NSF. Hybrid Systems: From Models to Code. Tom Henzinger. UC Berkeley. French Guyana, June 4, 1996 $800 million embedded software failure

Transcription

1 Hybrid Systems: From Models to Code Tom Henzinger UC Berkeley NSF UC Berkeley: Chess Vanderbilt University: ISIS University of Memphis: MSI Foundations of Hybrid and Embedded Software Systems French Guyana, June 4, 1996 $800 million embedded software failure

2 Mars, December 3, 1999 Crashed due to uninitialized variable ITR Kickoff / Chess 3 $4 billion development effort 40-50% system integration & validation cost

3 Sources of Complexity -concurrency -real time -heterogeneity A hybrid system consists of multiple continuous (physical) and discrete (computational) components that interact with each other in real time. ITR Kickoff / Chess 5 Embedded Software Design: Current State Design Simulate Model (e.g., Simulink) No formal connection between requirements, model, and resources: expensive development cycle iterates all stages Redesign Code generation Optimize Test Code No exact correspondence between model and code: -difficult to upgrade code -difficult to reuse code ITR Kickoff / Chess 6

4 Embedded Software Design: Our Vision Design Verify Model Compilation (analysis, optimization, and code generation) Code ITR Kickoff / Chess 7 The FRESCO Project (Formal Real-Time Software Components) Hybrid System Model MASACCIO: correctness by formal verification against requirements Time-Safe Code GIOTTO: correctness by schedulability analysis against resources ITR Kickoff / Chess 8

5 Continuous (Euclidean) Systems State space: R n Dynamics: initial condition + differential equations x Room temperature: x(0) = x 0 x (t) = -K x(t) x 0 t Analytic complexity. ITR Kickoff / Chess 9 Discrete (Boolean) Systems State space: B m Dynamics: initial condition + transition relation heat Heater: off on off on t Combinatorial complexity. ITR Kickoff / Chess 10

6 The Curse of Concurrency 300,000 latches stars stars 100, states

7 Hybrid Systems m n State space: B R Dynamics: initial condition + transition relation + differential equations x 0 off on Thermostat: t off x = -K x x L x l x u on x = K (H-x) x U ITR Kickoff / Chess 13 Hybrid Automata y x ITR Kickoff / Chess 14

8 Hybrid Automata far x [-50,-40] x 1000 x = 1000 app! near x [-50,-30] x 0 app train x = 100 exit! x : [2000, ) past x [30,50] x 100 x = 0 exit ITR Kickoff / Chess 15 Hybrid Automata up y = 9 y 90 y = 90 open y = 0 raise raise? lower? raise? down y = -9 y 0 y = 0 closed y = 0 lower gate lower? ITR Kickoff / Chess 16

9 Hybrid Automata app exit t := 0 t := 0 t = 1 t α app? lower! idle exit? raise! t = 1 t α controller lower raise ITR Kickoff / Chess 17 Requirements Safety:! ( x 10 loc[gate] = closed ) Liveness:! " ( loc[gate] = open ) Real time:! z :=0. ( z = 1 " ( loc[gate] = open z 60 )) Verification and failure analysis by model checking (e.g., HyTech). ITR Kickoff / Chess 18

10 Two Problems with Hybrid Automata 1. Scalability Possible solutions: -hierarchy (MASACCIO) -assume-guarantee decomposition (interfaces) 2. Robustness Possible solutions: -ε-variability -discounted future ITR Kickoff / Chess 19 MASACCIO Hierarchical Hybrid Automata ITR Kickoff / Chess 20

11 MASACCIO Hierarchical Hybrid Automata ITR Kickoff / Chess 21 MASACCIO Hierarchical Hybrid Automata ITR Kickoff / Chess 22

12 MASACCIO Hierarchical Hybrid Automata ITR Kickoff / Chess 23 MASACCIO ITR Kickoff / Chess 24

13 Two Problems with Hybrid Automata 1. Scalability Possible solutions: -hierarchy (MASACCIO) -assume-guarantee decomposition (interfaces) 2. Robustness Possible solutions: -ε-variability -discounted future ITR Kickoff / Chess 25 The Robustness Problem Hybrid Automaton Property slightly perturbed automaton ITR Kickoff / Chess 26

14 The Robustness Problem Hybrid Automaton x = 3 Safe ITR Kickoff / Chess 27 The Robustness Problem Hybrid Automaton x = 3+ε Unsafe ITR Kickoff / Chess 28

15 A Possible Solution of the Robustness Problem: Metrics on Traces Model Property instead of Yes or No consider ε-variation ITR Kickoff / Chess 29 A More Radical Solution of the Robustness Problem: Discounting the Future value(model,property): States {Yes, No} value(model,property): States R ITR Kickoff / Chess 30

16 A More Radical Solution of the Robustness Problem: Discounting the Future value(model,property): States {Yes, No} value(m,"t) = µx. (T pre(x)) discountedvalue(model,property): States R discountedvalue(m,"t) = µx. max(t, λ pre(x)) discount factor 0<λ<1 ITR Kickoff / Chess 31 A More Radical Solution of the Robustness Problem: Discounting the Future Robustness Theorem: If discountedbisimilarity(m 1,m 2 ) > 1 - ε, then discountedvalue(m 1,p) - discountedvalue(m 2,p) < f(ε). Further Advantages of Discounting: -approximability because of geometric convergence (avoids non-termination of verification algorithms) -applies also to probabilistic systems and to games (enables reasoning under uncertainty and control) ITR Kickoff / Chess 32

