BRICS@Aalborg UPPAAL systemer

transcript

UUUUCCCCbbbb

Verifikation af realtids Verifikation af realtids systemersystemeri i UPPAALUPPAAL

Kim G. LarsenBRICS@Aalborg

2MII’’2001 Kim G. LarsenUCUCUCUCb b b b

Research ProfileDistributed Systems & Semantics Unit

Semantic Modelsconcurrency, mobility, objects real-time, hybrid systems

Validation & Verificationalgorithms & tools

Constructionreal-time & network systems

BRICS Machine Basic Research in Computer Science

30+40+40 Millkr

Aalborg Aarhus

ToolsOther revelvant projects

UPPAAL, VHS, VVS, WOODDES

Tools and BRICS

Logic• Temporal Logic• Modal Logic• MSOL ••

Algorithmic• (Timed) Automata Theory• Graph Theory• BDDs• Polyhedra Manipulation••

Semantics• Concurrency Theory• Abstract Interpretation• Compositionality• Models for real-time

& hybrid systems••

HOL TLP

Applications

PVS ALFSPIN

visualSTATE UPPAAL

A REAL real time system

Klaus Havelund, NASA

Embedded Systems

SyncMaster 17GLsi

Telephone

Tamagotchi

Mobile Phone

Digital Watch

Introducing, Detecting and Repairing Errors Liggesmeyer 98

Suggested Solution?

Model based validation, verfication and testing of

software and hardware

Verification & Validation

Design Model Specification

Analysis

Implementation

Testing

Design Model SpecificationVerification & Refusal

AnalysisValidation

Implementation

Testing

AnalysisValidation

Implementation

Testing

ModelExtraction

AutomaticCode generation

AnalysisValidation

Implementation

Testing

AutomaticCode generation

AutomaticTest generation

ModelExtraction

Unified Model = State Machine!

Control states

Inputports

Outputports

TamagotchiA C

Health=0 or Age=2.000

Passive Feeding Light

PlayDisciplineMedicine

Health:=Health-1; Age:=Age+1

Health:=Health-1

SYNCmaster

Digital Watch

visualSTATE

� Hierarchical state systems

� Flat state systems� Multiple and inter-

related state machines

� Supports UML notation

� Device driver access

VVSw Baan Visualstate, DTU (CIT project)

The SDL EditorThe SDL EditorThe SDL Editor

Process levelProcess level

SPIN, G

erald Holzm

ann AT&

‘State Explosion’ problem

1,a 4,a

3,a 4,a

1,b 2,b

3,b 4,b

1,c 2,c

3,c 4,c

All combinations = exponential in no. of components

M1 x M2

Provably theoretical

intractable

Train Simulator1421 machines11102 transitions2981 inputs2667 outputs3204 local statesDeclare state sp.: 10^476

BUGS ?

VVSvisualSTATE

Our techniuqes has reduced verification

time with several orders of magnitude

(ex 14 days to 6 sec)

Tool Support (model checking)

System Description A

Requirement F Yes, PrototypesExecutable CodeTest sequences

No!Debugging Information

Tools: Telelogic, Verilog, UPPAAL, SPIN, MV, Statemate, visualSTATE, FormalCheck, VeriSoft, Java Pathfinder,…

TOOLTOOL

UUUUCCCCbbbb

UPPAALUPPAAL

Modelling and Verification ofReal Time systems

UPPAAL2k> 800 users> 35 countries

www.uppaal.com

Collaborators@UPPsala

�Wang Yi�Johan Bengtsson�Paul Pettersson�Fredrik Larsson�Alexandre David�Tobias Amnell�Oliver Möller

@AALborg�Kim G Larsen�Arne Skou�Paul Pettersson�Carsten Weise �Kåre J Kristoffersen�Gerd Behrman�Thomas Hune�Oliver Möller�Nicky Oliver Bodentien�Lasse Poulsen

@Elsewhere�David Griffioen, Ansgar Fehnker, Frits Vandraager, Klaus Havelund,

Theo Ruys, Pedro D’Argenio, J-P Katoen, J. Tretmans,Judi Romijn, Ed Brinksma, Franck Cassez, Magnus Lindahl, Francois Laroussinie, Patricia Bouyer, Augusto Burgueno, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Justin Pearson...

Hybrid & Real Time Systems

PlantContinuous

Controller ProgramDiscrete

Control Theory Computer Science

Eg.: Pump ControlAir BagsRobotsCruise ControlABSCD PlayersProduction Lines

Real Time SystemA system where correctness not only depends on the logical order of events but also on their timing

sensors

actuators

TaskTask

Construction of UPPAAL models

PlantContinuous

Controller ProgramDiscrete

sensors

actuators

TaskTask

UPPAAL Model

Modelofenvironment(user-supplied)

Model oftasks(automatic?)

