2015 Concurrency: model-based design 1 ©Magee/Kramer 2 nd Edition Chapter 8 Model-Based Design.

Slides:



Advertisements
Similar presentations
CSC321 §1 Concurrent Programming 1 CSC 321 Concurrent Programming Course web site
Advertisements

DETAILED DESIGN, IMPLEMENTATIONA AND TESTING Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Lecture 8: Three-Level Architectures CS 344R: Robotics Benjamin Kuipers.
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 12Slide 1 Software Design l Objectives To explain how a software design may be represented.
WHAT IS AN OPERATING SYSTEM? An interface between users and hardware - an environment "architecture ” Allows convenient usage; hides the tedious stuff.
Concurrency: model-based design1 ©Magee/Kramer Chapter 8 Model-Based Design.
Concurrency: introduction1 ©Magee/Kramer 2 nd Edition Concurrency State Models and Java Programs Jeff Magee and Jeff Kramer.
Concurrency: safety & liveness properties1 ©Magee/Kramer 2 nd Edition COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 14 Safety and.
MotoHawk Training Model-Based Design of Embedded Systems.
Concurrency.
1: Operating Systems Overview
Why Behavioral Wait statement Signal Timing Examples of Behavioral Descriptions –ROM.
Concurrency: model-based design ©Magee/Kramer Claus Brabrand University of Aarhus Model-Based Design Concurrency.
THE OBJECT-ORIENTED DESIGN WORKFLOW Statechart Diagrams.
Booch Block diagram for cruise control
Concurrency: Deadlock1 ©Magee/Kramer 2 nd Edition Chapter 6 Deadlock.
Concurrency: shared objects & mutual exclusion1 ©Magee/Kramer 2 nd Edition Chapter 4 Shared Objects & Mutual Exclusion.
1 CSCI 6900: Design, Implementation, and Verification of Concurrent Software Eileen Kraemer August 19 th, 2010 The University of Georgia.
Timed UML State Machines Ognyana Hristova Tutor: Priv.-Doz. Dr. Thomas Noll June, 2007.
 2003 Prentice Hall, Inc. All rights reserved. 1 Introduction to Classes and Objects Outline Introduction Classes, Objects, Member Functions and Data.
Instructore: Tasneem Darwish1 University of Palestine Faculty of Applied Engineering and Urban Planning Software Engineering Department Concurrent and.
(C) 2009 J. M. Garrido1 Object Oriented Simulation with Java.
Concurrency: introduction1 ©Magee/Kramer Concurrency State Models and Java Programs Jeff Magee and Jeff Kramer.
Advanced Operating Systems CIS 720 Lecture 1. Instructor Dr. Gurdip Singh – 234 Nichols Hall –
LOGO OPERATING SYSTEM Dalia AL-Dabbagh
Operating System Review September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1.
Java Programming: Advanced Topics
Copyright 2002 Prentice-Hall, Inc. Modern Systems Analysis and Design Third Edition Jeffrey A. Hoffer Joey F. George Joseph S. Valacich Chapter 20 Object-Oriented.
Benjamin Gamble. What is Time?  Can mean many different things to a computer Dynamic Equation Variable System State 2.
Concurrency: processes & threads1 ©Magee/Kramer Chapter 2 Processes & Threads.
Concurrency: introduction1 ©Magee/Kramer 2 nd Edition COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 5 Introduction to Concurrency:
An Introduction to Java Chapter 11 Object-Oriented Application Development: Part I.
1 CSCI 6900: Design, Implementation, and Verification of Concurrent Software Eileen Kraemer August 16 th, 2010 The University of Georgia.
Object-Oriented Modeling Using UML CS 3331 Section 2.3 of Jia 2003.
Java Threads 11 Threading and Concurrent Programming in Java Introduction and Definitions D.W. Denbo Introduction and Definitions D.W. Denbo.
Today’s Agenda  Quick Review  Finish Java Threads  The CS Problem Advanced Topics in Software Engineering 1.
Java Software Solutions Lewis and Loftus Chapter 14 1 Copyright 1997 by John Lewis and William Loftus. All rights reserved. Advanced Flow of Control --
Concurrency: dynamic systems1 ©Magee/Kramer 2 nd Edition Chapter 9 Dynamic Systems.
© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Introduction to Concurrency.
Software Development Cycle What is Software? Instructions (computer programs) that when executed provide desired function and performance Data structures.
CSC321 §6 Modelling Processes using FSP 1 Chapter 6 Modelling Processes using FSP.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 22 Slide 1 Software Verification, Validation and Testing.
1 Qualitative Reasoning of Distributed Object Design Nima Kaveh & Wolfgang Emmerich Software Systems Engineering Dept. Computer Science University College.
CSC321 Concurrent Programming: §5 Monitors 1 Section 5 Monitors.
1 Kyung Hee University Statecharts Spring Kyung Hee University Specifying Objects’ Behaviour  Interaction diagrams show message-passing behaviour.
1: Operating Systems Overview 1 Jerry Breecher Fall, 2004 CLARK UNIVERSITY CS215 OPERATING SYSTEMS OVERVIEW.
1 Model Checking of Robotic Control Systems Presenting: Sebastian Scherer Authors: Sebastian Scherer, Flavio Lerda, and Edmund M. Clarke.
2015 Concurrency: logical properties 1 ©Magee/Kramer 2 nd Edition Chapter 14 Logical Properties Satisfied? Not satisfied?
Multi-Threading in Java
Multithreaded programming  Java provides built-in support for multithreaded programming. A multithreaded program contains two or more parts that can run.
13-1 Chapter 13 Concurrency Topics Introduction Introduction to Subprogram-Level Concurrency Semaphores Monitors Message Passing Java Threads C# Threads.
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
Winter 2007SEG2101 Chapter 121 Chapter 12 Verification and Validation.
Chapter 7 Classes and Methods III: Static Methods and Variables Lecture Slides to Accompany An Introduction to Computer Science Using Java (2nd Edition)
 Simulation enables the study of complex system.  Simulation is a good approach when analytic study of a system is not possible or very complex.  Informational,
Operating Systems Unit 2: – Process Context switch Interrupt Interprocess communication – Thread Thread models Operating Systems.
Agenda  Quick Review  Finish Introduction  Java Threads.
Concurrency (Threads) Threads allow you to do tasks in parallel. In an unthreaded program, you code is executed procedurally from start to finish. In a.
1 7 Systems Analysis and Design in a Changing World, 2 nd Edition, Satzinger, Jackson, & Burd Chapter 7 The Object-Oriented Approach to Requirements.
Concurrency: processes & threads1 ©Magee/Kramer 2 nd Edition Chapter 2 Processes & Threads.
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 10Slide 1 Chapter 5:Architectural Design l Establishing the overall structure of a software.
Distributed Systems Lecture 6 Global states and snapshots 1.
Software Architecture
Advanced Operating Systems CIS 720
Concurrency.
Software Architecture
Chapter 20 Object-Oriented Analysis and Design
Segments Introduction: slides minutes
Software Architecture
Presentation transcript:

