timed component modeling in preemptive systemscdgill/career/proposaldefense.pdf · 2007-05-31 ·...
Post on 23-Apr-2020
0 Views
Preview:
TRANSCRIPT
Timed Component Modeling in Preemptive Systems
Huang-Ming Huang
Department of Computer Science and EngineeringWashington University in St. Louis
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 1 / 32
Introduction
Introduction
Component based software methodology is widely usedsoftware components with predefined interfaces to facilitate software reuserequires middleware for location transparency and concurrency controllots of configuration options to provide software flexibility
RateGenPulse
GPSReadyRefresh
NavDisplayRefresh
Middleware Middleware
concurrency security persistancy
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 2 / 32
Introduction
Problem Statement
Each component has its own environmental assumptionsIf configuration settings do not met the assumptions could causeproblems
such as deadlocks, race conditions, priority inversions.
Representation and analysis are needed to check the compatibilitybetween componentsThe analysis should
support the modeling ofComponent interactionsComponent timing constraintsInfluences of preemptive scheduling algorithmsInfluences of different component concurrency strategies
Automatically check the safety and liveness properties of a system
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 3 / 32
Introduction
Previous Works about Modeling Theory
Component Timing Preemptive PropertyInteraction Constraints System Concurrency Checking
Model !
Checking ! !
TimedAutomata ! ! ! !
Interface safetyAutomata ! ! only
Hybrid generallyAutomata ! ! ! ! unsolvable
Tractable checking of all 4 areas is needed
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 4 / 32
Introduction
My Proposal
Develop a new component modelCombining Interface Automata, Timed Automata and PreemptiveScheduling AlgorithmsIt integrates the modeling of
component interactionscomponent timing constraintsthe influences of preemptive scheduling algorithmsthe influences of different component concurrency strategies
Algorithms to convert the proposed model into a checkable timedautomata model
Build a tool to realize and check the proposed model
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 5 / 32
Introduction
Prior Works on Model Checker and Domain Specific ModelChecking
Modeling EnvironmentsGME, Ptolemy, ...
Untimed Model CheckersSPIN, Bogor, ...
Model Checkers for Timed or Hybrid AutomataUPPAAL, IF toolset, HYTECH,...
Model Libraries or Domain Specific Modeling TechniquesCadena, Madl et al, Subramonian et al, PTIDES, ...
None of above integrate component modeling with timing constraints,preemptive scheduling and choice of concurrency strategies.
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 6 / 32
Introduction
Structure of the Research
Interface Automata
Middleware concurrency control
Timed and Hybrid Automata
Proposed Component Model
Research and Evaluation Plan
Conclusions
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 7 / 32
Interface Automata
Interface AutomataAlfaro and Henzinger (2001)
Models component interactionsActions
Output (!)Input (?)Internal (;)
Finite state machineComponent composition
Needed by model checker tosearch a single state spaceAssumes every component isactive object
Matching actions becomeinternalized actions aftercomposition
⊗
0 1msg!
ok?
msg ok fail
0 1 2 3 4
5
6
msg? send! nack? send!ack?
ack?ok!
nack?fail!
msg ok fail
send ack nack
0 1 2 3 4
5
6
msg; send! nack? send!ack?
ack?ok;
nack?
send ack nack
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 8 / 32
Interface Automata
Deficiencies with Interface Automata
No timing constraint supportEvery component is an active object
No concurrency strategy supportMiddleware concurrency strategies
Single ThreadWait on connectionWait on reactor
Multiple ThreadsThread pool
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 9 / 32
Interface Automata
Wait on Connection StrategyOne request at a time, does not service others until current one finish
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 10 / 32
Interface Automata
Wait on Reactor StrategyOne request at a time, allows to service others while waiting
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 11 / 32
Interface Automata
Thread Pool StrategyMore than one request at a time
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 12 / 32
Subramonian’s Solution
Prior Work on Modeling Middleware ConcurrencyThe Solution of Subramonian et al. (2006)
Aims for applications written directly on top of middleware such asCORBA, nORB
Use timed automata to model network and middleware entities.Problems :
Lack of abstractionRequires explicit specification on network connection managementRequires explicit control to simulate thread execution
Prone to state space explosionDomain specific optimization helps, but must be applied explicitly.
