Timed Automata Models for Principled Composition of Middleware

About This Presentation

Title:

Timed Automata Models for Principled Composition of Middleware

Description:

Effects and Results. Solution Approach. Challenge. 6 - Venkita Subramonian ... DREAM. Modeling environments. GME, Ptolemy. Model driven middleware. CoSMIC, OCML, ... – PowerPoint PPT presentation

Number of Views:93

Avg rating:3.0/5.0

Slides: 86

Provided by: fredk5

Category:

more less

Transcript and Presenter's Notes

Title: Timed Automata Models for Principled Composition of Middleware

1
Timed Automata Models for Principled Composition
of Middleware

Venkita Subramonian
Dissertation Defense
Distributed Object Computing Group
Department of Computer Science and Engineering
Washington University, St. Louis
venkita_at_cse.wustl.edu

Advisor Dr. Christopher D. Gill
Research supported by DOC Group, Washington
University NSF CAREER CCF-0448562
March 10, 2006
2
Research Focus
Thesis Composable, reusable and verifiable
formal models of fine-grain middleware building
blocks provides a principled approach to analyze
timing and liveness properties of systems that
use middleware built from these fine-grain
building blocks

Goal Build correct DRE middleware

System Implementation
System Modeling
CADENA DREAM RMA Ptolemy GME CoSMIC UPPAAL IF-tool
kit SPIN Bogor
Composable models of building blocks
Formal approach to composition

Bringing more concrete models of the platform
Models reflect actual system more closely

Formal documentation of available knowledge
Bringing more rigor in to model-driven middleware

3
Problem Interference Issues in DRE Middleware

Key features of modern DRE middleware
Reusability
Flexibility
Interaction between fine-grain building blocks
leads to interference
Interference issues in middleware affect safety
and liveness properties of DRE systems
Blocking delay at a reactor
Exhaustion of threads in a reactor thread pool
Not captured by high level computation models
that do not include middleware elements
Not captured in a formally analyzable manner by
patterns and pattern languages

This research captures these middleware
interference issues formally
4
Expert Opinion
ORB configurations have a substantial impact on
performance, e.g., TAO's fastest concurrency
model is thread-per-connection, rather than
thread pool
what's ultimately most important is to determine
how things perform for applications that are
representative of actual user configurations,
rather than micro-benchmarks alone
Dr. Douglas Schmidt, ICE vs CORBA newsgroup
discussion 3/29/05
a main obstacle to the application of rigorous
development techniques is the lack of methodology
for relating application software and functional
design to physical architecture and
implementation
Dr. Joseph Sifakis, Modeling real-time
systems-challenges and work directions, EMSOFT
2001
5
Research Challenges and Contributions
6
Survey of Related Work

Applying MIC to DRE systems
ESML, AIRES, CADENA, TimeWiz, VEST
DREAM
Modeling environments
GME, Ptolemy
Model driven middleware
CoSMIC, OCML, PICML, BGML
Formal techniques in CORBA
Work by Kaveh, Duval, Kamel
Execution platforms
E-machine, MicroQoSCORBA, Zen, ACE, CIAO, TinyOS

7
Computation Model
Application
Middleware
Network
De-multiplexing Dispatching
Application logic
Event Handlers
Interaction Channels
Reactor
Synchronous wait
Serial dispatching
Asynchronous event arrival
8
Middleware Modeling Architecture
Event Handler
Application Abstraction Layer
Event Handler
Event Handler
Transition Control Mechanisms
Acceptor
ThreadPool
Middleware Abstraction Layer
Reactor
Connector
Property Specifications
IPC Channel
Network/OS Abstraction Layer
Forward Channel
IPC SAP
IPC SAP
Reverse Channel
Foundational Data Structures and Operations E.g.,
IPC SAP buffers, Handler repository
9
Simple Illustration of Model Execution
Event Handler1
1
Event Handler2
3
Reactor
Client1
Connxn1
1
0
3
Client2
Connxn2
2

Our models are executable models
Can be executed in a model checker
Concrete middleware models in UPPAAL and IF

10
Illustration of Model Execution
Event Handler
Event Handler
1
3
Reactor
1
3
IPC Channel
Client1
Forward Channel
0
0
1
Reverse Channel
Foundational Data Structures and Operations
0
1
2
3
Handler Repository
IPC SAP Buffers
11
Illustration of Model Execution
Event Handler
Event Handler
1
3
Reactor
1
3
IPC Channel
Client1
Forward Channel
0
0
1
Reverse Channel
Foundational Data Structures and Operations
0
1
2
3
Handler Repository
IPC SAP Buffers
12
Illustration of Model Execution
Event Handler
Event Handler
1
3
Reactor
1
3
IPC Channel
Client1
Forward Channel
0
0
1
Reverse Channel
Foundational Data Structures and Operations
0
1
2
3
Handler Repository
IPC SAP Buffers
13
Illustration of Model Execution
Event Handler
Event Handler
1
3
Reactor
1
3
IPC Channel
Client1
Forward Channel
0
0
1
Reverse Channel
Foundational Data Structures and Operations
0
1
2
3
Handler Repository
IPC SAP Buffers
14
Illustration of Model Execution
Event Handler
Event Handler
1
3
Reactor
1
3
IPC Channel
Client1
Forward Channel
0
0
1
Reverse Channel
Foundational Data Structures and Operations
0
1
2
3
Handler Repository
IPC SAP Buffers
15
Illustration of Model Execution
Event Handler
Event Handler
1
3
Reactor
1
3
IPC Channel
Client1
Forward Channel
0
0
1
Reverse Channel
Foundational Data Structures and Operations
0
1
2
3
Handler Repository
IPC SAP Buffers
16
Illustration of Model Execution
Event Handler
Event Handler
1
3
Reactor
1
3
IPC Channel
Client1
Forward Channel
0
0
1
Reverse Channel
Foundational Data Structures and Operations
0
1
2
3
Handler Repository
IPC SAP Buffers
17
Illustration of Model Execution
Event Handler
Event Handler
1
3
Reactor
1
3
IPC Channel
Client1
Forward Channel
0
0
1
Reverse Channel
Foundational Data Structures and Operations
0
1
2
3
Handler Repository
IPC SAP Buffers
18
Illustration of Model Execution
Event Handler
Event Handler
1
3
Reactor
1
3
IPC Channel
Client1
Forward Channel
0
0
1
Reverse Channel
Foundational Data Structures and Operations
0
1
2
3
Handler Repository
IPC SAP Buffers
19
Illustration of Model Execution
Event Handler
Event Handler
1
3
Reactor
1
3
IPC Channel
Client1
Forward Channel
0
0
1
Reverse Channel
Foundational Data Structures and Operations
0
1
2
3
Handler Repository
IPC SAP Buffers
20
Illustration of Model Execution
Event Handler
Event Handler
1
3
Reactor
1
3
IPC Channel
Client1
Forward Channel
0
0
1
Reverse Channel
Foundational Data Structures and Operations
0
1
2
3
Handler Repository
IPC SAP Buffers
21
Illustration of Model Execution
Event Handler
Event Handler
1
3
Reactor
1
3
IPC Channel
Client1
Forward Channel
0
0
1
Reverse Channel
Foundational Data Structures and Operations
0
1
2
3
Handler Repository
IPC SAP Buffers
22
Modeling Challenges

