1. Formal Methods for Real- Time Embedded Software Engineering 正規方法應用於即時嵌入式 軟體工程 熊博安 國立中正大學資訊工程學系 民國九十一年五月二十二日

2. 2002/05/22 2 What will I talk about ? What is a real-time system? What is an embedded system? Why software? Why formal synthesis? What is real-time embedded software engineering? Real-world applications? Future work?

3. 2002/05/22 3 What is a REAL-TIME SYSTEM? Timely Response Predictable Response System Correctness: Timing (period, deadlines, etc.) Function Constraints: Hard (meet ALL deadlines) Soft (miss SOME deadlines)

4. 2002/05/22 4 Examples of Real-Time Systems multimedia servers automobiles air crafts telecommunications

5. 2002/05/22 5 What is an EMBEDDED SYSTEM? Installed in a larger system Dedicated task Small Memory Space (200~400 KB) Low Processing Power (100~200 MHz ) Unstable Environment (mobile, …) Reactive Real-Time

6. 2002/05/22 6 Embedded Systems Example medical instrumentshome appliancesoffice equipments space crafts research lab equipments factory automation

7. 2002/05/22 7 Embedded System Architecture

8. 2002/05/22 8 Why SOFTWARE? more than 70% software in many real- time embedded systems!!! software is more flexible and easily reconfigurable, hence more errors!!! real-time  need for temporally correct software embedded  need for small, efficient software

9. 2002/05/22 9 Why FORMAL SYNTHESIS? More software  high complexity  need for correct design (formal synthesis) Immature formal synthesis techniques for real- time embedded software Need formal verification techniques to eliminate critical errors not found by simulation and testing Automatic code generation Code optimizations decrease size increase efficiency

10. 2002/05/22 10

11. 2002/05/22 11

12. 2002/05/22 12

13. 2002/05/22 13 What is real-time embedded software engineering? Model for real-time embedded systems? Set of concurrent tasks with memory and timing constraints! Feasible execution in an embedded system? (e.g. a 100MHz CPU, 256 KB RAM) Task scheduling! Automatically generate code? Map schedules to software code! Code optimizations? Minimize size, maximize efficiency!

14. 2002/05/22 14 Synthesis Issues and Solutions 2. Real-Time Constraints 1. Bounded Memory Execution Extended Quasi- Static Scheduling (EQSS) Proposed Solutions: Real-Time Scheduling (RTS) Hard Real-Time Firing Interval Bound Synthesis (FIBS) Soft Real-Time

15. 2002/05/22 15 System Model: Petri Nets Petri Net, Carl Adam Petri. Kommunikation mit Automaten. PhD thesis, Institut für instrumentelle Mathematik, Bonn, 1962. Petri Nets have been successfully used for system modeling and analysis concurrent / parallel systems fault-tolerant systems system performance evaluation communication protocol engineering embedded software engineering control systems

16. 2002/05/22 16 Colored Time Petri Nets (with Complex-Choices) A Colored Time Petri Net is a 6-tuple (P, T, C, , M 0,  ): P is a non-empty finite set of places T is a non-empty finite set of transitions C is a finite set of colors representing data classes  :  P  T    T  P  = 2 N  C is a weighted flow relation between transitions and places. M 0 is an initial marking (distribution of tokens to places)  : T  N*   N*   is a timing interval in which firings are valid (earliest and latest firing time)

17. 2002/05/22 17 Colored Time Petri Nets (CTPN) P = {p 0, p 1, p 2, p 3, p 4 }, T = {t 0, t 1, t 2, t 3, t 4, t 5 }, C = {grey, red,blue},  (t 1, p 2 ) = {(3,grey)}, … M 0 ={((1, grey), p 0 ), ((1, red), p 0 ), ((1, blue), p 1 )},   t 1  = (1, 5), …

18. 2002/05/22 18 Colored Time Petri Nets (CTPN) Model Extensions: Models memory usages by colored tokens Models timing behaviors by firing time intervals Allows complex choices (instead of free choice only) Advantages: Explicit memory estimation Explicit worst case timing estimation Larger domain of applications

19. 2002/05/22 19 FCPN v/s CTPN (a) Free-Choice Petri Net(b) Complex-Choice Petri Net (An Automatic Cruise Controller)

