Formal Methods for Real-Time Embedded Software Engineering

What will I talk about ?What is a real-time system?What is an embedded system?Why software?Why formal synthesis?What is real-time embedded software engineering?Real-world applications?Future work?

What is a REAL-TIME SYSTEM?Timely ResponsePredictable ResponseSystem Correctness: Timing (period, deadlines, etc.)FunctionConstraints:Hard (meet ALL deadlines)Soft (miss SOME deadlines)

Examples of Real-Time Systemsmultimedia servers automobiles air craftstelecommunications

What is an EMBEDDED SYSTEM?Installed in a larger systemDedicated taskSmall Memory Space (200~400 KB)Low Processing Power (100~200 MHz)Unstable Environment (mobile, )ReactiveReal-Time

Embedded Systems Examplemedical instrumentshome appliancesoffice equipments space crafts research lab equipments factory automation

Embedded System Architecture

Why SOFTWARE?more than 70% software in many real-time embedded systems!!!software is more flexible and easily reconfigurable, hence more errors!!!real-time need for temporally correct softwareembedded need for small, efficient software

Why FORMAL SYNTHESIS?More software high complexity need for correct design (formal synthesis)Immature formal synthesis techniques for real-time embedded softwareNeed formal verification techniques to eliminate critical errors not found by simulation and testingAutomatic code generationCode optimizationsdecrease sizeincrease efficiency

What is real-time embedded software engineering?Model for real-time embedded systems? Set of concurrent tasks with memory and timing constraints!Feasible execution in an embedded system? (e.g. a 100MHz CPU, 256 KB RAM) Task scheduling!Automatically generate code? Map schedules to software code!Code optimizations? Minimize size, maximize efficiency!

Synthesis Issues and SolutionsProposed Solutions:

System Model: Petri NetsPetri Net, Carl Adam Petri. Kommunikation mit Automaten. PhD thesis, Institut fr instrumentelle Mathematik, Bonn, 1962.Petri Nets have been successfully used for system modeling and analysisconcurrent / parallel systemsfault-tolerant systemssystem performance evaluationcommunication protocol engineeringembedded software engineeringcontrol systems

Colored Time Petri Nets (with Complex-Choices) A Colored Time Petri Net is a 6-tuple (P, T, C, , M0, ):P is a non-empty finite set of placesT is a non-empty finite set of transitionsC is a finite set of colors representing data classes : P T T P = 2N C is a weighted flow relation between transitions and places.M0 is an initial marking (distribution of tokens to places) : T N* N* is a timing interval in which firings are valid (earliest and latest firing time)

Colored Time Petri Nets (CTPN)P = {p0, p1, p2, p3, p4}, T = {t0, t1, t2, t3, t4, t5}, C = {grey, red ,blue}, (t1, p2) = {(3,grey)}, M0={((1, grey), p0), ((1, red), p0), ((1, blue), p1)}, t1 = (1, 5),

t0

t1

p0

p1

p2

t4

t3

t2

p3

p4

t5

[3, 6]

[1, 5]

[7, 7]

[1, 2]

[2, 5]

{(2, blue), (1, grey)}

{(3, grey)}

[1, ]

8

Colored Time Petri Nets (CTPN)Model Extensions:Models memory usages by colored tokensModels timing behaviors by firing time intervalsAllows complex choices (instead of free choice only)Advantages:Explicit memory estimationExplicit worst case timing estimationLarger domain of applications

FCPN v/s CTPN(a) Free-Choice Petri Net(b) Complex-Choice Petri Net (An Automatic Cruise Controller)

proceeding vehicle distance sensor

speed limit sensor

distance > threshold

current speed < speed limit

decelerate

accelerate

no

yes

yes

no

no

yes

no speed limit?

Synthesis Algorithm (Hard RTES)Synthesize_Hard_RTES(S, , ) {EQSS = Ext_Quasi_Static_Schedule(S, );if (EQSS == NULL) return MemOverFlow;RTS = Real_Time_Sched(S, QSS, );if (RTS == NULL) return RTS_Error; else Code = Code_Gen(S, QSS, RTS);return Code;}

Synthesis Algorithm (Soft RTES)Synthesize_Soft_RTES(S, , ) {EQSS = Ext_Quasi_Static_Schedule(S, );if (EQSS == NULL) return MemOverFlow;FIB = Firing_Interv_Synth(S, QSS, );if (FIB == NULL) return FIB_Error; else Code = Code_Gen(S, QSS, FIB);return Code;}

