machine-assisted parameter synthesis of the biphase mark protocol using event order abstraction

Shinya Umeno

Nancy Lynch’s Group

CSAIL, MIT

TDS seminar

September 18th, 2009

Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol Using Event Order Abstraction

Shinya Umeno, TDS seminar, September 18th 2009

FORMATS 2009

The 7th International Conference on Formal Modelling and Analysis of Timed Systems

Mostly theory papers (decidability, recognizability, etc).

Some application papers (using Alur-Dill automata and UPPAAL).

No parametric approach paper, except for mine.

FACTS:


Keywords of The Talk

Time-Parametric Verification

Timing Parameter Constraint Synthesis

Real-time System Analysis (Formal Methods)

Event-Order-Based Abstraction of Timed Systems

Case Study Using an “Industrial” Example


Outline

Biphase Mark Protocol (BMP)

Our Approach: Event Order Abstraction

Case Study Result

Bad Event Orders of BMP

Parameter Constraints for Bad EOs

Timing Constraints for Correctness

Human Guidance + Automatic Synthesis

Case Studies by Several Approaches

(Umeno, EMSOFT 2008)


- is a lower-layer communication protocol for consumer and industrial electronics.

- uses timing constraints on system’s behavior to encode and decode bits.

Biphase Mark Protocol (BMP)

- used in a digital audio protocol, S/PDIF (Sony Philips Digital InterFace)


Biphase Mark Protocol (BMP)Bits to be sent: 1 0 1 1

Cell:

Sub-Cell:(Mark)

Signal

Time

Represents 1 by Toggling, and 0 by Flat signal



Cell:

Sub-Cell:(Mark)

Signal:

Time

Detects a signal level change

Detection:



Cell:

Sub-Cell:(Mark)

Signal:

Time

Detects a signal level change

Detection:

Check a signal level change



Cell:

Sub-Cell:(Mark)

Signal:

Time

Detection:

Decoded Bits: 1 0 1 1

Toggling is detected Flat is detected



Cell:

Sub-Cell:(Mark)

Signal:

Time

Detection:

Decoded Bits: 1 0 1 1

Timing Parameters: C, M1, , T (and Metastability H)


A parametric approach gives the user more information than a fixed-parameter approach (such as the Alur-Dill timed automata approach).

• Does the system satisfy a desirable property irrespective to parameter settings?

• If a parameter setting affects system correctness, then what are parameter sets that satisfy the correctness?

Why Parametric Approach?

Optimization under parameter constraints

(Undecidable; Alur et al.)


Our Goal for BMP Case StudyCorrectness:

Synthesize parameter constraints under which the correctness is guaranteed.

1. Sent bits = Decoded bits

2. No decoding overflow/underflow

- Special module for tracking the information

Goal:

Sender Receiver

Monitor

Signal Toggling

Sending Bits Decoded Bits


Why is BMP Parametric Verification Challenging?

s0 (DetectF, Δ) s1 (DetectF, 2Δ) s2 (DetectF, 3Δ) s3 …

s0 DetectF s1 DetectF s2 DetectF s3 …

Timed execution:

Untimed execution:

All of si’s are different!Reachable state (fixed point) computation will not terminate.

All of si’s are same (DetectF is just a stuttering transition).

(TReX extrapolation technique takes care of this.)

Due to repetitions with timing constraints!


Modeling: Time-Interval Automata

A time-interval automaton (A,b) is an I/O automaton A with an interval boundmap b.

An I/O automaton:

• Is a classical state transition machine with distinguished input/output/internal actions.

• Is typically described using a guarded-command style language.

Suitable for concurrent/distributed systems.


Interval Boundmapb (, ) = [L , U ]

An action of A

A set of actions that follow

A lower bound L and an upper bound U for the duration between and any

action in

b (DetectF, {DetectF, DetectT}) = []

Example from BMP:

b (DetectT, {Decode} ) = [] (Sampling distance)

(Repeated checks)


TIA Code of the Encoder

Precondition (transition guard)

State variables

Transition signatures

Effects (transition commands)

Time bounds

Automaton Declaration


Overview of Our Approach (Event Order Abstraction, EOA)

Performed by our tool METEORS

1. Verification of Untimed Model + Event Order Constraints

2. Automatic Synthesis of Timing Parameter Constraints from Event Order Constraints

We split timed verification into two parts:

Untimed Model

Event Order Constraints

Bad Event Order

Model-Checking Event Order Generalization

(Subclass of Regular Expression)


• He/she then model-checks:

• The user first identifies a candidate set of bad event orders (which may be empty).

• Monitors are constucted by a support tool from the given orders (for model-checking).

not SafetyPropertyViolated.

A monitor raises a flag if a bad event order is detected in the current model execution.

Untimed Model not Monitor.raiseFlag

Identifying Bad Event Orders


Bad Scenario Example of BMP

Edge0 New Edge (0 or 1)

Decode 1 !!

Flat




Decode 1 !!

Flat

DetectF-DetectF-DetectF-Edge0-DetectT-Edge0-Decode•This event order specifies the order of

consecutive actions in an automaton execution.




Decode 1 !!

Flat

> c




Decode 1 !!

Flat

> c

< <




Decode 1 !!

Flat

> c

< < c >



Edge0 New Edge (Edge0)

Flat signal for 0 is completely missed!

Metastability



Edge0-(DetectF)*- DetectT- Settle-Edge0






<





> c

< <





> c

< <

c >



Decode- (DetectF)*- Edge1S-(DetectF)*-Settle-Edge1T

Edge1S Edge1T




Edge1S Edge1T

> m1




Edge1S Edge1T

> m1

< H




Edge1S Edge1T

> m1

< < H



Decode- (DetectF)*- Edge1S-(DF)*- DF -Settle-Edge1T

Edge1S Edge1T

> m1

< < H

Unwinding!

m1 >


Our Tool: METEORS

One event order: Disjunction of linear inequalities

Multiple event orders: Conjunction of disjunction of linear inequalities

- Automatic decomposition

Simplification of resulting constraint

- All derivable bounds


Bad Scenarios of BMP

From page 269 of the proceedings:


Sufficient Parameter Constraints

m1 > H +

> M1 + Hc > H + + T

It is sufficient to satisfy three constraints for correctness of BMP.

METEORS reported:


Related Work (BMP Verification)

UPPAAL and PVS:

Calendar Automata:

HyTech:

Vaandrager, F.W., de Groot, A.: Analysis of a biphase mark protocol with UPPAAL and PVS. 2006

Brown, G.M., Pike, L.: Easy parameterized verification of biphase mark and 8N1 protocols. 2006

Henzinger, T., Preussig, J., Wong-Toi, H.: Some lessons from the HYTECH experience. 2001

- Bad event order are found using UUPAAL- Constraints are manually derived from bad orders.

- Correctness under the derived constraints is proved using PVS.

- BMP is modeled using Calendar Automata framework for SAL

- Correctness under the derived constraints is proved using SAL (inductive invariants must be used though proof is automatic.)

Verification

Synthesis

- Some parameters are fixed.

- Model is modified: no repetitive checks with time bounds


Other Case Studies of EOA

• IEEE 1394 (FireWire / i-Link), Root Contention Protocol

• Train-Gate Toy Problem

• Fischer’s Mutual Exclusion Algorithm

(Randomness is abstracted)


Summary and Future Work

We synthesized parameter constraints of BMP using Event Order Abstraction (METEORS and SAL are used).

Future work:

Automatic bad event order identification

- List of counter examples from model-checking

- Automatic “chopping” and generalization??

machine-assisted parameter synthesis of the biphase mark protocol using event order abstraction

Documents