sureal methodology and timing analysis innovations forum

SuRealSuRealSuReal 111

SurealMethodology and Timing Analysis

Innovations Forum23.04.2009

Dr. James J. Hunt and Nico Feiertag aicas GmbH SYMTA VISION


SuReal Development ProcessHigh-level

TimingVerification

SchedulingVerification

Technical / Functional Verification

Code Verification

Requirements Modelling

Platform Refinement

Code Generationand Extension

Compilation

Platform-independent

Model

Platform-specific Model

Annotated Source Code

Executable Code


SuReal Tool Chain

Co d e Ge n e ra to r (Ameos )

De riv e dAn n o ta tio n s

Bu ild e r (Ja m a ic a Bu ild e r)

Co n s tra in tsPa rs e r/Ed ito r

ja v a c

Cla s s File s

Exe c u ta b le

Da ta Flo w(Ve riflu x)

WCET An a lyze r(a iT)

Sc h e d u lin g (Sym TA/S)

An n o ta te dJa v a Co d e

Ve rific a tio nMo d e l

UML Ed ito r (Am e o s )

XMI Mo d e lGe n e ra to r

UML Mo d e l

J av a C o d e

B y te C o d e

Mac hineC o d e

A nno tate d Mo d e l

UP AAL

Model CheckerDF KI

VS E

Development Verification

•Verification of J ava Code•High Level WCE T Analys is

Au g m e n te dJa v a Co d e

FIBEX


Profile Comparison

Pro file USTP MARTE HIDOORS SysMLAn n o ta tio n s Light weight Light weight Light weight Light weightSc h e d u la b ility ✔ ✔ ✔ ✘Pe rfo rm a n c e An a lys is ✔ ✔ ✔ ✔Qu a lity o f Se rv ic e ✔ ✔ ✘ ✘Su p p o rts De fin in g Me tric s ✘ ✔ ✘ ✔Fa u lt To le ra n c e ✘ ✔ ✘ ✘Fo rm a l Se m a n tic s ✘ p a rtia l ✘ ✘Em b e d d e d Sys te m s ✘ ✔ ✔ ✘Re a ltim e Sys te m s ✔ ✔ ✔ ✘Re q u ire m e n ts En g in e e rin g ✘ ✔ ✘ ✔Su p p o rts MDA ✘ ✔ ✔ ✔UML 2 .0 Co m p a tib ility ✘ ✔ ✘ ✔OCL 2 .0 Co m p a tib ility ✘ ✔ ✘ ✔Nonlinear Refinement ✘ ✘ ✘ ✘


De s ig n

Co m p u ta tio n a lEn v iro n m e n t

Op e ra tin gEn v iro n m e n t

To p o lo g y

So ftw a re Ha rd w a re

Ap p lic a tio n

In fra s tru c tu re

Application

Mapping Architectu

re

Mapp

ingOperation

Mapping

SuReal Profile Views


Diagram Usage

View vs. Diagram

Design Topology Operating Environment

Execution Environment

Class Diagram X

State Diagram X

Sequence Diagram

X

Composite Structure Diagram

X X X X


Stereotypes

Task Types «SRTask» «SRPeriodicTask» «SRSporadicTask» «SRTriggeredTask»

Structural Types «SRLink» «SRPath» «SRCall» «SRNode» «SRProcessor» «SRNetworkSegment»

Budget Types «SRExecutionBudget» «SRReleaseBudget» «SRMessageBudget»

Object Types «SRDataStructure» «SRFrame» «SRMailbox»

«SRMailboxGet» «SRMailboxSet»

Other Types «SROperationSystem» «SRBusProtocol» «SRPrioritySchedulerParameters»


Case Study 1 & 2—Design

SpeedCalculator SpeedControllerSpeedCalculator

SteeringController

LaneTracking

EmergencyBreak

SensorWatcherRightLight

LeftLight

RightMotorSpeed

LeftMotorSpeed

SteeringAngle

Distance

Stop


Case Study 1—Deployment

NXT


NXT

Case Study 1—Application Map

SpeedControllerSpeedCalculator

SteeringController

LaneTracking

EmergencyBreak

SensorWatcher


Case Study 2—Deployment

Controller NXT

Bus


Case Study 2—Application Map

Controller NXT

Bus

FrameHost2NXT FrameNXT2Host

SpeedControllerSpeedCalculator

SteeringController

LaneTracking

EmergencyBreak

SensorWatcher

DistanceRightLightLeftLight

StopSteeringAngle

RightMotorSpeedLeftMotorSpeed


Case Study Infrastructure Op e ra tin g En v iro n m e n t

Ca s e 1 — Sin g le Pro c e s s o r C Co d e u n d e r NXTOs e k

Ca s e 2 — Tw o Pro c e s s o rs Re a ltim e Ja v a u n d e r VxWo rk s 6 .5 RTP C Co d e u n d e r NXTOs e k

