Structured specification of real time distributed systems using topological locative temporal logic
M.J. Wieczorek
Real Time Systems Group, Department of Mathematics and
Computer Science, University of Nijmegen, P.O. Box 9010,
6500 GL Nijmegen, The Netherlands
ABSTRACT
One of the main issues of software quality is the correctness of programs. For a long period of time correctness was understood as, and restricted to, functional correctness, i.e. the behaviour of a program in its environment satisfies its requirements. That is adequate for sequential, possibly non-deterministic programs, but in the case of distributed real time systems correctness can no longer be restricted to functionality alone. Parallel execution of processes, correct communication behaviour, and quantitative timing properties are some of the additional features distributed real time systems have in common.
To reason about distributed real time systems several logics are used in the literature. Among them are Hoare logic [18, 6], predicate logic [8, 4], and temporal logic [1, 9, 10]. An important disadvantage of such logics is that they only allow for reasoning about the global state of a system, i.e. predicates over data, time, or control are always globally interpreted (this has already been observed for classical temporal logic by Pnueli in [11]). As a consequence many different predicates or suitable parametrizations have to be defined.
Another solution has been suggested in [16] by the author himself and W.P. Koole: a two sorted modal logic, called Locative Temporal Logic (LTL), where the two modalities are used to reason about locative and temporal properties. In this paper we will use LTL to introduce a new programming logic for the specification, programming, and verification of distributed real time systems.
Transactions on Information and Communications Technologies vol
4, © 1993 WIT Press, www.witpress.com, ISSN 1743-3517
INTRODUCTION
One of the main issues of software quality is the correctness of programs. For a long period of time correctness was understood as, and restricted to, functional correctness, i.e. the behaviour of a program in its environment is as required in the specification. That is adequate for sequential, possibly non-deterministic programs, but in the case of distributed real time systems correctness can no longer be restricted to functionality alone. Several distinct kinds of properties must be taken into account. To get a better understanding of the inherent complexity let us begin with an informal definition (cf. Sloman and Kramer [14]):
A distributed real time system is one in which several autonomous processors interact in order to cooperate to achieve an overall goal. The processes coordinate their activities and exchange information by means of message transmission over a communication network. The occurrences of events are also related by quantitative timing properties.
That part of a distributed real time system which is responsible for the exchange of information between processes, including the communication network, is called the communication system.
From the description above it follows that distributed real time systems have two characteristic aspects in common: distribution of processes among processors and time dependency of events occurring during execution. When processes are dispersed among processors three situations can be distinguished. Firstly, the number of processes is greater than the number of processors. Then there is no one-to-one correspondence between processes and processors. Therefore, it will not be possible for each process to have its own processor, and distributing processes over processors will not be a simple task. Secondly, the number of processes is less than the number of processors. Then there is again no one-to-one correspondence between processes and processors, but this time there are enough processors to allow each process to have its own processor and, therefore, distributing processes over processors will be a simple task. Thirdly, the number of processes is equal to the number of processors. In this case there is a one-to-one correspondence between processes and processors and, therefore, distributing processes over processors will again be simple. In this paper we will only regard the last case.
Another important aspect of the informal definition above is the fact that processes "exchange information by means of message transmission over a communication network". Thus, the topology of the communication network, i.e. the set of processors together with their interconnection, has great impact on the way information is exchanged between processes. For example, if some processor in the network is not reachable from all other processors because no connection is available, that processor cannot receive any message from the network. Therefore, certain properties of the network must be assumed, for example strong connectedness, i.e. each processor is reachable from every other processor in the network.
A further aspect will be important: in a distributed real time system we have local ("autonomous processor") as well as global properties ("to achieve an overall goal"). For clarification, let us regard the problem of termination in a distributed environment as discussed by Hooman in [5] (a detailed discussion can be found in [2]): Consider a distributed process $\pi$ which is constructed from two other processes $\pi_1$ and $\pi_2$, say, by using two different processors, i.e. $\pi = \pi_1 \| \pi_2$. Suppose the two processes $\pi_1$ and $\pi_2$ have different termination times $t_1$ and $t_2$, say, with $t_1 \neq t_2$. Then one would expect that the termination time $t$ of the distributed process $\pi$ is given either by no uniform time expression but a pair of termination times of the two processes, i.e. $t = (t_1, t_2)$, or by the maximum of the termination times of the two processes, i.e. $t = \max(t_1, t_2)$. How can we specify such situations?
One propositional variable introduced to denote termination of process $\pi_1$ is globally true or false and can, therefore, not be used to denote termination of process $\pi_2$ or even termination of process $\pi$, provided that the termination times $t_1$ and $t_2$ are always different. Therefore, one would need more than one propositional variable, for example one for each process to denote termination of the corresponding process. Another solution can be provided by parametrizing a termination predicate with suitable process names. This line has been followed in a different but similar context by Cristian in [4]. But also in this case the problems around global interpretation will still remain.
An early result on composition of specifications using propositional temporal logic has been published by Barringer, Kuiper, and Pnueli in [1], where the temporal formulae are interpreted over labelled sequences of states. This approach uses, beyond global and local individual variables and state propositions, so called edge propositions which allow one to distinguish between transitions effected by a module and transitions performed by others. The temporal framework obtained is compositional in the sense mentioned by Hooman [6].
Another, recently published, considerable result has been provided in [6] by Hooman, where a metric temporal logic [7] based specification formalism is used together with a CSP like programming language and a compositional verification method. There, special predicates are introduced in the temporal assertion language to reason about termination and communication. The problem of termination in parallel composition has been solved by defining two different proof rules: one for "simple parallel composition", when the corresponding termination predicate is not contained in the specifications of the participating processes, and a second for "general parallel composition" which is much more complex.
Our view of a distributed real time system (DRTS) is characterized by the fact that an external observer looks at a particular DRTS and tries to order the occurrence of events onto a global linear time scale. This view is common to sequential systems and has its deficiencies in the context of reactive systems (cf. Reisig [12]). For example, suppose that the same message arrives at the same time but at different processors; how can we order these events? To overcome such deficiencies we have introduced in [16] a second global scale which is naturally given by the communication network of a distributed real time system. Doing so, we can keep the time domain as simple as possible, namely linear, and can use the second ordering scheme to get the events ordered just in the case that the times of their occurrences are not different. This leads to a distributed real time model where the time as well as the location of an event (for example a communication event) is made explicit.
This paper is organized as follows: After this introduction, we will define our programming logic, i.e. distributed real time model, specification language, programming language, and proof system. Afterwards, we will again discuss the problem of distributed termination. Finally, we provide an outline of possible future work.
SPECIFYING AND PROGRAMMING NETWORKS
In this section, we will define our programming logic consisting of the distributed real time model, our specification and programming languages (including syntax and semantics), and the proof system which allows for verifying that a particular distributed real time system satisfies its requirements.
DISTRIBUTED REAL TIME MODEL
The computational model defined in [6] by Hooman will be adopted and extended by a location component [16], i.e. with each point in time and each processor in the communication network a set of channels is associated, representing the current state of a distributed real time system with respect to communication behaviour. The current state with respect to communication behaviour is described by the set of channels along which synchronization or communication actually takes place.
First of all, let us provide some preliminary notions which will be needed in the subsequent text:
• The time domain is defined as $T^\infty = (\mathbb{Q}_0 \cup \{\infty\},$
• $\mapsto$ denotes the direct reachability relation on $P$ [16]. We assume that the relation $\mapsto$ is at least irreflexive and symmetric.
In our programming language, which is an extended subset of Hooman's RT-CSP [6], the communication primitives for sending and receiving signals or messages syntactically refer to undirected channels. Because our communication network is modelled by a finite directed graph we have to provide means to fill the gap between the undirected channels and the directed graph. Therefore, we introduce some more preliminary notions:
• A set of undirected channels is defined as $C = \{c_1, \ldots, c_m\}$ where each undirected channel $c_i$ ($i = 1, \ldots, m$) connects a pair of processors.
• An incidence function $I : C \to P \times P$ assigning to each undirected channel $c \in C$ an ordered pair $(p_1, p_2) \in P \times P$ of directly reachable processors, i.e. $p_1$ is connected to $p_2$ by $c$, in the following way:
1. for all $c \in C$ there exist $p_1, p_2$
During execution of a distributed real time system communication is modelled by a set of actually used undirected channels associated with each point in time and processor in the communication network. A communication action itself is divided into two phases (cf. Sloman and Kramer [14] and Hooman [6]): a synchronization phase, which involves the coordination of actions with respect to time between processes, and a transmission phase, which involves the exchange of information between processes and does not necessarily imply synchronization. However, in this paper we will consider only synchronous communication.
The separation between synchronization and transmission is reflected in our model by a state indicator which is added to a particular channel when this channel is in use: a channel $c \in C$ is used for communication by a certain processor $p \in P$ at time $t \in T^\infty$ if it is used either for synchronization or for transmission of information between the processors linked by $c$. With respect to our model this means that $c$ is contained in a model $\sigma$ and used for synchronization if $(c, \mathit{sync}) \in \sigma(t,p)$, or $c$ is contained in a model $\sigma$ and used for transmission if $(c, \mathit{trans}) \in \sigma(t,p)$.
From the model of the overall system we can build a restricted model which describes the communication behaviour of a certain processor in the communication network:

Definition 2 (P-Restriction of a Model) Let $p' \in P$ and let $\sigma$ be a model. A restricted model w.r.t. processor $p'$ or, for short, a P-restricted model, denoted $\sigma \downarrow p'$, is defined by:
$(\sigma \downarrow p')(t,p) = \sigma(t,p)$ for $p = p'$ and all $t$
Note that, in general, a P-restricted model will not be the same as a (non-restricted) model. But from the definition above we can directly prove the following

Lemma 1 Only when the number of processors is exactly one, i.e. $|P| = 1$, do the P-restricted model and the (non-restricted) model coincide, that is
$(\sigma \downarrow p')(t,p) = \sigma(t,p)$.
Next, we define the set of P-restricted models to be the set of all such models which have the same associated processor:

Definition 3 (Set of P-Models) Let $p \in P$ and let $\Sigma$ be a set of models. The set of all restricted models w.r.t. processor $p$ or, for short, a set of P-models, denoted $\Sigma \downarrow p$, is defined by:
Start time, termination time, and length can be defined for a P-model as well as for a (non-restricted) model. We will provide here definitions for both cases and all three notions.

Definition 4 (Start, Termination, Length of a P-Model) Let a P-model $\sigma$ be given.
1. The start time of a P-model is defined by: $\lambda_p(\sigma) =$
2. The termination time of a P-model is defined by:
3. The length of a P-model is defined by: $|\sigma|_p = \mu_p(\sigma) - \lambda_p(\sigma)$
Based on the definitions for a P-model we can now define the corresponding notions for start, termination, and length of a (non-restricted) model by quantifying over all P-models.

Definition 5 (Start, Termination, Length of a Model) Let $\sigma$ be a model.
1. The start time of a model is defined by: $\lambda(\sigma) =$
2. The termination time of a model is defined by: $\mu(\sigma) =$
3. The length of a model is defined by: $|\sigma| =$
To define sequential composition of programs we need a notion of sequential composition of models and sets of models:

Definition 8 (Concatenation of P-Models) Let
qualitative temporal properties but also quantitative ones. This is needed for real time aspects such as bounded response. Two operators are added for the locative part: a from-somewhere operator, which is useful when talking about whether a certain message has arrived from somewhere, and a topological operator, which allows in a restricted fashion for absolute referencing to a particular processor. The syntax of the specification language is given in table 1.
• Transmission predicate ($\mathit{trans}$): During execution of a DRTS the current processor is engaged, via some channel, in transmission at the current point in time.
$\sigma, t, p \models \mathit{trans}$ iff $(c, \mathit{trans}) \in \sigma(t,p)$ for some $c \in C$
• Negation ($\neg\varphi$):
$\sigma, t, p \models \neg\varphi$ iff not $\sigma, t, p \models \varphi$ \quad (5)
• Disjunction ($\varphi_1 \vee \varphi_2$): In the current model, at the current position either $\varphi_1$ is true or $\varphi_2$ is true or both $\varphi_1$ and $\varphi_2$ are true.
$\sigma, t, p \models \varphi_1 \vee \varphi_2$ iff $\sigma, t, p \models \varphi_1$ or $\sigma, t, p \models \varphi_2$
• To Somewhere ($\langle @\rangle_{\rightarrow}\varphi$): In the current model, there exists a processor which is directly reachable from the current processor such that $\varphi$ is true at the current point in time at the reachable processor.
$\sigma, t, p \models \langle @\rangle_{\rightarrow}\varphi$ iff there exists $p'$ such that $p \mapsto p'$ and $\sigma, t, p' \models \varphi$
• From Somewhere ($\langle @\rangle_{\leftarrow}\varphi$): In the current model, there exists a processor from which the current processor is directly reachable such that $\varphi$ is true at the current time point at that processor.
$\sigma, t, p \models \langle @\rangle_{\leftarrow}\varphi$ iff there exists $p'$ such that $p' \mapsto p$ and $\sigma, t, p' \models \varphi$
• There ($\mathcal{L}_{p'}(\varphi)$): In the current model, at the current time point $\varphi$ is true at processor $p'$ given by the index. Note that we allow the two processors (the current one and $p'$) to be reachable from one another or even to be the same. However, we do not require their reachability (see also the discussion by Rescher and Urquhart [13] and Stuhlmann-Laeisz [15]).
Program $\gamma$ ::= skip | suspend $\delta$ | send via $c$ within $\delta$ | receive via $c$ within $\delta$ | $\gamma_1 ; \gamma_2$
Process $\pi$ ::= $\langle\gamma\rangle_p$ | $\pi_1 \| \pi_2$
Table 2: Syntax of Programming Language
framework with variables.
In the sequel, we will informally discuss the constructs of our programming language and provide its denotational semantics:

Definition 13 (Denotational Semantics) Let $\Pi$ be a set of programming language constructs and $\Sigma$ be a set of models. Then, a mapping $\mathcal{M} : \Pi \to \Sigma$ assigning to each construct a set of models is called the denotational semantics of $\Pi$.
• Skip (skip): Immediately terminates on the current processor.
$\mathcal{M}(\mathbf{skip}) = \{$
The two phases are modelled by the following two sets:
$\mathit{SendSync}(c) = \{\sigma \downarrow p :$ there exists $p' \in P$ such that $p \mapsto$
and $I(c) = (p,p')$ and there exists $t \in$
such that $\lambda$
$\sigma(t,p') = \{($ for all $t' < t$ :
$\mathit{Send}(c) = \{\sigma \downarrow p : |\sigma|_p =$
such that $p \mapsto$
and for all $t' \in$
then
• Parallel Composition ($\pi_1 \| \pi_2$): Execution of processes $\pi_1$ and $\pi_2$ is truly parallel because the corresponding programs are distributed statically over the available processors.
$\mathcal{M}(\pi_1 \| \pi_2) = \mathit{PAR}(\mathcal{M}(\pi_1), \mathcal{M}(\pi_2))$ \quad (19)
To prove that a process satisfies its specification we will define a relation sat between the set of processes $\Pi$, written in our programming language, and the set of specifications $\Phi$, written in our specification language.

Definition 14 (Satisfaction) Let $\pi \in \Pi$ be some process term and let $\varphi \in \Phi$ be some specification formula. Then, we say process $\pi$ satisfies specification $\varphi$, denoted $\pi$ sat $\varphi$, if and only if $\sigma \models \varphi$ for all $\sigma \in \mathcal{M}(\pi)$.
In this paper, we only provide a rudimentary proof system for our programming logic. The axioms and rules are presented in the appendix PROOF SYSTEM. Further elaboration on the proof system is still needed (cf. CONCLUSIONS).
EXAMPLE: DISTRIBUTED TERMINATION
In the proof system above we have seen how a certain message diffusion principle is implemented by a programming language such as CSP, namely, information is sent over a particular channel to the connected processor. Nothing more is said about diffusing information over the whole network. This problem must then be considered on a higher system level. Therefore, RT-CSP can be used to implement a certain higher level diffusion principle, for example the one by Cristian [3].
But let us now briefly discuss the problem of distributed termination (a detailed investigation can be found in [2] by Chandy and Misra). Our version of the termination problem is adopted from Hooman [5]. The termination problem as discussed above (cf. INTRODUCTION) is characterized as follows: take as $P_1$ the process suspend $\delta_1$, for which

suspend $\delta_1$ sat $\neg\mathit{done}\ \mathcal{U}_{=\delta_1}\ \mathit{done}$

holds, i.e. termination happens precisely after $\delta_1$ time units and up to this time termination does not happen, and take as $P_2$ the process suspend $\delta_2$, for which

suspend $\delta_2$ sat $\neg\mathit{done}\ \mathcal{U}_{=\delta_2}\ \mathit{done}$

holds, i.e. termination happens precisely after $\delta_2$ time units and up to this time termination does not happen; however, for the compound process $P_1 \| P_2$, i.e. suspend $\delta_1$ || suspend $\delta_2$, the formula

(suspend $\delta_1$ || suspend $\delta_2$) sat $(\neg\mathit{done}\ \mathcal{U}_{=\delta_1}\ \mathit{done}) \wedge (\neg\mathit{done}\ \mathcal{U}_{=\delta_2}\ \mathit{done})$

does not hold, because done is true at time $\delta_1$ (cf. first formula) and done is false at time $\delta_1$ (cf. second formula), which is a contradiction. Therefore, two different proof rules have been provided in [6]: one for specifications of $P_1$ and $P_2$ that do not contain the constant predicate done, and a proof rule for the general case which is more complex and not as intuitive as the simple one. In LTL the above formulae are given as follows:

$\langle$suspend $\delta_1\rangle_{p_1}$ sat $\mathcal{L}_{p_1}(\neg\mathit{done}\ \mathcal{U}_{=\delta_1}\ \mathit{done})$

holds, i.e. in the context of processor $p_1$ done becomes true at time point $\delta_1$ and is false from the beginning on up to but not including this time point;

$\langle$suspend $\delta_2\rangle_{p_2}$ sat $\mathcal{L}_{p_2}(\neg\mathit{done}\ \mathcal{U}_{=\delta_2}\ \mathit{done})$

holds, i.e. in the context of processor $p_2$ the formula

$(\langle$suspend $\delta_1\rangle_{p_1} \| \langle$suspend $\delta_2\rangle_{p_2})$ sat $\mathcal{L}_{p_1}(\neg\mathit{done}\ \mathcal{U}_{=\delta_1}\ \mathit{done}) \wedge \mathcal{L}_{p_2}(\neg\mathit{done}\ \mathcal{U}_{=\delta_2}\ \mathit{done})$

holds, i.e. the termination times are considered independently.
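The termination example above, replayed mechanically, together with the max formula from the CONCLUSIONS and the locative operators of the specification language: the following Python is an added example written for this edition, not code from the paper or from Hooman's RT-CSP work. It evaluates a fragment of the specification language (trans, sync, negation, disjunction, conjunction, To Somewhere, From Somewhere, There, and a quantitative until $\mathcal{U}_{=\delta}$) over models of the form $\sigma(t,p) \subseteq C \times \{\mathit{sync}, \mathit{trans}\}$ from the DISTRIBUTED REAL TIME MODEL section, and implements the P-restriction of Definition 2. Everything the page does not state is an assumption and marked as such in the code: time is discrete ($0 \ldots$ horizon) rather than $\mathbb{Q}_0 \cup \{\infty\}$; done on processor $p$ at time $t$ means the P-model $\sigma\downarrow p$ has terminated by $t$; $\varphi\ \mathcal{U}_{=\delta}\ \psi$ means $\psi$ exactly $\delta$ units later with $\varphi$ strictly before; $\sigma \models \varphi$ means $\varphi$ holds at time 0 on every processor; $\sigma\downarrow p'$ keeps $\sigma(t,p')$ and nothing else; and the compound process counts as done once every processor is done. Processor names, the values of $\delta_1, \delta_2$ and the channel c are constructed.

```python
"""Added example (not from the paper): evaluator for a fragment of the
locative temporal logic, used to replay the distributed termination example.
Readings of 'done', U=delta, sigma |= phi, sigma|p' and discrete time are
assumptions, not the paper's definitions."""


class Network:
    """Finite processor set P with the direct reachability relation |-->,
    closed under symmetry and checked for irreflexivity (the paper's minimum
    assumptions on |-->)."""
    def __init__(self, processors, edges):
        self.P = frozenset(processors)
        self.reach = frozenset(edges) | frozenset((q, p) for p, q in edges)
        if any(p == q for p, q in self.reach):
            raise ValueError("|--> must be irreflexive")


class Model:
    """sigma(t,p): set of (channel, 'sync'|'trans') in use on p at time t.
    term[p]: termination time of the P-model sigma|p.  Assumption: 'done'
    holds on p at time t iff t >= term[p]."""
    def __init__(self, net, horizon, sigma, term):
        self.net, self.horizon = net, horizon
        self.sigma, self.term = dict(sigma), dict(term)

    def channels(self, t, p):
        return self.sigma.get((t, p), frozenset())

    def restrict(self, p_prime):
        """sigma|p' (Def. 2): keep sigma(t,p') for all t, drop the rest (assumed
        reading of the missing second case of the definition)."""
        kept = {(t, p): cs for (t, p), cs in self.sigma.items() if p == p_prime}
        return Model(self.net, self.horizon, kept, self.term)


def holds(m, t, p, f):
    """sigma,t,p |= f for formulas written as nested tuples."""
    op = f[0]
    if op == "true":  return True
    if op == "sync":  return any(s == "sync" for _, s in m.channels(t, p))
    if op == "trans": return any(s == "trans" for _, s in m.channels(t, p))
    if op == "done":  return t >= m.term[p]                 # assumption
    if op == "not":   return not holds(m, t, p, f[1])
    if op == "or":    return holds(m, t, p, f[1]) or holds(m, t, p, f[2])
    if op == "and":   return holds(m, t, p, f[1]) and holds(m, t, p, f[2])
    if op == "to":    # <@>-> phi: some p' with p |--> p' satisfies phi now
        return any(holds(m, t, q, f[1]) for q in m.net.P if (p, q) in m.net.reach)
    if op == "from":  # <@><- phi: some p' with p' |--> p satisfies phi now
        return any(holds(m, t, q, f[1]) for q in m.net.P if (q, p) in m.net.reach)
    if op == "there": # L_{p'}(phi): evaluate at p', reachability not required
        return holds(m, t, f[1], f[2])
    if op == "until_eq":  # phi U=d psi: psi exactly d later, phi strictly before
        d, phi, psi = f[1], f[2], f[3]
        if t + d > m.horizon:
            return False
        return holds(m, t + d, p, psi) and all(holds(m, s, p, phi) for s in range(t, t + d))
    raise ValueError(op)


def sat(models, f):
    """pi sat f (Def. 14): every model of pi satisfies f; sigma |= f is read
    as 'f holds at time 0 on every processor' (assumption)."""
    return all(holds(m, 0, p, f) for m in models for p in m.net.P)


# --- constructed instance of the termination example ------------------------
NET = Network({"p1", "p2"}, {("p1", "p2")})
D1, D2 = 3, 5                                   # constructed delta_1 != delta_2
# <suspend D1>_p1 || <suspend D2>_p2: no channel use; p1 done at D1, p2 at D2
SUSPEND = Model(NET, horizon=10, sigma={}, term={"p1": D1, "p2": D2})
DONE = ("done",)


def term_at(d):
    """-done U=d done, the page's termination specification."""
    return ("until_eq", d, ("not", DONE), DONE)


def global_conjunction_holds():
    """(-done U=D1 done) /\\ (-done U=D2 done) with done read globally."""
    return sat([SUSPEND], ("and", term_at(D1), term_at(D2)))


def locative_conjunction_holds():
    """L_p1(-done U=D1 done) /\\ L_p2(-done U=D2 done)."""
    return sat([SUSPEND], ("and", ("there", "p1", term_at(D1)),
                                  ("there", "p2", term_at(D2))))


def compound_termination_holds():
    """-done U=max(D1,D2) done, reading 'done' for the compound process as
    'done at every processor' (assumption)."""
    all_done = ("and", ("there", "p1", DONE), ("there", "p2", DONE))
    return sat([SUSPEND], ("until_eq", max(D1, D2), ("not", all_done), all_done))


# --- constructed communication model: one transmission over c at time 2 ----
COMM = Model(NET, horizon=4,
             sigma={(2, "p1"): {("c", "trans")}, (2, "p2"): {("c", "trans")}},
             term={"p1": 3, "p2": 3})


def partner_transmitting_at(t, p):
    """<@>-> trans at (t,p): a directly reachable processor is transmitting."""
    return holds(COMM, t, p, ("to", ("trans",)))


def restriction_is_identity(m, p):
    """Lemma 1 check: sigma|p equals sigma only if P is a singleton."""
    return m.restrict(p).sigma == m.sigma
```

On SUSPEND the global conjunction fails exactly for the reason the text gives: evaluated on p1, the first conjunct needs done true at D1 while the second needs done false for every time before D2 > D1; on p2 the roles swap. The locative version passes because each conjunct is evaluated at its own processor, and the max formula from the CONCLUSIONS passes once "done" for the compound process is read as done at every processor. COMM shows the To Somewhere operator: from p1 at time 2 a reachable processor (p2) is transmitting, at time 1 none is. On a two-processor network restriction is not the identity, as Lemma 1 requires.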
CONCLUSIONS
We have introduced a new programming logic based on our two sorted modal logic LTL [16]. An essential part of this logic is our distributed real time model, which makes detailed use of two global ordering schemes: a linear temporal scheme and a quasi-order (branching) locative scheme. This leads to a programming logic which regards distributed programming as the normal case and sequential programming as the special case. In this sense the proof system becomes simpler and more intuitive, also with respect to the parallel composition rule.
In the future, we must elaborate on the proof system to get a complete one and to get some properties proved, e.g. soundness. Additional rules will be needed to be able to derive a global property from local properties such as termination of processors. An example is given by the following formula:

$(\langle$suspend $\delta_1\rangle_{p_1} \| \langle$suspend $\delta_2\rangle_{p_2})$ sat $(\neg\mathit{done}\ \mathcal{U}_{=\max(\delta_1,\delta_2)}\ \mathit{done})$

holds, i.e. it expresses the strongest temporal property of the compound process $P = P_1 \| P_2$, provided that $\max$ is a function on the corresponding time domain $T$ which computes the maximum of two time points.
ACKNOWLEDGEMENTS
We are indebted to Wim Koole for many encouraging and fruitful discussions about the logical aspects of our research.
We are grateful to the participants of the "NS-Bereikbaarheid" Colloquium, especially John-Jules Meyer, Jos Coenen, and Wiebe van der Hoek, for many stimulating discussions. Thanks also to Jozef Hooman who took the time for discussions about his real time model, programming language, and compositional proof system.
We thank Hanno Wupper, Jan Vytopil, and Harry Buys for careful reading and commenting on earlier versions of this paper.
Supported partially by SION (Dutch Foundation for Research in Computer Science) under grant number 612-317-016 "A Specification Language for Reliable Real-Time Systems", by CEC (Commission of the European Community) under ESPRIT Basic Research Action 3096 (SPEC) "Formal Methods and Tools for the Development of Distributed and Real-Time Systems", and by STW (Dutch Technology Foundation) under grant number NWI88.1517 "Fault Tolerance: Paradigms, Models, Logics, Construction".
References
[1] H. Barringer, R. Kuiper, A. Pnueli. Now You May Compose Temporal Logic Specifications. In: Proceedings of the 16th ACM Symposium on Theory of Computing, pp. 51-63, 1984.
[2] K.M. Chandy and J. Misra. Parallel Program Design: A Foundation. Addison-Wesley 1988.
[3] F. Cristian, H. Aghili, R. Strong, D. Dolev. Atomic Broadcast: From Simple Diffusion to Byzantine Agreement. In: Proceedings of the 15th International Symposium on Fault-Tolerant Computing, 1985.
[4] F. Cristian. Reaching Agreement on Processor Group Membership in Synchronous Distributed Systems. IBM Research Division, Almaden Research Center, San Jose, California, Research Report RJ 5964 (59426) rev., 1990.
[5] J. Hooman and J. Widom. A Temporal-Logic Based Compositional Proof System for Real-Time Message Passing. In: LNCS 366, Proceedings PARLE'89, Vol. II, pp. 424-441, Springer 1989.
[6] J. Hooman. Specification and Compositional Verification of Real-Time Systems. LNCS 558, Springer 1991.
[7] R. Koymans. Specifying Message Passing and Time-Critical Systems with Temporal Logic. Ph.D. Thesis, Eindhoven University of Technology, 1989.
[8] L. Lamport. Specifying Concurrent Program Modules. In: ACM Transactions on Programming Languages and Systems, Vol. 5, No. 2, pp. 190-222, 1983.
[9] Z. Manna and A. Pnueli. Verification of Concurrent Programs: A Temporal Proof System. In: Foundations of Computer Science IV, Distributed Systems: Part 2, Mathematical Centre Tracts, Vol. 159, pp. 163-255, 1982.
[10] Z. Manna and A. Pnueli. The Anchored Version of the Temporal Framework. In: LNCS 354, "Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency", de Bakker, de Roever, Rozenberg (eds.), Springer 1989.
[11] A. Pnueli. The Temporal Semantics of Concurrent Programs. In: Theoretical Computer Science, Vol. 13, pp. 45-60, 1981.
[12] W. Reisig. Das Verhalten verteilter Systeme. Gesellschaft für Mathematik und Datenverarbeitung, Bericht Nr. 170, 1987.
[13] N. Rescher and A. Urquhart. Temporal Logic. Springer 1971.
[14] M. Sloman and J. Kramer. Distributed Systems and Computer Networks. Prentice-Hall 1987.
[15] R. Stuhlmann-Laeisz. Multi-Dimensional Topological Modal Logic. In: Logique et Analyse, September 1987.
[16] M.J. Wieczorek and W.P. Koole. Two-Sorted Modal Logic and its Application to Distributed Real Time Systems. In: Proceedings "Applied Logic Conference", December 1992 (to appear).
[17] N. Wirth. Toward a Discipline of Real-Time Programming. In: Communications of the ACM, Vol. 20, No. 8, 1977.
[18] J. Zwiers. Compositionality, Concurrency and Partial Correctness. LNCS 321, Springer 1989.
SYNTACTIC ABBREVIATIONS
Some useful syntactic abbreviations will be provided in the sequel:
$\bot = \neg\top$ \quad (20)
$\varphi_1 \wedge \varphi_2 = \neg(\neg\varphi_1 \vee \neg\varphi_2)$ \quad (21)
$\varphi_1 \to \varphi_2 = \neg\varphi_1 \vee \varphi_2$ \quad (22)