Verification Verification, Performance Performance Analysis - - PowerPoint PPT Presentation

Verification Verification, Performance Performance Analysis Analysis and Performance Performance Analysis Analysis and Synthesis Synthesis

f E b E b dd d S t

• f Embedd

dded Sys ystems ems Kim G. Larsen Kim G. Larsen A lb U i it – Aalborg University DENMARK

Collaborators Collaborators

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Lars Kim Larsen [2] en [2]

Embedded Systems Embedded Systems

Pl t C t ll

sensors

Plant

Continuous

Controller Program

Discrete

actuators

Discrete

E

R lti P t l

Quantities: Quantities: Eg.:

Realtime Protocols Pump Control Air Bags Robots

Quantities:

• timing
• energy

Quantities:

• timing
• energy

Cruise Control ABS CD Players P d ti Li

• memory
• bandwidth
• uncertainties
• memory
• bandwidth
• uncertainties

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Lars Kim Larsen [3] en [3]

Production Lines

uncertainties uncertainties

Model Checking Model Checking

System Description

No!

Debugging Information

Time Cost Probability

TOOL

Yes

Debugging Information Requirement

Yes

Prototypes Executable Code Test sequences

A฀( req ⇒ A♦ grant) A฀( req ⇒ A♦t<30s grant) A ( A♦ t) A฀( req ⇒ A♦t<30s,c<5$ grant) A฀( req ⇒ A♦t<30s , p>0.90 grant)

Kim Lars Kim Larsen [4] en [4]

AVACS P S PhD S School, Olde denburgh, urgh, M March 2 h 2010

Synthesis Synthesis

System Description

No!

Debugging Information

Time Cost Probability

?

TOOL

Yes

Debugging Information Requirement

Yes

Control Strategy

A฀( req ⇒ A♦ grant) A฀( req ⇒ A♦t<30s grant) A ( A♦ t) A฀( req ⇒ A♦t<30s,c<5$ grant) A฀( req ⇒ A♦t<30s , p>0.90 grant)

AVACS P S PhD S School, Olde denburgh, urgh, M March 2 h 2010

Kim Lars Kim Larsen [5] en [5]

QMC QMC

ITU, Copenhagen, ITU, Copenhagen, 2-5 March, 2-5 March, 2010 2010

http://qmc cs aau dk/

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Lars Kim Larsen [6] en [6]

http://qmc.cs.aau.dk/

Overview Overview

• Timed

Timed Automata utomata

S h d li

• Schedubility

Schedubility Anal Anal sis sis

• Scheduling
• Leader Election
• Priced

Priced Timed Timed Anal Analysis sis

• Stopwatch Automata
• TERMA: Herschel &

CLASSI C CLASSI C CLASSI C CLASSI C

• Priced

Priced Timed Timed Automata Automata

• Optimal Reachability
• TERMA: Herschel &

Planck

• Timed

Timed Games ames

CORA CORA CORA CORA

TI GA TI GA TI GA TI GA

• Optimal Reachability
• Optimal Infinite

Scheduling

• Synthesis
• HYDAC: optimal and
• Multi Objectives
• Aircraft Landing

robust control

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Lars Kim Larsen [7] en [7]

Timed Automata Timed Automata

Timed Automata Timed Automata

[ Alur & Dill’89]

Clock Guard Reset Clock Invariant

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Lars Kim Larsen [9] en [9]

Composition Composition

Resource Task Synchronization Shared variable Sem antics: ( Idle Init B 0) ( Idle , Init , B= 0, x= 0) d(3.1415)  ( Idle , Init , B= 0 , x= 3.1415 ) use  ( InUse , Using , B= 6, x= 0 ) d(6)  ( InUse , Using , B= 6, x= 6 )

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [10] Kim Larsen [10]

done  ( Idle , Done , B= 6 , x= 6 )

Task Graph Scheduling – Task Graph Scheduling – Example Example + *

2 1

Compute : (D * ( C * ( A + B )) + (( A + B ) + ( C * D )) using 2 processors

A B C D 4

* + +

3 4

using 2 processors

P1 (fast) P2 (slow)

C

* + *

3ps

*

2ps

+

7ps

*

5ps

+

6 5

C

+ *

P1

5 10 15 20 25 6 5

2 3 6 5

D

P1 P2

1 2 3 6 5 4

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [11] Kim Larsen [11]

time

Task Graph Scheduling – Task Graph Scheduling – Example Example + *

2 1

Compute : (D * ( C * ( A + B )) + (( A + B ) + ( C * D )) using 2 processors

A B C D

* + +

3 4

using 2 processors

P1 (fast) P2 (slow)

