A formal model of composing components: the TLA+ approach

Innovations Syst Softw Eng (2009) 5:139–148DOI 10.1007/s11334-009-0089-0

ORIGINAL PAPER

A formal model of composing components: the TLA+ approach

Ondrej Rysavy · Jaroslav Rab

Received: 8 April 2009 / Accepted: 30 April 2009 / Published online: 18 May 2009© Springer-Verlag London Limited 2009

Abstract In this paper, a method for writing composableTLA+ specifications that conform to the formal model calledMasaccio is introduced. Specifications are organized inTLA+ modules that correspond to Masaccio componentsby means of a trace-based semantics. Hierarchical TLA+specifications are built from atomic component specifica-tions by parallel and serial composition that can be arbitrarynested. While the rule of parallel composition is a variationof the classical joint-action composition, the authors do notknow about a reuse method for the TLA+ that systematicallyemploys the presented kind of a serial composition. By com-bining these two composition rules and assuming only thenoninterleaving synchronous mode of an execution, the con-current, sequential, and timed compositionality is achieved.

Keywords Composing specifications · Component model ·Hierarchical specifications · Synchronous modeof executions · Temporal logic of actions

1 Introduction

Software running in embedded systems necessary acquiressome properties of the physical world. Usually, these prop-erties form a part of nonfunctional aspects in the softwarerequirements [4]. Among them, the timeliness is the mostimportant one for the class of real-time embedded software.To model embedded software, nonfunctional aspects must beconsidered by a specification method otherwise the model

O. Rysavy (B) · J. RabFIT UIFS, Brno University of Technology,Bozetechova 2, 61266 Brno, Czech Republice-mail: [email protected]

J. Rabe-mail: [email protected]

easily diverges from the reality and becomes inapplicablein further refinement and analysis. Constructing large com-puter-based systems relies on the effective and systematicapplication of a modular approach. Various entities playingthe role of composable building blocks have been proposed,most notably, classes for object-oriented program construc-tion, components in hardware design, procedures and mod-ules in procedural programming, and active objects and actorsfor reactive programming [18].

This paper deals with a method based on a formalismcalled Temporal Logic of Actions (TLA) [16] that is capableto describe embedded control software in a modular man-ner and apply an automatized model-checker tool to verifyrequired functional and certain nonfunctional properties ofa specification. The main contribution of this paper lies inthe demonstration of how to systematically develop TLA+specifications whose interpretation is that of a formal modelcalled Masaccio [7]. This formal model allows for the def-inition of a component hierarchy that is built from atomiccomponents using operations of parallel composition, serialcomposition, renaming of variables, renaming of locations,hiding of variables, and hiding of locations. As the resultingTLA+ specifications have the form of a conjunction of initialpredicate and next-state actions, they are readily explorableby the TLA+ explicit model-checker.

1.1 Related work

The presented approach stems from the research on a com-positional semantics that have been studied, for instance,for hybrid automata [19], algebraic specifications [5], Hoarelogic [11], synchronous languages [20], process algebra [14],and in the frame of architecture description languages, e.g.CODE, Modechart, Wright, MetaH, and AADL. In particu-lar, we refer to Masaccio component model [7] that allows

123

140 O. Rysavy, J. Rab

for arbitrary nested serial and parallel composition and appli-cation of assume-guarantee principle [9] for the purposes ofhierarchical system design, development and analysis. Thesystematic approach to composing TLA+ specifications canbe found in [2,3], which assumes the decomposition of a solidsystem specification into a conjunctively combined parts.Hermann et al. defined an extension of TLA+ with explicitnotion of process [10]. The presented work is based on theprinciples initially elaborated in [21].

2 The component model

This section gives a brief overview of a formal model forembedded components as defined by Henzinger [7]. In thispaper, only discrete components are considered, although theproposed approach employs a specification language that canbe used for description of hybrid systems as well [15].

A fundamental entity of the model is a component. Acomponent A consists of the definition of an interface and aninternal behavior. An interface defines disjoint sets of inputvariables, V in

A , output variables, V outA , and a set of public

locations, Lint fA . An execution of the component consists

of a finite sequence of jumps. A jump is a pair (p, q) ∈[V in,out

A ] × [V in,outA ].1 An observation p is called the source

of jump (p, q) and an observation q is called the sink of jump(p, q). We write p[v] for the value of a variable v ∈ V in,out

Ain an observation p. A jump v is successive to a jump u ifthe source of jump v is equal to the sink of jump u. Formally,an execution of A is a pair (a, w) or a triple (a, w, b), wherea, b ∈ Lint f

A are interface locations and w = w0 . . . wn isa nonempty, finite sequence of jumps of A such that everyjump wi , for 1 ≤ i ≤ n is successive to the immediatelypreceding step wi−1. We write E A for the set of executionsof the component A.

