WebGME-BIP: A Design Studio for Modeling Systems with BIP. Anastasia Mavridou, Joseph Sifakis, and Janos Sztipanovits

Transcription

1 WebGME-BIP: A Design Studio for Modeling Systems with BIP Anastasia Mavridou, Joseph Sifakis, and Janos Sztipanovits

2 Why BIP? A language and tool-set for component-based system design formal semantics high expressiveness with small number of notions code generation, simulation and verification tools BIP allows to compositionally analyze existing applications develop correct-by-construction applications Developed and maintained by Verimag and RiSD, EPFL directed by Joseph Sifakis A. Basu, S. Bensalem, M. Bozga, J. Combaz, M. Jaber, T.-H. Nguyen, and J. Sifakis, Rigorous component-based system design using the BIP frame, Software, IEEE, vol. 28, no. 3, pp ,

3 BIP applications IP applications BIP applications Development of current-by-construction satellite software f current-by-construction satellite software of current-by-construction satellite software 49Development safety properties enforced by construction perties enforced by construction 50 safety propertiesofenforced by construction Compositional verification deadlock-freedom with D-Finder 10 - State > 3 4 with D-Finder al verification of deadlock-freedom space size: Compositional verification of deadlock-freedom with D-Finder - Verification time: < 2 minutes f the Dala robot controller Development of the Dala robot controller TABLE 1 TABLE 1 Development of the Dala robot controller es of code results dom-checking for Dala lines robot controller > Deadlock-freedom-checking 500,000 of code modules. results for Dala robot controller modules. > 500,000 lines of code Estimated state Verification Atomic Control Estimated state Verification ults of deadlock-freedom analysis with D-Finder: Example results of deadlock-freedom analysis with D-Finder: Connectors BIP LoC C/C++ LoC space size time components locations Connectors BIP LoC(minutes) C/C++D-Finder: LoC space size time (minute Module Example results of deadlock-freedom analysis with Control locations dom-checking results for Dala robot controller modules. Deadlock-freedom-checking results for Dala robot controller modules Control 160 locations 202 LaserRF 5, Atomic 3, BIP LoC components 117 Connectors Module Aspect 51, Control 30, C/C++ LoC locations Estimated state Connectors space 3117 size 5,3431:22 51,653 Verification 3,029 30,204 time (minutes)c/c++ BIP LoC0:39 LoC Estimated state 217 space 323 size 1:22 Verificatio time 0:39 (minute 117 NDD202 LaserRF 4,013 5, ,600 51, :22 4,0138:16 5,343 32,600 51, :16 1: Rflex227 Aspect 8, , , , ,244 0:39 3,0299:39 57,442 30, :39 0: Antenna NDD ,645 4, ,501 32, ,645 4,0130:14 8:16 16,501 32, :14 8: Battery Rfle x ,898 8, ,527 57, ,898 8,2440:26 9:39 21,527 57, :26 9: ,453 1, ,380 16, ,453 1,6450:17 0:14 18,380 16, :17 0: A. 149 Mavridou for HCSS, May Heating Antenna 3 3 3

4 BIP by example {, } {,,, } B 1 B 2 No restrictions Restrictions from the interaction model Restrictions from the priority model 4

5 BIP by example {, } {,,, } B 1 B 2 No restrictions Restrictions from the interaction model Restrictions from the priority model 5

6 BIP by example {, } {,,, } B 1 B 2 No restrictions Restrictions from the interaction model Restrictions from the priority model 6

7 BIP Connectors tick1 tick2 tick3 tick 1 tick 2 tick 3 p q r p + pq + pr + pqr Connectors are tree-like structures ports as leaves and nodes of two types - Triggers (diamonds) nodes that can initiate an interaction - Synchrons (bullets) nodes that can only join an interaction initiated by others 7

