Upload
vanbao
View
222
Download
0
Embed Size (px)
Citation preview
Virtual Execution of AADL Modelsvia a Translation
into Synchronous Programs
E. Jahier, N. Halbwachs, P. Raymond, X. NicollinVerimag, Grenoble
D. LesensAstrium Space Transportation, Les Mureaux
(Verimag and Astrium) 1 / 31
Synchrony and Asynchrony
1 Synchrony and Asynchrony
2 The Synchronous Paradigm
3 Synchronous Modelling of Asynchrony
4 A case study
5 Translating AADL concepts
6 Current work and conclusion
(Verimag and Astrium) 2 / 31
Synchrony and Asynchrony
Synchrony and Asynchrony (1/3)
Synchronous languages and associated tools (Scade,Esterel-Studio, Sildex, . . . ) are well-established for centralized,statically scheduled applications
What about more complex situations?Need for dynamic scheduling: urgent sporadic events,multiple periodsNeed for distribution: redundancy, performances, physicalconstraints
(Verimag and Astrium) 3 / 31
Synchrony and Asynchrony
Synchrony and Asynchrony (2/3)
In real-time systems, purely asynchronous situations are rare
Partial synchrony, or strongly constrained asynchrony: e.g.,known periodsknown clock driftquite precise WCET
(Verimag and Astrium) 4 / 31
Synchrony and Asynchrony
Synchrony and Asynchrony (3/3)Related works:
extend the synchronous modelCRP [Berry-Shyamasundar-Ramesh],Multiclock-Esterel [Berry-Sentovitch],n-synchrony [Cohen-Duranton-Eisenbeis-Pagetti-Plateau-Pouzet],GALS [Metropolis], [Polychrony],Tag machines [Benveniste-Caillaud-Carloni-Sangiovanni]
less synchronous implementationsMulti-task implementations [SYNDEX], [Caspi-Scaife],Distributed code [Caspi-Girault],[Caspi-Salem], [Potop-Caillaud]
model asynchrony within the synchronous frameworkSafeAir, SafeAir-II projects [Baufreton et-al],Polychrony [Le Guernic-Talpin-Le Lann], [Gamatie-Gautier],this talk (same approach, in the ctxt of the Assert project)
(Verimag and Astrium) 5 / 31
Synchrony and Asynchrony
Synchrony and Asynchrony (3/3)Related works:
extend the synchronous modelCRP [Berry-Shyamasundar-Ramesh],Multiclock-Esterel [Berry-Sentovitch],n-synchrony [Cohen-Duranton-Eisenbeis-Pagetti-Plateau-Pouzet],GALS [Metropolis], [Polychrony],Tag machines [Benveniste-Caillaud-Carloni-Sangiovanni]
less synchronous implementationsMulti-task implementations [SYNDEX], [Caspi-Scaife],Distributed code [Caspi-Girault],[Caspi-Salem], [Potop-Caillaud]
model asynchrony within the synchronous frameworkSafeAir, SafeAir-II projects [Baufreton et-al],Polychrony [Le Guernic-Talpin-Le Lann], [Gamatie-Gautier],this talk (same approach, in the ctxt of the Assert project)
(Verimag and Astrium) 5 / 31
Synchrony and Asynchrony
Synchrony and Asynchrony (3/3)Related works:
extend the synchronous modelCRP [Berry-Shyamasundar-Ramesh],Multiclock-Esterel [Berry-Sentovitch],n-synchrony [Cohen-Duranton-Eisenbeis-Pagetti-Plateau-Pouzet],GALS [Metropolis], [Polychrony],Tag machines [Benveniste-Caillaud-Carloni-Sangiovanni]
less synchronous implementationsMulti-task implementations [SYNDEX], [Caspi-Scaife],Distributed code [Caspi-Girault],[Caspi-Salem], [Potop-Caillaud]
model asynchrony within the synchronous frameworkSafeAir, SafeAir-II projects [Baufreton et-al],Polychrony [Le Guernic-Talpin-Le Lann], [Gamatie-Gautier],this talk (same approach, in the ctxt of the Assert project)
(Verimag and Astrium) 5 / 31
Synchrony and Asynchrony
Synchrony and Asynchrony (3/3)Related works:
extend the synchronous modelCRP [Berry-Shyamasundar-Ramesh],Multiclock-Esterel [Berry-Sentovitch],n-synchrony [Cohen-Duranton-Eisenbeis-Pagetti-Plateau-Pouzet],GALS [Metropolis], [Polychrony],Tag machines [Benveniste-Caillaud-Carloni-Sangiovanni]
less synchronous implementationsMulti-task implementations [SYNDEX], [Caspi-Scaife],Distributed code [Caspi-Girault],[Caspi-Salem], [Potop-Caillaud]
model asynchrony within the synchronous frameworkSafeAir, SafeAir-II projects [Baufreton et-al],Polychrony [Le Guernic-Talpin-Le Lann], [Gamatie-Gautier],this talk (same approach, in the ctxt of the Assert project)
(Verimag and Astrium) 5 / 31
Synchrony and Asynchrony
The ASSERT Project (1/2)
European “Integrated Project” on model-driven design ofembbedded systemsMain application domain: aerospace applications
Target code
Targetarchitecture
(AADL)components
(UML, Scade, C)
Software
(Verimag and Astrium) 6 / 31
Synchrony and Asynchrony
The ASSERT Project (1/2)
European “Integrated Project” on model-driven design ofembbedded systemsMain application domain: aerospace applications
Target code
Targetarchitecture
(AADL)components
(UML, Scade, C)
Software
(Verimag and Astrium) 6 / 31
Synchrony and Asynchrony
The ASSERT Project (2/2)
What this talk is about:
(AADL)
Targetarchitecture
(Scade-Lustre)
Behavioural modelof the architecture
Automatictranslation
VerificationSimulation
Softwarecomponents
(Scade)
(Verimag and Astrium) 7 / 31
The Synchronous Paradigm
1 Synchrony and Asynchrony
2 The Synchronous Paradigm
3 Synchronous Modelling of Asynchrony
4 A case study
5 Translating AADL concepts
6 Current work and conclusion
(Verimag and Astrium) 8 / 31
The Synchronous Paradigm
The Synchronous Paradigm (1/2)
Synchronous machines
Basic components: generalized Mealy machines
~S′ = fS(~I,~S)
~O = fO(~I,~S)~I
~Sf
Behaviour: (~S0,~I0, ~O0),(~S1,~I1, ~O1), . . . ,(~Sn,~In, ~On), . . . ,
with On = fO(~In, ~Sn) and ~Sn+1 = fS(~In, ~Sn)
(Verimag and Astrium) 9 / 31
The Synchronous Paradigm
The Synchronous Paradigm (2/2)
Synchronous machines
Parallel composition:
~S′
~Of
~S
~I
(~S′,~O) = f (~I,~S,~Q)
(~T ′,~Q) = g(~J,~T ,~O)
(deterministic, provided there isno combinational loop)
(Verimag and Astrium) 10 / 31
The Synchronous Paradigm
The Synchronous Paradigm (2/2)
Synchronous machines
Parallel composition:
g~T ′
~Q
~T
~J
~S′
~Of
~S
~I (~S′,~O) = f (~I,~S,~Q)
(~T ′,~Q) = g(~J,~T ,~O)
(deterministic, provided there isno combinational loop)
(Verimag and Astrium) 10 / 31
Synchronous Modelling of Asynchrony
1 Synchrony and Asynchrony
2 The Synchronous Paradigm
3 Synchronous Modelling of Asynchrony
4 A case study
5 Translating AADL concepts
6 Current work and conclusion
(Verimag and Astrium) 11 / 31
Synchronous Modelling of Asynchrony
Synchronous Modelling of Asynchrony (1/4)
Need toprevent a component from reacting (sporadic reactions)non-determinismmodel execution time
(Verimag and Astrium) 12 / 31
Synchronous Modelling of Asynchrony
Synchronous Modelling of Asynchrony (2/4)
Prevent a component from reactingavailable in all synchronous languages:
clocks in Lustre and Signalactivation conditions in Scadesuspend statement in Esterel
(Verimag and Astrium) 13 / 31
Synchronous Modelling of Asynchrony
Synchronous Modelling of Asynchrony (3/4)
Activation condition in Scade
A distinguished Boolean input, say c, de-cides if the component must react.
c
~I ~O
when c = 1 the normal reaction occurswhen c = 0
the state does not change
the output keeps its previous value
(Verimag and Astrium) 14 / 31
Synchronous Modelling of Asynchrony
Synchronous Modelling of Asynchrony (3/4)
Activation condition in Scade
A distinguished Boolean input, say c, de-cides if the component must react.
c
~I ~O
when c = 1 the normal reaction occurs
when c = 0the state does not change
the output keeps its previous value
(Verimag and Astrium) 14 / 31
Synchronous Modelling of Asynchrony
Synchronous Modelling of Asynchrony (3/4)
Activation condition in Scade
A distinguished Boolean input, say c, de-cides if the component must react.
c
~I ~O
when c = 1 the normal reaction occurswhen c = 0
the state does not change
the output keeps its previous value
(Verimag and Astrium) 14 / 31
Synchronous Modelling of Asynchrony
Synchronous Modelling of Asynchrony (3/4)
Activation condition in Scade
A distinguished Boolean input, say c, de-cides if the component must react.
c
~I ~O
when c = 1 the normal reaction occurswhen c = 0
the state does not change
the output keeps its previous value
(Verimag and Astrium) 14 / 31
Synchronous Modelling of Asynchrony
Synchronous Modelling of Asynchrony(4/4)
Non determinismJust by adding auxiliary inputs (oracles)Restriction of non-determinism:
constraints/assumptions on oracles ensured by “assertions”or transducer (scheduler)
(Verimag and Astrium) 15 / 31
Synchronous Modelling of Asynchrony
A task in the synchronous world
t
x
(Verimag and Astrium) 16 / 31
Synchronous Modelling of Asynchrony
A task in the synchronous world
t
x
(Verimag and Astrium) 16 / 31
Synchronous Modelling of Asynchrony
A task in the synchronous world
x
t
x
(Verimag and Astrium) 16 / 31
Synchronous Modelling of Asynchrony
A sporadic or periodic task
x
x
Tt
(Verimag and Astrium) 17 / 31
Synchronous Modelling of Asynchrony
A sporadic or periodic taskperiod T
x
x
Tt
(Verimag and Astrium) 17 / 31
Synchronous Modelling of Asynchrony
Execution time
mM
mM
mM
t
period T
(Verimag and Astrium) 18 / 31
Synchronous Modelling of Asynchrony
Execution time
x
mM
mM
mM
t
period T
(Verimag and Astrium) 18 / 31
Synchronous Modelling of Asynchrony
Execution time
x
∆(m,M)
ω
x
mM
mM
mM
t
period T
(Verimag and Astrium) 18 / 31
A case study
1 Synchrony and Asynchrony
2 The Synchronous Paradigm
3 Synchronous Modelling of Asynchrony
4 A case study
5 Translating AADL concepts
6 Current work and conclusion
(Verimag and Astrium) 19 / 31
A case study
The PFS case study (1/4)
Proximity Flight Safety (PFS), part of the Automatic TransferVehicule (ATV), spacecraft in charge of supplying theInternational Space Station (ISS) ESA, Astrium-STEnsures the safety of the approach of the ATV to the ISS(most safety critical part of the mission)
(Verimag and Astrium) 20 / 31
A case study
������������������
� ������� ������
������� �������
�������
���������
� ����� ���������
� �����������
When anything goes wrong, the PFS is in charge of safelymoving the ATV apart from the ISS, and to orient it towards thesun (“Collision Avoidance Manoeuvre”, CAM)
(Verimag and Astrium) 21 / 31
A case study
The PFS case study (3/4)
The system is made of two redundant “Monitoring and SafetyUnits” (MSU): one master, one backup