An atomic component is the basic form of componentsfound in Masaccio. The behavior of an atomic component issolely specified by its jump action. A jump action J is givenby a predicate ϕ

jumpJ defined on variables in X J ∪ Y ′

J ∪ Z ′J ,

where

– X J is a finite set of source variables,– YJ is a finite set of uncontrolled sink variables, and– Z J is a finite set (disjoint to YJ ) of controlled sink

variables.

For instance, the jump action predicate

ϕjumpJ

�= x ≤ −100 ∧ x ′ = x + dx ∧ dx ′= max(dx + ((50/(dx − 50) ∗ period),−50)

1 [V in,outA ] stands for a set of all possible assignments of values into

input and output variables of a component.

contains source variables x and dx , which are also controlledsink variables at the same time. The variable period is alsoa source variable, but it is not a sink variable. The interfaceof an atomic component publish input variables read by thecomponent and output variables controlled by the compo-nent, which is defined as follows:

– input variables V inA(J ) = (X J \Z J ) ∪ YJ , and

– output variables V outA(J ) = Z J .

The component A(J ) has two interface locations, f romand to; that is, Lint f

A(J ) = { f rom, to}. The entry condition off rom is the projection of the jump predicate to the sourcevariables and the primed uncontrolled sink variables, that isϕen

A(J )( f rom) = (∃Z ′J ϕ

jumpJ ). The entry condition of to is

unsatisfiable.Two components A and B can be combined to form a par-

allel composition C = A ⊗ B if the output variables of Aand B are disjoint and for each interface location a commonto both A and B, the entry conditions of a are equivalent inA and in B. The input variables of the component C form aset V in

C = (V inA \V out

B ) ∪ (V inB \V out

A ). The output variablesof the component C form a set V out

C = V outA ∪ V out

B . Theinterface locations of A ⊗ B are the interface locations of Atogether with the interface locations of B. An interface loca-tion a, which is common to A and B and its entry conditionsagree in both components, has this entry condition also inA ⊗ B. Other interface locations cannot be used to entry thecomponent.

The set of executions of a component C = A ⊗ B isdefined as (1) the pair (a, w) is an execution of A ⊗ B iff(a, w|A) is an execution of A and (a, w|B) is an execution ofB,2 (2) the triple (a, w, b) is an execution of A ⊗ B iff either(a, w|A, b) is an execution of A and (a, w|B) is an executionof B, or (a, w|B, b) is an execution of B and (a, w|A) is anexecution of A.

The definition of parallel composition specifies that eachjump of both subcomponents is performed in synchronousmanner. Moreover, if one component reaches an exit inter-face location then the execution of the other component isterminated. If both components reach their exit locations oneis chosen nondeterministically. As the consequence of theseproperties, parallel composition operation is associative andcommutative.

Two components A and B can be composed in series toform a serial composition C = A ⊕ B if the set of outputvariables are identical; that is, V out

A = V outB . The input vari-

ables of the composed component is V in = V inA ∪ V in

B . Theinterface locations of A ⊕ B are the interface locations of Atogether with the interface locations of B. If a is an interface

2 Expression w|C denotes a restriction of the trace w to values for theI/O variables of the component C .

123

A formal model of composing components: the TLA+ approach 141

location of both A and B, then the entry condition of a inA ⊕ B is the disjunction of the entry conditions of a in thesubcomponents A and B.

The set of executions of the component C = A ⊕ B con-tains 1) the pair (a, w) iff either (a, w|A) is an execution ofA, or (a, w|B) is an execution of B, 2) the triple (a, w, b) iffeither (a, w|A, b) is an execution of A, or (a, w|A, b) is anexecution of B.

The operator of serial composition is associative, com-mutative, and idempotent. To support these two composi-tional operations, renaming and hiding operations are definedfor variables and locations. The renaming operation mapsvariables and locations of different names to each other thatallows for sharing data and control between components.Hiding makes variables or locations internal to the compo-nent, which is useful when a complex behavior is modeledinside the component.

