Mälardalen University Press Licentiate Theses No. 185 ...756834/FULLTEXT02.pdf · regular...


Mälardalen University Press Licentiate Theses No. 185

FORMAL VERIFICATION OF ADAPTIVE REAL-TIME SYSTEMS BY EXTENDING TASK AUTOMATA

Leo Hatvani

2014

School of Innovation, Design and Engineering


Copyright © Leo Hatvani, 2014
ISBN 978-91-7485-172-4
ISSN 1651-9256
Printed by Arkitektkopia, Västerås, Sweden

Abstract

Recently, we have seen an increase in the deployment of safety-critical embedded systems in rapidly changing environments, as well as a need for on-site customizations and rapid adaptation. To address the extended range of requirements, adaptation mechanisms are added to the systems to handle a large number of situations appropriately. Although necessary, adaptations can cause inconsistent and unstable configurations that must be prevented for the embedded system to remain dependable and safe. Therefore, verifying the behavior of adaptive embedded systems during the design phase of the production process is highly desirable.

A hard real-time embedded system and its environment can be modeled using timed automata. Such a model can describe the system at various levels of abstraction. In this thesis, we model the adaptive responses of a system in terms of tasks that are executed to handle changes in the environmental or internal parameters.

Schedulability, the property that all tasks complete execution within their respective deadlines, is a key element in designing hard real-time embedded systems. A system that is unschedulable immediately compromises safety and hard real-time requirements and can cause fatal failure. Given specifications of all tasks in the system, we can model the system, an abstraction of the environment, and adaptive strategies to investigate whether the system retains safety properties, including schedulability, regardless of the changes in the environment and adaptations to those changes.


To my parents.


Acknowledgments

First of all, I would like to thank my supervisors, Paul Pettersson and Cristina Seceleanu, without whom this thesis would not be possible. Their encouragement through the tough times and continuous guidance were essential to its success.

My parents, Gabor and Ljiljana, have provided me with vital support over the past few years. Although we were separated by more than 1700 km, the regular videochat sessions were something that I could always count on. Their words of reassurance and new perspectives were there whenever I needed them.

Finally, I would like to thank all¹ my friends and colleagues, for the infinite supply of new insights, extraordinary conversations, and great times.

Leo Hatvani
Västerås, November, 2014

¹ See Figure 1 for a sampling of the individual names.


Figure 1: a word-search puzzle (created with Word Search Creator, WordSearchCreator.org) containing the names ABHILASH, ADNAN, AIDA, ALESSIO, ANA, ANNA, ANTONIO, BATU, BOB, BRANKA, DAG, DAMIR, EDUARD, ELENA, FEDERICO, GABRIEL, GIACOMO, GORDANA, HANG, HANS, HUSEYIN, IRFAN, IVAN, IVICA, JAGADISH, JAN, JOSIP, JURAJ, KIVANC, LANA, LUKA, MALIN, MEHRDAD, MENG, MIKAEL, MOHAMMAD, MORIS, NESREDIN, NIKOLA, NIMA, PER, PREDRAG, RAFIA, RALUCA, SAAD, SARA, SEVERINE, SIMIN, SOFIA, SUSANNE, SVETLANA, TEODORA, TIBERIU, WASIF, YUE, ZDRAVKO, THOMAS, GUNNAR, GUILLERMO, and MATTHIAS.

List of Publications

Papers Included in the Licentiate Thesis²

Paper A: Adaptive Task Automata: A Framework for Verifying Adaptive Embedded Systems. Leo Hatvani, Paul Pettersson, and Cristina Seceleanu. In Proceedings of the 15th International Conference on Fundamental Approaches to Software Engineering (FASE), ETAPS 2012, volume 7212 of Lecture Notes in Computer Science, pages 115–129. Springer Berlin Heidelberg, 2012. [20]

Paper B: Modeling and Analysis of Adaptive Embedded Systems using Adaptive Task Automata. Leo Hatvani, Cristina Seceleanu, and Paul Pettersson. ACM SIGBED Review, Special Issue on the 4th Workshop on Adaptive and Reconfigurable Embedded Systems (APRES 2012), 10(1):43–47, February 2013. [21]

Paper C: Adaptive Task Automata with Earliest-Deadline-First Scheduling. Leo Hatvani, Alexandre David, Cristina Seceleanu, and Paul Pettersson. In Proceedings of the 14th International Workshop on Automated Verification of Critical Systems (AVoCS 2014), Electronic Communications of the EASST, 70, 2014. Submitted for publication. [18]

Paper D: Adaptive Task Automata with Earliest-Deadline-First Scheduling (full paper). Leo Hatvani, Alexandre David, Cristina Seceleanu, and Paul Pettersson. Technical Report ISSN 1404-3041 ISRN MDH-MRTC-287/2014-1-SE, Mälardalen Real-Time Research Centre, Mälardalen University, August 2014. [19]

² The included articles have been reformatted to comply with the licentiate layout.


Contents

I Thesis . . . 1

1 Introduction . . . 3
1.1 Background . . . 5
1.1.1 Adaptive Real-Time Embedded Systems . . . 5
1.1.2 Model-checking Real-time Systems . . . 6
1.1.3 Schedulability Analysis . . . 7
1.2 Thesis Outline . . . 10

2 Research Problems . . . 11
2.1 Problem Description . . . 11
2.2 Research Goals . . . 11

3 Research Results . . . 13
3.1 Adaptive Task Automata . . . 13
3.2 Model-checking ATA with Static-Priority Scheduling . . . 14
3.3 Model-checking ATA with Dynamic-Priority Scheduling . . . 15
3.4 Contribution of Included Papers . . . 16
3.4.1 Paper A . . . 17
3.4.2 Paper B . . . 17
3.4.3 Paper C . . . 18
3.4.4 Paper D . . . 18

4 Research Method . . . 19

5 Related Work . . . 23
5.1 Modeling and Verification of High-level Abstractions of Adaptive Embedded Systems . . . 23
5.2 Analytic Approaches . . . 24


5.3 Related Verification Approaches . . . 25

6 Conclusions . . . 27
6.1 Summary and Conclusions . . . 27
6.2 Future Work . . . 28

Bibliography . . . 29

II Included Papers . . . 35

7 Paper A: Adaptive Task Automata: A Framework for Verifying Adaptive Embedded Systems . . . 37
7.1 Introduction . . . 39
7.2 Preliminaries: Task Automata . . . 41
7.3 Adaptive Task Automata . . . 43
7.4 Encoding of the Adaptive Task Automata . . . 45
7.4.1 Encoding the Predicate sched() . . . 47
7.4.2 Encoding the Fixed Priority Scheduler . . . 48
7.4.3 Variable Bounding . . . 51
7.5 Examples . . . 52
7.5.1 Admission Control - A Synthetic Example . . . 52
7.5.2 Smartphone Task Management Example . . . 53
7.6 Conclusion . . . 54
Bibliography . . . 57

8 Paper B: Modeling and Analysis of Adaptive Embedded Systems using Adaptive Task Automata . . . 59
8.1 Introduction . . . 61
8.2 Overview of Task Automata . . . 61
8.3 Adaptive Task Automata . . . 63
8.4 Example . . . 65
8.4.1 Robot Teleoperation . . . 65
8.4.2 Scalability of the Approach . . . 68
8.5 Related Work . . . 68
8.6 Ongoing and Future Work . . . 69
Bibliography . . . 71

9 Paper C: Adaptive Task Automata with Earliest-Deadline-First Scheduling . . . 75
9.1 Introduction . . . 77
9.2 Adaptive Task Automata . . . 77
9.2.1 Introductory Example . . . 78
9.2.2 Overview of the Existing Framework . . . 79
9.3 Encoding of ATAEDF . . . 80
9.3.1 Timed Automata with Updates . . . 81
9.3.2 Earliest-Deadline-First Scheduling Policy . . . 82
9.3.3 Task Releases . . . 82
9.3.4 Schedulability Predicates . . . 83
9.3.5 Scheduler and Queue . . . 84
9.4 Decidability . . . 88
9.4.1 Decidability of Timed Automata with Updates . . . 88
9.4.2 Model Bisimulation . . . 89
9.5 Related Work . . . 90
9.6 Conclusion . . . 91
Bibliography . . . 93

10 Paper D: Adaptive Task Automata with Earliest-Deadline-First Scheduling (full paper) . . . 97
10.1 Introduction . . . 99
10.2 Adaptive Task Automata . . . 99
10.2.1 Introductory Example . . . 100
10.2.2 Overview of the Existing Framework . . . 101
10.3 Encoding of ATAEDF . . . 102
10.3.1 Timed Automata with Updates . . . 103
10.3.2 Earliest-Deadline-First Scheduling Policy . . . 104
10.3.3 Task Releases . . . 104
10.3.4 Schedulability Predicates . . . 105
10.3.5 Scheduler and Queue . . . 106
10.4 Decidability . . . 110
10.4.1 Decidability of Timed Automata with Updates . . . 110
10.4.2 Model Bisimulation . . . 114
10.5 Related Work . . . 119
10.6 Conclusion . . . 120
Bibliography . . . 123


I Thesis


Chapter 1

Introduction

Starting a modern car does not only turn on the engine, but also an array of computers. They monitor the status of the car and take an active role in the driving experience by increasing safety, regulating fuel consumption, and performing a large number of smaller functions that improve the driving experience.

Like cars, the functioning of many modern devices is regulated by built-in computers, sometimes running entire operating systems. Such computers are built specifically for this purpose, which classifies them as embedded systems. They are also often built based on strict requirements regarding how much time can pass between an input event and the response to that event, thus making them real-time systems.

Due to the progress of technology and the demand for an increased number of functions, we encounter real-time embedded systems in many areas of our life: in toys, home appliances, medical and industrial equipment, and vehicles that travel underwater, on land, in the air, in space, and on other planets. The computer systems built into these devices share the same challenges: they have to be reliable, respond in a timely manner, and are not easily updatable or replaceable. Since we started building embedded systems, we have been creating methods to ensure their reliability and conformity to their specifications.

Many machines containing real-time embedded systems are deployed in highly dynamic ecosystems where the environment can change suddenly and the system has to handle the change or otherwise risk failure with serious consequences. One can try to make more robust systems, but, due to technological (e.g. limited battery charge) and financial constraints, this can be impractical. Because of this, researchers have started considering the deployment of adaptive real-time embedded systems. Such systems have different modes of functioning and switch between them based on changes in their environment or internal parameters.

Ensuring that all the requirements are met for a typical embedded system is already complex, and adaptivity makes it even more so. To handle this added complexity, we can utilize formal analysis techniques. These are a set of mathematically based techniques applied to abstract models of system behavior, which facilitate answering various questions with respect to system correctness and reliability. Formal analysis enables designers to completely explore all possible states of the entire system and ensure their correctness. Usually, the system designer creates a model of the system and environment and uses some form of formal analysis to verify that they satisfy all the requirements.

To illustrate this, let us consider a simplified adaptive embedded system. If we were to design a battery-powered robotic arm, the following requirements might arise:

1. The actuators should respond in less than X ms to the control input.

2. Feedback from the sensors should be presented to the user within Y ms.

3. The arm should enter a power saving mode when the battery is low.

4. The microcontrollers should reduce their frequency when there is a risk of overheating.

5. The movement functionality of the arm is prioritized over the feedback.

If we were to test a system against these individual specifications, we might miss the combination of high temperatures and power saving, for instance. In such situations, formal analysis can be considered as an alternative verification method. A correct model of the environment should allow the low battery and the high temperature to coincide, so that formal analysis would explore that case as well.

In this thesis, we propose a formal framework for modeling, simulation, and verification of adaptive embedded systems and their environments. By verifying the concordance of a model to its specification, we can ensure its correctness to a high degree.

The above example may be too simple to serve as a motivating argument for our work, yet with proper methods we can model complex systems and discover rare, yet possible, situations where the system would fail due to a combination of different factors.

1.1 Background 5

1.1 BackgroundOur work relies mostly on research results in three specific topics. The firstis adaptive embedded systems. This area studies the effects of adaptivity onfunctional and extra-functional properties of embedded systems. The second ismodel checking. To model-check a system implies creation of an abstraction(model) of the system and then applying some approach to check if the systembehaves as expected. And the third is schedulability analysis. Given a set oftasks and restrictions, schedulability analysis answers whether the tasks canbe completed under the given restrictions. In the following three sections, wepresent these areas in more detail.

1.1.1 Adaptive Real-Time Embedded Systems

Embedded systems are microprocessor based systems that control a specificfunction or a predefined set of functions [22]. In contrast, general purposesystems are made to enable simple transitions between functions as well asadding new functionality, e.g. by installing additional software that tends toinvolve heavier resource usage than in most embedded cases.

On the other hand, a real-time system is any system where the correctbehavior is defined by the (logical) correctness of the system outputs as wellas their timeliness [24]. Such systems can be classified as hard real-time orsoft real-time. In hard real-time systems, providing the output outside of thepredefined time-window would result in severe consequences, and so it is notacceptable. For soft real-time systems, output outside of the specified time willhave lower value, but can be still considered usable.

A classical example of a hard real-time embedded system is the air-bagsystem commonly found in modern vehicles. The system consists of threecomponents, a sensor that detects the vehicle crash, an actuator that inflates theair-bag and another one that deflates it. The system has to inflate the air-bag inthe precisely calculated moment before the driver collides with the dashboard.Moments later, the air-bag needs to be deflated to avoid the possibility ofdepriving the driver of air. As the precise timing behavior is critical to the lifeof the driver, this system is considered a safety-critical hard real-time embeddedsystem.

Since the embedded systems are, by design, tailored to perform certainfunctions with as little maintenance as possible, they have to have a largedegree of independence [24]. In many cases this can be achieved by designingthe embedded system to be as robust as possible and to foresee all probable

Page 19: Mälardalen University Press Licentiate Theses No. 185 ...756834/FULLTEXT02.pdf · regular videochat sessions were something that I could always count on. Their words of reassurance

4 Chapter 1. Introduction

impractical. Because of this, researchers have started considering the deployment of adaptive real-time embedded systems. Such systems have different modes of operation and switch between them based on changes in their environment or in their internal parameters.

Ensuring that all requirements are met is already complex for a typical embedded system, and adaptivity makes it even more so. To handle this added complexity, we can use formal analysis techniques: a set of mathematically based techniques, applied to abstract models of system behavior, that help answer questions about system correctness and reliability. Formal analysis lets designers explore all possible states of the entire system and check their correctness. Usually, the system designer creates a model of the system and its environment and uses some form of formal analysis to verify that the model satisfies all the requirements.

To illustrate this, let us consider a simplified adaptive embedded system. If we were to design a battery-powered robotic arm, the following requirements might arise:

1. The actuators should respond to a control input in less than X ms.

2. Feedback from the sensors should be presented to the user within Y ms.

3. The arm should enter a power-saving mode when the battery is low.

4. The microcontrollers should reduce their clock frequency when there is a risk of overheating.

5. The movement functionality of the arm is prioritized over the feedback.

If we were to test the system against these individual specifications, we might miss, for instance, the combination of high temperature and power saving. In such situations, formal analysis can be considered as an alternative verification method: a correct model of the environment must allow low battery and high temperature to coincide, so formal analysis would explore that case as well.

In this thesis, we propose a formal framework for modeling, simulation, and verification of adaptive embedded systems and their environments. By verifying that a model conforms to its specification, we can ensure its correctness to a high degree.

The above example may be too simple to serve as a motivating argument for our work, yet with proper methods we can model complex systems and discover rare, yet possible, situations in which the system would fail due to a combination of different factors.


1.1 Background

Our work relies mostly on research results in three specific topics. The first is adaptive embedded systems. This area studies the effects of adaptivity on the functional and extra-functional properties of embedded systems. The second is model checking: to model-check a system means to create an abstraction (a model) of the system and then apply some approach to check whether the model behaves as expected. The third is schedulability analysis: given a set of tasks and restrictions, schedulability analysis answers whether the tasks can be completed under the given restrictions. In the following three sections, we present these areas in more detail.

1.1.1 Adaptive Real-Time Embedded Systems

Embedded systems are microprocessor-based systems that control a specific function or a predefined set of functions [22]. In contrast, general-purpose systems are made to enable simple transitions between functions as well as the addition of new functionality, e.g. by installing additional software, which tends to involve heavier resource usage than in most embedded cases.

A real-time system, on the other hand, is any system whose correct behavior is defined by the (logical) correctness of its outputs as well as by their timeliness [24]. Such systems can be classified as hard real-time or soft real-time. In a hard real-time system, producing an output outside the predefined time window would have severe consequences and is therefore not acceptable. In a soft real-time system, an output produced outside the specified time has lower value, but can still be considered usable.

A classical example of a hard real-time embedded system is the airbag system commonly found in modern vehicles. The system consists of three components: a sensor that detects the crash, an actuator that inflates the airbag, and another that deflates it. The system has to inflate the airbag at a precisely calculated moment before the driver collides with the dashboard. Moments later, the airbag needs to be deflated to avoid depriving the driver of air. Since precise timing is critical to the life of the driver, this system is considered a safety-critical hard real-time embedded system.

Since embedded systems are, by design, tailored to perform certain functions with as little maintenance as possible, they need a large degree of independence [24]. In many cases this can be achieved by designing the embedded system to be as robust as possible and to foresee all probable fluctuations in the environment within a single design. However, due to technological or production cost constraints, it is often not possible to achieve this level of robustness. In that case, designing an adaptive real-time embedded system (AES) can be used as a solution.

An AES is designed with a set of features that can be modified to accommodate possible changes in the environment. The system may be designed with multiple goals in mind, such as optimal performance or low power consumption, between which a trade-off has to be made. In addition, the effect of the changes on the system has to be considered and accounted for.

The characteristics of adaptation goals, mechanisms, and effects are sometimes called modeling dimensions. For a complete review of modeling dimensions, we refer the reader to Cheng et al. [10], who provide a general framework describing the modeling dimensions of self-adaptive systems that applies well to the design of adaptive embedded systems.

1.1.2 Model-checking Real-time Systems

Many techniques are used to ensure a system's correctness (that is, that it meets the specified requirements), the most widespread being system testing. However, testing can be done only after a prototype of the system has been developed, and it often requires a large amount of manual effort. The recent increase in available computing power has opened up opportunities for the application of theorem proving and exhaustive model checking.

By applying model-checking techniques to a model of a system, one can explore all possible system states and ensure that in every state reachable for a given environment, the model behaves as required. One of the main reasons this approach is still used less than testing is that the number of system states grows exponentially with the complexity of the system: modern model checkers can handle state spaces of about 10^9 states with explicit state-space enumeration [4]. Using symbolic representations of the state space and cleverer algorithms, this number can be raised to about 10^476 states for specific problems [4].

Model checking a real-time system requires a model of the system that can be verified against a set of requirement specifications. As shown in Figure 1.1, this model describes the possible behaviors of the system, which are compared to the formalized requirement specifications. For a given model and each requirement specification, the verifier outputs either a confirmation that the requirement is satisfied or a counterexample proving otherwise.


Figure 1.1: An overview of the model-checking process [4]. [Figure: the real system is turned into a model of the system (possible behaviors) by modeling, and the requirements into a requirement specification (desired behaviors) by formalizing; both feed the verifier, which either answers "Yes" (check the next requirement, done when none remain) or produces a counterexample that is used to modify the model.]

The counterexample can be used to refine the model and resolve the discovered conflicts. After the model has been refined, the process starts again from the beginning. Once the model satisfies all requirement specifications, it can be used as a basis for the development or generation of the real system.

The greatest limit to model checking tends to be not the verification tool but the fact that the model is not an accurate representation of the system. A proof over the model covers only the behavior the model captures; anything abstracted away, such as the execution-time assumptions behind each task's WCET, remains an assumption that has to be validated separately. Thus there is a constant search for more user-friendly and semantically understandable modeling frameworks.

1.1.3 Schedulability Analysis

In the context of this thesis, a task is a computation that is executed sequentially on a CPU. Every task is characterized by its worst-case execution time (WCET), denoted by C, a relative deadline, denoted by D, and, if required by the scheduling algorithm, a priority, denoted by P.

Another parameter that commonly characterizes tasks is the minimum inter-arrival time, denoted by T, which is the shortest amount of time between two consecutive releases of the same task. In the context of this thesis, this is replaced by task automata models that specify when the tasks can be released.

While alternative forms of computation exist, in this thesis we are looking at the sequential execution of multiple tasks on a single CPU. To enable this, the operating system uses the concept of a ready queue, a sequence of tasks that will be executed on the CPU one after another [9]. The algorithm that defines how tasks are ordered in the ready queue is the scheduling algorithm, which implements a scheduling policy.

Within this thesis, we consider two specific scheduling policies: fixed-priority scheduling (FPS) and earliest-deadline-first (EDF) scheduling.

The FPS policy requires that task priorities are defined before the system executes, and they remain constant during execution. The ready queue is ordered so that the currently executing task has the highest priority among the tasks in the queue.

Under the EDF policy, priorities are determined at runtime such that the task in the ready queue that is closest to its deadline is the one currently executing. EDF is a dynamic-priority scheduling policy, since we do not know the relative ordering of tasks in the ready queue before the system executes.

Tasks in the ready queue can be in one of the following states: ready, meaning the task is waiting for execution on the CPU; running, meaning the task is currently executing on the CPU; or preempted, meaning a task of higher priority was selected for execution on the CPU, so the current task is waiting to resume. After a task has executed on the CPU for C time units before its deadline expires, it is considered finished, since that amount of execution accounts for even the worst case. If all tasks in the queue can complete their execution before their deadlines, we say that the queue is schedulable by the assumed scheduling policy. Verifying that all tasks complete by their deadlines is called schedulability analysis.
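The robotic-arm requirements from the introduction, the model-checking loop of Figure 1.1, and the FPS/EDF schedulability check just described can be put together in a few dozen lines. The following is an added example written for this page, not code from the thesis or from the TIMES tool: the task set, the work-unit model of thermal throttling, the rule that the power-manager task is released only while the battery is low, and the assumption that each environment variable may change at every tick are all constructed for illustration.

```python
"""Exhaustive schedulability check of a tiny adaptive task set.

Constructed example (not from the thesis): it follows the robotic-arm sketch
in the introduction.  "move" is always prioritised over the feedback task
"fb", the power-manager task "psave" is released only while the battery is
low, and a hot CPU is throttled to half speed.  Both environment variables
may change at every tick, so instead of simulating one scenario explore()
enumerates every reachable (time, ready queue) state, the way an
explicit-state model checker does, and returns the first deadline miss
together with the environment trace that leads to it.
"""
from collections import deque

HYPER = 8  # hyperperiod of the periodic releases below

# C in work units (the CPU does 2 units per tick at full speed, 1 when hot),
# D and T in ticks, P = fixed priority (0 = highest).
TASKS = {
    "move":  {"C": 2, "D": 4, "T": 4, "P": 0},  # actuator control
    "psave": {"C": 2, "D": 4, "T": 8, "P": 1},  # power manager, battery low only
    "fb":    {"C": 4, "D": 8, "T": 8, "P": 2},  # sensor feedback to the user
}


def released(phase, low):
    """Jobs released at this tick as (task, remaining work, ticks to deadline)."""
    return [(n, t["C"], t["D"]) for n, t in TASKS.items()
            if phase % t["T"] == 0 and (n != "psave" or low)]


def pick(jobs, policy):
    """Index of the job that runs: lowest P under FPS, nearest deadline under EDF."""
    if policy == "FPS":
        return min(range(len(jobs)), key=lambda i: TASKS[jobs[i][0]]["P"])
    # EDF, ties broken by the fixed priority
    return min(range(len(jobs)), key=lambda i: (jobs[i][2], TASKS[jobs[i][0]]["P"]))


def tick(state, hot, low, policy):
    """Advance one tick.  Returns (next_state, running_task, missed_task)."""
    phase, jobs = state
    jobs = list(jobs) + released(phase, low)
    running = None
    if jobs:
        i = pick(jobs, policy)
        name, rem, dl = jobs[i]
        running = name
        speed = 1 if hot else 2                  # thermal throttling
        jobs[i] = (name, max(0, rem - speed), dl)
    nxt = []
    for name, rem, dl in jobs:
        if rem == 0:
            continue                             # completed in time
        if dl == 1:
            return None, running, name           # deadline reached, work left
        nxt.append((name, rem, dl - 1))
    return ((phase + 1) % HYPER, tuple(sorted(nxt))), running, None


def explore(env, policy="FPS"):
    """Breadth-first search over every environment choice allowed by env.

    env maps "hot" and "low" to the values each may take at any tick, e.g.
    {"hot": (False, True), "low": (False,)} lets the CPU overheat at any
    time but keeps the battery charged.  Returns None when no deadline miss
    is reachable, otherwise the missed task, the miss time and the per-tick
    (hot, low, running) trace, i.e. the counterexample of Figure 1.1.
    """
    start = (0, ())
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for hot in env["hot"]:
            for low in env["low"]:
                nxt, running, missed = tick(state, hot, low, policy)
                if missed:
                    trace = [(hot, low, running)]
                    s = state
                    while parent[s]:
                        s, choice = parent[s]
                        trace.append(choice)
                    trace.reverse()
                    return {"task": missed, "time": len(trace), "trace": trace}
                if nxt not in parent:
                    parent[nxt] = (state, (hot, low, running))
                    queue.append(nxt)
    return None


if __name__ == "__main__":
    for name, env in [("hot only", {"hot": (False, True), "low": (False,)}),
                      ("low battery only", {"hot": (False,), "low": (False, True)}),
                      ("both", {"hot": (False, True), "low": (False, True)})]:
        for policy in ("FPS", "EDF"):
            print(name, policy, explore(env, policy))
```

Passing a single-value tuple for both variables turns explore() into a plain simulation of one scenario, which is what a test run does; the two-value tuples are what make the search exhaustive. The hot-only and the low-battery-only environments verify clean under either policy, so neither single-condition test would reveal anything, while the combined environment yields an 8-tick counterexample in which the battery is low at the first tick and the CPU is throttled long enough that fb still has work left at its deadline.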

Generally, real-time tasks are divided into three types: hard, firm, and soft. A hard real-time task has to complete before its deadline, or otherwise causes catastrophic consequences. A firm real-time task is one that does not damage the system by missing its deadline, but whose computed output then has no value. A soft real-time task is one for which the computed output is still valuable even if it is produced after the deadline has expired, with its usefulness decreasing with tardiness [9]. In this work, all tasks are considered hard real-time tasks.

Tasks can also be distinguished based on their periodicity: they can be periodic, aperiodic, or sporadic. Periodic tasks are released into the queue indefinitely at regular intervals, as shown in Figure 1.2(a). Aperiodic tasks, shown in Figure 1.2(b), are also released indefinitely, but we do not know their arrival times in advance. A variant of aperiodic tasks are sporadic tasks. While we do not know the exact arrival pattern of a sporadic task, we know the minimum interval between two consecutive releases of the task [9].

Figure 1.2: Task periodicity: (a) periodic, (b) aperiodic, and (c) task pattern. [Figure: three release timelines over time 0 to 15; in (c) the task is released at times 2, 3, 5, 7, 11 and 13.]

Figure 1.3: A task automaton for the task release pattern in Figure 1.2(c). [Figure: an initial location with invariant x ≤ 2 followed, in a cycle, by six locations that each release t1 and carry the invariants x ≤ 3, x ≤ 5, x ≤ 7, x ≤ 11, x ≤ 13 and x ≤ 15; the edges into them carry the guards x ≥ 2, x ≥ 3, x ≥ 5, x ≥ 7, x ≥ 11 and x ≥ 13, and the edge back to the initial location carries the guard x ≥ 15 and the reset x := 0.]

In this thesis we consider yet another type of task periodicity. Figure 1.2(c) shows a task that is not periodic, yet whose arrival pattern is exactly known: in this case, the task is released whenever the value of time is a prime number. These are tasks with a known task release pattern, and they can be modeled by task automata¹.

Schedulability Analysis with Timed Automata. Timed automata [3] are automata extended with continuous real-valued clocks. Properties of timed automata, such as location reachability and liveness, can be verified using the UPPAAL² model checker. The current location of a timed automaton together with the values of all its variables make up the state of the timed automaton. A state is said to be reachable if there exists a path from the initial state to the state in question. Liveness properties concern infinite sequences of transitions and specify properties such as "if action A occurs infinitely often, so does action B" [2].

¹ In order to model this specific task release pattern as a verifiable task automaton, the sequence of prime numbers would need to repeat itself at an arbitrary point.

² The UPPAAL model-checking tool can be found at http://www.uppaal.org/

Task automata [14] are an extension of timed automata designed for the modeling and verification of requirements related to task execution within a real-time embedded system. They have well-defined formal semantics, so that scheduling by model checking can be applied. The semantics of task automata are given in terms of timed transition systems.

Figure 1.3 shows an example of a task automaton. It consists of one initial location and six locations in which the task t1 is released. The variable x is a continuous real-valued clock that increases linearly and can be reset to an integer value. The locations are connected by edges.

Each location is annotated with an invariant that determines how much time the automaton can spend in that location. The edges are annotated with guards that determine when an edge can be traversed. In Figure 1.3, the invariant x ≤ 2 of the initial location and the guard x ≥ 2 of its outgoing edge together force the first release of t1 at exactly x = 2, and the same pairing of invariant and guard fixes every later release. Just before re-entering the initial location, on the edge with guard x ≥ 15, the clock x is reset.
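To make the invariant/guard/reset reading of Figure 1.3 concrete, here is the same automaton as an explicit-state model (an added example, not the thesis's own code or a TIMES model): the clock is taken to be integer-valued with unit delays, which loses nothing here because every invariant and guard meets at an integer; the location names l0 to l6 are assumptions; and the functions compute the release pattern, the period of the pattern, and freedom from deadlock the way a model checker would.

```python
"""The task automaton of Figure 1.3 as an explicit (location, clock) model.

Added example, not code from the thesis or the TIMES tool.  The clock x is
integer valued and delays are single time units; each location carries an
invariant x <= bound, each edge a guard x >= bound and optionally the reset
x := 0.  A location annotated with a task releases that task every time it
is entered.  reachable() enumerates the reachable states the way an
explicit-state model checker does; the other functions read properties off
that set: the release pattern of t1, the clock value at which the pattern
repeats, and freedom from deadlock (every reachable state can still delay
or take an edge).
"""
from collections import deque

# Invariant bound per location; l0 is the initial location and releases nothing.
INVARIANT = {"l0": 2, "l1": 3, "l2": 5, "l3": 7, "l4": 11, "l5": 13, "l6": 15}
RELEASES = {loc: "t1" for loc in ("l1", "l2", "l3", "l4", "l5", "l6")}
# Edges as (source, guard lower bound, reset clock?, target); the last one
# closes the cycle with x := 0, as in the figure.
EDGES = [("l0", 2, False, "l1"), ("l1", 3, False, "l2"), ("l2", 5, False, "l3"),
         ("l3", 7, False, "l4"), ("l4", 11, False, "l5"), ("l5", 13, False, "l6"),
         ("l6", 15, True, "l0")]


def successors(state):
    """Enabled moves from (location, x): a unit delay or a discrete edge."""
    loc, x = state
    moves = []
    if x + 1 <= INVARIANT[loc]:                 # the invariant bounds the delay
        moves.append(("delay", (loc, x + 1)))
    for src, guard, reset, dst in EDGES:
        if src == loc and x >= guard:           # the guard enables the edge
            moves.append((dst, (dst, 0 if reset else x)))
    return moves


def reachable(start=("l0", 0)):
    """All states reachable from start, mapped to (predecessor, move label)."""
    seen = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for label, nxt in successors(state):
            if nxt not in seen:
                seen[nxt] = (state, label)
                queue.append(nxt)
    return seen


def release_times(seen):
    """Clock values at which t1 is released: every edge into an annotated location."""
    times = set()
    for state in seen:
        for label, (loc, x) in successors(state):
            if label != "delay" and loc in RELEASES:
                times.add(x)
    return sorted(times)


def reset_times(seen):
    """Clock values at which an edge with x := 0 fires, i.e. where the pattern repeats."""
    return sorted({x for (loc, x) in seen
                   for src, guard, reset, _ in EDGES
                   if reset and src == loc and x >= guard})


def deadlock_free(seen):
    """True if every reachable state can still delay or take some edge."""
    return all(successors(state) for state in seen)


if __name__ == "__main__":
    seen = reachable()
    print(len(seen), "reachable states")
    print("t1 released at x =", release_times(seen))
    print("pattern repeats after x =", reset_times(seen))
    print("deadlock free:", deadlock_free(seen))
```

The reachable set has 22 states, t1 is released exactly at x = 2, 3, 5, 7, 11 and 13, the reset fires at x = 15, and no reachable state is stuck. The deadlock check is the one to watch when editing such a model: an invariant tighter than the guard of the only outgoing edge (say x ≤ 4 with guard x ≥ 5) leaves a state that can neither delay nor leave, and a model checker reports it as a deadlock rather than as a missing release.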

Properties regarding the schedulability of task automata can be verified using the Times Tool³.

1.2 Thesis Outline

The remainder of the thesis is organized into two parts:

Part I includes the first six chapters. Chapter 2 describes the research problem addressed in this thesis and introduces the individual research goals. Chapter 3 provides a brief overview of the research results and how they relate to the research goals. Chapter 4 presents a brief overview of the research method applied in this thesis. Chapter 5 positions the work presented in this thesis with respect to other relevant work in the field. Chapter 6 presents our general conclusions and possible future extensions.

Part II presents the technical contributions of the thesis in the form of four papers, organized in Chapters 7 to 10.

³ The Times Tool can be found at http://www.timestool.com/

Chapter 2

Research Problems

2.1 Problem Description

Although there have been significant advances in schedulability analysis for periodic and sporadic tasks in adaptive contexts [23, 26, 27], few works address the analysis of tasks that are neither truly periodic nor sporadic, but have a known release pattern that can be influenced by internal or external triggers reacting to changes in the environment. In a system that changes its task release patterns in response to environmental fluctuations, adaptivity can be of great benefit. The goal is to create a system that can gracefully handle exceptional changes in environmental factors while ensuring the highest quality of service in other situations.

2.2 Research Goals

To meet the above desideratum, we have defined the following research goal:

Goal. To provide a framework for the design of adaptive hard real-time embedded systems with non-uniformly recurring computation tasks.

As we have previously described, the need for adaptive hard real-time embedded systems has motivated us to develop a framework for designing adaptive, formally verifiable embedded systems. Since the goal above is still fairly abstract, we have further split it into three more concrete subgoals.

In order to be able to provide a framework for designing adaptive ES, we need an expressive model with well-defined semantics that would support describing adaptive behavior at an abstract level. This justifies the first subgoal given below:

Subgoal 1. Develop a formal model for adaptive hard real-time embedded systems in which the system adapts based on its state and the state of the environment, plus the schedulability of potentially released tasks.

The first subgoal establishes the basis for the next two subgoals, in that it results in a model that can be verified and formally examined. The next step is then concerned with proposing means of verifying the assumed model scheduled by a given fixed-priority scheduling policy (FPS), which gives rise to the second subgoal as follows:

Subgoal 2. Describe a way to formally verify the proposed model assuming static (task) priorities (e.g. FPS) w.r.t. schedulability, reachability and liveness properties.

In the second subgoal, we analyze the decidability (possibility to compute the truth value) of the verification of our newly created model. This subgoal is specific in that it analyzes only systems in which the relative task priorities are static and predicted before the verification of the system.

To also address dynamic scheduling policies, which are deemed optimal (meaning that all tasks that pass the specific schedulability test can be scheduled by the policy), we have formulated the third subgoal as follows:

Subgoal 3. Describe a way to formally verify the proposed model assuming dynamic (task) priorities (e.g. EDF) w.r.t. schedulability, reachability and liveness properties.

The last subgoal partially relaxes the restrictions of the previous subgoal in that we verify systems whose task priorities are dynamic during the verification, but remain consistent after the tasks are released into the system.

Chapter 3

Research Results

In this chapter we give an overview of our research results that address the subgoals presented in Section 2.2. The chapter is divided into four parts. First we present the modeling framework proposed in this thesis, called adaptive task automata (Section 3.1). Next, we present the model-checking specifics and results of verifying the two variants of ATA, with fixed-priority scheduling (Section 3.2) and dynamic-priority scheduling (Section 3.3).

3.1 Adaptive Task Automata

In this thesis we introduce adaptive task automata (ATA) for modeling adaptive hard real-time systems. ATA consist of task automata [14] extended with schedulability predicates.

Adding schedulability predicates to ATA makes it possible to model tasks whose release patterns depend on events of other tasks in the system, or to alter task release patterns based on the influence of potential task releases on already released tasks. This provides an effective approach to modeling adaptive hard real-time systems.

Here, we provide a brief overview of the ATA framework; for the full description of ATA, we refer the reader to Chapters 7 to 10.

In the adaptive task automata framework, we model task release patterns using timed automata, an extension of automata with continuous time variables called clocks [2, 3, 6].

[Figure 3.1 (diagram not reproduced): locations labelled t1, t2 and t′2; invariant x ≤ 3; guards x ≥ 3 ∧ sched(t1, t2) and x ≥ 3 ∧ ¬sched(t1, t2); resets x := 0; guard x ≥ 5; synchronization trigger?; annotation numbers (1) to (6).]

Figure 3.1: An example of an adaptive task automaton.

Let us introduce ATA by Figure 3.1, in which an example of an adaptive task automaton is shown. The automaton consists of three locations: one initial location (1) and two ordinary locations (5). The initial location is associated with a task t1 and has an invariant (2). The model contains one clock variable x that is initialized to 0 when the system starts and then progresses until it is reset to zero (4) on the edges between the location with the task t1 and the locations with the tasks t2 and t′2, respectively. The task t′2 can be considered an alternative to the task t2 that achieves the same purpose at a lower quality and thus has reduced computation time. The invariant (2) is a clock constraint that limits the amount of time the system can spend in a location, whereas guards (3) are Boolean conditions that need to be satisfied in order for an edge to be traversed.

In order to create models of systems that choose the tasks to be released depending on their schedulability, we have introduced schedulability predicates as part of the ATA framework. These predicates determine the schedulability of a task within the context of the current ready queue. In Figure 3.1, the predicate sched(t1, t2) is part of the guard. This predicate is true when the task t1 will complete in a timely manner even if the task t2 is released into the system.
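As an added illustration (not code from the thesis or its UPPAAL models), the following Python evaluates sched(t1, t2) over a ready queue under preemptive fixed-priority scheduling and applies the guards of the two edges leaving location 1 in Figure 3.1, in the spirit of the per-task response-time bookkeeping that Section 3.2 attributes to the scheduler automaton. The priorities, computation times and deadlines of t0, t1, t2 and t2' are constructed assumptions, and the completion-time rule assumes that no further task is released.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Job:
    """A released task instance in the ready queue (constructed model)."""
    name: str
    priority: int    # larger value = higher priority (convention assumed here)
    remaining: int   # remaining computation time at the current instant
    deadline: int    # absolute deadline


def completion_time(queue, target, now):
    """Completion instant of `target` under preemptive fixed-priority
    scheduling when no further task is released: all higher-priority work,
    all equal-priority work queued ahead of it, and its own remaining
    computation execute first. The queue is ordered by release, earliest first."""
    pos = queue.index(target)
    busy = 0
    for i, job in enumerate(queue):
        ahead = job.priority > target.priority or (
            job.priority == target.priority and i <= pos)
        if ahead:
            busy += job.remaining
    return now + busy


def sched(queue, now, target_name, candidate):
    """The schedulability predicate sched(target, candidate) of Figure 3.1:
    true iff `target` still meets its deadline when `candidate` is released
    into the ready queue at instant `now`."""
    trial = list(queue) + [candidate]
    target = next(job for job in trial if job.name == target_name)
    return completion_time(trial, target, now) <= target.deadline


def deadline_misses(queue, now):
    """Names of queued jobs that would miss their deadline if nothing else is
    released; an empty list means the whole queue is schedulable."""
    return [job.name for job in queue
            if completion_time(queue, job, now) > job.deadline]


def t2_variant(now, degraded):
    """Constructed parameters (not from the thesis) for the two alternatives
    of Figure 3.1: t2' does the same job at lower quality, so it needs less
    computation; both share priority and relative deadline."""
    name, cost = ("t2'", 1) if degraded else ("t2", 2)
    return Job(name, priority=2, remaining=cost, deadline=now + 5)


def choose_release(queue, now, x):
    """The two edges leaving location 1 of Figure 3.1. Both carry the guard
    x >= 3; one additionally requires sched(t1, t2) and releases t2, the other
    requires its negation and releases t2'. Returns the released job, or None
    when neither edge is enabled because the clock has not reached 3 yet."""
    if x < 3:
        return None
    t2 = t2_variant(now, degraded=False)
    if sched(queue, now, "t1", t2):
        return t2
    return t2_variant(now, degraded=True)


# Two constructed ready queues at instant now = 3, when the invariant x <= 3
# forces location 1 to be left. t1 was released at time 0 with deadline 8.
QUEUE_A = [Job("t1", priority=1, remaining=1, deadline=8)]   # t1 ran alone
QUEUE_B = [Job("t0", priority=3, remaining=1, deadline=10),  # t1 was preempted
           Job("t1", priority=1, remaining=3, deadline=8)]

if __name__ == "__main__":
    for label, queue in (("A", QUEUE_A), ("B", QUEUE_B)):
        released = choose_release(queue, now=3, x=3)
        print(label, "releases", released.name,
              "misses:", deadline_misses(queue + [released], 3))
```

In queue B the full-quality t2 would push t1 past its deadline, so the ¬sched(t1, t2) edge fires and the degraded t2' is released instead, after which every queued job still meets its deadline.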

3.2 Model-checking ATA with Static-Priority Scheduling

Our first result [20] is proving the decidability of ATA with fixed-priority scheduling, with respect to schedulability properties. In order to achieve this, we transform our model into timed automata that can be verified by UPPAAL and show that the new timed automata model is indeed decidable.

The procedure of encoding can be summarized in the following steps. First, we define an automaton that represents the scheduler and the queue. Second, for each location that is annotated with tasks, e.g. as shown in Figure 3.2(a), we remove the task annotation and mark every incoming edge with a synchronization channel, Figure 3.2(b), that synchronizes that edge with an edge from the scheduler automaton that models the task release, Figure 3.2(c). Third, we express all the adaptive predicates as conjunctions in the guards.

[Figure 3.2 (diagram not reproduced): (a) location l1 annotated {t0}, with x = 0 and x = 5 on its edges; (b) location l1 with release0! added to the edges labelled x = 0 and x = 5; (c) scheduler locations Idle and Busy joined by an edge labelled release0?.]

Figure 3.2: Example of encoding a task release: (a) the original location that releases the task t0, (b) the encoded location that replaces the task release with the synchronization channel release0!, and (c) a snippet from the scheduler and queue automaton that is triggered on the task release.

We have met several challenges in trying to achieve the above. First, we need to encode the implicit scheduler as a timed automaton. This in itself has proved non-trivial, since the scheduler not only has to keep information about the executing tasks, but also has to provide variables that can be encoded into guards to represent the adaptivity predicates. Then, we need to link it up in a non-intrusive way to the automaton modeling the task release pattern. By non-intrusive, we mean that it should change neither the behaviors nor the timing properties of the automaton that is being encoded. This has been achieved by creating a model of a scheduler that is non-blocking, meaning that at any time point there is a traversable edge representing the release of every task.

The basic insight used in creating this model is that, under fixed-priority scheduling policies, the tasks always have consistent relative priorities to each other. Thus we have created a scheduler that keeps track of all tasks at all times. Even when the tasks are not active, the values used to evaluate their schedulability predicates are kept up to date. This implies that the schedulability predicates can be evaluated with little overhead at any time during the system verification.

3.3 Model-checking ATA with Dynamic-Priority Scheduling

Our next goal has been to try to address the verification of schedulability with ATA, in the context of dynamic-priority scheduling, by assuming a variant of an EDF scheduler. As pointed out earlier, the difference from an FPS policy is that the relative priorities of the tasks are not known before the execution, or in this case verification, of the system. Although our approach is based around a modified EDF scheduling policy, it equally applies to any scheduling policy in which the relative priorities of tasks are not known before the release, but once they are released the relative priorities remain the same.

            Subgoal 1   Subgoal 2   Subgoal 3
Paper A        ✓           ✓
Paper B        ✓           ✓
Paper C        ✓                       ✓
Paper D                                ✓

Table 3.1: Contribution of the individual papers to the research subgoals

As with FPS, we have adopted a similar strategy of proving the decidability of model-checking ATA with EDF. We have encoded the ATA model as updatable timed automata and analyzed the decidability of the encoded model. The scheduler has been upgraded so that it no longer keeps all the tasks active but is able to completely deactivate tasks and then switch them to a new relative placement. To encode this as a timed automaton we needed to enable timed automata to execute clock-to-clock assignments. In regular timed automata [2], clocks can only be assigned the value 0 or compared to other clocks, whereas we basically need a clock copying mechanism. The clock copying mechanism has been added to the UPPAAL model-checker as a result of our cooperation with Aalborg University, which is presented in Paper C [18].

While this was already achieved in updatable timed automata by Bouyer et al. [7], their progression criteria differ from ours, which use invariants to model time progression, so we have had to prove that reachability analysis of timed automata with clock-to-clock assignments is decidable in order to establish schedulability of ATA with dynamic scheduling.

3.4 Contribution of Included Papers

This thesis includes four research papers. In the following we summarize the contributions of the thesis per paper, as well as my specific contributions to each paper. The relationship of each paper to the subgoals is presented in Table 3.1.


3.4.1 Paper A

Adaptive Task Automata: A Framework for Verifying Adaptive Embedded Systems. Leo Hatvani, Paul Pettersson, and Cristina Seceleanu. In Proceedings of the 15th International Conference on Fundamental Approaches to Software Engineering (FASE), ETAPS 2012, volume 7212 of Lecture Notes in Computer Science, pages 115–129. Springer Berlin Heidelberg, 2012. [20]

Summary. In this paper, we introduce the adaptive task automata framework and by that address Subgoal 1 and Subgoal 2. At this point, we have proposed a framework for verifying the schedulability of adaptive systems that assume a fixed-priority task scheduling policy. The framework is based on timed automata with tasks, extended with primitives that support testing the schedulability of a given task. By addressing fixed-priority scheduling first, we have covered a large number of possible uses of our system, while at the same time covering an entire class of fixed-priority schedulers.

Contribution. The initial idea of maintaining the response times for all the tasks in the queue was presented by Fersman et al. [15], and brought to my attention by my supervisors. I have done most of the work on the development of the idea into a functioning framework and proof-of-concept implementation in the UPPAAL tool.

3.4.2 Paper B

Modeling and Analysis of Adaptive Embedded Systems Using Adaptive Task Automata. Leo Hatvani, Cristina Seceleanu, and Paul Pettersson. ACM SIGBED Review, Special Issue on the 4th Workshop on Adaptive and Reconfigurable Embedded Systems (APRES 2012), 10(1):43–47, February 2013. [21]

Summary. In this paper, we present a summary of the first paper as well as some additional, more general examples. The examples outline the potential of our framework in practical applications for designing adaptive hard real-time embedded systems. As a natural extension of Paper A, this paper continues to address Subgoals 1 and 2.

Contribution. I have done most of the work on conceiving and implementing the examples, as well as writing the corpus of the paper.


3.4.3 Paper C

Adaptive Task Automata with Earliest-Deadline-First Scheduling. Leo Hatvani, Alexandre David, Cristina Seceleanu, and Paul Pettersson. In Proceedings of the 14th International Workshop on Automated Verification of Critical Systems (AVoCS 2014), Electronic Communications of the EASST, 70, 2014. Submitted for publication. [18]

Summary. In this paper, we start from the framework introduced in Paper A and improve it with the earliest-deadline-first scheduling policy. Our extension to dynamic scheduling policies has required the exploration of decidability of a subclass of timed automata with clock-to-clock assignments. The third paper addresses Subgoals 1 and 3.

Contribution. I have defined the specific theorems and proof sketches, based on the proofs developed in previous work [3, 14].

3.4.4 Paper D

Adaptive Task Automata with Earliest-Deadline-First Scheduling (full paper). Leo Hatvani, Alexandre David, Cristina Seceleanu, and Paul Pettersson. Technical Report ISSN 1404-3041 ISRN MDH-MRTC-287/2014-1-SE, Mälardalen Real-Time Research Centre, Mälardalen University, August 2014. [19]

Summary. We conclude this collection of papers with a technical report that provides a detailed proof of decidability and bisimilarity between ATA and its encoding in the framework of timed automata (TA) sketched in Paper C. Since the framework itself is not changed in this paper, it contributes only to Subgoal 3.

Contribution. Similar to Paper C. The structure of the proofs is inspired by previous work and I have developed the proofs needed in our case.

Chapter 4

Research Method

The research method used for this thesis is derived from the scientific method for computer science [13] and software architecture [33].

[Figure 4.1 (diagram not reproduced): stages Question?, Hypothesis, Prediction, Test and Consistency.]

Figure 4.1: A simplified illustration of the scientific method

The scientific method for computer science [13] proposes the following approach to the process of research, as illustrated in Figure 4.1: (i) first, a question is proposed in the context of the existing knowledge; (ii) second, a hypothesis is formed as a tentative answer to the question; (iii) third, predictions are made about the hypothesis; (iv) fourth, the hypothesis is tested carefully and checked for whether it fits within the current knowledge or whether adjustments to the already existing knowledge need to be made; and (v) fifth, when consistency is reached, the hypothesis becomes a theory and provides a coherent set of propositions that define a new theoretical concept.

[Figure 4.2 (diagram not reproduced): elements General research problem, Ideas, Scientific knowledge (related work), Refined research problem, Study, Validation, Solution design, Solution tests, Research goal, Understanding, Conceptualization, Novelty and Comparison; legend: main research stage, research element, influence factor.]

Figure 4.2: Overview of the research process (design based on the original design by Vulgarakis [36])

Our research method was mostly based on the scientific method for computer science, with a strong accent on the influence of the related work on the research. As illustrated in Figure 4.2, the research starts with a formulation of a general research problem based on the currently available scientific knowledge. This research problem is then ported into the research setting and is further refined into more tangible research problems. After the research problem has been understood, it is conceptualized. A conceptualized research problem corresponds to the question of the scientific method. From the conceptualization, a research goal is derived, which corresponds to the hypothesis.

Once a research goal is defined, using original ideas and the ideas from related work, a solution is designed, together with tests for testing the validity of this solution within the context of the research goal. Using information gained from testing the solution, we can further refine both the research goal and the solution design until consistency is achieved. Further, when all the conceptualizations have been assembled in a study, the study is validated by comparing it to the related work.

The general research problem that initiated our research was how to address the challenges of creating safe adaptive embedded systems. Within this topic we have then located the specific goals of verifying schedulability in an adaptive hard real-time embedded system, as presented in Goal 2.2 and Subgoals 1-3.

From this point, we have constructed the concept of the adaptive task automata framework. In the first iteration, the framework was refined for static priority scheduling, and then adjusted for dynamic priority scheduling. Each of the refinements of the theoretical model was supported by mathematical proofs of the claims. Although we have mathematically shown the correctness of our claims, we have not validated the framework on a real-world case study or in an industrial environment.


Chapter 5

Related Work

This thesis focuses on providing a framework for schedulability analysis via formal verification of real-time task sets, in the context of adaptive embedded systems. Although not many research results have been published on this exact topic, there are several related works that are relevant to our research.

The related research can be classified into three clusters. The first encompasses research that considers the design and verification of higher-level abstractions of adaptive embedded systems. The second analyzes adaptive embedded systems and their task sets using analytic approaches. The third considers verification of schedulability by automated model checking, yet without any focus on adaptive characteristics.

5.1 Modeling and Verification of High-level Abstractions of Adaptive Embedded Systems

Most of the research on adaptive embedded systems considers higher-level descriptions of the adaptation behavior. The following are some examples that are most closely related to our work. All of them support modeling of adaptive behaviors and some form of verification while, in contrast to our research, verification of schedulability is not directly supported.

Schaefer [30] has provided several approaches to verifying adaptive embedded systems specified as Synchronous Adaptive Systems, high-level representations of the modeling concepts used in the MARS modeling approach [35]. The solution integrates model slicing of various granularities to reduce the complexity and enable automated model checking of the models by means of theorem proving. The technique is tested on an adaptive vehicle stability control system.

Schneider et al. [31] have proposed a method to describe and analyze adaptation behavior in embedded systems in which the data flow is augmented with quality descriptions used by configuration rules to determine potential adaptations. The augmented system can then be transformed into a transition system and serve as input for a model checker.

Adler et al. [1] use Kripke structures as the underlying system model and specify the system's properties using LTL. This representation of the system is then verified using the Averest¹ framework.

Goldsby et al. [16] provide the AMOEBA-RT model, focused on run-time verification and monitoring.

Tan [34] has introduced a design workflow that takes a system specified as hybrid automata, augments it with reconfiguration information and builds a self-adaptive model. Self-adaptive models are achieved by transformation and the addition of monitoring automata. Further, such models can be transformed into program code. While self-adaptivity is an interesting avenue, design-time verification of such systems has not been investigated yet.

5.2 Analytic Approaches

In the area of adaptive scheduling, most of the work [23, 26, 27] aimed at achieving lower energy consumption by exploiting the dynamic voltage scaling features of modern CPUs. While such approaches can be used to analyze schedulability in some adaptive contexts, our approach is more general in some aspects. Besides periodic, aperiodic, and sporadic tasks, we can analyze tasks that are released into the system based on complex interactions with internal and environmental events.

The work by Shakhlevich et al. [32] proposes an adaptive approach for fine-tuning a realistic heuristic scheduling algorithm. While the paper is focused more on job shop scheduling than on tasks, the approach could eventually provide a heuristic that can be verified as correct by our framework.

Lawrence et al. [25] have proposed a control-theoretic approach to the distribution of computing resources. However, with the growing complexity of the scheduling algorithm, the complexity of verifying schedulability in a hard real-time system increases.

¹ The Averest framework is available at http://www.averest.org.


Another relevant line of research, but based on a different set of assumptions, is fault-tolerant scheduling [29, 17]. While our work assumes that any error will lead to failure, fault-tolerant scheduling tries to recover from errors while minimizing loss.

Beccari et al. [5] analyze adaptive soft real-time tasks and alter the rate of task releases depending on the available resources. While this work proposes analytical solutions, as opposed to our verification solution, the main other difference is in the definition of tasks: this work defines ranges of acceptable admission rates for tasks, while our framework can define arbitrary admission criteria.

5.3 Related Verification Approaches

The application of schedulability verification has already targeted multiprocessor systems in the work by Yu et al. [38], and satellite systems in the work by Mikucionis et al. [28], and results on generalized frameworks for schedulability analysis have also been provided by David et al. [11]. However, in these studies the non-schedulability of the system cannot be predicted early enough to keep the system from reaching an error state; it is detected only after a task misses its deadline.

Wang et al. [37] have proposed the use of verification techniques to find the optimal schedule for energy-constrained systems. The authors have developed a cost-reward variant of timed automata that makes it possible to directly model the energy expenditure of different tasks.


Chapter 6

Conclusions

6.1 Summary and Conclusions

The main goal of this thesis is to improve the state of the art regarding modeling and verification of adaptive embedded systems. To achieve this, we have focused our efforts on adaptive hard real-time embedded systems and their task-level abstractions.

A key component of our work is that we can model networks of adaptive task automata. We have achieved this by grounding our work in task automata, which already had this feature. Networks of task automata provide support for compartmentalization of adaptive task automata models, so that different functions can be modeled separately. While this does not influence their decidability or expressiveness, for us it means that a designer can clearly distinguish the model of the environment from the model describing internal responses to the changes in the environment. The internal responses are then reflected in the change of task release patterns, which can also be described in our framework.

Tasks in our framework can be released periodically, sporadically, or aperiodically, as long as their behavior can be modeled using task automata. The resulting pattern of task releases allowed by the task automata model constitutes our assumed task release pattern.

A change in the task release pattern to adjust to altered environmental conditions can cause tasks already in the system to miss their deadlines and result in system failure. Thus, as the main contribution of this thesis, we have defined and shown decidability for a set of predicates that can inspect the state of the scheduler and queue. By combining these predicates with the model of the task release pattern, we can prevent deadline misses in the tasks already present in the system and thus mitigate the effects of the adaptive processes on the performance of the system.
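To make the role of such a queue-inspecting predicate concrete, the following is an added example, not the thesis' adaptive task automata encoding nor any code from the thesis: an admission check that decides whether releasing an adaptation task keeps every already-queued task schedulable under preemptive EDF on one processor, applied to a constructed scenario with a "full" and a "degraded" response, plus a unit-step EDF simulation as an independent check of the predicate's verdict. It assumes fixed worst-case execution times and looks only at the jobs already released, not at the future release pattern that the thesis models with automata.

```python
"""Deadline-protecting admission predicate over a scheduler queue (illustrative
example; single processor, preemptive EDF, fixed WCET, released jobs only)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Job:
    name: str
    remaining: int  # remaining worst-case execution time (time units)
    deadline: int   # absolute deadline (time units)

    @staticmethod
    def release(name: str, wcet: int, rel_deadline: int, now: int) -> "Job":
        """A job released at `now` with a deadline relative to its release."""
        return Job(name, wcet, now + rel_deadline)


def first_miss(queue: List[Job], now: int) -> Optional[str]:
    """Under preemptive EDF the released jobs all meet their deadlines iff, taken
    in deadline order, the cumulative remaining work finishes no later than each
    job's deadline.  Returns the first job that would miss, or None."""
    work = 0
    for job in sorted(queue, key=lambda j: j.deadline):
        work += job.remaining
        if now + work > job.deadline:
            return job.name
    return None


def edf_feasible(queue: List[Job], now: int) -> bool:
    return first_miss(queue, now) is None


def can_release(queue: List[Job], now: int, new: Job) -> bool:
    """The predicate an adaptive response must pass before it is released:
    does the queue stay feasible once `new` is added to it?"""
    return edf_feasible(queue + [new], now)


def choose_response(queue: List[Job], now: int,
                    candidates: List[Job]) -> Optional[Job]:
    """Pick the first (most preferred) candidate response whose release keeps
    every already-queued task schedulable; None if no candidate does."""
    for cand in candidates:
        if can_release(queue, now, cand):
            return cand
    return None


def simulate_edf(queue: List[Job], now: int) -> List[str]:
    """Unit-step preemptive EDF run of the released jobs (no further releases),
    used as an independent check of the predicate.  Returns the names of jobs
    that complete after their deadline."""
    remaining = {j.name: j.remaining for j in queue}
    deadline = {j.name: j.deadline for j in queue}
    t, missed = now, []
    while remaining:
        cur = min(remaining, key=lambda n: deadline[n])  # earliest deadline runs
        remaining[cur] -= 1
        t += 1
        if remaining[cur] == 0:
            del remaining[cur]
            if t > deadline[cur]:
                missed.append(cur)
    return missed


# Constructed scenario (not from the thesis): two control tasks A and B are
# queued at time 0 when an environmental change demands an adaptation.  Two
# alternative responses exist; the predicate must pick one that protects A and B.
NOW = 0
QUEUE = [Job("A", remaining=3, deadline=5), Job("B", remaining=4, deadline=12)]
FULL = Job.release("full_response", wcet=6, rel_deadline=10, now=NOW)
DEGRADED = Job.release("degraded_response", wcet=2, rel_deadline=10, now=NOW)

if __name__ == "__main__":
    for cand in (FULL, DEGRADED):
        print(f"{cand.name}: admissible={can_release(QUEUE, NOW, cand)}, "
              f"first miss={first_miss(QUEUE + [cand], NOW)}, "
              f"simulated misses={simulate_edf(QUEUE + [cand], NOW)}")
    chosen = choose_response(QUEUE, NOW, [FULL, DEGRADED])
    print("chosen response:", chosen.name if chosen else None)
```

Releasing the full response would make B finish at time 13 against its deadline of 12, so the predicate rejects it and the degraded response is released instead; the simulation reports the same single miss.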

In conclusion, we have created a framework that is suitable for modeling task-level abstractions of adaptive hard real-time embedded systems. We have also proved the model's decidability, and implemented one of its variants in UPPAAL¹.

6.2 Future Work

While working on the thesis' topic and writing the dissertation, we have encountered many possibilities to further explore and extend our work.

Significant value could be gained by creating a dedicated tool that supports schedulability verification using the ATA framework. This can be done by extending the already existing tool TIMES² or by building a new tool tied to the UPPAAL¹ verification engine. To improve usability, additional research can be carried out to determine the optimal way to represent the adaptivity features.

Another possible extension of our work could be towards adopting statistical model checking (SMC) [12] to replace the full state space exploration that we currently use. This would introduce additional challenges, such as ensuring that the state space exploration is not biased, and determining a safe bound for the probabilistic verification. On the positive side, the model checking is done at an exponentially higher speed, and there is a possibility of using distributed model checking [8].

In our framework, the tasks are described using only their fixed worst-case execution time as the main definition of the length of a task's execution. An interesting avenue to explore would be to allow the execution time of tasks to be described as intervals or, in the case of statistical model checking, as probability distributions.

Once the tasks are released into the queue, with the current framework they cannot be significantly modified due to the constraints of the model. It could be interesting to create an encoding where tasks can be arbitrarily removed from the queue, which would free up the time that the task was supposed to spend if it needs to be replaced by another task. This extension would further improve the adaptation capabilities of the framework.

¹ The UPPAAL tool is available at http://www.uppaal.org/.
² The TIMES tool is available at http://www.timestool.com/.

Bibliography

[1] Rasmus Adler, Ina Schaefer, Tobias Schuele, and Eric Vecchié. From model-based design to formal verification of adaptive embedded systems. In Michael Butler, Michael G. Hinchey, and María M. Larrondo-Petrie, editors, Formal Methods and Software Engineering, volume 4789 of Lecture Notes in Computer Science, pages 76–95. Springer Berlin Heidelberg, 2007.

[2] Rajeev Alur. Timed automata. In Nicolas Halbwachs and Doron Peled, editors, Computer Aided Verification, volume 1633 of Lecture Notes in Computer Science, pages 8–22. Springer Berlin Heidelberg, 1999.

[3] Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, April 1994.

[4] Christel Baier and Joost-Pieter Katoen. Principles of Model Checking. The MIT Press, 2008.

[5] G. Beccari, S. Caselli, and F. Zanichelli. A technique for adaptive scheduling of soft real-time tasks. Real-Time Systems, 30(3):187–215, 2005.

[6] Johan Bengtsson and Wang Yi. Timed automata: Semantics, algorithms and tools. In Jörg Desel, Wolfgang Reisig, and Grzegorz Rozenberg, editors, Lectures on Concurrency and Petri Nets, volume 3098 of Lecture Notes in Computer Science, pages 87–124. Springer Berlin Heidelberg, 2004.

[7] Patricia Bouyer, Catherine Dufourd, Emmanuel Fleury, and Antoine Petit. Updatable timed automata. Theoretical Computer Science, 321(2–3):291–345, 2004.


[8] Peter Bulychev, Alexandre David, Kim Gulstrand Larsen, Marius Mikucionis, Danny Bøgsted Poulsen, Axel Legay, and Zheng Wang. UPPAAL-SMC: Statistical model checking for priced timed automata. In Herbert Wiklicky and Mieke Massink, editors, Proceedings 10th Workshop on Quantitative Aspects of Programming Languages and Systems, Tallinn, Estonia, 31 March and 1 April 2012, volume 85 of Electronic Proceedings in Theoretical Computer Science, pages 1–16. Open Publishing Association, 2012.

[9] G. C. Buttazzo. Hard Real-Time Computing Systems. Predictable Scheduling Algorithms and Applications. Kluwer Academic Publishers, 1997.

[10] Betty H.C. Cheng, Rogério Lemos, Holger Giese, Paola Inverardi, Jeff Magee, Jesper Andersson, Basil Becker, Nelly Bencomo, Yuriy Brun, Bojan Cukic, Giovanna Marzo Serugendo, Schahram Dustdar, Anthony Finkelstein, Cristina Gacek, Kurt Geihs, Vincenzo Grassi, Gabor Karsai, Holger M. Kienle, Jeff Kramer, Marin Litoiu, Sam Malek, Raffaela Mirandola, Hausi A. Müller, Sooyong Park, Mary Shaw, Matthias Tichy, Massimo Tivoli, Danny Weyns, and Jon Whittle. Software engineering for self-adaptive systems: A research roadmap. In Betty H.C. Cheng, Rogério Lemos, Holger Giese, Paola Inverardi, and Jeff Magee, editors, Software Engineering for Self-Adaptive Systems, volume 5525 of Lecture Notes in Computer Science, pages 1–26. Springer Berlin Heidelberg, 2009.

[11] Alexandre David, Jacob Illum, Kim Larsen, and Arne Skou. Model-based framework for schedulability analysis using UPPAAL 4.1. In Model-Based Design for Embedded Systems, pages 93–119. CRC Press, November 2009.

[12] Alexandre David, Kim G. Larsen, Axel Legay, Marius Mikucionis, and Zheng Wang. Time for statistical model checking of real-time systems. In Ganesh Gopalakrishnan and Shaz Qadeer, editors, Computer Aided Verification, volume 6806 of Lecture Notes in Computer Science, pages 349–355. Springer Berlin Heidelberg, 2011.

[13] Gordana Dodig-Crnkovic. Scientific methods in computer science. In Proceedings of the Conference for the Promotion of Research in IT at New Universities and at University Colleges in Sweden, pages 126–130, April 2002.


[14] Elena Fersman, Pavel Krcal, Paul Pettersson, and Wang Yi. Task automata: Schedulability, decidability and undecidability. Information and Computation, 205(8):1149–1172, 2007.

[15] Elena Fersman, Leonid Mokrushin, Paul Pettersson, and Wang Yi. Schedulability analysis using two clocks. In Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS'03, pages 224–239, Berlin, Heidelberg, 2003. Springer-Verlag.

[16] Heather J. Goldsby, Betty H.C. Cheng, and Ji Zhang. AMOEBA-RT: Run-time verification of adaptive software. In Holger Giese, editor, Models in Software Engineering, volume 5002 of Lecture Notes in Computer Science, pages 212–224. Springer Berlin Heidelberg, 2008.

[17] Oscar González, H. Shrikumar, John A. Stankovic, and Krithi Ramamritham. Adaptive fault tolerance and graceful degradation under dynamic hard real-time scheduling. In Proceedings of the 18th IEEE Real-Time Systems Symposium, pages 79–89, December 1997.

[18] Leo Hatvani, Alexandre David, Cristina Seceleanu, and Paul Pettersson. Adaptive task automata with earliest-deadline-first scheduling. Proceedings of the 14th International Workshop on Automated Verification of Critical Systems (AVoCS 2014), Electronic Communications of the EASST, 70, 2014. Submitted for publication.

[19] Leo Hatvani, Alexandre David, Cristina Seceleanu, and Paul Pettersson. Adaptive task automata with earliest-deadline-first scheduling. Technical Report ISSN 1404-3041 ISRN MDH-MRTC-287/2014-1-SE, Mälardalen Real-Time Research Centre, Mälardalen University, August 2014.

[20] Leo Hatvani, Paul Pettersson, and Cristina Seceleanu. Adaptive task automata: A framework for verifying adaptive embedded systems. In Juan Lara and Andrea Zisman, editors, Fundamental Approaches to Software Engineering, volume 7212 of Lecture Notes in Computer Science, pages 115–129. Springer Berlin Heidelberg, 2012.

[21] Leo Hatvani, Cristina Seceleanu, and Paul Pettersson. Modeling and analysis of adaptive embedded systems using adaptive task automata. ACM SIGBED Review, Special Issue on the 4th Workshop on Adaptive and Reconfigurable Embedded Systems (APRES 2012), 10(1):43–47, February 2013.


[19] Leo Hatvani, Alexandre David, Cristina Seceleanu, and Paul Pettersson.Adaptive task automata with earliest-deadline-first scheduling. TechnicalReport ISSN 1404-3041 ISRN MDH-MRTC-287/2014-1-SE, MälardalenReal-Time Research Centre, Mälardalen University, August 2014.

[20] Leo Hatvani, Paul Pettersson, and Cristina Seceleanu. Adaptive taskautomata: A framework for verifying adaptive embedded systems. In JuanLara and Andrea Zisman, editors, Fundamental Approaches to SoftwareEngineering, volume 7212 of Lecture Notes in Computer Science, pages115–129. Springer Berlin Heidelberg, 2012.

[21] Leo Hatvani, Cristina Seceleanu, and Paul Pettersson. Modeling andanalysis of adaptive embedded systems using adaptive task automata.ACM SIGBED Review, Special Issue on the 4th Workshop on Adaptive andReconfigurable Embedded Systems (APRES 2012), 10(1):43–47, February2013.

Page 46: Mälardalen University Press Licentiate Theses No. 185 ...756834/FULLTEXT02.pdf · regular videochat sessions were something that I could always count on. Their words of reassurance

32 Bibliography

[22] Steve Heath. Embedded Systems Design. Butterworth-Heinemann, New-ton, MA, USA, 2nd edition, 2002.

[23] Ravindra Jejurikar, Cristiano Pereira, and Rajesh Gupta. Leakage awaredynamic voltage scaling for real-time embedded systems. In Proceedingsof the 41st Annual Design Automation Conference, DAC ’04, pages 275–280, New York, NY, USA, 2004. ACM.

[24] Hermann Kopetz. Real-Time Systems: Design Principles for DistributedEmbedded Applications. Springer Publishing Company, Incorporated, 2ndedition, 2011.

[25] D.A Lawrence, Jianwei Guan, S. Mehta, and L.R. Welch. Adaptivescheduling via feedback control for dynamic real-time systems. In Per-formance, Computing, and Communications, 2001. IEEE InternationalConference on., pages 373–378, Apr 2001.

[26] Y.-H. Lee, K.P. Reddy, and C.M. Krishna. Scheduling techniques forreducing leakage power in hard real-time systems. In Real-Time Systems,2003. Proceedings. 15th Euromicro Conference on, pages 105–112, July2003.

[27] Pedro Mejia-Alvarez, Eugene Levner, and Daniel Mossé. Adaptivescheduling server for power-aware real-time tasks. ACM Trans. Embed.Comput. Syst., 3(2):284–306, May 2004.

[28] Marius Mikucionis, Kim Larsen, Jacob Rasmussen, Brian Nielsen, ArneSkou, Steen Palm, Jan Pedersen, and Poul Hougaard. Schedulabilityanalysis using uppaal: Herschel-planck case study. In Tiziana Margariaand Bernhard Steffen, editors, Leveraging Applications of Formal Methods,Verification, and Validation, volume 6416 of Lecture Notes in ComputerScience, pages 175–190. Springer Berlin / Heidelberg, 2010.

[29] Paul Richardson, Larry Sieh, and Ali M. Elkateeb. Fault-tolerant adaptivescheduling for embedded real-time systems. IEEE Micro, 21(5):41–51,2001.

[30] Ina Schaefer. Integrating Formal Verification into the Model-Based Devel-opment of Adaptive Embedded Systems. PhD thesis, TU Kaiserslautern,Kaiserslautern, Germany, October 2008. ISBN 978-3-89963-862-2.

[31] Klaus Schneider, Tobias Schuele, and Mario Trapp. Verifying the adapta-tion behavior of embedded systems. In Proceedings of the 2006 interna-tional workshop on Self-adaptation and self-managing systems, SEAMS’06, pages 16–22, New York, NY, USA, 2006. ACM.

[32] N.V. Shakhlevich, Y.N. Sotskov, and F. Werner. Adaptive schedulingalgorithm based on mixed graph model. IEE Proceedings - Control Theoryand Applications, 143(1):9–16, Jan 1996.

[33] Mary Shaw. The coming-of-age of software architecture research. In Pro-ceedings of the 23rd International Conference on Software Engineering,pages 656–665, Washington, DC, USA, 2001. IEEE Computer Society.

[34] Li Tan. Model-based self-adaptive embedded programs with temporallogic specifications. In Quality Software, 2006. QSIC 2006. Sixth Interna-tional Conference on, pages 151–158, Oct 2006.

[35] Mario Trapp, Rasmus Adler, Marc Förster, and Janosch Junger. Runtimeadaptation in safety-critical automotive systems. In Proceedings of the25th Conference on IASTED International Multi-Conference: SoftwareEngineering, pages 308–315, Anaheim, CA, USA, 2007. ACTA Press.

[36] Aneta Vulgarakis. A Resource-Aware Framework for Designing Pre-dictable Component-Based Embedded Systems. PhD thesis, MälardalenUniversity, June 2012. Mälardalen University Press Dissertations, ISSN1651-4238; 122.

[37] Wei Wang, Guo Dong, Zhigang Deng, Guosun Zeng, Wei Liu, and Huan-liang Xiong. Reachability analysis of cost-reward timed automata forenergy efficiency scheduling. In Proceedings of Programming Models andApplications on Multicores and Manycores, PMAM’14, pages 140:140–140:148, New York, NY, USA, 2007. ACM.

[38] Fei Yu, Guoqiang Li, and Naixue Xiong. Schedulability analysis of multi-processor real-time systems using uppaal. In Information Science andEngineering (ICISE), 2010 2nd International Conference on, pages 1–6,December 2010.

Page 47: Mälardalen University Press Licentiate Theses No. 185 ...756834/FULLTEXT02.pdf · regular videochat sessions were something that I could always count on. Their words of reassurance

32 Bibliography

[22] Steve Heath. Embedded Systems Design. Butterworth-Heinemann, New-ton, MA, USA, 2nd edition, 2002.

[23] Ravindra Jejurikar, Cristiano Pereira, and Rajesh Gupta. Leakage awaredynamic voltage scaling for real-time embedded systems. In Proceedingsof the 41st Annual Design Automation Conference, DAC ’04, pages 275–280, New York, NY, USA, 2004. ACM.

[24] Hermann Kopetz. Real-Time Systems: Design Principles for DistributedEmbedded Applications. Springer Publishing Company, Incorporated, 2ndedition, 2011.

[25] D.A Lawrence, Jianwei Guan, S. Mehta, and L.R. Welch. Adaptivescheduling via feedback control for dynamic real-time systems. In Per-formance, Computing, and Communications, 2001. IEEE InternationalConference on., pages 373–378, Apr 2001.

[26] Y.-H. Lee, K.P. Reddy, and C.M. Krishna. Scheduling techniques forreducing leakage power in hard real-time systems. In Real-Time Systems,2003. Proceedings. 15th Euromicro Conference on, pages 105–112, July2003.

[27] Pedro Mejia-Alvarez, Eugene Levner, and Daniel Mossé. Adaptivescheduling server for power-aware real-time tasks. ACM Trans. Embed.Comput. Syst., 3(2):284–306, May 2004.

[28] Marius Mikucionis, Kim Larsen, Jacob Rasmussen, Brian Nielsen, ArneSkou, Steen Palm, Jan Pedersen, and Poul Hougaard. Schedulabilityanalysis using uppaal: Herschel-planck case study. In Tiziana Margariaand Bernhard Steffen, editors, Leveraging Applications of Formal Methods,Verification, and Validation, volume 6416 of Lecture Notes in ComputerScience, pages 175–190. Springer Berlin / Heidelberg, 2010.

[29] Paul Richardson, Larry Sieh, and Ali M. Elkateeb. Fault-tolerant adaptivescheduling for embedded real-time systems. IEEE Micro, 21(5):41–51,2001.

[30] Ina Schaefer. Integrating Formal Verification into the Model-Based Devel-opment of Adaptive Embedded Systems. PhD thesis, TU Kaiserslautern,Kaiserslautern, Germany, October 2008. ISBN 978-3-89963-862-2.

[31] Klaus Schneider, Tobias Schuele, and Mario Trapp. Verifying the adapta-tion behavior of embedded systems. In Proceedings of the 2006 interna-tional workshop on Self-adaptation and self-managing systems, SEAMS’06, pages 16–22, New York, NY, USA, 2006. ACM.

[32] N.V. Shakhlevich, Y.N. Sotskov, and F. Werner. Adaptive schedulingalgorithm based on mixed graph model. IEE Proceedings - Control Theoryand Applications, 143(1):9–16, Jan 1996.

[33] Mary Shaw. The coming-of-age of software architecture research. In Pro-ceedings of the 23rd International Conference on Software Engineering,pages 656–665, Washington, DC, USA, 2001. IEEE Computer Society.

[34] Li Tan. Model-based self-adaptive embedded programs with temporallogic specifications. In Quality Software, 2006. QSIC 2006. Sixth Interna-tional Conference on, pages 151–158, Oct 2006.

[35] Mario Trapp, Rasmus Adler, Marc Förster, and Janosch Junger. Runtimeadaptation in safety-critical automotive systems. In Proceedings of the25th Conference on IASTED International Multi-Conference: SoftwareEngineering, pages 308–315, Anaheim, CA, USA, 2007. ACTA Press.

[36] Aneta Vulgarakis. A Resource-Aware Framework for Designing Pre-dictable Component-Based Embedded Systems. PhD thesis, MälardalenUniversity, June 2012. Mälardalen University Press Dissertations, ISSN1651-4238; 122.

[37] Wei Wang, Guo Dong, Zhigang Deng, Guosun Zeng, Wei Liu, and Huan-liang Xiong. Reachability analysis of cost-reward timed automata forenergy efficiency scheduling. In Proceedings of Programming Models andApplications on Multicores and Manycores, PMAM’14, pages 140:140–140:148, New York, NY, USA, 2007. ACM.

[38] Fei Yu, Guoqiang Li, and Naixue Xiong. Schedulability analysis of multi-processor real-time systems using uppaal. In Information Science andEngineering (ICISE), 2010 2nd International Conference on, pages 1–6,December 2010.