Cyber Physical System Verification with SAL

Transcription

1 Cyber Physical System Verification with July 22, 2013 Cyber Physical System Verification with

2 Outline Cyber Physical System Verification with

3 Table of Contents Cyber Physical System Verification with

4 Motivation Cyber Physical Systems (CPS) Systems that interact with the physical world Characterized by a mix of continuous and discrete behavior Often safety-critical Present in industries such as automotive, aerospace, health care, energy, etc. Formal Verification Dramatic improvement over the years Real-world systems have been verified Model-checkers require less user interaction Requires formal semantics of the system Cyber Physical System Verification with

5 Table of Contents Quartz Cyber Physical System Verification with

6 Quartz Framework for specification, verification and implementation of reactive systems Synchronous programming language Quartz Intermediate Format (AIF) Can be translated to C, Verilog, SystemC and others Cyber Physical System Verification with

7 Design Flow Quartz Cyber Physical System Verification with

8 Quartz Quartz Imperative Synchronous Language Program represented as a series of steps Paradigm of perfect synchrony Synchronous MoC For each step: Reads all the inputs I Computes all the outputs O for the present state Updates internal state S for the next step Hence: S I S O Cyber Physical System Verification with

9 Perfect Synchrony Quartz Macro steps are separated by the command pause All statements in a micro step execute in zero time Concurrent threads run in lockstep Immediate assignment x = 1; pause; y = x; x = 2; pause; Delayed assignment x = 1; next(x) = 2; pause; y = x; pause; Cyber Physical System Verification with

10 Variable Declarations Quartz Data types Integers, booleans, natural numbers, arrays, tuples, bitvectors and more. Information flow Variables can be classified as input, output or inout. Storage type Event and memorized variables. Cyber Physical System Verification with

11 Synchronous Guarded Actions Quartz Quartz programs are compiled to a set of guarded actions Guarded actions are pairs of the form (γ, C) Boolean guard γ Atomic commands C All enabled guarded actions executed in parallel Can be easily translated to transition systems Cyber Physical System Verification with

12 ABRO Quartz Example module ABRO(event?a,?b,?r,!o){ loop abort { {wa: await(a) wb: await(b);} emit(o); wr: await(r); } when(r); } satisfies { property1 : assert A G (o -> a b); property2 : assert A G (o -> X!o); } Cyber Physical System Verification with

13 Table of Contents Cyber Physical System Verification with

14 Symbolic Analysis Laboratory () Framework for performing abstraction, program analysis, theorem proving and model checking Intermediate language for specification of transition systems Philosophy: One language, many tools Cyber Physical System Verification with

15 language The language was constructed based on the following principles: Generality Minimality Semantic Regularity Language Modularity Compositionality Cyber Physical System Verification with

16 language Context: Defines new types, modules, and assertions Module: Defines inputs, outputs, locals, globals, transitions, etc Transitions: Defined either via definitions or guarded commands Composition: Modules can be composed asynchronously or synchronously M 1 M 1 M 1 []M 2 Cyber Physical System Verification with

17 Types Finite types: booleans, finite arrays, records, tuples, finite ranges on Z Infinite type: naturals (N), integers (Z) Cyber Physical System Verification with

18 Transitions Definitions x = expression x = expression Guarded Command Let γ be a be a boolean guard and D a set of definitions: γ D Where D is of the form x = expression Non-determinism If more than one transition can be chosen at the same time, one of them is chosen non-deterministically! Cyber Physical System Verification with

19 Property Specification Language Defined by the keyword THEOREM Supports LTL and a subset of CTL Typical Operators G(p): states that p is always true. F(p): states that p will be eventually true. U(p,q): states that p holds until a state is reached where q holds. X(p): states that p is true in the next state. Past Operators Past temporal operators are not supported. Cyber Physical System Verification with

20 Property Specification Language Further Operators AG(p): states that p is globally true. EG(p): states that there is a path where p is continuously true. AF(p): states that for all paths p is eventually true. EF(p): states that there is a path where p is eventually true. AU(p,q): states that in all paths p holds until a state is reached where q holds. EU(p,q): states that there is a path where p holds until a state is reached where q holds. AX(p): states that p holds in all successor states. EX(p): states that there is a successor state where p holds. Cyber Physical System Verification with

