1 / 57

Real-Time Systems, COSC-4301-01, Lecture 13

Real-Time Systems, COSC-4301-01, Lecture 13. Stefan Andrei. Reminder of the last lecture. Faster Verification of RTL-Specified Systems via Decomposition Constraint Extension. Overview of This Lecture. Verification, debugging and optimization of Linear RTL. Description.

dannon
Download Presentation

Real-Time Systems, COSC-4301-01, Lecture 13

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Real-Time Systems, COSC-4301-01, Lecture 13 Stefan Andrei COSC-4301-01, Lecture 13

  2. Reminder of the last lecture • Faster Verification of RTL-Specified Systems via Decomposition • Constraint Extension COSC-4301-01, Lecture 13

  3. Overview of This Lecture • Verification, debugging and optimization of Linear RTL COSC-4301-01, Lecture 13

  4. Description • Given SP and SA expressed in Linear RTL, determine whether SPSA? • Given SP and SA expressed in Linear RTL such that the negation of SA is satisfiable and SP does not imply SA, determine new related SP’ and/or SA’ such that SP’SA’? The election of SP’ and SA’ should be done in conjunction with real-time system advisor or automatically. • Given SP and SA expressed in Linear RTL such that SPSA, determine SP’ and SA’ for which SPSP’, SP’SA’, SA’SA. The new SP’ and SA’ should be done using minimal changes by keeping the same set of constraints, but relaxing SP and/or tightening SA. COSC-4301-01, Lecture 13

  5. References • Chapter 6 of [Che2002] Cheng, A.M.K.: Real-time systems. Scheduling, Analysis, and Verification. Wiley-Interscience, 2002 • [AnC07] Andrei, S., Cheng, A.: Verification of Linear RTL-Specifications. Proceedings of the 28-th IEEE Real-Time Systems Symposium, 2007 COSC-4301-01, Lecture 13

  6. Description – part a) • Given SP and SA expressed in Linear RTL, determine whether SPSA? COSC-4301-01, Lecture 13

  7. Comparison with extended path-RTL class (Lecture 10) • The extended path RTL can only describe a timing constraint between two events. • A timing constraint involving three or more events together cannot be specified by any of these subclasses. • Example: The specification of a phased array radar system. • A phased array is a group of antennas in which the relative phases of the signals feeding the antennas are varied in such a way that the effective radiation is reinforced in a desired direction and suppressed in undesired directions. COSC-4301-01, Lecture 13

  8. The specification of a phased array radar system with four antennas • The radar system is turned on at time 0. • In order to allow time for the initialization routine, the sum of times when all four antennas start radiating must be at least 10 seconds. • The sum of all radiating times for neighboring antennas (in this case, three) cannot exceed 1000 seconds in order to avoid overheating of the antenna elements and to reduce interference. • The time an antenna should continuously radiate is at least 300 seconds. COSC-4301-01, Lecture 13

  9. Translation to RTL • The four antennas of the phased array radar system are given in a cyclic order, denoted by A1, A2, A3, A4. • @(↑A1, i) and @(↓A1, i) mean the ith occurrences when antenna A1 begins and ends radiating: • i ( @(↑A1, i)+ @(↑A2, i)+ @(↑A3, i)+ @(↑A4, i) ≥ 10) •  ((@(↓A1, i) -@(↑A1, i)) + (@(↓A2, i) -@(↑A2, i)) + (@(↓A3, i) -@(↑A3, i))1000 ) … • ((@(↓A4, i) -@(↑A4, i)) + (@(↓A1, i) -@(↑A1, i)) + (@(↓A2, i) -@(↑A2, i))1000 ) •  (@(↓A1, i) -@(↑A1, i) ≥300) …  (@(↓A4, i) -@(↑A4, i) ≥300). COSC-4301-01, Lecture 13

  10. Our larger class - LRTL • So, there is a need to find an RTL subclass able to describe constrains with three or more events. • We call it: Linear Real-Time Logic (LRTL). • LRTL is based on a first-order logic with features able to capture the linear timing requirements of real-time systems. • LRTL includes the existing subclasses of decidable and practical RTL formulas. • To the best of our knowledge, LRTL is a subclass of RTL, with decidable properties, not considered until now for the specification and verification of real-time and embedded systems. COSC-4301-01, Lecture 13

