
Real-Time Systems, COSC-4301-01, Lecture 12


Presentation Transcript


  1. Real-Time Systems, COSC-4301-01, Lecture 12 Stefan Andrei COSC-4301-01, Lecture 12

  2. Reminder of the last lecture
  • Optimization of specifications expressed in path-RTL

  3. Overview of This Lecture
  • Faster Verification of RTL-Specified Systems via Decomposition
  • Constraint Extension
  • [AnC06] Andrei, S., Cheng, A.M.K.: Faster Verification of RTL-Specified Systems via Decomposition and Constraint Extension. Proceedings of the IEEE Real-Time Systems Symposium (RTSS 2006), 10 pages, IEEE Computer Society, Rio de Janeiro, December 5-8, 2006

  4. Real-Time Systems Specification [JaM87, Che02]
  • Structural-functional specification
  • Behavioral specification (SP)
  • An implementation is correct if SP implies the safety assertions (SA)
  • [JaM87] Jahanian, F., Mok, A.: A Graph-Theoretic Approach for Timing Analysis and its Implementation. IEEE Transactions on Computers, Vol. C-36, No. 8, 1987
  • [Che02] Cheng, A.M.K.: Real-Time Systems. Scheduling, Analysis, and Verification. Wiley-Interscience, 2002

  5. Real-Time Logic (RTL) [JaM86]
  • RTL = first-order logic with special features to capture the timing requirements of the specification and the safety assertion.
  • Occurrence function: @ : Event × Occurrence → Time, where Occurrence = Nat − {0} and Time = Nat.
  • @(e, i) = t means that the i-th occurrence of event e occurs at time t.
  • ∀e ∈ Event, ∀i ∈ Occurrence: @(e, i) < @(e, i+1) if @(e, i+1) is defined.
  • [JaM86] Jahanian, F., Mok, A.K.: Safety analysis of timing properties in real-time systems. IEEE Transactions on Software Engineering, vol. SE-12, no. 9, pp. 890-904, 1986.

  6. Decidable Fragments of RTL
  • However, the satisfiability problem for RTL, as for other first-order logics, is undecidable [WaM94].
  • In an effort to find subclasses of RTL with decidable properties, path real-time logic (path RTL) was described in [JaM87, WaM94].
  • [WaM94] Wang, F., Mok, A.K.: RTL and Refutation by Positive Cycles. Proceedings of the Formal Methods Europe Symposium, Lecture Notes in Computer Science 873, pp. 659-680, 1994

  7. Path Real Time Logic
  • A typical timing constraint expressed in path RTL is a disjunction of inequalities like ∀i ∀j @(e1, i) − @(e2, j) ≤ k, meaning:
  • the difference between the time of the i-th occurrence of event e1 and the time of the j-th occurrence of event e2 is at most k, where the occurrence indices i, j and the constant k are positive integers.
  • Heuristics for verifying SP → SA were described in [JaM87, ACCL05].
  • [ACCL05] Andrei, S., Chin, W.-N., Cheng, A., Lupu, M.: Systematic debugging of real-time systems based on incremental satisfiability counting. Proceedings of RTAS'05, pp. 519-528, 2005.

  8. Real-Time Logic (cont.)
  • Three types of RTL constants:
  • Actions: schedulable units of work
  • Event constants are temporal markers:
    • External events: event-name
    • Start events: ↑event-name (an action starts)
    • Stop events: ↓event-name (an action ends)
    • Transition events: event-name (a state variable changes value)
  • Integers: used for timing constraints.

  9. Path-RTL class [JaM87, WaM94]
  • The general form of path-RTL formulas: functionOccurrence ± integerConstant ≤ functionOccurrence
  • Industrial real-time systems:
  • Railroad crossing [JaM87], [JaS88], [Che02]
  • Moveable control rods in a reactor [JaM87]
  • Boeing 777 Integrated Airplane Information Management System [MTR96]
  • X-38, an autonomous spacecraft built by NASA [RiC99]

  10. X-38, an autonomous spacecraft built by NASA [RiC99]
  • [RiC99] Rice, L.E.P., Cheng, A.M.K.: Timing Analysis of the X-38 Space Station Crew Return Vehicle Avionics. Proceedings of the 5th IEEE-CS Real-Time Technology and Applications Symposium, pp. 255-264, 1999

  11. Limitations of Path Real Time Logic
  • The airport radar station specification [Che02]:
  • "Suppose there is a radar station having two radar sensors for detecting actions. The radar station is turned on at time 0. In order to allow time for the initialization routine, the sum of times when both sensors initially start sensing must be at least 5 seconds. If the first sensor starts early, the second sensor must start later, and vice versa. Both sensors may start at the same time but only after 5 seconds. Moreover, at most 11 seconds may elapse between the starts of both sensors."

  12. Limitations of Path Real Time Logic
  • The airport radar station specification can be translated into RTL:
  • ∀i @(RadarSensor1, i) + @(RadarSensor2, i) ≥ 5 ∧ @(RadarSensor1, i) − @(RadarSensor2, i) ≤ 10 ∧ @(RadarSensor2, i) − @(RadarSensor1, i) ≤ 10.
  • But this specification involves inequalities that cannot be expressed in path RTL (because they contain both + and − operators).

  13. First Contribution of Our Paper
  • We present an extension of the path RTL class by allowing inequalities like ∀i @(e1, i) + @(e2, i) ≥ k and ∀i @(e1, i) + @(e2, i) ≤ k to be part of the specification.
  • Obviously, equalities like ∀i @(e1, i) + @(e2, i) = k may also be part of an extended path RTL specification, as they are easily converted into the above two inequalities.
  • A new and fast algorithm based on a translation to an extended constraint graph is then described as well.

  14. Second Contribution of Our Paper
  • For real-time systems with large specifications, there is a lot of room for improvement in the algorithms used for verification and debugging.
  • An efficient method is needed to verify and debug real-time system specifications using decomposition techniques.
  • The idea is to decompose the constraint graph used in existing approaches into independent sub-graphs, so that it is no longer necessary to analyze the entire specification at once, but only its individual, smaller components.
  • We implemented this method efficiently in the Java-based DEVA-RTL tool and tested it on several industrial real-time systems.

  15. Translating from RTL to SAT [JaM87]
  • (SP → SA) ≡ ¬(SP ∧ ¬SA), so SP → SA is a theorem iff SP ∧ ¬SA is unsatisfiable; let F = SP ∧ ¬SA
  • F' = the corresponding Presburger formula, obtained by replacing each @(e, i) by an uninterpreted function fe(i)
  • PF = C1 ∧ C2 ∧ … ∧ Cn is the propositional formula of F':
  • Ci = Li,1 ∨ Li,2 ∨ … ∨ Li,n, and
  • each Li,j has the general form v1 + I ≤ v2, I being a positive integer constant.
  • For each literal v1 + I ≤ v2, we construct a node labeled v1, a node labeled v2, and an edge <v1, v2> with weight I from node v1 to node v2;
  • For each positive cycle Xi,1, Xi,2, …, Xi,ni (the i-th one), the clause ¬Xi,1 ∨ ¬Xi,2 ∨ … ∨ ¬Xi,ni is added to PF.
  • If PF is unsatisfiable, then F is unsatisfiable, so SP → SA is a theorem.

  16. Extended Constraint Graph
  • The extended constraint graph is defined as ECG = (EN, EA), where:
  • The set of extended nodes is EN = {v+, v- | v ∈ V}, where V is the set of literals that appear in SP and SA.
  • We say that a timing constraint is in normal form if it has one of the following forms: vi - vj ≤ c, vi + vj ≤ c, -vi - vj ≤ c, vi ≤ c and vi ≥ c,
  • where vi and vj may be variables or functional symbols of one argument (e.g., f(x)) and c is an integer constant.

  17. Extended Constraint Graph
  • For each inequality in normal form we construct the set of arcs EA as follows:
  • for any vi - vj ≤ c, i ≠ j: add arcs (vi-, vj-, -c) and (vi+, vj+, -c) to EA;
  • for any vi + vj ≤ c, i ≠ j: add arcs (vi-, vj+, -c) and (vj-, vi+, -c) to EA;
  • for any -vi - vj ≤ c, i ≠ j: add arcs (vi+, vj-, -c) and (vj+, vi-, -c) to EA;
  • for any vi ≤ c: add arc (vi-, vi+, -2c) to EA;
  • for any vi ≥ c: add arc (vi+, vi-, 2c) to EA.

  18. Extended Path RTL
  • We generalize path RTL to extended path RTL by simply allowing a timing constraint to have any of the five forms described in the normal form above.
  • Unlike the traditional construction of the constraint graph, where one inequality generates two nodes and one arc, in the extended constraint graph an inequality generates four nodes and two arcs (e.g., the first three cases above).
  • This implies that the propositional formula corresponding to a real-time system specified in extended path RTL tends to have twice as many propositional variables and clauses as the propositional formula of the same system specified in traditional path RTL.

  19. Extended Path RTL - Example
  • The tracking/computation part of the radar station specification ([Che02]):
  • "A radar system searches for objects of interest in the desired coverage area by repeatedly executing the following steps:
  • (1) scanning / radio signal processing,
  • (2) tracking, and
  • (3) data association/classification.
  • Here, we specify a simplified version of the specification of the tracking step for four objects.
  • The safety assertion states that the computing resources (2 CPUs) can feasibly schedule the four object-tracking tasks, each tracking a distinct object of interest.
  • Each task is fully parallelizable and thus can execute on two CPUs if needed to speed up its execution by a factor of 2.
  • Tasks T1, T2, T3, and T4 have respectively computation times c1, c2, c3, and c4, all with the same period p."

  20. Extended Path RTL - Example
  • We denote by Tj_CPUk the fact that task Tj is executing on CPUk.
  • For any j ∈ {1, ..., 4} and k ∈ {1, 2}, we denote by @(↑Tj_CPUk, i) and @(↓Tj_CPUk, i) the i-th occurrence of the starting and the ending time of Tj_CPUk, respectively.
  • The above specification can be written in extended path RTL as SP:
  • @(↓T1_CPU1, i) + @(↓T1_CPU2, i) ≤ c1 + c2 + c3 + c4
  • @(↓T2_CPU1, i) + @(↓T2_CPU2, i) ≤ c2 + c3 + c4
  • @(↓T3_CPU1, i) + @(↓T3_CPU2, i) ≤ c3 + c4
  • @(↓T4_CPU1, i) + @(↓T4_CPU2, i) ≤ c4

  21. Extended Path RTL - Example
  • The next eight identities express that the computation time of each task equals the difference between its ending and starting time points:
  • ∀j ∈ {1, ..., 4} and k ∈ {1, 2}, we have @(↓Tj_CPUk, i) - @(↑Tj_CPUk, i) = cj
  • There is a task priority order: T4 has the highest priority and T1 the lowest.
  • This implies the extended path RTL formulas:
  • ∀j ∈ {1, 2, 3} and k ∈ {1, 2}, we have @(↑Tj_CPUk, i) > @(↑Tj+1_CPUk, i), with the boundary cases @(↑T1_CPUk, i) < p and @(↑T4_CPUk, i) = 0.

  22. Extended Path RTL - Example
  • The above SP can now be checked for feasibility (i.e., that a schedule for all tasks exists in each period) by the following extended path RTL formula, denoted SA (here standing for the 'scheduling assertion'):
  • ∀j ∈ {1, ..., 4} and k ∈ {1, 2}, we have @(↓Tj_CPUk, i) ≤ p.
  • Since it uses both arithmetic operators "+" and "-", the specification cannot be written using only traditional path RTL formulas.

  23. Extended Path RTL - Example
  • To illustrate the verification and debugging of SA in the context of SP, we consider a specific system configuration by assigning values to the constants that occur in SP.
  • Let these be c1 = 32, c2 = 8, c3 = 28, c4 = 12 and the period p = 40.
  • For simplicity, we omit the argument i, so we associate with each time occurrence function a functional symbol of arity 0:
  • @(↑Tj_CPUk, i) will be denoted sj,k (where 's' stands for 'start') and
  • @(↓Tj_CPUk, i) will be denoted ej,k (where 'e' stands for 'end').

  24. Extended Path RTL - Example

  25. Extended Constraint Graph - Example
  • The scheduling assertion to be checked is:
  • ∀i, j: ei,j ≤ 40, i ∈ {1, ..., 4}, j ∈ {1, 2}
  • Thus, the negation of the scheduling assertion is ∃i, j: ei,j ≥ 41.
  • The extended constraint graph corresponding to SP ∧ ¬SA is given below.
  • Because of its large size, we split it into four components, one for each task, plus their interconnections.

  26. Extended Constraint Graph - Example
  • The variables si,j and ei,j correspond to the nodes si,j-, si,j+ and ei,j-, ei,j+ of the extended constraint graph.
  • There are 12 more arcs that correspond to the starting times on both CPU1 and CPU2.
  • These arcs link some of the internal nodes of the above four tasks' extended constraint graphs, namely (si,j-, si-1,j-, 1) and (si,j+, si-1,j+, 1), ∀i ∈ {2, 3, 4}, j ∈ {1, 2}.

  27. Extended Constraint Graph - Example

  28. Propositional Formula - Example
  • For each new arc there is a new propositional variable, and for each positive cycle there is a negative clause.
  • The propositional formula corresponding to the whole extended path RTL formula has 60 variables and 72 clauses.
  • The arc (e1,2-, e1,1+, -80) corresponds to a propositional variable denoted ee1,2,1,1-+.
  • The positive cycle given by the arcs (e1,2-, e1,1+, -80), (e1,1+, e1,1-, 82), (e1,1-, e1,2+, -80), (e1,2+, e1,2-, 82) leads to the negative clause ¬ee1,2,1,1-+ ∨ ¬ee1,1,1,1+- ∨ ¬ee1,1,1,2-+ ∨ ¬ee1,2,1,2+-.
  • The propositional formula is unsatisfiable, which means SP ∧ ¬SA is unsatisfiable, too.
  • This implies that SP → SA is a theorem, so the airport radar station is feasible.

  29. Decomposition Problem. Motivation
  • Industrial examples have many components that are not time-related, or only loosely time-related.
  • Examples:
  • The timing constraints of the braking component of a car are not necessarily related to its front headlights component.
  • The flight-critical loop of the X-38 is not time-related to the non-flight-critical loop of the X-38.
  • By exploiting this, we provide an efficient divide-and-conquer method for the verification and debugging of large real-time system specifications using decomposition techniques.

  30. Main Idea
  • Decompose the constraint graph into independent sub-graphs, so that the entire specification does not have to be analyzed at once, but only its smaller components (i.e., strongly connected components).
  • The satisfiability of one or all strongly connected component(s) can be used to determine the satisfiability of the entire specification.
  • Notation:
  • Given the negation of the path RTL specification, F, we denote by CGF the constraint graph associated with F.
  • Given a constraint sub-graph CG'F ⊆ CGF, we denote by PFCG' the propositional formula obtained from F by considering only the nodes and arcs of CG'F.

  31. Independent Components
  • Let SCC1, ..., SCCn be the strongly connected components of CGF and PFSCC1, ..., PFSCCn their corresponding propositional formulæ.
  • For a given i ∈ {1, ..., n}, we say that:
  • SCCi is globally independent if and only if there is no arc (u, v) ∈ E(CGF) for which (u ∈ V(SCCi) and v ∉ V(SCCi)) or (u ∉ V(SCCi) and v ∈ V(SCCi));
  • SCCi is locally independent of SCCj, where j ≠ i, if and only if ∀u ∈ V(SCCj), ∀v ∈ V(SCCi), the literal in PFSCCi corresponding to the arc (u, v) does not appear in a disjunction with other arcs of SCCi;
  • SCCi is locally neighbour independent if and only if there exists a j such that SCCi is locally independent of SCCj;
  • SCCi is locally neighbours independent if and only if, for all j such that SCCj is connected by an arc to SCCi, SCCi is locally independent of SCCj.

  32. Modular Satisfiability Theorem
  • The following facts hold:
  • if there exists an i ∈ {1, ..., n} such that SCCi is globally or locally neighbour independent and PFSCCi is unsatisfiable, then F and PF are unsatisfiable, too;
  • if all SCC1, ..., SCCn are globally or locally neighbours independent and PFSCC1, ..., PFSCCn are all satisfiable, then PF is satisfiable, too.

  33. X-38 Constraint Graph
  • Three different strongly connected components:
  • two referring to the 50 Hz and 10 Hz flight-critical loops (denoted SCC1 and SCC2, respectively), and
  • the third referring to the non-flight-critical loop (denoted SCC3).

  34. Structure of the X-38 Constraint Graph
  • SCC1, SCC2 and SCC3 are locally neighbours independent because the arcs corresponding to the constraints
  • @(↓FCP_I50FC, i) − @(↑FCP_I10FC, i) ≤ 0 and
  • @(↓FCP_I50FC, i) − @(↑FCP_I50NFC, i) ≤ 0
  • are the only ones from SCC1 to SCC2 and from SCC1 to SCC3, respectively.
  • Moreover, these arcs are not involved in any disjunction of the specification.
  • So the (un)satisfiability of the whole formula can be decided from the (un)satisfiability of its strongly connected components (because they are locally neighbours independent).
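Added example (Python, not DEVA-RTL's code): the independence test of slide 31 and the Modular Satisfiability Theorem of slide 32, run on a constructed toy graph shaped like the X-38 structure above (three components, linked only by single arcs leaving SCC1). It assumes every arc is a unit clause of PF, so a component's PFSCC is unsatisfiable exactly when the component contains a positive cycle; the names NODES, ARCS and CLAUSES are constructed here.

```python
from collections import defaultdict

def strongly_connected_components(nodes, arcs):
    # Two nodes share an SCC iff each reaches the other (naive reachability, adequate
    # for small graphs; a real tool would use a linear-time SCC algorithm).
    adj = defaultdict(list)
    for s, d, _ in arcs:
        adj[s].append(d)
    def reach(v):
        seen, todo = {v}, [v]
        while todo:
            for w in adj[todo.pop()]:
                if w not in seen:
                    seen.add(w); todo.append(w)
        return seen
    r = {v: reach(v) for v in nodes}
    sccs = []
    for v in nodes:
        comp = frozenset(u for u in nodes if u in r[v] and v in r[u])
        if comp not in sccs:
            sccs.append(comp)
    return sccs

def independence(scc, arcs, clauses):
    # Slide 31: 'global' (no crossing arc), 'local' (locally neighbours independent: no arc
    # entering the SCC appears in a disjunction), otherwise 'dependent'.
    # clauses = the disjunctions of PF as lists of arc indices (slide 15).
    in_disjunction = {k for c in clauses if len(c) > 1 for k in c}
    crossing = [k for k, (s, d, _) in enumerate(arcs) if (s in scc) != (d in scc)]
    if not crossing:
        return "global"
    if all(k not in in_disjunction for k in crossing if arcs[k][1] in scc):
        return "local"
    return "dependent"

def has_positive_cycle(scc, arcs):
    # Bellman-Ford on the component with negated weights: a negative cycle there is a
    # positive cycle of CG_F, so PF_SCC is unsatisfiable when every arc is a unit clause.
    local = [(s, d, -w) for s, d, w in arcs if s in scc and d in scc]
    dist = dict.fromkeys(scc, 0)                 # virtual source at distance 0
    for _ in range(len(scc) - 1):
        for s, d, w in local:
            dist[d] = min(dist[d], dist[s] + w)
    return any(dist[s] + w < dist[d] for s, d, w in local)

def modular_verify(nodes, arcs, clauses):
    # Modular Satisfiability Theorem (slide 32) with the positive-cycle oracle as PF_SCC check.
    sccs = strongly_connected_components(nodes, arcs)
    kind = {c: independence(c, arcs, clauses) for c in sccs}
    unsat = {c: has_positive_cycle(c, arcs) for c in sccs}
    if any(kind[c] != "dependent" and unsat[c] for c in sccs):
        return "unsat"          # one independent, unsatisfiable component suffices
    if all(kind[c] != "dependent" and not unsat[c] for c in sccs):
        return "sat"
    return "undecided"          # fall back to analysing the whole PF

# Constructed toy graph shaped like the X-38 structure of slides 33-34: three components
# linked only by single arcs leaving SCC1, and no arc appears in a disjunction.
NODES = ["a1", "a2", "b1", "b2", "c1", "c2"]
ARCS = [("a1", "a2", -3), ("a2", "a1", 2),      # SCC1, cycle weight -1
        ("b1", "b2", -5), ("b2", "b1", 5),      # SCC2, cycle weight 0
        ("c1", "c2", -4), ("c2", "c1", 6),      # SCC3, cycle weight 2 (positive)
        ("a2", "b1", 0), ("a2", "c1", 0)]       # the two linking arcs (indices 6, 7)
CLAUSES = [[k] for k in range(len(ARCS))]       # every arc is a unit clause
```

With these inputs modular_verify(NODES, ARCS, CLAUSES) decides "unsat" from SCC3 alone, without touching the other two components.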

  35. Decomposition Technique Debugging Results
  • In fact, the more strongly connected components the constraint graph has, the better the performance of the decomposition technique.

  36. Example
  • Step 1 (Express the specification in extended path-RTL):
  • SP: ∀x ∀t ∀u ∀y @(e1, x) - @(e2, t) ≤ 5 ∧ @(e1, u) + @(e2, y) ≤ 15
  • SA: ∀u @(e1, u) ≤ 10
  • Step 2 (Conversion to Presburger arithmetic formulae):
  • SP: ∀x ∀t ∀u ∀y (f(x) - g(t) ≤ 5) ∧ (f(u) + g(y) ≤ 15)
  • SA: ∀u f(u) ≤ 10

  37. Example - cont.
  • Step 3 (Conversion to clausal form):
  • ¬SA: ∃u f(u) > 10; equivalently, ∃u f(u) ≥ 11
  • The Skolem normal form of RTL formulas needs the substitution [U/u]: f(U) ≥ 11
  • We consider SP ∧ ¬SA:
  • ∀x ∀t ∀u ∀y (f(x) - g(t) ≤ 5) ∧ (f(u) + g(y) ≤ 15) ∧ (f(U) ≥ 11)

  38. Example - cont.
  • Step 4: Extended constraint graph:

  39. Example - cont.
  • A1 denotes the arc (Vf-, Vg-)
  • A2 denotes the arc (Vg+, Vf+)
  • A3 denotes the arc (Vf-, Vg+)
  • A4 denotes the arc (Vg-, Vf+)
  • A5 denotes the arc (Vf+, Vf-)
  • PF has the positive clauses {A1}, {A2}, {A3}, {A4}, {A5}
  • The positive cycle Cycle1 = (Vf-, Vg-, Vf+, Vf-) implies in PF the negative clause {¬A1, ¬A4, ¬A5}
  • The positive cycle Cycle2 = (Vf-, Vg+, Vf+, Vf-) implies in PF the negative clause {¬A3, ¬A2, ¬A5}

  40. Example - cont.
  • PF is:
  • {A1}, {A2}, {A3}, {A4}, {A5}, {¬A1, ¬A4, ¬A5}, {¬A3, ¬A2, ¬A5}
  • Step 5: Convert PF to a DIMACS file:
    p cnf 5 7
    1 0
    2 0
    3 0
    4 0
    5 0
    -1 -4 -5 0
    -2 -3 -5 0
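Added example (Python, not the DEVA-RTL tool's code) for the construction of slides 15-17 and the worked example of slides 36-40: it builds the extended constraint graph, enumerates the positive cycles, emits the DIMACS file of slide 40 and stands in for Siege with a brute-force check; it also applies to the radar arcs of slide 28. It assumes the specification is a plain conjunction of normal-form constraints (no disjunctions), so every arc is a unit clause. Reading v+ as -v and v- as v, the sound second arc for vi - vj ≤ c is (vj+, vi+, -c), which is how slide 39 orients A2, so the code uses that orientation rather than the (vi+, vj+, -c) printed on slide 17.

```python
from itertools import product

# Normal-form constraints (slide 16) are tuples (kind, vi, vj, c), vj = None for the
# one-variable forms; graph nodes are the strings "<v>+" and "<v>-".
def build_ecg(constraints):
    arcs = []                                   # list of (src, dst, weight)
    for kind, vi, vj, c in constraints:
        if kind == "diff":      # vi - vj <= c; second arc oriented vj+ -> vi+ (see lead-in)
            arcs += [(vi + "-", vj + "-", -c), (vj + "+", vi + "+", -c)]
        elif kind == "sum":     # vi + vj <= c
            arcs += [(vi + "-", vj + "+", -c), (vj + "-", vi + "+", -c)]
        elif kind == "negsum":  # -vi - vj <= c
            arcs += [(vi + "+", vj + "-", -c), (vj + "+", vi + "-", -c)]
        elif kind == "le":      # vi <= c
            arcs.append((vi + "-", vi + "+", -2 * c))
        elif kind == "ge":      # vi >= c
            arcs.append((vi + "+", vi + "-", 2 * c))
    return arcs

def positive_cycles(arcs):
    """Simple cycles of positive weight as {tuple of arc indices: weight}, each rooted once
    at its lowest-numbered node (nodes are numbered in order of first appearance)."""
    nodes = list(dict.fromkeys(n for s, d, _ in arcs for n in (s, d)))
    order = {n: i for i, n in enumerate(nodes)}
    out_arcs = {n: [k for k, a in enumerate(arcs) if a[0] == n] for n in nodes}
    found = {}
    def dfs(start, node, path, weight, seen):
        for k in out_arcs[node]:
            _, dst, w = arcs[k]
            if dst == start:                    # closed the cycle: keep it if positive
                if weight + w > 0:
                    found[tuple(path + [k])] = weight + w
            elif order[dst] > order[start] and dst not in seen:
                dfs(start, dst, path + [k], weight + w, seen | {dst})
    for n in nodes:
        dfs(n, n, [], 0, {n})
    return found

def propositional_formula(arcs):
    # PF of slide 15 for a spec without disjunctions (assumption): variable k+1 is a unit
    # clause for arc k, and every positive cycle adds one negative clause.
    clauses = [[k + 1] for k in range(len(arcs))]
    for cycle in positive_cycles(arcs):
        clauses.append(sorted((-(k + 1) for k in cycle), key=abs))
    return clauses

def to_dimacs(clauses, nvars):
    lines = [f"p cnf {nvars} {len(clauses)}"]
    lines += [" ".join(map(str, c)) + " 0" for c in clauses]
    return "\n".join(lines)

def satisfiable(clauses, nvars):
    # Brute-force stand-in for Siege/zChaff; fine for a handful of variables.
    return any(all(any(bits[abs(l) - 1] == (l > 0) for l in c) for c in clauses)
               for bits in product((False, True), repeat=nvars))

def verify(constraints):
    # Returns (DIMACS text, PF satisfiable?); an unsatisfiable PF means SP -> SA is a theorem.
    arcs = build_ecg(constraints)
    clauses = propositional_formula(arcs)
    return to_dimacs(clauses, len(arcs)), satisfiable(clauses, len(arcs))

# Constructed from slides 36-37: SP plus the Skolemised negation of SA in normal form,
# with Vf standing for f(.) = @(e1, .) and Vg for g(.) = @(e2, .).
EXAMPLE = [("diff", "Vf", "Vg", 5),     # f(x) - g(t) <= 5
           ("sum", "Vf", "Vg", 15),     # f(u) + g(y) <= 15
           ("ge", "Vf", None, 11)]      # f(U) >= 11  (negated SA)
```

verify(EXAMPLE) returns the DIMACS text of slide 40 and reports PF unsatisfiable; dropping the third constraint (the negated SA) leaves no positive cycle, so the specification alone is satisfiable.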

  41. Example - cont.
  • Step 6: Call Siege or zChaff
  • The previous DIMACS file is the input for Siege.
  • The output of Siege will be: 'unsatisfiable'
  • Since PF is unsatisfiable, F is unsatisfiable, too.
  • So SP → SA is a theorem.
  • The verification problem is solved!

  42. Step 6: Call a state-of-the-art SAT solver
  • Siege - http://www.cs.sfu.ca/research/groups/CL/software/siege/
  • zChaff - http://www.princeton.edu/~chaff/software.html
  • Cachet - http://www.cs.rochester.edu/u/kautz/Cachet/index.htm
  • SharpSAT - http://www2.informatik.hu-berlin.de/~thurley/sharpSAT/index.html
  • Others: http://www.satlive.org/bytype.jsp?reftypefrom=-2
  • If the answer provided by the SAT solver or #SAT solver is 'Unsatisfiable', then PF is unsatisfiable, so SP → SA is a theorem.

  43. Future Work
  • Identify new subclasses of timing formulae for which the satisfiability problem is decidable:
  • by considering non-unit integer scalars, e.g., ± a * @(X, i) ± b * @(Y, j) ≤ c
  • by considering more than two variables, e.g., ± @(X, i) ± @(Y, j) ± @(Z, k) ≤ c

  44. Summary
  • Faster Verification of RTL-Specified Systems via Decomposition
  • Constraint Extension

  45. Reading suggestions
  • [AnC06] Andrei, S., Cheng, A.M.K.: Faster Verification of RTL-Specified Systems via Decomposition and Constraint Extension. Proceedings of the IEEE Real-Time Systems Symposium (RTSS 2006), 10 pages, IEEE Computer Society, Rio de Janeiro, December 5-8, 2006

  46. Coming up next
  • Verification, debugging and optimization of Linear RTL
  • [AnC07] Andrei, S., Cheng, A.: Verification of Linear RTL-Specifications. Proceedings of the 28th IEEE Real-Time Systems Symposium, 2007

  47. Thank you for your attention! Questions?
