Parametric Real-Time System Feasibility Analysis Using Parametric Timed Automata

(1)

PhD Dissertation Yusi Ramadian Advisor : Luigi Palopoli

Co‐advisor : Alessandro Cimatti

Parametric

Real

‐

Time

System

Feasibility

Analysis

Using

Parametric

Timed

Automata

(2)

Real

‐

Time

System

Applications

•

A

computer

based

system,

which

produces

results

to

inputs

complying

with

some

temporal

constraints

(3)

Main

Research

Idea

3

Real Time System Design Process

Correct and Robust

Real Time System

Feasibility Analysis on

Parametric Real Time

System

Parameters

Parameter1 Parameter2

(4)

•

Parametric

Timed

Automata

(PTA)

definition

and

representation

of

Real

Time

System

•

Parametric

Verification

of

Temporal

Properties

(PVTP)

method

•

Implementation

in

tool

Quinq

•

Application

in

case

problems

:

– periodic task system [RTSS08],

– heterogeneous system [ETFA10],

– collaboration with Modular Performance Analysis Toolbox

(MPA) [CASES11].

Contribution

of

PhD

research

(5)

•

Motivation

– Real time system design

– Example scenario

– Problem Statement

•

Solution

– Parametric Timed Automata

– Parametric Verification of Temporal Property Method

•

Implementation

in

Quinq

– Architecture

– Demo

•

State

of

the

art

•

Conclusion

Presentation

Outline

(6)

•

Safety

consideration

•

Manufacturing

consideration

•

Variability

in

environment

and

run

‐

time

Æ

Need

for

formalization

of

design

process

The

Importance

of

CORRECT

&

ROBUST

Real

Time

System

(7)

Design

Process

•

Design

&

Modelling

– Activation pattern

– Timing properties

– Scheduling Algorithm

•

Robustness

&

Parameter

Tuning

– Assign values

– Evaluate system

robustness w.r.t to

parameters

Page 7

Functional Specification Architecture Design Functional Design

Mapping on RTS

RTS Model Design Parameter Environment Exogenous Parameter Parametric Feasibility Analysis

Correct and Robust RTS

Schedulability Region

(8)

•

Motivation

•

Solution

•

Implementation

in

Quinq

– Architecture

– Demo

•

State

of

the

art

•

Conclusion

Presentation

Outline

(9)

Sensitivity

Analysis

:

Example

Scenario

Page 9

11

9

11

2

?

0

5

10

15

20

25

30

Task

1

Task

2

Parameters Task 1 Task 2

Period 20 30

Deadline 20 30

Computation Time 11 12

(10)

•

Classical

scheduling

theory

Æ

system

failure

Task

system

is

not

schedulable

•

Solution

‐ Stronger machine (Hardware solution)

‐ Tweaking offset..

Sensitivity

Analysis

:

Example

Scenario

Discussion

#1

(11)

Sensitivity

Analysis

:

Region

of

Schedulability on

Offsets

Page 11 1 3 5 7 9 11 13 15 17

0 3 5 7 9 11 13 15 17 19

Parameters Task 1 Task 2

Period 20 30

Deadline 20 30

Computation

Time

11 12

Offset 0 0

Parameters Task 1 Task 2

Period 20 30

Deadline 20 30

Computation

Time

11 12

Offset ? ?

O2

(12)

Sensitivity

Analysis:

Corrected

Scenario

Page 12 Page 12

11

5

11

7

0

5

10

15

20

25

30

Task

1

Task

2

9

Parameters Task 1 Task 2

Period 20 30

Deadline 20 30

Offset 0 0

Period 20 30

Deadline 20 30

(13)

Period 20 30

Deadline 20 30

Computation Time

11 12

Offset 5 0

Period 20 30

Deadline 20 30

Computation Time

? ?

Offset 5 ?

Sensitivity

Analysis:

Example

Scenario

Discussion

#2:

Robustness

Page 13 1 3 5 7 9 11 13 15 17 19

0 3 5 7 9 11 13 15 17 19

C2

C1

21 23 25 27 29

System robustness = ?

