Multicore for safety-critical embedded systems: challenges andmarch opportunities 15, / 28

Similar documents
AUTOBEST: A United AUTOSAR-OS And ARINC 653 Kernel. Alexander Züpke, Marc Bommert, Daniel Lohmann

EECS 571 Principles of Real-Time Embedded Systems. Lecture Note #10: More on Scheduling and Introduction of Real-Time OS

ERIKA Enterprise Manual for the Altera Nios II target. the multicore RTOS on FPGAs

AUTOBEST: A microkernel-based system (not only) for automotive applications. Marc Bommert, Alexander Züpke, Robert Kaiser.

Stack Size Minimization for Embedded Real-Time Systems-on-a-Chip *

Concurrent programming: Introduction I

Adding Timing Analysis to Functional Design to Predict Implementation Errors

EE458 - Embedded Systems Lecture 8 Semaphores

An implementation of the flexible spin-lock model in ERIKA Enterprise on a multi-core platform

Schedulability with resource sharing. Priority inheritance protocol Priority ceiling protocol Stack resource policy

Achieving Predictable Multicore Execution of Automotive Applications Using the LET Paradigm

Commercial Real-time Operating Systems An Introduction. Swaminathan Sivasubramanian Dependable Computing & Networking Laboratory

ERIKA Enterprise LWIP Tutorial

Overall Structure of RT Systems

Measuring the impacts of the Preempt-RT patch

Tasks. Task Implementation and management

Department of Computer Science Institute for System Architecture, Operating Systems Group REAL-TIME MICHAEL ROITZSCH OVERVIEW

TDDD07 Real-time Systems Lecture 10: Wrapping up & Real-time operating systems

CS A320 Operating Systems for Engineers

Real-time Support in Operating Systems

Microkernel/OS and Real-Time Scheduling

Efficiency and memory footprint of Xilkernel for the Microblaze soft processor

LINUX AND REALTIME 1

Efficient Event-Triggered Tasks in an RTOS

Multiprocessor Systems. Chapter 8, 8.1

Predictable Interrupt Management and Scheduling in the Composite Component-based System

Chapter 5. Introduction ARM Cortex series

Final Examination. Thursday, December 3, :20PM 620 PM. NAME: Solutions to Selected Problems ID:

CS A331 Programming Language Concepts

Real Time Linux patches: history and usage

EE 457 Unit 7b. Main Memory Organization

Reference Model and Scheduling Policies for Real-Time Systems

Multiprocessor System. Multiprocessor Systems. Bus Based UMA. Types of Multiprocessors (MPs) Cache Consistency. Bus Based UMA. Chapter 8, 8.

ECE 471 Embedded Systems Lecture 2

Real-Time Systems Hermann Härtig Real-Time Operating Systems Brief Overview

OPERATING SYSTEMS. After A.S.Tanenbaum, Modern Operating Systems 3rd edition Uses content with permission from Assoc. Prof. Florin Fortis, PhD

Embedded Systems. 6. Real-Time Operating Systems

Multiprocessor Systems. COMP s1

Automotive and open-source: Current solutions and future developments

Context. Giorgio Buttazzo. Scuola Superiore Sant Anna. Embedded systems are becoming more complex every day: more functions. higher performance

Context. Hardware Performance. Increasing complexity. Software Complexity. And the Result is. Embedded systems are becoming more complex every day:

Using the MPU with an RTOS to Enhance System Safety and Security

Exam TI2720-C/TI2725-C Embedded Software

ERIKA Enterprise FIFO message passing Tutorial

A Fully Preemptive Multiprocessor Semaphore Protocol for Latency-Sensitive Real-Time Applications

Verification of Real-Time Systems Resource Sharing

Developing deterministic networking technology for railway applications using TTEthernet software-based end systems

Protected mode RTOS: what does it mean?

Green Hills Software, Inc.

Tomasz Włostowski Beams Department Controls Group Hardware and Timing Section. Developing hard real-time systems using FPGAs and soft CPU cores

Real Time Operating System design for Multiprocessor system-on-a-chip

Real-Time Cache Management for Multi-Core Virtualization

MLR INSTITUTE OF TECHNOLOGY DUNDIGAL , HYDERABAD QUESTION BANK

CS 326: Operating Systems. CPU Scheduling. Lecture 6

Analysis and Research on Improving Real-time Performance of Linux Kernel

AUTOSAR Extensions for Predictable Task Synchronization in Multi- Core ECUs

Introduction to Embedded Systems

Migrating to Cortex-M3 Microcontrollers: an RTOS Perspective

(b) External fragmentation can happen in a virtual memory paging system.

