Real-Time Model Checking is Really Simple Leslie Lamport Microsoft Research 13 June 2005 To be presented at Charme 2005, to be held 3-6 October 2005, in SaarbrÄucken, Germany. This version is formatted di®erently, with di®erent line and page breaks, from the version to appear in the Charme proceedings. Contents 1 Introduction 1 Introduction 1 2 Writing Explicit-Time Speci¯cations 2 3 Model Checking Explicit-Time Speci¯cations 4 3.1 Speci¯cations and Temporal Properties . 4 3.2 Symmetry . 5 3.3 Model Checking . 5 3.4 View Symmetry . 7 3.5 Symmetry Under Time Translation . 7 3.6 Periodicity and Zeno Behaviors . 8 4 Comparison with Uppaal 10 4.1 The Leader Algorithm . 10 4.2 Fischer's Algorithm . 14 5 Conclusion 15 References 16 Real-Time Model Checking is Really Simple Leslie Lamport Microsoft Research 13 June 2005 Abstract It is easy to write and verify real-time speci¯cations with existing languages and methods; one just represents time as an ordinary vari- able and expresses timing requirements with special timer variables. The resulting speci¯cations can be veri¯ed with an ordinary model checker. This basic idea and some less obvious details are explained, and results are presented for two examples. 1 Introduction Numerous special languages and logics have been proposed for specifying and verifying real-time algorithms. There is an alternative that I call the explicit-time approach, in which the current time is represented as the value of a variable now and the passage of time is modeled by a Tick action that increments now. Timing constraints are expressed with timer variables. Hardly anything has been written about the explicit-time approach, per- haps because it is so simple and obvious. As a result, most people seem to believe that they must use special real-time languages and logics. It has already been shown that an explicit-time approach works ¯ne for specifying and proving properties of real-time algorithms [1]. Here, I consider model checking explicit-time speci¯cations. The major advantage of the explicit-time approach is that it can be used with any language and logic for describing concurrent algorithms. This is especially important for complex algorithms that can be quite di±cult to represent in the lower-level, inexpressive languages typical of real-time model checkers. For example, distributed message-passing algorithms have queues or sets of messages in transit, each with a bound on its delivery time. Such algorithms are di±cult or impossible to handle with most real-time model checkers. Section 2 briefly explains the explicit-time approach with a simple distributed algorithm. A complete speci¯cation of the algorithm in TLA+ [8], a high-level mathematics-based language, appears in [9]. Explicit-time descriptions can use either continuous or discrete time. Section 3 shows that when discrete time is used, these descriptions can be checked with ordinary model checkers. This simple fact has been known for quite a while and is implicit in several published results [5]. However, a direct statement of it does not seem to have appeared before in print. Moreover, there are some aspects of model checking explicit-time speci¯cations that may not be obvious, including the use of view symmetry and a method for checking that a speci¯cation is nonZeno [1]. Section 4 describes the result of checking the algorithm described in Section 2 with TLC, a model checker for TLA+ speci¯cations, and with Uppaal [10], the only real-time model checker I know of that can handle this example. It also compares TLC, Spin [6], and SMV [11] with Uppaal on the Fischer mutual exclusion algorithm [13]. More details appear in [9]. 2 Writing Explicit-Time Speci¯cations In an explicit-time speci¯cation, time is represented with a variable now that is incremented by a Tick action. For a continuous-time speci¯cation, Tick might increment now by any real number; for a discrete-time speci¯cation, it increments now by 1. Timing bounds on actions are speci¯ed with one of three kinds of timer variables: a countdown timer is decremented by the Tick action, a count-up timer is incremented by Tick, and an expiration timer is left unchanged by Tick.1 A countdown or count-up timer expires when its value reaches some value; an expiration timer expires when its value minus now reaches some value. An upper-bound timing constraint on when an action A must occur is expressed by an enabling condition on the Tick action that prevents an increase in time from violating the constraint; a lower-bound constraint on when A may occur is expressed by an enabling condition on A that prevents it from being executed earlier than it should be. I illustrate how one writes explicit-time speci¯cations using the example of a simple version of a classic distributed algorithm of Radia Perlman [12]. The original algorithm constructs a spanning tree rooted at the lowest- numbered node, called the leader. The tree is maintained by having the 1Dutertre and Sorea [3] use a di®erent kind of timer variable that predicts the time at which an action will occur. 