Title: Compositional Analysis of Timed Systems by Abstraction
1 Compositional Analysis of Timed Systems by Abstraction
- Leonid Mokrushin
- TAPVES
- 2007-02-08
2 Outline
- Motivation
- Arrival/Service Curves
- Compositional Analysis
- TA as Curve Transformers
- Abstracting TA
- Examples and Demo
- Conclusions
3 The ABB Robot Controller
[figure: welding program with precise moves; high-level instructions become commands and requests to the real-time tasks A, B, C, D]
- ABB robot controller (2 500 000 loc)
- Real-time tasks A, B, C, D
- Read inputs from channels, write output to channels
- Task priority order D > C > B > A (FPS)
- Buffer overflow/underflow, WCRT
4 Old Results (CFSM)
- Turing power
- Equivalent to finite automata
- People: Brand, Zafiropulo, Pachl, Purush Iyer, Finkel, Abdulla, Jonsson
[figure: communicating finite-state machines A and B exchanging messages over channels; half-duplex variant]
5 Communicating Timed Automata (CTA)
- Replace Finite Automata by Timed Automata
- Communication via unbounded FIFO channels
- Time is global (time passes globally and for all automata at the same pace)
- A, B, C Timed Automata
- Negative results carry over
- Positive results do not carry over (previous proofs do not work in the timed setting)
[figure: timed automata A and B communicating over a channel]
6 CTA - Results
CAV06, Pavel Wang
- CTA with one channel
  - Accepts non-regular context-free languages
  - Only regular languages in the untimed case!
  - Equivalent to Petri Nets with one unbounded place (eager reading → one-counter machines)
- CTA with two channels
  - Non-context-free context-sensitive languages
  - Petri Nets with two unbounded places (eager reading → Turing machines)
[figure: timed automata A and B communicating over one and over two channels]
7 The ABB Robot Controller
[figure: timed automata TA_A, TA_B, TA_C, TA_D and the scheduler TA_SCH connected through the task ready queue and shared variables]
TA_A × TA_B × TA_C × TA_D × TA_SCH with queues is TOO BIG
8
- In general
  - Precise analysis is impossible
- Our hope
  - Find a suitable abstraction
9 Kahn Process Networks (70s)
- Modeling Distributed, Signal Processing Systems
[figure: processes A, B, C connected by streams S1, S2, S3, S4, S5, S6]
- S1, S2, S3, ... streams
  - possibly infinite sequences of letters
- A, B, C processes
  - mappings from streams to streams, e.g., B(S2, S6) → S5
10 Abstract Stream Transformers
[figure: components A1, A2, A3 and queues Q1, Q2 connected by abstract streams]
- Components: abstract stream transformers
- Abstract stream defines a timed language
- Asynchronous communication
- Network Calculus (Cruz, Le Boudec, Thiran, 91-04)
  - Arrival Curves
- Real-Time Calculus (Thiele, Chakraborty, 00s)
  - Upper/Lower Arrival/Service Curves
11 Arrival/Service Curves
- Arrival Curves (events / data): number of events against window size, with an upper bound and a lower bound
- Service Curves (resources): available service against window size, with an upper bound and a lower bound
[figure: event stream over time, e.g. (a,3)(a,3.34)(a,3.39)(a,4)(a,10)..., and available resources over time, e.g. (100,0)(50,3.3)(100,7)...]
12 Building an Arrival Curve
- Slide a timed window of a fixed size
- Count max/min number of events in the window
[figure: window of one size sliding over the events along t, giving the counts 0,4]
- Choose another window etc.
[figure: window of another size sliding over the events along t, giving the counts 1,5]
13 Timing Analysis
[figure: worst-case request (upper arrival curve) and guaranteed resource (lower service curve), number of events against window size; the vertical gap is the required buffer size, the horizontal gap the response time (flow delay bound)]
- Backlog bound: max vertical distance
  - required buffer size
- Delay bound: max horizontal distance
  - flow delay bound
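Slides 12 and 13 carried through in code, as an added example that is not from the slides or the TIMES tool: the sliding-window construction of upper/lower arrival curves over a constructed event trace, then the backlog and delay bounds read off against a lower service curve. Integer window sizes, the finite observation horizon and the service curve used (a task owning the whole CPU, WCET 1.5) are assumptions made here.

```python
from bisect import bisect_left

# Constructed event trace (release times in time units); not taken from the slides.
EVENTS = [3.0, 3.34, 3.39, 4.0, 10.0, 10.5, 11.0, 17.0]
HORIZON = 20.0   # observation interval [0, HORIZON]; max_window must not exceed it

def count(trace, start, end):
    """Events in the half-open window [start, end)."""
    return bisect_left(trace, end) - bisect_left(trace, start)

def arrival_curves(trace, horizon, max_window):
    """upper[w] / lower[w] = max / min number of events in any window of size w
    (integer w is an assumption of this example). A fullest window can always be
    slid so that it starts at an event, an emptiest one so that it ends at an event
    or at the horizon, so only those positions have to be checked."""
    trace = sorted(trace)
    upper, lower = [0], [0]
    for w in range(1, max_window + 1):
        upper.append(max(count(trace, t, t + w) for t in trace))
        ends = [t for t in trace if t - w >= 0] + [horizon]
        lower.append(min(count(trace, e - w, e) for e in ends))
    return upper, lower

def service_curve(length, share, wcet):
    """Lower service curve in events: guaranteed CPU time per window / WCET."""
    return [int(w * share // wcet) for w in range(length)]

def backlog_bound(alpha_u, beta_l):
    """Max vertical distance between the curves: required buffer size (events)."""
    return max(a - b for a, b in zip(alpha_u, beta_l))

def delay_bound(alpha_u, beta_l):
    """Max horizontal distance: worst-case response time (time units)."""
    worst = 0
    for w, demand in enumerate(alpha_u):
        d = 0
        while beta_l[w + d] < demand:   # beta_l must be long enough to catch up
            d += 1
        worst = max(worst, d)
    return worst

def analyse(max_window=8, wcet=1.5):
    alpha_u, alpha_l = arrival_curves(EVENTS, HORIZON, max_window)
    beta_l = service_curve(2 * max_window + 1, 1.0, wcet)  # task owns the whole CPU
    return {"alpha_u": alpha_u, "alpha_l": alpha_l,
            "backlog": backlog_bound(alpha_u, beta_l),
            "delay": delay_bound(alpha_u, beta_l)}
```

The burst of three releases within 0.4 time units is what drives both bounds: three queued jobs (buffer size 3) and a response time of four window units before the service curve catches up.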
14 Compositional Timing Analysis
[figure: a TASK component with input event stream SI, output stream SO, available resource stream SAR and remaining resource stream SRR; tasks T1, T2, T3, T4 chained along the event and resource streams]
- Component: stream transformer
- Stream: upper/lower bounds
- Real-Time Calculus
  - SO = fE(SI, SAR), SRR = fR(SI, SAR)
- Compositional Analysis
  - Scheduling, end-to-end delay, backlog
15 Resources Scheduling
[figure: tasks A, B, C, D chained along the resource stream]
- Fixed priority scheduling policy
- Priority order
  - Priority(A) < Priority(B) < Priority(C) < Priority(D)
- Highest priority task has 100% of the CPU
- Negative service curve → non-schedulable
- Opposite direction gives min resource
16 Timed Automata with Tasks
- Events
  - Actions
- Timing constraints
  - Clocks / Guards / Resets
  - Complex event pattern
- Tasks
  - Asynchronous execution
  - WCET, Deadline
  - Scheduling policy
  - Precedence constraints
  - Resource constraints
[figure: edge with guard x < 3, action a!, reset x := 0, releasing Task (C,D)]
17 Run of TAT
(Idle, x=0, [])
  0.1 → (Idle, x=0.1, [])
  → (RelP, x=0, P(2,8))
  1.5 → (RelP, x=1.5, P(0.5,6.5))
  → (RelQ, x=1.5, P(0.5,6.5),Q(2,20))
  1.5 → (RelQ, x=3, Q(1,18.5))
  → (Idle, x=3, Q(1,18.5))
  → (RelP, x=0, P(2,8),Q(1,18.5))
  2 → (RelP, x=2, Q(1,16.5))
[figure: schedule of Idle, P and Q over time with marks at 0.1, 1.6, 2.1, 3.1, 5.1]
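The run above replayed step by step, as an added example that is not from the slides or the TIMES tool. The task parameters P(2,8) and Q(2,20) are the slide's; the EDF ordering of the ready queue is an assumption that reproduces the slide's queue contents, and the deadline-miss check is added here.

```python
# Added example: task parameters are those of slide 17, the EDF ordering of the
# ready queue is an assumption that reproduces the slide's run.
TASKS = {"P": (2.0, 8.0), "Q": (2.0, 20.0)}   # name: (computation time, relative deadline)

class TATRun:
    """(location, clock x, ready queue); queue entries: [name, remaining, deadline]."""
    def __init__(self):
        self.loc, self.x, self.queue = "Idle", 0.0, []

    def release(self, loc, name, reset_clock=True):
        """Discrete transition: enter loc, optionally reset x, release the task."""
        comp, dl = TASKS[name]
        self.loc = loc
        if reset_clock:
            self.x = 0.0
        self.queue.append([name, comp, dl])
        self.queue.sort(key=lambda job: job[2])   # EDF: earliest deadline runs first
        return self.state()

    def move(self, loc):
        self.loc = loc                             # discrete transition, no release
        return self.state()

    def delay(self, t):
        """Delay transition: x advances, the queue head executes preemptively and
        every queued deadline shrinks; a job still queued past its deadline is a miss."""
        self.x += t
        left = t
        while left > 0 and self.queue:
            head = self.queue[0]
            run = min(left, head[1])
            head[1] -= run
            for job in self.queue:
                job[2] -= run
            left -= run
            if head[1] == 0:
                self.queue.pop(0)
        if any(job[2] < 0 for job in self.queue):
            raise RuntimeError(f"deadline missed: {self.state()}")
        return self.state()

    def state(self):
        jobs = ",".join(f"{n}({c:g},{d:g})" for n, c, d in self.queue)
        return f"({self.loc}, x={self.x:g}, {jobs})"

def slide_run():
    """Replay the run of slide 17 and return the visited states."""
    r = TATRun()
    return [r.state(), r.delay(0.1), r.release("RelP", "P"), r.delay(1.5),
            r.release("RelQ", "Q", reset_clock=False), r.delay(1.5),
            r.move("Idle"), r.release("RelP", "P"), r.delay(2)]
```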
18 TA as Curve Transformers
[figure: timed automata TA1 and TA2 with actions a!, b?, c! releasing tasks T1, T2, T3 into the OS ready queue; the scheduling policy runs them on the CPU and reports task completion (TIMES tool)]
- Timed Automata as complex task release patterns
- We have to make them operate on curves
19 TA <-> Curve Transformation
[figure: curve transformation using UPPAAL: an Event Generator (EG) encodes the input Arrival Curve (AC) and feeds the TA model of a system component F; an Event Observer (EO) measures the output Departure Curve; L(EG) = L(AC), L(F(AC)) ⊆ L(EO)]
Assumption: for every component Fi, the composition of A_EG, A_Fi and A_EO is possible
20 Encoding Arrival Curves as TA
Generator
[figure: circular buffer of clocks x1 ... x7 with a pointer; the invariant enforces the lower bound, the guard the upper bound]
    const int LB = 12;
    const int UB = 12;
    const int mLB[LB] = {0,0,0,1,1,1,2,2,3,3,3,4};   // min events per window size
    const int MUB[UB] = {2,2,4,4,4,4,5,5,7,7,7,7};   // max events per window size
    const int CN = mLB[LB-1] < MUB[UB-1] ? MUB[UB-1] : mLB[LB-1];   // clocks needed
    clock x[CN];             // one clock per remembered event, used as a circular buffer
    int[0,CN-1] index;       // next buffer slot to be overwritten
    int[0,CN] counter;       // events remembered so far (saturates at CN)
    int[0,UB] v;

    // clock of the backtrack-th most recent event, wrapping around the buffer
    int[0,CN-1] getIndex(int backtrack) {
        int i = index - backtrack;
        if (i < 0) i += CN;
        return i;
    }

    // record a new event: reset its clock and advance the pointer
    void addNewEvent() {
        x[index] = 0;
        index = (index == CN-1 ? 0 : index + 1);
        if (counter < CN) counter++;
    }
[figure: guards x4 > M[i-1], x3 > M[i-2], x2 > M[i-3], x1 > M[i-4]; plot of MUB and mLB (number of events against window size), CN = 7]
21 Approximating TA with Arrival Curves
Observer
- Composition of A_SYSTEM and A_OBSERVER
- One clock, one integer
- Non-deterministic window offset
- One window → one state space exploration
- Max considerable window size (dt) must be specified
[figure: observer with clock x and int counter; the window opens at x = 0 and closes at x = dt, recording the max/min number of events]
22 A Problem with Approximation
[figure: number of events against window size; beyond the last measured dt the overapproximated stream diverges from the actual stream]
- We need to know a safe value of dt
23 A Problem with Approximation
[figure: service curve and response time, number of events against window size]
- Sometimes we can still perform timing analysis using precise data
- An adaptive approach?
24 Another algorithm
[figure: number of events against window size; a segment of angle a = m/n touching the curve]
- Angle a is rational
  - m, n integers
  - LCM(m,n) can become very big (hyperperiod)
  - Rapid slow-down
- Search for the segment that touches the curve
- Find the smallest intersection point and repeat
- Encoding of the intersection criterion into TA
25 Simple Scheduling Example
- 4 tasks: 3 periodic, 1 aperiodic (TA)
- Preemptive fixed priority scheduling
- Given BCET/WCET
- Abstracting release pattern with streams
- Analysis
  - Worst-case response time
  - Required OS ready queue size
26 An Example with Feedback
[figure: TASK1 and TASK2 sharing one CPU; TASK1 is triggered by the AND of the input stream and the TASK2 output; an initial condition activates TASK2]
- TASK1 input depends on the TASK2 output
- TASK1 uses TASK2's remaining resource
- TASK2 input depends on TASK1 output
- Given
  - TASK1 input stream
  - Initial condition on activation of TASK2
- Iterative computation until fixed point
27 Books, Papers
- Rene L. Cruz. A Calculus for Network Delay. IEEE Transactions on Information Theory, 1991.
- J.-Y. Le Boudec, P. Thiran. Network Calculus: A Theory of Deterministic Queuing Systems for the Internet. 2004.
- L. Thiele, S. Chakraborty, M. Naedele. Real-time Calculus for Scheduling Hard Real-Time Systems. Proc. of ISCAS, 2000.
- L. Thiele, S. Chakraborty, M. Gries, A. Maxiaguine, J. Greutert. Embedded Software in Network Processors - Models and Algorithms. Proc. of EMSOFT, 2001.
- E. Wandeler, L. Thiele. Real-Time Interfaces for Interface-Based Design of Real-Time Systems with Fixed Priority Scheduling. 2005.
- P. Krcal, L. Mokrushin, W. Yi. A Tool for Compositional Analysis of Timed Systems by Abstraction. Tool paper submitted to CAV 2007.
28 Conclusions
- Abstraction technique for timed component systems
  - One component at a time
  - no big product (GALP)
  - Possibility to parallelize verification
- Heterogeneous systems
  - a potential to combine different formalisms
- Prototype
- How good is our abstraction? (Examples)
- Feedback? (Termination)
- Bound on max window size? (Adaptation?)
- Shared resources? (Priority Ceiling Protocol)
29 Thank you!