Human-Error Prevention for Autonomous Edge Software Using Minimalistic Modern C++

big data and cognitive computing

Article Human-Error Prevention for Autonomous Edge Software Using Minimalistic Modern C++

Ryo Fukano 1,* and Masato Ishikawa 2 1 Komatsu MIRAI Construction Equipment Cooperative Research Center, Osaka University, Osaka 565-0871, Japan 2 Dept. of Mechanical Engineering, Osaka University, Osaka 565-0871, Japan; [email protected] * Correspondence: [email protected]; Tel.: +81-6-6875-7220

Received: 15 September 2019; Accepted: 18 October 2019; Published: 4 November 2019

Abstract: In science and engineering using edge-embedded software, it is necessary to demonstrate the validity of results; therefore, the software responsible for operating an edge system is required to guarantee its own validity. The aim of this study is to guarantee the validity of the sampled-time filter and time domain as fundamental elements of autonomous edge software. This requires the update law of a sampled-time filter to be invoked once per every control cycle, which we guaranteed by using the proposed domain specific language implemented by a metaprogramming design pattern in modern C++ (C++11 and later). The time-domain elements were extracted from the software, after which they were able to be injected into the extracted software independent from the execution environment of the software. The proposed approach was shown to be superior to conventional approaches that only rely on the attention of programmers to detect design defects. This shows that it is possible to guarantee the validity of edge software by using only a general embedded programming language such as modern C++ without auxiliary verification and validation toolchains.

Keywords: edge-computing architecture; real-time computing; software veriﬁcation; ISO compliant

1. Introduction

1.1. Background The increasing scale in which embedded software is being developed has become a matter of deep concern because of increasing design failures attributable to the carelessness of designers [1]. The complexity of large-scale embedded software is such that the rapid prevention of design and implementation failures is difﬁcult, although science and engineering require rigorously reproducible software. Furthermore, today’s embedded software is generally a part of a huge system linked to the cloud. This complexity is even greater. Prevention of these failures is the duty of scientists and engineers using embedded software because embedded software in edge devices, advanced robots, and many types of uncrewed vehicles is designed to become part of our daily lives. Hence, methods to prevent these failures from being incorporated into embedded software are urgently required for both research and development purposes, and user safety. In order for cloud applications to properly analyze data from an edge, the responsibility of edge software requires that its data uploading to the cloud shall be reproducible and deterministic (Figure1). From an application-oriented viewpoint, machine learning and data analysis on edge devices [2,3] enable executing their applications with limited resources. On the other hand, from the building-block viewpoint, major cloud services such as AWS [4] and Azure [5] provide C/C++ language SDKs for

Big Data Cogn. Comput. 2019, 3, 52; doi:10.3390/bdcc3040052 www.mdpi.com/journal/bdcc Big Data Cogn. Comput. 2019, 3, 52 2 of 18 edge software that cooperate with the clouds. These SDKs provide functions for sending and receiving data to and from the clouds. These two viewpoints do not provide a design method for the stability of overall edge software that works for a long period.

Reproducible software Reliable results Deterministic software Camera Distance sensor 01110 10011 M M 10011

Motors Data upload Autonomous Edge Cloud Analysis (Mobile robot)

Figure 1. Reproducible and deterministic edge device yields reliable cloud-analysis results.

In terms of embedded software, typical factors for disturbing reproducibility and nondeterministic execution are the inclusion of the time domain as nonfunctional requirement, and the implementation of the human error of cyclic execution, such as sampled-time ﬁlters. Pure functionalities and the time domain are usually coupled in embedded software because the software not only has to comply with software-quality requirements, but also physical-boundary conditions. Additionally, this coupling often confuses programmers. An autonomous robot is a kind of movable edge device for sensor-data acquisition in the real world. It can collect data using its sensors and also simultaneously move itself for data acquisition. Subsumption (SA) [6] architecture, installed on the early generations of the Roomba [7], is one of the most successful examples for this purpose. The feature of SA is that consists of tightly coupled functionalities, a time domain, software, and hardware. This tightly coupled architecture ensures robust behavior in the real world. However, software engineering warns that tightly coupled architecture is known to cause nondeterministic behaviors, which could lead to fatal disasters such as those reported in [8]. Motors, sensors, and a camera mounted on the robot (Figure1) have different control rates (Figure2). When the SA robot is working in the ﬁeld, its software requires transaction processes to achieve a different control cycle and interference between SA layers.

I/O of functionalities(3)

Computer Vision 30Hz SA Interference(2)

Sensor Recognition 100Hz

Motor Control Sensors 1000Hz Actuaters

Realtime(1)

Figure 2. Software architecture of subsumption architecture in a mobile robot.

Object-Oriented Analysis and Design (OOAD) [9], generally used for large-scale software design, cannot solve the problems associated with tightly coupled SA. An essential purpose of OOAD is to decrease the connectedness between functionalities. However, first, robot software requires real-time capabilities classified as a nonfunctional requirement to execute its functionalities in the actual world. Second, the robustness of SA is provided by interference between SA layers by cross-referencing software functionalities. This ability to function in real time and to achieve interference are classified as cross-cutting concerns by Aspect-Oriented Analysis and Design (AOAD) [10] of the software and is difficult to implement using pure OOAD. Big Data Cogn. Comput. 2019, 3, 52 3 of 18

Furthermore, it was also necessary for us to consider sampled-time filters, which are fundamental elements of embedded-system design. These filters are defined as an all-online algorithm including Version October 16, 2019 submitted to Big Data Cogn. Comput. 3 of 18 internal states such as a Kalman filter, particle filter, and a finite-state automaton. The filters contain an update law that is inevitably required to be invoked once per one control cycle. Implementation of the61 algorithminternal states as software such as does a Kalman not prohibit filter, particle the algorithm filter, and a from finite-state invoking automaton its update and so law on. twice The filters or from 62 contain an update law that is inevitably required to invoked once per one control cycle. Implementation ignoring the law by the carelessness of designers and programmers, because programming languages 63 of the algorithm as software does not prohibit the algorithm from invoking its update law twice or from that are used to create robot software are designed for general purposes. These languages cannot 64 ignoring the law by the carelessness of designers and programmers because programming languages prevent robot-specific failures. 65 that are used to create robot software are designed for general purposes. These languages cannot

66 Thisprevent paper robot-speciﬁc assumes all failures. sampled-time ﬁlters to be implemented as classes. Classes KalmanF and

ParticleF67 inThis Figure paper3 are assumes implementations all sampled-time offilters a Kalman to be filterimplemented and a particle as classes. filter. The Theseclasses twoKalmanF classes include68 and memberParticleF functionin Figureupdate3 are implementationsthat has to be of invoked a Kalman once filter during and a particle each control filter. These cycle. two The classes Kalman filter69 invokesinclude itsa member update function law twiceupdate per, one which control has to cycle be invoked ( ), and at once the particle during each filter control is not cycle. invoked The ( ). 70 Kalman filter invokes its update law twice per one control♠ cycle ( ) and the particle filter is not invoked ♥ Consequently, these invoking update laws are implementation♠ failures. This loop also includes 71 ( ). Consequently these invoking update laws are implementation failures. Besides, this loop includes environmental♥ dependency directly as env_dependent_transaction ( ). 72 environmental dependency directly as env_dependent_transaction ( ♦). ♦

1 KalmanF kf; 2 ParticleF pf; 3 // a lot of statements 4 while(true){ 5 kf.update(); // ♠ 6 // pf.update();// overlooking update ♥ 7 // a lot of statements 8 env_dependent_transaction(); // ♦ 9 kf.update(); // excess update ♠ 10 }

Figure 3. Sampled-timeFigure 3. Filter ﬁlter update update functions functions using using traditional traditional real-time real-time loop implementation. loop implementation.

