Presentation is loading. Please wait.

Presentation is loading. Please wait.

Heterogeneous Reactive System Modeling and Correct-by-Construction Deployment nov. 2003 Luca Carloni UC Berkeley Alberto Sangiovanni-Vincentelli UC Berkeley.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Heterogeneous Reactive System Modeling and Correct-by-Construction Deployment nov. 2003 Luca Carloni UC Berkeley Alberto Sangiovanni-Vincentelli UC Berkeley."— Presentation transcript:

1 Heterogeneous Reactive System Modeling and Correct-by-Construction Deployment nov. 2003 Luca Carloni UC Berkeley Alberto Sangiovanni-Vincentelli UC Berkeley Albert Benveniste Irisa/Inria Benoît Caillaud Irisa/Inria Paul Caspi Verimag

2 Outline Dealing with systems & components requires handling heterogeneity –Tools with different MoC and paradigms –Heterogeneous architectures and systems –Correct-By-Construction deployment: what and how? Modeling Heterogeneous Systems –Tagged-Signal Model –Desynchronization –Heterogeneous parallel composition –Semantic Preserving Theoretical Results –General theorem on semantic-preserving deployment –Endo/iso-chrony –Correct-By-Construction deployment over GALS Architectures

3 Heterogeneous models: design flow in automobile or aeronautics Systems modeling (UML, MDA,…) –Loose model of computation & communication Matlab/Simulink/Stateflow –Continuous time basis Statemate, synchronous languages Late assembly of imported functions –Can be in C… –Depends on OS and execution infrastructure Deployment –CAN, ARINC, TTA,…

4 Distributed Nature of Implementations in hardware –with DSM technologies, the chip becomes a distributed system –wire delays not negligible w.r.t. transistor delays –on-chip communication latency is hard to estimate in (embedded) software –applications with distributed nature badly matching the synchronous assumption real-time safety critical embedded systems in avionics and automotive industries industrial plants, transportation/power networks –large variations in computation/communication times –hard to maintain a global notion of time

5 DSM: Percentage of Reachable Die 16 clock cyles 8 clock cycles 4 clock cycles 2 clock cycles 1 clock cycle “For a 60 nanometer process a signal can reach only 5% of the die’s length in a clock cycle” [D. Matzke,1997] Cause: Combination of high frequencies and slower wires

6 Heterogeneous architectures: electronics for the Car Information Systems Telematics Fault Tolerant Body Electronics Body Functions Fail Safe Fault Functional Body Electronics Driving and Vehicle Dynamic Functions Mobile CommunicationsNavigation Fire Wall Access to WWW DAB Gate Way Theft warning Door Module Light Module Air Conditioning Shift by Wire Engine Management ABS Steer by Wire Brake by Wire MOST Firewire CAN Lin CAN TTCAN FlexRay

7 Classes of heterogeneous systems: GALS (in “asynch” HW and OO-SW) synchronous asynchronous

8 Classes of heterogeneous systems: LTTA ( distributed control) [BenvCaspi&al, Emsoft2002] synchronous timed synchronous timed asynchronous timed (bounded delay)

9 How to blend heterogeneous models while “preserving semantics”? synch synch + timed What have you asynch asynch + timed

10 How to blend heterogeneous models while “preserving semantics”? Our proposal: synch asynch by generating proper adaptors asynch + timed synch + timed What have you

11 Adaptors for GALS: informal discussion X Y Z X Y Z X Y Z synch asynch

12 Adaptors for GALS: informal discussion How to ensure that the two components do not see the difference when moving from synchrony to GALS?

13 Adaptors for GALS: informal discussion How to ensure that the two components do not see the difference when moving from synchrony to GALS? Easy if known to be single-clocked: bananas !

14 Adaptors for GALS: informal discussion How to ensure that the two components do not see the difference when moving from synchrony to GALS? In general bananas can be many! bananas ???

15 Adaptors for GALS: informal discussion Solution: attach to each wire a boolean_clock that is present in each reaction and tells you the presence/absence for the wire (cf. hardware) bananas ??? fftt ff

16 Adaptors for GALS: informal discussion OK, but poor if slow/fast communications between components, because all boolean clocks must be communicated at fastest pace  theory needed! bananas ??? fftt ff

17 Outline Dealing with systems & components requires handling heterogeneity –Tools with different MoC and paradigms –Heterogeneous systems –Correct-By-Construction deployment: what and how? Modeling Heterogeneous Systems –Tagged-Signal Model –Desynchronization –Heterogeneous parallel composition –Semantic Preserving Theoretical Results –General theorem on semantic-preserving deployment –Endo/iso-chrony –Correct-By-Construction deployment over GALS Architectures

