© 2012 Carnegie Mellon University Compositional Sequentialization of Periodic Programs Sagar Chaki 1, Arie Gurfinkel 1, Soonho Kong 2, Ofer Strichman 3.

Slides:

Advertisements

Similar presentations

Chapter 7 - Resource Access Protocols (Critical Sections) Protocols: No Preemptions During Critical Sections Once a job enters a critical section, it cannot.

Advertisements

Carnegie Mellon University Software Engineering Institute CERT® Knowledgebase Copyright © 1997 Carnegie Mellon University VU#14202 UNIX rlogin with stack.

© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.

A Hierarchical Co-ordination Language for Interacting Real-time Tasks Arkadeb Ghosal, UC Berkeley Thomas A. Henzinger, EPFL Daniel Iercan, "Politehnica"

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.

© 2011 Carnegie Mellon University System of Systems V&V John B. Goodenough October 19, 2011.

© 2010 Carnegie Mellon University B OXES : A Symbolic Abstract Domain of Boxes Arie Gurfinkel and Sagar Chaki Software Engineering Institute Carnegie Mellon.

© 2013 Carnegie Mellon University Academy for Software Engineering Education and Training, 2013 Session Architect: Tony Cowling Session Chair: Nancy Mead.

© 2011 Carnegie Mellon University Time Bounded Analysis of Real-Time Systems Arie Gurfinkel, Sagar Chaki, and Ofer Strichman Software Engineering Institute.

© 2012 Carnegie Mellon University UFO: Verification with Interpolants and Abstract Interpretation Arie Gurfinkel and Sagar Chaki Software Engineering Institute.

Chapter 5 CPU Scheduling. CPU Scheduling Topics: Basic Concepts Scheduling Criteria Scheduling Algorithms Multiple-Processor Scheduling Real-Time Scheduling.

© 2013 Carnegie Mellon University Static Analysis of Real-Time Embedded Systems with REK Arie Gurfinkel 1 joint work with Sagar Chaki 1, Ofer Strichman.

© Katz, 2003 Formal Specifications of Complex Systems-- Real-time 1 Adding Real-time to Formal Specifications Formal Specifications of Complex Systems.

CPSC 668Set 16: Distributed Shared Memory1 CPSC 668 Distributed Algorithms and Systems Fall 2006 Prof. Jennifer Welch.

Chess Review May 11, 2005 Berkeley, CA Composable Code Generation for Distributed Giotto Tom Henzinger Christoph Kirsch Slobodan Matic.

© 2011 Carnegie Mellon University Should-Cost: A Use for Parametric Estimates Additional uses for estimation tools Presenters:Bob Ferguson (SEMA) Date:November.

USER LEVEL INTERPROCESS COMMUNICATION FOR SHARED MEMORY MULTIPROCESSORS Presented by Elakkiya Pandian CS 533 OPERATING SYSTEMS – SPRING 2011 Brian N. Bershad.

© Katz, 2007 Formal Specifications of Complex Systems-- Real-time 1 Adding Real-time to Formal Specifications Formal Specifications of Complex Systems.

5: CPU-Scheduling1 Jerry Breecher OPERATING SYSTEMS SCHEDULING.

Real-Time Kernels and Operating Systems. Operating System: Software that coordinates multiple tasks in processor, including peripheral interfacing Types.

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

Scheduling Master - Slave Multiprocessor Systems Professor: Dr. G S Young Speaker:Darvesh Singh.

Ipek Ozkaya, COCOMO Forum © 2012 Carnegie Mellon University Affordability and the Value of Architecting Ipek Ozkaya Research, Technology.

Advances in Language Design

© 2010 Carnegie Mellon University Team Software Process.

Verifying Concurrent Message- Passing C Programs with Recursive Calls Sagar Chaki, Edmund Clarke, Nicholas Kidd, Thomas Reps, and Tayssir Touili.

REAL-TIME SOFTWARE SYSTEMS DEVELOPMENT Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Lecture 5 Operating Systems.

OPERATING SYSTEMS CPU SCHEDULING.  Introduction to CPU scheduling Introduction to CPU scheduling  Dispatcher Dispatcher  Terms used in CPU scheduling.

