1 Modelling and Validation of Real Time Systems Kim Guldstrand Larsen Paul Pettersson
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 2 BRICS Machine Basic Research in Computer Science Millkr 100 Aalborg Aarhus Tools Other revelvant projects UPPAAL, VHS, VVS
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 3 Tools and BRICS Logic Temporal Logic Modal Logic MSOL Algorithmic (Timed) Automata Theory Graph Theory BDDs Polyhedra Manipulation Semantics Concurrency Theory Abstract Interpretation Compositionality Models for real-time & hybrid systems HOL TLP Applications PVS ALF SPIN visualSTATEUPPAAL
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 4 What? Validation and Verification of software and hardware DESIGNS! (E.g., real time systems, embedded systems, communication protocols)
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 5 A REAL real time system Klaus Havelund, NASA
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 6 Embedded Systems SyncMaster 17GLsi Telephone Tamagotchi Mobile Phone Digital Watch
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 7 Why? zTesting/simulation of designs/implementations may not reveal error (e.g., no errors revealed after 2 days) zFormal verification (=exhaustive testing) of design provides 100% coverage (e.g., error revealed within 5 min). zTOOL support.
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 8 Traditional Software Development The Waterfall Model Analysis Design Implementation Testing Costly in time-to-market and money Errors are detected late or never Application of FM’s as early as possible Problem Area Running System REVIEWS
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 9 Introducing, detecting and repairing errors Liggesmeyer 98
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 10 Formal Verification & Validation Design ModelSpecification Verification & Refusal Analysis Validation FORMAL METHODS Implementation Testing UML
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 11 Formal Verification & Validation Design ModelSpecification Verification & Refusal Analysis Validation FORMAL METHODS Implementation Testing UML TOOLS: UPPAAL visualSTATE SPIN
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 12 Formal Verification & Validation Design ModelSpecification Verification & Refusal Analysis Validation FORMAL METHODS Implementation Testing UML Automatic Code generation TOOLS: UPPAAL visualSTATE …..
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 13 Formal Verification & Validation Design ModelSpecification Verification & Refusal Analysis Validation FORMAL METHODS Implementation Testing UML Automatic Code generation Automatic Test generation TOOLS: UPPAAL visualSTATE …..
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 14 How? Unified Model = State Machine! a b x y a? b? x! y!b? Control states Input ports Output ports
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 15 UPPAAL
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 16 SPIN, Gerald Holzmann AT&T
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 17 visualSTATE zHierarchical state systems zFlat state systems zMultiple and inter- related state machines zSupports UML notation zDevice driver access VVS w Baan Visualstate, DTU (CIT project)
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 18 Train Simulator 1421 machines transitions 2981 inputs 2667 outputs 3204 local states Declare state sp.: 10^476 BUGS ? VVS visualSTATE Our techniuqes has reduced verification time with several orders of magnitude (ex 14 days to 6 sec)
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 19 ‘State Explosion’ problem a cb ,a 4,a 3,a4,a 1,b2,b 3,b4,b 1,c2,c 3,c4,c All combinations = exponential in no. of components M1 M2 M1 x M2 Provably theoretical intractable
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 20 Tool Support TOOL System Description A Requirement F Yes, Prototypes Executable Code Test sequences No! Debugging Information Tools: UPPAAL, SPIN, VisualSTATE, Statemate, Verilog, Formalcheck,... Course Objectives: Model systems and specify requirements Validate models using TOOLS Understand main underlying theoretical and practical problems
IDA foredrag UPPAAL Modelling and Verification of Real Time systems Uppsala (6 persons), Aalborg (10 persons), papers, 6 invited talks/tutorials 9 industrial case studies Pump Controls Airbags Robots Cruise Control ABS CD players E.g.
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 22 Collaborators yWang Yi yJohan Bengtsson yPaul Pettersson yFredrik Larsson yAlexandre David yJustin Pearson y... yKim G Larsen yArne Skou yPaul Pettersson yCarsten Weise yKåre J Kristoffersen yGerd Behrman yThomas Hune y….. yMagnus Lindahl, Francois Laroussinie, Augusto Burgueno, David Griffioen, Ansgar Fehnker, Frits Vandraager, Klaus Havelund, Theo Ruys, Pedro D’Argenio, J-P Katoen, J. Tretmans, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Carsten Weise...
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 23 Dec’96Sep’98
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 24 Dec’96Sep’98 from 7.5 hrs / 527 MB on ONYX with 2GB (4Mill DKK) to sec / 2.1 MB on Pentium 150 MHz, 32 MB or Every 9 month 10 times better performance!