3 TLA+

The TLA is a variant of the linear–time temporal logic. It wasdeveloped by Lamport [16] primarily for specifying distrib-uted algorithms but several works shown that the scope ofpossible applications is much broader. The system of TLA+extends TLA with data structures allowing for easier descrip-tion of complex specification patterns. TLA+ specificationsare organized into modules. Modules can contain declara-tions, definitions, and assertions by means of logicalformulas. Declarations consist of constants and variables.Constants can be uninterpreted until an automated verifica-tion procedure is used to verify the properties of the specifi-cation. A collection of values assigned to variables describecompletely a state of the system being analyzed. Transitionformulas asserts the values of the variables in every twosuccessive states. A specification of the system is given bymeans of a temporal formula defined as a conjunction of theform I ni t ∧ �[Next]v ∧ L , where I ni t is the initial condi-tion, Next is the next-state relation (composed from transi-tion formulas), and L is a conjunction of fairness properties.Transition formulas, also called actions, are ordinary formu-las of an untyped first-order logic defined on a denumera-ble set of variables, partitioned into sets of rigid variables,flexible and primed flexible variables. Transition formulascan reference these variables to express a relation betweentwo consecutive states. The generation of a transition sys-tem for the purpose of model checking verification or sim-ulation is governed by the enabled transition formulas. Theformula �[Next]v admits transitions that leave a set of vari-ables v unchanged. This is known as stuttering, which is akey concept that enables the refinement and compositionalspecifications. The initial condition and the next-state rela-tion specify the possible behavior of the system. Fairness

conditions strengthen the specification by asserting that givenactions must occur. The TLA+ does not formally distinguishbetween a system specification and a property specification.Both specifications are expressed as formulas of the tem-poral logic and are connected by the implication S ⇒ F ,where S is a specification and F is a property. Confirmingthe validity of this implication stands for showing that thespecification S has the property F. The TLA+ is accompa-nied with a set of tools. The TLA+ model checker, calledTLC, is a state-of-the-art model analyzer that attempts toexplore all reachable states in finite TLA+ models. The inputto TLC consists of a specification file and a configuration file,which gives an interpretation to constants, which is neces-sary for model computation procedure. An execution of theTLC produces a result that gives an answer to the questionof whether S ⇒ F . In the case of negative answer, theexecution violating the implementation is presented to theuser. A technique known as symmetry reduction is imple-mented helping to scale the verification method for largerspecifications.

4 Specification of components

Using a simple example, this section explains the construc-tion of TLA+ specifications that corresponds to Masaccioembedded components.

The example represents a specification of a componentEngine taken from [7]. This component is a part of a morecomplex specification that models the control of a railwaycrossing. In particular, the Engine component controls accel-eration and deceleration of a train that is moving in a neardistance to the railway crossing. Although this example israther trivial, it is sufficient to demonstrate basic principlesof the specification method as it contains both parallel andserial compositions.

The component Engine and its subcomponents are mod-eled in Fig. 1. The components are represented by rectangleswith rounded corners. Input and output variables are repre-sented by open arrows connected to component boundaries.The position of an arrow determines the direction of a vari-able. The locations are drawn as solid disks and are positionedat the boundaries of components. Jump actions are repre-sented by solid arrows labeled with condition predicates andaction predicates.

The component Engine consists of a serial composi-tion of two subcomponents, namely, Drive and Halt . Anentry location is directly connected with one of the loca-tions of Drive component. There is one exit location that isaccessible from both subcomponents. Other interface loca-tions, namely slowdown and speedup, serve for passingthe control between Drive and Halt components. Further,the component interacts with the environment by reading an

123


Fig. 1 The component engine

Engine

entry

exit

Halt

brake:BOOLEAN

x:Int dx:Int

exit

speedup

entry

DriveTestBrake

J1: ¬brake

J2: brake

Accelerate

J1: x > -100/diff

slowdown

exitJ2: x < = - 100/

diff ==x' = x + dxdx' = max(dx+ ((50 / (dx -50)) * period),-50)speedup

diff

input variable brake and controlling output variables x anddx . These variables are also available to both subcompo-nents.

The component Drive governs train acceleration. Thecomponent is a parallel composition of two atomic compo-nents, namely T est Brake and Accelerate. The inputvariable brake determines whether the train accelerates ordecelerates. Its value is observed by T est Brake componentthat removes the control from Drive component if the var-iable brake signalizes the application of emergency brake.In component Accelerate, the actual speed and the distanceof the train to the rail crossing is computed.

The component Halt has similar structure to the compo-nent Drive. It’s purpose is to slow the train down until brakeis released. After that the control passes back to Drive com-ponent through the location speedup.

