Nicolescu/Model-Based Design for Embedded Systems 67842_C004 Finals Page 116 2009-9-30
116 Model-Based Design for Embedded Systems
4.6 Conclusion
We have provided a framework that allows the modeling and analysis of a
variety of schedulability scenarios. In particular, our framework supports
multi-processor systems, rich task-models with timing uncertainties in
arrival and execution times, possible dependencies, a range of scheduling
policies, and possible preemption of resources. The support of an approxi-
mate analysis of stopwatch automata in U
PPAAL 4.1 is key to the successful
schedulability analysis.
Furthermore, the uncertainty on the periods used in our framework could
be generalized to more general task-arrivals where a separate process deter-
mines the arrival of tasks. Such situations can be modeled using the struc-
ture of our framework by letting the starting of periods be dictated through
channel synchronization with the model controlling arrival times. Even with
such liberty, the overapproximation is still finite and the termination is guar-
anteed.
The scheduling framework provided in this chapter is structured such
that an adaptation can be made to accommodate other scheduling polices
and inter-task constraints. The former can be achieved by adding another
policy model similarly to the three built-in policies, FIFO, the FPS, and the
EDF. The latter is achieved through the use of the function calls, new_period,
dependencies_met,andcompleted.
Acknowledgment
The authors would like to thank Marius Miku
ˇ
cionis for providing the format
for listing U
PPAAL code.
References

1. R. Alur, C. Courcoubetis, and D. Dill. Model-checking for real-time sys-
tems. In Proceedings of the Fifth IEEE Symposium on Logic in Computer
Science (LICS’90), pp. 414–425, Philadelphia, PA, 1990. IEEE Computer
Society Press, 1990.
2. R. Alur and D. Dill. Automata for modeling real-time systems. In Pro-
ceedings of the 17th International Colloquium on Automata, Languages and
Programming (ICALP’90), Warwick University, Couentry, U.K., 1990.
Lecture Notes in Computer Science, 443:322–335. Springer, 1990.
Nicolescu/Model-Based Design for Embedded Systems 67842_C004 Finals Page 117 2009-9-30
Model-Based Framework for Schedulability Analysis Using UPPAAL 4.1 117
3. R. Alur and D. Dill. A theory of timed automata. Theoretical Computer
Science (TCS), 126(2):183–235, 1994.
4. T. Amnell, E. Fersman, L. Mokrushin, P. Pettersson, and W. Yi. Times—
a tool for modelling and implementation of embedded systems. In J P.
Katoen and P. Stevens (editors), TACAS, Grenoble, France, 2002. Lecture
Notes in Computer Science, 2280:460–464. Springer, 2002.
5. J. Madsen, A. Brekling, and M.R. Hansen. Models and formal verifica-
tion of multiprocessor system-on-chips. The Journal of Logic and Algebraic
Programming, 77(1):1–19, 2008.
6. G. Behrmann, A. Cougnard, A. David, E. Fleury, D. Larsen, K.G. Larsen,
and D. Lime. Uppaal tiga: Time for playing games! In Proceedings of
Computer Aided Verification (CAV’07), Berlin, Germany, July 2007, Lecture
Notes in Computer Science, 4590:121–125. Springer, 2007.
7. G. Behrmann, K.G. Larsen, and J.I. Rasmussen. Optimal scheduling
using priced timed automata. ACM SIGMETRICS Performance Evaluation
Review, 32(4):34–40, 2005.
8. T. Bœgholm, H. Kragh-Hansen, P. Olsen, B. Thomsen, and K.G. Larsen.
Model-based schedulability analysis of safety critical hard real-time java
programs. In JTRES ’08: Proceedings of the Sixth International Workshop on
Java Technologies for Real-Time and Embedded Systems, pp. 106–114, New

