Automatic Verification of Real-Time Systems with Rich Data
Ernst-Rüdiger Olderog
RTS+D – p.1/59
Motivation
Embedded system = a system of which a computer is an invisible part, controlling its function.
Example: ECUs on board a car (Mercedes S class, 1998).
Safety-critical applications: a malfunction of the computer is costly and dangerous.
Trains
ETCS (European Train Control System), Level 3
Safety property: collision freedom
Planes
TCAS (Traffic Alert and Collision Avoidance System), case of two aircraft
[Figure: for each Aircraft i (i = 1, 2), Sensor i feeds TCAS i, consisting of Conflict Detection i and Conflict Resolution i, which issues Advisories to Pilot i; TCAS 1 and TCAS 2 exchange data over Communication Channel 1 and Communication Channel 2.]
Real-Time Systems
... are reactive systems where certain inputs require the corresponding outputs within given time bounds.
Example: European Train Control System (ETCS)
Safety property: collision freedom
AVACS Project Group R
... advances the automatic verification and analysis of real-time systems in three complementary projects R1–R3:
➠ R1: Beyond Timed Automata
    high-level specifications: real-time and complex infinite data
➠ R2: Timing Analysis, Scheduling, and Distribution of Real-Time Tasks
    implementation level: complex target architectures
➠ R3: Heuristic Search and Abstract Model Checking for Real-Time Systems
    highly concurrent systems: many clocks and many components
R1: Beyond Timed Automata
E.-R. Olderog, B. Finkbeiner, M. Fränzle, A. Podelski, V. Sofronie-Stokkermans
... investigates Real-Time Systems with Rich Data:
➠ System specification language: CSP-OZ-DC, which integrates
    processes (CSP, Communicating Sequential Processes)
    data (Object-Z)
    time (Duration Calculus)
➠ Real-time requirements: DC
➠ Problem: Does the specification satisfy the requirement?
Specification of Processes
CSP: Communicating Sequential Processes, since 1978: Hoare, Brookes, Roscoe
  • synchronous communication via channels: c!e (send e on c), c?x (receive on c into x)
  • parallel composition and hiding
  • mathematical theory
Specification of Data
Z, since 1980: Abrial, Sufrin, Spivey
  • state spaces and transformations
  • mathematical tool kit
  • schema calculus: a schema S consists of a declaration part and a predicate part, e.g. x′ > x + 1
OZ: Object-Z, since 1995: Duke, Rose, Smith
  • class concept
  • inheritance
Specification of Time
DC: Duration Calculus, since 1991: Zhou, Hoare, Ravn, Hansen
  • real-time logic and calculus for properties of observables obs : Time → D, evaluated on intervals [b, e] of Time
  • interval-based properties: e.g. durations
Parameterized Elevator
Hoenicke & Maier (2005)
[Figure: elevator shaft with floors from Min to Max; current is the floor the elevator is at.]
➠ Elevator specification:
    parameters Max, Min: integers
    real-time requirements: e.g. at least 3 sec between two floors
    time domain: reals
➠ Safety requirement: Min ≤ current ≤ Max
Specification: CSP-OZ-DC
Hoenicke & Olderog (since 2002)
Interface: chan start, passed, stop, newgoal
CSP specifies the order of events:
  main = newgoal → start → Drive
  Drive = (passed → Drive) □ (stop → main)
[Figure: the corresponding state machine, with newgoal and start leading from main into Drive, passed looping at Drive, and stop returning to main.]
Specification: CSP-OZ-DC
Object-Z specifies the state space ...
  Min, Max : Z          [parameters, with class invariant Min < Max]
  current : Z           [state space]
  goal : Z
  dir : {−1, 0, 1}
  Init
    goal = current = Min
    dir = 0
Specification: CSP-OZ-DC
... and operations:
  com_newgoal
    Δ(goal)
    Min ≤ goal′ ≤ Max     [nondeterminism: any admissible goal may be chosen]
    goal′ ≠ current
  com_start
    Δ(dir)
    goal > current ⇒ dir′ = 1
    goal < current ⇒ dir′ = −1
Specification: CSP-OZ-DC
... operations, cont'd:
  com_passed
    Δ(current)
    current′ = current + dir
  com_stop
    Δ()
    goal = current        [precondition]
Specification: CSP-OZ-DC
Duration Calculus restricts the timing of states and events:
  • More than 3 seconds between two passed events:
      ¬◇(passed ; ℓ ≤ 3 ; passed)
    i.e. there is no interval that begins with a passed event, has length ℓ ≤ 3 and ends with another passed event.
    [Counterexample trace: two passed events on the time axis less than 3 time units apart.]
Specification: CSP-OZ-DC
  • Event stop within 2 sec after reaching goal:
      ¬◇(⌈current ≠ goal⌉ ; (⌈current = goal⌉ ∧ ℓ ≥ 2 ∧ ⊟ stop))
    i.e. no phase with current ≠ goal is followed by a phase with current = goal of length ℓ ≥ 2 in which no stop event occurs (⊟ stop: stop does not occur in the interval).
    [Counterexample trace: current ≠ goal, then current = goal for more than 2 time units with no stop event.]
Class Elevator
Elevator
  chan start, passed, stop, newgoal
  CSP:
    main = newgoal → start → Drive
    Drive = (passed → Drive) □ (stop → main)
  OZ:
    Min, Max : Z                     Init
    current, goal : Z                  goal = current = Min
    dir : {−1, 0, 1}                   dir = 0
    Min < Max
    com_newgoal                      com_start
      Δ(goal)                          Δ(dir)
      Min ≤ goal′ ≤ Max                goal > current ⇒ dir′ = 1
      goal′ ≠ current                  goal < current ⇒ dir′ = −1
    com_passed                       com_stop
      Δ(current)                       Δ()
      current′ = current + dir         goal = current
  DC:
    ¬◇(passed ; ℓ ≤ 3 ; passed)
    ¬◇(⌈current ≠ goal⌉ ; (⌈current = goal⌉ ∧ ℓ ≥ 2 ∧ ⊟ stop))
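As an added example, not part of the slides or of any CSP-OZ-DC tool, here is the class above executed in Python: the CSP part acts as the control automaton, each com_e is applied as a guarded state change, and the two DC formulas plus the safety requirement Min ≤ current ≤ Max are evaluated over the resulting timed trace. The instantiation Min = 0, Max = 5, the trace format, the sample traces and all function names are assumptions of this example.

```python
"""Added example (not from the slides): executing the Elevator class on timed traces and
checking its two DC requirements and the safety requirement Min <= current <= Max.
Trace format, the instantiation Min = 0, Max = 5 and all function names are assumptions."""
from dataclasses import dataclass

MIN, MAX = 0, 5   # assumed instantiation of the parameters Min < Max

# CSP part as a control automaton: main = newgoal -> start -> Drive,
# Drive = (passed -> Drive) [] (stop -> main); p0 is main, p2 is Drive.
CSP_STEP = {("p0", "newgoal"): "p1", ("p1", "start"): "p2",
            ("p2", "passed"): "p2", ("p2", "stop"): "p0"}

class SpecViolation(Exception):
    """A step refused by the CSP part, or an OZ operation whose schema is not satisfiable."""

@dataclass
class Elevator:
    """Object-Z state space (initialised as in Init) plus the CSP control phase."""
    current: int = MIN
    goal: int = MIN
    dir: int = 0
    phase: str = "p0"

    def com_newgoal(self, g):   # Delta(goal): Min <= goal' <= Max and goal' != current
        if not (MIN <= g <= MAX and g != self.current):
            raise SpecViolation(f"com_newgoal({g}) not enabled at current={self.current}")
        self.goal = g

    def com_start(self):        # Delta(dir): goal > current => dir' = 1, goal < current => dir' = -1
        if self.goal != self.current:   # equal is unreachable here: newgoal ensures goal != current
            self.dir = 1 if self.goal > self.current else -1

    def com_passed(self):       # Delta(current): current' = current + dir
        self.current += self.dir

    def com_stop(self):         # Delta(): precondition goal = current
        if self.goal != self.current:
            raise SpecViolation(f"com_stop not enabled: current={self.current}, goal={self.goal}")

def simulate(trace):
    """trace: [(delay, event, *args)], delays accumulate to absolute time.  Returns the
    timed events and the maximal phases on which current = goal is constant."""
    el, t, events, phases = Elevator(), 0.0, [], []
    ph_start, ph_eq = 0.0, el.current == el.goal
    for delay, ev, *args in trace:
        t += delay
        nxt = CSP_STEP.get((el.phase, ev))
        if nxt is None:
            raise SpecViolation(f"CSP refuses {ev} in phase {el.phase} at t={t}")
        getattr(el, f"com_{ev}")(*args)
        el.phase = nxt
        events.append((t, ev))
        if not MIN <= el.current <= MAX:
            raise SpecViolation("safety requirement Min <= current <= Max violated")
        eq = el.current == el.goal
        if eq != ph_eq:          # boundary between a current != goal and a current = goal phase
            phases.append((ph_start, t, ph_eq))
            ph_start, ph_eq = t, eq
    phases.append((ph_start, t, ph_eq))
    return events, phases

def dc_passed_spacing(events, bound=3.0):
    """First DC formula: no two passed events at most `bound` time units apart."""
    ts = [t for t, e in events if e == "passed"]
    return all(b - a > bound for a, b in zip(ts, ts[1:]))

def dc_stop_within(events, phases, bound=2.0):
    """Second DC formula: when a current != goal phase ends, stop occurs within `bound` time
    units (boundary inclusive).  An observed current = goal phase shorter than `bound` cannot
    witness l >= 2, so an unfinished trace is not counted as a violation."""
    stops = [t for t, e in events if e == "stop"]
    for (_, _, eq0), (s1, e1, eq1) in zip(phases, phases[1:]):
        if eq0 or not eq1 or e1 - s1 < bound:
            continue
        if not any(s1 <= t <= s1 + bound for t in stops):
            return False
    return True

def check(trace):
    """Verdict on both DC requirements; raises SpecViolation if CSP or OZ refuse a step."""
    events, phases = simulate(trace)
    return {"passed_spacing": dc_passed_spacing(events),
            "stop_within": dc_stop_within(events, phases)}

def refused(trace):
    """True if the CSP or OZ part of Elevator refuses some step of the trace."""
    try:
        simulate(trace)
        return False
    except SpecViolation:
        return True

# Constructed traces: (delay since the previous event, event, optional newgoal argument).
GOOD = [(0.0, "newgoal", 2), (0.5, "start"), (4.0, "passed"), (4.0, "passed"), (1.0, "stop"),
        (5.0, "newgoal", 1), (1.0, "start"), (4.0, "passed"), (0.5, "stop")]
TOO_FAST = [(0.0, "newgoal", 2), (1.0, "start"), (2.0, "passed"), (2.0, "passed"), (1.0, "stop")]
LATE_STOP = [(0.0, "newgoal", 1), (1.0, "start"), (4.0, "passed"), (3.0, "stop")]
STOP_EARLY = [(0.0, "newgoal", 2), (1.0, "start"), (4.0, "passed"), (1.0, "stop")]  # stop at floor 1

if __name__ == "__main__":
    for name, tr in [("GOOD", GOOD), ("TOO_FAST", TOO_FAST), ("LATE_STOP", LATE_STOP)]:
        print(name, check(tr))
    print("STOP_EARLY refused:", refused(STOP_EARLY))
```

GOOD satisfies both DC requirements; TOO_FAST (passed events 2 sec apart) violates the first; LATE_STOP (stop 3 sec after reaching the goal) violates the second; STOP_EARLY is refused because the precondition goal = current of com_stop fails at floor 1. Counting a stop exactly 2 sec after reaching the goal as "within" and treating an unfinished current = goal phase as inconclusive are choices of this example, not fixed by the formulas on the slides.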
Semantics of CSP-OZ-DC
... by translation into Phase-Event-Automata (PEA), a variant of Timed Automata due to Hoenicke (2006).
This semantics is compositional:
  A(COD) = A(CSP) ‖ A(OZ) ‖ A(DC)
where ‖ synchronises on both phases and events.
Phase-Event-Automata
[Figure: two phases p1 and p2 connected by transitions carrying guards and resets.]
  s(p_i)   state invariant of phase p_i
  I(p_i)   clock invariant of phase p_i
  guard    conditions over events, state space and time on a transition
  resets   the set of clocks reset on a transition
Parallel composition: A1 ‖ A2
PEA Represent Sets of Runs
A run is a sequence of configurations
  ρ = ⟨ ..., (p_i, β_i, γ_i, Y_i, t_i), ... ⟩
each one describing an interval, where
  ➠ p_i is a phase,
  ➠ β_i is a valuation of the variables,
  ➠ γ_i is a valuation of the clocks at the beginning of the interval,
  ➠ Y_i is the set of events occurring at the beginning of the interval,
  ➠ t_i is the duration of the interval.
Semantic Property of PEA
Compositionality Lemma:
  ρ ∈ Runs(A1 ‖ A2)  iff  ρ↓A1 ∈ Runs(A1) and ρ↓A2 ∈ Runs(A2)
This lemma is at the core of a modular verification method for parallel compositions of PEA: if a small set of parallel PEA already satisfies a safety property over its own variables and events, then composing it with further PEA can only remove runs (every run of the larger composition projects to a run of the smaller one), so the larger parallel composition satisfies the property as well.
Translation of CSP
  main = newgoal → start → Drive
  Drive = (passed → Drive) □ (stop → main)
yields a PEA with phases p0 (main), p1 and p2 (Drive), all with state invariant true, and the transitions
  p0 → p1   guarded by newgoal ∧ ¬start ∧ ¬passed ∧ ¬stop
  p1 → p2   guarded by start ∧ ¬newgoal ∧ ¬passed ∧ ¬stop
  p2 → p2   guarded by passed ∧ ¬newgoal ∧ ¬start ∧ ¬stop
  p2 → p0   guarded by stop ∧ ¬newgoal ∧ ¬start ∧ ¬passed
plus a φ_idle loop at each phase, where φ_idle := ¬newgoal ∧ ¬start ∧ ¬passed ∧ ¬stop.
Translation of OZ
The OZ part yields a PEA with two phases: p_init with state invariant Init, and p with state invariant true. For each event e ∈ {newgoal, start, passed, stop}, transitions guarded by e ∧ com_e lead from p_init into p and loop at p; in addition each phase has a φ_idle loop, where
  φ_idle := ¬newgoal ∧ ¬start ∧ ¬passed ∧ ¬stop ∧ current = current′ ∧ goal = goal′ ∧ dir = dir′.
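As an added example that is not from the slides or from Hoenicke's PEA tool chain, and that covers the PEA definitions, the run semantics, the compositionality lemma and the two translations above: a Python encoding of A(CSP) and A(OZ) for Elevator, a parallel composition that synchronises on shared events (and on shared variables, since both read the same β), projection of runs onto a component, and a check of the lemma on constructed runs. The class PEA, the guard signature guard(Y, β, β′, γ), the names accepts/compose/project/verdict and the sample runs are assumptions of this example; clock invariants and resets are carried through accepts() even though neither automaton here uses clocks.

```python
"""Added example (not from the slides): Phase-Event-Automata for A(CSP) and A(OZ) of the
class Elevator, their parallel composition, and the compositionality lemma checked on
concrete runs.  The representation, the names PEA/accepts/compose/project/verdict and the
sample runs are assumptions of this example."""

# A guard is a predicate guard(Y, beta, beta', gamma): the events Y at the start of the next
# interval, the data before and after it, and the clocks at the end of the current interval.
# A(CSP) and A(OZ) need no clocks, but accepts() handles I(p) and resets for clocked PEA too.
class PEA:
    def __init__(self, events, variables, clocks, phases, init, clock_inv, edges):
        self.events, self.variables, self.clocks = events, variables, clocks
        self.phases = phases        # phase -> state invariant s(p): beta -> bool
        self.init = init            # set of initial phases
        self.clock_inv = clock_inv  # phase -> clock invariant I(p): gamma -> bool
        self.edges = edges          # [(p, guard, clocks to reset, p')]

def accepts(A, rho):
    """Is rho = [(p_i, beta_i, gamma_i, Y_i, t_i), ...] a run of A?"""
    if rho[0][0] not in A.init or rho[0][3]:   # initial phase, no event before the first interval
        return False
    for i, (p, beta, gamma, Y, t) in enumerate(rho):
        end = {c: v + t for c, v in gamma.items()}   # clock values at the end of the interval
        if not (A.phases[p](beta) and A.clock_inv[p](end)):
            return False
        if i + 1 == len(rho):
            return True
        q, beta2, gamma2, Y2, _ = rho[i + 1]
        if not any(src == p and dst == q and g(Y2, beta, beta2, end)
                   and gamma2 == {c: 0.0 if c in R else end[c] for c in A.clocks}
                   for src, g, R, dst in A.edges):
            return False

def compose(A1, A2):
    """A1 || A2: pairs of phases, conjoined invariants and guards; each guard sees only its
    own automaton's events, so the components synchronise exactly on the shared ones."""
    conj = lambda g1, g2: (lambda Y, b, b2, c: g1(Y & A1.events, b, b2, c) and g2(Y & A2.events, b, b2, c))
    both = lambda f1, f2: (lambda x: f1(x) and f2(x))
    return PEA(A1.events | A2.events, A1.variables | A2.variables, A1.clocks | A2.clocks,
               {(p, q): both(A1.phases[p], A2.phases[q]) for p in A1.phases for q in A2.phases},
               {(p, q) for p in A1.init for q in A2.init},
               {(p, q): both(A1.clock_inv[p], A2.clock_inv[q]) for p in A1.phases for q in A2.phases},
               [((s1, s2), conj(g1, g2), R1 | R2, (d1, d2))
                for s1, g1, R1, d1 in A1.edges for s2, g2, R2, d2 in A2.edges])

def project(rho, A, i):
    """rho|A: component i of the pair phases, and only A's variables, clocks and events."""
    keep = lambda d, ks: {k: v for k, v in d.items() if k in ks}
    return [(p[i], keep(b, A.variables), keep(g, A.clocks), Y & A.events, t) for p, b, g, Y, t in rho]

E = frozenset({"newgoal", "start", "passed", "stop"})
TRUE = lambda *_: True
only = lambda e: (lambda Y, b, b2, c: Y == {e})   # e and no other event
idle = lambda Y, b, b2, c: not Y                    # phi_idle of A(CSP): no event at all

# A(CSP) as on the slide: p0 = main, p2 = Drive, phi_idle loops at every phase.
A_CSP = PEA(E, frozenset(), frozenset(), dict.fromkeys(("p0", "p1", "p2"), TRUE), {"p0"},
            dict.fromkeys(("p0", "p1", "p2"), TRUE),
            [("p0", only("newgoal"), set(), "p1"), ("p1", only("start"), set(), "p2"),
             ("p2", only("passed"), set(), "p2"), ("p2", only("stop"), set(), "p0")]
            + [(p, idle, set(), p) for p in ("p0", "p1", "p2")])

# A(OZ): the communication schemas com_e as relations between beta and beta'.
V = frozenset({"Min", "Max", "current", "goal", "dir"})
same = lambda b, b2, *changed: all(b[v] == b2[v] for v in V if v not in changed)
COM = {"newgoal": lambda b, b2: b["Min"] <= b2["goal"] <= b["Max"] and b2["goal"] != b["current"] and same(b, b2, "goal"),
       "start":   lambda b, b2: (b["goal"] <= b["current"] or b2["dir"] == 1)
                                and (b["goal"] >= b["current"] or b2["dir"] == -1) and same(b, b2, "dir"),
       "passed":  lambda b, b2: b2["current"] == b["current"] + b["dir"] and same(b, b2, "current"),
       "stop":    lambda b, b2: b["goal"] == b["current"] and same(b, b2)}
op = lambda e: (lambda Y, b, b2, c: Y == {e} and COM[e](b, b2))   # e and com_e
oz_idle = lambda Y, b, b2, c: not Y and same(b, b2)               # phi_idle of A(OZ): data unchanged
init = lambda b: b["Min"] < b["Max"] and b["goal"] == b["current"] == b["Min"] and b["dir"] == 0
A_OZ = PEA(E, V, frozenset(), {"p_init": init, "p": lambda b: b["Min"] < b["Max"]}, {"p_init"},
           {"p_init": TRUE, "p": TRUE},
           [(src, op(e), set(), "p") for src in ("p_init", "p") for e in sorted(E)]
           + [(p, oz_idle, set(), p) for p in ("p_init", "p")])

B0 = {"Min": 0, "Max": 5, "current": 0, "goal": 0, "dir": 0}   # assumed Min, Max and Init
def run(steps):
    """Constructed run of A(CSP) || A(OZ) from [((p_csp, p_oz), events, changed vars, duration)]."""
    rho, beta = [], B0
    for phases, Y, delta, t in steps:
        beta = {**beta, **delta}
        rho.append((phases, beta, {}, frozenset(Y), t))
    return rho

RUN_OK = run([(("p0", "p_init"), (), {}, 1.0), (("p1", "p"), ("newgoal",), {"goal": 2}, 0.5),
              (("p2", "p"), ("start",), {"dir": 1}, 4.0), (("p2", "p"), ("passed",), {"current": 1}, 4.0),
              (("p2", "p"), ("passed",), {"current": 2}, 1.0), (("p0", "p"), ("stop",), {}, 3.0)])
RUN_STOP_EARLY = RUN_OK[:4] + [(("p0", "p"), RUN_OK[3][1], {}, frozenset({"stop"}), 3.0)]  # stop at floor 1
RUN_WRONG_ORDER = run([(("p0", "p_init"), (), {}, 1.0), (("p2", "p"), ("start",), {}, 2.0)])

def verdict(rho):
    """(rho in Runs(A_CSP || A_OZ), rho|A_CSP in Runs(A_CSP), rho|A_OZ in Runs(A_OZ))"""
    return (accepts(compose(A_CSP, A_OZ), rho),
            accepts(A_CSP, project(rho, A_CSP, 0)), accepts(A_OZ, project(rho, A_OZ, 1)))

def lemma_holds(rho):   # compositionality lemma on this run
    whole, csp, oz = verdict(rho)
    return whole == (csp and oz)
```

verdict(RUN_STOP_EARLY) shows the lemma at work: the CSP projection accepts the run (stop is allowed in Drive), the OZ projection rejects it (goal ≠ current, so com_stop is not satisfiable), and the composition rejects it exactly because one component does; RUN_WRONG_ORDER is the mirror case, accepted by A(OZ) but refused by A(CSP).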