

Copyright 2017 Carnegie Mellon University. All Rights Reserved.

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.

References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

Carnegie Mellon<sup>®</sup> is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. DM17-0337

Carı



2

## **Verification of CPS**

#### **CPS Concerns**

- Logic: correct value
- Timing: at the right time
- Scalability: for real-size systems



[Distribution Statement A] Approved for public release and unlimited distribution

3

# Approach

#### Logical Verification

- Model Checking
- Source-Code Logical Verification: CBMC, FRAMA-C

#### **Timing Verification**

- Real-Time Scheduling
- Variety of Applications: Mixed-Criticality, Distributed Pipelines
- Complex Hardware: Multicore Processors

#### Scalable Combination

- Reduced Interleavings: In Rate-Monotonic Ignore lower-priority threads
- Verified Timing Guarantees of Scheduler Code: Time as ghost variables Improved Scalability
  - Domain Specific Language: constrained executable
  - Distributed Shared-Variables Middleware: synchronous computation
  - Statistical Model Checking:
    - Montecarlo Simulations
    - Important Sampling / Semantic Important Sampling



ları

## **Project 1: Distributed Adaptive Real-Time**



[Distribution Statement A] Approved for public release and unlimited distribution

5

Copyright 2017 Carnegie Mellon University. All Rights Reserved.

## **DART Programming : AADL + DMPL**

AADL : Architecture Analysis and Description Language DMPL : DART Modeling and Programming Language

AADL : High level architecture + threads + real-time attributes

- Perform ZSRM schedulability via OSATE Plugin
- Generate appropriate DMPL annotations

#### **DMPL** : Behavior

- Roles : leader, protector
- Functions : mapped to real-time threads
  - Period, priority, criticality (generated from AADL)
  - Behavior : C-style syntax. Can call-out to arbitrary libraries.
- Functional properties (safety) : software model checking
- Probabilistic properties (expectation) : statistical model checking

ları

Implemented as a DART Workbench. Happy to share.

- Software Engineering Institute [Distribution Statement A] Approved for public release and unlimited distribution

## **Real-Time Schedulability**



Carı



#### Verification



#### **Model Checking**

Automatic verification technique for finite state concurrent systems.

- Developed independently by Clarke and Emerson and by Queille and Sifakis in early 1980's.
- ACM Turing Award 2007

## Specifications are written in propositional temporal logic. (Pnueli 77)

• Computation Tree Logic (CTL), Linear Temporal Logic (LTL), ...

Verification procedure is an intelligent exhaustive search of the state space of the design



#### **Code Generation**



#### **MADARA Middleware**

A database of facts:  $DB = Var \mapsto Value$ 

Node *i* has a local copy:  $DB_i$ 

- update *DB<sub>i</sub>* arbitrarily
- publish new variable mappings
  - Immediate or delayed
  - Multiple variable mappings
    transmitted atomically

Implicit "receive" thread on each node

- Receives and processes variable updates from other nodes
- Updates ordered via Lamport clocks

Portable to different OSes (Windows, Linux, Android etc.) and networking technology (TCP/IP, UDP, DDS etc.)

Software Engineering Institute

#### Carı

#### **Project 2: Certifiable Distributed Runtime Assurance**





#### **Sense Actuation Loop + Logical Enforcer**





#### **Fixed-Priority Scheduling + Rate Monotonic**



Carı

Icons credit: http://www.doublejdesign.co.uk



#### **Overload => old sensed data + late actuation**



Icons credit: http://www.doublejdesign.co.uk



# Solution: Enforce timing budgets (timing enforcement)





# Solution step 1: enforce timing budgets (timing enforcement)



ları



#### Solution step 2: fast actuation on timing enforcement



Carı







[Distribution Statement A] Approved for public release and unlimited distribution

Copyright 2017 Carnegie Mellon University. All Rights Reserved.

17









[Distribution Statement A] Approved for public release and unlimited distribution

#### **Project 3: Real-Time Scheduling for Multicore**



Software Engineering Institute

#### Shared Hardware: Multicore Memory System











Carı

Software Engineering Institute
 [Distribution Statement A] Approved for public release and unlimited distribution

## **Different for Applications (PARSEC Benchmark)**



[Distribution Statement A] Approved for public release and unlimited distribution

Copyright 2017 Carnegie Mellon University. All Rights Reserved.

#### **Solution 1: Partitioning**



[Distribution Statement A] Approved for public release and unlimited distribution

## Solutions 1: Virtual Memory "Coloring"







[Distribution Statement A] Approved for public release and unlimited distribution

## **Solution 2: Coordinated Approaches**



#### **Challenge: Small Number of Partitions**



## **Solution 3: Predictable Sharing of Partitions**



[Distribution Statement A] Approved for public release and unlimited distribution

Copyright 2017 Carnegie Mellon University. All Rights Reserved.





Carı

32



# The blue, red, and green tasks execute at different times $\Rightarrow$ no slowdown





The blue and red tasks execute at

Carı

the same time  $\Rightarrow$  slowdown  $\Rightarrow$  increased execution time of blue and red.





The blue, red, and green tasks execute at the same time  $\Rightarrow$  slowdown  $\Rightarrow$  increased execution time of all tasks.

Carı





The blue, red, and green tasks execute at the same time  $\Rightarrow$  slowdown  $\Rightarrow$  increased execution time of all tasks.





The blue, red, and green tasks execute at the same time  $\Rightarrow$  slowdown  $\Rightarrow$  increased execution time of all tasks.

Carı









Carı

Able to offer real-time guarantee even for h/w that is not documented (assuming that task parameters are OK)



## Summary

#### **CPS** Verification Involves Multiple Domains

- Logic
- Timing

#### Addressing Scalability

- Restrict Behavior
  - Domain Specific Language + Restricted Communication (middleware)

Carı

- Enforcers
- Scalable Verification
  - Statistical Model Checking: Semantic Important Sampling
- **Evolving Hardware** 
  - Multicore Scheduling



40