2015 Concurrency: model-based design 1 ©Magee/Kramer 2 nd Edition Chapter 8 Model-Based Design

2015 Concurrency: model-based design 2 ©Magee/Kramer 2 nd Edition Design Concepts : design process: requirements to models to implementations Models :check properties of interest: - safety on the appropriate (sub)system - progress on the overall system Practice :model interpretation - to infer actual system behavior threads and monitors Aim : rigorous design process.

2015 Concurrency: model-based design 3 ©Magee/Kramer 2 nd Edition  goals of the system  scenarios (Use Case models)  properties of interest 8.1 from requirements to models Requirements Model  identify the main events, actions, and interactions  identify and define the main processes  identify and define the properties of interest  structure the processes into an architecture  check traces of interest  check properties of interest Any appropriate design approach can be used.

2015 Concurrency: model-based design 4 ©Magee/Kramer 2 nd Edition a Cruise Control System - requirements When the car ignition is switched on and the on button is pressed, the current speed is recorded and the system is enabled: it maintains the speed of the car at the recorded setting. Pressing the brake, accelerator or off button disables the system. Pressing resume or on re- enables the system. buttons

2015 Concurrency: model-based design 5 ©Magee/Kramer 2 nd Edition a Cruise Control System - hardware Wheel revolution sensor generates interrupts to enable the car speed to be calculated. Parallel Interface Adapter (PIA) is polled every 100msec. It records the actions of the sensors: buttons (on, off, resume) brake (pressed) accelerator (pressed) engine (on, off). Output: The cruise control system controls the car speed by setting the throttle via the digital-to-analogue converter.

