Real-Time Systems,
COSC-4301-01,
Lecture 10
Stefan Andrei
7/13/2017
COSC-4301-01, Lecture 10
1
Reminder of the last lecture
- Counting true instances
- Incremental verification of the real-time systems specifications
Overview of This Lecture
Systematic and Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting
- [ACCL05] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Systematic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. The 11th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'05), San Francisco, United States, 7 March - 10 March, 10 pages, 2005
- [ACCL06] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. IEEE Transactions on Computers, vol. 55(7), pp. 830-842 (2006). Selected as the July issue's Feature Article.
References
- [JaM87] Jahanian, F., Mok, A.: A Graph-Theoretic Approach for Timing Analysis and its Implementation. IEEE Transactions on Computers, Vol. C-36, No. 8, 1987
- [JaS88] Jahanian, F., Stuart, D. A.: A Method for Verifying Properties of Modechart Specifications. Proceedings of the 9th IEEE Real-Time Systems Symposium, pp. 12-21, 1988
- [WaM94] Wang, F., Mok, A. K.: RTL and Refutation by Positive Cycles. Proceedings of Formal Methods Europe Symposium, Lecture Notes in Computer Science 873, pp. 659-680, 1994
- [AnC04] Andrei, S., Chin, W.-N.: Incremental Satisfiability Counting for Real-Time Systems. IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'04), Toronto, Canada, 25 May - 28 May, 2004
References (cont)
- [MTR96] Mok, A. K., Tsou, Duu-Chung, de Rooij, R. C. M.: The MSP.RTL real-time scheduler synthesis tool. Proceedings of the 17th IEEE Real-Time Systems Symposium, 1996
- [RiC99] Rice, L.E.P., Cheng, A.M.K.: Timing Analysis of the X-38 Space Station Crew Return Vehicle Avionics. Proceedings of the 5th IEEE-CS Real-Time Technology and Applications Symposium, pp. 255-264, 1999
- [Che2002] Cheng, A.M.K.: Real-time systems. Scheduling, Analysis, and Verification. Wiley-Interscience, 2002
- [And2004] Andrei, S.: Counting for Satisfiability by Inverting Resolution. Artificial Intelligence Review, 2004
- [SoS94] Sokolsky, O., Smolka, S.A.: Incremental Model Checking in the Modal Mu-Calculus. Computer-Aided Verification '94, LNCS 818, Springer-Verlag, 1994
Real-Time Systems [JaM86, JaM87, Che02]
- Structural-functional specification
- Behavioral specification (SP)
- An implementation is correct if SP implies the safety assertions (SA)
Verification of Timing Properties [JaM86, JaM87, Che02]
In checking SP → SA, we may have the cases:
- (safe) SA is a theorem derivable from SP;
- (inherently unsafe) SA is unsatisfiable with respect to SP;
- (safe if additional constraints are added) the negation of SA is satisfiable under certain conditions.
Our Incremental Approach for Systematic Debugging [AnC04]
Past Work [AnC04]
- The satisfiability of SP_{k+1} → SA_{k+1} is expressed incrementally from the satisfiability of SP_k → SA_k
- The manual debugging from step 3 is correlated with the satisfiability of SP_k → SA_k
- We use the #SAT problem rather than the SAT problem:
  - to know how "far away" SP is from satisfying SA;
  - the modification of SP and/or SA is useful for incremental debugging, in which bugs are fixed one at a time until the system is correct.
Motivation of this Work
- The debugging from step 3 is done systematically, not manually
- Since industrial real-time systems may have large specifications, it is impractical for the designer to find the proper missing or wrong constraints by hand.
- Efficient Java implementation of systematic debugging (http://galaxy.lamar.edu/~sandrei/SDRTL/). Examples of real-time systems have also been successfully tested with SDRTL.
- We simulated a real-life scenario, supposing that the designer may forget to include some constraints or may give some incorrect constraints.
Real-Time Logic (RTL) [JaM86]
- RTL = first-order logic with special features to capture the timing requirements;
- Occurrence Function: @ : Event × Occurrence → Time, where Occurrence = Nat − {0} and Time = Nat.
- @(e, i) = t means the i-th occurrence of event e occurs at time t.
- ∀e ∈ Event, ∀i ∈ Occurrence, @(e, i) < @(e, i+1) if @(e, i+1) is defined
Real-Time Logic (cont)
Three types of RTL constants:
- Actions: schedulable units of work
- Event constants are temporal markers
  - External Events: Ωevent-name
  - Start Events: ↑event-name
  - Stop Events: ↓event-name
  - Transition Events: (event-name := true), (event-name := false)
- Integers: used for timing constraints.
SP of Railroad Crossing – English and RTL
- When the train approaches the sensor, a signal will initiate the lowering of the gate, and the gate is moved to the down position within 30s from being detected by the sensor, and
  ∀x ( @(TrainApproach, x) ≤ @(↑DownGate, x) ∧ @(↓DownGate, x) ≤ @(TrainApproach, x) + 30 )
- The gate needs at least 15s to lower itself to the down position.
  ∀y ( @(↑DownGate, y) + 15 ≤ @(↓DownGate, y) )
SA of Railroad Crossing – English and RTL
- If the train needs at least 45s to travel from the sensor to the railroad crossing, and the train crossing is completed within 60s from being detected by the sensor, then we are assured that at the start of the train crossing the gate has moved down, and that the train leaves the railroad crossing within 45s from the time the gate has completed moving down.
  ∀t ∀u (
    @(TrainApproach, t) + 45 ≤ @(↑TrainCrossing, u) ∧ @(↓TrainCrossing, u) < @(TrainApproach, t) + 60
    → @(↑TrainCrossing, u) ≥ @(↓DownGate, t) ∧ @(↓TrainCrossing, u) ≤ @(↓DownGate, t) + 45
  )
The Path-RTL formulas [JaM87, WaM94]
The general form of path-RTL formulas: functionOccurrence ± integerConstant ≤ functionOccurrence
Industrial real-time systems:
- Railroad crossing [JaM87], [JaS88], [Che2002]
- Moveable control rods in a reactor [JaM87]
- Boeing 777 Integrated Airplane Information Management System [MTR96]
- X-38, an autonomous spacecraft built by NASA [RiC99]
X-38, an autonomous spacecraft built by NASA [RiC99]
Presburger Arithmetic Formulae
- Each @(e, i) is replaced by an uninterpreted function f_e(i); below f, g1, g2, h1, h2 stand for TrainApproach, ↑DownGate, ↓DownGate, ↑TrainCrossing and ↓TrainCrossing.
- SP:
  ∀x (f(x) ≤ g1(x) ∧ g2(x) ≤ f(x) + 30)
  ∀y (g1(y) + 15 ≤ g2(y))
- SA:
  ∀t ∀u (
    f(t) + 45 ≤ h1(u) ∧ h2(u) < f(t) + 60 → g2(t) ≤ h1(u) ∧ h2(u) ≤ g2(t) + 45
  )
Railroad Crossing - Clausal Form
- ¬(SP → SA) ≡ ¬(¬SP ∨ SA) ≡ SP ∧ ¬SA
- SP → SA is a theorem iff SP ∧ ¬SA is unsatisfiable;
- SP:
  ∀x ∀y (f(x) ≤ g1(x) ∧ g2(x) − 30 ≤ f(x) ∧ g1(y) + 15 ≤ g2(y))
- Negation of SA:
  ∃t ∃u (f(t) + 45 ≤ h1(u) ∧ h2(u) < f(t) + 60 ∧ (h1(u) < g2(t) ∨ g2(t) + 45 < h2(u)));
  - Skolem normal form of path-RTL formulas [T/t][U/u] (strict inequalities over the integers are rewritten with ≤ by adjusting the constant):
    f(T) + 45 ≤ h1(U) ∧ h2(U) − 59 ≤ f(T) ∧ (h1(U) + 1 ≤ g2(T) ∨ g2(T) + 46 ≤ h2(U))
The Constraint Graph Technique [JaM87]
- F – the initial path-RTL formula;
- F' – the corresponding Presburger formula;
- PF = C1 ∧ C2 ∧ … ∧ Cn is the propositional formula of SP ∧ ¬SA:
  - Ci = Li,1 ∨ Li,2 ∨ … ∨ Li,ni and
  - each Li,j has the general form v1 ± I ≤ v2, I being a positive integer constant.
- For the i-th positive cycle Xi,1, Xi,2, …, Xi,ni, the clause ¬Xi,1 ∨ ¬Xi,2 ∨ … ∨ ¬Xi,ni is added to PF.
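The following Python program is an added illustration of the technique above; it is not code from the lecture or from SDRTL. It builds the constraint graph of [JaM87] for the seven Skolemized railroad-crossing literals of the clausal-form slide (each literal v1 + I ≤ v2 becomes an arc v1 → v2 of weight I), enumerates the simple cycles, and emits one clause of negated literals for every positive cycle. The names A1 … A7 are an assumption made here: they number the literals in the order they appear in the Skolem normal form, which is the numbering that reproduces the three positive-cycle clauses of PF1 later in the lecture.

```python
"""Constraint graph and positive-cycle refutation clauses for path-RTL literals.

Added example for this lecture page; not the lecture's or SDRTL's own code.
"""

# Each Skolemized literal has the form  v1 + I <= v2  (I may be negative) and is
# stored as (v1, I, v2).  f, g1, g2, h1, h2 are the slide's Presburger names for
# TrainApproach, up/down DownGate and up/down TrainCrossing.  The numbering
# A1..A7 follows the order of the literals in the Skolem normal form (assumption).
RAILROAD_LITERALS = {
    "A1": ("f", 0, "g1"),    # f(T) <= g1(T)
    "A2": ("g2", -30, "f"),  # g2(T) - 30 <= f(T)
    "A3": ("g1", 15, "g2"),  # g1(T) + 15 <= g2(T)
    "A4": ("f", 45, "h1"),   # f(T) + 45 <= h1(U)
    "A5": ("h2", -59, "f"),  # h2(U) - 59 <= f(T)
    "A6": ("h1", 1, "g2"),   # h1(U) + 1 <= g2(T)
    "A7": ("g2", 46, "h2"),  # g2(T) + 46 <= h2(U)
}

# Clauses of SP and not-SA before any cycle clause is added: the conjuncts are
# unit clauses and the disjunction inside not-SA is the clause {A6, A7}.
RAILROAD_BASE_CLAUSES = [
    frozenset({"A1"}), frozenset({"A2"}), frozenset({"A3"}),
    frozenset({"A4"}), frozenset({"A5"}), frozenset({"A6", "A7"}),
]


def build_constraint_graph(literals):
    """Arc v1 -> v2 of weight I for every literal v1 + I <= v2 [JaM87]."""
    graph = {}
    for name, (v1, weight, v2) in literals.items():
        graph.setdefault(v1, []).append((v2, weight, name))
        graph.setdefault(v2, [])
    return graph


def simple_cycles(graph):
    """All simple cycles as (literal names along the cycle, sum of weights).

    A cycle is only explored from its smallest node, so each one is listed once.
    """
    cycles = []

    def dfs(start, node, visited, names, weight):
        for nxt, w, name in graph[node]:
            if nxt == start:
                cycles.append((names + [name], weight + w))
            elif nxt > start and nxt not in visited:
                dfs(start, nxt, visited | {nxt}, names + [name], weight + w)

    for start in sorted(graph):
        dfs(start, start, {start}, [], 0)
    return cycles


def positive_cycles(literals):
    """Cycles with a positive weight sum: adding up their literals gives v <= v - I
    with I > 0, so they can never all hold together."""
    return [c for c in simple_cycles(build_constraint_graph(literals)) if c[1] > 0]


def refutation_clauses(literals):
    """One clause  not X1 or ... or not Xn  per positive cycle X1..Xn."""
    return [frozenset("¬" + n for n in names) for names, _ in positive_cycles(literals)]


def railroad_pf1():
    """PF1 of the lecture: base clauses plus one refutation clause per positive cycle."""
    return RAILROAD_BASE_CLAUSES + refutation_clauses(RAILROAD_LITERALS)


if __name__ == "__main__":
    for names, weight in simple_cycles(build_constraint_graph(RAILROAD_LITERALS)):
        tag = "positive, refuted" if weight > 0 else "negative, consistent"
        print(" -> ".join(names), "weight", weight, f"({tag})")
    for clause in railroad_pf1():
        print("{" + ", ".join(sorted(clause)) + "}")
```

The graph has four simple cycles; three of them are positive (weights 16, 33 and 2) and each yields a refutation clause, while the fourth (A1, A3, A2, weight −15) is consistent and adds nothing. A cycle enumeration is exponential in the worst case, which is why the lecture's tool works incrementally on the formula rather than rebuilding the graph after every change.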
Counting SAT Problem ([And04], [AnC04])
PF = {C1, …, Cl} over V. If C1', …, Ck' ∈ PF and k ≤ l, then:
- mV(C1', …, Ck') = number of variables from V which do not occur in C1' ∨ … ∨ Ck'.
- difV(C1', …, Ck') =
  - 0 if ∃ i, j ∈ {1, …, k}, i ≠ j, ∃ L literal such that L ∈ Ci' and ¬L ∈ Cj';
  - 2^{mV(C1', …, Ck')} otherwise.
Incremental Counting SAT ([AnC04])
- detV(PF) = 2^{|V|} − Σ_{k=1}^{l} (−1)^{k+1} · Σ_{1 ≤ i1 < … < ik ≤ l} difV(Ci1, …, Cik)
  is called the determinant of PF.
- Theorem. PF has detV(PF) truth assignments. So, PF is satisfiable iff detV(PF) ≠ 0.
- Problem: Knowing the number of true instances of PF, what is the number of true instances of PF ∪ {C}, for an arbitrary clause C?
- Incremental computation: get detV(PF2) using detV(PF1), without re-computing the common parts of PF2 and PF1
The Increment of a Clausal Formula
- Definition: Given PF = {C1, …, Cl} over V and C an arbitrary clause, then
  incV(C, PF) = Σ_{k=0}^{l} (−1)^{k+1} · Σ_{1 ≤ i1 < … < ik ≤ l} difV(C, Ci1, …, Cik)
  is called the increment of PF with C over V.
- Theorem: Let PF = {C1, …, Cl} be a clausal formula and PF' = {Cl+1, …, Cl+k}. Then:
  detV(PF ∪ PF') = detV(PF) + incV(Cl+1, PF) + incV(Cl+2, PF ∪ {Cl+1}) + … + incV(Cl+k, PF ∪ {Cl+1, …, Cl+k−1})
- Incremental computing is optimal
Related Work: Incremental Approaches
- An incremental positive cycle detection algorithm [MTR96] is also based on the constraint-graph technique and uses an algorithm for single source with positive weight in the graph.
- An incremental algorithm for model checking using transition systems in the alternation-free fragment of the modal mu-calculus was presented in [SoS94].
- Instead, our incremental approach is applied to propositional formulas.
Railroad Crossing - Constraint Graph (1)
PF1 = {{A1}, {A2}, {A3}, {A4}, {A5}, {A6, A7}, {¬A2, ¬A4, ¬A6}, {¬A4, ¬A5, ¬A6, ¬A7}, {¬A1, ¬A3, ¬A5, ¬A7}}.
detV1(PF1) = 0, where V1 = {A1, …, A7}.
Re-design of Railroad Example
- We consider 2 new events (CarCrossingLeft – CCL and CarCrossingRight – CCR) and 2 new constraints
- We add to SP:
  - (English) A car from the left or right needs at most 10 seconds to cross the railroad;
  - (RTL) ∀z1, @(↓CCL, z1) − 10 ≤ @(↑CCL, z1) and ∀z2, @(↓CCR, z2) − 10 ≤ @(↑CCR, z2)
- We add to SA:
  - (English) If the train starts to cross the railroad crossing, there is no car crossing, neither from the left nor from the right, in the last 5 seconds;
  - (RTL) ∀v1, @(↓CCL, v1) + 5 ≤ @(↑TrainCrossing, u) and ∀v2, @(↓CCR, v2) + 5 ≤ @(↑TrainCrossing, u)
Railroad Crossing - Constraint Graph (2)
PF2 = PF1 ∪ {{A8}, {A9}, {A6, A7, A10, A11}} − {{A6, A7}}
detV2(PF2) = detV1(PF1) + incV2({A8}, PF1) + incV2({A9}, PF1 ∪ {{A8}}) + incV2({A6, A7, A10, A11}, PF1 ∪ {{A8}} ∪ {{A9}}) − incV2({A6, A7}, PF1 ∪ {{A8}} ∪ {{A9}} ∪ {{A6, A7, A10, A11}}) = 3, where V2 = V1 ∪ {A8, …, A11}.
As detV2(PF2) > 0, the real-time system is unsafe.
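As an added worked example (not code from the lecture or from SDRTL), the Python below implements mV, difV, detV and incV exactly as defined on the Counting SAT and Increment slides and applies them to PF1 and to the re-designed PF2 above. It checks detV1(PF1) = 0, grows PF1 clause by clause with the increment theorem, undoes {A6, A7} with the same theorem run backwards (detV(PF − {C}) = detV(PF) − incV(C, PF − {C})), and confirms detV2(PF2) = 3 against a brute-force count. Two choices are made here rather than taken from the slides: literals are DIMACS-style integers (Ai is i, ¬Ai is −i), and the final increment is taken relative to PF2 itself, i.e. the formula without {A6, A7}, which is what the theorem requires.

```python
"""Counting SAT by inclusion-exclusion: m_V, dif_V, det_V and inc_V of the lecture.

Added example for this page; not the lecture's or SDRTL's own code.  A clause is a
frozenset of literals; a literal is a positive int (variable A_i is i) or its
negation (-i for ¬A_i).  Clauses are assumed non-tautological, as on the slides.
"""
from itertools import combinations, product


def m_v(variables, clauses):
    """m_V(C1', ..., Ck'): number of variables of V occurring in none of the clauses."""
    used = {abs(lit) for clause in clauses for lit in clause}
    return len(set(variables) - used)


def dif_v(variables, clauses):
    """dif_V: 0 if a literal and its negation occur among the clauses, else 2^{m_V}
    (the number of assignments that falsify every one of the clauses at once)."""
    literals = set().union(*clauses) if clauses else set()
    if any(-lit in literals for lit in literals):
        return 0
    return 2 ** m_v(variables, clauses)


def det_v(variables, pf):
    """det_V(PF) = 2^|V| - sum_{k>=1} (-1)^{k+1} sum_{i1<..<ik} dif_V(C_i1..C_ik).
    By inclusion-exclusion this is exactly the number of satisfying assignments."""
    pf = list(pf)
    total = 2 ** len(variables)
    for k in range(1, len(pf) + 1):
        for subset in combinations(pf, k):
            total -= (-1) ** (k + 1) * dif_v(variables, subset)
    return total


def inc_v(variables, clause, pf):
    """inc_V(C, PF) = sum_{k>=0} (-1)^{k+1} sum_{i1<..<ik} dif_V(C, C_i1..C_ik).
    Only subsets containing the new clause C are visited; the terms already summed
    for det_V(PF) are never recomputed."""
    pf = list(pf)
    total = 0
    for k in range(0, len(pf) + 1):
        for subset in combinations(pf, k):
            total += (-1) ** (k + 1) * dif_v(variables, (clause,) + subset)
    return total


def det_incremental(variables, pf, det_pf, new_clauses):
    """Theorem: det_V(PF ∪ PF') = det_V(PF) + inc_V(C_{l+1}, PF)
    + inc_V(C_{l+2}, PF ∪ {C_{l+1}}) + ...   (det_pf is the known det_V(PF))."""
    current, total = list(pf), det_pf
    for clause in new_clauses:
        total += inc_v(variables, clause, current)
        current.append(clause)
    return total


def det_after_removal(variables, pf, det_pf, removed):
    """The theorem run backwards: det_V(PF - {C}) = det_V(PF) - inc_V(C, PF - {C})."""
    rest = [c for c in pf if c != removed]
    return det_pf - inc_v(variables, removed, rest)


def brute_force_count(variables, pf):
    """Independent check: enumerate all 2^|V| assignments."""
    variables = sorted(variables)
    count = 0
    for bits in product((False, True), repeat=len(variables)):
        assignment = dict(zip(variables, bits))
        if all(any(assignment[abs(l)] == (l > 0) for l in c) for c in pf):
            count += 1
    return count


# Railroad crossing PF1 of the lecture; the last three clauses are the negated
# positive cycles.  V1 = {A1..A7}.
V1 = range(1, 8)
PF1 = [frozenset(c) for c in ([1], [2], [3], [4], [5], [6, 7],
                               [-2, -4, -6], [-4, -5, -6, -7], [-1, -3, -5, -7])]
# Re-design: V2 = V1 ∪ {A8..A11}; PF2 = PF1 ∪ {{A8}, {A9}, {A6,A7,A10,A11}} − {{A6,A7}}.
V2 = range(1, 12)
ADDED = [frozenset({8}), frozenset({9}), frozenset({6, 7, 10, 11})]
PF2 = [c for c in PF1 if c != frozenset({6, 7})] + ADDED


def railroad_redesign():
    """(det_V1(PF1), det_V2(PF2) via increments, det_V2(PF2) computed directly)."""
    det_pf1 = det_v(V1, PF1)          # 0: SP ∧ ¬SA is unsatisfiable, the system is safe
    det_pf1_v2 = det_v(V2, PF1)       # the same formula over the 11 variables of V2
    grown = det_incremental(V2, PF1, det_pf1_v2, ADDED)
    det_pf2 = det_after_removal(V2, PF1 + ADDED, grown, frozenset({6, 7}))
    return det_pf1, det_pf2, det_v(V2, PF2)
```

The three increments that grow PF1 are all zero (an unsatisfiable formula stays unsatisfiable when clauses are added), which is the "increments which are zero do not count" point made later in the lecture; the only non-zero step is the removal of {A6, A7}, which raises the count from 0 to 3 and shows the re-designed system to be unsafe.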
Debugging Computation. Manual versus Systematic
- Manual debugging [AnC04] is impractical for big systems.
- There is a need to consider a systematic way to solve this matter.
- The method will automatically generate, in order from the most probable ones to the least probable ones, all the possible missing/wrong constraints.
- Then the designer chooses from this list the proper constraint which does not contradict the real-time system specifications.
Railroad Crossing - Constraint Graph (2)
Algorithm Main:
  (Init)
  desired = false;
  while (desired == false) {
    (Test & Print)
    if (desired == false) {
      (Incremental Computation)
      (Debugging Computation)
    }
  }
- (Init) construct PF1
- (Test & Print) test if the determinant is 0 and if the designer agrees with the suggested constraint according to the systematic debugging computation
- (Incremental Computation) compute detVk+1(PFk+1) using detVk(PFk)
- (desired == false) is evaluated to false when the designer wishes to stop the systematic debugging and the timing constraints of the real-time system are fulfilled.
Addition of a New Arc
- The figure shows that the node v has no out-arc;
- So the arc (v, w) (pictured with a dashed line) is added to the constraint graph as a member of a new positive cycle.
Transforming a Negative Cycle
- The algorithm detects all possible incorrect constraints (i.e. containing a fault).
- That is, the algorithm proposes other (bigger) constants I for the literal v1 ± I ≤ v2, and with help of the designer, one such constraint is selected.
- Figure 3(b) is more than a "refinement", because it corresponds to detecting faults in the initial specification, and proposes a new proper constraint.
Key Point: the Increment
- SDRTL will compute for each change (new arc and/or new cost) the increment.
- Then, SDRTL will sort all these increments in increasing order.
- Starting from the minimum increment, the designer will be asked for his agreement.
- The increments which are zero do not count.
Monotony of det and inc
The Execution Run
The Execution Run (cont)
Railroad Crossing - Constraint Graph (3)
PF3 = PF2 ∪ {C12, C13, C14, C15}, over V2.
As detV2(PF3) = 0, the real-time system is safe.
The unification should be done carefully.
Systematic Debugging Results
- Denote by niz the number of increments which are zero, and by tni the total number of increments.
- The effectiveness is efct = (tni − niz) / tni.
- The closer the effectiveness is to 0, the faster the algorithm is (because useless clauses are not generated).
- The more bugs the system has, the bigger the execution time we get.
Real-Time Systems Debugging Times
- On the X-axis, we have the number of missing constraints and on the Y-axis, we have the debugging time in seconds.
- For each number of missing constraints, three real-time systems are considered, in this order, from left to right: the railroad crossing, the reactor, and the X-38.
- As the number of missing constraints increases, the debugging time increases linearly rather than exponentially.
Real-Time Systems Debugging Effectiveness
- On the X-axis, we have the number of missing constraints and on the Y-axis, we have the effectiveness, as a subunit real number.
- As the number of missing constraints increases, the effectiveness tends to decrease.
- In other words, our incremental approach is significantly better than the non-incremental approach.
Automatic Debugging
- The automatic approach is similar to the systematic approach, but it should work in the absence of human beings.
- Our solution was to consider in advance all the necessary information such as the designer's guidance:
  - a set of constraints which cannot be modified;
  - the specific ranges for the constants which appear in the constraints.
Automatic Debugging
- The input files for the automatic approach are augmented with the lower and upper bounds for the constants.
- Example: the formula
  h1(U),-9,1,11,g2(T) || g2(T),36,46,56,h2(U)
  denotes the following set of formulas:
  h1(U) + a ≤ g2(T) ∨ g2(T) + b ≤ h2(U), where a ∈ {−9, …, 11} and b ∈ {36, …, 56} have the implicit initial values a = 1 and b = 46.
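The bounded input line above is small enough to parse directly. The Python below is an added example, not ADRTL's own reader, and the format it accepts is assumed from the single line on the slide: literals written v1,lower,initial,upper,v2 and joined by || into one clause. It validates the bounds, renders the designer's initial clause, and enumerates the family of candidate clauses the tool has to consider once the designer is taken out of the loop.

```python
"""Parser for the bounded ADRTL input line shown in the lecture.

Added example; not ADRTL's own code.  Format assumed from the slide:
'v1,lower,initial,upper,v2' literals joined by '||' form one clause, each literal
standing for the path-RTL family  v1 + a <= v2  with lower <= a <= upper, and
'initial' the constant the designer originally wrote.
"""
from itertools import product

SLIDE_LINE = "h1(U),-9,1,11,g2(T) || g2(T),36,46,56,h2(U)"   # copied from the slide


def parse_bounded_literal(text):
    """'h1(U),-9,1,11,g2(T)' -> ('h1(U)', -9, 1, 11, 'g2(T)'), validating the bounds."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) != 5:
        raise ValueError(f"expected v1,lower,initial,upper,v2 but got {text!r}")
    v1, v2 = parts[0], parts[4]
    lower, initial, upper = (int(p) for p in parts[1:4])
    if not lower <= initial <= upper:
        raise ValueError(f"initial value {initial} outside [{lower}, {upper}] in {text!r}")
    return v1, lower, initial, upper, v2


def parse_clause_line(line):
    """Split a clause line on '||' into its bounded literals."""
    return [parse_bounded_literal(part) for part in line.split("||")]


def literal_text(v1, const, v2):
    """Render v1 + const <= v2 the way the slides do, e.g. 'h1(U) + 1 ≤ g2(T)'."""
    sign = "+" if const >= 0 else "-"
    return f"{v1} {sign} {abs(const)} ≤ {v2}"


def initial_clause(bounded):
    """The clause as the designer wrote it: every literal at its initial constant."""
    return [literal_text(v1, init, v2) for v1, _, init, _, v2 in bounded]


def candidate_clauses(bounded):
    """Every clause of the family, one per choice of constants within the bounds.

    The number of candidates is the product of the range sizes, which is why the
    declared bounds are what keeps the automatic search tractable."""
    ranges = [range(lower, upper + 1) for _, lower, _, upper, _ in bounded]
    return [
        [literal_text(b[0], const, b[4]) for b, const in zip(bounded, choice)]
        for choice in product(*ranges)
    ]


if __name__ == "__main__":
    bounded = parse_clause_line(SLIDE_LINE)
    print("initial:", " ∨ ".join(initial_clause(bounded)))
    print("candidates:", len(candidate_clauses(bounded)))
```

For the slide's line the initial clause is h1(U) + 1 ≤ g2(T) ∨ g2(T) + 46 ≤ h2(U), i.e. the clause {A6, A7} of PF1, and the declared ranges of 21 values each give 441 candidate clauses; a real input with wider bounds multiplies that quickly, which matches the later observation that ADRTL falls behind the designer-guided SDRTL as the number of missing constraints grows.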
Automatic versus Systematic Debugging
The tool ADRTL (Automatic Debugging using RTL) contains the set of all possible arcs – compared with SDRTL.
Automatic versus Systematic Debugging
- When 1, 2, or 3 constraints are missing, ADRTL (filled boxes) may be faster than SDRTL (empty boxes), whereas for 4 missing constraints, ADRTL is always slower than SDRTL.
- Conclusions:
  - The more bugs a real-time system has, the faster the systematic tool is compared with the automatic tool.
  - Human experience may outperform an automatic tool when the real-time system contains a considerable number of bugs.
Future Work: Replacement of SAT solvers
- Counting SAT solvers are more efficient than SAT solvers when there are too many choices to consider (as in re-design and debugging problems)
- Applications:
  - Finding a feasible scheduling
  - Model checking
Summary
Systematic and Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting
Reading suggestions
- [ACCL05] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Systematic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. The 11th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'05), San Francisco, United States, 7 March - 10 March, 10 pages, 2005
- [ACCL06] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. IEEE Transactions on Computers, vol. 55(7), pp. 830-842 (2006). Selected as the July issue's Feature Article.
Coming up next
Optimization of Specifications expressed in path-RTL [AnC06]
- [AnC06] Andrei, S., Cheng, A.M.K.: Optimization of Real-Time Systems Timing Specifications. Proceedings of the 12th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA 2006), 7 pages, IEEE Computer Society, Sydney, August 16-18, 2006
Thank you for your attention!
Questions?