A Framework for Managing Assumptions made by Software Components in Real-time Systems

Similar documents
AMF: An assumptions management framework using AADL

CSSE 490 Model-Based Software Engineering: Architecture Description Languages (ADL)

Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models

Pattern-Based Analysis of an Embedded Real-Time System Architecture

Model Based System Development Using the Architecture Analysis and Design Language

Model-Based Engineering with AADL: An Overview

An Information Model for High-Integrity Real Time Systems

Synthesizing Adaptive Protocols by Selective Enumeration (SYNAPSE)

A Scalable and Reliable Message Transport Service for the ATLAS Trigger and Data Acquisition System

A Multi-Modal Composability Framework for Cyber-Physical Systems

Remote Health Monitoring for an Embedded System

AUTOBEST: A United AUTOSAR-OS And ARINC 653 Kernel. Alexander Züpke, Marc Bommert, Daniel Lohmann

Fiji VM Safety Critical Java

Predictable Interrupt Management and Scheduling in the Composite Component-based System

XCo: Explicit Coordination for Preventing Congestion in Data Center Ethernet

Lecture 9: MIMD Architectures

Ausgewählte Betriebssysteme - Mark Russinovich & David Solomon (used with permission of authors)

AADL Graphical Editor Design

Designing and debugging real-time distributed systems

3. Quality of Service

Real-Time Operating Systems Design and Implementation. LS 12, TU Dortmund

Real-time & Embedded Systems Workshop July 2007 Building Successful Real-time Distributed Systems in Java

Page 1. Outline / Computer Networking : 1 st Generation Commercial PC/Packet Video Technologies

Model-based Architectural Verification & Validation

MTAT Enterprise System Integration. Lecture 2: Middleware & Web Services

Software architecture in ASPICE and Even-André Karlsson

Analysis and Design Language (AADL) for Quantitative System Reliability and Availability Modeling

Orccad, a Model Driven Architecture and Environment for Real-Time Control. Soraya Arias Florine Boudin Roger Pissard-Gibollet Daniel Simon

Deterministic Ethernet & Unified Networking

Extensible Network Security Services on Software Programmable Router OS. David Yau, Prem Gopalan, Seung Chul Han, Feng Liang

Communication Networks for the Next-Generation Vehicles

Execution architecture concepts

Tolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich

The SAE Architecture Analysis and Description Language (AADL) Standard: A Basis for Architecture- Driven Embedded Systems Engineering

A High Integrity Distributed Deterministic Java Environment. WORDS 2002 January 7, San Diego CA

Explicating Critical Assumptions in Software Architectures Using AADL

Nooks. Robert Grimm New York University

OBJECT ADAPTER ORB CORE I/O SUBSYSTEM. struct RT_Info { wc_exec_time_; period_; importance_; dependencies_; }; 1: CONSTRUCT CALL 6: SUPPLY RUN-TIME

Static Analysis of Embedded Systems

Good Ideas So Far Computer Networking. Outline. Sequence Numbers (reminder) TCP flow control. Congestion sources and collapse

CS370 Operating Systems

OSATE Analysis Support

Amrita Vishwa Vidyapeetham. ES623 Networked Embedded Systems Answer Key

A Deployable Framework for Providing Better Than Best-Effort Quality of Service for Traffic Flows

Chapter 13: I/O Systems

Multiprocessor Systems. Chapter 8, 8.1

Loosely Coupled Actor Systems

The Google File System

An Implementation of the Behavior Annex in the AADL-toolset Osate2

«Computer Science» Requirements for applicants by Innopolis University

From MDD back to basic: Building DRE systems

Challenges in component based programming. Lena Buffoni

CS370 Operating Systems

The SAE AADL Standard - An Architecture Analysis & Design Language for Embedded Real-Time Systems

Presentation of the AADL: Architecture Analysis and Design Language

I/O Systems. Amir H. Payberah. Amirkabir University of Technology (Tehran Polytechnic)

Multimedia Systems 2011/2012

Internet Video Delivery. Professor Hui Zhang

AirTight: A Resilient Wireless Communication Protocol for Mixed- Criticality Systems

