Integrating Formal Model Checking with the RTEdgeTM AADL ...

Integrating Formal Model Checking withthe RTEdgeTM AADL MicrokernelSerban GheorgheEdgewater Computer Systems Incserban.gheorghe@edgewater.ca1

What is RTEdge TMRTEdge TM is a software development environment For Proof Based, Model Driven Development (MDD) of Modal Software Systems Built on a language subset of the AADL and UML2• conceptually similar to the ADA Spark / Ravenscar subsetsMain goal: assist in the construction of theoretically correct real-timeapplications• Hard real-time software systems• Mission critical software systems• Real-time systems distributed over communication networksRTEdge TM approach: convergence of three software engineeringtechnologiesSubset ofAADLsw componentmodelSubset ofAADLexecutionsemantics1. Model Driven Development (MDD)2. Component based specification and design3. Proof based engineering :1. Timing constraints checked by mathematical proofUML2 concepts:Component Interfaces:Ports typed by Protocol contractsComponent Behavior:State Machine Subset2. Functional correctness checked through static analysis and formal modelchecking2

RTEdge TM as a subset of AADL sw component modelComponentTypeSystemAADL component_category ::=abstract_component_categoryComponentImplementationProcessThread GroupThreadData| composite_category| execution_platform_category| software_categoryRTEdge DeploymentObjectsRTEdge Components:Composite Capsule (CC)Atomic Capsule (AC)SpecificationTypesImplementationTypesMemoryProcessorBusDeviceVirtual ProcessorVirtual BusComponentTypeComponentImplementationSubprogramSubprogram GroupComponentTypeComponentImplementationRTEdge Atomic Capsulebehaviour:Finite State Machines withembedded ProgrammingLanguage Functions calls(Misra C, other)33

RTEdge TM as a subset of AADL execution semanticsAADL ModelRTEdge Language SubsetCodeGenerationRTEdge Code generated from AADLSupport AADL Thread Dispatch Modes- Periodic,Sporadic, Aperiodic,Timed and HybridSupport AADL inter-thread communication/synchronization semanticsC CodeGenerationRTEdge Runtime Exec SemanticsAsynchronous Message Passing ExecutiveTime constrained Discrete Events onlyAADL Threads Atomic CapsulesThreads with FSM behavior, purely reactiveFeatures subset- Event/Event Data Ports- Required/Provides Data Ports- FSM behavior, a subset of UML SMAADL Thread Groups Composite CapsulesResolved to communicating Atomic CapsulesPeriodic Timer ServiceBounded OverheadsRun-time Executive4

Analyzing,Deploying and Debugging AADL SoftwareOSATE AADL ModelP1CodeGenerationP2AbstractP3_RTEdgeRTEdge Language SubsetP1_CCP2_CCP3_CC• A mixture of threads with Periodicand Aperiodic behavior• Flow Path Feasibility Analysis• Deadline Monotonic PriorityAssignment based on Flow deadlines• WCRT Analysis• Port Buffer Queue size analysis• Use of RTEdge Formal CheckingMechanismsC CodeGenerationRTEdge Runtime Exec SemanticsExecutable E1Executable E2Debug at model levelConsistent Execution SemanticsBounded Overheads ExecutiveHWPlatform 1HWPlatform 25

Trust Layers for execution semanticsAADL ModelP1P2AbstractP3_RTEdgeSynchronousAnnex FormalSemantics (??)AsynchronousAnnex FormalSemantics (??)RTEdge Language SubsetP3_CCP1_CCP2_CCRTEdge TM Application Formal Properties• User defined Safety and Liveness properties• Formal Model Checking Spin/Promela• Evolution to Formal Compositional VerificationRTEdge RuntimeExec Semantics • Formally defined operational semantics• Axiomatic semantics – Theorem proving• Explore use of BLESS6

