Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Mana Project Lars Asplund Kristina Lundqvist Uppsala University, Information Technology, Dept of Computer Systems.

Published byOswin Murphy Modified over 8 years ago

Similar presentations

Presentation on theme: "The Mana Project Lars Asplund Kristina Lundqvist Uppsala University, Information Technology, Dept of Computer Systems."— Presentation transcript:

1 The Mana Project Lars Asplund Kristina Lundqvist Uppsala University, Information Technology, Dept of Computer Systems

2 The Mana Project Lars Asplund Kristina Lundqvist Uppsala University, Information Technology, Dept of Computer Systems

3 Background Formal methods have been used in a number of safety critical systems –TGV –train signalling system in Paris Today's safety critical systems use cyclic executives. Research take for granted that a system consists of processes (scheduling, priorities), and that there is communications between these. Process based safety critical systems - formal methods (Raven, Enea …)

4 Ada-83 Tasking Rendez-vous Dynamic Hierarchy Termination... Ada83 For High Integrity Systems Subsets: SPARK (No tasking) Boeing... Complex Run-Time No Formal Proofs

5 Ada-95 Tasking Rendez-vous Dynamic Hierarchy Termination... Protected Objects ATC requeue delay until new interrupts task attributes... Ada95Subsets: GNORT (Gnat NO Run-Time) SPARK-95 Ravenscar Tasking Protected Objects delay until new interrupts task attribute

6 Ada 95 and Ravenscar The Ravenscar profile has been proposed as a possible standard runtime support system suitable for safety critical real-time Ada 95 applications. The subset provides enough functionality for targeted systems.

7 Ravenscar - tasking Library level No dynamic creation No unchecked deallocation Non-terminating No entries No user defined attributes Keep task discriminants No ATC

8 Ravenscar - Protected Objects Single Entry Barrier a single Boolean Only one task in the entry queue

9 Ravenscar - Communication No Rendez vous No requeue No select statement Interrupts are mapped only to PO procedures

10 Ravenscar - Real Time delay until for delays No Calendar Clock from Real-Time package No dynamic priorities Immediate Ceiling Priority

11 Ravenscar Key real-time features include: Fixed set of processes (tasks), with fixed priority scheduling. –No hierarchy of tasks. –Tasks are non-terminating. ‘Delay until’ operations, allowing the implementation of periodic tasks. Basic provision for releasing sporadic processes in response to interrupts.

12 Two approaches Build and test –Raven Formally verify –Mana

13 The Mana Project Project Aim: Develop and model a run-time system using formal development methodologies. Implement for the gnu Ada- 95 compiler. Target: Safety critical systems at the highest degree of safety, e.g. Nuclear power plants, ATC, aircraft,...

14 The Mana Project Chosen language: –Subset of Ada 95: Ravenscar Representation model: Timed Automata –FSAs extended with clocks and constraints Verification scheme: A Real-Time Model Checker –UPPAAL: Modelling, simulation, and verification tool

15 A System Model Scheduler PO T1 T2T3 Delay Queue Clock T0 Application Run-Time Kernel P E F Delay until Task dispatch Ready Queue

16 A Verification Session Design.Timed Automata Model of 1. An application (user code) 2. Run-time kernel (Mana) Simulation of design Verification by checking reachability properties

17 A System Model Scheduler PO T1 T2T3 Delay Queue Clock T0 Application Run-Time Kernel P E F Delay until Task dispatch Ready Queue

18 Simple application (T1) task body T1 is -- at priority 1 NextTime : Time := Clock + 30.0; begin loop Work (5); delay until NextTime; PO.P; -- releases the PO entry NextTime := NextTime + 30.0; end loop; end T1; Delay seq Prot Proc

19 Protected Procedure Calling Task Procedure Start Procedure begin Preemption Release of Entry

20 Task T2 task body T2 is -- at priority 2 Cond : Boolean := false; begin loop Work (10); if Cond then PO.E; else Cond := not Cond; Work (5); end if; Work (4); end loop; end T2; Prot Entry

21 Protected Entry Calling Task Entry Start Lock Free and no Barrier Barrier true Released by Procedure

22 Protected Entry Calling Task ExecutingPreemption ExceptionPreemption in exception Normal end

23 Task T3 task body T3 is -- at priority 3 NextTime : Time := Clock + 18.0; begin loop case Cmd is when Ack => for I in 1..4 loop Work (5); PO.P; end loop; when Connect => Work (15); when Disconnect => Work (20); when Send => Work (10); end case; delay until NextTime; NextTime := NextTime + 18.0; end loop; end T3; Prot Proc Delay

24 A view of the System F P E Prot Obj Scheduler T1 T2T3 Delay Queue Clock T0 Delay until Task dispatch Ready Queue

25 Miscellaneous Protected Function Delay Queue System Clock

26 The Run-Time System F P E Prot Obj

27 Task T1 task body T1 is -- at priority 1 NextTime : Time := Clock + 30.0; begin loop work (5); delay until NextTime; PO.P; -- releases the PO entry NextTime := NextTime + 30.0; end loop; end T1; Delay seq Prot Proc

28 Building the System F P E Prot Obj T1

29 Task T2 task body T2 is -- at priority 2 Cond : Boolean := false; begin loop work (10); if Cond then PO.E; else Cond := not Cond; work (5); end if; work (4); end loop; end T2; Prot Entry