Isolation of Cores. Reduce costs of mixed-critical systems by using a divide-and-conquer startegy on core level

Embedded Systems. 5. Operating Systems. Lothar Thiele. Computer Engineering and Networks Laboratory

CS A320 Operating Systems for Engineers

Zilog Real-Time Kernel

A TimeSys Perspective on the Linux Preemptible Kernel Version 1.0. White Paper

Embedded Systems Dr. Santanu Chaudhury Department of Electrical Engineering Indian Institute of Technology, Delhi

Kernel Synchronization I. Changwoo Min

The components in the middle are core and the components on the outside are optional.

Real Time Operating Systems and Middleware

Operating Systems, Fall

Real-Time Scalability of Nested Spin Locks. Hiroaki Takada and Ken Sakamura. Faculty of Science, University of Tokyo

EC H2020 dredbox: Seminar School at INSA Rennes

Real-Time Systems. Real-Time Operating Systems

Implementation of automotive CAN module requirements

Operating Systems Introduction

Exam Review TexPoint fonts used in EMF.

A Synchronous IPC Protocol for Predictable Access to Shared Resources in Mixed-Criticality Systems

Overview. Sporadic tasks. Recall. Aperiodic tasks. Real-time Systems D0003E 2/26/2009. Loosening D = T. Aperiodic tasks. Response-time analysis

Components & Characteristics of an Embedded System Embedded Operating System Application Areas of Embedded d Systems. Embedded System Components

CS 571 Operating Systems. Midterm Review. Angelos Stavrou, George Mason University

In examining performance Interested in several things Exact times if computable Bounded times if exact not computable Can be measured

EMERALDS: a small-memory real-time microkernel

New ARMv8-R technology for real-time control in safetyrelated

Concurrent Programming Synchronisation. CISTER Summer Internship 2017

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING UNIT I

Embedded Systems. 7. System Components

A Predictable RTOS. Mantis Cheng Department of Computer Science University of Victoria

Deterministic Futexes Revisited

SNS COLLEGE OF ENGINEERING

Growth outside Cell Phone Applications

Q1. What is Deadlock? Explain essential conditions for deadlock to occur?

Flexible Design of ARM- CAN MCUs with Powered Gate Technology

Real-Time Component Software. slide credits: H. Kopetz, P. Puschner

Overview The Microcontroller The Flex Board Expansion boards Multibus board Demo board How to: Compile demo Flash & Run Demos

Modern Embedded Systems Programming: Beyond the RTOS

Final Exam Preparation Questions

ZiLOG Real-Time Kernel Version 1.2.0

KERNEL IMPLEMENTATION OF MONITORS FOR ERIKA

Embedded Systems. Octav Chipara. Thursday, September 13, 12

REAL TIME OPERATING SYSTEM PROGRAMMING-I: VxWorks

The RETIS Group. RETIS Lab Real-Time Systems Laboratory. A brief introduction 11/23/2012. Currently, the RETIS Lab comprises 30 people, including:

Transcription:

Multicore for safety-critical embedded systems: challenges and opportunities Giuseppe Lipari CRItAL - Émeraude March 15, 2016 Multicore for safety-critical embedded systems: challenges andmarch opportunities 15, 2016 1 / 28

Outline 1 An history of multicore in automotive 2 Multicore scheduling 3 Current platforms Multicore for safety-critical embedded systems: challenges andmarch opportunities 15, 2016 2 / 28

Outline 1 An history of multicore in automotive 2 Multicore scheduling 3 Current platforms Multicore for safety-critical embedded systems: challenges andmarch opportunities 15, 2016 3 / 28

Why multicore systems? In the past: one functionality æ one board (ECU) lot of network cables high end car æ tens of ECUs Need to integrate functions into single boards (ECUs) Reduces cabling Reduces total cost Example: Power train and gear-shift in one single board Increased chances of fast coordination Multicore for safety-critical embedded systems: challenges andmarch opportunities 15, 2016 4 / 28

