The Mana Project Lars Asplund Kristina Lundqvist Uppsala University, Information Technology, Dept of Computer Systems
The Mana Project Lars Asplund Kristina Lundqvist Uppsala University, Information Technology, Dept of Computer Systems
Background Formal methods have been used in a number of safety critical systems –TGV –train signalling system in Paris Today's safety critical systems use cyclic executives. Research take for granted that a system consists of processes (scheduling, priorities), and that there is communications between these. Process based safety critical systems - formal methods (Raven, Enea …)
Ada-83 Tasking Rendez-vous Dynamic Hierarchy Termination... Ada83 For High Integrity Systems Subsets: SPARK (No tasking) Boeing... Complex Run-Time No Formal Proofs
Ada-95 Tasking Rendez-vous Dynamic Hierarchy Termination... Protected Objects ATC requeue delay until new interrupts task attributes... Ada95Subsets: GNORT (Gnat NO Run-Time) SPARK-95 Ravenscar Tasking Protected Objects delay until new interrupts task attribute
Ada 95 and Ravenscar The Ravenscar profile has been proposed as a possible standard runtime support system suitable for safety critical real-time Ada 95 applications. The subset provides enough functionality for targeted systems.
Ravenscar - tasking Library level No dynamic creation No unchecked deallocation Non-terminating No entries No user defined attributes Keep task discriminants No ATC
Ravenscar - Protected Objects Single Entry Barrier a single Boolean Only one task in the entry queue
Ravenscar - Communication No Rendez vous No requeue No select statement Interrupts are mapped only to PO procedures
Ravenscar - Real Time delay until for delays No Calendar Clock from Real-Time package No dynamic priorities Immediate Ceiling Priority
Ravenscar Key real-time features include: Fixed set of processes (tasks), with fixed priority scheduling. –No hierarchy of tasks. –Tasks are non-terminating. ‘Delay until’ operations, allowing the implementation of periodic tasks. Basic provision for releasing sporadic processes in response to interrupts.
Two approaches Build and test –Raven Formally verify –Mana
The Mana Project Project Aim: Develop and model a run-time system using formal development methodologies. Implement for the gnu Ada- 95 compiler. Target: Safety critical systems at the highest degree of safety, e.g. Nuclear power plants, ATC, aircraft,...
The Mana Project Chosen language: –Subset of Ada 95: Ravenscar Representation model: Timed Automata –FSAs extended with clocks and constraints Verification scheme: A Real-Time Model Checker –UPPAAL: Modelling, simulation, and verification tool
A System Model Scheduler PO T1 T2T3 Delay Queue Clock T0 Application Run-Time Kernel P E F Delay until Task dispatch Ready Queue
A Verification Session Design.Timed Automata Model of 1. An application (user code) 2. Run-time kernel (Mana) Simulation of design Verification by checking reachability properties
A System Model Scheduler PO T1 T2T3 Delay Queue Clock T0 Application Run-Time Kernel P E F Delay until Task dispatch Ready Queue
Simple application (T1) task body T1 is -- at priority 1 NextTime : Time := Clock ; begin loop Work (5); delay until NextTime; PO.P; -- releases the PO entry NextTime := NextTime ; end loop; end T1; Delay seq Prot Proc
Protected Procedure Calling Task Procedure Start Procedure begin Preemption Release of Entry
Task T2 task body T2 is -- at priority 2 Cond : Boolean := false; begin loop Work (10); if Cond then PO.E; else Cond := not Cond; Work (5); end if; Work (4); end loop; end T2; Prot Entry
Protected Entry Calling Task Entry Start Lock Free and no Barrier Barrier true Released by Procedure
Protected Entry Calling Task ExecutingPreemption ExceptionPreemption in exception Normal end
Task T3 task body T3 is -- at priority 3 NextTime : Time := Clock ; begin loop case Cmd is when Ack => for I in 1..4 loop Work (5); PO.P; end loop; when Connect => Work (15); when Disconnect => Work (20); when Send => Work (10); end case; delay until NextTime; NextTime := NextTime ; end loop; end T3; Prot Proc Delay
A view of the System F P E Prot Obj Scheduler T1 T2T3 Delay Queue Clock T0 Delay until Task dispatch Ready Queue
Miscellaneous Protected Function Delay Queue System Clock
The Run-Time System F P E Prot Obj
Task T1 task body T1 is -- at priority 1 NextTime : Time := Clock ; begin loop work (5); delay until NextTime; PO.P; -- releases the PO entry NextTime := NextTime ; end loop; end T1; Delay seq Prot Proc
Building the System F P E Prot Obj T1
Task T2 task body T2 is -- at priority 2 Cond : Boolean := false; begin loop work (10); if Cond then PO.E; else Cond := not Cond; work (5); end if; work (4); end loop; end T2; Prot Entry
A more Complete System F P E Prot Obj T1 T2
Task T3 task body T3 is -- at priority 3 NextTime : Time := Clock ; begin loop case Cmd is when Ack => for I in 1..4 loop work (5); PO.P; end loop; when Connect => work (15); when Disconnect => work (20); when Send => work (10); end case; delay until NextTime; NextTime := NextTime ; end loop; end T3; Prot Proc Delay
A Complete System F P E Prot Obj T1 T2 T3
Scheduler and Idle process Resume! Suspend! Resume! Preempt! Resume? Pcpu:= PLow Preempt? Start Idle Process is running Resume? Pcpu:= PMed Resume? Pcpu:= PHigh Medium Process available Medium Process running Idle Process Preempted High Process available High Process running Medium Process Preempted Idle Process Scheduler
Verifying Reachability Properties Statements format: Invariant( ) Possible( ) Where (atomic-formula) | | ’ Examples: –Possible(CPU’Count > 1) At any point in time, there must be only one task executing –Invariant(P.Completed and E.Queue’Count > 0 and E.Barrier imply Exec(E.Code, P.Context))
Conclusions and future work Have today modelled a full Ravenscar compliant RTK –PO: priorities, preemption Procedure, Function and Entry Release on behalf –delay until –exception handling in PO –interrupt
Conclusions and future work Verified the Mana-RTK together with a small application Next step is to implement the Mana-RTK –Automatic translation from Ada into TA