Autonomous Driving From Fail-Safe to Fail-Operational Systems

Internet of Things: An Introduction

RECOMMENDATION ITU-R BT.1720 *

ADVANCED trouble-shooting of real-time systems. Bernd Hufmann, Ericsson

Technology for Adaptive Hard. Rui Santos, UA

SWE 760 Lecture 1: Introduction to Analysis & Design of Real-Time Embedded Systems

Programming Languages for Real-Time Systems. LS 12, TU Dortmund

Chapter 4 Communication

Reliable Distributed System Approaches

PLEASE READ CAREFULLY BEFORE YOU START

PLEASE READ CAREFULLY BEFORE YOU START

AADL Meta Model & XML/XMI

IX: A Protected Dataplane Operating System for High Throughput and Low Latency

Developing deterministic networking technology for railway applications using TTEthernet software-based end systems

RESOURCE MANAGEMENT MICHAEL ROITZSCH

Creating and Analyzing Software Architecture

Grid Computing Systems: A Survey and Taxonomy

Using AADL in Model Driven Development. Katholieke Universiteit Leuven Belgium

Today. Last Time. Motivation. CAN Bus. More about CAN. What is CAN?

ARTIST-Relevant Research from Linköping

Journal of Electronics and Communication Engineering & Technology (JECET)

Multiple Views and Relationships for Quality Driven Architecture with AADL: A Multimodel for Software Product Lines

Reform: A Domain Specific Language

Computing and Communications Infrastructure for Network-Centric Warfare: Exploiting COTS, Assuring Performance

Implementation work on open source web of things servers and gateways. Dave Raggett, W3C

Internet of Things 2018/2019

Communication Networks Simulation of Communication Networks

The Safe State: Design Patterns and Degradation Mechanisms for Fail- Operational Systems

The Ocarina Tool Suite. Thomas Vergnaud

IX: A Protected Dataplane Operating System for High Throughput and Low Latency

Context. Giorgio Buttazzo. Scuola Superiore Sant Anna. Embedded systems are becoming more complex every day: more functions. higher performance

Context. Hardware Performance. Increasing complexity. Software Complexity. And the Result is. Embedded systems are becoming more complex every day:

LabVIEW Communication Techniques for Distributed Applications

Chapter 5 Ad Hoc Wireless Network. Jang Ping Sheu

AADL : about code generation

Architecture Description Languages. Peter H. Feiler 1, Bruce Lewis 2, Steve Vestal 3 and Ed Colbert 4

Flight Systems are Cyber-Physical Systems

Dynamic Analytics Extended to all layers Utilizing P4

Commercial Real-time Operating Systems An Introduction. Swaminathan Sivasubramanian Dependable Computing & Networking Laboratory

Overview SENTINET 3.1

TrafficDB: HERE s High Performance Shared-Memory Data Store Ricardo Fernandes, Piotr Zaczkowski, Bernd Göttler, Conor Ettinoffe, and Anis Moussa

Transcription:

A Framework for Managing Assumptions made by Software Components in Real-time Systems Ajay Tirumala tirumala@uiuc.edu 09/01/05 Ajay Tirumala [SEI-CMU Talk] 1

Outline Background and motivation Case studies Design Concepts Solution approach Extensions and comparison with related tools 09/01/05 Ajay Tirumala [SEI-CMU Talk] 2

Background: Building real-time systems Critical real-time systems are built using a) COTS components b) components from diverse development groups Simple Car Control Systems Control Systems in satellites 09/01/05 Ajay Tirumala [SEI-CMU Talk] 3

COTS Adoption and Concurrent Development Significant Benefits Distributed expertise Uniform process for building different types of systems Faster turn around time Software / Hardware Component reuse. Problems (Real-time domain) Gives rise to black-box software interfaces. Acoustic sensor returns a 16-bit value when data is available. event dataready(uint_16t data); Software components make assumptions which are not reflected in the software interface E.g: Max sensing delay < 10ms, sensing jitter < 1ms, acoustic intensity units = {Db}, saturation value for readings <= 1023, granularity of readings <= 0.1 Db. 09/01/05 Ajay Tirumala [SEI-CMU Talk] 4

