Component-based Modeling of Real-Time Systems LASER 2005 Joseph - - PowerPoint PPT Presentation
Component-based Modeling of Real-Time Systems LASER 2005 Joseph Sifakis VERIMAG sifakis@imag.fr In collaboration with Gregor Goessler (INRIA) Ananda Basu, Marius Bozga, Susanne Graf (Verimag ) Laser 2005 - Summer School on Software
Laser 2005 - Summer School on Software Engineering 1
Component-based Modeling
LASER 2005
Joseph Sifakis VERIMAG
sifakis@imag.fr In collaboration with Gregor Goessler (INRIA) Ananda Basu, Marius Bozga, Susanne Graf (Verimag)
Laser 2005 - Summer School on Software Engineering 2
Modeling real-time systems - motivation Modeling plays a central role in systems engineering
(model-based approaches).
Modeling real-time systems
What is an architecture? What is a scheduler? How synchronous and asynchronous systems are related?
development methodologies (combination of techniques and tools, refinement) and architecture design principles.
Model Model-
based Development
Move from physical prototypes to virtual prototypes (models) with obvious advantages : minimize costs, flexibility, genericity, formal validation is a possibility
Validation Tools Modeling Environment
Modeling and validation environments for complex real-time systems
Synthesize embedded software from domain-specific models
Laser 2005 - Summer School on Software Engineering 3
Laser 2005 - Summer School on Software Engineering 4
Modeling real-time systems - objectives Provide a rigorous and general framework for modeling,
computation (behavior, interaction, control)
synchronous and asynchronous execution heterogeneous interaction (strong, weak, event-driven, state- driven) architecture styles e.g. client-server, blackboard architecture
such as deadlock-freedom, liveness, safety.
generation of glue code meeting given requirements
Laser 2005 - Summer School on Software Engineering 5
Overview
– The problem – Heterogeneity – Component-based construction
– Definition – Composition – Examples – Deadlock-freedom preservation
– Definition – Examples
Laser 2005 - Summer School on Software Engineering 6
Overview (2)
– The role of schedulers – Control invariants – Scheduler specifications – Composability results
– Definition – Composition of priorities – Correctness-by-construction results
– The IF toolset – The BIP framework
Laser 2005 - Summer School on Software Engineering 7
Modeling real-time systems - our approach Environment
Application SW RTOS
HW
stimuli response Real-time system Thesis : A Timed Model of a RT system can be obtained by “composing” its application SW with timing constraints induced by both its execution and its external environment
Laser 2005 - Summer School on Software Engineering 8
Modeling real-time systems - our approach Application SW Timed model DESCRIPTION Reactive machine
(untimed)
TIME
Reference to physical (external) time
TRIGGERING
Timeouts to control waiting times
ACTIONS
No assumption about Execution Times Platform-independence
TO(5)
?e
Assumptions about Execution Times Platform-dependence
?e [0,6] !e [0,4]
Reactive machine + External Environment + Execution Platform Quantitative (internal) time Consistency pbs - timelocks Timing constraints on interactions
Laser 2005 - Summer School on Software Engineering 9
Modeling real-time systems - our approach
Composition/Synthesis Application SW Platform Timed Model Environment Timed Model User Requirements System Timed Model Code Generation Implementation Analysis Diagnostics
Component-based modeling
Laser 2005 - Summer School on Software Engineering 10
Modeling real-time systems – Taxys (1) Environment
Esterel+C
DSP
Event handler
tin tout
Deadline constraint
tout - tin<D
Throughput constraint: no buffer overflow
Laser 2005 - Summer School on Software Engineering 11
Modeling real-time systems – Taxys (2)
Machine Description C Code
ESTEREL + C Data
Target Machine executable code SAXO-RT SAXO IF/KRONOS
Timing Diagnostics
Environment Timed Model Event Handler Timed Model
Timed (instrumented) C Code
C2TimedC
Laser 2005 - Summer School on Software Engineering 12
Modeling real-time systems – Taxys(3)
Application = ESTEREL + Pragmas Instrumented C Code SAXO-RT Event Handler IF/KRONOS Timing Diagnostics
Exec.Times
QoS requ.
Environment = ESTEREL + Pragmas Instrumented C Code SAXO-RT
KRONOS Algorithms and Data Structures
Target Machine Executable Code SAXO
Laser 2005 - Summer School on Software Engineering 13
Overview
– The problem – Heterogeneity – Component-based construction
– Definition – Composition – Examples – Deadlock-freedom preservation
– Definition – Examples
Laser 2005 - Summer School on Software Engineering 14
Heterogeneity – Abstraction Levels integration abstraction
Model Model
(requirements) (requirements)
Application Application Software Software Execution Platform System System
Laser 2005 - Summer School on Software Engineering 15
Heterogeneity - from application SW to implementation
Application SW
CORBA DSP µcontroller RTOS OSEK TTA CAN
Lustre ADA SDL RT- Java Esterel UML
C C++
Matlab/Simulink
Implementation
Laser 2005 - Summer School on Software Engineering 16
Heterogeneity - from application SW to implementation
Application SW
Functional properties - logical abstract time High level structuring constructs and primitives Simplifying synchrony assumptions wrt environment
Implementation
Non functional properties, involving time and quantities Task coordination, scheduling, resource management, Execution times, interaction delays, latency abstraction refinement
Laser 2005 - Summer School on Software Engineering 17
Heterogeneity - synchronous vs. asynchronous execution Application SW
Implementation
Component- based approaches
execution steps
single processor
something » Synchronous Lustre, Esterel Statecharts
Priorities
Asynchronous ADA, SDL
Laser 2005 - Summer School on Software Engineering 18
Heterogeneity - interaction Interactions can be
Task1 Task2 Sem p1 v1 p2 v2 p v stage1
in1 stage2 in2
Laser 2005 - Summer School on Software Engineering 19
Heterogeneity - example A: Atomic interaction B: Blocking interaction Synchronous Computation Asynchronous Computation A B nonA B A nonB nonA nonB Lotos CSP Java UML SDL UML Matlab/Simulink VHDL/SystemC Statecharts
Laser 2005 - Summer School on Software Engineering 20
Overview
– The problem – Heterogeneity – Component-based construction
– Definition – Composition – Examples – Deadlock-freedom preservation
– Definition – Examples
21
Component Component-
based construction -
components Build systems by composition of components Components are building blocks composed of behavior and interface Behavior is a transition system Interface hides irrelevant internal behavior and provides some adequate abstraction for composition and re-use, e.g. set of action names (ports) and associated variables
prod put put x=1 y:=0 in x
y x=1 y:=1
22
Component Component-
based construction – – formal framework formal framework Pb:Build a component C satisfying a given property P, from
c1 c’1
gl1
c2 c’2
gl12
sat P
gl2
generated from C0 by using operators from GL
23
Component Component-
based construction – – formal framework formal framework Glue operators transform sets of components into components
B1
gl
B2 Bn
Operational Semantics
B
Glue operators
such as protocols, controllers, buses
gl(C1 ,C2 ,.., Cn)| A1 refines C1
24
Component Component-
based construction -
requirements Examples of existing frameworks:
property P e.g. token ring, clock synchronization … Pb: Find a set of glue operators meeting the following requirements:
25
Component Component-
based construction – – incremental description incremental description
≅
gl C1 C2 Cn gl_2 C1 C2 gl_1
Cn
≅
c1 c’1
gl1
c2 c’2
gl2
c1 c’1 c2 c’2
gl
Flattening can be achieved by introducing an idempotent
gl(gl’(C1 ,C2 ,.., Cn)) ≅ gl⊕gl’(C1 ,C2 ,.., Cn )
26
Component Component-
based construction construction -
Correctness by construction : by construction : compositionality compositionality
gl
Build correct systems from correct components
ci
sat gl(P1, ..,Pn)
gl
c1 cn sat Pi implies ∀gl ∃gl
~ ~
We need compositionality results about preservation of progress properties such as deadlock-freedom and liveness.
