Faster Verification of RTL-Specified Systems via Decomposition and Constraint Extension

04/22/23 RTSS'06 1

Faster Verification of RTL-Specified Systems via Decomposition and Constraint Extension Stefan Andrei1 Albert M. K. Cheng2

1. School of Computing, National University of Singapore2. Department of Computer Science, University of Houston

Albert Cheng

04/22/23 RTSS'06 Andrei & Cheng 2

Real-Time Systems Specification [JaM87, Che02] Structural-functional specification

Behavioral specification (SP) An implementation is correct if

SP implies the safety assertions (SA)

[JaM87] Jahanian, F., Mok, A.: A Graph-Theoretic Approach for Timing Analysis and its Implementation. IEEE Transactions on Computers. Vol. C-36, No. 8, 1987

[Che2002] Cheng, A.M.K.: Real-time systems. Scheduling, Analysis, and Verification. Wiley-Interscience, 2002


Real-Time Logic (RTL) [JaM86] RTL = first-order logic with special features to capture

the timing requirements of the specification and the safety assertion.

Occurrence Function: @:: Event x Occurrence Time, where Occurrence = Nat - {0} and Time = Nat.

@(e, i) = t means the i-th occurrence of event e occurs at time t.

eEvent, iOccurrence, @(e,i) < @(e,i+1) if @(e,i+1) is defined.

[JaM86] Jahanian, F., Mok, A.K.: Safety analysis of timing properties in real-time systems, IEEE Transactions on Software Engineering, vol. SE-12, no.~9, pp. 890--904, 1986.


Decidable Fragments of RTL However, the satisfiability problem for RTL, as

well as for other first-order logics, is undecidable [WaM94].

In an effort to find subclasses of RTL having decidable properties, the path real time logic (path RTL) was described in [JaM87, WaM94].

[WaM94] Wang, F., Mok, A. K.: RTL and Refutation by Positive Cycles. Proceedings of Formal Methods Europe Symposium, 873, Lecture Notes in Computer Science, pp. 659-680, 1994


Path Real Time Logic A typical timing constraint expressed in path RTL is a

disjunction of inequalities like i @(e1, i)-@(e2, i) ≤ k, that has the meaning: the difference between the time of the ith occurrence of event

e1 and the time of the ith occurrence of event e2 is at most k, where the time occurrences, i and k are positive integers.

Heuristics that deal with verification of SP SA were described in [JaM87, ACCL05].

[ACCL05] S. Andrei, W.-N. Chin, A. Cheng, and M. Lupu. Systematic debugging of real-time systems based on incremental satisfiability counting. In Proceedings of RTAS’05, pages 519–528, 2005.


Real-Time Logic (cont) Three types of RTL constants:

Actions: schedulable units of work Events constants are temporal markers

External Events: event-name Start Events: event-name Stop Events: event-name Transition Events: event-name

Integers: used for timing constraints.


Path-RTL class [JaM87,WaM94] The general form of path-RTL formulas: functionOccurrence integerConstant functionOccurrence Industrial real-time systems:

Railroad crossing [JaM87], [JaS88], [Che02] Moveable control rods in a reactor [JaM87] Boeing 777 Integrated Airplane Information

Management System [MTR96] X-38, an autonomous spacecraft build by NASA

[RiC99]


X-38, an autonomous spacecraft build by NASA [RiC99]

[RiC99] Rice, L.E.P., Cheng, A.M.K.: Timing Analysis of the X-38 Space Station Crew Return Vehicle Avionics. Proceedings of the 5-th IEEE-CS Real-Time Technology and Applications Symposium, pp. 255-264, 1999


Limitations of Path Real Time Logic The airport radar station specification [Che02]

“Suppose there is a radar station having two radar sensors for detecting actions.

The radar station is turned on at time 0. In order to allow time for the initialization routine, the sum

of times when both sensors initially start sensing must be at least 5 seconds.

If the first sensor starts early, the second sensor must start later, and vice versa.

Both sensors may start at the same time but only after 5 seconds.

Moreover, at most 11 seconds may elapse between the starts of both sensors.”


