A Domain-Specific Metamodel for Reusable Object-Oriented High-Integrity Components
The 7th OOPSLA Workshop on Domain-Specific Modeling
Montreal, October 21-22, 2007
Matteo Bordin and Tullio Vardanega
University of Padua, Italy
6th Framework Programme (IST-FP6-2004 004033)
Contents
1. The domain
2. Model-driven engineering
3. Constrained object-oriented modeling
4. Implementation technologies
5. Conclusions
OOPSLA DSM Workshop 2007
- 2 / 16 -
The domain
High-Integrity Systems
Reference standards: IEC 880, MIL-STD 882B, Def-Stan 0055, IEC 61508, DO-178B, MISRA
Up to 2/3 of development costs on V&V
The domain
High-integrity systems: a SW perspective
Model-driven engineering (MDE)
• Pros: Abstraction, Automation (correctness by construction)
• Cons: Model-to-executable distance (difficult analysis)
Object orientation
• Pros: Adaptive reuse (and encapsulation, information hiding, …)
• Cons: Predictability, costly/complex run-time
[Figure: positioning chart with axes "MDE" and "Object orientation", placing SCADE, AADL (+ tools), common practice (source-based approaches) and our goal]
Model-Driven Engineering
MDE: a key question
Toward model-based analysis
• What determines the design semantics? Where is it fixed?
• The generated software product must be statically analyzable
• Its run-time behavior must be predictable and conform with the analysis
• Static analysis of the software product should be anticipated by model-based analysis
What “reference universe” informs the metamodel?
• The target programming language?
• The target execution platform?
• An underlying analysis theory?
• The blue sky above?
Model-Driven Engineering
Closing the gap between model and run-time (I)
• Models as blueprints, to permit model-based analysis (timing, safety, security)
• Bottom-up construction: graphical/declarative language, higher-level abstraction, same run-time semantics
[Figure: three layers built bottom-up from the run-time (Ada Kernel, JVM)]
Ravenscar Profile
• Run-time kernel for High-integrity Real-Time Systems
• Warrants static analyzability
• Prescribes run-time semantics
• Identifies run-time metrics
Ravenscar Computational Model
• To render language-neutral the semantics of the Ravenscar profile
RCM Metamodel
• A high-level language to design systems compliant with Ravenscar restrictions by construction
Model-Driven Engineering
Closing the gap between model and run-time (II)
[Figure: the PIM conforms to the RCM Metamodel and is traceable to the Source Code (the PSM, not visible); the other elements are the Ravenscar Computational Model, the Analysis Tool, the Platform specification and the Ravenscar Profile]
• Enable sound/complete model-based analysis
• Models for V&V, not just for design/implementation
Object orientation
Constrained Object-Oriented Modeling
Why object-orientation?
• Adaptive reuse through inheritance and overriding
• Reuse decreases verification costs
• Dispensed with by current industrial practice
Implementation issues
• Dead inherited code
• Larger-sized executables
• More complex traceability
• Advanced compilers address some of these problems (e.g., via ROM-able virtual tables)
Requires dynamic binding (main focus of the talk!)
• No static analysis
• Far too costly path coverage
Object orientation
Dynamic binding: state-of-the-art?
[Class diagram: an object holding a link ptr]
    void m() {
        // a dynamically bound invocation
        this.ptr.p();
    }
Code transformation (compiler tool) so that code analysis tools can be used:
    void m() {
        if (this.ptr instanceof Impl1) {
            // issue a statically bound invocation (not possible in Java)
        } // now evaluate all types...
    }
Full code coverage: O(#dispatching_calls ∙ #types)
Object orientation
The RCM approach: models for V&V
• Core idea: links fixed at model level
• Common in the high-integrity domain (HOOD, HRT-HOOD, AADL, etc.)
• Use the dynamic binding mechanism but permit static analysis
• Execution paths are statically determined
• Model-based analysis instead of code-based analysis
[Object diagram: o1 : MyClass with its link ptr bound to o2 : Impl3]
RCM metamodel
Object-oriented modeling with RCM
Class view
[Class diagram: MyClass with methods m1, m2, m3 and a required link ptr offering p1 and p2]
• m1 invokes ptr.p2()
• m2 invokes ptr.p1() and ptr.p2()
• Enforce design-by-contract
Component view
• Determine possible intra-component paths
RCM metamodel
Object-oriented modeling with RCM (II)
Class view
• m1 invokes ptr.p2()
• m2 invokes ptr.p1() and ptr.p2()
• Enforce constant links:
  • functional dependencies on properties only
  • call setters just once
Object view
[Object diagram: m : MyClass with its link ptr bound to i : Impl1 (dynamic binding!)]
• Statically determine possible inter-component paths
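The constant-link rule is what makes the inter-component paths computable at model level. As an added example (not the authors' tool nor the RCM metamodel implementation), the Python below encodes a hand-made class view and object view mirroring the slides, rejects any link whose setter is called more than once, and resolves the dispatching calls of m : MyClass through its constant link ptr to i : Impl1; the ClassView/ObjectView types and the bind_links/static_path functions are assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class ClassView:   # class view: method -> (link, operation) calls issued through required links
    name: str
    methods: dict[str, list[tuple[str, str]]]

@dataclass
class ObjectView:  # object view: instances, their classes, and the setter calls binding links
    classes: dict[str, ClassView]
    instances: dict[str, str]                 # instance -> class name
    setter_calls: list[tuple[str, str, str]]  # (instance, link, target), in call order

def bind_links(obj: ObjectView) -> dict[tuple[str, str], str]:
    """Enforce constant links: each (instance, link) pair may be set exactly once."""
    links: dict[tuple[str, str], str] = {}
    for inst, link, target in obj.setter_calls:
        if (inst, link) in links:
            raise ValueError(f"link {inst}.{link} set more than once")
        links[(inst, link)] = target
    return links

def violates_constant_links(obj: ObjectView) -> bool:
    """True when some setter is called twice, i.e. a link would be rebound."""
    try:
        bind_links(obj)
    except ValueError:
        return True
    return False

def static_path(obj: ObjectView, inst: str, method: str) -> list[str]:
    """Resolve every dispatching call through the constant links; the path is fixed by the model."""
    links, path = bind_links(obj), []
    def walk(i: str, m: str, active: frozenset) -> None:
        node = f"{i}.{m}"
        if node in active:  # recursion would make the path unbounded
            raise ValueError(f"recursive invocation through {node}")
        path.append(node)
        for link, op in obj.classes[obj.instances[i]].methods.get(m, []):
            if (i, link) not in links:
                raise ValueError(f"unbound link {i}.{link}")
            walk(links[(i, link)], op, active | {node})
    walk(inst, method, frozenset())
    return path

# Constructed model mirroring the slides: m : MyClass, its link ptr set once to i : Impl1.
MODEL = ObjectView(
    classes={"MyClass": ClassView("MyClass", {"m1": [("ptr", "p2")],
                                              "m2": [("ptr", "p1"), ("ptr", "p2")], "m3": []}),
             "Impl1": ClassView("Impl1", {"p1": [], "p2": []})},
    instances={"m": "MyClass", "i": "Impl1"},
    setter_calls=[("m", "ptr", "i")],
)
```

Calling static_path(MODEL, "m", "m2") yields the single path m.m2, i.p1, i.p2 without enumerating every type behind ptr, which is the O(#dispatching_calls ∙ #types) blow-up the code-level transformation incurs.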
RCM metamodel
PIM to PSM in RCM
PIM Object view (with deployment)
[Deployment diagram: m : MyClass and i : Impl1 deployed across Node N1 and Node N2]
PSM Object view (not visible)
• Dynamic binding with statically-fixed execution path(s)
[Figure: client task (m) → stub → Middleware ⇢ Middleware → skeleton → server task (i)]
Implementation
Implementation technologies
Eclipse plug-in
• Metamodeling: EMF
• Model transformations: ATL, MOFscript
• GUI: GMF (class/object diagram, deployment diagram)
Results
Results & Conclusions (I)
Industrial pilot projects by [partner logo] and [partner logo]
• Due for completion and demonstration by December 2007
• Targeting real space-qualified hardware
• With real-life system ambitions and demands!
Model-based analysis
• Needs a suitable underlying computational model
• Fundamental to formally reason about system properties before implementation
• Easier and more solid what-if analysis
• Needs full and accurate modeling of the system (the same philosophy as adopted by SCADE)
• Difficult to map the middleware in the PIM-to-PSM transformation
• Difficult to evaluate sizing requirements
• Permits exploiting a restricted form of dynamic binding
Results
Results & Conclusions (II)
• MDE-enabled object orientation: a première in space software!
• Adaptive reuse: software frameworks are a major advantage
• Predictability: constrained dynamic binding is acceptable
• Certifiable implementation: requires compiler support
Work in progress
• To increase PIM expressive power while preserving RCM compliance
[Figure: timed-out RI (declarative spec.) on i : Impl1. The Client Sporadic Task waits for the Server reply; a Timing event is released by the invocation of the RI; the release event (timeout / server reply) is evaluated, undesired release events are discarded, and the client is released when the timeout expires]
Questions?
Thank you!
Matteo Bordin, [email protected]
www.math.unipd.it/~mbordin
RCM Modeling
Overall Modeling Process
[Figure: Functional spec: classes POS (+ Write, + Read), IComputer (Compute) and GNC (+ Compute, + GNC_Op), with the link Compute : IComputer. Non-functional spec: POS_Component (: POS) with Protected operations Write and Read; GNC_Component (: GNC, holding a : POS link) with Passive operations Write and Compute and a Sporadic operation GNC_Op; instances P : Pos and G : GNC]