Quasi-Static SchedulingTFCPNConflict-Free ComponentsQuasi-Static SchedulesMemory OK!!!

t1

t3(5, 10)

t2(1, 4)

2

p1

p2

p3

t1

t2(1, 4)

2

p1

p2

t1

t3(5, 10)

p1

p3

Extended Quasi-Static SchedulingExclusion TableCTPN

TransitionExclusive Transitionst4 t5t5 t4, t6t6 t5, t7t7 t6

Decomposition of Exclusion Set

Reduction of Decomposed Exclusion SetReduce

EQSS Schedules f(s) = (t1 t2 t3 t4 t6) f(s) = (t1 t2 t3 t5 t5 t7)

Real-Time SchedulingSingle ProcessorWorst Case Timing Analysis:

Rate Monotonic (RM)fixed prioritysmall period high priorityEarliest Deadline First (EDF)dynamic priorityearly deadline high priority

Firing Interval Bound Synthesis2 issues in the synthesis of SOFT real-time embedded systems:Synchronization Wait: (for completion of other tasks)Real-Time Specification: (complete before deadlines)Proposed Solutions:Postpone Release Time: + w, w> 0Advance Finish Time: n, n>0

Code Generationgenerate_code(S, QSS1, QSS2, , QSSn, RTS) { for i = 1, , n { Di = create_process(QSSi); for j = 1, , Indep_Tasks(Ai) { dij = create_task(QSSi); generate_task_code(dij); add_task(dij, Di); } } create_main(); output for(i=0, i

Optimal Code HierarchyMain ProgramCTPN# Tasks = # Independent Source Transitions

Illustration ExampleS = {F1, F2}

t11(2, 3)

t12(1, 3)

t13(3, 5)

p1

p2

p3

2

t14(5, 10)

t15(4, 9)

2

F1:

t21(0, 1)

t22(1, 2)

t23(1, 2)

p7

p2

p3

2

t24(2, 4)

t25(2, 4)

2

2

p4

p5

p6

t27(4, 8)

t26(5, 10)

2

t28(0, 5)

t29(1, 2)

F2:

p1

Conflict Free Components for F1v12 = (t11, t13, t15, t15)13 (v12) 26Quasi-Static Schedulingv11 = (t11, t12, t11, t12, t14)11 (v11) 22

t11(2, 3)

t12(1, 3)

p1

p2

2

t14(5, 10)

2

t15(4, 9)

p3

R12:

p1

t13(3, 5)

R11:

t11(2, 3)

Conflict Free Components for F2v21 = (t21, t22, 2t24, 4t26, t28, t29, t26) 31 (v21) 68v22 = (t21, t23, t25, 2t27, t28, t29, t26) 15 (v22) 36Quasi-Static Scheduling

t21(0, 1)

t22(1, 2)

p7

p2

2

t24(2, 4)

2

p4

t26(5, 10)

t28(0, 5)

t29(1, 2)

t29(1, 2)

t28(0, 5)

2

t26(5, 10)

t27(4, 8)

p6

p5

p4

2

t25(2, 4)

p1

p1

p3

R22:

p7

t23(1, 2)

R21:

t21(0, 1)

Real-Time Scheduling1 = {v11, v12} 2 = {v12, t11 t12 k v12 t11 t12 t14, k 1}

TaskPriorityimax(1)max(2)T111002648T221106868SchedulableYesNoAlgorithmsRM, EDF

ATM Virtual Private Network Server ExampleCLASSIFIERCONGESTION CONTROL (MSD)SUPERVISORWFQ SCHEDULERATM IN(155 Mbit/s)ATM OUT(155 Mbit/s)DISCARDED CELLS

ATM VPN Server ExampleMessage Selective Discarding (MSD): Avoiding buffer overflow by discarding selected incoming cellWeighted Faired Queuing (WFQ): A bandwidth control policy for the outgoing flows

Main Functionalities of an ATM serverExampleExtract information from cell.MSD algorithm andWFQ algorithm.A periodic task that select cells to be emitted.Involves WFQ algorithm.

MSD

CID

PTI

t1

p1

p2

p3

p4

p5

p6

p7

p8

p10

UPDATE_STATE_INIT

t6

PTI=1/3?

Y

N

p24

*WFQ

COMPUTE_OUT_TIME

t12

Qlength = 0?

PUSH

UPDATE_STATE_ACC

UPDATE_STATE_REJ

CHECK_QLENGTH

READ_THRESHOLD

CHECK_QLENGTH

READ_MAX_QLENGTH

t3

t4

t5

st=2

st=1

st=0

p9

p11

p12

p13

p14

p15

p16

p17

p18

p20

p19

p21

p22

p23

READ_STATE_VCC

READ_OUT_QUID

t2

t7

t8

Qlength < max?

