Validation, Synthesis and Performance Evaluation of Embedded Systems using UPPAAL

Kim Guldstrand Larsen
CISS: Center for Embedded Software Systems, Aalborg Universitet, 9220 Aalborg Ø
kgl@cs.auc.dk, 96358893
CISS: www.ciss.dk, info@ciss.dk, 96357220
Kim G Larsen, ARTIST PhD School 2011

Aalborg University
Aalborg University is the leading Danish ICT university in terms of public investments (33%).
80% of all software is embedded.
Demands for increased functionality with minimal resources.
Requires a multitude of skills: software construction, hardware platforms, communication, automation.
Goal: give a qualitative lift to …
National Competence Center (2003-..)
Ministry of Tech. & Res., North Jutland, Aalborg City, Aalborg University
50 Industrial Projects, 20 CISS employees, 25 CISS ass. Res., 20 Industrial PhDs, 10 Elite Students, 10 MEUR
(Industrial partner logos, including RTX and FOSS)
Applications
Home automation, Mobile robots, Intelligent sensors, Ad hoc networks, Mobile phones, Audio/Video, Consumer electronics, Control systems, Automobile, X-by-wire

Research areas
Model based development
Modeling Methods
Intelligent sensor networks
IT in automation
Embedded and RT OS
RT Java Lab
Resource Optimal Scheduling
HW/SW Co-design / Design Space Exploration
Testing and Verification
Embedded Security
(Layered figure: Application, over HW/SW API / OS, over network HW, all within the Environment)
Funded by the Danish Advanced Technology Foundation. Budget 9 MEuro / 4 years
Themes: Self-diagnosis & -repair, Test & Verification, Development Process, Embedded & Distributed Control, Execution Platform
Villum-Kahn Rasmussen Center of Excellence
Opening November 19, 2008, 6.5 MEUR
Embedded Systems: Static Analysis, Model Checking, Service Oriented Architectures
IMM/DTU, CISS/AAU, ITU
Director Flemming Nielson, Co-Director Kim G Larsen
Foundations for Cyber-Physical Systems: From Computer Science to Cyber-Physical Systems
Topics & Task Overview
IDEA4CPS, MT-LAB Meeting 11.1.2011, Kim Guldstrand Larsen

Collaboration
… collaborating on research and discussing progress in the project. … the first half year.
Yearly (internal) progress reports highlighting main research achievements and challenges as well as experimental findings from case studies.
… year, potentially in combination with … month.
Quasimodo
Partners: WP1, WP2, WP3, WP4, WP5
Workplan Strategy: "Well documented APIs & exchange formats"; timed, hybrid, stochastic, priced, .. automata; xLTS

WP5 Case Studies
Accumulator Charge Controller (HYDAC)
– Design of robust and optimal control for hydraulic pump (UPPAAL Tiga, Phaver, Simulink)
Wireless Sensor Network (CHESS)
– Analysis of gMAC protocol (UPPAAL): potential for time synchronization failing identified, demonstrated and partially corrected (UPPAAL)
– Testing (jTorX, TorXakis, TRON)
– Trade-off between energy consumption and collision rates (MODEST)
Control Software for satellites Herschel and Planck (TERMA)
– Schedulability and WCET analysis (UPPAAL)

WP5 Additional Case Studies
Balancing Scooter (CHESS)
– High-level control modes modeled by engineers (UPPAAL)
– Schedulability (UPPAAL)
Adaptive scheduling of data paths (OCE)
– Synthesis of optimal data path (CORA)
Rapid Input-Output Packet Switch (ASML)
– Simulation and verification of worst-case latencies (POOSL, UPPAAL)
(Source: Quasimodo, ESWEEK, Scottsdale, October 24, 2010)
European Network
32 partners
Joseph Sifakis, Co-winner of Turing Award 2007, ARTIST Director
Modeling & Verification: CISS coordinator
Verification and Testing
Model, Requirements, Code, Running System

Code (visualSTATE example d-241):

#include <stdio.h>
#include <stdlib.h>

/* Wait for events */
void OS_Wait(void);

/* Operating system visualSTATE process. Mimics an OS process for a
 * visualSTATE system. In this implementation this is the main loop
 * interfacing to the visualSTATE basic API. */
void OS_VS_Process(void);

/* Define completion code variable. */
unsigned char cc;

void HandleError(unsigned char ccArg)
{
    /* Print the code as a number; "%c" would emit an unprintable character. */
    printf("Error code %u detected, exiting application.\n", (unsigned)ccArg);
    exit(ccArg);
}

/* In d-241 we only use the OS_Wait call. It is used to simulate a
 * system. Its purpose is to generate events. How this is done is up to
 * you. */
void OS_Wait(void)
{
    /* Ignore the parameters; just retrieve events from the keyboard and
     * put them into the queue. When EVENT_UNDEFINED is read from the
     * keyboard, return to the calling process. */
    SEM_EVENT_TYPE event;
    int num;
    /* ... remainder of the function is not shown on the slide ... */
}
Airbus Control Panel
TEST: input sequences such as A B, E F E E G H … H A, A A A A B B B B
2^n sequences of length n
Verification: deadlock identified after a sequence of 2000 telegrams (T1 T3 T5 T1 … T4 T3), in < 1 min.
Why Verification and Testing
30-40% of production time is currently spent on elaborate, ad-hoc testing: errors are expensive and difficult to fix!
The potential of existing/improved testing methods and tools is enormous!
Time-to-market may be shortened considerably by verification and performance analyses of early designs!
Why Verification and Testing
IMPORTANCE for EMBEDDED SYSTEMS: often safety critical, often economically critical, hard to patch.
CHALLENGES for EMBEDDED SYSTEMS: correctness of embedded systems depends crucially on the use of resources, e.g. real-time, memory, bandwidth, energy. Need for quantitative models.
Spectacular software bugs: Ariane 5
The first Ariane 5 rocket was launched in June, 1996. It used software developed for the successful Ariane 4. The rocket carried two computers, providing a backup. On its maiden flight, the rocket veered off course and, with $500 million worth of satellites, was destroyed.
Ariane 5 was a much more powerful rocket and generated forces that were larger than the computer could handle. Shortly after launch, it received an input value that was too large. The main and backup computers shut down, causing the rocket to veer off course.
Spectacular software bugs: Therac-25 (Safety Critical)
The Therac-25 radiation therapy machine was a medical device that used beams of electrons or photons to kill cancer cells. Between 1985-1987, at least six people got very sick after Therac-25 treatments. Four … The manufacturer was confident that their software made it impossible for the machine to harm patients.
The Therac-25 was withdrawn from use after it was determined that it could deliver fatal overdoses under certain conditions. The software would shut down the machine before delivering an … The messages it displayed were so unhelpful that operators couldn't tell what the error was, or how serious it was. In some cases, operators ignored the message completely.
IEEE Computer, Vol. 26, No. 7, July 1993, pp. 18-41
Spectacular Software Bugs … continued
Intel Pentium floating-point division (FDIV) bug: 470 Mill US $
Baggage handling system, Denver: 1.1 Mill US $/day for 9 months
Mars Pathfinder …
….
(Figure: 100 processors …)
int x = 100;
Process INC:   do :: x < 200 --> x := x + 1
Process DEC:   do :: x > 0   --> x := x - 1
Process RESET: do :: x = 200 --> x := 0
( INC || DEC || RESET )
Which values may x take?
Questions / Properties:
E<>(x > 100)    Possibly
E<>(x > 200)
A[](x <= 200)   Always
E<>(x < 0)
A[](x >= 0)
E<> p ("possibly p") holds if some reachable state satisfies p; A[] p ("always p") holds if every reachable state does.
What are the possible final values of x?
int x = 0;
Process P: do x := x + 1   (10 times)
( P || P )    with x := x + 1 an atomic statement
versus
int x = 0;
Process P: int r; do r := x; r++; x := r   (10 times)
( P || P )
What are the possible values that x may possess during execution?
int x = 1;
Process P: do x := x + x   (forever)
( P || P )    with x := x + x an atomic statement
versus
int x = 1;
Process P: int r; do r := x; r := x + r; x := r   (forever)
( P || P )
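The three puzzles above are exactly what a model checker settles by exhaustive exploration of the interleavings rather than by running the program a few times. The following is an added example, not code from the slides and not UPPAAL itself: a small breadth-first state-space explorer in Python that enumerates every interleaving of the processes, then answers the E<> / A[] questions as reachability and invariance over the explored states, and collects the final (or reachable) values of x for the atomic and non-atomic variants. The encoding of each process as a (pc, r) pair and a step function, and the value bound of 16 used to keep the non-terminating doubling example finite, are this example's own assumptions.

```python
# Added illustration (not from the original slides, not UPPAAL): a tiny
# explicit-state explorer for the INC/DEC/RESET, counter and doubling puzzles.
from collections import deque


def explore(init_x, procs, bound=None):
    """Breadth-first exploration of the interleaved product of `procs`.

    Global state = (x, ((pc, r) per process)): x is the shared variable,
    pc a process' control location and r its local register.
    Each process is a function step(pc, r, x) -> [(pc', r', x'), ...]
    listing the enabled moves.  `bound` prunes states whose values exceed
    it, which keeps non-terminating models (doubling) finite: an assumption
    of this example, not part of the slides.
    """
    start = (init_x, tuple((0, 0) for _ in procs))
    seen, work = {start}, deque([start])
    while work:
        x, locs = work.popleft()
        for i, step in enumerate(procs):
            pc, r = locs[i]
            for pc2, r2, x2 in step(pc, r, x):
                if bound is not None and max(abs(x2), abs(r2)) > bound:
                    continue
                nxt = (x2, locs[:i] + ((pc2, r2),) + locs[i + 1:])
                if nxt not in seen:
                    seen.add(nxt)
                    work.append(nxt)
    return seen


def possibly(states, pred):  # E<> pred: some reachable state satisfies pred
    return any(pred(x) for x, _ in states)


def always(states, pred):    # A[] pred: every reachable state satisfies pred
    return all(pred(x) for x, _ in states)


# --- INC || DEC || RESET with x initially 100 ---------------------------
def inc(pc, r, x):   return [(0, 0, x + 1)] if x < 200 else []
def dec(pc, r, x):   return [(0, 0, x - 1)] if x > 0 else []
def reset(pc, r, x): return [(0, 0, 0)] if x == 200 else []


def slide29():
    s = explore(100, [inc, dec, reset])
    return {
        "E<>(x>100)": possibly(s, lambda x: x > 100),
        "E<>(x>200)": possibly(s, lambda x: x > 200),
        "A[](x<=200)": always(s, lambda x: x <= 200),
        "E<>(x<0)": possibly(s, lambda x: x < 0),
        "A[](x>=0)": always(s, lambda x: x >= 0),
    }


# --- two processes each doing x := x + 1 ten times ----------------------
N = 10


def inc_atomic(pc, r, x):
    return [(pc + 1, 0, x + 1)] if pc < N else []


def inc_split(pc, r, x):
    # even pc: 'r := x; r++' (r++ is local, so it is folded into the read)
    # odd  pc: 'x := r'.  Ten iterations take 2*N steps.
    if pc >= 2 * N:
        return []
    return [(pc + 1, x + 1, x)] if pc % 2 == 0 else [(pc + 1, 0, r)]


def final_values(states, done):
    return {x for x, locs in states if all(done(pc) for pc, _ in locs)}


def slide30():
    atomic = final_values(explore(0, [inc_atomic] * 2), lambda pc: pc == N)
    split = final_values(explore(0, [inc_split] * 2), lambda pc: pc == 2 * N)
    return atomic, split


# --- two processes doing x := x + x forever, x initially 1 --------------
def dbl_atomic(pc, r, x):
    return [(0, 0, x + x)]


def dbl_split(pc, r, x):
    # r := x ; r := x + r ; x := r   (x is read twice, in separate steps)
    return {0: [(1, x, x)], 1: [(2, x + r, x)], 2: [(0, 0, r)]}[pc]


def slide31(bound=16):
    atomic = {x for x, _ in explore(1, [dbl_atomic] * 2, bound)}
    split = {x for x, _ in explore(1, [dbl_split] * 2, bound)}
    return atomic, split


if __name__ == "__main__":
    print(slide29())
    a30, s30 = slide30()
    print("counter  atomic:", sorted(a30), " non-atomic:", sorted(s30))
    a31, s31 = slide31()
    print("doubling atomic:", sorted(a31), " non-atomic:", sorted(s31))
```

The explorer answers the first slide as expected (x stays within 0..200, so the two "Possibly" questions about x > 200 and x < 0 are false and both "Always" invariants hold). For the counter, the atomic version ends at 20 every time, while the split read-modify-write version can end at any value from 2 to 20: the final value 2 needs a specific interleaving (one process reads 0, the other completes nine increments, the first writes 1, the second reads that 1, the first finishes, the second finally writes 2) that ad-hoc testing is unlikely to hit, which is the point the slides make about exhaustive verification versus testing. For the doubling example the atomic version only ever sees powers of two, whereas the split version, which reads x twice, reaches values like 3, 5 and 7 as well.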
Models
A model is a simplified representation of the real world.
The user gains confidence in the adequacy and validity of a proposed system.
Models select what matters and leave out irrelevant details.
Early design exploration.
(Tool shown: Rhapsody)
Unified Model = State Machine!
(Figure: control states connected by edges labelled with input actions a?, b? and output actions x!, y!; input ports a, b; output ports x, y)
(Figure: state machine of a virtual pet)
Control states: ALIVE, with substates Passive, Feeding, Clean, Care, Play, Discipline, Medicine; and DEAD
Input labels on edges: A, B, C (e.g. Light A, Meal B, Snack B; Snack: Health := Health - 1)
Tick: Health := Health - 1; Age := Age + 1
ALIVE --> DEAD when Health = 0 or Age = 2000
VVS
Baan Visualstate, DTU (CIT project)
Hierarchical state systems
Flat state systems
Multiple and inter-related state machines
Supports UML notation
Device driver access
ESTEREL
System Description + Requirement --> Yes / No! (with Debugging Information)
Quantities: Time, Cost, Probability
Artifacts: Prototypes, Executable Code, Test sequences
Requirements:
A( req ⇒ A♦ grant )
A( req ⇒ A♦_{t<30s} grant )
A( req ⇒ A♦_{t<30s, c<5$} grant )
A( req ⇒ A♦_{t<30s, p>0.90} grant )
Real Time Modelling & Verification (Decidability, Engine): CLASSIC
Real Time Scheduling & Schedulability Analysis: CORA
Real Time Controller Synthesis: TIGA
Compositionality: ECDAR
Real Time Testing: TRON
Performance Analysis: SMC
Slides, Reading Material, Exercises
www.cs.aau.dk/~kgl/China11
…/Material.html, ../Exercises.html