Choice of mechanisms for implementation of
foundational data structures and operations
Mapping object interactions to automata
interactions
State space optimization
Threads and thread scheduling
Maximal progress semantics

23
Foundational Data Structures and Operations

How much of this state should be exposed to the
model checker?
Choice of implementation based on facilities
offered by model checker

Foundational Data Structures and Operations
0
1
2
3
Handler Repository
IPC SAP Buffers
24
Model Execution
IF processes
P1
P2
Time progress
..
P3

Pn
Non-deterministic choice between P1 and P2

Maximal progress - Execution of all enabled
transitions before advancing time
Need to constrain unnecessary non-determinism
Achieved using mechanisms such as priority rules
and observers

25
Priority Rules in IF
prio_rule pid1 lt pid2 if pid1 instanceof P2
and pid2 instanceof P1
Priority rules evaluated at each step
IF processes
P1
P2
Deterministic choice between P1 and P2

Schedulable entity is a process (automaton)
Priority rules use conditional expressions, but
ordering specified only between two processes in
one rule

26
Observers in IF
output msg1
P1
match output(msg1)
Do some stuff
Observer
Do some more stuff
27
Observers in IF
output msg1
P1
match output(msg1)
Do some stuff
Observer
Do some more stuff
28
Observers in IF
output msg1
P1
match output(msg1)
Do some stuff
Observer
Do some more stuff
29
Observers in IF
output msg1
P1
match output(msg1)
Do some stuff
Observer
Do some more stuff
30
Observers in IF
output msg1
P1
match output(msg1)
Do some stuff
Observer
Do some more stuff
31
Observers in IF
output msg1
P1
match output(msg1)
Do some stuff
Observer
Do some more stuff
do 1) execute model transition 2) collect
observable events 3) trigger zero or more
observer transitions 4) Evaluate priority
rules repeat
32
Modeling Threads
O1
O2
O3
T1
IF processes
O1
O2
Logical thread T1
..
O3

Notion of a logical thread identified by a
threadid
Threadid is a pid reference to a Thread process
Enables thread-specific parameters like
priorities
Instance variable in each process to store
current threadid
Enables us to express thread scheduling in terms
of IF priority rules which are based on processes

33
Threadid Propagation
output meth1 to O20
O10
Thread0
input meth1
O20
nil
Threadid Propagator
match output(msg) from pid1 to pid2 if
pid1 instanceof O1 and pid2 instanceof O2 then
task (O2pid2).threadid
(O1pid1).threadid endif if
pid1 instanceof O2 and pid2 instanceof O3 then
task (O3pid2).threadid
(O2pid1).threadid endif
34
Threadid Propagation
output meth1 to O20
O10
Thread0
input meth1
O20
nil
Threadid Propagator
match output(msg) from pid1 to pid2 if
pid1 instanceof O1 and pid2 instanceof O2 then
task (O2pid2).threadid
(O1pid1).threadid endif if
pid1 instanceof O2 and pid2 instanceof O3 then
task (O3pid2).threadid
(O2pid1).threadid endif
35
Threadid Propagation
output meth1 to O20
O10
Thread0
input meth1
O20
nil
Threadid Propagator
match output(msg) from pid1 to pid2 if
pid1 instanceof O1 and pid2 instanceof O2 then
task (O2pid2).threadid
(O1pid1).threadid endif if
pid1 instanceof O2 and pid2 instanceof O3 then
task (O3pid2).threadid
(O2pid1).threadid endif
36
Threadid Propagation
output meth1 to O20
O10
Thread0
input meth1
O20
Thread0
Threadid Propagator
match output(msg) from pid1 to pid2 if
pid1 instanceof O1 and pid2 instanceof O2 then
task (O2pid2).threadid
(O1pid1).threadid endif if
pid1 instanceof O2 and pid2 instanceof O3 then
task (O3pid2).threadid
(O2pid1).threadid endif
37
Threadid Propagation
output meth1 to O20
O10
Thread0
input meth1
O20
Thread0
Threadid Propagator
match output(msg) from pid1 to pid2 if
pid1 instanceof O1 and pid2 instanceof O2 then
task (O2pid2).threadid
(O1pid1).threadid endif if
pid1 instanceof O2 and pid2 instanceof O3 then
task (O3pid2).threadid
(O2pid1).threadid endif
38
Modeling Thread Scheduling
O1
O2
O3
O4
O5
O6
T1
T2
IF processes
O1
T1
scheduler_prio pid1 lt pid2 if pid1 instanceof O1
and pid2 instanceof O4 and (O1pid1).threadid
ltgt (O4pid2).threadid and (Thread((O1pid1)
.threadid)).prio lt (Thread((O4pid2).threadid))
.prio ) . .
O2
O3
O4
T2
O5
O6
do 1) execute model transition 2) collect
observable events 3) trigger zero or more
observer transitions 4) Evaluate priority
rules repeat

What if priorities are the same?

39
Modeling Run-to-completion (1/4)
O1
O2
O3
O4
O5
O6
T1
T2
IF processes
O1
T1
The selected thread runs to completion
O2
O3
O4
Solution Keep track of the currently running
thread and not let any other thread of the same
priority run, until the current thread blocks
T2
O5
O6
40
Modeling Run-to-completion (2/4)
O1
O2
O3
O4
O5
O6
T1
T2
IF processes
O1
T1
run_to_completion pid1 lt pid2 if pid1 instanceof
O1 and pid2 instanceof O4 and (O1pid1).threadid
ltgt (O4pid2).threadid and (Thread((O1pid1
).threadid)).prio (Thread((O4pid2).threadid)
).prio ) and (Global0).current
(O4pid2).threadid . . .
O2
O3
O4
T2
O5
O6
41
Modeling Run-to-completion (3/4)
O1
O2
O4
O5
T1
T2
Current T1
Current T2
T1 executes
T2 executes
IF processes
O1
O2
..
O4
O5
Because of the run-to-completion priority rules,
model checker always selects O5
42
Modeling Run-to-completion (4/4)
O1
O2
O4
O5
T1
T2
CurrentT1
CurrentT2
Currentnil
T1 executes
T2 executes
IF processes
O1
O2
..
O4
O5
Idle Catcher
Idle Catcher resets Current to nil
Non-deterministic choice between O2 and O5
43
Ordering Optimizations

System Initialization
Establishing static relations at system
initialization can be done in any order
Pick any one order
Eg., A0 forks C and B0 forks C and the order
in which this is done does not matter
Leader Election in Leader Followers
It does not matter which thread gets selected as
leader in a threadpool
Pick any available thread in a leader/followers
threadpool

44
Impact of State Space Optimization
EH1
C1
EH2
EH3
EH1
C2
EH2
EH3
EH1
C3
EH2
EH3
Reactor1
Reactor2
45
Thread Exhaustion (1/2)
EH1
EH2
Reactor1
Reactor2
C1
EH3

Number of threads in reactor combined with choice
of reply wait strategy leads to exhaustion of
threads
What if we increase the number of threads?

