The Invisible Programmers Mordechai (Moti) Ben-Ari - - PowerPoint PPT Presentation

The Invisible Programmers

Mordechai (Moti) Ben-Ari

http://stwww.weizmann.ac.il/g-cs/benari/ Department of Science Teaching Weizmann Institute of Science

Methods, Materials and Tools for Programming Education Tampere, Finland, 4 May 2006

c 2006, M. Ben-Ari. – p. 1

An (Expensive) Personal Computer Don’t You Wish You Had One?

c 2006, M. Ben-Ari. – p. 2

Automotive Computing

c 2006, M. Ben-Ari. – p. 3

Automotive Computing is Complex

Courtesy of Klaus Grimm, DaimlerChrysler AG

c 2006, M. Ben-Ari. – p. 4

Automotive Computing Expensive!

Courtesy of Klaus Grimm, DaimlerChrysler AG

c 2006, M. Ben-Ari. – p. 5

The Future is Embedded Systems

√ The amount of code for embedded systems, to be

implemented by programmers, doubles every 10 months and will reach 90% of all code being written by about the year 2010. Quoted by Rainer Hartenstein, The Digital Divide

• f Computing, Proceedings of the 1st Conference
• n Computing Frontiers, 2004.

c 2006, M. Ben-Ari. – p. 6

Characteristics of Embedded Systems

√ Longed-lived and difficult to upgrade. √ Responsibility for reliability.

c 2006, M. Ben-Ari. – p. 7

Microsoft End-User License Agreement

√ Microsoft warrants that the Software will perform

substantially in accordance with the [documentation] for a period of ninety (90) days

√ YOU ARE NOT ENTITLED TO ANY DAMAGES √ Microsoft . . . provide[s] the Software . . . AS IS

AND WITH ALL FAULTS, and hereby disclaim[s] all other . . . implied warranties . . . of reliability or availability, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses, and of lack of negligence, . . .

c 2006, M. Ben-Ari. – p. 8

Characteristics of Embedded Systems

√ Longed-lived and difficult to upgrade. √ Responsibility for reliability. √ Systems knowledge needed for development. √ Parallel development of hardware and software. √ Difficult to test. √ Integration with subcontractors. √ Cost and schedule pressures. √ Specialized technology.

c 2006, M. Ben-Ari. – p. 9

Technology for Embedded Systems

√ Architectures: ⋆ Digital signal processors. ⋆ Field programmable gate arrays. ⋆ Morphware; reconfigurable computing. √ Languages: VHDL, Verilog.

c 2006, M. Ben-Ari. – p. 10

Checking Ads—Employment in “IT”

√ Gallivan, Truex & Kvasny (The DATA BASE for

Advances in Information Systems 35(3), 2004) also used Computerworld as well as an Atlanta newspaper. The words “science” and “mathematics” do not appear in the article!

√ Sami Surakka (DSc thesis, HUT, 2005) examined

Computerworld. “Physics and continuous mathematics were not important for software developers.”

c 2006, M. Ben-Ari. – p. 11

Employment Opportunity at Boeing—Description

√ Perform Avionics System and Software

Requirements Analysis, Design, Development, Unit Test and Integration for Real Time Embedded Software for the International Space Station program in Houston.

√ Specifically, program real-time embedded

software and code in Ada, in a Vax and Windows 2000/NT/XP environment; develop/update and execute unit/integration tests; and develop/update supporting documentation. Debug problems encountered on-orbit. Assist with the resolution of complex programmatic and technical problems.

c 2006, M. Ben-Ari. – p. 12

Employment Opportunity at Boeing—Qualifications

√ Competencies Requires the education credentials

meeting the classification standards for engineers (such as a bachelor’s degree in computer science, math or engineering). Programming experience and Software Engineering knowledge are desirable. Strong skills in verbal and written communication are also desirable. Must work well in teams.

√ Education BS in Computer Science, Software

Engineering, Math, Physics, Electrical Engineering or Aerospace Engineering.

c 2006, M. Ben-Ari. – p. 13

Employment Opportunity at DaimlerChrysler—Description

√ In this role you will be responsible for the design,

development and implementation of embedded transmission / engine controller software. This individual will work within a team of software engineers in the development of powertrain controller production software to be used for DaimlerChrysler vehicles. He or she will interface with powertrain and electrical systems engineers to specify, develop, and verify powertrain controller functionality.

c 2006, M. Ben-Ari. – p. 14

Employment Opportunity at DaimlerChrysler—Qualifications

√ Minimum of two years embedded C/C++ software

experience.

