
Satisfiability Modulo Theories Applications to Real-time - PowerPoint PPT Presentation



  1. Computer Science Laboratory, SRI International
Satisfiability Modulo Theories: Applications to Real-time Fault-Tolerant Systems
SAT/SMT Summer School, Trento, Italy, June 2012
Bruno Dutertre, SRI International

  2. Outline
◦ Fault-tolerant Systems
◦ SMT-Based Model Checking
◦ Three Examples
  – Timed Systems
  – TTA Startup Protocol
  – TTE Clock Synchronization

  3. Fault Tolerance

  4. Example: Avionics Control Systems
Flight Control System (Fly-by-Wire)
◦ Reads pilot input + physical sensors (airspeed, pressure, angle of attack, etc.)
◦ Computes commands that move the plane's control surfaces
◦ Must be extremely reliable: the probability of failure must be less than $10^{-9}$ per flight hour (for civil aircraft)
◦ Hardware is not reliable enough (estimates are about $10^{-6}$ to $10^{-7}$ failure probability per hour for CPU, RAM, etc.)

  5. Highly Reliable Digital Systems
[Figure: redundant system of sensors, actuators, computers, communication links]

  6. Fault Tolerance Issues
Goal
◦ The full system must work (possibly in a degraded mode) even if some of its components are faulty
Issues
◦ Ensure the non-faulty computers agree on the control output (within some margin), under some fault assumptions on the number and types of faults
◦ Example Fault Types
  – Fail-stop (crash, sends nothing)
  – Inconsistent omissions (sends correct data to some components, nothing to others)
  – Symmetric faults (sends the same incorrect data to all)
  – Byzantine faults (arbitrary, asymmetric behavior)

  7. Approaches to Fault Tolerance
Synchronous Systems
◦ maintain all the non-faulty components synchronized
◦ use voting algorithms to ensure that they process the same input data
◦ all redundant computers are exact replicas of each other: they maintain identical states, process the same input, produce identical output
Asynchronous Systems
◦ each controller works at its own rate: no synchronization
◦ lack of synchronization implies: distinct controllers may operate on different input values, so exact agreement on output is impossible
◦ voting + thresholding + error detection schemes are used to select one control value out of those produced by the redundant controllers

  8. Example Architecture: Time-Triggered Ethernet (TTE)
[Figure: dataflow between end systems through switches]
Ethernet for fault-tolerant, real-time distributed systems:
◦ Guarantees for real-time messages: low jitter, predictable latency, no collisions
◦ All nodes are synchronized (fault-tolerant clock synchronization protocol)
◦ All communication and computation follow a system-wide, cyclic schedule

  9. Main Fault-Tolerant Protocols in TTE
Startup:
◦ bring up the network into the synchronized state
Clock Synchronization:
◦ executed periodically to maintain all clocks within a fixed bound of each other
Clique Detection and Resolution:
◦ to recover from network-wide transient upsets
Fault Assumptions:
◦ Single Fault Configuration: at most one faulty component
  – Faulty end system: Byzantine
  – Faulty switch: inconsistent omission
◦ Dual Fault Configuration: no more than two faulty components
  – Fault type: inconsistent omission

  10. Verification Problems for TTE
Goal
◦ Show protocol correctness under the stated fault assumption(s)
◦ Get counterexamples if the protocols are not correct
Issues
◦ deal with real-time protocol aspects (timers, communication delays, etc.)
◦ model fault assumptions
◦ model clocks and clock drift
◦ make the proofs as automatic as possible

  11. SMT-Based Models + Induction

  12. Symbolic Modeling
State-transition systems $M = \langle X, I(X), T(X, X') \rangle$
◦ $X$: set of state variables
◦ formula $I(X)$ defines the initial states
◦ formula $T(X, X')$ defines the transition relation
Traces
◦ Sequences of states $x_0 \to x_1 \to x_2 \dots$ such that
  – $x_0$ satisfies $I(X)$
  – for every $t \in \mathbb{N}$, $(x_t, x_{t+1})$ satisfies $T(X, X')$

  13. Bounded Model Checking
Goal
◦ Find counterexamples to a property
◦ Usually the property is an invariant $\Box P$
◦ The goal is then to find a reachable state that does not satisfy $P$
Technique
◦ Fix a bound $k$
◦ Search for a state reachable in $k$ steps that falsifies $P$
◦ This is the same as checking the satisfiability of the formula
  $I(x_0) \wedge T(x_0, x_1) \wedge T(x_1, x_2) \wedge \dots \wedge T(x_{k-1}, x_k) \wedge \neg P(x_k)$

  14. Induction
Goal
◦ Prove that $P$ is invariant
Standard Induction
◦ Show that the following formulas are valid (their negation is not satisfiable)
  $I(x_0) \to P(x_0)$
  $P(x_0) \wedge T(x_0, x_1) \to P(x_1)$
◦ If this succeeds then $P$ is an inductive invariant

  15. What if induction fails?
Case 1: $I(x_0) \to P(x_0)$ is not valid
◦ some initial state $x_0$ fails to satisfy $P$, so $P$ is not invariant
Case 2: $P(x_0) \wedge T(x_0, x_1) \to P(x_1)$ is not valid
◦ there are two successive states $x_0$ and $x_1$ such that $x_0$ satisfies $P$ and $x_1$ does not satisfy $P$
◦ if $x_0$ is reachable, then $P$ is not invariant (but checking whether $x_0$ is reachable is not easy)
◦ otherwise, we can't tell whether $P$ is invariant or not; we can try other things:
  – invariant strengthening
  – use an auxiliary invariant as a lemma
  – use $k$-induction, a stronger induction rule

  16. Invariant Strengthening
Idea: find an inductive invariant $Q$ that implies $P$
This amounts to showing that the following formulas are valid
  $I(x_0) \to Q(x_0)$
  $Q(x_0) \wedge T(x_0, x_1) \to Q(x_1)$
  $Q(x_0) \to P(x_0)$
If they are, then $P$ is invariant

  17. Auxiliary Lemma
Assume we know another auxiliary invariant $L$; we can try to use it as a lemma to prove that $P$ is invariant
Proof Rule: If the following formulas are valid
  $I(x_0) \Rightarrow P(x_0)$
  $P(x_0) \wedge L(x_0) \wedge T(x_0, x_1) \Rightarrow P(x_1)$
and $L$ is invariant, then $P$ is invariant ($P$ is inductive relative to $L$)

  18. $k$-induction
Generalizes induction to $k$ steps
◦ Base case: $I(x_0) \wedge T(x_0, x_1) \wedge \dots \wedge T(x_{k-1}, x_k) \Rightarrow P(x_0) \wedge \dots \wedge P(x_k)$
◦ Induction step: $T(x_0, x_1) \wedge \dots \wedge T(x_k, x_{k+1}) \wedge P(x_0) \wedge \dots \wedge P(x_k) \Rightarrow P(x_{k+1})$
How good is it?
◦ In most cases, $k$-induction is stronger than standard induction (when $k \geq 2$)
◦ $\Box P$ is provable by $k$-induction iff $\Box(P \wedge \bigcirc P \wedge \dots \wedge \bigcirc^k P)$ is provable by induction, so $k$-induction can be viewed as a form of invariant strengthening
◦ There are counterexamples: for example, if $T$ is reflexive, then $\Box P$ is provable by $k$-induction iff $\Box P$ is provable by standard induction.
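As an added illustration (not from the slides), the following Python implements bounded model checking, induction relative to a lemma (slide 17) and $k$-induction (slide 18) by explicit enumeration over a constructed finite toy system, using the slides' indexing for $k$ (the induction step assumes $P$ on $k+1$ consecutive states, so $k = 0$ is standard induction). The system, the property $x \leq 1$ and the lemma are constructed for this example; in practice an SMT solver replaces the enumeration.

```python
from itertools import product

# Constructed toy system (not from the slides): a counter that alternates
# between incrementing and decrementing, steered by a phase bit `up`.
#   I: x = 0 and up;  T: if up then x' = x + 1, up' = False else x' = x - 1, up' = True
# Reachable traces are (0,T) -> (1,F) -> (0,T) -> ..., so P: x <= 1 is invariant,
# but not inductive: (1,T) satisfies P and steps to (2,F). Finite window for x.
STATES = [(x, up) for x, up in product(range(-3, 6), (True, False))]

def init(s):
    return s == (0, True)

def trans(s, t):
    x, up = s
    return t == ((x + 1, False) if up else (x - 1, True))

def prop(s):
    return s[0] <= 1

def successors(s):
    return [t for t in STATES if trans(s, t)]

def bmc(k, P=prop):
    """Trace x0..xk with I(x0), T(x_i,x_i+1), not P(xk): the BMC formula of slide 13."""
    frontier = [[s] for s in STATES if init(s)]
    for _ in range(k):
        frontier = [tr + [t] for tr in frontier for t in successors(tr[-1])]
    return next((tr for tr in frontier if not P(tr[-1])), None)

def k_induction(k, P=prop, lemma=lambda s: True):
    """Prove P by k-induction (slide indexing: k+1 consecutive P-states in the
    step), optionally relative to an auxiliary invariant `lemma` assumed proven.
    Returns ('proved', None), ('base', trace) or ('step', trace)."""
    # Base case: every initial path of up to k transitions stays inside P.
    for i in range(k + 1):
        cex = bmc(i, P)
        if cex is not None:
            return ('base', cex)
    # Induction step: k+1 consecutive states satisfying P (and the lemma) must not
    # be followed by a P-violation; such a path need not be reachable (slide 15).
    paths = [[s] for s in STATES if P(s) and lemma(s)]
    for _ in range(k):
        paths = [p + [t] for p in paths for t in successors(p[-1]) if P(t) and lemma(t)]
    for p in paths:
        for t in successors(p[-1]):
            if not P(t):
                return ('step', p + [t])
    return ('proved', None)
```

`k_induction(0)` returns the non-inductive step counterexample [(1,T),(2,F)], `k_induction(1)` proves $P$, and `k_induction(0, lemma=...)` with the constructed lemma "up implies x <= 0" proves $P$ by standard induction relative to $L$.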

  19. [Figure: reachable states versus states satisfying P. Left: P invariant. Middle: P invariant but not inductive. Right: P inductive relative to L]

  20. Timed Systems

  21. Modeling Real-time Systems
Constraints
◦ Model timed systems as state-transition systems
◦ Make the model amenable to analysis using:
  – bounded model checking
  – $k$-induction
Possible Models
◦ Implicit time
  – Timed Automata (Alur & Dill) and many variants
  – Many other models (e.g., timed process algebras)
◦ Explicit time
  – use an explicit time variable (e.g., Lamport & Abadi)
  – transition relation encodes time progress: time' = time + delta

  22. Timed Automata
[Figure: timed automaton with locations Sleeping, Waiting, Trying, Critical; labels include [lock = 0] x := 0, invariant x <= 1, [x <= 1] lock := i, x := 0, [lock /= i], [lock = i, x >= 2], lock := 0]
◦ The clock $x$ is a real-valued variable
◦ It can be reset on discrete transitions
◦ $x$ increases continuously at a constant rate ($\dot{x} = 1$) between discrete transitions
◦ Guards specify when transitions can be taken
