

# Faithful multi-task implementations of synchronous programs



◆□▶ ◆□▶ ▲□▶ ▲□▶ ■ ののの

#### Paul Caspi

Verimag-CNRS (emeritus)

WSS 16 october2009

historical overview

multi-tasking

#### Some safety critical control systems.



flight control



emergency shutdown



speed control, signalling



full automation

## Looking inside\_



▲□▶ ▲□▶ ▲ 三▶ ▲ 三▶ - 三 - のへぐ

Fly-by-wire ? Drive-by-wire ? Electronic Control Units ?

## Looking inside



Fly-by-wire ? Drive-by-wire ? Electronic Control Units ? Fly-by-computers ! Fly-by-software !

#### Two Questions\_

Knowing the low reliability of computing technology

thousands of car "recalled" for computing bugs

▲□▶ ▲□▶ ▲ 三▶ ▲ 三▶ - 三 - のへぐ

- Ariane V accident
- your personal computer ...

#### Two Questions

Knowing the low reliability of computing technology

- thousands of car "recalled" for computing bugs
- Ariane V accident
- your personal computer ...
- 1. Is it wise to use this poor technology in safety critical systems?

◆□▶ ◆□▶ ▲□▶ ▲□▶ □ のQ@

#### Two Questions

Knowing the low reliability of computing technology

- thousands of car "recalled" for computing bugs
- Ariane V accident
- your personal computer ...
- 1. Is it wise to use this poor technology in safety critical systems?
- 2. Why, nevertheless, things are not as bad as could be expected?

◆□▶ ◆□▶ ▲□▶ ▲□▶ □ のQ@

#### Two Questions

Knowing the low reliability of computing technology

- thousands of car "recalled" for computing bugs
- Ariane V accident
- your personal computer ...
- 1. Is it wise to use this poor technology in safety critical systems?
- 2. Why, nevertheless, things are not as bad as could be expected?
- A Tentative Answer

The safety-critical control industry has designed a very strong model-based development method

# Some steps in model-based design of control systems\_\_\_\_\_

- Early eigthies: first automatic program generation from high level control models
  - SAO (block-diagrams) and the Airbus A320 fly-by-wire
  - Lustre, Signal, Esterel, the French synchronous school
  - ▶ ...
- integration into control modelling tool-boxes (early nineties)
  - Targetlink (Dspace), Ascet (Etas), RTW (Mathworks), Simulink Gateway (Esterel)
- Qualified code generation
  - SCADE (Esterel): Do178B Level A, EN 50128 SIL 4

(ロ) (同) (三) (三) (三) (○) (○)

- Connection with formal tools
  - Prover plugins: SCADE, RTW
  - Abstract interpretation
- Time triggered distributed implementations

#### Interest of automatic code generation.

Twofold :

Automatic code generation from high-level control models:

=> easier and earlier debugging

- Graphic languages close to the cultural background of application engineers, test pilots, suppliers, certification authorities, ... :
  - => allows easier communication within the entreprise

< □ > < 同 > < Ξ > < Ξ > < Ξ > < Ξ < </p>

=> preserves the know-how and makes easier the technology transfer

#### Single Thread Code Generation.

- Allows generating code for any discrete-time model that can be simulated
- Allows many optimisations
- The need for Real-Time Operating System is minimised
- Provides in general robust and efficient code
- But in some cases it is very inefficient and even not possible:

need for multi-thread code generation

◆□▶ ◆□▶ ▲□▶ ▲□▶ □ のQ@

#### Multi-Periodic Systems.

Models are based on null execution times But implementations take time !!

Example:

- period (3,0)
- period(1,0)

single-thread code generation: can yield



#### Multi-Periodic Systems.

Models are based on null execution times But implementations take time !!

Example:

- period (3,0)
- period(1,0)

single-thread code generation: can yield even worse



#### Multi-Periodic Systems.

Models are based on null execution times But implementations take time !!

Example:

- period (3,0)
- period(1,0)

multi-thread code generation: and preemptive scheduling can yield



#### Event and time-triggered systems.

An engine control example:



▲□▶ ▲□▶ ▲□▶ ▲□▶ = 三 のへで

#### Preemptive scheduling

If the deadline associated with event-triggered computations is smaller than the execution time of time-triggered tasks, preemptive scheduling is mandatory:



< □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □

#### Scheduling.

Schedulability test: formula of response times

$$R_j = \sum_{i=1,j-1} \left\lceil \frac{R_j}{T_i} \right\rceil C_i + C_j$$

- thread priorities in decreasing order
- T<sub>i</sub> minimum inter-arrival time of thread i
- C<sub>i</sub>: worst case execution times of thread i
- $\begin{bmatrix} \frac{R_j}{T_i} \end{bmatrix}$ :number of times *j* can be preempted by *i* while executing
- $\begin{bmatrix} \frac{R_j}{T_i} \end{bmatrix} C_i$ : maximum time during which *j* can be preempted by *i* while executing
- The sum is taken on every thread with higher priority

#### Inter-task communication.

Communication integrity, several approaches:

- Blocking approaches based on semaphores Priority inversion (pathfinder !!) priority inheritance, priority ceiling protocols
- Lock-free methods
- Loop-free, wait-free methods
  Burns et Chen (triple buffer)
  provide easier schedulability analysis ?