Component Component-
based construction construction -
Correctness by construction : by construction : composability composability Make the new without breaking the old
gl
gl
and implies sat P
gl
c1 cn sat P’
gl’
c1 cn sat P∧P’
gl ⊕ gl’
c1 cn Property stability phenomena are poorly understood
27
28
Component Component-
based construction -
compositionality vs. composability
Integration/compositionality Layering/composability
Laser 2005 - Summer School on Software Engineering 29
Overview
– The problem – Heterogeneity – Component-based construction
– Definition – Composition – Examples – Deadlock-freedom preservation
– Definition – Examples
Laser 2005 - Summer School on Software Engineering 30
Component-based modeling – The BIP framework
Layered component model Interaction Model: Connectors + Interactions Scheduler: dynamic priority rules
B E H A V I O R
Composition (incremental description)
PR2 IM2 PR1 IM1 IM1 IM1 ⊗ IM2 ⊗ IM12 PR1 ⊕ PR2 ⊕ PR12
Laser 2005 - Summer School on Software Engineering 31
Interaction models Interaction models Connectors are maximal sets of compatible actions
tick1 tick2 tick3
in2 in3
Interactions are subsets of connectors; they are defined by using typing (complete , incomplete ) : either they are maximal or they contain some complete interaction Interactions: {tick1,tick2,tick3}, {out1}, {out1,in2}, {out1,in3}, {out1,in2, in3}
Laser 2005 - Summer School on Software Engineering 32
I Interaction nteraction models models -
examples
cl1,cl2 cl2 cl1
in
in1 in1,in2 in2
in1,out,in2 cl1 cl2
in
in1 in2 CN:{cl1,cl2} MI: ∅ CN:{out,in} MI: {out} CN:{in1,out,in} MI: {out}
Laser 2005 - Summer School on Software Engineering 33
Interaction models - definition Given a set of atomic components K with disjoint action vocabularies Ai for i∈K,
|γ ∩Ai|≤1
− Γ is a set of non comparable connectors − ∆ is a set of minimal complete interactions with ∀δ∈∆ ∃γ ∈Γ. δ⊆γ. The interactions of im = Γ ∪{α |∃δ∈∆.δ⊆ α⊆γ}
γ1 γ2 δ1 δ2 δ3 δ4
34
Interaction models Interaction models – – operational semantics
prod put CN: {put,get},{prod},{cons} MI: {prod},{cons} get cons Operational Semantics {put, get} put prod get put get cons prod cons
× × × ×
35
Interaction models Interaction models -
composition
⎢⎢
CN[P,C]: {put,get} MI[P,C]: ∅
prod put
CN[P]: {put},{prod} MI[P]: {prod}
get cons
CN[C]: {get}, {cons} MI[C]: {cons}
prod put get cons CN: {put,get},{prod},{cons} MI: {prod},{cons}
36
Interaction models Interaction models -
composition
a9 a1 a2
K1
a11 a5 a6 a7
⎢⎢
IM[K1,K2]: CN[K1,K2] : {a1, a2, a3 ,a4}, {a11, a12} MI[K1,K2] : {a1,a2,a3,a4}, {a11} IM[K1]: CN[K1] : {a1, a2}, {a5, a9},{a6, a9} MI[K1] : a5, a6, a11
K1
a1 a2 a9 a5 a6 a11
IM[K2]: CN[K2] : {a3, a4}, {a7, a10}, {a8, a10} MI[K2] : a10
K2
a3 a4 a10 a7 a8 a12 a8 a12 a3 a10
K2
a4
37
Interaction models Interaction models – – composition (2) composition (2)
⎢⎢
IM[K1,K2]: CN[K1,K2] : {a1, a2, a3 ,a4}, {a11, a12} MI[K1,K2] : {a1,a2,a3,a4}, {a11} IM[K1]: CN[K1] : {a1, a2}, {a5, a9},{a6, a9} MI[K1] : a5, a6, a11
K1
a1 a2 a9 a5 a6 a11
IM[K2]: CN[K2] : {a3, a4}, {a7, a10}, {a8, a10} MI[K2] : a10
K2
a3 a4 a10 a7 a8 a12
K1∪ K2
a1 a2 a9 a3 a4 a10 a5 a6 a11 a7 a8 a12
IM[K1 ∪ K2] = IM[K1] ⊗ IM[K2] ⊗ IM[K1,K2] CN[K1 ∪ K2] = max CN[K1] ∪ CN[K2] ∪ CN[K1,K2] MI[K1 ∪ K2] = min MI[K1] ∪ MI[K2] ∪ MI[K1,K2] }
38
Interaction models Interaction models – – results results [ [Goessler Goessler Sifakis] Sifakis] Incremental commutative composition encompassing blocking and non blocking interaction
in1 in2 sender receiver1 receiver2
sender receiver1 sender receiver1 receiver2
=
receiver2
39
Interaction models Interaction models -
mod8 counter
a0 a1
a0 a1
b0 b1
b0 b1
c0 c1
c0 c1
a0 a1 b0 b1 c0 c1 a1,b0 a1,b1 b1,c0 b1,c1 a1,c0 a1,c1 a1,b1,c0 a1,b1,c1
40
Interaction models Interaction models-
mod8 counter(2)
a0 a1
a0 a1
b0 b1
b0 b1
c0 c1
c0 c1 {a1,b1,c1} a0 a0 {a1,b0} {a1,b1,c0} a0 a0 {a1,b0}
a1 b1
{a1,b1}
b1 a1 b0
a0 a0
b0
{a1,b0}
Laser 2005 - Summer School on Software Engineering 41
Interaction models - commitment protocol
CN : {vote} ∪{vote_i}i∈I, {commit}∪{commit_i}i∈I, {yes}∪{yes_i }i∈I MI: abort, no, no_i for i∈I
vote yes no commit abort vote_1 yes_1 no_1 commit_1
ARBITER PROCESS_1
vote yes commit vote_1 yes_1 commit_1
Laser 2005 - Summer School on Software Engineering 42
Interaction models - commitment protocol (2)
CN : {vote} ∪{vote_i}i∈I, {commit}∪{commit_i}i∈I, {yes,yes_i }i∈I for i∈I MI: abort, no, no_i, abort_i for i∈I
vote yes commit vote_1 yes_1 commit_1 vote yes commit abort
ARBITER
no vote_1 yes_1 no_1 commit_1 abort_1
PROCESS_1
43
Interaction models Interaction models -
checking for deadlock-
freedom For a given system (set of components + interaction model), its dependency graph is a bipartite labeled graph with Nodes N = Set of components ∪ Set of minimal interactions Edges E
a
a1 a2 a3
{a,a1,a2,a3}
k k2 k1 k3
Blocking condition for an incomplete action a: Bl(a) = en(a) ∧ ¬ (en(a1) ∧ en(a2) ∧ en(a3) )
44
Interaction models Interaction models -
checking for deadlock-
freedom (2) Theorem 1 : A system is deadlock-free if its atomic components have no deadlocks and its dependency graph has a backward closed subgraph such that for all its circuits ω Bl (ω) = ∧a∈ω Inc(ω)∧Bl(a) = false where Inc(ω)= ∧k∈ωInc(k) with Inc(k) the set of the states of k from which only incomplete actions can be executed
a1 a2 a3 a4
k1 k3 k4 k2
Bl(a1) Bl(a2) Bl(a4) Inc(k4) Inc(k1) Inc(k3) Inc(k2) Bl(a3)
Laser 2005 - Summer School on Software Engineering 45
Interaction models - checking for deadlock-freedom: example
put get1 get2 CN: {put,get1,get2} MI: {put,get1}, {put,get2} producer consumer1 consumer2
Laser 2005 - Summer School on Software Engineering 46
Interaction models - checking for deadlock-freedom: example
n1: {put,get1} producer consumer1 consumer2 n2 : {put, get2} put put put put get1 get1 get2 get2 get2 get1
ω1=(producer, n1, consumer2, n2) Bl(ω1) =false ω2=(producer, n2, consumer1, n1) Bl(ω2) =false ω3=(consumer1, n1,consumer2, n2,) Bl(ω3)=Inc(ω3 )∧en(get1) ∧ ¬ (en(get2) ∧ en(put)) ∧en(get2) ∧ ¬ (en(get1) ∧ en(put)) =Inc(ω3 )∧en(get1) ∧ en(get2) ∧ ¬ en(put) Deadlock-freedom if Inc(producer) ∧¬ en(put) =false
Laser 2005 - Summer School on Software Engineering 47
Interaction models - checking for individual deadlock-freedom Definition: A component of a system is individually deadlock-free if it can always perform some action Theorem2 : Sufficient condition for individual deadlock-freedom
