The Missing Link in Embedded Software

redlemonbalmΚινητά – Ασύρματες Τεχνολογίες

10 Δεκ 2013 (πριν από 3 χρόνια και 8 μέρες)

90 εμφανίσεις

From Models to Code:
The Missing Link in Embedded Software

Tom Henzinger
University
of California, Berkeley



Joint work with Ben Horowitz and Christoph Kirsch

The History of Computer Science:
Lifting the Level of Abstraction

The “assembly age”:
Programming to the platform

High
-
level languages:
Programming to the application

Compilation:
perhaps “the” success
story of computer science

It is feasible to
abstract the platform.

The History of Computer Science:
Lifting the Level of Abstraction

The “assembly age”:
Programming to the platform

High
-
level languages:
Programming to the application

Automatic program synthesis:
No more programming

Compilation:
perhaps “the” success
story of computer science

Code generation
from specifications:

still mostly a dream

It is feasible to
abstract the platform.

It is not yet feasible to
abstract algorithms.

Current Practice in Control Software

Some manual
programming to the platform

Some automatic
code generation from models

-
often inefficient
-
often unpredictable


-
difficult to reuse
-
difficult to verify
-
requires systems experts

Current Practice in Control Software

Some manual
programming to the platform

Some automatic
code generation from models

The missing link:
platform
-
independent software

-
often inefficient
-
often unpredictable


-
difficult to reuse
-
difficult to verify
-
requires systems experts

Advocated Practice in Control Software

Executable code
for a specific platform

Mathematical model
e.g. Simulink, HyTech

Platform
-
independent software
e.g. Giotto

-
verifiable
-
reusable

-
efficiently implementable

Control engineer


Compiler


Current Control Software Development

Mathematical Model
e.g. Simulink, HyTech

Platform Constraints

Executable Code

-
hardware configuration
-
RTOS (scheduling algorithm)
-
network protocol

some automatic code generation,
some manual code optimization

-
CONCURRENCY
-
ENVIRONMENT TIME

-
DISTRIBUTION
-
PLATFORM TIME

Current Control Software Development

Mathematical Model

Platform Constraints

Executable Code

Problems:


-
close correspondence between model
and code is lost with code optimization

-
if either model or platform changes,
the entire process needs to be repeated

some automatic code generation,
some manual code optimization

Mathematical Model

Platform
-
independent
Software Model
e.g. Giotto

Platform Constraints

Executable Code

-
executable by virtual machine
-
composable

An intermediate layer that separates
platform
-
independent from platform
-
dependent software issues.

Advocated Control Software Development

Mathematical Model

Platform
-
independent
Software Model

Platform Constraints

Executable Code

e.g.
What is the control equation?
What is the sampling rate?


e.g.
Which procedure computes the

control equation?
Which event triggers the

computation?


e.g.
Which CPU executes the control

procedure?
What priority has the execution?


-
still CONCURRENCY
-
still ENVIRONMENT TIME

Advocated Control Software Development

Mathematical Model

Platform
-
independent
Software Model

Platform Constraints

Executable Code

Platform
-
independent programming
i.e. algorithms and data structures

Platform
-
dependent code generation

e.g. priorities

SEPARATION OF
CONCERNS !!!

Advocated Control Software Development

Motivation: Flight Control Software

ETH Zurich (Kirsch, Pree, Sanvido, Schaufelberger, Wirth).

Single CPU.

Motivation: Flight Control Software

UC Berkeley (Horowitz, Liebman, Ma, Koo, Sangiovanni
-
Vincentelli, Sastry).

Two connected CPUs.

Motivation: Flight Control Software

200 Hz

400 Hz

200 Hz

1 kHz

Motivation: Flight Control Software

1. Concurrent periodic tasks:


-
sensing
-
control law computation
-
actuating

2. Multiple modes of operation:


-
navigational modes (autopilot, manual, etc.)
-
maneuver modes (taxi, takeoff, cruise, etc.)
-
degraded modes (sensor, actuator, CPU failures)


Platform
-
independent Software Model

Mode 1

Mode 4

Mode 3

Mode 2

Task S 400 Hz

Task C 200 Hz

Task A 1 kHz

Task S 400 Hz

Task C 200 Hz

Task A’ 1 kHz

Task C’ 100 Hz

Task A 1 kHz

Task S 400 Hz

Task C 200 Hz

Task A 2 kHz

Task A” 1 kHz

Condition 1.2

Condition 2.1

Platform
-
independent Software Model

Host code
e.g. C

Glue code
Giotto

Functionality.

