Model-Based Design and Verification of Embedded Systems Radu Grosu SUNY at Stony Brook

Talk Outline  Current trends in embedded software  Hierarchic mode diagrams [POPL00,TOPLAS03]  Modular reasoning [POPL00,ASE01,TOPLAS03]  Efficient analysis [CAV00,CAV03,ICSE01]  Extensions and tools [ASE01,HSCC00-01,EW02]  Current research projects [Career02,Reuters02]

A Quiet Computing Revolution Most computation no longer occurs on PCs and servers but rather in embedded devices like: automobiles, cell phones, insulin pumps and aircraft. The extent of the embedded systems revolution can be seen in a In-Stat/MDR report : 5.7 billion embedded microprocessors shipped in % of all shipped microprocessors 11% forecasted annual growth through 2006.

Embedded Controllers Control functionality of embedded processors: Traditionally it was application specific and with minimal amount of software. Today it demands sophisticated services such as networking capabilities and preemptive scheduling, and is typically implemented in software (EOSs). The cost of software-enabled control: Continental estimates it to 18% of the total cost of a vehicle in For the automotive industry the cost was half of Microsoft revenue in 2001.

Embedded Software Properties Written in high level programming languages: Typically in C but increasingly in Java or C++. Very stringent dependability requirements: human safety, consumer expectations, liability and government regulation BMW recalled 15,000 7-series sedans in 2002 at an estimated cost of $50 million. Very difficult to debug because of: concurrency, interrupts, exceptions, process scheduling and hardware-in-the-loop.

Trends in Assuring Dependability Maturity and convergence of various methods: Theorem provers, model checkers and compilers use each other techniques, Run-time verification and testing tools use formal models to derive monitors and tests. Typical techniques to combat state explosion: Efficient data structures, Refinement and abstraction, Modular reasoning.

Integrative Model Hierarchic state machines as common model: As properties: omega/tree automata, As designs: finite observation (Kripke) structures, As code: structured control-flow graphs. Advantages of using this model: Support: CAV and compiler-based techniques, Abstraction: navigate between code and properties, Structure: modular reasoning and state exploration, Appeal: software engineers happy (UML, SDL).

Hierarchic state machine model featuring: hierarchic states, state sharing, group transitions, history. Observational trace semantics: state refinement, compositional and assume/guarantee reasoning. Efficient model checking Symbolic as well as enumerative, Heuristics to exploit the hierarchical structure. Hierarchic Reactive Modules

Characteristics Description is hierarchic. Well defined interfaces. Supports black-box view. Model checking Compositional reasoning. Assume/guarantee reasoning. E.g. in SMV, jMocha. Architecture (Telephone Exchange) TelExchange ti 1 to 1 ti n to n TelSw 1 TelExchange Bus TelSw n bo 1 bi 1 bo n bi n ti 1 to 1 ti n to n …

Behavior (TelSw) connecting talking ok call gettingNo ok answ onHookoffHook onH call answ rtB ti=rtB/to=bsy read ti : TelI; write to : TelO; local nr : (0..n) Characteristics Description is a hierarchic Kripke structure (EFSM). group transitions, history. Well defined interfaces. data & control interfaces black-box view. Model checking Efficient analysis, Compositional reasoning, Assume/guarantee reasoning.

Hierarchic Behavior Diagrams Software engineering Statecharts: introduced in 1987 by David Harel, Key component in OO Methods: UML, ROOM, OMT, etc, Event based. Formal methods Informal diagrams: for LTSs (CCS or CSP processes), Proof diagrams: for FTS (Pnueli, Manna) Event based and state-based respectively. Compilers (program analysis) Structured control-flow graphs, State-based (variables), entry/exit points, Sequential programs: no trace semantics or refinement rules.

