Real Time Validation of Embedded Systems

1
Real Time Validation of Embedded Systems

• Gerd Behrmann
• Kim G Larsen

2
Collaborators

• _at_UPPsala
• Wang Yi
• Paul Pettersson
• John Håkansson
• Anders Hessel
• Pavel Krcal
• Leonid Mokrushin
• Shi Xiaochun

• _at_AALborg
• Kim G Larsen
• Gerd Behrman
• Arne Skou
• Brian Nielsen
• Alexandre David
• Jacob Illum Rasmussen
• Marius Mikucionis

• _at_Elsewhere
• Emmanuel Fleury, Didier Lime, Johan Bengtsson,
  Fredrik Larsson, Kåre J Kristoffersen, Tobias
  Amnell, Thomas Hune, Oliver Möller, Elena
  Fersman, Carsten Weise, David Griffioen, Ansgar
  Fehnker, Frits Vandraager, Theo Ruys, Pedro
  DArgenio, J-P Katoen, Jan Tretmans, Judi Romijn,
  Ed Brinksma, Martijn Hendriks, Klaus Havelund,
  Franck Cassez, Magnus Lindahl, Francois
  Laroussinie, Patricia Bouyer, Augusto Burgueno,
  H. Bowmann, D. Latella, M. Massink, G. Faconti,
  Kristina Lundqvist, Lars Asplund, Justin
  Pearson...

3
UPPAAL Branches
CLASSIC

• Real Time Verification
• Real Time Scheduling Planning
• Real Time Controller Synthesis
• Real Time Testing

CORA
TIGA
TRON
4
Real Time Systems
sensors
actuators
Controller Program Discrete
Plant Continuous
Eg.
Realtime Protocols Pump Control Air
Bags Robots Cruise Control ABS CD
Players Production Lines
Real Time System A system where correctness not
only depends on the logical order of events but
also on their timing!!
5
Real Time Model Checking
Plant Continuous
Controller Program Discrete
sensors
actuators
SAT ? ??
6
Real Time Control Synthesis
Plant Continuous
Controller Program Discrete
sensors
??
actuators
SAT ? !!
7
Overview

• Real Time Verification
• Modelling Specification
• Datastructures Algorithms
• Options Patterns
• Protocol Validation
• UPPAAL 4.0 demo
• Real Time Scheduling Planning
• Timed Automata Scheduling
• Priced Timed Automata Optimal Scheduling

8
Real Time Verification
CLASSIC
9
Timed AutomataAlur Dill 1989
10
Dumb Light Control
press?
Off
Light
Bright
press?
press?
press?
WANT if press is issued twice quickly then
the light will get brighter otherwise the light
is turned off.
11
Dumb Light Control
press?
Off
Light
Bright
X0
press?
press?
Xlt3
press?
Xgt3
Solution Add real-valued clock x
12
Timed Automata review
Alur Dill 1990
Clocks x, y
Guard Boolean combination of integer bounds on
clocks
n
Reset Action performed on clocks
Action used for synchronization
xlt5 ygt3
State ( location , xv , yu ) where v,u are
in R
a
Transitions
x 0
a
( n , x2.4 , y3.1415 )
( m , x0 , y3.1415 )
Discrete Trans
m
e(1.1)
( n , x2.4 , y3.1415 )
( n , x3.5 , y4.2415 )
Delay Trans
13
Timed Automata review Invariants
n
Clocks x, y
xlt5
Transitions
xlt5 ygt3
e(3.2)
Location Invariants
( n , x2.4 , y3.1415 )

a
e(1.1)
( n , x2.4 , y3.1415 )
( n , x3.5 , y4.2415 )
x 0
m
Invariants ensure progress!!
ylt10
g4
g1
g3
g2
14
Networks of Timed Automata (ala CCS)
m1
l1
Two-way synchronization on complementary
actions. Closed Systems!
xgt2
ylt4
.

a!
a?

