Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol Using Event Order Abstraction
Shinya Umeno
Nancy Lynch’s Group, CSAIL, MIT
TDS seminar, September 18th, 2009
Shinya Umeno, TDS seminar, September 18th 2009
FORMATS 2009
The 7th International Conference on Formal Modelling and Analysis of Timed Systems
FACTS:
Mostly theory papers (decidability, recognizability, etc.).
Some application papers (using Alur-Dill automata and UPPAAL).
No parametric-approach paper, except for mine.
Keywords of The Talk
Time-Parametric Verification
Timing Parameter Constraint Synthesis
Real-time System Analysis (Formal Methods)
Event-Order-Based Abstraction of Timed Systems
Case Study Using an “Industrial” Example
Outline
Biphase Mark Protocol (BMP)
Our Approach: Event Order Abstraction
Case Study Result
Bad Event Orders of BMP
Parameter Constraints for Bad EOs
Timing Constraints for Correctness
Human Guidance + Automatic Synthesis
Case Studies by Several Approaches
(Umeno, EMSOFT 2008)
Biphase Mark Protocol (BMP)
- is a lower-layer communication protocol for consumer and industrial electronics.
- uses timing constraints on the system’s behavior to encode and decode bits.
- is used in a digital audio protocol, S/PDIF (Sony Philips Digital InterFace).
Biphase Mark Protocol (BMP)
[Figure: signal level against time. Bits to be sent: 1 0 1 1. Each bit occupies one cell; the first sub-cell of a cell is the mark.]
Represents 1 by toggling, and 0 by a flat signal.
Detection: the receiver detects a signal level change (the edge that opens a cell), then checks for a further signal level change within the cell.
Toggling is detected → 1; flat is detected → 0.
Decoded Bits: 1 0 1 1
Timing Parameters: C, M1, , T (and Metastability H)
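The encoder and receiver behaviour sketched in the figures above, as an added Python illustration that is not code from the talk, from METEORS or from the paper's model. It assumes integer time ticks, an ideal line with no metastability window H, and a receiver that samples the line every `delta` ticks, takes a change between two consecutive samples as the edge that opens a cell, and decides the bit `t_samp` ticks after that sample. The parameter names `c`, `m1`, `delta`, `t_samp`, the receiver algorithm and the three conditions in `sufficient()` are this toy's own, not the constraints reported in the talk.

```python
"""Toy Biphase Mark Protocol (BMP) encoder and sampling receiver.

Added illustration (not from the talk). Assumptions: integer time ticks, an ideal
line without the metastability window H, and a receiver that samples every
`delta` ticks and decides a bit `t_samp` ticks after the sample at which it saw
the edge that opens a cell.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Params:
    c: int       # cell length
    m1: int      # length of the mark (first) sub-cell
    delta: int   # receiver sampling period (spacing of the DetectF/DetectT checks)
    t_samp: int  # sampling distance: ticks from the detected edge to the Decode sample


def encode(bits: List[int], p: Params) -> List[int]:
    """Times at which the sender toggles the line.

    Every cell opens with a toggle (the mark); a 1 adds a second toggle m1 ticks
    later, a 0 leaves the line flat for the rest of the cell.
    """
    toggles: List[int] = []
    for i, b in enumerate(bits):
        start = i * p.c
        toggles.append(start)
        if b == 1:
            toggles.append(start + p.m1)
    return toggles


def level_at(toggles: List[int], t: int, idle: int = 0) -> int:
    """Line level at time t: the idle level flipped once per toggle at a time <= t."""
    return idle ^ (sum(1 for x in toggles if x <= t) & 1)


def decode(toggles: List[int], n_bits: int, p: Params, phase: int = 0) -> List[int]:
    """Simplified receiver; returns the decoded bits (possibly fewer than n_bits)."""
    end = (n_bits + 1) * p.c            # stop sampling one cell after the last one
    bits: List[int] = []
    t = phase - p.delta                 # one (idle) sample before the grid starts
    prev = level_at(toggles, t)         # reference level for edge detection
    pending: Optional[Tuple[int, int]] = None  # (decode time, level seen at the edge)
    while t < end and len(bits) < n_bits:
        t += p.delta
        if pending is not None and pending[0] <= t:
            t_dec, edge_level = pending
            bits.append(1 if level_at(toggles, t_dec) != edge_level else 0)  # Decode
            pending = None
            prev = level_at(toggles, t_dec)  # hunt for the next cell's edge from here
        cur = level_at(toggles, t)
        if pending is None and cur != prev:  # DetectT: an edge arrived since last sample
            pending = (t + p.t_samp, cur)
        prev = cur                           # otherwise DetectF: a repeated check
    return bits


def sufficient(p: Params) -> bool:
    """Conditions under which this toy receiver decodes every bit correctly
    (derived for the toy only; not the constraints METEORS reported for BMP):
    some sample falls inside every mark sub-cell, the Decode sample comes after
    the mid-cell toggle of a 1, and it comes before the next cell's mark."""
    return p.delta <= p.m1 and p.t_samp >= p.m1 and p.t_samp + p.delta <= p.c


if __name__ == "__main__":
    bits = [1, 0, 1, 1]  # the bits used in the talk's figure
    for p in (Params(10, 4, 3, 5), Params(10, 4, 6, 5), Params(10, 4, 3, 9)):
        got = decode(encode(bits, p), len(bits), p)
        print(p, "ok" if got == bits else "BAD", got, "sufficient:", sufficient(p))
```

With c=10 and m1=4, the first setting decodes 1 0 1 1 correctly. The second (delta > m1) loses the third bit: both toggles of a 1 cell fall between two samples, so the receiver never sees an edge. The third (t_samp + delta > c) decodes the flat 0 cell as 1 because the Decode sample lands after the next cell's edge, the same kind of failure as the first bad scenario shown later in the talk, where a new edge arrives before Decode.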
Why Parametric Approach?
A parametric approach gives the user more information than a fixed-parameter approach (such as the Alur-Dill timed automata approach).
• Does the system satisfy a desirable property irrespective of the parameter settings?
• If a parameter setting affects system correctness, then which parameter settings satisfy correctness?
• Optimization under parameter constraints.
(Undecidable; Alur et al.)
Our Goal for BMP Case Study
Goal: Synthesize parameter constraints under which the correctness is guaranteed.
Correctness:
1. Sent bits = Decoded bits
2. No decoding overflow/underflow
- A special module (Monitor) tracks this information.
[Figure: Sender → Receiver over the toggling signal; a Monitor observes the sending bits and the decoded bits.]
Why is BMP Parametric Verification Challenging?
Due to repetitions with timing constraints!
Timed execution: s0 (DetectF, Δ) s1 (DetectF, 2Δ) s2 (DetectF, 3Δ) s3 …
All of the si are different! Reachable-state (fixed point) computation will not terminate. (The TReX extrapolation technique takes care of this.)
Untimed execution: s0 DetectF s1 DetectF s2 DetectF s3 …
All of the si are the same (DetectF is just a stuttering transition).
Modeling: Time-Interval Automata
A time-interval automaton (A,b) is an I/O automaton A with an interval boundmap b.
An I/O automaton:
• Is a classical state transition machine with distinguished input/output/internal actions.
• Is typically described using a guarded-command style language.
Suitable for concurrent/distributed systems.
Interval Boundmap: b (, ) = [L , U ]
b maps an action of A, together with a set of actions that may follow it, to a lower bound L and an upper bound U on the duration between that action and any action in the set.
Examples from BMP:
b (DetectF, {DetectF, DetectT}) = [] (Repeated checks)
b (DetectT, {Decode}) = [] (Sampling distance)
TIA Code of the Encoder
[Figure: the encoder's time-interval automaton code, with labels for the automaton declaration, state variables, transition signatures, preconditions (transition guards), effects (transition commands) and time bounds.]
Overview of Our Approach (Event Order Abstraction, EOA)
We split timed verification into two parts:
1. Verification of Untimed Model + Event Order Constraints
2. Automatic Synthesis of Timing Parameter Constraints from Event Order Constraints (performed by our tool METEORS)
[Figure: Untimed Model and Event Order Constraints go into Model-Checking; a Bad Event Order found there goes through Event Order Generalization (a subclass of regular expressions).]
Identifying Bad Event Orders
• The user first identifies a candidate set of bad event orders (which may be empty).
• Monitors are constructed by a support tool from the given orders (for model-checking). A monitor raises a flag if a bad event order is detected in the current model execution.
• He/she then model-checks that the Untimed Model, under the assumption not Monitor.raiseFlag, satisfies not SafetyPropertyViolated.
Bad Scenario Example of BMP
[Figure: the receiver sees Edge0; a new edge (0 or 1) arrives while the 0 cell is still flat, and the receiver decodes 1.]
DetectF-DetectF-DetectF-Edge0-DetectT-Edge0-Decode
• This event order specifies the order of consecutive actions in an automaton execution.
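A monitor of the kind described above, as an added Python example; it is not the support tool's code, whose construction the talk does not show. It assumes the event-order syntax seen on these slides (action names joined by "-", with "(Name)*" meaning zero or more repetitions) and, as the talk says, that an order describes a run of consecutive actions anywhere in an execution. The executions fed to it are constructed for the example.

```python
"""Monitor that raises a flag when a bad event order occurs in an execution.

Added illustration (not the support tool from the talk). An event order such as
'Edge0-(DetectF)*-DetectT-Settle-Edge0' is a small regular expression over action
names; the monitor is the matching NFA, run over the actions as they happen.
"""

from typing import List, Set, Tuple


def parse_order(order: str) -> List[Tuple[str, bool]]:
    """'Edge0-(DetectF)*-DetectT' -> [('Edge0', False), ('DetectF', True), ('DetectT', False)].
    The flag marks a starred action (zero or more repetitions)."""
    tokens: List[Tuple[str, bool]] = []
    for tok in order.split("-"):
        tok = tok.strip()
        if tok.startswith("(") and tok.endswith(")*"):
            tokens.append((tok[1:-2], True))
        else:
            tokens.append((tok, False))
    return tokens


class EventOrderMonitor:
    """Runs alongside an execution; raise_flag becomes True once the actions seen
    so far contain the bad event order as a run of consecutive actions."""

    def __init__(self, order: str) -> None:
        self.tokens = parse_order(order)
        self.n = len(self.tokens)      # position n means the whole order has matched
        self.raise_flag = False
        self.states: Set[int] = self._closure({0})

    def _closure(self, states: Set[int]) -> Set[int]:
        # A starred token may match nothing, so position i with a star also counts as i+1.
        out: Set[int] = set()
        todo = list(states)
        while todo:
            i = todo.pop()
            if i in out:
                continue
            out.add(i)
            if i < self.n and self.tokens[i][1]:
                todo.append(i + 1)
        return out

    def step(self, action: str) -> bool:
        """Feed one action of the execution; returns the flag."""
        nxt: Set[int] = set()
        for i in self.states:
            if i == self.n:
                continue
            name, star = self.tokens[i]
            if name == action:
                nxt.add(i if star else i + 1)  # a star stays put, a literal advances
        nxt.add(0)                             # a match may also begin at the next action
        self.states = self._closure(nxt)
        if self.n in self.states:
            self.raise_flag = True
        return self.raise_flag


def first_violation(order: str, actions: List[str]) -> int:
    """Index of the action at which the monitor first raises its flag, or -1."""
    monitor = EventOrderMonitor(order)
    for i, action in enumerate(actions):
        if monitor.step(action):
            return i
    return -1


if __name__ == "__main__":
    ORDER = "Edge0-(DetectF)*-DetectT-Settle-Edge0"
    # Constructed executions: the first contains the bad order, the second breaks
    # it with a Decode between DetectT and Settle, so the actions are not consecutive.
    print(first_violation(ORDER, ["Edge0", "DetectF", "DetectF", "DetectT", "Settle", "Edge0"]))
    print(first_violation(ORDER, ["Edge0", "DetectF", "DetectT", "Decode", "Edge0", "DetectF"]))
```

Because the star is handled by the closure step, the same monitor accepts orders with several starred actions, such as the Decode-(DetectF)*-Edge1S-(DetectF)*-Settle-Edge1T order later in the talk, and the flag stays raised once set, which is what a model checker needs when it checks not Monitor.raiseFlag as an assumption.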
Bad Scenario Example of BMP
Edge0-(DetectF)*-DetectT-Settle-Edge0
[Figure: Edge0, then the new edge (the next cell's Edge0) arrives; the flat signal for 0 is completely missed! Metastability is involved (the Settle action).]
Bad Scenario Example of BMP
Decode-(DetectF)*-Edge1S-(DetectF)*-Settle-Edge1T
[Figure: timing diagram with the two edges Edge1S and Edge1T of a 1 cell, the mark length m1 and the metastability window H.]
Unwinding! One iteration of the second star is unwound (DF = DetectF):
Decode-(DetectF)*-Edge1S-(DF)*-DF-Settle-Edge1T
Our Tool: METEORS
One event order: Disjunction of linear inequalities
Multiple event orders: Conjunction of disjunctions of linear inequalities
- Automatic decomposition
Simplification of the resulting constraint
- All derivable bounds
Bad Scenarios of BMP
From page 269 of the proceedings:
Sufficient Parameter Constraints
METEORS reported:
m1 > H + 
 > M1 + H
c > H +  + T
It is sufficient to satisfy these three constraints for correctness of BMP.
Related Work (BMP Verification)
Compared on: Verification, Synthesis
UPPAAL and PVS: Vaandrager, F.W., de Groot, A.: Analysis of a biphase mark protocol with UPPAAL and PVS. 2006
- Bad event orders are found using UPPAAL.
- Constraints are manually derived from the bad orders.
- Correctness under the derived constraints is proved using PVS.
Calendar Automata: Brown, G.M., Pike, L.: Easy parameterized verification of biphase mark and 8N1 protocols. 2006
- BMP is modeled using the Calendar Automata framework for SAL.
- Correctness under the derived constraints is proved using SAL (inductive invariants must be supplied, though the proof is automatic).
HyTech: Henzinger, T., Preussig, J., Wong-Toi, H.: Some lessons from the HYTECH experience. 2001
- Some parameters are fixed.
- Model is modified: no repetitive checks with time bounds.
Other Case Studies of EOA
• IEEE 1394 (FireWire / i-Link), Root Contention Protocol (randomness is abstracted)
• Train-Gate Toy Problem
• Fischer’s Mutual Exclusion Algorithm
Summary and Future Work
We synthesized parameter constraints of BMP using Event Order Abstraction (METEORS and SAL are used).
Future work:
Automatic bad event order identification
- List of counter examples from model-checking
- Automatic “chopping” and generalization??