Modeling & Verification

Transcription

1 Modeling & Verification Of Real-Time Systems using UPPAAL Kim G Larsen Page 1 of 68

2 Verifikation og Test Informationsteknologi Model /* Wait for events */ void /* Wait OS_Waitvoid; for events */ void OS_Waitvoid; /* Operating system visualstate process. Mimics a OS process for a * /* visualstate Operating system system. visualstate In this implementation process. Mimics this a is OS the process mainloop for a * * interfacing visualstate to system. the visualstate In this implementation basic API. */ this is the mainloop void * interfacing OS_VS_Processvoid; to the visualstate basic API. */ void OS_VS_Processvoid; /* Define completion code variable. */ unsigned /* Define char completion cc; code variable. */ unsigned char cc; void HandleErrorunsigned char ccarg { void HandleErrorunsigned char ccarg { printf"error code %c detected exiting application.\n" ccarg; exitccarg; printf"error code %c detected exiting application.\n" ccarg; } exitccarg; } UCb /* In d-241 we only use the OS_Wait call. It is used to simulate a * /* system. In d-241 It we purpose only use is to the generate OS_Wait events. call. It How is this used is to done simulate is up a to * * you. system. It purpose is to generate events. How this is done is up to */ * you. void */ OS_Waitvoid { void OS_Waitvoid { /* Ignore the parameters; just retrieve events from the keyboard and * /* put Ignore them the into parameters; the queue. just When retrieve EVENT_UNDEFINED events from is read the from keyboard the and * * keyboard put them return into the to queue. the calling When EVENT_UNDEFINED process. */ is read from the SEM_EVENT_TYPE * keyboard event; return to the calling process. */ int SEM_EVENT_TYPE num; event; int num; Kode Page 2 of 68 Φ ΦΦΦ Spec System

3 Verifikation og Test Informationsteknologi Model /* Wait for events */ void /* Wait OS_Waitvoid; for events */ void OS_Waitvoid; /* Operating system visualstate process. Mimics a OS process for a * /* visualstate Operating system system. visualstate In this implementation process. Mimics this a is OS the process mainloop for a * * interfacing visualstate to system. the visualstate In this implementation basic API. */ this is the mainloop void * interfacing OS_VS_Processvoid; to the visualstate basic API. */ void OS_VS_Processvoid; /* Define completion code variable. */ unsigned /* Define char completion cc; code variable. */ unsigned char cc; void HandleErrorunsigned char ccarg { void HandleErrorunsigned char ccarg { printf"error code %c detected exiting application.\n" ccarg; exitccarg; printf"error code %c detected exiting application.\n" ccarg; } exitccarg; } UCb /* In d-241 we only use the OS_Wait call. It is used to simulate a * /* system. In d-241 It we purpose only use is to the generate OS_Wait events. call. It How is this used is to done simulate is up a to * * you. system. It purpose is to generate events. How this is done is up to */ * you. void */ OS_Waitvoid { void OS_Waitvoid { /* Ignore the parameters; just retrieve events from the keyboard and * /* put Ignore them the into parameters; the queue. just When retrieve EVENT_UNDEFINED events from is read the from keyboard the and * * keyboard put them return into the to queue. the calling When EVENT_UNDEFINED process. */ is read from the SEM_EVENT_TYPE * keyboard event; return to the calling process. */ int SEM_EVENT_TYPE num; event; int num; Kode Page 3 of 68 Φ ΦΦΦ Spec System

