Download - The Fixed Logical Execution Time (FLET) Assumption Tom Henzinger University of California, Berkeley
The History of Computer Science: Lifting the Level of Abstraction
The “assembly age”: Programming to the platform
High-level languages: Programming to the application Compilation:
perhaps “the” success story of computer scienceIt is feasible to
abstract the platform.
The History of Computer Science: Lifting the Level of Abstraction
The “assembly age”: Programming to the platform
High-level languages: Programming to the application
Automatic program synthesis: No more programming
Compilation: perhaps “the” success story of computer science
Code generation from specifications: still mostly a dream
It is feasible to abstract the platform.
It is not feasible to abstract algorithms and data structures.
Current Practice in Embedded Software Design
Some manual programming to the platform
Some automatic code generation from models
-often inefficient -often unpredictable -e.g. Real-Time Workshop
-difficult to reuse -difficult to verify -requires systems experts
Current Practice in Embedded Software Design
Efficient code (scheduled by RTOS)
Mathematical models (e.g. Simulink)
Code verification difficult
Code generation difficult
Advocated Practice in Embedded Software Design
Efficient code (possibly schedule-carrying)
Mathematical models (e.g. Simulink)
The missing link: platform-independent programming model
Efficient code (possibly schedule-carrying)
Mathematical models (e.g. Simulink)
The missing link: platform-independent programming model
Verification
Compilation
Advocated Practice in Embedded Software Design
Efficient code (possibly schedule-carrying)
Mathematical models (e.g. Simulink)
The missing link: platform-independent programming model
Verification
Compilation
-verifiable -reusable -efficiently implementable
Advocated Practice in Embedded Software Design
Efficient code (possibly schedule-carrying)
Mathematical models (e.g. Simulink)
The missing link: platform-independent programming model
Verification
Compilation
-verifiable -reusable -efficiently implementableReusable = composable + portable
Advocated Practice in Embedded Software Design
Platform P
Requirement A
Program A
Advocated Practice in Embedded Software Design
Requirement B
Program B +
+
Compositionality
Platform P
Requirement A
Program A
Advocated Practice in Embedded Software Design
Requirement B'
Program B' +
+
Compositionality
Requirement A
Platform P
Advocated Practice in Embedded Software Design
Platform Q
PortabilityProgram A
Efficient code (possibly schedule-carrying)
Mathematical models (e.g. Simulink)
The missing link: platform-independent programming model
Verification
Compilation
-concurrency -environment time
-distribution -platform (CPU) time
Advocated Practice in Embedded Software Design
Efficient code (possibly schedule-carrying)
Mathematical models (e.g. Simulink)
The missing link: platform-independent programming model
Verification
Compilation
-concurrency -environment time
-distribution -platform (CPU) time
-concurrency -environment time
Advocated Practice in Embedded Software Design
Efficient code (possibly schedule-carrying)
Mathematical models (e.g. Simulink)
The missing link: platform-independent programming model
Verification
Compilation
-descriptive -mathematics / logic
-prescriptive -algorithms + data structures
-concurrency -environment time
Advocated Practice in Embedded Software Design
Efficient code (possibly schedule-carrying)
Mathematical models (e.g. Simulink)
The missing link: platform-independent programming model
Verification
Compilation
-descriptive -mathematics
-prescriptive -algorithms + data structures
-concurrency -environment time -prescriptive -virtual machine
Advocated Practice in Embedded Software Design
Efficient code (possibly schedule-carrying)
Mathematical models (e.g. Simulink)
The missing link: platform-independent programming model
Verification
Compilation
Advocated Practice in Embedded Software Design
e.g. What is the control equation? What is the sampling rate?
e.g. Which procedure computes the control equation? Which event triggers the computation? e.g. Which CPU executes the control procedure? What priority has the execution?
Efficient code (scheduled by RTOS)
Mathematical models (e.g. Simulink)
The missing link: platform-independent programming model
First Attempt
Priorities
Efficient code (scheduled by RTOS)
Mathematical models (e.g. Simulink)
Programming model: Priorities
First Attempt
Not sufficiently abstract
-not about environment time -not compositional
Efficient code (scheduled by RTOS)
Mathematical models (e.g. Simulink)
Programming model: Priorities
First Attempt
Not sufficiently abstract
-not about environment time -not compositional
Scheduling theory
Correctness?
Efficiency!
