Composing Real-Time Concurrent Objects - Refinement, Compatibility and Schedulability by Jaghoori, M.M. (Mohammad Mahdi)
Composing Real-Time Concurrent Objects
Refinement, Compatibility and Schedulability?
Mohammad Mahdi Jaghoori
LIACS, Leiden, The Netherlands
CWI, Amsterdam, The Netherlands
jaghouri@cwi.nl
Abstract. Concurrent objects encapsulate a processor each and com-
municate by asynchronous message passing; therefore, they can be com-
posed to naturally model distributed and embedded systems. We model
real-time concurrent objects using timed automata and provide each ob-
ject with a context-specific scheduling policy. The envisioned usage and
guaranteed deadlines of each object is specified in its behavioral interface,
given also in timed automata. Furthermore, multiple objects can be com-
posed only if they are compatible, i.e., if they respect the expected use
patterns given in the behavioral interfaces of each other. In this paper,
we define refinement of timed automata with inputs and outputs from a
new perspective and we take account of deadlines in the refinement the-
ory. Within this framework, we study composition and compatibility of
real-time concurrent objects, and apply it in the context of compositional
schedulability analysis of multiple-processor systems.
1 Introduction
Object oriented paradigm is a good basis for modular modeling and composi-
tional analysis. A distributed system can be modeled as the composition of a
set of concurrent objects where each concurrent object conceptually has a dedi-
cated processor. We use timed I/O automata to model the real-time behavior of
concurrent objects at an abstract level, as in our previous work [9]. Automata
theory provides a rich basis for analysis; nevertheless, we need compositional
techniques to overcome the complexity of large asynchronous distributed sys-
tems. A concurrent object is both the unit of concurrency and distribution; it is
also a natural point for compositional analysis.
In this paper, we aim at compositional schedulability analysis of multiple-
processor distributed systems specified with concurrent objects; a real-time sys-
tem is schedulable if it can finish all of its tasks within their deadlines. While an
object comprises a queue, a scheduling policy and several methods and is thus
modeled in several automata, the abstract behavior of the object is given in one
automaton, called the behavioral interface. A behavioral interface specifies at a
high level and in the most general terms how an object may be used; thus it is
? This work is supported by the EU FP7-231620 project: HATS.
used as the key to compositional analysis. Each object is analyzed individually
for schedulability with respect to its behavioral interface. As in modular verifica-
tion [12], which is based on assume-guarantee reasoning, individually schedulable
objects can be used in systems compatible with their behavioral interfaces. The
schedulability of such systems is then guaranteed [10].
In interface-based design, refinement is usually used as the means for compo-
sitional analysis. Given a set of components Cj with interfaces Ij , Cj is consid-
ered a correct implementation if it refines Ij . Then ideally, when the interfaces
are compatible their implementations should also be able to work together. To
capture all incompatibilities, any behavior not allowed in the interfaces should
lead to an error (e.g., [6], cf. related work); however, this is too restrictive in prac-
tice because interfaces are abstract and easily produce spurious counterexamples
to compatibility. An optimistic approach (e.g., [1]) considers two interfaces com-
patible if there exists a common behavior that allows them to work together.
This is useful if we can make sure the implementation of evey components indeed
follows this common behavior. We formalized this last step in [10] by requiring
the composition of the components C =‖j Cj to be a refinement of I =‖j Ij .
In this paper, we give a compositional solution to checking the refinement
between C =‖j Cj and I =‖j Ij . The idea is that the outputs of each component
Cj should be expected as an input by the interface of the receiving component;
this is formalized as every Cj being a refinement of I. Traditional views on
refinement do not allow this relation because Cj and I have incompatible sets of
inputs and outputs. A contribution of this paper is generalizing refinement such
that it considers the common set of actions as the observable behavior. Thus, I
is comparable to each Cj with respect to the inputs and outputs of Cj .
The second contribution of the paper is adding deadlines, as parameters to
actions, to the refinement theory. A deadline on an output specifies when the task
is required to finish. A deadline on an input specifies the guaranteed time before
which the task is finished. Usually parameters are not included in the theory of
refinement; instead, they are handled by expansion, i.e., an action is expanded
to several actions considering different valuations of the parameter. Deadline
parameters cannot be treated by expanding. A component may require weaker
deadlines than its interface on the outputs and provide stronger guarantees for
the inputs. We redefine refinement giving deadlines this special treatment.
Another contribution of this paper is applying the developed refinement the-
ory in checking compatibility of concurrent objects in a compositional way. In
[10], we have defined compatibility in terms of refinement: a closed system made
up of individually schedulable objects is schedulable if it is a refinement of the
composition of the behavioral interfaces. With our general definition of refine-
ment, we can apply our method in open systems of multiple concurrent objects,
too. The behavioral interface of the composite open system is the composition
of the behavioral interfaces of individual objects.
We will explain how to automate refinement checking in the toolUppaal [13].
We show further how to check schedulability and compatibility in Uppaal.
Related Work. Compatibility of real-time systems in automata theory has
been studied for timed interfaces [1] and timed I/O automata [6]. Alfaro et al.
[1] take an optimistic approach in which two interfaces are compatible if there
is a possible way for them to work properly. This leads to a simpler theory
but to implement these interfaces, one needs to adhere to these possibilities to
end up with a working system. David et al. [6] suggest to make specifications
input-enabled by adding an Error state and directing every undesired behavior
to that state. They define two specifications to be compatible if their compo-
sition does not reach the Error state. This is unfortunately too restrictive for
high-level specifications; abstract behavioral interfaces easily fall into spurious
incompatibilities whereas their implementations may still work together. Our
approach bridges the gap between these two methods. In fact, we check whether
the implementations at hand, when composed, indeed follow the behavior that
makes their interfaces compatible (w.r.t. the optimistic approach of [1]).
