The Fixed Logical Execution Time (FLET) Assumption Tom Henzinger University of California, Berkeley.

The Fixed Logical Execution Time (FLET) Assumption

Tom Henzinger University of California, Berkeley

The History of Computer Science: Lifting the Level of Abstraction

The “assembly age”: Programming to the platform

High-level languages: Programming to the application Compilation:

perhaps “the” success story of computer scienceIt is feasible to

abstract the platform.

The History of Computer Science: Lifting the Level of Abstraction

The “assembly age”: Programming to the platform

High-level languages: Programming to the application

Automatic program synthesis: No more programming

Compilation: perhaps “the” success story of computer science

Code generation from specifications: still mostly a dream

It is feasible to abstract the platform.

It is not feasible to abstract algorithms and data structures.

Current Practice in Embedded Software Design

Some manual programming to the platform

Some automatic code generation from models

-often inefficient -often unpredictable -e.g. Real-Time Workshop

-difficult to reuse -difficult to verify -requires systems experts

Current Practice in Embedded Software Design

Efficient code (scheduled by RTOS)

Mathematical models (e.g. Simulink)

Code verification difficult

Code generation difficult

Advocated Practice in Embedded Software Design

Efficient code (possibly schedule-carrying)


The missing link: platform-independent programming model




Verification

Compilation





Verification

Compilation

-verifiable -reusable -efficiently implementable





Verification

Compilation

-verifiable -reusable -efficiently implementableReusable = composable + portable


Platform P

Requirement A

Program A


Requirement B

Program B +

+

Compositionality

Platform P

Requirement A

Program A


Requirement B'

Program B' +

+

Compositionality

Requirement A

Platform P


Platform Q

PortabilityProgram A




Verification

Compilation

-concurrency -environment time

-distribution -platform (CPU) time





Verification

Compilation


-distribution -platform (CPU) time






Verification

Compilation

-descriptive -mathematics / logic

-prescriptive -algorithms + data structures






Verification

Compilation

-descriptive -mathematics

-prescriptive -algorithms + data structures

-concurrency -environment time -prescriptive -virtual machine





Verification

Compilation


e.g. What is the control equation? What is the sampling rate?

e.g. Which procedure computes the control equation? Which event triggers the computation? e.g. Which CPU executes the control procedure? What priority has the execution?




First Attempt

Priorities



Programming model: Priorities

First Attempt

Not sufficiently abstract

-not about environment time -not compositional



Programming model: Priorities

First Attempt

Not sufficiently abstract

-not about environment time -not compositional

Scheduling theory

Correctness?

Efficiency!




Second Attempt

Synchrony assumption: platform time infinitely faster than environment time



Synchronous programming languages (Esterel, Lustre, Signal, etc.)

Second Attempt

Too abstract

difficult to compile to resource-constrained, distributed platforms



Synchronous programming languages (Esterel, Lustre, Signal, etc.)

Second Attempt

Too abstract

difficult to compile to resource-constrained, distributed platforms

Correctness!

Efficiency?




Our Attempt

FLET assumption:-verifiable -efficiently implementable -composable -portable

The FLET (Fixed Logical Execution Time) Assumption

Software Task

read sensor input at time t

write actuator output at time t+d, for fixed d

Software Task

read sensor input at time t

write actuator output at time t+d, for fixed d

d>0 is the task's "logical execution time"


The programmer specifies d (could be any event) to solve the problem at hand.

The compiler ensures that d is met on a given platform (hardware resources and performance); otherwise it rejects the program.

The FLET Programming Model

time t time t+d

possible physical execution on CPU buffer output


50% CPU speedup

Portability

Task 2

Task 1

Composability

-timing predictability: minimal jitter -function predictability: no race conditions

Verifiability through Predictability (Internal Determinism)

output as soon as ready

Contrast FLET with Standard Practice

Race

Contrast FLET with Standard Practice

… yes but, what about the sacrifice in performance ?!

