a novel formal communication behavior model based on ......new proposal: timed-pnets timed-event:...
TRANSCRIPT
-
A novel formal communication behavior modelbased on Timed-pNets for Cyber Physical
Systems
Yanwen ChenSupervisor: Yixiang Chen Eric Madelaine
ECNU INRIA
24/06/2013
INRIA ECNU 1/42
-
Outline
Motivation
Related Works
Our methodology: pNets + CCSL
Extend pNets with logical clock constraints—-timed-pNetsPropose rules to generate a timed specification from LTSPropose algorithms to generate a global transition graph interms of clock relationsPropose global clock generation conditions
Conclusion and future work
INRIA ECNU 2/42
-
Intelligent Transportation Systems: CPSs
(a) (b)
Devices(cars) are equipped with sensors to know its relatedinformation ( speed, location, direction ,outsideenvironment such as traffic lights,etc). Local controllerexists in each devices. (Locally synchronous)
Various Embedded devices (cars or infrastructure) areconnected by network(eg. Internet) for remotemonitor/control,etc. (Globally asynchronous)
Requirements: Safety, Reliability
INRIA ECNU 3/42
-
Motivation
Challenges:
challenge 1: physical environment data affects the timeconsuming of system behavior
challenge 2: no a common physical global clock
Our Goal:Build a communication semantic model with time constraintsfor open distributed systems so that we can check the systemsafety and correctness in design time.
INRIA ECNU 4/42
-
Related Work: timed model
Timed-Automata
BIP
MARTE
PTIDES
Timed Petri Nets
Drawbacks:1) depend on common physical global clock2) not flexible enough for open systems3) no enough mechanism to express various communicationbehavior: asynchronous broadcast
INRIA ECNU 5/42
-
Our Methodology
We take advantage of the well-structured pNets
We build logical clocks in pNet for describing systembehaviors
We transfer system to timed specification(CCSL) to checkand verify system properties
Figure: Timed-pNet tree structure
INRIA ECNU 6/42
-
Our Solution: pNets + CCSL
pNets (Parameterized Networks of Automata): A semanticmodel for distributed systems.
parameterized and hierarchical behavioral model
tree-like structure which leaves are LTS
flexible enough for various programming structures,parallel constructions and communication modes.
including data in model
capable to build a finite model
But time property is not including in it.[Eric Madelaine, Oasis INRIA]
INRIA ECNU 7/42
-
Our Solution: pNets + CCSL
CCSL: Clock Constraints Specification Language
high-level time patterns to express multi-clock timespecifications
proposed a time model for real-time systems
defined clock constraints of the time model
[Robert De Simone, Aoste INRIA]
INRIA ECNU 8/42
-
New proposal: Timed-pNets
timed-event: introduce delay time and execution time
build logical clock: a sequence of timed-event occurrences
add constraints between event occurrences
generate timed-specification: present system logicalbehavior
A Timed Specification is a pair < C,R > where C is a set ofclocks, R is a set of clock relations on
⋃c∈C Ic.
INRIA ECNU 9/42
-
timed-events
Definition (Timed-Event)
Let T be a set of discrete time variables with domain in R andBT the set of boolean expressions (guards) over timedexpressions. The Timed-Event Algebra LA,T ,P is built as anextension of the action algebra LA,P by adding two timedexpressions d and e built over T . We call a(p)(d,e)|BT ∈ LA,T ,P atimed-event in which ↑ a(p) ∈ LA,P is the parameterized actionthat is defined as the start action of the timed-event, and↓ a(p) ∈ LA,P is defined as the end action of the timed-event(p ∈ P is a parameter). The time variable d ∈ T describes atime delay before the event starting to execute, the timevariable e ∈ T describes the execution time of the timed-event.