Qlength < thres?

N

Y

Y

N

t9

t10

t11

N

Y

*WFQ

READ_LAST

READ_BW

t13

t15

t14

INSERT_CELL

LAST + BW>GLOBAL_TIME?

p30

p29

p28

p27

p26

p25

TICK

I=I+1

I = N?

N

Y

I=0

t16

READ_SORTER

CELL_OUT_TIME

CTPN model of MSD Algorithm

CID

READ_STATE_VCC

UPDATE_STATE_INIT

p1

p2

p3

p4

p5

p6

p7

p8

p10

MSD

PTITI

t1

READ_OUT_QUID

t2

t6

t9

p9

p11

p12

p15

p16

p19

p13

p14

p17

p18

p20

p22

p23

t3

t4

t5

READ_MAX_QLENGTH

CHECK_QLENGTH

t8

READ_THRESHOLD

CHECK_QLENGTH

t7

t11

UPDATE_STATE_REJ

t10

t12

PUSH

Qlength < thres ?

UPDATE_STATE_ACC

N

Y

Qlength

14 Schedules of MSD in ATM

Schedule Results:49 markings14 schedules63 instructions12 Kbytes Memory

Master/Slave Role Switch in the Bluetooth Wireless Comm ProtocolIn Bluetooth protocol:Piconet = 1 master + 7 active slavesFrequently, master and slave switch rolesnew active slave joining piconetovertaking of master dutiescreation of a new piconet with old master as slaveModel2 CTPN for Host A and Host B2 CTPN for Host Control / Link Manager

CTPNs for Host A and Host B

Host_A

ACL_Connection

Initialize

Send HA2LA_HCI_Switch_Role

Receive LA2HA_HCI_Command_status_event

Send LA2HA_HCI_Role_change_event

End

Host_B

ACL_Connection

Initialize

Send HB2LB_HCI_Switch_Role

Receive LB2HB_HCI_Command_status_event

Send LB2HB_HCI_Role_change_event

End

CTPN for Host Control / Link Manager of Device A

HC/LM_A

Initialize

ACL_Connection

End

Receive HA2LA_HCI_Switch_Role

Receive N2LA_LMP_Switch_reg

Send LA2HA_HCI_Command_States_event

Send LA2N_LMP_slot_offset_sub2

Send LA2N_LMP_Switch_req

Receive N2LA_LMP_Slot_offset_sub1

Checking NetWork

Send LA2N_LMP_accepted

Send LA2N_LMP_not_accepted

Receive N2LA_LMP_accepted

Receive N2LA_LMP_not_accepted

Send TDD_SwitchA

Receive BA2LA_TimeOut1

Receive BA2LA_Role_SwitchA_Success

End

Send LA2HA_HCI_Role_Change_event

End

End Checking NetWork

CTPN for Host Control / Link Manager of Device B

HC/LM_B

Initialize

ACL_Connection

End

Receive HB2LB_HCI_Switch_Role

Receive N2LB_LMP_Switch_reg

Send LB2HB_HCI_Command_States_event

Send LB2N_LMP_slot_offset_sub2

Send LB2N_LMP_Switch_req

Receive N2LB_LMP_Slot_offset_sub1

Checking NetWork

Send LB2N_LMP_accepted

Send LB2N_LMP_not_accepted

Receive N2LB_LMP_accepted

Receive N2LB_LMP_not_accepted

Send TDD_SwitchB

Receive BB2LB_TimeOut1

Receive BB2LB_Role_SwitchB_Success

End

Send LB2HB_HCI_Role_Change_event

End

End Checking NetWork

Synthesis Results for M/S switch

CTPN#T#P#SSchedulesHost A752,HC/LM A21156, , , , , Host B752Same as for Host AHC/LM B21156Same as for HC/LM A

Mnemonics for Host A Transitionst_0: Initialize,t_1: ACL_Connection,t_2: Send HA2LA_HCI_Switch_Role,t_3: t4,t_4: Receive LA2HA_HCI_Command_status_event,t_5: Receive LA2HA_HCI_Role_change_event,t_6: End.