Timed Automata

Alur & Dill 1990

Clocks: x, y

x<=5 & y>3

x := 0

Guard Boolean combination of integer boundson clocks and clock-differences.

ResetAction perfomed on clocks

Transitions

( n , x=2.4 , y=3.1415 )( n , x=3.5 , y=4.2415 )

e(1.1)

( n , x=2.4 , y=3.1415 )( m , x=0 , y=3.1415 )

State( location , x=v , y=u ) where v,u are in R

Actionused

for synchronization

Clocks: x, y

x<=5 & y>3

x := 0

Transitions

( n , x=2.4 , y=3.1415 )( n , x=3.5 , y=4.2415 )

e(1.1)

( n , x=2.4 , y=3.1415 )e(3.2)

LocationInvariants

g1g2 g3

Timed Automata Invariants

Invariants ensure progress!!

The UPPAAL Model= Networks of Timed Automata + Integer Variables +….

x>=2i==3

x := 0i:=i+4

………….Two-way synchronizationon complementary actions.

Closed Systems!

Two-way synchronizationon complementary actions.

Closed Systems!

(l1, m1,………, x=2, y=3.5, i=3,…..) (l2,m2,……..,x=0, y=3.5, i=7,…..)

(l1,m1,………,x=2.2, y=3.7, I=3,…..)0.2

Example transitions

If a URGENT CHANNEL

Timed Automata in UPPAAL

�Timed (Safety) Automata+ urgent actions + urgent locations+ committed locations+ data-variables (with bounded domains)+ arrays of data-variables + constants + guards and assignments over data-variables and

arrays…+ templates with local clocks, data-variables, and

constants.

Declarations in UPPAAL

clock x1, …, xn;

int i1, …, im;

chan a1, …, ao;

const c1 n1, …, cp np;

Examples:clock x, y;

int i, J0; int[0,1] k[5];

const delay 5, true 1, false 0;

Array k of five booleans.

Timed Automata in UPPAAL

x<=5 & y>3

x := 0

g1g2 g3

invinvnxnxinv ,||:: ≤<=

clock natural number and

}!,,,,,{},,,,{

=>>==<=<∈>>==<=<∈

ExpropExprgnyxnxg

��

clock guards

data guards

clock assignments

):?(|/|*||

|||][|::

ExprExprgExprExprExprExprExprExprExprExpr

ExprnExpriiExpr

location invariants

Urgent Channels

urgent chan hurry;

Informal Semantics:• There will be no delay if transition with urgent action can be taken.

Restrictions:• No clock guard allowed on transitions with urgent actions.• Invariants and data-variable guards are allowed.

Urgent Locations

Click “Urgent” in State Editor.

Informal Semantics:• No delay in urgent location.

Note: the use of urgent locations reduces the number of clocks in a model, and thus the complexity of the analysis.

Committed Locations

Click “Committed” in State Editor.

Informal Semantics:• No delay in committed location.• Next transition must involve automata in committed location.

Note: the use of committed locations reduces the number of clocks in a model, and allows for more space and time efficient analysis.

UPPAAL Specification Language

A[] p (AG p)E<> p (EF p)

p::= a.l | gd | gc | p and p |

p or p | not p | p imply p |

clock guardsdata guardsprocess location

UUUUCCCCbbbb

BRICK SORTING

First UPPAAL modelSorting of Lego BoxesSorting of Lego BoxesSorting of Lego BoxesSorting of Lego Boxes

Conveyer Belt

Exercise: Design Controller so that only black boxes are being pushed out

BoxesPiston

red9 18 81 90

BlckRd

remove

Controller

Ken Tindell

MAIN PUSH

NQC programs

task PUSH{while(true){

wait(Timer(1)>DELAY && active==1);active=0;Rev(OUT_C,1);Sleep(8);Fwd(OUT_C,1);Sleep(12);Off(OUT_C);

task PUSH{while(true){

wait(Timer(1)>DELAY && active==1);active=0;Rev(OUT_C,1);Sleep(8);Fwd(OUT_C,1);Sleep(12);Off(OUT_C);

int active;int DELAY;int LIGHT_LEVEL;

task MAIN{DELAY=75;LIGHT_LEVEL=35;active=0;Sensor(IN_1, IN_LIGHT);Fwd(OUT_A,1);Display(1);

start PUSH;

while(true){wait(IN_1<=LIGHT_LEVEL);ClearTimer(1);active=1;PlaySound(1);wait(IN_1>LIGHT_LEVEL);

task MAIN{DELAY=75;LIGHT_LEVEL=35;active=0;Sensor(IN_1, IN_LIGHT);Fwd(OUT_A,1);Display(1);

start PUSH;

while(true){wait(IN_1<=LIGHT_LEVEL);ClearTimer(1);active=1;PlaySound(1);wait(IN_1>LIGHT_LEVEL);

From RCX to UPPAAL

�Model includes Round-Robin Scheduler.

