Embed Size (px)
DESCRIPTION
Formal Verification of Embedded Real-Time Software in Component-Based Application Frameworks. Pao-Ann Hsiung*, Win-Bin See, Trong-Yen Lee, Jih-Ming Fu, and Sao-Jie Chen *National Chung Cheng University Chiayi-621, Taiwan. Asia-Pacific Software Engineering Conference, December 2001, Macau. - PowerPoint PPT Presentation
Citation preview
11
Formal Verification of Formal Verification of Embedded Real-Time Embedded Real-Time
Software in Component-Software in Component-Based Application Based Application
FrameworksFrameworksPao-Ann Hsiung*, Win-Bin See, Trong-Yen Lee,Pao-Ann Hsiung*, Win-Bin See, Trong-Yen Lee,
Jih-Ming Fu, and Sao-Jie ChenJih-Ming Fu, and Sao-Jie Chen*National Chung Cheng University*National Chung Cheng University
Chiayi-621, Taiwan.Chiayi-621, Taiwan.
Asia-Pacific Software Engineering Conference, December 2001, Macau
22
OutlineOutline
Why Verification of Software?Why Verification of Software?What Issues?What Issues?Previous WorkPrevious WorkFormal Object-Oriented ModelFormal Object-Oriented ModelFormal Synthesis & Model CheckingFormal Synthesis & Model CheckingApplication ExampleApplication ExampleConclusions & Future WorkConclusions & Future Work
33
Why Verification of Software?Why Verification of Software?Software accounts for almost Software accounts for almost 80%80% of total of total
system functions!system functions!ExamplesExamples of real-time embedded of real-time embedded
systems: systems: home appliances, telecommunication home appliances, telecommunication devices, transportation facilities, ...devices, transportation facilities, ...
FlexibilityFlexibility COMPLEXITYCOMPLEXITY!!More complexMore complex than hardware! than hardware!Simple Simple glitches glitches system system FAILURE FAILURE!!
44
What Issues?What Issues?
Component-Based Object-Oriented AppliComponent-Based Object-Oriented Application Framework (COAF)cation Framework (COAF)
Formal Verification (FV)Formal Verification (FV)How to integrate FV into COAF???How to integrate FV into COAF???
System System ModelModel??Design Design MethodologyMethodology v/s Verification v/s Verification FramewFramew
orkorkGoals: Goals: SeamlessSeamless + + ScalableScalable Integration!!! Integration!!!
55
System Model?System Model?COAF View: Set of interacting objectsCOAF View: Set of interacting objects
FV View: Network of concurrent tasksFV View: Network of concurrent tasks
D
A
B
C
Complex Behaviors
!!!
………
………
………
………
………
Formal Syntax + Precise
Semantics
66
Design v/s Verification?Design v/s Verification? COAF: Design MethodologyCOAF: Design Methodology
FV: Verification FrameworkFV: Verification Framework
for x = 1…8 {
…………… …
while(1) { … }
}components
software
automata
Error Trace:….….….
