|
|
|
| e-Pub |
Previous | 
Home
Section: New Results
Safe Parallelization of Hard Real-Time Avionics Software
Participants : Keryan Didier, Dumitru Potop-Butucaru.
This work took place in the framework of the ITEA3 ASSUME project, which funds the PhD thesis of Keryan Didier, and in close collaboration with Inria PARKAS, Airbus, and Kalray.
Concurrent programming is notoriously difficult, especially in constrained embedded contexts. Threads, in particular, are wildly nondeterministic as a model of computation, and difficult to analyze in the general case. Fortunately, it is often the case that multi-threaded, semaphore-synchronized embedded software implements high-level functional specifications written in a deterministic data-flow language such as Scade or (safe subsets of) Simulink.
In many cases, the multi-threaded implementation of such specifications preserves a fundamentally dataflow structure, with specific rules on the way platform resources (shared memory, semaphores) are used. When this happens, the implementation is best represented as a dataflow synchronous program whose elements are mapped on the platform resources. Ensuring the correctness of such an implementation consists in ensuring that:
-
The dataflow program (without the mapping) implements the semantics of the functional specification. This analysis can be performed inside the dataflow model.
-
Once the mapping of program elements onto the platform resources (Sequencing of blocks into threads executed by processors; code, stack and data variables to memory locations; synchronizations to semaphores, etc.) is performed, the execution of the platform (under platform semantics) implements the behavior of the dataflow program.
Together, the dataflow program and the mapping information form an implementation model. This model is strictly richer than the multi-threaded C code, which can be obtained through a pretty-printing of model parts. Exposing the internal data-flow structure of the implementation facilitates defining and establishing correctness, e.g. the correctness of the synchronization or memory coherence protocols synthesized during the implementation process. All analyses can be realized using efficient tools specific to the synchronous model. Finally, if manual inspection of the C multi-threaded code is required, such a representation can be used to enforce strict code structuring rules which facilitate understanding.
We proposed a language for describing such implementation models that expose the data-flow behavior hiding under the form of a multi-threaded program. The language allows the representation of efficient implementations featuring pipelined scheduling and optimized memory allocation and synchronization [12].
We also proposed a design and tool flow taking as input industrial specifications based on Lustre/Scade and automatically producing fully mapped parallel implementation models and implementations with hard real-time guarantees. The front-end of the flow implements properties facilitating the mapping, e.g., exposing the state of all nodes to memory optimization. To strictly enforce realtime guarantees, the offline mapping algorithms of the back-end consider all sources of interference, including concurrent memory accesses, coherence protocols and event-driven synchronization. Our flow scales to an avionics application comprising more than 5000 unique nodes, targeting the Kalray MPPA 256 many-core platform, selected for its timing predictability.