Compositional Analysis of Timed Systems by Abstraction - PowerPoint PPT Presentation

Description:

ABB robot controller (2 500 000 loc) Real time tasks A,B,C,D ... no big product (GALP) Possibility to parallelize verification. Heterogeneous systems ... – PowerPoint PPT presentation

Slides: 30
Provided by: erikb4
1
Compositional Analysis of Timed Systems by Abstraction
  • Leonid Mokrushin
  • TAPVES
  • 2007-02-08

2
Outline
  • Motivation
  • Arrival/Service Curves
  • Compositional Analysis
  • TA as Curve Transformers
  • Abstracting TA
  • Examples and Demo
  • Conclusions

3
The ABB Robot Controller
[Figure: a welding program issues high-level instructions; commands and requests pass through the real-time tasks A, B, C, D, which produce the precise moves of the robot]
  • ABB robot controller (2 500 000 loc)
  • Real-time tasks A, B, C, D
  • Read inputs from channels, write outputs to channels
  • Task priority order D > C > B > A (FPS)
  • Buffer overflow/underflow, WCRT

4
Old Results (CFSM)
  • Turing power
  • Equivalent to finite automata
  • People: Brand, Zafiropulo, Pachl, Purush Iyer, Finkel, Abdulla, Jonsson
[Figure: configurations of communicating finite-state machines A and B connected by FIFO channels, including the half-duplex case]
5
Communicating Timed Automata (CTA)
  • Replace finite automata by timed automata
  • Communication via unbounded FIFO channels
  • Time is global (time passes globally and for all automata at the same pace)
  • A, B, C: timed automata
  • Negative results carry over
  • Positive results do not carry over (previous proofs do not work in the timed setting)
[Figure: timed automata A and B connected by a FIFO channel]
6
CTA - Results
CAV06 (Pavel, Wang)
  • CTA with one channel
    • Accepts non-regular context-free languages
    • Only regular languages in the untimed case!
    • Equivalent to Petri nets with one unbounded place (eager reading: one-counter machines)
  • CTA with two channels
    • Non-context-free context-sensitive languages
    • Petri nets with two unbounded places (eager reading: Turing machines)
[Figure: CTA with one channel from A to B, and CTA with two channels between A and B]
7
The ABB Robot Controller
[Figure: task automata TA_A, TA_B, TA_C, TA_D together with a scheduler automaton TA_SCH, a task ready queue and shared variables]
TA_A × TA_B × TA_C × TA_D × TA_SCH with queues is TOO BIG
8
  • In general
    • Precise analysis is impossible
  • Our hope
    • Find a suitable abstraction

9
Kahn Process Networks (70s)
  • Modeling Distributed, Signal Processing Systems

[Figure: Kahn process network with processes A, B, C connected by the streams S1 to S6]
  • S1, S2, S3, ...: streams
    • possibly infinite sequences of letters
  • A, B, C: processes
    • mappings from streams to streams, e.g., B(S2, S6) → S5

10
Abstract Stream Transformers
[Figure: network of abstract stream transformers A1, A2, A3 with queues Q1 and Q2; every connection carries an abstract stream]
  • Components: abstract stream transformers
  • An abstract stream defines a timed language
  • Asynchronous communication
  • Network Calculus (Cruz, Le Boudec, Thiran, 1991-2004)
    • Arrival curves
  • Real-Time Calculus (Thiele, Chakraborty, 2000s)
    • Upper/lower arrival/service curves

11
Arrival/Service Curves
Arrival curves (events / data): number of events against window size, bounded above and below
Service curves (resources): available service against window size, bounded above and below
[Figure: an event trace over time and an available-resource trace over time, each summarised by its upper bound and lower bound curve]
Event stream:    (a,3)(a,3.34)(a,3.39)(a,4)(a,10)...
Resource stream: (100,0)(50,3.3)(100,7)...
12
Building an Arrival Curve
  • Slide a timed window of a fixed size
  • Count the max/min number of events in the window
  • Choose another window size, etc.
[Figure: event trace on a time axis; sliding a window of one size yields the counts 0,4, a second window size yields the counts 1,5]
13
Timing Analysis
[Figure: worst-case request (upper arrival curve) and guaranteed resource (lower service curve) plotted as number of events against window size; the vertical gap is the required buffer size, the horizontal gap the response time (flow delay bound)]
  • Backlog bound: max vertical distance
    • required buffer size
  • Delay bound: max horizontal distance
    • flow delay bound

14
Compositional Timing Analysis
[Figure: a TASK component with event stream input SI, available resources SAR, output event stream SO and remaining resources SRR, placed in a pipeline of tasks T1 to T4]
  • Component: stream transformer
  • Stream: upper/lower bounds
  • Real-Time Calculus
    • SO = fE(SI, SAR), SRR = fR(SI, SAR)
  • Compositional analysis
    • Scheduling, end-to-end delay, backlog

15
Resource Scheduling
[Figure: tasks A, B, C, D share one CPU; the service remaining after each task is passed on to the next lower priority]
  • Fixed priority scheduling policy
  • Priority order: Priority(A) < Priority(B) < Priority(C) < Priority(D)
  • Highest priority task has 100% of the CPU
  • Negative service curve: non-schedulable
  • Opposite direction gives min resource

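The three steps above (slide 12: sliding a window over the trace to obtain the upper/lower arrival curve; slide 13: reading the backlog bound off the max vertical distance and the delay bound off the max horizontal distance; slide 15: handing the remaining service down the fixed-priority chain) can be worked through on a small integer time grid. The Python below is an added example and is not code from the slides or from the TIMES/UPPAAL tools. Everything in it is constructed here: the two event traces, the rate-latency CPU service curve, the convention that service is counted in jobs (one unit of service completes one event), the Real-Time Calculus formula used for the remaining service, and all function names.

```python
"""Arrival/service curves on an integer time grid (added example; all
traces, the CPU curve and the function names are constructed here).

A curve is a list indexed by window size delta = 0..HORIZON.  Service is
measured in jobs, so one unit of service finishes one event (assumption).
"""
from fractions import Fraction

HORIZON = 30  # largest window size (dt) considered, in ticks

# Constructed traces: task D releases a burst of three events every 10
# ticks, task C one event every 10 ticks (timestamps in ticks).
D_TRACE = [0, 1, 2, 10, 11, 12, 20, 21, 22]
C_TRACE = [5, 15, 25]


def arrival_curves(trace, horizon=HORIZON):
    """Slide 12: for every window size, slide a window [s, s+delta) over
    [0, horizon] and record the max / min number of events it contains.
    Returns (upper, lower) arrival curves."""
    events = sorted(trace)
    upper, lower = [], []
    for delta in range(horizon + 1):
        counts = [sum(1 for t in events if s <= t < s + delta)
                  for s in range(horizon - delta + 1)]
        upper.append(max(counts))
        lower.append(min(counts))
    return upper, lower


def rate_latency_service(rate, latency, horizon=HORIZON):
    """Lower service curve of a resource that, after an initial latency,
    guarantees `rate` jobs per tick: beta(delta) = max(0, rate*(delta-latency))."""
    return [max(Fraction(0), Fraction(rate) * (d - latency))
            for d in range(horizon + 1)]


def backlog_bound(alpha_u, beta_l):
    """Slide 13: max vertical distance between the upper arrival curve and
    the lower service curve = required buffer size (in events)."""
    return max(a - b for a, b in zip(alpha_u, beta_l))


def delay_bound(alpha_u, beta_l):
    """Slide 13: max horizontal distance.  For each window size delta, find
    the smallest tau such that the service offered within delta+tau covers
    the events that may arrive within delta.  Returns None if some demand is
    never covered within the horizon, i.e. the task is not schedulable here."""
    worst, n = 0, len(beta_l)
    for delta, demand in enumerate(alpha_u):
        tau = next((t for t in range(n - delta)
                    if beta_l[delta + t] >= demand), None)
        if tau is None:
            return None
        worst = max(worst, tau)
    return worst


def remaining_service(beta_l, alpha_u):
    """Slide 15: service left over for the next lower priority after a task
    with upper arrival curve alpha_u has been served (Real-Time Calculus):
    beta'(delta) = sup_{0 <= lam <= delta} (beta(lam) - alpha_u(lam))."""
    out, best = [], Fraction(0)
    for b, a in zip(beta_l, alpha_u):
        best = max(best, b - a)
        out.append(best)
    return out


def fixed_priority_analysis(tasks, beta_l):
    """Walk the tasks from highest to lowest priority: each task is analysed
    against the service left by the tasks above it and passes its own
    remaining service down.  Returns {name: (backlog bound, delay bound)}."""
    results, service = {}, beta_l
    for name, trace in tasks:
        alpha_u, _ = arrival_curves(trace, len(service) - 1)
        results[name] = (backlog_bound(alpha_u, service),
                         delay_bound(alpha_u, service))
        service = remaining_service(service, alpha_u)
    return results


# Constructed CPU: half a job per tick after a latency of 2 ticks.
BETA_CPU = rate_latency_service(Fraction(1, 2), 2)

if __name__ == "__main__":
    analysis = fixed_priority_analysis([("D", D_TRACE), ("C", C_TRACE)], BETA_CPU)
    for name, (backlog, delay) in analysis.items():
        print(f"task {name}: buffer >= {backlog} events, "
              f"response time <= {delay} ticks")
```

For the constructed traces, task D needs a buffer of 2.5 events (so 3 slots) and answers within 5 ticks, while task C, which only gets D's leftovers, needs 1 slot but may wait 9 ticks. A `None` from `delay_bound` plays the role of the slide's "negative service curve": some demand is never covered within the horizon, so the task cannot be scheduled on what is left of the resource.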
16
Timed Automata with Tasks
  • Events
    • Actions
    • Timing constraints
      • Clocks / Guards / Resets
    • Complex event patterns
  • Tasks
    • Asynchronous execution
    • WCET, Deadline
    • Scheduling policy
    • Precedence constraints
    • Resource constraints
[Figure: an edge of a timed automaton with guard x < 3, action a!, reset x := 0 and the released Task (C, D)]
17
Run of TAT
(Idle, x=0, [])
  --0.1-->  (Idle, x=0.1, [])
  -->       (RelP, x=0, [P(2,8)])
  --1.5-->  (RelP, x=1.5, [P(0.5,6.5)])
  -->       (RelQ, x=1.5, [P(0.5,6.5), Q(2,20)])
  --1.5-->  (RelQ, x=3, [Q(1,18.5)])
  -->       (Idle, x=3, [Q(1,18.5)])
  -->       (RelP, x=0, [P(2,8), Q(1,18.5)])
  --2-->    (RelP, x=2, [Q(1,16.5)])
[Figure: locations Idle, P, Q on a timeline with marks at 0.1, 1.6, 2.1, 3.1, 5.1]
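The run above can be replayed step by step. The Python below is an added example, not code from the slides or from the TIMES tool: it encodes a state as (location, clock x, ready queue), a delay transition that lets the head of the queue compute while every queued deadline shrinks, and a discrete transition that may reset x and release a task instance. The priority of P over Q is read off the queue order on the slide and is an assumption, as are the class and function names.

```python
"""Run of a timed automaton with tasks (TAT), replayed in Python.

Added example; not code from the slides or the TIMES tool.  The state
(location, clock x, task queue) and the transition rules follow the run on
the slide; the fixed priority of P over Q is an assumption read off the
queue order shown there.  Times are floats (every value in the run is exact).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed priorities: lower number runs first (P precedes Q in the slide's queue).
PRIORITY = {"P": 0, "Q": 1}
# Task parameters (computation time C, relative deadline D) as on the slide.
TASK_PARAMS = {"P": (2.0, 8.0), "Q": (2.0, 20.0)}

Snapshot = Tuple[str, float, List[Tuple[str, float, float]]]


@dataclass
class Job:
    name: str
    remaining: float   # computation time still to run
    deadline: float    # time left until the deadline


@dataclass
class State:
    location: str
    x: float
    queue: List[Job] = field(default_factory=list)

    def snapshot(self) -> Snapshot:
        return (self.location, self.x,
                [(j.name, j.remaining, j.deadline) for j in self.queue])


def delay(state: State, d: float) -> State:
    """Time passes: the clock advances, the head of the ready queue runs
    (preemptive fixed priority), every queued job's deadline shrinks, and
    finished jobs leave the queue."""
    queue = [Job(j.name, j.remaining, j.deadline) for j in state.queue]
    left = d
    while left > 0 and queue:
        head = queue[0]
        run = min(head.remaining, left)
        for job in queue:
            job.deadline -= run
        head.remaining -= run
        left -= run
        if head.remaining <= 0:
            queue.pop(0)
    return State(state.location, state.x + d, queue)


def fire(state: State, location: str, reset: bool = False,
         release: Optional[str] = None) -> State:
    """Discrete transition: move to `location`, optionally reset x, and
    optionally release a fresh instance of a task into the ready queue,
    ordered by priority (stable sort, so equal priorities stay FIFO)."""
    queue = [Job(j.name, j.remaining, j.deadline) for j in state.queue]
    if release is not None:
        c, dl = TASK_PARAMS[release]
        queue.append(Job(release, c, dl))
        queue.sort(key=lambda j: PRIORITY[j.name])
    return State(location, 0.0 if reset else state.x, queue)


def missed_deadline(state: State) -> Optional[str]:
    """Name of the first queued job whose deadline has already passed, if any."""
    for job in state.queue:
        if job.deadline < 0:
            return job.name
    return None


def slide_run() -> List[Snapshot]:
    """Replay the run from the slide and return every state reached."""
    steps = [lambda s: delay(s, 0.1),
             lambda s: fire(s, "RelP", reset=True, release="P"),
             lambda s: delay(s, 1.5),
             lambda s: fire(s, "RelQ", release="Q"),
             lambda s: delay(s, 1.5),
             lambda s: fire(s, "Idle"),
             lambda s: fire(s, "RelP", reset=True, release="P"),
             lambda s: delay(s, 2.0)]
    s = State("Idle", 0.0)
    trace = [s.snapshot()]
    for step in steps:
        s = step(s)
        assert missed_deadline(s) is None, "deadline miss in the slide's run"
        trace.append(s.snapshot())
    return trace


if __name__ == "__main__":
    for loc, x, queue in slide_run():
        print(f"({loc}, x={x}, {queue})")
```

The second release of P lands ahead of the waiting Q, so during the final delay of 2 only P computes and Q merely loses 2 units of deadline, which is exactly the last state on the slide. `missed_deadline` is the check a schedulability analysis would run after every delay.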
18
TA as Curve Transformers
[Figure: the TIMES tool: timed automata TA1 and TA2 with synchronisations a!, b?, c! release tasks T1, T2, T3 into the OS ready queue; the scheduling policy assigns the CPU and signals task completion]
  • Timed Automata as complex task release patterns
  • We have to make them operate on curves

19
TA <-> Curve Transformation
[Figure: an arrival curve AC is turned into an event generator EG; the TA model F of a system component consumes the generated input, and an event observer EO measures the departure curve on its output; the curve transformation is carried out with UPPAAL]
  • L(EG) = L(AC)
  • L(F(AC)) ⊆ L(EO)
  • Assumption: the composition A_EG || A_Fi || A_EO is possible for every component Fi
20
Encoding Arrival Curves as TA
[Figure: the generator automaton keeps a circular clock buffer x1..x7 with a pointer; the invariant comes from the lower bound and the guard from the upper bound; guards of the form x[4] > M[i-1], x[3] > M[i-2], x[2] > M[i-3], x[1] > M[i-4]; the curves MUB (upper) and mLB (lower) are plotted as number of events against window size, with CN = 7]
  • Generator
    • Invariant: from the lower bound
    • Guard: from the upper bound

UPPAAL declarations of the generator:

  const int LB = 12;  // number of entries in the lower-bound curve
  const int UB = 12;  // number of entries in the upper-bound curve
  const int mLB[LB] = {0,0,0,1,1,1,2,2,3,3,3,4};  // min events per window size
  const int MUB[UB] = {2,2,4,4,4,4,5,5,7,7,7,7};  // max events per window size
  // size of the circular clock buffer: the larger of the two final bounds
  const int CN = mLB[LB-1] < MUB[UB-1] ? MUB[UB-1] : mLB[LB-1];
  clock x[CN];           // one clock per remembered event
  int[0,CN-1] index;     // pointer to the slot of the next event
  int[0,CN] counter;     // number of events remembered so far
  int[0,UB] v;

  // slot of the event released `backtrack` events ago (wraps around)
  int[0,CN-1] getIndex(int backtrack) {
      int i = index - backtrack;
      if (i < 0) i += CN;
      return i;
  }

  // record a new event: restart its clock and advance the pointer
  void addNewEvent() {
      x[index] = 0;
      index = (index == CN-1 ? 0 : index + 1);
      if (counter < CN) counter++;
  }
21
Approximating TA with Arrival Curves
Observer
  • A_SYSTEM || A_OBSERVER
  • One clock, one integer
  • Non-deterministic window offset
  • One window → one state-space exploration
  • Max considerable window size (dt) must be specified
[Figure: observer automaton with clock x and int counter; it opens a window at x := 0 at a non-deterministic moment and records the max/min number of events seen when x == dt]
22
A Problem with Approximation
[Figure: number of events against window size; beyond the last measured dt the over-approximated stream diverges from the actual stream]
  • We need to know a safe value of dt

23
A Problem with Approximation
[Figure: number of events against window size; the service curve meets the measured part of the curve, so the response time can still be read off]
  • Sometimes we can still perform timing analysis using precise data
  • An adaptive approach?

24
Another Algorithm
[Figure: number of events against window size; a segment of slope a = m/n touches the curve]
  • Angle a is rational
    • m, n integers
    • LCM(m,n) can become very big (hyperperiod)
    • Rapid slow-down
  • Search for the segment that touches the curve
  • Find the smallest intersection point and repeat
  • Encoding of the intersection criterion into TA

25
Simple Scheduling Example
  • 4 tasks: 3 periodic, 1 aperiodic (TA)
  • Preemptive fixed priority scheduling
  • Given BCET/WCET
  • Abstracting the release pattern with streams
  • Analysis
    • Worst-case response time
    • Required OS ready queue size

26
An Example with Feedback
[Figure: TASK1 and TASK2 share one CPU; the input stream and an initial condition are combined by an AND into TASK1, and the outputs of the two tasks feed back into each other]
  • TASK1 input depends on the TASK2 output
  • TASK1 uses TASK2's remaining resource
  • TASK2 input depends on the TASK1 output
  • Given
    • TASK1 input stream
    • Initial condition on the activation of TASK2
  • Iterative computation until a fixed point

27
Books & Papers
  • Rene L. Cruz. A Calculus for Network Delay. IEEE Transactions on Information Theory, 1991.
  • J.-Y. Le Boudec, P. Thiran. Network Calculus: A Theory of Deterministic Queuing Systems for the Internet. 2004.
  • L. Thiele, S. Chakraborty, M. Naedele. Real-time Calculus for Scheduling Hard Real-Time Systems. Proc. of ISCAS, 2000.
  • L. Thiele, S. Chakraborty, M. Gries, A. Maxiaguine, J. Greutert. Embedded Software in Network Processors: Models and Algorithms. Proc. of EMSOFT, 2001.
  • E. Wandeler, L. Thiele. Real-Time Interfaces for Interface-Based Design of Real-Time Systems with Fixed Priority Scheduling. 2005.
  • P. Krcal, L. Mokrushin, W. Yi. A Tool for Compositional Analysis of Timed Systems by Abstraction. Tool paper submitted to CAV 2007.

28
Conclusions
  • Abstraction technique for timed component systems
    • One component at a time
      • no big product (GALP)
    • Possibility to parallelize verification
    • Heterogeneous systems
      • a potential to combine different formalisms
  • Prototype
  • How good is our abstraction? (Examples)
  • Feedback? (Termination)
  • Bound on max window size? (Adaptation?)
  • Shared resources? (Priority Ceiling Protocol)

29
Thank you!