# **AADL Modeling Guidelines for CASE**

June 9, 2021

| Background                                                | 2  |
|-----------------------------------------------------------|----|
| Checking Compliance with these Guidelines in OSATE        | 3  |
| Software Architecture Requirements                        | 3  |
| System Components                                         | 5  |
| Process Components                                        | 6  |
| Thread Components                                         | 7  |
| Data Components                                           | 8  |
| Records                                                   | 9  |
| Arrays                                                    | 10 |
| Enums                                                     | 10 |
| Connections                                               | 11 |
| Component Behavior                                        | 12 |
| Hardware Architecture and Binding Requirements            | 14 |
| Virtual Machine Binding                                   | 16 |
| Timing Isolation through Domain Scheduling                | 17 |
| Utilizing the seL4 Domain Scheduler                       | 22 |
| Domains                                                   | 23 |
| Configuring the Number of Domains                         | 24 |
| Developing the Schedule Concept                           | 24 |
| Defining the Schedule                                     | 25 |
| AADL Modeling of Timing and Domain Scheduling Information | 26 |
| Appendix                                                  | 29 |
| Event Data Port                                           | 29 |
| Data Port                                                 | 32 |
| Event Port                                                | 34 |
| Virtual Machine Integration                               | 37 |
| Virtual Machine Applications                              | 40 |
| lesures (to be addressed)                                 | 47 |

# Background

The Architecture and Analysis Design Language (AADL) has been engineered as a general-purpose system architecture modeling language. As a result, the language specification does not necessarily dictate the semantics of how the modeling artifacts in AADL are mapped to actual physical artifacts in the end systems. The way in which AADL-based analysis and code-generation tools interpret the language's modeling artifacts are domain specific, and are left to the tool developers.

The purpose of this document is to define a set of modeling guidelines for producing well-formed AADL models for use in the Collins CASE toolchain. The CASE toolchain is extensible, but is currently comprised of the following tools and technologies:

- Cyber Requirements (TA 1)
  - GearCASE (Charles River Analytics)
  - DCRYPPS (Vanderbilt / DOLL Labs)
- Cyber Resiliency (TA 2)
  - StairCASE (Collins)
  - AGREE (Collins)
  - Resolute (Collins)
  - SPLAT (Collins)
- Formal Methods (TA 4)
  - Sally (SRI)
- Integration and Build (TA 5)
  - BriefCASE (Collins)
  - HAMR (Kansas State University / Adventium)
  - CAmkES (Data 61)
  - seL4 (Data 61)

Due to the importance of preserving data flow contracts between the design and implementation, this document also details how the CASE system build toolchain, specifically HAMR (High-Assurance Modeling and Rapid Engineering for Embedded Systems) AADL-to-CAmkES translator interprets an AADL model and converts it into CAmkES source code, targeted for a specific hardware platform that is ready for compilation. It is assumed the reader has familiarity with AADL, seL4, CAmkES, and the CASE program.

# Checking Compliance with these Guidelines in OSATE

To understand whether a given AADL model complies with these guidelines, the Collins CASE tools include a *CASE\_Tools* ruleset that can be used by the Resolint tool in OSATE.

Rules are identified in this document with a unique descriptive identifier a textual representation of the rule, and a problem type in the following format:



The problem type is how the rule violation will be classified in the Problem's view of OSATE when Resolint is run on the ruleset. The three problem types are:



# Software Architecture Requirements

HAMR is currently designed to process AADL instance models rooted at a system implementation.<sup>1</sup> The model *must* contain at least one processor-bound process that contains exactly one thread subcomponent (see the section <a href="Hardware Architecture and Binding">Hardware Architecture and Binding</a> Requirements for an example).

This section describes the basic components utilized in a typical AADL model for CASE applications. Details of the connections, and in particular the semantics represented by specific AADL port connections are described in detail in the Appendices.

Figure 1 below shows an example diagram from the CASE Experimental Platform model of a system that contains multiple process subcomponents.

<sup>&</sup>lt;sup>1</sup> From inside Eclipse, the system build can also be generated by selecting a system implementation in the Outline view and invoking the HAMR tool.



Figure 1: The primary software architecture model of the mission computer application in the Experimental Platform example developed under the CASE program.

The CASE modeling and build environment impose a few basic restrictions on the expected AADL usage. Both the modes and end to end flows capabilities in AADL are not currently supported and will be ignored by the code generator. Also, thread groups targeted for the seL4 platform are ignored.

| rule one_process      | The model must contain at least one process bound to a processor. | 8 |
|-----------------------|-------------------------------------------------------------------|---|
|                       |                                                                   |   |
| rule one_thread       | A process must have at most one thread subcomponent.              | 8 |
|                       |                                                                   |   |
| rule modes_ignored    | Modes will be ignored                                             | • |
|                       |                                                                   |   |
| rule flows_ignored    | Flows and end-to-end flows will be ignored                        | • |
|                       |                                                                   |   |
| thread_groups_ignored | Thread groups will be ignored for the seL4 target platform.       | • |

The table below summarizes the mapping of the primary AADL software artifacts used by the CASE system build: systems, processes, threads, ports, and data components. Additional details are given in subsequent sections.

| AADL<br>Component | CAmkES Mapping                                                                                                                                                                                                                                                                                                                                                                              |
|-------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| System            | For the CASE program, system components are modeling artifacts that represent high-level collections of software components that share common hardware bindings. System components may represent an arbitrary decomposition of the software architecture, and are not necessarily directly mapped to seL4 or CAmkES components.                                                             |
| Process           | Each process implementation represents a single seL4 resource that may be bound to hardware (one-to-one mapping). The resource may be a seL4 component, for example, or may be a separate seL4 instance, depending on the hardware bindings. AADL ports attached to a process represent dedicated communication channels (usually hardware specific I/O) into and out of the seL4 instance. |
| Thread            | Threads are the lowest level software components in the CASE context. Each thread implementation maps to a single CAmkES partitioned component (one-to-one mapping). AADL ports attached to a thread represent dedicated communication channels into and out of the CAmkES space-partitioned component.                                                                                     |
| Port              | Communications between CAmkES partitions are modeled in AADL as connections between port subcomponents of threads. The type of port dictates the type of communication implemented in CAmkES. See details under the Connections subsection below.                                                                                                                                           |
| Data              | Data components are associated with data ports, which represent the data types used in the CAmkES implementation. See details below.                                                                                                                                                                                                                                                        |

Table 1: Summary HAMR AADL to CAmkES Component Mapping.

### **System Components**

The top level implementation of the model must be a system component, in order to use the HAMR CAmkES translation tool. The AADL code sample below shows a top-level system with two processes bound to a processor. Intermediate system components defined in the AADL are allowed, but the architecture will be flattened by the HAMR tool during system auto-generation, so intermediate system components in the model will be merged into higher-level system components.

An item of note below is the property declaration  $\mathtt{HAMR}: \mathtt{Component\_Type}$ . This property defines for HAMR the target execution platform. Multiple options can be identified, and valid options at this time are  $\mathtt{Linux}$  and  $\mathtt{seL4}$ . The target of most interest to the CASE project (and this document) is  $\mathtt{seL4}$ .

Also, if the target execution implements raw bitcodec connections at the sending and receiving seL4 components, then the <code>HAMR::Bit\_Codec\_Raw\_Connections</code> should be set at the system component to true.

### **Process Components**

The AADL code example below shows an example of a process implementation with a thread subcomponent and its associated internal connections. If a process is targeted for execution on a virtual machine, then the HAMR::Component\_Type property is defined on the process declaration (See the <u>Virtual Machine Integration</u> section for details).

### **Thread Components**

The AADL code example below shows an example of a thread subcomponent.

