Modeling and Verification of Real Time Systems (lecture slides, PDF)



Modeling and Verification of Real Time Systems

Paul Pettersson and Wang Yi, Uppsala University

OUTLINE

A Brief Introduction

  • Historical remarks, what are the problems to solve

Untimed Systems

  • Transition systems, and composition
  • Basic model-checking algorithms: CTL and LTL

Timed Systems

  • Timed automata, and timed automata in UPPAAL
  • Verification problems
  • What is inside UPPAAL
  • Zones and Symbolic verification

Further Topics

  • Optimal reachability analysis
  • Scheduling and Verification
  • What is inside TIMES
  • RT UML
  • Synchronous programming

Main references (Papers)

  • Computation Tree Logic (CTL): Edmund M. Clarke, E. Allen Emerson, A. Prasad Sistla: Automatic Verification of Finite State Concurrent Systems Using Temporal Logic Specifications: A Practical Approach. POPL 1983: 117-126; also as "Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications", ACM Trans. Program. Lang. Syst. 8(2): 244-263 (1986)
  • Linear Temporal Logic (LTL): Moshe Y. Vardi, Pierre Wolper: An Automata-Theoretic Approach to Automatic Program Verification (Preliminary Report). LICS 1986: 332-344; also as "Reasoning About Infinite Computations", Inf. Comput. 115(1): 1-37 (1994)
  • Timed Systems (Timed Automata, TCTL): Rajeev Alur, David L. Dill: Automata For Modeling Real-Time Systems. ICALP 1990: 322-335; also as "A Theory of Timed Automata", Theor. Comput. Sci. 126(2): 183-235 (1994)
  • Kim Guldstrand Larsen, Paul Pettersson, Wang Yi: UPPAAL in a Nutshell. STTT 1(1-2): 134-152 (1997)
  • Johan Bengtsson and Wang Yi: Timed Automata: Semantics, Algorithms and Tools. A tutorial on timed automata (book chapter in Rozenberg et al., 2004, LNCS)

Main references (Books)

  • Model Checking. Edmund M. Clarke, Orna Grumberg and Doron A. Peled
  • Design and Validation of Computer Protocols. G.J. Holzmann, Prentice Hall 1991 (new book: The SPIN Model Checker: Primer and Reference Manual, 2003)
  • Concepts, Algorithms, and Tools for Model Checking. Joost-Pieter Katoen (draft book on the web)

Main Goal

What is inside the tools

  • UPPAAL
  • TIMES

UPPAAL: www.uppaal.com

developed jointly by Uppsala University and Aalborg University: UPPsala + AALborg = UPPAAL

  • SWEDEN + DENMARK = SWEDEN
  • SWEDEN + DENMARK = DENMARK

TIMES: www.timestool.com

developed by Uppsala University. TIMES = a Tool for Modeling and Implementation of Embedded Systems

Modeling and Verification

Lecture 1

a brief introduction

History: how the dream started 35 years ago

  • Program verification, Hoare logic: {P} program {Q} [Floyd 1967, Hoare 1969]

(An example from Pierre Wolper: what does this program do?)

Flowchart program:

  start
  y1, y2 := x1, x2
  loop:
    if y1 == y2 then print(y1); stop
    else if y1 > y2 then y1 := y1 - y2 else y2 := y2 - y1
    goto loop

What does this program do?

(Partial correctness)

It computes the greatest common divisor (gcd) of x1 and x2 and you can prove it [Floyd 67]:

  • Initially

x1>0, x2>0

  • At each iteration of the loop:

y1>0, y2>0, gcd(x1,x2) = gcd(y1,y2)

  • When done

y1=gcd(x1,x2)

What does this program do? (Partial correctness, the program annotated with Floyd's assertions)

  start                                  {x1>0, x2>0}
  y1, y2 := x1, x2
  loop:                                  {y1>0, y2>0, gcd(y1,y2) = gcd(x1,x2)}
    if y1 == y2 then print(y1); stop     {y1 = gcd(x1,x2)}
    else if y1 > y2 then y1 := y1 - y2 else y2 := y2 - y1
    goto loop

One more example (from Pierre Wolper)

(Total correctness)

  Function foo(n: integer): integer
  begin
    if n == 1 then 1
    else if even(n) then foo(n/2)
    else foo(3*n+1)
  end

Does this program terminate for any n? (WCET?)
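Both of Wolper's examples, run as an added example (this code is not part of the lecture): the flowchart program is instrumented with Floyd's precondition, loop invariant and postcondition, plus a termination measure (the sum y1+y2) that the slides do not state and that is this example's addition; foo is the 3n+1 (Collatz) iteration, whose termination for every n > 0 is an open problem, so the checker bounds its own number of steps with a fuel counter.

```python
"""Added example (not from the lecture): Floyd's flowchart program with its
annotations checked at run time, and Wolper's foo with a step bound."""
from math import gcd


def gcd_program(x1: int, x2: int) -> int:
    """The flowchart program, instrumented with Floyd's annotations.

    Precondition:   x1 > 0, x2 > 0
    Loop invariant: y1 > 0, y2 > 0, gcd(y1, y2) = gcd(x1, x2)
    Postcondition:  result = gcd(x1, x2)
    Variant y1 + y2 (strictly decreasing, bounded below by 2) is what turns
    the partial-correctness argument into total correctness.
    """
    assert x1 > 0 and x2 > 0, "precondition violated"
    y1, y2 = x1, x2
    while True:
        # invariant, checked at the loop head on every iteration
        assert y1 > 0 and y2 > 0 and gcd(y1, y2) == gcd(x1, x2)
        variant = y1 + y2
        if y1 == y2:
            assert y1 == gcd(x1, x2)          # postcondition
            return y1
        if y1 > y2:
            y1 = y1 - y2
        else:
            y2 = y2 - y1
        assert y1 + y2 < variant              # termination measure decreased


def foo_steps(n: int, fuel: int = 100_000):
    """Number of recursive calls foo(n) makes before reaching 1 (the 3n+1
    iteration). Returns None if `fuel` steps were not enough: the bound is
    what keeps *this* checker terminating, since nobody has proven that foo
    itself terminates for every n > 0."""
    assert n > 0
    steps = 0
    while n != 1:
        if steps >= fuel:
            return None
        n = n // 2 if n % 2 == 0 else 3 * n + 1
        steps += 1
    return steps


if __name__ == "__main__":
    print(gcd_program(1071, 462))   # 21
    print(foo_steps(27))            # 111
```

The assertions are exactly the proof obligations Floyd's method generates; a failing invariant assertion on some input would be a counterexample to the hand proof, while the fuel limit in foo_steps makes explicit that a bounded run says nothing about termination in general.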


Reality: 10 years later (1980)

The majority of programs are never proven correct! What went wrong?

  • Difficult to find and prove invariants (partial correctness)
  • Difficult to prove termination (total correctness; undecidable in general)
  • Difficult to write complete specifications: what do I really want?

What to do?

  • Start another research program! In 20 years, the problems will be solved, hopefully

History: model checking for reactive systems invented in the early 80s [Pnueli 77, Clarke et al 83, POPL83, Sifakis et al 82]

Temporal logics/verification, Model ⊨ φ (mainly in the US)

  • non-terminating, control-intensive, less data
  • Finite state systems [ABP ca 140 states, 1984]
    (Infinite state systems: a hot topic right now)
  • BDD-based symbolic technique [Bryant 86]
  • SMV 1990, Clarke, McMillan et al, state space 10^20 (hardware)
  • Many followers, e.g. SPIN, COSPAN ..., were developed
  • ...

Concurrency theory (mainly in Europe)

  • CCS, CSP ("hundreds of" process equivalences)
  • Petri nets
  • (In)finite automata
  • Specification languages etc.
  • ...

History: model checking for real time systems, started in the 80s

  • Timed automata, timed process algebras [Alur&Dill 1990, I was also doing this]
  • Kronos, HyTech, 1993-1995
  • TAB 1993, UPPAAL 1995, TIMES 2002

Reality 35 years later (2004)

Many extensions and improvements have been proposed, and various tools exist, commercial and non-commercial. Good complete specifications are still hard to obtain. However, this is not a real problem!

Checking simple properties (e.g. is a program deadlock free?) is already extremely useful. The goal is no longer seen as proving that a system is completely, absolutely and undoubtedly correct (bug-free). The objective is to have tools that can help a developer find errors and gain confidence in her design. That is achievable. Model checking is now widely used in hardware design, protocol design, embedded systems...

The Waterfall Model

[Figure: the waterfall model of traditional software development: Problem Area -> Analysis -> Design -> Implementation -> Testing -> Running System, with reviews between the phases.]

Traditional software development

Software development: the future

[Figure: the same waterfall with modelling and verification added after Design, automatic code generation feeding Implementation, and test case generation feeding Testing.]

Software Development: the Future

[Figure: Components -> Design/modelling -> Verification (Error?) -> Production -> Testing, with test cases generated from the model.]

Model Checking in a Nutshell (why and how)

The Waterfall Model (traditional software development)

  • Errors are detected late or never: 30-50% of the time is spent on testing
  • The later an error is detected, the more expensive it is


Introducing, detecting and correcting errors: find errors as early as possible!

HOW?

[Figure: an 'abstract' version of a field bus protocol drawn as a state graph; the question asked about each suspicious state is: reachable? (bug?)]

Example: Peterson's algorithm

  Process 1:
    loop
      flag1 := 1; turn := 2
      while (flag2 and turn = 2) wait
      CS1
      flag1 := 0
    end loop

  Process 2:
    loop
      flag2 := 1; turn := 1
      while (flag1 and turn = 1) wait
      CS2
      flag2 := 0
    end loop

turn, flag1, flag2: shared variables. Question: does no more than one process run in its critical section at a time?

[Figure: a second mutual exclusion example as two automata over a shared variable V (Init: V=1): process 1 goes A1 -> B1 (V:=1) -> CS1 (if V=1), process 2 goes A2 -> B2 (V:=2) -> CS2 (if V=2); CS1 and CS2 are the critical sections.]

Example: Fischer's Protocol

[Figure: Fischer's mutual exclusion protocol as timed automata with clocks X and Y; the edges carry the constraints X<100, X>100, Y<100, Y>100 and the resets X:=0, Y:=0.]

Example: the Vikings Problem (real time scheduling)

[Figure: four vikings with crossing times 5, 10, 20 and 25 minutes stand on the UNSAFE (mined) side of a bridge to the SAFE side; at most 2 can cross at a time, and whoever crosses needs the torch.]

  • Can they make it within 60 minutes?
  • What is the fastest time for getting all vikings to the safe side?
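The Vikings problem solved as an optimal reachability problem, as an added example (not part of the lecture and not UPPAAL's algorithm): a state is (the set of vikings still on the unsafe side, the side the torch is on), a transition is one crossing costing the slowest walker's time, and uniform-cost search (Dijkstra) over that state space answers both questions. The crossing times 5, 10, 20, 25 and the limits are taken from the slide; the state encoding and the optional deadline pruning are this example's choices.

```python
"""Added example (not from the lecture): optimal reachability for the
Vikings bridge problem by uniform-cost search over an explicit state space."""
import heapq
from itertools import combinations


def fastest_crossing(times, capacity=2, limit=None):
    """Return (best_time, schedule) or (None, None) if no schedule finishes
    within `limit`. times: crossing time per viking; at most `capacity`
    vikings cross together, and the torch accompanies every crossing."""
    everyone = frozenset(range(len(times)))
    start = (everyone, "unsafe")          # (vikings on unsafe side, torch side)
    best = {start: 0}
    parent = {start: None}
    heap = [(0, 0, start)]                # (elapsed, tie-breaker, state)
    tick = 0
    while heap:
        elapsed, _, state = heapq.heappop(heap)
        if elapsed > best[state]:
            continue                      # stale queue entry
        unsafe, torch = state
        if not unsafe:
            return elapsed, _schedule(parent, state)   # goal: everybody safe
        pool = unsafe if torch == "unsafe" else everyone - unsafe
        for k in range(1, capacity + 1):
            for group in combinations(sorted(pool), k):
                cost = elapsed + max(times[i] for i in group)
                if limit is not None and cost > limit:
                    continue              # prune: deadline already missed
                if torch == "unsafe":
                    nxt = (unsafe - frozenset(group), "safe")
                else:
                    nxt = (unsafe | frozenset(group), "unsafe")
                if cost < best.get(nxt, float("inf")):
                    best[nxt] = cost
                    parent[nxt] = (state, group)
                    tick += 1
                    heapq.heappush(heap, (cost, tick, nxt))
    return None, None


def _schedule(parent, state):
    """Reconstruct the crossings (tuples of viking indices) leading to `state`."""
    moves = []
    while parent[state] is not None:
        state, group = parent[state]
        moves.append(group)
    return moves[::-1]


if __name__ == "__main__":
    times = [5, 10, 20, 25]
    print(fastest_crossing(times))              # (60, [...5 crossings...])
    print(fastest_crossing(times, limit=59))    # (None, None)
```

Without the limit the search answers "what is the fastest time"; with limit=60 it answers "can they make it within 60 minutes", and the reconstructed schedule is the witness trace a model checker would report.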


Performance Estimation in H/S Co-Design

[Figure: a micro-processor next to hardware circuits 1 ... m.]

  • A program P which contains modules/blocks P1, P2, ..., Pn
  • Improve the performance by 50% using hardware for some of the Pi's
  • What is the optimal partition?

This is an optimal reachability problem!

How do we know they all work?

  • Alternating bit protocol
  • Sliding window protocol
  • Leader selection algorithm
  • Start-up synchronization protocols
  • TTCAN, TTP
  • ...

Tools for modelling and verification

Logic

  • Temporal logic
  • Modal logic
  • MSOL

Algorithmic

  • (Timed) automata theory
  • Graph theory
  • BDDs
  • Polyhedra manipulation

Semantics

  • Concurrency theory
  • Abstract interpretation
  • Compositionality
  • Models for real-time & hybrid systems

Applications

  • Model checkers and modelling tools: SMV, SPIN, COSPAN, CESAR, MONA, UPPAAL, KRONOS, HyTech, vUML, VisualSTATE, Statemate, TAU, Rhapsody, ...
  • Theorem provers: HOL, PVS, NP-tool, ALF, ...

UPPAAL = UPPsala + AALborg

A tool set for modelling and verification of real-time systems, developed jointly by Uppsala and Aalborg University.

[Figure: UPPAAL takes a system model A (a network of timed automata) and a question Q (a requirement). Answer Yes: the model satisfies Q, and prototypes/executable code can be generated from it (TIMES will do this for you!). Answer No!: debugging information (a diagnostic trace) is returned.]

MODELING

How to construct a model?

Modeling = programming + abstraction

Program as state machine!

[Figure: a state machine with control states, input ports (a?, b?) and output ports (x!, y!).]


Modeling Real Time Systems

Events

  • synchronization
  • interrupts

Timing constraints

  • specifying event arrivals
  • e.g. periodic and sporadic

Data variables

  • guards
  • assignments

[Figure: an edge labelled with synchronization a, guard x>10 & v==100, and update x:=0; v:=v+1.]

Intelligent Light Control

[Figure: three locations Off, Light and Bright with press? edges Off -> Light, Light -> Bright, Light -> Off and Bright -> Off.]

WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.

Intelligent Light Control (with timer)

Solution: add a real-valued clock x

  • Off -> Light on press?, resetting x:=0
  • Light -> Bright on press? when x<=3 (the second press came quickly)
  • Light -> Off on press? when x>3
  • Bright -> Off on press?
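The timed-automaton semantics of the light controller, as an added example (not part of the lecture and not UPPAAL's engine): a delay step advances every clock by the same amount, an action step fires an edge whose guard holds and applies its resets. The locations, the clock x and the press? channel are from the slide; reading the figure as "x<=3 on Light -> Bright, x>3 on Light -> Off, no guard on the other two edges" and the class/function names are this example's assumptions.

```python
"""Added example (not from the lecture): a small timed-automaton interpreter
and the intelligent light controller expressed in it."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Valuation = Dict[str, float]


@dataclass(frozen=True)
class Edge:
    src: str
    sync: str                                  # channel the edge synchronises on
    dst: str
    guard: Callable[[Valuation], bool] = lambda v: True
    resets: Tuple[str, ...] = ()


@dataclass
class TimedAutomaton:
    init: str
    clocks: Tuple[str, ...]
    edges: List[Edge]

    def run(self, timed_word):
        """Run a timed word [(delay, action), ...]: each step first lets
        `delay` time units pass (all clocks advance), then fires the unique
        edge from the current location whose sync matches and whose guard
        holds, applying its resets. Returns the location reached."""
        loc = self.init
        v = {c: 0.0 for c in self.clocks}
        for delay, action in timed_word:
            v = {c: t + delay for c, t in v.items()}          # delay step
            enabled = [e for e in self.edges
                       if e.src == loc and e.sync == action and e.guard(v)]
            if len(enabled) != 1:      # this model is deterministic by design
                raise ValueError(f"{len(enabled)} edges enabled in {loc} on {action} at {v}")
            for c in enabled[0].resets:
                v[c] = 0.0                                    # action step
            loc = enabled[0].dst
        return loc


LIGHT = TimedAutomaton(
    init="Off", clocks=("x",),
    edges=[
        Edge("Off", "press", "Light", resets=("x",)),              # x := 0
        Edge("Light", "press", "Bright", guard=lambda v: v["x"] <= 3),
        Edge("Light", "press", "Off", guard=lambda v: v["x"] > 3),
        Edge("Bright", "press", "Off"),
    ])


def light_after(gaps):
    """Location after one press per entry of `gaps`, each press coming that
    many time units after the previous event (the first after power-on)."""
    return LIGHT.run([(g, "press") for g in gaps])


def requirement_holds(max_gap=10.0, step=0.5):
    """WANT: two presses 'quickly' (here: at most 3 time units apart) give
    Bright, otherwise Off. Checked for gaps 0, step, 2*step, ..., max_gap."""
    gaps = [i * step for i in range(int(max_gap / step) + 1)]
    return all(light_after([0, g]) == ("Bright" if g <= 3 else "Off") for g in gaps)
```

Sampling gaps on a grid, as requirement_holds does, is simulation, not verification: it cannot rule out a gap between two samples that behaves differently. Covering all real-valued delays at once is exactly what the zone-based symbolic verification discussed later in the course is for.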

Construction of Models: Concurrency

[Figure: a continuous plant (sensors, actuators) controlled by a discrete controller program made up of tasks; two component automata (states a, b, c and 1, 2, 3, 4) and their product.]

UPPAAL model = model of environment (user-supplied) + model of tasks (automatic)

Modeling in UPPAAL: Example

Mutual exclusion program:

  P1 :: while True do
          T1 : wait(turn=1)
          C1 : CS1; turn:=0
        endwhile
  ||
  P2 :: while True do
          T2 : wait(turn=0)
          C2 : CS2; turn:=1
        endwhile


SPECIFICATION

How to ask questions: specs? Specification = requirement [Lamport 1977]

Safety

  • Something (bad) will not happen

Liveness

  • Something (good) must happen

Realizability (schedulability)

Specification: Examples

AG not (CS1 and CS2)

  • never CS1 and CS2
  • Safety property

AG (a -->(<=10) b)

  • if a then b within 10
  • Bounded liveness property

EF p.test

  • Useful for debugging

EF false

  • Generate the whole state space
  • Report deadlocks etc.

AF rich and EG happy (liveness)
AG (try => AF critical-section) (liveness)

VERIFICATION

Model meets specs?

Verification

Semantics of a system = all states + state transitions (all possible executions)

Verification = state space exploration + examination

Verification = searching

[Figure: the state space of a program drawn as a graph, with states A and B and a "fire the bombs" state.]

(1) Is it possible to fire the bombs? (2) Is it possible to go from A to B within 10 sec?

State space of a program


Approaches to Verification

Manual: Proof systems, paper and pen

  • Find invariants (difficult !)
  • Induction: Assume nth-state OK, check (n+1)th OK
  • Boring (more fun with programming)

Semi-automatic: Theorem proving

  • Use theorem provers to prove the induction step
  • e.g. PVS, HOL, ALF
  • Require too much expertise

Automatic: Model-Checking ☺

  • State-Space Exploration and Examination
  • e.g. SPIN, SMV, UPPAAL

Two basic verification algorithms

Reachability analysis

  • Checking safety properties

Loop detection

  • Checking liveness properties

Modelling in UPPAAL: example (the mutual exclusion program above)

Is it possible that P1 and P2 reach C1 and C2 simultaneously?

Verification: example

Reachable states (location of P1, location of P2, turn t), starting from (I1, I2, t=0):

  (I1,I2,t=0) (T1,I2,t=0) (T1,T2,t=0) (I1,T2,t=0) (I1,C2,t=0) (T1,C2,t=0)
  (C1,I2,t=1) (T1,T2,t=1) (C1,T2,t=1) (T1,I2,t=1) (I1,T2,t=1) (I1,I2,t=1)

(C1, C2) is never reachable!
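"Verification = searching" done by hand, as an added example (not part of the lecture and not how UPPAAL is implemented): an explicit-state breadth-first exploration of the product state space, applied to the turn-based mutual exclusion program of the slide above and to Peterson's algorithm from the earlier slide. It checks AG not(CS1 and CS2) by looking for a reachable state with both processes in their critical section, and does the "EF false" job of reporting deadlocks (reachable states where no process can move). The state encodings, the initial turn=1 for Peterson, treating each statement as one atomic step, and the flags-only variant are this example's assumptions.

```python
"""Added example (not from the lecture): explicit-state reachability for
two mutual-exclusion programs, with mutex and deadlock checks."""
from collections import deque


def explore(init, steps):
    """BFS over the product state space. `steps` holds one function per
    process mapping a state to its successor states (empty if that process
    cannot move). Returns a parent map keyed by the reachable states."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for step in steps:
            for nxt in step(s):
                if nxt not in parent:
                    parent[nxt] = s
                    queue.append(nxt)
    return parent


def trace_to(parent, s):
    """Diagnostic trace from the initial state to `s` (the debugging information)."""
    path = []
    while s is not None:
        path.append(s)
        s = parent[s]
    return path[::-1]


def deadlocks(parent, steps):
    return [s for s in parent if not any(step(s) for step in steps)]


# Turn-based program: P1 waits for turn=1 and leaves CS with turn:=0,
# P2 waits for turn=0 and leaves with turn:=1.  State = (loc1, loc2, turn).
def turn_process(me):
    def step(s):
        locs, turn = list(s[:2]), s[2]
        if locs[me] == "I":
            locs[me] = "T"
        elif locs[me] == "T" and turn == 1 - me:
            locs[me] = "C"
        elif locs[me] == "C":
            locs[me], turn = "I", me
        else:
            return []                          # waiting: no enabled step
        return [(locs[0], locs[1], turn)]
    return step


# Peterson: flag_me:=1; turn:=other; while (flag_other and turn=other) wait;
# CS; flag_me:=0.  State = (pc1, pc2, flag1, flag2, turn); pc 3 = in CS.
# use_turn=False drops the turn variable (flags only), for comparison.
def peterson_process(me, use_turn=True):
    other = 1 - me
    def step(s):
        pcs, flags, turn = list(s[:2]), list(s[2:4]), s[4]
        pc = pcs[me]
        if pc == 0:                            # flag_me := 1
            flags[me], pcs[me] = 1, 1
        elif pc == 1:                          # turn := other
            turn = other + 1 if use_turn else turn
            pcs[me] = 2
        elif pc == 2:                          # busy-wait loop
            if flags[other] and (not use_turn or turn == other + 1):
                return []
            pcs[me] = 3                        # enter CS
        else:                                  # leave CS: flag_me := 0
            flags[me], pcs[me] = 0, 0
        return [(pcs[0], pcs[1], flags[0], flags[1], turn)]
    return step


def check_mutex(init, steps, in_cs):
    """Returns (reachable state count, violating trace or None, deadlock states)."""
    parent = explore(init, steps)
    bad = [s for s in parent if in_cs(s, 0) and in_cs(s, 1)]
    return len(parent), (trace_to(parent, bad[0]) if bad else None), deadlocks(parent, steps)


TURN_INIT, TURN_STEPS = ("I", "I", 0), [turn_process(0), turn_process(1)]
PETERSON_INIT = (0, 0, 0, 0, 1)
PETERSON_STEPS = [peterson_process(0), peterson_process(1)]
FLAGS_ONLY_STEPS = [peterson_process(0, False), peterson_process(1, False)]

if __name__ == "__main__":
    print(check_mutex(TURN_INIT, TURN_STEPS, lambda s, i: s[i] == "C"))       # 12 states, no violation
    print(check_mutex(PETERSON_INIT, PETERSON_STEPS, lambda s, i: s[i] == 3))
    print(check_mutex(PETERSON_INIT, FLAGS_ONLY_STEPS, lambda s, i: s[i] == 3))  # deadlock reported
```

The turn-based program yields exactly the 12 states listed on the slide and no (C1, C2) state. Peterson's algorithm passes both checks, while the flags-only variant keeps mutual exclusion but reaches a state where both processes spin on each other's flag, which is the kind of error a simple deadlock check finds and a mutex check alone would miss.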

Problem with verification: 'state explosion'

[Figure: components M1 (states a, b, c) and M2 (states 1, 2, 3, 4) and their product M1 x M2 with the combined states (1,a) ... (4,c).]

All combinations = exponential in the number of components. Provably theoretically intractable.

EXAMPLE: 10 components, each with 10 states

  # of control states = 10^10 = 10 G
  Each state needs 4*(10 x 10) = 400 B
  Worst case memory usage >> 4000 GB


Why is testing not good enough? Testing/simulation of designs/implementations may not reveal an error (e.g. no errors revealed after 2 days). Formal verification (= exhaustive testing) of a design provides 100% coverage (e.g. the error is revealed within 5 min).

  • TOOL support.

Solutions

  • Theorem provers
  • Symbolic techniques, e.g. BDD [Bryant 86]
  • Abstraction techniques [Cousot and Cousot]
  • Approximation methods [Holzmann, Wong-Toi, ...]
  • On-the-fly verification [Holzmann]
  • Partial order reduction [Wolper et al]
  • Compositional verification [too many]
  • Combining theorem provers and model checkers
  • ...

Symbolic techniques: compute sets of states instead of one by one

[Figure: starting from the initial set, the set of reached states grows with the successors of the current set until it either overlaps with the bad states ("fire the bombs") or converges.]

  • Overlap with bad states, or
  • Converge (fixed point)
  • Use formulas to represent sets of states
  • Compute the fixed point

A protocol by Philips for audio products

[Figure: performance chart with the UPPAAL releases of Dec '96 and Sep '98.]

  • 6 months for a manual proof in 1993
  • 24 hours for HyTech in 1994
  • 50 sec for UPPAAL in 1995
  • 0.2 sec for UPPAAL now!

Every 9 months, 10 times better performance!

The dream goes on ...

Automatic verification: a technique as useful and applicable as compiler theory! End of INTRODUCTION