Luigi Sassoli

Timed state space analysis of real-time preemptive systems

A modeling notation is introduced which extends time Petri nets with an additional mechanism of resource assignment making the progress of timed transitions be dependent on the availability of a set of preemptable resources. The resulting notation, which we call preemptive time Petri nets, permits natural description of complex real-time systems running under preemptive scheduling, with periodic, sporadic, and one-shot processes, with nondeterministic execution times, with semaphore synchronizations and precedence relations deriving from internal task sequentialization and from interprocess communication, running on multiple processors. A state space analysis technique is presented which supports the validation of preemptive time Petri net models, combining tight schedulability analysis with exhaustive verification of the correctness of logical sequencing. The analysis technique partitions the state space in equivalence classes in which timing constraints are represented in the form of difference bounds matrixes. This permits it to maintain a polynomial complexity in the representation and derivation of state classes, but it does not tightly encompass the constraints deriving from preemptive behavior, thus producing an enlarged representation of the state space. False behaviors deriving from the approximation can be cleaned-up through an algorithm which provides a necessary and sufficient condition for the feasibility of a behavior along with a tight estimation of its timing profile.

Using Stochastic State Classes in Quantitative Evaluation of Dense-Time Reactive Systems

In the verification of reactive systems with nondeterministic densely valued temporal parameters, the state-space can be covered through equivalence classes, each composed of a discrete logical location and a dense variety of clock valuations encoded as a difference bounds matrix (DBM). The reachability relation among such classes enables qualitative verification of properties pertaining events ordering and stimulus/response deadlines, but it does not provide any measure of probability for feasible behaviors. We extend DBM equivalence classes with a density-function which provides a measure for the probability of individual states. To this end, we extend time Petri nets by associating a probability density-function to the static firing interval of each nondeterministic transition. We then explain how this stochastic information induces a probability distribution for the states contained within a DBM class and how this probability evolves in the enumeration of the reachability relation among classes. This enables the construction of a stochastic transition system which supports correctness verification based on the theory of TPNs, provides a measure of probability for each feasible run, enables steady-state analysis based on Markov renewal theory. In so doing, we provide a means to identify feasible behaviors and to associate them with a measure of probability in models with multiple concurrent generally distributed nondeterministic timers.

Correctness verification and performance analysis of real-time systems using stochastic preemptive time Petri nets

Time Petri nets describe the state of a timed system through a marking and a set of clocks. If clocks take values in a dense domain, state space analysis must rely on equivalence classes. These support verification of logical sequencing and quantitative timing of events, but they are hard to be enriched with a stochastic characterization of nondeterminism necessary for performance and dependability evaluation. Casting clocks into a discrete domain overcomes the limitation, but raises a number of problems deriving from the intertwined effects of concurrency and timing. We present a discrete-time variant of time Petri nets, called stochastic preemptive time Petri nets, which provides a unified solution for the above problems through the adoption of a maximal step semantics in which the logical location evolves through the concurrent firing of transition sets. We propose an analysis technique, which integrates the enumeration of a succession relation among sets of timed states with the calculus of their probability distribution. This enables a joint approach to the evaluation of performance and dependability indexes as well as to the verification of sequencing and timeliness correctness. Expressive and analysis capabilities of the model are demonstrated with reference to a real-time digital control system.

Modeling flexible real time systems with preemptive time Petri nets

Preemptive Time Petri nets are obtained by extending Time Petri nets with an additional mechanism of resource assignment which makes the progress of timed transitions be dependent on the availability of a set of preemptable resources, and with the capability to make transition times and priorities be dependent on the marking. The combination of these capabilities supports description and verification of flexible real time systems running under preemptive scheduling, with periodic, sporadic and one shot processes, with non-deterministic execution times, with semaphore synchronizations and precedence relations deriving from internal task sequentialization and from interprocess communication. The expressive capabilities of the model and the type of results that can be derived through symbolic enumeration of its dense-timed state space are illustrated with reference to a flexible system mixing dynamic acceptance and performance polymorphism.