Test Case: Flight Control Software

UC Berkeley (Horowitz, Liebman, Ma, Koo, Sangiovanni-Vincentelli, Sastry). Two connected CPUs.

Flight Control Software Architecture

200 Hz400 Hz

200 Hz 1 kHz

Flight Control Software Architecture

1. Concurrent periodic tasks:

-sensing -control law computation -actuating

2. Multiple modes of operation:

-navigational modes (autopilot, manual, etc.) -maneuver modes (taxi, takeoff, cruise, etc.) -degraded modes (sensor, actuator, CPU failures)

Platform-independent Software Model

Mode 1

Mode 4

Mode 3

Mode 2

Task S 400 Hz

Task C 200 Hz

Task A 1 kHz

Task S 400 Hz

Task C 200 Hz

Task A’ 1 kHz

Task C’ 100 Hz

Task A 1 kHz

Task S 400 Hz

Task C 200 Hz

Task A 2 kHz

Task A” 1 kHz

Condition 1.2

Condition 2.1


Host code e.g. C

Glue code e.g. Giotto

Functionality. -Environment time, not platform

time. -Concurrency, not distribution.


Timing and interaction.

This kind of software is understood: Host code may (sometimes) be generated automatically.

The software complexity lies in the glue code (minimize jitter!): Giotto enables requirements-driven rather than platform-driven glue-code programming.

-No time. -Sequential.

1. The Giotto Programmer’s Model: Time-triggered FLET

2. The Giotto Compiler

The Giotto Programmer’s Model

Programming in terms of environment time:

Programmer’s fiction: -time-triggered task invocation

-tasks are functions with a fixed duration -platform offers sufficient performance

Implementation in terms of platform time:

Compiler must maintain programmer’s fiction: -needs access to global time, no other platform requirements -tasks may finish early, but outputs cannot be observed early -tasks may be preempted and distributed

1. Units of scheduled host code (application-level tasks). e.g. control law computation

2. Units of synchronous host code (system-level drivers). e.g. device drivers

TaskInput ports Output ports

Task Task driver loads task input ports.

Functional Components

Task

Driver

Input ports loaded.

Driver execution in environment time 0.

Task execution in environment time d.

Output ports read.

Sensor/output ports read.

Sensor Actuator

Actuator/input ports loaded.

Time t Time t Time t+d

Time t+d

d

Task duration

Environment Timeline (defined by Giotto semantics)

Task

Driver

Input ports loaded.

Output ports read.

Sensor

Time t Time t Time t+d

Time t+d

d

Task on CPU.

Actuator

Platform Timeline (chosen by Giotto compiler)

The Giotto compiler chooses for a given platform a platform timeline that is value equivalent to the environment timeline defined by the Giotto semantics.

Internal Determinism:

For a given sequence of sensor readings, the corresponding sequence of actuator settings is uniquely determined (i.e., there are no race conditions).

Platform Independence ensures Predictability

Navigation

Control

Simplified Helicopter Software

Sensors

Actuators

i

s

a10

5

Navigation

Control

Simplified Helicopter Software

Sensors

Actuators

i

s

a10

5

Simulink / legacy design

…

mode Flight ( ) period 10ms

{

actfreq 1 do Actuator ( actuating ) ;

taskfreq 1 do Control ( input ) ;

taskfreq 2 do Navigation ( sensing ) ;

}

…

Helicopter Software: Giotto Syntax

Navigation

Control

i

s

a10

5

a ia

t+10ms

s

Task

Navigation Navigation

Control

t+10mst t t+5ms t+5ms

i

s s

Helicopter Software: Environment Timeline

Block of synchronous code (nonpreemptable)

Scheduled tasks (preemptable)

t+10ms

Task


Single-CPU Helicopter: Platform Timeline (EDF)

t+10mst+10mst t t+5mst+5ms t+7ms

HeliCtr

HeliNav

TDMA Slot

HeliNet

Two-CPU Helicopter: Platform Timeline (Time-triggered Communication)


