1. From Models to Code: The Missing Link in Embedded Software Tom Henzinger University of California, Berkeley Joint work with Ben Horowitz and Christoph Kirsch

2. The History of Computer Science: Lifting the Level of Abstraction The “assembly age”: Programming to the platform High-level languages: Programming to the application Compilation: perhaps “the” success story of computer science It is feasible to abstract the platform.

3. The History of Computer Science: Lifting the Level of Abstraction The “assembly age”: Programming to the platform High-level languages: Programming to the application Automatic program synthesis: No more programming Compilation: perhaps “the” success story of computer science Code generation from specifications: still mostly a dream It is feasible to abstract the platform. It is not yet feasible to abstract algorithms.

4. Current Practice in Control Software Some manual programming to the platform Some automatic code generation from models -often inefficient -often unpredictable -difficult to reuse -difficult to verify -requires systems experts

5. Current Practice in Control Software Some manual programming to the platform Some automatic code generation from models The missing link: platform-independent software -often inefficient -often unpredictable -difficult to reuse -difficult to verify -requires systems experts

6. Advocated Practice in Control Software Executable code for a specific platform Mathematical model e.g. Simulink, HyTech Platform-independent software e.g. Giotto -verifiable -reusable -efficiently implementable Control engineer Compiler

7. Current Control Software Development Mathematical Model e.g. Simulink, HyTech Platform Constraints Executable Code -hardware configuration -RTOS (scheduling algorithm) -network protocol some automatic code generation, some manual code optimization -CONCURRENCY -ENVIRONMENT TIME -DISTRIBUTION -PLATFORM TIME

8. Current Control Software Development Mathematical ModelPlatform Constraints Executable Code Problems: -close correspondence between model and code is lost with code optimization -if either model or platform changes, the entire process needs to be repeated some automatic code generation, some manual code optimization

9. Mathematical Model Platform-independent Software Model e.g. Giotto Platform Constraints Executable Code -executable by virtual machine -composable An intermediate layer that separates platform-independent from platform- dependent software issues. Advocated Control Software Development

10. Mathematical Model Platform-independent Software Model Platform Constraints Executable Code e.g. What is the control equation? What is the sampling rate? e.g. Which procedure computes the control equation? Which event triggers the computation? e.g. Which CPU executes the control procedure? What priority has the execution? -still CONCURRENCY -still ENVIRONMENT TIME Advocated Control Software Development

11. Mathematical Model Platform-independent Software Model Platform Constraints Executable Code Platform-independent programming i.e. algorithms and data structures Platform-dependent code generation e.g. priorities SEPARATION OF CONCERNS !!! Advocated Control Software Development

12. Motivation: Flight Control Software ETH Zurich (Kirsch, Pree, Sanvido, Schaufelberger, Wirth). Single CPU.

13. Motivation: Flight Control Software UC Berkeley (Horowitz, Liebman, Ma, Koo, Sangiovanni-Vincentelli, Sastry). Two connected CPUs.

14. Motivation: Flight Control Software

15. 200 Hz 400 Hz 200 Hz 1 kHz Motivation: Flight Control Software

16. 1. Concurrent periodic tasks: -sensing -control law computation -actuating 2. Multiple modes of operation: -navigational modes (autopilot, manual, etc.) -maneuver modes (taxi, takeoff, cruise, etc.) -degraded modes (sensor, actuator, CPU failures) Platform-independent Software Model

17. Mode 1 Mode 4Mode 3 Mode 2 Task S 400 Hz Task C 200 Hz Task A 1 kHz Task S 400 Hz Task C 200 Hz Task A’ 1 kHz Task C’ 100 Hz Task A 1 kHz Task S 400 Hz Task C 200 Hz Task A 2 kHz Task A” 1 kHz Condition 1.2 Condition 2.1 Platform-independent Software Model

18. Host code e.g. C Glue code Giotto Functionality. -Environment time, not platform time. -Concurrency, not distribution. Platform-independent Software Model Timing and interaction. This kind of software is understood: Host code may (sometimes) be generated automatically. The software complexity lies in the glue code (minimize jitter!) : Giotto enables requirements-driven rather than platform-driven glue-code programming. -No time. -Sequential.

