Towards programming safety critical systems in java
This presentation is the property of its rightful owner.
Sponsored Links
1 / 66

Towards Programming Safety Critical Systems in Java PowerPoint PPT Presentation


  • 113 Views
  • Uploaded on
  • Presentation posted in: General

Towards Programming Safety Critical Systems in Java. Bent Thomsen Aalborg University. Joint work with:. Martin Schoeberl Institute of Computer Engineering Vienna University of Technology, Austria Hans Søndergaard Vitus Bering University College Stephan Korsholm

Download Presentation

Towards Programming Safety Critical Systems in Java

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Towards programming safety critical systems in java

Towards Programming Safety Critical Systems in Java

Bent Thomsen

Aalborg University


Joint work with

Joint work with:

  • Martin Schoeberl

    • Institute of Computer Engineering

      Vienna University of Technology, Austria

  • Hans Søndergaard

    • Vitus Bering University College

  • Stephan Korsholm

    • Polycom (former KIRK telecom) and CISS

  • Anders P. Ravn, Thomas Bøgholm, Henrik Kragh-Hansen, Petur Olsen, Kim G. Larsen, Rene R. Hansen and Lone Leth Thomsen

    • CISS/Department of Computer Science

      Aalborg University


Computers today

Computers today

A computer is a grey box full of black smoke.

When the black smoke escapes the computer

does not work any more

Anonymous CS student


Some have a broader view

Some have a broader view


But what about these

But what about these?


Especially this one

Especially this one

  • JOP - Java Optimized Processor


Embedded systems

Embedded Systems

• Computer purchased as part of some other piece of equipment

– Typically dedicated software (may be user customizable)

– Often replaces previously electromechanical components

– Often no “real” keyboard

– Often limited display or no general purpose display


Real time systems landscape

Real-time Systems Landscape

  • Interaction software

    • Psychology

  • Signal processing

    • Compute as much as possible within deadline

  • Media processing

    • QoS, graceful degradation

  • Control software

    • Catastrophic consequences of missed deadlines


High integrity embedded real time systems

High Integrity Embedded Real-Time Systems

  • Implemented in hardware

  • Customized components

  • Hardware specific software

  • Poor reusability

  • Specially trained programmers

    • Assembler and C (and C++) dominate embedded systems programming

    • Still at lot of Ada programming going on


What is the problem

What is the problem?

  • Sheer number of systems

  • Poor programmer productivity

    • Fewer and fewer C/C++ programmers


How to increase programmer productivity

How to increase Programmer Productivity?

3 ways of increasing programmer productivity:

  • Process (software engineering)

    • Controlling programmers

    • Good process can yield up to 20% increase

  • Tools (verification, static analysis, program generation)

    • Good tools can yield up to 10% increase

  • Better designed Languages --- the center of the universe!

    • Core abstractions, mechanisms, services, guarantees

    • Affect how programmers approach a task (C vs. SML)

    • New languages can yield 700% increase


Why java

Why Java

  • Easy to learn

  • Early (first) programming language

  • Object oriented

  • Industrial strength

  • Platform independent

  • Concurrent

  • (Almost) Well-defined semantics


Java is all around us

Java is all around us

1B installed

base in 2006

2004

2005

2006

2007

2008


Even in space

Even in space


Java disadvantages wrt real time

Java Disadvantages wrt. Real-time

  • Unpredictable performance

    • Scheduling

    • Memory

    • Control and data flow

  • Automatic garbage collection

  • Dynamic class loading


Real time specification for java

Real-Time Specification for Java

  • RTSJ for short

  • First JSR request (JSR-001)

  • Still not completely finished

  • Implementations

    • Timesys RI

    • OVM (Purdue)

    • PERCS (AONIX),

    • JamaicaVM (AICAS)

    • McKinack (SUN) based on Hotspot

    • Websphere (IBM) based on J9


Rtsj guiding principles

RTSJ Guiding Principles

  • Backward compatibility to standard Java

  • Write Once, Run Anywhere

  • Reflects current real-time practice

  • Predictable execution

  • No Syntactic extension

    • But subtle changes to semantics

  • Allow implementation flexibility


Rtsj overview

RTSJ Overview

  • Clear definition of scheduler

  • Priority inheritance protocol

  • NoHeapRealtimeThread

  • BoundAsyncEventHandler

  • Scoped memory to avoid GC

  • Low-level access through raw memory

  • High resolution time and timer

  • Targeted at larger systems

    • implementation from Sun requires a dual UltraSparc III or higher with 512 MB memory and the Solaris 10 operating system


Rtsj subset

RTSJ Subset

  • Ravenscar Java

    • Name from Ravenscar Ada

    • Based in Puschner & Wellings paper

  • Profile for high integrity applications

  • RTSJ compatible

  • No dynamic thread creation

  • Simplified scoped memory

  • Targeted at Java 2 Micro Edition

  • Implementations?

