# Formalization and Verification of RTPS StatefulWriter Module Using CSP

Jiaqi Yin<sup>1</sup>

Huibiao Zhu<sup>\*1</sup> Yuan Fei<sup>\*2</sup>

Ruobiao Wu<sup>4</sup>

Qiwen Xu<sup>3</sup>

 <sup>1</sup>Shanghai Key Laboratory of Trustworthy Computing East China Normal University, Shanghai, China
 <sup>2</sup>School of Information, Mechanical and Electrical Engineering Shanghai Normal University, Shanghai, China
 <sup>3</sup>Faculty of Science and Technology, University of Macau, China
 <sup>4</sup>Huawei Technology Co., Ltd. China

Abstract—The Real Time Publish Subscribe protocol (RTPS), as a Data Distribution Service (DDS) protocol for computer systems, is composed of several modules. We focus on RTPS StatefulWriter Module which has two patterns, reliable pattern and best-effort pattern. As the main module of sending and receiving messages, its security and reliability are of great concern. The formal method can analyze whether it is a highly credible model from the mathematical point of view. Our research pays attention to the reliable pattern. Thus it is of great importance to model and verify whether the pattern is reliable through formal methods. In this paper, we model seven components of the module using Communicating Sequential Processes (CSP). By feeding the models into the model checker Process Analysis Toolkit (PAT), we verify four properties, divergence free, acknowledgement mechanism, data consistency and sequentiality. Consequently, it can be apparently concluded that the pattern of this module is reliable, which totally caters for its specification.

Index Terms—RTPS StatefulWriter Module, CSP, PAT, Modeling, Verification

# I. INTRODUCTION

Data Distribution Service (DDS) is a new generation of distributed real-time communication middleware technology specification developed by Object Management Organization (OMG) based on HLA and CORBA standards. It adopts publish/subscribe architecture, emphasizes data-centric and provides abundant quality of service strategies. The Real Time Publish Subscribe protocol (RTPS), as a Data Distribution Service (DDS) protocol for computer systems, transfers data from publishers to subscribers. StatefulWriter module is one module of RTPS protocol. It has two modes, which are reliable pattern and best-effort pattern. Reliable pattern means the data must be always transferred to subscribers in the specification. Thus, we follow with interest the reliablity of the reliable pattern in the module.

The behavior of the module contains acknowledgement mechanism and heartbeat mechanism. The former guarantees all messages to be received by subsceibers and the latter assures the messages to reach the subscribers. Besides, data consistency and sequentiality need to be ensured in the reliable pattern. Our work is to model and verify the reliable pattern of

\*Corresponding authors: hbzhu@sei.ecnu.edu.cn (H. Zhu). yuanfei@shnu.edu.cn (Y. Fei). the module. Thus, through formal modeling and verification of StatefulWriter module, the specification can be more precisely modeled and validated, avoiding the ambiguity of natural language description, which has certain guiding significance.

The most related prior work we identifided is a study by Liu et al. [5] that mainly verified the security, activity and priority of DDS in ROS2. In addition, Alaerjan et al. [1] defined the missing functional behavior in DDS dynamic model and the semantics of the new operation using Object Constraint Language (OCL). Some recent research projects [2], [7], [10] have explored analysis and verification of many aspects of DDS, such as real-time performance, security of DDS-based middleware and so on. Our work focuses on the communication dependability of the module's reliable pattern using formal methods.

The remainder of this paper is organized as follows. Section II gives a brief introduction to RTPS StatefulWriter Module, the process algebra CSP and model checker PAT. In Section III, we formalize the seven core components in the module using CSP. We apply the model checker PAT to implement the model and verify four properties in Section IV, including divergence free, acknowledgement mechanism, data consistence and sequentiality. Section V describes the conclusion and future work.

#### II. BACKGROUND

This section detailedly describes the flows of the module which are used in the next section and briefly introduces the process algebra CSP and model checker PAT.

# A. RTPS StatefulWriter Module

RTPS StatefulWriter Module has seven components. There are Publisher, DDSWriter, RTPSWriter, HistoryCache, Subscriber, DDSReader and RTPSReader. Fig. 1 shows the 22 communications in the module. It can be divided into four submodules, which are writing data, heartbeat mechanism, reading data and removing data. Here we combine all of them in Fig. 1. The detailed messages are as follows.

