The OASIS model for development of deterministic safety-critical multitask real-time systems (presentation slides)


SLIDE 1

The OASIS model for development of deterministic safety-critical multitask real-time systems

Matthieu Lemerre

CEA LIST LaSTRE (V. David)

Synchron’08 Aussois, December 5th, 2008

Matthieu Lemerre (CEA LIST) The OASIS model Synchron’08 1 / 35

SLIDE 3

Introduction

OASIS is an industrialized toolchain (compiler, runtime kernel, ...) based on a time-triggered model of computation. In the OASIS model, computations take time (there is no zero-time abstraction).

Computations happen during intervals of time (not at points in time) and use the results of past computations (not those of parallel ones).

The model is still independent of execution time (which is used only for scheduling). Ψ is a language extension for expressing the time-triggered constraints of the model in a procedural language (e.g. C or Ada).

SLIDE 4

Outline

1. Timing model: specifying time-triggered constraints; example uses and use in OASIS (simple example uses; use in OASIS)
2. Scheduling semantics: scheduling of chains; scheduling of trees; scheduling of automata
3. Implementation: communication primitives; implementation
4. Conclusion

SLIDE 6

Chains

(figure: a chain with two blocks, a → b)

Notions:
Block: a sequence of instructions, represented by an arc.
Node: separates 2 blocks.
Chain: a sequence of blocks and nodes. b runs after a.

SLIDE 11

Temporal constraints

(figure: chain a → b → c with constraint nodes 1, 5 and 7)

Goal: to specify temporal constraints on a block.

2 possibilities: to make it start after a certain date OR to make it end before another date. We chose to make the adjacent nodes bear the constraints: “before” nodes constrain the preceding block; “after” nodes constrain the succeeding block.

Lemma: constraint extension

A block b is implicitly constrained by all preceding “after” nodes, and by all following “before” nodes.

SLIDE 16

Combining constraints

(figure: reductions of two consecutive constraint nodes d and d′ with d′ ≤ d: (a) reduces to d′; (b) reduces to d; (c) impossible unless d = d′; (d) OK, nothing to simplify)

Some constraints can be simplified. Reductions (a) and (b) allow for relative labeling of constraints:

Lemma (relative labeling)

All constraints can be expressed as a strictly positive increment from the last “after” node (in an equivalent, simplified automaton).

SLIDE 17

From chains to trees: Handling choices

(figure: after node 1, block a, then an if: either block b with before node 4, or block c with before node 3)

Either b or c will be executed. a → b has 3 units of time to complete; a → c only has 2.

Important: the choice between b and c is made dynamically and is known only after a’s execution → both choices must be doable until a finishes. This is reflected in the scheduling semantics (later).

SLIDE 18

From trees to automata: Handling loops and joins

(figure: automaton a → b → c with a loop over b and c, relative labels 1, 2, 1; = its unfolding a b c b c ... with labels 1, 2, 1, 2, 1 on a time axis from 1 to 8)

Semantics of unfolding: a “copy” of the traversed tree. Must use relative labeling to be useful.

SLIDE 19

From trees to automata: Handling loops and joins

(figure: automaton with blocks a, b, c, d containing a join; = its unfolding c d a b c d a b c d a b ...)

Semantics of unfolding: a “copy” of the traversed tree. Must use relative labeling to be useful. When there are both loops and choices, unfolding gives an infinite tree! Execution trace = path in the tree = chain.

SLIDE 20

Example uses

(figures (a), (b), (c): the three automata described below; ε denotes an empty block)

(a) Implicit-deadline periodic task of period 2.
(b) A periodic task (period 5). b is constrained with a fine-grained jitter specification (maximum jitter 1).
(c) Two constrained-deadline periodic tasks of period 2 and deadline 1, with respective phases 1 and 2. a and b are in mutual exclusion.

SLIDE 21

Generation of the automaton from ΨC code

ΨC code:

    while(1) {
      after(1);
      if(...) {
        after(2);
        for(i=0;i<10;i++) { advance(1); }
      } else before(2);
      advance(5);
    }

The CFG defines the automaton (figure: CFG with nodes while, after(1), if, after(2), for, advance(1), before(2), advance(5)). Tasks define sequential execution; multiple tasks give parallel execution.

SLIDE 23

Semantics for scheduling chains

Conditions for a correct schedule for a chain: the “before” and “after” constraints must be respected; blocks must be executed in order; blocks must be executed for their required execution time ||b||.

(figure: chain with constraint nodes 1, 3, 6 and blocks a, b, with ||a|| = 2 and ||b|| = 1, and a correct schedule a a b b on a time axis from 1 to 7)

SLIDE 24

Optimal scheduling with EDF-dyn

In conventional scheduling models, tasks dynamically release fixed jobs (i.e. 1 start time, 1 deadline, 1 execution time). In the OASIS task model, a task is one job that changes dynamically → conventional scheduling algorithms cannot be used “as is”.

Definition

EDF-Dyn: EDF with dynamic change of deadlines.

SLIDE 25

Optimal scheduling with EDF-dyn

Theorem

EDF-Dyn is optimal for scheduling OASIS tasks.

(figure: two tasks; T1 has constraint nodes 1, 3, 6 and blocks a, b with ||a|| = 1.5 and ||b|| = 2; T2 has constraint nodes 2, 5 and block c with ||c|| = 1; the EDF-Dyn schedule on a time axis from 1 to 7, where T1’s dynamic deadline is 3 and then 6)

SLIDE 26

Implementation

Scheduling decisions have to be made only when: the date of an after node is reached; an after node is reached; a before node is reached.

Scheduler implementation: deletion of useless constraints; translation into system calls to the scheduler.

(figure: chain with nodes 1, 2, 3, 4, 5 and blocks a, b, c, d, e translated into the calls s = 1, e = 2, e = 3, e = 5, s = 4, e = ...)
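As an added example (not code from the slides), a small Python simulation of EDF-Dyn on the two-task figure of the theorem slide, read as T1 = after 1, a (1.5), before 3, b (2), before 6 and T2 = after 2, c (1), before 5; that reading of the figure is an assumption. Decisions are taken only at the points listed above, and passing dynamic=False schedules each task with its final deadline instead, which misses a’s deadline.

```python
# Added example, not from the slides: EDF-Dyn on the two-task figure.
# A chain is a list of ("after", date), ("block", name, exec_time) and
# ("before", date) steps with absolute dates (reading of the figure assumed).
T1 = [("after", 1), ("block", "a", 1.5), ("before", 3),
      ("block", "b", 2.0), ("before", 6)]
T2 = [("after", 2), ("block", "c", 1.0), ("before", 5)]

class Task:
    def __init__(self, chain):
        self.chain, self.i, self.release, self.done = chain, 0, 0.0, False
        # what a fixed-job scheduler would use: the chain's last deadline
        self.final = max((s[1] for s in chain if s[0] == "before"),
                         default=float("inf"))
        self.advance()

    def advance(self):
        """Skip the nodes after the finished block and load the next block."""
        while self.i < len(self.chain) and self.chain[self.i][0] != "block":
            kind, date = self.chain[self.i]
            if kind == "after":           # after node: raise the release date
                self.release = max(self.release, date)
            self.i += 1
        if self.i == len(self.chain):
            self.done = True
            return
        _, self.block, self.remaining = self.chain[self.i]
        # constraint-extension lemma: every following "before" node bounds
        # this block, so its dynamic deadline is the earliest of them
        befores = [s[1] for s in self.chain[self.i + 1:] if s[0] == "before"]
        self.deadline = min(befores) if befores else float("inf")
        self.i += 1

def edf_dyn(chains, dynamic=True):
    """Return (start, end, block) segments, or None when a deadline is missed.
    Decisions happen only at the points the slide names: an after date is
    reached, or a block completes (reaching its before node)."""
    tasks = [Task(c) for c in chains]
    t, trace = 0.0, []
    while any(not x.done for x in tasks):
        ready = [x for x in tasks if not x.done and x.release <= t]
        if not ready:                     # idle until the next after date
            t = min(x.release for x in tasks if not x.done)
            continue
        cur = min(ready, key=lambda x: x.deadline if dynamic else x.final)
        # run until the block completes or another task is released
        releases = [x.release for x in tasks if not x.done and x.release > t]
        end = min([t + cur.remaining] + releases)
        if trace and trace[-1][2] == cur.block and trace[-1][1] == t:
            trace[-1] = (trace[-1][0], end, cur.block)   # extend segment
        else:
            trace.append((t, end, cur.block))
        cur.remaining -= end - t
        t = end
        if cur.remaining <= 1e-9:
            if t > cur.deadline + 1e-9:
                return None               # the real before constraint is missed
            cur.advance()
    return trace
```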

SLIDE 27

Semantics for scheduling trees

(figure: a time-triggered tree with blocks a, b, c, d and constraint nodes 1, 6, 7, 2, 4, followed by (f) a valid schedule and (g) an invalid schedule whose branches differ before the instant of choice, on a time axis from 1 to 6)

1 tree schedule = one schedule for a chain per set of choices made. The schedules for chains must be the same up to their differentiating choice. Each schedule for a chain must be correct.

SLIDE 28

Semantics for scheduling trees


Definition

Choice deadline inheritance (CDI): a transformation where all choice nodes have the earliest possible following constraint.

(figure: tree with constraint nodes 1, 6, 7 and blocks a, b, c; after CDI the choice node carries deadline 6)

Theorem

CDI is a necessary condition.

SLIDE 29

EDF with choice deadline inheritance

Definition

EDF-Dyn-min: EDF-Dyn with the earliest possible deadline.

Theorem

EDF-Dyn-min is optimal for scheduling time-triggered trees on a single processor.

Implementation: translation of choice nodes into “update deadline” system calls.

(figure: tree with constraint nodes 1, 2, 2, 3 and blocks a, b, c, translated into the calls s = 1, e = 2, e = 3, e = ..., e = ..., with empty blocks ε)

SLIDE 30

Scheduling of automata

Same as scheduling the unfolded tree. The relative → absolute conversion is done dynamically: execution of the code unfolds the automaton on the fly. Additional checking of the reachability of nodes. Exact feasibility analysis is possible.

SLIDE 32

Communication primitives

The different tasks need to communicate. Synchronizations (rendez-vous, semaphores) render feasibility analysis and scheduling very difficult → all synchronisations are done solely using time. We additionally need to ensure that buffer sizes are sufficient → automatic computation of buffer sizes.

SLIDE 34

A simple communication primitive

Simple example: using shared memory for communication, with synchronisation using time.

(figure (m): synchronisation using time: s writes to shared memory before time 3, r reads it after time 3; a second reader r′ is marked ×)

Interactions may still be non-deterministic → provide only communication primitives that preserve determinism → guaranteed determinism.

SLIDE 35

A communication primitive: the message

(figure: a sender and the recipient on a time axis from 1 to 10; the sender executes send(3.6); the recipient sees no msg before the visibility date and rcv 3.6 after it)

N-to-1 communication. Typed mailboxes. Mailboxes have “peremption dates” (expiry dates) → buffer sizes can be computed. The send instruction specifies a visibility date (a before constraint). The value read does not depend on the actual time of send/recv → determinism. A synchronous model would need only afters. Wait-free implementation.

SLIDE 36

A communication primitive: the temporal variable

(figure: temporal variable a, a producer and a consumer on a time axis from 1 to 10; the producer writes a=2.1; the consumer reads a==2.5 and then a==2.1)

The temporal variable is updated periodically. Updates are independent of any task rhythm. One producer, N consumers. The value read does not depend on the actual time of the read → determinism. Wait-free implementation.
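An added illustration in Python (not OASIS code) of the two primitives on this slide and the previous one: a mailbox whose messages become visible at the sender’s visibility date and expire a peremption delay later, and a temporal variable read by logical date. The peremption delay, sender ids and dates are constructed values.

```python
import bisect

class Mailbox:
    """N-to-1 typed mailbox (constructed illustration, not OASIS code). A
    message is visible to the recipient from the visibility date chosen by
    the sender (its before constraint) and expires peremption_delay later,
    whatever the physical instant at which send() was called."""
    def __init__(self, peremption_delay):
        self.peremption_delay = peremption_delay
        self.msgs = []   # kept sorted: (visibility_date, sender_id, value)

    def send(self, sender_id, value, visibility_date):
        # ordering by (date, sender) keeps delivery deterministic even when
        # two senders pick the same visibility date
        bisect.insort(self.msgs, (visibility_date, sender_id, value))

    def recv(self, logical_time):
        """Values visible at logical_time; expired messages are dropped."""
        self.msgs = [m for m in self.msgs
                     if m[0] + self.peremption_delay > logical_time]
        return [v for date, _, v in self.msgs if date <= logical_time]

class TemporalVariable:
    """One producer, N consumers: the value seen at date t is the last update
    whose date is <= t, so a read does not depend on when it physically ran."""
    def __init__(self, initial):
        self.dates, self.values = [float("-inf")], [initial]

    def update(self, date, value):
        i = bisect.bisect_right(self.dates, date)
        self.dates.insert(i, date)
        self.values.insert(i, value)

    def read(self, logical_time):
        i = bisect.bisect_right(self.dates, logical_time)
        return self.values[i - 1]

def demo():
    """Replays the two figures: send(3.6) seen only from its visibility date,
    and a=2.1 seen by a consumer only from the update date 2.5 onwards."""
    mb = Mailbox(peremption_delay=4)
    mb.send("sender1", 3.6, visibility_date=5)   # physical call order of the
    mb.send("sender0", 1.2, visibility_date=5)   # senders is irrelevant
    before, after, expired = mb.recv(4), mb.recv(5), mb.recv(9)
    tv = TemporalVariable(2.5)
    tv.update(2.5, 2.1)                           # producer writes a=2.1
    return before, after, expired, tv.read(2.4), tv.read(2.5)
```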

SLIDE 37

Runtime

(figure: Task 0 to Task 3, each with its own system layer, and the scheduler)

Designed for safety: all parts are separated in different memory contexts (e.g. processes). Implementation on bare hardware (OASIS kernel) or simulation on Linux.

SLIDE 39

Summary

The OASIS model is a very expressive model for expressing time-triggered timing constraints. Industrially used to realize complex safety-critical systems. Easy to prove application timing properties. Safety-oriented design and implementation. Special, quite unusual scheduling semantics. Communication primitives that guarantee determinism despite multitasking.

Independence from hardware: correct execution is guaranteed if schedulable (i.e. the hardware is fast enough).

Really high efficiency: multitasking, no locks, optimal scheduling and exact feasibility analysis.

SLIDE 40

Conclusion

Present and future extensions: OASIS for the automotive industry; OASIS for SMP; intra-task parallelism (multithreading); distributed OASIS; formal transition from specifications to implementation.

SLIDE 41

Thanks for your attention Questions?

SLIDE 42

Transformation to temporal chains

(figure: a TT chain with blocks a, b, c, d, e and constraint nodes 1, 3, 4, 7, 6, 9 transformed into a temporal chain with dates 1, 3, 4, 6, 7, 9; its arcs 1 to 5 carry the blocks a,b | b | c,d | c,d,e | d,e)

Temporal chains: nodes represent dates, and are ever-increasing; arcs represent intervals; arcs carry the blocks that can be executed during the interval (written above the arc); arcs are labelled (below the arc). The algorithm for transforming TT chains into temporal chains is simple.

SLIDE 43

Composition of temporal chains

(figure: a temporal chain with dates 1, 4, 6, 8 carrying a,b | b | c, × a temporal chain with dates 1, 3, 6, 7 carrying d,e | e,f | f, = a temporal chain with dates 1, 3, 4, 6, 7, 8 whose arcs 1 to 5 carry a,b and d,e | a,b and e,f | b and e,f | c and f | c)

The result shows which blocks can be executed on each interval, keeping blocks coming from different chains separate. A_b: the set of arcs of a block b. B_a: the set of blocks on an arc a.

SLIDE 44

Feasibility of temporal chains

(figure: the composed temporal chain of the previous slide, with dates 1, 3, 4, 6, 7, 8 and arcs 1 to 5 carrying a,b and d,e | a,b and e,f | b and e,f | c and f | c)

With b_n the time spent on block b during arc n:

$$\forall n \text{ arc}, \quad \sum_{b \in B_n} b_n \le |I_n|$$
$$\forall b \text{ block}, \quad \sum_{n \in A_b} b_n = \|b\|$$

For the chain above:

a1 + b1 + d1 + e1 ≤ 3 − 1
a2 + b2 + e2 + f2 ≤ 4 − 3
b3 + e3 + f3 ≤ 6 − 4
c4 + f4 ≤ 7 − 6
c5 ≤ 8 − 7

a1 + a2 = ||a||
b1 + b2 + b3 = ||b||
c4 + c5 = ||c||
d1 = ||d||
e1 + e2 + e3 = ||e||
f2 + f3 + f4 = ||f||

Theorem: feasibility of temporal chains

A temporal chain is feasible on a single-processor computer if, and only if, there is a solution to the previous equations.

SLIDE 45

Resolution using network flows

(figure: the flow network for the chain above: a source connected to each block with capacity ||a||, ||b||, ||c||, ||d||, ||e||, ||f||; each block connected with capacity ∞ to the arcs it can run on; arcs 1 to 5 connected to the sink with capacities 3−1, 4−3, 6−4, 7−6, 8−7)

Use a maximal flow algorithm. This allows a more efficient resolution than LP.
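An added example (not the project’s own code) of the feasibility test on this slide and the previous one: the composed temporal chain becomes the flow network, Edmonds-Karp computes the maximal flow, and the chain is feasible exactly when that flow equals the sum of the execution times. The execution times are constructed; feasible also returns the b_n assignment that the flow found.

```python
from collections import deque

# Constructed instance: the composed temporal chain of the slides.
# arc number -> (interval length |I_n|, blocks B_n executable on that arc)
ARCS = {1: (3 - 1, "abde"), 2: (4 - 3, "abef"), 3: (6 - 4, "bef"),
        4: (7 - 6, "cf"), 5: (8 - 7, "c")}

def max_flow(cap, src, sink):
    """Edmonds-Karp (shortest augmenting paths) on a dict-of-dicts residual
    graph; cap is modified in place, reverse edges end up holding the flow."""
    total = 0.0
    while True:
        parent, queue = {src: None}, deque([src])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 1e-12 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return total
        path, v = [], sink
        while v != src:
            path.append((parent[v], v))
            v = parent[v]
        aug = min(cap[u][v] for u, v in path)   # finite: source edges are
        for u, v in path:
            cap[u][v] -= aug
            cap[v][u] = cap[v].get(u, 0.0) + aug
        total += aug

def feasible(exec_times, arcs=ARCS):
    """Theorem of the previous slide as a max-flow problem: source -> block
    (capacity ||b||) -> arcs of A_b (capacity inf) -> sink (capacity |I_n|).
    Returns (is_feasible, {(b, n): b_n}); feasible iff the flow saturates
    every source edge, i.e. equals the total execution time."""
    cap = {"S": {}, "T": {}}
    for b, wb in exec_times.items():
        cap["S"][b] = float(wb)
        cap[b] = {}
    for n, (length, blocks) in arcs.items():
        cap[f"I{n}"] = {"T": float(length)}
        for b in blocks:
            if b in exec_times:
                cap[b][f"I{n}"] = float("inf")
    flow = max_flow(cap, "S", "T")
    assignment = {(b, n): cap[f"I{n}"][b] for n in arcs for b in arcs[n][1]
                  if cap[f"I{n}"].get(b, 0.0) > 1e-12}
    return abs(flow - sum(exec_times.values())) < 1e-9, assignment
```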

SLIDE 46

Conversion of TT automaton to temporal automaton

(figure: a TT automaton with nodes 1, 2, 3, 4 converted, step by step, to a relatively labelled automaton)

Steps:
1. Suppression of “no-constraint” nodes
2. “Partial relative” labelling
3. “Complete relative” labelling (needs duplicating nodes)

Other operations: expanding variable temporal constraints; expanding temporal constraints with a different clock → not a simple algorithm! The current OASIS algorithm: unfold everything and re-convert to an automaton.

SLIDE 47

Product of temporal automata

(figure: product of two temporal automata with blocks a, b, c, d, e; the product duplicates the blocks with indices (a1, a2, b1, b2, ...) and its nodes are labelled 1 to 4)

We assume all nodes are labelled by integers. Close to the classical product of automata (if we split nodes labelled n into n nodes labelled 1). Duplication of blocks → additional indices to differentiate them. Can be used to check e.g. mutual exclusion constraints. Size increases with the number of different automata.

SLIDE 48

Feasibility of temporal automata

Theorem

A temporal automaton is feasible on a single-processor computer if, and only if, there is a solution to the following equations:

$$\forall n \text{ arc}, \quad \sum_{b \in B_n} b_n \le |I_n| \quad (1)$$
$$\forall b \text{ block}, \quad \sum_{n \in A_b} b_n = \|b\| \quad (2)$$

It is immediate that a solution on the automaton gives a solution for every trace, but the opposite is more difficult to prove! So the steps for feasibility analysis are:
1. Convert TT automata into temporal automata
2. Combine them using the synchronized product
3. Use network flow and this theorem to perform the analysis
