Synchronous Programming Techniques for Embedded Systemsis.ifmo.ru/present/_berry-wabp.pdf · 2019....
Transcript of Synchronous Programming Techniques for Embedded Systemsis.ifmo.ru/present/_berry-wabp.pdf · 2019....
G. Berry, CSR 2006 - 1© Esterel Technologies 2006
Synchronous Programming Techniques
for Embedded Systems
Chief Scientist
www.esterel-technologies.com
Gérard Berry
G. Berry, CSR 2006 - 2© Esterel Technologies 2006
• 1982-1985 : first ideas, languages, and semanticsEsterel (Berry – Rigault, Sophia-Antipolis)
Lustre (Caspi – Halbwachs, Grenoble)
Signal (Benveniste – Le Guernic, Rennes)
• 1985-1995 : more languages, semantics, compiling & verificationSyncCharts (André), Reactive C (Boussinot), TCC (Saraswat)
causality analysis (Gonthier, Shiple)
links to dataflow (Ptolemy), to hardware (Vuillemin), etc.
formal verification techniques (Madre & Coudert, Touati)
• 1995 –2000 : maturation, industrial experimentationactive international research (Edwards, Schneider, Ramesh, etc.)
applications: avionics, nuclear plant safety, telecom, robotics
• 2000-2006 : industrial expansionmajor standard in avionics, expanding in rail, automotive, etc.
hardware circuit design
G. Berry, CSR 2006 - 3© Esterel Technologies 2006
• computers + SoCs = hardware / software mix
• complete change in device interaction
• ever-growing number of critical applications
Beware of the computer!
G. Berry, CSR 2006 - 4© Esterel Technologies 2006
flight-control, engines, brakes, fuel, power, climate
safety-critical => certification
trajectory, attitude, image, telecom
mission-critical => very high quality
telephone, audio, TV, DVD, games
business critical => time-to market + quality
pacemakers, diabet control, robot surgeons
life-critical => TBD (!)
Applications and Constraints
G. Berry, CSR 2006 - 5© Esterel Technologies 2006
Global Coordination
ABS
Panel
Engine control
Radio
Light control
Supension
Gearbox
Clutch
Airbags
Direction
Air Con
Sleep
detector
Radar
Alarm detectionAutomatic
toll
GPS
ABS
Panel
Engine control
Radio
Light control
Supension
Gearbox
Clutch
Airbags
Direction
Air Con
Sleep
detector
Radar
Alarm detectionAutomatic
toll
GPS
Bugs grow faster than Moore’s law
!
G. Berry, CSR 2006 - 6© Esterel Technologies 2006
How to avoid or control bugs?
• Traditional : better verification by fancier simulation
• Next step : better design
better and more reusable specifications
simpler computation models, formalisms, semantics
reduce architect / designer distance
reduce hardware / software distance
• Mandatory: better tooling
synthesis from high-level descriptions
formal property verification / program equivalence
certified libraries
G. Berry, CSR 2006 - 7© Esterel Technologies 2006
Embedded Modules Anatomy
• CC : continuous control, signal processing
differential equations, digital filtering
specs and simulation with Matlab / Scilab
• FSM : finite state machines (automata)
discrete control, protocols, security, displays, etc.
flat or hierarchical FSMs
• Calc : heavy calculations
navigation, encryption, image processing
C + libraries
• Web : HMI, audio / video
user interaction / audio / vidéo
data flow networks, Java
G. Berry, CSR 2006 - 8© Esterel Technologies 2006
Global Coordination
ABS
Panel
Engine control
Radio
Light control
Supension
Gearbox
Clutch
Airbags
Direction
Air Con
Sleep
detector
Radar
Alarm detectionAutomatic
toll
GPS
ABS
Panel
Engine control
Radio
Light control
Supension
Gearbox
Clutch
Airbags
Direction
Air Con
Sleep
detector
Radar
Alarm detectionAutomatic
toll
GPS
G. Berry, CSR 2006 - 9© Esterel Technologies 2006
Global Coordination : Calc+CC+FSM
FSM
CC+Calc+FSM
CC + FSM
FSM
CC+FSM
CC+Calc+FSM
CC+FSM
CC+FSM
CC+FSM
CC+FSM
Calc+FSM
Calc
CC+FSMFSM
Calc+FSM
CC+FSM
G. Berry, CSR 2006 - 10© Esterel Technologies 2006
Key Computation Principles
• Concurrency is fundamentalimplicit in CC, audio / video, protocols, etc.
also mandatory for Web and Calc
• Determinism is fundamentalimplicit for CC and FSM
who would drive a non-deterministic car?
can be relaxed for Web, infotainment, etc.
