Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 LiSyC ENSIETA/DTN 02/04/2008 AADL execution semantics transformation for formal verification Joel Champeau, Thomas Abdoul, Pierre Yves Pillain, Philippe.

Published byAlexandra Byrd Modified over 9 years ago

Similar presentations

Presentation on theme: "1 LiSyC ENSIETA/DTN 02/04/2008 AADL execution semantics transformation for formal verification Joel Champeau, Thomas Abdoul, Pierre Yves Pillain, Philippe."— Presentation transcript:

1 1 LiSyC ENSIETA/DTN 02/04/2008 AADL execution semantics transformation for formal verification Joel Champeau, Thomas Abdoul, Pierre Yves Pillain, Philippe Dhaussy, Jean Charles Roger LiSyC ENSIETA/DTN joel.champeau@ensieta.fr

2 2 LiSyC ENSIETA/DTN 02/04/2008 Context MDD approach for embedded systems MDD approach provides opportunity to develop or to couple analysis methods and tools. Multiformalism inputs for a same formal technique. Improvements of modeling techniques for this purpose: –View point dedicated to behavioral analysis. –Including execution models in metamodels

3 3 LiSyC ENSIETA/DTN 02/04/2008 Observer Based Prover (OBP) Environment Simulation & exploration of Transition system Property Observer Restriction Automata Context Automata System Composition IF-2 Programs Transformations Models (SDL, UML, AADL) Formal model (IF-2) Platform Models Diagnostic Models Diagnostics Plugging Eclipse / TopCased OBP platform is developed in the TOPCASED project context* Requirement and context Models (CDL) * Granded by French industry ministry

4 4 LiSyC ENSIETA/DTN 02/04/2008 Contents Introduction Used formalisms in the transformation –Target language : IF Language –Source language : AADL execution model AADL model transformation –Transformation context –Structure –Behavior –Execution semantics Experiments and analysis Conclusion

5 5 LiSyC ENSIETA/DTN 02/04/2008 Introduction Multiformalism approach context Capitalization on: –Formal verification technique based on Observer with a tool (OBP) –Design modular and reusable transformations Improve the execution semantic modeling in the metamodel.

6 6 LiSyC ENSIETA/DTN 02/04/2008 Contents Introduction Used formalisms in the transformation AADL model transformation Experiments and analysis Conclusion

7 7 LiSyC ENSIETA/DTN 02/04/2008 IF language If language is used in the IFx framework: –If simulator –Reachability graph for analysis –Time is discrete or dense. If language –The system entity is the root concept –A system is composed of active entities = process –The processes are timed automata –The processes interact with signal based on asynchronous communications. Advantages of the IF language –Timed behavior modeling –Asynchronous communication –Efficient tooling

8 8 LiSyC ENSIETA/DTN 02/04/2008 AADL language Based on hierarchical definition of components: –Software and hardware categories –Connection and port for communication –Behavior annex to describe the inside component behavior. NTIF language for our purpose, due to its clear and precise semantics. –Execution model precisely defined: Process and Thread management Concept of mode AADL properties –Adding dedicated information –Standard and custom properties Properties for execution model –Subprogram invocation = Server_Call_Protocol (Synchronous, half synchronous or asynchronous) –Dispatch_Protocol = period value for periodical Threads –Port mechanism with Queue_Size, Queue_Processing_Protocol, Overflow_Handling_Protocol

9 9 LiSyC ENSIETA/DTN 02/04/2008 AADL language Control automaton for Thread dispatch protocol –Without modes Thread initialization Wait For Dispatch Thread Computation complete initialization assert t <= Initialize_Deadline ? Enabled(t) Dispatch computation t<- 0 complete computation assert t <= Compute_Deadline t<- 0 Thread halted a b Buffer (Port a) Internal counter (Port b) AADL Thread 3 aaa b aa

10 10 LiSyC ENSIETA/DTN 02/04/2008 AADL language Control automaton for Thread dispatch protocol Thread initialization Wait For Dispatch Thread Computation complete initialization assert t <= Initialize_Deadline ? Enabled(t) Dispatch computation t<- 0 complete computation assert t <= Compute_Deadline t<- 0 Thread halted a b Buffer (Port a) Internal counter (Port b) AADL Thread 1 aa

11 11 LiSyC ENSIETA/DTN 02/04/2008 AADL language Control automaton for Thread dispatch protocol Thread initialization Wait For Dispatch Thread Computation complete initialization assert t <= Initialize_Deadline ? Enabled(t) Dispatch computation t<- 0 complete computation assert t <= Compute_Deadline t<- 0 Thread halted a b Buffer (Port a) Internal counter (Port b) AADL Thread 3 aaa b aa

12 12 LiSyC ENSIETA/DTN 02/04/2008 Contents Introduction Used formalisms in the transformation AADL model transformation Experiments and analysis Conclusion

13 13 LiSyC ENSIETA/DTN 02/04/2008 Transformation context Eclipse/EMF framework IF metamodel created –120 metaclasses with 17 abstract classes AADL metamodel –Standard Eclipse implementation –254 metaclasses with 56 abstract classes –NTIF metamodel created for behavior annex Kermeta metalanguage [INRIA/Triskell] –For complementary metamodeling –Transformation with Visitor pattern

14 14 LiSyC ENSIETA/DTN 02/04/2008 Structure transformation Validation purpose, focus on: –Behavior of software components –Process and Thread with port management Basic concept equivalences –AADL SystemImpl to IF System –AADL data types to IF types –Process and Thread to IF process Port and properties –Port management with Event and EventData to IF Signals with independent process –Time value of the thread Dispatch_Protocol property memorized and processed. Conclusion –Static structure mapped to the IF structure –Execution information via properties are memorized

15 15 LiSyC ENSIETA/DTN 02/04/2008 Behavior transformation Including : –Behavior description with the NTIF language –AADL Subprogram management Behavior description –NTIF and IF are closed –But NTIF provides high level instructions, like Select: Several transition out of a state to intermediate states with property on transitions AADL Subprogram –Property Server_Call_Protocol = HSER (synchronous call)

16 16 LiSyC ENSIETA/DTN 02/04/2008 Behavior transformation IF result for a subprogram call. state Producer_Receive; deadline eager; provided put_bitReceives = 7; fork process_subprogram_put(word,self); nextstate Producer_Receive_wait_put; …. endstate; state Producer_Receive_wait_put; deadline eager; input put_return(); task put_bitReceives := 0; nextstate Producer_End; endstate; state Producer_End; …. Endstate;

17 17 LiSyC ENSIETA/DTN 02/04/2008 Execution model transformation Execution model is not explicitly in the metamodel definition –Definition is splitted in several properties –Control automaton for thread management only in the standard Control automaton –States are added –IF clocks for transition guards –Thread computation state is the behavior of the thread Thread initialization Wait For Dispatch Thread Computation complete initialization assert t <= Initialize_Deadline ? Enabled(t) Dispatch computation t<- 0 complete computation assert t <= Compute_Deadline t<- 0 Thread halted

18 18 LiSyC ENSIETA/DTN 02/04/2008 Execution model transformation Port management and the dispatch protocol a b Internal buffer (Port a) Internal counter (Port b) 1 aabb aaa IF Dispatch Process aaa 2 IF ThreadProcess aa 1 « public » Control and data signals AADL Thread

19 19 LiSyC ENSIETA/DTN 02/04/2008 Execution model transformation To improve the execution model transformation: –2 metaclasses added: DispatchBehavior –Properties to control the dispatch mechanism. –Queue_Processing_Protocol, Queue_Processing_Protocol, Dispatch_Protocol, … Behavior –Entry point for the behavior –Execution deadline with the value of Thread_Comptutation_Deadline Control automaton management (3 versions) 1.Hard coded in the transformation 2.IF model loaded 3.Beginning of a metamodeled definition to complete the AADL metamodel

20 20 LiSyC ENSIETA/DTN 02/04/2008 Experiments and analysis Application on Sensor/Filter model –Real time application with different frequencies for the threads –Sporadic and period threads Transformation metrics –AADL model 417 objects from 62 metaclasses (out of 254, and 56 abstracts) –IF Model 512 objects from 59 metaclasses (out of 120 and 17 abstracts) IF model growing –The behavior transformation creates more transitions and states –The execution model is not explicitly defined in the source model. Execution model metaclasses instantiated before applying transformation. Modular transformation implementation based on 3 parts: –Structure –Behavior –Execution model

21 21 LiSyC ENSIETA/DTN 02/04/2008 Conclusion AADL to IF transformation –AADL metamodel analysis –Execution model analysis for our purpose –Modular and reusable implementation Using Kermeta: –Adding concepts by metamodel veawing. Any impact on the ECore “standard” implementation –Transformation implementation with the extended metamodel. Future works –Complete the transformation. –Test on other AADL models –Improve the execution model definition Adding the control automaton definition in the metamodel

22 22 LiSyC ENSIETA/DTN 02/04/2008 Questions ?

