Transcript Slide 1
Verification of Linear RealTime Logic Specifications
Stefan Andrei1, IEEE member
Albert M.K. Cheng2, IEEE senior member
1. Department of Computer Science, Lamar University, Texas
2. Department of Computer Science, University of Houston, Texas
7/20/2015
RTSS 2007
1
Introduction
Real-time and embedded systems are becoming
ubiquitous, ranging from wireless sensors to
complex avionics and phased array radars.
To define these systems, we can use either:
a structural specification or
a behavioral specification.
A behavioral specification serves as a sufficiently
accurate model of the system for the purpose of
verification of the system’s timing properties.
7/20/2015
RTSS 2007
2
Verifying timing properties
Early in a system development cycle, verified timing
properties lead to compliant prototypes that satisfy
safety requirements.
This potentially avoids timing errors in the
implementation, saving the cost of debugging and
ensuring the safe operation of the deployed system.
An implementation is correct if
The behavioral specification (SP) implies the safety assertions (SA)
Real-Time Logic (RTL) is a logic for describing SP and
SA [Jahanian, Mok; 1986].
7/20/2015
RTSS 2007
3
Real-Time Logic (RTL)
Occurrence Function:
@:: Event x Occurrence Time, where
Occurrence = Nat - {0} and Time = Nat.
@(e, i) = t means the i-th occurrence of event e
occurs at time t.
eEvent, iOccurrence, @(e,i) <
@(e,i+1) if @(e,i+1) is defined.
7/20/2015
RTSS 2007
4
Real-Time Logic (cont)
Three types of RTL constants:
Actions: schedulable units of work
Events constants are temporal markers
7/20/2015
External Events: event-name
Start Events: event-name
Stop Events: event-name
Transition Events: event-name
Integers: used for timing constraints.
RTSS 2007
5
Decidable Fragments of RTL
However, the satisfiability problem for RTL, as
well as for other first-order logics, is undecidable
[Wang, Mok; 1994].
In an effort to find subclasses of RTL having
decidable properties, the following subclasses
have been identified:
Path real-time logic (path-RTL) [Jahanian, Mok; 1987].
Extended path real-time logic [Andrei, Cheng; 2006].
7/20/2015
RTSS 2007
6
The previous classes
The path real-time logic: disjunction of
inequalities:
i @(e1, i) - @(e2, j) k
The extended path real-time logic:
disjunction of timing constraints:
i ± @(e1, i) ± @(e2, j) k
7/20/2015
RTSS 2007
7
Examples
The classes of path RTL and extended path RTL
formulas were successfully used to specify several
real-time systems:
7/20/2015
The railroad crossing [Jahanian, Stuart; 1988],
The moveable control rods in a reactor [Jahanian, Mok;
1987],
The Boeing 777, Integrated Airplane Information
Management System [Mok, Tsou, de Rooij; 1996],
The X-38, an autonomous spacecraft designed and built by
NASA as a prototype of the International Space Station
Crew Return Vehicle [Rice, Cheng; 1999], and
The airport radar station [Andrei, Cheng; 2006].
RTSS 2007
8
Limitations
Both path RTL and extended path RTL can only
describe a timing constraint between two events.
A timing constraint involving three or more events
together cannot be specified by any of these
subclasses.
Example: The specification of a phased array radar system.
A phased array is a group of antennas in which the relative
phases of the respective signals feeding the antennas are
varied in such a way that the effective radiation pattern of
the array is reinforced in a desired direction and
suppressed in undesired directions.
7/20/2015
RTSS 2007
9
The specification of a phased array
radar system with four antennas
1.
2.
3.
4.
5.
Suppose there is a phased array radar system consisting
of four antennas.
The radar system is turned on at time 0.
In order to allow time for the initialization routine, the sum
of times when all four antennas start radiating must be at
least 10 seconds.
The sum of all radiating times for neighboring antennas
(in this case, three) cannot exceed 1000 seconds in order
to avoid overheating of the antenna elements and to
reduce interference.
The time an antenna should continuously radiate is at
least 300 seconds.
7/20/2015
RTSS 2007
10
Translation to RTL
The four antennas of the phased array radar system are
given in a cyclic order, denoted by A1, A2, A3, A4.
@(↑A1, i) and @(↓A1, i) mean the ith occurrences when
antenna A1 begins and ends radiating:
i ( @(↑A1, i)+ @(↑A2, i)+ @(↑A3, i)+ @(↑A4, i) ≥ 10)
( (@(↓A1, i) - @(↑A1, i)) + (@(↓A2, i) - @(↑A2, i)) +
(@(↓A3, i) - @(↑A3, i)) 1000 ) …
( (@(↓A4, i) - @(↑A4, i)) + (@(↓A1, i) - @(↑A1, i)) +
(@(↓A2, i) - @(↑A2, i)) 1000 )
(@(↓A1, i) - @(↑A1, i) ≥ 300) …
(@(↓A4, i) - @(↑A4, i) ≥ 300).
