compositional verification of timed systems. a concept. bengt jonsson leonid mokrushin xiaochun shi...

Compositional Verification of Timed Systems. A Concept.

Bengt JonssonLeonid Mokrushin

Xiaochun ShiWang Yi

Uppsala UniversitySweden

Distributed Embedded Systems Workshop23.11.05, Lorentz Center

Info

rmati

onst

ekn

olo

gi

Institutionen för informationsteknologi | www.it.uu.se

The Problem: Robot Controller

A B C D100 13 1

10Commands High-level

instructions

Precise moves

Requests

Weldingprogram

2.5·106 LoC

Info

rmati

onst

ekn

olo

gi


Properties of Interest

Buffer Overflow/Underflow component D never stops when welding

Sufficient Buffer Sizes Schedulability

components execute tasks on a single CPU Task Response Times (and its reserve)

A B C D100 13 1

10Commands High-level

instructions

Precise moves

Requests

Info

rmati

onst

ekn

olo

gi


Verification Using TA Models

System abstraction TA model Tasks, Scheduler TA model Properties TCTL formulae UPPAAL/TIMES: trying to search for bugs in

”all the combinations of local states”:

S1 || S2 || ... || Sm || q1 || q2 || ... || qn

Very difficult, often impossible

Info

rmati

onst

ekn

olo

gi


Stream Transformers

System/Component = Stream Transformer

Kahn Process Networks [Kahn74] One-way Infinite FIFO Queues Deterministic Model

Queue data is independent of the process firing order

A2

A3

A1

Q1

Q2

......eee..e.ee

....aa..a...a

...bb..b

...cc..ccc

...dd..d..dd

Info

rmati

onst

ekn

olo

gi


Abstract Stream Transformers

Network Calculus Arrival Curves [Recent work, 90s-2005]

A2

A3

A1

Q1

Q2

Set of streams

Set of streams

Set of streams

Set of streams

Set of streams

Info

rmati

onst

ekn

olo

gi


Abstract Stream

t

window size slide

Slide a timed window of a fixed size Count max/min number of events in the window

Choose another window etc.

t

window size

events

[0,4]

[1,5]

Info

rmati

onst

ekn

olo

gi


Arrival Curve

# ofevents

windowsize

C

L(C)=Set of streams (set of event streams satisfying all bounds for all window sizes)

lower bound

upper bound

Info

rmati

onst

ekn

olo

gi


Modular Analysis (no feedback)

A1

System/Component = Arrival Curve Transformer

A2Assumption

On TheEnvironment

The “MaximalComponentCapability”

Q1

This can be done modularly if there is no feedback We may need a buffer to connect them Comparing the curves we will answer:

if A1 and A2 can “work together”? (all the events generated by A1 will be received and processed by A2)

what is the sufficient size of the buffer? what is the output curve of A2?

Info

rmati

onst

ekn

olo

gi


Transforming Curves Using TA

TA Modelof a SystemComponent

Event Generator

Event Observer

L(EG) = L(AC)

ArrivalCurve

DepartureCurve

Verification(s) in UPPAAL

input output

F

Info

rmati

onst

ekn

olo

gi


What About Feedback?

We may first assume some input curves e.g. the “worst case” or the “maximum capability”

Compute the output curves by approximations

Iterate…

A B C D

Info

rmati

onst

ekn

olo

gi


Resources & Scheduling

FPS, priority order:Priority(A)<Priority(B)<Priority(C)<Priority(D)

Service Curves Same as arrival curves but express

available resource within windows Service Curve Generators/Observers

A B C D100%

<100%

Info

rmati

onst

ekn

olo

gi


Putting It All Together

Given input data and resource curves

1. Propagate resource to the left Assuming “worst case” for data

2. Propagate “real” data to the right Using pre-computed resources

3. Using new data refine step 1.

4. Using new resource refine step 2.

5. Iterate until it stabilizes (e.g. output/resource)

A B C D100%

Input

RESOURCE

DATA

Info

rmati

onst

ekn

olo

gi


Cons & Pros One component at a

time (no big product, GALP)

Composability analysis (buffers)

Possibility to parallelize verification

Heterogeneous systems (a potential to combine different formalisms)

Preemptive FPS

Feedback Bound on max

window size EDF Shared resources Precedence

constraints

compositional verification of timed systems. a concept. bengt jonsson leonid mokrushin xiaochun shi...

Documents

abcd slide

loc slide

impossible slide

dd slide

lorentz center slide

ta ta model

timed window

t window size events