timed component modeling in preemptive systemscdgill/career/proposaldefense.pdf · 2007-05-31 ·...

Timed Component Modeling in Preemptive Systems

Huang-Ming Huang

Department of Computer Science and EngineeringWashington University in St. Louis

Huang-Ming Huang (WUSTL) Timed Component Modeling in Preemptive Systems 1 / 32

Introduction

Introduction

Component based software methodology is widely usedsoftware components with predefined interfaces to facilitate software reuserequires middleware for location transparency and concurrency controllots of configuration options to provide software flexibility

RateGenPulse

GPSReadyRefresh

NavDisplayRefresh

Middleware Middleware

concurrency security persistancy


Introduction

Problem Statement

Each component has its own environmental assumptionsIf configuration settings do not met the assumptions could causeproblems

such as deadlocks, race conditions, priority inversions.

Representation and analysis are needed to check the compatibilitybetween componentsThe analysis should

support the modeling ofComponent interactionsComponent timing constraintsInfluences of preemptive scheduling algorithmsInfluences of different component concurrency strategies

Automatically check the safety and liveness properties of a system


Introduction

Previous Works about Modeling Theory

Component Timing Preemptive PropertyInteraction Constraints System Concurrency Checking

Model !

Checking ! !

TimedAutomata ! ! ! !

Interface safetyAutomata ! ! only

Hybrid generallyAutomata ! ! ! ! unsolvable

Tractable checking of all 4 areas is needed


Introduction

My Proposal

Develop a new component modelCombining Interface Automata, Timed Automata and PreemptiveScheduling AlgorithmsIt integrates the modeling of

component interactionscomponent timing constraintsthe influences of preemptive scheduling algorithmsthe influences of different component concurrency strategies

Algorithms to convert the proposed model into a checkable timedautomata model

Build a tool to realize and check the proposed model


Introduction

Prior Works on Model Checker and Domain Specific ModelChecking

Modeling EnvironmentsGME, Ptolemy, ...

Untimed Model CheckersSPIN, Bogor, ...

Model Checkers for Timed or Hybrid AutomataUPPAAL, IF toolset, HYTECH,...

Model Libraries or Domain Specific Modeling TechniquesCadena, Madl et al, Subramonian et al, PTIDES, ...

None of above integrate component modeling with timing constraints,preemptive scheduling and choice of concurrency strategies.


Introduction

Structure of the Research

Interface Automata

Middleware concurrency control

Timed and Hybrid Automata

Proposed Component Model

Research and Evaluation Plan

Conclusions


Interface Automata

Interface AutomataAlfaro and Henzinger (2001)

Models component interactionsActions

Output (!)Input (?)Internal (;)

Finite state machineComponent composition

Needed by model checker tosearch a single state spaceAssumes every component isactive object

Matching actions becomeinternalized actions aftercomposition

⊗

0 1msg!

ok?

msg ok fail

0 1 2 3 4

5

6

msg? send! nack? send!ack?

ack?ok!

nack?fail!

msg ok fail

send ack nack

0 1 2 3 4

5

6

msg; send! nack? send!ack?

ack?ok;

nack?

send ack nack


Interface Automata

Deficiencies with Interface Automata

No timing constraint supportEvery component is an active object

No concurrency strategy supportMiddleware concurrency strategies

Single ThreadWait on connectionWait on reactor

Multiple ThreadsThread pool


Interface Automata

Wait on Connection StrategyOne request at a time, does not service others until current one finish


Interface Automata

Wait on Reactor StrategyOne request at a time, allows to service others while waiting


Interface Automata

Thread Pool StrategyMore than one request at a time


Subramonian’s Solution

Prior Work on Modeling Middleware ConcurrencyThe Solution of Subramonian et al. (2006)

Aims for applications written directly on top of middleware such asCORBA, nORB

Use timed automata to model network and middleware entities.Problems :

Lack of abstractionRequires explicit specification on network connection managementRequires explicit control to simulate thread execution

Prone to state space explosionDomain specific optimization helps, but must be applied explicitly.



