Component Composition for Embedded Systems Using Semantic

Aspect-Oriented Programming

Martin RinardLaboratory for Computer Science

Massachusetts Institute of TechnologyF33615-00-C-1692

Problem Description

How can we improve flexibility, reliability, and predictability of software for embedded and real-time systems?

• Need for better support for distributed computations• Need to easily compose components on different

platforms• Need for implementations that survive partial failures

• Need for better understanding of distributed implementations• Understand communication patterns and their

implications• Support for fault propagation analysis• Exploit information to transform software

• Lack of real-time support in standard languages and systems• Lack of real-time memory management support in Java• Lack of real-time scheduling support in Java

Support for Distributed Real-Time Systems

Role Analysis•Capture changing roles objects play in computation

•Points-to relationships determine roles

•Role Specifications•Programmer supplied•Dynamically discovered

•Statically verified

Interaction Analysis• Match role changes

with component movements

• Match publishers and subscribers

• Compute failure propagation information

Transformations• Specialized

communication• Point-to-point• Targeted multicast• Request/response

• Preemptively move or replicate objects to close windows of vulnerability

Distributed

Interaction System

Event Notification• Publish/Subscribe

Primitives

Shared Object Communication

• Shared reference system

• Thread-based failure model

Real Time Java

Predictable Memory Management

• Region-Based allocation primitives

• Pointer and escape analysis• Validates correct region

use• Eliminates dynamic

checks• Role analysis enables safe

explicit memory deallocation

Real-Time Scheduling• Compiler-controlled

scheduling• Preemptive thread

scheduling• Asynchronous event

dispatch

Objective Technical Approach

System Architecture

Shared ObjectSpace

Shared EventSpace

DistributedRTJ

Components

PublishSubscribe

Objectives for Distributed Components

• Understand how components interact• Event notification relationships• Communication patterns• Failure propagation

• Replace pub/sub with specialized mechanisms• Point-to-point communication• Multicast communication• Request/response communication

• Preemptively move or replicate objects to close windows of vulnerability to failures

Technical Approach

Observations• Objects play different roles in computation• Role is conceptually similar to type

• Capture important differences between objects

• Useful constraints associated with roles (can’t apply stop operation to

stationary tank)Stationary

TankMoving

TankDisabled

TankRoles

Technical Approach

Observations• Role of object may change during

computation• Even though identity stays the same

StationaryTank

Moving Tank

Disabled Tank

Roles

Role Transitions

Technical Approach

Observations• In a standard type system

• Object’s type corresponds to its class• Object’s class does not change• Type system does not capture object’s

rolesTank Class

StationaryTank

Moving Tank

Disabled Tank

Roles

Role Transitions

Technical Approach

Goal• Develop a formalism (role types) to

capture changing roles that objects play in computation

• Statically verify role constraints and transitions

Tank Class

StationaryTank

Moving Tank

Disabled Tank

Roles

Role Transitions

Role Transitions

StationaryTankList

MovingTankList

DisabledTankList

Role Transitions

StationaryTankList

MovingTankList

DisabledTankList

Role Transitions

StationaryTankList

MovingTankList

DisabledTankList

Role Classification

• Relative Classification• Role determined by data structure membership• Role changes correspond to movements

between data structures• Role depends on points-to relationships

• Content-based Classification• Role determined by values of object’s fields• Role changes correspond to field assignments

• History-based Classification• Role determined by operations applied to

object• Role changes correspond to method executions

For Each Role• Set of incoming slots• Reference that fills

each slot (role.field)

Moving Tank Role•One incoming slot•Filled by Moving Tank

List Node.item Reference

Stationary Tank Role•One incoming slot•Filled by Stationary

Tank List Node.item Reference

Relative Role View of Objects

Stationary Tank

String

Integernext

item

Tank Model

Stationary Tank List

Node

Moving Tank String

Integernext

item

Tank Model

Top Speed

Moving Tank List Node

Current Speed

Integer

Top Speed

Current Speed

Role Analysis

• Role information at method boundaries• Programmer provided or• Dynamically discovered• Statically verified using generalized

interprocedural shape analysis

Applications of Roles

• Roles provide object referencing relationships • Object referencing determines interaction

patterns• Interaction analysis leverages roles to statically

extract interaction patterns• Match publishers with subscribers• Match role changes with movements of

objects between components• Compute failure propagation information

• Move or replicate objects to eliminate windows of failure vulnerability

More Benefits of Roles

• Software Engineering Benefits• Enhanced implementation

transparency • Role constraints = safety checks that

take application semantics into account

• Safe explicit memory deallocation

Real-Time Java

Real-Time Java Memory Management

• Scoped Memories for Real-Time Memory Management

• Implementation in MIT Flex System• Pointer and Escape Analysis

• Verifies correct use of scoped memories• Eliminates dynamic scoped memory checks

• Analysis of Multithreaded Programs (PPoPP ’01)• Computes interactions between threads• Capture objects accessed by multiple threads

• Incrementalized Analysis (PLDI ’01)

Real-Time Java SchedulingCompiler-controlled scheduling

• Start with lightweight user-level threads package• Compile scheduling checks into generated code• Check for:

• Asynchronous event dispatch• Preemptive thread switch

• Result:• Scheduler part of Java Run-Time (at user level)• Can be partially generated by compiler• Minimal demands on OS• Maximum flexibility in implementation

Contribution to PCES GoalsWhat we provide: Automated understanding of distributed,

embedded, and real-time software• Analyses

• Pointer and escape analysis• Role analysis• Interaction analysis

• Some envisioned uses:• Safe memory management alternatives for Real-Time Java

•Verification of safe use of region-based allocation•Roles enable explicit deallocation instead of garbage

collection• Interaction analysis

•Understanding and validation of synchronization interactions•Understanding of communication patterns•Understanding of how failures propagate•Validations of ABSENCE of interactions

• Transformations•Specialized, efficient communication implementations •Close windows of failure vulnerability

Contribution to Military Applications

Basic Contribution: More Flexible, Reliable, Predictable Real-Time, Distributed, and

Embedded Systems• Implementation technology to enable use of standard,

widely used language (Java) in military applications• Compiler-controlled event and thread management• Memory management algorithms for real-time

systems• Analyses and transformations for understanding and

improving military software systems• Potential application areas

• Real-time monitoring and control• Information collection and presentation• Integrating (distributed) systems of systems

Project Tasks and Schedule

• Real-Time Java Implementation• Scoped Memories (Year 1)• Thread and Event Scheduling (Year 3)

• Publish/Subscribe Implementation• Initial prototype (Year 2)• Final version (Year 4)

• Pointer and Escape Analysis (Year 1)• Role Analysis

• Initial design and implementation (Year 2.5)• Final design and implementation (Year 4)

• Interaction Analysis and Transformations• Failure propagation analysis (Year 3)• Transformations to close windows of failure

vulnerability (Year 4)

Technical Progress/Accomplishments

• Implementation of Real-Time Java Scoped Memories• Scoped memory allocation primitives• Pointer and escape analysis for multithreaded programs

(PPoPP ’01)• Verify correct use of scoped allocation• Eliminate dynamic checks

• Incrementalized pointer and escape analysis (PLDI ’01)

• Initial phases of distributed surveillance application• Initial JavaCar prototype – 1/6 scale car with

• 233 MHz StrongARM, 32 Mbytes, running Java on Linux • Camera, wireless ethernet, USB, various sensors• Speed and steering control

• Initial role design, specification language, analysis

Next Milestones

Progress in Following Areas• Publish/Subscribe Design and

Implementation• Realization in Java (Event class)• Event distribution mechanism• Shared object space mechanism

• Real-Time Java Threads and Events• Role Design, Specification, and Analysis• JavaCar and Surveillance Applications

Collaborations

• Washington University• Real-Time Java Memory Management• Dynamic Scope Generation (Washington)• Static Scope Verification (MIT)• Real-Time Event Service

• Stanford, Kansas State University (Model Extraction)

• Purdue, SUNY Oswego, Maryland (RT Java)• Utah (Analysis for Component Constraints)• Anyone else with Real-Time Java needs

• We provide prototype open implementation• We provide analysis prototypes

Technology Transfer• Illustrations of Implementation Techniques for Real-Time Java

• Implementation available under GNU GPL• Anyone can download it, use it, improve it• http://www.cag.lcs.mit.edu/~rinard/pces

• Real-Time Java as Infection Vector• Integrated pointer and escape analysis

• Correctness tool for region allocation• Enables stack allocation (reduces memory footprint)

• Integrated role discovery and analysis• Dynamic discovery leads to easy initial experience• Roles become central abstraction for developer

• Roles + publish/subscribe system = easy, effective distribution• Communication and failure propagation analysis• Useful transformations• Dynamic deployment

• Our system serves as prototype• Illustrates key implementation techniques• Helps others evaluate suitability for their application

Program Issues

Current Speed

Example Roles

Tank ObjectString

Integernext

item

Tank Model

Top Speed

Stationary Tank List Node

Tank ObjectString

Integernext

item

Tank Model

Top Speed

Moving Tank List Node

Current SpeedInteger

Standard View of Object

Fields

OutgoingReferences

•

•

•

IncomingReferences

Tank ObjectString

Integer

Integer

Tank Model

Top Speed

Current Speed

Incrementalized AnalysisBig Program

Incrementalized AnalysisObject Allocation Sites to Capture

Incrementalized AnalysisStandard Approach: Analyze Entire Program

Incrementalized AnalysisOur Approach: Incrementally Analyze Region

Surrounding Each Allocation Site

Incrementalized AnalysisOur Approach: Incrementally Analyze Region

Surrounding Each Allocation Site

Incrementalized AnalysisOur Approach: Incrementally Analyze Region

Surrounding Each Allocation Site

Incrementalized Analysis

• Key Question: Where to invest analysis resources?

• Obtain estimates of• Payoff of capturing allocation site• Likelihood of capturing site• If can capture site, cost of the capture

• As invest resources in site, improve estimates• Invest resources in site with (current) best

estimated return on invested resources• Results show can obtain almost all benefit of

whole-program analysis at fraction of cost (PLDI ’01)