Real Time Model Checking using UPPAAL
Kim G Larsen, Wang Yi
Informationsteknologi

Collaborators

@ Aalborg: Kim G Larsen, Gerd Behrman, Arne Skou, Brian Nielsen, Alexandre David, Jacob Illum Rasmussen, Marius Mikucionis
@ Uppsala: Wang Yi, Paul Pettersson, John Håkansson, Anders Hessel, Pavel Krcal, Leonid Mokrushin, Shi Xiaochun
@ Elsewhere: Emmanuel Fleury, Didier Lime, Johan Bengtsson, Fredrik Larsson, Kåre J Kristoffersen, Tobias Amnell, Thomas Hune, Oliver Möller, Elena Fersman, Carsten Weise, David Griffioen, Ansgar Fehnker, Frits Vandraager, Theo Ruys, Pedro D'Argenio, J-P Katoen, Jan Tretmans, Judi Romijn, Ed Brinksma, Martijn Hendriks, Klaus Havelund, Franck Cassez, Magnus Lindahl, Francois Laroussinie, Patricia Bouyer, Augusto Burgueno, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Justin Pearson...

Overview
- UPPAAL: a short look
  - Demos
  - Architecture
- Train Crossing Example
- UPPAAL Syntax
  - Declarations
  - Expressions
  - Locations and Synchronizations
  - Logical Properties
- UPPAAL Verification Engine
- UPPAAL Verification Options
- UPPAAL Modelling Patterns
- Scheduling using UPPAAL

The Druzba MUTEX Problem
The Druzba MUTEX Problem: using the light as semaphore

BRICK SORTING: LEGO Mindstorms/RCX, a real timed system
- 3 output ports, 3 input ports, 1 infra-red port
- Sensors: temperature, light, rotation, pressure
- Actuators: motors, lamps
- Virtual machine: 10 tasks, 4 timers, 16 integers
- Several programming languages: NotQuiteC, Mindstorm, Robotics, legOS, etc.
(figure: Controller running the Program, connected to The Plant: Conveyor Belt & LEGO MINDSTORM Bricks)

What is supposed to happen? Sorting of Lego Boxes (Ken Tindell)
(figure: conveyor belt carrying black and red boxes past a light sensor; a piston ejects boxes; the controller runs tasks MAIN and PUSH)
Exercise: Design the Controller so that only black boxes are being pushed out.

NQC programs

    int active;
    int DELAY;
    int LIGHT_LEVEL;

    task MAIN{
      DELAY=75;
      LIGHT_LEVEL=35;
      active=0;
      Sensor(IN_1, IN_LIGHT);
      Fwd(OUT_A,1);
      Display(1);
      start PUSH;
      while(true){
        wait(IN_1<=LIGHT_LEVEL);
        ClearTimer(1);
        active=1;
        PlaySound(1);
        wait(IN_1>LIGHT_LEVEL);
      }
    }

    task PUSH{
      while(true){
        wait(Timer(1)>DELAY && active==1);
        active=0;
        Rev(OUT_C,1);
        Sleep(8);
        Fwd(OUT_C,1);
        Sleep(12);
        Off(OUT_C);
      }
    }

First UPPAAL model
(figure: timed automata for tasks MAIN and PUSH)
From RCX to UPPAAL
- Model includes Round-Robin Scheduler
- Compilation of RCX tasks into TA models
- Presented at ECRTS 2000
(figure: timed automaton for Task MAIN)

The Production Cell
- Course at DTU, Copenhagen
(figure: Production Cell)

UPPAAL's architecture: Overview of the UPPAAL Toolkit
- Linux, Windows, Solaris, MacOS
- GUI: Editor, Simulator, Verifier
(figure: toolkit architecture)

Train Crossing
Train Crossing
- Communication via channels and shared variable.
(figure: trains pass a Stopable Area [10,20] before the Crossing [7,15] over the River, with a [3,5] bound on the crossing itself; channels appr, leave, stop, go, el; the Queue offers empty, nonempty, hd, add, rem; the Gate controls access)

Timed Automata in UPPAAL

Declarations
- Constants
- Bounded integers
- Channels
- Clocks
- Arrays
- Templates
- Processes
- Systems

Expressions
- used in guards, invariants, assignments, synchronizations, properties
Operators
(table not extracted)

Guards, Invariants, Assignments

Guards
- Side-effect free, type correct, and evaluate to boolean
- Only clock variables, integer variables and constants are referenced (or arrays of such)
- Clocks and clock differences are only compared to integer expressions
- Guards over clocks are essentially conjunctions (i.e. disjunctions are only allowed over integer conditions)

Invariants
- Conjunctions of conditions of the form x<e or x<=e where x is a clock reference and e evaluates to an integer

Assignments
- Have a side effect and are type correct
- Only clock variables, integer variables and constants are referenced (or arrays of such)
- Only integers are assigned to clocks

Synchronization

Binary Synchronization
- Declared like: chan a, b, c[3];
- If a is a channel then: a! = Emission, a? = Reception
- Two edges in different processes can synchronize if one is emitting and the other is receiving on the same channel.

Broadcast Synchronization
- Declared like: broadcast chan a, b, c[2];
- If a is a broadcast channel: a! = Emission of broadcast, a? = Reception of broadcast
- A set of edges in different processes can synchronize if one is emitting and the others are receiving on the same broadcast channel. A process can always emit. Receivers MUST synchronize if they can. No blocking.

Templates
- Templates may be parameterised: int v; const min; const max; int[0,N] e; const id
- Templates are instantiated to form processes: P := A(i,1,5); Q := A(j,0,4); Train1 := Train(el, 1); Train2 := Train(el, 2);

Urgency & Commitment

Urgent Channels
- No delay if the synchronization edges can be taken!
- No clock guard allowed. Guards on data variables.
- Declarations: urgent chan a, b, c[3];

Urgent Locations
- No delay: time is frozen!
- May reduce the number of clocks!

Committed Locations
- No delay.
- The next transition MUST involve an edge in one of the processes in a committed location.
- May reduce the state space considerably.

Logical Specifications
- The expressions P and Q must be type safe, side effect free, and evaluate to a boolean. Only references to integer variables, constants, clocks, and locations are allowed (and arrays of these).
- Validation Properties: Possibly: E<> P
- Safety Properties: Invariant: A[] P; Pos. Inv.: E[] P
- Liveness Properties: Eventually: A<> P; Leadsto: P --> Q
- Bounded Liveness: Leads to within t: P -->≤t Q

Bounded Liveness
(figure)
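The following is an added example, not code from the slides or from UPPAAL itself. It shows, in plain Python, what the synchronization and property slides describe: a network of processes with binary channels (a!/a?), a shared variable used as the train id, a gate with committed locations, and exhaustive exploration of the product state space to decide an E<> (possibly) and an A[] (invariant) query. Clocks are deliberately left out (UPPAAL decides timed models over clock zones, which this does not do), so the train/gate model is an untimed abstraction of the slides' Train Crossing example; the template names, the Python representation of the queue as a tuple q, and the location names Add and Go are assumptions of this example. Dropping the committed flag on the gate makes the mutual-exclusion invariant fail with a four-step counterexample, which is the effect the committed-location rule ("the next transition MUST involve a committed process") exists to prevent.

```python
"""Explicit-state checker for a network of untimed automata with UPPAAL-style
binary synchronisation (a!/a?), shared integer variables and committed locations.
Added example, not UPPAAL's engine: clocks (zones) are left out, so the
train/gate model below is an untimed abstraction of the slides' example."""
from collections import deque

T = lambda v: True  # trivially true guard


class Template:
    """Edges are (src, guard, sync, update, dst); guard/update take the shared-variable dict."""
    def __init__(self, name, init, edges, committed=()):
        self.name, self.init, self.edges, self.committed = name, init, edges, set(committed)


def train(i):
    """Train(id): announces appr!, may be stop?-ed while approaching, released by go?."""
    return Template(f"Train{i}", "Safe", [
        ("Safe", T, "appr!", lambda v: v.update(e=i), "Appr"),
        ("Appr", lambda v: v["e"] == i, "stop?", None, "Stop"),
        ("Appr", T, None, None, "Cross"),  # timed model: x>=10 and not stopped; untimed: always enabled
        ("Stop", lambda v: v["e"] == i, "go?", None, "Start"),
        ("Start", T, None, None, "Cross"),
        ("Cross", T, "leave!", lambda v: v.update(e=i), "Safe"),
    ])


def gate(committed):
    """Gate: the first train passes; later ones are stop!-ed and queued in q, then go!-ed on leave."""
    return Template("Gate", "Free", [
        ("Free", T, "appr?", None, "Occ"),
        ("Occ", T, "appr?", lambda v: v.update(q=v["q"] + (v["e"],)), "Add"),
        ("Add", T, "stop!", None, "Occ"),
        ("Occ", lambda v: v["q"] == (), "leave?", None, "Free"),
        ("Occ", lambda v: v["q"] != (), "leave?", lambda v: v.update(e=v["q"][0], q=v["q"][1:]), "Go"),
        ("Go", T, "go!", None, "Occ"),
    ], committed=("Add", "Go") if committed else ())  # assumed names for the committed locations


def successors(templs, locs, v):
    """Enabled transitions in (locs, v): internal edges and a!/a? handshakes, guards read the pre-state."""
    comm = {i for i, t in enumerate(templs) if locs[i] in t.committed}
    out = []

    def fire(label, moves, updates):
        if comm and not (comm & {i for i, _ in moves}):
            return  # a committed process must take part in the next transition
        nv = dict(v)
        for u in updates:  # emitter's update runs before the receiver's, as in UPPAAL
            if u:
                u(nv)
        nl = list(locs)
        for i, dst in moves:
            nl[i] = dst
        out.append((label, tuple(nl), nv))

    for i, t in enumerate(templs):
        for src, g, sync, upd, dst in t.edges:
            if src != locs[i] or not g(v):
                continue
            if sync is None:
                fire(f"{t.name}: {src}->{dst}", [(i, dst)], [upd])
            elif sync.endswith("!"):
                ch = sync[:-1]
                for j, u in enumerate(templs):
                    if j == i:
                        continue
                    for s2, g2, sync2, upd2, d2 in u.edges:
                        if s2 == locs[j] and sync2 == ch + "?" and g2(v):
                            fire(f"{t.name}: {src}->{dst} {ch}! {u.name}: {s2}->{d2}",
                                 [(i, dst), (j, d2)], [upd, upd2])
    return out


def explore(templs, vars0):
    """Breadth-first exploration of the product state space; parent map gives traces."""
    names = [t.name for t in templs]
    key = lambda locs, v: (locs, tuple(sorted(v.items())))
    init = (tuple(t.init for t in templs), dict(vars0))
    parent, work, seen = {key(*init): None}, deque([init]), [init]
    while work:
        locs, v = work.popleft()
        for label, nl, nv in successors(templs, locs, v):
            k = key(nl, nv)
            if k not in parent:
                parent[k] = (key(locs, v), label)
                work.append((nl, nv))
                seen.append((nl, nv))
    return names, seen, parent, key


def trace(parent, k):
    steps = []
    while parent[k] is not None:
        k, label = parent[k]
        steps.append(label)
    return steps[::-1]


def possibly(templs, vars0, phi):  # E<> phi: some reachable state satisfies phi
    names, seen, parent, key = explore(templs, vars0)
    for locs, v in seen:
        if phi(dict(zip(names, locs)), v):
            return True, trace(parent, key(locs, v))
    return False, None


def invariant(templs, vars0, phi):  # A[] phi: every reachable state satisfies phi, else a counterexample
    names, seen, parent, key = explore(templs, vars0)
    for locs, v in seen:
        if not phi(dict(zip(names, locs)), v):
            return False, trace(parent, key(locs, v))
    return True, None


INIT = {"e": 0, "q": ()}  # constructed initial valuation: no train id yet, empty queue


def mutex_holds(committed):
    """A[] not (Train1.Cross and Train2.Cross) for the gate with or without committed locations."""
    return invariant([train(1), train(2), gate(committed)], INIT,
                     lambda L, v: not (L["Train1"] == "Cross" and L["Train2"] == "Cross"))


if __name__ == "__main__":
    print("E<> Train1.Cross:", possibly([train(1), train(2), gate(True)], INIT,
                                        lambda L, v: L["Train1"] == "Cross")[0])
    for c in (True, False):
        ok, tr = mutex_holds(c)
        print(f"committed={c}: A[] not both crossing ->", ok, "" if ok else "\n  " + "\n  ".join(tr))
```

Running the module prints that Train1.Cross is reachable, that the invariant holds with committed gate locations, and the counterexample without them: Train1 and Train2 both approach, the gate sits in the non-committed Add location, and both trains take their internal Appr->Cross edge before stop! is ever offered. In the timed model the same race is also closed by the clock bounds on the stopable area, which an untimed abstraction like this cannot express.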