Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model-Based Design and Verification of Embedded Systems Radu Grosu SUNY at Stony Brook www.cs.sunysb.edu/~grosu.

Published byGregory Osborne Modified over 9 years ago

Similar presentations

Presentation on theme: "Model-Based Design and Verification of Embedded Systems Radu Grosu SUNY at Stony Brook www.cs.sunysb.edu/~grosu."— Presentation transcript:

1 Model-Based Design and Verification of Embedded Systems Radu Grosu SUNY at Stony Brook www.cs.sunysb.edu/~grosu

2 Talk Outline  Current trends in embedded software  Hierarchic mode diagrams [POPL00,TOPLAS03]  Modular reasoning [POPL00,ASE01,TOPLAS03]  Efficient analysis [CAV00,CAV03,ICSE01]  Extensions and tools [ASE01,HSCC00-01,EW02]  Current research projects [Career02,Reuters02]

3 A Quiet Computing Revolution Most computation no longer occurs on PCs and servers but rather in embedded devices like: automobiles, cell phones, insulin pumps and aircraft. The extent of the embedded systems revolution can be seen in a In-Stat/MDR report : 5.7 billion embedded microprocessors shipped in 2001 98% of all shipped microprocessors 11% forecasted annual growth through 2006.

4 Embedded Controllers Control functionality of embedded processors: Traditionally it was application specific and with minimal amount of software. Today it demands sophisticated services such as networking capabilities and preemptive scheduling, and is typically implemented in software (EOSs). The cost of software-enabled control: Continental estimates it to 18% of the total cost of a vehicle in 2010. For the automotive industry the cost was half of Microsoft revenue in 2001.

5 Embedded Software Properties Written in high level programming languages: Typically in C but increasingly in Java or C++. Very stringent dependability requirements: human safety, consumer expectations, liability and government regulation BMW recalled 15,000 7-series sedans in 2002 at an estimated cost of $50 million. Very difficult to debug because of: concurrency, interrupts, exceptions, process scheduling and hardware-in-the-loop.

6 Trends in Assuring Dependability Maturity and convergence of various methods: Theorem provers, model checkers and compilers use each other techniques, Run-time verification and testing tools use formal models to derive monitors and tests. Typical techniques to combat state explosion: Efficient data structures, Refinement and abstraction, Modular reasoning.

7 Integrative Model Hierarchic state machines as common model: As properties: omega/tree automata, As designs: finite observation (Kripke) structures, As code: structured control-flow graphs. Advantages of using this model: Support: CAV and compiler-based techniques, Abstraction: navigate between code and properties, Structure: modular reasoning and state exploration, Appeal: software engineers happy (UML, SDL).

8 Hierarchic state machine model featuring: hierarchic states, state sharing, group transitions, history. Observational trace semantics: state refinement, compositional and assume/guarantee reasoning. Efficient model checking Symbolic as well as enumerative, Heuristics to exploit the hierarchical structure. Hierarchic Reactive Modules

9 Characteristics Description is hierarchic. Well defined interfaces. Supports black-box view. Model checking Compositional reasoning. Assume/guarantee reasoning. E.g. in SMV, jMocha. Architecture (Telephone Exchange) TelExchange ti 1 to 1 ti n to n TelSw 1 TelExchange Bus TelSw n bo 1 bi 1 bo n bi n ti 1 to 1 ti n to n …

10 Behavior (TelSw) connecting talking ok call gettingNo ok answ onHookoffHook onH call answ rtB ti=rtB/to=bsy read ti : TelI; write to : TelO; local nr : (0..n) Characteristics Description is a hierarchic Kripke structure (EFSM). group transitions, history. Well defined interfaces. data & control interfaces black-box view. Model checking Efficient analysis, Compositional reasoning, Assume/guarantee reasoning.

11 Hierarchic Behavior Diagrams Software engineering Statecharts: introduced in 1987 by David Harel, Key component in OO Methods: UML, ROOM, OMT, etc, Event based. Formal methods Informal diagrams: for LTSs (CCS or CSP processes), Proof diagrams: for FTS (Pnueli, Manna) Event based and state-based respectively. Compilers (program analysis) Structured control-flow graphs, State-based (variables), entry/exit points, Sequential programs: no trace semantics or refinement rules.

