05/04/23 COSC-4301-01, Lecture 10 1

Real-Time Systems, COSC-4301-01, Lecture 10

Stefan Andrei

05/04/23 COSC-4301-01, Lecture 10 2

Reminder of the last lecture Counting true instances Incremental verification of the real-time

systems specifications

05/04/23 COSC-4301-01, Lecture 10 3

Overview of This Lecture

Systematic and Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting

[ACCL05] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Systematic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. The 11th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'05), San Francisco, United States, 7 March - 10 March, 10 pages, 2005

[ACCL06] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. IEEE Transaction on Computers, vol. 55(7), pp. 830-842 (2006) Selected as July issue's Feature Article.

05/04/23 COSC-4301-01, Lecture 10 4

References [JaM87] Jahanian, F., Mok, A.: A Graph-Theoretic

Approach for Timing Analysis and its Implementation. IEEE Transactions on Computers. Vol. C-36, No. 8, 1987

[JaS88] Jahanian, F., Stuart, D. A.: A Method for Verifying Properties of Modechart Specifications. Proceedings of 9-th IEEE Real-Time Systems Symposium, pp. 12-21, 1988

[WaM94] Wang, F., Mok, A. K.: RTL and Refutation by Positive Cycles. Proceedings of Formal Methods Europe Symposium, 873, Lecture Notes in Computer Science, pp. 659-680, 1994

[AnC04] Andrei, S., Chin, W.-N.: Incremental Satisfiability Counting for Real-Time Systems. IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS’04), Toronto, Canada, 25 May – 28 May, 2004

05/04/23 COSC-4301-01, Lecture 10 5

References (cont) [MTR96] Mok, A. K., Tsou, Duu-Chung, de Rooij, R. C. M.: The

MSP.RTL real-time scheduler synthesis tool. Proceedings of the 17th IEEE Real-Time Systems Symposium, 1996

[RiC99] Rice, L.E.P., Cheng, A.M.K.: Timing Analysis of the X-38 Space Station Crew Return Vehicle Avionics. Proceedings of the 5-th IEEE-CS Real-Time Technology and Applications Symposium, pp. 255-264, 1999

[Che2002] Cheng, A.M.K.: Real-time systems. Scheduling, Analysis, and Verification. Wiley-Interscience, 2002

[And2004] Andrei, S.: Counting for Satisfiability by Inverting Resolution. Artificial Intelligence Review, 2004

[SoS94] O. Sokolsky and S.A. Smolka, Incremental Model Checking in the Modal Mu-Calculus, Computer-Aided Verification '94, LNCS 818, Springer-Verlag, 1994

05/04/23 COSC-4301-01, Lecture 10 6

Real-Time Systems [JaM86, JaM87, Che02] Structural-functional specification

Behavioral specification (SP)

An implementation is correct if SP implies the safety assertions (SA)

05/04/23 COSC-4301-01, Lecture 10 7

Verification of Timing Properties [JaM86, JaM87, Che02] In checking SP → SA, we may have the cases:

(safe) SA is a theorem derivable from SP; (inherently unsafe) SA is unsatisfiable with

respect to SP; (safe if additional constraints are added) the

negation of SA is satisfiable under certain conditions.

05/04/23 COSC-4301-01, Lecture 10 8

Our Incremental Approach for Systematic Debugging [AnC04]

05/04/23 COSC-4301-01, Lecture 10 9

Past Work [AnC04] The satisfiability of SPk+1→SAk+1 is expressed

incrementally from the satisfiability of SPk→SAk The manual debugging from step 3 is correlated

with the satisfiability of SPk→SAk

We use #SAT problem rather than SAT problem: To know how “far away” is SP from satisfying SA; The modification of SP and/or SA is useful for

incremental debugging, in which bugs are fixed one at a time until the system is correct.

05/04/23 COSC-4301-01, Lecture 10 10

Motivation of this Work The debugging from step 3 is done systematically, not

manually Since the industrial real-time systems may have large

specifications, it is impractical for the designer to find the proper missing or wrong constraints.

Efficient Java implementation of systematic debugging (http://galaxy.lamar.edu/~sandrei/SDRTL/). Examples of real-time systems have also been successfully tested by SDRTL.

We simulated a real-life scenario, supposing that the designer may forget to include some constraints or may give some incorrect constraints.

