brics@aalborg uppaal systemer

UUUUCCCCbbbb

Verifikation af realtids Verifikation af realtids systemersystemeri i UPPAALUPPAAL

Kim G. LarsenBRICS@Aalborg

2MII’’2001 Kim G. LarsenUCUCUCUCb b b b

Research ProfileDistributed Systems & Semantics Unit

Semantic Modelsconcurrency, mobility, objects real-time, hybrid systems

Validation & Verificationalgorithms & tools

Constructionreal-time & network systems


BRICS Machine Basic Research in Computer Science

30+40+40 Millkr

100

100

Aalborg Aarhus

ToolsOther revelvant projects

UPPAAL, VHS, VVS, WOODDES


Tools and BRICS

Logic• Temporal Logic• Modal Logic• MSOL ••

Algorithmic• (Timed) Automata Theory• Graph Theory• BDDs• Polyhedra Manipulation••

Semantics• Concurrency Theory• Abstract Interpretation• Compositionality• Models for real-time

& hybrid systems••

HOL TLP

Applications

PVS ALFSPIN

visualSTATE UPPAAL


A REAL real time system

Klaus Havelund, NASA


Embedded Systems

SyncMaster 17GLsi

Telephone

Tamagotchi

Mobile Phone

Digital Watch


Introducing, Detecting and Repairing Errors Liggesmeyer 98


Suggested Solution?

Model based validation, verfication and testing of

software and hardware


Verification & Validation

Design Model Specification

Analysis

Implementation

Testing



Design Model SpecificationVerification & Refusal

AnalysisValidation

Implementation

Testing

UML

SDL




AnalysisValidation

Implementation

Testing

UML

SDL

ModelExtraction

AutomaticCode generation




AnalysisValidation

Implementation

Testing

UML

AutomaticCode generation

AutomaticTest generation

SDL

ModelExtraction


How?

Unified Model = State Machine!

a

b

x

ya?

b?

x!

y!b?

Control states

Inputports

Outputports


TamagotchiA C

Health=0 or Age=2.000

B

Passive Feeding Light

Clean

PlayDisciplineMedicine

Care

Tick

Health:=Health-1; Age:=Age+1

AA

A

A

AA

A

A

Meal

Snack

B

B

ALIVE

DEAD

Health:=Health-1


SYNCmaster


Digital Watch


visualSTATE

� Hierarchical state systems

� Flat state systems� Multiple and inter-

related state machines

� Supports UML notation

� Device driver access

VVSw Baan Visualstate, DTU (CIT project)


The SDL EditorThe SDL EditorThe SDL Editor

Process levelProcess level


SPIN, G

erald Holzm

ann AT&

T


UPP A

AL


‘State Explosion’ problem

a

cb

1 2

43

1,a 4,a

3,a 4,a

1,b 2,b

3,b 4,b

1,c 2,c

3,c 4,c

All combinations = exponential in no. of components

M1 M2

M1 x M2

Provably theoretical

intractable


Train Simulator1421 machines11102 transitions2981 inputs2667 outputs3204 local statesDeclare state sp.: 10^476

BUGS ?

VVSvisualSTATE

Our techniuqes has reduced verification

time with several orders of magnitude

(ex 14 days to 6 sec)


Tool Support (model checking)

System Description A

Requirement F Yes, PrototypesExecutable CodeTest sequences

No!Debugging Information

Tools: Telelogic, Verilog, UPPAAL, SPIN, MV, Statemate, visualSTATE, FormalCheck, VeriSoft, Java Pathfinder,…

TOOLTOOL

UUUUCCCCbbbb

UPPAALUPPAAL

Modelling and Verification ofReal Time systems

UPPAAL2k> 800 users> 35 countries

UPPAAL2k> 800 users> 35 countries

www.uppaal.com


Collaborators@UPPsala

�Wang Yi�Johan Bengtsson�Paul Pettersson�Fredrik Larsson�Alexandre David�Tobias Amnell�Oliver Möller

@AALborg�Kim G Larsen�Arne Skou�Paul Pettersson�Carsten Weise �Kåre J Kristoffersen�Gerd Behrman�Thomas Hune�Oliver Möller�Nicky Oliver Bodentien�Lasse Poulsen

@Elsewhere�David Griffioen, Ansgar Fehnker, Frits Vandraager, Klaus Havelund,

Theo Ruys, Pedro D’Argenio, J-P Katoen, J. Tretmans,Judi Romijn, Ed Brinksma, Franck Cassez, Magnus Lindahl, Francois Laroussinie, Patricia Bouyer, Augusto Burgueno, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Justin Pearson...


Hybrid & Real Time Systems

PlantContinuous

Controller ProgramDiscrete

Control Theory Computer Science

Eg.: Pump ControlAir BagsRobotsCruise ControlABSCD PlayersProduction Lines

Real Time SystemA system where correctness not only depends on the logical order of events but also on their timing

Real Time SystemA system where correctness not only depends on the logical order of events but also on their timing

sensors

actuators

TaskTask

TaskTask


Construction of UPPAAL models

PlantContinuous

Controller ProgramDiscrete

sensors

actuators

TaskTask

TaskTask

a

cb

1 2

43

a

cb

1 2

43

1 2

43

1 2

43

a

cb

UPPAAL Model

Modelofenvironment(user-supplied)

Model oftasks(automatic?)


Timed Automata

n

m

a

Alur & Dill 1990

Clocks: x, y

x<=5 & y>3

x := 0

Guard Boolean combination of integer boundson clocks and clock-differences.

ResetAction perfomed on clocks

Transitions

( n , x=2.4 , y=3.1415 )( n , x=3.5 , y=4.2415 )

e(1.1)

( n , x=2.4 , y=3.1415 )( m , x=0 , y=3.1415 )

a

State( location , x=v , y=u ) where v,u are in R

Actionused

for synchronization


n

m

a

Clocks: x, y

x<=5 & y>3

x := 0

Transitions

( n , x=2.4 , y=3.1415 )( n , x=3.5 , y=4.2415 )

e(1.1)

( n , x=2.4 , y=3.1415 )e(3.2)

x<=5

y<=10

LocationInvariants

g1g2 g3

g4

Timed Automata Invariants

Invariants ensure progress!!

Invariants ensure progress!!


The UPPAAL Model= Networks of Timed Automata + Integer Variables +….

l1

l2

a!

x>=2i==3

x := 0i:=i+4

m1

m2

a?

y<=4

………….Two-way synchronizationon complementary actions.

Closed Systems!

Two-way synchronizationon complementary actions.

Closed Systems!

(l1, m1,………, x=2, y=3.5, i=3,…..) (l2,m2,……..,x=0, y=3.5, i=7,…..)

(l1,m1,………,x=2.2, y=3.7, I=3,…..)0.2

tau

Example transitions

If a URGENT CHANNEL


Timed Automata in UPPAAL

�Timed (Safety) Automata+ urgent actions + urgent locations+ committed locations+ data-variables (with bounded domains)+ arrays of data-variables + constants + guards and assignments over data-variables and

arrays…+ templates with local clocks, data-variables, and

constants.


Declarations in UPPAAL

clock x1, …, xn;

int i1, …, im;

chan a1, …, ao;

const c1 n1, …, cp np;

Examples:clock x, y;

int i, J0; int[0,1] k[5];

const delay 5, true 1, false 0;

Array k of five booleans.


Timed Automata in UPPAAL

n

m

a

x<=5 & y>3

x := 0

x<=5

y<=10

g1g2 g3

g4

invinvnxnxinv ,||:: ≤<=

clock natural number and

}!,,,,,{},,,,{

::|::

,||::

=>>==<=<∈>>==<=<∈

=+=

=

op

ExpropExprgnyxnxg

ggggg

d

c

dc

�

��

nx =:

clock guards

data guards

clock assignments

clock assignments

):?(|/|*||

|||][|::

:

ExprExprgExprExprExprExprExprExprExprExpr

ExprnExpriiExpr

Expri

d

−+

−=

=

location invariants


Urgent Channels

urgent chan hurry;

Informal Semantics:• There will be no delay if transition with urgent action can be taken.

Restrictions:• No clock guard allowed on transitions with urgent actions.• Invariants and data-variable guards are allowed.


Urgent Locations

Click “Urgent” in State Editor.

Informal Semantics:• No delay in urgent location.

Note: the use of urgent locations reduces the number of clocks in a model, and thus the complexity of the analysis.


Committed Locations

Click “Committed” in State Editor.

Informal Semantics:• No delay in committed location.• Next transition must involve automata in committed location.

Note: the use of committed locations reduces the number of clocks in a model, and allows for more space and time efficient analysis.

UUUUCCCCbbbb

BRICK SORTING


First UPPAAL modelSorting of Lego BoxesSorting of Lego BoxesSorting of Lego BoxesSorting of Lego Boxes

Conveyer Belt

Exercise: Design Controller so that only black boxes are being pushed out

BoxesPiston

Black

red9 18 81 90

99

BlckRd

remove

eject

Controller

Ken Tindell

MAIN PUSH


NQC programs

task PUSH{while(true){

wait(Timer(1)>DELAY && active==1);active=0;Rev(OUT_C,1);Sleep(8);Fwd(OUT_C,1);Sleep(12);Off(OUT_C);

}}

task PUSH{while(true){

wait(Timer(1)>DELAY && active==1);active=0;Rev(OUT_C,1);Sleep(8);Fwd(OUT_C,1);Sleep(12);Off(OUT_C);

}}

int active;int DELAY;int LIGHT_LEVEL;

int active;int DELAY;int LIGHT_LEVEL;

task MAIN{DELAY=75;LIGHT_LEVEL=35;active=0;Sensor(IN_1, IN_LIGHT);Fwd(OUT_A,1);Display(1);

start PUSH;

while(true){wait(IN_1<=LIGHT_LEVEL);ClearTimer(1);active=1;PlaySound(1);wait(IN_1>LIGHT_LEVEL);

}}

task MAIN{DELAY=75;LIGHT_LEVEL=35;active=0;Sensor(IN_1, IN_LIGHT);Fwd(OUT_A,1);Display(1);

start PUSH;

while(true){wait(IN_1<=LIGHT_LEVEL);ClearTimer(1);active=1;PlaySound(1);wait(IN_1>LIGHT_LEVEL);

}}


From RCX to UPPAAL

�Model includes Round-Robin Scheduler.

�Compilation of RCX tasks into TA models.

�Presented at ECRTS2000

Task MAIN


The Production CellCourse at DTU, Copenhagen

Production Cell

UUUUCCCCbbbb

TRAIN CROSSING


Train Crossing

River

Crossing

Gate

StopableArea

[10,20]

[7,15]

Queue

[3,5]


Train Crossing

River

Crossing

Gate

StopableArea

[10,20]

[7,15]

Queue

[3,5]appr,stop

leave

go

emptynonemptyhd, add,rem

elel

Communication via channels andshared variable.

UUUUCCCCbbbb

Communication ProtocolsCSMA/CDBRP……


CSMA/CD protocol – MAC layer

send - service provided by Mac which reacts by transmitting a message,

rec - (receive) service provided by Mac, indicates that a message is ready to be received,

b - (begin) Mac begins message transmission to M, e - (end) Mac terminates message transmission to M, br - (begin receive) M begins message delivery to Mac, er - (end receive) M terminates message delivery to Mac, b - (collision) Mac is notified that a

collision has occurred on M.

EVENTS

UUUUCCCCbbbb

Philips Bounded Retransmission Protocol

[D’Argenio et.al. 97]


Protocol Overview�Protocol developed by Philips.�Transfer data between Audio/Video components

via infra-red communication.�Data files sent in smaller chunks.�Problem: Unreliable communication medium.�Sender retransmit if receiver respond too late.�Receiver abort if sender sends too late.


Overview of BRP

Sender Receiver

S R

K

L

Input: file = p1, …, pn

lossy

lossy

Output: p1, …, pn

BRP

pi

ack


How It Works

�Sender input: file = p1, …, pn.

�S sends (p1,FST,0), (p2,INC,1), …, (pn-1,INC,1), (pn,OK,0).

�R sends: ack, …, ack.�S retransmits pi if timeout.�Receiver recives: p1, …, pn.�Sender and Receiver receives NOK or OK.

whole file OK

more parts will followfirst part of file


Case Studies: Protocols

�Philips Audio Protocol [HS’95, CAV’95, RTSS’95, CAV’96]�Collision-Avoidance Protocol [SPIN’95]

�Bounded Retransmission Protocol [TACAS’97]

�Bang & Olufsen Audio/Video Protocol [RTSS’97]

�TDMA Protocol [PRFTS’97]

�Lip-Synchronization Protocol [FMICS’97]

�Multimedia Streams [DSVIS’98]

�ATM ABR Protocol [CAV’99]

�ABB Fieldbus Protocol [ECRTS’2k]

�IEEE 1394 Firewire Root Contention (2000)


Case-Studies: Controllers

�Gearbox Controller [TACAS’98]

�Bang & Olufsen Power Controller [RTPS’99,FTRTFT’2k]

�SIDMAR Steel Production Plant [RTCSA’99, DSVV’2k]

�Real-Time RCX Control-Programs [ECRTS’2k]

�Experimental Batch Plant (2000)

�RCX Production Cell (2000)


BRP Model OverviewSender Receiver

S R

K

L

Input: file = p1, …, pn

ack

(pi,INDication,abit)

lossy

lossy

ok, nok, dk IND, ok, nok

Output: p1, …, pn

BRP


The Lossy Media

value-passing

lossy = may dropmessages

one-place capacity

delay


Bounded Retransmission

�S sends a chunk pi and waits for ack from R.�If timeout the chunk is retransmitted.�If too many timeout the transmission fails

(NOK is sent to Sender). �If whole file successfully sent OK is sent to

Sender.�Receiver is similar.


Process S


Process R


The Sender and Receiver


“If you want to know more”

�Test & Verification � http://www.cs.auc.dk/~ejersbo/tov/Plan.html

�BRICS@Aalborg� http://www.cs.auc.dk/research/FS/

�UPPAAL� http://www.uppaal.com

�WOODDES, ATT (VHS):� http://www.docs.uu.se/docs/rtmv/wooddes/� http://www-verimag.imag.fr/VHS/main.html

�Strategic Directions in Computing Research Formal Methods Working Group, ACM June 1996� http://www.cs.cmu.edu/afs/cs/usr/wing/www/mit/mit.html

brics@aalborg uppaal systemer

Documents