1 / 25

Model-based Analysis and Implementation of Embedded Systems

Model-based Analysis and Implementation of Embedded Systems. Rajeev Alur University of Pennsylvania www.cis.upenn.edu/~alur/. MIT Workshop, August 2005. Model-Based Design. Benefits of model-based design Detecting errors in early stages Powerful and formal analysis

chelsey
Télécharger la présentation

Model-based Analysis and Implementation of Embedded Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model-based Analysis andImplementation of Embedded Systems Rajeev Alur University of Pennsylvania www.cis.upenn.edu/~alur/ MIT Workshop, August 2005

  2. Model-Based Design • Benefits of model-based design • Detecting errors in early stages • Powerful and formal analysis • Reusable components • Automatic code generation • Many commercial tools are available for design of embedded control systems (e.g. Simulink) • Typically, semantics is not formal • Typically, only simulation-based analysis • Code generation available, but precise relationship between model and code not understood

  3. Charon Project at Penn Can we formally prove safety properties of models? Formal Specification Environment Model Performance Metrics Can we infer properties of code from properties of models? Programming/Modeling Language Based on Hybrid Automata Design and Analysis Tools Simulation, Verification, Optimization Compiler + Scheduler Libraries in Base Language Platform Description Executable Code on Embedded Processor

  4. State machines + Dynamical systems x>68 off on dx=-k’x x>60 dx=kx x<70 x<63 Hybrid Modeling Coordination Protocols Systems Biology Automotive Robotics Animation

  5. CHARON Language Features • Individual components described as agents • Composition, instantiation, and hiding • Individual behaviors described as modes • Encapsulation, instantiation, and Scoping • Support for concurrency • Shared variables as well as message passing • Support for discrete and continuous behavior • Differential as well as algebraic constraints • Discrete transitions can call Java routines • Compositional semantics with refinement rules

  6. CHARON Toolkit

  7. model yes Model Checker temporal property error-trace Advantages Automated formal verification, Effective debugging tool Impressive industrial success In-house groups: Intel, Microsoft, Lucent, Motorola… Commercial model checkers: FormalCheck by Cadence Model checking for discrete systems Enumerative state-space search (SPIN) Symbolic search using Binary decision diagrams (SMV) Bounded model checking using SAT solvers

  8. Symbolic Safety Verification Data type: region to represent state-sets R:=I(X) /* initial set */ Repeat If R intersects target F report “violation” Else if R contains Post(R) report “safe” Else R := R union Post(R) Post(R): Set of successors of states in R Termination may or may not be guaranteed F I

  9. Reachability for Hybrid Systems • What’s a suitable representation of regions? • Region: subset of Rk • Main problem: handling continuous dynamics • Precise solutions available for restricted continuous dynamics • Timed automata (Uppaal, Kronos, …) • Linear hybrid automata (HyTech) • Even for linear systems, over-approximations of reachable set needed

  10. Timed Automata a,x:=0 b,y:=0 y>2,c • Analog of finite-state automata in discrete case • Continuous variables: Clocks increasing at rate 1 • All constraints of the form: x compared to constant • Can express lower and upper bounds on delays • Well-developed theory of automata and logics • Closure properties • Decision problems • Equivalent characterizations x<3,d

  11. Region-based AnalysisFinite partitioning of state space w @ w’ iff they satisfy the same set of constraints of the form xi < c, xi = c, xi – xj < c, xi –xj =c for c <= largest const relevant to xi x2 2 Region equivalence is a time-abstract bisimulation, and corresponding quotient can be used for temporal logic model checking 1 1 2 3 x1 An equivalence class (i.e. a region) in fact there is only a finite number of regions!!

  12. Model Checking for Hybrid Systems • Timed automata tools use matrices as a symbolic representation (all constraints are bounds on differences) • Next step: use polyhedra as a representation (HyTech) • Linear hybrid automaton allows linear constraints in guards/resets • Dynamics: linear constraints among derivates • The set of reachable states at every iteration is union of polyhedra • If dynamics is dX=AX, and R is a polyhedron, Post(R) is not a polyehdron • Many approximate solutions proposed: • Approximate Post(R) with enclosing convex polyhedra (Checkmate)