-
Environment time, not platform time.
-
Concurrency, not distribution.

Platform
-
independent Software Model

Timing and interaction.

This kind of software
is understood:

Host code may (sometimes)
be generated automatically.

The software complexity lies in the
glue code (minimize jitter!) :

Giotto enables requirements
-
driven rather
than platform
-
driven glue
-
code programming.

-
No time.
-
Sequential.

1. The Giotto Programmer’s Model

2. The Giotto Compiler

The Giotto Programmer’s Model

Programming in terms of environment time:



Programmer’s fiction:

-
time
-
triggered task invocation



-
tasks are functions with a fixed duration

-
platform offers sufficient performance


Implementation in terms of platform time:


Compiler must maintain programmer’s fiction:

-
needs access to global time, no other platform requirements

-
tasks may finish early, but outputs cannot be observed early

-
tasks may be preempted and distributed

Given:


1. Units of scheduled host code (application
-
level tasks).


e.g. control law computation



2. Units of synchronous host code (system
-
level drivers).


e.g. device drivers



3. Real
-
time requirements and data flow between tasks.


Giotto:
Glue code that calls 1. and 2. in order to realize 3.

Task

Input ports

Output ports

Task

Task driver loads
task input ports.

The Giotto Programmer’s Model

Task

Driver

Input ports
loaded.

Driver execution in
environment time 0.

Task execution in
environment time d.

Output ports
read.

Sensor/output
ports read.

Sensor

Actuator

Actuator/input
ports loaded.

Time t

Time t

Time t+d

Time t+d

d

Task duration

Environment Timeline (defined by Giotto semantics)

Task

Driver

Input ports
loaded.

Output ports
read.

Sensor

Time t

Time t

Time t+d

Time t+d

d

Task on CPU.

Actuator

Platform Timeline (chosen by Giotto compiler)

The Giotto compiler chooses for a given platform a platform timeline
that is value equivalent to the environment timeline

defined by the
Giotto semantics.


Internal Determinism:

For a given sequence of sensor readings, the corresponding
sequence of actuator settings is uniquely determined (i.e., there
are no race conditions).

Platform Independence ensures Predictability

Navigation

Control

Simplified Helicopter Software

Sensors

Actuators

i

s

a

10

5

Navigation

Control

Simplified Helicopter Software

Sensors

Actuators

i

s

a

10

5

Matlab/legacy design

a



i



a



t+10ms

s



Task

Navigation

Navigation

Control

t+10ms

t

t

t+5ms

t+5ms

i



s



s



Helicopter Software: Environment Timeline

Block of synchronous code

(nonpreemptable)

Scheduled tasks
(preemptable)










t+10ms




Task

t+10ms

t

t

t+5ms

t+5ms










Single
-
CPU Helicopter: Platform Timeline (EDF)










t+10ms




t+10ms

t

t

t+5ms

t+5ms










t+7ms

HeliCtr

HeliNav

TDMA Slot

HeliNet

Two
-
CPU Helicopter: Platform Timeline








(Time
-
triggered Communication)










t+10ms




t

t

t+5ms

t+5ms










HeliCtr

HeliNav

Message

HeliNet

Two
-
CPU Helicopter: Platform Timeline








(Event
-
triggered Communication)

t+10ms

sensor
gps_type

GPS

uses
c_gps_device
;

actuator
servo_type

Servo

:=
c_servo_init


uses
c_servo_device
;

output


ctr_type

CtrOutput
:=
c_ctr_init
;


nav_type

NavOutput

:=
c_nav_init
;


driver
sensing

(
GPS
) output (
gps_type gps
)
{
c_gps_pre_processing

(
GPS
,
gps

) }


task
Navigation

(
gps_type

gps
) output (
NavOutput
)
{
c_matlab_navigation_code

(
gps
,
NavOutput
) }



Helicopter Software: Giotto Syntax (Functionality)
























mode

Flight
( )

period

10ms


{


actfreq
1

do
Actuator

(
actuating

) ;



taskfreq

1
do

Control

(
input

)