Mnemonics for HC/LM A Transitionst_0: Initialize,t_1: ACL_Connection,t_2: Receive HA2LA_HCI_Switch_Role,t_3: Receive N2LA_LMP_Switch_reg,t_4: Send LA2HA_HCI_Command_States_event,t_5: Receive N2LA_LMP_Slot_offset_sub1,t_6: Checking NetWork,t_7: Send LA2N_LMP_slot_offset_sub2,t_8: Send LA2N_LMP_not_accepted,t_9: Send LA2N_LMP_accepted,t_10: End Checking Network,t_11: Send LA2N_LMP_Switch_req,t_12: Receive N2LA_LMP_not_accepted,t_13: Receive N2LA_LMP_accepted,t_14: End,t_15: Send TDD_SwitchA,t_16: Receive BA2LA_TimeOut1,t_17: Receive BA2LA_Role_SwitchA_Success,t_18: End,t_19: Send LA2HA_HCI_Role_Change_event,t_20: End

C Code Samplevoid *thread_run0 (void *arg){ t0(); mutex_operation(t0,p0,-); switch(p0) { case 1 : ; break; case 2 : ; break; case 3 : ; do { } while(1); break; default : break; } }void main(){ pthread_t task0; while(1) { if polled(t0) pthread_creation (&task0, NULL, thread_run0, NULL); }}

t0p0

ConclusionsSoftware needs to be synthesized automatically and formally because it is getting more and more complex!Hard RTES Synthesis Method = EQSS + RTS + Code-GenerationSoft RTES Synthesis Method = EQSS + FIBS + Code-GenerationATM VPN Server and Bluetooth examples show feasibility of our approach

Current and Future WorkIntegrate Real-Time Scheduling & EQSSExtend Petri Net system model coverageJava Implementation: install into embedded systems such as PDA for dynamic code change and management by user (web computing)C Code Generation: for embedding into prototyping systems such as SoC design and verification platform

References (EQSS, FIBS, etc.)All papers are downloadable at http://www.cs.ccu.edu.tw/~pahsiung/publications/publications.htmlF.-S. Su and P.-A. Hsiung, Extended Quasi-Static Scheduling for Formal Synthesis and Code Generation of Embedded Software, Proc. of the 10th IEEE/ACM International Symposium on Hardware/Software Codesign, (CODES'02), Colorado, USA, May 6-8, 2002 (accepted for presentation). P.-A. Hsiung, Formal Synthesis and Control of Soft Embedded Real-Time Systems, Proc. 21st IFIP WG 6.1 International Conference on Formal Techniques for Networked and Distributed Systems (FORTE'01), (Cheju Island, Korea), pp. 35-50, Kluwer Academic Publishers, August 2001. P.-A. Hsiung, "Formal Synthesis and Code Generation of Embedded Real-Time Software," Proc. ACM/IEEE 9th International Symposium on Hardware/Software Codesign (CODES'01), (Copenhagen, Denmark), pp. 208-213, ACM Press, New York, USA, April 2001.

References (Time-Mem Sched.)P.-A. Hsiung and C.-H. Gau, Formal Synthesis of Real-Time Embedded Software by Time-Memory Scheduling of Colored Time Petri Nets, Proc. of the Workshop on Theory and Practice of Timed Systems (TPTS'2002, Grenoble, France), April 6-7, 2002. C.-H. Gau and P.-A. Hsiung, Time-Memory Scheduling and Code Generation of Real-Time Embedded Software, Proc. of the 8th International Conference on Real-Time Computing Systems and Applications (RTCSA'02, Tokyo, Japan), pp. 19-27, March 18-20, 2002.

References (VERTAF)P.-A. Hsiung, T.-Y. Lee, W.-B. See, J.-M. Fu, and S.-J. Chen, "VERTAF: An Object-Oriented Application Framework for Embedded Real-Time Systems," Proc. of the 5th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing (ISORC'2002, Washington, D.C., USA), April 29-May 1, 2002 (accepted for presentation).P.-A. Hsiung, W.-B. See, T.-Y. Lee, J.-M. Fu, and S.-J. Chen, "Formal Verification of Embedded Real-Time Software in Component-Based Application Frameworks," Proc. 8th Asia-Pacific Software Engineering Conference (APSEC'01) , (Macau SAR, China), pp. 71-78, IEEE CS Press, December 2001.P.-A. Hsiung, F.-S. Su, C.-H. Gau, S.-Y. Jeng, and Y.-M. Chang, "Verifiable Embedded Real-Time Application Framework," Proc. IEEE International Real-Time Technology and Applications Symposium (RTAS'01), Work-In-Progress Session, (Taipei, Taiwan), pp. 109-110, IEEE Computer Society Press, May 2001.

Free choice branch, complex-choice branch and concurrency