
The Inverse Method PDF

161 Pages·2013·2.655 MB·English

Preview The Inverse Method

The Inverse Method

FOCUS SERIES IN COMPUTER ENGINEERING AND IT
Series Editor: Jean-Charles Pomerol

The Inverse Method: Parametric Verification of Real-time Embedded Systems
Étienne André, Romain Soulat

First published 2013 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:

ISTE Ltd, 27-37 St George's Road, London SW19 4EU, UK, www.iste.co.uk
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA, www.wiley.com

© ISTE Ltd 2013

The rights of Étienne André and Romain Soulat to be identified as the author of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.

Library of Congress Control Number: 2012953075
British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library
ISSN: 2051-2481 (Print)
ISSN: 2051-249X (Online)
ISBN: 978-1-84821-447-7
Printed and bound in Great Britain by CPI Group (UK) Ltd., Croydon, Surrey CR0 4YY

Contents

PREFACE . . . ix
ACKNOWLEDGMENTS . . . xi
INTRODUCTION . . . xiii
I.1. Motivation . . . xiv
I.1.1. An example of asynchronous circuit . . . xiv
I.2. The good parameters problem . . . xv
I.3. Content and organization of the book . . . xvi
I.3.1. Content . . . xvi
I.3.2. Organization of the book . . . xvii
I.3.3. Acknowledgments . . . xviii

CHAPTER 1. PARAMETRIC TIMED AUTOMATA . . . 1
1.1. Constraints on clocks and parameters . . . 1
1.1.1. Clocks . . . 1
1.1.2. Parameters . . . 2
1.1.3. Constraints . . . 2
1.2. Labeled transition systems . . . 4
1.3. Timed automata . . . 4
1.3.1. Syntax . . . 5
1.3.2. Semantics . . . 7
1.4. Parametric timed automata . . . 10
1.4.1. Syntax . . . 11
1.4.2. Semantics . . . 14
1.5. Related work . . . 19
1.5.1. Representation of time . . . 19
1.5.2. Timed automata . . . 20
1.5.3. Time Petri nets . . . 21
1.5.4. Hybrid systems . . . 22

CHAPTER 2. THE INVERSE METHOD FOR PARAMETRIC TIMED AUTOMATA . . . 23
2.1. The inverse problem . . . 24
2.1.1. A motivating example . . . 24
2.1.2. The problem . . . 26
2.2. The inverse method algorithm . . . 27
2.2.1. Principle . . . 27
2.2.2. A toy example . . . 28
2.2.3. Remarks on the algorithm . . . 28
2.2.4. Results . . . 32
2.2.5. Discussion . . . 40
2.3. Variants of the inverse method . . . 40
2.3.1. Algorithm with state inclusion in the fixpoint . . . 41
2.3.2. Algorithm with union of the constraints . . . 42
2.3.3. Algorithm with simple return . . . 44
2.3.4. Combination: inclusion in fixpoint and union . . . 45
2.3.5. Combination: inclusion in fixpoint and direct return . . . 46
2.3.6. Summary of the algorithms . . . 46
2.4. Related work . . . 49
2.4.1. History of the inverse method . . . 49
2.4.2. Time-abstract bisimulation . . . 50
2.4.3. Formal techniques of verification . . . 50
2.4.4. Problems related to the inverse problem . . . 51
2.4.5. Parameter synthesis for parametric timed automata . . . 53

CHAPTER 3. THE INVERSE METHOD IN PRACTICE: APPLICATION TO CASE STUDIES . . . 55
3.1. IMITATOR . . . 56
3.1.1. History . . . 56
3.1.2. Architecture and features . . . 56
3.2. Flip-flop . . . 57
3.3. SR-Latch . . . 58
3.3.1. Parameter synthesis . . . 59
3.4. AND–OR . . . 60
3.5. IEEE 1394 Root Contention Protocol . . . 62
3.5.1. Description of the model . . . 62
3.5.2. Synthesis of constraints . . . 64
3.6. Bounded Retransmission Protocol . . . 64
3.7. CSMA/CD protocol . . . 65
3.8. The SPSMALL memory . . . 67
3.8.1. Description . . . 67
3.8.2. A short history . . . 71
3.8.3. Manually abstracted model . . . 72
3.8.4. Automatically generated model . . . 75
3.9. Networked automation system . . . 77
3.9.1. Description of the model . . . 77
3.9.2. Definition of a zone of good behavior . . . 78
3.9.3. Comparison with other methods . . . 79
3.10. Tools related to IMITATOR . . . 79

CHAPTER 4. BEHAVIORAL CARTOGRAPHY OF TIMED AUTOMATA . . . 81
4.1. The behavioral cartography algorithm . . . 82
4.2. Properties . . . 83
4.2.1. Acyclic parametric timed automata . . . 83
4.2.2. General case . . . 84
4.3. Case studies . . . 84
4.3.1. Implementation . . . 85
4.3.2. SR latch . . . 86
4.3.3. Flip-flop . . . 91
4.3.4. The root contention protocol . . . 95
4.3.5. SPSMALL memory . . . 95
4.4. Related work . . . 101

