towards certifiable resource sharing in safety-critical multi-core

Benny Akesson, Eduardo TovarCISTER, ISEP

Ashley Workshop, ISQ, November 5, 2015

(http://www.cister.isep.ipp.pt)

1

We are an internationally renowned research centre located in the main university

campus of Porto, Portugal. We perform fundamental and goal-oriented research in

cutting edge technologies, with expertise in real-time and embedded computing

systems. We work with global leading industry and academic partners.

2

3

ApplicationsAutomotive & Avionics, Smart-cities, Smart IT, eHealth, Manufacturing,

Electronics & Communications, Environmental Monitoring, Critical

Systems, Infotainment

SectorsAutomotive, avionics, consumer

electronics, communication, medicine, industrial automation,

energy

SubjectsEmbedded Software and

Systems, Wireless Sensor Networks, Multi-core

Platforms

Core FocusReal time and Embedded

Systems Computing

Industry driven

research projects

and services

Excellence in

education &

fundamental

research

Cutting edge

technology

DP [4]1

Slide 3

DP [4]1 Escolher um padrão de cores mais atractivoDAVID PEREIRA; 17-09-2015

4

Key Processes

• Real-time and

embedded computing

systems

• Reach for Excellence

• Internationalization

Key Activities

• Fundamental

Research

• Industry driven

research

• Application drive in

many domains

• Related courses and

degrees offered

• Support excellence

education

Value Proposition

••One of the leading

European research

units in the area

• Consistent 50%

acceptance rate in FCT

fundamental research

projects

• Participation in the

relevant European

Networks of Excellence

Key Resources

• 25 PhD qualified

researchers

• 20 PhD students

• 8 MSc and undergrad

students

• 4 support staff

• 18 Nationalities

• New building

Key Relationships

Advisory board

Key Industrial Relationships

External Advisory BoardValue

Proposition

Key ResourcesKey Processes

Key Activities

InternationalInternationalNationalNational

IndustryIndustry

Rodrigo Maia (Critical)Michael Paulitsch (EADS)Sérgio Penna (Embraer)Zlatko Petrov (Honeywell)

AcademyAcademy

Tarek Abdelzaher (UIUC)Sanjoy Baruah (UNC)Alan Burns (York)Daniel Mossé (Pittsburgh)Raj Rajkumar (CMU)

DP [2]1DP [3]1

Slide 4

DP [2]1 Update numbers!DAVID PEREIRA; 17-09-2015

DP [3]1 Add picturesDAVID PEREIRA; 17-09-2015

5

CISTER

Senior

Researchers

PhD Students

MSc + Undergrads

Interns, Other Staff

External Advisory

Board

Academia Industry

DP1

Slide 5

DP1 Add numbers here, and possibly some faces/logos for the EABDAVID PEREIRA; 17-09-2015

6

7

JU grant nr. 621429 ARTEMIS/0001/2013Funding: 9.56MEUR (CISTER Funding: 375KEUR)3 years (April 2014 to Mar 2017)

EMC² finds solutions for dynamic adaptability in open systems, provides handling of mixed criticality applications under real-time conditions, scalability and utmost flexibility, full scale deployment and management of integrated tool chains, through the entire lifecycle. The objective of EMC² is to establish Multi-Core technology in all relevant Embedded Systems domains.

Partners of the CONCERTO consortium include, among others:

8

JU grant nr. 333053 ARTEMIS/0003/2012Funding: 9.56MEUR (CISTER Funding: 375KEUR)3 years (May 2013 to Apr 2016)

CONCERTO will deliver a reference multi-domain architectural framework for complex, highly concurrent, and multi-core systems, where non-functional properties (including real-time, dependability, and energy management) will be established for individual components, derived for the overall system at design time, and preserved by construction and monitoring at run-time.

Partners of the CONCERTO consortium include, among others:

9

QREN – SI I&DT Nr. 38923Funding: 748KEUR (CISTER Funding: 53KEUR)18 months (Jan 2014 to Jul 2015)

The V-SIS project proposes addressing this challenge with the creation of a critical systems validation competence centre, leveraging our capability to compete worldwide. The project seeks to take advantage from the landscape of change, the doubts and needs triggered by normative evolutions like the ISO26262 inception (automotive) and the upgrade to DO-178C (avionics).