46
Thread Exhaustion (2/2)
EH1
EH1
Reactor1
C1
Reactor2
C2
EH2
EH2
EH3
EH3

Increasing number of reactor threads may not
always prevent deadlock
Our models capture this formally

47
Deadlock Avoidance (DA) Protocol
2
2
EH1
EH1
C1
Reactor1
Reactor2
C2
1
1
EH2
EH2
1
1
EH3
EH3

Developed and proven by Cesar Sanchez, Henny
Sipma and Zohar Manna, Stanford University
Annotate call graph based on reactor-event
handler topology
BASIC-P modeled

EH1R1
EH1R1
2
2
EH2R2
EH2R2
1
1
EH3R1
1
EH3R1
1
48
DA Protocol Overhead Experiment Setup
5
write
EventHandler
read
4
ACE_TP_Reactor with DA
ACE_Pipe
Bootstrap write
upcall
3
1
2

DA BASIC-P protocol implemented in the ACE TP
Reactor
Thread allocation in the DA protocol implemented
using handle suspension and resumption in the ACE
TP reactor
Backward compatible
Overhead of implementation minimal

49
Overhead of ACE TP reactor with DA
Negligible overhead with no DA protocol
Overhead increases with number of event handlers
because of their suspension and resumption on
protocol entry and exit
50
Model Execution Trace Showing Deadlock (1/2)
1 Test_Harness0 ---INIT_MODE_DONE()---gt
nil0 2 Time advanced by 3 units. Global time
is 3 3 Client3 TRACE_SAP_Buffer_Write(13,10) 4
Unidir_IPC_13_14 TRACE_SAP_Buffer_Transfer(13,1
4,10) 5 Client2 TRACE_SAP_Buffer_Write(7,10) 6
Unidir_IPC_7_8 TRACE_SAP_Buffer_Transfer(7,8,10
) 7 Client1 TRACE_SAP_Buffer_Write(1,10) 8
Unidir_IPC_1_2 TRACE_SAP_Buffer_Transfer(1,2,10)
EH1
EH1
EH1
EH2
EH2
EH2
C1
R1
R2
C2
EH3
EH3
EH3
C3
EH1
EH1
EH1
EH2
EH2
EH2
9 Reactor1_TPRHE1 TRACE_Reactor_IO_Wait_Done(2
,8,14,,) 10 Reactor1_TPRHE1
---handle_input(2,1)---gt Flow1_EH1 11
Reactor1_TPRHE2 TRACE_Reactor_IO_Wait_Done(8,14
,,) 12 Reactor1_TPRHE2 ---handle_input(8,2)---
gt Flow2_EH1 13 Reactor1_TPRHE3
TRACE_Reactor_IO_Wait_Done(14,,) 14
Reactor1_TPRHE3 ---handle_input(14,3)---gt
Flow3_EH1
C1
R1
R2
C2
EH3
EH3
EH3
C3
15 Time advanced by 25 units. Global time is
28 16 Flow1_EH1 TRACE_SAP_Buffer_Write(3,10) 17
Unidir_IPC_3_4 TRACE_SAP_Buffer_Transfer(3,4,1
0) 18 Reactor2_TPRHE4 TRACE_Reactor_IO_Wait_Don
e(4,,) 19 Reactor2_TPRHE4 ---handle_input(4,4
)---gt Flow1_EH2 20 Time advanced by 25 units.
Global time is 53 21 Flow1_EH2
TRACE_SAP_Buffer_Write(5,10) 22 Unidir_IPC_5_6
TRACE_SAP_Buffer_Transfer(5,6,10)
EH1
EH1
EH1
EH2
EH2
EH2
C1
R1
R2
C2
EH3
EH3
EH3
C3
51
Model Execution Trace Showing Deadlock (2/2)
23 Time advanced by 25 units. Global time is
78 24 Flow2_EH1 TRACE_SAP_Buffer_Write(9,10) 25
Unidir_IPC_9_10 TRACE_SAP_Buffer_Transfer(9,10
,10) 26 Reactor2_TPRHE5 TRACE_Reactor_IO_Wait_D
one(10,,) 27 Reactor2_TPRHE5
---handle_input(10,5)---gt Flow2_EH2 28 Time
advanced by 25 units. Global time is 103 29
Flow2_EH2 TRACE_SAP_Buffer_Write(11,10) 30
Unidir_IPC_11_12 TRACE_SAP_Buffer_Transfer(11,12
,10)
EH1
EH1
EH1
EH2
EH2
EH2
C1
R1
R2
C2
EH3
EH3
EH3
C3
31 Time advanced by 25 units. Global time is
128 32 Flow3_EH1 TRACE_SAP_Buffer_Write(15,10)
33 Unidir_IPC_15_16 TRACE_SAP_Buffer_Transfer(1
5,16,10) 34 Reactor2_TPRHE6 TRACE_Reactor_IO_Wa
it_Done(16,,) 35 Reactor2_TPRHE6
---handle_input(16,6)---gt Flow3_EH2 36 Time
advanced by 25 units. Global time is 153 37
Flow3_EH2 TRACE_SAP_Buffer_Write(17,10) 38
Unidir_IPC_17_18 TRACE_SAP_Buffer_Transfer(17,18
,10)
EH1
EH1
EH1
EH2
EH2
EH2
C1
R1
R2
C2
EH3
EH3
EH3
C3
39 Time advanced by 851 units. Global time is
1004
Deadlock
52
Model Execution Trace Showing DA (1/2)
3 Client3 TRACE_SAP_Buffer_Write(13,10) 4
Unidir_IPC_13_14 TRACE_SAP_Buffer_Transfer(13,14
,10) 5 Client2 TRACE_SAP_Buffer_Write(7,10) 6
Unidir_IPC_7_8 TRACE_SAP_Buffer_Transfer(7,8,10)
7 Client1 TRACE_SAP_Buffer_Write(1,10) 8
Unidir_IPC_1_2 TRACE_SAP_Buffer_Transfer(1,2,10)
EH1
EH1
EH1
EH2
EH2
EH2
C1
R1
R2
C2
EH3
EH3
EH3
C3
9 Reactor1_TPRHE1 TRACE_Reactor_IO_Wait_Done(2
,8,14,,) 10 Reactor1_TPRHE1
---handle_input(2,1)---gt Flow1_EH1 11 Time
advanced by 25 units. Global time is 28 12
Flow1_EH1 TRACE_SAP_Buffer_Write(3,10) 13
Unidir_IPC_3_4 TRACE_SAP_Buffer_Transfer(3,4,10)
14 Reactor2_TPRHE4 TRACE_Reactor_IO_Wait_Done(
4,,) 15 Reactor2_TPRHE4 ---handle_input(4,4)-
--gt Flow1_EH2 16 Time advanced by 25 units.
Global time is 53 17 Flow1_EH2
TRACE_SAP_Buffer_Write(5,10) 18 Unidir_IPC_5_6
TRACE_SAP_Buffer_Transfer(5,6,10) 19
Reactor1_TPRHE2 TRACE_Reactor_IO_Wait_Done(6,,
) 20 Reactor1_TPRHE2 ---handle_input(6,2)---gt
Flow1_EH3 21 Time advanced by 25 units. Global
time is 78 22 Flow1_EH3 TRACE_SAP_Buffer_Write(
6,10) 23 Unidir_IPC_6_5 TRACE_SAP_Buffer_Transf
er(6,5,10) .. 38 Client1 TRACE_SAP_Buffer_Re
ad(1,10)
EH1
EH1
EH1
EH2
EH2
EH2
C1
R1
R2
C2
EH3
EH3
EH3
C3
53
Model Execution Trace Showing DA (2/2)
43 Reactor1_TPRHE3 TRACE_Reactor_IO_Wait_Done(
8,14,,) 44 Reactor1_TPRHE3 ---handle_input(8,3
)---gt Flow2_EH1 45 Time advanced by 25 units.
Global time is 103 46 Flow2_EH1
TRACE_SAP_Buffer_Write(9,10) 47 Unidir_IPC_9_10
TRACE_SAP_Buffer_Transfer(9,10,10) 48
Reactor2_TPRHE5 TRACE_Reactor_IO_Wait_Done(10,
,) 49 Reactor2_TPRHE5 ---handle_input(10,5)---gt
Flow2_EH2 50 Time advanced by 25 units. Global
time is 128 51 Flow2_EH2 TRACE_SAP_Buffer_Write
(11,10) 52 Unidir_IPC_11_12 TRACE_SAP_Buffer_Tr
ansfer(11,12,10) 53 Reactor1_TPRHE2
TRACE_Reactor_IO_Wait_Done(12,,) 54
Reactor1_TPRHE2 ---handle_input(12,2)---gt
Flow2_EH3 55 Time advanced by 25 units. Global
time is 153 56 Flow2_EH3 TRACE_SAP_Buffer_Write
(12,10) 72 Client2 TRACE_SAP_Buffer_Read(7,
10)
EH1
EH1
EH1
EH2
EH2
EH2
C1
R1
R2
C2
EH3
EH3
EH3
C3
77 Reactor1_TPRHE1 TRACE_Reactor_IO_Wait_Done(
14,,) 78 Reactor1_TPRHE1 ---handle_input(14,1)
---gt Flow3_EH1 79 Time advanced by 25 units.
Global time is 178 80 Flow3_EH1
TRACE_SAP_Buffer_Write(15,10) 81
Unidir_IPC_15_16 TRACE_SAP_Buffer_Transfer(15,16
,10) 82 Reactor2_TPRHE6 TRACE_Reactor_IO_Wait_D
one(16,,) 83 Reactor2_TPRHE6
---handle_input(16,6)---gt Flow3_EH2 84 Time
advanced by 25 units. Global time is 203 85
Flow3_EH2 TRACE_SAP_Buffer_Write(17,10) 86
Unidir_IPC_17_18 TRACE_SAP_Buffer_Transfer(17,18
,10) 87 Reactor1_TPRHE2 TRACE_Reactor_IO_Wait_D
one(18,,) 88 Reactor1_TPRHE2
---handle_input(18,2)---gt Flow3_EH3 89 Time
advanced by 25 units. Global time is 228 90
Flow3_EH3 TRACE_SAP_Buffer_Write(18,10) .. 1
06 Client3 TRACE_SAP_Buffer_Read(13,10)
EH1
EH1
EH1
EH2
EH2
EH2
C1
R1
R2
C2
EH3
EH3
EH3
C3
54
Blocking Delays in DA Protocol
2
2
EH1
EH1
Client1
Reactor1
Reactor2
Client2
1
1
EH2
EH2
1
1
EH3
EH3
Blocking Delay for Client2

