Slicing for Model Reduction in Adaptive Embedded Systems Development

Transcription

1 Slicing for Model Reduction in Adaptive Embedded Systems Development Ina Schaefer and Arnd Poetzsch-Heffter Software Technology Group, TU Kaiserslautern, Germany Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2008) 12 May 2008

2 Adaptive Embedded Systems Embedded systems often operate in safety-critical domains. Adaptation and graceful degradation increase safety and survivability. Goal: Formal verification of adaptation behaviour. 2

3 Adaptive Systems 3

4 Adaptive Systems Environment Adaptation Sequence Chart yaw_rate measured steering_angle measured t 3

5 Adaptive Systems Environment Yaw Rate Sensor unavail Adaptation Sequence Chart yaw_rate measured steering_angle measured t 3

6 Adaptive Systems Environment Yaw Rate Sensor unavail Adaptation Sequence Chart yaw_rate measured By Steering Angle steering_angle measured measured t 3

7 Adaptive Systems Environment Yaw Rate Sensor unavail Steering Angle unavail Adaptation Sequence Chart yaw_rate measured By Steering Angle steering_angle measured measured t 3

8 Adaptive Systems Environment Yaw Rate Sensor unavail Steering Angle unavail Adaptation Sequence Chart yaw_rate measured By Steering Angle By Steering Angle steering_angle measured measured Off t 3

9 Adaptive Systems Environment Yaw Rate Sensor unavail Steering Angle unavail Adaptation Sequence Chart yaw_rate measured By Steering Angle By Steering Angle steering_angle quality = unavail measured measured Off t 3

10 Adaptive Systems Environment Yaw Rate Sensor unavail Steering Angle unavail Adaptation Sequence Chart yaw_rate measured By Steering Angle By Steering Angle By Wheels steering_angle quality = unavail measured measured Off Off t 3

11 The Gap... Adaptive System Models and Properties Verification Tools 4

12 The Gap... Adaptive System Models and Properties Verification Tools Models are too large for automatic verification. Internal structure of models cannot be represented. Data types and operations used in models are not supported by verification tools. 4

13 Bridging the Gap... Adaptive System Models and Properties Verification Tools 5

14 Bridging the Gap... Formal Intermediate Layer Adaptive System Models and Properties Verification Tools 5

15 Bridging the Gap... Formal Intermediate Layer Adaptive System Models and Properties SAS + Property Verification Tools 5

16 Bridging the Gap... Formal Intermediate Layer Adaptive System Models and Properties SAS + Property Model Reduction SAS + Property Verification Tools 5

17 Bridging the Gap... Formal Intermediate Layer Adaptive System Models and Properties SAS + Property Model Reduction SAS + Property Verification Tools 5

18 Bridging the Gap... Formal Intermediate Layer Adaptive System Models and Properties SAS + Property Model Reduction by Slicing SAS + Property Verification Tools 5

19 Outline Formal Intermediate Models and Properties Slicing for Model Reduction Experimental Evaluation Conclusion and Outlook 6

20 Synchronous Adaptive Systems (SAS) 7

21 Synchronous Adaptive Systems (SAS) SAS Module 7

22 Synchronous Adaptive Systems (SAS) SAS Module in next_state next_out Guard [...] Local State next_state next_out Guard out Configuration 1 Configuration m 7

23 Synchronous Adaptive Systems (SAS) SAS Module adapt_in Adaptation Aspect adapt_out in next_state next_out Guard [...] Local State next_state next_out Guard out Configuration 1 Configuration m 7

24 Synchronous Adaptive Systems (2) SAS System M1 M2 M3 M4 8

25 Synchronous Adaptive Systems (2) SAS System M1 M2 M3 M4 8

26 Properties of Adaptation Behaviour No module gets stuck in the default configuration off : AG (useconf = Off EF useconf Off) Every module can reach all configurations at all times: AG ( i EF useconf = configi) No inconsistent states can be reached: AG ( i useconf = configi) No configuration is always only transient: i EF EG useconf = configi 9

27 Integration Framework Formal Intermediate Layer Adaptive System Models and Properties SAS + Property Model Reduction by Slicing SAS + Property Verification Tools 10

28 Model Reduction Original Model satifies Original Property Transformation b implies Transformation Transformed Model satifies Transformed Property Theorem 1 (Preservation by Bisimulation). Let T and T b be two SAS transition systems and ϕ a property such that T and T b are consistently bisimilar with respect to ϕ, T = [ϕ] T b. Then, T b = ϕ is true iff T = ϕ is true. 11

29 Slicing of Intermediate Models Slicing on System Level Slicing on Module Level Adaptive Slicing 12

30 System Slicing M1 M2 M3 M4 13

31 System Slicing M1 M2 M3 M4 AG ( x3 > 0 && useconf3 = derived) 13

32 System Slicing M1 M2 M3 M4 AG ( x3 > 0 && useconf3 = derived) 13

33 System Slicing M1 M2 M3 M4 AG ( x3 > 0 && useconf3 = derived) 13

34 System Slicing M1 M2 M3 AG ( x3 > 0 && useconf3 = derived) 13

35 Module Slicing adapt_in in1 Adaptation Aspect adapt_out out1 in2 next_state next_out Guard [...] Local State next_state next_out Guard out2 Configuration 1 Configuration m 14

36 Module Slicing adapt_in in1 Adaptation Aspect adapt_out out1 in2 next_state next_out Guard [...] Local State next_state next_out Guard out2 Configuration 1 Configuration m A G ( in1 > 0 out1 = 5) 14

37 Module Slicing adapt_in in1 Adaptation Aspect adapt_out out1 next_state next_out Guard Configuration 1 [...] Local State next_state next_out Guard Configuration m A G ( in1 > 0 out1 = 5) 14

38 Module Slicing adapt_in in1 Adaptation Aspect adapt_out out1 next_state next_out Guard Configuration 1 [...] in1 Local out1 State next_state next_out Guard Configuration m A G ( in1 > 0 out1 = 5) 14

39 Module Slicing adapt_in in1 Adaptation Aspect adapt_out out1 next_state next_out Guard [...] Local State next_state next_out Guard Configuration 1 Configuration m A G ( in1 > 0 out1 = 5) 14

40 Module Slicing adapt_in in1 Adaptation Aspect adapt_out out1 next_state next_out Guard [...] Local State next_state next_out Guard Configuration 1 Configuration m A G ( in1 > 0 out1 = 5) Module Slicing is iteratively performed on system modules. 14

41 Adaptive Slicing M1 M2 M3 M4 15

42 Adaptive Slicing M1 M2 M3 M4 AG ( useconf = Off EF useconf Off) 15

43 Adaptive Slicing M1 M2 M3 M4 AG ( useconf = Off EF useconf Off) 15

44 Experimental Evaluation Case Study: Adaptive Vehicle Stability Control System Number of Modules 20 Number of Configurations 70 Lines of Generated Code 40 k Number of Reachable States 5 * Properties verified: All modules satisfy generic adaptation properties. Controller modules correctly implement of fallback layer. 16

45 Experimental Evaluation %IIIII %IIII 2-'./0,0)J,1#)K0L %III %II %I % 25#+#0$) :(#-#+,6; 25#+#0$) :B',.C0'B#; G9!7H) :(#-#+,6; G9!7H) :B',.C0'B#; *+,(,-'.)!/0$#1 23'4$,5#)!.,6#3!/0$#1)!.,6# #)!.,6#3 17

46 Related Work Slicing of programming languages [Weiser:1984, Tip:1995] Slicing for model checking, e.g Cone of influence reduction [Clarke et al.:1999] BANDERA [Hatcliff et al.:2000] SPIN [Millett & Teitelbaum:2000] Slicing of Design Level Models, e.g. Software Architectures [Colangelo et al.:2006] SAL [Bensalem et al., 2000] IF [Bozga et al., 2004] 18

47 Conclusion Main Results: Integration of model-based development with formal verification for adaptive systems Automatic verification complexity reduction by slicing of design models 19

48 Future Work More fine-grained property analysis for better reductions by slicing Further verification complexity reduction by abstraction and compositional reasoning 20