  13. t6 t5 t7 t4 t3 t8 t2 t9 t1 • divide R[0,T](X0) into [tk,tk+1] segments • enclose each segment with a polyhedron Polyhedral Flow Pipe Approximations X0 • RM[0,T](X0) = union of polyhedra

  14. Abstraction and Refinement • Abstraction-based verification • Given a model M, build an abstraction A • Check A for violation of properties • Either A is safe, or is adequate to indicate a bug in M, or gives false negatives (in that case, refine the abstraction and repeat) • Many projects exploring abstraction-based verification for hybrid systems • Predicate abstraction (Charon at Penn) • Counter-example guided abstraction refinement (CEGAR at CMU) • Qualitative abstraction using symbolic derivatives (SAL at SRI)

  15. x t Concrete Space: L x Rn Abstract Space: L x {0,1} k Predicate Abstraction • Input is a hybrid automaton and a set of k boolean predicates, e.g. x+y > 5-z. • The partitioning of the concrete state space is specified by the user-defined k predicates.

  16. Overview of the Approach Hybrid system Boolean predicates additional predicates Search in abstract space Safety property No! Counter-example Property holds Analyze counter-example Real counter- example found

  17. Charon Project at Penn Can we formally prove safety properties of models? Formal Specification Environment Model Performance Metrics Can we infer properties of code from properties of models? Programming/Modeling Language Based on Hybrid Automata Design and Analysis Tools Simulation, Verification, Optimization Compiler + Scheduler Libraries in Base Language Platform Description Executable Code on Embedded Processor

  18. Shared variable Time triggered 2x==str Event triggered Walking Model: Behavior and Modes v On Ground Up x turn == i dy = kv dt = 1 dx = dy = 0 L1 j1 y==0 -> turn++ L2 j2 t==2 (x, y) y dx = kv x < str /2 dy = -kv Down Forward

  19. Code Generation Case Study • Front-end Translate CHARON objects into modular C++ objects • Back-end Map C++ objects to execution environment front-end back-end CHARON objects C++ objects Executionenvironment Targetplatform agent class agent scheduler mode class mode diff() trans() diff/alge eqn API transition analog var class var

  20. Gap Between Models and Code • Rich theory of sampled control (but mainly for purely continuous systems) • Discrete-time control design • Sampling errors • No theory of interacting control blocks • Mapping individual blocks to periodic real-time tasks does not lead to predictability • Lack of compositionality affects integration • Hybrid systems poses new challenges: How can code ensure that events are not missed ?

  21. u v x C1 C2 Code from Structured Models • How to map control blocks to tasks? • Many choices for code • Two tasks: C1 and C2 with their own periods • One task: Read(x);C1;C2;Actuate • One task: Read(x);C1;Read(x);C2;Actuate • The choice can depend on many parameters: computation times, sensitivity ox x to u and v, performance objective

  22. Quantifying the Gap (1) • Appealing implementation platform: Time-triggered architecture • Time divided into fixed-size slots • Appealing programming paradigm: Fixed Logical Execution Time • Block mapped to slot i reads inputs at the beginning, computes, and outputs at the end of the slot i • Micro-schedule: Map each slot to at most one control block • Given a micro-schedule s, and a plant model, continuous-time trajectory of execution uniquely defined

  23. Compute all Compute all Compute all Compute all From Model to Code Continuous 1. Continuous-time semantics: all blocks at all times 2. Discrete/simulation semantics: all blocks every T s 3. Periodic tasks: Red block every T1 s, Blue every T2 s 4. Micro-schedule on TTA: Fixed-size slots Idle,Red,Blue,Idle, Blue,Red,Idle,Blue, Idle,Red, Blue…

  24. Quantifying the Gap (2) • Define a performance metric: for two continuous-time trajectories t1 and t2, d(t1,t2) measures the distance • Quality of a micro-schedule s is d(t*,ts), where t* is the continuous-time simulation trajectory and ts is the trajectory of code when executed according to s • For linear systems, d(t*,ts) is computable when d is, say, L2-norm, using ideas from PLTIs (Periodic linear time invariant systems) • This allows comparing micro-schedules by precisely quantifying their metrics

  25. Wrap-Up • Modeling and Analysis in symbiosis • Progress on safety verification by combining symbolic representations and abstraction • Many application domains for hybrid systems • Current Focus: Understanding and quantifying the gap between models and code to add rigor in the code generation step • Ongoing: Stochastic hybrid systems

More Related