3 Unit Course, Spring 2002EECS Department, UC Berkeley

Embedded Software Engineering

www.eecs.berkeley.edu/~fresco/giotto/course-2002

Christoph Kirsch

© 2002 C. Kirsch -2-

It’s significant

$4 billion development effort> 50% system integration & validation cost

© 2002 C. Kirsch -3-

It’s tricky

Mars, July 4, 1997Lost contact due to embedded software failure

© 2002 C. Kirsch -4-

It’s risky

French Guyana, June 4, 1996$800 million embedded software failure

© 2002 C. Kirsch -5-

It’s fun

© 2002 C. Kirsch -6-

Problem

Real-TimeComputer

System

ControlledObject

Operator

Man-MachineInterface

InstrumentationInterface

Kopetz97

Methodologies for the implementation ofembedded real-time applications

• Methodology: tool-supported, abstract, compositional• Implementation: compositional, scalable, dependable

© 2002 C. Kirsch -7-

Engine Controller

• Temporal accuracy of 3µsec• Up to 100 concurrent software tasks• Hard real-time: no missed deadlines

@ 6000rpm,10ms for 360º

0.1°

© 2002 C. Kirsch -8-

Video Streaming

• 25 frames/sec• Dynamic resource allocation• Soft real-time: degraded QoS

© 2002 C. Kirsch -9-

Real-Time Systems

DegradedPredictablePeak-load performance

Soft-desiredHard-requiredResponse time

CheckpointActiveRedundancy

Error detection

Control of pace

Characteristics

User assistedAutonomous

ComputerEnvironment

SoftHard

Kopetz97

© 2002 C. Kirsch -10-

Microcontroller Market

Cost

Performance

© 2002 C. Kirsch -11-

Mechatronics

Fly-by-wire

Drive-by-wire

© 2002 C. Kirsch -12-

Embedded Software Engineering

You

Solver/Checker

Compiler

Real-Time Operating System

Functionality

Models

Programs Execution

Simulation/Verification

Design

Tasks Scheduling

© 2002 C. Kirsch -13-

Real-Time

Not later than

TimeTime-instant DeadlineDuration

@

for

© 2002 C. Kirsch -14-

Concurrency

Task1 Task2

HostNetwork

Message1

Message2

In addition:• Other resource constraints• Time constraints

© 2002 C. Kirsch -15-

Time

Sequential Programming

1 2

Sequential Programming

© 2002 C. Kirsch -16-

Time

Multiprogramming

1 2

3 4

5

Multiprogramming

© 2002 C. Kirsch -17-

Time

Real-Time Programming

1 2

3 4

5

Real-Time Programming

© 2002 C. Kirsch -18-

Environment

Software

Software Processes

Environment Processes

Embedded Software

© 2002 C. Kirsch -19-

Environment

Software

Environment Time

Platform Time

Environment vs. Platform Time

© 2002 C. Kirsch -20-

Environment

Software

Embedded Programming

The Art of Embedded Programming

© 2002 C. Kirsch -21-

Embedded Programming

…requires the integration of:

1. Real-time operating system concepts2. Embedded programming languages3. Embedded compilers4. SE, modeling, and simulation techniques5. Formal methods

