la méthodologie morse f. kordon, lip6-src (umr 7606) université p. & m. curie...

La méthodologie MORSE

F. Kordon, LIP6-SRC (UMR 7606)

Université P. & M. Curie

[email protected]

2Journée Informatique Embarquée: du matériel au logiciel - 13 Mai 2005 Fabrice Kordon - UPMC

Is there a future for applicationsout of distribution?

Some examplesAutomatic freewaySatellite constellationsDrone fleetsDomotic applicationsEtc.

Increasing complexity…

…and need for reliability

Main problem how to handle such applicationsInteractions between components (p2p approaches)Spécification, Analysis techniques, Relation to program,

DeploymentHow to capture know-how (usability for engineers)

Need for a vertical approach (no way to solve the problem locally only)


Separation of concerns

Control aspects (the difficult part;-)Computational aspects (related to an application domain)

Controlaspects

Computationalaspects

DistributedApplication

External components

Development usingdomain approaches

Model Based Develoment

Spec. of controlsFormal verif.Prog. gen.


MORSE: development Methodology centered on models

Formalspec.

Formal spec.generation

Programs

ProgramGeneration

UML (profile)

Tests & «tuning»

Reffinements

Formal verif.(Petri nets, DDD)

«Formal debug»

LfP

Reformulate/enrich

LfP =pivot language


LfP: Language overview

LfP (language for prototyping)Architectural views c ensure traceability

Deduced from UML + identification of communications elementsBehavioral views c describe behavioral contracts

Partially deduced from sequence diagrams + connection to state diagrams

Property views c expected properties (guide for verification)

Properties must be embedded into the specificationDeployment view c for program synthesis (directives for code

gen.) Link to the target architecture, detailed code generation directives

Now strongly linked to a UML-profile (UML-M)


Spec.formelle

LfP

programes

UML (profile)

Focus 1: using formal methods

Testing techniques fail Exhaustivity is not ensured

Require formal methods «premise and problems» Need for push-button tools

Approaches Theorem proving

Parameterizable Difficult to automate

Model checking Easy to automate Combinatorial explosion

Problem,mastering the complexity


An example, specific techniquesusing symbolic approaches

Client code

-- Get a reference to the current client taskClient := Get_My_Id;-- Do the main looploop -- computing data + server call Message := Get_This_message; Server := Get_This_server; Server.gr(client, message); -- Waiting for results accept ga;end loop

Server code

loop -- Waiting for an incoming service accept gr (The_Client, The_Message) do Who := The_Client; Data := The_Message; end gr; -- Processing (according to Data) if (Evaluate (Data < 2)) then Processing_1 (Data); else Processing_2 (Data); end if; -- Notifying the client Who.ga; end loop;

Hypothesis: process comute only atyellow points


Specification (Petri nets)

Parameterization according to C, S et M

rq

ack

Client

c1<C.all>

c2

sm

ga<c>

<c,s,m>

<c>

<c>

<c>

<c>

Server

s1<S.all>

s2

gr1[m < 2]

gr2[m >= 2]

sa<c>

<s><c,s>

<s> <s>

<c,s><c,s>

<c,s,m>


Where does complexity comes from?

c1<C.all>

c2

s1<S.all>

s2

rq

ack

sm

ga

gr1[m < 2]

gr2[m >= 2]

sa<c><c>

<s><c,s>

<s> <s>

<c,s><c,s>

<c,s,m><c,s,m><c,s,m>

<c>

<c>

<c>

<c>

This part generates distinct but permutable valuesToo many concreted states (the system is symmetric, clients are permutable)

Problem


State space & Symbolic state space(C=2, S=1, M=2)

sm

sm

sm

ga

gr1

sa

sm

sm

gr1

ga

sm

gr2

ga

gr2

gr2

gr1

sm

gr2

ga

sm

sm

gr1

gr1

sm

ga sm

sa

gr2

sm

sa

ga

gr2

sa

gr2

sm

gr1

sa

ga

sm

gr1

sm

sa

sm

gr1

sm

ga

sm

gr2

ga

sa

sm

sm

sa

ga

A client sends M < 2 to serverTwo paths (C1 ≠ C2)