18 Formalizing GALS X Y Z X Y Z X Y Z synch asynch

19 Formalizing GALS [LeeASV98] X Y Z 1346 46 123 asynch + TAGS X Y Z asynch X Y Z synch = …

20 Formalizing GALS: desynchronization X Y Z 1346 46 123 asynch + TAGS X Y Z asynch desynchronise = remove TAGS

21 Formalizing GALS: P  ||   Q X Y V 1346 46 unify values and TAGS X Y U 1346 46

22 Formalizing GALS: P  ||   Q X Y V 1346 46 X Y U 35712 23 ignore unify values, ignore TAGS [LeGuerTal2002] 

23 Formalizing GALS: P  ||   Q X Y V 1346 46 X Y U 35712 23 ignore unify values, ignore TAGS on the left  synch asynch

24 TAGS generalize and heterogeneize X Z 1, t  1, s  2, s  3, t  4, t  4, s  a TAG consisting of the triple (reaction, physical time, causality)

25 TAGS generalize and heterogeneize X Y U t1t2t3t4 23 TAGS can belong to any partially ordered set – tags can index reactions, can be (global or local) real time R, can encode causality, can do both, etc. TAGS can be tuples – (generalized) desynchronization consists in erasing some components of the tag; yields morphisms of tag sets, we denote them by  different TAG sets can be used for different systems – we can mix synchronous systems (with tag set N) and asynchronous ones (with trivial tag set), and more

26 TAGS generalize and heterogeneize synch Synch + timed What have you asynch

27 Is this any useful???

28 Yes! For correct deployment synch

29 Yes! For correct deployment synch asynch

30 Sometimes this move is OK, sometimes not… make it OK! synch asynch

31 Sometimes this move is OK, sometimes not… make it OK! synch asynch using adaptors

32 Outline Dealing with systems & components requires handling heterogeneity –Tools with different MoC and paradigms –Heterogeneous systems –Correct-By-Construction deployment: what and how? Modeling Heterogeneous Systems –Tagged-Signal Model –Desynchronization –Heterogeneous parallel composition –Semantic Preserving Theoretical Results –General theorem on semantic-preserving deployment –Endo/iso-chrony –Correct-By-Construction deployment over GALS Architectures

33 A theory to automatically generate adaptors

34 Semantic-Preserving Time Changes Given P 1 =(V 1,T 1 ), P 2 =(V 2,T 2 ) with time change mappings  : T 1  T and  : T 2  T let T 1 =T 2 and consider two semantics: - the Strong Semantics: P 1  ||  P 2 [unify values & all_tags] - the Weak Semantics: P 1  ||  P 2 [ignore  (tags)]  is semantics-preserving when two behaviors, which compose according to the strong semantics, compose also according to the weak one, written P 1  ||  P 2  P 1  ||  P 2 Define also P i,  =(V i,T), the desynchronization of P i

35 Semantic-Preserving Time Changes Given P 1 =(V 1,T 1 ), P 2 =(V 2,T 2 ) with time change mappings  : T 1  T and  : T 2  T let T 1 =T 2 and consider two semantics: - the Strong Semantics: P 1  ||  P 2 [unify values&all_tags] - the Weak Semantics: P 1  ||  P 2 [ignore  (tags)]  is semantics-preserving when two behaviors, which compose according to the strong semantics, compose also according to the weak one, written P 1  ||  P 2  P 1  ||  P 2 Define also P i,  =(V i,T), the desynchronization of P i

36 Theorem [Emsoft2003] Given P 1 =(V 1,T 1 ), P 2 =(V 2,T 2 ) with T 1 =T 2 : P 1  ||  P 2  P 1  ||  P 2  i  {1,2} : P i,  is in bijection with P i (P  )  || (Q  ) = (P  || Q)  (1) (2) GALS: endochrony  GALS: isochrony  (1) (2)

37 Endochrony & Isochrony for GALS [BenvCaillaud2000] A synchronous process P is endochronous when at each state the presence/absence of each variable can be inferred incrementally from the values carried by present input variables and state variables. A synchronous pair ( P 1,P 2 ) is isochronous when at each state if each pair of shared variables that are present in both P 1,P 2 have the same value then all the shared variable are either present with the same value or absent endo+iso  deployment is semantics preserving

38 Endochrony & Isochrony for GALS [BenvCaillaud2000] A process P is endochronous when at each state the presence/absence of each variable can be inferred incrementally from the values carried by present input variables and state variables. A pair ( P 1,P 2 ) is isochronous when at each state if each pair of shared variables that are present in both P 1,P 2 have the same value then all the shared variable are either present with the same value or absent Endochrony and isochrony are expressed in terms of transition relations (not infinite behaviors) –They can be model-checked –They can be synthesized: for a given P wrapper processes with additional signalling can be derived and composed with P to guarantee each property. Wrappers provide “cheap additional signalling”

39 Future extension: finite generators for general TAG systems X Z 1, t  1, s  2, s  3, t  4, t  4, s  TAG set equipped with a monoid structure making it a partial order Alike generalized HMSC’s (High-level Message Sequence Charts), with asynchronous concatenation Labeled by TAGS: TAG-HMSC Future work: endo/iso for TAG-HMSC’s    .