73 ProgrammersProgrammers would would not obtainnot obtain any any kind kind of of noticeable noticeable feedback feedback information,information such such as asa compilation a compilation 74 error because implementation failures resulting from the invocation of update law functions, such error, because implementation failures resulting from the invocation of update-law functions, such as 75 as those in Figure3, are acceptable in term of their programming language grammars. Additionally, those in Figure3, are acceptable in terms of their programming-language grammars. Additionally, 76 source code inspection by review cannot guarantee the validity of robot software theoretically because source-code inspection by review cannot theoretically guarantee the validity of robot software because 77 reviewers’ attention is limited. Therefore, implementation failures can only be detected by assessing reviewers’78 the actual attention operation is limited. of the robot. Therefore, Conventional implementation methods offailures implementation can only be implicitly detected assume by assessing that the79 actualrobots operation would experience of the robot. runaway. Conventional methods of implementation implicitly assume that robots80 wouldDomain experience Specific runaway. Language(DSL)[11] is a method used to enable a programming language 81 Domainto reinforce Specific itself. Language The concept (DSL) of DSL [11] consists is a method of ”Internal used to DSL” enable which a programming is constructed by language the to reinforce82 combination itself. of The its base concept language of DSL and ”External consists DSL”of “Internal which is DSL”, assisted which by external is constructed tools. Internal by the combination83 DSL has of the its advantageous base language, feature and of “External being a lightweight DSL”, which method is assisted achieved by by external meta-programming. tools. Internal 84 Because C++, which is commonly used to pragmatically describe embedded software, provides a DSL has the advantageous feature of being a lightweight method achieved by metaprogramming. 85 meta-programming capability by using ”template” grammar, internal DSL written by using C++ is Because C++, which is commonly used to pragmatically describe embedded software, provides a 86 expected to enforce a robot-specific grammar and to improve the quality and productivity of embedded metaprogramming capability by using “template” grammar, internal DSL written by using C++ 87 software development. The lightweight method of internal DSL has possibility to overcomes the defects is expected88 of heavyweight to enforce method robot-specific such as middleware grammar and and formal to methods. improve the quality and productivity of embedded-software development. The lightweight method of internal DSL could overcome the defects89 1.2. of Researchheavyweight Objectives methods such as middleware and formal methods.

90 This paper proposes an internal DSL for autonomous edge software that only depends on

1.2.91 Researchthe C++11(ISO/IEC Objectives 14882:2011)[12] and later specification know as modern C++. The template 92 Thisspecification paper proposes has been an greatly internal enhanced DSL for since autonomous modern C++. edge Therefore, software it isthat not clear only how depends much theon the 93 quality of embedded software can be improved by the modern template. C++11 (ISO/IEC 14882:2011) [12] and later specification known as modern C++. Template specification 94 The DSL is expected to isolate the time domain and functionality in the edge software and has been greatly enhanced since modern C++. Therefore, it is not clear how much the quality of 95 guarantees the invocation of update laws once per one control cycle. This enables edge software embedded software can be improved by the modern template. 96 engineers to implement tightly coupled embedded architecture, such as SA, as loosely coupled

97 Thesoftware. DSL is If expected the DSL, towhich isolate only the depends time domain on C++ andgrammar, functionality can guarantee in edge the software, validity of and embedded guarantee the invocation of update laws once per control cycle. This enables edge-software engineers to implement a tightly coupled embedded architecture, such as SA, as loosely coupled software. If the DSL, which Big Data Cogn. Comput. 2019, 3, 52 4 of 18 only depends on C++ grammar, can guarantee the validity of embedded software, it would be possible to apply to all embedded software environments capable of running a C++ compiler. This paper introduces the practically desirable goals listed below based on the above consideration.

1. Free from object-oriented constraints and simultaneously type-safe. 2. Using a minimal robot-software environment as a compiler of standard language speciﬁcation. 3. No additional tools such as computer-aided software engineering (CASE) or software framework. 4. Providing well-designed building blocks easy to associate the result of a top–down approach. 5. Zero overhead in run-time.

2. Related Work There are many challenges to improving the engineering quality of robot software. Existing works are roughly summarized into two approaches. One is the top–down approach, which includes formal methods and XX-Oriented design. The other is the bottom–up approach, which includes programming frameworks and programming techniques.

2.1. Top–Down Approach Formal methods [13–15] and logic programming [16] extract consistency speciﬁcation from embedded software. However, after extraction, executable software is generally implemented by programming language. The robot was designed by the model-based approach from the viewpoint of safety [17]; model conversion and execution code are required. Human errors occur during the implementation process. In addition, even if the executable source code is generated by automatic conversion, it is difﬁcult to ensure readability for review. Application-Oriented System Design [18] applied XX-oriented analyses to exhaustively operating system design in order to build a customizable OS. In this design process, object-oriented design decomposes OS functionalities from the viewpoint of a problem domain. At the same time, aspect-oriented design extracts nonfunctional requirements called “cross-cutting concerns” from the system. The aspects are independent from the objects. Results showed that it is necessary to apply multiple design methods to complex software products such as OSs. To apply aspect-oriented design [19–21] to robot software, its analysis can extract time elements as “cross-cutting concerns” to control its behavior. Implementation of the extracted elements remains an issue.

2.2. Bottom–Up Approach Robot middleware such as OpenRTM [22] and ROS [23] cannot prevent implementation failure of a sampled-time filter and the dependency of an execution environment. For example, OpenRTM provides an onExecute function for cyclic execution. However, a programmer manages a connection between filter and onExection function only by attention, when the filter is implemented as OpenRTM component. A testbed for robot software is one of the most promising applications [24,25] for robot middleware because its purpose does not require much portability. This kind of middleware usually provides bindings for multiple programming languages and simulators. Therefore, it is suitable as an environment to validate functionalities implemented in various languages. On the other hand, if the core functionality of the robot itself depends on specific middleware, coexistence with another testbed becomes an issue because typical middleware does not intend to coexist with another. A review of robot middleware types [26] shows that no middleware is superior to others in any respect. It is difficult to ignore portability by adopting the best one. In addition, these middlewares are heavyweight software, so their portability is an issue, although they can improve developmental productivity. A simplified C language [27] eliminating some of its major features is proposed for robot education. This approach is classified as an external DSL [11] because its source code is parsed by Yacc [28] and does not support pass-by-reference and pointer operators as the features. Although these are notorious features of the C language, they are indispensable for the efficiency and portability of robot software. Big Data Cogn. Comput. 2019, 3, 52 5 of 18

To implement the extracted aspect using object-oriented language, two contrasting approaches are proposed: extending the language itself, and using programming techniques. AspectC++ [29] is an example of an extension of language speciﬁcation; however, it deviates from ISO. Generics can be used to implement aspects because they can describe functionalities that are free from being object-constrained. C++, commonly known as an object-oriented language, is in fact a multiparadigm language. Thus, C++ can implement generics by macro and template means. The macro approach [30] is not type-safe. The template approach [31] can satisfy both ISO compliance and type safety. However, this approach does not have the capabilities of modern C++ because it based on C++03.

3. Dependency Injection DSL for Separation of Functionalities and Time Domain

3.1. Design Pattern: Type-Safe Portable Real-Time Control 1. Problem and Context: Robot software highly depends on the environment and cannot be ported to different platforms. It is especially difﬁcult to port its simulator for testing. 2. Solution: Provide environment independency for robot software that includes different control cycles such as image processing, motor control, and sensing, in addition their interaction. In addition, because it is only implemented with the standard grammar of a programming language, it has portability and no additional tool is required. 3. Consequences and Trade-Offs: This is an extension of the bridge pattern of GoF [32] for robot software. Therefore, it inherits the issue of the bridge pattern.