Writing data submodule contains the first six interactions. Publisher writes data by invoking the **write** operation on



Fig. 1. Communications of RTPS StatefulWriter Module

DDSWriter. Then, DDSWriter invokes the **new\_change** operation on RTPSWriter to create a new CacheChange. Each CacheChange has a unique sequence number. Also, DDSWriter uses the **add\_change** operation to store the CacheChange into RTPSWriter's HistoryCache. When functions are invoked, they return the message that means operation has been executed successfully.

HeartBeat mechanism submodule is used to send message heartbeat to Reader endpoint. If the message is received smoothly within the specified time and checked by the Subscribers, RTPSWriter receives the information ACKNACK indicating confirmation.

Reading data submodule consists of four interactions. Subscriber reads data by invoking the **take** operation in DDSReader. Then, DDSReader accesses the changes with data and sequence number from HistoryCache. Ultimately, the **take** operation returns the data and sequence number to Subscriber.

Removing data submodule is composed of the remaining communications. Subscriber invokes the **return\_loan** operation on DDSReader to notify that it no longer uses the data. Next, DDSReader uses the **remove\_change** operation to remove the data from HistoryCache. Then, DDSWriter invokes the **is\_acked\_by\_all** operation to determine whether all the changes are all received by the Reader endpoints. At length, DDSWriter calls the **remove\_change** operation to remove the data from HistoryCache.

### B. A Brief Introduction to CSP and PAT

CSP [3], [4] is a process algebra proposed by Hoare in 1978. As one of the most mature formal methods, it is tailored for describing the interaction between concurrent systems by mathematical theories. For its well-known expressive ability, CSP has been widely used in many fields [6], [8], [9]. CSP processes are constituted by primitive processes and actions. We use the following syntax to define the processes in this paper, whereby P and Q represent processes, a and b denote the atomic actions and c stands for the name of a channel.

$$\begin{split} P,Q &= Skip \mid Stop \mid a \rightarrow P \mid c?x \rightarrow P \mid c!e \rightarrow P \mid \\ P \Box Q \mid P ||Q \mid P ||Q \mid P;Q \mid P[|X|]Q \end{split}$$

where:

- *Skip* stands for a process which only terminates successfully.
- *Stop* represents that the process does nothing and its state is deadlock.
- $a \rightarrow P$  first performs action a, then behaves like P.
- c?x → P receives a message by channel c and assigns it to variable x, then behaves like P.
- *c*!*e* → *P* sends a message *e* through channel *c*, then performs *P*.
- *P*□*Q* acts like either *P* or *Q* and the environment decides the selection.
- *P* || *Q* shows the parallel composition between *P* and *Q*. The || means that actions in the alphabet of both operands require simultaneous participation of them.
- *P*;*Q* executes *P* and *Q* sequentially.
- *P*[|*X*|]*Q* indicates that processes *P* and *Q* perform the concurrent events on the set *X* of channels.

PAT Analysis Toolkit (PAT), is designed as an extensible and modularized framework for automatic system analysis based on CSP. It supports specifying and verifying systems in many different modeling languages and there are already various systems such as concurrent real-time systems, probalistic systems, activity recognition and in other domains that have been verified in PAT. PAT can be applied in verifying various properties such as divergencefree, reachability and LTL propertites with assertions in distributed systems. Here we list some notations as below.

- *#define N* 0 defines a global constant *N* with the initial value 0.
- *channel c* 1 stands for a channel which has the name *c* and the buffer size 1.
- *var cond* = *false* represents a boolean condition with the initial value *false*.
- [cond] P indicates a guarded process, which only executes when its guard condition is satisfied.
- #define goal n>0; #assert P reaches goal; defines an assertion that checks whether process P can reach a state where the condition goal is satisfied.
- #assert  $P() \mid = F$ ; defines an assertion that checks whether process P satisfies the formula F.
- III. MODELING RTPS STATEFULWRITER MODULE

In this section, we give the formal model of RTPS StatefulWriter Module. The formalization is proceeded based on the communications in Fig. 1. Our model is constituted by seven core components: *Publisher*, *DDSWriter*, *RTPSWriter*, *HistoryCache*, *Subscriber*, *DDSReader* and *RTPSReader*.

