Incremental Queries and Transformations for Engineering Critical Systems

Budapest University of Technology and EconomicsDepartment of Measurement and Information Systems

INCREMENTAL QUERIES AND TRANSFORMATIONS FOR ENGINEERING

CRITICAL SYSTEMS

Ákos Horváth, István Ráth

Budapest University of Technology and EconomicsFault Tolerant Systems Research Group

Outline of the Talk

Model transformations in Critical Systems Engineering

EMF-IncQuery and VIATRA: Incremental Queries and Transformations

Industrial applications• Avionics, automotive, telecom, cloud

Conclusions

Main Contributors o István Rátho Ákos Horvátho Gábor Bergmanno Ábel Hegedüso Zoltán Ujhelyio Dániel Varróo ... and many

more!

MODEL TRANSFORMATIONS IN CRITICAL SYSTEMS ENGINEERING

Development Process for Critical SystemsUnique Development Process

(Traditional V-Model)

Critical Systems Design requires a certification process to develop justified evidence that the system is free of flaws

Software Tool Qualification obtain certification credit for a software tool used in critical system design

Qualified Tool Certified Output

DO-178BIEC 61508

Innovative Tool Better System

Model-Driven Engineering of Critical Systems

Traditional V-Model Model-Driven Engineering

Main ideas of MDE• early validation of system models • automatic source code generation quality++ tools ++ development cost--

• DO-178B/C: Software Considerations in Airborne Systems and Equipment Certification (RTCA, EUROCAE) • Steven P. Miller: Certification Issues in Model Based Development (Rockwell Collins)

Models and Transformations in Critical Systems

System Design Model

Architecture Design Model

Component Design Model

Refine

Refine

Design + V&V Artifacts (Source code, Glue code, Config. Tables, Test Cases, Monitors, Fault Trees, etc.)

Code & TestGeneration

Vertical Model Transform

ations

Component V&V Model

Architecture V&V Model

System V&V Model

Model generation

Back-AnnotationModel generation

Back-AnnotationModel generation

Back-Annotation

Use

Use

Horizontal Model Transformations

Formal methods

Formal methods

Design rules

Design rules

Design rules

End-to-End Traceability

End-to-End Traceability

Model Transformations• knowledge transfer: theoretical resultstools• bridge / integrate existing languages&tools

Related projects• CESAR, SAVI, …• HIDE, DECOS, DIANA, MOGENTES, CERTIMOT,GENESYS, SENSORIA

Open Source Eclipse.org Projects

Incremental query engineo Declarative languageo Incremental, live querieso Highly scalable

Easy integrationo On-the-fly validationo Derived features o Custom viewso Traceability

Model transformation frameworko Event-based + reactive execution

platformo Internal DSL over Xtendo Scalable M2M & M2T

High-level featureso Complex event processingo Design space explorationo Incremental transform.

EMF-IncQuery VIATRA

Official Eclipse member2 Project leads 10 Eclipse committers

Tool integration with: Papyrus UML, Sirius, RMF, Capella, ARTOP, mbeddr

• Declarative graph query language• Transitive closure,

Negative cond., etc.• Compositional, reusable

Definition

• Incremental evaluation• Cache result set• Maintain incrementally

upon model change

Execution

• Derived features,• On-the-fly validation• View generation,

Notifications, Soft links, Databinding,

Features

EMF-IncQuery: An Open Source Eclipse Project

http://eclipse.org/incquery

The IncQuery (IQ) Graph Query Language

IQ: declarative query languageo Attribute constraints o Local + global querieso Compositionality+Reusabilility o Recursion, Negation, o Transitive Closureo Syntax: DATALOG style

pattern routeSensor(sensor: Sensor) = { TrackElement.sensor(switch,sensor); Switch(switch); SwitchPosition. switch(sp, switch); SwitchPosition(sp); Route.switchPosition(route, sp); Route(route); neg find head(route, sensor); }pattern head(R, Sen) = { Route.routeDefinition(R, Sen);}

route: Route sp: SwitchPosition

Switch: Switchsensor: Sensor

switchPosition

switchsensor

routeDefinition

Query(A,B) ∧condi(Ai,Bi) • all tuples of model elements a,b• satisfying the query condition• along the match A=a and B=b• parameters A,B can be input/ output