Crossing the “V”The AADL Spec covers many possible types of execution semantics(95) A method of implementing a system is permitted to choose how executing threads will be scheduled.A method of implementation is required to verify to the required level of assurance that the resultingschedule satisfies the period and deadline properties. (AADL 2 Spec, page 94)Static Model Analysis Tools• huge cost savings benefitsthrough early problem resolutionHOWEVER• must have intimate knowledge of1. Execution State Space2. Target Execution SemanticsModel Transformation toexecutable, target deployablecode creates a semanticdiscontinuitySingle Source of Truth:Deployed Software ComponentsIntegration and Debuggingmust be performed in thecontext of the ModelsThe effectiveness of Real-time and Functional Static Analysis Tools depends onthe enforcement of a well defined Execution State Space and Target ExecutionSemantics7

The RTEdge TM /AADL SolutionRTEdge ToolsProgrammingLanguageSpecificationModelHLD ModelImplementation ModelUser ApplicationHardware Abstraction Layer (HAL)HWPlatform 1Run-Time EXECHWPlatform 2Virtual TimePlatformVirtual Time Simulation Platform• Enable execution of software components onhost desktop computers by emulatingtarget hardware real-time behaviourReal Time AnalysisToolFunctional PropertiesAnalysis ToolCode Generator ToolThe Code Generator andProof Tools for Real-Timeand Functional Propertiesassume a well definedRTEdge/AADL subsetexecution semantics• The AADL subset execution semanticsassumed by the Code Generator and ProofTools is implemented and enforced in a HWindependent Run-Time Exec library• HAL adaptation of Run-Time Exec to multipleplatforms• A host RTOS is assumed on the HW Platform8

Protocol Contracts for Software ComponentsConjugatedRole PortP 1C 1 A 0 C 0BaseRole PortC 1C 0‘protocol’ A 0Output/RequiredEventres_ackres_infoDatares_id_uint16reservation_structInput/ProvidedEventres_requestres_cancelres_queryDatareservation_structres_id_uint16Assumptions SERE Protocol of State Signals on Machines + Data Signal Assertions + Order Data Constraints (IEEE1850) and DataThe UML2 concept of Protocol is used in RTEdge as a specification mechanism:• capturing and refining interaction Assumptions-Guarantee contracts• conformance / consistence when implementing or composing Software Components10

More on RTEdge TM – Application ModelRT Ports Components andProtocols (Capsules)RTEdge TM Application• An Application maps into one RTOS Task- resolves to set of concurrent Atomic Capsule (AC)Finite State Machines (FSM)- built-in FSM event priority scheduling• Closed System Model Definition:- “External Tasks” model environment RTOS TasksI/O behavior and processor demands- Independent Input time arrival specification(Period, Jitter, Jitter bounds)RTEdge Dispatch Event types:• Independent Input arrival• Signal Events received at Port FIFOs• AC Transient State Activity Completion- Static Event priority assignment- Deadline MonotonicApplication Flows Specification:Event Flows with Real-Time Contracts• Arrival spec (Period,Jitter)• DeadlineEvent Flow: a specification of a causal relationship between an ordered pair of RTEdge TM Dispatch EventsKey concepts:• PROCESSOR and COMMS resource scheduling are based on Event Flows• RTEdge automatically calculates:• Application implementation Flow paths and• Worst-Case Response Times for each Event Flow based on Execution costs11

More on RTEdge TM - TransactionsA Transaction is the set of Event Flows originated from an Independent Input• Conditional Flow Paths can happenin AC FSMs• Flows can end on AC FSM StatesTransactions can share ACFSM InstancesCC2DAdjust_ctrlCalibrate_ctrlSensor_InECC1RecalibrateABCalibrate_otherSending a Signal Event through a Portcreates a concurrent Flow Path• A Transaction is complete when all the downstream events caused by the Independent Input have beenconsumed• Indicates no State Machines Deadlock (events not consumed) or Livelock (infinite event loops)12

