The Mana Project
![Page 1: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/1.jpg)
The Mana Project
Lars Asplund, Kristina Lundqvist
Uppsala University, Information Technology, Dept of Computer Systems
![Page 3: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/3.jpg)
Background
• Formal methods have been used in a number of safety critical systems
  – TGV – train signalling system in Paris
• Today's safety critical systems use cyclic executives.
• Research takes for granted that a system consists of processes (scheduling, priorities), and that there is communication between these.
• Process based safety critical systems – formal methods (Raven, Enea …)
![Page 4: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/4.jpg)
Ada-83
• Tasking
• Rendez-vous
• Dynamic
• Hierarchy
• Termination
• ...
Ada83
• For High Integrity Systems
• Subsets:
  • SPARK (No tasking)
  • Boeing
  • ...
• Complex Run-Time
• No Formal Proofs
![Page 5: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/5.jpg)
Ada-95
• Tasking
• Rendez-vous
• Dynamic
• Hierarchy
• Termination
• ...
• Protected Objects
• ATC
• requeue
• delay until
• new interrupts
• task attributes
• ...
Ada95 Subsets:
• GNORT (Gnat NO Run-Time)
• SPARK-95
• Ravenscar
  • Tasking
  • Protected Objects
  • delay until
  • new interrupts
  • task attribute
![Page 6: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/6.jpg)
Ada 95 and Ravenscar
• The Ravenscar profile has been proposed as a possible standard runtime support system suitable for safety critical real-time Ada 95 applications.
• The subset provides enough functionality for the targeted systems.
![Page 7: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/7.jpg)
Ravenscar - tasking
• Library level
• No dynamic creation
• No unchecked deallocation
• Non-terminating
• No entries
• No user defined attributes
• Keep task discriminants
• No ATC
![Page 8: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/8.jpg)
Ravenscar - Protected Objects
• Single Entry
• Barrier a single Boolean
• Only one task in the entry queue
![Page 9: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/9.jpg)
Ravenscar - Communication
• No Rendez-vous
• No requeue
• No select statement
• Interrupts are mapped only to PO procedures
![Page 10: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/10.jpg)
Ravenscar - Real Time
• delay until for delays
• No Calendar
• Clock from Real-Time package
• No dynamic priorities
• Immediate Ceiling Priority
![Page 11: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/11.jpg)
The Mana Project
• Project Aim: Develop and model a run-time system using formal development methodologies. Implement for the gnu Ada-95 compiler.
• Target: Safety critical systems at the highest degree of safety, e.g. Nuclear power plants, ATC, aircraft, ...
![Page 12: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/12.jpg)
The Mana Project
• Chosen language:
  – Subset of Ada 95: Ravenscar
• Representation model: Timed Automata
  – FSAs extended with clocks and constraints
• Verification scheme: A Real-Time Model Checker
  – UPPAAL: Modelling, simulation, and verification tool
![Page 13: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/13.jpg)
A System Model
(Figure: system model. The Application, tasks T0, T1, T2 and T3, sits on top of the Run-Time Kernel, which holds the Scheduler, Ready Queue, Delay Queue, Clock and the PO with P, E and F; arrows show delay until and task dispatch.)
![Page 14: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/14.jpg)
A Verification Session
• Design. Timed Automata Model of
  1. An application (user code)
  2. Run-time kernel (Mana)
• Simulation of design
• Verification by checking reachability properties
![Page 16: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/16.jpg)
Simple application (T1)
```ada
task body T1 is  -- at priority 1
   NextTime : Time := Clock + 30.0;
begin
   loop
      Work (5);
      delay until NextTime;
      PO.P;  -- releases the PO entry
      NextTime := NextTime + 30.0;
   end loop;
end T1;
```
(Figure: timed automaton of T1, with the locations Delay seq and Prot Proc.)
![Page 17: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/17.jpg)
Protected Procedure
(Figure: timed automaton of a protected procedure call, seen from the Calling Task: Procedure Start, Procedure begin, Preemption, Release of Entry.)
![Page 18: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/18.jpg)
Task T2
```ada
task body T2 is  -- at priority 2
   Cond : Boolean := False;
begin
   loop
      Work (10);
      if Cond then
         PO.E;  -- waits on the PO entry until a procedure call releases it
      else
         Cond := not Cond;
         Work (5);
      end if;
      Work (4);
   end loop;
end T2;
```
(Figure: timed automaton of T2, with the location Prot Entry.)
![Page 19: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/19.jpg)
Protected Entry
(Figure: timed automaton of a protected entry call, first part, seen from the Calling Task: Entry Start, Lock Free and no Barrier, Barrier true, Released by Procedure.)
![Page 20: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/20.jpg)
Protected Entry
(Figure: timed automaton of a protected entry call, second part, seen from the Calling Task: Executing, Preemption, Exception, Preemption in exception, Normal end.)
![Page 21: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/21.jpg)
Task T3

```ada
task body T3 is  -- at priority 3
   NextTime : Time := Clock + 18.0;
begin
   loop
      case Cmd is
         when Ack =>
            for I in 1 .. 4 loop
               Work (5);
               PO.P;
            end loop;
         when Connect    => Work (15);
         when Disconnect => Work (20);
         when Send       => Work (10);
      end case;
      delay until NextTime;
      NextTime := NextTime + 18.0;
   end loop;
end T3;
```
(Figure: timed automaton of T3, with the locations Prot Proc and Delay.)
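The protected object PO that the task bodies T1, T2 and T3 above call (PO.P, PO.E, and the function F of the figures), written out against the Ravenscar restrictions listed on the earlier slides. This is an added example, not code from the Mana slides: the barrier variable Released and the ceiling value 3 are assumptions, and Work and Cmd are left out so the package compiles on its own with GNAT.

```ada
pragma Profile (Ravenscar);   --  the compiler rejects anything outside the subset
with Ada.Real_Time; use Ada.Real_Time;
package Mana_App is
   --  Ceiling = highest caller priority (T3 on the slides calls P at 3):
   --  immediate ceiling priority locking, priorities fixed at compile time.
   protected PO is
      pragma Priority (3);
      procedure P;                  --  releases the entry (T1, T3)
      entry E;                      --  single entry, single Boolean barrier (T2)
      function F return Boolean;    --  read-only query, never blocks
   private
      Released : Boolean := False;  --  the one barrier variable (assumed name)
   end PO;
   --  Library-level, non-terminating tasks with static priorities, no entries.
   task T1 is pragma Priority (1); end T1;
   task T2 is pragma Priority (2); end T2;
end Mana_App;

package body Mana_App is
   protected body PO is
      procedure P is
      begin
         Released := True;          --  opens the barrier; a queued T2 is released
      end P;
      entry E when Released is      --  barrier: one Boolean, nothing else
      begin
         Released := False;         --  consume the release, close the barrier
      end E;
      function F return Boolean is
      begin
         return Released;
      end F;
   end PO;
   task body T1 is                   --  periodic releaser, 30 s as on the slides
      NextTime : Time := Clock + Seconds (30);
   begin
      loop
         delay until NextTime;       --  the only delay form Ravenscar allows
         PO.P;
         NextTime := NextTime + Seconds (30);
      end loop;
   end T1;
   task body T2 is                   --  the single allowed waiter on E
   begin
      loop
         PO.E;                       --  a second queued caller raises Program_Error
      end loop;
   end T2;
end Mana_App;
```

GNAT wants the spec and body in mana_app.ads and mana_app.adb; a null main procedure that withs Mana_App is enough to start the tasks, and a caller with priority above the ceiling is refused with Program_Error.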
![Page 22: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/22.jpg)
A view of the System
(Figure: the system seen as automata: the Prot Obj with P, E and F, the tasks T0, T1, T2 and T3, and the Scheduler with Ready Queue, Delay Queue and Clock; arrows show delay until and task dispatch.)
![Page 23: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/23.jpg)
Miscellaneous
• Protected Function
• Delay Queue
• System Clock
![Page 24: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/24.jpg)
The Run-Time System
(Figure: the Run-Time System automata, with the Prot Obj offering P, E and F.)
![Page 25: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/25.jpg)
Task T1
```ada
task body T1 is  -- at priority 1
   NextTime : Time := Clock + 30.0;
begin
   loop
      Work (5);
      delay until NextTime;
      PO.P;  -- releases the PO entry
      NextTime := NextTime + 30.0;
   end loop;
end T1;
```
(Figure: timed automaton of T1, with the locations Delay seq and Prot Proc.)
![Page 26: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/26.jpg)
Building the System
(Figure: the Prot Obj (P, E, F) composed with task T1.)
![Page 27: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/27.jpg)
Task T2
```ada
task body T2 is  -- at priority 2
   Cond : Boolean := False;
begin
   loop
      Work (10);
      if Cond then
         PO.E;
      else
         Cond := not Cond;
         Work (5);
      end if;
      Work (4);
   end loop;
end T2;
```
(Figure: timed automaton of T2, with the location Prot Entry.)
![Page 28: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/28.jpg)
A more Complete System
(Figure: the Prot Obj (P, E, F) composed with tasks T1 and T2.)
![Page 29: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/29.jpg)
Task T3

```ada
task body T3 is  -- at priority 3
   NextTime : Time := Clock + 18.0;
begin
   loop
      case Cmd is
         when Ack =>
            for I in 1 .. 4 loop
               Work (5);
               PO.P;
            end loop;
         when Connect    => Work (15);
         when Disconnect => Work (20);
         when Send       => Work (10);
      end case;
      delay until NextTime;
      NextTime := NextTime + 18.0;
   end loop;
end T3;
```
(Figure: timed automaton of T3, with the locations Prot Proc and Delay.)
![Page 30: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/30.jpg)
A Complete System
(Figure: the complete system: the Prot Obj (P, E, F) composed with tasks T1, T2 and T3.)
![Page 31: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/31.jpg)
Scheduler and Idle process
(Figure: timed automaton of the Scheduler and the Idle process. Locations: Idle Process running, Medium Process available, Medium Process running, Idle Process Preempted, High Process available, High Process running, Medium Process Preempted. Synchronisations: Resume!/Resume?, Suspend!, Preempt!/Preempt?; on Resume? the CPU priority Pcpu is set to PLow, PMed or PHigh.)
![Page 32: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/32.jpg)
Verifying Reachability Properties
• Statement format:
  – Invariant( )
  – Possible( )
  – Where (atomic-formula) | | ’
• Examples:
  – Possible(CPU’Count > 1)
    • At any point in time, there must be only one task executing
  – Invariant(P.Completed and E.Queue’Count > 0 and E.Barrier imply Exec(E.Code, P.Context))
![Page 33: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/33.jpg)
Conclusions and future work
• Have today modelled a full Ravenscar compliant RTK
  – PO: priorities, preemption
    • Procedure, Function and Entry
    • Release on behalf
  – delay until
  – exception handling in PO
  – interrupt
![Page 34: The Mana Project](https://reader035.fdocuments.in/reader035/viewer/2022081418/5681683b550346895dde0859/html5/thumbnails/34.jpg)
Conclusions and future work
• Verified the Mana-RTK together with a small application
• Next step is to implement the Mana-RTK
  – Automatic translation from Ada into TA
• http://www.docs.uu.se/mana