C

* + *

3ps

*

2ps

+

7ps

*

5ps

+

6 5

C

+ *

P1

5 10 15 20 25 6 5

D

1 3 6 5 4

P1 P2

1 2 3 6 5 4

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [12] Kim Larsen [12]

time

Task Graph Scheduling – Task Graph Scheduling – Example Example + *

2 1

Compute : (D * ( C * ( A + B )) + (( A + B ) + ( C * D )) using 2 processors

A B C D

* + +

3 4

using 2 processors

P1 (fast) P2 (slow)

C

* + *

3ps

*

2ps

+

7ps

*

5ps

+

6 5

C

+ *

P1

5 10 15 20 25 6 5

D

1 3 6 5 4

P1 P2

1 2 3 6 5 4

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [13] Kim Larsen [13]

time

Task Graph Scheduling – Task Graph Scheduling – Example Example + *

2 1

Compute : (D * ( C * ( A + B )) + (( A + B ) + ( C * D )) using 2 processors

A B C D

* + +

3 4

using 2 processors

P1 (fast) P2 (slow)

C

* + *

3ps

*

2ps

+

7ps

*

5ps

+

6 5

C

+ *

P1

5 10 15 20 25 6 5

D

1 3 6 5 4

P1 P2

1 2 3 6 5 4

E<> (Task1 End and and Task6 End)

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [14] Kim Larsen [14]

time

E<> (Task1.End and … and Task6.End)

Experimental Results Experimental Results

Symbolic A* Branch-&-Bound 60 sec 60 sec

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [15] Kim Larsen [15]

Abdeddaïm, Kerbaa, Maler

Zones – Zones – From infinite to

From infinite to finite finite

State Symbolic state (set) State (n, x= 3.2, y= 2.5 ) Symbolic state (set)

Zone:

(n, 1≤x≤4, 1≤y≤ 3) y y

conjunction of x-y< = n, x< = > n

x x

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [16] Kim Larsen [16]

Zones - Zones - Operations Operations

y y y

(n, 2≤x≤4 Æ 1≤y≤3 Æ y-x≤0 ) (n, 2≤x Æ 1≤y Æ -3≤ y-x≤0 ) (n, 2≤x Æ 1≤y≤3 Æ y-x≤0 )

x x x

Delay Delay (stopwatch)

y y y

(n, x= 0 Æ 1≤y≤3 ) (n, 2≤x≤4Æ 1≤y )

2

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [17] Kim Larsen [17]

x x x

Reset Extrapolation Convex Hull

Datastructures for Zones Datastructures for Zones

• Difference Bounded

Matrices (DBMs)

• 4
• Minimal Constraint

Form

x1 x2

4 2 2 3 3

• 2
• 2

Form

[RTSS97]

l k ff

x3 x0

2 5 1

• Clock Difference

Diagrams

[CAV99]

• PW List

[SPIN03]

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [18] Kim Larsen [18]

[S 03]

Leader Leader Election Election Leader Leader Election Election Protocol Protocol Protocol Protocol

Protocol analysed in UPPAAL by Protocol analysed in UPPAAL by Leslie Lamport CHARME’05

Leader Election Leader Election

2 1 3 Protocol by Leslie Lamport Leslie Lamport

Kim Larsen [20] Kim Larsen [20] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Leader Election Leader Election

(leader,hops) 2 1 (0,0) (2,0) (1,0) (0,0) 3 (3,0)

Kim Larsen [21] Kim Larsen [21] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Timeout Timeout

2 1 (0,0) (2,0) (1,0) (0,0) 3 (3,0)

Kim Larsen [22] Kim Larsen [22] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Flooding Flooding

2 1 (0,0) (2,0) (1,0) (1,2,1,0) (0,0)

(1,0,1,0)

(1,3,1,0) 3 (3,0) (src,dst,leader,hops) p

Kim Larsen [23] Kim Larsen [23] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Flooding Flooding

2 1 (0,0) (2,0) (1,0) (1,2,1,0) (0,0)

(1,0,1,0)

3 (1,3,1,0) (3,0)

Kim Larsen [24] Kim Larsen [24] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Flooding Flooding

2 1 (0,0) (2,0) (1,0) (1,2,1,0) (0,0)

(1,0,1,0)

3 (1,1)

Kim Larsen [25] Kim Larsen [25] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Forwarding Forwarding

2 1 (0,0) (2,0) (1,0) (1,2,1,0) (0,0)

(1,0,1,0)

3 (3,2,1,1) (1,1)

Kim Larsen [26] Kim Larsen [26] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Forwarding Forwarding

2 1 (0,0) (2,0) (1,0) (1,2,1,0) (0,0)

(1,0,1,0)

3 (3,2,1,1) (1,1)

