Title: Ethan Jackson
Ethan Jackson, Institute for Software Integrated Systems, Vanderbilt University
Presented at Microsoft Research, Redmond, WA, December 6, 2006
Introduction: Challenges of Modern System Design
Heterogeneity
Dynamics
Resource Constraints
Part I: Key Ideas in Model-based Design
Domain Specificity
Abstractions
Composition
Part II: Case Study: Synchronous Reactive Systems
Basic Mathematical Description
Model-based Reformulation
Tools and Results
Conclusion: Research Directions
- Modern systems span the spectrums of size and function
- They are evolving from the sequential to the concurrently coordinating
- They challenge traditional design through their heterogeneity, dynamics, and resource constraints
As technology converges, so will systems, making the design task even more complex.
(Figure: example system classes by physical scale, mm2 to m2 to km2: multimedia, sensing and control, data/content distribution.)
- Heterogeneity
- Power processor element (PPE)
- 8 Synergistic processing elements (SPEs)
- Element Interconnect Bus
- Dynamics
- Functionality spread across PPE and SPEs
- PPE schedules tasks on SPEs
- SPEs cannot directly access main memory
- Resource Constraints
- Single PPE
- Elements must share memory
- Elements must share the interconnect bus
The SPEs are optimized for single-precision vector operations; the PPE is a general-purpose processor based on a PowerPC core.
Even traditional software must change to make use of the advantages of new processor architectures.
- Heterogeneity
- On the order of 80 ECUs (electronic control units) per vehicle
- Dozens of ECU providers
- CAN bus / FlexRay
- Dynamics
- Time-triggered communication
- Hybrid engine dynamics
- Continuous dynamics of the environment
- Discrete computational dynamics
- Resource Constraints
- Power consumption
- Communication limitations
Time-triggered architecture (TTA) developed by H. Kopetz.
Hybrid model of engine cylinders, modeled in Ptolemy II, developed by J. Barton.
(Figure: cylinder model and its physical dynamics.)
- Heterogeneity
- Thousands (and beyond) of nodes
- As many platforms as possible
- Many communication mechanisms
- Dynamics
- System lag
- Bottlenecks
- Connectivity
- Quality of Service (QoS) Constraints
- Latency
- Throughput
- Reliability
- Security
Quality of Service (QoS) constraints are the massively distributed version of resource constraints.
Instant messaging: AOL Instant Messenger (AIM) boasts 42 million users. Supported on Windows, Mac, Linux, mobile phones/PDAs.
Massively multiplayer games/worlds: Second Life records over 700,000 users logged in during the past 60 days. Over 1,700,000 total users.
Part I: Key Ideas in Model-based Design
Domain Specificity
Abstractions
Composition
Key Idea: Capture intrinsic domain concepts with domain-specific modeling languages (DSMLs), partitioning the DSML into structural and behavioral semantics.
- The structural semantics views a model as a
structure, and provides a means for calculating
which structures are well-formed.
- The behavioral semantics defines what the
structures do.
(I)
- Model-based tools support rapid prototyping of DSMLs
- Metamodeling allows the user to define the structural semantics of a language and generate a modeling tool from this specification.
The Generic Model Environment (GME), MetaGME, and the Graph Rewriting and Transformation (GReAT) tool are part of the ISIS metaprogrammable tool suite.
Metamodeling languages are usually extended with a constraint language. MetaGME uses OCL.
A simple use of OCL might require every compound state to contain exactly one initial state marker:
    self.parts(Init)->size() = 1
This particular constraint is encoded by the unit cardinality on Init containment.
(Figures: basic metamodeling notation; MetaGME metamodel of simple statecharts; model editor generated from the metamodel.)
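The well-formedness check behind that OCL constraint, as an added Python example (not code from the talk or from GME/MetaGME). It walks a nested-dict statechart model, enforces the rule on the slide (every compound state contains exactly one Init marker) and adds a second structural rule, that transition endpoints name existing states. The dict encoding, the kind names State/Init, and the two sample models are assumptions of this example.

```python
"""Well-formedness (structural semantics) check for a tiny statechart model."""


def check_statechart(model):
    """Return a list of violation messages; an empty list means the model is well-formed."""
    violations = []
    state_paths = set()

    def visit(state, path):
        state_paths.add(path)
        parts = state.get("parts", [])
        if parts:
            # Compound state: the slide's OCL self.parts(Init)->size() = 1,
            # i.e. the unit cardinality on Init containment.
            n_init = sum(1 for p in parts if p["kind"] == "Init")
            if n_init != 1:
                violations.append(f"{path}: expected exactly one Init, found {n_init}")
        for p in parts:
            if p["kind"] == "State":
                visit(p, f"{path}/{p['name']}")

    visit(model, model["name"])
    # Second structural rule: every transition endpoint must be a known state.
    for t in model.get("transitions", []):
        for end in ("src", "dst"):
            if t[end] not in state_paths:
                violations.append(f"transition {t['src']} -> {t['dst']}: unknown state {t[end]}")
    return violations


# Constructed sample models (assumed encoding, not GME's own file format).
WELL_FORMED = {
    "name": "Root", "kind": "State",
    "parts": [
        {"kind": "Init"},
        {"name": "Idle", "kind": "State", "parts": []},
        {"name": "Busy", "kind": "State", "parts": [
            {"kind": "Init"},
            {"name": "Load", "kind": "State", "parts": []},
            {"name": "Process", "kind": "State", "parts": []},
        ]},
    ],
    "transitions": [
        {"src": "Root/Idle", "dst": "Root/Busy"},
        {"src": "Root/Busy/Load", "dst": "Root/Busy/Process"},
    ],
}

ILL_FORMED = {
    "name": "Root", "kind": "State",
    "parts": [
        {"kind": "Init"},
        {"name": "Idle", "kind": "State", "parts": []},
        {"name": "Busy", "kind": "State", "parts": [
            {"kind": "Init"},
            {"kind": "Init"},                       # two initial markers
            {"name": "Load", "kind": "State", "parts": []},
        ]},
    ],
    "transitions": [
        {"src": "Root/Idle", "dst": "Root/Gone"},   # dangling endpoint
    ],
}

if __name__ == "__main__":
    for name, m in (("WELL_FORMED", WELL_FORMED), ("ILL_FORMED", ILL_FORMED)):
        print(name, check_statechart(m) or "ok")
```

The check runs on the structure alone, without any behavioral interpretation, which is exactly the division the slide draws: a metamodel plus constraints decides which models are well-formed before any semantics is attached.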
(II)
- Behavioral semantics are defined with semantic anchoring techniques, model transformations, and/or code generators.
C coding permits complex behavioral semantics, but the model semantics are cluttered with C details. (Figure: COM APIs, representation as AST, C interpreter/generator.)
Graph transformations provide a transparent mechanism to attach semantics. However, not all behavioral semantics can be specified this way. (Figure: graph rewriting rules, conversion to model editor.)
Semantic anchoring with ASM captures the best of both worlds: simple graph transformations and simple behavioral specifications. (Figure: canonical definition of FSM behavioral semantics in ASM; translation of GME model to ASM data structures.)
- Simulation artifacts and test cases can be generated
Key Idea: Abstractions provide an ideal view of domain semantics. They can be layered so that design complexity can be incrementally introduced. In platform-based design, abstraction layers are referred to as the platform stack.
The more detailed models must be verified to be equivalent to their abstract counterparts. This is refinement verification.
Example stack, from most abstract to most detailed, with a platform mapping between each pair of layers:
- Architecture defines the composition of functions such that a least fixed point exists and is unique. End-to-end characterization of architecture functionality; the notion of concurrency is insufficient.
- Architecture defines a set of concurrent functional units and a partial order over the units. An architecture is schedulable iff there are no transitivity violations. No notion of time; a concurrency model with tractable analysis.
- Architecture defines a set of timed automata with local clocks and broadcast. Models can be analyzed with TCTL. In this example functional units are decomposed into models that load, process, and then emit their results. Many different system properties can be verified, but verification is intractable.
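The schedulability test of the partial-order layer, as an added Python example (not from the talk or its tools). It reads "no transitivity violations" as: take the transitive closure of the precedence constraints; the architecture is schedulable iff no unit ends up ordered before itself, and in that case a linear extension of the order is a valid sequential schedule. The unit names and constraints below are constructed.

```python
"""Schedulability of a partial-order architecture layer."""


def transitive_closure(units, before):
    """before: set of (a, b) pairs meaning unit a must complete before unit b.
    Returns a dict mapping each unit to the set of units it transitively precedes."""
    reach = {u: set() for u in units}
    for a, b in before:
        reach[a].add(b)
    changed = True
    while changed:                     # iterate to a fixed point
        changed = False
        for a in units:
            for b in list(reach[a]):
                new = reach[b] - reach[a]
                if new:
                    reach[a] |= new
                    changed = True
    return reach


def schedulable(units, before):
    """Return (True, schedule) with a linear extension of the order, or
    (False, offending) listing the units that precede themselves."""
    reach = transitive_closure(units, before)
    offending = sorted(u for u in units if u in reach[u])
    if offending:
        return False, offending
    preds = {u: {v for v in units if u in reach[v]} for u in units}
    # If a precedes b then preds(b) contains preds(a) plus a itself, so sorting
    # by predecessor count (ties broken by name) yields a valid schedule.
    return True, sorted(units, key=lambda u: (len(preds[u]), u))


UNITS = ["load", "process", "emit", "log"]          # constructed functional units
ORDER = {("load", "process"), ("process", "emit"), ("load", "log")}
CYCLIC = ORDER | {("emit", "load")}                  # emit feeds back into load

if __name__ == "__main__":
    print(schedulable(UNITS, ORDER))    # (True, ['load', 'log', 'process', 'emit'])
    print(schedulable(UNITS, CYCLIC))   # (False, ['emit', 'load', 'process'])
```

Note what the layer cannot express: `log` and `process` are unordered, so either may run first, and nothing says how long any unit takes; those questions belong to the timed layer below it.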
Key Idea: Decompose architecture into views or aspects. Views are composed to create the complete specification. Each view may be an entire stack of DSMLs.
(Figure: three example views. Deployment Language: semantics of the OS (scheduling) and communication protocols. Functionality Language: semantics tell how to compute partial responses. Timing Language: semantics tell how to schedule and measure computations.)
This decomposition style is also called separation of concerns. Design aspects are orthogonal if they do not interact with each other. In most cases, aspects are non-orthogonal, or interacting.
- An architectural specification is created in each view
- The total system is the composition (synthesis) of all the views
Key Question: If properties hold in a view, do they hold in the entire system?
Key Question: How do engineers keep track of cross-aspect interactions?
Part II: Case Study with Synchronous Reactive Systems
Basic Mathematical Description
Model-based Reformulation
Tools and Results
(I)
- Synchronous reactive (SR) systems are a well-studied class of systems characterized by the following abstractions:
1. STRONG SYNCHRONY: system parts respond instantaneously to inputs (discrete-time model).
2. REACTIVITY: the system reacts to external stimulus (event driven).
3. BOUNDED MEMORY: the system computes with bounded memory.
SR systems are useful for software control. A number of tools support analysis and verification of SR systems; SCADE is the most widely used analysis tool.
ESTEREL: automata-based descriptions of functionality (G. Berry). LUSTRE: dataflow-based descriptions of functionality (P. Caspi). SIGNAL: relational descriptions of SR systems, also dataflow-based (A. Benveniste).
The discrete-time model means that the instants at which a system reacts are totally ordered and indexed by the integers: there is an order-preserving map from real time onto the logical instants.
- SR systems must be causal, meaning that internal events must have a non-contradictory ordering. Systems that are not causal are similar to deadlocked systems in other formalisms.
(II)
- SIGNAL variables contain a record of their past. A SIGNAL program calculates the current value of a variable based on 1) inputs provided at the current instant and 2) a bounded history.
The value domain of synchronous signals is extended with a symbol ⊥ (bottom) to mark the absence of a value.
(Table of constructs reproduced from The Synchronous Languages Twelve Years Later, A. Benveniste et al.)
- SIGNAL contains only five constructs
- System behaviors are solutions to the set of abstracted equations
- The SIGNAL model is elegant and straightforward, but functionality, control flow, and concurrency are intertwined.
Example reproduced from the SIGNAL tutorial:
    | HOUR ^= TICK
    | HOUR := (HOUR $ init 0) + 1
    | CNT ^= TICK ^+ ORDER ^+ DONE
    | ZCNT := CNT $ init (-1)
    | CNT := DELAY when ORDER
    |        default -1 when DONE
    |        default ZCNT - 1 when ZCNT > 0
    |        default -1
    | ALARM := HOUR when CNT = 0
Functionality and concurrency are two non-orthogonal design aspects. They must work together just right.
(Figure: partial abstracted equations describing the concurrent interactions.)
Clock equations must be triangularizable: NP-hard, non-local.
Reenactment of the program functionality in C (IsOrder, IsDone, TickedAnHour, and RaiseAlarm are supplied by the environment):
    #include <stdbool.h>
    #define DELAY n
    int HOUR = 0;
    int COUNT = -1;
    int ZCOUNT = -1;
    while (true) {
        ZCOUNT = COUNT;                       /* remember the previous count */
        if (IsOrder()) COUNT = DELAY;
        else if (IsDone()) COUNT = -1;
        else if (ZCOUNT > 0) --COUNT;
        else COUNT = -1;
        if (TickedAnHour()) ++HOUR;
        if (COUNT == 0) RaiseAlarm(HOUR);
    }
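A synchronous execution of the alarm process, as an added Python example (not from the SIGNAL tutorial or the talk's tools). Unlike the C reenactment, it keeps the absence symbol explicit and executes the equations instant by instant, so the clock constraints (HOUR ^= TICK, CNT ^= TICK ^+ ORDER ^+ DONE, and DELAY present whenever ORDER is) are checked rather than assumed. The Python encoding, the ClockError exception, and the input trace are constructed for this example.

```python
"""Synchronous simulation of the SIGNAL alarm example, with explicit absence."""

ABSENT = None   # stands for the absence symbol (bottom) in the signal value domain


class ClockError(Exception):
    """An instant whose present signals violate a clock constraint."""


class AlarmProcess:
    def __init__(self):
        self.hour = 0      # HOUR $ init 0
        self.zcnt = -1     # ZCNT := CNT $ init (-1)

    def step(self, inputs):
        """inputs: the signals present at this instant. TICK/ORDER/DONE are
        events (present -> True); DELAY carries an integer when present.
        Returns the present signals among HOUR, CNT and ALARM."""
        tick = inputs.get("TICK", False)
        order = inputs.get("ORDER", False)
        done = inputs.get("DONE", False)
        delay = inputs.get("DELAY", ABSENT)
        out = {}
        # HOUR ^= TICK ; HOUR := (HOUR $ init 0) + 1
        if tick:
            self.hour += 1
            out["HOUR"] = self.hour
        # CNT ^= TICK ^+ ORDER ^+ DONE : CNT is present whenever any of them is
        if tick or order or done:
            if order:
                # DELAY when ORDER : DELAY must be present at every ORDER instant
                if delay is ABSENT:
                    raise ClockError("ORDER present without DELAY")
                cnt = delay
            elif done:
                cnt = -1
            elif self.zcnt > 0:
                cnt = self.zcnt - 1
            else:
                cnt = -1
            out["CNT"] = cnt
            # ALARM := HOUR when CNT = 0 : needs HOUR present (a TICK) and CNT = 0
            if tick and cnt == 0:
                out["ALARM"] = self.hour
            self.zcnt = cnt            # ZCNT := CNT $ init (-1)
        return out


def run(trace):
    """Run the process over a list of instants; one output dict per instant."""
    p = AlarmProcess()
    return [p.step(inst) for inst in trace]


def alarms(trace):
    """(instant index, ALARM value) for every instant at which ALARM is present."""
    return [(i, o["ALARM"]) for i, o in enumerate(run(trace)) if "ALARM" in o]


SAMPLE_TRACE = [                       # constructed input instants
    {"TICK": True},                    # 0: hour 1, no order pending
    {"ORDER": True, "DELAY": 2},       # 1: order with a two-hour delay (no TICK)
    {"TICK": True},                    # 2: hour 2, countdown 1
    {"TICK": True},                    # 3: hour 3, countdown 0 -> ALARM = 3
    {"TICK": True},                    # 4: hour 4, counter idle at -1
    {"ORDER": True, "DELAY": 1},       # 5: new order
    {"DONE": True},                    # 6: cancelled before it fires
    {"TICK": True},                    # 7: hour 5, no alarm
]

if __name__ == "__main__":
    for i, o in enumerate(run(SAMPLE_TRACE)):
        print(i, o)                    # instant 3 prints {'HOUR': 3, 'CNT': 0, 'ALARM': 3}
```

Two things the C loop hides are visible here: an ORDER arriving without its DELAY is a clock violation rather than a value error, and ORDER, DONE and TICK may coincide in one instant, where the order of the `default` clauses decides the outcome.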
Modes produce control signals that reconfigure dataflow graphs.
The mode aspect defines a controller that senses system inputs and produces reconfiguration signals. The controller also eliminates bad behavior in the dataflow graph.
The untimed dataflow aspect defines an untimed homogeneous dataflow graph of rate one. Untimed and timed models have meaningful semantics.
The operator aspect defines stateless n-ary operators.
- Modes divide clock equations, allowing polynomial-time approximations of correctness to be applied to each mode.
Without hierarchical composition, these rules are sound. However, if models are nested, then these rules become approximations.
- A static type lattice approximates correctness
- Similar rules approximate causality
(Figure: merge lattice and apply semi-lattice, with outcomes empty behavior, correct undersampling, non-determinism, and not schedulable.)
- The synchronous modeling language SMOLES implements this paradigm and includes tools for design-time correctness checks.
(Figure: SMOLES tool architecture. Metamodels in GME; model traversal libraries; a conservative approximation component, an auto-completion component, a simulator component, a smart instantiation component, and additional components.)
(Figure: metamodel for SDF operators in SMOLES.)
(Figure: metamodel for untimed dataflow graphs.)
(Figure: operator instances.)
(Figure: metamodel for timed modes.)
- Systems can be hierarchically composed. In this case, the types on component interfaces are approximated.
The modeling environment approximates the response of a component when it is embedded inside a mode of a containing component.
The strong links between language layers allow parts of the specification to be automatically completed.
(Figure: a change in the dataflow graph, before and after auto-completion.)
The designer is constantly driven towards a more correct design.
- Enhancing behavior through dynamic reconfiguration can be extended to modes. Mode machines restrict modes based on the system trajectory.
This extension can easily implement complex SR behaviors.
- A platform mapping aspect allows pieces of an SR model to be deployed over different locations and to model environments.
This example was developed for summer undergraduate interns to learn about language semantics in the context of robotics (SIPHER program, NSF).
(Figure: part of a simple robot controller.) In this example, parts of a robot controller are placed on a robot and may be collocated on a PC.
- Simulation includes mode machines, modes,
dataflow graphs, and operators.
- Modern systems are distributed and coordinate through a complex environment.
- Systems have many interacting functional and non-functional requirements.
- Model-based design offers strategies to amortize complexity across domain-specific abstractions and aspects.
- As a case study, this strategy has been concretely and holistically applied to synchronous reactive (SR) systems.
- How can the SMOLES success be generalized?
Structural semantics of model-based design: 1) models as structures, 2) model transformations, 3) metamodeling, 4) formal methods for structure.
(Figure: Deployment Language, with semantics of the OS (scheduling) and communication protocols; Functionality Language, whose semantics tell how to compute partial responses.)
Adaptive systems defined over structure: 1) look for order homomorphisms between structure and semantics, 2) an ASM-based composition mechanism for these languages, 3) which general properties can be invariant?
New approaches towards domain-specific behavioral semantics: 1) a multilinear-algebraic formalism that leverages the theoretical power of linear algebra, 2) contrast with existing denotational approaches, 3) find generic algorithms for the analysis of behaviors?
Thank you
Questions?