Challenges From single core to multi-core, what exactly is going to change? do we need a new programming model? can we re-use existing code? how can we perform (real-time) analysis? We will come back to these questions after a historical perspective Multicore for safety-critical embedded systems: challenges andmarch opportunities 15, 2016 5 / 28

Historical perspective A typical processor architecture for automotive applications in 1998/2000: ample oc 68HC11 micro 12Kb ROM 512 bytes RAM in approximately the same space No cache, no MMU Processors for automotive would feature up to 16 Kb RAM Need to optimise RAM as much as it was possible Put all constants and code into ROM Multicore for safety-critical embedded systems: challenges andmarch opportunities 15, 2016 6 / 28

The OEK/VDX standard Automotive applications are programmed in C using the OEK/VDX interface standard Interrupts + simple tasks Application code and kernel linked together in the same memory space Periodic (clock-driven) tasks: periodic sampling of sensor data, execution of control algorithms Aperiodic (event-driven) tasks: Activated by external events (interrupts) Example: network drivers, drive shaft Heavy use of global variables to reduce the amount of stack memory A configuration file (OIL) is used to create the tasks and initialize the static parameters Multicore for safety-critical embedded systems: challenges andmarch opportunities 15, 2016 7 / 28

Run-to-completion OEK adopts two models of tasks Normal tasks Task mytask() { int local; initialization(); for (;;) { do_instance(); end_instance(); } } One stack per task is needed Run-to-completion tasks int local; TAK(mytask) { do_instance(); } int main() { initialization(); } tack frame is created and destroyed at each instance Multicore for safety-critical embedded systems: challenges andmarch opportunities 15, 2016 8 / 28

Priority-based execution and stack How much stack space do we need? uppose we have one RTC task for each priority level then, in the worst case tack tot = ÿ i tack i To reduce the size of the stack, we can reduce preemption increasing delay Free preemption CcanpreemptB Preemption threshold C cannot preempt B Multicore for safety-critical embedded systems: challenges andmarch opportunities 15, 2016 9 / 28

Blocking The technique for reducing stack works if the task does never block However, tipically a task access shared memory and given the high number of global variables, this is quite likely to happen How to guarantee that the program remains consistent? use mutex semaphores However, two problems arise Interleaving (no stack can be shared) priority inversion Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 10 / 28

Priority Inversion Priority inversion: 1 2 3 0 2 4 6 8 10 12 14 16 18 20 22 24 Two problems unbounded priority inversion: 2 delays 1 Interleaving (no stack-based execution) Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 11 / 28

Priority Inversion Priority inversion: 1 2 3 L() 0 2 4 6 8 10 12 14 16 18 20 22 24 Two problems unbounded priority inversion: 2 delays 1 Interleaving (no stack-based execution) Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 11 / 28

Priority Inversion Priority inversion: 1 L() 2 3 L() 0 2 4 6 8 10 12 14 16 18 20 22 24 Two problems unbounded priority inversion: 2 delays 1 Interleaving (no stack-based execution) Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 11 / 28

Priority Inversion Priority inversion: 1 L() 2 3 L() 0 2 4 6 8 10 12 14 16 18 20 22 24 Two problems unbounded priority inversion: 2 delays 1 Interleaving (no stack-based execution) Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 11 / 28

Priority Inversion Priority inversion: 1 L() 2 3 L() 0 2 4 6 8 10 12 14 16 18 20 22 24 Two problems unbounded priority inversion: 2 delays 1 Interleaving (no stack-based execution) Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 11 / 28

Priority Inversion Priority inversion: 1 L() 2 3 L() U() 0 2 4 6 8 10 12 14 16 18 20 22 24 Two problems unbounded priority inversion: 2 delays 1 Interleaving (no stack-based execution) Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 11 / 28

Priority Inversion Priority inversion: 1 L() U() 2 3 L() U() 0 2 4 6 8 10 12 14 16 18 20 22 24 Two problems unbounded priority inversion: 2 delays 1 Interleaving (no stack-based execution) Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 11 / 28

Priority Inheritance Priority Inheritance consisting in giving the locking tasks the priority of the locked task 1 2 3 L() 0 2 4 6 8 10 12 14 16 18 20 22 24 We still have interleavings, so it cannot be used in a stack-based execution Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 12 / 28