x 0

l2
m2
Example transitions
(l1, m1,, x2, y3.5,..)
(l2,m2,..,x0, y3.5, ..)
(l1,m1,,x2.2, y3.7, ..)
tau
0.2
If a URGENT CHANNEL
15
Network Semantics
where
?
?
?
?
X
X
!
?
?
?
?
?
X
X
16
Network Semantics (URGENT synchronization)
Urgent synchronization
where
?
?
?
?
X
X
!
?
?
?
?
?
X
X
17
LEGO Mindstorms/RCX

• Sensors temperature, light, rotation, pressure.
• Actuators motors, lamps,
• Virtual machine
• 10 tasks, 4 timers, 16 integers.
• Several Programming Languages
• NotQuiteC, Mindstorm, Robotics, legOS, etc.

3 output ports
1 infra-red port
3 input ports
18
A Real Real Timed System
Controller Program LEGO MINDSTORM
The Plant Conveyor Belt Bricks
19
First UPPAAL modelSorting of Lego Boxes
Ken Tindell
Piston
Boxes
eject
remove
99
Conveyer Belt
Red
81
18
90
9
Blck Yel
Controller
MAIN
PUSH
Black
Exercise Design Controller so that black
boxes are being pushed out
20
NQC programs
int active int DELAY int LIGHT_LEVEL
task MAIN DELAY75 LIGHT_LEVEL35
active0 Sensor(IN_1, IN_LIGHT)
Fwd(OUT_A,1) Display(1) start PUSH
while(true) wait(IN_1ltLIGHT_LEVEL)
ClearTimer(1) active1 PlaySound(1)
wait(IN_1gtLIGHT_LEVEL)
task PUSH while(true) wait(Timer(1)gtDELAY
active1) active0 Rev(OUT_C,1)
Sleep(8) Fwd(OUT_C,1) Sleep(12)
Off(OUT_C)
21
UPPAAL Demo
22
A Black Brick
23
Control Tasks Piston
GLOBAL DECLARATIONS const int ctime
75 int0,1 active clock x, time chan
eject, ok urgent chan blck, red, remove, go
24
From RCX to UPPAAL and back

• Model includes Round-Robin Scheduler.
• Compilation of RCX tasks into TA models.
• Presented at ECRTS 2000 in Stockholm.
• From UPPAAL to RCX Martijn Hendriks.

Task MAIN
25
The Production Cell in LEGO
Course at DTU, Copenhagen
Rasmus Crüger Lund Simon Tune Riemanni
Production Cell
26
Train Crossing
Stopable Area
10,20
3,5
Crossing
7,15
River
Queue
Gate
27
Train Crossing
Communication via channels and shared variable.
Stopable Area
10,20
appr, stop
3,5
leave
Crossing
7,15
el
go
River
empty nonempty hd, add,rem
Queue
Gate
28
Queries Specification Language
29
Logical Specifications

• Validation Properties
• Possibly Eltgt P
• Safety Properties
• Invariant A P
• Pos. Inv. E P
• Liveness Properties
• Eventually Altgt P
• Leadsto P ? Q
• Bounded Liveness
• Leads to within P ? t Q

• The expressions P and Q must be type safe,
  side effect free, and evaluate to a boolean.
• Only references to integer variables, constants,
  clocks, and locations are allowed (and arrays of
  these).

30
Logical Specifications

• Validation Properties
• Possibly Eltgt P
• Safety Properties
• Invariant A P
• Pos. Inv. E P
• Liveness Properties
• Eventually Altgt P
• Leadsto P ? Q
• Bounded Liveness
• Leads to within P ? t Q

31
Logical Specifications

• Validation Properties
• Possibly Eltgt P
• Safety Properties
• Invariant A P
• Pos. Inv. E P
• Liveness Properties
• Eventually Altgt P
• Leadsto P ? Q
• Bounded Liveness
• Leads to within P ? t Q