8 Connector examples p q r Strong synchronization: pqr p q r Broadcast: p + pq + pr + pqr p q r Enumerative BIP specification connector type Broadcast(HelloPort_t p p, HelloPort_t q q, HelloPort_t r) define p' q r r s on p q r on p q on p r on p Atomic broadcast: p + pqr Causal chain: p + pq + pqr + pqrs Symbolic BIP specification (q =) p) ^(r =) q) ^(p =) true) p Requires p Accepts q, r q Requires p q Accepts p, r r Requires p r Accepts p, q 8

9 Architecture diagrams An architecture diagram consists of: - component types port types - cardinality - connector motifs T1 n1 p mp:dp mq:dq q T2 n2 degree multiplicity A. Mavridou, E. Baranov, S. Bliudze, and J. Sifakis, Architecture diagrams: A graphical language for architecture style specification, 9th Interaction and Concurrency Experience, A. Mavridou, E. Stachtiari, S. Bliudze, A. Ivanov, P. Katsaros, and J. Sifakis. "Architecture-Based Design: A Satellite On-Board Software Case Study." 13th Formal Aspects of Component Software,

10 Architecture diagrams An architecture diagram consists of: - component types port types - cardinality - connector motifs T1 n1 p mp:dp mq:dq q T2 n2 degree multiplicity 10

11 Architecture diagrams An architecture diagram consists of: - component types port types - cardinality - connector motifs T1 n1 p mp:dp mq:dq q T2 n2 degree multiplicity 11

12 Architecture diagrams An architecture diagram consists of: - component types port types - cardinality - connector motifs T1 n1 p mp:dp mq:dq q T2 n2 degree multiplicity 12

13 Architecture diagrams An architecture diagram consists of: - component types port types - cardinality - connector motifs T1 n1 p mp:dp mq:dq q T2 n2 degree multiplicity 13

14 Degree constraint Degree constraints the number of connectors attached to any instance of the port type q1 q1 T 3 q m:1 q2 T 3 q m:2 q2 q3 q3 14

15 Multiplicity constraint Multiplicity constraints the number of instances of the port type that must participate in a connector q1 q1 T 3 q 1:1 q2 T 3 q 3:1 q2 q3 q3 15

16 Engine-based execution 1. Components notify the Engine about enabled transitions. 2. The Engine picks an interaction and instructs the components. B E H A V I O U R Interactions Priorities 16

17 BIP summary Compositional approach allows modeling complex, hierarchical components - atomic components - interaction and priority composition operators Execution is orchestrated by the BIP engine Expressiveness Small number of notions Separation of concerns between behavior and interaction Architecture diagrams in BIP reusability allow to deal with model complexity and size 17

18 Why WebGME? WebGME allows: Web-based webgme.org Collaborative Versioned model editing Formalized metamodeling process with FORMULA formula.codeplex.com M. Maroti, T. Kecskes, R. Kereskenyi, B. Broll, P. Volgyesi, L. Juracz, T. Levendovszky, and A. Ledeczi, Next generation (meta) modeling: Web-and cloud-based collaborative tool infrastructure. in MoDELS, 2014, pp

19 The design studio WebGME-BIP BIP in WebGME Semantic integration Specification of the modeling language JavaBIP metamodel in UML class diagrams Model transformation WebGME code generator plugins: 1. FSM to Java 2. Architecture to XML Design guidance WebGME plugin for encoding checking Tool integration Service Integration Simulation and analysis JavaBIP engine Accessibility Web interface Model repositories 1. Architecture styles 2. Component types Simulated execution Simulation of JavaBIP engine output 19

20 Hands-on WebGME-BIP Camel Routes case study Many independent routes share memory We have to control the memory usage e.g., by limiting to only a safe number of routes simultaneously 20

21 Conclusion The WebGME-BIP design studio can be easily accessed through a web interface is open-source allows reusability of component types and parameterized models allows coping with modeling complexity and size - component types, connector motifs has formal semantics - allows connection with checkers and analysis tools includes - dedicated editors for code, interaction, and behavior editing - code generator plugins - consistency checking plugin - integration with the JavaBIP engine and visualization of its output 21

22 Thank you for your attention