To show that TLA+ specifications conform to intendedMasaccio interpretation, the interpretation of TLA+ expres-sions is provided. The following simplified system is used(for complete semantics see, e.g. [12]). The meaning of amodule depends on a context. A basic context consist of dec-larations and definitions of all built-in operators of TLA+together with definitions and declarations of modulesextended or instantiated. The meaning of a module M ina context C is given by the following sets:

– DclCM is a set of declarations.– Def C

M is a set of definitions.– AsmC

M is a set of assumptions.– T hmC

M is a set of theorems.

The TLA+ module can examined by means of simula-tion and formal verification if it contains a definition in thestandard form:

I ni t ∧ �[Next]vars ∧ T emporal

where I ni t is the initial predicate, Next is the next-stateaction, vars is the tuple of all variables, and T emporal isa temporal formula that usually specifies a liveness condi-tion. A set of behaviors can computed such that it satisfiesthe specification given by this definition. Using a model-checking technique the computational method tries to find areachable graph describing all states and behaviors satisfyingthe specification; that is a smallest graph Gspec

MC = consistingof

– N specMC , which is a set of all reachable states of module

M in a context C with specification given by a standardform definition spec ∈ DefM. At least, the set containsall states s in which I ni t is satisfied.

– EspecMC , which is a set of edges such that (r, s) ∈ Espec

MC iffthe unprimed fraction of Next is satisfied in state r andthe primed fraction of Next is satisfied in state s.

– DspecMC (s, x), which is a value assigning function that for

each variable x ∈ DclM gives its actual value in thegiven state s.

We write s |GspecMC

F for asserting that a formula F is sat-

isfied in a state s of the reachability graph GspecMC . Similarly,

(s, r) |GspecMC

A asserts that action formula A is satisfied in a

123


Fig. 2 The TLA+ specificationof accelerate

pair of states (s, r) ∈ EspecMC . If s |Gspec

MCF for all s ∈ N spec

MCwe simply write |Gspec

MCF .

Masaccio interpretation is defined in terms of executiontraces. Obviously, an execution trace corresponds veryclosely to TLA+ behavior, which can be generated by tra-versing a graph M. This similarity will be very useful infurther development, where rules of conformance of TLA+specifications and Masaccio models are built upon the exe-cution semantics.

4.1 Specifying atomic components

According to Masaccio semantics, an atomic discrete com-ponent A(J ) is completely specified by a jump predicate thatdefines a set of legal jumps J . Further, an atomic componenthas an arbitrary number of input and output variables. Ineach atomic component, there are only two interface loca-tions, denoted as f rom and to.

The representation of atomic component is straightfor-ward in TLA+ language. In Fig. 2, TLA+ description ofAccelerate component is shown. A set of jumps is a con-junction of two next-state actions. Action J1 is executed iftrain is moving in a near distance. Action J2 is enabled if thetrain leaves the perimeter of the rail crossing. The differen-tial computation is done in function di f f . Train accelerationis expressed as ((50/(dx − 50)) ∗ period), where perioddefines an amount of time that equals time difference dt . Thisconstant comes, together with a bundle of other declarationand definition from module Components (see appendix forthe full specification of this module) which is open in themodule Accelerate using extends statement.

An atomic component A(J ) is equally represented by aTLA+ module MA(J ) = 〈DclA(J ), Def A(J )〉 with a reach-ability graph GA(J ) = 〈NA(J ), E A(J ), DA(J )〉 induced by the

specification I ni t ∧�[Next]vars if the following conditionsare satisfied:

– Module M declares a variable for each I/O variable of theatomic component; that is, for every vT ∈ V in,out

A(J ) there

is v ∈ DeclA(J ) such that |GA(J )v ∈ T . Notation vT

states that set T is a domain of variable v.3

– The meaning of next-state action Next agrees with thepredicate ϕ

jumpJ (a); that is, for every jump w = (p, q):

– if (a, w) is an execution of A(J ) then there is a pair ofstates ( p̂, q̂) such that ( p̂, q̂) |GA(J )

N and locationa is active in both states p̂ and q̂ .

– if (a, w, b) is an execution of A(J ) then there is a pairof states ( p̂, q̂) such that ( p̂, q̂) |GA(J )

N . Locationa is active only in state p̂ and location b is active onlyin state q̂ .

Moreover, it has to hold for both cases that values ofevery variable of v ∈ VA(J ) in both interpretations areequal; that is, D( p̂, v) = p[v].

– The meaning of initial predicate I ni t agrees with thepredicate ϕen

A(J )( f rom); that is, for every trace of atomiccomponent A(J ) with prefix ( f rom, (p, q)) there existsa state p̂ that corresponds to state p and p̂ |GA(J )

I ni t .