;


taskfreq

2
do

Navigation
(
sensing

) ;


}



Helicopter Software: Giotto Syntax (Timing)

Mode Switch

f

h

g

f

2.5

5

10

10

Mode m

Mode m’

d

d’

p


s

5

p

p

d

Task

g

f

Mode Switch @

t+5ms

Time

Mode Switch: Environment Timeline

p

d

p

Mode Switch finished @

t+5ms

Task

g

f

Time

s

Mode Switch: Environment Timeline

d’

p

d

p

Task

g

f

Time

t+5ms

t+5ms

s

Mode Switch: Environment Timeline

p

d

s

p

h

d’

Task

g

f

Time

t+7.5ms

t+5ms

Mode Switch: Environment Timeline

s

d

p

p

d’

t+10ms

h

d’

h

d’

Task

g

f

Mode Switch: Environment Timeline

t+10ms

1. The Giotto Programmer’s Model

2. The Giotto Compiler

The Giotto Compiler

Giotto Program


Native Code



Tasks and Drivers

Giotto
-
P

Platform Specification

-
topology (CPUs, nets)
-
performance (WCETs, latencies)
-
APIs (RTOSs, protocols)

Executables

Giotto Compiler

Functionality

Timing

Interaction

Platform

“Failure”

either Giotto
-
P overconstrained,
or compiler not smart enough
(distributed scheduling problem)

or

Closing the Gap: Annotated Giotto

Giotto Program


Native Code



Tasks and Drivers

Giotto
-
P

-
topology (CPUs, nets)


-
performance (WCETs, latencies)
-
APIs (RTOSs, protocols)

Executables

Giotto Compiler

Functionality

Timing

Interaction

Platform

“Failure”

either Giotto
-
PM overconstrained,
or compiler not smart enough
(global scheduling problem)

or

Giotto
-
PM

-
assign tasks to CPUs



-
assign connections to nets

Map

Closing the Gap: Annotated Giotto

Giotto Program


Native Code



Tasks and Drivers

Giotto
-
P

Executables

Giotto Compiler

Functionality

Timing

Interaction

Platform

“Failure”

Giotto
-
PMC overconstrained
(local scheduling problems solvable)

or

Giotto
-
PM

Map

Giotto
-
PMC

Communication

-
assign connections to TDMA slots (say)

-
topology (CPUs, nets)


-
performance (WCETs, latencies)
-
APIs (RTOSs, protocols)

-
assign tasks to CPUs



-
assign connections to nets

Single
-
CPU Giotto Scheduling

Why is it simple?

-
Static utilization test for each mode



-
Mode switches are
memory
-
free


Theorem: Given a Giotto program and WCETs for all tasks, it can be
checked in quadratic time if an EDF scheduler meets all deadlines.

[ host
HeliCtr

address
192.168.0.1
;


host
HeliNav

address
192.168.0.2
;


network
HeliNet

address
192.168.0.0

connects
HeliCtr
,
HeliNav
]



mode Flight ( ) period 10ms


{


actfreq 1 do Actuator ( actuating ) ;



taskfreq 1 do Control ( input )
[ host
HeliCtr
]
;


taskfreq 2 do Navigation ( sensing )

[host
HeliNav
;


push (
NavOutput

) to (

HeliCtr

) in
HeliNet

slots (7,10)

]
;


}



Two
-
CPU Helicopter: Annotated Giotto








(Time
-
triggered Communication)

Code Generation

Giotto Program


Native Code



Tasks and Drivers

Giotto
-
P

Giotto Compiler

Functionality

Timing

Interaction

Platform

Giotto
-
PM

Map

Giotto
-
PMC

Communication

-
assign connections to TDMA slots (say)

-
topology (CPUs, nets)


-
performance (WCETs, latencies)
-
APIs (RTOSs, protocols)

-
assign tasks to CPUs



-
assign connections to nets

or

“Failure”