2015 Concurrency: model-based design 6 ©Magee/Kramer 2 nd Edition model - outline design  outline processes and interactions. Input Speed monitors the speed when the engine is on, and provides the current speed readings to speed control. Sensor Scan monitors the buttons, brake, accelerator and engine events. Cruise Controller triggers clear speed and record speed, and enables or disables the speed control. Speed Control clears and records the speed, and sets the throttle accordingly when enabled. Throttle sets the actual throttle. Sensors Prompts Engine speed setThrottle

2015 Concurrency: model-based design 7 ©Magee/Kramer 2 nd Edition model -design  Main events, actions and interactions. on, off, resume, brake, accelerator engine on, engine off, speed, setThrottle clearSpeed,recordSpeed, enableControl,disableControl  Identify main processes. Sensor Scan, Input Speed, Cruise Controller, Speed Control and Throttle  Identify main properties. safety - disabled when off, brake or accelerator pressed.  Define and structure each process. Sensors Prompts

2015 Concurrency: model-based design 8 ©Magee/Kramer 2 nd Edition model - structure, actions and interactions set Sensors = {engineOn,engineOff,on,off, resume,brake,accelerator} set Engine = {engineOn,engineOff} set Prompts = {clearSpeed,recordSpeed, enableControl,disableControl} The CONTROL system is structured as two processes. The main actions and interactions are as shown.

2015 Concurrency: model-based design 9 ©Magee/Kramer 2 nd Edition model elaboration - process definitions SENSORSCAN = ({Sensors} -> SENSORSCAN). // monitor speed when engine on INPUTSPEED = (engineOn -> CHECKSPEED), CHECKSPEED = (speed -> CHECKSPEED |engineOff -> INPUTSPEED ). // zoom when throttle set THROTTLE =(setThrottle -> zoom -> THROTTLE). // perform speed control when enabled SPEEDCONTROL = DISABLED, DISABLED =({speed,clearSpeed,recordSpeed}->DISABLED | enableControl -> ENABLED ), ENABLED = ( speed -> setThrottle -> ENABLED |{recordSpeed,enableControl} -> ENABLED | disableControl -> DISABLED ).

2015 Concurrency: model-based design 10 ©Magee/Kramer 2 nd Edition model elaboration - process definitions set DisableActions = {off,brake,accelerator} // enable speed control when cruising, disable when a disable action occurs CRUISECONTROLLER = INACTIVE, INACTIVE =(engineOn -> clearSpeed -> ACTIVE |DisableActions -> INACTIVE ), ACTIVE =(engineOff -> INACTIVE |on->recordSpeed->enableControl->CRUISING |DisableActions -> ACTIVE ), CRUISING =(engineOff -> INACTIVE |DisableActions->disableControl->STANDBY |on->recordSpeed->enableControl->CRUISING ), STANDBY =(engineOff -> INACTIVE |resume -> enableControl -> CRUISING |on->recordSpeed->enableControl->CRUISING |DisableActions -> STANDBY ).

2015 Concurrency: model-based design 11 ©Magee/Kramer 2 nd Edition model - CONTROL subsystem ||CONTROL =(CRUISECONTROLLER ||SPEEDCONTROL ). - Is control enabled after the engine is switched on and the on button is pressed? - Is control disabled when the brake is then pressed? - Is control re-enabled when resume is then pressed? Animate to check particular traces: Safety: Is the control disabled when off, brake or accelerator is pressed? Progress: Can every action eventually be selected? However, we need analysis to check exhaustively :

2015 Concurrency: model-based design 12 ©Magee/Kramer 2 nd Edition model - Safety properties Safety properties should be composed with the appropriate system or subsystem to which the property refers. In order that the property can check the actions in its alphabet, these actions must not be hidden in the system. Safety checks are compositional. If there is no violation at a subsystem level, then there cannot be a violation when the subsystem is composed with other subsystems. This is because, if the ERROR state of a particular safety property is unreachable in the LTS of the subsystem, it remains unreachable in any subsequent parallel composition which includes the subsystem. Hence...

2015 Concurrency: model-based design 13 ©Magee/Kramer 2 nd Edition model - Safety properties Is CRUISESAFETY violated? ||CONTROL =(CRUISECONTROLLER ||SPEEDCONTROL ||CRUISESAFETY ). property CRUISESAFETY = ({DisableActions,disableControl} -> CRUISESAFETY |{on,resume} -> SAFETYCHECK ), SAFETYCHECK = ({on,resume} -> SAFETYCHECK |DisableActions -> SAFETYACTION |disableControl -> CRUISESAFETY ), SAFETYACTION =(disableControl->CRUISESAFETY). LTS?