# A. Sets, Messages and Channels

Fig. 2 gives the channels of communication in the module. For more convenience, we give the definitions of sets used in the model. We define the set of **Publisher** of Publisher component, **DDSWriter** of DDSWriter component, **RTPSWriter** of RTPSWriter component, **HistoryCache** of HistoryCache component, **DDSReader** of DDSReader component and **RTP-SReader** of RTPSReader component. In addition, we define the set: **REQ** of request, **SEQ** of sequence number messages and **DATA** of data information; for simplicity, **ALLSETS** defines the unions of all sets of RTPS StatefulWriter module.

Based on the sets defined above, the messages transmitted among components are defined as follows:

$$\begin{split} MSG &= MSG_{req} \cup MSG_{rep} \cup MSG_{data} \\ MSG_{req} &= \{msg_{req}.A.B.content \mid A \in (ALLSETS-Publisher), \\ B &\in ALLSETS, content \in REQ \} \\ MSG_{rep} &= \{msg_{rep}.A.B.content \mid A \in ALLSETS, \\ B &\in ALLSETS, content \in SEQ \cup REQ \} \\ MSG_{data} &= \{msg_{data}.A.B.content \mid A \in ALLSETS, \\ B &\in ALLSETS, content \in DATA \} \end{split}$$

where,  $MSG_{req}$  represents the set of request messages,  $MSG_{rep}$  stands for the set of all kinds of response requests and  $MSG_{data}$  represents the set of messages transmitting data. Each message contains a tag from the set { $msg_{req}$ ,  $msg_{rep}$ ,  $msg_{data}$ }.

Then, we give the definitions of channels. In this paper, the channels using **COM\_PATH** to represent can be defined as follows:

ComPW, ComWP, ComWR, ComRW, ComWC, ComCW, ComCT, ComTC, ComRT, ComTR, ComCD, ComDC, ComSD, ComDS, ComDT, ComTD

The declarations of the channels are as follows:

Channel COM\_PATH : MSG

Table I shows the meanings and functionalities of representative messages transferred in the channels.

 TABLE I

 The explanations of typical messages of the model

| Messages         | Functionalities                                     |
|------------------|-----------------------------------------------------|
| data, DATA       | data transferred in the module                      |
| seq_num, SEQ_NUM | sequence number                                     |
| heartbeat        | judge whether data is received within required time |
| noinvoke         | judge whether invoke functions                      |
| complete         | judge whether execute the function                  |
| take             | read data from cache                                |
| remove           | remove data from cache                              |
| get_change       | get changes from cache                              |

## B. Overall Modelling

System process is composed of all seven subprocesses running in parallel through their own corresponding channel. The subprocesses are *Publisher*, *DDSWriter*, *RTPSWriter*, *HistoryCache*, *Subscriber*, *DDSReader* and *RTPSReader*. The behavior of *System* process is modelled as below.



Fig. 2. Channels of RTPS StatefulWriter Module

## C. Publisher

*Publisher* process is the core part in writing data submodule. It is used to write data to HistoryCache and receives the *complete* information from DDSWriter. The behavior of *Publisher* process is modelled as below.

$$\begin{aligned} Publisher() =_{df} ComPW!msg_{data}.P.W.data \\ \rightarrow ComWP?msg_{rep}.W.P.complete \rightarrow Publisher() \end{aligned}$$

# D. DDSWriter

*DDSWriter* process plays an important role in writing data and removing data submodule. First, it sends and receives messages to write data from Publisher. Then, it applies the acknowldgement mechanism to check if the data has been totally received. If the return message is *ACK*, it invokes function to remove data and sequence numbers from HistoryCache. The behavior of *DDSWriter* process is modelled as below.