The V-SIS project proposes working two elemental vectors (1) functional safety and (2) critical systems validation. The work will be arranged in (i) processes innovation (RAMS techniques, model based V&V, multi-criticality systems, security fault injection) and (ii) validation laboratory development.

Partners of the V-SIS consortium include:

10

The goal of this project was the development of techniques and technologies that allow performing scalable and efficient data processing in large-scale dense cyber-physical systems. This is yet an unsolved problem.

The major novelty of this project is effectively in the co-design of distributed algorithms for sensor data processing and underlying networked distributed computing systems with corresponding resource management schemes such that the utilization of resources is low.

FCOMP-01-0124-FEDER-020312 PTDC/EEA-ELC/121753/2010CISTER Funding: 141KEUR3 years (Mar 2012 to Feb 2015)

11

The EMCROSS project proposes to unleash the power of COTS multicore platforms to applications with

safety critical requirements across several application domains, including space, avionics, rail and

automotive.

The main concept of EMCROSS is the use of SW-based techniques to deliver predictable high-

performance to mixed-criticality workloads on multi-/many-core COTS processors by limiting and

quantifying the interferences over the shared resources.

The EMCROSS project will contribute to: new models of computation; trustworthy Worst-Case

Execution Time (WCET) analysis; scheduling and schedulability analysis; adapt deterministic,

automotive Ethernet for “Single-Core Equivalent” (SCE); development tools; and Validation and

Verification (V&V) techniques of highly parallel algorithms.

The EMCROSS proposal was lead by CISTER, is currently under evaluation by the ECSEL JU, and its consortium includes, among others:

• Embedded systems get increasingly complex

– Increasingly complex applications (more functionality)

– Growing number of applications integrated in a device

– More applications execute concurrently

– Requires increased performance without increasing power

• The resulting complex platforms

– are multi-core systems to improve performance/power ratio

– Resources in the system are shared to reduce cost

12

• Some applications have real-time requirements

• Applications have different design assurance levels (DAL)

– DAL level determines required certification effort [1,2]

– High DAL levels are very expensive and time-consuming to certify

• Commercial-of-the-shelf (COTS) platforms are used

– Custom hardware not cost-effective with low volumes

[1] DO-178C Software Considerations in Airborne Systems and Equipment Certification, 2012[2] DO-254 Design Assurance Guidance for Airborne Electronic Hardware, 2000

13

• Increased integration implies mixed-criticality systems– Applications with different DALs share resources

• Resource sharing creates interference between applications

– Makes it difficult to derive WCET of applications

– Highest DAL of applications must be used unless there is isolation [1]

• Both temporal and spatial isolation is required [1]

– Applications must be ”sufficiently” independent

[1] DO-178C Software Considerations in Airborne Systems and Equipment Certification, 2012

14

• Isolation on single core is typically provided by operating system

– E.g. based on ARINC-653 specification [3]

– ”Robust” partitions created for sets of applications

• Temporal isolation using time-division multiplexing (TDM)

– TDM non-work-conserving (nwc) to eliminate interference

– Application-level scheduling within a partition

[3] ARINC Specification 653, 2010

Partition 1

Application A

Application B

Partition 2

Application C

Application D

Partition 1 Partition 1Partition 2 Partition 2 Partition 1TDM

A B A B

15

How to ensure that applications sharing resources are isolated and that WCET of applications can be computed in certifiable mixed-criticality multi-core systems?

This presentation discusses this problem in a survey-like manner

16

COTS Analysis Methods

Introduction

Time-Predictable Hardware

Airbus isWCET Approach

CISTER’s Related Projects

17

Conclusions

• CompSoC is a platform for real-time applications [4]

– For independent app. development, verification, and execution

• Components of tiled architecture [5]

– Processor tiles with MicroBlaze cores

– Æthereal network-on-chip

– Memory tiles with SRAM or SDRAM

– Peripheral tiles

• Platform implementation in VHDL [6]

[4] http://compsoc.eu[5] Goossens, Kees, et al. "Virtual execution platforms for mixed-time-criticality systems: The compsoc architecture and design flow." SIGBED Review 10.3, 2013.[6] Goossens, Sven, et al. "The CompSOC design flow for virtual execution platforms." Proceedings of the 10th FPGAworld Conference. ACM, 2013.

