Gabor Madl

Verifying distributed real-time properties of embedded systems via graph transformations and model checking

Component middleware provides dependable and efficient platforms that support key functional, and quality of service (QoS) needs of distributed real-time embedded (DRE) systems. Component middleware, however, also introduces challenges for DRE system developers, such as evaluating the predictability of DRE system behavior, and choosing the right design alternatives before committing to a specific platform or platform configuration. Model-based technologies help address these issues by enabling design-time analysis, and providing the means to automate the development, deployment, configuration, and integration of component-based DRE systems. To this end, this paper applies model checking techniques to DRE design models using model transformations to verify key QoS properties of component-based DRE systems developed using Real-time CORBA. We introduce a formal semantic domain for a general class of DRE systems that enables the verification of distributed non-preemptive real-time scheduling. Our results show that model-based techniques enable design-time analysis of timed properties and can be applied to effectively predict, simulate, and verify the event-driven behavior of component-based DRE systems.

Performance estimation of distributed real-time embedded systems by discrete event simulations

Key challenges in the performance estimation of distributed real-time embedded (DRE) systems include the systematic measurement of coverage by simulations, and the automated generation of directed test vectors. This paper investigates how DRE systems can be represented as discrete event systems (DES) in continuous time, and proposes an automated method for the performance evaluation of such systems. The proposed method also provides a way for the verification of dense time properties for a large class of DRE systems. This approach provides a formal executable model allowing to bridge the gap between simulations and formal verification. Our results show that the proposed DES-based evaluation method can achieve better coverage in large-scale DRE systems than alternative methods.

Model-based analysis of distributed real-time embedded system composition

Key challenges in distributed real-time embedded (DRE) system developments include safe composition of system components and mapping the functional specifications onto the target platform. Model-based verification techniques provide a way for the design-time analysis of DRE systems enabling rapid evaluation of design alternatives with respect to given performance measures before committing to a specific platform. This paper introduces a semantic domain for model-based analysis of a general class of DRE systems capturing their key time-based performance measures. We then utilize this semantic domain to develop a verification strategy for preemptive schedulability using available model checking tools. The proposed framework and verification strategy is demonstrated on a mission-critical avionics DRE system case study.

Automatic verification of component-based real-time CORBA applications

Distributed real-time embedded (DRB) systems often need to satisfy various time, resource and fault-tolerance constraints. To manage the complexity of scheduling these systems many methods use rate monotonic scheduling assuming a time-triggered architecture. This paper presents a method that captures the reactive behavior of complex time- and event-driven systems, can provide simulation runs and can provide exact characterization of timed properties of component-based DRE applications that use the publisher/subscriber communication pattern. We demonstrate our approach on real-time CORBA avionics applications.

Formal performance evaluation of AMBA-based system-on-chip designs

The ARM Advanced Microcontroller Bus Architecture (AMBA) is a widely used interconnection standard for SoC design. In order to support high-speed pipelined data transfers, AMBA supports a rich set of bus signals, making the analysis of AMBA-based embedded systems a challenging proposition. This paper makes two main contributions to the analysis and evaluation of AMBA-based SoC designs. The first contribution is to provide a method for the performance analysis and evaluation of AMBA-based SoC designs using formal models. This method provides a way to obtain the end-to-end execution bounds of AMBA-based SoC designs, and guarantees the correctness of the results. The second contribution is to use these formal models to prove the functional correctness of the SoC designs. Using our formal models, we were able to uncover an ambiguous case in the AMBA specification that can lead to deadlocks. This case has not been previously documented by methods focused on AMBA protocol verification. Finally, we validate the proposed performance analysis approach by comparing results with a SystemC implementation of a digital camera case study.

