Equivalence checking between embedded C code and corresponding Stateflow TM diagram specification

International audienceThis paper focuses on a cost-effective application of model-checking in Verification & Validation of safety critical airborne systems, for proving the correspondence between automatic C source code and its specification expressed with TM Stateflow diagram specification. The process requires a minimum of user intervention in most cases, gives very high confidence and has the potential to shift the traditional technical checks when qualification is effective

On the Determinism of Multi-core Processors

Hard real time systems are evolving in order to respond to the increasing demand in complex functionalities while taking advantage of newer hardware. Software development for safety critical systems has to comply with strict requirements that will facilitate the certification process. During this process, each part of the system is evaluated, requiring a certain level of assurance in order to provide confidence in the product. In particular there must be a level of confidence that the system behaves deterministically that may be based on functionality, resources and time. The success of system verification depends greatly on the capacity to determine its exact behavior. Nonetheless, hardware evolved in order to maximize the average computation power throughput with little to no regard to the deterministic aspect. Therefore modern architectural features of processors, like pipelines, cache memories and co-processors, make it hard to verify that all the needed properties are respected. The multi-core is furthermore difficult to analyze as the architecture employs mechanisms that compromise strong spatial and temporal partitioning when using shared resources without rigorous access control like shared caches or shared input/outputs. In this paper we identify and analyze the main sources of nondeterminism of the multi-cores with regard to the timing estimation. Precise determination of the worst case execution time is a challenging task even in single-core architectures. The problems are accentuated in the multi-core context mainly due to the resource sharing that can lead to highly complex interactions or to nondeterminism. Most of the units that generate behaviors that are hard to take into account can be deactivated, but it is not always easy to predict the impact on the performance. Nevertheless some of the features cannot be disabled (such as the out of order execution or some nondeterministic crossbar access policies) which leads to the invalidation of the respective platform for applications with high criticality level. We will address the problematic units, propose configuration or architecture guidelines and estimate their impact on the performance and determinism of the system

Analyse d’interférences mémoires sur les clusters de calcul du pluri-coeurs Kalray MPPA3

The Kalray MPPA3 Coolidge many-core processor is one of the few off-the-shelf high-performance processors amenable to full-fledged static timing analysis. And yet, even on this processor, providing tight execution time upper bounds may prove difficult. In this paper, we consider the sub-problem of bounding the timing overhead due to memory access interferences inside one MPPA3 shared memory compute cluster. This includes interferences between computing cores and interferences between the instruction and data accesses of a given core. We start with a detailed analysis of the MPPA3 compute cluster, with emphasis on three key components: the Prefetch Buffer (PFB), which performs speculative instruction loads, the fixed-priority (FP) arbiter between instruction and data accesses of a core, whose behavior is highly dependent (in the worst case) on interferences from other cores, and the SAP (bursty Round Robin) arbiters guarding access to memory banks. We provide a full-fledged interference analysis covering both levels. This analysis is rooted in a novel modeling of memory access patterns, which describes their worst- case and best-case burstiness, a key factor influencing the MPPA3 arbitration. We evaluate our interference model on multiple applications, ranging from real-life avionics code specified in SCADE to linear algebra code. We also suggests methods for reducing execution time and improving analysis precision by means of code generation.Le pluri-cœurs Kalray MPPA3 Coolidge est un des seuls processeurs haute-performance sur étagère à permettre le calcul de bornes statiques (non-probabilistes) sur le temps d’exécution. Mais même sur ce processeur le calcul de bornes serrées est difficile. Dans cet article, nous traitons le sous-problème du calcul de bornes supérieures sur les interférences dues aux accès concurrents aux bancs de mémoire partagée. De plus, notre analyse se concentre sur un seul cluster de calcul de l’architecture-cible, et s’intéresse seulement aux interférences entre cœurs de calcul du cluster et aux interférences entre accès instruction et données d’un seul cœur. Nous commençons par une analyse détaillée du cluster de calcul MPPA3, mettant l’accent sur trois composants-clefs: le tampon de préchargement anticipé (Prefetch Buffer, ou PFB) qui réalise des préchargements de code spéculatifs, l’arbitre à priorité fixe (FP) entre les accès au code et aux données d’un même cœur de calcul, dont le comportement est dépendant (au pire cas) des interférences d’autres cœurs, et les arbitres SAP (Round Robin avec support pour les rafales) qui contrôlent l’accès aux bancs de mémoire partagée. Nous développons une analyse d’interférences complète par rapport au domaine choisi. Notre analyse est fondée sur une nouvelle modélisation des motifs d’accès à la mémoire, qui permet la représentation du groupage des accès en rafales (dans le pire et dans le meilleur des cas). Ce facteur a une influence très forte sur l’arbitrage MPPA. Nous évaluons notre approche d’analyse d’interférences sur plusieurs applications allant de tâches avioniques appartenant à une application de production spécifiée en SCADE, et jusqu’à du code d’algèbre linéaire représentatif pour les applications de type “jumeau numérique” ou “machine learning”. Nous suggérons aussi des méthodes permettant de réduire le temps d’exécution et d’améliorer la précision de l’analyse par des choix de génération de code

