Virtual Execution of AADL Models via a Translation into ...semba.conf.citi-lab.fr/.../emsoc07/presentations/EmSoC07_Halbwachs.pdf · E. Jahier, N. Halbwachs, P. Raymond, X. Nicollin

Virtual Execution of AADL Modelsvia a Translation

into Synchronous Programs

E. Jahier, N. Halbwachs, P. Raymond, X. NicollinVerimag, Grenoble

D. LesensAstrium Space Transportation, Les Mureaux

(Verimag and Astrium) 1 / 31

Synchrony and Asynchrony

1 Synchrony and Asynchrony

2 The Synchronous Paradigm

3 Synchronous Modelling of Asynchrony

4 A case study

5 Translating AADL concepts

6 Current work and conclusion



Synchrony and Asynchrony (1/3)

Synchronous languages and associated tools (Scade,Esterel-Studio, Sildex, . . . ) are well-established for centralized,statically scheduled applications

What about more complex situations?Need for dynamic scheduling: urgent sporadic events,multiple periodsNeed for distribution: redundancy, performances, physicalconstraints



Synchrony and Asynchrony (2/3)

In real-time systems, purely asynchronous situations are rare

Partial synchrony, or strongly constrained asynchrony: e.g.,known periodsknown clock driftquite precise WCET



Synchrony and Asynchrony (3/3)Related works:

extend the synchronous modelCRP [Berry-Shyamasundar-Ramesh],Multiclock-Esterel [Berry-Sentovitch],n-synchrony [Cohen-Duranton-Eisenbeis-Pagetti-Plateau-Pouzet],GALS [Metropolis], [Polychrony],Tag machines [Benveniste-Caillaud-Carloni-Sangiovanni]

less synchronous implementationsMulti-task implementations [SYNDEX], [Caspi-Scaife],Distributed code [Caspi-Girault],[Caspi-Salem], [Potop-Caillaud]

model asynchrony within the synchronous frameworkSafeAir, SafeAir-II projects [Baufreton et-al],Polychrony [Le Guernic-Talpin-Le Lann], [Gamatie-Gautier],this talk (same approach, in the ctxt of the Assert project)





















The ASSERT Project (1/2)

European “Integrated Project” on model-driven design ofembbedded systemsMain application domain: aerospace applications

Target code

Targetarchitecture

(AADL)components

(UML, Scade, C)

Software




European “Integrated Project” on model-driven design ofembbedded systemsMain application domain: aerospace applications

Target code

Targetarchitecture

(AADL)components

(UML, Scade, C)

Software




What this talk is about:

(AADL)

Targetarchitecture

(Scade-Lustre)

Behavioural modelof the architecture

Automatictranslation

VerificationSimulation

Softwarecomponents

(Scade)


The Synchronous Paradigm




4 A case study





The Synchronous Paradigm (1/2)

Synchronous machines

Basic components: generalized Mealy machines

~S′ = fS(~I,~S)

~O = fO(~I,~S)~I

~Sf

Behaviour: (~S0,~I0, ~O0),(~S1,~I1, ~O1), . . . ,(~Sn,~In, ~On), . . . ,

with On = fO(~In, ~Sn) and ~Sn+1 = fS(~In, ~Sn)





Parallel composition:

~S′

~Of

~S

~I

(~S′,~O) = f (~I,~S,~Q)

(~T ′,~Q) = g(~J,~T ,~O)

(deterministic, provided there isno combinational loop)





Parallel composition:

g~T ′

~Q

~T

~J

~S′

~Of

~S

~I (~S′,~O) = f (~I,~S,~Q)

(~T ′,~Q) = g(~J,~T ,~O)

(deterministic, provided there isno combinational loop)


Synchronous Modelling of Asynchrony




4 A case study





Synchronous Modelling of Asynchrony (1/4)

Need toprevent a component from reacting (sporadic reactions)non-determinismmodel execution time




Prevent a component from reactingavailable in all synchronous languages:

clocks in Lustre and Signalactivation conditions in Scadesuspend statement in Esterel




Activation condition in Scade

A distinguished Boolean input, say c, de-cides if the component must react.

