DATA CONSISTENCY TEST TOWARDS SYSTEMATIC REQUIREMENTS ELICITATION IN - - PowerPoint PPT Presentation
DATA CONSISTENCY TEST TOWARDS SYSTEMATIC REQUIREMENTS ELICITATION IN AUTOMOTIVE MULTI-CORE APPLICATIONS ERTS 2020 Toulouse, 30.01.2020 Ralph Mader Vitesco Technologies GmbH Wolfgang Pree University of Salzburg and Chrona.com Public DATA
ERTS 2020 Toulouse, 30.01.2020 Ralph Mader Vitesco Technologies GmbH Wolfgang Pree University of Salzburg and Chrona.com Public
1 MULTI CORE SOFTWARE FOR POWERTRAIN 2 WHAT IS DATA CONSISTENCY 3 IDENTIFICATION OF CONSISTENCY REQUIREMENTS 4 SUMMARY AND OUTLOOK
2
WHERE IS MULTI-CORE IN USE?
3
Combustion Engine Transmission Control Domain Controller HV Inverter DC/DC Converter
PROJECT VERSUS PLATFORM DEVELOPMENT
4
Platform of re-usable elements Core independent
Function A Function B Function C Function D Function E Function F Function G Function H Function I Function J Function K Function L Function M Function N Function O Function P
Project A – 2 Core Micro Controller
Function A Function B Function C Function D Function E Function K
Project B – 4 Core Micro Controller
Function A Function B Function E Function F Function H Function I Function J Function K Function N Function O
Project N – 3 Core Micro Controller
Function C Function E Function F Function G Function H Function I Function J Function K
> Platform solution must be independent from core partitioning in project
TYPES OF SOFTWARE USED
5
> Multi Core Layer is generated based on data protection needs in project
Legacy Engine Drivers (CDD) RTE OEM ASW - Non AUTOSAR OEM ASW - AUTOSAR 4.3.1 System Services Memory Stack Communication Stack IO HW abstraction OS Legacy IF
PowerSAR CDD‘s
Microcontroller Abstraction - Drivers Multicore Microcontroller IF’s Vitesco Technologies ASW - AUTOSAR 4.3.1 Vitesco Technologies ASW - Non AUTOSAR
Multi Core PDA Layer
1 MULTI CORE SOFTWARE FOR POWERTRAIN 2 WHAT IS DATA CONSISTENCY 3 IDENTIFICATION OF CONSISTENCY REQUIREMENTS 4 SUMMARY AND OUTLOOK
6
DATA CONSISTENCY = DATA STABILITY & DATA COHERENCY
7
> For proper functional behavior, both stability and coherency have to be ensured
Stability Coherency
BUFFERING OR LOGICAL EXECUTION TIME (LET)
8
> Ensuring data consistency generates overhead > Below you find two means how to ensure data consistency in Multi-Core Systems Logical Execution Time (LET) Buffering of Data
Task R 1 R 2 R 3 R 2 R 3 R 2 R 3 Task individual buffer Global Data RAM R N R 4 R 5 R N R 4 R 5
Fill buffer Flush buffer
Task 1 Core 1
time time
Rp LET 01 LET 02 LET 01 LET 02 Rc Task 2 Core 0
Global Data RAM
Task LET 01 LET 02
SHORTCOMINGS OF REQUIREMENTS ELICITATION
9
> Ensuring data consistency should minimize the overhead > Functions are designed mostly by mechanical engineers > Design object reviews are used today for identifying consistency requirements > Quality of requirements is based on the multi-core background of the reviewers Status Quo > Missing Requirements could generate sporadic functional issues (sleeping issues) > Non-maintained Requirements could lead to miss data protection > Useless Requirements consume resources and add validation & maintenance effort Consequences
1 MULTI CORE SOFTWARE FOR POWERTRAIN 2 WHAT IS DATA CONSISTENCY 3 IDENTIFICATION OF CONSISTENCY REQUIREMENTS 4 SUMMARY AND OUTLOOK
10
TIMING IS EVERYTHING ...
