Presentation is loading. Please wait.

Presentation is loading. Please wait.

John D. McGregor Session 8 Evaluating Architectures written in AADL

Published byWidyawati Darmadi Modified over 5 years ago

Similar presentations

Presentation on theme: "John D. McGregor Session 8 Evaluating Architectures written in AADL"— Presentation transcript:

1 John D. McGregor Session 8 Evaluating Architectures written in AADL
CPSC 873 John D. McGregor Session 8 Evaluating Architectures written in AADL

2 Important elements in an architecture
Clear definitions of components – assume/guarantee Who is connected to whom - structure What properties does a component have - definitions What are the values of those properties – metrics for measuring

3 Techniques to be used with AADL
Manual Inspection AGREE queries Resolute claims Automated analyses of properties

4 Test within constraints
assume "seconds_to_cook is greater than or equal to zero" : seconds_to_cook >= 0; guarantee "The range of the cooking_mode variable shall be [1..3]" : true ; guarantee "The microwave shall be in cooking mode only when the door is closed." : true;

5 annex agree {. eq is_cooking : bool = defs
annex agree {** eq is_cooking : bool = defs.is_cooking(cooking_mode); eq is_setup : bool = defs.is_setup(cooking_mode); eq is_suspended : bool = defs.is_suspended(cooking_mode); eq is_running : bool = defs.is_running(cooking_mode); assume "seconds_to_cook is greater than or equal to zero" : seconds_to_cook >= 0; guarantee "The range of the cooking_mode variable shall be [1..3]" : true ;

6 Check boundary conditions
annex agree {** guarantee "targetSpeed>=0" : targetSpeed >= 0 ; guarantee "actualSpeed>=0" : actualSpeed >= 0 ; guarantee "actualSpeed<=targetSpeed" : actualSpeed <= targetSpeed ; guarantee "gapLimit>0" : gapLimit > 0 ; guarantee "gap>0" : gap > 0 ; guarantee "gap<=gapLimit" : gap<=gapLimit; **};

7 Reachability check_mils_partitions_connections (s : system) <= ** "Check that connected partitions in " s " share the same security level" ** forall (p1 : process) (p2 : process) (c : connection) (vp1 : virtual_processor) (vp2 : virtual_processor) . (connected (p1, c, p2)) and (processor_bound (p1, vp1)) and (processor_bound (p2, vp2)) => property (vp1, SEI::SecurityLevel) = property (vp2, SEI::SecurityLevel)

8 WeightBudget Property exists
AllHaveWeightBudgets(self : component) <= ** "Component " self " shall have a weight budget" ** HasWeightBudget(self) and forall (c: subcomponents(self)). AllHaveWeightBudgets(c) HasWeightBudget(t : component) : bool = not(has_property(t,SEI::GrossWeight)) => fail ** t " has no weight" **

9 Test using java methods
method ElectricalPowerSelfSufficiency: "Verify that a component is electrical power self sufficient" [ Java vmlibrary.AircraftConsistency.electricalPowerSelfSufficiency description "Verify that a component takes care of its own electrical power." ]

10 xTend class definition
def boolean electricalPowerSelfSufficiency(ComponentInstance ci) { val fil = ci.featureInstances for (fi : fil) { return fi.getPowerBudget( 0.0) != 0.0 || fi.getPowerSupply(0.0) != 0.0 }

11 Safe composition Ports Errors In/out pairs match
For each error ontology hierarchy Errors in that hierarchy are either Handled in ccomponent Propagated to component that accepts that type of propagation

12 State machines Error model, behavior model, modes N-way switch cover

13 ATM

14 Propagation Transition: trigger/guard/action
Action: message from one object to another

15 Error propagation

16 Completely bound system
system DemoSystem end DemoSystem ; system implementation DemoSystem.impl subcomponents clientProcessor1 : processor platform::DefaultProcessor.impl ; clientProcess1 : process Client::DefaultClientProcess.impl ; --clientMemory1 : memory platform::DefaultMemory.impl ; clientBus1 : bus platform::DefaultBus.impl ; serverProcessor1 : processor platform::DefaultProcessor.impl ; serverProcess1 : process ServerType::DefaultServerProcess.impl ; --serverMemory1 : memory platform::DefaultMemory.impl ; serverBus1 : bus platform::DefaultBus.impl ;

