# Rigorous Component-based System Design Using the BIP Framework #### Saddek Bensalem Join work with A. Basu, M. Bozga, P. Bougos, J. Sifakis VERIMAG Laboratory (Grenoble, France) Fifth Annual Layered Assurance Workshop December 5-6, 2011 Orlando, Florida # <u>Outline</u> Introduction - The BIP Framework - Basic Concepts and Results - The BIP Language and the associated tools - The Rigorous System Design Flow - Discussion # System Design #### Today #### We master, at high cost: - critical systems of low to medium complexity - ex: flight controllers - complex best effort systems - ex: telecommunication systems #### **Tomorrow** #### We need - affordable critical systems ex: active safety, health, robots - integration of systems of systems ex: internet of things, smart grids, ambient intelligence #### A long way to go ... Complexity: mainly for building systems by integration of existing components #### Design Approaches: - empirical and based on the expertise of the teams - reuse/extend/improve solutions that have been proven efficient and robust #### Lack of constructivity results: correctness cannot be guaranteed by design, validation is mandatory # System Design System design is the process leading to a mixed software-hardware system meeting given requirements # System Design vs Software Design ### Programs and Algorithms - Terminating - Deterministic - Behaviour: relations independent from physical resources needed for their execution - Correctness independent in the dynamic characteristics of the execution platform ### **Systems** - Non-terminating - Non-deterministic - Behaviour: relations between histories of inputs and histories of outputs - Correctness dependent on the dynamic characteristics of the execution platform # Trends in System Design ### ES must jointly meet technical requirements - Reactivity: responding within a known and bounded delay. - Autonomy: providing continuous service without human intervention. - Dependability: invulnerability to threats including attacks, hardware failures, software execution errors - Scalability: performance increase is commensurable with the increase of resources ### In addition ES must meet requirements for optimal/quality as they are integrated in mass-market products # What is needed? Foundations for a rigorous system design # Rigorous System Design ### Three grand Challenges ### 1. Marrying Physicality and Computation • theory and models encompassing continuous and discrete dynamic to predict the global behavior of a system interacting with its physical environment. ### 2. Component based Design theory, models and tools for the cost-effective building of complex systems by assembling heterogeneous components ### 3. Adaptivity systems must provide a service meeting given requirements in interaction with uncertain environments. ## Rigorous System Design – Essential Properties: Productivity ### Efficiency of the design process ### Rigorous System Design – Essential Properties: Performance - ☐ Languages for describing feasible (correct) design solutions - Optimal use of resources through design space exploration to resolve choices such as - reducing parallelism (through mapping on the same processor) - reducing non determinism (through scheduling) - fixing parameters (quality, frequency, voltage) ### System Design - Essential Properties: Correctness - Avoid design errors or eliminate them as early as possible - Incremental construction and validation scalability - Traceability between application software and implementation # Our Approach ### **Develop the BIP framework:** model-based and component-based design ### Component-Based Construction: Formal Framework Build a component C satisfying a given property P, from - C<sub>0</sub> a set of atomic components modeling behavior - $GL = \{gl_1, ..., gl_i, ...