verifikation af realtids systemer i uppaal

UCb

Verifikation af realtids Verifikation af realtids systemersystemeri i UPPAALUPPAAL

Kim G. LarsenBRICS@Aalborg

2MII’’2001 Kim G. Larsen UCb

Research ProfileDistributed Systems & Semantics Unit

Semantic Models concurrency, mobility, objects real-time, hybrid systems

Validation & Verificationalgorithms & tools

Construction real-time & network systems


BRICS Machine Basic Research in Computer Science

30+40+40 Millkr

100

100

Aalborg Aarhus

ToolsOther revelvant projects UPPAAL, VHS, VVS, WOODDES


Tools and BRICS

Logic• Temporal Logic• Modal Logic• MSOL • •

Algorithmic• (Timed) Automata Theory• Graph Theory• BDDs• Polyhedra Manipulation• •

Semantics• Concurrency Theory• Abstract Interpretation• Compositionality• Models for real-time & hybrid systems• •

HOL TLP

Applications

PVS ALF

SPINvisualSTATE UPPAAL


A REAL real time system

Klaus Havelund, NASA


Embedded Systems

SyncMaster 17GLsi

Telephone

Tamagotchi

Mobile Phone

Digital Watch


Introducing, Detecting and Repairing Errors Liggesmeyer 98


Suggested Solution?

Model based validation, verfication and testing

of software and hardware


Verification & Validation

Design Model Specification

Analysis

Implementation

Testing



Design Model SpecificationVerification & Refusal

AnalysisValidation

Implementation

Testing

UML

SDL




AnalysisValidation

Implementation

Testing

UML

SDL

ModelExtraction

AutomaticCode generation




AnalysisValidation

Implementation

Testing

UML

AutomaticCode generation

AutomaticTest generation

SDL

ModelExtraction


How?

Unified Model = State Machine!

a

b

x

ya?

b?

x!

y!b?

Control states

Inputports

Outputports


TamagotchiA C

Health=0 or Age=2.000

B

Passive Feeding Light

Clean

PlayDisciplineMedicine

Care

Tick

Health:=Health-1; Age:=Age+1

AA

A

A

AA

A

A

Meal

Snack

B

B

ALIVE

DEAD

Health:= Health-1


SYNCmaster


Digital Watch


visualSTATE

Hierarchical state systems

Flat state systems Multiple and inter-

related state machines

Supports UML notation

Device driver access

VVS w Baan Visualstate, DTU (CIT project)


The SDL EditorThe SDL EditorThe SDL Editor

Process levelProcess level


SP

IN, G

erald H

olzm

ann

AT

&T


UP

PA

AL


‘State Explosion’ problem

a

cb

1 2

43

1,a 4,a

3,a 4,a

1,b 2,b

3,b 4,b

1,c 2,c

3,c 4,c

All combinations = exponential in no. of components

M1 M2

M1 x M2

Provably theoretical

intractable


Train Simulator1421 machines11102 transitions2981 inputs2667 outputs3204 local statesDeclare state sp.: 10^476

BUGS ?

VVSvisualSTATE

Our techniuqes has reduced verific

ation

time w

ith several orders of magnitude

(ex 14 days to 6 sec)


Tool Support (model checking)

System Description A

Requirement FYes, Prototypes Executable Code Test sequences

No!Debugging Information

Tools: Telelogic, Verilog, UPPAAL, SPIN, MV, Statemate, visualSTATE, FormalCheck, VeriSoft, Java Pathfinder,…

TOOLTOOL

UCb

UPPAALUPPAAL

Modelling and Verification of Real Time systems

UPPAAL2k > 800 users > 35 countries

UPPAAL2k > 800 users > 35 countries

www.uppaal.com


Collaborators@UPPsala

Wang Yi Johan Bengtsson Paul Pettersson Fredrik Larsson Alexandre David Tobias Amnell Oliver Möller

@AALborg Kim G Larsen Arne Skou Paul Pettersson Carsten Weise Kåre J Kristoffersen Gerd Behrman Thomas Hune Oliver Möller Nicky Oliver Bodentien Lasse Poulsen

@Elsewhere David Griffioen, Ansgar Fehnker, Frits Vandraager, Klaus Havelund, Theo

Ruys, Pedro D’Argenio, J-P Katoen, J. Tretmans,Judi Romijn, Ed Brinksma, Franck Cassez, Magnus Lindahl, Francois Laroussinie, Patricia Bouyer, Augusto Burgueno, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Justin Pearson...


