## Soundness of the Quasi-Synchronous Abstraction

Guillaume Baudart

Timothy Bourke

Marc Pouzet

École normale supérieure, INRIA Paris, UPMC

FMCAD'16

Mountain View, 06-10-2016

Distributed controllers for critical embedded systems



Distributed controllers for critical embedded systems

Two redundant Flight Guidance Systems Only one active side (pilot side)



Distributed controllers for critical embedded systems

Two redundant Flight Guidance Systems Only one active side (pilot side)



#### Crew can switch from one to the other

Example from [Miller et al. 2015]

Distributed controllers for critical embedded systems

#### Two redundant Flight Guidance Systems Only one active side (pilot side)



#### Crew can switch from one to the other

Example from [Miller et al. 2015]

Distributed controllers for critical embedded systems

#### Two redundant Flight Guidance Systems Only one active side (pilot side)



#### Crew can switch from one to the other

**Example:** Flight Control System Generate pitch and roll guidance commands The two modules must share their state to avoid control glitch

Distributed controllers for critical embedded systems

Two redundant Flight Guidance Systems Only one active side (pilot side)

Run embedded application...



Crew can switch from one to the other

**Example:** Flight Control System Generate pitch and roll guidance commands The two modules must share their state to avoid control glitch

Distributed controllers for critical embedded systems



#### Crew can switch from one to the other

**Example:** Flight Control System Generate pitch and roll guidance commands The two modules must share their state to avoid control glitch

For each process, activations are triggered by a **local clock Execution:** infinite sequence of activations

• For each process: known bounds for the time between two activations.

 $0 \le T_{\min} \le \kappa_i - \kappa_{i-1} \le T_{\max}$ 

- Buffered communication without message inversion or loss
- Bounded communication delay
  - $0 \le \tau_{\min} \le \tau \le \tau_{\max}$



For each process, activations are triggered by a **local clock Execution:** infinite sequence of activations

• For each process: known bounds for the time between two activations.

 $0 \le T_{\min} \le \kappa_i - \kappa_{i-1} \le T_{\max}$ 

- Buffered communication without message inversion or loss
- Bounded communication delay
  - $0 \le \tau_{\min} \le \tau \le \tau_{\max}$



For each process, activations are triggered by a **local clock Execution:** infinite sequence of activations

• For each process: known bounds for the time between two activations.

 $0 \le T_{\min} \le \kappa_i - \kappa_{i-1} \le T_{\max}$ 

- Buffered communication without message inversion or loss
- Bounded communication delay
  - $0 \le \tau_{\min} \le \tau \le \tau_{\max}$



For each process, activations are triggered by a **local clock Execution:** infinite sequence of activations

• For each process: known bounds for the time between two activations.

 $0 \le T_{\min} \le \kappa_i - \kappa_{i-1} \le T_{\max}$ 

- Buffered communication without message inversion or loss
- Bounded communication delay
  - $0 \le \tau_{\min} \le \tau \le \tau_{\max}$



For each process, activations are triggered by a **local clock Execution:** infinite sequence of activations

• For each process: known bounds for the time between two activations.

 $0 \le T_{\min} \le \kappa_i - \kappa_{i-1} \le T_{\max}$ 

- Buffered communication without message inversion or loss
- Bounded communication delay
  - $0 \le \tau_{\min} \le \tau \le \tau_{\max}$





| Centre Equation<br>2 avenue de Vignate<br>38610 GIERES<br>Tel. +33 4 76 63 48 48<br>Fax +33 4 76 63 48 50 | Verification                                                                   |
|-----------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------|
|                                                                                                           | Verifying safety critical applications running on quasi-periodic architectures |
| The Quasi-S<br>Distribu                                                                                   | Quasi-Synchronous Abstraction                                                  |
|                                                                                                           | Crisys draft<br>October 2000                                                   |
|                                                                                                           |                                                                                |
|                                                                                                           |                                                                                |
| Cantra National de la Dacharada Saiontífia                                                                | e - Haivereite Jesent Exviser - Institut National Baldeshalava de Granable     |



| Centre Equation<br>2 avenue de Vignate<br>38610 GIERES<br>Tel. +33 4 76 63 48 48<br>Fax +33 4 76 63 48 50 | Verification                                                                   |  |  |
|-----------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------|--|--|
|                                                                                                           | Verifying safety critical applications running on quasi-periodic architectures |  |  |
| The Quasi-S<br>Distribu                                                                                   | Quasi-Synchronous Abstraction                                                  |  |  |
| Cri                                                                                                       | isys draft                                                                     |  |  |
| Oct                                                                                                       | ober 2000                                                                      |  |  |
|                                                                                                           |                                                                                |  |  |
|                                                                                                           |                                                                                |  |  |
|                                                                                                           |                                                                                |  |  |
|                                                                                                           |                                                                                |  |  |
| Centre National de la Recherche Scientifique                                                              | Universite Joseph Fourier Institut National Polytechnique de Grenoble          |  |  |
|                                                                                                           |                                                                                |  |  |