graph satisfying conditions of Theorem 1;
controllable with respect to their outputs i.e. it is always possible by executing complete interactions, to reach states enabling all the output actions of the component;
Laser 2005 - Summer School on Software Engineering 48
Interaction models - discussion
Layered description => separation of concerns => associativity
combine behavior composition operators and restriction/hiding
((P1||P2)\a ||P3)\a’ \a ⊕\a’ P1||P2||P3
Laser 2005 - Summer School on Software Engineering 49
Overview
– The problem – Heterogeneity – Component-based construction
– Definition – Composition – Examples – Deadlock-freedom preservation
– Definition – Examples
Laser 2005 - Summer School on Software Engineering 50
Timed systems – from untimed to timed systems
Methodology :
may lead to inconsistency
consequences of the constraints
properties such as well- timedness, and deadlock- freedom
TIMED
P2 P1
⎜⎜T
P2T P1T UNTIMED
Timing Constraints ⊕
Laser 2005 - Summer School on Software Engineering 51
Timed systems – untimed systems : definition Untimed system: A set of transitions where
Each transition is labeled with a guard and a transfer function s s’ a, g, f Operational semantics: A set of transitions a (s,x) (s’,f(x)) where x is a valuation of X such that g(x)=true
Timed Systems - definition where
φs(x,t) is the valuation of state variables when time
progresses by t from state (s,x). s s’ a, g, u, f Timed system: A set of transitions
φs’ φs
Informal semantics:
urgency conditions of the transitions issued from s are false
Laser 2005 - Summer School on Software Engineering 52
Laser 2005 - Summer School on Software Engineering 53
Timed Systems - a periodic process A periodic process of period T>0 and execution time E, (E ≤ T). sleep wait t=T t=T t:=0 t≤T-E t=T-E x:=0 exec (x=E) (x=E) t’=x’=1 at all states
Laser 2005 - Summer School on Software Engineering 54
Timed Systems - definition b1 b2 bi s s2 si
φs
bi=(ai,gi,ui,fi) s1 A state is a pair (s,x) where x is a valuation of X Discrete Transitions (s,x) - ai→ (si,fi(x)/x) if gi(x)=true Time steps (s,x) - t→ (s, φs(x,t)) if ∀t’<t tps(φs(x,t’)) where tps = ¬(∨iui) Time can progress as long as no urgency condition is true
Laser 2005 - Summer School on Software Engineering 55
Timed Systems - relating urgency and time progress
3≤ x≤5 4<y ≤ 7 x=5 4<y ≤ 7
a b
tp=x≠5∧(y ≤ 4∨y>7)
a b
3≤ x≤5 4<y ≤ 7
Laser 2005 - Summer School on Software Engineering 56
Timed Systems – urgency types s s’ b b=(a,g,u,f) g : a may be executed u : a must be executed
u ⇒ g
Invariant: If a cannot be executed then time can progress at s g u=g u=false u=g↓ lazy (λ) delayable (δ) eager (ε)
Laser 2005 - Summer School on Software Engineering 57
Timed Systems: Urgency types Replace urgency conditions by urgency types preserved by restriction of guards
gλ : lazy guard (u=false) gε : eager guard (u=g) gδ : delayable guard (u=g↓)
Any TS can be transformed into an equivalent one with urgency types
s s’ a
(g,u) s a a (u,u) (g ∧¬ u, false) s’ s a a (g ∧¬ u)λ s’ uε
Laser 2005 - Summer School on Software Engineering 58
Timed Systems - a periodic process A periodic process of period T>0 and execution time E, (E ≤ T). sleep (t≤T-E)δ (t=T)ε t:=0 x:=0 wait exec (x=E) ε t’=x’=1 at all states
Laser 2005 - Summer School on Software Engineering 59
Timed systems – guard restriction
g’ u’ TS’ s1 s2 g u TS s1 s2 restriction g’⇒g u ⇒u’ TS’ simulates TS
Laser 2005 - Summer School on Software Engineering 60
Timed systems – guard restriction
+urgent +liberal maximal urgency u = g
u g (g,u) (g’,u’) g’ u’ (u,u) (g,g) (g”,u”)
Laser 2005 - Summer School on Software Engineering 61
Timed Systems as transition systems Q: set of states → ⊆ Q × A × Q q -a → q’
untimed transition
→ ⊆ Q × R+× Q q -t→ q’
time step Property (time additivity)
q1 -t1→q2 and q2 –t2→ q3 implies q1 –t1+t2→ q3
A run is a maximal sequence of transitions from states
q0 q1 … qi …
such that qi - ti→ qi+1 or qi -ai → qi+1 time[q0, qi]=Σk≤i tk
q0 q1 … qi … is time divergent if ∀k∈N ∃i time[q0, qi] > k
Important : Well-timed systems (only time divergent runs !)
Laser 2005 - Summer School on Software Engineering 62
Timed systems as transition systems - discrete vs. continuous a TIMEOUT[2]b : execute a within 2 otherwise execute b b 2 1 1 a a time unit 1 a a 2 a a
0.5 0.5 0.5 0.5
b time unit 0.5 a a a a 2 t t-2 a a dense time b t 2-t
Laser 2005 - Summer School on Software Engineering 63
Timed systems as transition systems - discrete vs. continuous a (bc TIMEOUT[1] AL2) TIMEOUT[1] AL1 for time unit 1 a b c 1 1 AL1 possible abc within 0 AL2
Laser 2005 - Summer School on Software Engineering 64
Timed systems as transition systems - discrete vs. continuous a (bc TIMEOUT[1] AL2) TIMEOUT[1] AL1 for time unit 0.25
0.25
AL1 a a a a AL2 b c b c b c b c possible abc within 1.75 AL2
Laser 2005 - Summer School on Software Engineering 65
Timed systems as Transition Systems - discrete vs. continuous a (bc TIMEOUT[1] AL2) TIMEOUT[1] AL1 for dense time AL1 a a a a AL2 b c b c b c b c AL2 a possible abc within <2
Laser 2005 - Summer School on Software Engineering 66
Overview
– The problem – Heterogeneity – Component-based construction
– Definition – Composition – Examples – Deadlock-freedom preservation
– Definition – Examples
Laser 2005 - Summer School on Software Engineering 67
Timed systems – from untimed to timed systems
Methodology :
may lead to inconsistency
consequences of the constraints
properties such as well- timedness, and deadlock- freedom
TIMED
P2 P1
⎜⎜T
P2T P1T UNTIMED
Timing Constraints ⊕
Laser 2005 - Summer School on Software Engineering 68
Scheduler modeling - example
A periodic process of period T and completion time C
sleep wait use f b a p r x<E t≤T-E x<E stop t=T t:=0 x:=0 x=E Actions a: arrive b: begin f: finish p: preempt r: resume (u) (c) (u) (c) (c) t’=x’=1 at all states except stop (x’=0)
Laser 2005 - Summer School on Software Engineering 69
Overview (2)
– The role of schedulers – Control invariants – Scheduler specifications – Composability results
– Definition – Composition of priorities – Correctness-by-construction results
– The IF toolset – The BIP framework
Laser 2005 - Summer School on Software Engineering 70
Scheduler modeling - the role of schedulers A scheduler is a controller restricting access to resources by triggering controllable interactions so as to respect timing constraints (state predicates) K0 =KSCH ∧KPOL
