1 Design, Implementation, and Validation of Embedded Software (DIVES) Rajeev Alur, Vijay Kumar,...

1

Design, Implementation, and Validation ofEmbedded Software

(DIVES)

Design, Implementation, and Validation ofEmbedded Software

(DIVES)

Rajeev Alur, Vijay Kumar, Insup Lee (PI), George Pappas, Oleg Sokolsky

Department of Computer and Information Science

Department of Electrical Engineering

Department of Mechanical Engineering and Applied Mechanics

University of Pennsylvania

24 July 2002

2

Topic Area 1. Administrative Topic Area 1. Administrative

3

Administrative InformationAdministrative Information

• Project title: Design, Implementation, and Validation of Embedded Software (DIVES)

• PI: Insup Lee (215-898-3532, [email protected])

• Co-PI: Rajeev Alur, Vijay Kumar, George Pappas

• Organization: University of Pennsylvania

• Contract number: DARPA ITO MOBIES F33615-00-C-1707

• AO Number: K230

• Award end date: May 16, 2003

• Agent: 1st Lt. Jason Lawson, Air Force Research Laboratory

4

DIVES TeamDIVES Team

FacultyRajeev Alur (CIS)Vijay Kumar (MEAM)Insup Lee (CIS)George Pappas (EE)Oleg Sokolsky (CIS)

Research AssociatesJesung KimSalvatore La TorreHerbert Tanner

PhD StudentsCalin Belta

Joel EspositoYerang HurFranjo IvancicPradyumna Mishra

Usa Sammapun

Part-time ProgrammersDan Huber

Valya Sokolskaya

5

Topic Area 2. Subcontractors and Collaborators

Topic Area 2. Subcontractors and Collaborators

none

6

Topic Area 3. Problem Description and Program Objective

Topic Area 3. Problem Description and Program Objective

7

Project OverviewProject Overview

• Project Objective– Develop languages, algorithms and tools for hybrid systems to

facilitate the development of reliable embedded systems

• Project Description: main research directions

– Compositional semantics to support hierarchical, modular specifications of hybrid systems

– Reachability analysis of embedded systems

– Compositional analysis and optimal controller synthesis of hybrid systems

– Model-based testing and validation of hybrid systems to provide an additional level of reliability

8

Topic Area 4. Milestone Excel Spreadsheet

Topic Area 4. Milestone Excel Spreadsheet

Provided separately.

9

Topic Area 5. Tool DescriptionTopic Area 5. Tool Description

10

Tools at UPenn Tools at UPenn

1. CHARON modeling environment

2. Reachability analysis based on predicate abstraction

3. Adaptive simulation tool

4. Requiem

5. Test generation (under development)

6. Abstraction checker (under development)

7. Code generation (under development)

11

1. CHARON Toolkit1. CHARON Toolkit• Input

– Hierarchical model of Hybrid systems

• Functionality: modeling, simulation, assertion checking

• Output– Simulation trace including assertion violation

– HSIF model

– Input format for reachability analyzer

12

2. Reachability analysis tool2. Reachability analysis tool

• Input (compatible with HSIF ):– Linear hybrid systems

• Modes have linear dynamics:

• Mode invariants and transition guards are linear:

– Initial predicate set

– “Bad” region

• Output:– execution trace reaching a “bad” state

linear hybridsystem

CHARON

Simulink/Stateflow

counterexampleReachability computation

properties predicates

BuAxx 01 xC

13

3. Adaptive simulation tool3. Adaptive simulation tool

• Input:– Matlab model

• Implementation:– Adaptive integration routines for multi-rate and multi-

agent simulation implemented in C

– Used instead of standard Matlab integration routines

• Output:– Matlab simulation trace

• Integration:– Simulink/Stateflow can use custom integration routines

for simulation

– Integration with Charon simulator is under way

14

4. Requiem4. Requiem

• Exact symbolic continuous reachability computation

• Input:– Nilpotent linear differential equation (e.g., V2V)

– Semialgebraic sets as initial conditions

• Output:– A quantifier free formula describing the reachable set.

