Reusable Models for Timing and Liveness Analysis of Middleware for Distributed Real-Time and Embedded Systems by Subramonian, Venkita et al.
Washington University in St. Louis 
Washington University Open Scholarship 
All Computer Science and Engineering 
Research Computer Science and Engineering 
Report Number: WUCSE-2006-32 
2006-01-01 
Reusable Models for Timing and Liveness Analysis of Middleware 
for Distributed Real-Time and Embedded Systems 
Venkita Subramonian, Christopher Gill, Cesar Sanchez, and Henny Sipma 
Distributed real-time and embedded (DRE) systems have stringent constraints on timeliness and 
other properties whose assurance is crucial to correct system behavior. Formal tools and 
techniques play a key role in verifying and validating system properties. However, many DRE 
systems are built using middleware frameworks that have grown increasingly complex to 
address the diverse requirements of a wide range of applications. How to apply formal tools and 
techniques effectively to these systems, given the range of middleware configuration options 
available, is therefore an important research problem. This paper makes three contributions to 
research on formal verification and validation of... Read complete abstract on page 2. 
Follow this and additional works at: https://openscholarship.wustl.edu/cse_research 
 Part of the Computer Engineering Commons, and the Computer Sciences Commons 
Recommended Citation 
Subramonian, Venkita; Gill, Christopher; Sanchez, Cesar; and Sipma, Henny, "Reusable Models for Timing 
and Liveness Analysis of Middleware for Distributed Real-Time and Embedded Systems" Report Number: 
WUCSE-2006-32 (2006). All Computer Science and Engineering Research. 
https://openscholarship.wustl.edu/cse_research/183 
Department of Computer Science & Engineering - Washington University in St. Louis 
Campus Box 1045 - St. Louis, MO - 63130 - ph: (314) 935-6160. 
This technical report is available at Washington University Open Scholarship: https://openscholarship.wustl.edu/
cse_research/183 
Reusable Models for Timing and Liveness Analysis of Middleware for Distributed 
Real-Time and Embedded Systems 
Venkita Subramonian, Christopher Gill, Cesar Sanchez, and Henny Sipma 
Complete Abstract: 
Distributed real-time and embedded (DRE) systems have stringent constraints on timeliness and other 
properties whose assurance is crucial to correct system behavior. Formal tools and techniques play a key 
role in verifying and validating system properties. However, many DRE systems are built using middleware 
frameworks that have grown increasingly complex to address the diverse requirements of a wide range of 
applications. How to apply formal tools and techniques effectively to these systems, given the range of 
middleware configuration options available, is therefore an important research problem. This paper 
makes three contributions to research on formal verification and validation of middleware-based DRE 
systems. First, it presents a reusable library of formal models we have developed to capture essential 
timing and concurrency semantics of foundational middleware building blocks provided by the ACE 
framework. Second, it describes domain-specific techniques to reduce the cost of checking those models 
while ensuring they remain valid with respect to the semantics of the middleware itself. Third, it presents 
a verification and validation case study involving a gateway service, using our models. 
Department of Computer Science & Engineering
2006-32
Reusable Models for Timing and Liveness Analysis of Middleware for
Distributed Real-Time and Embedded Systems
Authors: Venkita Subramonian, Christopher Gill, Cesar Sanchez, Henny Sipma
Corresponding Author: cdgill@cse.wustl.edu
Web Page: http://www.cse.wustl.edu/~venkita/mw_models
Abstract: Distributed real-time and embedded (DRE) systems have
stringent constraints on timeliness and other properties whose
assurance is crucial to correct system behavior. Formal tools
and techniques play a key role in verifying and validating system properties. However, many DRE systems are
built using middleware frameworks that have grown increasingly complex to address the diverse requirements of
a wide range of applications. How to apply formal tools and techniques effectively to these systems, given the
range of middleware configuration options available, is therefore an important research problem.
This paper makes three contributions to research on formal
verification and validation of middleware-based DRE systems.
First, it presents a reusable library of formal models we have developed to capture essential timing and
concurrency semantics of foundational middleware building blocks provided by the ACE framework. Second, it
describes domain-specific techniques to reduce the cost of checking those models while ensuring they remain
valid with respect to the semantics of the middleware itself. Third, it presents a verification and validation case
Notes:
This research was supported in part by NSF CAREER award CCF-0448562. The timed automata models in
Type of Report: Other
Department of Computer Science & Engineering - Washington University in St. Louis
Campus Box 1045 - St. Louis, MO - 63130 - ph: (314) 935-6160
Reusable Models for Timing and Liveness Analysis of
Middleware for Distributed Real-Time and Embedded Systems
Venkita Subramonian and Christopher Gill∗ C·esar S·anchez and Henny B. Sipma†
{venkita,cdgill}@cse.wustl.edu {cesar,sipma}@cs.stanford.edu
CSE Department, Washington University, St. Louis, MO CS Department, Stanford University, Stanford, CA
Abstract
Distributed real-time and embedded (DRE) systems have
stringent constraints on timeliness and other properties whose
assurance is crucial to correct system behavior. Formal tools
and techniques play a key role in verifying and validating sys-
tem properties. However, many DRE systems are built using
middleware frameworks that have grown increasingly complex
to address the diverse requirements of a wide range of applica-
tions. How to apply formal tools and techniques effectively to
these systems, given the range of middleware configuration op-
tions available, is therefore an important research problem.
This paper makes three contributions to research on formal
verification and validation of middleware-based DRE systems.
First, it presents a reusable library of formal models we have de-
veloped to capture essential timing and concurrency semantics
of foundational middleware building blocks provided by the ACE
framework. Second, it describes domain-specific techniques to
reduce the cost of checking those models while ensuring they re-
main valid with respect to the semantics of the middleware itself.
Third, it presents a verification and validation case study involv-
ing a gateway service, using our models.
Keywords. Middleware, Verification, Validation.
Technical Areas. Operating Systems and Middleware.
1 Introduction
Significant research over the past decade has made middle-
ware more customizable through the use of pattern-oriented soft-
ware frameworks [1, 2]. Although this effort has made middle-
ware solutions suitable for a wider range of applications, man-
aging the resulting multiplicity of customization options has be-
come an increasing concern. As is shown in Figure 1, abstrac-
tions from higher layers of the system software architecture build
upon abstractions from lower layers. This establishes an implicit
dependence of higher level properties on lower level properties,
which in turn makes the formal verification of application-level
requirements more difficult in middleware-based systems.
As Figure 1 illustrates, application-level properties such as
the timely return of a remote method invocation (A1), may de-
pend on middleware-level properties such as delays introduced
by different strategies for establishing and re-using connections
∗This research was supported in part by NSF CAREER award CCF-0448562.
†This research was supported in part by NSF grants CCR-01-21403, CCR-
02-20134, CCR-02-09237, CNS-0411363, and CCF-0430102, ARO grant
DAAD19-01-1-0723, and NAVY/ONR contract N00014-03-1-0939.
Figure 1. Layers, Abstractions, and Properties
with remote endsystems (M1) or for delivering the result of
the remote invocation to the application (M2). Furthermore,
middleware-level properties such as the delay in delivering the
result of the remote invocation to the application (M2) may de-
pend on other middleware properties such as the strategy used to
wait for the reply from the remote invocation (M3) and on OS-
level properties such as whether threads with the same priority
are scheduled with round-robin or run-to-completion semantics
(O1) and whether other threads are holding resources needed by
the thread that will return the result to the application (O2).
We have focused previously on the design and proof of proto-
cols to enforce application-level properties that depend on other
properties at the application, middleware and OS levels. For ex-
ample, we have developed [3] and optimized [4] thread alloca-
tion protocols that can provably avoid deadlock in middleware-
based distributed real-time and embedded systems whose 2-way
remote method invocation call graph is known. While this ap-
proach serves to advance the state of the art in both middleware
design and distributed systems theory, careful effort is required
to design and prove an enforcement protocol for each property of
interest. The research presented in this paper complements the
design and proof of enforcement protocols for system properties
by establishing a sound formal foundation that can be re-used
effectively to check properties for which enforcement protocols
