Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shinya Umeno Nancy Lynch’s Group CSAIL, MIT TDS seminar September 18 th, 2009 Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol Using Event.

Published byMelinda Jade Lamb Modified over 8 years ago

Similar presentations

Presentation on theme: "Shinya Umeno Nancy Lynch’s Group CSAIL, MIT TDS seminar September 18 th, 2009 Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol Using Event."— Presentation transcript:

1 Shinya Umeno Nancy Lynch’s Group CSAIL, MIT TDS seminar September 18 th, 2009 Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol Using Event Order Abstraction

2 Shinya Umeno, TDS seminar, September 18 th 2009 FORMATS 2009 The 7th International Conference on Formal Modelling and Analysis of Timed Systems Mostly theory papers (decidability, recognizability, etc). Some application papers (using Alur-Dill automata and UPPAAL). No parametric approach paper, except for mine. FACTS:

3 Shinya Umeno, TDS seminar, September 18 th 2009 Keywords of The Talk Time-Parametric Verification Timing Parameter Constraint Synthesis Real-time System Analysis (Formal Methods) Event-Order-Based Abstraction of Timed Systems Case Study Using an “Industrial” Example

4 Shinya Umeno, TDS seminar, September 18 th 2009 Outline Biphase Mark Protocol (BMP) Our Approach: Event Order Abstraction Case Study Result Bad Event Orders of BMP Parameter Constraints for Bad EOs Timing Constraints for Correctness Human Guidance + Automatic Synthesis Case Studies by Several Approaches (Umeno, EMSOFT 2008)

5 Shinya Umeno, TDS seminar, September 18 th 2009 - is a lower-layer communication protocol for consumer and industrial electronics. - uses timing constraints on system’s behavior to encode and decode bits. Biphase Mark Protocol (BMP) - used in a digital audio protocol, S/PDIF (Sony Philips Digital InterFace)

6 Shinya Umeno, TDS seminar, September 18 th 2009 Biphase Mark Protocol (BMP) Bits to be sent: 1011 Cell: Sub-Cell: (Mark) Signal Time Represents 1 by Toggling, and 0 by Flat signal

7 Shinya Umeno, TDS seminar, September 18 th 2009 Biphase Mark Protocol (BMP) Bits to be sent: 1011 Cell: Sub-Cell: (Mark) Signal: Time Detects a signal level change Detection:

8 Shinya Umeno, TDS seminar, September 18 th 2009 Biphase Mark Protocol (BMP) Bits to be sent: 1011 Cell: Sub-Cell: (Mark) Signal: Time Detects a signal level change Detection: Check a signal level change

9 Shinya Umeno, TDS seminar, September 18 th 2009 Biphase Mark Protocol (BMP) Bits to be sent: 10 11 Cell: Sub-Cell: (Mark) Signal: Time Detection: Decoded Bits: 10 11 Toggling is detectedFlat is detected

10 Shinya Umeno, TDS seminar, September 18 th 2009 Biphase Mark Protocol (BMP) Bits to be sent: 10 11 Cell: Sub-Cell: (Mark) Signal: Time Detection: Decoded Bits: 10 11 Timing Parameters: C, M 1, , T (and Metastability H)

11 Shinya Umeno, TDS seminar, September 18 th 2009 A parametric approach gives the user more information than a fixed-parameter approach (such as the Alur-Dill timed automata approach). Does the system satisfy a desirable property irrespective to parameter settings? If a parameter setting affects system correctness, then what are parameter sets that satisfy the correctness? Why Parametric Approach? Optimization under parameter constraints (Undecidable; Alur et al.)

