Component-based Construction of Heterogeneous Real-time Systems in - - PowerPoint PPT Presentation
Component-based Construction of Heterogeneous Real-time Systems in BIP FOSE 2010 Zurich, November 22-23, 2010 Joseph Sifakis VERIMAG Laboratory in collaboration with A. Basu, S. Bensalem, M. Bozga, M. Jaber, J. Quilbeuf Systems
Component-based Construction
Systems in BIP
FOSE 2010
Zurich, November 22-23, 2010
Joseph Sifakis
VERIMAG Laboratory in collaboration with
2
Systems Everywhere
Electronic components integrate software and hardware jointly and specifically designed to provide given functionalities, which are often critical.
System Design – New Trends
3
Mixed SW/HW system design is different from pure SW design New trends break with traditional Computing Systems Engineering. It is hard to jointly meet technical requirements such as:
Ex : flight controller
Ex : no manual start, optimal power management
Ex : attacks, hardware failures, software execution errors
increase with resources) Ex : reconfiguration, scalable services Technological challenge : Capacity to build systems of guaranteed functionality and quality, at an acceptable cost. ...and also take into account economic requirements for optimal cost/quality
System Design – State of the Art
Flight controller, smart card
Telecommunication systems, web-based applications
We need:
Ex : transport, health, energy management
Internet of Things Automated Highways New generation air traffic control « Ambient Intelligence»
TOMORROW TODAY We master – at a high cost – two types of systems which are difficult to integrate:
System Design – Still a long way to go
Traditional systems engineering disciplines are based on solid theory for building artefacts with predictable behaviour over their life-time. Computing systems engineering lacks similar constructivity results
design problems
at design time
essential for ensuring correctness
O V E R V I E W
6 Rigorous System Design
The BIP Component Framework
Discussion
System Design – Essential Requirements
7
Productivity using high level domain-specific languages for ease of expression and natural expression of data parallelism and functional parallelism allowing reuse of components and the development of component- based solutions tools for programming, validation and code generation Correctness This means that the designed system meets its requirements. Ensuring correctness requires that the design flow relies on the use of models with well-defined semantics. The models should consistently encompass system description at different levels of abstraction from application software to its implementation. Properties met at some step of the design flow, should be preserved in all the subsequent steps
System Design – Essential Properties
8
Parsimony Design choices are only implied by requirements - system designers privilege specific programming models or implementation principles that a priori exclude efficient solutions. Design choices such as
are resolved so as to determine appropriate implementations Performance guaranteeing extra-functional properties regarding optimal resource management. resources such as memory, time and energy must be first class concepts encompassed by rigorous models. possibility to analyze and evaluate efficiency in using resources as early as possible along the design flow.
System Design – Rigorous Design Flow
9
A rigorous system design flow allows guaranteeing that the designed system meets some essential requirements. It is model-based: the software and system descriptions used along the design flow should be based on a single semantic model. This is essential for the overall coherency and efficiency
abstraction levels and purposes (validation, performance evaluation, code generation) component-based: it provides primitives for building composite components as the composition of simpler heterogeneous components. correct-by-construction: it rely on tractable theory for guaranteeing at design time essential properties so as to avoid as much as possible monolithic a posteriori validation
O V E R V I E W
10 Rigorous System Design
The BIP Component Framework
Discussion
11
Model-based – Marry Physicality and Computation
Computing: algorithms protocols architectures Environment constraints: Performance (deadlines, jitter, throughput) Processor constraints: CPU speed memory power failure rates temperature EMBEDDED SYSTEM
12
Model-based – Marry Physicality and Computation
Embedded SW Design cannot ignore HW design