As it can be seen from the specification of Acceleratemodule in Fig. 2, the jump actions of atomic specificationcontains reference to Jump Atom function that depends onthe variable clock. This variable serves to synchronizationpurposes. It enforces that parallel actions are executed at thesame time. Therefore all jumps include the condition stating

3 In Masaccio, the notation v : T is used but we stick to vT to avoidconfusion if overloading operator ’:’.

123


Fig. 3 The TLA+ specificationof drive

clock′ = ¬clock. Except proper actions, there are also spe-cific actions supporting serial compositions as described laterin this section. These specific actions violate this conditionrequiring that the time is stopped; that is, clock′ = clock.

4.2 Specifying parallel composition of components

The component Drive, which is a part of component Engineshown in Fig. 1, is a result of parallel composition of two sub-components. The corresponding TLA+ specification is givenin Fig. 3. The semantics of parallel composition correspondsto joint-action specification as described by Lamport [16,p. 147]. Its encoding in TLA is straightforward.

The Drive module contains input and output variablesbrake, x , dx . The module instantiates its submodules-T est Brake and Accelerate. The constant current of eachsubmodule is set to corresponding component identification,which allows for referencing the subcomponents in the speci-fication. Line 9 defines a collection of initial states of the sub-components. The initial predicate I ni t is a conjunction of theinitial predicates of all its subcomponents and I ni t Parallelpredicate that is defined in Components module. This statepredicate gives an initial value to the element of activi t yarray that corresponds to the composed component. In thiscase, it is activi t y[current], where the value of currentconstant is allowed to be given in a component that includesDrive as its subcomponent. In fact, such a component is thecomponent Engine as shown later. For parallel composition,the value of activi t y[current] amounts to the value givenby logical conjunction of activity values of all its immediatesubcomponents. The state predicate I ni t Parallel is definedas follows:

I ni t Parallel(S)�=

∧ activi t y ∈ [Com ponents → boolean]∧ activi t y[current] = ∀ s ∈ S : activi t y[s]The next-state action predicate Next is a conjunction

of next-state predicates of subcomponents, which givesthe intended execution interpretation of the component;that is, the jumps of subcomponents are executed inparallel and in synchronous manner. This style of specifi-cation is usually known as joint-action noninterleaving com-position [1]. The next-state action predicate of the parallelycomposed component is supplied with JumpParallel pred-icate as the new value of activi t y[current] element has tobe computed after every execution of the action. The pred-icate JumpParallel is defined in Components module asfollows:

JumpParallel(S)�=

∧ activi t y[current] = true∧ activi t y′ ∈ [Com ponents → boolean]∧ activi t y′[current] = ∀ s ∈ S : activi t y′[s]∧ clock′ = ¬clock

A component C = A ⊗ B composed in parallel fromsubcomponents A and B is equally represented by a TLA+module MC = 〈DclC , DefC 〉 with a reachability graphGC = 〈NC , EC , DC 〉 induced by the specification I ni t ∧�[Next]vars if the following conditions are met:

– A set of module variables includes all I/O variables thatappears in both of its subcomponents; that is, for eachvT ∈ V in,out

A ∪ V in,outB there is v ∈ DclC such that |GC

v ∈ T .

123


– The meaning of next-state action Next agrees with thepredicate ϕ

jumpA ∧ ϕ

jumpB ; that is, for execution w =

w0 . . . wn

– if (a, w) is an execution of component A ⊗ B thenthere is a sequence of states p̂0 . . . p̂n such that( p̂i , p̂i+1) |GC Next for 0 ≤ i < n. Location ais active at least at states p̂0 and p̂n .

– if (a, w, b) is an execution of component A ⊗ B thenthere is a sequence of states p̂0 . . . p̂n such that( p̂i , p̂i+1) |GC Next for 0 ≤ i < n. Location ais active at state p̂0 and location b is active at state p̂n .

Moreover, it has to hold for both cases that values of everyvariable of v ∈ VA(J ) in both interpretations equal; thatis, D( p̂, v) = p[v].

