2 On TLA TLA is a simple linear-time temporal logic with a relatively complete set of proof rules for reasoning about the safety (i.e. \what the syste

Transcription

1 Reasoning about mobile processes in an ambient using the temporal logic of actions TATJANA KAPUS Faculty of Electrical Engineering and Computer Science University of Maribor Smetanova ul. 17, SI-2000 Maribor SLOVENIA Abstract: - Important characteristics of mobile systems are dynamical linking and eects of environments to the communication capabilities of system components. Some components can, for example, not communicate if there is a physical obstacle between their locations. Formal methods that support the description of the environment and locality of mobile system components in it are necessary in order to be able to rigorously verify if the components can communicate as desired. We propose an approach to the formal specication of mobile systems together with their environments and to the verication of their communication capabilities using the temporal logic of actions. Key-Words: - Mobile system, synchronous communication, dynamical linking, locality, connectivity, formal specication, verication, temporal logic of actions. 1 Introduction Mobile systems like mobile telephone systems and intelligent transport systems (for example, [7, 3]) consist of a number of components (we shall call them processes), such as telephones or cars, that move from one location to another and that from time to time receive information telling them which channel (for example, pseudo noise code sequences for spread spectrum communication or frequency) to use for communication. This is called dynamical linking. Although two processes in dierent locations are ready to send and receive a message on the same channel, respectively, it may happen that the communication is not possible. Such a situation may typically arise due to some physical conditions, for example, if there is a high building between the locations or if an accident happens. In order to be able to formally verify if processes can communicate as desired in such an environment, formal specication and verication methods are needed that can handle the dynamical assignment of channels as well as the location of processes and conditions in the environment. Recently, -calculus ([6]), the popular process algebra for reasoning about processes with the dynamical linking, has been extended with the capability of specifying and reasoning about the environment and locality of processes [2]. In this paper, we show how the temporal logic of actions (TLA) ([4]), which is quite a popular logical formalism, can be employed for specifying and reasoning about the same kind of systems as handled by the extended -calculus. In the next section, we shortly present TLA. In Section 3, we describe our approach to writing TLA specications of concurrently executing processes with synchronous, rendez-vous communication and dynamical linking, which are characteristic of - calculus. Section 4 shows how the TLA approach can be adapted to specify locality of mobile processes to the extent the extended -calculus does. In Section 5, we propose how to verify if communication capabilities of mobile processes in an environment are satisfactory. At the end we evaluate the TLA approach, compare it with the -calculus one, and give some ideas for future work.

2 2 On TLA TLA is a simple linear-time temporal logic with a relatively complete set of proof rules for reasoning about the safety (i.e. \what the system may do") and liveness (i.e. \what the system must do") of concurrent systems. It is usual to write a system specication as a \canonical form" TLA formula 9 x : Init ^ 2[N ] v ^ L. It says the following. Init holds at the start of every system behaviour (i.e. an innite state sequence starting with an initial state). v consists of the variables the system may change. N is a disjunction of action formulas on v and is itself an action formula. For example, if v consists of variables x and y, (x = 0)^(x 0 = x +1)^unchanged y is an action formula that represents an atomic action. If it is executed at a state, the value of x in the next state will be equal to the value of x in the current state plus 1, and the value of y will remain unchanged. In TLA, one must explicitly state that an action does not change a variable, otherwise it may change arbitrarily. One also says that an action is enabled at a state. For example, the above action is enabled (i.e. it can execute) at any state where x = 0. 