Principles and Pragmatics for Embedded Systems John Regehr University of Utah.
-
Upload
peter-simmons -
Category
Documents
-
view
217 -
download
2
Transcript of Principles and Pragmatics for Embedded Systems John Regehr University of Utah.
![Page 1: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/1.jpg)
Principles and Pragmatics for Embedded Systems
John Regehr
University of Utah
![Page 2: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/2.jpg)
HierarchicalLoadableSchedulers
Theme: Appropriate, checkable abstractions for systems software
1998 20082003
Secure, large-scale embedded systems?
ComposableExecutionEnvironments
![Page 3: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/3.jpg)
Embedded Systems Account for ~100% of
new microprocessors Consumer electronics Vehicle control systems Medical equipment Smart dust
![Page 4: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/4.jpg)
Embedded Software Goals•Memory•Lock•Time
•Safe•Efficient•Reusable•Easy to develop•Functionally correct
•Minimal•Memory use•CPU use•Power use
•Composable•Late binding
•Debuggable•Testable•Problem specific
![Page 5: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/5.jpg)
Analyses
Time SafetyStack SizeRace DetectionLock Inference…
Optimizations
Thread MinimizationRobust SchedulingLock EliminationInlining…
Binding
CEE – Composable Execution Environments
Infrastructure and metadata
ErrorComposed System
![Page 6: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/6.jpg)
Why CEE?
Systems are in the real world Hard to reach Safety critical
Time is money Space is money Reuse is critical
Within a product line Between generations of products
![Page 7: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/7.jpg)
Embedded Platforms
RAM
1 B 1 KB 1 MB 1 GB
4- and 8-bit
16-bit
32- and 64-bit
No OS
Real-Time OS (RTOS)
GPOS
CPU Type
OS Type
![Page 8: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/8.jpg)
CEE Main Ideas
Composition of restricted execution environments
Global analyses and optimizations Late binding of requirements to
implementations
![Page 9: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/9.jpg)
Execution Environment Set of
Idioms and abstractions for structuring software
Rules for sequencing actions Rules for sharing information
Examples Low-level: Cyclic executive, interrupts,
threads, event loop High-level: Dataflow graph, time
triggered system, hierarchical state machines
![Page 10: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/10.jpg)
Bad News
Environments have rules Interacting environments have
rules Getting these right is a serious
problem Rules not usually checked
![Page 11: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/11.jpg)
Good News
Diversity can be exploited To create efficient systems To match design problems
Constrained environments are easier to analyze, debug, and understand
![Page 12: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/12.jpg)
Execution Environments
Embedded systems contain multiple execution environments
CEE exploits the benefits of multiple environments while mitigating the problems Local analyses Global analyses
![Page 13: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/13.jpg)
Other Frameworks for Embedded Software
Cadena – Hatcliff et al., Kansas State Koala – Van Ommering, Philips MetaH – Vestal, Honeywell nesC – Gay et al., Intel & Berkeley Ptolemy II – Lee et al., Berkeley Vest – Stankovic et al., Virginia
![Page 14: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/14.jpg)
Motivation and Introduction
Concurrency Analysis
Real-Time Analysis
Summary and Conclusion
![Page 15: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/15.jpg)
Concurrency
Embedded systems are fundamentally concurrent Interrupt-driven Response-time requirements
Concurrency is hard Especially when using components Especially when components span
multiple execution environments
![Page 16: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/16.jpg)
Task Scheduler Logic (TSL)
First-order logic with extra relations and axioms
Formalizes locking concerns across execution environments
![Page 17: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/17.jpg)
TSL Capabilities
Find races and other errors Generate mapping from each
critical section in a system to an appropriate lock Lock inference
![Page 18: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/18.jpg)
Why Infer Locks?
Locking rules are hard to learn, hard to get right
Sometimes no lock is needed Components can be agnostic
with respect to execution environments
Global side effects can be managed
![Page 19: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/19.jpg)
TSL Prerequisites
Visible critical sections and resources
Safe approximation of call graph TSL specifications for
schedulers
![Page 20: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/20.jpg)
Using TSL Developers connect components
as usual No direct contact with TSL
Run TSL analysis at build time Success – Return assignment of
lock implementations to critical sections Used to generate code
Failure – Return list of preemption relations that cause races
![Page 21: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/21.jpg)
TSL Concepts Tasks – units of computation Asymmetric preemption
A « B means “B may preempt A” Schedulers
S ◄ B means “S schedules B” Locks
S L means “S provides L” A «L B means “B may preempt A
while A holds L”
![Page 22: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/22.jpg)
Resources and Races
Resources A →L R means “A holds L while
accessing R”
Race (A, B, R) = A →L1 R
B →L2 R
A B
A «L1L2 B
![Page 23: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/23.jpg)
Specifying Schedulers
Non-preemptive Generic preemptive Priority
S
A B
(A « B) (B « A)S (t, t0, … , tn) =
i. t◄ti
![Page 24: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/24.jpg)
Specifying Schedulers
Non-preemptive Generic preemptive Priority
S
A B
(A « B) (B « A)S (t, t0, … , tn, L) =
