designing predictable and robust systems tom henzinger uc berkeley and epfl
Post on 21-Dec-2015
217 views
TRANSCRIPT
![Page 1: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/1.jpg)
Designing Predictable and Robust Systems
Tom Henzinger UC Berkeley and EPFL
![Page 2: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/2.jpg)
System
Build & test
Bridge Aircraft Software etc.
Complexity Management in System Design
![Page 3: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/3.jpg)
System
Model
Calculate
Build & test
Abstract Predict
Applied Mathematics
Bridge Aircraft Software etc.
Complexity Management in System Design
![Page 4: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/4.jpg)
Engineering
Differential Equations Linear Algebra Probability Theory
Computer Science
Logic Discrete Structures Automata Theory
Mathematical Modeling: A Tale of Two Cultures
![Page 5: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/5.jpg)
Uptime: 125 years
![Page 6: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/6.jpg)
![Page 7: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/7.jpg)
Uptime: 125 years
Why can’t we do Software?
![Page 8: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/8.jpg)
Engineering
Theories of estimation. Theories of robustness.
Computer Science
Theories of correctness.
Why can’t we do Software?
R B
![Page 9: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/9.jpg)
Engineering
Theories of estimation. Theories of robustness.
Goal: build reliable systems.
Computer Science
Theories of correctness.
Temptation: programs are mathematical objects; hence we want to prove them correct.
Why can’t we do Software?
![Page 10: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/10.jpg)
B
Engineering Computer Science
The CHESS Premise: The pendulum has swung too far
R
![Page 11: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/11.jpg)
B
Engineering Computer Science
Embedded Systems are a perfect playground to readjust the pendulum.
RPhysicality Computation
The CHESS Premise: The pendulum has swung too far
![Page 12: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/12.jpg)
EmbeddedSystem
Execution constraints
CPU speed power failure rates
Reaction constraints
deadlines throughput jitter
Computation
algorithms protocols reuse
![Page 13: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/13.jpg)
EmbeddedSystem
Execution constraints
CPU speed power failure rates
Reaction constraints
deadlines throughput jitter
Computation
algorithms protocols reuse
Embedded System Design is generalized hardware design (e.g. System C).
![Page 14: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/14.jpg)
EmbeddedSystem
Execution constraints
CPU speed power failure rates
Reaction constraints
deadlines throughput jitter
Computation
algorithms protocols reuse
Embedded System Design is generalized control design (e.g. Matlab Simulink).
![Page 15: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/15.jpg)
EmbeddedSystem
Execution constraints
CPU speed power failure rates
Reaction constraints
deadlines throughput jitter
Computation
algorithms protocols reuse
Embedded System Design is generalized software design (e.g. RT Java).
![Page 16: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/16.jpg)
EmbeddedSystem
Execution constraints
CPU speed power failure rates
Reaction constraints
deadlines throughput jitter
Computation
algorithms protocols reuse
CHESS
![Page 17: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/17.jpg)
We need a new formal foundation for embedded systems, which systematically and even-handedly re-marries
computation and physicality.
The CHESS Challenge
![Page 18: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/18.jpg)
CHESS Results: Integration of the Two Cultures
Engineering
Component model: transfer function Composition: parallel Connection: data flow
Computer Science
Component model: subroutine Composition: sequential Connection: control flow
[Hybrid Systems; Ptolemy; Metropolis; Metamodels]
![Page 19: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/19.jpg)
Equational Models
Strengths:
Concurrency Quantitative constraints (time, power, QoS)
Tool support:
Best-effort design Optimization
Abstract-Machine Models
Dynamic change Complexity theory
Worst-case analysis Constraint satisfaction
CHESS Results: Integration of the Two Cultures
Engineers must understand both complexities and trade-offs [EECS 20].
![Page 20: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/20.jpg)
We need a new formal foundation for computational systems, which systematically and even-handedly re-marries
performance and robustness.
The Cyber-Physical Challenge
What is being computed? At what cost?
How does the performance change under disturbances? (wrong assumptions; change of environment; change of resources; failures; attacks)
![Page 21: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/21.jpg)
We need a new formal foundation for computational systems, which systematically and even-handedly re-marries
performance and robustness.
The Cyber-Physical Challenge
Subchallenge 1: build predictable software
Subchallenge 2: build robust software
![Page 22: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/22.jpg)
Subchallenge 1: Build Predictable Software
![Page 23: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/23.jpg)
Subchallenge 1: Build Predictable Software
Predictable = Deterministic
A system is deterministic if for every input behavior, the output behavior is unique.
![Page 24: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/24.jpg)
Subchallenge 1: Build Predictable Software
Predictable = Deterministic
A system is deterministic if for every input behavior, the output behavior is unique.
