open safety-critical java
DESCRIPTION
Presenting the first freely available prototype implementation of Safety-Critical Specification for JavaTRANSCRIPT
oSCJ Project:Developing Safety-Critical Applications in
Java
Ales Plsek
www.omvj.net/oscj/
oSCJOpen Safety-Critical Java
Saturday, April 24, 2010
Safety-Critical Systems
Safety-Critical Systems
is a system whose failure or malfunction may result in: death or serious injury to people, or loss or severe damage to equipment.
growing complexity
MLOC - code size
productivity, reusability, and availability of trained personnel
Ariane 5, 1996 $800 million embedded software failure
Saturday, April 24, 2010
Safety-Critical Software Development
Programming Languages
C, C++, Ada
static allocation, schedulability analysis
Certification standards
DO-178 A, B, C and D
Saturday, April 24, 2010
Java in Real-Time Domain
2001 - RTSJ
2003 - Golden Gate
Java 10-100 times slower than C
2005 - RT GC technology
2005-7 - RT Java Technology boom
SUN, IBM Metronome, Aicas, Aonix, etc.
2010 - Fiji VM
comparable performance with C, ~30% overhead
2010 - SCJ (JSR-302) near completion
Saturday, April 24, 2010
Safety-Critical Specification for Java
Latency
Expressivness
RT GC
RTSJ
Java
SCJ
1ms >>1ms<<1ms
SCJ specified by JSR-302
subset of RTSJ
memory safety
no heap, no GC
annotations
static allocation
Designed to be amenable for certification - DO-178B, Level A
reduction of system’s complexity and cost of certification
Compliance Levels
Saturday, April 24, 2010
oSCJoSCJ contains
Library
SCJ-compliant VM
Tools
Static Checker
Technology Compatibility Kit (TCK)
miniCDj benchmark
HARDWARE
RTEMS
oSCJ VM
oSCJ
oSCJ VM - running on top of OS or directly on bare hardware
Level 0
Level 1
Level 2L3 - No Heap RealtimeThreads
L2 - Asynchronous Event Handlers
L0 - Periodic Event Handlers
RTEMS OS
Xilinx FPGA board with LEON 3 architecture
oSCJOpen Safety-Critical Java
Saturday, April 24, 2010
SCJ Library
Saturday, April 24, 2010
Safety-Critical Specification for Java
Execution Model
Mission Concept
Memory Model
region based memory model, no heap
no dynamic allocation
Compliance Levels 0-2
Level 0 - single-threaded, Periodic Event Handlers, single Mission
Level 1 - AperiodicEvent handlers, Fixed-Priority Preemptive Scheduler
Level 2 - sub-missions, ManagedThreads
setup teardowninitialization execution cleanup
next mission
current mission
Saturday, April 24, 2010
The Mission Conceptapplication organized as a series of Missions
Mission - independent computation unit with respect to lifetime and resources
MissionSequencer
manages Missions and determines their execution order
bounded number of Schedulable objects
Schedulable Objects (SO)
application logic executed by SO
parameters - scheduling, priority, storage
e.g. storage requirements must be know prior to execution
MissionSequencer
M1 Mi Mn
ImmortalMemory
......
MissionManager
SO1 SOn... ...
MissionMemory
PrivateMemory
- getNextMission()
- creates MissionMemory
- runs in
PrivateMemory
- runs in
- startAll()
- waitAll()
current
setup missions teardown
initialization execution cleanup
Saturday, April 24, 2010
Memory ModelMemory Management Strategy
no heap, no GC
memory safety
each SO memory size statically given
static analysis friendly model
Region-Based Memory model
inspired by scoped memory areas (RTSJ)
memory areas forming an easily-analyzable tree - scope stack
strictly nested lifetime of scopes
execInArea supported
SO is allowed to switch its allocation context
Immortal
Mission
P1
P2
P3
P4
P1
P2
PEH AEH
Memory Types
immortal memory
shared by all missions
mission memory
shared by all SOs in mission
private memory
SO private
Saturday, April 24, 2010
Compliance LevelsCompliance Levels 0-2
refer to expected cost and difficulty of certification
allow to develop variously constrained SCJ applications
both application and implementation can conform
Level 0
only PeriodicEventHandlers
only 1 Mission
simple cyclic-execution model
used already during Apollo missions [1]
no aperiodicity
Saturday, April 24, 2010
Compliance LevelsLevel 1
Periodic and Aperiodic Event Handlers
Fixed-priority preemptive scheduler
Level 2
nesting of missions is allowed
Saturday, April 24, 2010
Library Status
Stable features
programming model
memory model
scheduling model
time and clock
annotations
I/0
raw memory access
In development
exceptions
JNI support
external event / interrupt model
dependent on JSR-282
Saturday, April 24, 2010
VM Interface
VM Interface
Library designed independently on the VM
dedicated interface for communication with the VM
Delegated tasks to the VM
memory management
thread-related methods (e.g. getMaxPriority)
I/O - raw memory access methods
time
interface VM_Interface {
public static native Opaque makeExplicitArea ( long size);public static native Opaque makeArea (MemoryArea ma, long size);public static native Opaque setCurrentArea(Opaque scope);public static native Opaque getCurrentArea( );...
public static native Opaque getCurrentTime{};public static native getClockResolution();
...}
Memory Management
Time
Saturday, April 24, 2010
SCJ VM
Saturday, April 24, 2010
SCJ VM Design
OVM
a metacircular Virtual Machine
similarly as J9, FijiVM, Squawk VM, etc.
requires a bootstrap JVM to run upon to create a boot image.
a small C loader is responsible for loading the boot image at runtime.
Java code compiled down to C
SCJ VM
optimizations towards Level 0
Memory Manager
Java code
C code
SquawkVM
Saturday, April 24, 2010
Optimizations
Synchronization Support
Level 0 - single threaded
no synchronization/Monitor support needed
Object Model
optimized fields
monitor, GC information
hash-code
physical address of the object - non-moving object model
BluePrint
Hash-Code
Monitor
GC info
DATA
Java Object Model
BluePrint
DATA
SCJ Object Model
Saturday, April 24, 2010
Memory Manager
Saturday, April 24, 2010
Memory Manager
backing-store area
MemoryManager
stack based allocation
Advantages
linear time memory allocation
constant-time allocation
linear-time memory zeroing
Immortal
Mission
P1
P2
P3
P4
P1
P2
PEH AEH
Im M1 P1 P2 P3 P1
BS level (PEH ) BS level (AEH)
P4 P2
top level
scope level
Saturday, April 24, 2010
Static Checker
Saturday, April 24, 2010
Static Checker
Static verification of certain SCJ properties of the code
API visibility
@SCJAllowed, @SCJProtected
to prevent users to access internal elements
Memory Safety
@AllocFree, @ScopeDef, @Scope, @RunsIn
Saturday, April 24, 2010
@SCJAllowed(Level 1)class Foo extends Realtime {
@SCJAllowed(Level 1)public void foo() {...}
}
@SCJAllowed(Level 1)class ExFoo extends Foo {
@SCJAllowed(Level 2)public void foo() {
super.foo(); bar();
}
@SCJProtectedpublic void bar () {}
}
API Visibility
@SCJAllowed(Level 1)class User { public main() {
Foo.foo();Realtime.foobar();
}}
@SCJAllowed(Level 2)class Realtime {
@SCJAllowed(Level 2)public void foobar() {...}
}
javax.realtime package
user-level code
javax.safetycritical package
Saturday, April 24, 2010
@Scope(“immortal”)class Outer {
@ScopeDef(name=”a”, parent=”immortal”)PrivateMemory a = new PrivateMemory(“10000”);
void initialize() {
run( );}
@AllocFreeboolean foo ( ) {...}
@RunsIn(“a”)void run () {
initialize();foo();
}}
Memory SafetyScope
A
Scope A
Memory Safety
@AllocFree - no allocation
@ScopeDef - defines a scope memory
@Scope - per object, indicates allocation context
@RunsIn - overrides the class annotation, the default scope in which the type runs
Saturday, April 24, 2010
Static Checker Implementation
based on Checker Framework (JSR 308) that will be part of Java 7
verification is done through AST visitors
Memory Safety
double pass of the algorithm
1. a scope-tree is constructed
2. scope-tree used to verify the memory-safety rules
Saturday, April 24, 2010
Evaluation
Saturday, April 24, 2010
Evaluation Platform
Hardware Platform
Xilinx FPGA GR-XC3S-1500 development board
8Mb flash PROM, 64MB SDRAM
no FPU
LEON3 Processor
flashed with LEON3, running at 40MHz
used by NASA and ESA (Venus Express Mission 2005, Dawn Misssion 2007)
Real-time OS
RTEMS 4.9
Saturday, April 24, 2010
Benchmark
Collision Detector Benchmark - CDx
periodic real-time task
highly configurable
workloads - # of planes, # of iterations, # of collisions, period
Various languages used
C, RTSJ, regular Java
miniCDj - CDx implementation in SCJ
Open-source, available at www.ovmj.net/cdx/
Saturday, April 24, 2010
Results
Benchmark results for LEON3 and x86 platforms to be published soon....
Saturday, April 24, 2010
Conclusion
Saturday, April 24, 2010
ConclusionoSCJ Distribution available and open-source
Library, VM, tools and benchmark
www.omvj.net/oscj
Performance
compatitive with C both on LEON3 and x86
Future Work
Library implementation
full Level 0 functionality (Exceptions, I/O, etc.)
supported both by OVM and FijiVM
FijiVM optimizations
oSCJOpen Safety-Critical Java
Saturday, April 24, 2010
References
[1] Apollo's Rocket Scientists, http://www.technologyreview.com/computing/23636/
[2] oSCJ : www.ovmj.net/oscj/
[3] Java for Safety-Critical Applications, Hunt, Locke, Nilsen, Schoeberl,Vitek, SAFECERT 2009.
[4] oSCJ Project, Purdue CS Annual Report 2010.
[5] A Technology Compatibility Kit for Safety Critical Java. Zhao,Tang,Vitek. JTRES 2009.
Saturday, April 24, 2010