• Implementation:– A Mathematica 4.0 notebook

– Uses the experimental quantifier elimination package

15

5. Test generation5. Test generation

• Generate a suite of tests from a model based on a given level of coverage

• Input:– A CHARON model of the system

– A coverage criterion

• Output:– A test suite

• Implementation:– In progress

– Test generation algorithms: random test sequences, targeted test sequences

16

6. Abstraction analysis6. Abstraction analysis

ImplementationWe are developing Matlab tools for checking the consistency of modeling abstractions

for discrete-time control systems in the presence of state and input constraints.

Goal. To develop a formal methodology of deriving consistent abstractions of complex dynamical control systems

Input

linear control systems, subject to

input and state constraints

Output

reduced order linear control systems capturing the behavior of the original systems

abstraction

17

7. Code Generation for CHARON7. Code Generation for CHARON

agent () {}

mode () {}

agent () {}

mode () {}

ISA: MIPSCPU speed: 500 MHzTolerance:εAPI:


CHARONmodel

Platformdescription

Codegenerator

01011011011101111101101001110101

…

Executablecode

To design a software tool that generates platform-dependent executable code from a platform-independent CHARON model


18

Penn’s Tool ChainPenn’s Tool Chain

HSIF

ModelReduction

TestGeneration

ReachabilityAnalysis

CHARON

TejaSimulink

code

Mathlab

19

Topic Area 6. OEP ParticipationTopic Area 6. OEP Participation

20

Automotive OEPAutomotive OEP

• We participate in both vehicle-to-vehicle coordination and ETC challenge problems– Perform analysis of models for the challenge problems using

DIVES analysis tools and methodologies

– Demonstrated the analysis capabilities during the midterm experiments

• We participated in all ESWG meetings and a number of teleconferences– Contributed to the definition of HSIF and its semantics

– Actively participated in formulating the V2V experimental setup

– Helped to define the logistics of the experiments

– V2V POC: Franjo Ivancic; OEP collaborator: Anouck Girard

– ETC POC: Oleg Sokolsky; OEP collaborator: Paul Griffiths

21

HSIF developmentHSIF development

• CHARON-to-HSIF translator is developed– Flattens agent and mode hierarchy

– Retains variables, parameters

• HSIF semantics:– Set of interacting hybrid automata

Agent1

Agent2

Agent3 Agent5

Agent6

Mode1 Mode2

Mode3

Mode4

DNHA

HA3 HA5 HA6

22

Topic Area 7. Project StatusTopic Area 7. Project Status

23

Progress since last meetingProgress since last meeting

• Progress on schedule• Recently developed techniques

– Simulation Relations for Constrained Discrete-Time Linear Systems

– Multi-agent simulation methodology– Composability of abstractions– Model-based test generation for data-flow coverage criteria– CHARON to HSIF translation

• Publication during last six months– 2 journal papers, 13 conference and workshop papers

• Specific milestones accomplished– Q3FY02:Analysis techniques and tool suite

• Sound abstraction techniques for model reduction and reachability analysis tool

• Challenge problems: V2V (completed) and ETC (new approaches explored)

24

Project statusProject status

Selected publications since the last PI meeting

• G.J. Pappas and S. Simic, "Consistent abstractions of affine control systems", IEEE Transactions on Automatic Control, 47(5):745-756, May 2002

• I. Lee, A. Philippou, O. Sokolsky, "Process Algebraic Modelling and Analysis of Power-Aware Real-Time Systems", to appear in IEE Computing and Control Engineering Journal, August 2002.

• R. Alur, T. Dang, and F. Ivancic, "Reachability analysis of hybrid systems via predicate abstraction", Proceedings of Fifth International Workshop on Hybrid Systems: Computation and Control, March 2002, pp. 35-48.

• P. Tabuada, G. J. Pappas, and P. Lima, "Composing Abstractions of Hybrid Systems," Proceedings of Fifth International Workshop on Hybrid Systems: Computation and Control, March 2002, pp. 436-450.

• H. Hong, I. Lee, O. Sokolsky, and H. Ural, "A Temporal Logic Based Theory of Test Coverage and Generation", Procedings of International Conference on Tools and Algorithms for Construction and Analysis of Systems (TACAS), April 2002.

