Download ppt - Dependable Embedded Software Systems

Dependable Embedded Software Systems

Kim Guldstrand Larsen

UCb

2UCb

BRICS Machine Basic Research in Computer Science, 1993-2006

30+40+40 Millkr

100

100

Aalborg Aarhus

Tools

3UCb

Tools and BRICS

Logic• Temporal Logic• Modal Logic• MSOL • •

Algorithmic• (Timed) Automata Theory• Graph Theory• BDDs• Polyhedra Manipulation• •

Semantics• Concurrency Theory• Abstract Interpretation• Compositionality• Models for real-time & hybrid systems• •

HOL TLP

Applications

PVS ALF

SPINvisualSTATE UPPAAL

4UCb

A very complex system

Klaus Havelund, NASA

5UCb

Rotterdam Storm Surge Barrier

6UCb

Spectacular Software Bugs

ARIANE-5 INTEL Pentium II floating-point division

470 Mill US $

Baggage handling system, Denver 1.1 Mill US $/day for 9 months

Mars Pathfinder Radiation theraphy, Therac-25 …….

7UCb

Embedded Systems

80% af al software er indlejret i interagerende apparater.

Krav om stigende funktionalitet med minimale resourcer

Udvikler skal ideelt set have adskillige kvalifikationer

sofwarekonstr. og –udvikl. hardware platforme, kommunikatíon &

protokoller, validering (test og

verifikation),……….

Indlejrede Systemer =

Pervasive Computing

Indlejrede Systemer =

Pervasive Computing

8UCb

Traditional Software Development

The Waterfall Model

Analyse

Design

Implementation

Testing Costly in time-to-market and money Errors are detected late or never Application of FM’s as early as possible

ProblemArea

Runni

ng

Syst

em

REVI

EWS

REVI

EWS

9UCb

Modelbased Validation

Design Model SpecificationVerification & Refusal

AnalysisValidation

FORMAL

METHODS

Implementation

Testing

UML

10UCb



AnalysisValidation

FORMAL

METHODS

Implementation

Testing

UML

AutomaticCode generation

11UCb



AnalysisValidation

FORMAL

METHODS

Implementation

Testing

UML

AutomaticCode generation

AutomaticTest generation

12UCb

How?

Unified Model = State Machine!

a

b

x

ya?

b?

x!

y!b?

Control states

Inputports

Outputports

13UCb

TamagotchiA C

Health=0 or Age=2.000

B

Passive Feeding Light

Clean

PlayDisciplineMedicine

Care

Tick

Health:=Health-1; Age:=Age+1

AA

A

A

AA

A

A

Meal

Snack

B

B

ALIVE

DEAD

Health:= Health-1

14UCb

Digital Watch Statechart=UML, David HARELStatechart=UML, David HAREL

15UCb

SYNCmaster

16UCb

SP

IN, G

erald H

olzm

ann

AT

&T

17UCb

visualSTATE

Hierarchical state systems

Flat state systems Multiple and

inter-related state machines

Supports UML notation

Device driver access

VVS w Baan Visualstate, DTU (CIT project)

18UCb

UP

PA

AL

19UCb

Tool Support

TOOLTOOL

System Description A

Requirement F Yes, Prototypes Executable Code Test sequences

No!Debugging Information

Tools: UPPAAL, visualSTATE, SPIN, ESTEREL, Rhapsody, TeleLogic, Statemate, Formalcheck,..

Tools: UPPAAL, visualSTATE, SPIN, ESTEREL, Rhapsody, TeleLogic, Statemate, Formalcheck,..

20UCb

‘State Explosion’ problem

a

cb

1 2

43

1,a 4,a

3,a 4,a

1,b 2,b

3,b 4,b

1,c 2,c

3,c 4,c

All combinations = exponential in no. of components

M1 M2

M1 x M2

Provably theoretical

intractable

21UCb

Train Simulator1421 machines11102 transitions2981 inputs2667 outputs3204 local statesDeclare state sp.: 10^476

BUGS ?

VVS

22UCb

Train Simulator1421 machines11102 transitions2981 inputs2667 outputs3204 local statesDeclare state sp.: 10^476

BUGS ?

VVSvisualSTATE

Our techniuqes has reduced verific

ation

time w

ith several orders of magnitude

(ex 14 days to 6 sec)

UPPAALUPPAAL

Modelling and Verification of Real Time systems

UPPAAL2k > 2000 users > 45 countries

UPPAAL2k > 2000 users > 45 countries

See www.uppaal.com

!!!!

