Cyber Physical System Verification with SAL


Slides, July 22, 2013


Motivation

Cyber Physical Systems (CPS)
- Systems that interact with the physical world
- Characterized by a mix of continuous and discrete behavior
- Often safety-critical
- Present in industries such as automotive, aerospace, health care, energy, etc.

Formal Verification
- Dramatic improvement over the years
- Real-world systems have been verified
- Model checkers require less user interaction
- Requires a formal semantics of the system


Quartz

- Framework (Averest) for specification, verification and implementation of reactive systems
- Synchronous programming language Quartz
- Averest Intermediate Format (AIF), which can be translated to C, Verilog, SystemC and others

Design Flow (Quartz): figure not transcribed

Quartz: Imperative Synchronous Language

- A program is represented as a series of steps
- Paradigm of perfect synchrony (synchronous model of computation, MoC)
- In each step the program:
  - reads all the inputs I
  - computes all the outputs O for the present state
  - updates the internal state S for the next step
- Hence one step maps (S, I) to (S', O)

Perfect Synchrony

- Macro steps are separated by the command pause
- All statements in a micro step execute in zero time
- Concurrent threads run in lockstep

Immediate assignment:

    x = 1; pause;
    y = x; x = 2; pause;

Delayed assignment:

    x = 1; next(x) = 2; pause;
    y = x; pause;

Variable Declarations

- Data types: integers, booleans, natural numbers, arrays, tuples, bitvectors and more
- Information flow: variables can be classified as input, output or inout
- Storage type: event and memorized variables

Synchronous Guarded Actions

- Quartz programs are compiled to a set of guarded actions
- Guarded actions are pairs of the form (γ, C): a boolean guard γ and an atomic command C
- All enabled guarded actions are executed in parallel
- They can easily be translated to transition systems

ABRO (Quartz example)

    module ABRO(event ?a, ?b, ?r, !o) {
      loop
        abort {
          { wa: await(a) || wb: await(b); }
          emit(o);
          wr: await(r);
        } when(r);
    } satisfies {
      property1 : assert A G (o -> a | b);
      property2 : assert A G (o -> X !o);
    }


Symbolic Analysis Laboratory (SAL)

- Framework for performing abstraction, program analysis, theorem proving and model checking
- Intermediate language for the specification of transition systems
- Philosophy: one language, many tools

SAL language

The language was constructed based on the following principles:
- Generality
- Minimality
- Semantic regularity
- Language modularity
- Compositionality

SAL language

- Context: defines new types, modules, and assertions
- Module: defines inputs, outputs, locals, globals, transitions, etc.
- Transitions: defined either via definitions or guarded commands
- Composition: modules can be composed synchronously (M1 || M2) or asynchronously (M1 [] M2)

Types

- Finite types: booleans, finite arrays, records, tuples, finite ranges on Z
- Infinite types: naturals (N), integers (Z)

Transitions

Definitions (current-state and next-state form):

    x = expression
    x' = expression

Guarded command: let γ be a boolean guard and D a set of definitions:

    γ --> D

where each definition in D is of the form x' = expression.

Non-determinism: if more than one guarded command is enabled at the same time, one of them is chosen non-deterministically!

Property Specification Language

- Defined by the keyword THEOREM
- Supports LTL and a subset of CTL

Typical operators:
- G(p): p is always true
- F(p): p will eventually be true
- U(p,q): p holds until a state is reached where q holds
- X(p): p is true in the next state

Past operators: past temporal operators are not supported.

Property Specification Language: further operators

- AG(p): p is globally true on all paths
- EG(p): there is a path where p is continuously true
- AF(p): on all paths p is eventually true
- EF(p): there is a path where p is eventually true
- AU(p,q): on all paths p holds until a state is reached where q holds
- EU(p,q): there is a path where p holds until a state is reached where q holds
- AX(p): p holds in all successor states
- EX(p): there is a successor state where p holds

Example Properties

Example 1

    th1 : THEOREM main |- AG(request => AF(state = busy));

Example 2

    th2 : THEOREM main |- G(request => F(state = busy));

Example 3

    th3 : THEOREM main |- ltllib!responds_to(state = busy, request);

Transitions as definitions (Example 1)

    short : CONTEXT =
    BEGIN
      State : TYPE = { ready, busy };
      main : MODULE =
      BEGIN
        INPUT request : BOOLEAN
        OUTPUT state : State
        INITIALIZATION state = ready
        TRANSITION
          state' IN IF (state = ready) AND request THEN { busy } ELSE { ready, busy } ENDIF
      END;
    END
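The following is an added example, not code from the slides, SAL or Averest: it builds the reachable state graph of the `short` module above with the input `request` left free in every step, and evaluates the CTL operators listed earlier (EX, AX, EU, EG and the ones derived from them) as set-valued fixpoints, the same characterization a symbolic model checker such as sal-smc computes with BDDs. It checks th1 from the example properties and a few formulas that do not hold, to show the difference between the A and E path quantifiers.

```python
"""Explicit-state CTL checking of the `short` context (added example)."""
from collections import deque

READY, BUSY = "ready", "busy"

# A Kripke node is (state, request): the SAL state variable plus the current
# value of the input, so that formulas can mention `request`.
INITIAL = {(READY, False), (READY, True)}


def short_next(state, request):
    """TRANSITION of `main`: the set of allowed next values of `state`.
    The ELSE branch is a non-deterministic choice between ready and busy."""
    if state == READY and request:
        return {BUSY}
    return {READY, BUSY}


def build_kripke():
    """Reachable nodes and successor relation; `request` is an input, so a
    node has one successor per next state and per next input value."""
    succ = {}
    queue = deque(INITIAL)
    while queue:
        node = queue.popleft()
        if node in succ:
            continue
        state, request = node
        succ[node] = {(s2, r2) for s2 in short_next(state, request)
                      for r2 in (False, True)}
        queue.extend(succ[node])
    return set(succ), succ


# --- CTL operators on sets of nodes -------------------------------------
def ex(succ, phi):
    """EX phi: some successor satisfies phi."""
    return {n for n in succ if succ[n] & phi}


def ax(succ, phi):
    """AX phi: all successors satisfy phi."""
    return {n for n in succ if succ[n] <= phi}


def eu(succ, phi, psi):
    """E[phi U psi]: least fixpoint of Z = psi OR (phi AND EX Z)."""
    result = set(psi)
    while True:
        new = result | (phi & ex(succ, result))
        if new == result:
            return result
        result = new


def eg(succ, phi):
    """EG phi: greatest fixpoint of Z = phi AND EX Z."""
    result = set(phi)
    while True:
        new = result & ex(succ, result)
        if new == result:
            return result
        result = new


def ef(succ, phi):
    return eu(succ, set(succ), phi)


def af(succ, phi):
    return set(succ) - eg(succ, set(succ) - phi)


def ag(succ, phi):
    return set(succ) - ef(succ, set(succ) - phi)


def au(succ, phi, psi):
    """A[phi U psi] = NOT (E[NOT psi U (NOT phi AND NOT psi)] OR EG NOT psi)."""
    nodes = set(succ)
    nphi, npsi = nodes - phi, nodes - psi
    return nodes - (eu(succ, npsi, nphi & npsi) | eg(succ, npsi))


def check_properties():
    """True means every initial node satisfies the formula, which is what
    `main |- formula` asserts in SAL."""
    nodes, succ = build_kripke()
    request = {n for n in nodes if n[1]}
    busy = {n for n in nodes if n[0] == BUSY}
    implies = lambda p, q: (nodes - p) | q          # p => q
    formulas = {
        "th1: AG(request => AF(state = busy))": ag(succ, implies(request, af(succ, busy))),
        "AG(AF(state = busy))": ag(succ, af(succ, busy)),   # fails: request may stay FALSE forever
        "EF(state = busy)": ef(succ, busy),
        "AX(state = busy)": ax(succ, busy),                 # fails from (ready, request = FALSE)
        "A[request U state = busy]": au(succ, request, busy),
    }
    return {name: INITIAL <= sat for name, sat in formulas.items()}


if __name__ == "__main__":
    for name, holds in check_properties().items():
        print(f"{name}: {'valid' if holds else 'invalid'}")
```

Every formula is reduced to EX, EU and EG, so adding an operator to the checker is a one-line definition; the fixpoint loops terminate because the node set is finite, which is also why the slides restrict the model-checkable types to finite ones.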

Transitions as guarded commands (Example 2)

    meter : CONTEXT =
    BEGIN
      m : MODULE =
      BEGIN
        INPUT temp : INTEGER
        LOCAL high : BOOLEAN, ctr : NATURAL
        OUTPUT danger : BOOLEAN
        DEFINITION high = temp > 100
        INITIALIZATION ctr = 0; danger = FALSE
        TRANSITION
          [ ctr > 3 --> danger' = danger OR high
          [] ctr <= 3 AND high --> ctr' = ctr + 1
          [] ELSE --> ctr' = 0
          ]
      END;
      thm1 : THEOREM m |- G(high => F(danger));
    END

Tools

- sal-wfc: well-formedness checker
- sal-deadlock-checker: deadlock checker
- sal-smc: symbolic model checker
- sal-bmc: bounded model checker
- sal-inf-bmc: infinite bounded model checker
- sal-path-finder: random trace generator
- sal-sim: simulator (front end)
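As an added example (not from the slides or the SAL distribution), the guarded commands of the `meter` module above are encoded as (guard, action) pairs and unrolled breadth-first up to a bound, which is what sal-bmc does for an invariant. Two details of the guarded-command semantics are made explicit: a variable that a command does not assign keeps its value (frame condition), and every enabled command yields a successor, with ELSE taken only when none is enabled. The input `temp` is read only through `high = temp > 100`, so the search abstracts it to the boolean `high`, chosen freely in every step.

```python
"""Bounded model checking of the `meter` guarded commands (added example)."""
from collections import deque

# INITIALIZATION ctr = 0; danger = FALSE
INITIAL = {"ctr": 0, "danger": False}

# Guards and actions read the current state s and the input high; an action
# returns the assignments to the primed variables of the next state.
GUARDED_COMMANDS = [
    # [ ctr > 3 --> danger' = danger OR high
    (lambda s, high: s["ctr"] > 3,
     lambda s, high: {"danger": s["danger"] or high}),
    # [] ctr <= 3 AND high --> ctr' = ctr + 1
    (lambda s, high: s["ctr"] <= 3 and high,
     lambda s, high: {"ctr": s["ctr"] + 1}),
]
# [] ELSE --> ctr' = 0
ELSE_ACTION = lambda s, high: {"ctr": 0}


def successors(state, high):
    """Next states for one input valuation: every enabled command gives a
    successor (SAL picks one non-deterministically), ELSE only if none is
    enabled; unassigned variables are copied (frame condition)."""
    enabled = [act for guard, act in GUARDED_COMMANDS if guard(state, high)]
    if not enabled:
        enabled = [ELSE_ACTION]
    return [{**state, **act(state, high)} for act in enabled]


def bmc(invariant, bound, initial=INITIAL):
    """Search all paths of length <= bound for a state violating `invariant`.
    Returns (inputs, states) of the shortest counterexample, or None."""
    key = lambda s: tuple(sorted(s.items()))
    queue = deque([(initial, [], [initial])])
    seen = {key(initial)}
    while queue:
        state, inputs, states = queue.popleft()
        if not invariant(state):
            return inputs, states
        if len(inputs) == bound:
            continue
        for high in (False, True):
            for nxt in successors(state, high):
                if key(nxt) not in seen:
                    seen.add(key(nxt))
                    queue.append((nxt, inputs + [high], states + [nxt]))
    return None


def check_meter(bound=10):
    """Two invariants: ctr never exceeds 4 (holds, since ctr only increments
    while ctr <= 3) and danger never becomes TRUE (violated after five
    consecutive high readings)."""
    return {
        "G(ctr <= 4)": bmc(lambda s: s["ctr"] <= 4, bound),
        "G(NOT danger)": bmc(lambda s: not s["danger"], bound),
    }


if __name__ == "__main__":
    for name, result in check_meter().items():
        if result is None:
            print(f"{name}: no counterexample up to the bound")
        else:
            print(f"{name}: violated by inputs high = {result[0]}")
```

Because the search remembers visited states, it also terminates on this finite abstraction without hitting the bound, so "no counterexample" here is a proof; with an unbounded NATURAL counter that is not the case in general, which is why the slides list a separate infinite bounded model checker.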


Translating Quartz to SAL

Issues:
- Storage type (reaction to absence)
- Immediate and delayed assignments
- Non-determinism in transitions
- Representing macro steps

Handling event variables

    EX01 : CONTEXT =
    BEGIN
      main : MODULE =
      BEGIN
        ...
        TRANSITION
          [ ... --> ev0' = TRUE;
          [] ELSE --> ev0' = FALSE;
          ]
      END;
    END

Immediate and delayed assignments

    ...
    TRANSITION
      gcimm: [ a AND b --> o = TRUE; ]    % immediate: o holds in the current step
      gcnxt: [ a AND b --> o' = TRUE; ]   % delayed: o holds in the next step
    ...

Conflicting guarded commands

    EX02 : CONTEXT =
    BEGIN
      main : MODULE =
      BEGIN
        ...
        TRANSITION
          [ st --> wa' = TRUE;
          [] st --> wb' = TRUE;
          ...
          ]
      END;
      property : THEOREM main |- AG(o => a OR b);
    END

Both commands are enabled by the same guard st, so SAL chooses one of them non-deterministically instead of executing both in the same macro step.

Solution to conflicting guarded commands

    EX02 : CONTEXT =
    BEGIN
      main : MODULE =
      BEGIN
        ...
        TRANSITION
          [ en0 AND st --> wa' = TRUE; en0' = FALSE; en1' = TRUE;
          [] en1 AND st --> wb' = TRUE; en1' = FALSE; endstep' = TRUE;
          ...
          ]
      END;
      property : THEOREM main |- endstep => AG(o => a OR b);
    END

Proposed approach

- Create a new module representing each label and output
- The newly created module has all labels and inputs as input (except itself)
- The newly created module has a single output, namely the variable itself
- Synchronous composition of all the generated modules

SAL output: module for label wa

    wam : MODULE =
    BEGIN
      INPUT a, b, r, st, wb, wr : BOOLEAN
      OUTPUT wa : BOOLEAN
      INITIALIZATION wa = FALSE;
      TRANSITION
        [ st --> wa' = TRUE;
        [] (NOT r AND wa AND NOT a) OR (r AND wr) OR (r AND (wr OR wa OR wb)) --> wa' = TRUE;
        [] ELSE --> wa' = FALSE;
        ]
    END;

Corresponding Quartz guarded action:

    !r & wa & !a | r & wr | r & (wr | wa | wb)  =>  next(wa) = true

SAL output: composition

    BEGIN
      stm : MODULE = ...
      wam : MODULE = ...
      wbm : MODULE = ...
      wrm : MODULE = ...
      om  : MODULE = ...
      main : MODULE = stm || wam || wbm || wrm || om;
    END
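The following is an added example, not code from the slides, Averest or SAL; it executes the proposed approach for the ABRO program. Each variable of the translation (the labels wa, wb, wr and the output o) gets its own next-value function that reads the inputs and all the other labels, and all functions are evaluated in lockstep from the same current state, i.e. the synchronous composition stm || wam || wbm || wrm || om. Only the guards of `wam` are given on the slides; the functions for wb, wr and o are constructed here from the Quartz ABRO program in the same style and are an assumption of this example. One Python step is one macro step, `st` marks the first step in which the loop body is entered, and `o` is computed as an immediate output (the micro-step/endstep encoding of the slides is not modelled). `explore` enumerates every reachable state under all input combinations and checks the two properties of the Quartz module plus a deliberately wrong one, for which it reports the counterexample.

```python
"""ABRO as a synchronous composition of per-label modules (added example)."""
from collections import deque

INPUTS = [(a, b, r) for a in (False, True) for b in (False, True)
          for r in (False, True)]


def emit_o(a, b, r, wa, wb):
    """o is emitted in the step in which the last pending await completes:
    no abort, at least one await still pending, and every pending one sees
    its event (wa waits for a, wb waits for b). Constructed, not on the slides."""
    return (not r) and (wa or wb) and (not wa or a) and (not wb or b)


def next_wa(st, a, b, r, wa, wb, wr):
    """Guards of the `wam` module on the slides: enter on st, stay while a is
    absent, restart the loop body on r (strong abort)."""
    return st or (not r and wa and not a) or (r and (wr or wa or wb))


def next_wb(st, a, b, r, wa, wb, wr):
    """Same recipe for label wb (constructed, not on the slides)."""
    return st or (not r and wb and not b) or (r and (wr or wa or wb))


def next_wr(st, a, b, r, wa, wb, wr):
    """wr is entered when o is emitted and held until r (constructed)."""
    return (not r) and (wr or emit_o(a, b, r, wa, wb))


def step(state, inputs, st=False):
    """One macro step of the composition: every module reads the same current
    labels and inputs; returns (next labels, o emitted in this step)."""
    wa, wb, wr = state
    a, b, r = inputs
    nxt = (next_wa(st, a, b, r, wa, wb, wr),
           next_wb(st, a, b, r, wa, wb, wr),
           next_wr(st, a, b, r, wa, wb, wr))
    return nxt, emit_o(a, b, r, wa, wb)


# Properties are checked on every transition; they see the inputs, o of this
# step and o of the previous step (enough for the X operator of property2).
PROPERTIES = {
    "property1: AG(o -> a | b)": lambda a, b, r, o, o_prev: (not o) or a or b,
    "property2: AG(o -> X !o)": lambda a, b, r, o, o_prev: not (o_prev and o),
    "wrong: AG(o -> a & b)": lambda a, b, r, o, o_prev: (not o) or (a and b),
}


def explore():
    """Breadth-first exploration over all inputs. Returns, per property, None
    if it holds on every reachable transition, otherwise the shortest input
    sequence (one (a, b, r) triple per macro step) that violates it."""
    results = {name: None for name in PROPERTIES}
    init = (False, False, False)                 # no label active before st
    queue = deque([((init, False), [], True)])   # (node, trace, st)
    seen = {(init, False)}
    while queue:
        (state, o_prev), trace, st = queue.popleft()
        for inp in INPUTS:
            nxt, o = step(state, inp, st)
            for name, holds in PROPERTIES.items():
                if results[name] is None and not holds(*inp, o, o_prev):
                    results[name] = trace + [inp]
            node = (nxt, o)
            if node not in seen:
                seen.add(node)
                queue.append((node, trace + [inp], False))
    return results


if __name__ == "__main__":
    for name, cex in explore().items():
        print(name, "holds" if cex is None else f"violated by inputs {cex}")
```

The wrong property fails after three steps (a arrives, then b in a later step, so o is emitted with only one of the two present), which is exactly the case the reconstructed disjunction in property1 is written for; the page's own SAL encoding would instead have sal-smc produce that trace.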


Conclusions

- The ABRO program was successfully translated and verified with the proposed approach
- Automatic translation is possible
- Quartz guarded commands are simple but powerful
- SAL provides a very complete environment for specification, verification and analysis
- qrz2sal?