Verification of AADL Models with Timed Abstract State Machines

(1)

O

pen

A

rchive

T

OULOUSE

A

rchive

O

uverte (

OATAO

)

OATAO is an open access repository that collects the work of Toulouse researchers and

makes it freely available over the web where possible.

This is an author-deposited version published in :

http://oatao.univ-toulouse.fr/

Eprints ID : 13274

To cite this version : Yang, Zhi-Bin and Hu, Kai and Zhao, Yong-Wang

and Ma, Dian-Fu and Bodeveix, Jean-Paul AADL model verification by

translating into TASM. (2015) Journal of Software, vol. 26 (n° 2). pp.

202-222. ISSN 1000-9825

Any correspondance concerning this service should be sent to the repository

administrator:

staff-oatao@listes-diff.inp-toulouse.fr

(2)

෎Ѣᯊ䯈ᢑ䈵⢊ᗕᴎⱘ

AADL

῵ൟ偠䆕

ཷᄝμ

1,2

,

ܑ

࢚

2

,

ვစฌ

2

,

৴ԯؖ

2

, Jean-Paul BODEVEIX

1

1_{(Institut de Recherche en Informatique de Toulouse, Université de Toulouse, Toulouse, France)} 2₍

࣫ Ҁ 㟾ぎ㟾 ໽ ໻ ᄺ 䅵 ㅫ ᴎ ᄺ 䰶,࣫ Ҁ 100191) 䗮䆃 ԰ 㗙: 㚵 ߃, E-mail: hukai@buaa.edu.cn

ᨬ 㽕: ඔѻॴྡྷᄵݮဟನ޷Ѯເᅱൟݯ(timed abstract state machine,߅ыTASM)ԅAADL(architecture analysis and design language)੦໸ིᄃֺ֥.דιٓѻॴAADLᆐނۤTASMԅѮເဴ֥,ωݮဟဴ࿌ۆ೴ۤफMLԅ၍ဴ ཝ໹಴Շ࿌ᅧܰڟ႕.ၽҮݮ҄౨,ݮဟAADLࢗၗߙ੦ܬࡂOSATE(open source AADL tool environment)ಁޙωಬ ຣॴ AADL ੦໸ིᄃူד๥ٝ࡮ AADL2TASM,ωݮဟ۔ඟ୶ӽ۔cᄥӽူࣅᄥຂහ(guidance, navigation and control)ࠩ໻ॴಬै໿ིᄃ.

݇䬂䆡: AADL(architecture analysis and design language);TASM(timed abstract state machine);੦໸ᅧܰ;໹಴ིᄃ Ё ೒ ⊩ ߚ ㉏ ো: TP311

Verification of AADL Models with Timed Abstract State Machines

YANG Zhi-Bin1,2, HU Kai2, ZHAO Yong-Wang2, MA Dian-Fu2, Jean-Paul BODEVEIX1

1

(Institut de Recherche en Informatique de Toulouse, Université de Toulouse, Toulouse, France)

2

(School of Computer Science and Engineering, BeiHang University, Beijing 100191, China)

Abstract: This paper presents a formal verification method for AADL (architecture analysis and design language) models by TASM (timed abstract state machine) translation. The abstract syntax of the chosen subset of AADL and of TASM are given. The translation rules are defined clearly by the semantic functions expressed in a ML-like language. Furthermore, the translation is implemented in the model transformation tool AADL2TASM, which provides model checking and simulation for AADL models. Finally, a case study of space GNC (guidance, navigation and control) system is provided.

Key words: AADL (architecture analysis and design language); TASM (timed abstract state machine); model transformation; formal verification

ᑓ ⊯ ᑨ ⫼ Ѣ 㟾ぎ ǃ 㟾 ໽ ǃ ℺ ఼ 㺙 ໛ ǃ Ḍ 㛑 ǃ ≑ 䔺 ᥻ ࠊ ㄝ ݇ 䬂 ֵ ᙃ 乚 ඳ ⱘ ໡ ᴖ ጠ ܹ ᓣ ᅲ ᯊ ㋏㒳㹿⿄ Ў ᅝ ܼ

ᬌ ݇ ᅲ ᯊ ㋏㒳(safety-critical real-time systems).⬅ Ѣ ࡳ 㛑 ੠ 䴲 ࡳ 㛑㽕 ∖ ϡ ᮁ ᦤ 催,㋏㒳 ໡ ᴖ ᑺ ᗹ ࠻ ๲ ࡴ,བ ԩ 䆒䅵 Ϣ ᅲ ⦄ 催䋼䞣 ⱘ ᅝ ܼ ᬌ ݇ ᅲ ᯊ ㋏㒳,ᑊ ᳝ ᬜ ᥻ ࠊ ᓔ থ ᯊ 䯈 ੠ ៤ ᴀ,ᰃ ᄺ ᴃ ⬠ ੠ Ꮉ Ϯ ⬠ ݅ ৠ 䴶 Ј ⱘ 䲒乬.䖥 ᑈ ᴹ,῵ ൟ 偅 ࡼ ᓔ থ ᮍ ⊩ 䗤 ⏤ ៤ Ў ᅝ ܼ ᬌ ݇ ᅲ ᯊ ㋏㒳䆒䅵 Ϣ ᓔ থ ⱘ 䞡㽕 ᠟ ↉

[1]_,

㗠 ԰ Ў ໡ ᴖ ጠ ܹ ᓣ ᅲ ᯊ ㋏㒳 ⱘ ԧ

㋏㒧 ᵘ 䆒䅵 Ϣ ߚ ᵤ 䇁㿔 ᷛ ޚ,AADL(architecture analysis and design language)

[2,3]

᮹ Ⲟ ফ ࠄ ݇ ⊼,ᑊ 䗤 ⏤ থ ሩ ៤ Ў ϔ Ͼ ᮄ ⱘ ⷨ お ⛁ ⚍.

(3)

ҹ ঞ 䴲 ࡳ 㛑 ሲ ᗻ 䖯㸠㸼䖒.Ⳃ ࠡ,῵ ൟ 䕀 ᤶ ᰃ AADL ῵ ൟ ᔶ ᓣ 偠䆕 Ϣ ߚ ᵤ ⱘ Џ 㽕䗨 ᕘ,བ 䕀 ᤶ ࠄ BIP(behavior interaction priority)[4]ǃFiacre

[5] ǃࡼ ԰ ᯊ ᑣ 䘏䕥TLA+ [6] ǃৠ ℹ 䇁㿔Signal [7] ㄝ,Ⳃ ⱘ ᰃ Ў њ 䞡 ⫼ 䖭 ѯ ῵ ൟ Ϟ Ꮖ ᳝ ⱘ 偠䆕 ੠ ߚ ᵤ 㛑 ࡯. AADL 䇁㿔 Ў ᅝ ܼ ᬌ ݇ ᅲ ᯊ ㋏㒳 ᦤ կ њ Є ᆠ ⱘ 㸼䖒㛑 ࡯,Ԛ ݊ ໻ 䚼 ߚ 䇁 Н ҡ ✊ 䞛 ⫼ 㞾 ✊ 䇁㿔 ੠ ՟ ᄤ 䖯㸠㾷䞞.Ꮖ ᳝ ⱘAADL䇁 Н ⷨ お Џ 㽕䞛 ⫼ 䕀 ᤶ 䇁 Н(translational semantics)ⱘ ᮍ ᓣ

[8,9]

,े,⫼ ঺ ϔ ⾡ ᔶ ᓣ 䇁㿔(⿄ Ў Ⳃ ᷛ 䇁㿔)ᴹ 㸼䖒 AADL 䇁㿔 ⱘ 䇁 Н,བ BIP

[4]

,Fiacre[5],TLA+[6],Signal[7],IF[10],RTMaude[11],ACSR[12],Lustre[13], Petri Net[14]ㄝ,䖭⾡ ᮍ ᓣ Փ ᕫ 䇁 Н ᳈ ᯧ Ѣ ⧚ 㾷,г ᰃAADL῵ ൟ 䕀 ᤶ ⱘ ෎ ⸔.Ԛ ᰃ,໻ 䚼 ߚ Ꮖ ᳝ ⷨ お䛑䩜 ᇍ 䕗 ᇣ ⱘ AADLᄤ 䲚,≵ ᳝ 㒭 ߎ ϔ Ͼ ↨ 䕗 ᅠ ᭈ ⱘ ᔶ ᓣ 䇁 Н ᅮ Н;݊ ⃵,Џ 㽕䞛 ⫼ 㞾 ✊ 䇁㿔 ԰ Ў ܗ 䇁㿔 ⦃ ๗,݇ ⊼ ⱘAADLᄤ 䲚 ੠ Ⳃ ᷛ 䇁㿔䛑 ≵ ᳝ 㒭 ߎ ㊒ ⹂ ᅮ Н,䕀 ᤶ 㾘 ߭ г ϡ ໳ ᔶ ᓣ ࣪;᳔ ৢ,䌘 ⑤ ߽ ⫼ ℷ ⹂ ᗻ ᰃ ᅝ ܼ ᬌ ݇ ᅲ ᯊ ㋏㒳 ⱘ ϔ Ͼ 䞡㽕 ᗻ 䋼,৘ ⾡ Ⳃ ᷛ 䇁㿔 ݋ ᳝ ϡ ৠ ⱘ 㸼䖒㛑 ࡯,Ԛ 㛑 ໳ ᰒ ᓣ 㸼䖒䌘 ⑤ 㸠 Ў ⱘ 䇁㿔䕗 ᇥ.

ᢑ 䈵 ⢊ ᗕ ᴎ(abstract state machine,ㅔ ⿄ASM)

[15]

ᑓ ⊯ ᑨ ⫼ Ѣ 䕃 ǃ ⹀ ӊ ㋏㒳䆒䅵 ҹ ঞ ᔶ ᓣ 䇁 Н ᅮ Н.Ў њ ᬃ ᣕ ᅲ ᯊ ㋏㒳 ⱘ ࡳ 㛑㸠 Ў ǃᯊ 䯈 ሲ ᗻ ҹ ঞ 䌘 ⑤ ⍜ 㗫 ⱘ ᦣ 䗄,2006ᑈ,MIT೼ASMⱘ ෎ ⸔ Ϟ ᦤ ߎ њ ᯊ 䯈 ᢑ 䈵 ⢊ ᗕ ᴎ (timed abstract state machine,ㅔ ⿄TASM)

[16,17] .Ⳍ ᇍ ѢBIP,Fiacre,TLA+,Signalㄝ Ⳃ ᷛ 䇁㿔,TASM㛑 ໳ ৠ ᯊ ᬃ ᣕ ࡳ 㛑 ǃ ᯊ 䯈 ҹ ঞ 䌘 ⑤ ㄝ㸠 Ў ⱘ 偠䆕 ੠ ߚ ᵤ,㗠 Ϩ ৃ 䇏 ᗻ 䕗 ད. ಴ ℸ,ᴀ ᭛ ᦤ ߎ ϔ ⾡ ෎ ѢTASMⱘAADLᔶ ᓣ 䕀 ᤶ 䇁 Н,ᘏ ԧ ᗱ 䏃 བ ϟ: (1) 䩜ᇍϔϾ䕗Ўᅠᭈⱘ AADL ᄤ䲚,ᔶᓣഄ㒭ߎᄤ䲚ⱘᢑ䈵䇁⊩; (2) ᔶᓣഄ㒭ߎ TASM ⱘᢑ䈵䇁⊩; (3) ෎Ѣ䇁Нߑ᭄⏙᱄ࠏ⬏ AADL 䇁㿔ࠄ TASM 䇁㿔ⱘᭈԧ᯴ᇘ݇㋏,ᑊ෎Ѣ㉏ ML[18]ⱘ ܗ 䇁㿔 ᔶ ᓣ ᅮ Н 䕀 ᤶ 䇁 Н 㾘 ߭. ৠ ᯊ,೼ ᔶ ᓣ 䕀 ᤶ 䇁 Н ⱘ ෎ ⸔ Ϟ,෎ ѢAADLⱘ ᓔ ⑤ ᓎ ῵ ⦃ ๗OSATE [19] ,䆒䅵 ᑊ ᅲ ⦄AADL῵ ൟ 偠䆕 Ϣ ߚ ᵤ Ꮉ ݋ ü üAADL2TASM,ҹ ᬃ ᣕ 䗮䖛 ῵ ൟ Ẕ ⌟ Ꮉ ݋UPPAAL [20] ҹ ঞ ӓ ⳳ ߚ ᵤ Ꮉ ݋TASM ToolSet [21] ᇍAADL ῵ ൟ 䖯㸠偠䆕 ੠ ߚ ᵤ.

ᴀ ᭛ ㄀1㡖 ㅔ 㽕 ҟ 㒡AADL䇁㿔 ⱘ ෎ ᴀ ὖ ᗉ.㄀2㡖㒭 ߎ ᴀ ᭛AADLᄤ 䲚 ⱘ ᢑ 䈵䇁 ⊩.㄀3㡖㒭 ߎTASM 䇁㿔 ⱘ ෎ ᴀ ὖ ᗉ ঞ ݊ ᢑ 䈵䇁 ⊩.㄀ 4 㡖䆺㒚 ҟ 㒡 ᔶ ᓣ 䕀 ᤶ 䇁 Н.㄀ 5㡖 ㅔ 㽕 ҟ 㒡 AADL2TASM ῵ ൟ 䕀 ᤶ Ꮉ ݋. ㄀6㡖㒧 ড় 㟾 ໽ ఼ ᇐ 㟾 ǃࠊ ᇐ Ϣ ᥻ ࠊ ㋏㒳 ᅲ ՟,ҟ 㒡AADL2TASMᎹ ݋ ⱘ ᑨ ⫼ ᚙ މ.㄀7㡖㒭 ߎ Ⳍ ݇ Ꮉ ԰ ↨ 䕗. ㄀8㡖 ᰃ ᴀ ᭛ ⱘ ᘏ 㒧,ᑊ 䅼䆎 ῵ ൟ 䕀 ᤶ ℷ ⹂ ᗻ 䯂乬.

1 AADL 䇁㿔ㅔҟ

ᅝ ܼ ᬌ ݇ ᅲ ᯊ ㋏㒳 ᰃ ᑨ ⫼ 䕃 ӊ ǃ 䖤㸠 ᯊ ⦃ ๗(㰮 ᢳ ᴎ ៪ ᪡ ԰ ㋏㒳)ҹ ঞ ⹀ ӊ ᑇ ৄ ⏅ ᑺ 㵡 ড় ⱘ ໡ ᴖ ㋏㒳, AADL䇁㿔 Ϣ П ᇍ ᑨ ഄ ᦤ կ њ 䕃 ӊ ԧ ㋏㒧 ᵘ ǃ䖤㸠 ᯊ ⦃ ๗ ҹ ঞ ⹀ ӊ ԧ ㋏㒧 ᵘ ⱘ ᓎ ῵ ὖ ᗉ:䗮䖛㒓⿟(thread)ǃ㒓⿟㒘(thread group)ǃ䖯⿟(process)ǃ᭄ ᥂(data)ǃᄤ ⿟ ᑣ(subprogram)ㄝ ᵘ ӊ ҹ ঞ 䖲 ᥹ ᴹ ᦣ 䗄㋏㒳 ⱘ 䕃 ӊ ԧ ㋏㒧 ᵘ;䗮䖛 ໘ ⧚ ఼(processor)ǃ 㰮 ᢳ ໘ ⧚ ఼(virtual processor)ǃ ᄬ ټ ఼(memory)ǃ ໪ 䆒(device)ǃ ᘏ 㒓(bus)ǃ 㰮 ᢳ ᘏ 㒓(virtual bus)ㄝ ᵘ ӊ ҹ ঞ 䖲 ᥹ ᴹ ᦣ 䗄㋏㒳 ⱘ ⹀ ӊ ԧ ㋏㒧 ᵘ;䗮䖛 ߚ থ ण 䆂(dispatch)ǃ 䗮 ֵ ण 䆂 (communication)ǃ䇗 ᑺ ㄪ ⬹(scheduling)ǃ῵ ᓣ ব ᤶ ण 䆂(mode change)ҹ ঞ ߚ ऎ ᴎ ࠊ(partition)ㄝ ሲ ᗻ ᴹ ᦣ 䗄㋏㒳 ⱘ 䖤㸠 ᯊ ⦃ ๗,೼AADL䇁㿔 Ё ⿄ Ў ᠻ 㸠 ῵ ൟ(execution model);᳔ ৢ,䗮䖛㋏㒳(system)ᵘ ӊ 䖯㸠㒘 ড়,ሖ ⃵ ࣪ ഄ ᓎ ゟ㋏㒳 ⱘ ԧ ㋏㒧 ᵘ ῵ ൟ.঺ ໪,㸠 Ў 䰘 ӊ(behavior annex) [22] ҹ ব 䖕㋏㒳(transition system)ⱘ ᔶ ᓣ ๲ ᔎ њ AADL ᇍ 㒓⿟ ᵘ ӊ ੠ ᄤ ⿟ ᑣ ᵘ ӊ ࡳ 㛑㸠 Ў ⱘ 䆺㒚 ᦣ 䗄㛑 ࡯,㗠 Ϩ 㸠 Ў 䰘 ӊ Ϣ ᠻ 㸠 ῵ ൟ ᳝ ⴔ ㋻ ᆚ ⱘ 㘨㋏,े,ᠻ 㸠 ῵ ൟ ᅮ Н њ 㒓⿟ ੠ ᄤ ⿟ ᑣ ਼ ᳳ ᗻ(䴲 ਼ ᳳ ᗻ ៪ ي থ)ഄ 䇏 প ǃ 䅵 ㅫ ੠ থ 䗕 ᭄ ᥂,㸠 Ў 䰘 ӊ ߭ ᰃ ᇍ 䅵 ㅫ ⢊ ᗕ ݙ ⱘ ᠻ 㸠㸠 Ў 䖯㸠䆺㒚 ࠏ ⬏.಴ ℸ,䕃/⹀ ӊ ԧ ㋏㒧 ᵘ ǃ ᠻ 㸠 ῵ ൟ ҹ ঞ 㸠 Ў 䰘 ӊ ᵘ ៤ ϔ Ͼ ᅠ ᭈ ⱘAADLᦣ 䗄.

