Yuanrui Zhang,Hengyang Wu,Yixiang Chen,Frederic Mallet

DOI: https://doi.org/10.1016/j.scico.2020.102591

IF: 1.039

2021-01-01

Science of Computer Programming

Abstract:The Clock Constraint Specification Language (CCSL) is a clock-based specification language for real-time embedded systems. With logical clocks defined as first-class citizens, CCSL provides a natural way for describing clock constraints in synchronous systems — a classical model of concurrency for real-time embedded systems. In this paper, we propose a clock-based dynamic logic called CCSL Dynamic Logic (CDL) for the verification of CCSL specifications in synchronous systems. It extends the first-order dynamic logic with a synchronous execution mechanism in its program model and with CCSL primitives as terms in its logical formulae. We build a sound and relatively complete proof system for CDL to support the verification. Compared with previous approaches for verifying CCSL specifications, which are based on model checking and SMT checking techniques, our approach, which is based on theorem-proving, offers a unified verification framework in which both bounded and unbounded CCSL specifications can be verified. Technically, with the proof system of CDL, a complex CDL formula can be semi-automatically transformed into a set of quantifier-free, arithmetical first-order logic (QF-AFOL) formulae which can be checked by an SMT solver in an efficient way. As a case study, we analyze a simple synchronous system throughout the paper to illustrate how CDL works. We analyze and prove the soundness and completeness of the proof system for CDL. Currently, CDL is partially mechanized in Coq.

Yuanrui Zhang,Frédéric Mallet,Huibiao Zhu,Yixiang Chen

DOI: https://doi.org/10.1109/tase.2019.00-23

2019-01-01

Abstract:The Clock Constraint Specification Language (CCSL) is a clock-based formalism for formal specification and analysis of real-time embedded systems. Previous approaches for the schedulability analysis of CCSL specifications are mainly based on model checking or SMT-checking. In this paper we propose a logical approach mainly based on theorem proving. We build a dynamic logic called 'clock-based dynamic logic' (cDL) to capture the CCSL specifications and build a proof calculus to analyze the schedule problem of the specifications. Comparing with previous approaches, our method benefits from the dynamic logic that provides a natural way of capturing the dynamic behaviour of CCSL and a divide-and-conquer way for 'decomposing' a complex formula into simple ones for an SMT-checking procedure. Based on cDL, we outline a method for the schedulability analysis of CCSL. We illustrate our theory through one example.

Yuanrui Zhang,Frederic Mallet,Huibiao Zhu,Yixiang Chen,Bo Liu,Zhiming Liu

DOI: https://doi.org/10.1016/j.scico.2020.102546

IF: 1.039

2020-01-01

Science of Computer Programming

Abstract:The Clock Constraint Specification Language (CCSL) is a clock-based formalism for the specification and analysis of real-time embedded systems. The major goal of schedulability analysis of CCSL specifications is to solve the schedule problem, which is to answer ‘whether there exists a clock behaviour (also called a ‘schedule’) that conforms to a given CCSL specification'. Existing works on schedulability analysis of CCSL specifications are mainly based on model checking or SMT-solving. In this paper, however, we propose a theorem-proving approach to the problem. To this end, we define a clock-based dynamic logic (cDL) in which we can specify the clock behaviours and the clock relations in CCSL. With cDL, given a CCSL specification SP, we can express its schedule problem as a cDL formula ϕsp. Then solving the schedule problem is equivalent to checking the validity of ϕsp in the proof system of cDL. By analyzing the proof tree of ϕsp, we can generate a concrete schedule satisfying SP. Compared to the previous approaches, our method is not limited to special types of CCSL specifications and schedules and does not depend on the bounds that are set for approximate checking. We implement our cDL in Coq. We use an example throughout the paper to illustrate our method.

Ling Yin,Jing Liu,Zuohua Ding,Frédéric Mallet,Robert de Simone

DOI: https://doi.org/10.1109/APSEC.2013.62

2013-01-01

Abstract:The Clock Constraint Specification Language (CCSL) is a formal polychronous language based on the notion of logical clock. It defines a set of kernel constraints that can represent both asynchronous and synchronous relations. It was originally developed as part of the UML Profile for MARTE to express causal and temporal constraints of Real-time and Embedded Systems. In this paper, we explore the use of CCSL for modeling scheduling requirements and to conduct schedulability analysis. For this purpose, a dedicated scheduling library of CCSL has been built. This library is endowed with a state-based operational semantics, and is applied to solve issues related to schedulability analysis and latency-insensitive design. We establish schedulability categories and latency-insensitiveness property in the context of the semantics, and solve those issues by using model checking techniques.