EMF-INCQUERY Architecture

Transaction

In-memory EMF model

Rete net

Indexer layer

EMF-INCQUERY

Indexing

In-memory storage

Production network• Stores intermediate query results• Propagates changes

Performance of EMF-INCQUERY Incremental graph queries based on Rete Models in the Eclipse Modeling Framework

model size

runtimebatch queries

incremental queries

Exec. time is proportional to the size of the modification.

Largest synthetic model(TrainBenchmark)• 2.8 million nodes • 11.2 million edges• revalidation time: 1 ms

Largest real model(Eclipse 4.0 source code)• 8.6M nodes+26.2M edges• revalidation: <20 ms (except for 1 query)

Motivation: General Tooling Challenges

Interference between functions Commonalities

o Queries, rules, scheduling, conflicts

User interaction

(modify)

SRC TRGBatch/Incremental

transformation

Traceability links

Live validation Live views

Derived features

Reactive Event Driven Transformations

1. First transformation

2. Source model changes

4. Fire rule activations (in relevant context)

SRC1

SRC2

TRG1TRACE1

TRG2TRACE2

3. Detect new activations

Pros:• Source incremental: driven

by changes of query result• Chaining• Avoids continuous comp.Cons:• Language-level restrictions


VIATRA: Reactive

Transformation Engine

Observed events

Controlled events

Actions

What has changed?

When to react?Perform in

consistent state


VIATRA: Reactive

Transformation Engine

Observed events

Controlled events

Actions

• Model modified• Match appeared• Event sequence identified

• „Run” button pushed• Consistent state reached after

editing• Transaction committed

• Modify model• Add error marker• Update view• Send e-mail

VIATRA: Overview of Features• Explore design model

candidates• Satisfying multiple criteria• Rule based exploration• Optimization

Design Space

Exploration

• Detect complex event sequences

• Rule based reaction• Xtext based language

Complex Event

Processing

• Remove sensitive information from confidential models

• Original model Obfuscated model

Model Obfuscato

r

Reactive MT Platformo MT Language:

• Internal DSL over Xtend• Transformation API

o MT Engine:• Event-driven virtual machine• Batch + Incremental MTs• Control flow library• Compiles to Java• Debugger• High performance

o Integrations:• EMF, IncQuery, Xtend,

EMF-UML, …

INDUSTRIAL APPLICATIONS

Relevant application projects

AUTOSAR(ThyssenKrupp Presta, etc.)• Support standard

defined well-formedness rules

• On-the-fly validation

• Scale to large AUTOSAR models

TRANS-IMA (Embraer)• Eclipse based

development tooling

• HW-SW allocation: avionics architecture

• Integration to the distributed Embraer simulator

• (1st time in Europe)

EMDW(Ericsson)• Executable (UML)

modeling• Incremental code

generation to C++• Multiple execution

platform support• Model

interpretation (ELTESoft)

MONDO(EU FP7)• Modeling in the

cloud • Scaling out MDE

technologies• Collaborative

modeling and version control

• Access control• Model obfuscation

AUTOSAR- Early validation of design rulesSystemSignalGroup design rule (from AUTOSAR)

o A SystemSignal and its group must be in the same IPduo Challenge: find violations quickly in large modelso New difficulties• reverse

navigation• complex

manualsolution

AUTOSAR: • standardized SW architecture of the automotive industry• now supported by modern modeling toolsDesign Rule/Well-formedness constraint: • each valid car architecture needs to respect• designers are immediately notified if violatedChallenge: • >500 design rules in AUTOSAR tools• >1 million elements in AUTOSAR models• models constantly evolve by designers

20

TRANS-IMA – HW-SW allocation and simulation

Goal: Allocate SW components to ARINC653 compliant IMA platform

Functional Architecture

Platform description

Component database

Allocation

Integrated System Model




Component database

Allocation


Inputs: • Platform Independent Model (PIM) (functional + nonfunc. reqs; Simulink) • Platform Description Model (PDM) for ARINC 653 (DSML)

