View
220
Download
0
Embed Size (px)
Citation preview
UCb
Verifikation af realtids Verifikation af realtids systemersystemeri i UPPAALUPPAAL
Kim G. LarsenBRICS@Aalborg
2MII’’2001 Kim G. Larsen UCb
Research ProfileDistributed Systems & Semantics Unit
Semantic Models concurrency, mobility, objects real-time, hybrid systems
Validation & Verificationalgorithms & tools
Construction real-time & network systems
3MII’’2001 Kim G. Larsen UCb
BRICS Machine Basic Research in Computer Science
30+40+40 Millkr
100
100
Aalborg Aarhus
ToolsOther revelvant projects UPPAAL, VHS, VVS, WOODDES
4MII’’2001 Kim G. Larsen UCb
Tools and BRICS
Logic• Temporal Logic• Modal Logic• MSOL • •
Algorithmic• (Timed) Automata Theory• Graph Theory• BDDs• Polyhedra Manipulation• •
Semantics• Concurrency Theory• Abstract Interpretation• Compositionality• Models for real-time & hybrid systems• •
HOL TLP
Applications
PVS ALF
SPINvisualSTATE UPPAAL
5MII’’2001 Kim G. Larsen UCb
A REAL real time system
Klaus Havelund, NASA
6MII’’2001 Kim G. Larsen UCb
Embedded Systems
SyncMaster 17GLsi
Telephone
Tamagotchi
Mobile Phone
Digital Watch
7MII’’2001 Kim G. Larsen UCb
Introducing, Detecting and Repairing Errors Liggesmeyer 98
8MII’’2001 Kim G. Larsen UCb
Introducing, Detecting and Repairing Errors Liggesmeyer 98
9MII’’2001 Kim G. Larsen UCb
Suggested Solution?
Model based validation, verfication and testing
of software and hardware
10MII’’2001 Kim G. Larsen UCb
Verification & Validation
Design Model Specification
Analysis
Implementation
Testing
11MII’’2001 Kim G. Larsen UCb
Verification & Validation
Design Model SpecificationVerification & Refusal
AnalysisValidation
Implementation
Testing
UML
SDL
12MII’’2001 Kim G. Larsen UCb
Verification & Validation
Design Model SpecificationVerification & Refusal
AnalysisValidation
Implementation
Testing
UML
SDL
ModelExtraction
AutomaticCode generation
13MII’’2001 Kim G. Larsen UCb
Verification & Validation
Design Model SpecificationVerification & Refusal
AnalysisValidation
Implementation
Testing
UML
AutomaticCode generation
AutomaticTest generation
SDL
ModelExtraction
14MII’’2001 Kim G. Larsen UCb
How?
Unified Model = State Machine!
a
b
x
ya?
b?
x!
y!b?
Control states
Inputports
Outputports
15MII’’2001 Kim G. Larsen UCb
TamagotchiA C
Health=0 or Age=2.000
B
Passive Feeding Light
Clean
PlayDisciplineMedicine
Care
Tick
Health:=Health-1; Age:=Age+1
AA
A
A
AA
A
A
Meal
Snack
B
B
ALIVE
DEAD
Health:= Health-1
16MII’’2001 Kim G. Larsen UCb
SYNCmaster
17MII’’2001 Kim G. Larsen UCb
Digital Watch
18MII’’2001 Kim G. Larsen UCb
visualSTATE
Hierarchical state systems
Flat state systems Multiple and inter-
related state machines
Supports UML notation
Device driver access
VVS w Baan Visualstate, DTU (CIT project)
19MII’’2001 Kim G. Larsen UCb
The SDL EditorThe SDL EditorThe SDL Editor
Process levelProcess level
20MII’’2001 Kim G. Larsen UCb
SP
IN, G
erald H
olzm
ann
AT
&T
21MII’’2001 Kim G. Larsen UCb
UP
PA
AL
22MII’’2001 Kim G. Larsen UCb
‘State Explosion’ problem
a
cb
1 2
43
1,a 4,a
3,a 4,a
1,b 2,b
3,b 4,b
1,c 2,c
3,c 4,c
All combinations = exponential in no. of components
M1 M2
M1 x M2
Provably theoretical
intractable
23MII’’2001 Kim G. Larsen UCb
Train Simulator1421 machines11102 transitions2981 inputs2667 outputs3204 local statesDeclare state sp.: 10^476
BUGS ?