Formal Model Checking WorkflowsDefine, Translate and Verify Application Annotations expressing UserDefined Formal PropertiesStep-wiseModelRefinementApplicationModel inRTEdgeCounter-exampleInterpretationUser Defined Behavioral AssumptionsRTEdge to PromelaTranslationUser Defined Assertions (Safety)Translation OptionsApplicationModel inPromelaCounter-examplesSpinStatic Analysis ToolsCodeGenerationUser Defined Safety or LivenessProperties expressed as LTLRTEdge Application AnnotationsPromela Assertions and Invalid End StatesLTL FormulaRTEdge TMToolsetApplicationExecutablePromela-SpinTool Framework1313

Solution Issues -Mapping RTEdge TM Applications into PromelaRTEdge TM Application as a Closed SystemExtTask1Sensor_InRecalibrateCC2DEACC1BAdjust_ctrlCalibrate_ctrlExtTask2Calibrate_otherLTLIndependentInputsGeneratorPromelaProcesstranslatedfrom ExternalTasksDispatchProcessenforcesRTEdge TMEventsdispatchusingrendez-vouschannelsPromelaInputGeneratorProcessEach AC Instance istranslated into aPromela ProcessEEach two-way Port Connectionis mapped into two receiveFIFO channelsInput Generation TranslationDRTExec Dispatch Promela ProcessABPromelaNever ClaimProcess14

Solution Issues -Annotating the RTEdge TM Application ModelRTEdgeApplication+PropertySpecifications Checking properties are specified as Annotations to a deployable RTEdgeApplication: Seven types of Annotations have been defined:ANNOTATION TYPE INTENDED USE - GCV (GCC) Global Checking Vars/Const - AC Instance Behaviour Annotation - Checking Assertions:• Inline Checking Assertion• AC Instance Checking Assertion• Application Scope Checking Assertion Input Data Range Constraints User Defined LTL Formula Transient State Behavioural Annotation Execution Condition AnnotationDefine Verification Meta-Variables andtheir behavior through assignmentsDefine Assertions on Meta-Variablesand App State Variables Expressionswith Different Evaluation ScopeControl Size of the Input State SpaceDefine Temporal Logic App PropertiesAbstract out State Machine ActivityC Code15

Defining meta-behavior Annotations(Application Checking View)Global Checking Variables/Constants (GCV or GCC)ApplicationInputsUser-defined or Tool-generated meta-variablesdeclared outside the RTEdge Application statespace and accessible in any AnnotationAny basic data type supported by Promela/SpinTool-generated GCVs are created for use by thetool-generated LTL formula;documented behaviorthey can also be used in other user-defined AnnotationsAtomicCapsule(AC)InstancesAC Instance Behavior AnnotationsUsed to define GCV behavior through conditionalassignmentsCheck_GCV = (attr.y > 1) -> (attr.x + Increment_GCC) : (Fail_GCV)Attached to an AC Instance state machine TransitionExecuted inline wherever the Annotation is placedCounter-examples16

Defining AssertionsApplication Checking ViewApplicationInputsCapsuleInstancesChecking AssertionRelational Expressions of GCVs, GCCs and in scopeAtomic Capsule AttributesUsed to verify safety conditions to which anApplication must complyA finding is raised if condition returns falseApplication Scope Checking Assertionsattached to an Application and evaluated on everychange of the global RTEdge Application state space(every AC instance state machine Transition)AC Instance Checking Assertionsattached to capsule instances and evaluated on everyTransition within its state machineIn-line Checking Assertionsattached to state machine Transitions and evaluatedwhen the Transition is takenCounter-examplesExamples:Check_GCV >= 10(myDap.x < Status_GCC) && (Check_GCV < attr.y)17

Defining Input Data Range Constraints(Application Checking View)ApplicationInputsInput Data Range ConstraintsCapsuleInstancesAffect the Application state spaceRestrict the range of values for SystemInputs Mechanism for reducing the size of theApplication input space Attached to Application Inputs in theApplication Checking View Can reference Global CheckingConstantsCounter-examplesExample:(sd_struct.b[0]: 5,8,12..15;);18

