Translating AADL into BIP Application to the Verification of Real time Systems

Transcription

1 Toulouse, France (in conjunction with MODELS 2008) 1st International Workshop on Model Based Architecting and Construction of Embedded Systems (ACESMB 2008) Translating AADL into BIP Application to the Verification of Real time Systems M.Y.Chkouri, A.Robert, M.Bozga, J.Sifakis Laboratoire : VERIMAG Centre Équation - 2, avenue de Vignate GIÈRES 1

2 Motivation Provide a general methodology for transforming AADL models into BIP: AADL suffers from the absence of concrete operational semantics. Provide an execution environment for AADL models Enable the application of formal verification techniques already developed for BIP to AADL 2

3 Outline Overview of AADL Overview of BIP Translation AADL to BIP Case study Conclusion 3

4 Overview of AADL AADL = Architecture Analysis and Design Language Standardized by the SAE (Society of Automotive Engineers). Dedicated to the modeling and specification of complex Real time embedded systems. Describe the structure of component based system as an assembly of software components mapped onto an execution platform. 4

5 Component categories Software category Execution platform category Composite category Data Subprogram Process Thread Processor Memory Bus Device System 5

6 Software category (1/2) The data component type represents a data type in the source text that defines a representation and interpretation for instances of data. A subprogram component represents an execution entrypoint in source text. A subprogram call sequence is declared in a subprogram or thread implementation. data Person end Person; data implementation Person.impl subcomponents end Person.impl; Name : data string; Adress: data string; Age : data integer; subprogram operation features A: in parameter integer; B: in parameter integer; result: out parameter integer; end operation; 6

7 Software category (2/2) A thread represents a sequential ilflow of control that executes instructions i within a binary image produced from source text. A thread always executes within the virtual address space of a process; Several types of thread exist : Periodic, Sporadic, Aperiodic, Background. A process represents a virtual it address space. To be complete, the implementation of a process must contain at least one thread or thread group subcomponent. thread sensor features inp : in data port integer; outp : out event port; properties Dispatch protocol=>periodic; Period => 20ms; end sensor; process implementation Partition.Impl subcomponents Sensor_A : thread Sensor Thread.A; Data_Fusion: thread Fusion Thread.Impl; Alrm 1 : thread Alrm Thread.Impl; connections data port Sensor A.outp->Data Fusion.inpA; A; end Partition.Impl; event port Sensor A.launch alrm->alrm >Alrm.launch launch 7

8 Execution platform category A processor is the execution platform component that is capable of scheduling and executing threads. A memory component represents an execution platform component that stores binary images. A bus component represents an execution platform ltf component that t can exchange control and data between memories, processors, and devices. A device component represents an execution platform component that provides an interface with the external environment. 8

9 System A system component represents an assembly of software and execution platform components. It is the only composite category. system Platform end Platform; system implementation Platform.Impl subcomponents Part : process Partition.Impl; p : processor myprocessor ;... end Platform.Impl; 9

10 Connection & Port A connection is a linkage that represents communication i of data and control between components. Types of connections: Port connection Parameter connection A port is a logical lconnection point tbt between components that t can be used for the transfer of control and data. Three directions: input port (in) output port (out), bidirectional port (in out). Three types of port: data port, event port, event data port. 10

11 Outline Motivation Overview of AADL Overview of BIP Translation AADL to BIP Case study Conclusion 11

12 Overview of BIP Component based modeling: The BIP framework BIP = Behavior Interaction Priority BIP is a framework for modelling heterogeneous real-time components. Priorities (Memoryless Controller) Interaction Model (Connectors on typed ports) B E H A V I O R 12

13 BIP framework Atomic component Atomic component : An atomic component is composed of: a set of ports, e.g, {in, out} a set of control llocations, e.g, {Si, Sj} a set of variables, a set of transitions 13

14 BIP framework Composition A connector is a set of ports which can be involved in an interaction. Port types (complete, incomplete ) are used to distinguish i i between ports which may or must interact. tick1 tick2 tick3 out1 in2 in3 Interactions: {tick1,tick2,tick3},, {out1}, {out1,in2}, {out1,in3}, {out1,in2,, in3} 14

15 BIP Tools BIP Editor BIP Program BIP Compiler BIP MetaModel BIP Model Structural analysis BIP Transformations Code Generation deadlock detection invariant generation D-Finder Verification Model checking Exploration Engine Interactive Simulation execution, guided/exhaustive simulation 15