2[N ] v says that at every execution step (this is expressed by the temporal operator 2), either N executes (i.e. some of its disjuncts), which changes some of the variables from v, or nothing happens. 9 x says that variables x v serve for internal purposes. L species liveness requirements for some of the actions of N. We shall not consider them in this paper since liveness is also of no concern in -calculus and its extension. One often adds other conjuncts to the canonical form formula in order to express some behavioural assumptions. For F and G TLA formulas and x ; y tuples of variables, the implication (9 x : F ) ) (9 y : G) can be proved by exhibiting the validity of F ) G, where G is obtained by substituting y i for the free occurrences of y i in G for all i. Each y i is a function of variables that occur in F. The functions are collectively called a renement mapping. Complete formal denitions of TLA syntax and semantics together with TLA proof rules can be found in [4]. 3 TLA and dynamical linking Throughout the paper, we shall use example processes adapted from [2] in order to present our approach. Let P, Q, and R be sequential processes which behave as follows. Process P may either rst send b on channel a and then terminate or rst synchronise (i.e. receive an empty message) on channel c and terminate. Process Q may either rst send an empty message on channel c and then terminate or rst receive a value on channel a and store it in variable x, afterwards send an empty message on the channel with the name stored in x and then terminate. Process R may only receive an empty message on channel b and terminate. Let S denote parallel composition of processes P, Q, and R, in which processes communicate synchronously: a process may send a number (possibly zero) of messages on a channel (i.e. execute a sending action) i another process is ready to receive the same number of messages on the same channel and to store them (i.e. execute a complementary receiving action), and vice-versa. As in -calculus, at most two processes may communicate at a time. Formulas P, Q, R in Fig. 1 and S in Fig. 2 are TLA specications of equally named processes and their parallel composition. We succeeded to specify processes with completely the same behaviour as those specied by -calculus and in such a way that the specication S is simply the conjunction of single processes' specications accompanied by a behaviour assumption and a hiding requirement. In order to be able to easily describe the dynamical linking, processes P, Q, and R share the variable Eth (Fig. 1). On this common \ether", processes send messages of the form hch; v i (notice the abbreviation Snd(ch; v)) where ch is the name of the channel on which a vector of values or channel names to be used as new links by the receiving process is sent. The receiving of v on channel ch is represented by the action formula Rcv(ch; v). hi denotes an empty vector (i.e. an empty message in the above informal description). Rcvar(ch; v) means that the value or the channel name received on ch is stored to variable v. Each process i has a corresponding variable mu[i]. It is used to record the type of each TLA action, i.e. whether it is a sending (notice the abbreviation S(v)) or receiving one (see the abbreviation R(v)). The S and R actions on mu are used to require the rendez-vous communication in Com and that Eth be only changed by processes P, Q, and R, which is expressed by B (Fig. 2). Since TLA does not contain operators for sequential composition and choice, the ordering of action executions in each process is specied by an internal \program counter" pc.