O2 – O1 = 10 O2 – O1 = 8

(14)

Requirement conclusion #1:

We want to find out :

the schedulability regions in the space of parameters

Æ

most robust design for our real-time systems

Sensitivity

Analysis

(15)

•

System

model

not

in

classical

RTS

•

Examples:

– System with buffers

– Complex activation

pattern

– Heterogeneous,

distributed system

– Flexible deadline

(e.g. Firm Deadline)

Sensitivity

Analysis:

Example

Scenario

Discussion

#3:

(16)

•

Requirement

conclusion

#2

Sensitivity

analysis

for

general

real

‐

time

system

Sensitivity

Analysis

(17)

•

Motivation

•

Solution

•

Implementation

in

Quinq

– Architecture

– Demo

•

State

of

the

art

•

Conclusion

Presentation

Outline

(18)

•

Problem

1

:

Sensitivity

Analysis:

Formal

problem

definition

Page 18

Task 1 System S

Task 2 … Task n

P :{P1, P2, … Pn}

P2 P1

R

Scheduling

(19)

•

Problem

2

:

Sensitivity

Analysis:

Formal

problem

definition

Page 19

Task 1 System S

Task 2 … Task n

P :{P1, P2, … Pn}

P2 P1

R

(20)

•

Motivation

•

Solution

•

Implementation

in

Quinq

– Architecture

– Demo

•

State

of

the

art

•

Conclusion

Presentation

Outline

(21)

•

Timed

automata

with

parameters

extension

•

Main

differences:

– Parameters

– Auxiliary variables

– General update statement

Parametric

Timed

Automata

(22)

•

Allow

complex

activation

pattern

Real

Time

System

in

PTA:

Activation

Pattern

Page 22

Activation

depending on

other tasks

Activation

depending on

environment

Wait

for

offset

Wait

for Q2

Wait

for

event Wait

for Q1

Clock≤O1

Release τ1 Clock=O1 Clock:= 0

Release τ2 Clock=Q2 Clock:= 0

Release τ3

Event_e = True Clock:= 0

Release τ1 Clock=Q1

Clock:= Clock – Q2

Clock≤Q2 Clock≤Q1

Activation

depending

on time Avoiding

restrictive 0

offset General

(23)

Real

Time

System

in

PTA:

Feasibility

Checker

Page 23

Idle Check

Busy

Error Release τ1

Clock_x:=0 r:= C1

Release τ1 Clock_x:=0 r:= C1

Clock_x=r

Clock_x=D1 ∧

Clock_x≤ r

Clock_x=r

Release τ1 Clock_x:=0

r:= r + C1–Clock_x Release τ1

Release τ1 r:= r + C1 Parameter

Auxiliary

(24)

•

PTA

:

•

Feasibility

region

R:

Sensitivity

Analysis

via

PTA

Page 24

(25)

•

Current

state

variables

V:

Discrete

vars D:

Location,

transitions

as

boolean

Continuous

vars X:

Clocks

and

other

variables

as

real

•

Symbolic

model

of

PTA

:

set

of

constraints

on

boolean and

real

variables

•

Examples:

Loc

_i

Æ

x

‐

y

≤

O1

Trans

_i

Æ

(x

≥

C1)

∧

(x’

=

C1+x)

∧

(y’

=

y)

Symbolic

representation

of

PTA

(26)

•

Look

only

for

counterexample

made

of

k‐

states

•

BMC(

k

):

•

I(V

0

)

∧

R(V

0

,V

1

)

∧

…

∧

R(V

k‐1

,V

k

)

∧

Error(V

k

)

•

Completeness

of

the

solution

is

not

guaranteed

•

Complementing

method

:

inductive

reasoning

Bounded

Model

Checking

(BMC)

Page 26

S0 S1 … Sk

…

(27)

•

Motivation

•

Solution

•

Implementation

in

Quinq

– Architecture

– Demo

•

State

of

the

art

•

Conclusion

Presentation

Outline

(28)

•

Verification

on

reachability problem

using

BMC:

An error trace for every found counterexample

•

Alternatively,

error

trace

can

be

searched

via

non

‐

parametric

model

checker

•

An

error

trace

π

:

PTVP

algorithm

intuition:

Search

for

an

error

trace

Page 28

(29)

•

Along

with

the

trace,

an

assignment

for

the

parameters

that

validate

the

trace

is

produced

PTVP

algorithm

intuition:

An

error

trace

π

P2

?

P1

Γ

Page 29

(30)

•

By

processing

the

trace,

the

surrounding

region

of

parameters

that

make

the

trace

true

is

identified

•

…And

we

rule

this

region

out

from

the

PTVP

algorithm

intuition:

Sensitivity

analysis

to

an

error

trace

Page 30

P2

?