√ Matlab experience; Simulink and/or Stateflow

experience; and familiarity with microprocessor based controls and development tools (emulators, debuggers, etc.).

√ Bachelor Degree in Electrical or Computer

Engineering.

c 2006, M. Ben-Ari. – p. 15

The Sad Truth from a Project Leader

“It is easier to teach computing to a physics graduate than it is to teach physics to a computer science graduate.”

c 2006, M. Ben-Ari. – p. 16

Rotations: Pitch, Roll, Yaw

c 2006, M. Ben-Ari. – p. 17

Coordinate Rotation by Euler Angles

               cos ψ cos θ sin ψ cos θ − sin θ cos ψ cos θ sin φ− sin ψ sin θ sin φ+ cos θ sin φ sin ψ cos φ cos ψ cos φ cos ψ cos θ cos φ+ sin ψ sin θ cos φ− cos θ cos φ sin ψ sin φ cos ψ sin φ               

c 2006, M. Ben-Ari. – p. 18

Complex numbers

√ z = a + bi, where i2 = −1, so i = √−1. √ Polar coordinates can be used to describe

rotations in two dimensions:

r =

• (a2 + b2) and ψ = tan−1(b/x).

c 2006, M. Ben-Ari. – p. 19

The Quaternion Plaque

In 1843, Sir William Rowan Hamilton thought of a generalization of complex numbers while walking along a canal in Dublin and carved the equation on a nearby bridge.

c 2006, M. Ben-Ari. – p. 20

Quaternions

√ Four dimensional vector: q = a + bi + cj + dk,

where |q| = 1.

√ i2 = j2 = k2 = ijk = −1, ij = −ki = k, jk = −kj = i, ki = −ik − j. √ Coordinate rotation in three dimensions given by q′ = Q∗qQ. √ Only four numbers need be stored and roundoff

errors are reduced because quaternions can be easily normalized.

c 2006, M. Ben-Ari. – p. 21

Techniques for high-reliability software

√ Praxis High Integrity Systems

(http://www.praxis-his.com/).

√ They developed a 100,000-line project for Mondex

with strict security requirements.

√ Four (!) bugs were found after delivery and were

fixed under the Praxis guarantee (!!). Three were fixed in a few hours and one took two days.

√ The formal specification language Z. √ Programming languages for reliable software:

Ada and Spark.

c 2006, M. Ben-Ari. – p. 22

Ada

Download for free at: http://stwww.weizmann.ac.il/g-cs/benari/books/

c 2006, M. Ben-Ari. – p. 23

Spark

c 2006, M. Ben-Ari. – p. 24

SPARK Program for Integer Division

• -# main_program;

procedure Divide( X1,X2: in Integer; Q,R : out Integer)

• -# derives Q, R from X1,X2;
• -# pre (X1>=0) and (X2>0);
• -# post (X1=Q*X2+R) and (X2>R) and (R>=0);

is N: Integer; begin Q := 0; R := 0; N := X1; while N /= 0

• -# assert(X1=Q*X2+R+N)and(X2>R)and(R>=0);

loop ... end loop; end Divide;

c 2006, M. Ben-Ari. – p. 25

SPARK Program for Integer Division

while N /= 0

• -# assert (X1=Q*X2+R+N)and(X2>R)and(R>=0);

loop if R+1 = X2 then Q := Q + 1; R := 0; else R := R + 1; end if; N := N - 1; end loop;

c 2006, M. Ben-Ari. – p. 26

Spark Examiner - Flow Analysis

****************************************** SPARK95 Examiner with VC and RTC Generator Release 6.3 / 11.02 Demonstration Version ****************************************** Examining main program Divide ... +++ Flow analysis of subprogram Divide performed: no errors found.

