Nicolescu/Model-Based Design for Embedded Systems 67842_C003 Finals Page 86 2009-10-13

messages that can arrive at ECU1. Using flat event models, we could only assume that every message contains a new signal for both receiving tasks, which results in a load of 91.58% of ECU1. With the HEM, we also obtain the maximum number of messages that contain a signal that was sent by task ctrl1 (marked by squares), and the maximum number of messages containing a signal from ctrl2 (marked by triangles). If we now use the timings of signal arrivals as activation timings of the receiving tasks, we obtain a much smaller load of only 45% for ECU1. Hence, the system is not only schedulable, but it also appears that the bus, with less than 50% utilization, still has sufficient reserves to accommodate the additional communication of the parking-assistant application, especially since the ESP communication is disabled during the time the parking assistant is enabled.

3.8.2 Analyzing Scenario 2

In Scenario 2, Sensors 1 and 2 are disabled, and therefore tasks mon1 and mon2 are never activated. Consequently, they will not send data to the tasks eval1 and eval2. The control tasks ctrl1 and ctrl2 are still executed and send their data to the execution tasks running on ECU1. Their local response times will slightly decrease, as there will now be no competition for the shared memory from the second core. On the CAN bus we have the two additional communication tasks C3 and C4, representing the communication of the parking-assistant application. When we analyze this system, we obtain a maximum latency of 22 ms for the path IP1 → IP2 and 131 ms for the path Sens3 → SigOut. Therefore, the system is also schedulable when only the parking-assistant application is running.

3.8.3 Considering Scenario Change

Having analyzed the two scenarios in isolation from each other, we neglected the (recurrent) transient overload that may occur during the SC. This may lead to optimistic analysis results. Thus, the SC analysis is needed to verify the timing constraints across the SC. In the first experiment, we perform an SC analysis assuming an "all scenarios in one" execution, that is, all tasks belonging to both scenario task sets are assumed to be able to execute simultaneously. We obtain a maximum latency of 59 ms for the path IP1 → IP2 and 151 ms for the parking-assistant application path (path Sens3 → SigOut). So, the system is not schedulable, since neither constraint is met. In the second experiment, we use the compositional scenario-aware analysis presented in Section 3.5.2 for the timing verification across the SC. We calculate a maximum latency of 39 ms for the path IP1 → IP2 and 131 ms for the parking-assistant application path. Thus, we notice that there is an improvement in the calculated maximum latencies of the constrained application paths. However, the path IP1 → IP2 slightly exceeds its constraint.

[Figure 3.13: One-dimensional slack of the resource speeds. Bar chart on a 0 to 1 scale showing, for BUS, ECU1, ECU2, ECU3, and ECU4, the initial value and the slack.]

3.8.4 Optimizing Design

As the design is not feasible in its current configuration, we need to optimize the latency of the critical path IP1 → IP2. For this, we can explore the priority configuration of the communication tasks on the CAN bus. This can be performed automatically on the basis of genetic algorithms (refer to [11] for details). A feasible configuration is obtained for the following priority order: C1 > C2 > C5 > C3 > C4. The obtained maximum latency of the path IP1 → IP2 is equal to 29 ms. Even though the maximum latency of the parking-assistant application increased from 131 to 138 ms, this is still less than the imposed constraint.
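The following Python script is an added illustration of the two design steps just described, the priority exploration on the CAN bus and the one-dimensional resource-speed slack of Section 3.6; it is not code from the chapter or from the SymTA/S tool. It reuses the message names C1 to C5 and the two path names from the text, but every transmission time, period and latency bound is constructed for the example, and the messages are assumed to be independently activated and jitter-free, so a path latency is simply the sum of the worst-case response times of its messages (the chapter's compositional analysis propagates output jitter instead). Response times follow the classic non-preemptive fixed-priority recurrence for CAN; with only five messages all 120 priority permutations can be enumerated, which replaces the genetic algorithm the chapter uses for larger design spaces. Exact rational arithmetic avoids floating-point artefacts at the speed threshold.

```python
from fractions import Fraction
from itertools import permutations
from math import floor

# Constructed CAN message set (times in ms); not the chapter's real parameters.
# name -> (transmission time C, minimum interarrival time T)
MESSAGES = {
    "C1": (2, 10),
    "C2": (2, 20),
    "C3": (3, 30),
    "C4": (3, 40),
    "C5": (1, 50),
}

# Constrained paths: the messages a path traverses and its latency bound (ms).
PATHS = {
    "IP1->IP2": (("C1", "C2"), 14),
    "Sens3->SigOut": (("C3", "C4"), 30),
}


def response_times(order, speed=Fraction(1)):
    """Worst-case response time of every message for one priority order.

    `order` lists messages from highest to lowest priority. `speed` is the bus
    speed relative to the initial design: transmission times scale by 1/speed.
    CAN arbitration is non-preemptive, so a message waits for at most one
    lower-priority frame already on the bus (blocking B) plus every
    higher-priority frame queued in [0, w], giving the fixed-point iteration
        w = B + sum over hp of (floor(w / T_j) + 1) * C_j,   R = w + C.
    Counting an arrival at exactly time w is deliberate: a frame queued at the
    instant arbitration starts wins against the lower-priority one.
    Returns None when some message would exceed its own period (R > T), which
    this single-instance recurrence cannot cover.
    """
    c = {m: Fraction(MESSAGES[m][0]) / speed for m in MESSAGES}
    t = {m: Fraction(MESSAGES[m][1]) for m in MESSAGES}
    result = {}
    for i, m in enumerate(order):
        hp, lp = order[:i], order[i + 1:]
        blocking = max((c[x] for x in lp), default=Fraction(0))
        w = blocking
        while True:
            if w + c[m] > t[m]:  # diverging past the period: unschedulable
                return None
            w_next = blocking + sum((floor(w / t[j]) + 1) * c[j] for j in hp)
            if w_next == w:
                break
            w = w_next
        result[m] = w + c[m]
    return result


def path_latencies(order, speed=Fraction(1)):
    """Sum of worst-case response times along each constrained path, or None."""
    rt = response_times(order, speed)
    if rt is None:
        return None
    return {p: sum(rt[m] for m in msgs) for p, (msgs, _) in PATHS.items()}


def feasible(order, speed=Fraction(1)):
    """True when every path meets its bound under this order and bus speed."""
    lat = path_latencies(order, speed)
    return lat is not None and all(lat[p] <= bound for p, (_, bound) in PATHS.items())


def explore_priorities():
    """Exhaustive design-space exploration: every priority permutation that
    meets all path constraints (the chapter uses a genetic algorithm instead,
    which matters once the permutation space is too large to enumerate)."""
    return [order for order in permutations(MESSAGES) if feasible(order)]


def speed_slack(order, resolution=100):
    """One-dimensional slack of the bus: the lowest relative bus speed (in steps
    of 1/resolution) at which `order` is still feasible. Feasibility is
    monotone in speed because every response time grows as frames get longer,
    so the scan can stop at the first infeasible step."""
    best = None
    for k in range(resolution, 0, -1):
        s = Fraction(k, resolution)
        if not feasible(order, s):
            break
        best = s
    return best


if __name__ == "__main__":
    chosen = ("C1", "C2", "C5", "C3", "C4")
    print("feasible priority orders:", len(explore_priorities()), "of 120")
    print("path latencies for", chosen, path_latencies(chosen))
    print("minimum relative bus speed for", chosen, speed_slack(chosen))
```

With the constructed parameters the order from the text, C1 > C2 > C5 > C3 > C4, is one of the feasible permutations, and the bus could be slowed to 86% of its initial speed before the IP1 → IP2 bound is violated, which is the kind of per-resource value Figure 3.13 plots. Replacing the exhaustive enumeration by a heuristic search is the only change needed for larger message sets.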
3.8.5 System Dimensioning

According to Section 3.6, the performance slack of the system components can be efficiently used in order to select hardware components that are optimal with respect to cost. The diagram presented in Figure 3.13 shows the minimum speed of the CAN bus and the single-core ECUs. The presented values are relative to the resource speed values in the initial configuration. These values were individually obtained for each resource, which means that the speed of only one resource was changed at any one time.

3.9 Conclusion

This chapter has given an overview of state-of-the-art compositional performance analysis techniques for distributed systems and MPSoCs. Furthermore, we have highlighted specific timing implications that require attention when addressing MPSoC setups, hierarchical communication networks, and SCs. To leverage the capabilities of the overall approach, sensitivity analysis and robustness optimization techniques were implemented that work without executable code and that are based on robustness metrics. By means of a simple example, we have demonstrated that modeling and formal performance analysis are adequate for verifying, optimizing, and dimensioning heterogeneous multiprocessor systems. Many of the techniques presented here are already used in industrial practice [35].

References

1. K. Albers, F. Bodmann, and F. Slomka. Hierarchical event streams and event dependency graphs: A new computational model for embedded real-time systems. Proceedings of the 18th Euromicro Conference on Real-Time Systems, Dresden, Germany, pp. 97–106, 2006.
2. AUTOSAR. AUTOSAR Specification of Communication V. 2.0.1, AUTOSAR Partnership, 2006. http://www.autosar.org.
3. P. Balbastre, I. Ripoll, and A. Crespo. Optimal deadline assignment for periodic real-time tasks in dynamic priority systems. In 18th Euromicro Conference on Real-Time Systems, Dresden, Germany, 2006.
4. I. Bate and P. Emberson. Incorporating scenarios and heuristics to improve flexibility in real-time embedded systems. In Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), San Jose, CA, April 2006.
5. J. L. Boudec and P. Thiran. Network Calculus: A Theory of Deterministic Queuing Systems for the Internet. Springer, Berlin, 2001.
6. S. Chakraborty, S. Künzli, and L. Thiele. A general framework for analysing system properties in platform-based embedded system designs. In Proceedings of the IEEE/ACM Design, Automation and Test in Europe Conference (DATE), Munich, Germany, 2003.
7. P. Emberson and I. Bate. Minimising task migration and priority changes in mode transitions. In Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), Seattle, WA, April 2007.
8. J. Filipiak. Real Time Network Management. North-Holland, Amsterdam, the Netherlands, 1991.
9. O. Gonzalez, H. Shrikumar, J. Stankovic, and K. Ramamritham. Adaptive fault tolerance and graceful degradation under dynamic hard real-time scheduling. In Proceedings of the IEEE International Real-Time Systems Symposium (RTSS), San Francisco, CA, December 1997.
10. W. Haid and L. Thiele. Complex task activation schemes in system level performance analysis. In Proceedings of the IEEE/ACM International Conference on HW/SW Codesign and System Synthesis (CODES-ISSS), Salzburg, Austria, September 2007.
11. A. Hamann, M. Jersak, K. Richter, and R. Ernst. Design space exploration and system optimization with SymTA/S-symbolic timing analysis for systems. In Proceedings 25th International Real-Time Systems Symposium (RTSS04), Lisbon, Portugal, December 2004.
12. A. Hamann, R. Racu, and R. Ernst. A formal approach to robustness maximization of complex heterogeneous embedded systems. In Proceedings of the IEEE/ACM International Conference on HW/SW Codesign and System Synthesis (CODES-ISSS), Seoul, South Korea, October 2006.
13. R. Henia and R. Ernst. Scenario aware analysis for complex event models and distributed systems. In Proceedings of the Real-Time Systems Symposium, Tucson, AZ, 2007.
14. R. Henia, A. Hamann, M. Jersak, R. Racu, K. Richter, and R. Ernst. System level performance analysis—the SymTA/S approach. IEE Proceedings Computers and Digital Techniques, 152(2):148–166, March 2005.
15. R. Henia, R. Racu, and R. Ernst. Improved output jitter calculation for compositional performance analysis of distributed systems. Parallel and Distributed Processing Symposium, 2007. IPDPS 2007. IEEE International, Long Beach, CA, pp. 1–8, 2007.
16. T. Henzinger and S. Matic. An interface algebra for real-time components. In Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), San Jose, CA, April 2006.
17. I. IXP2400. IXP2800 Network Processors.
18. V. Izosimov, P. Pop, P. Eles, and Z. Peng. Design optimization of time- and cost-constrained fault-tolerant distributed embedded systems. In Proceedings of the IEEE/ACM Design, Automation and Test in Europe Conference (DATE), Munich, Germany, March 2005.
19. M. Jersak. Compositional performance analysis for complex embedded applications. PhD thesis, Technical University of Braunschweig, Braunschweig, Germany, 2004.
20. B. Jonsson, S. Perathoner, L. Thiele, and W. Yi. Cyclic dependencies in modular performance analysis. In ACM & IEEE International Conference on Embedded Software (EMSOFT), Atlanta, GA, October 2008. ACM Press.
21. E. Lee, S. Neuendorffer, and M. Wirthlin. Actor-oriented design of embedded hardware and software systems. Journal of Circuits Systems and Computers, 12(3):231–260, 2003.
22. P. Lee, T. Anderson, J. Laprie, A. Avizienis, and H. Kopetz. Fault Tolerance: Principles and Practice. Springer Verlag, Secaucus, NJ, 1990.
23. J. Lehoczky. Fixed priority scheduling of periodic task sets with arbitrary deadlines. In Proceedings of the IEEE Real-Time Systems Symposium (RTSS), Lake Buena Vista, FL, 1990.
24. J. Lemieux. Programming in the OSEK/VDX Environment. CMP Books, Lawrence, KS, 2001.
25. C. Lu, J. Stankovic, S. Son, and G. Tao. Feedback control real-time scheduling: Framework, modeling, and algorithms. Real-Time Systems Journal, 23(1–2):85–126, 2002.
26. A. Maxiaguine, S. Künzli, S. Chakraborty, and L. Thiele. Rate analysis for streaming applications with on-chip buffer constraints. In Proceedings of the IEEE/ACM Asia and South Pacific Design Automation Conference (ASP-DAC), Yokohama, Japan, pp. 131–136, January 2004.
27. M. Negrean, S. Schliecker, and R. Ernst. Response-time analysis of arbitrarily activated tasks in multiprocessor systems with shared resources. In Proceedings of Design, Automation and Test in Europe (DATE 2009), Nice, France, April 2009.
28. K. Poulsen, P. Pop, V. Izosimov, and P. Eles. Scheduling and voltage scaling for energy/reliability trade-offs in fault-tolerant time-triggered embedded systems. In Proceedings of the IEEE/ACM International Conference on HW/SW Codesign and System Synthesis (CODES-ISSS), Salzburg, Austria, October 2007.
29. R. Racu and R. Ernst. Scheduling anomaly detection and optimization for distributed systems with preemptive task-sets. In 12th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), San Jose, CA, April 2006.
30. R. Racu, A. Hamann, and R. Ernst. Automotive system optimization using sensitivity analysis. In International Embedded Systems Symposium (IESS), Embedded System Design: Topics, Techniques and Trends, Irvine, CA, pp. 57–70, June 2007. Springer.
31. R. Racu, A. Hamann, and R. Ernst. Sensitivity analysis of complex embedded real-time systems. Real-Time Systems Journal, 39(1–3):31–72, 2008.
32. J. Real and A. Crespo. Mode change protocols for real-time systems: A survey and a new proposal. Real-Time Systems, 26(2):161–197, 2004.
33. K. Richter, D. Ziegenbein, M. Jersak, and R. Ernst. Model composition for scheduling analysis in platform design. In Proceedings of the 39th Design Automation Conference (DAC 2002), New Orleans, LA, June 2002.
34. K. Richter. Compositional performance analysis. PhD thesis, Technical University of Braunschweig, Braunschweig, Germany, 2004.
35. K. Richter. New kid on the block: Scheduling analysis improves quality and reliability of ECUs and busses. Embedded World Conference, Nuremberg, Germany, 2008.
36. J. Rox and R. Ernst. Construction and deconstruction of hierarchical event streams with multiple hierarchical layers. In Proceedings of the Euromicro Conference on Real-Time Systems (ECRTS 2008), Prague, Czech Republic, July 2008.
37. J. Rox and R. Ernst. Modeling event stream hierarchies with hierarchical event models. In Proceedings of the Design, Automation and Test in Europe (DATE 2008), Munich, Germany, March 2008.
38. S. Schliecker, M. Ivers, and R. Ernst. Integrated analysis of communicating tasks in MPSoCs. Proceedings of the 4th International Conference on Hardware/Software Codesign and System Synthesis, Seoul, Korea, pp. 288–293, 2006.
39. S. Schliecker, M. Ivers, and R. Ernst. Memory access patterns for the analysis of MPSoCs. 2006 IEEE North-East Workshop on Circuits and Systems, Gatineau, Quebec, Canada, pp. 249–252, 2006.
40. S. Schliecker, M. Ivers, J. Staschulat, and R. Ernst. A framework for the busy time calculation of multiple correlated events. 6th International Workshop on WCET Analysis, Dresden, Germany, July 2006.
41. S. Schliecker, M. Negrean, and R. Ernst. Reliable performance analysis of a multicore multithreaded system-on-chip (with appendix). Technical report, Technische Universität Braunschweig, Braunschweig, Germany, 2008.
42. S. Schliecker, M. Negrean, G. Nicolescu, P. Paulin, and R. Ernst. Reliable performance analysis of a multicore multithreaded system-on-chip. In Proceedings of the 6th IEEE/ACM/IFIP International Conference on Hardware/Software Codesign and System Synthesis, pp. 161–166. ACM, New York, 2008.
43. S. Schliecker, J. Rox, M. Ivers, and R. Ernst. Providing accurate event models for the analysis of heterogeneous multiprocessor systems. In Proceedings of the 6th IEEE/ACM/IFIP International Conference on Hardware/Software Codesign and System Synthesis, pp. 185–190. ACM, New York, 2008.
44. S. Segars. The ARM9 family-high performance microprocessors for embedded applications. Proceedings of the International Conference on Computer Design: VLSI in Computers and Processors, 1998. ICCD'98, Austin, TX, pp. 230–235, 1998.
45. L. Sha, R. Rajkumar, J. Lehoczky, and K. Ramamritham. Mode change protocols for priority-driven preemptive scheduling. Technical Report UM-CS-1989-060, 31, 1989.
46. J. Staschulat and R. Ernst. Worst case timing analysis of input dependent data cache behavior. Euromicro Conference on Real-Time Systems, Dresden, Germany, 2006.
47. K. W. Tindell, A. Burns, and A. J. Wellings. Mode changes in priority pre-emptively scheduled systems. In IEEE Real-Time Systems Symposium, Phoenix, AZ, pp. 100–109, 1992.
48. S. Vestal. Fixed-priority sensitivity analysis for linear compute time models. IEEE Transactions on Software Engineering, 20(4):308–317, April 1994.
49. R. Wilhelm, J. Engblom, A. Ermedahl, N. Holsti, S. Thesing, D. Whalley, G. Bernat, C. Ferdinand, R. Heckmann, T. Mitra, F. Mueller, I. Puaut, P. Puschner, J. Staschulat, and P. Stenström. The worst-case execution-time problem—overview of methods and survey of tools. Transactions on Embedded Computing Systems, 7(3):1–53, 2008.

Nicolescu/Model-Based Design for Embedded Systems 67842_C004 Finals Page 93 2009-9-30

4 Model-Based Framework for Schedulability Analysis Using UPPAAL 4.1

Alexandre David, Jacob Illum, Kim G. Larsen, and Arne Skou

CONTENTS
4.1 Introduction 93
4.2 UPPAAL and Its Formalism 95
  4.2.1 Modeling Language 95
  4.2.2 Specification Language 99
4.3 Schedulability Problems 99
  4.3.1 Tasks 100
  4.3.2 Task Dependencies 100
  4.3.3 Resources 101
    4.3.3.1 Scheduling Policies 101
    4.3.3.2 Preemption 101
  4.3.4 Schedulability 102
4.4 Framework Model in UPPAAL 102
  4.4.1 Modeling Idea 102
  4.4.2 Data Structures 103
  4.4.3 Task Template 104
    4.4.3.1 Modeling Task Graphs 106
  4.4.4 Resource Template 107
  4.4.5 Scheduling Policies 109
    4.4.5.1 First-In First-Out (FIFO) 110
    4.4.5.2 Fixed Priority 110
    4.4.5.3 Earliest Deadline First 111
4.5 Framework Instantiation 112
  4.5.1 Schedulability Query 113
  4.5.2 Example Framework Instantiation 114
4.6 Conclusion 116
Acknowledgment 116
References 116

4.1 Introduction

Embedded systems involve the monitoring and control of complex physical processes using applications running on dedicated execution platforms in a resource-constrained manner in terms of, for example, memory, processing power, bandwidth, energy consumption, and timing behavior. Viewing the application as a collection of interdependent tasks, various "scheduling principles" may be applied to coordinate the execution of tasks in order to ensure orderly and efficient usage of resources. Based on the physical process to be controlled, timing deadlines may be required for the individual tasks as well as the overall system.
The challenge of "schedulability analysis" is now concerned with guaranteeing that the applied scheduling principle(s) ensure that the timing deadlines are met.

For single-processor systems, industrially applied schedulability analysis tools include TimeWiz from TimeSys Corporation [10] and RapidRMA from TriPacific [11], based on rate monotonic analysis. More recently, SymTA/S has emerged as an efficient tool for system-level performance and timing analysis based on formal scheduling analysis techniques and symbolic simulation [26]. These tools benefit from the great success of real-time scheduling theories: results that were developed in the 1970s and the 1980s, and are now well established. However, these theories and tools have become seriously challenged by the rapid increase in the use of multi-cores and multiprocessor systems-on-chips (MPSoCs). To overcome the limitation to single-processor architectures, applications of simulation have been pursued, including, in the case of MPSoCs, the ARTS framework (based on SystemC) [22,23], the Daedalus simulation tool [25], and the Design-Trotter [24]. Though extremely useful for early design exploration by providing very adequate performance estimates, for example, memory usage, energy consumption, and options for parallelization, the use of simulation makes the schedulability analysis provided by these tools unreliable: though no deadline violation may be revealed after (even extensive) simulation, there is no guarantee that a violation will never occur in the future. For systems with hard real-time requirements, this is not satisfactory.

During recent years, the use of real-time model checking has become an attractive and maturing approach to schedulability analysis providing absolute guarantees: if after model checking no violations of deadlines have been found, then it is guaranteed that no violations will occur during execution. In this approach, the (multiprocessor) execution platform, the tasks, the interdependencies between tasks, their execution times, and the mapping to the platform are modeled as timed automata [3], allowing efficient tools such as UPPAAL [28] to "verify" schedulability using model checking. The tool TIMES [4] has been pioneering this approach, providing a rather expressive task model called time-triggered architecture (TTA) allowing for complex task-arrival patterns, and using the verification engine of UPPAAL to verify schedulability. However, so far the tool only supports single-processor scheduling and limited dependencies between tasks. Other schedulability frameworks using timed automata as a modeling formalism and UPPAAL as a backend are given in [8,13,14,17,27]. Also related to schedulability analysis, a number of real-time operating systems (RTOS) have been formalized and analyzed using UPPAAL [16,20].

The MOVES analysis framework [19], presented in Chapter 5 of this book, is closely related to this chapter. Whereas the chapter on MOVES reports on the ability to apply UPPAAL to verify properties and schedulability of embedded systems through a number of (realistic size) examples, we provide in this chapter a detailed account, alternative to the one in [5], of how to model multiprocessor-scheduling scenarios most efficiently, by making full use of the modeling formalism of UPPAAL. This chapter offers an UPPAAL modeling framework [15] that may be instantiated to suit a variety of scheduling scenarios, and which can be easily extended. In particular, the framework includes

• A rich collection of attributes for tasks, including the offset, best- and worst-case execution times, minimum and maximum interarrival times, deadlines, and task priorities
• Task dependencies
• Assignment of resources, for example, processors or busses, to tasks
• Scheduling policies, including first-in first-out (FIFO), earliest deadline first (EDF), and fixed priority scheduling (FPS)
• Possible preemption of resources

The combination of task dependencies, execution time uncertainties, and preemption makes schedulability of the above framework undecidable [21]. However, the recent support for stopwatch automata [9] in UPPAAL leads to an efficient approximate analysis that has proved adequate for several concrete instances, as demonstrated in [19].

The outline of the remaining chapter is as follows: In Section 4.2, we show the formalism of UPPAAL by the use of an example. In Section 4.3, we give an introduction to the types of schedulability problems that can be analyzed using the framework presented in Section 4.4. Following the framework, in Section 4.5, we show how to instantiate the framework for a number of different schedulability problems by way of an example system. Finally, we conclude the chapter in Section 4.6.

4.2 UPPAAL and Its Formalism

In this section, we provide an introductory description of the UPPAAL modeling language.

4.2.1 Modeling Language

The tool UPPAAL is designed for design, simulation, and verification of real-time systems that can be modeled as networks of timed automata [2],