| $DDSWriter() =_{df} ComPW?msg_{data}.P.W.data$                    |
|-------------------------------------------------------------------|
| $\rightarrow ComDR!msg_{req}.W.R.data$                            |
| $\rightarrow$ GetSeqNum(); ComRD?msg <sub>rep</sub> .R.D.complete |
| $\rightarrow ComWC!msg_{req}.W.C.data.seq_num$                    |
| $\rightarrow ComCW?msg_{rep}.C.W.complete$                        |
| $\rightarrow ComWP!msg_{rep}$ .W.P.complete                       |
| $\rightarrow$ if (id_acked_by_all(seq_num)==true){                |
| ComRD?msg <sub>rep</sub> .R.D.complete                            |
| $\rightarrow ComWC!msg_{reg}.W.C.remove$                          |
| $\rightarrow$ remove_change(seq_num);                             |
| ComCW?msg <sub>rep</sub> .C.W.complete                            |
|                                                                   |

 $\rightarrow DDSWriter()$  else {Skip} In the above formula, GetSeqNum() is used to set the number of the sequence; id\_acked\_by\_all(seq\_num) is a function that judges whether the data with the seq\_num is acknowledged; remove\_change(seq\_num) is used to remove the

changes in the HistoryCache component.

#### E. RTPSWriter

*RTPSWriter* process works in writing data and heartbeat mechanism submodule. First, it produces the unique sequence number for the uploaded data. Second, it uses heartbeat mechanism to send heartbeat to RTPSReader for assuring the data can be transferred within the required interval. Finally, it helps to check whether the sequence numbers are checked by

all Subscribers. The behavior of *RTPSWriter* is modelled as below.

$$\begin{split} RTPSWriter() &=_{df} ComDR?msg_{req}.D.R.data \\ &\rightarrow ComRD!msg_{rep}.R.D.complete \\ &\rightarrow DATAHeartBeat(); ComRW?msg_{rep}.R.W.ACKNACK \\ &\rightarrow if(head(ACKNACK)==ACK) \{ \\ & acked\_changes\_set(seq\_num); ComDR?msg_{req}.D.R.seq\_num \\ &\rightarrow ComRD?msg_{rep}.R.D.complete \\ &\rightarrow RTPSWriter() \} else \{ Skip \} \end{split}$$

ACKNACK contains ACK and seq\_num, so we use head(ACKNACK) to retrieve the message ACK. acked\_changes\_set(seq\_num) checks whether the changes are set. HeartBeat mechanism is very important in the model. Its detailed behavior is modelled as follows:

$$\begin{split} DATAHeatBeat() &= Clock(0) |\{time\}|] SendHBeat();\\ Clock(i) &= (tick \rightarrow Clock(i+1))\\ &\Box(time?request \rightarrow time!i \rightarrow Clock(i));\\ SendHBeat() &= time!request \rightarrow time?startTime1 \{\\ startTime=startTime1 \}\\ &if (lastTime - startTime > HBeatInterval) \{\\ SendHBeat() \}\\ &else\{ ComWR!msg_req.W.R.heartbeat\\ &\rightarrow event \{lastTime=startTime; \}\\ &\rightarrow SendHBeat() \} \end{split}$$

*time* is the channel between *Clock* and *SendHBeat()*; *Clock(i)* process returns the current time if receives the *request* message. *SendHBeat()* process sends the *heartbeat* message if the time difference is less than *HBeatInterval*; otherwise, the process cycle continues.

## F. HistoryCache

*HistoryCache* process is like a database mainly for storing data and corresponding sequence number. It functions in every submodule, such as writing data and removing data. When receiving the request from Publishers or Subscribers, it invokes the homologous function to handle. The behavior of *HistoryCache* process is modelled as below.

$$\begin{split} \text{HistoryCache}() =_{df} & ComWC?msg_{req}.W.C.data.seq\_num} \\ & \rightarrow ComCW!msg_{rep}.C.W.complete \\ & \rightarrow ComTC?msg_{req}.T.C.data.seq\_num \\ & \rightarrow ComCT!msg_{rep}.C.T.complete \\ & \rightarrow complete12:=get\_changes(seq\_num); \\ & ComCR!msg_{rep}.C.R.complete12 \\ & \rightarrow ComWC?msg_{req}.W.C.remove\_change \\ & \rightarrow complete23:=remove\_changes(seq\_num); \\ & ComCW!msg_{rep}.C.W.complete23 \\ & \rightarrow HistoryCache() \end{split}$$

In the above formula, function *get\_changes(seq\_num)* and *remove\_changes(seq\_num)* is used to get and remove changes from HistoryCache component, respectively. Both of them can return the value 1 to indicate the operation is successful; otherwise, they return 0.

