KESO Functional Safety and the Use of Java in Embedded Systems

Similar documents
A JVM for Soft-Error-Prone Embedded Systems

Cooperative Memory Management in Embedded Systems

Coping with Immutable Data in a JVM for Embedded Real-Time Systems. Christoph Erhardt, Simon Kuhnle, Isabella Stilkerich, Wolfgang Schröder-Preikschat

A JVM for Soft-Error-Prone Embedded Systems

The Use of Java in the Context of AUTOSAR 4.0

JamaicaVM Java for Embedded Realtime Systems

Compiler Construction

KESO. An Open-Source Multi-JVM for Deeply Embedded Systems

Runtime. The optimized program is ready to run What sorts of facilities are available at runtime

Field Analysis. Last time Exploit encapsulation to improve memory system performance

Managed runtimes & garbage collection. CSE 6341 Some slides by Kathryn McKinley

Managed runtimes & garbage collection

Compiler Construction

Safety and Reliability of Software-Controlled Systems Part 14: Fault mitigation

A High Integrity Distributed Deterministic Java Environment. WORDS 2002 January 7, San Diego CA

Using the Singularity Research Development Kit

Sustainable Memory Use Allocation & (Implicit) Deallocation (mostly in Java)

Agenda. CSE P 501 Compilers. Java Implementation Overview. JVM Architecture. JVM Runtime Data Areas (1) JVM Data Types. CSE P 501 Su04 T-1

Industrial Embedded Systems - Design for Harsh Environment -

Myths and Realities: The Performance Impact of Garbage Collection

SPIN Operating System

JAVA PERFORMANCE. PR SW2 S18 Dr. Prähofer DI Leopoldseder

SABLEJIT: A Retargetable Just-In-Time Compiler for a Portable Virtual Machine p. 1

LANGUAGE RUNTIME NON-VOLATILE RAM AWARE SWAPPING

The Z Garbage Collector Low Latency GC for OpenJDK

Software architecture in ASPICE and Even-André Karlsson

Eliminating Single Points of Failure in Software Based Redundancy

Automatic Memory Management

Implementation Garbage Collection

Important From Last Time

MISRA-C. Subset of the C language for critical systems

Page 1. Stuff. Last Time. Today. Safety-Critical Systems MISRA-C. Terminology. Interrupts Inline assembly Intrinsics

Operating Systems CMPSCI 377 Spring Mark Corner University of Massachusetts Amherst

What functional safety module designers need from IC developers

Run-Time Environments/Garbage Collection

One-Slide Summary. Lecture Outine. Automatic Memory Management #1. Why Automatic Memory Management? Garbage Collection.

CSE P 501 Compilers. Java Implementation JVMs, JITs &c Hal Perkins Winter /11/ Hal Perkins & UW CSE V-1

New ARMv8-R technology for real-time control in safetyrelated

AUTOBEST: A microkernel-based system (not only) for automotive applications. Marc Bommert, Alexander Züpke, Robert Kaiser.

Functional Safety on Multicore Microcontrollers for Industrial Applications

AUTOBEST: A United AUTOSAR-OS And ARINC 653 Kernel. Alexander Züpke, Marc Bommert, Daniel Lohmann

Running class Timing on Java HotSpot VM, 1

Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309

Chapter 8. Virtual Memory

Acknowledgements These slides are based on Kathryn McKinley s slides on garbage collection as well as E Christopher Lewis s slides

6.828: OS/Language Co-design. Adam Belay

A program execution is memory safe so long as memory access errors never occur:

CMSC 330: Organization of Programming Languages

Fiji VM Safety Critical Java

StackVsHeap SPL/2010 SPL/20

Model Based Development of Embedded Control Software

Programmer Directed GC for C++ Michael Spertus N2286= April 16, 2007

DEPENDABLE PROCESSOR DESIGN

CMSC 330: Organization of Programming Languages

CS527 Software Security

Riccardo Mariani, Intel Fellow, IOTG SEG, Chief Functional Safety Technologist

Compiler construction 2009

Pause-Less GC for Improving Java Responsiveness. Charlie Gracie IBM Senior Software charliegracie

TDDD07 Real-time Systems Lecture 10: Wrapping up & Real-time operating systems

Software Speculative Multithreading for Java

CS 330 Lecture 18. Symbol table. C scope rules. Declarations. Chapter 5 Louden Outline

The Perfect Getaway: Using Escape Analysis in Embedded Real-Time Systems

Real Time: Understanding the Trade-offs Between Determinism and Throughput

Name, Scope, and Binding. Outline [1]

Types II. Hwansoo Han

Safety Critical Java. Language Standards and Analysis Techniques for Java in Safety Critical applications. aicas GmbH