Advanced Operating Systems CIS 720 Lecture 1. Instructor Dr. Gurdip Singh – 234 Nichols Hall –

© 2013 Carnegie Mellon University Verifying Periodic Programs with Priority Inheritance Locks Sagar Chaki 1, Arie Gurfinkel 1, Ofer Strichman 2 FMCAD,

Scientific Computing By: Fatima Hallak To: Dr. Guy Tel-Zur.

Real-Time Scheduling CS4730 Fall 2010 Dr. José M. Garrido Department of Computer Science and Information Systems Kennesaw State University.

CS6133 Software Specification and Verification

Conformance Test Experiments for Distributed Real-Time Systems Rachel Cardell-Oliver Complex Systems Group Department of Computer Science & Software Engineering.

© 2014 Carnegie Mellon University Synthesizing Safe Bit-Precise Invariants Arie Gurfinkel (SEI / CMU) Anton Belov (UCD / Synopsys) Joao Marques-Silva (UCD)

ICS 313: Programming Language Theory Chapter 13: Concurrency.

Network Computing Laboratory A programming framework for Stream Synthesizing Service.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Concurrency & Dynamic Programming.

Author Software Engineering Institute

Software Transactional Memory Should Not Be Obstruction-Free Robert Ennals Presented by Abdulai Sei.

13-1 Chapter 13 Concurrency Topics Introduction Introduction to Subprogram-Level Concurrency Semaphores Monitors Message Passing Java Threads C# Threads.

A presentation for Brian Evans’ Embedded Software Class By Nate Forman Liaison Technology Inc. 3/30/2000 For Real-Time Scheduling.

Lecture 2, CS52701 The Real Time Computing Environment I CS 5270 Lecture 2.

1 Distributed BDD-based Model Checking Orna Grumberg Technion, Israel Joint work with Tamir Heyman, Nili Ifergan, and Assaf Schuster CAV00, FMCAD00, CAV01,

CGS 3763 Operating Systems Concepts Spring 2013 Dan C. Marinescu Office: HEC 304 Office hours: M-Wd 11: :30 AM.

CSCE 668 DISTRIBUTED ALGORITHMS AND SYSTEMS Fall 2011 Prof. Jennifer Welch CSCE 668 Set 16: Distributed Shared Memory 1.

© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.

1.  System Characteristics  Features of Real-Time Systems  Implementing Real-Time Operating Systems  Real-Time CPU Scheduling  An Example: VxWorks5.x.

Agenda  Quick Review  Finish Introduction  Java Threads.

© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,

RTAS 2014 Bounding Memory Interference Delay in COTS-based Multi-Core Systems Hyoseung Kim Dionisio de Niz Bj ӧ rn Andersson Mark Klein Onur Mutlu Raj.

1 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution.

Secure Software Workforce Development Panel Session

Temporal Protection in Real-Time Systems

Michael Spiegel, Esq Timothy Shimeall, Ph.D.

EEE Embedded Systems Design Process in Operating Systems 서강대학교 전자공학과

Applied Operating System Concepts -

Metrics-Focused Analysis of Network Flow Data

Real-time Software Design

Over-Approximating Boolean Programs with Unbounded Thread Creation

Threads and Memory Models Hal Perkins Autumn 2009

CS 501: Software Engineering Fall 1999

CPU SCHEDULING.

Threads Chapter 4.

A Refinement Calculus for Promela

Verifying Periodic Programs with Priority Inheritance Locks

Presentation transcript:

© 2012 Carnegie Mellon University Compositional Sequentialization of Periodic Programs Sagar Chaki 1, Arie Gurfinkel 1, Soonho Kong 2, Ofer Strichman 3 Jan 22, Software Engineering Institute, CMU 2 Computer Science Department, CMU 3 Technion, Israel Institute of Technology TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAA A A A AA

2 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Time-Bounded Verification of Periodic Programs Periodic Program Collection of periodic tasks Execute concurrently with fixed-priority scheduling Priorities respect RMS Communicate through shared memory Synchronize through preemption and priority ceiling locks Time-Bounded Verification Assertion A violated within X ms of a system’s execution from initial state I? A, X, I are user specified Time bounds map naturally to program’s functionality (e.g., air bags) Assumptions System is schedulable WCET of each task is given

