An Open Ravenscar Real-Time Kernel for GNAT - DIT - Universidad ...

Only the first four of these packages are visible to GNULL. The other three, Kernel.Parameters,Kernel.CPU_Primitives, and Kernel.Peripherals, are used only by otherkernel packages, and encapsulate implementation dependent elements in order to makeit easier to port the kernel to other hardware environments.Some of the packages (e.g. Kernel.Threads) have additional children that extendtheir interfaces so that some of their internal functionality is made visible to other kernelpackages.Kernel.MemoryKernel{Storage Allocation}{Thread Management}{Synchronization}{Scheduling}Kernel.ThreadsKernel.CPU_Primitives{Interrupt Handling}{Time Keeping and Delays}Kernel.InterruptsEKernel.ParametersKernel.TimeKernel.PeripheralsFig. 4. Architecture of the Open Ravenscar Real-Time Kernel3.2 Thread managementAda tasks are implemented at the lower level by kernel threads. Threads are created atprogram startup, so that there is no need to dynamically allocate or deallocate resourcessuch as TCBs or stack space.Threads are scheduled according to the FIFO within priorities policy (ALRM [2],D2). There is a ready queue which is ordered by priority and arrival order. The synchronizationprimitives directly insert or remove threads from the ready queue.Two kinds of synchronization elements are provided by the kernel: mutexes andcondition variables. These elements are used by GNARL to implement protected objects.Despite the name similarity with POSIX, ORK synchronization primitives aredefined in such a way that the related GNULLI elements can be directly implemented,thus enabling a more efficient implementation of protected objects. We have taken ad-

vantage of the Ravenscar profile restrictions to implement only one kind of mutualexclusion locks.Condition variables are also simplified with respect POSIX, in that there are notimed waits and there are no suspended task queues, as the maximum number of tasksthat can be waiting on a condition is one. The fact that the Ravenscar profile doesnot allow select statements, timed wait operations, or ATCs, has also resulted in greatsimplification.Locks implement the Immediate Priority Ceiling Protocol (IPCP), which is thesame as the Ceiling Locking policy defined by the ALRM [2] (D3).3.3 Time managementThe package Kernel.Time provides timing support in a very simplified way. A time typeis defined that represents both absolute time and time intervals as an integer number ofnanoseconds. There is a monotonic clock that gives an absolute time value, measuredfrom system startup.According to the Ravenscar profile specification, only an absolute delay (delay until)operation is provided. Delayed threads are kept in a delay queue which is ordered bywakeup time. Since a delay cannot be canceled, as there are no abort statements orATCs, there is no need to keep delayed threads waiting on a condition variable, ascurrent GNARL implementations do.3.4 Storage managementAlthough the Ravenscar profile does not forbid all kinds of dynamic storage management,as the profile does not deal with non tasking features of Ada, it seems reasonableto expect Ravenscar compliant programs not to use dynamic storage pools. Consequently,only a limited form of memory management is provided, in order to allocateTCB and stack space for new threads. Since threads can only be created at systemstartup, and cannot terminate, this restricted form of storage allocation can be made ina safe way, using a simple linear algorithm.The task stacks are protected in order to avoid stack overflow or underflow. Thehardware segment protection mechanism is used for this purpose.3.5 Interrupt handlingAn interrupt represents a class of events that are detected by the hardware or the kernelitself. When an interrupt occurs an Interrupt Service Routine (ISR) is invoked to makethe interrupt available to the kernel. In Ada 95, a high-level handler can be attached tothe interrupt so that is is automatically started by the runtime system when the interruptoccurs. The handler may be a parameterless protected procedure or a task entry,although the latter is only included for compatibility with Ada 83.Current GNARL implementations use interrupt service tasks that are activated whenan interrupt occurs, and then call the associated interrupt handler procedure. In this way,priorities and mutual exclusion are handled in the standard way for tasks and protected