19. 1. The Giotto Programmer’s Model 2. The Giotto Compiler

20. The Giotto Programmer’s Model Programming in terms of environment time: Programmer’s fiction: -time-triggered task invocation -tasks are functions with a fixed duration -platform offers sufficient performance Implementation in terms of platform time: Compiler must maintain programmer’s fiction: -needs access to global time, no other platform requirements -tasks may finish early, but outputs cannot be observed early -tasks may be preempted and distributed

21. Given: 1. Units of scheduled host code (application-level tasks). e.g. control law computation 2. Units of synchronous host code (system-level drivers). e.g. device drivers 3. Real-time requirements and data flow between tasks. Giotto: Glue code that calls 1. and 2. in order to realize 3. Task Input portsOutput ports Task Task driver loads task input ports. The Giotto Programmer’s Model

22. Task Driver Input ports loaded. Driver execution in environment time 0. Task execution in environment time d. Output ports read. Sensor/output ports read. Sensor Actuator Actuator/input ports loaded. Time t Time t+d d Task duration Environment Timeline (defined by Giotto semantics)

23. Task Driver Input ports loaded. Output ports read. Sensor Time t Time t+d d Task on CPU. Actuator Platform Timeline (chosen by Giotto compiler)

24. The Giotto compiler chooses for a given platform a platform timeline that is value equivalent to the environment timeline defined by the Giotto semantics. Internal Determinism: For a given sequence of sensor readings, the corresponding sequence of actuator settings is uniquely determined (i.e., there are no race conditions). Platform Independence ensures Predictability

25. Navigation Control Simplified Helicopter Software Sensors Actuators i s a 10 5

26. Navigation Control Simplified Helicopter Software Sensors Actuators i s a 10 5 Matlab/legacy design

27. aia t+10ms s Task Navigation Control t+10ms tt t+5ms i ss Helicopter Software: Environment Timeline Block of synchronous code (nonpreemptable) Scheduled tasks (preemptable)

28. t+10ms Task t+10ms tt t+5ms Single-CPU Helicopter: Platform Timeline (EDF)

29. t+10ms ttt+5ms t+7ms HeliCtr HeliNav TDMA Slot HeliNet Two-CPU Helicopter: Platform Timeline (Time-triggered Communication)

30. t+10mstt t+5ms HeliCtr HeliNav Message HeliNet Two-CPU Helicopter: Platform Timeline (Event-triggered Communication) t+10ms

31. sensor gps_type GPS uses c_gps_device ; actuator servo_type Servo := c_servo_init uses c_servo_device ; output ctr_type CtrOutput := c_ctr_init ; nav_type NavOutput := c_nav_init ; driver sensing (GPS) output (gps_type gps) { c_gps_pre_processing ( GPS, gps ) } task Navigation (gps_type gps) output (NavOutput) { c_matlab_navigation_code ( gps, NavOutput ) } … Helicopter Software: Giotto Syntax (Functionality)

32. … mode Flight ( ) period 10ms { actfreq 1 do Actuator ( actuating ) ; taskfreq 1 do Control ( input ) ; taskfreq 2 do Navigation ( sensing ) ; } … Helicopter Software: Giotto Syntax (Timing)

33. Mode Switch f hg f 2.55 10 Mode m Mode m’ d d’ p  s 5

34. ppd Task g f Mode Switch @ t+5ms Time Mode Switch: Environment Timeline

35. pdp Mode Switch finished @ t+5ms Task g f Time s Mode Switch: Environment Timeline

36. d’pdp Task g f Time t+5ms s Mode Switch: Environment Timeline

37. pdsphd’ Task g f Time t+7.5mst+5ms Mode Switch: Environment Timeline

38. sdppd’ t+10ms hd’h Task g f Mode Switch: Environment Timeline t+10ms

39. 1. The Giotto Programmer’s Model 2. The Giotto Compiler

40. The Giotto Compiler Giotto Program Native Code Tasks and Drivers Giotto-P Platform Specification -topology (CPUs, nets) -performance (WCETs, latencies) -APIs (RTOSs, protocols) Executables Giotto Compiler Functionality Timing Interaction Platform “Failure” either Giotto-P overconstrained, or compiler not smart enough (distributed scheduling problem) or

41. Closing the Gap: Annotated Giotto Giotto Program Native Code Tasks and Drivers Giotto-P -topology (CPUs, nets) -performance (WCETs, latencies) -APIs (RTOSs, protocols) Executables Giotto Compiler Functionality Timing Interaction Platform “Failure” either Giotto-PM overconstrained, or compiler not smart enough (global scheduling problem) or Giotto-PM -assign tasks to CPUs -assign connections to nets Map

42. Closing the Gap: Annotated Giotto Giotto Program Native Code Tasks and Drivers Giotto-P Executables Giotto Compiler Functionality Timing Interaction Platform “Failure” Giotto-PMC overconstrained (local scheduling problems solvable) or Giotto-PM Map Giotto-PMC Communication -assign connections to TDMA slots (say) -topology (CPUs, nets) -performance (WCETs, latencies) -APIs (RTOSs, protocols) -assign tasks to CPUs -assign connections to nets

43. Single-CPU Giotto Scheduling Why is it simple? -Static utilization test for each mode -Mode switches are memory-free Theorem: Given a Giotto program and WCETs for all tasks, it can be checked in quadratic time if an EDF scheduler meets all deadlines.

