Synchronous Modelling of Complex Systems

Size: px

Start display at page:

Download "Synchronous Modelling of Complex Systems"

Katrina Lane
5 years ago
Views:

1 Synchronous Modelling of Complex Systems Nicolas Halbwachs Verimag, Grenoble joint work with L. Mandel LRI E. Jahier, P. Raymond, X. Nicollin Verimag and D. Lesens Astrium Space Transportation () 1 / 45

2 The Synchronous Paradigm 1 The Synchronous Paradigm 2 Synchrony and Asynchrony 3 Synchronous Modelling of Asynchrony 4 A case study 5 Quasi-synchrony 6 Translating AADL concepts 7 Current work and conclusion () 2 / 45

3 The Synchronous Paradigm The Synchronous Paradigm (1/8) Synchronous machines Basic components: generalized Mealy machines X S f Y = fy ( X, S) S = f S ( X, S) Behaviour: ( S 0, X 0, Y 0 ),( S 1, X 1, Y 1 ),...,( S n, X n, Y n ),..., with Y n = f Y ( X n, S n ) and S n+1 = f S ( X n, S n ) Deterministic! () 3 / 45

4 The Synchronous Paradigm The Synchronous Paradigm (2/8) Basic components, simple examples unit delay δ: outputs the value received at the previous reaction f O ( X, S) = S, f S ( X, S) = X sampler β(b): outputs the current input if b is true, the previous output otherwise f O (b, X, S) = f S (b, X, S) = if b then X else S () 4 / 45

5 The Synchronous Paradigm The Synchronous Paradigm (3/8) Example: an integrator x Outputs the sum of inputs received so far + y f Y (x,s) = f S (x,s) = s + x s 0 () 5 / 45

6 The Synchronous Paradigm The Synchronous Paradigm (3/8) Example: an integrator x Outputs the sum of inputs received so far + y In Lustre: f Y (x,s) = f S (x,s) = s + x y = x+s ; s = 0 ->pre(y) ; s 0 () 5 / 45

7 The Synchronous Paradigm The Synchronous Paradigm (3/8) Example: an integrator x Outputs the sum of inputs received so far + y In Lustre: f Y (x,s) = f S (x,s) = s + x s 0 y = x+s ; s = 0 ->pre(y) ; or y = x + (0 ->pre(y)) ; () 5 / 45

8 The Synchronous Paradigm The Synchronous Paradigm (3/8) Example: an integrator x Outputs the sum of inputs received so far + y In Lustre: f Y (x,s) = f S (x,s) = s + x s 0 y = x+s ; s = 0 ->pre(y) ; or y = x + (0 ->pre(y)) ; step x x 0 x 1 x 2 x 3... () 5 / 45

9 The Synchronous Paradigm The Synchronous Paradigm (3/8) Example: an integrator x Outputs the sum of inputs received so far + y In Lustre: f Y (x,s) = f S (x,s) = s + x s 0 y = x+s ; s = 0 ->pre(y) ; or y = x + (0 ->pre(y)) ; step x x 0 x 1 x 2 x 3... y x 0 x 0 + x 1 x 0 + x 1 + x 2 x 0 + x 1 + x 2 + x 3... () 5 / 45

10 The Synchronous Paradigm The Synchronous Paradigm (4/8) Example: a counter of events Detect a minute every 60 second In Lustre: ns = 0 -> if second then if pre(ns) < 59 then pre(ns)+1 else 0 else pre(ns) ; minute = (second and ns=0) ; second? ns=59? ns:=0 minute! ns:=0 second? ns<59? ns++ In Esterel every 60 second do emit minute ; () 6 / 45

11 The Synchronous Paradigm The Synchronous Paradigm (5/8) Synchronous machines Parallel composition: S S X f Y () 7 / 45

12 The Synchronous Paradigm The Synchronous Paradigm (5/8) Synchronous machines Parallel composition: S S X f Y ( S, Y ) = f ( X, S, Z ) ( T, Z ) = g( W, T, Y ) W T g T Z (deterministic, provided there is no combinational loop) () 7 / 45

13 The Synchronous Paradigm The Synchronous Paradigm (6/8) Parallel composition, example every 60 second do emit minute ; every 60 second do emit minute ; second count minute count hour () 8 / 45

