Time Predictable Systems

Timing Predictability
- A Must for Avionics Systems -
Reinhard Wilhelm
Saarland University, Saarbrücken
Run-Time Guarantees for Hard Real-Time Systems
• Hard real-time embedded systems need offline guarantees for the satisfaction of their timing constraints
• Timing analysis should determine upper bounds on the execution times of all tasks statically
• This has become difficult because of the huge variability in the execution time of individual instructions/functions/systems
Access Times
x = a + b;
LOAD r2, _a
LOAD r1, _b
ADD r3, r2, r1
[Figure: two bar charts, for the MPC 5xx and the PPC 755, titled "Execution Time (Clock Cycles)" and "Execution Time depending on Flash Memory (Clock Cycles)"; y-axis: Clock Cycles; bars: Best Case, Worst Case, 0 Wait Cycles, 1 Wait Cycle, External (6,1,1,1,...)]
Timing Accidents and Penalties
The variability of execution times is caused by the many different ways instructions can be executed:
• Timing Accident – cause for an increase of the execution time of an instruction
• Timing Penalty – the associated increase
• Types of timing accidents:
– Cache miss
– TLB miss
– Pipeline stall
– Memory refresh of DRAM
– Bus collision
– Branch misprediction
– Page fault
How to Deal with Murphy’s Law?
Essentially three different answers:
• Accepting: Every timing accident that may happen will happen
• Fighting: Reliably showing that many/most Timing Accidents cannot happen
• Cheating: measuring “enough” runs to feel comfortable
Accepting Murphy’s Law
like guaranteeing a speed of 4.07 km/h for this car, because variability of execution times on modern processors is in the order of 100
Cheating to deal with Murphy’s Law
• measuring “enough” runs to feel comfortable
• how many runs are “enough”?
• Example: Analogy – Testing vs. Verification
AMD was offered a verification of the K7. They had tested the design with 80 000 test vectors and considered verification unnecessary. The verification attempt discovered 2 000 bugs!
The only remaining solution: Fighting Murphy’s Law!
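The three answers to Murphy's Law, compared on a toy program (an added example, not part of the slides and not aiT's implementation). "Fighting" is shown with a simplified LRU must-cache analysis, one standard static technique for proving that certain cache misses cannot happen; the cache size, cycle costs and access trace are constructed assumptions.

```python
# Added illustration: cache model, cycle costs and access trace are constructed.
ASSOC = 4              # fully associative LRU cache with 4 lines (assumption)
HIT, PENALTY = 1, 25   # cycles per access, extra cycles per cache miss (assumption)
PREFIX, THEN, ELSE, SUFFIX = ["a", "b"], ["c"], ["d"], ["a", "b", "c"]

def must_update(state, block):
    """Abstract LRU update; state maps block -> upper bound on its age."""
    old = state.get(block, ASSOC)
    aged = {b: a + 1 if a < old else a for b, a in state.items() if b != block}
    new = {b: a for b, a in aged.items() if a < ASSOC}  # evicted: no guarantee left
    new[block] = 0
    return new

def must_join(s1, s2):
    """At a merge, keep blocks cached on both paths, with their worst age."""
    return {b: max(s1[b], s2[b]) for b in s1.keys() & s2.keys()}

def analyse(seq, state):
    """Cycle bound for a straight-line sequence, plus the state after it."""
    cycles = 0
    for block in seq:
        cycles += HIT if block in state else HIT + PENALTY  # hit only if proven
        state = must_update(state, block)
    return cycles, state

def fight_bound():
    """Bound for: PREFIX; if ...: THEN else: ELSE; SUFFIX (cache unknown at start)."""
    c0, s0 = analyse(PREFIX, {})
    c1, s1 = analyse(THEN, s0)
    c2, s2 = analyse(ELSE, s0)
    c3, _ = analyse(SUFFIX, must_join(s1, s2))
    return c0 + max(c1, c2) + c3

def accept_bound():
    """Accepting Murphy's Law: every access is assumed to miss."""
    n = len(PREFIX) + max(len(THEN), len(ELSE)) + len(SUFFIX)
    return n * (HIT + PENALTY)

def measure(path, cache=()):
    """One concrete run on a real LRU cache with the given initial contents."""
    cache, cycles = list(cache), 0
    for block in path:
        cycles += HIT if block in cache else HIT + PENALTY
        cache = ([block] + [b for b in cache if b != block])[:ASSOC]
    return cycles

if __name__ == "__main__":
    print("accept :", accept_bound())                               # all misses
    print("fight  :", fight_bound())                                # proven hits removed
    print("cheat  :", measure(PREFIX + THEN + SUFFIX, ("a", "b")))  # one warm-cache run
    print("actual :", measure(PREFIX + ELSE + SUFFIX))              # cold cache, else-branch
```

The analysed bound is safe and, in this small case, equal to the slowest real run, while a single measurement on a warm cache through the other branch falls far below it. Block `c` is cached only on the then-branch, so the join drops it and the final access must be counted as a miss.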
aiT WCET Analyzer
IST Project DAEDALUS final review report:
"The AbsInt tool is probably the best of its kind in the world and it is justified to consider this result as a breakthrough."
aiT is in routine use in the aeronautics and automotive industries
A380 subsystems of the highest criticality level are being certified using aiT
Timing Predictability
• The possibility, the obtainable precision, and the complexity of timing analysis depend on predictability properties of the SuA, e.g.
– processor architecture (memory hierarchy, speculation)
– communication protocols (deterministic/stochastic)
– SW design (model-based design + synthesis)
• Many “advances” in computer architecture have increased average-case performance at the cost of worst-case performance
Computer Architects,
1. forget about increasing average-case performance only
2. look for a good combination of average-case and worst-case performance
Alternatives?
• Over-provisioning will no longer work
• Completely deterministic systems will not perform
A New Research Agenda – Design for Predictability
• Architecture design: Reconcile average-case with worst-case performance
• Programming for analyzability
• Resource-aware abstraction
• Exploit synergy between design and analysis
Design only what you can analyze!
Tremendous Progress during the past 10 Years
The explosion of penalties has been compensated by a reduction of uncertainties!
[Figure: cache-miss penalty and over-estimation for 1995 (Lim et al.), 2002 (Thesing et al.) and 2005 (Souyris et al.); value labels on the chart: 4, 25, 60, 200 and 10%, 15%, 20-30%, 30-50%]