Compositional Verification of Timed Systems. A Concept.
Bengt Jonsson, Leonid Mokrushin, Xiaochun Shi, Wang Yi
Uppsala University, Sweden
Distributed Embedded Systems Workshop, 23.11.05, Lorentz Center
Informationsteknologi
Institutionen för informationsteknologi | www.it.uu.se
The Problem: Robot Controller
[Figure: pipeline of components A, B, C, D with queue annotations 100, 13, 1, 10; labels: Commands, High-level instructions, Precise moves, Requests, Welding program; 2.5·10^6 LoC]
Properties of Interest
Buffer Overflow/Underflow: component D never stops when welding
Sufficient Buffer Sizes
Schedulability: components execute tasks on a single CPU
Task Response Times (and their reserve)
[Figure: the same A, B, C, D pipeline with queue annotations 100, 13, 1, 10; labels: Commands, High-level instructions, Precise moves, Requests]
Verification Using TA Models
System abstraction: TA model. Tasks, Scheduler: TA model. Properties: TCTL formulae.
UPPAAL/TIMES: trying to search for bugs in "all the combinations of local states":
S1 || S2 || ... || Sm || q1 || q2 || ... || qn
Very difficult, often impossible.
Stream Transformers
System/Component = Stream Transformer
Kahn Process Networks [Kahn74]: one-way infinite FIFO queues, deterministic model.
Queue data is independent of the process firing order.
[Figure: processes A1, A2, A3 connected by queues Q1, Q2, with event streams over time on the edges]
Abstract Stream Transformers
Network Calculus, Arrival Curves [recent work, 90s-2005]
[Figure: the same A1, A2, A3 / Q1, Q2 network, with every edge now labelled "Set of streams"]
Abstract Stream
Slide a timed window of a fixed size; count the max/min number of events in the window.
Choose another window size, etc.
[Figure: events on a time axis t, with windows [0,4] and [1,5] of the same size slid along it]
Arrival Curve
[Figure: curve C plotted as # of events against window size, with a lower bound and an upper bound]
L(C) = set of streams (set of event streams satisfying all bounds for all window sizes)
Modular Analysis (no feedback)
System/Component = Arrival Curve Transformer
[Figure: A1 connected to A2 through queue Q1; labels: "Assumption on the environment", "The maximal component capability"]
This can be done modularly if there is no feedback. We may need a buffer to connect them. Comparing the curves we will answer:
Can A1 and A2 "work together"? (All the events generated by A1 will be received and processed by A2.)
What is the sufficient size of the buffer?
What is the output curve of A2?
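The arrival-curve construction of the Abstract Stream and Arrival Curve slides, together with the buffer-size question on this slide, as an added Python example (not from the talk, UPPAAL or TIMES). It assumes discrete time where a window of size w is the closed interval [t, t+w] of integer instants (matching the [0,4], [1,5] windows above), uses constructed sample data for the event stream and the consumer's service curve, and takes the buffer size from the standard network-calculus backlog bound max_w (alpha(w) - beta(w)), which is sound only if the window sizes reach the longest possible backlog period (the talk's "bound on max window size").

```python
# Constructed sample stream (not from the talk): integer timestamps of events
# emitted by a component; a multiset, so two events may share an instant.
EVENTS = [0, 1, 5, 6, 7, 12, 13, 18, 19, 20]

def window_count(events, t, w):
    """Number of events in the closed window [t, t+w] (the slide's [0,4] style)."""
    return sum(1 for e in events if t <= e <= t + w)

def arrival_curve(events, window_sizes, horizon=None):
    """Slide a window of each requested size over [0, horizon] and record the
    min and max count seen: {w: (lower, upper)}.  This is the abstraction step
    of the slides: one concrete stream yields a lower and an upper bound per
    window size."""
    horizon = max(events) if horizon is None else horizon
    curve = {}
    for w in window_sizes:
        counts = [window_count(events, t, w) for t in range(0, horizon - w + 1)]
        curve[w] = (min(counts), max(counts))
    return curve

def admits(curve, events, horizon):
    """Membership test for L(C): the stream is in the language of the curve iff
    every window of every size in the curve respects both bounds."""
    for w, (lo, hi) in curve.items():
        for t in range(0, horizon - w + 1):
            if not lo <= window_count(events, t, w) <= hi:
                return False
    return True

def buffer_bound(producer_curve, consumer_service_curve):
    """Sufficient FIFO size between a producer and a consumer: the network-calculus
    backlog bound max_w (alpha(w) - beta(w)), with alpha the producer's upper
    arrival bound and beta the consumer's lower service bound (events it is
    guaranteed to process in any window of size w).  Both curves must be given
    on the same window sizes, and those sizes must reach the longest possible
    backlog period for the bound to be sound."""
    return max(producer_curve[w][1] - consumer_service_curve[w][0]
               for w in producer_curve)

if __name__ == "__main__":
    curve = arrival_curve(EVENTS, window_sizes=[2, 4])
    print("arrival curve:", curve)                           # {2: (0, 3), 4: (1, 3)}
    print("same stream admitted:", admits(curve, EVENTS, horizon=20))
    # Constructed service curve of the consumer (assumption): at least 1 event
    # served in any window of size 2, at least 2 in any window of size 4.
    service = {2: (1, 2), 4: (2, 4)}
    print("sufficient buffer:", buffer_bound(curve, service))  # 2
```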
Transforming Curves Using TA
[Figure: TA model of a system component placed between an Event Generator on its input (arrival curve) and an Event Observer on its output (departure curve); L(EG) = L(AC); verification(s) in UPPAAL]
What About Feedback?
We may first assume some input curves, e.g. the "worst case" or the "maximum capability".
Compute the output curves by approximations.
Iterate…
[Figure: components A, B, C, D in a chain with feedback]
Resources & Scheduling
FPS, priority order: Priority(A) < Priority(B) < Priority(C) < Priority(D)
Service Curves: same as arrival curves, but express the available resource within windows.
Service Curve Generators/Observers
[Figure: components A, B, C, D sharing the CPU; 100% of the resource offered to the chain, <100% left after each component]
Putting It All Together
Given input data and resource curves
1. Propagate resource to the left, assuming the "worst case" for data.
2. Propagate "real" data to the right, using pre-computed resources.
3. Using the new data, refine step 1.
4. Using the new resource, refine step 2.
5. Iterate until it stabilizes (e.g. output/resource).
[Figure: components A, B, C, D; input data flows to the right, resource (100%) propagates to the left]
Cons & Pros
One component at a time (no big product, GALP)
Composability analysis (buffers)
Possibility to parallelize verification
Heterogeneous systems (a potential to combine different formalisms)
Preemptive FPS
Feedback
Bound on max window size
EDF
Shared resources
Precedence constraints