Compositional Analysis of Timed Systems by Abstraction
Leonid Mokrushin
TAPVES 2007-02-08
Outline
• Motivation
• Arrival/Service Curves
• Compositional Analysis
• TA as Curve Transformers
• Abstracting TA
• Examples and Demo
• Conclusions
The ABB Robot Controller
(figure: tasks A, B, C, D exchanging Commands, High-level instructions and Requests over channels; "Welding program", "Precise moves")
• ABB robot controller (2 500 000 loc)
• Real-time tasks A, B, C, D
• Read inputs from channels, write output to channels
• Task priority order D > C > B > A (FPS)
• Buffer overflow/underflow, WCRT
Old Results (CFSM)
(figure: channel topologies A–B, A–A–B, half duplex A–B, and A–B–C ring)
• Turing power
• Equivalent to finite automata
• People: Brand, Zafiropulo, Pachl, Purush Iyer, Finkel, Abdulla, Jonsson
Communicating Timed Automata (CTA)
(figure: timed automata A, B, C connected by FIFO channels)
• Replace finite automata by timed automata
• Communication via unbounded FIFO channels
• Time is global (time passes globally and for all automata at the same pace)
• A, B, C – timed automata
• Negative results carry over
• Positive results do not carry over (previous proofs do not work in the timed setting)
CTA – Results [CAV06, Pavel & Wang]
(figure: A→B with one channel; A→B→C with two channels)
• CTA with one channel
  • Accepts non-regular context-free languages
  • Only regular languages in the untimed case!
  • Equivalent to Petri nets with one unbounded place (eager reading: one-counter machines)
• CTA with two channels
  • Non-context-free context-sensitive languages
  • Petri nets with two unbounded places (eager reading: Turing machines)
The ABB Robot Controller
(figure: TA_A, TA_B, TA_C, TA_D and the scheduler TA_SCH with the task ready queue and shared variables)
TA_A × TA_B × TA_C × TA_D × TA_SCH with queues is TOO BIG
In general: precise analysis is impossible
Our hope: find a suitable abstraction
Kahn Process Networks ('70s)
(figure: process network with processes A, B, C and streams S1–S6)
• Modeling distributed, signal-processing systems
• S1, S2, S3, … – streams: possibly infinite sequences of letters
• A, B, C – processes: mappings from streams to streams, e.g., B maps (S2, S6) to S5
Abstract Stream Transformers
(figure: components A1, A2, A3 with queues Q1, Q2, connected by abstract streams)
• Components = abstract stream transformers
• An abstract stream defines a timed language
• Asynchronous communication
• Network Calculus (Cruz, Le Boudec, Thiran '91–'04): arrival curves
• Real-Time Calculus (Thiele, Chakraborty '00s): upper/lower arrival/service curves
Arrival/Service Curves
• Arrival curves (events / data): number of events against window size, with an upper bound and a lower bound; derived from an event stream such as (a,3)(a,3.34)(a,3.39)(a,4)(a,10)...
• Service curves (resources): available service against window size, with an upper bound and a lower bound; derived from a resource stream such as (100%,0)(50%,3.3)(100%,7)...
(figure: events and available resources plotted over time, and the resulting curves plotted over window size)
Building an Arrival Curve
(figure: windows [0,4] and [1,5] of the same size slid over an event stream)
• Slide a timed window of a fixed size
• Count the max/min number of events in the window
• Choose another window, etc.
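The sliding-window construction above, written out as an added example (this is not code from the slides or from the TIMES/UPPAAL tool). It computes the upper and lower arrival curves of a finite event trace and also checks a trace against a given pair of curves; the trace, the horizon and the window-size range are constructed for this example. Upper bounds use closed windows [t, t+Δ] and lower bounds half-open windows (t, t+Δ], so that a single time-stamp cannot be counted in a way that makes the bounds contradict each other.

```python
# Constructed sample event trace (time-stamps), observed over [0, HORIZON].
# Not the stream from the slides.
TRACE = [1, 2, 4, 4.5, 5, 9, 10, 13]
HORIZON = 16


def upper_arrival(events, delta):
    """Max number of events in any closed window [t, t+delta].

    Sliding a window to the right until its left edge meets an event never
    lowers the count, so windows that start at an event are the only
    candidates for the maximum."""
    return max(sum(1 for e in events if t <= e <= t + delta) for t in events)


def lower_arrival(events, delta, horizon):
    """Min number of events in any window (t, t+delta] placed inside [0, horizon].

    As t grows the count rises when an event enters on the right and drops
    exactly when t passes an event on the left, so t = 0 and t = each event
    time are the only candidates for the minimum."""
    if delta > horizon:
        raise ValueError("window larger than the observed trace")
    starts = [0] + [t for t in events if t + delta <= horizon]
    return min(sum(1 for e in events if t < e <= t + delta) for t in starts)


def arrival_curves(events, max_window, horizon):
    """(lower, upper) arrival curves for window sizes 1..max_window."""
    sizes = range(1, max_window + 1)
    return ([lower_arrival(events, w, horizon) for w in sizes],
            [upper_arrival(events, w) for w in sizes])


def conforms(events, lower, upper, horizon):
    """True iff for every window size w the trace has at least lower[w-1] and
    at most upper[w-1] events in every window of that size."""
    return all(lower[w - 1] <= lower_arrival(events, w, horizon)
               and upper_arrival(events, w) <= upper[w - 1]
               for w in range(1, len(upper) + 1))


if __name__ == "__main__":
    lo, up = arrival_curves(TRACE, 8, HORIZON)
    for w, (l, u) in enumerate(zip(lo, up), start=1):
        print(f"window {w}: min {l}, max {u} events")
```

Both functions are quadratic in the trace length, which is fine for traces recorded from a simulation; the curves they return are exactly the staircase bounds the slide sketches, one value per integer window size.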
Timing Analysis
(figure: worst-case request (upper arrival curve) and guaranteed resource (lower service curve) plotted as number of events against window size)
• Backlog bound = max vertical distance (required buffer size)
• Delay bound = max horizontal distance (flow delay bound, response time)
Compositional Timing Analysis
(figure: task T1 with input event stream S_I, available resources S_AR, output S_O and remaining resources S_RR; tasks T1–T4 chained along the event and resource streams)
• Component = stream transformer
• Stream = upper & lower bounds
• Real-Time Calculus: S_O = f_E(S_I, S_AR), S_RR = f_R(S_I, S_AR)
• Compositional analysis: scheduling, end-to-end delay, backlog
Resources & Scheduling
(figure: tasks A, B, C, D stacked by priority; D receives 100% of the CPU, every lower level receives <100%)
• Fixed priority scheduling policy
• Priority order: Priority(A) < Priority(B) < Priority(C) < Priority(D)
• Highest priority task has 100% of CPU
• Negative service curve = non-schedulable
• Opposite direction gives min resource
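An added example for the Timing Analysis and Resources & Scheduling slides, not code from the talk or from the TIMES tool: it represents curves as lists indexed by integer window size, computes the backlog bound (max vertical distance) and delay bound (max horizontal distance), and chains four periodic tasks through a fixed-priority CPU the way the slide describes, each level receiving the service left over by the levels above it (the Real-Time Calculus remaining-service formula). The task set, the horizon and the use of a closed-window demand curve are assumptions of the example.

```python
import math

H = 120  # analysis horizon: curves are evaluated for window sizes 0..H (constructed)


def periodic_upper_demand(period, wcet, horizon=H):
    """Upper arrival curve of a periodic task, in execution-time units:
    a closed window of length d holds at most d//period + 1 releases."""
    return [wcet * (d // period + 1) for d in range(horizon + 1)]


def full_cpu(horizon=H):
    """Lower service curve of a 100% CPU: d time units of service in any window."""
    return list(range(horizon + 1))


def backlog_bound(alpha_u, beta_l):
    """Max vertical distance between demand and guaranteed service."""
    return max(a - b for a, b in zip(alpha_u, beta_l))


def delay_bound(alpha_u, beta_l):
    """Max horizontal distance: for each d, the smallest tau with
    alpha_u(d) <= beta_l(d + tau). Returns None when no tau fits in the
    horizon, i.e. demand outruns service (non-schedulable, or horizon too short)."""
    horizon = len(beta_l) - 1
    worst = 0
    for d, demand in enumerate(alpha_u):
        tau = 0
        while d + tau <= horizon and beta_l[d + tau] < demand:
            tau += 1
        if d + tau > horizon:
            return None
        worst = max(worst, tau)
    return worst


def remaining_service(beta_l, alpha_u):
    """Service left for the next lower priority level:
    beta'(d) = sup over 0 <= l <= d of (beta(l) - alpha_u(l)), clamped at 0."""
    out, best = [], 0
    for b, a in zip(beta_l, alpha_u):
        best = max(best, b - a)
        out.append(best)
    return out


def analyze_fixed_priority(tasks, beta_l):
    """tasks: (name, period, wcet) from highest to lowest priority.
    Returns per task the worst-case response time, the backlog bound in
    execution-time units and the pending-job bound derived from it."""
    report = {}
    for name, period, wcet in tasks:
        alpha = periodic_upper_demand(period, wcet, len(beta_l) - 1)
        backlog = backlog_bound(alpha, beta_l)
        report[name] = {
            "wcrt": delay_bound(alpha, beta_l),
            "backlog": backlog,
            "pending_jobs": math.ceil(backlog / wcet),
        }
        beta_l = remaining_service(beta_l, alpha)  # what the next level sees
    return report


# Constructed task set, priority order D > C > B > A as on the ABB slide.
TASKS = [("D", 10, 2), ("C", 15, 3), ("B", 20, 4), ("A", 30, 6)]

if __name__ == "__main__":
    for name, r in analyze_fixed_priority(TASKS, full_cpu()).items():
        print(name, r)
```

The closed-window demand curve counts a release at the very end of a window as if it executed inside it, so the bounds are safe but conservative (the 26 reported for task A is above the 20 a critical-instant simulation gives). Adding a task that pushes utilization past the CPU makes `delay_bound` find no finite horizontal distance and return None, which is the slide's "negative service curve" case.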
Timed Automata with Tasks
(figure: edge with guard x<3, action a!, reset x:=0, releasing Task (C,D))
• Events
  • Actions
  • Timing constraints: clocks / guards / resets
  • Complex event patterns
• Tasks
  • Asynchronous execution
  • WCET, deadline
  • Scheduling policy
  • Precedence constraints
  • Resource constraints
Run of TAT
(Idle, x=0, [])
  --0.1--> (Idle, x=0.1, [])
  --> (RelP, x=0, [P(2,8)])
  --1.5--> (RelP, x=1.5, [P(0.5,6.5)])
  --> (RelQ, x=1.5, [P(0.5,6.5),Q(2,20)])
  --1.5--> (RelQ, x=3, [Q(1,18.5)])
  --> (Idle, x=3, [Q(1,18.5)])
  --> (RelP, x=0, [P(2,8),Q(1,18.5)])
  --2--> (RelP, x=2, [Q(1,16.5)])
(figure: Gantt chart of Idle, P and Q over time, with switches at 0.1, 1.6, 2.1, 3.1 and 5.1)
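The queue semantics behind that run, as an added example (not code from the talk or from the TIMES tool): each queue entry is (task, remaining computation, remaining deadline); a release inserts an entry, and letting time pass runs the head of the queue on one CPU, drops finished instances and shrinks every deadline. The queue is kept ordered by deadline (EDF), which reproduces the ordering on the slide; that policy, and the use of exact fractions, are assumptions of the example.

```python
from fractions import Fraction as Fr


def fmt(queue):
    """Render a queue the way the slide does, e.g. [P(0.5,6.5),Q(2,20)]."""
    num = lambda x: format(float(x), "g")
    return "[" + ",".join(f"{n}({num(c)},{num(d)})" for n, c, d in queue) + "]"


def release(queue, name, wcet, deadline):
    """Release an instance of `name` with computation time `wcet` and relative
    deadline `deadline`; the queue stays ordered by deadline (EDF, assumed)."""
    return sorted(queue + [(name, Fr(wcet), Fr(deadline))], key=lambda t: t[2])


def delay(queue, d):
    """Let d time units pass on one CPU: the head of the queue runs and the rest
    wait; finished instances leave; every remaining deadline shrinks by d.
    A missed deadline raises, which is the error the TAT semantics flags."""
    d = Fr(d)
    budget, elapsed, out = d, Fr(0), []
    for name, c, dl in queue:
        run = min(c, budget)          # this instance gets what is left of d
        c, budget, elapsed = c - run, budget - run, elapsed + run
        if c == 0:                    # finished inside this delay step
            if elapsed > dl:
                raise RuntimeError(f"{name} finished after its deadline")
            continue
        if dl - d <= 0:               # still has work but no time left
            raise RuntimeError(f"{name} missed its deadline")
        out.append((name, c, dl - d))
    return out


def run_example():
    """Replay the run from the slide; returns the queue after every step."""
    q = delay([], "0.1")                       # (Idle, x=0) --0.1--> (Idle, x=0.1)
    steps = []
    q = release(q, "P", 2, 8);   steps.append(fmt(q))   # RelP
    q = delay(q, "1.5");         steps.append(fmt(q))
    q = release(q, "Q", 2, 20);  steps.append(fmt(q))   # RelQ
    q = delay(q, "1.5");         steps.append(fmt(q))
    q = release(q, "P", 2, 8);   steps.append(fmt(q))   # Idle, then RelP
    q = delay(q, 2);             steps.append(fmt(q))
    return steps


if __name__ == "__main__":
    for s in run_example():
        print(s)
```

The clock x on the slide belongs to the automaton, not to the queue, so it is left out here; the queue snapshots match the run exactly, including Q being preempted by the second release of P.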
TA as Curve Transformers
(figure: timed automata TA1 and TA2 releasing tasks T1, T2, T3 via a!, b?, c! into the OS ready queue; the scheduling policy assigns the CPU; "task released", "task completed"; the TIMES tool)
• Timed automata as complex task release patterns
• We have to make them operate on curves
TA <-> Curve Transformation
(figure: an arrival curve (upper and lower bound, number of events against window size) feeds an event generator; its output enters the TA model of a system component F; an event observer on the output yields the departure curve)
• Curve transformation using UPPAAL
• L(EG) = L(AC)
• L(F(AC)) L(EO)
• Assumption: A_EG || A_Fi || A_EO; a departure curve for every component Fi is possible
Encoding Arrival Curves as TA
(figure: generator with a circular clock buffer x1…x7 and a pointer; the guard is derived from the upper bound M[UB], the invariant from the lower bound m[LB]; CN = 7; guard labels x4 > M[i-1], x3 > M[i-2], x2 > M[i-3], x1 > M[i-4] on the number-of-events axis)
UPPAAL declarations:
    const int LB = 12;
    const int UB = 12;
    const int m[LB] = {0,0,0,1,1,1,2,2,3,3,3,4};
    const int M[UB] = {2,2,4,4,4,4,5,5,7,7,7,7};
    const int CN = m[LB-1]<M[UB-1]?M[UB-1]:m[LB-1];
    clock x[CN];
    int[0,CN-1] index;
    int[0,CN] counter;
    int[0,UB] v;
    int[0,CN-1] getIndex(int backtrack) {
        int i = index-backtrack;
        if(i<0) i += CN;
        return i;
    }
    void addNewEvent() {
        x[index] = 0;
        index = (index==CN-1?0:index+1);
        if(counter<CN) counter++;
    }
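An added example of the encoding idea, not code from the slides or from UPPAAL: the slide's constants m, M and CN and its ring-buffer bookkeeping (getIndex, addNewEvent) are rendered in Python, and the guard and invariant of the generator become two questions about the buffer: may an event be released now (the M[w-1]-th most recent event must already be w or more old for every window size w), and by when must the next event be released (before the m[w-1]-th most recent event becomes older than w). The check is applied to whole traces, as an acceptor; the assumptions are half-open windows and that a bound is enforced only once the buffer holds enough events for it.

```python
LB, UB = 12, 12
m = [0, 0, 0, 1, 1, 1, 2, 2, 3, 3, 3, 4]   # lower bound: at least m[w-1] events per window of size w
M = [2, 2, 4, 4, 4, 4, 5, 5, 7, 7, 7, 7]   # upper bound: at most M[w-1] events per window of size w
CN = max(m[LB - 1], M[UB - 1])             # ring buffer size, 7 as on the slide


class CurveGenerator:
    """Ring buffer of the last CN release times (the TA keeps clocks = ages)."""

    def __init__(self):
        self.stamps = [None] * CN
        self.index = 0      # next slot to write, as in the TA
        self.counter = 0    # events stored so far, saturating at CN

    def kth_recent(self, k):
        """Release time of the k-th most recent event, k=1 the newest (getIndex(k))."""
        return self.stamps[(self.index - k) % CN]

    def can_release(self, now):
        """Guard: a release at `now` keeps every window (now-w, now] within M."""
        for w in range(1, UB + 1):
            need = M[w - 1]
            if need >= 1 and self.counter >= need and now - self.kth_recent(need) < w:
                return False
        return True

    def must_release_by(self):
        """Invariant: latest time at which the next event may come before some
        window of size w would hold fewer than m[w-1] events."""
        latest = float("inf")
        for w in range(1, LB + 1):
            need = m[w - 1]
            if need >= 1 and self.counter >= need:
                latest = min(latest, self.kth_recent(need) + w)
        return latest

    def add_event(self, now):
        """addNewEvent(): store the stamp, advance the pointer, saturate the counter."""
        self.stamps[self.index] = now
        self.index = (self.index + 1) % CN
        if self.counter < CN:
            self.counter += 1


def check_trace(trace):
    """None if the trace lies between the curves, else the first violation."""
    g = CurveGenerator()
    for t in trace:
        deadline = g.must_release_by()
        if t > deadline:
            return f"lower bound violated: no event by {deadline}"
        if not g.can_release(t):
            return f"upper bound violated at {t}"
        g.add_event(t)
    return None


if __name__ == "__main__":
    # Constructed traces: a steady one, a too-bursty one and a too-slow one.
    for trace in ([0, 3, 6, 9, 12, 15, 18, 21], [0, 1, 2, 3, 5], [0, 5]):
        print(trace, "->", check_trace(trace) or "accepted")
```

Because only CN stamps are kept, the check runs in constant memory no matter how long the trace is, which is exactly why the TA needs only CN clocks; the eighth event in the steady trace wraps the pointer back to slot 0, as addNewEvent() does.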
Approximating TA with Arrival Curves
(figure: observer with a window from x==0 to x==dt slid along the time axis; number of events, max & min, against window size dt)
• Observer: A_SYSTEM || A_OBSERVER
• One clock & one integer: clock x; int counter;
• Non-deterministic window offset
• One window = one state-space exploration
• Max considered window size (dt) must be specified
A Problem with Approximation
(figure: number of events against window size: the actual stream, the over-approximated stream, and the last measured dt)
• We need to know a "safe" value of dt
A Problem with Approximation
(figure: service curve and response time against window size)
• Sometimes we can still perform timing analysis using "precise" data
• An adaptive approach?
Another Algorithm
(figure: a segment of angle a = m/n touching the curve, number of events against window size)
• Search for the segment that touches the curve
• Find the smallest intersection point and repeat
• Encoding of the intersection criterion into TA
• Angle a = m/n is rational, m, n integers
• LCM(m, n) can become very big (hyperperiod)
• Rapid slow-down
Simple Scheduling Example
• 4 tasks: 3 periodic + 1 aperiodic (TA)
• Preemptive fixed priority scheduling
• Given BCET/WCET
• Abstracting release pattern with streams
• Analysis
  • Worst-case response time
  • Required OS ready queue size
An Example with Feedback
(figure: the CPU (100%) serves TASK2, whose remaining resource goes to TASK1; the input stream and the TASK2 output, AND-joined with the initial condition, feed TASK1; TASK1 output feeds TASK2)
• TASK1 input depends on the TASK2 output
• TASK1 uses TASK2's remaining resource
• TASK2 input depends on TASK1 output
• Given
  • TASK1 input stream
  • Initial condition on activation of TASK2
• Iterative computation until fixed point
Books & Papers
• Rene L. Cruz. A Calculus for Network Delay. IEEE Transactions on Information Theory, 1991.
• J.-Y. Le Boudec, P. Thiran. Network Calculus: A Theory of Deterministic Queuing Systems for the Internet. 2004.
• L. Thiele, S. Chakraborty, M. Naedele. Real-time Calculus for Scheduling Hard Real-Time Systems. Proc. of ISCAS, 2000.
• L. Thiele, S. Chakraborty, M. Gries, A. Maxiaguine, J. Greutert. Embedded Software in Network Processors – Models and Algorithms. Proc. of EMSOFT, 2001.
• E. Wandeler, L. Thiele. Real-Time Interfaces for Interface-Based Design of Real-Time Systems with Fixed Priority Scheduling. 2005.
• P. Krcal, L. Mokrushin, W. Yi. A Tool for Compositional Analysis of Timed Systems by Abstraction. Tool paper submitted to CAV 2007.
• …
Conclusions
• Abstraction technique for timed component systems
• One component at a time, no big product (GALP)
• Possibility to parallelize verification
• Heterogeneous systems: a potential to combine different formalisms
• Prototype
Open questions
• How good is our abstraction? (Examples)
• Feedback? (Termination)
• Bound on max window size? (Adaptation?)
• Shared resources? (Priority Ceiling Protocol)