Each MSU:detects anomalies: failures of the main computer, abnormalstate of the bus, erroneous position or speed of the ATV,“red button” pressed from inside the ISSdetects its own failures (master change)is able to perform a CAM
(Verimag and Astrium) 22 / 31
A case study
The PFS case study (4/4)Distribution: Two computers (one for each MSU) running inquasi-synchrony
Multitasking: Each MSU consists of two periodic tasks (one fast,one slow). Each task specified in Scade
Processor 1
Fast thread
Processor 2
Fast thread
SP1 SP2 SP1 SP2Slow thread Slow thread
(Verimag and Astrium) 23 / 31
A case study
The PFS case study (4/4)Distribution: Two computers (one for each MSU) running inquasi-synchrony
Multitasking: Each MSU consists of two periodic tasks (one fast,one slow). Each task specified in Scade
Processor 1
Fast thread
Processor 2
Fast thread
SP1 SP2 SP1 SP2Slow thread Slow thread
(Verimag and Astrium) 23 / 31
Translating AADL concepts
1 Synchrony and Asynchrony
2 The Synchronous Paradigm
3 Synchronous Modelling of Asynchrony
4 A case study
5 Translating AADL concepts
6 Current work and conclusion
(Verimag and Astrium) 24 / 31
Translating AADL concepts
Processes: actual clocks
Proc1 Proc2
Fast Th
SP1 SP2
Fast Th
Slow Th
“Quasi-synchronous” clocksused to count periods and deadlines
(Verimag and Astrium) 25 / 31
Translating AADL concepts
Processes: actual clocks
Proc1 Proc2
Fast Th
SP1 SP2
Fast Th
Slow Th
“Quasi-synchronous” clocksused to count periods and deadlines
(Verimag and Astrium) 25 / 31
Translating AADL concepts
Threads: sharing the processor
Proc1
Fast Th
Slow Th
Activity clocks, used to count execution times
(Verimag and Astrium) 26 / 31
Translating AADL concepts
Threads: sharing the processor
Proc1
Fast Th
Slow Th
Activity clocks, used to count execution times
(Verimag and Astrium) 26 / 31
Translating AADL concepts
Threads: sharing the processor
Proc1
Fast Th
Slow Th
Activity clocks, used to count execution times
(Verimag and Astrium) 26 / 31
Translating AADL concepts
Final model
QS
TF
TS
Mm
Mm Mm
SCH
Mm
Mm Mm
SCH
TF
TS
(Verimag and Astrium) 28 / 31
Translating AADL concepts
Applications
extensive simulation(using the tool LURETTE to generate oracles automatically)automatic verification
Example of property of the PFS:“at each instant, one and only one MSU is the master”
Wrong, because of asynchrony.Right property:“at each instant, there is at most one master”“there are at most two clock cycles without master”
(Verimag and Astrium) 29 / 31
Translating AADL concepts
Applications
extensive simulation(using the tool LURETTE to generate oracles automatically)automatic verification
Example of property of the PFS:“at each instant, one and only one MSU is the master”Wrong, because of asynchrony.Right property:“at each instant, there is at most one master”“there are at most two clock cycles without master”
(Verimag and Astrium) 29 / 31
Current work and conclusion
1 Synchrony and Asynchrony
2 The Synchronous Paradigm
3 Synchronous Modelling of Asynchrony
4 A case study
5 Translating AADL concepts
6 Current work and conclusion
(Verimag and Astrium) 30 / 31
Current work and conclusion
Current work
deterministic communicationresource managementscheduling policies
ConclusionGives precise semantics to AADLMakes it executable (early simulation/validation)One more non-synchronous application of synchrony
(Verimag and Astrium) 31 / 31