York, 2008. ACM, 2008.
9. F. Cassez and K.G. Larsen. The impressive power of stopwatches. In C.
Palamidesi (editor), 11th International Conference on Concurrency Theory,
(CONCUR’2000), University Park, PA, July 2000, Lecture Notes in Computer
Science, 1877:138–152. Springer-Verlag, 2000.
10. Timesys Corporation. Pittsburgh, PA, .
11. Timesys Corporation. Pittsburgh, PA, .
12. R.J. Engdahl and A.M. Haugstad. Efficient model checking for prob-
abilistic timed automata. Master thesis, Aalborg University, Aalborg,
Denmark, 2008.
13. E. Fersman, L. Mokrushin, P. Pettersson, and W. Yi. Schedulability anal-
ysis of fixed-priority systems using timed automata. Theoretical Computer
Science, 354(2):301–317, 2006.
14. E. Fersman, P. Pettersson, and W. Yi. Timed automata with asyn-
chronous processes: Schedulability and decidability. In Proceedings of
TACAS 2002, pp. 67–82, Grenoble, France, Springer-Verlag, 2002.
Nicolescu/Model-Based Design for Embedded Systems 67842_C004 Finals Page 118 2009-9-30
118 Model-Based Design for Embedded Systems
15. UPPAAL Scheduling Framework
January 2009.
16. K. Godary, I. Augé-Blum, and A. Mignotte. Sdl and timed petri nets
versus uppaal for the validation of embedded architecture in automo-
tive. In Forum on Specification and Design Language (FDL’04), Lille, France,
September 2004.
17. N. Guna, Z. Gu, Q. Deng, S. Gao, and G. Yu. Exact schedulability anal-
ysis for static-priority global multiprocessor scheduling using model-
checking. In Software Technologies for Embedded and Ubiquitous Systems,
Santorini Island, Greece, Lecture Notes in Computer Science, pp. 263–272.
Springer, Berlin, 2007.
18. Uppaal Tiga Homepage. />2006.

19. A. Brekling, J. Madsen, and M.R. Hansen. A modelling and analysis
framework for embedded systems. In Model-Based Design for Embedded
Systems, G. Nicolescu and P.J. Mosterman (editors), Taylor & Francis,
Boca Raton, FL, 2009.
20. J. Krakora and Z. Hanzalek. Timed automata approach to CAN verifica-
tion. INCOM, 2004.
21. P. Krcál and W. Yi. Decidable and undecidable problems in schedulabil-
ity analysis using timed automata. In K. Jensen and A. Podelski (editors),
TACAS, Barcelona, Spain, 2004. Lecture Notes in Computer Science, 2988:
236–250. Springer, 2004.
22. J. Madsen, K. Virk, and M.J. Gonzalez. A systemC-based abstract real-
time operating system model for multiprocessor system-on-chip. In Mul-
tiprocessor System-on-Chip. Morgan Kaufmann, San Francisco, CA, 2004.
23. S. Mahadevan, M. Storgaard, J. Madsen, and K.M. Virk. Arts: A system-
level framework for modeling MPSoC components and analysis of their
causality. In 13th IEEE International Symposium on Modeling, Analysis,
and Simulation of Computer and Telecommunication Systems (MASCOTS),
Atlanta, GA, 2005. IEEE Computer Society, Septemper 2005.
24. Y. Le Moullec, J P. Diguet, N. Ben Amor, T. Gourdeaux, and J.L.
Philippe. Algorithmic-level specification and characterization of embed-
ded multimedia applications with design trotter. VLSI Signal Processing,
42(2):185–208, 2006.
25. H. Nikolov, M. Thompson, T. Stefanov, A.D. Pimentel, S. Polstra, R. Bose,
C. Zissulescu, and E.F. Deprettere. Daedalus: Toward composable mul-
timedia MPSoC design. In L. Fix (editor), DAC, pp. 574–579, Anaheim,
CA, 2008, ACM, 2008.
Nicolescu/Model-Based Design for Embedded Systems 67842_C004 Finals Page 119 2009-9-30
Model-Based Framework for Schedulability Analysis Using UPPAAL 4.1 119
26. S. Schliecker, J. Rox, R. Henia, R. Racu, A. Hamann, and R. Ernst. Formal
performance analysis for real-time heterogeneous embedded systems. In

Model-Based Design for Embedded Systems, G. Nicolescu and P.J. Moster-
man (editors), Taylor & Francis, Boca Raton, FL, 2009.
27. H. Sun. Timing constraints validation using uppaal: Schedulability anal-
ysis. In DIPES ’00: Proceedings of the IFIP WG10.3/WG10.4/WG10.5 Interna-
tional Workshop on Distributed and Parallel Embedded Systems, pp. 161–172,
Deventer, the Netherlands, 2001. Kluwer, B.V. 2001.
28. UPPAAL. , January 2005.
29. UPPAAL CORA. />uary 2006.
Nicolescu/Model-Based Design for Embedded Systems 67842_C004 Finals Page 120 2009-9-30
Nicolescu/Model-Based Design for Embedded Systems 67842_C005 Finals Page 121 2009-10-13
5
Modeling and Analysis Framework for
Embedded Systems
Jan Madsen, Michael R. Hansen, and Aske W. Brekling
CONTENTS
5.1 Introduction 121
5.2 Motivation 124
5.3 EmbeddedSystemsModel 125
5.3.1 Application Model 127
5.3.2 Execution Platform Model 127
5.3.2.1 Processing-Element Model 127
5.3.2.2 Network Model 128
5.3.3 Task Mapping 129
5.3.4 Memory and Power Model 129
5.4 Model of Computation 130
5.5 MoVESAnalysisFramework 134
5.6 UsingtheMoVESAnalysisFramework 136
5.6.1 Simple MultiCore Embedded System 136
5.6.2 Smart Phone, Handling Large Models 137
5.6.3 Handling Nondeterministic Execution Times 140

