Dr David Greaves – University of Cambridge Computer Laboratory. Using Simple Pushlogic “Suppressing Ubicomp Skirmishes” David Greaves, Daniel Gordon, Atif Alvi O2S/AutoHAN Project University of Cambridge Computer Laboratory

Dr David Greaves – University of Cambridge Computer Laboratory. A Vision of Evolution for UbiComp 1.A myriad of devices connected to the network. 2.All devices are connected and share a common, all-pervasive, middleware. 3.Mixed reality interaction is the norm – myriads of scripts.

Dr David Greaves – University of Cambridge Computer Laboratory. Home Networking - First the seeds DVD player Television Amplifier Camcorder Extension display Kitchen Home Cinema Study Modem Security cameras Video child monitor camera Access Fax is printer ? Remote security ? Pay per listen ? How many loudspeakers ? Doorbell with headphones ? Burglar alarm phones out ? CATV Internet POTS

Dr David Greaves – University of Cambridge Computer Laboratory.  1. The following separate devices, each of which can be individually useful in a networked home: Let's look at what a modern TV set contains: A Device: A collection of Pebbles and a Canned App  2. A canned application that joins the components. RF Tuner Colour Display Ni-Cam Audio Decoder Power Amplifier Surround Sound Decoder IR Receiver Teletext Decoder MPEG Decoder Programming Memory Front Panel User Interface

Dr David Greaves – University of Cambridge Computer Laboratory. AutoHAN Device Decomposition 1. Devices register themselves as a collection of Pebbles and Bundles. 2. Devices expose a command API for each internal device (Pebble). 3. Devices export their canned application's effects on other Pebbles.

Dr David Greaves – University of Cambridge Computer Laboratory. Device API Evolution 1. Early, wire protocol RPC APIs:  Sun RPC, CORBA, HAVI, MOSTNET 2.Evolvable XML APIs with Reflection:  UPnP, EDDL, (SNMP), XMLRPC, SOAP, WSDL 3.Self-Assembling Directory Services  UPnP, LDAP, SCP, SSDP, INS, … 4.Namespaces and Ontologies  OWL, OWL-S, DAML, RDF 5.Code Reflection

Dr David Greaves – University of Cambridge Computer Laboratory. Plant Control Stack Network: LAN or FIELDBUS DEVICE INVENTORY DESCRIPTIONS DATABASE STATUS DATABASE CONTROLLING APPLICATIONS SYSTEM LIVE/SAFE CONSTRAINTS PLANT DEVICES (Sensors, Valves, Pumps...) PLANT MODEL (Known Sensor/Actuator Feedback Paths, Autonomous Controller Behaviour) VIEWER TOOLS

Dr David Greaves – University of Cambridge Computer Laboratory. Ontology Mapping – a future norm ? Orange Jam Living-Room Front-Door-Bell StartUP Marmalade Lounge FrontDoorBell SwitchOn Ontologies can be nested: Claret isa RedWine isa Wine isa Drink isa Food Ontology Web Language Service (OWL-S) Ontologies can be mapped:

Dr David Greaves – University of Cambridge Computer Laboratory. Controllers versus the Controlled API Reflection is now a Mature Technology –WSDL, SOAP, XMLRPC, UPnP, It will be further deployed (?) –X-by-wire, Field Busses, Sensor Networks, CAN. –EDDL, XDDL, Embedded Systems Code Reflection has seen virtually no work! –Canned Applications –Self-hydrating Applications –User Scripting –Automated Learning (Pebbles and Goals)

Dr David Greaves – University of Cambridge Computer Laboratory. Code Reflection A device must expose the proactive behaviour of its canned application(s) –Actual source code (constrained language) –Proof carrying actual source code –Summary of behaviour –E.G. I will not send control messages when I am in standby mode. –E.G. I am always off between 1:00 and 5:00. Device is banned for remote operations unless proof obligations are met.

Dr David Greaves – University of Cambridge Computer Laboratory. Also for holding User Scripts Record both Simpson’s shows tonight and charge to Pam’s pay-per-view account. Create a video call to Peter of best quality. Whenever the doorbell is pressed during darkness turn on the porch light for 10 minutes. Do not render dialog or other popups when video recording is taking place.

Dr David Greaves – University of Cambridge Computer Laboratory. Rules of the Domain No rule should issue a command under the same circumstances where another rule issues the counter-rule. Jonny is not allowed to spend more than 2 pounds per day on pay-per- listen. Fire Alarm must mute all music sources. The front gates must always be remotely openable by some method or other.

Dr David Greaves – University of Cambridge Computer Laboratory. An Approach: Pushlogic All applications and rules are held in Pushlogic. The world is made of disjoint ‘Domains’ that devices and rules enter and leave. Devices and rules enter on a first-come basis and so take priority over subsequent disagreeing arrivals Pushlogic rules can be model-checked in tens of milliseconds on embedded processors (eventually?).

Dr David Greaves – University of Cambridge Computer Laboratory. Pushlogic Features Every application is encoded as/converted to a list of state transition rules. Rules are re-hydrated to use only static bindings. All constraints on behaviour are converted to safety and liveness forms. Monotonicity requirements on failure or removal A symbolic model checker finds conflicts and satisfaction. All rules are interpreted in Herbrand form so as to tolerate arbitrary state space growth after joining a domain.