have not yet been developed. Our approach is also useful when
existing enforcement protocols do not consider new influences,
such as those introduced by other enforcement protocols or by
new middleware or OS features.
Our approach offers the following benefits beyond those of-
fered by other related work, which we discuss in Section 7:
(1) our reusable, detailed and executable models of middleware
building blocks can be composed to model different kinds of
middleware, and then can be composed with different appli-
cation models; (2) the timing and liveness properties of these
building blocks can be verified with suitable precision; (3) our
models offer a more rigorous and formal representation of de-
tailed middleware engineering expertise that is currently repre-
sented as patterns [5]; (4) with these resuable low-level models
and verification techniques, the extent to which systems must be
1
“over-designed” can be reduced due to greater insight into the
possible behaviors of middleware-based systems.
The rest of this paper is structured as follows. Section 2
presents a detailed system model and states the research problem
this paper addresses. Section 3 describes the middleware archi-
tecture that is captured by our models. Section 4 discusses chal-
lenges and solution approaches for modeling concurrent object
middleware using the IF tool set. Section 5 discusses domain-
specific state space optimizations to allow tractable checking of
the models we have developed. In Section 6, we present a case
study of scenarios involving a broader set of middleware con-
currency and interaction strategies, which in turn affect system
timing and liveness properties. Section 7 describes related work,
and Section 8 offers concluding remarks.
2 System Model and Problem Definition
Our system model can be expressed as a 6-tuple
{E, H, I, R, A, θ}, consisting of the following elements:
• E is a set of events denoting relevant asynchronous changes
in the system’s state, such as the expiration of a timer, the
arrival of a network packet, or a transport-layer buffer be-
coming available for writing.
• H is a set of event handlers, which perform application-
specific processing when system events are dispatched to
them.
• I is a set of interaction channels, such as sockets and timer
registration interfaces, which trigger events as a result of
actions performed on them.
• R is a set of reactors, which dispatch events to event han-
dlers by invoking event-specific handler methods.
• A is a set of actions performed on event handlers, inter-
action channels, and reactors – such as registering an event
handler with a reactor, dispatching an event to an event han-
dler, sending data over a socket, or waiting in a reactor for
events to occur.
• θ is a set of endsystem threads – actions within a thread are
performed sequentially, while actions in different threads
can be performed concurrently.
Note that some categories of events (e.g., the return of a thread
from a method call) and actions (e.g., invoking a method call)
could apply to multiple instances and kinds of system elements.
Furthermore, a given event or action can be performed repeat-
edly. To avoid ambiguity, we assume that every event and every
action is identified uniquely, and that each occurrence of a given
event or action is indexed uniquely across the entire system. We
also assume that each occurrence of an event is instantaneous,
while each occurrence of an action has a (possibly different)
non-zero temporal duration, and the initiation and completion
of each action are represented by distinct events in our system
model.
Static relations. We first express several static relations in our
system model, which hold for the entire system lifetime. These
relations partition actions according to the system elements on
which the actions can be performed, and partition threads into
reactor-specific thread pools:
• αH : H → 2A. The set of actions that can be taken on
event handler h is given by αH(h).
• αI : I → 2A. The set of actions that can be taken on
interaction channel i is given by αI (i).
• αR : R → 2A. The set of actions that can be taken on
reactor r is given by αR(r).
• threadpool : R → 2θ. The set of threads assigned stat-
ically to reactor r is given by threadpool(r), with each
thread assigned to exactly one reactor, and at least one
thread assigned to each reactor. We say that two threads
are local to reactor r if both are assigned to that same reac-
tor. We say that two threads are remote if they are assigned
to different reactors.
Temporal relations. We use non-negative real number do-
main T to denote time, and express several temporal relations
in our system model that are useful for the analysis of system
timing and liveness properties:
• registered : E × I × R × T → 2H . The set of event
handlers registered for event e on interaction channel i in
reactor r at time t is given by registered(e, i, r, t).
• active : R × T → 2E . The set of events that have arrived
at reactor r but have not been dispatched to event handlers
at time t is given by active(r, t).
• ready : E × R× T → 2I . The set of interaction channels
for which event e is active in reactor r at time t is given
by ready(e, r, t), and a single event-specific action, such
as one read from a socket for a “data ready” event, can be
taken on a ready channel without blocking the thread in
which that action is taken.
• dispatched : R × T → 2θ. The set of threads in
threadpool(r) that are currently in use to dispatch events
to event handlers in reactor r, and thus are not available to
dispatch other events from active(r, t) at time t is given by
dispatched(r, t).
• blocked : R×T → 2θ. The set of threads in threadpool(r)
that have taken blocking actions that will only unblock and
allow the thread to continue when a specific event occurs
is given by blocked(r, t). Note that for some scenarios,
such as a thread scheduling a timer and then blocking on the
timer’s expiration, unblocking will not depend on an action
being performed in another thread; for other scenarios, such
as a thread performing a blocking read on a socket, an event
to trigger unblocking must be generated by an action taken
by another (possibly remote) thread.
• deadline : N × E → T . The time by which the nth
occurrence of event e must occur to preserve correctness is
given by deadline(n, e). Event occurrences without timing
constraints are given a deadline of ∞.
• occurred : N ×E → T . The time at which the nth occur-
rence of event e happened is given by occurred(n, e).
• live : R × T → 2θ. The set of threads assigned to reactor
r within each of which at least one action occurs after time
t is given by live(r, t).
2
• arrival time : N ×E ×R × I → T . The time of arrival
of the nth occurrence of event e on channel i at reactor r
is given by arrival time(n, e, r, i). Event occurrences are
numbered globally rather than by interaction channel, and
if the nth occurrence of an event happened in a different
channel than i (or did not happen at all) then the time re-
turned would be ∞.
• dispatch time : N × E × R × I → T . The time of
dispatch of the nth occurrence of event e on channel i
by reactor r to the appropriate event handler is given by
dispatch time(n, e, r, i). If the nth occurrence of event e
happened in a different channel than i (or did not happen at
all), then the time returned would be ∞.
Problem definition. Our approach hinges on the idea that in-
terference occurs when the actions taken by endsystem threads
can affect each other in ways that produce adverse consequences
for the system’s specified constraints. In this research, we ad-
dress the specific problem of detecting interference in which
threads’ actions on reactors, event handlers, and interaction
channels in the endsystem middleware can cause violations of
application-specific timing and liveness constraints.
Interference. We analyze two forms of interference with time-
liness and liveness constraints: blocking delays and exhaustion
of threads in a reactor thread pool.
• blocking delay : N × E × R × I → T . The blocking
delay for the nth occurrence of event e is given by the in-
terval between its arrival at a reactor r on channel i and its
dispatch to an event handler, blocking delay(n, e, r, i) =
dispatch time(n, e, r, i)− arrival time(n, e, r, i). If the
nth occurrence of e happened in a different channel and/or
reactor than those given to the blocking delay function
then the return value would be 0.
• threads exhausted : R × T → {true, false}. The
threads in the thread pool of a reactor r are exhausted at
time t if |blocked(r, t)| = |threadpool(r)|.
Our analysis depends both on (1) the specific constraints given
and (2) how different middleware mechanisms shape different
forms of interference with those constraints. We model the con-
straints as temporal logic statements and model the middleware
mechanisms as timed automata. We then use model checking
to evaluate whether or not the constraints are satisfied. Specifi-
cally, we search for states of the system in which two particular
kinds of constraint violations appear: missed deadlines, which
are timing constraint violations that can occur even when live-
ness is preserved, and deadlocks which are liveness constraint
violations that usually also lead to timing constraint violations
in subsequent system states. Checking for a missed deadline can
be done using our system model by comparing the time at which
the nth occurrence of event e happened, to the deadline for
that occurrence of the event: occurred(n, e) > deadline(n, e).
Deadlocks can be detected using our system model by deter-
mining whether or not we reach a state with global time t af-
