1 / 47

Real-Time Systems, COSC-4301-01, Lecture 10

Real-Time Systems, COSC-4301-01, Lecture 10. Stefan Andrei. Reminder of the last lecture. Counting true instances Incremental verification of the real-time systems specifications. Overview of This Lecture.

amandla
Download Presentation

Real-Time Systems, COSC-4301-01, Lecture 10

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Real-Time Systems, COSC-4301-01, Lecture 10 Stefan Andrei COSC-4301-01, Lecture 10

  2. Reminder of the last lecture • Counting true instances • Incremental verification of the real-time systems specifications COSC-4301-01, Lecture 10

  3. Overview of This Lecture • Systematic and Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting • [ACCL05] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Systematic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. The 11th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'05), San Francisco, United States, 7 March - 10 March, 10 pages, 2005 • [ACCL06] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. IEEE Transaction on Computers, vol. 55(7), pp. 830-842 (2006) Selected as July issue's Feature Article. COSC-4301-01, Lecture 10

  4. References • [JaM87] Jahanian, F., Mok, A.: A Graph-Theoretic Approach for Timing Analysis and its Implementation. IEEE Transactions on Computers. Vol. C-36, No. 8, 1987 • [JaS88] Jahanian, F., Stuart, D. A.: A Method for Verifying Properties of Modechart Specifications. Proceedings of 9-th IEEE Real-Time Systems Symposium, pp. 12-21, 1988 • [WaM94] Wang, F., Mok, A. K.: RTL and Refutation by Positive Cycles. Proceedings of Formal Methods Europe Symposium, 873, Lecture Notes in Computer Science, pp. 659-680, 1994 • [AnC04] Andrei, S., Chin, W.-N.: Incremental Satisfiability Counting for Real-Time Systems. IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS’04), Toronto, Canada, 25 May – 28 May, 2004 COSC-4301-01, Lecture 10

  5. References (cont) • [MTR96] Mok, A. K., Tsou, Duu-Chung, de Rooij, R. C. M.: The MSP.RTL real-time scheduler synthesis tool. Proceedings of the 17th IEEE Real-Time Systems Symposium, 1996 • [RiC99] Rice, L.E.P., Cheng, A.M.K.: Timing Analysis of the X-38 Space Station Crew Return Vehicle Avionics. Proceedings of the 5-th IEEE-CS Real-Time Technology and Applications Symposium, pp. 255-264, 1999 • [Che2002] Cheng, A.M.K.: Real-time systems. Scheduling, Analysis, and Verification. Wiley-Interscience, 2002 • [And2004] Andrei, S.: Counting for Satisfiability by Inverting Resolution. Artificial Intelligence Review, 2004 • [SoS94] O. Sokolsky and S.A. Smolka, Incremental Model Checking in the Modal Mu-Calculus, Computer-Aided Verification '94, LNCS 818, Springer-Verlag, 1994 COSC-4301-01, Lecture 10

  6. Real-Time Systems [JaM86, JaM87, Che02] • Structural-functional specification • Behavioral specification (SP) • An implementation is correct if • SP implies the safety assertions (SA) COSC-4301-01, Lecture 10

  7. Verification of Timing Properties [JaM86, JaM87, Che02] • In checking SP → SA, we may have the cases: • (safe) SA is a theorem derivable from SP; • (inherently unsafe) SA is unsatisfiable with respect to SP; • (safe if additional constraints are added) the negation of SA is satisfiable under certain conditions. COSC-4301-01, Lecture 10

  8. Our Incremental Approach for Systematic Debugging [AnC04] COSC-4301-01, Lecture 10

  9. Past Work [AnC04] • The satisfiability of SPk+1→SAk+1 is expressed incrementally from the satisfiability of SPk→SAk • The manual debugging from step 3 is correlated with the satisfiability of SPk→SAk • We use #SAT problem rather than SAT problem: • To know how “far away” is SP from satisfying SA; • The modification of SP and/or SA is useful for incremental debugging, in which bugs are fixed one at a time until the system is correct. COSC-4301-01, Lecture 10

  10. Motivation of this Work • The debugging from step 3 is done systematically, not manually • Since the industrial real-time systems may have large specifications, it is impractical for the designer to find the proper missing or wrong constraints. • Efficient Java implementation of systematic debugging (http://galaxy.lamar.edu/~sandrei/SDRTL/). Examples of real-time systems have also been successfully tested by SDRTL. • We simulated a real-life scenario, supposing that the designer may forget to include some constraints or may give some incorrect constraints. COSC-4301-01, Lecture 10