12 Shinya Umeno, TDS seminar, September 18 th 2009 Our Goal for BMP Case Study Correctness: Synthesize parameter constraints under which the correctness is guaranteed. 1. Sent bits = Decoded bits 2. No decoding overflow/underflow - Special module for tracking the information Goal: SenderReceiver Monitor Signal Toggling Sending BitsDecoded Bits

13 Shinya Umeno, TDS seminar, September 18 th 2009 Why is BMP Parametric Verification Challenging? s 0 (DetectF, Δ ) s 1 (DetectF, 2 Δ ) s 2 (DetectF, 3 Δ ) s 3 … s 0 DetectF s 1 DetectF s 2 DetectF s 3 … Timed execution: Untimed execution: All of s i ’s are different! Reachable state (fixed point) computation will not terminate. All of s i ’s are same (DetectF is just a stuttering transition). (TReX extrapolation technique takes care of this.) Due to repetitions with timing constraints!

14 Shinya Umeno, TDS seminar, September 18 th 2009 Modeling: Time-Interval Automata A time-interval automaton (A,b) is an I/O automaton A with an interval boundmap b. An I/O automaton: Is a classical state transition machine with distinguished input/output/internal actions. Is typically described using a guarded- command style language. Suitable for concurrent/distributed systems.

15 Shinya Umeno, TDS seminar, September 18 th 2009 Interval Boundmap b ( ,  ) = [L, U ] An action of A A set of actions that follow  A lower bound L and an upper bound U for the duration between  and any action in  b ( DetectF, {DetectF, DetectT}) = [  ] Example from BMP: b ( DetectT, {Decode} ) = [  ] (Sampling distance) (Repeated checks)

16 Shinya Umeno, TDS seminar, September 18 th 2009 TIA Code of the Encoder Precondition (transition guard) State variables Transition signatures Effects (transition commands) Time bounds Automaton Declaration

17 Shinya Umeno, TDS seminar, September 18 th 2009 Overview of Our Approach (Event Order Abstraction, EOA) Performed by our tool METEORS 1. Verification of Untimed Model + Event Order Constraints 2. Automatic Synthesis of Timing Parameter Constraints from Event Order Constraints We split timed verification into two parts: Untimed Model Event Order Constraints Bad Event Order Model-Checking Event Order Generalization (Subclass of Regular Expression)

18 Shinya Umeno, TDS seminar, September 18 th 2009 He/she then model-checks: The user first identifies a candidate set of bad event orders (which may be empty). Monitors are constucted by a support tool from the given orders (for model-checking). not SafetyPropertyViolated. A monitor raises a flag if a bad event order is detected in the current model execution. Untimed Model not Monitor.raiseFlag Identifying Bad Event Orders

19 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Edge0New Edge (0 or 1) Decode 1 !! Flat

20 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Edge0New Edge (0 or 1) Decode 1 !! Flat DetectF-DetectF-DetectF-Edge0-DetectT-Edge0-Decode This event order specifies the order of consecutive actions in an automaton execution.

21 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Edge0New Edge (0 or 1) Decode 1 !! Flat > c

22 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Edge0New Edge (0 or 1) Decode 1 !! Flat > c <  < 

23 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Edge0New Edge (0 or 1) Decode 1 !! Flat > c <  <  c > 

24 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Edge0New Edge (Edge0) Flat signal for 0 is completely missed! Metastability

25 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Edge0-(DetectF)*- DetectT- Settle-Edge0 Edge0New Edge (Edge0)

26 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Edge0-(DetectF)*- DetectT- Settle-Edge0 Edge0New Edge (Edge0) < 

27 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Edge0-(DetectF)*- DetectT- Settle-Edge0 Edge0New Edge (Edge0) > c <  < 

28 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Edge0-(DetectF)*- DetectT- Settle-Edge0 Edge0New Edge (Edge0) > c <  <  c > 

29 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Decode- (DetectF)*- Edge1S-(DetectF)*-Settle-Edge1T Edge1SEdge1T

30 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Decode- (DetectF)*- Edge1S-(DetectF)*-Settle-Edge1T Edge1SEdge1T

31 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Decode- (DetectF)*- Edge1S-(DetectF)*-Settle-Edge1T Edge1SEdge1T

32 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Decode- (DetectF)*- Edge1S-(DetectF)*-Settle-Edge1T Edge1SEdge1T > m 1

