About the Compilation of CSL, a Real-Time – pattern based – Specification Language

1

About the Compilation of CSL,

a Real-Time

– pattern based –

Specification Language

Vered Gafni, IAI

2

• Work initiation in SPEEDS, IP of 6th framework EC IST program.

• Speculative and Exploratory Design in Systems Engineering,

namely: SPEEDS is about

‘Components based formal development of embedded systems’

Development = specification + analysis (by formal methods)

Scope

3

Partners:

– Academies: INRIA, Rennes, France,

OFFIS, Oldenburg, Germany,

VERIMAG, Grenoble, France,

Parade, Rome, Italy

– Industries: AirBus, IAI, Carmeq (VW), Bosch

– Tool providers: Telelogic, Esterel, GreenSys

• People:

– Roberto Passerone, University of Trento, Italy

– Albert Benveniste, Benoit Caillaud, INRIA

– Joseph Sifakis, Susanne Graf, VERIMAG

– Werner Damm, Bernhard Josko, OFFIS

– Alberto Sangiovanni, Berkeley

SPEEDS

4

UAV

GroundStation

AirVehicle

Payload

SensorINS

Building systems from library of

components

Distributed development

Clear splitting of responsibilities

Heterogeneous behavior: Discrete & continuous

various viewpoints:FunctionalityReal time Safety,…

Component Based Development

5

SPEEDS Component View

6

Assumption, Promise – assertions regarding component behavior

Assumption:

- Minimal delay of 50 sec. between successive trains. - At startup no train is already in XR - Trains move in one direction Promise: - Gate closed as long as a train is in XR. - Gate open whenever XR is empty for more than 10 sec.

Component

Assumption Promise

Contract: Basic Specification element

7

• Refinement:

Functionality Performance Safety

Component

Component: Viewpoints & Refinement

• Viewpoints:

8

Analysis: based on algebra of contracts (w.r.t. composition)

within a component (same interface) Consistency,

Compatibility,

Dominance,

Simulation,

Satisfiability

Functionality Time performance

Safety

Component

ComponentComponentComponent

contracts contracts contracts

along components (a certain viewpoint)

Contract

contract contract contract

Refinement

9

Assertions Expression – Hybrid Automata (HRC formalism)

H = X, , G=(V,E), VL=(init, inv, flow), EL=(ET, EC)

• X = {x1,…xn} - finite set of real-numbered variables.

• - finite set of events (atomic entities)

• G=(V,E) - control graph, (V - control modes, E - control switches).

• VL - mode labeling functions:

init: V {predicates over x} -- initial condition

inv: V {predicates over x} -- invariant condition

flow: V {predicates over x,x∂ } -- continuous evolvement.

• EL – switch labeling functions

ET: E -- assigns a transition event to each edge.

EC: E {predicates over x,x’} -- discrete transition condition.

- x∂ - the derivatives of x during continuous change.- x’ - values at the conclusion of discrete change.

10

CloseCmdDly OpenCmdDly

approachinv=(clk<K)

Idle

flow=(clkK

init=(True)

flow=(clkK flow=(clkK

inv=(clk<K)

exitexit

approach

approachclk’=0

exitclk’=0

open_cmdclose_cmd

MoveUp MoveDownopen_cmd

Up

flow=(y

open_cmd y=0

init=(True)y=90 close_cmd

close_cmd

inv=(y=90)

flow=(y

inv=(y<90)

flow=(y

inv=(y>0)

close_cmd

Down

flow=(y

inv=(y=0)

close_cmdopen_cmd

Far

Near

flow=(-50<X inv=(X>1000)init=(X<5000)

flow=(-50<X

inv=(X>0)

Passing

flow=(-50<X

inv=(X>-100)

approachx=1000

exitx=-100 &1900x’4900

x=0

Train

Controller

Gate

11

In practice,

• Contract’s assertions must be expressed in formal language; but,

HA is ‘too formal’ (low level) to be used by normal engineers.

• Alternative options like (Metric) LTL were examined; did better

The gate is closed when a train traverses GR (gate region). (EnterGR ClosedUExitGR)

but for normal properties

Between the time an elevator is called at a floor and the time it opens its doors at that floor the elevator can pass that floor at most twice.

((call Open) (Move U (Open (Stop U (Open (Move U (Open (Stop U (Open (Move U Open)))))))))) still too difficult – not accepted!.

Assertions Expression – Formal Language

12

Next attempt: ‘patterns’

• English like fixed sentence embedded with parameters’ place holders, e.g.:

inv [Q] while [P] after [N] steps

represents a fixed property up to parameters' instantiation.• Semantics: a fixed automaton.