    • Partial on aJ-100 at CISS/AAU


Observation

Observation

There is essentially only one way to get a more predictable language:

  • Namely to select a set of features which makes it controllable.

  • Which implies that a set of features can be deselected as well


The bottom up approach

The bottom up approach

  • take the Java language and its associated VM

  • provide low level access to physical memory (and interrupts),

  • add an interface to a scheduler which is some mechanism that gives predictability to thread execution, and which implements some policy that is specified through release and scheduling parameters,

  • add an interface to some memory areas controlled by mechanisms that may give more predictable allocation of objects,

  • add some mechanism to make synchronization more predictable,

  • add new classes of asynchronous events and their handlers, and internal event generators called timers related to clocks,

  • and try to come to terms with asynchronous transfer of control and termination.


Life is complicated enough

Life is complicated enough

  • apart from 1 and 2, the remaining ”enhancements” complicate life for a programmer

  • source program for an application becomes a mixture of

    • application specific requirements

      • (deadlines, periods, binding of external events, and program logic),

    • parameters for controlling policies of the underlying middleware mechanisms

      • (cost, priority, importance, event queue sizes, memory area sizes),

    • parameters for tuning or sidestepping the mechanisms

      • (miss handlers, timers).


Our target community

SC Java

Our Target Community

Real-Time

Computing

Control

Engineering

Control in Real-Time Computing

Real-Time Programming Techniques

in Control System Implementation


A typical embedded program

A typical embedded program

Cruise control:

Loop

Read the sensors;

Compute speed;

if speed too high

Compute pressure for brake pedal;

if speed too low

Compute pressure for accelerator;

Transmit the outputs to actuators;


Foss winescan case study

FTIR instrument

Interfero-gram

enclosed in a Thermobox

FOSS WineScan Case Study

  • FTIR technology: Fourier Transform Infrared Spectroscopy


Interferometer functional requirements

Interferometer functional requirements

The instrument

  • Temperature reading and regulation

    • thermobox, cuvette, interferometer, IR-source

      • reading: 5 times/sec

      • regulation: 1 time/sec

  • Interferometer measurement

    • move the mirror and read IR-detector

      • every 333 µs

      • up to 3200 times in a scan

    • an interferometer measurement

      • 32 scans

Thermobox


Our approach

Our approach

  • the Java language and machine supported by existing RT mechanisms and policies

  • low level access to hardware, since hardware abstraction layers are yet in the future

  • plus periodic and sporadic threads with application specific parameters, including program logic


The aim

The Aim

  • An easy to use framework

  • Simplified program analysis

  • Easy to implement on embedded systems

  • Minimum implementation details

  • J2ME programmers should be able to learn to use SC Java in a day


Sc java programming model

SC Java Programming Model

Initialized: An RT application is in the Initialized state until

the initialization code of the RealTimeSystem has

run to completion and its start method has not been

invoked. Application threads and passive objects are

created and initialized here. Threads are not started.

Mission: An RT application is in the Mission state when

it has returned from its start method which starts all

threads.

Stop: An RT application is in the Stop state when it has

returned from the stop method which waits for threads

to perform their optional cleanup.


Difference to rtsj

Difference to RTSJ

  • No Initializer Thread

    • Done as part of main method

  • No WaitForNextperiod

    • Scheduler does this

  • No priorities

    • Programmer Specify deadline and periods

    • Scheduler calculates priorities


Only few concepts

Only few concepts

  • Periodic Threads

  • Sporadic Threads

  • RunTimeSystem

  • Relative Time

  • Immortal and Raw Memory


Schedulable entities

Schedulable Entities

All schedulable entities (periodic and sporadic) are represented by threads.

The abstract class RealtimeThread has two methods:

  • run()

    • the run logic to be executed every time the thread is activated

  • cleanup()

    • a clean-up method to be executed if the system should be shut down or stopped

      Initialize is done in main()


The class diagram

The Class Diagram


The realtimethread class

The RealtimeThread Class


Periodicthread

PeriodicThread


Sporadicthread

SporadicThread


The runtime system

The Runtime System


An example

An example


Implementations of sc java

Implementations of SC Java

  • On Ajile aJ-100 and JOP

    • Use existing schedulers and threads

  • On Mechatronic Brick and Polycom (Kirk)

    • Currently experimenting with JamVM

  • Implementation on RTSJ underway


What about program analysis

What about Program Analysis?