Modes and Contexts A mode (context) is a tuple (C,V,SM,T) consisting of: Control points C = E  X: Entry points E: finite set. Exit points X: finite set Variables V = V r  V w  V l : Read variables V r : finite set Write variables V w : finite set Local variables V l : finite set Submodes m  SM visible or not: m.V r  V r  V l, m.V w  V w  V l Transitions (e, ,x): e  E  SM.X, x  X  SM.E    V r  V l   V w  V l ringing rtBrtE rtB offH onHook answ onH idle offH call ini onH read ti : TelI; write to : TelO; local nr : (0..n)

ringing rtBrtE rtB offH onHook answ onH idle offH call ini Semantics of Modes Executions (game semantics) Environment round:from exit points to entry points. Mode round: from entry points to exit points. Example: (ini,s 0 )  (call,s 1 )  (onH,s 2 )  (answ,s 3 ) ~(offH|rtB|rtE) dxde ~(offH|rtB)h=idle h=ringing (ini,s 5 )  (idle,t 6 )  (dx,s 6 ) Micro steps: (ini,s 0 )  (idle,t 1 )  (call,s 1 )

answ onHook onH call ini dxde Refinement inclusion of trace sets, modular w.r.t. mode encapsulation. (ini,s 5 )  (idle,t 6 )  (dx,s 6 ) Semantics of Modes Executions (game semantics) Environment round:from exit points to entry points. Mode round: from entry points to exit points. Example: (ini,s 0 )  (call,s 1 )  (onH,s 2 )  (answ,s 3 ) Micro steps: (ini,s 0 )  (idle,t 1 )  (call,s 1 ) Traces (proj. on global vars) traces of the sub-modes the mode’s transitions.

Modular Reasoning Compositional Reasoning Central to many formalisms: CCS, I/O Automata,TLA, etc. Circular Assume/Guarantee Reasoning Valid only when the interaction of a module with its environment is non-blocking. Terminology Compositional and assume/guarantee reasoning based on observable behaviors. Application area Only recently is being automated by model checkers, Until now restricted to architecture hierarchies.

Compositional Reasoning N N’ < M < M’ N M N’ M < Sub-mode refinement N M < N M’ Super-mode refinement

Assume/Guarantee Reasoning MM’ N’ < N M < M’ N’ M’ N’ N <

Efficient Reachability Analysis (SS) Mixed representation Control-flow graph has an explicit representation. Sets of states associated to a control point are represented implicitly with BDDs. Transitions between control points are represented implicitly with BDDs. Model checking Control-flow graph traversal. v 4 (x) = (  x. v 3 (x) & t 3 (x,x’))[x/x’] b 1 :B b 2 :B A u2u2 u1u1 u3u3 d :A B v1v1 v2v2 v3v3 v4v4 v5v5 v6v6 v7v7 t1t1 t2t2 t4t4 t3t3 t5t5 t6t6 t7t7 t1t1 t2t2 t3t3 t4t4 t5t5 t6t6 bdd of t 3 (x,x’) bdd of u 1 (x)  y. v 7 (y)

Efficient Reachability Analysis (SS) Mixed representation Control-flow graph has an explicit representation. Sets of paths associated to a control point are represented implicitly with BDDs. Transitions between control points are represented implicitly with BDDs. Model checking Control-flow graph traversal. b 1 :B b 2 :B A u2u2 u1u1 u3u3 d :A B v1v1 v2v2 v3v3 v4v4 v5v5 v6v6 v7v7 t1t1 t2t2 t4t4 t3t3 t5t5 t6t6 t7t7 t1t1 t2t2 t3t3 t4t4 t5t5 t6t6 bdd of t 3 (x,x’) bdd of u 1 (x,x’) v 4 (x,x’) = (  x’.t 1 (x,x’) & t 3 (x’,x’’))[x’/x’’]

b 1 :B b 2 :B A B v1v1 v2v2 v3v3 v4v4 v5v5 v6v6 v7v7 t2t2 t5t5 t1t1 t2t2 t3t3 t4t4 t5t5 t6t6 Efficient Reachability Analysis (SS) u2u2 u1u1 u3u3 t1t1 t4t4 t3t3 t6t6 t7t7 d :A Mixed representation Control-flow graph has an explicit representation. Sets of paths associated to a control point are represented implicitly with BDDs. Transitions between control points are represented implicitly with BDDs. Complexity O(|A| * 2 k+2d ) |A|- # edges in interproc. CFG, k - max # global/local vars, d – max # of in/out variables.