  11. Linear inequalities - an open problem • In fact, the linear inequalities have been unsolved for long time. • For example, [Moller, Lichtenberg, Andersen, and Hulgaard; 1999] formulates as future work the class of linear inequalities: • “One path that could be taken when extending the results of the paper would be to generalize the difference constraints to linear inequalities.” COSC-4301-01, Lecture 13

  12. Can we still re-use the constraint graph? • The previous verification method for formulas expressed in extended path-RTL was the (extended)constraint graph: • A timing constraint @(e1, i) -@(e2, j)  k corresponds to two nodes and an arc in the constraint graph. • A timing constraint ± @(e1, i) ±@(e2, j)  k corresponds to two arcs between four nodes in the extended constraint graph. • No, a more powerful data structure is needed. COSC-4301-01, Lecture 13

  13. LRTL • Compared with the constraint graph technique, the correctness of a real-time system specified in LRTL can be achieved by solving a system of linear inequalities. • A general timing constraint in LRTL may have the form: a1·@(e1, i1) + … + an·@(en, in) «op» b • where «op»is one of the following arithmetic operators {, =, ≥}, and a1,..., an, and b are integers. COSC-4301-01, Lecture 13

  14. The LRTL normal form • a1· @(e1, i1) + … + an· @(en, in)  b • Even if the normal form seems to restrict «op»only to “”, it has the same expressive power as the general form. • Our method for verification of SPSA expressed in LRTL has 6 basic steps. COSC-4301-01, Lecture 13

  15. The first 3 steps to prove SP  SA • consider F = (SP  SA) ≡ SP SA; • convert it to a Presburger formula, FPresb , by replacing the time occurrences @(E, i) by a function fE(i); • construct the Skolem formula, FCNF , by removing the existential quantifiers and replacing the corresponding variables with constants. COSC-4301-01, Lecture 13

  16. Example • SP: i j (@(e1, i) + @(e2, i) 2)  (@(e2, i) - @(e3, j) 1)  (@(e1, i) -@(e3, j) 7). • SA: u v (@(e1, u) + @(e2, u) -@(e3, v) 5). • SA is u v (-@(e1, u) - @(e2, u) +@(e3, v)  - 6) • Presburger formula: replace @(e1, i) by f1(i), @(e2, i) by f2(i), @(e3, i) by f3(i), etc. • Skolem formula: U and V are two integer constants to replace the variables u and v. • FCNF: i j (f1(i) + f2(i) 2)  (f2(i) - f3(j) 1)  (f1(i) - f3(j) 7)  (-f1(U) - f2(U) + f3(V)  - 6). COSC-4301-01, Lecture 13

  17. Step 4: Positive propositional clauses • A set S = {f(t1),..., f(tk)}is unifiable if there exists a substitution ψ such that f(t1)ψ = ... = f(tk)ψ. • Example: • The set S = {f1(i), f1(U)}is unifiable due to the substitution ψ = [i/U]. • The method pos(FCNF) generates a new propositional variable for each new inequality after checking the unification. • The FCNF from the example has the following positive clauses: {A1},{A2},{A3}, and {A4}. COSC-4301-01, Lecture 13

  18. Step 5: Obtaining the negative propositional clauses • FCNFis translated to a system of linear inequalities AX  B. • Example:A = , X = , B = . • The column vector X has been obtained after applying the substitution {[i/U], [j/V]}. COSC-4301-01, Lecture 13

  19. Definition: Negative linear dependencies • Λ = (λi)1in from M1,n is a positive row vector if λi+ - {0} for all i {1, ..., n}. • Let B = (bi)1in be a column vector from Mn,1 such that bi for all i {1, ..., n}. • Λ is negative linear dependant of B if and only if ΛB < 0. COSC-4301-01, Lecture 13

  20. Theorem: Negative Linear Dependency • Let Λ = (λi)1 i  n be a positive row vector that is a solution of the system of linear equations AtrΛtr =0, where A = (ai,j)mn is a matrix over . • If Λis negative linear dependant of B, where B is a column vector, then the inequality AX  B has no solution for X over , where X is a column vector. COSC-4301-01, Lecture 13