3.2. Loosely Coupled Implementation of Tightly Coupled Architecture Using Modern C++ The robot architecture in Figure1 includes a time factor that crosses its system (Figure2 (1)), interaction among modules (Figure2 (2)) and transaction processes for the input and output of the modules (Figure2 (3)). For these items crossing over their system, AOAD [ 10] is proposed. OOAD encapsulates each object and weakens the association between objects, whereas implementations of AOAD often require a programming language with extensive capabilities. This paper proposes an internal DSL using design patterns that only employ C++ speciﬁcation to implement extracted objects and aspects without auxiliary toolchains. The patterns are shown in Figure4, illustrated by UML 2. This approach injects a small aspect code, of which the validity is guaranteed, into objects. First, this design pattern extracts dependency from objects as an aspect in order to reduce module coupling. Then, this pattern assigns dependency by injection into an object after object implementation. In addition, thread functionality that is essential for parallel execution for the aspects was introduced as a standard from C++11.

3.3. Isolation of Objects and Real-Time Aspect The bridge pattern [32] was introduced to isolate a real-time aspect (Figure2 (1)) from other functionality objects, as shown as DI(1) in Figure4. The isolation achieves writing independent robot functionalities from execution environments. The arrow direction from the RealtimeThreadIF class to the RealtimeFunctionalityIF one in Figure4 represents independence.

3.4. Input/Output Aspect Implementation Independent from Execution Environment A robot system based on SA has multiple running points because every functionality has speciﬁc control cycles. Hence, the Input/Output (I/O) aspect (Figure2 (3)) should have transactional I/O that maintains consistency in all running points. If the transaction is improperly implemented, the robot system becomes a runaway, such that the system either aborts with an I/O deadlock or controller values of the system are not correctly copied. This behavior causes a fatal error in a critical robot system. This paper proposes a “Dependency Injection” design pattern [33] for C++ to implement I/O aspects, as shown as DI(2) in Figure4. Implementation is problematic in that each different type of I/O requires different transaction implementation because the language is statically typed. This feature Big Data Cogn. Comput. 2019, 3, 52 6 of 18 causes reduplicated implementations. The problem of reduplication can be overcome by designing types of the I/O aspect as template arguments, as shown in Figure5. Hence, functionality classes that require the aspect need to simultaneously inherit both the template class and the RealtimeFunctionalityIF class.

<> PosixThread RealtimeThreadIF RTPreemptThread DI(1) BoostThread

<> ComputerVision RealtimeFunctionalityIF SensorRecognition MotorControl Input Output Lock Locker DI(2) TransactionIO SAInterference

Figure 4. UML class diagram of software design by extracted functionalities and concerns from Subsumption (SA).

Input: class Output: class Template arguments Lock: class of execution environment Locker: class TransactionIO

- inLock_: Lock - input_: Input Lock and buffer - outLock_: Lock of I/O exclusive control - output_: Output

+ getOutput(): Output External interface + setInput(Input&): void # getInput(): Input Internal interface # setOutput(Output&): void of a class inherited TransactionIO

Figure 5. UML class diagram of Input/Output (I/O) of functionality aspect class.

The TransactionIO template class (Figure5, implemented in Figure A1), is an implementation of the I/O aspect. The class connects public interfaces for external classes, and protected interfaces for subclasses via buffers as a transaction process. Implementation uses the “Parameterized Base Class” and “Thin Template” idioms [34]. The transaction process and I/O types are parameters bound at compilation time because of the effect of the “Parameterized Base Class”. Their lock processes of exclusive access control are robust against exceptions due to the “Resource Acquisition Is Initialization” idiom [35]. Parameterization achieves that a transaction process provided by a real-time environment is independent from the environment, and a type-safe transaction process implemented by a statically typed language is simultaneously independent from the statically typed system. Additionally, the TransactionIO class inherited by all functionality classes requiring the I/O consumes few resources owing to the effect of the “Thin Template”. This idiom reduces duplicate object code because the class only consists of an inline method.

3.5. Implementation of SA Interference Aspect The features of the SA interference aspect (Figure2 (2)) are encapsulated interference and the fastest control cycle to achieve inﬁnite response speed when SA layers interfere with each other. Big Data Cogn. Comput. 2019, 3, 52 7 of 18

The combination of these two methods is a versatile design that implements real-time interaction as loosely coupled objects in embedded software. A mediator pattern [32] is introduced to encapsulate the cross-reference of the objects. If the cross-reference of the objects were used to provide the interference of SA, the objects would involve tightly coupled implementation. The control cycle of SA interference is configured at 1000 Hz, which corresponds to the fastest control cycle of the motor controller. The configuration of 1000 Hz provides a pseudoinfinite response speed from other SA layers with the same or slower control cycles from the viewpoint of interference.

4. Preventive Metaprogramming DSL for Real-Time Loop

4.1. Pattern: Compile as Right Control 1. Problem and Context: Robot software executes unexpected runaway by excessive or overlooked update of sampled-time filters. 2. Solution: Eliminate excessive or overlooked execution of sampled-time filters as compile error before robot-software execution. It can be applied to all types of robot software that use a sampled-time filter, e.g., signal filters, Kalman filters, and particle filters. 3. Consequences and Trade-Offs: It has portability and does not require an additional code generator because it is only implemented with the programming language’s standard grammar. Compile-time check cannot detect errors that occur at run time. Therefore, an additional instance check is introduced in this paper.

4.2. Update-Law Metaprogramming Using Modern C++ Specification This paper proposes compile-time metaprogramming to detect defective update-law functions before the robot software is put into operation. The core of the proposed pattern is to invoke update functions by a destructor shown in Figure6 when it is dismantled (Figure A2). The design pattern contrasts an idiom of must-release resource connected to a constructor and destructor, known as “Resource Acquisition Is Initialization” (RAII). RAII is achieved to define a class that manages resource acquisition and release. On the other hand, the pattern cannot be achieved in a single class; instead, the pattern can be achieved by using a design pattern that harmonizes more than one class. This reflects the complexity of robot software in comparison to resource management. This paper calls the pattern “Cyclic Execution Is Destruction” (CEID). CEID (Figure A3) theoretically prevents overlooked and excessive calls of the update law.

CEID CEIDEqualComparable

<> KalmanF, ParticleF... KalmanF <> -update CEID ParticleF +~CEID (Destructor) +CEID (Constructor) -update UniqueCheck

Figure 6. UML class diagram of “Cyclic Execution Is Destruction” template class.

In addition, to prevent overlooked registration of a sampled-time ﬁlter with CEID, it is necessary to inform the compiler of that. Therefore, the operator-existence check at compile time shown in Big Data Cogn. Comput. 2019, 3, 52 8 of 18

Figure7, which is substantially enhanced from C++11, is combined with automatic operator generation. A compile error prevents embedded-software runaway beforehand, when there is no “==”operator. On the other hand, a unique check (Figure A4) for ﬁlter instances is executed at run time to prevent excessive registration.

1: bind KalmanF <> ParticleF CEID 2: hand over ﬁlter class

CEIDEqualComparable

3: generate "==" if ﬁlter class is invoked

operator==

4: raise comile error if "==" is not exist

is_update_per_cycle_once

5: check uniqueness of ﬁlter instance

CEID Constructor

Figure 7. UML collaboration diagram to eliminate excessive or overlooked execution of sampled-time ﬁlters.

These mechanisms are also implemented by variadic templates (Figure A5) introduced in C++11 to handle any number of filter classes at compile time. Variadic templates require recursive template declaration to handle any number of filter classes because the compiler does not know the number of sampled-time filters.

