Open Safety-Critical Java

oSCJ Project: Developing Safety-Critical Applications in Java Ales Plsek www.omvj.net/oscj/ oSCJ Open Safety-Critical Java Saturday, April 24, 2010

Safety-Critical Systems Safety-Critical Systems is a system whose failure or malfunction may result in: death or serious injury to people, or loss or severe damage to equipment. Ariane 5, 1996 $800 million embedded software growing complexity failure MLOC - code size productivity, reusability, and availability of trained personnel Saturday, April 24, 2010

Safety-Critical Software Development Programming Languages C, C++, Ada static allocation, schedulability analysis Certiﬁcation standards DO-178 A, B, C and D Saturday, April 24, 2010

Java in Real-Time Domain 2001 - RTSJ 2003 - Golden Gate Java 10-100 times slower than C 2005 - RT GC technology 2005-7 - RT Java Technology boom SUN, IBM Metronome, Aicas, Aonix, etc. 2010 - Fiji VM comparable performance with C, ~30% overhead 2010 - SCJ (JSR-302) near completion Saturday, April 24, 2010

Safety-Critical Specification for Java Expressivness SCJ specified by JSR-302 Java RT GC subset of RTSJ RTSJ memory safety SCJ no heap, no GC <<1ms 1ms >>1ms annotations Latency static allocation Designed to be amenable for certification - DO-178B, Level A reduction of system’s complexity and cost of certification Compliance Levels Saturday, April 24, 2010

oSCJ oSCJ Open Safety-Critical Java oSCJ contains L3 - No Heap oSCJ Level 2 RealtimeThreads Level 1 L2 - Asynchronous Event Library Handlers Level 0 L0 - Periodic Event Handlers oSCJ VM - running on top of oSCJ VM OS or directly on bare hardware SCJ-compliant VM RTEMS RTEMS OS Xilinx FPGA board with Tools HARDWARE LEON 3 architecture Static Checker Technology Compatibility Kit (TCK) miniCDj benchmark Saturday, April 24, 2010

SCJ Library Saturday, April 24, 2010

Safety-Critical Speciﬁcation for Java Execution Model current mission Mission Concept setup initialization execution cleanup teardown next mission Memory Model region based memory model, no heap no dynamic allocation Compliance Levels 0-2 Level 0 - single-threaded, Periodic Event Handlers, single Mission Level 1 - AperiodicEvent handlers, Fixed-Priority Preemptive Scheduler Level 2 - sub-missions, ManagedThreads Saturday, April 24, 2010

The Mission Concept application organized as a series of Missions ImmortalMemory setup missions teardown Mission - independent computation unit with respect to lifetime and resources MissionSequencer - getNextMission() M1 ... Mi ... Mn current MissionSequencer - creates MissionMemory MissionMemory - runs in manages Missions and determines their initialization execution cleanup execution order MissionManager - startAll() - waitAll() bounded number of Schedulable objects SO1 ... ... SOn - runs in PrivateMemory PrivateMemory Schedulable Objects (SO) application logic executed by SO parameters - scheduling, priority, storage e.g. storage requirements must be know prior to execution Saturday, April 24, 2010

Memory Model PEH AEH P3 Memory Management Strategy P2 P4 P2 no heap, no GC P1 P1 memory safety Mission each SO memory size statically given Immortal static analysis friendly model Memory Types Region-Based Memory model immortal memory inspired by scoped memory areas (RTSJ) shared by all missions memory areas forming an easily-analyzable mission memory tree - scope stack shared by all SOs in mission strictly nested lifetime of scopes private memory execInArea supported SO is allowed to switch its allocation context SO private Saturday, April 24, 2010

Compliance Levels Compliance Levels 0-2 refer to expected cost and difﬁculty of certiﬁcation allow to develop variously constrained SCJ applications both application and implementation can conform Level 0 only PeriodicEventHandlers only 1 Mission simple cyclic-execution model used already during Apollo missions [1] no aperiodicity Saturday, April 24, 2010

Compliance Levels Level 1 Periodic and Aperiodic Event Handlers Fixed-priority preemptive scheduler Level 2 nesting of missions is allowed Saturday, April 24, 2010

Library Status Stable features In development programming model exceptions memory model JNI support scheduling model external event / interrupt model time and clock dependent on JSR-282 annotations I/0 raw memory access Saturday, April 24, 2010

VM Interface interface VM_Interface { public static native Opaque makeExplicitArea ( long size); public static native Opaque makeArea (MemoryArea ma, long size); public static native Opaque setCurrentArea(Opaque scope); public static native Opaque getCurrentArea( ); ... Memory Management public static native Opaque getCurrentTime{}; public static native getClockResolution(); Time ... VM Interface } Library designed independently on the VM dedicated interface for communication with the VM Delegated tasks to the VM memory management thread-related methods (e.g. getMaxPriority) I/O - raw memory access methods time Saturday, April 24, 2010

SCJ VM Saturday, April 24, 2010

SCJ VM Design SquawkVM Java code OVM a metacircular Virtual Machine C code similarly as J9, FijiVM, Squawk VM, etc. requires a bootstrap JVM to run upon to create a boot image. a small C loader is responsible for loading the boot image at runtime. Java code compiled down to C SCJ VM optimizations towards Level 0 Memory Manager Saturday, April 24, 2010

