Interface-based Design of Embedded Systems Thomas A. Henzinger University of California, Berkeley.

Slides:

Advertisements

Similar presentations

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Advertisements

Interface Theories in Practice Luca de Alfaro UC Santa Cruz GDV 2006.

An improved on-the-fly tableau construction for a real-time temporal logic Marc Geilen 12 July 2003 /e.

Interface Theories With Component Reuse Laurent DoyenEPFL Thomas HenzingerEPFL Barbara JobstmannEPFL Tatjana PetrovEPFL.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Interface-based design Philippe Giabbanelli CMPT 894 – Spring 2008.

Sensor Network Platforms and Tools

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Fault-Tolerant Real-Time Networks Tom Henzinger UC Berkeley MURI Kick-off Workshop Berkeley, May 2000.

EECS 20 Lecture 38 (April 27, 2001) Tom Henzinger Review.

Overview of PTIDES Project

Interface Automata 29-September Modeling Temporal Behavior of Component Component behaves with Environment Traditional (pessimistic) approach –

Convertibility Verification and Converter Synthesis: Two Faces of the Same Coin Jie-Hong Jiang EE249 Discussion 11/21/2002 Passerone et al., ICCAD ’ 02.

STARI: A Case Study in Compositional and Hierarchical Timing Verification Serdar Tasiran, Prof. Robert K. Brayton Department of Electrical Engineering.

Advanced Tool Architectures Supporting Interface-Based Design

Type System, March 12, Data Types and Behavioral Types Yuhong Xiong Edward A. Lee Department of Electrical Engineering and Computer Sciences University.

Models and Theory of Computation (MTC) EPFL Dirk Beyer, Jasmin Fisher, Nir Piterman Simon Kramer: Logic for cryptography Marc Schaub: Models for biological.

Department of Electrical Engineering and Computer Sciences University of California at Berkeley Behavioral Types for Actor-Oriented Design Edward A. Lee.

Behavioral Types as Interface Definitions for Concurrent Components Center for Hybrid and Embedded Software Systems Edward A. Lee Professor UC Berkeley.

02/02/20091 Logic devices can be classified into two broad categories Fixed Programmable Programmable Logic Device Introduction Lecture Notes – Lab 2.

EECS 20 Lecture 16 (February 26, 2001) Tom Henzinger Determinization.

Component-Interaction Automata for Specification and Verification of Component Interactions P. Vařeková and B. Zimmerova Masaryk University in Brno Czech.

Rich Interface Theories for Component-based Design Dirk Beyer ┼, Arindam Chakrabarti *, Luca de Alfaro **, Thomas A Henzinger * ┼, Marcin Jurdziński *,

1 Compositional Verification of Hybrid Systems Using Simulation Relations Doctorate Defense Goran Frehse Radboud Universiteit, Nijmegen, Oct. 10, 2005.

An Extensible Type System for Component-Based Design

1/31/20081 Logic devices can be classified into two broad categories Fixed Programmable Programmable Logic Device Introduction Lecture Notes – Lab 2.

Computation Engines: BDDs and SAT (part 2) 290N: The Unknown Component Problem Lecture 8.

Department of Electrical Engineering and Computer Sciences University of California at Berkeley System-Level Types for Component-Based Design Edward A.

Department of Electrical Engineering and Computer Sciences University of California at Berkeley Concurrent Component Patterns, Models of Computation, and.

EECE Hybrid and Embedded Systems: Computation T. John Koo, Ph.D. Institute for Software Integrated Systems Department of Electrical Engineering and.

Verifying Distributed Real-time Properties of Embedded Systems via Graph Transformations and Model Checking Gabor Madl

Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL.

NFA- to NFA conversion. Purpose This presentation presents an example execution of the algorithm which takes as input an NFA with -transitions and produces.

Automatic synthesis and verification of asynchronous interface controllers Jordi CortadellaUniversitat Politècnica de Catalunya, Spain Michael KishinevskyIntel.

Chapter 4 MATLAB Programming Logical Structures Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Verification of Hierarchical Component-Based Designs in FRESCO Tom Henzinger, Marius Minea, Vinayak Prabhu.

System-Level Types for Component-Based Design Paper by: Edward A. Lee and Yuhong Xiong Presentation by: Dan Patterson.

EECS 20 Lecture 36 (April 23, 2001) Tom Henzinger Safety Control.

Chapter 8 Asynchronous System Model by Mikhail Nesterenko “Distributed Algorithms” by Nancy A. Lynch.

SOLVING SUDOKU WITH MATLAB VERIFICATION FUNCTION correctness verification of the puzzle: checks if the current element appears twice in the same line,

Modeling Process CSCE 668Set 14: Simulations 2 May be several algorithms (processes) runs on each processor to simulate the desired communication system.

Model Checking Lecture 3 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.

Automatic Assumption Generation for Compositional Verification Dimitra Giannakopoulou (RIACS), Corina Păsăreanu (Kestrel) Automated Software Engineering.

Modelling III: Asynchronous Shared Memory Model Chapter 9 by Nancy A. Lynch presented by Mark E. Miyashita.

CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright , Matt Dwyer, John Hatcliff,

ECE/CS 584: PVS Tutorial Part 1 Lecture 05 Sayan Mitra 1.

Paper written by Flavio Oquendo Presented by Ernesto Medina.

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Timed I/O Automata: A Mathematical Framework for Modeling and Analyzing Real-Time Systems Frits Vaandrager, University of Nijmegen joint work with Dilsun.

6.852: Distributed Algorithms Spring, 2008 Class 13.

Natallia Kokash (Accepted for PACO’2011) ACG, 31/05/ Input-output conformance testing for channel-based connectors 1.