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 13 / 32
Subramonian’s Solution
The Solution of Subramonian et al. (2006)
ApplicationLayer
abstraction
MiddlewarePrimitive
abstraction
Network/OSabstraction
IPC channel
IPC_SAP IPC_SAPForwoard channel
Reverse channel
SAP Event Demultiplexer
ThreadPool Reactor
IPC_SAP_SetHander
Repository
Connector
Accepter
SAP Reader
SAP Writer
Event Handler
IPC_SAP
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 14 / 32
Subramonian’s Solution
Prior Work on Modeling Middleware ConcurrencyThe Solution of Subramonian et al. (2006)
Aims for applications written directly on top of middleware such asCORBA, nORB
Use timed automata to model network and middleware entities.Problems :
Lack of abstractionRequires explicit specification on network connection managementRequires explicit control to simulate thread execution
Prone to state space explosionDomain specific optimization helps, but must be applied explicitly.
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 15 / 32
Component Composition
Modeling Component with Middleware AbstractionsMy proposed solution
Use component composition schemes to represent middlewareconcurrency strategies
Multi-threaded CompositionParallel Composition : the only scheme used by Interface Automata
Single-threaded Compositions : my new additionsAtomic CompositionMonitor Composition
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 16 / 32
Component Composition
Parallel Composition
a1 a2
ra1 ra2
p0
p1
p2
p3
a1?
ra1!
a2?
ra2!
ra2 a3 ra4
a2 ra3 a4
q0 q1 q2
q3q4q5
a3? a2!
ra2?
a4!ra4?
ra3!⊗
a1 a3 ra4
ra1 ra3 a4
p0q0 p0q1 p3q2 p0q3 p0q4 p0q5
p1q0 p1q1 p1q3 p1q4 p1q5
p2q0 p2q1 p2q3 p2q4 p2q5
a3? a2 ra2 a4! ra4?
a3? a4! ra4?
a3?
a4!
ra4?
a1? a1? a1? a1? a1?
ra3!
ra3!
ra3!
ra1! ra1!ra1!
ra1! ra1!
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 17 / 32
Component Composition
Atomic Composition
a1 a2
ra1 ra2
p0
p1
p2
p3
a1?
ra1!
a2?
ra2!
ra2 a3 ra4
a2 ra3 a4
q0 q1 q2
q3q4q5
a3? a2!
ra2?
a4!ra4?
ra3!⊙
a1 a3 ra4
ra1 ra3 a4
p0q0 p0q1 p3q2 p0q3 p0q4 p0q5
p1q0
p2q0
a3? a2 ra2 a4! ra4?
a1?
ra3!
ra1!
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 18 / 32
Component Composition
Monitor Composition
a1 a2
ra1 ra2
p0
p1
p2
p3
a1?
ra1!
a2?
ra2!
ra2 a3 ra4
a2 ra3 a4
q0 q1 q2
q3q4q5
a3? a2!
ra2?
a4!ra4?
ra3!⊕
a1 a3 ra4
ra1 ra3 a4
p0q0 p0q1 p3q2 p0q3 p0q4 p0q5
p1q0 p1q4
p2q0 p2q4
a3? a2 ra2 a4! ra4?
a1?
ra3!
ra1!
a1?
ra1!
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 19 / 32
Timed Automata
How to model time?
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 20 / 32
Timed Automata
Timed AutomataAlur and Dill (1993)
A Timed Automaton A = (S, S0, X, I, T)S is a finite set of locations
S0 ⊆ S : a set of starting locations
X : a set of clocks
I : S → C(X) location invariants
T ⊆ S× C(X)× 2X × S a set oftransitions
starty ≤ 20
loopy ≤ 50
endy ≤ 20
y ≥ 10enter
x := y := 0
y ≥ 40leave
y := 0
x == 1work
x := 0
y ≥ 10
y := 0
guard
reset
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 21 / 32
Timed Automata
The Problem with Timed Automata
Timed Automata models can’t express preemption semanticsAll clocks progress at the same speedDuring preemption, the clocks for representing execution time of thepreempted task should be stopped
Not possible in Timed Automata model
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 22 / 32
One Solution for Preemption : Hybrid Automata
Hybrid AutomataHenzinger (1996)
Each location contains rateconditions for each variable
Timed Automata is a special caseof Hybrid AutomataModel Checking with HybridAutomata is generallyundecidable
Some certain special cases aredecidable but the complexitiesare NP-hard.
p0q0t1 = 0t2 = 0
p1q0t1 = 1t2 = 0
p0q1t1 = 0t2 = 1
p1q1t1 = 0t2 = 1
a?t1 := 0
t1 = 3
b?
t2 := 0 t2 = 5 t2 = 5
b?
t2 := 0
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 23 / 32
Proposed Component Model
My Solution for Preemption
Use task response time instead of maximum execution time in TimedAutomata Models
Task response time is subject to the changes of CPU allocation andscheduling algorithmsTimed Automata model does not have enough information for schedulinganalysis
Combine Interface Automata, Timed Automata and Scheduling AnalysisWhat is needed for scheduling analysis?
