1 / 39

Heterogeneous Reactive System Modeling and Correct-by-Construction Deployment nov. 2003

Heterogeneous Reactive System Modeling and Correct-by-Construction Deployment nov. 2003. Luca Carloni UC Berkeley Alberto Sangiovanni-Vincentelli UC Berkeley. Albert Benveniste Irisa/Inria Benoît Caillaud Irisa/Inria Paul Caspi Verimag. Outline.

spence
Download Presentation

Heterogeneous Reactive System Modeling and Correct-by-Construction Deployment nov. 2003

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Heterogeneous Reactive System Modeling and Correct-by-Construction Deploymentnov. 2003 Luca Carloni UC Berkeley Alberto Sangiovanni-Vincentelli UC Berkeley Albert Benveniste Irisa/Inria Benoît Caillaud Irisa/Inria Paul Caspi Verimag

  2. Outline • Dealing with systems & components requires handling heterogeneity • Tools with different MoC and paradigms • Heterogeneous architectures and systems • Correct-By-Construction deployment: what and how? • Modeling Heterogeneous Systems • Tagged-Signal Model • Desynchronization • Heterogeneous parallel composition • Semantic Preserving • Theoretical Results • General theorem on semantic-preserving deployment • Endo/iso-chrony • Correct-By-Construction deployment over GALS Architectures

  3. Heterogeneous models: design flow in automobile or aeronautics • Systems modeling (UML, MDA,…) • Loose model of computation & communication • Matlab/Simulink/Stateflow • Continuous time basis • Statemate, synchronous languages • Late assembly of imported functions • Can be in C… • Depends on OS and execution infrastructure • Deployment • CAN, ARINC, TTA,…

  4. Heterogeneous architectures: electronics for the Car InformationSystems Mobile Communications Navigation Telematics Fault Tolerant Access to WWW MOSTFirewire DAB FireWall Body Electronics Theft warning AirConditioning BodyFunctions CANLin Door Module Light Module Fail Safe GateWay Body Electronics ABS CANTTCAN Shift by Wire EngineManagement Driving and VehicleDynamic Functions GateWay Fault Functional Steer by Wire Brake by Wire FlexRay

  5. Classes of heterogeneous systems: GALS(in “asynch” HW and OO-SW) synchronous asynchronous synchronous

  6. Classes of heterogeneous systems: LTTA (distributed control)[BenvCaspi&al, Emsoft2002] synchronous timed synchronous timed asynchronous timed (bounded delay)

  7. How to blend heterogeneous models while “preserving semantics”? asynch + timed synch synch + timed What have you asynch

  8. How to blend heterogeneous models while “preserving semantics”? Our proposal: asynch + timed synch synch + timed What have you asynch by generating proper adaptors

  9. Adaptors for GALS: informal discussion X X X Y Y Y Z Z Z synch asynch synch

  10. Adaptors for GALS: informal discussion How to ensure that the two components do not see the difference when moving from synchrony to GALS?

  11. Adaptors for GALS: informal discussion How to ensure that the two components do not see the difference when moving from synchrony to GALS? Easy if known to be single-clocked: bananas !

  12. Adaptors for GALS: informal discussion How to ensure that the two components do not see the difference when moving from synchrony to GALS? In general bananas can be many! bananas ???

  13. Adaptors for GALS: informal discussion bananas ??? ff tt tt tt ff ff Solution: attach to each wire a boolean_clock that is present in each reaction and tells you the presence/absence for the wire (cf. hardware)

  14. Adaptors for GALS: informal discussion bananas ??? ff tt tt tt ff ff OK, but poor if slow/fast communications between components, because all boolean clocks must be communicated at fastest pace  theory needed!

  15. Outline • Dealing with systems & components requires handling heterogeneity • Tools with different MoC and paradigms • Heterogeneous systems • Correct-By-Construction deployment: what and how? • Modeling Heterogeneous Systems • Tagged-Signal Model • Desynchronization • Heterogeneous parallel composition • Semantic Preserving • Theoretical Results • General theorem on semantic-preserving deployment • Endo/iso-chrony • Correct-By-Construction deployment over GALS Architectures

  16. Formalizing GALS X X X Y Y Y Z Z Z synch asynch synch

  17. Formalizing GALS [LeeASV98] asynch X X X synch =… Y Y Y Z Z Z 1 3 4 6 asynch +TAGS 4 6 1 2 3

  18. Formalizing GALS: desynchronization asynch X X desynchronise = removeTAGS Y Y Z Z 1 3 4 6 asynch +TAGS 4 6 1 2 3

  19. Formalizing GALS: Pa||aQ X X Y Y V U 1 1 3 3 4 4 6 6 4 4 6 6 unify values andTAGS

  20. Formalizing GALS: Pa||aQ X X Y Y U V 3 1 3 5 4 7 6 12 4 2 6 3 unify values, ignoreTAGS[LeGuerTal2002] a a

  21. Formalizing GALS: Pa||aQ X X Y Y V U 1 3 3 5 7 4 6 12 2 4 6 3 synch unify values, ignoreTAGS on the left a a asynch

  22. TAGS generalize and heterogeneize X 1,t1 3,t3 4,t4 Z 2,s2 1,s1 4,s4 a TAG consisting of the triple (reaction, physical time, causality)