We decided to reflect the component hierarchy in struc-ture of TLA+ modules although for meeting the same inter-pretation the other options are possible too. However, thisapproach enables us to structure TLA+ specification in thesame manner as Masaccio models. A state space of a com-posed component is generated according the initial predicatesand next-state actions of its subcomponents. The conjunction

of next-state actions requires that there are simultaneousjumps in each of the subcomponent. Moreover if one of thesubcomponent reaches its end location, which causes thatsuch component has not enabled action, it is not possible toexecute any jump in any of the contained components. Thisconfiguration is then recognized as the end location of thecomponent. The identification of end locations in behaviorsis important for serial composition of components as the endlocations determine the moments when currently active com-ponent looses the control and passes it to another component.

4.3 Specifying serial composition of components

The serial composition of components insists on the require-ment that only one contained component has control at atime. This needs to be reflected in a location configuration.To enable the passing of control between components, spe-cific actions that modify only activity array are added intothe specification. Their purpose is similar to that of connec-tor elements that can be found in architecture descriptionlanguages, e.g. [17]. The example of a component com-posed in series is shown in Fig. 4. The module Engine

Fig. 4 The TLA+ specificationof engine

123


Fig. 5 A trace of componentswitch behavior

instantiates two subcomponents, namely Drive and Halt .Constants ini t activi t y are used to specify which compo-nent has granted a focus when the compound componentis activated. Component Halt can get focus only throughinterface location slowdown that is not accessible outsideEngine component. Component Drive will get focus ifcomponent Engine gets one. Lines 9–12 and 14–17 con-tain definition of connectors that stand for transfer of con-trol between Drive and Halt components as depicted byslowdown and speedup component interconnection in Fig. 1.Connector action C slowdown is enabled if Drive compo-nent is at slowdown location, which is tested byL slowdown predicate introduced in Drive module (seeFig. 3, line 19).

The connector activates Halt component and keep thecomponent Drive at the end location. Also, it activates itselfby including Activate in the conjunction of the next-stateaction. Predicate Activate simply sets the corresponding ele-ment of activi t y array to true without the modifying clockvariable:

Activate�= Activation of the current component.

∧ activi t y′ ∈ [Com ponents → boolean]∧ activi t y′[current] = true∧ unchanged 〈clock〉Predicate Suspend is included in the action predicate in

order to fully define activi t y array in the next state. With-out this predicate, activi t y[Drive] can be arbitrary bool-ean value. Instead, elements of activi t y array that definesstates of component Drive and its subcomponents are set toundef . An example sequence demonstrating componentsswitching is show in Fig. 5. The state of the system is rep-resented only by the actual value of activi t y array. Initially,component Drive is active. In the second step, the compo-nent Drive enters its end location, which is forced by compo-nent DriveBrake. This leads to inactivation of Drive andEngine components too. Component switching is done inthe transition between the second and third step. ComponentHalt is activated, which allows to set Engine componentto active state too. The state of Drive component set as sus-pended. Note that clock variables remains unchanged duringthe switch step.

In TLA+ specification, the end locations can be identi-fied by reading activi t y array. The presence of an atomiccomponent A in its end location can be checked by expres-sion activi t y[A] = false. In a specification of componentC obtained by parallel compositions of components A =A1, . . . An , reaching the end location by one of the subcom-ponents is propagated to the top level, which is encoded asactivi t y[C] = ∀ s ∈ A : activi t y[s]. Serial compositionC of components A = A1, . . . An , reaching the end loca-tion by subcomponents is propagated to the top level, whichis encoded as activi t y[C] = ∃ s ∈ A : activi t y[s]. Thismeans that all the components must be inactive in order tomark the serial composition as inactive too.

Once a component reaches its end location it shouldremain there until the control flow enter the component againvia one of its entry interface location. In other words, the com-ponent waits in this state for the resume action. The compos-ability requires that the component does permit the evolutionof its environment (or container component) and therefore theglobal clocks are allowed to run, while the component is atthe end location.

A component C = A ⊕ B composed in serial from sub-components A and B is equally represented by a TLA+module MC = 〈DclC , DefC 〉 with a reachability graphGC = 〈NC , EC , DC 〉 induced by the specification I ni t ∧�[Next]vars if the following conditions are met:

– A set of module variables includes all input and outputvariables that occur in both of its subcomponents; that is,for every vT ∈ V in,out

A ∪ V in,outB there exists v ∈ DclC

such that |GC v ∈ T .– The meaning of next-state action Next agrees with the

predicate ϕjumpA ∨ ϕ

jumpB ; that is, for execution w =

w0 . . . wn

– if (a, w) is an execution of module A⊕B then there is asequence of states p̂0 . . . p̂n such that ( p̂i , p̂i+1) |GC

Next for 0 ≤ i < n. Location a is active at least atstates p̂0 and p̂n .

