Embed Size (px)
Citation preview
Polychrony as an abstract model of computation for GALS architectures
Time Oriented Reliable Embedded Networked Systems
Toulouse – Nov. 2., 2010
Jean-Pierre Talpin, INRIA
Plan
Motivation
Models of computation
From synchrony to asynchrony
A definition of polychrony
An old fashioned watch
Clock synthesis
Compositional correctness
Conclusion and perspectives
Heterogeneity of skills, teams, tools, methods
CATIA Nastran Simulink Scade Rhapsody …
CAN Flexray ARINC
653 Profiling Energy AADL …
Motivation
co-modeling
analyse
test
map
CATIA Nastran Simulink Scade Rhapsody …
CAN Flexray ARINC
653 Profiling Energy AADL …
verify
simulate
Motivation
Simulink
AADL
co-modeling
analyse
test
map …
verify
simulate
Motivation
Case study of a airplane doors control system
Functional specification Structural specification
Simulink AADL
A suitable GALS model of computation
Simulation, verification, performance evaluation, scheduling, distribution …
Plan
Motivation
Models of computation
From synchrony to asynchrony
A definition of polychrony
An old fashioned watch
Clock synthesis
Compositional correctness
Conclusion and perspectives
AADL diagrams (or UML, or SysML)
Asynchronous architecture models
Asynchrony, synchrony, polychrony
Synchronous behavior models
Elements of Simulink (or Geneauto, Lustre, Scade)
Asynchrony, synchrony, polychrony
Signal (or RT-Builder, Marte’s CCSL, MRICDF)
A polychronous model of computation
Asynchrony, synchrony, polychrony
Plan
Motivation
Models of computation
From synchrony to asynchrony
A definition of polychrony
An old fashioned watch
Clock synthesis
Compositional correctness
Conclusion and perspectives
Globally asynchronous implementation of a multi-clocked network of synchronous modules preserving functional correctness
synchronous module
From synchrony to asynchrony
synchronous module
synchronous module
synchronous module
A polychronous network
Globally asynchronous implementation of a multi-clocked network of synchronous modules preserving functional correctness
From synchrony to asynchrony
synchronous module
synchronous module
synchronous module
synchronous module
A polychronous network Timing refinement Communication refinement
synchronous module
From synchrony to asynchrony
synchronous module
synchronous module
synchronous module
synchronous module
synchronous module
synchronous module
synchronous module
Co-modeling
Architecture exploration
Goal Globally asynchronous implementation of synchronous modules preserving functional correctness
synchronous module
clock
… …
input channels output channels container
asynchronous environment
From synchrony to asynchrony
From synchrony to asynchrony
synchronous module
clock
… …
input channels output channels container
asynchronous environment
Issue Different timing domains Synchronous signals vs. asynchronous channels Reaction trigger vs. core activation
From synchrony to asynchrony
Issue 1. To ensure asynchrony incurs no extra behavior
=> Deadlock-freedom
await I ; emit A ; await I ; emit B ;
I I A B
┴A
┴ BI I Await
[A and B]; emit O ;
I AB
O
From synchrony to asynchrony
abort await A; emit P when B
… … A
B
P
Q
Issue 2. To ensure determinism given asynchronous inputs
=> Confluence and no priority
do emit Q end
┴ A
┴ B
┴ A
┴ B
┴ P
┴ Q ┴
┴
From synchrony to asynchrony
synchronous module
clock
… …
input channels output channels container
asynchronous environment
Goal Synthesize a correctness preserving container and the activation clock
synthesis
clock
clock
From synchrony to asynchrony
Challenge Can this be done modularly, iteratively, compositionaly ?
