A Compositional Approach for Schedulability Analysis of Distributed Avionics Systems

This work presents a compositional approach for schedulability analysis of Distributed Integrated Modular Avionics (DIMA) systems that consist of spatially distributed ARINC-653 modules connected by a unified AFDX network. We model a DIMA system as a set of stopwatch automata in UPPAAL to verify its schedulability by model checking. However, direct model checking is infeasible due to the large state space. Therefore, we introduce the compositional analysis that checks each partition including its communication environment individually. Based on a notion of message interfaces, a number of message sender automata are built to model the environment for a partition. We define a timed selection simulation relation, which supports the construction of composite message interfaces. By using assume-guarantee reasoning, we ensure that each task meets the deadline and that communication constraints are also fulfilled globally. The approach is applied to the analysis of a concrete DIMA system.Comment: In Proceedings MeTRiD 2018, arXiv:1806.09330. arXiv admin note: text overlap with arXiv:1803.1105

A Property Specification Pattern Catalog for Real-Time System Verification with UPPAAL

Context: The goal of specification pattern catalogs for real-time requirements is to mask the complexity of specifying such requirements in a timed temporal logic for verification. For this purpose, they provide frontends to express and translate pattern-based natural language requirements to formulae in a suitable logic. However, the widely used real-time model checking tool UPPAAL only supports a restricted subset of those formulae that focus only on basic and non-nested reachability, safety, and liveness properties. This restriction renders many specification patterns inapplicable. As a workaround, timed observer automata need to be constructed manually to express sophisticated requirements envisioned by these patterns. Objective: In this work, we fill these gaps by providing a comprehensive specification pattern catalog for UPPAAL. The catalog supports qualitative and real-time requirements and covers all corresponding patterns of existing catalogs. Method: The catalog we propose is integrated with UPPAAL. It supports the specification of qualitative and real-time requirements using patterns and provides an automated generator that translates these requirements to observer automata and TCTL formulae. The resulting artifacts are used for verifying systems in UPPAAL. Thus, our catalog enables an automated end-to-end verification process for UPPAAL based on property specification patterns and observer automata. Results: We evaluate our catalog on three UPPAAL system models reported in the literature and mostly applied in an industrial setting. As a result, not only the reproducibility of the related UPPAAL models was possible, but also the validation of an automated, seamless, and accurate pattern- and observer-based verification process. Conclusion: The proposed property specification pattern catalog for UPPAAL enables practitioners to specify qualitative and real-time requirements...Comment: Accepted Manuscrip

An Automatic Technique for Checking the Simulation of Timed Systems

International audienceIn this paper, we suggest an automatic technique for checking the timed weak simulation between timed transition systems. The technique is an observation-based method in which two timed transition systems are composed with a timed observer. A μ-calculus property that captures the timed weak simulation is then verified on the result of the composition. An interesting feature of the suggested technique is that it only relies on an untimed μ-calculus model-checker without any specific algorithm needed to analyze the result of the composition. We also show that our simulation relation supports interesting results concerning the trace inclusion and the preservation of linear properties. Finally, the technique is validated using the FIACRE/TINA toolset

Sémantique compositionnelle et raffinement de systèmes temporisés : application aux automates temporisés d'UPPAAL et au langage FIACRE

Les systèmes temps-réel sont massivement impliqués dans de nombreuses applications, dont notre vie dépend comme les logiciels embarqués dans les voitures et les avions. Pour ces systèmes des erreurs inattendues ne sont pas acceptables. De ce fait, assurer la correction de ces systèmes est une tâche primordiale. Les systèmes temps-réel représentent un large spectre de systèmes automatisés dont la correction dépend de la ponctualité des événements (timeliness) et pas seulement de leurs propriétés fonctionnelles. Chaque événement doit être produit selon la date indiquée par la spécification du système. Les systèmes temps-réel sont concurrents et embarqués, et conçus comme un assemblage de composants en interaction. Malgré les progrès réalisés dans les techniques de model checking, la vérification et l'analyse des systèmes temps-réel représentent toujours un défi autant pour les chercheurs que les praticiens. Pour étudier le comportement des systèmes temps-réel, différents formalismes ont été considérés comme les automates temporisés, les réseaux de Petri temporisés et les algèbres de processus. Cela donne lieu à plusieurs points délicats concernant le raffinement, la composition et la vérification. Ces points représentent un champ de recherche intensif. Ma thèse présente une étude des systèmes temps-réel focalisée sur les notions de sémantique, de composition et de raffinement. Elle décrit nos efforts pour explorer et étendre les formalismes temps-réel. Nous avons abordé les concepts de base de la modélisation des systèmes temps réel tels que les variables partagées, la communication, les priorités, la dynamicité, etc. La contribution de cette thèse porte sur la définition d’un cadre formel pour raisonner sur la sémantique, la composition et le raffinement des systèmes temporisés. Nous avons instancié ce cadre pour le formalisme des automates temporisés et le langage Fiacre.Nowadays, real-time systems are intensively involved in many applications on which our life is dependent, like embedded software in cars and planes. For these systems unexpected errors are not acceptable. Real-time systems represent a large spectrum of automated systems of which correctness depends on the timing of events (timeliness) and not only on their functional properties. Each event must be produced on time. Realtime systems can be concurrent and embedded where different interactive modules and components are assembled together. Despite advances in model checking techniques, the verification and analysis of real-time systems still represent a strong challenge for researchers and practitioners. To study the behavior of real-time systems, different formalisms have been considered like timed automata, time Petri nets and timed algebra, and several challenges concerning refinement, composition and verification have emerged. These points represent an intensive field of research. This thesis describes our effort to explore and extend real-time formalisms. We have revisited real-time language semantics, focusing on composition and refinement. We have addressed high level concepts like shared variables, communication, priorities, dynamicity, etc. The main contribution consists of a theoretical study of timed systems where we establish a framework for reasoning on composition, refinement and semantics. We instantiate this framework for timed automata and the Fiacre language

