From Models to Code: The Missing Link in Embedded Software Tom Henzinger University of California, Berkeley Joint work with Ben Horowitz and Christoph

From Models to Code: The Missing Link in Embedded SoftwareTom Henzinger University of California, Berkeley

Joint work with Ben Horowitz and Christoph Kirsch

The History of Computer Science: Lifting the Level of Abstraction

The “assembly age”: Programming to the platform

High-level languages: Programming to the application Compilation:

perhaps “the” success story of computer scienceIt is feasible to

abstract the platform.

The History of Computer Science: Lifting the Level of Abstraction

The “assembly age”: Programming to the platform

High-level languages: Programming to the application

Automatic program synthesis: No more programming

Compilation: perhaps “the” success story of computer science

Code generation from specifications: still mostly a dream

It is feasible to abstract the platform.

It is not yet feasible to abstract algorithms.

Current Practice in Control Software

Some manual programming to the platform

Some automatic code generation from models

-often inefficient -often unpredictable

-difficult to reuse -difficult to verify -requires systems experts

Current Practice in Control Software

Some manual programming to the platform

Some automatic code generation from models

The missing link: platform-independent software

-often inefficient -often unpredictable

-difficult to reuse -difficult to verify -requires systems experts

Advocated Practice in Control Software

Executable code for a specific platform

Mathematical model e.g. Simulink, HyTech

Platform-independent software e.g. Giotto

-verifiable -reusable -efficiently implementable

Control engineer

Compiler

Current Control Software Development

Mathematical Model e.g. Simulink, HyTech

Platform Constraints

Executable Code

-hardware configuration -RTOS (scheduling algorithm) -network protocol

some automatic code generation, some manual code

optimization

-CONCURRENCY -ENVIRONMENT TIME

-DISTRIBUTION -PLATFORM TIME

Current Control Software Development

Mathematical Model


Executable Code

Problems:

-close correspondence between model and code is lost with code optimization

-if either model or platform changes, the entire process needs to be repeated

some automatic code generation, some manual code optimization

Mathematical Model

Platform-independent Software Model e.g. Giotto


Executable Code

-executable by virtual machine -composable

An intermediate layer that separates platform-independent from platform-dependent software issues.

Advocated Control Software Development

Mathematical Model

Platform-independent Software Model


Executable Code

e.g. What is the control equation? What is the sampling rate?

e.g. Which procedure computes the control equation? Which event triggers the computation?

e.g. Which CPU executes the control procedure? What priority has the execution?

-still CONCURRENCY -still ENVIRONMENT TIME


Mathematical Model



Executable Code

Platform-independent programming i.e. algorithms and data structures

Platform-dependent code generation e.g. priorities

SEPARATION OF CONCERNS !!!


Motivation: Flight Control Software

ETH Zurich (Kirsch, Pree, Sanvido, Schaufelberger, Wirth). Single CPU.


UC Berkeley (Horowitz, Liebman, Ma, Koo, Sangiovanni-Vincentelli, Sastry). Two connected CPUs.


200 Hz400 Hz

200 Hz 1 kHz


1. Concurrent periodic tasks:

-sensing -control law computation -actuating

2. Multiple modes of operation:

-navigational modes (autopilot, manual, etc.) -maneuver modes (taxi, takeoff, cruise, etc.) -degraded modes (sensor, actuator, CPU failures)


Mode 1

Mode 4

Mode 3

Mode 2

Task S 400 Hz

Task C 200 Hz

Task A 1 kHz

Task S 400 Hz

Task C 200 Hz

Task A’ 1 kHz

Task C’ 100 Hz

Task A 1 kHz

Task S 400 Hz

Task C 200 Hz

Task A 2 kHz

Task A” 1 kHz

Condition 1.2

Condition 2.1


Host code e.g. C

Glue code Giotto

Functionality. -Environment time, not platform

time. -Concurrency, not distribution.


Timing and interaction.

This kind of software is understood: Host code may (sometimes) be generated automatically.

The software complexity lies in the glue code (minimize jitter!) : Giotto enables requirements-driven rather than platform-driven glue-code programming.

-No time. -Sequential.

1. The Giotto Programmer’s Model

2. The Giotto Compiler

The Giotto Programmer’s Model

Programming in terms of environment time:

Programmer’s fiction: -time-triggered task invocation

-tasks are functions with a fixed duration -platform offers sufficient performance

Implementation in terms of platform time:

Compiler must maintain programmer’s fiction: -needs access to global time, no other platform requirements -tasks may finish early, but outputs cannot be observed early -tasks may be preempted and distributed

Given: 1. Units of scheduled host code (application-level

tasks). e.g. control law computation

2. Units of synchronous host code (system-level drivers). e.g. device drivers

3. Real-time requirements and data flow between tasks.

Giotto: Glue code that calls 1. and 2. in order to realize 3.

