(File name) - D1 - 01/03/2000 FTR&D/VERIMAG
TAXYS : a tool for the Development and Verification
of RT Systems
a joint project between France Telecom R&D and VERIMAG
E. Closse, M. Poize, J. Pulou, P. Venier, D. Weil (FTR&D)
J. Sifakis and S. Yovine (VERIMAG)
Distribution of this document is subject to authorization by France Télécom R&D
(CAV’01 TAXYS) - Daniel Weil – 21/7/2001
FTR&D/VERIMAG
TAXYS Goals
- Verify timing constraints on RT embedded software
- RT embedded software applications with tight energy & memory constraints: GSM terminal, airplanes, automobiles...
- Critical timing constraints: missing inputs or emitting data too late leads to failure
- Testing the system in its real environment is long and difficult
- Reduce development time by a priori static analysis:
  - model the temporal behavior of the executing code, not of the specification
  - express quantitative timing constraints on this code
TAXYS Approach
- Synchronous languages + timed automata:
  - SAXO-RT ESTEREL compiler (FTR&D)
  - finite state timed automata
  - OPEN-KRONOS model checker (VERIMAG)
- TAXYS application = ESTEREL + C, self-sequenced code
  - control path: ESTEREL; the SAXO-RT ESTEREL compiler produces efficient code, so the time spent in the control path is negligible
  - data path: C; the C functions are called by the control path, and the min & max execution time of each C function is known (e.g. by profiling, …)
Global Model
[Figure: the Environment sends events to the Embedded System, where an Event Handler passes them to the Application; an event enters at t_in and its result leaves at t_out]
- Throughput constraint: no buffer overflow
- Deadline constraint: t_out - t_in < d
TAXYS Specification
- Application model = ESTEREL + timing pragmas
  - the embedded code and its timed model are generated from the same ESTEREL code
  - the timing pragmas contain profiling information and deadline constraints
- Event handler model: C code, a simple FIFO model
- Environment model: ESTEREL + timing pragmas + « npause »; non-deterministic timed automata represent all the possible scenarios
A Small Example
[Figure: environment E (a Sensor emitting A with period TA and B with period TB) -> event handler H -> application A (Filter F, Shared Memory, Compute G) -> Actuator; A arrives at time tA and G finishes at time tG]
- Throughput constraint: no buffer overflow
- Deadline constraint: tG - tA < d
ESTEREL Model
E (environment):
  [ loop npause; emit A; %{# TA cA TA; cA:=0 }% end loop
  || loop npause; emit B; %{# TB cB TB; cB:=0 }% end loop ]
A (application):
  [ loop await A; call F(); %{cpu(Fmin, Fmax)}% end loop
  || loop await B; call G(); %{cpu(Gmin, Gmax)}% end loop ]
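As an added illustration (not TAXYS's own code, nor the symbolic algorithm of OPEN-KRONOS), the following Python models the small example above in discrete time: each npause is a non-deterministic choice of delay in [Tmin, Tmax], the handler is a bounded FIFO, and the C function handling each event takes any time in its cpu(min, max) range. An exhaustive breadth-first exploration of this product then checks the throughput constraint (no buffer overflow) and the deadline constraint t_out - t_in < d, returning a counter-example trace when one is violated. Event names, the period/cpu dictionaries and all numeric parameters are constructed for this example.

```python
from collections import deque
from itertools import product

def successors(state, period, cpu, capacity, deadline):
    """One time unit of environment || FIFO handler || application. state =
    (countdowns to next arrival, queue of (event, age), running (event, remaining, age) or None)."""
    countdown, queue, running = state
    countdown = tuple(c - 1 for c in countdown)
    queue = tuple((e, age + 1) for e, age in queue)
    ages = [age for _, age in queue]
    if running is not None:
        e, rem, age = running
        ages.append(age + 1)                   # age at completion, or while still running
        running = None if rem == 1 else (e, rem - 1, age + 1)
    if any(a >= deadline for a in ages):       # tout - tin < d can no longer hold
        yield "deadline", None
        return
    events = sorted(period)
    arrived = [i for i, c in enumerate(countdown) if c == 0]   # an npause elapsed
    queue += tuple((events[i], 0) for i in arrived)
    if len(queue) > capacity:                  # throughput constraint violated
        yield "overflow", None
        return
    head, queue = (queue[0], queue[1:]) if running is None and queue else (None, queue)  # dispatch in zero time
    # non-deterministic choices: next npause length per arrived event, cpu(min, max) of head
    ranges = [range(period[events[i]][0], period[events[i]][1] + 1) for i in arrived]
    durs = range(cpu[head[0]][0], cpu[head[0]][1] + 1) if head else [None]
    for *picks, dur in product(*ranges, durs):
        cd = dict(zip(arrived, picks))
        yield None, (tuple(cd.get(i, c) for i, c in enumerate(countdown)), queue,
                     (head[0], dur, head[1]) if head else running)

def check(period, cpu, deadline, capacity):
    """Breadth-first exploration of every timing scenario; None if both constraints
    hold, else (violation, trace of states leading to it)."""
    spans = [range(lo, hi + 1) for lo, hi in (period[e] for e in sorted(period))]
    parent = {(cd, (), None): None for cd in product(*spans)}
    todo = deque(parent)
    while todo:
        s = todo.popleft()
        for viol, nxt in successors(s, period, cpu, capacity, deadline):
            if viol:                           # rebuild the counter-example
                trace = [s]
                while parent[trace[-1]] is not None:
                    trace.append(parent[trace[-1]])
                return viol, trace[::-1]
            if nxt not in parent:
                parent[nxt] = s
                todo.append(nxt)
    return None
```

The state space is finite because ages are capped by the deadline, queue length by the capacity, and countdowns by the longest period, so the exploration always terminates.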
Specifying Deadline Constraints
[Figure: the same example: environment E (Sensor emitting A with period TA and B with period TB) -> handler H -> application A (Filter F, Shared Memory, Compute G) -> Actuator; A arrives at tA and G finishes at tG]
- Deadline constraint: tG - tA < d
Specifying Deadline Constraints
  [ loop await A; call F(); end loop
  || loop await B; call G(); end loop ]
Freshness constraint: %{# Y = clock(A) %} ... %{# Y < d %}
[Figure: timed automata of the environment (transitions A!, B!, EA!, clock resets x1:=0, x2:=0, x3:=0, y1:=0), the handler H (states SA, SA & SB, times tSA, tSB) and the application (F(x), G(x)); guard x1 < d']
TAXYS Design Flow
[Figure: the Application (A), Environment (E) and Handler (H) models go through the SAXO-RT ESTEREL compiler and the C compiler; the Taxys verification module drives OPEN-KRONOS, which composes the implicit timed automata on the fly and answers either OK or "constraint violated" with a counter-example; the same compilation produces the Embedded Code; SAXO-RT graphical debugger]
Experimental Results
- ISDN telephone prototype implemented on an experimental DSP at FTR&D: periodic audio data + aperiodic data produced by a graphic tablet
- Proof: a buffer of size > 6 is required
- No need to simplify the application model
- More than 10 million symbolic states explored
- Find appropriate environment model approximations preserving the verified properties
Conclusion
- Seamless design flow from specification to embedded code and verification:
  - a unified language for specifying the application model, the environment model and the timing constraints: "timed ESTEREL"
  - no specific knowledge required from the user
  - counter-example replayed at specification level
- Verification is trustworthy: the embedded code is executed during verification
- Scalable tool:
  - on-the-fly techniques: no intermediate state explosion
  - validated on industrial-size examples: Alcatel GSM application, France Telecom phone prototype (on Monday at RV'01: « Timing Analysis and Code Generation of Automated Vehicle Control Software with TAXYS »)
  - more than 10^7 symbolic states; complexity can be reduced by simplifying the environment model