4.3. Overlooking to Invoke is a Compilation Error Using “Substitution Failure Is Not An Error” (SFINAE) Automatic operator generation to invoke the update laws at once per cycle is closely related to C++11 grammar. Therefore, it is difficult to explain with a UML diagram, which is a general expression method. For this reason, this section represents the mechanism to guarantee update laws using source code. C++ specification has a name-resolving mechanism to accept functions with the same name. This mechanism, SFINAE, does not judge substitution failure as a compilation error at compile time. The mechanism enables to detect overlooked sampled-time filters to invoke an update law of a sampled-time filter using automatic operator generation, taking the filter class and the special invoking class at compile time. The proposed design pattern uses the “Curiously Recurring Template Pattern” [34] to automatically declare an operator function for detection. The “Curiously Recurring Template Pattern” (CRTP) was designed to substitute an operator member function that requires a complicated manual code description. Automatic declaration of the operator for the update-invoking class is shown in Figure8. The upper part of Figure8( ) shows a template class for automatic operator declaration. The declaration of the update-invoking class in the lower part of Figure8( N) inherits an operator template class taken from the invoking class itself, and a target sampled-time filter class as argument. Therefore, member class function equal_to of the invoking class is executed as a “==” operator by the operator template class. Version October 16, 2019 submitted to Big Data Cogn. Comput. 9 of 18

255 4.3. Overlooking to Invoke is a Compilation Error Using SFINAE

256 The automatic operator generation to invoke the update laws at once per cycle is closely related to

257 C++11 grammar. Therefore it is difﬁcult to explain with UML diagram, which is a general expression

258 method. For this reason, this section represents the mechanism to guarantee the update laws using

259 source code.

260 The C++ speciﬁcation has a name-resolving mechanism to accept functions with the same name.

261 This mechanism named ”Substitution Failure Is Not An Error” (SFINAE) does not judge substitution

262 failure as a compilation error at compile time. The mechanism enables to detect overlooked to invoke

263 an update law of a sampled-time ﬁlter using automatic operator generation taken the ﬁlter class and

264 the special invoking class at compile time.

265 The proposed design pattern uses the ”Curiously Recurring Template Pattern”[34] to declare

266 an operator function for the detection automatically. The ”Curiously Recurring Template Pattern” is

267 designed to substitute an operator member function that requires a complicate manual code description.

268 Automatic declaration of the operator for the update invoking class is shown in Figure8. 269 The upper part of Figure8( ) shows a template class for automatic operator declaration. The 270 declaration of the update invoking class in the lower part of Figure8( N) inherits an operator template 271 class taken from the invoking class itself and a target sampled-time ﬁlter class as argument. Therefore, Big Data Cogn. Comput. 2019, 3, 52 9 of 18 272 the member class function equal_to of the invoking class is executed as ”==” operator by the operator

273 template class.

1 template 2 class CEIDEqualComparable {// 3 friend bool operator==(T const &a, U const &b) { 4 return a.equal_to(b); 5 } 6 }; 7 8 template 9 10 class CEID //N 11 : private CEIDEqualComparable, THead> { 12 public: 13 bool equal_to(THead const& rhs) const{ 14 return false; 15 }; 16 };

FigureFigure 8. Automatic 8. Automatic operator operator generation generation by by “Curiously ”Curiously Recurring Recurring Template Template Pattern”. Pattern”.

274 The classThe that class was that used is used to to inspect inspect the the absence absence or or presence of of the the ”== “==”” operator operator at compileat compile time time 275 is shown in Figure9.” ==” operators are generated for all filter classes corresponding to the special is shown in Figure9.” ==” operators are generated for all filter classes corresponding to the special 276 invoking class. The absence ”==” operator even induces overloading for the invoking inspection by invoking class. The absence of a “==” operator even induces overloading for invoking inspection by 277 SFINAE. Therefore, a filter class without this operator can be judged as an overlooked invocation. SFINAE. Therefore, a filter class without this operator can be judged as an overlooked invocation. 278 In order to check the absence of ”==” operator, a trailing return type ” >” introduced by C++11 To check the absence of a “==” operator, a trailing return type “ −>” introduced by C++11 279 extracts a type of class corresponding to the truth value using decltype. The− template member function extracts280 in a the type upper of class partcorresponding of Figure9( ]) indicates to the truth ”True” value as return using typedecltype by overloading. The template-membername resolving when function in281 the upperthe ”== part” operator of Figure of the9( special]) indicates invoking “True” classand as return a filter type class exists.by overloading The templatename member resolving function when the282 “==in” the operator middle of Figurethe special9( [) indicates invoking ”False” classand as return a filter type class when exists. the ” The==” template-member operator does not exist. function in283 the middleAn ofinterface Figure class9( [ to) indicates obtain the “False”truth value as at return compile type time when is shown the “in== the” lower operator part of does Figure not9( exist.\). 284 AnFirstly interface the class class generates to obtain an theoverloading truth valueof the at abovecompile member time is function shown by in using the lower a transfer part fromof Figure its 9 285 template arguments to the arguments of is_update_per_cycle_impl. Secondly, the class inherits an (\). First, the class generates overloading of the above member function by using a transfer from 286 extracted type of the truth value using decltype. Finally, the class obtains the truth value corresponding its template arguments to the arguments of is_update_per_cycle_impl. Second, the class inherits an 287 to the absence or presence of the update invocation as a member value at compile time. extracted type of the truth value using decltype. Finally, the class obtains the truth value corresponding to the absenceVersion October or presence 16, 2019 submitted of the to updateBig Data invocationCogn. Comput. as a member value at compile time. 10 of 18

1 struct is_update_per_cycle_once_impl { 2 template 3 static auto check(T*, U*) ->//] 4 decltype(std::declval() == std::declval(), std::true_type()); 5 template 6 static auto check(...) ->//[ 7 std::false_type; 8 }; 9 10 template struct is_update_per_cycle_once //\ 11 : decltype(is_update_per_cycle_once_impl::check(nullptr, nullptr)) { 12 };

FigureFigure 9. Compile-time 9. Compile time decision decision using usingoverloadingoverloading of functions.

288 The declarationThe declaration of a of sampled-time a sampled-time filter filter to to raise raise a compile a compile error if error the filter if the is not filter invoked is not is shown invoked is shown289 in Figure in Figure 10. The 10 truth. The value truth to raise value is assigned to raise to is the assigned ”value” member to the parameter “value” member of is_update parameter_percycle. of is_290updateThen_per the_cycle ”value”. Then, is assigned the “value” to an argument is assigned of static to an_assert argumentthat raises of static an error_assert by thethat compile-time raises an error by291 thetruth compile-time value. Consequently, truth value. this Consequently, design pattern this can design control pattern the raising can of control a compile the error raising regardless of a compile of error292 regardlesswhether an of update whether law an function update-law is invoked. function In practice, is invoked. a template In practice, or a macro a template that define or an a instancemacro that defines293 and anstatic instance_assert andatstatic the same_assert timeat is theuseful. same time is useful.

1 using CEIDAll = CEID; 2 KalmanF kf; 3 static_assert(is_update_per_cycle_once::value, 4 "Kalman␣filter␣is␣not␣updated."); 5 ParticleF pf; 6 static_assert(is_update_per_cycle_once::value, 7 "Particle␣filter␣is␣not␣updated.");

Figure 10. Assertion of overlooked update law at compile time.

294 5. Results

295 5.1. Summary of the Proposed Methods

296 The proposed methods achieve the following features that solve the prescribed requirements.

297 1. Free from object-oriented constraints simultaneously type safe (i.e., achieved by the proposed

298 design patterns)

299 2. Using a minimal robot software environment (i.e., implemented under C++11 compliance)

300 3. No additional tools (i.e., implemented by the C++11 compliance design patterns)

301 4. Providing well-designed building blocks (i.e., achieved by "Type-Safe Portable real-time Control")

302 5. Zero overhead in run-time; (i.e., achieved by "Compile as Right Control")

303 5.2. Portability by ISO Compliant

304 This paper ports the two proposed design pattern for the four types of computer, Linux PC

305 and MacOSX as desktop, Raspberry Pi[36] and Arduino[37] as embedded, shown in Table1. Both

306 "Type-Safe Portable Real-time Control" and "Compile as Right Control" work well on Linux PC,

307 MacOSX and Raspberry Pi. However, the patterns does not work on Arduino. The ﬁrst pattern using

308 standard thread can not be compiled because Arduino is a single process environment. Also, the

309 second pattern can not be compiled because the C++11 standard header is missing in the Arduino

310 environment. This result shows that these design patterns achieves portability in any ISO C++11

311 environment. Version October 16, 2019 submitted to Big Data Cogn. Comput. 10 of 18

Figure 9. Compile time decision using overloading of functions.