analysis results
77
Previous WorkPrevious WorkCOAFsCOAFs for designing real-time embedded sof for designing real-time embedded sof
tware applications: tware applications: OORTSF, SESAG, VERTAF [RTAS’01]OORTSF, SESAG, VERTAF [RTAS’01]
Formal SynthesisFormal Synthesis: : Quasi-Static Scheduling of Free-Choice Petri netQuasi-Static Scheduling of Free-Choice Petri net
ssSynthesis of Codesign FSMSynthesis of Codesign FSM
Formal VerificationFormal Verification::When, Where, How to verify embedded sw?When, Where, How to verify embedded sw?Hybrid automata-based coverificationHybrid automata-based coverification
88
Formal Object-Oriented ModelFormal Object-Oriented Model
Compromise between OO and formal Compromise between OO and formal modelsmodels
For Task Specification:For Task Specification:Autonomous Timed ObjectAutonomous Timed Object (ATO) (ATO)
For Modeling Behavior:For Modeling Behavior:Autonomous Timed ProcessAutonomous Timed Process (ATP) (ATP)ATOs
ATPs
99
Autonomous Timed Object Autonomous Timed Object (ATO)(ATO)
ATO = PBO + TMOATO = PBO + TMOPBO = PBO = Port-Based ObjectPort-Based Object [IEEE-TSE’97] [IEEE-TSE’97]TMO = TMO = Time-triggered Message-triggered Time-triggered Message-triggered
ObjectObject [IEEE-Computer’00] [IEEE-Computer’00]Generic structure for embedded systemsGeneric structure for embedded systemsModels:Models:
PeriodicPeriodic Task TaskAperiodicAperiodic Task Task
1010
ATO Generic StructureATO Generic Structure
ATO Name
Event-Triggered Methods
Time-Triggered Methods
In Ports Out Ports
Resource Ports
Configuration Ports
1111
Autonomous Timed Process Autonomous Timed Process (ATP)(ATP)
1 or more ATP associated with 1 ATO1 or more ATP associated with 1 ATOCreate ATP on ATO declarationCreate ATP on ATO declarationUpdateUpdate system state system state2 types of interrupts:2 types of interrupts:
EventEvent: aperiodic task, ETM: aperiodic task, ETMTimerTimer: periodic task, TTM: periodic task, TTM
After method exec, After method exec, check violationcheck violation If violated, Error state, handle error, resetIf violated, Error state, handle error, reset
1212
ATP State DiagramATP State Diagram
Created
ATO Declaration
Instantiated
Configuration
Status Update
Updated
Periodic Task Activated
Timer Interrupt
Aperiodic Task
Activated
Event Interrupt
Event-Triggered Method
Execution
Time-Triggered Method
Execution
Error Terminated
Constraint Checking
Constraint Violated Kill Signal
Reset Kill Signal
1313
Event & Process Tables, Call Event & Process Tables, Call GraphGraph
Event TableEvent Table: record all inter ATP events: record all inter ATP events Call GraphCall Graph: event relationships: event relationships Process TableProcess Table: record all ATPs and related info: record all ATPs and related info
rmationrmation Purposes:Purposes:
resource allocation,resource allocation, conflict resolution,conflict resolution, schedulability analysis, andschedulability analysis, and verification.verification.
1414
Formal Synthesis & Model Formal Synthesis & Model CheckingChecking
What is What is formal synthesisformal synthesis??A formally modeled system is synthesized A formally modeled system is synthesized to satisfy a given logic specification.to satisfy a given logic specification.Eg: TFCPN / TRSEg: TFCPN / TRS
What is What is model checkingmodel checking??A formally modeled system is checked for A formally modeled system is checked for satisfaction of a given logic specification.satisfaction of a given logic specification.Eg: TA / TCTLEg: TA / TCTL
1515
Target ProblemTarget Problem
COAF-FV Technology IntegrationCOAF-FV Technology Integration
Given an embedded real-time system Given an embedded real-time system described in a Component-Based described in a Component-Based Object-Oriented Application Framework Object-Oriented Application Framework ((COAFCOAF) using the Formal Object-) using the Formal Object-Oriented Model (Oriented Model (FOOMFOOM) along with a set ) along with a set of temporal constraints, the of temporal constraints, the generated generated software code is to besoftware code is to be formally verified formally verified to satisfy all given constraintsto satisfy all given constraints..
1616
Timed Automaton (TA)Timed Automaton (TA)
x ≤ 3
y ≤ 7
x=0 y=0
x = 3
y 7
x:=0 y:=0
y := 0
M0
M1 M2
M3
invariant conditio
n
triggering
condition
initial conditio
n
clock resets
state
transition
1717
Timed Computation Tree Logic Timed Computation Tree Logic (TCTL)(TCTL)
A logic for specification of A logic for specification of propertiesproperties of of embedded real-time systemsembedded real-time systems
Syntax:Syntax: ::= ::= | | □□ ' | ' | 'U'U~c~c | | ' | ' | ' '
Reachability propertiesReachability propertiesLiveness propertiesLiveness propertiesTemporal propertiesTemporal properties
1818
Compositional VerificationCompositional Verification
Compositionally_Verify(ATP_Set, Constraints) {Compositionally_Verify(ATP_Set, Constraints) { = = Gen_TCTLGen_TCTL(Constraints);(Constraints);ATA_Set = ATA_Set = Gen_TAGen_TA(ATP_Set);(ATP_Set);STA_Set = STA_Set = ScheduleSchedule(ATA_Set, SchedAlg);(ATA_Set, SchedAlg);while (|STA_Set|>1) {while (|STA_Set|>1) {
MROFMROF(STA_Set);(STA_Set); // merging// mergingrr = = FBRSFBRS(STA_Set);(STA_Set); // reduction sequen// reduction sequen
ceceReduceReduce(STA_Set, (STA_Set, rr); }); }
if (if (Model_CheckModel_Check(STA_Set, (STA_Set, ) return Verified;) return Verified;else return Constraints_Violated;else return Constraints_Violated;
}}
1919
Compositional VerificationCompositional Verification
………
Constraints
Autonomous Timed
Process
Timed Automato
n
Scheduled Timed
Automaton
Merged Timed
Automaton
Reduced Timed
Automaton
TCTL
formula
Model Checking(S ┝ ?)
S
Verified OK!or
CounterEx
2020
Merge Related Objects First Merge Related Objects First (MROF)(MROF)
Hierarchical Merge StrategyHierarchical Merge StrategySame FamilySame Family: (Syntax): (Syntax)
Merge all TA representing the same ATO.Merge all TA representing the same ATO.Near RelativesNear Relatives: (Semantics): (Semantics)
(A(Aii, A, Ajj) = ) = #Shared_Vars(A#Shared_Vars(Aii, A, Ajj) + ) + #Channels(A#Channels(Aii, A, Ajj))
Highest proximity Highest proximity merge first! merge first!
2121
Find Best Reduction Sequence Find Best Reduction Sequence (FBRS)(FBRS)
State-Graph Manipulators (SGM) Tool:State-Graph Manipulators (SGM) Tool:http://www.cs.ccu.edu.tw/~pahsiung/sgm/http://www.cs.ccu.edu.tw/~pahsiung/sgm/
Four reduction techniques Four reduction techniques (manipulators):(manipulators):Symmetry ReductionSymmetry ReductionClock ShieldingClock ShieldingRead-Write ReductionRead-Write ReductionInternal Transition BypassInternal Transition Bypass
Experiment with different sequencesExperiment with different sequences
2222
Find Best Reduction Sequence Find Best Reduction Sequence (FBRS)(FBRS)
No clock variables No clock variables skip clock skip clock shieldingshielding
No discrete variables No discrete variables skip read-write skip read-write reductionreduction
Perform symmetry reduction after Perform symmetry reduction after read-write reductionread-write reduction
Perform internal transition bypass Perform internal transition bypass after read-write and clock shieldingafter read-write and clock shielding
Permute reduction sequence to decide Permute reduction sequence to decide symmetry reduction ordersymmetry reduction order
2323
Application ExampleApplication Example
Autonomous Intelligent Cruise ControllerAutonomous Intelligent Cruise Controller (AICC), Saab automobile [Hansson 1996].(AICC), Saab automobile [Hansson 1996].
