Heterogeneous Reactive System Modeling and Correct-by-Construction Deployment
Nov. 2003
Luca Carloni, UC Berkeley
Alberto Sangiovanni-Vincentelli, UC Berkeley
Albert Benveniste, Irisa/Inria
Benoît Caillaud, Irisa/Inria
Paul Caspi, Verimag
Outline
• Dealing with systems & components requires handling heterogeneity
– Tools with different MoC and paradigms
– Heterogeneous architectures and systems
– Correct-By-Construction deployment: what and how?
• Modeling Heterogeneous Systems
– Tagged-Signal Model
– Desynchronization
– Heterogeneous parallel composition
– Semantic Preserving
• Theoretical Results
– General theorem on semantic-preserving deployment
– Endo/iso-chrony
– Correct-By-Construction deployment over GALS Architectures
Heterogeneous models: design flow in automobile or aeronautics
• Systems modeling (UML, MDA, …)
– Loose model of computation & communication
• Matlab/Simulink/Stateflow
– Continuous time basis
• Statemate, synchronous languages
• Late assembly of imported functions
– Can be in C…
– Depends on OS and execution infrastructure
• Deployment
– CAN, ARINC, TTA, …
Heterogeneous architectures: electronics for the Car
[Figure: electronic architecture of a car. Domains: Information Systems / Telematics, Fault Tolerant Body Electronics, Body Functions, Fail Safe Functional Body Electronics, Driving and Vehicle Dynamics Functions. Modules: Mobile Communications, Navigation, FireWall, Access to WWW, DAB, GateWay, Theft warning, Door Module, Light Module, AirConditioning, Shift by Wire, Engine Management, ABS, Steer by Wire, Brake by Wire. Buses: MOST, Firewire, CAN, LIN, TTCAN, FlexRay.]
Classes of heterogeneous systems: GALS (in “asynch” HW and OO-SW)
[Figure: synchronous components communicating over an asynchronous medium]
Classes of heterogeneous systems: LTTA (distributed control) [BenvCaspi&al, Emsoft2002]
[Figure: synchronous and timed synchronous components communicating over a timed asynchronous medium (bounded delay)]
How to blend heterogeneous models while “preserving semantics”?
[Figure: models of different classes to be blended: synch, synch + timed, asynch, asynch + timed, what have you]
How to blend heterogeneous models while “preserving semantics”? Our proposal: by generating proper adaptors
[Figure: the same classes (synch, asynch, synch + timed, asynch + timed, what have you) connected through generated adaptors]
Adaptors for GALS: informal discussion
[Figure: two synchronous components, each with wires X, Y, Z, communicating asynchronously]
How to ensure that the two components do not see the difference when moving from synchrony to GALS?
• Easy if known to be single-clocked: bananas!
• In general bananas can be many!
• Solution: attach to each wire a boolean clock that is present in each reaction and tells you the presence/absence for the wire (cf. hardware), e.g. ff tt tt tt ff ff
• OK, but poor if slow/fast communications between components, because all boolean clocks must be communicated at fastest pace: theory needed!
Formalizing GALS
[Figure: two synchronous components with wires X, Y, Z communicating asynchronously]
Formalizing GALS [LeeASV98]
[Figure: the wires X, Y, Z of a synchronous component carry values indexed by reaction tags (1, 2, 3, 4, 6, …): synch = asynch + TAGS]
Formalizing GALS: desynchronization
[Figure: the same wires X, Y, Z with their tags erased] desynchronise = remove TAGS
Formalizing GALS: P || Q
[Figure: P with wires X, Y, V and Q with wires X, Y, U, each wire tagged by reaction indices]
• Synchronous composition: unify values and TAGS on the shared wires
• Asynchronous composition: unify values, ignore TAGS [LeGuerTal2002]
• Heterogeneous composition (synch on the left, asynch on the right): unify values, ignore TAGS on the left
TAGS generalize and heterogeneize
[Figure: wires X and Z carrying tags such as (1,t), (1,s), (2,s), (3,t), (4,t), (4,s)]
a TAG consisting of the triple (reaction, physical time, causality)
TAGS generalize and heterogeneize
[Figure: wires X, Y, U tagged with physical times t1, t2, t3, t4 and reaction indices 2, 3]
• TAGS can belong to any partially ordered set
– tags can index reactions, can be (global or local) real time R, can encode causality, can do both, etc.
• TAGS can be tuples
– (generalized) desynchronization consists in erasing some components of the tag; yields morphisms of tag sets, we denote them by
• different TAG sets can be used for different systems
– we can mix synchronous systems (with tag set N) and asynchronous ones (with trivial tag set), and more
TAGS generalize and heterogeneize
[Figure: synch, synch + timed, asynch, what have you, all captured as tagged systems]
Is this any useful??? Yes! For correct deployment
[Figure: two synchronous components composed synchronously, then the same components composed asynchronously (GALS)]
Sometimes this move is OK, sometimes not… make it OK! using adaptors
A theory to automatically generate adaptors
Semantic-Preserving Time Changes
• Given P1 = (V1, T1), P2 = (V2, T2) with time change mappings from T1 to T and from T2 to T, let T1 = T2 and consider two semantics:
– the Strong Semantics: P1 || P2 [unify values & all tags]
– the Weak Semantics: P1 || P2 [ignore (tags)]
• The time change is semantics-preserving when two behaviors which compose according to the strong semantics compose also according to the weak one, written with the strong composition P1 || P2 on the left and the weak composition P1 || P2 on the right
• Define also the desynchronization of Pi as (Vi, T), i.e. the behaviors of Pi with their tags mapped into T by the time change
Theorem [Emsoft2003]
• Given P1 = (V1, T1), P2 = (V2, T2) with T1 = T2, the semantics-preservation property (strong composition P1 || P2 versus weak composition P1 || P2) holds under the two conditions:
(1) for each i in {1, 2}, the desynchronization of Pi is in bijection with Pi
(2) the composition of the desynchronizations of P and Q equals the desynchronization of P || Q
• For GALS, condition (1) is endochrony and condition (2) is isochrony
Endochrony & Isochrony for GALS [BenvCaillaud2000]
• A synchronous process P is endochronous when at each state the presence/absence of each variable can be inferred incrementally from the values carried by present input variables and state variables.
• A synchronous pair (P1, P2) is isochronous when at each state, if each pair of shared variables that are present in both P1 and P2 have the same value, then all the shared variables are either present with the same value or absent.
• endo + iso deployment is semantics preserving
• Endochrony and isochrony are expressed in terms of transition relations (not infinite behaviors)
– They can be model-checked
– They can be synthesized: for a given P, wrapper processes with additional signalling can be derived and composed with P to guarantee each property. Wrappers provide “cheap additional signalling”
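As an added illustration (not code from the slides or from the Emsoft 2003 paper), the following Python models behaviours as lists of reactions, desynchronization as tag erasure, and the strong and weak compositions of the theorem; it checks condition (1) on a constructed two-clock process with and without the boolean clock wires of the GALS discussion, and exhibits a pair of behaviours that compose weakly but not strongly. The process, wire and function names are assumptions of this example.

```python
# Added example, not from the slides: a behaviour is a list of reactions (a dict
# wire -> value for the wires present in that reaction); the list index is the
# reaction tag. Process and wire names are constructed for this illustration.
from itertools import product

def desync(behaviour):
    """Desynchronise = remove TAGS: per wire, keep only the stream of present values."""
    wires = sorted({w for reaction in behaviour for w in reaction})
    return tuple((w, tuple(r[w] for r in behaviour if w in r)) for w in wires)

def desync_is_bijective(behaviours):
    """Condition (1) of the theorem: desync is a bijection iff it is injective on P."""
    return len({desync(b) for b in behaviours}) == len(behaviours)

def two_clock_process(n):
    """Constructed process with n reactions: X (value 1) and/or Y (value 2) is
    present in every reaction, so the two wires have independent clocks."""
    options = ({"X": 1}, {"Y": 2}, {"X": 1, "Y": 2})
    return [list(b) for b in product(options, repeat=n)]

def with_boolean_clocks(behaviour):
    """Adaptor from the GALS discussion: one boolean clock per wire, present in
    every reaction, carrying that wire's presence/absence (tt/ff)."""
    return [dict(r, cX=("X" in r), cY=("Y" in r)) for r in behaviour]

def strong_compose(b1, b2, shared):
    """Strong semantics: shared wires unify values and tags, reaction by reaction."""
    return len(b1) == len(b2) and all(
        r1.get(w) == r2.get(w) for r1, r2 in zip(b1, b2) for w in shared)

def weak_compose(b1, b2, shared):
    """Weak semantics: shared wires unify values only; tags are ignored."""
    d1, d2 = dict(desync(b1)), dict(desync(b2))
    return all(d1.get(w, ()) == d2.get(w, ()) for w in shared)

if __name__ == "__main__":
    raw = two_clock_process(2)
    print("raw two-clock process, desync bijective:", desync_is_bijective(raw))  # False
    clocked = [with_boolean_clocks(b) for b in raw]
    print("with boolean clocks, desync bijective:", desync_is_bijective(clocked))  # True
    b1, b2 = [{"X": 1}, {"Y": 2}], [{"Y": 2}, {"X": 1}]
    print("strong:", strong_compose(b1, b2, ["X", "Y"]),
          "weak:", weak_compose(b1, b2, ["X", "Y"]))  # strong: False weak: True
```

Without the clock wires the weak composition accepts a pairing of reordered reactions that the strong one rejects, which is exactly the information lost by erasing tags; the boolean clocks restore it.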
Future extension: finite generators for general TAG systems
[Figure: wires X and Z carrying tags (1,t), (1,s), (2,s), (3,t), (4,t), (4,s)]
• TAG set equipped with a monoid structure making it a partial order
• Alike generalized HMSC’s (High-level Message Sequence Charts), with asynchronous concatenation
• Labeled by TAGS: TAG-HMSC
• Future work: endo/iso for TAG-HMSC’s
Conclusion
• Heterogeneous reactive systems modeled as tagged systems
• Tag sets to capture: reaction indices, physical time, causalities… and their combination
• Desynchronizing: erasing (part of) tags
• Theorems to cast semantics preserving as specific algebraic properties of tuples of systems
• Goal: to generate adaptors for correct-by-construction deployment