A patterns library developed by OFFIS (Oldenburg)

- Parameters instantiation – state expressions

- Semantics over discrete time model

Idea acceptable by users (format, less) but shortly patterns became complex, like:inv [P] triggers [Q] unless [S] within [B] after_reaching [R]

and library grew up to ~400 patterns, not manageable.

Assertions Expression – Patterns (SafeAir Project)

13

HRC {HRC-Id}

Interface

controlled: {variables declaration}

uncontrolled: {variables declaration}

Contracts

{viewpoint-id} contract {contract-id} *

Assumption: {assertion}

Promise: {assertion}

SPEEDS - CSL (Contracts Specification Language)

CSL – A pattern based specification language for hybrid systems

14

CSL – What’s new (I)

• Time model: R.

• Variables: Discrete range Continuous range - pwc evolution pw derivable

• Events (non-Zenon)

15

CSL Patterns – What’s new?

• whenever [E] occurs [C] holds during following [I]

I

EC

• whenever [E1] occurs [E2] occurs within [I]

I

E1 E2

• [C] during [I] raises [E]

I

EC

More intuitive names

• Temporal/Continuous expressions for parameters:

Events

Conditions

Intervals

16

Pattern parameters: Events & Conditions

Events:

• Primitive: a, b, c,… Startup, e~v (e valued event)

• Derived: e defined-by state-change ,e.g., tr(C), fs(C)

• Time delay: e+T

• Expressions: e1e2, e1e2, e1-e2, e1;e2, e when C

Conditions• Boolean variable: A, B, C,…

• Boolean expression constructed by: , , , ,

• Relations over x, x∂: x>5, x∂=-x+5

predefined functions: Timer(T) at e, PeriodicTimer(T) at e

17

Timers

• PeriodicTimer(T) at e

• Timer(T) at e

e+T tr(c=T) where c=Timer(T) at e

18

Intervals

ba a a b b a b

1 2 43|a,b|

• Interval definition: |e1,e2,…,en| where n1, and |..|{ [ ], [ ), ( ], ( ) }

• Occurs when e1;e2;…;en occurs, and lasts from e1 to en.

Special cases:• |n:e| |e,e,…,e|, for n>2 - sliding window

• Singletons appear only as closed intervals: [e]

• For periodic e: |n+1:e| |n e|, thus |3 sec| defines 3 sec. interval.

• For condition C: |C| |tr(C), fs(C)|,

19

CSL Examples

Whenever the request button is pressed a car should arrives at the station within 3 minutes

Whenever [car-request] occurs [car-arrives] occurs within [3min]

Dispatching commands will be refused during first 5 seconds

after a car arrives at station

Whenever [car-arrives] occurs [dispatch-cmd] implies [refuse-msg] during following [5sec]

40 sec. minimal delay between trains:

Whenever [Tin] occurs [Tin] does not occur during following (40 sec]

Between the time an elevator is called at a floor and the time it stops at that floor the elevator can pass that floor at most twice.

[PassFloor[m]] occurs at most [2] times during (CallAtFloor[m], StopAtFloor[m])

20

Pattern Occurrence Types

car-request

Occurrence instance

car-arrives car-request

Occurrence instance

car-arrivescar-requestX


• Flowing occurrences - interleaving occurrence's instances

• Iterative occurrences – non interleaving occurrence's instances

AF<3m3/s AA

[F<3] during [3 Sec] raises [AlarmSignal]

21

Pattern 1: Automaton Representation

Pattern #1: whenever [E_1] occurs [C] holds during following [E_2, E_3]

22

Pattern 2: Automaton Representation (by Verimag)

23

whenever [E] occurs [ER] occurs within [ES,EF]

Pattern 4: Automaton Representation

24

Event Identification Automata

state change event: tr(C)

state change event: e, e1e2, e1e2, e1-e2

delay event: e+T

sequence event: e1;e2

25

CSL

Why ?

• Number of patterns starts increasing (14); some simpler,

some more complex.

• Compilation is not trivial, needs experts.

Idea motivated by the observation:

Pattern behavior: triggering behavior implies promised behavior

Hence: few simple patterns + combination operators

Triggering behavior


Promised behavior

26

• 3 basic (simple) patterns:

• [C: condition] during |I: interval|

• [E: event] occurs within |I: interval|

• [E: event] does not occur during |I: interval|

• Compound patterns by 2 composition operators:

• pattern implies pattern

• pattern entails pattern

Examples:

[Gate_closed] during [Car_in, Car_out]

[Car_request] entails [Car_arrives] occurs within [3min]

Extends expressive power while reducing complexity

Compilation into HRC becomes simpler

Improved Version of CSL

27

• [e] occurs within [e] is abbreviated to [e].