AADL 䖬 ࣙ ᣀ ݊ Ҫ ᮍ 䴶 ⱘ ᠽ ሩ,䖯 ϔ ℹ Є ᆠ њ AADL 䇁㿔 ⱘ 㸼䖒㛑 ࡯.՟ བ,ᬙ 䱰 ῵ ൟ 䰘 ӊ(error model annex)[23]ᠽ ሩ њ ᵘ ӊ ੠ 䖲 ᥹ ⱘ ᬙ 䱰 џ ӊ ǃᬙ 䱰 ὖ ⥛ ㄝ䴲 ࡳ 㛑 ሲ ᗻ,ҹ ᬃ ᣕ ㋏㒳 ৃ 䴴 ᗻ ߚ ᵤ;Ў њ ᬃ ᣕARINC653 ᷛ ޚ,থ Ꮧ њARINC653ᠽ ሩ 䰘 ӊ

[24]

(4)

2 AADL ᄤ䲚ঞ݊ᢑ䈵䇁⊩

Ң 2004ᑈ AADL ᷛ ޚ ℷ ᓣ থ Ꮧ ҹ ᴹ,݊ Ḍ ᖗ ᭛ ḷ ঞ ᠽ ሩ 䰘 ӊ ೼ ϡ ᮁ ⱘ ׂ 䅶 ੠ থ ሩ.՟ བ,Ⳃ ࠡ Ḍ ᖗ ᭛ ḷ ᳝ AADL V1.0 (AS5506),AADL V2.0 (AS5506A)੠AADL V2.1 (AS5506B)䖭3Ͼ ⠜ ᴀ,AADL V2.2г ℷ ೼ ׂ 䅶 ᔧ Ё;ᠽ ሩ 䰘 ӊ ߭ ࣙ ᣀAnnex AS5506/1,Annex AS5506/2,Annex AS5506/3ㄝ㋏ ߫ ᭛ ḷ,ℷ ೼ ࠊ ᅮ ᔧ Ё ⱘconstraint annex[26]੠BLESS annex

[27]

ᇚ থ Ꮧ ЎAnnex AS5506/4.AADLᏆ ៤ Ў ϔ Ͼ ᑲ ໻ ⱘ ᷛ ޚ ԧ ㋏,಴ ℸ,AADL䇁 Н ᔶ ᓣ ࣪ 䛑 ᰃ 䗝 ᢽ ϔ Ͼ ᙄ ᔧ ⱘ ᄤ 䲚 ᴹ 䖯㸠 ⱘ. ձ ᥂ 㟾 ໽ ఼ ㄝ ᅝ ܼ ᬌ ݇ ᅲ ᯊ ㋏㒳 ⱘ 䚼 ߚ ⡍ ᕕ,ᴀ ᭛ 䗝 প ⱘAADLᄤ 䲚 བ ϟ: (1) ԧ㋏㒧ᵘᮍ䴶,ࣙᣀ㋏㒳ᵘӊǃ䖯⿟ᵘӊǃ㒓⿟ᵘӊǃ໘⧚఼ᵘӊǃᄬټ఼ᵘӊҹঞᘏ㒓ᵘӊㄝ㒧 ᵘ ܗ ㋴; (2) ᠻ㸠῵ൟᮍ䴶,ࣙᣀ䖯⿟ᠻ㸠ǃ῵ᓣবᤶǃ㒓⿟ߚথǃ㒓⿟ᠻ㸠ǃッষ䗮ֵǃ䇗ᑺǃ䌘⑤݅ѿㄝᠻ 㸠 ῵ ൟ ሲ ᗻ; (3) ᠽሩ䰘ӊᮍ䴶,Џ㽕ࣙᣀ㸠Ў䰘ӊ. 䆹 ᄤ 䲚 ෎ ᴀ Ϟ 㛑 ᵘ ៤ ϔ Ͼ ↨ 䕗 ᅠ ᭈ ⱘAADL ᦣ 䗄:ᣝ ✻ ㋏㒳 ǃ 䖯⿟ ǃ 㒓⿟ ҹ ঞ 㸠 Ў 䰘 ӊ 䖭4Ͼ ሖ ⃵ ᴹ ᓎ ゟ㋏㒳 ⱘ AADL ῵ ൟ,ᑊ ᇚ 䖯⿟ ᯴ ᇘ ࠄ ໘ ⧚ ఼ ᵘ ӊ ǃ 䖲 ᥹ ᯴ ᇘ ࠄ ᘏ 㒓 ᵘ ӊ ǃ ᭄ ᥂ ᯴ ᇘ ࠄ ᄬ ټ ఼ ᵘ ӊ,㋏㒳 ᵘ ӊ ੠ 䖯⿟ ᵘ ӊ ৃ ҹ ᅮ Н ῵ ᓣ ঞ ῵ ᓣ ব ᤶ,㗠㒓⿟ ᠻ 㸠 Ӯ ফ ࠄ 䖯⿟ ࡴ 䕑 ǃ ῵ ᓣ ব ᤶ ǃ ߚ থ ǃ 䇗 ᑺ ⱘ ᕅ ડ,㒓⿟䗮 ֵ г ৃ 㛑 ফ ࠄ ῵ ᓣ ব ᤶ ⱘ ᕅ ડ.⬅ ѢAADLᇍ ᠻ 㸠 ῵ ൟ ᳝ Ϲ Ḑ ⱘ ᅮ Н,䖭 Փ ᕫ ᭈ Ͼ ㋏㒳 ⱘ 㸠 Ў ᰃ ⹂ ᅮ ᑊ ৃ 乘㾕 ⱘ. ៥ Ӏ ෎ Ѣ ㉏ ൟ ⱘ ᮍ ᓣ 㒭 ߎ AADLᄤ 䲚 ⱘ ᢑ 䈵䇁 ⊩.೼ ᢑ 䈵䇁 ⊩ 㸼⼎ Ё,㒧 ᵘ ܗ ㋴ ੠ ᠻ 㸠 ῵ ൟ ሲ ᗻ 㸼䖒 ೼ ৠ ϔ Ͼ 䇁 ⊩ 㒧 ᵘ ᔧ Ё.݊ Ё,PORT,SOM,EVENT,DURATION,BASTATE,EXPRESSIONҹ ঞVALUEЎ 乘 ᅮ Н ㉏ ൟ. ৠ ᯊ,೼ ㋏㒳 ᵘ ӊ Ё,៥ Ӏ ҙ 㗗㰥 ऩ ໘ ⧚ ఼,ᑊ Ϩ 咬䅸 ᇚ 䖯⿟ ᵘ ӊ ᯴ ᇘ ࠄ ໘ ⧚ ఼ ᵘ ӊ. Type System:=

{ Iports: set of PORT; Oports: set of PORT; Processes: set of Process; CPU: Processor;

Memories: set of Memory; Buses: set of Bus; Initial_Mode: SOM;

Mode_Transitions: set of SOM_Transition; }

Type Process:=

{ Iports: set of PORT; Oports: set of PORT; Threads: set of Thread;

Connections: set of Connection; Initial_Mode: SOM;

Mode_Transitions: set of SOM_Transition; }

Type Processor:=

{ Scheduling: {FixedTimeline,Cooperative,RMS}; }

Type Thread:=

{ Iports: set of PORT; Oports: set of PORT; Period: DURATION; BCET: DURATION; WCET: DURATION; Deadline: DURATION; DispatchType: {periodic,aperiodic,sporadic}; Behavior: BehaviorAnnex;

Modes: set of SOM; }

Type Connection:=

{ SourcePort: PORT;

ConnectionType: {immediate,delayed}; DestinationPort: PORT;

Modes: set of (SOMSOM_Transition); }

Type BehaviorAnnex:=

{ States: set of BASTATE; Transitions: set of BA_Transition; } Type SOM_Transition:= { SourceMode: SOM; TransitionType: {emergency,planned}; DestinationMode: SOM; Event: EVENT; } Type BA_Transition:= { SourceState: BASTATE; DestinationState: BASTATE; Time: DURATION; Guard: EXPRESSION;

Action: (Iports(th)oVALUE)uOports(th)oVALUE; }

(5)

3 TASM ঞ݊ᢑ䈵䇁⊩

3.1 TASM෎ᴀὖᗉ ϔ ϾTASMᦣ 䗄 ⬅ ϸ 䚼 ߚ 㒘 ៤:⦃ ๗ ੠ ᢑ 䈵 ᴎ.⦃ ๗ ࣙ ᣀ ⦃ ๗ ব 䞣 ঞ ݊ ㉏ ൟ,㗠 ෎ Ѣ ব 䞣 ⱘ ᔧ ࠡ প ؐ,ᢑ 䈵 ᴎ 䖯㸠䅵 ㅫ,✊ ৢ ᳈ ᮄ ব 䞣 ⱘ প ؐ,ҹ ᅲ ⦄ ㋏㒳 ⱘ ⢊ ᗕ ব 䖕.ৠ ᯊ,TASM ೼ ব 䖕 Ϟ ๲ ࡴ њ ᯊ 䯈 ੠ 䌘 ⑤ ⱘ ᅮ Н,ߚ ߿ 㸼⼎ ব 䖕 ⱘ ᣕ 㓁 ᯊ 䯈 ੠ 䌘 ⑤ ⍜ 㗫. ᅮ Н1. TASMSPEC=¢E,ASM²,Ў ϔ Ͼ Ѡ ܗ 㒘: (1) ⦃๗ E=¢EV,TU,ER²,EV㸼⼎ ⦃ ๗ ব 䞣,݊ ㉏ ൟ ᅮ Н ೼TUЁ,Џ 㽕 ࣙ ᣀ ᭈ ᭄ ㉏ ൟ ǃBoolean㉏ ൟ ǃᅲ ᭄ ㉏ ൟ ҹ ঞ ⫼ ᠋ 㞾 ᅮ Н ㉏ ൟ;ER={(rn,rs)}㸼⼎䌘 ⑤ ⦃ ๗ ব 䞣 ⱘ ᅮ Н,བ ໘ ⧚ ఼ ǃᄬ ټ ఼ ǃᏺ ᆑ ǃࡳ 㗫ㄝ, rnᰃ 䌘 ⑤ ⱘ ৡ ⿄,rs=[lower,upper]߭ 㸼⼎䌘 ⑤ ⱘ ໻ ᇣ.

(2) ᢑ䈵ᴎ ASM=¢MV,CV,IV,R²,ⲥ ᥻ ব 䞣MV(monitored variables)Ў ᕅ ડ ᢑ 䈵 ᴎ ᠻ 㸠 ⱘ ব 䞣 ⱘ 䲚 ড়;ফ ᥻ ব 䞣CV(controlled variables)Ў ᢑ 䈵 ᴎ ᇚ 㽕 ᳈ ᮄ ⱘ ব 䞣 ⱘ 䲚 ড়;ݙ 䚼 ব 䞣IV(internal variables)Ў ᢑ 䈵 ᴎ ݙ 䚼 Փ ⫼ ⱘ Ё 䯈 ব 䞣,ϡ ফ ⦃ ๗ ⱘ ᕅ ડ;R=¢n,t,RR,r²Ў ᢑ 䈵 ᴎ ⱘ ᠻ 㸠㾘 ߭,nᰃ 㾘 ߭ ⱘ ৡ ⿄,t㸼⼎㾘 ߭ ᠻ 㸠 ⱘ ᣕ 㓁 ᯊ 䯈,ৃ ҹ ᰃ ϔ Ͼ ೎ ᅮ ؐ,៪ ϔ Ͼ ऎ 䯈[t_min,t_max],г ৃ ҹ ᰃ ݇ 䬂 ᄫ next(t:=next 㸼⼎ ᴎ ఼ ໘ Ѣ ㄝ ᕙ ⢊ ᗕ,Ⳉ ࠄ ᶤ Ͼ џ ӊ থ ⫳),RR ᰃ ൟ བ rn:=rs ⱘ 䌘 ⑤ ⍜ 㗫,r ߭ ᰃ ൟ བ“if Condition then

Action”ⱘ 㾘 ߭ 䲚 ড়,݊ Ё,Conditionᰃ ⲥ ᥻ ব 䞣 ⱘ ᔧ ࠡ প ؐ,Actionࣙ ᣀ ফ ᥻ ব 䞣 ⱘ 䌟 ؐ ǃskipҹ ঞ 䗮 ֵ ㄝ,г ᬃ ᣕ“else then Action”㾘 ߭.

ASM ৃ ҹ ᳝ ໮ ᴵ 㾘 ߭,៥ Ӏ ⫼ R₁,R₂,…,R_n㸼⼎,Ԛ 㾘 ߭ П 䯈 ᰃ Ѧ ᭹ ᠻ 㸠 ⱘ,े,↣ ⃵ া ᳝ ϔ ᴵ 㾘 ߭ ⒵ 䎇 ᴵ ӊ

ᑊ ᠻ 㸠(؛ 䆒 ЎR_i).R_iᠻ 㸠 ᅠ ៤ П ৢ,䳔㽕 ᇍ ⦃ ๗ ব 䞣 ⱘ প ؐ ǃᯊ 䯈 ҹ ঞ 䌘 ⑤ ⍜ 㗫䖯㸠 ᳈ ᮄ.಴ ℸ,ASMⱘ ᠻ 㸠 ৃ ҹ 㸼⼎ Ў ϔ Ͼ ᳈ ᮄ 䲚 ᑣ ߫.

䰸 њ ᯊ 䯈 ੠ 䌘 ⑤ 㸠 Ў ҹ ໪,TASM 䖬 ᬃ ᣕ ᑊ থ 㒘 ড় ǃ ሖ ⃵ 㒘 ড় ҹ ঞ ৠ ℹ 䗮 ֵ ㄝ㸠 Ў ⱘ ᦣ 䗄.Ў ℸ,TASM ᇚ ᢑ 䈵 ᴎ ߚ Ў3㉏:Џ ᢑ 䈵 ᴎ(main ASM)ǃᄤ ᢑ 䈵 ᴎ(sub ASM)੠ ߑ ᭄ ᢑ 䈵 ᴎ(function ASM).ৠ ℹ 䗮 ֵ Џ 㽕 ᅮ Н ೼ Џ ᢑ 䈵 ᴎ П 䯈,ᑊ ৃ ҹ 䞛 ⫼ ݅ ѿ ব 䞣 ੠ 䗮䘧 ϸ ⾡ ᮍ ᓣ. ℸ ໪,TASMՓ ⫼ ῵ ൟ Ẕ ⌟ Ꮉ ݋UPPAAL [20] ҹ ঞ ӓ ⳳ ߚ ᵤ Ꮉ ݋TASM ToolSet [21] ᇍ ᮴ ⅏ 䫕 ᗻ ǃ ᅝ ܼ ᗻ ǃ ⌏ ᗻ ǃ ᯊ 䯈 ℷ ⹂ ᗻ ǃ 䌘 ⑤ ߽ ⫼ ℷ ⹂ ᗻ ㄝ ݇ 䬂 ᗻ 䋼䖯㸠偠䆕 ੠ ߚ ᵤ. 3.2 TASMᢑ䈵䇁⊩ ᴀ ᭛ ҙ 䞛 ⫼ ݅ ѿ ব 䞣 ⱘ 䗮 ֵ ᮍ ᓣ,಴ ℸ,TASMⱘ ᢑ 䈵䇁 ⊩ 㸼⼎ བ ϟ: min max min max

:: : exp | | if then | else then | ( , ) |

| ( , ) | |

:: , || || ... ||

P x skip BExpr P P time t t P time next P

resource r r r P P P P P TASM E P P P ¢ ²

Pᅮ Н њ ऩ Ͼ ᢑ 䈵 ᴎ ⱘ 㸠 Ў,x:=exp㸼⼎ ᳈ ᮄ ফ ᥻ ব 䞣xⱘ প ؐ;skip㸼⼎ ϡ ԰ ӏ ԩ ࡼ ԰;time㸼⼎㾘 ߭ ᠻ 㸠 ⱘ ᯊ 䯈;resource 㸼⼎㾘 ߭ ᠻ 㸠 ᳳ 䯈 ᠔ ⍜ 㗫 ⱘ 䌘 ⑤,r ᰃ 䌘 ⑤ ⱘ ৡ ⿄;PP 㸼⼎ ৠ ϔ Ͼ ᢑ 䈵 ᴎ ఼ ϡ ৠ 㾘 ߭ П 䯈 ⱘ 䗝 ᢽ ᪡ ԰;PP㸼⼎ ৠ ϔ ᴵ 㾘 ߭ ݙ ϡ ৠ ࡼ ԰ П 䯈 ⱘ ᑊ থ ᪡ ԰,Ԛ ϡ 㛑 ৠ ᯊ এ ᳈ ᮄ ৠ ϔ Ͼ ব 䞣 ⱘ প ؐ;P||P㸼⼎ ໮ Ͼ ᢑ 䈵 ᴎ ఼ П 䯈 ⱘ ᑊ থ ᪡ ԰,ᅗ Ӏ ݅ ѿ Ⳍ ৠ ⱘ ⦃ ๗E. Pⱘ 䗦 ᔦ ᅮ Н ৃ ҹ ᢑ 䈵㸼⼎ ᄤ ᢑ 䈵 ᴎ ੠ ߑ ᭄ ᢑ 䈵 ᴎ ⱘ 䇗 ⫼. ऩ ϾTASMᢑ 䈵 ᴎ ⱘ ᠻ 㸠䇁 Н ᰃ ϔ Ͼ ᕾ ⦃:ձ ᥂ ⦃ ๗ ব 䞣 ⱘ ᔧ ࠡ প ؐ,䗝 ᢽ ϔ ᴵ ⒵ 䎇 ᴵ ӊ ⱘ 㾘 ߭,ㄝ ᕙ 㾘 ߭ ⱘ ᣕ 㓁 ᯊ 䯈,ᑊ ⍜ 㗫䌘 ⑤;ᣕ 㓁 ᯊ 䯈 ᅠ ៤ ৢ,᳈ ᮄ ⦃ ๗ ব 䞣 ⱘ প ؐ,བ ᵰ ᄬ ೼ ৠ ℹ,߭ 䳔㽕ㄝ ᕙ;䆹㾘 ߭ ᠻ 㸠 ᅠ П ৢ, 䗝 ᢽ ϟ ϔ ᴵ 㾘 ߭ 㒻㓁 ᠻ 㸠.໮ Ͼ ᑊ থ ᢑ 䈵 ᴎ ⱘ 䇁 Н ߭ 㽕㗗㰥 ᳈ ᮄ 䲚 ⱘ 㒘 ড়.

