
The Mana Project






Presentation Transcript


  1. The Mana Project Lars Asplund Kristina Lundqvist Uppsala University, Information Technology, Dept of Computer Systems


  3. Background
  • Formal methods have been used in a number of safety critical systems
    • TGV
    • Train signalling system in Paris
  • Today's safety critical systems use cyclic executives.
  • Research takes for granted that a system consists of processes (scheduling, priorities), and that there is communication between these.
  • Process based safety critical systems - formal methods (Raven, Enea ...)

  4. Ada83
  • Ada-83 tasking: Rendez-vous, Dynamic Hierarchy, Termination, ...
  • Complex Run-Time, No Formal Proofs
  • For High Integrity Systems
  • Subsets:
    • SPARK (No tasking)
    • Boeing
    • ...

  5. Ada95 Subsets (diagram)
  • Ada-95 tasking: Rendez-vous, Dynamic Hierarchy, Termination, ..., Protected Objects, ATC, requeue, delay until, new interrupts, task attributes, ...
  • GNORT (Gnat NO Run-Time)
  • SPARK-95
  • Ravenscar: Tasking, Protected Objects, delay until, new interrupts, task attributes

  6. Ada 95 and Ravenscar
  • The Ravenscar profile has been proposed as a possible standard runtime support system suitable for safety critical real-time Ada 95 applications.
  • The subset provides enough functionality for the targeted systems.

  7. Ravenscar - tasking
  • Library level
  • No dynamic creation
  • No unchecked deallocation
  • Non-terminating
  • No entries
  • No user defined attributes
  • Keep task discriminants
  • No ATC

  8. Ravenscar - Protected Objects
  • Single Entry
  • Barrier is a single Boolean
  • Only one task in the entry queue

  9. Ravenscar - Communication
  • No Rendez-vous
  • No requeue
  • No select statement
  • Interrupts are mapped only to PO procedures

  10. Ravenscar - Real Time
  • delay until for delays
  • No Calendar
  • Clock from the Real-Time package
  • No dynamic priorities
  • Immediate Ceiling Priority

  11. The Mana Project
  • Project Aim: Develop and model a run-time system using formal development methodologies. Implement it for the GNU Ada-95 compiler.
  • Target: Safety critical systems at the highest degree of safety, e.g. nuclear power plants, ATC, aircraft, ...

  12. The Mana Project
  • Chosen language: Subset of Ada 95: Ravenscar
  • Representation model: Timed Automata (FSAs extended with clocks and constraints)
  • Verification scheme: A Real-Time Model Checker
    • UPPAAL: Modelling, simulation, and verification tool

  13. A System Model (diagram: Application with tasks T1, T2, T3 and protected object PO with entry E, procedure P and function F; Run-Time Kernel with Scheduler, Ready Queue, Delay Queue, Clock, idle task T0; transitions labelled "Delay until" and "Task dispatch")

  14. A Verification Session
  • Design: Timed Automata model of
    1. An application (user code)
    2. Run-time kernel (Mana)
  • Simulation of the design
  • Verification by checking reachability properties


  16. Simple application (T1): delay sequence and protected procedure call

      task body T1 is   -- at priority 1
         --  Ada.Real_Time: the slide writes "Clock + 30.0", but Time + Time_Span is the legal form
         NextTime : Time := Clock + To_Time_Span (30.0);
      begin
         loop
            Work (5);                  -- Work (N): N units of CPU work, declared elsewhere
            delay until NextTime;
            PO.P;                      -- releases the PO entry
            NextTime := NextTime + To_Time_Span (30.0);
         end loop;
      end T1;

  17. Protected Procedure (timed automaton diagram; two sides: Protected Procedure and Calling Task; states: Start, Procedure begin, Preemption, Release of Entry)

  18. Protected entry call: Task T2

      task body T2 is   -- at priority 2
         Cond : Boolean := False;
      begin
         loop
            Work (10);
            if Cond then
               PO.E;                   -- blocks on the entry until P opens the barrier
            else
               Cond := not Cond;
               Work (5);
            end if;                    -- the slide writes "endif"; Ada spells it "end if"
            Work (4);
         end loop;
      end T2;

  19. Protected Entry (timed automaton diagram; two sides: Protected Entry and Calling Task; states and guards: Start, Lock Free and no Barrier, Barrier true, Released by Procedure)

  20. Protected Entry, continued (timed automaton diagram; two sides: Protected Entry and Calling Task; states: Executing, Preemption, Exception, Preemption in exception, Normal end)

  21. Task T3: protected procedure call and delay

      task body T3 is   -- at priority 3
         NextTime : Time := Clock + To_Time_Span (18.0);
      begin
         loop
            case Cmd is                -- Cmd (Ack | Connect | Disconnect | Send) is declared elsewhere
               when Ack =>
                  for I in 1 .. 4 loop
                     Work (5);
                     PO.P;
                  end loop;
               when Connect    => Work (15);
               when Disconnect => Work (20);
               when Send       => Work (10);
            end case;
            delay until NextTime;
            NextTime := NextTime + To_Time_Span (18.0);
         end loop;
      end T3;
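The slides show T1 and T3 calling PO.P and T2 calling PO.E, but never the protected object itself. The following is an added example, not the Mana project's code, of how PO would be written under the Ravenscar restrictions of slides 7-10: one entry E with a single Boolean barrier, a procedure P that releases it, a function F, and a ceiling priority of 3 so that callers at priorities 1 to 3 may use it. The names Released and Releases, the counter returned by F, and the spec/body split (one file, separated with gnatchop) are assumptions.

```ada
pragma Profile (Ravenscar);   --  Ada 2005 spelling of the restrictions on slides 7-10

package PO_Example is

   --  Library-level protected object (Ravenscar forbids local ones).
   --  Ceiling = 3: Immediate Ceiling Priority requires the ceiling to be
   --  at least the priority of every caller (T1 = 1, T2 = 2, T3 = 3).
   protected PO is
      pragma Priority (3);
      entry E;                       --  single entry, at most one queued task
      procedure P;                   --  releases E, as the slides' comment says
      function F return Natural;    --  read-only, never blocks
   private
      Released : Boolean := False;   --  the one Boolean barrier allowed (slide 8)
      Releases : Natural := 0;       --  assumed: counts calls to P
   end PO;

end PO_Example;

package body PO_Example is

   protected body PO is

      entry E when Released is      --  barrier is a plain Boolean, no requeue, no ATC
      begin
         Released := False;         --  consume the release so the next E call blocks again
      end E;

      procedure P is
      begin
         Releases := Releases + 1;
         Released := True;          --  opens the barrier; the queued task is released on its behalf
      end P;

      function F return Natural is
      begin
         return Releases;
      end F;

   end PO;

end PO_Example;
```

With T2 at priority 2 blocked in E and T3 at priority 3 calling P, the "release on behalf" of slide 33 is the kernel running E's body when P completes and the barrier is true, which is exactly the invariant checked on slide 32.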

  22. A view of the System (diagram: tasks T1, T2, T3 and idle task T0; Prot Obj with F, E, P; Scheduler, Ready Queue, Delay Queue, Clock; transitions "Delay until" and "Task dispatch")

  23. Miscellaneous
  • Protected Function
  • Delay Queue
  • System Clock

  24. The Run-Time System (diagram: Prot Obj with F, E, P)

  25. Task T1: delay sequence and protected procedure call (same task body T1 as on slide 16)

  26. Building the System (diagram: T1 added to the Prot Obj with F, E, P)

  27. Task T2: protected entry call (same task body T2 as on slide 18)

  28. A more Complete System (diagram: T1 and T2 with the Prot Obj F, E, P)

  29. Task T3: protected procedure call and delay (same task body T3 as on slide 21)

  30. A Complete System (diagram: T1, T2 and T3 with the Prot Obj F, E, P)

  31. Scheduler and Idle process (timed automaton diagram). Scheduler states: Start, Idle Process is running, Medium Process available, Medium Process running, Idle Process Preempted, High Process available, High Process running, Medium Process Preempted. Channels: Resume!, Suspend!, Preempt! sent by the Scheduler; Resume?, Preempt? received by the Idle Process. Assignments on the transitions: Pcpu := PLow, Pcpu := PMed, Pcpu := PHigh.

  32. Verifying Reachability Properties
  • Statement format: Invariant(b) | Possible(b), where b ::= (atomic-formula) | b1 ∧ b2 | ¬b | b → b'
  • Examples:
    • Possible(CPU'Count > 1)
      • At any point in time, there must be only one task executing
    • Invariant(P.Completed and E.Queue'Count > 0 and E.Barrier imply Exec(E.Code, P.Context))

  33. Conclusions and future work
  • Have today modelled a full Ravenscar compliant RTK
    • PO: priorities, preemption
    • Procedure, Function and Entry
    • Release on behalf
    • delay until
    • exception handling in PO
    • interrupt

  34. Conclusions and future work
  • Verified the Mana-RTK together with a small application
  • Next step is to implement the Mana-RTK
  • Automatic translation from Ada into TA
  • http://www.docs.uu.se/mana