ter which no further action will be taken by any of a reactor
r’s assigned threads : |live(r, t)| = 0. Note that it is not suffi-
cient to check whether or not all threads in a reactor are blocked:
|blocked(r, t)| = |threadpool(r)| says only that no actions can
be taken by the threads assigned to reactor r from time t until
a subsequent occurrence of an event (e.g., due to an action in a
remote thread) causes one of those threads to unblock, and only
indicates deadlock if no such event occurs after time t.
When a state containing a constraint violation is reached, the
model checker then can produce a trace of the system states that
led up to that constraint violation. By examining these traces
and correcting the particular patterns of interference they reveal,
we can remove design and implementation errors, and also gain
insights into designing new enforcement protocols to prevent or
avoid constraint violations.
3 Middleware Modeling Architecture
To be able to verify the correctness of different middleware
configurations in the context of each specific application, we
have developed detailed and formal models of common mid-
dleware building blocks found in the widely used ACE [1]
framework. We have modeled reactors, thread pools, event
handlers, interaction channels, and other middleware building
blocks which can be composed and checked rigorously to evalu-
ate timing and liveness properties in each particular application
and its supporting middleware configuration.
IPC_SAP Buffers
IPC Channel
EventHandler
EventHandler
Reactor
Reverse channel
IPC_SAPIPC_SAP Forward channel
Handler
RepositoryIPC_SAP_Set
Handler
Repository
ThreadPool
IPC_SAP_Set
Data structures and operations
IPC_SAP
Event Handler
Transition
control
mechanisms
Application
abstraction
layer
Middleware
abstraction
layer
Network/OS
abstraction
layer
Acceptor
Connector
SAP Event Demultiplexer
SAP Reader
SAP Writer
Leader/
Followers
Property
Specifications
Read buffer Write Buffer
Read buffer Write Buffer
Read buffer Write Buffer
3
2
1
Figure 2. Middleware Modeling Architecture
Figure 2 shows our modeling architecture, which we have im-
plemented in the context of the IF tool set [6]. We use the IF
notation to specify our fine-grained models as processes (au-
tomata) that run in parallel and interact through shared variables
and asynchronous signals. The behavior of these processes is
represented formally in IF as timed automata with urgency [7]
and the semantics of a system modeled in IF is the Labeled Tran-
sition System (LTS) obtained by interleaving the executions of
its processes.
Our models are divided into three layers: (1) models of net-
work/OS level abstractions such as channels for interprocess
communication; (2) models of middleware building blocks such
as reactors; and (3) models of application functionality imple-
mented in the form of event handlers. The models themselves
are executable in the IF environment and can be model-checked
against system property specifications. The unshaded rectangu-
lar boxes shown in Figure 2 are modeled using timed finite state
automata specified in the IF language. The shaded rectangular
3
boxes shown in Figure 2 are data structures that are shared by
the different automata in the models. Automata with timed tran-
sitions are shown by timer icons in Figure 2.
Network/OS abstraction layer. At the lowest architectural
layer we model inter-process communication (IPC) mecha-
nisms, such as sockets, pipes, FIFOs, and message queues, as
IPC channels. An IPC channel has two Service Access Points
(SAPs), for convenience called the left-hand-side SAP (lhs-
SAP) and the right-hand-side SAP (rhs-SAP). Each SAP has a
read-buffer and a write-buffer associated with it. The read-buffer
is used by the SAP to receive any data sent to it from another
SAP and the write buffer is used to send data from that SAP to
another SAP. Each SAP has a unique handle associated with it
and this handle is used as an index in the IPC channel collection
data structure to access the data buffers associated with that SAP.
An IPC channel is bidirectional. It is modeled as two data-
transfer automata, one for the forward direction, and one for the
reverse direction. The forward channel automaton waits for data
to be enqueued on the write-buffer of the lhs-SAP and transfers it
to the read-buffer of the rhs-SAP. The reverse channel automaton
waits for data to be enqueued on the write buffer of the rhs-SAP
and transfers it to the read-buffer of the lhs-SAP. These forward
and reverse channel automata also can be parameterized with
appropriate propagation delays, if needed.
Middleware abstraction layer. Above the network/OS layer
is the middleware layer, where we model abstractions of seman-
tically rich middleware building blocks.
Each middleware primitive is modeled so that the behavior
seen when the model is executed closely adheres to that of the
actual implementation. This faithful modeling of the middle-
ware primitives in turn results in high-fidelity models of higher-
level middleware services, obtained by composing these primi-
tive models. To support such faithful modeling, we have devel-
oped data structures like the event handler repository used by the
reactor to store mappings between a Service Access Point (SAP)
and the handler associated with that SAP. This table is populated
whenever an event handler is registered with a reactor.
Application abstraction layer. Our models encapsulate appli-
cation functionality using event handlers, as is customary when
developing ACE-based applications in practice. Each event han-
dler reads data from or writes data to IPC channels, which in
turn model interactions between different event handlers. The
computation performed by an event handler can be modeled as
a (potentially complex) automaton, or may be abstracted away
and represented by a single transition guarded by a constraint
on a timer variable to delay its execution completion event as
necessary.
Property specifications for verification. In the IF tool set,
observable system properties can be specified by observers [6].
These observers are represented by timed automata; they are ex-
ecuted at each step of the labeled transition system (LTS) that is
generated from the composed system model before an enabled
transition is selected. To facilitate specification, IF provides ob-
server constructs for a variety of events in a system including
forking a new process, output events, and input events. In gen-
eral an observer records an abstraction of the actions and inter-
actions of other automata and also can be used to control the
model’s execution.
4 Modeling Concurrent Objects in IF
Although our goal is to model systems having multiple com-
municating threads, each of which executes actions including
object method calls, the distinction between an object and a
thread is not known to the IF model checker. Despite its lack
of direct representations for objects and threads, IF proved to be
the best suited tool set for our middleware modeling and anal-
ysis needs: while Bogor [8] provides native support for objects
and threads, IF offers direct support for reasoning about explicit
timing, which Bogor does not provide.
This decision required us to keep track of the distinctions be-
tween threads and objects in the models themselves. In this
section we describe the techniques we developed to represent
object-oriented concurrent DRE systems in terms of processes
(automata) and their interactions in IF.
4.1 Modeling Object Interactions in IF
To model object-oriented concurrent systems in IF, each
method call must be represented by a separate process, because
multiple simultaneous calls can be made to the same object
(method), whose computations may interfere with each other. If
each object method were modeled by a single process, all calls to
this method would be implicitly assumed serialized. This does
not, however, correctly represent actual system behavior of, for
example, multiple threads in a reactor.
We therefore model a method call from one object to another
object by having the caller process create a new process for the
callee method and send a signal to the new process to start its
execution [9]. Upon completion of execution the callee process
sends a signal back to the parent (caller) process and stops, thus
deleting itself.
4.2 Modeling Threads in IF
In IF, it is the responsibility of the model developer to repre-
sent explicitly, in the model itself, the idea of a thread of con-
trol flowing through multiple objects as part of a chain of object
method invocations. For example, Figure 3(a) shows a logical
thread that represents a flow of control from one object to an-
other object (Foo1 to Foo2, Bar1 to Bar2), with both of these
objects modeled as IF processes. To model a distinct thread flow
of control, we developed the concept of a thread id maintained
by each IF process. The thread id is a reference (of type pid in
IF) to a unique instance of an IF process of type Thread. Note
that the Thread automaton has been developed as part of this re-
search and it is not a built-in feature in IF. The thread automaton
serves to record the real-world thread context under which the
IF process is executing.
To represent concurrency accurately, any thread in the actual
system should be modeled by creating a Thread automaton in
our models. When we model an object method invocation, the
thread context (represented by a unique thread id) under which
that invocation is made is carried over from the caller to the
callee object. To propagate the thread context, we use an IF ob-
server. Between any two labeled transition system (LTS) steps,
this observer runs and updates the thread context of a destination
4
 
