Michael Stilkerich

KESO: an open-source multi-JVM for deeply embedded systems

Java still is a rather exotic language in the field of real-time and particularly embedded systems, though it could provide productivity and especially safety and dependability benefits over the dominating language C. The reasons for the lack of acceptance of Java in the embedded world are the high resource consumption caused by the Java runtime environment and lacking language features for low-level programming. KESO is a JVM under LGPL license that was specifically designed for the domain of statically-configured deeply embedded systems. KESO provides a sensible selection of Java features useful to the majority of embedded applications and safe and convenient constructs for low-level programming in Java. A key feature of KESO is its Multi-JVM architecture, which allows the isolated cohabitation of different applications on one hardware platform. The resource consumption of applications developed on the base of KESO is comparable to C applications, and its mechanisms for communicating among isolated components are efficient and encourage the actual utilization of spatial isolation.

Tailor-made JVMs for statically configured embedded systems

Java still is a rather exotic language in the field of real‐time and particularly embedded systems, eventhough it could provide productivity and especially safety and dependability benefits over the dominating language C. The reasons for the lack of acceptance of Java in the embedded world are the high resource consumption caused by the Java runtime environment and the lacking language features for low‐level programming. KESO is a Java Virtual Machine (JVM) that was specifically designed for statically configured resource‐constrained embedded systems. Rather than providing a fixed subset of the Java standard functionality, KESO uses the available ahead‐of‐time knowledge to generate a Java runtime that is specifically tailored towards the particular application. A key feature of KESO is its Multi‐JVM architecture, which allows the isolated cohabitation of different applications on one hardware platform. Our evaluation uses two non‐trivial real‐time applications, a control application for a quadrotor helicopter and a collision detector, to compare the cost of an application using KESO to its C counterpart. Our results show that the resource consumption of applications developed on the base of KESO is comparable to C applications, and its mechanisms for communicating among isolated components are efficient and encourage the actual utilization of spatial isolation. Copyright

Exploiting static application knowledge in a Java compiler for embedded systems: a case study

Offering many benefits in terms of productivity and reliability, Java is becoming an attractive choice for the field of embedded computing. However, its programming model that relies on the capabilities of just-in-time compilation limits the opportunities to generate highly optimized code in an ahead-of-time compiler. In the KESO project, a Java VM for statically-configured deeply embedded systems, we have previously used static application knowledge to create a tailored runtime environment. In this paper, we present and discuss how this static knowledge can further be exploited by our compiler in order to perform advanced optimizations that would otherwise not be achievable. We conducted a case study with the CDx real-time benchmark in which we examined the peculiarities and challenges that arise, and evaluated the effectiveness of both standard and system-model-specific compiler optimizations in the context of a static embedded application model. Our results show that incorporating the available a-priori knowledge in the compiler provides significant improvements to both footprint and runtime, and can additionally help the system integrator to identify consistency problems between the code and a higher-level system specification at an early development stage.

Automated application of fault tolerance mechanisms in a component-based system

Due to the reduction of structure sizes in modern embedded systems, tolerating soft errors presenting itself as bit flips becomes a mandatory task even for moderate critical applications. Accordingly, software-based fault tolerance mechanisms recently gained in popularity and a multitude of approaches that differ in the number and frequency of tolerated errors as well as their associated overhead have been proposed. As a consequence, an application- and environment-tailored selection of mechanisms is required to balance protection and costs. Accounting the diverse solution space, we propose to make software-based fault tolerance a matter of configuration that should be transparent to the applications. While this would be cumbersome when using an unsafe programming language, we show that in the context of KESO, a JVM for deeply embedded systems, this can be achieved by utilizing the Java type system and static code analysis. As an initial technique we decided to add redundant execution to KESO, which enables us to selectively and transparently replicate an application. This essentially builds a first step to a JVM, which offers reliable execution of components as demanded by the system configuration.

An OSEK/VDX-based Multi-JVM for Automotive Appliances

The automotive industry has recent ambitions to integrate multiple applications from different micro controllers on a single, more powerful micro controller. The outcome of this integration process is the loss of the physical isolation and a more complex monolithic software. Memory protection mechanisms need to be provided that allow for a safe co-existence of heterogeneous software from different vendors on the same hardware, in order to prevent the spreading of an error to the other applications on the controller and leaving an unclear responsibility situation. With our prototype system KESO, we present a Java-based solution for robust and safe embedded real-time systems that does not require any hardware protection mechanisms. Based on an OSEK/VDX operating system, we offer a familiar system creation process to developers of embedded software and also provide the key benefits of Java to the embedded world. To the best of our knowledge, we present the first Multi-JVM for OSEK/VDX operating systems. We report on our experiences in integrating Java and an embedded operating system with focus on the footprint and the real-time capabilities of the system.