© 2002 C. Kirsch -22-

Real-Time Task

fInput Output

Worst case execution time

© 2002 C. Kirsch -23-

Real-Time Scheduling

terminateactivate

PassiveActivation

Active

© 2002 C. Kirsch -24-

Off-Line Scheduling

terminateactivate

PassiveTable

Active

Static System

© 2002 C. Kirsch -25-

On-Line Scheduling

terminateactivate

PassiveAlgorithm

Active

Dynamic System

© 2002 C. Kirsch -26-

Non-Preemptive Scheduling

Ready Run

scheduleterminateactivate

PassiveActivation

© 2002 C. Kirsch -27-

Preemptive Scheduling

Ready Run

scheduleterminateactivate

PassiveActivation

preempt

© 2002 C. Kirsch -28-

Shared Resources

Ready Run

Wait

schedule

preempt

terminate

busyfree

activate

PassiveActivation

© 2002 C. Kirsch -29-

Scheduling Problem

Real-Time Scheduling

Soft Hard

Off-line On-line

Preemptive Non-preemptive Non-preemptivePreemptive

© 2002 C. Kirsch -30-

Earliest Due Date

Time

Processors

P1 T1 T5

10

587103di

23111Ci

T5T4T3T2T1

T3 T4 T2

d1 d5 d3 d4 d2

Buttazzo97

© 2002 C. Kirsch -31-

Earliest Deadline First

Time

TasksT1

T5

10

63200ai

910452di

22221Ci

T5T4T3T2T1

T3

T4

T2 T2

T4

Buttazzo97

© 2002 C. Kirsch -32-

Real-Time Periodic Task

fInput Output

Worst case execution timeFrequency

© 2002 C. Kirsch -33-

Rate Monotonic Analysis

Time

Tasks

T1

10

105pi

12Ci

T2T1

T2 T2

T1 T1 T1

© 2002 C. Kirsch -34-

Scheduling Anomalies

T1 T9 T4

T8

T7

T6

T5

Time

Processors

P1

P2

P3

T1

T2

T3

T4

T6

T7

T9

12

T5

T8

© 2002 C. Kirsch -35-

Shorter Computation Times

T1 T9 T4

T8

T7

T6

T5

Time

Processors

P1

P2

P3

T1

T2

T3

T4 T6

T7

T9

13

T5 T8

© 2002 C. Kirsch -36-

More Processors

T1 T9 T4

T8

T7

T6

T5

Time

Processors

P1

P2

P3

P4

T1

T2

T3

T4

T5

T6

T7

T8

T9

15

© 2002 C. Kirsch -37-

Weaker Precedence

T1 T9 T4T6

T5

Time

Processors

P1

P2

P3

T1

T2

T3

T4

T7

T8 T9

16

T5

T6

© 2002 C. Kirsch -38-

Real-Time Communication

Network

Message1

Message2

© 2002 C. Kirsch -39-

Real-Time Message

mSource Target

Latency

© 2002 C. Kirsch -40-

Explicit Flow Control

Network

Message1

Message2

• Send time not known a priori• Sender can detect errors

© 2002 C. Kirsch -41-

Implicit Flow Control

Network

Message1

Message2

• Send time is known a priori• Receiver can detect errors

© 2002 C. Kirsch -42-

Explicit Flow Control: Priority

Network

Message1

Message2

Medium-Access Protocols:• CSMA/CD - LON, Echelon 1990• CSMA/CA - CAN, Bosch 1990• FTDMA - Byteflight, BMW 2000• TDMA - TTP, Kopetz 1993

© 2002 C. Kirsch -43-

Control Area Network

M1 M2

Time

Messages

M2

M1

0

0 0

0

11

0

0

0

0

0

0

0

0

0

1

1

0

0

1

1

1

0

1

© 2002 C. Kirsch -44-

Implicit Flow Control: Time

Network

Message1

Message2

Medium-Access Protocols:• FTDMA - Byteflight, BMW 2000• TDMA - TTP, Kopetz 1993

© 2002 C. Kirsch -45-

Time-Triggered Protocol

M1 M2

Time

Network

N1 M1 M2

Slot1 Slot2

© 2002 C. Kirsch -46-

Literature

• RT scheduling:– Hard Real-Time Computing Systems: Predictable

Scheduling Algorithms and Applications. G. Buttazzo. Kluwer, 1997.

• RT communication:– Real-Time Systems – Design Principles for

Distributed Embedded Applications. H. Kopetz. Kluwer, 1997.

– Byteflight, CAN papers.

© 2002 C. Kirsch -47-

Embedded Programming

…requires the integration of:

1. Real-time operating system concepts2. Embedded programming languages3. Embedded compilers4. SE, modeling, and simulation techniques5. Formal methods

