Open Safety-Critical Java

Presenting the first freely available prototype implementation of Safety-Critical Specification for Java

Transcript

  • 1. oSCJ Project: Developing Safety-Critical Applications in Java
    Ales Plsek, www.ovmj.net/oscj/
    oSCJ: Open Safety-Critical Java
    Saturday, April 24, 2010
  • 2. Safety-Critical Systems
    - A safety-critical system is one whose failure or malfunction may result in death or serious injury to people, or in loss of or severe damage to equipment.
    - Example: Ariane 5, 1996, a failure costing about $800 million.
    - Embedded software keeps growing in complexity (code size measured in MLOC), which raises the stakes for productivity, reusability, and the availability of trained personnel.
  • 3. Safety-Critical Software Development
    - Programming languages: C, C++, Ada; static allocation, schedulability analysis.
    - Certification standards: DO-178, levels A, B, C and D.
  • 4. Java in the Real-Time Domain
    - 2001: RTSJ
    - 2003: Golden Gate; Java 10-100 times slower than C
    - 2005: real-time GC technology
    - 2005-7: real-time Java technology boom (Sun, IBM Metronome, Aicas, Aonix, etc.)
    - 2010: Fiji VM, performance comparable with C (about 30% overhead)
    - 2010: SCJ (JSR-302) near completion
  • 5. Safety-Critical Specification for Java
    - SCJ is specified by JSR-302 and is a subset of the RTSJ: no heap, no GC, static allocation, annotations.
    - [Figure: expressiveness vs. latency, placing Java with real-time GC at >>1 ms, the RTSJ at about 1 ms, and SCJ at <<1 ms; SCJ adds memory safety.]
    - Designed to be amenable to certification (DO-178B, Level A): reduction of the system's complexity and of the cost of certification.
    - Compliance levels.
  • 6. oSCJ: Open Safety-Critical Java
    oSCJ contains:
    - SCJ Library: Level 0 (periodic event handlers), Level 1 (asynchronous event handlers), Level 2 (real-time threads); no heap.
    - oSCJ VM: an SCJ-compliant VM running on top of an OS or directly on bare hardware.
    - OS: RTEMS.
    - Hardware: Xilinx FPGA board with the LEON3 architecture.
    - Tools: Static Checker, Technology Compatibility Kit (TCK), miniCDj benchmark.
  • 7. SCJ Library
  • 8. Safety-Critical Specification for Java: Execution Model
    - Mission concept: setup; then, for the current mission, initialization, execution and cleanup; then the next mission; finally teardown.
    - Memory model: region-based memory model, no heap, no dynamic allocation.
    - Compliance levels 0-2:
      Level 0: single-threaded, PeriodicEventHandlers, a single Mission.
      Level 1: AperiodicEventHandlers, fixed-priority preemptive scheduler.
      Level 2: sub-missions, ManagedThreads.
  • 9. The Mission Concept
    - The application is organized as a series of Missions: setup, missions M1 ... Mi ... Mn, teardown. Setup and teardown run in ImmortalMemory.
    - Mission: an independent computation unit with respect to lifetime and resources. Each mission runs in its own MissionMemory and goes through initialization, execution and cleanup.
    - MissionSequencer: creates the MissionMemory, manages the Missions and determines their execution order (getNextMission()).
    - MissionManager: startAll(), waitAll() over a bounded number of Schedulable Objects SO1 ... SOn.
    - Schedulable Objects (SO): the application logic is executed by SOs, each running in its own PrivateMemory. SO parameters (scheduling, priority, storage) must be known prior to execution, e.g. the storage requirements.
  • 10. Memory Model
    - [Figure: scope tree with Immortal at the root, Mission below it, and per-handler private memories below that (PEH: P1, P2, P3, P4; AEH: P1, P2).]
    - Memory management strategy: no heap, no GC; memory safety; each SO's memory size is statically given; a static-analysis-friendly model.
    - Memory types: immortal memory (shared by all missions), mission memory (shared by all SOs in the mission), private memory (per SO).
    - Region-based memory model inspired by the RTSJ's scoped memory areas: the memory areas form an easily analyzable tree (the scope stack) with strictly nested scope lifetimes; executeInArea is supported, so an SO is allowed to switch its allocation context.
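The following is an added example, not code from the oSCJ slides or distribution, tying together the mission lifecycle of slide 9 and the scoped-memory rules of slide 10 in a minimal Level 1 application. It is written against the 2010-era JSR-302 draft API (javax.safetycritical.*) that oSCJ implemented; the exact constructor signatures of StorageParameters and PeriodicEventHandler, the non-generic Safelet shape, the name of the termination call, and the device-read and filter stubs are assumptions to check against the library you build with.

```java
// Added example (not code from the oSCJ slides or distribution): a minimal
// Level 1 SCJ application walking through the mission lifecycle and the
// scoped-memory rules. Targets the 2010-era JSR-302 draft API; constructor
// argument orders, the Safelet shape and the termination call are assumptions.
import javax.realtime.PeriodicParameters;
import javax.realtime.PriorityParameters;
import javax.realtime.RelativeTime;
import javax.safetycritical.ManagedMemory;
import javax.safetycritical.Mission;
import javax.safetycritical.MissionSequencer;
import javax.safetycritical.PeriodicEventHandler;
import javax.safetycritical.Safelet;
import javax.safetycritical.StorageParameters;

/** Mission-scoped state: allocated once in initialize(), reused by every release. */
final class Telemetry {
    int releases;
    int lastSample;
}

/** Runs in its own PrivateMemory, which is reset after every release. */
final class SampleHandler extends PeriodicEventHandler {
    private static final int RELEASES_BEFORE_TERMINATION = 100;
    private final Telemetry telemetry;   // lives in MissionMemory, outlives each release

    SampleHandler(Telemetry telemetry, PriorityParameters prio,
                  PeriodicParameters period, StorageParameters storage) {
        super(prio, period, storage);
        this.telemetry = telemetry;
    }

    @Override
    public void handleAsyncEvent() {
        // Allocation here lands in the handler's private memory and is discarded
        // when this method returns: per-release temporaries carry no cleanup cost.
        int[] scratch = new int[16];
        scratch[0] = readSensor();          // hypothetical device read

        // Storing a private-memory object into the longer-lived Telemetry object
        // would leave a dangling reference once the scope is reset; the SCJ rules
        // (and the oSCJ static checker) reject  telemetry.buffer = scratch;
        // so copy the value out instead.
        telemetry.lastSample = scratch[0];
        telemetry.releases++;

        // Work needing a still shorter-lived scratch area enters a nested private
        // memory; it is released as soon as the Runnable returns.
        ManagedMemory.enterPrivateMemory(512, new Runnable() {
            public void run() { filter(new int[32]); }
        });

        if (telemetry.releases >= RELEASES_BEFORE_TERMINATION) {
            Mission.getCurrentMission().requestTermination();  // execution -> cleanup
        }
    }

    private int readSensor() { return 42; }        // stand-in for raw-memory I/O
    private void filter(int[] window) { /* ... */ }
}

/** One mission; initialize() runs in MissionMemory during the initialization phase. */
final class SamplingMission extends Mission {
    @Override
    protected void initialize() {
        // Everything the handlers share is allocated here, once, with sizes
        // fixed before the execution phase starts.
        Telemetry telemetry = new Telemetry();
        new SampleHandler(telemetry,
                new PriorityParameters(10),
                new PeriodicParameters(new RelativeTime(0, 0),     // start offset
                                       new RelativeTime(10, 0)),   // 10 ms period
                new StorageParameters(32 * 1024, 4 * 1024, 4 * 1024)) // assumed arg order
            .register();
    }

    @Override
    public long missionMemorySize() { return 64 * 1024; }   // fixed up front, in bytes
}

/** Determines the execution order of missions; returning null ends the application. */
final class SingleMissionSequencer extends MissionSequencer {
    private boolean started;

    SingleMissionSequencer() {
        super(new PriorityParameters(11),
              new StorageParameters(64 * 1024, 4 * 1024, 4 * 1024));
    }

    @Override
    protected Mission getNextMission() {
        if (started) return null;
        started = true;
        return new SamplingMission();
    }
}

/** Application entry point; setUp() and tearDown() run in ImmortalMemory. */
public final class SamplingSafelet implements Safelet {
    public void setUp() { /* one-time device initialization */ }
    public MissionSequencer getSequencer() { return new SingleMissionSequencer(); }
    public void tearDown() { /* release hardware */ }
}
```

The point to take from the handler body is the direction of references: a mission-scoped object may be reached from a release, but nothing allocated during the release may be stored where it outlives the release. Sizing the StorageParameters and missionMemorySize() is the "storage requirements must be known prior to execution" constraint from slide 9 made concrete; an undersized budget fails at the first allocation that overflows it rather than silently later.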
  • 11. Compliance Levels
    - Compliance levels 0-2 refer to the expected cost and difficulty of certification and allow variously constrained SCJ applications to be developed; both an application and an implementation can conform to a level.
    - Level 0: only PeriodicEventHandlers, only one Mission, no aperiodicity; a simple cyclic-execution model, already used during the Apollo missions [1].
  • 12. Compliance Levels (continued)
    - Level 1: periodic and aperiodic event handlers; fixed-priority preemptive scheduler.
    - Level 2: nesting of missions is allowed.
  • 13. Library Status
    - Stable features: programming model, memory model, scheduling model, time and clock, annotations, raw memory access.
    - In development: exceptions, JNI support, external event / interrupt model (dependent on JSR-282), I/O.
  • 14. VM Interface
      interface VM_Interface {
          // Memory management
          public static native Opaque makeExplicitArea(long size);
          public static native Opaque makeArea(MemoryArea ma, long size);
          public static native Opaque setCurrentArea(Opaque scope);
          public static native Opaque getCurrentArea();
          ...
          // Time
          public static native Opaque getCurrentTime();
          public static native getClockResolution();
          ...
      }
    - The library is designed independently of the VM; a dedicated interface is used for communication with the VM.
    - Tasks delegated to the VM: memory management; thread-related methods (e.g. getMaxPriority); I/O (raw memory access methods); time.
  • 15. SCJ VM
  • 16. SCJ VM Design
    - Based on OVM, a metacircular virtual machine: Java code compiled down to C, similarly to J9, FijiVM, Squawk VM, etc.
    - Requires a bootstrap JVM to run upon in order to create a boot image; a small C loader is responsible for loading the boot image at runtime.
    - SCJ VM: optimizations towards Level 0; memory manager.
  • 17. Optimizations
    - Synchronization support: Level 0 is single-threaded, so no synchronization/monitor support is needed.
    - Java object model: blueprint, hash-code, monitor, GC info, data. SCJ object model: blueprint, data. Optimized-away fields: monitor, GC information, hash-code (the hash-code is the physical address of the object, since the object model is non-moving).
  • 18. Memory Manager
  • 19. Memory Manager
    - [Figure: the backing-store area laid out as a stack: top level Immortal (Im), mission level (M1), then one backing-store level per PEH (P1 P2 P3 P4) and per AEH (P1 P2).]
    - MemoryManager: stack-based allocation within a backing-store area.
    - Advantages: constant-time memory allocation; memory zeroing linear in the size of the scope being released.
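To make the two advantages on this slide concrete, here is an added plain-Java model of a stack-based backing store; it is not the oSCJ VM's memory manager and ignores the per-handler backing-store levels the slide's figure shows. Scopes are pushed and popped in strictly nested order, allocation bumps the current scope's pointer, and popping zeroes exactly the bytes that scope used, which is what lets the next scope start from clean memory without a collector.

```java
// Added example (not oSCJ VM code): a stack-based backing-store model.
// Allocation is a pointer bump (constant time); leaving a scope zeroes the
// region that scope used (linear in the scope's size) and reuses it.
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Deque;

public final class BackingStore {
    private final byte[] store;                                   // one contiguous backing store
    private final Deque<Integer> scopeBase = new ArrayDeque<>();  // start offset of each open scope
    private int top;                                              // first free byte

    public BackingStore(int size) { this.store = new byte[size]; }

    /** Enter a nested scope (Immortal -> Mission -> Private ...). */
    public void push() { scopeBase.push(top); }

    /** Constant-time allocation: bump the pointer, or fail when the budget is exhausted. */
    public int alloc(int bytes) {
        if (bytes < 0 || top + bytes > store.length) {
            throw new OutOfMemoryError("backing store exhausted at offset " + top);
        }
        int addr = top;
        top += bytes;
        return addr;
    }

    /** Leave the current scope: zero its region (linear in its size) and free it. */
    public void pop() {
        if (scopeBase.isEmpty()) throw new IllegalStateException("no open scope");
        int base = scopeBase.pop();
        Arrays.fill(store, base, top, (byte) 0);
        top = base;
    }

    public int used() { return top; }
    public int depth() { return scopeBase.size(); }
    public byte read(int addr) { return store[addr]; }
    public void write(int addr, byte v) { store[addr] = v; }

    public static void main(String[] args) {
        BackingStore bs = new BackingStore(1024);
        bs.push();                       // immortal memory
        int im = bs.alloc(64);
        bs.push();                       // mission memory
        int m1 = bs.alloc(256);
        bs.push();                       // private memory of one handler release
        int p1 = bs.alloc(32);
        bs.write(p1, (byte) 7);
        bs.pop();                        // release ends: the private region is zeroed
        int p2 = bs.alloc(32);           // the next release gets the same bytes back
        System.out.println("same address, zeroed: " + (p1 == p2 && bs.read(p2) == 0));
        bs.pop();                        // mission ends
        bs.pop();                        // immortal released at teardown
        System.out.println("all freed: " + (bs.used() == 0 && bs.depth() == 0));
    }
}
```

Because an address is never reused while the scope that owns it is open, an object's address is stable for its whole lifetime; that is the non-moving property slide 17 relies on when it uses the physical address as the hash-code.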
  • 20. Static Checker
  • 21. Static Checker
    - Static verification of certain SCJ properties of the code.
    - API visibility: @SCJAllowed, @SCJProtected, to prevent users from accessing internal elements.
    - Memory safety: @AllocFree, @ScopeDef, @Scope, @RunsIn.
  • 22. API Visibility
      // javax.realtime package
      @SCJAllowed(Level 2)
      class Realtime {
          @SCJAllowed(Level 2)
          public void foobar() { ... }

          @SCJProtected
          public void bar() { }
      }

      // javax.safetycritical package
      @SCJAllowed(Level 1)
      class Foo extends Realtime {
          @SCJAllowed(Level 1)
          public void foo() {
              ...
              bar();
          }
      }

      @SCJAllowed(Level 1)
      class ExFoo extends Foo {
          @SCJAllowed(Level 2)
          public void foo() {
              super.foo();
          }
      }

      // user-level code
      @SCJAllowed(Level 1)
      class User {
          public main() {
              Foo.foo();
              Realtime.foobar();
          }
      }
  • 23. Memory Safety
      @Scope("immortal")
      class Outer {
          @ScopeDef(name="a", parent="immortal")
          PrivateMemory a = new PrivateMemory(10000);

          void initialize() { run(); }

          @AllocFree
          boolean foo() { ... }

          @RunsIn("a")
          void run() {
              initialize();
              foo();
          }
      }
    - @AllocFree: the method performs no allocation.
    - @ScopeDef: defines a scope memory (here scope "a", nested in immortal).
    - @Scope: per object, indicates the allocation context, i.e. the default scope in which the type runs.
    - @RunsIn: on a method, overrides the class annotation with the scope the method runs in.
  • 24. Static Checker Implementation
    - Based on the Checker Framework (JSR 308, planned for inclusion in Java 7).
    - Verification is done through AST visitors.
    - Memory safety uses a double pass of the algorithm: 1. a scope tree is constructed; 2. the scope tree is used to verify the memory-safety rules.
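The following added example is a plain-Java model of the two-pass check described on slides 23 and 24; it is not oSCJ's checker, which obtains the same facts from the Java AST through the Checker Framework. Pass 1 builds the scope tree from @ScopeDef-style declarations; pass 2 walks a constructed list of facts about the program (field assignments, @RunsIn methods, allocations in @AllocFree methods) and reports each violation of the scoped-memory reference rule: an object may only refer to objects in its own scope or in an enclosing, longer-lived scope. The Fact type, its kind names, and the sample facts in main() are this example's own.

```java
// Added example (not oSCJ's static checker): a two-pass scope-tree model of
// the SCJ memory-safety rules. Pass 1 builds the tree; pass 2 checks facts.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public final class ScopeChecker {
    public static final String IMMORTAL = "immortal";   // root of every scope tree

    /** One fact to verify; kind is ASSIGN, RUNS_IN or ALLOC (this example's own encoding). */
    public static final class Fact {
        final String kind, where, from, to;
        Fact(String kind, String where, String from, String to) {
            this.kind = kind; this.where = where; this.from = from; this.to = to;
        }
        /** holder.field = value, with holder allocated in holderScope and value in valueScope. */
        static Fact assign(String where, String holderScope, String valueScope) {
            return new Fact("ASSIGN", where, holderScope, valueScope);
        }
        /** A @RunsIn(runScope) method declared in a @Scope(classScope) class. */
        static Fact runsIn(String where, String classScope, String runScope) {
            return new Fact("RUNS_IN", where, classScope, runScope);
        }
        /** A `new` expression inside a method; allocFree says whether that method is @AllocFree. */
        static Fact alloc(String where, boolean allocFree) {
            return new Fact("ALLOC", where, allocFree ? "alloc-free" : "alloc-ok", null);
        }
    }

    private final Map<String, String> parent = new HashMap<>();   // child scope -> parent scope

    /** Pass 1: register @ScopeDef(name, parent); a parent must be declared before its children. */
    public void defineScope(String name, String parentScope) {
        if (IMMORTAL.equals(name) || parent.containsKey(name))
            throw new IllegalArgumentException("scope already defined: " + name);
        if (!IMMORTAL.equals(parentScope) && !parent.containsKey(parentScope))
            throw new IllegalArgumentException("unknown parent scope: " + parentScope);
        parent.put(name, parentScope);
    }

    /** True if outer is inner itself or one of its ancestors, i.e. it lives at least as long. */
    public boolean outlives(String outer, String inner) {
        for (String s = inner; s != null; s = parent.get(s)) {
            if (s.equals(outer)) return true;
        }
        return false;
    }

    /** Pass 2: apply the rules to every fact using the tree; returns one message per violation. */
    public List<String> check(List<Fact> facts) {
        List<String> errors = new ArrayList<>();
        for (Fact f : facts) {
            switch (f.kind) {
                case "ASSIGN":   // the value must outlive the object that stores the reference
                    if (!outlives(f.to, f.from))
                        errors.add(f.where + ": reference to a " + f.to + " object stored in a "
                                   + f.from + " object would dangle when " + f.to + " is reset");
                    break;
                case "RUNS_IN":  // `this` (in classScope) must outlive the scope the method runs in
                    if (!outlives(f.from, f.to))
                        errors.add(f.where + ": @RunsIn(" + f.to + ") is not nested inside @Scope("
                                   + f.from + ")");
                    break;
                case "ALLOC":
                    if ("alloc-free".equals(f.from))
                        errors.add(f.where + ": allocation inside an @AllocFree method");
                    break;
                default:
                    throw new IllegalStateException("unknown fact kind " + f.kind);
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        ScopeChecker c = new ScopeChecker();
        c.defineScope("a", IMMORTAL);     // the PrivateMemory "a" from the slide's Outer class
        c.defineScope("b", IMMORTAL);     // a sibling scope, e.g. another handler's private memory
        List<Fact> facts = new ArrayList<>();
        facts.add(Fact.runsIn("Outer.run", IMMORTAL, "a"));   // legal: a is nested in immortal
        facts.add(Fact.assign("Outer.run", IMMORTAL, "a"));   // illegal: immortal field -> scope-a object
        facts.add(Fact.assign("Outer.run", "a", IMMORTAL));   // legal: scope-a object -> immortal object
        facts.add(Fact.assign("Other.run", "a", "b"));        // illegal: siblings do not outlive each other
        facts.add(Fact.alloc("Outer.foo", true));             // illegal: foo() is @AllocFree
        for (String e : c.check(facts)) System.out.println(e);
    }
}
```

The single ancestor walk in outlives() is why the scope tree is built first: every rule on slide 23 reduces to "does scope X outlive scope Y", and a tree built once answers that in time proportional to the nesting depth, with no need to re-examine the program text.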
  • 25. Evaluation
  • 26. Evaluation Platform
    - Hardware platform: Xilinx FPGA GR-XC3S-1500 development board, 8 Mb flash PROM, 64 MB SDRAM, no FPU.
    - Processor: the FPGA is flashed with a LEON3 running at 40 MHz; LEON3 is used by NASA and ESA (Venus Express mission, 2005; Dawn mission, 2007).
    - Real-time OS: RTEMS 4.9.
  • 27. Benchmark
    - Collision Detector benchmark (CDx): a periodic real-time task with highly configurable workloads (number of planes, number of iterations, number of collisions, period).
    - Various languages used: C, RTSJ, regular Java; miniCDj is the CDx implementation in SCJ.
    - Open source, available at www.ovmj.net/cdx/
  • 28. Results
    - Benchmark results for the LEON3 and x86 platforms are to be published soon.
  • 29. Conclusion
  • 30. Conclusion
    - oSCJ (Open Safety-Critical Java): the oSCJ distribution is available and open source (library, VM, tools and benchmark) at www.ovmj.net/oscj
    - Performance competitive with C, both on LEON3 and x86.
    - Future work: library implementation of full Level 0 functionality (exceptions, I/O, etc.), supported by both OVM and FijiVM; FijiVM optimizations.
  • 31. References
    [1] Apollo's Rocket Scientists, http://www.technologyreview.com/computing/23636/
    [2] oSCJ: www.ovmj.net/oscj/
    [3] Java for Safety-Critical Applications. Hunt, Locke, Nilsen, Schoeberl, Vitek. SAFECERT 2009.
    [4] oSCJ Project. Purdue CS Annual Report 2010.
    [5] A Technology Compatibility Kit for Safety Critical Java. Zhao, Tang, Vitek. JTRES 2009.
