Automatic Derivation, Integration, and Verification Automatic Derivation, Integration, and Verification of Synchronization Aspects in Object-Oriented of Synchronization Aspects in Object-Oriented Design MethodsDesign Methods

DARPA Order K203/AFRL Contract F33615-00-C-3044

Principal InvestigatorsMatt DwyerJohn HatcliffMasaaki MizunoMitch NeilsenGurdip Singh

Department of Computing and Information Sciences

Kansas State University

http://www.cis.ksu.edu/santos

Problem DescriptionProblem Description

Embedded systems are growing in complexity and developers are looking towards OO technologies to manage that complexity

Design methods for OO do not treat synchronization effectively

Embedded systems software is multi-threaded for performance reasons– System correctness relies on correct synchronization

of multiple activities Synchronization design/implementation is low-

level and platform specific – Error prone and not reusable

Project ObjectivesProject Objectives

III. Automatic verification of critical safety and liveness properties of woven embedded code

… domain-specific model-checking engines

… built on previous DARPA work –Bandera environment

II. Automatic derivation and weaving of synchronization code… multiple language and

synchronization targets (Java, C++, monitors, semaphores, etc.)

… weaving & optimization via abstract interpretation and program specialization techniques

I. Provide high-level, modular specification of global synchronization aspects

… integrated with UML/RUP

… formal specification via global invariants

… language of composable invariant patterns

… powerful, yet easy to use

IV. Evaluation using Common Digital Architecture (CDA 101) … a new standard for military target vehicle

electronics

CompleteProgram

Technical Approach/AccomplishmentsTechnical Approach/Accomplishments

Actors:Use Cases

Classes:Use-Case Realizations

ComponentCode

Synchronization specifications– via invariants– Identify common idioms/patterns

GlobalInvariant

Specs

Coarse-GrainSolution

Automated coarse-grain generation– SVC and pattern-based

Prototype release 9/01

Fine-GrainSynchronization

Code

CompleteProgram

Synch-code generators– C/C++ and Java– Monitor, Semaphore, …

CompleteProgram

Rational Unified Process (RUP)

Technical Approach Technical Approach --- Specifications--- Specifications

Users never write raw invariants but instead build synchronization specifications using a collection of global invariant patterns (idioms)…

Bound(R,n)… at most n threads can be in region R

Exclusion(R1,R2)… occupancy of region R1 and R2 should be mutually

exclusive Resource(R1, R2, n)

… region R1 is a producer, region R2 is a consumer of some resource with n initial resource values.

Barrier(R1,R2)… the kth thread to enter R1 and the kth thread to enter R2

meet and leave their respective regions together …

Contribution to PCES GoalsContribution to PCES Goals

Invariant patterns enable reuse of synchronization “solutions” across multiple systems and languages– Evaluate reduction in effort

• in the context of OEPs• on existing applications, if suitable code/design history is available• on controlled system development (class projects)

Synthesis of “correct” synchronization implementations potentially eliminates a class of subtle coding errors – Evaluate potential for reducing errors and validation effort

• as above

The overarching goal of the PCES program is novel technology and supporting engineering approaches that can greatly reduce effort to program embedded systems, while increasing confidence in the embedded software product.

Contribution to Relevant Military ApplicationContribution to Relevant Military Application

Apply our approach to CDA 101 based systems– CDA 101 provides a common architecture for

networking target vehicle electronics using CAN– Extract synchronization regions from existing

applications and re-engineer using our approach DoD Target System Studies

– Seaborne (ST 2000) and Airborne (BQM-74, MQM-107) CDA 101 and NMEA 2000 co-evolving standards

– NMEA 2000 working group member– Regular interaction with and source-code from

Seaborne Targets Engineering Group (NAWC – Point Mugu, CA)

Project Tasks/ScheduleProject Tasks/Schedule

Integration

Verification

Code weaver

Aspect code synthesis

Synch Aspect

language

Key Tasks

Non-synch Aspects

Initial OptimizedFull-scaleEvaluatio

n

5/01

5/01

5/01

5/02

11/01

11/01

11/01

11/01 +

5/02

5/02

5/02

11/01 +

5/02 +

5/03

5/02 +

5/03

CollaborationsCollaborations

Stanford (SVC) Berkeley (Bane) MIT (analyses to optimize weaved code) Grammatech, Inc. (slicing/verification

techniques) Collins, aJile systems (JEM boards) Honeywell (challenge problems from avionics) Kvaser, AB (CAN Kingdom = CDA 101/11) Seaborne Targets Engineering Lab (CDA 101) National Marine Electronics Association (NMEA)

Technology Transition/TransferTechnology Transition/Transfer

CDA 101 based Target Systems– Seaborne Targets:

• ST 2000

– Airborne Targets:• BQM-74• MQM-107

Commercial Applications– NMEA 2000, CanKingdom - standards for

real-time networking– Precision farming, industrial automation

Program IssuesProgram Issues

Difficult to do long range planning when there is a sense that funding is in jeopardy

Program meetings provide little time for technical interchange– i.e., identifying future collaborators

Involvement of more industrial participants to provide challenge problems– i.e., need more than code and documentation

Limited equipment availability restricts full deployment of prototypes

Synchronization RegionsSynchronization Regions

Use-Case

Actor

Use-Case

Actor

System

Classes/Objects

Use-case Realizations

Use-case Realizations

Wait

WakeUp

Wait

WakeUp

Synchronization Patterns (excerpts)Synchronization Patterns (excerpts)

R n

In

Out

R_1

In_1

Out_1

R_2

In_2

Out_2

Bound(R, n)Barrier(R_1,R_2)

BarrierWithInfoEx(R_1,R_2)

Relay(R_1,R_2)

• 8 basic patterns in current collection (many more composite patterns)

• Pattern compositions can solve all synchronization problems in Andrew’s and Hartley’s books

• We welcome challenge problems from PCES participants

Multiple Target DetectorsMultiple Target Detectorsand a Single Firing Batteryand a Single Firing Battery

Use-case realizationsUse-case realizations B1. Wait until a

detector locks on a target

B2. Receive information from the detector and fire

B3. Release the detector

T1. Lock on a target

T2. Wait until the battery is available

T3. Send information to the battery

T4. Wait until released

Multiple Target DetectorsMultiple Target Detectorsand a Single Firing Batteryand a Single Firing Battery

Use-case realizationsUse-case realizations B1. Wait until a

detector locks on a target

B2. Receive information from the detector and fire

B3. Release the detector

T1. Lock on a target

T2. Wait until the battery is available

T3. Send information to the battery

T4. Wait until released

R_B3 R_T4B3 T4

R_B1 R_T2B1

B2 T3

T2

T1

Communicate

Patterns for Target SystemPatterns for Target System

R_FFire

Relay(R_B3, R_T4)

Barrier(R_B1, R_T2)

Bound(R_F,1)

BarrierWithInfoEx(

R_B1, R_T2)

Relay(R_B3, R_T4)

Next Milestones (Next Milestones (66--99--1212 months) months) Extend synthesis approach to distributed CAN-

based systems including CanKingdom and CDA 101

Public distribution of prototype synchronization specification, code generation, and weaving tools

Generate solutions to other synchronization problems from CDA 101, Industrial Automation (KTEC) and Agricultural (John Deere) applications Extend global invariant approach to address real-time synchronization properties (e.g., priority inversion)

Integrate Bandera to check safety/liveness properties