Designing distributed software with RT-CORBA and SDL

https://doi.org/10.1016/j.csi.2008.09.033Get rights and content

Abstract

The use of formal description techniques (FDTs), and specifically SDL, has emerged as an interesting way of designing embedded real time distributed systems (ERTDSs) taking into account the increasing complexity of this kind of system. The communication platform for these ERTDSs should be included at the design stage in order to consider the behaviour of the communications. RT-CORBA is an interesting alternative as a middleware for real-time distributed applications because, unlike standard CORBA, it guarantees predictable temporal response to invocations to remote objects. We propose a set of design patterns in SDL for the RT-CORBA middleware so that users can integrate the communication behavior into their designs. This approach provides three important results: firstly, it is possible to carry out the simulation and validation of the whole system including communications; secondly, the implementation stage is simplified because the integration of RT-CORBA allows code to be generated from the design. Finally, different analysis techniques at design level for ERTDS including the temporal behavior of RT-CORBA middleware can be carried out. To apply our proposals we have integrated the design of RT-CORBA with the SDL specification of a distributed control application called Siroco.

Introduction

Distributed systems are increasingly being applied in critical real-time applications and their complexity forces programmers to use design methods which guarantee correctness and increase the maintainability of the products. Object-oriented methodologies are widely used to cope with complexity in any kind of system [44], but most of them lack a formal foundation to allow the analysis and verification of designs, which is one of the main requirements for dealing with concurrent and reactive systems. One of the most important advantages of having a formal foundation is the improved consistency between the models of the different phases. In this sense, Formal Description Techniques provide the basis for an automated design process, allowing simulation, validation and automatic code generation from the specifications. One of the most widely used FDTs is SDL (Specification and Description Language).

SDL is an International Telecommunication Union (ITU) standard [16], [11] which can be used as a wide spectrum language from requirements to implementation. It is suitable for real-time, stimulus–response systems with some semantic limitations. SDL uses a graphical form with models based on communicating processes defined as extended finite state machines where components can have an object oriented description. SDL is used as the design language for industrial applications and it is currently well supported by commercial tools [40], [10], [28], [35], [42].

Real-time CORBA (RT-CORBA) middleware [24] has simplified the development of distributed applications with timing requirements. This specification defines standard middleware characteristics that allow applications to allocate, schedule and control the CPU, memory and networking resources necessary to ensure end-to-end quality of service support. RT-CORBA greatly influences the temporal behaviour of the systems but it is not included at the design stage.

This paper deals with the integration of the communication behaviour at the design stage of the application development when communication is carried out by the RT-CORBA middleware. SDL is used for the design of the applications and the communication middleware and allows different analysis to be performed. In addition, we present several design patterns in SDL which can be easily reused when another communication platform or RT-CORBA implementation is applied or when another application is developed.

In order to integrate RT-CORBA into the application design we propose a framework in SDL of RT-CORBA 1.2. Specifically, we propose a set of SDL design patterns for the different elements of RT-CORBA. In this way, developers can join the model of the designed applications together with models of the communication middleware and can carry out a simulation of the whole system together with different analysis of for example the schedulability, deadlock and liveness properties. These analyses however are not considered in this paper. Instead, we focus only on the design of the models.

Some semantic aspects have to be addressed and integrated into SDL, such as for example, a priority model or a shared resource predictable access model. For this reason, we show how to include the RT-CORBA framework taking into account the extensions proposed for SDL in previous works [1] which assured predictability at design level.

Including an RT-CORBA model in SDL allows us to specify the whole distributed system at the design level and therefore:

  • Users can integrate the communication behavior in their designs together with their applications.

  • Different communication platforms can be integrated into the design.

  • The integration between the RT-CORBA implementation and the SDL generated code is simplified thereby reducing the time necessary at the implementation stage. A correspondence between the design elements and code in the implementation is presented.

  • Different analysis can be carried out at the design stage.

In this paper we focus on a set of RT-CORBA characteristics in SDL that are particularly significant in the context of the real-time distributed systems:

  • The definition of the different RT-CORBA priority models (client propagated and server declared).

  • A thread pre-creation mechanism (thread pools) to avoid unpredictability.

  • Mutexes: synchronization mechanism.

  • The connection management can be isolated in our approach. This way, it is possible to easily change one communication platform for another at the design phase.