2015 Concurrency: model-based design 14 ©Magee/Kramer 2 nd Edition model - Safety properties Safety analysis using LTSA produces the following violation: Trace to property violation in CRUISESAFETY: engineOn clearSpeed on recordSpeed enableControl engineOff off Strange circumstances! If the system is enabled by switching the engine on and pressing the on button, and then the engine is switched off, it appears that the control system is not disabled.

2015 Concurrency: model-based design 15 ©Magee/Kramer 2 nd Edition model - Safety properties engineOn clearSpeed on recordSpeed enableControl engineOff engineOn speed setThrottle speed setThrottle … The car will accelerate and zoom off when the engine is switched on again! What if the engine is switched on again? We can investigate further using animation … … using LTS? Action hiding and minimization can help to reduce the size of an LTS diagram and make it easier to interpret …

2015 Concurrency: model-based design 16 ©Magee/Kramer 2 nd Edition Model LTS for CONTROLMINIMIZED minimal ||CONTROLMINIMIZED = (CRUISECONTROLLER ||SPEEDCONTROL {Sensors,speed}. … using progress?

2015 Concurrency: model-based design 17 ©Magee/Kramer 2 nd Edition model - Progress properties Progress violation for actions: {accelerator, brake, clearSpeed, disableControl, enableControl, engineOff, engineOn, off, on, recordSpeed, resume} Trace to terminal set of states: engineOn clearSpeed on recordSpeed enableControl engineOff engineOn Cycle in terminal set: speed setThrottle Actions in terminal set: {setThrottle, speed} Check the model for progress properties with no safety property and no hidden actions.

2015 Concurrency: model-based design 18 ©Magee/Kramer 2 nd Edition model - revised cruise controller Modify CRUISECONTROLLER so that control is disabled when the engine is switched off: … CRUISING =(engineOff -> disableControl -> INACTIVE |DisableActions -> disableControl -> STANDBY |on->recordSpeed->enableControl->CRUISING ), … Modify the safety property: property IMPROVEDSAFETY = {DisableActions,disableControl,engineOff} -> IMPROVEDSAFETY |{on,resume} -> SAFETYCHECK ), SAFETYCHECK = ({on,resume} -> SAFETYCHECK |{DisableActions,engineOff} -> SAFETYACTION |disableControl-> IMPROVEDSAFETY ), SAFETYACTION =(disableControl-> IMPROVEDSAFETY). OK now?

2015 Concurrency: model-based design 19 ©Magee/Kramer 2 nd Edition revised CONTROLMINIMIZED No deadlocks/errors

2015 Concurrency: model-based design 20 ©Magee/Kramer 2 nd Edition model analysis ||CONTROL = (CRUISECONTROLLER||SPEEDCONTROL||CRUISESAFETY {Sensors,speed,setThrottle}. ||CRUISECONTROLSYSTEM = (CONTROL||SENSORSCAN||INPUTSPEED||THROTTLE). We can now proceed to compose the whole system: Deadlock? Safety? No deadlocks/errors Progress?

2015 Concurrency: model-based design 21 ©Magee/Kramer 2 nd Edition model - Progress properties Progress checks should be conducted on the complete target system after satisfactory completion of the safety checks. Progress checks are not compositional. Even if there is no violation at a subsystem level, there may still be a violation when the subsystem is composed with other subsystems. This is because an action in the subsystem may satisfy progress yet be unreachable when the subsystem is composed with other subsystems which constrain its behaviour. Hence... No progress violations detected. Progress?

2015 Concurrency: model-based design 22 ©Magee/Kramer 2 nd Edition model - system sensitivities ||SPEEDHIGH = CRUISECONTROLSYSTEM << {speed}. Progress violation for actions: {accelerator, brake, engineOff, engineOn, off, on, resume, setThrottle, zoom} Trace to terminal set of states: engineOn Cycle in terminal set: speed Actions in terminal set: speed The system may be sensitive to the priority of the action speed. What about progress under adverse conditions? Check for system sensitivities.

2015 Concurrency: model-based design 23 ©Magee/Kramer 2 nd Edition model interpretation Models can be used to indicate system sensitivities. If it is possible that erroneous situations detected in the model may occur in the implemented system, then the model should be revised to find a design which ensures that those violations are avoided. However, if it is considered that the real system will not exhibit this behavior, then no further model revisions are necessary. Model interpretation and correspondence to the implementation are important in determining the relevance and adequacy of the model design and its analysis.

2015 Concurrency: model-based design 24 ©Magee/Kramer 2 nd Edition The central role of design architecture Design architecture describes the gross organization and global structure of the system in terms of its constituent components. We consider that the models for analysis and the implementation should be considered as elaborated views of this basic design structure.