Limitations of Path Real Time Logic The airport radar station specification can be

translated into RTL: i @(RadarSensor1, i) + @(RadarSensor2, i) ≥ 5 @(RadarSensor1, i) - @(RadarSensor2, i) ≤ 10 @(RadarSensor2, i) - @(RadarSensor1, i) ≤ 10.

But this specification involves inequalities that cannot be expressed in the path RTL (because they contain both + and – operators).


First Contribution of Our Paper We shall present an extension of the path RTL

class by allowing inequalities like i @(e1, i)+@(e2, i) ≥ k and i @(e1, i)+@(e2, i) ≤ k to be part of the specification.

Obviously, equalities like i @(e1, i)+@(e2, i) = k may be also part of the extended path RTL specification, as they can be easily converted into the above two inequalities.

Then a new and fast algorithm based on a translation to an extended constraint graph is described, too.


Second Contribution of Our Paper For real-time systems with large specifications, there is a lot of room for improvement in the algorithms used for verification and debugging.

There is a need of an efficient method to perform verification and debugging of real-time systems specifications using decomposition techniques.

The idea is to decompose the constraint graph, used in existing approaches, into independent sub-graphs so that it is no longer necessary to analyze the entire specification at once, but rather its individual and smaller components.

Efficient implementation of this method in the Java-based DEVA-RTL tool and tested it on several industrial real-time systems.


Translating from RTL to SAT [JaM87]1. (SP SA) (SP SA) SP SA

SP SA is a theorem iff SP SA is unsatisfiable;F = SP SA

2. F’ = the corresponding Presburger formula by replacing each @(e,i) by an uninterpreted function fe(i)

3. PF = C1 C2 … Cn is the propositional formula of F’: Ci = Li,1 Li,2 … Li,n and Each Li,j has the general form: v1 I v2, I being a positive integer

constant. For each literal v1 I v2, we construct a node labeled v1, a node

labeled v2, and an edge <v1,v2> with weight I from node v1 to node v2; For each Xi,1, Xi,2,…, Xi,ni the i-th positive cycle, the clause Xi,1 Xi,2 …

Xi,ni is added to PF. If PF is unsatisfiable, then F is unsatisfiable, so SP SA is a

theorem.


Extended Constraint Graph The extended constraint graph, defined as ECG = (EN,

EA), where: The set of extended nodes is denoted as EN = {v+, v- | v

V}, where V is the set of literals that appear in SP and SA.

We say that a timing difference constraint is in the normal form if it has one of the following forms:vi - vj ≤ c, vi + vj ≤ c, -vi - vj ≤ c, vi ≤ c and vi ≥ c,

where vi and vj may be variables or functional symbols of one argument (e.g., f(x)) and c an integer constant.


Extended Constraint Graph For each inequality expressed in normal form we

construct the set of arcs EA, such as:1. for any vi - vj ≤ c, i ≠ j: add arcs (vi

-, vj-, -c) and (vi

+, vj

+, -c) to EA;2. for any vi + vj ≤ c, i ≠ j: add arcs (vi

-, vj+, -c) and

(vj-, vi

+, -c) to EA;3. for any -vi - vj ≤ c, i ≠ j: add arcs (vi

+, vj-, -c) and

(vj+, vi

-, -c) to EA;4. for any vi ≤ c: add arc (vi

-, vj+, -2c) to EA;

5. for any vi ≥ c: add arc (vi+, vj

-, 2c) to EA.


Extended Path RTL We generalize the path RTL to the extended path RTL by

simply allowing a timing constraint to have any of the above five forms described in the normal form.

Unlike the traditional construction of the constraint graph where one inequality generates two nodes and one arc, in the case of the extended constraint graph an inequality will generate four nodes and two arcs (e.g., the above first three cases).

This implies that the propositional formula corresponding to real-time systems specified in extended path RTL tends to have twice as many propositional variables and clauses as the propositional formula of the same system specified in traditional path RTL.


Extended Path RTL - Example The tracking/computation part specification of the radar

station ([Che02]): “A radar system searches objects of interest in the desired

coverage area by repeatedly executing the following steps: (1) scanning/ radio signal processing, (2) tracking, and (3) data association/classification.

Here, we specify a simplified version of the specification of the tracking step for four objects.