20. 2002/05/22 20 Synthesis Algorithm (Hard RTES) Synthesize_Hard_RTES(S, ,   EQSS = Ext_Quasi_Static_Schedule(S,  if (EQSS == NULL) return MemOverFlow; RTS = Real_Time_Sched(S, QSS,  if (RTS == NULL) return RTS_Error; else Code = Code_Gen(S, QSS, RTS); return Code; 

21. 2002/05/22 21 Synthesis Algorithm (Soft RTES) Synthesize_Soft_RTES(S, ,   EQSS = Ext_Quasi_Static_Schedule(S,  if (EQSS == NULL) return MemOverFlow; FIB = Firing_Interv_Synth(S, QSS,  ); if (FIB == NULL) return FIB_Error; else Code = Code_Gen(S, QSS, FIB); return Code; 

22. 2002/05/22 22 Quasi-Static Scheduling TFCPN net decomposition Conflict-Free Components Quasi-Static Schedules Finite Complete Cycle Deadlock Free Satisfy Memory Reqts Memory OK!!!

23. 2002/05/22 23 Exclusion Set Extended Quasi-Static Scheduling TransitionExclusive Transitions t4 t5 t4, t6 t6 t5, t7 t7 t6 t1 t2 t3 t4 t5 t6 t7 p1 p2 p3 Exclusion Table CTPN

24. 2002/05/22 24 Decomposition of Exclusion Set t4 t5 t6 t7 t4 t5 t6 t7 t4 t5 t6 t7 t4 t5 t6 t7 t4 t5 t6 t7 t1 t2 t3 t4 t5 t6 t7 p1 p2 p3 TransitionExclusive Trans t4 t5 t4, t6 t6 t5, t7 t7 t6

25. 2002/05/22 25 Reduction of Decomposed Exclusion Set t4 t5 t6 t7 t4 t5 t6 t7 t4 t5 t6 t7 t4 t5 t6 t7 t4 t5 t6 t7 t4 t5 t6 t7 t4 t5 t6 t7 Reduce

26. 2002/05/22 26 EQSS Schedules t1 t4 p1 t2 t3 t6 p2 p3 t1 t2 t5 p1 p2 t3 t7 p3 f(s) = (t1 t2 t3 t4 t6) f(s) = (t1 t2 t3 t5 t5 t7)

27. 2002/05/22 27 Real-Time Scheduling Single Processor Worst Case Timing Analysis: Rate Monotonic (RM) fixed priority small period  high priority Earliest Deadline First (EDF) dynamic priority early deadline  high priority

28. 2002/05/22 28 Firing Interval Bound Synthesis 2 issues in the synthesis of SOFT real-time embedded systems: Synchronization Wait: (for completion of other tasks) Real-Time Specification: (complete before deadlines) Proposed Solutions: Postpone Release Time:    +  w,  w > 0 Advance Finish Time:      n,  n >0

29. 2002/05/22 29 Code Generation generate_code(S, QSS 1, QSS 2, …, QSS n, RTS) { for i = 1, …, n { D i = create_process(QSS i ); for j = 1, …, Indep_Tasks(A i ) { d ij = create_task(QSS i ); generate_task_code(d ij ); add_task(d ij, D i ); } } create_main(); output “ for(i=0, i<length(RTS); i++) { ”; for k = 1, …, RTS output_code(D ik ); output “ } ”; }

30. 2002/05/22 30 Optimal Code Hierarchy Main Program Process i Task 1Task 2Task k … CTPN # Tasks = # Independent Source Transitions

31. 2002/05/22 31 Illustration Example S = {F 1, F 2 }

32. 2002/05/22 32 Conflict Free Components for F 1 v 12 = (t 11, t 13, t 15, t 15 ) 13   (v 12 )  26 Quasi-Static Scheduling v 11 = (t 11, t 12, t 11, t 12, t 14 ) 11   (v 11 )  22

33. 2002/05/22 33 Conflict Free Components for F 2 v 21 = (t 21, t 22, 2t 24, 4t 26, t 28, t 29, t 26 ) 31   (v 21 )  68 v 22 = (t 21, t 23, t 25, 2t 27, t 28, t 29, t 26 ) 15   (v 22 )  36 Quasi-Static Scheduling

34. 2002/05/22 34 Real-Time Scheduling TaskPriority ii  max (  1 )  max (  2 ) T1T1 11002648 T2T2 211068 SchedulableYesNo AlgorithmsRM, EDF  1 = {v 11, v 12 }  2 = {v 12, t 11 t 12 k  v 12 t 11 t 12 t 14, k  1}

35. 2002/05/22 35 ATM Virtual Private Network Server Example CLASSIFIER CONGESTION CONTROL (MSD) SUPERVISOR WFQ SCHEDULER ATM IN (155 Mbit/s) ATM OUT (155 Mbit/s) DISCARDED CELLS

36. 2002/05/22 36 ATM VPN Server Example Message Selective Discarding (MSD): Avoiding buffer overflow by discarding selected incoming cell Weighted Faired Queuing (WFQ): A bandwidth control policy for the outgoing flows

37. Main Functionalities of an ATM serverExample Start with an incoming cell interrupt. Extract information from cell. MSD algorithm and WFQ algorithm. A periodic task that select cells to be emitted. Involves WFQ algorithm.

38. 2002/05/22 38 CTPN model of MSD Algorithm

39. 2002/05/22 39 14 Schedules of MSD in ATM

40. 2002/05/22 40 0 MSD 1 CID 2 PTI 3 t1 4 READ_STATE_VCC 7 READ_OUT_QUID 10 t2 11 t3 t4 t5 12 t6 UPDATE_STATE_INIT 13 18 12 READ_MAX_QLEN GTH 15 CHECK_QLENGTH1 18 t7 19 t6 UPDATE_STATE_INIT 12 READ_THRESHOLD 15 CHECK_QLENGTH2 18 t8 19 t10 t9 PU SH COMPUTE_OUT_TIME t12 *SCHEDULE _WFQ t10 t9 PU SH COMPUTE_OUT_TIME t12 *SCHEDULE _WFQ PU SH t11 UPDATE_STATE_REJ PU SH *SCHEDULE _WFQ COMPUTE_OUT_TIME t12 *SCHEDULE _WFQ COMPUTE_OUT_TIME t12 *SCHEDULE _WFQ UPDATE_STA TE_ACC t11 UPDATE_S TATE_REJ t6 UPDATE_STATE_INIT 20 21 21 30 431 52 20 21 26 30 36 46 37 58 25 26 31 35 41 51 42 63 25 26 26 35 4 36 57 Schedule Results: 49 markings 14 schedules 63 instructions 12 Kbytes Memory

41. 2002/05/22 41 Master/Slave Role Switch in the Bluetooth Wireless Comm Protocol In Bluetooth protocol: Piconet = 1 master + 7 active slaves Frequently, master and slave switch roles new active slave joining piconet overtaking of master duties creation of a new piconet with old master as slave Model 2 CTPN for Host A and Host B 2 CTPN for Host Control / Link Manager

42. 42 CTPNs for Host A and Host B

43. 43 CTPN for Host Control / Link Manager of Device A

44. 44 CTPN for Host Control / Link Manager of Device B

45. 2002/05/22 45 Synthesis Results for M/S switch CTPN#T#P#SSchedules Host A752, HC/LM A21156,,,,, Host B752Same as for Host A HC/LM B21156Same as for HC/LM A

46. 2002/05/22 46 Mnemonics for Host A Transitions t_0: Initialize, t_1: ACL_Connection, t_2: Send HA2LA_HCI_Switch_Role, t_3: t4, t_4: Receive LA2HA_HCI_Command_status_event, t_5: Receive LA2HA_HCI_Role_change_event, t_6: End.

47. 2002/05/22 47 Mnemonics for HC/LM A Transitions t_0: Initialize, t_1: ACL_Connection, t_2: Receive HA2LA_HCI_Switch_Role, t_3: Receive N2LA_LMP_Switch_reg, t_4: Send LA2HA_HCI_Command_States_event, t_5: Receive N2LA_LMP_Slot_offset_sub1, t_6: Checking NetWork, t_7: Send LA2N_LMP_slot_offset_sub2, t_8: Send LA2N_LMP_not_accepted, t_9: Send LA2N_LMP_accepted, t_10: End Checking Network, t_11: Send LA2N_LMP_Switch_req, t_12: Receive N2LA_LMP_not_accepted, t_13: Receive N2LA_LMP_accepted, t_14: End, t_15: Send TDD_SwitchA, t_16: Receive BA2LA_TimeOut1, t_17: Receive BA2LA_Role_SwitchA_Success, t_18: End, t_19: Send LA2HA_HCI_Role_Change_event, t_20: End

48. 2002/05/22 48 C Code Sample void *thread_run0 (void *arg) { t0(); mutex_operation(t0,p0,’-’); switch(p0) { case 1 : ……; break; case 2 : ……; break; case 3 : ……; do { …… } while(1); break; default : break; } void main() { pthread_t task0; while(1) { if polled(t0) pthread_creation (&task0, NULL, thread_run0, NULL); } t0 p0

49. 2002/05/22 49 Conclusions Software needs to be synthesized automatically and formally because it is getting more and more complex! Hard RTES Synthesis Method = EQSS + RTS + Code-Generation Soft RTES Synthesis Method = EQSS + FIBS + Code-Generation ATM VPN Server and Bluetooth examples show feasibility of our approach

50. 2002/05/22 50 Current and Future Work Integrate Real-Time Scheduling & EQSS Extend Petri Net system model coverage Java Implementation: install into embedded systems such as PDA for dynamic code change and management by user (web computing) C Code Generation: for embedding into prototyping systems such as SoC design and verification platform

51. 2002/05/22 51 References (EQSS, FIBS, etc.) All papers are downloadable at http://www.cs.ccu.edu.tw/~pahsiung/publications/publications.html F.-S. Su and P.-A. Hsiung, “Extended Quasi-Static Scheduling for Formal Synthesis and Code Generation of Embedded Software,” Proc. of the 10th IEEE/ACM International Symposium on Hardware/Software Codesign, (CODES'02), Colorado, USA, May 6-8, 2002 (accepted for presentation). P.-A. Hsiung, “Formal Synthesis and Control of Soft Embedded Real- Time Systems,” Proc. 21st IFIP WG 6.1 International Conference on Formal Techniques for Networked and Distributed Systems (FORTE'01), (Cheju Island, Korea), pp. 35-50, Kluwer Academic Publishers, August 2001. P.-A. Hsiung, "Formal Synthesis and Code Generation of Embedded Real-Time Software," Proc. ACM/IEEE 9th International Symposium on Hardware/Software Codesign (CODES'01), (Copenhagen, Denmark), pp. 208-213, ACM Press, New York, USA, April 2001.

52. 2002/05/22 52 References (Time-Mem Sched.) P.-A. Hsiung and C.-H. Gau, “Formal Synthesis of Real-Time Embedded Software by Time-Memory Scheduling of Colored Time Petri Nets,” Proc. of the Workshop on Theory and Practice of Timed Systems (TPTS'2002, Grenoble, France), April 6-7, 2002. C.-H. Gau and P.-A. Hsiung, “Time-Memory Scheduling and Code Generation of Real-Time Embedded Software,” Proc. of the 8th International Conference on Real-Time Computing Systems and Applications (RTCSA'02, Tokyo, Japan), pp. 19-27, March 18-20, 2002.

53. 2002/05/22 53 References (VERTAF) P.-A. Hsiung, T.-Y. Lee, W.-B. See, J.-M. Fu, and S.-J. Chen, "VERTAF: An Object-Oriented Application Framework for Embedded Real-Time Systems," Proc. of the 5th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing (ISORC'2002, Washington, D.C., USA), April 29-May 1, 2002 (accepted for presentation). P.-A. Hsiung, W.-B. See, T.-Y. Lee, J.-M. Fu, and S.-J. Chen, "Formal Verification of Embedded Real-Time Software in Component-Based Application Frameworks," Proc. 8th Asia-Pacific Software Engineering Conference (APSEC'01), (Macau SAR, China), pp. 71-78, IEEE CS Press, December 2001. P.-A. Hsiung, F.-S. Su, C.-H. Gau, S.-Y. Jeng, and Y.-M. Chang, "Verifiable Embedded Real-Time Application Framework," Proc. IEEE International Real-Time Technology and Applications Symposium (RTAS'01), Work-In-Progress Session, (Taipei, Taiwan), pp. 109-110, IEEE Computer Society Press, May 2001.