TaskInput ports Output ports

Task Task driver loads task input ports.

The Giotto Programmer’s Model

Task

Driver

Input ports loaded.

Driver execution in environment time 0.

Task execution in environment time d.

Output ports read.

Sensor/output ports read.

Sensor Actuator

Actuator/input ports loaded.

Time t Time t Time t+d

Time t+d

d

Task duration

Environment Timeline (defined by Giotto semantics)

Task

Driver

Input ports loaded.

Output ports read.

Sensor

Time t Time t Time t+d

Time t+d

d

Task on CPU.

Actuator

Platform Timeline (chosen by Giotto compiler)

The Giotto compiler chooses for a given platform a platform timeline that is value equivalent to the environment timeline defined by the Giotto semantics.

Internal Determinism:

For a given sequence of sensor readings, the corresponding sequence of actuator settings is uniquely determined (i.e., there are no race conditions).

Platform Independence ensures Predictability

Navigation

Control

Simplified Helicopter Software

Sensors

Actuators

i

s

a10

5

Navigation

Control

Simplified Helicopter Software

Sensors

Actuators

i

s

a10

5

Matlab/legacy design

a ia

t+10ms

s

Task

Navigation Navigation

Control

t+10mst t t+5ms t+5ms

i

s s

Helicopter Software: Environment Timeline

Block of synchronous code (nonpreemptable)

Scheduled tasks (preemptable)

t+10ms

Task


Single-CPU Helicopter: Platform Timeline (EDF)

t+10mst+10mst t t+5mst+5ms t+7ms

HeliCtr

HeliNav

TDMA Slot

HeliNet

Two-CPU Helicopter: Platform Timeline (Time-triggered Communication)


HeliCtr

HeliNav

Message

HeliNet

Two-CPU Helicopter: Platform Timeline (Event-triggered Communication)

t+10ms

sensor gps_type GPS uses c_gps_device ;

actuator servo_type Servo := c_servo_init uses c_servo_device ;

output

ctr_type CtrOutput := c_ctr_init ;

nav_type NavOutput := c_nav_init ;

driver sensing (GPS) output (gps_type gps) { c_gps_pre_processing ( GPS, gps ) }

task Navigation (gps_type gps) output (NavOutput) { c_matlab_navigation_code ( gps, NavOutput ) }

…

Helicopter Software: Giotto Syntax (Functionality)

…

mode Flight ( ) period 10ms

{

actfreq 1 do Actuator ( actuating ) ;

taskfreq 1 do Control ( input ) ;

taskfreq 2 do Navigation ( sensing ) ;

}

…

Helicopter Software: Giotto Syntax (Timing)

Mode Switch

f

hg

f

2.55

1010

Mode m Mode m’

dd’

p s

5

p pd

Task

g

f

Mode Switch @ t+5ms Time

Mode Switch: Environment Timeline

pdp

Mode Switch finished @ t+5ms

Task

g

f

Time

s


d’pdp

Task

g

f

Timet+5mst+5ms

s


p d sp hd’

Task

g

f

Timet+7.5mst+5ms


sdp p d’

t+10ms

hd’hd’

Task

g

f


t+10ms

1. The Giotto Programmer’s Model

2. The Giotto Compiler

The Giotto Compiler

Giotto Program

Native Code Tasks and Drivers

Giotto-P Platform Specification

-topology (CPUs, nets) -performance (WCETs, latencies) -APIs (RTOSs, protocols)

Executables

Giotto Compiler

Functionality

Timing Interaction

Platform

“Failure”

either Giotto-P overconstrained, or compiler not smart enough (distributed scheduling problem)

or

Closing the Gap: Annotated Giotto

Giotto Program


Giotto-P-topology (CPUs, nets) -performance (WCETs, latencies) -APIs (RTOSs, protocols)

Executables

Giotto Compiler

Functionality

Timing Interaction

Platform

“Failure”

either Giotto-PM overconstrained, or compiler not smart enough (global scheduling problem)

or

Giotto-PM -assign tasks to CPUs -assign connections to nets

Map

Closing the Gap: Annotated Giotto

Giotto Program


Giotto-P

Executables

Giotto Compiler

Functionality

Timing Interaction

Platform

“Failure”

Giotto-PMC overconstrained (local scheduling problems solvable)

or

Giotto-PMMap

Giotto-PMCCommunication

-assign connections to TDMA slots (say)

-topology (CPUs, nets) -performance (WCETs, latencies) -APIs (RTOSs, protocols)-assign tasks to CPUs -assign connections to nets

Single-CPU Giotto Scheduling

Why is it simple?