Structure of Programming Languages Lecture 10

The Z Garbage Collector An Introduction

Introduction to Visual Basic and Visual C++ Introduction to Java. JDK Editions. Overview. Lesson 13. Overview

CMSC 330: Organization of Programming Languages. Memory Management and Garbage Collection

Last class: OS and Architecture. OS and Computer Architecture

A Trace-based Java JIT Compiler Retrofitted from a Method-based Compiler

Last class: OS and Architecture. Chapter 3: Operating-System Structures. OS and Computer Architecture. Common System Components

JOP: A Java Optimized Processor for Embedded Real-Time Systems. Martin Schoeberl

FILE SYSTEMS, PART 2. CS124 Operating Systems Fall , Lecture 24

The Slide does not contain all the information and cannot be treated as a study material for Operating System. Please refer the text book for exams.

Exploiting the Behavior of Generational Garbage Collector

Static Analysis of Embedded C

Habanero Extreme Scale Software Research Project

Memory Allocation. Static Allocation. Dynamic Allocation. Dynamic Storage Allocation. CS 414: Operating Systems Spring 2008

Simple Garbage Collection and Fast Allocation Andrew W. Appel

Memory Management: The Details

Lecture 9 Dynamic Compilation

A new Mono GC. Paolo Molaro October 25, 2006

Towards a Resilient Operating System for Wireless Sensor Networks

Shreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S

<Insert Picture Here> Symmetric multilanguage VM architecture: Running Java and JavaScript in Shared Environment on a Mobile Phone

Inside Out: A Modern Virtual Machine Revealed

ID 025C: An Introduction to the OSEK Operating System

CPSC 3740 Programming Languages University of Lethbridge. Data Types

CS 345. Garbage Collection. Vitaly Shmatikov. slide 1

IDE for medical device software development. Hyun-Do Lee, Field Application Engineer

CS558 Programming Languages

ACM Trivia Bowl. Thursday April 3 rd (two days from now) 7pm OLS 001 Snacks and drinks provided All are welcome! I will be there.

Hazard Pointers. Number of threads unbounded time to check hazard pointers also unbounded! difficult dynamic bookkeeping! thread B - hp1 - hp2

the gamedesigninitiative at cornell university Lecture 9 Memory Management

Compiler construction 2009

Issues in Programming Language Design for Embedded RT Systems

High-Level Language VMs

Performance of Non-Moving Garbage Collectors. Hans-J. Boehm HP Labs

Transcription:

KESO Functional Safety and the Use of Java in Embedded Systems Isabella S1lkerich, Bernhard Sechser Embedded Systems Engineering Kongress 05.12.2012 Lehrstuhl für Informa1k 4 Verteilte Systeme und Betriebssysteme 1

2 Functional Safety Ariane 5 (July 4th, 1996)" Detonation shortly after takeoff because of an error in the control software" Root cause: Insufficient tests of a reused proven in use software component"

3 Existing Standards IEC 61508! Functional safety of electrical / electronic /" programmable electronic safety-related systems" EN 62061! ISO 13849" Manufactoring" IEC 61513! IEC 60880! Nuclear" IEC 62304! Medical" EN 50271! EN 50402! Gas Measuring" DO 178B! Aviation" ISO 26262! Automotive" IEC 61511! Automation" EN 50126! EN 50128! EN 50129! Rail"

4 ISO 26262

5 Hazard Analysis and Risk Assessment Goal: Risk reduction to an acceptable level

6 System Design (Iso 26262: 4-7) Systematic Failures" are already in the system at commissioning time" manifest themselves under certain circumstances" can affect the safety of a system directly" may have an impact on all relevant components (hardware, software, etc.)" Random Failures" Are not a priori in the system" Arise only after a non-quantified, random or apparently random time" random errors appear usually only in the operation of the hardware" Goal: A dependable runtime system for the application of softwarebased fault tolerance (FT) measures!

7 Goals Automatic application of FT measures Ensurance of runtime system dependability

8 Functional Safety e.g. IEC 61508, domain-specific standards System consists of hardware (HW) and software (SW) A system can have systematic and random faults Systematic errors have to be avoid or mitigated (HW and SW) Random errors can only be mitigated (HW only) by means HW measures (ECC etc) or SW measures Objective: A dependable runtime system for the application of fault tolerance (FT) measures

9 Motivation

9 Motivation Transient hardware faults become more likely soft error rate in logic has increased by 9 orders of magnitude soft error rate in SRAM is constantly high soft errors cannot be ignored anymore

9 Motivation Transient hardware faults become more likely soft error rate in logic has increased by 9 orders of magnitude soft error rate in SRAM is constantly high soft errors cannot be ignored anymore Hardware-based fault tolerance (FT) techniques expensive: size, weight and power

