Languages, Compilers, and Tools for Embedded Systems: ACM SIGPLAN Workshop LCTES 2000, Vancouver, Canada, June 18, 2000, Proceedings (Lecture Notes in Computer Science, 1985) 3540417818, 9783540417811

Citation preview

Lecture Notes in Computer Science Edited by G. Goos, J. Hartmanis and J. van Leeuwen

1985

3

Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Singapore Tokyo

Jack Davidson Sang Lyul Min (Eds.)

Languages, Compilers, and Tools for Embedded Systems ACM SIGPLAN Workshop LCTES 2000 Vancouver, Canada, June 18, 2000 Proceedings

13

Preface This volume contains the proceedings of the ACM SIGPLAN Workshop on Languages, Compilers, and Tools for Embedded Systems (LCTES 2000), held June 18, 2000, in Vancouver, Canada. Embedded systems have developed considerably in the past decade and we expect this technology to become even more important in computer science and engineering in the new millennium. Interest in the workshop has been confirmed by the submission of papers from all over the world. There were 43 submissions representing more than 14 countries. Each submitted paper was reviewed by at least three members of the program committee. The expert opinions of many outside reviewers were invaluable in making the selections and ensuring the high quality of the program, for which, we express our sincere gratitude. The final program features one invited talk, twelve presentations, and five poster presentations, which reflect recent advances in formal systems, compilers, tools, and hardware for embedded systems. We owe a great deal of thanks to the authors, reviewers, and the members of the program committee for making the workshop a success. Special thanks to Jim Larus, the General Chair of PLDI 2000 and Julie Goetz of ACM for all their help and support. Thanks should also be given to Sung-Soo Lim at Seoul National University for his help in coordinating the paper submission and review process. We also thank Professor Gaetano Borriello of the University of Washington for his invited talk on Chinook, a hardware-software co-synthesis CAD tool for embedded systems.

January 2001

Jack Davidson Sang Lyul Min

Series Editors Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornell University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands Volume Editors Jack Davidson University of Virginia, School of Engineering and Applied Science Department of Computer Science Charlottesville, VA 22903-2442, USA E-mail: [email protected] Sang Lyul Min Seoul National University, Department of Computer Engineering Seoul 151-742, Korea E-mail: [email protected] Cataloging-in-Publication Data applied for Die Deutsche Bibliothek - CIP-Einheitsaufnahme Languages, compilers, and tools for embedded systems : proceedings / ACM SIGPLAN Workshop LCTES 2000, Vancouver, Canada, June 18, 2000. Jack Davidson ; Sang Lyul Min (ed.). - Berlin ; Heidelberg ; New York ; Barcelona ; Hong Kong ; London ; Milan ; Paris ; Singapore ; Tokyo : Springer, 2001 (Lecture notes in computer science ; Vol. 1985) ISBN 3-540-41781-8

CR Subject Classification (1998): D.4.7, C.3, D.3, D.2, F.3 ISSN 0302-9743 ISBN 3-540-41781-8 Springer-Verlag Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law. Springer-Verlag Berlin Heidelberg New York a member of BertelsmannSpringer Science+Business Media GmbH http://www.springer.de © Springer-Verlag Berlin Heidelberg 2001 Printed in Germany Typesetting: Camera-ready by author Printed on acid-free paper SPIN: 10781420

06/3142

543210

Preface This volume contains the proceedings of the ACM SIGPLAN Workshop on Languages, Compilers, and Tools for Embedded Systems (LCTES 2000), held June 18, 2000, in Vancouver, Canada. Embedded systems have developed considerably in the past decade and we expect this technology to become even more important in computer science and engineering in the new millennium. Interest in the workshop has been confirmed by the submission of papers from all over the world. There were 43 submissions representing more than 14 countries. Each submitted paper was reviewed by at least three members of the program committee. The expert opinions of many outside reviewers were invaluable in making the selections and ensuring the high quality of the program, for which, we express our sincere gratitude. The final program features one invited talk, twelve presentations, and five poster presentations, which reflect recent advances in formal systems, compilers, tools, and hardware for embedded systems. We owe a great deal of thanks to the authors, reviewers, and the members of the program committee for making the workshop a success. Special thanks to Jim Larus, the General Chair of PLDI 2000 and Julie Goetz of ACM for all their help and support. Thanks should also be given to Sung-Soo Lim at Seoul National University for his help in coordinating the paper submission and review process. We also thank Professor Gaetano Borriello of the University of Washington for his invited talk on Chinook, a hardware-software co-synthesis CAD tool for embedded systems.

