Erwan Jahier

Virtual execution of AADL models via a translation into synchronous programs

Architecture description languages are used to describe both the hardware and software architecture of an application, at system-level. The basic software components are intended to be developed independently, and then deployed on the described architecture. This separate development of the architecture and of the software raises the problem of early validation of the integrated system. In this paper, we propose to solve this problem by translating the architecture into an executable model, which can be simulated and validated together with the software components. More specifically, we consider the case where the architecture is described in the AADL language, and the software components are developed in some synchronous language like Scade or Lustre. We show how the architecture can be automatically translated into a non-deterministic synchronous model, to which the actual software component can be integrated. The result is an executable integrated synchronous model, which can be validated with tools available for synchronous programs. The approach is illustrated on an industrial case study extracted from an actual spatial system.

Case studies with Lurette V2

Lurette is an automated testing tool dedicated to reactive programs. The test process is automated at two levels: given a formal description of the System Under Test (SUT) environment, Lurette generates realistic input sequences; and, given a formal description of expected properties, Lurette performs the test results analysis. Lurette has been re-implemented from scratch. In this new version, the main novelty lies in the way the SUT environment is described. This is done by means of a new language called Lucky, dedicated to the programming of probabilistic reactive systems. This article recalls the principles of Lurette, briefly presents the Lucky language, and describes some case studies from the IST project Safeair II. The objective is to illustrate the usefulness of Lurette on real case studies, and the expressiveness of Lucky in accurately describing SUT environments. We show in particular how Lurette can be used to test a typical fault-tolerant system; we also present case studies conducted with Hispano-Suiza and Renault.

Lutin: A Language for Specifying and Executing Reactive Scenarios

This paper presents the language Lutin and its operational semantics. This language specifically targets the domain of reactive systems, where an execution is a (virtually) infinite sequence of input/output reactions. More precisely, it is dedicated to the description and the execution of constrained random scenarios. Its first use is for test sequence specification and generation. It can also be useful for early simulation of huge systems, where Lutin programs can be used to describe and simulate modules that are not yet fully developed. Basic statements are input/output relations expressing constraints on a single reaction. Those constraints are then combined to describe non deterministic sequences of reactions. The language constructs are inspired by regular expressions and process algebra (sequence, choice, loop, concurrency). Moreover, the set of statements can be enriched with user-defined operators. A notion of stochastic directives is also provided in order to finely influence the selection of a particular class of scenarios.

Describing and Executing Random Reactive Systems

We present an operational model for describing random reactive systems. Some models have already been proposed for this purpose, but they generally aim at performing global reasoning on systems, such as stochastic analysis, or formal proofs. Our goal is somehow less ambitious, since we are rather interested in executing such models, for testing or prototyping. But on the other hand, the proposed model is not restricted by decidability issues. Therefore it can be more expressive: in particular, our model is not restricted to finite-state descriptions. The proposed model is rather general: systems are described as implicit state/transition machines, possibly infinite, where probabilities are expressed by means of relative weights. The model itself is more an abstract machine than a programming language. The idea is then to propose high level, user-friendly languages that can be compiled into the model. We present such a language, based on regular expressions, together with its translation into the model

Synchronous Modeling and Validation of Priority Inheritance Schedulers

Architecture Description Languages (ADLs) allow embedded systems to be described as assemblies of hardware and software components. It is attractive to use such a global modelling as a basis for early system analysis. However, in such descriptions, the applicative software is often abstracted away, and is supposed to be developed in some host programming language. This forbids to take the applicative software into account in such early validation. To overcome this limitation, a solution consists in translating the ADL description into an executable model, which can be simulated and validated together with the software. In a previous paper [1], we proposed such a translation of Aadl (Architecture Analysis & Design Language) specifications into an executable synchronous model. The present paper is a continuation of this work, and deals with expressing the behavior of complex scheduling policies managing shared resources. We provide a synchronous specification for two shared resource scheduling protocols: the well-known basic priority inheritance protocol (BIP), and the priority ceiling protocol (PCP). This results in an automated translation of Aadl models into a purely Boolean synchronous (Lustre) scheduler, that can be directly model-checked, possibly with the actual software.

Engineering functional requirements of reactive systems using synchronous languages

Automating the functional testing of reactive systems requires to provide a formal specification of the system environment which defines the admissible test inputs. It also requires a specification of the expected properties of the system in order to decide whether a test succeeds or fails. Engineering these formal specifications is a difficult task, as it is not part of the usual manual testing process. In this paper, we report some experiments that have been conducted within a project in collaboration with industrial developers of nuclear power plant control systems. In this project, automatic testing tools have been used for checking the correctness of reactive systems developed incrementally, using heterogeneous industrial engineering workbenches. But these tools appeared to be useful also for elaborating and refining formal, consistent, and accurate functional requirements.

Efficient Automated Trace Analysis: Examples with Morphine

Abstract Opium, Morphine and Coca are three automated trace analyzers based on the same principles for three different programming languages. An automated trace analyzer is connected to an event-oriented tracer. The traced program is run in coprocessing with the trace analysis session in which the user enters high-level queries about the traced execution. The trace is then automatically processed according to the query. The key of efficiency is that most of the work is done (1) on the fly and (2) in the traced process. In this article, we first present these mechanisms and then illustrate them through a debugging session and monitoring examples with Morphine.

Environment-Model Based Testing of Control Systems: Case Studies

A reactive system reacts to an environment it tries to control. Lurette is a black-box testing tool for such closed-loop systems. It focuses on environment modeling using Lutin, a language designed to perform guided random exploration of the System Under Test (SUT) environment, taking into account the feedback. The test decision is automated using Lustre oracles resulting from the formalisation of functional requirements.

Specifying and Executing Reactive Scenarios With Lutin

This paper presents the language Lutin and its operational semantics. This language specifically targets the domain of reactive systems, where an execution is a (virtually) infinite sequence of input/output reactions. More precisely, it is dedicated to the description and the execution of constrained random scenarios. Its first use is for test sequence specification and generation. It can also be useful for early simulation of huge systems, where Lutin programs can be used to describe and simulate modules that are not yet fully developed. The programming style mixes relational and imperative features. Basic statements are input/output relations, expressing constraints on a single reaction. Those constraints are then combined to describe non deterministic sequences of reactions. The language constructs are inspired by regular expressions, and process algebra (sequence, choice, loop, concurrency). Moreover, the set of statements can be enriched with user defined operators. A notion of stochastic directive is also provided, in order to finely influence the selection of a particular class of scenarios.

Environment-Model Based Testing with Differential Evolution in an Industrial Setting

Reactive systems interact continuously with their environments. In order to test such systems, one needs to design executable environment models. Such models are intrinsically stochastic, because environment may vary a lot, and also because they are not perfectly known. We propose an environment-model based testing framework optimized for reactive systems, where Differential Evolution (de ) is used to fine-tune the environment model and to optimize test input generation. In order to evaluate the proposed method, we present a case study involving a real-world scade system from the domain of railway automation. The problem specification was proposed by our industrial partner, Siemens. Our experimental data shows that de can be used efficiently to increase the structural coverage of the System Under Test.