RTEdge - Carnegie Mellon University

wiki.sei.cmu.edu

RTEdge - Carnegie Mellon University

AADL Run-time Environment

Architecture based on the

RTEdge ® Microkernel

Serban Gheorghe

Edgewater Computer Systems, Inc.

GF


Outline

RTEdge ® as an AADL subset

RTEdge ® Flows and Transactions Engineering

• AADL software components mapping into the RTEdge ®

Microkernel

• AADL core spec Thread management Protocols

• Mode Change Management

• Sample Generated State Machines

• Init Controller and Process Manager

• Periodic User Thread and its Thread Manager

• AADL Software Component designer workflows

Edgewater Computer Systems – April 2012 2


RTEdge TM as a subset of AADL sw component model

Component

Type

System

AADL component_category ::=

abstract_component_category

Component

Implementation

Process

Thread Group

Thread

Data

| composite_category

| execution_platform_category

| software_category

RTEdge Deployment

Objects

RTEdge Components:

Composite Capsule (CC)

Atomic Capsule (AC)

Specification

Types

Implementation

Types

Memory

Processor

Bus

Device

Virtual Processor

Virtual Bus

Component

Type

Component

Implementation

Subprogram

Subprogram Group

Component

Type

Component

Implementation

RTEdge Atomic Capsule

behaviour:

Finite State Machines with

embedded Programming

Language Functions calls

(Misra C, other)

3

Edgewater Computer Systems – April 2012


RTEdge ® Transactions

A Transaction is the set of Event Flows originated from an Independent Input

• Conditional Flow Paths can happen

in AC FSMs

• Flows can end on AC FSM States

Transactions can share AC

FSM Instances

CC

2

D

Adjust_ctrl

Calibrate_ctrl

Sensor_In

E

CC1

Recalibrate

A

B

Calibrate_other

Sending a Signal Event through a Port

creates a concurrent Flow Path

•A Transaction is complete when all the downstream events caused by the Independent Input have been

consumed and all state machines involved are in a stable state

• Indicates no State Machines Deadlock (events not consumed) or Livelock (infinite event loops)

Edgewater Computer Systems – April 2012 4


RTEdge ® 1.3 Built-in Static Analysis Tools

‣ Proof-based Event Flows Engineering

Results guaranteed at execution through run-time semantics

enforcement (code generator + executive)

‣ Event Flow Path Analysis

‣ Flow Latency and Schedulability Analysis at Flow granularity level

‣ Incoming Ports Message Buffers Queue Size Analysis

‣ Hard and Soft Real-Time Flows Engineering

‣ Event Flows with Hard deadlines (Latency guarantee) or allocated to a

Soft Real-Time Server (Capacity Guarantee)

‣ Formal Properties Static Analysis Tools

‣ Transaction Completion Property

‣ No Deadlock, no Livelock

‣ Custom Formal Model Properties

RTEdge integration with the

SPIN formal Model Checker

Edgewater Computer Systems – April 2012 5


RTEdge ® as an AADL Microkernel

AADL Model

P1

P2

Abstract

P3_RTEdge

AADL Runtime in RTEdge Language Subset

Static Code

Analysis Generation Tools

P1_CC

P2_CC

P3_CC

RTEdge Code generated from AADL

Support AADL Thread Dispatch Modes, error recovery, initialization

- Periodic,Sporadic, Aperiodic,Timed and Hybrid

Support AADL inter-thread communication/synchronization semantics

C Code

Generation

RTEdge Runtime Exec Semantics

Asynchronous Message Passing Executive

Time constrained Discrete Events only

AADL Threads Atomic Capsules

Threads with FSM behavior, purely reactive

Features subset

- Event/Event Data Ports

- Required/Provides Data Ports

- FSM behavior, a subset of UML FSM

AADL Thread Groups Composite Capsules

Resolved to communicating Atomic Capsules

Periodic Timer Service

Bounded Overheads

Run-time Executive

Edgewater Computer Systems – April 2012 6


AADL Process and Thread

Mappings

AADL Model

Code

Generation

(RTEdge Language Subset)

AADL Runtime

C Code

Generation

Controller

Kernel

Process

P1

P2

Abstract

P3_RTEdge

RTEdge Timer

For each AADL Process:

One Process Manager Atomic Capsule

One Mode Manager Atomic Capsule

An Each AADL user Process defined maps AADL into Thread a is mapped

RTEdge into pair of Application RTEdge Atomic task Capsules (AC)