288 The declaration of a sampled-time ﬁlter to raise a compile error if the ﬁlter is not invoked is shown

289 in Figure 10. The truth value to raise is assigned to the ”value” member parameter of is_update_percycle.

290 Then the ”value” is assigned to an argument of static_assert that raises an error by the compile-time

291 truth value. Consequently, this design pattern can control the raising of a compile error regardless of Big Data Cogn. Comput. 2019, 3, 52 10 of 18 292 whether an update law function is invoked. In practice, a template or a macro that deﬁne an instance

293 and static_assert at the same time is useful.

FigureFigure 10. Assertion 10. Assertion of overlooked of overlooked update update law law at compile time. time.

5. Results 294 5. Results 5.1. Summary of Proposed Methods 295 5.1. Summary of the Proposed Methods The proposed methods achieve the following features that solve the prescribed requirements. 296 The proposed methods achieve the following features that solve the prescribed requirements. 1. Free from object-oriented constraints, simultaneously type-safe (i.e., achieved by the proposed 297 1. Free from object-oriented constraints simultaneously type safe (i.e., achieved by the proposed design patterns). 298 design patterns) 2. Using a minimal robot-software environment (i.e., implemented under C++11 compliance). 299 2. Using a minimal robot software environment (i.e., implemented under C++11 compliance)

3. 300 No additional3. No additional tools tools (i.e., (i.e., implemented implemented by by the the C++11 C++11 compliance compliance design design patterns) patterns).

4. 301 Providing4. Providing well-designed well-designed building building blocks (i.e., (i.e., achieved achieved by "Type-Safe by “Type-Safe Portable real-time Portable Control") Real-time 302 Control”).5. Zero overhead in run-time; (i.e., achieved by "Compile as Right Control") 5. Zero overhead in run time (i.e., achieved by “Compile as Right Control”). 303 5.2. Portability by ISO Compliant

5.2.304 PortabilityThis by paper ISO portsCompliant the two proposed design pattern for the four types of computer, Linux PC

305 and MacOSX as desktop, Raspberry Pi[36] and Arduino[37] as embedded, shown in Table1. Both This paper ported the two proposed design pattern for four types of computers: Linux PC and 306 "Type-Safe Portable Real-time Control" and "Compile as Right Control" work well on Linux PC, MacOSX as desktop, Raspberry Pi [36] and Arduino [37] as embedded (see Table1). Both “‘Type-Safe 307 MacOSX and Raspberry Pi. However, the patterns does not work on Arduino. The ﬁrst pattern using Portable Real-time Control” and “Compile as Right Control” work well on Linux PC, MacOSX, and 308 standard thread can not be compiled because Arduino is a single process environment. Also, the

Raspberry309 second Pi. pattern However, can the not patterns be compiled do not because work the on C++11 Arduino. standard The ﬁrst header pattern is missing using ina standard the Arduino thread could310 notenvironment. be compiled This because result Arduinoshows that is thesea single-process design patterns environment. achieves portability In addition, in theany second ISO C++11 pattern could311 environment. not be compiled because the standard C++11 header is missing in the Arduino environment. This result shows that these design patterns achieve portability in any ISO C++11 environment.

Table 1. Portability of proposed design patterns.

Linux PC MacOSX Raspberry Pi 3B+ Arduino Architecture Intel x86 Intel x86 ARM Cortex AVR OSX 10.9.3 N/A OS Linux 3.10.17 Linux 4.14 OSX 10.13.6 (Arduino IDE 1.8.3) g++ 4.8.2 Compiler g++ 4.7.3 g++ 6.3.0 g++ 5.4.0 clang 9.0 Standard library Yes Yes Yes N/A Porting Yes Yes Yes N/A

5.3. Development of SA Real-Time Simulation Using “Type-Safe Portable Real-Time Control” The authors implemented controller software for an SA robot implemented by C++03 and C++11 (Table2) using the proposed design patterns as a case study. C++03 also had the ability to implement the proposed design patterns, but it requires deviation from ISO. Robot software requires time-adjustment sleep to periodically execute a control cycle. The std :: chrono introduced in C++11 indicates that it can implement the aspect. On the other hand, a nonstandard sleep function is required to execute on a real-time OS. Even in this case, switching is easy due to the loosely coupled design. Quantitative evaluation of this implementation by cccc [38] is shown in Table3. The table shows the cyclical complexity of the implementation responsible for SA behavior, isolation to the environment, Big Data Cogn. Comput. 2019, 3, 52 11 of 18 and parallel processing. From the perspective of metrics, C++11 and C++03 did not show any difference in complexity. The SAInterference object has maximum 8 of cyclomatic complexity. In addition, the sum of all implemented objects was 33. In general, software testing is difﬁcult if complexity is 20 or more. Decomposition by the proposed methods kept maintainability in the applicable range.

Table 2. Comparison of robot software using C++11 and C++03.

C++11 C++03 Real-time standard No No Concurrency standard Yes No Time-adjustment standard Yes No Copy-control grammar Yes No Strict override Yes No

Table 3. Comparison of cyclomatic complexity using C++11 and C++03.

C++11 C++03 ComputerVision 6 6 MotorControl 6 6 SensorRecognition 5 5 SAInterference 8 8 RealtimeFunctionalityIF 0 0 ChronoCycleLogicalThread 1 N/A RTPreemptCycleLogicalThread 3 3 TransactionIO 4 4 Total 33 32

According to qualitative analysis, C++11 has stronger grammar in terms of inheritance and parallel execution than C++03 (Table2). For example, the override specifier keyword supports the compiler in finding the wrong member function to override. Although it is difficult to quantitatively evaluate the effects of these types of grammar, C++11 grammar might be able to automatically prevent human error. Another “Dependency Injection” architecture validated as a commercial embedded C++ system [39] was invented independent from this paper. The effectiveness of the architecture was measured by the software metrics provided in Table4.

Table 4. Productivity of another “Dependency Injection” architecture [39].

Total Man Hour New Code Bugs Bug Density 85.5% 127.0% 31.7% 17.9%

From this result, the proposed “Type-Safe Portable real-time Control” can be expected to achieve equivalent productivity. Moreover, the proposed “Compile as Right Control” design pattern can also be expected to improve productivity because the pattern can save embedded software from common occurrence failures.

5.4. Robust Behavior Simulation to Verify Independence from Execution Environment Simulation testing used the ChronoCycleLogicalThread class by std :: chrono (soft real-time) and the RTPreemptLogicalThread class (hard real time) by RT Preempt [40] as “Dependency Injection”. The performance of the robot was tested to verify its integrated behaviors. The mobile environment of the simulation included an obstacle and a reaching goal. The system test for the integrated behavior is represented in Figure 11. The path was plotted every 0.1 s, and total testing time was 7.0 s for each intensity. The ﬁgure demonstrates that the robot behaved rationally Big Data Cogn. Comput. 2019, 3, 52 12 of 18 whenever the interference intensity of the concurrent avoidance and reaching was changed. Results showed that the simulator could exchange soft and hard real time by “Dependency Injection”, although the simulator did not require modiﬁcation of the core part of the controller, and the real-time functions were provided from different computational environments, respectively.

0.8 [m] Interference 0.0 Interference 0.5 Interference 1.0 Goal

0.6

0.4

0.2 Obstacle

M M Start 0 -0.4 -0.2 0 0.2 0.4 [m]

Figure 11. System test simulation of SA using proposed design pattern.

