Jeroen Voeten, email: [email protected] Information and Communication Systems Group 1 System Level Modelling in POOSL J. Voeten, P. van der Putten,

1Jeroen Voeten, email: [email protected]

Information and Communication Systems Group

System Level Modelling in POOSL

J. Voeten, P. van der Putten, M. Geilen, L. van Bokhoven and M. StevensInformation and Communication Systems

Eindhoven University of TechnologyThe Netherlands

>


Information and Communication Systems Group2

Contents

• Introduction: System Modelling

• The POOSL Language

• Formal Semantics

• Model Analysis

• Demonstration

>



Introduction:System Modelling

>



Design Decisions and Properties Design involves the investigation of design

alternatives to obtain a satisfying realisation.

Design decisions are based on the values of certain properties of alternative design realisations.

Realising design alternatives to determine the values of these properties is too costly and time-consuming.

Values of properties must be determined from models.

A property is a function on designs, realisations or models. If the range is Boolean the property is called qualitative (e.g. absence of deadlock), otherwise it is called quantitative (e.g. throughput).

>



Models and Adequacy

A model is an abstract representation of some design realisation.

A model must be adequate (to a certain degree of accuracy) for the properties that are relevant for making a design decision.

A model is adequate (to a certain degree of accuracy) for a property if the difference between the property value of the model and that of the design realisation is within the accuracy bound. Vice versa, the design realisation is said to satisfy the model.

>



Models and Abstraction If a model is more abstract

it will in general be adequate for less properties with less accuracy;

it has a larger realisation space (collection of realisations that satisfy the model) and will be more difficult to realise;

it will be more compact;

it will take less time to develop it;

it will be cheaper to deduce property values.

Design decisions taken early in the design process (based on abstract models) have a large impact on property values.

>



Towards System Models

Increasing Expressive

Power

Abstraction

Encapsulation

>

Less adequate and accurate

More difficult to realise

Design decisions have large impact

More compact

Less time to develop

Cheaper to deduce property

values

Hardware Software

Transistors

Gates

Registers, FSMs

Functions, Data Objects

Assembly Code

Machine Code

Functions, Data

Communicating (sub)systems

System

Behaviour

RT

Logic

Transistor

Object-Oriented

High

Assembly

Machine



Example: Switch Fabrics

Decision Properties

• Throughput

• Average Delay

• Jitter

• Quality of Service

Design Issues

• Queues

• Priorities

• Backpressure

• Scheduling

Modelling Concepts

• Modelling Entities

• Concurrency

• Communication/Synchronisation

• Time/Stochasticity

For different traffic types (CBR,VBR,ABR,UBR)

>



Language Design Considerations/Alternatives

• Modelling Entities– Separate Data & Control Autonomous Objects– Structural Behavioural– ...

• Concurrency– Synchronous Asynchronous– Inherent to Modelling Entities Orthogonality

• Communication/synchronisation– Synchronous Asynchronous– Buffered Unbuffered– ...

• Time/stochasticity– Real-time Discrete-time Synchrony

Hypothesis– Stochastic Probabilistic Non-determinism– ...

>

Mathematical semantics

Small Expressive

Collection of Blending

Language Primitives

Selection

Conflicts

Orthogonality

POOSL



The POOSL

Language

>



Overview of POOSL

POOSL (Parallel Object-Oriented Specification Language) is a formal specification language based on a timed version of process algebra CCS and on the basic concepts of traditional object-oriented programming languages (Smalltalk, Java, C++).

A POOSL specification consists of

A Top-Level Cluster;

Clusters & Cluster Classes;

Process Objects & Process Classes;

Data Objects & Data Classes.

>



Example: Switch Fabric

>



Clusters

Hierarchical structural entities;

Statically interconnected in a topology of channels;

Connect to the channels through private ports;

Consist of process objects and other clusters;

Behave asynchronous concurrent;

Communicate by synchronous message passing;

Organised in cluster classes.

>



Example: Multistage Switch

>



Process objects Behavioural asynchronous concurrent entities;

Statically interconnected in a topology of channels;

Connect to the channels through private ports;

Communicate by synchronous message passing;

Contain data objects;

Compositional behaviour descriptions

Primitive statements: data,time,communication

Constructors: Parallel composition, interrupts, …

Behavioural abstraction: methods;

Are organised in process classes.

>



Example: Switch

>



Process Statements A method body consists of a process statement PS:

The execution of PS can result in Action Performance & Time Passage

PS ::= | ch!m(DE1,…,DEn) synchronous send

| delay(DE) delay statement

| while E do PS od repetition

| DS data statement | if E then PS1 else PS2 fi selection

message receptionch?m(p1,…,pn | DE)

| sel PS1 or … or PSn les choice statement | par PS1 and … and PSn rap parallel composition | PS1 interrupt PS2 interrupt statement | PS1 abort PS2 abort statement

| [DE]PS guarded command | m(DE1,…,DEn)(p1,…,pn) method call

| PS1;PS2 sequential composition

| timestamp x read model time



Example 1: Intuitive Semantics

initialize()()

ch!givePosition; delay(3.14); ch?position(point).

ch

initialize()()

ch?givePosition; ch!position(point).

instance variable

point

(10,12)

instance variable

point

givePosition

(10,12)

position( )

copy

>

Time: 0 3.14



Example 2: initial method startUp of Switch

startUp()()

outputBufferArray:=new(Array) size(2);outputBufferArray put(1,new(BoundedFIFOBuffer) size(bufferSize));outputBufferArray put(2,new(BoundedFIFOBuffer) size(bufferSize));par handleInput1()()and handleInput2()() and handleOutput1()()and handleOutput2()()rap.

>



Example 3: method handleInput1 of Switch

handleInput1()()

| cell:Cell |

i1?cell(cell | outputBufferArray at(cell destinationPort) isNotFull){outputBufferArray at(cell destinationPort) put(cell); cell nextDestinationPort};

delay(cellTime);handleInput1()().

>



Example 4: method handleOutput1 of Switch

handleOutput1()()

[outputBufferArray at(1) isNotEmpty]o1!cell(outputBufferArray at(1) firstElement){outputBufferArray at(1) removeFirstElement};

delay(cellTime);handleOutput1()().

>



Example 5: Process Class Source

>



Example 6: method of a TransmissionChannel

transfer()()

| p:Packet |

in?packet(p); par

delay(normal nextSample);out!packet(p)

andtransfer()()

rap.

Receive a new packet p from port inWait for some stochastically determinedamount of time before p is being delivered synchronously to port out

Be simultaneously prepared to receive another packet

>



Example 7: timeouts and watchdogswaitForInput()(value,status:String)

ch!inputRequest;

sel ch?input(value);status:=‘ok’ or

delay 20;status:=‘timeout’ les

Wait for input on port ch. Return from the method call if an input is not received within 20 time units

>

timeCriticalComputation()()

doComputation()() abort (delay deadline; errorHandling()()).

Call method doComputation()(). If themethod has not terminated within adeadline amount of time, abort it andstart an errorHandling routine.



Data objects

Behavioural sequential entities;

Can be created dynamically;

Communicate by message passing;

Invoke methods upon message reception;

Return results of method invocations to sender;

Are organised in data classes.

>



Example: Data class Exponential

>


Information and Communication Systems Group27 >

Data Statements and Expressions

DS ::= x:=DE | DS1;DS2

| while DE do DS | if E then DS1 else DS2 fi

| DE

assignment to variable or parametersequential compositionrepetitionselectiondata expression

•A method body consist of a data statement DS :

>

DE ::= x | new(C) | self | DE m (DE1,…,DEn)

| -1,0,’a’,’b’,3.14,true,false | nil

data object referenced by xnewly created data object of data class Cdata object evaluating this expressionmethod callconstants of primitive classes constantsundefined data object

• DE is a data expression, always evaluating to a data object:



mu

rand

withParam(m:Real):Exponential

mu:=m;

rand:=new(RandomGenerator);

return(self).

