Component Composition for Embedded Systems Using Semantic AspectOriented Programming

1
Component Composition for Embedded Systems Using
Semantic Aspect-Oriented Programming

• Martin Rinard
• Laboratory for Computer Science
• Massachusetts Institute of Technology
• F33615-00-C-1692

2
Problem Description

• How can we improve flexibility, reliability, and
  predictability of software for embedded and
  real-time systems?
• Need for better support for distributed
  computations
• Need to easily compose components on different
  platforms
• Need for implementations that survive partial
  failures
• Need for better understanding of distributed
  implementations
• Understand communication patterns and their
  implications
• Support for fault propagation analysis
• Exploit information to transform software
• Lack of real-time support in standard languages
  and systems
• Lack of real-time memory management support in
  Java
• Lack of real-time scheduling support in Java

3
Objective
Technical Approach

• Role Analysis
• Capture changing roles objects play in
  computation
• Points-to relationships determine roles
• Role Specifications
• Programmer supplied
• Dynamically discovered
• Statically verified

• Transformations
• Specialized communication
• Point-to-point
• Targeted multicast
• Request/response
• Preemptively move or replicate objects to close
  windows of vulnerability

• Interaction Analysis
• Match role changes with component movements
• Match publishers and subscribers
• Compute failure propagation information

Support for Distributed Real-Time Systems

• Shared Object Communication
• Shared reference system
• Thread-based failure model

Distributed Interaction System

• Event Notification
• Publish/Subscribe Primitives

• Predictable Memory Management
• Region-Based allocation primitives
• Pointer and escape analysis
• Validates correct region use
• Eliminates dynamic checks
• Role analysis enables safe explicit memory
  deallocation

• Real-Time Scheduling
• Compiler-controlled scheduling
• Preemptive thread scheduling
• Asynchronous event dispatch

Real Time Java
4
System Architecture
Shared Object Space
Shared Event Space
Subscribe
Publish
Distributed RTJ Components
5
Objectives for Distributed Components

• Understand how components interact
• Event notification relationships
• Communication patterns
• Failure propagation
• Replace pub/sub with specialized mechanisms
• Point-to-point communication
• Multicast communication
• Request/response communication
• Preemptively move or replicate objects to close
  windows of vulnerability to failures

6
Technical Approach

• Observations
• Objects play different roles in computation
• Role is conceptually similar to type
• Capture important differences between objects
• Useful constraints associated with roles (cant
  apply stop operation to stationary tank)

Stationary Tank
Moving Tank
Disabled Tank
Roles
7
Technical Approach

• Observations
• Role of object may change during computation
• Even though identity stays the same

Stationary Tank
Moving Tank
Disabled Tank
Roles
Role Transitions
8
Technical Approach

• Observations
• In a standard type system
• Objects type corresponds to its class
• Objects class does not change
• Type system does not capture objects roles

Tank
Class
Stationary Tank
Moving Tank
Disabled Tank
Roles
Role Transitions
9
Technical Approach

• Goal
• Develop a formalism (role types) to capture
  changing roles that objects play in computation
• Statically verify role constraints and
  transitions

Tank
Class
Stationary Tank
Moving Tank
Disabled Tank
Roles
Role Transitions
10
Role Transitions
StationaryTankList
MovingTankList
DisabledTankList
11
Role Transitions
StationaryTankList
MovingTankList
DisabledTankList
12
Role Transitions
StationaryTankList
MovingTankList
DisabledTankList
13
Role Classification

• Relative Classification
• Role determined by data structure membership
• Role changes correspond to movements between data
  structures
• Role depends on points-to relationships
• Content-based Classification
• Role determined by values of objects fields
• Role changes correspond to field assignments
• History-based Classification
• Role determined by operations applied to object
• Role changes correspond to method executions

14
Relative Role View of Objects

• For Each Role
• Set of incoming slots
• Reference that fills each slot (role.field)

Stationary Tank List Node
Stationary Tank
String
Tank Model
next
Integer
Top Speed
item
Current Speed
Moving Tank List Node
Moving Tank
String

• Stationary Tank Role
• One incoming slot
• Filled by Stationary Tank List Node.item Reference