4 Verifikation og Test Informationsteknologi Model /* Wait for events */ void /* Wait OS_Waitvoid; for events */ void OS_Waitvoid; /* Operating system visualstate process. Mimics a OS process for a * /* visualstate Operating system system. visualstate In this implementation process. Mimics this a is OS the process mainloop for a * * interfacing visualstate to system. the visualstate In this implementation basic API. */ this is the mainloop void * interfacing OS_VS_Processvoid; to the visualstate basic API. */ void OS_VS_Processvoid; /* Define completion code variable. */ unsigned /* Define char completion cc; code variable. */ unsigned char cc; void HandleErrorunsigned char ccarg { void HandleErrorunsigned char ccarg { printf"error code %c detected exiting application.\n" ccarg; exitccarg; printf"error code %c detected exiting application.\n" ccarg; } exitccarg; } UCb /* In d-241 we only use the OS_Wait call. It is used to simulate a * /* system. In d-241 It we purpose only use is to the generate OS_Wait events. call. It How is this used is to done simulate is up a to * * you. system. It purpose is to generate events. How this is done is up to */ * you. void */ OS_Waitvoid { void OS_Waitvoid { /* Ignore the parameters; just retrieve events from the keyboard and * /* put Ignore them the into parameters; the queue. just When retrieve EVENT_UNDEFINED events from is read the from keyboard the and * * keyboard put them return into the to queue. the calling When EVENT_UNDEFINED process. */ is read from the SEM_EVENT_TYPE * keyboard event; return to the calling process. */ int SEM_EVENT_TYPE num; event; int num; Kode Page 4 of 68 Φ ΦΦΦ Spec System

5 Modelling Behaviour using State Machines UCb Page 5 of 68

6 Modelling processes UCb A process is the execution of a sequential program. modeled as a finite state machine LTS transits from state to state by executing a sequence of atomic actions. a light switch LTS onoffonoffonoff. a sequence of actions or trace Page 6 of 68 6

7 Modelling Choices UCb Who or what makes the choice? Is there a difference between input and output actions? Page 7 of 68 7

8 Non-deterministic Choice UCb Tossing a coin Possible traces? Both outcomes possible Nothing said about relative frequency If coin is fair the outcome is 50/50 Page 8 of 68 8

9 Non-Deterministic Choice modelling failure UCb How do we model an unreliable communication channel which accepts packets and if a failure occurs produces no output otherwise delivers the packet to the receiver? Use non-determinism... Page 9 of 68 9

10 Internal-Actions UCb Spontaneous actions Internal actions Tau-actions Internal transitions can be taken on the initiative of a single machine without communication with others Page 10 of 68 10

11 Extended FSM UCb EFSM = FSM + variables + enabling conditions + assignments Transition still atomic Can be translated into FSM if variables have bounded domain State: control location+variable states: statetotalcapacity s0510 Kim G. Page Larsen 11 of 68 11

12 Parallel Composition: interleaving UCb Flipper 2 states Speaker 3 states 2*3 states Lecturer = Speaker Flipper from Flipper Page 12 of 68 from Speaker 12

13 Process Interaction! = Output? = Input Handshake communication Two-way Coffee Machine Lecturer UCb University= Coffee Machine Lecturer LTS? How many states? Traces? 4 states 4 states synchronization results in internal actions 4 states:interaction constrain overall behavior Page 13 of 68 13

14 Composition UCb M1 a 1 2 M2 b c 3 4 M1 x M2 1a 4a 1b 2b 1c 2c 3a 4a 3b 4b 3c 4c Page 14 of 68 All All combinations= exponential in in no no of of machines 14

15 Train Simulator 1421 machines transitions 2981 inputs 2667 outputs 3204 local states Declare state sp.: 10^476 UCb VVS visualstate BUGS? Our techniuqes has reduced verification time with several orders of magnitude ex 14 days to 6 sec Page 15 of 68 15

16 Modelling Exercise The Vending Machine UCb Simulate model w Random User Model Fair User Model Non-Thirsty User Machine User Deadlocks? Machine canout coinout User Cans requested will be delivered? Cancellations are obeyed? coinin requestcan cancel Assumption: 1 can = 1 coin! Page 16 of 68 What happens if multiple users? Exercise 16

17 Modelling Exercise The Vending Machine UCb Machine User Extend model of Machine and FairUser Do extensive simulation Can_Price=5 coins canout coinout Max_Coins=10 Machine User pendingcoins coinin requestcan cancel pendingcoins Exercise Page 17 of 68 17

