Formal Analysis and Verification of Real-Time Systems Albert M. K. Cheng Real-Time Systems Laboratory University of Houston

Correctness of Real-Time Systems Satisfaction of logical correctness constraints Satisfaction of timing constraints

Presentation Outline Model of a real-time system Specification, analysis, and verification Explicit-state and symbolic model checking Real-time logic and constraint-graph analysis Analysis of real-time rule-based system

A Real-Time System A D XY S Sensor input Decision, action State

Specification, analysis, and verification Structural/Functional Behavioral - Sequence of events and actions Given: Specification (SP), Safety Assertion (SA) Goal: Relate SP to SA Analysis - 3 cases: SA is a theorem derivable from SP. SA is unsatisfiable with respect to SP. Negation of SA is satisfiable under certain conditions.

Analysis Techniques Simulation Testing Verification Run-time monitoring

Model Checking Specification represented as a labeled finite-state Graph (Kripke structure) Safety assertion written as temporal logic formula Is the finite-state graph a model of the temporal logic formula?

Computation Tree Logic CTL Propositional, branching-time temporal logic Next-time operator X, Until operator U A(E)X f : f holds in every (some) immediate successor of current state A(E)[f1 U f2] : for every (some) computation path, there exists an initial prefix of the path such that f2 holds at the last state of the prefix and f1 holds at all other states along the prefix

Example; Solution to Mutual Exclusion Problem N1,N2 T1,N2 C1,T2 N1,T2 C1,N2T1,T2 N1,C2 T1,C2

CTL abbreviations AF(f) = A[True U f]: f holds in the future along every path from the initial state s0, so f is inevitable EG(f) = NOT AF(NOT f) EF(f) = E[True U f]: there is some path from the initial state s0 that leads to a state at which f holds, so f potentially holds AG(f) = NOT EF(NOT f)

Explicit-State Model Checking for (fi=flength; fi >= 1; fi--) labelgraph(fi,s,&correct); labelgraph (fi,s,b) short fi, s; Boolean *b; { short i; switch(nf[fi-1][0].opcode) { case atomic: atf(fi,s,b); break; case nt: ntf(fi,s,b); break; case ad: adf(fi,s,b); break; case ax: axf(fi,s,b); break; case ex: exf(fi,s,b); break;

case au: for (i=0; i <= numstates; i++) marked[i] = false; for (i=0; i <= numstates; i++) if (!marked[i]) auf(fi,s,b); break; case eu: euf(fi,s,b); break; } Explicit-State Model Checking

Symbolic Model Checking Transition relation between the values of the variables in the current and the next states can be stated as a Boolean formula Use Binary Decision Diagrams (BDDs) to present this Boolean formula Apply model checker to finite-state graph represented as BBDs

Real-Time CTL Existentially Bounded Until operator: E[f_1 U[x,y] f_2] at state s_0 means there exists a path beginning at s_0 and some i such that x <= i <= y and f_2 holds at state s_i and forall j < i, f_1 holds at state s_j Min/max delays Min/max number of condition occurrences

Event-Action Model Action: schedulable unit of work primitive or composite X;Y X||Y X!N !NY State predicate: assertion about state of the system Timing constraints Event: temporal marker - 4 types external: cannot be cause by system start: begin action stop: end action transition: change in certain state attribute

Timing Constraints Periodic: while execute with period = deadline = Sporadic: when execute with deadline = separation =

Non-Real-Time Temporal Logic Conventional temporal logic: concerns with relative ordering of events A;(B||C) means ABC or ACB Can model interleaving actions Cannot model parallel actions To deal with absolute timing, add clock variable: clock := clock + c, execute after every action Acceptable only if actions are executed in sequential order

Real-Time Logic 3 types of constants action in capital letters: primitive or composite (partial ordering of events) A.B B appears in composite action A start and stop events: ^A event marking the initiation of action A vA event marking the completion of action A ^A.B ^A.B2

Real-Time Logic Transition event constants: (S := T) (S := F) External event constants: omega BUTTON1 pressing button number 1 Integer --> W E event, W nonnegative = time of the i-th occurrence of event e Timing property can be established by showing there does not exist an occurrence function which is consistent with the specification in conjunction with the negation of the safety property under investigation

