A dynamically reconfigurable system can change its configuration during operation, and studies of such systems are being carried out in many fields. In particular, medical technology and aerospace engineering must ensure system safety because any defect will have serious consequences. Model checking is a method for verifying system safety. In this paper, we propose the Dynamic Linear Hybrid Automaton (DLHA) specification language and show a method to analyze reachability for a system consisting of several DLHAs.
Dynamically reconfigurable systems can change their configuration during operation. Such systems are being used in a number of areas [
In this paper, we propose the Dynamic Linear Hybrid Automaton (DLHA) specification language for describing dynamically reconfigurable systems and provide a reachability analysis algorithm for verifying system safety.
The target of our research is an embedded system in which a CPU and dynamically reconfigurable hardware, e.g., DRP (Dynamically Reconfigurable Processor) or dynamically reconfigurable FPGA (FieldProgrammable Gate Array) [
・ Dynamic creation/destruction of functions: when a process occurs, the DRP constitutes a private circuit for processing it. The circuit configuration is released after the process finishes.
・ Hybrid property: the operation frequency changes whenever a context switch occurs.
・ Parallel execution: the DRP executes several processes on the same board at the same time.
・ Queue for communication: the DRP asynchronously receives processing requests from the CPU.
We devised the following new specification techniques for dynamically reconfigurable systems consisting of CPUs and DRPs:
・ We use linear hybrid automata [
・ We use linear hybrid automata that have creation/destruction events describing dynamic creations and destructions of configuration components.
・ We use FIFO queues describing asynchronous communication.
We developed a new specification language (DLHA) based on a linear hybrid automaton with both creation/destruction events and unbounded FIFO queues. DLHA is different from existing research in the following points:
・ V. Varshavsky and J. Esparza proposed the GALA (Globally Asynchronous  Locally Arbitrary) modeling approach including timed guards [
・ S. Minami and others have specified a dynamically reconfigurable system using linear hybrid automata and have verified it by using a model checker, H YT ECH [
The originality of our work on the verification method is twofold:
・ Our method targets systems that dynamically change their configurations, which is something the existing work, such as H YT ECH, has studied. We extend the syntax and semantics of linear hybrid automata with special actions called creation actions and destruction actions. We define a state in which an automaton does not exist and transitions for creation and destruction.
・ Our method is a comprehensive symbolic verification for hybrid properties, FIFO queues and creation/destruction of tasks.
For the experiments, we specified a dynamically reconfigurable embedded system consisting of a CPU and DRP, and verified some of its important features. This is the first time that specification and verification of dynamic changes have been tried in a practical case.
Here, we describe related work and how it differs from our work.
・ P. C. Attie and N. A. Lynch specified systems whose components are dynamically created/destroyed by using I/O automata [
・ H. Yamada and others proposed hierarchical linear hybrid automata for specifying dynamically reconfigurable systems [
・ B. Boigelot and P. Godefroid specified a communication protocol in terms of finitestate machines and unbounded FIFO buffers (queues), and they verified it [
・ A. Bouajjani and others proposed a reachability analysis for pushdown automata and a symbolic reachability analysis for FIFOchannel systems [
Definition 1 (Constraint). Let V be a finite set of variables. A constraint
where
Definition 2 (Flow condition). Let
where
For each variable x, we use the dotted variable
Definition 3 (Update Expression). Let V be a finite set of variables. An update expression upd on V is defined as
where
A dynamic linear hybrid automaton (DLHA) is a tuple
・
・
・
・
・



