6th Framework Programme
(IST-FP6-2004 004033)
A Domain-Specific Metamodel for Reusable Object-Oriented High-Integrity Components
Matteo Bordin and Tullio Vardanega, University of Padua, Italy
The 7th OOPSLA Workshop on Domain-Specific Modeling
Montreal, October 21-22, 2007
- 2 / 16 - OOPSLA DSM Workshop 2007
Contents
1. The domain
2. Model-driven engineering
3. Constrained object-oriented modeling
4. Implementation technologies
5. Conclusions
- 3 / 16 -
High-Integrity Systems (The domain)
Applicable standards shown on the slide: DO-178B, MIL-STD-882B, Def Stan 00-55, MISRA, IEC 880, IEC 61508
Up to 2/3 of development costs go to V&V (verification and validation)
- 4 / 16 -
High-integrity systems: a SW perspective (The domain)
Pros: Abstraction, Automation (correctness by construction)
A dynamically bound invocation: which p() actually runs depends on the run-time type of ptr, so the callee is not visible to static analysis:

```java
void m() {
    // a dynamically bound invocation: which p() runs depends on the
    // run-time type of this.ptr
    this.ptr.p();
}
```

What a coverage analysis has to consider in order to cover every possible target of that one call:

```java
void m() {
    if (this.ptr instanceof Impl1) {
        // issue a statically bound invocation of Impl1.p()
        // (not possible in Java, which always dispatches dynamically)
    }
    // now evaluate all the other types ...
}
```

Options: code transformation (compiler tool), or use of code analysis tools
Full code coverage: O(#dispatching_calls · #types)
[Figure: an object holding a ptr link that may refer to any of several (…) implementation types]
- 10 / 16 -
The RCM approach: models for V&V (Object orientation)
[Figure: object diagram in which o1 : MyClass holds a ptr link to o2 : Impl3, one of several (…) candidate implementation types]
Core idea: links fixed at model level
Common in the high-integrity domain (HOOD, HRT-HOOD, AADL, etc.)
Use the dynamic binding mechanism but permit static analysis:
• Execution paths are statically determined
• Model-based analysis instead of code-based analysis
- 11 / 16 -
Object-oriented modeling with RCM (RCM metamodel)
[Figure: class view and component view of MyClass, which offers methods m1, m2, m3 and holds a required link ptr to an interface offering p1 and p2]
Enforce design-by-contract:
• m1 invokes ptr.p2()
• m2 invokes ptr.p1() and ptr.p2()
Determine possible intra-component paths
- 12 / 16 -
Object-oriented modeling with RCM (II) (RCM metamodel)
[Figure: class view (MyClass with required link ptr) and object view in which m : MyClass is bound through ptr to i : Impl1]
• m1 invokes ptr.p2()
• m2 invokes ptr.p1() and ptr.p2()
Dynamic binding! (the call through ptr is still dispatched dynamically)
Statically determine possible inter-component paths
Enforce constant links:
• functional dependencies on properties only
• call setters just once
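The following is an added example written for this page, not the authors' RCM tooling. It encodes, as plain data, what the class view of slide 11 and the object view of slide 12 state (m1 invokes ptr.p2(); m2 invokes ptr.p1() and ptr.p2(); m : MyClass is bound through ptr to i : Impl1) and derives from the model alone the statically determined inter-component paths, while enforcing the constant-link rule (a second setter call on the same link is rejected) and the contract that the bound target must provide every operation invoked on it. It also computes, for comparison, the number of call targets a code-level coverage analysis would have to consider under unconstrained dynamic binding, the O(#dispatching_calls · #types) bound of slide 4. The names ClassSpec, ObjectView, ModelError, build_example and code_level_dispatch_targets are mine; Impl2 is an assumed extra candidate type (Impl1 and Impl3 appear on the slides).

```python
"""Model-level analysis of constrained dynamic binding (illustrative example,
not the paper's RCM implementation)."""


class ModelError(Exception):
    """Raised when the model violates an RCM-style constraint."""


class ClassSpec:
    """A class in the class view.

    invokes:  method name -> list of (link, operation) invocations on
              required interfaces (the design-by-contract information).
    provides: operations the class implements (its provided interface).
    """

    def __init__(self, name, invokes=None, provides=()):
        self.name = name
        self.invokes = {m: list(calls) for m, calls in (invokes or {}).items()}
        self.provides = frozenset(provides)


class ObjectView:
    """Instances plus their links, as in the object view of the slides."""

    def __init__(self):
        self.instances = {}   # instance name -> ClassSpec
        self.links = {}       # (instance name, link name) -> target instance

    def add(self, name, spec):
        if name in self.instances:
            raise ModelError(f"duplicate instance {name}")
        self.instances[name] = spec

    def bind(self, src, link, dst):
        """Set link src.link to dst; the setter may be called exactly once."""
        if (src, link) in self.links:
            raise ModelError(f"{src}.{link} is a constant link and is already bound")
        if src not in self.instances or dst not in self.instances:
            raise ModelError("unknown instance in link")
        self.links[(src, link)] = dst

    def inter_component_paths(self):
        """Resolve every invocation to its single, statically known target.

        Returns a list of (caller, method, callee, operation) tuples. Because
        links are constant, each dispatching call has exactly one target.
        """
        paths = []
        for src, spec in self.instances.items():
            for method, calls in spec.invokes.items():
                for link, op in calls:
                    dst = self.links.get((src, link))
                    if dst is None:
                        raise ModelError(f"{src}.{link} is never bound")
                    if op not in self.instances[dst].provides:
                        raise ModelError(f"contract violation: {dst} does not provide {op}")
                    paths.append((src, method, dst, op))
        return paths


def code_level_dispatch_targets(spec, candidate_types):
    """Targets a code-level analysis must cover with unconstrained dynamic
    binding: every dispatching call in the class times every type that
    could be behind the link (#dispatching_calls * #types)."""
    n_calls = sum(len(calls) for calls in spec.invokes.values())
    return n_calls * len(candidate_types)


# Class view of slide 11 (MyClass) and one implementation of the required
# interface (Impl1), as constructed sample input.
MYCLASS = ClassSpec(
    "MyClass",
    invokes={"m1": [("ptr", "p2")],
             "m2": [("ptr", "p1"), ("ptr", "p2")],
             "m3": []},
)
IMPL1 = ClassSpec("Impl1", provides=("p1", "p2"))


def build_example():
    """Object view of slide 12: m : MyClass --ptr--> i : Impl1."""
    view = ObjectView()
    view.add("m", MYCLASS)
    view.add("i", IMPL1)
    view.bind("m", "ptr", "i")   # the one and only setter call for this link
    return view


if __name__ == "__main__":
    view = build_example()
    for caller, method, callee, op in view.inter_component_paths():
        print(f"{caller}.{method}() -> {callee}.{op}()")
    # Impl2 is an assumed extra candidate type for the comparison.
    print("code-level targets:",
          code_level_dispatch_targets(MYCLASS, ["Impl1", "Impl2", "Impl3"]))
    print("model-level targets:", len(view.inter_component_paths()))
```

With three candidate types behind ptr, a code-level analysis of MyClass has 3 dispatching calls × 3 types = 9 targets to cover; with the link fixed in the object view the same three calls resolve to exactly three paths, and any attempt to rebind ptr is rejected at model level.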
- 13 / 16 -
PIM to PSM in RCM (RCM metamodel)
[Figure: PIM object view (with deployment): m : MyClass and i : Impl1, linked through ptr, deployed on two nodes, Node N1 and Node N2]
[Figure: PSM object view (not visible to the designer): client task (m) -> stub -> Middleware -> Middleware -> skeleton task -> server (i)]
Dynamic binding with statically-fixed execution path(s)
- 14 / 16 -
Implementation technologies
Eclipse plug-in
• Metamodeling: EMF
• Model transformations: ATL, MOFscript
• GUI: GMF
[Screenshots of the implementation: class/object diagram editor and deployment diagram editor]
- 15 / 16 -
Results & Conclusions (I) (Results)
Industrial pilot projects (partner logos on the slide)
• Due for completion and demonstration by December 2007
• Targeting real space-qualified hardware
• With real-life system ambitions and demands!
Model-based analysis
• Needs a suitable underlying computational model (the same philosophy as adopted by SCADE)
• Fundamental to formally reason on system properties before implementation: easier and more solid what-if analysis
• Needs full and accurate modeling of the system: difficult to map the middleware in the PIM-to-PSM transformation, difficult to evaluate sizing requirements
• Permits exploiting a restricted form of dynamic binding
- 16 / 16 -
Results & Conclusions (II)
MDE-enabled object orientation: a première in space software!
• Adaptive reuse: software frameworks are a major advantage
• Predictability: constrained dynamic binding is acceptable
• Certifiable implementation: requires compiler support
Work in progress: to increase PIM expressive power while preserving RCM compliance
[Figure: a client sporadic task (waiting for server reply) invokes the server i : Impl1; a timing event is released by the invocation of the RI; the release event (timeout / server reply) is evaluated, and the client is released when the timeout expires]