Quantitative. Kim G. Larsen DENMARK

Transcription

1 Quantitative Verification i and Synthesis, of Embedded Systemss Kim G. Larsen CISS Aalborg University DENMARK

2 Embedded Systems sensors Plant Controller Program Continuous actuators Discrete Eg.: Realtime Protocols Quantities: Pump Control timing Air Bags Robots energy Cruise Control memory ABS bandwidth CD Players uncertainties Production Lines Kim Larsen [2]

3 Verification Plant Continuous sensors Controller Program Discrete actuators Model of tasks (automatic? Model a b c 3 4 a 1 2 non-determinism) SATa?? b c 3 b c 3 4 of environment (user-supplied / UPPAAL Model Kim Larsen [3]

4 Synthesis Plant Continuous sensors actuators Controller Program?? Discrete Synthesis of tasks (automatic) Model of environment (user-supplied) b a c a b c Partial UPPAAL Model SAT!! a b c 3 4 Kim Larsen [4]

5 Embedded Systems Embedded Systems Scheduling Tasks: Computation times Deadlines Dependencies Arrival patterns uncertainties Scheduling Principles (OS) EDF, FPS, RMS, DVS,.. Resources Execution platform PE, Memory Networks Drivers uncertainties Kim Larsen [5]

6 Approach Timed Automata Tasks SP Res. Schedulability Analysis Verify that given SP ensures deadlines. Performance Evaluation Estimate resources (e.g. energy) required by given SP. CLASSIC Scheduling & Synthesis CORA Synthesize (optimal) SP ensuring given objective. TIGA Scheduling: SP controls everything (including TRON ex.time). TALK: Synthesis: What can scheduling we do? under uncertainties (e.g. execution time, availability of resources). What can we do efficiently? What would we like to do? What can not be done? Kim Larsen [6]

7 Overview Scheduling Timed Automata Optimal Scheduling Priced Timed Automata Schedulability Analysis Stop-watch Automata Safety Criticial JAVA (FPGA) Synthesis Timed Game Automata Kim Larsen [7]

8 Timed Automata

9 UPPAAL (1995- Kim G Larsen Gerd Behrman Arne Skou Brian Nielsen Alexandre David Jacob I. Rasmussen Marius Mikucionis Shuhao Total Do ownloads Wang Yi Paul Pettersson 5000 John Håkansson 0 Anders Hessel Pavel Krcal Leonid Mokrushin Shi Xiaochun UPPAAL Downloads y = x x YYMM Kim Larsen [9]

10 Timed Automata [Alur & Dill 89] Resource Synchronization Reset Clock Guard Clock Invariant Semantics: ( Idle, x=0 ) d(2.5) ( Idle, x=2.5) use? ( InUse, x=0 ) d(5) ( InUse, x=5) done! ( Idle, x=5) Kim Larsen [10]

11 Composition Resource Synchronization Task Shared variable Semantics: ( Idle, Init, B=0, x=0) d(3.1415) ( Idle, Init, B=0, x= ) use ( InUse, Using, B=6, x=0 ) d(6) ( InUse, Using, B=6, x=6 ) done ( Idle, Done, B=6, x=6 ) Kim Larsen [11]

12 Task Graph Scheduling Example A 1 B C D + 2 * Compute : (D * ( C * ( A + B )) + (( A + B ) + ( C * D )) using 2 processors C * + 5 D * P1 6 P2 1 + P1 (fast) P2 (slow) + * 2ps 3ps + * 5ps 7ps Kim Larsen [12] time

13 Task Graph Scheduling Example A 1 B C D + 2 * Compute : (D * ( C * ( A + B )) + (( A + B ) + ( C * D )) using 2 processors 3 4 C * + 5 D * P1 P2 6 + P1 (fast) P2 (slow) + * 2ps 3ps + * 5ps 7ps Kim Larsen [13] time

14 Task Graph Scheduling P 2 P 1 2,3 16,10 2,3 6,6 10,16 P 6 P 3 P 4 2,2 P 7 8,2 P 5 M = {M 1,M 2 } Kim Larsen [14]

15 Task Graph Scheduling P 2 P 1 2,3 16,10 2,3 6,6 10,16 P 6 P 3 P 4 2,2 P 7 8,2 P 5 E<> (Task1 End and and Task7 End) M = {M 1,M 2 } E<> (Task1.End and and Task7.End) Kim Larsen [15]

