Modelling and Validation of Real Time Systems Kim Guldstrand Larsen Paul Pettersson BRICS@Aalborg

1. Modelling and Validationof Real Time SystemsKim Guldstrand LarsenPaul PetterssonBRICS@Aalborg

2. BRICS Machine Basic Research in Computer Science 30+40+40 Millkr 100 100 Tools Other revelvant projects UPPAAL, VHS, VVS Aarhus Aalborg

3. Tools andBRICS Applications visualSTATE UPPAAL SPIN PVS HOL ALF TLP • Semantics • Concurrency Theory • Abstract Interpretation • Compositionality • Models for real-time • & hybrid systems • Algorithmic • (Timed) Automata Theory • Graph Theory • BDDs • Polyhedra Manipulation • Logic • Temporal Logic • Modal Logic • MSOL

4. What? Validation and Verification of software and hardwareDESIGNS! (E.g., real time systems, embedded systems, communication protocols)

5. A REAL real time system Klaus Havelund, NASA

6. Embedded Systems SyncMaster 17GLsi Mobile Phone Telephone Digital Watch Tamagotchi

7. Why? • Testing/simulation of designs/implementations may not reveal error (e.g., no errors revealed after 2 days) • Formal verification (=exhaustive testing) of design provides 100% coverage (e.g., error revealed within 5 min). • TOOL support.

8. Traditional Software Development The Waterfall Model REVIEWS Problem Area Analysis Design REVIEWS Implementation Testing • Costly in time-to-market and money • Errors are detected late or never • Application of FM’s as early as possible Running System

9. Introducing, detecting and repairing errors Liggesmeyer 98

10. Formal Verification & Validation Analysis Validation Design Model • Specification FORMAL METHODS Verification & Refusal UML Implementation Testing

11. Formal Verification & Validation Analysis Validation Design Model • Specification FORMAL METHODS Verification & Refusal UML TOOLS: UPPAAL visualSTATE SPIN Implementation Testing

12. Formal Verification & Validation Analysis Validation Design Model • Specification FORMAL METHODS Verification & Refusal UML TOOLS: UPPAAL visualSTATE ….. Automatic Code generation Implementation Testing

13. Formal Verification & Validation Analysis Validation Design Model • Specification FORMAL METHODS Verification & Refusal UML TOOLS: UPPAAL visualSTATE ….. Automatic Code generation Automatic Test generation Implementation Testing

14. How? Unified Model=State Machine! b? y! a Output ports x Input ports b? y b a? x! Control states

15. UPPAAL

16. SPIN, Gerald Holzmann AT&T

17. visualSTATE VVS w Baan Visualstate, DTU (CIT project) • Hierarchical state systems • Flat state systems • Multiple and inter-related state machines • Supports UML notation • Device driver access

18. Train Simulator VVS visualSTATE 1421 machines 11102 transitions 2981 inputs 2667 outputs 3204 local states Declare state sp.: 10^476 BUGS ? Our techniuqes has reduced verification time with several orders of magnitude (ex 14 days to 6 sec)

19. ‘State Explosion’ problem M2 M1 a 1 2 b c 3 4 M1 x M2 1,a 4,a 1,b 2,b 1,c 2,c 3,a 4,a 3,b 4,b 3,c 4,c Provably theoretical intractable All combinations = exponential in no. of components

20. Tool Support System DescriptionA No! Debugging Information TOOL Yes, Prototypes Executable Code Test sequences RequirementF • Course Objectives: • Model systems and specify requirements • Validate models using TOOLS • Understand main underlying theoretical and practical problems Tools:UPPAAL, SPIN, VisualSTATE, Statemate, Verilog, Formalcheck,...

21. Uppsala (6 persons), Aalborg (10 persons), 1995- 21 papers, 6 invited talks/tutorials 9 industrial case studies http://www.docs.uu.se/docs/rtmv/uppaal/index.shtml UPPAAL Modelling and Verification of Real Time systems E.g. Pump Controls Airbags Robots Cruise Control ABS CD players IDA foredrag 20.4.99

22. @UPPsala Wang Yi Johan Bengtsson Paul Pettersson Fredrik Larsson Alexandre David Justin Pearson ... @AALborg Kim G Larsen Arne Skou Paul Pettersson Carsten Weise Kåre J Kristoffersen Gerd Behrman Thomas Hune ….. Collaborators • @Elsewhere • Magnus Lindahl, Francois Laroussinie, Augusto Burgueno, David Griffioen, Ansgar Fehnker, Frits Vandraager, Klaus Havelund, Theo Ruys, Pedro D’Argenio, J-P Katoen, J. Tretmans, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Carsten Weise...