Example: Intuitive Semantics

Consider the execution of the following statement:exp:=new(Exponential) withParam(3)

3

some

Random

>



FormalSemantics

>



Formal Semantics: Transition System• Plotkin-style Structural Operational Interleaving Semantics defines a

probabilistic labelled transition system:

Model M can perform action a with probability p and then behave as M’

Model M can delay for time t with probability p and then behave as M’

>

(Mod,Act,T,{ | a Act,p [0,1]},{ | t T,p [0,1]})a,p t,p

M M’a,p

• Compositional Definition with Axioms and Inference Rules

M M’t,p

delay(t) t,1

M2 M’2t,p2M1 M’1

t,p1

M1 || M2 M’1 || M’2t,p1• p2



Action Urgency: Two-Phase Model [X.Nicollin, J.Sifakis ’91]

Asynchronous Execution of Actions

Synchronous Passage of Time

>



Example: Lossy Channel

>



Transition System of a Lossy Channel

in?cell

out!cell

100

1.0 1.0

0.9

0.1

1.0

1.0

>



ModelAnalysis

>



Analysis

• Validation– Are we building the correct model

• Qualitative Verification– Analyse correctness properties

• Quantitative Verification– Analyse performance properties

• Synthesis– for rapid model analysis– for implementation/realisation

>



Validation

>



Qualitative Verification: Equivalence Checking

Abstraction to CCS

Minimisation

Equivalent minimised protocol

>



Qualitative Verification: Model Checking • Specify the property () to verify in a temporal logic (LTL).• Example: A stimulus S always results in a response R within 10 ms• Construct an automaton that accepts precisely the traces satisfying

this property.• Check whether the model satisfies the property

–Exhaustively• Generate complete transition system (T) of the model • Check for language inclusion L(T) L() or for empty intersection

L(T) L() = • Proof of correctness but only applicable in case of relatively small

finite-state systems.–Non-exhaustively

• Generate one execution trace from transition system (T)• Check whether some infinite completion of this trace can be

accepted by the automaton• No proof of correctness, but always applicable to detect errors.

>



Quantitative Verification: Performance Analysis• Specify the performance metric as a (temporal) reward.• Examples: jitter, buffer fill levels.• Determine the long-run average metric value

–Analytically• Generate the complete probabilistic labelled transition system • Interpret it as a Markov chain with (temporal) reward structure• Compute performance metric by using the strong law of large numbers

and the ergodic theorem for Markov chains• Certain/precise results but only applicable in case of relatively small finite-

state systems.–Empirically

• Generate one execution trace• Estimate the metric value, confidences and errors using the strong law of

large numbers and the central limit theorem for Markov chains• Uncertain results but applicable in case of large and even infinite-state

systems.

>



Synthesis

• To analyse large systems, it is important to be able to generate the model’s transition graph or a trace thereof rapidly.

• Automatic mapping from POOSL to C++ using Process Execution Trees:

–Self-modifying data-structure representing the state of the model;

–Compositional mapping of all language constructs;–Offering facilities for model debugging;–No use of (real-time) operating system;–Slave-like C++ module facilitating the interfacing with other

tools;–Automatic storage reclamation.

>



Process Execution Trees

root

;

sel

granted

c?mc!m

finished kill

finished

root root

;

sel

c?mc!m

startUp

startUp

startUpgranted

startUp

Staten Staten+1 Staten+2

talk()()

talk()()

talk()() talk()()

talk()()

talk()()

sel c!m or c?mles;talk()()



Demonstration

>



The Validation Tool SHESim

• Tool Demonstration• Example of a simple datalink protocol• Download tool via ftp at: ftp.ics.ele.tue.nl/pub/projects/she_sim/prac9900

>

Documents

Jeroen Voeten, email: [email protected] Information and Communication Systems Group 1 System Level Modelling in POOSL J. Voeten, P. van der Putten,