Higher-Order and Symbolic Computation manuscript No.
(will be inserted by the editor)
Semantics and Pragmatics of Real-Time Maude
Peter Csaba Ölveczky · José Meseguer
Received: date / Accepted: date
Abstract At present, designers of real-time systems face a dilemma between expressiveness and automatic verification: if they can specify some aspects of their system in some automaton-based formalism, then automatic verification is possible; but more complex system components may be hard or impossible to express in such decidable formalisms. These more complex components may still be simulated; but there is then little support for their formal analysis. The main goal of Real-Time Maude is to provide a way out of this dilemma, while complementing both decision procedures and simulation tools. Real-Time Maude emphasizes ease and generality of specification, including support for distributed real-time object-based systems. Because of its generality, falling outside of decidable system classes, the formal analyses supported—including symbolic simulation, breadth-first search for failures of safety properties, and model checking of time-bounded temporal logic properties—are in general incomplete (although they are complete for discrete time). These analysis techniques have been shown useful in finding subtle bugs of complex systems, clearly outside the scope of current decision procedures. This paper describes both the semantics of Real-Time Maude specifications, and of the formal analyses supported by the tool. It also explains the tool's pragmatics, both in the use of its features, and in its application to concrete examples.

Keywords Rewriting logic · real-time systems · object-oriented specification · formal analysis · simulation · model checking
Peter Csaba Ölveczky
Department of Informatics
University of Oslo
Tel.: +47-22852498
Fax: +47-22852401
E-mail: peterol@ifi.uio.no

José Meseguer
Department of Computer Science
University of Illinois at Urbana-Champaign
Tel.: +1-217-3336733
Fax: +1-217-3339386
E-mail: meseguer@cs.uiuc.edu
Report Documentation Page (Standard Form 298, Rev. 8-98; OMB No. 0704-0188)
Report date: 2007. Report type: N/A. Dates covered: not given.
Title and subtitle: Semantics and Pragmatics of Real-Time Maude.
Performing organization: University of Illinois at Urbana-Champaign, Department of Computer Science, 201 N. Goodwin Avenue, Urbana IL 61801.
Distribution/availability statement: Approved for public release, distribution unlimited.
Security classification: unclassified (report, abstract, this page). Limitation of abstract: SAR. Number of pages: 35.
1 Introduction
At present, designers of real-time systems face a dilemma between expressiveness and automatic verification. If they can specify some aspects of their system in a more restricted automaton-based formalism, then automatic verification of system properties may be obtained by specialized model checking decision procedures. But more complex system components may be hard or impossible to express in such decidable formalisms. In that case, simulation offers greater modeling flexibility, but is typically quite weak in the kinds of formal analyses that can be performed. The main goal of Real-Time Maude is to provide a way out of this dilemma, while complementing both decision procedures and simulation tools.
On the one hand, Real-Time Maude can be seen as complementing tools based on timed and linear hybrid automata, such as UPPAAL [19,5], HyTech [15], and Kronos [32]. While the restrictive specification formalism of these tools ensures that interesting properties are decidable, such finite-control automata do not support well the specification of larger systems with different communication models and advanced object-oriented features. By contrast, Real-Time Maude emphasizes ease and generality of specification, including support for distributed real-time object-based systems. The price to pay for increased expressiveness is that many system properties may no longer be decidable. However, this does not diminish either the need for analyzing such systems, or the possibility of using decision procedures when applicable. On the other hand, Real-Time Maude can also be seen as complementing traditional testbeds and simulation tools by providing a wide range of formal analysis techniques and a more abstract specification formalism in which different forms of communication can be easily modeled and can be both simulated and formally analyzed. Finally, some tools geared toward modeling and analyzing larger real-time systems, such as, e.g., IF [6], extend timed automaton techniques with explicit UML-inspired constructions for modeling objects, communication, and some notion of data types. Real-Time Maude complements such tools not only by the full generality of the specification language and the range of analysis techniques, but, most importantly, by its simplicity and clarity: A simple and intuitive formalism is used to specify both the data types (by equations) and dynamic and real-time behavior of the system (by rewrite rules). Furthermore, the operational semantics of a Real-Time Maude specification is clear and easy to understand.
A key goal of this work is to document the tool's theoretical foundations, based on a simplified semantics of real-time rewrite theories [23,28] made possible by some recent developments in the foundations of rewriting logic [7]; these simplified theoretical foundations are explained in Section 3. We also give a precise description of the semantics of Real-Time Maude specifications and of its symbolic execution and formal analysis commands. Such semantics is given by means of a family of theory transformations, that associate to a real-time rewrite theory and a command a corresponding ordinary rewrite theory (a Maude [9,10] system module) and a Maude command with the intended semantics (Section 5). Besides thus giving a precise account of the tool's semantics, we also explain and illustrate its pragmatics in several ways:
1. We discuss different time domains (both discrete and continuous) provided by the system, which also allows the user to define new such time domains in Maude modules.
2. We then explain the general methods by which tick rules for advancing time in the system can be defined.
3. We also explain some general techniques to specify object-oriented real-time systems in Real-Time Maude; such techniques have been developed through a good number of substantial case studies and have proved very useful in practice.
4. We give an overview of the tool's language features, commands, and analysis capabilities (Section 4).
5. We illustrate the tool's use in practice by means of two examples (Section 6).
Real-Time Maude specifications are executable formal specifications. Our tool offers various simulation, search, and model checking techniques which can uncover subtle mistakes in a specification. Timed rewriting can simulate one of the many possible concurrent behaviors of the system. Timed search and time-bounded linear temporal logic model checking can analyze all behaviors—relative to a given time sampling strategy for dense time as explained in Section 4.2.1—from a given initial state up to a certain time bound. By restricting search and model checking to behaviors up to a certain time bound and with a given time sampling strategy, the set of reachable states is typically restricted to a finite set, which can be subjected to model checking. Search and model checking are "incomplete" for dense time, since there is no guarantee that the chosen time sampling strategy covers all interesting behaviors. However, all the large systems we have modeled in Real-Time Maude so far have had a discrete time domain, and in this case search and model checking can completely cover all behaviors from the initial state. For further analysis, the user can write his/her own specific analysis and verification strategies using Real-Time Maude's reflective capabilities.
The Real-Time Maude tool described in this paper is a mature and quite efficient tool available free of charge (with sources, a tool manual, examples, case studies, and papers) from http://www.ifi.uio.no/RealTimeMaude. The tool has been used in a number of substantial applications, a subset of which is listed in Section 6.4. Real-Time Maude is based on earlier theoretical work on the rewriting logic specification of real-time and hybrid systems [23,28], and has benefited from the extensive experience gained with an earlier tool prototype [27,23], which was applied to specify and analyze a sophisticated multicast protocol suite [23,26]. As mentioned above, the current tool has simpler foundations based on more recent theoretical advances. Furthermore, thanks to the efficient support of breadth-first search and of on-the-fly LTL model checking in the underlying Maude 2 system [10], on top of which it is implemented, the current tool supports symbolic simulation, search for violations of safety properties, and model checking of time-bounded temporal logic properties with good efficiency.
2 Equational Logic, Rewriting Logic, and Maude
Since Real-Time Maude extends Maude and its underlying rewriting logic formalism, we first present some background on equational logic, rewriting logic, and Maude.
2.1 Equational and Rewriting Logic
Membership equational logic (MEL) [22] is a typed equational logic in which data are first classified by kinds and then further classified by sorts, with each kind $k$ having an associated set $S_k$ of sorts, so that a datum having a kind but not a sort is understood as an error or undefined element. Given a MEL signature $\Sigma$, we write $T_{\Sigma,k}$ and $T_\Sigma(X)_k$ to denote, respectively, the set of ground $\Sigma$-terms of kind $k$, and of $\Sigma$-terms of kind $k$ over variables in $X$, where $X = \{x_1 : k_1, \ldots, x_n : k_n\}$ is a set of kinded variables. Atomic formulas have either the form $t = t'$ ($\Sigma$-equation) or $t : s$ ($\Sigma$-membership) with $t, t' \in T_\Sigma(X)_k$ and $s \in S_k$; and $\Sigma$-sentences are universally quantified Horn clauses on such atomic formulas. A MEL theory is then a pair $(\Sigma, E)$ with $E$ a set of $\Sigma$-sentences. Each such theory has an initial algebra $T_{\Sigma/E}$ whose elements are equivalence classes of ground terms modulo provable equality.
In the general version of rewrite theories over MEL theories defined in [7], a rewrite theory is a tuple $\mathcal{R} = (\Sigma, E, \phi, R)$ consisting of: (i) a MEL theory $(\Sigma, E)$; (ii) a function $\phi : \Sigma \to \mathcal{P}(\mathbb{N})$ assigning to each function symbol $f : k_1 \cdots k_n \to k$ in $\Sigma$ a set $\phi(f) \subseteq \{1, \ldots, n\}$ of frozen argument positions; (iii) a set $R$ of (universally quantified) labeled conditional rewrite rules $r$ having the general form

$$(\forall X)\; r : t \longrightarrow t' \;\text{if}\; \bigwedge_{i \in I} p_i = q_i \;\wedge\; \bigwedge_{j \in J} w_j : s_j \;\wedge\; \bigwedge_{l \in L} t_l \longrightarrow t'_l$$

where, for appropriate kinds $k$ and $k_l$, $t, t' \in T_\Sigma(X)_k$ and $t_l, t'_l \in T_\Sigma(X)_{k_l}$ for $l \in L$.

The function $\phi$ specifies which arguments of a function symbol $f$ cannot be rewritten, which are called frozen positions. Given a rewrite theory $\mathcal{R} = (\Sigma, E, \phi, R)$, a sequent of $\mathcal{R}$ is a pair of (universally quantified) terms of the same kind $t, t'$, denoted $(\forall X)\, t \longrightarrow t'$ with $X = \{x_1 : k_1, \ldots, x_n : k_n\}$ a set of kinded variables and $t, t' \in T_\Sigma(X)_k$ for some $k$. We say that $\mathcal{R}$ entails the sequent $(\forall X)\, t \longrightarrow t'$, and write $\mathcal{R} \vdash (\forall X)\, t \longrightarrow t'$, if the sequent $(\forall X)\, t \longrightarrow t'$ can be obtained by means of the inference rules of reflexivity, transitivity, congruence, and nested replacement given in [7].
To any rewrite theory $\mathcal{R} = (\Sigma, E, \phi, R)$ we can associate a Kripke structure $\mathcal{K}(\mathcal{R}, k)_{L_\Pi}$ in a natural way provided we: (i) specify a kind $k$ in $\Sigma$ so that the set of states is defined as $T_{\Sigma/E,k}$, and (ii) define a set $\Pi$ of (possibly parametric) atomic propositions on those states; such propositions can be defined equationally in a protecting extension $(\Sigma \cup \Pi, E \cup D) \supseteq (\Sigma, E)$, and give rise to a labeling function $L_\Pi$ on the set of states $T_{\Sigma/E,k}$ in the obvious way. The transition relation of $\mathcal{K}(\mathcal{R}, k)_{L_\Pi}$ is the one-step rewriting relation of $\mathcal{R}$, to which a self-loop is added for each deadlocked state. The semantics of linear-time temporal logic (LTL) formulas is defined for Kripke structures in the well-known way (e.g., [8,10]). In particular, for any LTL formula $\psi$ on the atomic propositions $\Pi$ and an initial state $[t]$, we have a satisfaction relation $\mathcal{K}(\mathcal{R}, k)_{L_\Pi}, [t] \models \psi$ which can be model checked, provided the number of states reachable from $[t]$ is finite. Maude [10] provides an explicit-state LTL model checker precisely for this purpose.
2.2 Maude and its Formal Analysis Features
A Maude module specifies a rewrite theory $(\Sigma, E \cup A, \phi, R)$, with $E$ a set of conditional equations and memberships, and $A$ a set of equational axioms such as associativity, commutativity, and identity, so that equational deduction is performed modulo the axioms $A$. Intuitively, the theory $(\Sigma, E \cup A)$ specifies the system's state space as an algebraic data type, and each rewrite rule $r$ in $R$ specifies a (family of) one-step transition(s) from a substitution instance of $t$ to the corresponding substitution instance of $t'$, provided that the substitution satisfies the condition of the rule. The rewrite rules are applied modulo the equations $E \cup A$.¹
¹ Operationally, a term is reduced to its $E$-normal form modulo $A$ before any rewrite rule is applied in Maude. Under the coherence assumption [31] this is a complete strategy to achieve the effect of rewriting in $E \cup A$-equivalence classes.
We briefly summarize the syntax of Maude. Functional modules and system modules are, respectively, MEL theories and rewrite theories, and are declared with respective syntax fmod ... endfm and mod ... endm. Object-oriented modules provide special syntax to specify concurrent object-oriented systems, but are entirely reducible to system modules; they are declared with the syntax (omod ... endom).² Immediately after the module's keyword, the name of the module is given. After this, a list of imported submodules can be added. One can also declare sorts³, subsorts, and operators. Operators are introduced with the op keyword. They can have user-definable syntax, with underbars ‘_’ marking the argument positions, and are declared with the sorts of their arguments and the sort of their result. Some operators can have equational attributes, such as assoc, comm, and id, stating, for example, that the operator is associative and commutative and has a certain identity element. Such attributes are then used by the Maude engine to match terms modulo the declared axioms. The operator attribute ctor declares that the operator is a constructor, as opposed to a defined function. This attribute does not have any computational effect in Real-Time Maude. There are three kinds of logical statements: equations, introduced with the keywords eq and, for conditional equations, ceq; memberships, declaring that a term has a certain sort and introduced with the keywords mb and cmb; and rewrite rules, introduced with the keywords rl and crl. The mathematical variables in such statements are either explicitly declared with the keywords var and vars, or can be introduced on the fly in a statement without being declared previously, in which case they must have the form var:sort. Finally, a comment is preceded by ‘***’ or ‘---’ and lasts until the end of the line.
Maude modules are executable under reasonable assumptions. The high performance Maude engine—which can perform up to millions of rewrites per second—provides the following analysis commands:
– A rewrite (rew) and a "fair" rewrite (frew) command, which execute one rewrite sequence—out of possibly many—from a given initial state.
– A search command (search) for analyzing all possible rewrite sequences from a given initial state $t_0$, by performing a breadth-first search to check whether terms matching certain patterns can be reached from $t_0$. The search does not terminate if the set of states reachable from $t_0$ is infinite and the desired state(s) are not reachable from $t_0$.
– A linear temporal logic model checker [14], comparable to Spin [17] in performance, which checks whether each rewrite sequence from a given initial state $t_0$ satisfies a certain linear temporal logic (LTL) formula. LTL model checking will normally not terminate if the state space reachable from $t_0$ is infinite.
A propositional LTL formula is constructed by the usual LTL operators (see, e.g., [10,14] and Section 4.2.2) and a set $\Pi$ of user-defined (possibly parametric) atomic propositions. Such atomic propositions should be defined as terms of the built-in sort Prop, in a module that includes the built-in Maude module MODEL-CHECKER. The labeling function $L_\Pi$ is defined by equations of the form t |= p = b if C, for a (possibly) parametric atomic proposition p (i.e., for p a term of sort Prop), a term t of the built-in kind [State], a term b of kind [Bool], and a condition C. It is sufficient to define when a predicate holds. For example, if p were the only proposition, then $L_\Pi([u]) = \{\sigma(p) \mid \sigma \text{ ground substitution} \wedge (E \cup A) \vdash (\forall \emptyset)\, u \models \sigma(p) = \mathit{true}\}$ [10].
– Finally, the user may define her own specific execution strategies using Maude's reflective capabilities [11,12].
² In Full Maude, and in its extension Real-Time Maude, module declarations and execution commands must be enclosed by a pair of parentheses.
³ Kinds are not declared explicitly; the kind to which sort s belongs is written [s].
We refer to the Maude manual [10] for a more thorough description of Maude's analysis capabilities.
2.2.1 Object-Oriented Specification in Maude
In object-oriented (Full) Maude⁴ modules one can declare classes and subclasses. A class declaration

class C | att1 : s1, ... , attn : sn .

declares an object class C with attributes att1 to attn of sorts s1 to sn. An object of class C in a given state is represented as a term

< O : C | att1 : val1, ..., attn : valn >

of the built-in sort Object, where O is the object's name or identifier, and where val1 to valn are the current values of the attributes att1 to attn and have sorts s1 to sn. Objects can interact with each other in a variety of ways, including the sending of messages. A message is a term of the built-in sort Msg, where the declaration

msg m : p1 ... pn -> Msg .

defines the name of the message (m) and the sorts of its parameters (p1 ... pn). In a concurrent object-oriented system, the state, which is usually called a configuration and is a term of the built-in sort Configuration, has typically the structure of a multiset made up of objects and messages. Multiset union for configurations is denoted by a juxtaposition operator (empty syntax) that is declared associative and commutative and having the none multiset as its identity element, so that order and parentheses do not matter, and so that rewriting is multiset rewriting supported directly in Maude. The dynamic behavior of concurrent object systems is axiomatized by specifying each of its concurrent transition patterns by a rewrite rule. For example, the configuration on the left-hand side of the rule

rl [l] : m(O,w) < O : C | a1 : x, a2 : y, a3 : z > =>
         < O : C | a1 : x + w, a2 : y, a3 : z > m'(y,x) .

contains a message m, with parameters O and w, and an object O of class C. The message m(O,w) does not occur in the right-hand side of this rule, and can be considered to have been removed from the state by the rule. Likewise, the message m'(y,x) only occurs in the configuration on the right-hand side of the rule, and is thus generated by the rule. The above rule, therefore, defines a (parameterized family of) transition(s) in which a message m(O,w) is read, and consumed, by an object O of class C, with the effect of altering the attribute a1 of the object and of sending a new message m'(y,x). Attributes, such as a3 in our example, whose values do not change and do not affect the next state of other attributes need not be mentioned in a rule. Attributes, like a2, whose values influence the next state of other attributes or the values in messages, but are themselves unchanged, may be omitted from right-hand sides of rules. Thus the above rule could also be written

rl [l] : m(O,w) < O : C | a1 : x, a2 : y > =>
         < O : C | a1 : x + w > m'(y,x) .

A subclass inherits all the attributes and rules of its superclasses⁵.
⁴ Real-Time Maude is built on top of Full Maude [10, Part II], which extends Maude with support for object-oriented specification and advanced module operations.
⁵ The attributes and rules of a class cannot be modified by its subclasses, which may of course have additional attributes and rules.
3 Real-Time Rewrite Theories Revisited
In [28] we proposed to specify real-time and hybrid systems in rewriting logic as real-time rewrite theories, and defined an extension of the basic model to include the possibility of defining eager and lazy rewrite rules. This section first recalls the definition of real-time rewrite theories, and then explains why the generalization of rewriting logic given in [7] has made the partition into eager and lazy rules unnecessary.
3.1 Real-Time Rewrite Theories
A real-time rewrite theory is a rewrite theory where some rules, called tick rules, model time elapse in a system, while "ordinary" rewrite rules model instantaneous change.

Definition 1 A real-time rewrite theory $\mathcal{R}_{\varphi,\tau}$ is a tuple $(\mathcal{R}, \varphi, \tau)$, where $\mathcal{R} = (\Sigma, E, \phi, R)$ is a (generalized) rewrite theory, such that
– $\varphi$ is an equational theory morphism $\varphi : \mathrm{TIME} \to (\Sigma, E)$ from the theory TIME to the underlying equational theory of $\mathcal{R}$, that is, $\varphi$ interprets TIME in $\mathcal{R}$; the theory TIME [28] defines time abstractly as an ordered commutative monoid $(\mathit{Time}, 0, +, <)$ with additional operators such as $\dot{-}$ (where $x \dot{-} y$ denotes $x - y$ if $y < x$, and $0$ otherwise) and $\leq$;
– $(\Sigma, E)$ contains a sort System (denoting the state of the system), and a specific sort GlobalSystem with no subsorts or supersorts and with only one operator $\{\_\} : \mathit{System} \to \mathit{GlobalSystem}$ which satisfies no non-trivial⁶ equations; furthermore, the sort GlobalSystem does not appear in the arity of any function symbol in $\Sigma$;
– $\tau$ is an assignment of a term $\tau_l$ of sort $\varphi(\mathit{Time})$ to every rewrite rule $l : \{t\} \longrightarrow \{t'\} \;\text{if}\; \mathit{cond}$ involving terms of sort GlobalSystem⁷; if $\tau_l \neq \varphi(0)$ we call the rule a tick rule and write $l : \{t\} \xrightarrow{\tau_l} \{t'\} \;\text{if}\; \mathit{cond}$. The term $\tau_l$ denoting the duration of the tick rule may contain variables, including variables that do not occur in $t$, $t'$, and/or $\mathit{cond}$. For example, if $\tau_l$ is a variable $x$ not occurring in either $t$ or $\mathit{cond}$, then time can advance nondeterministically by any amount from a substitution instance of $\{t\}$ where the substitution satisfies $\mathit{cond}$.

The global state of the system should have the form $\{u\}$, in which case the form of the tick rules ensures that time advances uniformly in all parts of the system. The total time elapse $\tau(\alpha)$ of a rewrite $\alpha : \{t\} \longrightarrow \{t'\}$ of sort GlobalSystem is the sum of the times elapsed in each tick rule application [28]. We write $\mathcal{R}_{\varphi,\tau} \vdash \{t\} \xrightarrow{r} \{t'\}$ if there is a proof $\alpha : \{t\} \longrightarrow \{t'\}$ in $\mathcal{R}_{\varphi,\tau}$ with $\tau(\alpha) = r$. Furthermore, we write $\mathit{Time}_\varphi$, $0_\varphi$, ..., for $\varphi(\mathit{Time})$, $\varphi(0)$, etc.
⁶ By "trivial" equations we mean equations of the form $t = t$.
⁷ All rules involving terms of sort GlobalSystem are assumed to have different labels.
3.2 Eager and Lazy Rules Revisited
The motivation behind having eager and lazy rewrite rules was to model urgency by letting the application of instantaneous eager rules take precedence over the application of lazy tick rules [28]. This feature was supported in version 1 of Real-Time Maude. The ability to define frozen operators in rewriting logic [7] means that it is no longer necessary to explicitly define eager and lazy rules. Instead, one may define a frozen operator⁸

eagerEnabled : s → [Bool] [frozen (1)]

for each sort s that can be rewritten, introduce an equation

eagerEnabled(t) = true if cond

for each "eager" rule $t \longrightarrow t' \;\text{if}\; \mathit{cond}$, and add an equation

eagerEnabled(f(x1, ..., xn)) = true if eagerEnabled(xi) = true

for each operator f and each position i which is not a frozen position in f. A "lazy" tick rule should now have the form

$$l : \{t\} \xrightarrow{\tau_l} \{t'\} \;\text{if}\; \mathit{cond} \wedge \mathit{eagerEnabled}(\{t\}) \neq \mathit{true}.$$

This technique makes unnecessary any explicit support for eager and lazy rules at the system definition level to model urgency. In addition, the lazy/eager feature has not been needed in any Real-Time Maude application we have developed so far. Real-Time Maude 2 therefore does not provide explicit support for defining eager and lazy rules.
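The eagerEnabled technique of Section 3.2 in a concrete timed module, as an added example that is not code from the paper or from the tool's distribution: a multiset of tasks with deadlines, an eager rule that runs a task the moment its deadline arrives, and a lazy tick rule guarded by eagerEnabled({t}) =/= true. The sorts Task and Tasks, the operators task, delta and mte, and the initial state are constructed here; the tick rule syntax in time, the nonexec attribute and the commands set tick def and tsearch are assumed from the Real-Time Maude manual [24] and do not appear on this page.

```maude
(tmod URGENT-TASKS is
  protecting NAT-TIME-DOMAIN-WITH-INF .   --- discrete time, with INF for "no deadline"

  --- the system state: a multiset of tasks, each with the time left to its deadline
  sorts Task Tasks .  subsort Task < Tasks .  subsort Tasks < System .
  op task : Time -> Task [ctor] .
  op none : -> Tasks [ctor] .
  op __ : Tasks Tasks -> Tasks [ctor assoc comm id: none] .

  vars TS TS' : Tasks .  var TK : Task .  vars T R : Time .

  --- the "eager" instantaneous rule: a task whose deadline has come runs at once
  --- (0 rather than zero in the pattern, since NAT-TIME-DOMAIN rewrites zero to 0)
  rl [run] : task(0) => none .

  --- the frozen operator of Section 3.2, one for each sort that can be rewritten;
  --- frozen (1) means eagerEnabled(t) does not rewrite even when t does
  op eagerEnabled : Tasks -> [Bool] [frozen (1)] .
  op eagerEnabled : GlobalSystem -> [Bool] [frozen (1)] .
  --- one equation per eager rule, on that rule's left-hand side
  eq eagerEnabled(task(0)) = true .
  --- one equation per non-frozen argument position of each operator; for the
  --- multiset union, matching a single Task TK visits each element in turn
  ceq eagerEnabled(TK TS) = true if eagerEnabled(TK) = true .
  ceq eagerEnabled({TS}) = true if eagerEnabled(TS) = true .

  --- effect of R time units elapsing, and the maximum time that may elapse
  --- before some deadline is reached (INF when there is no pending task)
  op delta : Tasks Time -> Tasks .
  eq delta(none, R) = none .
  eq delta(task(T) TS, R) = task(T monus R) delta(TS, R) .
  op mte : Tasks -> TimeInf .
  eq mte(none) = INF .
  eq mte(task(T) TS) = min(T, mte(TS)) .

  --- the "lazy" tick rule: time may elapse by any amount R only while no eager
  --- rule is enabled, and never past the nearest deadline; R is instantiated
  --- by the tool's time sampling strategy, hence the nonexec attribute
  crl [tick] : {TS} => {delta(TS, R)} in time R
    if eagerEnabled({TS}) =/= true /\ R le mte(TS) [nonexec] .

  --- constructed initial state
  op init : -> GlobalSystem .
  eq init = {task(2) task(5)} .
endtm)

--- with one time unit per tick, all tasks have run by time 5 but not earlier:
--- the first search finds {none}, the second finds no solution
(set tick def 1 .)
(tsearch [1] init =>* {none} in time <= 5 .)
(tsearch [1] init =>* {none} in time < 5 .)
```

In the state {task(0) task(3)} the guard blocks the tick rule, so the only enabled step is run; without the guard a tick of duration 1 would turn task(0) into task(0 monus 1) = task(0) and silently let the deadline pass.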
4 Specification and Execution in Real-Time Maude
This section gives an overview of how to specify real-time rewrite theories in Real-Time Maude as timed modules, and how to execute such modules in the tool. In particular, Section 4.1.5 presents some useful techniques for specifying object-oriented real-time systems in Real-Time Maude. The manual [24] explains our tool in much more detail.
4.1 Specification in Real-Time Maude 2.1
Real-Time Maude extends Full Maude [10] to support the specification of real-time rewrite theories as timed modules and object-oriented timed modules. Such modules are entered at the user level by enclosing them in parentheses and including the module body between the keywords tmod and endtm, and between tomod and endtom, respectively. To state non-executable properties, Real-Time Maude allows the user to specify real-time extensions of abstract Full Maude theories. Since Real-Time Maude extends Full Maude, we can also define Full Maude modules in the tool. All the usual operations on modules provided by Full Maude are supported in Real-Time Maude.
⁸ By ‘[frozen (1)]’ we mean that the first (and in this case only) argument of the corresponding operator (eagerEnabled) cannot be rewritten (see Section 2.1). That is, even if t rewrites to u, it is not the case that eagerEnabled(t) rewrites to eagerEnabled(u).
4.1.1 Specifying the Time Domain
The equational theory morphism $\varphi$ in a real-time rewrite theory $\mathcal{R}_{\varphi,\tau}$ is not given explicitly at the specification level. Instead, by default, any timed module automatically imports the following functional module TIME⁹:

fmod TIME is
  sorts Time NzTime . subsort NzTime < Time .
  op zero : -> Time .
  op _plus_ : Time Time -> Time [assoc comm prec 33 gather (E e)] .
  op _monus_ : Time Time -> Time [prec 33 gather (E e)] .
  ops _le_ _lt_ _ge_ _gt_ : Time Time -> Bool [prec 37] .
  eq zero plus R:Time = R:Time .
  eq R:Time le R':Time = (R:Time lt R':Time) or (R:Time == R':Time) .
  eq R:Time ge R':Time = R':Time le R:Time .
  eq R:Time gt R':Time = R':Time lt R:Time .
endfm

The morphism $\varphi$ implicitly maps Time to Time, 0 to zero, + to _plus_, ≤ to _le_, etc. Even though Real-Time Maude assumes a fixed syntax for time operations, the tool does not build in a fixed model of time. In fact, the user has complete freedom to specify the desired data type of time values—which can be either discrete or dense and need not be linear—by specifying the data elements of sort Time, and by giving equations interpreting the constant zero and the operators _plus_, _monus_, and _lt_, so that the axioms of the theory TIME [28] are satisfied. The predefined Real-Time Maude module NAT-TIME-DOMAIN defines the time domain to be the natural numbers as follows:

fmod NAT-TIME-DOMAIN is including LTIME . protecting NAT .
  subsort Nat < Time . subsort NzNat < NzTime .
  vars N N' : Nat .
  eq zero = 0 .
  eq N plus N' = N + N' .
  eq N monus N' = if N > N' then sd(N, N') else 0 fi .
  eq N lt N' = N < N' .
endfm

To have dense time, the user can import the predefined module POSRAT-TIME-DOMAIN, which defines the nonnegative rationals to be the time domain. The set of predefined modules in Real-Time Maude also includes a module LTIME, which assumes a linear time domain and defines the operators max and min on the time domain, and the modules TIME-INF, LTIME-INF, NAT-TIME-DOMAIN-WITH-INF, and POSRAT-TIME-DOMAIN-WITH-INF which extend the respective time domains with an "infinity" value INF in a supersort TimeInf of Time. Detailed specifications for all these time domains can be found in [24, Appendix A].
4.1.2 Tick Rules
A timed module automatically imports the module TIMED-PRELUDE which contains the declarations

sorts System GlobalSystem .
op {_} : System -> GlobalSystem [ctor] .

A conditional tick rule $l : \{t\} \xrightarrow{\tau_l} \{t'\} \;\text{if}\; \mathit{cond}$ is written with syntax
⁹ The operator attributes prec and gather deal with parsing; their meaning is explained in [10].