1. Abstract of the scientific program
Cyber-Physical Systems (CPS) and the connected Internet of Things (IoT) are inherently heterogeneous systems, with (“cyber”) computer digital parts interacting with their physical sensible environment. Thus, design of such systems as a whole requires a diversity of models, and the behavior orchestration between such models must be carefully defined and analyzed. FM4CPS will address several facets of Formal Model-Driven Engineering for Cyber-Physical Systems (and their relevance in Internet of Things). The design of such large heterogeneous systems calls for hybrid modeling, combining formal Models of Computation, drawn from Concurrency Theory for the “cyber” discrete processors, timed extension and continuous behaviors for physical environments, requirement models and user constraints extended to non-functional aspects, new challenges for designing and analyzing large and highly dynamic communicating software entities.
Orchestration and comparison of models, with their expressive power vs. their decidable aspects, shall be considered with the point of view of hybrid/heterogeneous modeling here. Main aspects are the various timing or quantitative structure extensions relying for instance on a hybrid logical clock model for the orchestration of underlying components. The associated team aims at various level of research, from formal models, semantics, or complexity, to experimental tools development. This will start for example on one side with building a formal orchestration model for CPSs, based on an hybrid clock model that combine discrete and physical time, synchronous and asynchronous computations or communications. Another goal will be the study of expressiveness and decidability for CPS, based on dedicated sub-families of well-structured push-down systems, addressing both unbounded communication and time-sensitive models. Formal and compositional reasoning on Internet of Things (IoT) connected objects, which bear strong connection with CPS, will complete our research areas.
Beyond their own expertise in this field, the partners will build on the results of previous cooperation in the context of the Liama projects Hades and Tempo, and the associated team DAESD. The current proposal widely broadens the domain of collaboration, and with the inclusion, for the first time, of Jiao Tong University. We expect this is the first step towards the extension of LIAMA in Shanghai with the strengthening of the involvement of E.C.N.U., and the contribution of new top notch universities such as Jiaotong University in Shanghai.
2. Annual report 2015
2.1. Scientific progress – 2015
We have proposed a new language (BCool) for the orchestration of heterogeneous Models of Computation. Individual models are abstracted away by its behavioral language interface, i.e., a set of logical clocks that serve both as observation points and activation. The CCSL formalism was used to describe causalities and synchronizations between these logical clocks, specifying the desired orchestration. BCool decides which CCSL constraint should then be applied, and when. This work was presented at the international conference MoDELS 2015 [1]. The tool development aspects have also been presented in a separate demo session.
To better address the aspects of physical uncertainties in CPS, we have proposed an extension of CCSL with stochastic constructs [2]. Having a stochastic characterization is a way to help specify non-deterministic constraints from the environment in a quantitative way.
The OMG UML profile MARTE can use CCSL constraints to specify the orchestration of distinct UML models: UML State Machines, UML Activities, MARTE Time model of logical clocks. The relevance of MARTE (with and beyond CCSL) to model CyberPhysical Systems has been addressed in an article, included as chapter of a book [3] put up by partners of the International Lab led by ECNU.
We published a journal article that summarizes the different forms of correctness issues that may arise with CCSL, given its expressiveness, and how they can be dealt with [4]. Links to Petri Nets, Buchi automata and Esterel specifications were also expressed (as part of an on-going work). An encoding of a CCSL fragment in MAUDE, discussing decidability issues for schedule periodicity, is under completion [5].
The Chinese partners have used CCSL and the MARTE Time model to specify a realistic Interactive Telemedicine System [10]. Work was also conducted on the denotational semantics of SystemC and related formalisms, using UTP as interpretation domain, and the algebraic axiomatization of the corresponding program equivalence; this work considers in particular the two-dimensional shape of time in this language, with instantaneous causality needed for event-driven simulation encoded as delta-cycles [11].
Vania Joloboff, Frederic Mallet and an ECNU student, Daian Yue have started to work on a new run time verification approach. Simulators generate traces that can be used to verify that the required properties of the system are not violated. There exist assertion languages like PSL that may be used to verify required properties during the simulation session. This requires however that the properties to verify are known at compile time of the simulator. It is the case for a number of properties, but it is also the case that many properties are actually unknown when the simulator models are coded! In most cases, during system design the simulation fails: the engineers then investigate the cause of the failure. A widely used technique for that consists in storing all of the trace data of simulation sessions into trace files, which are analyzed later with specialized trace analyzer tools. An issue then is that the trace files become huge, possibly hundreds of Gigabytes as all data are stored into the trace files. The engineers after iterative refinement steps, which are very time consuming, eventually identify the cause(s) of the failures, most often some unforeseen causality chain of events and state transitions that lead to a failure state. Then a new required property is identified, it can be expressed and the simulator recompiled to check the new property.
We have been investigating a technique for trace analysis with a language and a compiler based on CCSL for discovering properties without recompiling the simulator although we expect the trace files size to be an order of magnitude smaller. The idea is that a new tool is being designed as a domain specific language (using the Eclipse Modeling Framework). The tool should allow users to define a mapping model from the local simulation events to a logical clock format as well as a user friendly property specification language. The property specification language is translated into CCSL formulas, which in turn generate automata. The mapping library is dynamically loaded by the simulator and generates input for the automata. The verification of the properties can be dynamically, with a true runtime verification, or statically by analyzing the (much smaller) trace files.