HeliCtr

HeliNav

Message

HeliNet

Two-CPU Helicopter: Platform Timeline (Event-triggered Communication)

t+10ms

1. The Giotto Programmer’s Model

2. The Giotto Compiler

The Giotto Compiler

Giotto Program

Native Code Tasks and Drivers

Giotto-P Platform Specification

-topology (CPUs, networks) -performance (WCETs, latencies) -APIs (RTOSs, protocols)

Executables

Giotto Compiler

Functionality

Timing Interaction

Platform

“Failure”

either Giotto-P overconstrained, or compiler not smart enough (distributed scheduling problem)

or

Closing the Gap: Annotated Giotto

Giotto Program


Giotto-P-topology (CPUs, networks)

-performance (WCETs, latencies) -APIs (RTOSs, protocols)

Executables

Giotto Compiler

Functionality

Timing Interaction

Platform

“Failure”

either Giotto-PM overconstrained, or compiler not smart enough (global scheduling problem)

or

Giotto-PM -assign tasks to CPUs -assign connections to networks

Map

Closing the Gap: Annotated Giotto

Giotto Program


Giotto-P

Executables

Giotto Compiler

Functionality

Timing Interaction

Platform

“Failure”

Giotto-PMC overconstrained (local scheduling problems solvable)

or

Giotto-PMMap

Giotto-PMCCommunication

-assign connections to TDMA slots (say)

-topology (CPUs, networks) -performance

(WCETs, latencies) -APIs (RTOSs, protocols)-assign tasks to CPUs -assign connections to networks

Code Generation

Giotto Program


Giotto-P

Giotto Compiler

Functionality

Timing Interaction

Platform

Giotto-PMMap





or “Failure”

VxWorks

OSEK …

Code Generation: The Embedded Machine

Giotto Program


Giotto-P

Embedded Machine code

Giotto Compiler

Functionality

Timing Interaction

Platform

or

Giotto-PMMap





“Failure”

Embedded Machine interpreter

The Embedded Machine

-a virtual machine that mediates the interaction of physical processes (sensors and actuators) and software processes (tasks and drivers) in real time

-the Giotto compiler can be retargeted to a new platform by porting the Embedded Machine

Environment

Software

Software Processes: platform time

Environment Processes: environment time


Environment

Software

Schedulability: time safety checking for platform time

Reactivity: programming in environment time

The Embedded Machine: Time is like Memory

Embedded Machine

Environment Ports

Task Ports

Driver PortsEmbedded Machine

task triggers

environment triggers

sense actuate

read write

call drivers


schedule tasks

e.g. clock

e.g. task completion

Enable trigger:future(g,B:) B:

Schedule task:schedule(T)

T

Call driver:call(d)

d

g

The Embedded Machine: Three Instructions

Execute driver d now.Hand task t over to the system scheduler (RTOS).

Have code B executed as soon as trigger g becomes true.

a ia

t+10ms

s

Task


Control

t+10mst t t+5mst+5ms

i

s s

B1: call(actuate)call(sense)call(input)schedule(Control)schedule(Navigation)future(now+5, B2:)relax

Giotto Code Generation

a ia

t+10ms

s

Task


Control


i

s s

B2: call(sense)schedule(Navigation)future(now+5, B1:)relax


Embedded Machine Code combines

Synchronous code:

-Embedded Machine instructions and drivers -kernel context (trigger-related interrupts disabled)

Scheduled code:

-tasks -user context (trigger-related interrupts enabled)

Real-Time Programs

Task-triggered code:

-triggers on environment and task ports -observable behavior depends on environment and scheduler

Environment-triggered code:

-triggers only on environment ports -observable behavior depends on environment onlyAll Giotto programs result in environment-

triggered code.

Real-Time Programs

Time-safe code:

No driver accesses a scheduled task before completion.

Time-live code:

There is no infinite synchronous computation.All Giotto programs result in time-live code. Time safety is checked by the Giotto compiler.

