Framework for Inter-Model Analysis of Cyber-Physical Systems

Ivan Ruchkin, with Dionisio De Niz, Sagar Chaki, David Garlan
Carnegie Mellon University, Pittsburgh, PA, USA
The Summer School on Cyber-Physical Systems, Grenoble, France, July 2014

Description

Cyber-physical systems are engineered using a broad range of modeling methods, from systems of ODEs to finite automata. Each modeling method comprises ways of representing a system (models) and reasoning about it (analyses). The growing diversity of CPS modeling methods creates a challenge of using models and analyses together: what implicit assumptions are models making about each other? In what order should analyses be composed? Incorrect answers to these questions may lead to modeling errors and, eventually, system failures. In this talk I present a framework for inter-model analysis to deal with the challenge of multi-modeling. The framework allows its user to create architectural views as abstractions of models and specify contracts for analysis. Given views and contracts, the framework verifies model consistency, determines correct analysis execution sequence, and verifies that assumptions and guarantees of analyses hold.

Transcript of Framework for Inter-Model Analysis of Cyber-Physical Systems

Page 1: Framework for Inter-Model Analysis of Cyber-Physical Systems

Framework for Inter-Model Analysis of Cyber-Physical Systems

Ivan Ruchkin

With Dionisio De Niz, Sagar Chaki, David Garlan

Carnegie Mellon University, Pittsburgh, PA, USA

The Summer School on Cyber-Physical Systems, Grenoble, France, July 2014

Page 2: CPS engineering

[Diagram: several models and several analyses, with a question mark where the relationships between them should be]

Page 3: Problem

● Engineers' models may be inconsistent
– Modeling errors and system failures

● Model-based reasoning may be flawed
– Unsound results and system failures

Page 4: Example: real-time scheduling

● Model & analysis 1: Thread-to-CPU assignment
– Goal: assign each thread to a CPU & check schedulability
– Inputs: threads, CPUs (as abstract execution units), WCETs, periods, deadlines

● Model & analysis 2: CPU frequency scaling
– Goal: minimize CPU frequency to reduce energy losses
– Inputs: assignment of threads to CPUs, CPU frequency

● Issue: Frequency scaling implicitly assumes that the scheduling policy is deadline monotonic!

Page 5: Simple solutions

● Apply frequency scaling anyway
– Unsound: frequency scaling may not preserve schedulability

● Use labels (“DMS”) to synchronize analyses
– Too limiting: excludes frequency scaling for some cases

Page 6: Our solution: analysis contracts

1. Set up verification domains

2. Specify contracts for analyses

3. Determine the order of analyses

4. Verify the contract when each analysis is used

Page 7: Step 1: verification domain

Contains:

– Atom sets (ℤ, threads, policies)

– Static (period, deadline) & dynamic functions (preemption)

– Execution semantics (Kripke structure) & interpretation

[Diagram: models and analyses sharing one verification domain]

Page 8: Step 2: contract specification

● Analysis contract contains:
– I – atoms and static functions that are read
– O – atoms and static functions that are output
– A – set of assumptions
– G – set of guarantees

● Language of A & G: φ ⇒ ψ; φ ∈ FOL, ψ ∈ LTL.

● Example for frequency scaling analysis:
– I = {threads, CPUs, CPUBind, Dline}, O = {CPUFreq},
– A = { ∀ t1, t2 : threads | t1 ≠ t2 ∧ CPUBind(t1) = CPUBind(t2) : □ (CanPrmpt(t1, t2) ⇒ Dline(t1) ≤ Dline(t2)) }, G = { }.

Page 9: Step 3: analysis sequencing

● I/O dependencies form a directed graph
– If acyclic: analyses are orderable
– If cyclic: the cycle needs to be broken

● For the example, frequency scaling depends on thread-to-CPU assignment

Page 10: Step 4: contract verification

● Given: system model, contract formula φ ⇒ ψ
● SMT solver finds solutions for φ
● Model checking a behavioral model for ψ
– Promela program implements the execution semantics

● For the example:
– ∀ t1, t2 : threads | t1 ≠ t2 ∧ CPUBind(t1) = CPUBind(t2) : □ (CanPrmpt(t1, t2) ⇒ Dline(t1) ≤ Dline(t2))
– SMT for ∀ t1, t2 : threads | t1 ≠ t2 ∧ CPUBind(t1) = CPUBind(t2)
– Spin verifies □ (CanPrmpt(t1, t2) ⇒ Dline(t1) ≤ Dline(t2))
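The following is an added example, not the authors' framework or code, that walks the scheduling example of page 4 through the four steps of pages 6 to 10: a verification domain of thread atoms with their static functions, two analyses with (I, O, A) contracts, sequencing from the I/O sets, and verification of the frequency-scaling assumption before that analysis runs. It assumes fixed-priority preemptive scheduling on each CPU (so CanPrmpt is witnessed as one job preempting another), replaces the Promela/Spin model check of the □ part with a discrete-time simulation of one hyperperiod, and stands in a deadline-monotonic utilization bound for whatever schedulability test the real frequency-scaling analysis uses. The thread set, the first-fit assignment, the frequency grid and every name in the code (Thread, Contract, simulate, assign_threads, scale_frequency, dm_assumption, order_analyses, run_analyses) are constructed for this illustration.

```python
# Added illustration of the four-step analysis-contract workflow; not the authors' framework. Assumed:
# fixed-priority preemptive scheduling per CPU, the temporal part of A checked on a discrete-time
# simulation of the hyperperiod (not Spin/Promela), and a DM utilization bound as the scaling test.
from collections import namedtuple
from math import lcm

# Verification domain: thread atoms + static functions (Prio: higher preempts lower on the same CPU).
Thread = namedtuple("Thread", "name wcet period deadline prio")
Contract = namedtuple("Contract", "name inputs outputs assumption run")  # (I, O, A, analysis); G empty

class ContractViolation(Exception):
    """Raised in step 4 when an analysis's assumption A does not hold on the model."""

def simulate(threads, freq=1.0):
    """Execution semantics of one CPU: fixed-priority preemptive schedule over the hyperperiod at
    relative frequency freq. Returns (deadline misses, {(preemptor, preempted)})."""
    hyper = lcm(*(t.period for t in threads))
    left, abs_dl = {t.name: 0.0 for t in threads}, {t.name: 0 for t in threads}
    misses, preemptions, running = set(), set(), None
    for now in range(hyper):
        busy = running if running and left[running] > 0 else None   # job unfinished from last slot
        for t in threads:
            if now % t.period == 0:                                  # job release
                left[t.name], abs_dl[t.name] = t.wcet / freq, now + t.deadline
        top = max((t for t in threads if left[t.name] > 0), key=lambda t: t.prio, default=None)
        running = top.name if top else None
        if running:
            if busy and busy != running:
                preemptions.add((running, busy))                     # CanPrmpt(running, busy) observed
            left[running] = max(0.0, left[running] - 1.0)
        misses |= {(t.name, abs_dl[t.name]) for t in threads
                   if left[t.name] > 0 and now + 1 >= abs_dl[t.name]}
    return misses, preemptions

def on_cpu(model, c):
    return [t for t in model["threads"] if model.get("CPUBind", {}).get(t.name) == c]

def assign_threads(model):
    """Analysis 1: first-fit assignment; a CPU is accepted only if its simulated schedule meets
    every deadline. Output: CPUBind."""
    model["CPUBind"] = {}
    for t in sorted(model["threads"], key=lambda t: -t.wcet / t.period):
        for c in model["CPUs"]:
            model["CPUBind"][t.name] = c
            if not simulate(on_cpu(model, c))[0]:
                break
            del model["CPUBind"][t.name]
        if t.name not in model["CPUBind"]:
            raise RuntimeError(f"{t.name} fits on no CPU")

def scale_frequency(model):
    """Analysis 2: lowest grid frequency per CPU passing the deadline-monotonic bound sum(C/f/D) <=
    n(2^(1/n)-1), valid only if higher priority implies shorter-or-equal deadline (the contract's A)."""
    grid = [f / 10 for f in range(10, 2, -1)]                        # 1.0 down to 0.3
    model["CPUFreq"] = {}
    for c in model["CPUs"]:
        ts = on_cpu(model, c)
        bound = len(ts) * (2 ** (1 / len(ts)) - 1) if ts else 1.0   # idle CPU: anything passes
        passing = [f for f in grid if sum(t.wcet / f / t.deadline for t in ts) <= bound]
        model["CPUFreq"][c] = min(passing, default=1.0)              # nothing certified: stay nominal

def dm_assumption(model):
    """A of the scaling contract: forall t1 != t2, CPUBind(t1) = CPUBind(t2): always (CanPrmpt(t1, t2)
    => Dline(t1) <= Dline(t2)). Pairs per CPU are the FOL part; the LTL part is checked per preemption."""
    dl = {t.name: t.deadline for t in model["threads"]}
    return all(dl[t1] <= dl[t2]
               for c in model["CPUs"] for t1, t2 in simulate(on_cpu(model, c))[1])

def order_analyses(contracts):
    """Step 3: topological order of the I/O dependency graph; a cycle is rejected."""
    deps = {a.name: {b.name for b in contracts if b is not a and a.inputs & b.outputs} for a in contracts}
    order = []
    while deps:
        ready = sorted(n for n, d in deps.items() if not d - set(order))
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(deps)}")
        order += ready
        deps = {n: d for n, d in deps.items() if n not in ready}
    return order

def run_analyses(model, contracts):
    """Steps 3-4: run analyses in dependency order, verifying each A on the model first."""
    order = order_analyses(contracts)
    for c in sorted(contracts, key=lambda c: order.index(c.name)):
        if c.assumption is not None and not c.assumption(model):
            raise ContractViolation(f"assumption of {c.name} does not hold on this model")
        c.run(model)
    return model

def example_model(deadline_monotonic=True):   # constructed two-thread model, DM or inverted priorities
    t1 = Thread("t1", wcet=2, period=9, deadline=9, prio=1 if deadline_monotonic else 2)
    t2 = Thread("t2", wcet=3, period=8, deadline=6, prio=2 if deadline_monotonic else 1)
    return {"CPUs": ["cpu0", "cpu1"], "threads": [t1, t2]}

CONTRACTS = [  # listed out of order on purpose: the sequence comes from the I/O sets, not the list
    Contract("freq_scaling", frozenset({"threads", "CPUs", "CPUBind", "Dline"}),
             frozenset({"CPUFreq"}), dm_assumption, scale_frequency),
    Contract("assignment", frozenset({"threads", "CPUs", "WCET", "Period", "Dline"}),
             frozenset({"CPUBind"}), None, assign_threads),
]
```

Calling run_analyses(example_model(True), CONTRACTS) orders the assignment analysis before frequency scaling from the I/O sets alone, puts both threads on cpu0, verifies the deadline-monotonic assumption on the simulated schedule (the only preemption seen is t2 over t1, and Dline(t2) ≤ Dline(t1)), and scales cpu0 down to 0.9. With the priorities inverted (example_model(False)) the same thread set is still schedulable, but t1 now preempts t2 with Dline(t1) > Dline(t2), so step 4 raises ContractViolation and frequency scaling is never applied; that is the unsound case of page 5, caught by the contract rather than by a "DMS" label. The simulation only witnesses preemptions that occur within one hyperperiod, which is weaker than Spin's exhaustive check over the execution semantics.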

Page 11: Intra-model analysis framework

Page 12: Summary

● Analysis contracts:
– Integrate reasoning from different models
– Describe verification domains, specify contracts, find ordering, verify contracts
– Implemented in a customizable framework

● Future work:
– How do model structures affect verification domains?
– What modeling aspects should be “contractified”?

Page 13: References

● I. Ruchkin, D. De Niz, S. Chaki, and D. Garlan. Contract-Based Integration of Cyber-Physical Analyses. To appear in EMSOFT 2014.

● A. Rajhans, A. Bhave, I. Ruchkin, B. Krogh, D. Garlan, A. Platzer, and B. Schmerl. Supporting Heterogeneity in Cyber-Physical Systems Architectures. To appear in IEEE Transactions on Automatic Control.