Model-based analysis is a common technique to identify incorrect behavioral composition of complex, safety critical systems, such as robotics systems. However, creating structural and behavioral models for hundreds of software components manually is often a labor-intensive and error-prone process. In this talk I present our past, current, and ongoing work to infer structural and behavioral models for components of systems based on the Robot Operating System (ROS) using static analysis by exploiting assumptions about the usage of the ROS framework. We see this work as a contribution towards making well-proven and powerful but infrequently used methods of model-based analysis more accessible and economical in practice to make robotics systems more reliable and safe.

1. ARCHITECTURAL MODEL INFERENCE
FROM CODE
FOR ROS-BASED ROBOTICS SYSTEMS
Tobias Dürschmid, Christopher S.Timperley, David Garlan, Claire Le Goues
Carnegie Mellon University

2. Legend
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems
Software
Component
Connector
Planning
Perception
Motor Controller
Port
Robotics Systems are Complex
Component-based Systems
2

3. Legend
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems
Software
Component
Connector
Planning
Perception
Motor Controller
Port
Some Bugs Result from Incorrect
Composition of Software Components
[ready = true]
[ready = false]
10 Hz
[ready == true]
3
component waits
indefinitely

4. Good News: Model-BasedAnalysis can Find Bugs
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 4
b : C2
a : C2
d : C3
c : C1
𝒊𝟏
𝒊𝟐
Runtime Model
Queue size = 10
𝒐
+ +
C3
C2
C1
𝒊𝟏
𝒊𝟐
𝒐
Component Behavior Models Environment Model
Models the interface of
components (i.e., port) and
connectors
Models the states and
state transitions of
components, their input-
output relationship, and
timing properties
Models inputs from the
environment and how the
environment reacts to
actions of the system

5. Good News: Model-BasedAnalysis can Find Bugs
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 5
Model Checking / Simulation
(large amount of existing work and tools, e.g.,TLA+, Palladio, …)
inputs
b : C2
a : C2
d : C3
c : C1
𝒊𝟏
𝒊𝟐
Runtime Model
Queue size = 10
𝒐
+ +
C3
C2
C1
𝒊𝟏
𝒊𝟐
𝒐
Component Behavior Models Environment Model

6. C3
C2
C1
𝒊𝟏
𝒊𝟐
𝒐
Component Behavior Models
Bad News: Manual Model Inference is Expensive
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 6
Environment Model
b : C2
a : C2
d : C3
c : C1
𝒊𝟏
𝒊𝟐
Runtime Model
Queue size = 10
𝒐
+ +
“We are a big company.We really can’t do this for every project”
Dr. Ingo Lütkebohle (Bosch Research)

7. Problem Statement
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 7
How to automatically infer component models of components
Why is static architecture recovery hard?
Static recovery of architectural models is undecidable in general.
Architecture-defining code is scattered across the entire system.
written for the Robot Operating System (ROS)?

8. ros::Subscriber sub = nh.subscribe("t_sub", receive_initial);
ros::Publisher pub = nh.advertise("t_pub");
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 8
bool ready = false;
void receive_initial(const Message msg)
{ // subscriber callback
ready = true; // state transition
}
Observation: ROS Systems Implement
Component Ports using well-defined APIs
• subscribe creates a publish-subscribe input port
• advertise creates a publish-subscribe output port
• Key idea: Statically Recover API calls and their arguments
to reconstruct run-time architectural models

9. Our previous work ROSDiscover[1]
can Infer Run-Time Models Statically
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 9
Approach: Architectural recovery using static analysis of API calls +
rule checking
Tool available at GitHub: https://github.com/rosqual/rosdiscover
Results: >90% recovery of runtime architectural models
Detecting 8 of 19 of real-world bugs
[1] C. S.Timperley,T. Dürschmid, B. Schmerl, D. Garlan and C. Le Goues, "ROSDiscover: Statically
Detecting Run-TimeArchitecture Misconfigurations in Robotics Systems," ICSA 2022

10. Behavioral Models are Needed to Find
Many Architectural Composition Bugs
• Components waiting indefinitely for a message
• Deadlocks due to components being in incompatibles states
• Ignored inputs and message loss
• Publishing at unexpectedly high / low frequency
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 10