32
Logical Specifications

• Validation Properties
• Possibly Eltgt P
• Safety Properties
• Invariant A P
• Pos. Inv. E P
• Liveness Properties
• Eventually Altgt P
• Leadsto P ? Q
• Bounded Liveness
• Leads to within P ? t Q

33
Logical Specifications

• Validation Properties
• Possibly Eltgt P
• Safety Properties
• Invariant A P
• Pos. Inv. E P
• Liveness Properties
• Eventually Altgt P
• Leadsto P ? Q
• Bounded Liveness
• Leads to within P ? t Q

t
t
34
Train Crossing
Communication via channels and shared variable.
Stopable Area
10,20
appr, stop
3,5
leave
Crossing
7,15
el
go
River
empty nonempty hd, add,rem
Queue
Gate
35
Case-Studies Controllers

• Gearbox Controller TACAS98
• Bang Olufsen Power Controller
  RTPS99,FTRTFT2k
• SIDMAR Steel Production Plant RTCSA99, DSVV2k
• Real-Time RCX Control-Programs ECRTS2k
• Experimental Batch Plant (2000)
• RCX Production Cell (2000)
• Terma, Verification of Memory Management for
  Radar (2001)
• Scheduling Lacquer Production (2005)
• Memory Arbiter Synthesis and Verification for a
  Radar Memory Interface Card NJC05

36
Case Studies Protocols

• Philips Audio Protocol HS95, CAV95, RTSS95,
  CAV96
• Collision-Avoidance Protocol SPIN95
• Bounded Retransmission Protocol TACAS97
• Bang Olufsen Audio/Video Protocol RTSS97
• TDMA Protocol PRFTS97
• Lip-Synchronization Protocol FMICS97
• Multimedia Streams DSVIS98
• ATM ABR Protocol CAV99
• ABB Fieldbus Protocol ECRTS2k
• IEEE 1394 Firewire Root Contention (2000)
• Distributed Agreement Protocol Formats05
• Leader Election for Mobile Ad Hoc Networks
  Charme05

37
The UPPAALVerification Engine
38
Overview

• Zones and DBMs
• Minimal Constraint Form
• Clock Difference Diagrams
• Distributed UPPAAL CAV2000, STTT2004
• Unification Sharing FTRTFT2002, SPIN2003
• Acceleration
  FORMATS2002
• Static Guard Analysis TACAS2003,TACAS2004
• Storage-Strategies
  CAV2003