Dr David Greaves – University of Cambridge Computer Laboratory. Pushlogic Features 2 A declarative bytecode with runtime system. Various compilers envisaged, one developed so far. Specifies timed automata using idempotent executable rules. Interfaces to streams, sensors, actuators and other Bundles. Supports a dynamic population of devices and scripts. Rules are re-hydrated to use only static bindings. Source code looks like C++/Java. application is encoded as/converted to a list of state transition rules. Automated formal checking (CTL) - At compile time/At load time/(Optionally) at run time

Dr David Greaves – University of Cambridge Computer Laboratory. Mechanism View of Pushlogic All variables can have safe values defined for them. Controlled devices can fail or self-reset to a safe value. Controlling scripts are reversible, so that a failure feeds back to the control source in a defined way. Feedback form is intrinsic or explicit. System behaves like a ‘mechanism’: both the controller and the controlled can push on each other.

Dr David Greaves – University of Cambridge Computer Laboratory. Pushlogic Restrictions All integrators must be inside differentiators: if (x != x_last) { sum := sum + 1; x_last := x } All pointer, arithmetic and time calculations must be reduced to undetermined boolean inputs. Dynamic allocation only performed at bundle load time (SPL1). All assertions are in CTL.

Dr David Greaves – University of Cambridge Computer Laboratory. Object bundle Source Form 1 Compiler 1 Re- Hydration Source Form 1 Source Form 1 Object bundle Object bundle Object bundle Source Form 2 Compiler 2 Source Form 2 Source Form 2 Object bundle Object bundle Re- Hydration Re- Hydration Re- Hydration Bound bundle Bound bundle Bound bundle Bound bundle Execution Platform Execution Platform Execution Platform Compile Time Checker Bundle Checker Load Time Checker (Run Time Checker ) Domain of participation network Device bindings Semantic Web Push Logic Compile/bind/ execute Flow diagram

Dr David Greaves – University of Cambridge Computer Laboratory. Compilation Method Parse input file(s). Break threads into arcs at blocking primitives. Guard each arc by a runtime program counter being set to a label constant and create rules to update the program counters. Repeated symbolic evaluation of arc set until fixed point reached. Perform bundle checks using internal model checker. Generate declarative bytecode bundle, containing a mix of –Executable rules (v:= e, …) –CTL assertions (always, live, until, …).

Dr David Greaves – University of Cambridge Computer Laboratory. Compiler Internal Flow Diagram

Dr David Greaves – University of Cambridge Computer Laboratory. Compile-Time Checks Safe Value Check –There exists a setting of the variables where each is in a safe state and all executable rules hold. Rule Consistency –No two rules will try to set the same variable to different values at any one time. Idempotency Check –No ring of rules exists that causes an observable output to oscillate when rules are obeyed more than once with the same input settings. Push Back Check –For any unilateral change in any output, to any safe value of that output, internal variables or inputs to the bundle can be changed, again to safe values, so that all rules hold User’s Embedded and Imported CTL Expressions –Safety, liveness and until assertions may be embedded in the source. These are checked against a Herbrand-style interpretation of the bundle, so that any number of concurrently loaded bundles are sure to be consistent. Monotonicity Check –Rules cannot cease to hold when an un-associated (separate) bundle or device leaves.

Dr David Greaves – University of Cambridge Computer Laboratory. Also, “Design-Time” Ubi-Comb Components are brought together: –As IP and devices from many suppliers –Meta-info ranging from data-sheets to machine- readable formal specs –Often a rapid time-to-market requirement –Sometimes a live-insertion requirement Examples - Oil Rig or Brewery Plant Control, - Automotive CAN Network - System-On-Chip VLSI - Design of a PDA

Dr David Greaves – University of Cambridge Computer Laboratory. Research Challenges Can embedded RAM afford XML protocols ? Can embedded processors run the model check phase ? How much application code can easily be ported to a formal-proof-amenable form ? –eg. Can we implement a full TiVo PVR ? How to merge domains on the fly ? –eg. Two sets of train carriages become a single train. How to modify conventional APIs to hold less state (eg. Posix Sockets) ?

Dr David Greaves – University of Cambridge Computer Laboratory. Current Status Implemented on top of a distributed tuple space paradigm for distributed computing. Compiler built (10K lines of SML and C++). Runtime system runs on Linux, raw PC motherboards and our Molly cards. Various applications and embedded devices constructed. GUI for interactive monitoring/debugging.

Dr David Greaves – University of Cambridge Computer Laboratory. CD Player – Pebble Decomposition

Dr David Greaves – University of Cambridge Computer Laboratory. CD Player: Tuple Space View

Dr David Greaves – University of Cambridge Computer Laboratory. Heating Controller

Dr David Greaves – University of Cambridge Computer Laboratory. GUI Example

Dr David Greaves – University of Cambridge Computer Laboratory. Clock and DVD Player

Dr David Greaves – University of Cambridge Computer Laboratory. Future Work Re-hydration stage not implemented. Domain checker not implemented. Compilation of bytecode to ROM-able machine code (PIC) and integrate with CAN car node checking project. Some larger examples still need exploration. Talks with industrial collaborators who might use it ? Further HCI and multi-view editing projects.

Dr David Greaves – University of Cambridge Computer Laboratory. The End The Pebbles, AutoHAN and Oxygen O2S Teams