7/20/2015
RTSS 2007
11
Our larger class - LRTL
So, there is a need to describe specification involving
inequalities with three or more events variables.
We call this larger RTL subclass:
Linear Real-Time Logic (LRTL).
LRTL includes the existing subclasses of decidable
and practical RTL formulas.
To the best of our knowledge, LRTL is a subclass of
RTL with decidable properties and was not
considered until now for the specification and
verification of real-time and embedded systems.
7/20/2015
RTSS 2007
12
Can we still re-use the constraint graph?
The previous verification methods for formulas expressed
in (extended) path RTL were the so-called (extended)
constraint graph:
A timing constraint @(e1, i) - @(e2, j) k
corresponds to two nodes and an arc in the
constraint graph.
A timing constraint ± @(e1, i) ± @(e2, j)
k corresponds to two arcs between four
nodes in the extended constraint graph.
No, a more powerful data structure is needed.
7/20/2015
RTSS 2007
13
LRTL
Is based on a first-order logic with features able to
capture the linear timing requirements of real-time
systems.
The correctness of a real-time system specification
can be achieved by solving a system of linear
inequalities.
A general timing constraint in LRTL may have the
form:
a1 · @(e1, i1) + … + an · @(en, in) «op» b
where «op» is one of the following arithmetic operators
{, =, ≥}, and a1, ..., an, and b are integers.
7/20/2015
RTSS 2007
14
The LRTL normal form
a1 · @(e1, i1) + … + an · @(en, in) b
Even if the normal form seems to restrict «op»
only to “”, it has the same expressive power
like the general form.
Our method for verification of SPSA
expressed in LRTL has 6 basic steps.
7/20/2015
RTSS 2007
15
The first 3 steps to prove SP SA
1.
2.
3.
consider F = (SP SA) ≡ SP SA;
convert it to a Presburger formula, FPresb , by
replacing the time occurrences @(E, i) by a
function fE(i);
construct the Skolem formula, FCNF , by
removing the existential quantifiers and the
replacement of the corresponding variables
with constants.
7/20/2015
RTSS 2007
16
Example
SP: i j (@(e1, i) + @(e2, i) 2)
(@(e2, i) - @(e3, j) 1)
(@(e1, i) - @(e3, j) 7).
SA: u v (@(e1, u) + @(e2, u) - @(e3, v) 5).
SA is u v (-@(e1, u) - @(e2, u) + @(e3, v) - 6)
Presburger formula: replace @(e1, i) by f1(i), @(e2, i) by f2(i),
@(e3, i) by f3(i), etc.
Skolem formula: U and V are two integer constants to
replace the variables u and v.
FCNF: i j (f1(i) + f2(i) 2) (f2(i) - f3(j) 1) (f1(i) - f3(j)
7) (-f1(U) - f2(U) + f3(V) - 6).
7/20/2015
RTSS 2007
17
Step 4: Positive propositional clauses
A set S = {f(t1), ..., f(tk)} is unifiable if there exists
a substitution ψ such that f(t1)ψ = ... = f(tk)ψ.
Example:
The set S = {f1(i), f1(U)} is unifiable due to the
substitution ψ = [i/U].
The method pos(FCNF) generates a new
propositional variable for each new inequality
after checking the unification.
The FCNF from the example has the following
positive clauses: {A1}, {A2}, {A3}, and {A4}.
7/20/2015
RTSS 2007
18
Step 5: Obtaining the negative
propositional clauses
FCNF is translated to a system of linear inequalities AX
B.
1 1 0
2
f1 (U )
0 1 1
1
f 2 (U )
1 0 1
7
Example: A =
, X = f 3 (V ) , B = .
1 1 1
6
The column vector X has been obtained after applying the
substitution {[i/U], [j/V]}.
7/20/2015
RTSS 2007
19
Definition: Negative linear dependencies
Λ = (λi)1in from M1,n is a positive row vector
if λi + - {0} for all i {1, ..., n}.
Let B = (bi)1in be a column vector from Mn,1
such that bi for all i {1, ..., n}.
Λ is negative linear dependant of B if and
only if ΛB < 0.
7/20/2015
RTSS 2007
20
Theorem: Sufficient condition
Let Λ = (λi)1 i n be a positive row vector that
is a solution of the system of linear equations
AtrΛ =0, where A = (ai,j)mn is a matrix over .
If Λ is negative linear dependant of B, where B
is a column vector, then the inequality AX B
has no solution for X over , where X is a
column vector.
7/20/2015
RTSS 2007
21
Example
Considering AX B, we need to find the positive row
vector Λ= (λ1 λ2 λ3 λ4) such that AtrΛ =0.
This is:
The positive solution Λ= (1 1 1 2) leads to ΛB=-2.
Therefore, AX B has no solution for X over .
7/20/2015
=0.
RTSS 2007
22
Negative propositional clauses
1.
2.
3.
4.
5.
6.