• ----------End of SPARK Examination-------

c 2006, M. Ben-Ari. – p. 27

Finding a Mistake with Flow Analysis

procedure Divide(X1,X2: in Integer; Q: out Integer; R: in out Integer) 4

• -# derives Q, R from X1,X2;

ˆ *** Semantic Error :504: Parameter R is of mode in out and must appear as an import.

c 2006, M. Ben-Ari. – p. 28

Verification Conditions for Integer Division

(X1 ≥ 0) ∧ (X2 > 0) → (X1 = Q · X2 + R + N) ∧ (X2 > R) ∧ (R ≥ 0). (X1 = Q · X2 + R + N) ∧ (X2 > R) ∧ (R ≥ 0) ∧ (N = 0) → (X1 = Q · X2 + R) ∧ (X2 > R) ∧ (R ≥ 0). (X1 = Q · X2 + R + N) ∧ (X2 > R) ∧ (R ≥ 0) ∧ (R + 1 = X2) → (X1 = Q′ · X2 + R′ + N′) ∧ (X2 > R′) ∧ (R′ ≥ 0). (X1 = Q · X2 + R + N) ∧ (X2 > R) ∧ (R ≥ 0) ∧ (R + 1 = X2) → (X1 = Q′ · X2 + R′ + N′) ∧ (X2 > R′) ∧ (R′ ≥ 0).

c 2006, M. Ben-Ari. – p. 29

Spark Examiner - Generated VC 1

From start to assertion of line 11: procedure_divide_1. H1: x1 >= 0 . H2: x2 > 0 . H3: x1 >= integer__first . H4: x1 <= integer__last . H5: x2 >= integer__first . H6: x2 <= integer__last .

• >

C1: x1 = x2 * 0 + 0 + x1 . C2: x2 > 0 . C3: 0 >= 0 .

c 2006, M. Ben-Ari. – p. 30

Spark Examiner - Generated VC 2

From assertion of line 11 to assertion of line 11: procedure_divide_2. H1: x1 = x2 * q + r + n . H2: x2 > r . H3: r >= 0 . H4: n <> 0 . H5: r + 1 = x2 .

• >

C1: x1 = x2 * (q + 1) + 0 + (n - 1) . C2: x2 > 0 . C3: 0 >= 0 .

c 2006, M. Ben-Ari. – p. 31

Spark Examiner - Generated VC 3

procedure_divide_3. H1: x1 = x2 * q + r + n . H2: x2 > r . H3: r >= 0 . H4: n <> 0 . H5: not (r + 1 = x2) .

• >

C1: x1 = x2 * q + (r + 1) + (n - 1) . C2: x2 > r + 1 . C3: r + 1 >= 0 .

c 2006, M. Ben-Ari. – p. 32

Spark Examiner - Generated VC 4

From assertion of line 11 to finish: procedure_divide_4. H1: x1 = x2 * q + r + n . H2: x2 > r . H3: r >= 0 . H4: not (n <> 0) .

• >

C1: x1 = q * x2 + r . C2: r < x2 . C3: r >= 0 .

c 2006, M. Ben-Ari. – p. 33

Spark Simplifier - VC 1

@@@@@@@@@@ VC: procedure_divide_1. Simplified C1 on reading formula in, to give: C1: true Simplified C3 on reading formula in, to give: C3: true Proved C1: true Proved C2: x2 > 0 using hypothesis H2. Proved C3: true PROVED VC.

c 2006, M. Ben-Ari. – p. 34

Spark Simplifier - VC 2

@@@@@@@@@@ VC: procedure_divide_2. Simplified C1: x1 = x2 * (q + 1) + (n - 1) Simplified C3: true Proved C2: x2 > 0 using H3 & H5 Proved C3: true Eliminated hypothesis H2 (redundant by H5) Eliminated hypothesis H1 by replacing x1 by: x2 * q + r + n. New C1: x2*q+r+n = x2*(q+1)+(n-1) Eliminated hypothesis H5 by replacing x2 by: r + 1. New C1: (r+1)*q+r+n = (r+1)*(q+1)+(n-1) Proved C1 via its standard form: true PROVED VC.

c 2006, M. Ben-Ari. – p. 35

Spark Simplifier - VC 3

@@@@@@@@@@ VC: procedure_divide_3. Simplified C3 to give: C3: r >= - 1 Proved C3: r >= - 1 using hypothesis H3. Restructured hypothesis H5 into: H5: r + 1 <> x2 Proved C1: x1 = x2 * q + (r + 1) + (n - 1) via its standard form, which is: Std.Fm C1: n + q * x2 + r - x1 = 0 using hypothesis H1. Eliminated hypothesis H1, which only specifies a value for x1. This is not referred to anywhere else in the VC.

c 2006, M. Ben-Ari. – p. 36

Spark Simplifier - VC 4

@@@@@@@@@@ VC: procedure_divide_4. Proved C2: r < x2 using hypothesis H2. Proved C3: r >= 0 using hypothesis H3. Restructured hypothesis H4 into: n = 0 Eliminated hypothesis H1. This was achieved by replacing x1 by: x2 * q + r + n. New C1: x2 * q + r + n = q * x2 + r Eliminated hypothesis H4. This was achieved by replacing n by: 0. New C1: x2 * q + r = q * x2 + r Proved C1: x2 * q + r = q * x2 + r via its standard form, which is: Std.Fm C1: PROVED VC.