i. t◄ti
i,j. ti « tj
lL. t l
![Page 25: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/25.jpg)
Specifying Schedulers
Non-preemptive Generic preemptive Priority
S
A B
(A « B) (B « A)S (t, t0, … , tn, L) =
i. t◄ti
i,j. i<j ti « tj
lL. t l
H L
![Page 26: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/26.jpg)
INT
IRQ Event
Timer
Network
E1 E2 E3
H L
![Page 27: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/27.jpg)
INT
IRQ
Timer
Network Event1
E1 E2E3
Event2
THREAD
H
H
L
L
![Page 28: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/28.jpg)
Applying TSL
Applied to embedded monitoring system with web interface 116 components 1059 functions 5 tasks 2 kinds of locks + null lock
![Page 29: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/29.jpg)
TSL Summary
Contributions Reasoning about concurrency
across execution environments Automated lock inference
In ACP4IS 2003 Future work: Optimal lock
inference Minimize run-time overhead Maximize chances of meeting real-
time deadlines
![Page 30: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/30.jpg)
Motivation and Introduction
Concurrency Analysis
Real-Time Analysis
Summary and Conclusion
![Page 31: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/31.jpg)
Real-Time Constraints
Examples Deploy multiple airbags no more than
5 ms after collision Compute flap position 100 times per
second
![Page 32: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/32.jpg)
Real-Time Analysis Output
Success: Static guarantee that deadlines
will be met A schedule (priority assignment)
Failure: List of tasks not guaranteed to
meet deadlines Tasks with hard-wired priorities
do not compose well
![Page 33: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/33.jpg)
Previous Example
INT
IRQ
Timer
Network Event1
E1 E2E3
Event2
THREAD
H L
H L
![Page 34: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/34.jpg)
An Improvement
INT
IRQ
Timer
Network
E1 E2 E3
V-Sched
H L
![Page 35: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/35.jpg)
Virtual Schedulers
Start with collection of real-time tasks Insert only enough preemption to
permit deadlines to be met Support mutually non-preemptible
collections of tasks Existing real-time theory not
good enough
![Page 36: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/36.jpg)
Background
Preemption threshold scheduling (Saksena and Wang 2000)
Supports mixing preemptive and non-preemptive scheduling But only as a back-end optimization My work: make mixed preemption first-
class
![Page 37: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/37.jpg)
New Abstractions
Task clusters Embed non-
preemptive EEs in a system
Task barriers Respect
architectural constraints
![Page 38: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/38.jpg)
Scheduling Algorithm 1
Target is standard RTOS – no support for preemption thresholds
Three-level algorithm Outer: iterate over partitions created by
task barriers Middle: iterate over clusters within a
partition Inner: iterate over tasks within a cluster
Requires O(n2) priority assignments to be tested
![Page 39: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/39.jpg)
Scheduling Algorithm 2
Target is RTOS that supports preemption thresholds More degrees of freedom Known optimal algorithms test O(n!)
priority assignments Use hill-climbing algorithm that
attempts to minimize maximum lateness over all tasks Works well in practice
![Page 40: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/40.jpg)
0
20
40
60
80
100
5 10 15 20 25
Number of Tasks
No
rmal
ized
Su
cces
sfu
l S
ched
ule
s
Alg 2 Alg 1 Non-Preemptive
![Page 41: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/41.jpg)
Avionics Application
Avionics task set from Tindell et al. (1994) with 17 tasks and two locks Both locks can be eliminated using
task clusters Only 5 threads are needed
![Page 42: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/42.jpg)
Ping / Pong App on Motes
version code data Pin-Int Int-Task Task-Task
Default 5022 B 232 B 11.3 μs 22.5 μs 16.0 μsCEE 6094 B 448 B 11.3 μs 46.7 μs 45.2 μs
0
5
10
15
20
0.10
1.00
5.00
7.50
10.0
012
.50
15.0
017
.50
20.0
0
Task execution time (ms)
Ro
un
d-t
rip
s p
er
se
co
nd
DefaultCEE
![Page 43: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/43.jpg)
Real-Time Summary Contributions: Task clusters and
task barriers Better abstractions to protect
developers from multithreading Permit embedding of non-preemptive
execution environments In RTSS 2002
![Page 44: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/44.jpg)
Motivation and Introduction
Concurrency Analysis
Real-Time Analysis
Summary and Conclusion
![Page 45: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/45.jpg)
Status and Ongoing Work
Tools exist Checker for task scheduler logic SPAK – real-time analysis Stacktool – bound stack depth Flatten – parameterizable inlining
Prototype CEE implementations Large systems: PCs with Knit + OSKit Small systems: Motes
![Page 46: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/46.jpg)
Summary CEE is a new framework for
embedded software Exploits qualities of the domain Supports late binding Basis for pluggable analyses and
optimizations Effective compromise between
principles and pragmatics NSF Embedded and Hybrid
Systems 2002–2005
![Page 47: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/47.jpg)
HierarchicalLoadableSchedulers
Theme: Appropriate, checkable abstractions for systems software
1998 20082003
Secure, large-scale embedded systems?
ComposableExecutionEnvironments
![Page 48: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/48.jpg)
Thanks to…
Alastair Reid, Jay Lepreau, Eric Eide, and Kirk Webb
![Page 49: Principles and Pragmatics for Embedded Systems John Regehr University of Utah.](https://reader035.fdocuments.us/reader035/viewer/2022070411/56649f495503460f94c6ab40/html5/thumbnails/49.jpg)
More info and papers here:
http://www.cs.utah.edu/~regehr/