Model checking: Algorithmic verification and debugging

Turing Lecture from the winners of the 2007 ACM A.M. Turing Award.In 1981, Edmund M. Clarke and E. Allen Emerson, working in the USA, and Joseph Sifakis working independently in France, authored seminal papers that founded what has become the highly successful field of model checking. This verification technology provides an algorithmic means of determining whether an abstract model-representing, for example, a hardware or software design-satisfies a formal specification expressed as a temporal logic (TL) formula. Moreover, if the property does not hold, the method identifies a counterexample execution that shows the source of the problem.The progression of model checking to the point where it can be successfully used for complex systems has required the development of sophisticated means of coping with what is known as the state explosion problem. Great strides have been made on this problem over the past 28 years by what is now a very large international research community. As a result many major hardware and software companies are beginning to use model checking in practice. Examples of its use include the verification of VLSI circuits, communication protocols, software device drivers, real-time embedded systems, and security algorithms.The work of Clarke, Emerson, and Sifakis continues to be central to the success of this research area. Their work over the years has led to the creation of new logics for specification, new verification algorithms, and surprising theoretical results. Model checking tools, created by both academic and industrial teams, have resulted in an entirely novel approach to verification and test case generation. This approach, for example, often enables engineers in the electronics industry to design complex systems with considerable assurance regarding the correctness of their initial designs. Model checking promises to have an even greater impact on the hardware and software industries in the future.-Moshe Y. Vardi, Editor-in-Chief

On the analysis of stochastic timed systems

The formal methods approach to develop reliable and efficient safety- or performance-critical systems is to construct mathematically precise models of such systems on which properties of interest, such as safety guarantees or performance requirements, can be verified automatically. In this thesis, we present techniques that extend the reach of exhaustive and statistical model checking to verify reachability and reward-based properties of compositional behavioural models that support quantitative aspects such as real time and randomised decisions. We present two techniques that allow sound statistical model checking for the nondeterministic-randomised model of Markov decision processes. We investigate the relationship between two different definitions of the model of probabilistic timed automata, as well as potential ways to apply statistical model checking. Stochastic timed automata allow nondeterministic choices as well as nondeterministic and stochastic delays, and we present the first exhaustive model checking algorithm that allows their analysis. All the approaches introduced in this thesis are implemented as part of the Modest Toolset, which supports the construction and verification of models specified in the formal modelling language Modest. We conclude by applying this language and toolset to study novel distributed control strategies for photovoltaic microgenerators

Preservation of timed properties during an incremental development by components

International audienceWe are interested in the preservation of local properties of timed components during their integration in a timed system. Timed components are modeled as timed automata or timed automata with deadlines. Properties considered are all safety and liveness properties which can be expressed with the timed linear logic Mitl (Metric Interval Linear Logic), as well as non-zenoness and deadlock-freedom. Integration of components is a kind of incremental development which consists in checking locally the properties of the components, before integrating them in the complete system, using some composition operator. Of course, established properties have to be preserved by this integration. Checking preservation can be achieved by means of the verification of timed tau-simulation relations. Composability, compatibility and compositionality of these relations w.r.t. composition operators are properties which allow to reduce the cost of this verification. We examine these properties when integration is achieved with two different timed composition operators: the classic operator usually taken for timed systems and which uses a CSP-like composition paradigm, and a non-blocking operator closer to the CCS paradigm

Verification of timed circuits with failure-directed abstractions

Journal ArticleAbstract-This paper presents a method to address state explosion in timed-circuit verification by using abstraction directed by the failure model. This method allows us to decompose the verification problem into a set of subproblems, each of which proves that a specific failure condition does not occur. To each subproblem, abstraction is applied using safe transformations to reduce the complexity of verification. The abstraction preserves all essential behaviors conservatively for the specific failure model in the concrete description. Therefore, no violations of the given failure model are missed when only the abstract description is analyzed. An algorithm is also shown to examine the abstract error trace to either find a concrete error trace or report that it is a false negative. This paper presents results using the proposed failure-directed abstractions as applied to several large timed circuit designs