1. Automatic Verification of Component-Based Real-Time CORBA Applications Gabor Madl gabe@isis.vanderbilt.edugabe@isis.vanderbilt.edu Sherif Abdelwahed sherif@isis.vanderbilt.edusherif@isis.vanderbilt.edu Gabor Karsai gabor@isis.vanderbilt.edugabor@isis.vanderbilt.edu This work was supported by the NSF ITR Grant CCR-0225610 “Foundations of Hybrid and Embedded Software Systems.”

2. Outline  Challenge problems  Approach  Verification tool chain using GME  Generic timed automata model  Case study: Verification of a Bold Stroke application  Boeing Bold Stroke execution framework  Embedded Systems Modeling Language (ESML)  Transformation of the example application  Verifying timed properties with U PPAAL

3. Challenge problems  Distributed Real-Time Embedded (DRE) systems are traditionally hard to verify  In the Model Integrated Computing approach we create application models using Domain Specific Modeling Languages (DSML)  We verify application models by mapping them to formally defined Models of Computations using well-defined model transformations (e.g. graph transformations) and checking the desired properties in that semantic domain

4. Approach Trace Verification Property Verification Design feedback Design feedback Generator Model Checker Simulator Input Analysis Model Semantic mapping Domain Specific Model Semantic Domain Executable Code

5. Verification tool chain using GME Component-based Modeling Language (ESML) Model Checker Input Domain (Timed Automata) U PPAAL Model Checker We provide a common framework based on the Graph Rewriting and Transformation (GR E AT) tool, which utilizes graph transformations, and the U PPAAL model checker to verify the non-preemptive scheduling of embedded systems

6. Generic timed automata model

7. Case study: Verification of a Bold Stroke application

8. Boeing Bold Stroke Execution Framework  Unsynchronized software timers trigger the periodic processing, event passing is asynchronous  Priority bands are executing same-priority actions  Preemptive scheduling between bands, non- preemptive between actions with the same priority  Priority bands are implemented using 3 threads (Thread-Pool policy for multi-threading)

9. Modeling the Bold Stroke application using the ESML language  ESML is a modeling language for component-based, event-driven systems  It uses the publisher/subscriber communication pattern  The models contain information about priorities, sub-priorities, worst case execution times and deadlines for actions

10. Transformation of the example application Pattern of components Pattern of TA OR decomposition

11. Verifying timed properties with U PPAAL  Deadlock A[] not deadlock  The system is schedulable if all tasks can be executed within their deadlines  Verifying this property does not require additional property checking because the Timeout state deadlocks the model in our design  Additional properties can also be checked because dependencies and dense time information are captured in the network of timed automata

12. Conclusion and future directions  We presented a solution to verify dense timed properties of periodic event-driven systems  The verification process can provide simulation runs and pinpoint components that fail to meet their deadlines  Our close future plans are to formalize the graph transformation as well as the computational model behind Bold Stroke  Modeling preemption while avoiding the state explosion problem is our long-term goal

13. Questions?