 
	












	



 
 
(a) Thread ID Propagation and Scheduling
   thread_schedule: pid1 < pid2
     if
       pid1 instanceof Foo1 and
       pid2 instanceof Bar1 and
       ({Foo1}pid1).threadid <>
       ({Bar1}pid2).threadid and
       ({Thread}(({Foo1}pid1).threadid)).prio <
       ({Thread}(({Bar1}pid2).threadid)).prio )
(b) IF Priority Rules to Model Thread Scheduling
	













	

 
 









(c) Run-to-Completion Semantics for Two Threads
	

 	

	
 	



	 	
 	
	
	

 
	
		

	

 	


 	



	 	



 
	   	



 	


(d) Idle Catcher
Figure 3. Modeling Thread Semantics in IF
process of an IF signal to be the same as the thread context of
the source process.
4.3 Modeling Priority Based Thread Scheduling in IF
In our approach, a Thread automaton with a user-defined
state variable named priority can be instantiated to restrict con-
currency in execution of the models, just as a priority can be
used in OS thread scheduling to reduce interleavings of threads
actions in the actual system. Since the Thread automaton is not
a built-in construct in IF, a mechanism by which we inform the
model checker about the priorities of logical threads is needed,
so that the model checker can give preference to transitions that
are executing under the context of a higher priority thread over
those under the context of a lower priority thread. We use the
priority rules feature in IF to specify the priority ordering among
different automata interactions.
Figure 3(b) illustrates how we use the priority rules feature in
IF to achieve thread scheduling in our models. This IF priority
rule states that between two automata of IF process types Foo1
and Bar1, if the thread contexts of these two automata are dif-
ferent, then choose the automaton with a threadid that points to
a Thread automaton with a higher value for the priority state
variable (in this example, Bar1 is chosen over Foo1).
4.4 Modeling Run-to-Completion Semantics
In the previous section, we discussed how to model priority
based scheduling in IF, where we dealt mainly with modeling
threads with different priorities. In real-time systems, it is very
common to use the SCHED FIFO scheduling mechanism to re-
duce context switching between real-time threads of the same
priority. We use a similar technique to control interleavings be-
tween the execution of automata within different logical threads
of the same priority.
In our models, each logical thread of control runs across mul-
tiple IF automata until the thread blocks, or is preempted by a
higher priority thread - only then can another thread start run-
ning. In the IF model, this translates to the notion of automata
in the same thread context executing in sequence until there are
no enabled transitions in the group of automata running under
that thread context.
To realize run-to-completion semantics in IF, we developed
a combination of techniques: (1) keeping track of the currently
running thread id as part of the state space; (2) performing thread
context propagation from a caller object to callee object; and (3)
using an idle catcher to reset the currently running thread when
none of the processes in our model have any enabled transitions.
For the purpose of this discussion, we assume that Thread1 and
Thread2 have the same value for their priority state variables.
Currently running thread context. Each transition in every
automaton in the model updates a globally accessible state vari-
able Current to record the thread context under which it is cur-
rently running. Any IF process P whose thread context is the
same as the currently running thread will get preference to any
IF process Q whose thread context is not the same as the cur-
rently running thread, provided the threads for P and Q have the
same priority. This policy is expressed in IF using a combina-
tion of IF priority rules. Note that if there is no currently run-
5
ning thread context, then we allow appropriate non-determinism
in the model. For example, Figure 3(c) illustrates an execution
sequence where in state 1, the Foo1 automaton is chosen non-
deterministically over Bar1 since the value of Current is nil. The
Foo1 automaton updates the value of the Current state variable
with the threadid (1) of its thread context. In state 2, the model
checker selects Foo2 over Bar1, since the value of Current (1) is
the same as the threadid of Foo2 and hence Foo2 is chosen over
Bar1. Foo2 (and hence Thread1) then blocks in state 3. Bar1
is now chosen to run since there are no other automata that are
eligible to run. Bar1 now sets Current to its threadid (2). After
this Bar2 runs and then blocks in state 5. Thus we have achieved
run-to-completion semantics.
Idle catcher. The combination of maintaining and propagat-
ing thread contexts is sufficient as long as there is always an
enabled transition in the system. However, there could be prob-
lems when there are no enabled transitions in the system, such as
when time needs to progress in the model. Figure 3(d) illustrates
such a problem, where Thread1 and Thread2 from Figure 3(c)
both become unblocked after some time at state 6. At state 6,
both Foo2 and Bar2 are enabled and ideally there should be a
non-deterministic choice between them. But since the value of
Current is 2, Bar2 is always chosen to run by virtue of its threa-
did being the same the value of Current. This results in over-
constraining the state space, in which a form of non-determinism
which is quite possible and which may be relevant to the con-
straints of the actual system, is removed. To avoid such over-
constraining, we add an Idle Catcher automaton as Figure 3(d)
also shows.
This automaton has a lower preference than any other au-
tomaton in the model, and runs only when there are no other
enabled transitions in the system. As soon as it runs, the idle
catcher automaton resets the currently running thread context to
nil. When Foo2 and Bar2 are enabled one of them is picked
non-deterministically by the model checker. The selected pro-
cess then updates the currently running thread context and runs
to completion.
5 Domain Specific State Space Optimizations
A common problem with model checking is the potential for
state space explosion. With concurrency the state space can
grow especially large due to interleavings of transitions, even
when individual processes have relatively small state spaces.
Therefore it is imperative to reduce unnecessary nondeterminism
and to disable state transitions that do not have a counterpart in
the actual system. In this section we describe the techniques we
have employed to reduce nondeterminism in the system initial-
ization phase and to limit irrelevant interleavings of state transi-
tions, respectively.
System initialization. When we construct an IF model of a
system, we first establish the static structure of the system, cre-
ating both active objects (e.g., ThreadPools) and passive ob-
jects (e.g., Reactors) and their associations. In this initialization
phase, the order in which the different objects and their associa-
tions are created may be irrelevant to the application semantics,
in which case they are observationally equivalent. However, dif-
ferent creation orders are by default considered distinct states
by the model checker. For example, consider an application
with objects A and B that each create an instance of object C.
In IF when a process is created (with fork) it gets a unique id.
Thus, depending on which object’s fork is executed first, we may
have the associations {A}0-{C}0, {B}0-{C}1, or {A}0-{C}1,
{B}0-{C}0. Although these two scenarios are equivalent from
an application point of view, they are considered distinct execu-
tion paths by the model checker. Since the number of combina-
tions is exponential in the number of such object creations, this
can significantly impact the size of the state space. To reduce
this type of nondeterminism we arbitrarily choose and fix an ob-
ject creation order, e.g., in ascending order of process id values,
using IF priority rules.
Leader thread election. With some concurrency strategies,
such as the thread pool reactor, it may not matter in which order
a thread is chosen from a set of waiting threads, e.g., to become
the leader thread and start waiting for events on the reactor. If
the choice of a specific thread does not have any consequences
for the safety, timing, or liveness properties of the system, then
this non-determinism can be eliminated, thus reducing the state
space. We use a simple strategy to remove non-determinism
in this case: among the IF processes representing the waiting
threads, we choose the one with the lowest process id number.