Kim Larsen [27] Kim Larsen [27] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Forwarding Forwarding

2 1 (0,0) (1,1) (1,0)

(2 0 1 1)

(0,0) (2,3,1,1)

(2,0,1,1)

(1,0,1,0)

3 (3,2,1,1) (1,1)

Kim Larsen [28] Kim Larsen [28] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Leader Election Leader Election

2 1 (0,0) (1,1) (1,0) (0,0) 3 (1,1)

Kim Larsen [29] Kim Larsen [29] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Leader Election Leader Election

2 1 (0,0) (1,1) (1,0) (0,0) 3 (1,1)

Kim Larsen [30] Kim Larsen [30] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Leader Election Leader Election

2 1 (0,0) (0,1) (0,1) (0,0) 3 (0,2)

Kim Larsen [31] Kim Larsen [31] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Variable timeout Variable timeout

timeout hops 2 timer 1 2 time

Kim Larsen [32] Kim Larsen [32] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Leader Election Leader Election

Claim to be Claim to be verified verified

Correct leader is known at a node i after t(i) = ΔTO + ΔTDELAY + di·ΔMDELAY ( )

TO TDELAY i MDELAY

A A model checking problem model checking problem

IMP ² l(i) L(i) IMP ² ▫>t(i) l(i)=L(i) for all i.

33 33 AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Modelling (RT) protocols Modelling (RT) protocols

Users P l k

All,

Protocol stacks

Thanks for the spec. It seems to run fine. As expected, it's 2 or 3 orders of magnitude

Medium

faster than TLC. I'm wondering if your algorithms could be used for checking specs written in a hi h l l l higher level language like TLA+.

Kim Larsen [34] Kim Larsen [34] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Modelling the Modelling the election protocol election protocol

1

P

2

Per process disti: N leaderi: Node timeouti: N

i

Message Message src: Node dst: Node leader: Node hopss: N

Kim Larsen [35] Kim Larsen [35] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Global Declaration Global Declaration

Kim Larsen [36] Kim Larsen [36] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Message Message

Kim Larsen [37] Kim Larsen [37] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Node[id] Node[id]

Kim Larsen [38] Kim Larsen [38] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Local Declarations (Node[id]) Local Declarations (Node[id])

Kim Larsen [39] Kim Larsen [39] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Demo Demo

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [40] Kim Larsen [40]

Optimisations Optimisations

• Reducin

Reducing the number of active variables g

• If variable is never used until next reset,

then the value does not matter.

Symmetry Symmetry of message processes

• Symmetry

Symmetry of message processes

• The message processes are symmetric: It

does not matter which is used to transfer a does not matter which is used to transfer a message.

41 41 AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Priced Priced Timed Timed Priced Priced Timed Timed Automata Automata Automata Automata

Task Graph Scheduling Task Graph Scheduling – Revisited Revisited

+ *

2 1

Compute : (D * ( C * ( A + B )) + (( A + B ) + ( C * D )) using 2 processors

A B C D

* + +

3 4

using 2 processors

P1 (fast) P2 (slow)

C

* + *

3ps

*

2ps

+

7ps

*

5ps

+

6 5

C

1oW

Idle

20W

Idle

+ *

P1

5 10 15 20 25 6 5

D

1 3 6 5 4

90W

In use

1oW

Idle

30W

In use

20W

Idle

ENERGY:

P1 P2

1 2 3 6 5 4

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [43] Kim Larsen [43]

time

Task Graph Scheduling Task Graph Scheduling – Revisited Revisited

+ *

2 1

Compute : (D * ( C * ( A + B )) + (( A + B ) + ( C * D )) using 2 processors

A B C D

* + +

3 4

using 2 processors

P1 (fast) P2 (slow)

C

* + *

3ps

*

2ps

+

7ps

*

5ps

+

6 5

C

10W

Idle

20W

Idle

+ *

P1

5 10 15 20 25 6 5

D

90W

In use

10W

Idle

30W

In use

20W

Idle

ENERGY:

1 3 4

P1 P2

1 2 3 6 5 4

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [44] Kim Larsen [44]

time

Task Graph Scheduling Task Graph Scheduling – Revisited Revisited

+ *

2 1

Compute : (D * ( C * ( A + B )) + (( A + B ) + ( C * D )) using 2 processors

A B C D

* + +

3 4

using 2 processors

P1 (fast) P2 (slow)

C

* + *

3ps

*

2ps

+

7ps

*

5ps

+

6 5

C

10W

Idle

20W

Idle

+ *

P1

5 10 15 20 25 6 5

D

90W

In use

10W

Idle

30W

In use

20W

Idle

ENERGY:

1 3 4

P1 P2

1 2 3 6 5 4

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [45] Kim Larsen [45]

time

A simple example A simple example

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [46] Kim Larsen [46]

A simple example A simple example

Q: What is cheapest cost for reaching ?