Download ppt "1 LiSyC ENSIETA/DTN 02/04/2008 AADL execution semantics transformation for formal verification Joel Champeau, Thomas Abdoul, Pierre Yves Pillain, Philippe."

Similar presentations

Embedded System, A Brief Introduction

Embedded System, A Brief Introduction
INTERVAL Next Previous 13/02/2014 1 Timed extensions to SDL Analysis requirements –Assumptions on moments and duration Semantics with controllable time.

INTERVAL Next Previous 13/02/ Timed extensions to SDL Analysis requirements –Assumptions on moments and duration Semantics with controllable time.
Profiles Construction Eclipse ECESIS Project - 1 - Construction of Complex UML Profiles UPM ETSI Telecomunicación Ciudad Universitaria s/n Madrid 28040,

Profiles Construction Eclipse ECESIS Project Construction of Complex UML Profiles UPM ETSI Telecomunicación Ciudad Universitaria s/n Madrid 28040,
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Timed Automata.

Timed Automata.
Eugene Syriani * † Hans Vangheluwe * ‡ Amr Al Mallah * † * ‡ Tuscaloosa, AL Montreal, Canada Antwerp, Belgium.

Eugene Syriani * † Hans Vangheluwe * ‡ Amr Al Mallah * † * ‡ Tuscaloosa, AL Montreal, Canada Antwerp, Belgium.
Sensor Network Platforms and Tools

Sensor Network Platforms and Tools
A Brief Introduction. Acknowledgements  The material in this tutorial is based in part on: Concurrency: State Models & Java Programming, by Jeff Magee.

A Brief Introduction. Acknowledgements  The material in this tutorial is based in part on: Concurrency: State Models & Java Programming, by Jeff Magee.
Automatic Verification of Component-Based Real-Time CORBA Applications Gabor Madl Sherif Abdelwahed

Automatic Verification of Component-Based Real-Time CORBA Applications Gabor Madl Sherif Abdelwahed
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
1 Flexible Subtyping Relations for Component- Oriented Formalisms and their Verification David Hurzeler PhD Examination, 9/11/2004.

1 Flexible Subtyping Relations for Component- Oriented Formalisms and their Verification David Hurzeler PhD Examination, 9/11/2004.
Architecture Modeling and Analysis for Embedded Systems Oleg Sokolsky CIS700 Fall 2005.

Architecture Modeling and Analysis for Embedded Systems Oleg Sokolsky CIS700 Fall 2005.
VERTAF: An Application Framework for Design and Verification of Embedded Real-Time Software Pao-Ann Hsiung, Shang-Wei Lin, Chih-Hao Tseng, Trong-Yen Lee,

VERTAF: An Application Framework for Design and Verification of Embedded Real-Time Software Pao-Ann Hsiung, Shang-Wei Lin, Chih-Hao Tseng, Trong-Yen Lee,
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Presenter : Shih-Tung Huang Tsung-Cheng Lin Kuan-Fu Kuo 2015/6/15 EICE team Model-Level Debugging of Embedded Real-Time Systems Wolfgang Haberl, Markus.

Presenter : Shih-Tung Huang Tsung-Cheng Lin Kuan-Fu Kuo 2015/6/15 EICE team Model-Level Debugging of Embedded Real-Time Systems Wolfgang Haberl, Markus.
A Formal Model of Computation for Sensory-Based Robotics

A Formal Model of Computation for Sensory-Based Robotics
1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.
Verifying Distributed Real-time Properties of Embedded Systems via Graph Transformations and Model Checking Gabor Madl

Verifying Distributed Real-time Properties of Embedded Systems via Graph Transformations and Model Checking Gabor Madl
Model-based Analysis of Distributed Real-time Embedded System Composition Gabor Madl Sherif Abdelwahed

Model-based Analysis of Distributed Real-time Embedded System Composition Gabor Madl Sherif Abdelwahed
November 18, 2004 Embedded System Design Flow Arkadeb Ghosal Alessandro Pinto Daniele Gasperini Alberto Sangiovanni-Vincentelli

November 18, 2004 Embedded System Design Flow Arkadeb Ghosal Alessandro Pinto Daniele Gasperini Alberto Sangiovanni-Vincentelli

Similar presentations

Ads by Google