
6th Framework Programme

(IST-FP6-2004 004033)

A Domain-Specific Metamodel for Reusable Object-Oriented High-Integrity Components

Matteo Bordin and Tullio Vardanega, University of Padua, Italy

The 7th OOPSLA Workshop on Domain-Specific Modeling

Montreal, October 21-22, 2007

- 2 / 16 - OOPSLA DSM Workshop 2007

Contents

1. The domain

2. Model-driven engineering

3. Constrained object-oriented modeling

4. Implementation technologies

5. Conclusions

- 3 / 16 -

The domain: High-Integrity Systems

Applicable standards (shown as logos on the slide): DO-178B, MIL-STD 882B, Def-Stan 0055, MISRA, IEC 880, IEC 61508

Up to 2/3 of development costs on V&V

- 4 / 16 -

The domain: High-integrity systems, a SW perspective

Model-driven engineering (MDE)
• Pros: Abstraction, Automation (correctness by construction)
• Cons: Model-to-executable distance (difficult analysis)

Object orientation
• Pros: Adaptive reuse (and encapsulation, information hiding, …)
• Cons: Predictability, costly/complex run-time

[Figure: existing approaches positioned on two axes, MDE and object orientation: SCADE, AADL (+ tools), source-based approaches; the region labelled "common practice" versus the region labelled "our goal", which combines both]

- 5 / 16 -

Model-Driven Engineering: MDE, a key question

What determines the design semantics? Where is it fixed?
• The generated software product must be statically analyzable
• Its run-time behavior must be predictable and conform with the analysis
• Static analysis of the software product should be anticipated by model-based analysis

What "reference universe" informs the metamodel?
• The target programming language?
• The target execution platform?
• An underlying analysis theory?
• The blue sky above?

Toward model-based analysis

- 6 / 16 -

Model-Driven Engineering: Closing the gap between model and run-time (I)

Models as blueprints: to permit model-based analysis (timing, safety, security); bottom-up construction

Ravenscar Profile (Ada kernel, JVM)
• Run-time kernel for high-integrity real-time systems
• Warrants static analyzability
• Prescribes run-time semantics
• Identifies run-time metrics

Ravenscar Computational Model
• To render language-neutral the semantics of the Ravenscar profile

RCM Metamodel (graphical/declarative language)
• A high-level language to design systems compliant with Ravenscar restrictions by construction

Higher-level abstraction, same run-time semantics

- 7 / 16 -

Model-Driven Engineering: Closing the gap between model and run-time (II)

Enable sound/complete model-based analysis: models for V&V, not just for design/implementation

[Figure: the three layers Ravenscar Profile, Ravenscar Computational Model and RCM Metamodel; the PIM, the PSM (not visible to the user), the Analysis Tool and the Source Code, with the arrows labelled "platform specification", "conformance" and "traceability"]

- 8 / 16 -

Object orientation: Constrained Object-Oriented Modeling

Why object-orientation?
• Adaptive reuse through inheritance and overriding
• Reuse decreases verification costs

Dispensed with by current industrial practice:
• Implementation issues: dead inherited code, larger-sized executables, more complex traceability
• Requires dynamic binding: no static analysis, far too costly path coverage (main focus of the talk!)

Advanced compilers address some of these problems (e.g., via ROM-able virtual tables)

- 9 / 16 -

Object orientation: Dynamic binding, state-of-the-art?

A dynamically bound invocation through the reference ptr (slide code, reformatted):

```java
void m() {
    // a dynamically bound invocation: the target of p() depends on the
    // run-time type of ptr
    this.ptr.p();
}
```

The current remedies work at the code level: either a code transformation (compiler tool) replaces the dispatching call with a type test per candidate type, or code analysis tools enumerate the candidates:

```java
void m() {
    if (this.ptr instanceof Impl1) {
        // issue a statically bound invocation (not possible in Java)
    }
    // now evaluate all types...
}
```

Full code coverage: O(#dispatching_calls ∙ #types)

- 10 / 16 -

Object orientation: The RCM approach, models for V&V

Core idea: links fixed at model level; common in the high-integrity domain (HOOD, HRT-HOOD, AADL, etc.)
• Use the dynamic binding mechanism but permit static analysis
• Execution paths are statically determined
• Model-based analysis instead of code-based analysis

[Figure: object view with o1 : MyClass whose ptr link is fixed to o2 : Impl3]

- 11 / 16 -

RCM metamodel: Object-oriented modeling with RCM

Class view: MyClass with methods m1, m2, m3 and a required interface ptr offering operations p1 and p2
• m1 invokes ptr.p2()
• m2 invokes ptr.p1() and ptr.p2()

Component view: determine possible intra-component paths

Enforce design-by-contract

- 12 / 16 -

RCM metamodel: Object-oriented modeling with RCM (II)

Class view:
• m1 invokes ptr.p2()
• m2 invokes ptr.p1() and ptr.p2()

Object view: m : MyClass with its ptr link fixed to i : Impl1
• Dynamic binding!
• Statically determine possible inter-component paths
• Enforce constant links:
  – functional dependencies on properties only
  – call setters just once
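The two slides above describe the analysis the RCM approach makes possible once links are fixed in the object view: from the class view (which required-interface operations each method invokes) and the object view (which object each link is bound to), the inter-component execution paths are determined statically, and the constant-link rule (each setter called exactly once) is what makes that determination sound. The script below is an added illustration, not code from the RCM toolset or the authors; the model representation (ClassDef, the interface name IFace, the object Impl2) is an assumption chosen for the example, while MyClass, m1/m2/m3, ptr, p1/p2, Impl1 and Impl3 come from the slides. It checks the constant-link rule, resolves every dispatching call to its single statically known target, and contrasts that with the number of (call, type) pairs a code-level analysis would have to cover when links are not fixed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Class-view interfaces: name -> operations. IFace is an assumed name for the
# interface behind the slide's required interface ptr (operations p1, p2).
INTERFACES: Dict[str, set] = {"IFace": {"p1", "p2"}}


@dataclass
class ClassDef:
    name: str
    implements: Tuple[str, ...] = ()                          # provided interfaces
    required: Dict[str, str] = field(default_factory=dict)    # link name -> interface
    # method -> invocations on required interfaces, as (link, operation) pairs
    invocations: Dict[str, Tuple[Tuple[str, str], ...]] = field(default_factory=dict)


# Class view from the slides; Impl2 is constructed so that three candidate
# implementations exist, as in the O(#dispatching_calls * #types) bound.
CLASSES: Dict[str, ClassDef] = {
    "MyClass": ClassDef("MyClass", required={"ptr": "IFace"},
                        invocations={"m1": (("ptr", "p2"),),
                                     "m2": (("ptr", "p1"), ("ptr", "p2")),
                                     "m3": ()}),
    "Impl1": ClassDef("Impl1", implements=("IFace",)),
    "Impl2": ClassDef("Impl2", implements=("IFace",)),
    "Impl3": ClassDef("Impl3", implements=("IFace",)),
}

# Object view (constructed): instances, and the setter calls that fix the links.
OBJECTS: Dict[str, str] = {"m": "MyClass", "i": "Impl1"}
SETTER_CALLS: List[Tuple[str, str, str]] = [("m", "ptr", "i")]  # (object, link, target)


def resolve_links(objects, setter_calls, classes):
    """Enforce the constant-link rule: each required interface of each object is
    set exactly once, with an object whose class implements that interface."""
    links = {}
    for obj, link, target in setter_calls:
        iface = classes[objects[obj]].required.get(link)
        if iface is None:
            raise ValueError(f"{obj} has no required interface {link}")
        if (obj, link) in links:
            raise ValueError(f"link {obj}.{link} is set more than once")
        if iface not in classes[objects[target]].implements:
            raise ValueError(f"{target}:{objects[target]} does not implement {iface}")
        links[(obj, link)] = target
    for obj, cls in objects.items():          # a link left unset is also a violation
        for link in classes[cls].required:
            if (obj, link) not in links:
                raise ValueError(f"link {obj}.{link} is never set")
    return links


def inter_component_paths(objects, links, classes, interfaces=INTERFACES):
    """For each method of each object, the statically determined sequence of
    (target object, target class, operation) its dispatching calls reach."""
    paths = {}
    for obj, cls in objects.items():
        for method, calls in classes[cls].invocations.items():
            seq = []
            for link, op in calls:
                iface = classes[cls].required[link]
                if op not in interfaces[iface]:
                    raise ValueError(f"{iface} has no operation {op}")
                target = links[(obj, link)]
                seq.append((target, objects[target], op))
            paths[(obj, method)] = tuple(seq)
    return paths


def dispatching_call_count(classes):
    """Targets to cover when links are fixed at model level: one per call."""
    return sum(len(calls) for c in classes.values() for calls in c.invocations.values())


def code_level_coverage_bound(classes):
    """Targets a code-level analysis must consider when links are not fixed:
    every dispatching call against every class implementing its interface."""
    total = 0
    for c in classes.values():
        for calls in c.invocations.values():
            for link, _op in calls:
                iface = c.required[link]
                total += sum(1 for k in classes.values() if iface in k.implements)
    return total


if __name__ == "__main__":
    links = resolve_links(OBJECTS, SETTER_CALLS, CLASSES)
    for (obj, method), seq in inter_component_paths(OBJECTS, links, CLASSES).items():
        targets = " ; ".join(f"{t}:{c}.{op}()" for t, c, op in seq) or "(no dispatching call)"
        print(f"{obj}.{method}() -> {targets}")
    print("model-level targets:", dispatching_call_count(CLASSES),
          "| code-level bound:", code_level_coverage_bound(CLASSES))
```

With the link m.ptr fixed to i : Impl1, m2 resolves to exactly two targets (i.p1, i.p2) and the whole model needs three targets covered, whereas a code-level analysis over the same three dispatching calls and three candidate types would have to consider nine. Calling the setter a second time, or never, is rejected before any path is computed, which is the property the "call setters just once" rule buys.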

- 13 / 16 -

RCM metamodel: PIM to PSM in RCM

[Figure: PIM object view (with deployment): m : MyClass deployed on Node N1, i : Impl1 deployed on Node N2. PSM object view (not visible to the user): on Node N1 a client task (m), a stub and the middleware; on Node N2 the middleware, a skeleton task and the server (i).]

Dynamic binding with statically-fixed execution path(s)

- 14 / 16 -

Implementation: Implementation technologies

Eclipse plug-in
• Metamodeling: EMF
• Model transformations: ATL, MOFscript
• GUI: GMF

[Screenshots: Class/Object diagram; Deployment diagram]

- 15 / 16 -

Results & Conclusions (I)

Industrial pilot projects (partners shown as logos on the slide): due for completion and demonstration by December 2007; targeting real space-qualified hardware, with real-life system ambitions and demands!

Results: model-based analysis
• Needs a suitable underlying computational model (the same philosophy as adopted by SCADE)
• Fundamental to formally reason on system properties before implementation; easier and more solid what-if analysis
• Needs full and accurate modeling of the system: difficult to map the middleware in the PIM-to-PSM transformation; difficult to evaluate sizing requirements
• Permits exploiting a restricted form of dynamic binding

- 16 / 16 -

Results & Conclusions (II)

MDE-enabled object orientation: a première in space software!
• Adaptive reuse: software frameworks are a major advantage
• Predictability: constrained dynamic binding is acceptable
• Certifiable implementation: requires compiler support

Work in progress: to increase PIM expressive power while preserving RCM compliance

[Figure: Timed-out RI (declarative spec.). A Client Sporadic Task (waiting for server reply) invokes the RI on the Server i : Impl1; a timing event is released by the invocation of the RI; the client is released when the timeout expires; the release event (timeout / server reply) is evaluated and undesired release events are discarded.]


Questions?

Thank you! Matteo Bordin, [email protected]

www.math.unipd.it/~mbordin


Overall Modeling Process: RCM Modeling (backup slide)

[Figure: the RCM modeling process on a worked example. Functional spec: class POS with operations Write and Read; class GNC with operation Compute and required interface GNC_Op : IComputer; interface IComputer with operation Compute; instances P : POS and G : GNC. Non-functional spec: POS_Component (Protected) exposing Read and Write; GNC_Component (Passive) exposing Compute, with GNC_Op marked Sporadic.]