14 The Synchronous Paradigm The Synchronous Paradigm (7/8) Parallel composition, example ns:=0 nm:=0 second? ns=59? ns:=0 minute! second? ns<59? ns++ minute? nm=59? nm:=0 hour! minute? nm<59? nm++ second? ns=59? nm<59? ns:=0 nm++ minute! ns:=nm:=0 second? ns<59? ns++ second? ns=59? nm=59? ns:=nm:=0 minute! hour! () 9 / 45

15 The Synchronous Paradigm The Synchronous Paradigm (8/8) Synchronous languages are well accepted as description formalisms precise, formally defined match the way of thinking of users various, complementary, compatible paradigms (imperative/data-flow, textual/graphical) Powerful associated tools efficient code generation (for centralized, statically scheduled applications) precise and inexpensive modelling, no overhead in analysis and verification can be used for expressing properties (observers) Industrial environments: Esterel Studio, Lustre-Scade, Signal-Sildex () 10 / 45

16 Synchrony and Asynchrony 1 The Synchronous Paradigm 2 Synchrony and Asynchrony 3 Synchronous Modelling of Asynchrony 4 A case study 5 Quasi-synchrony 6 Translating AADL concepts 7 Current work and conclusion () 11 / 45

17 Synchrony and Asynchrony Synchrony and Asynchrony (1/3) Synchronous languages and associated tools are well-established for centralized, statically scheduled applications What about more complex situations? Need for dynamic scheduling: urgent sporadic events, multiple periods Need for distribution: redundancy, performances, physical constraints () 12 / 45

18 Synchrony and Asynchrony Synchrony and Asynchrony (2/3) First remark: In real-time systems, purely asynchronous situations are rare Partial synchrony, or strongly constrained asynchrony: e.g., known periods known clock drift quite precise WCET () 13 / 45

19 Synchrony and Asynchrony Synchrony and Asynchrony (3/3) Related works: () 14 / 45

20 Synchrony and Asynchrony Synchrony and Asynchrony (3/3) Related works: extend the synchronous model CRP [Berry-Shyamasundar-Ramesh], Multiclock-Esterel [Berry-Sentovitch], n-synchrony [Cohen-Duranton-Eisenbeis-Pagetti-Plateau-Pouzet], GALS [Metropolis], [Polychrony], Tag machines [Benveniste-Caillaud-Carloni-Sangiovanni] () 14 / 45

21 Synchrony and Asynchrony Synchrony and Asynchrony (3/3) Related works: extend the synchronous model CRP [Berry-Shyamasundar-Ramesh], Multiclock-Esterel [Berry-Sentovitch], n-synchrony [Cohen-Duranton-Eisenbeis-Pagetti-Plateau-Pouzet], GALS [Metropolis], [Polychrony], Tag machines [Benveniste-Caillaud-Carloni-Sangiovanni] less synchronous implementations Multi-task implementations [SYNDEX], [Caspi-Scaife], Distributed code [Caspi-Girault],[Caspi-Salem], [Potop-Caillaud] () 14 / 45

22 Synchrony and Asynchrony Synchrony and Asynchrony (3/3) Related works: extend the synchronous model CRP [Berry-Shyamasundar-Ramesh], Multiclock-Esterel [Berry-Sentovitch], n-synchrony [Cohen-Duranton-Eisenbeis-Pagetti-Plateau-Pouzet], GALS [Metropolis], [Polychrony], Tag machines [Benveniste-Caillaud-Carloni-Sangiovanni] less synchronous implementations Multi-task implementations [SYNDEX], [Caspi-Scaife], Distributed code [Caspi-Girault],[Caspi-Salem], [Potop-Caillaud] model asynchrony within the synchronous framework SafeAir, SafeAir-II projects [Baufreton et-al], Polychrony [Le Guernic-Talpin-Le Lann], [Gamatié-Gautier], this talk (same approach, in the ctxt of the Assert project) () 14 / 45

23 Synchrony and Asynchrony The ASSERT Project (1/2) European Integrated Project ( ) on model-driven design of embbedded systems Main application domain: aerospace applications () 15 / 45