#### G. Subscriber

*Subscriber* process is designed for reading data and removing data submodule. First of all, it calls *take* function to receive data from HistoryCache. Next, it notifies other components that the data will not be used and gets the corresponding feedback. The behavior of *Subscriber* process is modelled as below.

$$\begin{split} &Subscriber() =_{df} ComSR!msg_{req}.S.R.take \\ & \rightarrow DATA := take(); ComRS?msg_{rep}.R.S.DATA \\ & \rightarrow ComSR!msg_{req}.S.R.loan \rightarrow noinvoke := return_loan(); \\ & ComRS?msg_{rep}.R.S.noinvoke \rightarrow Subscriber() \end{split}$$

In the above formula, function *take()* reads data from HistoryCache component and *return\_loan()* indicates the data is not invoked any more, whose value is assigned to *noinvoke*.

#### H. DDSReader

DDSReader process is used for reading data and removing data submodule. First, it helps the Subscriber get data and sequence number from HistoryCache. Then, it invokes remove\_change function to remove changes in HistoryCache. The behavior of DDSReader is modelled as below.

$$\begin{split} DDSReader() =_{df} & ComSR?msg_{req}.S.R.take \\ \rightarrow ComRC!msg_{req}.R.C.get\_change \rightarrow ComCR?msg_{rep}.C.R.complete \\ \rightarrow ComRS!msg_{rep}.R.S.DATA \rightarrow ComSR?msg_{req}.S.R.loan \\ \rightarrow ComRS!msg_{rep}.R.S.noinvoke \rightarrow ComDT!msg_{req}.D.T.remove \\ \rightarrow noinvoke2 := remove\_changes(); ComTD?msg_{rep}.T.D.noinvoke2 \\ \rightarrow DDSReader() \end{split}$$

In the above formula, function *remove\_changes()* is the same as that in process *HistoryCache*. *take* and *get\_change* are the messages to invoke *take()* and *get\_changes()* function, respectively; *loan* and *remove* message are to invoke *return loan()* and *remove changes()* function, respectively.

## I. RTPSReader

*RTPSReader* process is applied to hearbeat mechanism and removing data submodule. First, it receives the heartbeat from RTPSWriter and sends the timely feedback to RTPSWriter. Then, it assists the Subscriber to remove the changes and data in HistoryCache. The behavior of *RTPSReader* is modelled as below.

$$\begin{split} &RTPSReader() =_{df} ComWR?msg_{req}.W.R.heartbeat \\ &\rightarrow ComTC!msg_{req}.T.C.data.seq_num \rightarrow ComCT?msg_{rep}.C.T.complete \\ &\rightarrow ComRW!msg_{rep}.R.W.ACKNACK \rightarrow ComDT?msg_{req}.D.T.remove \\ &\rightarrow ComTD!msg_{rep}.T.D.noinvoke2 \rightarrow RTPSReader() \end{split}$$

In the above formula, *RTPSReader* receives *heartbeat*, sends *data* and *seq\_num* and most importantly, sends *ACKNACK* to complete the procedure of the acknowledgement mechanism.

#### IV. IMPLEMENTATION AND VERIFICATION

In this section, the model in Section III is implemented in the model checker PAT and the properties abstracted from the specification are all verified.

## A. Implementation

First, we need to define important channels, message type flags and delivery objects as enumerations, and define messages communicated between channels as global variables. For the definition of the above variables, we give the following list as a reference:

| channel ComPW 0;      | $enum \{msg_{req}, msg_{rep}, msg_{data}\};$ |
|-----------------------|----------------------------------------------|
| enum {P, W, D, R, C   | , T, S}; var seq_num;                        |
| var ACK = 0;          | var index = 0;                               |
| var DATA1;            | var SEQ_NUM;                                 |
| <i>var dt</i> [5][2]; | #define HBeatInterval 5;                     |

