Verification of real-time systems in UPPAAL
Kim G. Larsen, BRICS@Aalborg

Formal Methods: Automatic Validation and Verification Tools
Kim Guldstrand Larsen, BRICS@Aalborg, Institute of Computer Science, Aalborg University

Formal methods seem to be finding their way into industrial software engineering practice. In particular, methods based on fully automatic verification tools have long been established practice for hardware designs. Today an increasing number of (commercial) tools offering automatic verification support for industrial designs of embedded systems, real-time systems and communication protocols are emerging. The scalability of these tools has improved significantly thanks to recent scientific advances in the underlying algorithmic techniques, which have allowed large industrial applications to be verified.

The talk presents the tool UPPAAL, a tool suite for validating and verifying real-time system models. The tool has been developed since 1995 in collaboration between Aalborg and Uppsala Universities. The presentation is based on an on-line demonstration and surveys the industrial applications of UPPAAL. The final part of the talk addresses visualSTATE, a commercial tool for automatic validation and verification of embedded system models; in addition, visualSTATE allows automatic generation of efficient code for a number of platforms. Recent collaboration between visualSTATE, BRICS@Aalborg and DTU has resulted in truly significant advances in the size of systems that can be dealt with.
Research Profile: Distributed Systems & Semantics Unit
- Semantic models: concurrency, mobility, objects, real-time and hybrid systems
- Validation & verification: algorithms and tools
- Construction: real-time and network systems

BRICS (Basic Research in Computer Science), Aarhus and Aalborg
- Funding: 30 + 40 + 40 million DKK
- Tools
- Other relevant projects: UPPAAL, VHS, VVS, WOODDES

Tools and BRICS
- Tools: visualSTATE, UPPAAL, SPIN, PVS, HOL, ALF, TLP; applications
- Semantics: concurrency theory, abstract interpretation, compositionality, models for real-time and hybrid systems
- Algorithmics: (timed) automata theory, graph theory, BDDs, polyhedra manipulation
- Logic: temporal logic, modal logic, MSOL
A REAL real-time system (Klaus Havelund, NASA)

Embedded systems: SyncMaster 17GLsi (monitor), mobile phone, telephone, digital watch, Tamagotchi
Introducing, Detecting and Repairing Errors (Liggesmeyer 98)
Suggested solution? Model-based validation, verification and testing of software and hardware.
Verification & Validation in the development flow: Analysis → Design → Model / Specification → Implementation → Testing.
- Validation at the analysis and design level
- Verification (and refusal of faulty designs) on the model, written in notations such as UML or SDL
- Model extraction from the implementation back to the model
- Automatic code generation from the model to the implementation
- Automatic test generation from the model to the testing phase
How? Unified model = state machine: control states, input ports (e.g. b?) and output ports (e.g. y!), with internal variables (x, y).

Tamagotchi as a state machine. Inputs: buttons A, B, C. Top-level states ALIVE and DEAD; ALIVE has substates Passive, Feeding (Light Meal, Snack) and Care (Clean, Medicine, Discipline, Play), navigated with A and B. A Tick event performs Health := Health - 1; Age := Age + 1. When Health = 0 or Age = 2.000 (i.e. 2000) the machine moves to DEAD.
SYNCmaster
Digital Watch
visualSTATE (Baan Visualstate, DTU; VVS, a CIT project)
- Hierarchical and flat state systems
- Multiple and inter-related state machines
- Supports UML notation
- Device driver access

The SDL Editor (process level)

SPIN, Gerard Holzmann, AT&T
UPPAAL
The 'state explosion' problem. The product M1 x M2 of M1 (locations 1, 2, 3, 4) and M2 (locations a, b, c) has all combinations (1,a), (2,a), (3,a), (4,a), (1,b), (2,b), (3,b), (4,b), (1,c), (2,c), (3,c), (4,c) as states. All combinations means the state space is exponential in the number of components; the problem is provably theoretically intractable.

Train Simulator (VVS, visualSTATE): 1421 machines, 11102 transitions, 2981 inputs, 2667 outputs, 3204 local states; declared state space 10^476. BUGS? Our techniques have reduced verification time by several orders of magnitude (e.g. from 14 days to 6 seconds).

Tool support (model checking): given a system description A and a requirement F, the TOOL answers either "No!" together with debugging information, or "Yes", together with prototypes, executable code and test sequences. Tools: Telelogic, Verilog, UPPAAL, SPIN, MV, Statemate, visualSTATE, FormalCheck, VeriSoft, Java Pathfinder, …

UPPAAL: Modelling and Verification of Real-Time Systems, www.uppaal.com. UPPAAL2k: more than 800 users in more than 35 countries.
Collaborators
- @Aalborg: Kim G Larsen, Arne Skou, Paul Pettersson, Carsten Weise, Kåre J Kristoffersen, Gerd Behrman, Thomas Hune, Oliver Möller, Nicky Oliver Bodentien, Lasse Poulsen
- @Uppsala: Wang Yi, Johan Bengtsson, Paul Pettersson, Fredrik Larsson, Alexandre David, Tobias Amnell, Oliver Möller
- @Elsewhere: David Griffioen, Ansgar Fehnker, Frits Vaandrager, Klaus Havelund, Theo Ruys, Pedro D'Argenio, J-P Katoen, J. Tretmans, Judi Romijn, Ed Brinksma, Franck Cassez, Magnus Lindahl, Francois Laroussinie, Patricia Bouyer, Augusto Burgueno, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Justin Pearson, ...
Here you see all the contributors over the years.

Hybrid & real-time systems (control theory meets computer science): a discrete controller (a program made of tasks) reads sensors and drives actuators of a continuous plant. Examples: pump control, air bags, robots, cruise control, ABS, CD players, production lines. A real-time system is a system where correctness depends not only on the logical order of events but also on their timing.

Construction of UPPAAL models: a model of the controller's tasks (automatic?) is composed with a model of the environment (user-supplied); the result is a UPPAAL model, a network of automata.
Timed automata (Alur & Dill 1990). Clocks: x, y.
- Guard: a Boolean combination of integer bounds on clocks and clock differences, e.g. x<=5 & y>3.
- Action (a): used for synchronization.
- Reset: an action performed on clocks, e.g. x := 0.
- State: (location, x=v, y=u) where v, u are reals.
- Action transition along the edge n --[x<=5 & y>3] a, x:=0--> m:
    (n, x=2.4, y=3.1415) --a--> (m, x=0, y=3.1415)
- Delay transition e(d), all clocks advance by d:
    (n, x=2.4, y=3.1415) --e(1.1)--> (n, x=3.5, y=4.2415)

Timed automata with invariants. Location invariants, e.g. x<=5 on n and y<=10 on m, bound how long the automaton may stay in a location: from (n, x=2.4, y=3.1415) the delay e(1.1) to (n, x=3.5, y=4.2415) is allowed, but e(3.2) is not, since x would reach 5.6 and violate x<=5. Invariants ensure progress!!
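The two transition kinds above, delay and action, are easy to get wrong in a hand-written simulator (forgetting to re-check the invariant after a delay, or resetting before the guard is evaluated). The following is an added example, not code from the slides or from the UPPAAL tool: a minimal timed-automaton semantics in Python that replays the slide's automaton (n with invariant x<=5, edge n --[x<=5 & y>3] a, x:=0--> m, m with invariant y<=10). The names `val`, `slide_automaton` and `slide_run` are this example's own. Clock values are exact rationals so the slide's decimals compare exactly.

```python
from fractions import Fraction
from typing import Callable, Dict, Optional, Tuple

# Clock valuations are exact rationals so that the slide's values
# (2.4 + 1.1 = 3.5, 3.1415 + 1.1 = 4.2415) compare exactly.
Valuation = Dict[str, Fraction]
State = Tuple[str, Valuation]            # (location, clock valuation)
Pred = Callable[[Valuation], bool]


def val(**clocks) -> Valuation:
    """Build a valuation from decimal strings or numbers, e.g. val(x='2.4', y='3.1415')."""
    return {c: Fraction(str(v)) for c, v in clocks.items()}


class Edge:
    """Discrete transition src --[guard] action / resets--> dst."""
    def __init__(self, src: str, dst: str, action: str, guard: Pred, resets=()):
        self.src, self.dst, self.action = src, dst, action
        self.guard, self.resets = guard, tuple(resets)


class TimedAutomaton:
    def __init__(self, invariants: Dict[str, Pred], edges):
        self.invariants = invariants      # location -> predicate over a valuation
        self.edges = list(edges)

    def _inv(self, loc: str, v: Valuation) -> bool:
        return self.invariants.get(loc, lambda _: True)(v)

    def delay(self, state: State, d) -> Optional[State]:
        """Delay transition e(d): every clock advances by d, allowed only while the
        location invariant keeps holding.  UPPAAL invariants are conjunctions of
        upper bounds (x <= c, x < c), so checking the end point of the delay is
        enough: if it holds at the end it held at every intermediate instant."""
        loc, v = state
        d = Fraction(str(d))
        if d < 0:
            raise ValueError("time cannot run backwards")
        v2 = {c: t + d for c, t in v.items()}
        return (loc, v2) if self._inv(loc, v2) else None

    def fire(self, state: State, action: str) -> Optional[State]:
        """Action transition: take the first enabled edge labelled `action` from the
        current location; the guard is evaluated BEFORE the resets, and the target
        location's invariant must hold after them."""
        loc, v = state
        for e in self.edges:
            if e.src == loc and e.action == action and e.guard(v):
                v2 = dict(v)
                for c in e.resets:
                    v2[c] = Fraction(0)
                if self._inv(e.dst, v2):
                    return (e.dst, v2)
        return None


def slide_automaton() -> TimedAutomaton:
    """The slide's automaton: n (x<=5) --[x<=5 & y>3] a, x:=0--> m (y<=10)."""
    return TimedAutomaton(
        invariants={'n': lambda v: v['x'] <= 5, 'm': lambda v: v['y'] <= 10},
        edges=[Edge('n', 'm', 'a',
                    guard=lambda v: v['x'] <= 5 and v['y'] > 3, resets=('x',))],
    )


def slide_run() -> Dict[str, Optional[State]]:
    """Replays the slide's transitions from (n, x=2.4, y=3.1415)."""
    ta = slide_automaton()
    s0 = ('n', val(x='2.4', y='3.1415'))
    return {
        'delay_1.1': ta.delay(s0, '1.1'),   # (n, x=3.5, y=4.2415)
        'action_a':  ta.fire(s0, 'a'),      # (m, x=0,   y=3.1415)
        'delay_3.2': ta.delay(s0, '3.2'),   # None: x would reach 5.6 > 5
    }


if __name__ == '__main__':
    for name, result in slide_run().items():
        print(name, result)
```

The `delay_3.2` case is the one the invariant slide makes: time cannot pass beyond the invariant, which is what forces the automaton to eventually take the edge to m (progress).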
The UPPAAL model = networks of timed automata + integer variables + … Two-way synchronization on complementary actions (a! and a?). Closed systems!
Example: process P has an edge l1 --[x>=2, i==3] a!, x:=0, i:=i+4--> l2 and process Q has an edge m1 --[y<=4] a?--> m2. Example transitions:
    (l1, m1, …, x=2, y=3.5, i=3, …) --tau--> (l2, m2, …, x=0, y=3.5, i=7, …)   (the handshake on a appears as an internal step)
    (l1, m1, …, x=2, y=3.5, i=3, …) --0.2--> (l1, m1, …, x=2.2, y=3.7, i=3, …)   (not allowed if a is an URGENT CHANNEL)

Timed automata in UPPAAL = timed (safety) automata
+ urgent actions
+ urgent locations
+ committed locations
+ data variables (with bounded domains)
+ arrays of data variables
+ constants
+ guards and assignments over data variables and arrays
+ templates with local clocks, data variables and constants

Declarations in UPPAAL:
    clock x1, …, xn;
    int i1, …, im;
    chan a1, …, ao;
    const c1 n1, …, cp np;
Examples:
    clock x, y;
    int i, J0;
    int[0,1] k[5];        array k of five booleans
    const delay 5, true 1, false 0;

Timed automata in UPPAAL, annotated: location invariants (x<=5 on n, y<=10 on m), clock guards (x<=5 & y>3), data guards, actions (a), clock assignments (x := 0, a clock is assigned a natural number).
Urgent channels: urgent chan hurry;
Informal semantics: no delay is possible when a transition with an urgent action can be taken.
Restrictions: no clock guard is allowed on transitions with urgent actions; invariants and data-variable guards are allowed.

Urgent locations (click "Urgent" in the State Editor).
Informal semantics: no delay in an urgent location.
Note: urgent locations reduce the number of clocks in a model, and thus the complexity of the analysis.

Committed locations (click "Committed" in the State Editor).
Informal semantics: no delay in a committed location, and the next transition must involve an automaton in a committed location.
Note: committed locations reduce the number of clocks in a model and allow a more space- and time-efficient analysis.

UPPAAL specification language:
    A[] p    (AG p: p holds in all reachable states)
    E<> p    (EF p: p holds in some reachable state)
    p ::= a.l | gd | gc | p and p | p or p | not p | p imply p | ( p )
where a.l is a process location, gd a data guard and gc a clock guard.
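An added example, not code from the slides or from UPPAAL, tying the three preceding points together: the state-explosion slide (the product of components), the network slide (two-way synchronization on a! / a? with integer variables, closed system) and the specification language (E<> and A[] over process locations and data guards). It is explicit-state reachability over an untimed network, so the clock guards of the network slide (x>=2, y<=4) are dropped and no zones or DBMs are involved; UPPAAL's real engine is symbolic. The processes `toggles` and `handshake_net`, and the helpers `at` and `var`, are constructed for this example.

```python
from collections import deque
from typing import Callable, Dict, List, Set, Tuple

Store = Tuple[Tuple[str, int], ...]        # shared integers as sorted, hashable pairs
State = Tuple[Tuple[str, ...], Store]      # (location vector, store)
Prop = Callable[[State], bool]


class Edge:
    """src --[guard] sync / update--> dst.  sync is None (internal), 'a!' or 'a?'."""
    def __init__(self, src, dst, sync=None, guard=lambda s: True, update=lambda s: s):
        self.src, self.dst, self.sync, self.guard, self.update = src, dst, sync, guard, update


class Process:
    def __init__(self, name: str, init: str, edges: List[Edge]):
        self.name, self.init, self.edges = name, init, edges

    def enabled(self, loc: str, store: Dict[str, int], sync):
        return [e for e in self.edges if e.src == loc and e.sync == sync and e.guard(store)]


def _pack(locs, store: Dict[str, int]) -> State:
    return tuple(locs), tuple(sorted(store.items()))


def successors(procs: List[Process], state: State) -> List[State]:
    locs, store = state
    d = dict(store)
    out: List[State] = []
    # 1. internal move of a single process (interleaving)
    for i, p in enumerate(procs):
        for e in p.enabled(locs[i], d, None):
            nl = list(locs); nl[i] = e.dst
            out.append(_pack(nl, e.update(dict(d))))
    # 2. two-way handshake a! / a?: both guards are evaluated on the old store,
    #    then the sender's update runs before the receiver's (UPPAAL's order).
    #    A lone a! with no partner is simply not enabled: the system is closed.
    chans = {e.sync[:-1] for p in procs for e in p.edges if e.sync}
    for ch in chans:
        for i, p in enumerate(procs):
            for es in p.enabled(locs[i], d, ch + '!'):
                for j, q in enumerate(procs):
                    if j == i:
                        continue
                    for er in q.enabled(locs[j], d, ch + '?'):
                        nl = list(locs); nl[i] = es.dst; nl[j] = er.dst
                        out.append(_pack(nl, er.update(es.update(dict(d)))))
    return out


def reachable(procs: List[Process], store: Dict[str, int]) -> Set[State]:
    """Breadth-first exploration of the product (interleaving) automaton."""
    init = _pack([p.init for p in procs], store)
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for t in successors(procs, s):
            if t not in seen:
                seen.add(t); todo.append(t)
    return seen


def e_diamond(procs, store, prop: Prop) -> bool:   # E<> prop: some reachable state satisfies prop
    return any(prop(s) for s in reachable(procs, store))

def a_box(procs, store, prop: Prop) -> bool:       # A[] prop == not E<> not prop
    return not e_diamond(procs, store, lambda s: not prop(s))

def at(procs, name, loc) -> Prop:                  # the atomic proposition P.l of the slide
    i = [p.name for p in procs].index(name)
    return lambda s: s[0][i] == loc

def var(name, value) -> Prop:                      # data guard name == value
    return lambda s: dict(s[1]).get(name) == value


def toggles(n: int) -> List[Process]:
    """n independent two-location processes: the product has 2**n states (the M1 x M2 blow-up)."""
    return [Process(f'T{i}', 'off', [Edge('off', 'on'), Edge('on', 'off')]) for i in range(n)]

def handshake_net() -> List[Process]:
    """The network slide without clocks: P: l1 --[i==3] a! / i:=i+4--> l2,  Q: m1 --a?--> m2."""
    P = Process('P', 'l1', [Edge('l1', 'l2', 'a!', guard=lambda s: s['i'] == 3,
                                 update=lambda s: {**s, 'i': s['i'] + 4})])
    Q = Process('Q', 'm1', [Edge('m1', 'm2', 'a?')])
    return [P, Q]


if __name__ == '__main__':
    for n in (1, 5, 10):
        print(n, 'toggles ->', len(reachable(toggles(n), {})), 'states')
    net = handshake_net()
    print('E<> P.l2 and i==7:',
          e_diamond(net, {'i': 3}, lambda s: at(net, 'P', 'l2')(s) and var('i', 7)(s)))
```

The toggles network makes the state-explosion slide concrete (1024 states for ten trivial components), while the handshake network shows why UPPAAL models are closed: with i initialised to anything but 3 the a! edge never pairs with a? and P.l2 is unreachable.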
BRICK SORTING
First UPPAAL model: sorting of Lego boxes (Ken Tindell). A conveyor belt carries red and black boxes past a light sensor; a piston ejects boxes so they can be removed. The controller consists of the tasks MAIN and PUSH. Exercise: design the controller so that only black boxes are pushed out.

NQC programs (Not Quite C for the Lego RCX; the NQC 1.x API names are kept as on the slide, and DELAY / LIGHT_LEVEL are calibrated elsewhere):

    int active;          /* set by MAIN when a dark box passes, cleared by PUSH */
    int DELAY;           /* time from sensor to piston, in timer ticks */
    int LIGHT_LEVEL;     /* threshold distinguishing black from red boxes */

    task MAIN {
        Sensor(IN_1, IN_LIGHT);        /* light sensor on input 1 */
        Fwd(OUT_A, 1);                 /* start the conveyor belt */
        Display(1);
        start PUSH;
        while (true) {
            wait(IN_1 <= LIGHT_LEVEL); /* a dark (black) box is under the sensor */
            ClearTimer(1);             /* timer 1 measures time since detection */
            active = 1;
            PlaySound(1);
            wait(IN_1 > LIGHT_LEVEL);  /* box has passed the sensor */
        }
    }

    task PUSH {
        while (true) {
            wait(Timer(1) > DELAY && active == 1);
            active = 0;
            Rev(OUT_C, 1);             /* extend the piston */
            Sleep(8);
            Fwd(OUT_C, 1);             /* retract it */
            Sleep(12);
            Off(OUT_C);
        }
    }

Note that `active` and timer 1 are shared between the two tasks without any locking; whether a second box detected during the push is handled correctly is exactly the kind of timing question the UPPAAL model answers.

From RCX to UPPAAL: RCX tasks such as MAIN are compiled into timed-automata models, and the model includes the RCX's round-robin scheduler. Presented at ECRTS 2000.
The Production Cell Course at DTU, Copenhagen
TRAIN CROSSING
Train crossing: trains pass through a stoppable area and the crossing over the river, with timing bounds [10,20], [3,5] and [7,15]; the gate keeps a queue of waiting trains.

Train crossing model: communication via channels and a shared variable. Train/gate channels: appr, stop, leave, go. Queue operations: empty, nonempty, hd, add, rem.
Communication Protocols CSMA/CD BRP ……
CSMA/CD protocol, MAC layer. Events:
- send: service provided by the MAC, which reacts by transmitting a message
- rec (receive): service provided by the MAC, indicates that a message is ready to be received
- b (begin): MAC begins message transmission to the medium M
- e (end): MAC terminates message transmission to M
- br (begin receive): M begins message delivery to the MAC
- er (end receive): M terminates message delivery to the MAC
- b (collision): MAC is notified that a collision has occurred on M
Philips Bounded Retransmission Protocol [D’Argenio et.al. 97]
Protocol overview: developed by Philips to transfer data between audio/video components via infra-red communication. Data files are sent in smaller chunks. Problem: the communication medium is unreliable. The sender retransmits if the receiver responds too late; the receiver aborts if the sender sends too late.

Overview of BRP: Sender S and Receiver R communicate through the lossy media K (chunks pi from S to R) and L (acks from R to S). Input: file = p1, …, pn. Output: p1, …, pn.

How it works. Sender input: file = p1, …, pn.
- S sends (p1, FST, 0), (p2, INC, 1), …, (pn-1, INC, 1), (pn, OK, 0): FST marks the first part of the file, INC that more parts will follow, OK the last part (whole file OK).
- R sends: ack, …, ack.
- S retransmits pi on timeout.
- Receiver receives: p1, …, pn.
- Sender and Receiver receive NOK or OK.
Case studies, protocols:
- Philips Audio Protocol [HS'95, CAV'95, RTSS'95, CAV'96]
- Collision-Avoidance Protocol [SPIN'95]
- Bounded Retransmission Protocol [TACAS'97]
- Bang & Olufsen Audio/Video Protocol [RTSS'97]
- TDMA Protocol [PRFTS'97]
- Lip-Synchronization Protocol [FMICS'97]
- Multimedia Streams [DSVIS'98]
- ATM ABR Protocol [CAV'99]
- ABB Fieldbus Protocol [ECRTS'2k]
- IEEE 1394 Firewire Root Contention (2000)

Case studies, controllers:
- Gearbox Controller [TACAS'98]
- Bang & Olufsen Power Controller [RTPS'99, FTRTFT'2k]
- SIDMAR Steel Production Plant [RTCSA'99, DSVV'2k]
- Real-Time RCX Control Programs [ECRTS'2k]
- Experimental Batch Plant (2000)
- RCX Production Cell (2000)

BRP model overview: S sends frames (pi, INDication, abit) over the lossy medium K; R returns ack over the lossy medium L. R delivers IND, ok and nok to the Receiver; S delivers ok, nok and dk (don't know) to the Sender.

The lossy media: one-place capacity, with delay, value-passing, and lossy (may drop messages).

Bounded retransmission: S sends a chunk pi and waits for an ack from R. On timeout the chunk is retransmitted. After too many timeouts the transmission fails and NOK is sent to the Sender. If the whole file is sent successfully, OK is sent to the Sender. The Receiver side is similar.
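The exchange described above, as an added example that is not part of the slides or of the D'Argenio et al. model: a deterministic replay of one BRP transfer over the lossy media K and L, with both sides' messages recorded in a trace. The loss patterns `drop_k` / `drop_l` are constructed inputs (which transmission numbers each medium drops); the indications FST/INC/OK and the alternating bit come from the slides, and the choice to label a single-chunk file OK is this example's own. The receiver-side abort (sender too late) is not modelled, only the sender's bounded retry.

```python
from typing import Dict, FrozenSet, List, Tuple


def brp_run(chunks: List[str], max_retries: int,
            drop_k: FrozenSet[int] = frozenset(),
            drop_l: FrozenSet[int] = frozenset()) -> Dict[str, object]:
    """Replay one BRP transfer over the lossy media K (S -> R) and L (R -> S).

    drop_k / drop_l are CONSTRUCTED loss patterns: the 0-based transmission
    numbers on each medium that get dropped.  The sender retransmits a chunk on
    timeout at most max_retries times and then gives up with NOK.  The receiver
    uses the alternating bit to discard duplicates caused by lost acks.
    """
    n = len(chunks)
    delivered: List[str] = []
    trace: List[Tuple[str, object]] = []
    expected_bit = 0
    k_tx = l_tx = 0                              # transmission counters per medium

    for i, p in enumerate(chunks):
        ind = 'OK' if i == n - 1 else ('FST' if i == 0 else 'INC')
        abit = i % 2
        retries = 0
        while True:
            frame = (p, ind, abit)
            trace.append(('S->K', frame))
            acked = False
            lost = k_tx in drop_k
            k_tx += 1
            if not lost:
                trace.append(('K->R', frame))
                if abit == expected_bit:        # new chunk: deliver it and flip the bit
                    delivered.append(p)
                    expected_bit ^= 1
                else:                           # retransmission of a chunk already delivered
                    trace.append(('R', 'duplicate ignored'))
                trace.append(('R->L', 'ack'))   # R acks either way, so S can move on
                lost_ack = l_tx in drop_l
                l_tx += 1
                if not lost_ack:
                    trace.append(('L->S', 'ack'))
                    acked = True
            if acked:
                break
            trace.append(('S', 'timeout'))
            retries += 1
            if retries > max_retries:           # bounded retransmission: give up
                trace.append(('S', 'NOK'))
                return {'sender': 'NOK', 'receiver': delivered, 'trace': trace}
    trace.append(('S', 'OK'))
    return {'sender': 'OK', 'receiver': delivered, 'trace': trace}


if __name__ == '__main__':
    # Constructed file of three chunks; the first ack is lost on L, so p1 is resent
    # and the receiver must recognise the duplicate by its alternating bit.
    result = brp_run(['p1', 'p2', 'p3'], max_retries=2, drop_l=frozenset({0}))
    for event in result['trace']:
        print(event)
    print(result['sender'], result['receiver'])
```

Two cases are worth running: a lost ack (the receiver must not deliver the chunk twice, which is what the alternating bit buys), and a chunk lost more than `max_retries` times (the sender must stop retrying and report NOK rather than spin forever). Both are the kind of property one would state as A[] / E<> queries against the UPPAAL model.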
Process S
Process R
The Sender and Receiver
"If you want to know more"
- Test & Verification: http://www.cs.auc.dk/~ejersbo/tov/Plan.html
- BRICS@Aalborg: http://www.cs.auc.dk/research/FS/
- UPPAAL: http://www.uppaal.com
- WOODDES, ATT (VHS): http://www.docs.uu.se/docs/rtmv/wooddes/ and http://www-verimag.imag.fr/VHS/main.html
- Strategic Directions in Computing Research, Formal Methods Working Group, ACM, June 1996: http://www.cs.cmu.edu/afs/cs/usr/wing/www/mit/mit.html