DA protocol introduces blocking delays which our
models capture
Blocking delays are important during timing
analysis

55
Timing Trace (1/4)
EH1
EH1
EH1
EH2
EH2
EH2
C1
Model/Actual
R1
R2
C2
C3
EH3
EH3
EH3
0/0
EH1
EH1
EH1
EH2
EH2
EH2
25/26
C1
0/0
R1
R2
C2
50/51
50/52
C3
EH3
EH3
EH3
56
Timing Trace (2/4)
50/52
EH1
EH1
EH1
EH2
EH2
EH2
75/77
C1
75/77
75/77
R1
R2
C2
C3
EH3
EH3
EH3
EH1
EH1
EH1
EH2
EH2
EH2
75/78
C1
100/103
R1
R2
C2
125/129
150/155
C3
EH3
EH3
EH3
57
Timing Trace (3/4)
150/155
EH1
EH1
EH1
EH2
EH2
EH2
150/155
150/155
C1
R1
R2
C2
150/155
C3
EH3
EH3
EH3
EH1
EH1
EH1
EH2
EH2
EH2
150/155
175/181
C1
175/181
R1
R2
C2
200/206
200/206
C3
EH3
EH3
EH3
58
Timing Trace (4/4)
225/232
EH1
EH1
EH1
EH2
EH2
EH2
225/232
225/232
C1
R1
R2
C2
225/232
C3
EH3
EH3
EH3
59
DA Blocking Delay Comparison
Actual Execution
Model Execution
Blocking delay for Client2
Blocking delay for Client3
60
Gateway Example
Supplier1
Consumer1
Gateway
Consumer2
Supplier2
Consumer3
Consumer4

Example in ACE source tree
Uses Publish/Subscribe communication model
Used in many real-time and enterprise
environments
Different variations possible
E.g., Real time, Reliability, Control-Push-Data-Pu
ll
Different design choices available E.g., Single
thread, With dispatch lanes
Our models provide a formal basis for making
design decisions
Modifications
Value added service in Gateway before forwarding
a published message to a consumer
Simulated by a CPU bound computation

61
Real-time Gateway Single Thread
Gateway
ConsumerHandler
SupplierHandler
ConsumerHandler
SupplierHandler
Consumer
ConsumerHandler
Supplier
ConsumerHandler
Reactor

