Design, Implementation, and Validation of Embedded Software (DIVES)
Rajeev Alur, Vijay Kumar, Insup Lee (PI), George Pappas, Oleg Sokolsky
Department of Computer and Information Science
Department of Electrical Engineering
Department of Mechanical Engineering and Applied Mechanics
University of Pennsylvania
24 July 2002
Topic Area 1. Administrative
Administrative Information
• Project title: Design, Implementation, and Validation of Embedded Software (DIVES)
• PI: Insup Lee (215-898-3532, [email protected])
• Co-PI: Rajeev Alur, Vijay Kumar, George Pappas
• Organization: University of Pennsylvania
• Contract number: DARPA ITO MOBIES F33615-00-C-1707
• AO Number: K230
• Award end date: May 16, 2003
• Agent: 1st Lt. Jason Lawson, Air Force Research Laboratory
DIVES Team
• Faculty: Rajeev Alur (CIS), Vijay Kumar (MEAM), Insup Lee (CIS), George Pappas (EE), Oleg Sokolsky (CIS)
• Research Associates: Jesung Kim, Salvatore La Torre, Herbert Tanner
• PhD Students: Calin Belta, Joel Esposito, Yerang Hur, Franjo Ivancic, Pradyumna Mishra, Usa Sammapun
• Part-time Programmers: Dan Huber, Valya Sokolskaya
Topic Area 2. Subcontractors and Collaborators
none
Topic Area 3. Problem Description and Program Objective
Project Overview
• Project Objective
– Develop languages, algorithms and tools for hybrid systems to facilitate the development of reliable embedded systems
• Project Description: main research directions
– Compositional semantics to support hierarchical, modular specifications of hybrid systems
– Reachability analysis of embedded systems
– Compositional analysis and optimal controller synthesis of hybrid systems
– Model-based testing and validation of hybrid systems to provide an additional level of reliability
Topic Area 4. Milestone Excel Spreadsheet
Provided separately.
Topic Area 5. Tool Description
Tools at UPenn
1. CHARON modeling environment
2. Reachability analysis based on predicate abstraction
3. Adaptive simulation tool
4. Requiem
5. Test generation (under development)
6. Abstraction checker (under development)
7. Code generation (under development)
1. CHARON Toolkit
• Input
– Hierarchical model of hybrid systems
• Functionality: modeling, simulation, assertion checking
• Output
– Simulation trace, including assertion violations
– HSIF model
– Input format for the reachability analyzer
2. Reachability analysis tool
• Input (compatible with HSIF)
– Linear hybrid systems
  • Modes have linear dynamics: $\dot{x} = Ax + Bu$
  • Mode invariants and transition guards are linear predicates over x
– Initial predicate set
– “Bad” region
• Output
– Execution trace reaching a “bad” state
[Figure: a linear hybrid system (from CHARON or Simulink/Stateflow) together with properties and predicates feeds the reachability computation, which returns a counterexample]
3. Adaptive simulation tool
• Input
– Matlab model
• Implementation
– Adaptive integration routines for multi-rate and multi-agent simulation, implemented in C
– Used instead of the standard Matlab integration routines
• Output
– Matlab simulation trace
• Integration
– Simulink/Stateflow can use custom integration routines for simulation
– Integration with the CHARON simulator is under way
4. Requiem
• Exact symbolic continuous reachability computation
• Input
– Nilpotent linear differential equations (e.g., V2V)
– Semialgebraic sets as initial conditions
• Output
– A quantifier-free formula describing the reachable set
• Implementation
– A Mathematica 4.0 notebook
– Uses the experimental quantifier elimination package
5. Test generation
• Generate a suite of tests from a model based on a given level of coverage
• Input
– A CHARON model of the system
– A coverage criterion
• Output
– A test suite
• Implementation
– In progress
– Test generation algorithms: random test sequences, targeted test sequences
6. Abstraction analysis
• Goal: to develop a formal methodology for deriving consistent abstractions of complex dynamical control systems
• Implementation: we are developing Matlab tools for checking the consistency of modeling abstractions for discrete-time control systems in the presence of state and input constraints
• Input: linear control systems, subject to input and state constraints
• Output: reduced-order linear control systems (abstractions) capturing the behavior of the original systems
7. Code Generation for CHARON
• Goal: to design a software tool that generates platform-dependent executable code from a platform-independent CHARON model
[Figure: a CHARON model (agents and modes) and a platform description (ISA: MIPS, CPU speed: 500 MHz, tolerance: ε, API) are fed to the code generator, which emits executable code]
Penn’s Tool Chain
[Figure: tool chain with CHARON at the center, connected through HSIF to external tools (Teja, Simulink) and to model reduction (Matlab), test generation, reachability analysis and code generation]
Topic Area 6. OEP Participation
Automotive OEP
• We participate in both the vehicle-to-vehicle (V2V) coordination and the ETC challenge problems
– Perform analysis of models for the challenge problems using DIVES analysis tools and methodologies
– Demonstrated the analysis capabilities during the midterm experiments
• We participated in all ESWG meetings and a number of teleconferences
– Contributed to the definition of HSIF and its semantics
– Actively participated in formulating the V2V experimental setup
– Helped to define the logistics of the experiments
– V2V POC: Franjo Ivancic; OEP collaborator: Anouck Girard
– ETC POC: Oleg Sokolsky; OEP collaborator: Paul Griffiths
HSIF development
• A CHARON-to-HSIF translator has been developed
– Flattens the agent and mode hierarchy
– Retains variables and parameters
• HSIF semantics: a set of interacting hybrid automata
[Figure: a hierarchy of CHARON agents (Agent1 to Agent6) with modes (Mode1 to Mode4) is flattened into a DNHA consisting of the hybrid automata HA3, HA5 and HA6]
Topic Area 7. Project Status
Progress since last meeting
• Progress on schedule
• Recently developed techniques
– Simulation relations for constrained discrete-time linear systems
– Multi-agent simulation methodology
– Composability of abstractions
– Model-based test generation for data-flow coverage criteria
– CHARON to HSIF translation
• Publications during the last six months
– 2 journal papers, 13 conference and workshop papers
• Specific milestones accomplished
– Q3FY02: Analysis techniques and tool suite
  • Sound abstraction techniques for model reduction and a reachability analysis tool
  • Challenge problems: V2V (completed) and ETC (new approaches explored)
Project status
Selected publications since the last PI meeting
• G.J. Pappas and S. Simic, "Consistent abstractions of affine control systems", IEEE Transactions on Automatic Control, 47(5):745-756, May 2002.
• I. Lee, A. Philippou, O. Sokolsky, "Process Algebraic Modelling and Analysis of Power-Aware Real-Time Systems", to appear in IEE Computing and Control Engineering Journal, August 2002.
• R. Alur, T. Dang, and F. Ivancic, "Reachability analysis of hybrid systems via predicate abstraction", Proceedings of the Fifth International Workshop on Hybrid Systems: Computation and Control, March 2002, pp. 35-48.
• P. Tabuada, G. J. Pappas, and P. Lima, "Composing Abstractions of Hybrid Systems", Proceedings of the Fifth International Workshop on Hybrid Systems: Computation and Control, March 2002, pp. 436-450.
• H. Hong, I. Lee, O. Sokolsky, and H. Ural, "A Temporal Logic Based Theory of Test Coverage and Generation", Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), April 2002.
• Y. Hur and I. Lee, "Distributed Simulation of Multi-Agent Hybrid Systems", Proceedings of the IEEE International Symposium on Object-Oriented Real-Time Distributed Computing (ISORC), April-May 2002.
• H. G. Tanner and G. J. Pappas, "Simulation Relations for Discrete-Time Linear Systems", Proceedings of the 15th IFAC World Congress on Automatic Control, May 2002.
• H. G. Tanner, V. Kumar and G. J. Pappas, "The Effect of Feedback and Feedforward on Formation ISS", Proceedings of the 2002 International Conference on Robotics and Automation, May 2002, pp. 3448-3453.
• P. Mishra and G.J. Pappas, "Flying Hot Potatoes", Proceedings of the 2002 American Control Conference, Anchorage, Alaska, pp. 754-759, May 2002.
• R. Alur, M. McDougall, and Z. Yang, "Exploiting Behavioral Hierarchy for Efficient Model Checking", to appear in the 14th International Conference on Computer-Aided Verification (CAV), July 2002.
Formal Verification of Hybrid Systems using Predicate Abstraction and Counter-Example Analysis
(slides provided separately)
Reachability Analysis via Predicate Abstraction
• Goal: to improve the scalability of reachability analysis for hybrid systems using predicate abstraction
• Input
– Hybrid automaton with linear dynamics
– Initial and bad regions
– Linear predicates used by the abstractor
• The tool performs an on-the-fly search of the abstract state space to discover a path to a bad state
• Reported at the last PI meeting
– Theory and implementation of the search algorithm
– Application to the V2V challenge problem
• Recent work: what should we do if the search in the abstract state space discovers a counter-example?
Counter-Example Analysis
• Input: a sequence of abstract states and transitions
• Step 1: check whether this path is feasible in the actual system
– This requires computing reachable sets along the path
• If the path is feasible, a real bug has been found; otherwise we need to execute the second step
• Step 2: find predicates that are adequate to rule out this path in the abstract space
– At the infeasible transition, find a hyperplane separating the reachable polyhedron from the pre-image of the next state
– Implemented using linear programming
• The tool has been able to find “interesting” predicates on a number of examples (including ETC)
Refining the Verifier
• Ongoing effort: verification of the ETC challenge problem
• Optimizations
– Elimination of spurious counter-examples due to multiple continuous transitions
– Guided search in the abstract state space
– Local greedy feasibility checks to analyze counter-examples quickly
• Future work
– Lazy abstraction to merge counter-example analysis with the abstract search
– Flow-field analysis to speed up the abstract search
– Better algorithms for computing separating predicates
ETC test generation experiment
• Goal: demonstrate model-based test generation techniques
• Status
– Test suites for mode and transition coverage, as well as definition-use dependency coverage, have been generated manually
– Test generation from the ETC model
– Tool under development
Strategy of test generation
1. Generate test sequences from a model specified in CHARON
2. Convert each test sequence to a test case (I/O sequence)
3. Execute the test
4. Compare the output from test execution with the expected output from the test case
[Figure: the CHARON model feeds the test generator, which produces test sequences; a converter turns them into test cases whose inputs drive test execution on the implementation; the execution output is compared with the expected output in test evaluation]
Model translation
[Figure: the ETC MATLAB model is translated into an ETC CHARON model. The Manager has the top-level modes Limiting (m1) and Driving (m2), connected by transitions t1 and t2; Driving contains the submodes Human, Cruise (m7) and Inactive (m8); Limiting contains Rev_limit (m3), Inactive (m4), Tc_limit (m5) and Inactive (m6), with transitions t3 to t8. The Servo controller has the corresponding modes Cruise (m9), Inactive (m10), Rev_limit (m11), Inactive (m12), Tc_limit (m13), Inactive (m14) and Human (m15), with transitions t9 to t14. Inputs: Which_mode, Which_driving_cruise, Which_limiting_rev, Which_limiting_traction; a Boolean output a1 links the Manager and the Servo Controller]
Model in CHARON
Modes:
mode in CHARON | mode | variables (read) | variables (write) | constraints
Manager | Mode | we, te | Do_d |
limiting (sub) | m1 | we, te | | Do_d=false
driving (sub) | m2 | we, te | | Do_d=true
Transitions (from, to, guard, action):
t1 | m1 | m2 | |
t2 | m2 | m1 | we<h*weMax and te<h*teMax | l to d
t3 | m3 | m4 | we>weMax or te>teMax | d to l
Generated Test Sequences
Transition | Test sequence | Guard
t1 | t1, t3, t11 | we>weMax
t2 | t1, t3, t11 | we>weMax
   | t2, t4, t12 | we<hysteresis*weMax and tc<hysteresis*tcMax
Test cases
Transition | Test sequence | Guard | Test case | Expected output
t1 | t1, t3, t11 | we>weMax | we=weMax+1 | MotorAmps=0
t2 | t1, t3, t11 | we>weMax | we=weMax+1 | MotorAmps=0
   | t2, t4, t12 | we<hysteresis*weMax and tc<hysteresis*tcMax | we=weMax*h-1, tc=tcMax*h-1 | MotorAmps_h
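The four-step strategy above, run on a two-mode abstraction of the ETC Manager (Limiting/Driving), as an added Python example that is not part of the DIVES slides or tools. It assumes constructed values for h, weMax and tcMax, names the driving-to-limiting transition t1 (guard we>weMax) and the limiting-to-driving transition t2 (guard we<h*weMax and tc<h*tcMax) as in the test case table, abstracts away the sub-mode transitions (t3, t4, t11, t12), and uses a constructed stand-in for the implementation under test.

```python
# Added example, not DIVES tool code: the four-step test generation strategy
# on a two-mode abstraction of the ETC Manager. Values of h, weMax, tcMax and
# the implementation under test are constructed for illustration.
from collections import deque

H, WE_MAX, TC_MAX = 0.9, 6000.0, 100.0   # hysteresis and limits (constructed)

# Model: modes and guarded transitions; t1/t2 named as in the test case table,
# sub-mode transitions (t3, t4, t11, t12) are abstracted away.
MODES = {"m1": "limiting", "m2": "driving"}
TRANSITIONS = {
    "t1": ("m2", "m1", lambda s: s["we"] > WE_MAX),
    "t2": ("m1", "m2", lambda s: s["we"] < H * WE_MAX and s["tc"] < H * TC_MAX),
}
INITIAL = "m2"

def test_sequences(criterion="transition"):
    """Step 1: BFS over the mode graph gives one shortest transition sequence
    per mode (mode coverage) or per transition (transition coverage)."""
    paths, queue = {INITIAL: []}, deque([INITIAL])
    while queue:
        mode = queue.popleft()
        for name, (src, dst, _) in TRANSITIONS.items():
            if src == mode and dst not in paths:
                paths[dst] = paths[mode] + [name]
                queue.append(dst)
    if criterion == "mode":
        return {m: seq for m, seq in paths.items() if seq}
    return {t: paths[src] + [t] for t, (src, _, _) in TRANSITIONS.items()}

def boundary_input(trans):
    """Step 2: choose inputs just past the guard threshold, as the slide's
    test cases do (we=weMax+1; we=h*weMax-1 and tc=h*tcMax-1)."""
    return {"t1": {"we": WE_MAX + 1, "tc": TC_MAX},
            "t2": {"we": H * WE_MAX - 1, "tc": H * TC_MAX - 1}}[trans]

def expected_output(mode):
    # MotorAmps=0 while limiting, the human request (MotorAmps_h) while driving
    return "MotorAmps=0" if MODES[mode] == "limiting" else "MotorAmps_h"

def implementation(inputs, mode):
    """Constructed stand-in for the code under test; returns (mode, output)."""
    if mode == "m2" and inputs["we"] > WE_MAX:
        mode = "m1"
    elif mode == "m1" and inputs["we"] < H * WE_MAX and inputs["tc"] < H * TC_MAX:
        mode = "m2"
    return mode, "MotorAmps=0" if mode == "m1" else "MotorAmps_h"

def run_test_case(seq, impl=implementation):
    """Steps 3 and 4: drive the implementation with the test case built from
    the sequence and compare its output with the model's expected output."""
    mode, verdicts = INITIAL, []
    for t in seq:
        _, dst, guard = TRANSITIONS[t]
        inputs = boundary_input(t)
        assert guard(inputs), f"{t}: boundary input must satisfy the guard"
        mode, observed = impl(inputs, mode)
        verdicts.append((t, observed == expected_output(dst)))
    return verdicts
```

Passing a different `impl` (for instance one that never leaves limiting) makes step 4 report a failing verdict for t2.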
Test cases from Berkeley
Inputs from the manager and the resulting function calls:
which_mode: SelectStartup 0, SelectDriving 1, SelectLimiting 2, SelectLimpHome 3, SelectShutdown 4
which_driving_cruise: SelectDrivingCruise 0, SelectDrivingCruiseInactive 1
which_limiting_rev: SelectLimitingRev 0, SelectLimitingRevInactive 1
which_limiting_traction: SelectLimitingTraction 0, SelectLimitingTractionInactive 1
All the possible permutations of input values (X: any value):
Previous state | which_mode | which_driving_cruise | which_limiting_rev | which_limiting_traction | Function calls
X | SelectStartup | X | X | X | DoStartUp
X | SelectDriving | SelectDrivingCruise | X | X | DoHumanCtrl, DoCruiseCtrl
X | SelectDriving | SelectDrivingCruiseInactive | X | X | DoHumanCtrl
X | SelectLimiting | X | SelectLimitingRev | SelectLimitingTraction | DoRevLimitingCtrl, DoTractionCtrl
X | SelectLimiting | X | SelectLimitingRev | SelectLimitingTractionInactive | DoRevLimitingCtrl
X | SelectLimiting | X | SelectLimitingRevInactive | SelectLimitingTraction | DoTractionCtrl
X | SelectLimiting | X | SelectLimitingRevInactive | SelectLimitingTractionInactive |
X | SelectLimpHome | X | X | X | DoLimpHome
X | SelectShutdown | X | X | X | DoShutdown
Shutdown | X | X | X | X | DoShutdown
Test case conversion for Berkeley code
Description | Test sequence | Guard | Converted input | Corresponding inputs | Execution output | CHARON output
t3 (default to limiting) | t1, t3, t11 | we>weMax or te>teMax | (2,X,0,X) | (2,0,0,0) | DoRevLimitingCtrl: 0.4, DoTractionCtrl: 0.5 | DoRevLimitingCtrl (0.4), DoTractionCtrl (0.5), Min (Rev, TC)
 | | we>weMax and Do_d=false | | (2,1,0,0) | DoRevLimitingCtrl: 0.4, DoTractionCtrl: 0.5 |
 | | | | (2,0,0,1) | DoRevLimitingCtrl: 0.4 |
 | | Do_rl=true | | (2,1,0,1) | DoRevLimitingCtrl: 0.4 |
t4 (limiting) | t1, t3, t11 | same as t3 | (2,X,0,X) | same as t3 | |
driving | t2, t4, t12 | we<h*weMax and te<h*teMax | (1,X,1,X) | (1,0,1,0) | DoHumanCtrl: 0.0, DoCruiseCtrl: 1.0 | DoHumanCtrl (0.0), DoCruiseCtrl (1.0), Max (human, cruise)
 | | we<h*weMax or Do_d=true | | (1,0,1,1) | DoHumanCtrl: 0.0, DoCruiseCtrl: 1.0 |
 | | | | (1,1,1,0) | DoHumanCtrl: 0.0 |
 | | Do_rl=false | | (1,1,1,1) | DoHumanCtrl: 0.0 |
Comparison of Test cases
• Test cases generated from the mode coverage criterion cover all the possible permutations of input values from Berkeley equally well
• Test cases generated from the transition coverage criterion cover more than those from the mode coverage criterion
[Figure: hysteresis between Driving and Limiting: the mode switches from Driving to Limiting when we>weMax and back to Driving when we<h*weMax, with h*weMax below weMax on the we axis]
Code Generation for CHARON
• Goal: to design a software tool that generates platform-dependent executable code from a platform-independent CHARON model
Goals
• Exploit features of CHARON
– Analog variables
– Modularity, hierarchy
– Parallel composition
• Bound the difference between model and implementation
– Tuning of the update rate of analog variables
• Flexible enough to be adapted to various platforms
– Easy-to-plug-in interface
Our Approach
[Figure: CHARON features are mapped to C++ objects that run in an execution environment on the target platform: an agent becomes class agent; a mode becomes class mode with diff() and trans() for its differential equations and transitions; an analog variable becomes class var; a scheduler drives execution, and the platform is reached through an API]
Under development
• Modular compilation
– Each agent/mode can be compiled separately
• Concurrent execution of agents and analog variables
– Parallel agents can be distributed to different systems
– Communication is handled transparently by the variable class
– Update analog variables at desired rates
• Flexible interface
– New functions can be plugged in to override the default variable read/write functions
  • Ex: plugging in file I/O functions results in a trace generator
– Interfacing with APIs of real-world platforms
  • Currently Sony robot dogs, eventually the Automotive OEP platform (MPC555)
• Derive RT scheduling requirements from the CHARON model
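The object layout of the approach above (agent, mode with diff() and trans(), var with overridable read/write hooks, scheduler), written in Python rather than C++ as an added example; it is not output of the CHARON code generator. The throttle agent, its target speed and the Euler update are constructed for illustration: plugging a file-like sink into the variable's write hook gives the trace generator mentioned above, and the update step dt shows how the update rate bounds the deviation from the model.

```python
# Added example (not the CHARON code generator): the slide's object layout in Python.
import io

class Var:
    """Analog variable; read/write hooks can be overridden (e.g. by file I/O,
    which turns the running program into a trace generator)."""
    def __init__(self, name, value, read=None, write=None):
        self.name, self._value = name, value
        self.read = read or (lambda v: v._value)
        self.write = write or (lambda v, x: setattr(v, "_value", x))
    def get(self): return self.read(self)
    def set(self, x): self.write(self, x)

class Mode:
    """diff(vars): d/dt of the analog variables; trans(vars): successor mode or None."""
    def __init__(self, name, diff, trans):
        self.name, self.diff, self.trans = name, diff, trans

class Agent:
    def __init__(self, variables, modes, initial):
        self.vars, self.modes, self.mode = variables, modes, modes[initial]
    def step(self, dt):
        """Euler update of every analog variable at rate 1/dt, then the
        discrete transition check of the current mode."""
        rates = self.mode.diff(self.vars)
        for v in self.vars.values():
            v.set(v.get() + dt * rates.get(v.name, 0.0))
        nxt = self.mode.trans(self.vars)
        if nxt:
            self.mode = self.modes[nxt]

def scheduler(agents, dt, horizon):
    """Round-robin scheduler: all agents are stepped at the same update rate."""
    steps = int(round(horizon / dt))
    for _ in range(steps):
        for a in agents:
            a.step(dt)
    return steps

def trace_writer(sink):
    """Plug-in write hook: stores the value and logs 'name=value' to the sink."""
    def write(v, x):
        v._value = x
        sink.write(f"{v.name}={x:.3f}\n")
    return write

def build_throttle_agent(sink=None, v_target=20.0, accel=2.0):
    """Constructed agent: accelerate until v reaches v_target, then hold it."""
    v = Var("v", 0.0, write=trace_writer(sink) if sink else None)
    modes = {"accel": Mode("accel", lambda vs: {"v": accel},
                           lambda vs: "hold" if vs["v"].get() >= v_target else None),
             "hold": Mode("hold", lambda vs: {"v": 0.0}, lambda vs: None)}
    return Agent({"v": v}, modes, "accel")

def run(dt, horizon=12.0):
    """Returns (final mode, final v, trace lines); a coarser dt overshoots more."""
    sink = io.StringIO()
    agent = build_throttle_agent(sink)
    lines = scheduler([agent], dt, horizon)
    return agent.mode.name, round(agent.vars["v"].get(), 3), lines
```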
Topic Area 8. Project Plans
Project Plans
• Plans for the next 6 months
– Refine abstraction, analysis and test generation techniques
– Develop tools to support the new techniques
– Perform OEP experiments using these techniques and tools
– Interface with other tools through HSIF
– Develop model-based code generation techniques
• Specific performance goals
– Demonstrate improved capability to verify linear hybrid systems in terms of number of modes and number of state variables
– Demonstrate the feasibility of model-based test generation
– Demonstrate control of simple tasks on a real robot using automatically generated code
Topic Area 9. Project schedule and milestones
Project schedule and milestones
[Figure: milestone chart from 3FY00 to 2FY03 for the tasks 1. Design language, 2. Software toolkit, 3a. Compositional semantics, 3b. Simulation techniques, 3e. Controller synthesis and 3f. Abstraction techniques, marking milestones on schedule, milestones completed ahead of schedule, and deliverables; the current quarter is 3FY02]
Project schedule and milestones
• Past milestones
– Q3FY01: Compositional Semantics. Completed ahead of schedule
  • Deliverable: research report on compositional semantics
– Q1FY02: Advanced Simulation Techniques. Completed on schedule
  • Deliverables: research reports on event detection, modular and multi-agent simulation algorithms
– Q3FY02: Analysis Techniques and Tool Suite. Milestone achieved, but research and enhancement continue
  • Deliverables: 2 research reports on abstraction techniques and analysis algorithms + tool implementation
• Upcoming milestones
– Q1FY03: Optimal control and run-time monitoring
  • Progress on schedule, research reports published
– Additional milestones: algorithms and tools for test generation and code generation
Technology Transition
• Use of CHARON and its toolkit
– The CARA (Computer Assisted Resuscitation Algorithm) infusion pump system developed by WRAIR (Walter Reed Army Institute of Research)
  • Design specification, analysis, code generation
  • Goal: enhance the FDA approval process for embedded medical devices
– Design and evaluation of strategies for soccer-playing Sony dogs
– Modeling and analysis of biological processes such as protein transduction
  • Fits the hybrid systems paradigm very well
  • Enhances the state of the art in biological research with analysis capabilities
The End.