  21. Example • Considering AX  B, we need to find the positive row vector Λ = (λ1λ2λ3λ4) such that AtrΛtr =0. • This is: = 0. • The positive solution Λ = (1 1 1 2) leads to ΛB = -2. • Therefore, AX  B has no solution for X over . COSC-4301-01, Lecture 13

  22. Negative propositional clauses • initially Fneg= ; • identify the propositional variables v1, ... vkcorresponding to inequalities from FCNF; • identify matrices A and B from the inequality AX  B that represent FCNF; • let Ai A and Bi B be such that AiX  Biis a new subsystem of AX  B; • find Λia positive solution of AtriΛtri= 0; • if ΛiBi < 0 then add the negative clause {vi,1, ... vi,k}to Fneg; • if there is no new subsystem AiX  Biof AX  B, then STOP; otherwise, go to 4. COSC-4301-01, Lecture 13

  23. Some remarks to choose the subsystem • At step 4, we have chosen Ai A and Bi B be such that AiX  Biis a new subsystem of AX  B; • The idea is to choose Ai the sub-matrix of A that is a closure of the initial variable, that is: • Initial step: add Xi to Ai • Inductive step: • add all the variables from the inequalities that contains variables from Ai; • repeat this step until there are no more changes. COSC-4301-01, Lecture 13

  24. Step 6: The final step of our method • Let PF be the set of positive and negative clauses. • If PF is unsatisfiable, then SPSA holds. • Example:PF = {{A1},{A2},{A3}, {A4}, {A1,A2,A3, A4} } is unsatisfiable, so SPSA holds. COSC-4301-01, Lecture 13

  25. Complexity considerations • Among the many different ways to solve systems of linear inequations, the traditional method is the Gaussian elimination. • It has an order of O(n3) time complexity, where n is the number of variables. COSC-4301-01, Lecture 13

  26. Step 6: Convert PF to a DIMACS file • Suppose PF is expressed in Conjunctive Normal Form and has n variables and l clauses. • Then, the first line of the DIMACS file is: • p cnf n l • Each positive literal L1, …, Ln corresponds to positive integers 1, …, n • Each negative literal L1, …, Ln corresponds to negative integers -1, …, -n • Any clause is translated to a line of text in the DIMACS file by replacing each literal with the corresponding integer and each ‘’ is replaced by blank space (the end of clause is marked by a ‘0’): • L1  L2  L3  L5 corresponds to 1 -2 3 -5 0 COSC-4301-01, Lecture 13

  27. Step 6: Call a state-of-the-art SAT solver • Siege - http://www.cs.sfu.ca/research/groups/CL/software/siege/ • zChaff - http://www.princeton.edu/~chaff/software.html • Cachet - http://www.cs.rochester.edu/u/kautz/Cachet/index.htm • SharpSAT - http://www2.informatik.hu-berlin.de/~thurley/sharpSAT/index.html • Others: http://www.satlive.org/bytype.jsp?reftypefrom=-2 • If the answer provided by this SAT solver or #SAT solver is ‘Unsatisfiable’, then PF is unsatisfiable, so SP  SA is a theorem. COSC-4301-01, Lecture 13

  28. Description – part b) • Given SP and SA expressed in Linear RTL such that the negation of SA is satisfiable and SP does not imply SA, determine new related SP’ and/or SA’ such that SP’SA’? The election of SP’ and SA’ should be done in conjunction with real-time system designer or automatically. COSC-4301-01, Lecture 13

  29. The systematic debugging algorithm • (Test & Print) test if PF is unsatisfiable and if the designer agrees with the suggested constraint • (Incremental Computation) consider all the choices to change SP and SA into new SP’ and SA’. • desired is evaluated to false when the designer wishes to continue the systematic debugging and the timing constraints of the real-time system are fulfilled. Algorithm Main: Input: SP, SA and PF, SP SA Output: SP’, SA’ s.t. SP’ SA’ Method: desired = false; while (desired == false) { (Test & Print) if (desired == false) { (Incremental Computation) (Debugging Computation) } } COSC-4301-01, Lecture 13

  30. Addition of New Variables • While PF is satisfiable: • Test whether each variable appears in at least two inequalities; • If variable Xi appears only once in the system AiX  Bi then we insert it in all inequalities and see whether it leads to unsatisfiability, namely ΛiBi < 0, where Λia positive solution of AtriΛtri= 0. COSC-4301-01, Lecture 13

