Fremont Associates Process · Project · QA The Montana...

The Montana Toolset: The Montana Toolset: Formal Analysis of AADL Formal Analysis of AADL

SpecificationsSpecifications

SAE ASSAE AS--2 Working Group2 Working GroupSeal Beach, CaliforniaSeal Beach, California

27 January 200527 January 2005

Fremont AssociatesProcess · Project · QA

OutlineOutline

►►Origins, Goals, Plans and StrategyOrigins, Goals, Plans and Strategy►►ACSR and the VERSA ToolkitACSR and the VERSA Toolkit►►The Charon Language and ToolkitThe Charon Language and Toolkit►►The Montana ToolkitThe Montana Toolkit

STTR Phase ISTTR Phase ISTTR Phase IISTTR Phase II

OriginsOrigins

►►STTR AF04STTR AF04--T023T023Modeling Languages and Analysis Tools for Modeling Languages and Analysis Tools for Complex Distributed SystemsComplex Distributed SystemsOBJECTIVE: Develop language and OBJECTIVE: Develop language and computational tool support for modeling and computational tool support for modeling and analyzing complex distributed system designs analyzing complex distributed system designs and integrate these methods to build distributed and integrate these methods to build distributed systems.systems.

OriginsOrigins

►► AADLAADLLanguage, Eclipse tools, OSATE, EMFLanguage, Eclipse tools, OSATE, EMF

►► ACSR: Algebra of Communicating Shared ACSR: Algebra of Communicating Shared ResourcesResources

RealReal--TimeTimeResourcesResourcesVERSA tool supportVERSA tool support

►► Charon Charon Hybrid state machinesHybrid state machinesCharon tool supportCharon tool support

Goals, Plans and StrategyGoals, Plans and Strategy

►► STTR Phase ISTTR Phase IProof of ConceptProof of Concept►►Translation; AnnexTranslation; Annex►►PrototypePrototype►►Small case studies for demoSmall case studies for demo

►► STTR Phase IISTTR Phase IIPrimary R&DPrimary R&D►►Tools Design and DevelopmentTools Design and Development►►MethodologyMethodology►Proselytize

► Phase IIIMake the world a better place

Goals Plans and StrategyGoals Plans and Strategy

►►Phase IPhase IEclipse, Eclipse, OsateOsate, EMF, EMFCustom developed interface layer plugCustom developed interface layer plug--insinsC++ Implementation of VERSAC++ Implementation of VERSACharonCharon

Goals Plans and StrategyGoals Plans and Strategy

►►Phase IIPhase IIEclipse, ? (AADL frontEclipse, ? (AADL front--end), EMFend), EMFCustom developed analysis plugCustom developed analysis plug--insinsFresh implementation of VERSAFresh implementation of VERSAInterface to special purpose analysis enginesInterface to special purpose analysis engines►►CADP, SpinCADP, Spin►►PVSPVS

Books, tutorials, advocacy to support Books, tutorials, advocacy to support methodologymethodology

OutlineOutline



ACSR and the VERSA ToolkitACSR and the VERSA Toolkit

►►ACSR: Algebra of Communicating Shared ACSR: Algebra of Communicating Shared ResourcesResources

Process AlgebraProcess AlgebraRealReal--timetime►►Timed ActionsTimed Actions►►TimeoutsTimeouts►►InterruptsInterrupts

ResourcesResourcesPrioritiesPriorities


►► Events: (Events: (e,p).Pe,p).P, (', ('e,p).Pe,p).P, (, (ττ,,p).Pp).P►► Timed Actions: {(r1,p1),(r2,p2),Timed Actions: {(r1,p1),(r2,p2),……}:P}:P►► Choice: P1 + P2Choice: P1 + P2►► Parallel Composition: P1 || P2Parallel Composition: P1 || P2►► Temporal Scope:Temporal Scope:

►► Miscellaneous operatorsMiscellaneous operators

),,( iteta PPPP∆


TBB = (in,1).TBB1;TBB = (in,1).TBB1;TBB1 = (in,1).TBB2 + (out,2).TBB;TBB1 = (in,1).TBB2 + (out,2).TBB;TBB2 = (out,2).TBB1;TBB2 = (out,2).TBB1;

TBB

TBB1

TBB2

(in,1) (in,1)

(out,2) (out,2)