QoS requirem
Scheduler for KSCH ∧KPOL Interactions
Processes
state controllable interaction
Timed Model
Laser 2005 - Summer School on Software Engineering 71
Scheduler modeling - control invariants
A control invariant K ⇒ K0
K0
u u
t
c u
ILLEGAL STATES
controllable actions
Laser 2005 - Summer School on Software Engineering 72
Scheduler modeling - restriction by a constraint The restriction of TS by a constraint K is a timed system TS/K
restriction
ac g
TS s1 s2
ac g∧K ∧pre12(K)
TS/K s1 s2
In TS/K, K holds right before and right after the execution
If K is a control invariant of TS then TS/K, is the scheduled (controlled) system
Laser 2005 - Summer School on Software Engineering 73
Scheduler modeling – controller synthesis There exists a scheduler maintaining K0 if there exists a non empty control invariant K, K ⇒ K0 For given K0, the maximal control invariant K, K ⇒ K0 can be computed as the result of a synthesis semi- algorithm SYNTH(TS,K0) = limI{Ki } where Ki+1 = Ki+1 ∧ contr-pre (Ki ) from K0
Ki c contr-pre(Ki ) u t
All states from which TS can be led to Ki no matter how the environment behaves
Laser 2005 - Summer School on Software Engineering 74
Scheduler modeling - invariants vs. control invariants Def: K is an invariant of TS if it is preserved by the transition relation (TS sat inv(K))
TS/K sat inv(K
K’
K
Laser 2005 - Summer School on Software Engineering 75
Scheduler modeling – composability of control invariants
control invariants ? Def: A control invariant K1 of TS is composable if for all constraints K2, K1 is a control invariant of TS/K2
TS/(K1∧K2) sat inv (K1 ∧ K2)
Laser 2005 - Summer School on Software Engineering 76
Scheduler modeling – composability of control invariants
s2 s1 (t2=5) t2:=0 t1=15 t1:=0 w2 w1 b2
∧¬ e2 ¬ e1∧
(t1≤10) x1:=0 (t2≤3) x2:=0 b1 x1=5 x2=2 e2 e1
TS1∪TS2/K_mutex
K_mutex = ¬ (e1∧ e2) is a composable control invariant of TS1∪TS2
Laser 2005 - Summer School on Software Engineering 77
Scheduler modeling – composability of control invariants
s2 s1 (t2=5) t2:=0 t1=15 t1:=0 w2 w1 b2
∧¬ e2 ¬ e1∧
(t1≤10) x1:=0 (t2≤3) x2:=0 b1 x1=5 x2=2 e2 e1
TS1∪TS2/K_mutex
K_df = K_df1∧ K_df2 is a control invariant of TS1∪TS2 K_df is not a control invariant of TS1∪TS2/K_mutex
Laser 2005 - Summer School on Software Engineering 78
Scheduler modeling – the scheduling constraint KSCH The scheduling constraint KSCH relates timing constraints of 3 different kinds
times
triggering events e.g. periodic tasks
relating events of the real-time system and events of its environment e.g. deadlines, jitter
Laser 2005 - Summer School on Software Engineering 79
Scheduler modeling – the scheduling constraint KSCH
Each shared resource induces a partition {Sleep, Wait, Use}. begin
Sleep Use Wait
finish
x:=0 Emin ≤ x ≤Emax
arrive
t:=0 Tmin ≤ t ≤Tmax Execution time (x) t ≤ D t ≤ D - Emax t ≤ D Deadline D Arrival time (t)
Laser 2005 - Summer School on Software Engineering 80
Scheduler modeling – the scheduling constraint KSCH
s
KSCH =∧i KiSCH
where KiSCH expresses the property that no timing constraint is violated in process i. a t=T t:=0 w b t ≤ T- E For timelock-free process models with bounded guards, schedulability boils down to deadlock- freedom of processes x:=0 x=E f u
KSCH = s∧(t ≤ T) ∨ w∧ (t≤T-E) ∨ u∧(x ≤ E)
Laser 2005 - Summer School on Software Engineering 81
Scheduler modeling – the scheduling policy KPOL
KPOL is the conjunction of scheduling policies for the set R of
shared resources
KPOL =∧r ∈R Kr
POL where
Kr
POL = Kr CONF ∧ Kr ADM
CONF says how conflicts for the acquisition of resource r
are resolved e.g. EDF, RMS, LLF
ADM says which requests for r are considered by the
scheduler at a state e.g. masking
Laser 2005 - Summer School on Software Engineering 82
Scheduler modeling – the scheduling policy KPOL
KPOL : scheduling policy ri KiADM KADM : admission control KCONF: Conflict resolution r1 K1ADM rn KnADM r1 K1CONF ri KiCONF rn KnCONF
Laser 2005 - Summer School on Software Engineering 83
Scheduler modeling – the scheduling policy KPOL : example
KPOL for the Priority Ceiling Protocol Admission control: “Process P is eligible for resource r if the current priority of P is higher than the ceiling priority of any resource allocated to a process other than P” Conflict resolution: “The CPU is allocated to the process with the highest current priority”
Laser 2005 - Summer School on Software Engineering 84
Scheduler modeling – composability results
SYNTH(TS, K_pol ) = TS/ K_pol
SYNTH(TS, K_sched ∧ K_pol ) = SYNTH (TS/K_pol, K_sched )
1. Choose a scheduling policy K_pol such that the conflicts on controllable actions of TS/K_pol are resolved 2. Check TS/K_pol sat inv(K_sched)
Laser 2005 - Summer School on Software Engineering 85
Composability results - application
A scheduler design methodology supported by the Prometheus tool connected to Kronos
K_pol2 K_pol1 trace 1 trace2 K_sced
K:= K_sched; while ¬ (TS/K sat inv(K) ) do choose K_pol; K:= K_sched ∧ K_pol
Laser 2005 - Summer School on Software Engineering 86
Overview (2)
– The role of schedulers – Control invariants – Scheduler specifications – Composability results
– Definition – Composition of priorities – Correctness-by-construction results
– The IF toolset – The BIP framework
Laser 2005 - Summer School on Software Engineering 87
Timed Systems with priorities - scheduling and priorities
If K is a constraint characterizing a set of deadlock- free states of TS then there exists a set of priority rules pr such that pr(TS) preserves K For any control invariant K of TS there exists a set of dynamic priority rules pr such that the scheduled system TS/K = pr(TS) Any feasible scheduling policy KPOL induces a restriction that can be described by priorities
Laser 2005 - Summer School on Software Engineering 88
Timed Systems with priorities
s
exec2 a1 g1
〈
exec1 g2 a2
Priority Strengthened guard a1 〈0 a2 g1’ = g1 ∧ ¬g2 a1 〈5 a2 g1’ = g1 ∧ ¬〈5〉g2 a1 〈∝ a2 g1’ = g1 ∧ ¬〈∞〉g2
Notation: 〈k〉g(X) = ∃ t t≤ ≤k g(X+t) (= eventually g within time k) k g(X+t) (= eventually g within time k)
Laser 2005 - Summer School on Software Engineering 89
Timed Systems with priorities a1 〈k a2 means that a1 is disabled when a2 will be enabled within time k
Def: A priority order is a set of partial orders 〈 = {〈k ⎜ partial order on A }k∈R+ s.t.
