Constraint checking during error recovery

The system-level software onboard a spacecraft is responsible for recovery from communication, power, thermal, and computer-health anomalies that may occur. The recovery must occur without disrupting any critical scientific or engineering activity that is executing at the time of the error. Thus, the error-recovery software may have to execute concurrently with the ongoing acquisition of scientific data or with spacecraft maneuvers. This work provides a technique by which the rules that constrain the concurrent execution of these processes can be modeled in a graph. An algorithm is described that uses this model to validate that the constraints hold for all concurrent executions of the error-recovery software with the software that controls the science and engineering activities of the spacecraft. The results are applicable to a variety of control systems with critical constraints on the timing and ordering of the events they control

Explicit Clock Temporal Logic in Timing Constraints for Real-Time Systems

A form of explicit clock temporal logic (called TLrt) useful in specifying timing constraints on controller actions, a real-time database (rtdb) items, and constraints in a real-time constraint base (rtcb), is presented. Timing as well as other forms of constraints are stored in the rtcb. A knowledge-based approach to ensure the integrity of information in an rtdb is given. The rtcb is realized as a logic program called Constrainer, which is a historyless integrity checker for a real-time database. The consistency and integrity issues for an rtcb and rtdb are investigated. The formal bases for a temporally complete rtdb and knowledgeably complete controller are presented. A partial TLrt specification of a knowledgeable controller for a Gas Burner is given. An illustration of a rtdb and rtcb in the context of the sample real-time system is also given

A Specification and Validation Technique Based on STATEMATE and FNLOG

The original publication is available at http://www.springerlink.comInternational audienceThe paper presents a specification technique borrowing features from an formal and a semi-formal methods each in order to cover all features needed in the development of real-time and critical systems. The work is a contribution to the integration of formal and semi-formal methodsn namely STATEMATE and the temporal logic FNLOG [7]. FNLOG deals with quantitative temporal properties and is compatible with STATEMATE. The proposed integration approach uses the notations of STATEMATE and FNLOG, defines a various transformations rules of a STATEMATE specification towards FNLOG and extends the axiomatic of the temporal logic FNLOG by new lemmas to deal with duration properties. The paper presents the various steps of our integration approach

Modeling and verifying circuits using generalized relative timing

Journal ArticleWe propose a novel technique for modeling and verifying timed circuits based on the notion of generalized relative timing. Generalized relative timing constraints can express not just a relative ordering between events, but also some forms of metric timing constraints. Circuits modeled using generalized relative timing constraints are formally encoded as timed automata. Novel fully symbolic verification algorithms for timed automata are then used to either verify a temporal logic property or to check conformance against an untimed specification. The combination of our new modeling technique with fully symbolic verification methods enables us to verify larger circuits than has been possible with other approaches. We present case studies to demonstrate our approach, including a self-timed circuit used in the integer unit of the Intel® Pentium® 4 processor

Constructing Real-Time Systems from Temporal I/O Automata

A new class of communicating automata called Temporal Input/Output Automata (TAi/os) is introduced. A TAi/o is a predicate automaton used to specify real-time systems. The specification provided by a TAi/o includes state predicates with proof expressions and abstract program syntax as attributes. An abstract program is extracted during a constructive proof of the specification using the proof expressions. A TAi/o specification also includes hard, real-time constraints on program behavior. The predictability of deterministic, temporally complete TAi/o is investigated. The formulation of real-time system transductions and transduction rules for TAi/os in explicit clock temporal logic is given. An illustration of the use of TAi/os in specifying light-controlled vehicles is presented. To illustrate the methodology in constructive reasoning about a TAi/o, a proof which derives a partial abstract program is given