18

• All resources are shared [7]

– NWC TDM partition scheduling on CPU (ARINC-653)

– NWC pipelined TDM flit scheduling in network-on-chip

– NWC TDM trans. scheduling or any scheduler + delay for DRAM

• Performance analysis

– Data-flow models for all software/hardware components

– WCET for all tasks/transactions

[7] Nelson, Andrew, Kees Goossens, and Benny Akesson. "Dataflow formalisation of real-time streaming applications on a Composable and Predictable Multi-Processor SOC." Journal of Systems Architecture (2015).

19

• Extremely robust partitioning [7]

– Not a single cycle interference from other partitions

– Similar to PREcision-Timed Architectures (PRET) [8]

[7] Akesson, Benny, et al. "Composability and predictability for independent application development, verification, and execution." Chapter in Multiprocessor System-on-Chip, 2011. [8] Edwards, Stephen A., and Edward A. Lee. "The case for the precision timed (PRET) machine." Proc. DAC, 2007.

20

• It is possible to design time-predictable multi-core platforms

– Extremely robust partitioning

– WCET for all tasks/transactions, but

– Average-case performance suffer

• Application domain is practically restricted to COTS platforms

– Hardware is given

– Transfering technology is very difficult

– Most customers are oriented towards average-case performance

21

COTS Analysis Methods

Introduction

Time-Predictable Hardware

Airbus isWCET Approach

Conclusions

22

CISTER’s Related Projects

• Analytically modeling a COTS platform is very difficult

– Hardware is optimized for average-case performance

– No detailed documentation of implementation

– Limited possibilities for measurements during validation

– Difficult to guarantee correctness / conservativeness of model

• Often pessimistic assumptions about memory controller:

– Unknown size of reorder buffer in memory controller [9]

– Unknown work-conserving memory scheduler [10,11,12]

– Bounds still useful?

[9] Kim, Hyoseung, et al. "Bounding memory interference delay in COTS-based multi-core systems." Proc. RTAS, 2014.[10] Dasari, Dakshina, et al. "Response time analysis of COTS-based multicores considering the contention on the shared memory bus." Proc. TRUSTCOM, 2011.[11] Nowotsch, Jan, et al. "Multi-core interference-sensitive wcet analysis leveraging runtime resource capacity enforcement." Proc. ECRTS, 2014.[12] Schliecker, Simon, and Rolf Ernst. "Real-time performance analysis of multiprocessor systems with shared memory." ACM Transactions on Embedded Computing Systems (TECS) 10.2 (2010): 22.

23

• There is much work on bounding interference between tasks– Vary w.r.t. task model and (task/transaction) schedulers

• Common assumptions– Single outstanding transaction– No or partitioned caches– Different path of worst-case memory accesses (WMA)

• Abstraction of memory accesses– Number of memory accesses per task / block [11,13]– Minimum / maximum requests in interval [12] (for self / others)

[11] Nowotsch, Jan, et al. "Multi-core interference-sensitive wcet analysis leveraging runtime resource capacity enforcement." Proc. ECRTS, 2014.[12] Schliecker, Simon, and Rolf Ernst. "Real-time performance analysis of multiprocessor systems with shared memory." ACM Transactions on Embedded Computing Systems (TECS) 10.2 (2010): 22.[13] Yun, Heechul, et al. "Memory access control in multiprocessor for real-time systems with mixed criticality." Proc. ECRTS, 2012.