9 Motivation Transient hardware faults become more likely soft error rate in logic has increased by 9 orders of magnitude soft error rate in SRAM is constantly high soft errors cannot be ignored anymore Hardware-based fault tolerance (FT) techniques expensive: size, weight and power Software-based fault tolerance (FT) techniques

10 KESO - Isabella S1lkerich - Bernhard Sechser 05.12.2012 Automatic Application of FT Measures differ in protection and costs Measures are inherently application-specific SW Fault Tolerance Variant A Variant B Configuration Checksums Redundancy Control Flow Monitoring FT Data Structures... Function Library Seat Control Light System Wiper System Distributed System A Distributed System B... ABS Code Code

11 Automatic application of FT Safety requirements source code System description Compiler-based approach Separation of functional code and FT Configurability of FT FT measure tailored towards the application Automatic application of FT possible by means of Static analysis of a static system Type-safe programming language Example for a FT technique: n-modular redundancy Used framework: The KESO Multi-JVM Redundancy Plugin Control Flow Monitoring other FT mechanism compiler FT code

12 Java and Static Embedded Systems comprehensive a priori knowledge code system objects (tasks/threads, locks, events) system object relationships (e.g., which tasks access which locks) benefits of Java more robust software (cf., MISRA C) software-based spatial isolation problems of Java dynamic code loading fully-featured Java runtimes (e.g., J2ME configurations) overhead code is interpreted or JIT compiled (execution time) dynamic linking (footprint)

13 KESO JVM tailoring (instead of fixed configurations) static applications, no dynamic class loading no Java reflection ahead-of-time compilation to Ansi C, VM bundled with application scheduling/synchronization provided by underlying OS currently AUTOSAR/OSEK OS accustomed programming model remains Integration with legacy C applications is possible smallest system to date: Robertino Autonomous robot navigating around obstacles Control software running on ATmega8535 8-bit AVR, 8 KiB Flash, 512 B SRAM

14 The KESO Multi-JVM Java-to-c ahead-of-time compiler VM tailoring static configuration Domain A Control Flows TaskA1 TaskA2 ISR1 Heap Portal Static Fields Shared Memory Service Domain R1 Heap Static Fields Peripheral Device Access (KNI) OSEK API (KNI) Domain Zero GC Task OSEK / AUTOSAR OS Microcontroller

15 Memory Safety public class Average { protected int sum, count; public synchronized void addvalues( int values[] ) { for(int i=0; i < values.length; i++) { sum += values[i]; count += values.length; public synchronized int average() { return (sum / count); Memory safety ensures the validity of memory references by preventing null pointer references, references outside an array s bounds, or references to deallocated memory. Aiken et. al (Microsoft Research)

15 Memory Safety public class Average { protected int sum, count; null!= values public synchronized void addvalues( int values[] ) { for(int i=0; i < values.length; i++) { sum += values[i]; count += values.length; public synchronized int average() { return (sum / count); Memory safety ensures the validity of memory references by preventing null pointer references, references outside an array s bounds, or references to deallocated memory. Aiken et. al (Microsoft Research)

15 Memory Safety public class Average { protected int sum, count; null!= values public synchronized void addvalues( int values[] ) { null!= values for(int i=0; i < values.length; i++) { sum += values[i]; count += values.length; public synchronized int average() { return (sum / count); Memory safety ensures the validity of memory references by preventing null pointer references, references outside an array s bounds, or references to deallocated memory. Aiken et. al (Microsoft Research)

15 Memory Safety public class Average { protected int sum, count; null!= values public synchronized void addvalues( int values[] ) { null!= values for(int i=0; i < values.length; i++) { sum += values[i]; 0 <= i < values.length count += values.length; public synchronized int average() { return (sum / count); Memory safety ensures the validity of memory references by preventing null pointer references, references outside an array s bounds, or references to deallocated memory. Aiken et. al (Microsoft Research)

15 Memory Safety public class Average { protected int sum, count; null!= values public synchronized void addvalues( int values[] ) { null!= values for(int i=0; i < values.length; i++) { sum += values[i]; 0 <= i < values.length count += values.length; null!= values public synchronized int average() { return (sum / count); Memory safety ensures the validity of memory references by preventing null pointer references, references outside an array s bounds, or references to deallocated memory. Aiken et. al (Microsoft Research)

15 Memory Safety public class Average { protected int sum, count; null!= values public synchronized void addvalues( int values[] ) { null!= values for(int i=0; i < values.length; i++) { sum += values[i]; 0 <= i < values.length count += values.length; null!= values public synchronized int average() { return (sum / count); count!= 0 Memory safety ensures the validity of memory references by preventing null pointer references, references outside an array s bounds, or references to deallocated memory. Aiken et. al (Microsoft Research)

16 Type Safety Type safety ensures that the only operations applied to a value are those defined for instances of its type. Aiken et. al (Microsoft Research)