### The dispatch behavior of a thread can be specified using the

Thread\_Properties::Dispatch\_Protocol property. HAMR currently supports only Periodic or Sporadic threads. If the dispatch protocol property is not provided then the thread is treated as sporadic and a warning will be issued. HAMR will issue an error if a dispatch protocol other than periodic or sporadic is specified.

| rule dispatch_protocol_specified | Threads should have the dispatch_protocol property specified                                                                                      | ₾        |
|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------|----------|
|                                  |                                                                                                                                                   |          |
| rule valid_dispatch_protocol     | Threads can only specify a dispatch_protocol property of <i>periodic</i> or <i>sporadic</i>                                                       | 8        |
|                                  |                                                                                                                                                   |          |
| rule thread_periodic_protocol    | If a thread has a Dispatch_Protocol property value of "Periodic" then it must have a valid Period and Compute_Execution_Time property values set. | •        |
|                                  |                                                                                                                                                   |          |
| rule process_periodic_protocol   | If the thread subcomponents of a process are specified as Dispatch_Protocol "Periodic" then                                                       | <b>A</b> |

|                                   | the process must have a seL4_Properties::Domain property value specified.                                                                                                                                                                                                                                                     |              |
|-----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|
| rule consistent_dispatch_protocol | For all thread subcomponents of processes bound to the same processor (via the Actual_Processor_Binding property), the Dispatch_Protocol property value assigned to the threads must be identical. For example, if one thread bound to a processor is "Periodic" then all threads bound to that processor must be "Periodic". | <b>&amp;</b> |
| rule thread stack size            | The maximum stack size requirements for each thread should be specified using the                                                                                                                                                                                                                                             | <b>A</b>     |
|                                   | Memory_Properties::Stack_Size property.                                                                                                                                                                                                                                                                                       | •            |

### **Data Components**

AADL data components can be used to specify the types of AADL features such as data ports. AADL includes a <code>Base\_Types</code> package that provides data component declarations for basic types like signed/unsigned integers, floating-point numbers, booleans and strings. HAMR provides translation support for each of these, mapping them to appropriate C data types, except for the unbounded <code>Base\_Types::Integer</code> and <code>Base\_Types::Float</code> types. HAMR will issue an error if these two unbounded types are used. E.g., the subcomponent <a href="SW::Coordinate.latitude">SW::Coordinate.latitude</a> will cause HAMR to issue an error<sup>2</sup>.

| rule<br>bounded_integers | Integer types must be bounded (cannot use Base_Types::Integer) | 8 |
|--------------------------|----------------------------------------------------------------|---|
| rule bounded_floats      | Float types must be bounded (cannot use Base_Types::Float)     | 8 |

AADL allows data type classifiers to be left unspecified in the instance model, for example the data type classifier of a data port. In such cases, HAMR will use a placeholder classifier called

<sup>&</sup>lt;sup>2</sup> A rewriter is used during HAMR development to convert *Base\_Types::Integer* to *Base\_Types::Integer\_32* in order to allow non-conforming models to be processed.

MISSING\_TYPE and issue a warning. For example, HAMR will attach the MISSING\_TYPE classifier to <a href="SW::WifiDriver.gimbal\_command">SW::WifiDriver.gimbal\_command</a>



User defined structured/record types, array types, and enumeration types can be specified using data components as follows:

#### Records

HAMR identifies data component implementations that contain data subcomponents as record types (i.e. instead of using the <code>Data\_Model::Data\_Representation => Struct</code> property). HAMR will substitute the <code>MISSING\_TYPE</code> and issue a warning if a subcomponent's type is not provided.

For example, <u>SW::Command.Impl</u> is a valid record type declaration

```
data Map
      -- The Map is a structure that contains a list of coordinates that
      -- encircle a region. In this implementation, we fix the size of
      -- the map to 4 waypoints.
      properties
            Data Model::Data Representation => Array;
            Data Model::Base Type => (classifier (Coordinate.Impl));
            Data Model::Dimension => (4);
end Map;
data FlightPattern
      -- The Flight Pattern is an enumeration that defines how
      -- the UAV will fly through the sensing region to conduct
      -- surveillance.
      properties
            Data Model::Data Representation => Enum;
            Data Model::Enumerators =>
                   ("ZigZag", "StraightLine", "Perimeter");
end FlightPattern;
data implementation Command.Impl
      subcomponents
            map: data Map;
            pattern: data FlightPattern;
end Command.Impl;
```

| subcomponent types should be specified Subcomponent types should be specified | • |
|-------------------------------------------------------------------------------|---|
|-------------------------------------------------------------------------------|---|

#### Arrays

Data components containing the property <code>Data\_Model::Data\_Representation => Array</code> are identified as array types. An array data component <code>must</code> contain the <code>Data\_Model::Dimension</code> property providing the dimensions of the array. HAMR currently supports only one dimensional arrays. HAMR will issue an error if the dimension property is not provided, or if a multidimensional array is specified. The base type of an array can be specified using the <code>Data\_Model::BaseType</code> property. HAMR will substitute the <code>MISSING\_TYPE</code> and issue a warning if the base type is not provided.

For example, <a href="SW::Map">SW::Map</a> is a valid array type declaration

| array_dimension                    | Array dimensions must be specified      | 89 |
|------------------------------------|-----------------------------------------|----|
|                                    |                                         |    |
| rule<br>one_dimensional<br>_arrays | Arrays can only have one dimension      | 8  |
|                                    |                                         |    |
| rule                               | The array hase type should be specified |    |

| rule array_base_type | The array base type should be specified | A |
|----------------------|-----------------------------------------|---|
|----------------------|-----------------------------------------|---|

#### Enums

Data components containing the property <code>Data\_Model::Data\_Representation => Enum</code> are identified as enumerated types. A non-empty list of enumerators for an enumeration data component must be defined using the <code>Data\_Model::Enumerators</code> property. For example, <code>SW::FlightPattern</code> is a valid enumerated type declaration

| rule non-empty_enums | Enumeration data components must be non-empty | <b>②</b> |  |
|----------------------|-----------------------------------------------|----------|--|
|----------------------|-----------------------------------------------|----------|--|

#### Connections

HAMR currently only translates connections between threads. Connections between thread components *must* be unidirectional, otherwise HAMR will issue an error.

| rule unidirectional_ connections | Connections between thread components must be unidirectional | 8 |
|----------------------------------|--------------------------------------------------------------|---|
|----------------------------------|--------------------------------------------------------------|---|

Additional constraints are placed on component ports. Although AADL ports can be both *in* and *out*, HAMR requires ports to be unidirectional.

| rule unidirectional_ ports | Ports must be in or out, but not both | 8 |
|----------------------------|---------------------------------------|---|
|----------------------------|---------------------------------------|---|

Furthermore, HAMR does not permit multiple incoming connections to a single port (fan-in).

| rule<br>no_fan_in | Multiple incoming connections to a single port are not allowed | 8 |
|-------------------|----------------------------------------------------------------|---|
|-------------------|----------------------------------------------------------------|---|

A warning will be issued if the model contains ports that are not connected.

| rule ports_connected | All ports should be connected | <b>A</b> |
|----------------------|-------------------------------|----------|
|----------------------|-------------------------------|----------|

Ports and connections in AADL define the types of CAmkES communications that are deployed between components in the system build. In the simplest constructs, there is a straight one-to-one mapping for the AADL connection to seL4 communication channel:

AADL event ports translate into seL4 notifications and AADL data ports translate into seL4 shared data channels.

### Refer to the following table:

| AADL Port Type             | seL4<br>Communications        | CAmkES Description                                                                                                                                                                                                                                                                                         |
|----------------------------|-------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Event Data Port            | Shared Data +<br>Notification | For communications between CAmkES components, implemented as a shared data/notification communications pair. The data is queued within the shared memory. The sending component can only write to the shared data port and the receiving component can only read the shared data port.                     |
| Data Port                  | Shared Data                   | Implemented as a shared data connection, where the sending component can only write to the shared data port and the receiving component can only read the shared data port. The data is not queued, and a write operation will overwrite the contents of the shared memory from previous write operations. |
| Event Port                 | Notification                  | Implemented as an emit/consumes pair.                                                                                                                                                                                                                                                                      |
| Data Access                | Shared Data                   | Not yet supported                                                                                                                                                                                                                                                                                          |
| Subprogram Group<br>Access | RPC                           | Not yet supported.                                                                                                                                                                                                                                                                                         |

Table 2: Summary of HAMR AADL to CAmkES Connection Mapping.