24 Synchrony and Asynchrony The ASSERT Project (1/2) European Integrated Project ( ) on model-driven design of embbedded systems Main application domain: aerospace applications Target architecture (AADL) Software components (UML, Scade, C) Target code () 15 / 45

25 Synchrony and Asynchrony The ASSERT Project (2/2) What this talk is about: Target architecture (AADL) Automatic translation Software components (Scade) Behavioural model of the architecture (Scade-Lustre) Simulation Verification () 16 / 45

26 Synchronous Modelling of Asynchrony 1 The Synchronous Paradigm 2 Synchrony and Asynchrony 3 Synchronous Modelling of Asynchrony 4 A case study 5 Quasi-synchrony 6 Translating AADL concepts 7 Current work and conclusion () 17 / 45

27 Synchronous Modelling of Asynchrony Synchronous Modelling of Asynchrony (1/5) Need to prevent a component from reacting (sporadic reactions) non-determinism model execution time () 18 / 45

28 Synchronous Modelling of Asynchrony Synchronous Modelling of Asynchrony (2/5) Prevent a component from reacting available in all synchronous languages: clocks in Lustre and Signal activation conditions in Scade suspend statement in Esterel () 19 / 45

29 Synchronous Modelling of Asynchrony Synchronous Modelling of Asynchrony (3/5) Activation condition in Scade c A distinguished Boolean input, say c, decides if the component must react. X Y () 20 / 45

30 Synchronous Modelling of Asynchrony Synchronous Modelling of Asynchrony (3/5) Activation condition in Scade c A distinguished Boolean input, say c, decides if the component must react. when c = 1 the normal reaction occurs X Y () 20 / 45

31 Synchronous Modelling of Asynchrony Synchronous Modelling of Asynchrony (3/5) Activation condition in Scade c A distinguished Boolean input, say c, decides if the component must react. when c = 1 the normal reaction occurs when c = 0 the state does not change X Y () 20 / 45

32 Synchronous Modelling of Asynchrony Synchronous Modelling of Asynchrony (3/5) Activation condition in Scade c A distinguished Boolean input, say c, decides if the component must react. when c = 1 the normal reaction occurs when c = 0 the state does not change the output keeps its previous value X Y () 20 / 45

33 Synchronous Modelling of Asynchrony Synchronous Modelling of Asynchrony(4/5) Non determinism Just by adding auxiliary inputs (oracles) Restriction of non-determinism: constraints/assumptions on oracles ensured by assertions or transducer (scheduler) () 21 / 45

34 Synchronous Modelling of Asynchrony A task in the synchronous world x () 22 / 45

35 Synchronous Modelling of Asynchrony A task in the synchronous world x t () 22 / 45

36 Synchronous Modelling of Asynchrony A task in the synchronous world x t () 22 / 45

37 Synchronous Modelling of Asynchrony A task in the synchronous world x t x () 22 / 45

38 Synchronous Modelling of Asynchrony A sporadic or periodic task () 23 / 45

39 Synchronous Modelling of Asynchrony A sporadic or periodic task t () 23 / 45

40 Synchronous Modelling of Asynchrony A sporadic or periodic task T t () 23 / 45

41 Synchronous Modelling of Asynchrony A sporadic or periodic task x T t x () 23 / 45

42 Synchronous Modelling of Asynchrony A sporadic or periodic task period T x T t x () 23 / 45

43 Synchronous Modelling of Asynchrony Execution time period T () 24 / 45

44 Synchronous Modelling of Asynchrony Execution time period T t () 24 / 45

45 Synchronous Modelling of Asynchrony Execution time period T m M m M m M t () 24 / 45

46 Synchronous Modelling of Asynchrony Execution time period T m M m M m M t x () 24 / 45

47 Synchronous Modelling of Asynchrony Execution time ω period T (m, M) x m M m M m M t x () 24 / 45

48 Synchronous Modelling of Asynchrony Synchronous Modelling of Asynchrony (5/5) A quite general structure: P Q () 25 / 45

49 Synchronous Modelling of Asynchrony Synchronous Modelling of Asynchrony (5/5) A quite general structure: C P C Q P Q () 25 / 45

50 Synchronous Modelling of Asynchrony Synchronous Modelling of Asynchrony (5/5) A quite general structure: Ω P Ω Q Sched. C P C Q P Q () 25 / 45

