Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration...
Transcript of Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration...
![Page 1: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/1.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/1
Hierarchical Dynamic Models for Verifying Parallel Distributed
Real-Time Systems
Heinz Schmidt
Centre for Distributed Systems and Software Engineering
Monash University
11/2005
![Page 2: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/2.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/2
Overview
Architectural Models and ADLsDarwin, Koala, RADLApplications: what do we model or predict?Context-dependent analysis and parameterized componentsWork in Progress
![Page 3: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/3.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Example Component-Based System
3
![Page 4: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/4.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Example ModelProduction Cell Animation
4
![Page 5: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/5.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Reliable/Rich Architecture Definition Language (RADL)
Many ADLs now available [See M.Shaw ICSE’01, Medvidocic&Taylor TSE1/2000]
UML2 includes ADL in socalled superstructure standard
RADL is based on ICL’s DARWIN [joint project 94-96]
5
ProductionCell
Robot
![Page 6: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/6.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Our extension of Darwin’s Software Architect Assistant: TCAT [98]
From object-based to object-oriented
Beyond Objects: Components and Architectural Assemblies
6
ADL Features SAA / DARWIN TCAT / RADLObjects Object-based Object-orientedClasses No Yessubtyping No Yesinheritance No Yescomponent protocols Yes Yesconnector protocols No YesLanguage binding CORBA Java
![Page 7: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/7.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
KOALA - Darwin spin-off
Industrial-strength spin-off at Philips (Eindhoven)
Now applied to all consumer electronics architectures/ product lines
Additions to DarwinC modules: breaking out of ADL in primitive components
Switches: mini-components for complex connector scripting s.a. dispatch, delegation of calls etc but without separate binary black-box component
Koala compiler to C - 10-20% of CE code ADL derived
Strength: in modelling, reuse, documentation, compilation
Weakness: no behaviour specification or analysis
7
![Page 8: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/8.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Meanwhile...KOALA: ongoing work on ADL - IDE
initial prototype with graphical and textual capabilities
exploration of Eclipse integration
first analysis support s.a. tool for concurrency analysis
DARWIN: richer dynamic modelsUML2: Scenarios, MSC, UML2 state charts
Semantic extensions: FSP revisions and target of UML translation, fluent calculus and probabilistic LTS
Improved analysis: LTSA2 and beyond
RADL: extra-functional analysis and industrial applicationsWCET prediction and consistency analysis
Parameterised models and probabilistic prediction
... move away from graphic models to Java API strength
8
![Page 9: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/9.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Why Architecture-Level Reasoning
9
[Mary Shaw: The Coming of Age of Software Architecture ICSE’01, IEEE]
One of the early motivations for
specifying software architectures explicitly is the use of architectural design information for structural reasoning
about component, assembly and system properties.
![Page 10: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/10.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
RADL Rich Dynamic ModelsExtended DFAs underlying DFSMs
variables capturing shared external and internal state and folding dynamic models
hierarchical state refinement
Generic extra-functional property modellingreal-time, space and probabilities (reliability, availability...)
different type iterators walking dynamic models for ease of extra-functional analysis
aspect-oriented EFP weaving
Sophisticated model composition operatorsarchitectural component assembly
dynamic model manipulation and analysis in component dependency networks
10
![Page 11: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/11.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Architectural Design & Composition in RADL
requires gate provides gate
Gate: interface object of defined interaction protocol type
Connectors: two-way interaction or flow;direction indicates dominant control, e.g. initiation of sequence
Component composition 1: Connectors for component „wiring“
Hierarchical architecturalcomponents
Component composition 2: protocol expressionsRobot = (Arm1 . Base . Arm2) | WeakSync
including constraints & properties
11
![Page 12: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/12.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Dependent FSMs andArchitectural dependency networks
Connector DFAs (extended dependent finite state automaton / trace languages) Component DFTs (extended dep. fin. state translator / trace translations)
R DFA P DFA
Component DFT DFT computed for composite
12
![Page 13: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/13.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
RADL Hierarchical Dynamic Models
13
Components
Interaction models
Protocol and/or property models “canned” with packaged components and built into architectural dependency network at configuration or deployment
Prop. models
single DFSM (P,T,R)Provided Automata
(stimuli)P
Translation Automata (stimuli-responses)T
Required Automata (responses)R
EFP Formulae derivedbefore discarding DFSM
![Page 14: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/14.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Interaction and Translation Protocol TypesInteraction protocol types (port interface abstraction)
Defined by trace languages and automata based in Petri nets and automata theory
True concurrency based on partially ordered traces over interactions
Translation protocol type (component abstraction)Dependencies between interaction ports
Distinguish input, output, hidden subalphabets Σ=I+O+H
Hierarchical protocol name spaces following architectural decomposition
Petri nets covered by atomic (sequential) subnets (S-components)
Closed under rational operators
Lattice of interaction protocol type => subtyping
Time, reliability, usage probabilities and other extra-functional property annotations
14
![Page 15: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/15.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Postponing state space explosionPartial order traces and vectors of statemachines composing underlying Petri net
vector product preserves local ordering and synchronisation constraints
concatenation and shuffle as special case based on distinction of dependency D and independence I relation between labelsadditional fairness constraints sufficient for decidability (see trace
15
a
d
a
b
e
c
g
=.
a
d
a
b
e
c
gif {a,d}I{b,c,e,g}if dDe Component-wise (temporal order) + Sync. Constraints
![Page 16: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/16.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Application: eCAP ABB CollaborationIEC 6 1131-3 code
Function Block Diagrams & ST (imperative)restrictions: assume few loops, no pointer arithmetic, no recursion, no suspend, etc..
Currently 800xA includes almost no support for performance analysis
benchmark data for example components on various CPUs;benchmarking methods manually driven, time consumingclient problem resolution may require specialist support at client sites for days/weeks
16
![Page 17: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/17.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
eCAP - ABB CollaborationGoal: tool to diagnose extra-functional properties (load, WCET) of IEC 6 1131-3 component software designs for ABB AC800 Controllers
Benefits: reduce design, testing & maintenance costs
Resultsprototype running on small examplespatent application (filed May 2005)deployment for in-house evaluation requestedpublications: WORDS 2004 (Fall), ERCIM Workshop on Software Intensive Embedded Systems
17
![Page 18: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/18.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/18
![Page 19: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/19.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/19
ECAP Polymetric viewsMultiple metrics
BCET/WCET/DeviationCode complexity...
Beyond summary tablesVisual cues
following source structurebasic and aggregate entitieslength/height outlierscolor coding
![Page 20: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/20.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
User interface: profile
ABB IndustrialIT (TM) 800xA Extensionprotected by joint patent: proprietary feasibility checking;
analyser plugins .NET/C# (open-source license); commercialisation gate 5 passed 12/2005
1
2
3
![Page 21: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/21.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Production Cell - press “provides” gate
21
![Page 22: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/22.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Context-Dependent Analysis
Automation library component software in industry becomes more and more ‘capable’ and ‘configurable’ for different contexts to maximise reuse without loss of quality
Software components are used in restricted deployment environment guaranteeing much stronger assumptions than those made for generic library components
Predicted times and reliability based on context-free property models (adding resource usage of components without regard for embedding in context) are not sufficiently accurate except for the simplest, lowest-level, components
22
![Page 23: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/23.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
WCET: reuse vs. context dependencetraditionally whole-of-system approach
context-free or global analysisoverly pessimistic for many contextsresults not easily reusedrequires full source
need “context-dependent” approach
23
?
??
?
![Page 24: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/24.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Context-dependent property analysisContext of component type T is restriction of T's stimuli-response ‘translation’ protocols
qualify “guard” property G of T with a context C: <G,C>the universal context of T is simply its DFSM's original provided protocol: <true,P>
<G1,C1> only valid in a given context C2 if C2 equals or (further) restricts C1
analysis techniques must be adapted to handle context
properties reusable only if guards satisfied
24
![Page 25: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/25.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Parameterised Components - beyond provides and requires interfaces -
Parameter contexts– development, e.g. reuse settings– configuration, e.g. product line variation– deployment, e.g. installation settings
and services– execution, e.g. initialization and run-
time services
Extra-functional annotations in parameters
– runtime usage probabilities– architecture-dependent WCET
– policies (such as fault-tolerance)
Provided Required
P1
P2
P3
Pn
Basic or composite (subsystem) component
R1
R2
Rm
Externalcomponents
Configuration
Deployment
Infrastructure
25
User/client
![Page 26: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/26.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Probabilistic Component Parametrisation
Provided Gate protocol typesunknown usage profileusage probabilities for component services
load probabilities: passive - active, night - day etc.
Required Gate protocol typesunknown depolyment contextcontext services reliabilityavailability of independent resources
Component Abstract Machine translation types
unknown realisation detailsprobabilistic state transitionsprobabilities hiding resource information detailsProvided Required
P1
P2
P3
Pn
Basic or composite (subsystem) component
R1
R2
Rm
Externalcomponents
Configuration
Deployment
Infrastructure
26
User/client
![Page 27: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/27.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Towards Handling Cyclic Dependencies Connector DFAs (extended rational trace language)
Component DCFTs (extended context-free translations)
R DFA sublanguage P DFA
Component DCFT DCFT computed for composites
27
![Page 28: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/28.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Required signatures R1,R2,R3,R4,...
Provided regular P
Abstract CF component C
Projected CF required protocol languages
Projected regular provided protocol languages
Binding problem decidable (!) and efficiently so (practical?)
Simple Reduced Dependency Networks
1
2
3
4
5
6
P C
P C P’ C’?i j
pro ji(LC)∩ pro j j(LP′) = pro ji(LC)
![Page 29: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/29.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
Related WorkWCET analysis
most work focuses on monolithic/whole-of-system analyses
Model checking / automata researchefficient model “folding”hybrid/extended automata (Presburger arithmetic)
Context modeling
Architectural modelingUML2, Koala (Phillips), SaveComp (MRTC et al), Robocop
29
![Page 30: Hierarchical Dynamic Models for Verifying Parallel ...€¦ · Application: eCAP ABB Collaboration IEC 6 1131-3 code Function Block Diagrams & ST (imperative) restrictions: assume](https://reader036.fdocuments.net/reader036/viewer/2022071419/6117dd5db9a17e6bd50be881/html5/thumbnails/30.jpg)
Heinz Schmidt www.csse.monash.edu/~hws/
ConclusionFoundations, key ideas and approach for reliable/rich architecture definition language (RADL)
Protocol dependency models important - not just connector conformanceCompositional extra-functional property models
WCET, usage probabilities, reliabilityContext-dependent analysis
Implementation:Proof-of-concept prototypes and industrial tools
Ongoing generalisation and extension
30