Close form derivation of state-density functions over DBM domains in the analysis of non-Markovian models

Quantitative evaluation of models allowing multiple concurrent non-exponential timers requires enumeration and analysis of non-Markovian processes. In general, these processes may be not isomorphic to those obtained from the corresponding untimed models, due to implicit precedences induced by timing constraints on concurrent events. The analysis of stochastic Time Petri Nets (sTPNs) copes with the problem by covering the state space with stochastic classes, which extend Difference Bounds Matrix (DBM) theory with a state density function providing a measure of probability for the variety of states collected within a class. In this paper, we extend the theory of stochastic classes providing a close form calculus for the derivation of the state density function under the assumption that all transitions have an expolynomial distribution. The characterization provides insight on how the form of the state density function evolves when transitions fire and the stochastic class accumulates memory and provide the basis for an efficient implementation which drastically reduces analysis complexity.

Introducing probability within state class analysis of dense-time-dependent systems

Several techniques have been proposed for symbolic enumeration and analysis of the state space of reactive systems with nondeterministic temporal parameters taking values within a dense domain. In a large part of these techniques, the state space is covered by collecting states within equivalence classes each comprised of a discrete logical location and a dense variety of clock valuations encoded as a difference bounds matrix (DBM). The reachability relation among such classes enables qualitative verification of properties pertaining the ordering of events along critical runs and the satisfaction of stimulus/response deadlines. However, up to now, no results have been proposed which extend state class enumeration so as to combine the verification of the possibility of critical behaviors with a quantitative evaluation of their probability. In this paper, we extend the concept of equivalence classes based on DBM encoding with a density function which provides a measure for the probability associated with individual states collected in the class itself. To this end, we extend the formalism of time Petri nets by associating the static firing interval of each transition with a probability density function. We then expound how this probabilistic information determines a probability for the states collected within a class and how this probability evolves in the enumeration of the reachability relation among state classes. This opens the way to characterizing the possibility of critical behaviors with a quantitative measure of probability.

ORIS: a tool for state-space analysis of real-time preemptive systems

Formal methods based on state-space enumeration, such as timed automata and time Petri nets (TPN), have been proposed for designing and validating reactive real-time systems. The great expressiveness of these methods is counterbalanced by the increased complexity of the analysis, which may grow exponentially. Furthermore, the enumerated state-space needs to be inspected to identify critical behaviors with respect to sequencing and timing requirements. This naturally leads to the implementation of tools supporting the different stages of the development process. In this paper we present Oris, an environment for building, simulating, analyzing and validating complex real time systems specified in terms of an extended TPN formalism, named preemptive time Petri nets. Oris includes not only the state-space enumeration engine, but also a number of modules which ease user interaction, and make it usable also by a designer with no specific experience in formal modelling.

Analysis of Real Time Systems through the ORIS Tool

This paper gives an overview of the Oris tool. Oris comprises a rich set of modules for building, simulating, analyzing and validating real-time systems described through various TPN formalisms. After an introduction of the Oris framework, we describe a number of Oris plug-ins that have been implemented to support some recently-developed analysis techniques

Casting Preemptive Time Petri Nets in the Development Life Cycle of Real-Time Software

We describe a methodology for the construction of real-time tasking sets, which smoothly integrates a formal approach in both development and verification processes of the software life cycle. In the design stage, a timeline schema is used to specify concurrent processes with their dependencies and their expected temporal parameters. The schema is automatically translated into an equivalent preemptive time Petri net, which supports verification of the process architecture with respect to timeliness and sequencing requirements through state space analysis. The specification model drives the implementation stage enabling a disciplined coding of the process architecture on top of conventional primitives of a real-time operating system. At the same time, the preemptive Time Petri Net specification and the results of its state space analysis support functional testing enabling the construction of a time-sensitive Oracle and providing a metrics for coverage analysis. Computational experience in the Linux RTAI environment is reported to demonstrate the capability of the method to be effectively integrated in a practical approach.

Sensitization of symbolic runs in real-time testing using the ORIS tool

We address the problem of test case selection and path sensitization in the process of testing real-time preemptive systems, following a formal methodology based on the theory of preemptive Time Petri Nets (pTPN) implemented in the Oris tool. We discuss practical factors that limit feasible behaviors in the implementation of a nondeterministic specification and we motivate the assumption of test cases defined as paths selected in the symbolic state space of a pTPN specification. Feasibility and effectiveness of the proposed sensitization technique are demonstrated through experimentation on a real-time operating system.