\}$ a set of glue operators on components #### Glue operators - model mechanisms used for communication and control such as protocols, controllers, buses. - restrict the behavior of their arguments, that is $$gl(C_1, C_2, ..., C_n)|A_1 refines C_1$$ # Our Approach ### **Develop the BIP framework:** - model-based and component-based design - expressive enough to encompass heterogeneity of - execution: synchronous and asynchronous components - interaction: function call, broadcast, rendez-vous - abstraction levels: hardware, middleware, application software # Our Approach ### **Develop the BIP framework:** - model-based and component-based design - expressive enough to encompass heterogeneity of - execution: synchronous and asynchronous components - interaction: function call, broadcast, rendez-vous - abstraction levels: hardware, middleware, application software - using a minimal set of constructs and principles for guaranteeing correctness by construction. ### Component-Based Construction: Incremental Description ### 1. Decomposition ### 2. Flattening Flattening can be achieved by using a (partial) associative operation $\oplus$ on GL ### Component-Based Construction: Constructivity - Compositionality Building correct systems from correct components $c_i$ sat $P_i$ implies $\forall gl \exists gl$ $c_i$ sat $gl(P_1, ..., P_n)$ ### Component-Based Construction: Constructivity - Composability Make the new without breaking the old: Rules guaranteeing non interference of solutions Property stability phenomena are poorly understood. We need composability results e.g. feature interaction in middleware, composability of scheduling algorithms, theory for reconfigurable systems # Our Approach ### **Develop the BIP component framework:** - model-based and component-based design - expressive enough to encompass heterogeneity of - execution: synchronous and asynchronous components - interaction: function call, broadcast, rendez-vous - abstraction levels: hardware, middleware, application software - using a minimal set of constructs and principles for guaranteeing correctness by construction. - treating interaction and system architectures as first class entities that can be composed and analyzed independently of the behavior of individual components # Our Approach ### **Develop the BIP component framework:** - model-based and component-based design - expressive enough to encompass heterogeneity of - execution: synchronous and asynchronous components - interaction: function call, broadcast, rendez-vous - abstraction levels: hardware, middleware, application software - using a minimal set of constructs and principles for guaranteeing correctness by construction - treating interaction and system architectures as first class entities that can be composed and analyzed independently of the behavior of individual components - providing automated support for efficient implementation on given platforms - providing automated support for validation and performance analysis #### BIP System Design refines updates **Application Software** (Programming Models) (Multi-Core) Platform Mapping Model **Translation** Model Transformation (II) **Software Model - BIP** Model Transformation (I) Software Model - BIP **Functional Validation Invariant Generation System Model - BIP** Deadlock Detection, Code generation Functional Simulation, Profiling/ Deployed Software Calibration **Performance** Middleware **Extend Analysis Timed Simulation System Model - BIP** (Multi-Core) Platform refines # **Outline** Introduction - The BIP Framework - Basic Concepts and Results - The BIP Language and the associated tools - The Rigorous System Design Flow - Discussion # Component-Based Construction: The BIP Framework Layered component model Composition (incremental description) # The BIP Framework: Behavior #### An atomic component has - A set of ports P, for interaction with other components - A set of control states S - A set of variables V - A set of transitions of the form - p is a port - g<sub>p</sub> is a guard, boolean expression on V - f<sub>p</sub> is a function on V (block of C code) ### The BIP Framework: Interaction Model - A *connector* is a set of ports which can be involved in an interaction - Port attributes (*complete*, *incomplete*) are used to distinguish between rendezvous and broadcast. - An *interaction* of a connector is a set of ports such that: either it contains some complete port or it is maximal. #### Interactions: $\{\operatorname{tick}_1,\operatorname{tick}_2,\operatorname{tick}_3\} \{\operatorname{out}_1,\operatorname{in}_2\} \{\operatorname{out}_1,\operatorname{in}_3\} \{\operatorname{out}_1,\operatorname{in}_2,\operatorname{in}_3\}$ 1/06/2007 ### The BIP Framework: Interaction Model # BIP Construction Space - separation of concerns: between behavior and architecture (interaction and priority) - semantic unification: heterogeneous components can be unified through transformation in the construction space - correctness by construction: basis for study of preservation of properties under architecture or behavior transformations # **Outline** Introduction - The BIP Framework - Basic Concepts and Results - The BIP Language and the associated tools - The Rigorous System Design Flow - Discussion # The BIP Framework: An example **Priorities** $[z_4>0]$ $p_{1234}$ Glue p<sub>123</sub> v $\uparrow v:=max(u,x_2)$ $\psi u, x_2 := v$ p<sub>123</sub> v $\uparrow u:=\max(x_1,x_2)$ Interactions p<sub>12</sub> Glue $p_1$ $p_2$ $p_3$ $p_4$ $p_{2}$ $y_2 := f_2(x_2)$ **Behavior** $q_2$ $Z_3$ $q_1$ $[y_1 < y_2]$ $q_{123}$ $r_{34}$ 29 # The BIP Language ``` // atomic component definitio // connector type definition atomic type Atom(int p, int q data int x, y, z, ... data DataType u, v, w, ... port MyPort p1(x) port TypePort2 p2(y, u) place s1, s2, s3, s4, ... initial to s1 do { /* initialization co on p1 from s1 to s2 provided guard1 do { /* transition code end on p2 from s2 to s3 provided x < y do { {# plain C code #} export port MyPort p1 is r1 end ``` ``` connector type Bus (PortType1 p1 PortType2 p2 define port-expression data int y on interaction1 provided guard up { /*interaction code */ down { /* interaction code on p1 p2 provided p1.x > 0 up \{y = p1.x + p2.x \} down \{ \{ \# p1.x = p2.x = y; \# \} \} export port PortType p0(y) ``` ``` // compound component type definition compound type Compo(int p, ...) component CompType 1 c1(p, ...) component CompType n cn connector ConType 1 x1( c1.p, ... c2.q ) connector ConType k xk( x1.p0, cn.r ) priority prio1 provided guard xi:interaction1 < xj:interaction2</pre> export port PortType1 c1.p is p export port PortTypek xk.p0 is q end ``` # Sequential Implementation - The reference implementation for BIP models - Separate compilation of component's code and coordination code - The sequential engine runs one execution trace according to the BIP semantics - The sequential engine provides extrafunctionality for run-time verification and model-checking # Sequential Implementation Execution of the Engine # The BIP Toolbox # <u>Outline</u> Introduction - The BIP Framework - Basic Concepts and Results - The BIP Language and the associated tools - The Rigorous System Design Flow - Discussion #### BIP System Design refines updates **Application Software** (Programming Models) (Multi-Core) Platform Mapping Model **Translation** Model Transformation (II) **Software Model - BIP** Model Transformation (I) **Software Model - BIP Functional Validation Invariant Generation System Model - BIP** Deadlock Detection, Code generation Functional Simulation, Profiling/ Deployed Software Calibration **Performance** Middleware **Extend Analysis Timed Simulation System Model - BIP** (Multi-Core) Platform refines # BIP Language Factory Use BIP as a unifying semantics model for various programming models #### Translations defined so far: - (Discretized) Timed and Hybrid Systems - Synchronous Systems (Lustre, MATLAB/Simulink, Scicos, ...) - Architecture Description Languages (AADL) - Domain Specific Languages and MoCs - Autonomous Robotic Applications (GeNoM) - Wireless Sensor Network Applications (TinyOs + nesC) - Process Networks in the Distributed Operation Layer (DOL) - **–** ... - Systematic approach based on two level translation into BIP: - structural translation of the language constructs, the programmers view - structural translation of the language operational semantics, the execution model view # DOL (Distributed Operation Layer) A framework from ETHZ for programming parallel applications and specifying their mapping onto multicore arch ``` <!