17 The FRESCO Project (Formal Real-Time Software Components) Hybrid System Model MASACCIO: correctness by formal verification against requirements Time-Safe Code GIOTTO: correctness by schedulability analysis against resources ITR Kickoff / Chess 33 The History of Computer Science: Lifting the Level of Abstraction High-level languages: Programming to the application Requirements focused code Compilation The assembly age : Programming to the platform Resource focused code -Traditional high-level languages abstract time. -This abstraction is unsuitable for real-time applications, which are still programmed in terms of platform time ( priority tweaking ). -GIOTTO: Real-time programming in terms of application time. ITR Kickoff / Chess 34

18 MASACCIO GIOTTO Time-Triggered Programming ITR Kickoff / Chess 35 MASACCIO GIOTTO Time-Triggered Programming ITR Kickoff / Chess 36

19 MASACCIO GIOTTO Time-Triggered Programming 200 Hz 400 Hz 200 Hz 1 khz ITR Kickoff / Chess 37 MASACCIO GIOTTO Time-Triggered Programming 1. Concurrent Periodic Tasks: -sensing -control law computation -actuating 2. Multiple Modes of Operation: -navigational modes (autopilot, manual, etc.) -maneuver modes (taxi, takeoff, cruise, etc.) -degraded modes (sensor, actuator, CPU failures) ITR Kickoff / Chess 38

20 MASACCIO GIOTTO Time-Triggered Programming Mode 1 Task S 400 Hz Task C 200 Hz Task A 1 khz Condition 1.2 Condition 2.1 Mode 2 Task S 400 Hz Task C 200 Hz Task A 1 khz Task A 1 khz Mode 3 Task S 400 Hz Task C 200 Hz Task A 2 khz Mode 4 Task C 100 Hz Task A 1 khz ITR Kickoff / Chess 39 MASACCIO GIOTTO Separation of Concerns Host code e.g. C Functionality. -No time. -Atomic. -Sequential. Glue code Giotto Timing and interaction. -Real time. -Reactive. -Concurrent. This kind of software is reasonably well understood. The software complexity lies in the glue code. ITR Kickoff / Chess 40

21 Two Opposing Forces Requirements Verification automatic (model checking) Model Environment Implementation automatic (compilation) Resources ITR Kickoff / Chess 41 Two Opposing Forces Requirements Verification Model Environment Implementation property preserving Resources ITR Kickoff / Chess 42

22 Two Opposing Forces Requirements Verification Composition Component Component Implementation Resources ITR Kickoff / Chess 43 Two Opposing Forces Requirements (time, fault tolerance, etc.) Verification no change Component Component Implementation no change Deep Compositionality Resources ITR Kickoff / Chess 44

23 Achieving Verifiability and Compositionality in GIOTTO: The FLET (Fixed Logical Execution Time) Assumption Software Task read sensor input at time t d>0 is the task's "logical execution time" write actuator output at time t+d, for fixed d ITR Kickoff / Chess 45 Embedded Programming in GIOTTO The programmer specifies sample rate d and jitter j to solve the control problem at hand. The compiler ensures that d and j are met on a given platform (hardware resources and performance); otherwise it rejects the program. ITR Kickoff / Chess 46

24 Implementing the FLET Assumption time t possible physical execution on CPU time t+d buffer output ITR Kickoff / Chess 47 Contrast the FLET with Standard Practice output as soon as ready ITR Kickoff / Chess 48

25 Advantages of the FLET and GIOTTO -predictable timing and value behavior (no internal race conditions, minimal jitter) -portable, composable code (as long as the platform offers sufficient performance) ITR Kickoff / Chess 49 Research Agenda From Hybrid Models -robust hybrid models (tube topologies, discounting) -model checking for hierarchical and stochastic hybrid models -multi-aspect assume-guarantee decomposition of hybrid models (interface theories for time, resources, fault tolerance) To Embedded Code -distributed schedulability analysis and code generation -on-line code modification and fault tolerance ITR Kickoff / Chess 50

26 Credits Scalable and Robust Hybrid Systems: Luca de Alfaro, Arkadeb Ghosal, Marius Minea, Vinayak Prabhu, Marcin Jurdzinski, Rupak Majumdar GIOTTO: Ben Horowitz, Christoph Kirsch, Rupak Majumdar, Slobodan Matic, Marco Sanvido ITR Kickoff / Chess 51 Collaborators of the FRESCO Project -Alex Aiken on time-safety analysis of embedded code -Karl Hedrick on Giotto implementation of electronic throttle control -Edward Lee on Giotto modeling and code generation in Ptolemy -Edward Lee on rich interface theories as type theories for component interaction -George Necula on model checking device drivers -George Necula on scheduler-carrying embedded code -Alberto Sangiovanni-Vincentelli on synthesis of protocol converters from interfaces -Alberto Sangiovanni-Vincentelli and Shankar Sastry on platform-based design of a helicopter flight control system using Giotto -Shankar Sastry on hybrid automata ITR Kickoff / Chess 52