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 25 Hybrid & Real Time Systems Plant Continuous Controller Program Discrete Control Theory Computer Science Eg.: Pump Control Air Bags Robots Cruise Control ABS CD Players Production Lines Real Time System A system where correctness not only depends on the logical order of events but also on their timing Real Time System A system where correctness not only depends on the logical order of events but also on their timing sensors actuators Task
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 26 Validation & Verification Construction of UPPAAL models Plant Continuous Controller Program Discrete sensors actuators Task a cb a cb a cb UPPAAL Model Model of environment (user-supplied) Model of tasks (automatic)
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 27 Intelligent Light Control OffLightBright press? WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 28 Intelligent Light Control OffLightBright press? Solution: Add real-valued clock x X:=0 X<=3 X>3
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 29 Timed Automata n m a Alur & Dill 1990 Clocks: x, y x 3 x := 0 Guard Boolean combination of comp with integer bounds Reset Action perfomed on clocks Transitions ( n, x=2.4, y= ) ( n, x=3.5, y= ) e(1.1) ( n, x=2.4, y= ) ( m, x=0, y= ) a State ( location, x=v, y=u ) where v,u are in R Action used for synchronization
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 30 n m a Clocks: x, y x 3 x := 0 Transitions ( n, x=2.4, y= ) ( n, x=3.5, y= ) e(1.1) ( n, x=2.4, y= ) e(3.2) x<=5 y<=10 Location Invariants g1 g2 g3 g4 Invariants insure progress!! Timed Automata - Invariants
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 31 The UPPAAL Model = Networks of Timed Automata + Integer Variables +…. l1 l2 a! x>=2 i==3 x := 0 i:=i+4 m1 m2 a? y<=4 …………. Two-way synchronization on complementary actions. Closed Systems! (l1, m1,………, x=2, y=3.5, i=3,…..) (l2,m2,……..,x=0, y=3.5, i=7,…..) (l1,m1,………,x=2.2, y=3.7, I=3,…..) 0.2 tau Example transitions If a URGENT CHANNEL
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 32 Lego RCX Brick LEGO MINDSTORMS, LEGO ROBOLAB 3 Input (sensors) Light, rotation, temperature, pressure, Output ports (actuators) motor, light 1 Infra-red port
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 33 First UPPAAL model Sorting of Lego Boxes Conveyer Belt Exercise: Design Controller so that only black boxes are being pushed out Boxes Piston Black Red Blck Rd remove eject Controller Ken Tindell MainSkub_af
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 34 NQC programs task skub_af{ while(true){ wait(Timer(1)>DELAY && active==1); active=0; Rev(OUT_C,1); Sleep(8); Fwd(OUT_C,1); Sleep(12); Off(OUT_C); } task skub_af{ while(true){ wait(Timer(1)>DELAY && active==1); active=0; Rev(OUT_C,1); Sleep(8); Fwd(OUT_C,1); Sleep(12); Off(OUT_C); } int active; int DELAY; int LIGHT_LEVEL; int active; int DELAY; int LIGHT_LEVEL; task main{ DELAY=25; LIGHT_LEVEL=35; active=0; Sensor(IN_1, IN_LIGHT); Fwd(OUT_A,1); Display(1); start skub_af; while(true){ wait(IN_1<=LIGHT_LEVEL); ClearTimer(1); active=1; PlaySound(1); wait(IN_1>LIGHT_LEVEL); } task main{ DELAY=25; LIGHT_LEVEL=35; active=0; Sensor(IN_1, IN_LIGHT); Fwd(OUT_A,1); Display(1); start skub_af; while(true){ wait(IN_1<=LIGHT_LEVEL); ClearTimer(1); active=1; PlaySound(1); wait(IN_1>LIGHT_LEVEL); }
IDA foredrag UPPAAL Demo
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 36 Exercise 2 Each message must be delivered before next message can be accepted. 1. perfect media 2. loosy media 3. retransmission 4. delaying media 5. XXXX Each message must be delivered before next message can be accepted. 1. perfect media 2. loosy media 3. retransmission 4. delaying media 5. XXXX Synchronization between two processes. Sender Receiver K L in sndpass out ack pack
Real Time Systems, DTU, February 1., 2000 Kim G. Larsen & Paul Pettersson UCb 37 Exercise 3 Machine Person Observer cof coin pub Wait y<=3 Ready Wait y<=2 Go coin! y:=0 y=3 cof? y:=0 y=2 pub! Design Machine and Observer