
Formal Verification of Real-time Networks Lucien Rakotomalala, Marc Boyer, Pierre Roux

To cite this version:

Lucien Rakotomalala, Marc Boyer, Pierre Roux. Formal Verification of Real-time Networks. JRWRTC 2019, Junior Workshop RTNS 2019, Nov 2019, TOULOUSE, France. hal-02449140

HAL Id: hal-02449140 https://hal.archives-ouvertes.fr/hal-02449140 Submitted on 22 Jan 2020

Formal Verification of Real-time Networks

Lucien Rakotomalala, Marc Boyer, Pierre Roux. ONERA / DTIS, Université de Toulouse, F-31055 Toulouse, France. fi[email protected]

ABSTRACT

Embedded real-time networks must ensure guaranteed delays. Network calculus is a theory providing bounds on such delays. This mathematical theory currently relies on human-made, pen and paper proofs. The current work offers to formalize such proofs in Coq, an automated proof checker. We formalize a subset of the theory, large enough to handle a complete proof of bounds on a representative case study.

Keywords

network calculus, Coq, real-time network

1. INTRODUCTION

Nowadays, real-time systems are pervasive in embedded applications such as the aerospace or automotive industries. Such applications being critical, it is mandatory to establish a high degree of confidence in their functional and temporal behaviour. Whereas a lot of work is available on functional verification, this paper focuses on temporal correctness.

Analysis methods in this regard do exist and they are mathematically proved. However, these proofs are only reviewed and verified by humans, which implies a substantial risk of error due to their complexity or subtle hypotheses. Therefore, some mistakes can be made during the writing and reviewing process of a proof. A major source of mistakes is the omission of an implicit hypothesis when reusing a previous result. Such omissions have occurred several times in real-time analysis proofs. For example, it has recently been discovered that some self-suspension consideration was inexact, 20 years after publication of the original paper [14]. As another example, an error in real-time analyses of the CAN bus was discovered only 13 years after the original publication [9].

We aim at increasing the confidence in mathematical proofs by automating the proofreading process. This can be done by a computer running a proof assistant. Such tools have been developed by computer scientists and mathematicians for nearly half a century. We can for instance mention Coq, Isabelle or PVS [3, 15, 16]. We can use one of them to formally define mathematical objects, state theorems and finally describe proofs of these theorems. A computer is then able to automatically check these proofs.

As a first advantage of the use of a proof assistant, the confidence in the correctness of the proofs is reduced to the absence of bugs in the tool, the coherence of the implemented logic and the potential axioms used. On this last point, the tool allows to know exactly which axioms are used in each proof.

Another advantage is to identify where and how hypotheses are used by a proof. In extreme cases, it happens that some hypotheses are in fact unused in the course of a proof. To check this, it is enough to remove the considered hypothesis and attempt a recompilation of the proof.

Finally, a proof assistant enables a simpler and safer reuse of the results: an application of a theorem is only possible when all hypotheses are collected. Thus, it is not possible to forget hypotheses.

The proof assistant we use in this paper is Coq [3], developed by Inria, based on a small kernel and extended by a large set of libraries. The kernel implements an intuitionistic logic. Our confidence is based on this reduced kernel that ultimately checks all Coq proofs. This kernel uses a low-level language that is simple but hardly usable by humans. Coq thus provides an interface to make it operable: it interprets the user's commands to elaborate a proof in the kernel language.

Coq comes with a standard library providing mathematical models and properties. Other libraries go beyond this standard set, such as the Mathcomp [12] or the Coquelicot [4] libraries. The correctness of these libraries relies on the fact that they are checked by the kernel.

In order to formalize proofs on a specific problem, a Coq user first defines a mathematical model (the modeling of the problem). Then she expresses some properties of the model (stating lemmas or theorems) and eventually writes Coq commands to prove these properties. During this process, Coq checks that definitions and statements of properties are well formed and that the proofs hold.

Our proofs will focus on embedded networks and will use an analysis method of temporal properties on these networks: the network calculus (NC). This theory heavily relies on tropical algebra through the dioid of min-plus functions. As previously described, our first step will consist in writing NC definitions in the Coq language. Secondly, NC results found in the literature will be proved within Coq. Only a NC expert can check that the Coq definitions match the ones in the literature. Thus our models have to be readable even without a deep Coq expertise. In contrast, the second step, proof writing, does not need to be checked by a human since the compilation guarantees the proofs.

While our final goal is to be able to verify a full industrial network, our current contributions are:
• an extension of the Coq Mathematical Components library of algebraic structures,
• formal definitions and proofs of some typical network calculus theorems,
• an application on a first case study, handling 5 flows through 5 servers with FIFO policy.

Section 2 presents related works on proof assistants and real-time network analyses. Then, Section 3 presents our formal development. Section 4 is a case study on a performance analysis of a network. Finally, we conclude with Section 5 and explain our future work in Section 6.

2. RELATED WORK

Network calculus tools take as input the description of a network and compute delay bounds. The validity of these bounds relies on both the correctness of the network calculus theorems (produced by authors and checked by reviewers) and the correctness of the implementation (relying on developer skills). Formally proving correct implementation was the aim of [11], using the proof assistant Isabelle. Our goal is to prove both theory and implementation correctness, using another proof assistant, Coq.

Our work is part of the project RT-proofs [2]. The main objective of this project is to lay the foundations for computer-assisted formal verification of timing analysis results. Many works have been performed already, for example a verification of a CAN schedulability analysis with Coq [10]. Finally, a library for the development of machine-checked schedulability analysis using Coq is also available [8].

3. NETWORK CALCULUS WITH COQ

The Network Calculus theory is based on the min-plus dioid [5]. Thus, our first contribution consists in adding this algebraic structure to the Mathcomp library (Sections 3.1, 3.2). We then formalize the main NC results (Section 3.3). Some metrics on the Coq development are given in Section 3.4.

3.1 Algebraic structures

We use some of the existing elements in the Mathcomp library [12] to define the algebraic structure of complete dioids. The Mathcomp library provides some algebraic structures useful in our case (monoids, rings, ...) but not dioids. So, with the help of this library, we add a description of the dioid structure as defined by [13].

Definition 1 (Dioid). A set D with two operators ⊕ and ⊗ is called a dioid if
• ⊕ is associative and commutative and admits a neutral element 0̄,
• ⊗ is associative and admits a neutral element 1̄,
• ⊗ is left and right distributive over ⊕,
• 0̄ is absorbing for ⊗,
• ⊕ is idempotent, i.e. ∀a ∈ D, a ⊕ a = a.

A dioid is said to be complete if it is closed for infinite sums and if the product distributes over infinite sums on both sides.¹ Under some assumptions, a subset of a complete dioid remains a complete dioid.

Theorem 1. Let D be a complete dioid with operators ⊕ and ⊗. Any D' ⊆ D including 0̄ and 1̄ and stable for ⊕, ⊗ and infinite sums is also a complete dioid.

We can then define the Kleene operator, useful in NC.

Definition 2 (Kleene operator). Let D be a complete dioid with operators ⊕ and ⊗. The Kleene operator on a ∈ D is a* = ⊕_{i=0}^{+∞} a^i, with a^0 = 1̄ and a^{i+1} = a ⊗ a^i.

By using this definition, we can state the next theorem. This result is shared with language theory.

Theorem 2. Let D be a complete dioid with ⊕ and ⊗. For all a, b in D, a* ⊗ b is the least solution of x = (a ⊗ x) ⊕ b.

There exist many other results on dioids [5, 13]. Among them we prove 78 properties useful for NC. All of these results have been submitted as a pull request on the Mathcomp library.²

¹ All these algebraic structures and their properties have been developed using only intuitionistic logic. Even proofs on infinite sums don't require classical reasoning, since we only prove results based on the hypothesis that such sums do exist. On the contrary, the next section will deal with real numbers, whose formalization in the Coq standard library requires classical logic with the excluded middle axiom.
² https://github.com/math-comp/math-comp/pull/357

3.2 Instances

To use these properties in the NC context, we have to prove that sets of interest are dioids. This implies to:
• give a set D,
• give operators ⊕, ⊗ and their neutral elements,
• prove that the dioid properties (cf. Definition 1: associativity, commutativity, ...) hold.

NC handles functions on real values: F : R+ → R̄, with R̄ = R ∪ {−∞, +∞}, and uses the following two operators:
• minimum: (f ∧ g)(t) = min(f(t), g(t)),
• convolution: (f ∗ g)(t) = inf_{0≤s≤t} {f(t − s) + g(s)}.

Theorem 3. The set of functions F with ⊕ = ∧ and ⊗ = ∗ is a complete dioid.

Depending on the authors and even on the papers, NC results handle either F or some specific subsets:
• F+ : R+ → R+,
• F↑: the subset of non-decreasing elements of F+.

Theorem 4. The sets F+ and F↑ with ⊕ = ∧ and ⊗ = ∗ are complete dioids.

This is proved by using Theorem 1. One contribution of our work is to make explicit which subset is needed for each result. To develop these constructions, we use results of the Coquelicot library [4]: the set R and its properties.

3.3 Network calculus

3.3.1 Model

NC models data flows by the cumulative amount of data at a point in a network at time t.

Definition 3 (Cumulative function). A function f : R+ → R+ is a cumulative function if f:
• is non-decreasing: ∀t, d ∈ R+, f(t) ≤ f(t + d),
• starts at 0: f(0) = 0,
• is left-continuous.

The set of cumulative functions is denoted C. They are non-decreasing because they represent data, and a cumulative amount of data cannot decrease. We consider that flows do not contain data before t = 0, so cumulative functions start at 0.

A server is a relation between two cumulative functions:

Definition 4 (Server). A server S is a relation S ⊆ C × C that satisfies:
• ∀(A, D) ∈ S, D ≤ A,
• ∀A ∈ C, ∃D ∈ C, (A, D) ∈ S.
For (A, D) ∈ S, A is called the arrival and D the departure of the server.

The first property means that the arrival is always higher than (or equal to) the departure: data cannot leave a server before it has arrived. The second property means that for all arrival there exists a departure.

Another notion of NC we use is called arrival curve. It is used to constrain cumulative functions.

Definition 5 (Arrival curve). Let A ∈ C and α ∈ F. α is said to be an arrival curve for A if A ≤ A ∗ α.

To specify servers, NC uses the notion of minimal service. We define it below, first using mathematics, then in Coq.

Definition 6 (Minimal service). Let S be a server and β ∈ F+. S is said to offer a minimal service β if ∀(A, D) ∈ S, A ∗ β ≤ D.

    Definition is_min_service (S : C -> C -> Prop) (beta : Fplus) : Prop :=
      forall A D, S A D -> A * beta <= D.

The term Fplus represents the set F+ presented in Section 3.2, and the arrow -> stands for logical implication in Coq.

3.3.2 Properties

To analyze temporal network performances, NC defines a notion of delay. The delay experienced by data is the difference between its arrival and its departure, as illustrated in Figure 1.

Figure 1: Illustration of the notion of delay

Different policies for servers are defined in NC. One of them is the First-In First-Out policy, whose formal definition can be found in [5]. In such a policy, a packet is served after all packets previously arrived have been served. For each server with this policy, a NC theorem bounds the delay experienced by each packet. We have proved this delay theorem in Coq.

Finally, NC provides a method to compute a contract on the output of a server, i.e., an arrival curve for the next server.

3.4 Coq development overview

Table 1 gives some metrics on our Coq development. It can first be observed that the number of definitions for Instances has no significant meaning: it comes from a difference in programming style between the two libraries. More interestingly, the ratio between the number of lines and the number of properties is lower in Dioid and Instances than in NC. This means that Dioid and Instances contain short proofs, most of which require only 10 lines, whereas NC requires larger, more complex proofs.

Table 1: Summary of Coq definitions and properties done

               Definitions   Properties   Lines   Lines/prop.
    Dioid               19           78    1616            21
    Instances          108          159    2888            18
    NC                  26           52    2253            43

These definitions and properties are very much inspired from a NC textbook [5], giving pen and paper versions of NC properties. It is thus possible to compare Coq proofs and pen and paper proofs. Formalizing these proofs in Coq provides several benefits. As expected, we have found typos in pen and paper proofs, but we also found a few mistakes which we had to fix.³ Lastly, Coq helped us to simplify some hypotheses. Some results appeared to be over-specified: properties have been both simplified and generalized, and pen and paper proofs valid only for specific dioid instances have been leveraged to any dioid, with a shorter proof.

³ For example, in the proof of theorem 6.2, a confusion was made between > and ≥, invalidating the proof.
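The definitions of Section 3.3 can also be exercised numerically: the block below is an added example (not the paper's Coq development) that represents cumulative functions on a sampled time grid, implements the convolution of Section 3.2 and its deconvolution, checks Definitions 5 and 6 on a constructed periodic flow served by a latency-free FIFO server, and computes the FIFO delay bound and the output contract of Section 3.3.2. The rates and the frame size are the case-study parameters; the 10 µs grid, the 640 µs horizon and 1 Kbyte taken as 8000 bits are assumptions of this example, and the delays it returns are for one server only, not the network-wide bounds of Table 2.

```python
"""Min-plus network calculus on a sampled time grid (added example, not the paper's Coq
development): checks Definitions 5 and 6, the FIFO delay bound and the output contract of 3.3.2."""

DT_US = 10   # grid step in microseconds (assumption of this example); x Mbit/s = x*DT_US bits per step
N = 64       # horizon of 640 µs (assumption of this example)

def convolve(f, g):
    """Min-plus convolution (f * g)(t) = inf_{0<=s<=t} f(t-s) + g(s): the product ⊗ of Section 3.2."""
    return [min(f[t - s] + g[s] for s in range(t + 1)) for t in range(len(f))]

def deconvolve(f, g):
    """Min-plus deconvolution (f ⊘ g)(t) = sup_{u>=0} f(t+u) - g(u), sup truncated at the horizon."""
    return [max(f[t + u] - g[u] for u in range(len(f) - t)) for t in range(len(f))]

def is_arrival_curve(A, alpha):
    """Definition 5: alpha is an arrival curve for A iff A <= A * alpha."""
    return all(a <= c for a, c in zip(A, convolve(A, alpha)))

def offers_min_service(A, D, beta):
    """Definition 6 on one pair (A, D) of the server relation: A * beta <= D."""
    return all(c <= d for c, d in zip(convolve(A, beta), D))

def delay_bound_us(alpha, beta):
    """Horizontal deviation sup_t inf{d : alpha(t) <= beta(t + d)}: the FIFO delay bound of 3.3.2."""
    worst = 0
    for t in range(len(alpha)):
        d = next((d for d in range(len(beta) - t) if beta[t + d] >= alpha[t]), None)
        if d is None:
            raise ValueError("horizon too short to bound the delay")
        worst = max(worst, d)
    return worst * DT_US

def periodic_flow(frame_bits, period_steps):
    """Cumulative function of a periodic flow (Definition 3): A(0) = 0, then one frame per period."""
    return [frame_bits * ((t + period_steps - 1) // period_steps) for t in range(N)]

def token_bucket(burst_bits, rate_mbps):
    """Arrival curve alpha(t) = burst + rate*t for t > 0 and alpha(0) = 0, an element of F↑."""
    return [0] + [burst_bits + rate_mbps * DT_US * t for t in range(1, N)]

def rate_server(rate_mbps):
    """Service curve beta(t) = rate*t of a server without latency, as in the case study."""
    return [rate_mbps * DT_US * t for t in range(N)]

def fluid_departure(A, rate_mbps):
    """Departure of a work-conserving server of the given rate fed by A, simulated step by step."""
    D = [0]
    for t in range(1, len(A)):
        D.append(min(A[t], D[-1] + rate_mbps * DT_US))
    return D

def first_switch_checks():
    """One flow of the case study at the upper switch: 1 Kbyte frames (taken as 8000 bits, an
    assumption) every 400 µs, i.e. 20 Mbit/s, through a FIFO server at 100 Mbit/s without latency."""
    A, alpha, beta = periodic_flow(8000, 40), token_bucket(8000, 20), rate_server(100)
    D = fluid_departure(A, 100)
    return {"arrival_ok": is_arrival_curve(A, alpha),                   # Definition 5 holds
            "service_ok": offers_min_service(A, D, beta),               # Definition 6 holds
            "output_ok": is_arrival_curve(D, deconvolve(alpha, beta)),  # contract for the next server
            "one_flow_delay_us": delay_bound_us(alpha, beta),
            "three_flows_delay_us": delay_bound_us([3 * x for x in alpha], beta)}  # flows 1, 2, 3
```

With these parameters one frame alone is delayed by at most one transmission time (80 µs), and the three-flow aggregate entering the upper switch by at most three (240 µs); a burst smaller than one frame is correctly rejected as an arrival curve.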
4. CASE STUDY

In this section, we work on a simple network with the particular topology shown on Figure 2. In this network, we consider that data transmissions are periodic, with a rate of 20 Mbits per second. The frame sizes are fixed to 1 Kbyte, as introduced in Subsection 3.3.2. The scheduling policy for each server is FIFO, the speed is fixed to 100 Mbits per second and servers are assumed to have no latency. Flows 1, 2 and 3 converge on the upper switch and share its output port. The next switch separates them: flow 1 goes up and competes with flow 4 on the leftmost switch; symmetrically, flows 2 and 3 go down and meet flow 5 on the rightmost switch. All flows then converge and share one output port.

Figure 2: Network Topology

The objective is, for each flow, to bound the delay when crossing the entire network. To do so, we have written a Coq proof which consists in two steps. A first step considers each server individually and applies the results presented in the previous sections. The second step consists in combining the local results with respect to the topology presented in Figure 2. This leads to algebraic expressions of the delays (in the min-plus dioid) whose numerical values are computed using the min-plus calculator from RTaW [1]. This tool implements the algorithms from [6], whose pen and paper proofs have not been formalized in Coq yet. The results are presented in Table 2.

Table 2: Delay bound for each flow

    Flow                 1       2       3       4       5
    Delay bound (µs)   601.6   368     601.6   233.6   233.6

5. CONCLUSION

The aim of this work was to formalize (using Coq) results on delay bounds of real-time networks (using the NC theory). This required the formalization in Coq of the algebraic structure of complete dioids. We rely on the Mathcomp library and we shared our development with this library. Then, we built specific instances of complete dioids used in NC with the help of the Coquelicot library. Last, we developed a set of NC definitions and results, sufficient to perform the complete proof of a first case study. Thus, we obtained a Coq development of 6757 lines containing a definition of the algebraic structure of dioids, instances of dioids and NC results. This work took one year, considering that the main author was a newcomer to both Coq and the NC theory.

Several benefits come with this formal development: we found a few mistakes in proofs from [5], which we had to fix. More interestingly, some results appeared to be over-specified: Coq helped us to reduce the hypotheses. Last, some results have been generalized while simplifying their proofs.

Finally, the results are applied to a first case study. We used here a tool from RTaW to compute the final numerical results, but Coq is used to prove the correctness of the computed expressions and of all properties used to obtain these expressions.

We notice that there are three possible kinds of modifications of our case study. First, a modification of its numerical values (throughput, packet sizes, ...) does not change the Coq proof, since only numerical parameters of the final computation are affected. Second, a modification of the service policy requires to prove new theorems related to the new policy, but does not change the global structure of the proof. Finally, a modification of the network topology or routing breaks the structure of the proof.

6. FUTURE WORK

One may wonder how the work done for this small case study is relevant for realistic configurations. Verification of an actual embedded network, like AFDX [7], requires only two more results: on static priority scheduling and on packetisation. We plan to add such Coq proofs.

In our case study, we use an external tool to compute the value of analytic expressions. We plan to either have Coq compute them by itself or verify the values computed by the external tool. This will allow us to have a complete Coq validation of performance bound values.

The change of routing implies a manual modification of the proof. However, the structure of the proof is very repetitive, and quite a direct mapping of the network topology. We plan to automatize this part: either inside Coq, using dedicated tactics, or collaborating with an external tool, as done in [10].

7. REFERENCES

[1] Real time at work. http://realtimeatwork.com/.
[2] RT-proofs main page. https://rt-proofs.inria.fr/.
[3] Y. Bertot and P. Castéran. Interactive theorem proving and program development. Coq'Art: The Calculus of inductive constructions. 2004.
[4] S. Boldo, C. Lelay, and G. Melquiond. Coquelicot: A user-friendly library of real analysis for Coq. Math. in Comput. Sci., 9(1):41–62, Mar 2015.
[5] A. Bouillard, M. Boyer, and E. Le Corronc. Deterministic Network Calculus: From Theory to Practical Implementation. 2018.
[6] A. Bouillard and E. Thierry. An algorithmic toolbox for network calculus. Discrete Event Dynamic Systems: Theory and Applications, 18, 2008.
[7] M. Boyer, N. Navet, and M. Fumey. Experimental assessment of timing verification techniques for AFDX. In 6th European Congress on Embedded Real Time Software and Systems, Toulouse, France, Feb. 2012.
[8] F. Cerqueira, F. Stutz, and B. B. Brandenburg. PROSA: A case for readable mechanized schedulability analysis. In 28th Euromicro Conference on Real-Time Systems, ECRTS 2016, Toulouse, France, July 5-8, 2016, pages 273–284, 2016.
[9] R. I. Davis, A. Burns, R. J. Bril, and J. J. Lukkien. Controller area network (CAN) schedulability analysis: Refuted, revisited and revised. Real-Time Systems, 35(3):239–272, Apr 2007.
[10] P. Fradet, X. Guo, J.-F. Monin, and S. Quinton. CertiCAN: A Tool for the Coq Certification of CAN Analysis Results. In RTAS 2019 - 25th IEEE Real-Time and Embedded Technology and Applications Symposium, pages 1–10, Montreal, Canada, Apr. 2019.
[11] E. Mabille, M. Boyer, L. Fejoz, and S. Merz. Towards certifying network calculus. In Interactive Theorem Proving, Rennes, France, July 22-26, 2013.
[12] A. Mahboubi and E. Tassi. Mathematical Components. 2018.
[13] M. Minoux and M. Gondran. Graphs, Dioids and Semirings. New Models and Algorithms, volume 41 of Operations Research/Computer Science Interfaces Series. Springer, 2008.
[14] G. Nelissen, J. Fonseca, G. Raravi, and V. Nélis. Timing analysis of fixed priority self-suspending sporadic tasks. In 2015 27th Euromicro Conference on Real-Time Systems, pages 80–89, July 2015.
[15] S. Owre, J. M. Rushby, and N. Shankar. PVS: A prototype verification system. In D. Kapur, editor, 11th International Conference on Automated Deduction (CADE), volume 607 of Lecture Notes in Artificial Intelligence, pages 748–752, Saratoga, NY, June 1992. Springer-Verlag.
[16] M. Wenzel, L. C. Paulson, and T. Nipkow. The Isabelle framework. In O. A. Mohamed, C. Muñoz, and S. Tahar, editors, Theorem Proving in Higher Order Logics, pages 33–38, Berlin, Heidelberg, 2008. Springer Berlin Heidelberg.