16 Experimental Results Symbolic A* Branch-&-Bound 60 sec Abdeddaïm, Kerbaa, Maler Kim Larsen [16]

17 Zones From infinite to finite State (n, x=3.2, y=2.5 ) y y Symbolic state (set) (n, 1 x 4, 1 y 3) Zone: conjunction of x-y<=n, x<=>n x x Kim Larsen [17]

18 Zones - Operations (n, 2 x 4 Æ 1 y 3 Æ y-x 0 ) (n, 2 x Æ y y 1 y Æ -3 y-x 0 ) y (n, 2 x Æ 1 y 3 Æ y-x 0 ) x x x Delay Delay (stopwatch) y y y (n, x=0 Æ 1 y 3 ) (n, 2 x 4Æ 1 y ) 2 x x x Reset Extrapolation Convex Hull Kim Larsen [18]

19 Datastructures for Zones Difference Bounded Matrices (DBMs) Minimal Constraint Form [RTSS97] Clock Difference Diagrams [CAV99] PW List [SPIN03] x1-4 4 x x0 1 5 x3 2 Kim Larsen [19]

20 Datastructures for Zones Difference Bounded Matrices (DBMs) Minimal Constraint Form [RTSS97] Clock Difference Diagrams Alexandre [CAV99] David x1-4 4 x Elegant x0 RUBY bindings x3 for 1 easy implementations 5 2 PW List [SPIN03] Kim Larsen [20]

21 Case Studies: Controllers Gearbox Controller [TACAS 98] Bang & Olufsen Power Controller [RTPS 99,FTRTFT 2k] SIDMAR Steel Production Plant [RTCSA 99, DSVV 2k] Real-Time RCX Control-Programs [ECRTS 2k] Terma, Verification of Memory Management for Radar (2001) Scheduling Lacquer Production (2005) Memory Arbiter Synthesis and Verification for a Radar Memory Interface Card [NJC 05] Adapting the UPPAAL Model of a Distributed Lift System, 2007 Analyzing a χ model of a turntable system using Spin, CADP and Uppaal, 2006 Designing, Modelling and Verifying a Container Terminal System Using UPPAAL, 2008 Model-based system analysis using Chi and Uppaal: An industrial case study, 2008 Kim Larsen [21]

22 Case Studies: Protocols Philips Audio Protocol [HS 95, CAV 95, RTSS 95, CAV 96] Bounded Retransmission Protocol [TACAS 97] Bang & Olufsen Audio/Video Protocol [RTSS 97] TDMA Protocol [PRFTS 97] Lip-Synchronization Protocol [FMICS 97] ATM ABR Protocol [CAV 99] ABB Fieldbus Protocol [ECRTS 2k] IEEE 1394 Firewire Root Contention (2000) Distributed Agreement Protocol [Formats05] Leader Election for Mobile Ad Hoc Networks [Charme05] Analysis of a protocol for dynamic configuration of IPv4 link local addresses using Uppaal, 2006 Formalizing i SHIM6, a Proposed Internet Standard d in UPPAAL, 2007 Verifying the distributed real-time network protocol RTnet using Uppaal, 2007 Analysis of the Zeroconf protocol using UPPAAL, 2009 Analysis of a Clock Synchronization Protocol for Wireless Sensor Networks, 2009 Kim Larsen [22]

23 Using UPPAAL as Back-end Vooduu: verification of object-oriented designs using Uppaal, 2004 Moby/RT: A Tool for Specification and Verification of Real-Time Systems, 2000 Formalising the ARTS MPSOC Model in UPPAAL, 2007 Timed automata t translator t for Uppaal to PVS Component-Based Design and Analysis of Embedded Systems with UPPAAL PORT, 2008 Verification of COMDES-II Systems Using UPPAAL with Model Transformation, 2008 Kim Larsen [23]

24 Priced Timed Automata

25 Task Graph Scheduling Revisited A 1 B C D + 2 * Compute : (D * ( C * ( A + B )) + (( A + B ) + ( C * D )) using 2 processors 3 4 C * + 5 D * P1 P2 6 + P1 (fast) P2 (slow) + * Idle 2ps 3ps 1oW + * Idle 5ps 7ps 20W ENERGY: 5 10 In use 90W 30W In use Kim Larsen [25] time