The paper is organized as follows: In the rest of this section some comments about related work and a summary of the main characteristics of RT-CORBA and SDL are described. Additionally we present a review of the SDL extensions proposed in previous work. Section 2 presents RT-CORBA in the SDL context to design real-time distributed applications. Finally, in Section 3 we apply our proposals in a real example based on a distributed control application called Siroco [39] developed by Tecnatom S.A. The paper finishes with some conclusions and future lines of work are outlined.

Much work has been done on the integration of non-functional timing aspects in SDL and the suitability of SDL for the design of real-time systems. In [5] a technique that describes timing constraints is proposed together with a semantic interpretation. In [43] SDL is extended and integrated with task allocation and schedulability analysis algorithms. In [7], [8] an overview of the main weaknesses of SDL for developing real-time systems is given. Also, in [37], [2] limitations of SDL for modelling aspects of real-time and a set of extensions are presented, and in [15] we can see proposals for the inclusion of timing information in SDL. As regards supplementing SDL with load and machine models such as those described in [21], a queuing theory is used to calculate job and message queuing times and processor peak and average workloads. A further extension of SDL is presented in [38] to describe non-functional requirements. In [12] a new approach for early performance prediction based on Message Sequence Chart (MSC) specified systems in the context of SDL is presented.

Other lines of research deal with design pattern proposals. A design pattern is an SDL module, which can be used in different contexts for different applications with only minor modifications [22]. SDL patterns and examples exist for well known protocols [13]. The timing behaviour of the communication medium for the protocols in SDL is addressed in [22]. Here, a design pattern is proposed to allow the specification of a time critical functionality such as multiplexers or Quality-of-Service (QoS) schedulers.

Other works deal with the integration of CORBA and SDL. For example, in [27] the use of SDL for efficient service creation is addressed. In order to provide a generic platform for the implementation of future mobile services, supporting standardized interfaces and platform independent objects, [20] proposes the mapping of SDL and CORBA mechanisms. Finally, the Z-130 recommendation of ITU [17] specifies the ITU Extended Object Definition Language (ITU-eODL), which is used for a component-oriented development of distributed systems. This recommendation includes an IDL-SDL mapping, but RT-CORBA is not considered.

Only a few proposals integrate schedulability analysis and the formal foundation [43]. For example, HRT-HOOD [9] and Octopus [6] support schedulability analysis but lack a formal foundation that allows the analysis and validation of the systems modelled. In [32], [34] we can see how a real-time scheduling theory may be applied to Real-time Object-Oriented Modelling (ROOM). Also, [33] shows how schedulability analysis can be integrated with object-oriented design.

Currently, there are several RT-CORBA implementations available for different languages such as C++ and Java. One of the most popular RT-CORBA implementations for C++ is TAO (The ACE ORB) [19]. TAO is built on top of ACE (the Adaptive Communication Environment) [36], a freely available object-oriented framework that implements many core patterns for concurrent communication software. TAO is especially focused on the implementation of distributed real-time systems with hard real-time constraints. TAO is robust and widely used in different kinds of systems. ROFES (Real-Time CORBA for embedded Systems) [18] is another C++ implementation of RT-CORBA especially designed for embedded systems. ROFES not only implements RT-CORBA, it also adheres to the minimum CORBA specification [25]. This is a subset of CORBA designed for systems with limited resources. ROFES is divided into several components, which can be dynamically loaded, obtaining a very low memory footprint. Our approach can be applied to both implementations. However, due to the simplicity of ROFES, we have focused our efforts on this implementation.

There are also Java implementations of RT-CORBA. RTZen [31] is implemented using the Real-Time Specification for Java (RTSJ) [41], because of the unpredictability issues of the standard Java language. RTZen ensures predictability and ease of use by shielding RTSJ complexities from the middleware user. In [14], the authors present several customization strategies for RTZen in order to reduce the memory footprint and improve overall performance. They introduce components and aspects as tools to modularize and present a conditional compilation strategy to customize RTZen for different applications. Our work is focused on C++ implementations of RT-CORBA, however it could be easily adapted to this implementation.

Other RT-CORBA implementations are ORBExpress [26] and the OpenFusion approach [29] which includes e⁎ORB, both implementations can be used for C++. The OpenFusion approach also provides a Java version implemented on top of RTSJ. These are commercial implementations oriented to embedded systems, fast response, predictability, portability, etc., but the source code is not available for our analysis purposes and some features included in ORBExpress are not standard.

