Number of slides: 25
Model-based Analysis and Implementation of Embedded Systems
Rajeev Alur, University of Pennsylvania, www.cis.upenn.edu/~alur/
MIT Workshop, August 2005
Model-Based Design
• Benefits of model-based design
  - Detecting errors in early stages
  - Powerful and formal analysis
  - Reusable components
  - Automatic code generation
• Many commercial tools are available for design of embedded control systems (e.g. Simulink)
  - Typically, semantics is not formal
  - Typically, only simulation-based analysis
  - Code generation available, but precise relationship between model and code not understood
Charon Project at Penn
Figure: design flow from a Formal Specification through a Programming/Modeling Language Based on Hybrid Automata, Design and Analysis Tools (Simulation, Verification, Optimization) and a Compiler + Scheduler to Executable Code on an Embedded Processor; the Environment Model, Performance Metrics, Platform Description and Libraries in the Base Language enter as inputs.
• Can we formally prove safety properties of models?
• Can we infer properties of code from properties of models?
Hybrid Modeling
State machines + Dynamical systems
Figure: thermostat automaton with modes on (dx = kx, invariant x < 70) and off (dx = -k'x, invariant x > 60); the switch on -> off is guarded by x > 68 and off -> on by x < 63.
Application areas: Automotive, Coordination Protocols, Robotics, Animation, Systems Biology
CHARON Language Features
• Individual components described as agents
  - Composition, instantiation, and hiding
• Individual behaviors described as modes
  - Encapsulation, instantiation, and scoping
• Support for concurrency
  - Shared variables as well as message passing
• Support for discrete and continuous behavior
  - Differential as well as algebraic constraints
  - Discrete transitions can call Java routines
• Compositional semantics with refinement rules
CHARON Toolkit
Figure: a model and a temporal property are fed to a Model Checker, which either answers "yes" or returns an error trace.
• Advantages
  - Automated formal verification, effective debugging tool
  - Impressive industrial success
    In-house groups: Intel, Microsoft, Lucent, Motorola…
    Commercial model checkers: FormalCheck by Cadence
• Model checking for discrete systems
  - Enumerative state-space search (SPIN)
  - Symbolic search using Binary decision diagrams (SMV)
  - Bounded model checking using SAT solvers
Symbolic Safety Verification
Data type: region, to represent state-sets
  R := I(X)   /* initial set */
  Repeat
    If R intersects target F, report "violation"
    Else if R contains Post(R), report "safe"
    Else R := R union Post(R)
Post(R): set of successors of states in R
Termination may or may not be guaranteed
Figure: initial set I and target set F in the state space
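The fixpoint loop above, as an added example that is not part of the slides or of the CHARON toolkit: regions are plain sets of discrete states, and the system is a constructed discrete-step version of the on/off thermostat (one degree per step instead of dx = kx), with an iteration budget because termination is not guaranteed in general.

```python
from typing import Callable, FrozenSet, Hashable, Iterable, Set, Tuple

State = Hashable
Region = FrozenSet[State]


def symbolic_safety(init: Iterable[State],
                    post: Callable[[State], Set[State]],
                    target: Callable[[State], bool],
                    max_iter: int = 10_000) -> Tuple[str, Region]:
    """R := I; repeat: R hits F -> 'violation', Post(R) contained in R -> 'safe',
    else R := R union Post(R).  Returns 'unknown' when the budget runs out,
    since the loop need not terminate for infinite state spaces."""
    R: Region = frozenset(init)
    for _ in range(max_iter):
        if any(target(s) for s in R):
            return "violation", R
        successors = frozenset(t for s in R for t in post(s))
        if successors <= R:          # R contains Post(R): fixpoint reached
            return "safe", R
        R = R | successors
    return "unknown", R


def thermostat_post(state: State) -> Set[State]:
    """Constructed thermostat: mode 'on' heats one degree per step while x < 70
    and may jump to 'off' when x > 68; mode 'off' cools one degree per step
    while x > 60 and may jump to 'on' when x < 63 (guards as on the slide)."""
    mode, x = state
    succ: Set[State] = set()
    if mode == "on":
        if x < 70:
            succ.add(("on", x + 1))      # continuous flow, discretised
        if x > 68:
            succ.add(("off", x))         # discrete transition
    else:
        if x > 60:
            succ.add(("off", x - 1))
        if x < 63:
            succ.add(("on", x))
    return succ


if __name__ == "__main__":
    unsafe = lambda s: s[1] > 70 or s[1] < 60   # temperature leaves [60, 70]
    verdict, reach = symbolic_safety({("on", 65)}, thermostat_post, unsafe)
    print(verdict, len(reach), "reachable states")
```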
Reachability for Hybrid Systems
• What's a suitable representation of regions?
  - Region: subset of R^k
  - Main problem: handling continuous dynamics
• Precise solutions available for restricted continuous dynamics
  - Timed automata (Uppaal, Kronos, …)
  - Linear hybrid automata (HyTech)
• Even for linear systems, over-approximations of the reachable set are needed
Timed Automata
Figure: automaton whose transitions are labelled a, x := 0; b, y := 0; y > 2, c; x < 3, d
• Analog of finite-state automata in the discrete case
  - Continuous variables: clocks increasing at rate 1
  - All constraints of the form: x compared to a constant
  - Can express lower and upper bounds on delays
• Well-developed theory of automata and logics
  - Closure properties
  - Decision problems
  - Equivalent characterizations
Region-based Analysis
Finite partitioning of state space: w ≈ w' iff they satisfy the same set of constraints of the form xi < c, xi = c, xi – xj < c, xi – xj = c, for c <= largest constant relevant to xi
Figure: clock space (x1, x2) with integer grid lines (constants up to 3 for x1 and 2 for x2); one equivalence class (i.e. a region) is highlighted. In fact there is only a finite number of regions!!
Region equivalence is a time-abstract bisimulation, and the corresponding quotient can be used for temporal logic model checking
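Region equivalence computed exactly as the slide defines it, as an added example (not from the slides or any timed-automata tool): a valuation's region is the set of constraints x < c, x = c, x - y < c, x - y = c it satisfies, with c bounded by the largest constant of the clocks involved. The constants and clock names are taken from the slide's automaton (x < 3, y > 2); the grid used to count regions is constructed.

```python
from fractions import Fraction
from itertools import permutations, product


def region(valuation, max_const):
    """Signature of the region containing `valuation` ({clock: value}):
    the set of satisfied constraints of the slide's four forms, for integer
    c up to max_const[clock].  Equal signatures <=> region-equivalent."""
    sat = set()
    for x, v in valuation.items():
        for c in range(max_const[x] + 1):
            if v < c:
                sat.add((x, "<", c))
            elif v == c:
                sat.add((x, "=", c))
    for x, y in permutations(valuation, 2):         # difference constraints
        d = valuation[x] - valuation[y]
        for c in range(-max_const[y], max_const[x] + 1):
            if d < c:
                sat.add((x, y, "<", c))
            elif d == c:
                sat.add((x, y, "=", c))
    return frozenset(sat)


def region_equivalent(w1, w2, max_const):
    return region(w1, max_const) == region(w2, max_const)


def count_regions(max_const, step=Fraction(1, 4)):
    """Count distinct regions hit by a grid of valuations (constructed,
    step `step`, up to one past each clock's largest constant).  Refining
    the grid can only approach the finite number of regions, never exceed it."""
    clocks = list(max_const)
    grids = [[k * step for k in range(int((max_const[c] + 1) / step) + 1)]
             for c in clocks]
    seen = {region(dict(zip(clocks, pt)), max_const) for pt in product(*grids)}
    return len(seen)


# Constants from the slide's automaton: x is compared with 3, y with 2.
MAX_CONST = {"x": 3, "y": 2}

if __name__ == "__main__":
    print(region_equivalent({"x": 0.5, "y": 0.25}, {"x": 0.75, "y": 0.125}, MAX_CONST))
    print(count_regions(MAX_CONST), "regions on the sample grid")
```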
Model Checking for Hybrid Systems
• Timed automata tools use matrices as a symbolic representation (all constraints are bounds on differences)
• Next step: use polyhedra as a representation (HyTech)
  - Linear hybrid automaton allows linear constraints in guards/resets
  - Dynamics: linear constraints among derivatives
  - The set of reachable states at every iteration is a union of polyhedra
• If the dynamics is dX = AX, and R is a polyhedron, Post(R) is not a polyhedron
• Many approximate solutions proposed: approximate Post(R) with enclosing convex polyhedra (CheckMate)
Polyhedral Flow Pipe Approximations
Figure: flow pipe starting from the initial set X0, sampled at times t1, t2, …, t9
• divide R[0,T](X0) into [tk, tk+1] segments
• enclose each segment with a polyhedron
• RM[0,T](X0) = union of polyhedra
Abstraction and Refinement
• Abstraction-based verification
  - Given a model M, build an abstraction A
  - Check A for violation of properties
  - Either A is safe, or is adequate to indicate a bug in M, or gives false negatives (in that case, refine the abstraction and repeat)
• Many projects exploring abstraction-based verification for hybrid systems
  - Predicate abstraction (Charon at Penn)
  - Counter-example guided abstraction refinement (CEGAR at CMU)
  - Qualitative abstraction using symbolic derivatives (SAL at SRI)
Predicate Abstraction
• Input is a hybrid automaton and a set of k boolean predicates, e.g. x + y > 5 - z.
• The partitioning of the concrete state space is specified by the user-defined k predicates.
Figure: concrete space L × R^n (plotted over x and t) mapped to the abstract space L × {0, 1}^k
Overview of the Approach
Figure (flow chart): the hybrid system, the safety property and the boolean predicates feed a search in the abstract space. If no counter-example is found, the property holds. Otherwise the counter-example is analyzed: either a real counterexample is found, or additional predicates are added and the search is repeated.
Walking Model: Behavior and Modes
Figure: a leg with segments L1, L2, joints j1, j2 and foot position (x, y), and its mode diagram with modes On Ground (dx = dy = 0), Up (dy = kv, dt = 1), Forward (dx = kv) and Down (dy = -kv). Switches are time triggered (t == 2) or event triggered (x == str; y == 0 -> turn++; x < str/2); turn is a shared variable tested in the guard turn == i.
Code Generation Case Study
• Front-end: translate CHARON objects into modular C++ objects
• Back-end: map C++ objects to the execution environment
Figure: CHARON objects (agent; mode with differential/algebraic equations and transitions; analog variable) map to C++ objects (agent class; mode class with diff() and trans(); var class); the back-end attaches them to the scheduler and the API of the target platform.
Gap Between Models and Code
• Rich theory of sampled control (but mainly for purely continuous systems)
  - Discrete-time control design
  - Sampling errors
• No theory of interacting control blocks
  - Mapping individual blocks to periodic real-time tasks does not lead to predictability
  - Lack of compositionality affects integration
• Hybrid systems pose new challenges: how can code ensure that events are not missed?
Code from Structured Models
• How to map control blocks to tasks?
Figure: the plant state x is read by two control blocks, C1 producing output u and C2 producing output v
• Many choices for code
  - Two tasks: C1 and C2 with their own periods
  - One task: Read(x); C1; C2; Actuate
  - One task: Read(x); C1; Read(x); C2; Actuate
• The choice can depend on many parameters: computation times, sensitivity of x to u and v, performance objective
Quantifying the Gap (1)
• Appealing implementation platform: time-triggered architecture
  - Time divided into fixed-size slots
• Appealing programming paradigm: Fixed Logical Execution Time
  - Block mapped to slot i reads inputs at the beginning, computes, and outputs at the end of slot i
• Micro-schedule: map each slot to at most one control block
• Given a micro-schedule s and a plant model, the continuous-time trajectory of execution is uniquely defined
From Model to Code
1. Continuous-time semantics: all blocks at all times
2. Discrete/simulation semantics: all blocks every T s (compute all)
3. Periodic tasks: Red block every T1 s, Blue every T2 s
4. Micro-schedule on TTA: fixed-size slots, e.g. Idle, Red, Blue, Idle, Blue, Red, Idle, Blue, Idle, Red, Blue…
Quantifying the Gap (2)
• Define a performance metric: for two continuous-time trajectories t1 and t2, d(t1, t2) measures the distance
• Quality of a micro-schedule s is d(t*, ts), where t* is the continuous-time simulation trajectory and ts is the trajectory of the code when executed according to s
• For linear systems, d(t*, ts) is computable when d is, say, the L2-norm, using ideas from PLTIs (periodic linear time-invariant systems)
• This allows comparing micro-schedules by precisely quantifying their metrics
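The micro-schedule quality d(t*, ts) of the last three slides, worked through numerically as an added example (not the slides' method, which computes it analytically for linear systems): a constructed two-input linear plant with control blocks C1 and C2 runs on a time-triggered architecture with fixed-size slots and Fixed Logical Execution Time, the continuous-time reference t* is approximated by running every block at every integration sub-step, and d is the sampled L2-norm. Plant, gains, slot size and horizon are all assumptions.

```python
import math

# Constructed plant: oscillator dx1/dt = x2 + u, dx2/dt = -x1 + v, with control
# blocks C1: u = -K1*x1 and C2: v = -K2*x2, each reading the full plant state.
K1, K2 = 1.0, 1.0
BLOCKS = {"C1": lambda x: -K1 * x[0], "C2": lambda x: -K2 * x[1]}


def plant_step(x, u, v, h):
    """One forward-Euler step with inputs u, v held for h seconds."""
    return (x[0] + h * (x[1] + u), x[1] + h * (-x[0] + v))


def simulate(schedule, slot, sub, horizon, x0=(1.0, 0.0)):
    """Trajectory ts of the code under a cyclic micro-schedule on a TTA: slot i
    runs at most one block (None = idle), which reads the state at the start
    of the slot and publishes its output at the end (FLET).  schedule=None
    yields the reference t*: every block recomputed at every sub-step."""
    h = slot / sub
    x, u, v = x0, 0.0, 0.0
    traj = [x]
    for i in range(round(horizon / slot)):
        block = None if schedule is None else schedule[i % len(schedule)]
        out = BLOCKS[block](x) if block else None        # read at slot start
        for _ in range(sub):
            if schedule is None:                           # all blocks, all times
                u, v = BLOCKS["C1"](x), BLOCKS["C2"](x)
            x = plant_step(x, u, v, h)
            traj.append(x)
        if block == "C1":                                  # write at slot end
            u = out
        elif block == "C2":
            v = out
    return traj


def l2_distance(t1, t2, h):
    """d(t1, t2): L2-norm of the difference of two equally sampled trajectories."""
    return math.sqrt(sum(((a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2) * h
                         for a, b in zip(t1, t2)))


def schedule_quality(schedule, slot=0.1, sub=10, horizon=10.0):
    """d(t*, ts) for one micro-schedule; smaller is closer to the model."""
    ref = simulate(None, slot, sub, horizon)
    code = simulate(schedule, slot, sub, horizon)
    return l2_distance(ref, code, slot / sub)


if __name__ == "__main__":
    for s in (["C1", "C2"], ["C1", None, "C2", None], [None]):
        print(s, round(schedule_quality(s), 4))
```

The all-idle schedule leaves the plant in open loop and serves as the worst case against which the others are compared.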
Wrap-Up
• Modeling and Analysis in symbiosis
• Progress on safety verification by combining symbolic representations and abstraction
• Many application domains for hybrid systems
• Current focus: understanding and quantifying the gap between models and code to add rigor to the code generation step
• Ongoing: stochastic hybrid systems