Framework for Inter-Model Analysis of Cyber-Physical Systems
Ivan Ruchkin
With Dionisio De Niz, Sagar Chaki, David Garlan
Carnegie Mellon University, Pittsburgh, PA, USA
The Summer School on Cyber-Physical Systems, Grenoble, France, July 2014
CPS engineering
(Diagram: three model/analysis pairs side by side, with a question mark between them.)
Problem
● Engineers' models may be inconsistent
– Modeling errors and system failures
● Model-based reasoning may be flawed
– Unsound results and system failures
Example: real-time scheduling
● Model & analysis 1: thread-to-CPU assignment
– Goal: assign each thread to a CPU and check schedulability
– Inputs: threads, CPUs (as abstract execution units), WCETs, periods, deadlines
● Model & analysis 2: CPU frequency scaling
– Goal: minimize CPU frequency to reduce energy losses
– Inputs: assignment of threads to CPUs, CPU frequency
● Issue: frequency scaling implicitly assumes that the scheduling policy is deadline monotonic!
Simple solutions
● Apply frequency scaling anyway
– Unsound: frequency scaling may not preserve schedulability
● Use labels (“DMS”) to synchronize analyses
– Too limiting: excludes frequency scaling for some cases
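The unsoundness on this slide, worked through as an added example (not code from the talk or from the authors' framework): a toy frequency-scaling analysis built on fixed-priority response-time analysis, run against a constructed two-thread set whose deadline order differs from its period order. The scaling step picks the lowest normalised frequency at which the set stays schedulable under deadline-monotonic priorities; applying that frequency under rate-monotonic priorities produces a deadline miss, even though the same set is schedulable under both policies at full speed. The WCET scaling rule C / f, the thread parameters and the 1/100 frequency grid are assumptions of the example.

```python
from fractions import Fraction
from math import ceil

# Constructed thread set on one CPU (assumption of this example):
# WCET C at full speed, period T, relative deadline D. The deadline order
# (A before B) differs from the period order (B before A).
THREADS = {
    "A": dict(C=1, T=10, D=3),
    "B": dict(C=2, T=4, D=4),
}

def deadline_monotonic(threads):
    """Priority order under DMS: shorter relative deadline first."""
    return sorted(threads, key=lambda t: threads[t]["D"])

def rate_monotonic(threads):
    """Priority order under RMS: shorter period first."""
    return sorted(threads, key=lambda t: threads[t]["T"])

def response_time(threads, order, task, freq):
    """Worst-case response time of `task` under fixed-priority preemptive scheduling,
    with every WCET scaled as C / freq (freq = 1 is full speed). Exact arithmetic via
    Fraction so that boundary cases such as R == D are decided correctly."""
    wcet = lambda t: Fraction(threads[t]["C"]) / Fraction(freq)
    higher = order[:order.index(task)]          # threads with higher priority than `task`
    r = wcet(task)
    while True:
        nxt = wcet(task) + sum(ceil(r / threads[h]["T"]) * wcet(h) for h in higher)
        if nxt == r or nxt > threads[task]["D"]:
            return nxt                          # fixed point, or deadline already exceeded
        r = nxt

def schedulable(threads, order, freq):
    """True when every thread meets its relative deadline at this frequency."""
    return all(response_time(threads, order, t, freq) <= threads[t]["D"] for t in threads)

def min_frequency(threads, order, steps=100):
    """The frequency-scaling analysis: lowest normalised frequency on a 1/steps grid at
    which the thread set is still schedulable under the given priority order."""
    for k in range(1, steps + 1):
        f = Fraction(k, steps)
        if schedulable(threads, order, f):
            return f
    return None

if __name__ == "__main__":
    dms, rms = deadline_monotonic(THREADS), rate_monotonic(THREADS)
    f = min_frequency(THREADS, dms)             # the analysis silently assumes DMS
    print("min frequency under DMS:", f)
    print("schedulable at full speed under RMS:", schedulable(THREADS, rms, 1))
    print("schedulable at", f, "under RMS:", schedulable(THREADS, rms, f))
```

The last two lines are the point of the slide: the scaled frequency is only valid together with the policy the scaling analysis assumed, and nothing in the two analyses' inputs and outputs records that assumption.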
Our solution: analysis contracts
1. Set up verification domains
2. Specify contracts for analyses
3. Determine the order of analyses
4. Verify the contract when each analysis is used
Step 1: verification domain
Contains:
– Atom sets (ℤ, threads, policies)
– Static (period, deadline) & dynamic functions (preemption)
– Execution semantics (Kripke structure) & interpretation
(Diagram: two models, each with its own analysis, sharing one verification domain.)
Step 2: contract specification
● Analysis contract contains:
– I – atoms and static functions that are read
– O – atoms and static functions that are output
– A – set of assumptions
– G – set of guarantees
● Language of A & G: φ ⇒ ψ; φ ∈ FOL, ψ ∈ LTL.
● Example for frequency scaling analysis:
– I = {threads, CPUs, CPUBind, Dline}, O = {CPUFreq},
– A = { ∀ t1, t2 : threads | t1 ≠ t2 ∧ CPUBind(t1) = CPUBind(t2) : □ (CanPrmpt(t1, t2) ⇒ Dline(t1) ≤ Dline(t2)) }, G = { }.
Step 3: analysis sequencing
● I/O dependencies form a directed graph
– If acyclic: the analyses can be ordered
– If cyclic: the cycle needs to be broken
● For the example, frequency scaling depends on thread-to-CPU assignment (it reads CPUBind, which the assignment analysis outputs)
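Step 3 as a runnable sketch, added here and not taken from the talk's framework: the I and O sets of the two contracts become a directed graph with an edge from an analysis to every analysis that reads one of its outputs, and Kahn's algorithm either yields an execution order or leaves the analyses on a cycle (and anything downstream of it) unordered. The third analysis, thermal_model, is hypothetical and is included only to show what a cycle looks like.

```python
from collections import deque

# Contract I/O sets for the two analyses from the earlier slides (atoms and static
# functions only; the assumptions A and guarantees G play no role in ordering).
CONTRACTS = {
    "thread_assignment": {
        "I": {"threads", "CPUs", "WCET", "Period", "Dline"},
        "O": {"CPUBind"},
    },
    "frequency_scaling": {
        "I": {"threads", "CPUs", "CPUBind", "Dline"},
        "O": {"CPUFreq"},
    },
}

# Hypothetical third analysis (assumption of this example), added only to create a cycle:
# it re-derives WCETs from the chosen frequency, and WCET is an input of thread assignment.
WITH_CYCLE = dict(CONTRACTS, thermal_model={"I": {"threads", "CPUFreq"}, "O": {"WCET"}})

def dependency_graph(contracts):
    """Directed graph over analyses: edge X -> Y when Y reads something X outputs.
    Two analyses writing the same atom or function is rejected: their order would be ambiguous."""
    producer = {}
    for name, c in contracts.items():
        for item in c["O"]:
            if item in producer:
                raise ValueError(f"{item} is written by both {producer[item]} and {name}")
            producer[item] = name
    edges = {name: set() for name in contracts}
    for name, c in contracts.items():
        for item in c["I"]:
            src = producer.get(item)            # inputs nobody produces are model atoms
            if src is not None and src != name:
                edges[src].add(name)
    return edges

def order_analyses(contracts):
    """Kahn's algorithm. Returns (order, unordered): `order` is a valid execution sequence of
    the analyses it contains; `unordered` lists analyses that sit on a cycle or downstream of
    one, which is where the modeller has to break a dependency by hand."""
    edges = dependency_graph(contracts)
    indegree = {n: 0 for n in contracts}
    for targets in edges.values():
        for t in targets:
            indegree[t] += 1
    queue = deque(sorted(n for n in contracts if indegree[n] == 0))
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for t in sorted(edges[n]):               # sorted for a deterministic order
            indegree[t] -= 1
            if indegree[t] == 0:
                queue.append(t)
    unordered = sorted(n for n in contracts if n not in order)
    return order, unordered

if __name__ == "__main__":
    print(order_analyses(CONTRACTS))
    print(order_analyses(WITH_CYCLE))
```

With the two contracts from the slides the only edge is thread_assignment → frequency_scaling, so the order is forced; adding the hypothetical thermal_model closes a loop through WCET and nothing can be scheduled until one of the three dependencies is cut.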
Step 4: contract verification
● Given: system model, contract formula φ ⇒ ψ
● SMT solver finds solutions for φ
● Model checking a behavioral model for ψ
– Promela program implements the execution semantics
● For the example:
– ∀ t1, t2 : threads | t1 ≠ t2 ∧ CPUBind(t1) = CPUBind(t2) : □ (CanPrmpt(t1, t2) ⇒ Dline(t1) ≤ Dline(t2))
– SMT enumerates the pairs t1, t2 : threads with t1 ≠ t2 ∧ CPUBind(t1) = CPUBind(t2)
– Spin verifies □ (CanPrmpt(t1, t2) ⇒ Dline(t1) ≤ Dline(t2)) for each such pair
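Step 4 as an added example (not the authors' tool chain): the SMT phase is replaced by brute-force enumeration of the guard over the finite atom sets, and the Spin/Promela phase by tick-by-tick exploration of a fixed-priority preemptive scheduler over one hyperperiod, so □ over a state predicate becomes an invariant check on every visited state. CanPrmpt is modelled as "both threads have pending work on the same CPU and the policy ranks t1 above t2 in this state"; that definition, the thread parameters and the two policies are assumptions of the example. Under deadline-monotonic priorities the assumption holds; under rate-monotonic priorities, with deadlines ordered differently from periods, it fails in the very first state, which is the kind of counterexample a model checker reports.

```python
from functools import reduce
from itertools import permutations
from math import gcd

# Constructed system model (assumption of this example): WCET C in ticks, period T,
# relative deadline D, and the CPUBind static function stored as a "cpu" field.
THREADS = {
    "A": dict(C=1, T=10, D=3, cpu="cpu0"),
    "B": dict(C=2, T=4, D=4, cpu="cpu0"),
}
# Same threads on different CPUs: the guard t1 != t2 ∧ CPUBind(t1) = CPUBind(t2) has no solutions.
THREADS_SPLIT = {
    "A": dict(THREADS["A"], cpu="cpu0"),
    "B": dict(THREADS["B"], cpu="cpu1"),
}

# Static functions of the verification domain.
def CPUBind(threads, t):
    return threads[t]["cpu"]

def Dline(threads, t):
    return threads[t]["D"]

# Scheduling policies as priority keys: smaller key = higher priority.
POLICIES = {
    "DMS": lambda threads, t: threads[t]["D"],   # deadline monotonic
    "RMS": lambda threads, t: threads[t]["T"],   # rate monotonic
}

def guard_solutions(threads):
    """Phase 1: every instantiation of the FOL guard t1 != t2 ∧ CPUBind(t1) = CPUBind(t2).
    The framework hands this to an SMT solver; over finite atom sets brute force suffices."""
    return [(t1, t2) for t1, t2 in permutations(threads, 2)
            if CPUBind(threads, t1) == CPUBind(threads, t2)]

def hyperperiod(threads):
    return reduce(lambda a, b: a * b // gcd(a, b), (p["T"] for p in threads.values()))

def reachable_states(threads, policy):
    """Phase 2 helper: the execution semantics as a deterministic fixed-priority preemptive
    scheduler (one tick = one time unit), explored over one hyperperiod. A state is
    (time, remaining work per thread), recorded after job releases and before the tick runs."""
    remaining = {t: 0 for t in threads}
    for now in range(hyperperiod(threads)):
        for t, p in threads.items():
            if now % p["T"] == 0:
                remaining[t] += p["C"]                 # job release
        yield now, dict(remaining)
        for cpu in {p["cpu"] for p in threads.values()}:
            ready = [t for t in threads if remaining[t] > 0 and threads[t]["cpu"] == cpu]
            if ready:
                running = min(ready, key=lambda t: policy(threads, t))
                remaining[running] -= 1

def CanPrmpt(threads, policy, state, t1, t2):
    """Dynamic function (assumed definition): in this state both threads have pending
    work and the policy ranks t1 above t2, so t1 can take the CPU from t2."""
    _, remaining = state
    return (remaining[t1] > 0 and remaining[t2] > 0
            and policy(threads, t1) < policy(threads, t2))

def verify_contract(threads, policy_name):
    """Check the frequency-scaling assumption
        ∀ t1, t2 : threads | t1 != t2 ∧ CPUBind(t1) = CPUBind(t2) :
            □ (CanPrmpt(t1, t2) ⇒ Dline(t1) ≤ Dline(t2))
    by evaluating the state predicate in every reachable state. Returns the
    counterexamples as (time, t1, t2); an empty list means the assumption holds."""
    policy = POLICIES[policy_name]
    pairs = guard_solutions(threads)
    violations = []
    for state in reachable_states(threads, policy):
        for t1, t2 in pairs:
            if CanPrmpt(threads, policy, state, t1, t2) and Dline(threads, t1) > Dline(threads, t2):
                violations.append((state[0], t1, t2))
    return violations

if __name__ == "__main__":
    for name in POLICIES:
        print(name, verify_contract(THREADS, name))
```

The split between guard_solutions and reachable_states mirrors the slide: the first-order part is decided once over the static model, the temporal part is checked against the behavioural model for each solution of the guard. Putting B on a second CPU makes the guard unsatisfiable and the contract holds vacuously, which is exactly why the guard belongs in the contract rather than in the analysis code.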
Intra-model analysis framework
Summary
● Analysis contracts:
– Integrate reasoning from different models
– Describe verification domains, specify contracts, find an ordering, verify contracts
– Implemented in a customizable framework
● Future work:
– How do model structures affect verification domains?
– What modeling aspects should be “contractified”?
References
● I. Ruchkin, D. De Niz, S. Chaki, and D. Garlan. Contract-Based Integration of Cyber-Physical Analyses. To appear in EMSOFT 2014.
● A. Rajhans, A. Bhave, I. Ruchkin, B. Krogh, D. Garlan, A. Platzer, and B. Schmerl. Supporting Heterogeneity in Cyber-Physical Systems Architectures. To appear in IEEE Transactions on Automatic Control.