A topological formal treatment for scenario-based software specification of concurrent real-time systems
Real-time systems are computing systems in which the meeting of their requirements is vital for their correctness. Consequently, if the real-time requirements of these systems are poorly understood and verified, the results can be disastrous and lead…
Authors: Miriam C. B. Alves, Christine C. Dantas, Nanci N. Arai
ICSSEA 2007 - Alves, Dantas, Arai & Silva

A topological formal treatment for scenario-based software specification of concurrent real-time systems

Miriam C. Bergue Alves, Christine C. Dantas, Nanci Naomi Arai, Rovedy B. da Silva
Institute of Aeronautics and Space - IAE
Pca. Mal. Eduardo Gomes, 50, Vila das Acacias, 12.228-904 São José dos Campos, Brazil
Tel: +55 12 39474969 - Fax: +55 12 39475019
e-mail: {miriamalves;ccdantas;naomi;rovedy}@iae.cta.br

Abstract: Real-time systems are computing systems in which meeting their requirements is vital for their correctness. Consequently, if the real-time requirements of these systems are poorly understood and verified, the results can be disastrous and lead to irremediable project failures at the early phases of development. The present work addresses the problem of detecting deadlock situations early in the requirements specification phase of a concurrent real-time system, proposing a simple "proof-of-concept" prototype that joins scenario-based requirements specifications and techniques based on topology. The efforts are concentrated on the integration of the formal representation of Message Sequence Chart scenarios into the deadlock detection algorithm of Fajstrup et al. [15], based on geometric and algebraic topology.

Key words: concurrent systems, requirements specification, MSC, topology, formal treatment, verification, deadlocks.

1. INTRODUCTION

A predominant characteristic of real-time systems is concurrency. Concurrent systems are composed of concurrent tasks, processes or objects, and they typically manage shared resources, which means a demand for predictability, flexibility and reliability [10] [5].
For the class of hard real-time systems addressed by this research, there should be mechanisms and policies that ensure consistency and minimize worst-case blocking and any unbounded or excessive run-time overheads. Since such aspects are strongly associated with the behavioral model of the system, techniques and tools that more appropriately express concurrency, distribution and parallelism are indispensable.

The comprehension of concurrent systems is more difficult than that of sequential ones for various reasons. Perhaps the most obvious is that in a concurrent system all the different components are in independent states, and the combinations of states grow exponentially. Deadlocks can arise in these systems, which means that no component can make any progress, generally because each is waiting for communication with the others. Formal understanding and reasoning can help to establish properties of such a system. A formal specification of a system is concerned with producing an unambiguous set of system specifications that can be formally verified, so that requirements, as well as environment constraints and design intentions, are correctly reflected, thus reducing the chances of accidental fault injection.

Recently, techniques based on algebraic topology [4] have been introduced into concurrency theory in order to deal with the high complexity of verifying and analyzing properties of concurrent real-time systems. There is an entire assemblage of well-studied topological techniques that could be used, with some adaptations, to formally prove properties of concurrent systems. However, given the very recent acknowledgement of, and interest in, topological techniques among computer scientists, there have been very few actual implementations of such ideas in real case situations.
The use of formal specification is an important feature that adds great value at the initial stage of software development. However, a certain level of non-formalism is necessary at the beginning of development, when the requirements are not completely understood and some flexibility is essential for trying out alternatives to the design. Scenario-based requirements specification, expressed using Message Sequence Charts (MSCs), has a visual and proper semantics and has increasingly been used by analysts for specifying the requirements of a software system [20] [8] [12] [2] [16]. MSCs have been a major topic of research and practice [18] [21] and their semantics has also been formalized [7] [6].

This work presents a simple method that maps scenario-based specifications, represented formally by MSCs, to a topological space in order to formally verify these specifications. The efforts are concentrated on the integration of the deadlock detection algorithm of Fajstrup et al. [15], based on topological techniques, with MSC scenarios, addressing the problem of detecting deadlock situations early in the requirements specification phase and proposing a simple "proof-of-concept" prototype.

This paper is organized in six sections. Section 1 is the introduction, followed by Section 2, which presents the approach of modeling possible deadlock scenarios using MSCs and process algebra. Section 3 establishes the topological concepts necessary for this work, and Section 4 describes the integration between the deadlock detection algorithm and the MSC models as a simple "proof-of-concept" prototype. Finally, the conclusions and future prospects are summarized in Section 5.

2. MODELING POSSIBLE DEADLOCK SCENARIOS WITH MSC AND PROCESS ALGEBRA

2.1 MSC as a graphical language for describing scenarios

Message Sequence Chart is one of the most widespread approaches to documenting scenario-based specifications; it is relatively easy to use, has wide acceptance in industry and is well suited for developing first approximations of the intended behavior of a system. Scenarios describe a sequence of events or activities [11] [13] [9] and refer to interactions between independent entities. A complete reference on the MSC language can be found in Recommendation Z.120 [7].

2.2 The formalization of MSCs in process algebra

The ITU (International Telecommunication Union) Recommendation Z.120 [7] is the standard for the MSC language. Due to its widespread use and popularity, the MSC semantics and static requirements have also been formalized [6] [17] [19]. The principal motivation behind this formalization is to offer a proper basis for users of the language to avoid ambiguities, inconsistencies and obscurities. The description of the semantics of an MSC uses process algebra, based on the algebraic theory of process description ACP (Algebra of Communicating Processes) [14]. An MSC is characterized by the sequence of events along each instance axis, and it is assumed that communication between its instances is asynchronous. In order to present some aspects of the MSC formalization related to this work, process algebra theory will be avoided and the necessary concepts will be introduced through some simple examples, using the MSC graphical representation. These examples do not exhaustively show all the elements of the basic language, but only present the essential idea behind the formal semantics expressed as a process algebra sentence. An excellent tutorial on the formalization of MSC can be found in [19].
The MSC M1 in Figure 1 describes two instances, P1 and P2, which have two communications with the environment and one communication between them. This MSC can be characterized by two traces generated by P1 and P2. In process algebra, the semantics of P1 and P2 is:

Instance P1: out(P1, P2, m2) . in(env, P1, m1)
Instance P2: in(P1, P2, m2) . in(env, P2, m3)

where the operator "." is strict sequential composition.

Figure 1: MSC M1

As P1 and P2 operate in parallel, independently of each other, the semantics of the MSC M1 is:

out(P1, P2, m2) . in(env, P1, m1)  ||  in(P1, P2, m2) . in(env, P2, m3)        (1)

where the operator "||" is parallel composition. The parallel operator defines an interleaved execution of its operands. There is a basic static requirement which establishes that a message must be sent before it is received. Therefore, expression (1), after expansion, has several traces that must be eliminated. In order to enforce this basic static requirement, the state operator is introduced. After applying the state operator, the semantics of the MSC M1 is established as follows:

out(P1, P2, m2) . [ in(P1, P2, m2) . ( in(env, P1, m1) . in(env, P2, m3) + in(env, P2, m3) . in(env, P1, m1) )
                  + in(env, P1, m1) . in(P1, P2, m2) . in(env, P2, m3) ]

where the operator "+" represents alternatives.

The MSC M2 in Figure 2 describes two instances, P1 and P2. As the instance P2 has a coregion, the ordering of its events is completely free. Instead of the sequential composition operator, the parallel operator is used. The semantics of P1 is:

out(P1, P2, m1) . in(P2, P1, m2) . action(P1, a)

The semantics of P2 is:

in(P1, P2, m1) || out(P2, P1, m2)

So, the semantics of the MSC M2 is:

out(P1, P2, m1) . [ in(P1, P2, m1) . out(P2, P1, m2) . in(P2, P1, m2)
                  + out(P2, P1, m2) . in(P1, P2, m1) . in(P2, P1, m2)
                  + out(P2, P1, m2) . in(P2, P1, m2) . in(P1, P2, m1) ] . action(P1, a)
+ out(P2, P1, m2) . [ out(P1, P2, m1) . ( in(P1, P2, m1) . in(P2, P1, m2) + in(P2, P1, m2) . in(P1, P2, m1) ) ] . action(P1, a)

Figure 2: MSC M2

In general, the semantics of an MSC is a set of alternative traces that can be represented as shown in Figure 3.

Figure 3: A general representation for a process algebra sentence.

2.3 Description of possible deadlock scenarios

There are two possible ways in which concurrency can arise from MSC scenarios: internal (within the MSC) and external (among different MSC scenarios). If deadlock conditions are detected early, changes in the system model can be made not only to eliminate them, but also to circumvent them in the future.

Some considerations have to be made in order to represent possible deadlock scenarios using MSCs. The identification of processes, resources and messages must reflect situations where a certain number of processes share resources in a mutual exclusion regime. The processes will send two types of messages to the resources: lock and unlock (release). When a process sends a lock message to a resource, it takes that resource exclusively for a certain time in order to carry out some processing; after that, the same process releases the resource by sending the unlock message. The resources are passive instances that only receive input messages for locking and unlocking themselves. As a result of these considerations, each instance of an MSC will be either a process or a resource. Figure 4 shows a scenario that illustrates two processes P1 and P2 sharing a resource R1.
Figure 4: Lock-unlock scenario

2.4 The process algebra expression for possible deadlock scenarios

According to the assumptions established in the previous section, an MSC that represents a concurrent scenario will have only two possible types of messages: lock and unlock. So, the general expressions in process algebra can be established as follows:

Messages sent by processes: out(process, resource, lock/unlock)
Messages received by resources: in(process, resource, lock/unlock)

As the resources are considered passive instances, where the order in which they will receive the lock and unlock messages is not determined in concurrent systems, they will be represented with a coregion. So, assuming that there will be no lost messages, all the possible traces that correspond to all the ways the resource can be locked and unlocked will be the parallel composition of its process instances. This assumption eliminates the need to apply the state operator. In addition, given that the resource instances will receive all the messages sent to them in any order, and considering the geometric and topological treatment that will be used later (Sections 3 and 4), there is no need to expand the whole process algebra expression for the semantics of the MSC. The semantics of its processes, written as a process algebra expression, carries all the information necessary to search for deadlock scenarios. There is a significant simplification in considering that the semantics of an MSC representing a possible deadlock scenario can be characterized only by the semantics of its identified processes. The resulting process algebra expression is now simple to understand and easier to create. Figure 5 shows an example of an MSC that represents a possible deadlock scenario and the corresponding process algebra expression of its processes.

Figure 5: MSC and its process algebra sentence.
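The trace semantics of Section 2.2 and the simplification of Section 2.4 can be checked mechanically. The following Python module is an added example written for this page, not code from the paper or its prototype. It enumerates the traces of a basic MSC as the interleavings of its instances that respect each instance's own order and the static requirement that a message is sent before it is received, with a coregion modelled as an unordered set of events. M1 and M2 are transcribed from Figures 1 and 2; the lock/unlock MSC is a constructed scenario in the style of Figure 4, and its instance name R1 and message names are this example's own assumptions.

```python
"""Trace semantics of basic MSCs under the send-before-receive requirement.

Added example written for this page; it is not code from the paper or its
prototype. An MSC is a dict mapping an instance name to its list of steps:
a step is either one event tuple (strict sequential composition along the
instance axis) or a frozenset of event tuples (a coregion, whose events are
unordered). Event tuples mirror the paper's notation:
    ("out", sender, receiver, msg)    ("in", sender, receiver, msg)
    ("action", instance, name)
"""


def _instance_order(steps):
    """Events of one instance plus the precedence pairs its axis implies:
    every event of a step precedes every event of the following step."""
    events, before, previous = [], [], []
    for step in steps:
        group = sorted(step) if isinstance(step, (set, frozenset)) else [step]
        before.extend((p, e) for p in previous for e in group)
        events.extend(group)
        previous = group
    return events, before


def msc_traces(msc):
    """All interleavings of the instances that respect each instance's own
    order and the static requirement that out(p, q, m) precedes in(p, q, m).
    A message from 'env' has no matching out event, so it is unconstrained."""
    events, before = [], []
    for steps in msc.values():
        ev, bf = _instance_order(steps)
        events += ev
        before += bf
    present = set(events)
    for e in events:
        if e[0] == "in" and ("out",) + e[1:] in present:
            before.append((("out",) + e[1:], e))
    preds = {e: frozenset(a for a, b in before if b == e) for e in events}
    traces = []

    def extend(trace, done):
        # depth-first enumeration of linear extensions of the precedence order
        if len(trace) == len(events):
            traces.append(tuple(trace))
            return
        for e in events:
            if e not in done and preds[e] <= done:
                extend(trace + [e], done | {e})

    extend([], frozenset())
    return traces


def process_view(traces):
    """Project traces onto what the processes do (out/action events),
    discarding what the passive resource instances receive."""
    return {tuple(e for e in t if e[0] != "in") for t in traces}


# MSC M1 (Figure 1): P1 sends m2 to P2 and then takes m1 from the
# environment; P2 receives m2 and then takes m3 from the environment.
M1 = {
    "P1": [("out", "P1", "P2", "m2"), ("in", "env", "P1", "m1")],
    "P2": [("in", "P1", "P2", "m2"), ("in", "env", "P2", "m3")],
}

# MSC M2 (Figure 2): the two events of P2 sit in a coregion.
M2 = {
    "P1": [("out", "P1", "P2", "m1"), ("in", "P2", "P1", "m2"), ("action", "P1", "a")],
    "P2": [frozenset({("in", "P1", "P2", "m1"), ("out", "P2", "P1", "m2")})],
}

# Constructed lock/unlock scenario in the style of Figure 4: two processes
# and one passive resource R1 whose inputs form a coregion (Section 2.4).
LOCK_UNLOCK = {
    "P1": [("out", "P1", "R1", "lock"), ("out", "P1", "R1", "unlock")],
    "P2": [("out", "P2", "R1", "lock"), ("out", "P2", "R1", "unlock")],
    "R1": [frozenset({("in", "P1", "R1", "lock"), ("in", "P1", "R1", "unlock"),
                      ("in", "P2", "R1", "lock"), ("in", "P2", "R1", "unlock")})],
}
PROCESSES_ONLY = {name: steps for name, steps in LOCK_UNLOCK.items() if name != "R1"}

if __name__ == "__main__":
    for name, msc in (("M1", M1), ("M2", M2), ("lock/unlock", LOCK_UNLOCK)):
        print(name, len(msc_traces(msc)), "traces")
```

For M1 the enumerator returns the three traces of the expression in Section 2.2, all starting with out(P1, P2, m2). For M2 it returns seven traces, because strict interleaving also lets action(P1, a) occur before P2 has received m1; the written expression for M2 in Section 2.2 lists the five orderings in which the action comes last. For the lock/unlock scenario, projecting its 630 full traces onto the events the processes perform yields exactly the six interleavings of P1 and P2 alone, which is the simplification Section 2.4 relies on: the passive resource adds nothing that the process instances do not already determine.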
3. TOPOLOGICAL FORMAL TREATMENT

In recent years, topological methods have been introduced into concurrency theory (e.g., [4]). Most notably, partial order reduction techniques based on topology have been used to tackle the well-known "state-space explosion problem" [3]. Concurrency theory deals with a very large, although finite, space of states (a discrete space), whereas topology deals with the properties of geometrical figures that are preserved under continuous deformations. In order to apply continuous topological techniques to the discrete space of concurrency, the latter is represented as a subset of the Euclidean space R^n: the unit cube in n-space, I^n = I_1 x ... x I_n, where I is the unit interval [0, 1]. Each coordinate axis corresponds to a process (from a set of n concurrent processes defined by the system). The set of coordinate points on each axis composes an ordered sequence of real numbers between 0 and 1, representing the scheduled actions (a transaction) that a given process will execute. For instance, consider a finite set of transactions acting upon a centralized database. Each transaction can be abstracted as a sequence of locking (represented by P, according to Dijkstra's nomenclature [1]) and unlocking (V) operations on the database's shared resources (e.g., data records). The state of the database corresponds to a point in the n-cube space; in particular, the initial state is the n-dimensional vector with coordinates (0, ..., 0), whereas the final state is the (1, ..., 1) vector.
If we consider that only two transactions, T1 = {Pa Pb Vb Va} and T2 = {Pb Pa Va Vb} (where a and b label the shared resources that are being locked and unlocked), will act upon the database, it is already clear from the geometrical representation that there will be three types of critical regions: unsafe, forbidden, and unreachable. An illustration of this two-transaction example is shown in Figure 6 (adapted from [15]). Hence, if a concurrent system, composed of a certain number of independent processes, shares one or several resources, a trajectory or path in the n-cube space corresponds to a correct synchronization between the processes only if the path does not cross the critical regions mentioned above. The forbidden region is actually a "hole" in the n-cube space that is inaccessible to the processes due to mutual exclusion. The unsafe region consists of the states from which every path inevitably leads to a deadlock, whereas the unreachable region represents the set of impossible states of the system. Such a geometrical model of concurrency is referred to as a "progress graph".

Figure 6: A two-transaction progress graph.

Given the existence of critical regions in the progress graph, it is already intuitively clear that it is possible to identify different sets of equivalent paths, in the sense that they perform essentially the same scheduling. For instance, if two or more execution paths can be continuously deformed into each other, then in topological terms they are homotopically equivalent. If a path cannot be deformed into another one, due to the presence of the excluded region between it and the other path, then it performs a different scheduling. A progress graph is actually a topological space in which the points representing the states of the concurrent system are ordered globally through time.
Thus, it is already qualitatively evident from simple examples that the "state-space explosion problem" can be naturally tackled by such a topological formalism [3], given that there is no need to traverse all execution paths to check for given properties of the system. In particular, the existence of deadlocks can be geometrically determined by a simple algorithm developed by Fajstrup et al. [15].

4. INTEGRATING A DEADLOCK DETECTION ALGORITHM BASED ON TOPOLOGICAL METHODS WITH MESSAGE SEQUENCE CHARTS

The main philosophy behind the "proof-of-concept" prototype proposed in this paper is the formal verification of the implementability of MSC specifications, with respect to deadlock scenarios, at an early stage of development of a concurrent system, based on ready-to-use topological concepts.

Such an integration can be achieved in a relatively straightforward manner by recognizing that the fundamental actions of the semantics of each process identified in the MSC scenario (Section 2.3) are mapped onto one coordinate axis of the topological space, which corresponds to one process from the set of n concurrent processes defined by the system. The actions out(process, resource, lock/unlock) that a certain process performs correspond to the set of coordinate points on its axis, composed of an ordered sequence of real numbers between 0 and 1 and representing the scheduled actions (a transaction) that the process will execute. For every concurrent process in the MSC, each action out(process, resource, lock) upon the shared instance resource will be identified with a lock (P) action, and each action out(process, resource, unlock) upon the shared instance resource will be identified with an unlock (V) action.
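To make the progress-graph construction of Section 3 and the MSC-to-axis mapping of Section 4 concrete, here is an added Python example written for this page. It is neither the paper's prototype nor the geometric algorithm of Fajstrup et al. [15]: it keeps the same model (one axis per process, one unit per P or V action, every resource a binary semaphore) but examines only the integer lattice points of the progress graph, classifying each as forbidden, deadlock, unsafe or unreachable by forward and backward reachability, and it handles any number of processes rather than only the two of Figure 6. The transaction strings T1 = PaPbVbVa and T2 = PbPaVaVb are the paper's; the function msc_to_transactions and the event-tuple format out(process, resource, lock/unlock) it consumes are this example's own conventions.

```python
"""Progress-graph deadlock analysis of PV transactions on the integer lattice.

Added example written for this page; it is neither the paper's prototype nor
the geometric algorithm of Fajstrup et al. [15]. It keeps the paper's model
(one axis per process, one unit per P/V action, binary semaphores) but walks
the lattice points of the progress graph instead of the continuous n-cube,
which is enough to classify every point as forbidden, deadlock, unsafe or
unreachable for any number of processes.
"""
from collections import deque
from itertools import product


def parse_transaction(text):
    """Paper notation: 'PaPbVbVa' -> [('P','a'), ('P','b'), ('V','b'), ('V','a')]."""
    if len(text) % 2:
        raise ValueError("expected op/resource letter pairs")
    steps = [(text[i], text[i + 1]) for i in range(0, len(text), 2)]
    if any(op not in "PV" for op, _ in steps):
        raise ValueError("operations must be P (lock) or V (unlock)")
    return steps


def msc_to_transactions(processes):
    """Section 4 mapping: out(process, resource, lock) -> P, unlock -> V, in
    instance order. `processes` maps a process name to its event tuples
    ("out", process, resource, "lock"/"unlock"); the passive resource
    instances carry no extra information and are not needed here."""
    ops = {"lock": "P", "unlock": "V"}
    return [[(ops[e[3]], e[2]) for e in steps if e[0] == "out"]
            for steps in processes.values()]


def holdings(trans, pos):
    """Resources a process holds after executing its first `pos` actions."""
    held = set()
    for op, res in trans[:pos]:
        (held.add if op == "P" else held.discard)(res)
    return held


def is_forbidden(transactions, point):
    """A lattice point lies in the forbidden region when two processes hold
    the same binary semaphore at once, i.e. mutual exclusion is violated."""
    taken = set()
    for trans, pos in zip(transactions, point):
        held = holdings(trans, pos)
        if held & taken:
            return True
        taken |= held
    return False


def analyse(transactions):
    """Classify the progress graph of the given transactions, each either a
    string in the paper's PaVa notation or a list of (op, resource) pairs."""
    trans = [parse_transaction(t) if isinstance(t, str) else list(t) for t in transactions]
    final = tuple(len(t) for t in trans)          # the (1, ..., 1) corner
    origin = tuple(0 for _ in trans)               # the (0, ..., 0) corner
    points = list(product(*(range(n + 1) for n in final)))
    forbidden = {p for p in points if is_forbidden(trans, p)}

    def neighbours(p, direction):
        # exactly one process advances (+1) or, for the backward search, retreats (-1)
        for i in range(len(p)):
            c = p[i] + direction
            if 0 <= c <= final[i]:
                q = p[:i] + (c,) + p[i + 1:]
                if q not in forbidden:
                    yield q

    def closure(start, direction):
        seen, queue = {start}, deque([start])
        while queue:
            for q in neighbours(queue.popleft(), direction):
                if q not in seen:
                    seen.add(q)
                    queue.append(q)
        return seen

    reachable = closure(origin, +1)   # states some execution path reaches
    safe = closure(final, -1)         # states from which the final state is still reachable
    deadlocks = {p for p in reachable if p != final and not any(neighbours(p, +1))}
    return {
        "forbidden": forbidden,
        "deadlocks": deadlocks,
        "unsafe": reachable - safe,
        "unreachable": set(points) - forbidden - reachable,
    }


if __name__ == "__main__":
    # The two-transaction example of Figure 6: T1 = PaPbVbVa, T2 = PbPaVaVb.
    for region, pts in analyse(["PaPbVbVa", "PbPaVaVb"]).items():
        print(f"{region:12s}", sorted(pts))
```

On the Figure 6 transactions the analysis reports the forbidden points (1,2), (2,1), (2,2), (2,3) and (3,2); the single deadlock (1,1), where T1 holds a and waits for b while T2 holds b and waits for a, which at lattice resolution is also the whole unsafe region; and the unreachable point (3,3), which respects mutual exclusion but can only be entered through a forbidden point. A point is unsafe exactly when no sequence of single-process advances from it reaches the final corner, the discrete counterpart of the geometric unsafe region of [15]; the continuous n-cube additionally distinguishes where between two actions a path enters such a region, which this lattice view does not.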
Consequently, for each concurrent process, its partially ordered actions are placed as a sequence of ordered real numbers along the axis interval [0, 1]. The resources identified in each action out(process, resource, lock/unlock) will be the labeled shared resources that are being locked and unlocked. Once this mapping is realized, the progress graph is created. The next step is the application of the deadlock detection algorithm [15] to each resulting topological space. Figure 7 is a simple illustration of the correspondence between an MSC and its progress graph, with two scenarios identified by the topological technique: a safe execution path (1) and a deadlock situation (2).

Figure 7: Correspondence between MSC and progress graph

5. CONCLUSIONS AND FUTURE PROSPECTS

This paper proposes a simple "proof-of-concept" prototype to formally treat concurrency in real-time systems by considering the integration of a deadlock detection algorithm based on topology with MSCs. One of the initial results of this integration is the possibility of formally verifying MSC scenarios and reliably finding forbidden scenarios at the early phases of development. The use of geometric and algebraic topology concepts allows critical regions to be promptly identified for decision-making purposes. The use of MSC as a language to express scenarios of a system provides practically a one-to-one correspondence between both formalisms. This fact guarantees that the use of the proposed method does not affect the necessary flexibility. Reliability is also accomplished by the implementation of a simple and precise algorithm derived from the geometrical configuration of the state space of the system.
The integration of formal methods with behavioral models that are flexible enough to be used at the early phases of software development is a step forward in the characterization of a rigorous treatment of concurrency. Although the method was proposed to be applied primarily during system requirements analysis, it can also be used to formally verify refined MSC scenarios in detailed design. There are still many aspects to be considered in this research. Future implementation of the prototype has to aim at the development of a friendly user interface. The proposed method can also be extended, with apparently minor modifications, to cover the case of semaphores. The use of more advanced topological techniques, such as directed homotopy (dihomotopy), in more generalized and/or complex situations, like those involving a varying number of concurrent processes, is a promising line of research in the emergent discipline of topological concurrency theory.

6. REFERENCES

[1] Edsger W. Dijkstra: Co-operating sequential processes; in F. Genuys (ed.), Programming Languages, Academic Press, New York, pp. 43-110, 1968.
[2] Ekkart Rudolph, Peter Graubmann, and Jens Grabowski: Tutorial on message sequence charts; Computer Networks and ISDN Systems, vol. 28, 1996.
[3] Eric Goubault and Martin Raussen: Dihomotopy as a Tool in State Space Analysis; Latin American Theoretical Informatics (LATIN), pp. 16-37, 2002.
[4] Eric Goubault: Geometry and concurrency: a user's guide; Mathematical Structures in Computer Science, vol. 10, pp. 411-425, 2000.
[5] Eric Goubault: The Pragmatics of HDA for Concurrent Program Analysis; on-line article (accessed May 2006), http://citeseer.ist.psu.edu/goubault97pragmatic.html, 1997.
[6] ITU-TS: ITU-TS Recommendation Z.120 Annex B: Algebraic semantics of Message Sequence Charts; ITU-TS, Geneva, 1998.
[7] ITU-TS: ITU-TS Recommendation Z.120: Message Sequence Charts; ITU-TS, Geneva, 2004.
[8] Ivar Jacobson et al.: Object-Oriented Software Engineering; Addison-Wesley, Reading, MA, 1992.
[9] Ivar Jacobson et al.: The Unified Software Development Process; Addison-Wesley, Harlow, 1999.
[10] Ivica Crnkovic and Magnus Larsson: Building reliable component-based software systems; Artech House, Inc., Norwood, MA, 2002.
[11] J. Pearsall: The New Oxford Dictionary of English; Oxford University Press, Oxford, 1998.
[12] James Rumbaugh et al.: Object-Oriented Modeling and Design; Prentice Hall, Englewood Cliffs, NJ, 1991.
[13] John M. Carroll: Scenario-based design: envisioning work and technology in system development; Wiley, New York, 1995.
[14] Jos Baeten and W. P. Weijland: Process Algebra; Cambridge Tracts in Theoretical Computer Science, vol. 18, Cambridge University Press, Cambridge, 1990.
[15] Lisbeth Fajstrup, Eric Goubault and Martin Raussen: Detecting Deadlocks in Concurrent Systems; International Conference on Concurrency Theory (CONCUR), pp. 332-347, 1998.
[16] Rajeev Alur and Mihalis Yannakakis: Model Checking of Message Sequence Charts; Proc. 10th Intl. Conf. on Concurrency Theory, Springer-Verlag, pp. 114-129, 1999.
[17] Sjouke Mauw and Michael A. Reniers: Formalization of static requirements for Message Sequence Charts; Joint rapporteurs meeting SG10, Geneva, TD9010, ITU-TS, 1994.
[18] Sjouke Mauw, Michael A. Reniers, and T. A. C. Willemse: Message Sequence Charts in the software engineering process; in S. K. Chang (ed.), Handbook of Software Engineering and Knowledge Engineering, pp. 437-463, World Scientific Publishing Co., 2001.
[19] Sjouke Mauw: The formalization of Message Sequence Charts; Computer Networks and ISDN Systems, vol. 28, no. 12, pp. 1643-1657, 1996.
[20] TIMe: Tutorial on MSC'96; TIMe Electronic Textbooks, July 1999, on-line article (accessed August 2007), http://www.sintef.no/time/ELB40/ELB/MSC96/MSC96.pdf.
[21] Werner Damm and David Harel: LSCs: Breathing Life Into Message Sequence Charts; Formal Methods in System Design, Kluwer Academic Publishers, Netherlands, pp. 45-80, 2001.