The document discusses the SuReal methodology for modeling and timing analysis of embedded real-time systems. SuReal uses a model-based approach with UML profiles and MARTE annotations to capture real-time requirements and behavior. It performs timing analysis at both the code level, using AbsInt aiT, and the system level, using Symtavision SymTA/S. The toolchain integrates these analyses to verify schedulability and detect potential runtime errors. The document gives an overview of the SuReal techniques and process: timing analysis, scheduling analysis, and data flow analysis, applied to make real-time system development more predictable.
1. SuReal
Methodology and Timing Analysis
Innovations Forum
23.04.2009
Dr. James J. Hunt and Nico Feiertag
aicas GmbH / Symtavision
SuReal 1
2. SuReal Development Process
[Figure: development process. Each step produces an artifact, and each artifact has its own verification step.]
Modelling -> Platform-independent Model -> High-level Timing Requirements Verification
Platform Refinement -> Platform-specific Model -> Scheduling Verification
Code Generation and Extension -> Annotated Source Code -> Technical / Functional Verification
Compilation -> Executable Code -> Code Verification
SuReal 2
3. SuReal Tool Chain
[Figure: tool chain. Development artifacts on the left, the verification tool applied to each artifact on the right.]
Development:
UML Editor (Ameos) -> Annotated Model -> XMI -> VSE Model Generator
Model -> Code Generator (Ameos) -> Annotated Java Code -> Java Code Parser/Editor -> Augmented Java Code
javac -> Class Files -> Builder (Jamaica Builder) -> Machine Executable Code
Verification:
Model Verification: UPPAAL Model Checker (DFKI); Scheduling Model Verification (SymTA/S), with FIBEX input
Constraints: verification of Java code
Data Flow / Byte Code analysis (Veriflux): High Level WCET Analysis, producing Derived Annotations
WCET Analyzer (aiT) on the machine executable code
SuReal 3
4. Profile Comparison
                            USTP          MARTE         HIDOORS       SysML
Profile                     Light weight  Light weight  Light weight  Light weight
Annotations                 ✔             ✔             ✔             ✘
Schedulability              ✔             ✔             ✔             ✔
Performance Analysis        ✔             ✔             ✘             ✘
Quality of Service          ✘             ✔             ✘             ✔
Supports Defining Metrics   ✘             ✔             ✘             ✘
Fault Tolerance             ✘             ✘             ✘             partial
Formal Semantics            ✘             ✔             ✔             ✘
Embedded Systems            ✔             ✔             ✔             ✘
Realtime Systems            ✘             ✔             ✘             ✔
Requirements Engineering    ✘             ✔             ✔             ✔
Supports MDA                ✘             ✔             ✘             ✔
UML 2.0 Compatibility       ✘             ✔             ✘             ✔
OCL 2.0 Compatibility       ✘             ✘             ✘             ✘
Nonlinear Refinement
SuReal 4
5. SuReal Profile Views
[Figure: the profile views, software on the left and hardware on the right, joined by mappings.]
Software views: Application Design, Computational Infrastructure
Hardware views: Topology, Operating Environment, Environment
Mappings: Application Mapping, Architecture Mapping, Operating Mapping
SuReal 5
6. Diagram Usage
View vs. Diagram (views: Design, Topology, Operating Environment, Execution Environment)
Class Diagram: X
State Diagram: X
Sequence Diagram: X
Composite Structure Diagram: X X X X (used in all four views)
SuReal 6
12. Case Study 2—Application Map
Controller: SpeedCalculator, LaneTracking, EmergencyBreak
NXT: SpeedController, SensorWatcher, SteeringController
Bus:
FrameHost2NXT: LeftMotorSpeed, RightMotorSpeed, SteeringAngle, Stop
FrameNXT2Host: LeftLight, RightLight, Distance
SuReal 12
13. Case Study Infrastructure
Operating Environment
Case 1 — Single Processor: C Code under NXTOsek
Case 2 — Two Processors: Realtime Java under VxWorks 6.5 RTP; C Code under NXTOsek
Execution Environment
Case 1 — Single Processor: NXT ARM
Case 2 — Two Processors: PowerPC 603; NXT ARM
SuReal 13
14. Case Study 1—Code
C Side
main
EmergencyBrake_states
LaneTracking_states
LoggingTask_states
SensorWatcher_states
SpeedCalculator_states
SpeedController_states
SteeringController_states
SuReal 14
15. Case Study 2—Code
Java Side: Controller, EmergencyBrake, LaneTracking, LoggingTask, SpeedCalculator, MasterTransferTask, FrameHost2NXT, FrameNXT2Host, NxtUsbDriver
C Side: main, SensorWatcher_states, SpeedController_states, SteeringController_states, SlaveTransferTask_states
SuReal 15
16. Hard Real-Time Systems
Controllers in planes, cars, plants, … are expected to finish their
tasks within reliable time bounds.
It is essential that an upper bound on the execution times of all
tasks is known: this bound is commonly called the Worst-Case Execution Time (WCET).
The WCET is a prerequisite for system-level schedulability analysis.
SuReal 16
17. Complex System Timing Behaviour
[Figure: signal path from application software components (ABS, ASR, ESP, ACC; SWC 1 to SWC 4 for engine control and powertrain control) through the RTE and the BSW COM layer (SEND/RECV) to the CAN hardware.]
Legend:
SIG: signal register
SEND/RCV: COM layer tasks or interrupts
INT: driver interrupt
MO: message object (HW buffer)
Timing factors shown in the figure:
Frame generation timing (cyclic and/or event-driven)
Buffering strategy: queue (FIFO, priority ordered, hybrid)
Message objects in the CAN HW (hardware buffers)
SuReal 17
18. Methodology
[Figure: probability distribution of execution times. Marked along the execution-time axis: best-case execution time; measured execution times (unsafe as a worst-case estimate); exact worst-case execution time; safe worst-case execution time estimate.]
SuReal 18
19. Two Levels of Timing Analysis
Code level
● aiT (AbsInt)
● Single process, task, ISR
● Focus on
  ● Control flow
  ● Processor architecture with pipelines and caches
System level
● SymTA/S (Symtavision)
● Multiple functions or tasks
● Focus on
  ● Integration and scheduling
  ● Periodic or event-driven activation, blocking
  ● End-to-end timing
SuReal 19
20. aiT + SymTA/S: Integration with Modeling Tool OpenAmeos
SuReal 20
21. Customer benefits
● Capturing realtime behavior systematically
  ● Fast identification of bottlenecks
  ● Preventing integration problems
● Planning timing early
  ● Predict resource requirements
  ● Optimal dimensioning
● Optimized development process
  ● Reduced number of prototypes
  ● Reduced testing effort
  ● Reliable prediction of extendibility
SuReal 21
23. Application of Tools
[Figure: granularity ladder, with the tool that applies at each level.]
system (ECUs, buses): Symtavision (SymTA/S)
ECU
task
runnable
function: AbsInt (aiT)
basic block
assembler instruction
SuReal 23
24. Workflow and Information Flow
[Figure: information flow between SymTA/S and aiT.]
SymTA/S: System model (tasks, activations, scheduling)
SymTA/S -> aiT: WCET/Stack Request (single task)
aiT: WCET/Stack Analysis
aiT -> SymTA/S: WCET/Stack Response; Additional Info requests and Refinement as needed
SymTA/S: Scheduling Analysis (WCRT), System Stack Analysis
SuReal 24
25. Integration with AbsInt aiT
● Request – response
  ● SymTA/S requests list of core execution times
    ● Different runnables
    ● Different modes
    ● Different processors
  ● aiT returns results
SuReal 25
26. Integration with AbsInt aiT—Results
● Enables verification and quick mapping exploration
SuReal 26
27. Veriflux: Data Flow Analysis
● Extension of control flow analysis: data values are propagated as well
● Fixed point algorithm
● Necessary extension for OO languages: method dispatch is data dependent
● More precise than considering all possible subclasses at each call point
SuReal 27
28. DFA Applications
Worst case execution time analysis
Memory use (stack, heap, etc.)
Coverage and reachability
Exception checking
Shared object detection
Synchronization (deadlocks)
SuReal 28
29. Detecting Runtime Errors
    ...
    if (device instanceof MyDevice)
    {
        MySensor s = (MySensor) device.sensor;
        int value = s.reading();
        ...
    }
    ...
SuReal 29
30.–44. Detecting Runtime Errors
Slides 30 to 44 build up the analysis of the fragment above one step at a time; slides that repeat the previous one are collapsed here.
Potential exceptions flagged in the fragment:
    if (device instanceof MyDevice)
    {                                                // NullPointerException (slide 30)
        MySensor s = (MySensor) device.sensor;       // ClassCastException (slide 31)
        int value = s.reading();                     // NullPointerException (slide 32)
        ...
    }
Facts established by the data flow analysis, each shown next to the exception it concerns:
    device != null                                   (slide 33, above the instanceof test)
    values(MyDevice.sensor) contains only MySensor   (slide 37, at the cast)
    null ∉ values(MyDevice.sensor)                   (slide 41, at the cast)
Slide 44 shows the annotated fragment again after these facts have been applied.
SuReal 30-44
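The value-set reasoning the slides show (null ∉ values(MyDevice.sensor), values(MyDevice.sensor) contains only MySensor) as an added toy illustration in Python; this is not Veriflux or SuReal code. The class hierarchy, the recorded field stores and the field names other than MyDevice.sensor are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed class hierarchy: subclass -> direct superclass.
HIERARCHY = {"MySensor": "Sensor", "OtherSensor": "Sensor", "Sensor": "Object"}

def is_subclass(cls: str, target: str) -> bool:
    """True if cls is target or inherits from it (walks HIERARCHY)."""
    while cls is not None:
        if cls == target:
            return True
        cls = HIERARCHY.get(cls)
    return False

# Constructed whole-program facts: every store into a field, recorded as
# (field, ("new", Class)), (field, ("null", "")) or (field, ("field", src)).
Store = Tuple[str, Tuple[str, str]]
PROGRAM: List[Store] = [
    ("MyDevice.sensor", ("new", "MySensor")),
    ("Diagnostics.probe", ("null", "")),
    ("Diagnostics.probe", ("new", "OtherSensor")),
    ("Logger.source", ("field", "MyDevice.sensor")),
    ("Logger.source", ("field", "Diagnostics.probe")),
]

def values(program: List[Store]) -> Dict[str, Set[str]]:
    """Fixed-point propagation: values(f) is the union of everything stored
    into f. Field-to-field copies mean one pass is not enough in general, so
    iterate until no set grows (sets only grow, so this terminates)."""
    sets: Dict[str, Set[str]] = {}
    changed = True
    while changed:
        changed = False
        for field, (kind, arg) in program:
            target = sets.setdefault(field, set())
            before = len(target)
            if kind == "new":
                target.add(arg)
            elif kind == "null":
                target.add("null")
            else:  # copy from another field (may still be empty this pass)
                target |= sets.get(arg, set())
            changed |= len(target) != before
    return sets

def may_throw_npe(vals: Dict[str, Set[str]], field: str) -> bool:
    """Dereferencing field can throw iff null is in values(field)."""
    return "null" in vals[field]

def may_throw_cce(vals: Dict[str, Set[str]], field: str, target: str) -> bool:
    """A cast to target can throw iff some non-null value is not a target;
    null passes a Java cast and surfaces later as a NullPointerException."""
    return any(v != "null" and not is_subclass(v, target) for v in vals[field])
```

For MyDevice.sensor both checks come back false, which is exactly what lets the analysis discharge the ClassCastException at the cast and the NullPointerException at s.reading(); Logger.source, which merges a nullable field, keeps both.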
45. WCETA for Realtime Java
Language dependent phase
  Data flow graph construction
  Path analysis, e.g., determining method call sets and loop bounds
Machine dependent phase
  Basic block timing analysis
  Cache analysis module
  Pipeline analysis module
  Branch prediction module
  Worst case execution path discovery
SuReal 45
46. WCETA Process for RTJava
Process JML annotations
Transform source
Compile to bytecode
Run full program dataflow analysis
Generate low level WCETA tool annotations for critical methods
Compile bytecode to machine code
Run low level WCETA tool
SuReal 46
47. Loop Bounds Annotations
decreases [integer expression]: while loop, for loop, for each loop
measured_by [integer expression]: recursion
invariant [boolean expression]: unbound variables
SuReal 47
48. JML Decreases Clause
decreases [integer expression]: loops
measured_by [integer expression]: recursion
⇒
  [integer expression] ≥ 0
  [integer expression]_initial ≥ [integer expression]
  for each iteration i:
    [integer expression]_i ≥ [integer expression]_{i+1} + 1
SuReal 48
49. While Loop Transform
Annotated source:
    //@ decreases elements.length - i;
    while (i < elements.length)
    {
        sum += elements[i++];
    }
Transformed source:
    {
        DFAHelper.captureBounds(elements.length - i);
    }
    while (i < elements.length)
    {
        sum += elements[i++];
    }
SuReal 49
50. For Loop Transformation
Annotated source:
    //@ decreases elements.length - i;
    for (int i = 0; i < elements.length; i++)
    {
        sum += elements[i];
    }
Transformed source:
    {
        int i = 0;
        DFAHelper.captureBounds(elements.length - i);
    }
    for (int i = 0; i < elements.length; i++)
    {
        sum += elements[i];
    }
SuReal 50
51. For Each Loop Transform 1
Annotated source (ghost variable counts the remaining elements):
    //@ ghost int i = elements.length;
    //@ decreases i;
    for (int entry: elements)
    {
        sum += entry;
        //@ set i--;
    }
Transformed source:
    {
        int i = elements.length;
        DFAHelper.captureBounds(i);
    }
    for (int entry: elements)
    {
        sum += entry;
    }
SuReal 51
52. For Each Loop Transform 2
Unannotated source (the bound is derived from the array length):
    for (int entry: elements)
    {
        sum += entry;
    }
Transformed source:
    {
        DFAHelper.captureBounds(elements.length);
    }
    for (int entry: elements)
    {
        sum += entry;
    }
SuReal 52
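The obligations of the JML decreases clause (slide 48) and the bound that the captureBounds transforms of slides 49 to 52 record, as an added runtime illustration in Python; this is not SuReal, Veriflux or JML tool code. `run_with_variant` is a constructed helper that evaluates the variant while a loop executes, and the second loop is a constructed faulty one whose variant stalls.

```python
from typing import Any, Callable, Dict, Tuple

State = Dict[str, Any]

def run_with_variant(state: State, cond: Callable[[State], bool],
                     body: Callable[[State], None],
                     variant: Callable[[State], int]) -> Tuple[int, int]:
    """Run `while cond: body` and check the decreases-clause obligations:
    variant >= 0 before every iteration and variant_i >= variant_{i+1} + 1.
    Returns (iterations executed, bound); bound is the initial variant value,
    the quantity captureBounds(...) records in the transformed loops."""
    bound = variant(state)
    iterations, prev = 0, None
    while cond(state):
        v = variant(state)
        if v < 0:
            raise AssertionError(f"variant {v} < 0 before iteration {iterations}")
        if prev is not None and prev < v + 1:
            raise AssertionError(f"variant did not decrease: {prev} -> {v}")
        prev = v
        body(state)
        iterations += 1
    return iterations, bound

def while_sum(elements) -> Tuple[int, int, int]:
    """Slide 49's loop with variant elements.length - i: (sum, iterations, bound)."""
    st: State = {"i": 0, "sum": 0, "elements": list(elements)}
    def cond(s: State) -> bool:
        return s["i"] < len(s["elements"])
    def body(s: State) -> None:
        s["sum"] += s["elements"][s["i"]]
        s["i"] += 1
    iters, bound = run_with_variant(st, cond, body,
                                    lambda s: len(s["elements"]) - s["i"])
    return st["sum"], iters, bound

def variant_violated(elements) -> bool:
    """Constructed faulty loop: i only advances for non-negative entries, so on
    a negative entry the variant stalls and the obligation fails (without the
    check this loop would never terminate). True if a violation is caught."""
    st: State = {"i": 0, "sum": 0, "elements": list(elements)}
    def cond(s: State) -> bool:
        return s["i"] < len(s["elements"])
    def body(s: State) -> None:
        e = s["elements"][s["i"]]
        s["sum"] += e
        if e >= 0:
            s["i"] += 1
    try:
        run_with_variant(st, cond, body, lambda s: len(s["elements"]) - s["i"])
        return False
    except AssertionError:
        return True
```

The iteration count of a loop that satisfies the obligations can never exceed the recorded bound, which is why the bound can be handed to the low-level WCET tool as a loop annotation.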
53. Handling Dispatch Sets
Calculated as part of dataflow analysis; no annotations are necessary
Veriflux determines two sets of values: the set of all invocations and the set of referenced values
Call sets are determined for invocation sites, not just for each method; different invocations may have totally different call sets.
SuReal 53
54. AIS Annotations
Unevaluated method (known not to be called):
    snippet "jamaica_throwNull" is not analyzed
      and is never executed
      and takes exactly 0 cycles
      and uses exactly 0 bytes of stack
      and removes exactly 0 bytes of stack;
Dynamic dispatch:
    instruction "L1259_53_run@label" + 1 unpredictable calls
      jam_comp_javax_realtime_RealtLogic_48_run1,
      jam_comp_javax_realtime_Asyncndler_8_run16,
      jam_comp_javax_realtime_AEHTh00241_3_run1,
      jam_comp_javax_realtime_List_bject_23_run1;
Loop:
    loop file 'SpeedCalculator.java' line 180 max 10;
SuReal 54
55. Realtime Java WCET Results
SpeedCalculator.handleAsynchEvent()
328678 cycles = 0.83 ms
LaneTracking.handleAsynchEvent()
133925 cycles = 0.339 ms
EmergencyBreak.handleAsynchEvent()
100454 cycles = 0.254 ms
MasterTransferTask.handleAsynchEvent()
39059 cycles = 98.634 us
SuReal 55
57. Conclusion
Complete development process
Capturing realtime behavior systematically
From Model to Executable
Full timing and schedulability analysis
Supports Object-Oriented Development
Realtime Java
Static compilation and GC
Improved development flexibility
Up front model checking
Separation of Concerns
SuReal 57