30 A more Complete System F P E Prot Obj T1 T2

31 Task T3 task body T3 is -- at priority 3 NextTime : Time := Clock + 18.0; begin loop case Cmd is when Ack => for I in 1..4 loop work (5); PO.P; end loop; when Connect => work (15); when Disconnect => work (20); when Send => work (10); end case; delay until NextTime; NextTime := NextTime + 18.0; end loop; end T3; Prot Proc Delay

32 A Complete System F P E Prot Obj T1 T2 T3

33 Scheduler and Idle process Resume! Suspend! Resume! Preempt! Resume? Pcpu:= PLow Preempt? Start Idle Process is running Resume? Pcpu:= PMed Resume? Pcpu:= PHigh Medium Process available Medium Process running Idle Process Preempted High Process available High Process running Medium Process Preempted Idle Process Scheduler

34 Verifying Reachability Properties Statements format: Invariant(  )  Possible(  ) Where  (atomic-formula) |      |  ’ Examples: –Possible(CPU’Count > 1) At any point in time, there must be only one task executing –Invariant(P.Completed and E.Queue’Count > 0 and E.Barrier imply Exec(E.Code, P.Context))

35 Conclusions and future work Have today modelled a full Ravenscar compliant RTK –PO: priorities, preemption Procedure, Function and Entry Release on behalf –delay until –exception handling in PO –interrupt

36 Conclusions and future work Verified the Mana-RTK together with a small application Next step is to implement the Mana-RTK –Automatic translation from Ada into TA http://www.docs.uu.se/mana

Download ppt "The Mana Project Lars Asplund Kristina Lundqvist Uppsala University, Information Technology, Dept of Computer Systems."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Chapter 7 - Resource Access Protocols (Critical Sections) Protocols: No Preemptions During Critical Sections Once a job enters a critical section, it cannot.

Chapter 7 - Resource Access Protocols (Critical Sections) Protocols: No Preemptions During Critical Sections Once a job enters a critical section, it cannot.
Real-Time Systems and Programming Languages © Alan Burns and Andy Wellings Chapter 12: Programming Schedulable Systems.

Real-Time Systems and Programming Languages © Alan Burns and Andy Wellings Chapter 12: Programming Schedulable Systems.
Priority INHERITANCE PROTOCOLS

Priority INHERITANCE PROTOCOLS
Slide: 1 The Implementation of Ada 2005 Synchronized Interfaces in the GNAT Compiler Javier Miranda Hristian Kirtchev Edmond Schonberg Presentation cover.

Slide: 1 The Implementation of Ada 2005 Synchronized Interfaces in the GNAT Compiler Javier Miranda Hristian Kirtchev Edmond Schonberg Presentation cover.
CprE 458/558: Real-Time Systems (G. Manimaran)1 CprE 458/558: Real-Time Systems Resource Access Control Protocols.

CprE 458/558: Real-Time Systems (G. Manimaran)1 CprE 458/558: Real-Time Systems Resource Access Control Protocols.
Concurrency Important and difficult (Ada slides copied from Ed Schonberg)

Concurrency Important and difficult (Ada slides copied from Ed Schonberg)
Simulation Verification of Different Constraints in System Level Design in SystemC Piyush Ranjan Satapathy CS220 Class Project Presentation.

Simulation Verification of Different Constraints in System Level Design in SystemC Piyush Ranjan Satapathy CS220 Class Project Presentation.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Copyright © 2001 Praxis Critical Systems Limited  New and Exciting Things in the World of SPARK Roderick Chapman Praxis Critical Systems.

Copyright © 2001 Praxis Critical Systems Limited  New and Exciting Things in the World of SPARK Roderick Chapman Praxis Critical Systems.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
Adapted from A. Burns, B. Dobbing, T. Vardanega: Guide for the use of the Ada Ravenscar Profile in high integrity systems, Univ. of York Tech. Report YCS-2003-348,

Adapted from A. Burns, B. Dobbing, T. Vardanega: Guide for the use of the Ada Ravenscar Profile in high integrity systems, Univ. of York Tech. Report YCS ,
From HRT-HOOD to ADA95 Real-Time Systems Lecture 5 Copyright, 2001 © Adam Czajka.

From HRT-HOOD to ADA95 Real-Time Systems Lecture 5 Copyright, 2001 © Adam Czajka.
Tasks Periodic The period is the amount of time between each iteration of a regularly repeated task Time driven The task is automatically activated by.

Tasks Periodic The period is the amount of time between each iteration of a regularly repeated task Time driven The task is automatically activated by.
Automatic Verification of Component-Based Real-Time CORBA Applications Gabor Madl Sherif Abdelwahed

Automatic Verification of Component-Based Real-Time CORBA Applications Gabor Madl Sherif Abdelwahed
..................................... Model for Supporting High Integrity and Fault Tolerance Brian Dobbing, Aonix Europe Ltd Chief Technical Consultant.

Model for Supporting High Integrity and Fault Tolerance Brian Dobbing, Aonix Europe Ltd Chief Technical Consultant.
Transparent Environment for Replicated Ravenscar Applications Luís Miguel Pinho Francisco Vasques Ada-Europe 2002 Vienna, Austria 18-20 June 2002.

Transparent Environment for Replicated Ravenscar Applications Luís Miguel Pinho Francisco Vasques Ada-Europe 2002 Vienna, Austria June 2002.
Chapter 5 Processes and Threads Copyright © 2008.

Chapter 5 Processes and Threads Copyright © 2008.
Building Reliable Software Requirements and Methods.

Building Reliable Software Requirements and Methods.

Similar presentations

Ads by Google