Dependable Embedded Software Systems Kim Guldstrand Larsen UCb

2 BRICS Machine Basic Research in Computer Science, Millkr 100 Aalborg Aarhus Tools

UCb 3 Tools and BRICS Logic Temporal Logic Modal Logic MSOL Algorithmic (Timed) Automata Theory Graph Theory BDDs Polyhedra Manipulation Semantics Concurrency Theory Abstract Interpretation Compositionality Models for real-time & hybrid systems HOL TLP Applications PVS ALF SPIN visualSTATEUPPAAL

UCb 4 A very complex system Klaus Havelund, NASA

UCb 5 Rotterdam Storm Surge Barrier

UCb 6 Spectacular Software Bugs z ARIANE-5 z INTEL Pentium II floating-point division 470 Mill US $ z Baggage handling system, Denver 1.1 Mill US $/day for 9 months z Mars Pathfinder z Radiation theraphy, Therac-25 z …….

UCb 7 Embedded Systems z80% af al software er indlejret i interagerende apparater. zKrav om stigende funktionalitet med minimale resourcer zUdvikler skal ideelt set have adskillige kvalifikationer xsofwarekonstr. og –udvikl. xhardware platforme, xkommunikatíon & protokoller, xvalidering (test og verifikation),………. Indlejrede Systemer = Pervasive Computing Indlejrede Systemer = Pervasive Computing

UCb 8 Traditional Software Development The Waterfall Model Analyse Design Implementation Testing  Costly in time-to-market and money  Errors are detected late or never  Application of FM’s as early as possible Problem Area Running System REVIEWS

UCb 9 Modelbased Validation Design ModelSpecification Verification & Refusal Analysis Validation FORMAL METHODS Implementation Testing UML

UCb 10 Modelbased Validation Design ModelSpecification Verification & Refusal Analysis Validation FORMAL METHODS Implementation Testing UML Automatic Code generation

UCb 11 Modelbased Validation Design ModelSpecification Verification & Refusal Analysis Validation FORMAL METHODS Implementation Testing UML Automatic Code generation Automatic Test generation

UCb 12 How? Unified Model = State Machine! a b x y a? b? x! y!b? Control states Input ports Output ports

UCb 13 Tamagotchi A C Health=0 or Age=2.000 B PassiveFeeding Light Clean PlayDisciplineMedicine Care Tick Health:=Health-1; Age:=Age+1 A A A A A A A A Meal Snack B B ALIVE DEAD Health:= Health-1

UCb 14 Digital Watch Statechart=UML, David HAREL

UCb 15 SYNCmaster

UCb 16 SPIN, Gerald Holzmann AT&T

UCb 17 visualSTATE zHierarchical state systems zFlat state systems zMultiple and inter- related state machines zSupports UML notation zDevice driver access VVS w Baan Visualstate, DTU (CIT project)

UCb 18 UPPAAL

UCb 19 Tool Support TOOL System Description A Requirement F Yes, Prototypes Executable Code Test sequences No! Debugging Information Tools: UPPAAL, visualSTATE, SPIN, ESTEREL, Rhapsody, TeleLogic, Statemate, Formalcheck,.. Tools: UPPAAL, visualSTATE, SPIN, ESTEREL, Rhapsody, TeleLogic, Statemate, Formalcheck,..

UCb 20 ‘State Explosion’ problem a cb ,a 4,a 3,a 4,a 1,b 2,b 3,b4,b 1,c 2,c 3,c 4,c All combinations = exponential in no. of components M1 M2 M1 x M2 Provably theoretical intractable

UCb 21 Train Simulator 1421 machines transitions 2981 inputs 2667 outputs 3204 local states Declare state sp.: 10^476 BUGS ? VVS

UCb 22 Train Simulator 1421 machines transitions 2981 inputs 2667 outputs 3204 local states Declare state sp.: 10^476 BUGS ? VVS visualSTATE Our techniuqes has reduced verification time with several orders of magnitude (ex 14 days to 6 sec)

UPPAAL Modelling and Verification of Real Time systems UPPAAL2k > 2000 users > 45 countries UPPAAL2k > 2000 users > 45 countries See !!!! See !!!!

UCb 24 yWang Yi yJohan Bengtsson yPaul Pettersson yFredrik Larsson yAlexandre David yTobias Amnell yOliver yKim G Larsen yArne Skou yPaul Pettersson yCarsten Weise yKåre J Kristoffersen yGerd Behrman yThomas Hune yOliver yDavid Griffioen, Ansgar Fehnker, Frits Vandraager, Klaus Havelund, Theo Ruys, Pedro D’Argenio, J-P Katoen, J. Tretmans, Judi Romijn, Ed Brinksma, Franck Cassez, Magnus Lindahl, Francois Laroussinie, Patricia Bouyer, Augusto Burgueno, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Justin Pearson...

UCb 25 Real Time Systems Plant Continuous Controller Program Discrete Control Theory Computer Science Eg.: Pump Control Air Bags Robots Cruise Control ABS CD Players Production Lines Real Time System A system where correctness not only depends on the logical order of events but also on their timing Real Time System A system where correctness not only depends on the logical order of events but also on their timing sensors actuators Task

UCb 26 Validation & Verification Construction of UPPAAL models Plant Continuous Controller Program Discrete sensors actuators Task a cb a cb a cb UPPAAL Model Model of environment (user-supplied) Model of tasks (automatic)

UCb 27 Intelligent Light Control OffLightBright press? WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.

