model-based code generation - omgmotivation • formal specification of hybrid systems –subject to...
TRANSCRIPT
![Page 1: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/1.jpg)
Model-based Code Generation– CHARON Case Study
Jesung Kimin collaboration with
Rajeev Alur, Yerang Hur, Franjo Ivancic,Insup Lee, and Oleg Sokolsky
University of Pennsylvania
![Page 2: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/2.jpg)
Contents
• Motivation• CHARON overview• Example: Sony dog• Code generation procedure• Soundness of generated code• Preventing switching errors• Conclusion
![Page 3: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/3.jpg)
Motivation
• Formal specification of hybrid systems– Subject to formal verification
• Automatic generation of the code– Elimination of coding errors
• Formulation of the differences between themodel and the generated code– Bounded difference desired
• Case study in a robotic platform (AIBO)– Code generation for fairly complicated systems
![Page 4: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/4.jpg)
CHARON Framework
• Language for formal specification of hybrid systems– Analog variable– Differential/algebraic equation– Discrete state transition
• Hierarchical specification– Architectural hierarchy
• agent: communicating entity– Behavioral hierarchy
• mode: hierarchical state machinewith continuous dynamics
• Simulation• Model checking• Code generation• Run-time verification
![Page 5: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/5.jpg)
Example: Four Legged Robot
• Control objective– v = c
• High-level control laws
• Low-level control laws
)LL2
LLarccos(
)L2
LLarccos()/arctan(
21
22
21
22
2
221
22
21
22
1
−++=
+
−++−=
yxj
yxyxyxj
x
y
j1
j2
L1
(x, y)
2/stride−≥
−=
xvx&
kvy =&2/stride≤
=
xkvx&
kvy −=&
v
L2
*[LCTES 2003] R. Alur, F. Ivancic, J. Kim, I. Lee, and O. Sokolsky.Generating embedded software from hierarchical hybrid models.
![Page 6: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/6.jpg)
CHARON Code Generator
• CHARON code generator translates CHARON modelsinto C++ code– Each object of CHARON models is translated into a C++
structure• Generated C++ code is compiled by the target compiler
along with additional code– Run-time scheduler: invokes active components periodically– API interface routines: associates variables with devices
![Page 7: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/7.jpg)
Translation of CHARON models• Analog variable
– C++ class: read and write to variables can be mapped to system API• Differential equation
– Euler’s method: x’ == 10 x += 10 * h (h: step size)– Runge-Kutta method
• Algebraic equation– Assignment statement executed in a data dependency order
• x == 2y; y == 2z y = 2z; x = 2y;• Invariant
– Assertion statement for runtime verification– Instrumented for safer check
• Discrete transition– If-then statement
• urgent transition policy– “Instrumented” if-then statement
• not-so-urgent transition policy• Mode
– C++ class: collection of variables, equations, transitions, and reference to submodes• Agent
– C++ class: interleave execution of each step of subagents
![Page 8: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/8.jpg)
Soundness of Generated Code• Code may behave differently from the model:
– Numerical errors (numerical integration)– Floating-point errors (fixed precision arithmetic)– Switching errors
• Missed switching: enabled transition is missed due to discrete testing ofswitching conditions [LCTES 2003]
• Invalid switching: disabled transition is evaluated as enabled due to differentupdate frequencies of shared variables [HSCC 2004]
Properties held in the model may not be guaranteed in the code evenif automatically generated!
• How to check / prevent switching errors?– Exploit non-determinism of the model
• Check the model if it gives sufficient room for the code to take a switch– Design the switching policy
• Take switching conservatively to prevent an invalid switch
[LCTES 2003] R. Alur, F. Ivancic, J. Kim, I. Lee, and O. Sokolsky. Generating embedded software from hierarchical hybrid models.[HSCC 2004] Y. Hur, J. Kim, J. Choi, and I. Lee. Sound code generation from communicating hybrid models.
![Page 9: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/9.jpg)
Switch Misspo
sitio
n of
the
tai
l
time
25
-25
x == 25 x == -25d(x) = 1x <= 25
d(x) = -1x >= -25
d(x) = 1x <= 25
invariant violation
![Page 10: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/10.jpg)
Analysis of Switch Miss• Given a step size Δ and a CHARON model, check whether
for all pairs of invariants I and guards G of switch (= Δ-lookahead agent)
• If so, the generated code will produce a valid executiontrace– The code performs a switch immediately when the guard is true
• Otherwise, even for the generated code we cannotguarantee a valid execution trace.€
PostΦ(I \G,Δ)⊆ I
![Page 11: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/11.jpg)
Invalid Switch• Variables x1, x2, … are updated by different steps ∆1, ∆2, …• Code evaluates switching conditions f(x1, x2, …) by referencing x1(t1), x2(t2),
…– (x1(t1), x2(t2), …) may not on the trajectory of (x1, x2, …) unless t1 == t2 == …
x2
guard of the model
instrumented guard of the code
γ
false-enabled transition conditionmaximum error x1
![Page 12: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/12.jpg)
Preventing Invalid Switch throughGuard Instrumentation• Exploit non-determinism in the guard conditions
– Transition can (but need not immediately) be takenwhen the guard is enabled
• Compute a maximum error due to asynchrony– max(|x’|*∆)
• assumption: independent dynamics and rectangular guardsets
• “Tighten” the guards such that transitions are notfalsely enabled at the presence of the maximumerror– Trace of discrete states is equivalent to that of the
model
![Page 13: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/13.jpg)
Example
1=y& 0=y&
1200100
=
+−=
zzx
&
&
11
=
−=
zx&
&
-150
2
50
3>z
x≥50+γ, y>2
γ max(h))max x(t) (=0.002max (-100t + 200)=
= 0.4switching error
h=0.002
h=0.001
γ
*[HSCC 2004] Y. Hur, J. Kim, J. Choi, and I. Lee. Sound code generation from Communicating Hybrid models.
0:150:
=
−=
zx
0:=y
![Page 14: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/14.jpg)
i nvaria nt
gua rd
Transition Policy
lead to future invariant violation model checking
inconsistent behavior due to noisy values instrumentation
sound behavior
trajectory
sound behavior performing better
event detection
![Page 15: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/15.jpg)
Design Flow of our Framework
• Communicating Hybrid Automata– Continuous time domain
• Discretized CommunicatingHybrid Automata– Single discrete time domain
• Instrumented CommunicatingHybrid Automata– Each automaton having its own
discrete time domain– Guard “instrumented” to prevent
errors due to different timedomains
• Code– Machine executable
Communicating HybridAutomata
Discretized CommunicatingHybrid Automata
InstrumentedCommunicating Hybrid
Automata
Code
Continuous time
Discrete synchronous time
Discretetime domain
Heterogeneousdiscrete time domain
Real-time constraints Discrete asynchronous time
![Page 16: Model-based Code Generation - OMGMotivation • Formal specification of hybrid systems –Subject to formal verification • Automatic generation of the code –Elimination of coding](https://reader034.vdocuments.us/reader034/viewer/2022042300/5ecaa0cb3d077d7ca90ecd59/html5/thumbnails/16.jpg)
Summary
• CHARON code generator automates translation ofcomplicated hybrid systems specification into modularC++ code
• Each C++ module can be mapped to a periodic task ofRTOS of the target system to approximate continuousupdate
• Even automatically generated code is not semanticallyequivalent to the original model:– Numerical errors, floating-point errors, switching errors…
• Switching errors due to different update rates of sharedvariables can be prevented through instrumentation ofthe switching conditions