Single reactor thread
I/O (reactor) thread same as dispatch thread

62
Real-time Gateway Dispatch Lanes
Gateway
ConsumerHandler
SupplierHandler
ConsumerHandler
SupplierHandler
Consumer
ConsumerHandler
Supplier
ConsumerHandler
Reactor

Single reactor thread
I/O (reactor) thread enqueues message into
dispatch lanes
Lane threads responsible for value added service
and dispatching messages to consumers

63
Model Execution of Single Threaded Gateway (1/2)
CH1
C1
S1
SH1
1 0 SUPP_SEND_EVENT(S1,M1) 2 0
SUPP_SEND_EVENT(S2,M1)
CH2
C2
R
S2
CH3
SH2
C3
CH4
C4
0/0
3 0 GW_SUPP_HNDLR_HANDLE_INPUT(S1,M1) 4 0
GW_SUPP_HNDLR_FWD_EVT_TO_CONS_HNDLR(S1,M1,C1) 5
0 GW_CONS_HNDLR_VALUE_ADD_SVC_SLICE_BEGIN(S1,M1,C
1) 6 Time advanced by 10 units. Global time is
10 7 10 GW_CONS_HNDLR_VALUE_ADD_SVC_SLICE_DONE(S
1,M1,C1) 8 10 GW_CONS_HNDLR_VALUE_ADD_SVC_SLICE_
BEGIN(S1,M1,C1) 9 Time advanced by 10 units.
Global time is 20 10 20 GW_CONS_HNDLR_VALUE_ADD_
SVC_SLICE_DONE(S1,M1,C1) 11 20
GW_CONS_HNDLR_VALUE_ADD_SVC_END(S1,M1,C1) 12 20
GW_CONS_HNDLR_FWD_EVT_TO_CONS(S1,M1,C1)
20/20
0/0
CH1
C1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
CH4
C4
13 20 GW_SUPP_HNDLR_FWD_EVT_TO_CONS_HNDLR(S1,M1,
C2) 14 20 GW_CONS_HNDLR_VALUE_ADD_SVC_SLICE_BEGI
N(S1,M1,C2) 15 20 CONS_GOT_EVENT(S1,M1,C1) 16
Time advanced by 10 units. Global time is 30 17
30 GW_CONS_HNDLR_VALUE_ADD_SVC_SLICE_DONE(S1,M1,C
2) 18 30 GW_CONS_HNDLR_VALUE_ADD_SVC_SLICE_BEGIN
(S1,M1,C2) 19 Time advanced by 10 units. Global
time is 40 20 40 GW_CONS_HNDLR_VALUE_ADD_SVC_SLI
CE_DONE(S1,M1,C2) 21 40 GW_CONS_HNDLR_VALUE_ADD_
SVC_END(S1,M1,C2) 22 40 GW_CONS_HNDLR_FWD_EVT_TO
_CONS(S1,M1,C2)
40/41
20/20
CH1
C1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
CH4
C4
64
Model Execution of Single Threaded Gateway (2/2)
23 40 GW_SUPP_HNDLR_HANDLE_INPUT(S2,M1) 24 40
GW_SUPP_HNDLR_FWD_EVT_TO_CONS_HNDLR(S2,M1,C3) 25
40 GW_CONS_HNDLR_VALUE_ADD_SVC_SLICE_BEGIN(S2,M1,
C3) 26 40 CONS_GOT_EVENT(S1,M1,C2) 27 Time
advanced by 10 units. Global time is 50 28 50
SUPP_SEND_EVENT(S2,M2) 29 50 GW_CONS_HNDLR_VALUE
_ADD_SVC_SLICE_DONE(S2,M1,C3) 30 50
GW_CONS_HNDLR_VALUE_ADD_SVC_END(S2,M1,C3) 31 50
GW_CONS_HNDLR_FWD_EVT_TO_CONS(S2,M1,C3)
CH1
C1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
40/41
CH4
C4
50/50
50/51
32 50 GW_SUPP_HNDLR_FWD_EVT_TO_CONS_HNDLR(S2,M1,
C4) 33 50 GW_CONS_HNDLR_VALUE_ADD_SVC_SLICE_BEGI
N(S2,M1,C4) 34 50 CONS_GOT_EVENT(S2,M1,C3) 35
Time advanced by 10 units. Global time is 60 36
60 GW_CONS_HNDLR_VALUE_ADD_SVC_SLICE_DONE(S2,M1,C
4) 37 60 GW_CONS_HNDLR_VALUE_ADD_SVC_END(S2,M1,C
4) 38 60 GW_CONS_HNDLR_FWD_EVT_TO_CONS(S2,M1,C4)
39 60 GW_SUPP_HNDLR_HANDLE_INPUT(S2,M2) 40
60 GW_SUPP_HNDLR_FWD_EVT_TO_CONS_HNDLR(S2,M2,C3)
41 60 GW_CONS_HNDLR_VALUE_ADD_SVC_SLICE_BEGIN(S2
,M2,C3) 42 60 CONS_GOT_EVENT(S2,M1,C4) 43 60
DEADLINE_MISS(S2,M1,C4)
CH1
C1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
50/51
CH4
C4
60/62
65
Model Execution of Gateway with RMS Lanes (1/3)
1 0 SUPP_SEND_EVENT(S1,M1) 2 0
SUPP_SEND_EVENT(S2,M1)
CH1
C1
L1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
L2
CH4
C4
0/0
0/0
3 0 GW_SUPP_HNDLR_HANDLE_INPUT(S1,M1) 4 0
GW_SUPP_HNDLR_FWD_EVT_TO_CONS_HNDLR(S1,M1,C1) 5
0 GW_THR_CONS_HNDLR_ENQUEUE_EVENT(S1,M1,C1,L1) 6
0 GW_SUPP_HNDLR_FWD_EVT_TO_CONS_HNDLR(S1,M1,C2)
7 0 GW_THR_CONS_HNDLR_ENQUEUE_EVENT(S1,M1,C2,L1)
CH1
C1
L1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
L2
CH4
C4
CH1
C1
L1