SYS = (OBBL||OBBR)SYS = (OBBL||OBBR)\\{sync};{sync};OBBL = (in,1).(sync,3).OBBL;OBBL = (in,1).(sync,3).OBBL;OBBR = ('sync,3).(out,2).OBBR;OBBR = ('sync,3).(out,2).OBBR;

OBBL OBBL’(in,1)

(sync,3)OBBR OBBR’

(‘sync,3)

(out,2)||

\sync


OBBL OBBL’(in,1)

(sync,3)OBBR OBBR’

(‘sync,3)

(out,2)||

\sync

OBBL || OBBR

OBBL’ || OBBR

OBBL || OBBR’

OBBL’ || OBBR’

(in,1)(τ,6) (in,1)

(out,2)

(out,2)


||{(r1,1),(r3,5)} {(r2,8),(r4,0)}

{(r1,1),(r2,8),(r3,5),(r4,0)}

||{(r1,1),(r3,5)} (τ,1)

(τ,1)


||{(r1,1),(r2,5)} {(r2,8),(r4,0)}

X


►►UtilityUtilityState space explorationState space explorationEquivalence testingEquivalence testing

►►VERSA: VERSA: Verification Execution and Rewrite System for ACSRVerification Execution and Rewrite System for ACSR

Syntax checkingSyntax checkingState space constructionState space constructionState space explorationState space explorationEquivalence testingEquivalence testingTerm rewritingTerm rewriting


►►UtilityUtilityTraditional Schedulability AnalysisTraditional Schedulability AnalysisSchedulability Analysis for Arbitrary SystemsSchedulability Analysis for Arbitrary Systems

Translating AADL to ACSRTranslating AADL to ACSR

►►Threads are modeled as ACSR processesThreads are modeled as ACSR processesBased on thread semantic automatonBased on thread semantic automaton

►►Processors and access connections are Processors and access connections are modeled as resourcesmodeled as resources

►►Event and data connections are modeled as Event and data connections are modeled as communication channelscommunication channels

Example: Cruise ControlExample: Cruise Control

►►Standard example (from OSATE release)Standard example (from OSATE release)

+ auxiliary processes for bookkeeping

Example: Cruise ControlExample: Cruise Control►► Processor and connection bindings determine Processor and connection bindings determine

resourcesresources►► Scheduling protocol determines prioritiesScheduling protocol determines priorities►► Periodic processes have activatorsPeriodic processes have activators

Scheduling_Protocol => EDF

Dispatch_Protocol => periodic


►► Eclipse + OSATE + EMF + Translator + Eclipse + OSATE + EMF + Translator + VERSA + reinterpretation of results in AADL VERSA + reinterpretation of results in AADL = Schedulability analysis for threads= Schedulability analysis for threads

OutlineOutline



Hybrid Automata: Hybrid Automata: Formalism for Hybrid System ModelsFormalism for Hybrid System Models

►► Continuous dynamics: Mathematical equationContinuous dynamics: Mathematical equationDifferential equationDifferential equation►►xx’’ = 1= 1 ((dx/dtdx/dt = 1)= 1): constant increase: constant increase►►xx’’ = x= x ((dx/dtdx/dt = x)= x): exponential increase (: exponential increase (x x = = ee tt))

Algebraic equationAlgebraic equation►►y = sin(x) y = sin(x)

InvariantInvariant►►x >= x >= --1010

►► Discrete control: Finite State MachineDiscrete control: Finite State MachineState: dynamicsState: dynamics►►xx’’ = 1, x= 1, x’’ = = --1, x1, x’’ = = xx, x, x’’ = = --xx, , ……

Transition: switching of dynamicsTransition: switching of dynamics►►xx’’ = 1 = 1 ––((xx > 10)> 10)——> x> x’’ = = --11

CHARON Language Features CHARON Language Features

Individual components described as agentsIndividual components described as agentsComposition, instantiation, and hidingComposition, instantiation, and hiding

Individual behaviors described as modesIndividual behaviors described as modesEncapsulation, instantiation, and scopingEncapsulation, instantiation, and scoping

Support for concurrencySupport for concurrencyShared variables as well as message passingShared variables as well as message passing

Support for discrete and continuous Support for discrete and continuous behaviorbehavior

Differential as well as algebraic constraintsDifferential as well as algebraic constraints

