Post on 21-Mar-2020

Monitoring Techniques in COTS Multicore Processors in Mixed-Criticality Systems with Focus on Temporal Aspects

Michael Paulitsch (Thales) and Jan Nowotsch (Airbus Group)
Torrent Workshop, Toulouse, December 12, 2014

Ack.: German BMBF ARAMiS and ARTEMIS EMC2 projects; partly joint work with SYSGO, Airbus D&S and AbsInt

Trends in Avionics

Trend towards new and additional IT-services and denser functional integration:

Demand for new and additional IT-services on the aircraft itself and between the aircraft and the ground

• Integrate formerly physically separated functions onto one platform
• New failure modes and failures
• New threats and vulnerabilities

16.12.2014 Page 2

M. Paulitsch et al. – Monitoring Techniques in COTS Multi-Core Computers

Mixed-Criticality System
What is it?

Multiple safety criticalities (residing) on same platform
• Key requirement for platform: Simply defined, platform needs to fulfill safety requirements at minimum of highest safety requirement of application
• Chosen independence to minimize interaction between otherwise independent “chapters” (system level safety analysis extremely complicated).

What it is NOT
• A system where system approach sacrifices lower criticality applications for whatever purpose (directional partitioning property)

“Real-life” aspects:
• Deployed for many years (B777, B787, A380, A350, E170/175, E190/195, …) under the name Integrated Modular Avionic (IMA) systems
• Wish to deploy modern computing platforms like multicore

Orion Spacecraft

Mitch Fletcher
From Orion to Alstair …

Chip Evolution

Host processor

Increasing integration density and complexity

Assurance in Aerospace – A Long Tradition of Safety
Civil Certification Standards (Large Airplane)

Part 21: Certification of Aircraft & Related Products, Parts & Appliances
CS 25: Certification Specifications for Large Aeroplanes
CS 25.1309: Equipment, Systems & Installations
AMC 25.1309: System Design & Analysis

• ARP4754 / ED-79: System Development Process
• DO-160D / ED 14D: Environmental Conditions And Test Procedures
• DO-297 / ED-124: Integrated Modular Avionics (IMA)
• DO-254 / ED-80: Electronic Hardware Development Process
• DO-178C / ED-12C: Software Development Process
• ARP 4761: Safety Assessment

Airworthiness Standards

Set of requirements to ensure passengers' safety

Acceptable Means Of Compliance

The equipment is not available yet…

Structured approach to ensure that the equipment WILL meet the (safety) objectives

The equipment is available.
Tests are applied on the equipment itself.

Assurance in Aerospace – System Development

Example ARP4754: System Development Process with strong safety focus

[Source: ED202, © ARINC]

Partitioning

Is a concept for spatial and temporal separation/segregation of functionally independent components:
• Prevents interference between two components
• Incremental development

• Partition/process: independent segregated environment

• Separation kernel / Memory Management Unit: control instance

View of Aerospace Multi-Core Certification Body Related to Timing

• (Functional) interference channels of multicore processors
  • Concerns: there may be software or hardware channels through which the MCP cores or the software hosted on those cores could interfere with each other
• Shared resources like Memory / Cache
  • Concerns: Memory or cache memory that are shared between the processing cores
  • … can lead to problems such as the worst-case execution times (WCETs) of the software applications hosted on cores increasing greatly due to repeated cache accesses by the processes hosted on the other core, leading to repeated cache misses.
• Planning and Verification of Resource Usage
  • Concern: Interconnect Fabrics / Interconnect Modules as source of non-deterministic behavior, fear of resource capacity violation, …

Publicly available e.g. as FAA CAST paper 32

Multicore: General Possible Undesired Effects (Temporal)

Other possible undesired effects affecting temporal determinism

Details in paper: O. Kotaba, J. Nowotsch, M. Paulitsch, S. Petters, H. Theiling. Multicore In Real-Time Systems - Temporal Isolation Challenges Due To Shared Resources. WICERT workshop as part of DATE 2013.

Other overview paper: D. Dasari, B. Akesson, V. Nelis, M.A. Awan, S.M. Petters. Identifying the Sources of Unpredictability in COTS-based Multicore Systems. SIES conf. 2013.

Assessment of Multi-Core Worst-Case Execution Behavior
Overview

Motivation:
• Integration leads to common use of shared resources. Partitioning impact needs to be evaluated for safety-critical applications, such as IMA

Goal:
• Analysis of partitioning features of modern multicore computer in context of use in IMA
• Impact of integration on worst-case timing (WCET) of application

Approach
• memory-intensive tests

Focus of work:
• Network on Chip (not much data available); some memory access performance tests

Details of work published at EDCC2012 (J. Nowotsch, M. Paulitsch)
(work with Airbus Defence and Space in RECOMP)

Freescale P4080

Assessment of Multi-Core WCET Memory (DDR) Accesses (8 Cores)

Worst-case access time increases over-proportionally with more cores.

1/30 about 4 times slower overall (8*1/32)

Assessment of Multi-Core WCET Results: Access DDR vs. SRAM on Freescale P4080

• Worst case access time increases over-proportionally with more cores

DDR – Results: in this setup saturation at 4 cores (1 cluster)

SRAM - Results: no influence of certain accesses

[Figures: DDR and SRAM access-time plots; x-axis: increasing number of cores active; cores grouped by cluster]

WCET for Multi-Core Computers
Problem Statement

Goal: deploy multi-core processors for safety-critical real-time applications (avionics, automotive, ...)
Problem: concurrent use of shared resources (e.g. interconnect, main memory)
→ unknown access latency for a concrete resource access
→ complicating timing analysis

Approach:
- Extend state-of-the-art timing analysis to
  - Analyse the use of shared resources → compute upper bound
  - Compute interference delay based on timing and resource information
- Runtime monitoring to enforce resource usage bounds
- Increase average performance (response times, ...) using dynamic re-computation of resource usage bounds at runtime without violating static guarantees

Benefit:
- Robust execution framework for multicore processors
- Tooling extension for multicore processors

WCET for Multi-Core Computers Combined with Monitoring

Basic idea to benchmark/analyze hardware and include access interference and monitor memory accesses (RTNS 2013 paper, ECRTS 2014 paper)

- Extension of timing analysis
  - Applied to AbsInt’s aiT – commercial static WCET framework (extension memory accesses)
- Runtime Monitoring
  - Applied to bare-metal OS layer
  - Applied to SYSGO’s PikeOS

Average-Case Extension
- Applied to bare-metal OS layer

Evaluation
- Based on Freescale’s P4080, other processors evaluated
- Benchmarks deduced from EEMBC Autobench benchmark suite

WCET reduction:
- Utilisation increase: core 98.9%, system 55%
- Additional accesses: 2 to 70 times the accesses that were statically assigned
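The two halves of the approach on the "Problem Statement" and "Combined with Monitoring" slides, sketched as an added C example (not code from the talk or the cited papers): a static interference bound that only holds if every core stays within its access budget, and the runtime check that enforces that budget. The round-robin arbitration model, all names, and the budget and latency values are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NCORES 4

/* Hypothetical per-core monitor state (names are illustrative). */
typedef struct {
    uint32_t budget;   /* shared-memory accesses assigned per time window */
    uint32_t used;     /* accesses counted so far in this window */
    bool suspended;    /* core stalled until the next window */
} core_monitor;

/* Static side. Assumed model: round-robin arbitration, so each access of core
 * `self` waits for at most one access of every other core, and core j never
 * contributes more than its enforced budget. Result in cycles. */
uint64_t interference_bound(const core_monitor m[], int self,
                            uint32_t own_accesses, uint32_t access_cycles)
{
    uint64_t blocking = 0;
    for (int j = 0; j < NCORES; j++)
        if (j != self)
            blocking += own_accesses < m[j].budget ? own_accesses : m[j].budget;
    return blocking * access_cycles;
}

/* Runtime side: called per counted access (assumed to be driven by a hardware
 * access counter). Returns false once the budget is spent; the core then
 * stays suspended, which is what keeps the static bound valid. */
bool monitor_on_access(core_monitor *c)
{
    if (c->suspended || c->used >= c->budget) {
        c->suspended = true;
        return false;
    }
    c->used++;
    return true;
}

/* Window boundary: replenish the budget and resume the core. */
void monitor_new_window(core_monitor *c) { c->used = 0; c->suspended = false; }

int main(void)
{
    /* Constructed budgets and latency, not measurements from the slides. */
    core_monitor m[NCORES] = {{100, 0, false}, {50, 0, false}, {200, 0, false}, {10, 0, false}};
    printf("core 0 interference bound: %llu cycles\n",
           (unsigned long long)interference_bound(m, 0, 100, 40));
    return 0;
}
```

Adding the returned interference delay to a core-local WCET gives the bound for that window; without the suspend in `monitor_on_access`, a core exceeding its budget would invalidate the bound for every other core.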

Implications on Research Needs

WCET:
• Optimizations for COTS devices (bank, cache, …)
• Need to be careful about experimental conclusions: current multicore platforms are very complex and measured behavior is not easily explainable
• New WCET approaches for multicore (measurements, analytical, hybrid)
• Approaches to new monitoring considering different criticalities and different design integrity guarantees
• Consider I/O (as it is less feasible to control interference in COTS devices)

System Level (Scheduling):
• New approaches to scheduling (in real mixed-criticality systems)
• Consider interference, COTS architecture (banks, cache hierarchies, …)
• Consider “dynamic” behavior as “add-on”; improvements while guaranteed

Security: attacks on timing (destroying partitioning / virtualization)

Detailed Problem Definition

Problem
• Interference between cores
• WCET (Worst Case Execution Time) for Multicore Processors
• COTS components

Goal
1. Temporal partitioning of multicore systems
• Platform and OS independent
• Transparent for applications
2. WCET
• Incremental development and certification
• Mixed-criticality systems
3. Efficient Use of Resources
• No idle times
• Compensation for over-estimated execution times

Overview of Work on Monitoring Temporal Behavior of Multicore Systems Deployed

• Temporal Partitioning

• WCET Analysis

• QoS Extension

[Slides 19–56: figures only; slide titles retained]

Concept
Implementation
State of the Art (Single Core)
Multi-Core isWCET
Evaluation
Background
Approach
Evaluation
Summary

Thank you!

Michael Paulitsch
Michael.Paulitsch@airbus.com

[Slides 58–77: figures only; slide titles retained]

Latencies
Benchmark Characterization
Run-Time Monitoring Effect – example bitmnp
Overheads
Influence of Architecture Model – Cache Levels
Core-Local Overestimation
isWCET – static (ILFB/DLFB)
isWCET – observed (ILFB/DLFB)
isWCET – observed (L1/L2 caches)
QoS: Single- / Multi-Core
QoS: lowp, static
QoS: lowp, meas L1
QoS: real static
QoS: real, meas L1
QoS: real, meas L2
isWCET