Exe c u tio n En v iro n m e n t Ca s e 1 — Sin g le Pro c e s s o r

NXT Arm Ca s e 2 — Tw o Pro c e s s o rs

Po w e rPC 6 0 3 NXT Arm


Case Study 1—Code

C Side main EmergencyBrake_states LaneTracking_states LoggingTask_states SensorWatcher_states SpeedCalculator_states SpeedController_states SteeringController_states


Cas e S tudy 2—Code

Java Side Controller EmergencyBrake LaneTracking LoggingTask SpeedCalculator MasterTransferTask FrameHost2NXT FrameNXT2Host NxtUsbDriver

C Side main SensorWatcher_states SpeedController_states SteeringController_states SlaveTransferTask_states


16

Controllers in planes, cars, plants, … are expected to finish their tasks within reliable time bounds.

It is essential that an upper bound on the execution times of all tasks is known : Commonly called Worst-Case Execution Time.

WCET prerequisite for system-level schedulability analysis.

Hard Real-Time Systems


ACCABS

ESP ASR

enginecontrol powertrain

control

Frame generation timing (cyclic and/or event+driven)

Buffering strategy(FIFO, priority ordered, hybrid)

Nachrichten Objekte(hardware buffers)

SIG signal register

SEND/ COM layer tasksRCV or interrupts

INT driver interrupt

MO message object(HW buffer)

CAN HW

CANBSW

RTESIG SIG

MO

INT

SEND

SIG

Queue

MO MO

SWC 1SWC 2

SWC 3

SWC 4

SIG SIG

MO

INT

RECV

Komplexes System-Zeitverhalten


18MethodologyPr

obab

ility

Execution time

Exact worst-caseexecution time

Safe worst-caseexecution timeestimate

Best-caseexecution time

Unsafe:execution timemeasurement


19Two Levels of Timing Analysis●Code level

● Single process, task, ISR● Focus on

● Control flow● Processor architecture

with pipelines and caches

●System level● Multiple functions or tasks● Focus on

● Integration and scheduling● Periodic or event-driven

activation, blocking● End-to-end timing

aiT(AbsInt)

SymTA/S(Symtavision)


20

aiT + SymTA/S: Integration with Modeling Tool OpenAmeos


Customer benefits

●Capturing realtime behavior systematically● Fast identification of bottlenecks● Preventing integration problems

●Planning timing early● Predict resource requirements● Optimal dimensioning

●Optimized development process● Reduced number of prototypes● Reduced testing effort

●Reliable prediction of extendibility


Overview on applied Techniques

Timing Analyse

Statische Code-Analyse

Scheduling Analyse


Application of Tools

assembler

instruction

basic block

function

runnable

task

ECU

system (EC

Us,

buses)

granularity

AbsInt (aiT)

Symtavision (SymTA/S)


Workflow and Information Flow

aiTSymTA/S

Scheduling Analysis (WCRT)System Stack Analysis

System model(tasks, activations, scheduling)

WCET/Stack Analysis(single task)Refinement

WCET/StackRequest Additional Info

WCET/StackResponse


Integration with AbsInt aiT

1

2

3

●Request – response● SymTA/S requests list of core execution times

● Different runnables● Different modes● Different processors

● aiT returns results


Integration with AbsInt aiT—Results

4

●Enables verification and quick mapping exploration


Veriflux: Data Flow Analysis

Extension of control flow analysis Data values are propagated as well Fixed point algorithm Necessary extension for OO Languages

Method dispatch is data dependent More precise than considering all

possible subclasses at each call point


DFA Applications

Worst case execution time analysis Memory use (stack, heap, etc.) Coverage and reachability Exception checking Shared object detection Synchronization (deadlocks)


Detecting Runtime Errors

...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;

int value = s.reading();

...}...


NullP ointerE xception




...}...



Clas s Cas tE xception




...}...








...}...





device != null




...}...




...}...

