The Formal Verification of a Distributed Realtime System. Lecture 2: Overview

Transcription

1 Single ECU Distributed System Notation Wolfgang Paul {sknapp, Institute for Computer Architecture and Parallel Computing, Saarland University Lecture 2: Overview March 19, 2007

2 Overview Single ECU Distributed System Notation Overview Guideline This lecture: proceed in bottom-up style construct a single ECU first connect single ECUs to distributed system argue about the distributed system based on [KP06a]

3 Guideline Single ECU Distributed System Notation Overview Guideline 1 Single ECU Instruction Set Architecture (ISA) VAMP Verification Generic Device Theory Memory Management The high-level Programming Language C0 C0 with Inline Assembler Communicating Virtual Machines 2 Distributed System Introduction to the Distributed System Serial Interfaces FlexRay-Like Interfaces Integrating Devices into the ISA Worst Case Execution Time Distributed OSEKtime-Like Operating System AutoFocus Task Model 3 Notation

4 Guideline Single ECU Distributed System Notation ISA VAMP Devices MMU C0 C0 A CVM 1 Single ECU Instruction Set Architecture (ISA) VAMP Verification Generic Device Theory Memory Management The high-level Programming Language C0 C0 with Inline Assembler Communicating Virtual Machines 2 Distributed System Introduction to the Distributed System Serial Interfaces FlexRay-Like Interfaces Integrating Devices into the ISA Worst Case Execution Time Distributed OSEKtime-Like Operating System AutoFocus Task Model 3 Notation

5 Single ECU Distributed System Notation ISA VAMP Devices MMU C0 C0 A CVM Instruction Set Architecture (ISA) Outline specification of a DLX instruction set: consider interrupt handling based on [MP00]

6 Single ECU Distributed System Notation ISA VAMP Devices MMU C0 C0 A CVM VAMP Verification Verification of complex processors: scheduling functions considering internal and external interrupts Example: verified architecture micro processor (VAMP) see [BJK + 03]

7 Single ECU Distributed System Notation ISA VAMP Devices MMU C0 C0 A CVM Generic Device Theory Introduce generic device theory: specification integration into the processor design

8 Single ECU Distributed System Notation ISA VAMP Devices MMU C0 C0 A CVM Memory Management Extend the processor with memory management units (MMUs): enable hardware support for virtual machine simulation [DHP05] required for multi processing operating system kernels

9 Single ECU Distributed System Notation ISA VAMP Devices MMU C0 C0 A CVM The high-level programming language C0 Introduction to the C0 semantics: like PASCAL with C syntax Formal correctness proof for a compiler: from C0 to the DLX instruction set [LPP05]

10 Single ECU Distributed System Notation ISA VAMP Devices MMU C0 C0 A CVM C0 with Inline Assembler Extend C0 by inline assembler calls: call resulting language C0 A define semantics

11 Single ECU Distributed System Notation ISA VAMP Devices MMU C0 C0 A CVM Communicating Virtual Machines Generic operating system kernel CVM [GHLP05]: abbreviation for communicating virtual machines multi processing operating system kernel providing library of functions for: process management inter-process communication... implement CVM prove correctness

12 Guideline Single ECU Distributed System Notation DIST Serial f-interface ISA & Devices WCET DOLOS AFTM 1 Single ECU Instruction Set Architecture (ISA) VAMP Verification Generic Device Theory Memory Management The high-level Programming Language C0 C0 with Inline Assembler Communicating Virtual Machines 2 Distributed System Introduction to the Distributed System Serial Interfaces FlexRay-Like Interfaces Integrating Devices into the ISA Worst Case Execution Time Distributed OSEKtime-Like Operating System AutoFocus Task Model 3 Notation

13 Single ECU Distributed System Notation DIST Serial f-interface ISA & Devices WCET DOLOS AFTM Introduction to the Distributed System Introduction to the distributed System: short outline fix some notation

14 Single ECU Distributed System Notation DIST Serial f-interface ISA & Devices WCET DOLOS AFTM Serial Interfaces Data transmission: local oscillators having almost equal clock frequencies no guarantee that setup and hold times of registers are met use serial interfaces review correctness proof from [BBG + 05]

15 Single ECU Distributed System Notation DIST Serial f-interface ISA & Devices WCET DOLOS AFTM FlexRay-Like Interfaces Construct specific I/O device: FlexRay-like interface called f-interface [Fle06] argue about: message broadcast local clock synchronization

16 Single ECU Distributed System Notation DIST Serial f-interface ISA & Devices WCET DOLOS AFTM Integrating Devices into the ISA Integrate a f-interface into the ISA: using techniques from [HIP05] define instructions getting interrupted by the timer interrupt easy on gate-level (constant number of hardware cycles) execution time of an instruction depends on cache hits memory hierarchy is invisible on ISA level end up with non-deterministic model

17 Single ECU Distributed System Notation DIST Serial f-interface ISA & Devices WCET DOLOS AFTM Worst Case Execution Time Pervasive correctness proofs for real-time system: worst case execution time (WCET) analysis done on register transfer level (RTL) classical program correctness proofs done on the ISA level hardware correctness proofs results first published in [KP06b]

18 Single ECU Distributed System Notation DIST Serial f-interface ISA & Devices WCET DOLOS AFTM Distributed OSEKtime-Like operating system OSEKtime-like [OSE01b] operating system called OLOS [Kna05]: realtime operating system: user processes are compiled C0 programs communication via FTCom-like [OSE01a] local message buffers specification given by distributed model called DOLOS

19 Single ECU Distributed System Notation DIST Serial f-interface ISA & Devices WCET DOLOS AFTM AutoFocus Task Model Introduce automaton-theoretic model called AutoFocus task model (AFTM): based on execution semantic of the AutoFocus [Aut] CASE tool first reported in [BBG + 06]

20 Guideline Single ECU Distributed System Notation 1 Single ECU Instruction Set Architecture (ISA) VAMP Verification Generic Device Theory Memory Management The high-level Programming Language C0 C0 with Inline Assembler Communicating Virtual Machines 2 Distributed System Introduction to the Distributed System Serial Interfaces FlexRay-Like Interfaces Integrating Devices into the ISA Worst Case Execution Time Distributed OSEKtime-Like Operating System AutoFocus Task Model 3 Notation

21 Notation Single ECU Distributed System Notation Given bit string a = a[n 1 : 0] {0, 1} n of length n. Denote natural number with binary representation a by: n 1 X a = a i 2 i i=0 Given natural numbers x {0,..., 2 n 1}. Denote binary representation of x with length n by bin n(x) {0, 1} n : bin n(x) = x Denote n bit binary addition function by + n : {0, 1} n {0, 1} n {0, 1} n a + n b = bin n( a + b mod 2 n )

22 Notation Single ECU Distributed System Notation Given bit string a = a[n 1 : 0] {0, 1} n of length n. Denote natural number with binary representation a by: n 1 X a = a i 2 i i=0 Given natural numbers x {0,..., 2 n 1}. Denote binary representation of x with length n by bin n(x) {0, 1} n : bin n(x) = x Denote n bit binary addition function by + n : {0, 1} n {0, 1} n {0, 1} n a + n b = bin n( a + b mod 2 n )

23 Notation Single ECU Distributed System Notation Given bit string a = a[n 1 : 0] {0, 1} n of length n. Denote natural number with binary representation a by: n 1 X a = a i 2 i i=0 Given natural numbers x {0,..., 2 n 1}. Denote binary representation of x with length n by bin n(x) {0, 1} n : bin n(x) = x Denote n bit binary addition function by + n : {0, 1} n {0, 1} n {0, 1} n a + n b = bin n( a + b mod 2 n )

24 Noation Single ECU Distributed System Notation Given bit x {0, 1} and natural number n, a and b. Denote bit string concatenation by : {0, 1} a {0, 1} b {0, 1} a+b, e.g.: bin 4(3) 10 = = = 14 Denote bit string where x is replicated n times by x n : x n = x... x

25 Noation Single ECU Distributed System Notation Given bit x {0, 1} and natural number n, a and b. Denote bit string concatenation by : {0, 1} a {0, 1} b {0, 1} a+b, e.g.: bin 4(3) 10 = = = 14 Denote bit string where x is replicated n times by x n : x n = x... x

26 Single ECU Distributed System Notation AutoFocus Project. S. Beyer, P. Böhm, M. Gerke, M. Hillebrand, T. In der Rieden, S. Knapp, D. Leinenbach, and W.J. Paul. Towards the Formal Verification of Lower System Layers in Automotive Systems. In 23nd IEEE International Conference on Computer Design: VLSI in Computers and Processors (ICCD 2005), 2 5 October 2005, San Jose, CA, USA, Proceedings, pages IEEE, J. Botaschanjan, M. Broy, A. Gruler, A. Harhurin, S. Knapp, L. Kof, W. Paul, and M. Spichkova. On the Correctness of Upper Layers of Automotive Systems To appear. Sven Beyer, Christian Jacobi, Daniel Kröning, Dirk Leinenbach, and Wolfgang Paul. Instantiating uninterpreted functional units and memory system: Functional verification of the VAMP. In Proc. of the 12th Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME), Lecture Notes in Computer Science (LNCS), pages Springer, Iakov Dalinger, Mark Hillebrand, and Wolfgang Paul. On the Verification of Memory Management Mechanisms. In Proceedings of the 13th Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME 2005), volume 3725 of LNCS, pages Springer, FlexRay Consortium Mauro Gargano, Mark Hillebrand, Dirk Leinenbach, and Wolfgang Paul. On the Correctness of Operating System Kernels. In J. Hurd and T. F. Melham, editors, 18th International Conference on Theorem Proving in Higher Order Logics (TPHOLs 2005), volume 3603 of LNCS, pages Springer, Mark Hillebrand, Thomas In der Rieden, and Wolfgang Paul. Dealing with I/O Devices in the Context of Pervasive System Verification. In ICCD 05, pages IEEE Computer Society, Towards the Verification of Functional and Timely Behavior of an ecall Implementation.

27 Single ECU Distributed System Notation Master s thesis, Universität des Saarlandes, and Wolfgang Paul. Pervasive Verification of Distributed Real-Time Systems To appear. and Wolfgang Paul. Realistic Worst Case Execution Time Analysis in the Context of Pervasive System Verification. In Program Analysis and Compilation, Theory and Practice: Essays Dedicated to Reinhard Wilhelm, volume 4444, Dirk Leinenbach, Wolfgang Paul, and Elena Petrova. Towards the Formal Verification of a C0 Compiler: Code Generation and Implementation Correctness. In Bernhard Aichernig and Bernhard Beckert, editors, 3rd International Conference on Software Engineering and Formal Methods (SEFM 2005), 5-9 September 2005, Koblenz, Germany, pages 2 11, Silvia M. Müller and Wolfgang J. Paul. Computer Architecture: Complexity and Correctness. Springer, OSEK group. Fault Tolerant Communication (OSEK/VDX), OSEK group. Time-Triggered Operating System (OSEK/VDX),