Model-based Analysis and Implementation of Embedded Systems Rajeev Alur University of Pennsylvania www.cis.upenn.edu/~alur/ MIT Workshop, August 2005
Download
Report
Transcript Model-based Analysis and Implementation of Embedded Systems Rajeev Alur University of Pennsylvania www.cis.upenn.edu/~alur/ MIT Workshop, August 2005
Model-based Analysis and
Implementation of Embedded Systems
Rajeev Alur
University of Pennsylvania
www.cis.upenn.edu/~alur/
MIT Workshop, August 2005
Model-Based Design
Benefits of model-based design
Detecting errors in early stages
Powerful and formal analysis
Reusable components
Automatic code generation
Many commercial tools are available for design
of embedded control systems (e.g. Simulink)
Typically, semantics is not formal
Typically, only simulation-based analysis
Code generation available, but precise relationship
between model and code not understood
Charon Project at Penn
Can we formally prove safety properties of models?
Formal Specification
Environment Model
Can we infer properties of code from properties
of models?
Performance
Metrics
Programming/Modeling Language
Based on Hybrid Automata
Platform Description
Design and Analysis Tools
Simulation, Verification, Optimization
Compiler +
Scheduler
Executable Code on
Embedded Processor
Libraries in Base Language
Hybrid Modeling
State machines + Dynamical systems
on
dx=kx
x<70
Automotive
Coordination
Protocols
x>68
x<63
Robotics
off
dx=-k’x
x>60
Animation
Systems
Biology
CHARON Language Features
Individual components described as agents
Composition, instantiation, and hiding
Individual behaviors described as modes
Encapsulation, instantiation, and Scoping
Support for concurrency
Shared variables as well as message passing
Support for discrete and continuous behavior
Differential as well as algebraic constraints
Discrete transitions can call Java routines
Compositional semantics with refinement rules
CHARON Toolkit
model
temporal
property
Model Checker
yes
error-trace
Advantages
Automated formal verification, Effective debugging tool
Impressive industrial success
In-house groups: Intel, Microsoft, Lucent, Motorola…
Commercial model checkers: FormalCheck by Cadence
Model checking for discrete systems
Enumerative state-space search (SPIN)
Symbolic search using Binary decision diagrams (SMV)
Bounded model checking using SAT solvers
Symbolic Safety Verification
Data type: region to represent state-sets
R:=I(X) /* initial set */
Repeat
If R intersects target F report “violation”
Else if R contains Post(R) report “safe”
Else R := R union Post(R)
Post(R): Set of successors of states in R
Termination may or may not be guaranteed
F
I
Reachability for Hybrid Systems
What’s a suitable representation of regions?
Region: subset of Rk
Main problem: handling continuous dynamics
Precise solutions available for restricted
continuous dynamics
Timed automata (Uppaal, Kronos, …)
Linear hybrid automata (HyTech)
Even for linear systems, over-approximations of
reachable set needed
Timed Automata
a,x:=0
b,y:=0
y>2,c
x<3,d
Analog of finite-state automata in discrete case
Continuous variables: Clocks increasing at rate 1
All constraints of the form: x compared to constant
Can express lower and upper bounds on delays
Well-developed theory of automata and logics
Closure properties
Decision problems
Equivalent characterizations
Region-based Analysis
Finite partitioning of state space
w @ w’ iff they satisfy the same set
of constraints of the form
x2
xi < c, xi = c, xi – xj < c, xi –xj =c
for c <= largest const relevant to xi
2
Region equivalence is a time-abstract
bisimulation, and corresponding
quotient can be used for temporal
logic model checking
1
1
2
3
x1
An equivalence class (i.e. a region)
in fact there is only a finite number of regions!!
Model Checking for Hybrid Systems
Timed automata tools use matrices as a symbolic
representation (all constraints are bounds on differences)
Next step: use polyhedra as a representation (HyTech)
Linear hybrid automaton allows linear constraints in guards/resets
Dynamics: linear constraints among derivates
The set of reachable states at every iteration is union of polyhedra
If dynamics is dX=AX, and R is a polyhedron, Post(R) is
not a polyehdron
Many approximate solutions proposed:
Approximate Post(R) with enclosing convex polyhedra (Checkmate)
Polyhedral Flow Pipe Approximations
t3
t4
t5
t6
t7
t8
t2
t1
X0
t9
• divide R[0,T](X0) into [tk,tk+1] segments
• enclose each segment with a polyhedron
• RM[0,T](X0) = union of polyhedra
Abstraction and Refinement
Abstraction-based verification
Given a model M, build an abstraction A
Check A for violation of properties
Either A is safe, or is adequate to indicate a bug
in M, or gives false negatives (in that case, refine
the abstraction and repeat)
Many projects exploring abstraction-based
verification for hybrid systems
Predicate abstraction (Charon at Penn)
Counter-example guided abstraction refinement
(CEGAR at CMU)
Qualitative abstraction using symbolic derivatives
(SAL at SRI)
Predicate Abstraction
Input is a hybrid automaton and a set of k boolean
predicates, e.g. x+y > 5-z.