Tank Model
next
Integer
Top Speed
item
Current Speed
Integer

• Moving Tank Role
• One incoming slot
• Filled by Moving Tank List Node.item Reference

15
Role Analysis

• Role information at method boundaries
• Programmer provided or
• Dynamically discovered
• Statically verified using generalized
  interprocedural shape analysis

16
Applications of Roles

• Roles provide object referencing relationships
• Object referencing determines interaction
  patterns
• Interaction analysis leverages roles to
  statically extract interaction patterns
• Match publishers with subscribers
• Match role changes with movements of objects
  between components
• Compute failure propagation information
• Move or replicate objects to eliminate windows of
  failure vulnerability

17
More Benefits of Roles

• Software Engineering Benefits
• Enhanced implementation transparency
• Role constraints safety checks that take
  application semantics into account
• Safe explicit memory deallocation

18
Real-Time Java
19
Real-Time Java Memory Management

• Scoped Memories for Real-Time Memory Management
• Implementation in MIT Flex System
• Pointer and Escape Analysis
• Verifies correct use of scoped memories
• Eliminates dynamic scoped memory checks
• Analysis of Multithreaded Programs (PPoPP 01)
• Computes interactions between threads
• Capture objects accessed by multiple threads
• Incrementalized Analysis (PLDI 01)

20
Real-Time Java Scheduling

• Compiler-controlled scheduling
• Start with lightweight user-level threads package
• Compile scheduling checks into generated code
• Check for
• Asynchronous event dispatch
• Preemptive thread switch
• Result
• Scheduler part of Java Run-Time (at user level)
• Can be partially generated by compiler
• Minimal demands on OS
• Maximum flexibility in implementation

21
Contribution to PCES Goals

• What we provide Automated understanding of
  distributed, embedded, and real-time software
• Analyses
• Pointer and escape analysis
• Role analysis
• Interaction analysis
• Some envisioned uses
• Safe memory management alternatives for Real-Time
  Java
• Verification of safe use of region-based
  allocation
• Roles enable explicit deallocation instead of
  garbage collection
• Interaction analysis
• Understanding and validation of synchronization
  interactions
• Understanding of communication patterns
• Understanding of how failures propagate
• Validations of ABSENCE of interactions
• Transformations
• Specialized, efficient communication
  implementations
• Close windows of failure vulnerability

22
Contribution to Military Applications

• Basic Contribution More Flexible, Reliable,
  Predictable Real-Time, Distributed, and Embedded
  Systems
• Implementation technology to enable use of
  standard, widely used language (Java) in military
  applications
• Compiler-controlled event and thread management
• Memory management algorithms for real-time
  systems
• Analyses and transformations for understanding
  and improving military software systems
• Potential application areas
• Real-time monitoring and control
• Information collection and presentation
• Integrating (distributed) systems of systems

23
Project Tasks and Schedule

• Real-Time Java Implementation
• Scoped Memories (Year 1)
• Thread and Event Scheduling (Year 3)
• Publish/Subscribe Implementation
• Initial prototype (Year 2)
• Final version (Year 4)
• Pointer and Escape Analysis (Year 1)
• Role Analysis
• Initial design and implementation (Year 2.5)
• Final design and implementation (Year 4)
• Interaction Analysis and Transformations
• Failure propagation analysis (Year 3)
• Transformations to close windows of failure
  vulnerability (Year 4)

24
Technical Progress/Accomplishments

• Implementation of Real-Time Java Scoped Memories
• Scoped memory allocation primitives
• Pointer and escape analysis for multithreaded
  programs (PPoPP 01)
• Verify correct use of scoped allocation
• Eliminate dynamic checks
• Incrementalized pointer and escape analysis (PLDI
  01)
• Initial phases of distributed surveillance
  application
• Initial JavaCar prototype 1/6 scale car with
• 233 MHz StrongARM, 32 Mbytes, running Java on
  Linux
• Camera, wireless ethernet, USB, various sensors
• Speed and steering control
• Initial role design, specification language,
  analysis

