Project Summary - Computing and Information Sciences

PROJECT SUMMARY
AO Number: DARPA Order K203
Contract Number: AFRL Contract F33615-00-C-3044
Organization: Kansas State University, Computing and Information Sciences Department
Subcontractors: none
Principal Investigators:

Dwyer, Matthew
dwyer@cis.ksu.edu, (785) 532-6350,
234 Nichols Hall, Computing and Information Sciences Department

Hatcliff, John
hatcliff@cis.ksu.edu, (785) 532-6350,
234 Nichols Hall, Computing and Information Sciences Department

Mizuno, Masaaki
masaaki@cis.ksu.edu, (785) 532-6350,
234 Nichols Hall, Computing and Information Sciences Department

Neilsen, Mitch
neilsen@cis.ksu.edu, (785) 532-6350,
234 Nichols Hall, Computing and Information Sciences Department

Singh, Gurdip
singh@cis.ksu.edu, (785) 532-6350,
234 Nichols Hall, Computing and Information Sciences Department
Financial POC:
McBride, Roger
roger57@ksu.edu
(785) 532-1848
Controller's Office - Sponsored Projects Accounting
Anderson Hall, Room 10
Manhattan, KS 66506-0108
Title of Effort:
Automatic Derivation, Integration and Verification of Synchronization Aspects in Object-Oriented Design Methods
Period of performance: 06/27/00 through 06/26/04
533575253
Approach:
Overview
The project emphasizes techniques and tools for developing high-assurance software by
providing formal specification and analysis of concurrent and distributed systems. The
approach taken does not attempt complete formal specification of a system, as this is
infeasible for realistic systems. Rather, the project focuses on providing developer-friendly
specification, analysis, and code synthesis capabilities for crucial system
aspects such as synchronization, distribution, modal behavior, and scheduling that
often impact overall system design or are difficult to reason about.
Initially, the project focused on developing a framework called SyncGen for high-level
specification of synchronization aspects and automatic synthesis of synchronization
code. Recently, the scope of the project has broadened to include the construction of an
integrated development and analysis environment called Cadena for building high-assurance
real-time systems using the CORBA Component Model (CCM).
Specification, Verification, and Synthesis of Synchronization Aspects
Object-oriented design, modeling, analysis, and coding techniques have been used
successfully to design and maintain large software systems, but multiple shortcomings in
their treatment of synchronization aspects limit their effectiveness in many applications.
The SyncGen effort seeks to overcome those shortcomings by providing techniques,
tools, and methodologies for (a) high-level, formal, modular specification of global,
cross-cutting synchronization aspects, (b) automatic derivation and weaving (i.e., integration)
of correct-by-construction synchronization code into core functional code, and (c)
automated verification of critical safety and liveness properties of woven embedded
code.
The SyncGen effort resulted in a tool that allows developers to avoid coding
synchronization structures and instead focus on development of core functional code.
The approach emphasizes the use of UML's Unified Process to construct core functional
components; synchronization code is not directly constructed. Instead, as an
enhancement to the Unified Process at the level of requirements and use-cases, the
developer identifies regions in the core functional system behavior that should be
synchronized. The synchronization policy for a cluster of regions is specified by
constraining the relationships between the numbers of threads that can simultaneously
occupy the regions.
Given a collection of policies for a cluster of regions, the synchronization aspect code
that enforces those policies is generated completely automatically. Once the development
of core functional code is complete, it is woven with the synchronization aspect code by
an automatic process that inserts calls to the synchronization code at the region
boundaries marked in the code. The generated synchronization code is
correct-by-construction, but additional safety and liveness properties
are verified using software model-checking technology.
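The derivation the paragraph describes, as an added illustration that is not SyncGen's code or output (SyncGen targets Java, C and C++; Python is used here only for brevity): a cluster of regions, a global invariant over the per-region thread counts, and the monitor that enforces it by guarding each region entry with "the invariant still holds after I enter". The region names, the readers/writers policy and the stress workload are constructed for the example.

```python
import threading

class RegionCluster:
    """Monitor for a cluster of regions governed by one global invariant over
    occupancy counts. enter() blocks until the invariant would still hold after the
    region's count is incremented; leave() decrements and wakes every waiter so the
    guards are re-evaluated. Written by hand for this page, not SyncGen output."""
    def __init__(self, regions, invariant):
        self.counts = {r: 0 for r in regions}
        self.invariant = invariant
        self.cond = threading.Condition()

    def _admits(self, region):              # guard: invariant after a hypothetical entry
        trial = dict(self.counts)
        trial[region] += 1
        return self.invariant(trial)

    def enter(self, region):
        with self.cond:
            while not self._admits(region):
                self.cond.wait()
            self.counts[region] += 1

    def leave(self, region):
        with self.cond:
            self.counts[region] -= 1
            self.cond.notify_all()

    def snapshot(self):
        with self.cond:
            return dict(self.counts)

def readers_writers(c):
    # Constructed policy: any number of readers or a single writer, never both.
    return c["write"] <= 1 and (c["read"] == 0 or c["write"] == 0)

def stress(regions, invariant, workers, rounds=200):
    """One thread per entry of `workers` (a region name) loops through enter/leave.
    Returns (invariant violations observed from inside a region, final counts)."""
    cluster, violations = RegionCluster(regions, invariant), []
    def run(region):
        for _ in range(rounds):
            cluster.enter(region)
            if not invariant(cluster.snapshot()):   # checked while occupying the region
                violations.append(region)
            cluster.leave(region)
    threads = [threading.Thread(target=run, args=(r,)) for r in workers]
    for t in threads: t.start()
    for t in threads: t.join()
    return len(violations), cluster.snapshot()
```

Swapping in a different invariant function (for example a bounded-buffer or barrier policy over other region names) changes the policy without touching enter/leave, which is the point of generating the monitor from the invariant.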
This approach is innovative because it allows highly complex code that is often
troublesome to develop and debug to be generated completely automatically from a very
high-level formal specification (usually the specification is one or two lines long). The
specification pattern language is very expressive; this has been demonstrated initially
by solving all the exercises from well-known textbooks on concurrency (Andrews, Hartley)
using it. The approach is very general in that it is language independent: synchronization
code generation support has been developed for Java, C and C++, and for different
synchronization primitives such as general monitors for POSIX pthreads, active monitors,
and controller-area-network (CAN)-based message passing.
Development of High-Assurance Distributed Avionics Applications Using CCM
The practical effectiveness of the above work is being demonstrated by applying it to the
Boeing Bold Stroke Open Experimental Platform (OEP). The Bold Stroke architecture
emphasizes the use of distributed components that communicate via ACE/TAO real-time
CORBA middleware. At present, actual Bold Stroke product-line development does not
include high-level modeling or analysis, and as part of the MoBIES/PCES projects, Bold
Stroke OEP team members have proposed a number of challenge problems related to
modeling, static structural and behavioral analysis, and aspect code synthesis. In an
effort to provide a comprehensive framework for formal high-level specification and
analysis, and for code synthesis from high-level design artifacts, we are building the
CADENA (Component Architecture Development ENvironment for Avionics applications)
tool suite. Cadena is built as a plug-in to IBM's Eclipse IDE and leverages the OpenCCM
open-source Java CCM implementation to obtain an integrated specification, analysis, and
development environment for high-assurance CORBA Component Model applications.
The CORBA 3.0 Interface Definition Language provides a high-level language for
describing CCM component interfaces (including both functional interfaces and event
subscriptions and emissions). Thus, it seems like an ideal focal point for addressing the
lack of high-level design and analysis in current Bold Stroke product-line development.
Cadena allows Bold Stroke OEP component interfaces to be expressed using CORBA
3.0 IDL. These component interface definitions can be annotated with various forms of
specifications, including state-transition semantics and modal behaviors. Graphical,
form-based, and text-based input mechanisms allow developers to easily assemble
systems from components. Cadena provides a number of dependency analyses to
address challenge problems posed by the Bold Stroke OEP team. Model-checking
technology is used to exhaustively explore the possible modal behaviors of constructed
systems. Once systems are configured at the CORBA 3.0 IDL level, Java/CORBA
stub/skeleton code is generated automatically.
The Cadena environment provides a number of capabilities not present in current Bold
Stroke product-line development. At the most basic level, the tool support provided by
Cadena for assembling systems from components is a significant step forward.
Moreover, Cadena's analysis capabilities can significantly reduce design-time effort.
In addition, the automatic component and configuration code generation provided by the
CORBA IDL compilation can result in substantial reductions in developer effort, since
current Bold Stroke development does not leverage component IDL code generation at all (it
only uses the familiar IDL 2 level code generation provided by ACE/TAO). Finally, the
Java code-generation facilities of OpenCCM used in Cadena provide an ideal way to
obtain Java implementations of the Bold Stroke OEP example systems. This is
important because demonstrating the feasibility of (RT) Java for embedded avionics
applications is one of the goals of PCES, and currently there is no other supported effort
to recast the Boeing OEP in Java.
While Cadena is not a production-quality tool, the goal is to use it to demonstrate a
spectrum of capabilities so that Boeing engineers selectively adopt the technologies and
tool components that seem most useful.
FY 02 Accomplishments:

- The foundations of SyncGen were described in a number of papers appearing in
  venues such as the International Conference on Software Engineering,
- The SyncGen tool that automatically generates synchronization implementations from
  high-level pattern-based global invariants was publicly released. The released tool
  focuses on code-level declaration of regions and generation of Java and C
  synchronization implementations. Prototype code generators for C++/POSIX threads
  and CAN message-passing systems were also developed.
- The Cadena specification and development framework, based on OMG's CCM IDL3, was
  developed; it allows Boeing Bold Stroke components and system configurations to be
  specified at a high level. The high-level specifications built in this framework can be
  leveraged in several ways, as described below.
- OpenCCM (an open-source CCM/Java framework) has been integrated into Cadena.
  This enables much of the Java code required for implementing a system to be
  generated automatically using the standardized CCM IDL compilation. As a
  consequence, programmer effort is dramatically reduced, and confidence in the code is
  enhanced since correct code is generated automatically.
- A dependency analysis workbench was developed for Cadena that allows data and
  event dependencies between components to be visualized. Moreover, dependency
  information is used to automatically generate non-functional real-time aspect information
  such as suggestions for component distribution (e.g., highly coupled components should
  appear in the same node in a distribution), execution rates (components that transitively
  depend on a particular time trigger should be run at the same rate), and
  communication optimization (components in the same rate group and distribution unit
  can communicate directly instead of through a full event channel). Each of these
  analysis functions successfully addresses a particular challenge problem posed by the
  Boeing Bold Stroke OEP team.
- A prototype model-checking/simulation tool has been developed that can perform
  exhaustive simulations on state-based Cadena system specifications. This allows
  developers to reason about complex modal behaviors very early in the design process.
  Crucial system invariants and event-sequencing properties can be checked automatically,
  and when a violation is found, the execution trace leading to the violation can
  be visualized. This capability successfully addresses challenge problems related to
  reasoning about modal behaviors posed by the Boeing OEP team.
- Using the Cadena development and analysis capabilities above, a small repository of
  example system components and scenarios (configurations) written in Java was
  developed based on the C++ scenarios provided in the Boeing OEP. This repository is
  being used as the basis of interaction with other members of the PCES project as the
  above tools are integrated with those of other teams.
- A collection of metrics by which the work described above is to be evaluated was
  proposed to the Bold Stroke OEP team.
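The rate-assignment and communication-optimization analyses described in the dependency workbench item above, as an added worked example that is not Cadena's code: a constructed event-connection graph is walked from each timer to find which components transitively depend on it, components reached from a single timer inherit that rate, components reached from several timers are reported for the designer rather than assigned a guessed rate, and connections whose ends share a rate group and a distribution node are listed as candidates for direct calls instead of the event channel. Component names, timer rates and node placement are all assumed values.

```python
from collections import deque
# Constructed example system, not from the page: (publisher, consumer) event
# connections; timers are the only event sources. Rates and node placement are assumed.
CONNECTIONS = [
    ("Timer20Hz", "GPS"), ("GPS", "AirFrame"), ("AirFrame", "NavDisplay"),
    ("AirFrame", "Pilot"), ("Timer5Hz", "Tactical"),
    ("Tactical", "NavSteering"), ("NavSteering", "NavDisplay"),
]
TIMER_RATES = {"Timer20Hz": 20, "Timer5Hz": 5}
NODES = {"Timer20Hz": "A", "GPS": "A", "AirFrame": "A", "Pilot": "B",
         "NavDisplay": "B", "Timer5Hz": "C", "Tactical": "C", "NavSteering": "C"}

def build_graph(connections):
    """Adjacency map: component -> components that consume its events."""
    succ = {}
    for src, dst in connections:
        succ.setdefault(src, []).append(dst)
        succ.setdefault(dst, [])
    return succ

def trigger_closure(succ, timers):
    """For every component, the set of timers it transitively depends on."""
    deps = {c: set() for c in succ}
    for timer in timers:
        queue, seen = deque([timer]), {timer}
        while queue:
            for nxt in succ[queue.popleft()]:
                deps[nxt].add(timer)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return deps

def rate_groups(deps, timer_rates):
    """Components fed by exactly one timer inherit its rate. A component reached
    from several timers is reported rather than guessed: its rate is a design decision."""
    rates, ambiguous = dict(timer_rates), []
    for comp, timers in deps.items():
        if comp in timer_rates:
            continue
        if len(timers) == 1:
            rates[comp] = timer_rates[next(iter(timers))]
        elif timers:
            ambiguous.append(comp)
    return rates, sorted(ambiguous)

def direct_call_candidates(connections, rates, nodes):
    """Connections whose ends share a rate group and a node can bypass the event channel."""
    return [(s, d) for s, d in connections
            if s in rates and d in rates and rates[s] == rates[d]
            and nodes.get(s) == nodes.get(d)]
```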
Specific FY 03 Objectives:

- Perform a second release of the SyncGen tool set that incorporates additional back-end
  code generators based on existing prototypes and a larger examples repository.
- Carry out experiments with Rockwell-Collins Advanced Technology Center in which
  SyncGen is applied to generate synchronization aspect code in avionics systems
  intended for FAA certification. This will allow the effectiveness of SyncGen to be
  evaluated in an industrial setting.
- Integrate FACET (a Java implementation of an aspect-structured real-time event channel
  from Ron Cytron's PCES project at Washington University) into Cadena. Use this
  as the primary experimental platform for the Java version of the Bold Stroke scenarios.
- Integrate a CORBA Avionics Data Service implementation by engineers at Rockwell-Collins
  (ATC) into Cadena to allow experimentation with other forms of component
  communication beyond Bold Stroke's "control-push data-pull" model.
- Refine Cadena's model-checking infrastructure so that medium-size systems of
  hundreds of components can be analyzed for defects in modal-behavior specifications.
- Develop a technical approach for high-level specification of mode-behavior constraints
  that allows automatic generation of component code to implement correct mode
  transitions. Bold Stroke engineers have identified analysis and correct implementation
  of modal behaviors as one of the most challenging aspects of system development.
- Adapt SyncGen's high-level synchronization specifications to capture the synchronization
  patterns that appear in Bold Stroke systems. This will allow the intricate component
  communication code currently used to achieve various forms of synchronization to
  be replaced by code generated automatically from SyncGen's specifications.
- OMG specifications of CCM describe a robust deployment framework for assembling
  and deploying CCM-based systems. Since this specification was only very recently
  finalized, no tool currently implements it. Work with OpenCCM developers to
  incorporate a full deployment framework in Cadena, and enhance this framework to
  support deployment of Bold Stroke OEP systems that conform to the OMG CCM
  deployment format.
- Perform a public release of the Cadena tool set with a large example repository based
  on the examples provided in the Bold Stroke OEP.
- Work with Bold Stroke engineers in multiple evaluations of Cadena in an effort to obtain
  a system that can impact the actual development process.
Technology Transition:
Besides working with Boeing OEP team members, we are actively working with
engineers from Rockwell-Collins Advanced Technology Center on a number of fronts.
The primary goal of the interaction with Rockwell-Collins is to use SyncGen and Cadena to
develop systems that are representative of the types of avionics systems that are part of
the Rockwell-Collins product line. An interesting aspect of working with Rockwell-Collins
is that they work primarily in the civilian avionics sector, so there are a number
of interesting issues related to FAA certification that do not appear in the Bold Stroke
system. Practically speaking, Rockwell-Collins ATC is interested in using a framework
like Cadena enhanced with facilities that support certification-related needs such as
automatic test generation and coverage metrics, object-code-to-source-code-to-requirements
traceability, and greater support for requirements and specifications
management.
Funding Received to Date: $635000
Unexpended Funds: $132512 (as of June 17, 2002)
This is 44% of the FY02 budgeted total. The reason that this is high is that the summer
months billed to faculty were not charged against the project until July/August 2002. In
fact, due to a slight budget cut received in FY02 (with respect to our request) we will not
be able to fund all 4 of our research assistants through the end of September 2002 (only
3 can be funded throughout the remainder of this increment).
Date Unexpended Funds Will Be Depleted: September 30, 2002
Required Funding:
$299670 will fund the project through September 30, 2003
$374587 will fund the project through December 31, 2003
Latest Invoice: (attached – see following pages)
Date Prepared: August 16, 2002