Modeling and verification of real-time embedded systems with urgency

doi:10.1016/j.jss.2009.03.013

Journal of Systems and Software

Volume 82, Issue 10, October 2009, Pages 1627-1641

https://doi.org/10.1016/j.jss.2009.03.013 Get rights and content

Abstract

Real-time embedded systems are often designed with different types of urgencies such as delayable or eager, that are modeled by several urgency variants of the timed automata model. However, most model checkers do not support such urgency semantics, except for the IF toolset that model checks timed automata with urgency against observers. This work proposes an Urgent Timed Automata (UTA) model with zone-based urgency semantics that gives the same model checking results as absolute urgency semantics of other existing urgency variants of the timed automata model, including timed automata with deadlines and timed automata with urgent transitions. A necessary and sufficient condition, called complete urgency, is formulated and proved for avoiding zone partitioning so that the system state graphs are simpler and model checking is faster. A novel zone capping method is proposed that is time-reactive, preserves complete urgency, satisfies all deadlines, and does not need zone partitioning. The proposed verification methods were implemented in the SGM CTL model checker and applied to real-time and embedded systems. Several experiments, comparing the state space sizes produced by SGM with that by the IF toolset, show that SGM produces much smaller state-spaces.

Introduction

A popular model for real-time embedded systems is Timed Automata (TA) (Alur and Dill, 1994), for which several model checkers such as SGM (Wang and Hsiung, 2002), RED (Wang, 2001), UPPAAL (Bengtsson et al., 1995), and Kronos (Yovine, 1997) have been developed to verify them formally. However, timed automata models assume a lazy semantics, that is, an enabled state transition need not be taken as long as the invariant condition of the state is not violated. Lazy transition semantics are too general to model the urgent behavior found in many real-world systems such as medical devices, home appliances, robotics, and others. Thus, the TA model was extended with urgency semantics such as the Timed Automata with Deadlines (TAD) (Bornot et al., 1997), Timed Automata with Urgent Transitions (TAUT) (Barbuti and Tesei, 2004), Timed I/O Automata with Stopping Condition (Kaynar et al., 2003), and Timed I/O Automata with Urgency (Gebremichael and Vaandrager, 2005). These extended variants incorporate different syntax for accurately modeling urgency. However, system verification using such extended variants has not received as much attention in the area of Computation Tree Logic (CTL) model checking (Clarke and Emerson, 1981). This work focuses on proposing a class of TA with urgencies called Urgent Timed Automata (UTA), its corresponding zone-based urgency semantics, and how an urgent timed system state graph can be model checked against CTL properties.

Before urgency semantics were defined for timed automata, state invariants were used to model urgent behavior by forcing a TA to transit to successor states before the invariants are violated due to time elapse. However, the invariant-based method was only applicable to hard deadlines, where the stopping of time due to urgency and the non-existence of any transition to take when time is stopped resulted in a timelock. Stopping conditions associated with timed I/O automata also result in similar timelocks. Different methods were proposed to avoid timelocks such as associating a transition with a deadline predicate (Bornot and Sifakis, 2000, Bornot et al., 1997, Sifakis and Yovine, 1996), with an urgency predicate (Gebremichael and Vaandrager, 2005), or with a positive rational parameter representing deadline (Barbuti and Tesei, 2004). However, there is very little research on how such models with urgent semantics are to be verified using CTL model checking (Clarke and Emerson, 1981). There is also no CTL model checker that can directly model check these models without workarounds. The IF toolset (Bozga et al., 1999) can model check timed automata with urgency against properties written as observers, which are IF processes that monitor and guide simulation.

The expressiveness of deadline predicates, urgency predicates, and deadline parameters are all same (Gebremichael and Vaandrager, 2005, Barbuti and Tesei, 2004). Further, it has also been shown that deadline predicates can be simplified into urgency types, namely lazy, delayable, and eager. We thus decided that we need only address the model checking of timed automata having transitions associated with urgency types. We call this model as Urgent Timed Automata (UTA). The major issue in this work is how we restrict time progress so that the enabled urgent transitions are taken as required by their semantics and the models can be model checked.

The issues to be resolved in this work are as follows. The first is a soundness issue, which means we need to determine an urgency semantics for UTA models that is consistent with the conventional TA model checking. As a solution, we propose a zone-based urgency semantics that gives the same model checking results as the urgency semantics of TAD and TAUT. The second is a completeness issue, which means we need to determine the class of UTA that can be model checked by a conventional TA model checker. As a solution, we found that UTA under the proposed complete urgency restriction can be model checked. The third is a construction issue, which means we need to find a method for enforcing urgencies while guaranteeing time-reactivity, preserving complete urgency, satisfying all deadlines, and not needing zone partitioning. As a solution, we propose a novel zone-capping operation that is proved to possess all the above characteristics.