23. Dec’96 Sep’98

24. from 7.5 hrs / 527 MB on ONYX with 2GB (4Mill DKK) to 12.75 sec / 2.1 MB on Pentium 150 MHz, 32 MB or Every 9 month 10 times better performance! Dec’96 Sep’98

25. Hybrid & Real Time Systems Computer Science Control Theory sensors Task Task Task Task actuators Controller Program Discrete Plant Continuous Eg.: Pump Control Air Bags Robots Cruise Control ABS CD Players Production Lines Real Time System A system where correctness not only depends on the logical order of events but also on their timing

26. a a a 1 1 1 1 2 2 2 2 b b b c c c 3 3 3 3 4 4 4 4 Validation & VerificationConstruction of UPPAAL models Controller Program Discrete Plant Continuous sensors Task Task Task Model of tasks (automatic) Task actuators Model of environment (user-supplied) UPPAAL Model

27. Intelligent Light Control press? Off Light Bright press? press? press? WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.

28. Intelligent Light Control press? X<=3 Off Light Bright X:=0 press? press? press? X>3 Solution: Add real-valued clock x

29. Timed Automata Alur & Dill 1990 Clocks:x, y Guard Boolean combination of comp with integer bounds n Reset Action perfomed on clocks Action used for synchronization x<=5 & y>3 State (location , x=v , y=u ) where v,u are in R a Transitions x := 0 a (n , x=2.4 , y=3.1415 ) (m , x=0 , y=3.1415 ) m e(1.1) (n , x=2.4 , y=3.1415 ) (n , x=3.5 , y=4.2415 )

30. Timed Automata - Invariants n Clocks:x, y x<=5 Transitions x<=5 & y>3 e(3.2) Location Invariants (n , x=2.4 , y=3.1415 ) a e(1.1) (n , x=2.4 , y=3.1415 ) (n , x=3.5 , y=4.2415 ) x := 0 m y<=10 g4 g1 Invariants insure progress!! g3 g2

31. The UPPAAL Model= Networks of Timed Automata + Integer Variables +…. m1 l1 x>=2 i==3 y<=4 …………. Two-way synchronization on complementary actions. Closed Systems! a! a? x := 0 i:=i+4 l2 m2 Example transitions (l1, m1,………, x=2, y=3.5, i=3,…..) (l2,m2,……..,x=0, y=3.5, i=7,…..) (l1,m1,………,x=2.2, y=3.7, I=3,…..) tau 0.2 If aURGENT CHANNEL

32. Lego RCX BrickLEGO MINDSTORMS, LEGO ROBOLAB 3 Input (sensors) Light, rotation, temperature, pressure,..... 1 Infra-red port 3 Output ports (actuators) motor, light

33. First UPPAAL modelSorting of Lego Boxes Ken Tindell Piston Boxes eject remove 99 Conveyer Belt Red 81 18 90 9 Blck Rd Controller Main Skub_af Black Exercise: Design Controller so that only black boxes are being pushed out

34. NQC programs int active; int DELAY; int LIGHT_LEVEL; task main{ DELAY=25; LIGHT_LEVEL=35; active=0; Sensor(IN_1, IN_LIGHT); Fwd(OUT_A,1); Display(1); start skub_af; while(true){ wait(IN_1<=LIGHT_LEVEL); ClearTimer(1); active=1; PlaySound(1); wait(IN_1>LIGHT_LEVEL); } } task skub_af{ while(true){ wait(Timer(1)>DELAY && active==1); active=0; Rev(OUT_C,1); Sleep(8); Fwd(OUT_C,1); Sleep(12); Off(OUT_C); } }

35. UPPAAL Demo IDA foredrag 20.4.99

36. Exercise 2 Each messagemustbe deliveredbeforenext message can be accepted. 1. perfect media 2. loosy media 3. retransmission 4. delaying media 5. XXXX Synchronization between two processes. L ack pack Sender Receiver out in K snd pass

37. Exercise 3 Person Machine Observer coin! y:=0 pub! cof Wait y<=3 pub Go y=3 coin Ready cof? y:=0 y=2 Wait y<=2 DesignMachine andObserver