compositional analysis of timed systems by abstraction

Compositional Analysis of Timed Systems by

Abstraction

Leonid Mokrushin

TAPVES2007-02-08

Info

rmati

onst

ekn

olo

gi

Institutionen för informationsteknologi | www.it.uu.se

Outline

Motivation Arrival/Service Curves Compositional Analysis TA as Curve Transformers Abstracting TA Examples and Demo Conclusions

Info

rmati

onst

ekn

olo

gi


The ABB Robot Controller

ABB robot controller (2 500 000 loc) Real time tasks A,B,C,D Read inputs from channels write output

to channels Task priority order D>C>B>A (FPS) Buffer overflow/underflow, WCRT

A B C DCommands High-level

instructions

Precise moves

Requests

Weldingprogram

Info

rmati

onst

ekn

olo

gi


Old Results (CFSM)

Turing power

Equivalent to finite automata

people: Brand, Zafiropulo, Pachl, Purush Iyer, Finkel, Abdulla, Jonsson

A B A A B

A B С A B

Halfduplex

Info

rmati

onst

ekn

olo

gi


Communicating Timed Automata (CTA)

Replace Finite Automata by Timed Automata Communication via unbounded FIFO channels Time is global (time passes globally and for all

automata in the same pace)

A, B, C – Timed Automata Negative results carry over Positive results – do not carry over (previous

proofs do not work in timed setting)

A B С

Info

rmati

onst

ekn

olo

gi


CTA - Results

CTA with one channel

Accepts non-regular context free languages Only regular languages in the untimed case! Equivalent to Petri Nets with one unbounded

place (Eager reading: One-counter machines)

CTA with two channels

Non-context free context sensitive languages Petri Nets with two unbounded places (Eager

reading: Turing machines)

[CAV06, Pavel & Wang]

A B

A B С

Info

rmati

onst

ekn

olo

gi


The ABB Robot Controller

TAA TAB TAC TAD

TASCH

TaskReadyQueue

Shared variables

TAAxTABxTACxTADxTASCH with queues is TOO BIG

Info

rmati

onst

ekn

olo

gi


In general:

Precise analysis is impossible

Our hope:

Find a suitable abstraction

Info

rmati

onst

ekn

olo

gi


Kahn Process Networks (‘70s)

S1, S2, S3,… – streams possibly infinite sequences of letters

A,B,C – processes mappings from streams to streams, e.g., B:(S2, S6) S5

A

B C

S1

S3S2

S6

S5

S4

Modeling Distributed, Signal Processing Systems

Info

rmati

onst

ekn

olo

gi


Abstract Stream Transformers

Components = Abstract stream transformers Abstract stream defines a timed language

Asynchronous communication Network Calculus (Cruz, Boudec, Thiran ‘91-’04)

Arrival Curves Real-Time Calculus (Thiele, Chakraborty ‘00s)

Upper/Lower Arrival/Service Curves

A2

A3

A1

Q1

Q2

Abstract stream

Abstract stream

Abstract stream

Abstract stream

Abstract stream

Info

rmati

onst

ekn

olo

gi


Arrival/Service Curves

time

events

windowsize

numberof events

window sizetime

availableresources

windowsize

availableservice

window size

upper bound

lower bound

upper bound

lower bound

Arrival Curves(events / data)

Service Curves(resources)

(a,3)(a,3.34)(a,3.39)(a,4)(a,10)... (100%,0)(50%,3.3)(100%,7)...

