Automatic Derivation, Integration, and Verification of Synchronization Aspects in Object-Oriented Design Methods
DARPA Order K203/AFRL Contract F33615-00-C-3044
Principal Investigators: Matt Dwyer, John Hatcliff, Masaaki Mizuno, Mitch Neilsen, Gurdip Singh
Department of Computing and Information Sciences
Kansas State University
http://www.cis.ksu.edu/santos
Problem Description
• Embedded systems are growing in complexity, and developers are looking to OO technologies to manage that complexity
• Design methods for OO do not treat synchronization effectively
• Embedded systems software is multi-threaded for performance reasons
– System correctness relies on correct synchronization of multiple activities
• Synchronization design/implementation is low-level and platform specific
– Error prone and not reusable
Project Objectives
I. Provide high-level, modular specification of global synchronization aspects
… integrated with UML/RUP
… formal specification via global invariants
… language of composable invariant patterns
… powerful, yet easy to use
II. Automatic derivation and weaving of synchronization code
… multiple language and synchronization targets (Java, C++, monitors, semaphores, etc.)
… weaving & optimization via abstract interpretation and program specialization techniques
III. Automatic verification of critical safety and liveness properties of woven embedded code
… domain-specific model-checking engines
… built on previous DARPA work: the Bandera environment
IV. Evaluation using Common Digital Architecture (CDA 101), a new standard for military target vehicle electronics
Technical Approach/Accomplishments
[Diagram: the Rational Unified Process (RUP) artifacts (Actors: Use Cases; Classes: Use-Case Realizations; Component Code; Complete Program) drawn beside the synchronization artifacts (Global Invariant Specs; Coarse-Grain Solution; Fine-Grain Synchronization Code; Complete Program)]
• Synchronization specifications
– via invariants
– Identify common idioms/patterns
• Automated coarse-grain generation
– SVC and pattern-based
– Prototype release 9/01
• Synch-code generators
– C/C++ and Java
– Monitor, Semaphore, …
Technical Approach --- Specifications
Users never write raw invariants but instead build synchronization specifications using a collection of global invariant patterns (idioms):
• Bound(R, n) … at most n threads can be in region R
• Exclusion(R1, R2) … occupancy of regions R1 and R2 should be mutually exclusive
• Resource(R1, R2, n) … region R1 is a producer, region R2 is a consumer of some resource, with n initial resource values
• Barrier(R1, R2) … the kth thread to enter R1 and the kth thread to enter R2 meet and leave their respective regions together
…
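The patterns above become a coarse-grain solution mechanically once every region R is given entry and exit counters In_R and Out_R and each pattern is read as an invariant over those counters: entering or leaving a region is then the coarse-grain statement <await(the invariant still holds after the increment); increment>. The Python below is an added example written for this page, not the project's tool or its generated code. The counter-based encodings (Bound as In_R - Out_R <= n, Exclusion as one of the two occupancies being zero, Resource as In_R2 <= n + Out_R1, Barrier as Out_R1 <= In_R2 and Out_R2 <= In_R1), the SyncSpec class and the run_bound/run_barrier drivers are this example's assumptions, chosen to match the one-line pattern descriptions on the slide.

```python
import threading
import time
from typing import Callable, Dict, List, Tuple

Counters = Dict[str, int]             # "In_R" and "Out_R" for each region R
Invariant = Callable[[Counters], bool]


class SyncSpec:
    """Coarse-grain monitor derived from global-invariant patterns (added example;
    the invariant encodings are assumptions matching the slide's descriptions)."""

    def __init__(self) -> None:
        self.c: Counters = {}
        self.invariants: List[Invariant] = []
        self.cond = threading.Condition()      # one monitor guards all counters

    def region(self, r: str) -> None:
        self.c.setdefault(f"In_{r}", 0)
        self.c.setdefault(f"Out_{r}", 0)

    @staticmethod
    def occ(c: Counters, r: str) -> int:
        return c[f"In_{r}"] - c[f"Out_{r}"]     # threads currently inside r

    # pattern library: each call adds one invariant over the counters
    def bound(self, r: str, n: int) -> None:            # Bound(R, n)
        self.region(r)
        self.invariants.append(lambda c: self.occ(c, r) <= n)

    def exclusion(self, r1: str, r2: str) -> None:      # Exclusion(R1, R2)
        self.region(r1); self.region(r2)
        self.invariants.append(lambda c: self.occ(c, r1) == 0 or self.occ(c, r2) == 0)

    def resource(self, r1: str, r2: str, n: int) -> None:   # Resource(R1, R2, n)
        # leaving producer R1 adds one unit, entering consumer R2 takes one; n exist initially
        self.region(r1); self.region(r2)
        self.invariants.append(lambda c: c[f"In_{r2}"] <= n + c[f"Out_{r1}"])

    def barrier(self, r1: str, r2: str) -> None:        # Barrier(R1, R2)
        # the kth thread may leave R1 only after a kth thread has entered R2, and vice versa
        self.region(r1); self.region(r2)
        self.invariants.append(
            lambda c: c[f"Out_{r1}"] <= c[f"In_{r2}"] and c[f"Out_{r2}"] <= c[f"In_{r1}"])

    def _holds(self, c: Counters) -> bool:
        return all(inv(c) for inv in self.invariants)

    def _increment(self, key: str) -> Counters:
        """Coarse-grain statement <await(I holds with key+1); key := key+1>."""
        with self.cond:
            self.cond.wait_for(lambda: self._holds({**self.c, key: self.c[key] + 1}))
            self.c[key] += 1
            self.cond.notify_all()             # let every blocked guard re-check
            return dict(self.c)                # counter snapshot for the caller

    def enter(self, r: str) -> Counters:
        return self._increment(f"In_{r}")

    def leave(self, r: str) -> Counters:
        return self._increment(f"Out_{r}")


def run_bound(threads: int = 5, n: int = 2) -> Tuple[int, Counters]:
    """Bound(R, n) under contention: (peak occupancy observed, final counters)."""
    spec = SyncSpec()
    spec.bound("R", n)
    peak = [0]

    def worker() -> None:
        snap = spec.enter("R")                 # occupancy as seen at our own entry
        with spec.cond:
            peak[0] = max(peak[0], spec.occ(snap, "R"))
        time.sleep(0.005)                      # hold the region briefly
        spec.leave("R")

    ts = [threading.Thread(target=worker) for _ in range(threads)]
    for t in ts: t.start()
    for t in ts: t.join()
    return peak[0], dict(spec.c)


def run_barrier(k: int = 3) -> List[Counters]:
    """Barrier(R1, R2) with k threads per side; returns the snapshot each thread
    took as it left, so the pairing invariant can be checked afterwards."""
    spec = SyncSpec()
    spec.barrier("R1", "R2")
    snaps: List[Counters] = []
    lock = threading.Lock()

    def worker(r: str) -> None:
        spec.enter(r)
        snap = spec.leave(r)                   # blocks until a partner has entered
        with lock:
            snaps.append(snap)

    ts = [threading.Thread(target=worker, args=(r,)) for r in ["R1"] * k + ["R2"] * k]
    for t in ts: t.start()
    for t in ts: t.join()
    return snaps


if __name__ == "__main__":
    print("Bound(R,2), 5 threads:", run_bound())
    print("Barrier(R1,R2), 3 per side:", run_barrier())
```

Because every enter and leave is the same guarded increment, one Condition with notify_all is enough for the coarse-grain solution; it is correct but wakes every waiter on every change. A fine-grain implementation would replace that broadcast with targeted wakeups, and the page lists monitor and semaphore targets for that step.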
Contribution to PCES Goals
• Invariant patterns enable reuse of synchronization “solutions” across multiple systems and languages
– Evaluate reduction in effort
• in the context of OEPs
• on existing applications, if suitable code/design history is available
• on controlled system development (class projects)
• Synthesis of “correct” synchronization implementations potentially eliminates a class of subtle coding errors
– Evaluate potential for reducing errors and validation effort
• as above
The overarching goal of the PCES program is novel technology and supporting engineering approaches that can greatly reduce effort to program embedded systems, while increasing confidence in the embedded software product.
Contribution to Relevant Military Application
• Apply our approach to CDA 101 based systems
– CDA 101 provides a common architecture for networking target vehicle electronics using CAN
– Extract synchronization regions from existing applications and re-engineer using our approach
• DoD Target System Studies
– Seaborne (ST 2000) and Airborne (BQM-74, MQM-107)
• CDA 101 and NMEA 2000 co-evolving standards
– NMEA 2000 working group member
– Regular interaction with and source code from Seaborne Targets Engineering Group (NAWC – Point Mugu, CA)
Project Tasks/Schedule
[Schedule table: Key Tasks (Synch Aspect language, Aspect code synthesis, Code weaver, Verification, Integration, Non-synch Aspects) against the phases Initial, Optimized, Full-scale and Evaluation; milestone dates in the table are 5/01, 11/01, 5/02 and 5/03, several marked "+" for work continuing past that date]
Collaborations
• Stanford (SVC)
• Berkeley (Bane)
• MIT (analyses to optimize woven code)
• Grammatech, Inc. (slicing/verification techniques)
• Collins, aJile Systems (JEM boards)
• Honeywell (challenge problems from avionics)
• Kvaser AB (CAN Kingdom = CDA 101/11)
• Seaborne Targets Engineering Lab (CDA 101)
• National Marine Electronics Association (NMEA)
Technology Transition/Transfer
• CDA 101 based Target Systems
– Seaborne Targets: ST 2000
– Airborne Targets: BQM-74, MQM-107
• Commercial Applications
– NMEA 2000, CanKingdom: standards for real-time networking
– Precision farming, industrial automation
Program Issues
• Difficult to do long-range planning when there is a sense that funding is in jeopardy
• Program meetings provide little time for technical interchange
– i.e., identifying future collaborators
• Involvement of more industrial participants to provide challenge problems
– i.e., need more than code and documentation
• Limited equipment availability restricts full deployment of prototypes
Synchronization Regions
[Diagram: Actors and their Use-Cases at the boundary of the System; inside, Classes/Objects and Use-case Realizations annotated with Wait and WakeUp points]
Synchronization Patterns (excerpts)
[Diagram: each region (R, R_1, R_2) is drawn with its In and Out points (In/Out, In_1/Out_1, In_2/Out_2); the pattern instances Bound(R, n), Barrier(R_1, R_2), BarrierWithInfoEx(R_1, R_2) and Relay(R_1, R_2) are shown over those regions]
• 8 basic patterns in current collection (many more composite patterns)
• Pattern compositions can solve all synchronization problems in Andrews' and Hartley's books
• We welcome challenge problems from PCES participants
Multiple Target Detectors and a Single Firing Battery
Use-case realizations
Battery (B):
B1. Wait until a detector locks on a target
B2. Receive information from the detector and fire
B3. Release the detector
Target detector (T):
T1. Lock on a target
T2. Wait until the battery is available
T3. Send information to the battery
T4. Wait until released
[Diagram: the same use-case realizations with synchronization regions R_B1 around B1, R_T2 around T2, R_B3 around B3 and R_T4 around T4; B2 and T3 are linked by "Communicate"]
Patterns for Target System
[Diagram: region R_F around Fire]
• Bound(R_F, 1)
• Barrier(R_B1, R_T2) / BarrierWithInfoEx(R_B1, R_T2)
• Relay(R_B3, R_T4)
Next Milestones (6-9-12 months)
• Extend synthesis approach to distributed CAN-based systems including CanKingdom and CDA 101
• Public distribution of prototype synchronization specification, code generation, and weaving tools
• Generate solutions to other synchronization problems from CDA 101, Industrial Automation (KTEC) and Agricultural (John Deere) applications
• Extend global invariant approach to address real-time synchronization properties (e.g., priority inversion)
• Integrate Bandera to check safety/liveness properties