Real-time Model (RT)







#### Why discretize?

Verification in a simpler discrete-time model Use discrete-time model checking tools (Lesar-Verimag, Kind2-Ulowa)













Abstracting execution time Abstracting communication



Abstracting execution time Abstracting communication



Abstracting execution time Abstracting communication



Abstracting execution time Abstracting communication

### Problems:

- · Lots of possible interleavings
- Too general



Abstracting execution time Abstracting communication

### Problems:

- · Lots of possible interleavings
- Too general



Can we do better using real-time assumptions?

Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

Reduce the state-space in two ways:

Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

#### Reduce the state-space in two ways:

1. Transmissions as unit delays (one step of the logical clock)



Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

#### Reduce the state-space in two ways:

1. Transmissions as unit delays (one step of the logical clock)


Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

#### Reduce the state-space in two ways:

1. Transmissions as unit delays (one step of the logical clock)



Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

#### Reduce the state-space in two ways:

1. Transmissions as unit delays (one step of the logical clock)



Replace transmission with precedence

Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

#### Reduce the state-space in two ways:

1. Transmissions as unit delays (one step of the logical clock)



Replace transmission with precedence

2. Limit activations interleavings A process is at most twice as fast as another



Focus on 'almost' synchronous architectures with fast transmissions



#### Reduce the state-space in two ways:

1. Transmissions as unit delays (one step of the logical clock)



Replace transmission with precedence

2. Limit activations interleavings A process is at most twice as fast as another



**Definition:** A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays

**Theorem:** A real-time model with more than two processes is, in general, not unitary discretizable.



Always possible if transmissions are not instantaneous

**Definition:** A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays

**Theorem:** A real-time model with more than two processes is, in general, not unitary discretizable.



9

**Definition:** A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays

**Theorem:** A real-time model with more than two processes is, in general, not unitary discretizable.



Always possible if transmissions are not instantaneous



**Definition:** A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays

**Theorem:** A real-time model with more than two processes is, in general, not unitary discretizable.



Always possible if transmissions are not instantaneous

**Definition:** A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays

**Theorem:** A real-time model with more than two processes is, in general, not unitary discretizable.



Always possible if transmissions are not instantaneous



**Definition:** A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays



**Definition:** A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays



**Definition:** A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays



**Definition:** A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays



**Definition:** A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays



Gather all contraints on the unitary discretization f in a weighted graph

After reception





$$x \xrightarrow{0} y \implies f(x) \leq f(y)$$



Gather all contraints on the unitary discretization f in a weighted graph

After reception



**Lemma:** A trace is *unitary discretizable* if and only if there is no cycle of positive weight in the associated trace graph.

**Definition:** A real-time model is *unitary discretizable* if all possible traces are *unitary discretizable.* 

$$x \xrightarrow{0} y \implies f(x) \leq f(y)$$



Gather all contraints on the unitary discretization f in a weighted graph

After reception



**Lemma:** A trace is *unitary discretizable* if and only if there is no cycle of positive weight in the associated trace graph.

**Definition:** A real-time model is *unitary discretizable* if all possible traces are *unitary discretizable.* 

$$x \xrightarrow{0} y \implies f(x) \le f(y)$$





Gather all contraints on the unitary discretization f in a weighted graph

After reception



**Lemma:** A trace is *unitary discretizable* if and only if there is no cycle of positive weight in the associated trace graph.

**Definition:** A real-time model is *unitary discretizable* if all possible traces are *unitary discretizable.* 

$$x \xrightarrow{0} y \implies f(x) \le f(y)$$





Gather all contraints on the unitary discretization f in a weighted graph

After reception



**Lemma:** A trace is *unitary discretizable* if and only if there is no cycle of positive weight in the associated trace graph.

**Definition:** A real-time model is *unitary discretizable* if all possible traces are *unitary discretizable.* 

$$x \xrightarrow{0} y \implies f(x) \le f(y)$$





Gather all contraints on the unitary discretization f in a weighted graph

After reception



**Lemma:** A trace is *unitary discretizable* if and only if there is no cycle of positive weight in the associated trace graph.