Hybrid & Real Time Systems

PlantContinuous

Controller ProgramDiscrete

Control Theory Computer Science

Eg.:Pump ControlAir BagsRobotsCruise ControlABSCD PlayersProduction Lines

Real Time SystemA system where correctness not only depends on the logical order of events but also on their timing

Real Time SystemA system where correctness not only depends on the logical order of events but also on their timing

sensors

actuators

TaskTask

TaskTask


Construction of UPPAAL models

PlantContinuous

Controller ProgramDiscrete

sensors

actuators

TaskTask

TaskTask

a

cb

1 2

43

a

cb

1 2

43

1 2

43

1 2

43

a

cb

UPPAAL Model

Modelofenvironment(user-supplied)

Model oftasks(automatic?)


Timed Automata

n

m

a

Alur & Dill 1990

Clocks: x, y

x<=5 & y>3

x := 0

Guard Boolean combination of integer boundson clocks and clock-differences.

ResetAction perfomed on clocks

Transitions

( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )

e(1.1)

( n , x=2.4 , y=3.1415 ) ( m , x=0 , y=3.1415 )

a

State ( location , x=v , y=u ) where v,u are in R

Actionused

for synchronization


n

m

a

Clocks: x, y

x<=5 & y>3

x := 0

Transitions

( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )

e(1.1)

( n , x=2.4 , y=3.1415 )

e(3.2)

x<=5

y<=10

LocationInvariants

g1g2 g3

g4

Timed Automata Invariants

Invariants ensure

progress!!

Invariants ensure

progress!!


The UPPAAL Model= Networks of Timed Automata + Integer Variables +….

l1

l2

a!

x>=2i==3

x := 0i:=i+4

m1

m2

a?

y<=4

………….Two-way synchronizationon complementary actions.

Closed Systems!

Two-way synchronizationon complementary actions.

Closed Systems!

(l1, m1,………, x=2, y=3.5, i=3,…..) (l2,m2,……..,x=0, y=3.5, i=7,…..)

(l1,m1,………,x=2.2, y=3.7, I=3,…..)

0.2

tau

Example transitions

If a URGENT CHANNEL


Timed Automata in UPPAAL

Timed (Safety) Automata+ urgent actions + urgent locations+ committed locations+ data-variables (with bounded domains)+ arrays of data-variables + constants + guards and assignments over data-variables and arrays…+ templates with local clocks, data-variables, and constants.


Declarations in UPPAAL

clock x1, …, xn;

int i1, …, im;

chan a1, …, ao;

const c1 n1, …, cp np;

Examples:

clock x, y;

int i, J0; int[0,1] k[5];

const delay 5, true 1, false 0;

Array k of five booleans.


Timed Automata in UPPAAL

n

m

a

x<=5 & y>3

x := 0

x<=5

y<=10

g1g2 g3

g4

invinvnxnxinv ,||::

clock natural number and

}!,,,,,{

},,,,{

::

|::

,||::

op

ExpropExprg

nyxnxg

ggggg

d

c

dc

nx :

clock guards

data guards

clock assignments

clock assignments

):?(

|/

|*

|

|

||

|][|::

:

ExprExprg

ExprExpr

ExprExpr

ExprExpr

ExprExpr

Exprn

ExpriiExpr

Expri

d

location invariants


Urgent Channels

urgent chan hurry;

Informal Semantics:• There will be no delay if transition with urgent action can be taken.

Restrictions:• No clock guard allowed on transitions with urgent actions.

• Invariants and data-variable guards are allowed.


Urgent Locations

Click “Urgent” in State Editor.

Informal Semantics:• No delay in urgent location.

Note: the use of urgent locations reduces the number of clocks

in a model, and thus the complexity of the analysis.


Committed Locations

Click “Committed” in State Editor.

Informal Semantics:• No delay in committed location.• Next transition must involve automata in committed location.

Note: the use of committed locations reduces the number of

clocks in a model, and allows for more space and time efficient

analysis.

UCb

BRICK SORTING


First UPPAAL modelSorting of Lego Boxes

Conveyer Belt

Exercise: Design Controller so that only black boxes are being pushed out

BoxesPiston

Black

red9 18 81 90

99

BlckRd

remove

eject

Controller

Ken Tindell

MAIN PUSH


NQC programs

task PUSH{ while(true){ wait(Timer(1)>DELAY && active==1); active=0; Rev(OUT_C,1); Sleep(8); Fwd(OUT_C,1); Sleep(12); Off(OUT_C); }}

task PUSH{ while(true){ wait(Timer(1)>DELAY && active==1); active=0; Rev(OUT_C,1); Sleep(8); Fwd(OUT_C,1); Sleep(12); Off(OUT_C); }}

int active;int DELAY;int LIGHT_LEVEL;

int active;int DELAY;int LIGHT_LEVEL;

task MAIN{ DELAY=75; LIGHT_LEVEL=35; active=0; Sensor(IN_1, IN_LIGHT); Fwd(OUT_A,1); Display(1);

start PUSH; while(true){ wait(IN_1<=LIGHT_LEVEL); ClearTimer(1); active=1; PlaySound(1); wait(IN_1>LIGHT_LEVEL); }}

task MAIN{ DELAY=75; LIGHT_LEVEL=35; active=0; Sensor(IN_1, IN_LIGHT); Fwd(OUT_A,1); Display(1);

start PUSH; while(true){ wait(IN_1<=LIGHT_LEVEL); ClearTimer(1); active=1; PlaySound(1); wait(IN_1>LIGHT_LEVEL); }}


From RCX to UPPAAL

Model includes Round-Robin Scheduler.

