Dependable Embedded Software Systems
Kim Guldstrand Larsen
UCb
BRICS: Basic Research in Computer Science, 1993-2006
Funding: 30+40+40 million DKK
Sites: Aalborg, Aarhus
Tools
Tools and BRICS
Logic: Temporal Logic; Modal Logic; MSOL; ...
Algorithmic: (Timed) Automata Theory; Graph Theory; BDDs; Polyhedra Manipulation; ...
Semantics: Concurrency Theory; Abstract Interpretation; Compositionality; Models for real-time & hybrid systems; ...
Tools: HOL, TLP, PVS, ALF, SPIN, visualSTATE, UPPAAL
Applications
A very complex system
Klaus Havelund, NASA
Rotterdam Storm Surge Barrier
Spectacular Software Bugs
ARIANE-5; INTEL Pentium II floating-point division
470 Mill US $
Baggage handling system, Denver: 1.1 Mill US $/day for 9 months
Mars Pathfinder
Radiation therapy, Therac-25
...
Embedded Systems
80% of all software is embedded in interacting devices.
Demand for increasing functionality with minimal resources.
The developer should ideally have several qualifications: software construction and development, hardware platforms, communication & protocols, validation (test and verification), ...
Embedded Systems = Pervasive Computing
Traditional Software Development
The Waterfall Model: Problem Area -> Analysis -> Design -> Implementation -> Testing -> Running System, with reviews between the phases
Costly in time-to-market and money
Errors are detected late or never
Application of FM's as early as possible
Model-based Validation
Design: Model, Specification, Verification & Refusal, Analysis, Validation (FORMAL METHODS; UML)
Implementation, Testing
Automatic code generation
Automatic test generation
How?
Unified Model = State Machine!
(Figure: a state machine with control states, input ports a, b (a?, b?) and output ports x, y (x!, y!))
Tamagotchi
(Figure: state machine with top-level states ALIVE and DEAD; inside ALIVE the sub-states Passive, Feeding (Meal, Snack), Light, Clean, Play, Discipline, Medicine and Care; events A, B, C)
Tick: Health := Health-1; Age := Age+1
Health=0 or Age=2.000: ALIVE -> DEAD
Health := Health-1
Digital Watch: Statechart = UML, David HAREL
SYNCmaster
SPIN, Gerald Holzmann, AT&T
visualSTATE
Hierarchical state systems
Flat state systems
Multiple and inter-related state machines
Supports UML notation
Device driver access
VVS with Baan Visualstate, DTU (CIT project)
UPPAAL
Tool Support
TOOL: given a System Description A and a Requirement F, the answer is Yes (with Prototypes, Executable Code, Test sequences) or No! (with Debugging Information)
Tools: UPPAAL, visualSTATE, SPIN, ESTEREL, Rhapsody, TeleLogic, Statemate, Formalcheck, ...
'State Explosion' problem
(Figure: M1 with states 1, 2, 3, 4 and M2 with states a, b, c; the product M1 x M2 has the 12 combined states (1,a), (2,a), ..., (4,c))
All combinations = exponential in no. of components
Provably theoretically intractable
Train Simulator: 1421 machines, 11102 transitions, 2981 inputs, 2667 outputs, 3204 local states; declared state space: 10^476
BUGS?
VVS / visualSTATE
Our techniques have reduced verification time by several orders of magnitude (e.g. from 14 days to 6 sec)
UPPAAL
Modelling and Verification of Real Time systems
UPPAAL2k: > 2000 users, > 45 countries
See www.uppaal.com
Collaborators
@Uppsala: Wang Yi, Johan Bengtsson, Paul Pettersson, Fredrik Larsson, Alexandre David, Tobias Amnell, Oliver Möller
@Aalborg: Kim G Larsen, Arne Skou, Paul Pettersson, Carsten Weise, Kåre J Kristoffersen, Gerd Behrmann, Thomas Hune, Oliver Möller
@Elsewhere: David Griffioen, Ansgar Fehnker, Frits Vaandrager, Klaus Havelund, Theo Ruys, Pedro D'Argenio, J-P Katoen, J. Tretmans, Judi Romijn, Ed Brinksma, Franck Cassez, Magnus Lindahl, Francois Laroussinie, Patricia Bouyer, Augusto Burgueno, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Justin Pearson, ...
Real Time Systems
(Figure: the Plant (continuous) is connected through sensors and actuators to the Controller Program (discrete), which consists of Tasks; Control Theory on the plant side, Computer Science on the controller side)
E.g.: Pump Control, Air Bags, Robots, Cruise Control, ABS, CD Players, Production Lines
Real Time System: a system where correctness not only depends on the logical order of events but also on their timing
Validation & Verification: Construction of UPPAAL models
(Figure: the Plant (continuous), its sensors and actuators, and the Controller Program (discrete) with its Tasks are each represented by automata, which together form the UPPAAL Model)
UPPAAL Model = Model of environment (user-supplied) + Model of tasks (automatic)
Intelligent Light Control
(Figure: locations Off, Light and Bright; every transition is on press?: Off -> Light, Light -> Bright, and back to Off)
WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.
Solution: Add real-valued clock x: reset x:=0 on Off -> Light; the second press? leads to Bright if x<=3 and to Off if x>3.
Timed Automata (Alur & Dill 1990)
Clocks: x, y
(Figure: locations n and m; the edge n -> m is labelled with action a, guard x<=5 & y>3 and reset x := 0)
Guard: Boolean combination of integer bounds on clocks and clock-differences.
Reset: Action performed on clocks.
Action: used for synchronization.
State: ( location , x=v , y=u ) where v,u are in R
Transitions:
Delay: ( n , x=2.4 , y=3.1415 ) --e(1.1)--> ( n , x=3.5 , y=4.2415 )
Action: ( n , x=2.4 , y=3.1415 ) --a--> ( m , x=0 , y=3.1415 )
Timed Automata: Invariants
(Figure: the same automaton with location invariants x<=5 and y<=10, and guards g1, g2, g3, g4)
Location invariants restrict delay: ( n , x=2.4 , y=3.1415 ) --e(1.1)--> ( n , x=3.5 , y=4.2415 ) is allowed, but the delay e(3.2) from the same state is not under the invariant x<=5, since x would become 5.6.
Invariants ensure progress!!
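As an added example (not code from the slides, nor from UPPAAL), the following small Python interpreter implements the two transition rules of timed automata described above, delay e(d) restricted by location invariants and action transitions with guard and reset, and encodes the Intelligent Light Control automaton with its clock x; the `Edge`, `TimedAutomaton` and `LIGHT` names, and the reading that the second press goes to Bright for x<=3 and to Off for x>3, are this example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
Valuation = Dict[str, float]            # clock name -> real value
State = Tuple[str, Valuation]           # (location, clock valuation)
ALWAYS: Callable[[Valuation], bool] = lambda v: True

@dataclass
class Edge:
    src: str
    action: str                         # synchronisation label, e.g. "press"
    dst: str
    guard: Callable[[Valuation], bool] = ALWAYS   # clock bounds, as a predicate
    resets: Tuple[str, ...] = ()        # clocks set to 0 when the edge is taken

@dataclass
class TimedAutomaton:
    edges: List[Edge]
    invariants: Dict[str, Callable[[Valuation], bool]] = field(default_factory=dict)

    def delay(self, state: State, d: float) -> State:
        # Delay e(d): advance all clocks by d; the location invariant (an upper bound) must still hold.
        loc, v = state
        new_v = {c: t + d for c, t in v.items()}
        if not self.invariants.get(loc, ALWAYS)(new_v):
            raise ValueError(f"delay {d} in {loc} violates the location invariant")
        return loc, new_v

    def fire(self, state: State, action: str) -> State:
        # Action transition: first edge on `action` with a true guard; reset clocks, check target invariant.
        loc, v = state
        for e in self.edges:
            if e.src == loc and e.action == action and e.guard(v):
                new_v = {c: (0.0 if c in e.resets else t) for c, t in v.items()}
                if self.invariants.get(e.dst, ALWAYS)(new_v):
                    return e.dst, new_v
        raise ValueError(f"no enabled {action!r} edge in {loc}")

    def run(self, state: State, trace: List) -> State:
        for step in trace:   # a trace mixes delays (numbers) and actions (strings)
            state = self.delay(state, step) if isinstance(step, (int, float)) else self.fire(state, step)
        return state

# The light controller of the slides, with the clock x (model constructed here).
LIGHT = TimedAutomaton(edges=[
    Edge("Off", "press", "Light", resets=("x",)),
    Edge("Light", "press", "Bright", guard=lambda v: v["x"] <= 3),  # second press quickly
    Edge("Light", "press", "Off", guard=lambda v: v["x"] > 3),      # second press too late
    Edge("Bright", "press", "Off"),
])
OFF: State = ("Off", {"x": 0.0})
```

Running `LIGHT.run(OFF, ["press", 1.0, "press"])` ends in Bright, while `LIGHT.run(OFF, ["press", 5.0, "press"])` ends in Off, which is exactly the WANT requirement of the light-control slide.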
Cruise Control
When the car ignition is switched on and the on button is pressed, the current speed is recorded and the system is enabled: it maintains the speed of the car at the recorded setting.
Pressing the brake, accelerator or off button disables the system. Pressing resume or on re-enables the system.
(Figure: the buttons)
Model Structure
The CONTROL system is structured as two processes: CruiseControl and SpeedControl.
The main actions and interactions are as shown.
(Figure: User and Engine interact with CruiseControl through engineOn, engineOff, on, off, resume, brake and accelerator; CruiseControl drives SpeedControl through clearSpeed, recordSpeed, enableControl and disableControl; SpeedControl exchanges dSpeed, cSpeed and acc with the Engine)
The CARA System
Computer Assisted Resuscitation System
Purpose: automate delivery of intravenous fluids to injured persons in catastrophic situations
Comprises software to: monitor the patient's blood pressure; control a high-output infusion pump
System Structure
(Figure only)
Case Studies: Protocols
Philips Audio Protocol [HS'95, CAV'95, RTSS'95, CAV'96]
Collision-Avoidance Protocol [SPIN'95]
Bounded Retransmission Protocol [TACAS'97]
Bang & Olufsen Audio/Video Protocol [RTSS'97]
TDMA Protocol [PRFTS'97]
Lip-Synchronization Protocol [FMICS'97]
Multimedia Streams [DSVIS'98]
ATM ABR Protocol [CAV'99]
ABB Fieldbus Protocol [ECRTS'2k]
IEEE 1394 Firewire Root Contention (2000)
visualSTATE: VVS, CIT project
visualSTATE Tester / Verification
No local nor global dead-ends
No never interpreted events
No fired actions
No conflicting transactions
No unreachable states
All combinations are checked!
100% Tested!
No bugs allowed!
Experimental Breakthroughs (Patented)
System | Mach. | State space: Declared | Reach | Checks | St-of-Art Sec | VisualST Sec | VisualST MB | ComBack Sec | ComBack MB
VCR    | 7    | 10^5   | 1279      | 50   | <1   | <1   | 6   | <1   | 7
JVC    | 8    | 10^4   | 352       | 22   | <1   | <1   | 6   | <1   | 6
HI-FI  | 9    | 10^7   | 1416384   | 120  | 1200 | 1.0  | 6   | 3.9  | 6
Motor  | 12   | 10^7   | 34560     | 123  | 32   | <1   | 6   | 2.0  |
AVS    | 12   | 10^7   | 1438416   | 173  | 3780 | 6.7  | 6   | 5.7  | 6
Video  | 13   | 10^8   | 1219440   | 122  | ---  | 1.1  | 6   | 1.5  | 6
Car    | 20   | 10^11  | 9.2·10^9  | 83   | ---  | 3.8  | 9   | 1.8  | 6
N6     | 14   | 10^10  | 6399552   | 443  | ---  | 32.3 | 7   | 218  | 6
N5     | 25   | 10^12  | 5.0·10^10 | 269  | ---  | 56.2 | 7   | 9.1  | 6
N4     | 23   | 10^13  | 3.7·10^8  | 132  | ---  | 622  | 7   | 6.3  | 6
Train1 | 373  | 10^136 | ---       | 1335 | ---  | ---  | --- | 25.9 | 6
Train2 | 1421 | 10^476 | ---       | 4708 | ---  | ---  | --- | 739  | 11
Machine: 166 MHz Pentium PC with 32 MB RAM
---: Out of memory, or did not terminate after 3 hours.
Our techniques have reduced verification time by several orders of magnitude (e.g. from 14 days to 6 sec)
Who is CISS?
Institute of Computer Science: BRICS@Aalborg (Modelling and Validation; Programming Languages; Software Engineering)
Institute of Electronic Systems: Embedded Systems (Communication; HW/SW; Power Management); Distributed Real Time Systems (Control Theory; Real Time Systems; Networking)
ICT Companies
Funding: VTU 25.5 MDKK; Regional Councils of Northern Jutland & Aalborg City 12 MDKK; AAU 12.75 MDKK; Companies 12.75 MDKK
Typical Activities
Co-financed R&D projects and case-studies
Industrial training and education
Seminars, workshops and networks of knowledge transfer and exchange
Ph.D. and industrial Ph.D. projects
Visiting guest researchers
Student projects
Organisation
CISS Board: Søren Damgaard, IBM; Jørgen Elbæk, RTX; Steen Rasmussen, S-Card; Frands Voss, MCI & Danfoss; Flemming Fredriksen; Anders P. Ravn; Wladyslaw Pietraszek
Technical Integration Board: Henrik Schiøler, Arne Skou, Peter Koch
Director: Kim Guldstrand Larsen
Administrator
Member Companies
Where is CISS?
Aalborg University