05/04/23 COSC-4301-01, Lecture 10 11

Real-Time Logic (RTL) [JaM86] RTL = first-order logic with special features to

capture the timing requirements; Occurrence Function: @:: Event x Occurrence

Time, where Occurrence = Nat - {0} and Time = Nat. @(e, i) = t means the i-th occurrence of event e

occurs at time t. eEvent, iOccurrence, @(e,i) < @(e,i+1) if

@(e,i+1) is defined

05/04/23 COSC-4301-01, Lecture 10 12

Real-Time Logic (cont) Three types of RTL constants:

Actions: schedulable units of work Events constants are temporal markers

External Events: event-name Start Events: event-name Stop Events: event-name Transition Events: event-name

Integers: used for timing constraints.

05/04/23 COSC-4301-01, Lecture 10 13

SP of Railroad Crossing – English and RTL When train approaches sensor, a signal will initiate

the lowering of gate, and Gate is moved to down position within 30s from being detected by the sensor, and

x ( @(TrainApproach, x) @(DownGate, x) @(DownGate, x) @(TrainApproach, x) + 30 ) The gate needs at least 15s to lower itself to the

down position. y ( @(DownGate, y) + 15 @(DownGate, y) )

05/04/23 COSC-4301-01, Lecture 10 14

SA of Railroad Crossing – English and RTL If train needs at least 45s to travel from sensor to the

railroad crossing, and the train crossing is completed within 60s from being detected by sensor, then we are assured that at the start of the train crossing, gate

has moved down and that the train leaves the railroad crossing within 45s from

the time the gate has completed moving down. t u ( @(TrainApproach, t) + 45 @(TrainCrossing, u) @(TrainCrossing, u) < @(TrainApproach, t) + 60 @(TrainCrossing, u) @(DownGate, t) @(TrainCrossing, u) @(DownGate, t) + 45 )

05/04/23 COSC-4301-01, Lecture 10 15

The Path-RTL formulas [JaM87, WaM94] The general form of path-RTL formulas: functionOccurrence integerConstant functionOccurrence Industrial real-time systems:

Railroad crossing [JaM87], [JaS88], [Che2002] Moveable control rods in a reactor [JaM87] Boeing 777 Integrated Airplane Information

Management System [MTR96] X-38, an autonomous spacecraft build by NASA

[RiC99]

05/04/23 COSC-4301-01, Lecture 10 16

X-38, an autonomous spacecraft build by NASA [RiC99]

05/04/23 COSC-4301-01, Lecture 10 17

Presburger Arithmetic Formulae Each @(e,i) is replaced by an uninterpreted function fe(i) SP:

x (f(x) g1(x) g2(x) f(x) + 30) y (g1(y) + 15 g2(y))

SA: t u (

f(t) + 45 h1(u) h2(u) < f(t) + 60 g2(t) h1(u) h2(u) g2(t) + 45 )

05/04/23 COSC-4301-01, Lecture 10 18

Railroad Crossing - Clausal Form (SP SA) ( SP SA) SP SA SP SA is a theorem iff SP SA is unsatisfiable; SP:

xy (f(x) g1(x) g2(x) - 30 f(x) g1(y) + 15 g2(y)) Negation of SA: t u (f(t) + 45 h1(u) h2(u) < f(t) + 60 (h1(u) < g2(t) g2(t) + 45 < h2(u)));

Skolem normal form of path-RTL formulas [T/t][U/u]: f(T) + 45 h1(U) h2(U) – 59 f(T) (h1(U) + 1 g2(T) g2(T) + 46 h2(U))

05/04/23 COSC-4301-01, Lecture 10 19

The Constraint Graph Technique [JaM87] F – the initial path-RTL formula; F’ – the corresponding Presburger formula; PF = C1 C2 … Cn is the propositional formula of

SP SA: Ci = Li,1 Li,2 … Li,n and each Li,j has the general form: v1 I v2, I being a

positive integer constant. For each Xi,1, Xi,2,…, Xi,ni the i-th positive cycle, the

clause Xi,1 Xi,2 … Xi,ni is added to PF.

05/04/23 COSC-4301-01, Lecture 10 20

Counting SAT Problem ([And04], [AnC04])

PF={C1,…,Cl} over V. If C1’,…,Ck’ PF and k l, then: mV(C1’,…,Ck’)= number of variables from V which do not

occur in C1’ … Ck’. difV(C1’,…,Ck’)=

0 if i, j {1,…,k}, i j, L literal such that L Ci’ and L Cj’

2mV

(C1’,…,Ck’) otherwise

05/04/23 COSC-4301-01, Lecture 10 21

Incremental Counting SAT ([AnC04]) detV(PF)=

2|V|- k=1l (-1)k+1* 1 i1<…<ikl difV(C1’,…,Ck’)

is called the determinant of PF. Theorem. PF has detV(PF) truth assignments. So, PF is

satisfiable iff detV(PF) 0.

Problem: Knowing the number of true instances of PF, what is the number of true instances of PFυ{C}, for any arbitrary clause C?

