Classification Schemes to Aid in the Analysis of RealTime Systems PowerPoint PPT Presentation
Title: Classification Schemes to Aid in the Analysis of RealTime Systems
1
Classification Schemes to Aid in the Analysis of
Real-Time Systems
- Paul Z. Kolano
- Trusted Systems
- Laboratories
- paul.kolano_at_
- trustedsyslabs.com
- Richard A. Kemmerer
- University of California,
- Santa Barbara
- kemm_at_cs.ucsb.edu
2
Outline of Presentation
- Introduction
- Brief ASTRAL overview
- Property classifications
- Process classifications
- Transition classifications
- Conclusion
3
Real-Time Systems
Untimed
Concurrency
Asynchrony
Time
Reactivity
Nondeterminism
Difficult to analyze
4
Proof Assistance Is Needed
- Model checkers
- Automatically check state space for violations
- Theorem provers
- Keep reasoning sound, finish off proof details
- Need simplifications and manual abstractions
- Need human guidance and intuition
- Systematic analysis guidance
- How analysis can be performed based on previous
experience - How each approach can be used most effectively
- How results from different approaches can be
combined
5
How Can Analysis Be Systematized?
- Identify distinct proof patterns
- Identify distinguishing features of system
specifications that result in each pattern - Divide and conquer
- Separate specifications with different patterns
- Separate individual proofs into simpler pieces
6
Testbed Systems
- Bakery algorithm
- Cruise control
- Elevator control system
- Olympic boxing scoring system
- Phone system
- Production cell
- Railroad crossing
- Stoplight control system
- Small/Large
- Simple/Complex
- Open/Closed
- Deterministic/ Nondeterministic
- Assumptions not needed/ Assumptions needed
7
Classification Schemes
- Distinct proof styles
- Statically recognizable
- ASTRAL classifications
- Property classifications
- Process classifications
- Transition classifications
8
Outline of Presentation
- Introduction
- Brief ASTRAL overview
- Property classifications
- Process classifications
- Transition classifications
- Conclusion
9
Railroad Crossing
10
ASTRAL Specification
- One or more process type specifications
- Each defines an abstract state machine
- A global specification
- Defines types, constants, etc. shared among
process types - Defines number of statically generated instances
of each process type in the system - Example Railroad Crossing specification
- Process types ? Process instances
- Gate ? 1 Gate instance
- Sensor ? N_Tracks Sensor instances
11
Process Type Specification
- Types
- Variables
- Define state of process
- Initialization
- Defines initial values
- Transitions
- Define changes to variable values
- TYPE
- gate_position (raised, raising, lowered,
lowering) - VARIABLE
- position gate_position
- INITIAL
- position raised
- TRANSITION lower
- ENTRY TIME lower_dur
- ( position lowering
- position lowered )
- EXISTS s sensor_id
- (s.train_in_R)
- EXIT
- position lowering
12
Process Interactions
13
Specification of Properties
- INVARIANT
- Change(train_in_R, now)
- train_in_R
- ? FORALL t time
- ( now - ((dist_R_to_I dist_I_to_out)
- / max_speed - response_time) ? t
- t lt now
- ? past(train_in_R, t))
- ENVIRONMENT
- Call(enter_R, now)
- EXISTS t time
- ( 0 ? t t ? now
- Call2(enter_R, t))
- ? Call(enter_R) - Call2(enter_R) gt
- (dist_R_to_I dist_I_to_out)
- / min_speed
- Requirements
- Invariants
- Schedules
- Assumptions
- Environment
- Imported variable
14
Outline of Presentation
- Introduction
- Brief ASTRAL overview
- Property classifications
- Process classifications
- Transition classifications
- Conclusion
15
Property Classifications
- Untimed properties
- Timed liveness properties
- Forward
- Backward
- Timed safety properties
- Forward
- Backward
16
Context and Requirement Times
- General form of a property
- context ? requirement
- Context times are times referenced in the timed
operator expressions of the context - Requirement times are times referenced in the
timed operator expressions of the requirement
17
Example of Context and Requirement Times
- FORALL t time, s sensor_id
- ( Change(s.train_in_R, now - dist_R_to_I /
max_speed response_time) - past(s.train_in_R, now - dist_R_to_I /
max_speed response_time) - ? EXISTS t time
- ( now - dist_R_to_I / max_speed
response_time ? t - t ? now
- past(position, t) lowered))
- Context times
- now - dist_R_to_I / max_speed response_time
- Requirement times t
18
Untimed Properties
- Context times and requirement times can only be
the current time - With only local state variables
- FORALL d direction
- ( Circle(d) green
- ? Arrow(opp(d)) red)
- With timed operators/imported variables
- Change(number, now)
- Number 0
- ? In_critical
19
Untimed Properties With Only Local State Variables
- State variables only change when transitions end
- These properties hold if the exit assertion of
each transition preserves the property
- maintaining_speed ? cruise_on
- TRANSITION maintain_speed
- ENTRY TIME input_dur
- cruise_on
- maintaining_speed
- EXIT
- cruise_throttle throttle?