Min Zhang,Yunhui Ying

DOI: https://doi.org/10.1145/3078633.3081035

2017-01-01

Abstract:The Clock Constraint Specification Language (CCSL) is a formal language companion to MARTE (shorthand for Modeling and Analysis of Real-Time and Embedded systems), a UML profile used to facilitate the design and analysis of real-time and embedded systems. CCSL is proposed to specify constraints on the occurrences of events in systems. However, the language lacks efficient verification support to formally analyze temporal properties, which are important properties to real-time and embedded systems. In this paper, we propose an SMT-based approach to model checking of the temporal properties specified in Linear Temporal Logic (LTL) for CCSL by transforming CCSL constraints and LTL formulas into SMT formulas. We implement a prototype tool for the proposed approach and use the state-of-the-art tool Z3 as its underlying SMT solver. We model two practical real-time and embedded systems, i.e., a traffic light controller and a power window system in CCSL, and model check LTL properties of them using the proposed approach. Experimental results demonstrate the effectiveness and efficiency of our approach.

Yuanrui Zhang,Frederic Mallet,Yixiang Chen

DOI: https://doi.org/10.1007/s11704-018-7054-8

IF: 2.6688

2020-01-01

Frontiers of Computer Science

Abstract:The Spatio-Temporal Consistency Language (STeC) is a high-level modeling language that deals natively with spatio-temporal behaviour, i.e., behaviour relating to certain locations and time. Such restriction by both locations and time is of first importance for some types of real-time systems. CCSL is a formal specification language based on logical clocks. It is used to describe some crucial safety properties for real-time systems, due to its powerful expressiveness of logical and chronometric time constraints. We consider a novel verification framework combining STeC and CCSL, with the advantages of addressing spatio-temporal consistency of system behaviour and easily expressing some crucial time constraints. We propose a theory combining these two languages and a method verifying CCSL properties in STeC models. We adopt UPPAAL as the model checking tool and give a simple example to illustrate how to carry out verification in our framework.

Yuanrui Zhang,Frederic Mallet,Min Zhang,Zhiming Liu

DOI: https://doi.org/10.1145/3670794

2024-01-01

Formal Aspects of Computing

Abstract:The polychronous or multi-clock paradigm is adequate to model large distributed systems where achieving a full timed synchronization is not only very costly, but also often not necessary. It concerns systems made of a set of components with loose synchronization constraints. We study an approach where those components are orchestrated using logical clocks , made popular by L. Lamport and synchronous languages. The temporal and causal specification of those systems is built by defining a set of clock relations that would constrain the instant when clocks can tick or must not tick, thus defining families of valid schedules . In this paper, we propose a specification language, called LTL c / CCSL , for specifying temporal properties of multi-clock systems. While traditional temporal logics (LTL, MTL, CTL*), whether linear or branching, rely on a global step, our language, LTL c / CCSL , builds a partial order on logical clocks, thus allowing both a hierarchical approach based on refinement of clock hierarchies, and compositionality as what happens in one clock domain may remain largely independent of what may happen in other domains. This good property helps preserve the properties without requiring to perform the proofs again. An LTL c / CCSL specification consists of a clock temporal logic LTL c , accompanied with a clock calculus called CCSL for specifying clock relations. We build the syntax and semantics of LTL c and link its semantics with CCSL. After that we mainly focus on the verification aspect of LTL c / CCSL specifications using model checking technique. We show how LTL c / CCSL can be used for specifying multi-clock systems with an example.

Yun-Hui YING,Min ZHANG

DOI: https://doi.org/10.13328/j.cnki.jos.005469

2018-01-01

Abstract:CCSL (abbreviated for clock constraint specification language) is a formal language for specifying the constraints on the occurrences of events in real-time and embedded systems.CCSL is a companion language of MARTE (abbreviated for modeling and analysis of real-time and embedded systems),a UML profile which provides support for specification,design,and verification/validation stages for model-driven development of real time and embedded Systems.Given a set of CCSL constraints,it is necessary to check if there exist schedules that satisfy all the constraints and if all the behaviors that conforming to the constraints will never incur deadlock of systems.Many approaches have been proposed based on state transition system,timed automata,etc.However,most of the existing approaches have some drawbacks,such as being ad hoc to specific formal analysis,and being suited to only subsets of CCSL constraints or inefficient.In this paper,a unified and efficient SMT-based approach to formal analysis of CCSL is proposed.This approach is unified in that it can be applied to various analysis such as validity proving,trace analysis,deadlock detection and LTL model checking.A prototype tool for the new approach is implemented to support the four types of formal analysis,utilizing the state-of-the-art SMT solvers such as Z3 and CVC4.With efficient SMT solvers,verification can be completed in a reasonable time,as demonstrated by the experimental results in the case studies.

