Embed Size (px)
Citation preview
Formal Analysis and Verification of Real-Time Systems
Albert M. K. Cheng
Real-Time Systems Laboratory
University of Houston
Correctness of Real-Time Systems Satisfaction of logical correctness
constraints Satisfaction of timing constraints
Presentation Outline Model of a real-time system Specification, analysis, and verification Explicit-state and symbolic model
checking Real-time logic and constraint-graph
analysis Analysis of real-time rule-based system
A Real-Time System
A
D
X Y
S
Sensorinput
Decision,action
State
Specification, analysis, and verification Structural/Functional Behavioral - Sequence of
events and actions
Given: Specification (SP), Safety Assertion (SA)
Goal: Relate SP to SA
Analysis - 3 cases: SA is a theorem
derivable from SP. SA is unsatisfiable
with respect to SP. Negation of SA is
satisfiable under certain conditions.
Analysis Techniques Simulation Testing Verification Run-time monitoring
Model Checking
Specificationrepresented asa labeledfinite-stateGraph (Kripkestructure)
Safety assertionwritten as temporallogic formula
Is the finite-state grapha model of the temporallogic formula?
Computation Tree Logic CTL Propositional,
branching-time temporal logic
Next-time operator X, Until operator U
A(E)X f : f holds in every (some) immediate successor of current state
A(E)[f1 U f2] : for every (some) computation path, there exists an initial prefix of the path such that f2 holds at the last state of the prefix and f1 holds at all other states along the prefix
Example; Solution to Mutual Exclusion Problem
N1,N2
T1,N2
C1,T2
N1,T2
C1,N2 T1,T2 T1,T2 N1,C2
T1,C2
CTL abbreviations AF(f) = A[True U f]:
f holds in the future along every path from the initial state s0, so f is inevitable
EG(f) =
NOT AF(NOT f)
EF(f) = E[True U f]: there is some path from the initial state s0 that leads to a state at which f holds, so f potentially holds
AG(f) =
NOT EF(NOT f)
Explicit-State Model Checking
for (fi=flength; fi >= 1; fi--) labelgraph(fi,s,&correct);labelgraph (fi,s,b)short fi, s;Boolean *b;{ short i; switch(nf[fi-1][0].opcode) { case atomic: atf(fi,s,b); break;
case nt: ntf(fi,s,b); break; case ad: adf(fi,s,b); break; case ax: axf(fi,s,b); break; case ex: exf(fi,s,b); break;
case au:
for (i=0; i <= numstates; i++)
marked[i] = false;
for (i=0; i <= numstates; i++)
if (!marked[i])
auf(fi,s,b);
break;
case eu:
euf(fi,s,b);
break;
}
}
Explicit-State Model Checking
Symbolic Model Checking Transition relation between the values of
the variables in the current and the next states can be stated as a Boolean formula
Use Binary Decision Diagrams (BDDs) to present this Boolean formula
Apply model checker to finite-state graph represented as BBDs
Real-Time CTL Existentially Bounded Until operator:
E[f_1 U[x,y] f_2] at state s_0 means there exists a path beginning at s_0 and some i such that x <= i <= y and f_2 holds at state s_i and forall j < i, f_1 holds at state s_j
Min/max delays Min/max number of condition occurrences
Event-Action Model Action: schedulable unit
of work primitive or composite X;Y X||Y X!N !NY State predicate: assertion
about state of the system Timing constraints
Event: temporal marker - 4 types
external: cannot be cause by system
start: begin action stop: end action transition: change in
certain state attribute
Timing ConstraintsPeriodic: while <state predicate> execute <action>
with period = <time1>
deadline = <time2>
Sporadic: when <event> execute <action>
with deadline = <time1>
separation = <time2>
Non-Real-Time Temporal Logic Conventional temporal logic: concerns with
relative ordering of events A;(B||C) means ABC or ACB Can model interleaving actions Cannot model parallel actions To deal with absolute timing, add clock variable:
clock := clock + c, execute after every action Acceptable only if actions are executed in
sequential order
Real-Time Logic
3 types of constants action in capital
letters: primitive or composite (partial ordering of events)
A.B B appears in composite action A
start and stop events:
^A event marking the initiation of action A
vA event marking the completion of action A
^A.B ^A.B2
Real-Time Logic Transition event constants: (S := T) (S := F) External event constants: omega BUTTON1 pressing
button number 1 Integer constants: @(E,W) --> W E event, W nonnegative
integer
@(e,i) = time of the i-th occurrence of event e
Timing property can be established by showing there does not exist an occurrence function which is consistent with the specification in conjunction with the negation of the safety property under investigation
