Upload
hahanh
View
218
Download
4
Embed Size (px)
Citation preview
Multicore and Functional Safety; Solutions for new challenges
Dheeraj Sharma
June 2016
Multicore and Functional Safety; Solutions for new challenges
Agenda
© Elektrobit (EB), 2012 / Confidential 2
• The Trend towards Multicore
• What is Functional Safety ?
• Multicore in AUTOSAR
• Challenges presented by Multicore
• Summary
The Trend towards Multicore
Next generation of car infrastructure
3
• Domain Controllers will be huge multi-MCU
and Multicore systems
‒ ECU independent function
‒ Connected to Actuator / Sensor ECUs
‒ Reloadable functions
‒ Connected via Automotive Ethernet
• Domain ECUs will be “small” Multicore or
single core systems
‒ Hard real time
‒ I/O handling
‒ Safety functions
Powertrain
Domain
Controller
Body
Domain
Controller
Infotain.
Domain
Controller
Chassis
Domain
Controller
Powertrain ECUs
Body ECUs
Chassis ECUs
Infotainment ECUs
Eth
erne
t
…
The Trend towards Multicore
Evolution of Desktop-CPU Performance
© Elektrobit (EB), 2016 4
0
1
2
3
4
5
6
7
8
9
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014
PE
RF
OR
MA
NC
E
CPU RELEASED IN YEAR
Performance
Single-Core
Performance
Multi-Core
Source: Data from c‘t 7/2014, p. 127
Embedded CPUs
today?
The Trend towards Multicore
Typical HW architecture (Infineon AURIX TC27x)
© Elektrobit (EB) 2016 5
3 cores
heterogeneous
(2 lockstep)
Split I/D
scratchpad /
cache (non-coherent)
per core
Shared ECC RAM
(single-ported)
Cross-bar
(i.e. bus per slave)
Read-modify-write
support
Source: Datasheet AURIX TC27xT
Multicore and Functional Safety; Solutions for new challenges
Agenda
© Elektrobit (EB), 2012 / Confidential 6
• The Trend towards Multicore
• What is Functional Safety ?
• Multicore in AUTOSAR
• Challenges presented by Multicore
• Summary
The Importance of Functional Safety
From IEC 62304 Standard:
“There is no known method to guarantee 100 % safety for any kind of software.
There are three major principles which promote safety for medical device software:
1. Risk management
2. Quality management
3. Software engineering”
© Elektrobit (EB), 2016 7
The Importance of Functional Safety
Risk Control as part of risk management
• The goal of risk control is to reduce the risk to an “acceptable level”.
• Methods of risk control (in order of preference!):
1. Eliminate the risk (by design)
Easiest by omitting the functionality which creates the risk.
2. Implement protective measures
E.g., fault detection, prevention of fault propagation (freedom from interference), …
3. Provide adequate information
E.g., warnings, guidance in the safety manual, …
© Elektrobit (EB), 2016 8
The Importance of Functional Safety
ISO 26262: Freedom from Interference
Memory
• Unintended writing to memory of another partition
• Register/Configuration corruption due to unintended writing to
processor registers
CPU Time
• Blocking of partitions
• Wrong allocation of processor execution time
Communication
• Loss of communication
• Insertions of messages
© Elektrobit (EB), 2016 9
Functional Safety in AUTOSAR
Memory Partitioning
10
Safety E2E
Protection
MCAL (ASIL)
ASIL
CDD
QM
SW-C
BSW
MCAL
ASIL
SW-C
Safety
TimE
Protection
WdgPartitions
Sa
fety
OS
Safety OS:
• Data Protection
• Stack Protection
• Context Protection
• OS Protection
• Hardware Error
management
Safety E2E Protection
for safe communication
to other ECUs
Safety TimE Protection
for alive supervision,
deadline and
control flow
monitoring
Safety RTE
Safety RTE for protected
communication between
Memory Partitions
Memory COM
Safety RTE
© Elektrobit (EB), 2016
Multicore and Functional Safety; Solutions for new challenges
Agenda
© Elektrobit (EB), 2012 / Confidential 11
• The Trend towards Multicore
• What is Functional Safety ?
• Multicore in AUTOSAR
• Challenges presented by Multicore
• Summary
AUTOSAR and Multicore
Multicore in AUTOSAR 4.0
© Elektrobit (EB) 2016 12
Core 0
Runtime Environment
Microcontroller Drivers Memory Drivers
Memory Hardware
Abstraction
Memory ServicesSystem Services
Onboard Device
Abstraction
Communication Drivers
Communication
Hardware Abstraction
Communication
Services
Application 0
Core 1
Application 1
Concurrent
access to
comm. service Inter-core
communication
for each callPotentially
synchronous
calls
AUTOSAR and Multicore
Basic Software Distribution in AUTOSAR >4.0
© Elektrobit (EB) 2016 13
Core 0
Runtime Environment
Microcontroller Drivers Memory Drivers
Memory Hardware
Abstraction
Memory ServicesSystem Services
Onboard Device
Abstraction
Communication Drivers
Communication
Hardware Abstraction
Communication
Services
Master
Application 0
Core 1
Application 1
Concurrent
access handled
within master Local handling
of some
functionality
Communication
Services
Slave
Multicore and Functional Safety; Solutions for new challenges
Agenda
© Elektrobit (EB), 2012 / Confidential 14
• The Trend towards Multicore
• What is Functional Safety ?