-- arm core 1 --> rocess network of sw-prod IL), process behavior (C f <configuration name="memory" value="pm1"/> <memory name="sc mem1" type="CACHE"> square <configuration name="cvcles" value="1"/> </memory> <hw_channel name="lbus1" type="BUS"> Computation resources in nication paths (XML descr <configuration name="frequency"</pre> value="20000000"/> <configuration name="bytespercycle"</pre> es communication between ( value="1"/> </hw channel> <!-- distributed external memory --> Tile1 ARM1 <memory name="sh mem" type="RAM"> <configuration name="cycles" value="1"/> <!--configuration name="cycles" value="6"/ Local Bus (LB1) Local Bu </memory> </binding> Local Loc Me Mem <!-- bus --> <hw channel name="ahb" type="BUS"> (LM1) <configuration name="frequency"</pre> value="10000000"/> Shard Bus <configuration name="bytespercycle"</pre> ot sw-process to nw-pr description) value="4"/> </hw channel> </binding> ``` ``` cprocess name="square"> <port type="input" name="1"/> <port type="output" name="2"/> <source type="c" location="square.c"/> </process> <!-- sw channels --> <sw channel type="fifo" size="10" name="C1"> <port type="input" name="0"/> <port type="output" name="1"/> </sw channel> <connection name="q-c"> <origin name="generator"> <port name="1"/> </origin> <target name="C1"> <!-- process bindings --> <br/><br/>binding name="binding generator" xsi:type="computation"> cprocess name="generator"/> cprocessor name="ARM1"/> <!-- channel bindings --> <binding name="binding fifoC1"</pre> xsi:type="communication"> <sw channel name="C1"/> <writepath name="pm1ahbsh mem"/> <readpath name="sh memahbpm2"/> ``` ## Generation of Application SW Model ### BIP System Design refines updates **Application Software** (Programming Models) (Multi-Core) Platform Mapping Model **Translation** Model Transformation (II) **Software Model - BIP** Model Transformation (I) Software Model - BIP **Functional Validation Invariant Generation System Model - BIP** Deadlock Detection, Code generation Functional Simulation, Profiling/ Deployed Software Calibration **Performance** Middleware **Extend Analysis Timed Simulation System Model - BIP** (Multi-Core) Platform refines # Construction of HW Template - Collection of HW-processor, memory and bus components connected as defined in the architecture - HW-processor and memory are placeholder - uses HW component library # Mapping: Fill up the HW Templates - Transformation on sw model: - Splitting FIFO channel - Breaking atomic read/write - Adding interactions with CPU-Scheduler - FIFO buffers mapped to memory - Transformations fully preserve functional behavior - Uses HdS component library # System Model Construction - System model generated by applying a fixed number of transformations on the software model - splitting software channels - breaking atomicity of read/write operations in processes - inserting HdS components - **—** ... - Transformations fully preserve functional behavior - ensure correctness-by-construction! - No deadlocks are introduced - Using a given set of BIP library components (characterized by the HW architecture, OS) ### BIP System Design refines updates **Application Software** (Programming Models) (Multi-Core) Platform Mapping Model **Translation** Model Transformation (II) **Software Model - BIP** Model Transformation (I) Software Model - BIP **Functional Validation Invariant Generation System Model - BIP** Deadlock Detection, Code generation Functional Simulation, Profiling/ Deployed Software Calibration **Performance** Middleware **Extend Analysis Timed Simulation System Model - BIP** (Multi-Core) Platform refines Compositional rule for proving state invariants: - Combine two categories of particular invariants: - Component Invariants $(\Phi_i)_{i=1,n}$ - Interaction Invariants Ψ automatically generated from BIP models! Compositional rule for proving state invariants: - Combine two categories of particular invariants: - Component Invariants $(\Phi_i)_{i=1,n}$ - Interaction Invariants Ψ automatically generated from BIP models! Compositional rule for proving safety properties: ### Component Invariants: - over-approximations of the set of reachable states of atomic