objects. Interrupt handlers are executed in the context of the interrupt service tasks,which gives a clean execution model compared to other approaches in which the handleris executed in the context of the interrupted task.ORK follows a different approach. Under the Ravenscar profile restrictions onlyprotected procedure handlers can be defined. Moreover, the only possible locking policyis Ceiling Locking. This means that an interrupt handler can never be blocked waitingfor a protected object to become free. Since all interrupts are disabled while updatingthe kernel internal data (see 3.6 below), there is no need for complex mutual exclusionmechanisms. Actually, interrupt handlers are executed as if they were directly invokedby the interrupted task, with the difference that the interrupt stack is used instead of thetask stack.The Kernel.Interrupts package provides symbolic interrupt names and operationsfor attaching and detaching interrupt handlers. The handlers are directly attached to theinterrupts, without the burden of using POSIX signals as the current GNARL does.3.6 Other design issuesThe kernel interface is a purely procedural one, as there is no need for separate userand supervisor execution modes. All the program runs in supervisor mode, as it is commonin embedded systems. Mutual exclusion in the kernel is achieved by means of amonolithic monitor [15] protected by disabling interrupts, so that interrupt delivery ispostponed when a kernel function is executed [17, 16].Mutex lock operations are implemented by simply raising the locking thread activepriority to the ceiling priority of the mutex. This is consistent with the implementationproposed by the Ada Rationale [13] for protected objects.4 Related workThis project builds on some of the results of previous ESA projects which resulted inthe development of the current ERC32 GNU Cross Compilation system [10], whichincludes an Ada cross-compilation system for the ERC32 computer based on GNATand RTEMS, an open real-time operating system.The JTK kernel, which was developed at the Technical University of Madrid, [7,17], has provided some background for the development of ORK. We have also beeninspired by the Top Layer kernel [14].Other previous work of interest to the project includes Aonix’ Raven [8], and thekernels developed at the Florida State University [19, 18] and the University of York[20].5 Status and availabilityThe first version of the kernel has been fully implemented, and is available at the ORKproject server, www.openravenscar.org. The distribution package includes sourcepatches for the GNAT 3.13 runtime library, and GDB scripts, in addition to the kernelitself.

ORK is free software, and is distributed with the same license as GNAT (a slightlymodified GNU Public License). This means that everybody is free to read the ORKsource code, modify it, and redistribute it, provided they give others the same freedom.ORK is currently maintained on a voluntary basis for the general public.6 Conclusions and future workORK has been designed to provide an open source implementation of the Ravenscarprofile. Although the ORK project is primarily targeted to the on-board space softwaredomain, we expect that it will be useful to the hard real-time systems community atlarge.We plan to port ORK to other hardware platforms, starting with the ix86 PC compatiblearchitecture, in the near future. This will enable it to be used in other applicationdomains, and also in real-time systems education.AcknowledgmentsORK was developed by a team of the Department of Telematics Engineering TechnicalUniversity of Madrid (DIT/UPM), lead by Juan Antonio de la Puente. The other membersof the team were Juan Zamorano, José F. Ruiz, Ramón Fernández, and RodrigoGarcía. Alejandro Alonso and Ángel Álvarez acted as document and code reviewers,and contributed to the technical discussions with many fruitful comments and suggestions.The same team developed the adapted packages that enable GNAT to work withORK.GDB was adapted to ORK by a Jesús González-Barahona, Vicente Matellán, AndrésArias, and Juan Manuel Dodero. José Centeno and Pedro de las Heras acted asreviewers for this part of the work. All of them work at the King Juan Carlos Universityof Madrid.The ORK software was validated by Jesús Borruel and Juan Carlos Morcuende,from Construcciones Aeronáuticas (CASA), Space Division. We also relied very muchon Andy Wellings and Alan Burns, of York University, for reviewing and discussionsabout the Ravenscar profile and its implementation.ORK was developed under contract with ESA, the European Space Agency. JorgeAmador, Tullio Vardanega and Jean-Loup Terraillon provided many positive criticismand contributed the user’s view during the development. The project was carried outfrom September, 1999 to early June, 2000.References1. Ada Core Technologies. GNAT Reference Manual. Version 3.13a, March 2000.2. Ada 95 Reference Manual: Language and Standard Libraries. International StandardANSI/ISO/IEC-8652:1995, 1995. Available from Springer-Verlag, LNCS no. 1246.3. Lars Asplund, Bob Johnson, and Kristina Lundqvist. Session summary: The Ravenscarprofile and implementation issues. Ada Letters, XIX(25):12–14, 1999. Proceedings of the9th International Real-Time Ada Workshop.