All other channels in the model are defined by the above channel format syntax like ComPW; the enumerated types are the type of the flag message, including  $msg_{req}$  to represent the request,  $msg_{rep}$  to stand for the reply, and  $msg_{data}$  to represent the data; P, W, D, R, C, T, S represent the English capital initials of the seven modules in the RPTS StatefulWriter module model section. Global variable ACK initialized to 0 means no data received is checked by the Subscriber; global variable index initialized to 0 means the number of the data stored in the array in HistoryCache. seq\_num means the initialized sequence number is zero; DATA1 and SEQ\_NUM are the variable representing data and sequence number in Subscriber component. Array dt[5][2] stores data and corresponding suguence number in HistoryCache component. Also, we give the definitions of some constant variables, for example, HBeatInterval, whose manual value is set to 5.

Then, we give the code of one of the processes in PAT as an example. Here we take the implementation of the *DDSWriter()* process as an example:

 $DDSWriter() = ComPW!msg_data.P.W.data1{data=data1}$  $\rightarrow ComWR!msg_req.W.R.data \rightarrow GetSeqNum();$ 

- ComRW?msg\_rep.R.W.complete3{complete3}
- $\rightarrow ComWC!msg\_req.W.C.data.seq\_num$
- $\rightarrow ComCW?msg\_rep.C.W.complete5{complete5}$
- $\rightarrow ComWP!msg\_rep.W.P.complete$
- $\rightarrow$  ComWR!msg\_req.W.R.is\_acked\_all
- $\rightarrow$  if (call(is\_acked\_by\_all,seq\_num)==1) {
- $ComRW?msg\_rep.R.W.complete21{complete=complete21} \rightarrow ComWC!msg\_req.W.C.remove$
- $\rightarrow Remove()$  else {Skip};

From the above process execution code, it can be seen that *data1* event assigns variables and ensures variable values of all processes in the entire system are consistently changed. The function *is\_acked\_by\_all* is invoked by *call. GetSeqNum()* and *Remove()* are other processes used to enhance the readability. Apparently, *GetSeqNum()* is used to get the sequence number; *Remove()* is used to remove the changes from the HistoryCache component. Their details are as follows.

$$GetSeqNum() = getSeqNum\{$$

$$seq\_num = seq\_num + 1; \} \rightarrow Skip;$$

If GetSeqNum() is executed once, seq\_num pluses 1, which can keep the sequence number always different and unique.

$$\begin{aligned} Remove() &= atomic \{ \\ if(call(remove\_change,seq\_num)==1) \\ ComCW?msg\_rep.C.W.complete23 \{ \\ complete=complete23 \} \rightarrow Skip \} \\ else \{ ComCW?msg\_rep.C.W.nocomplete23 \{ \\ complete=complete-1; \\ complete=nocomplete23 \} \rightarrow Skip \}; \end{aligned}$$

We use *atomic* to define *Remove()* process, which means that the event cannot be disturbed until it is finished. *complete23* and *nocomplete23* are the event used to transimitting corresponding *complete* meassge.

Finally, the full definition of the entire system is given as follows:

#### **B.** Properties Verification

Based on the implementation of the model in PAT above, we verify four properties as follows:

# 1) Divergence free

#assert System() divergencefree;

Divergence free means that any traces of the system can diverge rather than behave chaotically.

#### 2) Consistency

Property data consistency is so important that the data from Publisher or HistoryCache or Subscriber component must be completely identical. In the implementation, the original value of the transferred data is equal to 2 and its corresponding sequence number should be equal to 1. If the data and sequence number are consistent in different components, the property is satisfied. Thus, we give the definition and assertion as follows:

#### 3) Acknowledgement Mechanism

The reliable pattern has an acknowledgement mechanism. In our model, if the final value of the global variable *ACK* and *index* are all changed from 0 to 1, the property is satisfied. Thus, we give the LTL formula and reachability to verify whether the property is safe. Their definitions and assertions are as follows:

> #define goal2(ACK==1&&index==1); #assert SYSTEM() reaches goal2; #assert SYSTEM() | =<> goal2;