40 Conclusion Heterogeneous reactive systems modeled as tagged systems Tag sets to capture: reaction indices, physical time, causalities… and their combination Desynchronizing  erasing (part of) tags Theorems to cast semantics preserving as specific algebraic properties of tuples of systems Goal: to generate adaptors for correct-by- construction deployment

41 a  n  o  

Download ppt "Heterogeneous Reactive System Modeling and Correct-by-Construction Deployment nov. 2003 Luca Carloni UC Berkeley Alberto Sangiovanni-Vincentelli UC Berkeley."

Similar presentations

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Impossibility of Distributed Consensus with One Faulty Process

Impossibility of Distributed Consensus with One Faulty Process
Timed Automata.

Timed Automata.
Weakly endochronous systems Dumitru Potop-Butucaru IRISA, France Joint work with A. Benveniste and B. Caillaud.

Weakly endochronous systems Dumitru Potop-Butucaru IRISA, France Joint work with A. Benveniste and B. Caillaud.
Presented by: Thabet Kacem Spring 2010. Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.

Presented by: Thabet Kacem Spring Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Run Time Monitoring of Reactive System Models Mikhail Auguston Naval Postgraduate School Mark Trakhtenbrot Holon Academic Institute of.

Run Time Monitoring of Reactive System Models Mikhail Auguston Naval Postgraduate School Mark Trakhtenbrot Holon Academic Institute of.
1 Towards formal manipulations of scenarios represented by High-level Message Sequence Charts Loïc Hélouet Claude Jard Benoît Caillaud IRISA/PAMPA (INRIA/CNRS/Univ.

1 Towards formal manipulations of scenarios represented by High-level Message Sequence Charts Loïc Hélouet Claude Jard Benoît Caillaud IRISA/PAMPA (INRIA/CNRS/Univ.
Overview This project applies the tagged-signal model to explain the semantics of piecewise continuous signals. Then it illustrates an operational way.

Overview This project applies the tagged-signal model to explain the semantics of piecewise continuous signals. Then it illustrates an operational way.
Introduction Designing cost-sensitive real-time control systems for safety-critical applications requires a careful analysis of the cost/fault-coverage.

Introduction Designing cost-sensitive real-time control systems for safety-critical applications requires a careful analysis of the cost/fault-coverage.
I MPLEMENTING S YNCHRONOUS M ODELS ON L OOSELY T IME T RIGGERED A RCHITECTURES Discussed by Alberto Puggelli.

I MPLEMENTING S YNCHRONOUS M ODELS ON L OOSELY T IME T RIGGERED A RCHITECTURES Discussed by Alberto Puggelli.
2/11/2010 BEARS 2010 On PTIDES Programming Model John Eidson Jeff C. Jensen Edward A. Lee Slobodan Matic Jia Zou PtidyOS.

2/11/2010 BEARS 2010 On PTIDES Programming Model John Eidson Jeff C. Jensen Edward A. Lee Slobodan Matic Jia Zou PtidyOS.
PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.

PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.
7th Biennial Ptolemy Miniconference Berkeley, CA February 13, 2007 Causality Interfaces for Actor Networks Ye Zhou and Edward A. Lee University of California,

7th Biennial Ptolemy Miniconference Berkeley, CA February 13, 2007 Causality Interfaces for Actor Networks Ye Zhou and Edward A. Lee University of California,
Automated Analysis and Code Generation for Domain-Specific Models George Edwards Center for Systems and Software Engineering University of Southern California.

Automated Analysis and Code Generation for Domain-Specific Models George Edwards Center for Systems and Software Engineering University of Southern California.
Ordering and Consistent Cuts Presented By Biswanath Panda.

Ordering and Consistent Cuts Presented By Biswanath Panda.
Distributed systems Module 2 -Distributed algorithms Teaching unit 1 – Basic techniques Ernesto Damiani University of Bozen Lesson 3 – Distributed Systems.

Distributed systems Module 2 -Distributed algorithms Teaching unit 1 – Basic techniques Ernesto Damiani University of Bozen Lesson 3 – Distributed Systems.
Introduction to asynchronous circuit design: specification and synthesis Part III: Advanced topics on synthesis of control circuits from STGs.

Introduction to asynchronous circuit design: specification and synthesis Part III: Advanced topics on synthesis of control circuits from STGs.
1 Ivan Lanese Computer Science Department University of Bologna Roberto Bruni Computer Science Department University of Pisa A mobile calculus with parametric.

1 Ivan Lanese Computer Science Department University of Bologna Roberto Bruni Computer Science Department University of Pisa A mobile calculus with parametric.
Review of “Embedded Software” by E.A. Lee Katherine Barrow Vladimir Jakobac.

Review of “Embedded Software” by E.A. Lee Katherine Barrow Vladimir Jakobac.

Similar presentations

Ads by Google