Verifying hierarchical Ptolemy II discrete-event models using Real-Time Maude

Kyungmin Bae, Peter Csaba Ölveczky, Thomas Huining Feng, Edward A. Lee, Stavros Tripakis
2012 Science of Computer Programming  
This paper defines a real-time rewriting logic semantics for a significant subset of Ptolemy II discrete-event models. This is a challenging task, since such models combine a synchronous fixed-point semantics with hierarchical structure, explicit time, and a rich expression language. The code generation features of Ptolemy II have been leveraged to automatically synthesize a Real-Time Maude verification model from a Ptolemy II design model, and to integrate Real-Time Maude verification of the synthesized model into Ptolemy II. This enables a model-engineering process that combines the convenience of Ptolemy II DE modeling and simulation with formal verification in Real-Time Maude. We illustrate such formal verification of Ptolemy II models with three case studies.

... the next state of other attributes or the values in messages, but are themselves unchanged, may be omitted from right-hand sides of rules/equations. A subclass inherits all the attributes, equations, and rules of its superclasses, and multiple inheritance is supported.

Object-oriented specification in Real-Time Maude

A Real-Time Maude timed module specifies a real-time rewrite theory [4], that is, a rewrite theory $\mathcal{R} = (\Sigma, E \cup A, R)$, such that:

1. $(\Sigma, E \cup A)$ contains an equational subtheory $(\Sigma_{\mathit{TIME}}, E_{\mathit{TIME}}) \subseteq (\Sigma, E \cup A)$, satisfying the TIME axioms in [4], which specifies a sort Time as the time domain (which may be discrete or dense). Although a timed module is parametric in the time domain, Real-Time Maude provides some predefined modules specifying useful time domains. For example, the modules NAT-TIME-DOMAIN-WITH-INF and POSRAT-TIME-DOMAIN-WITH-INF define the time domain to be, respectively, the natural numbers and the nonnegative rational numbers, and contain the subsort declarations Nat < Time and PosRat < Time. These modules also add a supersort TimeInf, which extends the sort Time with an "infinity" value INF.
2. The sort of the "states" of the system is the designated sort System.
3. The rules in R are decomposed into:
   - "ordinary" rewrite rules that model instantaneous change, and
   - tick (rewrite) rules that model the elapse of time in a system. Such tick rules have the form $l : \{t\} \xrightarrow{u} \{t'\} \textrm{ if } cond$, where $t$ and $t'$ are of sort System, and {_} is a built-in constructor of a new sort GlobalSystem. To each such tick
doi:10.1016/j.scico.2010.10.002 fatcat:ggelzhjuavdrtlmflojqyn26zu