Computing: algorithms protocols architectures Environment constraints: Performance (deadlines, jitter, throughput) Processor constraints: CPU speed memory power failure rates temperature EMBEDDED SYSTEM
13
Model-based – Marry Physicality and Computation
Embedded SW Design cannot ignore control design
Computing: algorithms protocols architectures Environment constraints: Performance (deadlines, jitter, throughput) Processor constraints: CPU speed memory power failure rates temperature EMBEDDED SYSTEM
14
Model-based – Marry Physicality and Computation
Embedded SW Design coherently integrates all these
We need to revisit and revise computing to integrate methods from EE and Control
Computing: algorithms protocols architectures Environment constraints: Performance (deadlines, jitter, throughput) Processor constraints: CPU speed memory power failure rates temperature EMBEDDED SYSTEM
Model-based – Marry Physicality and Computation
15 15
Physical Systems Engineering Analytic Models
Component: transfer function Composition: parallel Connection: data flow
Computing Systems Engineering Computational Models
Component: subroutine Composition: sequential Connection: control flow
Model-based – Marry Physicality and Computation
16
Matlab/Simulink Model
Model-based – Marry Physicality and Computation
UML Model
(Rational Rose)
O V E R V I E W
18 Rigorous System Design
The BIP Component Framework
Discussion
Component-based – Heterogeneity
System designers deal with a large variety of components, each having different characteristics, from a large variety of viewpoints, each highlighting different dimensions of a system SW Component frameworks:
BPEL, Javaspaces, TSpaces, Concurrent Fortran, NesC
System modeling languages: Statecharts, SysML, Matlab/Simulink, AADL, Ptolemy Hardware description languages: Verilog, VHDL, SystemC Build complex systems by composing components (simpler systems). This confers numerous advantages such as productivity and correctness
Component-based– Heterogeneity
Develop a framework for model-based and component-based design expressive enough to directly encompass heterogeneity of
software using a minimal set of constructs and principles treating interaction and system architecture as first class entities that can be composed and analyzed - independently of the behavior of individual components providing automated support for efficient implementation on given platforms
Thread-based programming
Component-based– Heterogeneity
Actor-based programming Software Engineering Systems Engineering
Component-based – The Problem
Build a component C satisfying a given property P, from
c1 c’1
gl1 gl1
c2 c’2
gl12 gl12
sat P
gl2 gl2
frameworks based on families of composition operators
such as protocols, schedulers, buses
Component-based – Glue Operators
B1
gl gl
B2 Bn
Use operational semantics to define the meaning of a composite component – glue operators are “behavior transformers” Operational Semantics
B
Glue Operators
the atomic components e.g. parallel composition operators
Universal Glue)
O V E R V I E W
24 Rigorous System Design
The BIP Component Framework
Discussion
Correct-by-construction – Cope with Complexity
c1 c’1 c2 c’2
gl gl
c2 c’2
gl2 gl2
c1 c’1
gl1 gl1
gl1 gl1
gl gl C1 C2 Cn
≅ ≅
gl2 gl2 C2 Cn C1 Plasticity: Glue is a first class concept independent from behavior
Correct-by-construction – Cope with Complexity
Compositionality: Build correct systems from correct components: rules for proving global properties from properties of individual components
We need compositionality results for the preservation of progress properties such as deadlock-freedom and liveness as well as extra-functional properties
gl
ci
sat Pi implies ∀gl ∃gl
~
sat gl(P1, ..,Pn)
gl gl
c1 cn
~
Correct-by-construction – Cope with Complexity
Composability: Essential properties of components are preserved when they are integrated
gl
gl
Property stability phenomena are poorly understood. We need composability results e.g. non interaction of features in middleware, composability of scheduling algorithms, of Web services, of aspects
sat P
gl gl
c1 cn and sat Pʼ
gl gl’
c1 cn implies sat P&Pʼ
gl gl ⊕ gl gl’
c1 cn
O V E R V I E W
28 Rigorous System Design
The BIP Component Framework
Discussion
BIP – Basic Concepts
B E H A V I O R
Interactions (collaboration) Priorities (conflict resolution)
Layered component model Composition operation parameterized by glue IN12, PR12 IN12 PR12 PR1 IN1 PR2 IN2 IN1 ⊗ IN2 ⊗ IN12 PR1 ⊕ PR2 ⊕ PR12
S2S S2S S2S BIP – Connectors s + sr2 + sr3 +sr2r3
tick1 tick2 tick3 s r2 r3
tick1tick2tick3
rendezvous and broadcast.