8 0 GW_SUPP_HNDLR_HANDLE_INPUT(S2,M1) 9 0
GW_SUPP_HNDLR_FWD_EVT_TO_CONS_HNDLR(S2,M1,C3) 10
0 GW_THR_CONS_HNDLR_ENQUEUE_EVENT(S2,M1,C3,L2) 11
0 GW_SUPP_HNDLR_FWD_EVT_TO_CONS_HNDLR(S2,M1,C4)
12 0 GW_THR_CONS_HNDLR_ENQUEUE_EVENT(S2,M1,C4,L
2)
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
L2
CH4
C4
0/0
CH1
C1
L1
S1
SH1
CH2
C2
R
13 0 GW_LANE_VALUE_ADD_SVC_SLICE_BEGIN(S2,M1,C3,
L2) 14 Time advanced by 10 units. Global time is
10 15 10 GW_LANE_VALUE_ADD_SVC_SLICE_DONE(S2,M1,
C3,L2) 16 10 GW_LANE_VALUE_ADD_SVC_END(S2,M1,C3,
L2) 17 10 GW_LANE_DISPATCH_EVENT(S2,M1,C3,L2) 18
10 GW_LANE_VALUE_ADD_SVC_SLICE_BEGIN(S2,M1,C4,L
2) 19 10 CONS_GOT_EVENT(S2,M1,C3)
S2
CH3
SH2
C3
L2
CH4
C4
10/10
66
Model Execution of Gateway with RMS Lanes (2/3)
20 Time advanced by 10 units. Global time is
20 21 20 GW_LANE_VALUE_ADD_SVC_SLICE_DONE(S2,M1,
C4,L2) 22 20 GW_LANE_VALUE_ADD_SVC_END(S2,M1,C4,
L2) 23 20 GW_LANE_DISPATCH_EVENT(S2,M1,C4,L2) 24
20 GW_LANE_VALUE_ADD_SVC_SLICE_BEGIN(S1,M1,C1,L
1) 25 20 CONS_GOT_EVENT(S2,M1,C4)
CH1
C1
L1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
CH4
C4
L2
20/21
40/41
26 Time advanced by 10 units. Global time is
30 27 30 GW_LANE_VALUE_ADD_SVC_SLICE_DONE(S1,M1,
C1,L1) 28 30 GW_LANE_VALUE_ADD_SVC_SLICE_BEGIN(S
1,M1,C1,L1) 29 Time advanced by 10 units. Global
time is 40 30 40 GW_LANE_VALUE_ADD_SVC_SLICE_DON
E(S1,M1,C1,L1) 31 40 GW_LANE_VALUE_ADD_SVC_END(S
1,M1,C1,L1) 32 40 GW_LANE_DISPATCH_EVENT(S1,M1,C
1,L1) 33 40 GW_LANE_VALUE_ADD_SVC_SLICE_BEGIN(S1
,M1,C2,L1) 34 40 CONS_GOT_EVENT(S1,M1,C1)
CH1
C1
L1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
L2
CH4
C4
L1 preempted
CH1
C1
L1
S1
SH1
35 Time advanced by 10 units. Global time is
50 36 50 SUPP_SEND_EVENT(S2,M2)
CH2
C2
R
S2
CH3
SH2
C3
50/50
L2
CH4
C4
L1 preempted
37 50 GW_SUPP_HNDLR_HANDLE_INPUT(S2,M2) 38 50
GW_SUPP_HNDLR_FWD_EVT_TO_CONS_HNDLR(S2,M2,C3) 39
50 GW_THR_CONS_HNDLR_ENQUEUE_EVENT(S2,M2,C3,L2) 4
0 50 GW_SUPP_HNDLR_FWD_EVT_TO_CONS_HNDLR(S2,M2,C
4) 41 50 GW_THR_CONS_HNDLR_ENQUEUE_EVENT(S2,M2,C
4,L2)
CH1
C1
L1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
L2
CH4
C4
50/50
67
Model Execution of Gateway with RMS Lanes (3/3)
42 50 GW_LANE_VALUE_ADD_SVC_SLICE_DONE(S1,M1,C2,
L1) 43 50 GW_LANE_VALUE_ADD_SVC_SLICE_BEGIN(S2,M
2,C3,L2) 44 Time advanced by 10 units. Global
time is 60 45 60 GW_LANE_VALUE_ADD_SVC_SLICE_DON
E(S2,M2,C3,L2) 46 60 GW_LANE_VALUE_ADD_SVC_END(S
2,M2,C3,L2) 47 60 GW_LANE_DISPATCH_EVENT(S2,M2,C
3,L2)
L1 preempted
CH1
C1
L1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
L2
CH4
C4
60/60
L1 preempted
48 60 GW_LANE_VALUE_ADD_SVC_SLICE_BEGIN(S2,M2,C4
,L2) 49 60 CONS_GOT_EVENT(S2,M2,C3) 50 Time
advanced by 10 units. Global time is 70 51 70
GW_LANE_VALUE_ADD_SVC_SLICE_DONE(S2,M2,C4,L2) 52
70 GW_LANE_VALUE_ADD_SVC_END(S2,M2,C4,L2) 53
70 GW_LANE_DISPATCH_EVENT(S2,M2,C4,L2) 54 70
GW_LANE_VALUE_ADD_SVC_SLICE_BEGIN(S1,M1,C2,L1) 55
70 CONS_GOT_EVENT(S2,M2,C4)
CH1
C1
L1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
L2
CH4
C4
70/70
L1 resumed
56 Time advanced by 10 units. Global time is
80 57 80 GW_LANE_VALUE_ADD_SVC_SLICE_DONE(S1,M1,
C2,L1) 58 80 GW_LANE_VALUE_ADD_SVC_END(S1,M1,C2,
L1) 59 80 GW_LANE_DISPATCH_EVENT(S1,M1,C2,L1) 60
80 CONS_GOT_EVENT(S1,M1,C2) 61 Time advanced
by 20 units. Global time is 100
CH1
C1
L1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
L2
CH4
C4
80/83
68
Reliable Gateway
fetch data
ack
Gateway
Supplier
dataAvailable
Consumer
forward
ack