Efficient code (scheduled by RTOS)
Mathematical models (e.g. Simulink)
The missing link: platform-independent programming model
Second Attempt
Synchrony assumption: platform time infinitely faster than environment time
Efficient code (scheduled by RTOS)
Mathematical models (e.g. Simulink)
Synchronous programming languages (Esterel, Lustre, Signal, etc.)
Second Attempt
Too abstract
difficult to compile to resource-constrained, distributed platforms
Efficient code (scheduled by RTOS)
Mathematical models (e.g. Simulink)
Synchronous programming languages (Esterel, Lustre, Signal, etc.)
Second Attempt
Too abstract
difficult to compile to resource-constrained, distributed platforms
Correctness!
Efficiency?
Efficient code (possibly schedule-carrying)
Mathematical models (e.g. Simulink)
The missing link: platform-independent programming model
Our Attempt
FLET assumption:-verifiable -efficiently implementable -composable -portable
The FLET (Fixed Logical Execution Time) Assumption
Software Task
read sensor input at time t
write actuator output at time t+d, for fixed d
Software Task
read sensor input at time t
write actuator output at time t+d, for fixed d
d>0 is the task's "logical execution time"
The FLET (Fixed Logical Execution Time) Assumption
The programmer specifies d (could be any event) to solve the problem at hand.
The compiler ensures that d is met on a given platform (hardware resources and performance); otherwise it rejects the program.
The FLET Programming Model
time t time t+d
possible physical execution on CPU buffer output
The FLET (Fixed Logical Execution Time) Assumption
-timing predictability: minimal jitter -function predictability: no race conditions
Verifiability through Predictability (Internal Determinism)
Test Case: Flight Control Software
UC Berkeley (Horowitz, Liebman, Ma, Koo, Sangiovanni-Vincentelli, Sastry). Two connected CPUs.
1. Concurrent periodic tasks:
-sensing -control law computation -actuating
2. Multiple modes of operation:
-navigational modes (autopilot, manual, etc.) -maneuver modes (taxi, takeoff, cruise, etc.) -degraded modes (sensor, actuator, CPU failures)
Platform-independent Software Model
Mode 1
Mode 4
Mode 3
Mode 2
Task S 400 Hz
Task C 200 Hz
Task A 1 kHz
Task S 400 Hz
Task C 200 Hz
Task A’ 1 kHz
Task C’ 100 Hz
Task A 1 kHz
Task S 400 Hz
Task C 200 Hz
Task A 2 kHz
Task A” 1 kHz
Condition 1.2
Condition 2.1
Platform-independent Software Model
Host code e.g. C
Glue code e.g. Giotto
Functionality. -Environment time, not platform
time. -Concurrency, not distribution.
Platform-independent Software Model
Timing and interaction.
This kind of software is understood: Host code may (sometimes) be generated automatically.
The software complexity lies in the glue code (minimize jitter!): Giotto enables requirements-driven rather than platform-driven glue-code programming.
-No time. -Sequential.
The Giotto Programmer’s Model
Programming in terms of environment time:
Programmer’s fiction: -time-triggered task invocation
-tasks are functions with a fixed duration -platform offers sufficient performance
Implementation in terms of platform time:
Compiler must maintain programmer’s fiction: -needs access to global time, no other platform requirements -tasks may finish early, but outputs cannot be observed early -tasks may be preempted and distributed
1. Units of scheduled host code (application-level tasks). e.g. control law computation
2. Units of synchronous host code (system-level drivers). e.g. device drivers
TaskInput ports Output ports
Task Task driver loads task input ports.
Functional Components
Task
Driver
Input ports loaded.
Driver execution in environment time 0.
Task execution in environment time d.
Output ports read.
Sensor/output ports read.
Sensor Actuator
Actuator/input ports loaded.
Time t Time t Time t+d
Time t+d
d
Task duration
Environment Timeline (defined by Giotto semantics)
Task
Driver
Input ports loaded.
Output ports read.
Sensor
Time t Time t Time t+d
Time t+d
d
Task on CPU.
Actuator
Platform Timeline (chosen by Giotto compiler)
The Giotto compiler chooses for a given platform a platform timeline that is value equivalent to the environment timeline defined by the Giotto semantics.
Internal Determinism:
For a given sequence of sensor readings, the corresponding sequence of actuator settings is uniquely determined (i.e., there are no race conditions).