2015 Concurrency: model-based design 25 ©Magee/Kramer 2 nd Edition 8.2 from models to implementations Model Java  identify the main active entities - to be implemented as threads  identify the main (shared) passive entities - to be implemented as monitors  identify the interactive display environment - to be implemented as associated classes  structure the classes as a class diagram

2015 Concurrency: model-based design 26 ©Magee/Kramer 2 nd Edition cruise control system - class diagram SpeedControl interacts with the car simulation via interface CarSpeed. CRUISECONTROLLERSPEEDCONTROL

2015 Concurrency: model-based design 27 ©Magee/Kramer 2 nd Edition cruise control system - class Controller class Controller { final static int INACTIVE = 0; // cruise controller states final static int ACTIVE = 1; final static int CRUISING = 2; final static int STANDBY = 3; private int controlState = INACTIVE; //initial state private SpeedControl sc; Controller(CarSpeed cs, CruiseDisplay disp) {sc=new SpeedControl(cs,disp);} synchronized void brake(){ if (controlState==CRUISING ) {sc.disableControl(); controlState=STANDBY; } } synchronized void accelerator(){ if (controlState==CRUISING ) {sc.disableControl(); controlState=STANDBY; } } synchronized void engineOff(){ if(controlState!=INACTIVE) { if (controlState==CRUISING) sc.disableControl(); controlState=INACTIVE; } Controller is a passive entity - it reacts to events. Hence we implement it as a monitor

2015 Concurrency: model-based design 28 ©Magee/Kramer 2 nd Edition cruise control system - class Controller synchronized void engineOn(){ if(controlState==INACTIVE) {sc.clearSpeed(); controlState=ACTIVE;} } synchronized void on(){ if(controlState!=INACTIVE){ sc.recordSpeed(); sc.enableControl(); controlState=CRUISING; } synchronized void off(){ if(controlState==CRUISING ) {sc.disableControl(); controlState=STANDBY;} } synchronized void resume(){ if(controlState==STANDBY) {sc.enableControl(); controlState=CRUISING;} } This is a direct translation from the model.

2015 Concurrency: model-based design 29 ©Magee/Kramer 2 nd Edition cruise control system - class SpeedControl class SpeedControl implements Runnable { final static int DISABLED = 0; //speed control states final static int ENABLED = 1; private int state = DISABLED; //initial state private int setSpeed = 0; //target speed private Thread speedController; private CarSpeed cs; //interface to control speed private CruiseDisplay disp; SpeedControl(CarSpeed cs, CruiseDisplay disp){ this.cs=cs; this.disp=disp; disp.disable(); disp.record(0); } synchronized void recordSpeed(){ setSpeed=cs.getSpeed(); disp.record(setSpeed); } synchronized void clearSpeed(){ if (state==DISABLED) {setSpeed=0;disp.record(setSpeed);} } synchronized void enableControl(){ if (state==DISABLED) { disp.enable(); speedController= new Thread(this); speedController.start(); state=ENABLED; } SpeedControl is an active entity - when enabled, a new thread is created which periodically obtains car speed and sets the throttle.

2015 Concurrency: model-based design 30 ©Magee/Kramer 2 nd Edition cruise control system - class SpeedControl synchronized void disableControl(){ if (state==ENABLED) {disp.disable(); state=DISABLED;} } public void run() { // the speed controller thread try { while (state==ENABLED) { double error = (float)(setSpeed-cs.getSpeed())/6.0; double steady = (double)setSpeed/12.0; cs.setThrottle(steady+error);//simplified feed back control wait(500); } } catch (InterruptedException e) {} speedController=null; } SpeedControl is an example of a class that combines both synchronized access methods (to update local variables ) and a thread.

2015 Concurrency: model-based design 31 ©Magee/Kramer 2 nd Edition Summary  Concepts design process: from requirements to models to implementations design architecture  Models check properties of interest safety: compose safety properties at appropriate (sub)system progress: apply progress check on the final target system model  Practice model interpretation - to infer actual system behavior threads and monitors Aim : rigorous design process.

2015 Concurrency: model-based design 32 ©Magee/Kramer 2 nd Edition Course Outline  Processes and Threads  Concurrent Execution  Shared Objects & Interference  Monitors & Condition Synchronization  Deadlock  Safety and Liveness Properties  Model-based Design  Dynamic systems  Message Passing  Concurrent Software Architectures Concepts Models Practice  Timed Systems  Program Verification  Logical Properties The main basic Advanced topics …

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.