24 nodes, 54 arcs

sm

sm

gr1

sm

sm

gr2

sm

sm

sa

sm

sm

gr1

gr2

gr1

gr2

ga

sm

sm

sa

sa

gr1

ga

gr2

ga

sa ga

ga

Same configuration, only one path (client identity can be exchanged)

14 nodes, 27 arcs


State spacedoes not

grow anymore!

Data for C=5 and M=4 (S growth)

110

1001 000

10 000100 000

1 000 00010 000 000

100 000 000

Concr. Stt

Symb. stt

Ratio

Performances

It is useless to

have S > C ;-)


Why this technique is applicable?

Yes, Well formed Petri Nets allow such an analysisUse of structural information on the specificationIdentification of static subclasses

All elements share the same behaviorDetection of total system symmetries

Extensions for partial symmetries too

Is this operational?Automatic detection of static subclasses is implemented in CPN-

AMISymbolic model checking as well (cooperation with the GreatSPN

kernel)Coming in the next release

Larger experimentations?


100 millions states

Almost a «hard limit» for numerous tools due to RAM size (then model checkers do swap)

1

10

100

1000

10000

100000

1E+06

1E+07

1E+08

1E+09

1E+10

1E+11

1E+12

2 thre

ads

3 thre

ads

4 thre

ads

5 thre

ads

6 thre

ads

7 thre

ads

Concr. SttSymb. SttRatio

Other performances (PolyORB)(P4 2.4GHz 512Mo)

Manual specification but same strategy

89 places, 72 transitions, 289 arcs

Strongly symmetric specification


Spec.formelle

LfP

programes

UML (profile)

Focus 2: relation to programs

Requires a generic prototype architecture

Integrates a communication pattern with external copnents

Requires a set of services (runtime)

Similar to programing languages;-)

Provides support functions to operate LfP specifications

LfP runtime and middleware? Similar objectives Require facilities for deployment Discussed laterProblem,

liaison with «the world»


From the model to the program

LfP contains a deployment viewYet experimental in its syntax (XML data associated to the

specification)

Generation approach

Partitioned view

Application node

Programs

N1 N2 N3

EnvironmentLfP Capsule (runtime)What needs for

the runtime?

LfP Specification

LfP element (thread?)

Runtime

Patterns &architectures

Projection of the model into implementation components


conclusion

Distributed applications are a difficult taskHandling complexity of interactionsHandling deployment onto machinesHandling configuration (on a node)

Certification, real-time, etc.

Integrated methodology can help!!!Modeling and formal methods

Experimentation on LfP Why not UML? goes somewhat in «the good» direction

Architecture languages: Software or hardware (need both?) AADL, UML/ROOM, both?

Middleware manufacturing Middleware «à la carte»


Advertising;-)the MORSE project

Méthodes et Outils pour la Réalisation et la vérification formellede Systèmes interopérables Embarqués critiques

RNTL project (June 2003- June 2006)Sagem SA (project leader)AonixLIP6-SRCLaBRI

Objectives: a methodology with its (prototype;-) toolsPrototyping approachUse of formal methods for verifying the systemUse of a pivot languageIntegration of legacy code


Many perspectives

Need for dynamic adaptation (at execution time)Some techniques are available

Virtual Virtual machines (for the runtime)…

Need to control the development of transformation toolsModel engineering techniques are available

Metamodeling techniques? Transformation languages?

Need for more formal techniquesManagement of time? Probabilistic analysis?

Etc…

There is still some interesting work to come;-)

la méthodologie morse f. kordon, lip6-src (umr 7606) université p. & m. curie...

Documents

matriel au logiciel

journe informatique

fabrice kordon upmc

fabrice kordon upmc

s c page

complexity page

arcs page

client data