Increased trend towards assembly of components
Need for correct composition of software
components including the middleware
configurations
Supplier, Consumer and Gateway could be developed
by different parties
Our models capture the accidental mismatches that
occur during composition because of design
choices in the middleware layer
E.g. Reply Wait Strategy Wait On Connection,
Wait On Reactor

69
Model Execution Trace with WoC (1/2)
3 Supplier_Data_Handler0 ---SUPP_SEND_EVENT(1,1
)---gt nil0 4 Unidir_IPC_17_16
TRACE_SAP_Buffer_Transfer(17,16,10) 5
Supplier_Data_Handler1 ---SUPP_SEND_EVENT(2,1)--
-gt nil0 6 Unidir_IPC_20_19
TRACE_SAP_Buffer_Transfer(20,19,10)
CH1
C1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
CH4
C4
7 Reactor1_SRHE0 TRACE_Reactor_IO_Wait_Done(16
,19,,) 8 Reactor1_SRHE0 ---SELECT_REACTOR_AFTE
R_SELECT(16,19,,)---gt nil0 9
Reactor1_SRHE0 ---SELECT_REACTOR_BEFORE_UPCALL()--
-gt nil0 10 Reactor1_SRHE0 ---handle_input(16,7)
---gt Supplier_Connxn_Handler0 11
Supplier_Connxn_Handler0 ---GW_SUPP_HNDLR_HANDLE
_INPUT(1,1)---gt nil0 12 Supplier_Connxn_Handle
r0 ---forward_event()---gt Consumer_Connxn_Handle
r0 13 Supplier_Connxn_Handler0
---GW_SUPP_HNDLR_FWD_EVT_TO_CONS_HNDLR(1,1,1)---gt
nil0 14 Consumer_Connxn_Handler0
---GW_CONS_HNDLR_VALUE_ADD_SVC_SLICE_BEGIN(1,1,1)-
--gt nil0 15 Time advanced by 10 units. Global
time is 11 16 Consumer_Connxn_Handler0
---EXEC_SLICE_SO_FAR(10)---gt nil0 17
Consumer_Connxn_Handler0 ---GW_CONS_HNDLR_VALUE_
ADD_SVC_SLICE_DONE(1,1,1)---gt nil0 18
Consumer_Connxn_Handler0 ---GW_CONS_HNDLR_VALUE_
ADD_SVC_SLICE_BEGIN(1,1,1)---gt nil0 19 Time
advanced by 10 units. Global time is 21 20
Consumer_Connxn_Handler0 ---EXEC_SLICE_SO_FAR(20
)---gt nil0 21 Consumer_Connxn_Handler0
---GW_CONS_HNDLR_VALUE_ADD_SVC_SLICE_DONE(1,1,1)--
-gt nil0 22 Consumer_Connxn_Handler0
---GW_CONS_HNDLR_VALUE_ADD_SVC_END(1,1,1)---gt
nil0 23 Consumer_Connxn_Handler0
---GW_CONS_HNDLR_FWD_EVT_TO_CONS(1,1,1)---gt nil0
CH1
C1
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
CH4
C4
CH1
C1
24 Unidir_IPC_22_23 TRACE_SAP_Buffer_Transfer(2
2,23,10) 25 Reactor3_SRHE0 TRACE_Reactor_IO_Wai
t_Done(23,,) 26 Reactor3_SRHE0
---SELECT_REACTOR_AFTER_SELECT(23,,)---gt
nil0 27 Reactor3_SRHE0 ---SELECT_REACTOR_BEFORE
_UPCALL()---gt nil0 28 Reactor3_SRHE0
---handle_input(23,3)---gt Consumer_Data_Handler0
29 Consumer_Data_Handler0 ---CONS_GOT_EVENT(1,
1,1)---gt nil0
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
CH4
C4
CH1
C1
30 Unidir_IPC_2_1 TRACE_SAP_Buffer_Transfer(2,1
,1) 31 Idle_Catcher0 ---IDLE_CATCHER_RUNS()---gt
nil0 32 Time advanced by 9979 units. Global
time is 10000
S1
SH1
CH2
C2
R
S2
CH3
SH2
C3
CH4
C4
70
Model Execution Trace with WoC (2/2)
Supplier_Data_Handler0
_at_wait_for_ack_on_conn threadid_Thread1
,current_event_size0,num_bytes_written10,num_byt
es_remain0,threadno0,this_contextthreadidThr
ead1,parentSupplier_Data_Handler0,callerSupp
lier_Data_Handler0,delay9,msg_num2,num_bytes_a
ctually_read_0,ack_handler_nil0,tpthreadno1,c
ons_req_handlerConsumer_Request_Handler0,peer_s
ap_handle17caller_contextthreadidThread1,p
arentnil0,callerGW_Acceptor0,reactorReact
or0,period100,supp_id1,num_messages_to_publish
1 Consumer_Data_Handler0
_at_wait_for_reply threadid_Thread5
,this_contextthreadidThread5,parentnil0,ca
llerConsumer_Data_Handler0,current_event_size
10,num_bytes_read10,num_bytes_remain10,peer_sap_
handle23,threadno3,hi_caller_Select_Reactor_Ha
ndle_Events2,msg_num1,curr_time21,supp_id1,sup
p_req_sap_handle2,deadlock_delay12caller_conte
xtthreadidThread5,parentnil0,callerSelec
t_Reactor_Handle_Events2,cons_id1,reactorReac
tor2,cons_deadline110 Consumer_Connxn_Handler
0 _at_wait_for_ack_from_consumer ....state
variables.....
S1
CH1
C1
SH1
CH2
C2
R
CH3
SH2
C3
CH4
C4
WaitOnConnection

Supplier waiting for ack from gateway, gateway
waiting for ack from consumer, consumer waiting
for ack from supplier

71
Model Execution Trace with WoR
39 Consumer_Data_Handler0 ---CONS_GOT_EVENT(1,1
,1)---gt nil0 40 Unidir_IPC_2_1
TRACE_SAP_Buffer_Transfer(2,1,1) 41
Reactor2_SRHE1 TRACE_Reactor_IO_Wait_Done(1,,
) 42 Reactor2_SRHE1 ---SELECT_REACTOR_AFTER_SELE
CT(1,,)---gt nil0 43 Reactor2_SRHE1
---SELECT_REACTOR_BEFORE_UPCALL()---gt nil0 44
Reactor2_SRHE1 ---handle_input(1,1)---gt
Consumer_Request_Handler0 45
Consumer_Request_Handler0 ---SUPP_RECVD_REQ_FROM
_CONS()---gt nil0 46 Consumer_Request_Handler0
---handle_input_return(1)---gt Reactor2_SRHE1 47
Unidir_IPC_1_2 TRACE_SAP_Buffer_Transfer(1,2,1)
48 Reactor2_SRHE1 ---SELECT_REACTOR_AFTER_UPCALL(
)---gt nil0 49 Reactor2_SRHE1
---handle_events_return()---gt Supplier_Data_Handl
er0 50 Supplier_Data_Handler0
---handle_events(1)---gt Reactor2 51 Reactor2
forks Reactor2_SRHE1 52 Reactor2_SRHE1
---SELECT_REACTOR_BEFORE_SELECT()---gt nil0 53
Consumer_Data_Handler0 ---CONS_RECVD_DATA_FROM_S
UPP()---gt nil0 54 Consumer_Data_Handler0
---handle_input_return(0)---gt Reactor3_SRHE0 55
Unidir_IPC_23_22 TRACE_SAP_Buffer_Transfer(23,22
,1) 56 Consumer_Connxn_Handler0
---GW_RECVD_ACK_FROM_CONS()---gt nil0 .. 110
Supplier_Data_Handler0 ---SUPP_RECVD_ACK_FROM_GW
()---gt nil0
S1
Consumer Request Handler
CH1
C1
SH1
CH2
C2
R
R
CH3
SH2
C3
CH4
C4
WaitOnReactor
72
Concluding Remarks

Research challenges
Inadequate formal description of interference
issues in middleware
Gap between high level application models and
actual system
The above challenges are addressed by a
principled approach to middleware composition
using composable, reusable and verifiable formal
models of middleware building blocks which we
have developed
Result is more accurate models of DRE systems,
that includes the implementation platform also
Future work
Toolsets to aid modeling (GME, Ptolemy)
Evaluation of middleware (e.g. ORB, CCM
container) configurations
Model/Software co-design
A formal and complete computation model for
middleware building blocks
Modeling of OS level interactions

