The Mana Project

Lars AsplundKristina Lundqvist

Uppsala University, Information Technology, Dept of Computer Systems

The Mana Project

Lars AsplundKristina Lundqvist

Uppsala University, Information Technology, Dept of Computer Systems

Background

• Formal methods have been used in a number of safety critical systems– TGV – train signalling system in Paris

• Today's safety critical systems use cyclic executives.• Research take for granted that a system consists of

processes (scheduling, priorities), and that there is communications between these.

• Process based safety critical systems - formal methods (Raven, Enea …)

Ada-83

•Tasking•Rendez-vous•Dynamic•Hierarchy•Termination•...

Ada83

•For High Integrity Systems•Subsets:

•SPARK (No tasking)•Boeing•...

•Complex Run-Time•No Formal Proofs

Ada-95

•Tasking•Rendez-vous•Dynamic•Hierarchy•Termination•...

•Protected Objects•ATC•requeue•delay until•new interrupts•task attributes•...

Ada95 Subsets:

GNORT (Gnat NO Run-Time)SPARK-95

Ravenscar•Tasking•Protected Objects•delay until•new interrupts•task attribute

Ada 95 and Ravenscar

• The Ravenscar profile has been proposed as a possible standard runtime support system suitable for safety critical real-time Ada 95 applications.

• The subset provides enough functionality for targeted systems .

Ravenscar - tasking

• Library level• No dynamic creation• No unchecked deallocation• Non-terminating• No entries• No user defined attributes• Keep task discriminants• No ATC

Ravenscar - Protected Objects

• Single Entry• Barrier a single Boolean• Only one task in the entry queue

Ravenscar - Communication

• No Rendez vous• No requeue• No select statement• Interrupts are mapped only to PO

procedures

Ravenscar - Real Time

• delay until for delays• No Calendar• Clock from Real-Time package• No dynamic priorities• Immediate Ceiling Priority

The Mana Project

• Project Aim: Develop and model a run-time system using formal development methodologies. Implement for the gnu Ada-95 compiler.

• Target: Safety critical systems at the highest degree of safety, e.g. Nuclear power plants, ATC, aircraft, ...

The Mana Project

• Chosen language:– Subset of Ada 95: Ravenscar

• Representation model: Timed Automata– FSAs extended with clocks and constraints

• Verification scheme: A Real-Time Model Checker– UPPAAL: Modelling, simulation, and verification

tool

A System Model

SchedulerPO

T1 T2 T3

Delay Queue

ClockT0

Application

Run-Time KernelP EF

Delay untilTask dispatch

Ready Queue

A Verification Session

• Design.Timed Automata Model of1. An application (user code)2. Run-time kernel (Mana)

• Simulation of design• Verification by checking reachability

properties

A System Model

SchedulerPO

T1 T2 T3

Delay Queue

ClockT0

Application

Run-Time KernelP EF

Delay untilTask dispatch

Ready Queue

Simple application (T1)

task body T1 is -- at priority 1 NextTime : Time := Clock + 30.0;begin loop Work (5); delay until NextTime; PO.P; -- releases the PO entry NextTime := NextTime + 30.0; end loop;end T1;

Delay seq

Prot Proc

Protected Procedure

Calling Task

Procedure StartProcedure beginPreemptionRelease of Entry

Task T2

task body T2 is -- at priority 2 Cond : Boolean := false;begin loop Work (10); if Cond then PO.E; else Cond := not Cond; Work (5); end if; Work (4); end loop;end T2;

Prot Entry

Protected Entry

Calling Task

Entry Start

Lock Free and no Barrier

Barrier trueReleased by Procedure

Protected Entry

Calling Task

ExecutingPreemption

ExceptionPreemption in exceptionNormal end

Task T3task body T3 is -- at priority 3 NextTime : Time := Clock + 18.0;begin loop case Cmd is when Ack => for I in 1..4 loop Work (5); PO.P; end loop; when Connect => Work (15); when Disconnect => Work (20); when Send => Work (10); end case; delay until NextTime; NextTime := NextTime + 18.0; end loop;end T3;

Prot Proc

Delay

A view of the System

F

PE

Prot Obj

Scheduler

T1 T2 T3

Delay Queue

Clock

T0

Delay untilTask dispatch

Ready Queue

Miscellaneous

Protected Function

Delay Queue

System Clock

The Run-Time System

F

PE

Prot Obj

Task T1

task body T1 is -- at priority 1 NextTime : Time := Clock + 30.0;begin loop work (5); delay until NextTime; PO.P; -- releases the PO entry NextTime := NextTime + 30.0; end loop;end T1;

Delay seq

Prot Proc

Building the System

F

PE

Prot Obj

T1

Task T2

task body T2 is -- at priority 2 Cond : Boolean := false;begin loop work (10); if Cond then PO.E; else Cond := not Cond; work (5); end if; work (4); end loop;end T2;

Prot Entry

A more Complete System

F

PE

Prot Obj

T1

T2

Task T3task body T3 is -- at priority 3 NextTime : Time := Clock + 18.0;begin loop case Cmd is when Ack => for I in 1..4 loop work (5); PO.P; end loop; when Connect => work (15); when Disconnect => work (20); when Send => work (10); end case; delay until NextTime; NextTime := NextTime + 18.0; end loop;end T3;

Prot Proc

Delay

A Complete System

F

PE

Prot Obj

T1

T2

T3

Scheduler and Idle process

Resume!

Suspend!

Resume!

Preempt!

Resume? Pcpu:= PLow

Preempt?

StartIdle Process is running

Resume? Pcpu:= PMed

Resume? Pcpu:= PHighMedium Process availableMedium Process runningIdle Process PreemptedHigh Process availableHigh Process running

Medium Process PreemptedIdle Process

Scheduler

Verifying Reachability Properties

• Statements format:Invariant()Possible()Where (atomic-formula) | | ’

• Examples:– Possible(CPU’Count > 1)

• At any point in time, there must be only one task executing– Invariant(P.Completed and E.Queue’Count > 0 and

E.Barrier imply Exec(E.Code, P.Context))

Conclusions and future work

• Have today modelled a full Ravenscar compliant RTK– PO: priorities, preemption

• Procedure, Function and Entry• Release on behalf

– delay until– exception handling in PO– interrupt

Conclusions and future work

• Verified the Mana-RTK together with a small application

• Next step is to implement the Mana-RTK – Automatic translation from Ada into TA

• http://www.docs.uu.se/mana