Symbolic Verification of Complex Synchronizations in Distributed Real-Time Systems

Farn Wang
National Taiwan University

ICFEM 2005


2005/11/02   Farn Wang. ICFEM'2005-Manchester            1
Complex Synchronizations in Distributed Real-Time Systems

[Figure: a hit followed by several explosions; the "hitting" and "explosion" events of the running example]

Modeling granularity?
Did the hit and explosion happen at the same time?
• No, at the fine level of quantum mechanics
  – Extremely fine models
  – Extreme confidence in the verification result
• Yes, for the complexity of verification
  – Intuitive, natural, and acceptable
  – Usable analysis result
Complex Synchronizations in the CSP style

[Figure: the hitting/explosion example with CSP-style channel events; processes synchronize pairwise through matching output events (!explosion, !hitting) and input events (?explosion, ?hitting)]

• Multiple-party synchronizations constructed through binary synchronizations
  – Global transitions constructed through process transitions
  – For each channel, # input events = # output events
  – For interleaving semantics, minimality of global transitions
• Modular descriptions and specifications
  – Flexibility in the descriptions of process response variations
Process Timed Automata (PTA)
A = ⟨Σ, X, Q, I, μ, E, γ, λ, τ, π⟩

Example (the monitor/hit PTA of the figure below):
Q = {m, h}                          E = {e1, e2}              π(e1) = {z}
Σ = {sample, explode}               γ(e1) = (m, m)            π(e2) = {}
X = {x, z} /* local clocks */       γ(e2) = (m, h)            λ(e1, sample) = -1
I = m                               τ(e1) = (z = 50)          λ(e1, explode) = 0
μ(m) = x ≤ 500 ∧ z ≤ 50             τ(e2) = true              λ(e2, sample) = 0
μ(h) = true                                                   λ(e2, explode) = +1

[Figure: mode m (monitor; invariant x ≤ 500ms ∧ z ≤ 50ms; initially x := 0; z := 0) with a self-loop e1 labelled "?sample, z = 50ms, z := 0" and a transition e2 labelled "!explode" to mode h (hit)]
Communicating Timed Automata (CTA)
⟨Σ, A1, A2, ..., Am⟩
• PTA Ap = ⟨Σp, Xp, Qp, Ip, μp, Ep, γp, λp, τp, πp⟩
• Σp ⊆ Σ
• Xp ∩ Xp' = ∅, 1 ≤ p < p' ≤ m
• Qp ∩ Qp' = ∅, 1 ≤ p < p' ≤ m
• Ep ∩ Ep' = ∅, 1 ≤ p < p' ≤ m
CTA
⟨{start, end, collision}, Sender1, Sender2, Bus⟩

[Figure: Sender 1 and Sender 2 each cycle through the modes idle, send (invariant x1 <= 5, reset x1 = 0 on !start) and retry, with transitions labelled !start, !end and ?collision; the Bus cycles through idle, busy and collision with transitions labelled ?start, ?end and !collision; the process transitions are numbered 1 to 18]

Sender1, Sender2, and Bus are all PTAs.
State of CTA ⟨Σ, A1, A2, ..., Am⟩

• State ν: a valuation such that
  – ν(mode_p) ∈ Qp
  – for each x ∈ ∪_{1≤p≤m} Xp, ν(x) ∈ R+
  – ν ⊨ ∧_{1≤p≤m} μp(ν(mode_p))
• ν + δ: time progression of ν by δ ∈ R+
  – ∀x ∈ X, (ν + δ)(x) = ν(x) + δ
CTA ⟨Σ, A1, ..., Am⟩
Global transition T: a mapping such that
• ∀ 1 ≤ p ≤ m, T(p) ∈ Ep ∪ {⊥}
• ⊥ means no transition
• ν →T ν' iff ∀ 1 ≤ p ≤ m such that T(p) ≠ ⊥:
  – ν ⊨ τp(T(p))
  – (ν(mode_p), ν'(mode_p)) = γp(T(p))
  – ν'(x) = 0 if x ∈ πp(T(p))
CTA ⟨Σ, A1, ..., Am⟩
Global transition T
Legitimacy of global transitions
• synchronized
  ∀T ∀s ∈ Σ: Σ_{1≤p≤m, T(p)≠⊥} λp(T(p), s) = 0
• minimal
  – Cannot be broken down into more than one nontrivial global transition.
System model
Communicating timed automaton (CTA)
Legitimate global transitions
start: (1,15), (1,18), (2,15), (2,18), (8,15), (8,18), (9,15), (9,18)
collision: (4,11,18)

[Figure: the Sender 1 / Sender 2 / Bus CTA of the previous figure, with the numbered process transitions referenced by the tuples above]
Legitimate global transitions with n senders
When n = 3, collision: (4,11,19,25) (4,11,20,25) (4,11,21,25)
                       (4,12,18,25) (4,13,18,25) (4,14,18,25)
                       (5,11,18,25) (6,11,18,25) (7,11,18,25)

[Figure: Sender i, with its process transitions numbered 7i-6 to 7i (!start with x1 = 0 and invariant x1 <= 5, !end, and ?collision from idle, send and retry), and the Bus, with transitions 7n+1 to 7n+4 (?start, ?end, !collision) over the modes idle, busy and collision]
Pre/post condition calculation in the traditional style

ψ := false;
for each global transition T {                         /* an enumeration of global transitions */
  φ := η;
  for each 1 ≤ p ≤ m with T(p) ≠ ⊥ and γp(T(p)) = (q, q') {
    φ := φ ∧ (∧_{x ∈ πp(T(p))} x = 0) ∧ mode_p = q';
    φ := FM_elim(φ, πp(T(p)) ∪ {mode_p});
  }
  Add in the triggering conditions of the participating transitions in T to φ.
  ψ := ψ ∨ φ;
}
Return ψ;
Legitimate global transitions with n senders in the traditional style

[Figure: the Sender i / Bus model again, with the traditional-style enumeration picking one numbered transition per sender (7i-2, 7i-1, 7i, ..., 7j-2, 7j-1, 7j, ..., 7k-2, 7k-1, 7k); the slide's annotation reads, in part, "We cannot even enumerate the ... global transitions!"]
Efficient representation for global transitions
⟨{start, end, collision}, Sender1, Sender2, Sender3, Bus⟩

[Figure: GM as a BDD-like decision diagram over the variables T1, T2, T3, T4 (the transition chosen by Sender1, Sender2, Sender3 and the Bus): T1 branches on ⊥, [1,2], 3, 4, [5,7]; T2 on ⊥, [8,9], 10, 11, [12,14]; T3 on ⊥, [15,16], 17, 18, [19,21]; T4 on 24, 25; the terminal node is True]
Symbolic procedure for GM
global-transitions(CTA M) {
  F := ∅; φ := false;
  for each 1 ≤ p ≤ m, e ∈ Ep {
    H := ∅;
    for each s ∈ Σ {
      H := H[s ← λp(e, s)];
    }
    φ := φ ∨ (Tp = e ∧ rec-global-transitions(H, {p}));
  }
  return φ;
}
Symbolic procedure for GM
rec-global-transitions(H, K) {                 /* F is the table initialised in global-transitions */
  if ∃φ ((H, K, φ) ∈ F) return φ; ..............................(b)
  else if ∀s ∈ Σ (H(s) = 0) {
    φ := ∧_{p∉K} (Tp = ⊥);
    F := F ∪ {(H, K, φ)};
    return φ; ..................................................(c)
  }
  φ := false; get one s ∈ Σ such that H(s) ≠ 0;
  for each 1 ≤ p ≤ m such that p ∉ K {
    for each e ∈ Ep such that H(s) · λp(e, s) < 0 {
      H' := H; for each s' ∈ Σ, H' := H'[s' ← H'(s') + λp(e, s')]; ..(d)
      φ := φ ∨ (Tp = e ∧ rec-global-transitions(H', K ∪ {p}));
    }
  }
  F := F ∪ {(H, K, φ)}; return φ; ................................(e)
}
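The recursion above, together with the legitimacy conditions of the earlier slide and the traditional enumeration it replaces, as an added Python example that is not part of the talk or of RED: it builds an explicit set of process-transition assignments where the procedure builds a BDD-like formula, and checks on a small constructed CTA that the recursion yields exactly the synchronized and minimal global transitions found by brute force. The processes S1, S2, Bus and Log and their λ values are assumptions for this example, not the slide's numbered model.

```python
from itertools import combinations, product

# Constructed CTA (not the slide's numbered Sender/Bus model): three channels, four PTAs.
CHANNELS = ("start", "end", "collision")
PROCS = {  # lambda_p(e, s): +1 per output event !s, -1 per input event ?s, absent = 0
    "S1": {"s1_start": {"start": 1}, "s1_end": {"end": 1}, "s1_coll": {"collision": -1}},
    "S2": {"s2_start": {"start": 1}, "s2_end": {"end": 1}, "s2_coll": {"collision": -1}},
    # bus_coll emits two collision events in one transition, so it needs both senders
    "Bus": {"bus_start": {"start": -1}, "bus_end": {"end": -1}, "bus_coll": {"collision": 2}},
    "Log": {"log_end": {"end": -1}},  # a second ?end partner: makes non-minimal combos exist
}

def lam(p, e, s):
    return PROCS[p][e].get(s, 0)

def synchronized(T):  # slide 11: on every channel, #inputs == #outputs over T's participants
    return all(sum(lam(p, e, s) for p, e in T) == 0 for s in CHANNELS)

def minimal(T):  # slide 11: no proper non-empty part of T is synchronized on its own
    return not any(synchronized(U) for r in range(1, len(T)) for U in combinations(T, r))

def legitimate_by_enumeration():  # traditional style: try every T(p) in Ep ∪ {⊥}, then filter
    cols = [[(p, e) for e in PROCS[p]] + [None] for p in PROCS]
    cands = (frozenset(x for x in pick if x) for pick in product(*cols))
    return {T for T in cands if T and synchronized(T) and minimal(T)}

def rec_global_transitions(H, K, F):  # H: channel imbalance, K: assigned processes, F: memo
    if (H, K) in F:                                    # (b) result already computed
        return F[(H, K)]
    if not any(H):                                     # (c) balanced: all p ∉ K take ⊥
        F[(H, K)] = {frozenset()}
        return F[(H, K)]
    s = next(i for i, h in enumerate(H) if h)          # one channel that is still unbalanced
    out = set()
    for p in PROCS.keys() - K:
        for e in PROCS[p]:
            if H[s] * lam(p, e, CHANNELS[s]) < 0:      # e moves channel s toward balance
                H2 = tuple(h + lam(p, e, c) for h, c in zip(H, CHANNELS))   # (d)
                out |= {rest | {(p, e)} for rest in rec_global_transitions(H2, K | {p}, F)}
    F[(H, K)] = out                                    # (e)
    return out

def global_transitions():  # slide 17: seed the recursion with each single process transition
    F, out = {}, set()
    for p in PROCS:
        for e in PROCS[p]:
            H = tuple(lam(p, e, c) for c in CHANNELS)
            out |= {rest | {(p, e)} for rest in rec_global_transitions(H, frozenset({p}), F)}
    return out
```

The four-process combination {s1_start, bus_start, s2_end, log_end} is synchronized but not minimal, and the recursion never produces it because each step only adds a transition that reduces the imbalance on the chosen channel.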
Xplans_bck(η)
Let η := η ∧ GM;
for p := 1 to m {
  ψ := η ∧ Tp = ⊥;
  for each e ∈ Ep with γp(e) = (q, q') {
    φ := η ∧ Tp = e ∧ (∧_{x ∈ πp(e)} x = 0) ∧ mode_p = q';
    ψ := ψ ∨ FM_elim(φ, πp(e) ∪ {mode_p});
  }
  η := ψ;
}
Add in all the triggering conditions of the participating process transitions to η.
return FM_elim(η, {T1, ..., Tm});
Implementation
RED 5.5, model-checker/simulator for dense-time systems
• BDD-like data-structures (CRD) for timed systems (VMCAI'2003 & STTT 4(1), July 2004)
• Symbolic coverage estimation (FORTE'2003)
• Speedup techniques (CIAA'2003, CAV'2004, ICFEM'2005)
• BDD-like data-structures (HR) for linear hybrid systems (CAV 2004 & IEEE TSE, Jan. 2005)
• Library for C/C++ (announced in an ICFEM 2005 tutorial)
• http://cc.ee.ntu.edu.tw/~val/
Fischer's mutual exclusion

CSMA/CD

An observation in the experiments
• Simple synchronizations
  – 2 or 3 processes involved
  – Perform well with the traditional style
• Complex synchronizations
  – Perform well with the new style
• Strategy: a threshold parameter β on the synchronization
  – synchronization < β → traditional style
  – synchronization ≥ β → new style
Performance Data

Summary
• Complex synchronization
  – constructed from binary CSP-style synchronization
  – modular descriptions
  – appropriate abstraction
  – control of verification complexity
• Symbolic procedures
  – for symbolic representation of complex synchronizations
  – precondition/postcondition procedure taking advantage of the complex synchronizations

				