2 Tick =¢ 9 d 2 fr 2 Real : r > 0g : ^ 8 n 2 Node : timer[n] + TODelay ¸ d ^ 8 ms 2 BagToSet(msgs): ms:rcvTimer ¸ d ^ now 0 = now + d ^ timer 0 = [n 2 Node 7! timer[n] ¡ d] ^ msgs0 = let Updated(ms) =¢ [ms except !:rcvTimer = ms:rcvTimer ¡ d] in BagOfAll(Updated; msgs) ^ unchanged hldr; disti Figure 1: The Tick action's de¯nition for the leader algorithm. leader periodically propagate an I'm Leader message down it that informs each node of its distance to the leader. A new tree is constructed if a failure causes some node to time out before receiving the I'm Leader message. I have simpli¯ed it by eliminating failures, so correctness means simply that every node learns the leader within some ¯xed length of time. A complete TLA+ speci¯cation of the algorithm appears in [9]. Here, I describe only the TLA+ speci¯cation of the Tick action. The algorithm has three timing parameters, Period, MsgDelay, and TODelay. Each node n has a countdown timer timer[n]. Setting timer[n] to ¿ causes a timeout to occur between ¿ and ¿ +TODelay seconds later. By letting ¿ be the minimum timeout interval, this models both delay in react- ing to a timeout and variation in the running rate of physical timers. When its timeout occurs, node n sends an I'm Leader message and sets timer[n] to Period. If n receives an I'm Leader message from a lower-numbered node, it resets timer[n] to a suitable value. A message is assumed to be re- ceived at most MsgDelay seconds after it is sent, a constraint enforced with a rcvTimer countdown timer ¯eld in the message. The algorithm achieves stability if, upon receiving a message from its leader, a node n sets timer[n] to a value no smaller than Period + TODelay + dist[n] ¤ MsgDelay, where dist[n] is the distance from n to the leader. Figure 1 contains the de¯nition of the Tick action from the TLA+ spec- i¯cation. It can't be completely understood without seeing the rest of the speci¯cation and having some knowledge of TLA+ (including the de¯nitions of the operators BagToSet and BagOfAll from the standard Bags module). However, it will indicate how timing constraints are speci¯ed and also give an idea of the high-level nature of TLA+. This version is for a continuous-time speci¯cation, in which now is incremented by some real value d. We obtain 3 a discrete-time speci¯cation by replacing \ 9d 2 fr 2 Real : r > 0g :" with \ let d =¢ 1 in ". The action's ¯rst two conjuncts enforce the upper-bound constraints. The ¯rst prevents timer[n] from becoming less than ¡TODelay, for each node n. The second prevents the timer ms:rcvTimer from becoming nega- tive, for all messages ms in the bag (multiset) msg of messages in transit. The action's remaining conjuncts assert how the variables are changed. The third conjunct asserts that now is incremented by d. The fourth and ¯fth conjuncts assert that all the timers are decremented by d, the fourth for each timer[n] and the ¯fth for the timer component ms:rcvTimer of each message ms. The ¯nal conjunct asserts that the speci¯cation's other variables are unchanged. The complete speci¯cation asserts the additional timing constraint that a timeout action of node n cannot occur before timer[n] has counted down past 0. This constraint is expressed by the conjunct timer[n] < 0 in that action's de¯nition. 3 Model Checking Explicit-Time Speci¯cations Most real-time system speci¯cations are symmetric under time translation, meaning that system actions depend only on the passage of time, not on ab- solute time values. This section explains what symmetry and model check- ing under symmetry mean and describes a simple method of model checking explicit-time speci¯cations that are symmetric under time translation. 3.1 Speci¯cations and Temporal Properties Let a state of a speci¯cation be an assignment of values to all the speci¯- cation's variables, and let its state space be the set of all such states. A state predicate is a predicate (Boolean function) on states, and an action is a predicate on pairs of states. The formula s ¡!A t asserts that action A is true on the pair s, t of states.