January 2001

Jack Davidson Sang Lyul Min

Program Committee Neil C. Audsley Jack Davidson Alan Davis Susanne Graf Seongsoo Hong Alan Hu Inhye Kang Tei-Wei Kuo Jane Liu Sharad Malik Peter Marwedel Sang Lyul Min Ramesh Peri Peter Puschner Gang-Ryung Uh Wang Yi

University of York, UK University of Virginia, USA Texas Instruments, USA Verimag, France Seoul National University, Korea University of British Columbia, Canada Soongsil University, Korea National Chung Cheng University, ROC University of Illinois, USA Princeton University, USA University of Dortmund, Germany Seoul National University, Korea Intel, USA Technical University of Vienna, Austria Lucent Technologies, USA Uppsala University, Sweden

List of Reviewers Tobias Amnell Pavel Atanassov Neil C. Audsley Iain Bate Dean Batten Guenter Bauer Bryan Bayerdorffer Johan Bengtsson Guillem Bernat Clark Coleman Jack Davidson Alan Davis Sri Doddapaneni Julien d’Orso Jakob Engblom Heiko Falk Jose Fridman Gregor Goessler Susanne Graf

Jason Hiser Marc Hoffman Seongsoo Hong Alan Hu Sanjay Jinturkar Bengt Jonsson Inhye Kang Changhwan Kim Chanho Kim Saehwa Kim Tei-Wei Kuo Yassine Lakhnech Fredrik Larsson Chang-Gun Lee Seung-Hyoun Lee Sheayun Lee Rainer Leupers Wei Li Sung-Soo Lim

Jane Liu Sharad Malik Peter Marwedel Chris Milner Sang Lyul Min Sven Olof Nystrom Roman Pallierer Jungkeun Park Ramesh Peri Peter Puschner Kevin Scott Yangmin Seo Joseph Sifakis Christopher Temple Gang-Ryung Uh Lars Wehmeyer Wang Yi

Table of Contents Formal Methods and Databases Randomization-Based Approaches for Dynamic Priority Scheduling of Aperiodic Messages on a CAN Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Lucia Lo Bello and Orazio Mirabella (University of Catania, Italy) Complex Reactive Control with Simple Synchronous Models . . . . . . . . . . . . . . . 19 Reinhard Budde and Axel Poign´e (GMD, Germany) Optimistic Secure Real-Time Concurrency Control Using Multiple Data Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Byeong-Soo Jeong, Daeho Kim, and Sungyoung Lee (Kyung Hee University, Korea)

Compiler Array Reference Allocation Using SSA-Form and Live Range Growth . . . . . . 48 Marcelo Cintra (Conexant Systems Inc., USA) and Guido Araujo (IC-UNICAMP, Brazil) PROPAN: A Retargetable System for Postpass Optimisations and Analyses 63 Daniel K¨ astner (Saarland University, Germany) A Framework for Enhancing Code Quality in Limited Register Set Embedded Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 Deepankar Bairagi, Santosh Pande, and Dharma P. Agrawal (University of Cincinnati, USA)

Tools A Stochastic Framework for Co-synthesis of Real-Time Systems . . . . . . . . . . . . 96 S. Chakraverty (Netaji Subhas Institute of Technology, India) and C.P. Ravikumar (Indian Institute of Technology, India) A Fault Tolerance Extension to the Embedded CORBA for the CAN Bus Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Gwangil Jeon (Seoul National University, Korea), Tae-Hyung Kim (Hanyang University, Korea), Seongsoo Hong (Seoul National University, Korea), and Sunil Kim (Hongik University, Korea)

VIII

Table of Contents

A Real-Time Animator for Hybrid Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 Tobias Amnell, Alexandre David, and Wang Yi (Uppsala University, Sweden)

Hardware Reordering Memory Bus Transactions for Reduced Power Consumption . . . 146 Bruce R. Childers and Tarun Nakra (University of Pittsburgh, USA) A Power Efficient Cache Structure for Embedded Processors Based on the Dual Cache Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162 Gi-Ho Park, Kil-Whan Lee, Jae-Hyuk Lee, Tack-Don Han, and Shin-Dug Kim (Yonsei University, Korea) Approximation of Worst-Case Execution Time for Preemptive Multitasking Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Matteo Corti, Roberto Brega, and Thomas Gross (ETH Z¨ urich, Switzerland)

Work in Progress A Design and Implementation of a Remote Debugging Environment for Embedded Internet Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Kwangyong Lee, Chaedeok Lim, Kisok Kong, and Heung-Nam Kim (ETRI, Korea) Optimizing Code Size through Procedural Abstraction . . . . . . . . . . . . . . . . . . . . 204 Johan Runeson, Sven-Olof Nystr¨ om (Uppsala University, Sweden), and Jan Sj¨ odin (IAR Systems, Sweden) Automatic Validation of Code-Improving Transformations . . . . . . . . . . . . . . . . 206 Robert van Engelen, David Whalley, and Xin Yuan (Florida State University, USA) Towards Energy-Aware Iteration Space Tiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211 M. Kandemir, N. Vijaykrishnan, M.J. Irwin, and H.S. Kim (Pennsylvania State University, USA) An Integrated Push/Pull Buffer Management Method in Multimedia Communication Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 Sungyoung Lee (Kyung Hee University, Korea), Hyon Woo Seung (Seoul Women’s University, Korea), and Tae Woong Jeon (Korea University, Korea)

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Randomization-Based Approaches for Dynamic Priority Scheduling of Aperiodic Messages on a CAN Network

Lucia Lo Bello and Orazio Mirabella Department of Computer Science and Telecommunications University of Catania V.le A. Doria 6, I-95125 Catania, Italy {llobello, omirabel}@iit.unict.it

Abstract. The Controller Area Network is a well-known communication bus widely used both in automotive applications and in other environments, as distributed embedded systems, to support the exchange of control messages. Any contention on a CAN bus is deterministically resolved on the basis of the priority, which is fixed and encoded in the identifier field of the frame. Fixed priorities are not the best solution for event-driven applications, such as many distributed embedded control systems, which feature significant reactive behaviour and produce aperiodic traffic which can have real-time constraints. Depending on the priority some aperiodic objects may experience unusually higher access delays compared with those from other objects. This problem can be overcome by dynamically assigning identifiers to aperiodic messages. This paper proposes the use of randomization to provide dynamic priority assignment in a CAN network. The aim of this work is to investigate how the management of aperiodic traffic in a CAN system can be improved using randomization. Two different strategies for aperiodic traffic scheduling on a CAN network are presented and evaluated by simulation.