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [47] Kim Larsen [47]

A simple example A simple example

THM [Behrmann, Fehnker ..01] [Alur,Torre,Pappas 01] Optimal reachability is decidable for PTA THM [Bouyer, Brojaue, Briuere, Raskin 07]

Q: What is cheapest cost for reaching ?

Optimal reachability is PSPACE-complete for PTA

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [48] Kim Larsen [48]

Priced Zones Priced Zones

[CAV01] [CAV01]

A zone Z: 1≤ x ≤ 2 Æ 0≤ y ≤ 2 Æ x - y ≥ 0 A cost function C x - y ≥ 0 A cost function C C(x,y)= 2·x - 1·y + 3

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [49] Kim Larsen [49]

Priced Zones Priced Zones – Reset

[CAV01] [CAV01]

A zone Z: 1≤ x ≤ 2 Æ 0≤ y ≤ 2 Æ x - y ≥ 0 Z[x=0]: x=0 Æ A cost function C x - y ≥ 0 x 0 Æ 0≤ y ≤ 2 C = 1·y + 3 A cost function C C(x,y) = 2·x - 1·y + 3 C 1 y + 3 C= -1·y + 5

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [50] Kim Larsen [50]

Symbolic Symbolic Branch Branch & Bound & Bound Algorithm Algorithm

Z’ is bigger & cheaper than Z

Z Z  '

cheaper than Z ≤ is a well-quasi ≤ is a well quasi

• rdering which

guarantees termination!

Kim Larsen [51] Kim Larsen [51] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Cost- Cost-Optimality Reachability Optimality Reachability

Behrmann, Fehnker, et all (HSCC’01) Alur, Torre, Pappas (HSCC’01) Behrmann, Fehnker, et all (HSCC’01) Alur, Torre, Pappas (HSCC’01)

c3

Cost of step n

c1 c2

3

cn



GOAL

C C

Value of path : val() = c1 + c2 + ... + cn Optimal Schedule * : val(* ) = inf val()

Competitive with and Complementary to MILP

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [52] Kim Larsen [52]

Optimal Schedule  : val( ) inf val()

Aircraft Aircraft Landing Problem Landing Problem

t cost E earliest landing time T target time L latest time e*(T-t) d+l*(t-T) t E e cost rate for being early l

cost rate for being late

d fixed cost for being late E L T

Planes have to keep separation distance to avoid turbulences caused by preceding planes

Runway

Kim Larsen [53] Kim Larsen [53] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Modeling ALP with PTA Modeling ALP with PTA

129: Earliest landing time 153: Target landing time 559: Latest landing time 10: Cost rate for early 20: Cost rate for late Runway handles 2 types of Runway handles 2 types of planes

Planes have to keep separation distance to avoid turbulences caused by preceding planes

Runway

Kim Larsen [54] Kim Larsen [54] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Modelling ALP Modelling ALP with MILP with MILP

[Beasley00]

minimize i=1 P( ei i + di i) where where

ti: landing time of plane i i : how early plane i lands before target Ti i : how late plane i lands after target Ti  : if i lands before then 0 otherwise 1 ij : if i lands before then 0 otherwise 1

Kim Larsen [55] Kim Larsen [55] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Aircraft Landing Aircraft Landing

Kim Larsen [56] Kim Larsen [56] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Optimal Optimal Infinite Infinite Schedule Schedule

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [57] Kim Larsen [57]

Optimal Optimal Infinite Infinite Scheduling Scheduling

Maximize throughput: i.e. maximize Reward / Time in the long run!

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [58] Kim Larsen [58]

Optimal Optimal Infinite Infinite Scheduling Scheduling

Minimize Energy Consumption: i.e. minimize Cost / Time in the long run

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [59] Kim Larsen [59]

Optimal Optimal Infinite Infinite Scheduling Scheduling

Maximize throughput: i.e. maximize Reward / Cost in the long run

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [60] Kim Larsen [60]

Mean Pay-Off Mean Pay-Off Optimality Optimality

Bouyer, Brinksma, Larsen: HSCC04,FMSD07 Bouyer, Brinksma, Larsen: HSCC04,FMSD07

Accumulated cost

c c c3 cn c1 c2 r1 r2 r3 rn



Accumulated reward

¬ BAD

Value of path : val() = limn→∞ cn/rn Optimal Schedule * : val(* ) = inf val()

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [61] Kim Larsen [61]

Optimal Schedule  : val( ) inf val()