17 Completely bound system
connections connection1 : port clientProcess1.get -> serverProcess1.put ; connection2 : port serverProcess1.get -> clientProcess1.put; connection3 : bus access clientBus1 <-> clientProcessor1.busAcc; --connection4 : bus access clientBus1 <-> --clientMemory1.busAcc;

18 Completely bound system
properties --Actual_Memory_Binding => (reference (clientMemory1 )) --applies to clientProcess1 ; Actual_Processor_Binding => (reference (clientProcessor1)) applies to clientProcess1.clientThread ; ------ --Actual_Memory_Binding => (reference (serverMemory1)) --applies to serverProcess1 ; Actual_Processor_Binding => (reference (serverProcessor1)) applies to serverProcess1.serverThread ;

19 ServerType package ServerType public with types; subprogram processData features inputData: in parameter types::item; outputData: out parameter types::item; end processData; thread interactWithClient receiveRequest: in event data port types::item; sendToClient:out event data port types::item; end interactWithClient; thread implementation interactWithClient.basic calls C: { produce : subprogram processData; }; connections c1: parameter receiveRequest->produce.inputData;

20 ServerType - 2 c2: parameter produce.outputData->sendToClient; properties Period => 120ms; Compute_Execution_Time => 30ms .. 40ms; Dispatch_Protocol => Periodic; -- annex behavior {** -- compute(5ms); -- compute(10ms); -- compute(15ms); -- raise(sendToClient); -- **}; end interactWithClient.basic; process DefaultServerProcess features put: in event data port types::item; get: out event data port types::item; end DefaultServerProcess; process implementation DefaultServerProcess.impl subcomponents serverThread : thread ServerType::interactWithClient.basic ; connections connection : port put -> serverThread.receiveRequest ; connection1 : port serverThread.sendToClient -> get; end DefaultServerProcess.impl ; end ServerType;

21 Client-1 package Client public with Thread_Properties; with types; subprogram produceData features inputData: in parameter types::item; outputData: out parameter types::item; end produceData; thread interactWithServer receiveData: in event data port types::item; requestData:out event data port types::item; end interactWithServer; thread implementation interactWithServer.basic calls C: { produce : subprogram produceData; }; connections c1: parameter receiveData->produce.inputData;

22 Client - 2 c2: parameter produce.outputData->requestData; properties Period => 120ms; Compute_Execution_Time => 30ms .. 40ms; Dispatch_Protocol => Periodic; -- annex behavior {** -- compute(5ms); -- compute(10ms); -- compute(15ms); -- raise(requestData); -- **}; end interactWithServer.basic; process DefaultClientProcess features put: in event data port types::item; get: out event data port types::item; end DefaultClientProcess ; process implementation DefaultClientProcess.impl subcomponents clientThread : thread Client::interactWithServer.basic ; connections connection : port put -> clientThread.receiveData ; connection1 : port clientThread.requestData -> get; end DefaultClientProcess.impl ; end Client;

23 Types package types public data item end item; data implementation item.impl end item.impl; end types;

24 Platform package platform public -- Description of the memory onto which the process is bound memory DefaultMemory features busAcc: requires bus access DefaultBus.impl; end DefaultMemory; memory implementation DefaultMemory.impl end DefaultMemory.impl; -- Description of the bus onto which connections are bound bus DefaultBus end DefaultBus; bus implementation DefaultBus.impl end DefaultBus.impl ;

25 -- Description of a processor to execute the threads processor DefaultProcessor features busAcc : requires bus access DefaultBus.impl ; end DefaultProcessor ; processor implementation DefaultProcessor.impl subcomponents mem : memory DefaultMemory.impl ; properties Scheduling_Protocol => ( RMS ); end DefaultProcessor.impl ; end platform;

26 Petri net for client/server

27

28 coverage criteria The values in the program variables determine what state the product instance is in and what structures are accessible Every end to end flow (nominal or error) Covered in every state in which it is “alive” Must select test data that exercises each of those states

29 But … The model is not what gets delivered
Need to automatically generate the code from the verified models in order to ensure correctness Ocarina …

Download ppt "John D. McGregor Session 8 Evaluating Architectures written in AADL"

Similar presentations

Construction process lasts until coding and testing is completed consists of design and implementation reasons for this phase –analysis model is not sufficiently.