  11. Real-Time Logic (RTL) [JaM86] • RTL = first-order logic with special features to capture the timing requirements; • Occurrence Function:@:: Event x Occurrence  Time, where Occurrence = Nat - {0} and Time = Nat. • @(e, i) = t means the i-th occurrence of event e occurs at time t. • eEvent, iOccurrence, @(e,i) < @(e,i+1) if @(e,i+1) is defined COSC-4301-01, Lecture 10

  12. Real-Time Logic (cont) • Three types of RTL constants: • Actions: schedulable units of work • Events constants are temporal markers • External Events: event-name • Start Events: event-name • Stop Events: event-name • Transition Events: event-name • Integers: used for timing constraints. COSC-4301-01, Lecture 10

  13. SP of Railroad Crossing – English and RTL • When train approaches sensor, a signal will initiate the lowering of gate, and Gate is moved to down position within 30s from being detected by the sensor, and • x ( @(TrainApproach, x)  @(DownGate, x)  @(DownGate, x)  @(TrainApproach, x) + 30 ) • The gate needs at least 15s to lower itself to the down position. • y ( @(DownGate, y) + 15  @(DownGate, y) ) COSC-4301-01, Lecture 10

  14. SAof Railroad Crossing – English and RTL • If train needs at least 45s to travel from sensor to the railroad crossing, and the train crossing is completed within 60s from being detected by sensor, then • we are assured that at the start of the train crossing, gate has moved down and • that the train leaves the railroad crossing within 45s from the time the gate has completed moving down. • t u ( @(TrainApproach, t) + 45 @(TrainCrossing, u)  @(TrainCrossing, u) < @(TrainApproach, t) + 60  @(TrainCrossing, u)  @(DownGate, t)  @(TrainCrossing, u)  @(DownGate, t) + 45 ) COSC-4301-01, Lecture 10

  15. The Path-RTL formulas [JaM87, WaM94] • The general form of path-RTL formulas: functionOccurrence integerConstant  functionOccurrence • Industrial real-time systems: • Railroad crossing [JaM87], [JaS88], [Che2002] • Moveable control rods in a reactor [JaM87] • Boeing 777 Integrated Airplane Information Management System [MTR96] • X-38, an autonomous spacecraft build by NASA [RiC99] COSC-4301-01, Lecture 10

  16. X-38, an autonomous spacecraft build by NASA [RiC99] COSC-4301-01, Lecture 10

  17. Presburger Arithmetic Formulae • Each @(e,i) is replaced by an uninterpreted function fe(i) • SP: • x (f(x)  g1(x)  g2(x)  f(x) + 30) • y (g1(y) + 15  g2(y)) • SA: • t u ( f(t) + 45 h1(u)  h2(u) < f(t) + 60  g2(t)  h1(u)  h2(u)  g2(t) + 45 ) COSC-4301-01, Lecture 10

  18. Railroad Crossing - Clausal Form •  (SP SA)  (SP SA) SP  SA • SP SA is a theorem iff SP  SA is unsatisfiable; • SP: • xy (f(x)  g1(x)  g2(x) - 30  f(x)  g1(y) + 15  g2(y)) • Negation of SA: t u (f(t) + 45 h1(u)  h2(u) < f(t) + 60  (h1(u) < g2(t)  g2(t) + 45 < h2(u))); • Skolem normal form of path-RTL formulas [T/t][U/u]: f(T) + 45 h1(U)  h2(U) – 59  f(T)  (h1(U) + 1 g2(T)  g2(T) + 46  h2(U)) COSC-4301-01, Lecture 10

  19. The Constraint Graph Technique [JaM87] • F – the initial path-RTL formula; • F’ – the corresponding Presburger formula; • PF = C1 C2 …  Cn is the propositional formula of SP  SA: • Ci = Li,1 Li,2 …  Li,n and • each Li,j has the general form: v1 I  v2, I being a positive integer constant. • For each Xi,1, Xi,2,…, Xi,ni the i-th positive cycle, the clause Xi,1 Xi,2 … Xi,ni is added to PF. COSC-4301-01, Lecture 10

  20. Counting SAT Problem ([And04], [AnC04]) • PF={C1,…,Cl} over V. If C1’,…,Ck’  PF and k  l, then: • mV(C1’,…,Ck’)= number of variables from V which do not occur in C1’ …  Ck’. • difV(C1’,…,Ck’)= • 0 if  i, j  {1,…,k}, i  j,  L literal such that L  Ci’ and L  Cj’ • 2mV(C1’,…,Ck’) otherwise COSC-4301-01, Lecture 10

  21. Incremental Counting SAT ([AnC04]) • detV(PF)= 2|V|- k=1l (-1)k+1* 1 i1<…<ikl difV(C1’,…,Ck’) is called the determinant of PF. • Theorem. PF has detV(PF) truth assignments. So, PF is satisfiable iff detV(PF)  0. • Problem: Knowing the number of true instances of PF, what is the number of true instances of PFυ{C}, for any arbitrary clause C? • Incremental computation: get detV(PF2) using detV(PF1), without re-computing the common parts ofPF2 and PF1 COSC-4301-01, Lecture 10

  22. The Increment of a Clausal Formula • Definition: Given PF={C1,…,Cl} over V and C an arbitrary clause, then incV(C,PF)=k=0l(-1)k+1 * 1 i1<…<ikl difV(C,Ci1,…,Cik) is called the increment of PF with C over V. • Theorem: Let PF={C1,…,Cl} be a clausal formula and PF’={Cl+1,…,Cl+k}. Then: • detV(PFυPF’) = detV(PF) + incV(Cl+1, PF) + incV(Cl+2, PFυ{Cl+1}) + .. + incV(Cl+k, PFυ{Cl+1,.., Cl+k-1}) • Incremental computing is optimal COSC-4301-01, Lecture 10

  23. Related Work: Incremental Approaches • An incremental positive cycle detection algorithm [MTR96] is also based on the constraint-graph technique and uses an algorithm for single source with positive weight in the graph. • An incremental algorithm for model checking using transition systems in the alternation-free fragment of the modal mu-calculus was presented in [SoS94]. • Instead, our incremental approach is applied to propositional formulas. COSC-4301-01, Lecture 10

  24. Railroad Crossing - Constraint Graph (1) • PF1={{A1}, {A2}, {A3}, {A4}, {A5}, {A6, A7}, {A2,A4,A6}, {A4,A5,A6,A7}, {A1,A3,A5,A7}}. • detV1(PF1)=0, where V1={A1, ..., A7}. COSC-4301-01, Lecture 10

  25. Re-design of Railroad Example • We consider 2 new events (CarCrossingLeft - CCL and CarCrossingRight – CCR) and 2 new constraints • We add to SP: • (English) A car from the left or right needs at most 10 seconds to cross the railroad; • (RTL)  z1, @(CCL, z1) – 10  @(CCL, z1) and  z2, @(CCR, z2) – 10  @(CCR, z2) • We add to SA: • (English) If the train starts to cross the railroad crossing, there is no car crossing neither from left nor from the right in the last 5 seconds; • (RTL)  v1, @(CCL, v1) + 5  @(TrainCrossing, u) and  v2, @(CCR, v2) + 5  @(TrainCrossing, u) COSC-4301-01, Lecture 10

  26. Railroad Crossing - Constraint Graph (2) • PF2=PF1 {{A8}, {A9}, {A6, A7, A10, A11}} – {{A6, A7}} • detV2(PF2)=detV1(PF1)+ incV2({A8}, PF1)+ incV2({A9}, PF1 {{A8}}) + incV2({A6, A7, A10, A11}, PF1 {{A8}}  {{A9}})- incV2({A6, A7}, PF1 {{A8}}  {{A9}}  {{A6, A7, A10, A11}}) =3, where V2= V1 {A8, ..., A11}. • As detV2(PF2)>0, then the real-time system is unsafe. COSC-4301-01, Lecture 10

  27. Debugging Computation. Manual versus Systematic • Manual debugging [AnC04] is impractical for big systems. • There is a need to consider a systematic way to solve this matter. • The method will automatically generate, in order from the most probable ones to the less probable ones, all the possible missing/wrong constraints. • Then the designer chooses from this list the proper constraint which is not against the real-time system specifications. COSC-4301-01, Lecture 10

  28. Railroad Crossing - Constraint Graph (2) • (Init) construct PF1 • (Test & Print) test if the determinant is 0 and if the designer agrees with the suggested constraint according to the systematic debugging computation • (Incremental Computation) compute detVk+1(PFk+1) using detVk(PFk) • (desired == false) is evaluated to false when the designer wishes to stop the systematic debugging and the timing constraints of the real-time system are fulfilled. Algorithm Main: (Init) desired = false; while (desired == false) { (Test & Print) if (desired == false) { (Incremental Computation) (Debugging Computation) } } COSC-4301-01, Lecture 10

  29. Addition of a New Arc • It shows that the node v has no out-arc; • So the arc (v,w) (pictured with a dashed line) is added to the constraint graph as a member of a new positive cycle. COSC-4301-01, Lecture 10