Thread Atomic Capsule

Mapping of user defined of AADL Ports:

- direct mapping of event and data ports

- subprogram ports with subprogram access

protocol

- AADL Thread Flavour Specific Extra Ports

- clock port for periodic/sporadic/hybrid

- connected to an RTEdge Timer

Thread Manager Atomic Capsule

TARGET

GDB

Server

RTEdge ®

Executive

Real-Time OS

One Controller Kernel Process per vprocessor

Init Controller Atomic Capsule

Mode Controller Atomic Capsule

Connected to a higher level Init / Mode Controller

- Implements the AADL core spec Hybrid

automatum

- Connected to the Thread AC through a

Thread management Port

- Typed by an thread management Protocol

derived from the core AADL spec

Edgewater Computer Systems – April 2012 7


AADL Core Spec System Startup

Process Loading

Thread Initialization

sys-

Thread Computation

Thread Finalization

(synchronization point)

Edgewater Computer Systems – April 2012 8


AADL Kernel Protocols

(notional)

error

Edgewater Computer Systems – April 2012 9


Mode Change Management

Generated AC State Machines for Mode Change Management:

‣ A Mode Manager Atomic Capsule is generated per Process/Thread Group

‣ A Mode Controller AC is generated per Kernel Process

‣ Mode Controller AC in the Kernel Process is connected to all Mode

Managers in Processes on the same vprocessor

‣ Both external and thread logic initiated mode changes are covered

Edgewater Computer Systems – April 2012 10


Externally Initiated Mode Change

External event

or from another

Mode Controller

• Mapping local mode names

to unique mode numbers

• Re-mapping require mode

names from container

o

Mode Controller and Mode Managers AC State Machines,

Ports and Connections are synthesized from

- AADL component mode clauses:

- Mode States and Transitions

- Mode Transition Triggers and

- in mode and require modes

AADL declarations

Edgewater Computer Systems – April 2012 11


Thread Initiated Mode Change Flow

• Declared mode triggering events

from subcomponent Threads result

in generation of direct modechange

ports connections to the Mode

Manaager

Edgewater Computer Systems – April 2012 12


Generated Init Controller and

Process Manager AC State Machines

• Only static process loading supported initially

• For dynamic loading, this should be split into

another AC running in the Kernel Process space

• All Processses loaded, start initialization

• All Processses initialized, inform up the

chain and wait for System “ready” signal

• System operational “ready” signal received,

relay to all Processes to start RTEdge timers

and proceed to computation

Edgewater Computer Systems – April 2012 13


Init Controller Sample RTEdge code

atomicCapsule init_Controller implements init_Controller_interface

{

attribute loadCounter : type int8;

attribute startCounter : type int8;

attribute stopCounter : type int8;

stateMachine (S0) {

stable unloadedProcess;

stable loadingAllProcesses;

stable startingProcess;

stable loadedProcess;

stable stoppingProcess;

transient initialize: activity initializing_counters;

transient counterToLoad: activity loading_counter, TOTAL_NO_OF_PROCESSES; /*TOTAL_NO_OF_PROCESSES is a NaturalNumber*/

transient counterToStart: activity starting_counter, TOTAL_NO_OF_PROCESSES;

transient counterToStop: activity stopping_counter, TOTAL_NO_OF_PROCESSES;

transition

transition

transition


transition

initializing: S0 -> initialize,

trigger rt_init.init;

initialized: initialize -> unloadProcess;

started: unloadedProcess -> loadingAllProcesses,

trigger initC_HW.started {out initC_P1.load};

comp_loading1: loadingAllProcesses -> counterToLoad,

activity initializing_counters: (void) returns void, file “” /*QuotedString*/

activity counterToLoad : (void) returns bool, file “” /*QuotedString*/

activity counterToStart: (void) returns bool, file “” /*QuotedString*/

activity counterToStop : (void) returns bool, file “” /*QuotedString*/

};

Edgewater Computer Systems – April 2012 14


Thread_Manager and Periodic

Thread AC State Machines

Specified as the Event Port

Activate_Entrypoint_Call_Sequence

Property Association

Synchronous subprogram call pattern

Semi-synchronous subprogram call pattern

Edgewater Computer Systems – April 2012 15


Extending the RTEdge ® User Workflows

• The Model IS the Executable Application:

One source of truth for Software Components across the lifecycle

Graphical

Editing

Environment

Flow Analysis

Buffer Analysis

Code

Code

file Code

fileCode

file

file

exe

File

exec

exe

File

exec

RTOS Target

Code

Generation

Build

Debug

exe

File

AADL Run-time Development Environment

User

Application

Model

exec

Virtual Time Environment

Flow Latency

& Schedulability

Analysis

Model

Completeness

Analysis

Behavioural

Analysis using

Formal Methods

AADL Proof Based Event Flows

Engineering

Edgewater Computer Systems – April 2012 16


Background slides

Edgewater Computer Systems – April 2012 17


RTEdge ® Application Model

RT Ports Components

and

Protocols (Capsules)

RTEdge ® Application

• An Application maps into one RTOS Task (in RTEdge

1.3):

- resolves at run-time to a set of concurrent Atomic

Capsule (AC) Finite State Machines (FSM)

- built-in FSM event priority scheduling

• Closed System Model Definition:

- “External Tasks” model environment assumptions:

RTOS Tasks I/O behavior and processor demands

RTEdge • Independent Dispatch Input Event time arrival types: specification

• Independent Input arrivals

•{ Signal min Inter-arrival Events received Time, (Jitter at Port or FIFOs (Burst size, I ))}

• AC Transient State Activity Completion

Static Event priority assignment

• Deadline Monotonic

Application Flows Specification:

Event Flows with Real-Time Contracts

• Arrival spec (Period)

• Deadline

Event Flow: a specification of a causal relationship between an ordered pair of RTEdge ® Dispatch Events

Key concepts:

• PROCESSOR and COMMS resource scheduling are based on Event Flows

RTEdge® Platform automatically calculates:

• Application implementation Flow paths and

• Worst-Case Response Times (Latencies) for each Event Flow, based on Execution costs

Edgewater Computer Systems – April 2012 18


RTEdge ® End to End Flow Latency Engineering

Software System View

Build,Execute,Debug

Build Options,

Compiler and OS options

(e.g., vxWorks 5.5.1)

AC

CC

Flow Engineering:

Event Flows with

Time Binding Constraints to the

Hardware • Period, System Jitter

• Deadline

Schedulability

Mathematical Models for

Processor and Bus Latency

Flow Latency

Calculation

Physical Bus Role 1

Processor Role 1

Processor Types

(e.g., PPC, x86)

Hardware System View

Processor Role 2

RTEdge TM 1.3 performs Schedulability Analysis only for single Processor Flows

Edgewater Computer Systems – April 2012 19


Reducing Software Costs by crossing the “V”

Proof Based Engineering => using mathematical proof in building software to

evaluate functional and real-time properties at design time

“Integrate before Build”:

Static Model Analysis Tools

• work on “Single source of truth” Model

• realize huge cost savings through early

problem resolution

HOWEVER

*)

• must have intimate knowledge of

1. 1. Execution Execution State State Space Space

2. 2. Target Target Execution Execution Semantics Semantics

Model Transformation to

executable, target deployable

software creates a semantic

discontinuity

Software Components Conformance

Deployed Software Components

Integration and Debugging must be

performed in the context of the Model

The effectiveness of Real-time and Functional Model Analysis Tools

*) depends From System on Architecture Code Generation Virtual Integration and the (SAVI): enforcement An Industrial at run-time Case Studyof

SEI the Technical same Report CMUESI-2009-TR-017, Carnegie Mellon, 2009

1. Execution State Space

Single source of truth run-time enforcement 2. Target Execution Semantics

Edgewater Computer Edgewater Systems Computer – Confidential Systems – Commercial April 2012 Information

20


RTEdge ® Execution Semantics Enforcement

Static Analysis

Programming

Language

Specification

Model

HLD Model

Implementation Model

User Application

RTEdge Tools

Timing Analysis

Tools

Functional Properties

Analysis Tools

Code Generator Tool

Based on

Run-Time EXEC

Hardware Abstraction Layer (HAL)

HW

Platform 1

HW

Platform 2

Virtual Time

Platform

Enforced by

Well defined

execution

semantics

Virtual Time Simulation Platform

• Enable execution of software

components on host computers by

emulating target hardware real-time

behaviour

• HAL adaptation of Run-Time Exec

to multiple platforms

• A host RTOS is assumed on the

HW Platform

Edgewater Computer Systems – April 2012 21

More magazines by this user
Similar magazines