Moreover, we formalize the following special actions:
 A creation action that has the form
 A destruction action that has the form
 An enqueue action that has the form
 A dequeue action that has the form
・
・
・
A state
where
We define the semantics
・
・
・
The following rules define time and discrete transitions:
Definition 4 (Time transition of a DLHA). For any
・
・
where
Definition 5 (Discrete transition of a DLHA). For an evaluation
・ For any transition
・ (Creation of a DLHA) For the initial transition
・ (Destruction of a DLHA) For any destructiontransition
For the initial transition
To describe an asynchronous communication among DLHAs in a dynamically reconfigurable system (DRS), we use a queue (unbounded FIFO buffer) as a model of the communication channel. We assume that the system performs lossless transmission, so we can let the queue be unbounded.
A dynamically reconfigurable system (DRS)
A state
・
・
Definition 6 (Time Transition of a DRS). For an arbitrary
Definition 7 (Discrete Transition of a DRS). Let
・ For any output action
An output action is broadcasted to all DLHAs, and a DLHA receiving the action moves by synchronization if the guard condition holds in the state.
・ For an internal action
 in the case of
 while in the case of
 otherwise,
A run (or path)
where
The initial state
Example 1 (DLHA and DRS). A DLHA is represented by a directed graph, where each node represents a location and each edge represents a transition.
where
This system runs as follows:
1)
2) When
3) After
4) This system infinitely repeats steps 1) to 3).
For example, (1) shows a run
We define reachability and the reachability problem for a DRS as follows:
Definition 8 (Reachability). For a DRS
where
Definition 9 (Reachability Problem). Given a DRS
Our method introduces convex polyhedra for the reachability analysis in accordance with [
A polyhedron is convex if it can be defined by a formula which is a conjunction of linear formulae. For a set
Example 2 (Convex Polyhedron). The formula
We define a state s in the reachability analysis as
・
・
・
1. Compute an initial state
2. Initialize a traversed set
3. While
(a) Take a state
(b) If the set
(c) If the state has not been traversed yet (
i. add the state into
ii. compute the set
iii. add all components of
Subroutine Succ
where
Let the initial state of
Here,
Let the set of all variables in the system and their derivatives be
where
For a convex polyhedron
where
Given a state
1. For each transition
(a) Compute the convex polyhedron for the time transition (line 4).
(b) If a is an internal action,
i. Compute the set of locations (line 8)
ii. Compute the convex polyhedron for the discrete transition (line 9)
iii. If a is an enqueue action
where
iv. If a is a dequeue action
v. If a is another internal action (line 22),
(c) If a is an output action
(d) If a is an input action,
Subroutine Syncs
1. Initialize
2. Compute a convex polyhedron
3. For each
4. Compute the set
5. For each combination
(a) Compute the set
(b) Compute the set
where
(c) Compute the update expression
where
(d) Compute the conjunction of guard conditions (ll.914).
(e) Compute the convex polyhedron
where
(f) If
The correctness of this algorithm is implied by Lemma 1 and Lemma 2.
Lemma 1. If the algorithm terminates and returns “
Lemma 2. If this algorithm terminates and returns “
By definition, all linear hybrid automata are DLHAs. Our system dynamically changes its structure by sending and receiving messages. However, the messages statically determine the structure, and the system is a linear hybrid automaton with a set of queues. It is basically equivalent to the reachability analysis of a linear hybrid automaton. Therefore, the reachability problem of DRSs is undecidable, and this algorithm might not terminate [
Moreover, in some cases, a system will run into an abnormal state in which the length of a queue becomes infinitely long, and the verification procedure does not terminate.
We implemented a model checker of DRSs consisting of DLHAs in Java (about 1600 lines of code) by using the LAS, PPL, and QDD external libraries [
For the specification of the input model, we extended the syntax and semantics of DLHA as follows:
・ A transition between locations can have a label asap (that means “as soon as possible”). For a transition labeled asap, a time transition does not occur just before the discrete transition.
・ Each DLHA can have constraints and update expressions for the variables of another DLHA in the same system. That is, for each DLHA, invariants, guard conditions, update expressions and flow conditions can be used by all DLHAs.
For example,
We have specified a dynamically reconfigurable embedded system consisting of a CPU and DRP for the model described in our previous research [
The system, whose components are illustrated in
Task  Period  Deadline  Priority  Process 

