Process Network Models for Embedded System Design based on the Real-Time BIP Execution Engine*

Transcription

1 1 st International Workshop on Methods and Tools for Rigorous System Design () 15 th of April 2018 Thessaloniki Greece Process Network Models for Embedded System Design based on the Real-Time BIP Execution Engine* Fotios Gioulekas 1, Peter Poplavko 2, Panagiotis Katsaros 1,3, Pedro Palomo 4 1 Aristotle University of Thessaloniki 2 Mentor, A Siemens Business 3 Information Technologies Institute, CERTH 4 Deimos-Space S.L.U. *Research supported by the ESA project ( ) Schedulability Analysis Techniques and Tools for Cached and Multicore Processors (MoSaTT-CMP), contract No /14/NL/MH

2 Outline Model-Based Design (MBD) for real-time embedded systems Rigorous Design-Flow of real-time embedded systems based on Fixed Priority Process Networks (FPPNs) Design of FPPNs using ESA s TASTE toolset Model Transformation (TASTE2BIP) Schedulability analysis Case-Study: Guidance Navigation & Control Application executed with BIP RTE on 4-Core LEON4FT NGMP platform Future work & Discussion 1

3 MBD for Real-Time Embedded Systems - I Model-Based Design flow systematically involves domain-specific models (DSMs) Application behavior HW/SW partitioning Mapping onto an architecture Analysis of system s nonfunctional properties (e.g. task execution times, memory footprint, schedulability) is based on DSMs throughout the design process e.g. by model checking, simulation, analytical methods Enables early verification and performance estimation Analysis of nonfunctional properties (task execution times, memory footprint, schedulability) Model Checking, Simulation, Analytical methods MODEL Specification Design Integration & Verification 2

4 MBD for Real-Time Embedded Systems - II Architecture-centric approach Via model transformations the system s non-functional properties are analyzed and described with appropriate tools (e.g. AADL language) Schedulability is based on assumptions for the temporal and concurrency properties of computations, comm. and synch. (e.g. priority based preemption) Synchronous languages (e.g. Esterel, Lustre) Suitable for formal design, verification & code generation of reactive systems (e.g. flight control) Program reacts in a sequence of logical clock ticks and computations within a tick are instantaneous (reaction to stimuli within strict time bounds) o J. Hugues, B. Zalila, L. Pautet & F. Kordon (2008): From the Prototype to the Final Embedded System Using the Ocarina AADL Tool Suite. ACM Trans. Embed. Comput. Syst. 7(4), pp. 42:1 42:25,doi: / o G. Brau, J. Hugues & N. Navet (2018): Towards the systematic analysis of non-functional properties in Model-Based Engineering for real-time embedded systems. Science of Computer Programming 156, pp. 1 20, doi: o N. Halbwachs (2010): Synchronous Programming of Reactive Systems. Springer-Verlag, Berlin, Heidelberg. o K. Schneider, J. Brandt & E. Vecchie (2006): Efficient code generation from synchronous programs. In: Fourth ACM and IEEE International Conference on Formal Methods and Models for Co-Design, MEMOCODE 06. Proceedings., pp , doi: /memcod

5 MBD for Real-Time Embedded Systems - III Synchronous languages (e.g. Esterel, Lustre) lack appropriate concepts for task parallelism and timing-predictable scheduling on multiprocessors Ptolemy II and PeaCE support design based on Models of Computation (MoCs) and subsequent code-generation, however schedulability aspects are often ignored Rigorous model-based design flow aims at a system implementation derived from high-level models by applying a sequence of semantics-preserving transformations Proposed Rigorous MBD: Usage of a new MoC called FPPN which is appropriate for timing-aware modeling at the early design steps Task Schedulability on multi-cores Streaming Signal Processing Reactive Control Processing Real Time Tasks FPPN o P. Poplavko, D. Socci, P. Bourgos, S. Bensalem & M. Bozga (2015): Models for deterministic execution of real-time multiprocessor applications. In: 2015 Design, Automation Test in Europe Conference Exhibition (DATE), pp

6 Fixed Priority Process Networks (FPPNs) - I Dataflow order FPPNs combine streaming and reactive control processing defined by two directed graphs (Possibly cyclic) graph (P, C), whose nodes P are processes and edges C are channels for pairs of communicating processes that define a dataflow direction, i.e. from the writer to the reader Graph (P, FP) is the functional priority directed acyclic graph (DAG) with edges defining a functional priority relation between processes ensuring its functional determinism => precedence constraint on task execution 5

7 Fixed Priority Process Networks (FPPNs) - II X sporadic process generates values, the Square process calculates the square of the received value and the Y periodic process serves as a sink for the squared value Periodic process is annotated by its period Sporadic process is annotated by its minimal inter-arrival time Two types of non-blocking inter-process channels FIFO (mailbox) has a semantics of a queue Blackboard (shared variable) remembers the last written value that can be read multiple times The arc depicted above the channels indicates the functional priority relation FP (higher to lower) 6

8 Rigorous Design-Flow of realtime embedded systems based on FPPNs - I Our method: TASTE to BIP design flow Capture FPPN in architectural design framework (TASTE) and perform model transformation into expressive formal language BIP and use it for refinement towards final implementation Input: (i) application requirements (FPPN model), (ii) platform requirements Output: implementation on the target platform using BIP run-time environment o o o o P. Poplavko, D. Socci, P. Bourgos, S. Bensalem & M. Bozga (2015): Models for deterministic execution of real-time multiprocessor applications. In: 2015 Design, Automation Test in Europe Conference Exhibition (DATE), pp P. Poplavko, R. Kahil, D. Socci, S. Bensalem & M. Bozga (2016): Mixed-Critical Systems Design with Coarse-Grained Multi-core Interference. In: Leveraging Applications of Formal Methods, Verification and Validation: Foundational Techniques - 7th International Symposium, ISoLA 2016, Imperial, Corfu, Greece, October 10-14, 2016, Proceedings, Part I, pp F. Gioulekas, P. Poplavko, P. Katsaros, S. Bensalem & P. Palomo (2018): A Process Network Model for Reactive Streaming Software with Deterministic Task Parallelism. In: Fundamental Approaches to Software Engineering (FASE). P. Poplavko, A. Nouri, L. Angelis, A. Zerzelidis, S. Bensalem & P. Katsaros (2017): Regression- Based Statistical Bounds on Software Execution Time. In: Verification and Evaluation of Computer and Communication Systems - 11 th International Conference, VECoS 2017, Montreal, QC, Canada, August 24-25, 2017, Proceedings, pp

9 Rigorous Design-Flow of realtime embedded systems based on FPPNs - II 1 Step 1 Architectural design The functional code (software behavior) is implemented and the requirements are mapped to an architectural model (i.e., TASTE I-V): Application is decomposed into FPPN processes Establish the dependencies between processes in the form of functional priorities and data channels Step 2 Model transformation Step 3 Functional simulation of RT-BIP model Step 4 Worst Case Execution Time (WCET) Estimation Step 5 Schedulability analysis & timing simulation Step 6 Code generation for the BIP RTE Step 7 Performance analysis on the target platform 8

10 Rigorous Design-Flow of realtime embedded systems based on FPPNs - II Step 1 Architectural design Step 2 Model transformation FPPN model transformation into BIP according to the FPPN execution semantics in [1, 2] If WCETs are known, the task graph is also generated [if (Task Graph exists) goto Step 5] Step 3 Functional simulation of RT-BIP model Step 4 Worst Case Execution Time (WCET) Estimation Step 5 Schedulability analysis & timing simulation Step 6 Code generation for the BIP RTE Step 7 Performance analysis on the target platform 2 1. F. Gioulekas, P. Poplavko, P. Katsaros, S. Bensalem & P. Palomo (2018): A Process Network Model for Reactive Streaming Software with Deterministic Task Parallelism. In: Fundamental Approaches to Software Engineering (FASE). 2. P. Poplavko, R. Kahil, D. Socci, S. Bensalem & M. Bozga (2016): Mixed-Critical Systems Design with Coarse-Grained Multi-core Interference. In: Leveraging Applications of Formal Methods, Verification and Validation: Foundational Techniques - 7th International Symposium, ISoLA 2016, Imperial, Corfu, Greece, October 10-14, 2016, Proceedings, Part I, pp

11 TASTE 2 BIP model transformation principle Set of functional blocks communicating via SW interfaces TASTE-IV architectural model BIP model Network of communicating timed automata Process automaton 10

12 Design of Fixed Priority Process Networks (FPPNs) using ESA s TASTE toolset - I 11

13 Design of Fixed Priority Process Networks (FPPNs) using ESA s TASTE toolset - II FPPNClass attribute: the type of FPPN entities (e.g. blackboard, periodic process) The Fpriority attribute is an integer, which dictates the priority index of the process (priority order in the network) 12