4 ෎Ѣ TASM ⱘ AADL ᔶᓣ䕀ᤶ䇁Н

෎ ѢAADLᄤ 䲚 ⱘ ᢑ 䈵䇁 ⊩ ੠TASMⱘ ᢑ 䈵䇁 ⊩,៥ Ӏ ҹ“ሖ ⃵ ࣪ ǃ ῵ ഫ ࣪”ⱘ ᮍ ᓣ 㒭 ߎ 䕀 ᤶ 䇁 Н ᅮ Н.

(6)

Software నߑ༰ͱ Vol.26, No.2, February 2015 4.1 ㋏㒳ᵘӊ ㋏㒳 ᵘ ӊ ⱘ 䇁 Н ᰃ ⬅ ݊ Ҫ ᓎ ῵ ܗ ㋴ ⱘ 䇁 Н 㒘 ড় 㗠 ៤,៥ Ӏ ⫼ ϔ Ͼ ܼ ሔ 䇁 Н ߑ ᭄ ᴹ 㸼⼎: . . _ . . . ( : ) _ ( ) ( _ ( )) ( _ ( )) ( _ ( )) (

pr s Processes tr s Mode transitions

sch s Processor th pr Threads

cn pr Conne

Translate s System

Trans ProcessData pr Trans ModeData tr Trans SchedulerData sch Trans ThreadData th

¢ _. . . _ . _ ( )) ( _ ( )), || _ ( ) || ( || _ ( )) || ( || _ ( )) || ( || ctions th pr Threads

pr s Processes tr s Mode transitions

sch s Processor

Trans ConnectionData cn Trans BehaviorAnnexData th Trans Process pr Trans Mode tr

Trans Scheduler sch . . . _ ( )) || ( || _ ( )) || ( || _ ( )) th pr Threads cn pr Connections th pr Threads Trans Thread th

Trans Connection cn Trans BehaviorAnnex th

² 䆹䇁 Н ߑ ᭄ ߚ Ў 3 Ͼ ሖ ⃵:㋏㒳 ᵘ ӊ ⱘ ᄤ ᵘ ӊ ሖ ⃵ ǃ 䖯⿟ ᵘ ӊ ⱘ ᄤ ᵘ ӊ ሖ ⃵ ҹ ঞ 㸠 Ў 䰘 ӊ ሖ ⃵,↣ Ͼ ሖ ⃵ 䛑 ࣙ ᣀ ϸ 䚼 ߚ:䇁 ⊩ 㒧 ᵘ(䕃/⹀ ӊ ᵘ ӊ ⱘ 㒧 ᵘ ܗ ㋴ ǃᠻ 㸠 ῵ ൟ ሲ ᗻ ҹ ঞ 㸠 Ў 䰘 ӊ ⱘ 㒧 ᵘ ܗ ㋴)᯴ ᇘ ЎTASM⦃ ๗ ব 䞣,ࡼ ᗕ 㸠 Ў(ᠻ 㸠䇁 Н ҹ ঞ 㸠 Ў 䰘 ӊ ⱘ 䇁 Н)᯴ ᇘ ЎTASMᢑ 䈵 ᴎ.៥ Ӏ ᇚ Փ ⫼ ㉏MLⱘ ܗ 䇁㿔 ᴹ 㸼⼎ ᯴ ᇘ ੠ 㒘 ড় ݇ ㋏: - ... -P name P TASM P P condition TASM TASM LET AND IN IF THEN ELSE 4.2 䖯⿟ᵘӊ 䖯⿟ ᵘ ӊ ҷ 㸼㋏㒳 ⱘ 㰮 ᢳ ഄ ഔ ぎ䯈,ᔧ ᇍ ᑨ ⱘ ໘ ⧚ ఼ ਃ ࡼ П ৢ,䖯⿟ ᇚ 㽕 ᠻ 㸠 ⱘ Ѡ 䖯 ࠊ 䬰 ڣ ᭛ ӊ ࡴ 䕑 ࠄ 㰮 ᢳ ഄ ഔ ぎ䯈,ࣙ ᣀ ᭛ ӊ ࡴ 䕑 ੠ 䖯⿟ ਃ ࡼ(े ߱ ྟ ࣪)ϸ Ͼ ℹ 偸,㗠 Ϩ ᭈ Ͼ 䖛⿟ ৃ 㛑 Ӯ ߎ 䫭 ៪ 㹿㒜 ℶ. 佪 ܜ,ᇚ 䖯⿟ ᵘ ӊ ⱘ 䕧 ܹ/䕧 ߎ ッ ষ ǃ ᯊ 䯈 ሲ ᗻ ҹ ঞ 䖯⿟ ⢊ ᗕ 䕀 ᤶ Ў TASM ⦃ ๗ ব 䞣.݊ Ё,᭄ ᥂ ッ ষ ⫼

Integerব 䞣㸼⼎,џ ӊ ッ ষ ⫼Booleanব 䞣㸼⼎,џ ӊ ᭄ ᥂ ッ ষ ⫼ ϸ Ͼ ব 䞣(Integer,Boolean)ᴹ 㸼⼎.䖯⿟ ᅮ Н ⱘ ࡴ 䕑 ᯊ 䯈 ੠ ਃ ࡼ ᯊ 䯈,ৃ ҹ ԰ ЎTASM㾘 ߭ ⱘ ᠻ 㸠 ᯊ 䯈.

䇁 Н 㾘 ߭4.2.1. AADL䖯⿟ ᵘ ӊ ⱘTASM⦃ ๗ ব 䞣㸼⼎.

Trans_ProcessData(pr)=

{ State: {unloaded,loading,starting,loaded}:=unloaded;

Iport: Iports(pr)oInteger; Oport: Oports(pr)oInteger; LoadTime: Integer;

StartupTime: Integer;

... }

݊ ⃵,䖯⿟ ᵘ ӊ ⱘ ᠻ 㸠䇁 Н 䕀 ᤶ Ў ϔ Ͼ ࣙ ৿7ᴵ ᠻ 㸠㾘 ߭(Loading Begin,Loading Complete,Loading Abort, Starting Complete,Starting Abort,Process Stop,Process Normal)ⱘTASMᢑ 䈵 ᴎ.TASMৃ ҹ ᕜ ᮍ ֓ ഄ ೼ ↣ Ͼ ᯊ ࠏ ៪ ᯊ ↉,⫼ ϔ ᴵ 㾘 ߭ ᴹ 㸼⼎ Ⳍ ᑨ ⱘ 㸠 Ў.݅ ѿ ব 䞣:

x Started(processor)㸼⼎ ໘ ⧚ ఼ ᰃ ৺ ਃ ࡼ ៤ ࡳ,咬䅸Started(processor)=true; x Abort(processor)㸼⼎ ໘ ⧚ ఼ ᰃ ৺ 㹿 Ё ᮁ;

x Load(th)㸼⼎䆹䖯⿟ Ё ⱘ 㒓⿟ ᰃ ৺ ࡴ 䕑 ៤ ࡳ;

(7)

໘ Ѣloaded⢊ ᗕ.

䖭 ѯ ݅ ѿ ব 䞣 г ᅮ Н ೼TASM⦃ ๗ Ё.

䇁 Н 㾘 ߭4.2.2. AADL䖯⿟ ᵘ ӊ ᠻ 㸠䇁 Н ⱘTASM㸼⼎.

_ ( )

// Rule Loading Begin

0 (if ( ) and ( ) true then

( ) : ) // Rule Loading Complete

TASM Process pr

time State pr unloaded Started processor State pr loading tim LET Trans Process pr

(if ( ) and ( ) false then

( ) : ) // Rule Loading Abort

0 (if ( ) and ( ) true

e LoadTime State pr loading Abort processor State pr starting

time State pr loading Abort processor

then

( ) : ) // Rule Starting Complete

(if ( ) and ( ) false then

( ) :

State pr unloaded

time StartupTime State pr starting Abort processor State pr

.

( ( ) : true))

// Rule Starting Abort

0 (if ( ) and ( ) true then

( ) : ) // Rule Process Stop

0 (if

th pr Threads

loaded Load th

time State pr starting Abort processor State pr unloaded time

( ) and ( ) true then

( ) : ) // Rule Process Normal

(else then )

IN _ ( )

State pr loaded Stop processor State pr unloaded time next skip TASM Process pr 4.3 ῵ᓣবᤶ ೼ ㋏㒳 ᵘ ӊ ੠ 䖯⿟ ᵘ ӊ Ё 䛑 ৃ ҹ ᅮ Н ῵ ᓣ ব ᤶ,ᇍ ᑨ ৘ 㞾 ᄤ ᵘ ӊ ੠ 䖲 ᥹ ⱘ 䜡㕂 ⱘ ব ࣪.៥ Ӏ 䞡 ⚍ 㗗㰥 ῵ ᓣ ব ᤶ ᇍ 㒓⿟ ᠻ 㸠 ੠ 䗮 ֵ ⱘ ᕅ ડ,㗠 Ϩ ῵ ᓣ ব ᤶ থ ⫳ ೼ ᠔ ሲ ⱘ 䖯⿟ ᵘ ӊ ਃ ࡼ П ৢ.೒ 1 㒭 ߎ њ ㋏㒳 ῵ ᓣ ব ᤶ ⱘ ᠻ 㸠 ⢊ ᗕ ੠ ࡼ ԰.

Fig.1 Execution states and actions of an AADL SOM transition ೒1 AADL㋏㒳 ῵ ᓣ ব ᤶ ⱘ ᠻ 㸠 ⢊ ᗕ ੠ ࡼ ԰

(8)

῵ ᓣ ব ᤶ ⱘ ޚ ໛ ᳳ,བ ᵰ ῵ ᓣ ব ᤶ ⱘ ㉏ ൟ Ў ㋻ ᗹ ব ᤶ(Mode_Transition_Response=Emergency),߭ ℸ ޚ ໛ ᳳ ⱘ ᣕ 㓁 ᯊ 䯈 Ў0;བ ᵰ ῵ ᓣ ব ᤶ ⱘ ㉏ ൟ Ў 䅵 ߦ ব ᤶ(Mode_Transition_Response=Planned),߭ ℸ ޚ ໛ ᳳ ᇚ ᣕ 㓁 ࠄ ᮻ ῵ ᓣ ϟ ⱘ ݇ 䬂㒓⿟ ⱘ 䍙 ਼ ᳳ(䆄 ЎHyper(critical_old)),៥ Ӏ ⿄ Ў ৠ ℹ ⚍(synchronization point),㗠 Ϩ ℸ ᯊ 䯈 Ў 㒱 ᇍ ᯊ 䯈.೼ ℸ ᳳ 䯈,ᮻ ῵ ᓣ ϟ ⱘ 㒓⿟ ᇚ 㒻㓁 ᠻ 㸠,䖭 ᰃ Ў њ ֱ 䆕 ῵ ᓣ ব ᤶ ᳳ 䯈㒓⿟ ᠻ 㸠 ੠ 䗮 ֵ ⱘ ⹂ ᅮ ᗻ.೼ ᅝ ܼ ᬌ ݇ ᅲ ᯊ ㋏㒳 Ё,ӏ ࡵ ⱘ ݇ 䬂⿟ ᑺ 䇈 ᯢ њ ӏ ࡵ ⱘ 䞡㽕 ᗻ,AADL⫼“Synchronized_Component”ሲ ᗻ Ў ⳳ ⱘ ਼ ᳳ ᗻ 㒓⿟ ᴹ 㸼⼎ ݇ 䬂㒓⿟. ೼ ℸ ৠ ℹ ⚍ Ϟ,㋏㒳䖯 ܹ Mode_transition_in_progress ⢊ ᗕ,ᑊ ℷ ᓣ ᓔ ྟ ῵ ᓣ ব ᤶ:⏏ ࡴ ᮄ ῵ ᓣ(newSOM)ϟ Ϩ ϡ ሲ Ѣ ᮻ ῵ ᓣ(oldSOM)ⱘ 㒓⿟;ߴ 䰸 ᮻ ῵ ᓣ ϟ Ϩ ϡ ሲ Ѣ ᮄ ῵ ᓣ ⱘ 㒓⿟ ੠ 䖲 ᥹;ৠ ᯊ ሲ Ѣ ϸ Ͼ ῵ ᓣ ⱘ ݇ 䬂㒓⿟㒻㓁 ᠻ 㸠;ৠ ᯊ ሲ Ѣ ϸ Ͼ ῵ ᓣ ⱘ 䖲 ᥹ ৃ ҹ ⫼ Ѣ 䗮 ֵ.ᅠ ៤ 䖭 ѯ ࡼ ԰ П ৢ,㋏㒳 ᠡ ℷ ᓣ 䖯 ܹ ᮄ ῵ ᓣ,ᑊ ▔ ⌏ ᮄ ῵ ᓣ ϟ ⱘ 䖲 ᥹.བ ᵰ ῵ ᓣ ব ᤶ ⱘ ㉏ ൟ Ў ㋻ ᗹ ব ᤶ,߭ ῵ ᓣ ব ᤶ ⱘ ᣕ 㓁 ᯊ 䯈 Ў 0;བ ᵰ ῵ ᓣ ব ᤶ ⱘ ㉏ ൟ Ў 䅵 ߦ ব ᤶ,߭ ῵ ᓣ ব ᤶ ᇚ ᣕ 㓁 ࠄ ೼ ℸ ᳳ 䯈㒻㓁 ᠻ 㸠 ⱘ ݇ 䬂㒓⿟ ⱘ 䍙 ਼ ᳳ(े,ৠ ᯊ ሲ Ѣ ϸ Ͼ ῵ ᓣ ⱘ ݇ 䬂㒓⿟),ᑊ Ϩ ৃ 㛑 Ў ໮ Ͼ 䍙 ਼ ᳳ,៥ Ӏ 䆄 ЎHyper(critical_continue)*. ㋏㒳 ↣ ⃵ া ડ ᑨ ϔ Ͼ ῵ ᓣ ব ᤶ 䇋 ∖,೼ ῵ ᓣ ব ᤶ 䖛⿟ Ё,݊ ҪMCR䛑 Ӯ 㹿 ᗑ ⬹,㗠 Ϩ ϡ 㗗㰥 ໮ ϾMCRⱘ Ӭ ܜ 㑻. ೼TASM⦃ ๗ ব 䞣 Ё,៥ Ӏ ᓩ ܹ“CurrentSOM”,“ModeTransitionInProgress”,“ArriveHyperPeriod”ㄝ ব 䞣. 䇁 Н 㾘 ߭4.3.1. AADL㋏㒳 ῵ ᓣ ব ᤶ ⱘTASM⦃ ๗ ব 䞣㸼⼎. Trans_ModeData(tr)= { CurrentSOM: SOM; ArriveHyperPeriod: Boolean; ModeTransitionInProgress: Boolean; SOMRequest: Boolean; … } ݊ ᠻ 㸠䇁 Н 䕀 ᤶ ЎTASM_SOM_Transition੠MCRϸ Ͼ ᢑ 䈵 ᴎ,ߚ ߿ ᇍ ᑨ ῵ ᓣ ব ᤶ ⱘ 㸠 Ў ੠ ῵ ᓣ ব ᤶ 䇋 ∖ ⱘ ѻ ⫳.ࠡ 㗙 ࣙ ᣀWaiting Hyper Period,Mode Transition In Progress,Mode Transitionҹ ঞWaiting MCRㄝ4ᴵ 㾘 ߭,ᑊ 䗮䖛 ݅ ѿ ব 䞣 Activation(th)੠ Activation(cn)ᴹ 㸼⼎㒓⿟ ੠ 䖲 ᥹ ᰃ ৺ ໘ Ѣ ᔧ ࠡ ῵ ᓣ.ᇍ Ѣ 䅵 ߦ ব ᤶ,⬅ Ѣ ৠ ℹ ⚍Hyper(critical_old)ᰃ 㒱 ᇍ ᯊ 䯈,಴ ℸ ⫼Waiting Hyper Period㾘 ߭ ᴹ 㸼⼎䍙 ਼ ᳳ ⱘ ࠄ 䖒,ᑊ ೼ 䖭 Ͼ ᯊ ࠏ 䖯 ܹ

Mode_transition_in_progress ⢊ ᗕ;ᇍ Ѣ ゟ े ব ᤶ,ϡ 䳔㽕 ৠ ℹ ⚍,㗠 ᰃ ゟ े 䖯 ܹ Mode_transition_in_progress ⢊ ᗕ,ᑊ ゟ े ᅠ ៤ ῵ ᓣ ব ᤶ.MCR ᢑ 䈵 ᴎ ࣙ ৿ ϸ ᴵ 㾘 ߭,ᑊ ⫼[0,Hyper(critical_old)]ᴹ 㸼⼎䱣 ᴎ ѻ ⫳ MCR ⱘ ᯊ 䯈. ⬅ Ѣ Hyper(critical_continue)*ৃ 㛑 Ў ໮ Ͼ 䍙 ਼ ᳳ,े,Ң Mode_transition_in_progress ⢊ ᗕ ࠄ End_of_SOM_

transition⢊ ᗕ ⱘ ᣕ 㓁 ᯊ 䯈 ϡ ⹂ ᅮ,಴ ℸ ៥ Ӏ Փ ⫼ ঺ ϔ Ͼ ᢑ 䈵 ᴎManage_Hyper_Continueᴹ ㅵ ⧚ 䖭 Ͼ ᯊ 䯈. 䇁 Н 㾘 ߭4.3.2. AADL㋏㒳 ῵ ᓣ ব ᤶ ᠻ 㸠䇁 Н ⱘTASM㸼⼎. _ ( ) . . _ _

// Rule Waiting Hyper Period .