c 2006, M. Ben-Ari. – p. 37

c 2006, M. Ben-Ari. – p. 38

Concurrent and Distributed Computation

According to David Patterson (President of the ACM):

√ Von Neumann architectures are limited. √ Moore’s Law no longer holds. √ The way to achieve more performance is through

parallelism.

c 2006, M. Ben-Ari. – p. 39

Proving Correctness Properties with State Diagrams

√ Are there solutions to the puzzle? √ From any non-final state, is there always a path to

a solution?

√ Does the existence of a solution depend on which

side makes the first move?

√ What is the minimum number of steps before

deadlock?

√ What is the minimum number of steps before

reaching a non-final state from which a solution cannot be reached?

c 2006, M. Ben-Ari. – p. 40

Frogs—Transition Between States

Diagrams courtesy Shmuel Schwarz

c 2006, M. Ben-Ari. – p. 41

Frogs—Final States

c 2006, M. Ben-Ari. – p. 42

Frogs—The State Diagram

c 2006, M. Ben-Ari. – p. 43

The Spin Model Checker

√ Spin is a model checker developed by Gerard

Holzmann, originally at Bell Labs and now at NASA.

√ It is widely used in industry. √ The installation and running of Spin is trival. √ Spin simulates and verifies models written in the

Promela language; the use of a programming language means that programs are familiar and understandable.

√ Correctness properties are easy to express in

linear temporal logic (LTL).

c 2006, M. Ben-Ari. – p. 44

Spin Program for Frogs Puzzle (1)

#define STONES 7 mtype = { none, male, female } mtype stones[STONES]; proctype mF(byte at) { do :: atomic { (at < STONES-1) && (stones[at+1] == none) -> stones[at] = none; stones[at+1] = male; at = at + 1; }

c 2006, M. Ben-Ari. – p. 45

Spin Program for Frogs Puzzle (2)

:: atomic { (at < STONES-2) && (stones[at+1] != none) && (stones[at+2] == none) -> stones[at] = none; stones[at+2] = male; at = at + 2; }

• d

}

c 2006, M. Ben-Ari. – p. 46

Solving the Frogs Puzzle with Spin

√ Define the propositional symbol:

#define success (\ (stones[0]==female)&&(stones[1]==female)&&\ (stones[2]==female)&&(stones[4]==male) &&\ (stones[5]==male) &&(stones[6]==male))

√ Specify (in)correctness in linear temporal logic:

[]!success.

√ Verify correctness:

pan: claim violated! (at depth 48) pan: wrote frogs.pml.trail errors: 1

c 2006, M. Ben-Ari. – p. 47

Examine the Trail for a Counterexample

0 :in run fF(((7-I)-1)) male male male none female female female 6 fF at = (at-1) male male male female none female female 5 mF at = (at+2) male male none female male female female 3 mF at = (at+1) male none male female male female female 6 fF at = (at-2) male female male none male female female 4 fF at = (at-2) male female male female male none female 2 fF at = (at-1) male female male female male female none 5 mF at = (at+2) male female male female none female male 3 mF at = (at+2) male female none female male female male 1 mF at = (at+2) none female male female male female male 6 fF at = (at-1) female none male female male female male 4 fF at = (at-2) female female male none male female male 2 fF at = (at-2) female female male female male none male 3 mF at = (at+1) female female male female none male male 1 mF at = (at+2) female female none female male male male 2 fF at = (at-1) female female female none male male male spin: trail ends after 48 steps

c 2006, M. Ben-Ari. – p. 48

Subjects Required of All CS Graduates

√ Discrete mathematics: set theory and logic. √ Continuous mathematics: calculus, linear algebra

and differential equations.

√ Architecture and assembly language

programming.

√ Application area: ⋆ Electronics ⋆ Physics ⋆ Economics ⋆ Biology

c 2006, M. Ben-Ari. – p. 49

Diversity at the Introductory Level

√ Object-oriented programming. √ Mathematical software tools like Matlab. √ Tools for reliable software: Ada, Spark. √ Hardware languages and systems. √ Concurrent and distributed computation.

c 2006, M. Ben-Ari. – p. 50