Modelling and Validation of Real Time Systems
Kim Guldstrand Larsen, Paul Pettersson
BRICS@Aalborg
Real Time Systems, DTU, February 1, 2000. Kim G. Larsen & Paul Pettersson, UCb
BRICS: Basic Research in Computer Science (Aalborg and Aarhus)
Funding: 30+40+40 Mill. kr.
Tools
Other relevant projects: UPPAAL, VHS, VVS
Tools and BRICS
Logic: Temporal Logic, Modal Logic, MSOL, ...
Algorithmic: (Timed) Automata Theory, Graph Theory, BDDs, Polyhedra Manipulation, ...
Semantics: Concurrency Theory, Abstract Interpretation, Compositionality, Models for real-time & hybrid systems, ...
Applications
Tools: HOL, TLP, PVS, ALF, SPIN, visualSTATE, UPPAAL
What?
Validation and Verification of software and hardware DESIGNS!
(E.g., real time systems, embedded systems, communication protocols)
A REAL real time system
Klaus Havelund, NASA
Embedded Systems
SyncMaster 17GLsi
Telephone
Tamagotchi
Mobile Phone
Digital Watch
Why?
Testing/simulation of designs/implementations may not reveal errors (e.g., no errors revealed after 2 days of testing).
Formal verification (= exhaustive exploration of all behaviours of the design) provides 100% coverage of the model (e.g., the error is revealed within 5 min). Note that the coverage is of the model, not of the implementation derived from it.
TOOL support.
Traditional Software Development: The Waterfall Model
Problem Area -> Analysis -> Design -> Implementation -> Testing -> Running System (REVIEWS between the phases)
Costly in time-to-market and money
Errors are detected late or never
Application of FM's (formal methods) as early as possible
Introducing, detecting and repairing errors (Liggesmeyer 98)
Formal Verification & Validation
Design -> Model (UML) -> Specification
Verification & Refusal; Analysis & Validation (FORMAL METHODS)
Model -> Implementation -> Testing
Automatic Code generation (Model -> Implementation)
Automatic Test generation (Model -> Testing)
TOOLS: UPPAAL, visualSTATE, SPIN, .....
How?
Unified Model = State Machine!
Control states, input ports (a?, b?) and output ports (x!, y!); transitions are labelled with the input received or the output emitted.
UPPAAL
SPIN, Gerard Holzmann, AT&T
visualSTATE
Hierarchical state systems
Flat state systems
Multiple and inter-related state machines
Supports UML notation
Device driver access
VVS with Baan Visualstate, DTU (CIT project)
Train Simulator: 1421 machines, 11102 transitions, 2981 inputs, 2667 outputs, 3204 local states; declared state space: 10^476
BUGS?
VVS / visualSTATE: our techniques have reduced verification time by several orders of magnitude (e.g., from 14 days to 6 sec).
'State Explosion' problem
M1 has states 1, 2, 3, 4; M2 has states a, b, c.
M1 x M2 has every combination: (1,a) (2,a) (3,a) (4,a) (1,b) (2,b) (3,b) (4,b) (1,c) (2,c) (3,c) (4,c)
All combinations = exponential in the number of components.
Provably theoretically intractable.
Tool Support
TOOL inputs: System Description A, Requirement F
TOOL outputs: Yes (prototypes, executable code, test sequences) or No! (debugging information)
Tools: UPPAAL, SPIN, VisualSTATE, Statemate, Verilog, Formalcheck, ...
Course Objectives:
• Model systems and specify requirements
• Validate models using TOOLS
• Understand main underlying theoretical and practical problems
IDA lecture, 20.4.99
UPPAAL
Modelling and Verification of Real Time systems
Uppsala (6 persons), Aalborg (10 persons), 1995-
21 papers, 6 invited talks/tutorials
9 industrial case studies
http://www.docs.uu.se/docs/rtmv/uppaal/index.shtml
E.g. pump controls, airbags, robots, cruise control, ABS, CD players
Collaborators
@UPPsala Wang Yi Johan Bengtsson Paul Pettersson Fredrik Larsson Alexandre David Justin Pearson ...
@AALborg Kim G Larsen Arne Skou Paul Pettersson Carsten Weise Kåre J Kristoffersen Gerd Behrman Thomas Hune …..
@Elsewhere Magnus Lindahl, Francois Laroussinie, Augusto Burgueno, David Griffioen,
Ansgar Fehnker, Frits Vandraager, Klaus Havelund, Theo Ruys, Pedro D’Argenio, J-P Katoen, J. Tretmans, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Carsten Weise...
UPPAAL performance, Dec'96 to Sep'98:
from 7.5 hrs / 527 MB on an ONYX with 2 GB (4 Mill. DKK)
to 12.75 sec / 2.1 MB on a Pentium 150 MHz with 32 MB,
or: every 9 months, 10 times better performance!
Hybrid & Real Time Systems
Plant (continuous; Control Theory) <- sensors / actuators -> Controller Program (discrete; Computer Science), structured as tasks
E.g.: Pump Control, Air Bags, Robots, Cruise Control, ABS, CD Players, Production Lines
Real Time System: a system where correctness not only depends on the logical order of events but also on their timing.
Validation & Verification: Construction of UPPAAL models
Plant (continuous) <- sensors / actuators -> Controller Program (discrete), structured as tasks
UPPAAL Model = model of environment (plant, sensors, actuators; user-supplied) + model of tasks (controller program; automatic), each component being a state machine.
Intelligent Light Control
Locations Off, Light and Bright, connected by press? transitions: Off -> Light, Light -> Bright, Light -> Off, Bright -> Off.
WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.
Problem: an untimed state machine cannot distinguish "quickly" from "slowly".
Solution: add a real-valued clock x.
Off --press?, x:=0--> Light
Light --press?, x<=3--> Bright
Light --press?, x>3--> Off
Timed Automata (Alur & Dill 1990)
Clocks: x, y
Edge: n --a, x<=5 & y>3, x:=0--> m
Guard: Boolean combination of comparisons with integer bounds
Reset: action performed on clocks
Action: used for synchronization
State: (location, x=v, y=u) where v, u are in R
Transitions:
delay e(1.1): (n, x=2.4, y=3.1415) -> (n, x=3.5, y=4.2415)   all clocks advance by 1.1
action a:    (n, x=2.4, y=3.1415) -> (m, x=0, y=3.1415)      guard holds, x is reset
Timed Automata - Invariants
Same edge n --a, x<=5 & y>3, x:=0--> m, now with location invariants n: x<=5 and m: y<=10
delay e(1.1): (n, x=2.4, y=3.1415) -> (n, x=3.5, y=4.2415)   allowed, x=3.5 satisfies x<=5
delay e(3.2): (n, x=2.4, y=3.1415) -> refused, x would become 5.6 and violate the invariant x<=5 of n
Invariants ensure progress!! Time cannot pass beyond the bound, so the automaton is forced to leave the location.
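As an added worked example (not code from the slides, and not UPPAAL's own implementation), the following Python simulates exactly the delay and action transitions defined above, including location invariants, and applies them both to the n/m automaton of this slide and to the intelligent light controller of the earlier slide. The class and function names (`Edge`, `TimedAutomaton`, `light_controller`, `slide_automaton`, `light_after`) are my own; guards and invariants are plain Python predicates rather than parsed UPPAAL syntax.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Clocks = Dict[str, float]           # clock valuation, e.g. {"x": 2.4, "y": 3.1415}
State = Tuple[str, Clocks]          # (location, clock valuation); clocks are real-valued


@dataclass
class Edge:
    src: str
    dst: str
    action: Optional[str] = None                        # e.g. "press?"; None = internal step
    guard: Callable[[Clocks], bool] = lambda c: True    # comparisons with integer bounds
    resets: Tuple[str, ...] = ()                        # clocks set to 0 when the edge fires


@dataclass
class TimedAutomaton:
    edges: List[Edge]
    # Location invariants. The slides use upper bounds (x<=5, y<=10); such constraints are
    # convex in time, so checking the invariant at the end of a delay is sufficient.
    invariants: Dict[str, Callable[[Clocks], bool]] = field(default_factory=dict)

    def _inv(self, loc: str, clocks: Clocks) -> bool:
        return self.invariants.get(loc, lambda c: True)(clocks)

    def delay(self, state: State, d: float) -> Optional[State]:
        """Delay transition e(d): every clock advances by d; refused if the invariant breaks."""
        loc, clocks = state
        new = {name: value + d for name, value in clocks.items()}
        return (loc, new) if self._inv(loc, new) else None

    def fire(self, state: State, action: Optional[str]) -> Optional[State]:
        """Action transition: take the first enabled edge with this label, or refuse."""
        loc, clocks = state
        for e in self.edges:
            if e.src == loc and e.action == action and e.guard(clocks):
                new = dict(clocks)
                for name in e.resets:
                    new[name] = 0.0
                if self._inv(e.dst, new):           # target invariant must hold on entry
                    return (e.dst, new)
        return None

    def run(self, state: State, script: List[Tuple[str, object]]) -> Optional[State]:
        """Execute ("delay", d) / ("act", label) steps; None as soon as a step is refused."""
        for kind, arg in script:
            state = self.delay(state, arg) if kind == "delay" else self.fire(state, arg)
            if state is None:
                return None
        return state


def light_controller() -> TimedAutomaton:
    """Intelligent light control from the slides: a second press within 3 time units -> Bright."""
    return TimedAutomaton(edges=[
        Edge("Off", "Light", "press?", resets=("x",)),
        Edge("Light", "Bright", "press?", guard=lambda c: c["x"] <= 3),
        Edge("Light", "Off", "press?", guard=lambda c: c["x"] > 3),
        Edge("Bright", "Off", "press?"),
    ])


def slide_automaton() -> TimedAutomaton:
    """The n --a, x<=5 & y>3, x:=0--> m example with invariants n: x<=5 and m: y<=10."""
    return TimedAutomaton(
        edges=[Edge("n", "m", "a", guard=lambda c: c["x"] <= 5 and c["y"] > 3, resets=("x",))],
        invariants={"n": lambda c: c["x"] <= 5, "m": lambda c: c["y"] <= 10},
    )


def light_after(gap: float) -> Optional[str]:
    """Location reached from Off by: press, wait `gap` time units, press."""
    ta = light_controller()
    final = ta.run(("Off", {"x": 0.0}), [("act", "press?"), ("delay", gap), ("act", "press?")])
    return None if final is None else final[0]


if __name__ == "__main__":
    print(light_after(1.0), light_after(5.0))      # quick double press vs. slow double press
    ta = slide_automaton()
    s0 = ("n", {"x": 2.4, "y": 3.1415})
    print(ta.delay(s0, 1.1))                       # delay allowed: x stays within x<=5
    print(ta.fire(s0, "a"))                        # guard holds, x reset, location m
    print(ta.delay(s0, 3.2))                       # None: x would reach 5.6 > 5
```

The refused `delay(s0, 3.2)` is the "invariants ensure progress" point: with the invariant in place the only way to get past x=5 in location n is to take the a-edge, which is what forces the system to act. Note that `fire` takes the first enabled edge; a real model checker explores every enabled edge, which is exactly where the state explosion discussed earlier comes from.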
The UPPAAL Model = Networks of Timed Automata + Integer Variables + ....
Automaton 1: l1 --a!, x>=2 & i==3, x:=0, i:=i+4--> l2
Automaton 2: m1 --a?, y<=4--> m2
Two-way synchronization on complementary actions (a! with a?). Closed systems!
Example transitions:
(l1, m1, ..., x=2, y=3.5, i=3, ...) --tau--> (l2, m2, ..., x=0, y=3.5, i=7, ...)   both edges fire together as one internal step
(l1, m1, ..., x=2, y=3.5, i=3, ...) --0.2--> (l1, m1, ..., x=2.2, y=3.7, i=3, ...)   delay: clocks advance, integers do not
If a is an URGENT CHANNEL, this delay is not allowed while the synchronization on a is enabled.
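An added example in Python (my own code, not the slides' or UPPAAL's) of the network semantics just described: two automata, a shared integer variable `i`, handshake on `a!`/`a?`, and the urgent-channel rule that forbids delay while the handshake is enabled. Names `Edge`, `Network`, `slide_network` are assumptions of this example; the sender's update is applied before the receiver's, which matches UPPAAL's evaluation order for a handshake.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Vals = Dict[str, float]                  # clocks (x, y) and integer variables (i), one valuation
State = Tuple[Tuple[str, ...], Vals]     # (location vector, valuation)


@dataclass
class Edge:
    src: str
    dst: str
    chan: str                                           # "a!" (send) or "a?" (receive)
    guard: Callable[[Vals], bool] = lambda v: True      # clock and integer constraints
    update: Callable[[Vals], None] = lambda v: None     # resets / assignments, applied in place


@dataclass
class Network:
    procs: List[List[Edge]]                 # one edge list per component automaton
    clocks: Tuple[str, ...]                 # variables that advance on delay
    urgent: FrozenSet[str] = frozenset()    # urgent channels: no delay while a sync is enabled

    def _enabled(self, idx: int, locs, vals: Vals, chan: str) -> List[Edge]:
        return [e for e in self.procs[idx] if e.src == locs[idx] and e.chan == chan and e.guard(vals)]

    def syncs(self, state: State) -> List[Tuple[int, Edge, int, Edge]]:
        """All (sender, a! edge, receiver, a? edge) pairs enabled in this state."""
        locs, vals = state
        found = []
        for i, proc in enumerate(self.procs):
            for snd in proc:
                if snd.src != locs[i] or not snd.chan.endswith("!") or not snd.guard(vals):
                    continue
                for j in range(len(self.procs)):
                    if j != i:
                        for rcv in self._enabled(j, locs, vals, snd.chan[:-1] + "?"):
                            found.append((i, snd, j, rcv))
        return found

    def sync_step(self, state: State) -> Optional[State]:
        """Fire the first enabled handshake as one tau step; None if no handshake is possible."""
        pairs = self.syncs(state)
        if not pairs:
            return None
        i, snd, j, rcv = pairs[0]
        locs, vals = list(state[0]), dict(state[1])
        snd.update(vals)                    # sender's update first ...
        rcv.update(vals)                    # ... then the receiver's
        locs[i], locs[j] = snd.dst, rcv.dst
        return (tuple(locs), vals)

    def delay(self, state: State, d: float) -> Optional[State]:
        """Let d time units pass; refused if a handshake on an urgent channel is enabled."""
        if any(snd.chan[:-1] in self.urgent for _, snd, _, _ in self.syncs(state)):
            return None
        locs, vals = state
        return (locs, {k: (v + d if k in self.clocks else v) for k, v in vals.items()})


def slide_network(urgent=()) -> Network:
    """The two-automaton example from the slide: clocks x, y and integer variable i."""
    def sender_update(v: Vals) -> None:
        v["x"] = 0.0          # x := 0
        v["i"] = v["i"] + 4   # i := i + 4
    auto1 = [Edge("l1", "l2", "a!", guard=lambda v: v["x"] >= 2 and v["i"] == 3, update=sender_update)]
    auto2 = [Edge("m1", "m2", "a?", guard=lambda v: v["y"] <= 4)]
    return Network(procs=[auto1, auto2], clocks=("x", "y"), urgent=frozenset(urgent))


if __name__ == "__main__":
    s0 = (("l1", "m1"), {"x": 2.0, "y": 3.5, "i": 3})
    print(slide_network().sync_step(s0))               # tau: both move, x reset, i becomes 7
    print(slide_network().delay(s0, 0.2))              # clocks advance by 0.2, i unchanged
    print(slide_network(urgent=["a"]).delay(s0, 0.2))  # None: urgent a forbids waiting
```

The "Closed systems!" remark on the slide is visible here: `sync_step` only ever pairs an `a!` with an `a?` inside the network, so an environment that is not modelled explicitly cannot participate, which is why the environment (plant, sensors, user) must be modelled as automata of its own.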
Lego RCX Brick (LEGO MINDSTORMS, LEGO ROBOLAB)
3 input ports (sensors): light, rotation, temperature, pressure, .....
3 output ports (actuators): motor, light
1 infra-red port
First UPPAAL model: Sorting of Lego Boxes
Conveyor belt with a light sensor and a piston; boxes are black or red.
Exercise: Design Controller so that only black boxes are being pushed out.
Figure: boxes (Black/Red) passing the sensor at positions 9, 18, 81, 90, 99; controller actions remove/eject; controller tasks Main and Skub_af (Ken Tindell).
NQC programs (the controller consists of the two tasks main and skub_af, sharing three global variables)

    int active;        // 1 while a detected box is on its way to the piston, cleared by skub_af
    int DELAY;         // timer ticks from the sensor to the piston
    int LIGHT_LEVEL;   // light readings at or below this threshold mean a (dark) black box

    task skub_af {     // "skub af" = "push off": eject the box once DELAY has elapsed
      while (true) {
        wait(Timer(1) > DELAY && active == 1);
        active = 0;
        Rev(OUT_C, 1);   // piston out
        Sleep(8);
        Fwd(OUT_C, 1);   // piston back
        Sleep(12);
        Off(OUT_C);
      }
    }

    task main {
      DELAY = 25;
      LIGHT_LEVEL = 35;
      active = 0;
      Sensor(IN_1, IN_LIGHT);   // light sensor on input 1
      Fwd(OUT_A, 1);            // start the conveyor belt
      Display(1);
      start skub_af;
      while (true) {
        wait(IN_1 <= LIGHT_LEVEL);   // a dark (black) box is in front of the sensor
        ClearTimer(1);               // start counting the delay to the piston
        active = 1;
        PlaySound(1);
        wait(IN_1 > LIGHT_LEVEL);    // wait until the box has passed the sensor
      }
    }
UPPAAL Demo
Exercise 2: Synchronization between two processes
Processes Sender and Receiver communicate through the media K and L; channels: in, snd, pass, out, ack, pack.
Each message must be delivered before the next message can be accepted.
1. perfect media
2. lossy media
3. retransmission
4. delaying media
5. XXXX
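As an added example (my own Python, not a solution handed out with the course), here is the protocol exchange the exercise asks for, with both sides' messages: a stop-and-wait sender, a receiver that acknowledges every frame, and the two media K (snd -> pass) and L (ack -> pack) as queues that can drop messages. It covers variants 1 to 3 of the exercise (perfect media, lossy media, retransmission); delaying media (variant 4) is not modelled. The loss patterns passed in are constructed for the demonstration, and an alternating bit on each frame is the assumed mechanism by which the receiver recognises a retransmitted duplicate. Names `Medium`, `Receiver`, `run_protocol` are mine.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Set, Tuple

Frame = Tuple[int, str]    # (alternating bit, payload)


@dataclass
class Medium:
    """Medium K or L. Drops the n-th message handed to it whenever n is in `drops`;
    with `drops` empty this is the perfect medium of variant 1."""
    drops: Set[int] = field(default_factory=set)
    handed: int = 0
    queue: Deque = field(default_factory=deque)

    def send(self, msg) -> None:
        self.handed += 1
        if self.handed not in self.drops:
            self.queue.append(msg)

    def receive(self):
        return self.queue.popleft() if self.queue else None   # None: nothing arrived


@dataclass
class Receiver:
    expected: int = 0                            # bit of the next new message
    out: List[str] = field(default_factory=list)

    def on_pass(self, frame: Frame) -> int:
        """Handle a frame arriving on 'pass'; deliver it on 'out' unless it is a duplicate."""
        bit, payload = frame
        if bit == self.expected:
            self.out.append(payload)
            self.expected ^= 1
        return bit                               # the 'ack' carries the bit just received


def run_protocol(messages: List[str], drops_k=(), drops_l=(), max_retries: int = 10) -> Tuple[List[str], int]:
    """Stop-and-wait sender: the next 'in' is accepted only after the previous message is acked.
    Returns (messages delivered on 'out', number of retransmissions)."""
    K, L, rx = Medium(set(drops_k)), Medium(set(drops_l)), Receiver()
    bit, retransmissions = 0, 0
    for payload in messages:                     # 'in': sender accepts one message
        for _ in range(max_retries + 1):
            K.send((bit, payload))               # 'snd'
            frame = K.receive()                  # 'pass' (None if K lost the frame)
            if frame is not None:
                L.send(rx.on_pass(frame))        # 'ack'
            if L.receive() == bit:               # 'pack' (None if L lost the ack)
                break
            retransmissions += 1                 # timeout: resend the same frame
        else:
            raise RuntimeError(f"no ack for {payload!r} after {max_retries} retries")
        bit ^= 1
    return rx.out, retransmissions


if __name__ == "__main__":
    print(run_protocol(["m1", "m2", "m3"]))                               # perfect media
    print(run_protocol(["m1", "m2", "m3"], drops_k={2}, drops_l={3}))     # constructed losses
```

With the constructed losses, K drops the first copy of m2 and L drops the first ack for m3; the second case is the interesting one, because the receiver has already delivered m3 and must recognise the retransmitted copy as a duplicate rather than deliver it twice. Without the alternating bit the protocol would satisfy "each message is delivered" but not "exactly once", which is the kind of property one would check in UPPAAL rather than by running a few traces.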
Exercise 3
Processes: Machine, Person, Observer; channels: cof, coin, pub
Person (clock y): locations Ready, Wait (y<=3), Wait (y<=2), Go; edge labels in the figure: coin! y:=0; y=3; cof? y:=0; y=2; pub!
Design Machine and Observer