( _ ) (if ( )

oldSOM tr SourceMode newSOM tr DestinationMode TASM SOM Transition

tr TransitionType planned

time Hyper critical old State pr loaded

LET AND AND IF THEN Trans Mode tr

and and false then

: true) // Rule Mode Transition In Progress

.

CurrentSOM oldSOM SOMRequest ArriveHyperPeriod

(9)

( ) \ ( )

0 (if and true and true then

: true : true

th threads newSOM threads oldSOM

time CurrentSOM oldSOM SOMRequest ArriveHyperPeriod ModeTransitionInProgress FlagNewSOM Activa ( ) \ ( ) ( ) \ ( ) ( ) : true ( ) : false ( ) : false)

0 (if and true

th threads oldSOM threads newSOM

cn connections oldSOM threads newSOM

tion th Activation th

Activation cn

time CurrentSOM oldSOM SOMRequest

ELSE ( ) \ ( ) ( ) \ ( ) ( then : true ( ) : true ( ) : false

th threads newSOM threads oldSOM

th threads oldSOM threads newSOM cn connections old

ModeTransitionInProgress Activation th Activation th ) \ ( ) ( ) : false)

// Rule SOM transition .

0 (if true and false then

:

SOM threads newSOM Activation cn

time ModeTransitionInProgress FlagNewSOM CurrentSOM newS IF THEN ( ) \ ( ) Re : false ( ) : true : false : false) 0 (if

cn connections newSOM threads oldSOM

OM SOM quest Activation cn ModeTransitionInProgress ArriveHyperPeriod time ModeTrans ELSE ( ) \ ( ) true then : ( ) : true : false : false)

cn connections newSOM threads oldSOM

itionInProgress

CurrentSOM newSOM Activation cn

SOMRequest ModeTransitionInProgress Mana AND _ _

( _ ) (if true then

: false)

// Produce MCR

(0, ( _ )) (if (

ge Hyper Continue time Hyper critical continue

FlagNewSOM MCR

time Hyper critical old State pr

AND

) and and false then

: true) // Rule Waiting Next Event

(else ) .

loaded CurrentSOM oldSOM SOMRequest SOMRequest

time next then skip tr Transitio IN IF _ _ || _ _ || _ _ || nType planned

TASM SOM Transition Manage Hyper Continue MCR

TASM SOM Transition MCR

THEN ELSE 4.4 㗗㰥᭄᥂ッষ䗮ֵⱘ㒓⿟ᵘӊ 㗗㰥 ᭄ ᥂ ッ ষ 䗮 ֵ ⱘ 㒓⿟ ᵘ ӊ ⱘ 䇁 Н ᰃ ⬅ 㒓⿟ ᵘ ӊ ⱘ ෎ ᴀ 㸠 Ў ҹ ঞ 㒓⿟ ߚ থ ੠ ᭄ ᥂ ッ ষ 䗮 ֵ ⱘ ᠻ 㸠䇁 Н ᵘ ៤,㸼⼎ Ў 䇁 Н 㾘 ߭4.4.1੠ 䇁 Н 㾘 ߭4.4.2. 䇁 Н 㾘 ߭4.4.1. 㗗㰥 ᭄ ᥂ ッ ষ 䗮 ֵ ⱘ 㒓⿟ ᵘ ӊ ⱘTASM⦃ ๗ ব 䞣㸼⼎. Trans_ThreadData(th)= {State: {halted,waiting_mode,waiting_dispatch,waiting_execution,execution, completed,waiting_next_dispatch}:=waiting_mode;

Iport: Iports(th)oInteger; Oport: Oports(th)oInteger;

(10)

RscUsage: RESOURCESoInteger; WaitingNextDispatch: Boolean; … } Trans_ConnectionData(cn)= { ConnectionType: {immediate,delayed}; … } 䇁 Н 㾘 ߭4.4.2. 㗗㰥 ᭄ ᥂ ッ ষ 䗮 ֵ ⱘ 㒓⿟ ᵘ ӊ ᠻ 㸠䇁 Н ⱘTASM㸼⼎. _ ( ) _ ( ) //

0 (if ( ) and ( ) true then ( ) : _ )

// Rule Activation

0 (if ( ) _

TASM Thread th Rule Initialization

time State th halted Load th State th waiting mode Time State th waiting

LET

Trans Thread th

and ( ) true then ( ) : _ )

// Rule Dispatch

0 (if ( ) _ and ( ) true then

( ) :

mode Activation th State th waiting dispatch

Time State th waiting dispatch Dispatch th State th waiti

_ ( ) : ( ) ( ) : false)

// Rule Waiting Execution

0 (if ( ) _ _ ( ) true then

( ) : _

ng execution Iport th IportBuffer th Dispatch th

Time State th waiting execution and Get CPU th State th execution Trans Co _ ( )) // Rule Execution ( ( ), ( )) 100 (if ( ) then ( ) : ( ( )) ( ) : _ (

Time BCET th WCET th Resource Processor State th execution

Oport th ComputeOutPut Iport th State th completed Get CPU t

nnection Read th

) : false) // Rule Write Data

0 (if ( ) then

( ) : _ _ _ _ _ ( ))

// Rule Waiting Next Event (else then

h Time State th completed

State th waiting next dispatch

Time next s

Trans Connection Write Imm th

) // Rule Deactivation

0 (if ( ) _ ( ) false then

( ) : _ ) ( )

_ // Rule D

kip

time State th waiting dispatch and Activation th State th waiting mode

Dispatcher th

Dispatch protocol Periodic

AND

IF THEN

ispatch Thread

0 (if ( ) true and ( ) _ and ( ) false then ( ) : true : true)

// Rule Waiting Period

time Activation th State th waiting dispatch Dispatch th Dispatch th WaitingNextDispatch

time Perio

( ) (if true then

: false _ _ _ ( )

d th WaitingNextDispatch

WaitingNextDispatch

Trans Connection Write Delay th

( ) : _ )

// Rule Waiting Next Event

State th waiting mode

(11)

(else then ) _

// Rule Dispatch Thread

[0, Max] (if ( ) true and ( ) _ and ( ) false then

time Next skip Dispatch protocol Aperiodic

time Activation th State th waiting dispatch Dispatch th

IF THEN

( ) : true : true)

// Rule Prepare Next Dispatch

0 (if ( ) and true then

: false (

Dispatch th WaitingNextDispatch

time State th completed WaitingNextDispatch WaitingNextDispatch State ) : _ )

// Rule Waiting Next Event (else then ) //

// Rule Dispatch Thread

[ , Max] (if ( ) true and ( ) _ and ( ) fa

th waiting mode

time next skip Sporadic

time Period Activation th State th waiting dispatch Dispatch th

ELSE

lse then

( ) : true : true) // Rule Prepare Next Dispatch

0 (if ( ) and true then

Dispatch th WaitingNextDispatch time State th completed WaitingNextDispatch

( )

: false ( ) : _ )

// Rule Waiting Next Event (else then )

_ ( ) || ( )

_ _ ( )

ip Iports th cn Connections

WaitingNextDispatch State th waiting mode

time next skip

TASM Thread th Dispatcher th

IN

Trans Connection Read th

( ) ( )

( )

( ) ( )

: ( )

_ _ _ ( ) (

DestinationPort cn ip ConnectionType cn immediate

op Oports th cn Connections ConnectionType cn immediate SourcePort cn op

ip IportBuffer th IportBuffer Destinati

Trans Connection Write Imm th

( )

( ) ( )

( )) :

_ _ _ ( ) ( ( )) :

op Oports th cn Connections ConnectionType cn delayed SourcePort cn op

onPort cn op IportBuffer DestinationPort cn op

Trans Connection Write Delay th

4.4.1 㒓⿟ᵘӊⱘ෎ᴀ㸠Ў 㒓⿟ ᵘ ӊ 㸼⼎ ϔ Ͼ Ѡ 䖯 ࠊ 䬰 ڣ Ё 乎 ᑣ ᠻ 㸠 ⱘ ᣛ Ҹ ᑣ ߫,ᰃ AADLЏ 㽕 ⱘ ᠻ 㸠 ੠ 䇗 ᑺ ऩ ܗ.ӏ ԩ ϔ Ͼ 㒓⿟ ᵘ ӊ ೼ ᠻ 㸠 П ࠡ,䛑䳔㽕 ᇚ ݊ Ѡ 䖯 ࠊ 䬰 ڣ ᭛ ӊ ࡴ 䕑 ࠄ 䖯⿟,ࡴ 䕑 ៤ ࡳ ᠡ 㛑 ໘ Ѣ ㄝ ᕙ ߚ থ ⢊ ᗕ(waiting dispatch);བ ᵰ ㋏㒳 ᄬ ೼ ϡ ৠ ῵ ᓣ,া ᳝ ໘ Ѣ ᔧ ࠡ ῵ ᓣ ⱘ 㒓⿟ ᠡ 㛑㹿 ߚ থ,৺ ߭,㒓⿟ ໘ Ѣ ㄝ ᕙ ῵ ᓣ ⢊ ᗕ(waiting mode);໘ Ѣ ㄝ ᕙ ߚ থ ⢊ ᗕ ⱘ 㒓⿟ ৃ ҹ 㹿 ਼ ᳳ ᗻ ᯊ 䩳 ៪ џ ӊ ᴹ ߚ থ,ࣙ ᣀ ਼ ᳳ ǃ 䴲 ਼ ᳳ ǃ ي থ ㄝ ໮ ⾡ ߚ থ ण 䆂;ߚ থ ৢ ⱘ 㒓⿟䳔㽕ㄝ ᕙ 䇗 ᑺ ᠻ 㸠(waiting execution);ᕫ ࠄ ໘ ⧚ ఼ ⱘ 㒓⿟䖯 ܹ ᠻ 㸠 ⢊ ᗕ,ᠻ 㸠 ⱘ ݋ ԧ 㸠 Ў ߭ ৃ ⫼ 㸠 Ў 䰘 ӊ (behavior annex)ᴹ 䆺㒚 ࠏ ⬏;ᇍ Ѣ 㒓⿟䯈䗮 ֵ,AADL䞛 ⫼“Input-Compute-Output”ⱘ 䅵 ㅫ ῵ ൟ,咬䅸 ᚙ މ ϟ,೼ 㒓⿟ ߚ থ ⱘ ᯊ ࠏ 䇏 প ᠔ ᳝ 䕧 ܹ ッ ষ ⱘ ᭄ ᥂ ᑊ ㄝ ᕙ 䅵 ㅫ,೼ 䅵 ㅫ ᅠ ៤ ᯊ ࠏ ᇚ 㒧 ᵰ ݭ ܹ 䕧 ߎ ッ ষ,Ԛ ϡ ৠ ⱘ 䗮 ֵ ᴎ ࠊ (immediate/delayed)Ӯ ᕅ ડ 㒓⿟ ⱘ 䇏 ǃ ݭ ᯊ 䯈.བ ೒2᠔ ⼎.

Fig.2 Execution states and actions of an AADL thread component ೒2 AADL㒓⿟ ᵘ ӊ ⱘ ᠻ 㸠 ⢊ ᗕ ੠ ࡼ ԰

(12)

↣ Ͼ 䕧 ܹ ッ ষ ᅮ Н ϔ Ͼ ব 䞣 IportBuffer,⫼ Ѣ 㓧 ᄬ ᭄ ᥂;݊ ⃵,ᇚ 㒓⿟ ᵘ ӊ ⱘ ᠻ 㸠䇁 Н 䕀 ᤶ Ў ϔ Ͼ ࣙ ৿8 ᴵ ᠻ 㸠㾘 ߭(Initialization,Activation,Dispatch,Waiting Execution,Execution,Write Data,Waiting Next Event,Deactivation) ⱘTASMᢑ 䈵 ᴎTASM_Thread(th):

x Initialization㾘 ߭:⫼ ᴹ ໘ ⧚ 㒓⿟ ੠ 䖯⿟ ࡴ 䕑 ⱘ ݇ ㋏,䗮䖛 ݅ ѿ ব 䞣 Load(th):{true,false}ᴹ ৠ ℹ,䖯⿟ ᵘ ӊ ⱘ ᠻ 㸠䇁 Н ೼ ㄀4.2㡖 Ꮖ 㒣 ᅮ Н.

x Activation㾘 ߭:⫼ ᴹ 㸼⼎㒓⿟䖯 ܹ ᔧ ࠡ ῵ ᓣ(Enter(mode)),ᑊ 䗮䖛 ݅ ѿ ব 䞣Activation(th)=trueᴹ ৠ ℹ, ῵ ᓣ ব ᤶ ⱘ ᠻ 㸠䇁 Н ೼ ㄀4.3㡖 Ё Ꮖ 㒣 ᅮ Н.

x Dispatch㾘 ߭:⫼ ᴹ ໘ ⧚ 㒓⿟ ੠ ߚ থ ఼(dispatcher)ⱘ ݇ ㋏,ߚ থ ఼ ৃ ҹ ਼ ᳳ ǃ 䴲 ਼ ᳳ ៪ ي থ ᗻ ഄ ߚ থ 㒓⿟,䗮䖛 ݅ ѿ ব 䞣Dispatch(th):{true,false}ᴹ ৠ ℹ,ᑊ ᇚIportBufferЁ ⱘ ᭄ ᥂ 䇏 প ࠄ 䕧 ܹ ッ ষ Ё. x Waiting Execution 㾘 ߭:㒓⿟ ᠻ 㸠 Ӯ ফ ࠄ 䗮 ֵ ձ 䌪 ៪ 䇗 ᑺ ⱘ ᕅ ડ,៥ Ӏ Փ ⫼ ݅ ѿ ব 䞣 Get_CPU(th):

{true,false}ᴹ ৠ ℹ,䇗 ᑺ ఼(scheduler)ⱘ ᠻ 㸠䇁 Н ᇚ ೼ ㄀4.5㡖 Ё ᅮ Н.

x Execution 㾘 ߭:བ ᵰ ≵ ᳝ ᅮ Н 㸠 Ў 䰘 ӊ,ℸ 㾘 ߭ ⱘ ᠻ 㸠 ᯊ 䯈 Ў[BCET,WCET],៥ Ӏ ⫼“ComputeOutPut” ߑ ᭄ ᴹ ᢑ 䈵㸼⼎ ݊ ᠻ 㸠,ᑊ Ϩ ৃ ҹ ᅮ Н ໘ ⧚ ఼ ǃ ᄬ ټ ఼ ǃ ᘏ 㒓 ǃ ࡳ 㗫 ⱘ ߽ ⫼ ⥛,བ ᵰ ᅮ Н њ 㸠 Ў 䰘 ӊ, ߭ 䳔㽕 ᇍ 䖭 ᴵ 㾘 ߭ 䖯㸠 ∖ ㊒,ᇚ ೼ ㄀4.6㡖 Ё 㒭 ߎ.

x Write Data㾘 ߭:ᠻ 㸠 ᅠ ៤ П ৢ,Ⳉ ᥹ ᇚ 䕧 ߎ ッ ষ ⱘ ᭄ ᥂ ݭ ܹ ᥹ ᬊ 㒓⿟ ⱘIportBufferᔧ Ё.

x Waiting Next Event㾘 ߭:⫼ Ѣ ໘ ⧚ ᴵ ӊ ϡ ⒵ 䎇㗠䳔㽕ㄝ ᕙ ⱘ ᚙ މ,՟ བ 䖯⿟ ࡴ 䕑 ༅ 䋹 ǃ ϡ ໘ Ѣ ᔧ ࠡ ῵ ᓣ ǃ ≵ ᳝ 㹿 ߚ থ ǃ ≵ ᳝ ᕫ ࠄ ໘ ⧚ ఼ 䌘 ⑤ ㄝ,䆹㾘 ߭ Փ ⫼ њTASM䴲 ᐌ 䞡㽕 ⱘ ৠ ℹ ᴎ ࠊ:t:=next. x Deactivation 㾘 ߭:⫼ ᴹ 㸼⼎㒓⿟䗔 ߎ ᔧ ࠡ ῵ ᓣ(Exit(mode)),ᑊ 䗮䖛 ݅ ѿ ব 䞣 Activation(th)=false ᴹ ৠ

ℹ,῵ ᓣ ব ᤶ ⱘ ᠻ 㸠䇁 Н ೼ ㄀4.3㡖 Ё Ꮖ 㒣 ᅮ Н. 4.4.2 㒓⿟ߚথ

೼AADLЁ,ߚ থ ఼ ᑊ ϡ ᰃ ϔ Ͼ ⣀ ゟ ᵘ ӊ,㗠 ᰃ 㒓⿟ ᵘ ӊ ⱘ ϔ Ͼ ᠻ 㸠 ῵ ൟ ሲ ᗻ,ᬃ ᣕ ਼ ᳳ ǃ 䴲 ਼ ᳳ ǃ ي থ ǃ ᅲ ᯊ ǃ ⏋ ៤ ǃ ৢ ৄ 䖭6⾡ ߚ থ ण 䆂,ᴀ ᭛ Џ 㽕㗗㰥 ᐌ ⫼ ⱘ ࠡ3⾡ ᚙ މ.