Analyzing the composition of the concurrent objects is subject to state space
explosion because of their asynchronous nature and all their queues. We proposed
a testing technique for compatibility in [10]. In present paper, we will model check
compatibility in a compositional way with our generalized refinement theory.
Schedulability has been studied for actor languages [15] and event driven dis-
tributed systems [8]. Unlike these works, we work with non-uniformly recurring
tasks as in task automata [7] which fits better the nature of message passing in
object-oriented languages. The advantage of our work over task automata is that
tasks are specified and may in turn create new tasks. Furthermore, we address
schedulability analysis of multiple-processor systems. Compared to [11] we deal
with the problem in a compositional way.
A characteristic of our work is modularity. A behavioral interface models the
most general message arrival pattern for an object. A behavioral interface can be
viewed as a contract as in `design by contract' [14] or as a most general assump-
tion in modular model checking [12] (based on assume-guarantee reasoning);
schedulability is guaranteed if the real use of the object satisfies this assump-
tion. In the literature, a model of the environment is usually the task generation
scheme in a specific situation. For example in TAXYS [4], different models of the
environment can be used to check schedulability of the application in different
situations. However, a behavioral interface in our analysis covers all allowable
usages of the object, and is thus an over-approximation of all environments in
which the object can be used. This adds to the modularity of our approach;
every use of the object foreseen in the interface is verified to be schedulable.
2 Timed Automata
Suppose B(C) is the set of all clock constraints on the set of clocks C. A timed
automaton, as defined by Alur and Dill [2], over actions Σ and clocks C is a
tuple 〈L, l0,−→, I〉 representing
 a finite set of locations L (including an initial location l0);
 the set of edges −→⊆ L× B(C)×Σ × 2C × L; and,
 a function I : L 7→ B(C) assigning an invariant to each location.
An edge (l, g, a, r, l′) implies that action `a' may change the location l to l′
by resetting the clocks in r, if the clock constraints in g (as well as the invariant
of l′) hold. When we use Uppaal [13] for analysis, we allow defining variables of
type boolean and bounded integers. Variables can appear in guards and updates.
A timed automaton is called deterministic if and only if for each a ∈ Σ, if
there are two edges (l, g, a, r, l′) and (l, g′, a, r′, l′′) from l labeled by the same
action a then the guards g and g′ are disjoint (i.e., g ∧ g′ is unsatisfiable).
Semantics A timed automaton defines an infinite labeled transition system
whose states are pairs (l, u) where l ∈ L and u : C → R+ is a clock assignment.
We denote by 0 the assignment mapping every clock in C to 0. The initial state
is s0 = (l0,0). There are two types of transitions from a given state (l, u):
 action transitions (l, u) a→ (l′, u′) where a ∈ Σ, if there exists (l, g, a, r, l′)
such that u satisfies the guard g, u′ is obtained by resetting all clocks in r
and leaving the others unchanged and u′ satisfies the invariant of l′;
 delay transitions (l, u) d→ (l, u′) where d ∈ R+, if u′ is obtained by delaying
every clock for d time units and for each 0 ≤ d′ ≤ d, u′ satisfies the invariant
of location l.
Refinement In general refinement is decidable for deterministic timed au-
tomata [2]. Traditionally, two timed automata are considered comparable if they
have the same set of (observable) actions. We do not define observable and hid-
den actions explicitly for timed automata. Given two timed automata A and B,
we consider them comparable if their common set of actions ΣA ∩ ΣB is not
empty. A meaningful use of this definition is when there is a meaningful relation
between the sets of actions of the two automata.
Definition 1 (TA Refinement). Given two timed automata A and B, we say
A refines B (written A v B) iff there is a relation R between their underlying
transition systems such that (sA0 , s
B
0 ) ∈ R, and if (s, t) ∈ R then
 for a ∈ ΣA ∩ΣB, if s a−→A s′ then t a−→B t′ and (s′, t′) ∈ R;
 if A can delay: s
d−→A s′, then B can also delay: t d−→B t′ and (s′, t′) ∈ R.
3 Timed I/O Automata
In timed I/O automata, the action set Σ is partitioned into inputs (ΣI), outputs
(ΣO) and internal actions (Στ ). This allows us to model different components
of a real-time system using automata while their communication is modeled
by synchronization on matching input and output actions. Internal actions are
not necessarily hidden; as we will see in composition, internal actions may model
internal communication which may still be observable, i.e., included in refinement
checking.
We consider timed I/O automata as a superclass of timed automata such
that in normal timed automata ΣI = ΣO = ∅. For an action a we will write
a!, a? and a to denote that it is treated as an output, input or internal action,
respectively.
