
1 Automatic Debugging and Verification of RTL-Specified Real-Time Systems
Albert M. K. Cheng, Real-Time Systems Laboratory and Institute for Space Systems Operations, University of Houston, Texas, USA. 11/19/2018 University of Houston

2 Real-Time Systems [JahanianMok86, JahanianMok87, Cheng02]
Structural-functional specification: how the system's components work.
Behavioral specification (SP): the sequence of events allowed by the system in response to actions and events.
An implementation is correct if SP implies the safety assertions (SA), namely if SP → SA is a theorem.

3 Verification of Timing Properties [JahanianMok86, JahanianMok87, Cheng02]
In checking SP → SA, three cases may arise:
(safe) SA is a theorem derivable from SP, i.e. SP → SA is a tautology (including the case when SP is unsatisfiable);
(inherently unsafe) SA is unsatisfiable with respect to SP, i.e. SP → SA is unsatisfiable (the opposite of case 1);
(potentially safe, i.e. safe if additional constraints are added) if the negation of SA is unsatisfiable with respect to SP, we are in case 1; otherwise (the negation of SA is satisfiable under certain conditions) both SP and SA can be modified to make SP → SA a tautology.

4 Our Incremental Approach for Systematic Debugging
Legend of the figure: green, the old formula; pink, the incremental part of the formula; yellow, the new formula.

5 Details of the Approach
The satisfiability of SP_{k+1} → SA_{k+1} is expressed incrementally from the satisfiability of SP_k → SA_k.
The manual debugging in step 3 is correlated with the satisfiability of SP_k → SA_k.
We use the #SAT (counting) problem rather than the SAT problem, in order to know how "far away" SP is from satisfying SA.
The modification of SP and/or SA is useful for incremental debugging, in which bugs are fixed one at a time until the system is correct.
Our approach does not require re-compiling the whole system: we re-use the old formula.

6 Motivations and Achievements
Since industrial real-time systems may have large specifications, it is impractical for the designer to find the missing or wrong constraints by hand.
The debugging in step 3 is done systematically, not manually.
Efficient Java implementation of systematic debugging (SDRTL); example real-time systems have been successfully tested with SDRTL.
We simulate a real-life scenario in which the designer may forget to include some constraints or may give some incorrect constraints.
Our approach does not require re-compiling the whole system: we re-use the old formula.

7 Real-Time Logic (RTL) [JahanianMok86]
RTL = first-order logic with special features to capture timing requirements.
The occurrence function @: Event × Occurrence → Time, where Occurrence = Nat − {0} and Time = Nat; @(e, i) = t means that the i-th occurrence of event e occurs at time t.
∀e ∈ Event, is defined; ∀e ∈ Event, ∀i, j ∈ Occurrence, i < is defined.

8 Real-Time Logic (cont)
Three types of RTL constants:
Actions: schedulable units of work.
Event constants: temporal markers; external events (Ωevent-name), start events (↑event-name), stop events (↓event-name).
Integers: used for timing constraints.

9 Example: Railroad crossing

10 SP of Railroad Crossing – English and RTL
When the train approaches the sensor, a signal initiates the lowering of the gate, and the gate is moved to the down position within 30 s of the train being detected by the sensor:
∀x ( @(TrainApproach, x) ≤ @(↑DownGate, x) ∧ @(↓DownGate, x) ≤ @(TrainApproach, x) + 30 )
The gate needs at least 15 s to lower itself to the down position:
∀y ( @(↑DownGate, y) + 15 ≤ @(↓DownGate, y) )

11 SA of Railroad Crossing – English and RTL
If the train needs at least 45 s to travel from the sensor to the railroad crossing, and the train crossing is completed within 60 s of being detected by the sensor, then we are assured that at the start of the train crossing the gate has moved down, and that the train leaves the railroad crossing within 45 s of the time the gate completed moving down:
∀t ∀u ( @(TrainApproach, t) + 45 ≤ @(↑TrainCrossing, u) ∧ @(↓TrainCrossing, u) < @(TrainApproach, t) + 60 → @(↓DownGate, t) ≤ @(↑TrainCrossing, u) ∧ @(↓TrainCrossing, u) ≤ @(↓DownGate, t) + 45 )

12 The Path-RTL Formulas
The general form of path-RTL formulas: functionOccurrence ± integerConstant ≤ functionOccurrence.
Industrial real-time systems specified this way: railroad crossing [JahanianMok87], [JahanianStuart88], [Cheng2002]; moveable control rods in a reactor [JahanianMok87]; Boeing 777 Integrated Airplane Information Management System [MTR96]; X-38, an autonomous spacecraft built by NASA [RiceCheng99].
Jahanian and Mok observed that the RTL formulas of many real-time systems:
consist of arithmetic inequalities involving two terms and an integer constant, in which a term is either a variable or a function (difference constraints);
do not contain arithmetic expressions in which a function takes an instance of itself as an argument.

13 Presburger Arithmetic Formulae
@(e, i) is replaced by an uninterpreted function f_e(i), where e is an event and i is an integer or a variable. Below, f, g1, g2, h1 and h2 stand for TrainApproach, ↑DownGate, ↓DownGate, ↑TrainCrossing and ↓TrainCrossing respectively.
SP: ∀x (f(x) ≤ g1(x) ∧ g2(x) ≤ f(x) + 30) ∧ ∀y (g1(y) + 15 ≤ g2(y))
SA: ∀t ∀u ( f(t) + 45 ≤ h1(u) ∧ h2(u) < f(t) + 60 → g2(t) ≤ h1(u) ∧ h2(u) ≤ g2(t) + 45 )

14 Railroad Crossing - Clausal Form
¬(SP → SA) ≡ ¬(¬SP ∨ SA) ≡ SP ∧ ¬SA. SP → SA is a theorem iff SP ∧ ¬SA is unsatisfiable.
SP: ∀x ∀y ( f(x) ≤ g1(x) ∧ g2(x) − 30 ≤ f(x) ∧ g1(y) + 15 ≤ g2(y) )
Negation of SA: ∃t ∃u ( f(t) + 45 ≤ h1(u) ∧ h2(u) < f(t) + 60 ∧ (h1(u) < g2(t) ∨ g2(t) + 45 < h2(u)) )
Skolem normal form of the path-RTL formulas, [T/t][U/u]: f(T) + 45 ≤ h1(U) ∧ h2(U) − 59 ≤ f(T) ∧ ( h1(U) + 1 ≤ g2(T) ∨ g2(T) + 46 ≤ h2(U) )

15 Constraint Graph Technique
F: the initial path-RTL formula; F': the corresponding Presburger formula.
PF = C1 ∧ C2 ∧ … ∧ Cn is the propositional formula of SP ∧ ¬SA, where Ci = Li,1 ∨ Li,2 ∨ … ∨ Li,ni and each Li,j has the general form v1 ± I ≤ v2, I being a positive integer constant.
For each positive cycle Xi,1, Xi,2, …, Xi,ni of the constraint graph (the i-th positive cycle), the clause ¬Xi,1 ∨ ¬Xi,2 ∨ … ∨ ¬Xi,ni is added to PF.

16 Counting SAT Problem
PF = {C1, …, Cl} over V. If C1', …, Cs' ∈ PF and s ≤ l, then:
m_V(C1', …, Cs') = the number of variables from V which do not occur in C1' ∨ … ∨ Cs';
dif_V(C1', …, Cs') = 0 if ∃ i, j ∈ {1, …, s}, i ≠ j, and a literal L such that L ∈ Ci' and ¬L ∈ Cj', and 2^{m_V(C1', …, Cs')} otherwise.

17 Incremental Counting SAT
det_V(PF) = 2^n − Σ_{s=1}^{l} (−1)^{s+1} · Σ_{1 ≤ i1 < … < is ≤ l} dif_V(Ci1, …, Cis) is called the determinant of PF.
Theorem. PF has det_V(PF) truth assignments. So PF is satisfiable iff det_V(PF) ≠ 0.
Problem: knowing the number of true instances of PF, what is the number of true instances of PF ∪ {C}, for an arbitrary clause C?
Incremental computation: get det_V(PF2) using det_V(PF1), without re-computing the common parts of PF2 and PF1.
Example: det_V(PF) = 2^3 − ( ) = 3, so PF is satisfiable, having 3 truth assignments.

18 Increment of a Clausal Formula
Definition: Given PF = {C1, …, Cl} over V and an arbitrary clause C, inc_V(C, PF) = Σ_{s=0}^{l} (−1)^{s+1} · Σ_{1 ≤ i1 < … < is ≤ l} dif_V(C, Ci1, …, Cis) is called the increment of PF with C over V.
Theorem: Let PF = {C1, …, Cl} be a clausal formula and PF' = {Cl+1, …, Cl+k}. Then:
det_V(PF ∪ PF') = det_V(PF) + inc_V(Cl+1, PF) + inc_V(Cl+2, PF ∪ {Cl+1}) + … + inc_V(Cl+k, PF ∪ {Cl+1, …, Cl+k−1}).
Incremental computing is optimal: CIT_red(C, PF) is similar to the CT_red corresponding to det_V(PF), but instead of an empty root it now has root C.

19 Related Work: Incremental Approaches
An incremental positive-cycle detection algorithm [MTR96] is also based on the constraint-graph technique and uses a single-source algorithm with positive weights in the graph. An incremental algorithm for model checking transition systems in the alternation-free fragment of the modal mu-calculus was presented in [SoS94]. Our incremental approach, instead, is applied to propositional formulas.

20 History of SAT and #SAT problems
The SAT problem [Cook, 1971]
The #SAT problem [Valiant, 1979]
The incremental SAT problem [Hooker, 1993]
The incremental #SAT problem [Andrei & Chin, 2004]

21 Railroad Crossing - Constraint Graph (1)
PF1 = {{A1}, {A2}, {A3}, {A4}, {A5}, {A6, A7}, {¬A2, ¬A4, ¬A6}, {¬A4, ¬A5, ¬A6, ¬A7}, {¬A1, ¬A3, ¬A5, ¬A7}}, the last three clauses being the negated positive cycles of the constraint graph (slide 15).
det_V1(PF1) = 0, where V1 = {A1, …, A7}.
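As an added worked example (not code from the slides or from SDRTL), the constraint-graph step of slide 15 applied to the Skolemised literals of slide 14: each literal v1 + I ≤ v2 becomes an arc from v1 to v2 of cost I, the positive cycles are enumerated, and their negations are appended to SP ∧ ¬SA to obtain PF1 exactly as on slide 21. The node names and the unification of x and y with T are my assumptions.

```python
from collections import defaultdict

# Skolemised difference constraints of the railroad crossing (SP and negated SA, slide 14),
# numbered A1..A7. Literal "v1 + I <= v2" becomes the arc v1 -> v2 with cost I.
# Node names (functions applied to Skolem constants T, U; x and y unified with T)
# are an assumed naming, not the slides' own.
LITERALS = {
    "A1": ("f(T)", 0, "g1(T)"),    # f(x) <= g1(x)
    "A2": ("g2(T)", -30, "f(T)"),  # g2(x) - 30 <= f(x)
    "A3": ("g1(T)", 15, "g2(T)"),  # g1(y) + 15 <= g2(y)
    "A4": ("f(T)", 45, "h1(U)"),   # f(T) + 45 <= h1(U)
    "A5": ("h2(U)", -59, "f(T)"),  # h2(U) - 59 <= f(T)
    "A6": ("h1(U)", 1, "g2(T)"),   # h1(U) + 1 <= g2(T)
    "A7": ("g2(T)", 46, "h2(U)"),  # g2(T) + 46 <= h2(U)
}
# SP and (not SA) in clausal form: A1..A5 are unit clauses, "A6 or A7" is the disjunction.
BASE_CLAUSES = [{"A1"}, {"A2"}, {"A3"}, {"A4"}, {"A5"}, {"A6", "A7"}]

def positive_cycles(literals):
    """Return the simple cycles of the constraint graph whose costs sum to a positive value.
    Adding the inequalities around such a cycle gives (sum of costs) <= 0, a contradiction,
    so the literals on the cycle cannot all be true at once."""
    arcs = defaultdict(list)
    for name, (src, cost, dst) in literals.items():
        arcs[src].append((dst, cost, name))
    found = set()

    def walk(start, node, total, visited, names):
        for dst, cost, name in arcs[node]:
            if dst == start:
                if total + cost > 0:
                    found.add(frozenset(names + [name]))
            elif dst not in visited:
                walk(start, dst, total + cost, visited | {dst}, names + [name])

    for start in list(arcs):
        walk(start, start, 0, {start}, [])
    return found

def refutation_clauses(literals, base):
    """Constraint-graph technique (slide 15): for each positive cycle X1..Xn add the clause
    not X1 or ... or not Xn, with negation written as a '-' prefix. Returns PF as a list."""
    pf = [set(c) for c in base]
    for cycle in sorted(positive_cycles(literals), key=sorted):
        pf.append({"-" + x for x in cycle})
    return pf
```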

22 Re-design of Railroad Example
We consider 2 new events (CarCrossingLeft, CCL, and CarCrossingRight, CCR) and 2 new constraints.
We add to SP: (English) a car from the left or from the right needs at most 10 seconds to cross the railroad; (RTL) ∀z1 ( @(↓CCL, z1) − 10 ≤ @(↑CCL, z1) ) and ∀z2 ( @(↓CCR, z2) − 10 ≤ @(↑CCR, z2) ).
We add to SA: (English) if the train starts to cross the railroad crossing, there has been no car crossing, neither from the left nor from the right, in the last 5 seconds; (RTL) ∀v1 ( @(↓CCL, v1) + 5 ≤ @(↑TrainCrossing, u) ) and ∀v2 ( @(↓CCR, v2) + 5 ≤ @(↑TrainCrossing, u) ).

23 Railroad Crossing - Constraint Graph (2)
PF2 = PF1 ∪ {{A8}, {A9}, {A6, A7, A10, A11}} − {{A6, A7}}
det_V2(PF2) = det_V1(PF1) + inc_V2({A8}, PF1) + inc_V2({A9}, PF1 ∪ {{A8}}) + inc_V2({A6, A7, A10, A11}, PF1 ∪ {{A8}} ∪ {{A9}}) − inc_V2({A6, A7}, PF1 ∪ {{A8}} ∪ {{A9}} ∪ {{A6, A7, A10, A11}}) = 3, where V2 = V1 ∪ {A8, …, A11}.
As det_V2(PF2) > 0, the real-time system is unsafe.
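As an added worked example (not code from the slides or from SDRTL), the determinant and increment of slides 16 to 18 computed literally by inclusion-exclusion, then applied to the re-design above: det_V1(PF1) = 0, and det_V2(PF2) = 3 is obtained incrementally from PF1 by adding the increments of the three new clauses and subtracting the increment of the removed one. Clauses use a '-' prefix for negation; the negated positive-cycle clauses of PF1 are taken from slide 21.

```python
from itertools import combinations

# Clauses are sets of literals written "A6" (positive) or "-A6" (negated); PF is a list
# of clauses and V a list of variable names, as in the slides' PF over V.

def dif(clauses, variables):
    """dif_V(C1..Cs): number of assignments over V falsifying every clause.
    Complementary literals cannot both be false, so that case counts 0; otherwise each
    variable not occurring in the clauses is free, giving 2^(number of unused variables)."""
    lits = set().union(*clauses)
    if any((l[1:] if l.startswith("-") else "-" + l) in lits for l in lits):
        return 0
    return 2 ** (len(variables) - len({l.lstrip("-") for l in lits}))

def det(pf, variables):
    """det_V(PF) of slide 17: 2^n minus the inclusion-exclusion sum of dif_V over every
    non-empty sub-family of PF; this is the number of truth assignments of PF."""
    return 2 ** len(variables) - sum(
        (-1) ** (s + 1) * dif(sub, variables)
        for s in range(1, len(pf) + 1) for sub in combinations(pf, s))

def inc(c, pf, variables):
    """inc_V(C, PF) of slide 18, i.e. det_V(PF + {C}) - det_V(PF): the sum of
    (-1)^(s+1) dif_V(C, Ci1..Cis) over all sub-families of PF, including the empty one."""
    return sum((-1) ** (s + 1) * dif((c,) + sub, variables)
               for s in range(0, len(pf) + 1) for sub in combinations(pf, s))

# Slide 21: SP and not-SA of the railroad crossing plus the three negated positive cycles.
V1 = ["A%d" % i for i in range(1, 8)]
PF1 = [{"A1"}, {"A2"}, {"A3"}, {"A4"}, {"A5"}, {"A6", "A7"},
       {"-A2", "-A4", "-A6"}, {"-A4", "-A5", "-A6", "-A7"}, {"-A1", "-A3", "-A5", "-A7"}]
V2 = V1 + ["A8", "A9", "A10", "A11"]

def redesign_incrementally():
    """Slide 23: PF2 = PF1 + {A8} + {A9} + {A6,A7,A10,A11} - {A6,A7}. det_V2(PF2) is
    built from det_V2(PF1) by adding each new clause's increment; removing a clause C
    subtracts inc_V2(C, PF2), because det(PF2 + {C}) = det(PF2) + inc(C, PF2)."""
    pf, d = list(PF1), det(PF1, V2)
    for c in ({"A8"}, {"A9"}, {"A6", "A7", "A10", "A11"}):
        d += inc(c, pf, V2)
        pf.append(c)
    pf.remove({"A6", "A7"})
    d -= inc({"A6", "A7"}, pf, V2)
    return d, pf   # d > 0: PF2 is satisfiable, so the re-designed system is unsafe
```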

24 Debugging Computation. Manual versus Systematic
Manual debugging is impractical for big systems, so a systematic way of solving this problem is needed. The method automatically generates all the possible missing constraints, ordered from the most probable to the least probable. The designer then chooses from this list the proper constraint, i.e. one that does not contradict the real-time system's specification.

25 Railroad Crossing - Constraint Graph (2)
(Init) construct PF1.
(Test & Print) test whether the determinant is 0 and whether the designer agrees with the constraint suggested by the systematic debugging computation.
(Incremental Computation) compute det_{Vk+1}(PF_{k+1}) using det_{Vk}(PF_k).
(desired == false) evaluates to false when the designer wishes to stop the systematic debugging and the timing constraints of the real-time system are fulfilled.
Algorithm Main:
  (Init) desired = false;
  while (desired == false) {
    (Test & Print)
    if (desired == false) {
      (Incremental Computation)
      (Debugging Computation)
    }
  }

26 Addition of a New Arc
The figure shows that the node v has no out-arc, so the arc (v, w) (pictured with a dashed line) is added to the constraint graph as a member of a new positive cycle.

27 Transforming a Negative Cycle
The algorithm detects all possibly incorrect constraints (i.e. those containing a fault). That is, the algorithm proposes other (bigger) constants I for the literal v1 ± I ≤ v2, and with the help of the designer one such constraint is selected. Figure 3(b) is more than a "refinement", because it corresponds to detecting faults in the initial specification and proposes a new, proper constraint.

28 Key Point: the Increment
SDRTL computes the increment for each change (new arc and/or new cost).
SDRTL then sorts all these increments in increasing order.
Starting from the minimum increment, the designer is asked for his agreement.
Increments which are zero do not count.

29 The Execution Run

30 The Execution Run (cont)

31 Railroad Crossing - Constraint Graph (3)
PF3 = PF2 ∪ {C12, C13, C14, C15}, over V2. As det_V2(PF3) = 0, the real-time system is safe. The unification should be done carefully.

32 Monotony of det and inc

33 Systematic Debugging Results
Denote by niz the number of increments which are zero, and by tni the total number of increments. The effectiveness is efct = (tni − niz) / tni. The closer the effectiveness is to 0, the faster the algorithm is (because useless clauses are not generated). The more bugs the system has, the longer the execution time.

34 X-38, an autonomous spacecraft built by NASA [RiceCheng99]

35 Automatic Debugging
Autonomous systems (human operators are absent) generate real-time control plans automatically, on the fly.

36 Future Work: Replacement of SAT solvers
Counting SAT solvers are more efficient than SAT solvers when there are too many choices to consider (as in re-design and debugging problems). Applications: finding a feasible schedule; model checking.

37 Joint work with Stefan Andrei, Wei-Ngan Chin, and Mihai Lupu of the National University of Singapore. Work supported in part by the NSF and the Institute for Space Systems Operations. Thanks! Questions?

38 References
[JahanianMok87] Jahanian, F., Mok, A.: A Graph-Theoretic Approach for Timing Analysis and its Implementation. IEEE Transactions on Computers, Vol. C-36, No. 8, 1987.
[JaS88] Jahanian, F., Stuart, D. A.: A Method for Verifying Properties of Modechart Specifications. Proceedings of the 9th IEEE Real-Time Systems Symposium, 1988.
[WaM94] Wang, F., Mok, A. K.: RTL and Refutation by Positive Cycles. Proceedings of the Formal Methods Europe Symposium, Lecture Notes in Computer Science 873, 1994.
[AndreiChin04] Andrei, S., Chin, W.-N.: Incremental Satisfiability Counting for Real-Time Systems. IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'04), Toronto, Canada, 25-28 May 2004.
Andrei, S., Chin, W.-N., Cheng, A. M. K., Lupu, M.: Automatic Debugging of Real-Time Systems Based on Incremental Satisfiability Counting. Accepted 2/2006, to appear in IEEE Transactions on Computers, 2006.

39 References (cont)
[MTR96] Mok, A. K., Tsou, D.-C., de Rooij, R. C. M.: The MSP.RTL Real-Time Scheduler Synthesis Tool. Proceedings of the 17th IEEE Real-Time Systems Symposium, 1996.
[RiceCheng99] Rice, L. E. P., Cheng, A. M. K.: Timing Analysis of the X-38 Space Station Crew Return Vehicle Avionics. Proceedings of the 5th IEEE-CS Real-Time Technology and Applications Symposium, 1999.
[Cheng02] Cheng, A. M. K.: Real-Time Systems: Scheduling, Analysis, and Verification. Wiley-Interscience, 2002.
[Andrei2004] Andrei, S.: Counting for Satisfiability by Inverting Resolution. Artificial Intelligence Review, 2004.
[SoS94] Sokolsky, O., Smolka, S. A.: Incremental Model Checking in the Modal Mu-Calculus. Computer-Aided Verification '94, LNCS 818, Springer-Verlag, 1994.