Optimizations Synchronization Support Level 0 - single threaded no synchronization/Monitor support needed Java Object Model BluePrint Hash-Code Object Model Monitor GC info optimized ﬁelds DATA monitor, GC information hash-code SCJ Object Model BluePrint physical address of the object - non- moving object model DATA Saturday, April 24, 2010

Memory Manager Saturday, April 24, 2010

Memory Manager PEH AEH P3 backing-store area P2 P4 P2 P1 P1 Mission Immortal MemoryManager stack based allocation top level BS level (PEH ) BS level (AEH) Advantages Im M1 P1 P2 P3 P4 P1 P2 linear time memory allocation constant-time allocation scope level linear-time memory zeroing Saturday, April 24, 2010

Static Checker Saturday, April 24, 2010

Static Checker Static veriﬁcation of certain SCJ properties of the code API visibility @SCJAllowed, @SCJProtected to prevent users to access internal elements Memory Safety @AllocFree, @ScopeDef, @Scope, @RunsIn Saturday, April 24, 2010

API Visibility javax.realtime package @SCJAllowed(Level 2) javax.safetycritical package class Realtime { @SCJAllowed(Level 1) @SCJAllowed(Level 2) class Foo extends Realtime { public void foobar() { @SCJAllowed(Level 1) ... class ExFoo extends Foo { @SCJAllowed(Level 1) } } public void foo() { @SCJAllowed(Level 2) ... public void foo() { } super.foo(); } bar(); } @SCJProtected @SCJAllowed(Level 1) public void bar () { class User { } public main() { } Foo.foo(); Realtime.foobar(); } } user-level code Saturday, April 24, 2010

Memory Safety @Scope(“immortal”) class Outer { Scope A @ScopeDef(name=”a”, parent=”immortal”) PrivateMemory a = new PrivateMemory(“10000”); void initialize() { run( ); } @AllocFree boolean foo ( ) {...} Scope A @RunsIn(“a”) void run () { Memory Safety initialize(); foo(); @AllocFree - no allocation } } @ScopeDef - deﬁnes a scope memory @Scope - per object, indicates allocation context @RunsIn - overrides the class annotation, the default scope in which the type runs Saturday, April 24, 2010

Static Checker Implementation based on Checker Framework (JSR 308) that will be part of Java 7 veriﬁcation is done through AST visitors Memory Safety double pass of the algorithm 1. a scope-tree is constructed 2. scope-tree used to verify the memory-safety rules Saturday, April 24, 2010

Evaluation Saturday, April 24, 2010

Evaluation Platform Hardware Platform Xilinx FPGA GR-XC3S-1500 development board 8Mb ﬂash PROM, 64MB SDRAM no FPU LEON3 Processor ﬂashed with LEON3, running at 40MHz used by NASA and ESA (Venus Express Mission 2005, Dawn Misssion 2007) Real-time OS RTEMS 4.9 Saturday, April 24, 2010

Benchmark Collision Detector Benchmark - CDx periodic real-time task highly conﬁgurable workloads - # of planes, # of iterations, # of collisions, period Various languages used C, RTSJ, regular Java miniCDj - CDx implementation in SCJ Open-source, available at www.ovmj.net/cdx/ Saturday, April 24, 2010

Results Benchmark results for LEON3 and x86 platforms to be published soon.... Saturday, April 24, 2010

Conclusion Saturday, April 24, 2010

Conclusion oSCJ Open Safety-Critical Java oSCJ Distribution available and open-source Library, VM, tools and benchmark www.omvj.net/oscj Performance compatitive with C both on LEON3 and x86 Future Work Library implementation full Level 0 functionality (Exceptions, I/O, etc.) supported both by OVM and FijiVM FijiVM optimizations Saturday, April 24, 2010

References [1] Apollo's Rocket Scientists, http://www.technologyreview.com/computing/23636/ [2] oSCJ : www.ovmj.net/oscj/ [3] Java for Safety-Critical Applications, Hunt, Locke, Nilsen, Schoeberl,Vitek, SAFECERT 2009. [4] oSCJ Project, Purdue CS Annual Report 2010. [5] A Technology Compatibility Kit for Safety Critical Java. Zhao,Tang,Vitek. JTRES 2009. Saturday, April 24, 2010

http://www.cs.purdue.edu	273
http://rtjava.blogspot.com	119
http://www.czechschoolofcalifornia.com	33
http://rtjava.blogspot.fr	5
http://www.slideshare.net	3
http://rtjava.blogspot.com.br	2
http://feeds.feedburner.com	2
http://rtjava.blogspot.co.uk	1
http://rtjava.blogspot.se	1
http://rtjava.blogspot.de	1
http://rtjava.blogspot.in	1
http://czechschoolofcalifornia.com	1

Open Safety-Critical Java

by Ales Plsek on Apr 24, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

12 Embeds 442

Statistics

Open Safety-Critical Java — Presentation Transcript