ESEVO Real-Time Systems Modeling

Bernhard Frömel, based on slides by Christian El-Salloum. Institute of Computer Engineering, Vienna University of Technology. 182.722 Embedded Systems Engineering LU.


SLIDE 1

ESEVO Real-Time Systems Modeling Frömel

ESEVO Real-Time Systems Modeling

Bernhard Frömel

based on slides by Christian El-Salloum.

Institute of Computer Engineering, Vienna University of Technology

182.722 Embedded Systems Engineering LU

October, 2014

1/45

SLIDE 2

Part I

Engineering versus Scientific Method

SLIDES 3-7

Engineering Method versus Scientific Method

[Figure, taken from Henzinger, built up step by step over slides 3 to 7: two build, test, revise loops between a System and a Model. In the engineering method the model comes first and the system is built, tested and revised against it; in the scientific method the system comes first and the model is built, tested and revised against it.]

Predictability (repeatability, determinism) is critical for both methods!

SLIDE 8

Part II

Model-based Design

SLIDE 9

The problem

Classic development of safety-critical systems is expensive:

◮ Multiple views on the same specification (system, software and hardware designers, ...) and miscommunication between them
◮ Ambiguous and incomplete specifications
◮ Manual coding
◮ Changes have vast implications
◮ Leads to: verification is very complex!

E.g., the average development and verification effort for 10K lines of code is about 16 person-years [Camus and Dion, 2003]

SLIDE 10

Model-based Design

The model is the center of the entire development process:

◮ Requirements
◮ Design
◮ Implementation
◮ Testing

How to adequately represent a model?

◮ C?
◮ Something graphical with boxes and arrows, like UML?

SLIDES 11-12

Any open questions?

    void setup_timer(void);   /* platform timer API, not shown on the slide */
    void start_timer(void);

    volatile unsigned int timer_count = 0;   /* shared between ISR and main */

    /* Timer interrupt service routine: called once per timer period. */
    void ISR(void)
    {
        if (timer_count != 0)
            timer_count--;
    }

    int main(void)
    {
        setup_timer();
        timer_count = 100;
        start_timer();
        while (timer_count != 0) {
            /* do smth for 100 seconds */
        }
        . . .
    }

[taken from E. Lee]

Nothing in the C text says how long the loop actually runs: the comment promises 100 seconds, but that holds only if the timer period is one second, and the period is a property of the platform timer, not of the C semantics. The temporal behavior of the program lives outside the language.

SLIDE 13

Required Properties of a Model

◮ Concrete enough to capture all relevant details. E.g., functional behavior, timing, reliability, ...
◮ Abstract enough to omit irrelevant details. E.g., implementation details
◮ For model-based design, the model has to be understandable by a machine
  ◮ Exact execution semantics
  ◮ Models as executable specification
◮ Boxes and arrows are fine, but only if the semantics of an arrow or a box is precisely defined in the meta-model.

SLIDE 14

Meta-Model

The meta-model defines:

◮ the building blocks of the model (e.g., nodes, connections, messages, tasks, ...)
◮ the rules for how to instantiate and connect these building blocks
◮ the semantics of the building blocks

The meta-model for executable specifications additionally defines an abstract machine.

◮ The complexity of the abstract-machine model should be much lower than that of the concrete machine.
◮ In each refinement step on the way to the final implementation (physical platform), the execution semantics of the abstract machine must be retained!

SLIDE 15

Finding the right abstraction level ...

It would be very cool to go from a minimal specification, whose requirements come directly from the controlled environment (e.g., pure functionality, end-to-end latencies, non-functional requirements, ...), to a final (distributed) platform by automatic transformation realized by tools, where we have

◮ a high degree of freedom in the solution space (e.g., which CPUs, FPGAs, operating systems, ...), and
◮ can employ optimization techniques (e.g., to optimize for power, cost, ...).

Unfortunately, it's too complex!

SLIDE 16

Finding the right abstraction level ...

It would be very easy for the tool designer to go from a maximal specification, where all details (e.g., mapping, schedules, memory management, ...) are fixed and respect the high-level requirements, to a final (distributed) platform by a straightforward automatic transformation realized by simple tools.

Unfortunately, all the work is left to the poor person who writes the specification, e.g.,

◮ choose which CPUs, FPGAs, operating systems, ...,
◮ do the programming work, and
◮ optimize 'manually'.
SLIDE 17

Part III

Time in Models

SLIDE 18

Modeling Temporal Behavior and Concurrency

◮ Real computing ...
  ◮ There is some delay!
  ◮ There is some clock drift!
  ⇒ difficult to model and to compose!
◮ Asynchronous models: arbitrary delay (e.g., delay-insensitive circuits).
  ⇒ (cognitively) very complex!
◮ Synchronous models
◮ Logical execution time

SLIDE 19

SIMTOOLS, Simulation Level 1 [SIMTOOLS, 2014]

[Figure only: simulation level 1 screenshot]

SLIDE 20

SIMTOOLS, Simulation Level 4 – with Timing Details

[Figure only: simulation level 4 screenshot]

SLIDE 21

Safety-Critical Application Development Environment (SCADE)

The golden rules of SCADE (∼ model-based design principles):

◮ Share unique, accurate specifications
◮ Do things once
◮ Do things right the first time

DESIGN-VERIFY-GENERATE

SLIDE 22

SCADE

SCADE (Safety-Critical Application Development Environment):

◮ Formal executable specifications
◮ Verification of properties and assertions
◮ Synchronous data-flow design
◮ Generation of the specification in VHDL or Verilog formats
◮ C and SystemC code generators (DO-178B, EN 50128 and IEC 61508)
◮ Gateways available to, e.g., Simulink, LabVIEW, UML/SysML

SLIDE 23

Essence

[Figure: cycle-based, intuitive computational model. On each real-time event: sample/hold inputs, execute the cyclic function, send outputs. The cyclic function is the scope of SCADE.]

◮ Blocks implement functions and have a clock (derived from a given master clock)
◮ Blocks read inputs and generate their output in zero delay (⇒ synchronous language)

SLIDE 24

Synchronous Language

◮ Discrete time scale with a priori defined granularity, imposed by the dynamics of the environment
◮ Each instant of the scale corresponds to a computation cycle (arrival of new inputs)
◮ Synchronism hypothesis: calculation time < grain of the discrete time scale
◮ Outputs are calculated at the same instant (in zero time) as the inputs are taken into account, w.r.t. the discrete time scale
◮ Temporal composability
◮ The synchronism hypothesis has to be verified by Worst-Case Execution Time (WCET) analysis

SLIDE 25

Block diagrams (1)

Block diagrams for continuous control:

◮ Networked blocks (operators or nodes)
◮ Blocks compute mathematical functions
◮ Arrows represent flows of data
◮ Declarative data-flow language (what instead of how)
◮ Mathematically clean (no side effects)
◮ Blocks compute concurrently
◮ Block diagrams are fully hierarchical
◮ For the algorithmic part: e.g., filters
◮ Temporal composability: 0 + 0 = 0 (composing zero-delay blocks yields a zero-delay block)

What about causality dependencies?

SLIDE 26

Block diagrams (2)

Block diagrams for continuous control [(c) Esterel Technologies]

◮ An equation (=) represents an infinite sequence of values, i.e., a flow
◮ A flow has a unique definition (mathematically deterministic)
◮ Memory stores past flow states (recorded at previous cycle(s))

SLIDE 27

SCADE, State machines (1)

State machines for discrete control

[Figure only]

SLIDE 28

SCADE, State machines (2)

State machines for discrete control

◮ Model control logic
◮ Signal exchange with the environment
◮ Safe State Machines (SSMs)
  ◮ Hierarchical state machines
  ◮ Macro states contain one or more SSMs

SLIDE 29

Code Generation and Resolving Concurrency [(c) Esterel Technologies]

◮ Target platform code generation (e.g., C)
◮ Logical versus physical concurrency
◮ Automatic generation of sequential code
  ◮ Concurrent code is interleaved (⇒ cycle fusion)
  ◮ Multitasking (and scheduling) can be avoided (⇒ WCET)
  ◮ Computation order based on functional dependencies
  ◮ ⇒ No deadlocks, race conditions, or tasking overhead
◮ Verification of code is easy: deterministically derived from the model, correct-by-construction
◮ "Qualifiable" code generators
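The cycle-fusion idea on this slide, together with the causality question of slide 25 and the memory (pre) operator of slide 26, as an added example that is not SCADE's code generator and not from the original slides: a small Python kernel for a synchronous data-flow network. Every block computes once per cycle in zero logical time, the sequential computation order is derived statically from the zero-delay dependencies, a memory read is the only way a value crosses a cycle boundary, and a zero-delay dependency cycle is rejected at scheduling time as a causality error instead of becoming a deadlock or a race at run time. The `('pre', name)` operand convention, the block names and the sample filter are constructed for this example.

```python
from collections import defaultdict, deque


class CausalityError(Exception):
    """Zero-delay dependency cycle: no static computation order exists."""


class SyncNetwork:
    """Synchronous data-flow network: all blocks fire once per cycle, sequentially,
    in an order fixed before the first cycle ('cycle fusion'), so no tasking is needed."""

    def __init__(self):
        self._blocks = {}   # name -> (function, operands)
        self._memory = {}   # name -> value published in the previous cycle ('pre')
        self._order = None  # static computation order, computed by schedule()

    def block(self, name, fn, *operands):
        """operands: 'x' reads x in this cycle (zero delay);
        ('pre', 'x') reads the value x had in the previous cycle (memory)."""
        self._blocks[name] = (fn, operands)
        self._order = None

    def init_pre(self, name, value):
        """Value returned by ('pre', name) in the very first cycle."""
        self._memory[name] = value

    def schedule(self):
        """Topological order of the zero-delay dependency graph (Kahn's algorithm).
        Memory reads are not edges, so 'pre' is what legally breaks a feedback loop."""
        indeg = {n: 0 for n in self._blocks}
        succ = defaultdict(list)
        for dst, (_, ops) in self._blocks.items():
            for op in ops:
                if isinstance(op, tuple) or op not in self._blocks:
                    continue  # memory read or external input: no same-cycle edge
                indeg[dst] += 1
                succ[op].append(dst)
        ready = deque(sorted(n for n, d in indeg.items() if d == 0))
        order = []
        while ready:
            n = ready.popleft()
            order.append(n)
            for m in succ[n]:
                indeg[m] -= 1
                if indeg[m] == 0:
                    ready.append(m)
        if len(order) != len(self._blocks):
            raise CausalityError(sorted(set(self._blocks) - set(order)))
        self._order = order
        return order

    def step(self, inputs):
        """One cycle: sample inputs, run every block once in static order,
        then latch memories. Returns every block's output for this cycle."""
        if self._order is None:
            self.schedule()
        env = dict(inputs)
        for name in self._order:
            fn, ops = self._blocks[name]
            args = [self._memory[op[1]] if isinstance(op, tuple) else env[op]
                    for op in ops]
            env[name] = fn(*args)
        # Memories are updated only after the whole cycle has been computed:
        # a value produced in cycle n is visible through 'pre' in cycle n+1 only.
        for name in self._memory:
            if name in env:
                self._memory[name] = env[name]
        return {n: env[n] for n in self._order}


def build_filter():
    """Constructed sample: count = 1 + pre(count); avg = (x + pre(x)) / 2;
    alarm = avg > limit, where x and limit are external inputs."""
    net = SyncNetwork()
    net.init_pre("count", 0)
    net.init_pre("x", 0.0)
    net.block("count", lambda c: c + 1, ("pre", "count"))
    net.block("avg", lambda cur, prev: (cur + prev) / 2, "x", ("pre", "x"))
    net.block("alarm", lambda a, lim: a > lim, "avg", "limit")
    return net


def run_filter(samples, limit):
    """Feed one sample per cycle; returns the per-cycle output dictionaries."""
    net = build_filter()
    return [net.step({"x": x, "limit": limit}) for x in samples]


def build_instantaneous_loop():
    """a = b + 1 and b = a + 1 in the same cycle: not causal, schedule() rejects it."""
    net = SyncNetwork()
    net.block("a", lambda b: b + 1, "b")
    net.block("b", lambda a: a + 1, "a")
    return net


if __name__ == "__main__":
    for cycle in run_filter([2.0, 4.0, 6.0], limit=3.0):
        print(cycle)
    try:
        build_instantaneous_loop().schedule()
    except CausalityError as e:
        print("causality error in blocks", e)
```

The order that `schedule()` fixes is exactly the sequential code a generator would emit: one function per cycle, blocks inlined in dependency order, memories copied at the end. Because that order is decided before execution and never depends on timing, the same input sequence always yields the same output sequence, which is the property the slide's "no deadlocks, race conditions, or tasking overhead" line refers to.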

SLIDE 30

Limitations

◮ SCADE produces code for individual nodes
◮ No single model for the entire (distributed) system
◮ No automatic distribution of code to
  ◮ nodes, or
  ◮ cores of a Multi-Processor System-on-Chip (MPSoC)
◮ Inefficient implementation if multiple periods are required
◮ Extending SCADE to distributed system design is highly complex:
  ◮ distributed execution has to follow a partially ordered set of tasks
  ◮ communication activities have to be integrated
  ◮ end-to-end deadlines have to be met

SLIDE 31

GIOTTO [Henzinger et al., 2003]

Enables modeling of distributed embedded real-time systems realizing control applications.

◮ Separation of control design (plant model, control-law derivation) and platform design (hardware mapping, programming, ...)
◮ Deploy the system model on distributed nodes
◮ Enable temporal specifications

Uses a less abstract model in order to enable compilation on distributed, resource-constrained platforms.

SLIDE 32

Task Execution

[Figure only]

SLIDE 33

Logical Execution Time

[Figure: one task invocation between its release and terminate events. Logically the task executes for the whole Logical Execution Time (LET); physically it is started, suspended, resumed and stopped at arbitrary points within the LET, so its running phases cover only part of the interval.]

ET ≤ WCET ≤ LET

◮ Logical temporal behavior separated from physical execution
◮ Inputs read at release, calculated outputs available at terminate events
◮ In between: old values retained ⇒ observable delay!
◮ But: well-defined (temporal) behavior, no race conditions

SLIDE 34

Two Tasks

[Figure only]

SLIDE 35

Two Tasks Execution

[Figure only]

SLIDE 36

Unit Delay

[Figure: Task 1 and Task 2 with the same LET, invocations 1, 2, 3 released at t0, t1, t2 and terminating at t1, t2, t3. An invocation of Task 2 reads the output Task 1 published at the previous terminate event, i.e., with a delay of one period (a unit delay).]

SLIDE 37

Unit Delay, Limitations

Output is always delayed!

[Figure: as on the previous slide, plus a Task 3 with a shorter LET (invocations 1 to 5 over the same t0 to t3 interval), whose release and terminate events are misaligned with those of Tasks 1 and 2.]

'Remedy' (output delay): allow for a fast step (cf. Mealy vs. Moore FSMs, combinational logic in digital design); see http://www.chrona.com/en/technology/logical-execution-time/

Remedy (misalignment): use multiples of periods (put related tasks in a single mode) and/or phase-shift alignment (see later, TTA realizations).
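The LET semantics of slides 33 to 37, as an added simulation that is neither Giotto's compiler or runtime nor code from the original slides: two periodic tasks share one simulated processor, inputs are read at release and outputs are published at terminate, and the trace of published values is identical for different physical execution times as long as ET ≤ LET, which is the determinism and freedom from races the slides claim. The same run shows the unit delay between a producer and a consumer with equal periods, and an invocation whose ET exceeds its LET is reported as an overrun rather than silently publishing a half-finished result. Task names, periods, the sensor ramp and the single-CPU fixed-priority scheduler are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class LetTask:
    """Periodic task whose LET is one period (release at k*period,
    terminate at (k+1)*period). fn receives the ports it reads, by name."""
    name: str
    period: int
    reads: Tuple[str, ...]
    writes: str
    fn: Callable[..., object]
    et: int   # physical execution time of every invocation, in ticks


def simulate(tasks: List[LetTask], ports: Dict[str, object], horizon: int,
             sensor: Callable[[int], Dict[str, object]]):
    """Discrete-time simulation, one tick of CPU per time step.
    Returns (trace, overruns): trace = [(time, port, value)] for every output
    publication; overruns = [(time, task)] for invocations still running at
    their terminate event (ET > LET)."""
    ports = dict(ports)
    active: Dict[str, dict] = {t.name: None for t in tasks}
    trace, overruns = [], []
    for now in range(horizon + 1):
        ports.update(sensor(now))            # constructed external inputs
        # 1. terminate events: publish results computed from release-time inputs
        for t in tasks:
            if now % t.period == 0 and active[t.name] is not None:
                inv = active[t.name]
                if inv["remaining"] > 0:
                    overruns.append((now, t.name))   # physical ET exceeded LET
                else:
                    ports[t.writes] = inv["result"]
                    trace.append((now, t.writes, inv["result"]))
                active[t.name] = None
        # 2. release events: snapshot inputs now; the invocation never sees a
        #    later input, and nobody sees its output before its terminate event
        for t in tasks:
            if now % t.period == 0 and now < horizon:
                active[t.name] = {"inputs": {p: ports[p] for p in t.reads},
                                  "remaining": t.et, "result": None}
        # 3. physical execution: one CPU, fixed priority (shortest period first),
        #    preemptive; when and how long a task runs is invisible in the trace
        for t in sorted(tasks, key=lambda t: (t.period, t.name)):
            inv = active[t.name]
            if inv is not None and inv["remaining"] > 0:
                inv["remaining"] -= 1
                if inv["remaining"] == 0:
                    inv["result"] = t.fn(**inv["inputs"])
                break
    return trace, overruns


def run_demo(et_filter: int, et_ctrl: int):
    """Producer 'filter' (y = 2x) feeding consumer 'ctrl' (u = y + 1), same LET."""
    tasks = [
        LetTask("filter", 4, ("x",), "y", lambda x: 2 * x, et_filter),
        LetTask("ctrl", 4, ("y",), "u", lambda y: y + 1, et_ctrl),
    ]
    # constructed sensor: x ramps with time; y and u start at 0
    return simulate(tasks, {"y": 0, "u": 0}, horizon=12, sensor=lambda t: {"x": t})


if __name__ == "__main__":
    fast, _ = run_demo(et_filter=1, et_ctrl=2)
    slow, _ = run_demo(et_filter=3, et_ctrl=1)
    print("trace identical for different ETs:", fast == slow)
    for event in fast:
        print(event)      # u lags y by one period: the unit delay
    print("overruns:", run_demo(et_filter=5, et_ctrl=1)[1])
```

In the trace, `u` published at time 8 is still computed from the `y` published at time 4, even though `filter` finished its second invocation long before `ctrl` read anything: that one-period lag is the unit delay of slides 36 and 37, and it is the price paid for the trace not depending on which task happened to run first. The overrun check is the run-time counterpart of verifying `ET ≤ WCET ≤ LET` offline; if WCET analysis is wrong, this is where it shows.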

SLIDE 38

Google Spanner

SLIDE 39

Google Spanner [Corbett et al., 2013]

◮ Distributed multiversion database (general-purpose transactions (ACID), SQL, ...)
◮ Storage for Google's ad data
◮ Global-scale consistency of distributed transactions
  ◮ Non-blocking reads in the past
  ◮ Lock-free read-only transactions
  ◮ Atomic schema changes
◮ Integration of concurrency control, replication, and 2PC
◮ Automatic data resharding across machines and datacenters
  ◮ to balance load, and
  ◮ to react to faults
◮ Clients automatically fail over to available replicas
◮ Enabling technology: TrueTime, interval-based global time

SLIDE 40

TrueTime

◮ Global wall-clock time with bounded uncertainty
◮ API
  ◮ TT.now() returns a TTInterval: [earliest, latest]
  ◮ TT.after(t): true if t has definitely passed
  ◮ TT.before(t): true if t has definitely not arrived
◮ TrueTime guarantees for an invocation tt = TT.now() that tt.earliest ≤ now ≤ tt.latest
◮ Implementation
  ◮ Multiple (uncorrelated), self-checking [Marzullo and Owicki, 1983], fail-silent time sources (GPS, atomic clocks) used by time masters
  ◮ Each client polls/synchronizes with multiple time masters
  ◮ Between synchronizations: slowly increasing time uncertainty ǫ. Depends on:
    ◮ worst-case local clock drift
    ◮ time-master uncertainty
    ◮ communication jitter to the time masters

SLIDE 41

Timestamp assignment: TrueTime [Corbett et al., 2013]

Write transaction:

1. Acquire locks
2. Execute reads
3. Pick commit timestamp T = TT.now().latest
4. Replicate writes
5. Wait until TT.now().earliest > T
6. Ack transaction commit
7. Apply writes
8. Release locks
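The TrueTime API of slide 40 and steps 3 to 6 of the write transaction above, as an added simulation that is not Spanner's implementation and not from the original slides: each node's local clock is the true time plus a skew bounded by ǫ, so now() returns an interval that always brackets the true time; a transaction picks T = now().latest, replicates, and then blocks until after(T) holds before acknowledging. Running two transactions on two nodes with opposite skews shows why step 5 exists: without the commit wait, a transaction that starts after the first one's acknowledgement can receive a smaller timestamp; with it, it cannot. The World object, the skews, the replication delay and the wait granularity are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TTInterval:
    earliest: float
    latest: float


class World:
    """Constructed absolute time, visible only to the simulator, never to nodes."""

    def __init__(self):
        self.t = 0.0

    def advance(self, dt):
        self.t += dt


class TrueTimeClock:
    """TrueTime as seen by one node: local clock = true time + skew, |skew| <= eps,
    hence now().earliest <= true time <= now().latest always holds."""

    def __init__(self, world, eps, skew):
        # A time source off by more than eps would void every guarantee below;
        # the real system relies on multiple self-checking sources to keep it true.
        assert abs(skew) <= eps, "skew beyond eps"
        self.world, self.eps, self.skew = world, eps, skew

    def now(self):
        local = self.world.t + self.skew
        return TTInterval(local - self.eps, local + self.eps)

    def after(self, t):    # t has definitely passed
        return self.now().earliest > t

    def before(self, t):   # t has definitely not arrived
        return self.now().latest < t

    def brackets_truth(self):
        i = self.now()
        return i.earliest <= self.world.t <= i.latest


def commit(clock, world, replication_delay, commit_wait=True, tick=0.25):
    """Steps 3 to 6 of the write transaction on the slide.
    Returns (commit timestamp T, true time at which the commit is acknowledged)."""
    T = clock.now().latest               # 3. pick commit timestamp
    world.advance(replication_delay)     # 4. replicate writes (time passes)
    if commit_wait:
        while not clock.after(T):        # 5. wait until now().earliest > T
            world.advance(tick)
    return T, world.t                    # 6. ack transaction commit


def external_consistency(eps=5.0, gap=1.0, commit_wait=True):
    """T1 commits on a node whose clock runs ahead; T2 starts on a node whose
    clock runs behind, strictly after T1's ack in absolute time.
    Returns (T1, T2, T2 > T1); the last value must be True for timestamps
    to reflect the real-time order of the two transactions."""
    world = World()
    ahead = TrueTimeClock(world, eps, skew=+eps)
    behind = TrueTimeClock(world, eps, skew=-eps)
    t1, _ack1 = commit(ahead, world, replication_delay=0.5, commit_wait=commit_wait)
    world.advance(gap)                   # T2 begins after T1 was acknowledged
    t2, _ack2 = commit(behind, world, replication_delay=0.5, commit_wait=commit_wait)
    return t1, t2, t2 > t1


if __name__ == "__main__":
    print("with commit wait:   ", external_consistency(commit_wait=True))
    print("without commit wait:", external_consistency(commit_wait=False))
```

The argument the code exercises is short: after the wait, earliest > T on the committing node, and earliest ≤ true time, so T lies in the past in absolute time when the ack is sent; any transaction starting later picks latest ≥ its own true start time > T. Every step of that argument leans on the interval really containing the true time, which is why the slide stresses uncorrelated, self-checking, fail-silent time sources: an ǫ that is too optimistic, or a source that is wrong by more than ǫ, breaks the ordering silently, with no error visible at the API.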

SLIDE 42

Part IV

Conclusion

SLIDE 43

Conclusion

◮ The engineering method fundamentally differs from the scientific method.
◮ The key to the model-based design process is the meta-model.
◮ The meta-model for executable specifications defines an abstract machine.
◮ The choice of meta-model has a crucial impact on:
  ◮ the complexity of the resulting design,
  ◮ the certifiability of the product, and
  ◮ the efficiency of the implementation.

SLIDE 44

Part V

End – Thank You!

SLIDE 45

References

[Camus and Dion, 2003] Camus, J.-L. and Dion, B. (2003). Efficient development of airborne software with SCADE Suite. Esterel Technologies, 62.

[Corbett et al., 2013] Corbett, J. C., Dean, J., Epstein, M., Fikes, A., Frost, C., Furman, J., Ghemawat, S., Gubarev, A., Heiser, C., Hochschild, P., et al. (2013). Spanner: Google's globally distributed database. ACM Transactions on Computer Systems (TOCS), 31(3):8.

[Henzinger et al., 2003] Henzinger, T. A., Horowitz, B., and Kirsch, C. M. (2003). Giotto: A time-triggered language for embedded programming. Proceedings of the IEEE, 91(1):84–99.

[Marzullo and Owicki, 1983] Marzullo, K. and Owicki, S. (1983). Maintaining the time in a distributed system. In Proceedings of the Second Annual ACM Symposium on Principles of Distributed Computing, pages 295–305. ACM.

[SIMTOOLS, 2014] SIMTOOLS (2014). SIMTOOLS, tools for distributed embedded systems. Available at: www.simtools.at/doc/SIMTOOLS_Folder.pdf, accessed in October 2014.