Automatic Debugging and Verification of RTL-Specified Real-Time Systems - PowerPoint PPT Presentation

Automatic Debugging and Verification of RTL-Specified Real-Time Systems Albert M. K. Cheng Real-Time Systems Laboratory and Institute for Space Systems Operations – PowerPoint PPT presentation

Transcript and Presenter's Notes

1
Automatic Debugging and Verification of
RTL-Specified Real-Time Systems
  • Albert M. K. Cheng
  • Real-Time Systems Laboratory and
  • Institute for Space Systems Operations
  • University of Houston, Texas, USA

2
Real-Time Systems [JahanianMok86, JahanianMok87, Cheng02]
  • Structural-functional specification
  • Behavioral specification (SP)
  • An implementation is correct if
  • SP implies the safety assertions (SA)

3
Verification of Timing Properties [JahanianMok86, JahanianMok87, Cheng02]
  • In checking SP → SA, we may have the cases:
  • (safe) SA is a theorem derivable from SP
  • (inherently unsafe) SA is unsatisfiable with respect to SP
  • (safe if additional constraints are added) the negation of SA is satisfiable under certain conditions.

4
Our Incremental Approach for Systematic Debugging
5
Details of the Approach
  • The satisfiability of SPk+1 → SAk+1 is expressed incrementally from the satisfiability of SPk → SAk
  • The manual debugging in step 3 is correlated with the satisfiability of SPk → SAk
  • We use the #SAT (counting SAT) problem rather than the SAT problem, to know how far away SP is from satisfying SA
  • The modification of SP and/or SA is useful for incremental debugging, in which bugs are fixed one at a time until the system is correct.

6
Motivations and Achievements
  • Since industrial real-time systems may have large
    specifications, it is impractical for the
    designer to find the proper missing or wrong
    constraints.
  • The debugging in step 3 is done systematically,
    not manually.
  • Efficient Java implementation of systematic debugging (SDRTL). Examples of real-time systems have also been successfully tested with SDRTL.
  • We simulate a real-life scenario, supposing that
    the designer may forget to include some
    constraints or may give some incorrect
    constraints.

7
Real-Time Logic (RTL) [JahanianMok86]
  • RTL = first-order logic with special features to capture the timing requirements
  • Occurrence function @: Event × Occurrence → Time, where Occurrence = Nat − {0} and Time = Nat.
  • @(e, i) = t means the i-th occurrence of event e occurs at time t.
  • ∀e ∈ Event, ∀i ∈ Occurrence, @(e, i) < @(e, i+1) if @(e, i+1) is defined

8
Real-Time Logic (cont)
  • Three types of RTL constants
  • Actions: schedulable units of work
  • Event constants are temporal markers
  • External Events: Ωevent-name
  • Start Events: ↑event-name
  • Stop Events: ↓event-name
  • Integers: used for timing constraints.

9
Example: Railroad crossing
(Figure of the railroad crossing, annotated with the 60s and 45s timing bounds)
10
SP of Railroad Crossing: English and RTL
  • When the train approaches the sensor, a signal will initiate the lowering of the gate, and the gate is moved to the down position within 30s from being detected by the sensor, and
  • ∀x ( @(TrainApproach, x) ≤ @(↑DownGate, x) ∧
  •      @(↓DownGate, x) ≤ @(TrainApproach, x) + 30
  • )
  • The gate needs at least 15s to lower itself to the down position.
  • ∀y ( @(↑DownGate, y) + 15 ≤ @(↓DownGate, y) )

11
SA of Railroad Crossing: English and RTL
  • If the train needs at least 45s to travel from the sensor to the railroad crossing, and the train crossing is completed within 60s from being detected by the sensor, then
  • we are assured that at the start of the train crossing the gate has moved down, and
  • that the train leaves the railroad crossing within 45s from the time the gate has completed moving down.
  • ∀t ∀u (
  •   @(TrainApproach, t) + 45 ≤ @(↑TrainCrossing, u) ∧
  •   @(↓TrainCrossing, u) < @(TrainApproach, t) + 60 →
  •   @(↑TrainCrossing, u) ≥ @(↓DownGate, t) ∧
  •   @(↓TrainCrossing, u) ≤ @(↓DownGate, t) + 45
  • )

12
The Path-RTL formulas
  • The general form of path-RTL formulas:
  • functionOccurrence ± integerConstant ≤ functionOccurrence
  • Industrial real-time systems:
  • Railroad crossing [JahanianMok87, JahanianStuart88, Cheng02]
  • Moveable control rods in a reactor [JahanianMok87]
  • Boeing 777 Integrated Airplane Information Management System [MTR96]
  • X-38, an autonomous spacecraft built by NASA [RiceCheng99]

13
Presburger Arithmetic Formulae
  • Each @(e, i) is replaced by an uninterpreted function fe(i)
  • SP
  • ∀x (f(x) ≤ g1(x) ∧ g2(x) ≤ f(x) + 30)
  • ∀y (g1(y) + 15 ≤ g2(y))
  • SA
  • ∀t ∀u (
  •   f(t) + 45 ≤ h1(u) ∧ h2(u) < f(t) + 60 →
  •   g2(t) ≤ h1(u) ∧ h2(u) ≤ g2(t) + 45
  • )

14
Railroad Crossing - Clausal Form
  • ¬(SP → SA) ≡ ¬(¬SP ∨ SA) ≡ SP ∧ ¬SA
  • SP → SA is a theorem iff SP ∧ ¬SA is unsatisfiable
  • SP
  • ∀x ∀y (f(x) ≤ g1(x) ∧ g2(x) − 30 ≤ f(x) ∧ g1(y) + 15 ≤ g2(y))
  • Negation of SA
  • ∃t ∃u (f(t) + 45 ≤ h1(u) ∧ h2(u) < f(t) + 60 ∧
  •   (h1(u) < g2(t) ∨ g2(t) + 45 < h2(u)))
  • Skolem normal form of path-RTL formulas [T/t][U/u]
  • f(T) + 45 ≤ h1(U) ∧ h2(U) − 59 ≤ f(T) ∧
  •   (h1(U) + 1 ≤ g2(T) ∨ g2(T) + 46 ≤ h2(U))

15
Constraint Graph Technique
  • F: the initial path-RTL formula
  • F': the corresponding Presburger formula
  • PF = C1 ∧ C2 ∧ … ∧ Cn is the propositional formula of SP ∧ ¬SA
  • Ci = Li,1 ∨ Li,2 ∨ … ∨ Li,n and
  • each Li,j has the general form v1 + I ≤ v2, I being a positive integer constant.
  • For each {Xi,1, Xi,2, …, Xi,ni}, the i-th positive cycle, the clause ¬Xi,1 ∨ ¬Xi,2 ∨ … ∨ ¬Xi,ni is added to PF.
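The Skolemised clausal form of the railroad crossing (slide 14) run through the constraint-graph technique, as an added Python example that is not from the slides or from SDRTL: each literal v1 + I ≤ v2 becomes an arc v1 → v2 of weight I, every simple cycle of positive total weight is collected, and SP ∧ ¬SA is unsatisfiable (so SP → SA holds) iff every way of picking one literal per clause closes such a cycle. The arc names A1..A7 and the reading of the ¬SA disjunction as the clause {A6, A7} are this example's assumptions.

```python
from itertools import product

# Skolemised SP ∧ ¬SA of the railroad crossing (slide 14) as path-RTL literals v1 + I <= v2.
# The arc names A1..A7 are this example's assumption, not taken from the slides.
ARCS = {
    "A1": ("f", 0, "g1"),    # f(T) <= g1(T)
    "A2": ("g2", -30, "f"),  # g2(T) - 30 <= f(T)
    "A3": ("g1", 15, "g2"),  # g1(T) + 15 <= g2(T)
    "A4": ("f", 45, "h1"),   # f(T) + 45 <= h1(U)
    "A5": ("h2", -59, "f"),  # h2(U) - 59 <= f(T)
    "A6": ("h1", 1, "g2"),   # h1(U) + 1 <= g2(T)
    "A7": ("g2", 46, "h2"),  # g2(T) + 46 <= h2(U)
}
# Clausal form (assumed): SP and the two conjuncts of ¬SA are unit clauses,
# the disjunction inside ¬SA becomes the clause {A6, A7}.
CLAUSES = [["A1"], ["A2"], ["A3"], ["A4"], ["A5"], ["A6", "A7"]]

def positive_cycles(arcs):
    """Every simple cycle whose weights sum to a positive value, as the set of arc names on
    it. Following v1 -I-> v2 around such a cycle yields v1 + I' <= v1 with I' > 0, so the
    literals on the cycle cannot all hold at once (the positive cycles of slide 15)."""
    out = {}
    for name, (u, w, v) in arcs.items():
        out.setdefault(u, []).append((v, w, name))
    found = set()

    def walk(start, node, weight, path, seen):
        for v, w, name in out.get(node, []):
            if v == start and weight + w > 0:
                found.add(frozenset(path + [name]))
            elif v not in seen:
                walk(start, v, weight + w, path + [name], seen | {v})

    for start in out:
        walk(start, start, 0, [], {start})
    return found

def cycle_clauses(arcs):
    """One clause ¬X1 ∨ ... ∨ ¬Xn per positive cycle, the clauses added to PF on slide 15."""
    return {frozenset("¬" + a for a in cyc) for cyc in positive_cycles(arcs)}

def sp_implies_sa(clauses, arcs):
    """SP → SA is a theorem iff SP ∧ ¬SA is unsatisfiable (slide 14), i.e. iff every way of
    picking one literal per clause selects all the arcs of some positive cycle."""
    cycles = positive_cycles(arcs)
    return all(any(cyc <= set(choice) for cyc in cycles) for choice in product(*clauses))
```

Weakening the 15s gate constraint (A3) to 13s removes the positive cycle through A1, A3, A7, A5 and the implication no longer holds, which is the "safe if additional constraints are added" case of slide 3.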

16
Counting SAT Problem
  • PF = {C1, …, Cl} over V. If {C1, …, Cs} ⊆ PF and s ≤ l, then
  • mV(C1, …, Cs) = number of variables from V which do not occur in C1 ∧ … ∧ Cs.
  • difV(C1, …, Cs) =
  •   0 if ∃ i, j ∈ {1, …, s}, i ≠ j, ∃ L literal such that L ∈ Ci and ¬L ∈ Cj
  •   2^mV(C1, …, Cs) otherwise

17
Incremental Counting SAT
  • detV(PF) =
  •   2^n − Σ_{s=1..l} (−1)^(s+1) Σ_{1 ≤ i1 < … < is ≤ l} difV(Ci1, …, Cis)
  • is called the determinant of PF.
  • Theorem. PF has detV(PF) truth assignments. So, PF is satisfiable iff detV(PF) ≠ 0.
  • Problem: Knowing the number of true instances of PF, what is the number of true instances of PF ∪ {C}, for any arbitrary clause C?
  • Incremental computation: get detV(PF2) using detV(PF1), without re-computing the common parts of PF2 and PF1

18
Increment of a Clausal Formula
  • Definition: Given PF = {C1, …, Cl} over V and C an arbitrary clause, then
  • incV(C, PF) = Σ_{s=0..l} (−1)^(s+1) Σ_{1 ≤ i1 < … < is ≤ l} difV(C, Ci1, …, Cis)
  • is called the increment of PF with C over V.
  • Theorem: Let PF = {C1, …, Cl} be a clausal formula and PF' = {Cl+1, …, Cl+k}. Then
  • detV(PF ∪ PF') = detV(PF) + incV(Cl+1, PF) + incV(Cl+2, PF ∪ {Cl+1}) + … + incV(Cl+k, PF ∪ {Cl+1, …, Cl+k−1})
  • Incremental computing is optimal

19
Related Work: Incremental Approaches
  • An incremental positive cycle detection algorithm [MTR96] is also based on the constraint-graph technique and uses an algorithm for single source with positive weight in the graph.
  • An incremental algorithm for model checking using transition systems in the alternation-free fragment of the modal mu-calculus was presented in [SoS94].
  • Instead, our incremental approach is applied to propositional formulas.

20
History of #SAT and SAT problems
  • The #SAT problem: Valiant, 1979
  • The SAT problem: Cook, 1971
  • The incremental #SAT problem: Andrei and Chin, 2004
  • The incremental SAT problem: Hooker, 1993

21
Railroad Crossing - Constraint Graph (1)
  • PF1 = {A1, A2, A3, A4, A5, A6, A7, {¬A2, ¬A4, ¬A6}, {¬A4, ¬A5, ¬A6, ¬A7}, {¬A1, ¬A3, ¬A5, ¬A7}}.
  • detV1(PF1) = 0, where V1 = {A1, …, A7}.
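The determinant and increment of slides 16 to 18, computed over the railroad crossing formula PF1 of this slide, as an added Python example (not the authors' Java SDRTL). difV, detV and incV follow the definitions given above and a brute-force enumeration cross-checks them; the clause {A6, A7}, standing for the disjunction inside ¬SA, is this example's reading of the slide, while the three positive-cycle clauses are as listed.

```python
from itertools import combinations, product

def neg(lit):
    """Complement of a literal; a literal is (variable, polarity), e.g. ("A2", False) is ¬A2."""
    return (lit[0], not lit[1])

def dif(clauses, variables):
    """dif_V(C1..Cs) of slide 16: assignments over V falsifying every Ci at once. Zero when two
    clauses carry complementary literals, else 2^m with m = variables of V occurring in none."""
    lits = frozenset().union(*clauses)
    if any(neg(l) in lits for l in lits):
        return 0
    return 2 ** len(variables - {v for v, _ in lits})

def det(pf, variables):
    """det_V(PF) = 2^n - sum_{s=1..l} (-1)^(s+1) sum_{i1<..<is} dif_V(Ci1..Cis) (slide 17):
    inclusion-exclusion over the falsifying sets, i.e. the number of satisfying assignments."""
    total = 2 ** len(variables)
    for s in range(1, len(pf) + 1):
        total -= (-1) ** (s + 1) * sum(dif(sub, variables) for sub in combinations(pf, s))
    return total

def inc(c, pf, variables):
    """inc_V(C, PF) = sum_{s=0..l} (-1)^(s+1) sum_{i1<..<is} dif_V(C, Ci1..Cis) (slide 18),
    so det_V(PF ∪ {C}) = det_V(PF) + inc_V(C, PF) without recounting PF."""
    return sum((-1) ** (s + 1) * sum(dif((c,) + sub, variables) for sub in combinations(pf, s))
               for s in range(len(pf) + 1))

def incremental_det(clauses, variables):
    """Running det_V after each clause is added, starting from the empty formula (2^n)."""
    pf, d, trace = [], 2 ** len(variables), []
    for c in clauses:
        d += inc(c, pf, variables)
        pf.append(c)
        trace.append(d)
    return trace

def brute_force(pf, variables):
    """Reference count: enumerate all 2^n assignments and keep those satisfying every clause."""
    names = sorted(variables)
    return sum(all(any(a[v] == p for v, p in c) for c in pf)
               for a in (dict(zip(names, bits)) for bits in product((False, True), repeat=len(names))))

def clause(*lits):
    """Build a clause from literal strings such as "A1" or "¬A2"."""
    return frozenset((l.lstrip("¬"), not l.startswith("¬")) for l in lits)

# PF1 over V1 = {A1..A7} (slide 21); {A6, A7} as the ¬SA disjunction is this example's assumption.
V1 = {f"A{i}" for i in range(1, 8)}
PF1 = [clause("A1"), clause("A2"), clause("A3"), clause("A4"), clause("A5"), clause("A6", "A7"),
       clause("¬A2", "¬A4", "¬A6"), clause("¬A4", "¬A5", "¬A6", "¬A7"), clause("¬A1", "¬A3", "¬A5", "¬A7")]
```

The running determinant drops to 1 after the first positive-cycle clause, stays at 1 for the second (a zero increment, which slide 28 says does not count) and reaches 0 with the third, so SP ∧ ¬SA is unsatisfiable and the system is safe.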

22
Re-design of Railroad Example
  • We consider 2 new events (CarCrossingLeft - CCL and CarCrossingRight - CCR) and 2 new constraints
  • We add to SP:
  • (English) A car from the left or right needs at most 10 seconds to cross the railroad
  • (RTL) ∀z1, @(↑CCL, z1) + 10 ≥ @(↓CCL, z1) and ∀z2, @(↑CCR, z2) + 10 ≥ @(↓CCR, z2)
  • We add to SA:
  • (English) If the train starts to cross the railroad crossing, no car has been crossing from either the left or the right in the last 5 seconds
  • (RTL) ∀v1, @(↓CCL, v1) + 5 ≤ @(↑TrainCrossing, u) and ∀v2, @(↓CCR, v2) + 5 ≤ @(↑TrainCrossing, u)

23
Railroad Crossing - Constraint Graph (2)
  • PF2 = PF1 ∪ {A8, A9, {A6, A7, A10, A11}, {A6, A7}}
  • detV2(PF2) = detV1(PF1) +
  •   incV2(A8, PF1) +
  •   incV2(A9, PF1 ∪ {A8}) + incV2({A6, A7, A10, A11}, PF1 ∪ {A8} ∪ {A9}) −
  •   incV2({A6, A7}, PF1 ∪ {A8} ∪ {A9} ∪ {A6, A7, A10, A11}) = 3, where V2 = V1 ∪ {A8, …, A11}.
  • As detV2(PF2) > 0, the real-time system is unsafe.

24
Debugging Computation: Manual versus Systematic
  • Manual debugging is impractical for big systems.
  • There is a need to consider a systematic way to solve this matter.
  • The method will automatically generate, ordered from the most probable to the least probable, all the possible missing constraints.
  • Then the designer chooses from this list the proper constraint, one which does not contradict the real-time system specifications.

25
Railroad Crossing - Constraint Graph (2)
  • (Init) construct PF1
  • (Test Print) test if the determinant is 0 and if the designer agrees with the suggested constraint according to the systematic debugging computation
  • (Incremental Computation) compute detVk+1(PFk+1) using detVk(PFk)
  • (desired = false) is evaluated to false when the designer wishes to stop the systematic debugging and the timing constraints of the real-time system are fulfilled.

Algorithm Main
  (Init); desired = false
  while (desired = false)
    (Test Print)
    if (desired = false)
      (Incremental Computation)
      (Debugging Computation)

26
Addition of a New Arc
  • The figure shows that node v has no out-arc
  • So the arc (v, w) (pictured with a dashed line) is added to the constraint graph as a member of a new positive cycle.

27
Transforming a Negative Cycle
  • The algorithm detects all possible incorrect constraints (i.e. those containing a fault).
  • That is, the algorithm proposes other (bigger) constants I for the literal v1 + I ≤ v2, and with the help of the designer one such constraint is selected.
  • Figure 3(b) is more than a refinement, because it corresponds to detecting faults in the initial specification and proposes a new proper constraint.

28
Key Point: the Increment
  • SDRTL will compute the increment for each change (new arc and/or new cost)
  • Then, SDRTL will sort all these increments in increasing order
  • Starting from the minimum increment, the designer will be asked for his agreement
  • Increments which are zero do not count

29
The Execution Run
30
The Execution Run (cont)
31
Railroad Crossing - Constraint Graph (3)
  • PF3 = PF2 ∪ {C12, C13, C14, C15}, over V2.
  • As detV2(PF3) = 0, the real-time system is safe.
  • The unification should be done carefully.

32
Monotony of det and inc
33
Systematic Debugging Results
  • Denote by niz the number of increments which are zero, and by tni the total number of increments.
  • The effectiveness is efct = (tni − niz) / tni.
  • The closer the effectiveness is to 0, the faster the algorithm is (because useless clauses are not generated).
  • The more bugs the system has, the longer the execution time.

34
X-38, an autonomous spacecraft built by NASA [RiceCheng99]
35
Automatic Debugging
  • Autonomous systems (human operators are absent) generate real-time control plans automatically, on the fly

36
Future Work: Replacement of SAT solvers
  • Counting SAT solvers are more efficient than SAT solvers when there are too many choices to consider (as in re-design and debugging problems)
  • Applications
  • Finding a feasible schedule
  • Model checking

37
Joint work with Stefan Andrei, Wei-Ngan Chin, and Mihai Lupu of the National University of Singapore. Work supported in part by the NSF and the Institute for Space Systems Operations. Thanks! Questions?
38
References
  • [JahanianMok87] Jahanian, F., Mok, A. A Graph-Theoretic Approach for Timing Analysis and its Implementation. IEEE Transactions on Computers, Vol. C-36, No. 8, 1987
  • [JaS88] Jahanian, F., Stuart, D. A. A Method for Verifying Properties of Modechart Specifications. Proceedings of the 9th IEEE Real-Time Systems Symposium, pp. 12-21, 1988
  • [WaM94] Wang, F., Mok, A. K. RTL and Refutation by Positive Cycles. Proceedings of Formal Methods Europe Symposium, LNCS 873, pp. 659-680, 1994
  • [AndreiChin04] Andrei, S., Chin, W.-N. Incremental Satisfiability Counting for Real-Time Systems. IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS04), Toronto, Canada, 25-28 May 2004
  • S. Andrei, W.-N. Chin, A. M. K. Cheng, and M. Lupu. Automatic Debugging of Real-Time Systems Based on Incremental Satisfiability Counting, accepted 2/2006, to appear in IEEE Transactions on Computers, 2006

39
References (cont)
  • [MTR96] Mok, A. K., Tsou, Duu-Chung, de Rooij, R. C. M. The MSP.RTL real-time scheduler synthesis tool. Proceedings of the 17th IEEE Real-Time Systems Symposium, 1996
  • [RiceCheng99] Rice, L.E.P., Cheng, A.M.K. Timing Analysis of the X-38 Space Station Crew Return Vehicle Avionics. Proceedings of the 5th IEEE-CS Real-Time Technology and Applications Symposium, pp. 255-264, 1999
  • [Cheng02] Cheng, A.M.K. Real-Time Systems: Scheduling, Analysis, and Verification. Wiley-Interscience, 2002
  • [Andrei2004] Andrei, S. Counting for Satisfiability by Inverting Resolution. Artificial Intelligence Review, 2004
  • [SoS94] O. Sokolsky and S.A. Smolka. Incremental Model Checking in the Modal Mu-Calculus. Computer-Aided Verification '94, LNCS 818, Springer-Verlag, 1994