18 Verification = Model Checking Reachability Generic properties UCb Page 18 of 68

19 Mutual Exclusion Token UCb Page 19 of 68 19

20 Mutual Exclusion Semafor UCb Page 20 of 68 20

21 UCb Udforskning af Tilstandsrum Erklæret tilstandsrum 1 2 Reachable 3 4 a b c Start tilstand Page 21 of 68 21

22 UCb Udforskning af tilstandrum Forward Reachability Analysis Erklæret tilstandsrum Waiting Passed start Passed:=Ø Waiting:={s 0 } WhileWaiting!=Ø { select s Waiting Waiting:=Waiting\{s} if s Passed whenever s t then Waiting:=Waiting {t} Passed:=Passed {s} } Page 22 of 68 22

23 UCb Udforskning af tilstandrum Forward Reachability Analysis Erklæret tilstandsrum Waiting Passed start Passed:=Ø Waiting:={s 0 } WhileWaiting!=Ø { select s Waiting Waiting:=Waiting\{s} if s Passed whenever s t then Waiting:=Waiting {t} Passed:=Passed {s} } Page 23 of 68 23

24 UCb Udforskning af tilstandrum Forward Reachability Analysis Erklæret tilstandsrum Waiting Passed start Passed:=Ø Waiting:={s 0 } WhileWaiting!=Ø { select s Waiting Waiting:=Waiting\{s} if s Passed whenever s t then Waiting:=Waiting {t} Passed:=Passed {s} } Page 24 of 68 24

25 UCb Udforskning af tilstandrum Forward Reachability Analysis Erklæret tilstandsrum Waiting Passed start Passed:=Ø Waiting:={s 0 } WhileWaiting!=Ø { select s Waiting Waiting:=Waiting\{s} if s Passed whenever s t then Waiting:=Waiting {t} Passed:=Passed {s} } Page 25 of 68 25

26 Udforskning af tilstandrum UCb Forward Reachability Analysis Passed:=Ø Waiting:={s 0 } WhileWaiting!=Ø { select s Waiting Waiting:=Waiting\{s} if s Passed whenever s t then Waiting:=Waiting {t} Passed:=Passed {s} } Depth-first search: organize Waiting as a Stack Order: Breadth-first search: organize Waiting as a Queue Order: Page 26 of 68 26

27 Gensidig Udelukkelse UCb Page 27 of 68 Token 27

28 Gensidig udelukkelse Forward Reachability UCb I1 I2 0 Page 28 of 68 Token 28

29 Gensidig udelukkelse Forward Reachability UCb I1 I2 0 T1 I2 0 I1 T2 0 Page 29 of 68 Token 29

30 Gensidig udelukkelse Forward Reachability UCb I1 I2 0 T1 I2 0 I1 T2 0 T1 T2 0 C1 I2 0 Page 30 of 68 Token 30

31 Gensidig udelukkelse Forward Reachability UCb I1 I2 0 I1 I2 T T1 I2 0 I1 T2 0 T1 T2 0 C1 I2 0 C1 T2 0 Page 31 of 68 Token 31

32 Gensidig udelukkelse Forward Reachability UCb I1 I2 0 I1 I2 T T1 I2 0 I1 T2 0 I1 T2 T T1 I2 T T1 T2 0 C1 I2 0 I1 C2 T T1 T2 T C1 T2 0 T1 C2 T Page 32 of 68 Token 32

33 Gensidig udelukkelse Forward Reachability UCb I1 I2 F T1 I2 F I1 T2 F C1 I2 T T1 T2 F I1 C2 T C1 T2 T T1 C2 T Page 33 of 68 Semafor 33

34 UCb Generiske egenskaber Non-determinisme Tilstande der ikke aktiveres Transitioner der ikke bruges Input der ikke processeres Output der ikke genereres Lokal deadlock System deadlock Kan alle reduceres til til REACHABILITY Page 34 of 68 34

35 UCb Train Simulator 1421 machines transitions 2981 inputs 2667 outputs 3204 local states Declare state sp.: 10^476 VVS visualstate BUGS? Page 35 of 68 35

36 Train Simulator 1421 machines transitions 2981 inputs 2667 outputs 3204 local states Declare state sp.: 10^476 UCb VVS visualstate BUGS? Our techniuqes has reduced verification time with several orders of magnitude ex 14 days to 6 sec Page 36 of 68 36