㒓⿟ ߚ থ ఼ ⱘ ᠻ 㸠䇁 Н ⫼ ঺ ϔ Ͼ ᢑ 䈵 ᴎ Dispatcher(th)ᴹ 㸼⼎,ᑊ ੠ 㒓⿟ ෎ ᴀ 㸠 Ў ⱘ ᢑ 䈵 ᴎ ᑊ থ ᠻ 㸠,ᅗ Ӏ П 䯈䗮䖛 ݅ ѿ ব 䞣Dispatch(th)੠ 㒓⿟ ⢊ ᗕ ব 䞣State(th)ᴹ ৠ ℹ.៥ Ӏ ⫼t:=[0,max]㸼⼎䴲 ਼ ᳳ џ ӊ ⱘ ࠄ 䖒 ᯊ 䯈, ⫼t:=[period,max]㸼⼎ ي থ џ ӊ ⱘ ࠄ 䖒 ᯊ 䯈.݊ Ё,Dispatch Thread㾘 ߭ 㸼⼎:

x བ ᵰ 㒓⿟ ሲ Ѣ ᔧ ࠡ ῵ ᓣ,ᑊ Ϩ ໘ Ѣ ㄝ ᕙ ߚ থ ⢊ ᗕ,߭ ߚ থ 䆹㒓⿟. x ᇍ Ѣ ਼ ᳳ ᗻ 㒓⿟,㒓⿟㹿 ߚ থ П ৢ,ߚ থ ఼ 䳔㽕ㄝ ᕙ ϔ Ͼ ਼ ᳳ,ݡ 䅽㒓⿟䖯 ܹ ϟ ϔ ⃵ ߚ থ.⬅ Ѣ 䳔㽕㗗㰥 ῵ ᓣ ব ᤶ ⱘ ᕅ ડ,಴ ℸ ᇚ 㒓⿟ ⢊ ᗕ 䆒 Ў ㄝ ᕙ ῵ ᓣ. x ᇍ Ѣ 䴲 ਼ ᳳ ៪ ي থ 㒓⿟,㒓⿟ ᠻ 㸠 ᅠ ៤ П ৢ,ህ ৃ ҹ 䖯 ܹ ㄝ ᕙ ῵ ᓣ ⢊ ᗕ. 4.4.3 ᭄᥂ッষ䗮ֵ ᴀ ᭛ Џ 㽕 ݇ ⊼ ਼ ᳳ ᗻ 㒓⿟ П 䯈 ⱘ ᭄ ᥂ ッ ষ 䗮 ֵ.ッ ষ 䗮 ֵ ⱘ ෎ ᴀ ᮍ ᓣ ᰃ 䞛 ḋ(sampled),Ԛ ⬅ Ѣ ᑊ থ ੠ ᡶ ऴ ⱘ ॳ ಴,䗮 ֵ 㸠 Ў ৃ 㛑 ᄬ ೼ ϡ ⹂ ᅮ ᗻ,Ң 㗠 ᇐ 㟈 ᭈ Ͼ ㋏㒳 ᄬ ೼ ᓊ 䖳 ǃᡪ ࡼ ៪ ϡ 〇 ᅮ.Ў ℸ,AADLᦤ կ њ ϸ ⾡ ⹂ ᅮ ᗻ ⱘ ᭄ ᥂ ッ ষ 䗮 ֵ ᴎ ࠊ:े ᯊ 䗮 ֵ(immediate)੠ ᓊ 䖳䗮 ֵ(delayed). x े ᯊ 䗮 ֵ 㽕 ∖ (1) থ䗕㒓⿟੠᥹ᬊ㒓⿟䛑ᰃ਼ᳳᗻ㒓⿟. (2) ᇍѢߚথ:བᵰ਼ᳳⳌৠ(⿄Ў synchronous),㽕∖ϸϾ㒓⿟ৠᯊߚথ;བᵰ਼ᳳϡৠ,ᔧথ䗕㒓⿟਼ᳳ ᰃ ᥹ ᬊ 㒓⿟ ਼ ᳳ ⱘ ס ᭄(⿄ Ў oversampling),े,থ 䗕㒓⿟ ߚ থ ϔ ⃵,㗠 ᥹ ᬊ 㒓⿟ Ӯ ߚ থ ໮ ⃵,Ԛ ϔ 㠀㽕 ∖ থ 䗕㒓⿟ ⱘ ߚ থ ੠ ᥹ ᬊ 㒓⿟ ⱘ ㄀1⃵ ߚ থ ᰃ ৠ ᯊ ⱘ;ᔧ ᥹ ᬊ 㒓⿟ ਼ ᳳ ᰃ থ 䗕㒓⿟ ਼ ᳳ ⱘ ס ᭄(⿄ Ў undersampling),े,থ 䗕㒓⿟ ߚ থ ໮ ⃵,㗠 ᥹ ᬊ 㒓⿟ ߚ থ ϔ ⃵,ϔ 㠀㽕 ∖ থ 䗕㒓⿟ ⱘ ㄀1⃵ ߚ থ ੠ ᥹ ᬊ 㒓⿟ ⱘ ߚ থ ᰃ ৠ ᯊ ⱘ. (3) ᇍѢᠻ㸠:㱑✊ϸϾ㒓⿟ᰃৠᯊߚথⱘ,Ԛ᥹ᬊ㒓⿟ⱘⳳℷᠻ㸠㽕ㄝࠄথ䗕㒓⿟ᅠ៤Пৢᠡ㛑ᓔྟ, े,থ 䗕㒓⿟ ೼ ݊ Complete ᯊ ࠏ ᇚ ᭄ ᥂ ݭ ܹ 䕧 ߎ ッ ষ,㗠 ᥹ ᬊ 㒓⿟䳔㽕 ೼ ℸ ࠏ 䞡 ᮄ 䇏 প থ 䗕㒓⿟ ⱘ

(13)

䕧 ߎ ᭄ ᥂,ᑊ ᓔ ྟ ᠻ 㸠. x ᓊ 䖳䗮 ֵ 㽕 ∖ (1) থ䗕㒓⿟੠᥹ᬊ㒓⿟䛑ᰃ਼ᳳᗻ㒓⿟. (2) ᇍѢߚথ:ᄬ೼ Synchronous,Oversampling,Undersampling 䖭 3 ⾡ᚙމ,Ԛϡ㽕∖ϸϾ㒓⿟ৠᯊߚথ. (3) ᇍѢᠻ㸠:থ䗕㒓⿟ᰃ೼݊ Deadline ᯊࠏ(ϔ㠀ㄝѢ਼ᳳ)ᠡᇚ᭄᥂ݭܹ䕧ߎッষ,㗠᥹ᬊ㒓⿟೼݊ Dispatchᯊ ࠏ 䇏 প Ϟ ϔ Ͼ ਼ ᳳ থ 䗕㒓⿟ ⱘ 䕧 ߎ ᭄ ᥂,಴ ℸ ϡ 䳔㽕䞡䇏 ᮄ ᭄ ᥂. 佪 ܜ,ᇚ 䖲 ᥹ ㉏ ൟ ㄝ ֵ ᙃ ᯴ ᇘ ЎTASM⦃ ๗ ব 䞣;݊ ⃵,݊ 䕀 ᤶ 䇁 Н ᰃ ೼ 㒓⿟ ᵘ ӊ ҹ ঞ ਼ ᳳ ᗻ ߚ থ ण 䆂 ⱘ 䇁 Н П Ϟ,䖯 ϔ ℹ ᠽ ܙ 䗮 ֵ ᇍ ッ ষ 䇏 ݭ ᯊ 䯈 ⱘ ᕅ ડ,៥ Ӏ ᇚ Trans_Connection(th)ߚ Ў Trans_Connection_Read(th), Trans_Connection_Write_Imm(th)ҹ ঞTrans_Connection_Write_Delay(th)),ߚ ߿ ᇍ ᑨ े ᯊ 䗮 ֵ ⱘ ᥹ ᬊ 㒓⿟ ೼ ᓔ ྟ ᠻ 㸠 П ࠡ 䞡䇏 ᳔ ᮄ ᭄ ᥂ ǃे ᯊ 䗮 ֵ ⱘ থ 䗕㒓⿟ ೼Completeᯊ ࠏ 䕧 ߎ ᭄ ᥂ ҹ ঞ ᓊ 䖳䗮 ֵ ⱘ থ 䗕㒓⿟ ೼Deadline ᯊ ࠏ 䕧 ߎ ᭄ ᥂.䱤 ৿ ⱘ 㒓⿟ ᠻ 㸠乎 ᑣ ᇚ ᰒ ᓣ ഄ 㸼⼎ Ў ϔ Ͼ 䇗 ᑺ ఼,ᑊ ೼ ㄀ 4.5㡖㒭 ߎ.㗠 Ϩ,䇁 Н 㾘 ߭ ᰃ 䩜 ᇍ ӏ ᛣ ⱘ ਼ ᳳ ᗻ 㒓⿟,Synchronous,Oversampling,Undersampling,Immediateҹ ঞDelayedㄝ ໮ ⾡ ᚙ މ 䛑㗗㰥 ೼ ݊ Ё. 4.5 䇗ᑺ఼ ᴀ ᭛ 䅼䆎 ⱘ 䇗 ᑺ Џ 㽕 ᰃ 䩜 ᇍ ऩ ໘ ⧚ ఼,Ϩ Ў 䴲 ᡶ ऴ ᓣ 䇗 ᑺ: x 佪 ܜ,ϸ ⾡ ⹂ ᅮ ᗻ ⱘ ᭄ ᥂ ッ ষ 䗮 ֵ ᮍ ᓣ ϡ ҙ 㾘 ᅮ њ থ 䗕㒓⿟ ੠ ᥹ ᬊ 㒓⿟ ⱘ ッ ষ 䇏 ݭ ᯊ 䯈,䖬䱤 ৿ ഄ 㒭 ᅮ њ 㒓⿟ ᠻ 㸠乎 ᑣ,៥ Ӏ ⿄ Ў 䴭 ᗕ 䇗 ᑺ(offline scheduling).䴭 ᗕ 䇗 ᑺ ೼ ᅝ ܼ ᬌ ݇ ᅲ ᯊ ㋏㒳乚 ඳ 㒣 ᐌ Փ ⫼,े,Փ ⫼ 䇗 ᑺ 㸼䴭 ᗕ ഄ 㒭 ߎ ᠻ 㸠乎 ᑣ,㗠 Ϩ ৃ ҹ ᮍ ֓ ഄ 㸼⼎ ӏ ࡵ П 䯈 ⱘ ձ 䌪 ݇ ㋏. x ݊ ⃵,AADL ᬃ ᣕ ೼ ໘ ⧚ ఼ ᵘ ӊ Ё ᰒ ᓣ ᅮ Н 䇗 ᑺ ㄪ ⬹,ࣙ ᣀ ೎ ᅮ ᯊ 䩳偅 ࡼ ǃ 䕂䕀 ǃRMSǃEDFǃ SporadicServerǃSlackServerҹ ঞARINC653ㄝ䇗 ᑺ ㄪ ⬹.៥ Ӏ Џ 㽕㗗㰥 ೎ ᅮ ᯊ 䩳偅 ࡼ ǃ䕂䕀䇗 ᑺ ҹ ঞ RMSㄝ䇗 ᑺ ㄪ ⬹,Ϩ ⫼ Ѣ ⣀ ゟ ӏ ࡵ.ձ ᥂AADLᯊ 䯈 খ ᭄,ৃ ҹ ᕫ ࠄ 䴭 ᗕ ⱘ 䇗 ᑺ 㸼.

佪 ܜ 㒭 ߎ 䇗 ᑺ ఼ ᠔ ᇍ ᑨ ⱘTASM⦃ ๗ ব 䞣,ব 䞣CPUࣙ ᣀfree੠busyϸ Ͼ ⢊ ᗕ. 䇁 Н 㾘 ߭4.5.1. AADL㒓⿟䇗 ᑺ ᇍ ᑨ ⱘTASM⦃ ๗ ব 䞣㸼⼎. Trans_SchedulerData= { Deadline: Integer; CPU:{free,busy}; … } ݊ ⃵ 㒭 ߎ 䇗 ᑺ ఼ ᇍ ᑨ ⱘ TASM ᢑ 䈵 ᴎ.ᣝ ✻ 䇗 ᑺ 㸼,៥ Ӏ ᵘ 䗴㒓⿟ ᠻ 㸠 ⱘ ೎ ᅮ Ӭ ܜ 㑻乎 ᑣ(䖭䞠 ⫼ Ҹ ⠠ Token={th1,…thi,…thn}ᴹ 㸼⼎),ҹ ⹂ ֱ ໮ Ͼ 㒓⿟ ϡ ৠ ᯊ Փ ⫼ ໘ ⧚ ఼. 䇁 Н 㾘 ߭4.5.2. AADL㒓⿟䇗 ᑺ ᠻ 㸠䇁 Н ⱘTASM㸼⼎. _ _ ...

// Rule Scheduling Thread

0 (if ( ) _ and and then

_ ( ) : true : ) ...

// Rule W

TASM Scheduler

th

time State th waiting execution Token th CPU free

Get CPU th CPU busy

LET Trans Scheduler

aiting Next Event (else then ) _

time next skip TASM Scheduler

IN

೼ ෎ ᴀ 䇗 ᑺ ㄪ ⬹ ⱘ ෎ ⸔ Ϟ,ৃ ҹ 䖯 ϔ ℹ 㗗㰥䌘 ⑤ ݅ ѿ ᇍ 䇗 ᑺ ⱘ ᕅ ડ.㒓⿟ ᵘ ӊ 䳔㽕 ๲ ࡴWaiting resource⢊ ᗕ,㗠䌘 ⑤ ৃ ҹ 㸼⼎ Ў ᏺ{idle,used}ϸ Ͼ ⢊ ᗕ ⱘ ᢑ 䈵 ᴎ,ᑊ Ϣ 㒓⿟ ᵘ ӊ ᠻ 㸠䇁 Н ⱘ ᢑ 䈵 ᴎ ᑊ থ ᠻ 㸠.