This year we have designed the architecture described above and carried some experimental work, but the implementation still remains to be done. There also remain some theoretical issues with regards to which properties can be effectively verified.
With Pr Mingsong Chen from ECNU, we have started to investigate parallel SystemC simulation for simulation of many-cores platforms. The idea is to run in parallel the simulation of each individual core, although the peripherals and the main model remain in the SystemC sequential scheduling. We have reached some results, but there are still pending issues to resolve regarding clock synchronization of the individual cores…
With Pr Min Zhang from ECNU, we have done some theoretical developments on the properties of the low level behavioral model called “parameterized networks of synchronized automata (pNets)”, and published these at PDP’2015. This work shows how pNets can be used for encoding many concepts of distributed systems, both synchronous or asynchronous, and how the properties of a specific bisimulation equivalence justifies the usage of pNets as a compositional approach in our verification platform. With Pr Huibiao Zhu, and with Siqi Li, we also started studying a UTP-based denotational semantics for pNets.
With Pr Min Zhang, we started to work on a direct and symbolic semantics for “open pNets”, aiming at a behavioral semantics and a proof methodology for open systems, like process expressions, or program skeletons. Preliminary results were presented in a workshop in Shanghai in July, and a master internship is ongoing on this subject.
2.2. Next year’s work program
Most of the topics described in the proposal technical annex, and partially addressed during the first year, are still ongoing activities. They concern mostly the issues of formal modeling of CPS using the relevant specification formalisms, so that stringent features can be considered, sound semantic interpretations defined, leading to effective and efficient verification with existing or new tools. Several short-time research directions can be mentioned here:
- Extension of the CCSL formalism with priority and preemption notions; in a possibly asynchronous (or multiform time) environment, this may require to introduce a dual clock feature (clock_enabled, clock_disabled) to specify mathematically their relation with the actual clock_event.
- Extension of CCSL with probabilistic features; one of the weak points of stochastic models is that they require statistical event occurrences to follow precise probabilistic laws, while the synchronization and causality imposed in the system by clock/event constraints such as specified in CCSL actually disrespect these regular laws. As in the case of “schedulability by model-checking”, similarities and dissimilarities with Stochastic Timed Automa should be considered here (where they name “clocks” what we would call stopwatches).
- The PhD thesis of Vincent Zhao should start in January 2016. This PhD is related to the activity with Esterel Technologies. The goal of the PhD is to make a bridge between system models, i.e., a set of components whose interaction semantics is usually informal, and the actual (heterogeneous) components that satisfy some known properties. By leveraging some of properties obtained on the component level, we hope to be able to conduct some execution, validation and verification activities at the system level. We also want to offer mechanisms to help the integration: verify that components satisfy system requirements, allow substitution of components and exploration of alternative costs with regards both of their functional or non-functional properties.
- Deeper connections between CCSL and UTP, as both are used to provide deeper and more precise semantic meaning to CPS timed formalisms.
- The study of new symbolic models based on open parameterized networks of synchronized automata (open pNets) will continue, using several directions: on one side, we want to extend our current work on behavioral equivalences, studying fundamental properties of various species of bisimulation, but also relating these with denotational and algebraic semantics, using a UTP approach. On the other side, we aim at experimental validation of the approach, and this requires the implementation of tools handling the model generation and the bisimulation; this will be used on non-trivial use-cases taken from existing bibliography. These activities will be strengthened by researcher visits on both sides, by Eric Madelaine at ECNU in July, and by Min Zhang and/or Huibiao Zhu in Sophia-Antipolis. Several internship subjects will also be proposed, and may lead to a PhD proposal later in the year.
In addition to these topics, new research directions were put up at the Rennes Workshop meeting, where a number of permanent staff from both sides were gathered in the same place and time. Some are linked to the extraction, execution and analysis of traces, considered as abstract behaviors at model level, and then leading to test suite for verification analysis at code level; in particular the joint use of symbolic execution and model-checking for the proper extraction of traces and tests was proposed as new direction topic
3. Annual report 2016
3.1. Scientific progress – 2016
3.2.Next year’s work program
4.Annual report 2017
4.1.Scientific progress – 2017
a) Analysis and Verification: expressively, CCSL goes beyond the range of automatic verification techniques. Still, the existing interpretation in terms of communicating counter automata shows that combination of simple integer arithmetic and Boolean equations are most often sufficient to solve practical problems. This raised the question of connection with SMT solvers (which combine Boolean satisfiability with equational theories) is thus a natural one, and is the subject of progressive evaluation: defining proper subsets of CCSL, matching theories, etc. This line of research is mainly conducted by Frédéric Mallet and Min Zhang, on both sides of the team association. The topic was further debated during the specific FM4CPS workshop held prior to TASE 2017.
b) extension to stochastic and probabilistic frameworks: CCSL is modtsly concerned originally with deterministic discrete logical clocks, althoug many of its basic definitions could be applied more broadly. The extension to stochastic and probabilistic models can be considered in two ways: first, making the ocurrences of clock ticks subject to uncertainty; second, handle stochastic continuous (Markov chain) processes, and try to extract the logical clocks that may integrate these probabilities of tick occurrences to a discrete logical clock with explicit significance (like Worst-Case Reacton Time). We mainly followed the first direction, in joint work between Dehui Du and Frédéric Mallet. In the course of the long-term visit by Dongdong AN to Inria Sophia as part of a Chinese PhD exchange program, we are considering the second direction and their interactions.
Recent Comments