introduction to embedded systems chapter 14 reachability analysis (14.1, 14.2.1 – 14.2-2)
DESCRIPTION
Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2). Hao Zheng U of South Florida. The Challenge of Dependable Software in Embedded Systems. Today ’ s medical devices run on software… software defects can have life-threatening consequences. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/1.jpg)
Introduction to Embedded Systems
Chapter 14 Reachability Analysis(14.1, 14.2.1 – 14.2-2)
Hao Zheng
U of South Florida
![Page 2: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/2.jpg)
2
The Challenge of Dependable Software in Embedded Systems
“In 1 of every 12,000 settings, the software can cause an error in the programming resulting in the possibility of producing paced rates up to 185 beats/min.”
Today’s medical devices run on software… software defects can have life-threatening consequences.
“the patient collapsed while walking towards the cashier after refueling his car […] A week later the patient complained to his physician about an increasing feeling of unwell-being since the fall.”
[different device]
[Journal of Pacing and Clinical Electrophysiology, 2004]
![Page 3: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/3.jpg)
3
Graph of FSM modeling 2 trains
and a bridge traffic controller.
Is it possible for the trains to be on a collision path?
[Moritz Hammer, Uni. Muenchen]
![Page 4: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/4.jpg)
4
Reachability Analysis and Model Checking
Reachability analysis is the process of computing the set of reachable states for a system. all three problems can be solved using
reachability analysis
Model checking is an algorithmic method for determining if a system satisfies a formal specification expressed in temporal logic.
Model checking typically performs reachability analysis.
![Page 5: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/5.jpg)
5
A General View of Model Checking
S
E
Compose Verify
Property
System
Environment
YES[proof]
NOcounterexample
M
![Page 6: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/6.jpg)
6
Open vs. Closed Systems
A closed system is one with no inputs
For verification, we obtain a closed system by composing the system and environment models
![Page 7: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/7.jpg)
7
Model Checking G p
Consider an LTL formula of the form Gp where p is a proposition (p is a property on a single state)
To verify Gp on a system M, one simply needs to enumerate all the reachable states and check that they all satisfy p.
The state space found is typically represented as a directed graph called a state graph.
When M is a finite-state machine, this reachability analysis will terminate (in theory).
In practice, though, the number of states may be prohibitively large consuming too much run-time or memory (the state explosion problem).
![Page 8: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/8.jpg)
8
Traffic Light Controller Example
![Page 9: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/9.jpg)
9
Composed FSM for Traffic Light Controller
This FSM has 188 states (due to different values of count)
![Page 10: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/10.jpg)
10
Reachability Analysis Through Graph Traversal
Construct the state graph on the fly
Start with initial state, and explore next states using a suitable graph-traversal strategy.
A state is a collection of a FSM state and values of all variables.
initial state: (red, crossing, count==0)
A successor: (red, crossing, count==1
![Page 11: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/11.jpg)
11
Depth-First Search (DFS)
Maintain 2 data structures:1.Set of visited states R2.Stack with current path from the initial state
Potential problems for a huge graph? State explosion
![Page 12: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/12.jpg)
12
Explicit State Model Checking Example
R = { (red, crossing, 0) }
![Page 13: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/13.jpg)
13
Explicit State Model Checking Example
R = { (red, crossing, 0), (red, crossing, 1) }
![Page 14: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/14.jpg)
14
Explicit State Model Checking Example
R = { (red, crossing, 0), (red, crossing, 1), … (red, crossing, 60) }
![Page 15: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/15.jpg)
15
Explicit State Model Checking Example
R = { (red, crossing, 0), (red, crossing, 1), … (red, crossing, 60),
(green, none, 0) }
![Page 16: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/16.jpg)
16
Explicit State Model Checking Example
R = { (red, crossing, 0), (red, crossing, 1), … (red, crossing, 60),
(green, none, 0), (green, none, 1) }
![Page 17: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/17.jpg)
17
Explicit State Model Checking Example
R = { (red, crossing, 0), (red, crossing, 1), … (red, crossing, 60),
(green, none, 0), (green, none, 1), …, (green, none, 60) }
![Page 18: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/18.jpg)
18
Explicit State Model Checking Example
R = { (red, crossing, 0), (red, crossing, 1), … (red, crossing, 60),
(green, none, 0), (green, none, 1), …, (green, none, 60),
(yellow, waiting, 0) }
![Page 19: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/19.jpg)
19
Explicit State Model Checking Example
R = { (red, crossing, 0), (red, crossing, 1), … (red, crossing, 60),
(green, none, 0), (green, none, 1), …, (green, none, 60),
(yellow, waiting, 0), … (yellow, waiting, 5) }
![Page 20: Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2)](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813a47550346895da23999/html5/thumbnails/20.jpg)
20
Explicit State Model Checking Example
R = { (red, crossing, 0), (red, crossing, 1), … (red, crossing, 60),
(green, none, 0), (green, none, 1), …, (green, none, 60),
(yellow, waiting, 0), … (yellow, waiting, 5),
(pending, waiting, 1), …, (pending, waiting, 60) }