CORBA (Common Object Request Broker Architecture) [23] is a communication middleware that allows the transparent communication of objects developed in different programming languages and running on different hosts or operating systems. These objects (servers) define interfaces using the Interface Declaration Language (IDL) of CORBA with operations provided to the clients, and there is no difference between invocations to local objects and invocations to remote objects because all the communication details are managed by CORBA.

Temporal predictability is one of the main aspects in the development of real-time applications. However, standard CORBA implementations are not suitable for real-time because they only support best-effort capacities in the communications and there are no guarantees about the temporal response to particular invocations to remote objects. The solution, then, is to use Object Request Brokers (ORBs) supporting the Real-time CORBA specification. Real-time CORBA is an extension of standard CORBA which provides mechanisms that allow configuration and control of processor, communication and memory resources.

The following points show the main RT-CORBA features:

Real-time CORBA applications can use CORBA priorities that allow hiding the heterogeneity of native priorities in the different Operating Systems of a distributed application. RT-CORBA priorities can be specified with values ranging from 0 to 32,767. These priorities are used in a platform-independent way.

Two different policies are used to transmit priorities. In the server declared model, the server declares the priorities with which an invocation on an object will be executed. The client propagated model allows propagation of the client priorities that must be honored by servers.

These pools allow the pre-creation of threads in such a way that a thread manages each invocation on a particular object. In this way, rising costs and the unpredictability of the dynamic creation of threads are avoided. Thread pools can contain a set of pre-created ready to use dynamic threads which can be created on demand. In addition, thread pools can be created with lanes with different priorities, allowing the redistribution of invocations depending on client priorities.

RT-CORBA mutexes are the standard RT-CORBA synchronization mechanism that permits priority inheritance and priority ceiling protocols if the underlying operating system supports them (e.g. POSIX).

The underlying transport protocol used by a particular Object Request Broker (e.g.: Internet InterORB Protocol (IIOP)–TCP/IP [23]) can be configured by RT-CORBA to benefit from special features, such as ATM virtual circuits, etc.

Explicit binding and private connections can be used to avoid the unpredictability related to the implicit activation of objects and multiplexed connections of standard CORBA ORBs. These mechanisms permit pre-establishing non-multiplexed connections and controlling how client requests are propagated over these connections.

SDL is an object-oriented, graphical specification language intended to describe the structure, behaviour and data of distributed communicating systems. As SDL is a language with a formal foundation, every symbol has precise semantics; any ambiguity is therefore eliminated and system integrity guaranteed.

SDL semantics is based on Abstract State Machines (ASMs). Finite versions of ASMs can be seen as finite machines extended with variables and timers which run in parallel. Going from one state to another is called transition, and this transition takes place only after a stimulus has been received. These machines are independent in the sense that every process has its own data space and there are no shared data. The main communication mechanism is asynchronous message passing by means of signals. An event is a stimulus (signal sending or time expiration) that activates a sequence of transitions to respond to it.

In SDL, systems are described hierarchically at different levels: system, blocks, processes and procedures. The system description is refined progressively in the subsequent levels. A system is decomposed into blocks that communicate with each other by means of channels. Fig. 1a shows an example of a system. It is composed of a block called Blck, which receives signal response and sends signal ext_ev by means of channel EnvBlck. Fig. 1b shows block Blck. It is composed of two processes Proc1 and Proc2. Proc2 receives signal ext_ev from the environment and communicates with Proc2 by means of signal sg1. Finally, proc2 sends signal response to the environment. In SDL-2000, these structuring features (blocks and processes) were harmonized into an agent concept. This is the static view of the system. The dynamic view is described using processes (Fig. 1c), which can run in parallel, and procedures. All data must be local to processes, i.e., there is no shared data, a fact which increases the robustness of the system and reduces deficiencies. For example, process proc1 waits for the reception of ext_ev. When it is received a set of tasks can be carried out and the signal sg1 sent. The transition finishes blocking in state waiting2.

Timers are the SDL instruments used to deal with a global, abstract notion of time. They can be set and reset and can expire. When a timer expires, a signal is sent to the process that set it. This timeout signal is received and managed by the process like any other signal. Timers allow developers to simulate time passing before implementation and can be mapped to operating system timers or hardware timers.