-Static utilization test for each mode -Mode switches are memory-free

Theorem: Given a Giotto program and WCETs for all tasks, it can be checked in quadratic time if an EDF scheduler meets all deadlines.

[ host HeliCtr address 192.168.0.1;

host HeliNav address 192.168.0.2;

network HeliNet address 192.168.0.0 connects HeliCtr, HeliNav ]

…

mode Flight ( ) period 10ms

{

actfreq 1 do Actuator ( actuating ) ;

taskfreq 1 do Control ( input ) [ host HeliCtr ] ;

taskfreq 2 do Navigation ( sensing ) [host HeliNav;

push ( NavOutput ) to ( HeliCtr ) in HeliNet slots (7,10) ] ;

}

…

Two-CPU Helicopter: Annotated Giotto (Time-triggered

Communication)

Code Generation

Giotto Program


Giotto-P

Giotto Compiler

Functionality

Timing Interaction

Platform

Giotto-PMMap




or “Failure”

VxWorks

OSEK …

Code Generation: The Embedded Machine

Giotto Program


Giotto-P

Embedded Machine code

Giotto Compiler

Functionality

Timing Interaction

Platform

or

Giotto-PMMap




“Failure”

Embedded Machine interpreter

The Embedded Machine

-a virtual machine that mediates the interaction of physical processes (sensors and actuators) and software processes (tasks and drivers) in real time

-the Giotto compiler can be retargeted to a new platform by porting the Embedded Machine

Environment

Software

Software Processes: platform time

Environment Processes: environment time


Environment

Software

Schedulability

Reactivity


The Art of Embedded Programming

Environment

Software

Schedulability: time safety checking for platform time

Reactivity: programming in environment time (e.g. Giotto)

The Embedded Machine: Time is like Memory

Embedded Machine

Environment Ports

Task Ports

Driver PortsEmbedded Machine

task triggers

environment triggers

sense actuate

read write

call drivers


schedule tasks

e.g. clock

e.g. task completion

Enable trigger:future(g,B:) B:

Schedule task:schedule(T)

T

Call driver:call(d)

d

g

The Embedded Machine: Three Instructions

Execute driver d now.Hand task t over to the system scheduler (RTOS).

Have code B executed as soon as trigger g becomes true.

a ia

t+10ms

s

Task


Control

t+10mst t t+5mst+5ms

i

s s

B1: call(actuate)call(sense)call(input)schedule(Control)schedule(Navigation)future(now+5, B2:)relax

Giotto Code Generation: The Embedded Machine

a ia

t+10ms

s

Task


Control


i

s s

B2: call(sense)schedule(Navigation)future(now+5, B1:)relax

Giotto Code Generation: The Embedded Machine


Synchronous code:

-Embedded Machine instructions and drivers -kernel context (trigger-related interrupts disabled)

Scheduled code:

-tasks -user context (trigger-related interrupts enabled)


Task-triggered code:

-triggers on environment and task ports -observable behavior depends on environment and scheduler

Environment-triggered code:

-triggers only on environment ports -observable behavior depends on environment onlyAll Giotto programs result in environment-

triggered code.


Time-safe code:

No driver accesses a scheduled task before completion.

Time-live code:

There is no infinite synchronous computation.All Giotto programs result in time-live code. Time safety is checked by the Giotto compiler.

Alternatively, time safety violations can be can be handled through run-time exceptions.


Time Safety:

Violations due to combination of -insufficient synchrony

(environment events too frequent) -insufficient platform utilization (scheduler too weak) -insufficient platform performance (hardware too slow) Our approach therefore systematically integrates synchronous programming and scheduling theory.

The Giotto Project

Completed: www.eecs.berkeley.edu/~tah/giotto

-Software tools: Simulink to Giotto translator (Kirsch, Pree)

Giotto compiler for single-CPU targets (Kirsch) Embedded Machine for Linux and VxWorks (Kirsch) -Applications:

Lego Mindstorms (Horowitz, Kirsch, Majumdar) Zurich helicopter (Kirsch, Sanvido)

In progress:

-Software tools: Giotto scheduler for distributed platforms

(Horowitz) Time safety checker for Embedded Machine code (Kirsch, Matic) -Applications:

Berkeley helicopter (Horowitz, Liebman, Ma)Electronic throttle control (Kirsch)

Documents

From Models to Code: The Missing Link in Embedded Software Tom Henzinger University of California, Berkeley Joint work with Ben Horowitz and Christoph