Model-based Design and Verification of Embedded Software


Towards a Model-Based Toolchain for High Confidence Design
Peter Volgyesi
Gabor Karsai
Janos Sztipanovits
Sandeep Neema
Harmon Nine
Joe Porter
Ryan Thibodeaux
Vanderbilt University/ISIS
Recap: Focus Area 2: Model-based Software Design and Verification
Foundations of model-based software design for high-confidence, networked embedded systems applications:
1. Semantic foundations for modeling languages and model transformations,
2. Precisely architected software and systems platforms that guarantee system properties via construction,
3. Methods for static source code verification and testing,
4. Methods for dynamic runtime verification and testing.
Deliverables: theories, methods and design environment components integrated into our prototype toolchain, and a high-confidence embedded platform integrated into our experimental systems.
Focus Area 2: Model-based Software Design and Verification
MSD-1. Model-Integrated Computing (MIC) (Karsai, Lee, Sztipanovits)
- Formal, metamodel-based semantic foundations for domain-specific modeling languages (DSML), based on the concept of semantic anchoring, and model transformations.
MSD-2. Embedded Software Composition Platforms (Lee, Karsai, Sastry, Sztipanovits)
- Heterogeneous software composition platform that offers middleware support for a well-defined suite of models of computation (MoC), incorporating dynamic type checking for system-level types and seamless interfaces towards underlying systems platforms such as Time Triggered Architecture and towards higher-level modeling environments.
MSD-3. Automated Source-code Verification and Testing (Clarke, Necula)
- New static analysis techniques for programming languages widely used in embedded software development. (Presentation by Prof. Clarke)
MSD-4. Model-Based Runtime Testing and Verification (Krogh, Tomlin, Clarke, Sztipanovits)
- Algorithms for the runtime, passive conformance testing of system behavior to a set of approximate models.
Links to overall Design Flow
[Diagram: the overall design flow with the four focus-area elements (MSD-1, MSD-2, MSD-3, MSD-4) attached to its stages. Stages shown: Requirement Specification (RA); Control Design (CD); Functional Mod/Sim (FD); System Arch. Design (SY); HW Arch. Design (HwA); Software Architecture (SwA); Arch Mod/Sim; Component Design; Code Gen.; Verif.; HW Pwr/Perf Est; Alloc./Sched. Analysis; Latency/RT Analysis; SW Deployment (DPL).]
First prototype toolchain elements
Functional Design: Matlab/Simulink/Stateflow
- Single rate subsystems
- Synchronous Dataflow semantics
- Event-triggered charts
Componentization, Software Architecture, Allocation and Deployment: ECSL Modeling Tool (GME)
- Simulink/Stateflow import
- Additional aspects for components, architecture, and deployment
- Code generation for
  - Dataflow (Simulink/SDF) models
  - Statechart (Stateflow) models
  - Platform interface code
Resource allocation (Scheduling): CSP-based Scheduler
- Constraint-based generation of task and bus message schedules for a time-triggered platform
Execution Platform: Time-Triggered Platform
- Multiple processors connected via a time-shared bus
- Tasks are cyclic, time-triggered
- Message receive/send happens before/after task release/finish
Design rationale for prototype toolchain (1)
The connection towards Simulink/Stateflow
- Simulink/Stateflow is the industry standard
- SDF and (restricted) Statechart semantics are well-defined and widely used
- Could be substituted in later stages of the project
The ECSL language
- Software components, architectures and deployment had to be captured in models and integrated with the functional models.
- Not all features of Simulink/Stateflow are supported – only a ‘safe’ subset.
- Dataflow (Simulink/SDF) model: scheduling based on the time-triggered paradigm (t_k is determined by an off-line scheduler):
  receive(t_k) → execute() → send(t_k+1)
- Extensible towards other models of computation
Embedded Control System Language
Design rationale for prototype toolchain (2)
Code generation
- Dataflow/SDF code generation:
  - Explicit type inference (if Simulink model is not fully typed)
  - Graph transformation into an intermediate code format (C-like, Abstract Syntax Graph)
  - Printing C code (or Java, or …)?
- Stateflow code generation:
  - Follows Stateflow semantics (state transitions)
  - Graph transformation into an intermediate code format (C-like, Abstract Syntax Graph)
  - Printing C code (or Java, or …)?
- Both code generators are extensible/backend can be replaced
Code generation
[Diagram: Dataflow (Simulink) and Statechart (Stateflow) models → Abstract Syntax Graph of executable code → C source code]
The code generator is formally specified as a programmed graph transformation system. This allows reasoning about the correctness of the transformation itself.
The result of the transformation is an abstract syntax graph that allows ‘printing’ the executable code in various languages.
Support for verification: the code generation could insert verification conditions (derived from the models) into the generated ASG.
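As an added example (it is not the ECSL code generator and not code from the ISIS toolchain), the Python script below walks a constructed single-rate block diagram through the two stages just described: a graph transformation into a language-neutral abstract syntax graph, and a separate printing backend that emits C. The block kinds, their parameter names, the ASG node shapes and the `step()` calling convention are all assumptions made for this example; the page only states that such an intermediate graph exists and that the printer is replaceable.

```python
"""Dataflow model -> abstract syntax graph (ASG) -> C source text.

Added example; it is not the ECSL code generator.  A constructed, single-rate
Simulink-style block diagram (Inport, Gain, Sum, UnitDelay, Outport) is turned
into a small language-neutral ASG (assignments in execution order) and only
then 'printed' as C, so the backend can be swapped without touching the
transformation.  Blocks outside this subset and algebraic loops are rejected.
"""
from collections import defaultdict

# Constructed model: block -> (kind, parameters); lines are (source, destination)
BLOCKS = {"u": ("Inport", {}), "k": ("Gain", {"gain": 2.0}),
          "z": ("UnitDelay", {"init": 0.0}), "s": ("Sum", {}), "y": ("Outport", {})}
LINES = [("u", "k"), ("k", "s"), ("z", "s"), ("s", "y"), ("s", "z")]


def transform(blocks, lines):
    """Graph transformation: block diagram -> ASG dict."""
    src_of = defaultdict(list)
    for a, b in lines:
        src_of[b].append(a)
    # A UnitDelay outputs its stored state, so its input line does not
    # constrain execution order; every other line does.
    deps = {b: [] if blocks[b][0] == "UnitDelay" else src_of[b] for b in blocks}
    order, done, visiting = [], set(), set()

    def visit(b):  # depth-first topological ordering with cycle detection
        if b in done:
            return
        if b in visiting:
            raise ValueError(f"algebraic loop through block {b!r}")
        visiting.add(b)
        for d in deps[b]:
            visit(d)
        visiting.discard(b)
        done.add(b)
        order.append(b)

    for b in blocks:
        visit(b)
    asg = {"inputs": [], "outputs": [], "state": [], "body": [], "update": []}
    for b in order:
        kind, p = blocks[b]
        ins = [("var", s) for s in src_of[b]]
        if kind == "Inport":
            asg["inputs"].append(b)
        elif kind == "Gain":
            asg["body"].append(("assign", b, ("mul", ("const", p["gain"]), ins[0])))
        elif kind == "Sum":
            expr = ins[0]
            for e in ins[1:]:
                expr = ("add", expr, e)
            asg["body"].append(("assign", b, expr))
        elif kind == "UnitDelay":
            asg["state"].append((b, p["init"]))
            asg["body"].append(("assign", b, ("var", b + "_state")))
            asg["update"].append(("assign", b + "_state", ins[0]))  # after the body
        elif kind == "Outport":
            asg["outputs"].append(b)
            asg["body"].append(("assign", b, ins[0]))
        else:
            raise ValueError(f"block kind {kind!r} is outside the supported subset")
    return asg


def c_expr(e):
    """Print one ASG expression as C."""
    if e[0] == "const":
        return repr(float(e[1]))
    if e[0] == "var":
        return e[1]
    return f"({c_expr(e[1])} {'+' if e[0] == 'add' else '*'} {c_expr(e[2])})"


def print_c(asg, name="step"):
    """C backend: one step() function; outputs are written through pointers."""
    out = [f"static double {v}_state = {init!r};" for v, init in asg["state"]]
    params = [f"double {i}" for i in asg["inputs"]] + [f"double *{o}" for o in asg["outputs"]]
    out.append(f"void {name}({', '.join(params)}) {{")
    locals_ = [t for _, t, _ in asg["body"] if t not in asg["outputs"]]
    if locals_:
        out.append("    double " + ", ".join(locals_) + ";")
    for _, t, e in asg["body"] + asg["update"]:
        lhs = f"*{t}" if t in asg["outputs"] else t
        out.append(f"    {lhs} = {c_expr(e)};")
    out.append("}")
    return "\n".join(out)


def run(asg, inputs, state):
    """Interpret the ASG for one step (used here to check the transformation)."""
    env = dict(inputs, **{f"{v}_state": x for v, x in state.items()})

    def ev(e):
        if e[0] in ("const", "var"):
            return float(e[1]) if e[0] == "const" else env[e[1]]
        a, b = ev(e[1]), ev(e[2])
        return a + b if e[0] == "add" else a * b

    for _, t, e in asg["body"] + asg["update"]:
        env[t] = ev(e)
    return ({o: env[o] for o in asg["outputs"]}, {v: env[f"{v}_state"] for v, _ in asg["state"]})
```

`print(print_c(transform(BLOCKS, LINES)))` emits a `step(double u, double *y)` function that computes `y = 2u + z` and then stores `s` into the delay state, because the transformation emits the state update after the body. Keeping the ASG separate from the printer is what makes it possible to reason about the transformation on its own, and `run()` executes the ASG directly so the two stages can be checked independently of any C compiler.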
Design rationale for prototype toolchain (3)
Scheduler
- Explicit, design-time generation of cyclic time-triggered schedules for tasks and messages
- Constraint-based scheduling approach
The Platform
- Robust, timed execution of tasks on a network of processors
- Time-triggered approach:
  - Node schedulers are time-synchronized
  - Tasks are run cyclically, released at specific points in time
  - Messages are transferred at specific points in time
- Tasks:
  - Receive(t_k) → execute() → Send(t_k+1)
  - Task: single rate, multiple components
  - Components == Simulink subsystems
  - Messages == input and output dataflows (signals) of subsystems
Scheduling
The model is translated into a scheduling problem:
- Input: set of tasks with desired rates, set of messages with desired source/destination tasks and rates
- Output: task release times (in a cyclic schedule)
- Formulation: Constraint Satisfaction Problem (equalities and inequalities) over integers.
Support for certification: off-line scheduling of time-critical tasks and messages ensures correct temporal behavior.
[Diagram: Constraint Solver Engine (GECode) → Task Schedule and Message Schedule]
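The scheduling problem above, as an added example that is not the ISIS scheduler: a small backtracking search over integer release offsets stands in for the GECode engine, and the constraints are the ones the platform description implies (no two tasks overlap on a processor, no two messages overlap on the time-shared bus, and each message is sent after its source task finishes and arrives before its destination task is next released, i.e. receive(t_k) → execute() → send(t_k+1)). The task set, message set, the assumption that a message connects two tasks of equal period, and the data layout are all constructed for this example.

```python
"""Constraint-based generation of a cyclic time-triggered schedule.

Added example; it is not the ISIS scheduler.  A backtracking search stands in
for the GECode constraint engine.  Tasks are strictly periodic, each on one
processor; messages use a single shared bus and connect tasks of equal period
(an assumption made here).  A message is sent after its source task finishes
and arrives before its destination task's next release.  All data is constructed.
"""
from functools import reduce
from math import gcd

# Constructed input: name -> period, worst-case execution time, processor
TASKS = {
    "sensor":   {"period": 10, "wcet": 2, "proc": "N1"},
    "control":  {"period": 10, "wcet": 3, "proc": "N2"},
    "actuator": {"period": 10, "wcet": 2, "proc": "N2"},
    "logger":   {"period": 20, "wcet": 4, "proc": "N1"},
}
# Constructed messages: name -> source task, destination task, bus time
MESSAGES = {
    "m_meas": {"src": "sensor", "dst": "control", "dur": 1},
    "m_cmd":  {"src": "control", "dst": "actuator", "dur": 1},
}


def instances(start, length, period, hyper):
    """Occurrence intervals [begin, end) of a periodic item in one hyperperiod."""
    return [(start + j * period, start + j * period + length) for j in range(hyper // period)]


def disjoint(intervals):
    """True if no two half-open intervals overlap."""
    ivs = sorted(intervals)
    return all(a[1] <= b[0] for a, b in zip(ivs, ivs[1:]))


def solve(tasks, messages):
    """Return (assignment, hyperperiod); assignment is None if infeasible.

    Variables: task release offsets and message bus-slot offsets (integers).
    Constraints: no overlap per processor, no overlap on the bus, and the
    send-after-finish / arrive-before-next-release rule for each message.
    """
    hyper = reduce(lambda a, b: a * b // gcd(a, b), (t["period"] for t in tasks.values()))
    variables = [("task", n) for n in tasks] + [("msg", n) for n in messages]  # tasks first
    assign = {}

    def domain(kind, name):
        if kind == "task":
            return range(tasks[name]["period"] - tasks[name]["wcet"] + 1)
        m = messages[name]
        return range(tasks[m["src"]]["period"] - m["dur"] + 1)

    def consistent():
        # (1) tasks on the same processor never overlap
        for proc in {t["proc"] for t in tasks.values()}:
            ivs = [iv for n, t in tasks.items() if t["proc"] == proc and ("task", n) in assign
                   for iv in instances(assign[("task", n)], t["wcet"], t["period"], hyper)]
            if not disjoint(ivs):
                return False
        # (2) all messages share one time-shared bus
        ivs = [iv for n, m in messages.items() if ("msg", n) in assign
               for iv in instances(assign[("msg", n)], m["dur"], tasks[m["src"]]["period"], hyper)]
        if not disjoint(ivs):
            return False
        # (3) send after the source finishes; arrive before the destination's next release
        for n, m in messages.items():
            if ("msg", n) not in assign:
                continue
            slot, src, dst = assign[("msg", n)], tasks[m["src"]], tasks[m["dst"]]
            if slot < assign[("task", m["src"])] + src["wcet"]:
                return False
            if slot + m["dur"] > assign[("task", m["dst"])] + dst["period"]:
                return False
        return True

    def backtrack(i):
        if i == len(variables):
            return dict(assign)
        var = variables[i]
        for value in domain(*var):
            assign[var] = value
            if consistent():
                found = backtrack(i + 1)
                if found is not None:
                    return found
            del assign[var]
        return None

    return backtrack(0), hyper


if __name__ == "__main__":
    schedule, hyper = solve(TASKS, MESSAGES)
    print(f"hyperperiod = {hyper}")
    for (kind, name), offset in sorted(schedule.items(), key=lambda kv: kv[1]):
        print(f"  {kind:4s} {name:9s} @ {offset}")
```

For the constructed input the search returns a 20-tick hyperperiod with `sensor` and `control` released at 0, `actuator` at 3 (after `control` finishes on N2), `logger` at 2 (between the two `sensor` instances on N1), and bus slots 2 and 3 for the two messages. The certification argument on the slide rests on exactly this: every release and transmission time is fixed off-line, so the temporal behaviour can be checked against the constraints before anything runs.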
Realization
[Diagram of the realized tool flow:]
- Modeling/Simulation Environment (Simulink/Stateflow): simulation-based verification
- Mdl2Mga: import into the Model Editing Environment (ECSL-DP), holding the Dataflow, Stateflow and System models
- From the ECSL-DP models: Simulink Code Gen → C code; Stateflow Code Gen → C code; Scheduler → TT Schedule; Conf Gen → Conf
- Symbolic verification (TBD)
Platforms
TTTech
- MPC 555 micros
- TTP/C comm
- TTTech Software tools
- Fault-tolerance
Soekris
- Linux w/ 3xEthernet
- TT Virtual Machine on standard UDP and Linux
- No fault tolerance (yet)
TT Virtual Machine
Step 1: DEVS model of the TT scheduler
Step 2: Prototype on POSIX interface
- Embedded Linux hosts
- Isolated Ethernet network (UDP)
- High-precision timers
DEVS (Discrete-Event Systems): Finite-State Machines with
- Continuous time model for timed transitions
- Communication/triggering via discrete events
Abstract model, has C++ simulator implementation
[Diagram: layered stack of TT Tasks, TT Sched, TT Comm, Kernel, Ethernet (TT, shared bus)]
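The behaviour the TT scheduler model has to capture, as an added example that is neither the ISIS DEVS model nor the TT virtual machine: a discrete-event simulation of a constructed cyclic schedule under the platform rule that a task copies its inputs at release, executes, and has its outputs transmitted at the message's bus slot, so a receiver observes a value only at its first release after the transmission (the receive(t_k) → execute() → send(t_k+1) discipline from the earlier slides). The schedule, the 10-tick cycle, the toy component functions and the receive-before-send tie-break at equal times are assumptions made for this example.

```python
"""Discrete-event simulation of time-triggered task execution.

Added example; it is not the ISIS TT virtual machine or its DEVS model.  A
constructed cyclic schedule (task release offsets and bus slots on a 10-tick
cycle) runs for a few cycles: a task snapshots its inputs at release
(receive at t_k), executes, and its output goes onto the bus at the message's
slot, so the receiver sees it only at its next release (send at t_k+1).  A
release and a transmission at the same tick are ordered receive-before-send.
"""
import heapq

CYCLE = 10
# Constructed schedule, of the kind an off-line scheduler would emit
RELEASE = {"sensor": 0, "control": 0, "actuator": 3}        # task -> release offset
BUS = {"m_meas": ("sensor", "control", 2),                   # message -> (src, dst, slot)
       "m_cmd": ("control", "actuator", 3)}

# Toy components: (cycle number, inputs seen at release) -> output value
COMPONENTS = {
    "sensor":   lambda k, inp: 10 * k,                                   # fresh reading
    "control":  lambda k, inp: None if inp["m_meas"] is None else 2 * inp["m_meas"],
    "actuator": lambda k, inp: inp["m_cmd"],                             # forwards input
}


def simulate(cycles):
    """Run `cycles` cycles; return [(time, task, inputs seen at release)]."""
    bus = {}      # last value transmitted on each message
    outbox = {}   # each task's latest output, staged until its bus slot
    trace = []
    events = []   # (time, 0 = release / 1 = transmit, name); heap orders by time
    for k in range(cycles):
        for task, offset in RELEASE.items():
            heapq.heappush(events, (k * CYCLE + offset, 0, task))
        for msg, (_, _, slot) in BUS.items():
            heapq.heappush(events, (k * CYCLE + slot, 1, msg))
    while events:
        t, kind, name = heapq.heappop(events)
        if kind == 0:
            # receive(t_k): snapshot inputs from the bus, then execute the task
            inputs = {m: bus.get(m) for m, (_, dst, _) in BUS.items() if dst == name}
            outbox[name] = COMPONENTS[name](t // CYCLE, inputs)
            trace.append((t, name, inputs))
        else:
            # bus slot: transmit the source task's staged output
            src = BUS[name][0]
            if src in outbox:
                bus[name] = outbox[src]
    return trace


def first_delivery(trace, task, message, value):
    """Cycle in which `task` first sees `value` on `message` (None if never)."""
    for t, name, inputs in trace:
        if name == task and inputs.get(message) == value:
            return t // CYCLE
    return None


if __name__ == "__main__":
    for t, name, inputs in simulate(3):
        print(f"t={t:2d}  {name:8s} sees {inputs}")
```

Running three cycles shows the one-cycle delay per hop that the schedule fixes off-line: the reading `sensor` produces in cycle 0 is transmitted at tick 2, read by `control` at its cycle-1 release (tick 10), transmitted as `m_cmd` at tick 13, and first seen by `actuator` at tick 23, i.e. in cycle 2. At tick 3 and 13 `actuator` is released at the same tick as the `m_cmd` slot and, by the receive-before-send rule, still sees the previous transmission. A schedule analysis (the Latency/RT Analysis box in the design flow) would add these hop delays up rather than discover them at run time.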
Plans
- Extending the modeling language
  - Other coordination techniques (P/S, etc.)
- Extending the TT/VM Platform
  - Event-driven communications
  - Coordination patterns
  - Fault tolerance
- Integrating code generation with code verification
  - Propagating/generating verification conditions into the generated code