• Y. Hur, I. Lee, "Distributed Simulation of Multi-Agent Hybrid Systems", Proceeding of IEEE International Symposium on Object-Oriented Real-time distributed Computing (ISORC) , April-May, 2002.

• H. G. Tanner and G. J. Pappas, "Simulation Relations for Discrete-Time Linear Systems", Proceeding of 15th IFAC World Congress on Automatic Control, May 2002.

• H. G. Tanner, V. Kumar and G. J. Pappas, "The Effect of Feedback and Feedforward on Formation ISS", Proceedings of the 2002 International Conference on Robotics and Automation, May 2002, pp. 3448-3453.

• P. Mishra and G.J. Pappas, "Flying Hot Potatoes", Proceedings of the 2002 American Control Conference, Anchorage, Alaska, pp. 754-759, May 2002

• R. Alur, M. McDougall, and Z. Yang, "Exploiting Behavioral Hierarchy for Efficient Model Checking." To appear in 14th International Conference on Computer-Aided Verification (CAV), July 2002.

25

Formal Verification of Hybrid Systems using Predicate Abstraction and Counter-

Example Analysis

Formal Verification of Hybrid Systems using Predicate Abstraction and Counter-

Example Analysis

(slides provided separately)

26

Reachability Analysis via Predicate Abstraction

Reachability Analysis via Predicate Abstraction

• Goal: To improve scalability of reachability analysis for hybrid systems using predicate abstraction

• Input– Hybrid automaton with linear dynamics– Initial and bad regions– Linear predicates used by the abstractor

• Tool performs on-the-fly search of the abstract state-space to discover a path to a bad state

• Reported in last PI meeting– Theory and implementation of the search algorithm– Application to V-2-V challenge problem

• Recent work: What should we do if search in abstract state-space discovers a counter-example?

27

Counter Example AnalysisCounter Example Analysis

• Input: Sequence of abstract states and transitions• Step 1: Check if this path is feasible in the actual

system– This requires computing reachable sets along the path

• If the path is feasible, a real bug is found, else we need to execute the second step

• Step 2: Find predicates that are adequate to rule out this path in the abstract space– At the infeasible transition find a hyper-plane

separating reachable polyhedron from pre-image of the next state

– Implemented using linear programming

• Tool has been able to find “interesting” predicates on a number of examples (including ETC)

28

Refining the VerifierRefining the Verifier

• Ongoing effort: Verification of ETC challenge problem

• Optimizations – Elimination of spurious counter-examples due to

multiple continuous transitions

– Guided search in the abstract state space

– Local greedy feasibility checks to analyze counter-examples quickly

• Future Work– Lazy abstraction to merge counter-example analysis

with abstract search

– Flow-field analysis to speed up abstract search

– Better algorithms for computing separating predicates

29

ETC test generation experimentETC test generation experiment

• Goals: – demonstrate model-based test generation techniques

• Status:– Test suites for mode and transition coverage, as well as

definition-use dependency coverage have been generated manually

– Test generation from ETC model

– Tool under development

30

Strategy of test generationStrategy of test generation

1. Generate test sequences from a model specified in CHARON

2. Convert each test sequence to a test case (I/O sequence)

3. Execute test

4. Compare the output from test execution with the expected output from the test case.

Model in CHARON

Test generator

Test sequences

Implementation

Converter Test cases

Test execution

Output

Test evaluation

input

output

31

Model translationModel translation

ETC

MATLAB model

ETC

CHARON model

ManagerDriving m2

Human

Inactive m8

Cruise m7

Limiting m1

Inactive m6

Tc_limit m5

Inactive m4

Rev_limit m3

t7t8

t3t4

t5t6

t1

t2

Servo controller

t11

Human m15

Inactive m10

Cruise m9t9t10

Inactive m14

Tc_limit m13

Inactive m12

Rev_limit m11t12

t13t14

Boolean Output; a1

Manager

Servo Controller

Inputs

Which_mode

Which_driving_ cruise

Which_limiting_ rev

Which_limiting_ traction

32

Model in CHARONModel in CHARON

Model in CHARON

Test generator

Test sequences

Implementation


Test execution

Output

Test evaluation

input

output

mode in CHARON mode variables(read) variable(write) constraintsManagerMode we,te Do_d