## 4) Sequentiality

If the Publisher component sends several pieces of data in sequence, the pattern needs to guarantee that the data stored in the HistoryCache component must be in order. Thus, we give three atomic processes *SYSTEM02()*, *SYSTEM03()*  and *SYSTEM04()* on the basis of process *SYSTEM()*. If their storage order is correct in HistoryCache, the property is satisfied. Their definitions and assertions are as follows:

```
\begin{split} &SYSTEM02() = atomic \{event \{ data=2; \} \rightarrow SYSTEM() \}; \\ &SYSTEM03() = atomic \{ event \{ data=4; \} \rightarrow SYSTEM() \}; \\ &SYSTEM04() = atomic \{ event \{ data=6; \} \rightarrow SYSTEM() \}; \\ &SYSTEM05() = SYSTEM04() || SYSTEM03() || SYSTEM02(); \\ &#define \ goal3 \ (dt[0][1] == 2\&\&dt[1][1] == 4\&\&dt[2][1] == 6); \\ &#assert \ SYSTEM05() \ reaches \ goal3; \end{split}
```

## C. Verification and Results

According to the definitions and assertions, we implement the code in PAT and as a result, Fig. 3 shows the properties are all valid, which means the pattern of the module with no intruders is exactly reliable and also caters for the specification.

## V. CONCLUSION AND FUTURE WORK

RTPS StatefulWriter module is a vital component in RTPS protocol. This paper has formalized seven components comprising the *Publisher*, *DDSWriter*, *RTPSWriter*, *DDSWriter*, *HistoryCache*, *Subscriber*, *DDSReader* and *RTPSReader* with CSP. Our work also has applied the model checker PAT to implement the constructed model. Four properties abstracted from the specification, including divergence free, acknowledgement mechanism, data consistency and sequentiality, have been verified. The results are all valid. Consequently, we conclude that from the perspective of process algebra, the constructed model meets these properties and the pattern is absolutely reliable and caters for the specification.

It is naturally a great challenge to model and verify the whole RTPS protocol. We will explore security analysis and verification of the module by adding intruders in the future.

#### VI. ACKNOWLEDGEMNET

This work was partly supported by National Natural Science Foundation of China (Grant No. 61872145), Shanghai Collaborative Innovation Center of Trustworthy Software for Internet of Things (No.ZF1213) and Special Fund for International Academic Conferences of Graduate Students in East China Normal University.

#### REFERENCES

- [1] Alaerjan, A., Kim, D., Kafaf, D.A.: Modeling functional behaviors of DDS. In: 2017 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computed, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation, SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI 2017, San Francisco, CA, USA, August 4-8, 2017. pp. 1–7 (2017)
- [2] Beckman, K., Reininger, J.: Adaptation of the DDS security standard for resource-constrained sensor networks. In: 13th IEEE International Symposium on Industrial Embedded Systems, SIES 2018, Graz, Austria, June 6-8, 2018. pp. 1–4 (2018)
- [3] Brookes, S.D., Hoare, C.A.R., Roscoe, A.W.: A theory of communicating sequential processes. J. ACM 31(3), 560–599 (1984)
- [4] Hoare, C.A.R.: Communicating Sequential Processes. Prentice-Hall (1985)
- [5] Liu, Y., Guan, Y., Li, X., Wang, R., Zhang, J.: Formal analysis and verification of DDS in ROS2. In: 16th ACM/IEEE International Conference on Formal Methods and Models for System Design, MEMOCODE 2018, Beijing, China, October 15-18, 2018. pp. 62–66 (2018)



Fig. 3. Verification Result

- [6] Lowe, G., Roscoe, A.W.: Using CSP to detect errors in the TMN protocol. IEEE Trans. Software Eng. 23(10), 659–669 (1997)
- [7] Pérez, H., Gutiérrez, J.J.: Modeling the qos parameters of DDS for eventdriven real-time applications. Journal of Systems and Software 104, 126– 140 (2015)
- [8] Roscoe, A.W.: The Theory and Practice of Concurrency. Prentice Hall (1997)
- [9] Roscoe, A.W.: Understanding Concurrent Systems. Texts in Computer Science, Springer (2010)
- [10] Youssef, T.A., Hariri, M.E., Elsayed, A.T., Mohammed, O.A.: A ddsbased energy management framework for small microgrid operation and control. IEEE Trans. Industrial Informatics 14(3), 958–968 (2018)