�Compilation of RCX tasks into TA models.

�Presented at ECRTS2000

Task MAIN

The Production CellCourse at DTU, Copenhagen

Production Cell

UUUUCCCCbbbb

TRAIN CROSSING

Train Crossing

Crossing

StopableArea

[10,20]

[7,15]

Train Crossing

Crossing

StopableArea

[10,20]

[7,15]

[3,5]appr,stop

emptynonemptyhd, add,rem

Communication via channels andshared variable.

UUUUCCCCbbbb

Communication ProtocolsCSMA/CDBRP……

CSMA/CD protocol – MAC layer

send - service provided by Mac which reacts by transmitting a message,

rec - (receive) service provided by Mac, indicates that a message is ready to be received,

b - (begin) Mac begins message transmission to M, e - (end) Mac terminates message transmission to M, br - (begin receive) M begins message delivery to Mac, er - (end receive) M terminates message delivery to Mac, b - (collision) Mac is notified that a

collision has occurred on M.

EVENTS

UUUUCCCCbbbb

Philips Bounded Retransmission Protocol

[D’Argenio et.al. 97]

Protocol Overview�Protocol developed by Philips.�Transfer data between Audio/Video components

via infra-red communication.�Data files sent in smaller chunks.�Problem: Unreliable communication medium.�Sender retransmit if receiver respond too late.�Receiver abort if sender sends too late.

Overview of BRP

Sender Receiver

Input: file = p1, …, pn

Output: p1, …, pn

How It Works

�Sender input: file = p1, …, pn.

�S sends (p1,FST,0), (p2,INC,1), …, (pn-1,INC,1), (pn,OK,0).

�R sends: ack, …, ack.�S retransmits pi if timeout.�Receiver recives: p1, …, pn.�Sender and Receiver receives NOK or OK.

whole file OK

more parts will followfirst part of file

Case Studies: Protocols

�Philips Audio Protocol [HS’95, CAV’95, RTSS’95, CAV’96]�Collision-Avoidance Protocol [SPIN’95]

�Bounded Retransmission Protocol [TACAS’97]

�Bang & Olufsen Audio/Video Protocol [RTSS’97]

�TDMA Protocol [PRFTS’97]

�Lip-Synchronization Protocol [FMICS’97]

�Multimedia Streams [DSVIS’98]

�ATM ABR Protocol [CAV’99]

�ABB Fieldbus Protocol [ECRTS’2k]

�IEEE 1394 Firewire Root Contention (2000)

Case-Studies: Controllers

�Gearbox Controller [TACAS’98]

�Bang & Olufsen Power Controller [RTPS’99,FTRTFT’2k]

�SIDMAR Steel Production Plant [RTCSA’99, DSVV’2k]

�Real-Time RCX Control-Programs [ECRTS’2k]

�Experimental Batch Plant (2000)

�RCX Production Cell (2000)

BRP Model OverviewSender Receiver

Input: file = p1, …, pn

(pi,INDication,abit)

ok, nok, dk IND, ok, nok

Output: p1, …, pn

The Lossy Media

value-passing

lossy = may dropmessages

one-place capacity

Bounded Retransmission

�S sends a chunk pi and waits for ack from R.�If timeout the chunk is retransmitted.�If too many timeout the transmission fails

(NOK is sent to Sender). �If whole file successfully sent OK is sent to

Sender.�Receiver is similar.

Process S

Process R

The Sender and Receiver

“If you want to know more”

�Test & Verification � http://www.cs.auc.dk/~ejersbo/tov/Plan.html

�BRICS@Aalborg� http://www.cs.auc.dk/research/FS/

�UPPAAL� http://www.uppaal.com

�WOODDES, ATT (VHS):� http://www.docs.uu.se/docs/rtmv/wooddes/� http://www-verimag.imag.fr/VHS/main.html

�Strategic Directions in Computing Research Formal Methods Working Group, ACM June 1996� http://www.cs.cmu.edu/afs/cs/usr/wing/www/mit/mit.html

BRICS@Aalborg UPPAAL systemer

Documents