contains some trigger or it is maximal. Express interactions by combining two protocols: rendezvous and broadcast
BIP – Hierarchical Connectors
Atomic Broadcast: a+abc Causality chain: a+ab+abc+abcd
b c
bc
c d
c(1+d) a(1+bc)
a
y= b(1+y)
b
x= a(1+x)
a
BIP – The Language in a Nutshell
p1 q1 p1 q1 p2 r3 p2 q2 p3 r3 p3 q2 q3 q3 p4 r4 x1 x2 x3 x4 y1 y2 z3 z4 y2:=f2(x2) [g3(x3)] x1++ p4 r4 y1:=x1/2 p12 p123 r3 q123 p1234 r34 u v z3 ↑u:=max(x1,x2) ↓x1,x2:=u ↑v:=max(u,x3) ↓u,x3:=v [y1<y2] p123 < r3r4 [z4>0]
Behavior Interac.ons Priori.es
v p123
BIP – Execution Engine
Interaction Meta-model Dynamic priorities Meta-model
BIP Execution BIP Execution Engine Engine
BIP model BIP model C→a〈b b Component Meta-model
Platform
BIP – Execution Engine
Interaction model Priorities
BIP BIP Execution Execution Engine Engine
Platform
BIP – Compositional Verification
Verify global deadlock-freedom of a system by separate analysis of the components and of the architecture.
K1 K2
p1 p2
K1 K2
q1 q2 p1 p2 Potential deadlock D = en(p1) ∧ ¬ en(p2) ∧ en(q2) ∧ ¬ en(q1)
K3 K2 K1
p1 p2 q3 r3 r1 q2 Potential deadlock D = en(p1) ∧ ¬ en(p2) ∧ en(q2) ∧ ¬ en(q3) ∧ en(r3) ∧ ¬ en(r1)
Method: Eliminate potential deadlocks D by computing compositionally global invariants χ such that
χ∧D=false BIP – Compositional Verification: D-Finder B1 |= □ φ1 B2 |= □ φ2 ψ∈ II(γ(B1, B2 ),φ1,φ2) φ1 ∧ φ2 ∧ ψ⇒ χ γ(B1, B2 ) |= □χ
φ1 φ2 ψ
reachable states
BIP – Compositional Verification: D-Finder
O V E R V I E W
38 Rigorous System Design
The BIP Component Framework
Discussion
SW Componentization
Planner
Functional Level ::= Module+ Module ::= Service+ . Poster Service ::= Service Controller . Service Task Service Controller ::= Event Triggered Controller | Cyclic Controller Cyclic Controller ::= Event Triggered Controller . Cyclic Trigger Service Task ::= Timed Task | Untimed Task
Ready Idle Exec Abort trigger request interrupt abort abort finish trigger interrupt abort request finish
Idle: the Service is idle Ready: checks the possibility for starting a new Task of the Service Exec: execution of the Task of the Service Abort: Service is aborted
SW Componentization Event Triggered Controller
Cyclic Controller ::= Event Triggered Controller . Cyclic Trigger
Exec tick count<p / count++ count == p / count = 0 trigger trigger tick
Cyclic Trigger
trigger interrupt abort request finish
Event Triggered Controller
tick interrupt abort finish request
The Cyclic Trigger starts the Event Triggered Controller every period p
SW Componentization
Triggered by request status == 1 : Task successfully executed status == 0 : Task aborted
interrupt request abort finish Exec Abort Idle request interrupt abort finish read write read write state state state state status status := 1
SW Componentization Untimed Task
interrupt request abort finish Exec Abort Idle request abort finish /status:=1 read write tick read tick tick write count < t2 / count++ t1 ≤ count ≤ t2 state state state state status /count:=0 interrupt
Timed Task
SW Componentization
Untimed Event Triggered Service ::= Event Triggered Controller. Untimed Task
trigger intrpt req abort finish intrpt req abort finish
Event Triggred Controller Untimed Task
read state state status write
Untimed Event Triggered Service
trigger intrpt req abort finish intrpt req abort finish
Event Triggred Controller Timed Task
read state state status write tick
Timed Event Triggered Service
intrpt req abort finish intrpt req abort finish
Cyclic Controller Timed Task
read state state status write tick tick tick
Cyclic Service
Timed Event Triggered Service ::= Event Triggered Controller. Timed Task Cyclic Service ::= Cyclic Controller . Timed Task
SW Componentization
Module Pom reads and integrates data to provide an estimate
Pom ::= SetModel. AddME. SetRefME. Run. SetPos. Poster
trigger trigger trigger read tick trigger
Module Pom
write
data Poster trigger Run trigger SetRefME trigger AddME trigger SetModel tick write SetPos
state state state read request request request
SW Componentization
SW Componentization – Results
Modules Components Locations Interactions States LOC Min.