Linear Algebra. Circuits The circuits in computers and other input devices have inputs, each of which is either a 0 or 1, the output is also 0s and 1s.

1 Black-box conformance testing for real-time systems Stavros Tripakis VERIMAG Joint work with Moez Krichen.

Electrical and Computer Engineering University of Cyprus LAB 1: VHDL.

Shinya Umeno Nancy Lynch’s Group CSAIL, MIT TDS seminar September 18 th, 2009 Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol Using Event.

ECE/CS 584: Verification of Embedded Computing Systems Model Checking Timed Automata Sayan Mitra Lecture 09.

FPGA-Based System Design Copyright  2004 Prentice Hall PTR Topics n Modeling with hardware description languages (HDLs).

I/O & Interface Automata By Josh Lessard, Josh Taylor, Real Xu.

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Model Checking Lecture 2. Model-Checking Problem I |= S System modelSystem property.

CS5270 Lecture 41 Timed Automata I CS 5270 Lecture 4.

Model Checking Lecture 2 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.

Topics Modeling with hardware description languages (HDLs).

Chapter 4 MATLAB Programming

Topics Modeling with hardware description languages (HDLs).

CSEP590 – Model Checking and Automated Verification

Integration Testing CS 4311

Learning Intention I will learn about the standard algorithm for input validation.

Presentation transcript:

Interface-based Design of Embedded Systems Thomas A. Henzinger University of California, Berkeley

Interface-based Design

Compositional Component Models If A||B is defined and A  a and B  b, then a||b is defined and A||B  a||b. enable independent component verification Compositional Interface Models If a||b is defined and A  a and B  b, then A||B is defined and A||B  a||b. enable independent interface implementation

x  Nat  y  Nat\{0}  z = x  y A Component Model x  Nat  y  Nat\{0}  z  Nat An Interface Model -constrains the environment -example: type declaration -(mis)behaves in every environment -examples: circuit; executable code

 x,y.  z. ( x  Nat  y  Nat\{0}  z = x  y ) The Component Model input-universal (adversarial environment)  x,y.  z. ( x  Nat  y  Nat\{0}  z  Nat ) The Interface Model input-existential (helpful environment)

The Interface Model x  Nat y  Nat\{0} z  Nat Prescriptive: “How can the component be put together with other components?” Input assumptionOutput guarantee

x y z x=0  y=0 true Propagation of Environment Constraints

x y z x=0  y=0 true Propagation of Environment Constraints

x y z x=0  y=0 true y = 0  x,z. ( true  x=z  ( x=0  y=0 )) Propagation of Environment Constraints

y z true y = 0 The resulting interface. Propagation of Environment Constraints

y z true y = 0 Illegal connection. Propagation of Environment Constraints

Stateless interface models (traditional “types”): value constraints Stateful interface models (“behavioral types”): temporal ordering constraints, real-time constraints, etc. open_file? close_file? get_block? get_blockclose_fileopen_file put_block! put_block

a! b! a? b? a b

a! b! a? ?

a! b! a? A Component Model: I/O Automata This is an illegal component, because it is not prepared to accept input b. [ Lynch, also Lamport, Alur/H ]

a! b! a? a Another Component Model: CSP Composition may lead to deadlocks, and requires verification if this is undesirable. [ Hoare, also Milner, Harel ]

a! b! a? An Interface Model: Interface Automata These interfaces are incompatible, because the receiver expects the environment to provide input b. [ de Alfaro/H, also Dill ]

Component Models -composition || is conjunction/product -abstraction  is covariant Interface Models -composition || is game-theoretic -implementation  is contravariant

msg?send! nack?fail! ok!ack? acksend msgfailok ack?

msg?send! fail! ok!ack? send msgfailok msg! ok? msgokfail ack? ack

msgsend! fail! okack? acksend Incompatible product state, but environment can prevent this state. ack?

msgsend! fail! okack? send The Composite Interface. ack? ack

44 send! send The Composite Interface. ack? ack send!

Computing the Composite Interface 1.Construct product automaton. 2.Mark deadlock states as incompatible. 3.Until no more incompatible states can be added: mark state q as incompatible if the environment cannot prevent an incompatible state to be entered from q. 4.If the initial state is incompatible, then the two interfaces are incompatible. Otherwise, the composite interface is the product automaton without the incompatible states. This computes the states from which the environment has a strategy to avoid deadlock. The propagated environment constraint is that it will apply such a strategy.

x  Odd  y = 2x x  Nat y y = 2x y Component Abstraction Abstraction is implication (simulation; trace containment). x  Nat  

x  Odd Interface Implementation Implementation is I/O contravariant. x  Nat    x  Even

x  Nat Interface Implementation Implementation must obey output guarantee. x  Nat    x  Oddx  Nat X X

Interface Implementation Implementation must accept all permissible inputs. x  Even    x  Nat X X

msg?send! fail! ok!ack? acksend msgfailok ack?

msg?send! fail! ok!ack? acksend msgfailok msg?send! fail! ok!ack? acksend msgfailok 28 send!once? 2 2 fail! ok!ack? once  ack?

Alternating Simulation Q  q iff 1. for all inputs i, if q –i?-> q’, then there exists Q’ such that Q –i?-> Q’ and Q’  q’, and 2. for all outputs o, if Q –o!-> Q’, then there exists q’ such that q –o!-> q’ and Q’  q’. If there is a helpful environment at q, then there is a helpful environment at Q [Alur/H/Kupferman/Vardi].

Algorithms & Tools -interface compatibility (reachability game) can be checked in linear time -interface implementation (alternating simulation) can be checked in quadratic time We are currently implementing this in JBuilder [Chakrabarti/de Alfaro/H/Jurdzinski/Mang].