© 2002 C. Kirsch -48-

Concurrency

Control Data

Task1 Task2 Task1 Task2

Parallel Composition I/O Decomposition

© 2002 C. Kirsch -49-

Control Operators

Parallel ChoiceSequential Loop

© 2002 C. Kirsch -50-

Real-Time

State

TimeEvent FrequencyTime

Change of state

Function

© 2002 C. Kirsch -51-

Real World

Time

Data

© 2002 C. Kirsch -52-

Discrete Data

Time

d0

d1

d2

Datad3

© 2002 C. Kirsch -53-

State

TimeState1

d0

State2

Data

State0

d1

d2

d0 d1 d1 d2 d2 d3

d3

© 2002 C. Kirsch -54-

Continuous Time

Time

Interval

Start Event Terminating Event

t1 t2State1

Data

© 2002 C. Kirsch -55-

Digital Clock

Time

Data

Granule

t1 t2

Clock Tick @ 1/(t2-t1) Hz

© 2002 C. Kirsch -56-

Discrete Time

Time

Data

t1 t2

State1

© 2002 C. Kirsch -57-

Event-Triggered (ET) System

Time

Data

Change of state

© 2002 C. Kirsch -58-

Time-Triggered (TT) System

Time

Data

Clock tick

© 2002 C. Kirsch -59-

Esterel - Giotto

• Esterel:– Synchronous reactive language– Event-triggered semantics

• Giotto:– Time-triggered semantics– Distributed platforms

© 2002 C. Kirsch -60-

Event - Reaction

fEvent Reaction

© 2002 C. Kirsch -61-

Esterel: Event

Event:

Time

emit S

Loop: loop P each SP

await S

© 2002 C. Kirsch -62-

Esterel: Operators

Choice:Parallel:

P || Q present S then P else Q

Sequential: P ; QP Q

P

Q

P

Q

© 2002 C. Kirsch -63-

Esterel: Controller

module normal:

input A, B, R;

output O;

loop

[ await A || await B ];

emit O

each R

end module

R?

R? R?

A?.~R?.O!

A?.~R? B?.~R?

B?.~R?.O!

A?.B?.~R?.O!

© 2002 C. Kirsch -64-

Sensor - Control Law - Actuator

fSensors Actuators

© 2002 C. Kirsch -65-

Giotto: Time

Sequential: Task

TimeInput Output

© 2002 C. Kirsch -66-

Giotto: Operators

Choice:Parallel:

Mode Program

Sequential: Task

© 2002 C. Kirsch -67-

Giotto: Helicopter Control

mode normal ( ) period 20ms

{

taskfreq 1 do servo = Control ( position ) ;

taskfreq 4 do position = Navigation ( GPS, position ) ;

}

© 2002 C. Kirsch -68-

Control @ 50Hz

SemanticsTask

Navigation @ 200Hz

msec5 10 15 20

© 2002 C. Kirsch -69-

InputTask

msec5 10 15 20

© 2002 C. Kirsch -70-

ComputationTask

msec5 10 15 20

Control Law Navigation Integrator

© 2002 C. Kirsch -71-

OutputTask

msec5 10 15 20

© 2002 C. Kirsch -72-

Literature

• Esterel:– The Foundations of Esterel. G. Berry. In Proof, Language

and Interaction: Essays in Honour of Robin Milner. G. Plotkin, C. Stirling and M. Tofte, editors. MIT Press, 2000.

– Synchronous programming of reactive systems. N. Halbwachs. Kluwer, 1993.

• Giotto:– Embedded Control Systems Development with Giotto. B.

Horowitz, T. Henzinger, C. Kirsch. 2001.– Giotto: A Time-Triggered Language for Embedded

Programming. B. Horowitz, T. Henzinger, C. Kirsch. 2001.

© 2002 C. Kirsch -73-

Embedded Programming

…requires the integration of:

1. Real-time operating system concepts2. Embedded programming languages3. Embedded compilers4. SE, modeling, and simulation techniques5. Formal methods

© 2002 C. Kirsch -74-

Concurrency

Task1 Task2 Task1 Task2

Parallel Composition I/O Decomposition

Task1 Task2;Task2 Task1;

Task1 Task2Task2 Task1

© 2002 C. Kirsch -75-

Real-Time

Task1 Task2; ; Task1Task3 Task2 Task1;

TimeEvent

DeadlineTimeFrequency

© 2002 C. Kirsch -76-

Control @ 50Hz

Helicopter ControlTask

Navigation @ 200Hz

msec5 10 15 20

© 2002 C. Kirsch -77-

ReadTask

msec5 10 15 20

Input

© 2002 C. Kirsch -78-

WriteTask

msec5 10 15 20

Output

© 2002 C. Kirsch -79-

Worst Case Execution TimeTask

msec5 10 15 20

Control Law Navigation Integrator

© 2002 C. Kirsch -80-

DeadlineTask

msec5 10 15 20

© 2002 C. Kirsch -81-

CodeTask

msec5 10 15 20

© 2002 C. Kirsch -82-

Literature

• Some compiler books:– Compiler Construction, N. Wirth, Addison-Wesley,

1996.– Compilers, Principles, Techniques, and Tools.