In summary, our major contribution in this work is the proposal of solutions to the above three issues, the theoretical proofs and analysis of the solutions, and their implementation in the SGM model checker along with application to several examples from the real-time and embedded systems domain. The proposed solutions mainly include the UTA model, the zone-based urgency semantics, the complete urgency restriction, and the zone capping operation, which result in time-reactive state graphs, satisfying all deadlines, and without the need for zone partitioning.

The article is organized as follows. Section 2 describes previous work related to urgency modeling and verification. Basic definitions used in our work are given in Section 3. Section 4 will formulate the solutions to solve the above described issues in model checking UTA. Section 5 describes the algorithm, the theoretical analysis, and its application to several examples. The article is concluded and future research directions are given in Section 6.

Section snippets

Related work

Most works that extend the timed automata model with urgency semantics (Barbuti and Tesei, 2004, Bornot and Sifakis, 2000, Bornot et al., 1997, Gebremichael and Vaandrager, 2005, Sifakis and Yovine, 1996) are focused on the modeling aspects such as expressiveness and compositionality. Except for the IF toolset (Bozga et al., 1999), little attention has been paid to the verification of systems modeled by these urgency extended models. In this section, we first discuss the differences among the

Preliminaries

We first introduce the basic definitions required for the proposed work. Given a set C of clock variables and a set D of discrete variables over integers, a mode predicate $η$ over C and D is defined as: $η : = false | ζ \land β$ , where ζ is a clock constraint over C and $β$ is a Boolean constraint over D. A clock constraint ζ is defined as $ζ : = x \sim c | x - y \sim c | ζ_{1} \land ζ_{2}$ , where $x, y \in C, c \in N, \sim \in {⩽, <, =, ⩾, >}$ , and $ζ_{1}, ζ_{2}$ are all clock constraints. A Boolean constraint $β$ is defined as $β : = d \sim c | β_{1} \land β_{2} | \neg β_{3}$ , where $d \in D$ and $β_{1}, β_{2}, β_{3}$ are

Model checking urgent timed systems

Our target problem is to model and verify urgent timed systems such as real-time embedded systems. A set of urgent timed automata is used to model such a system and model checking is used to verify if the urgent timed system state graph, obtained by merging the set of UTA, satisfies user-given CTL properties. In this section, we will propose solutions to the issues that were introduced in Section 1. A precise definition of the semantics of urgent timed automaton will be given in Section 4.1. A

Implementation, analysis, and application examples

The proposed method for model checking urgent timed systems modeled by UTA has been implemented in the State-Graph Manipulators (SGM) model checker (Wang and Hsiung, 2002), which is a high-level compositional model checker for real-time systems. The implementation of the algorithm for processing urgencies in a state graph using zone capping is described in Section 5.1. UTA can be input to SGM and model checked automatically against user-specified CTL properties. Theoretical results such as

Conclusions

We have proposed the verification of urgent timed systems, modeled by urgent timed automata (UTA), using a zone-based urgency semantics for CTL model checking. We have proposed a novel zone capping operation, which enforces the semantics of urgency types in UTA and produces time-reactive state graphs that satisfy all urgency deadlines. A necessary and sufficient condition, called complete urgency, is also proved for avoiding zone partitioning. It is shown that complete urgency is preserved by

References (25)

R. Alur et al.
A theory of timed automata
Theoretical Computer Science
(1994)
S. Bornot et al.
An algebraic framework for urgency
Information and Computation
(2000)
J.-B. Stefani et al.
Computational model for distributed multimedia application based on a synchronous programming language
Computer Communications (Special Issue on FDTs)
(1992)
Alur, R., Courcoubetis, C., Dill, D.L., 1990. Model-checking for real-time systems. In: Proceedings of the 5th Annual...
R. Barbuti et al.
Timed automata with urgent transitions
Acta Informatica
(2004)
Bengtsson, J., Larsen, K., Larsson, F., Pettersson, P., Wang, Y., 1995. UPPAAL: a tool suite for automatic verification...
Bornot, S., Sifakis, J., Tripakis, S., 1997. Modeling urgency in timed systems. In: Proceedings of the International...
Bowman, H., Faconti, G., Katoen, J.-P., Latella, D., Massink, M., 1998. Automatic verification of a lip synchronisation...
Bozga, M., Fernandez, J.Cl., Ghirvu, L., Graf, S., Krimm, J.P., Mounier, L., 1999. IF: an intermediate representation...
Bozga, M., Graf, S., Mounier, L., Ober, I., Roux, J.-L., Vincent, D., 2001. Timed extensions for SDL. In: Proceedings...

