sureal methodology and timing analysis innovations forum

Post on 05-Dec-2014


Slide 1: SuReal Methodology and Timing Analysis

Innovations Forum, 23.04.2009

Dr. James J. Hunt and Nico Feiertag, aicas GmbH and Symtavision

Slide 2: SuReal Development Process

Process steps and the artefact each step produces:
  Requirements Modelling         -> Platform-independent Model
  Platform Refinement            -> Platform-specific Model
  Code Generation and Extension  -> Annotated Source Code
  Compilation                    -> Executable Code

Verification activities along the process: High-level Timing Verification, Scheduling Verification, Technical / Functional Verification, Code Verification.

Slide 3: SuReal Tool Chain

Tool chain diagram (figure; only the labels are recoverable):
  Modelling:       UML Editor (Ameos), XMI Model Generator, UML Model, Annotated Model, Constraints Parser/Editor, Derived Annotations, FIBEX
  Code:            Code Generator (Ameos), Annotated Java Code, Augmented Java Code, javac, Class Files, Builder (JamaicaBuilder), Executable
  Artefact chain:  UML Model -> Java Code -> Byte Code -> Machine Code
  Analysis:        Data Flow (Veriflux), WCET Analyzer (aiT), Scheduling (SymTA/S)
  Model checking:  Verification Model -> UPPAAL, Model Checker (DFKI VSE)
  Development Verification: verification of Java code, high-level WCET analysis

Slide 4: Profile Comparison

  Profile                     USTP          MARTE         HIDOORS       SysML
  Annotations                 light weight  light weight  light weight  light weight
  Schedulability              ✔             ✔             ✔             ✘
  Performance Analysis        ✔             ✔             ✔             ✔
  Quality of Service          ✔             ✔             ✘             ✘
  Supports Defining Metrics   ✘             ✔             ✘             ✔
  Fault Tolerance             ✘             ✔             ✘             ✘
  Formal Semantics            ✘             partial       ✘             ✘
  Embedded Systems            ✘             ✔             ✔             ✘
  Realtime Systems            ✔             ✔             ✔             ✘
  Requirements Engineering    ✘             ✔             ✘             ✔
  Supports MDA                ✘             ✔             ✔             ✔
  UML 2.0 Compatibility       ✘             ✔             ✘             ✔
  OCL 2.0 Compatibility       ✘             ✔             ✘             ✔
  Nonlinear Refinement        ✘             ✘             ✘             ✘

Slide 5: SuReal Profile Views

Views: Design, Computational Environment, Operating Environment, Topology.
Axes of the view diagram: Software / Hardware and Application / Infrastructure.
Mappings between the views: Application Mapping, Architecture Mapping, Operation Mapping.

Slide 6: Diagram Usage

View vs. Diagram (views: Design, Topology, Operating Environment, Execution Environment):
  Class Diagram                X in one view
  State Diagram                X in one view
  Sequence Diagram             X in one view
  Composite Structure Diagram  X in all four views

Slide 7: Stereotypes

  Task Types        «SRTask» «SRPeriodicTask» «SRSporadicTask» «SRTriggeredTask»
  Structural Types  «SRLink» «SRPath» «SRCall» «SRNode» «SRProcessor» «SRNetworkSegment»
  Budget Types      «SRExecutionBudget» «SRReleaseBudget» «SRMessageBudget»
  Object Types      «SRDataStructure» «SRFrame» «SRMailbox» «SRMailboxGet» «SRMailboxSet»
  Other Types       «SROperationSystem» «SRBusProtocol» «SRPrioritySchedulerParameters»

Slide 8: Case Study 1 & 2: Design

Components: SpeedCalculator, SpeedController, SteeringController, LaneTracking, EmergencyBreak, SensorWatcher.
Signals / ports: RightLight, LeftLight, RightMotorSpeed, LeftMotorSpeed, SteeringAngle, Distance, Stop.

Slide 9: Case Study 1: Deployment

Node: NXT.

Slide 10: Case Study 1: Application Map

Node NXT hosts: SpeedController, SpeedCalculator, SteeringController, LaneTracking, EmergencyBreak, SensorWatcher.

Slide 11: Case Study 2: Deployment

Nodes: Controller and NXT, connected by a Bus.

Slide 12: Case Study 2: Application Map

Nodes: Controller and NXT, connected by a Bus.
Frames on the bus: FrameHost2NXT, FrameNXT2Host.
Components: SpeedController, SpeedCalculator, SteeringController, LaneTracking, EmergencyBreak, SensorWatcher.
Signals: Distance, RightLight, LeftLight, Stop, SteeringAngle, RightMotorSpeed, LeftMotorSpeed.

Slide 13: Case Study Infrastructure

Operating Environment
  Case 1: Single Processor: C code under NXTOsek
  Case 2: Two Processors: Realtime Java under VxWorks 6.5 RTP; C code under NXTOsek
Execution Environment
  Case 1: Single Processor: NXT Arm
  Case 2: Two Processors: PowerPC 603 and NXT Arm

Slide 14: Case Study 1: Code

C side: main, EmergencyBrake_states, LaneTracking_states, LoggingTask_states, SensorWatcher_states, SpeedCalculator_states, SpeedController_states, SteeringController_states

Slide 15: Case Study 2: Code

Java side: Controller, EmergencyBrake, LaneTracking, LoggingTask, SpeedCalculator, MasterTransferTask, FrameHost2NXT, FrameNXT2Host, NxtUsbDriver

C side: main, SensorWatcher_states, SpeedController_states, SteeringController_states, SlaveTransferTask_states

Slide 16: Hard Real-Time Systems

Controllers in planes, cars, plants, ... are expected to finish their tasks within reliable time bounds.

It is essential that an upper bound on the execution time of every task is known; this bound is commonly called the Worst-Case Execution Time (WCET).

The WCET is the prerequisite for system-level schedulability analysis.

Slide 17: Complex System Timing Behaviour

Figure (automotive E/E architecture; only the labels are recoverable): ECUs for ACC, ABS, ESP, ASR, engine control and powertrain control; CAN hardware and CAN basic software (BSW); RTE; software components SWC 1 to SWC 4; signals (SIG), a signal queue, message objects (MO), driver interrupts (INT), SEND and RECV paths.

Legend:
  Frame generation timing: cyclic and/or event-driven
  Buffering strategy: FIFO, priority ordered, hybrid
  Message objects: hardware buffers
  SIG: signal register
  SEND / RCV: COM layer tasks or interrupts
  INT: driver interrupt
  MO: message object (hardware buffer)

Slide 18: Methodology

Figure: probability distribution of execution times (axes: probability vs. execution time). Marked points, from left to right: best-case execution time, exact worst-case execution time, safe worst-case execution time estimate. Execution time measurement is marked as unsafe: measured values may lie below the exact worst case.

Slide 19: Two Levels of Timing Analysis

Code level (tool: aiT, AbsInt)
  Single process, task, ISR
  Focus on control flow and on the processor architecture with pipelines and caches

System level (tool: SymTA/S, Symtavision)
  Multiple functions or tasks
  Focus on integration and scheduling, periodic or event-driven activation, blocking, end-to-end timing

Slide 20: aiT + SymTA/S: Integration with Modeling Tool OpenAmeos

(Figure only.)

Slide 21: Customer Benefits

Capturing realtime behavior systematically: fast identification of bottlenecks; preventing integration problems
Planning timing early: predicting resource requirements; optimal dimensioning
Optimized development process: reduced number of prototypes; reduced testing effort
Reliable prediction of extendibility

Slide 22: Overview of Applied Techniques

Timing analysis, static code analysis, scheduling analysis

Slide 23: Application of Tools

Granularity axis, from finest to coarsest: assembler instruction, basic block, function, runnable, task, ECU, system (ECUs, buses).
AbsInt (aiT) is applied at the code end of the axis, Symtavision (SymTA/S) at the system end.

Slide 24: Workflow and Information Flow

SymTA/S side: system model (tasks, activations, scheduling); scheduling analysis (WCRT); system stack analysis.
aiT side: WCET/stack analysis of a single task.
Exchange between the tools: WCET/stack request from SymTA/S, request for additional info, WCET/stack response from aiT, refinement.

Slide 25: Integration with AbsInt aiT

Steps 1 to 3 (figure): request and response.
  SymTA/S requests a list of core execution times for different runnables, different modes and different processors.
  aiT returns the results.

Slide 26: Integration with AbsInt aiT: Results

Step 4 (figure). Enables verification and quick mapping exploration.

Slide 27: Veriflux: Data Flow Analysis

Extension of control flow analysis: data values are propagated as well.
Fixed point algorithm.
A necessary extension for object-oriented languages, because method dispatch is data dependent.
More precise than considering all possible subclasses at each call point.

Slide 28: DFA Applications

Worst-case execution time analysis; memory use (stack, heap, etc.); coverage and reachability; exception checking; shared object detection; synchronization (deadlocks)

Slides 29 to 44: Detecting Runtime Errors (animated build of a single example)

    ...
    if (device instanceof MyDevice) {
        MySensor s = (MySensor) device.sensor;
        int value = s.reading();
        ...
    }
    ...

Three runtime errors could occur in this fragment; the dataflow analysis rules each one out from the value sets it computes:
  NullPointerException on device.sensor:  ruled out ✔, since device != null holds inside the instanceof branch
  ClassCastException on (MySensor):       ruled out ✔ when values(MyDevice.sensor) contains only MySensor
  NullPointerException on s.reading():    ruled out ✔ when null ∉ values(MyDevice.sensor)

Slide 45: WCETA for Realtime Java

Language-dependent phase:
  Dataflow graph construction
  Path analysis, e.g. determining method call sets and loop bounds

Machine-dependent phase:
  Basic block timing analysis
  Cache analysis module
  Pipeline analysis module
  Branch prediction module
  Worst-case execution path discovery

Slide 46: WCETA Process for RTJava

  1. Process JML annotations
  2. Transform source
  3. Compile to bytecode
  4. Run full-program dataflow analysis
  5. Generate low-level WCETA tool annotations for critical methods
  6. Compile bytecode to machine code
  7. Run low-level WCETA tool

Slide 47: Loop Bound Annotations

  decreases [integer expression]     while loop, for loop, for-each loop
  measured_by [integer expression]   recursion
  invariant [boolean expression]     unbound variables

Slide 48: JML Decreases Clause

decreases [integer expression] for loops, measured_by [integer expression] for recursion. Both state that the expression starts at its initial value, never goes below zero, and loses at least one per iteration:

  [integer expression]_initial >= [integer expression] >= 0
  for each iteration i: [integer expression]_i >= [integer expression]_(i+1) + 1

Hence the initial value of the expression bounds the number of iterations.

Slide 49: While Loop Transform

Annotated source:
    //@ decreases elements.length - i;
    while (i < elements.length) {
        sum += elements[i++];
    }

Transformed source:
    { DFAHelper.captureBounds(elements.length - i); }
    while (i < elements.length) {
        sum += elements[i++];
    }

Slide 50: For Loop Transformation

Annotated source:
    //@ decreases elements.length - i;
    for (int i = 0; i < elements.length; i++) {
        sum += elements[i];
    }

Transformed source:
    { int i = 0; DFAHelper.captureBounds(elements.length - i); }
    for (int i = 0; i < elements.length; i++) {
        sum += elements[i];
    }

Slide 51: For Each Loop Transform 1

Annotated source:
    //@ ghost int i = elements.length;
    //@ decreases i;
    for (int entry : elements) {
        sum += entry;
        //@ set i--;
    }

Transformed source:
    { int i = elements.length; DFAHelper.captureBounds(i); }
    for (int entry : elements) {
        sum += entry;
    }

Slide 52: For Each Loop Transform 2

Unannotated source:
    for (int entry : elements) {
        sum += entry;
    }

Transformed source (the bound follows from the iterated array):
    { DFAHelper.captureBounds(elements.length); }
    for (int entry : elements) {
        sum += entry;
    }
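The three loop transforms above only record the entry value of the decreases expression; the rule of slide 48 is what makes that value a bound. As an added example (not SuReal or aicas code), the class below uses a hypothetical LoopVariant in place of DFAHelper.captureBounds(): it records the entry value and, unlike the real helper, re-checks after every iteration that the expression stayed non-negative and dropped by at least one, which is exactly why the iteration count can never exceed the entry value. The input array is constructed.

```java
/* Added example, not SuReal/aicas code. LoopVariant is a hypothetical stand-in for
 * DFAHelper.captureBounds(): it records the entry value of the decreases expression
 * and, unlike the real helper (which only records the bound for the static analysis),
 * re-checks the JML decreases rule after every iteration. */
public final class LoopBoundDemo {

    static final class LoopVariant {
        final int bound;        // value of the decreases expression at loop entry
        private int previous;   // value after the last completed iteration
        private int iterations;

        LoopVariant(int initial) {
            if (initial < 0)
                throw new IllegalStateException("decreases expression negative at entry: " + initial);
            bound = initial;
            previous = initial;
        }

        /** Call after each iteration with the new value of the decreases expression. */
        void afterIteration(int current) {
            iterations++;
            if (current < 0)
                throw new IllegalStateException("decreases expression went negative: " + current);
            if (current > previous - 1)
                throw new IllegalStateException(
                        "decreases expression did not decrease: " + previous + " -> " + current);
            // After k iterations the value is at most bound - k and still >= 0, so k <= bound.
            // The two checks above already guarantee this; the assertion makes the bound explicit.
            if (iterations > bound)
                throw new IllegalStateException("iterations exceeded bound " + bound);
            previous = current;
        }

        int iterations() { return iterations; }
    }

    /** While loop of slide 49: decreases elements.length - i. */
    static int sumWhile(int[] elements) {
        int sum = 0, i = 0;
        LoopVariant v = new LoopVariant(elements.length - i);   // DFAHelper.captureBounds(...)
        while (i < elements.length) {
            sum += elements[i++];
            v.afterIteration(elements.length - i);
        }
        return sum;
    }

    /** For loop of slide 50; the expression is read after the update i++ has run. */
    static int sumFor(int[] elements) {
        int sum = 0;
        LoopVariant v = new LoopVariant(elements.length);       // i == 0 at entry
        for (int i = 0; i < elements.length; i++) {
            sum += elements[i];
            v.afterIteration(elements.length - (i + 1));
        }
        return sum;
    }

    /** For-each loop of slide 51 with the ghost counter i. */
    static int sumForEach(int[] elements) {
        int sum = 0;
        int i = elements.length;                                // //@ ghost int i = elements.length;
        LoopVariant v = new LoopVariant(i);
        for (int entry : elements) {
            sum += entry;
            v.afterIteration(--i);                              // //@ set i--;
        }
        return sum;
    }

    /** A wrong annotation: "decreases i" on a loop that counts i upward. */
    static String wrongAnnotation(int[] elements) {
        int i = 0;
        LoopVariant v = new LoopVariant(i);
        try {
            while (i < elements.length) {
                i++;
                v.afterIteration(i);
            }
            return "accepted";
        } catch (IllegalStateException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        int[] elements = {3, 1, 4, 1, 5};   // constructed input
        System.out.println("while:    " + sumWhile(elements));
        System.out.println("for:      " + sumFor(elements));
        System.out.println("for-each: " + sumForEach(elements));
        System.out.println("bad:      " + wrongAnnotation(elements));
    }
}
```

For the for loop the expression is sampled after i++ so that each sample is strictly smaller than the previous one; sampling it before the update would make the first iteration look like no progress at all. The last function shows what a wrong annotation buys a static analysis: a bound of 0 that the very first iteration contradicts.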

Slide 53: Handling Dispatch Sets

Dispatch sets are calculated as part of the dataflow analysis; no annotations are necessary.
Veriflux determines two sets of values: the set of all invocations and the set of referenced values.
Call sets are determined for invocation sites, not just for each method: different invocations of the same method may have totally different call sets.
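As an added illustration of the value-set reasoning on the "Detecting Runtime Errors" slides and of the per-site call sets of this slide (example code, not Veriflux or any aicas code), the class below runs a deliberately small flow-insensitive value-set analysis to a fixed point over a constructed program. The class hierarchy, the field names, the stores and the receiver type are all assumptions made for the example. It then answers the three questions from the snippet (field read, cast, method call) and compares the call set derived from values(...) with the one obtained by considering every subclass of the static type. Java 16 or later for records.

```java
import java.util.List;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

/* Toy flow-insensitive value-set analysis (added example; everything below is constructed). */
public final class ValueSetDemo {
    static final String NULL = "null";

    /** Subclass -> direct superclass (constructed hierarchy). */
    static final Map<String, String> SUPER = Map.of(
            "MyDevice", "Device", "OtherDevice", "Device",
            "MySensor", "Sensor", "FastSensor", "MySensor", "OtherSensor", "Sensor");

    /** Classes that declare reading() themselves (constructed). */
    static final Set<String> DECLARES_READING = Set.of("Sensor", "FastSensor", "OtherSensor");

    /** One field store: rhs is "new:Cls", "null", or "copy:Other.field". */
    record Store(String field, String rhs) {}

    static boolean isSubtypeOf(String cls, String target) {
        for (String c = cls; c != null; c = SUPER.get(c)) if (c.equals(target)) return true;
        return false;
    }

    /** values(field) for every field, iterated to a fixed point: copies between
     *  fields feed each other's sets, so one pass is not enough in general. */
    static Map<String, Set<String>> valueSets(List<Store> program) {
        Map<String, Set<String>> values = new TreeMap<>();
        boolean changed = true;
        while (changed) {
            changed = false;
            for (Store s : program) {
                Set<String> target = values.computeIfAbsent(s.field(), k -> new TreeSet<>());
                if (s.rhs().startsWith("new:")) changed |= target.add(s.rhs().substring(4));
                else if (s.rhs().equals(NULL)) changed |= target.add(NULL);
                else changed |= target.addAll(values.getOrDefault(s.rhs().substring(5), Set.of()));
            }
        }
        return values;
    }

    /** Which of the three runtime errors of the slide snippet are ruled out (true)
     *  for a given values(MyDevice.sensor). */
    static Map<String, Boolean> checkSnippet(Set<String> sensorValues) {
        Map<String, Boolean> ruledOut = new LinkedHashMap<>();
        // device != null holds inside the instanceof branch, so the field read is safe.
        ruledOut.put("NullPointerException on device.sensor", true);
        // The cast succeeds for null and for every instance of MySensor or a subclass.
        ruledOut.put("ClassCastException on (MySensor)", sensorValues.stream()
                .allMatch(v -> v.equals(NULL) || isSubtypeOf(v, "MySensor")));
        // s.reading() is safe iff null is not among the possible values.
        ruledOut.put("NullPointerException on s.reading()", !sensorValues.contains(NULL));
        return ruledOut;
    }

    /** Call set of one invocation site s.reading(): resolve each possible receiver class. */
    static Set<String> callSet(Set<String> receiverValues) {
        Set<String> targets = new TreeSet<>();
        for (String v : receiverValues) {
            if (v.equals(NULL)) continue;
            for (String c = v; c != null; c = SUPER.get(c))
                if (DECLARES_READING.contains(c)) { targets.add(c + ".reading()"); break; }
        }
        return targets;
    }

    /** Class-hierarchy approximation: every subtype of the static type may be the receiver. */
    static Set<String> callSetByHierarchy(String staticType) {
        Set<String> receivers = new TreeSet<>();
        for (String c : SUPER.keySet()) if (isSubtypeOf(c, staticType)) receivers.add(c);
        receivers.add(staticType);
        return callSet(receivers);
    }

    public static void main(String[] args) {
        List<Store> program = List.of(                            // constructed program
                new Store("MyDevice.sensor", "new:MySensor"),
                new Store("MyDevice.sensor", "copy:Controller.spare"),
                new Store("Controller.spare", "new:FastSensor"),
                new Store("OtherDevice.sensor", "new:OtherSensor"),
                new Store("OtherDevice.sensor", NULL));
        Map<String, Set<String>> values = valueSets(program);
        for (String field : List.of("MyDevice.sensor", "OtherDevice.sensor")) {
            Set<String> vs = values.get(field);
            System.out.println(field + " = " + vs);
            checkSnippet(vs).forEach((err, ok) ->
                    System.out.println("  " + (ok ? "ruled out: " : "possible:  ") + err));
            System.out.println("  call set from value set: " + callSet(vs));
        }
        System.out.println("call set from class hierarchy (static type Sensor): "
                + callSetByHierarchy("Sensor"));
    }
}
```

For MyDevice.sensor the analysis finds {FastSensor, MySensor}, so the cast and the call are both safe and the call set is {FastSensor.reading(), Sensor.reading()}; for OtherDevice.sensor it finds {OtherSensor, null}, so both errors remain possible at that site and its call set is different, which is the point of slide 53. The hierarchy-based set for a receiver of static type Sensor additionally contains OtherSensor.reading(), the imprecision slide 27 refers to.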

Slide 54: AIS Annotations

Unevaluated method (known not to be called):
    snippet "jamaica_throwNull" is not analyzed and is never executed and takes exactly 0 cycles and uses exactly 0 bytes of stack and removes exactly 0 bytes of stack;

Dynamic dispatch:
    instruction "L1259_53_run@label" + 1 unpredictable calls jam_comp_javax_realtime_RealtLogic_48_run1, jam_comp_javax_realtime_Asyncndler_8_run16, jam_comp_javax_realtime_AEHTh00241_3_run1, jam_comp_javax_realtime_List_bject_23_run1;

Loop:
    loop file 'SpeedCalculator.java' line 180 max 10;

Slide 55: Realtime Java WCET Results

  Method                                   WCET (cycles)   WCET (time)
  SpeedCalculator.handleAsynchEvent()      328678          0.83 ms
  LaneTracking.handleAsynchEvent()         133925          0.339 ms
  EmergencyBreak.handleAsynchEvent()       100454          0.254 ms
  MasterTransferTask.handleAsynchEvent()   39059           98.634 us
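Slides 16, 19 and 24 say that these per-task WCETs are the input to the system-level scheduling analysis that produces worst-case response times (WCRT). As an added example of what that step computes (standard preemptive fixed-priority response-time analysis, not the SymTA/S algorithm or any Symtavision code), the class below feeds the four WCETs from this slide into the usual fixed-point iteration R = C_i + Σ_j ceil(R / T_j) · C_j over the higher-priority tasks j. The periods and priorities are assumptions made for the example; the WCET values are the ones on the slide.

```java
import java.util.List;

/* Added example, not SymTA/S code: classic fixed-priority response-time analysis
 * fed with the WCET values from the "Realtime Java WCET Results" slide. Periods and
 * priorities are assumed. */
public final class ResponseTimeDemo {

    /** A task with its worst-case execution time and activation period, both in microseconds. */
    record Task(String name, double wcetUs, double periodUs) {}

    /**
     * Worst-case response time of tasks.get(i) under preemptive fixed-priority
     * scheduling; the list is sorted by descending priority and deadline = period.
     * Iterates R = C_i + sum over higher-priority j of ceil(R / T_j) * C_j to a
     * fixed point. Returns -1 when R would exceed the period (task not schedulable).
     */
    static double responseTime(List<Task> tasks, int i) {
        Task t = tasks.get(i);
        double r = t.wcetUs();
        while (true) {
            double interference = 0;
            for (int j = 0; j < i; j++) {
                Task hp = tasks.get(j);
                interference += Math.ceil(r / hp.periodUs()) * hp.wcetUs();
            }
            double next = t.wcetUs() + interference;
            if (next > t.periodUs()) return -1;
            if (next <= r) return next;      // fixed point reached (the sequence never decreases)
            r = next;
        }
    }

    /** Processor utilization, sum of C_i / T_i. */
    static double utilization(List<Task> tasks) {
        double u = 0;
        for (Task t : tasks) u += t.wcetUs() / t.periodUs();
        return u;
    }

    public static void main(String[] args) {
        // WCETs from the slide (0.254 ms, 98.634 us, 0.339 ms, 0.83 ms); periods are assumed.
        List<Task> tasks = List.of(
                new Task("EmergencyBreak",     254,    1000),
                new Task("MasterTransferTask", 98.634, 1500),
                new Task("LaneTracking",       339,    3000),
                new Task("SpeedCalculator",    830,    6000));
        System.out.printf("utilization = %.3f%n", utilization(tasks));
        for (int i = 0; i < tasks.size(); i++) {
            double r = responseTime(tasks, i);
            System.out.printf("%-20s WCET %8.3f us  period %6.0f us  WCRT %s%n",
                    tasks.get(i).name(), tasks.get(i).wcetUs(), tasks.get(i).periodUs(),
                    r < 0 ? "not schedulable" : String.format("%.3f us", r));
        }
    }
}
```

With the assumed periods the iteration yields 254, 352.634, 691.634 and 1874.268 us: the lowest-priority SpeedCalculator is preempted twice by EmergencyBreak and twice by MasterTransferTask within its own response time, which is the kind of effect a per-task WCET alone cannot show and the reason the slides treat WCET as a prerequisite rather than the end of the analysis.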

Slide 56: Veriflux with aiT

(Figure only.)

Slide 57: Conclusion

Complete development process: capturing realtime behavior systematically, from model to executable, with full timing and schedulability analysis.

Supports object-oriented development: Realtime Java, static compilation and GC.

Improved development flexibility: up-front model checking, separation of concerns.