INRIA ECNU 10/42
-
clock
Definition (Clock)
A Clock (CL,≺) is an ordered set of occurrences oftimed-events. Each occurrence is denoted as a(p)(d,e) i(i ∈ N).The relation ’≺’ between these timed-events is a strict totalorder: (∀a(p)(d1,e1) 1, a(p)(d2,e2) 2 ∈ LA,T ,P .a(p)(d1,e1) 1 6= a(p)(d2,e2) 2 =⇒ a(p)(d1,e1) 1 ≺ a(p)(d2,e2) 2 ora(p)(d2,e2) 2 ≺ a(p)(d1,e1)) 1).
INRIA ECNU 11/42
-
clock offset
Definition (Clock Offset)
Let Cα(p)(d,e) be a clock built over a timed-event action α(p)(d,e).
The nth offset of the clock Cα(p)(d,e) is defined as
C∆(n)
α(p)(d,e)= {α(p)(d,e) (1 + n) ≺ α(p)(d,e) (2 + n) ≺ . . . ≺
α(p)(d,e) (i+ n) . . .}(i, n ∈ N). The clock C∆(n)α(p)(d,e)
is a new
generated logical clock based on the logical clock Cα(p)(d,e) .
INRIA ECNU 12/42
-
clock filtering
Definition
Assume f(n) is a filter function on a nature number n (n ∈ N),then the clock Cα(p)(d,e) filtered by f(n) is denoted as C
f(n)
α(p)(d,e).
For example, C{2n−1}α(p)(d,e)
filters out the odd occurrences of the
clock Cα(p)(d,e) . C{n≤8}α(p)(d,e)
filters out the first 8 occurrences.
INRIA ECNU 13/42
-
Clock Constraints
Definition: Clock constraints are clock relations that apply totwo clock expressions.The syntax of the relations (taken from CCSL) include:
* [|Cα(p)(dα,eα) = Cβ(p)(dβ,eβ) |] = ∀i(α(p)(dα,eα) i =
β(p)(dβ ,eβ) i) = ∀i(↑ (α(p)(dα,eα) i) =↑ (β(p)(dβ ,eβ) i)) ∧ (↓(α(p)(dα,eα) i) =↓ (β(p)(dβ ,eβ) i)), (i ∈ N)
* [|Cα(p)(dα,eα) ≺ Cβ(p)(dβ,eβ) |] = ∀i(α(p)(dα,eα) i ≺
β(p)(dβ ,eβ) i) = ∀i(↓ (α(p)(dα,eα) i) ≺↑ (β(p)(dβ ,eβ) i)),(i ∈N)
INRIA ECNU 14/42
-
Properties of Relations
≺ is transitive:(1) α(p)(dα,eα) ≺ β(p)(dβ ,eβ), β(p)(dβ ,eβ) ≺ γ(p)(dγ ,eγ) ⇒
α(p)(dα,eα) ≺ γ(p)(dγ ,eγ)
= is an equivalence relation (reflexive, symmetric, andtransitive):
(2) α(p)(dα,eα) = α(p)(dα,eα);(3) α(p)(dα,eα) = β(p)(dβ ,eβ) ⇒ β(p)(dβ ,eβ) = α(p)(dα,eα);(4) α(p)(dα,eα) = β(p)(dβ ,eβ), β(p)(dβ ,eβ) = γ(p)(dγ ,eγ) ⇒
α(p)(dα,eα) = γ(p)(dγ ,eγ);
INRIA ECNU 15/42
-
timed-pLTS
A Timed-pLTS is a tuple < P,S, s0, A,C,R,→>, whereP is a finite set of parameters
S is a set of states
s0 ∈ S is the initial stateA is set of timed-events A ⊆ LA,T ,PC is set of clocks over timed-events A, (C ⊆ CL)R is set of constraints between clocks CA, (CA ⊆ C)→ is the set of transition: →⊆ S ×A× S. We writesα(p)(dα,eα) i−−−−−−−−→ s′ for (s, α(p)(dα,eα) i, s′) ∈→, in which
α(p)(dα,eα) i ∈ A.
INRIA ECNU 16/42
-
Timed-pNets
A Timed-pNet is a tuple < P,C,AG, R, J, ÕJ , R̃J ,−→V >, where:
P = {pi|pi ∈ Domi} is a finite set of parametersC is a set of clocks, C ⊆ CLAG ⊆ LA,T ,P is a set of global events, CAG ⊆ C is the set of clocks of AGJ is a countable set of argument indexes: each index j ∈ J is called a holeand is associated with a sort Oj ⊆ LA,T ,P and a set of clock relations R̃J ,which are the set of ROj that present the relations among clocks COj
R is a set of relations between clocks COj and COk , (j, k ∈ J)−→V = {−→v } is a set of synchronous vectors of the form:
* (binary communication)−→v =< ..., !α(p)(d1,e1)
(ki1 ), ..., ?α(p)
(d2,e2)(ki2 )
, ... >→ (α(p)(dg,eg)g ), in which
α(p)(dg,eg)g ∈ AG, ki1 ∈ Dom1, ki2 ∈ Dom2, !α(p)(d1,e1) ∈
Oi1 , ?α(p)(d2,e2) ∈ Oi2 , dg = d1 = d2, eg = e1 = e2
* or (visibility) −→v =< ..., α(p)(d1,e1)[k1]
, ... >→ (α(p)(dg,eg)g ), in which
α(p)(dg,eg)g ∈ AG, k1 ∈ Dom1, α(p)(d1,e1) ∈ Oi1 , dg = d1, eg = e1
INRIA ECNU 17/42
-
Channel
Channel can be introduced for asynchronous communicationbetween subsystems. A channel is a transition system withtuple < P,S,A,C,≺,→> in which
P is a finite set of parameters
S is state set in which S = {s, s′},
A is timed-event set in which A = {α(p)(dα,eα), β(p)(dβ ,eβ)},(α(p)(dα,eα), β(p)(dβ ,eβ) ∈ LA,T ,P)
C is a set of clocks over timed-events A,
≺ is a precedence relation between clocksCα(p)(dα,eα) ≺ Cβ(p)(dβ,eβ) ≺ Cα(p)(dα,eα)
∆(1),
→ is a set of two transitions:s α(p)(dα,eα) i−−−−−−−−→ s′ and
s′β(p)(dβ,eβ) i−−−−−−−−→ s, in which α(p)(dα,eα) i, β(p)(dβ ,eβ) i ∈ LA,T ,P ,
(p ⊆ P , i ∈ N), where α(p)(dα,eα) i, β(p)(dβ ,eβ) i are the ithtimed-event occurrence of clock Cα(p)(dα,eα) and Cβ(p)(dβ,eβ)
separately.
INRIA ECNU 18/42
-
Simple Example: Timed-pNets Building
INRIA ECNU 19/42
-
Formalization of the subsystem
P = {k, par, r},CAG = {C
!notify(k,par)(dg1,eg1)
g1
,
C?notify(k,par)
dg2,eg2g2
, C!ack(k,r)
dg3,eg3g3
, C?ack(k,r)
dg4,eg4g4
}
J ={car1.communication, car2.communication, channel1, channel2}Ocar1.communication = {?Cmd(par)(dc,ec),!notify(par)(dn,en), ?ack(k, r)(da,ea), !R(dR,eR)}Ocar2.communication = {?notify(par)(dn,en), !ack(k, r)da,ea}Ochannel1 = {c.?notify(k, par)(dn1,en1),c.!notify(k, par)(dn2,en2)}Ochannel2 = {c.?ack(k, r)da1,ea1 , c.!ack(k, r)da1,ea1}Rcar1.communication ={C?Cmd(par)(dc,ec) ≺ C!notify(par)(dn,en) ≺ C
{2n−1}?ack(k,r)(da,ea)
≺ C{2n}?ack(k,r)(da,ea)
≺ C!R(dR,eR) ≺ C∆(1)
?Cmd(par)(dc,ec)}
(n ∈ N)Rcar2.communication = {C?notify(par)(dn,en) ≺ C!ack(k,r)da,ea}Rchannel1 = {Cc.?notify(k,par)(dn1,en1) ≺Cc.!notify(k,par)(dn2,en2)}Rchannel2 = {Cc.?ack(k,r)da1,ea1 ≺ Cc.!ack(k,r)da1,ea1 }−→V = {→!notify(k, par)
(dg1,eg1)g1 . . .}
R = {!notify(par)(dn,en) = c.?notify(k, par)(dn1,en1) . . .}
INRIA ECNU 20/42
-
Deduce global clock Relations
Given a timed-pNets, < P,AG, R, J, C, ÕJ , R̃J ,−→V >, assume there is no clock relation conflict
in R̃j (j ∈ J), let the timed-event ep1, ep2 ∈ Op, the timed-event eq1, eq2 ∈ Oq , thetimed-event es1, es2 ∈ Os, (Op, Oq, Os ⊂ ÕJ , Op
⋂Oq
⋂Os = ∅). We define
R(Ca, Cb) = {∝ |Ca ∝ Cb} (a, b ∈ Oj).(Case1:) Assume the synchronous vector between Op and Oq are < ep1, eq1 >→ eg1,< eq2, ep2 >→ eg2 as shown in Fig. (1). We denote R1 = R(Cep1 , Ceq1 ),R2 = R(Ceq1 , Ceq2 ), R3 = R(Cep2 , Ceq2 ), R4 = R(Cep2 , Cep1 ). Then R1, R2, R3, R4 are
the minimal number of relations needed to reduce the global clock relation R(Ceg1 , Ceg2 ).
(Case2:) Assume we have synchronous vectors < eq2, ep2 >→ eg2 and < eq1, es1 >→ eg1 as
shown in Fig.(2). We denote R1 = R(Cep2 , Ceq2 ), R2 = R(Ceq1 , Ceq2 ), R3 = R(Ceq1 , Ces1 ).
Then the the relations R1, R2 and R3 are the minimal number of relations needed to reduce
the global clock relation R(Ceg1 , Ceg2 ).
INRIA ECNU 21/42
-
global clock deduction rules
Case 1:
(1). If R2 =′=′, then R4 must be ’=’, and we haveR(Ceg1 , Ceg2) =
′=′, otherwise, conflict occurs.
(2). If R2 =′≺′, R4 must follow the same direction as R2, andR(Ceg1 , Ceg2)) =
′≺′ with the same direction as R2 or R4,otherwise, conflict occurs.
Case 2:
(1). If R2 =′=′, then we have R(Ceg1 , Ceg2) =′=′,
(2). If R2 =′≺′, then R(Ceg1 , Ceg2) =′≺′ with the same direction asR2.
INRIA ECNU 22/42
-
Timed specification of timed-pNets
1. If PreAct(s0) 6∈ ∅, then PreAct(s0) ≺ PostAct(s0), [guard: PostActIndex(s0) = PreActIndex(s0) + 1 ];
2. ∀s\s0, PreAct(s) ≺ PostAct(s), [ guard:PostActIndex(s) = PreActIndex(s) ];
3. ∀s, if Posts(s, α(dα,eα)) = s, thenPreAct(s)\PreAct(s, s) ≺ PreAct(s, s),[guard:PreActIndex(s, s) = PreActIndex(s)\PreActIndex(s, s) ],P reAct(s, s) ≺ PostAct(s, s),[ guard: PostActIndex(s, s) = PreActIndex(s, s) + 1 ],PostAct(s, s) ≺ PostAct(s)\PostAct(s, s),[ guard: PostActIndex(s)\PostActIndex(s, s) =PreActIndex(s)\PreActIndex(s, s) ].
