
2020 18th ACM-IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE): latest publications

Verifying Absence of Hardware-Software Data Races using Counting Abstraction
Tuba Yavuz
Device drivers are critical components of operating systems. However, because they interact with the hardware and are embedded in complex programming models implemented by the operating system, ensuring the reliability of device drivers remains a challenge. In this paper, we focus on the interaction of the driver with the device and present an approach for modeling this interaction and verifying the absence of hardware-software data races. Specifically, we use the counting abstraction technique to abstract dynamic process creation in response to I/O acknowledgements sent by the device. We present the results of our approach on the modeling and verification of several Linux device driver models.
DOI: https://doi.org/10.1109/MEMOCODE51338.2020.9315046 | Published: 2020-12-02
Citations: 0
[MEMOCODE 2020 Front cover]
DOI: https://doi.org/10.1109/memocode51338.2020.9315050 | Published: 2020-12-02
Citations: 0
Real-time Scheduling of I/O Transfers for Massively Parallel Processor Arrays
Dominik Walter, Michael Witterauf, J. Teich
A fundamental problem of massively parallel accelerator architectures is the management of the typically small peripheral I/O buffers that decouple the accelerator from an external memory. Very often, these buffers cannot store the entire input and output data of one execution and must be updated, i.e., filled or drained, frequently. Moreover, if a processor array performs either a read on an empty bank or a write on a full bank, it must interrupt its execution immediately until the corresponding data transfer between the accelerator and the external memory has been carried out. As a consequence, the timing predictability of the array execution might be impaired. Therefore, a precise analysis of a schedule for all data transfers is indispensable. Moreover, as it is prohibitive to store all data transfers entirely within the accelerator itself, we must determine and schedule all necessary data transfers dynamically at runtime. In this paper, we present an approach to characterize all necessary data transfers and to issue them in time so that the peripheral I/O buffers never run full or empty. We first show that a deadline for each data transfer can be derived from a given loop schedule, resulting in a traditional task scheduling problem. Unfortunately, however, standard real-time scheduling techniques such as earliest deadline first (EDF) cannot be applied here, as no data transfer may be interrupted, and even the existing non-preemptive variants of EDF are known to be prone to timing anomalies. As a solution, we present a strictly non-work-conserving variant of EDF together with an efficient schedulability test for periodic loop executions. In an experimental section, the scheduling approach is applied to a randomly generated set of loop programs, showing that our algorithm is able to feasibly schedule 95% of the theoretically schedulable problem instances. Altogether, we provide a fully timing-predictable buffer management for massively parallel processor arrays that avoids any I/O-related stalls of a processor array by construction.
DOI: https://doi.org/10.1109/MEMOCODE51338.2020.9315179 | Published: 2020-12-02
Citations: 1
CROME: Contract-Based Robotic Mission Specification
Piergiuseppe Mallozzi, P. Nuzzo, Patrizio Pelliccione, G. Schneider
We address the problem of automatically constructing a formal robotic mission specification in a logic language with precise semantics starting from an informal description of the mission requirements. We present CROME (Contract-based RObotic Mission spEcification), a framework that allows capturing mission requirements in terms of goals by using specification patterns, and automatically building linear temporal logic mission specifications conforming with the requirements. CROME leverages a new formal model, termed Contract-based Goal Graph (CGG), which enables organizing the requirements in a modular way with a rigorous compositional semantics. By relying on the CGG, it is then possible to automatically: i) check the feasibility of the overall mission, ii) further refine it from a library of pre-defined goals, and iii) synthesize multiple controllers that implement different parts of the mission at different abstraction levels, when the specification is realizable. If the overall mission is not realizable, CROME identifies mission scenarios, i.e., sub-missions that can be realizable. We illustrate the effectiveness of our methodology and supporting tool on a case study.