16 Outline Motivation Overview of AADL Overview of BIP Translation AADL to BIP Case study Conclusion 16

17 Translation from AADL to BIP Structural translation summary: AADL Software component: Subprogram Data Thread Process Hardware component: Processor (scheduling) Device System Connection Annex behavior BIP Atomic/Compound component Data : C/C++ structure Atomic component Atomic component Atomic component Atomic component Compound component Connector Behavior (state/transition) 17

18 Translation from AADL to BIP Structural translation summary: AADL Software component: Subprogram Data Thread Process Hardware component: Processor (scheduling) Device System Connection Annex behavior BIP Atomic/Compound component Data : C/C++ structure Atomic component Atomic component Atomic component Atomic component Compound component Connector Behavior (state/transition) 18

19 AADL subprogram : BIP model AADL : in parameter Annex behavior out parameter out event data port (thread or subprogram) BIP : call (parameter) return (parameter) IDLE return call data port Annex behavior 19

20 AADL thread : BIP model load stop abort get_exec req_exec complete preempt in_port out_port HALTED (in_data) (out_data) abort stop INIT load not_ready low<t<high ready complete SUSPENDED activation READY FINISH no more port get_exec RESUME preempt out_port get_exec COMPUTE OUTPUTS low<t<high deadline clock>deadline in_port in_port overflow ERROR 20

21 AADL Processor : BIP component dispatch ready finish IDLE IDS finish all_false(ids) finish i/ids[i].ready ready ready WAIT_END dispatch (SelectedID) CHOICE ready SelectedID 21

22 System : BIP compound component 22

23 Annex Behavior Specification The behavioral annex describes a transition system [ annex behavior_specification ifi {** [ state variables (Identifier : data_type;)+ ] [ initial (<assignment> ; )+ ] Included in the variables part Included in the Initialization part states (state_identifier : [initial] [return] [complete] state;)+ transitions ( <state_identifier> -[ <guard> ]-> <state_identifier> { <action>* }; )+ **}; ] 23

24 Guard AADL : <guard> ::= [on <expression> >] <event> [when<expression>] <expression> BIP : on <event> [provided <expression>] provided <expression> when part expresses a past condition over the data to be read. Action AADL : <action> ::= computation ( expression, expression ) ; delay ( expression, expression ); communication ; assignment ; if ( expression ) action (elsif ( expression ) action)* ( else action )? end if ; BIP : Transition Or Set of transition connected -- expresses use of the cpu for a non-deterministic period of time between min and max. -- expresses a suspension for a non-deterministic period of time between min and max. 24

25 Tool architechture 25

26 Outline Motivation Overview of AADL Overview of BIP Translation AADL to BIP Case study Conclusion 26

27 Case study (1/4) Flight computer : 27

28 Case study (2/4) BIP Flight computer : 28

29 Case study (3/4) BIP Verification : BIP exploration engine, generates a Labeled Transition System (LTS). Model checking by Aldebaran: Checks for deadlock-freedom. Model checking with observers: Observers allow us to express in a simple manner most safety requirements. Verification of thread deadlines. Verification of synchronization between components: 29

30 Case study (4/4) BIP Flight computer : 30

31 Outline Motivation Overview of AADL Overview of BIP Translation AADL to BIP Case study Conclusion 31

32 Conclusion We provide a translation from AADL to BIP, which has an operational semantics formally defined in terms of labelled transition systems. Translation allows simulation of AADL models, as well as application verification techniques, such as state exploration (using IF toolset) or component based deadlock detection (D Finder tool). Limitation : there are AADL features ignored : bus, memory, Future work : incorporating features that will appear with V2.0 of the AADL standard. 32

33 Thank you 33

34 AADL subprogram subprogram sub 1 sub n Annex behavior Annex behavior parameter connexion out event data port connexion 34

35 BIP : Compound component sub 1 idle sub n idle return 1 call 1 data port return call data port n n 1 n Annex behavior Annex behavior call 1 return 1 call n return n call 1 return 1 call n return n return finish idle ( thread or subprogram ) call return return n wait_return n call n call wait_call 1 call 1 Call_sequence wait_call n return 1 wait_return 1 35

36 AADL Processes: BIP Component Process States and Transition 36

37 AADL thread : BIP model 37

38 AADL Processor : BIP component 38