21 Example Properties Example 1 th1 : THEOREM main - AG( request => AF( state = busy )); Example 2 th2 : THEOREM main - G( request => F( state = busy )); Example 3 th3 : THEOREM main - ltllib! responds_to ( state = busy, request ); Cyber Physical System Verification with

22 Transitions as definitions Example 1 short : CONTEXT = BEGIN State : TYPE = { ready, busy }; main : MODULE = BEGIN INPUT request : BOOLEAN OUTPUT state : State INITIALIZATION state = ready TRANSITION state IN IF ( state = ready ) AND request THEN { busy } ELSE { ready, busy } ENDIF END ; END Cyber Physical System Verification with

23 Transitions as guarded commands Example 2 meter : CONTEXT = BEGIN m : MODULE = BEGIN INPUT temp : INTEGER LOCAL high : BOOLEAN, ctr : NATURAL OUTPUT danger : BOOLEAN DEFINITION high = temp > 100 INITIALIZATION ctr = 0; danger = FALSE TRANSITION [ ctr > 3 --> danger = danger OR high [] ctr <= 3 AND high --> ctr = ctr + 1 [] ELSE --> ctr = 0 ] END ; END thm1 : THEOREM main - G ( high => F( danger )) Cyber Physical System Verification with

24 Tools sal-wfc: Well-formedness Checker sal-deadlock-checker: Deadlock Checker sal-smc: Symbolic Model Checker sal-bmc: Bounded Model Checker sal-inf-bmc: Infinite Bounded Model Checker sal-path-finder: Random trace generator sal-sim: Simulator (front end) Cyber Physical System Verification with

25 Table of Contents Cyber Physical System Verification with

26 Translating Quartz to Issues: Storage type (reaction to absence) Immediate and delayed assignments Non-determinism in transitions Representing macro steps Cyber Physical System Verification with

27 Handling event variables EX01 : CONTEXT = BEGIN main : MODULE = BEGIN... TRANSITION [... --> ev0 = true ; [] ELSE --> ev0 = false; ] END ; END Cyber Physical System Verification with

28 Immediate and delayed assignments... TRANSITION gcimm: [ a and b --> o = true ; ] gcnxt: [ a and b --> o = true ; ]... Cyber Physical System Verification with

29 Conflicting guarded commands EX02 : CONTEXT = BEGIN main : MODULE = BEGIN... TRANSITION [ st --> wa = true ; [] st --> wb = true ;... ] END ; END property : THEOREM main - AG ( o => a b); Cyber Physical System Verification with

30 Solution to conflicting guarded commands EX02 : CONTEXT = BEGIN main : MODULE = BEGIN... TRANSITION [ en0 & st --> wa = true ; en0 = false; en1 = true; [] en1 & st --> wb = true ; en1 = false; endstep = true;... ] END ; END property : THEOREM main - endstep => AG ( o => a b); Cyber Physical System Verification with

31 Proposed approach Create a new module representing each label and output The newly created module has all labels and inputs as input (except itself) The newly created module has a single output, namely the variable itself Synchronous composition of all the generated modules Cyber Physical System Verification with

32 output wam : MODULE = BEGIN INPUT a, b, r, st, wb, wr : BOOLEAN OUTPUT wa : BOOLEAN INITIALIZATION wa = FALSE ; TRANSITION [ st --> wa = TRUE ; [] ( NOT (r) AND wa AND NOT (a)) OR (r AND wr) OR (r AND (wr OR wa OR wb)) --> wa = TRUE ; [] ELSE --> wa = FALSE ; ] END ; Guarded action!r&!r&wa &!a r&wr r&( wr wa wb) => next (wa) = True Cyber Physical System Verification with

33 output BEGIN stm : MODULE =... wam : MODULE =... wam : MODULE =... wrm : MODULE =... om : MODULE =... main : MODULE = stm wam wbm wrm om; END Cyber Physical System Verification with

34 Table of Contents Cyber Physical System Verification with

35 The ABRO program was successfully translated and verified with the proposed approach Automatic translation is possible Quartz guarded commands are simple but powerful provides a very complete environment for specification, verification and analysis qrz2sal? Cyber Physical System Verification with