DOI: https://doi.org/10.1109/MEMOCODE51338.2020.9315065 | Published: 2020-12-02
Citations: 5
Robustness Contracts for Scalable Verification of Neural Network-Enabled Cyber-Physical Systems
N. Naik, P. Nuzzo
The proliferation of artificial intelligence based systems in all walks of life raises concerns about their safety and robustness, especially for cyber-physical systems including multiple machine learning components. In this paper, we introduce robustness contracts as a framework for compositional specification and reasoning about the robustness of cyber-physical systems based on neural network (NN) components. Robustness contracts can encompass and generalize a variety of notions of robustness which were previously proposed in the literature. They can seamlessly apply to NN-based perception as well as deep reinforcement learning (RL)-enabled control applications. We present a sound and complete algorithm that can efficiently verify the satisfaction of a class of robustness contracts on NNs by leveraging notions from Lagrangian duality to identify system configurations that violate the contracts. We illustrate the effectiveness of our approach on the verification of NN-based perception systems and deep RL-based control systems.
DOI: https://doi.org/10.1109/MEMOCODE51338.2020.9315118 | Published: 2020-12-02
Citations: 3
Formal Modeling and Verification of Rate Adaptive Pacemakers for Heart Failure
M. Kim, Weiwei Ai, P. Roop, Nathan Allen, R. Ramchandra, J. Paton
Cardiovascular Implantable Electronic Devices (CIEDs) are routinely implanted to treat various types of arrhythmia. However, conventional pacing algorithms may not be able to provide optimal treatment for patients with Heart Failure (HF), and evidence suggests negative outcomes. In this paper, we introduce a formal pacemaker model that can restore heart-lung synchronization, which may bring therapeutic benefits to patients with chronic HF. We use valued Synchronous Discrete Timed Automata (SDTA) to describe the timing requirements of the device, which is then translated into Promela for formal verification through a set of rules defined to preserve the synchronous semantics. The safety-critical properties are then verified using the model checker SPIN. We show that the SDTA model can be verified more efficiently than with conventional approaches based on pure Timed Automata (TA). Animal test results show that the pacing rates are synchronized with the respiratory cycles. In particular, functional safety is ensured under various respiratory conditions. This work yields, for the first time, a formal model of a pacing device that reinstates heart rate variability for HF patients.
DOI: https://doi.org/10.1109/MEMOCODE51338.2020.9315160 | Published: 2020-12-02
Citations: 1
A Contrastive Plan Explanation Framework for Hybrid System Models
Mir Md Sajid Sarwar, Rajarshi Ray, A. Banerjee
In artificial intelligence planning, having an explanation of a plan produced by a planner is often desirable. The ability to explain various aspects of a synthesized plan to an end-user not only builds trust in the planner but also reveals insights into the planning domain and the planning process. Contrastive questions such as "Why action A instead of action B?" can be answered with a contrastive explanation that compares properties of the original plan containing A against the contrastive plan containing B. In this paper, we explore a set of contrastive questions that a user of a planning tool may raise, and we propose a re-model and re-plan framework to provide explanations for such questions. Earlier work has reported this framework on planning instances for discrete problem domains described in the Planning Domain Definition Language (PDDL) and its variants. In this paper, we propose an extension for planning instances described in PDDL+ for hybrid systems, which exhibit a mix of discrete and continuous dynamics. Specifically, given a mixed discrete-continuous system model in PDDL+ and a plan describing the set of desirable actions on that model to achieve a designated goal, we present a framework that can integrate contrastive questions in PDDL+ and synthesize alternate plans. We present a detailed case study of our approach and propose a comparison metric to compare the original plan with the alternate ones.