3 Snd(ch; v) = Eth 0 = Eth hch; v i Rcv(ch; v) = Snd(ch; v) Rcvar(ch; v) = 9 u : (Eth 0 = Eth hch; hu ii) ^ (v 0 = u) S(v) = v 0 = v h\o"i R(v) = v 0 = v h\i"i v P = hmu[\p"]; Eth; pc i Init P = (mu[\p"] = hi)^(pc =\s") N P = _ (pc = \s") ^ Snd(\a"; h\b"i) ^ S(mu[\P"]) ^ (pc 0 = \d") _ (pc = \s") ^ Rcv(\c"; hi)^r(mu[\p"]) ^ (pc 0 = \d") P = 9 pc : Init P ^ 2[N P _ unchanged hmu[\p"]; pc i] v P v Q = hmu[\q"]; Eth; pc; x i Init Q = (mu[\q"] = hi)^(pc =\s") N Q = _ (pc = \s") ^ Rcvar(\a"; x) ^ R(mu[\Q"]) ^ (pc 0 = \sx") _ (pc = \sx") ^ Snd(x ; hi)^s(mu[\q"]) ^ (pc 0 = \d") ^ unchanged x _ (pc = \s") ^ Snd(\c"; hi)^s(mu[\q"]) ^ (pc 0 = \d") ^ unchanged x Q = 9 pc; x : Init Q ^ 2[N Q _ unchanged hmu[\q"]; pc; x i] v Q v R = hmu[\r"]; Eth; pc i Init R = (mu[\r"] = hi)^(pc =\s") N R = (pc =\s") ^ Rcv(\b"; hi)^r(mu[\r"]) ^ (pc 0 = \d") R = 9 pc : Init R ^ 2[N R _ unchanged hmu[\r"]; pc i] v R Fig. 1: TLA specications of processes P, Q, and R Notice that canonical form TLA process specications P, Q, and R contain a part of the form 2[N _ unchanged v] where N represents the actions from the informal process description and v contains variable mu and all internal variables of the process. The unchanged v represents an execution step in which the process does nothing and the communication may take place in the other processes. The fact that variable mu is hidden in S means that we are only interested in what communications take place in the system. The communications are recorded in variable Eth, which is the only free variable of S. 4 TLA and locality So far, we were not interested in where processes P, Q, and R were located. Now, suppose that they are located in an environment consisting of four locations: 1, 2, 3, and 4. Let us further suppose that physically, the communication is only possible between locations 1 and 4, 1 and 2, and 2 and 3. Additionally, suppose that the communication between locations 1 and 4 is possible only in one direction, from 1 to 4. In [2] it is proposed that the facts of this kind be expressed in a eld F = hloc; RLi where Loc is the set of locations and RL the set of pairs (l 1 ; l 2 ) of locations from Loc, such that (l 1 ; l 2 ) 2 RL i the communication from l 1 to l 2 is possible. For every process, one may dene in which location from Loc it resides. It can also be dened how processes may move between the locations. This is done with a set MV. It contains a triple of the form hp ; l 1 ; hl 21 ;:::;l 2n ii for every process P which may move from location l 1 to any of locations l 21 ;:::;l 2n. Apair A = hf;mv i completely denes the environment of a mobile system and is called an ambient in [2]. Let us suppose that our process P is initially located in location 1, process Q in 2, and R in 4. Let only process R be allowed to move to location 3, but only when it is located in location 4. Let system L consist of concurrently executed processes P, Q,

4 Proc = f\p"; \Q"; \R"g Com = 9 i ; j 2 Proc : ^ (i 6= j ) ^ S(mu[i]) ^ R(mu[j ]) ^ 8 k 2 Proc n fi ; j g : unchanged mu[k] B = (Eth = hi)^2[com] heth ;mu i S = 9 mu : P ^ Q ^ R ^ B Loc = f1; 2; 3; 4g RL = fh1; 4i; h1; 2i; h2; 1i; h2; 3i; h3; 2ig MV = fh\r"; 4; f3gig Fig. 2: TLA specication of system S with dynamical linking B init = (loc[\p"] = 1) ^ (loc[\q"] = 2) ^ (loc[\r"] = 4) Com l = ^ 9 i ; j 2 Proc : ^ (i 6= j ) ^ ((loc[i]; loc[j ]) 2 RL) ^ S(mu[i]) ^ R(mu[j ]) ^ 8 k 2 Proc n fi ; j g : unchanged mu[k] Move ^ unchanged loc = ^ 9 p; l ; s : ^ (hp; l ; s i 2 MV ) ^ (loc[p] = l) ^ (loc 0 [p] 2 s) ^ 8 k 2 Proc n fpg : unchanged loc[k] ^ unchanged heth; mu i B l = (Eth = hi)^2[com l _ Move] heth ;mu ;loc i L = 9 mu : P ^ Q ^ R ^ B init ^ B l Fig. 3: TLA specication of system L with dynamical linking in an ambient and R located in the described ambient. Formula L in Fig. 3 is its TLA specication. P, Q, R, and Proc, referred to in Fig. 3, are as dened in Fig. 1 and Fig. 2, respectively. In order to obtain a TLA specication of L, we had to dene a set of locations Loc, connections between the locations RL, and possible moves with MV similarly as with -calculus, to introduce a new variable loc for storing current locations of processes, and to write the following TLA formulas. B init determines initial locations of the processes. B l is similar to B in Fig. 2, except that it further restricts communication and species how processes may move. Like the reduction rule for the movement of processes in [2], it says with help of Move that whenever a process mentioned in MV is in a location that MV allows to leave, the process may move to one of the allowed locations. It also species that only one process at a time may move, which is as in [2]. As in the latter, it is not possible that a communication takes place and that a process moves simultaneously. Notice that it would also be possible not to dene MV and write a separate action formula for each possible move instead of writing the general formula Move using the quantication over the elements of MV. However, if there are many possible moves for dierent processes, it is certainly easier to specify this with the set MV and always write the same general formula Move. Similarly as in the reduction rule dening the semantics of communication in [2], the constraint on the communication depending on the locality of processes could be expressed with a small change of the Com formula in Fig. 2. Just the condition (loc[i]; loc[j ]) 2 RL had to be added, thus obtaining the new action formula Com l. As expected, the TLA specication L of the mobile system in an ambient diers from the TLA specication S only in the behaviour assumptions. L contains free variables Eth and loc, so we can also