-internal (invisible) behavior need not be unique
-behavior includes all nonfunctional aspects of interest: for real-time systems, behavior includes time stamps
![Page 25: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/25.jpg)
Nondeterminism
Central to complexity theory: P v. NP
Central to abstraction:
-high-level programming languages: e.g. memory management
-algorithm design: as long as there exists an 0·i<n such that a[i]>a[i+1], swap a[i] and a[i+1]
-don’t cares: if input=0, then output=?
Central to concurrency: a||b = ab + ba
![Page 26: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/26.jpg)
Nondeterminism
Central to complexity theory: P v. NP
Central to abstraction:
-high-level programming languages: e.g. memory management
-algorithm design: as long as there exists an 0·i<n such that a[i]>a[i+1], swap a[i] and a[i+1]
-don’t cares: if input=0, then output=?
Central to concurrency: a||b = ab + ba
invisible
invisible
invisible
deterministic
![Page 27: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/27.jpg)
Nondeterminism
Central to complexity theory: P v. NP
Central to abstraction:
-high-level programming languages: e.g. memory management
-algorithm design: as long as there exists an 0·i<n such that a[i]>a[i+1], swap a[i] and a[i+1]
-don’t cares: if input=0, then output=?
Central to concurrency: a||b = ab + ba
invisible
invisible
invisible
deterministic
visible
a: x := x+1 b: x := 2x
![Page 28: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/28.jpg)
Nondeterminism
Central to complexity theory: P v. NP
Central to abstraction:
-high-level programming languages: e.g. memory management
-algorithm design: as long as there exists an 0·i<n such that a[i]>a[i+1], swap a[i] and a[i+1]
-don’t cares: if input=0, then output=?
Central to concurrency: a||b = ab + ba
Alternatives to threads:
actor models; transactional memory
invisible
invisible
invisible
deterministic
visible
less nondeterministic
![Page 29: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/29.jpg)
Can we build a real-time programming language that treats time in the way in which high-level languages treat memory?
-programmer specifies the time of outputs
-programmer assumes the platform offers sufficient performance
-compiler generates a suitable schedule or throws an exception
![Page 30: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/30.jpg)
The LET (Logical Execution Time) Programming Model
Software Task
read sensor input at time t
write actuator output at time t+d, for specified d
![Page 31: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/31.jpg)
time t time t+d
real execution on CPU buffer output
The LET (Logical Execution Time) Programming Model
![Page 32: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/32.jpg)
50% CPU speedup
Portability
![Page 33: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/33.jpg)
Task 2
Task 1
Composability
![Page 34: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/34.jpg)
Timing predictability: minimal jitter Function predictability: no race conditions
Determinism
![Page 35: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/35.jpg)
make output available as soon as ready
Contrast LET with Standard Practice
![Page 36: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/36.jpg)
data race
Contrast LET with Standard Practice
![Page 37: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/37.jpg)
But what about performance?
The Giotto project at UC Berkeley.
![Page 38: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/38.jpg)
Can we build a programming language that treats reliability in the way in which high-level languages treat memory?
-programmer specifies the mean-time to failure for outputs
-programmer assumes the platform offers sufficient reliability
-compiler generates a task replication mapping or rejects the program
[HTL project: Chatterjee et al.]
![Page 39: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/39.jpg)
Subchallenge 2: Build Robust Software
![Page 40: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/40.jpg)
Subchallenge 2: Build Robust Software
Robust = Continuous
A system is continuous if for all real-valued quantities, small input changes cause small output changes.
![Page 41: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/41.jpg)
Subchallenge 2: Build Robust Software
Robust = Continuous
A system is continuous if for all real-valued quantities, small input changes cause small output changes.
-8 >0. 9 >0. input-change · ) output-change ·
-can apply only to real-valued quantities: sensor readings and actuator settings; input and output time stamps
![Page 42: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/42.jpg)
A Program
kbfilter.c 12,000 lines of code
![Page 43: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/43.jpg)
A Program
kbfilter.c 12,000 lines of code
![Page 44: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/44.jpg)
A Program
kbfilter.c 12,000 lines of code
r
![Page 45: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/45.jpg)
An Error Trace
In general, programs are not continuous.
![Page 46: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/46.jpg)
More continuous:
read sensor value x at time t;compute “continuous” function y = f(x);write output value y at time t+d;
Less continuous:
read sensor value x; if x · c then ... else ...
![Page 47: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/47.jpg)
More continuous:
read sensor value x at time t;compute “continuous” function y = f(x);write output value y at time t+d;
Less continuous:
read sensor value x; if x · c then ... else ...
We need system preference metrics in addition to boolean correctness criteria.
[A Discounted Theory of Systems: de Alfaro et al.]
![Page 48: Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL](https://reader030.vdocument.in/reader030/viewer/2022032704/56649d6a5503460f94a49697/html5/thumbnails/48.jpg)
Summary
1. We need high-level programming models for building deterministic systems from nondeterministic parts.
2. We need system preference metrics for building continuous systems from noncontinuous parts.