Composition Composition of two timed I/O automata A and B is written as
S = A ‖ B. The set of locations of S is the Cartesian product of those of A and
B, denoted L(S) = L(A) × L(B). The composed automata synchronize on the
set of sync actions Σ∩ = (ΣIA ∩ΣOB )∪ (ΣOA ∩ΣIB), which are made internal in S:
 input actions: ΣIS = (Σ
I
A ∪ΣIB) \Σ∩
 output actions: ΣOS = (Σ
O
A ∪ΣOB ) \Σ∩
 internal actions: ΣτS = Σ
τ
A ∪ΣτB ∪Σ∩
The set of transitions of S is computed as follows:
 (u, v)
g,a,r−−−→S (u′, v) when u g,a,r−−−→A u′ and a 6∈ Σ∩
 (u, v)
g,a,r−−−→S (u, v′) when v g,a,r−−−→B v′ and a 6∈ Σ∩
 (u, v)
g∧g′,a,r∧r′−−−−−−−→S (u′, v′) when u g,a,r−−−→A u′ and v g
′,a,r′−−−−→B v′ and a ∈ Σ∩
where by r ∧ r′ we mean updating both r and r′. Semantically, S can delay if
both A and B can delay; S can perform a sync action a ∈ Σ∩ if both A and B
can perform a; S can do any other action if either A or B can do that action.
For a finite set of timed I/O automata Ai (1 ≤ i ≤ n) to be composable, they
should have disjoint observable actions: ∀1≤i,j≤n ΣIAi ∩ ΣIAj = ΣOAi ∩ ΣOAj = ∅.
In this case, composition is associative, i.e., (A ‖ B) ‖ C = A ‖ (B ‖ C).
Thus, one could simply write S = A1 ‖ · · · ‖ An to describe the composition of
several composable timed I/O automata communicating with each other. The
composition is called a closed system when ΣIS = Σ
O
S = ∅.
3.1 Refinement for Timed I/O Automata
A recent work by David et al. [6] gives a game-theoretic solution for checking
refinement of timed I/O automata, but they assume input-enabled specifica-
tions. Our definition of refinement for timed automata and timed I/O automata
does not assume input-enabledness; this leads to a more precise notion of com-
patibility (cf. [1, 6]). This is more practical and will be used in Section 6 for
schedulability analysis.
Two timed I/O automata A and B are traditionally (e.g., in [6]) considered
comparable if they have the same sets of input and output actions, i.e., ΣIA =
ΣIB and Σ
O
A = Σ
O
B . Since we want to consider refinement in the context of
composition where inputs and outputs may need to be compared to internal
actions (which are in turn the result of synchronization), we need to be more
liberal with the relation of the action sets. We say the timed I/O automata A
and B are comparable for the relation A v B if:
ΣIA ⊆ ΣIB ∪ΣτB ∧ ΣOA ⊆ ΣOB ∪ΣτB ∧ ΣτA ∩ (ΣIB ∪ΣOB ) = ∅
A1 || A2
B1 || B2
A2A1
B2B1
x == 2
a
x := 0
x > 5
a
x := 0
x == 2
a!
x := 0
a!
x >= 2
a?
x := 0
x > 5
a?
x := 0
Fig. 1. Composition and refinement: A1 v B1 and A2 v B2 but A1 ‖ A2 6v B1 ‖ B2.
This result is expected because A1 v B1 ‖ B2 but A2 6v B1 ‖ B2.
In refinement between timed I/O automata, inputs and outputs are treated
differently, as in alternating refinement [3]. Intuitively, when A refines B, the
refined model A must accept any input that is acceptable in B; and, A may
produce an output only if it is allowed at the abstract level B (e.g., see Fig. 1).
As timed IO automata are used in component-based design, we would like
to be able to use them in compositional analysis, too. Given A1 v B1 and
A2 v B2, B1 and B2 could be abstract interfaces for components A1 and A2,
and one might expect that A1 ‖ A2 v B1 ‖ B2. Such a compositional reasoning
does not hold for timed I/O automata; this is illustrated in the counterexample
in Fig. 1. In this example, A1 admits the input a? in a bigger time interval
than B1; it becomes an internal action after synchronization with a! in A2 (cf.
composition in Section 3), this action would exist in A1 ‖ A2 but not necessarily
in B1 ‖ B2. To compositionally infer A1 ‖ A2 v B1 ‖ B2, we suggest an extra
sufficient step A1 v B1 ‖ B2 and A2 v B1 ‖ B2. Here, we give a definition for
refinement of timed I/O automata that supports such compositional analysis.
Definition 2 (TIOA Refinement). Given two comparable timed I/O automata
A and B, we say A refines B iff there is a relation R between their underlying
transition systems such that (sA0 , s
B
0 ) ∈ R, and if (s, t) ∈ R
 for a ∈ ΣIA, if t a−→B t′, then s a−→A s′ and (s′, t′) ∈ R;
 for a ∈ ΣOA ∪ (ΣτA ∩ΣB), if s a−→A s′, then t a−→B t′ and (s′, t′) ∈ R;
 if A can delay: s
d−→A s′ then B can also delay: t d−→B t′ and (s′, t′) ∈ R.
It is easy to see that when A and B are normal timed automata, i.e., the input
and output action sets are empty, Def. 2 simplifies to Def. 1. Furthermore, we do
not require any direct relation between the inputs (resp. outputs) of A and B;
we may compare inputs or outputs of A with internal actions of B. Thus we can
compare arbitrary automata which helps us check refinement in a compositional
way, described below.
Theorem 1. Given the timed I/O automata A1, A2 and B, we have:
A1 v B ∧ A2 v B =⇒ A1 ‖ A2 v B
The essence of the proof is to consider synchronization of an output in A1
with an input in A2. To show that the resulting transition (with an internal
action) exists in B, we take the corresponding output in A1. In other cases, the
refinement is in fact straightforward because an action in A is due to the same
action in A1 or A2.