26 Task Graph Scheduling Revisited A 1 B C D + 2 * Compute : (D * ( C * ( A + B )) + (( A + B ) + ( C * D )) using 2 processors 3 4 C * + 5 D * P1 P2 6 + P1 (fast) P2 (slow) + * Idle 2ps 3ps 10W + * Idle 5ps 7ps 20W ENERGY: 5 10 In use 90W 30W In use Kim Larsen [26] time

27 Optimal Task Graph Scheduling Energy-rates: C : M N Compute schedule with minimum completion-cost?? 16,10 2,3 P 2 P 1 2,3 6,6 10,16 P 6 P 3 P 4 2,22 P 7 8,2 P 5 4W 3W Kim Larsen [27]

28 Priced Timed Automata Timed Automata + COST variable Behrmann, Fehnker, et all (HSCC 01) Alur, Torre, Pappas (HSCC 01) cost rate l l 1 2 x 2 l 3 3 y 0 y 4 c =4 c =2 x:=0 c+=4 c+=1 x:=0 y 4 cost update Kim Larsen [28]

29 Priced Timed Automata Timed Automata + COST variable Behrmann, Fehnker, et all (HSCC 01) Alur, Torre, Pappas (HSCC 01) cost rate TRACES l l 1 2 x 2 l 3 3 y 0 y 4 c =4 c =2 x:=0 c+=4 c+=1 x:=0 y 4 cost update (3) (l 1,x=y=0) (l 1,x=y=3) (l 2,x=0,y=3) (l 3,_,_) c=17 Kim Larsen [29]

30 Priced Timed Automata Timed Automata + COST variable Behrmann, Fehnker, et all (HSCC 01) Alur, Torre, Pappas (HSCC 01) cost rate TRACES l l 1 2 x 2 l 3 3 y 0 y 4 c =4 c =2 x:=0 c+=4 c+=1 x:=0 y 4 cost update (3) (l 1,x=y=0) (l 1,x=y=3) (l 2,x=0,y=3) (l 3,_,_) c=17 (2.5) (l 1,x=y=0) (l 1,x=y=2.5) (l 2,x=0,y=2.5) (l 2,x=0.5,y=3) x=05y=3) (l 3,_,_) (3) (l 1,x=y=0) (l 2,x=0,y=0) (l 2,x=3,y=3) (l 2,x=0,y=3) (l 3,_,_) (.5) c=16 c=11 Kim Larsen [30]

31 Cost-Optimality Reachability Behrmann, Fehnker, et all (HSCC 01) Alur, Torre, Pappas (HSCC 01) Cost of step n c 3 c 1 c 2 3 c n GOAL Value Competitive of path : with val( ) and = Complementary c 1 + c c to MILP n Optimal Schedule * : val( * ) = inf val( ) Kim Larsen [31]

32 Optimal Infinite Scheduling Maximize throughput: i.e. maximize Reward / Time in the long run! Kim Larsen [32]

33 Optimal Infinite Scheduling Minimize Energy Consumption: i.e. minimize Cost / Time in the long run Kim Larsen [33]

34 Optimal Infinite Scheduling Maximize throughput: i.e. maximize Reward / Cost in the long run Kim Larsen [34]

35 Mean Pay-Off Optimality Bouyer, Brinksma, Larsen: HSCC04,FMSD07 Accumulated cost c 3 c n c 1 c 2 r 3 r n r 1 r 2 BAD Accumulated reward Value of path : val( ) = lim n c n /r n Optimal Schedule * : val( * ) = inf val( ) Kim Larsen [35]

36 Discount Optimality 1 : discounting factor Larsen, Fahrenberg: INFINITY 08 Cost of time t n ) c(t 3) c(t n ) c(t 1 ) c(t 2) t 1 t 2 t 3 t n BAD Time of step n Value of path : val( ) = Optimal Schedule * : val( * ) = inf val( ) Kim Larsen [36]

37 Consuming & Harvesting Energy Bouyer, Fahrenberg, Larsen, Markey, Srba: FORMATS 2008 Maximize throughput while respecting: 0 E MAX Kim Larsen [37]

38 Energy-Bounded Infinite Runs Bouyer, Fahrenberg, Larsen, Markey, Srba: FORMATS 2008 Cost of time t n c(t c(t 4 ) c(t n ) c(t 1 ) 2) t 4 t n t 1 t 2 BAD Time of step n MAX t 1 t 2 t 3 t 4 Kim Larsen [38]