Towards Scalable Verification of Commercial Avionics Software

We describe a model-based approach for the automated verification of avionics systems that has been applied in Honeywell for the certification of complex commercial avionics applications, such as flight controls and engine controls. The approach uses a symbolic analysis framework for MATLAB Simulink models, utilizing range arithmetic to represent both test cases and equivalence-class transformations within a model of behavioral requirements. Backwards search from a set of desired test-case values within the model is combined with forward-directed simulation to resolve constraints and compute values in the visited paths, leading to a set of model-level input/output values that produce the test cases. We also describe a common design flaw that was uncovered in an early design phase by utilizing this approach. We argue that finding such designs flaws is extremely difficult by alternative methods such as directed or random simulations and traditional model checkers. Utilizing our approach, Honeywell has achieved better than 20 speedup on average in certification costs compared to traditional analysis and testing methods, while maintaining scalability on complex real-life problems.

A Conservative Approximation Method for the Verification of Preemptive Scheduling Using Timed Automata

This paper presents a conservative approximation method for the real-time verification of asynchronous event-driven distributed systems. This problem is known to be undecidable in the generic setting. The proposed approach is based on composable timed automata models that provide a sufficient condition to determine schedulability. We demonstrate the method on a real-time CORBA avionics design.

Cross-Abstraction Functional Verification and Performance Analysis of Chip Multiprocessor Designs

This paper introduces the cross-abstraction real-time analysis (Carta) framework for the model-based functional verification and performance estimation of chip multiprocessors (CMPs) utilizing bus matrix (crossbar switch) interconnection networks. We argue that the inherent complexity in CMP designs requires the synergistic use of various models of computation to efficiently manage the tradeoffs between accuracy and complexity. Our approach builds on domain-specific modeling languages (DSMLs) driving an open-source tool-chain that provides a cross-abstraction bridge between the finite-state machine (FSM), discrete-event (DE), and timed automata (TA) models of computation, and utilizes multiple model checkers to analyze formal properties at the cycle-accurate and transaction-level abstractions. The cross-abstraction analysis exploits accuracy for functional verification, and achieves significant speedups for performance estimation with marginal accuracy loss. We demonstrate results on an industrial strength networking CMP design utilizing a bus matrix interconnection network. To the best of our knowledge, the Carta framework is the first model-based tool-chain that utilizes multiple abstractions and model checkers for the comprehensive and formal functional verification, performance estimation, and real-time verification of bus matrix-based CMP designs.

Fine-grain analysis of common coupling and its application to a Linux case study

Common coupling (sharing global variables across modules) is widely accepted as a measure of software quality and maintainability; a low level of common coupling is necessary (but not sufficient) to ensure maintainability. But when the global variables in question are large multi-field data structures, one must decide whether to consider such data structures as single units, or examine each of their fields individually. We explore this issue by re-analyzing a case study based on the Linux operating system. We determine the common coupling at the level of granularity of the component fields of large, complex data structures, rather than at the level of the data structures themselves, as in previous work. We claim that this is the appropriate level of analysis based on how such data structures are used in practice, and also that such a study is required due to concern that coarse-grained analysis leads to false coupling. We find that, for this case study, the granularity does not have a decisive effect on the results. In particular, our results for coupling based on individual fields are similar in spirit to the results reported previously (by others) based on using complete data structures. In both cases, the coupling indicates that the system kernel is vulnerable to modifications in peripheral modules of the system.

Enabling heterogeneous cycle-based and event-driven simulation in a design flow integrated using the SPIRIT consortium specifications

The practical application of electronic system-level (ESL) design has been a key challenge of transaction-level modeling (TLM) methodologies in the past few years. While the benefits of ESL are well known, making the investment pay-off has required two key factors to be resolved: the simulation speed of the virtual platform model has to be fast enough to enable software design, and the flow from ESL design to implementation has to be seamless. We introduce two themes to address these issues: cycle-based simulation and a multi-vendor design-flow integrated using the IP-XACTTM specifications from The SPIRIT Consortium. Through experimentation with the ARM RealView® SoC Designer flow, and the Synopsys coreAssembler tool and Galaxy suite of tools, we show that competent solutions to both of these adoption issues exist in the industry today.