A dynamically reconfigurable system can change its configuration during operation, and studies of such systems are being carried out in many fields. In particular, medical technology and aerospace engineering must ensure system safety because any defect will have serious consequences. Model checking is a method for verifying system safety. In this paper, we propose the Dynamic Linear Hybrid Automaton (DLHA) specification language and show a method to analyze reachability for a system consisting of several DLHAs.
Dynamically reconfigurable systems can change their configuration during operation. Such systems are being used in a number of areas [
In this paper, we propose the Dynamic Linear Hybrid Automaton (DLHA) specification language for describing dynamically reconfigurable systems and provide a reachability analysis algorithm for verifying system safety.
The target of our research is an embedded system in which a CPU and dynamically reconfigurable hardware, e.g., DRP (Dynamically Reconfigurable Processor) or dynamically reconfigurable FPGA (Field-Programmable Gate Array) [
・ Dynamic creation/destruction of functions: when a process occurs, the DRP constitutes a private circuit for processing it. The circuit configuration is released after the process finishes.
・ Hybrid property: the operation frequency changes whenever a context switch occurs.
・ Parallel execution: the DRP executes several processes on the same board at the same time.
・ Queue for communication: the DRP asynchronously receives processing requests from the CPU.
We devised the following new specification techniques for dynamically reconfigurable systems consisting of CPUs and DRPs:
・ We use linear hybrid automata [
・ We use linear hybrid automata that have creation/destruction events describing dynamic creations and destructions of configuration components.
・ We use FIFO queues describing asynchronous communication.
We developed a new specification language (DLHA) based on a linear hybrid automaton with both creation/destruction events and unbounded FIFO queues. DLHA is different from existing research in the following points:
・ V. Varshavsky and J. Esparza proposed the GALA (Globally Asynchronous - Locally Arbitrary) modeling approach including timed guards [
・ S. Minami and others have specified a dynamically reconfigurable system using linear hybrid automata and have verified it by using a model checker, H YT ECH [
The originality of our work on the verification method is twofold:
・ Our method targets systems that dynamically change their configurations, which is something the existing work, such as H YT ECH, has studied. We extend the syntax and semantics of linear hybrid automata with special actions called creation actions and destruction actions. We define a state in which an automaton does not exist and transitions for creation and destruction.
・ Our method is a comprehensive symbolic verification for hybrid properties, FIFO queues and creation/destruction of tasks.
For the experiments, we specified a dynamically reconfigurable embedded system consisting of a CPU and DRP, and verified some of its important features. This is the first time that specification and verification of dynamic changes have been tried in a practical case.
Here, we describe related work and how it differs from our work.
・ P. C. Attie and N. A. Lynch specified systems whose components are dynamically created/destroyed by using I/O automata [
・ H. Yamada and others proposed hierarchical linear hybrid automata for specifying dynamically reconfigurable systems [
・ B. Boigelot and P. Godefroid specified a communication protocol in terms of finite-state machines and unbounded FIFO buffers (queues), and they verified it [
・ A. Bouajjani and others proposed a reachability analysis for pushdown automata and a symbolic reachability analysis for FIFO-channel systems [
Definition 1 (Constraint). Let V be a finite set of variables. A constraint
where
Definition 2 (Flow condition). Let
where
For each variable x, we use the dotted variable
Definition 3 (Update Expression). Let V be a finite set of variables. An update expression upd on V is defined as
where
A dynamic linear hybrid automaton (DLHA) is a tuple
・
・
・
・
・
-
-
-
Moreover, we formalize the following special actions:
- A creation action that has the form
- A destruction action that has the form
- An enqueue action that has the form
- A dequeue action that has the form
・
・
・
A state
where
We define the semantics
・
・
・
The following rules define time and discrete transitions:
Definition 4 (Time transition of a DLHA). For any
・
・
where
Definition 5 (Discrete transition of a DLHA). For an evaluation
・ For any transition
・ (Creation of a DLHA) For the initial transition
・ (Destruction of a DLHA) For any destruction-transition
For the initial transition
To describe an asynchronous communication among DLHAs in a dynamically reconfigurable system (DRS), we use a queue (unbounded FIFO buffer) as a model of the communication channel. We assume that the system performs lossless transmission, so we can let the queue be unbounded.