The Appendix gives examples of each AADL to CAmkES connection mapping, including AADL and CAmkES source code.

## Component Behavior

HAMR supports the insertion of behavior code to components in the generated CAmkES output. The files containing user supplied source code for a component can be specified by attaching the file location directly to threads in the AADL model using the Source\_Text property. The files, if they exist, will be copied into the corresponding CAmkES component's directory.

Alternatively, a directory location can be provided to HAMR and any C-source files contained in the directory will be copied to an *auxiliary code* directory that will be provided to every generated CAmkES component. The names of any functions declared in these source files must be unique across the entire system.

HAMR recognizes the properties in the following table as specifying behavior code. Each property is of string type and will contain the name of a function in the component's source file, which must conform to the corresponding signature (Table 3).

| Property Name                        | Purpose                 | Applies<br>To         | Function Signature                                    |
|--------------------------------------|-------------------------|-----------------------|-------------------------------------------------------|
| Initialize_Entrypoint_Source_Text    | Initialize<br>component | Thread                | <pre>void functionName(const int64_t *in_arg);</pre>  |
| HAMR::Compute_Entrypoint_Source_Text | Event<br>callback       | Event<br>Data<br>Port | <pre>void functionName(const portType *in_arg);</pre> |

Table 3: Properties to Identify Component Behavior Entry Points in HAMR.

For example, the following <u>AADL model</u> was constructed to help illustrate how component behavior can be attached (the generated CAmkES code is available <u>here</u>).

```
thread sender
...
properties
...
Source_Text => ("user_code/user_sender.c");
Initialize_Entrypoint_Source_Text => "sender_init";
HAMR::Compute_Entrypoint_Source_Text => ("periodic_ping");
```

The entry point for a CAmkES component is a method generated by HAMR called run. The Initialize\_Entrypoint\_Source\_Text property can be used to specify the method name containing initialization instructions that should be executed when the method is invoked. The required signature for the method is provided in the header file that HAMR generates for the component (e.g., from <a href="mailto:sb\_sender.h">sb\_sender.h</a>). The header file also contains the signatures of the methods that can be used to interact with a component's

middleware. The following excerpt shows a portion of the generated C-code for the sender component (full listing is available at <u>sb\_sender.c</u>).

```
void sb_entrypoint_sender_initializer(const int64_t * in_arg) {
    sender_init((int64_t *) in_arg);
}

int run(void) {
    {
        int64_t sb_dummy;
        sb_entrypoint_sender_initializer(&sb_dummy);
    }

// Initial lock to await dispatch input.
    sb_pacer_notification_wait();
    for(;;) {
        sb_pacer_notification_wait();
        {
            int64_t sb_dummy = 0;
            sb_entrypoint_sender_periodic_dispatcher(&sb_dummy);
        }
    }
    return 0;
}
```

After executing the optional initialization block, the method then waits on the pacing component to notify the beginning of the scheduling frame, before invoking the dispatcher message (See section below, "Timing Isolation through Domain Scheduling," for details on the periodic pacing notifications). The names of the methods that should be invoked to handle a particular event can be specified using the HAMR::Compute\_Entrypoint\_Source\_Text property, which should be attached to the component for periodic threads (e.g. sender), or to an event port for sporadic threads (e.g. receiver).

# Hardware Architecture and Binding Requirements

For the CASE program, the hardware specifications in an AADL model are used only as references, and do not directly impact the generated CAmkES output, except that the process in the model targeted for CAmkES implementation must be bound to a hardware processor resource.



Consider the example AADL code below, again taken from the CASE "Simple UAV" model. This example defines the hardware specification for the mission computer subsystem. In its system implementation, the processor binding property, e.g. Actual\_Processor\_Binding, specifies that the software process PROC\_SW is bound to the hardware processor PROC\_SW.

```
system MissionComputer
       features
             recv map: in event data port;
             position status: in event data port;
             waypoint: out event data port;
             send status: out event data port;
end MissionComputer;
system implementation MissionComputer.Impl
       subcomponents
             RADIO HW: device Radio.Impl;
             UART HW: device UART.Impl;
             PROC HW: processor MC Proc.Impl;
             PROC SW: process SW::MC SW.Impl;
       connections
             c1: port recv map -> RADIO HW.recv map in;
             c2: port RADIO HW.recv map out -> PROC SW.recv map;
             c3: port PROC SW.send status -> RADIO HW.send status in;
             c4: port RADIO HW.send status out -> send status;
             c5: port PROC SW.waypoint -> UART HW.waypoint in;
             c6: port UART HW.waypoint out -> waypoint;
             c7: port position status -> UART HW.position status in;
             c8: port UART HW.position status out ->
                   PROC SW.position status;
       properties
            Actual Processor Binding => (reference (PROC HW))
                  applies to PROC SW;
            Actual Memory Binding => (reference (MEM HW))
                  applies to PROC SW;
            Actual Connection Binding => (reference (BUS HW))
                  applies to c2, c3, c5, c8;
    end MissionComputer.Impl;
```

## Virtual Machine Binding

Special consideration is made for processes that are hosted within virtual machines. The HAMR code generator translates processes bound to virtual machines into a CAmkES infrastructure that configures the virtual machine, its hosted (Linux) instance, and the necessary components that enable communications to and from the virtual machine. The same basic infrastructure is used for both communications between two separate virtual machine instances (within their own separate CAmkES components) and between a virtual machine and a CAmkES component not hosting a virtual machine. The section in the Appendix <u>Virtual Machine Applications</u> describes the communication infrastructure in detail.

Currently, there are two techniques to define virtual machines within AADL for HAMR system build generation. The easiest technique, recommended for those first learning the CASE tool environment, is to use the HAMR::Component\_Type property on process subcomponents. Refer to the <u>Virtual Machine Integration</u> section in the Appendix for details.

The second technique relies on modeling conventions of AADL. For this second approach, consider the following AADL code sample:

```
system implementation top.Impl
      subcomponents
             proc: processor proc.impl;
             vproc: virtual processor vproc.impl;
             vm : process vm p.impl;
             ping : process ping p.impl;
       connections
             vm to ping : port vm.enq -> ping.deq;
             ping to vm : port ping.enq -> vm.deq;
      properties
            Actual Processor Binding =>
                  (reference (proc)) applies to vproc;
            Actual Processor Binding =>
                  (reference (vproc)) applies to vm;
            Actual Processor Binding =>
                  (reference (proc)) applies to ping;
   end top.Impl;
```

As the example shows, binding is established from the process vm to the virtual processor vproc via the property Actual\_Processor\_Binding. Similarly, a virtual

machine is represented in AADL as a **virtual processor**, and is bound to a physical **processor** using the Actual\_Processor\_Binding property, as the virtual processor vproc is bound to the processor proc in the example.

HAMR recognizes the binding and automatically generates the build and source code infrastructure to implement the process hosted within the CAmkES virtual machine. The AADL specification allows other modeling approaches to represent hardware-software bindings, but the approach described here is the only approach for representing virtual machines recognized by HAMR. For example, in AADL a virtual processor can be bound to a processor by instantiating the virtual processor as a subcomponent of the processor. The CASE tools do not support this representation.

| no_processor_sub components     | Processor subcomponents may be ignored                                                                                                                                                                       |          |
|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
|                                 |                                                                                                                                                                                                              |          |
| rule<br>vm_host_one_proc<br>ess | A virtual processor may host at most one process                                                                                                                                                             | <b>A</b> |
|                                 |                                                                                                                                                                                                              |          |
| rule vm_bound_to_one _processor | A virtual processor may be bound to at most one processor                                                                                                                                                    | <b>A</b> |
|                                 |                                                                                                                                                                                                              |          |
| rule vm_no_dispatch_ protocol   | A virtual processor should not have the Dispatch_Protocol specified. This property applied to virtual processors is a corner-case allowed by the AADL standard, but is outside the scope of the CASE program |          |

# Timing Isolation through Domain Scheduling

Temporal partitioning can help maintain the desired availability, integrity, and confidentiality of mission-critical information flows. Temporal isolation prevents malicious actors with a foothold in one component from disrupting the operations of another component sharing resources on the hardware platform. In the simplest example, a component infected with malware can steal the processing cycles from another component, and thereby prevent the other component from completing its tasks in a

timely manner. Early Integrated Modular Avionics (IMA) efforts established the need for robust temporal partitioning, and specified several key properties that must be maintained, including resident duration on the processor, rate, latency, and jitter, accounting for context switch overhead, and strict control over cache state. Since then, researchers have identified issues in some scheduling approaches that previously claimed temporal partitioning, such as Rate Monotonic Analysis (RMA).

