Automatic Derivation, Integration, and Verification of Synchronization Aspects in Object-Oriented Design Methods Automatic Derivation, Integration, and Verification of Synchronization Aspects in Object-Oriented Design Methods DARPA Order K203/AFRL Contract F C-3044 Principal Investigators Matt Dwyer John Hatcliff Masaaki Mizuno Mitch Neilsen Gurdip Singh Department of Computing and Information Sciences Kansas State University
Problem Description Embedded systems are growing in complexity and developers are looking towards OO technologies to manage that complexity Embedded systems software is multi-threaded for performance reasons –System correctness relies on correct synchronization of multiple activities Synchronization design/implementation is low-level and platform specific –Error prone and not reusable Design methods for OO do not treat synchronization effectively
Project Objectives III. Automatic verification of critical safety and liveness properties of woven embedded code … domain-specific model-checking engines … built on previous DARPA work – Bandera environment II. Automatic derivation and weaving of synchronization code … multiple language and synchronization targets (Java, C++, monitors, semaphores, etc.) … weaving & optimization via abstract interpretation and program specialization techniques I. Provide high-level, modular specification of global synchronization aspects … integrated with UML/RUP … formal specification via global invariants … language of composable invariant patterns … powerful, yet easy to use IV. Evaluation using Common Digital Architecture (CDA101) … a new standard for military target vehicle electronics
Technical Approach --- Invariant Patterns Users never write formulas but instead build invariants using a collection of global invariant patterns… Bound(R,n) … at most n threads can be in region R Exclusion(R1,R2) … occupancy of region R1 and R2 should be mutually exclusive Resource(R1, R2, n) … region R1 is a producer, region R2 is a consumer of some resource with n initial resource values. Barrier(R1,R2) … the k th thread to enter R1 and the k th thread to enter R2 meet and leave their respective regions together Synthesize efficient implementations that enforce invariants and link them automatically to sequential implementations of core system functionality.
Contribution to PCES Goals Invariants enable reuse of synchronization “code” across multiple systems and languages –reduced effort Synthesis of “correct” synchronization implementations –Eliminate a class of subtle errors reduced testing effort, increased confidence Verification of properties not guaranteed by construction –increased confidence The overarching goal of the PCES program is novel technology and supporting engineering approaches that can greatly reduce effort to program embedded systems, while increasing confidence in the embedded software product.
Contribution to Relevant Military Application Provide synchronization aspects for CDA101 - Common Digital Architecture –CDA101 provides a common architecture for networking a wide range of target vehicle electronics –Synchronization patterns can be used in existing systems and more importantly for future, more complex, target systems. DoD Target Systems –Seaborne Targets: ST 2000 –Airborne Targets: BQM-74, MQM-107 –Ground Targets
Project Tasks/Schedule Integration Verification Code weaver Aspect code synthesis Synch Aspect language Key Tasks Non-synch Aspects Initial Optimized Full-scale Evaluation 5/01 11/01 11/01 + 5/02 11/01 + 5/02 + 5/03 5/02 + 5/03
Complete Program Technical Progress/Accomplishments Actors: Use Cases Classes: Use-Case Realizations Component Code Global invariant pattern –Extensions and assessment Global Invariant Specs Coarse-Grain Solution Coarse grain generation: –SVC and pattern based Initial CDA-101 case-study –Seaborne Target (ST 2000) Prototype release 9/01 Fine-Grain Synchronization Code Complete Program Synch code generators –C/??? and Java Complete Program Rational Unified Process (RUP)
Synchronization Regions Wait WakeUp Wait WakeUp Classes/Objects Use-Case Actor Use-Case Actor System Use-case Realizations
Synchronization Patterns (excerpts) R n In Out R_1 In_1 Out_1 R_2 In_2 Out_2 Bound(R, n) Barrier(R_1,R_2) BarrierWithInfoEx(R_1,R_2) Relay(R_1,R_2) ??? patterns in current collection General enough to solve all synchronization problems in Andrew’s book We welcome challenge problems from PCES participants
Multiple Target Detectors and a Single Firing Battery Use-case realizations B1. Wait until a detector locks on a target B2. Receive information from the detector and fire B3. Release the detector T1. Lock on a target T2. Wait until the battery is available T3. Send information to the battery T4. Wait until released
Multiple Target Detectors and a Single Firing Battery Use-case realizations B1. Wait until a detector locks on a target B2. Receive information from the detector and fire B3. Release the detector T1. Lock on a target T2. Wait until the battery is available T3. Send information to the battery T4. Wait until released
R_B3 R_T4 B3 T4 R_B1 R_T2 B1 B2 T3 T2 T1 Communicate Patterns for Target System R_F Fire Relay(R_B3, R_T4) Barrier(R_B1, R_T2) BarrierWithInfoEx( R_B1, R_T2) Bound(R_F,1)
Next Milestones Generate solutions to a large collection of standard synchronization problems Integrate Bandera to check safety/liveness properties Extend synthesis approach to distributed CAN-based systems including CanKingdom and CDA101 –Examine existing CDA101 target code to assess how much of the adhoc synchronization code can be expressed in terms of our patterns –Provide translations from patterns to CDA101 Add GUI with UML support to current prototype Extend global invariant approach to include real-time properties
Collaborations Stanford (SVC) MIT (analyses to optimize weaved code) Rockwell-Collins, aJile systems (JEM boards) Honeywell Grammatech, Inc. (slicing techniques) Kvaser, AB (CAN Kingdom = CDA 101/11) Seaborne Targets Engineering Lab (CDA101) National Marine Electronics Association (NMEA)
Technology Transition/Transfer DoD Target Systems –Seaborne Targets: ST 2000 –Airborne Targets: BQM-74 MQM-107 –Ground Targets Commercial Applications –NMEA 2000, CanKingdom - standards for real- time networking –Precision farming, in-vehicle electronics, industrial automation
Seaborne Target 2000 (ST 2000)
Program Issues Difficult to do long range planning when there is a sense that funding is in jeapordy Program meetings provide little time for technical interchange Involvement of more industrial participants to provide challenge problems Limited equipment availability restricts full deployment of prototypes
Funding Profile and Financial Expenditures to Date We are burning our Salary/IDC at 100% –Due to a clerical error certain charges made against the project have not hit the project account –It may appear that we are underspending, but back-charges will hit within the next month. We are burning our travel money at ~80% –Travel money from the 1 st funding period was shifted to the second period. This means that 100% burn of the second period’s travel money will appear as if we are underburning. –Note that due to this shift we had to pay for travel to the PCES kickoff meeting from non-PCES sources.
Technical Approach --- Tool Architecture UML Tools Synchronization Aspect Specification Tool Intermediate Representation Generator Solver/ Prover Course-grain solution Synchronization Aspect Back-end Bandera Analysis & Transformation Fine-grain solution Specialization Engine Bandera Safety Properties Liveness Properties Code Weaver Optimized Woven Code Invariant & Region tags Functional Core Code Templates (Java, C++, …) Template Instantiation Traditional Development Environment Functional Core Code (Java, C++, …) Finite State Models