51 Synchronous Modelling of Asynchrony Synchronous Modelling of Asynchrony (5/5) A quite general structure: Ω P Ω Q Sched. C P C Q P Q () 25 / 45

52 Synchronous Modelling of Asynchrony Synchronous Modelling of Asynchrony (5/5) A quite general structure: Ω P Ω Q Ω pq Ω qp Sched. C P c pq C Q P c qp Q () 25 / 45

53 A case study 1 The Synchronous Paradigm 2 Synchrony and Asynchrony 3 Synchronous Modelling of Asynchrony 4 A case study 5 Quasi-synchrony 6 Translating AADL concepts 7 Current work and conclusion () 26 / 45

54 A case study The PFS case study (1/5) Proximity Flight Safety (PFS), part of the Automatic Transfer Vehicule (ATV), spacecraft in charge of supplying the International Space Station (ISS) ESA, Astrium-ST Ensures the safety of the approach of the ATV to the ISS (most safety critical part of the mission) () 27 / 45

55 A case study When anything goes wrong, the PFS is in charge of safely moving the ATV apart from the ISS, and to orient it towards the sun ( Collision Avoidance Manoeuvre, CAM) () 28 / 45

56 A case study The PFS case study (3/5) The system is made of two redundant Monitoring and Safety Units (MSU): one master, one backup Each MSU: detects anomalies: failures of the main computer, abnormal state of the bus, erroneous position or speed of the ATV, red button pressed from inside the ISS detects its own failures (master change) is able to perform a CAM () 29 / 45

57 A case study The PFS case study (4/5) At each instant, one of the MSU is the master. If the master detects its own failure, it transmits its mastership to the other MSU. However, such a master change can only occur once in a mission master change is forbidden during a CAM () 30 / 45

58 A case study The PFS case study (5/5) Distribution: Two computers (one for each MSU) running in quasi-synchrony Multitasking: Each MSU consists of two periodic tasks (one fast, one slow). Each task specified in Scade () 31 / 45

59 A case study The PFS case study (5/5) Distribution: Two computers (one for each MSU) running in quasi-synchrony Multitasking: Each MSU consists of two periodic tasks (one fast, one slow). Each task specified in Scade Fast thread Fast thread Slow thread Slow thread SP1 SP2 SP1 SP2 Processor 1 Processor 2 () 31 / 45

60 Quasi-synchrony 1 The Synchronous Paradigm 2 Synchrony and Asynchrony 3 Synchronous Modelling of Asynchrony 4 A case study 5 Quasi-synchrony 6 Translating AADL concepts 7 Current work and conclusion () 32 / 45

61 Quasi-synchrony Quasi-synchrony (1/2) [Caspi et al, FTRTFT 00, Safecomp 01] Several periodic processes on different computers Supposed to run with the same clock Small clock drift, under which the following assumption can be made: Between two successive activations of one periodic process, each other process is activated either 0, or 1, or at most 2 times P 1 P 2 () 33 / 45

62 Quasi-synchrony Quasi-synchrony (2/2) In case of simple communication (e.g., by shared memory), each process can only miss or duplicate at most one output in a row from any other process: P P () 34 / 45

63 Quasi-synchrony Modeling quasi-synchrony (1/2) 2 processes P and Q, activated by conditions C P, C Q Assumption: between 2 occurrences of C i there are at most 2 occurrences of C j Ambiguous, because of simultaneity... Precise assumption: Each condition cannot be true alone more than twice in a row. If a condition occurs alone twice in a row, the other condition must follow alone () 35 / 45

64 Quasi-synchrony Modeling quasi-synchrony (2/2) Non-deterministic quasi-synchronous scheduler Ω P Ω Q C P C Q () 36 / 45