Tasks and their worst case execution timesTask periodicityThe components share the same scheduling resources (Node)
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 24 / 32
Proposed Component Model
A New Component Model
ActionsInput ActionsOutput ActionsInternal Actions
InterfaceAutomata
Locations
Clocks
Location InvariantsTransitions
Timed Transition : Guards, Resets
TimedAutomata
Preemptible Transitions
Output Rate RelationsMy
Additions
t ≤ 3
a?
b?
[2]
t ≤ 3
c;
t:=0
ra!
a
rara + ara + 2ara + 0.5ara + min(a, b)ra + max(a, b)
b
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 25 / 32
Proposed Component Model
Component Composition and Node
Component Composition SchemesParallel Composition ⊗ Interface AutomataAtomic Composition �Monitor Composition ⊕ My Additions
Composition RulesSymmetric : A⊗ B ≡ B⊗ AParallel composition cannot be nested inside atomic and monitorcomposition
Legal : A⊗ (B� C)Illegal :A� (B⊗ C)
Node : the mapping of components to resourcesUsed to calculate CPU utilization and preemption overhead
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 26 / 32
Proposed Component Model
Rate Deduction and CPU utilization Calculation of a Node
Given the input rate of all externalactions, the rate of internalizedinput actions can be deduced
The rate of preemptibletransitions is associated with theirclosest input actionsThe CPU utilization of a node isbounded by
∑ eipi
ei : worst case transition timeof the preemptive transition ipi : period of the preemptivetransition i
b
rb
P0
a?
[2]
ra!
a ra + a
a + b ra
b rb + ra
P1
b? [3]
ra?[2]
a!rb!
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 27 / 32
Proposed Component Model
Input actions and Preemptible Transitions
a?
b?
[3]
a b
⇒
a?
b?
c! rc?
a b
c + a + b rc
c?[3]
rc!
c rc + c
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 28 / 32
Proposed Component Model
Scheduling Algorithm and Preemptible Transitions
An Example with RateMonotonic Scheduling (RMS)Algorithm :
Higher rate tasks have higherprioritiesLiu and Layland (1973)
CPU Utilization : U =∑ ei
pi
Task response time
ti = ei +i−1∑k=1
⌈tipk
⌉ek
p0 p1
a?
[3]
t2 := 0
t2 ≤ 8
t1 := 0
t1 ≤ 5
q0 q1
b?
[5]
ra = 130 rb = 1
15
U = 330 + 5
15 = 0.43 < 0.69t2 = 3 +⌈ 3
15
⌉5 = 8 t2 ≤ 8
t1 ≤ 5 t2 ≤ 8t1 ≤ 5
a?t2 := 0
t2 ≤ 8
b?
t1 := 0 t1 ≤ 5 t1 ≤ 5
b?
t1 := 0
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 29 / 32
Proposed Component Model
Composition Constraints
Modeling communication delay between components
P0
a?
[2]
ra! a
ra
⊙(1,2)
(3,4) ra
a
b rb
b? [3]
ra?[2]
a!rb!
t ≤ 2
t ≤ 4
b? [3] a;
[2]
ra;[2]
rb!
t := 0 1 ≤ t ≤ 2
3 ≤ t ≤ 4 t := 0
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 30 / 32
Plan and Conclusion
Research and Evaluation Plan
Develop a tool to realize the proposed modelBase on the Bogor Model checker
Bogor is open sourceBogor supports several key abstractions such as classes, objects, threads
What I need to doDevelop a textual language for the specification of proposed modelDefine an algorithm to convert the proposed model into a checkable TimedAutomata modelImplement timed automata model checking in Bogor
Model realistic component based applications and compare withThe approach of Subramonian et al.Hybrid automata
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 31 / 32
Plan and Conclusion
Conclusions
Component based software hides some complexities that may impact thesafety and liveness properties of a system
Model checking technology can help to verify those properties duringcompositionMy proposed component model deals with the following issues
Component compositions with different concurrency strategiesTimed automata don’t support systems with preemptive schedulingHybrid automata are generally unsolvable
Tool need to be developed for checking the proposed component model
Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 32 / 32
top related