Discrete transitions can call Java routinesDiscrete transitions can call Java routines

Syntax: Modes and AgentsSyntax: Modes and Agents

Modes describe sequential behaviorModes describe sequential behaviorAgents describe concurrencyAgents describe concurrency

Emergency

{t = 1}• local t, rateglobal level, infusion

Agent Controller

dx de

Agent Tank

infusion

global levelglobal infusion

{level = f(infusion)}•

{ level∈[2,10] } level

level∈[2,10]

level∈[4,8]

dxde

Compute

Normal

e

dedx

xt=10t:=0

Maintain{t<10}

Charon toolset: visual editorCharon toolset: visual editor

Charon toolset: control panelCharon toolset: control panel

Charon toolset: simulationCharon toolset: simulation

Case StudyCase StudyFourFour--legged Robot: Architectural legged Robot: Architectural

ModelModel►► InputInputtouch sensorstouch sensors

►► OutputOutputdesired angles of each desired angles of each jointjoint

►► ComponentsComponentsBrain: control four legsBrain: control four legsFour legs: control servo Four legs: control servo motorsmotors►► Instantiated from the same Instantiated from the same

patternpattern

Case StudyCase StudyFourFour--legged Robot: Behavioral Modellegged Robot: Behavioral Model

►► Control objectiveControl objectivev = cv = c

►► HighHigh--level control lawslevel control laws

►► LowLow--level control lawslevel control laws

)LL2

LLarccos(

)L2

LLarccos()/arctan(

21

22

21

22

2

221

22

21

22

1

−++=

+

−++−=

yxj

yxyxyxj

x

y

j1

j2

L1

(x, y)

2/stride−≥−=

xvx&

kvy −=&2/stride≤

=x

kvx&

kvy =&

v

L2

Code Generation FrameworkCode Generation Framework►► FrontFront--endend

Translate CHARON objects into modular C++ objectsTranslate CHARON objects into modular C++ objects

►► BackBack--endendMap C++ objects to execution environmentMap C++ objects to execution environment

agent

mode

analog var

diff eqn

transition

class agent

class modediff()trans()

class var

scheduler

API

CHARON objects C++ objects Executionenvironment Target

platform

front-end back-end

OutlineOutline



The Montana Toolkit The Montana Toolkit –– Phase IPhase I

►►Translation of restricted model to ACSRTranslation of restricted model to ACSRSchedulability analysis of threadsSchedulability analysis of threadsGeneral state space explorationGeneral state space explorationSimulationSimulation

►►Definition of Charon behavioral annexDefinition of Charon behavioral annexSimulationSimulationGeneration of code fromGeneration of code from……►►AADL architectureAADL architecture►►Embedded CharonEmbedded Charon

The Montana Toolkit The Montana Toolkit –– Phase IIPhase II

►► Robust interpretation of AADL in ACSRRobust interpretation of AADL in ACSRModel checkingModel checkingSchedulability analysisSchedulability analysisEquivalence preserving system Equivalence preserving system refactoringrefactoringEquivalence testingEquivalence testingSimulationSimulation

►► Complete behavioral annex based on CharonComplete behavioral annex based on CharonProperty checkingProperty checkingSimulationSimulationAnalysisAnalysis

OutlineOutline



ContactsContacts►► Duncan ClarkeDuncan Clarke

http://www.fremontassociates.comhttp://[email protected]@fremontassociates.com

►► Oleg Oleg SokolskySokolskyhttp://http://www.cis.upenn.edu/www.cis.upenn.edu/[email protected]@cis.upenn.edu

►► AFOSR STTR AF04AFOSR STTR AF04--T023 Program T023 Program Director:Director:Dr. Robert L. Dr. Robert L. HerklotzHerklotzProgram Manager: Software and Systems Program Manager: Software and Systems Air Force Office of Scientific Research Air Force Office of Scientific Research 4015 Wilson Blvd., Room 713 4015 Wilson Blvd., Room 713 Arlington, VA 22203Arlington, VA 22203--19541954emailemail-- [email protected]@afosr.af.mil(703) 696(703) 696--6565 fax (703) 6966565 fax (703) 696--8450 8450

Fremont Associates Process · Project · QA The Montana...

Documents

Transcript of Fremont Associates Process · Project · QA The Montana...