1

Introduction

The Controller Area Network (CAN) [1][2] communication bus was originally designed for use within road vehicles to solve cabling problems arising from the growing use of microprocessor-based components in vehicles. CAN is widely used in automotive applications and, as it is highly versatile, it can also be adopted in other environments. Thanks to the low cost of CAN bus adaptors and its ability to support real-time communication, CAN can be used as an embedded control networks (ECN) to connect several Function Control Units in a distributed embedded system.

J. Davidson and S.L. Min (Eds.): LCTES 2000, LNCS 1985, pp. 1-18, 2001. © Springer-Verlag Berlin Heidelberg 2001

2

L. Lo Bello and O. Mirabella

For example, in an intelligent transportation system for real-time monitoring of road traffic conditions, CAN can be used in a passenger vehicle equipped with microprocessors and connected to the internet via a wireless network. Several works have dealt with high-level protocols for the CAN bus [3][4][5][6] and a recent work [7] has proposed an environment specific CORBA for CAN-based distributed embedded systems. One of the reasons of the success of the CAN lies in the non destructive priority based bus arbitration mechanism it implements. Any message contention on a CAN bus is deterministically resolved on the basis of the priority of the objects exchanged, which is encoded in the identifier field of the frame. Thus the priority of a messages is the priority of the object it contains, expressed by the identifier. The short length of the bus allows all nodes to sense the same bit, so that the system can behave as a kind of large AND-gate, with each node able to check the output of the gate. The identifier with the lowest numerical value has the highest priority, and a non-destructive bitwise arbitration provides collision resolution. The priority of a CAN message is static, system-wide unique and it is assigned during the initial phase of system design. As the CAN application layer proposal [8] provides a direct mapping between the Data Link level object (COBs, Communication Objects) and the information at the Application level, each connection is given a different and fixed priority. As it is known, fixed priorities are suitable to support time-driven interactions (as, for example, periodic exchanges between a master unit and a set of slave devices). Several strategies can be adopted to assign identifiers to periodic messages so that all the application deadlines can be met, and the results of a scheduling analysis developed in order to bound the worst case response time of a CAN message can be used. In [9][10] the authors addressed in detail the analysis of real-time communications in CAN, assuming fixed priorities for message streams. The Deadline Monotonic (DM) priority assignment [11] can be directly implemented in a CAN network, by setting the identifier field of each message stream to a unique priority, according to the DM rule. While CAN is highly suitable to support periodic traffic, its fixed-priority-based approach is not able to support efficiently aperiodic exchanges, both real-time and non-real-time, typical of event-driven applications, such as many real-time embedded control systems, which feature significant reactive behaviour and produce aperiodic traffic which can have real-time constraints [12]. Due to the lack of timing information for the real-time aperiodic exchanges, it is not possible to find a static way to determine CAN identifiers for this kind of objects so that their deadlines can be always met. In addition, depending on the assignment of identifiers, there can be a repetition of undesirable sequences for aperiodic messages and it is possible that certain aperiodic objects may experience unusually higher access delays compared with those of other objects. This problem can be overcome by dynamically assigning identifiers to aperiodic messages. In [13][14] the authors analyzed how the non pre-emptive Earliest Deadline First (EDF) [15] could be used to schedule CAN messages. They proposed a mixed traffic scheduler (MTS), which uses the standard 11-bit format for the identifier field (provided in CAN Version 2.0A). The key idea of the MTS scheduler is to assign identifiers to different messages so that they reflect the messages’ deadlines. As CAN requires that each message must have a unique identifier field, they suggested the division of the identifier field into three sub-fields.

Randomization-Based Approaches for Dynamic Priority Scheduling

3

Another work [16] introduced dynamic priorities in CAN networks through a mechanism which makes transmissions of aperiodic messages occur in a round-robin way. However, round-robin may not always be the best solution to handle aperiodic traffic in a CAN network. For example, depending on the application, it might be needed that some objects be processed more quickly than other ones, or with a better ’quality of service’ (in terms of throughput or bus access delay). A round-robin scheme cannot provide preferential service of aperiodic messages needed to deal with such kind of situation. For this reason, this paper proposes new solutions to provide dynamic priority assignment in a CAN network, based on randomized choice of priorities for exchanged objects. An algorithm is said to be randomized if its behaviour depends not only on the input, but also on values produced by a random-number generator. Use of randomization in generating dynamic priority for an aperiodic object avoids deterministic behaviours and leads to a probability distribution over the admissible priority levels for that object, i.e. to a probability distribution of the access delay the object will experience. As it will be shown in the paper, the introduction of randomization makes it possible to provide, depending on the application requirements, either a preferential service for some class of objects or fairness. Two different approaches are proposed, called Randomized Adjacent Priority (RAP) and Randomized Priority with Overlapping (RPO). They are very simple to implement and differ in the strategy used to generate aperiodic messages’ priorities.