a1 〈k a2 ∧ a2〈m a3 ⇒ a1 〈k+m a3 (transitivity)
〈
g1 gn s1 sn a1 an
s
gi’=gi ∧ (∧ ¬<k>gm)
ai〈kam 〈k ∈〈 g1’ gn’ s1 sn a1 an
s
Laser 2005 - Summer School on Software Engineering 90
Timed Systems with priorities A timed system with priorities is a pair (TS, pr) where pr is a set
pr = { Ci → 〈i }i
TS
ak gi ak gi’
TS’
gi’ = gi ∧ ∧ C → 〈 ∈pr (C ⇒ ∧ (∧ ¬<k>gm))
ai〈kam 〈k ∈〈
Activity Preservation Theorem: ◊∨i gi = ◊∨i gi’
Laser 2005 - Summer School on Software Engineering 91
Timed Systems with priorities - fixed priority policy w1∧w2 → b1 〈k b2 for some k
x1=E1 f1 b1 t1≤T1-E1 x1:=0 a1 t1=T1 t1:=0 b2 t2≤T2-E2 x2:=0 a2 t2=T2 t2:=0
s1 w1 e1 s2 w2 e2
x2=E2 f2
Laser 2005 - Summer School on Software Engineering 92
Timed Systems with priorities - FIFO policy t1≤ t2 → b1〈 0 b2 t2≤ t1 → b2〈 0 b1
x1=E1 f1 b1 t1≤T1-E1 x1:=0 a1 t1=T1 t1:=0 b2 t2≤T2-E2 x2:=0 a2 t2=T2 t2:=0
s1 w1 e1 s2 w2 e2
x2=E2 f2
Laser 2005 - Summer School on Software Engineering 93
Timed Systems with priorities - LLF policy L1≤ L2 → b2 〈0 b1 L2≤ L1→ b1〈0b2 where Li=Ti-Ei-ti,
x1=E1 f1 b1 t1≤T1-E1 x1:=0 a1 t1=T1 t1:=0 b2 t2≤T2-E2 x2:=0 a2 t2=T2 t2:=0
s1 w1 e1 s2 w2 e2
x2=E2 f2
94
Priority Systems Priority Systems -
Composition of priorities
pr1 pr2
pr2 pr1 a c b a 〈1 b c b b〈2 c c b〈2 c a 〈1 b a c a c
95
Priority Systems Priority Systems -
Composition of priorities
pr1 pr2 pr1⊕ pr2
We take:
pr1⊕ pr2 is the least priority containing pr1∪pr2 Results :
96
Timed Systems with priorities – mutual exclusion w1∧e2 → b1 〈∞ f2 w2∧e1 → b2 〈∞ f1
x1=E1 f1 b1 t1≤T1-E1 x1:=0 a1 t1=T1 t1:=0 b2 t2≤T2-E2 x2:=0 a2 t2=T2 t2:=0
s1 w1 e1 s2 w2 e2
x2=E2 f2 Idea: Give infinitely higher priority to the process using the resource
97
Timed Systems with priorities – mutual exclusion
x1=E1 f1 b1 t1≤T1-E1∧(¬e2∨x2 ≤ E2) x1:=0 a1 t1=T1 t1:=0 b2 (¬e1∨x1≤ E1 ) ∧ t2≤T2-E2 x2:=0 a2 t2=T2 t2:=0
s1 w1 e1 s2 w2 e2
x2=E2 f2 The behavior after application of mutual exclusion constraints
Laser 2005 - Summer School on Software Engineering 98
Timed Systems with priorities – mutual exclusion Mutex on R’ : b1 〈∞ f2 b2 〈∞{ f1, b1’} Mutex on R : b1’ 〈∞ { f2, b2 } b2’ 〈∞f1 s1 b1 w2 a1 f1 a2 f2 b2’ w1 b1’ b2 R RR’ RR’ R’ Risk of deadlock: The composition is not a priority order ! s2
99
Timed Systems with priorities – mutual exclusion + FIFO policy w1∧e2 → b1 〈∞ f2 w2∧e1 → b2 〈∞ f1
x1=C1 f1 b1 t1≤T1-C1 x1:=0 a1 t1=T1 t1:=0 b2 t2≤T2-C2 x2:=0 a2 t2=T2 t2:=0
s1 w1 e1 s2 w2 e2
x2=C2 f2
t1≤ t2 → b1〈 0 b2 t2≤ t1 → b2〈 0 b1
Laser 2005 - Summer School on Software Engineering 100
The BIP framework -fixed priority preemptive scheduling (1)
bi〈bj, ri 〈 rj , ri 〈 bj , bi 〈 rj (access to the resource – priority preserved by composition) {bi,pj } 〈 fj , {ri,pj } 〈 fj , n ≥ I >j ≥1 (non pre-emption by lower pty tasks) CN: {bi,pj } {ri,pj } for n ≥i,j ≥ 1 MI: ai, fi, bi for n ≥i ≥ 1
s1 e1 b1 w1 a1 e1’ r1 p1 f1 sj ej bj wj aj ej’ rj pj fj si ei bi wi ai ei’ ri pi fi sn en bn wn an fn ei’ pi en’ rn pn
Laser 2005 - Summer School on Software Engineering 101
The BIP framework -fixed priority preemptive scheduling (state graph)
Laser 2005 - Summer School on Software Engineering 102
The BIP framework - fixed priority preemptive scheduling (2)
bi〈bj, ri 〈 rj , ri 〈 bj , bi 〈 rj (access to the ressource – pty inherited by composition) pi 〈 fj , if wi or e’i n ≥ I >j ≥1 (non pre-emption by lower pty tasks)
{bi ,ri }〈 {fj pj }
n ≥ I,j ≥1 (Mutual exclusion)
s1 e1 b1 w1 a1 e1’ r1 p1 f1 sj ej bj wj aj ej’ rj pj fj si ei bi wi ai ei’ ri pi fi sn en bn wn an fn ei’ pi en’ rn pn
Laser 2005 - Summer School on Software Engineering 103
The BIP framework - traffic light for tramway crossing
red signal signal green
in enter r2g g2r exit appr exit signal
in green {enter,r2g} appr red r2g g2r
exit g2r {exit,g2r} appr green r2g enter
exit r2g enter signal g2r
signal
Laser 2005 - Summer School on Software Engineering 104
The BIP framework – run to completion
i1 o1
f1 e1
i1
i2 o2
f2 e2
i2
i3 o3
f3 e3
i3
i1 〈 {o1,i2} 〈 {o2,i3} 〈 o3 CN: {o1,i2}, {o2,i3} MI: i1,o3
i1 o1 i2 o2 i3 o3
Laser 2005 - Summer School on Software Engineering 105
Overview (2)
– The role of schedulers – Control invariants – Scheduler specifications – Composability results
– Definition – Composition of priorities – Correctness-by-construction results
– The IF toolset – The BIP framework
Laser 2005 - Summer School on Software Engineering 106
Timed Systems with priorities – liveness Run: a maximal sequence of successive transitions in a TS q0- t0→q0’- a1→q1- t1 →q1’- a2→ … … qi- ti→qi’ -ai→qi+1- t1+1 → ….. Timelock: a run where the total time elapsed is bounded Livelock : a run where only a finite number of transitions
LIVE = Timelock-free + Livelock-free
Laser 2005 - Summer School on Software Engineering 107
Timed Systems with priorities – structural liveness
Enforce liveness satisfaction by appropriate structural restrictions preserved by composition operators 3 structural properties easy to check
structurally non-Zeno locally timelock-free locally livelock-free structurally live timelock-free livelock-free
Laser 2005 - Summer School on Software Engineering 108
Timed Systems with priorities – structural liveness
Structurally non-Zeno: any circuit of the control graph has some clock reset and tested against some positive lower bound Locally Timelock-free: if time cannot progress then some action is executed (satisfied by construction) Locally Livelock-free: if time can progress then some action will be executed
ui
s in(s) ⇒ ◊ ∨iui
LTLF+SnZ ⇒ TLF LTLF+LLLF ⇒LLF Structurally live = LTLF+SnZ +LLLF
Laser 2005 - Summer School on Software Engineering 109
Timed Systems with priorities – structural liveness
sleep wait (t≤T-E)δ (t=T)ε t:=0 x:=0 exec (x=E) ε A periodic process of period T>0 and execution time E, (E ≤ T).
This process is structurally live:
in(wait)=(t=0) ⇒ ◊(t=T-E) = t≤T-E in(exec)=(x=0) ⇒ ◊(x=E) = x≤E in(sleep)=(x=E) ⇒ ◊(t=T) = t≤T ???