  30. Transforming a Negative Cycle • The algorithm detects all possible incorrect constraints (i.e. containing a fault). • That is, the algorithm proposes other (bigger) constants I for the literal v1 ± I ≤ v2, and with help of the designer, one such constraint is selected. • Figure 3(b) is more than a “refinement”, because it corresponds to detecting faults in the initial specification, and proposes a new proper constraint. COSC-4301-01, Lecture 10

  31. Key Point: the Increment • SDRTL will compute for each change (new arc and/or new cost) the increment. • Then, SDRTL will sort all these increments in an increasing order. • Starting from the minimum increment, the designer will be asked for his agreement. • The increments which are zero do not count. COSC-4301-01, Lecture 10

  32. Monotony of det and inc COSC-4301-01, Lecture 10

  33. The Execution Run COSC-4301-01, Lecture 10

  34. The Execution Run (cont) COSC-4301-01, Lecture 10

  35. Railroad Crossing - Constraint Graph (3) • PF3=PF2 {C12, C13, C14, C15}, over V2. • As detV2(PF3)=0, then the real-time system is safe. • The unification should be done carefully. COSC-4301-01, Lecture 10

  36. Systematic Debugging Results • Denote by niz the number of increments which are zero, and by tni the total number of increments. • The effectiveness is efct = (tni-niz)/(tni). • The closer effectiveness to 0, the faster algorithm is (because useless clauses are not generated). • The more bugs the system has, the bigger execution time we get. COSC-4301-01, Lecture 10

  37. Real-Time Systems Debugging Times • On the X-axis, we have the number of missing constraints and on the Y-axis, we have the debugging time in seconds. • For each number of missing constraints, three real-time systems are considered, in this order, from the left to the right: the railroad crossing, the reactor, and the X-38. • As the missing number of constraints increases, the debugging time increases linearly rather than exponentially. COSC-4301-01, Lecture 10

  38. Real-Time Systems Debugging Effectiveness • On the X-axis, we have the number of missing constraints and on the Y-axis, we have the effectiveness, as a subunit real number. • As the missing number of constraints increases, the effectiveness tends to decrease. • In other words, our incremental approach is significantly better than the non-incremental approach. COSC-4301-01, Lecture 10

  39. Automatic Debugging • The automatic approach is similar to the systematic approach, but it should work in the absence of the human beings. • Our solution was to consider in advance all the necessary information such as the designer's guidance: • a set of constraints which cannot be modified; • the specific ranges for the constants which appear in the constraints. COSC-4301-01, Lecture 10

  40. Automatic Debugging • The input files for the automatic approach are augmented with the lower and upper bounds for the constants. • Example: • the formula • h1(U),-9,1,11,g2(T) || g2(T),36,46,56,h2(U) • denotes the following set of formulas: • h1(U)+ a ≤ g2(T)  g2(T)+ b ≤ h2(U), where a{-9, ..., 11} and b  {36, ..., 56} have the implicit initial values a=1 and b=46. COSC-4301-01, Lecture 10

  41. Automatic versus Systematic Debugging • The tool ADRTL (Automatic Debugging using RTL) contains the set of all possible arcs – compared with SDRTL. COSC-4301-01, Lecture 10

  42. Automatic versus Systematic Debugging • When 1, 2, or 3 constraints are missing, ADRTL (filled boxes) may be faster than SDRTL (empty boxes), whereas for 4 missing constraints, ADRTL is always slower than SDRTL. • Conclusions: • The more bugs a real-time system has, the faster the systematic tool we get when compared with the automatic tool. • The human experience may outperform an automatic tool, when talking about a considerable number of bugs in the real-time system. COSC-4301-01, Lecture 10

  43. Future Work: Replacement of SAT solvers • Counting SAT solvers are more efficient than SAT solvers when there are two many choices to consider (like re-design and debugging problems) • Applications: • Finding a feasible scheduling • Model checking COSC-4301-01, Lecture 10

  44. Summary • Systematic and Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting COSC-4301-01, Lecture 10

  45. Reading suggestions • [ACCL05] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Systematic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. The 11th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'05), San Francisco, United States, 7 March - 10 March, 10 pages, 2005 • [ACCL06] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. IEEE Transaction on Computers, vol. 55(7), pp. 830-842 (2006) Selected as July issue's Feature Article. COSC-4301-01, Lecture 10

  46. Coming up next • Optimization of Specifications expressed in path-RTL [AnC06] • [AnC06] Andrei, S., Cheng, A.M.K.: Optimization of Real-Time Systems Timing Specifications. Proceedings of the 12th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA 2006), 7 pages, IEEE Computer Society, Sydney, August 16-18, 2006 COSC-4301-01, Lecture 10

  47. Thank you for your attention!Questions? COSC-4301-01, Lecture 10

More Related