In order to model real-time aspects of RT-CORBA in SDL we summarise the proposals from a previous work [4]. The main issue is the inclusion of the priority concept for transitions. Although some environments [40] provide extensions to incorporate priorities into the processes, this proposal assigns priorities to the transitions of the processes. In this case, the process priority depends on the transition being executed at each time instant. Fig. 2 shows how to specify this extension, by adding a comment symbol with priority x, where x is the priority level.

This extension is useful to apply real-time analysis at the design stage but it is also necessary to define a new execution model to eliminate the non-determinism from the SDL semantics.

The execution model is based on fixed priority pre-emptive scheduling. As commented previously, it does not assign fixed priorities directly to processes but to process transitions (using the extension proposed in the previous paragraph). Process priorities can vary from one state to another depending on the transitions that these processes can carry out in the current state (taking into account the queued signals). Processes are scheduled according to these dynamic priorities, although the schedulability analysis is based on the transition priorities, which are fixed. Transitions can be pre-empted by higher priority ready transitions of other processes, but never by a transition of the same process, i.e., if a process transition with a higher priority becomes ready while another transition of the same process is being executed, that transition is delayed until the current one has finished. This may cause an increase in the response time of events, but this constraint is necessary in order to maintain SDL process execution semantics. Processes are therefore pre-emptively scheduled according to their dynamic priorities. The model formalization can be studied in [3].

Section snippets

An SDL model for RT-CORBA

In this section we present the SDL design of the main elements of RT-CORBA, addressing important real-time characteristics such as the priority models, mutexes and thread pools mentioned in the Introduction. Firstly, we define the framework applying it to a CORBA model and then we extend it with the RT-CORBA aspects.

It is important to point out that our objective is not to model the full RT-CORBA middleware at low-level detail. This is a difficult job and one which is not very useful because

Example: the Siroco application

Siroco-Inside is a real time remote control application for inspection systems developed in Tecnatom S.A [39]. The driver design is based on intelligent hardware with a distributed control, interconnected by means of a Tecnatom bus. All In/Out functions are integrated into this bus:

  • Axes control (Encoded, end career sensors, etc…)

  • Level and temperature sensors.

  • Peripheral devices, e.g. TV cameras.

  • Internal variable monitorization.

Siroco-Inside can be operated by means of a console application (See

Conclusions

From a general point of view the contributions presented in this paper show the importance of the design stage in the development of real-time distributed systems. Specifically, we think that the use of formal description techniques is an interesting alternative. In this context, we have presented an SDL framework to include the RT-CORBA middleware in the designs. In this model we have addressed important aspects for real-time applications such as the priority models, access to shared resources

Acknowledgements

This work is partially supported by the EU funded project SMEPP (www.smepp.org), FP6 IST-5-033563. We would like to acknowledge the help from the staff of Tecnatom S.A. who contributed to the preparation of this paper.

Manuel Díaz received his M.S. and Ph.D. degree in Computer Science from the University of Málaga in 1990 and 1995, respectively. From 1990 to 1995 he was an Assistant Professor in the Department of Languages and Computer Science of the University of Málaga. Since 1995 he has been an Associate Professor in the same department. He has worked in the areas of distributed and parallel programming and in real-time systems, especially in the areas of software engineering for this kind of system. He

References (44)

  • J.M. Alvarez et al.

    Integrating schedulability analysis and SDL in an object-oriented methodology

  • B. Geppert et al.

    Configuring communication protocols using SDL patterns

  • J.M. Alvarez et al.

    An analyzable execution model for SDL for embedded real-time systems

  • J.M. Alvarez et al.

    An object oriented methodology for embedded real-time systems

    The Computer Journal

    (2003)
  • J.M. Alvarez et al.

    Integrating schedulability analysis and design techniques in SDL

    Real-Time Systems

    (2003)
  • M. Ashour et al.

    Formal description of real-time systems using SDL

  • M. Awad et al.

    Object Oriented Technology for Real-Time Systems

    (1996)
  • M. Bozga et al.

    SDL for real-time: what is missing

  • M. Bozga et al.

    Timed extensions for SDL

  • A. Burns et al.

    HRT-HOOD: A Structured Design Method for Hard Real-Time Ada Systems

    (1995)
  • Cinderella....
  • L. Doldi

    SDL Illustrated — Visually design executable models

    (2001)
  • W. Dulz et al.