11
a b global variables a, b
milliseconds
TIMING IS EVERYTHING ...
12
98 a 3 b global variables a, b
Provider component (PRV) writes values to a, b 2 milliseconds
TIMING IS EVERYTHING ...
13
98 a 3 b global variables a, b
Provider component (PRV) writes values to a, b 3 milliseconds Module under Test (MUT) reads variables a, b as inputs
core 1 core 2 void f(void) { ... if (a > b) { ... ... // use a, b for calc. ... } } if (98 > 3)
TIMING IS EVERYTHING ...
14
98 a 3 b global variables a, b
Provider component (PRV) writes values to a, b 5 milliseconds Module under Test (MUT) reads variables a, b as inputs
core 1 core 2 void f(void) { ... if (a > b) { ... ... // use a, b for calc. ... } } if (98 > 3)
TIMING IS EVERYTHING ...
15
1 a 3 b global variables a, b
Provider component (PRV) writes values to a, b 8 milliseconds Module under Test (MUT) reads variables a, b as inputs
core 1 core 2 void f(void) { ... if (a > b) { ... ... // use a, b for calc. ... } } if (98 > 3)
TIMING IS EVERYTHING ...
16
1 a 3 b
global variables a, b
Provider component (PRV) writes values to a, b 9 milliseconds Module under Test (MUT) reads variables a, b as inputs
core 1 core 2 void f(void) { ... if (a > b) { ... ... // use a, b for calc. ... } } a= 1, b= 3 if (98 > 3)
All would have been fine if: > MUT would have executed a bit faster (eg, shorter waiting time for bus communication resource), or > PRV would have executed a bit slower (eg, longer interrupt by another task function on core 2) TIMING IS EVERYTHING ...
17
void f(void) { ... if (a > b) { ... ... // use a, b for calc. ... } } (98 > 3) a= 98, b= 3 void f(void) { ... if (a > b) { ... ... // use a, b for calc. ... } } if (98 > 3) a= 1, b= 3
we call this a Problematic Access Pattern (PAP)
> maximize occurrences of violations by manipulating execution times of code fragments to achieve ”bad” interleaving of MUT and PRV executions > PAP coverage (as many different PAPs as possible ) > filter by assessing the effect of certain PAPs on the outputs > basis for consistency testing: Validator simulator: a platform-aware Software-in- the-Loop (SiL) simulation > execution of application software is interleaved with simulation of a virtual platform model
BY VARYING THE EXECUTION TIMES OF TASK FUNCTIONS WITHIN WCET LIMITS
18
>a (typically a reduced) set of data protection requirements >documented exceptions with reproducible tests
ADEQUATE SET OF VARIABLES THAT NEED TO BE BUFFERED
19
. : . . . . | . . W Entry vVS vVS C v CS vVS C fat v pat
* .
/ (arg min . );
P v PS
P P net
. . vVS v CS
Init CheckPRV
/ . . . . | . . t pEt vVS vVS C v CS vVS C fat v pat
Final
* * *
. / ( ); max , . ;
M
P net t exec P pEt t P net
*. M
P net t
Wait4PRV
. .
min .
C v CS v VS C fat
: ; Entry resume
. : . , . min( . , ); W Exit C v CS C fat C fat t
. : W During
FINITE STATE MACHINES > THUS, CONSISTENCY/COHERENCY TESTING CAN BE FORMALLY VERIFIED
IMPROVES SOFTWARE QUALITY AND REDUCES RESOURCE CONSUMPTION
21
> batch mode as part of a daily build (continuous integration) > interactively with UI seamlessly integrated in Matlab/Simulink and Eclipse
1 MULTI CORE SOFTWARE FOR POWERTRAIN 2 WHAT IS DATA CONSISTENCY 3 IDENTIFICATION OF CONSISTENCY REQUIREMENTS 4 SUMMARY AND OUTLOOK
22
WHEN TO PERFORM THE CONSISTENCY TEST?