  • Traditional approaches to analysis of RT systems are hard and conservative

  • Alternatives via:

    • Java PathFinder

    • SARTS

      • WCET and Schedulability on JOP


Utilisation based analysis

Utilisation-Based Analysis

  • A simple sufficient but not necessary schedulability test exists

Where C is WCET and T is period


Response time equation

Solve by forming a recurrence relationship:

The set of values is monotonically non decreasing

When the solution to the equation has been found,

must not be greater that (e.g. 0 or )

Response Time Equation

Where hp(i) is the set of tasks with priority higher than task i


Java pathfinder

Java Code

Bytecode

void add(Object o) {

buffer[head] = o;

head = (head+1)%size;

}

Object take() {

tail=(tail+1)%size;

return buffer[tail];

}

JAVAC

JVM

0: iconst_0

1: istore_2

2: goto#39

5: getstatic

8: aload_0

9: iload_2

10: aaload

Model

Checker

Special

JVM

Java PathFinder


Sarts

SARTS

  • WCET and Schedulability analyzer for Java programs written in the SCJ profile (PRTJ)

  • Assumes correct Loop bounds annotations

  • Generated code to be executed on JOP

  • Generates Timed Automata

  • Control flow graph with timing information

  • Uppaal Model-checker checks for deadlock


Sarts overview

SARTS Overview


Java to uppaal

Java to UPPAAL


Timed automata templates

Translation of Basic Blocks into states and transitions

Patterns for:

Loops

Monitor statements

If statements

Method invoke

Sporadic task release

Timed Automata templates


Simple models of rm scheduler

Predefined models

Scheduler

Periodic Task

Sporadic Task

Simple models of RM scheduler


Periodic task sporadic task

Periodic Task/Sporadic Task


Sarts can do better than utilisation test

Example

One periodic task

Two sporadic tasks

Mutually exclusive

SARTS can do better than utilisation test


Sarts can do better than utilisation test1

SARTS can do better than utilisation test

  • Period: 240

  • Minimum inter-arrival time: 240

  • Periodic cost: 161

  • Sporadic cost: 64

  • Utilisation test fails:


Time line

Time Line


Real time sorting machine

real-time sorting machine


Sarts future work

SARTS future work

  • Cache analysis

  • Different scheduling strategies

  • Memory usage analysis

  • Multicore

  • IDE integration


Java objects project

B

J

J

J

O

Java Objects Project

  • CISS/DPT CS AAU

  • Vitus Bering Denmark

  • Polycom (Kirk telecom A/S)

  • Wirtek A/S

  • Mechatronic Brick ApS

  • Aalborg Industries A/S

  • Prevas A/S

  • Teknologisk Institut


Project objectives

Project Objectives

  • Porting JVM on various hardware platforms

  • WCET and other prgl. analysis

  • Integration into IDE (eclipse)

  • Legacy programming (not JNI)

  • Applications, applications …


The missing parts

The missing parts

  • Standard Libraries

  • Generalised phases

  • Generalised WCET analysis

    • Works for JOP!

  • Memory usage analysis

  • Memory mechanisms

    • Immortal and local (with weak references) memory


Standard library

Standard Library

  • Problems with existing libraries:

    • Use a lot of dynamic allocations

    • Bad for WCET and memory usage

    • Focus on improved average performance

  • Javolution

    • Reuse memory

    • Focus on WCET, but no guarantees

    • Focus on predictability


Standard library1

Standard Library

  • Canteen

    • Implements List, Set and Map

    • WCET analysis possible

    • Does not throw exceptions

    • No memory allocation in mission phase

    • Support for generics

    • Use standard interfaces (almost)


Generalised phases

Generalised Phases

  • JSR 302 proposal by The Open Group:


Generalised mode change

Generalised Mode Change


Mode change requirements

Mode Change Requirements

Requirements the transition from mode mi to the next mode mj must satisfy:

R1. When a Mode Change Request (MCR) has occurred, a transition from mode mi to mode mj must take place

R2. Continuing tasks belonging to both mode mi and mode mj are permitted

R3. A mix of old tasks from mode mi and new tasks from mode mj must not be concurrently active

R4. All real-time requirements of the system must be met (deadlines, periods, etc.)

R5. The mode changes of the system must happen within a bounded time δt


Mode change contract

Mode Change Contract

C1. Each mode m in {m1,..,mn} has a fixed set of periodic or sporadic tasks τ(m) which are individually schedulable under a given scheduling discipline

C2. A specific event, MCR, is designated as request to change from a current mode mi to a new mode mj

C3. When a MCR occurs, the task set τ(mi) of the current mode mi remains active till a time-interval, Δt idle, within a delay δt(mi) after MCR, after which the task set τ(mj) of mode mj is active

C4. Periodic and sporadic tasks that occur in both mi and mj remain periodic and sporadic over the mode change


Sc java programming model1

SC Java Programming Model

  • Periodic/sporadic tasks with constant period, hard deadline, and known WCET

  • Just a model:

    • Does not fit all control problems

    • Overly restrictive for many control problems


Jsr 302

JSR 302

  • Safety Critical Java Technology

  • This specification creates a J2ME capability, based on the Real-Time Specification for Java (JSR-1), containing minimal features necessary for safety critical systems capable of certification, e.g., DO-178B


  • Login