3 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Motivation: Real-Time Embedded Systems Avionics Mission System * Rate Monotonic Scheduling (RMS) * Locke, Vogel, Lucas, and Goodenough. “Generic Avionics Software Specification”. SEI/CMU Technical Report CMU/SEI-90-TR-8-ESD-TR , December, 1990 TaskPeriod weapon release10ms radar tracking40ms target tracking40ms aircraft flight data50ms display50ms steering80ms

4 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Periodic Program (PP) An N-task periodic program PP is a set of tasks {  1, …,  N } A task  is a tuple  I, T, P, C, A , where I is a task identifier T is a task body (i.e., code) P is a period C is the worst-case execution time A is the release time: the time at which task becomes first enabled Semantics of PP is given by an asynchronous concurrent program: Hyper-period = Least Common Multiple of all periods Program is harmonic if periods are multiples of each other k i = 0; while (Wait( i, k i )) T i (); k i = k i + 1; k i = 0; while (Wait( i, k i )) T i (); k i = k i + 1; parallel execution w/ priorities parallel execution w/ priorities blocks task i until next arrival time blocks task i until next arrival time

5 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Time Bounded Semantics of Periodic Program Assumptions (A1) Time window W is divisible by the hyper-period (i.e., W | H ) (A2) Each task arrives in time to complete in 1 st period (i.e., A i + RT i  P i ) The time bound imposes a natural bound on # of jobs: J i = W / P i Time-Bounded Semantics of PP is Job-Bounded Abstraction Abstracts away time Approximates Wait() by a non-deterministic delay Preserves logical (time-independent) properties! k i = 0; while (k i < J i && Wait( i, k i )) T i (); k i = k i + 1; k i = 0; while (k i < J i && Wait( i, k i )) T i (); k i = k i + 1;

6 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Our tool: REK Supports C programs w/ tasks, priorities, priority ceiling protocol, shared variables Works in two stages: 1.Sequentialization – reduction to sequential program w/ prophecy variables 2.Bounded program analysis: CBMC, HAVOC, others SequentializationAnalysis Periodic Program in C Sequential ProgramOK BUG + CEX Periods, WCETs, Initial Condition, Time bound Contribution 1: Compositional Sequentialization – allows fewer interleavings between tasks and shorter counterexamples without losing soundness Contribution 2: Empirical evaluation showing improvement Uses non-determinism (prophecy variables) to allow all possible interleavings between jobs

7 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Example: A Harmonic PP DEFG BC A 22 TaskWCET (C i ) Period (P i ) Arrival Time (A i ) 22 140 11 280 0 00 11 3 processors

8 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Example: One Task Schedule DEFG BC AAA 22 00 11 1 processor TaskWCET (C i ) Period (P i ) Arrival Time (A i ) 22 140 11 280 00 5160

9 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Compositional sequentialization Leverages two types of temporal separation between jobs Intra-Hyper-Period Between jobs within the same hyper-period Prevents certain jobs in the same hyper-period from interleaving based on their priorities, arrival times, and worst-case execution times Inter-Hyper-Period Between jobs across different hyper-periods Prevents interleaving between jobs from different hyper-periods Relies on assumption A2, which guarantees that all jobs in hyper-period i complete before any job in hyper-period (i+1) starts.

10 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Intra-Hyper-Period Temporal Separation Monolithic Sequentialization (FMCAD11) (A) || (B;C) || (D;E;F;G) Monolithic Sequentialization (FMCAD11) (A) || (B;C) || (D;E;F;G) D starts and finishes before B B starts and finishes before A G starts and finished after every other job Compositional Sequentialization (VMCAI13) D;B; (A || (E;F;C)); G Compositional Sequentialization (VMCAI13) D;B; (A || (E;F;C)); G F starts and finishes before C E starts and finishes before F

11 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Inter-Hyper-Period Temporal Separation Monolithic Sequentialization (FMCAD11) (A;A) || (B;C;B;C) || (D;E;F;G; D;E;F;G) Monolithic Sequentialization (FMCAD11) (A;A) || (B;C;B;C) || (D;E;F;G; D;E;F;G) Under assumptions A1 and A2, All HP1 jobs end before any HP2 job starts Compositional Sequentialization (VMCAI13) D;B; (A || (E;F;C)); G ; D;B; (A || (E;F;C)); G Compositional Sequentialization (VMCAI13) D;B; (A || (E;F;C)); G ; D;B; (A || (E;F;C)); G HP1HP2