Laser 2005 - Summer School on Software Engineering 110
Timed Systems with priorities – structural liveness
sleep wait (t≤T-E)δ (t=T)ε t:=0 x:=0 exec (x=E) ( ∧(t ≤ T)) ε A periodic process of period T>0 and execution time E, (E ≤ T). This process is structurally live:
in(wait)=(t=0) ⇒ ◊(t=T-E) = t≤T-E in(exec)=(x=0) ⇒ ◊(x=E) in(sleep)=(x=E) ⇒ ◊(t=T) = t≤T ∧(t ≤ T- E) ∧(t ≤ T) ∧(t ≤ T)
Laser 2005 - Summer School on Software Engineering 111
Timed Systems with priorities – structural liveness
Theorem: Priorities preserve the 3 structural properties, thus they preserve structural liveness. If TS is structurally live then (TS, pr) is structurally live too
Laser 2005 - Summer School on Software Engineering 112
Flexible Composition
s1 s1’ α1 s2 s2’ α2 (s1,s2) (s1’,s2’) α2 α1 (s1’,s2) (s1,s2’) α1∪α2 pr1 pr2 pr1⊕ pr2 ⊕ pr_12
wrt all the interactions containing it e.g. α1 〈α1∪α2 α2 〈 α1∪α2
Laser 2005 - Summer School on Software Engineering 113
Flexible Composition - timed systems
s1 s1’ b1 s2 s2’ b2 (s1,s2) (s1’,s2’) b2 b1 (s1’,s2) (s1,s2’) {b1,b2} pr1 pr2 pr1⊕ pr2 ⊕ pr_12
g1τ1 ∧ g2τ2 = (g1 ∧ g2)τ with τ=max{τ1,τ2 }
Theorem: Flexible composition preserves
Laser 2005 - Summer School on Software Engineering 114
Flexible Composition - timed systems : best effort synchronization
f1 x1=E1 go1 g1 x1:=0 a1 t1=T1 t1:=0 go2 g2 x2:=0 a2 t2=T2 t2:=0
sleep1 wait1 exec1 sleep2 wait2 exec2
f2 x2=E2 g1∧g2 {go1,go2}
For g1 = (t1≤T1-E1), g2 = (t2≤T2-E2) we have:
Laser 2005 - Summer School on Software Engineering 115
Timed Systems with priorities – discussion STRICT (NON FLEXIBLE) COMPOSITION
tp1 tp2 tp1 tp2 ∧
FLEXIBLE (NON STRICT) COMPOSITION
tp1 tp2 tp
Laser 2005 - Summer School on Software Engineering 116
Timed Systems with priorities – about priorities
conflicts between actions
management and scheduling
associativity of composition
“What It Means for a Concurrent Program to Satisfy a Specification: Why No One Has Specified Priority” Leslie Lamport, POPL, 1984
Laser 2005 - Summer School on Software Engineering 117
Timed Systems with priorities – discussion Priorities are a powerful modeling tool
modeling of urgency, scheduling policies
modeled by assigning priorities to threads
Laser 2005 - Summer School on Software Engineering 118
Overview (2)
– The role of schedulers – Control invariants – Scheduler specifications – Composability results
– Definition – Composition of priorities – Correctness-by-construction results
– The IF toolset – The BIP framework
Laser 2005 - Summer School on Software Engineering 119
The IF toolset: objectives Model-based development of real-time systems
Use of high level modeling and programming languages
Model-based validation
Applications: Protocols, Embedded systems, Asynchronous circuits, Planning and scheduling
Laser 2005 - Summer School on Software Engineering 120
The IF toolset: approach Modeling and programming languages (SDL, UML, SCADE, Java …) Transition systems simulation test verification1 verification2 verification3
Optimisation and abstraction
IF: Intermediate Format, based on a general and powerful semantic model
state explosion
Laser 2005 - Summer School on Software Engineering 121
The IF toolset: challenges Find an adequate intermediate representation
Expressiveness: direct mapping of concepts and primitives of high modeling and programming languages
Use information about structure for efficient validation and traceability Semantic tuning: when translating languages to express semantic variation points, such as time semantics, execution and interaction modes
Laser 2005 - Summer School on Software Engineering 122
The IF toolset - IF notation: system description Processes (Behavior) Interactions Data
extended timed systems (non-determinism, dynamic creation) asynchronous channels shared variables predefined data types (basic types, arrays, records) abstract data types
Dynamic priorities
Laser 2005 - Summer School on Software Engineering 123
The IF toolset: - IF notation: the basic model (ACTA)
x,y: var t:timer ?g,a
Laser 2005 - Summer School on Software Engineering 124
The IF toolset - IF notation: system description
– executes asynchronously with other instances – can be dynamically created – owns local data (public or private) – owns a private FIFO buffer
– asynchronous signal exchanges (directly or via signalroutes) – shared variables
Laser 2005 - Summer School on Software Engineering 125
P1(N1)
const N1 = … ; // constants type t1 = … ; // types signal s2(t1, t2), // signals // signalroutes signalroute sr1(1) … // route attributes from P1 to P3 // processes process P1(N0) … // data + behaviour endprocess; … process P3(N3) … endprocess;
The IF toolset - IF notation: system description
P1(N1) P3(N3) P2(N2)
signalroute process signal (N1 initial instances) s2 (t1, t2) s1(t1) … … … … parameter sr(1) … local data
Laser 2005 - Summer School on Software Engineering 126
The IF toolset -IF notation: process description
Process = hierarchical, timed system process P1(N1); fpar … ; // types, variables, constants, procedures state s0 … ; … // transition t1 endstate; state s1 #unstable…; … // transitions t2, t3 endstate; … // states s2, s3, s4 endprocess;
parameters local data state
s2 s1 s3 s0 s4 t1 t4 t5 t3 t2
local data + local clocks
s41 s42 t6 t7
P1(N1)
Laser 2005 - Summer School on Software Engineering 127
The IF toolset - IF notation: dynamic creation
p := fork client (true) a new instance is created
process name parameters pid of the newly created instance
the instance is destroyed, together with its buffer, and local data kill client(2) kill p
pid expression
stop the “self” instance is destroyed, together with its buffer, and local data
Laser 2005 - Summer School on Software Engineering 128
The IF toolset - IF notation: transition description
transition = urgency + trigger + body
state s0 … urgency eager provided x!=10; when c2 >= 4; input update(m); body …. nextstate s1; … endstate;
= trigger
urgency untimed guard timed guard signal consumption from the process buffer statement list
t1
statement = data assignment message emission, process or signalroute creation or destruction, …
iterative composition
Laser 2005 - Summer School on Software Engineering 129
The IF toolset- IF notation: data and types Variables:
Predefined basic types: integer, boolean, float, pid, clock Predefined type constructors:
Abstract Data Type definition facilities …
⊇ {self, nil}
Laser 2005 - Summer School on Software Engineering 130
The IF toolset - IF notation: interactions
signal route = connector = process to process communication channel with attributes, can be dynamically created
signalroute s1(1) #unicast #lossy #fifo from server to client with grant, fail;
route name initial instance number attributes signal set endpoints
attributes:
Laser 2005 - Summer School on Software Engineering 131
The IF toolset - IF notation: interactions (delivery policies)
peer
server(0) server(0) server(0)
to one specific instance
client(1) client(0) client(2) client(1) client(0) client(2) client(1)
unicast multicast to all instances to a randomly chosen instance
Laser 2005 - Summer School on Software Engineering 132
The IF toolset - IF notation: interactions (signal exchange) Signal emission (non blocking):
to a specific process: output req (3, open) to server(2);
signal
via a signalroute:
mixed:
parameters signalroute pid expression pid expression
Signal consumption (blocking):
input req (f, s);
formal parameters k=integer(self)
Laser 2005 - Summer School on Software Engineering 133
The IF toolset - IF notation: System description (example)
server(NS) client(NC)
grant, fail(reason) req(file,status) stop abort s0 s1 s2 update(file) fail(reason)
const NS= … , NC= … ; type file= … , status= … , reason= … ; signal stop(), req(file, status), fail(reason), grant(), abort(), update(data); signalroute s0(1) #multicast from server to client with abort; signalroute s1(1) #unicast #lossy from server to client with grant,fail; signalroute s2(1) #unicast from client to server with req; process server(NS) … endprocess; process client(NC) … endprocess;
Laser 2005 - Summer School on Software Engineering 134
The IF toolset - IF notation: timed behavior The model of time [timed systems]
– global time → same clock speed in all processes – time progress in stable states only → transitions are instantaneous
time = 0
q0 t1 t2 q1 q2
δ0(q2)
q3
time = δ0
q4
δ1(q4)
P1 P2 P3 Pk …
system configuration
q5
time = δ0 + δ1 …
Laser 2005 - Summer School on Software Engineering 135
The IF toolset - IF notation: timed behavior
– set to value – deactivate – read the value into a variable
– comparison of a clock to an integer – comparison of a difference of two clocks to an integer state send;
set t:= 10; nextstate wait_ack; endstate; state wait_ack; input ack(sender,c); … when 10 <t<20 ; … endstate;
Laser 2005 - Summer School on Software Engineering 136
The IF toolset - IF notation: dynamic priorities
variables ranging over the active process set) priority_rule_name : p1 < p2 if condition(p1,p2)
– fixed priority: p1 < p2 if p1 instanceof T and p2 instanceof R – run-to-completion: p1 < p2 if p2 = manager(0).running – EDF: p1 < p2 if Task(p2).timer < Task(p1).timer (p1)
Laser 2005 - Summer School on Software Engineering 137
IF toolset - overall architecture
UML RT/UML OMEGA SDL
aml2if uml2if sdl2if
IF Description IF Exploration Platform
TGV Test Generation
Test Suites
model construction
LTS
model checking guided exploration
mincost path extraction
schedules
Objecteering Rational Rose ObjectGeode CADP SPIDER
IF Static Analyzer
LASH RMC TReX
guided simulation
Laser 2005 - Summer School on Software Engineering 138
IF toolset - Core components
syntactic transformation tools:
LTS exploration tools
priorities (scheduling) interaction model state space representation writer IF description parser C/C++ code
IF AST
application specific process code predefined modules (time, channels, etc.)