6 Case Study: Application Level Gateway
The case study presented in this section (1) illustrates the
reusability of our models and (2) serves as an illustrative ex-
ample of realistic systems1, where our low-level models help to
identify gaps between higher level models and the actual design
and implementation of systems.
This case study illustrate how our low-level models can detect
the forms of interference discussed in Section 2, which are not
entirely captured by high-level system models like RMA [10].
This case study also shows how how our low-level models help
to evaluate different middleware-level design alternatives in light
of these forms of interference.
Gateway overview. We first give a brief overview of the gate-
way: a more complete description of this middleware service
appears in [11]. The underlying idea of a gateway is the media-
tor pattern [12] that allows cooperating peers to interact without
having to maintain references to each other. A peer that takes the
role of a supplier publishes events to the gateway. The gateway
forwards these events to peers that take the role of consumers
and are subscribed to those events.
We first extended the default functionality of the gateway so
that before forwarding an event to a consumer, the gateway can
perform a value-added service that is specific to that supplier.
This is a reasonable extension for real-world applications, e.g.,
when a stock quote is broadcast to different subscribers the gate-
way may collect and distribute more information such as the
stock’s performance history.
We developed two variations of the gateway, both with event
propagation from suppliers to consumers and with suppliers be-
ing consumer agnostic. The two variations show how feature
1Although customers of Riverace (a company that helps to maintain ACE
and provides commercial support for a number of ACE-based systems) could not
share the details of their use cases with us, Steve Huston, the CEO of Riverace,
confirmed that the gateway example is an exemplar of such applications.
6
additions (i.e., real-time, reliability) can produce changes in the
middleware configuration which in turn can affect the timing and
liveness properties of the system: (1) a gateway used by an ap-
plication with real-time requirements; and (2) a gateway used by
an application with a control-push data-pull model and reliabil-
ity requirements.
6.1 Real-time Gateway
We first examine the use of the gateway by a real-time appli-
cation. We consider a scenario where events are supplied period-
ically by two suppliers S1 and S2 with periods 100ms and 50ms
respectively. Events from S1 are forwarded to consumers C1
and C2 and events from S2 are forwarded to C2 and C3. Note
that C2 receives events from both S1 and S2. The deadlines for
the arrival of these events at the consumers is the same as the
period of the supplier that supplies the events. The value-add
computation for the events supplied by S1 takes 20ms and that
for S2 takes 10ms.
High level modeling using RMA. During high level model-
ing, we try to determine whether the above application is schedu-
lable under the given parameters. Typically for a periodic system
like this, Rate Monotonic Analysis (RMA) [10] is used to deter-
mine whether sharing the same CPU among tasks is feasible.
Assuming that there is a constant propagation delay from the
suppliers to the gateway, the events arrive at the gateway at reg-
ular intervals. Under RMA, the gateway thus can be considered
a periodic system with 2 periodic tasks (with periods 50ms and
100ms and execution times of 20ms and 10 ms respectively).
Since the total utilization (80%) is well below the utilization
bound (100%) for harmonic periods, the system is guaranteed
to be schedulable if the higher frequency task is given a higher
priority, preemptively.
Having done a high-level analysis, we now examine three de-
sign choices for configuring the gateway, which are shown in
Figure 4. Note that in the RMA analysis, we only considered the
sharing of resources at the hardware level and did not consider
the sharing of resources that could take place at the middleware
level. This lack of detail in the high-level model in turn may lead
to a violation of system timing properties during system execu-
tion, unless we use a sufficiently detailed model to capture the
effects of various design choices thereby guiding the designer
to make the appropriate choice. Therefore, we now provide the
middleware design details using our own models and analyze the
resulting models for any timing violations.
Design 1: single reactor thread. With this design choice,
shown in Figure 4(a), an I/O thread waits on socket events us-
ing a reactor. When an event arrives from a supplier, the reactor
makes an upcall to the appropriate supplier handler which then
forwards the event to the appropriate consumer handlers. The
consumer handlers send these events to the consumers in the
context of the I/O thread itself. Note that the value-added ser-
vice (if any) for each consumer is also done in the context of the
I/O thread.
The model execution trace in Figure 5(a) shows that a deadline
miss occurred because of a priority inversion (A) that occurred
at the reactor in the gateway. The priority inversion occurred be-
cause of the sequential nature of the reactor upcalls. Message
Supplier
Supplier
Handler
Supplier
Handler
Consumer
Handler
Consumer
Handler
Reactor Consumer
(a) Design 1: Single Threaded
Supplier
Supplier
Handler
Supplier
Handler
Consumer
Handler
Consumer
Handler
Reactor
Consumer
Reactor
LO
HI
(b) Design 2: Reactor Priority Lanes
Supplier
Supplier
Handler
Supplier
Handler
Consumer
Handler
Consumer
Handler
Reactor
Consumer
Reactor
LO
HI
LO
HI
(c) Design 3: Reactor and Dispatch Priority Lanes
Figure 4. Real-time Gateway Design Choices
from S1 was processed first and then message from S2 was pro-
cessed. This resulted in a blocking delay for the message from
S2. The blocking delay was the time it took for the value-added
processing for message from S1, which in the above example
was 40 time units (20 time units each for C1 and C2). Because
of this blocking delay there was a deadline miss for Consumer
C3 at (B). This trace thus shows that the enforcement of the high-
level RMA model is not achieved using this design approach.
Design 2: reactor priority lanes. To eliminate the priority in-
version due to blocking at the reactor in Design 1, we now use
separate reactor/thread pairs to handle I/O events correspond-
ing to the two suppliers. Under this design choice, which has
been used to avoid priority inversion in real-time ORBs like
TAO [13, 14], there is an I/O thread and reactor per priority level,
as is shown in Figure 4(b). The value-added service for each
consumer is also done in the context of the I/O thread. To pro-
tect the same event handler (for example the consumer handler
for C2) from concurrent upcalls from different reactor threads,
access to the event handlers is synchronized.
The model execution trace in Figure 5(b) shows that the pri-
ority inversion seen at (A) in Figure 5(a)) is prevented because
of the priority isolation achieved by separation of I/O handling
for the events from the two suppliers. However, a priority inver-
sion still occurs (C) at the synchronized consumer handler corre-
sponding to C2 because the value-added service corresponding
to the event from S1 to C2 is done by the synchronized consumer
handler for C2. This delays the second event from S2 (released
at time = 50) that is waiting for access to the same consumer
handler.
7
Design 3: reactor and dispatch priority lanes. Under this
design, a consumer handler hands over an event to an active ob-
ject [5], which has its own thread of execution to forward the
events to a consumer. Synchronization at the event handler is
maintained as in Design 2, but the value added service itself is
done by the active object thread rather than within the event han-
dler. To achieve priority isolation for event dispatching by the
active object threads, we used simple Kokyu [15] style priority
lanes. The number of lanes is based on the number of priority
levels needed - 2 lanes in this example under RMA, since we
have two rate groups (100ms and 50ms).
Our model execution traces indicated no deadline misses or
priority inversions, as is shown in Figure 5(c). According to
RMA, the lane corresponding to the 100ms period was given a
lower priority than that for 50ms. As a result, the S1-C2 event
processing by the low priority active object thread is preempted
(at time = 50 units) by the S2-C2 event processing by the high
priority active object thread.