12 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Partition Execution into Rounds Execution starts in round 0 A round ends, and a new one begins, each time a job finishes # rounds == # of jobs DEFG BC AAA 22 00 11 0 Rounds

13 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Compositional Sequentialization Sequential Program for execution of R rounds: 1.for each global variable g, let g[i] be the value of g in round i 2.(ScheduleJobs) choose for each job j – start round: start[j] – end round: end[j] 3.(RunJobs) execute job bodies sequentially – in some well-defined total order – for global variables, use g[i] instead of g when running in round i – non-deterministically decide where to context switch – at a context switch jump to a new round (cannot preempt a higher task) 4.(CheckAssumptions) check that initial value of round i+1 is the final value of round i 5.(CheckAssertions) check user assertions Constrained by /, Done as soon as job ending at round i is over. Done as soon as job (containing the assertion) and step 4 are over. Ordered Define three job orderings based on priorities, WCET, and arrival time: /,

14 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Job Ordering J 1 / J 2  (¼(J 1 ) · ¼(J 2 ) Æ D(J 1 ) · D(J 2 )) Ç (¼(J 1 ) > ¼(J 2 ) Æ A(J 1 ) · A(J 2 )) J 1 completes before J 2 starts J 1 " J 2  (¼(J 1 ) < ¼(J 2 ) Æ A(J 1 ) < A(J 2 ) < D(J 1 )) J 1 “could be” (due to WCET) preempted by J 2 J J 2  (J 1 / J 2 ) Ç (J 1 " J 2 ) Total order: lexicographic by (A,-¼) (see Lemma 1) Priority Departure Time Arrival Time

15 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Compositional Sequentialization: ScheduleJobs

16 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Case Study: A Metal Stamping Robot a.k.a. LEGO Turing Machine Image courtesy of Taras Kowaliw

17 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Turing Machine: Task Structure

18 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University When writer flips a bit, the tape motor and read motor should stop. Controller Task Writer Task An Example Property

19 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University NXTway-GS: a 2 wheeled self-balancing robot Original: nxt (2 tasks) balancer (4ms) – Keeps the robot upright and responds to BT commands obstacle (50ms) – monitors sonar sensor for obstacle and communicates with balancer to back up the robot Ours: aso (3 tasks) balancer as above but no BT obstacle as above bluetooth (100ms) – responds to BT commands and communicates with the balancer Verified consistency of communication between tasks

20 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Results: Turing Machine 400x speedup Timeout (1 day)success

21 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Results: Self-Balancing Robot

22 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Results: Self-Balancing Robot

23 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Related Work Sequentialization of Concurrent Programs (Lal & Reps ‘08, and others) Context Bounded Analysis of concurrent programs via sequentialization Arbitrary concurrent software Non-deterministic round robin scheduler Preserve executions with bounded number of thread preemptions Allow for arbitrary number of preemptions between tasks Sequentialization of Periodic Programs (Kidd, Jagannathan, Vitek ’10) Same setting as this work Alternative sol’n: replace preemptions by non-deterministic function calls Additionally, supports recursion and inheritance locks No publicly available implementation – would be interesting to compare Verification of Time Properties of (Models of) Real Time Embedded Systems

24 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University Conclusion Past (FMCAD’11) Time Bounded Verification of Periodic C Programs Small (but hard) toy programs Reader/Writer protocols (with locks and lock-free versions) A robot controller for LEGO MINDSTORM from nxtOSEK examples Present (VMCAI’13) Taking into account additional timing constraints for improved scheduling – arrival times, harmonicity, etc. A Lego Metal Stamping Robot (a.k.a. Turing Machine) (look for Turing Machine demo) Current Work Verification without the time bound Back-End Verification engine Abstraction / Refinement Additional communication and synchronization – Priority-inheritance locks, message passing Modeling physical aspects (i.e., environment) more faithfully More Case studies and model problems

25 Verifying Periodic Real-Time Software Chaki, Gurfinkel, Strichman © 2012 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at Carnegie Mellon® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. DM

© 2012 Carnegie Mellon University QUESTIONS? Sagar Chaki