Platform Independence ensures Predictability
Navigation
Control
Simplified Helicopter Software
Sensors
Actuators
i
s
a10
5
Simulink / legacy design
…
mode Flight ( ) period 10ms
{
actfreq 1 do Actuator ( actuating ) ;
taskfreq 1 do Control ( input ) ;
taskfreq 2 do Navigation ( sensing ) ;
}
…
Helicopter Software: Giotto Syntax
Navigation
Control
i
s
a10
5
a ia
t+10ms
s
Task
Navigation Navigation
Control
t+10mst t t+5ms t+5ms
i
s s
Helicopter Software: Environment Timeline
Block of synchronous code (nonpreemptable)
Scheduled tasks (preemptable)
t+10mst+10mst t t+5mst+5ms t+7ms
HeliCtr
HeliNav
TDMA Slot
HeliNet
Two-CPU Helicopter: Platform Timeline (Time-triggered Communication)
t+10mst t t+5ms t+5ms
HeliCtr
HeliNav
Message
HeliNet
Two-CPU Helicopter: Platform Timeline (Event-triggered Communication)
t+10ms
The Giotto Compiler
Giotto Program
Native Code Tasks and Drivers
Giotto-P Platform Specification
-topology (CPUs, networks) -performance (WCETs, latencies) -APIs (RTOSs, protocols)
Executables
Giotto Compiler
Functionality
Timing Interaction
Platform
“Failure”
either Giotto-P overconstrained, or compiler not smart enough (distributed scheduling problem)
or
Closing the Gap: Annotated Giotto
Giotto Program
Native Code Tasks and Drivers
Giotto-P-topology (CPUs, networks)
-performance (WCETs, latencies) -APIs (RTOSs, protocols)
Executables
Giotto Compiler
Functionality
Timing Interaction
Platform
“Failure”
either Giotto-PM overconstrained, or compiler not smart enough (global scheduling problem)
or
Giotto-PM -assign tasks to CPUs -assign connections to networks
Map
Closing the Gap: Annotated Giotto
Giotto Program
Native Code Tasks and Drivers
Giotto-P
Executables
Giotto Compiler
Functionality
Timing Interaction
Platform
“Failure”
Giotto-PMC overconstrained (local scheduling problems solvable)
or
Giotto-PMMap
Giotto-PMCCommunication
-assign connections to TDMA slots (say)
-topology (CPUs, networks) -performance
(WCETs, latencies) -APIs (RTOSs, protocols)-assign tasks to CPUs -assign connections to networks
Code Generation
Giotto Program
Native Code Tasks and Drivers
Giotto-P
Giotto Compiler
Functionality
Timing Interaction
Platform
Giotto-PMMap
Giotto-PMCCommunication
-assign connections to TDMA slots (say)
-topology (CPUs, networks) -performance
(WCETs, latencies) -APIs (RTOSs, protocols)-assign tasks to CPUs -assign connections to networks
or “Failure”
VxWorks
OSEK …
Code Generation: The Embedded Machine
Giotto Program
Native Code Tasks and Drivers
Giotto-P
Embedded Machine code
Giotto Compiler
Functionality
Timing Interaction
Platform
or
Giotto-PMMap
Giotto-PMCCommunication
-assign connections to TDMA slots (say)
-topology (CPUs, networks) -performance
(WCETs, latencies) -APIs (RTOSs, protocols)-assign tasks to CPUs -assign connections to networks
“Failure”
Embedded Machine interpreter
The Embedded Machine
-a virtual machine that mediates the interaction of physical processes (sensors and actuators) and software processes (tasks and drivers) in real time
-the Giotto compiler can be retargeted to a new platform by porting the Embedded Machine
Environment
Software
Software Processes: platform time
Environment Processes: environment time
The Embedded Machine
Environment
Software
Schedulability: time safety checking for platform time
Reactivity: programming in environment time
The Embedded Machine: Time is like Memory
Embedded Machine
Environment Ports
Task Ports
Driver PortsEmbedded Machine
task triggers
environment triggers
sense actuate
read write
call drivers
The Embedded Machine
schedule tasks
e.g. clock
e.g. task completion
Enable trigger:future(g,B:) B:
Schedule task:schedule(T)
T
Call driver:call(d)
d
g
The Embedded Machine: Three Instructions
Execute driver d now.Hand task t over to the system scheduler (RTOS).