compiler
Laser 2005 - Summer School on Software Engineering 139
IF toolset - core components: exploration platform
step
S S u u c c c c ! ! Interaction model
I1:P2 I2:P1 Time I1:P1 Ik:Pj active instances process 1 process 2 process j Time module
I2:P2 create s e t , r e s e t
execution control
run
S S u u c c c c ? ? priorities (scheduling)
run step run step run step
Laser 2005 - Summer School on Software Engineering 140
IF toolset - core components: exploration platform (time)
i) discrete time
varying size integer vectors
computed w.r.t. the next enabled deadline
ii) continuous time
varying size difference bound matrices (DBMs)
symbolically
because of deadlines: they are represented implicitly as unions of DBMs
Dedicated module
(set, reset)
guards)
w.r.t. actual deadlines and
Two implementations for discrete and continuous time (others can be easily added)
Laser 2005 - Summer School on Software Engineering 141
IF toolset - case studies: protocols
SSCOP
Service Specific Connection Oriented Protocol
Issue on Formal Methods in Industry. Vol. 36, number 1, January 2000.
MASCARA
Mobile Access Scheme based on Contention and Reservation for ATM case study proposed in VIRES ESPRIT LTR
In M.B. Dwyer (Ed.) Proceedings of SPIN Workshop 2001, Toronto,
PGM
Pragmatic General Multicast case study proposed in ADVANCE IST-1999-29082
Laser 2005 - Summer School on Software Engineering 142
IF toolset - ase studies: asynchronous circuits
timing analysis
modeling and analysis of timed systems, FORMATS’03, Marseille, France.
functional validation
specifications using IF/CADP. In Proceedings of IFIP Intl. Conference on VLSI, Darmstadt, Germany
Laser 2005 - Summer School on Software Engineering 143
IF toolset - case studies: embedded software
Ariane 5 Flight Program
joint work with EADS Lauchers
Flight Program. In Proceedings of FMICS 2001, Paris, France.
K9 Rover Executive
S.Tripakis et al. Testing conformance of real-time software by automatic generation of observers. In Proceedings of Workshop on Runtime Verification, RV’04, Barcelona, Spain. Akhavan et al. Experiment on Verification of a Planetary Rover Controller. In Proceedings of 4th International Workshop
Germany.
Laser 2005 - Summer School on Software Engineering 144
IF toolset - Ariane-5 flight program
Laser 2005 - Summer School on Software Engineering 145
IF toolset - Ariane-5 flight program : the model
– high level, non-deterministic, abstracts the whole program as communicating extended finite-state machines
– low level, deterministic, focus on specific components …
– we focus on the asynchronous view
Laser 2005 - Summer School on Software Engineering 146
IF toolset - Ariane-5 flight program: architecture Regulation
engines/boosters ignition/extinction
Configuration
stage/payload separation
Control
Navigation Guidance Algorithms
OBC (On Board Computer) Ground OBC (Redundant)
~3500 lines
Laser 2005 - Summer School on Software Engineering 147
IF toolset - Ariane-5 flight program: regulation components
“regulation” commands at right moments in time :
– at T0 + ∆1 execute action1 – at T0 +∆2 execute action2 … – at T0 + ∆n execute actionn
moment
processes, moving on specific, precise times
start state1
action1
state2 state3
now = T0+∆1 now = T0+∆2 action2 now = T0+∆3 action3 input start-date(T0)
Laser 2005 - Summer School on Software Engineering 148
IF toolset - Ariane-5 flight program: configuration components
– flight phase : ground, launch, orbit, … – control information: reception of some signal, ... – time : eventually done in [T0+L,T0+U]
timeout-driven transitions
Laser 2005 - Summer School on Software Engineering 149
IF toolset - Ariane-5 flight program: configuration component ( example)
start wait-sig done the opening action eventually happens between Tearly and Tlate moments, if possible, on the reception on the
ready wait-time now = Tearly
« opening » input open input open
now = Tearly now = Tlate
Laser 2005 - Summer School on Software Engineering 150
IF toolset - Ariane-5 flight program: control components
the current flight evolution
– guidance, navigation and control algorithms
– send flight commands with some temporal uncertainty
Laser 2005 - Summer School on Software Engineering 151
IF toolset - Ariane-5 flight program: control components (example)
time non-deterministic: the firing signal can be sent between T0 + L and T0 + U time deterministic: the firing signal is sent exactly at T0 + K init done
to vulcain T0 + K = now eager
init done
to vulcain T0 + L ≤ now and now ≤ T0+U lazy
Laser 2005 - Summer School on Software Engineering 152
IF toolset - Ariane-5 flight program: requirements
– e.g. no deadlock, no timelock
– e.g. flight phase order – e.g. stop sequence order
– e.g. activation signals arrive eventually in some predefined time intervals
Laser 2005 - Summer School on Software Engineering 153
IF toolset - Ariane-5 flight program: validation (model exploration)
causality e.g., deadline missed because of ∆1 > ∆2
now = T0+∆1 now = T0+∆2
input status
Laser 2005 - Summer School on Software Engineering 154
IF toolset - Ariane-5 flight program: Validation (static analysis)
1st version: 143 clocks reduced to 41 clocks 2nd version : 55 clocks, no more reduction
20% of all variables are dead in each state
eliminates passive processes (without outputs and requirements are independent of their events)
Laser 2005 - Summer School on Software Engineering 155
IF toolset - Ariane-5 flight program: Validation
Some results (for 31 processes)
time deterministic time non-deterministic
n.a. n.a. + live reduction
2201760 st. 18796871 tr. n.a. + live reduction + partial order 1604 st. 1642 tr. 195718 st. 278263 tr.