2 Dynamic Priority Assignment in a CAN Network As said in Sect.1, while CAN is highly suitable to support periodic traffic, its fixedpriority-based approach is not able to support efficiently aperiodic exchanges typical of event-driven systems. A point against fixed-priority assignment comes from evidence that, when the workload is close to the nominal bandwidth of the system, the transmission delays experienced by the objects vary significantly according to their priority (i.e. according to the identifiers assigned to them). Finally, there is no way of providing for fair bandwidth sharing between non real-time applications without adopting poor solutions (e.g. limiting in advance the bandwidth allocated to each object) which affect the overall efficiency. For this reason there is a need to find new solutions that, without altering the ability of the CAN protocol to support periodic object exchanges correctly, would be efficient for aperiodic traffic as well. In [16] the introduction of dynamic priorities was proposed to better support sporadic or aperiodic object exchanges, even in the case of system overload. In fact, in such conditions, objects with lower identifiers (i.e. having a higher priority) can monopolize all the bandwidth thus heavily affecting the transmission of objects with higher identifiers (lower priority). The use of dynamic identifiers allowed the authors to introduce mechanisms that make the protocol more fair. They presented two approaches: the Distributed Priority Queue, which requires the management of a global distributed queue where all the nodes are virtually inserted, and the Priority Promotion (PP), based on priority increase. The latter is based on the idea of assigning each node a priority level, called station priority, which depends on the object to be transmitted and progressively increases proportionally to the time that has

4

L. Lo Bello and O. Mirabella

elapsed since the node first attempted to transmit the current frame. In PP the extended identifier format (Version 2.0B) is used which, as foreseen by the CAN standard, is 20 bits longer than the normal format (Version 2.0A, which is shown in Fig.1a) and comprises a base identifier plus an identifier extension (Fig. 1b)1.

Arbitration field (CAN 2.0A)

S O F

R T R

11 bit Identifier

Other fields

Fig. 1a. Arbitration field for the 2.0A CAN protocol

Arbitration field (CAN 2.0B)

S O F

11 bit Base id entifier

S R R

I D E

18 bit Identifier Extensio n

Fig. 1b. Arbitration field for the 2.0B (Extended) CAN protocol

As Fig. 1b shows, when an extended identifier field is used (V 2.0B), two subidentifiers are available in the frame. The first is dynamic; it is used by the Medium Access Control (MAC) sub-layer to solve any contention (it is called a base identifier and is 11 bit long as the 2.0A CAN identifier), while the second is static and contains the effective identifier of the object being exchanged. It is used by the Logical Link Control (LLC) in the Data Link Layer to filter the content of a message. In fact, CAN messages produced by any node do not contain the address of the destination node. It is the consumer’s responsibility to filter messages and select only those that are of interest to the node. In [16] a service priority is defined for the PP protocol, representing the degree of urgency assigned to objects to be transmitted, which is specified by the application on each transmission service invocation. Service priority is encoded in a two-bit field called priority class (PC) (see Fig. 2), while the remaining bits of the base identifier encode the station (node) priority. Identifier Extension

Base identifier S PC O ((2 bit) F

Station Priority

S R R

I D E

18 bit Effective Identifier

Fig. 2. Arbitration field for the Priority Promotion protocol

1

In [16] it was proved that this little increment in the frame size introduces only a small additional cost.

Randomization-Based Approaches for Dynamic Priority Scheduling

5

In PP, a node priority is dynamically updated to indicate the precedence the node has in sending a frame when a collision occurs. Each node stores its priority level in a local variable which is dynamically reassigned by the MAC protocol, so that the priority is increased by 1 when a collision occurs and is set to the lowest value for the associated service priority class (each class has its own lowest value) when a transmission is successfully completed. This protocol organizes traffic into at most four priority classes (time critical, high, low and time available) and messages inside each class are transmitted on the basis of a round-robin approach. In many situations, round-robin mechanism is not the best solution. An application process has to be given the possibility of transferring more data than the others at any one time (for example, it has to transfer a large table to calibrate a sensor, or download a program into a slave node). Again, depending on the application, it might be needed that some objects be given a better quality of service in terms of throughput and access delay. The main drawback of the scheme proposed in [16] is that it can not provide preferential service of aperiodic messages needed to deal with such kind of situation. For this reason, this paper proposes new solutions to provide dynamic priority assignment in a CAN network, based on randomized choice of base identifiers for messages.