5 express properties relating to process locations. 5 Verication of communication capabilities If F is a TLA specication of system F, and G is a TLA formula, then system F satises G i implication F ) G is valid. Suppose that G is also a system specication. Then one may also be interested in proving equivalence F G, i.e. that the system F behaves exactly like G. With the method of renement mappings, one can prove for S from Fig. 2 that S O where O = 9 pc : Init S ^ 2[N S ] heth ;pc i Init S = (pc = \s") ^ (Eth = hi) N S = Nc _ Na _ Nb Nc = ^ (pc = \s") ^ Snd(Eth; h\c"; hii) ^ (pc 0 =\d") Na = ^ (pc = \s") ^ Snd(Eth; h\a"; h\b"ii) ^ (pc 0 = \sb") Nb = ^ (pc = \sb") ^ Snd(Eth; h\b"; hii) ^ (pc 0 =\d") It means that rst, either process P and Q synchronise on channel c and the system execution terminates, or P sends channel name b to Q on channel a and nally, Q and R synchronise on channel b. Notice that the system may also stop forever at any point as we deal only with safety as in [2]. In [2], the so-called connectivity of pairs of processes is used as the criterion for deciding if the possibility of communications in an ambient is satisfactory. Informally, two processes are connectable if a message from one process can be sent to and received by another one, possibly through several processes in dierent locations. As this is an existential property (i.e., it says that there exists a behaviour such that...), it cannot directly and uniformly be expressed in a linear-time temporal logic. We therefore propose a more general criterion. It is reasonable to require that after a system, such as S, is put into an ambient, its possible behaviours are the same as without the ambient. Generally, the only free variable of the specication of the system without an ambient will be Eth and the free variables of the one in an ambient will be Eth and loc. One should then prove that the rst specication and the second one with the loc variable hidden are equivalent. It is clear that the second one implies the rst one as an ambient may only disable some communications. So one only has to prove the validity of implication in the other direction. For our systems S (Fig. 2) and L (Fig. 3), S 9 loc : L although it can also be proved that L ) Prop l where Prop l = 2(loc(\R") = 4) ) 2(8 i 2 OneTo(Length(Eth)) : 8 v : (Eth[i] 6= h\b"; v i)), i.e. if process R in L always stays in location 4, the communication on channel b never takes place (OneTo(Length(Eth)) denotes the set of integers from 1 to the length of sequence Eth). The connectivity of all pairs of processes in L is namely still the same as in S because R has the possibility to move to location 3. However, if MV were empty in L, Q and R could never communicate, the connectivity of processes in S and L would be dierent and S and 9 loc : L would no longer be equivalent. Now, suppose that one builds a system with an ambient in which processes communicate just as required and that eventually nds out that the ambient is damaged, i.e., some of RL, MV, or even Loc are changed in such a way that some communications are no more possible. Let us suppose that a maintenance method is employed on the sets in order to reestablish connectivity. One way to check if the method is satisfactory would be to verify if the specications of the systems with the loc variable hidden are equivalent. In [2], a relation called located bisimulation is dened to compare two systems in ambients. It is similar to the usual bisimulation relation, except that it also checks if each communication takes place between the same locations in both systems. We think that it might be more useful to be able to check if each communication takes place between the same processes in both systems. One could, for example, make a mistake during the maintenance and enable direct communication of two processes which was not possible be-

6 fore. We could verify this by leaving the mu variables in the compared system specications free. 6 Conclusion The aim of this paper was to show that the idea to extend -calculus for the specication of and reasoning about mobile processes in an ambient can readily be employed to use the temporal logic of actions for the same purpose. We proposed how to specify the rendez-vous communication and dynamical linking. We showed how to write specications of systems with this kind of communication in such a way that system components can be specied separately like in process algebras and composed into the system specication practically by conjunction. Notice that composition of components with rendez-vous communication is not treated in [1]. We then devised a way for writing TLA specications of mobile systems together with their ambients. It was even easier to incorporate ambients into the specications than with - calculus since TLA is state-based and the information on process locations is an additional state information. As TLA is based on states and even without any control operators such as : or +, one might say that it is more dicult to specify actions and synchronously communicating processes with TLA than with a process algebra. It is, however, a matter of taste, whether reasoning about processes using algebraic or logical rules is easier. We used very simple examples for illustration, but it is easy to specify processes that also send or receive vectors of more than one message, and several processes may have a sending or a receiving action using the same channel. In fact, the formalism in [2] allows broadcast or multicast rendez-vous communication between located processes, but we avoided to talk about it for space reasons. In order to allow it in the TLA specications, the Com l action formula could be adapted with minor changes. It is also easy to write TLA specications of actions whose enabledness depends on recently received values. It would be useful to automate composition of processes in such a way that one would immediately get only those actions that are enabled in reachable states. One might be interested in the description of changes of an ambient over time and how they could be circumvented. It would be dicult to adapt - calculus for such purposes because, for example, RL would behave like a global variable, but process algebras do not know variables in this sense. On the contrary, it would be easy to describe changes of the ambient with TLA by making its constant sets variables and dening appropriate actions on them. We could try to introduce fault and correcting actions and verify if communication capabilities are as desired. This would be a kind of fault-tolerance investigation for mobile systems (c.f. [5]). We were interested in a TLA specication method with the sole purpose of specifying and reasoning about mobile systems in the so-called ambients, but it would also be worth investigating how TLA could be used for similar purposes as, for example, mobile UNITY [8]. References: [1] M. Abadi and L. Lamport, Conjoining specications, ACM Transactions on Programming Languages and Systems, Vol. 15, No. 1, January 1993, pp. 73{132. [2] T. Ando, K. Takahashi, Y. Kato, N. Shiratori, Maintenance of Mobile System Ambients Using a Process Calculus, Computer Networks, Vol. 32, 2000, pp. 229{256. [3] Japanese Ministry of Construction ITS homepage, html. [4] L. Lamport, The Temporal Logic of Actions, ACM Transactions on Programming Languages and Systems, Vol. 16, No. 3, May 1994, pp. 872{ 943. [5] Z. Liu and M. Joseph, Specication and verication of fault-tolerance, timing, and scheduling, ACM Transactions on Programming Languages and Systems, Vol. 21, No. 1, January 1999, pp. 46{89. [6] R. Milner, The poliadic -calculus: a tutorial, Technical Report ECS-LFCS , Lab. Foundations Comp. Sci., Dept. Comp. Sci., University of Edinburgh, United Kingdom, [7] J. E. Padgett, C. G. Gunter, T. Hattori, Overview of Wireless Personal Communications, IEEE Communication Magazine, Vol. 33, No. 1, January 1995, pp. 28{41. [8] G.-C. Roman, P. J. McCann, and J. Y. Plun, Mobile UNITY: Reasoning and specication in mobile computing, ACM Transactions on Software Engineering and Methodology, Vol. 6, No. 3, July 1997, pp. 250{282.