The Mana Project
Lars Asplund, Kristina Lundqvist
Uppsala University, Information Technology, Dept of Computer Systems
Background
• Formal methods have been used in a number of safety critical systems
  – TGV – train signalling system in Paris
• Today's safety critical systems use cyclic executives.
• Research takes for granted that a system consists of processes (scheduling, priorities), and that there is communication between these.
• Process based safety critical systems - formal methods (Raven, Enea …)
Ada-83
• Tasking
• Rendez-vous
• Dynamic
• Hierarchy
• Termination
• ...
Ada83
• For High Integrity Systems
• Subsets:
  – SPARK (No tasking)
  – Boeing
  – ...
• Complex Run-Time
• No Formal Proofs
Ada-95
• Tasking
• Rendez-vous
• Dynamic
• Hierarchy
• Termination
• ...
• Protected Objects
• ATC
• requeue
• delay until
• new interrupts
• task attributes
• ...
Ada95 Subsets:
• GNORT (Gnat NO Run-Time)
• SPARK-95
• Ravenscar
  – Tasking
  – Protected Objects
  – delay until
  – new interrupts
  – task attribute
Ada 95 and Ravenscar
• The Ravenscar profile has been proposed as a possible standard runtime support system suitable for safety critical real-time Ada 95 applications.
• The subset provides enough functionality for the targeted systems.
Ravenscar - tasking
• Library level
• No dynamic creation
• No unchecked deallocation
• Non-terminating
• No entries
• No user defined attributes
• Keep task discriminants
• No ATC
Ravenscar - Protected Objects
• Single Entry
• Barrier a single Boolean
• Only one task in the entry queue
Ravenscar - Communication
• No Rendez-vous
• No requeue
• No select statement
• Interrupts are mapped only to PO procedures
Ravenscar - Real Time
• delay until for delays
• No Calendar
• Clock from Real-Time package
• No dynamic priorities
• Immediate Ceiling Priority
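As an added example (not tooling from the Mana project, and not a compiler's profile check), the Python script below screens Ada source text for several of the restrictions listed above: no select/rendez-vous, no requeue, no ATC, no relative delay, no Ada.Calendar, no task attributes, no unchecked deallocation, and a single entry per protected object with a barrier that is one Boolean variable. The two Ada units embedded in it are constructed for the example, and the restriction names and regular expressions are the example's own.

```python
# Screening Ada source for Ravenscar restrictions (added example; not part of
# the Mana project and not a compiler's profile check).  It strips comments,
# then greps for constructs the profile forbids and checks each protected body
# for a single entry whose barrier is one Boolean variable.  Properties it
# cannot see from text: the entry queue holding at most one task (a run-time
# property) and library-level placement of tasks and protected objects.
import re

# (restriction, regular expression over comment-stripped, lower-cased source)
FORBIDDEN = [
    ("No rendez-vous / select statement", r"\bselect\b"),
    ("No requeue", r"\brequeue\b"),
    ("No ATC (abort)", r"\babort\b"),
    ("No relative delay: only delay until", r"\bdelay\s+(?!\s*until\b)"),
    ("No Calendar: clock from Ada.Real_Time", r"\bada\.calendar\b"),
    ("No user defined task attributes", r"\bada\.task_attributes\b"),
    ("No unchecked deallocation", r"\bunchecked_deallocation\b"),
]
PROTECTED_BODY = re.compile(r"\bprotected\s+body\s+(\w+)\s+is\b(.*?)\bend\s+\1\s*;", re.S)
ENTRY_BARRIER = re.compile(r"\bentry\s+\w+.*?\bwhen\s+(.+?)\s+is\b", re.S)


def ravenscar_violations(source):
    """Return sorted (line, message) pairs, one per restriction hit."""
    text = re.sub(r"--[^\n]*", "", source).lower()      # drop Ada comments
    line_of = lambda pos: text.count("\n", 0, pos) + 1
    hits = []
    for message, pattern in FORBIDDEN:
        hits += [(line_of(m.start()), message) for m in re.finditer(pattern, text)]
    for body in PROTECTED_BODY.finditer(text):
        name, inner, offset = body.group(1), body.group(2), body.start(2)
        barriers = [(offset + m.start(1), m.group(1).strip())
                    for m in ENTRY_BARRIER.finditer(inner)]
        if len(barriers) > 1:
            hits.append((line_of(body.start()), f"More than one entry in protected object {name}"))
        for pos, barrier in barriers:
            if not re.fullmatch(r"\w+", barrier):       # not a single Boolean variable
                hits.append((line_of(pos), f"Entry barrier in {name} is not a single Boolean variable: {barrier}"))
    return sorted(hits)


# Constructed sample units: the first breaks several restrictions, the second
# follows the slides' T1 / PO pattern.
NON_COMPLIANT = """\
with Ada.Calendar;                               -- forbidden package
protected body Buffer is
   entry Put (X : Integer) when Count < Size is  -- barrier is an expression
   begin
      Count := Count + 1;
   end Put;
   entry Get (X : out Integer) when Count > 0 is -- second entry
   begin
      Count := Count - 1;
   end Get;
end Buffer;
task body Worker is
begin
   loop
      select                                     -- rendez-vous
         Server.Request;
      or
         delay 1.0;                              -- relative delay
      end select;
   end loop;
end Worker;
"""

COMPLIANT = """\
with Ada.Real_Time; use Ada.Real_Time;
protected body PO is
   procedure P is
   begin
      Barrier := True;
   end P;
   entry E when Barrier is
   begin
      Barrier := False;
   end E;
end PO;
task body T1 is
   NextTime : Time := Clock + Milliseconds (30);
begin
   loop
      delay until NextTime;
      PO.P;
      NextTime := NextTime + Milliseconds (30);
   end loop;
end T1;
"""

if __name__ == "__main__":
    for label, unit in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        print(label, ravenscar_violations(unit) or "no violations")
```

Because the check is textual, it reports a hit per occurrence (so `end select` is flagged as well as `select`); a real profile check belongs in the compiler, where the restrictions are enforced on the semantic tree rather than on the text.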
The Mana Project
• Project Aim: Develop and model a run-time system using formal development methodologies. Implement for the gnu Ada-95 compiler.
• Target: Safety critical systems at the highest degree of safety, e.g. Nuclear power plants, ATC, aircraft, ...
The Mana Project
• Chosen language:
  – Subset of Ada 95: Ravenscar
• Representation model: Timed Automata
  – FSAs extended with clocks and constraints
• Verification scheme: A Real-Time Model Checker
  – UPPAAL: Modelling, simulation, and verification tool
A System Model
[Figure: system model – the Application (tasks T0, T1, T2, T3) above the Run-Time Kernel (Scheduler, protected object PO with P, E and F, Ready Queue, Delay Queue, Clock); the interactions shown are Delay until and Task dispatch]
A Verification Session
• Design: Timed Automata Model of
  1. An application (user code)
  2. Run-time kernel (Mana)
• Simulation of design
• Verification by checking reachability properties
Simple application (T1)
task body T1 is  -- at priority 1
   NextTime : Time := Clock + 30.0;
begin
   loop
      Work (5);
      delay until NextTime;
      PO.P;  -- releases the PO entry
      NextTime := NextTime + 30.0;
   end loop;
end T1;
[Figure: automata for T1's delay sequence (Delay seq) and protected procedure call (Prot Proc); the Protected Procedure automaton has locations Calling Task, Procedure Start, Procedure begin, Preemption and Release of Entry]
Task T2
task body T2 is  -- at priority 2
   Cond : Boolean := False;
begin
   loop
      Work (10);
      if Cond then
         PO.E;
      else
         Cond := not Cond;
         Work (5);
      end if;
      Work (4);
   end loop;
end T2;
[Figure: T2's protected entry call (Prot Entry); the Protected Entry automaton has locations Calling Task, Entry Start, Lock Free and no Barrier, Barrier true, Released by Procedure, Executing, Preemption, Exception, Preemption in exception and Normal end]
Task T3
task body T3 is  -- at priority 3
   NextTime : Time := Clock + 18.0;
begin
   loop
      case Cmd is
         when Ack =>
            for I in 1 .. 4 loop
               Work (5);
               PO.P;
            end loop;
         when Connect    => Work (15);
         when Disconnect => Work (20);
         when Send       => Work (10);
      end case;
      delay until NextTime;
      NextTime := NextTime + 18.0;
   end loop;
end T3;
[Figure: automata for T3's protected procedure call (Prot Proc) and delay sequence (Delay)]
A view of the System
[Figure: the Scheduler, the protected object Prot Obj (F, P, E), tasks T0, T1, T2, T3, the Delay Queue, the Clock and the Ready Queue; interactions Delay until and Task dispatch]
Miscellaneous
• Protected Function
• Delay Queue
• System Clock
The Run-Time System
[Figure: the run-time kernel with the protected object Prot Obj (F, P, E)]
Task T1 (task body T1 as listed above)
Building the System
[Figure: run-time kernel, protected object Prot Obj (F, P, E) and task T1]
Task T2 (task body T2 as listed above)
A more Complete System
[Figure: run-time kernel, protected object Prot Obj (F, P, E) and tasks T1, T2]
Task T3 (task body T3 as listed above)
A Complete System
[Figure: run-time kernel, protected object Prot Obj (F, P, E) and tasks T1, T2, T3]
Scheduler and Idle process
[Figure: timed automaton of the Scheduler – locations Idle Process is running, Medium Process available, Medium Process running, Idle Process Preempted, High Process available, High Process running and Medium Process Preempted; the tasks synchronise with Resume!, Suspend! and Preempt!, the scheduler receives Resume? and Preempt?, and each Resume? sets the CPU priority (Pcpu := PLow, Pcpu := PMed or Pcpu := PHigh)]
Verifying Reachability Properties
• Statement format:
  – Invariant()
  – Possible()
  – Where: (atomic-formula) | | ’
• Examples:
  – Possible(CPU’Count > 1)
    At any point in time, there must be only one task executing
  – Invariant(P.Completed and E.Queue’Count > 0 and E.Barrier imply Exec(E.Code, P.Context))
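The verification session described earlier (a timed-automata model of application plus kernel, explored by reachability checking) and the Invariant()/Possible() statements above, as an added Python example that is not code from the Mana project or from UPPAAL: it enumerates every reachable state of a discrete-time model of T1, T2, the protected object and a fixed-priority scheduler with an idle process, then evaluates queries over that set, including the release-on-behalf case where E's body runs in P's context. The tick-based timing, the n/n+1 Work durations, the atomic protected operations, the state encoding and the wording of the queries are this example's assumptions.

```python
# Reachability checking over a small Ravenscar-style model (added example, not
# code from the Mana project or from UPPAAL).  Assumptions: time is counted in
# abstract ticks, Work (n) may take n or n+1 ticks (this is the model's only
# nondeterminism), protected operations are atomic and take no time, E's body
# resets the barrier that P opened, and a task that reaches its delay late
# restarts its period from the current tick.
from collections import deque

# Task programs transcribed from the slides' T1 and T2:
#   ("work", lo, hi)   compute for lo..hi ticks
#   ("delay", period)  delay until NextTime, NextTime advancing by period
#   ("p",) / ("e",)    call PO.P / PO.E
# T2's first iteration takes the else branch (Cond := True; Work (5)); Cond
# then stays True, so every later iteration calls PO.E.  That prefix is
# unrolled and LOOP_TO is the index each loop jumps back to.
PROGS = {"T1": [("work", 5, 6), ("delay", 30), ("p",)],
         "T2": [("work", 10, 11), ("work", 5, 6), ("work", 4, 5),
                ("work", 10, 11), ("e",), ("work", 4, 5)]}
LOOP_TO = {"T1": 0, "T2": 3}
PRIO = {"T1": 1, "T2": 2}          # fixed priorities, larger is higher
NAMES = ("T1", "T2")

# State = (tasks, barrier, queued, e_context): tasks holds one (pc, rem, cnt)
# per task (rem = ticks left in the current work item, None = not started;
# cnt = ticks until the task's next release); barrier is E's Boolean barrier;
# queued is the task waiting on E or None (Ravenscar allows at most one);
# e_context is the task in whose context E's body ran in the last step.
INIT = (((0, None, 30), (0, None, 0)), False, None, None)


def ready(name, task, queued):
    pc, _, cnt = task
    return queued != name and not (PROGS[name][pc][0] == "delay" and cnt > 0)


def advance(name, task):
    """Step to the next instruction, wrapping to the loop head at the end."""
    pc, _, cnt = task
    return (pc + 1 if pc + 1 < len(PROGS[name]) else LOOP_TO[name], None, cnt)


def tick(tasks, running):
    """One tick passes: countdowns drop, the running task consumes a work unit."""
    out = []
    for name, (pc, rem, cnt) in zip(NAMES, tasks):
        cnt = max(cnt - 1, 0)
        if name != running:
            out.append((pc, rem, cnt))
        elif rem > 1:
            out.append((pc, rem - 1, cnt))
        else:                                   # work item finished
            out.append(advance(name, (pc, rem, cnt)))
    return tuple(out)


def successors(state):
    """All states reachable in one step: dispatch the highest-priority ready
    task (or the idle process) and execute its current instruction."""
    tasks, barrier, queued, _ = state
    runnable = [n for n, t in zip(NAMES, tasks) if ready(n, t, queued)]
    if not runnable:
        return [(tick(tasks, None), barrier, queued, None)]
    run = max(runnable, key=PRIO.get)
    i = NAMES.index(run)
    pc, rem, cnt = tasks[i]
    instr, t = PROGS[run][pc], list(tasks)
    if instr[0] == "work":                      # branch over admissible durations
        choices = [rem] if rem is not None else range(instr[1], instr[2] + 1)
        return [(tick(tuple(t[:i] + [(pc, d, cnt)] + t[i + 1:]), run), barrier, queued, None)
                for d in choices]
    if instr[0] == "delay":                     # release point: start next period
        t[i] = advance(run, (pc, rem, instr[1]))
        return [(tuple(t), barrier, queued, None)]
    t[i] = advance(run, tasks[i])
    if instr[0] == "p":
        if queued is None:                      # nobody waiting: leave barrier open
            return [(tuple(t), True, None, None)]
        j = NAMES.index(queued)                 # release on behalf: E's body runs
        t[j] = advance(queued, t[j])            # in P's context, barrier closes again
        return [(tuple(t), False, None, run)]
    if barrier:                                 # E with open barrier: run body now
        return [(tuple(t), False, None, run)]
    return [(tasks, barrier, run, None)]        # E with closed barrier: wait in queue


def reachable(init=INIT):
    """Breadth-first enumeration of every reachable state."""
    seen, todo = {init}, deque([init])
    while todo:
        for s in successors(todo.popleft()):
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return seen


def check_properties(states=None):
    """Queries in the style of the slides' Invariant()/Possible() statements."""
    S = reachable() if states is None else states
    possible = lambda pred: any(pred(s) for s in S)
    invariant = lambda pred: all(pred(s) for s in S)
    return {
        "Possible(T2 waits in E's queue)": possible(lambda s: s[2] == "T2"),
        "Possible(E's body runs in T1's context, i.e. on behalf of P)": possible(lambda s: s[3] == "T1"),
        "Possible(E's body runs in T2's own context)": possible(lambda s: s[3] == "T2"),
        "Invariant(barrier closed whenever a task is queued)": invariant(lambda s: not (s[1] and s[2])),
    }


if __name__ == "__main__":
    S = reachable()
    print(f"{len(S)} reachable states")
    for query, result in check_properties(S).items():
        print(f"{result!s:5}  {query}")
```

In this model T1 only ever runs while T2 is blocked on E (T2 has the higher priority and is otherwise always ready), so every call of P finds T2 queued: E's body is always executed on T2's behalf in T1's context, and the barrier is never observed open. That is the kind of fact a reachability check establishes for every interleaving at once, where a simulation only shows one run.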
Conclusions and future work
• Have today modelled a full Ravenscar compliant RTK
  – PO: priorities, preemption
    • Procedure, Function and Entry
    • Release on behalf
  – delay until
  – exception handling in PO
  – interrupt
• Verified the Mana-RTK together with a small application
• Next step is to implement the Mana-RTK
  – Automatic translation from Ada into TA
• http://www.docs.uu.se/mana