UCb 28 Intelligent Light Control OffLightBright press? Solution: Add real-valued clock x X:=0 X<=3 X>3

UCb 29 Timed Automata n m a Alur & Dill 1990 Clocks: x, y x 3 x := 0 Guard Boolean combination of integer bounds on clocks and clock-differences. Reset Action perfomed on clocks Transitions ( n, x=2.4, y= ) ( n, x=3.5, y= ) e(1.1) ( n, x=2.4, y= ) ( m, x=0, y= ) a State ( location, x=v, y=u ) where v,u are in R Action used for synchronization

UCb 30 n m a Clocks: x, y x 3 x := 0 Transitions ( n, x=2.4, y= ) ( n, x=3.5, y= ) e(1.1) ( n, x=2.4, y= ) e(3.2) x<=5 y<=10 Location Invariants g1 g2 g3 g4 Timed Automata Invariants Invariants ensure progress!!

UCb 31 Cruise Control When the car ignition is switched on and the on button is pressed, the current speed is recorded and the system is enabled: it maintains the speed of the car at the recorded setting. Pressing the brake, accelerator or off button disables the system. Pressing resume or on re- enables the system. buttons

UCb 32 Model Structure The CONTROL system is structured as two processes. The main actions and interactions are as shown. The CONTROL system is structured as two processes. The main actions and interactions are as shown. Cruise Control Cruise Control Speed Control Speed Control User Engine engineOn engineOff on off resume brake accelerator clearSpeed recordSpeed enablecontrol disablecontrol dSpeed cSpeed acc

UCb 33 User Engine

UCb 34 The CARA System Computer Assisted Resuscitation System Purpose: automate delivery of intravenous fluids to injured persons in catastrophic situations Comprises: software to: monitor patient’s blood pressure control a high-output infusion pump

UCb 35 System Structure

UCb 36 System Structure

UCb 37 Case Studies: Protocols zPhilips Audio Protocol [HS’95, CAV’95, RTSS’95, CAV’96 ] zCollision-Avoidance Protocol [SPIN’95] zBounded Retransmission Protocol [TACAS’97] zBang & Olufsen Audio/Video Protocol [RTSS’97] zTDMA Protocol [PRFTS’97] zLip-Synchronization Protocol [FMICS’97] zMultimedia Streams [DSVIS’98] zATM ABR Protocol [CAV’99] zABB Fieldbus Protocol [ECRTS’2k] zIEEE 1394 Firewire Root Contention (2000)

UCb 38 visualSTATE VVS, CIT project

UCb 39 zNo local nor global dead-ends zNo never interpreted events zNo fired actions zNo conflicting transactions zNo unreachable states zAll combinations are checked! visualSTATE Tester Verification 100% Tested! No bugs allowed!

UCb 40 Train Simulator 1421 maskiner transitioner 2981 inputs 2667 outputs 3204 lokale tilstande Declare state sp.: 10^476 BUGS ?

UCb 41 Experimental Breakthroughs Patented Machine: 166 MHz Pentium PC with 32 MB RAM ---: Out of memory, or did not terminate after 3 hours.

UCb 42 Experimental Breakthroughs Patented Machine: 166 MHz Pentium PC with 32 MB RAM ---: Out of memory, or did not terminate after 3 hours. Vore teknikker har reduceret verifikationstiden med flere størrelsesordner (ex fra 14 dage til 6 sec)

UCb 43 Who is CISS ? Institute of Computer Science Institute of Computer Science Institute of Electronic Systems Institute of Electronic Systems Modelling and Validation; Programming Languages; Software Engineering Modelling and Validation; Programming Languages; Software Engineering Embedded Systems Communication; HW/SW Power Management Embedded Systems Communication; HW/SW Power Management Distributed Real Time Systems Control Theory; Real Time Systems; Networking. Distributed Real Time Systems Control Theory; Real Time Systems; Networking. UCb ICT Companies

UCb 44 Who is CISS ? Institute of Computer Science Institute of Computer Science Institute of Electronic Systems Institute of Electronic Systems Modelling and Validation; Programming Languages; Software Engineering Modelling and Validation; Programming Languages; Software Engineering Embedded Systems Communication; HW/SW Power Management Embedded Systems Communication; HW/SW Power Management Distributed Real Time Systems Control Theory; Real Time Systems; Networking. Distributed Real Time Systems Control Theory; Real Time Systems; Networking. UCb ICT Companies VTU 25.5 MDKK VTU 25.5 MDKK Regional Councils of Northern Jutland & Aalborg City 12 MDKK Regional Councils of Northern Jutland & Aalborg City 12 MDKK AAU MDKK AAU MDKK Companies MDKK Companies MDKK

UCb 45 Typical Activities zCo-financed R&D projects and case-studies zIndustrial training and education zSeminars, workshops and networks of knowledge transfer and exchange zPh.D. and industrial Ph.D. projects zVisiting Guest researchers zStudent projects

UCb 46 Organisation Søren Damgaard, IBM Jørgen Elbæk, RTX Steen Rasmussen, S-Card Frands Voss, MCI & Danfoss Flemming Fredriksen Anders P. Ravn Wladyslaw Pietraszek Søren Damgaard, IBM Jørgen Elbæk, RTX Steen Rasmussen, S-Card Frands Voss, MCI & Danfoss Flemming Fredriksen Anders P. Ravn Wladyslaw Pietraszek Henrik Schiøler Arne Skou Peter Koch Henrik Schiøler Arne Skou Peter Koch Kim Guldstrand Larsen

UCb 47 Member Companies

UCb 48 Where is CISS ? Aalborg University