LaserRF 43 213 202 220x329x34 4353 1:22 Aspect 29 160 117 217x323 3029 0:39 NDD 27 152 117 222x314x5 4013 8:16 RFLEX 56 308 227 234x335x1045 8244 9:39 Antenna 20 97 73 212x39x13 1645 0:14 Battery 30 176 138 222x317x5 3898 0:26 Heating 26 149 116 217x314x145 2453 0:17 PTU 37 174 151 219x322x35 8669 0:59 Hueblob 28 187 156 212x310x35 3170 5:42 VIAM 41 227 231 210x36x665 5099 4:14 DTM 34 198 201 228x320x95 4160 13:42 Stereo 33 196 199 227x320x95 3591 13:20 P3D 50 254 219 213x35x54x629 6322 3:51 LaserRF+Aspect+NDD 97 523 438 258x366x85 11395 40:57 NDD+RFLEX 82 459 344 256x349x52x209 12257 73:43
46
O V E R V I E W
47 Rigorous System Design
The BIP Component Framework
Discussion
Expressiveness for Component-based Systems
gl3 gl3
c1 c2 c3 c4
gl1 gl1 gl2 gl2
c1 c3 c2 c4
gl1 gl1
gl1 gl1
gl1 gl1
Given two glues G1 , G2 G2 is strongly more expressive than G1 if for any component built by using G1 and C0 there exists an equivalent component built by using G2 and C0
≅
Expressiveness for Component-based Systems
gl3 gl3
c3 c1 c2
gl1 gl1
c1 c3 c c2
gl1 gl1
gl1 gl1
gl1 gl1
Given two glues G1 , G2 G2 is weakly more expressive than G1 if for any component built by using G1 and C0 there exists an equivalent component built by using G2 and C0∪ C
where C is a finite set of coordination behaviors.
≅
Expressiveness for Component-based Systems
BIP IM CCS SCCS CSP
<S <S <S <S
W > W > W > W >
[Bliudze&Sifakis, Concur 08]
≅S
Universal Glue
O V E R V I E W
51 Rigorous System Design
The BIP Component Framework
Discussion
Distributed Implementation – From BIP to S/R-BIP
BIP is based on: Global state semantics, defined by operational semantics rules, implemented by the BIP Engine Atomic multiparty interactions, e.g. by rendezvous or broadcast Translate BIP models into observationally equivalent S/R-BIP models Point to point communication by asynchronous message passing Replace the BIP Engine by a set of Engines executing subsets of interactions Collection of independent components intrinsically concurrent - No global state
internal computation Translation is correct-by-construction
Distributed Implementation – Atomic Components
Before reaching a ready state, the set of the enabled ports is sent to the Engine From a ready state, await notification from the Engine indicating the selected port a ga a b
Global state model
fa fb
S2S S2S S2Sb gb a ga a
b
Partial state model
fa fb b gb
Distributed Implementation – Multiple Engines
SemanDcs ViolaDon
Dispatch interacDons across mul.ple engines !