Incremental computation: get detV(PF2) using detV(PF1), without re-computing the common parts of PF2 and PF1

05/04/23 COSC-4301-01, Lecture 10 22

The Increment of a Clausal Formula Definition: Given PF={C1,…,Cl} over V and C an

arbitrary clause, then incV(C,PF)=k=0

l(-1)k+1 * 1 i1<…<ikl difV(C,Ci1,…,Cik)

is called the increment of PF with C over V. Theorem: Let PF={C1,…,Cl} be a clausal formula

and PF’={Cl+1,…,Cl+k}. Then: detV(PF υ PF’) = detV(PF) + incV(Cl+1, PF) + incV(Cl+2, PF υ

{Cl+1}) + .. + incV(Cl+k, PF υ {Cl+1,.., Cl+k-1}) Incremental computing is optimal

05/04/23 COSC-4301-01, Lecture 10 23

Related Work: Incremental Approaches An incremental positive cycle detection

algorithm [MTR96] is also based on the constraint-graph technique and uses an algorithm for single source with positive weight in the graph.

An incremental algorithm for model checking using transition systems in the alternation-free fragment of the modal mu-calculus was presented in [SoS94].

Instead, our incremental approach is applied to propositional formulas.

05/04/23 COSC-4301-01, Lecture 10 24

Railroad Crossing - Constraint Graph (1)

PF1={{A1}, {A2}, {A3}, {A4}, {A5}, {A6, A7}, {A2,A4,A6}, {A4,A5,A6,A7}, {A1,A3,A5,A7}}.

detV1(PF1)=0, where V1={A1, ..., A7}.

05/04/23 COSC-4301-01, Lecture 10 25

Re-design of Railroad Example We consider 2 new events (CarCrossingLeft - CCL and

CarCrossingRight – CCR) and 2 new constraints We add to SP:

(English) A car from the left or right needs at most 10 seconds to cross the railroad;

(RTL) z1, @(CCL, z1) – 10 @(CCL, z1) and z2, @(CCR, z2) – 10 @(CCR, z2)

We add to SA: (English) If the train starts to cross the railroad crossing, there is no

car crossing neither from left nor from the right in the last 5 seconds;

(RTL) v1, @(CCL, v1) + 5 @(TrainCrossing, u) and v2, @(CCR, v2) + 5 @(TrainCrossing, u)

05/04/23 COSC-4301-01, Lecture 10 26

Railroad Crossing - Constraint Graph (2) PF2=PF1 {{A8}, {A9}, {A6,

A7, A10, A11}} – {{A6, A7}} detV2(PF2)=detV1(PF1)+

incV2({A8}, PF1)+

incV2({A9}, PF1 {{A8}}) + incV2({A6, A7, A10, A11}, PF1 {{A8}} {{A9}})-

incV2({A6, A7}, PF1 {{A8}} {{A9}} {{A6, A7, A10, A11}}) =3, where V2= V1 {A8, ..., A11}.

As detV2(PF2)>0, then the real-time system is unsafe.

05/04/23 COSC-4301-01, Lecture 10 27

Debugging Computation. Manual versus Systematic Manual debugging [AnC04] is impractical for big

systems. There is a need to consider a systematic way to

solve this matter. The method will automatically generate, in order from

the most probable ones to the less probable ones, all the possible missing/wrong constraints.

Then the designer chooses from this list the proper constraint which is not against the real-time system specifications.

05/04/23 COSC-4301-01, Lecture 10 28

Railroad Crossing - Constraint Graph (2) (Init) construct PF1

(Test & Print) test if the determinant is 0 and if the designer agrees with the suggested constraint according to the systematic debugging computation

(Incremental Computation) compute detVk+1(PFk+1) using detVk(PFk)

(desired == false) is evaluated to false when the designer wishes to stop the systematic debugging and the timing constraints of the real-time system are fulfilled.

Algorithm Main: (Init) desired = false; while (desired == false) { (Test & Print) if (desired == false) { (Incremental Computation) (Debugging Computation) } }

05/04/23 COSC-4301-01, Lecture 10 29

Addition of a New Arc

It shows that the node v has no out-arc;

So the arc (v,w) (pictured with a dashed line) is added to the constraint graph as a member of a new positive cycle.

05/04/23 COSC-4301-01, Lecture 10 30

Transforming a Negative Cycle

The algorithm detects all possible incorrect constraints (i.e. containing a fault).

That is, the algorithm proposes other (bigger) constants I for the literal v1 ± I ≤ v2, and with help of the designer, one such constraint is selected.

Figure 3(b) is more than a “refinement”, because it corresponds to detecting faults in the initial specification, and proposes a new proper constraint.