24

• Throttling popular to control memory interference [11,14,15,16]

– Can be implemented at operating system level

– Relies on good performance monitoring counters

• Basic idea:

1. Assign memory access budgets

2. Monitor number of memory accesses using performance counters

3. Enforce budget by suspending tasks with depleted budgets

• Optionally, there are mechanisms for slack distribution

– Observed slack [15] or proven slack [16]

[11] Nowotsch, Jan, et al. "Multi-core interference-sensitive wcet analysis leveraging runtime resource capacity enforcement." Proc. ECRTS, 2014.[14] Inam, Rafia, et al. "The Multi-Resource Server for predictable execution on multi-core platforms." Proc. RTAS, 2014.[15] Yun, Heechul, et al. "Memguard: Memory bandwidth reservation system for efficient performance isolation in multi-core platforms." Proc. RTAS, 2013.[16] Nowotsch, Jan, and Michael Paulitsch. "Quality of service capabilities for hard real-time applications on multi-core processors." Proc. RTNS, 2013.

25

• New scheduling theory on top of memory throttling [13,17]

– Respecting both memory budget and CPU scheduling

• Theory requires knowledge about memory access times

– Commonly done by assumption

– Sometimes by measurements on platform [11,13]

– Never done using validated analytical model

[11] Nowotsch, Jan, et al. "Multi-core interference-sensitive wcet analysis leveraging runtime resource capacity enforcement." Proc. ECRTS, 2014.[13] Yun, Heechul, et al. "Memory access control in multiprocessor for real-time systems with mixed criticality." Proc. ECRTS, 2012.[17] Behnam, Moris, et al. "Multi-core composability in the face of memory-bus contention." ACM SIGBED Review 10.3 (2013): 35-42.

26

• Measurement-based approaches offer pragmatic solution

• Possible to use measurement-based WCET tools

– E.g. RapiTime

– Measure your way around things you cannot model

• Stressing shared resources

– Possible using synthetic resource stressing tasks [18,19]

[18] Nowotsch, Jan, and Michael Paulitsch. "Leveraging multi-core computing architectures in avionics." Dependable Computing Conference (EDCC), 2012 Ninth European. IEEE, 2012.[19] Radojković, Petar, et al. "On the evaluation of the impact of shared resources in multithreaded COTS processors in time-critical environments." ACM Transactions on Architecture and Code Optimization (TACO) 8.4 (2012): 34.

27

COTS Analysis Methods

Introduction

Time-Predictable Hardware

Airbus isWCET Approach

Conclusions

28

CISTER’s Related Projects

• Setup

– Freescale P4080 multi-core platform

– SYSGO Pike OS operating system

– AbsInt aiT static analysis tool

– EEMBC Automotive benchmarks

• Approach [11]

– Individual core-local and interference analyses

– Separation of timing and resource analyses

[11] Nowotsch, Jan, et al. "Multi-core interference-sensitive wcet analysis leveraging runtime resource capacity enforcement." Proc. ECRTS, 2014.

29

• Core-local Analysis

time resources

30

• Core-local Analysis

31

time resources time resources time resources

…

• Core-local Analysis

• Interference Analysis

time resources time resources time resources

…

32

• Comparison to intuitive approaches

(minimum tmin and maximum tmax contention)

Benchmark Tmin[ms] Tmax[ms] Tis[ms]

cacheb 114 1996 493

iirflt 60 136 116

rspeed 233 4468 612

a2time 29 524 231

bitmnp 154 262 225

tblook 122 449 289

matrix 21 35 32

aifftr 11 11 11

33

• Dynamic adaptation of resource budgets based on actual progress

• Progress determined through monitoring

[16] Nowotsch, Jan, and Michael Paulitsch. "Quality of service capabilities for hard real-time applications on multi-core processors." Proc. RTNS, 2013.

34

COTS Analysis Methods

Introduction

Time-Predictable Hardware

Airbus isWCET Approach

Conclusions

35

CISTER’s Related Projects

• Increased integration drives transition to multi-core platforms

– Resource sharing causes interference between applications

– Nightmare w.r.t. certification

– Problem to isolate sharing applications and safely determine WCET

• Time-Predictable Platforms have been demonstrated

– Extremely robust partitioning and easy to determine WCET

– Difficult to get commercial uptake of technology

• Analysis of COTS systems active research topic

– Difficult to model analytically due to lacking openness

– Community is finding the right models/abstractions

– Most models remain unvalidated

– Alternative is to use measurement-based techniques

36