c

~I ~O

when c = 1 the normal reaction occurswhen c = 0

the state does not change

the output keeps its previous value






c

~I ~O

when c = 1 the normal reaction occurs

when c = 0the state does not change







c

~I ~O









c

~I ~O






Synchronous Modelling of Asynchrony(4/4)

Non determinismJust by adding auxiliary inputs (oracles)Restriction of non-determinism:

constraints/assumptions on oracles ensured by “assertions”or transducer (scheduler)



A task in the synchronous world

x




t

x




t

x




x

t

x



A sporadic or periodic task




t




Tt




x

x

Tt



A sporadic or periodic taskperiod T

x

x

Tt



Execution time

period T



Execution time

t

period T



Execution time

mM

mM

mM

t

period T



Execution time

x

mM

mM

mM

t

period T



Execution time

x

∆(m,M)

ω

x

mM

mM

mM

t

period T


A case study




4 A case study




A case study

The PFS case study (1/4)

Proximity Flight Safety (PFS), part of the Automatic TransferVehicule (ATV), spacecraft in charge of supplying theInternational Space Station (ISS) ESA, Astrium-STEnsures the safety of the approach of the ATV to the ISS(most safety critical part of the mission)


A case study

��

� ��

��

��

��

� ��

� ��

When anything goes wrong, the PFS is in charge of safelymoving the ATV apart from the ISS, and to orient it towards thesun (“Collision Avoidance Manoeuvre”, CAM)


A case study

The PFS case study (3/4)

The system is made of two redundant “Monitoring and SafetyUnits” (MSU): one master, one backup

Each MSU:detects anomalies: failures of the main computer, abnormalstate of the bus, erroneous position or speed of the ATV,“red button” pressed from inside the ISSdetects its own failures (master change)is able to perform a CAM


A case study

The PFS case study (4/4)Distribution: Two computers (one for each MSU) running inquasi-synchrony

Multitasking: Each MSU consists of two periodic tasks (one fast,one slow). Each task specified in Scade

Processor 1

Fast thread

Processor 2

Fast thread

SP1 SP2 SP1 SP2Slow thread Slow thread


A case study

The PFS case study (4/4)Distribution: Two computers (one for each MSU) running inquasi-synchrony

Multitasking: Each MSU consists of two periodic tasks (one fast,one slow). Each task specified in Scade

Processor 1

Fast thread

Processor 2

Fast thread

SP1 SP2 SP1 SP2Slow thread Slow thread


Translating AADL concepts




4 A case study





Processes: actual clocks

Proc1 Proc2

Fast Th

SP1 SP2

Fast Th

Slow Th

“Quasi-synchronous” clocksused to count periods and deadlines



Processes: actual clocks

Proc1 Proc2

Fast Th

SP1 SP2

Fast Th

Slow Th

“Quasi-synchronous” clocksused to count periods and deadlines



Threads: sharing the processor

Proc1

Fast Th

Slow Th

Activity clocks, used to count execution times




Proc1

Fast Th

Slow Th





Proc1

Fast Th

Slow Th




Subprograms: sequencing









Final model

QS

TF

TS

Mm

Mm Mm

SCH

Mm

Mm Mm

SCH

TF

TS



Applications

extensive simulation(using the tool LURETTE to generate oracles automatically)automatic verification

Example of property of the PFS:“at each instant, one and only one MSU is the master”

Wrong, because of asynchrony.Right property:“at each instant, there is at most one master”“there are at most two clock cycles without master”



Applications

extensive simulation(using the tool LURETTE to generate oracles automatically)automatic verification

Example of property of the PFS:“at each instant, one and only one MSU is the master”Wrong, because of asynchrony.Right property:“at each instant, there is at most one master”“there are at most two clock cycles without master”


Current work and conclusion




4 A case study





Current work

deterministic communicationresource managementscheduling policies

ConclusionGives precise semantics to AADLMakes it executable (early simulation/validation)One more non-synchronous application of synchrony



Current work

deterministic communicationresource managementscheduling policies

ConclusionGives precise semantics to AADLMakes it executable (early simulation/validation)One more non-synchronous application of synchrony


Documents

Virtual Execution of AADL Models via a Translation into ...semba.conf.citi-lab.fr/.../emsoc07/presentations/EmSoC07_Halbwachs.pdf · E. Jahier, N. Halbwachs, P. Raymond, X. Nicollin