input channels output channels
asynchronous environment
synthesis
synchronous module
clock
… …
container
Plan
Motivation
Models of computation
From synchrony to asynchrony
A definition of polychrony
An old fashioned watch
Clock synthesis
Compositional correctness
Conclusion and perspectives
Globally asynchronous implementation of a network of synchronous modules with multiple clocks preserving functional correctness
synchronous module
synchronous module
synchronous module
synchronous module
Polychrony
c = a default b
b
a c
Ta
Tb Tc
Tc = Ta U Tb
Globally asynchronous implementation of a network of synchronous modules with multiple clocks preserving functional correctness
synchronous module
synchronous module
synchronous module
synchronous module
Polychrony
c = a when b
b
a c
Ta
Tb Tc
Tc = Ta Tb
U
Polychrony
a 3 -2 -1 …
b 0 0 2 1 …
c 3 -2 0 -1 1 …
a 3 -2 -1 …
b 0 0 2 1 …
c 3 -2 -1 2 1 …
synchronous module
synchronous module
synchronous module
synchronous module
c = a default b
b
a c
Default and when are not flow functions
Polychrony
synchronous module
synchronous module
synchronous module
c = a default b
b
a
c Ta
Tb
Implementing polychrony amounts to synthesizing a network of synchronized flow functions : a Kahn network
synchronous module
Tc = Ta U Tb
Plan
Motivation
Models of computation
A definition of polychrony
From synchrony to asynchrony
An old fashioned watch
– Semantics of Signal
– Code generation
Clock synthesis
Compositional correctness
Conclusion and perspectives
X = IN default ZX-1 ZX = X$ init 0 RST = (ZX < 0) IN ^= when RST
IN
X RST
An old-fashioned watch
An old-fashioned watch
IN (t0, 3) (t4, 3) ZX (t0, 0) (t1, 3) (t2, 2) (t3,1) (t4, 0) X (t0, 3) (t1, 2) (t2, 1) (t3,0) (t4, 3)
X = IN default ZX-1 ZX = X$ init 0 RST = (ZX < 0) IN ^= when RST
An old-fashioned watch
ZX (t0, 0) (t1, 3) (t2, 2) (t3,1) (t4, 0) X (t0, 3) (t1, 2) (t2, 1) (t3,0) (t4, 3)
X = IN default ZX-1 ZX = X$ init 0 RST = (ZX < 0) IN ^= when RST
An old-fashioned watch
ZX (t0, 0) (t1, 3) (t2, 2) (t3,1) (t4, 0) RST (t0, 1) (t1, 0) (t2, 0) (t3,0) (t4, 1)
X = IN default ZX-1 ZX = X$ init 0 RST = (ZX < 0) IN ^= when RST
X = IN default ZX-1 ZX = X$ init 0 RST = (ZX < 0) IN ^= when RST
IN (t0, 3) (t4, 3) RST (t0, 1) (t1, 0) (t2, 0) (t3,0) (t4, 1)
An old-fashioned watch
Plan
Motivation
Models of computation
From synchrony to asynchrony
A definition of polychrony
An old fashioned watch
– Semantics of Signal
– Code generation
Clock synthesis
Compositional correctness
Conclusion and perspectives
A calculus to reason on synchronization relations CX = CIN+^CZX CZX = CX CRST = CZX CIN = [RST]
Semantics and compilation
X = IN default ZX-1 ZX = X$ init 0 RST = (ZX < 0) IN ^= when RST
IN (t0, 3) (t4, 3) ZX (t0, 0) (t1, 3) (t2, 2) (t3,1) (t4, 0)
A calculus to reason on scheduling relations IN X when (RST) ZX X when (not RST) ZX RST RST IN
IN (t0, 3) (t4, 3) X (t0, 0) (t1, 3) (t2, 2) (t3,1) (t4, 0) ZX (t0, 0) (t1, 3) (t2, 2) (t3,1) (t4, 0)
Semantics and compilation
X = IN default ZX-1 ZX = X$ init 0 RST = (ZX < 0) IN ^= when RST
Semantics and compilation
X = IN default ZX-1 ZX = X$ init 0 RST = (ZX < 0) IN ^= when RST
CX = CIN + CZX CZX = CX CRST = CZX CIN = [RST]
Implementing the watch amounts to synthesize 1. A function that computes clocks
read CX; RST = (X <= 0) If RST then {
read IN; X = IN;
} else X = X - 1; write X;
Semantics and compilation
X = IN default ZX-1 ZX = X$ init 0 RST = (ZX < 0) IN ^= when RST
read CX; RST = (X <= 0) If RST then {
read IN; X = IN;
} else X = X - 1; write X;
Implementing the watch amounts to synthesize 1. A function that computes clocks 2. A schedule that respects causality
ZX RST RST IN IN X when (RST) ZX X when (RST)
Semantics and compilation
X = IN default ZX-1 ZX = X$ init 0 RST = (ZX < 0) IN ^= when RST
read CX; RST = (X <= 0) If RST then {
read IN; X = IN;
} else X = X - 1; write X;
Implementing the watch amounts to synthesize 1. A function that computes clocks 2. A schedule that respects causality
It yields a synchronized flow function
X = watch (CX, IN)
Plan
Motivation
Models of computation
From synchrony to asynchrony
A definition of polychrony
An old fashioned watch
Clock synthesis
Compositional correctness
Conclusion and perspectives
A clock c is a set of symbolic instants in time
Cx x is present
[x] x is present and true
[not x] x is present and false
A clock relation is an invariant on timing properties
Cx = Cy * [z] x is present iff y is present and z is true
The goal of clock synthesis is to define a clock function from a set of relations
Synthesis of clock functions
The computability of a clock by an other defines an equivalence relation. For example,
For any Boolean signal x, the clocks [x] and [not x] are computable from Cx
Synthesis of clock functions
CX
[X] [¬X]
Synchronous signals x and y are in the same equivalence class
CX CY
[X] [¬X]
A hierarchy is built by attaching all clock equations to the equivalence relation
Suppose that
Synthesis of clock functions
CX
CY CZ
If Ca = f (Cy, Cz) then we can add
CX
CY CZ CA
Plan
Motivation
Models of computation
From synchrony to asynchrony
A definition of polychrony
An old fashioned watch
Clock synthesis
Compositional correctness
Conclusion and perspectives
Correctness
CX ~ CZX ~ CRST
[RST]~CIN [¬RST]
Endochrony
A program whose clock hierarchy is a tree is endochronous: All clocks can be computed from a root equivalence class Example of the watch : read CX;
RST = (X <= 0) If RST then {
read IN; X = IN;
} else X = X - 1; write X;
Correctness
Endochrony
A program whose clock hierarchy is a tree is endochronous: All clocks can be computed from a root equivalence class Unfortunately, endochrony is not compositional
A
B C
X
Y Z
However, asynchronous determinism (AD) is compositional
If p and q are AD and if p | q is non blocking then p | q is AD
If a module p is endochronous then it is AD
...