5.5. Defective Design Prevention Using “Compile as Right Control” The proposed design pattern (code fragments of Figures8, A4, and A5 were integrated as one class) demonstrated that it can prohibit the failure of update-law invocation of sampled-time ﬁlters, as shown in Figure 10. The truth value for inspection is stored in the value member parameter. Then, the truth value is passed to static_assert that generates an error by the passed value at compile time. Instance-uniqueness investigation of double-invoking can also stop executing the sampled-time ﬁlters by run time. Using the combination of metaprogramming and run-time investigation, the proposed method succeeded in preventing runaway before the robot started its control.

6. Discussion In this paper, we proposed an internal DSL with two design patterns, “Type-Safe Portable Real-time Control” and “Compile as Right Control” as building blocks. The proposed DSL enables abstract design without additional modeling tools. This minimalistic approach can provide software-quality improvement opportunities for start-ups that investigate feasibility using a small controller, such as Raspberry Pi, and small-scale development organizations, such as university laboratories. In addition, the proposed method only uses a compiler that does not require external tools or language extensions, and it has high affinity with external software libraries. We can expect synergy with previous studies [2,3] and open-source artificial-intelligence products, for example, OpenCV [41], TensorFlow [42], and Autoware.AI [43], which can enlarge edge capability. This minimalistic approach based on DSL makes full use of built-in programming-language grammar to detect design defects. The internal DSL eradicates implementation failures from sampled-time filters, which are fundamental elements of real-time signal-processing software. Furthermore, the method prevents failures in the time domain and increases the productivity of complex and robust autonomous-edge software, including the time domain, such as subsumption architecture. These results show that the minimalistic approach can provide a building block to wide domains of edge systems. The defective design of software has traditionally faced the challenge of achieving effective prevention with minimal effort. Existing approaches, such as code review and formal methods, rely on programmers’ attention and mathematical inspection, respectively, to eliminate design defects. To apply them to the time domain and existing assets, particularly in the case of embedded software, is a significant challenge that needs to be overcome [44] because the size of a practical system is often Big Data Cogn. Comput. 2019, 3, 52 13 of 18 too large for reviewers’ perception and the computational complexity of formal methods. The building block by the minimalistic approach seems to decompose complexity to support them. The main part of the proposed method applies static class analysis by the compiler to software inspection. The double-registration prevention for a sampled-time filter causes very small run-time overhead because it checks pointers of sampled-time filters in the CEID constructor. C++ provides a limited run-time check mechanism because C++ was born as a statically typed language. One possibility for this purpose is compile-time reflection [45], but it is currently under discussion in the ISO committee. Another is to apply "Int-To-Type" idiom [34] to sampled-time filters. A constant integer of this idiom creates a new type that is identified by CEID from an existing sampled-time filter type. Promotion of a pattern catalogue for edge software is future work because this paper proposes just two design patterns. Abstract modeling of the minimalistic approach will continue to expand its scope by strengthening language specification. In particular, the “concept” of C++20 [46] will make it easier to enhance the inspection of edge software. “Concept” is a grammar type that evaluates the existence of an operator. Therefore, the proposed automatic operator generation according to programmers’ intention would be able to more directly investigate by C++20 and later.

7. Conclusions To our knowledge, it has not previously been possible to use the proposed internal DSL approach for edge software as an established method that is widely applicable in practice, even though this approach only depends on the grammar of C++11 and later, which is one of the most popular edge-software languages. We expect this approach to replace the conventional defensive programming approach and lead to the widespread introduction of safe edge software.

Author Contributions: Conceptualization, R.F. and M.I.; methodology, R.F.; software, R.F.; validation, R.F.; investigation, R.F.; writing—original-draft preparation, R.F.; writing—review and editing, R.F. and M.I.; visualization, R.F.; and supervision, M.I. Funding: This work was supported by the Komatsu MIRAI Construction Equipment Cooperative Research Center, endowed by Komatsu Ltd. https://home.komatsu/. Acknowledgments: We wish to thank the timely help given by Editage and MDPI English Editing Service in English proofreading. Conﬂicts of Interest: The authors declare no conﬂict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of the data.

Abbreviations The following abbreviations are used in this manuscript:

DSL Domain Speciﬁc Language SA Subsumption Architecture UML Uniﬁed Modeling Language OOAD Object Oriented Analysis and Design AOAD Aspect Oriented Analysis and Design DI Dependency Injection RAII Resource Acquisition Is Initialization CEID Cyclic Execution Is Destruction CRTP Curiously Recurring Template Pattern SFINAE Substitution Failure Is Not An Error

Appendix A. Implementation of Dependency Injection DSL for Separation of Functionalities and Time Domain Figure A1 represents the implementation of an automatic transaction process. The object receives a value from an external object via the setInput method. The value is stored in the input_ buffer by exclusive access control using inLock_ atomically. Then, the required value by functionality objects is Big Data Cogn. Comput. 2019, 3, 52 14 of 18 atomically loaded by the getInput method. The output process is also symmetrically implemented. The locksVersion of the October exclusive 16, 2019 submittedaccess control to Big Data are Cogn. robust Comput. against exceptions due to the “Resource Acquisition15 of 18 Is Initialization” idiom [35].

1 template 2 class TransactionIO 3 { 4 // Transaction for class external access 5 public: 6 inline void setInput(const Input& input) 7 { 8 Locker locker(&inLock_); 9 input_ = input; 10 return; 11 } 12 13 // Transaction for class internal access 14 protected: 15 inline const Input getInput() 16 { 17 Input tmp ; 18 { 19 Locker locker(inLock_); 20 tmp = input_; 21 } 22 return tmp; 23 }; 24 }; 25 26 class DependencyInjected 27 : public RealtimeFunctionalityIF, 28 public TransactionIO 29 30 { 31 // Automatic transaction process 32 ConcreteIn val = getInput(); 33 setInput(val); 34 }

FigureFigure A1. Dependency A1. Dependency injection injection design design pattern pattern for for transaction process. process.

Appendix B. Implementation of Preventive Metaprogramming DSL for Realtime Loop

1Figureusing A2 CEIDAll provides = a CEID; of update-law functions, which are a vital part of robot2 software.while(true This){ method can control the invoking sequence of filter classes from the declaration 3 auto&& cyclicExecution = CEIDAll(kf, pf); position4 near// a the lot start of position procedures of the control loop. 5Figure// A3 implicit represents destructor the prohibition calling of the mistaken invocation of an update law by programmers 6 using a}private access qualifier. CEID, which is a special class for invoking update-law functions, can access the private member function using a f riend qualifier. Figure A2. Automatic cyclic execution in realtime loop. Figure A4 represents a run-time investigation of a double-invoking instance to supplement compile-time investigation. The recursive execution of the CEID constructor recursively searches the pointers of sampled-time filters because the constructor is always executed before the sampled-time 1 filters areclass executed. KalmanF { 2 template friend classCEID; 3Theprivate variadic: template class in Figure A5 is a recursive declaration that separates the filter list into a4 headvoid item update(); and remaining tail items, and inherits the remaining items ( ). The template class 5 }; F uses invocation of an update-law function of the head class as an argument. This class automatically invokes all update-lawFigure functions A3. Update because member the function template of sampled-time class is recursively filter in private declared. access. The recursive declaration terminates itself to inherit the specialized template class with no argument ( ) when the 4 declaration reaches the last argument class. Version October 16, 2019 submitted to Big Data Cogn. Comput. 15 of 18

Version October 16, 2019 submitted to Big Data Cogn. Comput. 15 of 18

1 template 2 class TransactionIO 13 {template 24 class// TransactionTransactionIO for class external access 35 { public: 46 //inline Transaction void setInput( for classconst external Input& input) access 57 {public: 68 inlineLocker void locker(&inLock_); setInput(const Input& input) 79 { input_ = input; 108 Lockerreturn; locker(&inLock_); 119 } input_ = input; 1012 return; 1113 }// Transaction for class internal access 1214 protected: 1315 //inline Transaction const Input forclass getInput() internal access 1416 {protected: 1517 inlineInput const tmp ; Input getInput() 1618 { { 1719 InputLocker tmp ;locker(inLock_); 1820 { tmp = input_; 1921 } Locker locker(inLock_); 2022 returntmp =tmp; input_; 2123 };} 2224 }; return tmp; 2325 }; 2426 };class DependencyInjected 2527 : public RealtimeFunctionalityIF, 2628 classpublic DependencyInjected TransactionIO 2729 : public 2830 { public TransactionIO 2931 // Automatic 3032 { ConcreteIn val = getInput(); 3133 //setInput(val); Automatic transaction process 3234 } ConcreteIn val = getInput(); 33 setInput(val); 34 } Figure A1. Dependency injection design pattern for transaction process.