limiting(sub) m1 we,te Do_d=falsedriving(sub) m2 we,te Do_d=true

from to transitions(guard) actiont1 m1 m2

t2 m2 m1we<h*weMax and

te<h*teMax l to d

t3 m3 m4we>weMax or

te>teMax d to l

33

Generated Test SequencesGenerated Test Sequences

Model in CHARON

Test generator

Test sequences

Implementation


Test execution

Output

Test evaluation

input

output

Transition Test sequence Guardt1 t1,t3,t11 we>weMaxt2 t1,t3,t11 we>weMax

t2,t4,t12we<hysteresis*weMax

andtc<hysteresis*tcMax

34

Test casesTest cases

Model in CHARON

Test generator

Test sequences

Implementation


Test execution

Output

Test evaluation

input

output

Transition Test sequence Guard Test case Expected output

t1 t1,t3,t11 we>weMax we=weMax+1 MotorAmps=0

t2 t1,t3,t11 we>weMax we=weMax+1 MotorAmps=0

t2,t4,t12we<hysteresis*weMax and

tc<hysteresis*tcMaxwe=weMax*h-1 tc=tcMax*h-1

MotorAmps_h

35

Test cases from BerkeleyTest cases from Berkeley

Inputs from the manager and the resulting function calls

which_mode SelectStartup 0

SelectDriving 1

SelectLimiting 2

SelectLimpHome 3

SelectShutdown 4

which_driving_cruise SelectDrivingCruise 0

SelectDrivingCruiseInactive 1

which_limiting_rev SelectLimitingRev 0

SelectLimitingRevInactive 1

which_limiting_traction SelectLimitingTraction 0

SelectLimitingTractionInactive 1

All the possible permutations

of input values Previous

Statewhich_mode

which_driving_cruise

which_limiting_rev

which_limiting_traction

Function Calls

XSelectSt

artupX X X DoStartUp

XSelectDriving

SelectDrivingCruise

X XDoHumanCtrl DoCruiseCtrl

XSelectDriving

SelectDrivingCruiseInactive

X X DoHumanCtrl

XSelectLimiting

X SelectLimitingRevSelectLimitingTr

action

DoRevLimitingCtrl

DoTractionCtrl

XSelectLimiting

X SelectLimitingRevSelectLimitingTr

actionInactiveDoRevLimiting

Ctrl

XSelectLimiting

XSelectLimitingRev

InactiveSelectLimitingTr

actionDoTractionCtrl

XSelectLimiting

XSelectLimitingRev

InactiveSelectLimitingTr

actionInactive

XSelectLimpHom

eX X X DoLimpHome

XSelectShutdow

nX X X DoShutdown

Shutdown X X X X DoShutdown

36

Test case conversion for Berkeley codeTest case conversion for Berkeley code

DescriptionTest

sequenceguard

Converted input

correspondent inputs Execution output CHARON output

t3default to limiting

t1, t3, t11

we>weMax or te>teMax

(2,X,0,X)

(2, 0, 0, 0)DoRevLimitingCtrl: 0.4

DoTractionCtrl: 0.5DoRevLimitingCtrl (0.4) DoTractionCtrl (0.5)

Min (Rev, TC)

we>weMax and Do_d=false(2,1,0,0)

DoRevLimitingCtrl: 0.4 DoTractionCtrl: 0.5

(2,0,0,1) DoRevLimitingCtrl: 0.4

Do_rl=true (2,1,0,1) DoRevLimitingCtrl: 0.4

t4

limiting t1, t3, t11 same as t3 (2,X,0,X) same as t3

driving t2, t4, t12

we<h*weMax and te<h*teMax

(1,X,1,X)

(1,0,1,0)DoHumanCtrl: 0.0 DoCruiseCtrl: 1.0

DoHumanCtrl (0.0) DoCruiseCtrl (1.0) Max (human,

cruise)we<h*weMax or Do_d=true

(1,0,1,1)DoHumanCtrl: 0.0 DoCruiseCtrl:1.0

(1,1,1,0) DoHumanCtrl: 0.0

Do_rl=false (1,1,1,1) DoHumanCtrl: 0.0

37

Comparison of Test casesComparison of Test cases

• Test cases generated from the mode coverage criteria equally cover all the possible permutation of input values from Berkeley

• Test cases generated from transition coverage criteria cover more than those from mode coverage criteria.