VVSvisualSTATE
Our techniuqes has reduced verific
ation
time w
ith several orders of magnitude
(ex 14 days to 6 sec)
24MII’’2001 Kim G. Larsen UCb
Tool Support (model checking)
System Description A
Requirement FYes, Prototypes Executable Code Test sequences
No!Debugging Information
Tools: Telelogic, Verilog, UPPAAL, SPIN, MV, Statemate, visualSTATE, FormalCheck, VeriSoft, Java Pathfinder,…
TOOLTOOL
UCb
UPPAALUPPAAL
Modelling and Verification of Real Time systems
UPPAAL2k > 800 users > 35 countries
UPPAAL2k > 800 users > 35 countries
www.uppaal.com
26MII’’2001 Kim G. Larsen UCb
Collaborators@UPPsala
Wang Yi Johan Bengtsson Paul Pettersson Fredrik Larsson Alexandre David Tobias Amnell Oliver Möller
@AALborg Kim G Larsen Arne Skou Paul Pettersson Carsten Weise Kåre J Kristoffersen Gerd Behrman Thomas Hune Oliver Möller Nicky Oliver Bodentien Lasse Poulsen
@Elsewhere David Griffioen, Ansgar Fehnker, Frits Vandraager, Klaus Havelund, Theo
Ruys, Pedro D’Argenio, J-P Katoen, J. Tretmans,Judi Romijn, Ed Brinksma, Franck Cassez, Magnus Lindahl, Francois Laroussinie, Patricia Bouyer, Augusto Burgueno, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Justin Pearson...
27MII’’2001 Kim G. Larsen UCb
Hybrid & Real Time Systems
PlantContinuous
Controller ProgramDiscrete
Control Theory Computer Science
Eg.:Pump ControlAir BagsRobotsCruise ControlABSCD PlayersProduction Lines
Real Time SystemA system where correctness not only depends on the logical order of events but also on their timing
Real Time SystemA system where correctness not only depends on the logical order of events but also on their timing
sensors
actuators
TaskTask
TaskTask
28MII’’2001 Kim G. Larsen UCb
Construction of UPPAAL models
PlantContinuous
Controller ProgramDiscrete
sensors
actuators
TaskTask
TaskTask
a
cb
1 2
43
a
cb
1 2
43
1 2
43
1 2
43
a
cb
UPPAAL Model
Modelofenvironment(user-supplied)
Model oftasks(automatic?)
29MII’’2001 Kim G. Larsen UCb
Timed Automata
n
m
a
Alur & Dill 1990
Clocks: x, y
x<=5 & y>3
x := 0
Guard Boolean combination of integer boundson clocks and clock-differences.
ResetAction perfomed on clocks
Transitions
( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )
e(1.1)
( n , x=2.4 , y=3.1415 ) ( m , x=0 , y=3.1415 )
a
State ( location , x=v , y=u ) where v,u are in R
Actionused
for synchronization
30MII’’2001 Kim G. Larsen UCb
n
m
a
Clocks: x, y
x<=5 & y>3
x := 0
Transitions
( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )
e(1.1)
( n , x=2.4 , y=3.1415 )
e(3.2)
x<=5
y<=10
LocationInvariants
g1g2 g3
g4
Timed Automata Invariants
Invariants ensure
progress!!
Invariants ensure
progress!!
31MII’’2001 Kim G. Larsen UCb
The UPPAAL Model= Networks of Timed Automata + Integer Variables +….
l1
l2
a!
x>=2i==3
x := 0i:=i+4
m1
m2
a?
y<=4
………….Two-way synchronizationon complementary actions.
Closed Systems!
Two-way synchronizationon complementary actions.
Closed Systems!
(l1, m1,………, x=2, y=3.5, i=3,…..) (l2,m2,……..,x=0, y=3.5, i=7,…..)
(l1,m1,………,x=2.2, y=3.7, I=3,…..)
0.2
tau
Example transitions
If a URGENT CHANNEL
32MII’’2001 Kim G. Larsen UCb
Timed Automata in UPPAAL
Timed (Safety) Automata+ urgent actions + urgent locations+ committed locations+ data-variables (with bounded domains)+ arrays of data-variables + constants + guards and assignments over data-variables and arrays…+ templates with local clocks, data-variables, and constants.
33MII’’2001 Kim G. Larsen UCb
Declarations in UPPAAL
clock x1, …, xn;
int i1, …, im;
chan a1, …, ao;
const c1 n1, …, cp np;
Examples:
clock x, y;
int i, J0; int[0,1] k[5];
const delay 5, true 1, false 0;
Array k of five booleans.
34MII’’2001 Kim G. Larsen UCb
Timed Automata in UPPAAL
n
m
a
x<=5 & y>3
x := 0
x<=5
y<=10
g1g2 g3
g4
invinvnxnxinv ,||::
clock natural number and
}!,,,,,{
},,,,{
::
|::
,||::
op
ExpropExprg
nyxnxg
ggggg
d
c
dc
nx :
clock guards
data guards
clock assignments
clock assignments
):?(
|/
|*
|
|
||
|][|::
:
ExprExprg
ExprExpr
ExprExpr
ExprExpr
ExprExpr
Exprn
ExpriiExpr
Expri
d
location invariants
35MII’’2001 Kim G. Larsen UCb
Urgent Channels
urgent chan hurry;
Informal Semantics:• There will be no delay if transition with urgent action can be taken.
Restrictions:• No clock guard allowed on transitions with urgent actions.
• Invariants and data-variable guards are allowed.
36MII’’2001 Kim G. Larsen UCb
Urgent Locations
Click “Urgent” in State Editor.
Informal Semantics:• No delay in urgent location.
Note: the use of urgent locations reduces the number of clocks
in a model, and thus the complexity of the analysis.
37MII’’2001 Kim G. Larsen UCb
Committed Locations
Click “Committed” in State Editor.
Informal Semantics:• No delay in committed location.• Next transition must involve automata in committed location.
Note: the use of committed locations reduces the number of
clocks in a model, and allows for more space and time efficient
analysis.
38MII’’2001 Kim G. Larsen UCb
UPPAAL Specification Language
A[] p (AG p)
E<> p (EF p)
p::= a.l | gd | gc | p and p |
p or p | not p | p imply p |
( p )
clock guardsdata guardsprocess location
UCb
BRICK SORTING
40MII’’2001 Kim G. Larsen UCb
First UPPAAL modelSorting of Lego Boxes
Conveyer Belt
Exercise: Design Controller so that only black boxes are being pushed out
BoxesPiston
Black
red9 18 81 90
99
BlckRd
remove
eject
Controller
Ken Tindell
MAIN PUSH
41MII’’2001 Kim G. Larsen UCb
NQC programs
task PUSH{ while(true){ wait(Timer(1)>DELAY && active==1); active=0; Rev(OUT_C,1); Sleep(8); Fwd(OUT_C,1); Sleep(12); Off(OUT_C); }}
task PUSH{ while(true){ wait(Timer(1)>DELAY && active==1); active=0; Rev(OUT_C,1); Sleep(8); Fwd(OUT_C,1); Sleep(12); Off(OUT_C); }}
int active;int DELAY;int LIGHT_LEVEL;
int active;int DELAY;int LIGHT_LEVEL;
task MAIN{ DELAY=75; LIGHT_LEVEL=35; active=0; Sensor(IN_1, IN_LIGHT); Fwd(OUT_A,1); Display(1);
start PUSH; while(true){ wait(IN_1<=LIGHT_LEVEL); ClearTimer(1); active=1; PlaySound(1); wait(IN_1>LIGHT_LEVEL); }}
task MAIN{ DELAY=75; LIGHT_LEVEL=35; active=0; Sensor(IN_1, IN_LIGHT); Fwd(OUT_A,1); Display(1);
start PUSH; while(true){ wait(IN_1<=LIGHT_LEVEL); ClearTimer(1); active=1; PlaySound(1); wait(IN_1>LIGHT_LEVEL); }}
42MII’’2001 Kim G. Larsen UCb
From RCX to UPPAAL
Model includes Round-Robin Scheduler.
Compilation of RCX tasks into TA models.
Presented at ECRTS 2000
Task MAIN
43MII’’2001 Kim G. Larsen UCb
The Production CellCourse at DTU, Copenhagen
Production Cell
UCb
TRAIN CROSSING
45MII’’2001 Kim G. Larsen UCb
Train Crossing
River
Crossing
Gate
StopableArea
[10,20]
[7,15]
Queue
[3,5]
46MII’’2001 Kim G. Larsen UCb
Train Crossing
River
Crossing
Gate
StopableArea
[10,20]
[7,15]
Queue
[3,5]appr,stop
leave
go
emptynonemptyhd, add,rem
elel
Communication via channels andshared variable.
UCb
Communication ProtocolsCSMA/CDBRP……
48MII’’2001 Kim G. Larsen UCb
CSMA/CD protocol – MAC layer
send - service provided by Mac which reacts by transmitting a message, rec - (receive) service provided by Mac, indicates that a message is ready to be received, b - (begin) Mac begins message transmission to M, e - (end) Mac terminates message transmission to M, br - (begin receive) M begins message delivery to Mac, er - (end receive) M terminates message delivery to Mac, b - (collision) Mac is notified that a collision has occurred on M.
EVENTS
UCb
Philips Bounded Retransmission Protocol
[D’Argenio et.al. 97]
50MII’’2001 Kim G. Larsen UCb
Protocol Overview
Protocol developed by Philips.Transfer data between Audio/Video
components via infra-red communication.Data files sent in smaller chunks.Problem: Unreliable communication
medium.Sender retransmit if receiver respond too
late.Receiver abort if sender sends too late.
51MII’’2001 Kim G. Larsen UCb
Overview of BRP
Sender Receiver
S R
K
L
Input: file = p1, …, pn
lossy
lossy
Output: p1, …, pn
BRP
pi
ack
52MII’’2001 Kim G. Larsen UCb
How It Works
Sender input: file = p1, …, pn.
S sends (p1,FST,0), (p2,INC,1), …, (pn-1,INC,1), (pn,OK,0).
R sends: ack, …, ack.S retransmits pi if timeout.Receiver recives: p1, …, pn.Sender and Receiver receives NOK or OK.
whole file OK
more parts
will followfirst part of file
53MII’’2001 Kim G. Larsen UCb
Case Studies: Protocols
Philips Audio Protocol [HS’95, CAV’95, RTSS’95, CAV’96]Collision-Avoidance Protocol [SPIN’95]
Bounded Retransmission Protocol [TACAS’97]
Bang & Olufsen Audio/Video Protocol [RTSS’97]
TDMA Protocol [PRFTS’97]
Lip-Synchronization Protocol [FMICS’97]
Multimedia Streams [DSVIS’98]
ATM ABR Protocol [CAV’99]
ABB Fieldbus Protocol [ECRTS’2k]
IEEE 1394 Firewire Root Contention (2000)
54MII’’2001 Kim G. Larsen UCb
Case-Studies: Controllers
Gearbox Controller [TACAS’98]
Bang & Olufsen Power Controller [RTPS’99,FTRTFT’2k]
SIDMAR Steel Production Plant [RTCSA’99, DSVV’2k]
Real-Time RCX Control-Programs [ECRTS’2k]
Experimental Batch Plant (2000)
RCX Production Cell (2000)
55MII’’2001 Kim G. Larsen UCb
BRP Model Overview
Sender Receiver
S R
K
L
Input: file = p1, …, pn
ack
(pi,INDication,abit)
lossy
lossy
ok, nok, dkIND, ok, nok
Output: p1, …, pn
BRP
56MII’’2001 Kim G. Larsen UCb
The Lossy Media
value-passing
lossy = may drop
messages
one-place
capacity
delay
57MII’’2001 Kim G. Larsen UCb
Bounded Retransmission
S sends a chunk pi and waits for ack from R.If timeout the chunk is retransmitted.If too many timeout the transmission fails
(NOK is sent to Sender). If whole file successfully sent OK is sent to
Sender.Receiver is similar.
58MII’’2001 Kim G. Larsen UCb
Process S
59MII’’2001 Kim G. Larsen UCb
Process R
60MII’’2001 Kim G. Larsen UCb
The Sender and Receiver
61MII’’2001 Kim G. Larsen UCb
“If you want to know more”
Test & Verification http://www.cs.auc.dk/~ejersbo/tov/Plan.html
BRICS@Aalborg http://www.cs.auc.dk/research/FS/
UPPAAL http://www.uppaal.com
WOODDES, ATT (VHS): http://www.docs.uu.se/docs/rtmv/wooddes/ http://www-verimag.imag.fr/VHS/main.html
Strategic Directions in Computing Research Formal Methods Working Group, ACM June 1996 http://www.cs.cmu.edu/afs/cs/usr/wing/www/mit/mit.html