  31. Transforming a subsystem into one with negative dependencies • Consider Λia positive solution of AtriΛtri= 0; • If ΛiBi >= 0 then modify Bi such that ΛiBi < 0. COSC-4301-01, Lecture 13

  32. Make sure there are positive solutions Λi • If there are no positive solutions Λiof AtriΛtri= 0, then modify Ai to get such a solution. COSC-4301-01, Lecture 13

  33. Automatic Debugging • The automatic approach is similar to the systematic approach, but it should work in the absence of the human beings. • Our solution was to consider in advance all the necessary information such as the designer's guidance: • a set of constraints which cannot be modified • the specific ranges for the constants which appear in the constraints. COSC-4301-01, Lecture 13

  34. Automatic Debugging • The input files for the automatic approach are augmented with the lower and upper bounds for the constants. COSC-4301-01, Lecture 13

  35. Example: Systematic Debugging • Step 1: • SP: i j (@(e1, i) + @(e2, i) 2)  (@(e2, i) - @(e3, j) 1)  (@(e1, i) -@(e3, j) 7). • SA: u v (@(e1, u) + @(e2, u) -@(e3, v)  2). • Step 2: • SP: i j (f1(i) + f2(i) 2)  (f2(i) - f3(j) 1)  (f1(i) - f3(j) 7) • SA:  u  v f1(u) + f2(u) - f3(v)  2 • Step 3: • SP  SA: i  j (f1(i) + f2(i) 2)  (f2(i) - f3(j) 1)  (f1(i) - f3(j) 7) Λ(-f1(U) - f2(U) + f3(V)  -3). COSC-4301-01, Lecture 13

  36. Example: Systematic Debugging -cont • Step 4: • Consider the substitution ψ = {[i/U][j/V]}. • The method pos(FCNF) generates a new propositional variable for each new inequality after checking the unification. • A1 denotes the inequality f1(U)+f2(U) 2 • A2 denotes the inequality f2(U)-f3(U) 1 • A3 denotes the inequality f1(U)-f3(U) 7 • A4 denotes the inequality -f1(U)-f2(U)+f3(V) -9 • The FCNF leads to the following positive clauses for PF: {A1},{A2},{A3}, and {A4}. COSC-4301-01, Lecture 13

  37. Example: Systematic Debugging -cont • Step 5: • FCNFis translated to a system of linear inequalities AX  B. • Example:A = , X = , B = . COSC-4301-01, Lecture 13

  38. Example: Systematic Debugging -cont • Considering AX  B, we need to find the positive row vector Λ = (λ1λ2λ3λ4) such that AtrΛtr =0. • This is: = 0. • The positive generic solution Λ = (a a a 2a) cannot leads to ΛB <0, where a>0. • So, the set of negative clauses is empty. COSC-4301-01, Lecture 13

  39. Example: Systematic Debugging - cont • Step 6: Convert PF to a DIMACS file • p cnf 4 4 • 1 0 • 2 0 • 3 0 • 4 0 • Call Siege or zChaff • The previous DIMACS file is input for Siege. • The output of Siege will be: ‘satisfiable’ • Since PF is satisfiable, then we need to do debugging to make SP  SA a theorem. COSC-4301-01, Lecture 13

  40. Example: Systematic Debugging - cont • Step 7: All the lines have at least two non-zero coefficients, so we don’t do debugging for this case (slide 39). • We need to change B to have ΛB <0. • ΛB=(a a a 2a)(2 1 7 -3)tr=4a, where a>0: • Change b1=2 to b1=-3 • Change b2=1 to b2=-4 • Change b3=7 to b3=2 • Change b4=-3 to b4=-6 COSC-4301-01, Lecture 13

  41. Example: Systematic Debugging - cont • Step 8: The designer is asked which of the changes are the best: • Changing @(e1, i) + @(e2, i) 2 to @(e1, i) + @(e2, i) -3. • Changing @(e2, i) - @(e3, j) 1 to @(e2, i) - @(e3, j) -4. • Changing @(e1, i) -@(e3, j) 7 to @(e1, i) -@(e3, j)  2. • Changing -f1(U) - f2(U) + f3(V)  -3 to -f1(U) - f2(U) + f3(V)  -6. This corresponds to @(e1, u) + @(e2, u) -@(e3, v)  5. COSC-4301-01, Lecture 13