Defining Transient State Behavior Annotation(Application Checking View)ApplicationInputsTransient State Behavior Annotations andExecution ConditionsCapsuleInstancesUsed as an abstraction mechanism for ACActivities attached to Transient States they do modify the Application state space (ACAttributes)Transient State Behavior Annotation: used todefine how the state’s Activity code wouldmodify local dataExecution Condition: attached to Transitionsthat exit Transient States, used to defineconditions under which that Transition is takenCounter-examplesDefault Promela Translation OptionUse Transient State C Activity Codec_track, c-code, c_expr fetaures of Spin for embeddingimplementation code in the Verifier executableEdgewater Computer Systems – Confidential Commercial Information 19

Solution Issues -RTEdge TM -Promela Verification OptionsChecking Context Translation Options SelectionsOption Value LTL RunDefault in redSafety RunsInclude Priorities On X XOffXSafety X XVerification TypeIndependent InputSignal GenerationLTL OptionAcceptanceNon-ProgressGuaranteed Arrival In Hyper-Period (WeakFairness & Bounded Jitter)XX X XAll orders in Hyper-Period (Weak Fairnessor X or X or Xand Unbounded Jitter)All orders (no Weak Fairness & UnboundedJitter)Tool Generatedor Xor XXor XNo LTL X XUser DefinedOther conditions:all Activity C-Code IncludedAbstraction Level relative to the concreteRTEdge TM ApplicationYes Yes YesBi-simulation ofRTEdgeDispatchEventsBi-simulationof RTEdgeDispatchEventsOverapproximationFalse Positives NO NO NOFalse Negatives (Counter-Examples) NO NO Possible21

Solution Issues -Interpreting the counter-exampleOpen InterpretedCounter-ExampleHover to displayfully qualified ACInstance nameCtrl-Click to navigate tothe AC Instance FSM Support is provided to relate a line from the counter-example file to theRTEdge TM Application model Atomic Capsules in the concrete Application are mapped into Promelaprocesses with shortened names Meta-data is generated in the Promela files to help map short form PromelaProcess names to fully qualified names for AC instances22

Verifying through Model Checking the RTEdge TMSchedulability Analysis AlgorithmModified Lehoczky, Harbour Klein Algorithm for Fixed Priority Task Set with Precedence Linear precedence sub-tasks of original algorithm supplemented with Conditional execution nodes Parallel (fork) nodes Bounded Cyclesto reflect RTEdge Transaction graphs1. Static Priorities are assigned per event and state based on deadlines (DMS)2. Priorities are statically adjusted based on resource usage (priority ceiling protocol)3. Create task system from model (all RTEdge Transactions originated in Independent Inputs) each task is modeled as a graph of subtasks (AC Activities) with cycles and conditional paths ensure cycles are bounded by user-supplied bounds4. calculate Worst Case Response Time (WCRT) calculate utilization, give up if greater than one for each task• determine worst case phasing, interference, blocking• calculate WCRT for each subtask, compare with deadlinesUsing Formal Link Annotations, we can verify the correctness of the WCRT analysis for a model1) Assume tool calculated WCRT is correct2) Define an execution time accumulator GCV per Transaction and behavior to keep updated233) Prove as a safety property on every execution path that WCRT can’t be exceeded 23Edgewater Computer Systems – Confidential Commercial Information 23

Formal Link Next Stage Additional Annotations Adaptation of IEEE 1850 Property Specification Language (PSL) to RTEdgeProtocols, Capsule Interfaces and Capsule compositions Signal sequences specified as IEEE1850 PSL Sequential Extended RegularExpressions (SERE) of Signals• Regular Expressions of Signals on Protocols• Regular Expressions of Signals on Capsule Interfaces• Regular Expressions of Signals on Ports of Capsule Roles contained in aComposite Capsule type Provide a formal framework for hierarchical Compositional Verification forcomponent based applications Individual Component implementations investigated for conformance to formalCapsule Interface specification Specification of aggregated components can be checked for• consistency and conformance to the container Capsule Interface formal spec24