    Early performance prediction of SDL/MSC specified systems by automatic synthetic code generation

  • S. Gorappa, J.A. Colmenares, H. Jafarpour, R. Klefstad, “Tool-based Configuration of Real-time CORBA Middleware for...
  • S. Graf

    Expression of time and duration constraints in SDL

  • ITU recommendation Z.100: Specification and Description Language (SDL)

    (2000)
  • ITU recommendation Z.130: Extended Object Definition Language (eODL)

    (2005)
  • S. Lankes et al.

    Integration of a CAN-based connection-oriented communication model into real-time CORBA

  • D.L. Levine et al.

    The design of the TAO real-time object request broker

    Computer Communications

    (1998)
  • A. Mahimkar

    Modeling of software radio aspects by mapping of SDL and CORBA

  • A. Mitschele-Thiel et al.

    Performance engineering of SDL/MSC systems

  • R. Münzenberger et al.

    A general approach for the specification of real-time systems with SDL

  • Cited by (5)

    • A flexible time-triggered service for real-time CORBA

      2014, Computer Standards and Interfaces
      Citation Excerpt :

      For example, [13] proposes standardizing the interface between CORBA and real-time distributed transducer networks. Other works show how component oriented programming could help leveraging the complexity of CORBA in concrete application domains [11,12]. The CORBA solutions referred above focus on handling the priorities in the access to servers and other shared resources.

    • A method of developing spacecraft software components based on non-object oriented language

      2018, Proceedings - 8th International Conference on Instrumentation and Measurement, Computer, Communication and Control, IMCCC 2018
    • Middleware reconfiguration relying on formal methods

      2015, Proceedings - 15th IEEE International Conference on Computer and Information Technology, CIT 2015, 14th IEEE International Conference on Ubiquitous Computing and Communications, IUCC 2015, 13th IEEE International Conference on Dependable, Autonomic and Secure Computing, DASC 2015 and 13th IEEE International Conference on Pervasive Intelligence and Computing, PICom 2015
    • Optimization approach on "mission-critical" situation detection in distributed sensor networks

      2010, Proceedings of SPIE - The International Society for Optical Engineering
    • Monitoring approach of Supervisory Control and Data Acquisition downloadable data files for "mission - Critical" situations detection

      2010, 2010 IEEE International Conference on Automation, Quality and Testing, Robotics, AQTR 2010 - Proceedings

    Manuel Díaz received his M.S. and Ph.D. degree in Computer Science from the University of Málaga in 1990 and 1995, respectively. From 1990 to 1995 he was an Assistant Professor in the Department of Languages and Computer Science of the University of Málaga. Since 1995 he has been an Associate Professor in the same department. He has worked in the areas of distributed and parallel programming and in real-time systems, especially in the areas of software engineering for this kind of system. He has published several papers in international refereed journals and representative congresses in the area. Currently, he is the coordinator of the european project SMEPP: Secure Middleware for Embedded P2P Systems.

    Daniel Garrido received his M.S. and Ph. D. degree in Computer Science from the University of Málaga in 1999 and 2006, respectively. From this year he has worked in different public and private projects related to distributed programming, simulation and real-time systems, especially in the areas of software engineering. He has published several papers in international refereed journals and representative congresses in the area. Since 2007 he is an Assistant Professor in the Department of Languages and Computer Science of the University of Málaga.

    Luis Llopis received his M.S. and Ph.D. degree in Computer Science from the University of Málaga in 1995 and 2002, respectively. From 1997 to 2002 he was an Assistant Professor in the Department of Languages and Computer Science of the University of Málaga. Since 2002 he has been an Associate Professor in the same department. He has worked in the area of real-time systems, especially in issues of software engineering for this kind of system. He has published several papers in international refereed journals and representative congresses in the area.

    José M. Troya received his M.S. and Ph.D. degrees from the University Complutense of Madrid in 1975 and 1980 respectively. From 1980 to 1988 he was an Associate Professor in that University, and since 1988 he has been a Full Professor in the Department of Languages and Computing Science of the University of Málaga. He has worked on parallel algorithms for optimization problems and on parallel programming and software engineering for distributed real-time systems. He has supervised twenty Ph.D. thesis and published more than fifty papers in international refereed journals.

    View full text