Soundness of the Quasi-Synchronous Abstraction
Guillaume Baudart Timothy Bourke Marc Pouzet
École normale supérieure, INRIA Paris, UPMC
FMCAD’16 Mountain View, 06-10-2016

Distributed Embedded Systems
Distributed controllers for critical embedded systems.
Example: Flight Control System (from [Miller et al. 2015])
Generate pitch and roll guidance commands.
Two redundant Flight Guidance Systems (FGS); only one active side (pilot side).
The crew can switch from one to the other.
The two modules must share their state to avoid a control glitch.
Figure labels: Sensors (sensor1, sensor2), two FGS modules (cmd1, cmd2), Transfer Switch (switch, cmd), Actuators.
Run embedded applications... on distributed architectures.

Quasi-periodic architecture (figure: processes A, B, C, D with their clock activations; message inversion or loss).
For each process, activations are triggered by a local clock.
Execution: an infinite sequence of activations (κi)i∈N, with 0 ≤ Tmin ≤ κi − κi−1 ≤ Tmax the time between two activations.
Transmission delay: 0 ≤ τmin ≤ τ ≤ τmax.

Quasi-Synchronous Abstraction
Industrial practices observed at Airbus [Caspi 2000].
Verification: verifying safety-critical applications running on quasi-periodic architectures (ACSD'06, Verimag'08, DASC'14, Memocode'14, Memocode'15, Air Force'15).
Contributions: the abstraction is not sound in general; we give exact conditions of application.

Real-time Model (RT) and Discrete-time Model (DT)
RT: processes A and B with periods TA, TB and transmission delays τA, τB, where
0 < Tmin ≤ TA, TB ≤ Tmax
0 < τmin ≤ τA, τB ≤ τmax
DT: a scheduler drives A and B through the clocks cA and cB.
Soundness: DT ⊨ ϕ ⟹ RT ⊨ ϕ
Why discretize? Verification in a simpler discrete-time model; use discrete-time model-checking tools (Lesar, Verimag [Halbwachs et al. 1992]; Kind2, UIowa [Hagen, Tinelli 2008]).

Abstracting execution time
The execution time τexec and the sending time τsend are folded into a single transmission delay: τ = τexec + τsend.

Abstracting communication
Problems: (figure)
Can we do better using real-time assumptions?

“It is not the case that a component process executes more than twice between two successive executions of another process.”
Focus on 'almost' synchronous architectures with fast transmissions.
Reduce the state-space in two ways:
Replace transmission with precedence (one step of the logical clock).
A process is at most twice as fast as another.
Replace transmission with precedence
τmax τmax τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable. Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
τmax τmax τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable. Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
τmax τmax τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable. Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
τmax τmax τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable. Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
τmax τmax τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable. Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
τmax τmax τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable. Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
τmax τmax τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable. Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
τmax τmax τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable. Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
τmax τmax τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable. Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
τmax τmax τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable. Always possible if transmissions are not instantaneous
9
Some traces are not captured by the discrete abstraction Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays

Gather all constraints on the unitary discretization f in a weighted graph:
x --1--> y  ⟹  f(x) < f(y)   (after reception)
x --0--> y  ⟹  f(x) ≤ f(y)   (before reception)
Lemma: A trace is unitary discretizable if and only if there is no cycle of positive weight in the associated trace graph.
Definition: A real-time model is unitary discretizable if all possible traces are unitary discretizable.
Figure labels: τmax, τmax, τmax, 1.
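Added example, not from the slides or the authors' tools: a Python checker that builds the trace graph of a timed trace and decides unitary discretizability by looking for a positive-weight cycle (the lemma's criterion), returning the unit-delay discretization f when one exists. It assumes my reading of the edge rules: successive activations of one process are strictly ordered (weight 1), the first activation after a message's arrival gets a weight-1 edge from the sender (after reception), and activations that ran before arrival get a weight-0 edge back to the sender (before reception); both traces are constructed.

```python
from collections import namedtuple

# Constructed inputs (not from the paper): an activation is one execution of a
# process at a real time; a message names its sending activation, the
# destination process and the transmission delay it experienced.
Activation = namedtuple("Activation", "name proc time")
Message = namedtuple("Message", "src dst delay")

def trace_graph(activations, messages):
    """Edges (x, y, w) encode f(y) >= f(x) + w: weight 1 is f(x) < f(y),
    weight 0 is f(x) <= f(y), as on the slide."""
    by_name = {a.name: a for a in activations}
    per_proc = {}
    for a in sorted(activations, key=lambda a: a.time):
        per_proc.setdefault(a.proc, []).append(a)
    edges = []
    # Assumption: each activation takes one logical step, so successive
    # activations of one process are strictly ordered.
    for acts in per_proc.values():
        edges += [(x.name, y.name, 1) for x, y in zip(acts, acts[1:])]
    for m in messages:
        sender = by_name[m.src]
        arrival = sender.time + m.delay
        for r in per_proc.get(m.dst, []):
            if r.time < arrival:
                # Before reception: r must not see a message that a unit
                # delay makes visible from step f(sender) + 1 on.
                edges.append((r.name, sender.name, 0))
            else:
                # After reception: the first activation holding the message
                # sits strictly after the sending step.
                edges.append((sender.name, r.name, 1))
                break
    return [a.name for a in activations], edges

def unitary_discretization(activations, messages):
    """Unit-delay discretization {activation: step}, or None when the trace
    graph has a positive-weight cycle. Longest-path Bellman-Ford from a
    virtual source at step 0: still relaxing after |V| passes means a cycle."""
    nodes, edges = trace_graph(activations, messages)
    f = {n: 0 for n in nodes}
    for _ in range(len(nodes)):
        changed = False
        for x, y, w in edges:
            if f[x] + w > f[y]:
                f[y], changed = f[x] + w, True
        if not changed:
            return f
    return None

# Two processes, A sends to B at every activation with delay 0.3: discretizable.
TWO_PROC = ([Activation("a0", "A", 0.0), Activation("a1", "A", 1.0),
             Activation("a2", "A", 2.0), Activation("b0", "B", 0.5),
             Activation("b1", "B", 1.5)],
            [Message(s, "B", 0.3) for s in ("a0", "a1", "a2")])

# Three processes on the u-cycle A->B, A->C, C->B: a0 reaches C fast, C relays
# to B, a0's direct message to B is slow. b0 is after c0 (so after a0) yet not
# after a0: cycle a0 -1-> c0 -1-> b0 -0-> a0 has weight 2, so no f exists.
THREE_PROC = ([Activation("a0", "A", 0.0), Activation("c0", "C", 0.2),
               Activation("b0", "B", 0.5)],
              [Message("a0", "C", 0.1), Message("c0", "B", 0.1),
               Message("a0", "B", 1.0)])
```

Both traces respect the same bounds (τmin = 0.1, τmax = 1.0), which is the point of the theorem: the third process is what makes a positive cycle possible.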

Forbidden topologies in the static communication graph: u-cycle, balanced u-cycle, cycle (figure: A B D C; A B C; A B D C).
These can be allowed at the cost of additional timing constraints.
Theorem: A quasi-periodic architecture is unitary discretizable if and only if, in the communication graph:
u-cycle: τmax = 0
balanced u-cycle: τmin = τmax
cycle: Tmin ≥ Lc·τmax, where Lc is the size of the longest elementary cycle

Proof: If there is a u-cycle, construction of a counter-example.
Figure: processes A, B, C, D, E; communications q = 3 and p = 2.
q > p ⟹ ε = (qτmax − pτmin)/q > 0
Figure labels on the constructed trace: τmin, τmax, ε, 1.
We built a cycle of positive weight!

Proof: On the other hand, by contraposition (PC / u-cycle, cycle, balanced):
Condition 1. τmax = 0
Condition 2. τmin < τmax
Condition 3. Tmin ≥ Lc·τmax

Communications of the application (figures: A B C D; A B C D E F; A B C D E):
daisy chain: Tmin ≥ 2τmax
star: Tmin ≥ 2τmax
unidirectional ring: Tmin ≥ 5τmax
bidirectional ring: τmax = 0
fully connected: τmax = 0
The last two require instantaneous communications.

“It is not the case that a component process executes more than twice between two successive executions of another process.”
For any node: Condition 1, Condition 2 (figure).
Theorem: A real-time model is quasi-synchronous if and only if 2Tmin + τmin ≥ Tmax + τmax.
Worst-case scenario (figure labels: Tmax, τmax, τmin, Tmin, Tmin).

The quasi-synchronous abstraction: (figure)
Contributions: constrain both the communication graph and the real-time characteristics of the architecture to recover soundness of the quasi-synchronous abstraction.