Cassez, F., Pagetti, C., Roux, O., 2002. A timed extension for AltaRica. Research Report R 12002-13, IRCCyN/CNRS,...

Clarke E.M., Emerson. E.A., 1981. Design and sythesis of synchronization skeletons using branching time temporal logic....

Cited by (3)

Model-based platform-specific co-design methodology for dynamically partially reconfigurable systems with hardware virtualization and preemption
2010, Journal of Systems Architecture
Citation Excerpt :
The combination of simultaneously executing hardware functions in a DPRS changes with time and environment conditions. To model real-time system behaviors, the previously proposed urgency semantics [16] are applied to TA, and thus transitions in such Extended Timed Automata (ETA) are associated with urgency types, including lazy and eager. Lazy transitions need not be taken even if their triggers are satisfied, while eager transitions are triggered as soon as possible.
To facilitate the development of the dynamically partially reconfigurable system (DPRS), we propose a model-based platform-specific co-design (MPC) methodology for DPRS with hardware virtualization and preemption. For DPRS analysis and validation, a model-based verification and estimation framework is proposed to make model-driven architecture (MDA) more realistic and applicable to the DPRS design. Considering inherent characteristics of DPRS and real-time system requirements, a semi-automatic model translator converts the UML models of DPRS into timed automata models with transition urgency semantics for model checking. Furthermore, a UML-based hardware/software co-design platform (UCoP) can support the direct interaction between the UML models and the real hardware architecture. Compared to the existing estimation methods, UCoP can provide accurate and efficient platform-specific verification and estimation. We also propose a hierarchical design that consists of a hardware virtualization mechanism for dynamically linking the device nodes, kernel modules, and on-demand reconfigurable hardware functions and a hardware preemption mechanism for further increasing the utilization of hardware resources per unit time. Further, we realize a dynamically partially reconfigurable network security system (DPRNSS) to show the applicability and practicability of the MPC methodology. The DPRNSS cannot only dynamically adapt some of its hardware functions at run-time to meet different system requirements, but also determine which mechanism will be used. Our experiments also demonstrate that the hardware virtualization mechanism can save the overall system execution time up to 12.8% and the hardware preemption mechanism can reduce up to 41.3% of the time required by reconfiguration-based methods.
A verification-aware design methodology for thread pipelining parallelization
2012, IEICE Transactions on Information and Systems
Model-based verification and estimation framework for dynamically partially reconfigurable systems
2011, IEEE Transactions on Industrial Informatics

Pao-Ann Hsiung Ph.D., received his B.S. in Mathematics and his Ph.D. in Electrical Engineering from the National Taiwan University, Taipei, Taiwan, ROC, in 1991 and 1996, respectively. From 1996 to 2000, he was a post-doctoral researcher at the Institute of Information Science, Academia Sinica, Taipei, Taiwan, ROC. From February 2001 to July 2002, he was an assistant professor and from August 2002 to July 2007 he was an associate professor in the Department of Computer Science and Information Engineering, National Chung Cheng University, Chiayi, Taiwan, ROC. Since August 2007, he has been a full professor. Dr. Hsiung was the recipient of the 2001 ACM Taipei Chapter Kuo-Ting Li Young Researcher for his significant contributions to design automation of electronic systems. Dr. Hsiung was also a recipient of the 2004 Young Scholar Research Award given by National Chung Cheng University to five young faculty members per year. Dr. Hsiung is a senior member of the IEEE, a senior member of the ACM, and a life member of the IICM. He has been included in several professional listings such as Marquis’ Who’s Who in the World, Marquis’ Who’s Who in Asia, Outstanding People of the 20th Century by International Biographical Centre, Cambridge, England, Rifacimento International’s Admirable Asian Achievers (2006), Afro/Asian Who’s Who, and Asia/Pacific Who’s Who. Dr. Hsiung is an editorial board member of the International Journal of Embedded Systems (IJES), Inderscience Publishers, USA; the International Journal of Multimedia and Ubiquitous Engineering (IJMUE), Science and Engineering Research Center (SERSC), USA; an associate editor of the Journal of Software Engineering (JSE), Academic Journals, Inc., USA; an editorial board member of the Open Software Engineering Journal (OSE), Bentham Science Publishers, Ltd., USA; an international editorial board member of the International Journal of Patterns (IJOP). Dr. Hsiung has been on the program committee of more than 50 international conferences. He served as session organizer and chair for PDPTA’99, and as workshop organizer and chair for RTC’99, DSVV’2000, and PDES’2005. He has published more than 160 papers in international journals and conferences. He has taken an active part in paper refereeing for international journals and conferences. His main research interests include reconfigurable computing and system design, multi-core programming, cognitive radio architecture, System-on-Chip (SoC) design and verification, embedded software synthesis and verification, real-time system design and verification, hardware-software codesign and coverification, and component-based object-oriented application frameworks for real-time embedded systems.