Discount Discount Optimality Optimality

 1 : discounting factor

Larsen, Fahrenberg: INFINITY’08 Larsen, Fahrenberg: INFINITY’08

Cost of time tn

(t ) c(t ) c(t3) c(tn) c(t1) c(t2) t1 t2 t3 tn



Time of step n

¬ BAD

Value of path : val() = Optimal Schedule

* : val( * )

inf val( )

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [62] Kim Larsen [62]

Optimal Schedule  : val( ) = inf val()

Soundness Soundness of

• f

Corner Corner Point Point Abstraction Abstraction

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [63] Kim Larsen [63]

Consuming Consuming & Harvesting Harvesting Energy Energy

Bouyer, Fahrenberg, Larsen, Markey, Srba: FORMATS 2 0 0 8 Bouyer, Fahrenberg, Larsen, Markey, Srba: FORMATS 2 0 0 8 FORMATS 2 0 0 8 HSCC 2 0 1 0 FORMATS 2 0 0 8 HSCC 2 0 1 0

Maximize throughput while respecting: 0 ≤ E ≤ MAX

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [64] Kim Larsen [64]

while respecting: 0 ≤ E ≤ MAX

Energy-Bounded Energy-Bounded Infinite Runs Infinite Runs

Bouyer, Fahrenberg, Larsen, Markey, Srba: FORMATS 2008 Bouyer, Fahrenberg, Larsen, Markey, Srba: FORMATS 2008

Cost of time tn

FORMATS 2008 FORMATS 2008

c(t ) c(t2) c(t4) c(tn) t c(t1) t1 t2 t4 tn



Time of step n

¬ BAD MAX MAX

t t t t

…

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [65] Kim Larsen [65]

t1 t2 t3 t4

Multiple Multiple Objective Objective Scheduling Scheduling

P2 P1

1 6 ,1 0 2 ,3

P6 P3 P4

2 ,3 6 ,6 1 0 ,1 6 cost1’==4 cost2’==3 cost2

Pareto Frontier P P

2 2

1

P7 P5

2 ,2 8 ,2

4 W 3 W cost1

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [66] Kim Larsen [66]

1

”Experimental” Results ”Experimental” Results

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [67] Kim Larsen [67]

Schedulability Analysis Schedulability Analysis

Embedded Systems Embedded Systems

Tasks:

Computation times Deadlines

Resources

Execution platform Dependencies Arrival patterns uncertainties p CPU, Memory Networks Drivers uncertainties

Scheduling Principles (OS)

EDF, FPS, RMS, DVS, .. uncertainties

Kim Larsen [69] Kim Larsen [69] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Task Scheduling Task Scheduling

utilization of CPU

P(i), [E(i), L(i)], .. : period or earliest/ latest arrival or .. for Ti C(i): execution time for Ti D(i): deadline for Ti

T1 T1

Scheduler Scheduler

ready done D(i): deadline for Ti

T2 T2 T 2

1 4 3 stop run T2 is running { T4 , T1 , T3 } ready

• rdered according to some

given priority:

Tn Tn

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [70] Kim Larsen [70]

g p y (e.g. Fixed Priority, Earliest Deadline,..)

Modeling Task Modeling Task

T

ready

T1 T1 T2 T2

Scheduler Scheduler

2

1 4 3

done

Tn Tn

stop run

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [71] Kim Larsen [71]

Modeling Scheduler Modeling Scheduler

T

ready

T1 T1 T2 T2

Scheduler Scheduler

2

1 4 3

done

Tn Tn

stop run

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [72] Kim Larsen [72]

Modeling Queue Modeling Queue

In UPPAAL 4.0 User Defined Function

T

ready

T1 T1 T2 T2

Scheduler Scheduler

2

1 4 3

done

Tn Tn

stop run

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [73] Kim Larsen [73]

……

Schedulability = Safety Property Schedulability = Safety Property

May be extended with preemption

(T k0 E T k1 E )

¬(Task0.Error or Task1.Error or …)

A฀ ¬(Task0.Error or Task1.Error or …)

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [74] Kim Larsen [74]

Preemption – Preemption – Stopwatches Stopwatches!

Scheduler Task D f ti d id bilit 

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [75] Kim Larsen [75]

Task Defeating undecidability 

Stopwatches Stopwatches & Zones Zones

Z: x=y=z Z*: x=0 Æ y=z x=0 Æ y-x=z Z**: z≥0 Æ y-x=z Not a Zone Not a Zone

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [76] Kim Larsen [76]

Handling realistic applications? Handling realistic applications?

