Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol Using Event Order Abstraction
Shinya Umeno
Nancy Lynch's Group, CSAIL, MIT
TDS seminar, September 18th, 2009
FORMATS 2009
The 7th International Conference on Formal Modelling and Analysis of Timed Systems
Facts:
- Mostly theory papers (decidability, recognizability, etc.).
- Some application papers (using Alur-Dill automata and UPPAAL).
- No parametric approach paper, except for mine.
Shinya Umeno, TDS seminar, September 18th 2009
Keywords of the Talk
- Real-time System Analysis (Formal Methods)
- Time-Parametric Verification
- Timing Parameter Constraint Synthesis
- Event-Order-Based Abstraction of Timed Systems
- Case Study Using an "Industrial" Example
Outline
- Biphase Mark Protocol (BMP)
  - Timing Constraints for Correctness
  - Case Studies by Several Approaches
- Our Approach: Event Order Abstraction
  - Human Guidance + Automatic Synthesis (Umeno, EMSOFT 2008)
- Case Study Result
  - Bad Event Orders of BMP
  - Parameter Constraints for Bad EOs
Biphase Mark Protocol (BMP)
- is a lower-layer communication protocol for consumer and industrial electronics.
- uses timing constraints on the system's behavior to encode and decode bits.
- is used in a digital audio protocol, S/PDIF (Sony/Philips Digital Interface).
Biphase Mark Protocol (BMP)
Bits to be sent: 1 0 1 1
Figure labels: Time; Cell; Sub-Cell (Mark).
Signal: represents 1 by toggling within the cell, and 0 by a flat signal.
Detection: the receiver detects a signal level change (it checks for a level change in each cell).
Decoded bits: 1 (toggling is detected), 0 (flat is detected), 1, 1.
Timing parameters: C, M1, D, T (and metastability H).
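As an added example (not code from the talk), the following Python models the encoding rule shown on the slide at sub-cell resolution: every cell starts with a mark edge, and a 1 toggles the level again at the sub-cell boundary while a 0 leaves it flat. The decoder plays the receiver's part on the slide: it waits for a level change (the mark) and then checks whether the level has changed again in the second sub-cell. The samples-per-sub-cell resolution and the bit sequence 1 0 1 1 are constructed for the demo; the timing parameters C, M1, D, T and H are not modelled here.

```python
def bmp_encode(bits, samples_per_subcell=4, initial_level=0):
    """Biphase mark encoding at sub-cell resolution.

    Each cell consists of two sub-cells.  The level toggles at the start of
    every cell (the mark edge) and toggles once more at the sub-cell boundary
    when the bit is 1; a 0 keeps the level flat for the whole cell.
    Returns one level (0 or 1) per sample.
    """
    level = initial_level
    signal = []
    for bit in bits:
        level ^= 1                               # mark edge at the cell start
        signal.extend([level] * samples_per_subcell)
        if bit == 1:
            level ^= 1                           # mid-cell toggle encodes a 1
        signal.extend([level] * samples_per_subcell)
    return signal


def bmp_decode(signal, samples_per_subcell=4, initial_level=0):
    """Receiver view of the slide: detect the mark edge, then check whether the
    level changed between the first and the second sub-cell.

    Returns the decoded bits.  An incomplete trailing cell is ignored.
    """
    bits = []
    prev_level = initial_level
    i = 0
    while i < len(signal):
        if signal[i] == prev_level:              # still flat: keep scanning for the mark
            i += 1
            continue
        first_subcell = signal[i]
        sample_at = i + samples_per_subcell + samples_per_subcell // 2
        if sample_at >= len(signal):
            break                                # not enough signal left for this cell
        second_subcell = signal[sample_at]
        bits.append(1 if second_subcell != first_subcell else 0)
        prev_level = second_subcell              # level at the end of the cell
        i += 2 * samples_per_subcell             # move to the next cell start
    return bits


def roundtrip(bits, samples_per_subcell=4):
    """Encode then decode; returns (signal, decoded_bits)."""
    signal = bmp_encode(bits, samples_per_subcell)
    return signal, bmp_decode(signal, samples_per_subcell)


if __name__ == "__main__":
    sig, out = roundtrip([1, 0, 1, 1])            # the bit sequence used on the slide
    print("".join(map(str, sig)))                 # 11110000111111110000111100001111
    print(out)                                    # [1, 0, 1, 1]
```

The decoder samples the second sub-cell at its midpoint rather than at the boundary, which is where the talk's D and T bounds (detection latency and sampling distance) come into play once real timing is modelled.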
Why a Parametric Approach?
A parametric approach gives the user more information than a fixed-parameter approach (such as the Alur-Dill timed automata approach).
• Does the system satisfy a desirable property irrespective of parameter settings? (Undecidable; Alur et al.)
• If a parameter setting affects system correctness, then what are the parameter sets that satisfy the correctness? (Optimization under parameter constraints)
Our Goal for the BMP Case Study
Correctness:
1. Sent bits = Decoded bits
2. No decoding overflow/underflow
- A special module (the Monitor) tracks the information needed to check these.
Figure: Sender --(signal toggling)--> Receiver; the Sender's sending bits and the Receiver's decoded bits are fed to the Monitor.
Goal: Synthesize parameter constraints under which the correctness is guaranteed.
Why is BMP Parametric Verification Challenging?
Due to repetitions with timing constraints!
Timed execution: s0 --(Detect.F, Δ)--> s1 --(Detect.F, 2Δ)--> s2 --(Detect.F, 3Δ)--> s3 ...
All of the s_i are different! Reachable state (fixed point) computation will not terminate. (The TReX extrapolation technique takes care of this.)
Untimed execution: s0 --Detect.F--> s1 --Detect.F--> s2 --Detect.F--> s3 ...
All of the s_i are the same (Detect.F is just a stuttering transition).
Modeling: Time-Interval Automata
A time-interval automaton (A, b) is an I/O automaton A with an interval boundmap b.
An I/O automaton:
• is a classical state transition machine with distinguished input/output/internal actions.
• is typically described using a guarded-command style language.
Suitable for concurrent/distributed systems.
Interval Boundmap
b(p, P) = [L, U], where p is an action of A, P is a set of actions that follow p, and L and U are a lower and an upper bound for the duration between p and any action in P.
Example from BMP:
b(Detect.F, {Detect.F, Detect.T}) = [d, D]   (repeated checks)
b(Detect.T, {Decode}) = [t, T]   (sampling distance)
TIA Code of the Encoder (the slide shows the code with these parts labelled):
- Automaton declaration
- Transition signatures
- State variables
- Precondition (transition guard)
- Effects (transition commands)
- Time bounds
Overview of Our Approach (Event Order Abstraction, EOA)
We split timed verification into two parts:
1. Verification of Untimed Model + Event Order Constraints
   Untimed Model --(model-checking)--> Bad Event Order --(generalization)--> Event Order Constraints (a subclass of regular expressions)
2. Automatic Synthesis of Timing Parameter Constraints from Event Order Constraints
   Performed by our tool METEORS
Identifying Bad Event Orders
• The user first identifies a candidate set of bad event orders (which may be empty).
• Monitors are constructed by a support tool from the given orders (for model-checking). A monitor raises a flag if a bad event order is detected in the current model execution.
• He/she then model-checks the untimed model against: not Monitor.raiseFlag implies not SafetyPropertyViolated (if no bad event order occurs, the safety property is not violated).
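An added illustration (my own, not the support tool from the talk) of what such a monitor checks: a bad event order is a pattern over consecutive actions in the subclass of regular expressions the talk refers to (a sequence of action names, some of them starred), and the monitor raises its flag when a contiguous stretch of the execution matches it. The execution traces below are constructed; the event order used is the metastability scenario from the talk, Edge0 - (Detect.F)* - Detect.T - Settle - Edge0.

```python
import re

# An event order is a list of steps.  A plain string is a single action; a
# tuple ("*", name) stands for zero or more consecutive occurrences of that
# action, as in the (Detect.F)* steps of the talk's bad event orders.
BAD_ORDER = ["Edge0", ("*", "Detect.F"), "Detect.T", "Settle", "Edge0"]


def order_to_regex(order):
    """Compile an event order into a regex over a space-separated action trace.

    Every action in the trace text is followed by one space, so a match can
    only start at an action boundary and only cover whole action names.
    """
    parts = []
    for step in order:
        if isinstance(step, tuple) and step[0] == "*":
            parts.append("(?:" + re.escape(step[1]) + " )*")
        else:
            parts.append(re.escape(step) + " ")
    return re.compile(r"(?:^| )" + "".join(parts))


def monitor_raises_flag(execution, order):
    """True iff some stretch of consecutive actions in `execution` matches `order`."""
    text = " ".join(execution) + " "
    return order_to_regex(order).search(text) is not None


def first_match(execution, order):
    """Return the matched consecutive actions (for diagnosis), or None."""
    text = " ".join(execution) + " "
    m = order_to_regex(order).search(text)
    return m.group(0).split() if m else None


if __name__ == "__main__":
    # Constructed execution: two stuttering Detect.F steps, then the bad tail.
    trace = ["Decode", "Edge0", "Detect.F", "Detect.F", "Detect.T", "Settle", "Edge0", "Detect.T"]
    print(monitor_raises_flag(trace, BAD_ORDER))   # True
    print(first_match(trace, BAD_ORDER))
```

Because the match must be contiguous, an execution in which a Decode separates Detect.T from Settle does not trigger the flag; this mirrors the talk's remark that an event order specifies the order of consecutive actions.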
Bad Scenario Example of BMP (1)
Figure: Edge 0, then the flat signal of a 0, then a new edge (of the next bit, 0 or 1) arrives before Decode, and the receiver decodes 1 !!
Event order: Detect.F - Detect.F - Edge0 - Detect.T - Edge0 - Decode
• This event order specifies the order of consecutive actions in an automaton execution.
Timing annotations on the figure: > c (between the two edges), < D (Edge0 to Detect.T), < T (Detect.T to Decode).
Resulting constraint: c > D + T
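To make the derivation above concrete, here is an added Python sketch (my own illustration, not METEORS) of the reasoning the three annotations encode. The bounds are those stated in the talk: Edge0 to Detect.T takes at most D, Detect.T to Decode lies in [t, T] (the sampling distance), and the next mark edge comes at least c after the previous one. The bad order, in which the next Edge0 precedes Decode, is feasible exactly when the earliest possible next edge can come before the latest possible Decode, i.e. when c < D + T; the check returns False once c > D + T, the constraint on the slide. The lower bound of Edge0 to Detect.T is not stated on the slide and is taken as 0 (an assumption); parameter values are constructed.

```python
INF = float("inf")


def chain_window(chain, bounds, start=0.0):
    """Earliest and latest occurrence time of the last event of `chain`.

    `chain` lists consecutive events; `bounds[(a, b)]` is the [lo, hi] bound
    on the delay between a and its successor b.  Times are propagated from
    the occurrence time `start` of the first event.
    """
    earliest = latest = start
    for a, b in zip(chain, chain[1:]):
        lo, hi = bounds[(a, b)]
        earliest += lo
        latest += hi
    return earliest, latest


def order_feasible(early_chain, late_chain, bounds):
    """Can the last event of `early_chain` occur strictly before the last event
    of `late_chain`?  Both chains start at the same event (time 0)."""
    earliest_first, _ = chain_window(early_chain, bounds)
    _, latest_second = chain_window(late_chain, bounds)
    return earliest_first < latest_second


def bmp_bounds(c, D, t, T):
    """Interval bounds of the first bad scenario, in the talk's notation.
    The lower bound of Edge0 -> Detect.T is not given on the slide; 0 is used
    here (assumption) since only its upper bound D matters for this order."""
    return {
        ("Edge0", "Detect.T"): (0.0, D),   # the edge is noticed by the next check, within D
        ("Detect.T", "Decode"): (t, T),    # sampling distance, b(Detect.T, {Decode}) = [t, T]
        ("Edge0", "NextEdge0"): (c, INF),  # next mark edge is at least one cell length away
    }


def decode_after_new_edge_possible(c, D, t, T):
    """True iff the bad event order Edge0 ... NextEdge0 ... Decode can happen."""
    return order_feasible(["Edge0", "NextEdge0"],
                          ["Edge0", "Detect.T", "Decode"],
                          bmp_bounds(c, D, t, T))


if __name__ == "__main__":
    # Constructed parameter values: with c = 10 > D + T = 7 the order is excluded;
    # shrinking the cell to c = 6 < 7 makes it possible again.
    print(decode_after_new_edge_possible(c=10, D=3, t=1, T=4))  # False
    print(decode_after_new_edge_possible(c=6, D=3, t=1, T=4))   # True
```

The same earliest-before-latest comparison, run over every pair of chains that the order forces into a relative position, is what yields the "all derivable bounds" the METEORS slide later mentions; this sketch handles only two chains with a shared start event.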
Bad Scenario Example of BMP (2): metastability
Figure: Edge 0, then a new edge (Edge 0), with metastability in between. The flat signal for 0 is completely missed!
Event order: Edge0 - (Detect.F)* - Detect.T - Settle - Edge0
Timing annotations on the figure: > c (between the two edges), < H, < T.
Resulting constraint: c > H + T
Bad Scenario Example of BMP (3)
Figure: Edge 1S and Edge 1T.
Event order: Decode - (Detect.F)* - Edge1S - (Detect.F)* - Settle - Edge1T
Timing annotations on the figure: > m1, < H, < D ? ? (the slide marks this bound with question marks before unwinding).
Unwinding! Unwinding the second (Detect.F)* once exposes the Detect.F right before Settle:
Decode - (Detect.F)* - Edge1S - (DF)* - DF - Settle - Edge1T
Timing annotations: > m1, < H, < D!
Resulting constraint: m1 > H + D
Our Tool: METEORS
One event order → a disjunction of linear inequalities
- All derivable bounds
- Automatic decomposition
Multiple event orders → a conjunction of disjunctions of linear inequalities
- Simplification of the resulting constraint
Bad Scenarios of BMP: the table from page 269 of the proceedings (not reproduced in this transcript).
Sufficient Parameter Constraints
METEORS reported that it is sufficient to satisfy three constraints for correctness of BMP:
m1 > H + D
t > M1 + H
c > H + D + T
Related Work (BMP Verification)
Verification
- UPPAAL and PVS: Vaandrager, F. W., de Groot, A.: Analysis of a biphase mark protocol with UPPAAL and PVS. 2006
  - Bad event orders are found using UPPAAL.
  - Constraints are manually derived from the bad orders.
  - Correctness under the derived constraints is proved using PVS.
- Calendar Automata: Brown, G. M., Pike, L.: Easy parameterized verification of biphase mark and 8N1 protocols. 2006
  - BMP is modeled using the Calendar Automata framework for SAL.
  - Correctness under the derived constraints is proved using SAL (inductive invariants must be used, though the proof is automatic).
Synthesis
- HyTech: Henzinger, T., Preussig, J., Wong-Toi, H.: Some lessons from the HYTECH experience. 2001
  - Some parameters are fixed.
  - The model is modified: no repetitive checks with time bounds.
Other Case Studies of EOA
• IEEE 1394 (FireWire / i-Link) Root Contention Protocol (randomness is abstracted)
• Train-Gate Toy Problem
• Fischer's Mutual Exclusion Algorithm
Summary and Future Work
We synthesized parameter constraints of BMP using Event Order Abstraction (METEORS and SAL are used).
Future work: automatic bad event order identification
- List of counterexamples from model-checking
- Automatic "chopping" and generalization??