Alternatively, time safety violations can be can be handled through run-time exceptions.

Real-Time Programs

Time Safety:

Violations due to combination of -insufficient synchrony

(environment events too frequent) -insufficient platform utilization (scheduler too weak) -insufficient platform performance (hardware too slow) Our approach systematically integrates synchronous programming and scheduling theory.

Distributed Giotto Compiler

Giotto Compiler

Giotto Program

E Code

Distributed Giotto Compiler

Giotto Compiler with Time Safety

Checker

Giotto Program

E Code

Giotto-P Platform

Spec

Proof of Time Safety = Schedule

Schedule-Carrying Code


Checker

Giotto Program

E Code

Giotto-P Platform

Spec

Proof of Time Safety (Schedule)

+

Schedule-Carrying Code


Checker

Giotto Program

E Code

Giotto-P Platform

Spec

S Code (Executable Schedule)

+

a ia

t+10ms

s

Task


Control


i

s s

B1: call(actuate)call(sense)call(input)schedule(Control)schedule(Navigation)future(now+5, B2:)relax


a ia

t+10ms

s

Task


Control


i

s s

B1: call(actuate)call(sense)call(input)schedule(Control)schedule(Navigation)future(now+5, B2:)dispatch(Navigation, now+5)dispatch(Control, now+5)idle(now+5)

Giotto EDF Schedule Generation

Advantages of SCC (Schedule-Carrying Code)

Advantages of PCC:

-schedule generation is harder than schedule validation (nonpreemptive or distributed case: NP-hard vs. linear)

-once generated, schedule can be reused

-compiler does not need to be trusted

Advantages of SCC (Schedule-Carrying Code)

Advantages of PCC:

-schedule generation is harder than schedule validation (nonpreemptive or distributed case: NP-hard vs. linear)

-once generated, schedule can be reused

-compiler does not need to be trusted

Advantages of Executability:

-flexible scheduling scheme

-no system scheduler (RTOS) necessary

-overhead reduction of up to 80%

The Giotto Project

www.eecs.berkeley.edu/~tah/giotto

Software Tools:

Simulink to Giotto translator (Pree)Giotto to E code compiler (Kirsch) E Machine on Linux, VxWorks, OSEK (Kirsch)

S code time safety checker (Matic)Integrated E and S machine on StrongARM (Kirsch, Sanvido) Event-triggered xGiotto (Ghosal, Sanvido)

Applications:

Lego Mindstorms (Horowitz, Kirsch, Majumdar)Zurich helicopter (Kirsch, Sanvido)Berkeley helicopter (Horowitz, Liebman, Ma,

Sastry) BMW electronic throttle control (Kirsch, Pree)

GIOTTO: FLET for periodic tasks with time-triggered mode

switching

Mode 1 Mode 2

Task S Task C Condition 1.2

xGIOTTO: General (event-triggered) FLET programming

1. Schedule Instruction:

schedule Task by Event ;

2. Reaction Block:

react { when Event do Block ;

whenever Event do Block ; begin … end ; } until Event ;

logical deadline


If all events can happen at any time, then few programs would be time-safe.

However, nested reaction blocks can be used for event scoping (i.e., not all events are listened to all the time).


If all events can happen at any time, then few programs would be time-safe.

However, nested reaction blocks can be used for event scoping (i.e., not all events are listened to all the time).

xGiotto = Structured Real-Time Programming

The Giotto Project

www.eecs.berkeley.edu/~tah/giotto

Participants:

Ben HorowitzArkadeb GhosalChristoph Kirsch Slobodan Matic Marco Sanvido

Sponsors:

DARPA SEC (Software-Enabled Control)NSF CHESS (Center for Hybrid & Embedded Software Systems)

The Fixed Logical Execution Time (FLET) Assumption Tom Henzinger University of California, Berkeley.

Documents

Transcript of The Fixed Logical Execution Time (FLET) Assumption Tom Henzinger University of California, Berkeley.