Formal Analysis and Verification of Real-Time Systems - PowerPoint PPT Presentation

About This Presentation

Title: Formal Analysis and Verification of Real-Time Systems

Description: Model of a real-time system. Specification, analysis, and verification. Explicit-state and symbolic model checking. Real ... www.cs.uh.edu/~acheng/~acheng.html ... (PowerPoint PPT presentation)

Slides: 35
Provided by: csUh
Learn more at: https://www2.cs.uh.edu

Transcript and Presenter's Notes


1
Formal Analysis and Verification of Real-Time Systems
  • Albert M. K. Cheng
  • Real-Time Systems Laboratory
  • University of Houston

2
Correctness of Real-Time Systems
  • Satisfaction of logical correctness constraints
  • Satisfaction of timing constraints

3
Presentation Outline
  • Model of a real-time system
  • Specification, analysis, and verification
  • Explicit-state and symbolic model checking
  • Real-time logic and constraint-graph analysis
  • Analysis of real-time rule-based systems

4
A Real-Time System
[Figure: block diagram of a real-time system, with sensor input feeding a decision/action stage and the system state; the diagram's labels are A, X, Y, D and S.]
5
Specification, analysis, and verification
  • Structural/Functional
  • Behavioral - sequence of events and actions
  • Given: Specification (SP), Safety Assertion (SA)
  • Goal: relate SP to SA
  • Analysis - 3 cases:
  • SA is a theorem derivable from SP.
  • SA is unsatisfiable with respect to SP.
  • Negation of SA is satisfiable under certain
    conditions.

6
Analysis Techniques
  • Simulation
  • Testing
  • Verification
  • Run-time monitoring

7
Model Checking
Is the finite-state graph a model of the temporal logic formula?
  • Specification represented as a labeled finite-state graph (Kripke structure)
  • Safety assertion written as a temporal logic formula
8
Computation Tree Logic CTL
  • Propositional, branching-time temporal logic
  • Next-time operator X, Until operator U
  • A(E)X f: f holds in every (some) immediate
    successor of the current state
  • A(E)[f1 U f2]: for every (some) computation
    path, there exists an initial prefix of the path
    such that f2 holds at the last state of the
    prefix and f1 holds at all other states along the
    prefix

9
Example Solution to Mutual Exclusion Problem
[Figure: state graph of the two-process mutual-exclusion solution. The states are
pairs of process states (N1,N2), (T1,N2), (N1,T2), (C1,N2), (T1,T2) (two copies),
(N1,C2), (C1,T2), (T1,C2), where Ni, Ti and Ci stand for process i being in its
noncritical, trying and critical region.]
10
CTL abbreviations
  • AF(f) = A[True U f]
  • f holds in the future along every path from
    the initial state s0, so f is inevitable
  • EG(f) = NOT AF(NOT f)
  • EF(f) = E[True U f]: there is some path from the
    initial state s0 that leads to a state at which f
    holds, so f potentially holds
  • AG(f) = NOT EF(NOT f)

11
Explicit-State Model Checking
    /* Driver: label the state graph with the subformulas of the
       normalized formula table nf[], working from index length down,
       so every subformula is labelled before the formula containing it. */
    for (fi = length; fi > 1; fi--)
        labelgraph(fi, s, correct);

    /* Label the graph for subformula fi at state s with truth value b;
       the opcode of the subformula selects the per-operator routine
       (atf, ntf, adf, axf, exf, auf, euf are not shown on the slides). */
    labelgraph(fi, s, b)
        short fi, s;
        Boolean b;
    {
        short i;
        switch (nf[fi-1][0].opcode) {
        case atomic: atf(fi, s, b); break;   /* atomic proposition */
        case nt:     ntf(fi, s, b); break;   /* negation */
        case ad:     adf(fi, s, b); break;   /* conjunction */
        case ax:     axf(fi, s, b); break;   /* AX f */
        case ex:     exf(fi, s, b); break;   /* EX f */
        /* 12: Explicit-State Model Checking (continued) */
        case au:                             /* A[f1 U f2] */
            for (i = 0; i < numstates; i++)
                marked[i] = false;           /* clear the visited marks */
            for (i = 0; i < numstates; i++)
                if (!marked[i])
                    auf(fi, s, b);
            break;
        case eu:     euf(fi, s, b); break;   /* E[f1 U f2] */
        }
    }
13
Symbolic Model Checking
  • The transition relation between the values of the
    variables in the current and the next states can
    be stated as a Boolean formula
  • Use Binary Decision Diagrams (BDDs) to represent
    this Boolean formula
  • Apply the model checker to the finite-state graph
    represented as BDDs

14
Real-Time CTL
  • Existentially Bounded Until operator
  • E[f_1 U_[x,y] f_2] at state s_0 means there
    exists a path beginning at s_0 and some i such
    that x ≤ i ≤ y and f_2 holds at state s_i and
    for all j < i, f_1 holds at state s_j
  • Min/max delays
  • Min/max number of condition occurrences

15
Event-Action Model
  • Action: schedulable unit of work
  • primitive or composite (e.g., sequential X;Y, parallel X||Y)
  • State predicate: assertion about the state of the
    system
  • Timing constraints
  • Event: temporal marker - 4 types
  • external: cannot be caused by the system
  • start: begin action
  • stop: end action
  • transition: change in a certain state attribute

16
Timing Constraints
  • Periodic: while <state predicate> execute
    <action>
    with period <time1>
    deadline <time2>
  • Sporadic: when <event> execute <action>
    with deadline <time1>
    separation <time2>

17
Non-Real-Time Temporal Logic
  • Conventional temporal logic is concerned with the
    relative ordering of events
  • A;(B||C) means A;B;C or A;C;B
  • Can model interleaving actions
  • Cannot model parallel actions
  • To deal with absolute timing, add a clock variable:
    clock := clock + c, executed after every action
  • Acceptable only if actions are executed in
    sequential order

18
Real-Time Logic
  • 3 types of constants
  • Action constants, in capital letters: primitive or composite
    (partial ordering of events)
  • A.B: B appears in composite action A
  • Start and stop events
  • ↑A: event marking the initiation of action A
  • ↓A: event marking the completion of action A
  • Examples: A.B, A.B2

19
Real-Time Logic
  • Transition event constants
  • (S := T), (S := F)
  • External event constants
  • ΩBUTTON1: pressing button number 1
  • Integer constants
  • Occurrence function @: (E, W) → W
  • E: event, W: nonnegative integer
  • @(e, i): time of the i-th occurrence of event e
  • A timing property can be established by showing that
    there does not exist an occurrence function which
    is consistent with the specification in
    conjunction with the negation of the safety
    property under investigation

20
Examples of RTL Formulas
  • ∀i @(E, i) = t → t > 0
  • ∀i ∀j @(E, i) = t ∧ @(E, j) = t' ∧ i < j → t < t'
  • ∀x @(↑TrainApproach, x) < @(↑Downgate, x) ∧
    @(↓Downgate, x) < @(↑TrainApproach, x) + 30
  • ∀y @(↑Downgate, y) + 15 < @(↓Downgate, y)

21
Example Safety Assertion in RTL
  • ∀t ∀u
  • @(↑TrainApproach, t) + 45 < @(↑Crossing, u) ∧
  • @(↑Crossing, u) < @(↑TrainApproach, t) + 60 →
    @(↓Downgate, t) < @(↑Crossing, u) ∧
  • @(↑Crossing, u) < @(↓Downgate, t) + 45

22
Analysis of Rule-Based Systems
  • The RULES section is composed of a finite set of
    rules, each of which is of the form
  • a1 := b1 ! a2 := b2 ! ... ! am := bm
  • IF enabling condition
  • VAR: set of variables on the left-hand side of
    the assignment, i.e., the ai's
  • VAL: expressions on the right-hand side of the
    assignment, i.e., the bi's
  • EC: enabling condition

23
Simple Rule-Based Program
  • (1) object_detected := true IF sensor_a = 1
    AND sensor_a_status = good
  • (2) object_detected := true IF sensor_b = 1
    AND sensor_b_status = good
  • (3) object_detected := false IF sensor_a = 0
    AND sensor_a_status = good
  • (4) object_detected := false IF sensor_b = 0
    AND sensor_b_status = good

24
State Space Representation
[Figure: state-space graph of the rule-based program; the nodes are states A to P, and FP1, FP2 and FP3 mark the fixed points.]
25
Problem Complexity
  • In general, the analysis problem is undecidable
    if the program variables can have infinite
    domains, i.e., there is no general procedure for
    answering all instances of the decision problem.

26
Proof Outline
  • Any two-counter machine can be encoded by an
    equational rule-based program that uses only '+'
    and '-' as operations on integer variables and
    '>', '=' as atomic predicates, such that a
    two-counter machine accepts an input if and only
    if the corresponding equational rule-based
    program can reach a fixed point from an initial
    condition determined by the input to the
    two-counter machine.

27
Analysis Problem is Solvable for some Cases
  • All the variables of an equational rule-based
    program range over finite domains.
  • Set of variables in VAR and set of variables in
    VAL and EC are disjoint.
  • Enabling conditions are mutually exclusive.
  • Only constants are assigned to variables in
    VAR.

28
Compatibility of Rules
  • Let L_x denote the set of variables appearing in
    the LHS of rule x.
  • Two rules a and b are said to be compatible iff
    at least one of the following conditions holds:
  • (CR1) Test a and test b are mutually exclusive.
  • (CR2) L_a and L_b are disjoint.
  • (CR3) Suppose L_a and L_b are not disjoint.
    Then for every common variable v in L_a and L_b,
    the same expression must be assigned to v in both
    rules a and b.

29
Special Form A
  • Let L and T be the sets of variables in VAR and EC of
    the rules. A set of rules is in special form A if
    the following conditions hold:
  • (1) Constant terms are assigned to all the
    variables in L.
  • (2) All of the rules are compatible pairwise.
  • (3) L and T are disjoint.

30
Example
  • 1. a1 := true IF b = true AND c = true
  • 2. a1 := true IF b = true AND c = false
  • 3. a2 := false IF c = true
  • Rules 1 and 2 are compatible by conditions CR1
    and CR3. Rules 1 and 3 are compatible by
    condition CR2. Rules 2 and 3 are compatible by
    condition CR2.

31
General Analysis Strategy
[Figure: flowchart. The rule-based program enters the special form recognizer. When it contains independent rule sets in special form(s), the rule rewriter turns it into simpler programs, which are fed back to the recognizer; when no independent rule set is in special form, the program goes to the state-space analyzer.]
32
Example
  • input read(b, c)
  • 1. a1 := true IF b = true AND c = true
  • 2. a1 := true IF b = true AND c = false
  • 3. a2 := false IF c = true
  • 4. a3 := true IF a1 = true AND a2 = false
  • 5. a4 := true IF a1 = false AND a2 = false
  • 6. a4 := false IF a1 = false AND a2 = true
  • Rules 1 to 3 on their own:
  • input read(b, c)
  • 1. a1 := true IF b = true AND c = true
  • 2. a1 := true IF b = true AND c = false
  • 3. a2 := false IF c = true
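As an added worked example (not from the slides), an exhaustive state-space exploration of the six-rule program above, the kind of search slide 24 pictures and slide 25 says is decidable over finite domains: every firing order is followed from each input to its fixed points, and the firing graph is checked for cycles. The initial values a1..a4 = false and the names explore, has_cycle and analyse are assumptions of this example.

```python
# Added example, not from the slides: exhaustive state-space exploration of the six-rule
# program of slide 32, the search that slide 24 pictures and slide 25 says is decidable
# once every variable has a finite domain (here: Boolean). A rule is (assignments,
# enabling condition); the initial values a1..a4 = false are an assumption made here.
from collections import deque
from itertools import product
RULES = [
    ({"a1": True},  {"b": True, "c": True}),      # 1. a1 := true IF b = true AND c = true
    ({"a1": True},  {"b": True, "c": False}),     # 2. a1 := true IF b = true AND c = false
    ({"a2": False}, {"c": True}),                 # 3. a2 := false IF c = true
    ({"a3": True},  {"a1": True, "a2": False}),   # 4. a3 := true IF a1 = true AND a2 = false
    ({"a4": True},  {"a1": False, "a2": False}),  # 5. a4 := true IF a1 = false AND a2 = false
    ({"a4": False}, {"a1": False, "a2": True}),   # 6. a4 := false IF a1 = false AND a2 = true
]
enabled = lambda r, s: all(s[v] == x for v, x in r[1].items())
fire = lambda r, s: {**s, **r[0]}                 # parallel assignment of the rule's LHS
key = lambda s: tuple(s[v] for v in ("b", "c", "a1", "a2", "a3", "a4"))

def explore(rules, init):
    """BFS over every firing order: reachable fixed points (a1..a4) and the firing graph."""
    seen, edges, fixed, todo = {key(init)}, {}, set(), deque([init])
    while todo:
        s = todo.popleft()
        succ = [fire(r, s) for r in rules if enabled(r, s) and fire(r, s) != s]
        edges[key(s)] = [key(n) for n in succ]    # only state-changing firings are steps
        for n in succ:
            if key(n) not in seen:
                seen.add(key(n)); todo.append(n)
        if not succ:                              # no enabled rule changes the state
            fixed.add(key(s)[2:])
    return fixed, edges

def has_cycle(edges):
    """DFS over the firing graph; a cycle means some firing order never terminates."""
    colour = {}                                   # 1 = on the DFS stack, 2 = finished
    def visit(u):
        colour[u] = 1
        if any(colour.get(v) == 1 or (v not in colour and visit(v)) for v in edges[u]):
            return True
        colour[u] = 2
        return False
    return any(u not in colour and visit(u) for u in list(edges))

def analyse(rules=RULES):
    """Per input (b, c): sorted reachable fixed points and whether a firing order can loop."""
    out = {}
    for b, c in product([True, False], repeat=2):
        fixed, edges = explore(rules, dict(b=b, c=c, a1=False, a2=False, a3=False, a4=False))
        out[(b, c)] = (sorted(fixed), has_cycle(edges))
    return out
```

Every firing order terminates, but for b = true the program has two fixed points, differing in a4: rule 5 may fire before rule 1 sets a1, which is exactly the VAR/VAL-EC overlap that slide 27 rules out.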

33
Applications of Analysis Tools
  • Cryogenic Hydrogen Pressure Malfunction Procedure
    in the Pressure Control System of the Space
    Shuttle Vehicle
  • Integrated Status Assessment Expert System
  • Fuel Cell Expert System
  • Orbital Maneuvering and Reaction Control System

34
New Textbook
  • Albert Cheng - Real-Time Systems: Scheduling,
    Analysis, and Verification (John Wiley & Sons),
    ISBN 0471-184063, 2002. www.cs.uh.edu/~acheng/~acheng.html
  • For senior-level undergraduate/first-year
    graduate courses in real-time systems, embedded
    systems (software and hardware) engineering, and
    formal methods. Serves as a supplement to courses
    in operating systems and system design, as well
    as a reference for practitioners and researchers.