From Models to Code: The Missing Link in Embedded Software
Tom Henzinger, University of California, Berkeley
Joint work with Ben Horowitz and Christoph Kirsch

The History of Computer Science: Lifting the Level of Abstraction
  Automatic program synthesis: no more programming.
  High-level languages: programming to the application.
  The assembly age: programming to the platform.
  Code generation from specifications: still mostly a dream. It is not yet feasible to abstract algorithms.
  Compilation: perhaps the success story of computer science. It is feasible to abstract the platform.

Current Practice in Control Software
  Some automatic code generation from models: often inefficient, often unpredictable.
  Some manual programming to the platform: difficult to reuse, difficult to verify, requires systems experts.
  The missing link: platform-independent software.

Advocated Practice in Control Software
  Mathematical model (e.g. Simulink, HyTech)
  Control engineer
  Platform-independent software (e.g. Giotto)
  Compiler
  Executable code for a specific platform
  verifiable, reusable, efficiently implementable

Current Control Software Development
  Mathematical Model (e.g. Simulink, HyTech)
  Platform Constraints: hardware configuration, RTOS (scheduling algorithm), network (protocol)
  CONCURRENCY, ENVIRONMENT TIME, DISTRIBUTION
  Some automatic code generation, some manual code optimization
  Executable Code
  PLATFORM TIME

Current Control Software Development: Problems
  Close correspondence between model and code is lost with code optimization.
  If either model or platform changes, the entire process needs to be repeated.

Advocated Control Software Development
  Mathematical Model
  An intermediate layer that separates platform-independent from platform-dependent software issues.
  Platform-independent Software Model (e.g. Giotto): executable by virtual machine, composable
  Platform Constraints
  Executable Code

Advocated Control Software Development
  Mathematical Model, e.g.: What is the control equation? What is the sampling rate?
  Platform-independent Software Model, e.g.: Which procedure computes the control equation? Which event triggers the computation?
  Platform Constraints, e.g.: Which CPU executes the control procedure? What priority has the execution?
  Executable Code
  still CONCURRENCY, still ENVIRONMENT TIME

Advocated Control Software Development
  Mathematical Model
  Platform-independent programming (i.e. algorithms and data structures)
  Platform-independent Software Model
  Platform-dependent code generation (e.g. priorities)
  Platform Constraints
  Executable Code
  SEPARATION OF CONCERNS

Motivation: Flight Control Software
  ETH Zurich (Kirsch, Pree, Sanvido, Schaufelberger, Wirth): single CPU
  UC Berkeley (Horowitz, Liebman, Ma, Koo, Sangiovanni-Vincentelli, Sastry): two connected CPUs
  [Figure: flight control software. Rates shown: 200 Hz, 400 Hz, 200 Hz, 1 kHz]

Platform-independent Software Model
  1. Concurrent periodic tasks: sensing, control law computation, actuating
  2. Multiple modes of operation:
     navigational modes (autopilot, manual, etc.)
     maneuver modes (taxi, takeoff, cruise, etc.)
     degraded modes (sensor, actuator, CPU failures)

Platform-independent Software Model
  [Figure: mode diagram. Labels in extraction order: Mode 1, Task S 400 Hz, Condition 1 2, Task C 200 Hz, Task C 200 Hz, Task A 1 kHz, Mode 2, Task S 400 Hz, Condition 2 1, Task A 1 kHz, Task A 1 kHz, Mode 3, Task S 400 Hz, Task C 200 Hz, Task A 2 kHz, Mode 4, Task C 100 Hz, Task A 1 kHz]

Platform-independent Software Model
  Host code (e.g. C): functionality; no time; sequential.
    This kind of software is understood.
    Host code may sometimes be generated automatically.
  Glue code (Giotto): timing and interaction; environment time, not platform time; concurrency, not distribution.
    The software complexity lies in the glue code (minimize jitter).
    Giotto enables requirements-driven (rather than platform-driven) glue-code programming.

Outline
  1. The Giotto Programmer's Model
  2. The Giotto Compiler

The Giotto Programmer's Model
  Programming in terms of environment time.
  Programmer's fiction:
    time-triggered task invocation
    tasks are functions with a fixed duration
    platform offers sufficient performance
  Implementation in terms of platform time.
  Compiler must maintain programmer's fiction:
    needs access to global time, no other platform requirements
    tasks may finish early, but outputs cannot be observed early
    tasks may be preempted and distributed

The Giotto Programmer's Model
  Given:
  1. Units of scheduled host code (application-level tasks), e.g. control law computation. [Diagram: input ports, task, output ports]
  2. Units of synchronous host code (system-level drivers), e.g. device drivers. [Diagram: task, task; driver loads task input ports]
  3. Real-time requirements and data flow between tasks.
  Giotto: glue code that calls 1 and 2 in order to realize 3.

Environment Timeline (defined by Giotto semantics)
  [Diagram: sensor, driver, task of duration d, actuator]
  Driver execution in environment time: 0
  Task execution in environment time: d
  Time t: sensor output ports read
  Time t: input ports loaded
  Time t+d: output ports read
  Time t+d: actuator input ports loaded

Platform Timeline (chosen by Giotto compiler)
  [Diagram: sensor, driver, task of duration d, actuator; task on CPU]
  Time t: input ports loaded
  Time t+d: output ports read

Platform Independence ensures Predictability
  The Giotto compiler chooses for a given platform a platform timeline that is value-equivalent to the environment timeline defined by the Giotto semantics.
  Internal determinism: for a given sequence of sensor readings, the corresponding sequence of actuator settings is uniquely determined (i.e., there are no race conditions).

Simplified Helicopter Software
  [Figure: block diagram. Labels in extraction order: Control, 1 0, i, Sensors, s, Navigation, 5, a, Actuators]
  Matlab legacy design

Helicopter Software: Environment Timeline
  [Figure: timeline of tasks Control and Navigation with ports a, i, s; time axis t, t+5ms, t+10ms]
  Block of synchronous code (nonpreemptable)
  Scheduled tasks (preemptable)

Single-CPU Helicopter: Platform Timeline (EDF)
  [Figure: task timeline; time axis t, t+5ms, t+10ms]

Two CPU


Berkeley ELENG C249A - From Models to Code - The Missing Link in Embedded Software