Real-world example (Avionics) Ariane 5 reused some software developed for Ariane 4 Ariane 4 made the following assumption The horizontal velocity component will not overflow a 16-bit variable This was true for Ariane 4, but not for Ariane 5. This triggered self-destruction roughly 40 seconds after the launch Assumption was known before hand but was not recorded in a verifiable (machine-checkable) format 09/01/05 Ajay Tirumala [SEI-CMU Talk] 5

Real-world example (Automotive sector) Fatality due to a software controlled airbag deactivation. In presence of child seat Airbag was deactivated by the primary controller. Under certain combination of environmental conditions primary controller gives the control to a simpler backup controller Backup controller has simple logic Deploy all airbags on impact On impact, deploys airbag and causes fatality Unaware of the environmental factor - child-seat presence OR Has the capability of only deploying all or nothing. Backu Primary p airbag Contro controller ller Airba g 1 Airba g 3 Airba g 2 Airba g 4g 4 Environmental assumption propagation not handled during integration of the primary and backup airbag controllers 09/01/05 Ajay Tirumala [SEI-CMU Talk] 6

Outline Background and motivation Case studies Design Concepts Solution approach Extensions and comparison with related tools 09/01/05 Ajay Tirumala [SEI-CMU Talk] 7

Case-study hypotheses Hypothesis I : Significant portion (>= 50%) of software defects in released products in RT-systems are related to inconsistent assumptions This hypothesis is related to the necessity of the assumption management framework. Hypothesis II : Majority of the assumptions that result in defects can be encoded in a machine checkable format Thus can warn of defects in advance or prevent mismatched assumptions in end-products. This hypothesis is related to the feasibility of such a framework. 09/01/05 Ajay Tirumala [SEI-CMU Talk] 8

Projects selection for case studies Criteria Should be representative projects in the domain in which we intend to generalize the results Should have close interactions with the operating environment Should provide adequate data for validating the hypothesis. Projects selected TinyOS [for Hypothesis 1&2] an operating system for embedded devices public repository of defect list available Iperf [for Hypothesis 1&2] an internet end-to-end bandwidth measurement tool public repository of user-problems faced [mailing list available] Inverted Pendulum Control System [for Hypothesis 2] A system that balances an inverted pendulum using feedback control 09/01/05 Ajay Tirumala [SEI-CMU Talk] 9

TinyOS Description and Functionality Operating System for wireless embedded sensors Designed for low overhead, small memory footprint, and low power consumption Event driven architecture, with single shared stack. Events and tasks/commands are 2 basic constructs for execution. Assumptions: TinyOS hardware, operating environment and applications that run on it. Applications TinyOS, for the interpretation of the data and commands to request the data. Actuating Main (includes Scheduler) Application (User Components) Sensing Mote Hardware Active Message Communication Source: Kang, State Univ of New York Messaging Component Internal Tasks Int ern al Sta te Commands Events 09/01/05 Ajay Tirumala [SEI-CMU Talk] 10

Iperf project functionality Description and Functionality Measures end-to-end achievable bandwidth between hosts in an IP based network Uses TCP itself to measure the amount of data sent Approximates cumulative bandwidth sent over a period of time to the achievable bandwidth Measures jitter and loss for a constant bandwidth UDP stream. Use cases: To estimate the amount of data that can be sent between high-energy sites ISP to client bandwidth estimation, ISP ISP tests. Network administrators health monitoring Assumptions Iperf OS, Hardware : TCP Window size, Memory, System bus characteristics, availability of a number of OS features. Network Functionality presented at SC 2001 09/01/05 Ajay Tirumala [SEI-CMU Talk] 11