Laser 2005 - Summer School on Software Engineering 156
Overview (2)
– The role of schedulers – Control invariants – Scheduler specifications – Composability results
– Definition – Composition of priorities – Correctness-by-construction results
– The IF toolset – The BIP framework
Laser 2005 - Summer School on Software Engineering 157
The BIP framework
Interaction model Priority
Execution kernel
Platform
Laser 2005 - Summer School on Software Engineering 158
The BIP framework – the execution platform
Interaction Meta-model Dynamic priorities Meta-model
Description in L C⇒ a<b Component Meta-model C⇒ a<b
L
Execution kernel
159
Implementation Implementation -
atomic component: abstract syntax
Component: C Ports: p1,p2, … Data: x,y,z, …. Access: (p1,{x,y,z}), (p2,{x,u,v}), Behavior: state s1
……………… ……
state s2
………. state sn
160
Implementation Implementation -
atomic components
run() { Port* p; int state = 1; while(true) { switch(state) { case 1: p = sync(a, ga, d, gd); if (p == a) fa; state = 2; else fd; state = 3; break; case 2: p = sync(b, gb, e, ge); … case 3: … } } }
2 3
a ga fa b gb fb c gc fc d gd fd e ge fe f gf ff
1
161
Implementation Implementation -
connectors and priorities: abstract syntax Connector: BUS={p, p’, … , } complete() Behavior:
Priorities: PR if C1 then {(α1, α2), (α3, α4) , … } if C2 then {(α,…), (α,…) , … } if Cn then {(α,…), (α,…) , … }
Laser 2005 - Summer School on Software Engineering 162
The BIP framework - modulo-8 counter : atomic component
Zero’ One’
flip gflip: X=1 fflip: Y:=1 tick tick flip gflip: X=1 fflip: Y:=0
Zero One
tick tick tick
counter
in:X
Laser 2005 - Summer School on Software Engineering 163
The BIP framework - modulo-8 counter: architecture
in:X1 in:X2 in:X0
tick1 tick0 tick2 AND
Laser 2005 - Summer School on Software Engineering 164
The BIP framework - modulo-8 counter: the model tick 〈 flip0 , tick 〈 flip1 , tick 〈 flip2 CN: tick={tick0, tick11 , tick2} CI: ∅
Transfer : X1 := Y0; X2 := Y1 ∧ Y0 in:X1 in:X2 in:X0
CN: tick0, flip0 CI: flip0 CN: tick1, flip1 CI: flip1 CN: tick2, flip2 CI: flip2
Laser 2005 - Summer School on Software Engineering 165
The BIP framework – readers/writers: architecture
Idle Writing wrReq wrRel rdRel rdCount == 0 Idle Rd_Busy Wr_Busy rdReq rdRel, rdCountr>0 rdReq wrRel wrReq wrRel wrReq wrReq wrRel rdReq rdRel file rdRel rdReq quantum Idle Reading rdReq rdRel repository rdData_i file quantum
Reader_i Resource Writer
The BIP framework – readers/writers: resource model
Component : Resource Port: wrReq, rdReq, rdRel, wrRel Data: repository, rdID , rdData0 , rdData1 , …. rdDatan Access: (wrRel, {repository}), (rdRel, {rdData0 , rdData1 , …. rdDatan }), (rdReq,{rdID}) Behavior : (State : Idle, RdBusy, WrBusy) state Idle
to state RdBusy state WrBusy
state RdBusy
RdBusy
Laser 2005 - Summer School on Software Engineering 166
Laser 2005 - Summer School on Software Engineering 167
The BIP framework – readers/writers: writer model
Component : Writer Port : wrReq, wrRel Data : file, quantum Access : (wrRel, {quantum}) Behavior : (States : Idle, Writing) state Idle
state Writing
Laser 2005 - Summer School on Software Engineering 168
The BIP framework – readers/writers: reader model
Component: Reader Port: rdReq, rdRel, Data: file, quantum Access: (rdRel, {quatum}) Behavior (States : Idle, Reading) state Idle
state Reading
Laser 2005 - Summer School on Software Engineering 169
The BIP framework – Readers/Writers: connectors
Connector : WrReq = {Writer.wrReq, Resource.wrReq} Complete() :∅ Behavior: On WrReq provided (true), do {Nop} Connector : WrRel = {Writer.wrRel, Resource.wrRel} Complete() : ∅ Behavior: On WrRel provided (true), do { put(quantum,repository)} Connector : RdReqi = {Resource.rdReq, Readeri.rdReq} Complete() : ∅ Behavior: On RdReqi, provided (true), do {RdID:=i} Connector: ReadReli = { Resource.rdRel, Readeri.rdRel } Complete() : ∅ Behavior: On RdReli , provided (true), do {Readeri.quantum:=RdDatai}
Laser 2005 - Summer School on Software Engineering 170
The BIP framework - Readers/Writers: state graph
Laser 2005 - Summer School on Software Engineering 171
The BIP framework – implementation: the kernel p1 p2 p3 P.run
{p1,q1} { p2,q2} {p3, q3} {p3 ,q3 , r1} {q2 ,r2 }
q1 q2 q3 Q.run r1 r2 R.run Kernel.run
Laser 2005 - Summer School on Software Engineering 172
The BIP framework – implementation: the kernel init loop
Launch atom’s threads
stable
Wait all atoms
ready
Compute legal interactions
filter
Filter w.r.t. priorities
choose
Choose among maximal
execute
Execute chosen interaction transfer Notify involved atoms
Laser 2005 - Summer School on Software Engineering 173
Overview (2)
– The role of schedulers – Control invariants – Scheduler specifications – Composability results
– Definition – Composition of priorities – Correctness-by-construction results
– The IF toolset – The BIP framework
Laser 2005 - Summer School on Software Engineering 174
General discussion - the BIP framework
and relying on a minimal set of constructs and principles e.g. interaction models + dynamic priorities
Structure is a first class entity Correctness-by-construction techniques for deadlock- freedom and liveness, based on suficient conditions on structure (mainly)
IF toolset allows layered description of timed systems, Methodology and tool support for generating scheduled code for real-time applications (work by S. Yovine et al.)
Laser 2005 - Summer School on Software Engineering 175
General discussion – work dealing with components
SW Design Description Languages
languages, SystemC, Metropolis, Ptolemy
Javaspaces, TSpaces, Concurrent Fortran, …
approaches
General discussion – related approaches
Metropolis PTOLEMY
Laser 2005 - Summer School on Software Engineering 176
ASML .net Composition Operators
Vanderbilt’s Approach
Operational Semantics
Semantic Unit Meta-model Behavior Semantic Unit Meta-model Platform Connectors Directors Semantic Domains Behavior MoC
(Model of Computation)
Media Quantity Managers Behavior Platform
Operational Semantics Operational Semantics
Laser 2005 - Summer School on Software Engineering 177
General discussion – future work Develop a rigorous and general basis for architecture modeling and implementation:
(components, interaction, control)
styles, paradigms, e.g.
state ports)
glue code meeting given requirements
General discussion – future work: synchronous reactive systems
Data flow partial order
Laser 2005 - Summer School on Software Engineering 178
input1:x1
input4:x4
input2:x2
input3:x3
input1:x1
input4:x4
input2:x2
input3:x3
Connector: s1,s2,s3,s4 transfer: x2,x3:=y1; x4:=y2,y3 Priority: lowest
s1 s2 s3 s4
Laser 2005 - Summer School on Software Engineering 179
General discussion – future work: hierarchical modeling p1 p2 p3 q1 q2 q3 r1 r2 p1 q1 p2 q2 p3 q3 w1 r1 w2 r2 v1 v2 w1 w2
Pb: coordination between fathers and children
Laser 2005 - Summer School on Software Engineering 180
General discussion – future work: expressiveness Study Component Algebras CA= (B, GL,⊕, ≅)
Study notions of expressiveness characterizing structure Given CAi= (B, GLi,⊕i, ≅i), i=1,2, CA1 is more expressive than CA2 if ∀ P ∃ gl2∈GL2 gl2(B1, .,Bn) sat P ⇒ ∃ gl1∈GL1. gl1(B1, …Bn) sat P
Laser 2005 - Summer School on Software Engineering 181
General discussion – future work: expressiveness(2)
C⇒ a 〈 b
Example: For given B, IM and PR which coordination problems can be solved?
Notion of expressiveness different from existing ones which
seems problematic e.g. hiding, restriction