16 Type Safety public class Average { protected int sum, count; Wert einer Instanz von Average public synchronized void addvalues( int values[] ) { for(int i=0; i < values.length; i++) { sum += values[i]; count += values.length; public synchronized int average() { return (sum / count); Operationen auf dem Typ Average Type safety ensures that the only operations applied to a value are those defined for instances of its type. Aiken et. al (Microsoft Research)

17 Application measures Implementation of FT measures based on Control flow analyses Data flow analyses Rapid type analyses (e.g. allows for high-level method devirtualization) Fault tolerant data structures Efficient application oft FT measures through JVM tailoring Support for the operating system (OS) Analyse application and pass information to OS System calls, native library usage as well as hardware access Application state etc. Existing and tested operating systems can be used Approach supports safety kernel concept

18 Goals Automatic application of FT measures Ensurance of runtime system dependability

19 Runtime system dependability Type safety of programming language Valid references with correct type information Maintain spatial isolation Memory management Safe communication Portal service Shared memory Native Interface Runtime system data e.g. domain descriptor, dispatch table

20 Type-safety of the language Java s type-safety ensures correct memory access in the absence of HW faults A program can only access memory it has been given an explicit reference to The type of the reference determines in which way the memory is used Bit flips can corrupt the integrity of the type system This does not affect the current application only Moreover: SW-based memory protection (null, array checks) are invalidated The error can spread to other software modules and replicas A memory protection may help (MPU) An MPU trap could trigger the recovery of a statically computed state

21 Type-safety of the language Using an MPU Isolation violation causes a trap - ok Some faults within application structures can be found do to an FT technique - ok A fault in the runtime system not causing a trap is not detected and can falsely assume a sane operation - x Low-end microcontrollers do not have an MPU Ensurance of type safety can render many other FT techniques more efficient or possible at all (at the granularity of objects)

22 Valid References Standard solution only compare the object content (heap) Reference and type information can be corrupted References can be enriched via FT information (e.g. checksum) Checksum creation is currently implemented in SW A HW operation such as popcount on the x86 architecture is advantageous for the execution time Object alignment can arbitrarily be adapted (just needs recompilation)

23 Valid References How can memory usage for the additional FT information be optimized? Alignment can leave bits unused Static application can be placed in a certain memory location. An embedded application usually utilized only small part of the address space The microcontroller architecture determines the valid address regions Example: TC 1796, 1 MB RAM

24 Valid References Integrity check At each object access Before existing checks At method call sites Object field access Adaption of current reference Execution time punishment Alternatively: Checking and adaption at reference loads and stores

25 Fault susceptability Data transfer SRAMs and DRAMs are most susceptable to transient errors, when data is read or written to memory cells Solution: Reference check Load value into register Write data into memory Manipulation level: JVM layer chip-level soft error system-level

26 Runtime system dependability Type safety of programming language Valid references with correct type information Maintain spatial isolation Memory management Safe communication Portal service Shared memory Native Interface Runtime system data e.g. domain descriptor, dispatch table

27 Memory Management Available strategies for heap allocation RestrictedDomainScope (ImmortalMemory/ScopedMemory in RTSJ) Throughput optimized garbage collection (GC) Latency-aware GC Stack allocation Escape analysis ROM allocation Constant data (data flow analysis)

28 Heap Allocation ImmortalMemory Heap reference Real-time GC GCs Data structures Static reference array Object layout groups reference fields Henderson linked stack frames Methods Scan-and-mark phase Sweep phase

29 Stack Allocation All objects are conceptually allocated on the heap Unreachable objects are reclaimed by the garbage collector (GC) Collector ensures consistency of the object graph Escape analysis: stack allocation reduces GC overhead (e.g. no barriers needed) memory is automatically reclaimed, when method returns reduces the need for complex data structures stack pointer (in register) is the only data structure to be protected RTSJ Scoped memory (explicit use by enter() or RealtimeThread constructor)

30 ROM Allocation Transient error susceptability of EEPROM and flashes A lot of Java objects are constant Are not necessarily marked as final (assist programmer) A whole-program analysis determines (aided by available type information), which data does not change to faciliate ROM allocation (error correction supported) The runtime must be adapted (objects cannot be easily moved to read-only memory since the GC has to mark visited objects) In combination with stack allocation and ImmortalMemory: may erase the need for a GC

31 Conclusion A multi-jvm approach for safety-critical embedded systems Software-based isolation Combinable with MPU protection Legacy application support Type-safe languages and common programming errors Java can be as efficient as in C In static embedded systems Static analyses and whole-program optimizations Allows for configurable FT measures Application does not to be changed Evaluation of costs vs safety level (Fault injection experiments) Tailored runtime can efficiently be hardened against soft errors

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback