Parameter synthesis for hierarchical concurrent real-time systems

Abstract

Modeling and verifying complex real-time systems, involving timing delays, are notoriously difficult problems. Checking the correctness of a system for one particular value for each delay does not give any information for other values. It is thus interesting to reason parametrically, by considering that the delays are parameters (unknown constants) and synthesizing a constraint guaranteeing a correct behavior. We present here Parametric Stateful Timed Communicating Sequential Processes, a language capable of specifying and verifying parametric hierarchical real-time systems with complex data structures. Although we prove that the synthesis is undecidable in general, we present several semi-algorithms for efficient parameter synthesis, which behave well in practice. This work has been implemented in a real-time model checker, PSyHCoS, and validated on a set of case studies.

Appendix: A firing rules for PSTCSP

Given a program \( program \) and a valuation \(V\), the valuation obtained by executing \( program \) with \(V\) is denoted as \( program (V)\). Let \( active (V,P)\) be the set of enabled events given \(P\) and \(V\), i.e., the set of events that can be fired at the current state (and which lead to states with satisfiable constraints). We give below all firing rules for PSTCSP.

$$\begin{aligned} \dfrac{}{(V, \mathtt {Skip}, C) \mathop {\rightsquigarrow }\limits ^{\checkmark }(V, \mathtt {Stop}, {C}^{\uparrow })}(aki) \end{aligned}$$

$$\begin{aligned} \dfrac{}{(V, e \rightarrow P, C) \mathop {\rightsquigarrow }\limits ^{e} (V, P, {C}^{\uparrow })}(aev) \end{aligned}$$

$$\begin{aligned} \dfrac{}{(V, a\{ program \} \rightarrow P, C) \mathop {\rightsquigarrow }\limits ^{a} ( program (V), P, {C}^{\uparrow })}(aac) \end{aligned}$$

$$\begin{aligned} \dfrac{V \vDash b}{(V, \mathtt {if}~b~\mathtt {then}~\{ P \}~\mathtt {else}~\{ Q \}, C) \mathop {\rightsquigarrow }\limits ^{\tau } (V, P, {C}^{\uparrow })}(co2) \end{aligned}$$

$$\begin{aligned} \dfrac{V \not \vDash b}{(V, \mathtt {if}~b~\mathtt {then}~\{ P \}~\mathtt {else}~\{ Q \}, C) \mathop {\rightsquigarrow }\limits ^{\tau } (V, Q, {C}^{\uparrow })}(co3) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{e} (V', P', C')}{(V, P \ {\square }\ Q, C) \mathop {\rightsquigarrow }\limits ^{e} (V', P', C' \wedge idle (Q))}(aex1) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, Q, C) \mathop {\rightsquigarrow }\limits ^{e} (V', Q', C)}{(V, P \ {\square }\ Q, C) \mathop {\rightsquigarrow }\limits ^{e} (V', Q', C' \wedge idle (P))}(aex2) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{a} (V', Q', C')}{(V, P \ {\backslash } \, E, C) \mathop {\rightsquigarrow }\limits ^{a} (V', Q', C')}(ahi1) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{a} (V', Q', C') \ , \ \ active (V, P, C) \cap E\ne \emptyset \ , \ \ a \notin E}{(V, P \ {\backslash } \, E, C) \mathop {\rightsquigarrow }\limits ^{a} (V', Q', C' \wedge C)}(ahi2) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{a} (V', Q', C'), active (V, P, C) \cap E\ne \emptyset \ , \ \ a \in E}{(V, P \ {\backslash } \, E, C) \mathop {\rightsquigarrow }\limits ^{\tau } (V', Q', C' \wedge C)}(ahi3) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{a} (V', P', C') \ , \ \ \checkmark \notin active (V, P, C)}{(V, P; Q, C) \mathop {\rightsquigarrow }\limits ^{a} (V', P'; Q, C')}(ase1) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{\checkmark } (V', P', C')}{(V, P; Q, C) \mathop {\rightsquigarrow }\limits ^{\tau } (V, Q, C \wedge C')}(ase2) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{a} (V', P', C') \ , \ \ a \notin E}{(V, P \ [\![E ]\!]\ Q, C) \mathop {\rightsquigarrow }\limits ^{a} (V', P' \ [\![E ]\!]\ Q, C' \wedge idle (Q))}(apa1) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, Q, C) \mathop {\rightsquigarrow }\limits ^{a} (V', Q', C') \ , \ \ a \notin E}{(V, P \ [\![E ]\!]\ Q, C) \mathop {\rightsquigarrow }\limits ^{a} (V', P \ [\![E ]\!]\ Q', C' \wedge idle (P))}(apa2) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{e} (V, P', C') \ , \ \ (V, Q, C) \mathop {\rightsquigarrow }\limits ^{e} (V, Q', C'') \ , \ \ e \in E}{(V, P \ [\![E ]\!]\ Q, C) \mathop {\rightsquigarrow }\limits ^{e} (V, P' \ [\![E ]\!]\ Q', C' \wedge C'')}(apa3) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, Q, C) \mathop {\rightsquigarrow }\limits ^{a} (V', Q', C') \ , \ \ P \doteq Q}{(V, P, C) \mathop {\rightsquigarrow }\limits ^{a} (V', Q', C')}(ade) \end{aligned}$$

$$\begin{aligned} \dfrac{}{(V, \mathtt {Wait}{}[u]_x, C) \mathop {\rightsquigarrow }\limits ^{\tau }(V, \mathtt {Skip}, {C}^{\uparrow } \wedge x= u)}(await) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{\tau }(V', P', C')}{(V, P~\mathtt {timeout} [u]_x~ Q, C) \mathop {\rightsquigarrow }\limits ^{\tau }(V', P' ~\mathtt {timeout} [u]_x~ Q, C' \wedge x\le u)}(ato1) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{e}(V', P', C')}{(V, P ~\mathtt {timeout} [u]_x~ Q, C) \mathop {\rightsquigarrow }\limits ^{e}(V', P', C' \wedge x\le u)}(ato2) \end{aligned}$$

$$\begin{aligned} \dfrac{}{(V, P~\mathtt {timeout} [u]_x~ Q, C) \mathop {\rightsquigarrow }\limits ^{\tau }(V, Q, {C}^{\uparrow } \wedge x= u\wedge idle (P) ) }(ato3) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{a}(V', P', C')}{(V, P~\mathtt {interrupt}[u]_x~ Q, C) \mathop {\rightsquigarrow }\limits ^{a}(V', P' ~\mathtt {interrupt}[u]_x~ Q, C' \wedge x\le u)}(ait1) \end{aligned}$$

$$\begin{aligned} \dfrac{}{(V, P~\mathtt {interrupt}[u]_x~ Q, C) \mathop {\rightsquigarrow }\limits ^{\tau }(V, Q, {C}^{\uparrow } \wedge x= u\wedge idle (P))}(ait2) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{\tau }(V', P', C')}{(V, P~\mathtt {within}[u]_x, C) \mathop {\rightsquigarrow }\limits ^{\tau }(V', P'~\mathtt {within}[u]_x, C' \wedge x\le u)}(awi1) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{e}(V', P', C')}{(V, P~\mathtt {within}[u]_x, C) \mathop {\rightsquigarrow }\limits ^{e}(V', P', C' \wedge x\le u)}(awi2) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{a}(V', P', C') \ , \ \ a \ne \checkmark }{(V, P~\mathtt {deadline} [u]_x, C) \mathop {\rightsquigarrow }\limits ^{a}(V', P'~\mathtt {deadline} [u]_x, C' \wedge x\le u)}(adl1) \end{aligned}$$

$$\begin{aligned} \dfrac{(V, P, C) \mathop {\rightsquigarrow }\limits ^{\checkmark }(V', P', C')}{(V, P~\mathtt {deadline} [u]_x, C) \mathop {\rightsquigarrow }\limits ^{\checkmark }(V', P', C' \wedge x\le u)}(adl2) \end{aligned}$$