P1

Γ

(31)

•

Feasibility

region

:

found

by

iteratively

bounding

the

parameter

space

from

the

unschedulability regions

PTVP

algorithm

intuition:

Schedulability region

31

P2

P1

Γ

L1 L2

…

Error

Final

(32)

Parametric

Verification

of

Temporal

Properties

(PVTP)

Algorithm

Page 32

Error Trace Search

Sensitivity Analysis

Region Exclusion

(33)

•

Given

Polyhedron

in

the

space

of

clocks

and

parameters

Poly{P,

X}

•

Obtain

Poly{P}

<

‐

>

∃

X,

Poly

{P,

X}

Æ

Existential

Quantifier

Elimination

Sensitivity

Analysis

(34)

•

Motivation

•

Solution

•

Implementation

in

Quinq

– Architecture

– Demo

•

State

of

the

art

•

Conclusion

Presentation

Outline

(35)

•

Based

on

NuSMV3

symbolic

model

checker

with

underlying

MathSAT SMT

solver

•

Main

functionalities

:

– Input handling

– PVTP algorithm implementation

– Completion check

– Output handling

•

Components

– Sensitivity add‐on

– High level periodic system analysis

– Search optimization

– Model checker drivers

– Graph generator

•

Blackbox components

:

UPPAAL,

JUNT,

existelim

Implementation

in

Quinq

(36)

Architecture

Page 36

Input Handling

PVTP

Implementation

Output handling

NuSMV3 UPPAAL

RTS Model

(37)

Input

Handling

37

Input

Handling

NuSMV Model

Periodic System Input UPPAAL Model

Automatic Periodic

Analysis JUNT

(38)

Input

via

UPPAAL

Model

Page 38

UPPAAL Model

NuSMV Model (Parametric) JUNT

Parametric

Model

Generator Parameters

NuSMV Model (Non‐Parametric)

•

Point

of

Considerations:

– Integer vs Real domain

– Array data structure

– Clocks

(39)

Architecture

Page 39

Input Handling

PVTP

Implementation

Output handling

NuSMV3 UPPAAL

RTS Model

(40)

Parametric

Verification

of

Temporal

Property

Implementation

40

Error Trace

Search

Sensitivity

Analysis PVTP

Implementation

NuSMV Model

Feasibility

(41)

PTVP

Algorithm

Implementation

Page 41

Error Trace Search

Error Trace NuSMV Model

Non–parametric

search Parametric

search

(42)

Non

‐

Parametric

Search

Page 42

Search Point

Generator

Trace Replication Trace Translation

Error Trace

UPPAAL Model+Parameters

Non–parametric search UPPAAL

(43)

Sensitivity

Analysis

:

Implementation

Page 43

Trace

Extraction

After Processing Constraint Processing

Parametric Constraints Model + Error Trace

Sensitivity Analysis

Polyhedral region in

clocks and variables

space

Polyhedral region in

(44)

Constraint

Processing

Page 44

Reorder

expression Constraint Processing

Case Handling

Equality Constraint

Propagation Existelim

(45)

•

Motivation

•

Solution

•

Implementation

in

Quinq

– Architecture

– Demo

•

State

of

the

art

•

Conclusion

Presentation

Outline

(46)

•

Previously

Illustrated

example:

2

periodic

tasks

system

with

3

parameters

•

S

=

{task1,

task2}

•

Periodic

tasks

:

T1=D1=20,

T2=D2=30

•

Offset

:

O1

=

0

•

Parameters

:

– Computation time: C1 , C2

– Offset : O2

DEMO

(47)

•

Offset2

=

1

Demo:result

•

Offset2

=

5

•

Offset2

=

8

(48)

•

Motivation

•

Solution

•

Implementation

in

Quinq

– Architecture

– Demo

•

State

of

the

art

•

Conclusion

Presentation

Outline

(49)

Tool Flexible

RTS

Expression System

known

apriori

Inference Point

Number of

Parameters

Feasibility Region

Bini _‐ _‐ _‐ _‐ _No_limit 9

MAST _‐ _‐ _‐ 9 _‐ _‐

SMART 9 _* 9 _‐ _{No limit*} 9

IMITATOR 9 _* _‐ 9 ₂ 9

QUINQ 9 9 _‐ _‐ _{No limit*} 9

Sensitivity

Analysis

Tools

(50)

•

Motivation

•

Solution

•

Implementation

in

Quinq

– Architecture

– Demo

•

State

of

the

art

•

Conclusion

Presentation

Outline

(51)

•

PTA

representation

Æ

flexible

activation

pattern

,

general

RTS

presentation

•

PVTP

algorithm

Æ

General

method

to

obtain

feasibility

region

•

Implemented

in

Quinq with

applications

on

some

example

cases

•

Edge

on

comparison

with

other

tools:

– Flexible RTS representation

– No reference point input needed

– Whole region of schedulability result

Conclusion

(52)

•

Does

there

exist

k

such

that

the

following

formula

is

unsatisfiable

•

if

unsatisfiable

and

BMC(

k

)

unsatisfiable

then

error

state

unreachable

K

‐

Induction

52

Error

S0 S1 … Sk‐1

Error Error Error

Sk