components - computed using static analysis of behavior Compositional rule for proving safety properties: ### Interaction Invariants: - characterize constraints on the global state space induced by synchronizations between components. - computed by static analysis of interaction structures # Implementation: D-Finder ### Results on deadlock-freedom checking of all the modules | Modules | Components | Locations | Interactions | States | LOC | Minutes | |--------------------|------------|-----------|--------------|-------------------------------------------------------|-------|---------| | LaserRF | 43 | 213 | 202 | 2 <sup>20</sup> x3 <sup>29</sup> x34 | 4353 | 1:22 | | Aspect | 29 | 160 | 117 | 2 <sup>17</sup> x3 <sup>23</sup> | 3029 | 0:39 | | NDD | 27 | 152 | 117 | 2 <sup>22</sup> x3 <sup>14</sup> x5 | 4013 | 8:16 | | RFLEX | 56 | 308 | 227 | 2 <sup>34</sup> x3 <sup>35</sup> x1045 | 8244 | 9:39 | | Antenna | 20 | 97 | 73 | 2 <sup>12</sup> x3 <sup>9</sup> x13 | 1645 | 0:14 | | Battery | 30 | 176 | 138 | 2 <sup>22</sup> x3 <sup>17</sup> x5 | 3898 | 0:26 | | Heating | 26 | 149 | 116 | 2 <sup>17</sup> x3 <sup>14</sup> x145 | 2453 | 0:17 | | PTU | 37 | 174 | 151 | 2 <sup>19</sup> x3 <sup>22</sup> x35 | 8669 | 0:59 | | Hueblob | 28 | 187 | 156 | 2 <sup>12</sup> x3 <sup>10</sup> x35 | 3170 | 5:42 | | VIAM | 41 | 227 | 231 | 2 <sup>10</sup> x3 <sup>6</sup> x665 | 5099 | 4:14 | | DTM | 34 | 198 | 201 | 2 <sup>28</sup> x3 <sup>20</sup> x95 | 4160 | 13:42 | | Stereo | 33 | 196 | 199 | 2 <sup>27</sup> x3 <sup>20</sup> x95 | 3591 | 13:20 | | P3D | 50 | 254 | 219 | 2 <sup>13</sup> x3 <sup>5</sup> x5 <sup>4</sup> x629 | 6322 | 3:51 | | LaserRF+Aspect+NDD | 97 | 523 | 438 | 2 <sup>58</sup> x3 <sup>66</sup> x85 | 11395 | 40:57 | | NDD+RFLEX | 82 | 459 | 344 | 2 <sup>56</sup> x3 <sup>49</sup> x5 <sup>2</sup> x209 | 12257 | 73:43 | ### BIP System Design refines updates **Application Software** (Programming Models) (Multi-Core) Platform Mapping Model **Translation** Model Transformation (II) **Software Model - BIP** Model Transformation (I) **Software Model - BIP Functional Validation Invariant Generation System Model - BIP** Deadlock Detection, Code generation **Functional Simulation.** Profiling/ Deployed Software Calibration **Performance** Middleware **Extend Analysis Timed Simulation System Model - BIP** (Multi-Core) Platform refines # Distributed Implementation ### Requirements - produce efficient decentralized execution models - allow for concurrent execution of interactions and internal computation of components - collection of atomic processes/threads intrinsically concurrent no global state - point-to-point communication by asynchronous message passing - ensure correctness-by-construction, that is, the initial model is equivalent to the implementation # Centralized Implementation Centralized Implementation: one Engine play all interactions! ## **Decentralized Implementation** Decentralized Implementation: dispatch interactions across *multiple* engines! # **Conflicting Interactions** I1 and I2 are conflicting (I1 # I2) ### 1st sol: Conflict-Free Distributed Engines ### Send/Receive BIP ### BIP System Design refines updates **Application Software** (Programming Models) (Multi-Core) Platform Mapping Model **Translation** Model Transformation (II) **Software Model - BIP** Model Transformation (I) **Software Model - BIP Functional Validation Invariant Generation System Model - BIP** Deadlock Detection, Code generation **Functional Simulation.** Profiling/ Deployed Software Calibration **Performance** Middleware **Extend Analysis Timed Simulation System Model - BIP** (Multi-Core) Platform refines ## Code Generation: Overview - Application task: data + thread routine - Communication: API calls provided by runtime - Main application routine - Deployment - threads to cores - data to memories - Data allocation: thread stacks; FIFO queues - API - Thread Management - Memory allocation - Communication - Synchronization ## Example: P2012 Code Generation Runtime ndpf0 ins.c ioiner.c generator.c **Functional** Code channel.map process.map #define NUM PROCESS 14 #define NUM CHANNEL 24 float