Section: New Results

New Programming Languages for Embedded Systems

Participants : Alain Girault [contact person] , Pascal Fradet, Petro Poplavko, Vagelis Bebelis, Bertrand Jeannet, Peter Schrammel.

The DSystemJ programming language

In collaboration with Avinash Malik (IBM Watson) and Zoran Salcic (University of Auckland), we have designed the SystemJ programming language [9] , which implements the Globally Asynchronous Locally Synchronous (GALS) Model of Computation (MoC) over Java . In a nutshell, SystemJ uses the notion of clock domains (CD) to design portions of the system that must operate at unrelated clocks. CDs communicate with each other via asynchronous rendez-vous. Then, a CD consists of one or several reactions, which react synchronously in lock-step and communicate with each other via synchronous broadcast of signals. Finally, all the data computations are implemented in Java .

We have further extended SystemJ to allow programmers to design dynamic GALS systems: this is the new language DSystemJ  [27] , [12] , aimed at dynamic distributed systems that use socket based communication protocols for communicating between components. DSystemJ allows the creation and control at runtime of CDs, their mobility on a distributed execution platform, as well as the runtime reconfiguration of the system’s functionality and topology. We have defined the formal semantics of DSystemJ , based on the Dynamic GALS MoC: it offers very safe mechanisms for implementation of distributed systems, as well as potential for their formal verification. The runtime support is implemented in the SystemJ language, which can as such be considered as a static subset of DSystemJ .

This work has been done within the Afmes associated team with the Electric and Computer Engineering Department of the University of Auckland.

The PRET-C programming language for time-predictable systems

Typical safety critical embedded applications, ranging from complex aircraft flight controllers to embedded health devices require worst case guarantees on their timing behavior. The problem is that general-purpose processors, being highly speculative, are intrinsically non-deterministic, and thus are not ideally suited for implementing such systems: either the computed worst-case execution time is highly pessimistic, or heroic efforts are required to accurately model the caches, pipeline, and speculative execution [93] . For similar reasons, using an RTOS to guarantee the determinism of a program’s behavior, along with temporal guarantees, is not feasible. The ability to analyze temporal bounds is dependent on the selected programming language, compiler tool chain, operating system, and the target hardware.

To alleviate these problems, we have defined a synchronous variant of C called PRET-C, together with Sidharta Andalam and Partha Roop (University of Auckland). PRET-C offers constructs for reactive inputs/outputs; it supports a notion of logical time, synchronous concurrency, and preemption [40] . We have also designed the ARPRET architecture for efficient and predictable execution of PRET-C. ARPRET inherits from the long lasting research effort on reactive processors conducted at the University of Auckland. Finally, all timing constraints are precisely verified using a Worst Case Reaction Time (WCRT) analyzer. While there has been a considerable body of work on the timing analysis of procedural programs [93] , such analysis for synchronous programs has received less attention. Current state-of-the-art analyses for synchronous programs use integer linear programming (ILP) combined with path pruning techniques to achieve tight results. These approaches first convert a concurrent synchronous program into a sequential program. ILP constraints are then derived from this sequential program to compute the longest tick length. For PRET-C, we have proposed an alternative approach based on model checking [16] . Unlike conventional programs, synchronous programs are concurrent and state-space oriented, making them ideal for model checking based analysis. Our analysis of the abstracted state-space of the program is combined with expressive data-flow information, to facilitate effective path pruning. We have demonstrated through extensive experimentation that the proposed approach is both scalable and about 67% tighter compared to the existing approaches (namely Protothreads [60] and SC [94] ).

This overall framework provides an ideal platform for designing and verifying precision timed real-time systems. It has been conducted within the Afmes associated team with the Electric and Computer Engineering Department of the University of Auckland, and is the topic of the PhD of Sidharta Andalam.

Analysis and Scheduling of Parametric Data-Flow Models

Recent data-flow programming environments support applications whose behavior is characterized by dynamic variations in resource requirements. The high expressive power of the underlying models (e.g., Kahn Process Networks, the CAL actor language) makes it challenging to ensure predictable behavior. In particular, checking liveness (i.e., no part of the system will deadlock) and boundedness (i.e., the system can be executed in finite memory) is known to be hard or even undecidable for such models. This situation is troublesome for the design of high-quality embedded systems.

We have introduced the schedulable parametric data-flow (SPDF) model of computation (MoC) for dynamic streaming applications [23] , [32] , [36] , [34] , [35] . SPDF extends the standard data flow model by allowing rates to be parametric (e.g., of the form $2xy$). SPDF was designed to be statically analyzable while retaining sufficient expressive power. We formulated sufficient and general static criteria for boundedness and liveness. In SPDF, parameters can be changed dynamically even within iterations. The safety of dynamic parameter changes can be checked and their implementation made explicit in the graph. These different analyses are made possible using well-defined static operations on symbolic expressions. The same holds for quasi-static scheduling which is the first step towards code generation for multi-core systems.

We are now considering other kinds of analyses for this new data-flow MoC. The objective of these analyses is to generate distributed schedules optimizing both the power consumption and the execution time of applications. The targeted hardware is P2012, a new embedded many-core platform designed by STMicroelectronics consisting of several clusters (9 in the current implementation) interconnected through a 2D mesh asynchronous NoC. Each cluster comprises 16 identical computing cores and is equipped with a hardware mechanism for DVFS (dynamic voltage and frequency scaling). As a first step, we have studied energy efficient scheduling of simple data-flow graphs for that platform  [81] . The next step is to extend the approach to SPDF.

This line of research will be followed in the PhD thesis of Vagelis Bebelis which has just started. It will be conducted in collaboration with STMicroelectronics.

Translating Hybrid Data-Flow Languages to Hybrid Automata

Hybrid systems are used to model embedded computing systems interacting with their physical environment. There is a conceptual mismatch between high-level hybrid system languages like Simulink , which are used for simulation, and hybrid automata, the most suitable representation for safety verification. Indeed, in simulation languages the interaction between discrete and continuous execution steps is specified using the concept of zero-crossings, whereas hybrid automata exploit the notion of staying conditions.

In the context of the Inria large scale action Synchronics (see § 8.1.4 ), we studied how to translate the Zelus hydrid data-flow language [43] developped in this project into logico-numerical hybrid automata by carefully pointing out this issue. We investigated various zero-crossing semantics, proposed a sound translation, and discussed to which extent the original semantics is preserved. This work has been accepted to the conference HSCC'2012 (Hybrid Systems: Computation and Control).

This work is part of the PhD thesis of Peter Schrammel.