Model-Checking of Component-Based Real-Time Embedded Software Based on CORBA Event Service
Transcript of a PowerPoint presentation by Yuanfang Zhang for Seminar CSE7216, based on Zonghua Gu and Kang G. Shin, "Model-Checking of Component-Based Real-time Embedded Software Based on CORBA Event Service".
Slide 1
Model-Checking of Component-Based Real-Time Embedded Software Based on CORBA Event Service
Yuanfang Zhang for Seminar CSE7216
Presentation based on Zonghua Gu and Kang G. Shin, Model-Checking of Component-Based Real-time Embedded Software Based on CORBA Event Service,
Proceedings of the 8th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing (ISORC'05)
Slide 2
Outline
- Problem: verification of component-based real-time embedded software based on the CORBA Event Service. Example: Avionics Mission Computing (AMC)
- Finite State Processes (FSP): formalize the specification of software components and system architecture
- Labeled Transition System Analyzer (LTSA): exhaustively explore the system state space to prove certain system properties
- Scalability improvement: state space explosion
Slide 3
AMC
- Event triggers: publish/subscribe
- Method invocations: receptacle/facet
- Control-push / data-pull (data push)
Slide 4
FSP - event prefix
If x is an event and P a process then (x-> P) describes a process that initially synchronizes with the event x and then behaves exactly as described by P.
[State diagram: state 0 --once--> state 1]
Convention: events begin with lowercase letters; PROCESSES begin with uppercase letters.
ONESHOT = (once -> STOP). (ONESHOT state machine: a terminating process)
Slide 5
FSP - recursion
Repetitive behaviour uses recursion:
[State diagram: state 0 --on--> state 1, state 1 --off--> state 0]
SWITCH = OFF,
OFF = (on -> ON),
ON = (off -> OFF).
Substituting to get a more succinct definition:
SWITCH = OFF,
OFF = (on -> (off -> OFF)).
And again:
SWITCH = (on -> off -> SWITCH).
Slide 6
FSP - choice
If x and y are events then (x-> P | y-> Q) describes a process which initially engages in either of the events x or y. After the first event has occurred, the subsequent behavior is described by P if the first event was x and Q if the first action was y.
FSP model of a drinks machine:
DRINKS = (red -> coffee -> DRINKS | blue -> tea -> DRINKS).
[State diagram: state 0 --red--> state 1 --coffee--> state 0; state 0 --blue--> state 2 --tea--> state 0]
Slide 7
FSP – Composition
Primitive processes can be composed to form a composition process with the operator ||. If processes in a composition have a common shared event, all processes must synchronize on the shared event at the same step.
MAKER = (make -> ready -> MAKER).
USER = (ready -> use -> USER).
||MAKER_USER = (MAKER || USER).

MAKER = (make -> done -> MAKER).
USER = (ready -> use -> USER).
||MAKER_USER = (aMaker:MAKER || aUser:USER) /{aMaker.done/aUser.ready}.
Slide 8
Modeling AMC with FSP
- ClosedEDComponent:
  ClosedEDComp = (inEvt -> issueGDCall -> receiveGDReply -> outEvt -> ClosedEDComp
                 | receiveGDCall -> issueGDReply -> ClosedEDComp).
- OpenEDComponent:
  OpenEDComp = (inEvt -> issueGDCall -> receiveGDReply -> outEvt -> OpenEDComp
               | receiveGDCall -> issueGDReply -> OpenEDComp
               | receiveSDCall -> issueGDCall -> receiveGDReply -> issueSDReply -> outEvt -> OpenEDComp).
- DeviceComponent:
  DeviceComp = (inEvt -> outEvt -> DeviceComp
               | receiveGDCall -> issueGDReply -> DeviceComp).
- DisplayComponent:
  DisplayComp = (inEvt -> issueGDCall -> receiveGDReply -> display -> DisplayComp).
Slide 9
FSP – Component Interactions (1): Control-Push / Data-Pull
Synchronous: pairwise interactions between components happen instantaneously, without the delays introduced by the middleware.
Slide 10
FSP – Component Interactions (2)
Input event correlation: AND synchronization / OR synchronization
Slide 11
FSP – Component Interactions (3): Real-Time Issues
- A global event tick is shared among all the timers.
- Schedulable (add an explicit synchronization between the timer and the terminal events): both display components have been triggered before the next 20 Hz timeout.
Slide 12
FSP – an example application
Slide 13
Verify System Properties
- Safety
  - Deadlock freedom: circular dependency; multiple input events with AND synchronization, but not all of them are available
  - Event reachability
  - Sequencing constraints
- Liveness
  - Progress
Slide 14
Deadlock Freedom (LTSA):
Slide 15
Event reachability & sequencing constraints
Slide 16
Progress Property
A progress property asserts that the action will be executed infinitely often in any infinite execution of the system: progress P1 = {navDisplay.display}
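To make the FSP semantics of slides 4 to 7 (prefix, choice, recursion, composition with shared-event synchronization and relabelling) and the checks of slides 13 to 16 (deadlock freedom, event reachability, progress) concrete, here is an added Python example. It is not code from the paper, the presentation or the LTSA tool: it builds labelled transition systems by hand for the slide processes, composes them the way || does, and runs the three checks over the composed state space. The AND_CONSUMER, SUPPLIER1 and SUPPLIER2 processes, with their state and event names, are constructed here to reproduce the slide 13 deadlock cause (AND-correlated inputs where one input depends circularly on the consumer's own output) and do not appear on the slides.

```python
# Toy FSP semantics as an added illustration (not the paper's, the slides' or
# LTSA's code). A process is a labelled transition system: dict state ->
# list of (event, next_state). STOP is a state with no transitions.
# These tables are hand-translated from the FSP on slides 4, 6 and 7.
ONESHOT = {"ONESHOT": [("once", "STOP")], "STOP": []}
DRINKS = {"DRINKS": [("red", "D1"), ("blue", "D2")],
          "D1": [("coffee", "DRINKS")], "D2": [("tea", "DRINKS")]}
MAKER = {"MAKER": [("make", "M1")], "M1": [("ready", "MAKER")]}
MAKER_DONE = {"MAKER": [("make", "M1")], "M1": [("done", "MAKER")]}
USER = {"USER": [("ready", "U1")], "U1": [("use", "USER")]}

# Constructed fragment for slide 13: a consumer whose two inputs are
# AND-correlated (both needed, any order), a supplier publishing in1 on every
# tick, and a supplier publishing in2 only after the consumer's own `process`.
AND_CONSUMER = {"C": [("in1", "C1"), ("in2", "C2")], "C1": [("in2", "C3")],
                "C2": [("in1", "C3")], "C3": [("process", "C")]}
SUPPLIER1 = {"S": [("tick", "S1")], "S1": [("in1", "S")]}
SUPPLIER2 = {"T": [("process", "T1")], "T1": [("in2", "T")]}

def alphabet(lts):
    return {e for trans in lts.values() for e, _ in trans}

def relabel(lts, mapping):
    """FSP relabelling /{new/old}: rename events, keep the rest unchanged."""
    return {s: [(mapping.get(e, e), t) for e, t in trans] for s, trans in lts.items()}

def prefix(lts, name):
    """FSP process labelling name:P, which prefixes every event with 'name.'."""
    return relabel(lts, {e: f"{name}.{e}" for e in alphabet(lts)})

def compose(p, p0, q, q0):
    """P || Q: events in both alphabets synchronise (both processes move in the
    same step), all others interleave. Only states reachable from (p0, q0) are built."""
    ap, aq = alphabet(p), alphabet(q)
    init, lts, todo = (p0, q0), {}, [(p0, q0)]
    while todo:
        s = todo.pop()
        if s in lts:
            continue
        sp, sq = s
        out = []
        for e, tp in p.get(sp, []):
            if e in aq:  # shared event: q must offer it in its current state
                out += [(e, (tp, tq)) for f, tq in q.get(sq, []) if f == e]
            else:
                out.append((e, (tp, sq)))
        out += [(e, (sp, tq)) for e, tq in q.get(sq, []) if e not in ap]
        lts[s] = out
        todo += [t for _, t in out]
    return lts, init

def reach(lts, s):
    """States reachable from s by one or more transitions."""
    seen, todo = set(), [s]
    while todo:
        for _, t in lts.get(todo.pop(), []):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def deadlocks(lts, init):
    """Reachable states with no outgoing transition: LTSA's deadlock check."""
    return sorted(s for s in reach(lts, init) | {init} if not lts.get(s))

def reachable_events(lts, init):
    """Events occurring on some reachable transition (event reachability)."""
    return {e for s in reach(lts, init) | {init} for e, _ in lts.get(s, [])}

def progress_violations(lts, init, events):
    """Terminal strongly connected sets (where infinite runs end up staying) that
    contain no transition from `events`. A deadlock state is the one-state case."""
    bad = []
    for s in reach(lts, init) | {init}:
        r = reach(lts, s) | {s}
        if any(t != s and s not in reach(lts, t) for t in r):
            continue  # s can escape to somewhere that cannot return: not terminal
        if not any(e in events for x in r for e, _ in lts.get(x, [])):
            if frozenset(r) not in bad:
                bad.append(frozenset(r))
    return bad

def maker_user_relabelled():
    """Slide 7, second form: (aMaker:MAKER || aUser:USER) /{aMaker.done/aUser.ready}."""
    m = prefix(MAKER_DONE, "aMaker")
    u = relabel(prefix(USER, "aUser"), {"aUser.ready": "aMaker.done"})
    return compose(m, "MAKER", u, "USER")

def circular_and_system():
    """AND_CONSUMER || SUPPLIER1 || SUPPLIER2 (constructed, deadlocks)."""
    x, x0 = compose(AND_CONSUMER, "C", SUPPLIER1, "S")
    return compose(x, x0, SUPPLIER2, "T")

if __name__ == "__main__":
    mu, m0 = compose(MAKER, "MAKER", USER, "USER")
    print("MAKER||USER: states", len(mu), "deadlocks", deadlocks(mu, m0))
    amc, a0 = circular_and_system()
    print("AND system: deadlocks", deadlocks(amc, a0),
          "process reachable:", "process" in reachable_events(amc, a0))
```

The progress check follows the definition on slide 16: a set of events is starved exactly when the composed system can settle into a terminal strongly connected set where none of them ever fires, which is why a deadlock also counts as a progress violation. The reachability test here is quadratic and only meant for slide-sized models; the size of `lts` returned by `compose` is the state count whose growth the scalability slide warns about.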
Slide 17
Scalability
- Lack of scalability due to state-space explosion: out-of-memory
- Exploit domain-specific constraints: omit the synchronization action
- Compose and check the system hierarchically: cannot check for end-to-end sequencing constraints that span multiple groups and involve internal events from these groups
Slide 18
Exploit domain-specific constraints
Reduce the call-return two-way synchronization into a one-way synchronization
Slide 19 (figure only, no transcribed text)
Slide 20
Both Display components are required to be triggered before the next 1Hz timeout
Slide 21
Performance Evaluation
- 3 components to 50 components: seconds or at most a few minutes
- Hundreds of thousands of components: no model checker can scale up to this size; rely on the designer's manual work to separate and model-check them individually