Customization principles of an aeronautics SLM environment and an illustration on aeronautics use cases: the doors management system and the flight control system

International audienceHaving efficient means to build an appropriate system engineering framework is a differentiating factor for the competitiveness of the European aeronautics industry. We present in this paper an approach and a set of concepts enabling the construction and customization of a system engineering environment. These customization principles, set up in the frame of the CESAR project, are driven by a multi-view model-based system development process and by a system data description. The flexibility and the benefits of this approach are demonstrated on two industrial cases: the doors management system and the flight control system

Joint use of static and dynamic software verification techniques: a cross-domain view in safety critical system industries

International audienceHow different are the approaches to combining formal methods (FM) and testing in the safety standards of the automotive, aeronautic, nuclear, process, railway and space industries? This is the question addressed in this paper by a cross-domain group of experts involved in the revision committees of ISO 26262, DO-178C, IEC 60880, IEC 61508, EN 50128 and ECSS-Q-ST-8OC. First we review some commonalities and differences regarding application of formal methods in theaforementioned standards. Are they mandatory or recommended only? What kind of properties are they advised to be applied to? What is specified in the different standards regarding coverage (both functional and structural) if testing and formal methods are used jointly?We also account for the return on experience of the group members in the six industrial domains regarding state of the art practice of joint use of formal methods and testing. Where did formal methods actually prove to outperform testing? Then we discuss verification coverage, and more specifically the role of structural coverage. Does structural coverage play the same role in all the standards? Is it specific to testing and irrelevant for formal methods? What verification terminationcriteria is applicable in case FM-test mix? We conclude on some prospective views on how software safety standards may evolve to maximize the benefits of joint use of dynamic (testing) and static (FM) verification methods

Multi-domain comparison of safety standards

International audienceThis paper presents an analysis of safety standards and their implementation in certification strategies from different domains such as aeronautics, automation, automotive, nuclear, railway and space. This work, performed in the context of the CG2E ("Club des Grandes Entreprises de l'Embarqué"), aims at identifying the main similarities and dissimilarities, for potential cross-domain harmonization. We strive to find the most comprehensive 'trans-sectorial' approach, within a large number of industrial domains. Exhibiting the 'true goals' of their numerous applicable standards, related to the safety of system and software, is a first important step towards harmonization, sharing common approaches, methods and tools whenever possible

1-Synchronous Programming of Large Scale, Multi-Periodic Real-Time Applications with Functional Degrees of Freedom

The design and implementation of reactive, hard real-time systems involves modeling and generating efficient code for the integration of harmonic multi-periodic tasks. Such a reactive system can be modeled as a synchronous program orchestrating computations, state machine transitions and communications. In a harmonic multi-periodic integration program, task execution rates are related through integral ratios. This paper aims at providing a scalable way to implement large systems composed of modular, synchronous reactive tasks, and to generate efficient code satisfying real-time constraints.The paper describes three incremental extensions to the Lustre language and evaluates them on production applications. First, we propose a clock calculus for 1-synchronous clocks, i.e. strictly periodic clocks with a single activation on their period; we show how the compiler can exploit this information to raise the level of abstraction when integrating tasks at the system level. Second, we allow some variables to have unknown phases, extending the clock inference to gather constraints on unknown phases, using a solver for load balancing over multi-periodic real-time schedules, before instantiating this solution to assign clocks to all reactions of the system. Third, we propose temporally underspecified operations, relevant to many discrete control scenarii, for example on variables with low temporal variability; we show how to express this in a composable way, retaining the Kahn semantics of the synchronous program outside these controlled relaxations, and exploiting slack in the computation to relax the constraints of the real-time load-balancing problem

Parallelisation efficace de larges applications temps-reel

We present a parallel compilation method for embedded control applications. The method is fully automatic and scales up, being based on low-complexity heuristics. Unlike classical compilation, it also takes as input non-functional requirements, e.g. real-time or resource limits.The main objective is not optimization per se, but the respect of requirements. To this end, static resource allocation and code generation algorithms perform a safe accounting of non-functional properties. Accounting starts from per-component time and memory footprint worst-case bounds, automatically obtained through calls to state-of-the-art static analysis tools. Experiments show that our method produces efficient code for large-scale, real-life avionics applications

Polyhedral Scheduling and Relaxation of Synchronous Reactive Systems

International audienceThe design and implementation of reactive, hard real-time systems involves modeling and generating efficient code for the integration of harmonic multi-periodic tasks. The simple principles of synchronous reactive programming met great scientific and engineering success in the area. A synchronous program orchestrates concurrent computations. It does so while maintaining composability, modularity, functional determinism and real-time execution guarantees. In the case of hard real-time systems, a reactive control program is composed of multi-periodic tasks related through integral ratios. This paper presents a language and optimizing compiler to implement large reactive control systems composed of multi-periodic, synchronous reactive tasks. The same language is used to program a complete control system, from the finest-grained computations to task-level integration, while generating efficient code satisfying real-time constraints. It is evaluated on two real-world applications