OSEK/VDX API for Java

Modern cars contain a multitude of micro controllers for a wide area of tasks. The diversity of the heterogeneous hardware and software leads to a complicated and expensive integration process.Integrating multiple tasks on fewer micro controllers reduces diversity and costs of production, but poses new problems with the growing complexity of software on a single micro controller. Therefore a more robust software development process and a safe execution environment is needed in the automotive area and other areas with similar constraints. With the KESO system we have implemented a very small and adapted Java execution environment for an OSEK/VDX operating system to address these issues.In this paper we present our approach for a low overhead OSEK/VDX system interface, which is an integral component of the KESO system. We show how access to the system services can be restricted at low cost to ensure the isolation of tasks by the use of type-safety and modern compiler techniques, while maintaining a familiar programming interface for developers that are used to OSEK application development using the C programming language.

Escaping the Bonds of the Legacy: Step-Wise Migration to a Type-Safe Language in Safety-Critical Embedded Systems

Type-safe high-level languages such as Java have not yet found their way into the domain of deeply embedded systems, even though numerous attempts have been made to make these languages cost attractive. One major challenge that remains is the huge existing code base in many industries. Completely reengineering this code base is not viable for cost and time reasons. We present an approach that allows to isolatedly combine legacy software components and safe software components in an embedded system using the two most common communication idioms found in this domain. Our approach allows the developer to freely choose between hardware- and software-based isolation mechanisms. We demonstrate the feasibility of our approach by porting a non-trivial part of a real-world, hard real-time embedded avionics application. Our results show that the cost of this mixed-mode operation is on the same scale as the pure operation.

RT-LAGC: Fragmentation-Tolerant Real-Time Memory Management Revisited

The use of managed, type-safe languages such as Java in real-time and embedded systems is advantageous, as it offers productivity and especially safety and dependability benefits over dominating unsafe languages. A Java Virtual Machine (JVM) has to provide an implicit memory management system such as a garbage collector (GC), for example, as explicit memory management through allocation and release operations by the application developer is prone to programming errors and may result in a violation of the type system properties. Real-time systems have specific requirements regarding space and time bounds and a GC has to ensure that these defined upper limits will not be exceeded. A proper solution to address this issue is, for example, employing fragmentation-tolerant garbage collection as proposed by Pizlo et al. [16]. Their approach is called SCHISM/CMR. Based on their work, we developed an alternative fragmentation-tolerant GC variant called RT-LAGC, which is supported by our compiler jino and is part of the KESO JVM [18]. RT-LAGC is a cooperative GC, that is, the real-time system developer and the compiler assist the GC through system configuration (e.g. enough slack time for the GC to run) and program analyses, respectively. This is achieved by integrating the GCs in the design process of the whole system just as any other user application. In RT-LAGC, we designed a new bidirectional fragmented object layout. Furthermore, we implemented latency-aware management of fragmented memory as well as an alternative collection technique for array meta-information. Moreover, the execution properties of an exemplary application were improved by jinos extended escape analysis. RT-LAGC is evaluated against KESOs purely incremental non-fragmentation-tolerant GC called IRRGC and a throughput-optimized stop-the-world collector named CBGC. A classification of typical memory patterns for Java objects supports the predictability of the examined embedded system.

Team up: cooperative memory management in embedded systems

The use of a managed, type-safe languages such as Java in realtime and embedded systems can offer productivity and, in particular, safety and dependability benefits over the dominating unsafe languages at reasonable costs. A JVM that has dynamic memory-management needs to provide an implicit memory-management strategy, that is, for example, a garbage collector (GC) or stack allocation provided by the escape analysis of the JVMs compiler: Explicit management of dynamically allocated memory (i.e., by use of functions such as Cs malloc () and free()) is vulnerable to programming errors such as neglected or false memory release operations causing memory leaks or dangling pointers. Such operations have the potential to break the soundness of the type system and are therefore usually not available for strongly typed languages. Type-safe languages in combination with static analyses - which respect hardware as well as system-specific information - can efficiently be employed to provide a runtime system including memory management (MM) that is specifically suited to an embedded application on a particular hardware device. In the context of this paper, we present novel memory-management strategy we implemented in our KESO JVM. It is a latency-aware garbage-collection algorithm called LAGC. Also, we introduce the static analyses that can assist LAGC. The application developers have to ensure that there is enough time for the GCs to run. Hardware characteristics such as soft-error proneness of the hardware or the memory layout can also be taken into consideration as demanded by the system configuration. This is achieved by integrating the GCs in the design process of the whole system just as any other user application, which is the reason why this approach is called cooperative memory management. The suggested strategies require reasonably low overhead.

Memory protection at option

There is hardware- and software-based memory protection that can improve the dependability of software systems. The two variants vary in the degree of protection and the amount and sites of overhead. The decision for a particular mechanism therefore highly depends on the application and deployment scenario. We propose a system suited for deeply embedded systems that allows to choose among no protection, software-based protection, hardware-based protection or a combination of the two without the need to change the application. In this paper, we present the current state of this work and support our claim that the best-suited memory protection type depends on the application by a preliminary evaluation.