5.6.4 Stopwatch Model 140
5.7 Summary 141
Acknowledgments 141
References 142
5.1 Introduction
Modern hardware systems are moving toward execution platforms made up
of multiple programmable and dedicated processing elements implemented
on a single chip, known as a multiprocessor system-on-chip (MPSoC). The
different parts of an embedded application are executing on these process-
ing elements, but the activities of mapping the parts of an embedded pro-
gram onto the platform elements are nontrivial. First of all, there may be
various and often conflicting resource constraints. The real-time constraint,
for example, should be met together with constraints on the uses of mem-
ory and energy. There also are huge varieties in the freedom of choices in
121
Nicolescu/Model-Based Design for Embedded Systems 67842_C005 Finals Page 122 2009-10-13
122 Model-Based Design for Embedded Systems
the mapping of an application to a platform because there are many ways to
partition an embedded program into parts, there are many ways these parts
can be assigned to processing elements, and there are many ways each pro-
cessing element can be set up.
As embedded systems become more complex, the interaction between
the application and the execution platform becomes more incomprehensi-
ble, and problems such as memory overflow, data loss, and missed dead-
lines become more likely. In the development phase, it is not enough
to simply look at the different layers of the system independently, as
a minor change at one layer can greatly influence the functionality of
other layers. The system-level verification of schedulability, upper limits
for memory usage, and power consumption, taking all layers into account,
have therefore become central fields of study in the design of embedded

systems.
As many important design decisions are made early in the design phase,
it is imperative to support the system designer at this level. This chapter
presents an abstract embedded system model that is able to capture a set
of applications executing on a multicore execution platform. The model of
computation for such systems is formalized in [BHM08], which also con-
tains a more refined formalization using timed automata. This refinement
into timed automata, which is implemented using U
PPAAL [BDL04], gives
the ability to model check properties of timing, memory usage, and power
consumption.
In order to support designers of industrial applications, the timed-
automata model is hidden for the user, allowing the designer to work directly
with the abstract system-level model of embedded systems. As outlined in
Figure 5.1, the designer provides an application consisting of a set of task
graphs, an execution platform consisting of processing elements intercon-
nected by a network, and a mapping of tasks to processing elements. The
system model is then translated into a timed-automata model that enables
schedulability analysis as well as being able to verify that memory usage
and power consumption are within certain limits. In the case where a sys-
tem is not schedulable, the tool provides useful information about what
caused the missed deadline. We do not propose any particular methodology
for design space exploration, but provide an analysis framework, M
OVES ,
where embedded systems can be modeled and verified in the early stages
of the design process. Thus, the M
OVES analysis framework provides tool
support for system designers to explore alternatives in an easy and efficient
manner.
An important aspect in the design of M

OVES is to provide an experimen-
tal framework, supporting easy adaptability of the “core model" to capture
energy and memory considerations for example, or to experiment with, say,
new principles for task scheduling and allocation. Furthermore, the M
OVES
analysis framework is equipped with different underlying U
PPAAL models,
Nicolescu/Model-Based Design for Embedded Systems 67842_C005 Finals Page 123 2009-10-13
Modeling and Analysis Framework for Embedded Systems 123
Application
model
Platform
model
Mapping
Queries
Schedule
Trace
converter
Diagnostic
trace
U
PPAAL
model
Model
generation
Deter-
ministic
ARTS MoVES U
PPAAL Core model
FIGURE 5.1

Overview of the M
OVES analysis framework.
aiming at an efficient verification in various situations. For the moment, we
are operating with the following underlying models for
• Schedulablity analysis in connection with worst-case execution times
only.
• Schedulablity analysis for the full core model (including best- and
worst-case execution times).
• Schedulability analysis addressing memory and energy issues as well.
• Schedulability analysis for the full core model on the basis of stopwatch
automata. This analysis approach is based on overapproximations, but
it has provided exact results in the experiments carried out so far and
it appears to be the most efficient U
PPAAL implementation.
The chapter is organized as follows. First, we motivate the modeling and
analysis of multi-core embedded systems. We then present an embedded
system model that consists of an application model, an execution platform
model, and a system model, which is a particular mapping of the appli-
cation onto the execution platform. For an embedded system, we give an
informal presentation of the model of computation. We then outline how the
model has been captured using timed automata. Finally, we present how the
M
OVES analysis framework can be used to verify properties of an embedded
system through a number of examples, including a smart phone example,
showing the ability to handle systems of realistic sizes.
Nicolescu/Model-Based Design for Embedded Systems 67842_C005 Finals Page 124 2009-10-13
124 Model-Based Design for Embedded Systems
5.2 Motivation
In this work, we aim at models and tools for analysis of properties that must
be considered when an application is mapped to an execution platform. Such

models are called system models [PHL
+
01] as they comprise a model for the
application executing on the platform, and the analysis of such systems is
called “cross-layer analysis” as it deals with problems where decisions con-
cerning one layer of abstraction (for instance, concerning the scheduling
principle used in a processing element) has an influence on the properties at
another level of abstraction (for instance, a task is missing a deadline). One
particular challenge of multi-core systems is that of “multiprocessing timing
anomaly” [Gra69], where the system is exhibiting a counterintuitive timing
behavior.
Example 5.1 To illustrate this challenge, consider the simple example in Figure 5.2,
where the application is specified by five cyclic tasks, τ
1
, , τ
5
, that are mapped
onto three processing elements, pe
1
, pe
2
, and pe
3
. The best- and worst-case execution
times for each task (bcet and wcet, respectively) are shown in Table 5.1.
There are causal dependencies between tasks. For example, τ
1
must finish before
τ
2

can start. We want to find the shortest period where all tasks meet their deadlines
and analyze two different runs corresponding to two possible execution times for τ
1
in Figures 5.3 and 5.4, one where the “best-case execution time”, bcet = 2, is chosen
for τ
1
and another where the “worst-case execution time”, wcet = 4, is chosen.
In both runs, τ
1
and τ
3
are executing on pe
1
and pe
3
, respectively, in the first
time step, where no task is executing on pe
2
because of the causal dependencies. The
later time steps have similar explanations. Observe that the shortest possible period
is π = 8, corresponding to the case where the best-case execution time, bcet
τ
1
= 2,is
chosen for τ
1
. Thus, an analysis based on the worst-case execution time, wcet
τ
1
= 4,

would, in this case, not lead to the worst-case scenario. This is an example of a
System model
τ
1
os
1
pe
1
os
2
pe
2
os
3
pe
3
τ
2
τ
4
τ
5
τ
3
FIGURE 5.2
System model of a simple multicore system.
Nicolescu/Model-Based Design for Embedded Systems 67842_C005 Finals Page 125 2009-10-13
Modeling and Analysis Framework for Embedded Systems 125
TABLE 5.1
Characterization of Tasks, for

Example, in Figure 5.2
Execution Time
Task (bcet, wcet) Processor
τ
1
(2,4) pe
1
τ
2
(2,2) pe
2
τ
3
(2,2) pe
3
τ
4
(2,2) pe
2
τ
5
(2,2) pe
3
pe
1
τ
1
pe
2
τ

2
τ
3
τ
4
τ
5
pe
3
FIGURE 5.3
Execution time for τ
1
is 2.
pe
1
τ
1
pe
2
τ
2
τ
3
τ
4
τ
5
pe
3
FIGURE 5.4

Execution time for τ
1
is 4.
“multiprocessing timing anomaly” [Gra69] exhibiting a counterintuitive timing
behavior. A locally faster execution, either by making the processor faster or by mak-
ing the algorithm more efficient, may lead to an increase in the execution time of the
whole system. The presence of such behavior makes multiprocessor timing analysis
particularly difficult [RWT
+
06].
It is easy to check that a period π = 6 can be achieved for this application, simply
by changing the priorities so that τ
4
gets a higher priority than τ
2
. But the problems
cannot get much larger than the one in Figure 5.2 before the consequences of design
decisions cannot be comprehended, and it is necessary to have tool support for the
“design space exploration” [HFK
+
07,PEP06].
5.3 Embedded Systems Model
In this section, we present a system-level model of an embedded system
inspired by ARTS [MVG04,MVM07]. Such a model can be described as a
layered structure consisting of three different parts. Figure 5.5 illustrates