• whenever [E] occurs [C] holds during following |I|

[E] entails [C] during |I|

• whenever [E1] occurs [E2] implies [E3] during following |I|

[E1] entails [E2-E3] does not occur during |I|

• [C] during [I] raises [E]

[C] during [I] entails [E] occurs within [0]

Derived patterns & examples

28

Compilation of Basic Patterns

Wait Interval

Start Event

Within Interval

(e1-e)

[e] occurs within [e1,e2]

e/sig

Failuree2-e

{e1,e}/sig

Wait Interval

Start Event

Within Interval

(e1-e)

[e] does not occur during [e1,e2]

(e2-e)/sig

Failuree

{e1,e}

29

Compound Patterns: Front-Back Fusion (I)

Wait Interval

Start Event

Within Interval

(e1-e)


e/sig

Failuree2-e

{e1,e}/sig

30

Compound Patterns: Front-Back Fusion (II)

Wait Interval

Start Event

Within Interval

(e1-e)


e/sig

Failuree2-e

{e1,e}/sig

Fusion algorithm ?

[e] occurs within [e1,e2] entails [C] during [e3,e4]

31

Fusion by Composition (I)

]e [occurs within [e1,e2] entails [e’] occurs within [e3,e4]

Triggering behavior

Promised behavior

32

Three forms of a basic pattern

]e [occurs within [e1,e2] entails [e’] occurs within [e3,e4]

Wait Interval

Start Event

Within Interval

(e1-e)


e/sig

Failuree2-e

{e1,e}/sig

33

Wait Interval

Start Event

Within Interval

[C]sig-e3

Wait Interval

Start Event

Within Interval

(e1-e)


WaitResponse

e2-e

{sig’,{e,e1}/sig}

sig'

{e,e1}/sig-sig’

e/sig-sig’

{sig’,e/sig}

Wait Interval

Start Evente3[C]

(sig,e3[C])

[C]e4/sig’

WithinInterval II

[C]

Wait Interval I

Start Event

Within Interval I

(e1-e)


WaitInterval II

e2-e

{e,e1}-e3

e3[C]

[C]e4

{e,e3[C]}

{e,e1,e3[C]}

e-e3

Fusion by Composition (II)

34

Wait Interval

Start Event

Within Interval

[C]sig-e3

Wait Interval

Start Event

Within Interval

(e1-e)


WaitResponse

e2-e

{sig’,{e,e1}/sig}

sig'

{e,e1}/sig-sig’

e/sig-sig’

{sig’,e/sig}

Wait Interval

Start Evente3[C]

(sig,e3[C])

[C]e4/sig’

Indevedual vs. fusion version

35

Wait Interval I

Start Event

Within Interval I

[C]

Wait Interval II

Start Evente1[C] [C]e2-e3

Failure

[C] during [e1,e2] entails [e’] occurs within [e3,e4]

Within Interval II

e’

{[C]e2,e3,e’}

e3-e’

{e3,e’}

e4-e’

Wait Interval

Start Event

Within Interval[C]

Wait Interval

Start Evente1[C] [C]e2/sig-sig’

Wait Interval

Start Event

Within Interval

sig-e3

{e3,e’}/sig’Failuree4-e’

{sig,{e’,e3}/sig’}

[C] during [e1,e2] entails [e’] occurs within [e3,e4]

Wait Interval

Start Evente3-e’

(sig,e3-e’)

e’/sig’

{sig’,[C]e2/sig}

sig’

Fusion by Composition (III)

36

Fusion by Composition

Result:

• Each basic pattern appears in 3 versions:

Individual,

Front fusion

Back fusion

then fusion reduces to composition of automata (well defined)

37

Further work

Practical:

• Build a compiler for CSL (then gain all the power of analysis tools created in SPEEDS).

Theoretical:

• Examine the expressive power of CSL (w.r.t. metric LTL, HA)

• Examine different sets of basic patterns + operators (is there a ‘minimal’ configuration?, more expressive one? (is it needed in practice),• Examine different models of intervals deployment

About the Compilation of CSL, a Real-Time – pattern based – Specification Language

Documents

Transcript of About the Compilation of CSL, a Real-Time – pattern based – Specification Language