Output: • Integrated system model • Ready for simulation

Matlab Simulink• End-to-end traceability

Capture constraints

Explore alternatives

Human decision

Automate consequence

s



Component database

Allocation


Model transformation chains: • Designer-guided manual steps• Automated steps

• Communication channels calculation• Integrated architecture model generation

• Continuous validation of design rules


EMDW – Executable Modeling

Executable UML Modeling:• Class models with state machines• Components for modularization• High-level action language - rAlfTarget• Ericsson core network servers• Optimized C++ and Java source codeChallenges: • >short roundtrip (generate and compile)• >large models (complete 4G radio system)

EMDW – Executable modeling

EMDW-MC

Cpp

EMF-UML

xUML-RT

Cpp

rAlf

C++ source

Editor

Model Execution and Compilation

EMDW-

ME

Platform config

Input: • Papyrus EMF-UML specification

Output: • Optimized C++ and configuration

Transformation: • Complex transformation chain• Incremental execution• Workflow based execution mechanism• Text-to-model transformations

Integration: • One-way incremental synchronization• On-the-fly execution

Model Execution: • Incremental Java generation

Scalable MDE: The MONDO Project

Models and Languages

• Large and heterogeneous

• Construction• Visualization

Queries and Transformations

• Executed over large models

• Incremental• Lazy• Parallel

Collaboration

• Offline (SVN)• Online (Gdocs)• Many

collaborators• Secure access

Persistent Storage

• Efficient• Secure• Interoperability

GOALS: • Scale to model sizes >100M elements

Prototype tools: • open source software• open benchmarks

Academic Partners: • Univ. York (UK) Univ. Autónoma Madrid (ES), ARMINES (FR), BME (HU)

Industrial Partners: • The Open Group (UK), Uninova (PT), Softeam (FR), Soft-Maint (FR), IKERLAN (ES)

MONDO: From EMF-INCQUERY to INCQUERY-D

Transaction

In-memory EMF model

Rete net

Indexer layer

EMF-INCQUERY

Indexing

In-memory storage

Production network• Stores intermediate query results• Propagates changes

Database shard 0

MONDO: INCQUERY-D Architecture

Server 1

Database shard 1

Server 2

Database shard 2

Server 3

Database shard 3

Transaction

Server 0

Rete net

Indexer layer

INCQUERY-D

Distributed query evaluation network

Distributed indexer Model access adapter

Distributed indexing, notification

Distributed persistent storage

Distributed production network• Each intermediate node can be allocated

to a different host• Remote internode communication

MONDO: Collaborative Modeling

View for HW Supplier1

View for SW Provider2

View for SW Provider1

Version Control System1


Acce

ss Co

ntrolWrite-through access control

checked by storage

Write restrictions by property-based locks (at client)

Secured views with filtered and

obfuscated model

CONCLUSIONS

Conclusions• Find design candidates• Rules for operations• Queries for constraints• Hints and guidance• Potentially infinite state

space

Design Space Exploration

• Connect to Matlab Simulink model

• Export: Matlab2EMF• Change model in EMF• Re-import: EMF2Matlab• Library handling

MASSIF: MATLAB-EMF Bridge

• Runtime detection / verification

• Live models (refreshed at very fast rate: 25 frame/sec)

• E.g. gesture recognition, tracking

Complex Event Processing

• Provide simpified graphical views for complex models

• Forward incremental view maintenance

• Chaining of views• Sirius integration

View Maintenance

• Queries for validation• Complex model

transformation chain• Extensibility• Virtual models

(by derived objects)• Soft traceability links

Tools

• Itemis (developer)• Ericsson• Embraer, Thales• CERN, CEA• ThyssenKrupp,• Tools: ARTOP, Capella,

Papyrus, RMF, mbeddr

Known Users

Incremental Queries and Transformations for Engineering Critical Systems

Software

Transcript of Incremental Queries and Transformations for Engineering Critical Systems