Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol Using Event Order Abstraction
FORMATS 2009, The 7th International Conference on Formal Modelling and Analysis of Timed Systems. FACTS: Mostly theory papers (decidability, recognizability, etc.). Some application papers (using Alur-Dill automata and UPPAAL). No parametric approach paper, except for mine.
Keywords of The Talk Real-time System Analysis (Formal Methods) Time-Parametric Verification Timing Parameter Constraint Synthesis Event-Order-Based Abstraction of Timed Systems Case Study Using an “Industrial” Example
Outline Biphase Mark Protocol (BMP) Timing Constraints for Correctness Case Studies by Several Approaches Our Approach: Event Order Abstraction Human Guidance + Automatic Synthesis (Umeno, EMSOFT 2008) Case Study Result Bad Event Orders of BMP Parameter Constraints for Bad EOs
Biphase Mark Protocol (BMP) - is a lower-layer communication protocol for consumer and industrial electronics. - uses timing constraints on system’s behavior to encode and decode bits. - used in a digital audio protocol, S/PDIF (Sony Philips Digital InterFace)
Biphase Mark Protocol (BMP) [slide figure: bits to be sent 1 0 1 1, laid out over time cells and sub-cells, the first sub-cell of each cell being the mark] Signal: represents 1 by toggling within the cell, and 0 by a flat signal. Detection: the receiver checks for a signal level change; toggling is detected as 1, flat is detected as 0. Decoded bits: 1 0 1 1. Timing parameters: C, M1, D, T (and metastability H).
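The encoding rule and the receiver's timing structure from the figure, as an added example (not code from the paper or from the METEORS tool). The receiver model is my own reading of the slides: the repeated line checks stand for the DetectF/DetectT actions and the fixed sampling distance after a detected edge stands for the DetectT-to-Decode distance; the cell length and all time values are assumed and in arbitrary units.

```python
"""BMP encoder plus an idealised and a timed receiver (added example)."""
from typing import List, Tuple

SENT = [1, 0, 1, 1]   # bits from the slide figure
CELL = 10.0           # assumed cell length, arbitrary time units


def bmp_encode(bits: List[int], start_level: int = 0) -> List[int]:
    """One level per sub-cell (two per bit). Every cell starts with a toggle (the mark);
    a 1 toggles again at mid-cell, a 0 stays flat for the rest of the cell."""
    level, out = start_level, []
    for b in bits:
        level ^= 1                 # mark edge at the cell boundary
        out.append(level)
        if b == 1:
            level ^= 1             # second edge inside the cell encodes a 1
        out.append(level)
    return out


def bmp_decode(levels: List[int], start_level: int = 0) -> List[int]:
    """Idealised decoder with perfect cell alignment: each cell must start with
    an edge, and the bit is 1 iff the cell's two sub-cell levels differ."""
    if len(levels) % 2:
        raise ValueError("odd number of sub-cells")
    bits, prev = [], start_level
    for n in range(0, len(levels), 2):
        first, second = levels[n], levels[n + 1]
        if first == prev:
            raise ValueError(f"missing mark edge in cell {n // 2}")
        bits.append(1 if second != first else 0)
        prev = second
    return bits


def bmp_edges(bits: List[int], cell: float) -> Tuple[List[float], float]:
    """Transition times of the encoded signal and its total duration."""
    edges, t = [], 0.0
    for b in bits:
        edges.append(t)                       # mark edge
        if b == 1:
            edges.append(t + cell / 2)        # mid-cell edge for a 1
        t += cell
    return edges, t


def level_at(edges: List[float], t: float, start_level: int = 0) -> int:
    """Signal level at time t: the start level toggled once per edge at or before t."""
    return (start_level + sum(1 for e in edges if e <= t)) % 2


def timed_decode(edges, total, poll, sample_delay, start_level=0):
    """Receiver with the timing structure of the slides (assumed interpretation):
    it checks the line every `poll` units (the repeated detection checks); on a
    level change it samples `sample_delay` later (the detection-to-decode
    distance) and decodes a 1 iff the sampled level differs from the level
    seen at the edge. Edges between the detected edge and the sample are ignored."""
    bits, t, last = [], 0.0, start_level
    while t < total:
        cur = level_at(edges, t, start_level)
        if cur != last:                       # edge detected
            ts = t + sample_delay
            sampled = level_at(edges, ts, start_level)
            bits.append(1 if sampled != cur else 0)
            last, t = sampled, ts
        t += poll
    return bits


if __name__ == "__main__":
    print(bmp_decode(bmp_encode(SENT)))                              # [1, 0, 1, 1]
    edges, total = bmp_edges(SENT, CELL)
    print(timed_decode(edges, total, poll=1.0, sample_delay=7.0))    # [1, 0, 1, 1]
    # Sampling before the mid-cell toggle, or past the next mark, violates both
    # correctness goals: wrong bit values and a wrong number of decoded bits.
    print(timed_decode(edges, total, poll=1.0, sample_delay=4.0))    # [0, 0, 0, 0, 0, 0, 0]
    print(timed_decode(edges, total, poll=1.0, sample_delay=11.0))   # [0, 0, 0]
```

The two failing runs are the two correctness goals of the next slide in miniature: a sampling distance shorter than the mark sub-cell reads every cell as flat and treats mid-cell toggles as new marks (more decoded bits than sent), and a distance longer than the cell skips marks (fewer decoded bits than sent).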
Why Parametric Approach? A parametric approach gives the user more information than a fixed-parameter approach (such as the Alur-Dill timed automata approach). • Does the system satisfy a desirable property irrespective of parameter settings? (Undecidable in general; Alur et al.) • If a parameter setting affects system correctness, then what are the parameter sets that satisfy the correctness? Optimization under parameter constraints
Our Goal for BMP Case Study Correctness: 1. Sent bits = Decoded bits 2. No decoding overflow/underflow - Special module (Monitor) for tracking the information [slide figure: Sender, Receiver, Signal Toggling, Sending Bits, Decoded Bits, Monitor] Goal: Synthesize parameter constraints under which the correctness is guaranteed.
Why is BMP Parametric Verification Challenging? Due to repetitions with timing constraints! Timed execution: s0 (DetectF, Δ) s1 (DetectF, 2Δ) s2 (DetectF, 3Δ) s3 … All of the si's are different! Reachable state (fixed point) computation will not terminate. (The TReX extrapolation technique takes care of this.) Untimed execution: s0 DetectF s1 DetectF s2 DetectF s3 … All of the si's are the same (DetectF is just a stuttering transition).
Modeling: Time-Interval Automata A time-interval automaton (A, b) is an I/O automaton A with an interval bound map b. An I/O automaton: • Is a classical state transition machine with distinguished input/output/internal actions. • Is typically described using a guarded-command style language. Suitable for concurrent/distributed systems.
Interval Bound Map b(p, P) = [L, U], where p is an action of A, P is a set of actions that follow p, and L and U are a lower bound and an upper bound for the duration between p and any action in P. Example from BMP: b(DetectF, {DetectF, DetectT}) = [d, D] (repeated checks); b(DetectT, {Decode}) = [t, T] (sampling distance).
TIA Code of the Encoder Automaton [code slide, not reproduced here; its labelled parts are: Automaton Declaration, Transition signatures, State variables, Precondition (transition guard), Effects (transition commands), Time bounds]
Overview of Our Approach (Event Order Abstraction, EOA) We split timed verification into two parts: 1. Verification of Untimed Model + Event Order Constraints (Untimed Model, Event Order Constraints, Model-Checking, Event Order Generalization, Bad Event Order as a subclass of regular expressions) 2. Automatic Synthesis of Timing Parameter Constraints from Event Order Constraints (performed by our tool METEORS)
Identifying Bad Event Orders • The user first identifies a candidate set of bad event orders (which may be empty). • Monitors are constructed by a support tool from the given orders (for model-checking). A monitor raises a flag if a bad event order is detected in the current model execution. • He/she then model-checks: Untimed Model ⊨ ¬Monitor.raiseFlag ⇒ ¬SafetyPropertyViolated.
Bad Scenario Example of BMP (Edge0 followed by a new edge, 0 or 1, while the receiver still sees flat and decodes a 1 !!) DetectF-DetectF-DetectF-Edge0-DetectT-Edge0-Decode • This event order specifies the order of consecutive actions in an automaton execution. Bounds marked on the figure: > c (between the two edges), < D, < T. Derived constraint: c > D + T.
Bad Scenario Example of BMP (Edge0 followed by a new Edge0 during metastability: the flat signal for 0 is completely missed!) Edge0-(DetectF)*-DetectT-Settle-Edge0 Bounds marked on the figure: > c, < H, < T. Derived constraint: c > H + T.
Bad Scenario Example of BMP (Edge1S / Edge1T) Decode-(DetectF)*-Edge1S-(DetectF)*-Settle-Edge1T Bounds marked on the figure: > m1, < H, < D ?? (the < D bound does not yet attach to a fixed pair of events). Unwinding! One DetectF is unwound from the star: Decode-(DetectF)*-Edge1S-(DF)*-DF-Settle-Edge1T, with > m1, < H, < D. Derived constraint: m1 > H + D !
Our Tool: METEORS One event order: disjunction of linear inequalities - all derivable bounds - automatic decomposition. Multiple event orders: conjunction of disjunctions of linear inequalities. Simplification of the resulting constraint.
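The constraint-derivation step in miniature, as an added example that is not METEORS and not code from the paper. It uses the first bad scenario above (the DetectF-DetectF-DetectF-Edge0-DetectT-Edge0-Decode order) with one simple rule: if two events of the order must be at least L apart, but a contiguous chain of upper-bounded spans that starts at or before the first and ends at or after the second sums to U, the order can only occur when L ≤ U, so L > U rules it out. Which event pairs carry the > c, < D and < T bounds is my assumption from the figure; the star-repetition unwinding of the third scenario is not modelled, the order must already be unwound.

```python
"""Toy derivation of a parameter constraint from a bad event order (added example)."""
from typing import Dict, List, Tuple

LinExpr = Dict[str, int]   # parameter name -> coefficient, e.g. {"D": 1, "T": 1}

# A span constrains the duration between two positions of the event order:
# (start_index, end_index, "lower", p) means duration >= p,
# (start_index, end_index, "upper", p) means duration <= p.
Span = Tuple[int, int, str, str]

# Bad order from the slides; the placement of the bounds is assumed for this example.
SCENARIO1_ORDER = ["DetectF", "DetectF", "DetectF", "Edge0", "DetectT", "Edge0", "Decode"]
SCENARIO1_SPANS: List[Span] = [
    (3, 5, "lower", "c"),   # two edges are at least c apart               (> c)
    (3, 4, "upper", "D"),   # the next check happens within D of the edge  (< D)
    (4, 6, "upper", "T"),   # Decode follows DetectT within T              (< T)
]


def add_expr(a: LinExpr, b: LinExpr) -> LinExpr:
    out = dict(a)
    for k, v in b.items():
        out[k] = out.get(k, 0) + v
    return out


def fmt(e: LinExpr) -> str:
    return " + ".join(k if v == 1 else f"{v}*{k}" for k, v in sorted(e.items()))


def upper_chains(spans: List[Span], start: int, goal: int) -> List[LinExpr]:
    """Sums of contiguous chains of upper-bound spans that begin at or before
    `start` and end at or after `goal` (depth-first over the span graph)."""
    uppers = [(i, j, p) for (i, j, kind, p) in spans if kind == "upper"]
    found: List[LinExpr] = []

    def dfs(pos: int, total: LinExpr) -> None:
        if pos >= goal:
            found.append(total)
            return
        for (i, j, p) in uppers:
            if i == pos and j > i:
                dfs(j, add_expr(total, {p: 1}))

    for (i, j, p) in uppers:
        if i <= start and j > i:
            dfs(j, {p: 1})
    return found


def exclusion_constraints(order: List[str], spans: List[Span]) -> List[str]:
    """Disjunction (list) of inequalities, any one of which makes the order infeasible.
    Events i..j must be >= L apart, while a covering chain allows at most U between
    its end points, which the order places outside i..j in time; so the order
    needs L <= U, and L > U excludes it. An empty list means this rule cannot
    exclude the order (no chain of upper bounds covers the lower-bounded span)."""
    for (i, j, _, _) in spans:
        if not 0 <= i < j < len(order):
            raise ValueError(f"span {(i, j)} outside the order")
    result = []
    for (i, j, kind, lower) in spans:
        if kind == "lower":
            for total in upper_chains(spans, i, j):
                result.append(f"{lower} > {fmt(total)}")
    return result


def sufficient_constraints(bad_orders) -> List[List[str]]:
    """Conjunction over bad orders of each order's disjunction (outer list = and,
    inner list = or), as in the slide above."""
    return [exclusion_constraints(o, s) for (o, s) in bad_orders]


if __name__ == "__main__":
    print(exclusion_constraints(SCENARIO1_ORDER, SCENARIO1_SPANS))      # ['c > D + T']
    # Without the T bound no chain reaches the second Edge0: nothing is derived.
    print(exclusion_constraints(SCENARIO1_ORDER, SCENARIO1_SPANS[:2]))  # []
```

The empty-result case is the caveat a user of this kind of synthesis wants to notice: a bad order that no bound chain covers yields no constraint at all, which is exactly the "< D ??" situation on the third scenario slide that the unwinding step repairs.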
Bad Scenarios of BMP [table from page 269 of the proceedings, not reproduced here]
Sufficient Parameter Constraints METEORS reported that it is sufficient to satisfy three constraints for correctness of BMP: m1 > H + D; t > M1 + H; c > H + D + T.
Related Work (BMP Verification) Verification: Vaandrager, F.W., de Groot, A.: Analysis of a biphase mark protocol with UPPAAL and PVS. 2006. UPPAAL and PVS: - Bad event orders are found using UPPAAL. - Constraints are manually derived from the bad orders. - Correctness under the derived constraints is proved using PVS. Brown, G.M., Pike, L.: Easy parameterized verification of biphase mark and 8N1 protocols. 2006. Calendar Automata: - BMP is modeled using the Calendar Automata framework for SAL. - Correctness under the derived constraints is proved using SAL (inductive invariants must be supplied, though the proof itself is automatic). Synthesis: Henzinger, T., Preussig, J., Wong-Toi, H.: Some lessons from the HYTECH experience. 2001. HyTech: - Some parameters are fixed. - The model is modified: no repetitive checks with time bounds.
Other Case Studies of EOA • IEEE 1394 (FireWire / i-Link), Root Contention Protocol (Randomness is abstracted) • Train-Gate Toy Problem • Fischer’s Mutual Exclusion Algorithm
Summary and Future Work We synthesized parameter constraints of BMP using Event Order Abstraction (METEORS and SAL are used). Future work: automatic bad event order identification - from the list of counterexamples produced by model-checking - automatic "chopping" and generalization??