
Open Safety-Critical Java


Presenting the first freely available prototype implementation of Safety-Critical Specification for Java


  1. oSCJ Project: Developing Safety-Critical Applications in Java. Ales Plsek. oSCJ: Open Safety-Critical Java. Saturday, April 24, 2010
  2. Safety-Critical Systems
     - A safety-critical system is a system whose failure or malfunction may result in death or serious injury to people, or loss of or severe damage to equipment.
     - Example: Ariane 5, 1996, $800 million.
     - Embedded software: growing complexity and code size (MLOC) against failures; concerns are productivity, reusability, and availability of trained personnel.
  3. Safety-Critical Software Development
     - Programming languages: C, C++, Ada; static allocation, schedulability analysis.
     - Certification standards: DO-178, levels A, B, C and D.
  4. Java in the Real-Time Domain
     - 2001: RTSJ.
     - 2003: Golden Gate; Java 10-100 times slower than C.
     - 2005: RT GC technology.
     - 2005-7: RT Java technology boom: Sun, IBM Metronome, Aicas, Aonix, etc.
     - 2010: Fiji VM, performance comparable with C (~30% overhead).
     - 2010: SCJ (JSR-302) near completion.
  5. Safety-Critical Specification for Java
     - SCJ is specified by JSR-302 and is a subset of the RTSJ.
     - Expressiveness versus latency (>>1ms, 1ms, <<1ms): Java with RT GC; RTSJ with memory safety; SCJ with no heap, no GC, static allocation and annotations.
     - Designed to be amenable to certification (DO-178B, Level A): reduction of the system's complexity and of the cost of certification.
     - Compliance levels.
  6. oSCJ: Open Safety-Critical Java
     - oSCJ contains a Library, layered by compliance level: Level 0 (periodic event handlers), Level 1 (asynchronous event handlers), Level 2 (RealtimeThreads); no heap.
     - An SCJ-compliant VM (oSCJ VM), running on top of an OS (RTEMS) or directly on bare hardware: a Xilinx FPGA board with the LEON3 architecture.
     - Tools: Static Checker, Technology Compatibility Kit (TCK), miniCDj benchmark.
  7. SCJ Library
  8. Safety-Critical Specification for Java
     - Execution model: the Mission concept; the current mission goes through setup, initialization, execution, cleanup and teardown, then the next mission follows.
     - Memory model: region-based memory model, no heap, no dynamic allocation.
     - Compliance levels 0-2: Level 0: single-threaded, periodic event handlers, a single Mission. Level 1: aperiodic event handlers, fixed-priority preemptive scheduler. Level 2: sub-missions, ManagedThreads.
  9. The Mission Concept
     - An application is organized as a series of Missions M1 ... Mi ... Mn; setup and teardown run in ImmortalMemory, around the missions.
     - Mission: an independent computation unit with respect to lifetime and resources; its phases are initialization, execution and cleanup.
     - MissionSequencer: creates the MissionMemory, manages Missions and determines their execution order through getNextMission(); the current Mission runs in MissionMemory.
     - MissionManager: startAll(), waitAll() over a bounded number of Schedulable Objects SO1 ... SOn.
     - Schedulable Objects (SO): the application logic is executed by SOs, each running in its own PrivateMemory; their parameters (scheduling, priority, storage), e.g. storage requirements, must be known prior to execution.
  10. Memory Model
     - Memory management strategy: no heap, no GC; memory safety; each SO's memory size is statically given; a static-analysis-friendly model.
     - Memory types: immortal memory, shared by all missions; mission memory, shared by all SOs in the mission; private memory, per SO.
     - Region-based memory model, inspired by the scoped memory areas of the RTSJ: the memory areas form an easily analyzable tree (the scope stack) with strictly nested lifetimes of scopes; execInArea is supported, so an SO is allowed to switch its allocation context.
     - (Diagram: Immortal, then Mission, then the private memories P1 ... P4 of the PEH and AEH.)
  11. Compliance Levels
     - Compliance levels 0-2 refer to the expected cost and difficulty of certification; they allow variously constrained SCJ applications to be developed; both an application and an implementation can conform to a level.
     - Level 0: only PeriodicEventHandlers, only one Mission, a simple cyclic-execution model (used already during the Apollo missions [1]), no aperiodicity.
  12. Compliance Levels
     - Level 1: periodic and aperiodic event handlers, fixed-priority preemptive scheduler.
     - Level 2: nesting of missions is allowed.
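The Level 0 model of slides 8 to 12 (one Mission, periodic event handlers only, cyclic execution), as an added example in plain Java; these classes are stand-ins named after the SCJ types on the slides, not the javax.safetycritical API or oSCJ's own code, and the periods are constructed values.

```java
import java.util.ArrayList;
import java.util.List;

// Stand-in for SCJ's Mission: initialize, execute, cleanUp (not the oSCJ class).
abstract class Mission {
    final List<PeriodicHandler> handlers = new ArrayList<>();
    abstract void initialize();                 // registers handlers; nothing is added later
    void cleanUp() {}
    void register(PeriodicHandler h) { handlers.add(h); }

    // Level 0 execution: a cyclic executive. The major frame is the LCM of the periods
    // and the minor frame their GCD; a handler is released at every multiple of its
    // period, in registration order, with no preemption and no other thread.
    void execute(int majorFrames) {
        long major = 1, minor = 0;
        for (PeriodicHandler h : handlers) {
            major = lcm(major, h.periodMs);
            minor = gcd(minor, h.periodMs);
        }
        for (int f = 0; f < majorFrames; f++)
            for (long t = 0; t < major; t += minor)
                for (PeriodicHandler h : handlers)
                    if (t % h.periodMs == 0) h.handleEvent(f * major + t);
    }
    static long gcd(long a, long b) { return b == 0 ? a : gcd(b, a % b); }
    static long lcm(long a, long b) { return a / gcd(a, b) * b; }
}
// Stand-in for PeriodicEventHandler: the period is fixed at construction time.
class PeriodicHandler {
    final long periodMs;
    final List<Long> releases = new ArrayList<>();   // release times observed
    PeriodicHandler(long periodMs) { this.periodMs = periodMs; }
    void handleEvent(long releaseMs) { releases.add(releaseMs); }
}
// Stand-in for the MissionSequencer: setUp, the mission's three phases, tearDown.
class Level0Sequencer {
    static List<String> run(Mission mission) {       // Level 0: exactly one mission
        List<String> trace = new ArrayList<>();
        trace.add("setUp");                          // Safelet setup, in immortal memory
        mission.initialize(); trace.add("initialize");
        mission.execute(1);   trace.add("execute");  // one major frame
        mission.cleanUp();    trace.add("cleanUp");
        trace.add("tearDown");
        return trace;
    }
    public static void main(String[] args) {
        PeriodicHandler fast = new PeriodicHandler(10), slow = new PeriodicHandler(15);
        Mission m = new Mission() { void initialize() { register(fast); register(slow); } };
        System.out.println(run(m) + " fast=" + fast.releases + " slow=" + slow.releases);
    }
}
```

With periods of 10 and 15 ms the major frame is 30 ms and the minor frame 5 ms, so the frame table is fully determined before execution, which is what makes the Level 0 schedule amenable to certification.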
  13. Library Status
     - Stable features: programming model; memory model; scheduling model; time and clock; annotations.
     - In development: exceptions; JNI support; external event / interrupt model; dependent on JSR-282; I/O, raw memory access.
  14. VM Interface

```java
// VM interface as sketched on the slide. Declared as a class here because Java
// interfaces cannot hold native methods. The return type of getClockResolution()
// is missing on the slide; long is assumed.
final class VM_Interface {
    // Memory management
    public static native Opaque makeExplicitArea(long size);
    public static native Opaque makeArea(MemoryArea ma, long size);
    public static native Opaque setCurrentArea(Opaque scope);
    public static native Opaque getCurrentArea();
    // ...
    // Time
    public static native Opaque getCurrentTime();
    public static native long getClockResolution();
    // ...
}
```

     - The library is designed independently of the VM; a dedicated interface is used for communication with the VM.
     - Tasks delegated to the VM: memory management; thread-related methods (e.g. getMaxPriority); I/O, raw memory access methods; time.
  15. SCJ VM
  16. SCJ VM Design
     - OVM: a metacircular virtual machine written in Java, similar to J9, FijiVM, Squawk VM, etc.; it requires a bootstrap JVM to run upon in order to create a boot image; a small C loader is responsible for loading the boot image at runtime; the Java code is compiled down to C.
     - SCJ VM: optimizations towards Level 0; Memory Manager.
  17. Optimizations
     - Synchronization support: Level 0 is single-threaded, so no synchronization/monitor support is needed.
     - Java object model: blueprint, hash code, monitor, GC info, data. Fields optimized away: monitor, GC information, hash code.
     - SCJ object model: blueprint and data only; the hash code is the physical address of the object (non-moving object model).
  18. Memory Manager
  19. Memory Manager
     - MemoryManager: stack-based allocation over a backing-store area; backing-store levels: top level, BS level (PEH), BS level (AEH); scope levels: Im, M1, P1, P2, P3, P4 (diagram: Immortal, Mission, then the private scopes P1 ... P4 of the PEH and AEH).
     - Advantages: memory allocation in constant time (rather than linear time); memory zeroing in linear time.
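The stack-based backing store of slide 19, as an added example in plain Java that is not oSCJ's MemoryManager: nested scopes are contiguous slices of one byte array, allocation bumps a per-scope pointer in constant time, and leaving a scope zeroes its slice in time linear in the scope size; the sizes used are constructed.

```java
import java.util.Arrays;

// One backing store with stack-based scope allocation: each entered scope is a
// contiguous slice on top of the previous one, allocation bumps a pointer, and
// exit zeroes the slice. Not oSCJ's MemoryManager; sizes below are constructed.
class BackingStore {
    private final byte[] store;
    private int top = 0;                             // first free byte of the store
    private final int[] base = new int[16];          // per open scope: start offset
    private final int[] limit = new int[16];         // per open scope: end offset
    private final int[] bump = new int[16];          // per open scope: next free byte
    private int depth = 0;
    BackingStore(int size) { store = new byte[size]; }

    // Enter a nested scope of `size` bytes: O(1), only bookkeeping on the stack.
    void enter(int size) {
        if (top + size > store.length) throw new OutOfMemoryError("backing store exhausted");
        base[depth] = top; bump[depth] = top; limit[depth] = top + size;
        top += size; depth++;
    }

    // Allocate n bytes in the innermost scope: constant time, no free list, no GC.
    int allocate(int n) {
        int d = depth - 1;
        if (bump[d] + n > limit[d]) throw new OutOfMemoryError("scope full");
        int addr = bump[d];
        bump[d] += n;
        return addr;
    }

    // Leave the innermost scope: zero its slice (linear in the scope size, never in
    // the number of objects) and pop, so the slice is reused by the next scope.
    void exit() {
        depth--;
        Arrays.fill(store, base[depth], limit[depth], (byte) 0);
        top = base[depth];
    }
    int used() { return top; }

    public static void main(String[] args) {
        BackingStore bs = new BackingStore(4096);
        bs.enter(1024);                 // immortal memory
        bs.enter(1024);                 // mission memory
        bs.enter(256);                  // private memory of a handler release
        int first = bs.allocate(32);
        bs.exit();                      // release ends: private slice zeroed and popped
        bs.enter(256);                  // next release reuses the same slice
        System.out.println(first == bs.allocate(32) ? "same address reused" : "moved");
    }
}
```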
  20. Static Checker
  21. Static Checker
     - Static verification of certain SCJ properties of the code.
     - API visibility: @SCJAllowed, @SCJProtected, to prevent users from accessing internal elements.
     - Memory safety: @AllocFree, @ScopeDef, @Scope, @RunsIn.
  22. API Visibility

```java
// Reconstructed from the slide's three columns (javax.realtime package,
// javax.safetycritical package, user-level code); method bodies are elided as
// on the slide, and "Level 1"/"Level 2" is the slide's shorthand for the level.

// javax.realtime package
@SCJAllowed(Level 2)
class Realtime {
    @SCJAllowed(Level 1)
    public void foobar() { /* ... */ }

    @SCJAllowed(Level 2)
    public void foo() { /* ... */ }

    @SCJProtected                  // internal element: not accessible from user-level code
    public void bar() { /* ... */ }
}

// javax.safetycritical package
@SCJAllowed(Level 1)
class Foo extends Realtime {
    @SCJAllowed(Level 1)
    public void foo() { bar(); }   // library code may call the @SCJProtected method
}

@SCJAllowed(Level 1)
class ExFoo extends Foo { /* ... */ }

// user-level code
class User {
    public static void main(String[] args) {
        new Realtime().foobar();   // allowed: foobar is @SCJAllowed(Level 1)
    }
}
```
  23. Memory Safety

```java
@Scope("immortal")                 // @Scope: per object, indicates the allocation context
class Outer {
    @ScopeDef(name = "a", parent = "immortal")   // @ScopeDef: defines scope memory a under immortal
    PrivateMemory a = new PrivateMemory(10000);  // size is written as a string on the slide

    void initialize() {
        run();                     // enters scope a and runs the application logic there
    }

    @AllocFree                     // @AllocFree: the method performs no allocation
    boolean foo() { /* ... */ return true; }

    @RunsIn("a")                   // @RunsIn: overrides the class annotation; run() executes in scope a
    void run() {
        foo();
    }
}
```

     - @AllocFree: no allocation.
     - @ScopeDef: defines a scope memory.
     - @Scope: per object, indicates the allocation context.
     - @RunsIn: overrides the class annotation, the default scope in which the type runs.
  24. Static Checker Implementation
     - Based on the Checker Framework (JSR 308), which will be part of Java 7; verification is done through AST visitors.
     - Memory safety: a double pass of the algorithm: 1. a scope tree is constructed; 2. the scope tree is used to verify the memory-safety rules.
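The two-pass algorithm of slide 24 applied to the annotations of slide 23, as an added example in plain Java that is not the oSCJ checker: pass 1 builds the scope tree from @ScopeDef declarations, pass 2 checks every @RunsIn against the @Scope of the enclosing class. The memory-safety rule enforced here is a deliberately simplified one assumed for the example, and the declarations (class Inner, scope b, method leak) beyond those on slide 23 are constructed.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Two-pass scope checker: pass 1 builds the scope tree, pass 2 checks methods.
class ScopeChecker {
    static final String ROOT = "immortal";
    final Map<String, String> parentOf = new HashMap<>();  // scope -> parent (null for root)
    final List<String> errors = new ArrayList<>();

    // Pass 1: @ScopeDef(name, parent) declarations become a tree rooted at immortal.
    void buildTree(String[][] scopeDefs) {                 // each entry: {name, parent}
        parentOf.put(ROOT, null);
        for (String[] d : scopeDefs) {
            if (parentOf.containsKey(d[0])) errors.add("scope " + d[0] + " defined twice");
            parentOf.put(d[0], d[1]);
        }
        for (String[] d : scopeDefs)
            if (!parentOf.containsKey(d[1])) errors.add("scope " + d[0] + ": unknown parent " + d[1]);
    }
    // True when inner is outer itself or is nested, transitively, inside it.
    boolean nestedIn(String inner, String outer) {
        for (String s = inner; s != null; s = parentOf.get(s)) if (s.equals(outer)) return true;
        return false;
    }
    // Pass 2, with a simplified rule (an assumption of this example): a method
    // @RunsIn(s) on a class whose instances live in scope c may only run in c or in
    // a scope nested inside c. References may point from an inner scope to an outer
    // one but never outward, so `this` must stay reachable from the running scope.
    void checkMethods(Map<String, String> classScope, String[][] methods) {
        for (String[] m : methods) {                          // {class, method, runsIn}
            String c = classScope.getOrDefault(m[0], ROOT);   // unannotated class: immortal
            if (!parentOf.containsKey(m[2])) errors.add(m[0] + "." + m[1] + ": unknown scope " + m[2]);
            else if (!nestedIn(m[2], c))
                errors.add(m[0] + "." + m[1] + ": runs in " + m[2] + " but this lives in " + c);
        }
    }
    public static void main(String[] args) {                  // constructed input
        ScopeChecker ck = new ScopeChecker();
        ck.buildTree(new String[][] { { "a", "immortal" }, { "b", "a" } });
        Map<String, String> cls = new HashMap<>();
        cls.put("Outer", "immortal");   // @Scope("immortal") class Outer, as on slide 23
        cls.put("Inner", "a");          // constructed: a class allocated inside scope a
        ck.checkMethods(cls, new String[][] { { "Outer", "run", "a" },          // accepted
                                              { "Inner", "leak", "immortal" } }); // rejected
        System.out.println(ck.errors);
    }
}
```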
  25. Evaluation
  26. Evaluation Platform
     - Hardware platform: Xilinx FPGA GR-XC3S-1500 development board; 8 Mb flash PROM, 64 MB SDRAM; no FPU.
     - LEON3 processor: the FPGA is flashed with LEON3, running at 40 MHz; used by NASA and ESA (Venus Express mission 2005, Dawn mission 2007).
     - Real-time OS: RTEMS 4.9.
  27. Benchmark
     - Collision Detector Benchmark (CDx): a periodic real-time task with highly configurable workloads: number of planes, number of iterations, number of collisions, period.
     - Various languages used: C, RTSJ, regular Java.
     - miniCDj: the CDx implementation in SCJ; open-source, available at
  28. Results
     - Benchmark results for the LEON3 and x86 platforms are to be published soon.
  29. Conclusion
  30. Conclusion
     - oSCJ, Open Safety-Critical Java: the oSCJ distribution is available and open-source: Library, VM, tools and benchmark; performance competitive with C both on LEON3 and x86.
     - Future work: Library implementation with full Level 0 functionality (exceptions, I/O, etc.), supported both by OVM and FijiVM; FijiVM optimizations.
  31. References
     [1] Apollo's Rocket Scientists.
     [2] oSCJ.
     [3] Java for Safety-Critical Applications. Hunt, Locke, Nilsen, Schoeberl, Vitek. SAFECERT 2009.
     [4] oSCJ Project. Purdue CS Annual Report 2010.
     [5] A Technology Compatibility Kit for Safety Critical Java. Zhao, Tang, Vitek. JTRES 2009.