The Solution of Subramonian et al. (2006)

ApplicationLayer

abstraction

MiddlewarePrimitive

abstraction

Network/OSabstraction

IPC channel

IPC_SAP IPC_SAPForwoard channel

Reverse channel

SAP Event Demultiplexer

ThreadPool Reactor

IPC_SAP_SetHander

Repository

Connector

Accepter

SAP Reader

SAP Writer

Event Handler

IPC_SAP



Prior Work on Modeling Middleware ConcurrencyThe Solution of Subramonian et al. (2006)

Aims for applications written directly on top of middleware such asCORBA, nORB

Use timed automata to model network and middleware entities.Problems :

Lack of abstractionRequires explicit specification on network connection managementRequires explicit control to simulate thread execution

Prone to state space explosionDomain specific optimization helps, but must be applied explicitly.


Component Composition

Modeling Component with Middleware AbstractionsMy proposed solution

Use component composition schemes to represent middlewareconcurrency strategies

Multi-threaded CompositionParallel Composition : the only scheme used by Interface Automata

Single-threaded Compositions : my new additionsAtomic CompositionMonitor Composition



Parallel Composition

a1 a2

ra1 ra2

p0

p1

p2

p3

a1?

ra1!

a2?

ra2!

ra2 a3 ra4

a2 ra3 a4

q0 q1 q2

q3q4q5

a3? a2!

ra2?

a4!ra4?

ra3!⊗

a1 a3 ra4

ra1 ra3 a4

p0q0 p0q1 p3q2 p0q3 p0q4 p0q5

p1q0 p1q1 p1q3 p1q4 p1q5

p2q0 p2q1 p2q3 p2q4 p2q5

a3? a2 ra2 a4! ra4?

a3? a4! ra4?

a3?

a4!

ra4?

a1? a1? a1? a1? a1?

ra3!

ra3!

ra3!

ra1! ra1!ra1!

ra1! ra1!



Atomic Composition

a1 a2

ra1 ra2

p0

p1

p2

p3

a1?

ra1!

a2?

ra2!

ra2 a3 ra4

a2 ra3 a4

q0 q1 q2

q3q4q5

a3? a2!

ra2?

a4!ra4?

ra3!⊙

a1 a3 ra4

ra1 ra3 a4


p1q0

p2q0

a3? a2 ra2 a4! ra4?

a1?

ra3!

ra1!



Monitor Composition

a1 a2

ra1 ra2

p0

p1

p2

p3

a1?

ra1!

a2?

ra2!

ra2 a3 ra4

a2 ra3 a4

q0 q1 q2

q3q4q5

a3? a2!

ra2?

a4!ra4?

ra3!⊕

a1 a3 ra4

ra1 ra3 a4


p1q0 p1q4

p2q0 p2q4

a3? a2 ra2 a4! ra4?

a1?

ra3!

ra1!

a1?

ra1!


Timed Automata

How to model time?


Timed Automata

Timed AutomataAlur and Dill (1993)

A Timed Automaton A = (S, S0, X, I, T)S is a finite set of locations

S0 ⊆ S : a set of starting locations

X : a set of clocks

I : S → C(X) location invariants

T ⊆ S× C(X)× 2X × S a set oftransitions

starty ≤ 20

loopy ≤ 50

endy ≤ 20

y ≥ 10enter

x := y := 0

y ≥ 40leave

y := 0

x == 1work

x := 0

y ≥ 10

y := 0

guard

reset


Timed Automata

The Problem with Timed Automata

Timed Automata models can’t express preemption semanticsAll clocks progress at the same speedDuring preemption, the clocks for representing execution time of thepreempted task should be stopped

Not possible in Timed Automata model


One Solution for Preemption : Hybrid Automata

Hybrid AutomataHenzinger (1996)

Each location contains rateconditions for each variable

Timed Automata is a special caseof Hybrid AutomataModel Checking with HybridAutomata is generallyundecidable

Some certain special cases aredecidable but the complexitiesare NP-hard.

p0q0t1 = 0t2 = 0

p1q0t1 = 1t2 = 0

p0q1t1 = 0t2 = 1

p1q1t1 = 0t2 = 1

a?t1 := 0

t1 = 3

b?

t2 := 0 t2 = 5 t2 = 5

b?

t2 := 0



My Solution for Preemption

Use task response time instead of maximum execution time in TimedAutomata Models

Task response time is subject to the changes of CPU allocation andscheduling algorithmsTimed Automata model does not have enough information for schedulinganalysis

Combine Interface Automata, Timed Automata and Scheduling AnalysisWhat is needed for scheduling analysis?