Inverted Pendulum Control System Description and Functionality Feedback control system Objective: Hold the pendulum upright 3 software components, one plant (hardware) proxy. Assumptions: Over 40 assumptions encountered E.g.: Controller assumes track length, mass and length of the pendulum, frictional constants, etc. No public repository for defects Detailed study conducted on software architecture, interfaces, assumptions made by software components Actuator Plant Track Pendulum Cart Controller Sensor Assumption made by components : ACM SIGBED July 05 Special Issue back 09/01/05 Ajay Tirumala [SEI-CMU Talk] 12

Sample class of assumptions made by Iperf Assumptions Window size assumptions Min > 2048 bytes [Code ] OS specific min : Linux 256 bytes, SunOS: 4.5K [Configuration time] Max : OS constraints and root/admin policies [Configuration time] OS non-conformance to standards Win NT - ICMP error messages [Configuration time] Win32 UDP single threaded per port [Configuration time] Resource related assumptions System bus bandwidth > achievable bandwidth [Dynamic] Adequate CPU / Memory [Dynamic] Defects caused Min window sizes: Precludes testing in low-end devices Max window sizes: Results in under-reporting of bandwidth in high-bandwidth networks. Longer than requested duration UDP tests Precludes server side testing for multiple clients Incorrect throughputs in case of high bandwidth networks Users obtained incorrect results trying to launch 250 threads Compromises functionality Service degradation 09/01/05 Ajay Tirumala [SEI-CMU Talk] 13

Sample class of assumptions made by TinyOS Assumptions Value range/ Data interpretation errors Assumption that node ID is 8-bits [Code] int is adequate for measuring time [Code] send() command should have non-zero data length [Code] Hardware limitations + resource related assumptions Timer granularity > 10ms under overload [Runtime] Only 7 tasks can be in the queue at any time [Code] Optimization related errors Bcast module assumes default packet length [Code] Defects caused 16-bit IDs allowed, causes ID mismatches Value can well be in the range of long send() Crashes with zero length data (payload) Silent timer malfunction (hard to detect) Silent dropping of tasks on overload Can transmit only maximum length packets, wastage of bandwidth. Compromises functionality Service degradation 09/01/05 Ajay Tirumala [SEI-CMU Talk] 14

Outline Background and motivation Case studies Design Concepts Solution approach Extensions and comparison with related tools 09/01/05 Ajay Tirumala [SEI-CMU Talk] 15

[Traditional] Software interface Traditional programming language interfaces (E.g. C, Java, CORBA, nesc etc) Used to exchange actual data Mostly concerns the syntax of data exchange. E.g. Interface has one 16 bit unsigned integer. Data acquisition module Software Interface Data acq module: event dataready(uint16_t dataval); Sensor: signal dataready(200); Acoustic sensor 09/01/05 Ajay Tirumala [SEI-CMU Talk] 16

Property Interface Used to encode the assumptions and guarantees made by the software component These assumptions and guarantees are not a part of the data exchanged using software interfaces Assumptions may or may not pertain to parameters in the software interface E.g: Units of the intensity data (assumed to be decibel) Data collector expects maximum sensing delay to be < 50 ms Acoustic intensity data units = {Decibels} Maximum sensing delay <= 50ms Max error in readings <= 10% Max sensing jitter <= 10 ms Jitter specification units = {ms} Saturation value for readings <= 100 Granularity of readings <= 0.1 Valid reading constraints = func_valid() DATA COLLECTOR ASSUMPTIONS Acoustic intensity data units = Decibels Maximum sensing delay = 10ms Max error in readings = 10% Max sensing jitter = 4 ms Jitter specification units = ms Saturation value for readings = 100 (Db) Granularity of readings = 0.1 (Db) Valid reading constraints = func_valid() SENSOR GUARANTEES Definition: Encodes sufficient information about the environment, and the assumptions made by the component that are not a part of the software interface. Further, these assumptions are encoded in a machine-checkable format. 09/01/05 Ajay Tirumala [SEI-CMU Talk] 17

Classification of assumptions: Dimension I Time-frame for assumption changes Static assumptions assumptions that change only when the software changes System configuration assumptions. assumptions that change only when configuration of the system changes or the hardware changes Dynamic assumptions. assumptions that may change along the mission or run of the system Necessity for this classification Cost of checking assumptions Not all assumptions need to be checked at all times Manageability Enabling different tools for different types of checks 09/01/05 Ajay Tirumala [SEI-CMU Talk] 18