Examples of RTL Formulas Forall = t -> t >= 0 Forall i forall j = t and i t < t‘t and forall x) x) x) x) + 30 forall y) + 15 y)

Example: Safety Assertion in RTL forall t forall t) t) u) u) t) + 45

Analysis of Rule-Based Systems The RULES section is composed of a finite set of rules each of which is of the form: a1 := b1 ! a2 := b2 ! … ! am := bm IF enabling condition VAR = set of variables on left-hand side of the assignment, i.e., the ai’s VAL = expressions on right-hand side of assignment, i.e., the bi’s EC = enabling condition

Simple Rule-Based Program (* 1 *) object_detected := true IF sensor_a = 1 AND sensor_a_status = good (* 2 *) []object_detected := true IF sensor_b = 1 AND sensor_b_status = good (* 3 *) []object_detected := false IF sensor_a = 0 AND sensor_a_status = good (* 4 *) []object_detected := false IF sensor_b = 0 AND sensor_b_status = good

State Space Representation A D E F G H FP1 FP2 C L J K B I M N P FP3

Problem Complexity In general, the analysis problem is undecidable if the program variables can have infinite domains, i.e., there is no general procedure for answering all instances of the decision problem.

Proof Outline Any two-counter machine can be encoded by an equational rule-based program that uses only `+' and `-' as operations on integer variables and `>', `=' as atomic predicates such that a two-counter machine accepts an input if and only if the corresponding equational rule-based program can reach a fixed point from an initial condition determined by the input to the two-counter machine.

Analysis Problem is Solvable for some Cases All the variables of an equational rule- based program range over finite domains. Set of variables in VAR and set of variables in VAL and EC are disjoint. Enabling conditions are mutually exclusive. Only constants are assigned to variables in VAR.

Compatibility of Rules Let L_x denote the set of variables appearing in LHS of rule x. Two rules a and b are said to be compatible iff at least one of the following conditions holds: (CR1) Test a and test b are mutually exclusive. (CR2) L_a and L_b are disjoint. (CR3) Suppose L_a and L_b are not disjoint. Then for every common variable v in L_a and L_b, the same expression must be assigned to v in both rule a and b.

Special Form A Let L and T be sets of variables in VAR and EC of rules. A set of rules are in special form A if the following conditions hold: (1) Constant terms are assigned to all the variables in L. (2) All of the rules are compatible pairwise. (3) L and T are disjoint.

Example 1. a1 := true IF b = true AND c = true 2. [] a1 := true IF b = true AND c = false 3. [] a2 := false IF c = true Rules 1 and 2 are compatible by conditions CR1 and CR3. Rules 1 and 3 are compatible by condition CR2. Rules 2 and 3 are compatible by condition CR2.

General Analysis Strategy Rule-based program Simpler programs Rule rewriter State-space analyzer Special form recognizer No independent ruleset in special form Independent rulsets in special form(s)

Example input: read(b, c) 1. a1 := true IF b = true AND c = true 2.[]a1 := true IF b = true AND c = false 3.[]a2 := false IF c = true 4.[]a3 := true IF a1 = true AND a2 = false 5.[]a4 := true IF a1 = false AND a2 = false 6.[]a4 := false IF a1 = false AND a2 = true input: read(b, c) 1. a1 := true IF b = true AND c = true 2.[]a1 := true IF b = true AND c = false 3.[]a2 := false IF c = true

Applications of Analysis Tools Cryogenic Hydrogen Pressure Malfunction Procedure in the Pressure Control System of the Space Shuttle Vehicle Integrated Status Assessment Expert System Fuel Cell Expert System Orbital Maneuvering and Reaction Control System

New Textbook Albert Cheng - Real-Time Systems: Scheduling, Analysis, and Verification (John Wiley & Sons) ISBN # , Wiley & Sons) ISBN # , For senior-level undergraduate/first-year graduate courses in real-time systems, embedded systems (software and hardware) engineering, and formal methods. Serves as a supplement to courses in operating systems and system design, as well as a reference for practitioners and researchers.