  42. Example: Systematic Debugging - cont • The tool will compute for each of these changes the corresponding propositional formula PF, that is: • PF = {{A1},{A2},{A3}, {A4}, {A1,A2,A3, A4} } • Then #SAT solver will compute the number of truth assignments of PF. • Since this number is 0, the algorithm terminates. • Otherwise, the algorithm would repeat from Step 7. COSC-4301-01, Lecture 13

  43. Example: Automatic Debugging - cont • Consider a file showing intervals for the constants in B: • b1,-3,2,7 means -2  b1  7, where b1 implicit initial value is 2. • b2,-4,1,6 means -3  b2  6, where b2 implicit initial value is 1. • b3,2,7,12 means 3 b3 12, where b3 implicit initial value is 7. • b4,-6,-3,0 means -6 b4  0, where b4 implicit initial value is -3. COSC-4301-01, Lecture 13

  44. Example: Automatic Debugging - cont • As such, the automatic debugging tool will not ask the designer, but it will check the file against the proposed specification. • In our case, the tool will choose • -f1(U) - f2(U) + f3(V)  -6 • This leads to a negative dependency and its constant belongs to the interval [-6,0]. • This corresponds to @(e1, u) + @(e2, u) -@(e3, v)  5. COSC-4301-01, Lecture 13

  45. Description – part c) • Given SP and SA expressed in Linear RTL such that SPSA, determine SP’ and SA’ for which SPSP’, SP’SA’, SA’SA. The new SP’ and SA’ should be done using minimal changes by keeping the same set of constraints, but relaxing SP and/or tightening SA. COSC-4301-01, Lecture 13

  46. The Optimization Problem • The previous approaches were focused on the verification and debugging of SP  SA, and not the optimization of this tautology. • However, it may happen that SP contains overly strong timing constraints or SA can be improved by stronger timing constraints. • Can we provide the most relaxed specification SP and/or the most tight safety assertion SA such that SP  SA is a theorem (without repeating the verification of SP  SA)? COSC-4301-01, Lecture 13

  47. Refinement of the Optimization Algorithm • Input: SP, SA such that SPSA holds, and A(1)XB(1) the initial linear system; • Output: SP’, SA’ such that SP’SA’ is an optimal tautology. • Method: • k=1; SP1=SP; SA1=SA; • while (there exists Λ such that ΛB < -1) { • Identify the inequality ∑j=1n aij xjbi that does not occur in any other subsystem Ai X  Bi; • Decrease bi such that ΛB=-1 and denote the new system A(k+1)XB(k+1); • Change SPk and SAk according to the new weight; • k= k+1; } • SP’=SPk; SA’=SAk. COSC-4301-01, Lecture 13

  48. Example: Optimization • Step 1: • SP: i j (@(e1, i) + @(e2, i) 2)  (@(e2, i) - @(e3, j) 1)  (@(e1, i) -@(e3, j) 7). • SA: u v (@(e1, u) + @(e2, u) -@(e3, v)  8). • Step 2: • SP: i j (f1(i) + f2(i) 2)  (f2(i) - f3(j) 1)  (f1(i) - f3(j) 7) • SA:  u  v f1(u) + f2(u) - f3(v)  8 • Step 3: • SP  SA: i  j (f1(i) + f2(i) 2)  (f2(i) - f3(j) 1)  (f1(i) - f3(j) 7) Λ(-f1(U) - f2(U) + f3(V)  -9). COSC-4301-01, Lecture 13

  49. Example: Optimization -cont • Step 4: • Consider the substitution ψ = {[i/U][j/V]}. • The method pos(FCNF) generates a new propositional variable for each new inequality after checking the unification. • A1 denotes the inequality f1(U)+f2(U) 2 • A2 denotes the inequality f2(U)-f3(U) 1 • A3 denotes the inequality f1(U)-f3(U) 7 • A4 denotes the inequality -f1(U)-f2(U)+f3(V) -9 • The FCNF leads to the following positive clauses for PF: {A1},{A2},{A3}, and {A4}. COSC-4301-01, Lecture 13

  50. Example: Optimization -cont • Step 5: • FCNFis translated to a system of linear inequalities AX  B. • Example:A = , X = , B = . COSC-4301-01, Lecture 13

More Related