Classification of assumptions: Dimension II Criticality of assumptions Each component has a core-functionality Critical assumptions (Class A) Violation of some assumptions cause the core component functionality to be compromised Non-critical assumptions. (Class B-E) Violation of certain assumptions may cause performance degradation, core functionality holds Graded by the user (Class B-E) Necessity for this classification Certifying functionality correctness [on assumption violation] Can be used by dependency management tools Service gradations 09/01/05 Ajay Tirumala [SEI-CMU Talk] 19

Composition of assumptions In the acoustic subsystem Each component has a property maximum delay The acoustic sub-system is a part of the larger sub-system E.g.: Vehicle classification system The integrator for the vehicle classification system Is not interested in individual guarantees like that of data analyzer, acoustic sensor, etc. Is interested in calculating the next Max Delay of the acoustic subsystem. Max Delay 1 Data Analyz er Data Validat or Max Delay 2 Data Collect or Max Delay 3 Acoustic subsystem Acousti c Sensor Max Delay 4 Max Delay = ΣMax Delay i 09/01/05 Ajay Tirumala [SEI-CMU Talk] 20

Composition of assumptions - II Data collector makes quite a few assumptions which are satisfied by the sensor These assumptions need not be exposed as a part of the larger sub-system. Dimension III: Scope of assumptions Private: Any assumption (or guar) that has matching guarantee (or assn) and need not be exposed as a part of the larger sub-component. max_delay_1, between the acoustic sensor and data collector Public: Any assumption (or guar) that needs to be exposed as a part of the sub-component. total_max_delay: Sum of delays of components Important: Public and private assumptions are only for easier manageability Checks may still need to be performed for functionality and/or performance conformance on relevant changes. Match all assumptions that have matching guarantees. [Need not be exposed in the larger sub-system] All unmatched assumptions need to be satisfied by external components [Part of the larger sub-system s assumptions] Create new assumptions and guarantees, if needed [For example, the total_delay in acoustic system, loop_delay in Inv Pend system] 09/01/05 Ajay Tirumala [SEI-CMU Talk] 21

Making assumptions explicit: [Context and benefits] Iperf makes a key assumption TCP slowstart is < 2-3 seconds for most networks [hence default measurement time of 10s is adequate] In high-bandwidth networks, 1Gbps-200ms transfer, slow-start duration = 5.6 seconds Assumption violation causes critical error In most networks, e.g., 10Mbps-5ms transfer, slowstart duration << 2 seconds Assumption on default measurement time causes more than required data to be transferred. 1-2 second transfer is adequate. Non-critical error. 09/01/05 Ajay Tirumala [SEI-CMU Talk] 22

Making assumptions explicit II: [Solution] Make the TCP slow-start explicit (machine checkable) Use Web100 exposes few TCP kernel variables in Linux proc file system New algorithm: Detect end of slow-start, use TCP variables from Web100 Measure steady state bandwidth for a short period of time after end of slow-start. Results Estimates differing by < 10% for 20 second standard Iperf runs. Estimation time savings ~ 92% Network traffic savings ~ 94% Quick mode estimate Default estimate 09/01/05 Ajay Tirumala [SEI-CMU Talk] 23

Outline Background and motivation Case studies Design Concepts Solution approach Extensions and comparison with related tools 09/01/05 Ajay Tirumala [SEI-CMU Talk] 24

Assumption specification within AADL system Sensor features Filter system features annex assumptions {** componentassumptions name= DataCollector { -- Dependent component DataCollector about Sensor { -- Assumptions assumes validreadings (int validreadingsid, int startlatency, int frequency) { validreadingsids > startlatency/frequency } {Criticality=CRITICAL_LEVEL_5} {ChangeInterval=STATIC}; -- Guarantees guarantees minfrequecy { int frequency = 100; }; }; Makes assumption validreadings Sensor Data Collector Provides guarantee minfrequency **} }; about OtherComponents { }; 09/01/05 Ajay Tirumala [SEI-CMU Talk] 25