65 Quasi-synchrony Quasi-synchronous scheduler Ω P,Ω Q /C P,C Q 0 () 37 / 45

66 Quasi-synchrony Quasi-synchronous scheduler Ω P,Ω Q /C P,C Q 01/01 0 1Q () 37 / 45

67 Quasi-synchrony Quasi-synchronous scheduler Ω P,Ω Q /C P,C Q 01/ /10 1Q 1P () 37 / 45

68 Quasi-synchrony Quasi-synchronous scheduler Ω P,Ω Q /C P,C Q 11/11 00/00 01/ /10 1Q 1P () 37 / 45

69 Quasi-synchrony Quasi-synchronous scheduler Ω P,Ω Q /C P,C Q 11/11 00/00 00/00 1Q 01/01 11/ /10 1P () 37 / 45

70 Quasi-synchrony Quasi-synchronous scheduler Ω P,Ω Q /C P,C Q 11/11 00/00 00/00 1Q 01/01 11/ /10 10/10 1P () 37 / 45

71 Quasi-synchrony Quasi-synchronous scheduler Ω P,Ω Q /C P,C Q 11/11 00/00 00/00 1Q 01/01 11/ /10 10/10 1P 01/01 2Q () 37 / 45

72 Quasi-synchrony Quasi-synchronous scheduler Ω P,Ω Q /C P,C Q 11/11 00/00 00/00 1Q 01/01 11/ /10 10/10 1P 00/00 01/01 00/00 2Q 10/10 01/10 11/10 () 37 / 45

73 Quasi-synchrony Quasi-synchronous scheduler Ω P,Ω Q /C P,C Q 11/11 00/00 00/00 1Q 01/ /10 11/11 11/11 01/01 00/00 1P 10/10 01/01 10/10 00/00 2Q 10/10 01/10 11/10 01/01 2P 10/01 11/01 00/00 () 37 / 45

74 Translating AADL concepts 1 The Synchronous Paradigm 2 Synchrony and Asynchrony 3 Synchronous Modelling of Asynchrony 4 A case study 5 Quasi-synchrony 6 Translating AADL concepts 7 Current work and conclusion () 38 / 45

75 Translating AADL concepts Processes: actual clocks Proc 1 Proc 2 Fast Th Fast Th Slow Th SP 1 SP 2 () 39 / 45

76 Translating AADL concepts Processes: actual clocks Proc 1 Proc 2 Fast Th Fast Th Slow Th SP 1 SP 2 Quasi-synchronous clocks used to count periods and deadlines () 39 / 45

77 Translating AADL concepts Threads: sharing the processor Proc 1 Fast Th Slow Th () 40 / 45

78 Translating AADL concepts Threads: sharing the processor Proc 1 Fast Th Slow Th () 40 / 45

79 Translating AADL concepts Threads: sharing the processor Proc 1 Fast Th Slow Th Activity clocks, used to count execution times () 40 / 45

80 Translating AADL concepts Subprograms: sequencing () 41 / 45

81 Translating AADL concepts Subprograms: sequencing () 41 / 45

82 Translating AADL concepts Subprograms: sequencing () 41 / 45

83 Translating AADL concepts Final model QS T F Mm T F Mm SCH SCH T S Mm Mm T S Mm Mm () 42 / 45

84 Translating AADL concepts Applications extensive simulation (using the tool LURETTE to generate oracles automatically) automatic verification Example of property of the PFS: at each instant, one and only one MSU is the master () 43 / 45

85 Translating AADL concepts Applications extensive simulation (using the tool LURETTE to generate oracles automatically) automatic verification Example of property of the PFS: at each instant, one and only one MSU is the master Wrong, because of asynchrony. Right property: at each instant, there is at most one master there are at most two clock cycles without master () 43 / 45

86 Current work and conclusion 1 The Synchronous Paradigm 2 Synchrony and Asynchrony 3 Synchronous Modelling of Asynchrony 4 A case study 5 Quasi-synchrony 6 Translating AADL concepts 7 Current work and conclusion () 44 / 45

87 Current work and conclusion Other works deterministic communication [ACSD2006] scheduling policies and resource management [FASE2009] () 45 / 45

88 Current work and conclusion Other works deterministic communication [ACSD2006] scheduling policies and resource management [FASE2009] Conclusion Gives precise semantics to AADL Makes it executable (early simulation/validation) One more non-synchronous application of synchrony () 45 / 45

Simulation and Verification of Asynchronous Systems by means of a Synchronous Model

c IEEE Computer Society ress, ACSD 06 Simulation and Verification of Asynchronous Systems by means of a Synchronous Model Nicolas Halbwachs and Louis Mandel Vérimag, Grenoble France Abstract Synchrony