     	 
  





 
 


     	 
  


 







     	 
  














Figure 5. Timelines from Model Execution
6.2 Reliable Gateway with Control-Push Data-Pull
In Section 6.1 we have seen how our middleware models can
help to evaluate different design choices with respect to timing
constraints and alternative configurations of the application level
gateway. That discussion focused on blocking delays caused by
the single threaded reactor or by synchronization at an event han-
dler shared by two different gateway threads.
We now examine a second form of interference that our mod-
els capture - exhaustion of reactor threads - using an applica-
tion with reliability requirements. This example reemphasizes
the fact that such interference can be captured only by including
lower-level models of middleware building blocks in our analy-
sis. In this example, the application uses an event propagation
model called “control-push data-pull” model. In this model, the
supplier publishes a “data-available” event to the gateway and
the gateway forwards it to the subscribed consumers. The con-
sumers then make remote calls to the supplier to fetch the data.
Apart from the control-push-data pull model, the application
also has a reliability requirement - every event that is published
by a supplier must be acknowledged by the gateway and every
event received by a consumer from the gateway must be ac-
knowledged by that consumer. Once the gateway receives ac-
knowledgements from all the consumers for an event, it sends
an acknowledgement back to the supplier.
To wait for an acknowledgement from the gateway after pub-
lishing an event, a supplier could use the WaitOnConnection
or WaitOnReactor strategy. Which of these strategies is most
suitable depends on other factors such as inter-process depen-
dencies and available threads, as well as on application-specific
constraints [16]. We now analyze the impact of these two de-
sign choices on the liveness of the system, and illustrate how a
deadlock may occur in the context of the gateway example as a
consequence of using the WaitOnConnection reply wait strategy.
We enhanced both the composed set of low-level models and
the implementation of the gateway example in ACE to accom-
modate reliability. In the following discussion, we consider a
single-threaded implementation of the gateway, where a reac-
tor thread is responsible for demultiplexing among connections
from suppliers and forwarding the events to consumers. We also
assume the suppliers and consumers to have a single-threaded re-
actor. Scenarios involving multi-threaded suppliers, consumers,
and gateways can lead to analyses [3] that are similar to those
presented here, but a detailed discussion of those scenarios is
beyond the scope of this paper.
Design 1: reply wait using WaitOnConnection. Figure 6
shows the sequence of interactions drawn from the trace out-
put from our model execution. The trace shows that a supplier
first (1) publishes an event to the gateway, and then (2) waits
for an acknowledgement from the gateway using the WaitOn-
Connection (WoC) reply wait strategy. The gateway reactor un-
blocks, and (3) makes an upcall to the appropriate event handler.
The event handler (4) forwards the event to a consumer handler,
which then (5) forwards it to the appropriate consumer. The
consumer (6) receives the event and makes a remote call to the
supplier to get data. After this no transitions are enabled and
time advances to a large preset number, indicating a deadlock.
 	