  23. TAGS generalize and heterogeneize X Y U t1 t2 t3 t4 2 3 • TAGS can belong to any partially ordered set – tags can index reactions, can be (global or local) real time R, can encode causality, can do both, etc. • TAGS can be tuples – (generalized) desynchronization consists in erasing some components of the tag; yields morphisms of tag sets, we denote them by r, a • different TAG sets can be used for different systems – we can mix synchronous systems (with tag set N) and asynchronous ones (with trivial tag set), and more

  24. TAGS generalize and heterogeneize synch Synch + timed What have you asynch

  25. Is this any useful???

  26. Yes! For correct deployment synch synch synch synch

  27. Yes! For correct deployment synch synch synch asynch

  28. Sometimes this move is OK, sometimes not… make it OK! synch synch synch asynch

  29. Sometimes this move is OK, sometimes not… make it OK! synch synch synch asynch using adaptors

  30. Outline • Dealing with systems & components requires handling heterogeneity • Tools with different MoC and paradigms • Heterogeneous systems • Correct-By-Construction deployment: what and how? • Modeling Heterogeneous Systems • Tagged-Signal Model • Desynchronization • Heterogeneous parallel composition • Semantic Preserving • Theoretical Results • General theorem on semantic-preserving deployment • Endo/iso-chrony • Correct-By-Construction deployment over GALS Architectures

  31. A theory to automatically generate adaptors

  32. Semantic-Preserving Time Changes • GivenP1=(V1,T1), P2=(V2,T2)with time change mappings:T1  Tand:T2  T letT1=T2and consider two semantics: -theStrong Semantics:P1 ||P2 [unify values & all_tags] -theWeak Semantics:P1 ||P2 [ignore (tags)] • is semantics-preserving when two behaviors, which compose according to the strong semantics, compose also according to the weak one, written P1 ||P2  P1 ||P2 • Define also Pi,=(Vi,T), the desynchronization of Pi

  33. Semantic-Preserving Time Changes • GivenP1=(V1,T1), P2=(V2,T2)with time change mappings:T1  Tand:T2  T letT1=T2and consider two semantics: -theStrong Semantics:P1 ||P2 [unify values&all_tags] -theWeak Semantics:P1 ||P2 [ignore (tags)] • is semantics-preservingwhen two behaviors, which compose according to the strong semantics, compose also according to the weak one, written P1 ||P2  P1 ||P2 • Define also Pi,=(Vi,T), the desynchronization of Pi

  34. Theorem [Emsoft2003] i  {1,2} : Pi,is in bijection withPi (Pr)|| (Qr)=(P|| Q)r (1) (2) GALS: endochrony  GALS: isochrony  (1) (2) • Given P1=(V1,T1),P2=(V2,T2)with T1=T2: P1 ||P2  P1 ||P2

  35. Endochrony & Isochrony for GALS [BenvCaillaud2000] • A synchronous process P is endochronous when at each state the presence/absence of each variable can be inferred incrementally from the values carried by present input variables and state variables. • A synchronous pair (P1,P2 )is isochronous when at each state if each pair of shared variables that are present in bothP1,P2have the same value then all the shared variable are either present with the same value or absent • endo+iso deployment is semantics preserving

  36. Endochrony & Isochrony for GALS [BenvCaillaud2000] • A process P is endochronous when at each state the presence/absence of each variable can be inferred incrementally from the values carried by present input variables and state variables. • A pair (P1,P2 )is isochronous when at each state if each pair of shared variables that are present in both P1,P2have the same value then all the shared variable are either present with the same value or absent • Endochrony and isochrony are expressed in terms of transition relations (not infinite behaviors) • They can be model-checked • They can be synthesized: for a given P wrapper processes with additional signalling can be derived and composed with P to guarantee each property. Wrappers provide “cheap additional signalling”

  37. Future extension: finite generators for general TAG systems 1,t1 3,t3 4,t4 . dt 1 X Z 2,s2 1,s1 4,s4 dt 2 • TAG set equipped with a monoid structure making it a partial order • Alike generalized HMSC’s (High-level Message Sequence Charts), with asynchronous concatenation • Labeled by TAGS: TAG-HMSC • Future work: endo/iso for TAG-HMSC’s

  38. Conclusion • Heterogeneous reactive systems modeled as tagged systems • Tag sets to capture: reaction indices, physical time, causalities… and their combination • Desynchronizing  erasing (part of) tags • Theorems to cast semantics preserving as specific algebraic properties of tuples of systems • Goal: to generate adaptors for correct-by-construction deployment

  39. k q n a U u o

More Related