Automatic Verification of Component-Based Real-Time CORBA Applications Gabor Madl [email protected] Sherif Abdelwahed [email protected] Gabor Karsai [email protected] This work was supported by the NSF ITR Grant CCR-0225610 “Foundations of Hybrid and Embedded Software Systems.”


Page 1: Automatic Verification of Component-Based Real-Time CORBA Applications


Page 2: Automatic Verification of Component-Based Real-Time CORBA Applications

Outline

Challenge problems
Approach
Verification tool chain using GME
Generic timed automata model
Case study: Verification of a Bold Stroke application
Boeing Bold Stroke execution framework
Embedded Systems Modeling Language (ESML)
Transformation of the example application
Verifying timed properties with UPPAAL

Page 3: Automatic Verification of Component-Based Real-Time CORBA Applications

Challenge problems

Distributed Real-Time Embedded (DRE) systems are traditionally hard to verify

In the Model Integrated Computing approach we create application models using Domain Specific Modeling Languages (DSML)

We verify application models by mapping them to formally defined Models of Computation using well-defined model transformations (e.g. graph transformations) and checking the desired properties in that semantic domain

Page 4: Automatic Verification of Component-Based Real-Time CORBA Applications

Approach

Figure: a Domain Specific Model is mapped (semantic mapping) into a Semantic Domain, giving an Analysis Model; the Analysis Model is the input of a Model Checker (Property Verification) and of a Simulator (Trace Verification), both of which return design feedback; a Generator produces Executable Code from the domain specific model

Page 5: Automatic Verification of Component-Based Real-Time CORBA Applications

Verification tool chain using GME

Figure: Component-based Modeling Language (ESML) -> Model Checker Input Domain (Timed Automata) -> UPPAAL Model Checker

We provide a common framework based on the Graph Rewriting and Transformation (GREAT) tool, which utilizes graph transformations, and the UPPAAL model checker to verify the non-preemptive scheduling of embedded systems

Page 6: Automatic Verification of Component-Based Real-Time CORBA Applications

Generic timed automata model

Page 7: Automatic Verification of Component-Based Real-Time CORBA Applications

Case study: Verification of a Bold Stroke application

Page 8: Automatic Verification of Component-Based Real-Time CORBA Applications

Boeing Bold Stroke Execution Framework

Unsynchronized software timers trigger the periodic processing; event passing is asynchronous

Priority bands execute same-priority actions: scheduling is preemptive between bands and non-preemptive between actions with the same priority

Priority bands are implemented using 3 threads (Thread-Pool policy for multi-threading)

Figure: two processes (Process1 Actions, Process2 Actions), each with its actions; the ORB of each process exposes Priority Band #1 to Priority Band #5; a timeout feeds the scheduler, which dispatches actions through the ORB; the processes communicate via IPC

Page 9: Automatic Verification of Component-Based Real-Time CORBA Applications

Modeling the Bold Stroke application using the ESML language

ESML is a modeling language for component-based, event-driven systems

It uses the publisher/subscriber communication pattern

The models contain information about priorities, sub-priorities, worst case execution times and deadlines for actions

Page 10: Automatic Verification of Component-Based Real-Time CORBA Applications

Transformation of the example application

Figure: a pattern of components is mapped to a pattern of TA (timed automata); OR decomposition

Page 11: Automatic Verification of Component-Based Real-Time CORBA Applications

Verifying timed properties with UPPAAL

Deadlock: A[] not deadlock

The system is schedulable if all tasks can be executed within their deadlines

Verifying this property does not require additional property checking because the Timeout state deadlocks the model in our design

Additional properties can also be checked because dependencies and dense time information are captured in the network of timed automata
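As an added example (not the authors' tool chain, which checks a dense-time network of timed automata in UPPAAL), the following Python code encodes the Bold Stroke scheduling rules from the execution framework slide in discrete time and performs the same schedulability check by exhaustively trying every timer offset; a job still unfinished when its deadline arrives plays the role of the Timeout state. The task set, the single-CPU assumption and the search horizon are constructed for the example.

```python
from itertools import product
from math import lcm

# Constructed task set (not from the presentation): (name, band, period, wcet, deadline).
# Band 1 is the highest priority; deadline is relative to the timer release; one CPU.
# Jobs released at the same instant are queued in list order.
ACTIONS = [
    ("sensor", 1, 4, 1, 4),
    ("filter", 2, 6, 2, 6),
    ("actuator", 2, 12, 5, 12),
]

def simulate(actions, offsets, horizon):
    """Discrete-time run of the priority-band scheduler from the given timer offsets.
    A higher band preempts a lower one; inside a band the job at the head of the
    FIFO runs to completion. Returns (name, release_time) of the first job that is
    still unfinished when its absolute deadline arrives (the Timeout state of the
    timed-automata model), or None if no job released before `horizon` misses."""
    queues = {}   # band -> FIFO of [name, release, remaining, absolute_deadline]
    for t in range(horizon):
        for (name, band, period, wcet, dl), off in zip(actions, offsets):
            if t >= off and (t - off) % period == 0:        # software timer fires
                queues.setdefault(band, []).append([name, t, wcet, t + dl])
        for q in queues.values():
            for job in q:
                if t >= job[3]:                          # deadline reached, work left
                    return (job[0], job[1])
        busy = [b for b, q in queues.items() if q]
        if busy:
            band = min(busy)                             # highest band owns the CPU
            head = queues[band][0]
            head[2] -= 1
            if head[2] == 0:
                queues[band].pop(0)
    return None

def check_schedulable(actions):
    """The timers are unsynchronized, so try every combination of offsets (one per
    action, within its period) over max offset + two hyperperiods (assumed bound).
    Returns None if every run meets all deadlines, else the first counterexample."""
    periods = [a[2] for a in actions]
    hyper = lcm(*periods)
    for offsets in product(*(range(p) for p in periods)):
        miss = simulate(actions, offsets, max(offsets) + 2 * hyper)
        if miss:
            return {"offsets": offsets, "miss": miss}
    return None

if __name__ == "__main__":
    print(check_schedulable(ACTIONS))
```

With synchronized timers the constructed set meets every deadline, but the offset search finds a release pattern in which a filter job waits behind the actuator's 5-unit non-preemptive slot and misses its deadline, the kind of counterexample the slides describe as pinpointing the failing component.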

Page 12: Automatic Verification of Component-Based Real-Time CORBA Applications

Conclusion and future directions

We presented a solution to verify dense timed properties of periodic event-driven systems

The verification process can provide simulation runs and pinpoint components that fail to meet their deadlines

Our near-term plans are to formalize the graph transformation as well as the computational model behind Bold Stroke

Modeling preemption while avoiding the state explosion problem is our long-term goal

Page 13: Automatic Verification of Component-Based Real-Time CORBA Applications

Questions?