NullP ointerE xception ✔



device != null









...}...




Clas s Cas tE xception values (MyDevice.s ens or) contains only MyS ens or




...}...




Clas s Cas tE xception ✔ values (MyDevice.s ens or) contains only MyS ens or




...}...




Clas s Cas tE xception ✔




...}...




Clas s Cas tE xception ✔null ∉ values (MyDevice.s ens or)




...}...








...}...




Clas s Cas tE xception ✔




...}...


WCETA for Realtime Java

La n g u a g ed e p e n d a n t

p h a s e

Da ta flo w g ra p h c o n s tru c tio n Pa th a n a lys is

e .g ., d e te rm in in g m e th o d c a ll s e ts a n d lo o p b o u n d s

Ba s ic b lo c k tim in g a n a lys is Ca c h e a n a lys is m o d u le Pip e lin e a n a lys is m o d u le Bra n c h p re d ic tio n m o d u le Wo rs t c a s e e xe c u tio n p a th d is c o v e ry

Ma c h in ed e p e n d a n t

p h a s e


WCETA Process for RTJava

Process JML annotations Transform source Compile to bytecode

Run full program dataflow analysis Generate low level WCETA tool

annotations for critical methods Compile bytecode to machine code Run low level WCETA tool


Loop Bounds Annotations

decreases [integer expression] While loop For loop For each loop

measured_by [integer expression] Recursion

Invariant [boolean expression] Unbound variables


JML Decreases Clause

d e c re a s e s [in te g e r e xp re s s io n ] lo o p sm e a s u re d _b y [in te g e r e xp re s s io n ] re c u rs io n⇒[in te g e r e xp re s s io n ]

0

[in te g e r e xp re s s io n ]in itia l

[in te g e r e xp re s s io n ]

fo r e a c h ite ra tio n i:[in te g e r e xp re s s io n ]

i [in te g e r e xp re s s io n ]

i+ 1+ 1


While Loop Transform

\\@ decreases elements.length – i;while (i < elements.length){ sum += elements[i++]; }

{ DFAHelper.captureBounds(elements.length – i);}while (i < elements.length){ sum += elements[i++];}


For Loop Transformation

\\@ decreases elements.length – i;for (int i = 0; i < elements.length; i++){ sum += elements[i];}

{ int i = 0; DFAHelper.captureBounds(elements.length – i);}for (int i = 0; i < elements.length; i++){ sum += elements[i];}


For Each Loop Transform 1

\\@ ghost int i = elements.length; decreases i;for (int entry: elements){ sum += entry; \\@ set i--;}

{ int i = elements.length; DFAHelper.captureBounds(i);}for (int entry: elements){ sum += entry;}


For Each Loop Transform 2

for (int entry: elements){ sum += entry;}

{ DFAHelper.captureBounds(elements.length);}for (int entry: elements){ sum += entry;}


Handeling Dispatch Sets

Calculated as part of dataflow analysis No annotations are necessary Veriflux determines two sets of values

Set of all invocations Set of referenced values

Call sets are determined for invocation sites, not just for each method.

Different invocation may have totally different call sets.


AIS Annotations

Unevaluated Method (know not to be called)snippet "jamaica_throwNull" is not analyzed and is never executed and takes exactly 0 cycles and uses exactly 0 bytes of stack and removes exactly 0 bytes of stack;

Dynamic Dispathinstruction "L1259_53_run@label" + 1 unpredictable calls jam_comp_javax_realtime_RealtLogic_48_run1, jam_comp_javax_realtime_Asyncndler_8_run16, jam_comp_javax_realtime_AEHTh00241_3_run1, jam_comp_javax_realtime_List_bject_23_run1;

Looploop file 'SpeedCalculator.java' line 180 max 10;


Realtime Java WCET Results

SpeedCalculator.handleAsynchEvent()

328678 cycles = 0.83 ms

LaneTracking.handleAsynchEvent()

133925 cycles = 0.339 ms

EmergencyBreak.handleAsynchEvent()

100454 cycles = 0.254 ms

MasterTransferTask.handleAsynchEvent()

39059 cycles = 98.634 us


Veriflux with aiT


Conclusion

Complete development process Capturing realtime behavior systematically From Model to Executable Full timing and schedulability analysis

Supports Object-Oriented Development Realtime Java Static compilation and GC

Improved development fexibility Up front model checking Separation of Concerns

sureal methodology and timing analysis innovations forum

Technology