39 Multiple Objective Scheduling 16,10 P 2 P 1 2,3 2,3 cost 1 ==4 cost 2 ==3 1 cost 2 6,6 10,16 P 6 P 3 P 4 Pareto Frontier P 7 P 5 2,22 8,2 4W 3W cost1 Kim Larsen [39]

40 Schedulability Analysis

41 Task Scheduling utilization of CPU T 1 T 2 ready done P(i), [E(i), L(i)],.. : period or earliest/latest arrival or.. for T i C(i): execution time for T i D(i): deadline for T i Scheduler T n stop run T 2 is running { T 4, T 1, T 3 } ready ordered according to some given priority: (e.g. Fixed Priority, Earliest Deadline,..) Kim Larsen [41]

42 Modeling Task T 1 T 2 T n ready done stop run Scheduler Kim Larsen [42]

43 Modeling Scheduler T 1 T 2 T n ready done stop run Scheduler Kim Larsen [43]

44 Modeling Queue In UPPAAL 4.0 User Defined Function T 1 T 2 T n ready done stop run Scheduler Kim Larsen [44]

45 Schedulability = Safety Property May be extended with preemption (Task0.Error E or Task1.Error or ) A (Task0.Error or Task1.Error or ) Kim Larsen [45]

46 Preemption Stopwatches! Scheduler Task Defeating undecidability Kim Larsen [46]

47 Handling realistic applications? Jan Madsen / DTU Smart phone: MP3 Decoder [Application from Marcus Schmitz, TU Linkoping] Kim Larsen [47]

48 Smart phone MP3 Decoder Tasks: 114 Deadlines: [0.02: 02: 0.5] sec Execution: [52 : ] cycles Platform: 6 processors, 25 MHz 1 bus Verified in 1.5 hours! Kim Larsen [48]

49 Safety Critical Java Schedulability Analysis With Bent Thomsen Petur Olesen Thomas Bøghholm

50 A Safety Critical System Kim Larsen [50]

51 Hardware JOP (Java Optimized Processor) Native execution of Java Bytecode Bytecode implemented in Microcode Avoid unpredictable data-cache Time predictable Developed new method and stack cache Implemented in FPGA Kim Larsen [51]

52 Java Optimizing Processor FPGA Martin Schöberl University of Tech., Vienna Kim Larsen [52]

53 JOP Block Diagram FPGA 3-4 different FPGAs 6 different boards Kim Larsen [53]

54 Safety Critical Java Min interarrival Tasks public static void main(string[] args) { new SporadicPushMotor( new SporadicParameters(4, 4000, 60), 0); new SporadicPushMotor( new SporadicParameters(2, 4000, 60), 1); PeriodicMotorSpooler motorspooler = new PeriodicMotorSpooler( new PeriodicParameters(4000)); new PeriodicReadSensor( new PeriodicParameters(2000), motorspooler); Deadline } RealtimeSystem.start(); Kim Larsen [54]

55 Byte code Micro code Method: run ()Z 0: aload_0 1: getfield 4: ifeq -> 20 7: aload_0 8: dup protected boolean run() if i<5 { i = i + 4; } else{ 9: getfield i = i * 4; } return true; } 12: iconst_1 13: iadd 14: putfield 17: goto -> 30 20: aload_0 21: dup 22: getfield 25: iconst_1 26: isub 27: putfield 30: iconst_1 31: ireturn Kim Larsen [55]

56 Byte code Timed Automata protected boolean run() if i<5 { i = i + 4; }else{ i = i * 4; } return true; } Data abstracted Timing = WCET from microcode Kim Larsen [56]

