[aadl]: Cyclic Immediate Connections in AADL

Peter Feiler phf at sei.cmu.edu
Thu Dec 18 17:27:30 EST 2014


This consistency rule is still true independent of whether we have partitions or not.
Partitions just introduce additional cyclic dependency rules that affect units that do not talk to each other - see my two thread pairs example.

Synchronization domains have to do with different clocks. We do not have anything in the standard as to whether immediate connections are supportable across such domains or under what assumptions (e.g., on top of PALS).

Peter

From: Jérôme Hugues [mailto:Jerome.HUGUES at isae.fr]
Sent: Thursday, December 18, 2014 3:47 PM
To: Peter Feiler
Cc: Andrew Gacek; Julien Delange; sae-aadl-users at lists.sei.cmu.edu
Subject: Re: [aadl]: Cyclic Immediate Connections in AADL


On 18 Dec 2014 at 15:32, Peter Feiler <phf at sei.cmu.edu> wrote:


Immediate connection cycles are an interesting issue. It exists for connections between periodically sampling units, e.g., two threads, two devices, or a thread and a device.
The reason is that immediate says that one is to execute before the other in the same period and you cannot have both before the other.
In other words, it is best to check in the instance model.

I do agree with your interpretation Peter, but my standard says, in 9.2 (C1)

(C1)  There cannot be cycles of immediate connections between threads, devices, and processors.

So I'm lost... did we overlook this one?

Although the first part of section 9.2.5 discusses the case for periodically sampling units and immediate connections, I usually use immediate connections for what they are: they detail when the data is actually sent. So we definitely need to separate the two issues.

Cycles of periodically sampling units should be forbidden under the assumptions of the synchronous models of computation (e.g. these are forbidden in SCADE and Esterel, under the term causality loop). It is probably what should be clarified in terms of synchronization domain. Within one synchronization domain (e.g. one hyperperiod), they should not be allowed.

If there is no restriction in terms of synchronization domain, these can be allowed: we just mandate the instant of transmission, but the user is on their own in terms of data consistency.

It gets more interesting. P1 and P2 are mapped into different ARINC653 partitions and they execute on a static time line, then P1 has to be before P2 and P2 before P1, i.e., we have a cycle. However, this cycle can be broken by giving each partition multiple windows and allocating the threads such that P1.A -> P2.B/C -> P1.A in a major frame.

So here you have implicitly (or not?) a synchronization domain. I mean implicitly from the use of ARINC653 properties.

Regards,

-
Jerome HUGUES
Enseignant-Chercheur -- Ingénierie des Systèmes Embarqués/Embedded Systems Engineering

ISAE SUPAERO - Institut Supérieur de l'Aéronautique et de l'Espace
10 avenue Edouard Belin - BP 54032 - 31055 TOULOUSE CEDEX 4 FRANCE - http://www.isae-supaero.fr/
Tel +33 5 61 33 91 84 - Fax (+33) 5 61 33 83 30
Access map: http://plan.univ-toulouse.fr/#783
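
Added example, not part of the original thread and not code from any AADL tool: a check for rule (C1) run over an instance model, reporting one cycle of immediate connections if any exists. The component names and the connection list are constructed for illustration; the timing values are those of the AADL Timing property, and every endpoint is assumed to be a thread, device or processor.

```python
from collections import defaultdict

# Constructed instance-model connections: (source, destination, timing).
# All component names are hypothetical.
CONNECTIONS = [
    ("sensor", "filter", "immediate"),
    ("filter", "ctrl", "immediate"),
    ("ctrl", "sensor", "immediate"),   # closes an immediate cycle
    ("ctrl", "logger", "sampled"),     # not an ordering constraint
    ("t1", "t2", "immediate"),
    ("t2", "t1", "delayed"),           # delayed: no same-period ordering
]

WHITE, GREY, BLACK = 0, 1, 2  # unvisited, on current DFS path, finished


def immediate_cycle(connections):
    """Return one cycle of immediate connections as a node list, or None."""
    # Only immediate connections impose "source runs before destination
    # in the same period", so only they become edges of the ordering graph.
    graph = defaultdict(list)
    for src, dst, timing in connections:
        if timing == "immediate":
            graph[src].append(dst)

    colour = defaultdict(int)
    path = []

    def visit(node):
        colour[node] = GREY
        path.append(node)
        for nxt in graph[node]:
            if colour[nxt] == GREY:
                # Back edge: nxt must run both before and after itself.
                return path[path.index(nxt):] + [nxt]
            if colour[nxt] == WHITE:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        colour[node] = BLACK
        return None

    for start in sorted(graph):
        if colour[start] == WHITE:
            found = visit(start)
            if found:
                return found
    return None
```

The mixed immediate/delayed pair `t1`/`t2` is not reported, because the delayed connection does not require both threads to be ordered within the same period.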
