Embedded Operating System Design


October 4, 2012
Doug Kelly

Embedded Platforms
  • What's different?
      • System-on-Chip (SoC) integrates components
      • Storage (MNAND, NOR, SD…)
      • Power requirements/management
      • May have memory management (MMU)
      • May have graphics processor (GPU)
      • May have direct memory access (DMA)
      • More specialized hardware
          • Digital signal processor (DSP)
          • GPS baseband processor
          • Camera/imaging processor

Embedded Platforms - Processors
  • ARM, MIPS, RISC?
  • ARM is RISC-based, sold as IP blocks
      • Core processor
      • Debugging coprocessor
      • GPU block (Mali), or 3rd-party vendors (SGX, Tegra)
      • Vector Floating Point (VFP)
      • NEON (SIMD processing architecture)
      • Memory management
      • Cache memory
  • 32-bit architecture
  • Three instruction sets (ARM, Thumb, Thumb2)

Embedded Platforms
  • Okay, so what?
      • Floating point is not free.
      • Time-critical tasks need servicing
      • Other devices may be using memory bus
      • May only have physical addressing
      • Storage is slow, cache is limited
  • Engineers need to solve this!

Floating point requires powering up the VFP core, saving old state, performing execution by loading into the VFP register set, and restoring state.
Mention display updates, GPS running at 1Hz, etc.
GPU instructions may stall the memory bus (and blocking calls may make this worse).
Physical addressing = memory fragmentation -> need defrag.
Discuss demand paging?

Operating System Design
  • Embedded OSes exist!
  • Home-grown, open-source or commercial
      • GarminOS
      • WindowsCE (Windows Embedded Compact)
      • VxWorks
      • QNX
      • Linux (RTLinux)
      • eCos
  • Handle scheduling by priority or round-robin

WinCE has 256 process priorities (8 for applications) and round-robin scheduling within a priority.

Operating System Design - Memory
  • RTOSes handle memory management
  • Some platforms don't have MMUs, now what?
  • May not be possible to use dynamic memory
      • Safest, most portable option.
      • Relies on static structures within program to use as scratch space
  • Design a malloc() replacement?
      • Need to mark memory in-use, so it isn't used while defragging memory
      • Pointer to allocated memory may change, so requires careful design

Operating System Design - Scheduling
  • Threads can be used to limit impact of non-critical failures in some applications
  • Priority systems guarantee most critical tasks run when needed
  • Lower priority tasks run when higher tasks are blocked in some form (may be waiting for next event)
  • But higher priority tasks could be blocked if a lower-priority task holds a resource!

Operating System Design - Scheduling
  • Priority inversion temporarily raises priority
      • Allows low-priority tasks to finish faster, unblocking high-priority tasks
  • Control your loops/recursion!
      • Some coding guidelines for embedded systems prohibit recursion, since it can quickly go without bound or exceed stack space.
      • A high priority task stuck in a runaway loop can result in an unresponsive or useless system.
  • Watch for deadlocks!
      • True in any OS, but may be catastrophic in some cases
      • Some RTOSes can detect deadlocks
      • Always reserve resources in the same order

Operating System Design - Interrupts
  • IRQ, FIQ
  • Come in many flavors
  • Hardware
      • External peripherals
      • DMA
      • Timers
          • Special-purpose hardware interrupt
          • Service watchdog timers, handle rescheduling, sometimes communication
  • Software
      • When good software goes bad
      • Data Abort: illegal memory access, page faults (if supported)
      • Pre-fetch Abort
      • Undefined Instruction
      • Division by zero, etc.

External peripherals could be I/O devices, such as a touchscreen or buttons; however, not all devices are necessarily interrupt-driven. Some input (sound?) might be sampled into a buffer (possibly through an interrupt), then polled later in software.

Timers are a special hardware interrupt: a clock frequency triggers the interrupt to fire, perhaps incrementing a system timer, scheduling other events to run, etc. May also be used with hardware watchdog timers: sometimes on-chip, sometimes off-chip, but they cause a reset should the system enter an unresponsive state (as determined by the watchdog not getting poked).

Software interrupts are generated by the processor when software encounters an error from which the processor cannot recover.

  • Data Abort (Windows: Access Violation, Linux: Segfault): when an illegal memory access occurs.
      • May be unmapped memory, generated by the MMU
      • May be non-word aligned access, generated by processor (ARMv6 and later allow this, but it is configurable, so it may still generate a data abort)
      • May be a page fault, if the OS supports paging. This is not an error, and will be handled in the OS's ISR.
  • Pre-fetch abort
      • Program counter went somewhere strange; processor could not fetch instruction
      • Very similar to data aborts, but will occur if PC is not aligned to a 2-byte boundary in Thumb/Thumb2, or word-aligned for ARM.
  • Undefined Instruction
      • Opcode read is illegal
      • Processor may not support this extension, or the extension's core may not be powered
      • Happens with VFP if the VFP is not on; may be used to enable the VFP on demand
      • May be a garbage opcode/corrupt memory
      • Could be a jump to an invalid address that didn't generate a prefetch abort

Operating System Design - Interrupts
  • ISRs used to handle interrupts
  • ISRs may have limitations imposed by OS, platform, or processor technology
      • Timing constraints
      • Access to memory
      • IRQ may be interrupted
      • Must not block!
  • Handling dependent on the interrupt vector table
      • Defines both exception and IRQ/FIQ handlers
  • Fast and efficient is the key!

Memory may be off, especially if the processor is in a low-power state.
Mobile DDR auto-refreshes, but may not be directly accessible in some power states.
May be running periodically to refresh memory in low-power states.
Timing considerations are important if the ISR must complete within so many clock cycles to ensure display refresh, for example.
IRQ may be interrupted by a higher-priority interrupt, or by a FIQ.
May have limited or no stack space; is run in its own register bank, independent of system registers.
Blocking would result in deadlock, so bad.

Operating System Design - IPC
  • Inter-process communication used to interact with the system at all levels
  • Hardware drivers have no business updating UI state, nor should UI touch hardware
  • Can also be used to process long-running jobs
  • May be simple events, or contain data
      • Who owns the data?
      • Which thread is the event processed on?
      • When is the event processed?
  • Callback functions to return control
  • Boost signals/slots
  • Object-Oriented Callbacks

Three types:
  • Event bits
  • Messages (with data): sets event bits
  • Notifications (with/without data): runs immediately on current thread, sent to listeners

Clearly define ownership/lifetime of data. With notifications, data may be invalid immediately after all listeners have been sent the notification (if data was on the stack).
Be careful of current thread/deadlock potential. Semaphore reservation may be very dangerous in notifications!
Since some messages only set an event bit, a message may mark a task as ready to run, but the task may still be blocked by higher priority tasks.
Messages with callback functions could be used to return execution on the right thread with a notification, or may facilitate additional processing after a long-running job (think plugins).

Boost: who said embedded systems can't be object oriented?
  • Signals/slots allow for the notification-style message, but are self-contained in a C++ structure
  • Might be applicable with messages to change executing thread?
  • Needed when dealing with C++ classes (handles all the magic under the "this" pointer)
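The "message with data sets an event bit" pattern, posted from an ISR that must not block, as an added example that is not part of the original slides. All names (isr_post, task_take_events, task_poll, EVT_MSG, EVT_LOST) are hypothetical, and the queue assumes exactly one ISR posts and exactly one task drains.

```c
/* Added example, not code from the slides; every name here is hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define QLEN     4u           /* power of two, so wrap-around is a mask   */
#define MSG_MAX  16u
#define EVT_MSG  (1u << 0)    /* a message was queued                     */
#define EVT_LOST (1u << 1)    /* a message was dropped (full or oversize) */
typedef struct { uint8_t len; uint8_t data[MSG_MAX]; } msg_t;
static msg_t q[QLEN];
static atomic_uint head, tail;   /* head: ISR only; tail: task only */
static atomic_uint event_bits;

/* ISR side: never waits. The payload is copied, so the queue owns its copy
   and the sender's buffer (often on the ISR stack) may be reused at once. */
bool isr_post(const void *buf, size_t len)
{
    unsigned h = atomic_load_explicit(&head, memory_order_relaxed);
    unsigned t = atomic_load_explicit(&tail, memory_order_acquire);
    if (len > MSG_MAX || h - t == QLEN) {       /* drop instead of blocking */
        atomic_fetch_or(&event_bits, EVT_LOST);
        return false;
    }
    msg_t *m = &q[h & (QLEN - 1u)];
    m->len = (uint8_t)len;
    memcpy(m->data, buf, len);
    atomic_store_explicit(&head, h + 1u, memory_order_release);
    atomic_fetch_or(&event_bits, EVT_MSG);      /* marks the task ready */
    return true;
}

/* Task side: fetch-and-clear the bits BEFORE draining, so a post that races
   with the drain sets EVT_MSG again instead of being missed. */
unsigned task_take_events(void) { return atomic_exchange(&event_bits, 0u); }

/* Task side: copy one message out. Returns its length, or -1 when the queue
   is empty or the caller's buffer is too small (the message stays queued). */
int task_poll(void *out, size_t cap)
{
    unsigned t = atomic_load_explicit(&tail, memory_order_relaxed);
    unsigned h = atomic_load_explicit(&head, memory_order_acquire);
    const msg_t *m = &q[t & (QLEN - 1u)];
    if (h == t || m->len > cap) return -1;
    int n = m->len;              /* read before the slot is handed back */
    memcpy(out, m->data, (size_t)n);
    atomic_store_explicit(&tail, t + 1u, memory_order_release);
    return n;
}
```

A full queue sets EVT_LOST rather than stalling the interrupt, so the task can tell that input was dropped and resynchronise.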

Debugging
  • JTAG
      • Closest to processor, can access entire memory bus
      • May be useful for saving snapshot of device state for future analysis.
      • Can also load code into RAM and reset registers (but peripherals may not reset!)
  • WinCE: KITL
      • Kernel level transport, has a fair amount of control
      • Allows developer to see into kernel calls
      • WinCE also supports Visual Studio Remote Debugging
  • Linux/Other: GDB
      • Can be implemented on many platforms; gdb has stubs
  • Don't rule out printf()!

Doug Kelly
Software [email protected]?
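Returning to the malloc() replacement raised on the Memory slide: an added example, not code from the presentation, of a handle-based allocator over a static pool. A block is marked in-use (pinned) while a caller holds a raw pointer to it and is otherwise free to move during defragmentation. All names (h_alloc, h_lock, h_unlock, h_free, h_compact) are hypothetical.

```c
/* Added example, not code from the slides; every name here is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define POOL_SIZE  64u
#define MAX_BLOCKS 8
typedef struct { size_t off, size; unsigned pins; } block_t; /* size 0: free slot */
static uint8_t pool[POOL_SIZE];      /* static scratch space, no heap */
static block_t blk[MAX_BLOCKS];      /* handle table */
static size_t  top;                  /* first byte above the highest block */

static block_t *get(int h)           /* NULL for an invalid or freed handle */
{ return (h >= 0 && h < MAX_BLOCKS && blk[h].size) ? &blk[h] : NULL; }

/* Defragment: visit live blocks in address order and slide each unpinned one
   down. Pinned (in-use) blocks stay put, so pointers to them remain valid. */
void h_compact(void)
{
    size_t dst = 0, bound = 0;
    for (;;) {
        block_t *b = NULL;           /* lowest live block not yet visited */
        for (int i = 0; i < MAX_BLOCKS; i++)
            if (blk[i].size && blk[i].off >= bound && (!b || blk[i].off < b->off))
                b = &blk[i];
        if (!b) break;
        bound = b->off + b->size;
        if (b->pins == 0 && b->off != dst) {
            memmove(pool + dst, pool + b->off, b->size);
            b->off = dst;            /* same handle, new address */
        }
        dst = b->off + b->size;
    }
    top = dst;
}

int h_alloc(size_t size)             /* returns a handle, or -1 on failure */
{
    int h = 0;
    while (h < MAX_BLOCKS && blk[h].size) h++;     /* find a free slot */
    if (size == 0 || h == MAX_BLOCKS) return -1;
    if (POOL_SIZE - top < size) h_compact();
    if (POOL_SIZE - top < size) return -1;
    blk[h] = (block_t){ top, size, 0 };
    top += size;
    return h;
}
/* Pin and return the current address; use it only until h_unlock(). */
void *h_lock(int h)  { block_t *b = get(h); if (!b) return NULL; b->pins++; return pool + b->off; }
void h_unlock(int h) { block_t *b = get(h); if (b && b->pins) b->pins--; }
int h_free(int h)    { block_t *b = get(h); if (!b || b->pins) return -1; b->size = 0; return 0; }
```

A freed slot is reused by the next allocation, so production code would add a generation counter to each handle to reject stale ones.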