4. Ted Baker and Tullio Vardanega. Session summary: Tasking profiles. Ada Letters,XVII(5):5–7, 1997. Proceedings of the 8th International Ada Real-Time Workshop.5. Alan Burns. The Ravenscar profile. Technical report, University of York, 1999. Available athttp://www.cs.york.ac.uk/rts/papers/p.ps.6. Alan Burns, Brian Dobbing, and George Romanski. The Ravenscar profile for high integrityreal-time programs. In Lars Asplund, editor, Reliable Software Technologies — Ada-Europe’98, number 1411 in LNCS. Springer-Verlag, 1998.7. Juan A. de la Puente, José F. Ruiz, and Jesús M. González-Barahona. Real-time programmingwith GNAT: Specialised kernels versus POSIX threads. Ada Letters, XIX(2):73–77,1999. Proceedings of the 9th International Real-Time Ada Workshop.8. Brian Dobbing and George Romanski. The Ravenscar profile: Experience report. Ada Letters,XIX(2):28–32, 1999. Proceedings of the 9th International Real-Time Ada Workshop.9. ESA. 32 Bit Microprocessor and Computer System Development, 1992. Report9848/92/NL/FM.10. Jiri Gaisler. The ERC32 GNU Cross-Compiler System. ESA/ESTEC, 1999. Version 2.0.6.11. E.W. Giering and T.P. Baker. The GNU Ada Runtime Library (GNARL): Design and implementation.In Proceedings of the Washington Ada Symposium, 1994.12. IEEE. Portable Operating System Interface (POSIX) — Part 1: System Application ProgramInterface (API) [C Language] (Incorporating IEEE Stds 1003.1-1990, 1003.1b-1993,1003.1c-1995, and 1003.1i-1995), 1990. ISO/IEC 9945-1:1996.13. Intermetrics. Ada 95 Rationale: Language and Standard Libraries., 1995. Available fromSpringer-Verlag, LNCS no. 1247.14. M. Kamrad and B. Spinney. An Ada runtime system implementation of the Ravenscar profilefor a high speed application layer data switch. In Michael González-Harbour and Juan A.de la Puente, editors, Reliable Software Technologies — Ada-Europe’99, number 1622 inLNCS, pages 26–38. Springer-Verlag, 1999.15. A.K. Mok. The design of real-time programming systems based on process models. In IEEEReal-Time Systems Symposium. IEEE Computer Society Press, 1984.16. Frank Mueller. A library implementation of POSIX threads under UNIX. In Proceedings ofthe USENIX Conference, pages 29–41, January 1993.17. José F. Ruiz and Jesús M. González-Barahona. Implementing a new low-level tasking supportfor the GNAT runtime system. In Michael González-Harbour and Juan A. de la Puente,editors, Reliable Software Technologies — Ada-Europe’99, number 1622 in LNCS, pages298–307. Springer-Verlag, 1999.18. H. Shen and T.P. Baker. A Linux kernel module implementation of restricted Ada tasking.Ada Letters, XIX(2):96–103, 1999. Proceedings of the 9th International Real-Time AdaWorkshop.19. H. Shen, A. Charlet, and T.P. Baker. A ’bare-machine’ implementation of Ada multi-taskingbeneath the Linux kernel. In Michael González-Harbour and Juan A. de la Puente, editors,Reliable Software Technologies — Ada-Europe’99, number 1622 in LNCS, pages 287–297.Springer-Verlag, 1999.20. W.M. Walker, P.T. Wooley, and A. Burns. An experimental testbed for embedded real timeAda 95. Ada Letters, XIX(2):84–89, 1999. Proceedings of the 9th International Real-TimeAda Workshop.