**Definition:** A real-time model is *unitary discretizable* if all possible traces are *unitary discretizable.* 

$$x \xrightarrow{0} y \implies f(x) \le f(y)$$





Forbidden topologies in the static communication graph



Forbidden topologies in the static communication graph



Forbidden topologies in the static communication graph





**Theorem:** A quasi-periodic architecture is unitary discretizable if and only if, in the communication graph

- 1. All u-cycles are cycles of balanced u-cycle, or  $\tau_{\rm max} = 0$ , and
- 2. There is no balanced u-cycle, or  $\tau_{\min} = \tau_{\max}$  , and
- 3. There is no cycle in the communication graph, or  $T_{\min} \ge L_c \tau_{\max}$

L<sub>c</sub>: size of the longest elementary cycle

**Proof:** If there is a *u*-cycle, construction of a counter-example

Communications





**Proof:** If there is a *u*-cycle, construction of a counter-example

Communications





**Proof:** If there is a *u*-cycle, construction of a counter-example



**Proof:** If there is a *u*-cycle, construction of a counter-example



**Proof:** If there is a *u*-cycle, construction of a counter-example



**Proof:** If there is a *u*-cycle, construction of a counter-example



**Proof:** If there is a *u*-cycle, construction of a counter-example



**Proof:** If there is a *u*-cycle, construction of a counter-example



**Proof:** If there is a *u*-cycle, construction of a counter-example



**Proof:** If there is a *u*-cycle, construction of a counter-example



**Proof:** If there is a *u*-cycle, construction of a counter-example



**Proof:** If there is a *u*-cycle, construction of a counter-example


**Proof:** If there is a *u*-cycle, construction of a counter-example



**Proof:** If there is a *u*-cycle, construction of a counter-example



**Proof:** If there is a *u*-cycle, construction of a counter-example



**Proof:** On the other hand, by contraposition,

PC/u-cycle

















# **Topology Examples**

 $A \rightleftarrows B \iff C \Longleftrightarrow D$ 

daisy chain:  $T_{\min} \ge 2\tau_{\max}$ 



star:  $T_{\min} \geq 2\tau_{\max}$ 



unidirectional ring:  $T_{\min} \ge 5\tau_{\max}$ 







# **Topology Examples**

 $A \rightleftharpoons B \rightleftharpoons C \rightleftharpoons D$ 

daisy chain:  $T_{\min} \ge 2\tau_{\max}$ 



star:  $T_{\min} \geq 2\tau_{\max}$ 



unidirectional ring:  $T_{\min} \ge 5\tau_{\max}$ 



Require instantaneous communications

Communications of the application

"It is not the case that a component process executes more than twice between two successive executions of another process."

For any node:

- 1. no more than 2 activations between 2 message receptions
- 2. no more than 2 message receptions between two activations





Condition 2.

"It is not the case that a component process executes more than twice between two successive executions of another process."

- 1. it is unitary discretizable
- 2.  $2T_{\min} + \tau_{\min} \ge T_{\max} + \tau_{\max}$

"It is not the case that a component process executes more than twice between two successive executions of another process."

Theorem: A real-time model is quasi-synchronous if and only if,

- 1. it is unitary discretizable
- 2.  $2T_{\min} + \tau_{\min} \ge T_{\max} + \tau_{\max}$

Worst-case scenario

"It is not the case that a component process executes more than twice between two successive executions of another process."

- 1. it is unitary discretizable
- 2.  $2T_{\min} + \tau_{\min} \ge T_{\max} + \tau_{\max}$



"It is not the case that a component process executes more than twice between two successive executions of another process."

- 1. it is unitary discretizable
- 2.  $2T_{\min} + \tau_{\min} \ge T_{\max} + \tau_{\max}$



"It is not the case that a component process executes more than twice between two successive executions of another process."

- 1. it is unitary discretizable
- 2.  $2T_{\min} + \tau_{\min} \ge T_{\max} + \tau_{\max}$



"It is not the case that a component process executes more than twice between two successive executions of another process."

- 1. it is unitary discretizable
- 2.  $2T_{\min} + \tau_{\min} \ge T_{\max} + \tau_{\max}$



# Conclusion

#### The quasi-synchronous abstraction:

- 1. Model transmission as unit delays
- 2. Constrain node activations interleavings

#### **Contributions:**

- Condition 1 is not sound in general
- Notion of unitary discretization
- Necessary and sufficient conditions to recover soundness
- Characterization of quasi-synchronous systems

Constrain both the communication graph and the real-time characteristics of the architecture to recover soundness of the quasi-synchronous abstraction.