12 Modes and Contexts A mode (context) is a tuple (C,V,SM,T) consisting of: Control points C = E  X: Entry points E: finite set. Exit points X: finite set Variables V = V r  V w  V l : Read variables V r : finite set Write variables V w : finite set Local variables V l : finite set Submodes m  SM visible or not: m.V r  V r  V l, m.V w  V w  V l Transitions (e, ,x): e  E  SM.X, x  X  SM.E    V r  V l   V w  V l ringing rtBrtE rtB offH onHook answ onH idle offH call ini onH read ti : TelI; write to : TelO; local nr : (0..n)

13 ringing rtBrtE rtB offH onHook answ onH idle offH call ini Semantics of Modes Executions (game semantics) Environment round:from exit points to entry points. Mode round: from entry points to exit points. Example: (ini,s 0 )  (call,s 1 )  (onH,s 2 )  (answ,s 3 ) ~(offH|rtB|rtE) dxde ~(offH|rtB)h=idle h=ringing (ini,s 5 )  (idle,t 6 )  (dx,s 6 ) Micro steps: (ini,s 0 )  (idle,t 1 )  (call,s 1 )

14 answ onHook onH call ini dxde Refinement inclusion of trace sets, modular w.r.t. mode encapsulation. (ini,s 5 )  (idle,t 6 )  (dx,s 6 ) Semantics of Modes Executions (game semantics) Environment round:from exit points to entry points. Mode round: from entry points to exit points. Example: (ini,s 0 )  (call,s 1 )  (onH,s 2 )  (answ,s 3 ) Micro steps: (ini,s 0 )  (idle,t 1 )  (call,s 1 ) Traces (proj. on global vars) traces of the sub-modes the mode’s transitions.

15 Modular Reasoning Compositional Reasoning Central to many formalisms: CCS, I/O Automata,TLA, etc. Circular Assume/Guarantee Reasoning Valid only when the interaction of a module with its environment is non-blocking. Terminology Compositional and assume/guarantee reasoning based on observable behaviors. Application area Only recently is being automated by model checkers, Until now restricted to architecture hierarchies.

16 Compositional Reasoning N N’ < M < M’ N M N’ M < Sub-mode refinement N M < N M’ Super-mode refinement

17 Assume/Guarantee Reasoning MM’ N’ < N M < M’ N’ M’ N’ N <

18 Efficient Reachability Analysis (SS) Mixed representation Control-flow graph has an explicit representation. Sets of states associated to a control point are represented implicitly with BDDs. Transitions between control points are represented implicitly with BDDs. Model checking Control-flow graph traversal. v 4 (x) = (  x. v 3 (x) & t 3 (x,x’))[x/x’] b 1 :B b 2 :B A u2u2 u1u1 u3u3 d :A B v1v1 v2v2 v3v3 v4v4 v5v5 v6v6 v7v7 t1t1 t2t2 t4t4 t3t3 t5t5 t6t6 t7t7 t1t1 t2t2 t3t3 t4t4 t5t5 t6t6 bdd of t 3 (x,x’) bdd of u 1 (x)  y. v 7 (y)

19 Efficient Reachability Analysis (SS) Mixed representation Control-flow graph has an explicit representation. Sets of paths associated to a control point are represented implicitly with BDDs. Transitions between control points are represented implicitly with BDDs. Model checking Control-flow graph traversal. b 1 :B b 2 :B A u2u2 u1u1 u3u3 d :A B v1v1 v2v2 v3v3 v4v4 v5v5 v6v6 v7v7 t1t1 t2t2 t4t4 t3t3 t5t5 t6t6 t7t7 t1t1 t2t2 t3t3 t4t4 t5t5 t6t6 bdd of t 3 (x,x’) bdd of u 1 (x,x’) v 4 (x,x’) = (  x’.t 1 (x,x’) & t 3 (x’,x’’))[x’/x’’]