14 Design of Fixed Priority Process Networks (FPPNs) using ESA s TASTE toolset - III The FPPNClass attributes mailbox and blackboard are used for datachannels Each channel declares two provided interfaces for read and write, while the processes that access the channel have respective required interfaces. DataChannelSize represents the minimum size of the data type (in bytes) communicated via the channel DataChannelLength is defined in mailbox channel determining the length of the FIFO 13

15 Rigorous Design-Flow of realtime embedded systems based on FPPNs - II Step 1 Architectural design Step 2 Model transformation Step 3 Functional simulation of RT-BIP model Generated BIP model is functionally tested on a workstation Step 4 Worst Case Execution Time (WCET) Estimation Step 5 Schedulability analysis & timing simulation Step 6 Code generation for the BIP RTE Step 7 Performance analysis on the target platform 3 14

16 Rigorous Design-Flow of realtime embedded systems based on FPPNs - II Step 1 Architectural design Step 2 Model transformation Step 3 Functional simulation of RT-BIP model Step 4 Worst Case Execution Time (WCET) Estimation The probabilistic measurement-based timing analysis in [1] is used to guarantee safe probabilistic bounds Step 5 Schedulability analysis & timing simulation Step 6 Code generation for the BIP RTE Step 7 Performance analysis on the target platform 4 1. P. Poplavko, A. Nouri, L. Angelis, A. Zerzelidis, S. Bensalem & P. Katsaros (2017): Regression-Based Statistical Bounds on Software Execution Time. In: Verification and Evaluation of Computer and Communication Systems - 11 th International Conference, VECoS 2017, Montreal, QC, Canada, August 24-25, 2017, Proceedings, pp

17 Rigorous Design-Flow of realtime embedded systems based on FPPNs - II Step 1 Architectural design Step 2 Model transformation Step 3 Functional simulation of RT-BIP model Step 4 Worst Case Execution Time (WCET) Estimation Step 5 Schedulability analysis & timing simulation The task graph is generated and given as input to a static scheduler The schedule obtained from the scheduler is translated into input for the online-scheduler model in BIP, which implements resource management (by enforcing task ordering and other constraints) [if (! schedulable) iterate Steps 1 to 4] Step 6 Code generation for the BIP RTE Step 7 Performance analysis on the target platform 5 16

18 Output buffer2 Input buffer Output buffer1 Schedulability analysis and code generation for the BIP-RTE - I The split task appends two small data items to the two output channels Tasks A and B read the data All tasks have the same periodic scheduling window, with period and deadline being 25ms split 25ms A 25ms B 25ms 1. P. Poplavko, R. Kahil, D. Socci, S. Bensalem & M. Bozga (2016): Mixed-Critical Systems Design with Coarse-Grained Multi-core Interference. In: Leveraging Applications of Formal Methods, Verification and Validation: Foundational Techniques - 7th International Symposium, ISoLA 2016, Imperial, Corfu, Greece, October 10-14, 2016, Proceedings, Part I, pp

19 Schedulability analysis and code generation for the BIP-RTE - II fire XIF_Write2 split XIF_Write2 Xmailbox2 XIF_Read2 processa XIF_Read2 fire In the derived task graph, every task is represented by a job The arrival times Ai and deadlines Di for all jobs are the same fire XIF_Write XIF_Write Xmailbox XIF_Read processb XIF_Read Interface -View TASTE TOOLSET TASTE2BIP Generator Task Graph J i : A i = 0, D i = 25 ms, = 1 ms J 2 split [1] (1) ms J 1 A [1] (12) ms J 3 B [1] (6) ms Jobs are annotated by WCETs δ is the worst-case cost of a single transition in the BIP automata components 18

20 Schedulability analysis and code generation for the BIP-RTE - III The offline scheduler takes into account the cost of BIP transitions by BIP-RTE and the execution time of jobs and generates the schedule for the online scheduler Core 0 : BIP-RTE Core 1: Task split & Task A Core 2: Task B 19

21 Rigorous Design-Flow of realtime embedded systems based on FPPNs - II Step 1 Architectural design Step 2 Model transformation Step 3 Functional simulation of RT-BIP model Step 4 Worst Case Execution Time (WCET) Estimation Step 5 Schedulability analysis & timing simulation Step 6 Code generation for the BIP RTE The joint application/scheduler model is compiled by the RT BIP compiler and linked with the BIP-RTE Step 7 Performance analysis on the target platform 6 20