23
Consistency stress test will complement the SIL test as a formal way to prove data consistency
Functional Model Implementation model C-Code
(s-function in model)
≈ =
Result Result Result ACG
MIL Model in the Loop SIL Software In the Loop
Scaling
Functional Requirements
≈
Modeling Test cases Expected Values Model Coverage Code Coverage
C-Code
(compiled for µC- Target) Result
PIL Processor In the Loop
=
Consistency Stress Test Validator Configuration Producer Event DB Chrona Validator Validator Test Trace Runtime DB Configure Validator YPDAs Projects YPDAs Projects Project Archite ctures Test Result Summary
> Test is based on a formal method to identify consistency requirements > It works in context of a project > Extension to platform approach is possible by batch processing of different scenarios > Piloting Phase within Vitesco Technologies is started
24
EXAMPLE AND CASE STUDY ENGINE CONTROL FUNCTION – FOR SELF STUDY
27
>Consistency sets: C0={a,c,e}, C1={b,d}
28
>Consistency sets: C0={a,c,e}, C1={b,d}
29
>Consistency sets: C0={a,c,e}, C1={b,d}
Stability violations: (c,a),(d,b),(e,c) Buffer: a,c
30
>Consistency sets: C0={a,c,e}, C1={b,d}
Stability violations: (c,a),(d,b),(e,c) Buffer: a,c
31
>Consistency sets: C0={a,c,e}, C1={b,d}
Stability violations: (c,a),(d,b),(e,c) Buffer: a,c Coherency violations: (d,b) Buffer: a,c,d
32
>Consistency sets: C0={a,c,e}, C1={b,d}
33
>Consistency sets: C0={a,c,e}, C1={b,d}
Stability violations: (d,b),(c,e) Buffer: a,c,d
34
>Consistency sets: C0={a,c,e}, C1={b,d}
Stability violations: (d,b),(c,e) Buffer: a,c,d Coherency violations: none Buffer: a,c,d
35
>Consistency sets: C0={a,c,e}, C1={b,d} > Buffering requirements for a,c,d
Stability violations: (d,b),(c,e) Buffer: a,c,d Coherency violations: none Buffer: a,c,d
TESTING WORKFLOW
36
› Standard Simulink SIL model › MUT and PRV software is built into an S-
function
› Testcases
Starting point
› Replace original S-function with Validator
S-function in the Simulink model
› Instrument the MUT and PRV software at
the access points
› Generate Validator glue code, set
parameters of virtual execution platform
› Build generated and instrumented
software together with Validator library into a separate executable
ConsisTest model generation
› Set runtime configuration: test case,
alternative CSs and WCETs, protection levels for inputs
› Run test group › Evaluate results: view report on PAPs and
› Decide on protection levels of variables
and repeat tests, if necessary
Testing Seamless Workflow in existing Simulink Models
USE CASE: POWERTRAIN CONTROL FUNCTION
>MUT: periodic (10ms) >PRV: event-triggered (crank-angle event)
37
USE CASE: POWERTRAIN CONTROL FUNCTION
>SIL model with test configuration
38
USE CASE: POWERTRAIN CONTROL FUNCTION
>SIL model with test configuration >Apply test configuration on SIL model
39
USE CASE: POWERTRAIN CONTROL FUNCTION
>SIL model with replaced S-Function
40
USE CASE: POWERTRAIN CONTROL FUNCTION
>SIL model with replaced S-Function >Execute test runs
41
Test1
42
Test1
43
>Run on an INTEL i7 with 2.7GHz and 32GB RAM >SIL environment setup: ~60min (one time effort) >One test case execution: 12secs–3.5min (1min avg.) >Evaluation of test results: ~30min >On average 5 test cases per module >One module is on average reused in 10 projects >Additional testing overhead introduced per module: 140min
44