Assumption management: Objects defined using EMF [Diagram from Peter Feiler s presentation] UML Model & Design XMI XSD XML Documents Transformation Tools Database Tools Integrate Testing Tools Annotated Java XSD, XMI Java EMF - The Data Integration Foundation of Eclipse Model Driven App Development MetaData Management Java Tools Etc.. 09/01/05 Ajay Tirumala [SEI-CMU Talk] 26

XML persistent objects as a hierarchical database Example of simple search queries. Check status of all critical assumptions. //assumptions/@criticality= CriticalLevel_5 Get all assumptions for a particular component x //assumptionset/ @dependentcomponentname= x. Assumption database //tinyos_req/@criticality= critical Assn x 1 Assn x 2... Assn x n //tinyos_req/@changeinterval= system_config Assn y 1... Assn yn 09/01/05 Ajay Tirumala [SEI-CMU Talk] 27

Graphical editing of assumptions (EMF) 09/01/05 Ajay Tirumala [SEI-CMU Talk] 28

Java code generation for assumptions Current implementation of the parser generates Java code to check the assumptions. Any assumption that can be specified with predicate logic can be checked easily. Can interface with tools like JavaMOP for assumptions in temporal logic JavaMOP generates Java code for testing temporal logic predicates. 09/01/05 Ajay Tirumala [SEI-CMU Talk] 29

Composition of assumptions Data Analyzer Acoustic Sensor Data Validator Data Collector Max Delay 1 Max Delay 2 Max Delay 3 Max Delay 4 Acoustic subsystem Max Delay = ΣMax Delay i Complexity: O(n) : n is the number of assumptions for a complete composition. Can include domain specific composition rules. Use markers to point to the assumptions themselves. 09/01/05 Ajay Tirumala [SEI-CMU Talk] 30

Assumptions validity Checks that assumptions can be made only between compatible AADL components E.g.: Data component cannot make assumptions on the Memory component. Of course, flags all assumption violations. 09/01/05 Ajay Tirumala [SEI-CMU Talk] 31

Outline Background and motivation Case studies Design Concepts Solution approach Extensions and comparison with related tools 09/01/05 Ajay Tirumala [SEI-CMU Talk] 32

Extensions: Domain specific assumptions Existing dimensions time-frame-of-change, criticality and scope hold for most systems. Domain specific case studies. RT protocol [FAI-EDF] Networking applications. Domain specific default assumption toolkit Every periodic real-time component has period, WCET. Depending on the system it runs, there are assumptions on priority mapping. Byte-ordering (little-endian, big-endian) in networking protocols Component Name: Controller System ID : Inverted Pendulum Component Domain: Control Systems, Real-time RT-Component [Periodic task] Domain Specific Assumptions and Guarantees RT-Linux Specific Assumptions Period, WCET, Max blocking time, Priority class. Every component will inherit a default set of assumptions depending on the domain it is classified into. Associated goal is to form a rich hierarchy of assumptions specific to domains. H/W Specific Assumptio ns 09/01/05 Ajay Tirumala [SEI-CMU Talk] 33

Dynamic assumptions checking Challenge with RTsystems How to ensure timing properties along with validation code? Initial studies suggest necessity for a separate VM How to handle assumption violation? Dynamic Assumptions Monitoring framework RT Application RT- Application versus Dynamic Assumption s Monitoring framework Messages 09/01/05 Ajay Tirumala [SEI-CMU Talk] 34

Vertical assumptions tracking Many assumptions are generated in translating requirements to code. In addition to inadequacy of software interfaces. Need to track assumptions across software life cycle. Need a language which will help in generation of machine checkable requirements. Need to revalidate assumptions when requirements or code change. E.g.: When PerfSocket_UDP.cpp change should necessitate revalidation of UDP Buffer Size assumption. Efficiency concerns. 09/01/05 Ajay Tirumala [SEI-CMU Talk] 35