Info

rmati

onst

ekn

olo

gi


Building an Arrival Curve

t

window size slide

Slide a timed window of a fixed size Count max/min number of events in the window

Choose another window etc.

t

window size

events

[0,4]

[1,5]

Info

rmati

onst

ekn

olo

gi


Timing Analysis

Delay bound = max vertical distance required buffer size

Backlog bound = max horizontal distance flow delay bound

requiredbuffersize

guaranteedresource(lowerservicecurve)

worst caserequest(upperarrivalcurve)

windowsize

numberof events

response time(flow delay bound)

Info

rmati

onst

ekn

olo

gi


Compositional Timing Analysis

Component = Stream Transformer Stream = Upper & Lower Bounds Real-Time Calculus

SO = fE(SI, SAR), SRR = fR(SI, SAR)

Compositional Analysis Scheduling, end-to-end delay, backlog

TASK

AvailableResources

RemainingResources

OutputInputT1

T2

T3

T4

=

=

Event Stream

Resource StreamSO

SRR

SI

SAR

Info

rmati

onst

ekn

olo

gi


Resources & Scheduling

Fixed priority scheduling policy Priority order:

Priority(A)<Priority(B)<Priority(C)<Priority(D) Highest priority task has 100% of CPU Negative service curve = non-schedulable Opposite direction gives min resource

A B C D100%

<100%

Info

rmati

onst

ekn

olo

gi


Timed Automata with Tasks Events

Actions

Timing constraints Clocks / Guards / Resets Complex event pattern

Tasks Asynchronous execution WCET, Deadline Scheduling policy Precedence constraints Resource constraints

Task (C,D)Task (C,D)

x<3

a!

x:=0

Info

rmati

onst

ekn

olo

gi


Run of TAT

(Idle, x=0, [])

Idle

P

Q

0.1 (Idle, x=0.1, [])

(RelP, x=0, [P(2,8)]) 1.5 (RelP, x=1.5, [P(0.5,6.5)])

(RelQ, x=1.5, [P(0.5,6.5),Q(2,20)])

1.5 (RelQ, x=3, [Q(1,18.5)])

(Idle, x=3, [Q(1,18.5)])

(RelP, x=0, [P(2,8),Q(1,18.5)])

0.1 1.6 2.1 3.1

2 (RelP, x=2, [Q(1,16.5)])

5.1

Info

rmati

onst

ekn

olo

gi


TA as Curve Transformers

Timed Automata as complex task release patterns We have to make them operate on curves

TA1

T2

T1

TA2

a!

b? c! T3

Ready queue

a!

Timed Automaton

OS SchedulingPolicy

Safe

Stop

Crossx<=5

Apprx<=20

Startx<= 15

x>=10x=0

x<=10stop[id]?

x>=3leave[id]!

appr[id]!x=0

x>=7x=0

go[id]?x=0

CPU

b?Taskcompleted

Taskreleased

TIMESTool

Info

rmati

onst

ekn

olo

gi


TA <-> Curve Transformation

TA Modelof a SystemComponent

Event Generator Event Observer

L(EG) = L(AC)

ArrivalCurve

DepartureCurve

Curve transformation using UPPAAL

input output

F L(F(AC)) L(EO)

window size

numberof events

upper bound

lower bound

window size

numberof events

upper bound

lower boundAEG || AFi

|| AEOfor every component Fi is possible

Assumption:

Info

rmati

onst

ekn

olo

gi


Encoding Arrival Curves as TA

wait forall(j:int[0,LB-1])m[j]==0 ||x[getIndex(m[j])]<j+1

upper

v<UB &&M[v]<=counter &&x[getIndex(M[v])]>vv++

v==UB ||M[v]>countera!addNewEvent(),v:=0

const int LB = 12;const int UB = 12;const int m[LB] = {0,0,0,1,1,1,2,2,3,3,3,4};const int M[UB] = {2,2,4,4,4,4,5,5,7,7,7,7};const int CN = m[LB-1]<M[UB-1]?M[UB-1]:m[LB-1];

clock x[CN];int[0,CN-1] index;int[0,CN] counter;int[0,UB] v;

int[0,CN-1] getIndex(int backtrack) { int i = index-backtrack; if(i<0) i += CN; return i;}

void addNewEvent() { x[index]:=0; index = (index==CN-1?0:index+1); if(counter<CN) counter++;}

const int LB = 12;const int UB = 12;const int m[LB] = {0,0,0,1,1,1,2,2,3,3,3,4};const int M[UB] = {2,2,4,4,4,4,5,5,7,7,7,7};const int CN = m[LB-1]<M[UB-1]?M[UB-1]:m[LB-1];

clock x[CN];int[0,CN-1] index;int[0,CN] counter;int[0,UB] v;

int[0,CN-1] getIndex(int backtrack) { int i = index-backtrack; if(i<0) i += CN; return i;}

void addNewEvent() { x[index]:=0; index = (index==CN-1?0:index+1); if(counter<CN) counter++;}

time

window size

numberof events

M[UB]

m[LB] CN=7

circular clock buffer

x1 x2 x3 x4 x5 x6 x7

pointer

X4>M[i-1]

X3>M[i-2]

X2>M[i-3]

X1>M[i-4]

Invariant lower bound

Guard upper bound

Generator

Info

rmati

onst

ekn

olo

gi


Approximating TA with Arrival Curves

idle

countx<=dt+1

stop

x:=0

x<=dta?counter++

x>dt

clock x;int counter;

clock x;int counter;

ASYSTEM || AOBSERVER

One clock & one integer Non-deterministic window offset One window one state space

exploration Max considerable window size (dt)

must be specified

numberof events

dt

time

dt

max & min

Observer

dt

time

dttime

x==0 x==dt

Info

rmati

onst

ekn

olo

gi


A Problem with Approximation

numberof events

window size

Last measured dt

Actual stream

Overapproximated stream

t

We need to know “safe” value of dt

Info

rmati

onst

ekn

olo

gi


A Problem with Approximation

numberof events

window size

response time

Service curve

Sometimes we can still perform timing analysis using “precise” data

An adaptive approach?

Info

rmati

onst

ekn

olo

gi


Another algorithm

numberof events

window size

Search for the segment that touches the curve Find the smallest intersection point and repeat Encoding of the intersection criterion into TA

=m/n

Angle is rational

m,n - integers LCM(m,n) can

become very big (hyperperiod)

Rapid slow down

Info

rmati

onst

ekn

olo

gi


Simple Scheduling Example

4 tasks: 3 periodic+1 aperiodic (TA) Preemptive fixed priority scheduling Given BCET/WCET Abstracting release pattern with streams Analysis

Worst case response time Required OS ready queue size

Info

rmati

onst

ekn

olo

gi


An Example with Feedback

TASK1 input depends on the TASK2 output TASK1 uses TASK2’s remaining resource TASK2 input depends on TASK1 output Given

TASK1 input stream Initial condition on activation of TASK2

Iterative computation until fixed point

TASK1 TASK2AND

CPUInitial

Condition

InputStream

100%

Info

rmati

onst

ekn

olo

gi


Books & Papers

Rene L. Cruz. A Calculus for Network Delay. IEEE Transactions on Information Theory, 1991

J.-Y. Le Boudec, P. Thiran. Network Calculus. A Theory of Deterministic Queuing Systems for the Internet. 2004

L. Thiele and S. Chakraborty and M. Naedele. Real-time Calculus for Scheduling Hard Real-Time Systems. Proc. of ISCAS, 2000

L. Thiele and S. Chakraborty and M. Gries and A. Maxiaguine and J. Greutert. Embedded Software in Network Processors - Models and Algorithms. Proc. of EMSOFT, 2001

E. Wandeler, L. Thiele. Real-Time Interfaces for Interface-Based Design of Real-Time Systems with Fixed Priority Scheduling. 2005

P. Krcal, L. Mokrushin, W. Yi. A Tool for Compositional Analysis of Timed Systems by Abstraction. Tool paper submitted to CAV 2007.…

Info

rmati

onst

ekn

olo

gi


Conclusions Abstraction technique for timed component

systems One component at a time

no big product (GALP) Possibility to parallelize verification Heterogeneous systems

a potential to combine different formalisms Prototype

How good is our abstraction? (Examples) Feedback? (Termination) Bound on max window size? (Adaptation?) Shared resources? (Priority Ceiling Protocol)

Info

rmati

onst

ekn

olo

gi


Thank you!

compositional analysis of timed systems by abstraction

Documents