Thanks to ::: Composing and synchronizing real-time ...mheuvel/presentations/20140916... · Chip Design Magazine (Jan. 2005) Increasing number of applications; Extensive networking

Composing and synchronizing real-time componentsthrough virtual platforms in vehicular systems

Martijn van den Heuvel

System Architecture and Networking (SAN)Department of Mathematics and Computer Science

Eindhoven University of TechnologyThe Netherlands

16th September 2014

Martijn van den Heuvel (TU/e, SAN) 16th September 2014 1 / 32

Thanks to . . .

Promotor and co-promotor:

Prof. Johan J. LukkienDr. Reinder J. Bril

Technical support:

Dr. Mike HolenderskiDr. Erik J. LuitDr. Richard Verhoeven

Research collaboration (MDH):

Dr. Moris BehnamProf. Thomas Nolte

Various M.Sc. students and postgraduates.


An automotive example

Why this growth of electronic parts?


An automotive example: electronic stability program (ESP)

Chip Design Magazine (Jan. 2005)

Increasing number of applications;Extensive networking between them.


An automotive example: electronic stability program (ESP)

Increasing number of applications, for example: ABS, TCS, ESP;

Extensive networking between them.


An automotive example: IVDC advances beyond ESP . . .

Adding suspension control and software-based vehicle state estimation:

B. Bonsen, R. Mansvelders, and E. Vermeer.

Integrated vehicle dynamics control using state dependent riccati equations.

In AVEC, Aug. 2010.


An automotive example: deployment of IVDC advances

4X Local controllers for steering, braking, suspension;

Front and rear IVDC;

1X Global IVDC state estimation and supervisory control.

Local controllers

Supervisory + IVDC

τ1 τ2 . . . τn τ1 τ2 . . . τn

RTOS+middleware

Hardware (CPU: 200 MHz)

Supervisory control IVDC

Network

Legend: Task Virtual processor

Virtual network bus Send or receive messages

– Component composition on central ECU–

(Semi-)independent developed components by various partners!


Demo: IVDC with active suspension

Experimental setup:

4X Local controllers for active suspension;

1X Global IVDC and supervisory control.

Our contribution:

Virtualization techniques applied to a central node:

τ1 τ2 . . . τn τ1 τ2 . . . τn

RTOS+middleware



Network



– Component composition on central ECU–

Synchronization between independently developed components.


Demo: active suspension on


Demo: active suspension off


Demo: active suspension on


Hierarchical composition of schedulers for vehicular systems

τ1 τ2 . . . τn τ1 τ2 . . . τn

RTOS+middleware



Network



– Component composition on central ECU–Global

Scheduler

localscheduler

Component 0

localscheduler

Component 1

localscheduler

Component n. . .

R1 R2

component: server, set of tasks and local (task) scheduler

server or virtual processor: a CPU budget allocated each period

Tasks, located in arbitrary components, may share resourcesi.e. deal with local and global priority inversion!


Resource sharing across components: a closer look

Add a resource arbiter to each scheduler, i.e.,at the task level and at the component level.

GlobalScheduler

localscheduler

Component 0

localscheduler

Component 1

localscheduler

Component n. . .

R1 R2

Tasks may request:1 Access to shared memory:

shared buffers;memory-mapped devices.

2 Operating-system services:

in-kernel: short non-preemptive critical sections;device drivers and other services: mutually exclusive between users.

3 Global limited-preemptive access to the processor:

reduce cache misses;less pipeline flushes.


Challenges for resource sharing across components

Component Cs Resource-supply model

Interface selection

Component Interface Ωs

Admission control

Other components’ interfaces

rejectaccept

Virtual platform of Cs Other virtual platforms

Resource allocation

Global scheduling and global resource arbitration

Component development

(Timing-) Requirements analysis

1 Independent development andintegration of components;

M. M. H. P. van den Heuvel, R. J. Bril, and J. J. Lukkien.

Transparent synchronization protocols for compositionalreal-time systems.IEEE TII, 8(2):322–336, May 2012.

2 Independent timing analysis ofcomponents and their integration;

M. M. H. P. van den Heuvel, M. Behnam, R. J. Bril, J. J.

Lukkien, and T. Nolte.Opaque analysis for resource sharing in compositionalreal-time systems.In CRTS, pages 3–10, Nov. 2011.


Lukkien, and T. Nolte.Optimal and fast composition of resource-sharingcomponents in hierarchical real-time systems.In RTCSA, Aug. 2014.

3 Scheduling components andcontainment of temporal faults.


Dependable resource sharing for compositional real-timesystems.In RTCSA, pages 153–163, Aug. 2011.




Interface selection


Admission control


rejectaccept


Resource allocation






Transparent synchronization protocols for compositionalreal-time systems.IEEE TII, 8(2):322–336, May 2012.




Independent development and integration of components

A programmer’s perspective:

1 resources are shared between tasks, not between components.

2 tasks claim and protect their resources;

Question from integrator to programmer:

Is the resource local or global to a component?Don’t know, don’t care!

Postpone binding of SRP primitives until component integration.P. Lopez Martinez, L. Barros, and J. Drake.

Scheduling configuration of real-time component-based applications.In Reliable Softw. Technology - Ada-Europe, volume 6106 of LNCS, pages 181–195. Springer, 2010.


Transparent synchronization protocols for compositional real-time systems.IEEE TII, 8(2):322–336, May 2012.