Comparison with related solutions Design by Contract RT- CORBA VEST SpecTRM - Cannot validate assumptions for assumptions not in code, management of assumptions, Composition - Cannot handle [not meant] to handle most of the semantic assumptions, management of assumptions, composition - Cannot handle any system configuration assumptions, since it s a modeling tool, remote from implementation. - Design the entire project in SpecTRM from scratch. May not be suitable for COTS. + Can check dynamic assumptions (for assumptions that have representation in code) + Resource related assumptions, for example thread pool management in Iperf. + Can model resource related dynamic asumptions + Suitable for very small critical modules, complete verification MOP - Structure of assumptions and composition. Checking assumptions not represented in code. + Check dynamic assumptions, generates code for temporal properties checking. 09/01/05 Ajay Tirumala [SEI-CMU Talk] 36

Thank you Integration Problem: Having divided to conquer, we must reunite to rule M. Jackson E-mail : tirumala@uiuc.edu 09/01/05 Ajay Tirumala [SEI-CMU Talk] 37

APX: Scalability tests DOM Parser crash Sample code size cell phones: > 1M lines of code. XML validation infrastructure : SAX or DOM parser Test 1: Document size: [2 2Million] fragments, Max Nesting level: 2. Results: 1. DOM parser is faster than SAX parser for size < 512 fragments 2. SAX parser consistently faster than DOM 3. DOM parser crashed with 64K fragments 4. SAX parser successfully validated 2M fragments (48 sec) Test 2: Nested document validation times [2-64K nesting level] Results DOM was better than SAX almost consistently Performance difference was negligible. SAX Parser is more scalable. Current implementation uses SAX parser for handling events. Do not see practical document structures with nesting levels greater than few tens or hundreds.. 09/01/05 Ajay Tirumala [SEI-CMU Talk] 38

SAE AADL Standard An Enabler of Predictable Model-Based Embedded System Engineering [Slide from Peter Feiler s presentation] Notation for specification of task and communication architectures of Real-time, Embedded, Fault-tolerant, Secure, Safety-critical, Software-intensive systems Fields of application: Avionics, Automotive, Aerospace, Autonomous systems, Based on 15 Years of DARPA funded technologies Standard approved & published Nov 2004 http://www.aadl.info 09/01/05 Ajay Tirumala [SEI-CMU Talk] 39

AADL: The Language [Slide from Peter Feiler s presentation] Components with precise semantics Thread, thread group, process, system, processor, device, memory, bus, data, subprogram Completely defined interfaces & interactions Data & event flow, synchronous call/return, shared access End-to-End flow specifications Real-time Task Scheduling Supports different scheduling protocols incl. GRMA, EDF Defines scheduling properties and execution semantics Modal, configurable systems Modes to model transition between statically known states & configurations Component evolution & large scale development support AADL language extensibility 09/01/05 Ajay Tirumala [SEI-CMU Talk] 40

System Type [Slide from Peter Feiler s presentation] system GPS features speed_data: in data port metric_speed {arch::miss_rate => 0.001 mps;}; geo_db: requires data access real_time_geodb; s_control_data: out data port state_control; flows speed_control: flow path speed_data -> s_control_data properties arch::redundancy => 2 X; end GPS; 09/01/05 Ajay Tirumala [SEI-CMU Talk] 41

System Implementation [Slide from Peter Feiler s presentation] system implementation GPS.secure subcomponents decoder: system PGP_decoder.basic; encoder: system PGP_encoder.basic; receiver: system GPS_receiver.basic; connections c1: data port speed_data -> decoder.in; c2: data port decoder.out -> receiver.in; c3: data port receiver.out -> encoder.in; c4: data port encoder.out -> s_control_data; flows speed_control: flow path speed_data -> c1 -> decoder.fs1 -> c2 -> receiver.fs1 -> c3 -> decoder.fs1 -> c4 -> s_control_data; modes none; properties arch::redundancy_scheme => Primary_Backup; end GPS; 09/01/05 Ajay Tirumala [SEI-CMU Talk] 42

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback