The Mana Project
Lars Asplund, Kristina Lundqvist
Uppsala University, Information Technology, Dept of Computer Systems
Background
• Formal methods have been used in a number of safety critical systems
  • TGV
  • train signalling system in Paris
• Today's safety critical systems use cyclic executives.
• Research takes for granted that a system consists of processes (scheduling, priorities), and that there is communication between these.
• Process based safety critical systems - formal methods (Raven, Enea ...)
Ada 83
• Tasking: Rendez-vous, Dynamic Hierarchy, Termination, ...
• Ada-83: Complex Run-Time, No Formal Proofs
• For High Integrity Systems, subsets:
  • SPARK (No tasking)
  • Boeing
  • ...
Ada 95
• Ada-95 tasking: Rendez-vous, Dynamic Hierarchy, Termination, ..., Protected Objects, ATC, requeue, delay until, new interrupts, task attributes, ...
• Subsets:
  • GNORT (Gnat NO Run-Time)
  • SPARK-95
  • Ravenscar: Tasking, Protected Objects, delay until, new interrupts, task attribute
Ada 95 and Ravenscar
• The Ravenscar profile has been proposed as a possible standard runtime support system suitable for safety critical real-time Ada 95 applications.
• The subset provides enough functionality for the targeted systems.
Ravenscar - tasking
• Library level
• No dynamic creation
• No unchecked deallocation
• Non-terminating
• No entries
• No user defined attributes
• Keep task discriminants
• No ATC
Ravenscar - Protected Objects
• Single Entry
• Barrier a single Boolean
• Only one task in the entry queue
Ravenscar - Communication
• No Rendez-vous
• No requeue
• No select statement
• Interrupts are mapped only to PO procedures
Ravenscar - Real Time
• delay until for delays
• No Calendar
• Clock from Real-Time package
• No dynamic priorities
• Immediate Ceiling Priority
The Mana Project
• Project Aim: Develop and model a run-time system using formal development methodologies. Implement for the GNU Ada-95 compiler.
• Target: Safety critical systems at the highest degree of safety, e.g. nuclear power plants, ATC, aircraft, ...
The Mana Project
• Chosen language:
  • Subset of Ada 95: Ravenscar
• Representation model: Timed Automata
  • FSAs extended with clocks and constraints
• Verification scheme: A Real-Time Model Checker
  • UPPAAL: Modelling, simulation, and verification tool
A System Model (diagram)
• Application: tasks T1, T2, T3 and protected object PO with procedure P, entry E and function F; interactions: Delay until, Task dispatch
• Run-Time Kernel: Scheduler, Ready Queue, Delay Queue, Clock, idle task T0
A Verification Session
• Design: Timed Automata model of
  1. An application (user code)
  2. Run-time kernel (Mana)
• Simulation of design
• Verification by checking reachability properties
Simple application (T1): delay sequence, protected procedure call

   task body T1 is  -- at priority 1
      -- Ada.Real_Time: Time + Time_Span, so the 30.0 seconds become a Time_Span
      NextTime : Time := Clock + To_Time_Span (30.0);
   begin
      loop
         Work (5);          -- Work (N): assumed procedure that computes for N time units
         delay until NextTime;
         PO.P;              -- releases the PO entry
         NextTime := NextTime + To_Time_Span (30.0);
      end loop;
   end T1;
Protected Procedure / Calling Task (timed automaton diagram): locations and labels Procedure Start, Procedure begin, Preemption, Release of Entry
Protected entry, task T2

   task body T2 is  -- at priority 2
      Cond : Boolean := False;
   begin
      loop
         Work (10);
         if Cond then
            PO.E;          -- queues on the entry until the barrier is true
         else
            Cond := not Cond;
            Work (5);
         end if;
         Work (4);
      end loop;
   end T2;
Protected Entry / Calling Task (timed automaton diagram): Entry Start; three cases: Lock Free and no Barrier, Barrier true, Released by Procedure
Protected Entry / Calling Task (timed automaton diagram, continued): Executing; Preemption; Exception; Preemption in exception; Normal end
Protected procedure and delay, task T3

   task body T3 is  -- at priority 3
      NextTime : Time := Clock + To_Time_Span (18.0);
   begin
      loop
         case Cmd is   -- Cmd: assumed input of an enumeration (Ack, Connect, Disconnect, Send)
            when Ack =>
               for I in 1 .. 4 loop
                  Work (5);
                  PO.P;
               end loop;
            when Connect    => Work (15);
            when Disconnect => Work (20);
            when Send       => Work (10);
         end case;
         delay until NextTime;
         NextTime := NextTime + To_Time_Span (18.0);
      end loop;
   end T3;
A view of the System (diagram): tasks T1, T2, T3 and Prot Obj (P, E, F) above the run-time kernel (Scheduler, Ready Queue, Delay Queue, Clock, T0); arrows Delay until and Task dispatch
Miscellaneous (also modelled): Protected Function, Delay Queue, System Clock
The Run-Time System (diagram): Prot Obj with F, E, P
Building the System (diagram): T1 connected to Prot Obj (F, E, P)
A more Complete System (diagram): T1, T2 and Prot Obj (F, E, P)
A Complete System (diagram): T1, T2, T3 and Prot Obj (F, E, P)
Scheduler and Idle process (timed automata diagram)
• Idle Process automaton: Start, Idle Process is running, Idle Process Preempted; synchronisations Resume!, Preempt!
• Scheduler automaton locations: Medium Process available, Medium Process running, Medium Process Preempted, High Process available, High Process running; channels Suspend!, Preempt!, Preempt?, Resume?
• On Resume? the CPU priority is set: Pcpu := PLow, Pcpu := PMed or Pcpu := PHigh
Verifying Reachability Properties
• Statement format: Invariant(b) | Possible(b)
  where b ::= (atomic-formula) | b1 ∧ b2 | ¬b | b → b'
• Examples:
  • Possible(CPU'Count > 1)
    At any point in time, there must be only one task executing
  • Invariant(P.Completed and E.Queue'Count > 0 and E.Barrier imply Exec(E.Code, P.Context))
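The system model and the verification session above, as an added example that is not the Mana project's UPPAAL model: a hand-written Python abstraction of the slides' system (tasks T1, T2, T3 with the priorities, work amounts and delay-until periods shown; one protected object with procedure P and a single entry E guarded by a Boolean barrier; ceiling priority, so a protected body is never preempted; release on behalf, so the task that completes P runs E's body for the queued caller), together with an explicit-state reachability checker that evaluates Invariant(b) and Possible(b) properties and returns a witness trace the way a model checker does. Everything not on the slides is an assumption: time is discrete (one tick per unit of Work), P and E bodies take 1 and 2 ticks, T2's Cond and T3's Cmd are free choices, a task that overruns its release restarts its period from the current time (keeps the state space finite), exploration is capped and reported as exhaustive or not, and the property names are mine.

```python
"""Bounded reachability check of a Ravenscar-style run-time model (added example)."""
from collections import deque

P_BODY, E_BODY = 1, 2   # assumed lengths, in ticks, of the PO.P and PO.E bodies
# name -> (priority, period, program); ops: ("work", n) | ("P",) | ("E",) | ("delay",)
# | ("choice", branches); period 0: never delays.  T2's Cond is abstracted as a free choice.
TASKS = {
    "T1": (1, 30, (("work", 5), ("delay",), ("P",))),
    "T2": (2, 0, (("work", 10), ("choice", ((("E",),), (("work", 5),))), ("work", 4))),
    "T3": (3, 18, (("choice", (tuple([("work", 5), ("P",)] * 4),      # Ack
                               (("work", 15),), (("work", 20),),       # Connect, Disconnect
                               (("work", 10),))), ("delay",))),        # Send
}
NAMES = tuple(TASKS)
# state = (per task (ops, work_left, ticks_to_release), barrier, entry queue, protected
#          action (executor, ticks_left, kind, on_behalf_of) or None)
INITIAL = (tuple((TASKS[n][2], 0, TASKS[n][1]) for n in NAMES), False, (), None)

def settle(ts):
    """Zero-time bookkeeping: restart finished loop bodies, pass expired delays."""
    out = []
    for n, (ops, left, rel) in zip(NAMES, ts):
        while not ops or (ops[0][0] == "delay" and rel == 0):
            if ops:                                   # delay until NextTime has expired
                ops, rel = ops[1:], TASKS[n][1]       # NextTime := NextTime + period
            else:                                     # end of loop body: start over
                ops = TASKS[n][2]
        out.append((ops, left, rel))
    return out

def successors(state):
    """States reachable by one zero-time choice or by one tick of execution."""
    ts, barrier, queue, pa = state
    ts = settle(ts)
    for i, (ops, left, rel) in enumerate(ts):         # resolve a pending choice first
        if ops[0][0] == "choice":
            return [(tuple(ts[:i] + [(br + ops[1:], left, rel)] + ts[i + 1:]),
                     barrier, queue, pa) for br in ops[0][1]]
    ready = [n for n, (o, _, _) in zip(NAMES, ts)     # not delayed, not queued on E
             if o[0][0] != "delay" and not (o[0][0] == "E" and n in queue)]
    # ceiling priority: a protected action keeps the CPU; else highest ready; None = idle
    run = pa[0] if pa else (max(ready, key=lambda n: TASKS[n][0]) if ready else None)
    if run is not None:
        i = NAMES.index(run)
        ops, left, rel = ts[i]
        if pa is None:
            op = ops[0][0]
            if op == "work":
                left = (left or ops[0][1]) - 1
                ops = ops[1:] if left == 0 else ops
            elif op == "P":
                pa = (run, P_BODY, "P", None)
            elif barrier:                             # open barrier: caller runs E's body
                pa = (run, E_BODY, "E", None)
            else:                                     # closed barrier: join the entry queue
                queue = queue + (run,)
        ts[i] = (ops, left, rel)
        if pa:                                        # one tick of the protected body
            ex, t, kind, ben = pa
            pa = (ex, t - 1, kind, ben) if t > 1 else None
            if pa is None and kind == "P":
                barrier = True
                j = NAMES.index(ex); ts[j] = (ts[j][0][1:],) + ts[j][1:]        # P done
                if queue:                             # release on behalf of the waiter
                    pa = (ex, E_BODY, "E", queue[0])
            elif pa is None:
                barrier = False
                j = NAMES.index(ben or ex); ts[j] = (ts[j][0][1:],) + ts[j][1:]  # E done
                queue = queue[1:] if ben else queue
    return [(tuple((o, l, max(r - 1, 0)) for o, l, r in ts), barrier, queue, pa)]

def explore(limit=80_000):
    """Breadth-first search; returns parent links and whether it was exhaustive."""
    parent, todo = {INITIAL: None}, deque([INITIAL])
    while todo and len(parent) < limit:
        s = todo.popleft()
        for nxt in successors(s):
            if nxt not in parent:
                parent[nxt] = s; todo.append(nxt)
    return parent, not todo

def possible(parent, prop):
    """Possible(b): shortest trace to an explored state satisfying b, else None."""
    for s in parent:                                  # insertion order = BFS order
        if prop(s):
            trace = [s]
            while parent[trace[-1]] is not None:
                trace.append(parent[trace[-1]])
            return trace[::-1]
    return None

def invariant(parent, prop):
    """Invariant(b): b holds in every explored state."""
    return possible(parent, lambda s: not prop(s)) is None

# Properties in the Invariant/Possible style of the slide (names are mine).
def e_runs_in_p_context(s):   # open barrier with a waiter only while E's code runs for it
    barrier, queue, pa = s[1:]
    return not (barrier and queue) or (pa is not None and pa[2] == "E" and pa[3] == queue[0])
def overrun(s):               # a periodic task's release is due while it is still busy
    return any(TASKS[n][1] and r == 0 and (not o or o[0][0] != "delay")
               for n, (o, _, r) in zip(NAMES, s[0]))
```

Usage: `parent, exhaustive = explore()` builds the explored state graph; `invariant(parent, e_runs_in_p_context)` checks the slide's second property (it holds), `possible(parent, overrun)` returns the shortest trace to a state where a release falls due while the task is still working (with the slide's numbers such a trace exists, since T2 never delays and T3's Disconnect case needs 20 units in an 18-unit period), and `possible(parent, lambda s: s[3] is not None and s[3][2] == "E" and s[3][3] == "T2")` is the trace in which T1 completes P and executes E's body on behalf of the queued T2 at ceiling priority. A state cap of 80 000 keeps the run to a few seconds; when `exhaustive` is False an invariant is only established for the explored prefix, which is the bounded-model-checking caveat to keep in mind when reading such results.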
Conclusions and future work
• Have today modelled a full Ravenscar compliant RTK
  • PO: priorities, preemption
  • Procedure, Function and Entry
  • Release on behalf
  • delay until
  • exception handling in PO
  • interrupt
Conclusions and future work
• Verified the Mana-RTK together with a small application
• Next step is to implement the Mana-RTK
• Automatic translation from Ada into TA
• http://www.docs.uu.se/mana