Examples of RTL Formulas Forall i @(E,i) = t -> t >= 0 Forall i forall j [@(E,i) = t and @(E,j)=t‘ and i < j
] -> t < t‘ forall x @(TrainApproach, x) <= @(^Downgate,
x) and
@(vDowngate, x) <= @(TrainApproach, x) + 30
forall y @(^Downgate, y) + 15 <= @(vDowngate, y)
Example: Safety Assertion in RTLforall t forall u
@(TrainApproach, t) + 45 <= @(Crossing, u) and
@(Crossing,u)<@(TrainApproach, t) + 60 -> @(vDowngate, t) <= @(Crossing, u) and
@(Crossing, u) <= @(vDowngate, t) + 45
Analysis of Rule-Based Systems The RULES section is composed of a finite set of
rules each of which is of the form: a1 := b1 ! a2 := b2 ! … ! am := bm IF enabling condition VAR = set of variables on left-hand side of the
assignment, i.e., the ai’s VAL = expressions on right-hand side of
assignment, i.e., the bi’s EC = enabling condition
Simple Rule-Based Program(* 1 *) object_detected := true IF sensor_a =
1 AND sensor_a_status = good (* 2 *) []object_detected := true IF sensor_b
= 1 AND sensor_b_status = good(* 3 *) []object_detected := false IF sensor_a
= 0 AND sensor_a_status = good(* 4 *) []object_detected := false IF sensor_b
= 0 AND sensor_b_status = good
State Space RepresentationA
D
E F
GH
FP1 FP2
C
L
J
K
B
I
M
N
P
FP3
Problem Complexity In general, the analysis problem is
undecidable if the program variables can have infinite domains, i.e., there is no general procedure for answering all instances of the decision problem.
Proof Outline Any two-counter machine can be encoded by an
equational rule-based program that uses only `+' and `-' as operations on integer variables and `>', `=' as atomic predicates such that a two-counter machine accepts an input if and only if the corresponding equational rule-based program can reach a fixed point from an initial condition determined by the input to the two-counter machine.
Analysis Problem is Solvable for some Cases All the variables of an equational rule-
based program range over finite domains. Set of variables in VAR and set of
variables in VAL and EC are disjoint.
Enabling conditions are mutually exclusive.
Only constants are assigned to variables in VAR.
Compatibility of RulesLet L_x denote the set of
variables appearing in LHS of rule x.
Two rules a and b are said to be compatible iff at least one of the following conditions holds:
(CR1) Test a and test b are mutually exclusive.
(CR2) L_a and L_b are disjoint.
(CR3) Suppose L_a and L_b are not disjoint . Then for every common variable v in L_a and L_b, the same expression must be assigned to v in both rule a and b.
Special Form ALet L and T be sets of variables in VAR and
EC of rules. A set of rules are in special form A if the following conditions hold:
(1) Constant terms are assigned to all the variables in L.
(2) All of the rules are compatible pairwise.
(3) L and T are disjoint.
Example1. a1 := true IF b = true AND c = true 2. [] a1 := true IF b = true AND c = false 3. [] a2 := false IF c = true
Rules 1 and 2 are compatible by conditions CR1 and CR3. Rules 1 and 3 are compatible by condition CR2. Rules 2 and 3 are compatible by condition CR2.
General Analysis StrategyRule-based program
Simpler programs
Rule rewriterState-space analyzer
Special formrecognizer
No independentruleset in special form
Independent rulsetsin special form(s)
Exampleinput: read(b, c)1. a1 := true IF b = true AND c
= true2.[]a1 := true IF b = true
AND c = false3.[]a2 := false IF c = true4.[]a3 := true IF a1 = true
AND a2 = false 5.[]a4 := true IF a1 = false
AND a2 = false6.[]a4 := false IF a1 = false
AND a2 = true
input: read(b, c)
1. a1 := true IF b = true AND c = true
2.[]a1 := true IF b = true AND c = false
3.[]a2 := false IF c = true
Applications of Analysis Tools Cryogenic Hydrogen Pressure Malfunction
Procedure in the Pressure Control System of the Space Shuttle Vehicle
Integrated Status Assessment Expert System
Fuel Cell Expert System Orbital Maneuvering and Reaction Control
System
New Textbook Albert Cheng - Real-Time Systems: Scheduling,
Analysis, and Verification (John Wiley & Sons) ISBN # 0471-184063, 2002. www.cs.uh.edu/~acheng/~acheng.html
For senior-level undergraduate/first-year graduate courses in real-time systems, embedded systems (software and hardware) engineering, and formal methods. Serves as a supplement to courses in operating systems and system design, as well as a reference for practitioners and researchers.