In the example in Figure 1, we can make A2 to be a refinement of B1 ‖ B2
by changing the guard on a!, for example, to x == 6. It is easy to see that in
this case A1 ‖ A2 is also a refinement of B1 ‖ B2.
Corollary 1. Given a finite set of timed I/O automata Ai (1 ≤ i ≤ n) and B,
we have:
A1 v B ∧ . . . ∧ An v B =⇒ A1 ‖ · · · ‖ An v B
In a component-based design where different components Ai implement the
behavioral interfaces Bi, this corollary helps us check the refinement relation
A v B in a compositional way, where A = A1 ‖ · · · ‖ An and B = B1 ‖ · · · ‖ Bn.
Having checked this refinement, one could prove safety properties at the abstract
level for B, which then carries over to the refined and more complex system A.
In Section 6 we use this approach for compositional schedulability analysis of a
multiple processor system modeled in concurrent objects.
4 Timed I/O Automata with Deadlines
A deadline specifies the time before which a task must be done. A common
property to check for real-time systems is schedulability, i.e., whether all tasks
finish within their deadlines. We associate a relative deadline d ∈ N to input and
output actions, i.e., the deadline is d time units after the action is taken. The
interpretation of a deadline depends on the action type:
 An automaton with an input action a(d)? guarantees the deadline d; there-
fore, it naturally also guarantees d+ 1.
 An output action a(d)! requires a deadline d; naturally, a deadline d is a
stronger requirement than d+ 1.
At the lowest level of abstraction, the tasks are implemented and one needs to
check whether they indeed meet their deadlines, as explained in Section 5.
Composition In presence of deadlines, we restrict composition of timed I/O
automata by allowing only compatible actions to synchronize; two actions a(d)?
and a(d′)! are compatible if d ≤ d′, i.e., the required deadline is not stronger than
the guaranteed one. As a result of this synchronization, the composed automaton
will have an internal action a(d, d′). A deadline interval [d..d′] associated to an
internal action a is stronger than [δ..δ′] if the interval [d..d′] is included in [δ..δ′],
i.e., δ ≤ d and d′ ≤ δ′. When two transitions have a sync action as input and
output with incompatible deadlines, they do not synchronize and they do not
appear in the composed automaton.
Refinement When considering deadlines in refinement, the refined model must
provide the same (or stronger) deadline guarantees on its inputs compared to
the abstract model; the refined model may not require stronger deadlines on
its outputs than the abstract model. A common internal action cannot have
a stronger deadline interval than the abstract one. Below, Def. 2 is extended
to include deadlines with the abovementioned considerations. Taking deadline
intervals for internal actions makes this definition of refinement transitive, i.e.,
given A v B and B v C we have A v C.
Definition 3 (Refinement with Deadlines). Given two comparable timed
I/O automata, we say A refines B iff there is a relation R between their under-
lying transition systems such that (sA0 , s
B
0 ) ∈ R, and if (s, t) ∈ R
 for a ∈ ΣIA, if t
a(d)?−−−→B t′ then s a(δ)?−−−→A s′ with d ≥ δ and (s′, t′) ∈ R;
 for a ∈ ΣIA, if t
a(d,d′)−−−−→B t′ then s a(δ)?−−−→A s′ with d ≥ δ and (s′, t′) ∈ R;
 for a ∈ ΣOA , if s
a(δ)!−−−→A s′ then
• t a(d)!−−−→B t′ with d ≤ δ and (s′, t′) ∈ R; or,
• t a(d,d
′)−−−−→B t′ with d′ ≤ δ and (s′, t′) ∈ R;
 for a ∈ ΣτA∩ΣB, if s
a(δ,δ′)−−−−→A s′ then t a(d,d
′)−−−−→B t′ and δ ≤ d and d′ ≤ δ′ and
(s′, t′) ∈ R;
 if A can delay: s
d−→A s′ then B can also delay: t d−→B t′ and (s′, t′) ∈ R.
One can easily extend the proof of Theorem 1 to include deadlines. To do
so, consider again the case when an input with deadline d synchronizes with an
output with deadline d′. The generated internal action has the deadline interval
(d, d′). Considering the definition of refinement, we can easily show that the
corresponding interval in B is stronger than (d, d′).
4.1 Checking Refinement in Uppaal
It has been shown for timed automata that checking refinement A v B is decid-
able when B is deterministic [2]. For input-enabled timed I/O automata, David
et al. [6] use a game-theoretic approach. We gave in [10] a simple algorithm to test
refinement of timed automata, in the flavor of Def. 1, using reachability analysis
in Uppaal. Below, we show how to check refinement for timed I/O automata
with deadlines (cf. Def. 2) again using reachability analysis in Uppaal.
To check the refinement relation A v B, first, we assume no deadlines in
checking refinement (cf. Def. 2). We start from A∗ and B∗ being copies of A and
B, respectively, and continue as below:
 First, we repartition the action sets: ΣIA∗ = Σ
O
B∗ = Σ
I
A and Σ
O
A∗ = Σ
I
B∗ =
ΣOA ∪ (ΣτA ∩ ΣB); other actions are treated as internal. Considering the
requirements that make A and B comparable for the relation A v B (cf.
Section 3.1), it is easy to see that the assignments above do not change the
action set of B∗, i.e., ΣB = ΣB∗ .