Engine Engine
BIP Model
α1 α2 α3 α1 α2 α3
Distributed Implementation – 3-Layer Architecture
S2S S2S S2SC1 C6 C3 C5 C2 C4
α1 α2 α3 α4
C1
Protocol
C2
Protocol
C3
Protocol
C4
Protocol
C5
Protocol
C6
Protocol
InteracDon Protocol
port
α1 α2
InteracDon Protocol
port
α3 α4
Conflict ResoluDon Protocol
reserve
CR Protocol Model
fail
Conflict ResoluDon Protocol
reserve
[α1α2][α3α4]
reserve
reserve
Distributed Implementation – Centralized CRP
p1
C1’ C3’ C2’ C4’
p2 p3 p5 p6 p4
InteracDon Protocol
α1 α2
InteracDon Protocol
α3 α4
C5’
p7 p8
C6’
p5 p6
Centralized Conflict ResoluDon Protocol
reserve2
fail2 reserve3 ok3 fail3 reserve4 ok4 fail4 C1 C6 C3 C5 C2 C4
α1 α2 α3 α4
Distributed Implementation – Token Ring CRP InteracDon Protocol
α1 α2
InteracDon Protocol
α3 α4
reserve2
fail2 reserve3 ok3 fail3 reserve4 ok4 fail4 C1 C6 C3 C5 C2 C4
α1 α2 α3 α4
Token Ring CRP
Token Ring CRP
RT ST
Token Ring CRP
RT ST RT ST
p1
C1’ C3’ C2’ C4’
p2 p3 p5 p6 p4
C5’
p7 p8
C6’
p5 p6
Distributed Implementation – Dining Philosophers CRP InteracDon Protocol
α1 α2
InteracDon Protocol
α3 α4
reserve2
fail2 reserve3 ok3 fail3 reserve4 ok4 fail4 C1 C6 C3 C5 C2 C4
α1 α2 α3 α4
Dining Philosophers CRP Dining Philosophers CRP Dining Philosophers CRP
SF1 RF1 SR1 RR1 SF2 RF2 SR2 RR2 p1
C1’ C3’ C2’ C4’
p2 p3 p5 p6 p4
C5’
p7 p8
C6’
p5 p6
Distributed Implementation – Detailed Design Flow
C 1 C 6 C 3 C 5 C 2 C 4
α1 α2 α3 α4
Conflict Resolution Protocol Partitioning of Interactions
p1 dp1 C1’ C3’ C2’ C4’ dp2 dp3 dp4 dp5 dp6Interactio n Protocol
α1 α2 Interaction Protocol α3 α4α1 α2
Interaction Protocolα3 α4
Partitioning of Components
S2S S2 S S2 SComponent 1 129.2.2.1 Core1 Component 2 129.2.2.1 Core3 Component 3 129.2.2.1 Core2
Core1 Core2 Core3 Core4 CHIP Core1 Core2 Core3 Core4 CHIPSockets/C+ + Code MPI/C++ Code Code Generator
S2S S2 S S2 S Distributed Implementation – Code Generation
O V E R V I E W
61 Rigorous System Design
The BIP Component Framework
Discussion
Discussion
Component framework encompassing heterogeneous composition Clear separation between behavior and architecture (Interaction + Priority) involving a minimal set of constructs and principles Expressiveness: BIP is as expressive as the universal glue Rigorous design flow Correct-by-construction source-to-source transformations Verification techniques based on compositionality, composability and incrementality Global analysis techniques jointly taking into account : 1) interaction partitioning; 2) component partitioning; 3)HW resources Applications: software componentization programming multicore systems complex systems modeling e.g.IMA
Component-based – Glue Operators
{qi - ai →i q’i }i∈I { ¬ qk - ak →k }k∈K
(q1 ,. ., qn) - a → (q’1 ,. . , q’n) A glue operator is a set of derivation rules of the form
A glue is a set of glue operators Notice that, non deterministic choice and sequential composition are not glue operators
Rigorous System Design Flow in BIP
Platform Code Generation Implementation Transformation System model in S/R-BIP Protocols
≈ ≈ ≈
System model in BIP HW Infrastructure Mapping Transformation Translation Application SW Application SW model in BIP
S2S
S2S S2S S2S
S2S
S2S S2S S2S
S2S
S2S S2S S2S
S2S
S2S S2S S2S