DOI: https://doi.org/10.1109/MEMOCODE51338.2020.9315040 | Published: 2020-12-02
Citations: 1
Runtime Verification of Timed Properties in Autonomous Robots
M. Foughali, S. Bensalem, Jacques Combaz, F. Ingrand
Throughout the last few decades, researchers and practitioners have shown more and more interest in using formal methods to predict and prevent software failures in robotic and autonomous systems. However, the applicability of formal methods to such systems is limited by several factors. For instance, robotic specifications are often non-formal, which makes their formalization hard and error-prone, and their translation into formal models ad hoc and non-automatic. Furthermore, the complexity and size of robotic applications most often lead to scalability issues with exhaustive techniques such as model checking. In this paper, we investigate the use of runtime verification as an alternative to model checking for the rigorous verification of large robotic systems. To do so, we first develop a sound and automatic translation from the robotic framework GenoM3 to the real-time version of the BIP formal language. Then, we apply the translation to a real-world case study whose formal models do not scale with model checking, and use the BIP Engine to execute the generated BIP model, verify properties online, and react adequately to their possible violation. The experiments are carried out on a real Robotnik robot and show the efficiency of our approach in verifying timed properties, that is, properties for which the amount of time separating events matters.
DOI: https://doi.org/10.1109/MEMOCODE51338.2020.9315156 | Published: 2020-12-02
Citations: 9
Stately: An FSM Design Tool
J. Pope, Jules Saget, C. Seger
Finite state machines (FSMs) are at the heart of many digital circuits, in particular microprocessors such as the IoT-oriented Cephalopode processor we are implementing as part of the Octopi project. We frequently encounter two practical difficulties with FSM design: first, in the case of Mealy machines, state transitions and output logic can have complex and overlapping conditions, which are difficult to maintain and comprehend if separated; and second, there is a tension between clarity and clock cycles with respect to the insertion of intermediate states. To address these in the context of the Cephalopode processor, we developed the open-source tool Stately, a visual environment for designing finite state machines. States are organized spatially and individually programmed in a simple domain-specific language, and the resulting machine can be compiled to HFL code for the VossII hardware design and simulation platform. In addition to allowing the intermingling of transitions and output declarations, Stately introduces a mechanism by which chosen states can be merged during compilation. While only a modest semantic extension, it resolves several clarity-efficiency tradeoffs while retaining a clear visual interpretation. Other features include lightweight simulation for rudimentary testing and extensive error-checking.
DOI: https://doi.org/10.1109/MEMOCODE51338.2020.9315130 | Published: 2020-12-02
引用次数: 1
Specification-guided Software Fault Localization for Autonomous Mobile Systems
Tomoya Yamaguchi, Bardh Hoxha, D. Prokhorov, Jyotirmoy V. Deshmukh
Verification and validation are vital steps in the development process of autonomous systems such as mobile robots and self-driving vehicles, as they allow reasoning about system safety. In the domain of cyber-physical systems, techniques using formal requirements have been shown to enable rigorous mathematical reasoning about system safety through techniques for automatic test generation and performance analysis. In this paper, we show that system-level and subsystem-level requirements can also enable fault localization in autonomous systems that use heterogeneous functional components. However, writing correct formal requirements is challenging and requires a significant investment of time, effort and, most importantly, expertise. To address this issue, we propose a specification library for autonomous mobile systems called TLAM (Temporal Logic for Autonomous Mobility). Our contributions are twofold. First, we provide a library of parametric formal specifications at both the system level and subsystem level for typical subsystems in autonomous systems, such as those for perception, planning and decision-making; the specification parameters encode the design trade-offs for such components. Second, we introduce a new fault localization technique based on these parametric specifications that identifies the likeliest subsystem that has a fault.
Specification-guided Software Fault Localization for Autonomous Mobile Systems. Tomoya Yamaguchi, Bardh Hoxha, D. Prokhorov, Jyotirmoy V. Deshmukh. DOI: https://doi.org/10.1109/MEMOCODE51338.2020.9315067. Published 2020-12-02 in 2020 18th ACM-IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE).
Citations: 2
Journal
2020 18th ACM-IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE)
Copyright © 2023 Book学术 All rights reserved.