A.V. Aho, R. Sethi, J.D. Ullman. Addison-Wesley, 1985.

– Compiler Design. R. Wilhelm, D. Maurer. Addison-Wesley, 1995.

© 2002 C. Kirsch -83-

Embedded Programming

…requires the integration of:

1. Real-time operating system concepts2. Embedded programming languages3. Embedded compilers4. SE, modeling, and simulation techniques5. Formal methods

© 2002 C. Kirsch -84-

Real-Time Task

fInput Output

Worst case execution time

© 2002 C. Kirsch -85-

Type

Abstract Data Type

Interface: Set of methods

© 2002 C. Kirsch -86-

Empty

Abstract Interface

Interface: Set of methods

© 2002 C. Kirsch -87-

Application-dependent

Framework

Application-dependent

Application-independent

© 2002 C. Kirsch -88-

?

Type vs. Task

Interface: Set of methods

Input Output

© 2002 C. Kirsch -89-

Literature

• Patterns & Frameworks:– Design Patterns: Elements of Reusable Object

Oriented Software. E. Gamma, J. Vlissides, R. Johnson, R. Helm. Addison Wesley, 1994.

– Design Patterns for Object-Oriented Software Development. W. Pree, E. Gamma. Addison Wesley, 1995.

© 2002 C. Kirsch -90-

Embedded Programming

…requires the integration of:

1. Real-time operating system concepts2. Embedded programming languages3. Embedded compilers4. SE, modeling, and simulation techniques5. Formal methods

© 2002 C. Kirsch -91-

Formal Verification

Time

Safety Liveness

Control

Data

• Safety: Wrong things never happen!• Liveness: Something useful will happen eventually!

Property Space

© 2002 C. Kirsch -92-

Language Hierarchy

Design

Model

Program

Executable

Non-Deterministic

synthesize analyze

compile

expand

Deterministic

Sequential

Universal Macros

Automata

Code

Machine

© 2002 C. Kirsch -93-

Non-Determinism

Parallel ChoiceSequential Non-DeterminismA E

Programming Operators Modeling Operator

© 2002 C. Kirsch -94-

Esterel: Verification

EsterelProperty

AutomataAutomata

Automata

Esterel Abstraction “Bisimulation”

Model Checking

© 2002 C. Kirsch -95-

Esterel: Hierarchy

Design

Model

Esterel

Executable

Bisimulation

compile

Non-Det. Automata

Deterministic Code

Sequential Circuit

Model Checking

© 2002 C. Kirsch -96-

Giotto: Verification

GiottoProperty

MasaccioAutomata

MasaccioModel Checking

Abstraction “Refinement”

© 2002 C. Kirsch -97-

Giotto: Hierarchy

?

Masaccio

Giotto

Executable

synthesize Refinement

compile

expand

Hybrid Modules

Deterministic Code

Seq. Stack Machine

Model Checking

© 2002 C. Kirsch -98-

Giotto: Hierarchy

SLDLSLDL

SLDLSLDL

MASACCIO ATL

GIOTTO GIOTTO-HSC

SLDL 1

RTOS 1

DESIGN

MODEL

PROGRAM

EXECUTABLE

HARDWARESCHEDULERCOMMUNICATION

HierarchicalHybridModules

Time-TriggeredBlocks of

C Code

Model-check

Compile

given

Synthesize Refine

REQUIREMENTS

CONSTRAINTS

© 2002 C. Kirsch -99-

Literature

• Esterel:– Papers @ www.esterel.org

• Giotto:– T.A. Henzinger. Masaccio: A Formal Model for

Embedded Components. LNCS 1872, Springer, 2000, pp. 549-563.

© 2002 C. Kirsch -100-

End