44. [ host HeliCtr address 192.168.0.1; host HeliNav address 192.168.0.2; network HeliNet address 192.168.0.0 connects HeliCtr, HeliNav ] … mode Flight ( ) period 10ms { actfreq 1 do Actuator ( actuating ) ; taskfreq 1 do Control ( input ) [ host HeliCtr ] ; taskfreq 2 do Navigation ( sensing ) [host HeliNav; push ( NavOutput ) to ( HeliCtr ) in HeliNet slots (7,10) ] ; } … Two-CPU Helicopter: Annotated Giotto (Time-triggered Communication)

45. Code Generation Giotto Program Native Code Tasks and Drivers Giotto-P Giotto Compiler Functionality Timing Interaction Platform Giotto-PM Map Giotto-PMC Communication -assign connections to TDMA slots (say) -topology (CPUs, nets) -performance (WCETs, latencies) -APIs (RTOSs, protocols) -assign tasks to CPUs -assign connections to nets or “Failure” VxWorksOSEK …

46. Code Generation: The Embedded Machine Giotto Program Native Code Tasks and Drivers Giotto-P Embedded Machine code Giotto Compiler Functionality Timing Interaction Platform or Giotto-PM Map Giotto-PMC Communication -assign connections to TDMA slots (say) -topology (CPUs, nets) -performance (WCETs, latencies) -APIs (RTOSs, protocols) -assign tasks to CPUs -assign connections to nets “Failure” Embedded Machine interpreter

47. The Embedded Machine -a virtual machine that mediates the interaction of physical processes (sensors and actuators) and software processes (tasks and drivers) in real time -the Giotto compiler can be retargeted to a new platform by porting the Embedded Machine

48. Environment Software Software Processes: platform time Environment Processes: environment time The Embedded Machine

49. Environment Software Schedulability Reactivity The Embedded Machine The Art of Embedded Programming

50. Environment Software Schedulability: time safety checking for platform time Reactivity: programming in environment time (e.g. Giotto) The Embedded Machine: Time is like Memory Embedded Machine

51. Environment Ports Task Ports Driver Ports Embedded Machine task triggers environment triggers sense actuate read write call drivers The Embedded Machine schedule tasks e.g. clock e.g. task completion

52. Enable trigger: future( g,B:) B: Schedule task: schedule( T ) T Call driver: call( d ) d g The Embedded Machine: Three Instructions Execute driver d now. Hand task t over to the system scheduler (RTOS). Have code B executed as soon as trigger g becomes true.

53. ai a t+10ms s Task Navigation Control t+10ms ttt+5ms i ss B1:call( actuate ) call( sense ) call( input ) schedule( Control ) schedule( Navigation ) future( now+5, B2:) relax Giotto Code Generation: The Embedded Machine

54. ai a t+10ms s Task Navigation Control t+10ms tt t+5ms i ss B2:call( sense ) schedule( Navigation ) future( now+5, B1:) relax Giotto Code Generation: The Embedded Machine

55. The Embedded Machine Synchronous code: -Embedded Machine instructions and drivers -kernel context (trigger-related interrupts disabled) Scheduled code: -tasks -user context (trigger-related interrupts enabled)

56. The Embedded Machine Task-triggered code: -triggers on environment and task ports -observable behavior depends on environment and scheduler Environment-triggered code: -triggers only on environment ports -observable behavior depends on environment only All Giotto programs result in environment-triggered code.

57. The Embedded Machine Time-safe code: No driver accesses a scheduled task before completion. Time-live code: There is no infinite synchronous computation. All Giotto programs result in time-live code. Time safety is checked by the Giotto compiler. Alternatively, time safety violations can be can be handled through run-time exceptions.

58. The Embedded Machine Time Safety: Violations due to combination of -insufficient synchrony (environment events too frequent) -insufficient platform utilization (scheduler too weak) -insufficient platform performance (hardware too slow) Our approach therefore systematically integrates synchronous programming and scheduling theory.

59. The Giotto Project Completed: www.eecs.berkeley.edu/~tah/giotto -Software tools: Simulink to Giotto translator (Kirsch, Pree) Giotto compiler for single-CPU targets (Kirsch) Embedded Machine for Linux and VxWorks (Kirsch) -Applications: Lego Mindstorms (Horowitz, Kirsch, Majumdar) Zurich helicopter (Kirsch, Sanvido) In progress: -Software tools: Giotto scheduler for distributed platforms (Horowitz) Time safety checker for Embedded Machine code (Kirsch, Matic) -Applications: Berkeley helicopter (Horowitz, Liebman, Ma) Electronic throttle control (Kirsch)