	 





	
	

	

	
	


	
 
	
	



!

	"

	

#	

$%
&
#
'

Figure 6. Interaction Sequence: WaitOnConnection
Design 2: reply wait using WaitOnReactor. Figure 7 shows
the sequence of interactions drawn from the trace output from
our model execution. The trace is similar to the one with the
WaitOnConnection strategy (shown in Figure 6) until (6) where
a consumer got an event and sends a request to the supplier and
waits for a reply. The only difference until (6) in Figure 7 is that
the supplier (2) waits for the acknowledgement from the gateway
using the WaitOnReactor (WoR) reply wait strategy. After (6),
the request sent by the consumer reaches the supplier whose sin-
gle thread was waiting both for requests and for pending replies,
using the reactor. In the WaitOnReactor reply wait strategy, the
reactor thread is used to receive the incoming remote call from
8
the consumer and make an upcall to the appropriate event han-
dler. The event handler for the remote call then (7) sends a reply
to the consumer, which (8) receives the reply and then (9) sends
an acknowledgement to the gateway, which in turn (10) sends
an acknowledgement back to the supplier. This trace shows
that the WaitOnReactor strategy eliminated the deadlock arising
from the loop in the supplier→gateway→consumer→supplier
call-chain.
 	
	 





	
	

	

	
	


	
 
	
	



!

	"

	

# 	

$%
&
#
'
(
)
$%
$%

	

$%

	
	