7.
initially Fneg = ;
identify the propositional variables v1, ... vk
corresponding to inequalities from FCNF ;
identify matrices A and B from the inequality AX B
that represent FCNF;
let Ai A and Bi B be such that AiX Bi is a new
subsystem of AX B;
find Λi a positive solution of Atri Λi = 0;
if ΛiBi < 0 then add the negative clause {vi,1, ...
vi,k} to Fneg;
if there is no new subsystem AiX Bi of AX B,
then STOP; otherwise, go to step 4.
7/20/2015
RTSS 2007
23
Step 6: The final step of our method
Let PF be the set of positive and negative
clauses.
If PF is unsatisfiable, then SPSA holds.
Example: PF = { {A1}, {A2}, {A3}, {A4}, {A1,
A2, A3, A4} } is unsatisfiable, so SPSA
holds.
7/20/2015
RTSS 2007
24
Correctness Theorem
A clausal normal formula FCNF is unsatisfiable
if and only if there is a finite unsatisfiable set
of ground instances and PFi for 1 i n,
where each PFi is an arbitrary clause
returned by the negative generating clauses
of FCNF .
7/20/2015
RTSS 2007
25
Complexity considerations
Among the many different ways to solve
systems of linear inequations, the traditional
method is the Gaussian elimination.
It has an order of O(n3) time complexity,
where n is the number of variables.
7/20/2015
RTSS 2007
26
Comparison with similar works
Our Java programming language implementation of
Algorithm A is called VerLRTL (‘Verifier for LRTL’).
Other tools:
SDRTL (‘Systematic Debugging for path Real-Time Logic’,
[Andrei, Chin, Cheng, Lupu; 2005])
DEVA-RTL (‘Decompositional Extended path RTL Verifierdebugger-Analyzer’, [Andrei, Cheng; 2006]).
All three techniques (VerLRTL, SDRTL, DEVA-RTL)
have two big steps:
1.
2.
the conversion of the initial RTL formula into a propositional
formula PF, and
the call of a SAT solver for PF.
7/20/2015
RTSS 2007
27
Differencies between the three tools
For step (1), the differences in execution times
needed by SDRTL, DEVA-RTL, and VerLRTL are not
big as they refer to the same input RTL formula.
Instead, the gap in execution times comes from step
(2) as the propositional formula of DEVA-RTL has
twice as many propositional variables and clauses as
SDRTL and VerLRTL.
VerLRTL is more expressive than the other two
previous implementations.
7/20/2015
RTSS 2007
28
Differencies between the three tools
The size of propositional formulae associated to
SDRTL and VerLRTL is the same, where the size of
propositional formula associated to DEVA-RTL is
double than SDRTL and VerLRTL.
The current implementation of VerLRTL focuses on
the verification of SP SA, not debugging.
We ran all these three implementations on the same
machine, a Pentium IV computer system, with 2.4GHz
using 512MB of main memory.
7/20/2015
RTSS 2007
29
Experimental Results – Table 1
The execution times of VerLRTL are very close to execution times
of SDRTL (that is, the difference is less than 18%).
This 18% difference is due to the fact the heuristics for detecting
the subsystems with negative linear dependencies has a higher
time complexity than the heuristics for detecting the positive cycles
in the constraint graph.
7/20/2015
RTSS 2007
30
Related and future work 1
In order to achieve an automatic way of describing
path-RTL timing constraints, the graphical
specification language, called Modechart, was
introduced [Jahanian, Stuart; 1988] and [Jahanian,
Mok; 1994].
Our LRTL class is a potential candidate to extend
the current expressive power of Modechart to
describe linear timing constraints between three or
more event variables.
7/20/2015
RTSS 2007
31
Related and future work 2
CHARON is a language for modular specification of
interacting hybrid systems using the notions of agent
and mode [Alur, Grosu, Lee, Sokolsky; 2001].
There are three kinds of constraints:
Differential constraints (e.g., by equations such as x’ =f(x, u)),
Algebraic constraints (e.g., by equations such as y = g(x, u)),
Invariants (e.g., x-y < c) which limit the allowed durations of
flows.
We believe that it is worth to investigate the possibility
of enlarging the class of CHARON constraints with
our LRTL class of constraints.
7/20/2015
RTSS 2007
32
Related and future work 3
PTIDES is based on discrete-event (DE) modeling
approaches where DE models consist of concurrent
compositions of components interacting via events
[Zhao, Liu, Lee; 2007].
Given an actor a with input port p1 and output port p2,
if δa(p1, p2) = d, then an event e1 = (t1, v1) produced at
p1 causing any event e2 = (t2, v2) produced at p2 will
satisfy t2 ≥ t1 + d.
With our LRTL class, it may be possible to extend
these causality interfaces to describe three or more
events and their relationships.
7/20/2015
RTSS 2007
33
Future work 4
To find larger classes of RTL, if there exist
some.
Inverse technique as the top-down technique,
not as a bottom-up one.
7/20/2015
RTSS 2007
34
Thank you for your attention!
Questions?
7/20/2015
RTSS 2007
35