Shang-Wei Lin received his B.S. in management information system from National Chung Cheng University, Chiayi, Taiwan, ROC, in 2002. He is currently working towards his Ph.D. in the Department of Computer Science and Information Engineering at National Chung Cheng University, Chiayi, Taiwan, ROC. He is a teaching and research assistant in the Department of Computer Science and Information Engineering at National Chung Cheng University. His research interests include formal verification, formal synthesis, scheduling, embedded system design, and object-oriented software synthesis.

Yean-Ru Chen received her B.S. in Computer Science and Information Engineering from the National Chiao Tung University, Hsinchu, Taiwan, ROC in 2002. From 2002 to 2003, she was employed as an engineer in SoC Technology Center, Industrial Technology Research Institute, Hsinchu, Taiwan, ROC. She received her M.S. in Computer Science and Information Engineering from the National Chung Cheng University, ChiaYi, Taiwan, ROC in 2006. She is currently a Ph.D. candidate in Graduate Institute of Electronics Engineering of National Taiwan University, Taipei, Taiwan, ROC. Her current research interests include model checking, safety-critical systems and Electronic System Level (ESL) Design.

Chun-Hsian Huang received his B.S. degree in Information and Computer Education from National TaiTung University, TaiTung, Taiwan, ROC, in 2004. He is currently working toward his Ph.D. in the Department of Computer Science and Information Engineering at National Chung Cheng University, Chiayi, Taiwan, ROC. He is a teaching and research assistant in the Department of Computer Science and Information Engineering at National Chung Cheng University. His research interests include dynamically partially reconfigurable systems, UML-based hardware/software co-design methodology, hardware/software co-verification, and formal verification.

Chihhsiong Shih received his BSc degree from Chung Yuan Christian University, Taiwan, in 1984 and his MSc in computer science, and PhD degree in mechanical engineering in 1997, all from Rensselaer Polytechnic Institute. Since then, he has been working in the CAD software industry. From 1997–2000, he has worked for a CAD simulation company, Simmetrix, while from 2000–2002, he worked for the EDA team of microelectronic division of IBM Corp. He has broad interests in the software-assisted CAD applications, including engineering simulation and electrical properties analysis. He is currently involved with graphics and vision assisted 3D applications, e.g., reverse engineering and embedded software engineering research in Tunghai University, Taiwan, as an assistant professor.

William Cheng-Chung Chu is the dean of Engineering College, a professor of the Department of Computer Science, and the Director of Software Engineering and Technologies Center of Tunghai University. He had served as the Dean of Research and Development office at Tunghai University from 2004 to 2007, Taiwan. From 1994 to 1998, he was an associate professor at the Department of Information Engineering and Computer Science at Feng Chia University. He was a research scientist at the Software Technology Center of the Lockheed Missiles and Space Company, Inc., where he received special contribution awards in both 1992 and 1993 and a PIP award in 1993. In 1992, he was also a visiting scholar at Stanford University. He is serving as the associate editor for Journal of Software Maintenance and Evolution (JSME) and Journal of Systems and Software (JSS). His current research interests include software engineering, embedded systems, and E-learning. Dr Chu received his MS and PhD degrees from Northwestern University in Evanston Illinois, in 1987 and 1989, respectively, both in computer science. He has edited several books and published over 100 referred papers and book chapters, as well as participating in many international activities, including organizing international conferences.

View full text

Modeling and verification of real-time embedded systems with urgency

Abstract

Introduction

Section snippets

Related work

Preliminaries

Model checking urgent timed systems

Implementation, analysis, and application examples

Conclusions

Theoretical Computer Science

Information and Computation

Computer Communications (Special Issue on FDTs)

Timed automata with urgent transitions

Acta Informatica