A dynamically reconfigurable system (DRS)
A state
・
・
Definition 6 (Time Transition of a DRS). For an arbitrary
Definition 7 (Discrete Transition of a DRS). Let
・ For any output action
An output action is broadcasted to all DLHAs, and a DLHA receiving the action moves by synchronization if the guard condition holds in the state.
・ For an internal action
- in the case of
- while in the case of
- otherwise,
A run (or path)
where
The initial state
Example 1 (DLHA and DRS). A DLHA is represented by a directed graph, where each node represents a location and each edge represents a transition.
where
This system runs as follows:
1)
2) When
3) After
4) This system infinitely repeats steps 1) to 3).
For example, (1) shows a run
We define reachability and the reachability problem for a DRS as follows:
Definition 8 (Reachability). For a DRS
where
Definition 9 (Reachability Problem). Given a DRS
Our method introduces convex polyhedra for the reachability analysis in accordance with [
A polyhedron is convex if it can be defined by a formula which is a conjunction of linear formulae. For a set
Example 2 (Convex Polyhedron). The formula
We define a state s in the reachability analysis as
・
・
・
1. Compute an initial state
2. Initialize a traversed set
3. While
(a) Take a state
(b) If the set
(c) If the state has not been traversed yet (
i. add the state into
ii. compute the set
iii. add all components of
Subroutine Succ
where
Let the initial state of
Here,
Let the set of all variables in the system and their derivatives be
where
For a convex polyhedron
where
Given a state
1. For each transition
(a) Compute the convex polyhedron for the time transition (line 4).
(b) If a is an internal action,
i. Compute the set of locations (line 8)
ii. Compute the convex polyhedron for the discrete transition (line 9)
iii. If a is an enqueue action
where
iv. If a is a dequeue action
v. If a is another internal action (line 22),
(c) If a is an output action
(d) If a is an input action,
Subroutine Syncs
1. Initialize
2. Compute a convex polyhedron
3. For each
4. Compute the set
5. For each combination
(a) Compute the set
(b) Compute the set
where
(c) Compute the update expression
where
(d) Compute the conjunction of guard conditions (ll.9-14).
(e) Compute the convex polyhedron
where
(f) If
The correctness of this algorithm is implied by Lemma 1 and Lemma 2.
Lemma 1. If the algorithm terminates and returns “
Lemma 2. If this algorithm terminates and returns “
By definition, all linear hybrid automata are DLHAs. Our system dynamically changes its structure by sending and receiving messages. However, the messages statically determine the structure, and the system is a linear hybrid automaton with a set of queues. It is basically equivalent to the reachability analysis of a linear hybrid automaton. Therefore, the reachability problem of DRSs is undecidable, and this algorithm might not terminate [
Moreover, in some cases, a system will run into an abnormal state in which the length of a queue becomes infinitely long, and the verification procedure does not terminate.
We implemented a model checker of DRSs consisting of DLHAs in Java (about 1600 lines of code) by using the LAS, PPL, and QDD external libraries [
For the specification of the input model, we extended the syntax and semantics of DLHA as follows:
・ A transition between locations can have a label asap (that means “as soon as possible”). For a transition labeled asap, a time transition does not occur just before the discrete transition.
・ Each DLHA can have constraints and update expressions for the variables of another DLHA in the same system. That is, for each DLHA, invariants, guard conditions, update expressions and flow conditions can be used by all DLHAs.
For example,
We have specified a dynamically reconfigurable embedded system consisting of a CPU and DRP for the model described in our previous research [
The system, whose components are illustrated in
Task | Period | Deadline | Priority | Process |
---|---|---|---|---|
A | 70 ms | 70 ms | high | 20 ms, co-task a0, |
10 ms, co-task b0 | ||||
B | 200 ms | 200 ms | low | co-task a1, 97 ms |
co-task | Processing time | Deadline | Tiles | Rate of Frequency |
---|---|---|---|---|
a0, a1 | 10 ms | 15 ms | 2 | 1 |
b0 | 5 ms | 10 ms | 6 | 1/2 |
TaskA (
TaskA and TaskB send a message to The Sender if they need a co-task. The Sender (
The DRP_Dispatcher (
We have the parameters of the model in subsection 5.2.1 and conducted experiments with it.