(14)

4.6 㸠Ў䰘ӊ AADL㒓⿟ ᵘ ӊ Փ ⫼ ⱘ ᰃ“Input-Compute-Output”䅵 ㅫ ῵ ൟ,䕧 ܹ ǃ䕧 ߎ 㸠 Ў ᰃ ⬅ 㒓⿟ ⱘ ෎ ᴀ ᠻ 㸠䇁 Н ੠ 㒓⿟䗮 ֵ 䇁 Н އ ᅮ ⱘ,㗠㸠 Ў 䰘 ӊ ߭ ᰃ ᇍ 䅵 ㅫ 㸠 Ў 䖯㸠㒚 ࣪ ੠ ∖ ㊒. ೒ 3 㒭 ߎ њ 㸠 Ў 䰘 ӊ Ϣ 㒓⿟ ᠻ 㸠 ῵ ൟ ⱘ ݇ ㋏:㒓⿟ ᠻ 㸠 ῵ ൟ ⱘ ߚ থ ᴎ ࠊ ᇚ ᭄ ᥂ ݭ ܹ 䕧 ܹ ᭄ ᥂ ッ ষ;㸠 Ў 䰘 ӊ 䇏 প 䖭 ѯ ᭄ ᥂ خ 䘏䕥 ߸ ᮁ ᑊ 䅵 ㅫ,䅵 ㅫ ᅠ ៤ П ৢ,ᇚ 㒧 ᵰ ݭ ܹ 䕧 ߎ ᭄ ᥂ ッ ষ.ৠ ᯊ,㸠 Ў 䰘 ӊ 䖬 ৃ ҹ 䗮䖛䕧 ܹ џ ӊ ッ ষ ǃ 䕧 ܹ џ ӊ ᭄ ᥂ ッ ষ ᥹ ᬊ џ ӊ ੠ ᭄ ᥂,བ ᥹ ᬊ Ё ᮁ 䇋 ∖ ǃ ᇍ 䴲 ਼ ᳳ ᗻ 㒓⿟ ⱘ ߚ থ ᴵ ӊ 䖯㸠㒚 ࣪ ㄝ;䗮䖛䕧 ߎ џ ӊ ッ ষ ǃ 䕧 ߎ џ ӊ ᭄ ᥂ ッ ষ থ 䗕 џ ӊ,བ থ 䗕 Ё ᮁ 䇋 ∖ ǃ ᄤ ⿟ ᑣ 䇗 ⫼ ǃ ῵ ᓣ ব ᤶ 䇋 ∖ ㄝ.಴ ℸ,㸠 Ў 䰘 ӊ ⱘ ᠻ 㸠䇁 Н ᰃ ᇍ 㒓⿟ ᵘ ӊ ᠻ 㸠䇁 Н Ё“Execution”㾘 ߭ ⱘ 㒚 ࣪ ੠ ∖ ㊒. State(th) = execution State(th) = completed Guard/Action Guard/Action Guard/Action BA_State(th)=S0 BA_State(th)=Si BA_State(th)=Sn

Data port Event data port Event port Rule: Execution

Fig.3 Relation between the behavior annex and execution model ೒3 㸠 Ў 䰘 ӊ Ϣ 㒓⿟ ᠻ 㸠 ῵ ൟ ⱘ ݇ ㋏

佪 ܜ,៥ Ӏ 㒭 ߎ ෎ ᴀ ⱘ 䕀 ᤶ ᗱ 䏃:⢊ ᗕ ব 䞣(state variables)᯴ ᇘ ЎTASM⦃ ๗ ব 䞣;⢊ ᗕ(state)᯴ ᇘ Ў ᢑ 䈵 ᴎ ⱘ ݙ 䚼 ⢊ ᗕ(internal variables);↣ ᴵ ব 䖕 ᯴ ᇘ Ў ϔ ᴵ TASM 㾘 ߭,㗠㾘 ߭ ⱘ ᴵ ӊ ⬅ ᔧ ࠡ 㒓⿟ ᵘ ӊ ⱘ ⢊ ᗕ (State(th))ǃᔧ ࠡ 㸠 Ў 䰘 ӊ ⱘ ⢊ ᗕ ҹ ঞ 㸠 Ў 䰘 ӊ ⱘ ব 䖕 ᴵ ӊ(guard)㒘 ៤,㾘 ߭ ⱘ ᠻ 㸠䚼 ߚ ߭ ࣙ ᣀ 㸠 Ў 䰘 ӊ ⱘ ᠻ 㸠 ࡼ ԰(action)ҹ ঞ ᇍ 㸠 Ў 䰘 ӊ ϟ ϔ Ͼ ⢊ ᗕ ⱘ 䌟 ؐ;៥ Ӏ 䖬 ๲ ࡴ ϔ ᴵ 㾘 ߭(behavior annex completion),䅽㒓⿟ ᵘ ӊ 䖯 ܹ ϟ ϔ Ͼ ⢊ ᗕ;᳔ 㒜,⫼ 䖭 ѯ 㾘 ߭ ᴹ ᳓ ᤶ 㒓⿟ ᵘ ӊ ᠻ 㸠䇁 Н Ё ⱘ“Execution”㾘 ߭.

݊ ⃵,䖬䳔㽕 ᇍGuard੠Actionⱘ 䇁 Н 䖯㸠㒚 ࣪:

GuardЏ 㽕 ࣙ ᣀ џ ӊ ᥹ ᬊ(¢event²)ǃッ ষ ᭄ ᥂ ⱘ 䘏䕥 ߸ ᮁ(¢BExpr²),㗠 ৢ 㗙 ৃ ᢚ ߚ Ў ϸ 䚼 ߚ:“on ¢BExpr²”੠ “when ¢BExpr²”,݊ 㸼⼎ ᔶ ᓣ བ ϟ:

¢guard²::=¢BExpr²|[on ¢BExpr²o] ¢event² [when ¢BExpr²].

¢event²㸼⼎ Ң џ ӊ ッ ষ ᥹ ᬊ џ ӊ(P?)៪ Ң џ ӊ ᭄ ᥂ ッ ষ ᥹ ᬊ џ ӊ ੠ ᭄ ᥂(P?(x)),PЎ ッ ষ ৡ,x Ў ⢊ ᗕ ব 䞣,៥ Ӏ ৃ ҹ ᓩ ܹBooleanব 䞣 ᴹ 㸼⼎ ᥹ ᬊ џ ӊ,xⱘ ᭄ ᥂ ߭ ֱ ᄬ ࠄ ᇍ ᑨ ⱘ ⦃ ๗ ব 䞣 ᔧ Ё;¢BExpr²ᰃ ᇍ ᭄ ᥂ ッ ষ ៪ џ ӊ ᭄ ᥂ ッ ষ ⱘ ᭄ ᥂ 䖯㸠䘏䕥 ߸ ᮁ,ৃ ҹ ᯴ ᇘ Ў ᇍTASM⦃ ๗ ব 䞣 ⱘ ᪡ ԰,on ¢BExpr²㸼⼎ ᇍ ᔧ ࠡ ⢊ ᗕ ϟ ⱘ ッ ষ ᭄ ᥂ 䖯㸠䘏䕥 ߸ ᮁ,㗠when ¢BExpr²㸼⼎ ᇍ ᇚ 㽕䇏 প ⱘ ᭄ ᥂ 䖯㸠䘏䕥 ߸ ᮁ.៥ Ӏ ᇚ ݊ ㅔ ࣪ 㸼⼎ Ў

a

guard .

b

ActionЏ 㽕 ࣙ ᣀ ব 䞣䌟 ؐ ǃ᭄ ᥂ ៪ џ ӊ ⱘ থ 䗕 ǃ䅵 ㅫ ᯊ 䯈 ǃㄝ ᕙ ᯊ 䯈ㄝ.ব 䞣䌟 ؐ ৃ ҹ Ⳉ ᥹ ᯴ ᇘ Ў ᇍTASM ⦃ ๗ ব 䞣 ⱘ 䌟 ؐ;ᇍ Ѣ ᭄ ᥂ থ 䗕(P!(x),P=x)੠ џ ӊ থ 䗕(P!),ৃ ҹ ᓩ ܹ Boolean ব 䞣 ᴹ 㸼⼎ থ 䗕 џ ӊ,x ߭ ֱ ᄬ ࠄ ᇍ ᑨ ⱘ ⦃ ๗ ব 䞣 ᔧ Ё;೼ ব 䖕 Ϟ ᅮ Н ᯊ 䯈 ሲ ᗻ,ৃ ҹ ᳈ ㊒ ⹂ ഄ 㒭 ߎ ᠻ 㸠 ੠ ㄝ ᕙ ⱘ ᯊ 䯈 ᑣ ߫,䅵 ㅫ ᯊ 䯈 (Computation(min,max))㸼⼎ Փ ⫼ CPU ⱘ ᯊ 䯈,ㄝ ᕙ ᯊ 䯈(Delay(min,max))㸼⼎㹿 ᣖ 䍋 ៪ Ё ᮁ ⱘ ᯊ 䯈,⬅ Ѣ 㸠 Ў 䰘 ӊ ⱘActionᰃ ԰ ⫼ ೼ ব 䖕 Ϟ,಴ ℸ 䖭 ѯ ᯊ 䯈 ሲ ᗻ ৃ ҹ Ⳉ ᥹ ᯴ ᇘ ЎTASM㾘 ߭ ⱘ ᠻ 㸠 ᯊ 䯈.

೼ TASM ⦃ ๗ ব 䞣 Ё,៥ Ӏ ᓩ ܹ“CurrentBAState”,“isInitial”,“isFinal”ㄝ ব 䞣.“isInitial”⫼ Ѣ ߸ ᮁ 㸠 Ў 䰘 ӊ ⱘ ⢊ ᗕ ᰃ ৺ Ў ߱ ྟ ⢊ ᗕ;“isFinal”⫼ Ѣ ߸ ᮁ 㸠 Ў 䰘 ӊ ⱘ ⢊ ᗕ ᰃ ৺ Ў ᅠ ៤ ⢊ ᗕ,㗠 ݊ ᠻ 㸠䇁 Н Ў 㒓⿟ ᵘ ӊ ᠻ 㸠䇁 Н“Execution”㾘 ߭ ⱘ ∖ ㊒.

(15)

Trans_BehaviorAnnexData(th)=

{ CurrentBAState: BAState; isInitial: BAStateoBoolean; isFinal: BAStateoBoolean;

…} 䇁 Н 㾘 ߭4.6.2. AADL㸠 Ў 䰘 ӊ ᠻ 㸠䇁 Н ⱘTASM㸼⼎. . _ . _ ( ) ... // Rule Execution _ ( ) // ... _ ( ) ( _ ) (if ( ) BA th Behavior BA tr BA Transitions

Rule Write Data

Time Time BA tr State th executi Trans Thread th Trans BehaviorAnnex th Trans BehaviorAnnex th

a

b

and ( _ ) and ( _ ) true then

: ( _ ) ( ) : ( _ )( ( ))

// Rule Behavior Annex Completion

on CurrentBAState SourceState BA tr Guard BA tr CurrentBAState DestinationState BA tr Oport th Action BA tr Iport th

T

0 (if ( ) true then

( ) : )

ime isFinal CurrentBAState State th completed

5 AADL2TASM ῵ൟ䕀ᤶᎹ݋

೼ 䕀 ᤶ 䇁 Н ⱘ ෎ ⸔ Ϟ,෎ Ѣ AADLⱘ ᓔ ⑤ ᓎ ῵ ⦃ ๗OSATE [19] ,䆒䅵 ᑊ ᅲ ⦄ ῵ ൟ 䕀 ᤶ Ꮉ ݋AADL2TASM,ҹ ᬃ ᣕ ᇍAADL῵ ൟ 䖯㸠 ᔶ ᓣ 偠䆕 ੠ ߚ ᵤ.݊ ԧ ㋏㒧 ᵘ བ ೒4᠔ ⼎. Applications

Space system Missile borne

AADL models (OSATE) Execution semantics (informal) ATL Abstract syntax TASM operational semantics Translational semantics [[TASM Abstract Syntax]]

TASM models

Automatic tool chain

Formal syntax and semantics

Subset of AADL TASM ToolSet Avionics Theory translationl evel Tool & application

level ATL UPPAAL

Fig.4 Architecture of the model transformation toolAADL2TASM ೒4 AADL2TASM῵ ൟ 䕀 ᤶ Ꮉ ݋ ⱘ ᘏ ԧ ᶊ ᵘ

(1) ೼ᓎ῵ᮍ䴶,ᓔ⑤ᓎ῵⦃๗ OSATE ᓎゟ೼ Eclipse ᑇৄϞ,ᬃᣕҹᦦӊᔶᓣᅲ⦄ AADL ῵ൟⱘ偠䆕੠ ߚ ᵤ Ꮉ ݋,г ৃ ҹ Փ ⫼TOPCASEDᓎ ῵ ⦃ ๗.

(16)

(2) ೼῵ൟ䕀ᤶᮍ䴶,䞛⫼῵ൟ䕀ᤶ䇁㿔 ATL(atlas transformation language)[28]ᴹ ᅲ ⦄ AADL ῵ ൟ ࠄ TASM῵ ൟ ⱘ 㞾 ࡼ 䕀 ᤶ,TASMՓ ⫼ ῵ ൟ Ẕ ⌟ Ꮉ ݋UPPAALҹ ঞ ӓ ⳳ ߚ ᵤ Ꮉ ݋TASM ToolSetᇍ ῵ ൟ 䖯㸠偠䆕 ੠ ߚ ᵤ.Ў њ ᇚUPPAALг ㋻ ᆚ 䲚 ៤ ࠄOSATEᔧ Ё,෎ ѢMIT㒭 ߎ ⱘ 䕀 ᤶ ㅫ ⊩

[17]

,䞛 ⫼ATL ᅲ ⦄TASM῵ ൟ ࠄUPPAAL῵ ൟ ⱘ 㞾 ࡼ 䕀 ᤶ,ᑊ ᇚ ϸ Ͼ ῵ ൟ 䕀 ᤶ Ꮉ ݋ 䲚 ៤ Ў 㒳 ϔ ⱘOSATEᦦ ӊ,ᮍ ֓ ⫼ ᠋ Փ ⫼. (3) ೼ᗻ䋼偠䆕Ϣߚᵤᮍ䴶,TASM ToolSet ᬃᣕᇍ῵ൟⱘᅠᭈᗻ੠ϔ㟈ᗻ䖯㸠偠䆕,ҹঞᇍᯊ䯈㸠Ў੠ 䌘 ⑤ 㸠 Ў 䖯㸠 ӓ ⳳ ߚ ᵤ;㗠UPPAALᬃ ᣕ ᇍ ⅏ 䫕 ǃᅝ ܼ ᗻ ǃ⌏ ᗻ ҹ ঞ ᅲ ᯊ ᗻ 䋼䖯㸠偠䆕,ϸ 㗙 ⱘ Ӭ ࢓ ৃ ҹ Ѧ 㸹. (4) ೼㋏㒳ᑨ⫼ᮍ䴶,೼ᎹϮ⬠乍Ⳃⱘᬃᣕϟ,៥Ӏߚ߿ᇍ㟾໽఼ᇐ㟾ǃࠊᇐϢ᥻ࠊ㋏㒳ǃᴎ䕑亲㸠᥻ࠊ ㋏㒳 ҹ ঞ ᔍ 䕑亲㸠 ᥻ ࠊ ㋏㒳䖯㸠 њ ᓎ ῵ ੠ ᅲ ՟ ᗻ 偠䆕.

6 ᑨ⫼ᅲ՟

6.1 ㋏㒳ҟ㒡 ᇐ 㟾 ǃࠊ ᇐ Ϣ ᥻ ࠊ ㋏㒳,ेGNC㋏㒳,ᰃ 㟾 ໽ ఼ ೼ 䔼䖤㸠 ⱘ Ḍ ᖗ ֱ 䱰㋏㒳,ᡓ ᢙ ⴔ 㟾 ໽ ఼ ࿓ ᗕ ੠ 䔼䘧 ⹂ ᅮ Ϣ ᥻ ࠊ ⱘ 䞡㽕 ӏ ࡵ [29] .GNC㋏㒳 ϔ 㠀 ⬅ ᇐ 㟾 Ӵ ᛳ ఼ ǃ ᥻ ࠊ 䅵 ㅫ ᴎ ੠ ᠻ 㸠 ᴎ ᵘ 㒘 ៤.݊ Ё, x ᇐ 㟾 Ӵ ᛳ ఼ ࣙ ᣀ ᇐ 㟾 Ⳍ ᴎ ǃ ᯳ ᬣ ᛳ ఼ ǃ 䰔㶎 ǃ ࡴ 䗳 ᑺ 䅵ㄝ,Џ 㽕 ⫼ Ѣ 䞛䲚 ৘ ⾡ ᭄ ᥂.

x ᥻ ࠊ 䅵 ㅫ ᴎ г ⿄ Ў ࿓ ᗕ Ϣ 䔼䘧 ᥻ ࠊ ㋏㒳(attitude and orbit control system,ㅔ ⿄AOCS),䗮䖛 ᬊ 䲚 ੠ ໘ ⧚ ৘ ⾡ Ӵ ᛳ ఼ ⱘ ⌟ 䞣 ᭄ ᥂ ᴹ ᅠ ៤ ࠊ ᇐ ੠ ᥻ ࠊ ӏ ࡵ,Џ 㽕 ᠻ 㸠䔼䘧 ⹂ ᅮ ǃ䔼䘧 ᥻ ࠊ ǃ࿓ ᗕ ⹂ ᅮ ǃ࿓ ᗕ ᥻ ࠊ ㄝ ࡳ 㛑,ৠ ᯊ 䋳䋷 Ϣ ݊ Ҫ ߚ ㋏㒳䖯㸠 Ѹ Ѧ,AOCSϔ 㠀䞛 ⫼ ঠ ᴎ ໛ ӑ ⱘ ᮍ ᓣ ᴹ ᦤ 催 ৃ 䴴 ᗻ.

x ᠻ 㸠 ᴎ ᵘ ࣙ ᣀ ড ԰ ⫼ 亲䕂 ǃ஋ ఈ ǃ䔼 ᥻ থ ࡼ ᴎ ㄝ,ড ԰ ⫼ 亲䕂 ੠ ஋ ఈ ⫼ ᴹ ᥻ ࠊ ࿓ ᗕ,㗠䔼 ᥻ থ ࡼ ᴎ ߭ ⫼ ᴹ ᠻ 㸠䔼䘧 ᴎ ࡼ ੠ ׂ ℷ.

ᇐ 㟾 Ӵ ᛳ ఼ ੠ ᥻ ࠊ 䅵 ㅫ ᴎ П 䯈 ᄬ ೼ ϔ Ͼ ᥹ ষ 㺙㕂,⫼ ᴹ ᇍ 䞛䲚 ⱘ ᭄ ᥂ 䖯㸠 ࠡ ᳳ ໘ ⧚,⿄ Ў ᭄ ᥂ ໘ ⧚ ऩ ܗ (data process unit,ㅔ ⿄DPU),㗠DPU੠ ᇐ 㟾 Ӵ ᛳ ఼ 㒳⿄ Ў ሔ 䚼㒜ッ ໘ ⧚ ऩ ܗ(local terminal unit,ㅔ ⿄LTU).݊ ㅔ ࣪ ⱘ ㋏㒳 ԧ ㋏㒧 ᵘ བ ೒5᠔ ⼎.

