Verification of Embedded Systems - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Verification of Embedded Systems


1
Verification of Embedded Systems
  • David Kendall
  • High Integrity Embedded Systems
  • Northumbria University

2
More talks
  • William Henderson, Timed Automata Models of
    Priority Preemptive Scheduling, Today, 12.00, LIP
    031
  • Young Saeng Park, Automatic Schedule Computation
    for Distributed Real-Time Systems using Timed
    Automata , Tomorrow, 13.30, LIP 0026
  • Michael Brockway, Dividing and Conquering
    Concurrent Systems, Tomorrow, 14.35, LIP 031

3
Embedded System
  • More and more software (e.g. the mobile phone)
  • Concurrency: many software and hardware components
  • Heterogeneity: digital (discrete time) and analog (real time)
  • Uncertainty: environment, failure scenarios
4
Distributed Embedded System
5
Complex Systems (picture)
  • 10^100,000 states
  • 10^11 stars
6
Managing Complexity (diagram)
  • System (mobile phone, motor car) --abstract--> Model (mathematics) --calculate--> Predict
  • System --test--> (exercise the system itself)
7
Preparing to manage complexity
  • I conclude that there are two ways of
    constructing a software design: one way is to
    make it so simple that there are obviously no
    deficiencies and the other way is to make it so
    complicated that there are no obvious
    deficiencies. The first method is far more
    difficult.
  • C.A.R. Hoare, The Emperor's Old Clothes, Comm ACM
    24(2), 75-83 (1981)

Design for Verification
8
Model checking for embedded systems (diagram)
  • The plant (sensors, actuators) is abstracted to a model of the environment; the controller to a model of the controller
  • The model checker takes both models plus a property specification and answers "Yes" or "Why not" (i.e. a counterexample)
9
Finite State Machine
  • States: smooth, bumpy; labels: bump, damp
  • Execution: smooth -bump-> bumpy -damp-> smooth -bump-> bumpy -damp-> smooth -bump-> bumpy
10
Finite State Machine
  • States: 0, 1; labels: a, b
  • Execution: 0 -a-> 1 -b-> 0 -a-> 1 -b-> 0 -a-> 1
11
Timed automaton
  • FSM + clocks H, H1, H2, etc.
  • Locations with invariants: 0 (H < 5), 1 (H < 2)
  • Edge 0 -> 1: guard H > 3, label a, reset H := 0
  • Edge 1 -> 0: guard H > 1, label b, reset H := 0
  • Each location carries an invariant; each edge carries a guard, a label and resets
  • Execution: (0,H=0) -3.5-> (0,H=3.5) -a-> (1,H=0) -1.2-> (1,H=1.2) -b-> (0,H=0) -4-> (0,H=4) -a-> ...
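The semantics behind that execution, as an added example that is not part of the slides: a small simulator for the two-location automaton above (clock H, invariants H < 5 and H < 2, guarded edges a and b that reset H). A delay is allowed only while the location's invariant holds, and an edge only when its guard holds; the slide's own trace replays exactly, and moves that break a guard or invariant are rejected.

```python
from typing import Callable, List, Tuple, Union

State = Tuple[int, float]   # (location, current value of clock H)
Move = Union[float, str]    # a time delay (number) or an edge label (string)

# Invariants of the two locations on the slide: 0: H < 5, 1: H < 2.
INVARIANTS: dict = {0: lambda h: h < 5, 1: lambda h: h < 2}

# Edges as (src, dst, label, guard, reset_H):
#   0 --H>3, a, H:=0--> 1   and   1 --H>1, b, H:=0--> 0
EDGES: List[Tuple[int, int, str, Callable[[float], bool], bool]] = [
    (0, 1, "a", lambda h: h > 3, True),
    (1, 0, "b", lambda h: h > 1, True),
]

def step(state: State, move: Move) -> State:
    """Apply one delay or one edge; raise ValueError if the automaton cannot do it."""
    loc, h = state
    if isinstance(move, (int, float)):
        # Delay: the invariant must hold throughout. Every invariant here is an
        # upper bound on H, so checking it at the end of the delay is sufficient.
        new_h = h + move
        if not INVARIANTS[loc](new_h):
            raise ValueError(f"delay {move} violates the invariant of location {loc}")
        return (loc, new_h)
    for src, dst, label, guard, reset in EDGES:
        if src == loc and label == move and guard(h):
            new_h = 0.0 if reset else h
            if not INVARIANTS[dst](new_h):
                raise ValueError(f"entering location {dst} violates its invariant")
            return (dst, new_h)
    raise ValueError(f"no enabled edge labelled {move!r} from location {loc} at H={h}")

def run(moves: List[Move], start: State = (0, 0.0)) -> List[State]:
    """Replay a sequence of moves; return every state visited, start included."""
    states = [start]
    for m in moves:
        states.append(step(states[-1], m))
    return states

def is_valid_run(moves: List[Move]) -> bool:
    """True iff the automaton can perform the whole sequence from (0, H=0)."""
    try:
        run(moves)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # The execution on the slide: (0,H=0) -3.5-> (0,H=3.5) -a-> (1,H=0) -1.2-> ...
    for s in run([3.5, "a", 1.2, "b", 4, "a"]):
        print(s)
```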
12
Production Cell
13
Checking the production cell
  • Program -> Timed Automaton
  • Property -> Temporal Logic
  • Whenever an item appears at the start of the
    input belt, it reaches the end of the output belt
    within 60s: (P -> <>_{<60} Q)
14
Problems
  • Model Construction
  • Property Specification
  • Output interpretation
  • State explosion
    • Our tool currently gives up checking the
      production cell after generating more than 10
      million states
    • Store states more compactly
    • Generate fewer states
    • Check components individually

15
Some lessons so far
  • Being formal is a prerequisite for algorithmic
    analysis. Formality is not an end by itself.
    Only algorithmic ("push button") tools are
    likely to be adopted by system designers.
  • It can be good to build your own model and tool. A good
    model should capture exactly the aspects you are
    interested in, and no more. Hence there is not
    one model or tool that fits all.
  • Abstraction and compositionality are necessary for
    scalability. Furthermore, model extraction,
    abstraction, and decomposition should be, like
    the analysis, automatic.
16
Questions?
17
Thanks to Tom Henzinger and Philip Koopman for
the pictures of phones, cars, stars and
processors!