Algorithm NegGuard
for every location l ∈ L(A) do
for every action m ∈ ΣIA do
let gf =
W
i
gi for all transitions l
gi,m,ri−−−−−→ l′ in A
add l
¬gf ,m,∅−−−−−→ Error
endfor
endfor
Algorithm NegInv
for every location l ∈ L(A) do
let h be the invariant of l in A
add l
¬h,τ,∅−−−−→ Error
change every transition l
g,m,r−−−→ l′ to l g∧h,m,r−−−−−→ l′
endfor
Remove all location invariants
Fig. 2. Adding transitions to the Error Location to find incompatibilities.
 We add an Error location to each of A∗ and B∗.
Next, with the algorithms in Fig. 2, we produce A∗E = NegGuard(A
∗) and B∗E =
NegGuard(NegInv(B∗)). A∗E and B
∗
E basically have the same behavior as A
∗ and
B∗ but they are made input-enabled such that every incompatible action in A or
B leads to a designated Error location, i.e., intuitively, unexpected inputs in A
and unexpected output or delay in B. Finally, A∗E and B
∗
E have matching inputs
and outputs and thus their composition can be analyzed in a tool like Uppaal.
The Error locations of A∗E and B
∗
E is not reachable iff A v B. To sketch the
proof of this, NegInv and NegGuard help detect the possible incompatibilities
between delay and action transitions, respectively, with respect to Def. 2.
In order to consider deadlines in Uppaal, we add an extra step in computing
A∗ and B∗:
 For every a ∈ ΣIA, we change a(d) to a(d, 0) in both A∗ and B∗.
 For every a ∈ ΣOA , we change a(d) to a(0, d) in both A∗ and B∗.
Obviously, the above rules leave the internal actions of B (which already have
the form a(d, d′)) unchanged. Thus, every input and output action of A∗ and
B∗ has two deadline values. Next, we add two fresh global variables δ and δ′; in
Uppaal, global variables are used to pass parameter values. We transform input
and output actions to Uppaal format as follows:
 We change every output transition s
g,a(d,d′)!,r−−−−−−−→A∗ s′ to s g,a!,r∧δ:=d∧δ
′:=d′−−−−−−−−−−−−→A∗ s′.
 We change every output transition s
g,a(d,d′)!,r−−−−−−−→B∗ s′ to s g,a!,r∧δ:=d−−−−−−−→B∗ s′.
 We change every input transition s
g,a(d,d′)?,r−−−−−−−→A∗ s′ to s g∧d≤δ,a?,r−−−−−−−→A∗ s′.
 We change every input transition s
g,a(d,d′)?,r−−−−−−−→B∗ s′ to s g∧d≤δ∧δ
′≤d′,a?,r−−−−−−−−−−−−→B∗ s′.
x < MAX_REL
release[self][i]?
delta = d
permit[i][self]!
x = 0
req[self][i]?
delta = d
ERROR
!(x < MAX_REL)
x < MAX_REL
release[self][i]?
delta = 0
permit[i][self]!
x = 0
req[self][i]?
delta = 0
Fig. 3. The abstract behavioral interface of a resource and applying NegInv on it.
The outputs set the values of δ and δ′ to their deadline values which are checked
against the input deadline guarantees in the input actions. This way the deadline
values and the corresponding checks are integrated into the guards and updates
of the automata. Then we can continue in the same way as explained above
without deadlines, i.e., compute A∗E and B
∗
E and check for the reachability of
the Error locations. An example of computing B∗E is given in the next section.
5 Real-Time Concurrent Objects
Concurrent objects encapsulate a processor each and communicate by asyn-
chronous message passing; therefore, they can be composed to naturally model
distributed and embedded systems. An object is an instance of a class with a
context-specific scheduler; a class implements a behavioral interface. In this sec-
tion, we use timed I/O automata with deadlines to model behavioral interfaces,
classes and schedulers.
The observable actions of concurrent objects are the messages they commu-
nicate. For their automata models to be composable, they should have disjoint
sets of inputs (resp. outputs). To achieve this, we consider an action to be a
triple (m, r, s) where m is the message name, r is the receiver object identity,
and s is the sender object identity. The keyword self refers to the identity of the
owner object itself.
Behavioral interfaces A behavioral interface provides an abstract overview
of the object behavior in a single automaton in terms of the messages it may
receive and send. We assume a finite global set M for method names; sending
and receiving messages are written as m! and m?, respectively. We use natural
values d ∈ N to represent deadlines. A behavioral interface B providing a set
of method names MB ⊆ M is formally defined as a deterministic timed I/O
automaton over alphabet ΣB which is partitioned into two sets of actions:
 object outputs received by the environment: ΣBO = {m!|m ∈M∧m 6∈MB}
 object inputs sent by the environment: ΣBI = {m(d)?|m ∈MB ∧ d ∈ N}
We allow underspecified actions where no deadline is given, e.g., for out-
put actions above. An underspecified deadline is potentially stronger than any
specified deadline value d ∈ N; therefore, to be able to reuse the definition of
refinement, we assume that underspecified actions have a deadline zero.
x1 < MAX_REL
x1 < MAX_REL
x1 < MAX_REL
x1 < MAX_REL
req[self][Right]?
deadline=5
reqL[self][Left]?
deadline=5
release[self][Right]?
deadline=5
permit[Right][self]!
x1=0
release[self][Left]?
deadline=5
permit[Left][self]!
x1=0
release[self][Left]?
deadline=5
permit[Left][self]!
x1=0
release[self][Right]?
deadline=5
permit[Right][self]!
x1=0
req[self][Right]?
deadline=5
req[self][Left]?
deadline=5
req[self][Left]?
deadline=5req[self][Right]?deadline=5
Fig. 4. A mutually exclusive resource.