3

Reasons for Randomization

An algorithm is said to be randomized if its behaviour depends not only on the input, but also on values produced by a random-number generator. Randomization has the property that no particular input elicits its worst case behaviour, that is, no single input will always evoke worst case behaviour, and guarantees good-average case performance, no matter what keys are provided as input [17]. A suitable use of randomization therefore can provide more flexibility and effectiveness in dynamic priority assignment. Use of randomization avoids deterministic behaviours, which in many cases may lead to transmission sequences that are unfavourable to some low priority objects. When randomization is used in generating the base identifier of an object, the induced outcome is itself random, leading to a probability distribution over the admissible priority levels for that object. This also leads to a probability distribution of the access delay that the exchanged object will experience.2

2

It is possible that, due to randomization, different messages have the same base identifiers. For example, for two base identifiers generated independently from each other in the same range of length N according to a uniform probability distribution, the probability of obtaining 2 the same value is equal to 1/N . However, our approach does not require different objects to be assigned different priorities to work correctly. If two or more messages having the same base identifier start transmitting at the same time, the contention is resolved based on the effective identifier field. The same situation occurred in [16], both at system start-up, when all the nodes were given the same identifier value, and every time a new node joined the bus.

6

L. Lo Bello and O. Mirabella

As random functions generate numbers within a given range (which can be specified by a generation range), with a uniform probability distribution, by using the theory of probability it is possible to obtain the distribution of the access delays of the various messages according to the randomized dynamic priorities assigned to them. As a result, a suitable method to determine the length of the generation range in order to provide the required performance level can be found. For aperiodic low-priority real-time traffic the performance target can be that of probabilistically guaranteeing an upper bound on the access delay for each object. For non real-time traffic, the target can be, for example, that of providing an acceptable average access delay for objects, by giving them a non-null probability of being transmitted even in the presence of unfavourable workload condition on the network. In our scenario randomization can be applied in different ways for diverse purposes. Two different approaches are proposed in the paper, called Randomized Adjacent Priority (RAP) and Randomized Priority with Overlapping (RPO).

4

The Basic Idea

The two approaches proposed in this paper, RAP and RPO, have in common in that base identifiers (and consequently, priorities) are assigned to messages according to the requirements specified by the application for the exchanged objects. Moreover, both the algorithms use a random function to generate the object priority and encode it using all 11 bits of the base identifiers shown in Fig. 1b3. Each base identifier is an integer belonging to a range [Nmin, Nmax] fixed by the CAN protocol. To support different priority service classes, we split the entire domain of identifiers into three main parts. The first part, indicated as [Naperiodic_hp, Nperiodic -1], which features the lowest identifiers (i.e. those giving maximum priority to messages), is reserved for high-priority real-time aperiodic messages (e.g. alarms). As there are normally very few of these messages, it is reasonable to assign them a limited range (e.g. from 0 to 100 or less). A second range of identifiers [Nperiodic, Naperiodic_lp -1] is reserved for periodic traffic. As periodic traffic is known a priori, we can assign a fixed priority to the messages, and choose the identifiers so that deadlines can be met using suitable approaches following the analysis made in [9][10]. Randomization is not needed for both these kinds of traffic. Finally, we use a third range of identifiers [Naperiodic_lp, Nmax] for both low-priority aperiodic traffic real-time4 and non real-time traffic. As will be seen in what follows, the range [Naperiodic_lp, Nmax] can be further divided into sub-ranges, in order to provide 3

The CAN protocol states that 2.0B controllers are completely backward compatible with 2.0A controllers and can transmit and receive messages in either format. It is also possible to use both V 2.0A and V2.0B controllers on a single network, provided that V.2.0A controllers of the "2.0B passive type" are used.

4

Here we assume that real-time low priority traffic has soft deadlines. Through a suitable choice of randomization, it can be given an upper bound for the access delay in a statistical way.

Randomization-Based Approaches for Dynamic Priority Scheduling

7

several different service priority classes for aperiodic low priority traffic. For this kind of traffic we can generate dynamic node priorities by means of random numbers following the RAP and RPO policies described above. The difference between RAP and RPO lies in the strategy used to generate objects priority. The two algorithms are extremely simple to implement, as they do not require the management of distributed queues or priority increase strategies as in [16], but only the generation of random numbers within a pre-defined range.

5 Randomized Adjacent Priority Protocol As said above, several different priority classes for low-priority aperiodic traffic can be obtained through suitable partitioning into sub-intervals of the range [Naperiodic_lp, Nmax]. This partitioning can be done off-line according to the requirements of the application. In the RAP algorithm we assume that the various ranges are disjoint, thus that the service classes obtained are disjoint. When a node has to transmit an object with a service priority class specified by the application, it picks up an identifier (node priority) generated using randomization in the range associated with the given class. For example, let us suppose that only two service classes have to be supported for aperiodic low priority traffic. Thus, let us refer to an identifier space comprising Nmax Naperiodic_lp different values, divided into two intervals of length s1 and s2 respectively, associated to the first and the second service class. In the RAP algorithm identifiers for the first class (id1) are generated using the formula id1=Naper_lp + rand (s1)

(1)

so id1³A, where A=[ Naper_lp, Naper_lp+ s1-1] , while identifiers for the second class (id2) are generated using the formula id2=Naper_lp + s1+ rand (s2)

(2)

so id2³B, where B=[ Naper_lp + s1, Naper_lp+ s1+ s2 -1] . As it can be seen, A¬B=«. It is immediate to extend the above presented formulas if more than two service classes are present. As the probability is uniformly distributed over the generation range, thanks to randomized generation of objects’ priorities, messages belonging to the same service priority class have the same probability of being successfully transmitted in the case of conflict on the bus. RAP can therefore provide fairness, but it is more flexible than the algorithms in [16]. However, it has the same limits, as it is not possible to give only a preferential service (that is, a greater probability of success in the case of conflict, but no deterministic success) to objects belonging to higher priority classes. That is, in the event of collision messages having a higher service priority will always win over messages having a lower service priority. For this reason the RPO mechanism has been introduced.