LimitingDriving

we>weMax

we<h*weMaxDriving

Driving

Limiting

Driving

Limitingh*weMax

weMax

38

Code Generation for CHARONCode Generation for CHARON

agent () {}

mode () {}

agent () {}

mode () {}



CHARONmodel

Platformdescription

Codegenerator

01011011011101111101101001110101

…

Executablecode



39

GoalsGoals

• Exploit features of CHARON– Analog variables

– Modularity, hierarchy

– Parallel composition

• Bounding difference between model and implementation– Tuning of the update rate of analog variables

• Flexible to be adapted to various platforms– Easy-to-plug-in interface

40

Our Approach Our Approach

agent

mode

analog var

differential eq

transition

class agent

class mode diff() trans()

class var

scheduler

API

CHARON features C++ objectsExecution

environmentTarget

platform

41

Under developmentUnder development

• Modular compilation– Each agent/mode can be compiled separately

• Concurrent execution of agents and analog variables– Parallel agents can be distributed to different systems

– Communication is handled transparently by the variable class

– Update analog variables at desired rates

• Flexible interface– New functions can be plugged in to override default variable

read/write functions• Ex: Plugging in file I/O functions result in a trace generator

– Interfacing with APIs of real-world platforms• Currently Sony robot dogs, eventually Automotive OEP platform

(MPC555)

• Derive RT scheduling requirements from CHARON model

42

Topic Area 8. Project Plans Topic Area 8. Project Plans

43

Project PlansProject Plans

• Describe your project's plans for next 6 months– Refine abstraction, analysis, test generation techniques

– Develop tools to support the new techniques

– Perform OEP experiments using these techniques and tools

– Interface with other tools through HSIF

– Develop model-based code generation techniques

• Identify specific performance goals– Demonstrate improved capability to verify linear hybrid systems in

terms of number of modes and number of state variables

– Demonstrate the feasibility of model-based test generation

– Demonstrate control of simple tasks on a real robot using automatically generated code

44

Topic Area 9. Project schedule and milestones

Topic Area 9. Project schedule and milestones

45

Project schedule and milestonesProject schedule and milestones

3FY00 4FY00 1FY01 2FY01 3FY01 4FY01 1FY02 2FY02

1. Design language

2. Software toolkit

3a. Compositional semantics

3b. Simulation techniques

3e. Controller synthesis

3f. Abstraction techniques

3FY02

Milestone on schedule

Milestone completed ahead of schedule

Deliverable

4FY02 1FY03 2FY03

46

Project schedule and milestonesProject schedule and milestones

• Past milestones:– Q3FY01: Compositional Semantics. Completed ahead of schedule

• Deliverable: research report on compositional semantics

– Q1FY02: Advanced Simulation Techniques. Completed on schedule• Deliverables: research reports on event detection, modular and multi-

agent simulation algorithms

– Q3FY02: Analysis Techniques and Tool Suite. Milestone achieved but research and enhancement continue• Deliverables: 2 research reports on abstraction techniques and analysis

algorithms + tool implementation

• Upcoming milestones:– Q1FY03: Optimal control and run-time monitoring

• Progress on schedule, research reports published

– Additional milestones: algorithms and tools for test generation and code generation

47

Technology TransitionTechnology Transition

• Use of CHARON and its toolkit – The CARA (Computer Assisted Resuscitation

Algorithm) Infusion pump system developed by WRAIR (Walter Reid Army Institute for Research)• Design specification, analysis, code generation

• Goal: enhance FDA approval process for embedded medical devices

– Design and evaluation of strategies for soccer playing Sony dogs

– Modeling and analysis of biological processes such as protein transduction• fits the hybrid systems paradigm very well

• enhances state-of-the-art in biological research with analysis capabilities

48

The End.The End.

1 Design, Implementation, and Validation of Embedded Software (DIVES) Rajeev Alur, Vijay Kumar,...

Documents

Transcript of 1 Design, Implementation, and Validation of Embedded Software (DIVES) Rajeev Alur, Vijay Kumar,...