57 SARTS from Safety Critical Java public static void main(string[] args) { new SporadicPushMotor( new SporadicParameters(4, 4000, 60), 0); new SporadicPushMotor( private void handlebrick() { new SporadicParameters(2, Sensors.synchronizedReadSensors(); private void 4000, handlebrick() 60), 1); { int Sensors.synchronizedReadSensors(); input private = (Sensors.getBufferedSensor(0) void handlebrick() { + Sensors.getBufferedSensor(1)) >> 1; PeriodicMotorSpooler motorspooler int Sensors.synchronizedReadSensors(); input private = = (Sensors.getBufferedSensor(0) void handlebrick() { + Sensors int input Sensors.synchronizedReadSensors(); = (Sensors.getBufferedSensor(0).getBufferedSensor(1)) >> 1; + Sensors new PeriodicMotorSpooler( if (awaitingbrick) int input private i = { (Sensors.getBufferedSensor(0).getBufferedSensor(1)) void idhandlebrick() dlbik(){ >> 1; + Sensors new PeriodicParameters(4000)); if (awaitingbrick) Sensors.synchronizedReadSensors(); if (input {.getbufferedsensor(1)) > lastread) { >> 1; if (awaitingbrick) int input if private (input = {(Sensors.getBufferedSensor(0) > void lastread) handlebrick() { = input; { + Sensors new PeriodicReadSensor( if (awaitingbrick) } else Sensors.synchronizedReadSensors(); if if (input ((lastread {.getbufferedsensor(1)) > lastread) - input) { = >= input; TRESHOLD) >> 1; { new PeriodicParameters(2000), } int else motorspooler); input if (input ((lastread = (Sensors.getBufferedSensor(0) awaitingbrick > lastread) - input) = { >= input; false; TRESHOLD) + { Sensors if (awaitingbrick) } else if ((lastread if (lastread { awaitingbrick.getbufferedsensor(1)) aitingbrick lastread - input) > BRICK_DETECTED) >= = false; input; TRESHOLD) >> 1; { { } else if if (input ((lastread brickfound(lastread); RealtimeSystem.start(); if (lastread awaitingbrick > lastread) - input) > BRICK_DETECTED) { = >= false; TRESHOLD) { if (awaitingbrick) } if (lastread { awaitingbrick lastread > brickfound(lastread); BRICK_DETECTED) = input; false; { } } } else } if if (input ((lastread if (lastread > lastread) - input) brickfound(lastread); > BRICK_DETECTED) { >= TRESHOLD) { { } } awaitingbrick lastread brickfound(lastread); = input; false; } } else } if ((lastread if (lastread - input) > BRICK_DETECTED) >= TRESHOLD) { { } awaitingbrick brickfound(lastread); = false; TASKS } if (lastread > BRICK_DETECTED) { } brickfound(lastread); } } METHODS Kim Larsen [57]

58 SARTS to Timed Automata 18 methods + 4 tasks = 76 components Detection of Deadline Violation Integrated SARTS w ECLIPSE Visualize WCET in ECLIPSE Kim Larsen [58]

59 METAMOC Modular Execution Time Analysis using Model Chekcing With Rene R Hansen Andreas Dalsgaard Mads Olesen Martin Toft

60 WCET: Worst Case Execution Time Isolated, non-blocking code Annotation with loop counts. Cache used for speeding up access of memory blocks. Full associatively. LRU replacement strategy. var A; var B; var C; var D; var E; while (E < 11) 10 { output B; output C; output A; output D; output C } Kim Larsen [60]

61 WCET: Worst Case Execution Time Probability BCET WCET In general: hard or impossible to predict Minimum execution time observed JOP: No data caching No pipelining No branch prediction Maximal observed execution time Kim Larsen [61] Time Sound Upper Bound

62 Tool Chain Kim Larsen [62]

63 Disassembler - Dissy Kim Larsen [63]

64 Model Creation - pyuppaal Kim Larsen [64]

65 Prototype Implementation Kim Larsen [65]

66 Experiments Kim Larsen [66]

67 Experiments Kim Larsen [67]

68 Future Work Still work in progress UPPAAL provides flexible framework for modularization Analysis times acceptable. Integration of abstract caches Better value analysis Integration ti of WCET and Schedulability Analysis Kim Larsen [68]

