Team aoste

Overall Objectives
Scientific Foundations
Application Domains
New Results
Contracts and Grants with Industry
Other Grants and Activities

Section: Scientific Foundations

Keywords : Esterel, SyncCharts, synchronous formalisms, UML.

High-Level Modeling

Participants : Charles André, Julien Boucaron, Robert de Simone, Frédéric Mallet, Jean-Vivien Millo, Marie-Agnès Péraldi, Dumitru Potop, Yves Sorel.

Synchronous formalisms

Historically the so-called synchronous reactive formalisms [29] , [11] were developed, mostly inside French research groups in the 1980's (Esterel, Lustre, Signal was the trilogy), as foundational study of semantically well-founded description languages for real-time embedded software systems. Meanwhile a number of modeling languages were also introduced in this field, aiming more specifically at system simulation with discrete time steps: HDLs for hardware circuits, Statecharts for embedded software modeling, Simulink for signal and image processing and control theory. It should be recognized in our view that synchronous languages brought exactly what these simulation formalisms lack: a clear sense of correct construction properties, under which the instantaneous behavior (the reaction) can always be provably scheduled safely in an intelligible way, and which makes executions deterministic and complete (because all valid scheduling are essentially causally equivalent). With such an assumption there is a guaranteed match between the simulation model and the executable code obtained through the implementation (`` what you simulate is what you execute ''), and this opens the way to many important design activities, such as synthesis, verification, and test generation activities, which are largely banned out of a setting where the simulation model may differ from the actual implementation. Also, the precise scheduling in the case of synchronous formalisms is not required from the designer, it is synthesized from the high-level correctness principles. Examples of such benefits are the clock calculus in Signal, and in our case the constructive semantics of Esterel, and the optimized mapping of application specified with these languages, onto architectural models of SynDEx.

Esterel [13] , [16] was developed jointly at INRIA and École des Mines de Paris, in the Meije research team then headed by Gérard Berry. The language is of imperative nature, with syntactic features for precise description of reactive instants, conceptual parallelism (potential parallelism), signal broadcast and preemption. Its scope is the representation of control-dominated reactive systems as hierarchical automata. Under a strict correctness condition of constructive causality [14] (signal presence values should be determined at any instant before it is tested), it can be given formal interpretation, either in the form of synchronous circuits, or as Mealy finite state machines. These, being classical mathematical models, allow design transformation activities such as optimization and automatic verification based on model-checking, and can produce target C code directly simulating the behavior (of the circuit or the Mealy machine respectively).

SyncCharts were developed inside the Sports project-team at I3S (UNSA-CNRS) [2] , [8] . As opposed to Statecharts (and UML State Machines), their graphical syntax respect a strict state containment hierarchy, and transitions cannot cross a macrostate boundary. But where SyncCharts greatly depart from UML State Machines is on semantics, which can only be asynchronous in UML due to the lack of time modeling, while it is carefully synchronous in our case. The execution semantics of UML State Machines is described in terms of operations of a hypothetical machine that implements a state machine specification. Events are dispatched and processed by the state machine, one at a time . This does not open the possibility to handle simultaneous occurrences of events, which are the rule in synchronous models.

The synchronous semantics of SyncCharts is based on constructive causality issue: in ecah instant a value should be produced prior to being consumed. Constructiveness is in fact a notion first studied by Sharad Malik (Princeton U.). Variants of Esterel borrowing syntax from general-purpose languages such as ECL (Esterel-C language) and Jester (Java-Esterel) were designed inside Cadence Berkely Labs in the context of the Polis codesign/cosimulation project that ultimately led to the VCC product by Cadence. In Germany the synERGY project was conducted at GMD in Axel Poigné's group to build an environment merging features of Esterel, Lustre and Argos (a synchronous variant of StateCharts less expressive as SyncCharts, developed at VERIMAG). Work on foundational semantics of synchronous formalisms were also conducted in Germany (Quartz project of Klaus Schneider at Karlsruhe U.) and in the UK (Michael Mendler and Gerard Lüttgen, Sheffield U.). Work on optimized compilation schemes for Esterel were developed in parallel at France Telecom Grenoble (Etienne Closse, Daniel Weil et al. ), at Synopsys and then Columbia U. (Stephen Edwards), and in the INRIA Tick project (PhD thesis of Dumitru Potop).

Esterel/SyncCharts and Lustre/SCADE are now developed and commercialized in an industrial context by Esterel Technologies, an INRIA spin-off founded partially by former members of the Tick research group (and scientifically headed by Gérard Berry). On the academic side we study new directions for compilation/synthesis, optimization and analysis/verification, based on languages extensions or erstrictions, and heterogeneous embedded compilation targets.

Globally-Asynchronous/Globally-Synchronous (GALS) extensions and latency-Insensitive design

Sometimes, due to system complexity and physical latencies due to long interconnections, the synchronous hypothesis becomes unrealistic for implementation, while remaining a major useful reference specification. The prospect of the latency-insensitive design approach, as pionnered by Luca Carloni et al. , is to start from a synchronous specification, then desynchronize it. This step involves propagating ``absent'' signal values and allowing unbounded buffering for ``in-travel'' communications, and produces a model close to that of Event/Marked graphs in classical Petri Net theory. Third, mandatory latencies are introduced to represent physical constraints (gathered elsewhere); they provide effective bounds for buffering resources, and back-pressure flow-control protocols are to be applied. In essence this amounts to reconstructing a new fully synchronous system, but this time with a new, smaller instant granularity, one that complies with the latency requirements imposed. Each of these steps involve the addition of extra protocol ``wrappers'' around the previously existing components, to allow semantic preservation of behavior in a precisely defined way. These components can themselves be expressed as synchronous processes.