25
Next Milestones

• Progress in Following Areas
• Publish/Subscribe Design and Implementation
• Realization in Java (Event class)
• Event distribution mechanism
• Shared object space mechanism
• Real-Time Java Threads and Events
• Role Design, Specification, and Analysis
• JavaCar and Surveillance Applications

26
Collaborations

• Washington University
• Real-Time Java Memory Management
• Dynamic Scope Generation (Washington)
• Static Scope Verification (MIT)
• Real-Time Event Service
• Stanford, Kansas State University (Model
  Extraction)
• Purdue, SUNY Oswego, Maryland (RT Java)
• Utah (Analysis for Component Constraints)
• Anyone else with Real-Time Java needs
• We provide prototype open implementation
• We provide analysis prototypes

27
Technology Transfer

• Illustrations of Implementation Techniques for
  Real-Time Java
• Implementation available under GNU GPL
• Anyone can download it, use it, improve it
• http//www.cag.lcs.mit.edu/rinard/pces
• Real-Time Java as Infection Vector
• Integrated pointer and escape analysis
• Correctness tool for region allocation
• Enables stack allocation (reduces memory
  footprint)
• Integrated role discovery and analysis
• Dynamic discovery leads to easy initial
  experience
• Roles become central abstraction for developer
• Roles publish/subscribe system easy,
  effective distribution
• Communication and failure propagation analysis
• Useful transformations
• Dynamic deployment
• Our system serves as prototype
• Illustrates key implementation techniques
• Helps others evaluate suitability for their
  application

28
Program Issues
29
Objectives Technical Approach

• System Architecture
• Distributed Object-Oriented Programming
• Java shared object space
• Dynamically deployed components
• Publish/subscribe event model
• Powerful event mechanism
• Open, extensible system
• Communication via shared objects

• Object Relationship Analysis
• Goal Match Object and Computation Lifetimes
• Pointer and escape analysis for multithreaded
  programs
• Goal Capture and exploit changing roles objects
  play
• Roles change as objects move between data
  structures
• Points-to relationships determine roles
• Role specifications at method boundaries
• Supplied by programmer or dynamically discovered
• Statically verified by role analysis
• Program analysis system statically knows all
  object references

• Real-Time Java
• Region-based object allocation
• Compiler-controlled scheduling
• Compile scheduling checks into generated code,
  check for
• Asynchronous event dispatch
• Preemptive thread scheduling
• Priority ceiling and inheritance for monitors

• Interaction Analysis
• Characterizes interactions between components
• Uses roles to extract detailed object usage
  information
• Matches role changes and movements between
  components
• Matches publishers and subscribers
• Matches roles with object usage patterns
  (migrating, inherited, shared, private objects)
• Extracts failure propagation information

• Transformations
• Replace general publish/subscribe mechanism with
• Point-to-point communication (when appropriate)
• Controlled multicast (when appropriate)
• Request/response (when appropriate)
• Preemptively move or replicate objects to close
  failure vulnerability windows

30
Example Roles
Stationary Tank List Node
Tank Object
String
Tank Model
next
Integer
Top Speed
item
Current Speed
31
Moving Tank List Node
Tank Object
String
Tank Model
next
Integer
Top Speed
item
Current Speed
Integer
32
Standard View of Object
Incoming References
Outgoing References
Tank Object
String
Tank Model

Integer
Top Speed

Current Speed

Integer
Fields
33
Incrementalized Analysis
Big Program
34
Incrementalized Analysis
Object Allocation Sites to Capture
35
Incrementalized Analysis
Standard Approach Analyze Entire Program
36
Incrementalized Analysis
Our Approach Incrementally Analyze Region
Surrounding Each Allocation Site
37
Incrementalized Analysis
Our Approach Incrementally Analyze Region
Surrounding Each Allocation Site
38
Incrementalized Analysis
Our Approach Incrementally Analyze Region
Surrounding Each Allocation Site
39
Incrementalized Analysis

• Key Question Where to invest analysis resources?
• Obtain estimates of
• Payoff of capturing allocation site
• Likelihood of capturing site
• If can capture site, cost of the capture
• As invest resources in site, improve estimates
• Invest resources in site with (current) best
  estimated return on invested resources
• Results show can obtain almost all benefit of
  whole-program analysis at fraction of cost (PLDI
  01)