• Physical distribution becomes fundamentalseparation of functions, links between them
redundancy for fault-tolerance
global time needed for distributed control
G. Berry, CSR 2006 - 11© Esterel Technologies 2006
The Classical Software Development
Model is Inadequate
• Turing complete => too rich, too hard to check
• OS- or thread-based concurrency => too hard too check
interference, non-determinism
• CC implementation too indirect (manual action scheduling)
• Inadapted to circuit design (except for filters)
G. Berry, CSR 2006 - 12© Esterel Technologies 2006
The Classical Hardware Development
Model becomes Inadequate
• Structural RTL descriptions hide behavior dynamics
• HDLs inadequate for software
• Concurrency OK, but sequencing very indirect
• Quite old language basis, semantics too vague
⇒ much simpler models are needed
that reconcile sequencing and concurrency
G. Berry, CSR 2006 - 13© Esterel Technologies 2006
Concurrency : the compositionality principle
P
Q
R
P||Q
G. Berry, CSR 2006 - 14© Esterel Technologies 2006
P
Q
R
t
d
t’
t’’
t ~ t + t
t’’ = t + d + t’
t’’ ~ t ~ d ~ t’
P||Q
G. Berry, CSR 2006 - 15© Esterel Technologies 2006
Only 3 solutions :
• t arbitrary asynchrony
• t = 0 synchrony
• t predictable vibration
G. Berry, CSR 2006 - 16© Esterel Technologies 2006
Arbitrary Delay : Brownian Motion
Chemical reaction
H+
H+
Cl_ H+
Cl_
Cl_
HCL
HCL
HCL
H+
Internet routing
H+ Cl_
HCL+
Models : Kahn networks, π-calculus, CHAM,Join-Calculus, Ambients, etc...
G. Berry, CSR 2006 - 17© Esterel Technologies 2006
Kahn Networks
nodes = deterministic programs
arrows = infinite fifos
• result-dterministic (independent of computation order)
• easy semantics by flow equations
• heavily used in streaming applications (audio, TV)
G. Berry, CSR 2006 - 18© Esterel Technologies 2006
Concurrency + Determinism
Calculations are feasible
Zero delay example:
Newtonian Mechanics
G. Berry, CSR 2006 - 19© Esterel Technologies 2006
Refer to a fabulous drawing of Hergé’s
"On a Marché sur la Lune", in English
"Explorers on the Moon". French edition, page 10,
first drawing.
Drunk Captain Haddock has become a satellite
of the Adonis asteroid. To catch him, Tintin,
courageously standing on the rocket's side,
asked Pr. Calculus to start the rocket's atomic engine.
At precisely the right time, he shouts "STOP"!
This is the trickiest real-time manoeuver ever
performed by man. It required a perfect understanding
of Newtonian Mechanics and absolute synchrony.
The most difficult real-time manoeuver ever
G. Berry, CSR 2006 - 20© Esterel Technologies 2006
Refer to the 3rd
drawing of page 10 of
"Explorers on the Moon".
Tintin's manoeuver was
a perfect success, and
he now catches Haddock
with a lasso (highly non-
trivial in deep space!)
Digital synchronous circuits
the RTL zero-delay model
Synchronous languages
Esterel, Lustre, Signal, ...
Excellent abstract model
G. Berry, CSR 2006 - 21© Esterel Technologies 2006
trap HeartAttack in
|| run CheckHeart
exit HeartAttack
handle HeartAttack fo
run RushToHospital
end trap
abort
loop
abort run Slowly when 100 Meter ;
abort
every Step do
run Jump || run Breathe
end every
when 15 Second ;
run FullSpeed
each Lap
when 2 Lap
every Morning do
end every
G. Berry, CSR 2006 - 22© Esterel Technologies 2006
Nothing can illustrate vibration better than
Bianca Castafiore, Hergé's famous prima
donna. See [1] for details. The power of her
voice forcibly shakes the microphone and
the ears of the poor spectators.