*
$%


+




Figure 7. Interaction Sequence: WaitOnReactor
7 Related Work
Model-integrated computing. Our research fits within the
Model-Driven Middleware [17] paradigm, which applies model-
integrated computing techniques [18] to the domain of middle-
ware. Our approach provides a detailed set of models for use in
conjunction with other model-based middleware configuration
techniques such as the CoSMIC [17] tool set, which supports
integrated model-driven component assembly, deployment and
configuration. We plan to investigate the possibility of integrat-
ing our formal models within the Generic Modeling Environ-
ment [19] and Ptolemy II [20] environments.
DREAM. Even though our approach is similar to
DREAM [21] in that we use timed automata models to
verify system properties, the problems that these research
efforts address are different. Whereas DREAM addresses
the problem of deciding schedulability of a set of tasks [21],
our research addresses the problem of correct composition of
reusable middleware building blocks that are modeled at a finer
level of granularity than the elements in the computational
model offered by DREAM.
CADENA and Bogor. CADENA [22] is an integrated envi-
ronment for building and modeling CORBA Component Model
(CCM) [23] systems. [24] shows how model checking using the
extensible Bogor [8] model checker has been applied to verify-
ing event-driven systems using an event channel. We plan to
investigate how the low-level formal models we have developed,
combined with the middleware building blocks our models rep-
resent, could be integrated with these tool sets to provide fine-
grained model checking and software synthesis capabilities over
a common and reusable software base.
Fine-grain middleware building blocks. Our work so far has
focused on abstractions in ACE. Our techniques are applicable to
other environments where abstractions like the Selectors in Java
NIO [25] are similar to the reactor and event handler models we
have already developed. Moreover, our modeling approach has
potential application to other less similar environments, e.g., to
model and analyze the fundamental building blocks provided by
other platforms such as TinyOS [26].
8 Conclusions and Future Work
Our middleware modeling approach presented in this paper
is designed to address the need for a more detailed formal ba-
sis for verification of correct middleware construction and con-
figuration in the context of individual applications. The ex-
amples presented in Section 6 illustrate a variety of ways in
which evaluating timing and liveness properties can be compli-
cated by different combinations of middleware mechanisms. In
practice, the range of complicating factors is much larger than
even these examples show, which motivates both our develop-
ment of reusable mechanism-level models and our composition-
based model checking approach for analysis of entire systems.
For example, different applications will naturally exhibit (1) dif-
ferent dependency topologies between event handlers; (2) var-
ious strategies for concurrency, scheduling, event demultiplex-
ing, and other crucial mechanisms; and (3) alternative strategies
for handlers relinquishing control, such as WaitOnConnection
and WaitOnReactor. Furthermore, the constraints each applica-
tion places on timing and other properties may alter the criteria
by which system timeliness and liveness are evaluated.
Summary of results. The results of our case study presented
in Section 6 motivate the need for detailed modeling of low-
level middleware mechanisms, and evaluation of those models
through model checking tools. We compared the results of ex-
ecuting our models with the results of executing actual imple-
mentations of our case study scenarios with ACE 5.4.7 on Linux
2.6.12, using the design alternatives that we discussed in Sec-
tion 6. Both the the priority inversions predicted by the models
in Section 6.1, and the deadlocks predicted by the models in
Section 6.2, appeared in the actual runs, thus demonstrating the
validity of our models.
Moreover, for the real-time gateway scenarios in Section 6.1,
we populated the models with execution times from the actual
runs and then generated timeline traces from the resulting model
execution. The timelines from the model execution trace re-
sembled the timelines from actual execution trace very closely,
demonstrating the fidelity of our models. A more detailed dis-
cussion of our modeling approach, of this case study, and of
other verification and validation examples using our models can
be found in [27].
These results support the view that modeling and analysis
should be done as an integral part of the system design and engi-
neering process. Significant further work is needed to make this
vision a reality in the DRE middleware domain, but the research
9
presented in this paper demonstrates the suitability and viability
of that approach.
Acknowledgments We wish to thank Dr. Joseph Sifakis,
Dr. Marius Bozga and Dr. Iulian Ober for their valuable discus-
sions and advice regarding the IF tool set.
References
[1] Institute for Software Integrated Systems, “The
ADAPTIVE Communication Environment (ACE).”
www.dre.vanderbilt.edu/ACE/, Vanderbilt University.
[2] Institute for Software Integrated Systems, “The ACE ORB
(TAO).” www.dre.vanderbilt.edu/TAO/, Vanderbilt University.
[3] C. Sanchez, H. B. Sipma, V. Subramonian, C. Gill, and Z. Manna,
“Thread Allocation Protocols for Distributed Real-time and Em-
bedded Systems,” in 25th IFIP WG 6.1 International Conference
on Formal Techniques for Networked and Distributed Systems
(FORTE ’05), oct 2005.
[4] C. Sanchez, H. B. Sipma, Z. Manna, V. Subramonian, and C. Gill,
“On Efficient Distributed Deadlock Avoidance for Real-time and
Embedded Systems,” in 20th IEEE International Parallel and
Distributed Processing Symposium (IPDPS ’06), Apr. 2006.
[5] D. C. Schmidt, M. Stal, H. Rohnert, and F. Buschmann, Pattern-
Oriented Software Architecture: Patterns for Concurrent and Net-
worked Objects, Volume 2. New York: Wiley & Sons, 2000.
[6] M. Bozga, S. Graf, I. Ober, I. Ober, and J. Sifakis, “The IF
Toolset,” in Formal Methods for the Design of Real-time Systems,
Springer-Verlag LNCS 3185, 2004.
[7] S. Bornot, J. Sifakis, and S. Tripakis, “Modeling Urgency in
Timed Systems,” in COMPOS, pp. 103–129, Springer-Verlag
LNCS 1536, 1997.
[8] Robby and Matthew Dwyer and John Hatcliff, “Bogor: An Exten-
sible and Highly-Modular Model Checking Framework,” in In the
Proceedings of the Fourth Joint Meeting of the European Soft-
ware Engineering Conference and ACM SIGSOFT Symposium
on the Foundations of Software Engineering (ESEC/FSE 2003),
(Helsinki, Finland), ACM, Sept. 2003.
[9] S. Graf, I. Ober, and I. Ober, “Model-checking UML models via
a mapping to communicating extended timed automata,” in Pro-
ceedings of SPIN’04, 2004.
[10] C. Liu and J. Layland, “Scheduling Algorithms for Multiprogram-
ming in a Hard-Real-time Environment,” JACM, vol. 20, pp. 46–
61, Jan. 1973.
[11] D. C. Schmidt, “Applying a Pattern Language to Develop
Application-level Gateways,” in Design Patterns in Communica-
tions (L. Rising, ed.), Cambridge University Press, 2000.
[12] E. Gamma, R. Helm, R. Johnson, and J. Vlissides, Design Pat-
terns: Elements of Reusable Object-Oriented Software. Reading,
MA: Addison-Wesley, 1995.
[13] C. O’Ryan, D. C. Schmidt, F. Kuhns, M. Spivak, J. Parsons,
I. Pyarali, and D. Levine, “Evaluating Policies and Mechanisms
for Supporting Embedded, Real-time Applications with CORBA
3.0,” in Proceedings of the 6th IEEE Real-time Technology and
Applications Symposium, (Washington DC), IEEE, May 2000.
[14] I. Pyarali, D. C. Schmidt, and R. Cytron, “Techniques for En-
hancing Real-time CORBA Quality of Service,” IEEE Proceed-
ings Special Issue on Real-time Systems, vol. 91, July 2003.
[15] C. Gill, D. C. Schmidt, and R. Cytron, “Multi-Paradigm Schedul-
ing for Distributed Real-time Embedded Computing,” IEEE Pro-
ceedings, Special Issue on Modeling and Design of Embedded
Software, vol. 91, Jan. 2003.
[16] V. Subramonian and C. Gill, “A Generative Programming Frame-
work for Adaptive Middleware,” in Proceedings of the 37th
Hawaii International Conference on Computer Sciences (HICCS),
(Kona, Hawaii), Jan. 2004.
[17] A. Gokhale, B. Natarajan, D. C. Schmidt, A. Nechypurenko,
J. Gray, N. Wang, S. Neema, T. Bapty, and J. Parsons, “CoSMIC:
An MDA Generative Tool for Distributed Real-time and Embded-
ded Component Middleware and Applications,” in Proceedings
of the OOPSLA 2002 Workshop on Generative Techniques in the
Context of Model Driven Architecture, (Seattle, WA), ACM, Nov.
2002.
[18] J. Sztipanovits and G. Karsai, “Model-Integrated Computing,”
IEEE Computer, vol. 30, pp. 110–112, Apr. 1997.
[19] G. Karsai, S. Neema, A. Bakay, A. Ledeczi, F. Shi, and
A. Gokhale, “A Model-based Front-end to ACE/TAO: The Em-
bedded System Modeling Language,” in Proceedings of the Sec-
ond Annual TAO Workshop, (Arlington, VA), July 2002.
[20] J. Liu, X. Liu, and E. A. Lee, “Modeling Distributed Hybrid Sys-
tems in Ptolemy II,” in Proceedings of the American Control Con-
ference, June 2001.
[21] G. Madl, S. Abdelwahed, and D. C. Schmidt, “Verifying dis-
tributed real-time properties of embedded systems via graph trans-
formations and model checking,” International Journal of Time-
Critical Computing Systems, 2005.
[22] J. Hatcliff, W. Deng, M. Dwyer, G. Jung, and V. Prasad, “Ca-
dena: An Integrated Development, Analysis, and Verification En-
vironment for Component-based Systems,” in Proceedings of the
25th International Conference on Software Engineering, (Port-
land, OR), May 2003.
[23] N. Wang, C. Gill, D. C. Schmidt, and V. Subramonian, “Config-
uring Real-time Aspects in Component Middleware,” in Lecture
Notes in Computer Science: Proc. of the International Symposium
on Distributed Objects and Applications (DOA’04), vol. 3291,
(Agia Napa, Cyprus), pp. 1520–1537, Springer-Verlag, Oct. 2004.
[24] W. Deng, M. B. Dwyer, J. Hatcliff, G. Jung, Robby, and G. Singh,
“Model-checking Middleware-based Event-driven Real-time Em-
bedded Software,” Department of Computer Science, Technical
Report SAnToS-TR2003-2, Department of Computing and Infor-
mation Sciences, Kansas State University, 2003.
[25] R. Hitchens, Java NIO. O’Reilly, 2002.
[26] J. Hill, R. Szewczyk, A. Woo, S. Hollar, D. Culler, and K. Pis-
ter, “System architecture directions for networked sensors,” in
Proceedings of the ninth international conference on Architec-
tural support for programming languages and operating systems,
pp. 93–104, ACM Press, 2000.
[27] V. Subramonian, Timed Automata Models for Principled Compo-
sition of Middleware. PhD thesis, Washington University in St.
Louis, Technical Report WUCSE-2006-23, May 2006.
10