FIFO\_genp\_ndpf0\_buffer[45000] L3 SHARED; void\* genp ins execute(void\*); void\* ndpf0 ins execute(void\*); float FIFO genp ndpf1 buffer[30000] L3 SHARED; void\* ndpf1 ins execute(void\*); Glue Code q handle t q handle FIFO genp ndpf0 L3 SHARED; process\_map\_t process\_map [NUM\_PROCESS] = { q\_handle\_t q\_handle\_FIFO\_genp\_ndpf1 L3\_SHARED; (Resource 0, 0, genp ins execute}, "genp", Allocation "ndpf0", 0, 1, ndpf0 ins execute}, channel map t channel map[NUM CHANNEL] = { "ndpf1", 0, 2, ndpf1 ins execute}, { "FIFO genp ndpf0", (void\*)FIFO genp ndpf0 buffer, 1, (100\*100) & \*sizeof(float), &q handle FIFO genp ndpf0 }, Thread Creation **}**; & Deployment) main.c NPL **}**; ### BIP System Design refines updates **Application Software** (Programming Models) (Multi-Core) Platform Mapping Model **Translation** Model Transformation (II) **Software Model - BIP** Model Transformation (I) **Software Model - BIP Functional Validation Invariant Generation System Model - BIP** Deadlock Detection, Code generation **Functional Simulation.** Profiling/ Deployed Software Calibration **Performance** Middleware **Extend Analysis Timed Simulation System Model - BIP** (Multi-Core) Platform refines ## Our Methodology - 1. Build executable model of the overall system - 2. Learn probability distribution of key characteristics impacting application - 3. Plug distributions and build a stochastic abstract model of the context - 4. Apply Statistical model checking on the reduced model # Statistical Model Checking (1) - Statistical methods to decide if a property is satisfied - Estimate the probability that a system satisfies a property - An alternative to avoid exhaustive exploration of state-space of a system - Results might not be always correct, but possible to bound the probability of making errors - Accuracy of estimates depends on no. and length of simulations - Simple to implement and use - Less memory and time intensive (compared to Model Checking) # Statistical Model Checking (2) ### What are the questions? - Qualitative Question: Does S |= P<sub>≥θ</sub>(φ) ? - Quantitative Question: What is the probability for S to satisfy φ? ### Principle: Reason on a finite set of executions and answer the question ## Discussion - Component framework encompassing heterogeneous composition - Separation of concerns between behavior and architecture (Interaction + Priority) involving a minimal set of constructs and principles - Expressiveness: BIP is as expressive as the universal glue - Rigorous Design Flow - Correctness-by-construction - Source to source transformations - Verification based on compositionality, composability and incrementality - System-level analysis techniques jointly taking into account - · application, hardware resources and mapping - · Component and interaction partitioning - Applications - Software componentization - Programming multicore systems - Complex systems modeling and analysis e.g., IMA # BIP Related Projects | ACOSE | BGLE | Speculative and Exploratory Design in System Engineering | |---------------|-----------|----------------------------------------------------------------------------| | ManyCoreLabs | BGLE | Generic Embedded Systems Platform | | SPICES | ITEA | Support for Predictable Integration of Mission Critical Embedded Systems | | COMBEST | FP7 | Component-Based Embedded Systems Design Techniques | | PRO3D | FP7 | Programming for Future 3D Architectures with Many Cores | | SMECY | ARTEMIS | Smart Multicore Embedded Systems | | ACROSS | ARTEMIS | Artemis Cross-Domain Architecture | | <b>ASCENS</b> | FP7 | Autonomic Service Component Ensembles | | CERTAINTY | FP7 | CErtification of Real Time Applications desIgNed for mixed criticaliTY | | MIND | Minalogic | Technologie d'assemblage des composants logiciels embarques | | CHAPI | ANR | Calcul Embarque Hautes Performances pour des Applications<br>Industrielles | | MARAE | FRAE | Methodes et Architectures Robustes pour l'Autonomie dans l'Espace | | GOAC | ESA | Goal Oriented Autonomous Controller | | SYMPAA | | Controlleur de Paiement Monetique de type Automate sur Autoroute | • Thanks for your attention. Questions?