Jan Madsen / DTU

Smart phone:

Jan Madsen / DTU

MP3 Decoder

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [77] Kim Larsen [77]

[Application from Marcus Schmitz, TU Linkoping]

Timed Automata for a task Timed Automata for a task

78 78 AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Smart phone Smart phone

• Tasks: 114
• Deadlines: [0 02: 0 5] sec
• Deadlines: [0.02: 0.5] sec
• Execution: [52 : 266.687]

cycles cycles

• Platform:
• 6 processors 25 MHz

MP3 Decoder

• 6 processors, 25 MHz
• 1 bus
• Verified in 1 5 hours!

Verified in 1.5 hours!

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [79] Kim Larsen [79]

ESA Mission ESA Mission

Quasiomodo

• Solar System, cold dust clouds and cores, star and galaxy

formations cataloging galaxies gravitational lensing cosmic formations, cataloging galaxies, gravitational lensing, cosmic microwave background, topology of the universe...

• Terma: Develop software for Attitude and Orbit Control System

Kim Larsen [80] Kim Larsen [80] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Herschel & Herschel & Planck Planck

• Launch: http://www.youtube.com/watch?v=x4siTwB4LSc

Kim Larsen [81] Kim Larsen [81] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Herschel & Herschel & Planck Satelites Planck Satelites

• Application so

Application soft ftware (ASW) ware (ASW)

• built and tested by Terma:

y

• does attitude and orbit control, tele-

commanding, fault detection isolation and recovery.

Basic soft are (BSW)

• Basic software (BSW)
• low level communication and scheduling

periodic events.

• Real-time operating system (RTEMS)
• Real time operating system (RTEMS),
• Hardware
• single processor, a few communication

buses, sensors and actuators. buses, se so s a d actuato s

• Requi

Requirements: ements:

• Software tasks should be schedulable.
• CPU utilization should not exceed 50% load.

Kim Larsen [82] Kim Larsen [82] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Results Results

System System Herschel Herschel Planck Planck d l l Mode Nominal +Events Nominal +Events Max Max Utiliz Utilization tion 58.7% 58.7% 62.4 62.4 66.1% 66.1% 70.8 70.8

h d l bl f

• Not schedulable in one configuration

(without harmful effects) W t tili ti t hi h ( 50%)

• Worst case utilization too high (>50%)

Kim Larsen [83] Kim Larsen [83] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

UPPAAL Model UPPAAL Model

Kim Larsen [84] Kim Larsen [84] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Periodic Periodic Task Task – no Resources esources

Global

Kim Larsen [85] Kim Larsen [85] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

BSW Task BSW Task Using Using Resource esource

Kim Larsen [86] Kim Larsen [86] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

PrimaryF PrimaryF and SecondaryF and SecondaryF using using lcb_R cb_R and Sgm_R and Sgm_R

Kim Larsen [87] Kim Larsen [87] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Verification Verification

Kim Larsen [88] Kim Larsen [88] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Gantt Gantt Chart hart 1. cycle . cycle

Kim Larsen [89] Kim Larsen [89] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Blocking Blocking & WCRT & WCRT

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Page 90 Page 90

Conclusion Conclusion

Kim Larsen [91] Kim Larsen [91] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Priced Priced Timed Games Timed Games

Scheduling under Scheduling under Uncertainty Uncertainty

When you are in ( Task1.End Task2.End Task3._id2 Task4.End Task5._id0 Task6._id0 Task7._id0 M1._id4 M2._id7 ) f1=1 f2=1 f3=0 f4=1 f5=0 f6=0 f7=0 f0=1 B1=0 B2=6 (4<=x2 && time==18 && x2<=8), Take transition Take transition Task6._id0->Task6._id1 { a == 1 && b == 1, use1!, B1 := D1 } M1._id4->M1._id5 { 1, use1?, x1 := 0 } When you are in ( Task1.End Task2.End Task3.End Task4.End Task5. id0 Task6. id1 Task7. id0 M1. id5 M2. id6 ) ( _ _ _ _ _ ) f1=1 f2=1 f3=1 f4=1 f5=0 f6=0 f7=0 f0=1 B1=3 B2=10 (18<=time && x1<=6 && time<=22 && time-x1<=18), Take transition Task5._id0->Task5._id2 { a == 1 && b == 1, use2!, B2 := D2 } M2._id6->M2._id7 { 1, use2?, x2 := 0 } When you are in ( Task1.End Task2.End Task3.End Task4._id0 Task5._id0 Task6._id1 Task7._id0 M1._id5 M2._id6 ) f1=1 f2=1 f3=1 f4=0 f5=0 f6=0 f7=0 f0=1 B1=3 B2=2 (x1-time==-10 && time==10), Take transition Take transition Task4._id0->Task4._id2 { a == 1 && b == 1, use2!, B2 := D2 } M2._id6->M2._id7 { 1, use2?, x2 := 0 } When you are in ( Task1.End Task2.End Task3.End Task4.End Task5._id1 Task6._id0 Task7._id0 M1._id5 M2._id6 )

