10/30/22 COSC-4301-01, Lecture 13 1 Real-Time Systems, COSC-4301-01, Lecture 13 Stefan Andrei

Page 1: 9/17/2015 COSC-4301-01, Lecture 13 1 Real-Time Systems, COSC-4301-01, Lecture 13 Stefan Andrei

04/19/23 COSC-4301-01, Lecture 13 1

Real-Time Systems, COSC-4301-01, Lecture 13

Stefan Andrei

Page 2:

Reminder of the last lecture

Faster Verification of RTL-Specified Systems via Decomposition

Constraint Extension

Page 3:

Overview of This Lecture

Verification, debugging and optimization of Linear RTL

Page 4:

Description

a) Given SP and SA expressed in Linear RTL, determine whether SP → SA.

b) Given SP and SA expressed in Linear RTL such that the negation of SA is satisfiable and SP does not imply SA, determine new related SP’ and/or SA’ such that SP’ → SA’. The selection of SP’ and SA’ should be done in conjunction with the real-time system advisor or automatically.

c) Given SP and SA expressed in Linear RTL such that SP → SA, determine SP’ and SA’ for which SP → SP’, SP’ → SA’, SA’ → SA. The new SP’ and SA’ should be obtained using minimal changes, keeping the same set of constraints but relaxing SP and/or tightening SA.

Page 5:

References

[Che2002] Cheng, A.M.K.: Real-Time Systems. Scheduling, Analysis, and Verification. Wiley-Interscience, 2002 (Chapter 6)

[AnC07] Andrei, S., Cheng, A.: Verification of Linear RTL-Specifications. Proceedings of the 28th IEEE Real-Time Systems Symposium, 2007

Page 6:

Description – part a)

a) Given SP and SA expressed in Linear RTL, determine whether SP → SA.

Page 7:

Comparison with the extended path-RTL class (Lecture 10)

The extended path-RTL can only describe a timing constraint between two events.

A timing constraint involving three or more events together cannot be specified by any of these subclasses.

Example: the specification of a phased array radar system. A phased array is a group of antennas in which the relative phases of the signals feeding the antennas are varied in such a way that the effective radiation is reinforced in a desired direction and suppressed in undesired directions.

Page 8:

The specification of a phased array radar system with four antennas

1. The radar system is turned on at time 0.

2. In order to allow time for the initialization routine, the sum of the times when all four antennas start radiating must be at least 10 seconds.

3. The sum of all radiating times for neighboring antennas (in this case, three) cannot exceed 1000 seconds, in order to avoid overheating of the antenna elements and to reduce interference.

4. The time an antenna should continuously radiate is at least 300 seconds.

Page 9:

Translation to RTL

The four antennas of the phased array radar system are given in a cyclic order, denoted by A1, A2, A3, A4. @(↑A1, i) and @(↓A1, i) mean the ith occurrences when antenna A1 begins and ends radiating:

∀i ( @(↑A1, i) + @(↑A2, i) + @(↑A3, i) + @(↑A4, i) ≥ 10 ) ∧
( (@(↓A1, i) - @(↑A1, i)) + (@(↓A2, i) - @(↑A2, i)) + (@(↓A3, i) - @(↑A3, i)) ≤ 1000 ) ∧ … ∧
( (@(↓A4, i) - @(↑A4, i)) + (@(↓A1, i) - @(↑A1, i)) + (@(↓A2, i) - @(↑A2, i)) ≤ 1000 ) ∧
(@(↓A1, i) - @(↑A1, i) ≥ 300) ∧ … ∧ (@(↓A4, i) - @(↑A4, i) ≥ 300).

Page 10:

Our larger class - LRTL

So, there is a need to find an RTL subclass able to describe constraints with three or more events. We call it Linear Real-Time Logic (LRTL).

LRTL is based on a first-order logic with features able to capture the linear timing requirements of real-time systems.

LRTL includes the existing subclasses of decidable and practical RTL formulas.

To the best of our knowledge, LRTL is a subclass of RTL with decidable properties that has not been considered until now for the specification and verification of real-time and embedded systems.

Page 11:

Linear inequalities - an open problem

In fact, the case of general linear inequalities has remained unsolved for a long time. For example, [Moller, Lichtenberg, Andersen, and Hulgaard; 1999] formulates the class of linear inequalities as future work: “One path that could be taken when extending the results of the paper would be to generalize the difference constraints to linear inequalities.”

Page 12:

Can we still re-use the constraint graph?

The previous verification method for formulas expressed in extended path-RTL was the (extended) constraint graph:

A timing constraint @(e1, i) - @(e2, j) ≤ k corresponds to two nodes and an arc in the constraint graph.

A timing constraint ± @(e1, i) ± @(e2, j) ≤ k corresponds to two arcs between four nodes in the extended constraint graph.

No, a more powerful data structure is needed.

Page 13:

LRTL

Compared with the constraint graph technique, the correctness of a real-time system specified in LRTL can be established by solving a system of linear inequalities.

A general timing constraint in LRTL may have the form:

a1 · @(e1, i1) + … + an · @(en, in) «op» b

where «op» is one of the arithmetic operators {≤, =, ≥}, and a1, ..., an, and b are integers.

Page 14:

The LRTL normal form

a1 · @(e1, i1) + … + an · @(en, in) ≤ b

Even if the normal form seems to restrict «op» only to “≤”, it has the same expressive power as the general form.

Our method for the verification of SP → SA expressed in LRTL has 6 basic steps.

Page 15:

The first 3 steps to prove SP → SA

1. consider F = ¬(SP → SA) ≡ SP ∧ ¬SA;

2. convert it to a Presburger formula, FPresb, by replacing the time occurrences @(E, i) by a function fE(i);

3. construct the Skolem formula, FCNF, by removing the existential quantifiers and replacing the corresponding variables with constants.

Page 16:

Example

SP: ∀i ∀j (@(e1, i) + @(e2, i) ≤ 2) ∧ (@(e2, i) - @(e3, j) ≤ 1) ∧ (@(e1, i) - @(e3, j) ≤ 7).

SA: ∀u ∀v (@(e1, u) + @(e2, u) - @(e3, v) ≤ 5).

¬SA is ∃u ∃v (-@(e1, u) - @(e2, u) + @(e3, v) ≤ -6).

Presburger formula: replace @(e1, i) by f1(i), @(e2, i) by f2(i), @(e3, i) by f3(i), etc.

Skolem formula: U and V are two integer constants that replace the variables u and v.

FCNF: ∀i ∀j (f1(i) + f2(i) ≤ 2) ∧ (f2(i) - f3(j) ≤ 1) ∧ (f1(i) - f3(j) ≤ 7) ∧ (-f1(U) - f2(U) + f3(V) ≤ -6).

Page 17:

Step 4: Positive propositional clauses

A set S = {f(t1), ..., f(tk)} is unifiable if there exists a substitution ψ such that f(t1)ψ = ... = f(tk)ψ.

Example: the set S = {f1(i), f1(U)} is unifiable due to the substitution ψ = [i/U].

The method pos(FCNF) generates a new propositional variable for each new inequality after checking the unification.

The FCNF from the example has the following positive clauses: {A1}, {A2}, {A3}, and {A4}.

Page 18:

Step 5: Obtaining the negative propositional clauses

FCNF is translated to a system of linear inequalities AX ≤ B.

Example (rows in the order A1, A2, A3, A4; X in the order f1(U), f2(U), f3(V)):

    A = ( 1  1  0 )     X = ( f1(U) )     B = (  2 )
        ( 0  1 -1 )         ( f2(U) )         (  1 )
        ( 1  0 -1 )         ( f3(V) )         (  7 )
        (-1 -1  1 )                           ( -6 )

The column vector X has been obtained after applying the substitution {[i/U], [j/V]}.

Page 19:

Definition: Negative linear dependencies

Λ = (λi)1≤i≤n from M1,n is a positive row vector if λi ∈ ℤ+ − {0} for all i ∈ {1, ..., n}.

Let B = (bi)1≤i≤n be a column vector from Mn,1 such that bi ∈ ℤ for all i ∈ {1, ..., n}.

Λ is negative linear dependent of B if and only if ΛB < 0.

Page 20:

Theorem: Negative Linear Dependency

Let Λ = (λi)1≤i≤n be a positive row vector that is a solution of the system of linear equations AtrΛtr = 0, where A = (ai,j)m×n is a matrix over ℤ.

If Λ is negative linear dependent of B, where B is a column vector, then the inequality AX ≤ B has no solution for X over ℤ, where X is a column vector.

Page 21:

Example

Considering AX ≤ B, we need to find the positive row vector Λ = (λ1 λ2 λ3 λ4) such that AtrΛtr = 0.

This is:

    ( 1  0  1 -1 )   ( λ1 )
    ( 1  1  0 -1 ) · ( λ2 ) = 0,
    ( 0 -1 -1  1 )   ( λ3 )
                     ( λ4 )

that is, λ1 + λ3 - λ4 = 0, λ1 + λ2 - λ4 = 0 and -λ2 - λ3 + λ4 = 0.

The positive solution Λ = (1 1 1 2) leads to ΛB = 2 + 1 + 7 - 12 = -2. Therefore, AX ≤ B has no solution for X over ℤ.

Page 22:

Negative propositional clauses

1. initially Fneg = ∅;

2. identify the propositional variables v1, ..., vk corresponding to inequalities from FCNF;

3. identify matrices A and B from the inequality AX ≤ B that represent FCNF;

4. let Ai ⊆ A and Bi ⊆ B be such that AiX ≤ Bi is a new subsystem of AX ≤ B;

5. find Λi, a positive solution of (Ai)tr(Λi)tr = 0;

6. if ΛiBi < 0 then add the negative clause {¬vi,1, ..., ¬vi,k} to Fneg;

7. if there is no new subsystem AiX ≤ Bi of AX ≤ B, then STOP; otherwise, go to 4.

Page 23:

Some remarks on choosing the subsystem

At step 4, we have chosen Ai ⊆ A and Bi ⊆ B such that AiX ≤ Bi is a new subsystem of AX ≤ B.

The idea is to choose Ai as the sub-matrix of A that is a closure of the initial variable, that is:

Initial step: add Xi to Ai.

Inductive step: add all the variables from the inequalities that contain variables from Ai; repeat this step until there are no more changes.
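Steps 4 and 5 above (the negative linear dependency theorem, its example and the clause-generation loop), worked on the slides' own system as an added example; this is not code from the lecture or from [AnC07]. The FCNF inequalities are encoded as A and B, a positive row vector Λ with ΛA = 0 and ΛB < 0 is searched for, and the corresponding negative clause is produced. Two assumptions keep the example small: Λ is found by bounded exhaustive search over coefficients 1..5 (a general tool would obtain it from linear programming via Farkas' lemma), and the feasibility cross-check only scans a bounded integer box.

```python
# Added example (not from the lecture or [AnC07]): Step 5 of the method on the
# slides' system, with a bounded exhaustive search for the positive row vector
# Lambda. The search bound is an assumption for this small example; a general
# tool would use linear programming (Farkas' lemma) instead.
from itertools import product

# Constructed input: the FCNF inequalities of the slides' example after the
# substitution {[i/U],[j/V]}, each row meaning  a . X <= b  with
# X = (f1(U), f2(U), f3(V)).
VARIABLES = ["f1(U)", "f2(U)", "f3(V)"]
A = [
    [ 1,  1,  0],   # A1:  f1(U) + f2(U)         <= 2
    [ 0,  1, -1],   # A2:  f2(U) - f3(V)         <= 1
    [ 1,  0, -1],   # A3:  f1(U) - f3(V)         <= 7
    [-1, -1,  1],   # A4: -f1(U) - f2(U) + f3(V) <= -6   (negation of SA)
]
B = [2, 1, 7, -6]


def dot(lam, vec):
    """Inner product of two equally long integer sequences."""
    return sum(l * v for l, v in zip(lam, vec))


def row_times_matrix(lam, matrix):
    """Compute Lambda * A, a row vector of length n (the number of variables)."""
    n = len(matrix[0])
    return [sum(lam[i] * matrix[i][j] for i in range(len(matrix))) for j in range(n)]


def find_negative_dependency(matrix, rhs, max_coef=5):
    """Search Lambda in {1..max_coef}^m with Lambda*A = 0 and Lambda*B < 0.

    Returns the first such Lambda as a tuple, or None. Every entry is strictly
    positive, as the slides' definition of a positive row vector requires.
    """
    m = len(matrix)
    for lam in product(range(1, max_coef + 1), repeat=m):
        if all(c == 0 for c in row_times_matrix(lam, matrix)) and dot(lam, rhs) < 0:
            return lam
    return None


def has_integer_solution(matrix, rhs, bound=20):
    """Brute-force check of A X <= B over integers in [-bound, bound]^n.

    Only a sanity check for tiny systems: a negative dependency already proves
    infeasibility over all of Z (indeed over R); the box scan merely confirms it.
    """
    n = len(matrix[0])
    for x in product(range(-bound, bound + 1), repeat=n):
        if all(dot(row, x) <= b for row, b in zip(matrix, rhs)):
            return True
    return False


def negative_clause(matrix, rhs, names):
    """Step 6 of the loop: the clause {not A1, ..., not Am} if a dependency exists, else None."""
    if find_negative_dependency(matrix, rhs) is None:
        return None
    return {"-" + name for name in names}


if __name__ == "__main__":
    lam = find_negative_dependency(A, B)
    print("Lambda =", lam, " Lambda*B =", dot(lam, B))
    print("integer solution inside the box:", has_integer_solution(A, B))
    print("negative clause:", negative_clause(A, B, ["A1", "A2", "A3", "A4"]))
```

Running the block reports Λ = (1, 1, 1, 2) with ΛB = -2, matching the example on the slide; with B = (2, 1, 7, -3), the right-hand side of the systematic debugging example, the search finds no dependency, which is why that example ends up with an empty set of negative clauses.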

Page 24:

Step 6: The final step of our method

Let PF be the set of positive and negative clauses. If PF is unsatisfiable, then SP → SA holds.

Example: PF = { {A1}, {A2}, {A3}, {A4}, {¬A1, ¬A2, ¬A3, ¬A4} } is unsatisfiable, so SP → SA holds.

Page 25:

Complexity considerations

Among the many different ways to solve systems of linear inequalities, the traditional method is Gaussian elimination.

It has O(n³) time complexity, where n is the number of variables.

Page 26:

Step 6: Convert PF to a DIMACS file

Suppose PF is expressed in Conjunctive Normal Form and has n variables and l clauses. Then, the first line of the DIMACS file is:

p cnf n l

Each positive literal L1, …, Ln corresponds to the positive integers 1, …, n.

Each negative literal ¬L1, …, ¬Ln corresponds to the negative integers -1, …, -n.

Any clause is translated to a line of text in the DIMACS file by replacing each literal with the corresponding integer and each ‘∨’ by a blank space (the end of the clause is marked by a ‘0’): L1 ∨ ¬L2 ∨ L3 ∨ ¬L5 corresponds to 1 -2 3 -5 0

Page 27:

Step 6: Call a state-of-the-art SAT solver

Siege - http://www.cs.sfu.ca/research/groups/CL/software/siege/

zChaff - http://www.princeton.edu/~chaff/software.html

Cachet - http://www.cs.rochester.edu/u/kautz/Cachet/index.htm

SharpSAT - http://www2.informatik.hu-berlin.de/~thurley/sharpSAT/index.html

Others: http://www.satlive.org/bytype.jsp?reftypefrom=-2

If the answer provided by this SAT solver or #SAT solver is ‘Unsatisfiable’, then PF is unsatisfiable, so SP → SA is a theorem.
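The two slides above (DIMACS encoding and the SAT/#SAT call) as an added example that is not part of the lecture: PF is serialized to DIMACS CNF and read back, a small DPLL procedure stands in for the external solvers listed, and a #SAT count by enumeration covers the model-counting step used later in the systematic debugging example. The two PF instances are the ones from the slides with A1..A4 numbered 1..4; the function names are this example's own.

```python
# Added example (not the lecture's code): PF as a DIMACS CNF file, a tiny DPLL
# procedure standing in for the SAT solvers the slide lists, and a #SAT count
# by enumeration. Variables are 1-based integers and a negative literal is the
# negated integer, as DIMACS requires.
from itertools import product

# The two PF instances from the slides: A1..A4 are variables 1..4.
PF_VERIFIED = [[1], [2], [3], [4], [-1, -2, -3, -4]]   # verification example: unsatisfiable
PF_DEBUG = [[1], [2], [3], [4]]                         # debugging example: satisfiable


def to_dimacs(clauses, num_vars):
    """Serialize clauses (iterables of non-zero ints) in DIMACS CNF format."""
    lines = [f"p cnf {num_vars} {len(clauses)}"]
    for clause in clauses:
        lines.append(" ".join(str(lit) for lit in clause) + " 0")
    return "\n".join(lines) + "\n"


def parse_dimacs(text):
    """Inverse of to_dimacs: return (num_vars, clauses) from DIMACS text."""
    num_vars, clauses = 0, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("c"):
            continue                                  # comment or blank line
        if line.startswith("p"):
            _, _, nv, _ = line.split()
            num_vars = int(nv)
            continue
        lits = [int(tok) for tok in line.split()]
        assert lits[-1] == 0, "clause must end with 0"
        clauses.append(lits[:-1])
    return num_vars, clauses


def dpll(clauses, assignment=None):
    """Return a satisfying assignment (dict var -> bool) or None if PF is unsatisfiable."""
    assignment = dict(assignment or {})
    clauses = [list(c) for c in clauses]
    # Unit propagation: a one-literal clause forces that literal to be true.
    while True:
        unit = next((c for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        lit = unit[0]
        assignment[abs(lit)] = lit > 0
        reduced_clauses = []
        for c in clauses:
            if lit in c:
                continue                              # clause already satisfied
            reduced = [l for l in c if l != -lit]
            if not reduced:
                return None                           # empty clause: conflict
            reduced_clauses.append(reduced)
        clauses = reduced_clauses
    if not clauses:
        return assignment
    # Branch on the first unassigned variable.
    var = abs(clauses[0][0])
    for value in (True, False):
        result = dpll(clauses + [[var if value else -var]], assignment)
        if result is not None:
            return result
    return None


def count_models(clauses, num_vars):
    """#SAT by enumeration over all 2^num_vars assignments (fine for a tiny PF)."""
    count = 0
    for bits in product((False, True), repeat=num_vars):
        if all(any((lit > 0) == bits[abs(lit) - 1] for lit in c) for c in clauses):
            count += 1
    return count


if __name__ == "__main__":
    print(to_dimacs(PF_VERIFIED, 4))
    print("verified PF model:", dpll(PF_VERIFIED), "models:", count_models(PF_VERIFIED, 4))
    print("debugging PF model:", dpll(PF_DEBUG), "models:", count_models(PF_DEBUG, 4))
```

For the verified PF the DPLL call returns None and the model count is 0, which is the ‘Unsatisfiable’ answer the slide expects; for the debugging PF the only model sets all four variables to true, the case in which debugging has to begin.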

Page 28:

Description – part b)

b) Given SP and SA expressed in Linear RTL such that the negation of SA is satisfiable and SP does not imply SA, determine new related SP’ and/or SA’ such that SP’ → SA’. The selection of SP’ and SA’ should be done in conjunction with the real-time system designer or automatically.

Page 29:

The systematic debugging algorithm

(Test & Print) tests whether PF is unsatisfiable and whether the designer agrees with the suggested constraint.

(Incremental Computation) considers all the choices to change SP and SA into new SP’ and SA’.

desired is evaluated to false when the designer wishes to continue the systematic debugging, and to true when the timing constraints of the real-time system are fulfilled.

Algorithm Main:

Input: SP, SA and PF, where SP does not imply SA

Output: SP’, SA’ such that SP’ → SA’

Method:

    desired = false;
    while (desired == false) {
        (Test & Print)
        if (desired == false) {
            (Incremental Computation)
            (Debugging Computation)
        }
    }

Page 30:

Addition of New Variables

While PF is satisfiable:

Test whether each variable appears in at least two inequalities.

If variable Xi appears only once in the system AiX ≤ Bi, then we insert it in all inequalities and see whether this leads to unsatisfiability, namely ΛiBi < 0, where Λi is a positive solution of (Ai)tr(Λi)tr = 0.

Page 31:

Transforming a subsystem into one with negative dependencies

Consider Λi, a positive solution of (Ai)tr(Λi)tr = 0.

If ΛiBi ≥ 0 then modify Bi such that ΛiBi < 0.

Page 32:

Make sure there are positive solutions Λi

If there are no positive solutions Λi of (Ai)tr(Λi)tr = 0, then modify Ai to obtain such a solution.

Page 33:

Automatic Debugging

The automatic approach is similar to the systematic approach, but it should work in the absence of human beings.

Our solution was to consider in advance all the necessary information, such as the designer's guidance:

a set of constraints which cannot be modified;

the specific ranges for the constants which appear in the constraints.

Page 34:

Automatic Debugging

The input files for the automatic approach are augmented with the lower and upper bounds for the constants.

Page 35:

Example: Systematic Debugging

Step 1:

SP: ∀i ∀j (@(e1, i) + @(e2, i) ≤ 2) ∧ (@(e2, i) - @(e3, j) ≤ 1) ∧ (@(e1, i) - @(e3, j) ≤ 7).

SA: ∀u ∀v (@(e1, u) + @(e2, u) - @(e3, v) ≤ 2).

Step 2:

SP: ∀i ∀j (f1(i) + f2(i) ≤ 2) ∧ (f2(i) - f3(j) ≤ 1) ∧ (f1(i) - f3(j) ≤ 7)

SA: ∀u ∀v f1(u) + f2(u) - f3(v) ≤ 2

Step 3:

SP ∧ ¬SA: ∀i ∀j (f1(i) + f2(i) ≤ 2) ∧ (f2(i) - f3(j) ≤ 1) ∧ (f1(i) - f3(j) ≤ 7) ∧ (-f1(U) - f2(U) + f3(V) ≤ -3).

Page 36:

Example: Systematic Debugging - cont

Step 4: Consider the substitution ψ = {[i/U], [j/V]}. The method pos(FCNF) generates a new propositional variable for each new inequality after checking the unification.

A1 denotes the inequality f1(U) + f2(U) ≤ 2

A2 denotes the inequality f2(U) - f3(V) ≤ 1

A3 denotes the inequality f1(U) - f3(V) ≤ 7

A4 denotes the inequality -f1(U) - f2(U) + f3(V) ≤ -3

The FCNF leads to the following positive clauses for PF: {A1}, {A2}, {A3}, and {A4}.

Page 37:

Example: Systematic Debugging - cont

Step 5: FCNF is translated to a system of linear inequalities AX ≤ B.

Example (rows in the order A1, A2, A3, A4; X in the order f1(U), f2(U), f3(V)):

    A = ( 1  1  0 )     X = ( f1(U) )     B = (  2 )
        ( 0  1 -1 )         ( f2(U) )         (  1 )
        ( 1  0 -1 )         ( f3(V) )         (  7 )
        (-1 -1  1 )                           ( -3 )

Page 38:

Example: Systematic Debugging - cont

Considering AX ≤ B, we need to find the positive row vector Λ = (λ1 λ2 λ3 λ4) such that AtrΛtr = 0.

This is: λ1 + λ3 - λ4 = 0, λ1 + λ2 - λ4 = 0 and -λ2 - λ3 + λ4 = 0.

The positive generic solution Λ = (a a a 2a), where a > 0, cannot lead to ΛB < 0, since ΛB = 2a + a + 7a - 6a = 4a.

So, the set of negative clauses is empty.

Page 39:

Example: Systematic Debugging - cont

Step 6: Convert PF to a DIMACS file

p cnf 4 4
1 0
2 0
3 0
4 0

Call Siege or zChaff: the previous DIMACS file is input for Siege. The output of Siege will be: ‘satisfiable’. Since PF is satisfiable, we need to do debugging to make SP → SA a theorem.

Page 40:

Example: Systematic Debugging - cont

Step 7: All the lines have at least two non-zero coefficients, so we don’t do debugging for this case (slide 39).

We need to change B to have ΛB < 0. ΛB = (a a a 2a)(2 1 7 -3)tr = 4a, where a > 0:

Change b1 = 2 to b1 = -3

Change b2 = 1 to b2 = -4

Change b3 = 7 to b3 = 2

Change b4 = -3 to b4 = -6

Page 41:

Example: Systematic Debugging - cont

Step 8: The designer is asked which of the changes is the best:

Changing @(e1, i) + @(e2, i) ≤ 2 to @(e1, i) + @(e2, i) ≤ -3.

Changing @(e2, i) - @(e3, j) ≤ 1 to @(e2, i) - @(e3, j) ≤ -4.

Changing @(e1, i) - @(e3, j) ≤ 7 to @(e1, i) - @(e3, j) ≤ 2.

Changing -f1(U) - f2(U) + f3(V) ≤ -3 to -f1(U) - f2(U) + f3(V) ≤ -6. This corresponds to @(e1, u) + @(e2, u) - @(e3, v) ≤ 5.

Page 42:

Example: Systematic Debugging - cont

The tool will compute for each of these changes the corresponding propositional formula PF, that is: PF = { {A1}, {A2}, {A3}, {A4}, {¬A1, ¬A2, ¬A3, ¬A4} }

Then the #SAT solver will compute the number of truth assignments of PF.

Since this number is 0, the algorithm terminates.

Otherwise, the algorithm would repeat from Step 7.

Page 43:

Example: Automatic Debugging - cont

Consider a file showing intervals for the constants in B:

b1,-3,2,7 means -2 ≤ b1 ≤ 7, where the implicit initial value of b1 is 2.

b2,-4,1,6 means -3 ≤ b2 ≤ 6, where the implicit initial value of b2 is 1.

b3,2,7,12 means 3 ≤ b3 ≤ 12, where the implicit initial value of b3 is 7.

b4,-6,-3,0 means -6 ≤ b4 ≤ 0, where the implicit initial value of b4 is -3.

Page 44:

Example: Automatic Debugging - cont

As such, the automatic debugging tool will not ask the designer, but it will check the file against the proposed specification.

In our case, the tool will choose -f1(U) - f2(U) + f3(V) ≤ -6.

This leads to a negative dependency, and its constant belongs to the interval [-6, 0].

This corresponds to @(e1, u) + @(e2, u) - @(e3, v) ≤ 5.

Page 45:

Description – part c)

c) Given SP and SA expressed in Linear RTL such that SP → SA, determine SP’ and SA’ for which SP → SP’, SP’ → SA’, SA’ → SA. The new SP’ and SA’ should be obtained using minimal changes, keeping the same set of constraints but relaxing SP and/or tightening SA.

Page 46:

The Optimization Problem

The previous approaches were focused on the verification and debugging of SP → SA, not on the optimization of this tautology.

However, it may happen that SP contains overly strong timing constraints, or that SA can be improved by stronger timing constraints.

Can we provide the most relaxed specification SP and/or the tightest safety assertion SA such that SP → SA is a theorem (without repeating the verification of SP → SA)?

Page 47:

Refinement of the Optimization Algorithm

Input: SP, SA such that SP → SA holds, and A(1)X ≤ B(1) the initial linear system;

Output: SP’, SA’ such that SP’ → SA’ is an optimal tautology.

Method:

    k = 1; SP1 = SP; SA1 = SA;
    while (there exists Λ such that ΛB < -1) {
        Identify the inequality ∑j=1..n aij xj ≤ bi that does not occur in any other subsystem AiX ≤ Bi;
        Decrease bi such that ΛB = -1 and denote the new system A(k+1)X ≤ B(k+1);
        Change SPk and SAk according to the new weight;
        k = k + 1;
    }
    SP’ = SPk; SA’ = SAk.

Page 48:

Example: Optimization

Step 1:

SP: ∀i ∀j (@(e1, i) + @(e2, i) ≤ 2) ∧ (@(e2, i) - @(e3, j) ≤ 1) ∧ (@(e1, i) - @(e3, j) ≤ 7).

SA: ∀u ∀v (@(e1, u) + @(e2, u) - @(e3, v) ≤ 8).

Step 2:

SP: ∀i ∀j (f1(i) + f2(i) ≤ 2) ∧ (f2(i) - f3(j) ≤ 1) ∧ (f1(i) - f3(j) ≤ 7)

SA: ∀u ∀v f1(u) + f2(u) - f3(v) ≤ 8

Step 3:

SP ∧ ¬SA: ∀i ∀j (f1(i) + f2(i) ≤ 2) ∧ (f2(i) - f3(j) ≤ 1) ∧ (f1(i) - f3(j) ≤ 7) ∧ (-f1(U) - f2(U) + f3(V) ≤ -9).

Page 49:

Example: Optimization - cont

Step 4: Consider the substitution ψ = {[i/U], [j/V]}. The method pos(FCNF) generates a new propositional variable for each new inequality after checking the unification.

A1 denotes the inequality f1(U) + f2(U) ≤ 2

A2 denotes the inequality f2(U) - f3(V) ≤ 1

A3 denotes the inequality f1(U) - f3(V) ≤ 7

A4 denotes the inequality -f1(U) - f2(U) + f3(V) ≤ -9

The FCNF leads to the following positive clauses for PF: {A1}, {A2}, {A3}, and {A4}.

Page 50:

Example: Optimization - cont

Step 5: FCNF is translated to a system of linear inequalities AX ≤ B.

Example (rows in the order A1, A2, A3, A4; X in the order f1(U), f2(U), f3(V)):

    A = ( 1  1  0 )     X = ( f1(U) )     B = (  2 )
        ( 0  1 -1 )         ( f2(U) )         (  1 )
        ( 1  0 -1 )         ( f3(V) )         (  7 )
        (-1 -1  1 )                           ( -9 )

Page 51:

Example: Optimization - cont

Considering AX ≤ B, we need to find the positive row vector Λ = (λ1 λ2 λ3 λ4) such that AtrΛtr = 0.

This is: λ1 + λ3 - λ4 = 0, λ1 + λ2 - λ4 = 0 and -λ2 - λ3 + λ4 = 0.

The positive solution Λ = (1 1 1 2) leads to ΛB = 2 + 1 + 7 - 18 = -8. Therefore, AX ≤ B has no solution for X over ℤ. PF = { {A1}, {A2}, {A3}, {A4}, {¬A1, ¬A2, ¬A3, ¬A4} }

Page 52:

Example: Optimization - cont

Step 6: Convert PF to a DIMACS file

p cnf 4 5
1 0
2 0
3 0
4 0
-1 -2 -3 -4 0

Call Siege or zChaff: the previous DIMACS file is input for Siege. The output of Siege will be: ‘satisfiable’. Since PF is satisfiable, we need to do debugging to make SP → SA a theorem.

Page 53:

Example: Optimization - cont

Step 7: ΛB = -8, so we’ll make a change to reach ΛB = -1. There are four ways to do that:

Change b1 = 2 to b1 = 9

Change b2 = 1 to b2 = 8

Change b3 = 7 to b3 = 14

Change b4 = -9 to b4 = -6

By doing any of these changes, ΛB = -1. SP1 → SA1, SP2 → SA2, SP3 → SA3 and SP4 → SA4 are optimal tautologies.
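The bound-adjustment step shared by the systematic debugging example (Step 7 above, changing B so that ΛB < 0), the automatic debugging example (filtering the candidate changes against the designer's interval file) and the optimization step just shown (changing B so that ΛB = -1), as an added example that is not the lecture's or the tool's code. Λ = (1 1 1 2) and the two B vectors are taken from the slides; the interval file is constructed for this example in the slide's "name,lower,initial,upper" format and states the ranges as the slide's prose gives them (-2 ≤ b1 ≤ 7 and so on), which is what makes b4 the only admissible change. One caveat the code makes visible: for b4 the coefficient λ4 = 2 means no integer change reaches the target exactly, so the function rounds towards the smaller b4; this reproduces the slides' b4 = -6 in both examples, with ΛB = -2 rather than -1.

```python
# Added example (not the lecture's or the tool's code): adjusting one constant
# of B so that Lambda*B reaches a target value, then filtering the candidate
# changes against the designer's intervals as the automatic debugging does.

LAMBDA = (1, 1, 1, 2)            # positive solution of Atr Lambda_tr = 0 (from the slides)
B_DEBUG = [2, 1, 7, -3]          # B of the systematic debugging example (from the slides)
B_OPTIMIZE = [2, 1, 7, -9]       # B of the optimization example (from the slides)

# Constructed interval file in the slides' "name,lower,initial,upper" format,
# with the ranges written as the slide states them in words.
INTERVAL_FILE = """b1,-2,2,7
b2,-3,1,6
b3,3,7,12
b4,-6,-3,0
"""


def lambda_b(lam, rhs):
    """Lambda * B for a row vector and a column vector of the same length."""
    return sum(l * b for l, b in zip(lam, rhs))


def retarget_bounds(lam, rhs, target):
    """Candidate single-constant changes that bring Lambda*B to `target`.

    Changing b_i by delta changes Lambda*B by lam[i] * delta, so
    delta = (target - current) / lam[i]. When that is not an integer the
    floor is taken, which keeps Lambda*B <= target (the b4 case on the
    slides, where lam[3] = 2). Returns (index, old_b, new_b, new_lambda_b).
    """
    current = lambda_b(lam, rhs)
    changes = []
    for i, (coef, old) in enumerate(zip(lam, rhs)):
        delta = (target - current) // coef     # floor division on integers
        changes.append((i, old, old + delta, current + coef * delta))
    return changes


def parse_interval_file(text):
    """Parse 'name,lower,initial,upper' lines into {name: (lower, initial, upper)}."""
    intervals = {}
    for line in text.strip().splitlines():
        name, lower, initial, upper = (tok.strip() for tok in line.split(","))
        intervals[name] = (int(lower), int(initial), int(upper))
    return intervals


def automatic_choice(lam, rhs, intervals, target=-1):
    """Automatic debugging: keep only the changes that yield a negative dependency
    (new Lambda*B < 0) and whose new constant lies inside the designer's interval."""
    admissible = []
    for i, old, new, new_lb in retarget_bounds(lam, rhs, target):
        lower, _, upper = intervals[f"b{i + 1}"]
        if new_lb < 0 and lower <= new <= upper:
            admissible.append((i, old, new, new_lb))
    return admissible


if __name__ == "__main__":
    print("debugging candidates:", retarget_bounds(LAMBDA, B_DEBUG, -1))
    print("automatic choice:", automatic_choice(LAMBDA, B_DEBUG, parse_interval_file(INTERVAL_FILE)))
    print("optimization candidates:", retarget_bounds(LAMBDA, B_OPTIMIZE, -1))
```

For the debugging B the four candidates are b1 = -3, b2 = -4, b3 = 2 and b4 = -6, and only the last survives the interval filter; for the optimization B they are b1 = 9, b2 = 8, b3 = 14 and b4 = -6, the same four changes the slide lists.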

Page 54:

Summary

Verification, debugging and optimization of Linear RTL.

Page 55:

Reading suggestions

[Che2002] Cheng, A.M.K.: Real-Time Systems. Scheduling, Analysis, and Verification. Wiley-Interscience, 2002 (Chapter 6)

[AnC07] Andrei, S., Cheng, A.: Verification of Linear RTL-Specifications. Proceedings of the 28th IEEE Real-Time Systems Symposium, 2007

Page 56:

Coming up next

Decomposition technique of LRTL formulas

Page 57:

Thank you for your attention!

Questions?