22 Rigorous Design-Flow of realtime embedded systems based on FPPNs - II Step 1 Architectural design Step 2 Model transformation Step 3 Functional simulation of RT-BIP model Step 4 Worst Case Execution Time (WCET) Estimation Step 5 Schedulability analysis & timing simulation Step 6 Code generation for the BIP RTE Step 7 Performance analysis on the target platform Validation by performance analysis is essential towards identifying possible excessive delays, due to resource starvation cases The executable runs on the target platform on top of the real-time operating system (RTEMS-SMP) Tools are used (e.g. gprof) that trace/monitor the software performance on the target platform [if (excessive delays found) goto Step 1] 7 21

23 Case-Study: GNC application - I Demonstrate the execution of the GNC application with BIP RTE on 4-Core LEON4FT embedded platform [1] We adapt the FPPN, Task Graph and BIP models to explore parallelism in comparison to [2] the potential for such an exploratory approach is inherent in the FPPN model and remains transparent to the application designer until the final steps of our rigorous design flow 1. GR-CPCI-LEON4-N2X: Quad-Core LEON4 Next Generation Microprocessor Evaluation Board, 2. F. Gioulekas, P. Poplavko, P. Katsaros, S. Bensalem & P. Palomo (2018): A Process Network Model for Reactive Streaming Software with Deterministic Task Parallelism. In: Fundamental Approaches to Software Engineering (FASE) 22

24 Case-Study: GNC application - II Guidance Navigation & Control (GNC) is on-board spacecraft application that controls the movement of the vehicle by processing the data of the corresponding sensors and controller Data Input Dispatcher Task: signals each time new data (Mission and Vehicle Management, Inertial Measurement Unit, Global Positioning System) is available (reads, decodes, dispatches) - pre-computed and stored in staticmemory buffers as C arrays Guidance Navigation Task: executes the guidance and navigation algorithms Control FM Task: performs the control and flight management algorithms Control Output Task: sends the outputs of the GNC to the Dynamics Kinematics and Environment module (DKE). The output data consists of the geodetic altitude, the longitude, the mach and the dynamic pressure values 23

25 Case-Study: GNC application - III TASTE-IV FPPN model Functional priorities were assigned based on the specification 24

26 GNC Task Graph computed by the TASTE2BIP generator The WCET values were estimated by profiling the application s execution under BIP RTE (In progress to use Statistical tools described in [1]) 1. P. Poplavko, A. Nouri, L. Angelis, A. Zerzelidis, S. Bensalem & P. Katsaros (2017): Regression-Based Statistical Bounds on Software Execution Time. In: Verification and Evaluation of Computer and Communication Systems - 11 th International Conference, VECoS 2017, Montreal, QC, Canada, August 24-25, 2017, Proceedings, pp

27 Real-Time Execution of the GNC App. on 4-Core LEON4FT NGMP - I Real-time execution on LEON4FT P1: Data Input Dispatcher P2: Control FM P3: Control Output P4: Guidance Navigation P20: BIP-RTE Engine P4 and P3 processes skip their first job execution 11 th job of P1 is executed in parallel with 1 st job of P4 P4 and P1 access to the buffered mailbox concurrently P4 reads the first 10 valid IMU frames stored while P1 writes the 11 th frame Execution after the 50ms Execution after the 500ms 26

28 Real- Time Execution of the GNC App. on 4-Core LEON4FT NGMP - II all activities in the current period end by time slightly less than 40ms after the period start job in P4 requires more time to be completed than non-pipelined version in [1]=> no throughput improvement (P1, P4 interference) improving the implementation of the mailbox and letting P4 ten data items in one call to the `read interface instead of issuing 10 calls as it is done now Non-pipelined version [1] 1. F. Gioulekas, P. Poplavko, P. Katsaros, S. Bensalem & P. Palomo (2018): A Process Network Model for Reactive Streaming Software with Deterministic Task Parallelism. In: Fundamental Approaches to Software Engineering (FASE) 27

29 Discussion & Future Work Rigorous Design Flow for the FPPN MoC using TASTE2BIP transformation and model refinement for schedulability Validated in real application for multi-core embedded platform Future work: Support distributed multi-core platforms Support for preemptive scheduling by BIP/BIP RTE WCET measurement tool integration Support additional languages included in TASTE e.g. ITU-T SDL and Simulink 28

30 Questions? Thank you TASTE2BIP tool download: Or Google for Time Critical Multicore Verimag