- desired_speed speedometer.speed
- maintaining_speed
20
Forward vs. Backward
- Forward
- EXISTS ct context time
- FORALL rt requirement time
- ct ? rt
- Backward
- EXISTS rt requirement time
- FORALL ct context time
- rt ? ct
FORALL t time, s sensor_id (
Change(s.train_in_R, now - dist_R_to_I /
max_speed response_time)
past(s.train_in_R, now - dist_R_to_I /
max_speed response_time) ? EXISTS t time
( now - dist_R_to_I / max_speed
response_time ? t t ? now
past(position, t) lowered))
Change(train_in_R, now) train_in_R ? FORALL
t time ( now - ((dist_R_to_I
dist_I_to_out) / max_speed -
response_time) ? t t lt now ?
past(train_in_R, t))
21
Forward vs. Backward
- The execution tree of a process
22
Safety vs. Liveness
- Safety properties
- Must hold at all times in an interval
- Liveness properties
- Must hold at least once in an interval
- Can abstract away details of execution
- Must derive exact executions
23
Safety Properties
- Change(train_in_R, now)
- train_in_R
- ? FORALL t time
- ( now - ((dist_R_to_I dist_I_to_out)
- / max_speed - response_time) ? t
- t lt now
- ? past(train_in_R, t))
TRANSITION exit_I ENTRY TIME exit_dur
train_in_R now - Start(enter_R)
? (dist_R_to_I dist_I_to_out)
/ min_speed - exit_dur EXIT
train_in_R
24
Liveness Properties
- FORALL t time, s sensor_id
- ( Change(s.train_in_R, now - dist_R_to_I /
max_speed response_time) - past(s.train_in_R, now - dist_R_to_I /
max_speed response_time) - ? EXISTS t time
- ( now - dist_R_to_I / max_speed
response_time ? t - t ? now
- past(position, t) lowered))
25
Property Classifications ofTestbed Systems
26
Outline of Presentation
- Introduction
- Brief ASTRAL overview
- Property classifications
- Process classifications
- Transition classifications
- Conclusion
27
Process Classifications
- Multi-threaded process
- Iterative single-threaded process
- Simple single-threaded process
28
Multi-Threaded Process
- Multiple independent threads interleaved on a
single process
29
Liveness Properties in a Multi-Threaded Process
- Must take scheduling policy into account
- Example fixed priority scheduling
30
Iterative Single-Threaded Process
- Cyclic behavior with stored iteration count
31
Liveness Properties in anIterative
Single-Threaded Process
- Properties may need to be proved between
arbitrary values of the iteration count
32
Simple Single-Threaded Process
- May have cyclic behavior, but iteration count not
stored - Properties usually need to be proved over only a
single full cycle
33
Process Classifications of Testbed Systems
- Multi-threaded processes (2/25)
- Central_Control (phone system)
- Controller (stoplight control system)
- Iterative single-threaded processes (4/25)
- Elevator (elevator control system)
- Proc (bakery algorithm)
- Timer and Tabulate (Olympic boxing system)
- Simple single-threaded processes (19/25)
34
Outline of Presentation
- Introduction
- Brief ASTRAL overview
- Property classifications
- Process classifications
- Transition classifications
- Conclusion
35
Transition Classifications
- Transition enablement
- Local state (L)
- External environment (E)
- Imported state (O)
- Current time (T)
- Eight classifications based on these factors
- L, E, O, T, EO, ET, OT, EOT
TRANSITION lower ENTRY TIME lower_dur
( position lowering position
lowered ) EXISTS s sensor_id
(s.train_in_R) EXIT position lowering
36
Determining Transition Delays
- e.g., L transitions
- Local state only changes when transitions end
- Must immediately follow previous transition
- e.g., T transitions
- Delayed from some local state/event
- e.g., now End(trans1) ? delay1
- Other transition types
- Examine relevant clauses
37
Transition Classifications of Testbed Systems
38
Outline of Presentation
- Introduction
- Brief ASTRAL overview
- Property classifications
- Process classifications
- Transition classifications
- Conclusion
39
Conclusions
- Three classification schemes were developed from
existing specifications - Property classifications
- Process classifications
- Transition classifications
- Statically recognizable
- Each aids in the proof process
40
Future Work
- Examine more real-time systems
- Are there additional classification schemes that
are useful? - Examine other specification languages
- Are the existing classification schemes
applicable to many specification languages?
41
The End
- For complete details, see dissertation...
- http//www.cs.ucsb.edu/kolano
Recommended