b 1 :B b 2 :B A B v1v1 v2v2 v3v3 v4v4 v5v5 v6v6 v7v7 t2t2 t5t5 t1t1 t2t2 t3t3 t4t4 t5t5 t6t6 Efficient Reachability Analysis (CS) Enabledness not guaranteed Default entry/exit points – the border of a mode. Default entry/exit transitions save/restore current submode. Analysis savings Interrupts are essentially callbacks to the supermode. As before, local variables can be discarded at exit points. u2u2 u1u1 u3u3 t1t1 t4t4 t3t3 t6t6 t7t7 tgtg d :A

Other Techniques Structured control-flow representation opens the way to applying various other CAV and compiler analysis techniques: control-flow & counterexample guided abstraction-refinement, shape analysis, live variable analysis, modification / reference sets, pattern-based model extraction.

Concurrent Class Machines +RdCap(m:Monitor) -m: Monitor; -inCS: boolean; +acq():void throws MonExc +rel():void throws MonExc new MonExc ! inCSe +read():int throws MonExc v: int; e:MonExc inCs m.res.read() v e v choice point (nondeterminism) object creation box return variable method invocation box return expression exception exit point local variables RdCap

Concurrent Class Machines (cont) +main(): void r: Resource; c: Client -m: Monitor +run(): void Client extends Thread new Resource r new Monitor(r) m new Client(m) c.start new Client(m)c.start c thread start box thread run method c

Hierarchic Hybrid Machines (Charon) Agents describe concurrency Modes describe sequential behavior –Control flow between control points –Group transitions describe exceptions Emergency {t = 1} local t, rate global level, infusion Agent ControllerAgent Tank infusion global level global infusion {level = f(infusion)} { level  [2,10] } level level  [2,10] level  [4,8] Compute Normal e dedx x t=10 t:=0 Maintain {t<10} differential constraint invariant

Hermes: Top Level

Hermes: Looking Inside Modes

Ongoing Work Main emphasis on embedded software: Capture sanity checks (deadlock, race conditions), high-level specs (man pages), designs and code with structured CFGs (CCMs). Efficient analysis of consistency between different CFGs (CCMs) and model based test generation. Automated generation of efficient monitored code from high level models. Tool support building on previous experience with jMocha, Hermes and Charon. Main Applications: Dependable Embedded Linux (PDA footprint <500k), Trustworthy Web Agents (e.g. crisis management).

Conjunctive Modes M2M2 i2i2 M1M1 i1i1 o2o2 o1o1 p1p1 p2p2 Parallel composition of reactive modules Synchronous semantics State s = (i 1, i 2, o 1, o 2, p 1, p 2 ) Execution s 1 s 2 s 3 s 4 … s k … syst env

M2M2 M’ 1 svrs Translation with modes Conjunctive Modes read i 1,i 2 ; write o 1,o 2,p 1,p 2 ; local p’ 1 ; p’ 1 := p 1 ;p 1 := p’ 1 ; M2M2 i2i2 M1M1 i1i1 o2o2 o1o1 p1p1 p2p2 Parallel composition of reactive modules

b 1 :B b 2 :B A B v1v1 v2v2 v3v3 v4v4 v5v5 v6v6 v7v7 t2t2 t5t5 t1t1 t2t2 t3t3 t4t4 t5t5 t6t6 Efficient Reachability Analysis (CS) Enabledness not guaranteed Default entry/exit points – the border of a mode. Default entry/exit transitions save/restore current submode. Analysis savings Interrupts are essentially callbacks to the supermode. As before, local variables can be discarded at exit points. u2u2 u1u1 u3u3 t1t1 t4t4 t3t3 t6t6 t7t7 tgtg d :A