Model-based Analysis and Implementation of Embedded Systems Rajeev Alur University of Pennsylvania...
-
Upload
janel-annabel-matthews -
Category
Documents
-
view
214 -
download
0
Transcript of Model-based Analysis and Implementation of Embedded Systems Rajeev Alur University of Pennsylvania...
Model-based Analysis andImplementation of Embedded
Systems
Rajeev Alur
University of Pennsylvania www.cis.upenn.edu/~alur/
MIT Workshop, August 2005
Model-Based Design
Benefits of model-based design Detecting errors in early stages
Powerful and formal analysis
Reusable components
Automatic code generation
Many commercial tools are available for design of embedded control systems (e.g. Simulink)
Typically, semantics is not formal
Typically, only simulation-based analysis
Code generation available, but precise relationship between model and code not understood
Charon Project at Penn
Programming/Modeling LanguageBased on Hybrid Automata
Libraries in Base LanguagePlatform Description
Design and Analysis ToolsSimulation, Verification, Optimization
Formal SpecificationEnvironment ModelPerformance Metrics
Executable Code onEmbedded Processor
Compiler +Scheduler
Can we formally prove safety properties of models?
Can we infer properties of code from properties of models?
Hybrid Modeling
State machines
offon
+ Dynamical systems
dx=kxx<70
dx=-k’xx>60
x>68
x<63
Automotive Robotics AnimationSystemsBiology
CoordinationProtocols
CHARON Language Features
Individual components described as agents Composition, instantiation, and hiding
Individual behaviors described as modes Encapsulation, instantiation, and Scoping
Support for concurrency Shared variables as well as message passing
Support for discrete and continuous behavior
Differential as well as algebraic constraints
Discrete transitions can call Java routines
Compositional semantics with refinement rules
CHARON ToolkitCHARON Toolkit
Model Checker
AdvantagesAutomated formal verification, Effective debugging tool
Impressive industrial successIn-house groups: Intel, Microsoft, Lucent, Motorola…Commercial model checkers: FormalCheck by Cadence
Model checking for discrete systemsEnumerative state-space search (SPIN)Symbolic search using Binary decision diagrams (SMV)Bounded model checking using SAT solvers
model
temporalproperty
yes
error-trace
Symbolic Safety Verification
Data type: region to represent state-setsR:=I(X) /* initial set */Repeat
If R intersects target F report “violation”
Else if R contains Post(R) report “safe”Else R := R union Post(R)
Post(R): Set of successors of states in RTermination may or may not be guaranteed
I
F
Reachability for Hybrid Systems
What’s a suitable representation of regions?
Region: subset of Rk
Main problem: handling continuous dynamics
Precise solutions available for restricted continuous dynamics
Timed automata (Uppaal, Kronos, …)
Linear hybrid automata (HyTech)
Even for linear systems, over-approximations of reachable set needed
Timed Automata
Analog of finite-state automata in discrete case
Continuous variables: Clocks increasing at rate 1
All constraints of the form: x compared to constant
Can express lower and upper bounds on delays
Well-developed theory of automata and logics Closure properties
Decision problems
Equivalent characterizations
a,x:=0 b,y:=0
x<3,d
y>2,c
Region-based AnalysisFinite partitioning of state space
x1
x2
An equivalence class (i.e. a region)in fact there is only a finite number of regions!!
1 2 3
1
2
w w’ iff they satisfy the same set of constraints of the formxi < c, xi = c, xi – xj < c, xi –xj =cfor c <= largest const relevant to xi
Region equivalence is a time-abstractbisimulation, and correspondingquotient can be used for temporallogic model checking
Model Checking for Hybrid Systems
Timed automata tools use matrices as a symbolic representation (all constraints are bounds on differences)
Next step: use polyhedra as a representation (HyTech)
Linear hybrid automaton allows linear constraints in guards/resets
Dynamics: linear constraints among derivates
The set of reachable states at every iteration is union of polyhedra
If dynamics is dX=AX, and R is a polyhedron, Post(R) is not a polyehdron
Many approximate solutions proposed:Approximate Post(R) with enclosing convex polyhedra (Checkmate)
Polyhedral Flow Pipe Approximations
X0
t1
t2
t3
t4
t5t6 t7
t8
t9
• divide R[0,T](X0) into [tk,tk+1] segments
• enclose each segment with a polyhedron
• RM[0,T](X0) = union of polyhedra
Abstraction and Refinement
Abstraction-based verificationGiven a model M, build an abstraction ACheck A for violation of propertiesEither A is safe, or is adequate to indicate a bug in M, or gives false negatives (in that case, refine the abstraction and repeat)
Many projects exploring abstraction-based verification for hybrid systems
Predicate abstraction (Charon at Penn)Counter-example guided abstraction refinement (CEGAR at CMU)Qualitative abstraction using symbolic derivatives (SAL at SRI)
Predicate Abstraction
Input is a hybrid automaton and a set of k boolean predicates, e.g. x+y > 5-z.
