DCCA 97: Systematic Formal Verification for Fault-Tolerant Time-Triggered Algorithms (PowerPoint PPT Presentation)

John Rushby, Computer Science Laboratory, SRI International, Menlo Park CA USA


  1. DCCA 97

  2. Systematic Formal Verification for Fault-Tolerant Time-Triggered Algorithms
     John Rushby
     Computer Science Laboratory, SRI International, Menlo Park CA USA
     Formal Verification of Time-Triggered Algorithms 1 of 24

  3. Overview
     • Many fault-tolerant algorithms are relatively easy to understand and to verify in an abstract, untimed formulation
     • But verifications of implementations, with all their timing parameters, are quite complex
     • So split the problem into two parts
       - Verify abstract algorithm for an untimed synchronous system model
         · Must be done for each algorithm
         · Relatively easy, and can itself be split into two parts
       - Verify time-triggered implementation of the untimed model
         · Can be done once-and-for-all
         · Is the main topic of this paper
     • Provides simple path from verified design to implementation

  4. Synchronous Systems
     • Known upper bounds on
       - Time required for nonfaulty processors to perform operations
       - Message delays in the absence of faults
     • Assumptions are valid for embedded real-time control systems
     • The classical problems of fault-tolerant distributed systems can be solved under these assumptions
       - Consensus (Byzantine Agreement)
       - Group Membership
       - Etc.
       Whereas they cannot be solved in asynchronous systems
     • Focus here is exclusively on synchronous systems

  5. Formal Synchronous System Model
     • Algorithms execute in a series of rounds, numbered 0, 1, ...
     • Each round has two phases
       Communication Phase: each processor sends messages to (some or all) other processors
       - Messages sent, and where to, depend on current state
       - msg_p(s, q) is the message sent by p to q when p's state is s
       Computation Phase: each processor updates its state
       - New state depends on previous state and on messages received during communication phase
       - trans_p(s, i) is p's new state, when its current state is s and the set of messages received is i

  6. Synchronous System Model: Operation
     • Processors operate in lockstep
       - All perform the communication phase of the current round
       - Then the computation phase
       - Then move on to the next round, and so on
     • Computation and message transmission happen instantaneously and atomically
     • Processors are perfectly synchronized and perform their actions simultaneously
     • No sense of real time (hence untimed system model)

  7. Example: Oral Messages Algorithm for Consensus, OM(1)
     Transmitter processor has a value to be communicated reliably to three or more receivers in the presence of one arbitrary fault
     Round 0:
       Communication Phase: The transmitter sends its value to the receivers; receivers send no messages
       Computation Phase: Each receiver stores the value received from the transmitter in its state
     Round 1:
       Communication Phase: Each receiver sends the value stored in its state to all other receivers; the transmitter sends nothing
       Computation Phase: Each receiver decides on the majority value among those received from the other receivers and that (stored in its state) received from the transmitter
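To make the untimed model of slide 5 and the OM(1) rounds of slide 7 concrete, here is a small simulation: a generic lockstep round engine driven by the slides' msg and trans functions, instantiated with OM(1) for one transmitter and three receivers, with a hook for injecting one arbitrary (Byzantine) fault. This is an added example, not code from the slides or from SRI; the integer processor ids, the fault-injection hook, the DEFAULT value and the sample values are constructed for illustration.

```python
"""Untimed synchronous round model of the slides (msg/trans functions),
instantiated with the Oral Messages algorithm OM(1).

Added example, not code from the slides or from SRI: the integer processor ids,
the fault-injection hook, the DEFAULT value and the sample values are constructed
for illustration."""
from collections import Counter
from typing import Callable, Dict, Hashable, Optional

Pid = int
State = Hashable
Inbox = Dict[Pid, Hashable]   # messages received in one round, keyed by sender


def run_rounds(states: Dict[Pid, State], msg, trans, rounds: int) -> Dict[Pid, State]:
    """Execute `rounds` lockstep rounds of the synchronous model.

    msg(r, p, s, q)   -> message p sends to q in round r when p's state is s (None = nothing)
    trans(r, p, s, i) -> p's new state given its state s and the inbox i for that round
    Sending and computing are instantaneous and atomic, exactly as in the untimed model."""
    for r in range(rounds):
        # Communication phase: every processor sends according to its current state.
        inbox: Dict[Pid, Inbox] = {p: {} for p in states}
        for p, s in states.items():
            for q in states:
                if q != p:
                    m = msg(r, p, s, q)
                    if m is not None:
                        inbox[q][p] = m
        # Computation phase: every processor updates its state from what it received.
        states = {p: trans(r, p, s, inbox[p]) for p, s in states.items()}
    return states


def majority(votes: Counter, default: Hashable) -> Hashable:
    """Strict majority of the votes, or `default` when there is none."""
    value, count = votes.most_common(1)[0]
    return value if 2 * count > sum(votes.values()) else default


def om1(value, n_receivers: int, faulty: Optional[Dict[Pid, Callable]] = None) -> Dict[Pid, Hashable]:
    """OM(1): transmitter 0 sends `value` to receivers 1..n_receivers in two rounds.

    `faulty` maps a processor id to a function (round, destination) -> message that the
    processor sends instead of the honest one (an arbitrary/Byzantine fault).
    Returns the decision of every nonfaulty receiver."""
    faulty = faulty or {}
    DEFAULT = "DEFAULT"   # decision when nothing or no majority is received (constructed convention)
    TX = 0

    def msg(r, p, s, q):
        if p in faulty:
            return faulty[p](r, q)
        if r == 0 and p == TX:
            return s            # round 0: transmitter sends its value, receivers send nothing
        if r == 1 and p != TX and q != TX:
            return s            # round 1: receivers relay the stored value to each other
        return None

    def trans(r, p, s, inbox):
        if p == TX:
            return s            # the transmitter's state never changes
        if r == 0:
            return inbox.get(TX, DEFAULT)   # store the value received from the transmitter
        # round 1: majority over the other receivers' relayed values plus the stored one
        votes = Counter(m for sender, m in inbox.items() if sender != TX)
        votes[s] += 1
        return majority(votes, DEFAULT)

    states = {TX: value, **{i: None for i in range(1, n_receivers + 1)}}
    final = run_rounds(states, msg, trans, rounds=2)
    return {p: final[p] for p in range(1, n_receivers + 1) if p not in faulty}


if __name__ == "__main__":
    two_faced = lambda r, q: "attack" if q == 1 else "retreat"   # faulty transmitter
    print(om1("attack", 3))                                      # no faults: all decide "attack"
    print(om1("attack", 3, {0: two_faced}))                      # faulty transmitter: receivers still agree
    print(om1("attack", 3, {2: lambda r, q: "retreat"}))         # faulty receiver: others keep "attack"
```

The three runs in the main block exercise the two properties the algorithm is verified for: with a two-faced transmitter the nonfaulty receivers still agree on a common value, and with a lying receiver the others still decide the transmitter's value. Nothing here involves real time, which is exactly the point of verifying the algorithm first in the untimed model.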

  8. Implementing Algorithms for Synchronous Systems
     Have to deal with the reality that events are not instantaneous, atomic, and simultaneous
     • Communications and computations take time
     • Timeouts needed to detect failed communications
     • Processors are not perfectly synchronized
     • And run at different rates
     Two approaches
       Event triggered: processors react to incoming messages; set timeouts on outgoing messages
       Time triggered: processors perform actions according to a common schedule, driven by their own internal clocks
       - Preferred for critical app'ns: SAFEbus, TTP, Shinkansen

  9. Time-Triggered System Model
     [Figure: timeline of round r from sched(r) to sched(r+1); a communication phase followed by a computation phase, with the labels D(r), P(r) and dur(r).]

  10. Issues in Verifying the Time-Triggered Implementation
     • Processor clocks are not perfectly synchronized
       - One processor may send a message before or after another one expects it; may not even be on the same round
       - Therefore require a bound on synchronization skew
       - Can be ensured by clock synchronization algorithms
     • Processor clocks do not run at the same rate
       - Durations of the phases may differ on different processors
       - Therefore require that good processors' clocks run at rates within some bound of each other
     • Unpredictable delays in message transmission
       - Message may arrive after communications phase has ended
       - Therefore require upper bound on nonfaulty message delays
     • Need to arrange pacing and timeouts so that it all works

  11. Clocks
     • Each processor has a clock, that reads clocktime
       - Clocktimes denoted by upper-case letters (T, Σ etc.)
     • There is an abstract, universal, time called realtime
       - Realtimes denoted by lower-case letters (t, δ etc.)
     • C_p(t) is the clocktime on p's clock at realtime t

  12. Clock Assumptions
     Monotonicity: Nonfaulty clocks are monotonic increasing functions:
       t_1 < t_2 ⇒ C_p(t_1) < C_p(t_2)
     Clock Drift Rate: Nonfaulty clocks drift from realtime at a rate bounded by a small positive quantity ρ (typically ρ < 10^(-6)); for realtimes t_1 ≥ t_2:
       (1 − ρ)(t_1 − t_2) ≤ C_p(t_1) − C_p(t_2) ≤ (1 + ρ)(t_1 − t_2)
     Clock Synchronization: The clocks of nonfaulty processors are synchronized within some small clocktime bound Σ:
       |C_p(t) − C_q(t)| ≤ Σ
     Achieving these requires care in implementation, since some clock synchronization algorithms violate monotonicity. However, monotonicity can always be achieved, with no loss of precision.

  13. Time-Triggered System Model
     Each processor
     • Starts round r at clocktime sched(r) by its local clock
     • Sends its messages D(r) clocktime units into the round
     • Starts computation phase P(r) clocktime units into the round
       - So duration of r'th communication phase is P(r)
     • Finishes the round after dur(r) clocktime units
       - dur(r) = sched(r + 1) − sched(r)
       - So duration of r'th computation phase is dur(r) − P(r)
     Additional Assumption
       Maximum Delay: messages are received within δ realtime units

  14. Constraints
     1. dur(r) > P(r) > D(r) > 0
        - The communication phase is of positive duration
        - The computation phase starts after the messages are sent and is of positive duration
     2. D(r) ≥ Σ
        - The delay before messages are sent is greater than the clock skew (so messages do not arrive while the receiving processor is still in the previous round)
     3. P(r) > D(r) + Σ + (1 + ρ)δ
        - The communication phase must last long enough that all messages have time to reach their destination processor while it is still in its communication phase
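The schedule parameters of slide 13 and the three constraints of slide 14 are simple enough to check mechanically, and the reason behind constraints 2 and 3 can be made visible by computing, on the receiver's clock, the earliest and latest clocktime at which a nonfaulty message can arrive (skew Σ either way, plus the δ realtime units of delay read through a clock drifting at rate ρ, as in slide 12). This is an added example, not code from the slides or from SRI; the names Sigma, rho and delta stand for the slides' Σ, ρ and δ, and the two schedules are constructed.

```python
"""Checking a time-triggered schedule against the three constraints of the slides,
and computing the worst-case arrival window of a message in the receiver's clocktime.

Added example, not code from the slides or from SRI: the parameter names Sigma,
rho and delta stand for the slides' Σ (skew bound, clocktime), ρ (drift rate) and
δ (maximum message delay, realtime); the schedules below are constructed."""
from typing import Dict, List, Tuple


def check_schedule(sched: List[float], D: List[float], P: List[float],
                   Sigma: float, rho: float, delta: float) -> Dict[int, List[str]]:
    """Per round r, the list of violated constraints (empty list = round is fine).

    sched[r] is the clocktime at which round r starts, so dur(r) = sched[r+1] - sched[r];
    the last entry of sched only closes the final round and has no D/P of its own."""
    violations: Dict[int, List[str]] = {}
    for r in range(len(sched) - 1):
        dur = sched[r + 1] - sched[r]
        bad = []
        if not (dur > P[r] > D[r] > 0):
            bad.append("1: dur(r) > P(r) > D(r) > 0")
        if not (D[r] >= Sigma):
            bad.append("2: D(r) >= Sigma")
        if not (P[r] > D[r] + Sigma + (1 + rho) * delta):
            bad.append("3: P(r) > D(r) + Sigma + (1 + rho) * delta")
        violations[r] = bad
    return violations


def arrival_window(r: int, sched, D, P, Sigma, rho, delta) -> Tuple[float, float, bool]:
    """Worst-case (earliest, latest) clocktime on the *receiver's* clock at which a
    message sent by a nonfaulty processor at its own clocktime sched(r) + D(r) can
    arrive, plus whether that whole window lies inside the receiver's communication
    phase [sched(r), sched(r) + P(r)).

    Earliest: the receiver's clock may read Sigma less than the sender's and delivery
    may be immediate.  Latest: the receiver's clock may read Sigma more, and the delta
    realtime units of delay advance a clock drifting at rate rho by up to (1 + rho) * delta."""
    send = sched[r] + D[r]
    earliest = send - Sigma
    latest = send + Sigma + (1 + rho) * delta
    inside = sched[r] <= earliest and latest < sched[r] + P[r]
    return earliest, latest, inside


# Constructed schedules (clocktime units, say milliseconds): rounds of 10 units,
# messages sent 1 unit in, computation starting 6 units in.
EXAMPLE_OK = dict(sched=[0, 10, 20, 30], D=[1, 1, 1], P=[6, 6, 6],
                  Sigma=0.5, rho=1e-6, delta=3)
# Same round length, but messages go out before the skew has been absorbed (D < Sigma)
# and the network is too slow for the communication phase (large delta).
EXAMPLE_BAD = dict(sched=[0, 10, 20, 30], D=[0.25, 0.25, 0.25], P=[6, 6, 6],
                   Sigma=0.5, rho=1e-6, delta=6)

if __name__ == "__main__":
    for name, ex in (("ok", EXAMPLE_OK), ("bad", EXAMPLE_BAD)):
        print(name, check_schedule(**ex), arrival_window(0, **ex))
```

For EXAMPLE_OK every round passes and the arrival window for round 0 is [0.5, 4.500003), inside the communication phase. For EXAMPLE_BAD constraints 2 and 3 fail in every round, and the window check shows both failure modes the slides describe: the earliest arrival (−0.25) falls before the receiver has started the round, and the latest arrival (6.750006) falls after its communication phase has ended.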