VxWorks

OSEK



Code Generation: The Embedded Machine

Giotto Program


Native Code



Tasks and Drivers

Giotto
-
P

Embedded Machine code

Giotto Compiler

Functionality

Timing

Interaction

Platform

or

Giotto
-
PM

Map

Giotto
-
PMC

Communication

-
assign connections to TDMA slots (say)

-
topology (CPUs, nets)


-
performance (WCETs, latencies)
-
APIs (RTOSs, protocols)

-
assign tasks to CPUs



-
assign connections to nets

“Failure”

Embedded Machine interpreter

The Embedded Machine

-
a virtual machine that mediates the interaction of
physical processes (sensors and actuators)

and
software processes (tasks and drivers)

in real time

-
the Giotto compiler can be retargeted to a new
platform by porting the Embedded Machine

Environment

Software

Software Processes: platform time

Environment Processes: environment time

The Embedded Machine

Environment

Software

Schedulability

Reactivity

The Embedded Machine

The Art of Embedded Programming

Environment

Software

Schedulability: time safety checking for platform time

Reactivity: programming in environment time (e.g. Giotto)

The Embedded Machine: Time is like Memory

Embedded Machine

Environment Ports

Task Ports

Driver Ports

Embedded Machine

task
triggers

environment
triggers

sense
actuate

read
write

call drivers

The Embedded Machine

schedule tasks

e.g. clock

e.g. task
completion

Enable trigger:

future(
g
,B:)

B:

Schedule task:

schedule(
T
)

T

Call driver:

call(
d
)

g

The Embedded Machine: Three Instructions

Execute driver
d
now.

Hand task
t

over to the
system scheduler (RTOS).

Have code
B

executed as
soon as trigger
g

becomes true.

a



i



a



t+10ms

s



Task

Navigation

Navigation

Control

t+10ms

t

t

t+5ms

t+5ms

i



s



s




B1:

call(
actuate
)



call(
sense
)



call(
input
)



schedule(
Control
)



schedule(
Navigation
)



future(
now+5
,
B2:)



relax

Giotto Code Generation: The Embedded Machine

a



i



a



t+10ms

s



Task

Navigation

Navigation

Control

t+10ms

t

t

t+5ms

t+5ms

i



s



s




B2:

call(
sense
)



schedule(
Navigation
)



future(
now+5
,
B1:)



relax

Giotto Code Generation: The Embedded Machine

The Embedded Machine

Synchronous code:

-
Embedded Machine instructions and drivers
-
kernel context (trigger
-
related interrupts disabled)

Scheduled code:

-
tasks
-
user context (trigger
-
related interrupts enabled)

The Embedded Machine

Task
-
triggered code:

-
triggers on environment and task ports


-
observable behavior depends on environment and scheduler

Environment
-
triggered code:

-
triggers only on environment ports
-
observable behavior depends on environment only

All Giotto programs result in environment
-
triggered code.

The Embedded Machine

Time
-
safe code:

No driver accesses a scheduled task before completion.

Time
-
live code:

There is no infinite synchronous computation.

All Giotto programs result in time
-
live code.
Time safety is checked by the Giotto compiler.

Alternatively, time safety violations can be can be handled through
run
-
time exceptions.

The Embedded Machine

Time Safety:

Violations due to
combination

of





-
insufficient synchrony

(environment events too frequent)
-
insufficient platform utilization

(scheduler too weak)
-
insufficient platform

performance

(hardware too slow)


Our approach therefore systematically integrates

synchronous programming

and
scheduling theory
.


The Giotto Project

Completed:
www.eecs.berkeley.edu/~tah/giotto



-
Software tools:









Simulink to Giotto translator

(Kirsch, Pree)





Giotto compiler for single
-
CPU targets

(Kirsch)




Embedded Machine for Linux and VxWorks

(Kirsch)




-
Applications:









Lego Mindstorms

(Horowitz, Kirsch, Majumdar)




Zurich helicopter

(Kirsch, Sanvido)


In progress:


-
Software tools:









Giotto scheduler for distributed platforms

(Horowitz)




Time safety checker for Embedded Machine code

(Kirsch, Matic)

-
Applications:









Berkeley helicopter
(Horowitz, Liebman, Ma)





Electronic throttle control

(Kirsch)