Min Zhang,Frédéric Mallet

DOI: https://doi.org/10.1007/978-3-319-29510-7_2

2016-01-01

Abstract:The Clock Constraint Specification Language (CCSL) is a language to specify logical and timed constraints between logical clocks. Given a set of clock constraints specified in CCSL, formal analysis is preferred to check if there exists a schedule that satisfies all the constraints, if the constraints are valid or not, and if the constraints satisfy expected properties. In this paper, we present a formal executable semantics of CCSL in rewriting logic and demonstrate some applications of the formal semantics to its formal analysis: (1) to automatically find bounded or periodic schedules that satisfy all the given constraints; (2) to simulate the execution of schedules with customized simulation policies; and (3) to verify LTL properties of CCSL constraints by bounded model checking. Compared with other existing modeling approaches, advantages with the rewriting-based semantics of CCSL are that we do not need to assume a bounded number of steps for the formalization, and we can exhaustively explore all the solutions within a given bound for the analysis.

Ming Hu,Jiepin Ding,Min Zhang,Frédéric Mallet,Mingsong Chen

DOI: https://doi.org/10.1109/rtss52674.2021.00030

2021-01-01

Abstract:The Clock Constraint Specification Language (CCSL) has become popular for modeling and analyzing timing behaviors of real-time embedded systems. However, it is difficult for requirement engineers to accurately figure out CCSL specifications from natural language-based requirement descriptions. This is mainly because: i) most requirement engineers lack expertise in formal modeling; and ii) few existing tools can be used to facilitate the generation of CCSL specifications. To address these issues, this paper presents a novel approach that combines the merits of both Reinforcement Learning (RL) and deductive techniques in logical reasoning for efficient co-synthesis of CCSL specifications. Specifically, our method leverages RL to enumerate all the feasible solutions to fill the holes of incomplete specifications and deductive techniques to judge the quality of each trial. Our proposed deductive mechanisms are useful for not only pruning enumeration space, but also guiding the enumeration process to reach an optimal solution quickly. Comprehensive experimental results on both well-known benchmarks and complex industrial examples demonstrate the performance and scalability of our method. Compared with the state-of-the-art, our approach can drastically reduce the synthesis time by several orders of magnitude while the accuracy of synthesis can be guaranteed.

Ming Hu,Tongquan Wei,Min Zhang,Frederic Malle,Mingsong Chen

DOI: https://doi.org/10.1145/3316781.3317904

2019-01-01

Abstract:The Clock Constraint Specification Language (CCSL) has been widely investigated in verifying causal and temporal timing behaviors of real-time embedded systems. However, due to limited expertise in formal modeling, it is difficult for requirement engineers to completely and accurately derive CCSL specifications from natural language-based design descriptions. To address this problem, we present a novel approach that facilitates automated synthesis of CCSL specifications under the guidance of sampled (expected) timing behaviors of target systems. By encoding sampled behaviors and incomplete CCSL constraints provided by requirement engineers using our proposed transformation templates, the CCSL specification synthesis problem can be naturally converted into a SKETCH synthesis problem, which enables the automated generation of CCSL specifications with high accuracy. Experiments on both well-known benchmarks and synthetic examples demonstrate the effectiveness and scalability of our approach.

Min Zhang,Fu Song,Frédéric Mallet,Xiaohong Chen

DOI: https://doi.org/10.1007/978-3-030-16722-6_4

2019-01-01

Abstract:The Clock Constraint Specification Language (CCSL) is a formalism for specifying logical-time constraints on events for the design of real-time embedded systems. A central verification problem of CCSL is to check whether events are schedulable under logical constraints. Although many efforts have been made addressing this problem, the problem is still open. In this paper, we show that the bounded scheduling problem is NP-complete and then propose an efficient SMT-based decision procedure which is sound and complete. Based on this decision procedure, we present a sound algorithm for the general scheduling problem. We implement our algorithm in a prototype tool and illustrate its utility in schedulability analysis in designing real-world systems and automatic proving of algebraic properties of CCSL constraints. Experimental results demonstrate its effectiveness and efficiency.

Xiaohong Chen,Ling Yin,Yijun Yu,Zhi Jin

DOI: https://doi.org/10.1007/978-3-319-68690-5_4

2017-01-01

Abstract:The timing requirements of embedded cyber-physical systems (CPS) constrain CPS behaviors made by scheduling analysis. Lack of physical entity properties modeling and the need of scheduling analysis require a systematic approach to specify timing requirements of CPS at the early phase of requirements engineering. In this work, we extend the Problem Frames notations to capture timing properties of both cyber and physical domain entities into Clock Constraint Specification Language (CCSL) constraints which is more explicit that LTL for scheduling analysis. Interpreting them using operational semantics as finite state machines, we are able to transform these timing requirements into CCSL scheduling constraints, and verify their consistency on NuSMV. Our TimePF tool-supported approach is illustrated through the verification of timing requirements for a representative problem in embedded CPS.

Ming Hu,Jun Xia,Min Zhang,Xiaohong Chen,Frederic Mallet,Mingsong Chen

DOI: https://doi.org/10.1109/tcad.2023.3285412

IF: 2.9

2023-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:As a promising requirement-level specification language for timing behavior modeling, the clock constraint specification language (CCSL) has become popular in the model-driven design community for safety-critical embedded systems. However, due to the skyrocketing design complexity, in practice, it is hard for requirement engineers to accurately construct requirement models with expected timing behaviors using CCSL, especially, for safe timing behaviors. Although more and more CCSL synthesis approaches are designed to facilitate the generation of CCSL specifications, most of them cannot be used directly for the synthesis of requirements models. This is because existing CCSL synthesis methods: 1) focus on filling the holes of CCSL constraints rather than completing requirements models and 2) rely heavily on limited observations of system behaviors, while the (temporal) safety properties of target systems are neglected. To address these issues, this article proposes a novel method that enables the automated synthesis of safe timing behaviors for requirements models. By specifying the safety timing properties of target systems using safely-LTL, our approach adopts CCSL as an intermediate representation of requirement synthesis, where incomplete requirements models coupled with safely-LTL-based properties are encoded into CCSL constraints with holes. Guided by the samples (expected behaviors) provided by requirement engineers, our approach can automatically figure out the complete version of incomplete requirements models. Comprehensive experimental results on two complex case studies demonstrate that our approach can not only quickly and efficiently synthesize requirement models but also guarantee that the synthesized models satisfy specified safety properties in Safely-LTL form.

Fei Gao,Frederic Mallet,Min Zhang,Mingsong Chen

DOI: https://doi.org/10.23919/date48585.2020.9116344

2020-01-01

Abstract:The Clock Constraint Specification Language (CCSL) is a logical time based modeling language to formalize timing behaviors of real-time and embedded systems. However, it cannot capture timing behaviors that contain uncertainties, e.g., uncertainty in execution time and period. This limits the application of the language to real-world systems, as uncertainty often exists in practice due to both internal and external factors. To capture uncertainties in timing behaviors, in this paper we extend CCSL by introducing parameters into constraints. We then propose an approach to transform parametric CCSL constraints into SMT formulas for efficient verification. We apply our approach to an industrial case which is proposed as the FMTV (Formal Methods for Timing Verification) Challenge in 2015, which shows that timing behaviors with uncertainties can be effectively modeled and verified using the parametric CCSL.

Ming Hu,Min Zhang,Frederic Mallet,Xin Fu,Mingsong Chen

DOI: https://doi.org/10.1109/tc.2022.3197956

IF: 3.183

2023-01-01

IEEE Transactions on Computers

Abstract:The Clock Constraint Specification Language (CCSL) has been widely acknowledged as a promising system-level specification for the modeling and analysis of timing behaviors of real-time and embedded systems. However, along with the increasing complexity of modern systems coupled with strict time-to-market constraints, it becomes more and more difficult for requirement engineers to accurately figure out CCSL specifications from natural language-based requirement documents, since they lack both expertise in formal CCSL modeling and design automation tools to support quick and automatic generation of CCSL specifications. To solve the above problem, in this paper we introduce a novel and efficient Reinforcement Learning (RL)-based synthesis approach that can facilitate requirement engineers to quickly figure out their expected CCSL specifications. For a given incomplete CCSL specification, our approach adopts RL-based enumeration to explore all the feasible solutions to fill the holes within CCSL constraints, and leverages curiosity-driven exploration to accelerate the enumeration process. Based on the combination of our proposed curiosity-driven exploration heuristic and deductive reasoning techniques, our approach can not only prune unfruitful enumeration solutions effectively, but also optimize the enumeration process to search for the tightest solution quickly, thus the overall synthesis process can be accelerated dramatically. Comprehensive experimental results demonstrate that our approach significantly outperforms state-of-the-art methods in terms of both synthesis time and synthesis accuracy.

Simon Lunel,Stefan Mitsch,Benoit Boyer,Jean-Pierre Talpin

DOI: https://doi.org/10.48550/arXiv.1907.02881

2019-07-08

Abstract:Computer-Controlled Systems (CCS) are a subclass of hybrid systems where the periodic relation of control components to time is paramount. Since they additionally are at the heart of many safety-critical devices, it is of primary importance to correctly model such systems and to ensure they function correctly according to safety requirements. Differential dynamic logic $d\mathcal{L}$ is a powerful logic to model hybrid systems and to prove their correctness. We contribute a component-based modeling and reasoning framework to $d\mathcal{L}$ that separates models into components with timing guarantees, such as reactivity of controllers and controllability of continuous dynamics. Components operate in parallel, with coarse-grained interleaving, periodic execution and communication. We present techniques to automate system safety proofs from isolated, modular, and possibly mechanized proofs of component properties parameterized with timing characteristics.

Logic in Computer Science

Eun-Young Kang,Li Huang

DOI: https://doi.org/10.48550/arXiv.1806.07702

2018-06-20

Software Engineering

Abstract:Modeling and analysis of timing constraints is crucial in automotive systems. EAST-ADL is a domain specific architectural language dedicated to safety-critical automotive embedded system design. In most cases, a bounded number of violations of timing constraints in systems would not lead to system failures when the results of the violations are negligible, called Weakly-Hard (WH). We have previously specified EAST-ADL timing constraints in Clock Constraint Specification Language (CCSL) and transformed timed behaviors in CCSL into formal models amenable to model checking. Previous work is extended in this paper by including support for probabilistic analysis of timing constraints in the context of WH: Probabilistic extension of CCSL, called PrCCSL, is defined and the EAST-ADL timing constraints with stochastic properties are specified in PrCCSL. The semantics of the extended constraints in PrCCSL is translated into Proof Objective Models that can be verified using SIMULINK DESIGN VERIFIER. Furthermore, a set of mapping rules is proposed to facilitate guarantee of translation. Our approach is demonstrated on an autonomous traffic sign recognition vehicle case study.

Zhang Yuanrui,Mallet Frédéric,Liu Zhiming

DOI: https://doi.org/10.1007/s11704-022-1374-4

IF: 2.6688

2022-01-01

Frontiers of Computer Science

Abstract:Synchronous model is a type of formal models for modelling and specifying reactive systems. It has a great advantage over other real-time models that its modelling paradigm supports a deterministic concurrent behaviour of systems. Various approaches have been utilized for verification of synchronous models based on different techniques, such as model checking, SAT/SMT sovling, term rewriting, type inference and so on. In this paper, we propose a verification approach for synchronous models based on compositional reasoning and term rewriting. Specifically, we initially propose a variation of dynamic logic, called synchronous dynamic logic (SDL). SDL extends the regular program model of first-order dynamic logic (FODL) with necessary primitives to capture the notion of synchrony and synchronous communication between parallel programs, and enriches FODL formulas with temporal dynamic logical formulas to specify safety properties -- a type of properties mainly concerned in reactive systems. To rightly capture the synchronous communications, we define a constructive semantics for the program model of SDL. We build a sound and relatively complete proof system for SDL. Compared to previous verification approaches, SDL provides a divide and conquer way to analyze and verify synchronous models based on compositional reasoning of the syntactic structure of the programs of SDL. To illustrate the usefulness of SDL, we apply SDL to specify and verify a small example in the synchronous model SyncChart, which shows the potential of SDL to be used in practice.

Min Zhang,Frédéric Mallet,Huibiao Zhu

DOI: https://doi.org/10.1007/978-3-319-47846-3_27

2016-01-01

Abstract:MARTE (abbreviated for Modeling and Analysis of Real-Time and Embedded systems) is a UML profile which provides a general modeling framework to design and analyze real-time embedded systems. CCSL (abbreviated for Clock Constraint Specification Language) is a formal language companion to MARTE, used to specify the constraints between the occurrences of events in real-time embedded systems. Many approaches have been proposed to the formal analysis of CCSL such as simulation and model checking. We propose in this paper an SMT-based approach to the formal analysis of CCSL. It is well-known that the SMT-based approach can effectively overcome the state-explosion problem for model checking, and can also be used for theorem proving. The latter feature allows us to prove the invalidity of ccsl constraints, which most of the existing approaches lack. We implement the proposed approach in a prototype tool clyzer on top of \(\mathbb {K}\) framework and use Z3 as the underlying SMT solver.