Precise specification matching for adaptive reuse in embedded systems

AbstractSpecification matching is a key to reuse of components in embedded systems. Existing specification matching techniques for embedded systems are designed to match reactive behaviors using adaptive techniques to dynamically alter behaviors. However, correct specification matching demands both behavioral matching (that checks component adaptability) and functional matching (that ensures that proper functionality is reused). While approaches for behavioral matching exist, combined functional and behavioral matching during component reuse in embedded systems is lacking. This paper presents a precise specification matching, including both behavioral and functional matching. We introduce attributed labeled transition systems (ALTS) to formally specify component behavior and functionalities. Given ALTS of a new specification (a function F) and an existing component (a device D), a new refinement relation from F to D, called an S-matching relation, is proposed for precise specification matching. The existence of an S-matching relation is also shown to be a necessary and sufficient condition for the existence of a correct adapter to adapt D to match F both behaviorally and functionally. Automated component adaptation is facilitated by a matching tool implemented in a tabled logic programming environment, which provides distinct advantages for rapid implementation. Practical examples are given to illustrate how the concrete adapter is derived automatically from specification matching

Towards a verified transformation from AADL to the formal component-based language FIACRE

International audienceDuring the last decade, aadl  is an emerging architecture description languages addressing the modeling of embedded systems. Several research projects have shown that aadl  concepts are well suited to the design of embedded systems. Moreover, aadl  has a precise execution model which has proved to be one key feature for effective early analysis. In this paper, we are concerned with the foundational aspects of the verification support for aadl. More precisely, we propose a verification toolchain for aadl  models through its transformation to the Fiacre language which is the pivot verification language of the TOPCASED project: high level models can be transformed to Fiacre  models and then model-checked. Then, we investigate how to prove the correctness of the transformation from AADL into Fiacre and present related elementary ingredients: the semantics of aadl  and Fiacre  subsets expressed in a common framework, namely timed transition systems. We also briefly discuss experimental validation of the work

Constructively Typed Timed Automata

A new class of communicating automata called typed Timed lnput/Output Automata (tTAi/os) is introduced. A tTAi/o is a predicate automaton used for specifying and reasoning about real-time systems. The typing discipline suggested for predicate automata is in the tradition of Martin-Löf\u27s constructive type theory. A type A is a proposition, which is defined when a prescription for constructing a proof of A is given. A fragment of Girard\u27s linear logic is used in classifying state types. An illustration of the use of tTAi/os in specifying a light-controller is presented. An abstract program is extracted during a proof of an automaton specification. To illustrate the methodology in constructive reasoning about a tTAi/o, a proof which derives a partial abstract program is given

Safe code transfromations for speculative execution in real-time systems

Although compiler optimization techniques are standard and successful in non-real-time systems, if naively applied, they can destroy safety guarantees and deadlines in hard real-time systems. For this reason, real-time systems developers have tended to avoid automatic compiler optimization of their code. However, real-time applications in several areas have been growing substantially in size and complexity in recent years. This size and complexity makes it impossible for real-time programmers to write optimal code, and consequently indicates a need for compiler optimization. Recently researchers have developed or modified analyses and transformations to improve performance without degrading worst-case execution times. Moreover, these optimization techniques can sometimes transform programs which may not meet constraints/deadlines, or which result in timeouts, into deadline-satisfying programs. One such technique, speculative execution, also used for example in parallel computing and databases, can enhance performance by executing parts of the code whose execution may or may not be needed. In some cases, rollback is necessary if the computation turns out to be invalid. However, speculative execution must be applied carefully to real-time systems so that the worst-case execution path is not extended. Deterministic worst-case execution for satisfying hard real-time constraints, and speculative execution with rollback for improving average-case throughput, appear to lie on opposite ends of a spectrum of performance requirements and strategies. Deterministic worst-case execution for satisfying hard real-time constraints, and speculative execution with rollback for improving average-case throughput, appear to lie on opposite ends of a spectrum of performance requirements and strategies. Nonetheless, this thesis shows that there are situations in which speculative execution can improve the performance of a hard real-time system, either by enhancing average performance while not affecting the worst-case, or by actually decreasing the worst-case execution time. The thesis proposes a set of compiler transformation rules to identify opportunities for speculative execution and to transform the code. Proofs for semantic correctness and timeliness preservation are provided to verify safety of applying transformation rules to real-time systems. Moreover, an extensive experiment using simulation of randomly generated real-time programs have been conducted to evaluate applicability and profitability of speculative execution. The simulation results indicate that speculative execution improves average execution time and program timeliness. Finally, a prototype implementation is described in which these transformations can be evaluated for realistic applications