4.6 Conclusion
We have provided a framework that allows the modeling and analysis of a variety of schedulability scenarios. In particular, our framework supports multi-processor systems, rich task-models with timing uncertainties in arrival and execution times, possible dependencies, a range of scheduling policies, and possible preemption of resources. The support of an approximate analysis of stopwatch automata in UPPAAL 4.1 is key to the successful schedulability analysis.
Furthermore, the uncertainty on the periods used in our framework could be generalized to more general task-arrivals where a separate process determines the arrival of tasks. Such situations can be modeled using the structure of our framework by letting the starting of periods be dictated through channel synchronization with the model controlling arrival times. Even with such liberty, the overapproximation is still finite and the termination is guaranteed.
The scheduling framework provided in this chapter is structured such that an adaptation can be made to accommodate other scheduling policies and inter-task constraints. The former can be achieved by adding another policy model similarly to the three built-in policies, FIFO, FPS, and EDF. The latter is achieved through the use of the function calls new_period, dependencies_met, and completed.
Acknowledgment
The authors would like to thank Marius Mikučionis for providing the format for listing UPPAAL code.
Modeling and Analysis Framework for Embedded Systems
Jan Madsen, Michael R. Hansen, and Aske W. Brekling
CONTENTS
5.1 Introduction
5.2 Motivation
5.3 Embedded Systems Model
5.3.1 Application Model
5.3.2 Execution Platform Model
5.3.2.1 Processing-Element Model
5.3.2.2 Network Model
5.3.3 Task Mapping
5.3.4 Memory and Power Model
5.4 Model of Computation
5.5 MoVES Analysis Framework
5.6 Using the MoVES Analysis Framework
5.6.1 Simple MultiCore Embedded System
5.6.2 Smart Phone, Handling Large Models
5.6.3 Handling Nondeterministic Execution Times
5.6.4 Stopwatch Model
5.7 Summary
Acknowledgments
References
5.1 Introduction
Modern hardware systems are moving toward execution platforms made up of multiple programmable and dedicated processing elements implemented on a single chip, known as a multiprocessor system-on-chip (MPSoC). The different parts of an embedded application are executing on these processing elements, but the activities of mapping the parts of an embedded program onto the platform elements are nontrivial. First of all, there may be various and often conflicting resource constraints. The real-time constraint, for example, should be met together with constraints on the uses of memory and energy. There also are huge varieties in the freedom of choices in the mapping of an application to a platform because there are many ways to partition an embedded program into parts, there are many ways these parts can be assigned to processing elements, and there are many ways each processing element can be set up.
As embedded systems become more complex, the interaction between the application and the execution platform becomes more incomprehensible, and problems such as memory overflow, data loss, and missed deadlines become more likely. In the development phase, it is not enough to simply look at the different layers of the system independently, as a minor change at one layer can greatly influence the functionality of other layers. The system-level verification of schedulability, upper limits for memory usage, and power consumption, taking all layers into account, have therefore become central fields of study in the design of embedded systems.
As many important design decisions are made early in the design phase, it is imperative to support the system designer at this level. This chapter presents an abstract embedded system model that is able to capture a set of applications executing on a multicore execution platform. The model of computation for such systems is formalized in [BHM08], which also contains a more refined formalization using timed automata. This refinement into timed automata, which is implemented using UPPAAL [BDL04], gives the ability to model check properties of timing, memory usage, and power consumption.
In order to support designers of industrial applications, the timed-automata model is hidden from the user, allowing the designer to work directly with the abstract system-level model of embedded systems. As outlined in Figure 5.1, the designer provides an application consisting of a set of task graphs, an execution platform consisting of processing elements interconnected by a network, and a mapping of tasks to processing elements. The system model is then translated into a timed-automata model that enables schedulability analysis as well as verification that memory usage and power consumption are within certain limits. In the case where a system is not schedulable, the tool provides useful information about what caused the missed deadline. We do not propose any particular methodology for design space exploration, but provide an analysis framework, MoVES, where embedded systems can be modeled and verified in the early stages of the design process. Thus, the MoVES analysis framework provides tool support for system designers to explore alternatives in an easy and efficient manner.
FIGURE 5.1
Overview of the MoVES analysis framework. [Diagram labels: Application model; Platform model; Mapping; Queries; Model generation; UPPAAL model; Diagnostic trace; Trace converter; Schedule.]

An important aspect in the design of MoVES is to provide an experimental framework, supporting easy adaptability of the “core model” to capture energy and memory considerations for example, or to experiment with, say, new principles for task scheduling and allocation. Furthermore, the MoVES analysis framework is equipped with different underlying UPPAAL models, aiming at an efficient verification in various situations. For the moment, we are operating with the following underlying models for
• Schedulability analysis in connection with worst-case execution times only
• Schedulability analysis for the full core model (including best- and worst-case execution times)
• Schedulability analysis addressing memory and energy issues as well
• Schedulability analysis for the full core model on the basis of stopwatch automata. This analysis approach is based on overapproximations, but it has provided exact results in the experiments carried out so far and it appears to be the most efficient UPPAAL implementation
The chapter is organized as follows. First, we motivate the modeling and analysis of multi-core embedded systems. We then present an embedded system model that consists of an application model, an execution platform model, and a system model, which is a particular mapping of the application onto the execution platform. For an embedded system, we give an informal presentation of the model of computation. We then outline how the model has been captured using timed automata. Finally, we present how the MoVES analysis framework can be used to verify properties of an embedded system through a number of examples, including a smart phone example, showing the ability to handle systems of realistic sizes.
5.2 Motivation
In this work, we aim at models and tools for analysis of properties that must be considered when an application is mapped to an execution platform. Such models are called system models [PHL+01] as they comprise a model for the application executing on the platform, and the analysis of such systems is called “cross-layer analysis” as it deals with problems where decisions concerning one layer of abstraction (for instance, concerning the scheduling principle used in a processing element) have an influence on the properties at another level of abstraction (for instance, a task is missing a deadline). One particular challenge of multi-core systems is that of “multiprocessing timing anomaly” [Gra69], where the system is exhibiting a counterintuitive timing behavior.
Example 5.1 To illustrate this challenge, consider the simple example in Figure 5.2, where the application is specified by five cyclic tasks, τ1, ..., τ5, that are mapped onto three processing elements, pe1, pe2, and pe3. The best- and worst-case execution times for each task (bcet and wcet, respectively) are shown in Table 5.1.

FIGURE 5.2
[Diagram labeled “System model”: tasks τ1 to τ5; os1/pe1, os2/pe2, os3/pe3.]

TABLE 5.1
Characterization of Tasks, for Example, in Figure 5.2
Columns: Task; Execution Time (bcet, wcet); Processor

There are causal dependencies between tasks. For example, τ1 must finish before τ2 can start. We want to find the shortest period where all tasks meet their deadlines and analyze two different runs corresponding to two possible execution times for τ1 in Figures 5.3 and 5.4, one where the “best-case execution time”, bcet = 2, is chosen for τ1 and another where the “worst-case execution time”, wcet = 4, is chosen.

FIGURE 5.3
Execution time for τ1 is 2

FIGURE 5.4
Execution time for τ1 is 4

In both runs, τ1 and τ3 are executing on pe1 and pe3, respectively, in the first time step, where no task is executing on pe2 because of the causal dependencies. The later time steps have similar explanations. Observe that the shortest possible period is π = 8, corresponding to the case where the best-case execution time, bcet_τ1 = 2, is chosen for τ1. Thus, an analysis based on the worst-case execution time, wcet_τ1 = 4, would, in this case, not lead to the worst-case scenario. This is an example of a “multiprocessing timing anomaly” [Gra69] exhibiting a counterintuitive timing behavior. A locally faster execution, either by making the processor faster or by making the algorithm more efficient, may lead to an increase in the execution time of the whole system. The presence of such behavior makes multiprocessor timing analysis particularly difficult [RWT+06].

It is easy to check that a period π = 6 can be achieved for this application, simply by changing the priorities so that τ4 gets a higher priority than τ2. But the problems cannot get much larger than the one in Figure 5.2 before the consequences of design decisions cannot be comprehended, and it is necessary to have tool support for the “design space exploration” [HFK+07,PEP06].
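The anomaly and the priority fix in Example 5.1 can be reproduced with a small simulation. This is an added example, not code from the chapter or from MoVES: the dependency graph, the mapping, and every execution time other than τ1's 2 and 4 are constructed for illustration (they are not the values of Table 5.1), and it assumes non-preemptive, work-conserving fixed-priority scheduling, with the completion time of one period standing in for the period.

```python
from math import inf

# Constructed task set (assumption, not Table 5.1):
# task -> (processing element, predecessors, execution time); t1's time is a parameter.
def build_tasks(exec_t1):
    return {
        "t1": ("pe1", [], exec_t1),
        "t2": ("pe2", ["t1"], 2),
        "t3": ("pe3", [], 2),
        "t4": ("pe2", ["t3"], 2),
        "t5": ("pe3", ["t4"], 2),
    }

def completion_time(exec_t1, priority):
    """Run one period under non-preemptive fixed-priority scheduling.

    priority lists task names from highest to lowest priority.
    Returns the time at which the last task finishes.
    """
    tasks = build_tasks(exec_t1)
    finish = {}                                   # task -> finish time, set when it starts
    free_at = {pe: 0 for pe, _, _ in tasks.values()}
    t = 0
    while len(finish) < len(tasks):
        for pe in free_at:
            if free_at[pe] > t:
                continue                          # element is still running a task
            ready = [name for name, (where, deps, _) in tasks.items()
                     if where == pe and name not in finish
                     and all(finish.get(d, inf) <= t for d in deps)]
            if ready:
                chosen = min(ready, key=priority.index)
                finish[chosen] = t + tasks[chosen][2]
                free_at[pe] = finish[chosen]
        t += 1
    return max(finish.values())

T2_FIRST = ["t1", "t2", "t3", "t4", "t5"]         # t2 outranks t4 on pe2
T4_FIRST = ["t1", "t4", "t3", "t2", "t5"]         # priorities of t2 and t4 swapped

if __name__ == "__main__":
    print("t1 takes 4, t2 first:", completion_time(4, T2_FIRST))
    print("t1 takes 2, t2 first:", completion_time(2, T2_FIRST))
    print("t1 takes 2, t4 first:", completion_time(2, T4_FIRST))
```

With these constructed values the faster τ1 lets τ2 occupy pe2 just as τ4 becomes ready, which delays the τ4, τ5 chain; giving τ4 the higher priority removes the delay for both execution times of τ1.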
5.3 Embedded Systems Model
In this section, we present a system-level model of an embedded system inspired by ARTS [MVG04,MVM07]. Such a model can be described as a layered structure consisting of three different parts. Figure 5.5 illustrates