8

6

L. Lo Bello and O. Mirabella

Randomized Priority with Overlapping

The scenario for the RPO protocol is the same as that described for RAP as regards the partitioning of the entire domain of base identifiers into three main parts. Again, RPO envisages that priority is assigned to a message dynamically, according to the service class (specified by the application), when it is generated. However, the RPO mechanism generates object priority using randomization over a variable-length range, being longer or shorter according to the requirements of the application. That is, if a node has to transmit a low priority aperiodic message M1 with a preferential service in order to comply with the ’urgency’ specified by the application, it will use the random function in such a way that it will return an identifier that is as low as possible in the range [Naperiodic_lp, Nmax]. Thus randomization in the generation of an identifier for M1 will be performed so that the value returned for M1 will be as close as possible to Naperiodic_lp, for example, in a range [Naperiodic_lp, Naperiodic_lp+d], d³N (d has to be small, as lower identifiers give higher priorities). If, on the other hand, a generating node has to transmit a message, M2, for which the application did not specify particular requirements, it will pick up the identifier for M2 using a random function such that it will return a value which may belong to a wider range [Naperiodic_lp, Naperiodic_lp+D], with D³N : D>d. The advantage of using randomization in this way is that there is a non-null probability that message M2 will have a priority higher than M1. Let us consider the same situation already described for RAP. We refer to an identifier space comprising Nmax - Naperiodic_lp different values, divided into two intervals of length s1 and s2 respectively, with s2 > s1, associated to the first and the second service class. In the RP0 algorithm identifiers for the first class (id1) are generated using the formula

id1=Naper_lp + rand (s1)

(3)

so id1³A, where A=[ Naper_lp, Naper_lp+ s1-1] , while identifiers for the second class (id2) are generated using the formula id2=Naper_lp + rand (s2)

(4)

so id2³B, where B=[ Naper_lp , Naper_lp+ s2 -1] . In this case, A¬Bž«, as A ± B. It is immediate to extend the above presented formulas if more than two service classes are present. Differently from RAP and the approaches in [16], RPO allows a "controlled" degree of unfairness between aperiodic objects in the range [Naperiodic_lp, Nmax]: this means that if different service classes are provided in that range, lowest priority class objects do have a chance of winning a contention and then of being transmitted, even in the presence of objects of other classes. We underline that RPO preserves highpriority exchanges (both aperiodic real-time and periodic) as they are reserved identifiers in other ranges (as said in Sect.5) which are not affected by randomization

Randomization-Based Approaches for Dynamic Priority Scheduling

9

and feature the lowest identifiers. RPO can control the fairness of the CAN protocol in managing transmission of all the aperiodic low-priority objects. In this way it is possible, by using different but partially overlapping ranges, to assign the various objects different transmission success probabilities. In low workload conditions randomization does not affect the throughput of any object, because if the bandwidth is sufficient all the objects will be transmitted. However, when the offered traffic approaches the saturation point, objects whose identifiers are generated in smaller ranges have a higher probability of being successfully transmitted, and thus of having a higher throughput, but they do not totally prevent the transmission of the other objects.

7

Remarks on the Identifier Ranges

As we stated earlier, 11 bits are devoted to generating random identifiers and they represent the first part of the arbitration field of the frame in Fig. 1b, i.e. the one used in our approach to solve conflicts caused by collisions. The other 18 bits, which make up the data item’s effective identifier, are used to solve the conflict only if it is not solved by the first 11 bits (i.e. when randomization returns the same value). If we generate two random numbers, “a” and “b” with a 0) { counter--; }; }; private boolean isElapsed() { return (counter announce(TEMP_MONITOR_TAG, TEMP_MONITOR_IFACE); TemperatureMonitor_ptr ft_monitor = conjoiner->announce(_B_TEMP_MONITOR_TAG, FAULT_MONITOR_IFACE); // Create a servant implementing a fault detector object. FaultMonitor_impl ft_detector; // Assign a local CORBA object name to ft_detector. PortableServer::ObjectId_ptr oid = PortableServer::string_to_ObjectId("Ft_detector1"); // Register the object name and ft_detector to a POA. poa->activate_object_with_id(oid, &ft_detector); // Bind the ft_detector object to the _B_TEMP_MONITOR_TAG. conjoiner->subscribe(_B_TEMP_MONITOR_TAG, &ft_detector); while(1) { // Each replica checks if it is a primary one. The conjoiner determines // the primary replica by returning TRUE to the ::switch() method. if (!conjoiner->switch(TEMP_MONITOR_TAG, TEMP_MONITOR_IFACE)) { // This is a main loop for non-primary replicas where the ft_detector // watches a time-out. This is terminated only if a fault is found. orb->run(); // The ft_detector detects a fault. It is now terminated and requests // a channel switching to the conjoiner via invoking ::switch() method. continue; } // Primary replica starts here. Publish periodically. while(1) { // Invoke a method of subscribers. monitor->update_temperature(’A’, value); // Publish data to let replicas know my aliveness. ft_monitor->I_am_alive(); if (conjoiner->is_switched()) break; } }

Fig. 10. Passively replicated publisher code.