73
Selected Publications

Venkita Subramonian, Christopher Gill, Cesar
Sanchez and Henny Sipma, Composable Models for
Timing and Liveness Analysis in Distributed
Real-Time Embedded Systems, Washington University
Technical Report WUCSE-2005-54
Venkita Subramonian, Christopher Gill, Cesar
Sanchez and Henny Sipma, Composable Time
Automata Models for Real-Time Embedded Systems
Middleware, Washington University Technical
Report WUCSE-2005-29
Venkita Subramonian, Gan Deng, Christopher Gill,
Jaiganesh Balasubramanian, Liang-Jui Shen,
William Otte, Douglas C. Schmidt, Aniruddha
Gokhale and Nanbor Wang, The Design and
Performance of Component Middleware for
QoS-enabled Deployment and Configuration of DRE
Systems, submitted to Elsevier Journal of Systems
and Software, Special Issue on Component-Based
Software Engineering of Trustworthy Embedded
Systems.
Venkita Subramonian and Christopher Gill,
"Middleware Design and Implementation for
Networked Embedded Systems", Embedded Systems
Handbook (Richard Zurawski, ed.), CRC Press,
Florida, 2005, Chapter 30, pp. 1-17.
Cesar Sanchez, Henny Sipma, Venkita Subramonian
and Christopher Gill, Thread Allocation Protocols
for Distributed Real-Time and Embedded Systems,
25th IFIP WG 6.1 International Conference on
Formal Techniques for Networked and Distributed
Systems, Taipei, Taiwan, October 2-5, 2005.
Tejasvi Aswathanarayana, Venkita Subramonian,
Douglas Niehaus and Christopher Gill, Design and
Performance of Configurable Endsystem Scheduling
Mechanisms, 11th IEEE Real-Time and Embedded
Technology and Applications Symposium, March
7-10, 2005, SanFransisco, USA.
Venkita Subramonian, Liang-Jui Shen, Christopher
Gill and Nanbor Wang, The Design and Performance
of Dynamic and Static Configuration Mechanisms in
Component Middleware for Distributed Real-Time
and Embedded Systems, 25th IEEE International
Real-Time Systems Symposium, December 5-8, 2004,
Lisbon, Portugal.
Nanbor Wang, Chris Gill, Douglas C. Schmidt and
Venkita Subramonian, Configuring Real-time
Aspects in Component Middleware, Distributed
Objects and Applications, Agia Napa, Cyprus, Oct
25-29, 2004.
Venkita Subramonian, Guoliang Xing, Christopher
Gill, Chenyang Lu and Ron Cytron, Middleware
Specialization for Memory-Constrained Networked
Embedded Systems, 9th IEEE Real-Time and Embedded
Technology and Applications Symposium, May 25-28,
2004, Toronto, Canada.
Venkita Subramonian and Christopher Gill, A
Generative Programming Framework for Adaptive
Middleware, Hawai'i International Conference on
System Sciences, January 5 8, 2004, Big Island,
Hawaii (awarded best paper in the Software
Technology Track).

74
Acknowledgements

My advisor and mentor Dr. Chris Gill
Committee members
Collaborators
DOC Group members
IF team
UPPAAL newsgroup members
Family

75
BACKUP SLIDES
76
Our Solution A Principled Approach
Building blocks
Complete high-fidelity model of the actual system
Middleware
Application

Verify system properties of the complete model
using model-checking tools
Iterate verification step with alternative
middleware configurations enabling the choice of
the appropriate set of configurations

77
Our Formalism
Timed Automata Enables us to capture both time
and event-based triggers
Clock variables keep track of time
Guard
time gt 5
x 2
y 6, time0
chan!
Communicating Timed Automata
Actions
Communication
chan?
Invariants
time 5 pulse! time 0
Periodic Pulse
time lt 5
78
Problem Chasm Between High-Level Model and
Actual System
High Level Models
RMA
DREAM
CADENA
CADENA
This research reduces this gap
Implementation Platform
CORBA
CCM Container
EJB
Java RMI
OS
79
Motivation

Why a principled approach?
A principled approach provides a formal basis (as
opposed to an ad-hoc basis) for making
appropriate choices to deal with interference
Why target fine-grain middleware elements?
Key source of interference in middleware
Makes our approach applicable to a wide variety
of middleware
Interference
Occurs when computations require the same
resource(s) at the same time - e.g., CPU, thread,
reactor
Could occur in application, middleware or OS
layers
Interference issues fundamental when analyzing
safety and liveness properties of DRE systems

80
Extending State-of-the-art

Extensive research and documentation available on
patterns in middleware, but
Informal representation
Has not been composed with formal models of
application for formal verification
We aim to create formal models of fine-grain
middleware building blocks
For reuse thru composition that is verifiable
Encodes collective expertise in building
middleware
Provides a formal substrate to analyze
interference
E.g. Reactor, Acceptor, Connector, Thread Pools,
Active Objects

81
IF-toolkit

Processes, Signals, Channels, Transitions
Process as an active object?
Atomicity of transitions
Guarded (timed and untimed) transitions
How do we model objects and interaction between
objects?
How do we represent blocking calls?
Observers vs mu-calculus for verification

82
Problem Middleware Configuration is Non-trivial
Connect strategies
Concurrency strategies
Flushing strategies
Middleware
TransportMux strategies
Reply-Wait strategies
Collocation strategies
This research aims to provide a principled basis
to configure/customize middleware
83
Extending State-of-the-art

Application of model integrated computing
techniques to middleware development
E.g., CoSMIC, CADENA
Modeling languages help application developers
with
Component Assembly, Deployment and Configuration
E.g. Platform Independent Component Modeling
Language (PICML)
Component Middleware Configuration
E.g. Options Configuration Modeling Language
(OCML)
Testing and verification
E.g. Benchmark Generation Modeling Language
(BGML)
An essential first step, but more needs to be
done
OCML What is the right combination of
middleware configurations?
BGML aids exhaustive testing to check
combinations of configurations for satisfaction
of QoS requirements
Our research aims to answer the question Why it
is the right combination of configurations in the
context of the application?
Our research aims to guide middleware
configuration at the design stage itself

84
Round-Trip System Engineering Support
Generator/ Weaver
Model Checker
E? reactor.critical and controller.idling
Simulation Verification
Code Synthesis
Libraries
Software
Tests
Formal Model
front end (formal domain)
back end (software domain)
Automated Build Test
Compile, Configure, Run
Modeling Tool Interface
Case ltR1,threads3gt ltR2,threads2gt ltdeadlock_
timer_id3gt ltexpired 1223.001gt
Test output
85
My Research Focus
E? reactor.critical and controller.idling
Existing Software (ACE/nORB)
Tests
Formal Model
Simulation Verification
A First step Model consolidation using an
Iterative approach
Model Checker

Write a Comment

User Comments (0)