Principled Design of Embedded Software
Edward A. Lee
High Confidence Design for Distributed Embedded Systems, MURI Review
Project: Frameworks and Tools for High-Confidence Design of Adaptive, Distributed Embedded Control Systems (Vanderbilt, UC Berkeley, CMU, Stanford)
Berkeley, CA, September 6, 2007
Slide 2 (Lee, Berkeley): Overall Plan for “Principled Design of Embedded Software”

Build a “models to C” lab enabling experiments with:
- Models of concurrency and time
- Optimization based on partial evaluation

Create sampled-data models and translation to C with:
- Polled I/O
- Interrupt-driven I/O

Create event-driven models and translation to C with:
- Model of time
- Synthesized scheduling of reactions

Create distributed timed models and translation to C with:
- Host, supervisor, and controller interactions
- Time synchronization

Emphasis on repeatability and verifiability!

Status as of August 2007: Ptolemy II architecture with pluggable “helpers” for both directors and actors. Demo on iRobot Create and partially on Starmac Robostix.
Slide 3: STARMAC Electronics

Computing nodes:
- Robostix (Atmega128): low-level control
- Stargate 1.0 (Intel PXA255, 64MB RAM, 400MHz): supervisor, GPS
- PC/104 (Pentium M, 1GB RAM, 1.8GHz): estimation and control

Sensors and actuators:
- ESC & motors: Phoenix-25, Axi 2208/26
- IMU: 3DMG-X1, 76 or 100 Hz
- Ranger: SRF08, 13 Hz, altitude
- GPS: Superstar II, 10 Hz
- Stereo camera: Videre STOC, 30 fps, 320x240
- LIDAR: URG-04LX, 10 Hz ranges
- Ranger: Mini-AE, altitude
- Beacon tracker/DTS: 1 Hz

Links shown in the diagram: WiFi b (≤ 5 Mbps), WiFi g+ (≤ 54 Mbps), I2C (400 kbps), PPM (100 Hz), UART (19.2 kbps, 115 kbps), CF (100 Mbps), Firewire (480 Mbps), USB, RS232, timing/analog.

Plan: start with the controller, expand to the supervisor, and finally to the host.
Slide 4: Approaches
1. Model the vehicle dynamics and develop the embedded control code to work with that model.
2. Model the controller and I/O and generate embedded C code from the model.
Slide 5: Simpler/Safer Testbed
We are using the iRobot Create (the platform for the Roomba vacuum cleaner) with a pluggable Command Module containing an Atmel microcontroller similar to the Starmac's to shake out the code generation techniques.
Slide 6: Model-to-C for the Controller
- Helper-based extensible open architecture.
- Helpers for SDF (synchronous dataflow), FSM (finite state machines) and HDF (hierarchical combinations of the two).
- Helpers for a fairly extensive actor library.
- Embedded C actors for custom, platform-specific code.
Figure: a simple iRobot example that hierarchically combines SDF and FSM, with custom C code.
Slide 7: A Software Architecture Built for Experimentation
- Each actor has a corresponding helper class which is responsible for generating the target code for that actor.
- Each director (which governs the interaction between actors) has a corresponding helper class for providing MoC-specific information and orchestrating the code generation for the model.
- The helper class hierarchy and package structure parallel those of the corresponding actors, to achieve modularity, maintainability, portability, efficiency and extensibility in code generation.
Figure: Actor ↔ Actor helper; Director ↔ Director helper.
Slide 8: Director Helper Enables Experimentation with Principles of Time and Concurrency for Embedded Systems
- SDF (Lee et al., Berkeley)
- Structured Dataflow (Kodosky et al., NI)
- Synchronous Languages (Berry, Caspi, Benveniste et al., France)
- Real-Time Workshop (Ciolfi et al., MathWorks)
- HDF (Lee et al., Berkeley)
- Koala (Ommering et al., Philips)
- Giotto (Henzinger et al., Berkeley)
- TinyOS (Culler et al., Berkeley)
- Click (Kohler et al., MIT)
- Ptides (Lee et al., Berkeley)
Slide 9: A Simple Actor Helper Example
Actor: ptolemy.actor.lib.Ramp.java
Java helper class: ptolemy.codegen.c.actor.lib.Ramp.java
C code template file: ptolemy.codegen.c.actor.lib.Ramp.c

    /***preinitBlock***/
    static int $actorSymbol(state);
    /**/

    /***initBlock***/
    $actorSymbol(state) = $val(init);
    /**/

    /***fireBlock***/
    $ref(output) = $actorSymbol(state);
    $actorSymbol(state) += $val(step);
    /**/
Slide 10: Principle of Partial Evaluation in Automatic Program Generation (Jones, Gomard, Sestoft 1993)

Figure: the partial evaluator “mix” takes the subject program p together with its static input in1 and produces the residual program p_in1; running p_in1 on the dynamic input in2 yields the same output as running p on both in1 and in2.

The strategy is to carry through all computations that depend only on static data at design time rather than at run time.
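The following C program, added here as an illustration and not taken from Ptolemy II's code generator, shows how the Ramp template of slide 9 and the partial-evaluation principle of slide 10 fit together. The "subject program" p is an interpretive Ramp that reads init and step from a parameter record on every firing; the residual program p_in1 is what remains once mix has folded the static parameter values (init = 1, step = 2 here) into the code, which is what the $val(init) and $val(step) macros accomplish. The expanded names Ramp_state, RAMP_INIT and RAMP_STEP, and the one-actor SDF schedule (preinit, init, fire n times), are assumptions of this example.

```c
/* Added example, not Ptolemy II's generated code.  Names such as
 * Ramp_state, RAMP_INIT and RAMP_STEP stand in for whatever
 * $actorSymbol(state), $val(init) and $val(step) would expand to. */
#include <stdio.h>

/* --- Subject program p: parameters are data looked up on every firing --- */
typedef struct { int init; int step; } ramp_params;  /* in1: the actor's parameters */
typedef struct { int state; } ramp_instance;

static void ramp_generic_init(ramp_instance *a, const ramp_params *p) {
    a->state = p->init;                 /* initBlock */
}
static int ramp_generic_fire(ramp_instance *a, const ramp_params *p) {
    int out = a->state;                 /* fireBlock: $ref(output) = $actorSymbol(state); */
    a->state += p->step;                /*            $actorSymbol(state) += $val(step); */
    return out;
}

/* --- Residual program p_in1: mix has folded the static input into the code --- */
#define RAMP_INIT 1                     /* $val(init), evaluated at design time */
#define RAMP_STEP 2                     /* $val(step), evaluated at design time */
static int Ramp_state;                  /* preinitBlock: static int $actorSymbol(state); */

static void ramp_residual_init(void) { Ramp_state = RAMP_INIT; }
static int  ramp_residual_fire(void)  { int out = Ramp_state; Ramp_state += RAMP_STEP; return out; }

/* One-actor SDF schedule: init, then fire n times.  Returns the last output. */
int generic_last_output(int init, int step, int n) {
    ramp_params p = { init, step };
    ramp_instance a;
    int out = 0;
    ramp_generic_init(&a, &p);
    for (int i = 0; i < n; i++) out = ramp_generic_fire(&a, &p);
    return out;
}
int residual_last_output(int n) {
    int out = 0;
    ramp_residual_init();
    for (int i = 0; i < n; i++) out = ramp_residual_fire();
    return out;
}

/* Specialization must preserve the model's semantics: the residual program
 * produces exactly the outputs the generic one produces with the same parameters. */
int outputs_agree(int n) {
    ramp_params p = { RAMP_INIT, RAMP_STEP };
    ramp_instance a;
    ramp_generic_init(&a, &p);
    ramp_residual_init();
    for (int i = 0; i < n; i++)
        if (ramp_generic_fire(&a, &p) != ramp_residual_fire()) return 0;
    return 1;
}

int main(void) {
    printf("generic  : last of 5 firings = %d\n", generic_last_output(1, 2, 5));
    printf("residual : last of 5 firings = %d\n", residual_last_output(5));
    printf("agree over 20 firings: %s\n", outputs_agree(20) ? "yes" : "no");
    return 0;
}
```

The residual program no longer dereferences a parameter record or carries the parameter values in memory at all; every computation that depended only on static data has been done before the code was emitted, which is exactly the design-time/run-time split the slide describes.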
Slide 11: Next Steps
- Support interrupt-driven concurrency in generated code
- Create a model of time and microkernel support
- Implement a timed sampled-data MoC
- Create support for event-driven computation
- Implement PTIDES: a timed distributed run-time environment
- Implement timing verification based on the PTIDES formalism
Slide 12: PTIDES Builds on Principles of Discrete Event Modeling
- The DE Director implements timed semantics using an event queue.
- Figure: an event source emits a signal along a time line to reactive actors.
- Components send time-stamped events to other components, and components react in chronological order.
- Whereas DE is usually a simulation technology, we are using it as a real-time MoC.
Slide 13: Using DE Semantics in Distributed Real-Time Systems
- DE is usually a simulation technology. Distributing DE is done for acceleration.
- Hardware design languages (e.g. VHDL) use DE where time stamps are literally interpreted as real time.
- We are using DE for distributed real-time software, binding time stamps to real time only where necessary.
- Static analysis of models enables checking for schedulability and modeling errors.
- The formalism is built on an interface algebra for causality analysis.
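As an added example for slides 12 and 13, written for this page rather than taken from Ptolemy II's DE director or the PTIDES run time, the C program below is a minimal discrete-event scheduler: components exchange time-stamped events through one queue and react in chronological order, with a microstep to order simultaneous events. Only the actuator compares a time stamp with physical time, which is the sense in which time stamps are bound to real time only where necessary; every other reaction works purely in model time. The two actors (a delay actor feeding an actuator), the source's event times, the delay value and the per-reaction execution cost are constructed for this illustration.

```c
/* Added example, not Ptolemy II's DE director or the PTIDES run time. */
#include <stdio.h>

#define MAX_EVENTS 64
#define MAX_TRACE  64

enum { ACTOR_DELAY = 0, ACTOR_ACTUATOR = 1 };   /* constructed actors */

typedef struct {
    double   timestamp;   /* model time at which the event occurs */
    int      microstep;   /* orders simultaneous events (same time stamp) */
    unsigned seq;         /* insertion order: deterministic final tie-break */
    int      dest;        /* receiving actor */
    int      value;
} de_event;

typedef struct {
    de_event events[MAX_EVENTS];
    int      n;
    unsigned next_seq;
} event_queue;

/* Earlier time stamp first, then lower microstep, then insertion order. */
static int event_before(const de_event *a, const de_event *b) {
    if (a->timestamp != b->timestamp) return a->timestamp < b->timestamp;
    if (a->microstep != b->microstep) return a->microstep < b->microstep;
    return a->seq < b->seq;
}

static int eq_push(event_queue *q, double t, int microstep, int dest, int value) {
    if (q->n >= MAX_EVENTS) return 0;
    de_event e = { t, microstep, q->next_seq++, dest, value };
    q->events[q->n++] = e;
    return 1;
}

/* Remove and return the earliest event; a linear scan keeps the example short. */
static int eq_pop(event_queue *q, de_event *out) {
    if (q->n == 0) return 0;
    int best = 0;
    for (int i = 1; i < q->n; i++)
        if (event_before(&q->events[i], &q->events[best])) best = i;
    *out = q->events[best];
    q->events[best] = q->events[--q->n];
    return 1;
}

typedef struct {
    double trace[MAX_TRACE]; /* time stamps delivered to the actuator, in order */
    int    delivered;
    int    deadline_misses;  /* actuator events whose time stamp had already passed */
} run_result;

/* Model: a source emits events at model times 0, 1, 2 into a delay actor, which
 * re-emits each event to the actuator with time stamp t + delay (a zero delay
 * advances the microstep instead).  Each reaction costs exec_cost units of
 * physical time, and the actuator treats an event's time stamp as its deadline. */
run_result run_model(double delay, double exec_cost) {
    run_result r;
    event_queue q;
    double physical_time = 0.0;
    de_event e;

    r.delivered = 0;
    r.deadline_misses = 0;
    q.n = 0;
    q.next_seq = 0;
    for (int t = 0; t < 3; t++) eq_push(&q, (double)t, 0, ACTOR_DELAY, t * 10);

    while (eq_pop(&q, &e)) {                            /* chronological order */
        physical_time += exec_cost;                     /* reacting takes time */
        if (e.dest == ACTOR_DELAY) {
            int ms = (delay == 0.0) ? e.microstep + 1 : 0;
            eq_push(&q, e.timestamp + delay, ms, ACTOR_ACTUATOR, e.value);
        } else {                                        /* ACTOR_ACTUATOR */
            if (r.delivered < MAX_TRACE) r.trace[r.delivered++] = e.timestamp;
            if (physical_time > e.timestamp) r.deadline_misses++;
        }
    }
    return r;
}

int count_deadline_misses(double delay, double exec_cost) {
    return run_model(delay, exec_cost).deadline_misses;
}
double delivery_time(double delay, double exec_cost, int i) {
    run_result r = run_model(delay, exec_cost);
    return (i >= 0 && i < r.delivered) ? r.trace[i] : -1.0;
}

int main(void) {
    run_result r = run_model(0.5, 0.1);
    for (int i = 0; i < r.delivered; i++) printf("actuator event at t=%.1f\n", r.trace[i]);
    printf("misses: exec_cost 0.1 -> %d, exec_cost 1.0 -> %d, zero delay -> %d\n",
           r.deadline_misses, count_deadline_misses(0.5, 1.0), count_deadline_misses(0.0, 0.1));
    return 0;
}
```

Two things the slides' prose states become visible by running this: the processing order is fixed by time stamps alone, not by when events were enqueued, and feasibility is a separate question answered only at the boundary with the physical world. With a delay of 0.5 and a cheap reaction every actuator event arrives before its deadline; make reactions expensive, or remove the delay entirely, and the actuator's time stamps are already in the past when they are delivered, which is the kind of condition the schedulability analysis on slide 13 is meant to catch statically.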
Slide 14: PTIDES: Our Proposed Event-Driven Model of Computation for Distributed Real-Time Systems
- See “A Programming Model for Time-Synchronized Distributed Real-Time Systems”, Yang Zhao, Jie Liu, and Edward A. Lee, RTAS ’07.
- PTIDES combines naturally with modal models, lending itself to state-based verification methods that validate timing properties.
Slide 15: PTIDES: Programming Temporally Integrated Distributed Embedded Systems
- Being explicit about timing means that we can analyze control system dynamics…
- The system is stable if …
- Figure: feedback through the physical world.
Slide 16: From Our Annual Report: Objective 2
“Develop foundations of model-based software design for high-confidence, networked embedded systems applications. We will investigate new semantic foundations for modeling languages and model transformations, precisely architected software and systems platforms that guarantee system properties via construction, and new methods for static source code verification and testing, as well as for dynamic runtime verification and testing.”
“We have been implementing a high-confidence code generator for the Ptolemy II actor languages using partial evaluation mechanisms. The code generator transforms an actor-oriented model into target code while preserving the model's semantics.”
Slide 17: From Our Annual Report: Objective 3
“Develop a composable tool architecture that supports high-level reusability of modeling, model analysis, verification and testing tools in domain-specific tool chains. We create a new foundation for tool integration that goes beyond data modeling and data transfer.”
“We have developed PTIDES: Programming Temporally Integrated Distributed Embedded Systems. For components for embedded systems, we have further refined the Ptolemy II code generation environment and are targeting the quadrotor effort.”
Slide 18: From Our Annual Report: Objective 4
“Demonstrate the overall effort by creating an end-to-end design tool chain prototype for the model-based generation and verification of embedded controller code for experimental platforms.”
“We have begun the process of interfacing the Ptolemy toolkit with the embedded software control architecture on board our autonomous quadrotor aircraft.”