・ Modified Tasks: We modified the parameters of the tasks on the CPU as shown in
・ Modified co-tasks: We modified the parameters of the co-tasks on the DRP, as shown in
Task | Period | Deadline | Priority | Process |
---|---|---|---|---|
A | 90 ms | 80 ms | high | 20 ms, co-task b0, |
20 ms, co-task a0 | ||||
B | 200 ms | 150 ms | low | co-task a1, 70 ms |
co-task | Processing time | Deadline | Tiles | Rate of Frequency |
---|---|---|---|---|
a0, a1 | 5 ms | 10 ms | 4 | 1 |
b0 | 10 ms | 20 ms | 5 | 1/3 |
We verified that the embedded systems described in subsection 5.2 provide the following properties by using monitor automata (Figures 21-25). The verification experiment was performed on a machine with an Intel (R) Core (TM) i7-3770 (3.40 GHz) CPU and 16 GB RAM running Gentoo Linux (3.10.25-gentoo).
The experimental results shown in
・ Regarding the schedulability of the modified tasks model, the processing time is shorter than that of the original model since the verification terminates if a counterexample is found.
・ In the cases of the modified co-tasks, the most obvious explanation is that the state- space is smaller than that of the original model since the number of branches in the search tree (i.e. nondeterministic transitions in this system) is reduced by changing the start timings of the tasks and co-tasks with the parameters.
・ In cases other than those of the modified tasks, it is considered that the state-space is smaller than that of the original model because this system is designed to stop processing when a task exceeds its deadline.
Here, schedulability is a property in which each task of the system finishes before its deadline. Let
In the embedded system, each co-task must be created before the remaining time in the task calling it reaches its deadline. When the message
Each co-task must be destroyed before the waiting time reaches its deadline. For the co-task a0, when the message
Creating or destroying a co-task, the DRP changes the operating frequency corresponding to the co-tasks being processed. Since this system requires that the frequency is always at the minimum value, the monitor checks whether the frequency manager (Frequency_Manager) moves to the correct location when it receives a message for creating a co-task. For example, when co-task a0 and co-task b0 are running on the DRP, Frequency_Manager must be at location
Model | Property | Satisfiability | Memory [MB] | Time [sec] | The number of states |
---|---|---|---|---|---|
Original: | Schedulability | yes | 168 | 180 | 1220 |
Creation of co-tasks | yes | 92 | 315 | 1220 | |
Destruction of co-tasks | yes | 154 | 233 | 1220 | |
Frequency Management | yes | 173 | 265 | 1220 | |
Tile Management | yes | 167 | 234 | 1220 | |
Modified tasks: | Schedulability | no | 105 | 10.2 | 91 |
Creation of co-tasks | yes | 117 | 145 | 771 | |
Destruction of co-tasks | yes | 82 | 151 | 771 | |
Frequency Management | yes | 197 | 115 | 771 | |
Tile Management | yes | 135 | 107 | 771 | |
Modified co-tasks: | Schedulability | yes | 83 | 141 | 768 |
Creation of co-tasks | yes | 85 | 183 | 768 | |
Destruction of co-tasks | yes | 86 | 191 | 768 | |
Frequency Management | yes | 104 | 141 | 768 | |
Tile Management | yes | 119 | 134 | 768 |
When the DRP receives a message for creating of a co-task and the number of free tiles is enough to process it, the dispatcher creates the co-task. The dispatcher then updates the number of used tiles. The monitor automaton checks whether the number tiles in DRP_Dispatcher is always between 0 and the maximum number, 8 in this case (
We proposed a dynamic linear hybrid automaton (DLHA) as a specification language for dynamically reconfigurable systems. We also devised an algorithm for reachability analysis and developed a model checker for verifying the system. Our future research will focus on a more effective method of verification, for example, model checking with CEGAR (Counterexample-guided abstraction refinement) and bounded model checking based on SMT (Satisfiability modulo theories) [
Yanase, R., Sakai, T., Sakai, M. and Yamane, S. (2016) Specification and Verification of Dynamically Reconfigurable Systems Using Dynamic Linear Hybrid Automata. Journal of Software Engineering and Applications, 9, 452- 478. http://dx.doi.org/10.4236/jsea.2016.99030