A behavioral interface abstracts from specific method implementations, the
queue in the object and the scheduling strategy. It can also be seen as the highest
level of abstraction (i.e., an over-approximation) of the environments that can
communicate with the object.
Fig. 3 (left) gives the behavioral interface of a resource object which guaran-
tees the deadline d on its inputs req and release. Furthermore, when a requester
is permitted to take the resource, it has to release it before MAX_REL time
units. This automaton is parameterized in i which must be instantiated with the
identity of the requester object when the requester and the resource objects are
composed. If there are two requesters, the behavioral interface of the resource
can be obtained by composing two instances of this automaton with different
values for i.
Fig. 4 gives the behavioral interface of a mutually exclusive resource shared
by two objects Right and Left. When there are two requests at a time, only one
of them is granted in this model. This model is a refinement of the unrestricted
model in Fig. 3 if 5 <= d. To check refinement, we must apply the algorithm
NegGuard to Fig. 4 and both algorithms NegGuard and NegInv to Fig. 3 (the
result of the latter is shown in Fig. 3 right).
Classes One can define a class R as a set of methods implementing a specific
behavioral interface B, which must include at least the methods MB . For an
input action m(d)! in the behavioral interface, a correct implementation should
be able to finish method m before d time units. A class R implementing the
behavioral interface B is a set {(m1, A1), . . . , (mn, An)} of methods, where
 MR = {m1, . . . ,mn} ⊆ M is a set of method names such that MB ⊆MR;
 for all i, 1 ≤ i ≤ n, Ai is a timed I/O automaton representing method mi
with the output alphabet Σi = {m!|m ∈ MR} ∪ {m(d)! | m ∈ M∧ d ∈ N}
and no explicit inputs.
Classes have an initial method which is implicitly called upon initialization
and is used for the system startup. Method automata only send messages while
computations are abstracted into time delays. Sending a message m ∈ MR is
called a self call. Self calls may or may not be assigned an explicit deadline. The
self calls with no explicit deadline are called delegation. Delegation implies that
the internal task (triggered by the self call) is in fact the continuation of the
parent task; therefore, the delegated task inherits the (remaining) deadline of
the task that triggers it.
Schedulers Receiving and buffering messages and executing the corresponding
methods is handled by the scheduler automata. A scheduler automaton imple-
ments a queue for storing messages and their deadlines. The scheduler of a
concurrent object is input enabled, i.e., it can receive any message in MR at any
time; this is to model the asynchronous nature of communication between the
objects. Whenever a method is finished, the scheduler selects another message
from the queue (based on its scheduling strategy) and starts the corresponding
method (called context-switch).
Since the object is strongly input-enabled, i.e., it may accept any input at any
time, it is not per se a refinement of the behavioral interface; because the object
may wait (i.e., have a delay transition) for an input while it is not allowed (i.e.,
expected) in the behavioral interface. Next, we describe how we may restrict the
object behavior so that it is schedulable; in this case, it is a correct refinement
of its behavioral interface.
Schedulable Objects An object is an instance of a class together with a
scheduler automaton. An object is called schedulable if it can finish all of its
tasks within their deadlines. An unrestricted object is trivially non-schedulable,
because it may accept too many inputs in a short time. To restrict the possible
ways in which the methods of an object could be called, we consider only the
incoming messages specified in its behavioral interface. To check an object for
schedulability (e.g., in Uppaal), the inputs of B are changed to outputs m! so
that they match the inputs in the scheduler written as m? and the outputs of
B are changed to inputs written as m? so that they match outputs of method
automata written as m!.
The scheduler automaton moves to an Error location with no outgoing transi-
tions when a task in the queue misses its deadline. Furthermore, as shown in [9],
a schedulable object never puts more than ddmax/bmine messages in the queue,
where dmax is the longest deadline for any method called on any transition of
the automata (method automata or the input actions of the behavioral interface)
and bmin is the shortest termination time of any of the method automata. Thus
we can put a finite bound on the queue length such that queue overflow implies
non-schedulability. We can calculate the best case runtime for timed automata
as shown in [5].
We explained in [9] how the restricted behavioral model of an object can be
constructed as one automaton. The actions of this automaton are the same as its
behavioral interface. We have also shown in [9] how to model an object in Up-
paal. To capture possible design errors, one can start with checking for deadlock
in Uppaal. A deadlock may be caused by a mismatching invariant and guards in
a method implementation, or if the Error location in the scheduler is reached. To
ensure schedulability at the same time, one should add a check for queue over-
flow. This can be written in Uppaal as A not deadlock and tail ≤MAX.
Furthermore, one may check other properties on the restricted object behavior.
It is easy to see that when the restricted object model is schedulable, it is also
a true refinement of the behavioral interface.
6 Real-Time Distributed Systems
Once an object is checked for schedulability with respect to its behavioral inter-
face, it can be used as an off-the-shelf component to compose distributed systems.
If the assumptions in the behavioral interface of the object are satisfied, the cor-
rect behavior of the object is guaranteed (with respect to the properties already
checked for the object, e.g., its schedulability). Checking this is usually referred
to as compatibility check.
In an optimistic approach [1] two interfaces are considered compatible when
there is a way that they can work together. In this case, there exists at least
one implementation of those interfaces that are compatible, too. What actually
needs to be done next is to check whether the implementations at hand indeed
follow the traces that make their interfaces work together.
