Towards "write once - run whenever possible" with Safety Critical Java, by Bent Thomsen, ...
DESCRIPTION
The talk was given at a seminar of the InfinIT interest group "Højniveausprog til indlejrede systemer" (high-level languages for embedded systems), held on 18 June 2014. Read more about the interest group here: http://infinit.dk/dk/interessegrupper/hoejniveau_sprog_til_indlejrede_systemer/hoejniveau_sprog_til_indlejrede_systemer.htm
TRANSCRIPT
![Page 1: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/1.jpg)
Towards “write once – run wherever possible” with Safety Critical Java
Bent Thomsen
InfinIT Højniveausprog sem19
18.06.2014
![Page 2: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/2.jpg)
A typical safety critical embedded hard-real-time program
Cruise control:
  Loop every X microseconds
    Read the sensors;
    Compute speed;
    if speed too high
      Compute pressure for brake pedal;
    if speed too low
      Compute pressure for accelerator;
    Transmit the outputs to actuators;
    wait for next period;
How hard can it be to program such systems?
![Page 3: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/3.jpg)
Apparently hard enough
• Toyota's Accelerator Problem Probably Caused by Embedded Software Bugs
• Software Bug Causes Toyota Recall of Almost Half a Million New Hybrid Cars
• BMW recall: The company will replace defective high-pressure fuel pump and update software in 150,000 vehicles.
![Page 4: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/4.jpg)
Some examples
• The Ariane 5 satellite launcher malfunction
  – caused by a faulty software exception routine resulting from a bad 64-bit floating point to 16-bit integer conversion
• LA Air Traffic control system shutdown (2004)
  – Caused by count down timer reaching zero
• Airbus A330 nose-diving twice while at cruising altitude (2001)
  – 39 injured, 12 seriously. Problem never found
![Page 5: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/5.jpg)
A hard real-time problem
![Page 6: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/6.jpg)
Embedded Systems
• Over 90% of all microprocessors are used for real-time and embedded systems
  – Market growing 10% year on year
• Usually programmed in C or Assembler
  – Hard, error-prone work
  – But preferred choice
    • Close to hardware
    • No real alternatives
  – Difficult to find new skilled programmers
    • Jackson Structured Development (1975) still widely used
    • EE Times calling for re-introducing C programming at US universities
Well … ADA – 10th on the list of most wanted skills
![Page 7: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/7.jpg)
Model Driven Development
• Develop Model of System
• Verify desirable properties
• Generate Code from Model
• But ..
  – Many find developing models harder than programming
  – Often some parts have to be programmed anyhow
  – Model and code have a tendency to drift apart
![Page 8: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/8.jpg)
We need to look for other languages
• The number of embedded systems is growing
• More functionality in each system is required
• More reliable systems are needed
• Time to market is getting shorter
• Increase productivity
  – Software engineering practices (OOA&D) – 10%
  – Tools (IDEs, analyzers and verifiers) – 10%
  – New Languages – 700%
    • 200%-300% in embedded systems programming (Atego)
![Page 9: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/9.jpg)
Java
• Most popular programming language ever!
  – In 2005 Sun estimated 4.5 million Java programmers
  – In 2010 Oracle estimated 9 million Java programmers
  – 61% of all programmers are Java programmers
• Originally designed for set-top boxes
• But propelled to popularity by the internet
http://jaxenter.com/how-many-java-developers-are-there-10462.html
![Page 10: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/10.jpg)
![Page 11: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/11.jpg)
Advantage of Java over C and C++
• Clean syntax and (relatively) clean semantics
• No preprocessor
• Wide range of tool support
• Single dispatch style OOP
• Strong, extendible type system
• Better support for separating subtyping and reuse via interfaces and single inheritance
• No explicit pointer manipulation
• Pointer safe deallocation
• Built-in concurrency model
• Portability via JVM (write once, run anywhere)
![Page 12: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/12.jpg)
Embedded hard real-time safety-critical systems
– Nuclear power plants, car-control systems, aeroplanes etc.
– Embedded Systems
  • Limited processor power
  • Limited memory
  • Resources matter!
– Hard real-time systems
  • Timeliness
– Safety-critical systems
  • Functional correctness
– Mine Pump and Candy Sorting machine
– Grundfos pumps and SKOV pig farm air conditions
– Aalborg Industries (ship boilers) and Therma (aero, defence)
– GomSpace and NASA
![Page 13: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/13.jpg)
But Java is not for Nuclear facilities!
3) RESTRICTIONS. Software is confidential and copyrighted. Title to Software and all associated intellectual property rights is retained by Sun and/or its licensors. Unless enforcement is prohibited by applicable law, you may not modify, decompile, or reverse engineer Software. You acknowledge that Licensed Software is not designed or intended for use in the design, construction, operation or maintenance of any nuclear facility....
![Page 14: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/14.jpg)
What is the problem with Java?
• Unpredictable performance
  – Memory
    • Garbage collected heap
  – Control and data flow
    • Dynamic class loading
    • Recursion
    • Unbounded loops
    • Dynamic dispatch
    • Exceptions
  – Scheduling
  – Lack of high resolution time
• JVM
  – Good for portability – bad for predictability
![Page 15: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/15.jpg)
Observation
There is essentially only one way to get a more predictable language:
• namely to select a set of features which makes it controllable.
• Which implies that a set of features can be deselected as well
![Page 16: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/16.jpg)
Real-Time Java Profiles
• RTSJ (JSR 001)
  – The Real-Time Specification for Java
  – An attempt to cover everything – too complex and dynamic
  – Not suitable for high integrity systems
• Safety-Critical Java (draft) (JSR 302)
  – Subset of RTSJ
  – Focus on simplicity, analysability, and certification
  – No garbage collection: Scoped memory
  – Missions and Handlers (and some threads)
  – Implementation: sub-classes of RTSJ
• Predictable Java
  – Super classes for RTSJ
  – Simple structure
  – Inspiration for SCJ
![Page 17: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/17.jpg)
Real-Time Specification for Java (RTSJ)
• Java Community Standard (JSR 1, JSR 282)
  – Started in 1998
  • January 2002 – RTSJ 1.0 Accepted by JSP
  • Spring 2005 – RTSJ 1.0.1 released
  • Summer 2006 – RTSJ 1.0.2 initiated
  • March 2009 – Early draft of RTSJ version 1.1, now called JSR 282.
• Most common for real-time Java applications
  – Especially on Wall Street
• New Thread model: NoHeapRealtimeThread
  – Never interrupted by Garbage Collector
  – Threads may not access Heap Objects
  – Extends Java’s 10 priority levels to 28
![Page 18: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/18.jpg)
RTSJ Overview
• Clear definition of scheduler
• Priority inheritance protocol
• NoHeapRealtimeThread
• BoundAsyncEventHandler
• Scoped memory to avoid GC
• Low-level access through raw memory
• High resolution time and timer
• Originally targeted at larger systems
  – implementation from Sun requires a dual UltraSparc III or higher with 512 MB memory and the Solaris 10 operating system
![Page 19: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/19.jpg)
RTSJ Guiding Principles
• Backward compatibility to standard Java
• No syntactic extension
• Write Once, Run Anywhere
• Reflected current real-time practice anno 1998
• Allow implementation flexibility
• Does not address certification of Safety Critical applications
![Page 20: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/20.jpg)
Safety-Critical Java (SCJ)
• Java Specification Request 302
• Aims for DO178B, Level A
• Three Compliance Points (Levels 0, 1, 2)
  – Level 0 provides a cyclic executive (single thread), no wait/notify
  – Level 1 provides a single mission with multiple schedulable objects
  – Level 2 provides nested missions with (limited) nested scopes
• More worst case analysis friendly
• Restricted subset of RTSJ
![Page 21: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/21.jpg)
SCJ
• Only RealtimeThreads are allowed
• Notions of missions and handlers
• No heap objects / no GC
• Restricted use of scopes
![Page 22: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/22.jpg)
Predictable Java (PJ)
• Predictable Java intended as guidance/ideas for SCJ
• JSR-302 uses inheritance for limitation
  – Lots of @SCJAllowed annotations everywhere
• RTSJ would be a specialisation of a smaller profile
• PJ suggests to use inheritance for specialisation
  – Generalisation of RTSJ
• Missions are first-class handlers
  – Scoped memory belonging to the mission
• No need for immortal memory known from RTSJ and SCJ.
• Simplifies memory hierarchy
• Programs are more Java like
![Page 23: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/23.jpg)
Many variants of Java
• J2EE
  – J2SE & enterprise extensions
• J2SE
  – Standard Java
• J2ME
  – Subset of J2SE & additional classes
• RTSJ
  – Add on to J2EE, J2SE, or J2ME for realtime
• SCJava
  – Subset of RTSJ, subset of J2SE, & additional classes
![Page 24: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/24.jpg)
Predictable JVM
• JOP
  – Java Optimized Processor
  – JVM in Hardware (FPGA)
• HVM
  – targeted at devices with 256 kB flash and 8 kB of RAM
  – Interpreted or AOT compilation
  – 1st level interrupt handlers in Java
  – Runs on ATmega2560, CR16C, ARM7, ARM9 and x86
• JamaicaVM
  – Industrial strength real-time JVM from Aicas
  – En route for certification for use in airplanes and cars
![Page 25: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/25.jpg)
The HVM
Java-to-C compiler with an embedded interpreter
Java look-and-feel for low-end embedded devices
Support incremental move from C to Java
![Page 26: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/26.jpg)
Features
- Execution on the bare metal
- First level interrupt handling & Hardware Objects
- Hybrid execution style (interpretation + AOT)
- Program specialization
  * Classes & methods
  * Interpreter
- Native variable support
- Portability
  * No external dependencies
  * Strict ANSI-C
- Process switching & scoped memory
![Page 27: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/27.jpg)
The Predictable Real-time HVM
• Time predictable implementations of Interpreter loop and each bytecode
![Page 28: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/28.jpg)
Trinity of tools, platform and programming model
![Page 29: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/29.jpg)
What about Time Analysis?
• Traditional approaches to analysis of RT systems are hard and conservative
• Very difficult to use with Java because of JVM (and Object Orientedness)
Utilisation-Based Analysis
• A simple sufficient but not necessary schedulability test exists

$$U \equiv \sum_{i=1}^{N} \frac{C_i}{T_i} \leq N\left(2^{1/N} - 1\right)$$

$$U \to 0.69 \quad \text{as } N \to \infty$$

Where C is WCET and T is period
Response Time Equation
$$R_i = C_i + \sum_{j \in hp(i)} \left\lceil \frac{R_i}{T_j} \right\rceil C_j$$

Where hp(i) is the set of tasks with priority higher than task i
Solve by forming a recurrence relationship:

$$w_i^{n+1} = C_i + \sum_{j \in hp(i)} \left\lceil \frac{w_i^n}{T_j} \right\rceil C_j$$

The set of values $w_i^0, w_i^1, w_i^2, \ldots, w_i^n, \ldots$ is monotonically non-decreasing. When $w_i^n = w_i^{n+1}$ the solution to the equation has been found; $w_i^0$ must not be greater than $R_i$ (e.g. 0 or $C_i$).
![Page 30: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/30.jpg)
Model based Analysis
– TIMES
  • Model based schedulability tool based on UPPAAL
– WCA
  • WCET analysis for JOP
– SARTS
  • Schedulability on JOP
– TetaJ
  • WCET analysis for SW JVM on commodity HW
– TetaSARTS
  • Schedulability analysis for SW JVM on commodity HW and JOP
– SymRT
  • Combines symbolic execution and model-based timing analysis
![Page 31: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/31.jpg)
SARTS
• Schedulability analyzer for real-time Java systems
  – Assumes program in SCJ profile
  – Assumes correct loop bound annotations
  – Assumes code to be executed on JOP
• Generates Timed Automata
  – Control flow graph with timing information
  – Uppaal model-checker checks for deadlock
  – Based on ideas from TIMES tool
![Page 32: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/32.jpg)
SARTS Overview
![Page 33: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/33.jpg)
SARTS Overview
• A scheduler automaton models FPS
• A controller automaton, periodic/sporadic, is created for each handler
• Each Java method results in a parametrised automaton
  – One clock per task/thread
  – Pre-emption is modelled using stopwatches
  – Control-transfer is modelled using synchronization
![Page 34: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/34.jpg)
Java to UPPAAL
![Page 35: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/35.jpg)
Timed Automata templates
• Translation of Basic Blocks into states and transitions
• Patterns for:
  – Loops
  – Monitor statements
  – If statements
  – Method invoke
  – Sporadic task release
![Page 36: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/36.jpg)
Simple models of RM scheduler
• Predefined models
  – Scheduler
  – Periodic Task
  – Sporadic Task
![Page 37: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/37.jpg)
Periodic Task/Sporadic Task
![Page 38: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/38.jpg)
SARTS sales pitch
• The schedulability question is “translated” to a deadlock question
  – no deadlock means schedulable
• Compared to traditional schedulability analysis
  – Control flow sensitive
  – Fine grained interleaving
  – Less pessimism
  – Fully automatic
![Page 39: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/39.jpg)
SARTS can do better than utilisation test
• Example
  • One periodic task
  • Two sporadic tasks
    – Mutually exclusive
![Page 40: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/40.jpg)
SARTS can do better than utilisation test
• Period: 240
• Minimum inter-arrival time: 240
• Periodic cost: 161
• Sporadic cost: 64
• Utilisation test fails:
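The utilisation-based test and the response-time recurrence from the time analysis slides, run on the task set of this slide. This is an added example, not code from the talk or from SARTS. It assumes deadlines equal to periods, gives the sporadic handlers higher priority than the periodic one, and models "mutually exclusive" by collapsing the two sporadics into one task with the same cost and minimum inter-arrival time (at most one of them can run per 240 time units); those modelling choices are mine, not the slides'.

```python
"""Fixed-priority schedulability checks: Liu & Layland utilisation bound,
response-time analysis by iteration, and the slide's example where the
utilisation test fails although the task set is schedulable.
Added example; not code from the talk or from the SARTS tool."""
import math


def utilisation_bound(n):
    """Liu & Layland bound N(2^(1/N) - 1); tends to ln 2, about 0.69, as N grows."""
    return n * (2 ** (1.0 / n) - 1)


def utilisation_test(tasks):
    """tasks: list of (C, T) with C = WCET and T = period, or minimum
    inter-arrival time for a sporadic task. The test is sufficient but not
    necessary: failing it does not prove the task set unschedulable."""
    u = sum(c / t for c, t in tasks)
    return u, u <= utilisation_bound(len(tasks))


def response_times(tasks):
    """tasks: list of (C, T, D), highest priority first, so hp(i) = tasks[:i].
    Iterates w^{n+1} = C_i + sum_{j in hp(i)} ceil(w^n / T_j) * C_j starting
    from w^0 = C_i (never above R_i) until the sequence converges or exceeds
    the deadline D_i. Returns one (R_i or None, meets_deadline) pair per task."""
    results = []
    for i, (c_i, t_i, d_i) in enumerate(tasks):
        w = c_i
        while True:
            w_next = c_i + sum(math.ceil(w / t_j) * c_j for c_j, t_j, _ in tasks[:i])
            if w_next > d_i:          # diverged past the deadline: unschedulable
                results.append((None, False))
                break
            if w_next == w:           # fixed point reached: R_i = w
                results.append((w, True))
                break
            w = w_next
    return results


# Figures from the slide (time units as given there).
PERIOD = 240            # period and minimum inter-arrival time
PERIODIC_COST = 161
SPORADIC_COST = 64


def slide_example():
    """Utilisation is 289/240 > 1, so the utilisation test fails, and RTA with
    the sporadics as independent tasks fails too. Modelling the mutually
    exclusive sporadics as one task (assumption, see lead-in) gives R = 225 <= 240."""
    independent = [(SPORADIC_COST, PERIOD, PERIOD),
                   (SPORADIC_COST, PERIOD, PERIOD),
                   (PERIODIC_COST, PERIOD, PERIOD)]
    exclusive = [(SPORADIC_COST, PERIOD, PERIOD),
                 (PERIODIC_COST, PERIOD, PERIOD)]
    u, passes = utilisation_test([(c, t) for c, t, _ in independent])
    return {
        "utilisation": u,
        "utilisation_test_passes": passes,
        "rta_independent": response_times(independent),
        "rta_mutually_exclusive": response_times(exclusive),
    }


if __name__ == "__main__":
    for key, value in slide_example().items():
        print(f"{key}: {value}")
```

The merged-task trick is a sound over-approximation only because the slide states the two sporadic releases exclude each other; without that knowledge, the control-flow-sensitive model checking that SARTS performs is what recovers the schedulability the utilisation and response-time tests lose.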
![Page 41: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/41.jpg)
Time Line
![Page 42: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/42.jpg)
TetaJ
• WCET analysis tool – taking Java portability into account
• Analysis at method level
• Can be used interactively
• Takes VM into account
• Takes HW into account
![Page 43: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/43.jpg)
![Page 44: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/44.jpg)
![Page 45: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/45.jpg)
TetaSARTS
![Page 46: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/46.jpg)
Minepump example
![Page 47: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/47.jpg)
Minepump example
Write once – run wherever possible
![Page 48: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/48.jpg)
Energy Optimize Applications
![Page 49: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/49.jpg)
SymRT
• Combining Symbolic execution and TA
![Page 50: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/50.jpg)
Compositional Verification
• TetaSARTS generates model for whole program
• Library routines analysed again and again
• Models based on control flow can be complicated
• Idea: Annotate interfaces with abstract description of behaviour
  – Time and Resource Specification Language (TRSL)
  – Could have been any of a range of spec. languages
    • UML/Marte, ACSR, TADL
![Page 51: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/51.jpg)
Note – could have used [ 1..8 ; using(r)[2] ; 1 ] since [ 1 ; 7? ; using(r)[2] ; 1 ] ≤ [ 1..8 ; using(r)[2] ; 1 ]
![Page 52: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/52.jpg)
TetaSARTS+
• Schedulability analysis now in three steps
  – Verify that implementation is simulated by specification
    • Check L(Implementation) ≤ L(Specification)
    • Possible since TRSL TAs are simple instances of Event-Clock Automata
  – Generate TAs from specs
  – Use TetaSARTS
![Page 53: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/53.jpg)
Further Analysis and tools
• Scope compliance analysis for SCJ
• SCJ compliance analyzer
• Eclipse plug-in
• Lots of work on (analyzable) real-time GC
![Page 54: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/54.jpg)
Future Work
• Experiment with deductive verification
  – Functional requirements
  – JML and KeY
  – Especially loop bounds
• Termination Analysis
  – Recursion bounds
• Hierarchical schedulability (mixed mode)
• Analyse non-SCJ programs
  – Java 8, Groovy, Scala
• Multi-core HVM
• Android and Dalvik VM
• Loadable Safelets and cloud verification
![Page 55: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/55.jpg)
Future Work
• Internet of Things
  – We can do it today, but how to do it fast and reliably?
  – aicas's JamaicaVM hard real-time Java-based platform to provide a secure, scalable solution connecting intelligent devices to cloud-based services.
  – Some of my ideas:
    – Combining work on SCJ with
      • SmartCampus
      • HomePort
![Page 56: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/56.jpg)
Learn more
• Model-based schedulability analysis of safety critical hard real-time Java programs
  – T. Bøgholm, H. Kragh-Hansen, P. Olsen, B. Thomsen, and K. G. Larsen
  – JTRES 2008
• Schedulability Analysis Abstractions for Safety Critical Java
  – Thomas Bøgholm, Bent Thomsen, Kim G. Larsen, Alan Mycroft
  – ISORC 2012
• WCET analysis of Java bytecode featuring common execution environments
  – C. Frost, C. S. Jensen, K. S. Luckow, and B. Thomsen
  – JTRES 2011
• TetaSARTS: A Tool for Modular Timing Analysis of Safety Critical Java Systems
  – Kasper Luckow, Thomas Bøgholm, Bent Thomsen, and Kim Larsen
  – To appear JTRES 2013
![Page 57: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/57.jpg)
Try it out?
• TetaSARTS
  – http://people.cs.aau.dk/~luckow/tetasarts/
• Hardware Near Virtual Machine
  – http://icelab.dk/
• oSCJ (open Safety-Critical Java Implementation)
  – http://sss.cs.purdue.edu/projects/oscj/
• Java Optimized Processor
  – http://www.jopdesign.com/
• JamaicaVM
  – http://www.aicas.com/jamaica.html
![Page 58: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/58.jpg)
Joint work with:
• Alan Mycroft
  – Cambridge University
• Corina S. Pasareanu
  – NASA Ames, CA, USA
• Hans Søndergaard, Stephan Korsholm
  – Via University College
• Thomas Bøgholm, Kasper Søe Luckow, Anders P. Ravn, Kim G. Larsen, Rene R. Hansen and Lone Leth Thomsen
  – CISS/Department of Computer Science, Aalborg University
![Page 59: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/59.jpg)
Thank You
![Page 60: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/60.jpg)
SmartCampusAAU project
• Motivation:
  • An essential part of the strategy for future growth in the North Jutland region of Denmark (Region Nordjylland – RN) is centred around private companies', as well as public services', use of location and other contextual information in intelligent solutions.
  • RN already sponsors several clusters of projects: SmartCityDK, Intelligent Transport and Infotainment
• Observation:
  – All such projects build (throwaway) middleware needed for their demonstrations
• Goal:
  – Build scalable and re-usable middleware infrastructure enabling easy development of location based applications
• Project Period: 3.8.2009 – 31.12.2011 (funded by RN / EU regional development)
• SmartCampus2.0: 1.1.2012 – 31.12.2012 (funded by CaIN)
• SmartCampus3.0: 1.3.2013 – 30.6.2013 (funded by InfinIT)
![Page 61: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/61.jpg)
WiFi-based localization
• RADAR (by Microsoft Research in 2000)
• (almost) No need for new infrastructure
• Fingerprinting
![Page 62: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/62.jpg)
Location Fingerprinting – The Offline Phase
[Figure: a radio map is built by recording the RSSI (dBm) of access points AP1, AP2, AP3 at surveyed positions (x1, y1, z1), (x2, y2, z1), (x3, y3, z1), (x4, y4, z1), … The fingerprints shown are AP1 = -40, AP2 = -70, AP3 = -95; AP1 = -45, AP2 = -60, AP3 = -85; AP1 = -65, AP2 = -55, AP3 = -75; AP1 = -80, AP2 = -45, AP3 = -60.]
![Page 63: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/63.jpg)
Location Fingerprinting – The Online Phase
[Figure: a live measurement, AP1 = -50, AP2 = -40, AP3 = -85, is compared against the radio map entries for (x1, y1, z1), (x2, y2, z1), (x3, y3, z1), (x4, y4, z1), … The radio-map fingerprints shown are AP1 = -55, AP2 = -40, AP3 = -80; AP1 = -40, AP2 = -60, AP3 = -95; AP1 = -40, AP2 = -70, AP3 = -85; AP1 = -35, AP2 = -90, AP3 = -55.]
![Page 64: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/64.jpg)
Improving WLAN Positioning with Weighted Graphs
![Page 65: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/65.jpg)
Indoor Navigation
![Page 66: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/66.jpg)
IFC file:
• Standard format
• Big file, used only on PC
• Can be read using specialized toolkit
• Unaligned to real world
PIFC file:
• Non-standard XML-based format
• Small file, can be used on pocket PC
• Extendable for different types of objects
• Can be read using XML parser
• Aligned to WGS84
For each (building, storey) extract: walls, spaces, access points …
Conversion on user machine or Streamspin service
![Page 67: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/67.jpg)
Infrastructure-Based Positioning
• iPhone and WP 7 do not support device-based positioning.
• Instead, a ”Wi-Fi sniffer” infrastructure is required.
• Positioning is done on the Infrastructure-Based Positioning Service
![Page 68: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/68.jpg)
Building the radio maps
• Two types of radio maps:
  1. Device-based radio map
     – Measurement done locally and uploaded.
  2. Infrastructure-based radio map
• The Android app builds both radio maps in one go.

1.A) bool StartMeasuringAtBoundLocation(string clientMac, int buildingId, int vertexId)
1.B) bool StartMeasuringAtUnboundLocation(string clientMac, int buildingId, int latE6, int lonE6, int alt)
2) bool StopMeasuring(string clientMac)
3) int SaveMeasurement(string clientMac)
![Page 69: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/69.jpg)
Setting up a Wi-Fi sniffer infrastructure
• Buy appropriate equipment or use/modify existing (http://wiki.openwrt.org/toh/start)
• Update firmware (contact us for instructions)
• Start sniffing!
  • I.e., start sending measurement reports of the form [sniffer_mac, time, RSSI, client_mac] to our Infrastructure-Based Positioning Service.
• Contact us regarding hosting of infrastructure-based pos. service:
  – Use smartcampus server
  – Use your own server
  – Use an intermediary to filter measurement reports
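The two fingerprinting phases from the radio-map slides and the infrastructure-based variant described here, in one added example (not SmartCampus code): the offline radio map, a k-nearest-neighbour match in signal space, and a step that turns sniffer reports of the form [sniffer_mac, time, RSSI, client_mac] into the observed vector for a client while dropping stale reports and reports from unknown sniffers, which is the kind of filtering an intermediary in front of the positioning service could do. The RSSI values come from the slides; the coordinates, their pairing with the fingerprints, the sniffer MAC addresses, the -100 dBm floor for an unheard AP and the report stream are constructed assumptions.

```python
"""RADAR-style Wi-Fi fingerprinting: offline radio map, online k-NN match,
and assembly of the online vector from infrastructure sniffer reports.
Added example; coordinates, MACs and reports are constructed sample data."""
import math

MISSING_RSSI = -100.0  # dBm floor for an AP that was not heard (assumption)

# Offline phase: surveyed position -> fingerprint. RSSI values are the ones on
# the slides' radio-map figures; coordinates and pairing are constructed.
RADIO_MAP = {
    (0.0, 0.0, 1.0): {"AP1": -40, "AP2": -70, "AP3": -95},
    (5.0, 0.0, 1.0): {"AP1": -45, "AP2": -60, "AP3": -85},
    (10.0, 0.0, 1.0): {"AP1": -65, "AP2": -55, "AP3": -75},
    (15.0, 0.0, 1.0): {"AP1": -80, "AP2": -45, "AP3": -60},
}

# Constructed mapping from sniffer MAC to the AP id used in the radio map.
SNIFFER_TO_AP = {
    "aa:bb:cc:00:00:01": "AP1",
    "aa:bb:cc:00:00:02": "AP2",
    "aa:bb:cc:00:00:03": "AP3",
}


def signal_distance(observed, fingerprint):
    """Euclidean distance in signal space over the union of APs. An AP missing
    on either side counts as MISSING_RSSI instead of being dropped, so a
    fingerprint that expects a strong AP the device cannot hear is penalised."""
    aps = set(observed) | set(fingerprint)
    return math.sqrt(sum(
        (observed.get(ap, MISSING_RSSI) - fingerprint.get(ap, MISSING_RSSI)) ** 2
        for ap in aps))


def nearest_fingerprints(observed, radio_map=RADIO_MAP, k=1):
    """Online phase: the k radio-map entries closest in signal space,
    as (distance, position) pairs, nearest first."""
    if not observed:
        raise ValueError("empty observation")
    ranked = sorted((signal_distance(observed, fp), pos) for pos, fp in radio_map.items())
    return ranked[:k]


def locate(observed, radio_map=RADIO_MAP, k=2):
    """Position estimate: coordinates of the k nearest fingerprints averaged
    with weights 1/(d + eps), so a near-exact match dominates."""
    nearest = nearest_fingerprints(observed, radio_map, k)
    weights = [1.0 / (d + 1e-6) for d, _ in nearest]
    total = sum(weights)
    return tuple(sum(w * pos[axis] for w, (_, pos) in zip(weights, nearest)) / total
                 for axis in range(3))


def observations_from_reports(reports, now, max_age, sniffer_to_ap=SNIFFER_TO_AP):
    """Turn [sniffer_mac, time, rssi, client_mac] reports into one observation
    per client. Reports older than max_age or from unknown sniffers are
    dropped; only the newest report per (client, sniffer) is kept."""
    latest = {}  # (client_mac, ap) -> (time, rssi)
    for sniffer_mac, t, rssi, client_mac in reports:
        ap = sniffer_to_ap.get(sniffer_mac)
        if ap is None or now - t > max_age:
            continue
        key = (client_mac, ap)
        if key not in latest or t > latest[key][0]:
            latest[key] = (t, rssi)
    observations = {}
    for (client_mac, ap), (_, rssi) in latest.items():
        observations.setdefault(client_mac, {})[ap] = rssi
    return observations


# Constructed sniffer reports for one client. The -50/-40/-85 vector is the
# online measurement on the slide; the t=5 report is stale and the last one
# comes from a sniffer that is not part of the infrastructure.
REPORTS = [
    ("aa:bb:cc:00:00:03", 5, -30, "02:00:00:00:00:99"),
    ("aa:bb:cc:00:00:01", 100, -50, "02:00:00:00:00:99"),
    ("aa:bb:cc:00:00:02", 101, -40, "02:00:00:00:00:99"),
    ("aa:bb:cc:00:00:03", 102, -85, "02:00:00:00:00:99"),
    ("de:ad:be:ef:00:00", 103, -20, "02:00:00:00:00:99"),
]


def locate_clients(reports, now, max_age=30):
    """Infrastructure-based positioning: one position per client seen recently."""
    return {client: locate(obs, k=1)
            for client, obs in observations_from_reports(reports, now, max_age).items()}


if __name__ == "__main__":
    print(nearest_fingerprints({"AP1": -50, "AP2": -40, "AP3": -85}, k=2))
    print(locate_clients(REPORTS, now=110))
```

Treating an unheard AP as a floor value rather than dropping it matters in practice: with plain intersection a device that hears only one AP would match every fingerprint that shares that reading equally well. Age and sniffer filtering belongs in front of the positioning service because the reports carry client MAC addresses, and a server should only ever see the current, relevant subset of them.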
![Page 70: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/70.jpg)
3rd Positioning Service
• Infrastructure-Based, Device-Assisted Positioning
• For positioning and tracking of IoT devices
* RTX41xx: http://www.rtx.dk/RTX4100_Wi-Fi_module-3921.aspx
![Page 71: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/71.jpg)
Integration
• PIM (Calendar) http://way.askcody.dk/d.php?id=1644
• Intelligent signs
• Social Networks
• Intelligent Buildings
![Page 72: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/72.jpg)
Interacting with smart buildings
HomePort
Door locks
![Page 73: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/73.jpg)
Conlan Demo
• Objective: Turn on Conlan device when mobile device is within 10 meters
![Page 74: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/74.jpg)
![Page 75: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/75.jpg)
![Page 76: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/76.jpg)
Solution from MapsPeople
• Geo Location Manager
![Page 77: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/77.jpg)
![Page 78: Towards "write once - run whenever possible" with Safety Critical Java af Bent Thomsen, AAU](https://reader033.vdocuments.site/reader033/viewer/2022061111/54556045af7959b8038b8767/html5/thumbnails/78.jpg)
Location-Based Edutainment (group SW805 and Mymo®)