Priority Inheritance Priority Inheritance consisting in giving the locking tasks the priority of the locked task 1 L() 2 3 L() 0 2 4 6 8 10 12 14 16 18 20 22 24 We still have interleavings, so it cannot be used in a stack-based execution Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 12 / 28

Priority Inheritance Priority Inheritance consisting in giving the locking tasks the priority of the locked task 1 L() 2 3 L() 0 2 4 6 8 10 12 14 16 18 20 22 24 We still have interleavings, so it cannot be used in a stack-based execution Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 12 / 28

Priority Inheritance Priority Inheritance consisting in giving the locking tasks the priority of the locked task 1 L() 2 3 L() 0 2 4 6 8 10 12 14 16 18 20 22 24 We still have interleavings, so it cannot be used in a stack-based execution Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 12 / 28

Priority Inheritance Priority Inheritance consisting in giving the locking tasks the priority of the locked task 1 L() 2 3 L() U() 0 2 4 6 8 10 12 14 16 18 20 22 24 We still have interleavings, so it cannot be used in a stack-based execution Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 12 / 28

Priority Inheritance Priority Inheritance consisting in giving the locking tasks the priority of the locked task 1 L() U() 2 3 L() U() 0 2 4 6 8 10 12 14 16 18 20 22 24 We still have interleavings, so it cannot be used in a stack-based execution Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 12 / 28

Priority Inheritance Priority Inheritance consisting in giving the locking tasks the priority of the locked task 1 L() U() 2 3 L() U() 0 2 4 6 8 10 12 14 16 18 20 22 24 We still have interleavings, so it cannot be used in a stack-based execution Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 12 / 28

The tack Resource Policy olution: selectively disable preemption resource ceiling: highest priority of all tasks that use that semaphore system ceiling: highest resource ceiling of all locked semaphores A task cannot start execution unless prio > sysceiling The previous example 1 2 3 L() 0 2 4 6 8 10 12 14 16 18 20 22 24 Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 13 / 28

The tack Resource Policy olution: selectively disable preemption resource ceiling: highest priority of all tasks that use that semaphore system ceiling: highest resource ceiling of all locked semaphores A task cannot start execution unless prio > sysceiling The previous example 1 2 3 L() 0 2 4 6 8 10 12 14 16 18 20 22 24 Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 13 / 28

The tack Resource Policy olution: selectively disable preemption resource ceiling: highest priority of all tasks that use that semaphore system ceiling: highest resource ceiling of all locked semaphores A task cannot start execution unless prio > sysceiling The previous example 1 2 3 L() U() 0 2 4 6 8 10 12 14 16 18 20 22 24 Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 13 / 28

The tack Resource Policy olution: selectively disable preemption resource ceiling: highest priority of all tasks that use that semaphore system ceiling: highest resource ceiling of all locked semaphores A task cannot start execution unless prio > sysceiling The previous example 1 L() U() 2 3 L() U() 0 2 4 6 8 10 12 14 16 18 20 22 24 Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 13 / 28

The tack Resource Policy olution: selectively disable preemption resource ceiling: highest priority of all tasks that use that semaphore system ceiling: highest resource ceiling of all locked semaphores A task cannot start execution unless prio > sysceiling The previous example 1 L() U() 2 3 L() U() 0 2 4 6 8 10 12 14 16 18 20 22 24 Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 13 / 28

The tack Resource Policy olution: selectively disable preemption resource ceiling: highest priority of all tasks that use that semaphore system ceiling: highest resource ceiling of all locked semaphores A task cannot start execution unless prio > sysceiling The previous example 1 L() U() 2 3 L() U() 0 2 4 6 8 10 12 14 16 18 20 22 24 No interleavings! Max blocking time = maximum lenght of critical sections Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 13 / 28

Outline 1 An history of multicore in automotive 2 Multicore scheduling 3 Current platforms Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 14 / 28

Going multicore This was the state of the art for automotive RT software in 1999 Around 2000, T Microelectronics, Magneti Marelli (FIAT Group), and PARADE, decided to design a double core chip, code name JANU symmetric dual processor (2 ARM7TDMI) 2 RAM banks, connected through a crossbar switch specialized I/O for engine control 11% additional silicon area with respect to single-arm solution Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 15 / 28

