MoBIES Kickoff Meeting

Transcript MoBIES Kickoff Meeting

Design, Implementation, and Validation of
Embedded Software
(DIVES)
Rajeev Alur, Vijay Kumar, Insup Lee (PI), George Pappas, Oleg Sokolsky
Department of Computer and Information Science
Department of Electrical Engineering
Department of Mechanical Engineering and Applied Mechanics
University of Pennsylvania
30 January 2003
Topic Area 1. Administrative
Administrative Information
• Project title: Design, Implementation, and Validation of Embedded Software (DIVES)
• PI: Insup Lee (215-898-3532, [email protected])
• Co-PI: Rajeev Alur, Vijay Kumar, George Pappas
• Organization: University of Pennsylvania
• Contract number: DARPA ITO MOBIES F33615-00-C1707
• AO Number: K230
• Award end date: May 16, 2003
• Agent: Dale Harper, Air Force Research Laboratory
DIVES Team
Faculty
Rajeev Alur (CIS)
Vijay Kumar (MEAM)
Insup Lee (CIS)
George Pappas (EE)
Oleg Sokolsky (CIS)
Research Associates
Jesung Kim
Li Tan
Herbert Tanner
PhD Students
Calin Belta
Mikhail Bernadsky
Yerang Hur
Franjo Ivancic
Usa Sammapun
Wenkai Tan
Part-time Programmers
Peter Finin
Valya Sokolskaya
Topic Area 2. Subcontractors and
Collaborators
Collaborators
• CMU-Penn Allenberry Workshop (Jan 9, 2003)
– CMU: Krogh, Rajkumar
– Penn: Alur, Kumar, Lee, Pappas, Sokolsky
– More than 15 students and postdocs
– Hybrid systems modeling, analysis, simulation, test generation, code generation techniques
• Interactions with HSIF group
– Berkeley, Ford, CMU, Kestrel, GM, SRI, Vanderbilt
Topic Area 3. Project Goals and
Problem Description
Project Overview
• Project Objective
– Develop languages, algorithms and tools for hybrid systems to
facilitate the development of reliable embedded systems
• Project Description: main research directions
– Compositional semantics to support hierarchical, modular
specifications of hybrid systems
– Reachability analysis of embedded systems
– Compositional analysis and optimal controller synthesis of
hybrid systems
– Model-based testing and validation of hybrid systems to provide
an additional level of reliability
Topic Area 4. Project Status (Update
from last PI Meeting)
Progress since last meeting
• Progress on schedule
• Recently developed techniques
– Counter-example guided predicate abstraction
– Model-based code generation
– Model-based test generation
– CHARON to HSIF translation
• Publications during the last six months
– 5 journal papers, 6 conference and workshop papers
• PhD Theses: Ivancic (Aug 03), Hur (Dec 03)
CHARON Toolkit
• Input
– Hierarchical, concurrent, hybrid systems
• Functionality: modeling, simulation, assertion checking, test generation, code generation, reachability analysis
• Output
– Simulation trace including assertion violation
– C++ code
– HSIF model
– Counter-examples
CHARON toolkit enhancements
• CHARON language version 2
– Inspired by HSIF development
– Supports signals and shared variables directly
• analog/discrete variable type replaced with signal/shared
– Respects signal dependencies
• Changes in the computation of enabled transitions
– Parser, type checker, export/import routines updated to
new version
• Updated simulator under construction
CHARON toolkit enhancements
• Simulator improvements
– Adaptive simulation step-size implemented
– Event detection algorithm implemented
[Figure: a simulated trajectory x(t) crossing the surface defined by the event function g(x), with the crossing marked "Event!"]
– Improved support for parametric simulations
• Parameters can be external to the model
• Allow parameter modification within the same model
• Reachability analysis enhancements
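The event detection mentioned above is the point where a fixed-step simulator of a hybrid system is most easily wrong: a guard such as the thermostat's T <= 6 becomes enabled somewhere inside a step, and a plain grid simulation only notices it at the next grid point, firing the transition up to one step late. The following Python example is added here and is not code from the CHARON simulator; it uses a classical Runge-Kutta integrator (my choice, not the slide's) and, once the sign of g changes between two grid points, bisects the step size to locate the crossing to a tolerance much finer than the step. The dynamics and guard are those of the thermostat's Cool location (dT/dt = -T, guard T <= 6), for which the exact crossing time from T0 is ln(T0/6); the function and variable names are my own.

```python
import math

def rk4_step(f, x, h):
    """One classical Runge-Kutta step of size h for dx/dt = f(x); x is a list."""
    k1 = f(x)
    k2 = f([xi + 0.5 * h * ki for xi, ki in zip(x, k1)])
    k3 = f([xi + 0.5 * h * ki for xi, ki in zip(x, k2)])
    k4 = f([xi + h * ki for xi, ki in zip(x, k3)])
    return [xi + h / 6.0 * (a + 2 * b + 2 * c + d)
            for xi, a, b, c, d in zip(x, k1, k2, k3, k4)]

def simulate_until_event(f, g, x0, t0, t_end, h, tol=1e-9):
    """Fixed-step integration until the event function g crosses from g > 0 to
    g <= 0. The step containing the crossing is then refined by bisection on the
    step size, so the reported event time is accurate to tol rather than to h.
    Returns (t_event, x_event), or None if no event occurs before t_end."""
    t, x = t0, list(x0)
    while t < t_end - 1e-12:
        step = min(h, t_end - t)
        x_next = rk4_step(f, x, step)
        if g(x) > 0 and g(x_next) <= 0:
            lo, hi = 0.0, step            # the crossing lies within (lo, hi] of this step
            while hi - lo > tol:
                mid = 0.5 * (lo + hi)
                if g(rk4_step(f, x, mid)) > 0:
                    lo = mid
                else:
                    hi = mid
            return t + hi, rk4_step(f, x, hi)
        t, x = t + step, x_next
    return None

def fixed_step_event(f, g, x0, t0, t_end, h):
    """The same integration without refinement: the event is only noticed at the
    first grid point where g <= 0, so the transition fires up to h too late."""
    t, x = t0, list(x0)
    while t < t_end - 1e-12:
        step = min(h, t_end - t)
        x = rk4_step(f, x, step)
        t += step
        if g(x) <= 0:
            return t, x
    return None

# Thermostat location Cool: dT/dt = -T. The guard T <= 6 of the transition to
# Heat becomes enabled when g(T) = T - 6 reaches zero.
def cool_dynamics(x):
    return [-x[0]]

def cool_to_heat_guard(x):
    return x[0] - 6.0

def event_error(h=0.1, T0=10.0):
    """Errors (in time units) of the fixed-step and the refined event time against
    the exact crossing t* = ln(T0 / 6) of T(t) = T0 * exp(-t)."""
    exact = math.log(T0 / 6.0)
    coarse = fixed_step_event(cool_dynamics, cool_to_heat_guard, [T0], 0.0, 2.0, h)
    refined = simulate_until_event(cool_dynamics, cool_to_heat_guard, [T0], 0.0, 2.0, h)
    return coarse[0] - exact, refined[0] - exact

if __name__ == "__main__":
    coarse_err, refined_err = event_error()
    print(f"fixed-step error {coarse_err:.4f}, with event detection {refined_err:.2e}")
```

With h = 0.1 the grid simulation reports the switch at t = 0.6 while the crossing is at t = 0.5108, an error of almost a full step; the bisected version is off by well under 1e-5, the residual being the integrator's own truncation error rather than the event localisation.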
Publication List
Selected publications since the last PI meeting
• I. Lee, A. Philippou, O. Sokolsky, “Process Algebraic Modelling and Analysis of Power-Aware Real-Time Systems,” IEE Computing and Control Engineering Journal, 13(4), pp. 180-188, August 2002.
• Insik Shin, Insup Lee, and Sang Lyul Min, “Embedded System Design Framework for Minimizing Code Size and Guaranteeing Real-Time Requirements,” Proc. IEEE Real-Time Systems Symposium, Austin, Dec 2002.
• Na Young Lee, Insup Lee, Yerang Hur, Jin Young Choi, Il Soon Hwang, Seung Rok Oh, “A Framework for the Hybrid Modeling and Analysis of Nuclear I&C Systems,” Proceedings of ISOFIC 2002 (International Symposium On the Future I&C for NPP), Seoul, Nov 2002.
• R. Fierro, A. Das, J. Spletzer, Y. Hur, R. Alur, J. Esposito, G. Grudic, V. Kumar, I. Lee, J. P. Ostrowski, G. Pappas, J. Southall and C. J. Taylor, “A Framework and Architecture for Multirobot Coordination,” Int. Journal of Robotics Research (IJRR), 2003.
• Rajeev Alur, Thao Dang, Joel Esposito, Yerang Hur, Franjo Ivancic, Vijay Kumar, Insup Lee, Pradyumna Mishra, George Pappas, and Oleg Sokolsky, “Hierarchical Modeling and Analysis of Embedded Systems,” To appear in Proceedings of the IEEE, 2003.
Publication List
• George J. Pappas, Bisimilar Linear Systems, Automatica. To appear in
2003.
• R. Alur, T. Dang, F. Ivancic, Counter-example guided predicate abstraction for
hybrid systems, TACAS 2003
• R. Alur, T. Dang, F. Ivancic, Progress on reachability analysis of hybrid
systems using predicate abstraction, HSCC 2003
• R. Alur, La Torre, Madhusudan. Modular strategies for recursive game graphs, TACAS 2003
• Oleg Sokolsky, Anna Philippou, Insup Lee, and Kyriakos Christou, Modeling
and Analysis of Power-Aware Systems, TACAS 2003.
• Hyoung Seok Hong, Sung Deok Cha, Insup Lee, Oleg Sokolsky, Hasan Ural,
Data Flow Testing as Model Checking, Int. Conf. on Software Engineering
(ICSE), May 2003.
Counter-Example Guided Refinement of
Predicate Abstraction
Rajeev Alur
Thao Dang
Franjo Ivancic
Overall Structure
[Figure: the counter-example guided loop. A hybrid system, given as CHARON code, and a safety property are abstracted with a set of linear predicates; a search in the abstract space either shows that the property holds or finds a counter-example; analysis of the counter-example either yields a concrete counterexample or additional predicates that are fed back into the abstraction.]
Current Implementation
• We focus on hybrid systems with linear continuous
dynamics, linear guards, linear invariants, and linear
reset expressions.
• The continuous dynamics can have uncertain, bounded
input, that is dx/dt = Ax + Bu, where u is uncertain
input within a bounded range.
• We only consider linear predicates.
• Builds on routines for manipulating polyhedra from
d/dt.
3-State Thermostat Example
• 2 variables: T (Temperature) and t (timer)
• Initially: t = 0 , 5 <= T <= 10
• Unsafe: Check, T <= 4.5
[Figure: the thermostat automaton, reconstructed from its labels]
– Heat: dT = 2; invariant T <= 10, t <= 3
– Cool: dT = -T; invariant T >= 5
– Check: dT = -T/2; invariant t <= 1
– Transitions: Heat -> Cool when T >= 9; Heat -> Check when t >= 2, t := 0; Cool -> Heat when T <= 6, t := 0; Check -> Heat when t >= 0.5, t := 0
Thermostat Abstraction
10 predicates: t <= 0 , t >= 0.5, … , T >=5 , T <= 6, …
Only 36 “valid” continuous abstract states
[Figure: the predicate grid in the (time, T) plane, with thresholds 0, 0.5, 1, 2, 3 on the time axis and 4.5, 5, 6, 9, 10 on the T axis]
A Sample Abstract Path
[Figure: a sample abstract path. Each abstract state is shown as a (t-interval, T-interval) pair and colored by location (Heat, Cool, Check); the 13 states drawn are (t <= 0, 9 <= T <= 10), (1 < t < 2, 9 <= T <= 10), (1 < t < 2, 9 <= T <= 10), (0.5 <= t <= 1, 9 <= T <= 10), (t <= 0, 6 < T < 9), (2 <= t <= 3, 9 <= T <= 10), (0.5 <= t <= 1, 9 <= T <= 10), (0.5 <= t <= 1, 6 < T < 9), (t > 3, 5 <= T <= 6), (0.5 <= t <= 1, 5 <= T <= 6), (t <= 0, 9 <= T <= 10), (t <= 0, 5 <= T <= 6), (2 <= t <= 3, 9 <= T <= 10).]
35 abstract states reachable. All states are safe, thus the concrete system is also safe.
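The two slides above compress a lot: an abstract state is a location plus one truth value per predicate, most of the 2^10 truth vectors are inconsistent (no concrete point satisfies them), and only the 36 consistent ones matter. The Python below is an added illustration, not code from the CHARON toolkit. Because the slide prints only four of its ten predicates, the full set used here is an assumption: the thresholds of the automaton's guards, invariants and unsafe set. With that assumption the consistency check reproduces the slide's count of 36, which is the reason for trusting it. The tool decides consistency for general linear predicates with polyhedra; since every predicate here bounds a single variable, checking that each variable's interval is non-empty suffices, and the code says so. Function names are mine.

```python
from itertools import product

# Predicates over the thermostat variables T (temperature) and t (timer), each
# given as (variable, relation, constant). The slide lists only t <= 0, t >= 0.5,
# T >= 5 and T <= 6 of its 10 predicates; the remaining six are an assumption,
# taken from the constants in the automaton and the unsafe set.
PREDICATES = [
    ("t", "<=", 0.0), ("t", ">=", 0.5), ("t", ">=", 1.0), ("t", ">=", 2.0), ("t", ">=", 3.0),
    ("T", "<=", 4.5), ("T", ">=", 5.0), ("T", "<=", 6.0), ("T", ">=", 9.0), ("T", "<=", 10.0),
]
UNSAFE_PREDICATE = PREDICATES.index(("T", "<=", 4.5))

def holds(pred, values):
    var, rel, c = pred
    return values[var] <= c if rel == "<=" else values[var] >= c

def abstract(loc, T, t, predicates=PREDICATES):
    """Abstract state of a concrete state: the location plus one truth value per predicate."""
    values = {"T": T, "t": t}
    return loc, tuple(holds(p, values) for p in predicates)

def mask(truth):
    """Truth vector packed into an int; this bit-vector form is what makes the
    'mask priority' of the guided search cheap to compute and compare."""
    return sum(1 << i for i, b in enumerate(truth) if b)

def is_valid(truth, predicates=PREDICATES):
    """A truth vector is valid when some concrete point satisfies every literal
    (the predicate when true, its strict negation when false). Every predicate
    here bounds one variable, so it is enough to intersect the bounds per variable
    and check that the resulting interval is non-empty."""
    bounds = {}   # var -> (lo, lo_is_strict, hi, hi_is_strict)
    for (var, rel, c), b in zip(predicates, truth):
        lo, lo_s, hi, hi_s = bounds.get(var, (float("-inf"), False, float("inf"), False))
        strict = not b                     # a false literal becomes a strict inequality
        if (rel == "<=") == b:             # var <= c (true "<=") or var < c (false ">="): upper bound
            if c < hi or (c == hi and strict):
                hi, hi_s = c, strict
        else:                              # var >= c (true ">=") or var > c (false "<="): lower bound
            if c > lo or (c == lo and strict):
                lo, lo_s = c, strict
        bounds[var] = (lo, lo_s, hi, hi_s)
    return all(lo < hi or (lo == hi and not (lo_s or hi_s))
               for lo, lo_s, hi, hi_s in bounds.values())

def valid_truth_vectors(predicates=PREDICATES):
    """Enumerate all 2^n truth vectors and keep the consistent ones."""
    return [tv for tv in product((True, False), repeat=len(predicates)) if is_valid(tv, predicates)]

def is_unsafe(abs_state):
    """Unsafe set from the slide: location Check with T <= 4.5."""
    loc, truth = abs_state
    return loc == "Check" and truth[UNSAFE_PREDICATE]

if __name__ == "__main__":
    vectors = valid_truth_vectors()
    print(f"{len(vectors)} valid continuous abstract states out of {2 ** len(PREDICATES)}")
    state = abstract("Heat", 9.5, 0.0)   # the first state of the sample path: t <= 0, 9 <= T <= 10
    print(state, "mask =", mask(state[1]), "unsafe =", is_unsafe(state))
```

Six consistent cells on the t axis times six on the T axis gives the 36 valid continuous abstract states; with the three locations that is 108 abstract states, of which the slide reports 35 reachable.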
What’s new?
• A variety of optimizations to speed up the search
– Data structure: binary space partition (BSP) trees
– Generalized predicate abstraction
– Vector flow analysis
– Guided search
• Counter-examples in abstract space
– Are they feasible in concrete system?
– Can they be used to derive abstraction predicates?
• Theoretical guarantees of the verification technique
– Completeness?
– Avoiding the same counter-example in successive searches
Bounded Completeness
• Simulation can show unsafe behavior.
• Safety can only be shown using verification, which is undecidable in general.
• Predicate abstraction introduces errors by
– approximating reachable sets with polyhedra
– coarse abstraction using predicates
• Predicate abstraction can prove “bounded safety”
– up to n discrete switches
– up to a total time flow t
– if the reachable set is separated from the unsafe set by Delta
Guided Search
• Search of the abstract state-space is guided by a
priority function that measures the distance of
abstract states to unsafe states
• Several priority functions considered
– Discrete Location Graph Measure
• Locations that are closer get higher priority
– Mask Priority
• Based on boolean vector representation of predicate values. Fast!!!
– Euclidean Distance Measure
– Reset Euclidean Distance Measure
• Accounts for the effect of resets by discrete transitions
Generalized Predicate Abstraction
• Cluster certain abstract states
• Reduction of abstract state-space!
• Example: Location-specific predicates
– Specify per location which predicates are to be used in
particular location (invariant may be important only in one
location)
– Abstract states are now (loc, (TF* FFT **T))
– Computation of continuous successors is not affected!
– Discrete updates need to consider switch of predicates
Binary Space Partition
• Frequent calls to create polyhedra that correspond to
abstract states
[Figure: a binary space partition tree. The root polyhedron P is split by the first predicate into P1 (and its complement), each child by the second predicate into P12, and each of those by the third predicate into P123; the leaves are the polyhedra of the abstract states, and abstract states that agree on a prefix of predicate values share the internal node for that prefix, so the tree caches the intermediate polyhedra between calls.]
Counter-example Analysis Algorithm
Perform reachability following the path specified by the counter-example.
For each abstract state s_i, compute the sub-space R_i that is concretely reachable:
    R_0 = conc(s_0) ∩ Init
    for 1 <= i <= n:
        R_i = Post(R_{i-1}, t_{i-1}) ∩ conc(s_i)    (Post: continuous successors)
        if R_i is empty: SPURIOUS!
    if R_n ∩ Bad is not empty: FEASIBLE!
[Figure: abstract states s_0 and s_1, with R_0 = conc(s_0) ∩ Init and R_1 = CPost(R_0) ∩ conc(s_1).]
Computing Separating Predicates
Given a spurious counter-example and the series of concretely reachable sub-spaces, find a small new set of predicates that prevents a similar counter-example from reappearing.
[Figure: R_k and Pre(s_{k+1}) drawn as disjoint regions, with R_{k+1} empty.]
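The two preceding slides (the counter-example analysis algorithm and the separating predicates) are easiest to follow on a system small enough to enumerate. The Python below is an added example, not code from the tool: it replaces the hybrid system by a constructed finite counter with an explicit transition relation, so Post and Pre are set computations rather than polyhedral operations, and the abstraction uses the predicates x >= 2 and x >= 4. The algorithm itself is exactly the slide's recurrence R_0 = conc(s_0) ∩ Init, R_i = Post(R_{i-1}) ∩ conc(s_i). The separation step is my one-dimensional reading of slide 28: with R_k empty, the reachable R_{k-1} is disjoint from the part of s_{k-1} that has a successor in s_k, and a threshold between the two becomes a new predicate. All names are hypothetical.

```python
# Constructed finite concrete system standing in for the hybrid system: a counter
# x in 0..5 that can step x -> x+1 (when x < 5) or, from x >= 4, reset to x-2.
STATES = frozenset(range(6))
INIT = frozenset({0})
BAD = frozenset({5})
THRESHOLDS = [2, 4]          # abstraction predicates: x >= 2 and x >= 4

def post(region):
    """Successor set of a region: the slide's Post over this finite transition relation."""
    succ = set()
    for x in region:
        if x < 5:
            succ.add(x + 1)
        if x >= 4:
            succ.add(x - 2)
    return succ

def pre(region):
    """Predecessor set: states with at least one successor inside region."""
    return {x for x in STATES if post({x}) & set(region)}

def conc(abs_state, thresholds=THRESHOLDS):
    """Concretization: all states whose predicate truth vector equals abs_state."""
    return {x for x in STATES if tuple(x >= c for c in thresholds) == abs_state}

def analyze_counterexample(path, init=INIT, bad=BAD):
    """Slide 27's check along an abstract path s_0 ... s_n:
         R_0 = conc(s_0) ∩ Init,   R_i = Post(R_{i-1}) ∩ conc(s_i).
    The first empty R_i makes the path spurious at index i. If every R_i is
    non-empty the path is feasible exactly when R_n meets Bad; otherwise it
    reaches s_n but not the unsafe set, reported as spurious at index n+1.
    Returns (verdict, index, regions)."""
    regions = [conc(path[0]) & init]
    for i in range(1, len(path)):
        if not regions[-1]:
            break
        regions.append(post(regions[-1]) & conc(path[i]))
    if not regions[-1]:
        return "spurious", len(regions) - 1, regions
    if regions[-1] & bad:
        return "feasible", len(path) - 1, regions
    return "spurious", len(path), regions

def separating_predicate(path, regions, k):
    """Slide 28's idea, specialised to this 1-D system: with R_k empty, the
    concretely reachable R_{k-1} is disjoint from Pre(s_k) ∩ conc(s_{k-1}), the
    part of s_{k-1} that could actually reach s_k. A threshold c between the two
    gives the new predicate x >= c, which splits s_{k-1} so that the same spurious
    path cannot recur. Returns c, or None if no single threshold separates them."""
    reachable = regions[k - 1]
    wanted = pre(conc(path[k])) & conc(path[k - 1])
    if not reachable or not wanted:
        return None
    assert reachable.isdisjoint(wanted)   # guaranteed by R_k being empty
    if max(reachable) < min(wanted):
        return min(wanted)
    if max(wanted) < min(reachable):
        return min(reachable)
    return None                           # interleaved: one threshold is not enough

if __name__ == "__main__":
    # Abstract states are truth vectors over (x >= 2, x >= 4).
    spurious_path = [(False, False), (False, False), (True, False), (True, True)]
    verdict, k, regions = analyze_counterexample(spurious_path)
    print(verdict, "at index", k, "regions", regions)
    c = separating_predicate(spurious_path, regions, k)
    print("new predicate: x >=", c)
    feasible_path = [(False, False), (False, False), (True, False), (True, False), (True, True), (True, True)]
    print(analyze_counterexample(feasible_path)[0])
```

The first path is locally plausible in the abstraction (each consecutive pair of cells is connected by some concrete transition) yet spurious: from the reachable point x = 2 in cell [2,3] the only successor is 3, which is not in [4,5]. Adding x >= 3 splits that cell, after which the abstract search must pass through the cell {3} before reaching [4,5], and the six-step path is found to be feasible.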
Thermostat Example
• Remove the predicate t <= 0 from the predicate set.
• First run: a spurious counter-example is found!
• The separation routine suggests using 4 predicates:
– 0.979265 * T + 0.202584 * t <= 9.34423
– 0.872555 * T + 0.488515 * t <= 8.16961
– 0.428587 * T + 0.9035 * t <= 4.11184
– -0.0680518 * T + 0.997682 * t <= -0.439659
• The second and third runs still find counter-examples. One of the 15 suggested predicates:
– 0.0139043 * T + 0.999903 * t <= 0.152558
• 28 predicates are enough to prove safety in the fourth iteration, with 358 reachable states.
Summary
• Tool applied to V-2-V and ETC
– New V2V will be a good benchmark
– Integrated into HSIF tool chain
• Improving the scalability of hybrid systems verification is an ongoing long-term project
– Innovations in algorithms
– Engineering of the tool
• Has MoBIES made a difference?
– 2000, d/dt: about 4 continuous variables (subsets of R^4)
– 2003, Charon: about 8 continuous variables (subsets of R^8)
• Caveat: the key to successful application of verification technology is scaling down the problem (zooming in on the critical core)
Generating Embedded Software from
Hierarchical Hybrid Models
Rajeev Alur
Franjo Ivancic
Jesung Kim
Insup Lee
Oleg Sokolsky
Objective
• To design a software tool that generates platform-specific
executable code from a platform-independent CHARON model
• Input: CHARON model + Platform description
• Output: Executable code “faithful” to the model
[Figure: the code generator takes a CHARON model (agent () { ... }, mode () { ... }) and a platform description that maps model variables to platform APIs (x: API_x(), y: API_y()) and produces executable code.]
Example: Robot dog “AIBO”
[Figure: the AIBO walking model. Recoverable labels: top-level modes GetUp and Walk; submodes OnGround, UpDown(1), UpDown(-1) and Forward with dynamics d(x) = -v; transition labels token == MYTOKEN, token = (token+1)%4, y >= y_lift and g_stop; a leg with links L1 and L2, joint angles j1 and j2, foot position (x, y) above the ground, and j2 = acos(f(x, y)).]
Challenges & Our Approach
• Discretization of the continuous model
– Fixed step-size simulation
• Validation
– Transition errors
• Δ-lookahead agent
– Numerical errors
• Instrumented Hybrid Automata
• Code quality
– Modular C++ code
– Platform-independent optimization
• Static scheduling
• Platform dependency
– Makefile-like script
Current Work
• Code validation
– Numerical errors
– Computation / IO delays
• Code optimization
– Platform-independent / platform-specific
• Platform-specific (glue) code generation
• Case study: Penn UAV testbed
Penn UAV Testbed
• Avionics:
– CloudCapTech’s Piccolo
• Totally user-customizable architecture
• Airframe:
– ¼ Scale Piper J-3 Cub 104’
• Higher level Control:
– Onboard Laptop PC
• CHARON
• G. Pappas
Topic Area 5. Technology Integration
into OEP(s)
HSIF WG participation
• We actively participated in the HSIF working
group
– Syntax development
– Semantics development
• New synchronous semantics proposed and implemented
– Bi-weekly HSIF teleconferences
– Selection and preparation of HSIF examples
HSIF semantics
• New synchronous semantics developed
• Signals vs. shared variables
– Automata interact by means of signals
• Single-writer property for each signal
– Semantics preserves signal dependencies
• A new signal value is simultaneously observed by all automata
that depend on it
– For shared variables dependencies are not preserved
• Multiple writers are allowed
– Having both signals and shared variables allows us to
express both control and computer system problems.
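The distinction the slide draws between signals (single writer, dependencies preserved, a new value seen simultaneously by every reader) and shared variables (multiple writers, no ordering guarantee) is something a converter or simulator has to check mechanically. The Python below is an added example and not part of the HSIF tools: it takes a constructed network description (automaton and signal names are hypothetical), reports every signal with more than one writer, and computes the order in which the automata must be evaluated within one synchronous step so that each automaton reads the new value of the signals it depends on. That order is a topological sort of the signal-dependency graph; a cycle means the dependencies cannot be respected and is reported as an error. Shared variables are deliberately left out of the ordering, which is the point the slide makes about them.

```python
from collections import defaultdict, deque

# Constructed HSIF-style network (names are hypothetical): each automaton lists
# the signals it writes, the signals it reads and the shared variables it writes.
NETWORK = {
    "Sensor":     {"writes": {"pos"}, "reads": set(),          "shared": {"log"}},
    "Planner":    {"writes": {"ref"}, "reads": {"pos"},        "shared": set()},
    "Controller": {"writes": {"cmd"}, "reads": {"pos", "ref"}, "shared": {"log"}},
    "Actuator":   {"writes": set(),   "reads": {"cmd"},        "shared": set()},
}

def signal_writers(network):
    """Map each signal to the (sorted) list of automata that write it."""
    writers = defaultdict(list)
    for name, spec in sorted(network.items()):
        for sig in spec["writes"]:
            writers[sig].append(name)
    return writers

def single_writer_violations(network):
    """Signals with more than one writer violate the single-writer property.
    Shared variables are exempt: several writers are allowed there."""
    return {sig: names for sig, names in signal_writers(network).items() if len(names) > 1}

def evaluation_order(network):
    """Order of automata within one synchronous step such that every automaton is
    evaluated after the writer of each signal it reads (Kahn's topological sort).
    Signals nobody writes are environment inputs; reading one's own signal means
    reading its previous value, so neither adds a dependency."""
    writer_of = {sig: names[0] for sig, names in signal_writers(network).items()}
    indegree = {name: 0 for name in network}
    readers = defaultdict(set)
    for name, spec in network.items():
        for sig in spec["reads"]:
            w = writer_of.get(sig)
            if w is None or w == name or name in readers[w]:
                continue
            readers[w].add(name)
            indegree[name] += 1
    ready = deque(sorted(n for n in network if indegree[n] == 0))
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for m in sorted(readers[n]):
            indegree[m] -= 1
            if indegree[m] == 0:
                ready.append(m)
    if len(order) != len(network):
        stuck = sorted(set(network) - set(order))
        raise ValueError("cyclic signal dependency among: " + ", ".join(stuck))
    return order

def has_cyclic_dependency(network):
    try:
        evaluation_order(network)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print("violations:", single_writer_violations(NETWORK))
    print("evaluation order:", evaluation_order(NETWORK))
```

For the constructed network the order is Sensor, Planner, Controller, Actuator: the Controller runs after both the Sensor and the Planner because it reads pos and ref, so within one step it observes the new ref computed from the new pos, which is the synchronous behaviour the slide describes. The shared variable log, written by two automata, does not constrain the order at all.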
CHARON – HSIF conversion
• CHARON-to-HSIF converter:
– Flattens mode and agent hierarchies
– Each atomic agent becomes an automaton
– The top-level agent becomes the network
– Each atomic mode becomes a location in an automaton
[Figure: a CHARON agent hierarchy (Agent1 through Agent6, with modes Mode1 through Mode4) mapped to an HSIF network DNHA with automata HA3, HA5 and HA6.]
CHARON – HSIF conversion
• HSIF-to-CHARON converter:
– Translates automata into agents
– Translates states into modes
– Produces flat CHARON
[Figure: the HSIF network DNHA with automata HA3, HA5 and HA6 mapped to a flat CHARON model: DNHA becomes Agent1, and HA3, HA5 and HA6 become Agent2, Agent3 and Agent4.]
Topic Area 6. Project Plans and
Capability Advances
Project Plans
• Describe your project's plans for the next 6 months
– Optimize reachability analysis techniques
– Improve the simulation and analysis tools
– Perform OEP experiments using these techniques and tools
– Refine model-based code generation techniques and tool implementation
– Refine model-based test generation techniques
• Randomization coverage method
• Property-based coverage
– Participate in HSIF development
• Identify specific performance goals
– Demonstrate superior performance of the counterexample-guided analysis tool on large case studies
– Demonstrate the feasibility of model-based test generation
– Demonstrate the faithfulness of generated code, both theoretically and in case studies
Project schedule and milestones
[Gantt chart: tasks 1. Design language (HSIF development), 2. Software toolkit, 3a. Semantics, 3e. Controller synthesis, 3f. Abstraction techniques, 3g. Code generation and 3h. Test generation, plotted against the quarters 3FY00, 4FY00, 1FY01, 2FY01, 3FY01, 4FY01, 1FY02, 2FY02, 3FY02, 4FY02, 1FY03 and 2FY03. Legend: milestone on schedule; milestone completed ahead of schedule; deliverable.]
Project schedule and milestones
• Past milestones:
– Q3FY02: Analysis Techniques and Tool Suite. Milestone achieved, but research and enhancement continue
• Deliverables: 2 research reports on abstraction techniques and analysis algorithms + tool implementation
– Q1FY03: Optimal control synthesis. Milestone achieved, but research continues
• Deliverables: 2 research reports on input-to-state stability; prototype implementation
• Upcoming milestones:
– Q2FY03: Model-based generation. Progress on schedule. Research report available, prototype implementation for a robot platform
– Additional self-imposed milestone: algorithms and tools for test generation. Two research reports available. Implementation in progress
Topic Area 7. Technology
Transition/Transfer
Technology Transition
• Use of CHARON and its toolkit
– CARA (Computer Assisted Resuscitation Algorithm)
Infusion pump system developed by WRAIR (Walter Reed Army Institute of Research)
• Design specification, analysis, code generation
• Goal: enhance FDA approval process for embedded medical
devices
– NIST: conformance test suite generation from metrology
interface specifications
– Modeling and analysis of biological processes such as
protein transduction (DARPA BioComp program)
• fits the hybrid systems paradigm very well
• enhances state-of-the-art in biological research with analysis
capabilities
• Commercialization of bio sketch pad (powered by Charon)
The End.