Providing efficient bounds on the size of buffering storage elements required to accomodate the iimposed latencies is an important issue. It amounts to scheduling techniques as found in [17] , [34] , [22] , but their application in the domain of SoC design raises new opportunities in optimization, such as those based on low-power dissipation criteria.

In Latency-Insensitive modeling the handling of absence is explicit (new signals have to be cast to notify it). This is generaly costly at run time, and work on extending the approach to multi-clock systems, where absence is truly dealt with as a primitive notion, are currently under investigation.

UML modeling diagrams for Real-Time Embedded applications

The UML consists of a variety of models (or ``diagrams''), aiming at covering modeling concerns during the whole lifespan of software engineering. Of particular interest to us are some models of structural or behavioral nature, and in the later case state and sequence diagrams. State diagrams may represent components behaviors, in a way inspired from StateCharts. Sequence diagrams represent possible interaction scenarios between components, in a way inspired from Message Sequence Charts.

The only ``semi-formal'' semantics of models is usually given in natural language, with high risks of ambiguity and, even worse, inconsistencies; there is a uniform lack of clear relationship between the various models; currently, sequence diagrams have poor expressiveness. A number of research efforts address this demand for rigourous semantics of the UML models, such as the Precise UML group ( ) or the Neptune (Nice Environment with a Process and Tools Using Norms and Example) project ( ). Umlaut (J-M. Jezequel, INRIA Triskell team) is a UML transformation framework allowing complex manipulations to be applied to a UML model, where manipulations are expressed as algebraic compositions of reified elementary transformations.

The weak expressivity of sequence diagrams as models of interactions is currently tackled by researchers proposing extensions of Message Sequence Charts (MSC) to this end (thus outside the UML standardization community). Work on ``High-Level MSCs'' (for instance in INRIA Triskell and S4 teams) or on ``Live Sequence Charts'' (LSC, by D. Harel and W. Damm) fall into this category. With LSCs one can express possible, but also mandatory or even forbidden interaction scenarios. Prototypical tools at the University of Oldenburg/OFFIS provide semantic interpretation into timed automaton.

While the standard UML is aimed at general-purpose object-oriented software engineering, specific extensions (or ``profiles'') have been proposed to deal specifically with real-time aspects. Just to mention a few such: UML-RT (B. Selic) used in the Rational Rose-RT development environment, RT UML (B. Douglass) used in Rhapsody (I-Logix), and ACCORD/UML (F. Terrier, CEA). UML-RT is based on the first success story of ROOM (Real-time Object-Oriented Modeling), introduced in 1994 by Selic, Gullekson, and Ward, and put on the market by ObjecTime. The RTAD (Real-Time Analysis and Design) working group of the OMG has been especially created to promote real-time issues within the OMG, and to specialize the UML to be suitable for different real-time domains. The newly adopted UML-SPT profile is a first visible result, enabling models that support Scheduling, Performance, and Time evaluation. However, it fulfils different needs than ours (quantitative performance analysis rather than executable specifications). We are taking part in the elaboration of a Request-For-Proposal (RFP) for a new profile in this field, named MARTE (Modeling and Analysis of Real-Time Embedded systems). In this context we shall try if possible to promote models relevant to our goals.

There is a growing interest in integrating synchronous concepts into UML (or UML profiles). The former PAMPA and Ep-Atr teams (IRISA) once proposed the BDL formalism, to study a mixed synchronous-asynchronous semantics. The UML here plays the role of a federator notation. The I3S SPORTS project has adopted another point of view  [4] : the direct use of synchronous (imperative) models. The question is whether these enrichments are ``lightweight'' (stereotypes or tag values) or ``heavyweight'' changes to the UML. Heavyweight here means that synchronous hypotheses are at places incompatible with some basic current assumptions made in UML. A UML state machine, which is a variant of Statecharts, has a queue for incoming events, an event dispatcher that selects and de-queues event instances one at a time, and an event processor which processes dispatched event instances under a run-to-completion scheduling policy. This definitely excludes simultaneous occurrences. Interaction models raise similar difficulties. Introducing our synchronous models to UML (SyncCharts as state-based model, and SIB as interaction model) would need changes at the meta model level.

The new UML2.0standard should improve the ability and utility of the UML with respect to architecture and scalability (through its ``Superstructure'' RFP). In the new version classes can be structured and reuse other classes playing specific `` parts '' roles. Ports are introduced for architectural modeling, as (instantiable) connection points through which part instance export specific services or operations accross the class boundary. Interfaces should be also expanded to allow specification of a required interface (from the distant other end) in addition to the usual notion of (local) offered interface . Moreover, the specification of allowable sets of sequences of service invocations might be specified with ``protocol state machine''. Almost all these new possibilities were present in the ROOM's capsule notion, a major influence. Such a model can play the role of an ADL (Architecture Description Language). Other improvements are related to behavioral models: sequence diagrams might now be broken up into ``interaction fragments'', with nesting capabilities and extended control constructs, making them closer to MSC and LSC. Last but not least, a form of Data Flow Diagrams should be introduced (since activity diagrams address only partially this issue).

To summarize, new UML trends meet our concerns about system architecture, components, and behavior. UML offers rich and standard notations, but lacks semantic rigor at places. This should not hinder our objectives of rigorous system design. Whenever an official model semantics will appear as not defined well enough, we shall feel free to adapt it: strict UML compliance is not our goal !


Logo Inria