CONCUR05, CAV07, FORMATS07

( _ _ _ _ _ ) f1=1 f2=1 f3=1 f4=1 f5=0 f6=0 f7=0 f0=1 B1=8 B2=8 (x1<=3 && x1-time==-18) || (20<=time && x1-time<=-12 && time<=21 && time-x1<18), Take transition Task6._id0->Task6._id2 { a == 1 && b == 1, use2!, B2 := D2 } M2._id6->M2._id7 { 1, use2?, x2 := 0 } AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [93] Kim Larsen [93]

HSCC’09

When you are in ...

Optimal Optimal Scheduling under Scheduling under Uncertainty Uncertainty

Decidable with 1 clock [BLMR06] Acyclic [LTMM02] Acyclic [LTMM02] Bounded length [ABM04] Strong non-zeno cost-behaviour [BCFL04] g [ ] Undecidable with 3 clocks or more [BBR05, BBM06]

, cost’=4 , cost’=3

Open problem with 2 clocks

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [94] Kim Larsen [94]

Two Tank Example Two Tank Example

T1 T’=-0.1*T + 10

• n/off

T’=-0.1*T + 10

• ff?
• n?

ff?

• n?

T’=-0.1*T

• n/off
• ff?
• n?

T2 T’=-0.1*T

Kim Larsen [95] Kim Larsen [95] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Two Tank Example Two Tank Example

T1 Temp

• n/off

Temp

• n/off

T2

time

Kim Larsen [96] Kim Larsen [96] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Two Tank Example Two Tank Example

T1 Temp

[80,100]

• n/off

Temp

[60,70] [30,40] [0,10]

• n/off

[60,70] [80,100]

T2

time

[30,40] [0,10]

4

[ ]

8

Kim Larsen [97] Kim Larsen [97] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Two Tank Example Two Tank Example

T1

[80,100]

• n/off

[60,70] [30,40] [0,10]

• n/off

[60,70] [80,100]

T2

[30,40] [0,10] [ ]

Kim Larsen [98] Kim Larsen [98] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Two Two Tank Example ank Example

Kim Larsen [99] Kim Larsen [99] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Plastic Injection Molding Machine Plastic Injection Molding Machine

Quasiomodo

• Robust and optimal

[HSCC’09]

control Tool Chain

• Tool Chain
• Synthesis: UPPAAL

UPPAAL TIGA TIGA

• Verification: PHAVer

PHAVer

• Performance: SIMULINK

SIMULINK

• 40% improvement of

existing solutions..

Kim Larsen [100] Kim Larsen [100] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Oil Pump Control Problem Oil Pump Control Problem

• R1: stay within safe

interval [4.9,25.1]

• R2: minimize

average/overall oil l volume

Kim Larsen [101] Kim Larsen [101] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

The Machine The Machine (consumption)

• Infinite cyclic demand

to be satisfied by our

• F: noise 0.1 l/s

to be satisfied by our control strategy.

• P: latency 2 s between

state change of pump state change of pump

Kim Larsen [102] Kim Larsen [102] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Hybrid Game Model Hybrid Game Model

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [103] Kim Larsen [103]

Abstract Game Model Abstract Game Model

• UPPAAL Tiga
• ffers games of perfect information
• ffers games of perfect information
• Abstract game model such that states only

g y contain information about:

• Volume of oil at the beginning of cycle

Th id l l di d b h

• The ideal volume as predicted by the

consumption cycle

• Current time within the cycle

D V V rate y

• State of the Pump (on/off)
• Discrete model

V, V_rate V_acc time

Kim Larsen [104] Kim Larsen [104] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Machine Machine (uncontrollable)

Checks whether V Checks whether V under noise gets

• utside

[Vmin+0 1 Vmax-0 1] [Vmin+0.1,Vmax 0.1]

Kim Larsen [105] Kim Larsen [105] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Pump Pump (controllable)

Every 1 (one) seconds

Kim Larsen [106] Kim Larsen [106] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Global Approach Global Approach

• Find some interval I1=[V1,V2]

⊆ [4.9,25.1] s.t

25 0 s 20 s

⊆ [4.9,25.1] s.t

• I1 is m-stable i.e. from any

20

V0 in I1 there is strategy st whatever fluctuation volume is always within [5 25] and

15

is always within [5,25] and at the end within I2=[V1+m,V1-m]

10

I1 I2

• I1 is optimal among all m-

stable intervals

5

I1 I2

AVACS PhD School, Oldenburgh AVACS PhD School, Oldenburgh, , March 2010 March 2010 Kim G. Kim G. Larsen Larsen [107] [107]

stable intervals.