69 More Information Kim Larsen [69]

70 Timed Games

71 Scheduling When you are under Uncertainty ( Task1.End Task2.End Task3._id2 Task4.End Task5._id0 Task6._id0 Task7._id0 M1._id4 M2._id7 ) f1=1 f2=1 f3=0 f4=1 f5=0 f6=0 f7=0 f0=1 B1=0 B2=6 (4<=x2 && time==18 && x2<=8), Take transition Task6._id0->Task6._id1 { a == 1 && b == 1, use1!, B1 := D1 } M1._id4->M1._id5 { 1, use1?, x1 := 0 } When you are in (Task1 Task1.End Task2.End Task3.End Task4.End Task5._id0 Task6._id1 Task7._id0 M1._id5 M2._id6 ) f1=1 f2=1 f3=1 f4=1 f5=0 f6=0 f7=0 f0=1 B1=3 B2=10 (18<=time && x1<=6 && time<=22 && time-x1<=18), Take transition Task5._id0->Task5._id2 { a == 1 && b == 1, use2!, B2 := D2 } M2._id6->M2. M2._id7 { 1, use2?, x2 := 0 } When you are in ( Task1.End Task2.End Task3.End Task4._id0 Task5._id0 Task6._id1 Task7._id0 M1._id5 M2._id6 ) f1=1 f2=1 f3=1 f4=0 f5=0 f6=0 f7=0 f0=1 B1=3 B2=2 (x1-time==-10 && time==10), Take transition Task4._id0->Task4._id2 { a == 1 && b == 1, use2!, B2 := D2 } M2._id6->M2._id7 { 1, use2?, x2 := 0 } When you are in (Task1 Task1.End Task2.End Task3.End Task4.End Task5._id1 Task6._id0 Task7._id0 M1._id5 M2._id6 ) f1=1 f2=1 f3=1 f4=1 f5=0 f6=0 f7=0 f0=1 B1=8 B2=8 CONCUR05, (x1<=3 && x1-time==-18) (20<=time && x1-time<=-12 && time<=21 && time-x1<18), Take transition CAV07, Task6._id0->Task6._id2 { a == 1 && b == 1, use2!, B2 := D2 } M2. _ id6->m2. _ id7 { 1, use2?, x2 := 0 } FORMATS07 When you are in... Kim Larsen [71]

72 Optimal Scheduling under Uncertainty Decidable with 1 clock [BLMR06] Acyclic [LTMM02] Bounded length [ABM04] Strong non-zeno cost-behaviour [BCFL04] Undecidable with 3 clocks or more [BBR05, BBM06] Open problem with 2 clocks, cost =4, cost =3 Kim Larsen [72]

73 Model Checking (ex Train Gate) Controller Environment Never two trains at the crossing at the same time Kim Larsen [73]

74 Synthesis (ex Train Gate)? Controller Environment Never two trains at the crossing at the same time Kim Larsen [74]

75 Synthesis Controllable Uncontrollable Controller Environment Find strategy for controllable actions st behaviour satisfies Never two trains at the crossing at the same time Kim Larsen [75]

76 Timed Games Reachability Memoryless strategy: F : Q E c x>1 1 x!= 1 : x=1 : c x<1 x 1 Winning Run: States( ) Å G Ø x<2 : x 2 : c 2 x 2 x<1 Winning Strategy: Runs(F) WinRuns x 1 Uncontrollable Controllable Kim Larsen [76] 3 x:=0 4 x<1 : x 1 : c x!= 1 : x=1 : c

77 UPPAAL Tiga Synthesis of winning strategies for TIMED GAMES CONCUR05, CAV07, FORMATS07 Efficient on-the-fly generation of winning strategies for safety & liveness objectives Kim Larsen [77]

78 Synthesis of Hydralic Controller Quasimodo (Cassez, Jessen Larsen, Rainier, Raskin - HSCC09) Tool Chain Synthesis: UPPAAL TIGA Verification: PHAVer Performance: SIMULINK 40% improvement of existing solutions.. Kim Larsen [78]

79 Oil Pump Control Problem R1: stay within safe interval [ 5, 25 ] R2: minimize average/overall erall oil volume Kim Larsen [79]

80 Tool Chain Synthesis TIGA Performance Evaluation SIMULINK Guaranteed Correctness Robustness Verification PHAVER with 40% Improvement Kim Larsen [80]

81 Conclusion & Open Problems Effic iency Decidabi ility Priced Timed Games Reachability & Model Checking Energy-Bounded Prb. Safety Probabilistic Priced Timed Automata Timed Automata Fully Symbolic (CDD) Static Analysis & Slicing of C-code Timed Games Partial Observability Alternating Logics CEGAR Priced Timed Automata Optimal Infinite Schedules for PTA (zone Thanks based) for your Multi-Objective Optimal Scheduling attention! Code Generation From TA models of controllers From stategies APPLICATIONS Live Sequence Charts Gantt Chart Probabilistic Timed Automata Us sability Kim Larsen [81]