[1] King's Ottokar Sceptre, Hergé, page 29,
last drawing.
t predictable : vibration
propagation of light, electrons, program counter...
G. Berry, CSR 2006 - 23© Esterel Technologies 2006
Bianca Castafiore singing for the King
Muskar XII in Klow, Syldavia. King's Ottokar
Sceptre, page 38, first drawing.
Although the speed of sounds is finite, it is
fast enough to look infinite. Full abstraction!
Full Abstraction
Specify with zero-delay
Implement with predictable delay
Control room size
If room is small enough,
predictable delay implements zero-delay
G. Berry, CSR 2006 - 24© Esterel Technologies 2006
Software Synchronous Systems
Cycle based
read inputs
compute reaction
produce outputs
Synchronous = 0-delay = within the same cycle
propagate control
propagate signals
No interference between I/O and computation
Room size control = Worst Case Execution Time (AbsInt)
G. Berry, CSR 2006 - 25© Esterel Technologies 2006
Lustre = Synchronous Kahn Networks
truet
otherwisetCount
EventiftCounttCountt
Count
=
−
+−=>∀
=
)(
),1(
,1)1()(,0
0)0(
Count = 0 ->
(if Event
then pre(Count)+1
else pre(Count)
A simple counter
G. Berry, CSR 2006 - 26© Esterel Technologies 2006
CC
FSM
SCADE
Certified compiler to C
Formal verification engine
G. Berry, CSR 2006 - 27© Esterel Technologies 2006
SCADE Suite™ Customers BaseCivilian Avionics� Aircraft Braking Systems� Airbus� Chengdu Aircraft Development & research Institute
� Chinese Aeronautical Radio Electronics Research Institute
� CMC Electronics Inc.� Dassault Aviation� Diehl Avionik Systeme GmH� Elbit Systems� Eurocopter� Honeywell� Flight Automatic Control Research Institute
� Liebherr-Aerospace� Messier-Bugatti� Nanjing University of Aeronautics and Aerospace
� Pratt & Whitney � Rockwell Collins� SAAB Aerospace� SAFRAN
� Seditec
� Smiths Aerospace
� Snecma Aerospace
� Thales Avionics
� Transiciel
� Turbomeca
Defense & Space� CAST 504th Institute
� CRIL Technology
� Dassault Aviation
� EADS Military
� EADS SD Electronics
� EADS Space Transportation
� Elbit Systems Ltd.
� ESA
� Eurocopter
� Hills US Air Force Base
� Hispano-Suiza
� Intertechnique
� Lockheed Martin
� MBDA
� NASA
� Rockwell Collins
� Rockwell Collins Flight Dynamics
� SAGEM
� Thales Airborne Systems
� Thales Communication
Energy &
Transportation
� Ansaldo Signal
� DS & S
� Framatome
� Schneider Electric
� Siemens Transp.
G. Berry, CSR 2006 - 28© Esterel Technologies 2006
SCADE Suite in the A380
• SCADE = Airbus corporate standard for all new airplanes developments
– Flight Control system
– Flight Warning system
– Electrical Load Management system
– Anti Icing system
– Braking and Steering system
– Cockpit Display system
– Part of ATSU (Board / Ground comms)
– FADEC (Engine Control)
– EIS2 : Specification GUI Cockpit:
– PFD : Primary Flight Display
– ND : Navigation Display
– EWD : Engine Warning Display
– SD : System Display
Flight ControlPrimary & Secondary
Commands
Anti IceControl Unit
FlightWarningSystem
Braking & SteeringControl Unit
G. Berry, CSR 2006 - 29© Esterel Technologies 2006
EUROCOPTER
• World leader in civilian helicopters
• Introduced SCADE Suite™ for EC135 and EC155 autopilotsEC135 and EC155 autopilots
• Results– 90% of the code with SCADE
– Development time divided by 2divided by 2
– (8 level A certifications by JAA : EC155, EC135, EC145; EC225 on-going)
– The entire modification cycle can be performed in < 48 h !