37 Modelbased Testing UCb Page 37 of 68

38 UCb Motivation Testing = sample executions of system compared with requirements Testing may identify errors but can not be used to exclude their presence. Testing is the de-facto used method of validation 30-40% of the entire development process is concerned with testing. Page 38 of 68 38

39 UCb Black Box Testing input stimuli IMPLEMENTATION TESTER conclusion State State Machine Machine State State Machine Machine output Page 39 of 68 39

40 UCb Black Box Testing input stimuli IMPLEMENTATION TESTER conclusion State State Machine Machine State State Machine Machine output closed/open Page 40 of 68 TEST TEST EXPECTED EXPECTED OUTPUT OUTPUT gogoobb gogoobb closed closed gooobo gooobo open open ggggggggg ggggggggg closed closed ooooggobo ooooggobo open open

41 UCb Black Box Testing input stimuli MOORE s MOORE stheorem: Hvis Hvis IMP IMP antages antages at at have have m tilstande tilstande og og SPEC SPEC har har nn tilstande tilstande da da er er det det nok nok at at teste teste mht mhtalle sekvenser sekvenser af af lgd lgdn+m-1 IMPLEMENTATION TESTER conclusion State State Machine Machine State State Machine Machine output closed/open Page 41 of 68 TEST TEST EXPECTED EXPECTED OUTPUT OUTPUT gogoobb gogoobb closed closed gooobo gooobo open open ggggggggg ggggggggg closed closed ooooggobo ooooggobo open open

42 UCb Black Box Testing input stimuli MOORE s MOORE stheorem: Hvis Hvis IMP IMP antages antages at at have have m tilstande tilstande og og SPEC SPEC har har nn tilstande tilstande da da er er det det nok nok at at teste teste mht mhtalle sekvenser sekvenser af af lgd lgdn+m-1 IMPLEMENTATION TESTER konklusion Tilstandsmaskine Tilstandsmaskine Tilstandsmaskine output closed/open Page 42 of 68 TEST TEST EXPECTED EXPECTED OUTPUT OUTPUT ggggobo ggggobo open open closed closed gggggoo gggggoo closed closed open open

43 UCb Black Box Testing input stimuli MOORE s MOORE stheorem: Hvis Hvis IMP IMP antages antages at at have have m tilstande tilstande og og SPEC SPEC har har nn tilstande tilstande da da er er det det nok nok at at teste teste mht mhtalle sekvenser sekvenser af af lgd lgdn+m-1 IMPLEMENTATION TESTER konklusion Tilstandsmaskine Tilstandsmaskine Tilstandsmaskine Problem: Antal test er ASTRONOMISK: k n+m-1 hvor k er antal symboler output closed/open Page 43 of 68 TEST TEST EXPECTED EXPECTED OUTPUT OUTPUT ggggobo ggggobo open open closed closed gggggoo gggggoo closed closed open open

44 UCb Black Box Testing input stimuli Control ControlFlow FlowCoverage Enhver Enhver transition transition skal skal fyres fyres Enhver Enhver lokal lokal tilstand tilstand skal skal nås nås Enhver Enhver ikke-triviel ikke-triviel guard guardskal kunne kunne være være både både sand/falsk sand/falsk Dataflow DataflowCoverage IMPLEMENTATION TESTER konklusion Problem: Coverage Coveragekun kun af af specifikation specifikation implementation implementationbehøver kun kun at at være være dækket dækket ganske ganske lidt! lidt! output closed/open Page 44 of 68 UPPAAL Tron Løsning: Brug specifikation automata til at randomiseret stimulering og løbende check konsistens af implementations reaktion 44

45 Adding Time FSM Timed Automata UCb Page 45 of 68

46 Collaborators Wang Yi Paul Pettersson John Håkansson Anders Hessel Pavel Krcal Leonid Mokrushin Kim G Larsen Gerd Behrman Arne Skou Brian Nielsen Alexandre David Jacob Illum Rasmussen Marius Mikucionis Emmanuel Fleury Didier Lime Johan Bengtsson Fredrik Larsson Kåre J Kristoffersen Tobias Amnell Thomas Hune Oliver Möller Elena Fersman Carsten Weise David Griffioen Ansgar Fehnker Frits Vandraager Theo Ruys Pedro D Argenio J-P Katoen Jan Tretmans Judi Romijn Ed Brinksma Martijn Hendriks Klaus Havelund Franck Cassez Magnus Lindahl Francois Laroussinie Patricia Bouyer Augusto Burgueno H. Bowmann D. Latella M. Massink G. Faconti Kristina Lundqvist Lars Asplund Justin Pearson... Page 46 of 68