39
ZonesFrom infinite to finite
Symbolic state (set)
State (n, x3.2, y2.5 )
(n, 1x4, 1y 3)
Zone conjunction of x-yltn, xltgtn
40
Symbolic Transitions
delays to
n
xgt3
conjuncts to
a
y0
projects to
m
Thus (n,1ltxlt4,1ltylt3) a gt (m,3ltx, y0)
41
Symbolic Exploration
y
x
Reachable?
42
Symbolic Exploration
y
x
Delay
Reachable?
43
Symbolic Exploration
y
x
Left
Reachable?
44
Symbolic Exploration
y
x
Left
Reachable?
45
Symbolic Exploration
y
x
Delay
Reachable?
46
Symbolic Exploration
y
x
Left
Reachable?
47
Symbolic Exploration
y
x
Left
Reachable?
48
Symbolic Exploration
y
x
Delay
Reachable?
49
Symbolic Exploration
y
x
Down
Reachable?
50
Forward Rechability
Init -gt Final ?
INITIAL Passed Ø Waiting
(n0,Z0) REPEAT - pick (n,Z) in Waiting
- if for some Z Z (n,Z) in Passed
then STOP - else (explore) add (m,U)
(n,Z) gt (m,U) to Waiting
Add (n,Z) to Passed UNTIL Waiting Ø
or Final is in Waiting
Final
Waiting
Init
Passed
51
Forward Rechability
Init -gt Final ?
INITIAL Passed Ø Waiting
(n0,Z0) REPEAT - pick (n,Z) in Waiting
- if for some Z Z (n,Z) in Passed
then STOP - else (explore) add (m,U)
(n,Z) gt (m,U) to Waiting
Add (n,Z) to Passed UNTIL Waiting Ø
or Final is in Waiting
Final
Waiting
n,Z
n,Z
Init
Passed
52
Forward Rechability
Init -gt Final ?
INITIAL Passed Ø Waiting
(n0,Z0) REPEAT - pick (n,Z) in Waiting
- if for some Z Z (n,Z) in Passed
then STOP - else /explore/ add (m,U)
(n,Z) gt (m,U) to Waiting
Add (n,Z) to Passed UNTIL Waiting Ø
or Final is in Waiting
Waiting
Final
m,U
n,Z
n,Z
Init
Passed
53
Forward Rechability
Init -gt Final ?
INITIAL Passed Ø Waiting
(n0,Z0) REPEAT - pick (n,Z) in Waiting
- if for some Z Z (n,Z) in Passed
then STOP - else /explore/ add (m,U)
(n,Z) gt (m,U) to Waiting
Add (n,Z) to Passed UNTIL Waiting Ø
or Final is in Waiting
Waiting
Final
m,U
n,Z
n,Z
Init
Passed
54
Canonical Datastructures for Zones Difference
Bounded Matrices
Bellman 1958, Dill 1989
Inclusion
x
1
2
xlt1 y-xlt2 z-ylt2 zlt9
D1
Graph
y
0
9
2
z
? ?
D2
xlt2 y-xlt3 ylt3 z-ylt3 zlt7
x
2
3
3
Graph
y
0
7
3
z
55
Canonical Datastructures for Zones Difference
Bounded Matrices
Inclusion
x
x
1
2
xlt1 y-xlt2 z-ylt2 zlt9
1
2
Shortest Path Closure
4
D1
3
Graph
y
0
y
0
9
5
2
z
2
z
? ?
D2
x
xlt2 y-xlt3 ylt3 z-ylt3 zlt7
x
2
3
Shortest Path Closure
2
3
3
3
y
Graph
0
y
0
6
6
3
7
3
z
z
56
Canonical Datastructures for Zones Difference
Bounded Matrices
Emptiness
x
1
xlt1 ygt5 y-xlt3
D
3
Graph
0
y
-5
Negative Cycle iff empty solution set
Compact
57
Canonical Datastructures for Zones Difference
Bounded Matrices
Future
y
y
Future D
D
x
x
1lt x lt4 1lt y lt3
1ltx, 1lty -2ltx-ylt3
x
4
4
x
x
Remove upper bounds on clocks
-1
Shortest Path Closure
-1
-1
3
3
0
0
0
3
3
2
2
-1
y
y
-1
y
-1
58
Canonical Datastructures for Zones Difference
Bounded Matrices
Reset
y
y
yD
D
x
x
1ltx, 1lty -2ltx-ylt3
y0, 1ltx
x
x
Remove all bounds involving y and set y to 0
-1
-1
3
0
0
0
2
-1
y
0
y
59
Canonical Datastructures for Zones Difference
Bounded Matrices
-4
-4
x1-x2lt4 x2-x1lt10 x3-x1lt2 x2-x3lt2 x0-x1lt3 x3-x
0lt5
x1
x2
x1
x2
Shortest Path Closure O(n3)
4
10
2
3
3
2
3
-2
-2
2
2
x3
x0
x3
x0
1
5
5
60
Canonical Datastructures for Zones Minimal
Constraint Form
RTSS 1997
-4
-4
x1-x2lt4 x2-x1lt10 x3-x1lt2 x2-x3lt2 x0-x1lt3 x3-x
0lt5
x1
x2
x1
x2
Shortest Path Closure O(n3)
4
10
2
3
3
2
3
-2
-2
2
2
x3
x0
x3
x0
1
5
5
-4
x1
x2
Shortest Path Reduction O(n3)
Space worst O(n2) practice O(n)
3
2
3
2
x3
x0
61
(No Transcript)
62
(No Transcript)
63
Earlier Termination
Init -gt Final ?
INITIAL Passed Ø Waiting
(n0,Z0) REPEAT - pick (n,Z) in Waiting
- if for some Z Z (n,Z) in Passed
then STOP - else /explore/ add (m,U)
(n,Z) gt (m,U) to Waiting
Add (n,Z) to Passed UNTIL Waiting Ø
or Final is in Waiting
Waiting
Final
m,U
n,Z
n,Z
Init
Passed
64
Earlier Termination
Init -gt Final ?
INITIAL Passed Ø Waiting
(n0,Z0) REPEAT - pick (n,Z) in Waiting
- if for some Z Z (n,Z) in Passed
then STOP - else /explore/ add (m,U)
(n,Z) gt (m,U) to Waiting
Add (n,Z) to Passed UNTIL Waiting Ø
or Final is in Waiting
Waiting
Final
m,U
n,Z
n,Z
Init
Passed
65
Earlier Termination
Init -gt Final ?
INITIAL Passed Ø Waiting
(n0,Z0) REPEAT - pick (n,Z) in Waiting
- if for some (n,Z) in Passed then STOP
- else /explore/ add (m,U) (n,Z) gt (m,U)
to Waiting Add
(n,Z) to Passed UNTIL Waiting Ø
or Final is in Waiting
Waiting
Final
m,U
n,Z
n,Z1
n,Z2
n,Zk
Init
Passed
66
Clock Difference Diagrams Binary Decision
Diagrams Difference Bounded Matrices
CAV99
CDD-representations