A simple (static) and compositional criterion
Correctness
H
A B
H
A B
G
B C
1. Deadlock-freedom
await I ; emit A ; await I ; emit B ;
I I A B
┴A
┴ BI I Await
[A and B]; emit O ;
I AB
O
Asynchronous determinism (AD) solves our two issues
2. Confluence and no priority
abort await A; emit P when B
… … A
B
P
Q
do emit Q end
┴ A
┴ B
┴ A
┴ B
┴ P
┴ Q ┴
┴
Correctness
Corollary
A compositional methodology to iteratively build isochronous systems by the static analysis of clock and scheduling relations of synchronous modules
Correctness
synchronous module
synchronous module
synchronous module
synchronous module
Plan
Motivation
Models of computation
From synchrony to asynchrony
A definition of polychrony
An old fashioned watch
Clock synthesis
Compositional correctness
Conclusion and perspectives
The polychronous model of computation and communication
A clear and solid semantics
Compositional correctness
A calculus of synchronization and scheduling
Sequential, modular, distributed code generation
Interface models, abstraction and refinement
Model transformations
Heterogeneous architecture modeling and analysis
Virtual prototyping
Tools
RT-Builder by Geensoft
Polychrony by INRIA team Espresso
MRICDF by Virginia Tech and USAF laboratories
UML Marte’s CCSL, Timesquare tool by INRIA team Aoste
Conclusion
A DSL for software architecture exploration • Data-flow for computation • Mode automata for control • Libraries for services
A toolbox of services • Code generation • Model transformation • Model checking • Controller synthesis
An eclipse interactive interface • Open import functionalities • High-level visual editor • Analysis and transformation • Visualization and traceability
Polychrony
To be released under GPL v2.0 licence at http://www.irisa.fr/espresso/Polychrony
On the model of computation
"Polychrony for system design" Le Guernic, P., Talpin, J.-P., Le Lann, J.-C. Journal for Circuits, Systems and Computers. Special Issue on Application Specific Hardware Design. World Scientific, August 2003.
On desynchronization
"Compositional design of isochronous systems" Talpin, J.-P., Ouy, J., Gautier,T., Besnard, L., Le Guernic, P. In Science of Computer Programming, Special Issue on APGES. Elsevier, 2010.
“Correct-by-construction asynchronous implementation of modular synchronous specifications”. D. Potop-Butucaru, B. Caillaud. In Fundamenta Informaticae. IOS Press, 2006.
On architecture modeling
"Polychronous design of embedded real-time systems" Gamatié, A., Gautier, T., Le Guernic, P., Talpin, J.-P. ACM Transactions on Software Engineering and Methodology. ACM Press, 2006.
"System-level co-simulation of integrated avionics using polychrony ". Yu, H., Ma, Y., Glouche, Y., Talpin, J.-P., Besnard, L., Gautier, T., Le Guernic, P., Toom, A., and Laurent, O. ACM Symposium on Applied Computing (SAC'11). ACM, 2011.
On virtual prototyping
"Formal refinement checking in a system-level design methodology" Talpin, J.-P., Le Guernic, P., Shukla, S. K., Gupta, R., Doucet, F. Fundamenta Informaticae, special Issue on Applications of Concurrency to System Design. IOS, 2004.
"A synchronous approach to threaded program verification " Johnson, K., Besnard, L., Gautier, T., Talpin, J.-P. Automated Verification of Critical Systems (AVOCS'10). EASST, 2010.
On model-driven engineering
"A metamodel for the design of polychronous systems" Brunette, C., Talpin, J.-P., Gamatié, A., Gautier, T. Journal of Logic and Algebraic Programming, Special Issue on Applying Concurrency Research to Industry. Elsevier, 2008.
Papers available from http://www.irisa.fr/prive/talpin
Bibliography