• Multicore in AUTOSAR
• Challenges presented by Multicore
• Summary
Migrating to Multicore
Cohesive Architecture
© Elektrobit (EB), 2016 15
• Safety Analysis
‒ Only feasible when working
on small units
• Partitioning and core allocation
‒ Functional Grouping
‒ Related functions on same core
‒ Freedom from Interference
Core 0
Partition 4
Function D
Core 1
RTE
Partition 1
Function A
Partition 2
Function B
Partition 3
Function C
DataData DataData DataData DataData
Migrating to Multicore
Architectural considerations
© Elektrobit (EB) 2016 16
Countermeasures
• Keep partitions cohesive
• Locate related and communication-
intensive applications on same core
or partition
• Where possible, use lock-free
algorithms
• Reduce cross-core communication to
a minimum
Challenges
• Partitions are mapped to cores
‒ Groups of tasks etc. are distributed
• Cross-core communication
takes time
‒ Beware: Transparent communication
in AUTOSAR
• Locks are expensive
‒ Locking only possible via OS
‒ Spinlocks can block entire CPU
• True parallel execution
‒ Race conditions
‒ Task priorities work only on one core
Scheduling
Single-core scheduling with shared resources
• AUTOSAR supports preemptive and non-preemptive tasks
• Shared resources to protect access to global data
• AUTOSAR uses Priority Ceiling Protocol (PCP)
• Upon occupying a resources, the task receives the priority of the highest task that can access the resource
© Elektrobit (EB) 2016 17
Task 3
Task 2
Task 1
Shared resourceTask 1 receives
priority of Task 3
Pri
ori
ty �
Time �
Scheduling
Shared resources on Multicore
• Priority Ceiling Protocol (PCP) does not work for Multicore
‒ Separate schedulers
‒ No common notion of priority
• AUTOSAR specifies spinlocks for Multicore synchronization
‒ Busy waiting on memory location via atomic instruction (e.g. TAS, CAS, LL/SC)
• Multicore Priority Ceiling Protocol (MPCP) assigns priority higher than highest
core-local priority to each inter-core resource
‒ Can be implemented in AUTOSAR (spinlock and interrupt lock)
‒ Used to prevent deadlock
(e.g. when task holding a spinlock is preempted by task that also tries to obtain the
spinlock)
© Elektrobit (EB) 2016 18
Scheduling
Multicore scheduling with shared resources
© Elektrobit (EB) 2016 19
Task 3
Task 1
BUSY
• Spinlocks waste processing time
• Spinlocks create high traffic on the
processors interconnect
• Inter-core locking creates
scheduling dependencies
Core 2
Core 0
Spinlock
Task 2
Task 2 could have completed
while Task 3 was waiting for
the spinlock
Scheduling
Multicore scheduling in AUTOSAR
© Elektrobit (EB) 2016 20
Core 0 Core 1
Ready queue
Scheduler
T T
T T
Global Scheduling
Core 0 Core 1
Ready queue
Scheduler
T TT T
Ready queue
Scheduler
Partitioned Scheduling
Core 0 Core 1
Ready Q
Scheduler
T TT T
Ready Q
Scheduler
Ready Q
Semi-partitioned Scheduling
AUTOSAR
Scheduling
Multicore scheduling in AUTOSAR
• Logical separate OS instance per core
‒ OS resources are effective only per core
‒ Priorities defined per core
‒ (Memory protection configured per core)
• Static mapping of tasks to cores (i.e. partitioned scheduling)
‒ No fancy features like dynamic load-balancing
• Cross-core interrupts possible
• Cross-core events possible
• Inter-core locking via spinlocks; but spinlocks can be expensive.
© Elektrobit (EB) 2016 21
Scheduling
Partitioned Multicore scheduling
© Elektrobit (EB) 2016 22
Task 4
Task 3
Task 1
• Cross-core task activations/interrupts/callbacks/sync. C/S calls create schedulingdependencies (remember independent schedulers/timebases)
• Cross-core scheduling dependencies can increase context switches
• Analysis is complex
Core 2
Core 0
Task 2 If Task 1 executed a bit
longer, no additional context
switches would occur
Scheduling
Full-blown scheduling complexity
• What are the scheduling dependencies here?
© Elektrobit (EB) 2016 23
Core 2Core 0
T1
T2
T3
T5
T4
T2
T3
T1
T4
T5
OS Resource Spinlock OS Resource
„In my thesis I have shown how incredibly complex the analysis is and
quite frankly you simply should not build systems like this.“
Dr. Mircea Negrean
(Title of thesis: „Performance Analysis for Multi-Mode Multicore Systems with Shared Resources – Principles and Application to AUTOSAR“)
Multicore and Functional Safety; Solutions for new challenges
Agenda
© Elektrobit (EB), 2012 / Confidential 24
• The Trend towards Multicore
• What is Functional Safety ?
• Multicore in AUTOSAR
• Challenges presented by Multicore
• Summary
Data Structure Design
Corollaries
• Reducing inter-core locks
‒ Increases potential parallelism
‒ Decreases complexity
• Reducing core-scope of global data
‒ Reduces need for inter-core locks
‒ Increases potential use of caches
• Separating global data
‒ Reduces need for inter-core locks
‒ Helps establishing memory protection
• Reducing consistency
‒ Increases potential parallelism
© Elektrobit (EB) 2016 25
• Where is data accessed?
• What kind of lock is required?
• Is atomic access possible?
• Where is data accessed?
• Are separate per-core instances
possible?
• Do members of a struct/elements of
an array have different access
requirements?
• Is the order of calls relevant?
• May data be inconsistent in
intermediate states?
Questions to ask
Contact us!www.elektrobit.com