05/04/23 COSC-4301-01, Lecture 10 31

Key Point: the Increment

SDRTL will compute for each change (new arc and/or new cost) the increment.

Then, SDRTL will sort all these increments in an increasing order.

Starting from the minimum increment, the designer will be asked for his agreement.

The increments which are zero do not count.

05/04/23 COSC-4301-01, Lecture 10 32

Monotony of det and inc

05/04/23 COSC-4301-01, Lecture 10 33

The Execution Run

05/04/23 COSC-4301-01, Lecture 10 34

The Execution Run (cont)

05/04/23 COSC-4301-01, Lecture 10 35

Railroad Crossing - Constraint Graph (3)

PF3=PF2 {C12, C13, C14, C15}, over V2.

As detV2(PF3)=0, then the real-time system is safe.

The unification should be done carefully.

05/04/23 COSC-4301-01, Lecture 10 36

Systematic Debugging Results

Denote by niz the number of increments which are zero, and by tni the total number of increments.

The effectiveness is efct = (tni-niz)/(tni). The closer effectiveness to 0, the faster algorithm is (because

useless clauses are not generated). The more bugs the system has, the bigger execution time we get.

05/04/23 COSC-4301-01, Lecture 10 37

Real-Time Systems Debugging Times

On the X-axis, we have the number of missing constraints and on the Y-axis, we have the debugging time in seconds.

For each number of missing constraints, three real-time systems are considered, in this order, from the left to the right: the railroad crossing, the reactor, and the X-38.

As the missing number of constraints increases, the debugging time increases linearly rather than exponentially.

05/04/23 COSC-4301-01, Lecture 10 38

Real-Time Systems Debugging Effectiveness

On the X-axis, we have the number of missing constraints and on the Y-axis, we have the effectiveness, as a subunit real number.

As the missing number of constraints increases, the effectiveness tends to decrease.

In other words, our incremental approach is significantly better than the non-incremental approach.

05/04/23 COSC-4301-01, Lecture 10 39

Automatic Debugging The automatic approach is similar to the

systematic approach, but it should work in the absence of the human beings.

Our solution was to consider in advance all the necessary information such as the designer's guidance: a set of constraints which cannot be modified; the specific ranges for the constants which appear

in the constraints.

05/04/23 COSC-4301-01, Lecture 10 40

Automatic Debugging The input files for the automatic approach are

augmented with the lower and upper bounds for the constants.

Example: the formula

h1(U),-9,1,11,g2(T) || g2(T),36,46,56,h2(U) denotes the following set of formulas:

h1(U)+ a ≤ g2(T) g2(T)+ b ≤ h2(U), where a{-9, ..., 11} and b {36, ..., 56} have the implicit initial values a=1 and b=46.

05/04/23 COSC-4301-01, Lecture 10 41

Automatic versus Systematic Debugging

The tool ADRTL (Automatic Debugging using RTL) contains the set of all possible arcs – compared with SDRTL.

05/04/23 COSC-4301-01, Lecture 10 42

Automatic versus Systematic Debugging

When 1, 2, or 3 constraints are missing, ADRTL (filled boxes) may be faster than SDRTL (empty boxes), whereas for 4 missing constraints, ADRTL is always slower than SDRTL.

Conclusions: The more bugs a real-time system has, the faster the systematic tool

we get when compared with the automatic tool. The human experience may outperform an automatic tool, when talking

about a considerable number of bugs in the real-time system.

05/04/23 COSC-4301-01, Lecture 10 43

Future Work: Replacement of SAT solvers Counting SAT solvers are more efficient than

SAT solvers when there are two many choices to consider (like re-design and debugging problems)

Applications: Finding a feasible scheduling Model checking

05/04/23 COSC-4301-01, Lecture 10 44

Summary Systematic and Automatic Debugging of Real-

Time Systems based on Incremental Satisfiability Counting

05/04/23 COSC-4301-01, Lecture 10 45

Reading suggestions

[ACCL05] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Systematic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. The 11th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'05), San Francisco, United States, 7 March - 10 March, 10 pages, 2005

[ACCL06] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. IEEE Transaction on Computers, vol. 55(7), pp. 830-842 (2006) Selected as July issue's Feature Article.

05/04/23 COSC-4301-01, Lecture 10 46

Coming up next

Optimization of Specifications expressed in path-RTL [AnC06]

[AnC06] Andrei, S., Cheng, A.M.K.: Optimization of Real-Time Systems Timing Specifications. Proceedings of the 12th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA 2006), 7 pages, IEEE Computer Society, Sydney, August 16-18, 2006

05/04/23 COSC-4301-01, Lecture 10 47

Thank you for your attention!

Questions?