Verifying Distributed Real-time Properties of Embedded Systems via Graph Transformations and Model Checking
Gabor Madl (gabe@isis.vanderbilt.edu), Abdelwahed, Douglas C. Schmidt
This work was supported by the NSF ITR Grant CCR-0225610 “Foundations of Hybrid and Embedded Software Systems.”
Outline
Challenge problems
Approach
Verification tool chain using GME
Generic timed automata model
Case study: Verification of a Bold Stroke application
  Boeing Bold Stroke execution framework
  Embedded Systems Modeling Language (ESML)
  Transformation of the example application
  Verifying properties with UPPAAL
Challenge problems
Distributed Real-Time Embedded (DRE) systems are traditionally hard to verify
In the Model Integrated Computing approach we create application models using Domain Specific Modeling Languages (DSMLs)
We verify application models by mapping them to formally defined Models of Computation using well-defined model transformations (e.g. graph transformations) and checking the desired properties in that semantic domain
Approach
Diagram: a Domain Specific Model is mapped by a semantic mapping into a Semantic Domain; the resulting Analysis Model is the input of a Model Checker (property verification) and of a Simulator (trace verification), both of which return design feedback; a Generator produces the Executable Code.
Verification tool chain using GME
Tool chain diagram: Component-based Modeling Language (ESML) -> Model Checker Input Domain (Timed Automata) -> UPPAAL Model Checker
We provide a common framework based on the Graph Rewriting and Transformation (GREAT) tool, which utilizes graph transformations, and the UPPAAL model checker to verify the non-preemptive scheduling of embedded systems
Generic timed automata model
Case study: Verification of a Bold Stroke application
Boeing Bold Stroke Execution Framework
Unsynchronized software timers trigger the periodic processing; event passing is asynchronous
Priority bands execute same-priority actions
Preemptive scheduling between bands, non-preemptive between actions with the same priority
Priority bands are implemented using 3 threads (Thread-Pool policy for multi-threading)
Diagram: two processes (Process1, Process2), each with its own Scheduler, its Actions, and Priority Bands #1 to #5, each band with its own ORB; a timer Timeout leads to a Dispatch through the ORB; the two processes communicate via IPC.
Modeling the Bold Stroke application using the ESML language
ESML is a modeling language for component-based, event-driven systems
It uses the publisher/subscriber communication pattern
The models contain information about priorities, sub-priorities, worst case execution times and deadlines for actions
Proposed Model of Computation for Bold Stroke
Graph transformation using GREAT
Diagram: pattern of components; OR decomposition
Verifying properties with UPPAAL
Deadlock: A[] not deadlock
The system is schedulable if all tasks can be executed within their deadlines
Verifying this property does not require an additional property query because the Timeout state deadlocks the model in our design: a missed deadline shows up as a deadlock, so the query above is the schedulability check
Additional properties can also be checked because dependencies and dense time information are captured in the network of timed automata
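The scheduling rules of the Bold Stroke execution framework and the deadline check just described, as an added Python example that is not part of the original slides and uses neither UPPAAL nor GReAT: a discrete-time execution of unsynchronized periodic timers with preemption between priority bands and non-preemptive FIFO execution inside a band, where a job that reaches its absolute deadline unfinished plays the role of the Timeout state. The Action and Job types and all action parameters are constructed for the example.

```python
from dataclasses import dataclass
from math import lcm
# Constructed example (not the paper's ESML model or GReAT rules): executes
# the scheduling rules of the slides in discrete time. A job still unfinished
# at its absolute deadline plays the role of the automaton's Timeout state.

@dataclass(frozen=True)
class Action:
    name: str
    period: int    # timer period
    offset: int    # timer phase (software timers are unsynchronized)
    wcet: int      # worst-case execution time
    deadline: int  # relative deadline
    band: int      # priority band, lower number = higher priority

@dataclass
class Job:
    action: Action
    release: int
    remaining: int

def simulate(actions, horizon=None):
    """Return [(action name, release time)] for every missed deadline."""
    if horizon is None:
        horizon = lcm(*(a.period for a in actions))  # hyperperiod
    ready, misses, running = [], [], None
    for t in range(horizon + 1):
        if t < horizon:  # timers fire at offset + k * period
            for a in actions:
                if t >= a.offset and (t - a.offset) % a.period == 0:
                    ready.append(Job(a, t, a.wcet))
        for job in list(ready):  # Timeout: deadline reached with work left
            if t >= job.release + job.action.deadline:
                misses.append((job.action.name, job.release))
                ready.remove(job)
                if job is running:
                    running = None
        if t == horizon or not ready:
            continue
        top = min(j.action.band for j in ready)
        # idle CPU or a higher band preempts; a running job of the top band
        # keeps the CPU (non-preemptive within a band); FIFO release order
        if running is None or running.action.band > top:
            running = next(j for j in ready if j.action.band == top)
        running.remaining -= 1
        if running.remaining == 0:
            ready.remove(running)
            running = None
    return misses
```

An empty result over the hyperperiod means every job met its deadline, the analogue of A[] not deadlock holding; a non-empty result names the action and release time that would drive the automaton into Timeout.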
Conclusion and future directions
We presented a solution to verify dense-time properties of periodic event-driven systems
We have formalized the graph transformation as well as the computational model behind Bold Stroke
The verification process can provide simulation runs and pinpoint components that fail to meet their deadlines
Modeling preemption while avoiding the state explosion problem is our long-term goal
Questions?