20 b 1 :B b 2 :B A B v1v1 v2v2 v3v3 v4v4 v5v5 v6v6 v7v7 t2t2 t5t5 t1t1 t2t2 t3t3 t4t4 t5t5 t6t6 Efficient Reachability Analysis (SS) u2u2 u1u1 u3u3 t1t1 t4t4 t3t3 t6t6 t7t7 d :A Mixed representation Control-flow graph has an explicit representation. Sets of paths associated to a control point are represented implicitly with BDDs. Transitions between control points are represented implicitly with BDDs. Complexity O(|A| * 2 k+2d ) |A|- # edges in interproc. CFG, k - max # global/local vars, d – max # of in/out variables.

21 b 1 :B b 2 :B A B v1v1 v2v2 v3v3 v4v4 v5v5 v6v6 v7v7 t2t2 t5t5 t1t1 t2t2 t3t3 t4t4 t5t5 t6t6 Efficient Reachability Analysis (CS) Enabledness not guaranteed Default entry/exit points – the border of a mode. Default entry/exit transitions save/restore current submode. Analysis savings Interrupts are essentially callbacks to the supermode. As before, local variables can be discarded at exit points. u2u2 u1u1 u3u3 t1t1 t4t4 t3t3 t6t6 t7t7 tgtg d :A

22 Other Techniques Structured control-flow representation opens the way to applying various other CAV and compiler analysis techniques: control-flow & counterexample guided abstraction-refinement, shape analysis, live variable analysis, modification / reference sets, pattern-based model extraction.

23 Concurrent Class Machines +RdCap(m:Monitor) -m: Monitor; -inCS: boolean; +acq():void throws MonExc +rel():void throws MonExc new MonExc ! inCSe +read():int throws MonExc v: int; e:MonExc inCs m.res.read() v e v choice point (nondeterminism) object creation box return variable method invocation box return expression exception exit point local variables RdCap

24 Concurrent Class Machines (cont) +main(): void r: Resource; c: Client -m: Monitor +run(): void Client extends Thread new Resource r new Monitor(r) m new Client(m) c.start new Client(m)c.start c thread start box thread run method c

25 Hierarchic Hybrid Machines (Charon) Agents describe concurrency Modes describe sequential behavior –Control flow between control points –Group transitions describe exceptions Emergency {t = 1} local t, rate global level, infusion Agent ControllerAgent Tank infusion global level global infusion {level = f(infusion)} { level  [2,10] } level level  [2,10] level  [4,8] Compute Normal e dedx x t=10 t:=0 Maintain {t<10} differential constraint invariant

26 Hermes: Top Level

27 Hermes: Looking Inside Modes

28 Ongoing Work Main emphasis on embedded software: Capture sanity checks (deadlock, race conditions), high-level specs (man pages), designs and code with structured CFGs (CCMs). Efficient analysis of consistency between different CFGs (CCMs) and model based test generation. Automated generation of efficient monitored code from high level models. Tool support building on previous experience with jMocha, Hermes and Charon. Main Applications: Dependable Embedded Linux (PDA footprint <500k), Trustworthy Web Agents (e.g. crisis management).

29

30 Conjunctive Modes M2M2 i2i2 M1M1 i1i1 o2o2 o1o1 p1p1 p2p2 Parallel composition of reactive modules Synchronous semantics State s = (i 1, i 2, o 1, o 2, p 1, p 2 ) Execution s 1 s 2 s 3 s 4 … s k … syst env

31 M2M2 M’ 1 svrs Translation with modes Conjunctive Modes read i 1,i 2 ; write o 1,o 2,p 1,p 2 ; local p’ 1 ; p’ 1 := p 1 ;p 1 := p’ 1 ; M2M2 i2i2 M1M1 i1i1 o2o2 o1o1 p1p1 p2p2 Parallel composition of reactive modules

32 b 1 :B b 2 :B A B v1v1 v2v2 v3v3 v4v4 v5v5 v6v6 v7v7 t2t2 t5t5 t1t1 t2t2 t3t3 t4t4 t5t5 t6t6 Efficient Reachability Analysis (CS) Enabledness not guaranteed Default entry/exit points – the border of a mode. Default entry/exit transitions save/restore current submode. Analysis savings Interrupts are essentially callbacks to the supermode. As before, local variables can be discarded at exit points. u2u2 u1u1 u3u3 t1t1 t4t4 t3t3 t6t6 t7t7 tgtg d :A

Download ppt "Model-Based Design and Verification of Embedded Systems Radu Grosu SUNY at Stony Brook www.cs.sunysb.edu/~grosu."