Our approach employs the domain scheduler in the stock seL4 implementation, and a special "tick-tock" pacing mechanism, built with the existing CAmkES communication infrastructure.



Figure 2: Portion of the CASE Phase 2 demo application

Consider Figure 2, which shows the CASE Phase 2 demonstration modeled in AADL. The application is a basic feed-forward design. The default configuration for this example has no temporal partitioning. In the default configuration of the UAV application without temporal isolation, all components are assigned to domain 0 (which by default receives all the CPU time). Periodic behavior is simulated with a busy-wait loop. Consequently, if one of the execution threads does not relinquish the processor, then the operations of the threads downstream may be disrupted. If the operations are disrupted enough, then the mission fails, or in the worst-case scenarios, the UAV asset is put at risk. Priority mechanisms on threads can alleviate some of these issues, but as described above, are insufficient to provide significant mission resiliency. The busy-wait loop slows down the output for demonstration display purposes; otherwise the processing chain would run-to-complete, only bounded by the machine's execution capability. However, the busy-wait loop is not calibrated to machine performance, so the perceived output behavior changes depending on the hardware platform.

*Domains* in the seL4 context are a way to group threads. Domains include temporal execution budgets, and a fixed, repeating schedule, which is defined independently of

the thread components themselves. The domain scheduler in stock seL4 supports the completely deterministic scheduling of domains specified during system design. By default, all threads are assigned to Domain 0. During design time, the system developer may explicitly assign threads to other domains. Threads can only execute during the scheduled times for the domains to which they are assigned. Within each domain slice (time that it is resident on the processor), the threads in that domain are released for execution according to the normal seL4 scheduler. For our temporal isolation approach, we assign each thread to a single domain.

This basic behavior is sufficient to schedule the CASE Phase 2 UAV example with a static schedule that is akin to an ARINC 653 partition schedule. One capability that is missing from the stock seL4 domain scheduler is a mechanism to synchronize the thread execution with the domain schedule. When seL4 threads execute under the (currently verified) stock seL4, they are not aware of when, within their domain slice, they are executed, i.e., there is no concept of "this period" or "wait until next period." Therefore, it is difficult to force periodic behavior in the default case.

To provide that capability in the base seL4, we make use of a safety feature of the verified seL4 kernel: domain-to-domain notifications (AADL events) are propagated outside of the domain slice. We use this mechanism to provide a self-pacing signal that each thread uses to start itself at the beginning of its domain slice. This approach enforces the behavior of periodic thread launches at the start of each domain slice. To support this behavior, the HAMR infrastructure generator adds emitter "tick" and consumer "tock" event ports to each thread component. Also generated by the HAMR infrastructure is a CAmkES connection from "tick" to "tock." When initialized, the thread emits a "tick" pacing signal to itself, that it will not consume until the next domain slice. Once completing its initialization, the thread waits on the "tock" signal. That "tock" request blocks until the next domain slice. During regular periodic execution, it follows then the same pattern: the thread blocks on the tock, does its work, emits a tick event, and blocks again. The sequence of events and the connections is shown for two major frames for a simple source-to-destination model in Figure 3.



Figure 3: Tick-Tock timer approach for a simple source-destination model

This approach does not require modifications to application behavior code residing within the CAmkES component itself. Communications to and from the CAmkES component is the same as if the "tick-tock" mechanism is not part of the implementation.

The resulting system is resilient to component failures that could cause stalls leading to loss of processing availability. The transformed UAV example runs on QEMU, as well as and ODroid-XU4 and ODroid-C2 platforms. One particularly nice feature of this approach is that it is stable across architectures, and the timing is guaranteed by seL4. For example, when running directly on a hardware platform with hardware timers (e.g., the ODroids with their different processors and clock rates), the perceived output rate is the same, regardless of the processor clock rates. This benefit will aid testing, debugging, and certification efforts, since the behavior will be the same on bench tests as well as the embedded system.

Through a particular technique that utilizes the domain scheduler within seL4, HAMR is able to generate a system-build from AADL source that enforces time partitioning, as well as space partitioning. The following section describes how to construct the AADL source to use this time-scheduling technique. Other CASE resources describe the theory behind the seL4 domain scheduler and timing isolation.

Below is a list of constraints and properties required by HAMR that must be followed within the AADL system models in order to enact the described static cyclic scheduling paradigm on a seL4 platform.

- All threads are periodic (all threads should be declared with Periodic dispatch mode).
- There is one thread per process in the AADL model.
- Each AADL process is associated with a numeric domain identifier specified using the CASE Scheduling::Domain property.

- The maximum value of the domain identifiers is specified in the AADL model (applies to system instance) using the CASE\_Scheduling::Max\_Domain property.
- Timing\_Properties::Compute\_Execution\_Time (applies to each AADL thread type) specifies the duration for which the thread is scheduled. This property is used by HAMR to generate a hint in the auto-generated schedule skeleton. The value should match the slot duration value length in the seL4 domain schedule (this needs to be checked manually).
- Timing\_Properties::Period (applies to each AADL thread type) specifies the
  period for each thread. Comments containing this information are included along with the
  HAMR generated skeleton for the schedule, helping the developer to verify that the
  periodicity of the thread implied by the written schedule matches the specified period in
  the AADL model (this needs to be checked manually).
- The schedule for the system is written as a domain schedule for seL4 (which is specified
  in a C data structure, processed by CAmkES). One future effort might be to develop a
  platform independent representation of the same information that would enable us to
  generate scheduling for Linux and JVM platforms.
- The tick duration for the underlying platform is configured using the TimingProperties::Clock\_Period, applied to system instances. The slot durations within the schedule are specified in terms of ticks.

The period of the major frame of the schedule is specified using the <code>Timing\_Properties::Frame\_Period</code> property in the AADL model. The sum of the domain lengths specified in the domain schedule should equal this value. The frame period value is included in hints generated by HAMR to accompany an auto-generated schedule skeleton. Correspondence to the actual duration of the schedule must be checked manually.

| rule valid_sched_dom ain      | The value of a seL4_Properties::Domain property set on processes must be greater than or equal to 1. Domain zero is reserved for seL4/CAmkES operations and domain one is reserved for the Pacer component. | <u>&amp;</u> |
|-------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|
| rule consistent_sched _domain | For all processes bound to the same processor (via the Actual_Processor_Binding property), the seL4_Properties::Domain property value assignments must be sequential and non-repeating.                     | <u>&amp;</u> |

| rule min_compute_exec _time         | All thread Compute_Execution_Time property values must be greater than or equal to 2 ms           | <u> </u> |
|-------------------------------------|---------------------------------------------------------------------------------------------------|----------|
|                                     |                                                                                                   |          |
| rule<br>min_period                  | All thread Period property values must be greater than or equal to minimum Compute_Execution_Time | ₼        |
|                                     |                                                                                                   |          |
| rule period_div_by_tick             | All thread Period property values must be divisible by 2 ms                                       | •        |
|                                     |                                                                                                   |          |
| rule compute_exec_time _div_by_tick | All thread Compute_Execution_Time property values must be divisible by 2 ms                       | •        |

### Utilizing the seL4 Domain Scheduler

The *static schedule* defined by the system designer must satisfy the timing constraints on the computation or environment interactions of the system. For example, a thread for mission planning must execute quickly enough for flight controls, or satisfying jitter, throughput, and latency requirements on sensing and actuating actions in control loops.