The partitioning of the concrete state space is specified by the user-defined k predicates.
t
x
Concrete Space:L x R n
Abstract Space:L x {0,1} k
Overview of the Approach
Safetyproperty
Hybridsystem
Booleanpredicates
Search in abstract space
Analyze counter-example
Propertyholds
No!Counter-example
Realcounter-examplefound
additionalpredicates
Charon Project at Penn
Programming/Modeling LanguageBased on Hybrid Automata
Libraries in Base LanguagePlatform Description
Design and Analysis ToolsSimulation, Verification, Optimization
Formal SpecificationEnvironment ModelPerformance Metrics
Executable Code onEmbedded Processor
Compiler +Scheduler
Can we formally prove safety properties of models?
Can we infer properties of code from properties of models?
x
y
j1
j2
L1
(x, y)
v
L2
Walking Model: Behavior and Modes
dx = dy = 0 dy = kvdt = 1
dy = -kv dx = kvx < str /2
On Ground Up
ForwardDown
y==0->
turn++
turn == i
t==2
Shared variable
Time triggered
2x==str
Event triggered
Code Generation Case Study
Front-endTranslate CHARON objects into modular C++ objects
Back-endMap C++ objects to execution environment
agent
mode
analog var
diff/alge eqn
transition
class agent
class mode diff() trans()
class var
scheduler
API
CHARON objects C++ objectsExecution
environment Targetplatform
front-end back-end
Gap Between Models and Code
Rich theory of sampled control (but mainly for purely continuous systems)
Discrete-time control design
Sampling errors
No theory of interacting control blocks Mapping individual blocks to periodic real-time tasks does not lead to predictability
Lack of compositionality affects integration
Hybrid systems poses new challenges: How can code ensure that events are not missed ?
Code from Structured Models
How to map control blocks to tasks?
The choice can depend on many parameters: computation times, sensitivity ox x to u and v,
performance objective
Many choices for code Two tasks: C1 and C2 with their own periods
One task: Read(x);C1;C2;Actuate
One task: Read(x);C1;Read(x);C2;Actuate
C1x C2
u v
Quantifying the Gap (1)
Appealing implementation platform: Time-triggered architecture
Time divided into fixed-size slotsAppealing programming paradigm: Fixed
Logical Execution Time Block mapped to slot i reads inputs at the beginning, computes, and outputs at the end of the slot i
Micro-schedule: Map each slot to at most one control block
Given a micro-schedule s, and a plant model, continuous-time trajectory of execution uniquely defined
From Model to Code1. Continuous-time semantics: all blocks at all times
Continuous
2. Discrete/simulation semantics: all blocks every T s
3. Periodic tasks: Red block every T1 s, Blue every T2 s
Compute all Compute all Compute all Compute all
4. Micro-schedule on TTA: Fixed-size slots
Idle,Red,Blue,Idle, Blue,Red,Idle,Blue, Idle,Red, Blue…
Quantifying the Gap (2)
Define a performance metric: for two continuous-time trajectories t1 and t2, d(t1,t2) measures the distance
Quality of a micro-schedule s is d(t*,ts), where t* is the continuous-time simulation trajectory and ts is the trajectory of code when executed according to s
For linear systems, d(t*,ts) is computable when d is, say, L2-norm, using ideas from PLTIs (Periodic linear time invariant systems)
This allows comparing micro-schedules by precisely quantifying their metrics
Wrap-Up
Modeling and Analysis in symbiosis Progress on safety verification by combining
symbolic representations and abstraction Many application domains for hybrid
systems Current Focus: Understanding and
quantifying the gap between models and code to add rigor in the code generation step
Ongoing: Stochastic hybrid systems