Figure A1. Dependency injection design pattern for transaction process. Big Data Cogn. Comput. 2019, 3, 52 15 of 18

1 using CEIDAll = CEID; 2 while(true){ 13 usingauto &&CEIDAll cyclicExecution = CEID; pf); 24 while//( atrue lot){ of procedures 35 auto// implicit&& cyclicExecution destructor = calling CEIDAll(kf, pf); 46 } // a lot of procedures 5 // implicit destructor calling 6 } Figure A2. Automatic cyclic execution in realtime loop.

FigureFigure A2. A2.AutomaticAutomatic cyclic cyclic execution execution in in realtime loop. loop.

1 class KalmanF { 2 template friend classCEID; 13 classprivate KalmanF: { Version October 16, 2019 submitted to Big Data Cogn. Comput. 16 of 18 24 templatevoid update(); friend classCEID; 35 };private: 4 void update(); 5 }; FigureFigure A3. Update A3. Update member member function function of of sampled-time sampled-time ﬁlter in in private private access. access.

Figure A3. Update member function of sampled-time ﬁlter in private access. 1 template 2 class UniqueCheck; 3 4 template <> 5 class UniqueCheck<> { 6 public: 7 UniqueCheck() {}; 8 bool const isUnique() const{ 9 return true; 10 } 11 const void* searchImpl(const void* p) const{ 12 return nullptr; 13 }; 14 }; 15 16 template 17 class UniqueCheck 18 : public UniqueCheck { 19 public: 20 UniqueCheck(THead const& t, 21 const TTails&... args) 22 : UniqueCheck(args...), 23 pointer_(&t) { 24 assert (true == isUnique()); 25 } 26 bool const isUnique() const{ 27 return (pointer_ == UniqueCheck::searchImpl(pointer_)) 28 ? false : UniqueCheck::isUnique(); 29 } 30 const void* searchImpl(const void* p) const{ 31 return (p == pointer_) 32 ? pointer_ 33 : UniqueCheck 34 ::searchImpl(p); 35 } 36 public: 37 const void* pointer_; 38 }; 39 40 // Unique check in constructor 41 template 42 class CEID { 43 public: 44 explicit CEID(THead &cyclicObject, 45 TTails&... args) 46 : cyclicObject_(cyclicObject) { 47 UniqueCheck uniqueCheck(cyclicObject, args...); 48 }; 49 private: 50 THead& cyclicObject_; 51 }

Runtime uniqueness inspection at constructor. Figure A4.FigureRun-time A4. uniqueness inspection at constructor. Big Data Cogn. Comput. 2019, 3, 52 16 of 18 Version October 16, 2019 submitted to Big Data Cogn. Comput. 17 of 18

1 template 2 classCEID; 3 4 template <> 5 class CEID<> {}; // 4 6 7 template 8 class CEID //F 9 : public CEID { 10 public: 11 explicit CEID(THead &filter, TTails... args) 12 : CEID(args...), cyclicObject_(cyclicObject) { 13 }; 14 ~CEID(){ cyclicObject_.update(); }; 15 16 private: 17 THead& cyclicObject_; 18 };

Figure A5.FigureVariadic A5. Variadic template template invoking invoking updateupdate-law law functions. functions.

References440 3. Kang, K.D.; Chen, L.; Yi, H.; Wang, B.; Sha, M. Real-Time Information Derivation from Big Sensor Data via 441 Edge Computing. Big Data and Cognitive Computing 2017, 1, 5. doi:10.3390/bdcc1010005. 1. Leveson,442 4. N.G.AWS Chapter IoT SDKs. Computers https://docs.aws.amazon.com/iot/latest/developerguide/iot-sdks.html and Risk. In Safeware: System Safety and Computers. Accessed; Addison-Wesley 1 443 September, 2019. Professional: Boston, MA, USA, 1995. 444 5. Understand and use Azure IoT Hub SDKs. https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-

2. Yazici,445 M.; Basurra,devguide-sdks S.; Gaber,. Accessed M. Edge 1 September, Machine 2019. Learning: Enabling Smart Internet of Things Applications. Big446 Data6. Cogn.Brooks, Comput. R.A. A2018 robust, 2, layered 26. [CrossRef control system] for a mobile robot. IEEE Journal of Robotics and Automation 3. Kang,447 K.D.; Chen,1986, 2, L.; 14–23. Yi, H.; Wang, B.; Sha, M. Real-Time Information Derivation from Big Sensor Data via 448 7. FORM S-1 IROBOT CORPORATION; 2005; chapter BUSINESS, p. 43. Edge Computing. Big Data Cogn. Comput. 2017, 1, 5. [CrossRef] 449 8. Leveson, N.G., Safeware: System Safety and Computers; Addison-Wesley Professional, 1995; chapter

4. AWS450 IoT SDKs.Medical Available Devices: online: The Therac-25. https://docs.aws.amazon.com/iot/latest/developerguide/iot-sdks.html

(accessed451 9. onMeyer, 1 September B. Object-Oriented 2019). Software Construction, 2nd ed.; Prentice Hall, 1997. 5. Understand452 10. andJacobson, Use I.;Azure Ng, P.W. IoTAspect-Oriented Hub SDKs. SoftwareAvailable Development online: withhttps://docs.microsoft.com/en-us/azure/iot- Use Cases; Addison-Wesley Professional, 453 2005. hub/iot-hub-devguide-sdks (accessed on 1 September 2019). 454 11. Ghosh, D. DSLs in Action; Manning Publications, 2010.

6. Brooks,455 12. R.A. The A C++ robust Standards layered Committee. control ISO/IEC system 14882:2011, for a mobile 2011. robot. IEEE J. Robot. Autom. 1986, 2, 14–23.

[CrossRef456 13. ] Overture project. Overture Tool Formal Modelling in VDM. http://overturetool.org. Accessed 4 Jan, 2019. 7. FORM457 S-114. iROBOTVerifying CORPORATION Multi-threaded Software; Chapter with Spin. BUSINESS; http://spinroot.com/spin/whatispin.html 2005; p. 53. Available online:. https://www.sec.gov/ Accessed 4 Jan, 458 2019. Archives/edgar/data/1159167/000095013505005611/b55709a2sv1za.htm#110 (accessed on 1 November 2019). 459 15. Information Technology - Z Formal Speciﬁcation Notation - Syntax, Type System and Semantics ISO/IEC

8. Leveson,460 N.G.13568:2002, Chapter 2002. Medical Devices: The Therac-25 Story. In Safeware: System Safety and Computers;

Addison-Wesley461 16. Calegari, Professional: R.; Ciatto, G.; Boston, Mariani, S.;MA, Denti, USA, E.; Omicini, 1995. A. LPaaS as Micro-Intelligence: Enhancing IoT with 9. Meyer,462 B. Object-OrientedSymbolic Reasoning. SoftwareBig Data Construction and Cognitive, 2nd Computing ed.; Prentice2018, 2, 23. Hall: doi:10.3390/bdcc2030023 Englewood Cliffs,. NJ, USA, 1997. 463 17. Leite, A.; Pinto, A.; Matos, A. A Safety Monitoring Model for a Faulty Mobile Robot. Robotics 2018, 7, 32. 10. Jacobson, I.; Ng, P.W. Aspect-Oriented Software Development with Use Cases; Addison-Wesley Professional: 464 doi:10.3390/robotics7030032.