– if (a, w, b) is an execution of module A ⊕ B thenthere is a sequence of states p̂0 . . . p̂n such that( p̂i , p̂i+1) |GC Next for 0 ≤ i < n. Location ais active at state p̂0 and location b is active at state p̂n .

123


Moreover, it has to hold for both cases that values of everyvariable of v ∈ VA(J ) in both interpretations equal; thatis, D( p̂, v) = p[v].

Execution in a serial component consists of possibly alter-nating finite sequences of jumps. Each sequence belongs tobehavior of some subcomponent. This principle is reflectedin Next predicate of a composite component which is definedas a disjunction of Next predicates of the subcomponents.The other possibility is to have Next predicate defined as aconjunction of subcomponent’s Next predicates and addinga distinguished action to all atomic components, which isenabled if the component is suspended. This activity statesthat the component does not engage in system behavior.

4.4 Composition rules

In the following, we generalize the previously informallydefined compositional operations to the TLA+ compositionrules and shows that they obey the required properties.

Definition 1 (Rule of Parallel Composition) For any set C ,if

(∀k ∈ C : v′k = vk) ≡ (v′ = v)

then(⊗k ∈ C : I ni tk ∧ �[Nextk]〈varsk 〉) ≡

∧ (∧

k ∈ C : I ni tk) ∧ I ni t Parallel(C)

∧ �[(∧ k ∈ C : Nextk) ∧ JumpParallel(C)]〈varsk 〉.

The rule of parallel composition gives a hint on how to cre-ate a joint specification by composing specifications of com-ponents in set C such that their instantaneous state changesare performed as joint actions. This rule is very close to theprinciples defined in [2]. The composition is reduced to con-junction of components specifications.

Definition 2 (Rule of Serial Composition) For a set of com-ponents C and a set of connectors S, if

(∀k ∈ C : v′k = vk) ≡ (v′ = v)

then(⊕k ∈ C : I ni tk ∧ �[Nextk]〈varsk 〉) ≡

∧ (∧

k ∈ C : I ni tk) ∧ I ni t Serial(C)

∧ �

⎡

⎣∨(∧ (

∨k ∈ C : Nextk)

∧ JumpSerial(C)

)

∨ (∨

j ∈ S : Fj )

⎤

⎦

〈varsk 〉.

The rule of serial composition catch an aspect of switchingconstituent components in behaviors of the composite com-ponent. The basic idea is that composition can be reducedto disjunction of steps that can be performed by constituentcomponents. Nevertheless, this solely is not sufficient as weneed to be sure that only one component is running at a time.To do this, an explicit control flow mechanism is introduced

by means of activi t y ∈ [Components → tristate ] vec-tor and connector set S. A connector is responsible for acti-vate a selected constituent component according to specifiedactivation rules. A connector that can switch from componenti to component j is written in the form

Fi j�= Li ∧ Activate( j) ∧ (

∧k ∈ C\ j : Activate(k)),

where state formula Li specifies the end location of com-ponent i . Reaching this location by a component i triggersswitch action of connector Fi j yielding the connector j inactive mode and all others in the suspended mode.

5 Conclusion

In this paper, an overview of the method capable of for-mal specifying and verifying embedded control systems hasbeen presented. The method is based on the TLA+ , whichis equipped with a highly expressive language allowing forwriting clear and readable specifications. An accompanyingtool, the TLC model checker, can be employed to show thatthe specification implies the intended properties. We illus-trated the method on a simple example and provided a formaldescription of composition rules.

In addition to clarification of basic properties of the com-ponent model and specification method, the perspectives forfuture research were revealed:

– Deeper understanding of the assume-guarantee refine-ment in the TLA+ specification framework is requiredand the proof that these specifications obey assume-guar-antee principle as specified for Masaccio model shouldbe given. It enables to apply the formal verification tech-niques to construct proofs of design correctness for indi-vidual components and their compositions.

– Specifying hybrid systems as proposed by Masaccio wasnot fully addressed in this paper. In particular, continuouscomponents and related issues were not considered at all.As shown in [15], TLA+ is expressive enough to capture alarge class of hybrid systems specifications. The questionis whether the verification can be adequately supportedby the tools available for TLA+ .

– A refinement relation that has been defined for conjoiningcompositions of specifications [1] shows the capability ofTLA+ to develop the system implementation from an ini-tial high-level to a high-level timed program (e.g. [6,8])in a step-wise manner.

The formal model and presented specification method issuitable, in particular, for application to the domain of dis-tributed time-triggered systems [13] or to support designmethods based on architecture description languages withformal reasoning tools.