See www.uppaal.com

!!!!

http://www.uppaal.com/






24UCb

Collaborators@UPPsala

Wang Yi Johan Bengtsson Paul Pettersson Fredrik Larsson Alexandre David Tobias Amnell Oliver Möller

@AALborg Kim G Larsen Arne Skou Paul Pettersson Carsten Weise Kåre J Kristoffersen Gerd Behrman Thomas Hune Oliver Möller

@Elsewhere David Griffioen, Ansgar Fehnker, Frits Vandraager, Klaus Havelund,

Theo Ruys, Pedro D’Argenio, J-P Katoen, J. Tretmans,Judi Romijn, Ed Brinksma, Franck Cassez, Magnus Lindahl, Francois Laroussinie, Patricia Bouyer, Augusto Burgueno, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Justin Pearson...

25UCb

Real Time Systems

PlantContinuous

Controller ProgramDiscrete

Control Theory Computer Science

Eg.:Pump ControlAir BagsRobotsCruise ControlABSCD PlayersProduction Lines

Real Time SystemA system where correctness not only depends on the logical order of events but also on their timing

Real Time SystemA system where correctness not only depends on the logical order of events but also on their timing

sensors

actuators

TaskTask

TaskTask

26UCb

Validation & VerificationConstruction of UPPAAL models

PlantContinuous

Controller ProgramDiscrete

sensors

actuators

TaskTask

TaskTask

a

cb

1 2

43

a

cb

1 2

43

1 2

43

1 2

43

a

cb

UPPAAL Model

Modelofenvironment(user-supplied)

Model oftasks(automatic)

27UCb

Intelligent Light Control

Off Light Brightpress? press?

press?

press?

WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.

28UCb

Intelligent Light Control

Off Light Brightpress? press?

press?

press?

Solution: Add real-valued clock x

X:=0X<=3

X>3

29UCb

Timed Automata

n

m

a

Alur & Dill 1990

Clocks: x, y

x<=5 & y>3

x := 0

Guard Boolean combination of integer boundson clocks and clock-differences.

ResetAction perfomed on clocks

Transitions

( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )

e(1.1)

( n , x=2.4 , y=3.1415 ) ( m , x=0 , y=3.1415 )

a

State ( location , x=v , y=u ) where v,u are in R

Actionused

for synchronization

30UCb

n

m

a

Clocks: x, y

x<=5 & y>3

x := 0

Transitions

( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )

e(1.1)

( n , x=2.4 , y=3.1415 )

e(3.2)

x<=5

y<=10

LocationInvariants

g1g2 g3

g4

Timed Automata Invariants

Invariants ensure

progress!!

Invariants ensure

progress!!

31UCb

Cruise ControlWhen the car ignition is switched on and the on button is pressed, the current speed is recorded and the system is enabled: it maintains the speed of the car at the recorded setting.

Pressing the brake, accelerator or off button disables the system. Pressing resume or on re-enables the system.

buttons

32UCb

Model Structure

The CONTROL system is structured as two processes.

The main actions and interactions are as shown.

The CONTROL system is structured as two processes.

The main actions and interactions are as shown.

CruiseControl

CruiseControl

SpeedControl

SpeedControl

UserUser

EngineEngine

engineOnengineOffonoffresumebrakeaccelerator clearSpeed

recordSpeedenablecontroldisablecontrol

dSpeedcSpeedacc

33UCb

UserUser EngineEngine

34UCb

The CARA System

Computer Assisted Resuscitation System

Purpose: automate delivery of intravenous fluids to injured persons in catastrophic situations

Comprises: software to: monitor patient’s blood pressure control a high-output infusion pump

35UCb

System Structure

36UCb

System Structure

37UCb

Case Studies: Protocols

Philips Audio Protocol [HS’95, CAV’95, RTSS’95, CAV’96]Collision-Avoidance Protocol [SPIN’95]

Bounded Retransmission Protocol [TACAS’97]

Bang & Olufsen Audio/Video Protocol [RTSS’97]

TDMA Protocol [PRFTS’97]

Lip-Synchronization Protocol [FMICS’97]

Multimedia Streams [DSVIS’98]

ATM ABR Protocol [CAV’99]

ABB Fieldbus Protocol [ECRTS’2k]

IEEE 1394 Firewire Root Contention (2000)

38UCb

visualSTATE VVS, CIT projectVVS, CIT project

39UCb

No local nor global dead-ends

No never interpreted events

No fired actions No conflicting transactions No unreachable states

All combinations are checked!

visualSTATE Tester Verification

100%Tested!

No bugs allowed!

40UCb

Train Simulator1421 maskiner11102 transitioner2981 inputs2667 outputs3204 lokale tilstandeDeclare state sp.: 10^476

BUGS ?

41UCb

Experimental BreakthroughsPatented

State Space St-of-Art ComBackSystem Mach.Declared Reach

Checks VisualST Sec MB Sec MB

VCR 7 10 5̂ 1279 50 <1 <1 6 <1 7JVC 8 10 4̂ 352 22 <1 <1 6 <1 6HI-FI 9 10 7̂ 1416384 120 1200 1.0 6 3.9 6Motor 12 10 7̂ 34560 123 32 <1 6 2,0AVS 12 10 7̂ 1438416 173 3780 6.7 6 5.7 6Video 13 10 8̂ 1219440 122 --- 1.1 6 1.5 6Car 20 10 1̂1 9.2 10 9̂ 83 --- 3.8 9 1.8 6N6 14 10 1̂0 6399552 443 --- 32.3 7 218 6N5 25 10 1̂2 5.0 10 1̂0 269 --- 56.2 7 9.1 6N4 23 10 1̂3 3.7 10 8̂ 132 --- 622 7 6.3 6Train1 373 10^136 --- 1335 --- --- --- 25.9 6Train2 1421 10^476 --- 4708 --- --- --- 739 11

Machine: 166 MHz Pentium PC with 32 MB RAM

---: Out of memory, or did not terminate after 3 hours.

42UCb

Experimental BreakthroughsPatented

State Space St-of-Art ComBackSystem Mach.Declared Reach

Checks VisualST Sec MB Sec MB

VCR 7 10 5̂ 1279 50 <1 <1 6 <1 7JVC 8 10 4̂ 352 22 <1 <1 6 <1 6HI-FI 9 10 7̂ 1416384 120 1200 1.0 6 3.9 6Motor 12 10 7̂ 34560 123 32 <1 6 2,0AVS 12 10 7̂ 1438416 173 3780 6.7 6 5.7 6Video 13 10 8̂ 1219440 122 --- 1.1 6 1.5 6Car 20 10 1̂1 9.2 10 9̂ 83 --- 3.8 9 1.8 6N6 14 10 1̂0 6399552 443 --- 32.3 7 218 6N5 25 10 1̂2 5.0 10 1̂0 269 --- 56.2 7 9.1 6N4 23 10 1̂3 3.7 10 8̂ 132 --- 622 7 6.3 6Train1 373 10^136 --- 1335 --- --- --- 25.9 6Train2 1421 10^476 --- 4708 --- --- --- 739 11

Machine: 166 MHz Pentium PC with 32 MB RAM

---: Out of memory, or did not terminate after 3 hours.

Vore teknikker h

ar reduceret

verifikationstid

en med flere

større

lsesordner

(ex fra 14 dage til

6 sec)

43UCb

Who is CISS ?

Institute ofComputer Science


Institute ofElectronic Systems


BRICS@AalborgModelling and Validation;Programming Languages;

Software Engineering



Embedded SystemsCommunication;

HW/SWPower Management



Distributed Real Time Systems

Control Theory;Real Time Systems;

Networking.



Networking.

UCb

ICT CompaniesICT Companies

44UCb

Who is CISS ?















Networking.



Networking.

UCb

ICT CompaniesICT Companies

VTU25.5 MDKK

VTU25.5 MDKK

RegionalCouncils of Northern Jutland &Aalborg City12 MDKK

RegionalCouncils of Northern Jutland &Aalborg City12 MDKK

AAU12.75 MDKK

AAU12.75 MDKK

Companies12.75 MDKK

Companies12.75 MDKK

45UCb

Typical Activities

Co-financed R&D projects and case-studies

Industrial training and education

Seminars, workshops and networks of knowledge transfer and exchange

Ph.D. and industrial Ph.D. projects

Visiting Guest researchers Student projects

46UCb

Organisation

T echnicalIntegration Board

Adm inistrator

Director

CISS Board

Søren Damgaard, IBM

Jørgen Elbæk, RTXSteen Rasmussen, S-CardFrands Voss, MCI & Danfoss

Flemming FredriksenAnders P. RavnWladyslaw Pietraszek

Søren Damgaard, IBM

Jørgen Elbæk, RTXSteen Rasmussen, S-CardFrands Voss, MCI & Danfoss

Flemming FredriksenAnders P. RavnWladyslaw Pietraszek

Henrik SchiølerArne SkouPeter Koch

Henrik SchiølerArne SkouPeter Koch

Kim Guldstrand LarsenKim Guldstrand Larsen

47UCb

Member Companies

48UCb

Where is CISS ?

Aalborg University