• Nodes labeled with differences
• Maximal sharing of substructures (also across
  different CDDs)
• Maximal intervals
• Linear-time algorithms for set-theoretic
  operations.
• NDDs Maler et. al
• DDDs Møller, Lichtenberg

67
(No Transcript)
68
(No Transcript)
69
Verification Options
70
Verification Options
Search Order Depth First Breadth First State
Space Reduction None Conservative Aggressive S
tate Space Representation DBM Compact
Form Under Approximation Over
Approximation Diagnostic Trace Some Shortest Fa
stest
71
State Space Reduction
However, Passed list useful for efficiency
No Cycles Passed list not needed for termination
72
State Space Reduction
Cycles Only symbolic states involving
loop-entry points need to be saved on Passed
list
73
To Store or Not To Store
Behrmann, Larsen, Pelanek 2003
117 statestotal ! 81 statesentrypoint ! 9
states
Time OH less than 10
Audio Protocol
74
To Store or Not to Store
Behrmann, Larsen, Pelanek 2003
75
Over-approximation Convex Hull
y
5
3
1
x
1
3
5
Convex Hull
TACAS04 An EXACT method performing as well as
Convex Hull has been developed based on
abstractions taking max constants into
account distinguishing between clocks, locations
and
76
Under-approximation Bitstate Hashing
Waiting
Final
m,U
n,Z
n,Z
Init
Passed
77
Under-approximation Bitstate Hashing
1
Passed Bitarray
Waiting
Final
m,U
0
1
n,Z
0
UPPAAL 8 Mbits
Hashfunction F
n,Z
0
Init
Passed
1
78
ModellingPatterns
79
Variable Reduction

• Reduce size of state space by explicitely
  resetting variables when they are not used!
• Automatically performed for clock variables
  (active clock reduction)

80
Variable Reduction
x is only active in location S1
xlt7
81
Synchronous Value Passing
82
Bounded Liveness

• Intent Check for properties that are guaranteed
  to hold eventually within some upper (time)
  bound.
• Provide additional information (with a valid
  bound).
• More efficient verification.
• f leadstot ? reduced to A?(b?z t)with bool b
  set to true and clock z reset when f starts to
  hold. When ? starts to hold, set b to false.

83
Bounded Liveness

• The truth value of b indicates whether or not ?
  should hold in the future.

f
?
A (b imply zt) b --gt not b (for non
zenoness) Eltgt b (for meaningful check)
btrue z0
bfalse
bfalse
f
?
b true, check z t