Tullio Vardanega
University of Padua
Publication
Featured research published by Tullio Vardanega.
ACM SIGAda Ada Letters | 2004
Alan Burns; Brian Dobbing; Tullio Vardanega
Tombs and the permission by Aonix Inc. to use sections of their cross-development guide for the ObjectAda/Raven® product as the textual basis of the initial version of this report.
Euromicro Conference on Real-Time Systems | 2012
Liliana Cucu-Grosjean; Luca Santinelli; Michael Houston; Code Lo; Tullio Vardanega; Leonidas Kosmidis; Jaume Abella; Enrico Mezzetti; Eduardo Quiñones; Francisco J. Cazorla
The rigorous application of static timing analysis requires a large and costly amount of detailed knowledge on the hardware and software components of the system. Probabilistic Timing Analysis has potential for reducing the weight of that demand. In this paper, we present a sound measurement-based probabilistic timing analysis technique based on Extreme Value Theory. In all the experiments made as part of this work, the timing bounds determined by our technique were less than 15% pessimistic in comparison with the tightest possible bounds obtainable with any probabilistic timing analysis technique. As a point of interest to industrial users, our technique also requires a comparatively low number of measurement runs of the program under analysis: less than 650 runs were needed for the benchmarks presented in this paper.
ACM Transactions in Embedded Computing Systems | 2013
Francisco J. Cazorla; Eduardo Quiñones; Tullio Vardanega; Liliana Cucu; Benoit Triquet; Guillem Bernat; Emery D. Berger; Jaume Abella; Franck Wartel; Michael Houston; Luca Santinelli; Leonidas Kosmidis; Code Lo; Dorin Maxim
Static timing analysis is the state-of-the-art practice of ascertaining the timing behavior of current-generation real-time embedded systems. The adoption of more complex hardware to respond to the increasing demand for computing power in next-generation systems exacerbates some of the limitations of static timing analysis, in particular the effort of acquiring (1) detailed information on the hardware to develop an accurate model of its execution latency as well as (2) knowledge of the timing behavior of the program in the presence of varying hardware conditions, such as those dependent on the history of previously executed instructions. We call these problems the timing analysis walls. In this vision-statement article, we present probabilistic timing analysis, a novel approach to the analysis of the timing behavior of next-generation real-time embedded systems. We show how probabilistic timing analysis attacks the timing analysis walls; we then illustrate the mathematical foundations on which this method is based and the challenges we face in the effort of efficiently implementing it. We also present experimental evidence that shows how probabilistic timing analysis reduces the extent of knowledge about the execution platform required to produce probabilistically accurate WCET estimations.
International Symposium on Industrial Embedded Systems | 2013
Franck Wartel; Leonidas Kosmidis; Code Lo; Benoit Triquet; Eduardo Quiñones; Jaume Abella; Adriana Gogonel; Andrea Baldovin; Enrico Mezzetti; Liliana Cucu; Tullio Vardanega; Francisco J. Cazorla
Probabilistic Timing Analysis (PTA) in general and its measurement-based variant called MBPTA in particular can mitigate some of the problems that impair current worst-case execution time (WCET) analysis techniques. MBPTA computes tight WCET bounds expressed as probabilistic exceedance functions, without needing much information on the hardware and software internals of the system. Classic WCET analysis has information needs that may be costly and difficult to satisfy, and their omission increases pessimism. Previous work has shown that MBPTA does well with benchmark programs. Real-world applications however place more demanding requirements on timing analysis than simple benchmarks. It is interesting to see how PTA responds to them. This paper discusses the application of MBPTA to a real avionics system and presents lessons learned in that process.
Euromicro Conference on Real-Time Systems | 2005
Matteo Bordin; Tullio Vardanega
Graphical languages of various sorts are increasingly used for the specification and the design of high-integrity real-time systems. Their coverage however does not extend with as much success to automated source code generation. Several hurdles cause the model-to-code translation to often lapse in the preservation of the desired semantics. This paper illustrates the choices we have made to provide the HRT-UML design method with an automated Ravenscar-compliant source code generation engine. Compliance with the Ravenscar computational model warrants static analysability of the source code and predictability of execution. By elevating this compliance to the design stage, we earn semantic preservation across the whole development process.
Worst Case Execution Time Analysis | 2013
Francisco J. Cazorla; Tullio Vardanega; Eduardo Quiñones; Jaume Abella
In this paper we discuss the limitations of and the precautions to account for when using Extreme Value Theory (EVT) to compute upper bounds to the execution time of programs. We analyse the requirements placed by EVT on the observations to be made of the events of interest, and the conditions that render safe the computations of execution time upper bounds. We also study the requirements that a recent EVT-based timing analysis technique, Measurement-Based Probabilistic Timing Analysis (MBPTA), introduces, besides those imposed by EVT, on the computing system under analysis to increase the trustworthiness of the upper bounds that it computes.