Similar presentations

Embedded System, A Brief Introduction

Embedded System, A Brief Introduction
Reliable Scripting Using Push Logic Push Logic David Greaves, Daniel Gordon University of Cambridge Computer Laboratory Reliable Scripting.

Reliable Scripting Using Push Logic Push Logic David Greaves, Daniel Gordon University of Cambridge Computer Laboratory Reliable Scripting.
Efficient Reachability Analysis of Hierarchic Reactive Modules R. Alur, R.Grosu, M.McDougall University of Pennsylvania www.cis.upenn.edu/~alur,grosu,mmcdougall.

Efficient Reachability Analysis of Hierarchic Reactive Modules R. Alur, R.Grosu, M.McDougall University of Pennsylvania
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Modular Specification of Hybrid Systems in CHARON R. Alur, R. Grosu, Y. Hur, V. Kumar, I. Lee University of Pennsylvania SDRL and GRASP.

Modular Specification of Hybrid Systems in CHARON R. Alur, R. Grosu, Y. Hur, V. Kumar, I. Lee University of Pennsylvania SDRL and GRASP.
System Design Research Lab University of Pennylvania 2/8/2006 CHARON modeling language.

System Design Research Lab University of Pennylvania 2/8/2006 CHARON modeling language.
DIVES: Design, Implementation and Validation of Embedded Software Alur, Kumar, Lee(PI), Pappas, Sokolsky GRASP/SDRL University of Pennsylvania www.cis.upenn.edu/mobies/

DIVES: Design, Implementation and Validation of Embedded Software Alur, Kumar, Lee(PI), Pappas, Sokolsky GRASP/SDRL University of Pennsylvania
CS 425/625 Software Engineering System Models

CS 425/625 Software Engineering System Models
ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
SDRL and GRASP University of Pennsylvania 6/27/00 MoBIES 1 Design, Implementation, and Validation of Embedded Software (DIVES) Contract No. F33615-00-C-1707.

SDRL and GRASP University of Pennsylvania 6/27/00 MoBIES 1 Design, Implementation, and Validation of Embedded Software (DIVES) Contract No. F C-1707.
University of Pennsylvania 1 SDRL CHARON SDRL and GRASP University of Pennsylvania Funded by DARPA ITO.

University of Pennsylvania 1 SDRL CHARON SDRL and GRASP University of Pennsylvania Funded by DARPA ITO.
Models of Computation for Embedded System Design Alvise Bonivento.

Models of Computation for Embedded System Design Alvise Bonivento.
August 2006Scott Stoller, Stony Brook University1 Research in Formal Methods, Concurrent & Distributed Systems, and Programming Languages at Scott D. Stoller.

August 2006Scott Stoller, Stony Brook University1 Research in Formal Methods, Concurrent & Distributed Systems, and Programming Languages at Scott D. Stoller.
Modeling State-Dependent Objects Using Colored Petri Nets

Modeling State-Dependent Objects Using Colored Petri Nets
The Rare Glitch Project: Verification Tools for Embedded Systems Carnegie Mellon University Pittsburgh, PA Ed Clarke, David Garlan, Bruce Krogh, Reid Simmons,

The Rare Glitch Project: Verification Tools for Embedded Systems Carnegie Mellon University Pittsburgh, PA Ed Clarke, David Garlan, Bruce Krogh, Reid Simmons,
DIVES Alur, Lee, Kumar, Pappas: University of Pennsylvania  Charon: high-level modeling language and a design environment reflecting the current state.

DIVES Alur, Lee, Kumar, Pappas: University of Pennsylvania  Charon: high-level modeling language and a design environment reflecting the current state.

Similar presentations

Ads by Google