Practical verification of real-time systems


Alexandre David
Uppsala University
Department of Information Technology

Practical Verification of Real-Time Systems

by
Alexandre David

September 2001

Department of Computer Systems
Information Technology
Uppsala University
Uppsala
Sweden

Dissertation for the degree of Licentiate of Philosophy in Computer Science at Uppsala University 2001

Alexandre David
adavid@docs.uu.se
Department of Computer Systems, Information Technology
Uppsala University, Box 337, SE-751 05 Uppsala, Sweden
http://www.it.uu.se/

© Alexandre David 2001
ISSN 1404-5117
Printed by the Department of Information Technology, Uppsala University, Sweden

Abstract

Formal methods are becoming mature enough to be used on nontrivial examples. They are particularly well fitted for real-time systems, whose correctness is defined in terms of correct responses at correct times. Most common real-time systems are of reasonable size and can therefore be handled by an automatic verification tool such as Uppaal. Unfortunately, the application of such techniques is not widely spread.

This thesis presents advances in making formal techniques a more accessible technology for system development and analysis. As the first contribution, we report on an industrial case study to show that model checkers can be used for debugging and error localization. We shall present a number of abstraction techniques applied in the case study to avoid the state explosion problem. As the second contribution, we have developed a hierarchical extension of timed automata to enable more structured, compact, and more complex descriptions of systems by the users. Such a hierarchical representation is better suited for abstraction and is expected to give better searching algorithms. Finally, we present a hybrid animation system serving as a plug-in module for model checkers to improve features for modelling and simulation.


List of Publications

- Modeling and Analysis of a Commercial Field Bus Protocol, Alexandre David and Wang Yi. In Proceedings of the 12th Euromicro Conference on Real Time Systems, Stockholm, Sweden, 19-21 June 2000, pages 165-172. I participated in the discussions, made the models, conducted the verification and wrote the paper.

- A Realtime Animator for Hybrid Systems, Tobias Amnell, Alexandre David, Wang Yi. In Proceedings of the ACM SIGPLAN workshop LCTES, Vancouver, June 2000, LNCS vol. 1985. I participated in the discussions, implemented parts of the engine, and wrote the implementation section.

- Formal Verification of UML Statecharts with Real-time Extensions, Alexandre David, Oliver Möller, Wang Yi. Presented at the Nordic Workshop 2001, 10-12 October, Denmark. Technical report, Department of Information Technology, Uppsala University. I participated in the discussions and wrote the sections on syntax and semantics.

- From HUppaal to Uppaal, A Translation from Hierarchical Timed Automata to Flat Timed Automata, Alexandre David and Oliver Möller. Technical report published in the BRICS report series, ISSN 0909-0878. I participated in the discussions and wrote the sections on syntax and semantics.

Acknowledgments

I would like to thank all the people who helped me during the work on this thesis. I cannot be complete because many have moved, but in an attempt they are: my supervisor Wang Yi for his patience, Paul Pettersson for his humour, the Uppsala part of the Uppaal team Elena Fersman, Johan Bengtsson, Tobias Amnell, Fredrik Larsson, and Leonid Mokrushin for their support, the Aalborg part of the Uppaal team Kim Larsen, Gerd Behrmann, Oliver Möller, and Kåre Kristoffersen for their support.

I am very grateful to Ulf Hammar and Thomas Lindström for the time they spent in discussing implementation issues. I would like also to thank Julien d'Orso, Johann Deneux, and Sergei Vorobyov for their help and support, Helena Pettersson and Anne Marie Nilson who know all about administration and forms, and saved me many times. I thank my parents and my brother for giving me courage. Finally I apologize for those not being named here. I would probably need a book for you all.

The work has been supported by ARTES and ASTEC.


This thesis consists of 3 parts: a case study on the analysis of a field protocol that is a commercial product, the work on hierarchical timed automata done in collaboration with Aalborg University, and the work on hybrid automata.

The problem we are interested in is to analyse real-time systems. Due to the size and complexity of real systems, it is difficult to model and verify these systems. This work aims at presenting a technique for modeling large systems through a case study. This technique decomposes the system in different parts that are abstracted and put together. To improve the modeling and the verification we propose a hierarchical version of timed automata. This extension of timed automata ultimately aims at verifying UML state-charts. Finally, to help engineers to "see" if their model is correct and to make the simulation more interactive, an animator based on hybrid automata has been developed. This animator interacts tightly with timed automata and allows user-generated events during the simulation.

Case Study: Modeling and Analysis of a Field-bus Protocol

In this study we report on an industrial application of the Uppaal tool to model and debug a commercial field bus communication protocol. This protocol is developed and implemented for safety-critical applications, e.g. process control. It has been running in various industrial environments over the world for the past ten years. During its seven years on the market, a number of errors have been detected, which result in time-outs and retransmissions. Due to the complexity it has been very time and resource consuming to troubleshoot these errors.

The company's interest is to improve the development process, reduce the maintenance time/costs and to improve the quality of the product with the help of formal methods. The goal of the project is not to verify the correctness of the protocol in any sense of completeness, which is basically impossible due to the size and complexity of the system, but to localize the error sources in both the protocol logic and the implementation at the source level.

To our knowledge, this case study is the largest reported so far where the Uppaal tool has been applied. The whole protocol involves hundreds of pages of protocol specification and more than 27000 lines of source code. The study was carried out on the core of the protocol, which involved 151 pages of documentation and 5541 lines of Modula-2 [1], which pushed Uppaal to its limits. We show to which extent an academic tool can be used in practice in an industrial context.

We adopt an engineering approach to achieve our primary goal, which is to find bugs. The protocol is divided into 2 parts to tackle its size and complexity. The larger models are built incrementally on top of simplified models studied separately. It is an engineering approach since it is very much related to the components used in industry.

During the case study, a number of errors in the protocol logic and its implementation have been found and debugged based on abstract models of the protocol; respective improvements have been suggested. It turns out that many of the problems are due to incorrect usage of synchronization and timing mechanisms in the implementation of the protocol, in particular, semaphores and time-outs.

[1] Figures obtained with wc.


Timed Automata Extension: From HUppaal to Uppaal

We propose a hierarchical extension of timed automata. This formalism is meant to be close to UML state-charts, to ultimately allow their formal verification. This work is carried out in connection with the WOODDES project, which aims at improving the design process, methods, and tools for real-time embedded systems. We are particularly involved in the state-chart diagrams. We propose a rich extension of Uppaal to meet this goal.

A number of modeling and verification tools for real-time systems have been developed based on the theory of timed automata. They have been successfully applied in various case studies. They have mainly been used in the academic community and they are beginning to enter industry, though still as academic products. On the other hand, the commercially available tools offer design capabilities [Rha, HG97, Vis] with simulation, while verification is limited. Some of them offer strong proof capabilities but are weaker on the modeling side [pro].

The state-charts formalism is appreciated by engineers because it is intuitive and graphical. The verification part is usable because it is automated and error traces are generated to allow graphical debugging of systems. Hierarchical models are concise, which allows complex systems to be handled. The challenge lies in the model-checking, to limit the explosion due to this conciseness.

Though we have a working prototype for a grammar and a translation, it is to be considered work in progress. We made the implementation accessible for future reference as a frozen version at http://www.brics.dk/~omoeller/hta/vanilla-1/.

The translation version, named Vanilla-1, is documented as a milestone to make experiments with. It is not able to translate some powerful modeling constructs, though they are already present syntactically.

Unresolved issues in Vanilla-1 are in particular local declarations, scope overriding, history entries, synchronization mechanisms other than handshake communication, and parameterized templates.

In the near future, it is planned to implement an editor for the hierarchical grammar in the Uppaal tool. Simulation and verification of hierarchical models, however, are done on flat Uppaal timed automata, constructed by future versions of Vanilla-1.

There is a strong correspondence between hierarchical and flat traces. However, the imperative of introducing fresh and unambiguous names for flattened constructs makes it difficult for a human user to see this immediately. One possible remedy for this is to equip the Uppaal simulator with the appropriate mapping, so it can display names as specified in the hierarchical system. We feel that it is also necessary to provide a translation of TCTL formulas to corresponding ones in the flattened version. This seems to be purely syntactical, but strongly dependent on the mapping of local and global variables.

Looking ahead, we believe that there is a great potential for exploiting the hierarchical structure directly in terms of shaping more efficient model checking algorithms.
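The flattening step and the naming problem described above, as an added example that is not code from the thesis or from the Vanilla-1 translator: a small hierarchical automaton is translated into flat locations with fresh, unambiguous names, and the reverse mapping is kept so that a flat trace can be displayed under its hierarchical names (the simulator-side remedy the text mentions). The state tree, the transitions, and the naming scheme (path components joined by `__`) are all constructed for this example; clocks, guards and synchronisation are left out.

```python
# Added example (not from the thesis or Vanilla-1): hierarchical -> flat locations
# with fresh names, plus the mapping back for trace display.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Path = Tuple[str, ...]   # hierarchical name, e.g. ("Root", "Active", "Idle")
SEP = "__"               # assumed separator for the fresh flat names


@dataclass
class State:
    name: str
    children: List["State"] = field(default_factory=list)
    initial: Optional[str] = None   # child entered by default (composite states only)

    def is_leaf(self) -> bool:
        return not self.children


def lookup(root: State, path: Path) -> State:
    """Resolve a hierarchical path to the State it names."""
    if path[0] != root.name:
        raise KeyError(path)
    node = root
    for name in path[1:]:
        node = next(c for c in node.children if c.name == name)
    return node


def leaves(state: State, prefix: Path = ()) -> List[Path]:
    """All leaf paths below `state`; a superstate stands for all of its leaves."""
    path = prefix + (state.name,)
    if state.is_leaf():
        return [path]
    out: List[Path] = []
    for child in state.children:
        out.extend(leaves(child, path))
    return out


def initial_leaf(state: State, prefix: Path = ()) -> Path:
    """Follow initial entries down to the leaf entered when `state` is entered."""
    path = prefix + (state.name,)
    if state.is_leaf():
        return path
    child = next(c for c in state.children if c.name == state.initial)
    return initial_leaf(child, path)


def flat_name(path: Path) -> str:
    return SEP.join(path)


def flatten(root: State, transitions: List[Tuple[Path, Path, str]]):
    """Return (locations, edges). `locations` maps each fresh flat name back to
    its hierarchical path; `edges` are (flat_src, flat_dst, label) triples."""
    locations: Dict[str, Path] = {}
    for leaf in leaves(root):
        name = flat_name(leaf)
        if name in locations:            # fresh names must stay unambiguous
            raise ValueError(f"flat name collision: {name}")
        locations[name] = leaf
    edges: List[Tuple[str, str, str]] = []
    for src, dst, label in transitions:
        sources = leaves(lookup(root, src), src[:-1])        # leaving a superstate = leaving each leaf
        target = initial_leaf(lookup(root, dst), dst[:-1])   # entering a superstate = its initial leaf
        for s in sources:
            edges.append((flat_name(s), flat_name(target), label))
    return locations, edges


def show_trace(locations: Dict[str, Path], flat_trace: List[str]) -> List[str]:
    """Display a flat trace with the names the user wrote in the hierarchical model."""
    return ["/".join(locations[loc]) for loc in flat_trace]


# Constructed example: two superstates that each contain a local "Idle".
ROOT = State("Root", initial="Standby", children=[
    State("Standby", initial="Idle", children=[State("Idle"), State("Check")]),
    State("Active", initial="Idle", children=[State("Idle"), State("Busy")]),
])
TRANSITIONS = [
    (("Root", "Standby"), ("Root", "Active"), "start"),           # from a superstate
    (("Root", "Active", "Busy"), ("Root", "Standby"), "stop"),    # into a superstate
    (("Root", "Active", "Idle"), ("Root", "Active", "Busy"), "work"),
    (("Root", "Standby", "Idle"), ("Root", "Standby", "Check"), "poll"),
    (("Root", "Standby", "Check"), ("Root", "Standby", "Idle"), "ok"),
]

if __name__ == "__main__":
    locs, edges = flatten(ROOT, TRANSITIONS)
    for e in edges:
        print(e)
    print(show_trace(locs, ["Root__Standby__Idle", "Root__Active__Idle", "Root__Active__Busy"]))
```

The two local `Idle` states become `Root__Standby__Idle` and `Root__Active__Idle`, which is exactly the kind of name a user does not recognise in a flat trace; `show_trace` is the mapping that gives the hierarchical names back. The single `start` transition out of the superstate `Standby` becomes one flat edge per leaf, which is where the size of the flat model starts to grow.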

A Real-Time Animator for Hybrid Systems

Uppaal is a software tool for modeling, simulation and verification of real-time systems that can be described as timed automata. In recent years, it has been applied in a number of case studies [KrJKW, LPY98, LP97, HSLL97, RT], which demonstrates the potential application areas of the tool. It suits best the class of systems that contain only discrete components with real-time clocks. But it cannot handle hybrid systems, which has been a serious restriction on many industrial applications. This work is to extend the Uppaal tool with features for modeling and simulation of hybrid systems. This part is based on the paper [ADY00].

A hybrid system is a dynamical system that may contain both discrete and continuous components whose behavior follows physical laws [Hen], e.g. process control and automotive systems. In this paper, we shall adopt hybrid automata as a basic model for such systems. A hybrid automaton is a finite automaton extended with differential equations assigned to control nodes, describing the physical laws. Timed automata [AD94] can be seen as a special class of hybrid automata with the equation $\dot{x} = 1$ for all clocks x. We shall present an operational semantics for hybrid automata with dense time and its discrete version for a given time granularity. The discrete semantics of a hybrid system shall be considered as an approximation of the continuous behavior of the system, corresponding to sampling in control theory.

We have developed a real-time animator for hybrid systems based on the discrete semantics. It can be used to simulate the dynamical behavior of a hybrid system in a real-time manner. The animator implements the discrete semantics for a given automaton and sampling period, using the differential equation solver CVODE. Currently the engine of the animator has been implemented in Java and C using CVODE. We are aiming at a graphical user interface for editing and showing moving graphical objects and plotting curves. The graphical objects act on the screen according to physical laws described as differential equations and synchronize with controllers described as timed automata in Uppaal.
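The discrete semantics sketched in the two paragraphs above, as an added example that is not code from the thesis or from its animator: a hybrid automaton whose control nodes carry differential equations is run at a fixed sampling period, with the timed-automaton special case ($\dot{x} = 1$) included. The animator uses CVODE; this example substitutes a fixed-step RK4 integrator so that it runs stand-alone, and the thermostat, the clock automaton, the sampling period and the rule "evolve for one period, then take the first enabled edge" are all assumptions made here.

```python
# Added example (not from the thesis or its animator): discrete (sampled) semantics
# of a hybrid automaton with an RK4 integrator standing in for CVODE.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Vars = Dict[str, float]
Trace = List[Tuple[float, str, Vars]]   # (time, control node, variable values)


@dataclass
class Node:
    name: str
    flow: Dict[str, Callable[[Vars], float]]        # dx/dt for each continuous variable
    invariant: Callable[[Vars], bool] = lambda v: True


@dataclass
class Edge:
    src: str
    dst: str
    guard: Callable[[Vars], bool]
    reset: Callable[[Vars], Vars] = lambda v: dict(v)


@dataclass
class HybridAutomaton:
    nodes: Dict[str, Node]
    edges: List[Edge]
    init_node: str
    init_vars: Vars

    def rk4_step(self, node: Node, v: Vars, h: float) -> Vars:
        """One continuous step of length h under the flow attached to `node`."""
        def deriv(s: Vars) -> Vars:
            return {x: (node.flow[x](s) if x in node.flow else 0.0) for x in s}
        k1 = deriv(v)
        k2 = deriv({x: v[x] + h / 2 * k1[x] for x in v})
        k3 = deriv({x: v[x] + h / 2 * k2[x] for x in v})
        k4 = deriv({x: v[x] + h * k3[x] for x in v})
        return {x: v[x] + h * (k1[x] + 2 * k2[x] + 2 * k3[x] + k4[x]) / 6 for x in v}

    def run(self, h: float, steps: int) -> Trace:
        """Discrete semantics for sampling period h: at each sample point the
        variables evolve for h under the current node's flow, then the first
        enabled edge (if any) is taken. Stops early if a node invariant fails."""
        node, v = self.init_node, dict(self.init_vars)
        trace: Trace = [(0.0, node, dict(v))]
        for i in range(1, steps + 1):
            v = self.rk4_step(self.nodes[node], v, h)
            if not self.nodes[node].invariant(v):
                break                       # sampled behaviour left the invariant
            for e in self.edges:
                if e.src == node and e.guard(v):
                    node, v = e.dst, e.reset(v)
                    break
            trace.append((i * h, node, dict(v)))
        return trace


def thermostat() -> HybridAutomaton:
    """Constructed hybrid system: heater off, T' = -0.1*T; heater on, T' = 0.1*(30 - T)."""
    return HybridAutomaton(
        nodes={"Off": Node("Off", {"T": lambda v: -0.1 * v["T"]}),
               "On": Node("On", {"T": lambda v: 0.1 * (30.0 - v["T"])})},
        edges=[Edge("Off", "On", lambda v: v["T"] <= 18.0),
               Edge("On", "Off", lambda v: v["T"] >= 22.0)],
        init_node="Off", init_vars={"T": 20.0})


def clock_automaton() -> HybridAutomaton:
    """Timed automaton as the special case: one clock x with derivative 1."""
    return HybridAutomaton(
        nodes={"wait": Node("wait", {"x": lambda v: 1.0}),
               "done": Node("done", {"x": lambda v: 1.0})},
        edges=[Edge("wait", "done", lambda v: v["x"] >= 3.0, lambda v: {"x": 0.0})],
        init_node="wait", init_vars={"x": 0.0})


def temperature_band(trace: Trace) -> Tuple[float, float]:
    temps = [v["T"] for _, _, v in trace]
    return min(temps), max(temps)


def first_time_in(trace: Trace, node: str) -> float:
    return next(t for t, n, _ in trace if n == node)


if __name__ == "__main__":
    print(temperature_band(thermostat().run(h=0.5, steps=200)))
    print(first_time_in(clock_automaton().run(h=0.5, steps=10), "done"))
```

With a sampling period of 0.5 the thermostat overshoots its 18/22 switching thresholds by a fraction of a degree, which is the approximation error the text refers to when it calls the discrete semantics a sampled version of the continuous behaviour; a smaller period narrows the band. For the clock automaton the integrator is exact, so the edge fires at time 3.0 as it would under the dense-time semantics.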


Contents

I Modeling and Analysis of a Field Bus Protocol  7
1 The Field Bus Protocol  9
1.1 Overview  9
1.2 Field Interface: The Transport Layer  10
1.2.1 The Structure  10
1.2.2 The Protocol Logic  12
1.3 Bus Coupler: The Data Link Layer  13
1.3.1 The Structure  13
1.3.2 The Protocol Logic  15
2 Modeling and Abstraction  17
2.1 The Modeling Process  17
2.2 A Detailed Model of the Bus Coupler  17
2.3 Abstraction Techniques  19
2.3.1 Abstraction Mechanisms in Uppaal  19
2.3.2 Error Pruning  19
2.3.3 Hiding  20
2.3.4 Atomicity and Delays  20
2.3.5 Refining the Models  21
2.4 Abstract Models of the Bus Coupler  21
2.5 Relating the Models  21
2.5.1 Error Localisation  21
2.5.2 Reduction Relation  22
2.5.3 Relations between the Models  23
2.6 Modeling FI  23
2.7 Detailed Models of FI Master  24
2.8 Detailed Models of FI Slave  25
2.9 Validation of FI Models  25
3 Verification  27
3.1 Properties  27
3.2 Bus Coupler  28
3.2.1 Detailed Models  28
3.2.2 Abstract Models  30
3.3 Field Interface  31
3.3.1 Master Model  32
3.3.2 Slave Model  32
3.3.3 Complete Model  33