International Conference on Reliable Software Technologies | 2007
Matteo Bordin; Tullio Vardanega
Current trends in software engineering promote the contention that the use of model-driven approaches should prove as beneficial to high-integrity systems as they have to business applications. Unfortunately, model-driven approaches as they presently stand focus more on attaining greater extents of automation than on warranting absolute end-to-end correctness for the target development process. This paper presents some elements of a novel approach that centres on a correctness-by-construction philosophy rooted on a domain-specific metamodel designed to formally define and constrain the design space and prove the allowable model transformations down to automated code generation.
IEEE Transactions on Industrial Informatics | 2010
Daniela Cancila; Roberto Passerone; Tullio Vardanega; Marco Panunzio
In high-integrity systems, the focus of the development process is geared to assuring that the assertions made on the system are both correct (i.e., semantically sustainable) and feasible (i.e., true at run time). Some of those assertions take effect in the non-functional domain, that is, in how the system is realized and behaves in time, space and communication during execution; others in the functional domain, and thus concern what outputs the system produces for its inputs. In this paper, we address the problem of achieving correct specification and handling of non-functional attributes, with particular regard to the concurrent structure of the system, the safeness of the interaction protocols engaged in it, and the guarantee that its timing feasibility can be statically verified. Our approach is based on a Model-Driven Engineering methodology, in which correctness can be ensured by construction or verified at a high level of abstraction, while the runtime implementation structure and code are automatically generated. We employ the Ravenscar Computation Model (RCM) and focus, in particular, on aerospace applications, which impose stringent requirements on correctness properties. We discuss an algebraic formalization of our model based on graph theory which we use to prove safe termination in systems compliant with RCM, and show how to use the MAST+ static analyzer to verify the timing aspects. We finally illustrate the results of a prototype tool that was developed for evaluation by major industrial players in the European space industry.
International Symposium on Industrial Embedded Systems | 2015
Jaume Abella; Carles Hernandez; Eduardo Quiñones; Francisco J. Cazorla; Philippa Ryan Conmy; Mikel Azkarate-Askasua; Jon Perez; Enrico Mezzetti; Tullio Vardanega
In the last three decades a number of methods have been devised to find upper-bounds for the execution time of critical tasks in time-critical systems. Most of such methods aim to compute Worst-Case Execution Time (WCET) estimates, which can be used as trustworthy upper-bounds for the execution time that the analysed programs will ever take during operation. The range of analysis approaches used includes static, measurement-based and probabilistic methods, as well as hybrid combinations of them. Each of those approaches delivers its results on the assumption that certain hypotheses hold on the timing behaviour of the system as well as that the user is able to provide the needed input information. Often enough the trustworthiness of those methods is only adjudged on the basis of the soundness of the method itself. However, trustworthiness rests a great deal also on the viability of the assumptions that the method makes on the system and on the user's ability, and on the extent to which those assumptions hold in practice. This paper discusses the hypotheses on which the major state-of-the-art timing analysis methods rely, identifying pitfalls and challenges that cause uncertainty and reduce confidence on the computed WCET estimates. While identifying weaknesses, this paper does not wish to discredit any method but rather to increase awareness on their limitations and enable an informed selection of the technique that best fits the user needs.
Design, Automation, and Test in Europe | 2015
Franck Wartel; Leonidas Kosmidis; Adriana Gogonel; Andrea Baldovin; Zoë R. Stephenson; Benoit Triquet; Eduardo Quiñones; Code Lo; Enrico Mezzetti; Ian Broster; Jaume Abella; Liliana Cucu-Grosjean; Tullio Vardanega; Francisco J. Cazorla
Probabilistic Timing Analysis (PTA) in general and its measurement-based variant called MBPTA in particular have been shown to facilitate the estimation of the worst-case execution time (WCET). MBPTA relies on specific hardware and software support to randomise and/or upper bound a number of sources of execution time variation to drastically reduce the need for user-provided information, thus replacing uncertainty by probabilities. MBPTA has been proven effective for specific single-core processor designs. However, particular hardware features and multicores in general challenge MBPTA application in industrial-quality developments. While solutions to those challenges have been proven on benchmarks, they have not been proven yet on real-world applications, whose timing analysis is far more challenging than that of simple benchmarks. This paper discusses the application of MBPTA to a real avionics system in the context of (1) software-only single-core solutions and (2) hardware-only multicore solutions with an ARINC 653 operating system.