Transcript Slide 1

Real-Time Systems,
COSC-4301-01,
Lecture 11
Stefan Andrei
7/18/2015
COSC-4301-01, Lecture 11
1
Reminder of the last lecture

Systematic and Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting [ACCL06]
Overview of This Lecture

Optimization of Specifications expressed in path-RTL [AnC06]

[AnC06] Andrei, S., Cheng, A.M.K.: Optimization of Real-Time Systems Timing Specifications. Proceedings of the 12th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA 2006), 7 pages, IEEE Computer Society, Sydney, August 16-18, 2006
Real-Time Systems Specification [JaM87, Che02]

A real-time system specification has two parts:
- Structural-functional specification
- Behavioral specification (SP)

A specification is correct if SP implies the safety assertion (SA), i.e. if SP → SA is a theorem.

[JaM87] Jahanian, F., Mok, A.: A Graph-Theoretic Approach for Timing Analysis and its Implementation. IEEE Transactions on Computers, Vol. C-36, No. 8, 1987
[Che02] Cheng, A.M.K.: Real-Time Systems. Scheduling, Analysis, and Verification. Wiley-Interscience, 2002
Optimization of Specifications [AnC06]

Motivation: after SP → SA has been verified and the system implementing SP is deployed, the performance of the processing platform changes as a result of power saving, faulty components, or cost saving in the platform that executes the tasks specified in SP.
This leads to a different but related SP.
It is desirable to determine an optimal SP, with the slowest possible computation times for its tasks, such that SA still holds.
Examples

A slower processing platform leads to longer task computation times.
Performance changes in the processing platform can be:
- the result of power saving (a voltage-scalable CPU running at a slower speed),
- faulty components (one of two motors moving a railroad-crossing gate malfunctions),
- cost saving (a subset of the water pumps in a process-control system is shut down),
- other unexpected reasons.
Deriving optimal theorems (or quantifying tolerances) allows the system designer to determine how far the performance of the processing platform can drift from the norm without violating the SA.
The Main Idea

This is clearly a fundamental issue in the design and implementation of highly dependable real-time / embedded systems.
The idea: relax SP and tighten SA such that SP → SA is still a theorem.
Example:
SP = {@(e1,x) + 10 ≤ @(e3,y), @(e3,y) - 20 ≤ @(e2,z)} and SA = {@(e1,x) - 15 ≤ @(e2,z)}; then SP → SA is a tautology (adding the two SP constraints gives @(e1,x) - 10 ≤ @(e2,z), which is stronger than SA).
If we relax SP to {@(e1,x) + 5 ≤ @(e3,y), @(e3,y) - 20 ≤ @(e2,z)}, then SP → SA is still a tautology (the two constraints now add up to exactly @(e1,x) - 15 ≤ @(e2,z)); in fact, this is an optimal one.
Real-Time Logic (RTL) [JaM86]

RTL = first-order logic with special features to capture timing requirements.
Occurrence function: @ :: Event × Occurrence → Time, where Occurrence = Nat - {0} and Time = Nat.
@(e, i) = t means the i-th occurrence of event e occurs at time t.
For all e ∈ Event and i ∈ Occurrence, @(e,i) < @(e,i+1) if @(e,i+1) is defined (the occurrences of an event are strictly ordered in time).

[JaM86] Jahanian, F., Mok, A.K.: Safety Analysis of Timing Properties in Real-Time Systems. IEEE Transactions on Software Engineering, vol. SE-12, no. 9, pp. 890-904, 1986
Real-Time Logic (cont.)

Three types of RTL constants:
- Actions: schedulable units of work.
- Event constants: temporal markers, of four kinds:
  - External events: event-name
  - Start events: event-name (the start of an action)
  - Stop events: event-name (the end of an action)
  - Transition events: event-name (a change of a state attribute)
- Integers: used for timing constraints.
The Path-RTL Formulas [JaM87, WaM94]

The general form of path-RTL formulas:
functionOccurrence ± integerConstant ≤ functionOccurrence
i.e. @(e1,i) ± I ≤ @(e2,j): a difference constraint between two event occurrences.

Industrial real-time systems specified in path-RTL:
- Railroad crossing [JaM87], [JaS88], [Che02]
- Moveable control rods in a reactor [JaM87]
- Boeing 777 Integrated Airplane Information Management System [MTR96]
- X-38, an autonomous spacecraft built by NASA [RiC99]

[WaM94] Wang, F., Mok, A.K.: RTL and Refutation by Positive Cycles. Proceedings of Formal Methods Europe Symposium, Lecture Notes in Computer Science 873, pp. 659-680, 1994
The Constraint Graph Technique [JaM87]

- F: the initial path-RTL formula (SP ∧ ¬SA, which we try to refute);
- F': the corresponding Presburger formula;
- PF = C1 ∧ C2 ∧ … ∧ Cn: the propositional formula of SP ∧ ¬SA in conjunctive normal form, where
  Ci = Li,1 ∨ Li,2 ∨ … ∨ Li,n and each literal Li,j has the general form v1 ± I ≤ v2, I being a positive integer constant.
- For each literal v1 ± I ≤ v2, we construct a node labeled v1, a node labeled v2, and an edge <v1,v2> from node v1 to node v2 with weight +I or -I, according to the sign in the literal.
- For each positive cycle Xj,1, Xj,2, …, Xj,nj of the graph (a cycle whose weights sum to a positive value: its literals cannot all hold at once, since adding them yields v + k ≤ v with k > 0), the clause Cj = ¬Xj,1 ∨ ¬Xj,2 ∨ … ∨ ¬Xj,nj is added to PF.
- If the resulting PF is unsatisfiable, SP ∧ ¬SA has no model, so SP → SA is a theorem.
The Optimization Problem

The previous approaches were focused on the verification and debugging of SP → SA [ACCL06], not on the optimization of this tautology.
However, it may happen that SP contains overly strong timing constraints, or that SA can be improved with stronger timing constraints.
Can we provide the most relaxed specification SP and/or the tightest safety assertion SA such that SP → SA is a theorem (without repeating the verification of SP → SA)?

[ACCL06] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. IEEE Transactions on Computers, vol. 55(7), pp. 830-842 (2006). Selected as the July ToC issue's Feature Article.
Notations

Given S a set of timing constraints, ground(S) denotes {(x,y) | x+I≤y ∈ S, where I ∈ Z}, i.e. the pairs of variables constrained by S, with the constants dropped.
Example: for S1 = {x1+3<x2, x2-7<x3}, we have ground(S1) = {(x1,x2), (x2,x3)}.
The timing constraint x+I≤y is stronger than x+I-J≤y if and only if J ≥ 0, and strictly stronger if and only if J > 0.
Example: x-5<y is a stronger constraint than x-7<y. (Over integer time, x+I<y is the same constraint as x+I+1≤y, so the strict inequalities in the examples fit the definition above.)
Notations (cont.)

Given two sets of timing constraints SP1 and SP2, we say that SP1 is stronger than SP2 if and only if for any timing constraint of SP2 there exists a stronger timing constraint of SP1 (on the same pair of variables).

If, in addition, at least one timing constraint of SP1 is strictly stronger than the comparable timing constraint of SP2, then SP1 is strictly stronger than SP2.

Example: {x-5<y, x+4<z} is strictly stronger than {x-7<y, x+3<z}.
Strongness, Implication and Optimality

Theorem. Given S1 and S2 two sets of timing constraints such that S1 is stronger than S2, then S1 → S2 is a tautology.
Example: {x1+4<x2, x2-5<x3} → {x1+3<x2, x2-7<x3} is a tautology.
We say that SP → SA is an optimal tautology if there are no other SP' and SA' with ground(SP) = ground(SP'), ground(SA) = ground(SA'), SP stronger than SP' (SP' is a relaxation of SP) and SA' stronger than SA (SA' is a tightening of SA), at least one of the two strictly, such that SP' → SA' is a tautology.
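The strongness relations of the two "Notations" slides and the theorem above, as an added Python example (not code from the lecture or from [AnC06]). A constraint is encoded as a tuple (x, c, y) meaning x + c ≤ y; the text format accepted by parse() and the function names are this example's own choices. The one subtlety worth seeing in code is the normalization of the slides' strict examples: over integer time, x+I<y is the same constraint as x+I+1≤y, so the definitions stated with ≤ apply to them unchanged.

```python
"""Strongness of timing constraints and of constraint sets.

Added example for the lecture's "Notations" slides; not code from the
lecture, [AnC06] or OPRATEL.  A constraint is (x, c, y) meaning x + c <= y.
"""
import re

# 'x1+3<x2', 'y-20<=z', 'x+10≤y'  (the text syntax is this example's own)
_CONSTRAINT = re.compile(r"\s*(\w+)\s*([+-])\s*(\d+)\s*(<=|≤|<)\s*(\w+)\s*")


def parse(text):
    """'x1+3<x2' -> ('x1', 4, 'x2').  Over integer time a strict x+I<y is
    the same constraint as x+I+1<=y, which is why the slides can use '<' in
    the examples while the definitions are stated with '<='."""
    m = _CONSTRAINT.fullmatch(text)
    if not m:
        raise ValueError(f"not a path-RTL timing constraint: {text!r}")
    x, sign, k, op, y = m.groups()
    c = int(k) if sign == "+" else -int(k)
    if op == "<":
        c += 1
    return (x, c, y)


def ground(s):
    """ground(S): the variable pairs constrained by S, constants dropped."""
    return {(x, y) for x, _, y in s}


def stronger(a, b):
    """x+I<=y is stronger than x+I-J<=y iff J >= 0:
    same pair of variables and a larger-or-equal constant."""
    (x, i, y), (x2, j, y2) = a, b
    return (x, y) == (x2, y2) and i >= j


def strictly_stronger(a, b):
    """Same as stronger() but with J > 0."""
    return stronger(a, b) and a != b


def set_stronger(s1, s2):
    """S1 is stronger than S2 iff every constraint of S2 has a stronger
    constraint in S1.  By the theorem on this slide, S1 -> S2 is then a
    tautology (S1 pins every pair of S2 at least as tightly)."""
    return all(any(stronger(a, b) for a in s1) for b in s2)


def set_strictly_stronger(s1, s2):
    """... and at least one constraint of S1 is strictly stronger than the
    comparable constraint of S2."""
    return set_stronger(s1, s2) and any(
        strictly_stronger(a, b) for a in s1 for b in s2)


if __name__ == "__main__":
    # Constructed inputs: the examples of the two "Notations" slides.
    s1 = [parse("x1+3<x2"), parse("x2-7<x3")]
    print("ground(S1) =", ground(s1))
    a = [parse("x-5<y"), parse("x+4<z")]
    b = [parse("x-7<y"), parse("x+3<z")]
    print("A strictly stronger than B:", set_strictly_stronger(a, b))
    print("B stronger than A:", set_stronger(b, a))
```

set_stronger() only compares constants on identical variable pairs; it does not derive constraints by adding others together, which is exactly why the theorem is a one-way implication (S1 → S2 can hold without S1 being stronger than S2 in this syntactic sense).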
Optimal Tautologies

Example: SP = {x+10≤y, y-20≤z} and SA = {x-15≤z}. SP → SA is a tautology, but not an optimal one!
Examples of optimal tautologies with the same ground sets:
1. SP1 = {x+10≤y, y-20≤z}, SA1 = {x-10≤z};
2. SP2 = {x+5≤y, y-20≤z}, SA2 = {x-15≤z};
3. SP3 = {x+8≤y, y-20≤z}, SA3 = {x-12≤z}.
SP1 → SA1, SP2 → SA2 and SP3 → SA3 are all optimal tautologies: in each case the two SP constraints add up to exactly the SA constraint, so SP cannot be relaxed, nor SA tightened, any further.
Algorithm to Compute Optimal Tautology
The Key Point

Question: which SPk+1 and SAk+1 should be chosen so that the condition in the if statement (line 5 of the algorithm on the previous slide) always evaluates to true?
Idea: preserve PF1 and change only some weights of arcs on the positive cycles of CG1 (i.e. keep the same positive cycles, only with different weights).
These changes are reflected back into the original SP and SA.
Since PF1 is unchanged, there is no need to repeat the verification of SP → SA.
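The constraint-graph refutation of the [JaM87] slide and the weight-changing idea of this slide, as an added Python example (not code from the lecture, from [AnC06], from [JaM87], or from OPRATEL). It covers only the conjunctive fragment, where SP and SA are sets of difference constraints over integer time; there a positive cycle in the graph of SP ∧ ¬a settles SP → a directly, and the full technique's CNF conversion and SAT check over PF are not needed. A constraint is the tuple (u, c, v) meaning u + c ≤ v, so ("x", -15, "z") is x - 15 ≤ z; this encoding, the function names, and the greedy relaxation order are this example's own choices. The optimization step is the one this slide describes: every positive cycle is kept positive (weight ≥ 1), and the cycle's slack (weight minus 1) is spent either on lowering SP weights or on raising the SA constant, which reproduces the pairs SP2/SA2 and SP1/SA1 of the "Optimal Tautologies" slide.

```python
"""Constraint-graph refutation for path-RTL and slack-based relaxation of SP.

Added example for the lecture; not code from OPRATEL, [AnC06] or [JaM87].
Restricted to the conjunctive fragment: SP and SA are lists of difference
constraints over integer time, each a tuple (u, c, v) meaning u + c <= v.
"""


def negate(con):
    """¬(u + c <= v) is v < u + c, i.e. over integers v + (1 - c) <= u."""
    u, c, v = con
    return (v, 1 - c, u)


def positive_cycles(edges):
    """Enumerate the simple directed cycles of the constraint graph whose
    weights sum to a positive value.  The literal (u, c, v) is the edge
    u -> v with weight c.  Each cycle is a list of edge indices, enumerated
    once, from its smallest node label."""
    adj = {}
    for idx, (u, w, v) in enumerate(edges):
        adj.setdefault(u, []).append((idx, w, v))
    nodes = sorted({n for u, _, v in edges for n in (u, v)})
    found = []

    def dfs(start, node, path, weight, visited):
        for idx, w, v in adj.get(node, []):
            if v == start:
                if weight + w > 0:                   # cycle closed: positive?
                    found.append(path + [idx])
            elif v not in visited and v > start:     # visit each cycle once
                dfs(start, v, path + [idx], weight + w, visited | {v})

    for s in nodes:
        dfs(s, s, [], 0, {s})
    return found


def cycle_weight(edges, cycle):
    return sum(edges[k][1] for k in cycle)


def refutation_clause(edges, cycle):
    """The clause ¬X1 ∨ ... ∨ ¬Xn that the constraint-graph technique adds to
    PF for a positive cycle X1 ... Xn (its literals cannot all hold)."""
    return " ∨ ".join(f"¬({u}{c:+d} ≤ {v})" for u, c, v in (edges[k] for k in cycle))


def is_theorem(sp, sa):
    """SP -> SA holds iff for every a in SA the system SP ∧ ¬a is
    unsatisfiable, i.e. its constraint graph has a positive cycle."""
    if positive_cycles(list(sp)):
        raise ValueError("SP is inconsistent on its own; SP -> SA is vacuous")
    return all(positive_cycles(list(sp) + [negate(a)]) for a in sa)


def _slack_through(sp, a, edge_index):
    """Largest amount by which the weight of edge edge_index of SP ∧ ¬a may
    be lowered while every positive cycle through it keeps weight >= 1.
    None if the edge lies on no positive cycle."""
    edges = list(sp) + [negate(a)]
    slacks = [cycle_weight(edges, cyc) - 1
              for cyc in positive_cycles(edges) if edge_index in cyc]
    return min(slacks) if slacks else None


def relax_sp(sp, sa, order=None):
    """Relax SP constraints greedily (in the given index order) as far as all
    positive cycles stay positive.  PF is untouched: the same cycles remain,
    only with smaller weights, so SP -> SA needs no re-verification."""
    if not is_theorem(sp, sa):
        raise ValueError("SP -> SA is not a theorem; nothing to optimize")
    sp = list(sp)
    for i in (order if order is not None else range(len(sp))):
        slacks = [s for s in (_slack_through(sp, a, i) for a in sa) if s is not None]
        if slacks and min(slacks) > 0:   # on no cycle: irrelevant to SA, left alone
            u, c, v = sp[i]
            sp[i] = (u, c - min(slacks), v)
    return sp


def tighten_sa(sp, sa):
    """Tighten each a = (u, c, v) of SA to u + (c + slack) <= v.  The ¬a edge
    is the last edge of SP ∧ ¬a, and raising c lowers its weight by the
    same amount, so the cycle again ends at weight exactly 1."""
    if not is_theorem(sp, sa):
        raise ValueError("SP -> SA is not a theorem; nothing to optimize")
    out = []
    for u, c, v in sa:
        out.append((u, c + _slack_through(sp, (u, c, v), len(sp)), v))
    return out


# Constructed input: the SP/SA pair of the "Optimal Tautologies" slide.
EXAMPLE_SP = [("x", 10, "y"), ("y", -20, "z")]
EXAMPLE_SA = [("x", -15, "z")]

if __name__ == "__main__":
    edges = EXAMPLE_SP + [negate(EXAMPLE_SA[0])]
    for cyc in positive_cycles(edges):
        print("positive cycle, weight", cycle_weight(edges, cyc), ":",
              refutation_clause(edges, cyc))
    print("relaxed SP  :", relax_sp(EXAMPLE_SP, EXAMPLE_SA))               # SP2
    print("relaxed SP  :", relax_sp(EXAMPLE_SP, EXAMPLE_SA, order=[1, 0]))  # another optimum
    print("tightened SA:", tighten_sa(EXAMPLE_SP, EXAMPLE_SA))             # SA1
```

The two relaxation orders show why the slide speaks of "an" optimal tautology rather than "the" one: the slack of the cycle x → y → z → x is 5, and spending it on x+10≤y gives SP2, spending it on y-20≤z gives {x+10≤y, y-25≤z}, and splitting it between SP and SA gives SP3/SA3. A constraint that lies on no positive cycle is left alone here; it does not contribute to SA at all, so the example makes no claim about how far it may drift.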
Refinement of the Optimization Algorithm
Experimental Results

OPRATEL (Optimization of Path ReAl-TimE Logic) is our Java implementation of the optimization algorithm.
The running-time overhead of OPRATEL relative to SDRTL is at most 20%.
The verification part is done only once, at the beginning, when checking whether SP → SA is a theorem.
The subsequent task is responsible only for changing SP and/or SA such that SP → SA becomes an optimal theorem.
Future Work

- Extension to a larger class of RTL formulas
- Modularization technique for that class
Summary

- Optimization of Specifications
Reading suggestions

[AnC06] Andrei, S., Cheng, A.M.K.: Optimization of Real-Time Systems Timing Specifications. Proceedings of the 12th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA 2006), 7 pages, IEEE Computer Society, Sydney, August 16-18, 2006
Coming up next

Faster Verification of RTL-Specified Systems via:
- Decomposition
- Constraint Extension

[AnC06] Andrei, S., Cheng, A.M.K.: Faster Verification of RTL-Specified Systems via Decomposition and Constraint Extension. Proceedings of the IEEE Real-Time Systems Symposium (RTSS 2006), 10 pages, IEEE Computer Society, Rio de Janeiro, December 5-8, 2006
Thank you for your attention!
Questions?