Fig.5 Simplified architecture of the GNC system ೒5 GNC㋏㒳 ⱘ ㅔ ࣪ ԧ ㋏㒧 ᵘ

6.2 ㋏㒳ᓎ῵

៥ Ӏ ҹAOCSᄤ ㋏㒳 Ў ՟.AOCSᄤ ㋏㒳 ⬅ ϔ Ͼ ㋏㒳 ᵘ ӊ ᴹ 㸼⼎,ࣙ ᣀ 䖯⿟ ᵘ ӊS_AOCS_Processǃ ໘ ⧚ ఼ ᵘ ӊAOCS_Procǃ ᄬ ټ ఼ ᵘ ӊAOCS_Memǃ ᘏ 㒓 ᵘ ӊAOCS_LANҹ ঞ3Ͼ ໪ 䆒 ᵘ ӊ,ᅗ Ӏ П 䯈䞛 ⫼ ᘏ 㒓 ᵘ ӊ

(17)

ᴹ 䗮 ֵ.ৠ ᯊ,GNC㋏㒳 ⍝ ঞ ᯳ ㆁ ߚ ⾏ ǃ䗳 ⥛ 䰏 ሐ ǃᇍ ᮹ ᤩ 㦋 ǃᇍ ᳜ ᤩ 㦋 ǃϝ 䕈〇 ᅮ ǃব 䔼 ᴎ ࡼ ㄝ ῵ ᓣ,៥ Ӏ ҹ 〇 ᅮ(stabilization)੠ ᴎ ࡼ(maneuver)ϸ Ͼ ῵ ᓣ Ў ՟,བ ೒6᠔ ⼎.

Fig.6 AADL graphic model of the AOCS subsystem ೒6 AOCSᄤ ㋏㒳 ⱘAADL೒ ᔶ ࣪ ῵ ൟ

AOCSᄤ ㋏㒳 ⍝ ঞ4⾡ ӏ ࡵ ⱘ ᠻ 㸠:᥻ ࠊ ӏ ࡵ ǃ䘹 ⌟ 䘹 ᥻ ӏ ࡵ ǃ㋏㒳 ⲥ ⌟ ӏ ࡵ ҹ ঞ ぎ䯆 ӏ ࡵ,៥ Ӏ Џ 㽕㗗㰥 ᥻ ࠊ ӏ ࡵ.᥻ ࠊ ӏ ࡵ ⫼ ᴹ ᅠ ៤ ᇍ 㟾 ໽ ఼ ࿓ ᗕ Ϣ 䔼䘧 ⱘ ᥻ ࠊ,ࣙ ᣀ থ 䗕 ֵ ᙃ 䞛䲚 ᣛ Ҹ(Star_Sensor_Data_Sampling,

Gyroscope_Data_Sampling,Camera_Data_Sampling,Accelerometer_Data_Sampling)ǃ ࿓ ᗕ ⹂ ᅮ(attitude filter)ǃ 䔼䘧 ⹂ ᅮ(orbit filter)ǃ ࿓ ᗕ ࠊ ᇐ1(attitude guidance 1)ǃ ࿓ ᗕ ᥻ ࠊ1(attitude control 1)ǃ ࿓ ᗕ ࠊ ᇐ2(attitude

guidance 2)ǃ ࿓ ᗕ ᥻ ࠊ 2(attitude control 2)ǃ ӏ ࡵ ࠊ ᇐ ᕟ(guidance law)ㄝ ᄤ ӏ ࡵ.ᭈ Ͼ ᥻ ࠊ ӏ ࡵ ⱘ ਼ ᳳ 䆒 Ў 360ms,಴ ℸ,䖭 ѯ ᄤ ӏ ࡵ ⱘ ਼ ᳳ г 䆒 Ў 360ms,Ԛ ᠻ 㸠 ᯊ 䯈 ϡ ৠ.೼ 〇 ᅮ ῵ ᓣ ϟ,Star_Sensor_Data_Sampling,

Gyroscope_Data_Sampling,Attitude Filter,Camera_Data_Sampling,Orbit Filter,Attitude Guidance 1,Attitude Control 1 ㄝ ᄤ ӏ ࡵ ᣝ 乎 ᑣ ᠻ 㸠;೼ ᴎ ࡼ ῵ ᓣ ϟ,Gyroscope_Data_Sampling,Attitude Filter,Accelerometer_Data_

Sampling,Orbit Filter,Guidance Law,Attitude Guidance 2,Attitude Control 2ㄝ ᄤ ӏ ࡵ ᣝ 乎 ᑣ ᠻ 㸠.᠔ ᳝ ᄤ ӏ ࡵ ഛ 䞛 ⫼ ਼ ᳳ ᗻ 㒓⿟ ᴹ ᦣ 䗄,ӏ ࡵ П 䯈䞛 ⫼ ⱘ ᭄ ᥂ ッ ষ 䗮 ֵ ᴎ ࠊ Ў े ᯊ 䗮 ֵ.㸼1㒭 ߎ њAOCSᄤ ㋏㒳 ӏ ࡵ ⱘ ਼ ᳳ ǃ ᠻ 㸠 ᯊ 䯈 ǃ 䌘 ⑤ ⍜ 㗫(ࡳ 㗫 ǃ ᄬ ټ)ҹ ঞ ᠔ ሲ ⱘ ῵ ᓣ.

Table 1 Parameters of the tasks of the AOCS subsystem

㸼1 AOCSᄤ ㋏㒳 ӏ ࡵ ⱘ খ ᭄

Thread Period (ms) Execution time (ms) Power (W) Memory (KB) Mode

Star_Sensor_Data_Sampling 360 32 [2,10] 256 Stabilization

Gyroscope_Data_Sampling 360 32 [5,20] 256 Stabilization maneuver

Camera_Data_Sampling 360 32 [5,10] 1 024 Stabilization

Accelerometer_Data_Sampling 360 32 [1,3] 256 Maneuver

Attitude_Filter 360 64 [5,10] 1 024 Stabilization maneuver

Orbit_Filter 360 64 [5,10] 1 024 Stabilization maneuver

Attitude_Guidance 1 360 64 [2,10] 512 Stabilization

Attitude_Control 1 360 64 [2,10] 512 Stabilization

Attitude_Guidance 2 360 64 [2,10] 512 Maneuver

Attitude_Control 2 360 64 [2,10] 512 Maneuver

(18)

6.3 ݇䬂ᗻ䋼偠䆕੠ߚᵤ

෎ ѢAADL2TASM῵ ൟ 䕀 ᤶ Ꮉ ݋,ᅲ ⦄AADL῵ ൟ ࠄTASM῵ ൟ ⱘ 㞾 ࡼ 䕀 ᤶ.

佪 ܜ,Ⳉ ᥹ ෎ ѢTASM ToolSetᇍ 䕀 ᤶ ᕫ ࠄ ⱘTASM῵ ൟ 䖯㸠 ߚ ᵤ.TASM ToolSetᬃ ᣕ ᇍ ῵ ൟ ⱘ ᅠ ᭈ ᗻ ੠ ϔ 㟈 ᗻ 䖯㸠偠䆕,ҹ ঞ ᇍ ᯊ 䯈㸠 Ў ੠ 䌘 ⑤ 㸠 Ў 䖯㸠 ӓ ⳳ ߚ ᵤ.೒7㒭 ߎ њTASM῵ ൟ Ё ᠔ ᳝ ᢑ 䈵 ᴎ ⱘ ᠻ 㸠 ᯊ ᑣ.

ৠ ᯊ,TASM ToolSet Ў ↣ ⾡䌘 ⑤ 㒭 ߎ ϔ Ͼ ᘏ ԧ 䌘 ⑤ ⍜ 㗫 ߚ ᵤ ೒,⬅ Ѣ 䌘 ⑤ ⍜ 㗫 ϔ 㠀 ᅮ Н Ў ϔ Ͼ ऎ 䯈,಴ ℸ, TASM ToolSetᣝ ✻ ऎ 䯈 ⱘ ᳔ ᇣ ؐ ǃ ᳔ ໻ ؐ ǃ ᑇ ഛ ؐ ҹ ঞ 䱣 ᴎ ؐ 䖭 4⾡ ᚙ މ ᇍ ㋏㒳 ⱘ 䌘 ⑤ ⍜ 㗫 ᚙ މ 䖯㸠 ߚ ᵤ, བ ೒8᠔ ⼎.

Fig.7 Time simulation of the TASMToolSet ೒7 ෎ ѢTASMToolSetⱘ ᯊ 䯈 ӓ ⳳ ߚ ᵤ

Fig.8 Resource simulation of the TASMToolSet ೒8 ෎ ѢTASMToolSetⱘ 䌘 ⑤ ӓ ⳳ ߚ ᵤ

݊ ⃵,෎ ѢUPPAALᇍ ⅏ 䫕 ǃ ᅝ ܼ ᗻ ǃ ⌏ ᗻ ҹ ঞ ᅲ ᯊ ᗻ 䋼䖯㸠偠䆕,UPPAAL੠TASM ToolSetৃ ҹ Ѧ 㸹, ݅ ৠ ЎTASM῵ ൟ ᦤ կ Є ᆠ ⱘ 偠䆕 Ϣ ߚ ᵤ 㛑 ࡯.៥ Ӏ Փ ⫼TASM2UPPAAL῵ ൟ 䕀 ᤶ Ꮉ ݋,㞾 ࡼ ⫳ ៤ ᇍ ᑨ ⱘ ᯊ 䯈㞾 ࡼ ᴎ 㸼⼎,བ ೒9੠ ೒10᠔ ⼎.

Fig.9 Timed automaton expression of mode change

೒9 ῵ ᓣ ব ᤶ ⱘ ᯊ 䯈㞾 ࡼ ᴎ 㸼⼎

Fig.10 Timed automaton expression of the task of

Star_Sensor_Data_Sampling

೒10 Star_Sensor_Data_Samplingӏ ࡵ ⱘ ᯊ 䯈㞾 ࡼ ᴎ 㸼⼎

TASMᬃ ᣕ ⱘ ᭄ ᥂ ㉏ ൟ ᳝Integer,Boolean,Floatҹ ঞ ⫼ ᠋ 㞾 ᅮ Н ㉏ ൟ,㗠UPPAALা ᬃ ᣕInteger㉏ ൟ,ᇍ Ѣ ⫼ ᠋ 㞾 ᅮ Н ㉏ ൟ,བ 㒓⿟ ⱘ ⢊ ᗕ,䆒 ᳝ n Ͼ ៤ ਬ,೼ UPPAAL Ё ⫼ ᭄ 㒘 int[0,n1]ᴹ 㸼⼎,“0”ᇍ ᑨ ㄀ 1 Ͼ ៤ ਬ,“n1”ᇍ ᑨ ㄀nϾ ៤ ਬ,ᇍ ѢBoolean㉏ ൟ,⫼int[0,1]ᴹ 㸼⼎,䖭䞠,“0”ҷ 㸼true,“1”ҷ 㸼false;TASM੠UPPAAL ᇍ ᯊ 䯈 ⱘ 㸼䖒 г ϡ ৠ,TASMⱘ ᯊ 䯈 ᅮ Н ೼ ব 䖕 Ϟ,㗠UPPAALⱘ ᯊ 䯈 ᅮ Н ೼ ⢊ ᗕ Ϟ,಴ ℸ,ᇍ ѢTASM㾘 ߭ Ϟ ⱘ ᯊ 䯈,೼UPPAALϞ 䗮䖛 ๲ ࡴ ϔ Ͼ Ё 䯈 ⢊ ᗕ ᴹ 㸼⼎,བ ೒ Ё ⱘwaiting_hyper_period_S,begin_mode_change_S2M

(19)

ㄝ ⢊ ᗕ;TASM㾘 ߭ ੠ UPPAALᯊ 䯈㞾 ࡼ ᴎ ⱘ ব 䖕 ᰃ ᇍ ᑨ ⱘ,㗠 ᇍ Ѣ“t:=next”ㄝ ᕙ ᴎ ࠊ,䗮䖛 ๲ ࡴ ϔ Ͼ 乱 ໪ ⱘ ᯊ 䯈㞾 ࡼ ᴎ ᴹ 㸼⼎.

೼ ℸ ෎ ⸔ Ϟ,ৃ ҹ ᇍ ⅏ 䫕 ǃ ᅝ ܼ ᗻ ǃ ⌏ ᗻ ㄝ ᗻ 䋼䖯㸠偠䆕,՟ བ: (1) ㋏㒳ϡᄬ೼⅏䫕,A[]!deadlock;

(2) ᅝܼᗻ,བ“ᔧ㋏㒳໘Ѣ〇ᅮ῵ᓣ,Star_Sensor_Data_Sampling ӏࡵϔᅮӮ㹿▔⌏”:

A[](CurrentMode==0) imply (Activation_SSDS==0);

(3) ⌏ᗻ,བ“㋏㒳㒜おӮ䖯ܹ〇ᅮ῵ᓣ”,E¢² (CurrentMode==0).

ℸ ໪,䖬 ৃ ҹ ෎ Ѣ 㾖 ᆳ 㞾 ࡼ ᴎ(observer)ᇍ ᳔ ണ ડ ᑨ ᯊ 䯈 ǃ ッ ࠄ ッ ᓊ 䖳 ǃ ৃ 䇗 ᑺ ᗻ ㄝ ᅲ ᯊ ᗻ 䋼䖯㸠偠䆕. ᴀ ᭛ ≵ ᳝ ᇚAADLᄤ 䲚 Ⳉ ᥹ 䕀 ᤶ ࠄUPPAAL:佪 ܜ,UPPAALᬃ ᣕ ⱘ ᭄ ᥂ ㉏ ൟ 䕗 ᇥ;݊ ⃵,UPPAALϡ 㛑 ᬃ ᣕ 䌘 ⑤ ሲ ᗻ ⱘ 㸼䖒;᳔ ৢ,TASM԰ Ў Ё 䯈 ῵ ൟ,ৠ ᯊ ᬃ ᣕUPPAAL੠ ӓ ⳳ ߚ ᵤ Ꮉ ݋TASM Toolset,೼ ϔ ᅮ ⿟ ᑺ Ϟ ৃ ҹ ᅲ ⦄ ᔶ ᓣ 偠䆕 Ϣ ӓ ⳳ ߚ ᵤ ⱘ Ѧ 㸹.

7 Ⳍ݇Ꮉ԰

䕀 ᤶ 䇁 Н ᮍ ⊩ ᰃ ⷨ お AADL 䇁 Н ⱘ ϔ ⾡䞡㽕 ᠟ ↉,བ 䕀 ᤶ ࠄ BIP,Fiacre,TLA+,Signal,IF,RTMaude,ACSR, Lustre,Petri Netㄝ Ⳃ ᷛ 䇁㿔.

⊩ ೑Verimagᅲ 偠 ᅸ ᦤ ߎ њAADLࠄBIPⱘ 䇁 Н 䕀 ᤶ

[4]

,Џ 㽕 ⍝ ঞ 䖯⿟ ǃ㒓⿟ ǃᄤ ⿟ ᑣ ǃ໘ ⧚ ఼ ㄝ ᵘ ӊ ⱘ ᠻ 㸠䇁 Н,㗠㒓⿟䗮 ֵ ੠ 㸠 Ў 䰘 ӊ ⱘ 䇁 Н ᅮ Н ϡ ໳ 䆺㒚;Ў њ ᮍ ֓ ⧚ 㾷,䆹 ⷨ お䛑 ҹ ೒ ⼎ ⱘ ᮍ ᓣ 㒭 ߎ 䇁 Н,݇ ⊼ ⱘ ⷨ お ᄤ 䲚 ੠ 䕀 ᤶ 㾘 ߭ Џ 㽕䞛 ⫼ 㞾 ✊ 䇁㿔 ᦣ 䗄.

ぎ Ё ᅶ 䔺 ݀ ৌ ⱘTOPCASED乍 Ⳃ ᦤ ߎ њAADLࠄ Ё 䯈䇁㿔Fiacreⱘ 䇁 Н 䕀 ᤶ

[5]_,

Џ 㽕㒭 ߎ њ 㒓⿟ ᠻ 㸠 ੠

䗮 ֵ ⱘ 䕀 ᤶ ॳ ⧚,᠔ ݇ ⊼ ⱘ ⷨ お ᄤ 䲚 ੠ 䕀 ᤶ 㾘 ߭ 䞛 ⫼ 㞾 ✊ 䇁㿔䖯㸠 ᦣ 䗄.

⊩ ೑IRITᅲ 偠 ᅸ 䞛 ⫼ ࡼ ԰ ᯊ ᑣ 䘏䕥 ᦣ 䗄䇁㿔TLA+ᇍAADLᠻ 㸠 ῵ ൟ ⱘ 䚼 ߚ 䇁 Н خ њ ߱ ℹ ⷨ お

[6]

,ࣙ ᣀ ッ ষ 䗮 ֵ ǃ ݅ ѿ ব 䞣 ⱘ ᵘ ӊ 䯈䗮 ֵ ǃ ᡶ ऴ ᓣ 䇗 ᑺ ㄪ ⬹ ҹ ঞ ῵ ᓣ ⱘ 䇁 Н,䖭 ᰃ AADL 䇁 Н ᔶ ᓣ ࣪ ⱘ ᳔ ᮽ ⷨ お Ꮉ ԰, ݊ 䕀 ᤶ 㾘 ߭ Џ 㽕 ҹ 䇁 Н ߑ ᭄ ⱘ ᮍ ᓣ 㒭 ߎ,ԚTLA+ⱘ ῵ ൟ Ẕ ⌟ Ꮉ ݋TLCⱘ 偠䆕㛑 ࡯ 䕗 ᔅ.