The partitioning of the concrete state space is
specified by the user-defined k predicates.
x
t
Concrete Space:
LxRn
Abstract Space:
L x {0,1} k
Overview of the Approach
Hybrid
system
Safety
property
Boolean
predicates
additional
predicates
Search in abstract space
No!
Counter-example
Real
counterexample
found
Property
holds
Analyze counter-example
Charon Project at Penn
Can we formally prove safety properties of models?
Formal Specification
Environment Model
Can we infer properties of code from properties
of models?
Performance
Metrics
Programming/Modeling Language
Based on Hybrid Automata
Platform Description
Design and Analysis Tools
Simulation, Verification, Optimization
Compiler +
Scheduler
Executable Code on
Embedded Processor
Libraries in Base Language
Walking Model: Behavior and Modes
v
Shared variable
On Ground
Up
dx = dy = 0
turn == i
dy = kv
dt = 1
Time triggered
y==0
->
turn++
dy = -kv
t==2
2x==str
dx = kv
x < str /2
Down
Forward
Event triggered
x
L1
L2
j1
j2
y
(x, y)
Code Generation Case Study
Front-end
Translate CHARON objects into modular C++ objects
Back-end
Map C++ objects to execution environment
front-end
back-end
Execution
environment
CHARON objects
C++ objects
agent
class agent
scheduler
class mode
diff()
trans()
API
mode
diff/alge eqn
transition
analog var
class var
Target
platform
Gap Between Models and Code
Rich theory of sampled control (but mainly for
purely continuous systems)
Discrete-time control design
Sampling errors
No theory of interacting control blocks
Mapping individual blocks to periodic real-time
tasks does not lead to predictability
Lack of compositionality affects integration
Hybrid systems poses new challenges: How can
code ensure that events are not missed ?
Code from Structured Models
How to map control blocks to tasks?
u
x
C1
v
C2
Many choices for code
Two tasks: C1 and C2 with their own periods
One task: Read(x);C1;C2;Actuate
One task: Read(x);C1;Read(x);C2;Actuate
The choice can depend on many parameters: computation
times, sensitivity ox x to u and v, performance objective
Quantifying the Gap (1)
Appealing implementation platform: Timetriggered architecture
Time divided into fixed-size slots
Appealing programming paradigm: Fixed Logical
Execution Time
Block mapped to slot i reads inputs at the
beginning, computes, and outputs at the end of the
slot i
Micro-schedule: Map each slot to at most one
control block
Given a micro-schedule s, and a plant model,
continuous-time trajectory of execution
uniquely defined
From Model to Code
1. Continuous-time semantics: all blocks at all times
Continuous
2. Discrete/simulation semantics: all blocks every T s
Compute all
Compute all
Compute all
Compute all
3. Periodic tasks: Red block every T1 s, Blue every T2 s
4. Micro-schedule on TTA: Fixed-size slots
Idle,Red,Blue,Idle, Blue,Red,Idle,Blue, Idle,Red, Blue…
Quantifying the Gap (2)
Define a performance metric: for two
continuous-time trajectories t1 and t2,
d(t1,t2) measures the distance
Quality of a micro-schedule s is d(t*,ts),
where t* is the continuous-time simulation
trajectory and ts is the trajectory of code
when executed according to s
For linear systems, d(t*,ts) is computable when
d is, say, L2-norm, using ideas from PLTIs
(Periodic linear time invariant systems)
This allows comparing micro-schedules by
precisely quantifying their metrics
Wrap-Up
Modeling and Analysis in symbiosis
Progress on safety verification by combining
symbolic representations and abstraction
Many application domains for hybrid systems
Current Focus: Understanding and quantifying the
gap between models and code to add rigor in the
code generation step
Ongoing: Stochastic hybrid systems