1

Model-Checking of Component-Based Real-Time Embedded Software Based on CORBA Event Service

Yuanfang Zhang for Seminar CSE7216

Presentation based on Zonghua Gu and Kang G. Shin, Model-Checking of Component-Based Real-time Embedded Software Based on CORBA Event Service,

Proceedings of 8th IEEE International Symposium on Object-oriented Real-time distributed Computin (ISORC'05)

2

Outline Problem

Verification of component-based real-time embedded software based on CORBA Event Service

Example: Avionics Mission Computing (AMC) Finite State Processes (FSP)

Formalize specification of software components and system architecture

Labeled Transition System Analyzer (LTSA) Exhaustively exploring the system state space to prove

certain system properties Scalability improvement

State space explosion

3

AMC

Event Triggers Publish/Subscribe

Method Invocations Receptacle/Facet

Control-push/data pull (data push)

4

FSP - event prefix

If x is an event and P a process then (x-> P) describes a process that initially synchronizes with the event x and then behaves exactly as described by P.

once

0 1

Convention: events begin with lowercase letters PROCESSES begin with uppercase letters

ONESHOT = (once -> STOP). ONESHOT state machine(terminating process)

5

FSP - recursion

Repetitive behaviour uses recursion:on

off

0 1SWITCH = OFF,OFF = (on -> ON),ON = (off-> OFF).

Substituting to get a more succinct definition:SWITCH = OFF,OFF = (on ->(off->OFF)).

And again:SWITCH = (on->off->SWITCH).

6

FSP - choice

If x and y are events then (x-> P | y-> Q) describes a process which initially engages in either of the events x or y. After the first event has occurred, the subsequent behavior is described by P if the first event was x and Q if the first action was y.

FSP model of a drinks machine :

DRINKS = (red->coffee->DRINKS |blue->tea->DRINKS ).

red

blue

coffee

tea

0 1 2

7

FSP – Composition Process Primitive processes can be composed to form a

composition process with the operator | | If processes in a composition have a common

shared event, all processes must synchronize on the shared event at the same step

MAKER = (make -> ready ->MAKER)

USER = (ready -> use ->USER)

| | MAKER_USER = (MAKER | | USER)

MAKER = (make -> done ->MAKER)

USER = (ready -> use ->USER)

| | MAKER_USER =

(aMaker:MAKER | | aUser:USER)

/{aMaker.done / aUser.ready}

8

Modeling AMC with FSP

ClosedEDComponentClosedEDComp = (inEvt -> issueGDCall ->receiveGDReply -> outEvt -> ClosedEDComp | receiveGDCall -> issueGDReply ->ClosedEDComp).

OpenEDComponentOpenEDComp = (inEvt -> issueGDCall ->receiveGDReply -> outEvt -> OpenEDComp | receiveGDCall -> issueGDReply ->OpenEDComp| receiveSDCall -> issueGDCall -> receiveGDReply -> issueSDReply -> outEvt -> OpenEDComp

• DeviceComponentDeviceComp = (inEvt -> outEvt -> DeviceComp

| receiveGDCall -> issueGDReply -> DeviceComp).

• DisplayComponentDisplayComp = (inEvt -> issueGDCall -> receiveGDReply -> display ->DisplayComp).

9

FSP – Component Interactions (1) Control-Push / Data-Pull

Synchronous: pairwise interactions between components happen instantaneously without the delays introduced by the middleware

10

FSP – Component Interactions (2)

Input Event Correlation AND synchronization / OR synchronization

11

FSP – Component Interactions (3) Real-Time Issues

A global event tick is shared among all the timers

Schedulable (add an explicit synchronization between the timer and the terminal events)

Both 2 display components have been

triggered before next 20hz timeout

12

FSP – an example application

13

Verify System Properties

Safety Deadlock freedom

Circular dependency Multiple input events with AND synchronization, but not

all of them are available Event reachability Sequencing constrains

Liveness progress

14

Deadlock FreedomLTSA:

15

Event reachability & Sequencing constrains

16

Progress Property

The action will be executed infinitely often in any infinite execution of a systemprogress P1 = {navDisplay.display}

17

Scalability

Lack of scalability due to state-space explosion Out-of-memory

Exploit domain-specific constraints Omit the synchronization action

Compose and check the system hierachically Can not check for end-to-end sequencing contraints that

span multiple groups and involves internal events from these groups

18

Exploit domain-specific constraints

Reduce the call-return two-way synchronization into a one-way synchronization

19

20

Both Display components are required to be triggered before the next 1Hz timeout

21

Performance Evaluation

3 components to 50 components Seconds or at most a few minutes Hundreds of thousands of components

No model checker can scale up to this size Rely on designer’s manual work to separate and

model-check them individually