Receive info from road signs (speed limit) Receive info from road signs (speed limit) adapt speedadapt speed
Slow front vehicleSlow front vehicle maintain safe distancemaintain safe distance
Receive info from traffic lights Receive info from traffic lights avoid stop and goavoid stop and go
2424
AICC Example: System AICC Example: System ArchitectureArchitecture
ElectronicServo Throttle
(SW)
EBS Gateway(HW/SW)
DS Gateway(HW/SW)
SRC Gateway(SW)
SRC MMI(SW)
System ControlUnit (HW)
Main InstrumentController(HW/SW)
ElectronicBrake System
DistanceSensor
Short RangeCommunication
TransponderDisplay
Throttle speed brake
RS232 RS232
Cruise ControlSwitches
Controller Area Network (CAN)-bus
RS232
2525
AICC Example: FOOM ModelAICC Example: FOOM Model
Traffic
Light Info
(SRC)
Speed
Limit Info
(SRC)
SRC
T=200ms
Preceding Vehicle
Estimator
(Distance Sensor)
Speed
Sensor
(EBC)
Distance
Control
Greenwave
Control
Speed Limit
ControlICC Regulator
T=100ms
CruiseSwitches
(MainInstrumentController)
ICC
Main
Control
Coordination &
Final Control
CruiseInfo(Main
InstrumentController)
SpeedActuator
(EST)
T=100msSupervisor
Final ControlEST
T=50ms
• 5 ATO,
• 12 functions (11 software, 1 hardware) 11 ATP,
Call Graph
2626
AICC Example: Process TableAICC Example: Process TableIndex ATP ATO
Period (ms)
Execution Time (ms)
Deadline
1 Traffic Light Info SRC 200 10 400
2 Speed Limit Info SRC 200 10 400
3 Proceeding Vehicle Estimator ICCReg 100 8 100
4 Speed Sensor ICCReg 100 5 100
5 Distance Control ICCReg 100 15 100
6 Green Wave Control ICCReg 100 15 100
7 Speed Limit Control ICCReg 100 15 100
8 Coordination & Final Control(HARDWARE)
Final_Control 50 20 50
9 Cruise Switches Supervisor 100 15 100
10 ICC Main Control Supervisor 100 20 100
11 Cruise Info Supervisor 100 20 100
12 Speed Actuator EST 50 5 50
2727
AICC Example: ExperimentsAICC Example: Experiments
Sun UltraSPARC II 450 MHz (1 CPU)Sun UltraSPARC II 450 MHz (1 CPU)1 GB physical RAM1 GB physical RAMModel Versions:Model Versions:
FullFull: 11 TA: 11 TASimpleSimple: 6 TA: 6 TA
Communication Models:Communication Models:Shared MemoryShared MemoryMessage PassingMessage Passing
2828
AICC Example: ResultsAICC Example: Results## nn CC SeqSeq #M#M #T#T TimeTime
(sec)(sec)MeMemm
(MB)(MB)11 11
11SMSM
<mg1><mg1>>125>125
KK>1869>1869
KKN/AN/A O/MO/M
22 1111
SMSM<mg1, rw, sc, sm><mg1, rw, sc, sm> 270270 1,1381,138 50,2150,21
336262
33 66 MPMP<mg1><mg1>
19,7719,7766
26,67726,677 1,3911,391 211211
44 66 MPMP <mg2><mg2> 19,77619,776 26,67726,677 234234 7777
55 66 MPMP <mg1, rw, sc, sm><mg1, rw, sc, sm> 141141 320320 873873 1919
66 66 SMSM <mg1><mg1> 7,9127,912 16,55716,557 303303 5252
77 66 SMSM <mg1, rw, sc, bit, sm><mg1, rw, sc, bit, sm> 101101 290290 183183 66
88 66 SMSM <mg1, rw, sm, sc, bit><mg1, rw, sm, sc, bit> 7171 180180 193193 66
mg1: sequential merge, mg2: near-relatives merge
2929
AICC Example: ObservationsAICC Example: Observations
Near-relativesNear-relatives merge better than sequenti merge better than sequential merge (time, memory)al merge (time, memory)
SMSM better than MP (broadcast expensive) better than MP (broadcast expensive)11 TA, no reduction 11 TA, no reduction Out of memoryOut of memory! (Ex! (Ex
ponentially large state-space)ponentially large state-space)ReductionsReductions give smaller state-spaces give smaller state-spacesBest sequence: Best sequence: <mg1, rw, sm, sc, bit><mg1, rw, sm, sc, bit> (#m (#m
odes, #transitions)odes, #transitions)
3030
ConclusionsConclusions
Technology integrationTechnology integration: : Component-Based OO Application FrameworkComponent-Based OO Application FrameworkFormal VerificationFormal Verification
Common system model: Common system model: FOOMFOOM (ATO/ATP) (ATO/ATP)Proposed scheme implemented in Proposed scheme implemented in VERTAFVERTAF
A separate Verifier componentA separate Verifier component
Autonomous Intelligent Cruise ControllerAutonomous Intelligent Cruise Controller
3131
Future WorkFuture Work
Use Use design patternsdesign patterns to develop new to develop new state-space reduction techniquesstate-space reduction techniques
APIAPI for users to develop new state- for users to develop new state-space reduction techniquesspace reduction techniques
UML UML FOOMFOOM Integration of software Integration of software synthesissynthesis and and
verificationverification based on based on Petri NetsPetri Nets
