, Y., Asarin, E., Maler, O.: Scheduling with timed automata. Theor. Comput. Sci. 354(2), 272–300 (2006)
Amnell, T., Fersman, E., Mokrushin, L., Pettersson, P., Yi, W.: TIMES: a tool for schedulability analysis and code generation of realtime systems. In: Larsen, K.G., Niebert, P. (eds.) FORMATS 2003. LNCS, vol. 2791, pp. 60–72. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540409038_6
André, C., Mallet, F., de Simone, R.: Modeling time(s). In: Engels, G., Opdyke, B., Schmidt, D.C., Weil, F. (eds.) MODELS 2007. LNCS, vol. 4735, pp. 559–573. Springer, Heidelberg (2007). https://doi.org/10.1007/9783540752097_38
Barrett, C., Fontaine, P., Tinelli, C.: The SMTLIB standard (2016)
Benveniste, A., Guernic, P.L., Jacquemot, C.: Synchronous programming with events and relations: the SIGNAL language and its semantics. Sci. Comput. Program. 16(2), 103–149 (1991)
Berry, G., Gonthier, G.: The esterel synchronous programming language: design, semantics, implementation. Sci. Comput. Program. 19(2), 87–152 (1992)
Boehm, B., Basili, V.R.: Software defect reduction top 10 list. Computer 34(1), 135–137 (2001)
Bucci, G., Fedeli, A., Sassoli, L., Vicario, E.: Modeling flexible real time systems with preemptive time petri nets. In: Proceedings of the 15th ECRTS, Porto, Portugal, pp. 279–286. IEEE (2003)
Caspi, P., Pilaud, D., Halbwachs, N., Plaice, J.: LUSTRE: a declarative language for programming synchronous systems. In: Proceedings of 14th POPL, Tucson, USA, pp. 178–188. ACM Press (1987)
Chen, X., Yin, L., Yu, Y., Jin, Z.: Transforming timing requirements into CCSL constraints to verify cyberphysical systems. In: Duan, Z., Ong, L. (eds.) ICFEM 2017. LNCS, vol. 10610, pp. 54–70. Springer, Cham (2017). https://doi.org/10.1007/9783319686905_4
Chen, Y., Chen, Y., Madelaine, E.: TimedpNets: a communication behavioural semantic model for distributed systems. Front. Comput. Sci. 9(1), 87–110 (2015)
Colaço, J., Pagano, B., Pouzet, M.: SCADE 6: a formal language for embedded critical software development. In: Proceedings of the 11th TASE, Sophia Antipolis, France, pp. 1–11. IEEE (2017)
Colaço, J.L., Pouzet, M.: Clocks as first class abstract types. In: Alur, R., Lee, I. (eds.) EMSOFT 2003. LNCS, vol. 2855, pp. 134–155. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540452126_10
Deantoni, J., Mallet, F.: TimeSquare: treat your models with logical time. In: Proceedings of the 50th TOOLS, Prague, Czech Republic, pp. 34–41. IEEE (2012)
Feiler, P.H., Gluch, D.P.: Modelbased engineering with AADL  an introduction to the SAE architecture analysis and design language. SEI, AddisonWesley (2012)
Kang, E., Schobbens, P.: Schedulability analysis support for automotive systems: from requirement to implementation. In: Proceedings of the 29th SAC, Gyeongju, Korea, pp. 1080–1085. ACM (2014)
Krčál, P., Yi, W.: Decidable and undecidable problems in schedulability analysis using timed automata. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 236–250. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540247302_20
Lime, D., Roux, O.: A translation based method for the timed analysis of scheduling extended time petri nets. In: Proceedings of the 25th RTSS, pp. 187–196. IEEE (2004)
Liu, C.L., Layland, J.W.: Scheduling algorithms for multiprogramming in a hardrealtime environment. J. ACM 20(1), 46–61 (1973)
Mallet, F., Millo, J.V.: Boundness issues in CCSL specifications. In: Groves, L., Sun, J. (eds.) ICFEM 2013. LNCS, vol. 8144, pp. 20–35. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642412028_3
Mallet, F., de Simone, R.: Correctness issues on MARTE/CCSL constraints. Sci. Comput. Program. 106, 78–92 (2015)
Mallet, F., Villar, E., Herrera, F.: MARTE for CPS and CPSoS. In: Nakajima, S., Talpin, J.P., Toyoshima, M., Yu, H. (eds.) CyberPhysical System Design from an Architecture Analysis Viewpoint, pp. 81–108. Springer, Singapore (2017). https://doi.org/10.1007/9789811044366_4