A  70 ms  70 ms  high  20 ms, cotask a0, 
10 ms, cotask b0  
B  200 ms  200 ms  low  cotask a1, 97 ms 
cotask  Processing time  Deadline  Tiles  Rate of Frequency 

a0, a1  10 ms  15 ms  2  1 
b0  5 ms  10 ms  6  1/2 
TaskA (
TaskA and TaskB send a message to The Sender if they need a cotask. The Sender (
The DRP_Dispatcher (
We have the parameters of the model in subsection 5.2.1 and conducted experiments with it.
・ Modified Tasks: We modified the parameters of the tasks on the CPU as shown in
・ Modified cotasks: We modified the parameters of the cotasks on the DRP, as shown in
Task  Period  Deadline  Priority  Process 

A  90 ms  80 ms  high  20 ms, cotask b0, 
20 ms, cotask a0  
B  200 ms  150 ms  low  cotask a1, 70 ms 
cotask  Processing time  Deadline  Tiles  Rate of Frequency 

a0, a1  5 ms  10 ms  4  1 
b0  10 ms  20 ms  5  1/3 
We verified that the embedded systems described in subsection 5.2 provide the following properties by using monitor automata (Figures 2125). The verification experiment was performed on a machine with an Intel (R) Core (TM) i73770 (3.40 GHz) CPU and 16 GB RAM running Gentoo Linux (3.10.25gentoo).
The experimental results shown in
・ Regarding the schedulability of the modified tasks model, the processing time is shorter than that of the original model since the verification terminates if a counterexample is found.
・ In the cases of the modified cotasks, the most obvious explanation is that the state space is smaller than that of the original model since the number of branches in the search tree (i.e. nondeterministic transitions in this system) is reduced by changing the start timings of the tasks and cotasks with the parameters.
・ In cases other than those of the modified tasks, it is considered that the statespace is smaller than that of the original model because this system is designed to stop processing when a task exceeds its deadline.
Here, schedulability is a property in which each task of the system finishes before its deadline. Let
In the embedded system, each cotask must be created before the remaining time in the task calling it reaches its deadline. When the message
Each cotask must be destroyed before the waiting time reaches its deadline. For the cotask a0, when the message
Creating or destroying a cotask, the DRP changes the operating frequency corresponding to the cotasks being processed. Since this system requires that the frequency is always at the minimum value, the monitor checks whether the frequency manager (Frequency_Manager) moves to the correct location when it receives a message for creating a cotask. For example, when cotask a0 and cotask b0 are running on the DRP, Frequency_Manager must be at location
Model  Property  Satisfiability  Memory [MB]  Time [sec]  The number of states 

Original:  Schedulability  yes  168  180  1220 
Creation of cotasks  yes  92  315  1220  
Destruction of cotasks  yes  154  233  1220  
Frequency Management  yes  173  265  1220  
Tile Management  yes  167  234  1220  
Modified tasks:  Schedulability  no  105  10.2  91 
Creation of cotasks  yes  117  145  771  
Destruction of cotasks  yes  82  151  771  
Frequency Management  yes  197  115  771  
Tile Management  yes  135  107  771  
Modified cotasks:  Schedulability  yes  83  141  768 
Creation of cotasks  yes  85  183  768  
Destruction of cotasks  yes  86  191  768  
Frequency Management  yes  104  141  768  
Tile Management  yes  119  134  768 
When the DRP receives a message for creating of a cotask and the number of free tiles is enough to process it, the dispatcher creates the cotask. The dispatcher then updates the number of used tiles. The monitor automaton checks whether the number tiles in DRP_Dispatcher is always between 0 and the maximum number, 8 in this case (
We proposed a dynamic linear hybrid automaton (DLHA) as a specification language for dynamically reconfigurable systems. We also devised an algorithm for reachability analysis and developed a model checker for verifying the system. Our future research will focus on a more effective method of verification, for example, model checking with CEGAR (Counterexampleguided abstraction refinement) and bounded model checking based on SMT (Satisfiability modulo theories) [
Yanase, R., Sakai, T., Sakai, M. and Yamane, S. (2016) Specification and Verification of Dynamically Reconfigurable Systems Using Dynamic Linear Hybrid Automata. Journal of Software Engineering and Applications, 9, 452 478. http://dx.doi.org/10.4236/jsea.2016.99030