Challenges: partitioned or global? Main problem: how to program this new architecture? Need to adapt the OEK standard to deal with multicore systems simplest choice: partitioned scheduling tasks are statically allocated to processors Requirements: tack minimization ame interface Proposal: Researchers at cuola ant Anna founded a spin-o Evidence.r.l. to produce a new µ-kernel called ERIKA Main ideas: tatic allocation of tasks to processors (extending OIL language) Extension of the RP protocol to support multicore systems Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 16 / 28

Challenges: shared resources Tasks allocated to di erent processors may access the same memory need semaphores however, priority tricks do not work We proposed the M-RP protocol uses spin-locks to extend RP Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 17 / 28

The M-RP Local resources = used only by tasks allocated on the same processor use standard RP technique Global resources = used by tasks on di erent processors use spin-lock pin-lock (BW Busy Waiting) if a task accesses a semaphores locked by another task on a di erent processor, it start to busy-wait while in BW, raises the ceiling to the maximum (no preemption is possible) if necessary, disables interrupts Multiple tasks in BW are served in FIFO order Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 18 / 28

M-RP properties Paper: Paolo Gai, Giuseppe Lipari, Marco Di Natale, tack ize Minimization for Embedded Real-Time ystems-on-a-chip, Design Automation for Embedded ystems, vol. 7, n. 1-2, pp. 53 87 2002 tack-based execution can be used to reduce the total stack size using preemption thresholds Deadlock still possible if nested critical sections on global resources can be detected by static analysis Bounded blocking time one critical section for local resources sum of critical sections for global resources Minimise global resources by properly allocating tasks Accepted in the AUTOAR 4.0 standard in 2014 Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 19 / 28

The end Unfortunately, the Janus project was cancelled after 2 years for lack of interest Clients in automotive did not know how to use a multicore They were too afraid of possible software problems Multicore systems have started to be accepted in automotive since 2010, more than 10 years after the Janus project Evidence continued development of ERIKA for single and multi-core platforms reconfigurable FPGAs (Altera Nios) Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 20 / 28

Outline 1 An history of multicore in automotive 2 Multicore scheduling 3 Current platforms Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 21 / 28

Toward a "real" symmetric processor ince 2000, many things have changed Memory is less costly, chips can feature several kb of memory they now include MMU and caches Freescale Qorivva 32-bit MCU Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 22 / 28

Additional features Fault-tolerance there is an interest in using the two processors in lock-step mode The two processors execute the same instructions and results are compared, to quickly detect faults Certification and isolation are the two main keywords Certification of multicore automotive software is still an open challenge a lot of work in proof of µ-kernel till di cult for a complex distributed system Memory and temporal isolation are needed when integrating software from third parties into the same ECU, guarantee that one does not jeopardise the others Additional functionalities Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 23 / 28

Isolation One of the main drivers of multi-core technology possibility to integrate di erent applications in the same ECU thus reducing the number of ECUs and the lenght of the network cables It is important to isolate one application from another Applications can have di erent level of criticalities But they share the same memory, bus, etc. They are developed by di erent companies / teams Isolation: Memory protection via MMU Time Triggered Access to bus eparate caches, cache coloring or cache locking Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 24 / 28

ingle core equivalence It uses a technique called MemGuard for sharing the bus Can be implemented in software on all architectures At the O level: the task is blocked after a certain number of cache misses Done @ UIUC Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 25 / 28

Experiments with Virtualization One core runs Linux, for the command interfaces One core runs ERIKA for low level critical control sw Timing isolation for separating access to processors and resources Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 26 / 28

Certification? Interactions: From Linux it is possible to top and reload the RTO (ERIKA) et an Alarm Activate a critical task Increment a counter Verifying the whole system is impossible Linux is too big to be verified However, there is some hope to verify The hypervisor (XEN) the RTO (ERIKA) One viable approach? By reasoning in terms of isolation, we could perform a "component-based" verification of the critical part Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 27 / 28

Conclusions Automotive Embedded ystems have evolved during the last 15 years Introduction of multi-core chips MMU and caches Requirements are always the same Reduce the amount of memory used by the application Real-time constraints Certification New requirements Fault-tolerance Reduce energy consumption Integrate application with di erent criticality levels in the same ECU Component-based certification There is still space for doing research at the system level timing isolation predictability Multicore for safety-critical embedded systems: challenges and March opportunities 15, 2016 28 / 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback