1
Formal Analysis and Verification of Real-Time Systems Albert M. K. Cheng Real-Time Systems Laboratory University of Houston
2
Correctness of Real-Time Systems Satisfaction of logical correctness constraints Satisfaction of timing constraints
3
Presentation Outline Model of a real-time system Specification, analysis, and verification Explicit-state and symbolic model checking Real-time logic and constraint-graph analysis Analysis of real-time rule-based system
4
A Real-Time System A D XY S Sensor input Decision, action State
5
Specification, analysis, and verification Structural/Functional Behavioral - Sequence of events and actions Given: Specification (SP), Safety Assertion (SA) Goal: Relate SP to SA Analysis - 3 cases: SA is a theorem derivable from SP. SA is unsatisfiable with respect to SP. Negation of SA is satisfiable under certain conditions.
6
Analysis Techniques Simulation Testing Verification Run-time monitoring
7
Model Checking Specification represented as a labeled finite-state Graph (Kripke structure) Safety assertion written as temporal logic formula Is the finite-state graph a model of the temporal logic formula?
8
Computation Tree Logic CTL Propositional, branching-time temporal logic Next-time operator X, Until operator U A(E)X f : f holds in every (some) immediate successor of current state A(E)[f1 U f2] : for every (some) computation path, there exists an initial prefix of the path such that f2 holds at the last state of the prefix and f1 holds at all other states along the prefix
9
Example; Solution to Mutual Exclusion Problem N1,N2 T1,N2 C1,T2 N1,T2 C1,N2T1,T2 N1,C2 T1,C2
10
CTL abbreviations AF(f) = A[True U f]: f holds in the future along every path from the initial state s0, so f is inevitable EG(f) = NOT AF(NOT f) EF(f) = E[True U f]: there is some path from the initial state s0 that leads to a state at which f holds, so f potentially holds AG(f) = NOT EF(NOT f)
11
Explicit-State Model Checking for (fi=flength; fi >= 1; fi--) labelgraph(fi,s,&correct); labelgraph (fi,s,b) short fi, s; Boolean *b; { short i; switch(nf[fi-1][0].opcode) { case atomic: atf(fi,s,b); break; case nt: ntf(fi,s,b); break; case ad: adf(fi,s,b); break; case ax: axf(fi,s,b); break; case ex: exf(fi,s,b); break;
12
case au: for (i=0; i <= numstates; i++) marked[i] = false; for (i=0; i <= numstates; i++) if (!marked[i]) auf(fi,s,b); break; case eu: euf(fi,s,b); break; } Explicit-State Model Checking
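To make the labelling procedure concrete, here is an added Python example (not code from the slides) that builds the mutual-exclusion state graph from the earlier slide and evaluates CTL formulas on it by the explicit-state fixpoint method, covering the same operators as the switch above (atomic, not, and, AX, EX, AU, EU) plus the slide's abbreviations. The Kripke structure is constructed here after the classic two-process solution, with the T1,T2 state split into two copies; the tuple encoding of formulas is the example's own.

```python
# Constructed for this example after the classic two-process solution: N = non-
# critical, T = trying, C = critical. The T1,T2 state is split into two copies
# (which process moves next) so that neither process can be starved forever.
_RAW = {  # state: ("atomic propositions", "successor states")
    "N1N2": ("N1 N2", "T1N2 N1T2"),  "T1N2": ("T1 N2", "C1N2 T1T2a"),
    "N1T2": ("N1 T2", "T1T2b N1C2"), "C1N2": ("C1 N2", "N1N2 C1T2"),
    "T1T2a": ("T1 T2", "C1T2"),      "T1T2b": ("T1 T2", "T1C2"),
    "N1C2": ("N1 C2", "N1N2 T1C2"),  "C1T2": ("C1 T2", "N1T2"),
    "T1C2": ("T1 C2", "T1N2"),
}
MUTEX = {s: (set(p.split()), set(n.split())) for s, (p, n) in _RAW.items()}

def _step(k, s, t, op):
    """E*: some successor of s lies in t; A*: all (and at least one) do."""
    succ = k[s][1]
    return bool(succ & t) if op in ("EX", "EU") else bool(succ) and succ <= t

def sat(k, f):
    """States of k at which CTL formula f holds. Formulas are tuples: ('true',)
    ('atom',p) ('not',f) ('and',f,g) ('EX',f) ('AX',f) ('EU',f,g) ('AU',f,g)."""
    op, states = f[0], set(k)
    if op == "true":
        return states
    if op == "atom":
        return {s for s in states if f[1] in k[s][0]}
    if op == "not":
        return states - sat(k, f[1])
    if op == "and":
        return sat(k, f[1]) & sat(k, f[2])
    if op in ("EX", "AX"):
        t = sat(k, f[1])
        return {s for s in states if _step(k, s, t, op)}
    if op in ("EU", "AU"):
        # least fixpoint: start from the f2-states, then keep adding f1-states
        # whose successors (some for EU, all for AU) are already labelled
        f1, result = sat(k, f[1]), sat(k, f[2])
        while new := {s for s in f1 - result if _step(k, s, result, op)}:
            result |= new
        return result
    raise ValueError(f"unknown operator {op!r}")

# Abbreviations from the slides.
def AF(f): return ("AU", ("true",), f)
def EF(f): return ("EU", ("true",), f)
def AG(f): return ("not", EF(("not", f)))
def EG(f): return ("not", AF(("not", f)))
def implies(f, g): return ("not", ("and", f, ("not", g)))

def holds(k, f, s0="N1N2"):
    """The model-checking question: is the graph a model of f at initial state s0?"""
    return s0 in sat(k, f)
```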
13
Symbolic Model Checking Transition relation between the values of the variables in the current and the next states can be stated as a Boolean formula Use Binary Decision Diagrams (BDDs) to present this Boolean formula Apply model checker to finite-state graph represented as BBDs
14
Real-Time CTL Existentially Bounded Until operator: E[f_1 U[x,y] f_2] at state s_0 means there exists a path beginning at s_0 and some i such that x <= i <= y and f_2 holds at state s_i and forall j < i, f_1 holds at state s_j Min/max delays Min/max number of condition occurrences
15
Event-Action Model Action: schedulable unit of work primitive or composite X;Y X||Y X!N !NY State predicate: assertion about state of the system Timing constraints Event: temporal marker - 4 types external: cannot be cause by system start: begin action stop: end action transition: change in certain state attribute
16
Timing Constraints Periodic: while execute with period = deadline = Sporadic: when execute with deadline = separation =
17
Non-Real-Time Temporal Logic Conventional temporal logic: concerns with relative ordering of events A;(B||C) means ABC or ACB Can model interleaving actions Cannot model parallel actions To deal with absolute timing, add clock variable: clock := clock + c, execute after every action Acceptable only if actions are executed in sequential order
18
Real-Time Logic 3 types of constants action in capital letters: primitive or composite (partial ordering of events) A.B B appears in composite action A start and stop events: ^A event marking the initiation of action A vA event marking the completion of action A ^A.B ^A.B2
19
Real-Time Logic Transition event constants: (S := T) (S := F) External event constants: omega BUTTON1 pressing button number 1 Integer constants: @(E,W) --> W E event, W nonnegative integer @(e,i) = time of the i-th occurrence of event e Timing property can be established by showing there does not exist an occurrence function which is consistent with the specification in conjunction with the negation of the safety property under investigation
20
Examples of RTL Formulas Forall i @(E,i) = t -> t >= 0 Forall i forall j [@(E,i) = t and @(E,j)=t‘ and i t < t‘t and @(E,j)=t‘ and forall x @(TrainApproach, x) <= @(^Downgate, x) and @(vDowngate, x) <= @(TrainApproach, x) + 30 forall y @(^Downgate, y) + 15 <= @(vDowngate, y)
21
Example: Safety Assertion in RTL forall t forall u @(TrainApproach, t) + 45 <= @(Crossing, u) and @(Crossing,u) @(vDowngate, t) <= @(Crossing, u) and @(Crossing, u) <= @(vDowngate, t) + 45
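An added Python example (not the authors' tool) of the constraint-graph argument from the previous slides: the specification SP and the negated safety assertion are encoded as edges, and a positive-weight cycle in the graph shows that no occurrence function exists. Assumptions of the example: integer-valued time (so a strict inequality becomes "+1 <="), the event node names, and the upper bound on @(Crossing,u) in the premise, which is garbled on the slide and set to 60 here.

```python
def has_positive_cycle(edges):
    """Bellman-Ford in longest-path form over a constraint graph whose edge
    (a, b, w) encodes the RTL inequality @a + w <= @b. A cycle of positive
    total weight forces @a + c <= @a with c > 0, so no occurrence function
    can satisfy the inequalities: the graph is unsatisfiable."""
    nodes = {n for a, b, _ in edges for n in (a, b)}
    dist = {n: 0 for n in nodes}          # virtual source with 0-weight edges to all
    for _ in range(len(nodes) - 1):
        for a, b, w in edges:
            dist[b] = max(dist[b], dist[a] + w)
    return any(dist[a] + w > dist[b] for a, b, w in edges)

# Specification SP from the slide, instantiated for one train t:
# TA = TrainApproach, UpDG = ^Downgate, DownDG = vDowngate.
SP = [
    ("TA_t", "UpDG_t", 0),       # @(TrainApproach,t) <= @(^Downgate,t)
    ("DownDG_t", "TA_t", -30),   # @(vDowngate,t) <= @(TrainApproach,t) + 30
    ("UpDG_t", "DownDG_t", 15),  # @(^Downgate,t) + 15 <= @(vDowngate,t)
]

# Premise of the safety assertion for one crossing u. The slide's upper bound
# on @(Crossing,u) is garbled; 60 is an ASSUMED value used only in this example.
CROSSING_UPPER = 60
PREMISE = [
    ("TA_t", "C_u", 45),               # @(TrainApproach,t) + 45 <= @(Crossing,u)
    ("C_u", "TA_t", -CROSSING_UPPER),  # @(Crossing,u) <= @(TrainApproach,t) + CROSSING_UPPER
]

# Negated conclusion: @(Crossing,u) < @(vDowngate,t) OR
# @(Crossing,u) > @(vDowngate,t) + 45; with integer time, '<' becomes '+1 <='.
NOT_CONCLUSION = [
    [("C_u", "DownDG_t", 1)],   # @(Crossing,u) + 1 <= @(vDowngate,t)
    [("DownDG_t", "C_u", 46)],  # @(vDowngate,t) + 46 <= @(Crossing,u)
]

def safety_assertion_holds(sp, premise, negated_conclusion):
    """SA is derivable from SP iff SP together with the premise and EACH
    disjunct of the negated conclusion is unsatisfiable, i.e. every one of
    the constraint graphs contains a positive cycle."""
    return all(has_positive_cycle(sp + premise + disjunct)
               for disjunct in negated_conclusion)
```

Raising the assumed upper bound to 61 makes the second disjunct's cycle weigh zero, so the check correctly reports that SA no longer follows from SP.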
22
Analysis of Rule-Based Systems The RULES section is composed of a finite set of rules each of which is of the form: a1 := b1 ! a2 := b2 ! … ! am := bm IF enabling condition VAR = set of variables on left-hand side of the assignment, i.e., the ai’s VAL = expressions on right-hand side of assignment, i.e., the bi’s EC = enabling condition
23
Simple Rule-Based Program (* 1 *) object_detected := true IF sensor_a = 1 AND sensor_a_status = good (* 2 *) []object_detected := true IF sensor_b = 1 AND sensor_b_status = good (* 3 *) []object_detected := false IF sensor_a = 0 AND sensor_a_status = good (* 4 *) []object_detected := false IF sensor_b = 0 AND sensor_b_status = good
24
State Space Representation A D E F G H FP1 FP2 C L J K B I M N P FP3
25
Problem Complexity In general, the analysis problem is undecidable if the program variables can have infinite domains, i.e., there is no general procedure for answering all instances of the decision problem.
26
Proof Outline Any two-counter machine can be encoded by an equational rule-based program that uses only `+' and `-' as operations on integer variables and `>', `=' as atomic predicates such that a two-counter machine accepts an input if and only if the corresponding equational rule-based program can reach a fixed point from an initial condition determined by the input to the two-counter machine.
27
Analysis Problem is Solvable for some Cases All the variables of an equational rule- based program range over finite domains. Set of variables in VAR and set of variables in VAL and EC are disjoint. Enabling conditions are mutually exclusive. Only constants are assigned to variables in VAR.
28
Compatibility of Rules Let L_x denote the set of variables appearing in LHS of rule x. Two rules a and b are said to be compatible iff at least one of the following conditions holds: (CR1) Test a and test b are mutually exclusive. (CR2) L_a and L_b are disjoint. (CR3) Suppose L_a and L_b are not disjoint. Then for every common variable v in L_a and L_b, the same expression must be assigned to v in both rule a and b.
29
Special Form A Let L and T be sets of variables in VAR and EC of rules. A set of rules are in special form A if the following conditions hold: (1) Constant terms are assigned to all the variables in L. (2) All of the rules are compatible pairwise. (3) L and T are disjoint.
30
Example 1. a1 := true IF b = true AND c = true 2. [] a1 := true IF b = true AND c = false 3. [] a2 := false IF c = true Rules 1 and 2 are compatible by conditions CR1 and CR3. Rules 1 and 3 are compatible by condition CR2. Rules 2 and 3 are compatible by condition CR2.
31
General Analysis Strategy Rule-based program Simpler programs Rule rewriter State-space analyzer Special form recognizer No independent ruleset in special form Independent rulsets in special form(s)
32
Example input: read(b, c) 1. a1 := true IF b = true AND c = true 2.[]a1 := true IF b = true AND c = false 3.[]a2 := false IF c = true 4.[]a3 := true IF a1 = true AND a2 = false 5.[]a4 := true IF a1 = false AND a2 = false 6.[]a4 := false IF a1 = false AND a2 = true input: read(b, c) 1. a1 := true IF b = true AND c = true 2.[]a1 := true IF b = true AND c = false 3.[]a2 := false IF c = true
33
Applications of Analysis Tools Cryogenic Hydrogen Pressure Malfunction Procedure in the Pressure Control System of the Space Shuttle Vehicle Integrated Status Assessment Expert System Fuel Cell Expert System Orbital Maneuvering and Reaction Control System
34
New Textbook Albert Cheng - Real-Time Systems: Scheduling, Analysis, and Verification (John Wiley & Sons) ISBN # 0471-184063, 2002. www.cs.uh.edu/~acheng/~acheng.html(John Wiley & Sons) ISBN # 0471-184063, 2002. For senior-level undergraduate/first-year graduate courses in real-time systems, embedded systems (software and hardware) engineering, and formal methods. Serves as a supplement to courses in operating systems and system design, as well as a reference for practitioners and researchers.