11. int main(int argc, char** argv)
{
ros::Subscriber sub = nh.subscribe("t_sub", receive_initial);
ros::Publisher pub = nh.advertise("t_pub");
const int local_LOOP_RATE = 10;
ros::Rate loop_rate(local_LOOP_RATE);
while (ros::ok()) // periodic loop
{
if (!ready)
{ // state condition
loop_rate.sleep();
continue;
}
pub.publish(msg); // message sending
loop_rate.sleep();
}
return 0;
}
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 11
bool ready = false;
void receive_initial(const Message msg)
{ // subscriber callback
ready = true; // state transition
}
Periodic Behavior
is Defined via
Rate Objects
Observation: ROS Systems Implement
Architectural Behavior using APIs & Idioms
Planning
[ready = true]
[ready = false]
10 Hz
[ready == true]

12. 05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 12
int main(int argc, char** argv)
{
ros::Subscriber sub = nh.subscribe("t_sub", receive_initial);
ros::Publisher pub = nh.advertise("t_pub");
const int local_LOOP_RATE = 10;
ros::Rate loop_rate(local_LOOP_RATE);
while (ros::ok()) // periodic loop
{
if (!ready)
{ // state condition
loop_rate.sleep();
continue;
}
pub.publish(msg); // message sending
loop_rate.sleep();
}
return 0;
}
bool ready = false;
void receive_initial(const Message msg)
{ // subscriber callback
ready = true; // state transition
}
State-based Behavior
is Defined via State
Variables
Observation: ROS Systems Implement
Architectural Behavior using APIs & Idioms

13. Observation: ROS Systems Implement
Architectural Behavior using APIs & Idioms
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 13
int main(int argc, char** argv)
{
ros::Subscriber sub = nh.subscribe("t_sub", receive_initial);
ros::Publisher pub = nh.advertise("t_pub");
const int local_LOOP_RATE = 10;
ros::Rate loop_rate(local_LOOP_RATE);
while (ros::ok()) // periodic loop
{
if (!ready)
{ // state condition
loop_rate.sleep();
continue;
}
pub.publish(msg); // message sending
loop_rate.sleep();
}
return 0;
}
bool ready = false;
void receive_initial(const Message msg)
{ // subscriber callback
ready = true; // state transition
}
Reactive Behavior is
Defined via Subscriber
Callbacks

14. Case Study Evaluation on Autoware.AI
• Autoware.AI is the largest open-source ROS system
and the most popular open-source framework for autonomous driving
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 14

15. API-Call-Guided Static Recovery can Have
High Accuracy for Behavioral Models
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 15
• Method: Compare to manually inferred handwritten models (106)
• Manually identify root cause of missed behaviors and classify as
engineering issue or limitation of the approach
• Results:

16. A Partial Model is BetterThan No Model
• Static Analysis can find known unknowns (“⊤”)
• Static Analysis points to the location in the code to recover
• Developers can replace ⊤ with correct value
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 16

17. State Conditions on Objects are Hard to
Infer Statically
Example of State-based Behavior ROSInfer cannot find:
lane_planner::vmap::VectorMap all_vmap;
void cache_point(const vector_map::PointArray& msg)
{
all_vmap.points = msg.data; // state change
update_values();
}
void update_values()
{
// complex state condition
if (all_vmap.points.empty() || all_vmap.lanes.empty() || all_vmap.nodes.empty())
return;
[...]
lane_planner::vmap::publish_add_marker([...]);
}
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 17

18. Summary
• Manual Model Inference is Expensive
• Assumptions about framework-specific APIs and idioms enable the
automatic inference of behavioral & structural component models for
ROS-based Robotics systems
• This work makes model-based analyses more accessible and practical
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 18
Planning
[ready = true]
[ready = false]
10 Hz
[ready == true]

19. Discussion Questions
• What other analyses are needed?
• What properties are important for roboticists?
• Do you use model-based analysis?
• If not:Why not?
• If so: How do you use it?
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 19

20. Lessons Learned
• Many components are designed to process input streams and publish processed
outputs like a pipes and filters architecture. These components are stateless and
usually produce a single output for each input that they receive.
• Components that maintain states are often components that start to publish
periodically after receiving a set of input messages that are used to initialize the
component
• Only a few components implement a complex state machine. Most explicit or implicit
state variables are booleans and only few components have more than three state
variables.
• While the state machines that model the behavior of the component might be less
complex, developers sometimes use more complex language features to express
them than would be necessary.This makes the code more extensible and easier to read
by human developers, but harder to analyze using static analysis.
05/29/2023 Tobias Dürschmid:Architectural Model Inference from Code for ROS-based Robotics Systems 20