47 Real Time Systems Informationsteknologi Plant Continuous Eg.: Realtime Protocols Pump Control Air Bags Robots Cruise Control ABS CD Players Production Lines sensors actuators Controller Program Discrete Real Time System A system where correctness not not only only depends on on the the logical order of of events but but also also on on their their timing!! Page 47 of 68

48 Dumb Light Control Informationsteknologi Off Light Bright WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off. Page 48 of 68

49 Dumb Light Control Alur & Dill 1990 Informationsteknologi x:=0 Off Light Bright x>3 x 3 Solution: Add real-valued clock x Page 49 of 68

50 Timed Automata Alur & Dill 1990 Informationsteknologi Reset x:=0 Off Light Bright x: real-valued clock States: States: location location x=v x=v where where v R v R x>3 x 3 Synchronizing action Guard Conjunctions of x~n Transitions: Transitions: Off Off x=0 x=0 delay delay Off Off x=4.32 x=4.32 Light Light x=0 x=0 delay delay Light Light x=2.51 x=2.51 Bright Bright x=2.51 x=2.51 Page 50 of 68

51 Timed Automata Alur & Dill 1990 Informationsteknologi Reset x:=0 Off Light Bright x: real-valued clock States: States: location location x=v x=v where where v R v R x>3 x 3 Synchronizing action Guard Conjunctions of x~n Transitions: Transitions: Off Off x=0 x=0 delay delay Off Off x=4.32 x=4.32 Light Light x=0 x=0 delay delay Light Light x=2.51 x=2.51 Bright Bright x=2.51 x=2.51 Page 51 of 68

52 Timed Automata Alur & Dill 1990 Informationsteknologi Reset x:=0 Off Light Bright x: real-valued clock States: States: location location x=v x=v where where v R v R x>3 x 3 Synchronizing action Guard Conjunctions of x~n Transitions: Transitions: Off Off x=0 x=0 delay delay Off Off x=4.32 x=4.32 Light Light x=0 x=0 delay delay Light Light x=2.51 x=2.51 Bright Bright x=2.51 x=2.51 Page 52 of 68

53 Timed Automata Alur & Dill 1990 Informationsteknologi Reset x:=0 Off Light Bright x: real-valued clock States: States: location location x=v x=v where where v R v R x>3 x 3 Synchronizing action Guard Conjunctions of x~n Transitions: Transitions: Off Off x=0 x=0 delay delay Off Off x=4.32 x=4.32 Light Light x=0 x=0 delay delay Light Light x=2.51 x=2.51 Bright Bright x=2.51 x=2.51 Page 53 of 68

54 Timed Automata Alur & Dill 1990 Informationsteknologi Reset x:=0 Off Light Bright x: real-valued clock States: States: location location x=v x=v where where v R v R x>3 x 3 Synchronizing action Guard Conjunctions of x~n Transitions: Transitions: Off Off x=0 x=0 delay delay Off Off x=4.32 x=4.32 Light Light x=0 x=0 delay delay Light Light x=2.51 x=2.51 Bright Bright x=2.51 x=2.51 Page 54 of 68

55 Intelligent Light Control Using Invariants Informationsteknologi x:=0 Off Light Bright x:=0 x:=0 x=100 x 100 x>3 x:=0 x=100 x 3 x:=0 X:=0 x 100 Off Light Bright X<=3 x:=0 X>3 Page 55 of 68

56 Intelligent Light Control Using Invariants x:=0 x=100 Informationsteknologi x:=0 Off Light Bright x:=0 x=100 Transitions: Transitions: Off Off x=0 x=0 delay delay Off Off x=4.32 x=4.32 Light Light x=0 x=0 delay delay Light Light x=4.51 x=4.51 Light Light x=0 x=0 delay delay Light Light x=100 x=100 τ Off Off x=0 x=0 τ x 100 Page 56 of 68 x 3 x:=0 x>3 x:=0 x 100 x:=0 X Note: Note: Light Light x=0 x=0 delay delay Invariants ensures progress