Mallet, F., Millo, J., de Simone, R.: Safe CCSL specifications and marked graphs. In: Proceedings of the 11th MEMOCODE, Portland, OR, USA, pp. 157–166. IEEE (2013)
Mallet, F., Zhang, M.: Workinprogress: from logical time scheduling to realtime scheduling. In: Proceedings of the 39th RTSS, Nashville, USA, pp. 143–146. IEEE (2018)
de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540788003_24
OMG: UML profile for MARTE: modeling and analysis of realtime embedded systems (2015)
Owre, S., Rushby, J.M., Shankar, N.: PVS: a prototype verification system. In: Kapur, D. (ed.) CADE 1992. LNCS, vol. 607, pp. 748–752. Springer, Heidelberg (1992). https://doi.org/10.1007/3540556028_217
Peters, J., Przigoda, N., Wille, R., Drechsler, R.: Clocks vs. instants relations: verifying CCSL time constraints in UML/MARTE models. In: Proceedings of the 14th MEMOCODE, Kanpur, India, pp. 78–84. IEEE (2016)
Peters, J., Wille, R., Przigoda, N., Kühne, U., Drechsler, R.: A generic representation of CCSL time constraints for UML/MARTE models. In: Proceedings of the 52nd DAC, pp. 122:1–122:6. ACM (2015)
PotopButucaru, D., Caillaud, B., Benveniste, A.: Concurrency in synchronous systems. Formal Methods Syst. Des. 28(2), 111–130 (2006)
PotopButucaru, D., Edwards, S.A., Berry, G.: Compiling Esterel. Springer, Boston (2007). https://doi.org/10.1007/9780387706283
Sha, L., et al.: Real time scheduling theory: a historical perspective. RealTime Syst. 28(2–3), 101–155 (2004)
Suryadevara, J., Seceleanu, C., Mallet, F., Pettersson, P.: Verifying MARTE/CCSL mode behaviors using UPPAAL. In: Hierons, R.M., Merayo, M.G., Bravetti, M. (eds.) SEFM 2013. LNCS, vol. 8137, pp. 1–15. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642405617_1
Xu, Q., de Simone, R., DeAntoni, J.: Divergence detection for CCSL specification via clock causality chain. In: Fränzle, M., Kapur, D., Zhan, N. (eds.) SETTA 2016. LNCS, vol. 9984, pp. 18–37. Springer, Cham (2016). https://doi.org/10.1007/9783319476773_2
Yin, L., Mallet, F., Liu, J.: Verification of MARTE/CCSL time requirements in Promela/SPIN. In: Proceedings of the 16th ICECCS, USA, pp. 65–74. IEEE (2011)
Yu, H., Talpin, J., Besnard, L., et al.: Polychronous controller synthesis from MARTE/CCSL timing specifications. In: Proceedings of the 9th MEMOCODE, Cambridge, UK, pp. 21–30. IEEE (2011)
Zhang, M., Dai, F., Mallet, F.: Periodic scheduling for MARTE/CCSL: theory and practice. Sci. Comput. Program. 154, 42–60 (2018)
Zhang, M., Mallet, F.: An executable semantics of clock constraint specification language and its applications. In: Artho, C., Ölveczky, P.C. (eds.) FTSCS 2015. CCIS, vol. 596, pp. 37–51. Springer, Cham (2016). https://doi.org/10.1007/9783319295107_2
Zhang, M., Mallet, F., Zhu, H.: An SMTbased approach to the formal analysis of MARTE/CCSL. In: Ogata, K., Lawford, M., Liu, S. (eds.) ICFEM 2016. LNCS, vol. 10009, pp. 433–449. Springer, Cham (2016). https://doi.org/10.1007/9783319478463_27
Zhang, M., Ying, Y.: Towards SMTbased LTL model checking of clock constraint specification language for realtime and embedded systems. In: Proceedings of the 18th LCTES, Barcelona, Spain, pp. 61–70. ACM (2017)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2019 The Author(s)
About this paper
Cite this paper
Zhang, M., Song, F., Mallet, F., Chen, X. (2019). SMTBased Bounded Schedulability Analysis of the Clock Constraint Specification Language. In: Hähnle, R., van der Aalst, W. (eds) Fundamental Approaches to Software Engineering. FASE 2019. Lecture Notes in Computer Science(), vol 11424. Springer, Cham. https://doi.org/10.1007/9783030167226_4
Download citation
DOI: https://doi.org/10.1007/9783030167226_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783030167219
Online ISBN: 9783030167226
eBook Packages: Computer ScienceComputer Science (R0)