Tasks and their worst case execution timesTask periodicityThe components share the same scheduling resources (Node)



A New Component Model

ActionsInput ActionsOutput ActionsInternal Actions

InterfaceAutomata

Locations

Clocks

Location InvariantsTransitions

Timed Transition : Guards, Resets

TimedAutomata

Preemptible Transitions

Output Rate RelationsMy

Additions

t ≤ 3

a?

b?

[2]

t ≤ 3

c;

t:=0

ra!

a

rara + ara + 2ara + 0.5ara + min(a, b)ra + max(a, b)

b



Component Composition and Node

Component Composition SchemesParallel Composition ⊗ Interface AutomataAtomic Composition �Monitor Composition ⊕ My Additions

Composition RulesSymmetric : A⊗ B ≡ B⊗ AParallel composition cannot be nested inside atomic and monitorcomposition

Legal : A⊗ (B� C)Illegal :A� (B⊗ C)

Node : the mapping of components to resourcesUsed to calculate CPU utilization and preemption overhead



Rate Deduction and CPU utilization Calculation of a Node

Given the input rate of all externalactions, the rate of internalizedinput actions can be deduced

The rate of preemptibletransitions is associated with theirclosest input actionsThe CPU utilization of a node isbounded by

∑ eipi

ei : worst case transition timeof the preemptive transition ipi : period of the preemptivetransition i

b

rb

P0

a?

[2]

ra!

a ra + a

a + b ra

b rb + ra

P1

b? [3]

ra?[2]

a!rb!



Input actions and Preemptible Transitions

a?

b?

[3]

a b

⇒

a?

b?

c! rc?

a b

c + a + b rc

c?[3]

rc!

c rc + c



Scheduling Algorithm and Preemptible Transitions

An Example with RateMonotonic Scheduling (RMS)Algorithm :

Higher rate tasks have higherprioritiesLiu and Layland (1973)

CPU Utilization : U =∑ ei

pi

Task response time

ti = ei +i−1∑k=1

⌈tipk

⌉ek

p0 p1

a?

[3]

t2 := 0

t2 ≤ 8

t1 := 0

t1 ≤ 5

q0 q1

b?

[5]

ra = 130 rb = 1

15

U = 330 + 5

15 = 0.43 < 0.69t2 = 3 +⌈ 3

15

⌉5 = 8 t2 ≤ 8

t1 ≤ 5 t2 ≤ 8t1 ≤ 5

a?t2 := 0

t2 ≤ 8

b?

t1 := 0 t1 ≤ 5 t1 ≤ 5

b?

t1 := 0



Composition Constraints

Modeling communication delay between components

P0

a?

[2]

ra! a

ra

⊙(1,2)

(3,4) ra

a

b rb

b? [3]

ra?[2]

a!rb!

t ≤ 2

t ≤ 4

b? [3] a;

[2]

ra;[2]

rb!

t := 0 1 ≤ t ≤ 2

3 ≤ t ≤ 4 t := 0


Plan and Conclusion

Research and Evaluation Plan

Develop a tool to realize the proposed modelBase on the Bogor Model checker

Bogor is open sourceBogor supports several key abstractions such as classes, objects, threads

What I need to doDevelop a textual language for the specification of proposed modelDefine an algorithm to convert the proposed model into a checkable TimedAutomata modelImplement timed automata model checking in Bogor

Model realistic component based applications and compare withThe approach of Subramonian et al.Hybrid automata


Plan and Conclusion

Conclusions

Component based software hides some complexities that may impact thesafety and liveness properties of a system

Model checking technology can help to verify those properties duringcompositionMy proposed component model deals with the following issues

Component compositions with different concurrency strategiesTimed automata don’t support systems with preemptive schedulingHybrid automata are generally unsolvable

Tool need to be developed for checking the proposed component model


timed component modeling in preemptive systemscdgill/career/proposaldefense.pdf · 2007-05-31 ·...

Documents