Synthesized Strategy Synthesized Strategy

D=1, m=0.4: Optimal stable interval I1=[5.1,10]

1

Kim Larsen [108] Kim Larsen [108] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Verification Using PHAVER Verification Using PHAVER

Bang-Bang safe and robust HyDAC optimized HyDAC optimized possibly unsafe under fluctuation

Kim Larsen [109] Kim Larsen [109] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Performance Performance SIMULINK SIMULINK

Uniform Cycle Uniform distribution in [-0.1,+0.1] UPPAAL Tiga strategy in m-format

Kim Larsen [110] Kim Larsen [110] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Results Results

Kim Larsen [111] Kim Larsen [111] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Results Results

Kim Larsen [112] Kim Larsen [112] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Case Studies: Case Studies: Controllers

• Gearbox Controller [TACAS’98]
• Bang & Olufsen Power Controller [RTPS’99,FTRTFT’2k]
• SIDMAR Steel Production Plant [RTCSA’99, DSVV’2k]

R l Ti RCX C l P [ECRTS’2k]

• Real-Time RCX Control-Programs [ECRTS’2k]
• Terma, Verification of Memory Management for Radar (2001)
• Scheduling Lacquer Production (2005)
• Memory Arbiter Synthesis and Verification for a Radar Memory Interface Card [NJC’05]
• Adapting the UPPAAL Model of a Distributed Lift System, 2007
• Analyzing a χ model of a turntable system using Spin, CADP

and Uppaal, 2006

• De

Designing, Mo signing, Modelling delling and Ve nd Verif rifying a ying a Co Container T ntainer Terminal rminal System Using UPPAAL, 2008 System Using UPPAAL, 2008

• Model-based system analysis using Chi and Uppaal: An

industrial case study, 2008

Kim Larsen [113] Kim Larsen [113] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Case Studies: Case Studies: Protocols

• Philips Audio Protocol [HS’95, CAV’95, RTSS’95, CAV’96]
• Bounded Retransmission Protocol [TACAS’97]
• Bang & Olufsen Audio/Video Protocol [RTSS’97]
• TDMA Protocol [PRFTS’97]
• Lip Synchronization Protocol [FMICS’97]
• Lip-Synchronization Protocol [FMICS 97]
• ATM ABR Protocol [CAV’99]
• ABB Fieldbus Protocol [ECRTS’2k]
• IEEE 1394 Firewire Root Contention (2000)
• Distributed Agreement Protocol [Formats05]
• Leader Election for Mobile Ad Hoc Networks [Charme05]

Leader Election for Mobile Ad Hoc Networks [Charme05]

• Analysis of a protocol for dynamic configuration of IPv4 link

local addresses using Uppaal, 2006 F li i SHIM6 P d I S d d i UPPAAL

• Formalizing SHIM6, a Proposed Internet Standard in UPPAAL,

2007

• Verifying the distributed real-time network protocol RTnet

i U l 2007 using Uppaal, 2007

• Anal

Analysi ysis of

• f a

a Clock Synchron Clock Synchronizati zation Protoco Protocol for Wireless for Wireless Sensor Networks, 2009 Sensor Networks, 2009

• Analysis of the Zeroconf protocol using UPPAAL, 2009

Kim Larsen [114] Kim Larsen [114] AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010

Using Using UPPAAL PPAAL as Back-end

• Vooduu: verification of object-oriented designs

using Uppaal 2004 using Uppaal, 2004

• Moby/RT: A

Moby/RT: A Tool for Specification and Verification of Tool for Specification and Verification of Real-Time Systems, 2000 Real-Time Systems, 2000

• Formalising the ARTS MPSOC Model in UPPAAL,

2007 Ti d t t t l t f U l t PVS

• Timed automata translator for Uppaal to PVS
• Component-Based Design and Analysis of

Embedded Systems with UPPAAL PORT, 2008 Embedded Systems with UPPAAL PORT, 2008

• Verification of COMDES-II Systems Using UPPAAL

with Model Transformation, 2008

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [115] Kim Larsen [115]

Conclusions Conclusions & Future Future Directions

• TA mature verification technology
• PTA competitive technology for optimal

p gy p planning and scheduling

• Stopwatch TA framework for schedulability

analysis for multiprocessor systems analysis for multiprocessor systems

• TGA emerging for synthesis
• RT Testing
• WCET analysis

y

• Fault Tree analysis
• Probabilistic Timed Automata for QoS

AVACS PhD AVACS PhD School, Oldenburgh, March School, Oldenburgh, March 2010 2010 Kim Larsen [116] Kim Larsen [116]