Have code B executed as soon as trigger g becomes true.
a ia
t+10ms
s
Task
Navigation Navigation
Control
t+10mst t t+5mst+5ms
i
s s
B1: call(actuate)call(sense)call(input)schedule(Control)schedule(Navigation)future(now+5, B2:)relax
Giotto Code Generation
a ia
t+10ms
s
Task
Navigation Navigation
Control
t+10mst t t+5ms t+5ms
i
s s
B2: call(sense)schedule(Navigation)future(now+5, B1:)relax
Giotto Code Generation
Embedded Machine Code combines
Synchronous code:
-Embedded Machine instructions and drivers -kernel context (trigger-related interrupts disabled)
Scheduled code:
-tasks -user context (trigger-related interrupts enabled)
Real-Time Programs
Task-triggered code:
-triggers on environment and task ports -observable behavior depends on environment and scheduler
Environment-triggered code:
-triggers only on environment ports -observable behavior depends on environment onlyAll Giotto programs result in environment-
triggered code.
Real-Time Programs
Time-safe code:
No driver accesses a scheduled task before completion.
Time-live code:
There is no infinite synchronous computation.All Giotto programs result in time-live code. Time safety is checked by the Giotto compiler.
Alternatively, time safety violations can be can be handled through run-time exceptions.
Real-Time Programs
Time Safety:
Violations due to combination of -insufficient synchrony
(environment events too frequent) -insufficient platform utilization (scheduler too weak) -insufficient platform performance (hardware too slow) Our approach systematically integrates synchronous programming and scheduling theory.
Distributed Giotto Compiler
Giotto Compiler with Time Safety
Checker
Giotto Program
E Code
Giotto-P Platform
Spec
Proof of Time Safety = Schedule
Schedule-Carrying Code
Giotto Compiler with Time Safety
Checker
Giotto Program
E Code
Giotto-P Platform
Spec
Proof of Time Safety (Schedule)
+
Schedule-Carrying Code
Giotto Compiler with Time Safety
Checker
Giotto Program
E Code
Giotto-P Platform
Spec
S Code (Executable Schedule)
+
a ia
t+10ms
s
Task
Navigation Navigation
Control
t+10mst t t+5mst+5ms
i
s s
B1: call(actuate)call(sense)call(input)schedule(Control)schedule(Navigation)future(now+5, B2:)relax
Giotto Code Generation
a ia
t+10ms
s
Task
Navigation Navigation
Control
t+10mst t t+5mst+5ms
i
s s
B1: call(actuate)call(sense)call(input)schedule(Control)schedule(Navigation)future(now+5, B2:)dispatch(Navigation, now+5)dispatch(Control, now+5)idle(now+5)
Giotto EDF Schedule Generation
Advantages of SCC (Schedule-Carrying Code)
Advantages of PCC:
-schedule generation is harder than schedule validation (nonpreemptive or distributed case: NP-hard vs. linear)
-once generated, schedule can be reused
-compiler does not need to be trusted
Advantages of SCC (Schedule-Carrying Code)
Advantages of PCC:
-schedule generation is harder than schedule validation (nonpreemptive or distributed case: NP-hard vs. linear)
-once generated, schedule can be reused
-compiler does not need to be trusted
Advantages of Executability:
-flexible scheduling scheme
-no system scheduler (RTOS) necessary
-overhead reduction of up to 80%
The Giotto Project
www.eecs.berkeley.edu/~tah/giotto
Software Tools:
Simulink to Giotto translator (Pree)Giotto to E code compiler (Kirsch) E Machine on Linux, VxWorks, OSEK (Kirsch)
S code time safety checker (Matic)Integrated E and S machine on StrongARM (Kirsch, Sanvido) Event-triggered xGiotto (Ghosal, Sanvido)
Applications:
Lego Mindstorms (Horowitz, Kirsch, Majumdar)Zurich helicopter (Kirsch, Sanvido)Berkeley helicopter (Horowitz, Liebman, Ma,
Sastry) BMW electronic throttle control (Kirsch, Pree)
GIOTTO: FLET for periodic tasks with time-triggered mode
switching
Mode 1 Mode 2
Task S Task C Condition 1.2
xGIOTTO: General (event-triggered) FLET programming
1. Schedule Instruction:
schedule Task by Event ;
2. Reaction Block:
react { when Event do Block ;
whenever Event do Block ; begin … end ; } until Event ;
logical deadline
xGIOTTO: General (event-triggered) FLET programming
If all events can happen at any time, then few programs would be time-safe.
However, nested reaction blocks can be used for event scoping (i.e., not all events are listened to all the time).
xGIOTTO: General (event-triggered) FLET programming
If all events can happen at any time, then few programs would be time-safe.
However, nested reaction blocks can be used for event scoping (i.e., not all events are listened to all the time).
xGiotto = Structured Real-Time Programming