123


Acknowledgments The research has been supported by the CzechMinistry of Education in the frame of Research Intentions MSM0021630528, and by the Grant Agency of the Czech Republic throughthe grants GACR 201/07/P544 and GACR 102/08/1429. We thankMiroslav Sveda, Tom Hilburn and anonymous reviewers for their sug-gestions to improve this paper.

References

1. Abadi M, Lamport L (1993) Composing specifications. ACMTrans Program Lang Syst 15(1):73–132

2. Abadi M, Lamport L (1993) Conjoining specifications. ResearchReport 118, Digital Equipment Corporation

3. Abadi M, Merz S (1995) An abstract account of composition. In:Wiedermann J, Hajek P (eds) Mathematical foundations of com-puter science. Lecture notes in computer science, vol 969. Springer,Prague, pp 499–508

4. Cousot P, Cousot R (2001) Verification of embedded software:problems and perspectives. Lecture notes in computer science,vol 2211. Springer, Berlin, pp 97–114

5. Diaconescu R, Futatsugi K, Iida S (1999) Component-based alge-braic specification and verification in cafeobj. In: FM’99—formalmethods. Lecture notes in computer science, vol 1709. Springer,Berlin, pp 1644–1663

6. Ghosal A, Henzinger TA, Iercan D, Kirsch C, Sangiovanni-Vincen-telli AL (2006) Hierarchical timing language. Technical ReportTechnical Report No. UCB/EECS-20, EECS Department, Univer-sity of California, Berkeley

7. Henzinger TA (2000) Masaccio: a formal model for embeddedcomponents. In: TCS ’00: Proceedings of the international confer-ence IFIP on theoretical computer science, exploring new frontiersof theoretical informatics. Springer, London, pp 549–563

8. Henzinger TA, Horowitz B, Kirsch CM (2001) Giotto: a time-triggered language for embedded programming. Lecture notes incomputer science, vol 2211. Springer, Berlin, pp 166–184

9. Henzinger TA, Minea M, Prabbu V (2001) Hybrid systems: com-putation and control. Lecture notes in computer science, chap-ter Assume-guarantee reasoning for hierarchical hybrid systems,vol 2034. Springer, Berlin, pp 275–290

10. Herrmann P, Graw G, Krumm H (1998) Compositional specifica-tion and structured verification of hybrid systems in ctla. In: Pro-ceedings of 1st IEEE international symposium on object-orientedreal-time distributed computing. IEEE Computer Society Press,New York, pp 335–340

11. Hooman J (1993) A compositional approach to the design of hybridsystems. In: Hybrid systems. Springer, London, pp 121–148

12. Kaminski M, Yariv Y (2001) A real-time semantics of temporallogic of actions. J Logic Comput 13(6):921–937

13. Kopetz H (2002) Real-time systems: design principles for dis-tributed embedded applications. The Springer international seriesin engineering and computer science, chapter The time-triggeredarchitecture, vol 395. Springer, Netherlands, pp 285–297

14. Koymans R, Shyamasundar RK, de Roever WP, Gerth R,Arun-Kumar S (1988) Compositional semantics for real-time dis-tributed computing. Inf Comput 79(3):210–256

15. Lamport L (1992) Hybrid systems in tla+. In: Hybrid systems.Lecture notes in computer science, vol 736. Springer, Berlin,pp 77–102

16. Lamport L (2003) Specifying systems: the TLA+ language andtools for hardware and software engineers. Addison-Wesley,Reading

17. Lau K-K, Ukis V, Velasco P, Wang Z (2006) A component model forseparation of control flow from computation in component-basedsystems. Electron Notes Theor Comput Sci 163(1):57–69

18. Lee E (2002) Advances in computers, chapter Embedded software.Academic Press, New York

19. Lynch N, Segala R, Vaandrager F (1996) Hybrid i/o automata.Lecture notes in computer science. Springer, Berlin, pp 496–510

20. Ramakrishna YS, Shyamasundar RK (1995) A compositionalsemantics of esterel in duration calculus. In: Proceedings of sec-ond AMAST workshop on real-time systems: models and proofs,bordeux. Springer, Berlin

21. Rysavy O, Rab J (2008) A component-based approach to verifica-tion of embedded control systems using tla. In: IEEE proceedings ofinternational multiconference on computer science and informationtechnology. IEEE Computer Society Press, New York, pp 719–725

123

A formal model of composing components: the TLA+ approach

Documents

Transcript of A formal model of composing components: the TLA+ approach