Model Checking of Timed Systems: A UPPAAL Tutorial
Wang Yi, Uppsala University, Sweden
SFM 2010, Bertinoro

"This is simple, simple, simple … …" (Leslie Lamport)

UPPAAL: A model checker for real-time systems
The tool takes a system model (modeling) and questions (specification) as input and answers Yes or No, returning debugging information in either case.
Main authors/contributors of UPPAAL: Johan Bengtsson, Gerd Behrmann, Alexandre David, Kim Larsen, Fredrik Larsson, Paul Pettersson and Wang Yi.
Developed by UPPsala Univ + AALborg Univ = UPPAAL.

OUTLINE
• Model Checking in a Nutshell
• Timed automata and TCTL
• A UPPAAL Tutorial
• Data structures & central algorithms
• UPPAAL input languages
• (Recent Work: Multi-core Timing Analysis)

Main references
Temporal Logics (CTL):
• Edmund M. Clarke, E. Allen Emerson, A. Prasad Sistla. Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications: A Practical Approach. POPL 1983: 117-126. Also as "Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications", ACM Trans. Program. Lang. Syst. 8(2): 244-263 (1986).
Timed automata and TCTL:
• Rajeev Alur, David L. Dill. A Theory of Timed Automata. Theor. Comput. Sci. 126(2): 183-235 (1994).
• Thomas A. Henzinger, Xavier Nicollin, Joseph Sifakis, Sergio Yovine. Symbolic Model Checking for Real-Time Systems. Information and Computation 111: 193-244 (1994).
UPPAAL:
• Kim Guldstrand Larsen, Paul Pettersson, Wang Yi. UPPAAL in a Nutshell. STTT 1(1-2): 134-152 (1997).
• Johan Bengtsson, Wang Yi. Timed Automata: Semantics, Algorithms and Tools. A tutorial on timed automata (book chapter in Rozenberg et al., 2004, LNCS).
• On-line help of UPPAAL: www.uppaal.com
Model-Checking in a Nutshell

Merits of model checking
• Checking simple properties (e.g. deadlock-freedom) is already extremely useful!
• It is not to prove that a system is completely correct (bug-free).
• The goal is to have tools that can help a developer find errors and improve the quality of her/his design.
• It is to complement testing.
• Now widely used in hardware design and protocol design, and hopefully soon in embedded systems!

History: model checking invented in the 70s/80s [Pnueli 77, Clarke et al 83, POPL83, Sifakis et al 82]
• Restrict attention to finite-state systems: control skeleton + boolean (finite-domain) variables.
• Found in hardware design, communication protocols, process control.
• Specification using CTL, LTL etc. [Pnueli, Lamport, Clarke]: safety, progress/liveness, responsiveness etc.
• BDD-based symbolic technique [Bryant 86]: SMV 1990, Clarke, McMillan et al., state spaces of 10^20 states.
• On-the-fly enumerative technique [Holzmann 89]: SPIN, COSPAN, CAESAR, KRONOS, IF/BIP, UPPAAL (since 1993) etc.
• SAT-based techniques [Clarke et al ...].
• Now powerful tools are used in hardware design.

History: model checking for real-time systems, started in the 80s/90s
• Models of timed systems: timed automata [Alur&Dill 1990]; timed process algebras, Timed CSP, Timed CCS [Wang 1990].
• Extension of model checking to consider time quantities: timed variants of temporal logics, e.g. TCTL.
• Tools: KRONOS, HyTech (1993); TAB 1993 / prototype of UPPAAL [FORTE94, Wang et al]; UPPAAL (1995).

Example: the Vikings Problem
Four vikings, needing 5, 10, 20 and 25 minutes respectively, must cross from the UNSAFE side to the SAFE side. At most 2 can cross at a time, and crossing requires the torch. Can they make it within 60 minutes? What is the fastest time for getting all vikings on the safe side?

Example: Fischer's Protocol
Two processes compete for a critical section using a shared variable V (initially set by Init). Process 1 (locations A1, B1, CS1) uses clock X: it resets X:=0, sets V := 1 while X<100, and may enter CS1 only when X>100 and V=1. Process 2 (locations A2, B2, CS2) mirrors this with clock Y and value 2 (Y:=0, Y<100, V := 2, Y>100, V=2).
Multicore Challenges: Worst-Case Execution Time Analysis of Concurrent Programs on Multicores
Architecture sketch: several CPUs (Core 0, Core 1, ...), each with private L1 I-cache and D-cache, a shared L2 cache, a shared memory bus and off-chip memory (off-chip memory bandwidth is limited). The example is a dual-core processor with private L1 caches and a shared memory bus.
Shared resources: CPUs, caches, bandwidth, energy budget etc.

Combining Static Analysis & Model-Checking [RTSS 2010, submitted]
For each core i with task i: L1 cache configuration + CFG → L1 cache analysis → CHMC → shared bus analysis using MC (with the bus configurations) → WCET of task i.
(1) Local cache analysis by abstract interpretation.
(2) Construct a timed automaton for each program to model the precise timing information on when it accesses the shared bus.
(3) Construct the timed automaton for the given bus arbitration.
(4) Explore the TA models using UPPAAL to get the WCETs.

UPPAAL: A model checker for real-time systems (system model + questions in, Yes/No with debugging information out).

MODELING: how to construct the model?

Modeling Real Time Systems
• Events: synchronization, interrupts.
• Timing constraints specifying event arrivals, e.g. periodic and sporadic (an edge with guard X>10, action a and reset X:=0).
Modeling Real Time Systems (continued)
• Events: synchronization (e.g. press?), interrupts.
• Timing constraints specifying event arrivals, e.g. periodic and sporadic (guard X>10, action a, reset X:=0).
• Data variables & a C subset: guards (e.g. v==100) and assignments (e.g. v++).

A Light Controller
Locations Off, Light, Bright; every edge is triggered by press?: Off → Light, Light → Bright, Bright → Off.
WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.

A Light Controller (with timer)
Solution: add a real-valued clock x.
• Off → Light on press?, resetting X:=0
• Light → Bright on press? if X<=3
• Light → Off on press? if X>3
• Bright → Off on press?

Construction of Models: Concurrency
• Plant (continuous) with sensors and actuators; controller program (discrete) made of tasks.
• Model of the tasks (automatic) + model of the environment (user-supplied) = UPPAAL model.

SPECIFICATION: how to ask questions (specs)?

Specification = Requirement, Lamport 1977
• Safety: something (bad) should not happen.
• Liveness: something (good) must happen / should be repeated.
• And for systems with limited resources: realizability, schedulability, enough resources.
Computation Tree Logic, CTL (Clarke & Emerson 1980)
Syntax: φ ::= P | ¬φ | φ ∧ φ | EX φ | E[φ U φ] | A[φ U φ], where P ∈ AP (atomic propositions).
Derived operators: AG p, EG p, EF p, AF p.
Liveness: p --> q ("p leads to q") is AG (p imply AF q).

Specification: Examples
• Safety: AG not (P1.CS1 & P2.CS2)
• Invariant: AG (temp > 10 & speed < 120)
• Reachability: EF (time>60 imply viking4.safe); EF (viking1.safe & viking2.safe & viking3.safe & viking4.safe)
• Liveness, eventually: AF (speed > 100)
• Liveness, leads to: AG (P1.try imply AF P1.CS1)

VERIFICATION: does the model meet the specs?

Verification
• Semantics of a system = all states + state transitions (all possible executions).
• Verification = state space exploration + examination.
Two basic verification algorithms:
• Reachability analysis: checking safety properties.
• Loop detection: checking liveness properties.
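The CTL syntax and the two verification algorithms above can be made concrete with a small explicit-state model checker. The following is an added example, not code from the tutorial or from UPPAAL: it implements the six primitives (P, not, and, EX, E[ U ], A[ U ]) as fixpoint computations over sets of states, derives AG, EG, EF, AF and "p leads to q" exactly as on the slide, and checks them on a constructed untimed abstraction of the light controller (locations Off, Light, Bright). The state names, labels and transitions are assumptions made for this example.

```python
"""Explicit-state CTL model checking over a finite Kripke structure.

Added example, not code from the tutorial or from UPPAAL.  The Kripke
structure for the light controller below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

State = str
Formula = tuple  # ("P", "off"), ("not", f), ("and", f, g), ("EX", f), ("EU", f, g), ("AU", f, g)


@dataclass(frozen=True)
class Kripke:
    states: FrozenSet[State]
    trans: FrozenSet[Tuple[State, State]]
    labels: Dict[State, FrozenSet[str]]  # atomic propositions true in each state

    def succ(self, s: State) -> Set[State]:
        return {t for (u, t) in self.trans if u == s}

    def pre_exists(self, target: Set[State]) -> Set[State]:
        """States with at least one successor in target (one EX step backwards)."""
        return {s for s in self.states if self.succ(s) & target}

    def pre_forall(self, target: Set[State]) -> Set[State]:
        """States all of whose successors lie in target (one AX step backwards).
        Sound only if every state has a successor; light_controller() checks that."""
        return {s for s in self.states if self.succ(s) <= target}


# The six primitives of the CTL syntax on the slide ...
def prop(p): return ("P", p)
def neg(f): return ("not", f)
def conj(f, g): return ("and", f, g)
def ex(f): return ("EX", f)
def eu(f, g): return ("EU", f, g)
def au(f, g): return ("AU", f, g)

# ... and the derived operators
TRUE = ("true",)
def imply(f, g): return neg(conj(f, neg(g)))
def ef(f): return eu(TRUE, f)                    # EF p = E[true U p]
def af(f): return au(TRUE, f)                    # AF p = A[true U p]
def ag(f): return neg(ef(neg(f)))                # AG p = not EF not p
def eg(f): return neg(af(neg(f)))                # EG p = not AF not p
def leads_to(p, q): return ag(imply(p, af(q)))   # p --> q


def sat(m: Kripke, f: Formula) -> Set[State]:
    """The set of states of m satisfying f, computed bottom-up over the formula."""
    op = f[0]
    if op == "true":
        return set(m.states)
    if op == "P":
        return {s for s in m.states if f[1] in m.labels[s]}
    if op == "not":
        return set(m.states) - sat(m, f[1])
    if op == "and":
        return sat(m, f[1]) & sat(m, f[2])
    if op == "EX":
        return m.pre_exists(sat(m, f[1]))
    if op in ("EU", "AU"):
        # Least fixpoint Z = q ∪ (p ∩ pre(Z)): EU uses the exists-pre (reachability),
        # AU the forall-pre, which is what detects loops that avoid q.
        p, q = sat(m, f[1]), sat(m, f[2])
        pre = m.pre_exists if op == "EU" else m.pre_forall
        z = set(q)
        while True:
            nxt = z | (p & pre(z))
            if nxt == z:
                return z
            z = nxt
    raise ValueError(f"unknown operator {op}")


def holds(m: Kripke, f: Formula, s: State) -> bool:
    return s in sat(m, f)


def light_controller() -> Kripke:
    """Constructed untimed abstraction of the light controller on the slides:
    Off -press-> Light -press-> Bright -press-> Off, plus the 'pressed too late'
    edge Light -press-> Off.  Every location has a successor."""
    states = frozenset({"Off", "Light", "Bright"})
    trans = frozenset({("Off", "Light"), ("Light", "Bright"),
                       ("Light", "Off"), ("Bright", "Off")})
    labels = {"Off": frozenset({"off"}), "Light": frozenset({"light"}),
              "Bright": frozenset({"bright"})}
    m = Kripke(states, trans, labels)
    assert all(m.succ(s) for s in states), "transition relation must be total"
    return m


def check_light_controller() -> Dict[str, bool]:
    """The kinds of properties on the Specification slide, checked from Off."""
    m = light_controller()
    off, light, bright = prop("off"), prop("light"), prop("bright")
    return {
        "EF bright": holds(m, ef(bright), "Off"),                                # reachability
        "AG not(light and bright)": holds(m, ag(neg(conj(light, bright))), "Off"),  # safety
        "AG (light imply EX off)": holds(m, ag(imply(light, ex(off))), "Off"),
        "bright leads to off": holds(m, leads_to(bright, off), "Off"),
        "off leads to bright": holds(m, leads_to(off, bright), "Off"),          # False: loop Off-Light-Off
    }


if __name__ == "__main__":
    for name, ok in check_light_controller().items():
        print(f"{name:28s} {ok}")
```

The last property fails because the path Off → Light → Off can repeat forever without ever reaching Bright; the forall-pre fixpoint for AF never absorbs Off or Light, which is the loop-detection side of liveness checking. EF, by contrast, is plain backward reachability.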
UPPAAL DEMO

Timed Automata, TCTL & Verification Problems

Timed Automata: Syntax
Clocks: x, y. An edge from location n to location m carries a guard (a clock constraint, e.g. x<=5 & y>3), an action (e.g. a, used for synchronization) and a reset (an action performed on clocks, e.g. x := 0).

Timed Automata: Semantics
• State: (location, x=v, y=u) where v, u are in R, e.g. (n, x=2.4, y=3.1415).
• Delay transition: (n, x=2.4, y=3.1415) --1.1--> (n, x=3.5, y=4.2415).
• Action transition: (n, x=2.4, y=3.1415) --a--> (m, x=0, y=3.1415), taking the edge guarded by x<=5 & y>3 with reset x := 0.

Timed Automata with Invariants
Locations carry invariants, e.g. x<=5 on n and y<=10 on m, and time may only pass while the invariant of the current location holds: from (n, x=2.4, y=3.1415) a delay of 1.1 is allowed, whereas a delay of 3.2 would take x to 5.6 and violate x<=5, so the automaton must leave n before that. Invariants ensure progress!!
Timed Automata: Example
• A single location l with a self-loop edge guarded by X>=2 and resetting X:=0 (the loop can be taken at any time at least 2 time units after the last reset).
• The same automaton with invariant X<=3 on l: the loop must now be taken within 3 time units of the last reset.
• Equivalently, a self-loop guarded by 2<=x<=3 with reset X:=0.

Clock Constraints
g ::= x ~ n | g & g, where ~ ∈ {<, >, ≤, ≥}, x is a clock variable and n is a natural number.

Timed Automata = Finite Automata + Clock Constraints + Clock resets