1
Verification of real-time systems in UPPAAL
Kim G. Larsen
Formal Methods: Automatic Validation and Verification Tools
Kim Guldstrand Larsen, Institute of Computer Science, Aalborg University

Formal methods seem to be finding their way into industrial software engineering practice. In particular, methods based on fully automatic verification tools have long been established practice for hardware designs. Today, an increasing number of (commercial) tools offering automatic verification support for industrial designs of embedded systems, real-time systems, and communication protocols are emerging. The scalability of these tools has been significantly improved by recent scientific advances in the underlying algorithmic techniques, which have allowed large industrial applications to be verified.

The talk will present the tool UPPAAL, a tool suite for validating and verifying real-time system models. The tool has been developed since 1995 in collaboration between Aalborg and Uppsala Universities. The presentation will be based on an on-line demonstration and will survey the industrial applications of UPPAAL.

The final part of the talk will address the tool visualSTATE, a commercial tool for automatic validation and verification of embedded system models. In addition, visualSTATE allows for automatic generation of efficient code for a number of platforms. Recent collaboration between visualSTATE and DTU has resulted in truly significant advances in the size of systems which may be dealt with.
2
Research Profile Distributed Systems & Semantics Unit
Semantic models: concurrency, mobility, objects, real-time and hybrid systems. Validation & verification: algorithms & tools. Construction: real-time & network systems.
3
BRICS Machine Basic Research in Computer Science
(Figure: BRICS sites Aarhus and Aalborg.) Tools: UPPAAL, VHS, VVS, WOODDES. Other relevant projects.
4
Tools and BRICS
Tools and applications: visualSTATE, UPPAAL, SPIN, PVS, HOL, ALF, TLP.
Semantics: concurrency theory, abstract interpretation, compositionality, models for real-time & hybrid systems.
Algorithmic: (timed) automata theory, graph theory, BDDs, polyhedra manipulation.
Logic: temporal logic, modal logic, MSOL.
5
A REAL real-time system (Klaus Havelund, NASA)
6
Embedded systems: SyncMaster 17GLsi, mobile phone, telephone, digital watch, Tamagotchi.
7
Introducing, Detecting and Repairing Errors Liggesmeyer 98
8
Introducing, Detecting and Repairing Errors Liggesmeyer 98
9
Suggested solution? Model-based validation, verification and testing of software and hardware.
10
Verification & Validation
Analysis -> Design -> Model/Specification -> Implementation -> Testing
11
Verification & Validation
Analysis (Validation) -> Design -> Model/Specification in UML or SDL (Verification & Refusal) -> Implementation -> Testing
12
Verification & Validation
Analysis (Validation) -> Design -> Model/Specification in UML or SDL (Verification & Refusal) -> Implementation -> Testing. Model extraction from the implementation to the model; automatic code generation from the model to the implementation.
13
Verification & Validation
Analysis (Validation) -> Design -> Model/Specification in UML or SDL (Verification & Refusal) -> Implementation -> Testing. Model extraction from the implementation to the model; automatic code generation from the model to the implementation; automatic test generation from the model for testing.
14
How? Unified model = state machine! (Figure: a state machine with control states, input ports a and b?, and output ports x and y!.)
15
Tamagotchi (figure: hierarchical state machine with inputs A, B, C). Top-level states ALIVE and DEAD; ALIVE -> DEAD when Health=0 or Age=2.000. Tick: Health:=Health-1; Age:=Age+1. Inside ALIVE: Passive, Feeding (Light Meal, Snack) and Care (Clean, Medicine, Discipline, Play); some transitions perform Health:=Health-1.
16
SYNCmaster
17
Digital Watch
18
visualSTATE (VVS with Baan Visualstate and DTU, CIT project): hierarchical state systems, flat state systems, multiple and inter-related state machines, support for UML notation, device driver access.
19
The SDL Editor (process level)
20
SPIN, Gerard Holzmann, AT&T
21
UPPAAL
22
'State explosion' problem
(Figure: component M1 with states 1, 2, 3, 4 and component M2 with states a, b, c; the product M1 x M2 has the 12 combined states (1,a), (1,b), (1,c), (2,a), …, (4,c).) Provably theoretically intractable: all combinations must be considered, i.e. the state space is exponential in the number of components.
23
Train simulator (VVS, visualSTATE): bugs?
1421 machines, 11102 transitions, 2981 inputs, 2667 outputs, 3204 local states; declared state space: 10^476. Our techniques have reduced verification time by several orders of magnitude (e.g. from 14 days to 6 seconds).
24
Tool support (model checking)
(Figure: a system description A and a requirement F are given to the TOOL; the answer is either Yes, with prototypes, executable code and test sequences, or No, with debugging information.) Tools: Telelogic, Verilog, UPPAAL, SPIN, MV, Statemate, visualSTATE, FormalCheck, VeriSoft, Java Pathfinder, …
25
UPPAAL: modelling and verification of real-time systems, www.uppaal.com
UPPAAL2k: > 800 users in > 35 countries
26
Collaborators
@AALborg: Kim G Larsen, Arne Skou, Paul Pettersson, Carsten Weise, Kåre J Kristoffersen, Gerd Behrman, Thomas Hune, Oliver Möller, Nicky Oliver Bodentien, Lasse Poulsen.
@UPPsala: Wang Yi, Johan Bengtsson, Paul Pettersson, Fredrik Larsson, Alexandre David, Tobias Amnell, Oliver Möller.
@Elsewhere: David Griffioen, Ansgar Fehnker, Frits Vandraager, Klaus Havelund, Theo Ruys, Pedro D'Argenio, J-P Katoen, J. Tretmans, Judi Romijn, Ed Brinksma, Franck Cassez, Magnus Lindahl, Francois Laroussinie, Patricia Bouyer, Augusto Burgueno, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Justin Pearson, …
Here you see all the contributors over the years.
27
Hybrid & real-time systems
(Figure: control theory meets computer science. A continuous plant is observed through sensors by a discrete controller program, made up of tasks, which drives the plant through actuators.) Examples: pump control, air bags, robots, cruise control, ABS, CD players, production lines.
Real-time system: a system where correctness depends not only on the logical order of events but also on their timing.
28
Construction of UPPAAL models
(Figure: the controller program's tasks are turned into a model of the tasks (automatic?), and the continuous plant with its sensors and actuators into a user-supplied model of the environment; together these timed automata form the UPPAAL model.)
29
Timed Automata (Alur & Dill 1990)
Clocks: x, y.
Guard: a Boolean combination of integer bounds on clocks and clock differences, e.g. x<=5 & y>3.
Action: used for synchronization, e.g. a.
Reset: an action performed on clocks, e.g. x := 0.
State: (location, x=v, y=u) where v, u are in R.
Transitions (edge from location n to location m with guard x<=5 & y>3, action a and reset x := 0):
  action transition: (n, x=2.4, y=…) -a-> (m, x=0, y=…)
  delay transition: (n, x=2.4, y=…) -e(1.1)-> (n, x=3.5, y=…)
30
Timed Automata: Invariants
Clocks: x, y. Location invariants: x<=5 on location n, y<=10 on location m; edge n -> m with guard x<=5 & y>3, action a and reset x := 0; edges out of m carry guards g1, g2, g3, g4.
Delay transitions are only allowed while the invariant of the current location holds: (n, x=2.4, y=…) -e(1.1)-> (n, x=3.5, y=…) is allowed, whereas a delay e(3.2) from x=2.4 would give x=5.6 and violate x<=5. Invariants ensure progress!!
31
The UPPAAL model = networks of timed automata + integer variables + …
Two-way synchronization on complementary actions (a! and a?). Closed systems!
Example: edge l1 -> l2 with guard x>=2 & i==3, action a!, assignments x := 0 and i := i+4; edge m1 -> m2 with guard y<=4, action a?.
Example transitions:
  (l1, m1, …, x=2, y=3.5, i=3, …) -a-> (l2, m2, …, x=0, y=3.5, i=7, …)
  (l1, m1, …, x=2, y=3.5, i=3, …) -tau(0.2)-> (l1, m1, …, x=2.2, y=3.7, i=3, …)
If a is an URGENT CHANNEL, the delay of 0.2 is not allowed while the synchronization on a is enabled.
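The three slides above (guards and resets, invariants, and synchronization in a network) describe one operational semantics. The following is an added example, not code from the slides or from UPPAAL itself: a small Python simulator for that semantics, built around the slide's own network (l1 -> l2 on a! with x>=2 & i==3, x:=0, i:=i+4; m1 -> m2 on a? with y<=4). The invariant x<=5 on l1 and the use of plain callables for guards are assumptions made here so that the delay and urgent-channel rules can be exercised.

```python
"""Added example (not from the slides or the UPPAAL tool): a simulator for
networks of timed automata with clocks, integer variables, location
invariants, two-way channel synchronisation and urgent channels."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Clocks = Dict[str, float]   # clock valuation, e.g. {"x": 2.4, "y": 3.5}
Data = Dict[str, int]       # bounded integer variables, e.g. {"i": 3}


@dataclass
class Edge:
    src: str
    dst: str
    sync: Optional[str] = None                          # "a!", "a?" or None (internal)
    guard: Callable[[Clocks, Data], bool] = lambda c, d: True
    reset: Tuple[str, ...] = ()                         # clocks set to 0 when fired
    update: Callable[[Data], Data] = lambda d: d        # data-variable assignment


@dataclass
class Automaton:
    name: str
    loc: str                                            # current location
    edges: List[Edge]
    invariant: Dict[str, Callable[[Clocks], bool]] = field(default_factory=dict)

    def inv_ok(self, clocks: Clocks) -> bool:
        return self.invariant.get(self.loc, lambda c: True)(clocks)


@dataclass
class Network:
    automata: List[Automaton]
    clocks: Clocks
    data: Data
    urgent: Tuple[str, ...] = ()   # urgent channels: no delay while a sync on one is enabled

    def locations(self) -> Tuple[str, ...]:
        return tuple(a.loc for a in self.automata)

    def _enabled(self, a: Automaton, e: Edge) -> bool:
        return a.loc == e.src and e.guard(self.clocks, self.data)

    def sync_pairs(self, chan: str):
        """All (sender edge, receiver edge) pairs able to synchronise on chan now."""
        snd = [(a, e) for a in self.automata for e in a.edges
               if e.sync == chan + "!" and self._enabled(a, e)]
        rcv = [(b, e) for b in self.automata for e in b.edges
               if e.sync == chan + "?" and self._enabled(b, e)]
        return [(s, r) for s in snd for r in rcv if s[0] is not r[0]]

    def delay(self, d: float) -> bool:
        """Delay transition e(d): every clock advances by d. Refused if d < 0, if an
        urgent-channel synchronisation is enabled, or if a location invariant would
        not hold afterwards (invariants here are upper bounds such as x<=5, so
        checking the end of the delay is enough)."""
        if d < 0 or any(self.sync_pairs(c) for c in self.urgent):
            return False
        new = {k: v + d for k, v in self.clocks.items()}
        if not all(a.inv_ok(new) for a in self.automata):
            return False
        self.clocks = new
        return True

    def sync(self, chan: str) -> bool:
        """Two-way synchronisation: one chan! edge and one chan? edge fire together,
        applying both resets and both data updates (first enabled pair is taken)."""
        pairs = self.sync_pairs(chan)
        if not pairs:
            return False
        (a, ea), (b, eb) = pairs[0]
        for aut, e in ((a, ea), (b, eb)):
            aut.loc = e.dst
            for c in e.reset:
                self.clocks[c] = 0.0
            self.data = e.update(dict(self.data))
        return True


def slide_network() -> Network:
    """The slide's example network; the invariant x<=5 on l1 is an assumption."""
    a = Automaton("A", "l1",
                  [Edge("l1", "l2", "a!",
                        guard=lambda c, d: c["x"] >= 2 and d["i"] == 3,
                        reset=("x",), update=lambda d: {**d, "i": d["i"] + 4})],
                  invariant={"l1": lambda c: c["x"] <= 5})
    b = Automaton("B", "m1",
                  [Edge("m1", "m2", "a?", guard=lambda c, d: c["y"] <= 4)])
    return Network([a, b], {"x": 2.0, "y": 3.5}, {"i": 3})


if __name__ == "__main__":
    net = slide_network()
    print(net.locations(), net.clocks, net.data)   # ('l1', 'm1'), x=2, y=3.5, i=3
    net.sync("a")                                   # the slide's action transition
    print(net.locations(), net.clocks, net.data)   # ('l2', 'm2'), x=0, y=3.5, i=7
```

The `urgent` tuple reproduces the informal semantics given later for urgent channels: `delay` is refused whenever some `a!`/`a?` pair on an urgent channel is enabled, while discrete `sync` steps remain unaffected. Marking `("a",)` as urgent on the slide network makes the 0.2 delay impossible but leaves the synchronisation available.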
32
Timed Automata in UPPAAL
Timed (safety) automata
+ urgent actions
+ urgent locations
+ committed locations
+ data variables (with bounded domains)
+ arrays of data variables
+ constants
+ guards and assignments over data variables and arrays …
+ templates with local clocks, data variables and constants
33
Declarations in UPPAAL
clock x1, …, xn;
int i1, …, im;
chan a1, …, ao;
const c1 n1, …, cp np;
Examples:
clock x, y;
int i, J0;
int[0,1] k[5];    (array k of five booleans)
const delay 5, true 1, false 0;
34
Timed Automata in UPPAAL
(Figure: the timed automaton of the earlier slides annotated with UPPAAL concepts.) Location invariants: x<=5 on n, y<=10 on m. Edge n -> m with clock guard x<=5 & y>3, data guards, action a and clock assignment x := 0; edges out of m with guards g1, g2, g3, g4. Clocks are compared against natural numbers.
35
Urgent channels: declared as urgent chan hurry;
Informal semantics: there will be no delay if a transition with an urgent action can be taken.
Restrictions: no clock guard is allowed on transitions with urgent actions; invariants and data-variable guards are allowed.
36
Urgent locations: click "Urgent" in the State Editor.
Informal semantics: no delay in an urgent location.
Note: the use of urgent locations reduces the number of clocks in a model, and thus the complexity of the analysis.
37
Committed locations: click "Committed" in the State Editor.
Informal semantics: no delay in a committed location, and the next transition must involve an automaton in a committed location.
Note: the use of committed locations reduces the number of clocks in a model, and allows for a more space- and time-efficient analysis.
38
UPPAAL Specification Language
A[] p (AG p): p holds in all reachable states.
E<> p (EF p): p holds in some reachable state.
p ::= a.l | gd | gc | p and p | p or p | not p | p imply p | ( p )
where a.l is a process location (process a in location l), gd is a data guard and gc is a clock guard.
39
BRICK SORTING
40
First UPPAAL model: sorting of Lego boxes (Ken Tindell)
(Figure: a conveyor belt carrying red and black boxes past a light sensor at position 9, with a piston at position 99 that ejects a box; the controller consists of the tasks MAIN and PUSH; belt positions 18, 81 and 90 are marked.) Exercise: design the controller so that only black boxes are pushed out.
41
NQC programs (the closing braces of the two tasks were lost in the slide export and are restored here):

    int active;        // set by MAIN when a black box has passed the sensor
    int DELAY;         // belt travel time from sensor to piston
    int LIGHT_LEVEL;   // sensor threshold distinguishing black from red boxes

    task MAIN {
        Sensor(IN_1, IN_LIGHT);      // light sensor on input 1
        Fwd(OUT_A, 1);               // start the conveyor belt
        Display(1);
        start PUSH;                  // run the piston task concurrently
        while (true) {
            wait(IN_1 <= LIGHT_LEVEL);   // a dark (black) box is in front of the sensor
            ClearTimer(1);               // start measuring its travel time
            active = 1;
            PlaySound(1);
            wait(IN_1 > LIGHT_LEVEL);    // wait until the box has passed
        }
    }

    task PUSH {
        while (true) {
            wait(Timer(1) > DELAY && active == 1);   // box has reached the piston
            active = 0;
            Rev(OUT_C, 1);               // push the box out
            Sleep(8);
            Fwd(OUT_C, 1);               // retract the piston
            Sleep(12);
            Off(OUT_C);
        }
    }
42
From RCX to UPPAAL (figure: the task MAIN as a timed automaton). The model includes a round-robin scheduler. RCX tasks are compiled into TA models. Presented at ECRTS 2000.
43
The Production Cell Course at DTU, Copenhagen
44
TRAIN CROSSING
45
Train crossing (figure): trains arrive in a Stopable Area (delay [10,20]), take [3,5] to reach the Crossing over the River (delay [7,15]), and are managed by a Queue and a Gate.
46
Train crossing: communication via channels and a shared variable.
(Figure: the same layout annotated with the channels appr, stop, leave, go and el, and the queue operations empty, nonempty, hd, add and rem between the Gate and the Queue.)
47
Communication Protocols
CSMA/CD BRP ……
48
CSMA/CD protocol: MAC layer
Events:
send - service provided by Mac, which reacts by transmitting a message
rec - (receive) service provided by Mac, indicates that a message is ready to be received
b - (begin) Mac begins message transmission to M
e - (end) Mac terminates message transmission to M
br - (begin receive) M begins message delivery to Mac
er - (end receive) M terminates message delivery to Mac
b - (collision) Mac is notified that a collision has occurred on M
49
Philips Bounded Retransmission Protocol
[D’Argenio et.al. 97]
50
Protocol overview: a protocol developed by Philips.
Transfers data between audio/video components via infra-red communication. Data files are sent in smaller chunks. Problem: the communication medium is unreliable. The sender retransmits if the receiver responds too late; the receiver aborts if the sender sends too late.
51
Overview of BRP (figure): the Sender hands input file = p1, …, pn to process S; S sends each chunk pi to process R over the lossy channel K, and R returns ack over the lossy channel L; R delivers output p1, …, pn to the Receiver.
52
How it works
Sender input: file = p1, …, pn.
S sends (p1,FST,0), (p2,INC,1), …, (pn-1,INC,1), (pn,OK,0): FST marks the first part of the file, INC means more parts will follow, and OK marks the whole file.
R sends: ack, …, ack.
S retransmits pi on timeout.
Receiver receives: p1, …, pn.
Sender and Receiver both receive NOK or OK.
53
Case Studies: Protocols
Philips Audio Protocol [HS'95, CAV'95, RTSS'95, CAV'96]
Collision-Avoidance Protocol [SPIN'95]
Bounded Retransmission Protocol [TACAS'97]
Bang & Olufsen Audio/Video Protocol [RTSS'97]
TDMA Protocol [PRFTS'97]
Lip-Synchronization Protocol [FMICS'97]
Multimedia Streams [DSVIS'98]
ATM ABR Protocol [CAV'99]
ABB Fieldbus Protocol [ECRTS'2k]
IEEE 1394 Firewire Root Contention (2000)
54
Case-Studies: Controllers
Gearbox Controller [TACAS'98]
Bang & Olufsen Power Controller [RTPS'99, FTRTFT'2k]
SIDMAR Steel Production Plant [RTCSA'99, DSVV'2k]
Real-Time RCX Control-Programs [ECRTS'2k]
Experimental Batch Plant (2000)
RCX Production Cell (2000)
55
BRP model overview (figure): the Sender hands input file = p1, …, pn to S; S sends (pi, INDication, abit) to R over the lossy channel K and R returns ack over the lossy channel L; R reports IND, ok or nok and delivers output p1, …, pn to the Receiver; S reports ok, nok or dk to the Sender.
56
The lossy media: one-place capacity, delay, value-passing. Lossy = may drop messages.
57
Bounded retransmission
S sends a chunk pi and waits for an ack from R. On timeout the chunk is retransmitted. After too many timeouts the transmission fails and NOK is sent to the Sender. If the whole file is sent successfully, OK is sent to the Sender. The Receiver side is similar.
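The two slides above ("How it works" and "Bounded retransmission") describe the exchange between S and R over the lossy channels K and L. The following is an added example, not code from the slides or from the BRP paper: a deterministic Python simulation of that exchange, in which losses on K and L are scripted by transmission-attempt number so each run is reproducible. The chunk values, the retry bound and the loss patterns are constructed here; the outcomes OK, NOK and DK follow the indications named on the BRP overview slide.

```python
"""Added example (not from the slides or the BRP paper): simulation of the
bounded-retransmission exchange between S and R over lossy channels K and L."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

FST, INC, OK_IND = "FST", "INC", "OK"   # indication carried with each chunk


def indication(i: int, n: int) -> str:
    """Indication for chunk i of n: FST (first part), INC (more follow), OK (last)."""
    if i == 0:
        return FST
    return OK_IND if i == n - 1 else INC


@dataclass
class ReceiverR:
    """Process R: delivers each chunk once, using the alternating bit (abit) to
    recognise a retransmission of a chunk it has already delivered."""
    delivered: List[str] = field(default_factory=list)
    expected_bit: int = 0

    def on_frame(self, frame: Tuple[str, str, int]) -> str:
        chunk, ind, abit = frame
        if abit == self.expected_bit:        # new chunk: deliver and flip the bit
            self.delivered.append(chunk)
            self.expected_bit ^= 1
        return "ack"                         # duplicates are acknowledged again


def run_brp(chunks: List[str], max_retries: int,
            drop_k: FrozenSet[int] = frozenset(),
            drop_l: FrozenSet[int] = frozenset()):
    """Run process S against R. Returns (sender outcome, chunks delivered by R,
    receiver outcome, number of frames S put on K).
    drop_k / drop_l: attempt numbers on which channel K / L loses its message."""
    n, r, abit, attempt = len(chunks), ReceiverR(), 0, 0
    for i, p in enumerate(chunks):
        retries = 0
        while True:
            attempt += 1
            acked = False
            if attempt not in drop_k:                     # K delivered (p_i, ind, abit)
                r.on_frame((p, indication(i, n), abit))
                acked = attempt not in drop_l             # L delivered the ack
            if acked:
                abit ^= 1                                 # move on to the next chunk
                break
            retries += 1                                  # timeout: retransmit p_i
            if retries > max_retries:                     # too many timeouts: give up
                sender = "DK" if i == n - 1 else "NOK"    # DK: last chunk may have arrived
                receiver = "OK" if len(r.delivered) == n else "NOK"
                return sender, list(r.delivered), receiver, attempt
    return "OK", list(r.delivered), "OK", attempt


if __name__ == "__main__":
    file = ["p1", "p2", "p3"]                              # constructed sample file
    print(run_brp(file, 2))                                # ('OK', [...], 'OK', 3)
    print(run_brp(file, 2, drop_k=frozenset({1})))         # first frame lost, then OK
    print(run_brp(["p1", "p2"], 1, drop_k=frozenset({1, 2})))   # NOK on both sides
    print(run_brp(["p1", "p2"], 1, drop_l=frozenset({2, 3})))   # sender DK, receiver OK
```

The last run shows why the sender needs a third outcome besides OK and NOK: when only the acknowledgements of the final chunk are lost, R has the complete file and reports OK, but S cannot tell whether pn arrived and reports DK. An ack lost on L for a middle chunk is harmless, since the retransmission carries the same abit and R treats it as a duplicate.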
58
Process S
59
Process R
60
The Sender and Receiver
61
"If you want to know more"
Test & Verification; UPPAAL; WOODDES, ATT (VHS); Strategic Directions in Computing Research, Formal Methods Working Group, ACM, June 1996.