33 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Decode- (DetectF)*- Edge1S-(DetectF)*-Settle-Edge1T Edge1SEdge1T > m 1 < H

34 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Decode- (DetectF)*- Edge1S-(DetectF)*-Settle-Edge1T Edge1SEdge1T > m 1 <  < H

35 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenario Example of BMP Decode- (DetectF)*- Edge1S-(DF)*- DF -Settle-Edge1T Edge1SEdge1T > m 1 <  < H Unwinding ! m1 > m1 > 

36 Shinya Umeno, TDS seminar, September 18 th 2009 Our Tool: METEORS One event order: Disjunction of linear inequalities Multiple event orders: Conjunction of disjunction of linear inequalities - Automatic decomposition Simplification of resulting constraint - All derivable bounds

37 Shinya Umeno, TDS seminar, September 18 th 2009 Bad Scenarios of BMP From page 269 of the proceedings:

38 Shinya Umeno, TDS seminar, September 18 th 2009 Sufficient Parameter Constraints m 1 > H +   > M 1 + H c > H +  + T It is sufficient to satisfy three constraints for correctness of BMP. METEORS reported:

39 Shinya Umeno, TDS seminar, September 18 th 2009 Related Work (BMP Verification) UPPAAL and PVS: Calendar Automata: HyTech: Vaandrager, F.W., de Groot, A.: Analysis of a biphase mark protocol with UPPAAL and PVS. 2006 Brown, G.M., Pike, L.: Easy parameterized verification of biphase mark and 8N1 protocols. 2006 Henzinger, T., Preussig, J., Wong-Toi, H.: Some lessons from the HYTECH experience. 2001 - Bad event order are found using UUPAAL - Constraints are manually derived from bad orders. - Correctness under the derived constraints is proved using PVS. - BMP is modeled using Calendar Automata framework for SAL - Correctness under the derived constraints is proved using SAL (inductive invariants must be used though proof is automatic.) Verification Synthesis - Some parameters are fixed. - Model is modified: no repetitive checks with time bounds

40 Shinya Umeno, TDS seminar, September 18 th 2009 Other Case Studies of EOA IEEE 1394 (FireWire / i-Link), Root Contention Protocol Train-Gate Toy Problem Fischer’s Mutual Exclusion Algorithm (Randomness is abstracted)

41 Shinya Umeno, TDS seminar, September 18 th 2009 Summary and Future Work We synthesized parameter constraints of BMP using Event Order Abstraction (METEORS and SAL are used). Future work: Automatic bad event order identification - List of counter examples from model-checking - Automatic “chopping” and generalization??

Download ppt "Shinya Umeno Nancy Lynch’s Group CSAIL, MIT TDS seminar September 18 th, 2009 Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol Using Event."

Similar presentations

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Analysis of Computer Algorithms

Analysis of Computer Algorithms
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Budapest University of Technology and EconomicsDagstuhl 2004 Department of Measurement and Information Systems 1 Towards Automated Formal Verification.

Budapest University of Technology and EconomicsDagstuhl 2004 Department of Measurement and Information Systems 1 Towards Automated Formal Verification.
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.

“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
Timed Automata.

Timed Automata.
UPPAAL Andreas Hadiyono Arrummaisha Adrifina Harya Iswara Aditya Wibowo Juwita Utami Putri.

UPPAAL Andreas Hadiyono Arrummaisha Adrifina Harya Iswara Aditya Wibowo Juwita Utami Putri.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.

1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Presenter: PCLee – 2011.03.02. This paper outlines the MBAC tool for the generation of assertion checkers in hardware. We begin with a high-level presentation.

Presenter: PCLee – This paper outlines the MBAC tool for the generation of assertion checkers in hardware. We begin with a high-level presentation.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
1 Formal Models for Stability Analysis : Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL Research Qualifying Exam 20 th December.

1 Formal Models for Stability Analysis : Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL Research Qualifying Exam 20 th December.

Similar presentations

Ads by Google