◆□▶ ◆□▶ ▲□▶ ▲□▶ □ のQ@

#### What about semantics?\_

... and model-based development?

#### What about semantics?\_

... and model-based development?

Preemption alters the ordering of computations

- In many cases it does not matter (robustness, continuity, faithfulness...)
- In some cases it can (discontinuities, critical races, ...)

Can we propose executions that be functionally equivalent to the model?

< □ > < 同 > < Ξ > < Ξ > < Ξ > < Ξ < </p>

#### A general solution (Scaife & Caspi 2004).

Ensures communication integrity and provides executions that are functionally equivalent to the model:

Applies to both periodic and sporadic activities

Based on:

- 1. Syntactic checks: communications from low to high priority tasks should go through a unit delay on the low task trigger
- 2. Double buffer protocols where distinction is made between the occurrence of triggering events and the task executions

(ロ) (同) (三) (三) (三) (○) (○)

#### Double buffer protocol

- From low to high
  - two buffers ("current" et "previous") managed by P<sub>l</sub>, toggled when e<sub>l</sub> takes place

- ▶ when *e<sub>h</sub>* occurs, *P<sub>h</sub>* stores the address of "previous"
- P<sub>1</sub> writes to "current" et P<sub>h</sub> reads into "previous"
- From high to low
  - double buffer ("current" et "next") managed by P<sub>l</sub>
  - on e<sub>l</sub> "current" is set to "next"
  - on e<sub>h</sub> "next" is toggled if "current" equals "next"
  - P<sub>h</sub> writes to "next" and P<sub>l</sub> reads into "current"
- Bit toggling is assumed to take no time

## Another (partial) solution\_

#### Simulink RTW...

| Block Parameters: Rate Transition                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | $\times$        |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|
| Pate Transition      Specify the data transfer mechanism between two rates of a multirate system. The default config provides are and deterministic data transfer. However, it is also possible to compromise determine indicate indexify in favor of minimum delay and code efficiency. Block behavior is different where this and contrastic zero Order Hold      101/12. Unit Oelay    Detection indicates block behavior. It is also possible to compromise determine indicates block behavior. Block behavior is different where the angle time are different. Text on ison indicates block behavior. 2011: Zero Order Hold      101/12. Unit Oelay    Detectory: Nordeterministic Zero Order Hold      102/12. Unit Oelay    Detectory: Order Hold      102/12. Order therministic data transfer    Detectory: Dete | uration<br>nism |

▲□▶ ▲□▶ ▲□▶ ▲□▶ ▲□ ● のへぐ

Only works for harmonic multiperiodic systems

#### Other Results.

- Proof by Model-Checking
- Generalisation to EDF Works the same.
- Several Optimisations
  - Tripakis & al.
  - DiNatale, ASGV & al.

◆□ ▶ ◆□ ▶ ◆ □ ▶ ◆ □ ▶ ● ● ● ● ●

#### Industrial Perspectives.

There seems to be a clear industrial interest :

- RTW
- SCADE
- Partially implemented in the ASSERT European IP
- Parades (Roma) is currently exploring the same ways

▲□▶ ▲□▶ ▲ 三▶ ▲ 三▶ - 三 - のへぐ

#### A Key Issue: Faithfulness\_

| What you { <i>model</i><br><i>simulate</i> is what<br><i>prove</i> | t you { <i>implement execute</i> |
|--------------------------------------------------------------------|----------------------------------|
|--------------------------------------------------------------------|----------------------------------|

(Gérard Berry 1984)



#### From Handicraft to Industry\_

In twenty years, the industry of critical control moved from

- handicraft :
  - > paper design, human coding, validation on hardware
- to industry:
  - functional and architectural design and validation based on formal models that can be simulated and checked,
  - automatic code generation ensuring faithfulness between models and implementations

(ロ) (同) (三) (三) (三) (○) (○)

This is a notable advance that has to be pursued, strengthened and extended

#### Some references.

- N. Scaife and P. Caspi: Integrating model-based design and preemptive scheduling in mixed time- and event-triggered systems, Euromicro Conference Real-Time Systems, ECRTS04, Catania, June 2004
- P.Caspi, N. Scaife, Ch. Sofronis, S. Tripakis: Semantics-preserving multitask implementation of synchronous programs, ACM Transactions on Embedded Computing Systems, 7(2), February 2008
- L. Mangeruca, M. Baleani, A. Ferrari and A. Sangiovanni-Vincentelli: Semantics Preserving Design of Embedded Control Software from Synchronous Models, IEEE Transactions on Software Engineering, Vol. 33, N. 8, August 2007.
- J.-L. CAMUS, P. VINCENT, O. GRAFF: A verifiable architecture for multi-task, multi-rate synchronous software, 4th European Congress ERTS EMBEDDED REAL TIME SOFTWARE, Toulouse 2008 http://www.esterel-technologies.com/technology/WhitePapers/
- http://www.mathworks.com/access/helpdesk/help/toolbox/simulink/
- G.Wang, M. Di Natale and A. Sangiovanni-Vincentelli: Optimizing the implementation of communication in synchronous reactive models with time constraints, to appear in IEEE Trans. INDUSTRIAL INFORMATICS, DECEMBER 2009

(ロ) (同) (三) (三) (三) (○) (○)