INRIA ECNU 23/42
-
Example
State Relations Index Guard
s0 !R m ≺?Cmd(par) n n = m+ 1s1 ?Cmd(par) n ≺!notify(k, par) i i = ns2 !notify(k, par) i ≺?ack[k](r) j j = i
?ack[k](r) j ≺?ack[k](r) j′ j′ = j + 1, j = j′?ack[k](r) j ≺!R m m = i;
INRIA ECNU 24/42
-
example
for the transitions: s0 → s1 → s2 → s2 → s0 → s1
(a) (b)
Transition Relations Index Guard Memory Result
s0 → s1 → s2 ?Cmd(par) n ≺!notify(k, par) i i = n i = n = 1 ?Cmd(par) 1 ≺!notify(k, par) 1s1 → s2 → s2 !notify(k, par) i ≺?ack[k](r) j j = i j = i = n = 1 !notify(k, par) 1 ≺?ack[k](r) 1s2 → s2 → s2 ?ack[k](r) j =?ack[k](r) j′ j′ = j + 1, j = j′ j = 2; i = n = 1 ?ack[k](r) 1 ≺?ack[k](r) 2s2 → s2 → s0 ?ack[k](r) j ≺!R m m = i; j = 2;m = i = n = 1 ?ack[k](r) 2 ≺!R 1s2 → s0 → s1 !R m ≺?Cmd(par) n n = m+ 1 n = j = 2,m = i = 1 !R 1 ≺?Cmd(par) 2
. . . . . . . . . . . . . . .
C?Cmd(par)(dc,ec)
≺ C!notify(par)(dn,en)
≺ C{2n−1}?ack(k,r)(da,ea)
≺ C{2n}?ack(k,r)(da,ea)
≺ C!R(dR,eR)
≺ C∆(1)?Cmd(par)(dc,ec)
INRIA ECNU 25/42
-
Clock Relation Generation
1. If PreAct(s0) 6∈ ∅, then CPreAct(s0) ≺ CPostAct(s0)∆(1)2. ∀s\s0, CPreAct(s) ≺ CPostAct(s)3. ∀s, if Posts(s, α(dα,eα)) = s and the event α(dα,eα) occurs k
(k ∈ N)times, thenCPreAct(s)\PreAct(s,s) ≺ C
{kn−(k−1)}α(dα,eα)
C{kn−(k−1)}α(dα,eα)
≺ C{kn−(k−2)}α(dα,eα)
≺ C{kn−(k−3)}α(dα,eα)
. . . ≺C{kn−(k−i)}α(dα,eα)
. . . ≺ C{kn}α(dα,eα)
(n ∈ N, n = 1, 2, 3 . . .)C{kn}α(dα,eα)
≺ CPostAct(s)\α(dα,eα)
INRIA ECNU 26/42
-
Algorithms for generating global state transition graph
1. Generate global initial state S0 := (s10, s
20, . . . , s
i0, . . . , s
n0 )
and put it into queue;