On the seL4 platform, the static scheduling is realized using the seL4 domain-scheduling framework. The schedule itself is expressed as a C data structure used to configure seL4. The scheduling data structure for a simple producer (source) / consumer (destination) system is shown below.

```
// Copyright 2020 Adventium Labs
// This is a kernel data structure. You must compile this into your kernel.
// For example, you might modify the top level settings.cmake file to include
// it.
// camkes-project/projects/camkes/settings.cmake

#include <config.h>
#include <object/structures.h>
#include <model/statedata.h>

// An arbitrary hand generated schedule. The length is in seL4 ticks
// (2 ms default). This schedule should be generated from the AADL model
// using execution time and data flow latency specifications.
//
// This schedule is single-rate, 1Hz, run each thread within 200ms windows
// This will provide room to slot in other test examples without perturbing
// this particular example.
// Fill space in with domain 0.
```

```
//
// 2 dest | -
// 1 src | -
// 0 dom0 |-- -- --------
//
        seconds 1 2 3
//
//
// Major frame is 1 seconds, since destination has 1 second period
const dschedule t ksDomSchedule[] = { // (1 tick == 2ms)
     \{ .domain = 0, .length = 100 \}, // all other seL4 threads, init, 200ms
     { .domain = 1, .length = 1 }, //
                                   source
     { .domain = 0, .length = 99 }, // domain0 198ms
     { .domain = 2, .length = 1 }, //
                                    destination 2ms
     \{ .domain = 0, .length = 349 \}, // domain 0 198ms + 500ms \}
                               /// frame 1000ms
const word t ksDomScheduleLength = sizeof(ksDomSchedule) / sizeof(dschedule t);
```

#### **Domains**

Because we are leveraging the seL4 domain scheduler as the foundation of the CASE scheduling approach, the unit of schedulability is the *domain*. The CASE strategy uses domain 0 for infrastructure, and the rest for application threads (called *application* domains). At present, there is a one-to-one correspondence between AADL threads and application domains. Later we may be able to support multiple AADL threads in the same scheduling domain, but for CASE Phase 2 this is not supported.

We use the following convention for organizing the infrastructure domains:

- Domain 0 includes seL4 infrastructure threading for initialization, servicing interrupts, etc.
- Given a feed-forward design represented in a left-to-right layout in AADL, it is practical for the developer to visually inspect the schedule, if the domains are assigned in increasing order left-to-right. This is not required, but it has been handy to aid debugging and schedule visualization.

System developers do not need to configure the internal logic of the infrastructure domain. The CAmkES compilation process determines the logic of domain 0. However, the system designer will need to configure manually the time slots, following some straightforward guidelines. For application domains, the current convention is to simply consider the order in which AADL threads are intended to execute and select domain identifiers, starting at 1, according to that order. Note that the domain numbers are only

identifiers – they do not influence the order of execution. The order of execution is completely determined by the order of entries in the domain schedule data structure. An AADL process is assigned to a domain using AADL model properties. This is illustrated further in sections below.

### **Configuring the Number of Domains**

The first step to develop the schedule is to establish the total number of domains. Currently this is specified manually in the CAmkES *cmake* file (not auto-generated by HAMR). Here is an example for the producer/consumer system: 2 application domains, 1 each for producer and consumer, and 1 infrastructure domain.

```
// set(KernelNumDomains 3 CACHE STRING "" FORCE)
```

### **Developing the Schedule Concept**

Next, one would typically develop a "schedule concept," an informal description of the schedule that can be shared across the development team. The inputs to developing the schedule concept include the end-to-end latency needs of the application and the information flow (dependences) reflected in the AADL model. The scheduling concept is developed and refined simultaneously with the specification of periods for each AADL thread, captured using an AADL thread property (see subsequent sections). Periods are also potentially determined by the end-to-end latency needs. See real-time scheduling textbooks for these concepts and process.[1]

Prior Figure 3 showed a visualization of a schedule concept for the procedure/consumer system. First, one aims to determine the relative ordering of the domains within the schedule. Following that, the specific time values for the slots in the schedule are determined.

The schedule for the system is cyclic, where each complete cycle is referred to as a *major frame*. The system designer specifies the schedule by configuring the ordering and timing properties of domains within the major frame. Within each major frame, a domain that has a thread rate that is the same as the major frame rate will typically be scheduled once. The exception to this convention is that domain 0 needs to be interleaved with application threads to handle interrupts and other kernel level services. Another exception is if a thread has a long duration and must be preempted to allow a higher rate thread to execute. For the remainder of the discussion we will focus on single-rate schedules for simplicity.

Next the developer will consider ordering implied by producer/consumer information and control flows. Analysis tools such as FASTAR automatically take information flow into

account, as long as the AADL model follows the necessary modeling conventions (e.g., ARINC 653). One may manually accomplish the same for simple systems. For example, one may interleave application domains such as monitors to satisfy ordinal requirements (i.e., "monitor evaluates producer outputs before consumer reads inputs").

The example producer/consumer schedule visualization above illustrates two major frames. In each frame, the application domains (domains 1 and 2) are each scheduled once, whereas domain 0 is scheduled multiple times, interleaved between the other domains.

When defining the schedule, domain 0 should always execute first. In the simple CASE scheduling methodology, the domain 0 time slot durations for will be determined by starting with a value that typically works, and then tweaking based on experience running the system (see additional guidelines at the end of this chapter).

For application domains, the ordering is typically determined by looking at the application data flow reflected in the AADL model. In our example, the producer component produces information that flows to the consumer. Therefore, we schedule the source thread before the destination thread, with domain 0 executions interleaved.

### **Defining the Schedule**

After the schedule concept is developed, the system designer encodes the schedule in a data structure that is compiled into the seL4 kernel. An example schedule data structure for the producer/consumer system was shown above in Figure 3 (and repeated here).

The schedule is an array of domain and execution durations in the order of desired execution within the major frame. The domain fields are either 0 or refer to the CASE\_Scheduling::Domain property associated with a process in the AADL model. The units on duration fields (.length) are seL4 *ticks*. The actual clock time for a tick is

configured in TIMER\_TICK\_MS[2]. The default tick duration for verified seL4 kernels is 2 milliseconds.

It is good style to indicate the duration of each domain activation time in milliseconds (.length \* tick duration) via comments in the code. It is also useful to indicate in comments the total duration (in ticks and seconds/milliseconds) of the major frame.

The following constraints[3] should hold for the completed data structure and AADL model:

- Each domain field should lie within the interval {0..CASE Scheduling::Max Domain}.
- Each domain from {0..CASE\_Scheduling::Max\_Domain} should be included at least once in the schedule.
- The slot duration (in milliseconds) written in comments should correspond to the Timing\_Properties::Compute\_Execution\_Time property for the thread captured in the AADL model.
- The slot duration field value (in ticks) should be correctly computed from the millisecond duration in comments and the tick duration.
- The major frame duration written in comments (in milliseconds) should correspond to the Timing\_Properties::Frame\_Period property value written in the AADL model.
- The sum of the length fields (and associated milliseconds in comments) in the schedule should be equal to the major frame duration (in ticks, respectively milliseconds) written in comments.
- The time between the activation of an application domain in one cycle to the next activation of the domain (which may be in the next major frame) should be equal to the Period property of thread in the AADL model.

### **AADL Modeling of Timing and Domain Scheduling Information**

The CASE scheduling approach provides strong temporal partitioning and predictability for user applications running on seL4, the primary execution context technology for the Collins CASE teams. To achieve alignment with the seL4 context, AADL modeling related to process and threads as well as AADL properties are restricted compared to the full expressive power available in AADL. The primary restrictions are:

- There is a single thread in each process (AADL normally allows multiple threads and thread groups per process).
- A CASE-specific property annotation explicitly associates a process to a scheduling domain (this concept is expressed using Virtual Machines in the ARINC 653 annex).