131

132

G. Jeon et al.

in [12]. Such a replication policy significantly helped reduce the complexity of our fault tolerant CAN-CORBA design. Since the fault tolerant CAN-CORBA provides replications for publishers, subscribers, and a conjoiner, not only can programmers be free from the single point of failure caused by the centralized conjoiner, but also they can freely add fault tolerance to their designs through replicating CAN-CORBA objects. Finally, we showed a program example that made use of the proposed fault tolerance features. Although we are still implementing and evaluating the fault tolerant CANCORBA, we strongly believe that additional resource requirements of the fault tolerant CAN-CORBA fall in a reasonable boundary where most CAN based embedded systems could handle. The new CAN-CORBA design demonstrated that it was feasible to use a fault tolerant CORBA in developing distributed embedded systems on real-time networks with severe resource limitations.

7

Acknowledgements

Thanks to the referees and others who provided us with feedback about the paper. Special thanks to Seoul National University RTOS Lab. members who have participated in a series of heated discussions through a year long seminar on this topic. The work reported in this paper was supported in part by MOST under the National Research Laboratory grant and by Automatic Control Research Center. T.-H. Kim was supported in part by ’99 RIET (Research Institute for Engineering and Technology) grant and research fund for new faculty members from Hanyang University, Korea.

References 1. Bosch: CAN Specification, Version 2.0. (1991) 2. Cristian, F.: Reaching Agreement on Processor Group Membership in Synchronous Distributed Systems. Distributed Computing, Vol. 4. 1991) 175–187 3. Fetzer, C.: Fail-Aware Publish/Subscribe Communication in Erlang. Proceedings of the 4th International Erlang User Conference. (1998) 4. Object Management Group: Fault-Torerant CORBA Using Entity Redundancy Request For Proposal, OMG Document orbos/98-04-01 edition. (1999) 5. Object Management Group: Minimum CORBA - Joint Revised Submission , OMG Document orbos/98-08-04 edition. (1998) 6. Object Management Group: Fault-Torerant CORBA - Joint Revised Submission, OMG TC Document orbos/99-12-08 edition. (1999) 7. ISO-IS 11898: Road vehicles - Interchange of digital information - Controller Area Network (CAN) for high speed communication. (1993) 8. Kaiser, J., Mock, M.: Implementing the Real-Time Publisher/Subscriber Model on the Controller Area Network (CAN). IEEE International Symposium on Objectoriented Real-time distributed Computing. (1999) 9. Kim, K., Jeon, G., Hong, S., Kim, S., Kim, T.: Resource Conscious Customization of CORBA for CAN-based Distributed Embedded Systems. IEEE International Symposium on Object-Oriented Real-Time Computing. (2000)

A Fault Tolerance Extension to the Embedded CORBA

133

10. Kim, K., Jeon, G., Hong, S., Kim, T., Kim, S.: Integrating Subscription-based and Connection-oriented Communications into the Embedded CORBA for the CAN Bus. IEEE Real-time Technology and Application Symposium. (2000) 11. Oki, B., Pfluegl, M., Siegel, A., Skeen, D.: The Information Bus – An Architecture for Extensible Distributed Systems. ACM Symposium on Operating System Principles. (1993) 12. Rajkumar, R., Gagliardi, M.: High Availability in the Real-Time Publisher/Subscriber Inter-Process Communication Model. IEEE Real-Time Systems Symposium. (1996) 13. Rajkumar, R., Gagliardi, M., Sha, L.: The Real-Time Publisher/Subscriber InterProcess Communication Model for Distributed Real-Time Systems: Design and Implementation. IEEE Real-time Technology and Application Symposium. (1995)

A Real-Time Animator for Hybrid Systems Tobias Amnell1 , Alexandre David1 , and Wang Yi1 Department of Computer Systems Uppsala University {tobiasa,adavid,yi}@docs.uu.se

Abstract. In this paper, we present a real time animator for dynamical systems that can be modeled as hybrid automata i.e. standard finite automata extended with differential equations. We describe its semantic foundation and its implementation in Java and C using CVODE, a software package for solving ordinary differential equations. We show how the animator is interfaced with the Uppaal tool to demonstrate the real time behavior of dynamical systems under the control of discrete components described as timed automata.

1

Introduction

Uppaal is a software tool for modeling, simulation and verification of real time systems that can be described as timed automata. In recent years, it has been applied in a number of case studies [6,7,8,4,3], which demonstrates the potential application areas of the tool. It suits best the class of systems that contain only discrete components with real time clocks. However it can not handle more general hybrid systems, which has been a serious restriction on many industrial applications. The goal of this work is to extend the Uppaal tool with features for modeling and simulation of hybrid systems. A hybrid system is a dynamical system that may contain both discrete and continuous components whose behavior follows physical laws [5], e.g. process control and automotive systems. In this paper, we shall adopt hybrid automata as a basic model for such systems. A hybrid automaton is a finite automaton extended with differential equations assigned to control nodes, describing the physical laws. Timed automata [1] can be seen as special class of hybrid automata with the equation x˙ = 1 for all clocks x. We shall present an operational semantics for hybrid automata with dense time and its discrete version for a given time granularity. The discrete semantics of a hybrid system shall be considered as an approximation of the continuous behavior of the system, corresponding to sampling in control theory. We have developed a real time animator for hybrid systems based on the discrete semantics. It can be used to simulate the dynamical behavior of a hybrid system in a real time manner. The animator implements the discrete semantics for a given automaton and sampling period, using the differential equation solver CVODE. Currently the engine of the animator has been implemented in Java and C using CVODE. We are aiming at a graphical user interface for editing and J. Davidson and S.L. Min (Eds.): LCTES 2000, LNCS 1985, pp. 134–145, 2001. c Springer-Verlag Berlin Heidelberg 2001 

