
Real Time Programming 1988 PDF

86 Pages·1989·10.982 MB·English

Preview Real Time Programming 1988

Other IFAC Publications

AUTOMATICA, the journal of IFAC, the International Federation of Automatic Control. Editor-in-Chief: G. S. Axelby, 211 Coronet Drive, North Linthicum, Maryland 21090, USA. Published bi-monthly.

IFAC PROCEEDINGS SERIES. General Editor: Janos Gertler, Department of Electrical and Computer Engineering, George Mason University, Fairfax, Virginia, USA.

NOTICE TO READERS: If your library is not already a standing/continuation order customer or subscriber to these publications, may we recommend that you place a standing/continuation or subscription order to receive immediately upon publication all new volumes. Should you find that these volumes no longer serve your needs your order can be cancelled at any time without notice. A fully descriptive catalogue will be gladly sent on request. ROBERT MAXWELL, Publisher.

REAL TIME PROGRAMMING 1988
Proceedings of the 15th IFAC/IFIP Workshop, Valencia, Spain, 25-27 May 1988
Edited by A. CRESPO and J. A. DE LA PUENTE, Dpto de Sistemas Informáticos y Computación, Universidad Politécnica de Valencia, Spain
Published for the INTERNATIONAL FEDERATION OF AUTOMATIC CONTROL by PERGAMON PRESS, Oxford · New York · Beijing · Frankfurt · São Paulo · Sydney · Tokyo · Toronto

U.K.: Pergamon Press plc, Headington Hill Hall, Oxford OX3 0BW, England
U.S.A.: Pergamon Press, Inc., Maxwell House, Fairview Park, Elmsford, New York 10523, U.S.A.
PEOPLE'S REPUBLIC OF CHINA: Pergamon Press, Room 4037, Qianmen Hotel, Beijing, People's Republic of China
FEDERAL REPUBLIC OF GERMANY: Pergamon Press GmbH, Hammerweg 6, D-6242 Kronberg, Federal Republic of Germany
BRAZIL: Pergamon Editora Ltda, Rua Eça de Queiros, 346, CEP 04011, Paraiso, São Paulo, Brazil
AUSTRALIA: Pergamon Press Australia Pty Ltd., P.O. Box 544, Potts Point, N.S.W. 2011, Australia
JAPAN: Pergamon Press, 5th Floor, Matsuoka Central Building, 1-7-1 Nishishinjuku, Shinjuku-ku, Tokyo 160, Japan
CANADA: Pergamon Press Canada Ltd., Suite No. 271, 253 College Street, Toronto, Ontario, Canada M5T 1R5

Copyright © 1989 IFAC. All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means: electronic, electrostatic, magnetic tape, mechanical, photocopying, recording or otherwise, without permission in writing from the copyright holders. First edition 1989.

British Library Cataloguing in Publication Data: Real time programming 1988: proceedings of the IFAC/IFIP workshop, Valencia, Spain, 25-27 May 1988. 1. Real time computer systems. Programming. I. Crespo, A. II. Puente, J. A. de la. III. International Federation of Automatic Control. IV. International Federation for Information Processing. 005.1. ISBN 0-08-036236-2.

These proceedings were reproduced by means of the photo-offset process using the manuscripts supplied by the authors of the different papers. The manuscripts have been typed using different typewriters and typefaces. The lay-out, figures and tables of some papers did not agree completely with the standard requirements; consequently the reproduction does not display complete uniformity. To ensure rapid publication this discrepancy could not be changed, nor could the English be checked completely. Therefore, the readers are asked to excuse any deficiencies of this publication which may be due to the above mentioned reasons. The Editors.

This title is also published in Annual Review in Automatic Programming, Volume 14. Printed in Great Britain by BPCC Wheatons Ltd, Exeter.

IFAC WORKSHOP ON REAL TIME PROGRAMMING 1988
Sponsored by IFAC Technical Committee on Computers. Co-sponsored by IFIP Working Group WG 5.4 Computerized Process Control. Organized by Grupo de Automática e Informática Industrial, Universidad Politécnica de Valencia, on behalf of Comité Español de la IFAC.

International Programme Committee: J. Szlankó (Chairman), Hungary; A. Alvarez, Spain; G. Bull, UK; A. Crespo, Spain; D. Cronhjort, Sweden; W. Ehrenberger, FRG; P. Elzer, FRG; R. Milovanovic, Yugoslavia; J. A. de la Puente, Spain; M. Rodd, UK; T. J. Williams, USA.

National Organizing Committee: J. A. de la Puente (Chairman and General Coordinator), P. Albertos, A. Crespo, J. Duato, M. A. Juan, F. Morant, R. Ors, J. J. Serrano, R. Vivo, J. Vila.

Copyright © IFAC Real Time Programming, Valencia, Spain, 1988

FORMAL SPECIFICATION

CORRECTNESS VERIFICATION OF REAL-TIME PROGRAMS

T. Szmuc
Institute of Automatics, Academy of Mining and Metallurgy, Krakow, Poland

Abstract. Two approaches to the correctness verification of real-time programs are presented. The first approach, static verification, corresponds to the correctness notion in systems programming that is informally described by the software standard (ANSI/IEEE, 1983). The second one, dynamic correction, is a generalization of the exception handling idea (Anderson, 1981). The formal construction is based on the coupled process notion and the so-called local testability theorem. An automatic correctness verification system and a structure of the dynamic correction module result from the formal investigations.

Keywords. Concurrent processes; correctness in the sense of criterion; correctness verification.

1. INTRODUCTION

The paper deals with the correctness verification of real-time programs (systems). The correctness is defined as a relation between the process describing the concurrent system (Szmuc, 1985b) and the process that specifies the correctness requirements (the criterion process). The criterion process and the relation constitute the correctness criterion. Correctness in the sense of a correctness criterion is considered (Szmuc, 1985a). Two ways of correctness verification are proposed:

- static verification, which consists in proving whether the verified process is correct (or not) in the sense of a given correctness criterion;
- dynamic correction, which is carried out by blocking incorrect (with regard to the correctness criterion) transitions during any computation in the verified process.

The coupled process notion and the local testability theorem are the basic formal tools in the investigations. The coupled process is defined for the verified process and the correctness criterion. This process describes transitions in the verified process and the corresponding transitions in the criterion process. The theorem reduces the criterion to local conditions, determined for selected states of the verified process.

The conception of a system for automatic correctness verification and the structure of the dynamic correction module result from the formal investigations that are based on the two notions mentioned above. An example of a control program for cooperating robots is presented as an illustration of the introduced notions and verification tools.

The notation used in the paper was introduced in the former works of the author. For any relation $T \subseteq X \times Y$ the domain (range) of the relation will be denoted by $\mathrm{Dom}\,T$ ($\mathrm{Ran}\,T$). If $T$ is the relation defined above, then for any $x \in X$:

$T(x) = \{y \mid (x,y) \in T\}$ if $x \in \mathrm{Dom}\,T$, and $T(x) = \emptyset$ otherwise.

For any subset $A \subseteq X$, the image of the subset will be denoted by $T(A) = \bigcup_{x \in A} T(x)$.

2. PROCESS AND CORRECTNESS

The sequential nondeterministic process is a fundamental notion in the correctness definition. This process is described by a quadruple (Bartol, 1977), consisting of a set of states, a set of initial states, a set of final states and a transition relation. This general formal notion is interpreted in two ways: as a sequential description of the system of concurrent processes (Hennessy, 1985; Kasai, 1982; Szmuc, 1985b) and as a specification of the correctness requirements (e.g. proper sequences of selected operations). The correctness is defined as a relation between the verified process (the first interpretation) and the criterion process (the second one). The domain of the relation appoints a subset of the set of states of the verified process, the so-called set of characteristic states. The correctness specifies the following demand: the characteristic states have to appear in the verified process in the order determined by a given correctness criterion.

Definition 1. By a process we mean a relational structure $P = (S, B, F, T)$, where $S$ is a countable set of states, $B \subseteq S$ is a set of initial states, $F \subseteq S$ is a set of final states, $T \subseteq S \times S$ is a transition relation, and the following condition is satisfied: $B \subseteq \mathrm{Dom}\,T$ and $F \cap \mathrm{Dom}\,T = \emptyset$.

Any process $P = (S, B, F, T)$ is called a prime process iff $\mathrm{card}\,S \geq 2$ and

Any sequence of $n$ ($n \geq 1$) states of process $P$, $sc(s_1,\cdot) = s_1, s_2, \ldots$, is called a semicomputation iff any two successive (in the sequence) elements $s_i, s_{i+1}$ are in relation: $(s_i, s_{i+1}) \in T$. A semicomputation that begins (ends) in a state $s$ is denoted by $sc(s,\cdot)$ ($sc(\cdot,s)$). The set of all elements which are in the semicomputation $sc$ is denoted by $Z(sc)$. Any semicomputation $sc(s_1,\cdot)$ such that $s_1 \in B$ is called a computation iff $s_n \in F$ for $sc(s_1,\cdot) = sc(s_1,s_n)$ or this semicomputation is infinite. The following notions will be useful in the correctness definition.

Let $P = (S, B, F, T)$, $P' = (S', B', F', T')$ be processes and $k \subseteq S \times S'$ a relation. For every pair $(s, s') \in k$ we define:

- a lower semicomputation referring to a state $s'$: a semicomputation $sc(s,\cdot)$ such that the condition $(\forall s_0 \in Z(sc(s,\cdot)))\,(\forall s'_0 \in k(s_0))\ (s', s'_0) \in T'$ is satisfied;
- an upper semicomputation referring to a state $s'$: a semicomputation $sc(\cdot,s)$ such that the condition $(\forall s_0 \in Z(sc(\cdot,s)))\,(\forall s'_0 \in k(s_0))\ (s'_0, s') \in T'$ is satisfied.

The set of lower semicomputations referring to a state $s' \in \mathrm{Ran}\,k$ is denoted by $SL(s')$, and the set of the upper ones by $SU(s')$. We additionally introduce closures of these sets:

$\overline{SL}(s') = SL(s') \cup \{sc(s_0, s_{n-1}) \mid sc(s_0, s_n) \in SL(s')\}$;
$\overline{SU}(s') = SU(s') \cup \{sc(s_1, s_n) \mid sc(s_0, s_n) \in SU(s')\}$,

where $sc(s_0, s_{n-1})$ ($sc(s_1, s_n)$) means the semicomputation that is derived from $sc(s_0, s_n)$ after the elimination of the last (first) element.

Definition 2. Let $P = (S, B, F, T)$, $P' = (S', B', F', T')$ be processes and $k \subseteq S \times S'$ a relation. We say that process $P$ is correct in the sense of the correctness criterion $(P', k)$ iff the following conditions are satisfied:

1. $\{s' \mid (\exists s \in B)(\exists sc(s,\cdot))\ sc(s,\cdot) \in SU(s')\} \subseteq B'$;
2. $\{s' \mid (\exists s \in F)(\exists sc(\cdot,s))\ sc(\cdot,s) \in SL(s')\} \subseteq F'$;
3. for any $s' \in \mathrm{Ran}\,k \cap \mathrm{Ran}\,T'$ there exist a state $s'_1 \in T'^{-1}(s')$ and a semicomputation $sc(s, s_n)$ such that $sc(s, s_n) = sc_1(s,\cdot) \circ sc_2(\cdot,s_n)$, where the semicomputations $sc_1$, $sc_2$ satisfy one of the two conditions:
   a. $sc_1(s,\cdot) \in SL(s') \wedge sc_2(\cdot,s_n) \in$ S«te,8 5 -* T-iCe.e^i r $SU(s'_1)$;
   b. $sc_1(s,\cdot) \in SL(s') \wedge sc_2(\cdot,s_n) \in \overline{SU}(s'_1)$,

and $\circ$ is the composition of semicomputations, i.e. for semicomputations $sc_1 = s, s_1, \ldots, s_n$ and $sc_2 = s_n, s_{n+1}, \ldots$ the composition is $sc_1 \circ sc_2 = s, s_1, \ldots, s_n, s_{n+1}, \ldots$ (Szmuc, 1986).

Let us notice that, by the correctness definition, some characteristic states may appear in a sequential way although they are specified as non-sequential ones (Fig. 1.a, b). This property may be interpreted as a sequential realization (in the verified process) of the transitions specified in parallel (by the criterion process). On the other hand, some semicomputations of the verified process may be observed (by relation $k$) as parallel transitions in the criterion process (Fig. 1.c).

[Fig. 1 (panels a, b, c). Sequential and parallel realization of transitions.]

The above definition may be treated as a generalization of partial and total correctness (Manna, 1974), for which reachability of final states is verified (compare with (Manna, 1981)). On the other hand, the proposed correctness notion is similar to the observation equivalence introduced by Milner (1980).

3. COUPLED PROCESS AND LOCAL TESTABILITY THEOREM

The coupled process describes transitions in the verified process and the corresponding (by relation $k$) transitions in the criterion process. The local testability theorem specifies conditions that must hold in any characteristic state in order to obtain correctness in the sense of the criterion. These objects are fundamental in the correctness verification.

3.1. Coupled process

The coupled process is constructed by adding a memory to the verified one. Any state of the verified process is extended by a memory state, in which a history of the semicomputations in the criterion process connected with reaching this state in the verified process is stored. Any state of the memory contains information about the occurrences of only those states which are necessary for the determination of the set of correct (in the sense of a given criterion) transitions. Any memory state is represented by the corresponding subsets of states of the criterion process. The coding function is omitted in order to simplify the notation.

Definition 3. Let $P$, $P'$ be processes and $k \subseteq S \times S'$ a relation. By the coupled process we mean the quadruple $\hat{P} = (\hat{S}, \hat{B}, \hat{F}, \hat{T})$, where

- $\hat{S} \subseteq S \times M$, $M \subseteq 2^{S'} \times 2^{S'}$;
- $\hat{B} = \{(s, (pS', pF')) \mid s \in B \wedge pS' = (B' \cup T'(k(s))) \cap \mathrm{Ran}\,k \setminus k(s) \wedge pF' = k(s)\}$;
- $\hat{F} = \{(s, (\cdot,\cdot)) \mid s \in F\}$;
- $\hat{T} \subseteq \hat{S} \times \hat{S}$ is a relation such that for any $((s, (pS', pF')), (s_1, (pS'_1, pF'_1))) \in \hat{T}$ the following conditions are satisfied:
  1. $(s, s_1) \in T$,
  2. $pS'_1 = pS' \cup (T'(k(s_1)) \cap \mathrm{Ran}\,k) \setminus k(s_1)$,
  3. $pF'_1 = pF' \cup k(s_1) \setminus T'^{-1}(k(s_1))$.

It is easy to notice that the coupled process is a process by means of Definition 1 when $\hat{F} \subseteq \hat{S}$.

Let us explain the definition presented above. Conditions 2 and 3 of the definition describe the modifications of the memory state when the coupled process reaches the next state. Any state of the memory is specified by a pair $(pS', pF')$. The first element of this pair is the set of the criterion process states that may appear (from the criterion point of view) during the transition to the next state of process $P$. In the second element the states of process $P'$ that appeared earlier are stored. By the second condition, the transition to the next state in process $\hat{P}$ causes the removal of all the states appearing in the state $s_1$ ($k(s_1)$) from the set $pS'$, and the addition of the set of the next states (with regard to the removed ones), $T'(k(s_1)) \cap \mathrm{Ran}\,k$, to $pS'$. The modification described by condition 3 consists in the addition of the states that have appeared ($k(s_1)$) and in the removal of the preceding states ($T'^{-1}(k(s_1))$).

In further considerations, any state of memory will be shortly denoted by $m = (pS', pF')$.

Let us notice that two different states $(s, m)$, $(s, m_1)$ such that $m \neq m_1$ may occur in process $\hat{P}$. It means that state $s$ may be reached by different semicomputations in process $P$, and with them different semicomputations (histories) in $P'$ are connected (by relation $k$).

3.2. Local correctness testability

The coupled process describes transitions in the verified process and the corresponding transitions in the criterion process. The first element of the memory state specifies the states whose appearance is permissible from the criterion point of view. Hence, for any transition $((s, m), (s_1, m_1)) \in \hat{T}$ we may test the condition $k(s_1) \subseteq pS'$ in order to verify the correctness of this transition. The second element specifies the set of states that appeared earlier and is used in the final states of process $\hat{P}$.

Theorem 1 (Local testability theorem). Let $P$, $P'$ be processes and $k \subseteq S \times S'$ a relation. Process $P$ is correct in the sense of the correctness criterion $(P', k)$ iff for the coupled process $\hat{P}$ the following conditions are satisfied:

1. if $B \neq \emptyset$, then $(\forall s \in B)\ k(s) \subseteq B'$;
2. if $F' \cap \mathrm{Ran}\,k \neq \emptyset$, then $(\forall (s, (\cdot, pF')) \in \hat{F})\ pF' \subseteq F'$;
3. for any transition $((s, (pS', \cdot)), (s_1, (\cdot,\cdot))) \in \hat{T}$: $k(s_1) \subseteq pS'$.

The proof may be found in the paper (Szmuc, 1988).

4. CORRECTNESS VERIFICATION

In this chapter, two ways of correctness verification are presented: static verification and dynamic correction.

4.1. Static verification

A conception of the correctness verification system will be presented. The verified process $P$ and the correctness criterion $(P', k)$ are the input data for the system. The correctness verification consists of four phases:

1. description of process $P$ using expressions $E$ composed of elementary processes (proof of Theorem 2 (Szmuc, 1986));
2. extension of the expression $E$ (Szmuc, 1986);
3. reduction of the extended expression by removing all those process symbols that represent non-characteristic states ($s \notin \mathrm{Dom}\,k$); the expression $E_z$ is the result of the reduction (compare with Theorem 4 (Szmuc, 1986));
4. correctness verification by simulation of the process $\hat{P}_{E_z}$, the coupled process in which the verified process is described by $E_z$.

The three initial stages perform the reduction of the verified process description to the simplified form (expression $E_z$). The simulation of the process $\hat{P}_{E_z}$ is carried out by an analysis of the "characteristic computations" corresponding to every sequential subexpression of $E_z$. The conditions of Theorem 1 are examined in every transition (state) of the computation. If at least one of them is not satisfied, then the verified process is incorrect in that transition (state). The process is correct in the sense of a given criterion when no such transitions (states) are found. Let us notice that the complexity of the process represented by $E_z$ may be greatly reduced (according to $P$). The simulation of process $\hat{P}_{E_z}$ is simplified correspondingly.

A more detailed description of the system may be found in the paper (Szmuc, 1988).

4.2. Dynamic correction

The static verification is based on the reduced description of the verified process and simulation of the corresponding coupled process. Another approach to the verification consists in adding a correction module to the real verified process running in the computer system. The real process and the module constitute the coupled process. Transitions in the non-characteristic states of process $P$ are performed without any interference with the module. In the characteristic states process $P$ calls the module, and the conditions of Theorem 1 are examined. If they are satisfied, then the transition may be realized in process $P$; otherwise the transition must be blocked. Process $P$ may be interpreted as a sequential description of the system of concurrent processes (Szmuc, 1985b), and process $P'$ may specify the correct sequence of operations that are to be executed by different component processes. In this case the system of processes and the module are modelled by the controlled system of concurrent processes (Szmuc, 1985b). The correction module may be implemented as operating system macroprocedures when the component processes are situated at the user tasks layer.

5. EXAMPLE - SYSTEM OF COOPERATING ROBOTS

Let us consider a system of cooperating robots connected as in Fig. 2. Robots $R^1_1, \ldots, R^1_t$ ($R^2_1, \ldots, R^2_t$) perform assembly operations on products collocated in containers of assembly line $M_1$ ($M_2$). Robot $R^1_t$ ($R^2_t$) puts products into store line $M_3$ ($M_4$). Robot $R$ gets products from line $M_3$ ($M_4$) and tests their quality. If one of these elements is assembled incorrectly, then the robot puts it into store line $M_5$ and the corresponding get-test sequence is repeated. Otherwise, when a correctly assembled product from line $M_3$ and the complementary one from line $M_4$ are obtained, robot $R$ assembles the two elements and the resulting product is put into store line $M_6$. Line $M_1$ ($M_2$) performs a one-step movement when the cycle of operations by robots $R^1_1, \ldots, R^1_t$ ($R^2_1, \ldots, R^2_t$) is completed. Lines $M_3$, $M_4$, $M_5$, $M_6$ perform the movement when the next element is put.

[Fig. 2. Cooperating robots.]

Design and correctness analysis of the system may be realized by the construction and modification of the criterion processes. The criterion process for robot $R$ is presented in Fig. 3. Any state of the process is defined by the operation that begins at the state and ends in the next one. Broken lines specify subprocesses that may be executed concurrently.

[Fig. 3. Criterion process for robot $R$. State labels are of the form put($M_i$) and correct($M_i$).]

The criterion process presented above may be a starting point for the design and correctness verification of the system. Having this process we may move on to a more detailed description. This procedure refers to the design stage. The correctness verification will be performed by reductions and modifications of the corresponding processes. The system may be applied to the correctness verification of any pair: verified process and correctness criterion. We may replace the verified process by the criterion process when the correctness is proved. In this case the criterion process may be treated as a reduced description of the verified process. This procedure may be continued (another criterion process or the next reduction), or classical methods (temporal logic) may be applied to the reduced description.

The criterion process for dynamic correction (Fig. 4) is a reduced form of the one presented in Fig. 3 which contains some extensions. These extensions consist in adding the time-out state and transitions coming to this state from the others.

[Fig. 4. Criterion process for dynamic correction. States include init($R$), time_out (last-state) and end($R$).]

6. FINAL REMARKS

It seems that the correctness verification system is a good tool assisting the design and verification of concurrent systems. On the other hand, dynamic correction may be directly implemented using the exception handling method (Anderson, 1981).

REFERENCES

Anderson, T., and P.A. Lee (1981). Fault Tolerance: Principles and Practice. Prentice Hall International, Chap. 3, 63-91.
ANSI/IEEE (1983). Software Standard 729.
Bartol, W., Z. Raś, and A. Skowron (1977). Theory of computing systems. In A. Mazurkiewicz and Z. Pawlak (Eds.), Mathematical Foundations of Computer Science. PWN - Polish Scientific Publishers, 101-165.
Hennessy, M., and R. Milner (1985). Algebraic laws of non-determinism and concurrency. J. Assoc. Comp. Machinery, 32, 137-161.
Kasai, T., and R.E. Miller (1982). Homomorphisms between models of parallel computations. J. of Computer and Systems Sciences, 25, 285-331.
Manna, Z., and A. Pnueli (1974). Axiomatic approach to total correctness of programs. Acta Informatica, 3, 243-263.
Manna, Z., and A. Pnueli (1981). Verification of concurrent programs: The temporal framework. In R.S. Boyer and J.S. Moore (Eds.), The Correctness Problem in Computer Science. Academic Press, 215-273.
Milner, R. (1980). A Calculus of Communicating Systems. Lecture Notes in Computer Science, 92. Springer Verlag, 21-62.
Szmuc, T. (1985a). Process description of the correctness of concurrent systems. Elektrotechnika, 4, 427-438.
Szmuc, T. (1985b). The correctness of system of processes. Elektrotechnika, 4, 439-454.
Szmuc, T. (1986). Correctness verification of parallel control programs. In V.H. Haase and E. Knuth (Eds.), Proceedings of the 4th IFAC/IFIP Symposium on Software for Computer Control (SOCOCO'86).
Szmuc, T. (1988). Correctness of Concurrent Systems. In preparation.
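The memory update of Definition 3 and the three local tests of Theorem 1, worked through on finite processes. This is an added example, not the paper's or the author's own verification system; the sample criterion and verified processes are constructed, and the left-to-right reading of the paper's set expressions is an assumption.

```python
from collections import deque

# Added illustration, not the paper's own code: processes (S, B, F, T) as in
# Definition 1, the memory of Definition 3, the three local tests of Theorem 1.

def image(rel, xs):
    # rel(xs): union of rel(x) over x in xs (the paper's T(A))
    return {y for (x, y) in rel if x in xs}

def preimage(rel, ys):
    # rel^-1(ys)
    return {x for (x, y) in rel if y in ys}

def initial_memory(s, crit, k):
    # Memory (pS', pF') of an initial coupled state (B-hat in Definition 3).
    # The set expressions are read left to right; that reading is an assumption.
    _, B2, _, T2 = crit
    ran_k = {y for (_, y) in k}
    ks = image(k, {s})
    return (frozenset(((B2 | image(T2, ks)) & ran_k) - ks), frozenset(ks))

def next_memory(mem, s1, crit, k):
    # Conditions 2 and 3 of Definition 3: the memory after moving to state s1.
    _, _, _, T2 = crit
    ran_k = {y for (_, y) in k}
    pS, pF = mem
    ks1 = image(k, {s1})
    pS1 = (pS | (image(T2, ks1) & ran_k)) - ks1  # drop k(s1), add its successors
    pF1 = (pF | ks1) - preimage(T2, ks1)         # add k(s1), drop its predecessors
    return (frozenset(pS1), frozenset(pF1))

def transition_allowed(mem, s1, k):
    # Condition 3 of Theorem 1, k(s1) subset of pS': the only test a
    # dynamic-correction module has to evaluate in a characteristic state.
    return image(k, {s1}) <= mem[0]

def verify(proc, crit, k):
    # Static verification: simulate the coupled process from B and check
    # Theorem 1.  Returns None if P is correct, else a tuple naming the fault.
    S, B, F, T = proc
    _, B2, F2, _ = crit
    ran_k = {y for (_, y) in k}
    for s in B:                                  # condition 1
        if not image(k, {s}) <= B2:
            return ("initial", s)
    seen = {(s, initial_memory(s, crit, k)) for s in B}
    todo = deque(seen)
    while todo:
        s, mem = todo.popleft()
        if s in F and (F2 & ran_k) and not mem[1] <= F2:
            return ("final", s)                  # condition 2
        for s1 in image(T, {s}):                 # every transition (s, s1) in T
            if not transition_allowed(mem, s1, k):
                return ("transition", s, s1)     # condition 3
            st = (s1, next_memory(mem, s1, crit, k))
            if st not in seen:
                seen.add(st); todo.append(st)
    return None

# Constructed sample: the criterion P' demands the cyclic order get -> test -> put
# (B' = {get}, F' empty); k marks get, test and put as the characteristic states.
CRIT = ({"get", "test", "put"}, {"get"}, set(),
        {("get", "test"), ("test", "put"), ("put", "get")})
K = {("get", "get"), ("test", "test"), ("put", "put")}
GOOD = ({"init", "get", "test", "put", "done"}, {"init"}, {"done"},
        {("init", "get"), ("get", "test"), ("test", "put"), ("put", "get"), ("put", "done")})
BAD = ({"init", "get", "test", "put", "done"}, {"init"}, {"done"},
       {("init", "get"), ("get", "put"), ("put", "test"), ("test", "get"), ("test", "done")})
```

The memory of the coupled process stays finite here because the criterion is cyclic, so `verify` terminates once a repeated `(state, memory)` pair is seen; `transition_allowed` alone is what the dynamic-correction module of Section 4.2 would call before letting a characteristic transition proceed.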