CHAPTER 5. PARAMETER SYNTHESIS FOR HYBRID AUTOMATA . . . 103
5.1. Hybrid automata with parameters . . . 105
5.1.1. Basic definitions . . . 105
5.1.2. Symbolic semantics of linear hybrid automata . . . 108
5.2. Algorithms for hybrid automata . . . 109
5.2.1. The inverse method for hybrid automata . . . 109
5.2.2. Behavioral cartography of hybrid automata . . . 111
5.2.3. Enhancement of the method for affine dynamics . . . 114
5.3. Implementation . . . 116
5.4. Discussion . . . 117
5.5. Related work . . . 118

CHAPTER 6. APPLICATION TO THE ROBUSTNESS ANALYSIS OF SCHEDULING PROBLEMS . . . 121
6.1. Preliminaries . . . 121
6.1.1. Scheduling problems . . . 121
6.1.2. Timed automata augmented with stopwatches . . . 122
6.2. Scheduling analysis using the inverse method . . . 123
6.2.1. Modeling schedulability with timed automata . . . 123
6.2.2. Robustness analysis using the inverse method . . . 124
6.2.3. Schedulability zone synthesis . . . 124
6.3. Application to scheduling problems . . . 126
6.3.1. Jobs with deadlines . . . 126
6.3.2. Schedulability zone synthesis . . . 126
6.3.3. Next generation spacecraft flight control system . . . 127
6.4. Discussion . . . 130
6.5. Related work . . . 131

CHAPTER 7. CONCLUSION AND PERSPECTIVES . . . 133
7.1. Trace-based inverse method and partial orders . . . 134
7.2. Preservation of temporal logics . . . 134
7.3. Application to other formalisms . . . 135

BIBLIOGRAPHY . . . 137
INDEX . . . 149

Preface

This book introduces state-of-the-art verification techniques for real-time embedded systems, based on the inverse method for parametric timed automata. It reviews popular formalisms for the specification and verification of timed concurrent systems and, in particular, timed automata as well as several extensions such as timed automata equipped with stopwatches, linear hybrid automata and affine hybrid automata. The inverse method is introduced, and its benefits for guaranteeing robustness in real-time systems are shown. Then, it is shown how an iteration of the inverse method can solve the good parameters problem for parametric timed automata by computing a behavioral cartography of the system. Different extensions are proposed, particularly for hybrid systems and applications to scheduling problems using timed automata with stopwatches. Various examples, both from the literature and industry, illustrate the techniques throughout the book. Various parametric verifications are performed, in particular of abstractions of a memory circuit sold by the chipset manufacturer ST-Microelectronics, as well as of the prospective flight control system of the next generation of spacecraft designed by ASTRIUM Space Transportation.

Acknowledgments

The authors wish to thank the numerous colleagues and students who have contributed to the development of the inverse method, its implementation and its practical applications. The authors are very grateful to Laurent Fribourg for his strong support with respect to this book, and for providing valuable feedback on earlier versions of the manuscript. The authors wish to thank Thomas Chatain, Emmanuelle Encrenaz, Ulrich Kühne and Jeremy Sproston for their contributions to the inverse method and its extensions. The authors also wish to acknowledge the contributions of Abdelrezzak Bara, Pirouz Bazargan-Sabet, Remy Chevallier, Dominique Le Dû and Patricia Renault to the VALMEM project presented in section 3.8; the contributions of Olivier De Smet, Bruno Denis and Silvain Ruel to the SIMOP project presented in section 3.9; and the contributions of David Lesens and Pierre Moro to the project presented in section 6.3.

Introduction

The importance of computer systems has dramatically increased in recent decades. Critical systems, involving human lives, need to be perfectly reliable, with a total absence of any inappropriate behavior, such as failures or unexpected sequences of actions.

Let us consider the case of hardware verification. When we analyze synchronous clocked digital circuits, it is possible to separate the functional analysis from the timing analysis: the clock cycle is determined by computing the accumulated delays along the longest path from input to latches, and, assuming that the cycle time is large enough, the functional verification can proceed by ignoring gate and wire delays and by treating the whole circuit at the abstraction level of an untimed finite state automaton. Symbolic methods of model checking relying on efficient and compact representation and manipulation of sets of states are thus very useful for verifying the correctness of hardware circuits.

Such a separation between logic and time is rarely possible when we want to analyze computerized systems that are often made up of dozens of reactive components that are in permanent interaction all together and with the physical environment, with few or no mechanisms of global synchronization. In this context, the delays taken by the individual tasks and their logical interdependency have an immediate impact on the global order in which the actions are taken, and on the functionality of the system. Many counterintuitive phenomena may occur, such as the observation of an increasing global response time to an input when a local delay is decreased. Also, in contrast with what happens in the synchronous world, the delay between two events can no longer be given by a discrete measure, such as the number of clock ticks between them, but could be arbitrarily close to each other.

In this context, the theory of timed automata, which appeared in the early 1990s and makes use of dense time domains, turns out to be a very useful tool for modeling such concurrent asynchronous systems. On the other hand, the determination and