Construction process lasts until coding and testing is completed consists of design and implementation reasons for this phase –analysis model is not sufficiently.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
CPSC 875 John D. McGregor Scheduling Threads. Real-time scheduling When there are more threads than processors scheduling becomes necessary. When there.

CPSC 875 John D. McGregor Scheduling Threads. Real-time scheduling When there are more threads than processors scheduling becomes necessary. When there.
Architecture Modeling and Analysis for Embedded Systems Oleg Sokolsky CIS700 Fall 2005.

Architecture Modeling and Analysis for Embedded Systems Oleg Sokolsky CIS700 Fall 2005.
Component Symbols process Thread Auto-sized with text label Processor Memory System data Device bus Threadgroup subprogram.

Component Symbols process Thread Auto-sized with text label Processor Memory System data Device bus Threadgroup subprogram.
A case study System to Software Integrity Matteo Bordin Jérôme Hugues Cyrille Comar, Ed Falis, Franco Gasperoni, Yannick Moy, Elie Richa.

A case study System to Software Integrity Matteo Bordin Jérôme Hugues Cyrille Comar, Ed Falis, Franco Gasperoni, Yannick Moy, Elie Richa.
Examining the Code [Reading assignment: Chapter 6, pp. 91-104]

Examining the Code [Reading assignment: Chapter 6, pp ]
January 27, 2002 ECEN5033 University of Colorado -- Class Testing 1 Specifying interactions Remainder of slides assume Operations defined by a class are.

January 27, 2002 ECEN5033 University of Colorado -- Class Testing 1 Specifying interactions Remainder of slides assume Operations defined by a class are.
Structural Coverage Verilog code is available to help generate tests o Code can be analyzed statically and/or simulated Easier to detect “additive” design.

Structural Coverage Verilog code is available to help generate tests o Code can be analyzed statically and/or simulated Easier to detect “additive” design.
Object-Oriented Software Testing. C-S 5462 Object-Oriented Software Testing Research confirms that testing methods proposed for procedural approach are.

Object-Oriented Software Testing. C-S 5462 Object-Oriented Software Testing Research confirms that testing methods proposed for procedural approach are.
Christopher Gill and Nanbor Wang Department of Computer Science and Engineering Washington University, St. Louis Monday May.

Christopher Gill and Nanbor Wang Department of Computer Science and Engineering Washington University, St. Louis Monday May.
John D. McGregor Module 3 Session 2 AADL

John D. McGregor Module 3 Session 2 AADL
Using AADL to Model a Protodol Stack Didier Delanote, Stefan Van Baelen, Wouter Joosen and Yolande Berbers Katholieke Universiteit Leuven.

Using AADL to Model a Protodol Stack Didier Delanote, Stefan Van Baelen, Wouter Joosen and Yolande Berbers Katholieke Universiteit Leuven.
© Copyright 2014 Rockwell Collins, Inc. All rights reserved. Resolute: An Assurance Case Language for Architecture Models Andrew Gacek, John Backes, Darren.

© Copyright 2014 Rockwell Collins, Inc. All rights reserved. Resolute: An Assurance Case Language for Architecture Models Andrew Gacek, John Backes, Darren.
Chapter 14 System Testing.

Chapter 14 System Testing.
CPSC 875 John D. McGregor C10 – Physical architecture.

CPSC 875 John D. McGregor C10 – Physical architecture.
John D. McGregor Session 2 Preparing for Requirements V & V

John D. McGregor Session 2 Preparing for Requirements V & V
SIGAda, Atlanta, nov’05 1/20 Scheduling and Memory requirements analysis with AADL F. Singhoff, J. Legrand, L. Nana, L. Marcé University of Brest, France.

SIGAda, Atlanta, nov’05 1/20 Scheduling and Memory requirements analysis with AADL F. Singhoff, J. Legrand, L. Nana, L. Marcé University of Brest, France.
Java Security Model For Mobile Code Abdo Achkar. Mobile Code A mobile object is a “self contained piece” of executable code. Definition:  Code that can.

Java Security Model For Mobile Code Abdo Achkar. Mobile Code A mobile object is a “self contained piece” of executable code. Definition:  Code that can.
CPSC 871 John D. McGregor Module 7 Session 1 More UML.

CPSC 871 John D. McGregor Module 7 Session 1 More UML.

Similar presentations

Ads by Google