Interface selection


Admission control


rejectaccept


Resource allocation







Lukkien, and T. Nolte.Opaque analysis for resource sharing in compositionalreal-time systems.In CRTS, pages 3–10, Nov. 2011.


Lukkien, and T. Nolte.Optimal and fast composition of resource-sharingcomponents in hierarchical real-time systems.In RTCSA, Aug. 2014.



Independent timing analysis of components

Interface of a component:

period Ps ;

guaranteed budget Qs within each period;

set of RHTs Xsl which defines Xs = maxlXsl.

Analytical perspective:

1 incremental analysis: separate concerns of local and global scheduling;

2 easier analysis: no timing details on global resource sharing;

3 avoid protocol-specific knowledge to compute Qs and Xsl.

Some analyses in literature do not support this independence!


The key idea – Specify partial interfaces . . .

Interpretation

Cn may use one resource R` for at most Xn,` time unitssupplied within period Pn.


The key idea – Specify partial interfaces and merge them

Gained independence:

Detect which resources are shared by others.

Arbitrate shared resources by SRP;

Merge them at composition!Martijn van den Heuvel (TU/e, SAN) 16th September 2014 20 / 32

The key idea – Prune dependencies at composition



Merge just remaining candidates!


Add an arbiter for shared resources only



Arbitrate shared resources by SRP;




Interface selection


Admission control


rejectaccept


Resource allocation








Dependable resource sharing for compositional real-timesystems.In RTCSA, pages 153–163, Aug. 2011.


Scheduling and containment of temporal faults

Temporal isolation stunned by overrun when a task unwinds:

Legend: critical section normal execution budget arrival

C1

C2

C3

timetet0 t1

No longer a guarantee for:

overrun durations

blocking durations


Sources of unpredictable interferences

Global effects of local SRP-based arbitration:

time

RHT

τ1

τ2

τ3

rcsl

hs2l

Rl Rl

Rl

resource ceiling (rcsl):highest priority of any (local) tasksharing resource Rl

What if task τ1 exceeds its WCET?

What if a task (τ2 or τ3) exceeds its critical-section length?


Confine temporal faults

What if an interfering task exceeds its WCET?

A solution to prevent an increase of resource-holding times:

Disable local preemptions.

What if a task exceeds its critical-section length?

NO solution to prevent an increase of resource-holding times.

To protect independent components:

Extend SRP with enforced blocking durations.

It is now similar to the protected Immediate-PCP in:

D. de Niz, L. Abeni, S. Saewong, and R. Rajkumar.

Resource sharing in reservation-based systems.In RTSS, pages 171–180, 2001.




Interface selection


Admission control


rejectaccept


Resource allocation







M. M. H. P. van den Heuvel, R. J. Bril, J. J. Lukkien, and

T. Nolte.Performance evaluation of analysis methods for arbitratingnonpreemptive resource access in compositional real-timesystems.In VtRES, Sep. 2014.


Scheduling of resource-sharing components

Budget depletion during a critical section can lead toexcessive blocking times:

Ps Ps

Qs QsBs

Ps

Qs

Solutions:

React upon budget depletion by allowing budget overruns.1 Overrun with payback (OWP): the consumed overrun is subtracted

from the next budget;2 Overrun without payback (ONP): no penalty for overrun.

Prevent budget depletion by checking the remaining budget.1 SIRAP: insert idle time during task execution;2 BROE: delay budget supply.


Timing analysis of resource-sharing components

synthetic periodic tasks: 8 tasks/component;tasks generated by UUnifast with total utilization of 0.5;random task deadline constraints: [WCETi + α(Pi −WCETi ); Pi ];short non-preemptive critical section.

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

Rat

io o

f fea

sibl

e sy

stem

s

δ

BROESIRAPIONP

ONP ≈ IOWPOWP

N = 5 components.

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

1 2 3 4 5 6 7 8 9 10 11 12 13 14

Rat

io o

f fea

sibl

e sy

stem

s

Number of components (N)

BROESIRAPIONP

ONP ≈ IOWPOWP

Implicit deadlines (α = 1).


Timing analysis of resource-sharing components

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

Rat

io o

f fea

sibl

e sy

stem

s

δ

BROESIRAPIONP

ONP ≈ IOWPOWP

N = 5 components.

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

1 2 3 4 5 6 7 8 9 10 11 12 13 14

Rat

io o

f fea

sibl

e sy

stem

s

Number of components (N)

BROESIRAPIONP

ONP ≈ IOWPOWP

Implicit deadlines (α = 1).

SIRAP: no independent analysis of components,i.e., detailed task-level analysis of global resource sharing.

ONP: enables independent analysis of SIRAP, but weak performance.

BROE: weaker composition rules than SIRAP.




Interface selection


Admission control


rejectaccept


Resource allocation







Current and future challenges:

Mixed criticality:1 deal with uncertain timing specs of tasks;2 graceful degrade functions by enabling/disabling optional ones.

Industrial standards: timing augmented descriptions of components.Martijn van den Heuvel (TU/e, SAN) 16th September 2014 31 / 32

Questions?

Let’s pass the remote . . .


Documents

Thanks to ::: Composing and synchronizing real-time ...mheuvel/presentations/20140916... · Chip Design Magazine (Jan. 2005) Increasing number of applications; Extensive networking