Design, Implementation, and Validation of Embedded Software (DIVES) - PowerPoint PPT Presentation

1
Design, Implementation, and Validation of Embedded Software (DIVES)
Rajeev Alur, Vijay Kumar, Insup Lee (PI), George Pappas, Oleg Sokolsky
Department of Computer and Information Science, Department of Electrical Engineering, Department of Mechanical Engineering and Applied Mechanics
University of Pennsylvania
30 January 2003
2
Topic Area 1. Administrative
3
Administrative Information
  • Project title: Design, Implementation, and
    Validation of Embedded Software (DIVES)
  • PI: Insup Lee (215-898-3532, lee_at_cis.upenn.edu)
  • Co-PI: Rajeev Alur, Vijay Kumar, George Pappas
  • Organization: University of Pennsylvania
  • Contract number: DARPA ITO MOBIES
    F33615-00-C-1707
  • AO Number: K230
  • Award end date: May 16, 2003
  • Agent: Dale Harper, Air Force Research Laboratory

4
DIVES Team
  • Faculty
  • Rajeev Alur (CIS)
  • Vijay Kumar (MEAM)
  • Insup Lee (CIS)
  • George Pappas (EE)
  • Oleg Sokolsky (CIS)

  • PhD Students
  • Calin Belta
  • Mikhail Bernadsky
  • Yerang Hur
  • Franjo Ivancic
  • Usa Sammapun
  • Wenkai Tan
  • Research Associates
  • Jesung Kim
  • Li Tan
  • Herbert Tanner
  • Part-time Programmers
  • Peter Finin
  • Valya Sokolskaya
5
Topic Area 2. Subcontractors and Collaborators
6
Collaborators
  • CMU-Penn Allenberry Workshop (Jan 9, 2003)
  • CMU: Krogh, Rajkumar
  • Penn: Alur, Kumar, Lee, Pappas, Sokolsky
  • More than 15 students and postdocs
  • Hybrid systems modeling, analysis, simulation,
    test generation, code generation techniques
  • Interactions with HSIF group
  • Berkeley, Ford, CMU, Kestrel, GM, SRI, Vanderbilt

7
Topic Area 3. Project Goals and Problem
Description
8
Project Overview
  • Project Objective
  • Develop languages, algorithms and tools for
    hybrid systems to facilitate the development of
    reliable embedded systems
  • Project Description: main research directions
  • Compositional semantics to support hierarchical,
    modular specifications of hybrid systems
  • Reachability analysis of embedded systems
  • Compositional analysis and optimal controller
    synthesis of hybrid systems
  • Model-based testing and validation of hybrid
    systems to provide an additional level of
    reliability

9
Topic Area 4. Project Status (Update from last PI
Meeting)
10
Progress since last meeting
  • Progress on schedule
  • Recently developed techniques
  • Counter-example guided predicate abstraction
  • Model-based code generation
  • Model-based test generation
  • CHARON to HSIF translation
  • Publication during last six months
  • 5 journal papers, 6 conference and workshop
    papers
  • PhD Theses: Ivancic (Aug 03), Hur (Dec 03)

11
CHARON Toolkit
  • Input
  • Hierarchical, Concurrent, Hybrid systems
  • Functionality: modeling, simulation, assertion
    checking, test generation, code generation,
    reachability analysis
  • Output
  • Simulation trace including assertion violation
  • C code
  • HSIF model
  • Counter examples

12
CHARON toolkit enhancements
  • CHARON language version 2
  • Inspired by HSIF development
  • Supports signals and shared variables directly
  • analog/discrete variable type replaced with
    signal/shared
  • Respects signal dependencies
  • Changes in the computation of enabled transitions
  • Parser, type checker, export/import routines
    updated to new version
  • Updated simulator under construction

13
CHARON toolkit enhancements
  • Simulator improvements
  • Adaptive simulation step-size implemented
  • Event detection algorithm implemented
  • Improved support for parametric simulations
  • Parameters can be external to the model
  • Allow parameter modification within the same
    model
  • Reachability analysis enhancements

[Figure: event detection along a trajectory x(t); the zero crossing of the guard function g(x) is flagged as an event.]
14
Publication List
  • Selected publications since the last PI meeting
  • I. Lee, A. Philippou, O. Sokolsky, "Process
    Algebraic Modelling and Analysis of Power-Aware
    Real-Time Systems", IEE Computing and Control
    Engineering Journal, 13(4), pp. 180-188, August
    2002.
  • Insik Shin, Insup Lee, and Sang Lyul Min,
    Embedded System Design Framework for Minimizing
    Code Size and Guaranteeing Real-Time
    Requirements, Proc. IEEE Real-Time Systems
    Symposium, Austin, Dec 2002.
  • Na Young Lee, Insup Lee, Yerang Hur, Jin Young
    Choi, Il Soon Hwang, Seung Rok Oh, A Framework
    for the Hybrid Modeling and Analysis of Nuclear
    IC Systems, Proceedings of ISOFIC 2002
    (International Symposium On the Future IC for
    NPP), Seoul, Nov 2002.
  • R. Fierro, A. Das, J. Spletzer, Y. Hur, R. Alur,
    J. Esposito, G. Grudic, V. Kumar, I. Lee, J. P.
    Ostrowski, G. Pappas, J. Southall and C. J.
    Taylor, A Framework and Architecture for
    Multirobot Coordination, Int. Journal of
    Robotics Research (IJRR), 2003.
  • Rajeev Alur, Thao Dang, Joel Esposito, Yerang
    Hur, Franjo Ivancic, Vijay Kumar, Insup Lee,
    Pradyumna Mishra, George Pappas, and Oleg
    Sokolsky, Hierarchical Modeling and Analysis of
    Embedded Systems, To appear in Proceedings of
    the IEEE, 2003.

15
Publication List
  • George J. Pappas, Bisimilar Linear Systems,
    Automatica. To appear in 2003.
  • R. Alur, T. Dang, F. Ivancic, Counter-example
    guided predicate abstraction for hybrid systems,
    TACAS 2003
  • R. Alur, T. Dang, F. Ivancic, Progress on
    reachability analysis of hybrid systems using
    predicate abstraction, HSCC 2003
  • R. Alur, S. La Torre, P. Madhusudan, Modular
    strategies for recursive game graphs, TACAS 2003
  • Oleg Sokolsky, Anna Philippou, Insup Lee, and
    Kyriakos Christou, Modeling and Analysis of
    Power-Aware Systems, TACAS 2003.
  • Hyoung Seok Hong, Sung Deok Cha, Insup Lee, Oleg
    Sokolsky, Hasan Ural, Data Flow Testing as Model
    Checking, Int. Conf. on Software Engineering
    (ICSE), May 2003.

16
Counter-Example Guided Refinement of Predicate
Abstraction
  • Rajeev Alur
  • Thao Dang
  • Franjo Ivancic

17
Overall Structure
[Figure: the counter-example guided abstraction loop. Inputs: the hybrid system (Charon code), a set of linear predicates and a safety property. The abstract search either reports "Property holds" or "Counter-example found!"; the counter-example is then checked against the concrete system ("Concrete counter-example found?"), and if it is spurious, additional predicates are fed back into the abstraction.]
18
Current Implementation
  • We focus on hybrid systems with linear continuous
    dynamics, linear guards, linear invariants, and
    linear reset expressions.
  • The continuous dynamics can have uncertain,
    bounded input, that is dx/dt = Ax + Bu, where u
    is an uncertain input within a bounded range.
  • We only consider linear predicates.
  • Builds on routines for manipulating polyhedra
    from d/dt.

19
3-State Thermostat Example
  • 2 variables: T (temperature) and t (timer)
  • Initially t = 0, 5 < T < 10
  • Unsafe: Check, T < 4.5

[Figure: the thermostat automaton with three modes]
  • Heat: dT = 2; invariant T < 10, t < 3
  • Check: dT = -T/2; invariant t < 1
  • Cool: dT = -T; invariant T > 5
  • Heat -> Check: t > 2 -> t := 0
  • Heat -> Cool: T > 9
  • Cool -> Heat: T < 6 -> t := 0
  • Check -> Heat: t > 0.5 -> t := 0
20
Thermostat Abstraction
  • 10 predicates: t < 0, t > 0.5, ..., T > 5, T < 6, ...
  • Only 36 valid continuous abstract states

[Figure: the predicate thresholds drawn on the (time, temperature) plane; temperature ticks at 4.5, 5, 6, 9, 10 and time ticks at 0, 0.5, 1, 2, 3.]
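Added example (not the toolkit's code): enumerating the 2^10 boolean valuations of the ten predicates and keeping only the consistent ones. The predicate set is assumed from the slide's axis ticks (t at 0, 0.5, 1, 2, 3; T at 4.5, 5, 6, 9, 10); with that set the count reproduces the 36 valid continuous abstract states quoted above, which is why the abstract state space stays far smaller than the number of predicate vectors.

```python
from itertools import product

# Predicate set assumed for the thermostat abstraction, reconstructed from the
# axis ticks on the slide (the slide lists only "t < 0, t > 0.5, ..., T > 5, T < 6").
# Each predicate is (variable, "ge" | "le", constant).
PREDICATES = [
    ("t", "le", 0.0), ("t", "ge", 0.5), ("t", "ge", 1.0), ("t", "ge", 2.0), ("t", "ge", 3.0),
    ("T", "ge", 4.5), ("T", "ge", 5.0), ("T", "le", 6.0), ("T", "ge", 9.0), ("T", "le", 10.0),
]

def feasible(valuation, preds=PREDICATES):
    """True if some real point makes every predicate marked True hold and every
    predicate marked False fail.  A failed predicate becomes a strict bound in
    the opposite direction, so bounds are kept as (constant, strict) pairs."""
    lows, highs = {}, {}
    for (var, op, c), holds in zip(preds, valuation):
        strict = not holds
        if (op == "ge") == holds:       # var >= c, or var > c when "le" fails
            lows.setdefault(var, []).append((c, strict))
        else:                           # var <= c, or var < c when "ge" fails
            highs.setdefault(var, []).append((c, strict))
    for var in set(lows) & set(highs):
        l, ls = max(lows[var])                                   # largest c; strict wins ties
        h, hs = min(highs[var], key=lambda b: (b[0], not b[1]))  # smallest c; strict wins ties
        if l > h or (l == h and (ls or hs)):
            return False
    return True

def count_abstract_states(preds=PREDICATES):
    """Number of consistent valuations, i.e. valid continuous abstract states."""
    return sum(feasible(v, preds) for v in product([False, True], repeat=len(preds)))
```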
21
A Sample Abstract Path
[Figure: the abstract states on the path, each a pair of a timer interval and a temperature interval]
  • t < 0, 9 < T < 10
  • 1 < t < 2, 9 < T < 10
  • 1 < t < 2, 9 < T < 10
  • 0.5 < t < 1, 9 < T < 10
  • t < 0, 6 < T < 9
  • 2 < t < 3, 9 < T < 10
  • 0.5 < t < 1, 9 < T < 10
  • 0.5 < t < 1, 6 < T < 9
  • t > 3, 5 < T < 6
  • 0.5 < t < 1, 5 < T < 6
  • t < 0, 9 < T < 10
  • t < 0, 5 < T < 6
  • 2 < t < 3, 9 < T < 10
  • 35 abstract states reachable. All states are
    safe, thus the concrete system is also safe.
22
What's new?
  • A variety of optimizations to speed up the search
  • Data structure binary space partition (BSP)
    trees
  • Generalized predicate abstraction
  • Vector flow analysis
  • Guided search
  • Counter-examples in abstract space
  • Are they feasible in concrete system?
  • Can they be used to derive abstraction
    predicates?
  • Theoretical guarantees of the verification
    technique
  • Completeness?
  • Avoiding the same counter example in successive
    searches

23
Bounded Completeness
  • Simulation can show unsafe behavior.
  • Safety can only be shown using verification, but
    undecidable.
  • Predicate abstraction introduces errors by
  • approximating reachable sets with polyhedra
  • coarse abstraction using predicates
  • Predicate abstraction can prove bounded safety
  • up to n discrete switches
  • up to total time flow t
  • if reachable set is separated from unsafe set by
    Delta

24
Guided Search
  • Search of the abstract state-space is guided by a
    priority function that measures the distance of
    abstract states to unsafe states
  • Several priority functions considered
  • Discrete Location Graph Measure
  • Locations that are closer get higher priority
  • Mask Priority
  • Based on boolean vector representation of
    predicate values. Fast!!!
  • Euclidean Distance Measure
  • Reset Euclidean Distance Measure
  • Accounts for the effect of resets by discrete
    transitions

25
Generalized Predicate Abstraction
  • Cluster certain abstract states
  • Reduction of abstract state-space!
  • Example Location-specific predicates
  • Specify per location which predicates are to be
    used in particular location (invariant may be
    important only in one location)
  • Abstract states are now (loc, (TF FFT T))
  • Computation of continuous successors is not
    affected!
  • Discrete updates need to consider switch of
    predicates

26
Binary Space Partition
  • Frequent calls to create polyhedra that
    correspond to abstract states

[Figure: BSP tree over the predicates. The root polyhedron P is split by the first predicate into P1 and its complement, each child by the second predicate (P12), and so on through the third (P123), so the polyhedron of an abstract state is obtained by walking the tree rather than rebuilt from scratch on every call.]
27
Counter-example Analysis Algorithm
  • Perform reachability following the path specified
    by the counter-example.
  • For each abstract state si, compute the sub-space
    Ri that is concretely reachable.

    R0 = conc(s0) ∩ Init
    for 1 ≤ i ≤ n:
        Ri = Post(Ri-1, ti-1) ∩ conc(si)
        if Ri empty: SPURIOUS!
    if Rn ∩ Bad not empty: FEASIBLE!

[Figure: concrete reachability along the abstract path: Init, R0 inside conc(s0), the continuous post CPost(R0), and R1 inside conc(s1).]
28
[Figure: refinement step. When Rk+1 is empty, the separating predicates are derived from Rk and Pre(sk+1).]
29
Thermostat Example
  • Remove predicate t lt 0 from predicate set.
  • First run Spurious counter-example is found!
  • Separation routine suggests using 4 predicates
  • 0.979265 T + 0.202584 t < 9.34423
  • 0.872555 T + 0.488515 t < 8.16961
  • 0.428587 T + 0.9035 t < 4.11184
  • -0.0680518 T + 0.997682 t < -0.439659
  • Second and third run still find counter-examples.
    One of 15 suggested predicates
  • 0.0139043 T 0.999903 t lt 0.152558
  • 28 predicates are enough to prove safety in
    fourth iteration with 358 reachable states.

30
Summary
  • Tool applied to V-2-V and ETC
  • New V2V will be a good benchmark
  • Integrated into HSIF tool chain
  • Improving scalability of hybrid systems
    verification is ongoing long-term project
  • Innovations in algorithms
  • Engineering of the tool
  • Has Mobies made a difference?
  • 2000: d/dt, about 4 continuous variables (subsets
    of R^4)
  • 2003: Charon, about 8 continuous variables
    (subsets of R^8)
  • Caveat: the key to successful application of
    verification technology is scaling down the
    problem (zooming in to the critical core)

31
Generating Embedded Software from Hierarchical
Hybrid Models
  • Rajeev Alur
  • Franjo Ivancic
  • Jesung Kim
  • Insup Lee
  • Oleg Sokolsky

32
Objective
  • To design a software tool that generates
    platform-specific executable code from a
    platform-independent CHARON model
  • Input CHARON model Platform description
  • Output Executable code faithful to the model

33
Example: Robot dog AIBO
[Figure: hierarchical CHARON model of the AIBO walking gait. Top-level modes GetUp and Walk; inside Walk a leg cycles through UpDown(1), OnGround (L1, joint j1), UpDown(-1) and Forward (L2, ground contact, joint j2). Recoverable labels: foot position (x, y), guard y > y_lift, guard token == MYTOKEN, a token update (garbled in the transcript as "token (token1)4"), g_stop, j2 = acos(f(x, y)), d(x) = -v.]
34
Challenges / Our Approach
  • Discretization of the continuous model: fixed
    step-size simulation
  • Validation
  • Transition errors: ?-lookahead agent
  • Numerical errors: instrumented hybrid automata
  • Code quality: modular C code
  • Platform-independent optimization: static
    scheduling
  • Platform dependency: Makefile-like script

35
Current Work
  • Code validation
  • Numerical errors
  • Computation / IO delays
  • Code optimization
  • Platform-independent / platform-specific
  • Platform-specific (glue) code generation
  • Case study: Penn UAV testbed

36
Penn UAV Testbed
  • Avionics
  • Cloud Cap Tech's Piccolo
  • Totally user-customizable architecture
  • Airframe
  • ¼ Scale Piper J-3 Cub 104
  • Higher level Control
  • Onboard Laptop PC
  • CHARON
  • G. Pappas

37
Topic Area 5. Technology Integration into OEP(s)
38
HSIF WG participation
  • We actively participated in the HSIF working
    group
  • Syntax development
  • Semantics development
  • New synchronous semantics proposed and
    implemented
  • Bi-weekly HSIF teleconferences
  • Selection and preparation of HSIF examples

39
HSIF semantics
  • New synchronous semantics developed
  • Signals vs. shared variables
  • Automata interact by means of signals
  • Single-writer property for each signal
  • Semantics preserves signal dependencies
  • A new signal value is simultaneously observed by
    all automata that depend on it
  • For shared variables dependencies are not
    preserved
  • Multiple writers are allowed
  • Having both signals and shared variables allows
    us to express both control and computer system
    problems.

40
CHARON HSIF conversion
  • CHARON-to-HSIF converter
  • Flattens mode and agent hierarchies
  • Each atomic agent becomes an automaton
  • The top-level agent becomes the network
  • Each atomic mode becomes a location in an
    automaton

41
CHARON HSIF conversion
  • HSIF-to-CHARON converter
  • Translates automata into agents
  • Translates states into modes
  • Produces flat CHARON

[Figure: the flat CHARON model produced by the converter, a network of Agent1, Agent2, Agent3 and Agent4.]
42
Topic Area 6. Project Plans and Capability
Advances
43
Project Plans
  • Describe your project's plans for next 6 months
  • Optimize reachability analysis techniques
  • Improve the simulation and analysis tools
  • Perform OEP experiments using these techniques
    and tools
  • Refine model-based code generation techniques and
    tool implementation
  • Refine model-based test generation techniques
  • Randomization coverage method
  • Property-based coverage
  • Participate in HSIF development
  • Identify specific performance goals
  • Demonstrate superior performance of the
    counterexample-guided analysis tool on large case
    studies
  • Demonstrate the feasibility of model-based test
    generation
  • Demonstrate the faithfulness of generated code,
    both theoretically and in case studies

44
Project schedule and milestones
[Figure: Gantt chart of the tasks below across quarters 3FY00 through 2FY03, with markers for "Milestone on schedule", "Milestone completed ahead of schedule" and "Deliverable".]
  • 1. Design language (HSIF development)
  • 2. Software toolkit
  • 3a. Semantics
  • 3e. Controller synthesis
  • 3f. Abstraction techniques
  • 3g. Code generation
  • 3h. Test generation
45
Project schedule and milestones
  • Past milestones
  • Q3FY02: Analysis Techniques and Tool Suite.
    Milestone achieved but research and enhancement
    continue
  • Deliverables: 2 research reports on abstraction
    techniques and analysis algorithms, tool
    implementation
  • Q1FY03: Optimal control synthesis. Milestone
    achieved but research continues
  • Deliverables: 2 research reports on
    input-to-state stability, prototype
    implementation
  • Upcoming milestones
  • Q2FY03: Model-based generation. Progress on
    schedule. Research report available, prototype
    implementation for a robot platform
  • Additional self-imposed milestone: algorithms and
    tools for test generation. Two research reports
    available. Implementation in progress

46
Topic Area 7. Technology Transition/Transfer
47
Technology Transition
  • Use of CHARON and its toolkit
  • CARA (Computer Assisted Resuscitation Algorithm):
    infusion pump system developed by WRAIR (Walter
    Reed Army Institute of Research)
  • Design specification, analysis, code generation
  • Goal enhance FDA approval process for embedded
    medical devices
  • NIST conformance test suite generation from
    metrology interface specifications
  • Modeling and analysis of biological processes
    such as protein transduction (DARPA BioComp
    program)
  • fits the hybrid systems paradigm very well
  • enhances state-of-the-art in biological research
    with analysis capabilities
  • Commercialization of bio sketch pad (powered by
    Charon)

48
The End.