Compilation of RCX tasks into TA models.

Presented at ECRTS 2000

Task MAIN


The Production CellCourse at DTU, Copenhagen

Production Cell

UCb

TRAIN CROSSING


Train Crossing

River

Crossing

Gate

StopableArea

[10,20]

[7,15]

Queue

[3,5]


Train Crossing

River

Crossing

Gate

StopableArea

[10,20]

[7,15]

Queue

[3,5]appr,stop

leave

go

emptynonemptyhd, add,rem

elel

Communication via channels andshared variable.

UCb

Communication ProtocolsCSMA/CDBRP……


CSMA/CD protocol – MAC layer

send - service provided by Mac which reacts by transmitting a message, rec - (receive) service provided by Mac, indicates that a message is ready to be received, b - (begin) Mac begins message transmission to M, e - (end) Mac terminates message transmission to M, br - (begin receive) M begins message delivery to Mac, er - (end receive) M terminates message delivery to Mac, b - (collision) Mac is notified that a collision has occurred on M.

EVENTS

UCb

Philips Bounded Retransmission Protocol

[D’Argenio et.al. 97]


Protocol Overview

Protocol developed by Philips.Transfer data between Audio/Video

components via infra-red communication.Data files sent in smaller chunks.Problem: Unreliable communication

medium.Sender retransmit if receiver respond too

late.Receiver abort if sender sends too late.


Overview of BRP

Sender Receiver

S R

K

L

Input: file = p1, …, pn

lossy

lossy

Output: p1, …, pn

BRP

pi

ack


How It Works

Sender input: file = p1, …, pn.

S sends (p1,FST,0), (p2,INC,1), …, (pn-1,INC,1), (pn,OK,0).

R sends: ack, …, ack.S retransmits pi if timeout.Receiver recives: p1, …, pn.Sender and Receiver receives NOK or OK.

whole file OK

more parts

will followfirst part of file


Case Studies: Protocols

Philips Audio Protocol [HS’95, CAV’95, RTSS’95, CAV’96]Collision-Avoidance Protocol [SPIN’95]

Bounded Retransmission Protocol [TACAS’97]

Bang & Olufsen Audio/Video Protocol [RTSS’97]

TDMA Protocol [PRFTS’97]

Lip-Synchronization Protocol [FMICS’97]

Multimedia Streams [DSVIS’98]

ATM ABR Protocol [CAV’99]

ABB Fieldbus Protocol [ECRTS’2k]

IEEE 1394 Firewire Root Contention (2000)


Case-Studies: Controllers

Gearbox Controller [TACAS’98]

Bang & Olufsen Power Controller [RTPS’99,FTRTFT’2k]

SIDMAR Steel Production Plant [RTCSA’99, DSVV’2k]

Real-Time RCX Control-Programs [ECRTS’2k]

Experimental Batch Plant (2000)

RCX Production Cell (2000)


BRP Model Overview

Sender Receiver

S R

K

L

Input: file = p1, …, pn

ack

(pi,INDication,abit)

lossy

lossy

ok, nok, dkIND, ok, nok

Output: p1, …, pn

BRP


The Lossy Media

value-passing

lossy = may drop

messages

one-place

capacity

delay


Bounded Retransmission

S sends a chunk pi and waits for ack from R.If timeout the chunk is retransmitted.If too many timeout the transmission fails

(NOK is sent to Sender). If whole file successfully sent OK is sent to

Sender.Receiver is similar.


Process S


Process R


The Sender and Receiver


“If you want to know more”

Test & Verification http://www.cs.auc.dk/~ejersbo/tov/Plan.html

BRICS@Aalborg http://www.cs.auc.dk/research/FS/

UPPAAL http://www.uppaal.com

WOODDES, ATT (VHS): http://www.docs.uu.se/docs/rtmv/wooddes/ http://www-verimag.imag.fr/VHS/main.html

Strategic Directions in Computing Research Formal Methods Working Group, ACM June 1996 http://www.cs.cmu.edu/afs/cs/usr/wing/www/mit/mit.html

verifikation af realtids systemer i uppaal

Documents