Photos courtesy of EUROCOPTER
G. Berry, CSR 2006 - 30© Esterel Technologies 2006
SCADE 6 : full data-flow / control-flow integration
IA4C_SYSTEM_OFF
THIRDCM_DISPLAY_CONTROLLER
TD
L_Display _Format
IgnoreCount
HUD_DISPLAY_CONTROLLEROUTER_DISPLAY_CONTROLLER
L_Display _Format
SUR
INNER_DISPLAY_CONTROLLER
SomeFormat
L_Display _Format L_Display _Format
1
SidedInnerDisplay
Right
Lef t
DisplaySide
1
grabSide
LOWER_DISPLAY_CONTROLLER
2
grabSide
L_Display _FormatL_Display _Format
HUDR_OK
HUDL_OKSomeFormat
2
SidedLowerDisplay
DisplaySide
CENTER_DISPLAY_CONTROLLER
init
LR_OK
LL_OK
OR_FORMAT
OL_FORMAT
Right
Lef t
SideStruct
HUDL_OK
HUDR_OK
SideStruct
IL_Format
OL_OK
OR_OK
IR_Format
2
PFDMaxFrom
IA4C_SYSTEM_OUT
L_Display _Format
2
grabFirst
SUR
CENTER
HUD
Default
LOG
A
DisplayPosition
<2> (
DisplayPosition
= CENTER)
<3> (
DisplayPosition
= LOWER)
<4> (
DisplayPosition
= INNER)
<5> (
DisplayPosition
= OUTER)
<1> (
DisplayPosition
= HUD)
<6> (
DisplayPosition
= THIRD)
<1> (
not
(IA4C))
<1> (
IA4C)
G. Berry, CSR 2006 - 31© Esterel Technologies 2006
Hardware Synchrony: the RTL model
TRY PASS
REQ OK
GET_TOKEN PASS_TOKEN
OK = REQ and GO
PASS = not REQ and GO
GO = TRY or GET_TOKEN
PASS_TOKEN = reg(GET_TOKEN)
GO
Room size control = timing closure
G. Berry, CSR 2006 - 32© Esterel Technologies 2006
Esterel v7 (Berry – Kishinevsky)
text + graphics, concurrency + sequencing
clear semantics
G. Berry, CSR 2006 - 33© Esterel Technologies 2006
Esterel Customer Consortium
• In 2001 Esterel Technologies formed a
consortium of leading Semiconductor
companies
– Strategic involvement
– Collaborative specification of the requirements
– Strong influence on roadmap
– Early adopters of Esterel Studio™
– Working with Esterel Technologies for IEEE standardization of the Esterel language
• 2005 observers: ARM, EVE, Synopsys
G. Berry, CSR 2006 - 34© Esterel Technologies 2006
Application Targets
• Bus interfaces and peripheral controllers
– Bus Bridge
– Serial ATA
– Secure Memory Card
– Video Controller
• Processor core peripherals
– Complex Instruction and Data Cache
– Arbiters
– Complex Power Management
– DMA
– Interrupt Controller
• Communication IPs
– Serial Controller
– HDLC
– Fast serial links (UART, Aurora)
– Bluetooth Call Control
– Ethernet MAC Controller
System bus
MemoryController
Arbitration
DSPCore
Processors
Bridge
SDCardI/F
UART
DMA
Peripheral bus
SRAM
Video IP
PowerMgt
GlueLogic
G. Berry, CSR 2006 - 35© Esterel Technologies 2006
The Usage Model
formal, readable,
animated specs
visualization-based
virtual prototypes
simulation
formal verification
certified
software code /
hardware circuit
full and faithful
doumentation
G. Berry, CSR 2006 - 36© Esterel Technologies 2006
Computer Science at Work
1. Language design & mathematical semanticsEsterel: imperative, SOS semantics (residuals)
constructive logic, proof networks
Lustre/SCADE: declarative, functional, denotational semantics
clock calculus = static type-check of dynamics
2. CompilingEsterel: translation to circuits (hardware)
translation to concurrent flow graphs (software)
Lustre/SCADE: clock calculus to drive expression execution
All: static scheduling of elementary actions
3. Formal Verification: properties and equivalenceforward / backward reachable state space analysis (BDDs)
SAT + numerical solving
Abstract Interpretation (Astrée, Cousot)
G. Berry, CSR 2006 - 37© Esterel Technologies 2006
nothing
pause
emit S
present S then p else q end
suspend p when S
p; q
loop p end
p || q
trap T in p end
exit T
signal S in p end
The Pure Esterel Kernel
0
1
! s
s ? p, q
s p
p; q
p
p | q
{p} p
k, k > 1
p \ s
U
*