Below we provide an example-driven explanation of how models are structured and annotations are added to support the CASE scheduling approach.

Following the standard semantics of AADL, an AADL process represents a separate address space, a space partition unit whose boundaries are enforced at runtime (see Section 5.8 of the AADL standard). When using the seL4 CAmkES framework, a space partition unit is represented as a CAmkES component. While AADL allows multiple threads per process, to simplify the verification argument, we currently restrict there to be exactly one AADL thread per process. Thus, an AADL process/thread pair will become both the unit of space partitioning and scheduling.

The AADL code below illustrates how processes and threads are declared in concert, with accompanying annotations, to support the CASE scheduling approach.

```
-- thread specifies unit of temporal execution; depending on scheduling
-- model this can provide temporal isolation.
thread source thread
      features
             write port: out data port Base Types::Integer 8;
      properties
             Dispatch Protocol => Periodic;
             Period => 1000ms;
                    Compute Execution Time => 2ms .. 2ms;
                    Source Text => ("behavior code/components/source/src/source.c");
                    Initialize Entrypoint Source Text =>
                           "test data port periodic domains source component init";
                    Compute Entrypoint Source Text =>
"test data port periodic domains source component time triggered";
end source thread;
thread implementation source thread.impl
end source thread.impl;
-- process specifies boundary of spatial isolation
process source process
      features
             write port: out data port Base Types::Integer 8;
      properties
             CASE Scheduling::Domain => 1; -- source 1, destination 2
end source_process;
process implementation source process.impl
      subcomponents
              source thread component: thread source thread.impl;
      connections
              write connection: port source thread component.write port -> write port;
end source process.impl;
```

Startup initialization often occurs in a different mode, then the schedule switches to operational mode. If partitions (corresponding to domains in this context) are restarted (e.g., suffered a failure and an external signal or watchdog causes it to reset), initialization runs within its regular domain slice. Initialization may take multiple frames to complete, often understood as a temporary loss of availability of that function until it is again running in operational mode. If the system needs to transition to operational mode in fewer frames, then the system designer should allocate more time to the domain. This is a typical latency and efficiency trade. Latency can be a feature of platform resiliency. Efficiency is often driven by cost, so the ultimate trade is resilience versus cost.

<sup>[1]</sup> There are many scheduling textbook examples, such as https://www.wiley.com/en-us/Real+time+Systems+Scheduling+1%3A+Fundamentals-p-9781848 216655

<sup>[2]</sup> https://github.com/seL4/seL4/blob/master/config.cmake

<sup>[3]</sup> At the time of this writing, these constraints must be checked manually, although they may be automated in the future. HAMR currently generates some helpful hints when values used in the schedule can be derived from AADL model properties,

# **Appendix**

The following is a set of basic AADL model examples that exercise specific communication types or transformations when converted to CAmkES application source code using the HAMR auto-generation tool.

### **Event Data Port**

The event data port communication pattern is illustrated in Figure 2.



Figure 2: AADL event data ports are mapped to a notification/shared data connection pair when translated into CAmkES source. Following AADL run-time semantics, the data transferred on the shared data connection is gueued at the destination end.

A simple in/out event data port connection in AADL is converted into a shared data connection and notification connection pair within CAmkES. The source component may only write to the shared data port, and the destination component may only read from the shared data port. The shared data is queued at the destination end of the shared data connection via glue-code that is auto-generated by HAMR. The AADL source, <code>test\_event\_data\_port.aadl</code>, is shown here.

```
package test_event_data_port
public
    with HAMR;
    with Base_Types;

thread emitter_t
    features
```

```
enq: out event data port Base Types::Integer 8;
   properties
         Dispatch Protocol => Sporadic;
         Source Text =>
               ("behavior code/components/emitter/src/emitter.c");
         Initialize Entrypoint Source Text =>
               "test event data port emitter component init";
         Compute Entrypoint Source Text => "run emitter";
end emitter t;
thread implementation emitter t.impl
end emitter t.impl;
process emitter p
   features
        enq: out event data port Base Types::Integer 8;
end emitter p;
process implementation emitter p.impl
   subcomponents
         src: thread emitter p.impl;
   connections
         outgoing: port src.enq -> enq;
end emitter p.impl;
thread consumer t
   features
         deq: in event data port Base Types::Integer 8 {
               Compute Entrypoint Source Text =>
                     "test event data port consumer s event handler";
         };
   properties
         Dispatch Protocol => Sporadic;
         Source Text =>
               ("behavior code/components/consumer/src/consumer.c");
         Initialize Entrypoint Source Text =>
              "test event data port consumer component init";
end consumer t;
thread implementation consumer t.impl
end consumer t.impl;
processor consumer p
   features
        deq: in event data port Base Types::Integer 8;
end proc;
processor implementation consumer p.impl
```

```
subcomponents
            dest: thread consumer t.impl;
       connections
            incoming: port deq -> dest.deq;
    end consumer p.impl;
    process implementation emitter_p.impl
       subcomponents
             src: process emitter p.impl;
       connections
             outgoing: port src.enq -> enq;
    end emitter p.impl;
    system top
    end top;
    system implementation top.impl
       subcomponents
             proc: processor proc.impl;
             emitter: process emitter p.impl;
             consumer: process consumer p.impl;
       Connection
             data connect : port emitter.enq => consumer.deq;
       properties
             Actual Processor Binding => (reference (proc))
                  applies to emitter, consumer;
    end top.impl;
end test_event_data_port;
```

The resulting CAmkES top-level assembly is shown here.

```
configuration {
    src.sb_enq_queue_1_access = "W";
    dest.sb_deq_queue_access = "R";
}
```

### Data Port

The data port communication pattern is similar to the event data port, except that the data is not queued by the monitor (or alternatively, the shared data represents a queue of size one). If the sending thread sends subsequent data before the receiving component has read the data from the shared memory, then the prior data is overwritten. For completeness, the AADL *test data port.aadl* is shown here.

```
package test data port
public
    with Base Types;
    with HAMR;
    thread source t
       features
             write port: out data port Base Types::Integer 8;
       properties
             Dispatch Protocol => Sporadic;
             Source Text =>
                   ("behavior code/components/source/src/source.c");
             Initialize Entrypoint Source Text =>
                   "test data port source component init";
             Compute Entrypoint Source Text => "run sender";
    end source t;
    thread implementation source t.impl
    end source t.impl;
    process source p
            write port: out data port Base Types::Integer 8;
    end source p;
    process implementation source p.impl;
       subcomponents
            src : thread source t.impl;
       connections
```

```
outgoing : port src.write port -> write port;
end source p.impl;
thread destination t
   features
         read port: in data port Base Types::Integer 8;
   properties
         Dispatch Protocol => Sporadic;
         Source Text =>
               ("behavior code/components/destination/src/destination.c");
         Initialize Entrypoint Source Text =>
              "test data port destination component init";
         Compute Entrypoint Source Text => "run receiver";
end destination t;
thread implementation destination t.impl
end destination t.impl;
process destination p
   features
        read port: in data port Base Types::Integer 8;
end destination p;
process implementation destination p.impl;
   subcomponents
        dest: thread destination t.impl;
   connections
        incoming : port dest.read port -> read port;
end destination p.impl;
processor proc
end proc;
processor implementation proc.impl
end proc.impl;
system top
end top;
system implementation top.impl
   subcomponents
         proc: processor proc.impl;
         source: process source p.impl;
         destination: process destination p.impl;
   connections
         data connection : source.outgoing -> destination.incoming;
   properties
         Actual Processor Binding =>
```

```
(reference (proc)) applies to source, destination;
end top.impl;
end test_data_port;
```

The resulting CAmkES top-level assembly generated by HAMR is shown here.

### **Event Port**

Event port communications represent a simple one-way notification message between a sender and a receiver thread without associated data. Event port communication and their translation to CAmkES are illustrated in Figure 3.



Figure 3: AADL event ports are mapped to the emits/consumes pairs when translated into CAmkES source.

```
package test event port
public
    with HAMR;
    thread emitter t
       features
             e: out event port;
       properties
             Dispatch Protocol => Sporadic;
             Initialize Entrypoint Source Text =>
                   "test event port emitter component init";
             Source Text =>
                   ("behavior code/components/Emitter/src/emitter.c");
             Compute Entrypoint Source Text => "run emitter";
    end emitter;
    thread implementation emitter t.impl
    end emitter t.impl;
    process emitter p;
       features
            event port : out event port;
    end emitter p;
    process implementation emitter p.impl
       subcomponents
            src : thread emitter t.impl;
       connections
            write connection : src.e -> event port;
    end emitter p.impl;
    thread consumer t
       features
             s: in event port {
                   Compute Entrypoint Source Text =>
                         "test event port consumer s event handler";
             };
       properties
             Dispatch Protocol => Sporadic;
             Initialize Entrypoint Source Text =>
                   "test event port consumer component init";
             Source Text =>
                   ("behavior code/components/Consumer/src/consumer.c");
    end consumer t;
```

```
thread implementation consumer t.impl
    end consumer t.impl;
    process consumer p;
       features
            event port : in event port;
    end consumer p;
    process implementation consumer_p.impl
       subcomponents
            dest : thread consumer t.impl;
       connections
            write connection : event port -> dest.e;
    end consumer p.impl;
    processor proc
    end proc;
    processor implementation proc.impl
    end proc.impl;
    system top
    end top;
    system implementation top.impl
       subcomponents
             proc: processor proc.impl;
             emitter : process emitter p.impl;
             consumer : process consumer p.impl;
       connections
             data connection : emitter.event port ->
                  consumer.event port;
       properties
             Actual Processor Binding =>
                  (reference (proc)) applies to emitter, consumer;
    end top.impl;
end test event port;
```

The resulting CAmkES top-level assembly generated by HAMR is shown here.

```
import <std_connector.camkes>;
import "components/emitter_impl/emitter_impl.camkes";
import "components/consumer impl/consumer impl.camkes";
```

```
assembly {
  composition {
    component emitter_impl src;
    component consumer_impl snk;

    connection seL4Notification conn1(from src.e, to snk.s);
  }
  configuration {
  }
}
```

# Virtual Machine Integration

This section describes how Linux-based virtual machines may be hosted within the CASE system build environment, including details on port communications to and from a virtualized CAmkES component.

The diagram below shows a simple example of a Linux-based virtual machine in a CAmkES component interacting with a "ping client" hosted on a regular, non-virtual CAmkES component. The Linux virtual machine (name vm) sends ping messages and the receiving ping client (named ping) responds accordingly following the standard ping protocol. The process vm is bound to the virtual processor vproc, while vproc in turn is bound to the physical processor proc. The process ping is bound to proc.



Figure 4: AADL representation of a Linux-based virtual machine within a CAmkES component interacting with a separate non-virtual CAmkES component.

Here is example AADL source code representing the model.

```
package test event data port
public
    with HAMR;
    with Base Types;
    with CASE Scheduling;
    thread emitter t
       features
             write port: out event data port Base Types::Integer 8;
       properties
             Dispatch Protocol => Periodic;
             Period => 1000ms;
             Compute Execution Time => 10ms .. 10ms;
             Source Text =>
                  ("behavior code/components/emitter/src/emitter.c");
             Initialize Entrypoint Source Text =>
                  "test event data port emitter component init";
             Compute Entrypoint Source Text =>
                  "test event data port emitter time triggered handler";
    end emitter t;
    thread implementation emitter t.impl
    end emitter t.impl;
    process emitter p
       features
             write port: out event data port Base Types::Integer 8;
       properties
             CASE Scheduling::Domain => 2; -- pacer 1, source 2, destination 3
             HAMR::Component Type => VIRTUAL MACHINE;
    end emitter p;
    -- process specifies boundary of spatial isolation
    process implementation emitter p.impl
       subcomponents
             src thread: thread emitter t.impl;
       connections
             write connection: port src thread.write port -> write port;
    end emitter p.impl;
    thread consumer t
       features
             read port: in event data port Base Types::Integer 8 {
```

```
Compute Entrypoint Source Text =>
                     "Periodic thread so should be ignored";
         };
  properties
         Dispatch Protocol => Periodic;
         Period => 1000ms;
         Compute Execution Time => 10ms .. 10ms;
         Source Text =>
               ("behavior code/components/consumer/src/consumer.c");
         Initialize Entrypoint Source Text =>
              "test event data port consumer component init";
         Compute Entrypoint Source Text =>
              "test event data port consumer time triggered handler";
end consumer t;
thread implementation consumer t.impl
end consumer t.impl;
process consumer p
   features
         read port: in event data port Base Types::Integer 8;
   properties
         CASE Scheduling::Domain => 3; -- pacer 1, source 2, destination 3
end consumer p;
-- process specifies boundary of spatial isolation
process implementation consumer p.impl
   subcomponents
         dst thread: thread consumer t.impl;
   connections
         read connection: port read port -> dst thread.read port;
end consumer p.impl;
processor proc
end proc;
processor implementation proc.impl
  properties
         Frame Period => 1000ms;
         Clock Period => 2ms;
         CASE Scheduling::Max Domain => 3;
         CASE Scheduling::Schedule Source Text =>
              "behavior code/kernel/domain schedule.c";
end proc.impl;
system top
end top;
```

The property value "HAMR::Component\_Type => VIRTUAL\_MACHINE" defined within the emitter\_p declaration in the example indicates that the process is implemented as a virtual machine hosted within a seL4 component. The HAMR::Component\_Type property must be defined on process subcomponents.

Port communications to and from a virtual machine within the CASE seL4/CAMKES execution environment enforce the exact same behavior semantics as port communications to and from regular CAmkES components. Specifically, event ports defined in the AADL model going to and from a process assigned to a virtual machine enforce event port (notification) semantics; data ports defined in the AADL going to and from a process assigned to a virtual machine enforce data port (shared memory) semantics; event data ports defined in the AADL going to and from a process assigned to a virtual machine enforce event data port (queued data with notifications) semantics. Data access ports and subprogram group access ports are not currently supported.

### Virtual Machine Applications

The CASE build environment provides a number of programmatic mechanisms to integrate user-defined application code residing within the virtual machine. These programmatic hooks enable the virtualized applications to interact with the port communications enforced through the execution environment.

Data sent to and from a virtual machine within the environment utilizes device files within Linux to interface with the hosted applications, by default /dev/uio. For example, in the ping-pong model above, the virtualized "ping" application has one incoming port, representing the periodic event from the pacer component (signalling the start of the periodic frame), and one outgoing port, representing the event-data port "ping" messages. These ports are assigned to /dev/uiol for the outgoing port and /dev/uiol for the incoming port.

HAMR assigns the device file numbers to ports as follows: The connections defined in the AADL model are first assigned devices within the virtual machine in the order they are defined, starting at device file zero. Second, if the application is periodic, the port from the pacer component is appended to the end of the list of device files used within the virtual machine. The expected size of the memory allocated for each device within the virtual machine defaults to 4096 bytes.

HAMR automatically generates the necessary glue-code that enforces the AADL port semantics, such as queues for event-data ports and shared memory constructs for data ports. HAMR also auto-generates the necessary support for the periodic pacer component. The CAmkES execution environment strictly maintains the read-write restrictions put upon the port communications, namely that write ports can only write to the memory allocation to the port communications, and read ports can only read to the allocated memory. It is the user's responsibility to develop application code that adheres to the read-write restrictions, and if the restrictions are violated, then the application will likely fail to execute.

HAMR also generates a skeleton framework that facilitates application integration. The framework employs the following steps:

- 1. Initialize the application, including the incoming and outgoing ports.
- 2. Wait on periodic notification for the start of the scheduled iteration (for periodic applications), or wait for non-periodic execution to resume.
- 3. Execute the application, including reading and writing to assigned ports.
- 4. Repeat to step 2.

The framework includes calls to functions with specific naming conventions, and it is expected that application developers will fill in these functions as needed to implement their application's behavior.