Boston,465 18. MA, Fröhlich, USA, 2005. A.A. Application Oriented Operating Systems; 2001. 11. Ghosh,466 19. D. DSLsBrugali, in Action D.; Salvaneschi,; Manning P. Stable Publications: Aspects in Robot Greenwich, Software Development. CT, USA, 2010.International Journal of Advanced 12. The467 C++ StandardsRobotic SystemsCommittee2006;. ISO/IEC 14882:2011; ISO/IEC: Geneva, Switzerland, 2011. 468 20. Maoz, S.; Ringert, J.O.; Rumpe, B. Synthesis of component and connector models from crosscutting 13. Overture Project. Overture Tool Formal Modelling in VDM. Available online: http://overturetool.org 469 structural views. ESEC/FSE 2013 Proceedings of the 2013 9th Joint Meeting on Foundations of Software

(accessed470 onEngineering, 4 January 2019). 2013.

14. Verifying471 21. Multi-ThreadedWehrmeister, M.A.; Software Freitasb, withE.P.; Binottoc, Spin. AvailableA.P.D.; Pereirad, online: C.E. Combininghttp://spinroot.com/spin/whatispin.html aspects and object-orientation (accessed472 onin 4 Januarymodel-driven 2019). engineering for distributed industrial mechatronics systems. Mechatronics, pp. 844–865. 473 22. OpenRTM-aist ofﬁcial website. http://www.openrtm.org/. Accessed 4 Jan, 2019. 15. Information Technology—Z Formal Speciﬁcation Notation—Syntax, Type System and Semantics ISO/IEC 13568:2002; ISO/IEC: Geneva, Switzerland, 2002. 16. Calegari, R.; Ciatto, G.; Mariani, S.; Denti, E.; Omicini, A. LPaaS as Micro-Intelligence: Enhancing IoT with Symbolic Reasoning. Big Data Cogn. Comput. 2018, 2, 23. [CrossRef] 17. Leite, A.; Pinto, A.; Matos, A. A Safety Monitoring Model for a Faulty Mobile Robot. Robotics 2018, 7, 32. [CrossRef] 18. Fröhlich, A.A. Application Oriented Operating Systems; GMD-Forschungszentrum Informationstechnik: Sankt Augustin, Germany, 2001. Big Data Cogn. Comput. 2019, 3, 52 17 of 18

19. Brugali, D.; Salvaneschi, P. Stable Aspects in Robot Software Development. Int. J. Adv. Robot. Syst. 2006. [CrossRef] 20. Maoz, S.; Ringert, J.O.; Rumpe, B. Synthesis of component and connector models from crosscutting structural views. In Proceedings of the ESEC/FSE 2013 9th Joint Meeting on Foundations of Software Engineering, Saint Petersburg, Russia, 18–26 August 2013. 21. Wehrmeister, M.A.; Freitasb, E.P.; Binottoc, A.P.D.; Pereirad, C.E. Combining aspects and object-orientation in model-driven engineering for distributed industrial mechatronics systems. Mechatronics 2014, 24, 844–865. [CrossRef] 22. OpenRTM-Aist Official Website. Available online: http://www.openrtm.org/ (accessed on 4 January 2019). 23. ROS Wiki. Available online: http://www.ros.org/wiki/ (accessed on 4 January 2019). 24. Correal, R.; Pajares, G.; Ruz, J. A Matlab-Based Testbed for Integration, Evaluation and Comparison of Heterogeneous Stereo Vision Matching Algorithms. Robotics 2016, 5, 24. [CrossRef] 25. Yan, Z.; Fabresse, L.; Laval, J.; Bouraqadi, N. Building a ROS-Based Testbed for Realistic Multi-Robot Simulation: Taking the Exploration as an Example. Robotics 2017, 6, 21. [CrossRef] 26. Jensen, K.; Larsen, M.; Nielsen, S.; Larsen, L.; Olsen, K.; Jørgensen, R. Towards an Open Software Platform for Field Robots in Precision Agriculture. Robotics 2014, 3, 207–234. [CrossRef] 27. Gonzalez, F.; Zalewski, J. Teaching Joint-Level Robot Programming with a New Robotics Software Tool. Robotics 2017, 6, 41. [CrossRef] 28. Johnson, S.C. Yacc: Yet Another Compiler-Compiler. Available online: http://dinosaur.compilertools.net/ yacc/index.html (accessed on 18 June 2019). 29. Spinczyk, O.; Gal, A.; Schröder-Preikschat, W. AspectC++: An aspect-oriented extension to the C++ programming language. In CRPIT ’02 Proceedings of the Fortieth International Conference on Tools Pacific: Objects for Internet, Mobile and Embedded Applications; Australian Computer Society, Inc.: Darlinghurst, Australia, 2002; pp. 53–60. 30. Willink, E.D.; Muchnick, V.B. Preprocessing C++: Meta-class aspects. In Proceedings of the Eastern European Conference on Technology of Object Oriented Languages and Systems, Prague, Czech Republic, 7 July 1999. 31. Yao, Z.; Zheng, Q.L.; Chen, G.L. AOP++: A Generic Aspect-Oriented Programming Framework in C++. In Proceedings of the 4th International Conference, GPCE 2005, Tallinn, Estonia, 29 September–1 October 2005; pp. 94–108. 32. Gamma, E.; Helm, R.; Johnson, R.; Vlissides, J. Design Patterns: Elements of Reusable Object-Oriented Software; Addison-Wesley Professional: Boston, MA, USA, 1995. 33. Fowler, M. Inversion of Control Containers and the Dependency Injection Pattern; Technical Report; ThoughtWorks: Chicago, IL, USA, 2004. 34. Tambe, S.; Many Other C++ aficionados. More C++ Idioms. Available online: https://en.wikibooks.org/ wiki/More_C%2B%2B_Idioms (accessed on 4 January 2019). 35. Sutter, H. Exceptional C++; Addison-Wesley Professional: Boston, MA, USA, 1999. 36. Raspberry Pi. Available online: https://www.raspberrypi.org/ (accessed on 22 June 2019). 37. Arduino. Available online: https://www.arduino.cc/ (accessed on 17 June 2019). 38. CCCC-C and C++ Code Counter. Available online: http://cccc.sourceforge.net/ (accessed on 22 June 2019). 39. Adachi, N. Model based development utilizing DI container for wide variety products and effective tests. In Proceedings of the JUSE Software Quality Symposium 2014, Tokyo, Japan, 14 September 2014. Available online: https://www.juse.jp/sqip/symposium/archive/2014/day1/files/happyou_D2.pdf (accessed on 31 October 2019). (In Japaneses) 40. Maria, A. RT PREEMPT HOWTO. Available online: https://wiki.linuxfoundation.org/realtime/documentation/ howto/applications/application_base (accessed on 4 January 2019). 41. OpenCV. Available online: https://opencv.org/ (accessed on 17 June 2019). 42. TensorFlow. Available online: https://www.tensorflow.org/ (accessed on 17 June 2019). 43. Autoware.AI. Available online: https://www.autoware.ai/ (accessed on 17 June 2019). 44. He, K.; Lahijanian, M.; Kavraki, L.E.; Vardi, M.Y. Towards manipulation planning with temporal logic specifications. In Proceedings of the 2015 IEEE international conference on robotics and Automation (ICRA), Seattle, WA, USA, 26–30 May 2015; pp. 346–352. Big Data Cogn. Comput. 2019, 3, 52 18 of 18

45. Sankel, D. N4766 Draft, C++ Extensions for Reﬂection. Available online: http://www.open-std.org/jtc1/ sc22/wg21/docs/papers/2018/n4766.pdf (accessed on 15 October 2019). 46. The C++ Standards Committee. Wording Paper, C++ Extensions for Concepts. Available online: http://www. open-std.org/jtc1/sc22/wg21/docs/papers/2017/p0734r0.pdf (accessed on 22 June 2019).

c 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).