A Real-Time Animator for Hybrid Systems

135

showing moving graphical objects and plotting curves. The graphical objects act on the screen according to physical laws described as differential equations and synchronize with controllers described as timed automata in Uppaal. The rest of the paper is organized as follows: In the next section we describe the notion of hybrid automata, the syntax and operational semantics. Section 3 is devoted to implementation details of the animator. Section 4 concludes the paper.

2

Hybrid Systems

A hybrid automaton is a finite automaton extended with differential equations describing the dynamical behavior of the physical components. 2.1

Syntax

Let X be a set of real-valued variables X ranged over by x, y, z etc including a time variable t. We use x˙ to denote the derivative (rate) of x with respect to the time variable t. This variable represents the global time. Note that in general x˙ may be a function over X; but t˙ = 1. We use X˙ to stand for the set of differential equations in the form x˙ = f (X) where f is a function over X. Assume a set of predicates over the values of X; for example, 2x + 1 ≤ 10 is such a predicate. We use G ranged over by g, h etc to denote the set of boolean combinations of the predicates, called guards. To manipulate variables, we use concurrent assignments in the form: x1 := f1 (X) . . . xn := fn (X) that takes the current values of the variables X as parameters for fi and updates all xi ’s with fi (X)’s simultaneously. We use Γ to stand for the set of concurrent assignments. We shall study networks of hybrid automata in which component automata synchronize with each other via complementary actions. Let A be a set of action names. We use Act = { a? | α ∈ A } ∪ { a! | α ∈ A } ∪ { τ } to denote the set of actions that processes can perform to synchronize with each other, where τ is a distinct symbol representing internal actions. ˙ G, Act and Γ is a tuple L, E, I, T, l0 , X0  A hybrid automaton over X, X, where – L is a finite set of names standing for control nodes. ˙ – E is the equation assignment function: E : L → 2X . – I is the invariant assignment function: I : L → G which for each node l, assigns an invariant condition I(l). – T is the transition relation: T ⊆ L×(G ×Act×Γ )×L. We denote (l, g, α, γ, l ) by l → g, α, γl . For simplicity, we shall use l → g, γl to stand for l → g, τ, γl . – l0 ∈ L is the initial node. – X0 is the initial variable assignment.

136

T. Amnell, A. David, and W. Yi

To study networks of automata, we introduce a CCS-like parallel composition operator. Assume that A1 , ..., An are automata. We use A to denote their parallel composition. The intuitive meaning of A is similar to the CCS parallel composition of A1 , ..., An with all actions being restricted, that is, A = (A1 |...|An )\Act. Thus only synchronization between the components Ai is possible. We call A a network of automata. We simply view A as a vector and use Ai to denote its ith component. Example 1. In figure 1 we give a simple example hybrid automaton that describes a bouncing ball and a touch sensitive floor. The left automaton defines three variables, x, the horizontal distance from the starting point, the height y and the speed upwards u. These variables can be observed by the other automata. Initially the x-speed is 1, the ball is at 20 m height and the gravitational constant is 9.8. The variables will change according to their equations until the transition becomes enabled when y 30

.

φ=1.5 . θ=0.5

θ>60

φ>270

.

φ=0 . θ=1

.

φ=1.5 . θ=0 θ>45

φ>360

.

φ=2 . θ=1

θ270 & θ>=40

φ>270 & θ60

Fig. 3. Robot inner arm automaton

2.2

Semantics

To develop a formal semantics for hybrid automata we shall use variable assignments. A variable assignment is a mapping which maps variables X to the reals. For a variable assignment σ and a delay Δ (a positive real), σ + Δ denotes the variable assignment such that  xdt ˙ (σ + Δ)(x) = σ(x) + Δ

For a concurrent assignment γ, we use γ[σ] to denote the variable assignment σ  with σ  (x) = V al(e, σ) whenever (x := e) ∈ γ and σ  (x ) = σ(x ) otherwise, where V al(e, σ) denotes the value of e in σ. Given a guard g ∈ G and a variable assignment σ, g(σ) is a boolean value describing whether g is satisfied by σ or not. A node vector l of a network A is a vector of nodes where li is a location of Ai . We write l[li /li ] to denote the vector where the ith element li of l is replaced by li . A state of a network A is a configuration (l, σ) where l is a node vector of A and σ is a variable assignment.

A Real-Time Animator for Hybrid Systems

139

init: ξ=15 move2pickup2?

.

ξ=0

.

ξ=−1

ξ15

pickup? .

.

ξ=1

ξ>30

release! ξ