57 Networks x:=0 Light Controller & User x=100 Informationsteknologi x:=0 Off Light Bright Rest x:=0 Synchronization y 10 y:=0 press! press! x=100 x 100 y:=0 Busy y 10 x>3 x:=0 x 3 x:=0 x 100 x:=0 Transitions: Transitions: Off Off Rest Rest x=0 x=0 y=0 y=0 delay delay Off Off Rest Rest x=20 x=20 y=20 y=20!! Light Light Busy Busy x=0 x=0 y=0 y=0 delay delay 2 2 Light Light Busy Busy x=2 x=2 y=2 y=2!! Bright Bright Rest Rest x=0 x=0 y=0 y=0 Page 57 of 68

58 Networks of Timed Automata a la CCS UCb l1 x>=2 a! x := 0 m1 y<=4 a?. Two-way Two-way synchronization synchronization on on complementary complementary actions. actions. Closed Closed Systems! Systems! l2 m2 Example transitions l1 m1 x=2 y=3.5.. tau l2m2..x=0 y= l1m1 x=2.2 y=3.7.. Page 58 of 68 If a URGENT CHANNEL 58

59 UCb Light Control Interface touch! touch! Interface starthold! starthold! Control Program release? release? endhold! endhold! L++/L--/L:=0 L++/L--/L:=0 Light User Page 59 of 68 59

60 UCb Light Control Interface release? release? touch! touch! starthold! starthold! endhold! endhold! Control Program L++/L--/L:=0 L++/L--/L:=0 User Page 60 of 68 60

61 UCb Light Control Network release? release? touch! touch! starthold! starthold! endhold! endhold! Control Program Page 61 of 68 61

62 BRICK SORTING Page 62 of 68

63 LEGO Mindstorms/RCX 3 output ports Informationsteknologi Sensors: temperature light rotation pressure. Actuators: motors lamps Virtual machine: 10 tasks 4 timers 16 integers. 1 infra-red port Several Programming Languages: NotQuiteC Mindstorm Robotics legos etc. 3 input ports Page 63 of 68

64 A Real Timed System Informationsteknologi The Plant Conveyor Belt & Bricks Controller Program LEGO MINDSTORM What is suppose to happen? Page 64 of 68

65 First UPPAAL model Sorting of Lego Boxes Ken Tindell Informationsteknologi Boxes Conveyer Belt Blck Rd Controller MAIN PUSH eject remove Black Piston 99 red Exercise: Design Controller so that only black boxes are being pushed out Page 65 of 68

66 NQC programs int int active; active; int int DELAY; DELAY; int int LIGHT_LEVEL; LIGHT_LEVEL; Informationsteknologi task task MAIN{ MAIN{ DELAY=75; DELAY=75; LIGHT_LEVEL=35; LIGHT_LEVEL=35; active=0; active=0; SensorIN_1 SensorIN_1 IN_LIGHT; IN_LIGHT; FwdOUT_A1; FwdOUT_A1; Display1; Display1; start start PUSH; PUSH; whiletrue{ whiletrue{ waitin_1<=light_level; ClearTimer1; ClearTimer1; active=1; active=1; PlaySound1; PlaySound1; waitin_1>light_level; } } task task PUSH{ PUSH{ whiletrue{ whiletrue{ waittimer1>delay && && active==1; active==1; active=0; active=0; RevOUT_C1; RevOUT_C1; Sleep8; Sleep8; FwdOUT_C1; FwdOUT_C1; Sleep12; Sleep12; OffOUT_C; OffOUT_C; } } Page 66 of 68

67 From RCX to UPPAAL Informationsteknologi Model includes Round-Robin Scheduler. Compilation of RCX tasks into TA models. Presented at ECRTS 2000 Task MAIN Page 67 of 68

68 The Production Cell Course at DTU Copenhagen Informationsteknologi Production Cell Page 68 of 68