Slide 1. Kevin Hammond, University of St Andrews. Workshop on Resource Analysis, Hatfield, Sept. 9th 2008
EmBounded: Automatic Prediction of Resource Bounds for Embedded Systems
EU Framework VI IST-510255, 2005-2008. A €1.3M STReP Funded by FET-Open
Kevin Hammond, University of St Andrews
Application Domain (1)
Application Domain (2)
Application Domain (3)
The Importance of Embedded Systems
• Some Facts
   – 98% of all processors are used in embedded systems
   – in 2003, there were 8 billion programmable devices in use
   – by 2010, conservative estimates anticipate 16 billion embedded systems
     » 3 devices for every person on the planet!
   – by 2009, the spend on embedded systems R&D will be €122bn
     » out of a total ICT R&D spend of €202bn
State of the Art...
• Embedded Systems Engineering
   – big trend to high level software design (UML etc.)
   – 80% of all embedded software is now written in C/C++
   – 75% of embedded software is delivered late
   – bugs can cost $14,000 each to fix!
• A Major Problem with C/C++ is Poor Memory Management
   – explicit allocation, deallocation
   – pointer following
   – etc. etc.
• No Accurate Method for Determining Memory Usage
   – profiling, guesswork(!!), approximation
A New Direction?
“In the near future, we will view software without formal resource bounds in the same way as we regard untyped programs today.”
Prof. Greg Morrisett, Harvard University
Embounded Aims
• The project aims to identify, to quantify and to certify resource-bounded code targeting real-time embedded systems.
• We will:
   – develop static analyses for determining strong, provably correct, time and space bounds in the real-time embedded systems domain.
   – target important modern, but hard-to-cost, features, including automatic memory management and recursion.
   – advance the state-of-the-art in embedded systems software engineering by permitting the safe use of such features.
Embounded Objectives
1. Produce formal models of resource consumption in real-time embedded systems for very high-level programming language constructs;
2. Develop static analyses of upper bounds for these resources based on the formal models of resource consumption;
3. Provide independently and cheaply verifiable automatically generated resource certificates for the space and time behaviour of software/firmware components that can be used to construct embedded software/firmware in a compositional manner;
4. Validate analyses against complex real-time embedded applications taken from computer vision systems for autonomous vehicle control;
5. Investigate how these technologies can be applied in the short-to-medium term in more conventional language frameworks for embedded systems;
6. Develop the underpinning specification, implementation and support environment for the Hume language.
Approach
1. Build formal operational semantics
   – explicit program execution properties: time and space
   – captures low-level information
2. Build mathematical models of execution costs
   – relate programs to costs
   – formal models of complex program structures, real-time constructs
   – metrics: execution time, stack high watermarks, memory allocations/deallocations
   – provable bounds on execution costs
3. Construct static analyses
   – based on mathematical models
[Figure: the approach applied to a Hume program fragment]
   Abstract machine cost constants: Tplus = 1, Tpush = 3, …
   Program source:
      findNewCentre centre dx old_dx nloops frame Qu =
        if dx==<<0,0>> || nloops>4 || addCoord dx old_dx == <<0,0>> then centre
        else findNewCentre (addCoord centre dx)
               (computeDisplacement (updateWeights (updateModel frame (addCoord centre dx) theKern) Qu frame (addCoord centre dx)) theDeriv)
               dx (nloops+1) frame Qu;
   Derived cost expression: T_init = Tcall + 5*Tpushvar + 3*Tmkint + Tmkvec(2) + … + Tcreateframe + Tmatchrule + …
Resource Models & Analysis
[Diagram] Source Level Resource Model linked to Machine Level Resource Model by a Formalised Translation with proof of equivalence; Source Level Analysis linked to Low Level Analysis by Formal Equivalence Proofs.
The EmBounded Vision
Source Program (Hume, as shown on the slide):

   data Questions = Eat | Rabbit | Cow;
   data Responses = Yes | No;
   data Done2 = Done;
   data Maybe a = Just a | Nothing;
   data Boolean = True | False;

   type State = (Boolean,Boolean,Boolean,Boolean);

   --changeState :: State -> Questions -> Responses -> State;
   changeState (norabbit,yesrabbit, nocow, yescow) animal response =
     case (animal,response,(norabbit,yesrabbit, nocow, yescow)) of
       (Rabbit,No,(norabbit,yesrabbit, nocow, yescow)) -> (True,yesrabbit,nocow,yescow)
     | (Rabbit,Yes,(norabbit,yesrabbit, nocow, yescow)) -> (norabbit,True,nocow,yescow)
     | (Cow,No,(norabbit,yesrabbit, nocow, yescow)) -> (norabbit,yesrabbit,True,yescow)
     | (Cow,Yes,(norabbit,yesrabbit, nocow, yescow)) -> (norabbit,yesrabbit,nocow,True);

   showState (True,False, True, False) = "Vegetarian\n";
   showState (True,False, False, False) = "Rabbo-vegetarian\n";
   showState (False,False, True, False) = "Bovo-vegetarian\n";
   showState (_,_, _, _) = "Carnivore\n";

   --changestate _ _ _ = Nothing;
   --allFalse :: State;
   --allFalse = (False,False,False,False);

   template cToQ in ( c :: char ) out ( q :: Questions, d :: Done2 )
     match 'E' -> (Eat, *)
         | 'R' -> (Rabbit, *)
         | 'C' -> (Cow, *)
         | _ -> (*, Done);

   template cToR in ( c :: char ) out ( r :: Responses, d :: Done2 )
[Figure: the EmBounded workflow] Analyse → Resource Usage Report (Time: xx ms, Heap: xx KB, Stack: xx KB); Compile and Build; Formal Proof
Source Program → Binary Program → Resource Certificate (≥ 0, √) → Embedded System, using proof carrying code techniques
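Added here as a worked illustration of the Approach slide (per-instruction cost constants such as Tpush = 3 and Tplus = 1, stack high watermarks, provable upper bounds) and of the Vision slide's independently and cheaply checkable resource certificate; this is example code written for this page, not the EmBounded project's or the Hume/HAM toolchain's. The instruction set, the cost values and the sample program are constructed.

```python
# Added example, not EmBounded project or Hume/HAM code: a toy stack machine
# with constructed per-instruction costs in the style of Tpush = 3, Tplus = 1
# (Approach slide), a static time/stack bound, and a cheap certificate check.

T = {"push": 3, "dup": 2, "plus": 1, "pop": 1, "br": 2}  # constructed costs

def analyse(prog, depth=0):
    """Static bound (time, final depth, stack high watermark) for a program
    list; ("br", then_prog, else_prog) is charged the worse of its branches,
    so the result holds for every input without running the code."""
    time, hwm = 0, depth
    for ins in prog:
        op = ins[0]
        time += T[op]
        depth += 1 if op in ("push", "dup") else -1  # plus: pop 2, push 1
        if op == "br":
            t1, d1, h1 = analyse(ins[1], depth)
            t2, d2, h2 = analyse(ins[2], depth)
            time, depth, hwm = time + max(t1, t2), max(d1, d2), max(hwm, h1, h2)
        hwm = max(hwm, depth)
    return time, depth, hwm

def run(prog, stack, time=0, hwm=0):
    """Dynamic execution: (final stack, time used, stack high watermark)."""
    for ins in prog:
        op = ins[0]
        time += T[op]
        if op == "push":
            stack.append(ins[1])
        elif op == "dup":
            stack.append(stack[-1])
        elif op == "plus":
            stack.append(stack.pop() + stack.pop())
        elif op == "pop":
            stack.pop()
        else:  # "br": pop the condition and execute the chosen branch
            stack, time, hwm = run(ins[1] if stack.pop() else ins[2], stack, time, hwm)
        hwm = max(hwm, len(stack))
    return stack, time, hwm

def check_certificate(prog, claimed_time, claimed_stack):
    """Consumer-side check: shipped bounds must dominate the recomputed ones."""
    time, _, hwm = analyse(prog)
    return claimed_time >= time and claimed_stack >= hwm

def sample(x):
    """Constructed program: push x, copy it as the condition, then 2x+1 if x != 0 else 0."""
    return [("push", x), ("dup",),
            ("br", [("dup",), ("plus",), ("push", 1), ("plus",)],
                   [("pop",), ("push", 0)])]
```

For `sample(7)` the static bound is 14 time units and a stack of 2, which the run with input 7 meets exactly, while input 0 takes the cheaper branch and uses 11 units, showing the bound is an upper bound rather than an exact cost.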
Research Methodology
• Hume: High-Level features, Low-Level target
   – Recursion, Exceptions, Concurrency, Automatic memory management, Polymorphic typing, …
   – Timing, Interrupts, FIFOs, Devices, Scheduling, …
• Hume Abstract Machine
   – High-level AM design, simplifies construction of semantics/models
• Formal semantics
   – Explain the operation of the program in terms of the underlying machine
• Cost Models
   – Allow AM-derived costs to be attached to language constructs
• Static analyses
   – Formally derived from cost models
• Formal Certification
   – Formally based on analyses, checking/verification possible
• Testbed Applications
   – Realistic, derived from autonomous vehicle domain
The Embounded Consortium
• Vision Algorithms: LASMEA, Heriot-Watt
• Embedded Applications: LASMEA, AbsInt
• Language Design: St Andrews, Heriot-Watt, Ludwig-Maximilians
• Compilation and Implementation: Heriot-Watt, St Andrews, AbsInt, LASMEA
• Proof Theory and Resource Models: Ludwig-Maximilians, St Andrews
Main Y1 Technical Achievements
• Production of Formal Semantics, Cost Models and Translations for Hume/HAM
• Production of aiT tool specialised to M32C
• Construction of computer vision algorithms in Hume
• Production of HAM port for Renesas M32C
Main Y2 Technical Achievements
• Production of Formal Analyses for Space and WCET
• Implementation of Time and Space Analyses
• Development of Generic Approach to Resource Costing
• Construction of computer vision algorithms in Hume
• Production of HAM port for Pioneer P3/AT
Main Y3 Technical Achievements
• WCET Results for Hume Obtained and Validated
   – some good quality results obtained
• Improvement of Time and Space Analyses
   – coverage and quality
• Assertion Language for Certificates
• Construction of CyCab algorithm in Hume
• Development of robust Hume to C compiler
• Construction of Hume Model Checker
• Started to investigate application to traditional languages
Project Web Site
Publications Online
Deliverables Online
Tools Online
Immediate Development Plans
• 3-year, £1M UK project to investigate use of Hume for MIMO applications
• 3-year £240K UK project to study use of Hume for autonomous vehicle applications
• Involvement in the EU CARA Network for Resource Analysis
• Pursue commercial and academic interest in
   – Hume for FPGAs
   – Hume and RTOSes
   – Component-based compositional analysis for box-based design approaches
“Finally someone has combined the critical features needed for successful development of embedded systems: [Hume has] exactly the features I have been looking for — I have actually designed a language myself to accomplish some of the goals, but I can scrap that now since you seem to get it all right (unlike me)”
Industrial RTOS Developer
Long-Term Exploitation Routes
• Hume
   – user-focused research/development project: adaptivity, medical embedded systems, real-time operating systems, worst-case execution time analysis
   – commercial product
• Resource Modelling Technology
   – analyses for power consumption
   – more advanced memory/time analyses, e.g. real-time GC
   – adapted to conventional languages, e.g. C
   – incorporation into standalone tool suite
• General framework for specifying non-functional properties
   – security, resource usage, ...
   – time, space, power consumption, reactivity, liveness, ...
   – exploit dependent types to merge static/dynamic properties?