⊩ ೑INRIA-Rennesᅲ 偠 ᅸ ෎ Ѣ ৠ ℹ 䇁㿔SignalᇍAADL䇁 Н 䖯㸠 њ ⷨ お

[7] ,Џ 㽕 ᰃ 䩜 ᇍ 㒓⿟ ᠻ 㸠 ǃ䗮 ֵ ǃ 㸠 Ў 䰘 ӊ ㄝ ὖ ᗉ;೼ 䕀 ᤶ ᮍ 䴶,㒭 ߎ њ ㋏㒳 ᵘ ӊ ੠ 㒓⿟ ᵘ ӊ ⱘ ᔶ ᓣ ᅮ Н,ᑊ ҹ 䇁 Н ߑ ᭄ ⱘ ᮍ ᓣ 㒭 ߎ њ 䚼 ߚ 䕀 ᤶ 㾘 ߭ ⱘ ᢑ 䈵㸼⼎. Abdoulㄝ Ҏ ᇚAADL䕀 ᤶ ࠄIF䇁㿔 [10]_, ᬃ ᣕ 㒓⿟ ᠻ 㸠 ǃ䗮 ֵ ǃ㸠 Ў 䰘 ӊ ࠄIFⱘ 䕀 ᤶ,Ԛ ϡ ᰃAADLᷛ ޚ ⱘ 㸠 Ў 䰘 ӊ,㗠 ᰃ ⫼IF䇁㿔 ϧ 䮼 ЎAADLᅮ Н ⱘ 㸠 Ў 䰘 ӊ;೼ 䕀 ᤶ ᮍ 䴶,ϔ ϾAADL㒓⿟ ᇍ ᑨ ϸ ϾIF䖯⿟ ᵘ ӊ, ߚ ߿ ⫼ Ѣ ᦣ 䗄 ߚ থ ੠ 㒓⿟㸠 Ў,ᯊ 䯈 ⫼IFᯊ 䩳 ᴹ 㸼⼎;݇ ⊼ ⱘ ⷨ お ᄤ 䲚 ੠ 䕀 ᤶ 㾘 ߭ 䞛 ⫼ 㞾 ✊ 䇁㿔 ᦣ 䗄.

Olveczky ㄝ Ҏ ᦤ ߎ њ AADL ࠄ ᅲ ᯊ Maude ⱘ 䇁 Н 䕀 ᤶ

[11]

,ᅲ ᯊ Maude ᰃ ϔ ⾡ ෎ Ѣ 䞡 ݭ 䘏䕥(rewriting logic)ⱘ ᅲ ᯊ ㋏㒳 ᓎ ῵ 䇁㿔,೼ 䕀 ᤶ ᮍ 䴶,ⷨ お ᄤ 䲚 ੠ 䕀 ᤶ 㾘 ߭ Џ 㽕䞛 ⫼ 㞾 ✊ 䇁㿔䖯㸠 ᦣ 䗄.

Pennsylvania໻ ᄺ ᦤ ߎ њAADLࠄ 䌘 ⑤ 䖯⿟ ҷ ᭄ACSRⱘ 䇁 Н 䕀 ᤶ

[12]

,Џ 㽕 ࣙ ᣀ 㒓⿟ ᠻ 㸠 ǃ䗮 ֵ ҹ ঞ 䌘 ⑤ ݅ ѿ ⱘ 䇁 Н ᦣ 䗄,Ⳃ ⱘ ᰃ Ў њ 䖯㸠 ৃ 䇗 ᑺ ᗻ ߚ ᵤ,݊ 䕀 ᤶ 㾘 ߭ 䞛 ⫼ Ӿ ҷ ⷕ ㅫ ⊩ ⱘ ᔶ ᓣ 㒭 ߎ.

⃻ ⲳ ASSERT乍 Ⳃ ᇚAADL䕀 ᤶ ࠄ ৠ ℹ 䇁㿔Lustre

[13]

,Џ 㽕 ⍝ ঞ 㒓⿟ ᠻ 㸠 ǃ 䇗 ᑺ ҹ ঞ 䌘 ⑤ ݅ ѿ ⱘ ᠻ 㸠䇁 Н;೼ 䕀 ᤶ ᮍ 䴶,ⷨ お ᄤ 䲚 ੠ 䕀 ᤶ 㾘 ߭ Џ 㽕䞛 ⫼ 㞾 ✊ 䇁㿔䖯㸠 ᦣ 䗄,㗠 Ϩ 䇁 Н ᰃ ҹ ՟ ᄤ ⱘ ᔶ ᓣ 㒭 ߎ.

⊩ ೑LAASᅲ 偠 ᅸ ෎ Ѣ ᑓ Н 䱣 ᴎPetri㔥 ϧ 䮼 ⷨ おAADLᬙ 䱰 ῵ ൟ 䰘 ӊ ⱘ 䇁 Н

[14] ,Ⳃ ⱘ ᰃ Ў њ ᬃ ᣕ ৃ 䴴 ᗻ ǃ ৃ ⫼ ᗻ ǃ ৃ 㓈 ᡸ ᗻ ㄝ䴲 ࡳ 㛑 ᗻ 䋼 ⱘ ߚ ᵤ. ೼ ೑ ݙ ৠ 㸠 ⱘ Ꮉ ԰ ᮍ 䴶,᭛ ⤂[30]ᦤ ߎ њ ϔ ⾡ AADL῵ ൟ ৃ 䴴 ᗻ ߚ ᵤ 䆘 Ԅ Ꮉ ݋,Џ 㽕 ⍝ ঞAADLᬙ 䱰 ῵ ൟ 䰘 ӊ;᭛ ⤂[31]ᇚAADL῵ ൟ 䕀 ᤶ ࠄ ⏋ ៤ 㞾 ࡼ ᴎ ῵ ൟ,Џ 㽕 ݇ ⊼AADL῵ ൟ ⱘ ৃ 䇗 ᑺ ߚ ᵤ. ᴀ ᭛ ᦤ ߎ ⱘAADL2TASMᔶ ᓣ 䕀 ᤶ 䇁 Н Ϣ 䖭 ѯ Ꮖ ᳝ ⷨ お ⱘ ϡ ৠ П ໘ Џ 㽕㸼 ⦄ ೼ ҹ ϟ ޴ Ͼ ᮍ 䴶: (1) AADL ᄤ䲚:ձ᥂㟾໽఼ㄝᅝܼᬌ݇ᅲᯊ㋏㒳ⱘ䚼ߚ⡍ᕕ,ᴀ᭛䗝পњϔϾ䕗Ўᅠᭈⱘ AADL ᄤ䲚, ᑊ ⏙ ᱄ ഄ ߚ ᵤ њ ԧ ㋏㒧 ᵘ ǃ ᠻ 㸠 ῵ ൟ ҹ ঞ 㸠 Ў 䰘 ӊ П 䯈 ⱘ ݇ ㋏.

(20)

(2) Ⳃᷛ䇁㿔ⱘ㸼䖒㛑࡯:TASM ᬃᣕࡳ㛑ǃᯊ䯈ҹঞ䌘⑤ㄝ㸠Ўⱘᦣ䗄,㗠Ꮖ᳝ⷨおⱘⳂᷛ䇁㿔ᕜᇥ݇ ⊼ 䌘 ⑤ 㸠 Ў ⱘ 㸼䖒. (3) 䕀ᤶ䇁НⱘᅮН:ᣝ✻“ሖ⃵࣪ǃ῵ഫ࣪”ⱘᮍᓣ,ᔶᓣᅮН AADL ᄤ䲚ⱘ䕀ᤶ䇁Н,ᑊ⏙᱄ഄࠏ⬏৘῵ ഫ П 䯈 ⱘ ݇ ㋏,↣ Ͼ ῵ ഫ 䛑 ࣙ ᣀ ϸ 䚼 ߚ:䇁 ⊩ 㒧 ᵘ ᯴ ᇘ ЎTASM⦃ ๗ ব 䞣,ࡼ ᗕ 㸠 Ў ᯴ ᇘ ЎTASMᢑ 䈵 ᴎ,ᑊ ෎ Ѣ ㉏MLⱘ ܗ 䇁㿔 ᴹ ᦣ 䗄 ᯴ ᇘ ੠ 㒘 ড় ݇ ㋏.

8 ᘏ㒧Ϣ䅼䆎

AADL 䇁㿔 ⱘ ᔶ ᓣ 䇁 Н ঞ ݊ ᬃ ᣕ ⱘ ᔶ ᓣ 偠䆕 Ϣ ߚ ᵤ ᮍ ⊩ ᰃ Ⳃ ࠡ ᄺ ᴃ ⬠ ੠ Ꮉ Ϯ ⬠ ݅ ৠ ݇ ⊼ ⱘ ⛁ ⚍ 䯂乬.ᴀ ᭛ ᦤ ߎ њ ϔ ⾡ ෎ Ѣ ᯊ 䯈 ᢑ 䈵 ⢊ ᗕ ᴎ ⱘAADLᔶ ᓣ 䕀 ᤶ 䇁 Н.Ϣ Ꮖ ᳝ ⱘAADL䕀 ᤶ 䇁 Н ⷨ お Ⳍ ↨,䆹䇁 Н ᅮ Н ݋ ᳝ 䕗 Ў ᅠ ᭈ ⱘAADLⷨ お ᄤ 䲚 ǃ䕗 ᔎ ⱘ Ⳃ ᷛ 䇁㿔㸼䖒㛑 ࡯ ҹ ঞ ᇍ ᇍ 䈵䇁㿔 ǃⳂ ᷛ 䇁㿔 ੠ 䕀 ᤶ 䇁 Н 㾘 ߭ ㊒ ⹂ ᦣ 䗄ㄝ Ӭ ⚍.೼ 䕀 ᤶ 䇁 Н ⱘ ෎ ⸔ Ϟ,෎ ѢAADLᓔ ⑤ ᓎ ῵ ⦃ ๗OSATE,䆒䅵 ᑊ ᅲ ⦄ њAADL῵ ൟ 偠䆕 Ϣ ߚ ᵤ Ꮉ ݋ AADL2TASM,ᑊ ෎ Ѣ 㟾 ໽ ఼ ᇐ 㟾 ǃ ࠊ ᇐ Ϣ ᥻ ࠊ ㋏㒳䖯㸠 њ ᅲ ՟ ᗻ 偠䆕.

෎ Ѣ ৘ ⾡䕀 ᤶ 䇁 Н ⱘ ᅮ Н,Ꮖ ᳝ ⷨ お ߚ ߿ ᅲ ⦄ њ AADL῵ ൟ ࠄ ϡ ৠ Ⳃ ᷛ ῵ ൟ ⱘ 䕀 ᤶ,݊ Ⳃ ⱘ ᰃ Ў њ 䞡 ⫼ Ⳃ ᷛ ῵ ൟ Ϟ Ꮖ ᳝ ⱘ 偠䆕 ੠ ߚ ᵤ 㛑 ࡯.Ԛ ᰃ བ ԩ 偠䆕 ῵ ൟ 䕀 ᤶ ⱘ ℷ ⹂ ᗻ ᰃ ϔ Ͼ 䞡㽕䯂乬,៥ Ӏ ⿄ ℸ Ў 䇁 Н ֱ ᣕ (semantics preservation)䯂乬.೼ 䖭 ѯAADL῵ ൟ 䕀 ᤶ ⷨ お Ё,໻ 䛑䞛 ⫼ ᠟ Ꮉ ⹂ 䅸 ⱘ ᮍ ᓣ,៪ 㗙 ؛ 䆒䇁 Н ᰃ ֱ ᣕ ⱘ, ᕜ ᇥ 䖯㸠䇁 Н ֱ ᣕ ⱘ 䆕 ᯢ.೼ ᭛ ⤂[32,33]Ё,៥ Ӏ ᦤ ߎ њ ϔ ⾡ ෎ Ѣ ঠ ⠜ ᴀ ᔶ ᓣ 䇁 Н ⱘAADL ῵ ൟ 䕀 ᤶ ⱘ 䇁 Н ֱ ᣕ 䆕 ᯢ ᮍ ⊩:(1) ⬅ Ѣ ៥ Ӏ ᮴ ⊩ Ⳉ ᥹ 䆕 ᯢ ᔶ ᓣ 䕀 ᤶ 䇁 Н ੠ AADL ᷛ ޚ 㒭 ߎ ⱘ 䴲 ᔶ ᓣ 䇁 Н П 䯈 ⱘ ㄝ Ӌ ᗻ,಴ ℸ Ϣ ᔶ ᓣ 䕀 ᤶ 䇁 Н ᇍ ᑨ,෎ Ѣ ᯊ 䯈 ব 䖕㋏㒳(timed transition system,ㅔ ⿄TTS)㒭 ߎ Ⳍ ᑨAADLᄤ 䲚 ⱘ 䇁 Н,԰ Ў 䇁 Н ֱ ᣕ 䆕 ᯢ ⱘ খ 㗗䇁 Н(reference semantic);(2) ᇚ 䕀 ᤶ 䇁 Н ᅮ Н Ё ⱘTASM㸼⼎ ੠TASM䇁㿔 ᴀ 䑿 ⱘ ᪡ ԰ 䇁 Н 䖯㸠㒘 ড়,ᵘ ៤ ঺ ϔ ϾTTS;(3) 䆕 ᯢ ϸ ϾTTS⒵ 䎇 ῵ ᢳ ㄝ Ӌ ݇ ㋏(simulation equivalence),े,AADLᄤ 䲚 ⱘ 䇁 Н ೼ AADL ࠄ TASM ⱘ ῵ ൟ 䕀 ᤶ Ё ᕫ ࠄ ֱ ᣕ,ᑊ ෎ Ѣ ᅮ ⧚ 䆕 ᯢ ఼ Coq

[34]

ᇍ Ⳍ ݇ ᅮ ⧚ 䖯㸠 њ 䆕 ᯢ.ᔧ ✊,䖭䞠 ᄬ ೼ “⫼TTS㸼䖒 ⱘAADL䇁 Н ੠AADLᷛ ޚ 䇁 Н ᰃ ৺ ϔ 㟈”ⱘ 䯂乬.Ԛ ᰃ ঠ ⠜ ᴀ ᔶ ᓣ 䇁 Н ⱘ 㒭 ߎ,ᑊ 䆕 ᯢ ϸ 㗙 ⱘ ㄝ Ӌ ᗻ,೼ ϔ ᅮ ⿟ ᑺ Ϟ 㛑 ໳ 䰡 Ԣ ῵ ൟ 䕀 ᤶ ߎ 䫭 ⱘ ὖ ⥛,ᑊ ᦤ 催 ᇍAADL䇁 Н 䖯㸠 ᔶ ᓣ 㾷䞞 ⱘ ৃ ֵ ᑺ.

㟈䇶 ᛳ 䇶 ⊩ ೑ ೒ श ݍ 䅵 ㅫ ᴎ Ϣ ֵ ᙃ ⷨ お ᠔(Institut de Recherche en Informatique de Toulouse)ⱘ Mamoun Filaliᬭ ᥜ ᇍ ᴀ ᭛ Ꮉ ԰ ⱘ ⧚ 䆎 ᣛ ᇐ ੠ ᬃ ᣕ,ᛳ 䇶 ࣫ Ҁ ᥻ ࠊ Ꮉ ⿟ ⷨ お ᠔ 乒 ᭠ ᘏ Ꮉ ⿟ Ꮬ ⱘ 䅼䆎 ੠ ᐂ ࡽ,ৠ ᯊ ᇍ খ Ϣ ῵ ൟ 䕀 ᤶ Ꮉ ݋ ㋏㒳 ᓔ থ ⱘ ᄭ ⾥ ǃ 㩟 ᷥ ǃ ᓴ 㝒ㄝ ৠ ᄺ 㸼⼎ ᛳ 䇶.

References:

[1] Lewis B. Architecture based model driven software and system development for real-time embedded systems. In: Radical Innovations of Software and Systems Engineering in the Future. LNCS 2941, 2004. 249260. [doi: 10.1007/978-3-540-24626- 8_17]

[2] SAE. Architecture analysis & design language (standard SAE AS5506). 2004. http://www.sae.org [3] SAE. Architecture analysis & design language (standard SAE AS5506A). 2009. http://www.sae.org

[4] Chkouri MY, Robert A, Bozga M, Sifakis J. Translating AADL into BIPüApplication to the verification of real-time systems. In: Models in Software Engineering. LNCS 5421, 2009. 519. [doi: 10.1007/978-3-642-01648-6_2]

[5] Berthomieu B, Bodeveix JP, Chaudet C, Zilio SD, Filali M, Vernadat F. Formal verification of AADL specifications in the topcased environment. In: Proc. of the 14th Ada-Europe Int’l Conf. on Reliable Software Technologies. Berlin, Heidelberg: Springer-Verlag, 2009. 207221. [doi: 10.1007/978-3-642-01924-1_15]

[6] Rolland JF, Bodeveix JP, Filali M, Chemouil D, Dave T. Modes in asynchronous systems. In: Proc. of the 13th IEEE Int’l Conf. on Engineering of Complex Computer Systems. IEEE, 2008. 282287. [doi: 10.1109/ICECCS.2008.28]

[7] Ma Y, Talpin JP, Gautier T. Virtual prototyping AADL architectures in a polychronous model of computation. In: Proc. of the 6th ACM/IEEE Int’l Conf. on Formal Methods and Models for Co-Design. IEEE/ACM, 2008. 139148. [doi: 10.1109/MEMCOD.2008. 4547701]