For concurrent objects, the composition of their behavioral interfaces shows
the acceptable sequences of messages that may be communicated between the
objects. As compatibility is defined in [10], the system implementation at hand
must be a refinement of the composition of the behavioral interfaces. It is shown
in [10] that, assuming individually schedulable concurrent objects, their compo-
sition is schedulable if they are compatible.
Since our definition of refinement in this paper is not restricted to closed
systems, we can generalize compatibility to any open or closed system. When
compatible concurrent objects form an open component, the composition of their
behavioral interfaces serves as the behavioral interface of their composition. Be-
low, we write A : B to denote an object A with its input behavior restricted to
a behavioral interface B (as explained in the previous section).
Definition 4 (Compatibility). We define the concurrent objects Ai : Bi (1 ≤
i ≤ n) to be compatible iff A1 ‖ · · · ‖ An v B1 ‖ · · · ‖ Bn.
Since the compsition of concurrent objects is usually too big (due to their
asynchrony and message queues), model checking compatibility is subject to
state-space explosion; therefore, a testing method has been proposed in [10].
Here, we propose to use the compositional refinement check to verify compati-
bility in this sense.
Given Ai : Bi (1 ≤ i ≤ n) when Ai : Bi v B1 ‖ · · · ‖ Bn for all 1 ≤ i ≤ n,
it follows from Theorem 1 that the composition of the restricted objects A′ =
A1 : B1 ‖ · · · ‖ An : Bn is a refinement of B = B1 ‖ · · · ‖ Bn. We still need to
show that the composition of the unrestricted objects A = A1 ‖ · · · ‖ An is also
a refinement of B; in fact, in this setting the behavior of A and A′ is the same.
Theorem 2. The closed system A1 ‖ · · · ‖ An is trace equivalent to the re-
stricted system A1 : B1 ‖ · · · ‖ An : Bn if ∀1≤i≤nAi : Bi v B1 ‖ · · · ‖ Bn.
Theorems 1 and 2 result in the following corollary:
Corollary 2. The concurrent objects Ai : Bi (1 ≤ i ≤ n) are compatible iff
Ai : Bi v B1 ‖ · · · ‖ Bn for all 1 ≤ i ≤ n.
This implies that given individually schedulable objects, their composition is
also schedulable if we can show that each object is a refinement of the composi-
tion of the behavioral interfaces of all objects.
7 Conclusions and Future Work
We bridge the gap between automata theory and object orientation. In previous
work, we developed schedulability analysis techniques for concurrent objects
modeled in timed I/O automata. In this work, we further developed the related
automata theory such that we can check compatibility in a compositional way.
To be able to argue about schedulability, we extended timed I/O automata
with deadlines. Furthermore, we extended the definition of composition and re-
finement to include deadlines. On the other hand, our definition of refinement is
not restricted to automata with the same sets of inputs and outputs; this allows
us to compare a component, modeled as an automaton, with a composition of
components for refinement.
We applied the refinement theory for timed I/O automata with deadlines
to compositional schedulability analysis of systems modeled with concurrent
objects. Each concurrent object is model checked to be schedulable when its
input behavior is restricted as specified in its behavioral interface; a system is
schedulable when all objects receive inputs as they expect according to their
behavioral interface. This compatibility can be ensured by checking whether the
system is a refinement of the composition of the behavioral interfaces. We showed
in this paper how to model check this in a compositional way.
A possible line of future research is considering network delays between con-
current objects when composed. Network delays both affect the deadlines of
messages and the input assumptions of the object receiving that message. More-
over, complex network structures can also be added to coordinate distributed
schedulable services; for example, to balance the load of a fast client between
multiple slow servers.
References
1. de Alfaro, L., Henzinger, T.A., Stoelinga, M.: Timed interfaces. In: Proc. Embed-
ded Software (EMSOFT). LNCS, vol. 2491, pp. 108122 (2002)
2. Alur, R., Dill, D.L.: A theory of timed automata. Theoretical Computer Science
126(2), 183235 (1994)
3. Alur, R., Henzinger, T.A., Kupferman, O., Vardi, M.Y.: Alternating refinement
relations. In: CONCUR '98. LNCS, vol. 1466, pp. 163178 (1998)
4. Closse, E., Poize, M., Pulou, J., Sifakis, J., Venter, P., Weil, D., Yovine, S.: TAXYS:
A tool for the development and verification of real-time embedded systems. In:
Proc. CAV'01. LNCS, vol. 2102, pp. 391395. Springer (2001)
5. Courcoubetis, C., Yannakakis, M.: Minimum and maximum delay problems in real-
time systems. Formal Methods in System Design 1(4), 385415 (1992)
6. David, A., Larsen, K.G., Legay, A., Nyman, U., Wasowski, A.: Timed I/O au-
tomata: a complete specification theory for real-time systems. In: Proc. Hybrid
Systems: Computation and Control (HSCC'10). pp. 91100. ACM (2010)
7. Fersman, E., Krcal, P., Pettersson, P., Yi, W.: Task automata: Schedulability,
decidability and undecidability. Information and Computation 205(8), 11491172
(2007)
8. Garcia, J.J.G., Gutierrez, J.C.P., Harbour, M.G.: Schedulability analysis of dis-
tributed hard real-time systems with multiple-event synchronization. In: Proc. 12th
Euromicro Conference on Real-Time Systems. pp. 1524. IEEE (2000)
9. Jaghoori, M.M., de Boer, F.S., Chothia, T., Sirjani, M.: Schedulability of asyn-
chronous real-time concurrent objects. J. Logic and Alg. Prog. 78(5), 402  416
(2009)
10. Jaghoori, M.M., Longuet, D., de Boer, F.S., Chothia, T.: Schedulability and com-
patibility of real time asynchronous objects. In: Proc. RTSS'08. pp. 7079. IEEE
CS (2008)
11. Krcal, P., Stigge, M., Yi, W.: Multi-processor schedulability analysis of preemp-
tive real-time tasks with variable execution times. In: Proc. Formal Modeling and
Analysis of Timed Systems. LNCS, vol. 4763, pp. 274289 (2007)
12. Kupferman, O., Vardi, M.Y., Wolper, P.: Module checking. Information and Com-
putation 164(2), 322344 (2001)
13. Larsen, K.G., Pettersson, P., Yi, W.: UPPAAL in a nutshell. STTT 1(1-2), 134152
(1997)
14. Meyer, B.: Eiffel: The language. Prentice-Hall (1992)
15. Nigro, L., Pupo, F.: Schedulability analysis of real time actor systems using
coloured petri nets. In: Proc. Concurrent Object-Oriented Programming and Petri
Nets. LNCS, vol. 2001, pp. 493513. Springer (2001)
Proofs Omitted From Text
Theorem 1. Given the timed I/O automata A1, A2 and B, we have:
A1 v B ∧ A2 v B =⇒ A1 ‖ A2 v B
Proof. For simplicity, we give the proof without considering deadlines. Deadlines
can be added to the proof in a straightforward way.
We write the states of (the underlying transition system of) A = A1 ‖ A2 as
(s1, s2) where si is a state in (the underlying transition system of) Ai. We write
(s1, s2)R(t) to relate a state (s1, s2) in A to t in B using a relation R. We assume
A1 v B and A2 v B with the refinement relations R1 and R2, respectively, as
defined in Def. 2. We define R such that (s1, s2)R(t) if and only if (s1, t) ∈ R1 or
(s2, t) ∈ R2. We show below that the relation R satisfies the requirements put
forward in Def. 2 and therefore A v B.
ObviouslyR relates the initial states ofA andB. Let's assume that (s1, s2)R(t).
The set of sync actions of A1 and A2 are Σ∩ = (ΣIA1 ∩ΣOA2) ∪ (ΣOA1 ∩ΣIA2). By
definition of composition, we have Σ∩ ⊆ ΣτA.
 For a ∈ ΣIA, we know that a ∈ ΣIA1 or a ∈ ΣIA2 and a is not a sync action.
Without loss of generality, we take a ∈ ΣIA1 . Since A1 v B, by Def. 2, we
know that if t
a−→ t′ in B there is a transition s1 a−→ s′1 in A1 and (s′1, t′) ∈ R1.
Since a is not a sync action, there is a transition (s1, s2)
a−→ (s′1, s2) in A,
too. Since (s′1, t
′) ∈ R1, we have (s′1, s2)R(t′).
 For a ∈ ΣOA ∪ ((ΣτA ∩ ΣB) \ Σ∩), i.e., excluding sync actions, we assume,
without loss of generality, that a ∈ ΣOA1∪(ΣτA1∩ΣB). In this case, Amay have
a transition (s1, s2)
a−→ (s′1, s2) only if there is s1 a−→ s′1 in A1. From A1 v B,
we can say that there is also a transition t
a−→ t′ in B and (s′1, t′) ∈ R1. Since
(s′1, t
′) ∈ R1, we have (s′1, s2)R(t′).
 For a ∈ ΣτA ∩ ΣB ∩ Σ∩, A may have a transition (s1, s2) a−→ (s′1, s′2) only
if there are s1
a−→ s′1 in A1 and s2 a−→ s′2 in A2. Without loss of generality,
we assume a ∈ ΣOA1 ∩ ΣIA2 . By considering A1 v B and s1
a−→ s′1, we can
conclude that there is a transition t
a−→ t′ in B and (s′1, t′) ∈ R1. Since
(s′1, t
′) ∈ R1, we have (s′1, s′2)R(t′).
 Finally, if A can delay for d time units, both A1 and A2 can delay and
therefore B can delay for d time units. It is easy to see that the target states
are related by R.
uunionsq
Theorem 2. The closed system A1 ‖ · · · ‖ An is trace equivalent to the restricted
system A1 : B1 ‖ · · · ‖ An : Bn if ∀1≤i≤nAi : Bi v B1 ‖ · · · ‖ Bn.
Proof (idea). It is easy to see that every trace in A′ also exists in A, because
every Ai : Bi is a in fact restriction of Ai.
To show the other direction, take a trace σ = (t1, a1) . . . (tn, an) from A.
We use induction to show that σ is also a trace in A′. As the base case, since
A and A′ start in the same initial states, they can generate the same initial
outputs. Therefore, A′ can output a1 at time t1. Assume that for j < n, σj =
(t1, a1) . . . (tj−1, aj−1) exists in A′ and furthermore A′ can output aj at time tj .
We must show that aj is also an acceptable input at time tj .
Suppose aj is an output action of Aj1 and an input action of Aj2. Since
Aj1 : Bj1 is a refinement of B, the action aj exists in B; and since Aj2 : Bj2 is
also a refinement of B, the action aj is acceptable in Aj2 : Bj2 at time tj . Next,
A′ can produce the output action aj+1 at time tj+1 because it has the same
methods as A. uunionsq