The safety assertion states that the computing resources (2 CPUs) can feasibly schedule the four object-tracking tasks, each tracking a distinct object of interest.

Each task is fully parallelizable and thus can execute on two CPUs if needed to speed up its execution by a factor of 2.

Tasks T1, T2, T3, and T4 have respectively computation times c1, c2, c3, and c4, all with the same period of p.”


Extended Path RTL - Example We denote by Tj_CPUk the fact that task j is executing

in CPUk. For any j {1, ..., 4} and k {1, 2}, we denote by

@(↑Tj_CPUk, i) and @(↓Tj_CPUk, i) the i-th occurrence of the starting and the ending time of task Tj_CPUk, respectively.

The above specification can be written in the extended path RTL as SP: @(↓T1_CPU1, i) + @(↓T1_CPU2, i) ≤ c1+ c2+ c3+ c4

@(↓T2_CPU1, i) + @(↓T2_CPU2, i) ≤ c2+ c3+ c4 @(↓T3_CPU1, i) + @(↓T3_CPU2, i) ≤ c3+ c4 @(↓T4_CPU1, i) + @(↓T4_CPU2, i) ≤ c4


Extended Path RTL - Example The next eight identities express that the computation

time of each task equals the difference between the ending time point and the starting time point: j {1, ..., 4} and k {1, 2}, we have @(↓Tj_CPUk, i) -

@(↑Tj_CPUk, i) = cj

There exists a task priorities sequence: the task T4 is the highest, and T1 is the lowest.

This implies the extended path RTL formulas: j {1, 2, 3} and k {1, 2}, we have @(↑Tj_CPUk, i) >

@(↑Tj+1_CPUk, i), where the margin cases are @(↑T1_CPUk, i) < p and @(↑T4_CPUk, i) = 0.


Extended Path RTL - Example The above SP can be checked now for

feasibility (i.e., there exists a schedule for all tasks in each period) by the following extended path RTL formula, denoted with SA (stands here for the ‘schedulling assertion’): j {1, ..., 4} and k {1, 2}, we have @(↓Tj_CPUk,

i) ≤ p. Since it makes use of both arithmetic operators

“+” and “-”, the specification cannot be done using only the traditional path RTL formulas.


Extended Path RTL - Example To illustrate the verification and debugging of SA in the

context of SP, we consider a specific system configuration by assigning values for the constants that occur in SP.

Let these be c1 = 32, c2 = 8, c3 = 28, c4 = 12 and the period p = 40.

For simplicity, we omit the argument i, so we associate to each time occurrence function a functional symbol of arity 0, such as: @(↑Tj_CPUk, i) will be denoted as sj,k (where ‘s’ stands for

‘start’) and @(↓Tj_CPUk, i) will be denoted as ej,k (where ‘e’ stands for

‘end’).


Extended Path RTL - Example


Extended Constraint Graph - Example The schedulling assertion to be checked is:

i,j ei,j ≤ 40, i {1, ..., 4}, j {1, 2} Thus, the negation of the schedulling

assertion is i,j ei,j ≥ 41. The extended constraint graph corresponding

to SP SA is given below. Because of its large size, we split it into four

components, one for each task, and their interconnections.


Extended Constraint Graph - Example The variables si,j and ei,j correspond to the

nodes of the extended constraint graph si,j-,

si,j+ and ei,j

-, ei,j+.

There exist 12 more arcs that correspond to the starting times of both CPU1 and CPU2.

These arcs link some of the internal nodes of the above four tasks’ extended constraint graphs, namely (si,j

-, si-1,j-, 1) and (si,j

+, si-1,j+, 1),

i {2, 3, 4}, j {1, 2}.


Extended Constraint Graph - Example


Propositional Formula - Example For each new arc there exists a new propositional variable

and for each positive cycle there exists a negative clause. The corresponding propositional formula for the whole

extended path RTL formula has 60 variables and 72 clauses. The arc (e1,2

-, e1,1+, -80) corresponds to a propositional variable

denoted as ee1,2,1,1-+.