To further illustrate the HAMR integration with virtual machine applications, consider another example, extending the ping-pong model from above. This example assumes a periodic schedule is deployed, enforced by the pacer component. The sending component is implemented as a virtual machine, and the receiving component is implemented as a native CAmkES component. HAMR generates the following C-source code, <code>vmsrc\_process.c.</code> The name of this file is taken from the name of the virtualized process in the AADL model, prepended with "vm". By default this file is located in the generated code directory, <code>components/VM/apps</code>.

```
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <assert.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <stdint.h>
#include <string.h>
#include <sb emitter t impl.h>
#include <sb types.h>
#include <sb event counter.h>
#include <sb queue int8 t 1.h>
void sb pacer notification wait();
void sb write port 1 notification emit();
int sb pacer period queue fd;
sb queue int8 t 1 Recv t sb pacer period queue;
int sb write port fd;
sb queue int8 t 1 t *sb write port queue 1;
int *sb_write_port emit;
/************************
* sb entrypoint emitter t impl:
* This is the function invoked by an active thread dispatcher to
* call to a user-defined entrypoint function. It sets up the dispatch
* context for the user-defined entrypoint, then calls it.
***********************
void sb entrypoint period emitter t impl(int64 t *in arg) {
 test event data port emitter time triggered handler((int64 t *) in arg);
}
/**********************************
* sb write port enqueue:
* This is the function may be invoked by a user-defined function to write
* data to the outgoing queue.
bool sb write port enqueue(const int8 t *data) {
 sb queue int8 t 1 enqueue(sb write port queue 1, (int8 t*) data);
 sb write port 1 notification emit();
 return true;
}
/***********************
```

```
* sb entrypoint emitter t impl initializer:
* This is the function invoked by an active thread dispatcher to
* call to a user-defined entrypoint function. It sets up the dispatch
* context for the user-defined entrypoint, then calls it.
*******************************
void sb entrypoint emitter t impl initializer(const int64 t * in arg) {
 test event data port emitter component init((int64 t *) in arg);
void pre init(void) {
 // initialise data structure for outgoing event data port write port
 sb queue int8 t 1 init(sb write port queue 1);
/***********************************
* Main active thread function.
******************************
int run(void) {
 {
     int64 t sb dummy;
      sb entrypoint emitter t impl initializer(&sb dummy);
 sb pacer notification wait();
 for(;;) {
      sb pacer notification wait();
      int64 t sb dummy = 0;
      sb entrypoint period emitter t impl(&sb dummy);
      }
 }
 return 0;
int main(int argc, char *argv[]) {
 if (argc != 5) {
      printf("Usage: %s <fd of sb write port queue> <size of sb write port queue> <fd
of sb pacer period queue> <size of sb pacer period queue> \n\n", arqv[0]);
      return 1;
 }
 char *sb write port name = argv[1];
 int sb write port length = atoi(argv[2]);
 assert(sb write port length > 0);
 sb write port fd = open(sb write port name, O RDWR);
 assert(sb write port fd >= 0);
 char *raw sb write port queue 1;
```

```
if ((raw sb write port queue 1 = mmap(NULL,
      sb write port length,
      PROT READ | PROT WRITE,
      MAP SHARED,
      sb write port fd,
      1 * getpagesize())) == (void *) -1) {
      printf("mmap raw sb write port queue 1 failed\n");
      close(sb write port fd);
  }
 char *emit;
 if ((emit = mmap(NULL,
      0x1000,
      PROT READ | PROT WRITE,
      MAP SHARED,
      sb write port fd,
      0 * getpagesize())) == (void *) -1) {
      printf("mmap emit failed\n");
      close(sb write port fd);
  }
 sb write port queue 1 = (sb queue int8 t 1 t *)raw sb write port queue 1;
 sb write port emit = (int*) emit;
 char *sb pacer period queue name = argv[3];
 int sb pacer period queue length = atoi(argv[4]);
 assert(sb pacer period queue length > 0);
 sb pacer period queue fd = open(sb pacer period queue name, O RDWR);
 assert(sb pacer period queue fd >= 0);
 char *sb pacer period queue char;
 if ((sb pacer period queue char = mmap(NULL,
      sb pacer period queue length,
      PROT READ | PROT WRITE, MAP SHARED,
      sb pacer period queue fd,
      1 * getpagesize())) == (void *) -1) {
      printf("mmap sb pacer period queue char failed\n");
      close(sb pacer period queue fd);
      return 1;
  }
 sb queue int8 t 1 Recv init(&sb pacer period queue, (sb queue int8 t 1 t
*) sb pacer period queue char);
 pre init();
 sb write port queue 1->numSent = 0;
 run();
 munmap(raw sb write port queue 1, sb write port length);
 close(sb write port fd);
```

```
munmap(sb pacer period queue char, sb pacer period queue length);
 close(sb pacer period queue fd);
 return 0;
void sb write port 1 notification emit() {
 sb write port emit[0] = 1;
void sb pacer notification wait() {
 sb event counter t numDropped = 0;
 int8 t data;
 while (!sb queue int8 t 1 dequeue(&sb pacer period queue, &numDropped, &data)) {
      int val;
      /* Blocking read */
      int result = read(sb pacer period queue fd, &val, sizeof(val));
      if (result < 0) {
      printf("Error reading period. %i\n", result);
      //return -1;
 }
}
const char *get instance name(void) {
 static const char name[] = "vmsrc process";
 return name;
```

The main function initializes the port communications performed through the device files, configured through a command line interface invoked via Linux within the hosting virtual machine. The expected command, for example, would look like:

```
% vmsrc process /dev/uio0 4096 /dev/uio1 4096
```

The behavior in the run function follows the steps outlined earlier. After initializing access to the ports, the run function enters a continuous loop, waiting for periodic notifications from the pacer component, and then writing its output to the outgoing emitter port (and performing its other application behaviors as needed).

In this example, the user-defined behavior code integrates with the <code>vmsrc\_process</code> application via two functions: <code>test\_event\_data\_port\_emitter\_component\_init</code> and <code>test\_event\_data\_port\_emitter\_component\_init</code> and <code>test\_event\_data\_port\_emitter\_time\_triggered\_handler</code>.

The \*\_init function is where the user-defined initialization of the application resides. The name of this function follows the convention:

```
<name of AADL model>_<name of component>_component_init
```

The \*\_time\_triggered\_handler function is where the primary user-defined application behavior resides. The name of this function follows the convention:

```
<name of AADL model> <name of component> time triggered handler
```

Within the user-defined behavior code, access to the incoming and outgoing ports is done through functions defined within the C-source generated by HAMR. In the <code>vmsrc\_process</code> example, the <code>sb\_write\_port\_enqueue</code> function provides write access to the outgoing event data port.

Example behavior code that integrates with <code>vmsrc\_process</code> is shown here. In this example, the behavior code simply sends an increasing integer value to the port upon each periodic invocation.

```
#include <stdio.h>
#include <sb types.h>
#include <sb emitter t impl.h>
static int8 t value;
extern const char *get instance name(void);
void test event data port emitter component init(const int64 t *in arg) {
 printf("[%s] test event data port emitter component init called\n",
get instance name());
 _value = 0;
void test event data port emitter time triggered handler (const int64 t *in arg) {
 printf("----\n");
 if (sb write port enqueue( & value ) ) {
      printf("[%s] sending %d\n", get_instance_name(), _value);
      value = ( value + 1) % 500;
  } else {
      printf("[%s] Unable to send\n", get instance name());
 }
}
```

# Issues (to be addressed)

1. Type extensions are not supported

HAMR will generate an error when encountering a type declared as:

A rule should be created that these are not supported.

2. In-line array declarations not supported

When arrays are declared such as:

```
data implementation Foo.impl
  subcomponents
    x : data Base_Types::Unsigned_8[12];
end Foo.impl;
```

They are completely ignored by HAMR. Not sure how HAMR handles similar array declarations on features. Will this be addressed in future versions? Should we create a rule to check for these array declarations?