2. Take a state from queue and explore the possibletransitions.
3. Check the action relations among these transitions andgenerate possible global state transitions.
4. Put the new generated transitions into queue.
5. Repeat from step 2 till the queue is empty.
INRIA ECNU 27/42
-
Algorithm Steps
INRIA ECNU 28/42
-
System transition graph
INRIA ECNU 29/42
-
Global Transition Generation Rules
(1) Interleaving rule:s1
α(dα,eα)−−−−−→s′1
α(dα,eα)−−−−−→;
s2β
(dβ,eβ)
−−−−−→s′2
β(dβ,eβ)
−−−−−→
(2) “α ≺ β”: s1α(dα,eα)−−−−−→s′1;s2
β(dβ,eβ)
−−−−−→s′2
α(dα,eα)−−−−−→β
(dβ,eβ)
−−−−−→;
(3) “α = β”:s1
α(dα,eα)−−−−−→s′1∧s2β
(dβ,eβ)
−−−−−→s′2
γ(dγ,eγ )−−−−−→(dγ = dα = dβ, eγ = eα = eβ)
INRIA ECNU 30/42
-
timestamp in visual common clock
INRIA ECNU 31/42
-
timestamp
Definition
Let [x1, x2] , {x ∈ R|x1 ≤ x ≤ x2|} be a non-negative realnumber interval. T S : LA,T ,P → [x1, x2] be a mapping functionthat assigns a timed-event to a non-negative real numberinterval. “T Scl(α(p)(dα,eα))” (α(p)(dα,eα) ∈ LA,T ,P) which iscalled the Timestamp of event “α(p)(dα,eα)” refers to a timerecord on a physical clock cl when the action “α” occurs. Thestarting point of the timestamp is denoted as↑ T Scl(α(p)(dα,eα)) ∈ R and its ending point is denoted as↓ T Scl(α(p)(dα,eα)) ∈ R.
INRIA ECNU 32/42
-
timestamp mapping
Definition (Timestamp Mapping)
Assume a physical clock cl with frequency fl and a visualcommon clock cz with frequency fz, and the phase differencebetween the two clock is ∆p ∈ R, then the timestamp(T Scl(α(p)(dα,eα)) = [t1, t2]) of event α(p)(dα,eα) on the physicalclock cl can be map to the visual common clock cr withtimestampe T Scr(α(p)(dα,eα)) = [f(t1), f(t2)] by the functionf(t) = t · fz/fc + ∆p.
INRIA ECNU 33/42
-
time guard constraints:new global action generatingconditions
Proposition (new global action generating conditions)
Given two timed-pLTS TS1 and TS2, the timed-action α(dα,eα)
∈ TS1 and β(dβ ,eβ) ∈ TS2. (dα, eα, dβ, eβ ∈ N). Let ldα ∈ Nand udα ∈ N be the lower bound and upper bound of dα.Ddα , [ldα , udα ], dα ∈ Ddα. Similarly, let eα ∈ Deα , [leα , ueα ],dβ ∈ Ddβ , [ldβ , udβ ], eβ ∈ Deβ , [leβ , ueβ ]. If we have therelation α(dα,eα) = β(dβ ,eβ) or α(dα,eα) ⊂ β(dβ ,eβ) then antimed-action γ(dγ ,eγ) can be a global action of α(dα,eα) andβ(dβ ,eβ) if and only if the two conditions are satisfied
(1) Ddα ∩Ddβ 6= ∅,(2) Deα ∩Deβ 6= ∅.
INRIA ECNU 34/42
-
Full Use Case
INRIA ECNU 35/42
-
second layer
INRIA ECNU 36/42
-
third layer
INRIA ECNU 37/42
-
Discussion
Why our model is flexible—logical clock, without physicalcommon clock
What properties can be checked—timed specification:system safety, liveness
How to check—TimeSquare, transfer to promela
INRIA ECNU 38/42
-
Conclusion
Introduce logical clock and clock constraints into pNets
Generate system timed specification for simulation andverification
Propose algorithm for clock constrained transition graph
Propose global clock generation condition
INRIA ECNU 39/42
-
future work
Design system properties
Use timeSquare or Spin to check the properties
Or investigate other solutions for verification
INRIA ECNU 40/42
-
Reference
E.A. Lee. Cyber physical systems: Design challenges.
J. Bengtsson, K. G. Larsen, F. Larsson, P. Pettersson, andWang Yi. Uppaal a Tool Suite for Automatic Verificationof Real Time Systems.
T. Barros, R. Ameur-Boulifa, A. Cansado, L. Henrio, andE. Madelaine. Behavioural models for distributed fractalcomponents.
Frederic Mallet. CCSL: specifying clock constraints withUML/MARTE.
Julien Deantoni and Frederic Mallet. TimeSquare: Treatyour Models with Logical Time.
INRIA ECNU 41/42
-
Questions
INRIA ECNU 42/42