The positive cycle given by the arcs (e1,2-, e1,1

+, -80), (e1,1+, e1,1

-, 82), (e1,1

-, e1,2+, -80), (e1,2

+, e1,2-, 82) leads to the negative clause ee1,2,1,1

-+ ee1,1,1,1

+- ee1,1,1,2-+ ee1,2,1,2

+-. The propositional formula is unsatisfiable, that means SP

SA is unsatisfiable, too. This implies that SP SA is a theorem, so the airport radar

station is feasible.


Decomposition Problem. Motivation Industrial examples have many components that are not

time-related or are loosely time-related. Examples:

The timing constraints of the braking component of a car are not necessarily related to the front headlights component of a car.

The flight-critical loop of the X-38 is not time-related with the non-flight critical loop of the X-38.

By exploiting this issue, we provide an efficient divide and conquer method to solve the verification and debugging of large real-time systems specifications using decomposition techniques.


Main Idea Decompose the constraint graph into independent

sub-graphs so that it does not have to analyze the entire specification at once, but only the smaller components (i.e., strongly connected components).

The satisfiability of one or all strongly connected component(s) can be used to determine the satisfiability of the entire specification.

Notations: Given the negation of the path RTL specification F, we denote

by CGF the constraints graph associated with F. Given the constraints sub-graph CG’F CGF , we denote by

PFCG’ the propositional formula obtained from F by considering only the nodes and arcs of CG’F .


Independent Components Let us consider that SCC1, ..., SCCn are the strongly

connected components of CGF and PFSCC1 , ..., PFSCCn are their corresponding propositional formulæ.

For a given i {1, ..., n}, we say that:a) SCCi is globally independent if and only if there is no arc (u, v)

E(CGF) for which (u V(SCCi) and v V(SCCi)) or (u V(SCCi) and v V(SCCi));

b) SCCi is locally independent of SCCj, where j ≠ i, if and only if u V(SCCj), v V(SCCi), the corresponding literal in PFSCCi of the arc (u, v) does not appear in a disjunction of other arcs of SCCi;

c) SCCi is locally neighbour independent if and only if there exists a j such that SCCi is locally independent of SCCj;

d) SCCi is locally neighbours independent if and only if for all j such that SCCj is connected with an arc to SCCi, we have that SCCi is locally independent of SCCj.


Modular Satisfiability Theorem The following facts hold:

a) if there exists an i {∈ 1, ..., n} such that SCCi is globally or locally neighbour independent and PFSCCi is unsatisfiable, then F and PF are unsatisfiable, too.

b) if all SCC1, ..., SCCn are globally or locally neighbours independent and PFSCC1, ..., PFSCCn are all satisfiable, then PF is satisfiable, too.


X-38 Constraint Graph Three different strongly connected components:

two referring to 50 and 10 Hz flight-critical loops (denoted as SCC1 and SCC2, respectively), and

the third one referring to the non-flight critical loop (denoted as SCC3).


Structure of the X-38 Constraint Graph SCC1, SCC2 and SCC3 are locally neighbours

independent because the arcs corresponding to the constraints @(↓FCP_I50FC, i) −@(↑FCP_I10FC, i) ≤ 0 and @(↓FCP_I50FC, i) −@(↑FCP_I50NFC, i) ≤ 0

are the only ones from SCC1 to SCC2 and from SCC1 to SCC3, respectively.

Moreover, these arcs are not involved in any disjunction of the specification.

So, the (un)satisfiability of the general formula can be done using the (un)satisfiability of all strongly connected components (because they are locally neighbours independent).


Decomposition Technique Debugging Results

In fact, the more strongly connected components the constraint graph has, the better the performance of the decomposition technique.


Concluding Remarks and Future Work Extended path-RTL class and applied compositional

analysis (current work) Tackle local minima and maxima Sensitivity analysis Identify new subclasses of timing formulae for which

the satisfiability problem is decidable: by considering a non-unit scalar integer, e.g., ± a * @(X, i)

± b * @(Y, j) ≤ c by considering more than two variables, e.g. ± @(X, i) ±

@(Y, j) ± @(Z, k) ≤ c

*Work supported in part by an Institute for Space Systems Operations (ISSO) Grant and a GEAR Grant.


Thank you!

Questions or comments?

Faster Verification of RTL-Specified Systems via Decomposition and Constraint Extension

Documents

Transcript of Faster Verification of RTL-Specified Systems via Decomposition and Constraint Extension