scispace - formally typeset

Book ChapterDOI

A Methodology and Tool Support for Generating Scheduled Native Code for Real-Time Java Applications

13 Oct 2003-pp 274-289

TL;DR: Current trends in industry are leading towards the use of Java as a programming language for implementing embedded and real-time applications, and the Java environment is indeed a very attractive development framework.

AbstractCurrent trends in industry are leading towards the use of Java [5] as a programming language for implementing embedded and real-time applications. From the software engineering perspective, the Java environment is indeed a very attractive development framework. Object-oriented programming provides encapsulation of abstractions into objects that communicate through clearly defined interfaces. Dynamic loading eases the maintenance and improvement of complex applications with evolving requirements and functionality. Besides, Java provides built-in support for multi-threading.

Topics: Real time Java (73%), Java annotation (71%), Java concurrency (70%), strictfp (69%), Java (67%)

Summary (3 min read)

1 Introduction

  • Current trends in industry are leading towards the use of Java [5] as a programming language for implementing embedded and real-time applications.
  • Among such work, the authors should mention the Real-Time Specification for Java [11], and the Real-Time Core Extension for the Java Platform [12], that provide support for real-time programming (timers, clocks, handlers, priorities, . . . ).
  • The semantics proposed by the profile do not fit the needs of applications that would demand alternative scheduling and synchronization paradigms, and handling quality of service requirements.
  • Its execution time is between 5ms and 6ms.
  • Section 3 explains the scheduler architecture and execution semantics, while section 4 describes their methodology for synthesizing an application-dependent scheduler.

2 Model Generation

  • The authors consider real-time Java applications made up of a fixed number of threads that synchronize and communicate through a fixed set of global shared objects.
  • Large blocks of source code or to specific statements, such as:lock (corresponding to the Java-bytecodemonitorEnter ), unlock (monitorExit ), wait, waitTimed (the Javawait method with a timeout parameter), andwaitForPeriod (the method of the classPeriodicThread in the Expresso profile, which blocks a thread until its next period).
  • This is done to keep the synchronization context consistent during the model extraction process.
  • The fact that the threadTh holds the lock ofO is recorded by adding{O} to theΣ of thesynchronized statement.
  • These graph-rewrite rules allow us to obtain an extended automaton at the desired level of abstraction for each application thread.

3.1 Architecture

  • The architecture of the schedulers the authors synthesize consists of two three-layered stacks [7], as shown in Fig.
  • The left stack selects a thread for execution.
  • The reason for this is that the threads which will be notified (if any) cannot ever be selected for execution.
  • The middle layerSafe-Notif, calculates the subsetSnotif of Rnotif consisting of those threads which, if notified, will not cause the system to enter into a deadlock state or to miss a deadline.
  • In choosing a QoS policy (or policies, since these are composable) the designer can balance between the execution time and extra memory space needed by the policy and the gains to the overall system quality the particular policy can offer.

3.2 Semantics

  • The model of the system the authors construct is the parallel composition of:(i) an automaton which is responsible for advancing time and firing timeouts,(ii) one automaton for each of the application threads, and(iii) two more automata, for theQoS-Execand theQoSNotif scheduler layers respectively.
  • The application automata are those obtained from the Java source code, appropriately annotated with the timing constraints modeling the execution times of the code that has been abstracted away.
  • The system goes through three different modes of execution, as shown in Fig. 5(c).
  • In the “Time Only” mode (whereExecSchedEnabled = Notif SchedEnabled = true) the automaton responsible for advancing time and firing timeouts (shown in Fig. 5(a)) is the sole automaton enabled in the system and it can fire one or more timeouts, if any is enabled, corresponding to the expiration of awaitTimed orwaitForPeriod.
  • If a timeout is fired then the execution mode changes to “Schedulers Only” (where ExecSchedEnabled= ¬Notif SchedEnabled), so that their scheduler can handle it.

4 Scheduler Synthesis

  • In order to synthesize theSafe-ExecandSafe-Notifscheduler layers, the authors first construct the set of reachable states and, thus, identify the deadlocks.
  • These are the states where the application threads are deadlocked, or the states where some thread has missed its deadline or period (since in that case the authors block the system explicitly).
  • The existence of these states indicates that the predicate the authors are currently using to describe the setSexec (resp.Snotif ) needs to be constrained even further.
  • Having obtained the deadlocked states, the authors do a backwards traversal of the whole state space starting from the deadlocked states, until they reach a state which corresponds to a choice of one of the scheduler automata.
  • There, the authors identify the choiceTExec = ti which allowed the path leading to a deadlock state(s) and create a new constraint for the layerSafe-Exec(resp. Safe-Notif).

4.1 State-Space Reduction and Application Analysis

  • Even though the basic idea of synthesizing theSafe-ExecandSafe-Notifscheduler layers is simple, it is evident that in practice it suffers from the state explosion problem.
  • The authors then apply the synthesis algorithm again on the parallel composition of the already constrained models.
  • The authors examine theuntimed model (U) of the system and search for constraints which can guarantee theabsence of deadlocks.
  • Once the authors can indeed safely schedule the system under the hypothesis that threads are never preempted, then they can use the constraints obtained during this step toreduce even furtherthe state space that they have to construct and analyze when they do allow threads to be preempted.
  • Therefore, if the authors wish their scheduler to always make a decision which issafe, then theSexec set of thisequivalence classof states should be theintersectionof theSexec sets of the states which belong to the same equivalence class.

5 Scheduler Implementation

  • Once the scheduler has been synthesized using the model, it has to be implemented and integrated with the code generated by the TurboJ compiler.
  • The application-level scheduler is implemented on top of an accompanying runtime library, which offers an implementation in native code of the aforementioned statements and methods.
  • Finally, the authors use three different priority levels, namely,BLOCKED , EXEC & SUPER (from lowest to highest) and theSCHED_FIFOPOSIX scheduling policy (i.e., priority based, FIFO, non-preemptive execution of tasks having the same priority).
  • J_Scheduler calls the function Synthesized_Predicates (generated by the synthesis tool) passing it the current labels of all the application threads.
  • This final action releasessched mx just before blocking, thus allowing the notified threadtn to resume execution.

6 Conclusions

  • The authors have presented a complete application-driven scheduler synthesis chain that allows to automatically generate native code for embedded real-time systems based on Java.
  • In addition, it allows one to substitute RMA/EDF & PCP with a scheduler which is still safe but not as pessimistic and which can be easily extended with QoS scheduling policies.
  • The authors are not aware of any other similar chain.
  • The full integration of the model- generation and scheduler-synthesis tools with the compiler is under test as it requires a close collaboration with the TurboJ development team.

Did you find this useful? Give us your feedback

...read more

Content maybe subject to copyright    Report

City, University of London Institutional Repository
Citation: Kloukinas, C., Nakhli, C. and Yovine, S. (2003). A Methodology and Tool Support
for Generating Scheduled Native Code for Real-Time Java Applications. Lecture Notes in
Computer Science: Embedded Software, 2855, pp. 274-289. doi: 10.1007/978-3-540-45212-
6_18
This is the unspecified version of the paper.
This version of the publication may differ from the final published
version.
Permanent repository link: https://openaccess.city.ac.uk/id/eprint/2896/
Link to published version: http://dx.doi.org/10.1007/978-3-540-45212-6_18
Copyright: City Research Online aims to make research outputs of City,
University of London available to a wider audience. Copyright and Moral
Rights remain with the author(s) and/or copyright holders. URLs from
City Research Online may be freely distributed and linked to.
Reuse: Copies of full items can be used for personal research or study,
educational, or not-for-profit purposes without prior permission or
charge. Provided that the authors, title and full bibliographic details are
credited, a hyperlink and/or URL is given for the original metadata page
and the content is not changed in any way.
City Research Online

City Research Online: http://openaccess.city.ac.uk/ publications@city.ac.uk

A methodology and tool support for generating
scheduled native code for real-time Java applications
?
Christos Kloukinas Chaker Nakhli Sergio Yovine
VERIMAG
Centre Equation, 2 Ave. Vignate, 38610 Gi
`
eres, France
{Christos.Kloukinas,Chaker.Nakhli,Sergio.Yovine}@imag.fr
1 Introduction
Current trends in industry are leading towards the use of Java [5] as a programming
language for implementing embedded and real-time applications. From the software
engineering perspective, the Java environment is indeed a very attractive development
framework. Object-oriented programming provides encapsulation of abstractions into
objects that communicate through clearly defined interfaces. Dynamic loading eases
the maintenance and improvement of complex applications with evolving requirements
and functionality. Besides, Java provides built-in support for multi-threading.
However, the semantics of Java do not guarantee a predictable run-time behavior,
which is an essential issue in embedded real-time software. To overcome this problem,
work has been done to extend the language and the platform to accommodate to the
requirements of real-time systems by focusing on current practices. Among such work,
we should mention the Real-Time Specification for Java [11], and the Real-Time Core
Extension for the Java Platform [12], that provide support for real-time programming
(timers, clocks, handlers, priorities, ... ). Still, these extensions leave some important is-
sues unspecified, like the scheduling algorithm to be used, allowing an implementation
to resolve them at will.
In order to obtain more precise semantics, domain-specific profiles have also been
defined, such as the Ravenscar-Java [8] high-integrity profile for safety-critical sys-
tems. This profile settles an execution model based on a two/three-phase program ex-
ecution, comprising an initialization phase and a mission phase (possibly followed by
a termination phase), and multi-threading semantics relying on fixed priority preemp-
tive scheduling and priority ceiling inheritance. Though designed to ease analysis and
programming, this profile still has some drawbacks. For instance, it does not directly
support threads which synchronize and communicate using the wait and notify
methods of Java. Besides, the underlying schedulability analysis is pessimistic by na-
ture and not well adapted for systems with heterogeneous tasks and constraints.
The other important issue is performance. Though there are efforts to produce effi-
cient implementations of Java Virtual Machines (e.g., [1,15]), the slowdown due to the
VM remains an argument against adopting Java for real-time applications. Real-time
systems can afford neither the overhead nor the non-determinism of using a Just-In-
Time (JIT) compiler (e.g., [3,14]). An alternative approach consists in using an Ahead-
?
Partially supported by the RNTL project Expresso (http://www.irisa.fr/rntl-expresso).

of-Time (AOT) compiler (e.g., [10,17]) to generate executable code for a run-time sys-
tem and to provide a native implementation of the real-time primitives. A major advan-
tage of AOT compilation is that it allows performing sophisticated analysis techniques
to produce highly optimized code.
In this paper we present an approach that takes into account the demands of both
precise semantics and performance. Our work is based on the two/three-phase execution
model and API of the Expresso High-Integrity Profile [4], which itself inherits concepts
from the Ravenscar-Java profile and the RTSJ API. However, the semantics proposed by
the profile do not fit the needs of applications that would demand alternative schedul-
ing and synchronization paradigms, and handling quality of service requirements. To
accommodate to such demands, our approach focuses primarily on the application.
Model
Automata
Timed
Scheduler
Synthesis
Table of
Dynamic
Priorities
Program
Java
Information
WCET
Instrumented
Java
Program
Compiler
Java
TurboJ
Executable
Native
Run−Time
RT OS
(POSIX / eCos)
(per state)
Model
Generator
Scheduler
Support Library
Fig.1. Code analysis & generation chain
Following [13], we first extract a formal model of the behavior of the application
program as an extended automaton (see Fig. 1 & section 2). Then, we synthesize an
application-dependent scheduler (see sections 34) which is safe (i.e., it is deadlock
free and meets all timing constraints) and QoS extendible (i.e., it can be extended to
handle QoS requirements, such as reducing response jitter, power consumption or con-
text switches). This synthesized scheduler is meant to be used with an appropriate native
run-time support we have developed, which itself uses the underlying R-T OSs primi-
tives (see section 5). Our scheduler also needs an instrumented version of the original
Java code (also produced by our model extracting tool), so as to be able to follow

the changes of thread states (i.e., the instrumentation implements an abstract program
counter). The test-bed we have developed has been integrated together with the Ex-
presso High-Integrity API and the TurboJ [17] Java-to-native compiler.
This framework provides a complete analysis and compilation chain for embedded
real-time systems based on Java, allowing one to substitute RMA/EDF & PCP with a
scheduler which is still safe but not as pessimistic. In this article, we describe the model
generator, the scheduler architecture and synthesis methodology, and the prototype test-
bed implemented using POSIX [6] primitives.
We will illustrate our approach throughout the paper with a case study inspired
by the robotic arm system described in [9] (see Fig. 2). The arm is programmed to
take objects from a conveyor belt, to store them in a buffer shelf, and to put them
into a basket. The arm is controlled by threads running on a single processor. The
TrajectoryControl thread reads commands from a shared buffer and issues set-
points to the low-level arm controller Controler. If there are no commands to pro-
cess, it holds, otherwise reads sensor values and computes the new set-point. Its ex-
ecution time is between 5ms and 6ms. The Lifter thread is activated periodically
every 40ms. Its role is to command the arm to pick objects from the conveyor belt.
Upon termination, it issues a command to the TrajectoryControl and activates
the Putter. Its execution time is between 4ms to 8ms. The Putter thread sends com-
mands to take the object from the buffer shelf and put it into the basket. Its execution
time is between 4ms to 8ms. The SensorReader thread reads sensors every 24ms. Its
execution time is 1ms. The results of the sensors are used by TrajectoryControl.
Controler is a periodic thread with period 16ms. Notice in Fig. 2 how, according
to the Expresso HIP-API,
waitForPeriod
returns a boolean value which is
false
if the
thread misses its period. In such a case, the application ends the mission phase and
goes into a termination phase which is omitted here. In this paper we only consider the
problem of synthesizing a scheduler for the mission phase.
The paper is organized as follows. Section 2 presents the technique we use to gen-
erate models from Java source code. Section 3 explains the scheduler architecture and
execution semantics, while section 4 describes our methodology for synthesizing an
application-dependent scheduler. Section 5 discusses our test-bed implementation.
2 Model Generation
We consider real-time Java applications made up of a fixed number of threads that
synchronize and communicate through a fixed set of global shared objects. There is a
distinguished thread, namely Main, which is the first thread to wake up at application
startup and the unique entry-point of the application. We assume that Main is pro-
grammed according to the Expresso HIP, that is, all the shared objects and threads are
created during the initialization phase.
The model of a Java program is a transition system which abstracts program actions
and states. Each state in the model is an abstraction of a program state at run-time. Tran-
sitions are associated with source code and capture the change that its execution makes
to the program state. More formally, let Θ = {th
i
} be a finite set of threads, = {O
i
}
be a finite set of shared objects, and A be a set of labels. Labels may correspond to

Citations
More filters

Journal ArticleDOI
01 Mar 2005
TL;DR: The proposed framework for component-based modeling using an abstract layered model for components considers components where behavior models are transition systems and interaction models are described by priority relations on interactions, leading to a concept of "flexible" composition different from usual composition in that it preserves deadlock-freedom and is appropriate for correctness by construction.
Abstract: We propose a framework for component-based modeling using an abstract layered model for components. A component is the superposition of two models: a behavior model and an interaction model. Interaction models describe architectural constraints induced by connectors between components.We propose and analyze general requirements for component composition that motivated and guided the development of the framework. We define an associative and commutative composition operator on components encompassing heterogeneous interaction. As a particular instance of the proposed framework, we consider components where behavior models are transition systems and interaction models are described by priority relations on interactions. This leads to a concept of "flexible" composition different from usual composition in that it preserves deadlock-freedom and is appropriate for correctness by construction. Nevertheless, flexible composition is a partial operation. Product systems should be interaction safe in the sense that they do not violate constraints of the interaction model.We propose results ensuring correctness by construction of a system from properties of its interaction model and of its components. The properties considered include global deadlock-freedom, individual deadlock-freedom of components, and interaction safety.

246 citations


Cites background from "A Methodology and Tool Support for ..."

  • ...Nevertheless, its key features, such as combination of behavior and priorities and the resulting advantages in composability and compositionality, have already been positively assessed in some non-trivial applications [18] and [12]....

    [...]


Journal ArticleDOI
TL;DR: A general procedure for synthesizing non-linear formulas which conservatively estimate the quantity of memory explicitly allocated by a method as a function of its parameters is proposed.
Abstract: We present a static analysis for computing a parametric upper-bound of the amount of memory dynamically allocated by (Java-like) imperative object-oriented programs. We propose a general procedure for synthesizing non-linear formulas which conservatively estimate the quantity of memory explicitly allocated by a method as a function of its parameters. We have implemented the procedure and evaluated it on several benchmarks. Experimental results produced exact estimations for most test cases, and quite precise approximations for many of the others. We also apply our technique to compute usage in the context of scoped memory and discuss some open issues.

42 citations


Cites background from "A Methodology and Tool Support for ..."

  • ..., [29]) to make decisions based on available memory resources and the memory-consumption estimates....

    [...]


Proceedings ArticleDOI
18 Sep 2005
TL;DR: This work proposes algorithms for the automatic construction of code-aware resource managers for multithreaded embedded applications, and produces a compact code description of these strategies.
Abstract: Multithreaded programs coordinate their interaction through synchronization primitives like mutexes and semaphores, which are managed by an OS-provided resource manager. We propose algorithms for the automatic construction of code-aware resource managers for multithreaded embedded applications. Such managers use knowledge about the structure and resource usage (mutex and semaphore usage) of the threads to guarantee deadlock freedom and progress while managing resources in an efficient way. Our algorithms compute managers as winning strategies in certain infinite games, and produce a compact code description of these strategies. We have implemented the algorithms in the tool Cynthesis. Given a multithreaded program in C, the tool produces C~code implementing a code-aware resource manager. We show in experiments that Cynthesis produces compact resource managers within a few minutes on a set of embedded benchmarks with up to 6 threads.

29 citations


Cites background from "A Methodology and Tool Support for ..."

  • ...In closely related work, [17, 16] study the synthesis of code-aware managers for Java....

    [...]

  • ...This analysis is not present in some recent work on code-aware schedulers [17, 16], a circumstance that prevents those schemes from addressing the problem of progress (or absence of starvation), C compiler C compiler...

    [...]


Book ChapterDOI
01 Jan 2004
TL;DR: It is shown that priorities are expressive enough to represent restrictions induced by deadlock-free controllers preserving safety properties and a correspondence between such restrictions and priorities is defined and compositionality results about the preservation of this correspondence are provided.
Abstract: We present a framework for the incremental construction of deadlock-free systems meeting given safety properties. The framework borrows concepts and basic results from the controller synthesis paradigm by considering a step in the construction process as a controller synthesis problem. We show that priorities are expressive enough to represent restrictions induced by deadlock-free controllers preserving safety properties. We define a correspondence between such restrictions and priorities and provide compositionality results about the preservation of this correspondence by operations on safety properties and priorities. Finally, we provide an example illustrating an application of the results

26 citations


Journal ArticleDOI
TL;DR: A simple programming language, called Nemo, specific to the domain of multitask real-time control systems, such as in robotic, automotive, or avionics systems, is proposed, based on the synchronous modelling techniques, languages, and tools.
Abstract: We propose a simple programming language, called Nemo, specific to the domain of multitask real-time control systems, such as in robotic, automotive, or avionics systems. It can be used to specify a set of resources with usage constraints, a set of tasks that consume them according to various modes, and applications sequencing the tasks. We automatically obtain an application-specific task handler that correctly manages the constraints (if there exists one), through a compilation-like process including a phase of discrete controller synthesis. This way, this formal technique contributes to the safety of the designed systems, while being encapsulated in a tool that makes it usable by application experts. Our approach is based on the synchronous modelling techniques, languages, and tools.

25 citations


References
More filters

Book
12 Sep 1996
TL;DR: The Java Language Specification, Second Edition is the definitive technical reference for the Java programming language and provides complete, accurate, and detailed coverage of the syntax and semantics of the Java language.
Abstract: From the Publisher: Written by the inventors of the technology, The Java(tm) Language Specification, Second Edition is the definitive technical reference for the Java(tm) programming language If you want to know the precise meaning of the language's constructs, this is the source for you The book provides complete, accurate, and detailed coverage of the syntax and semantics of the Java programming language It describes all aspects of the language, including the semantics of all types, statements, and expressions, as well as threads and binary compatibility

4,343 citations


"A Methodology and Tool Support for ..." refers background in this paper

  • ...Current trends in industry are leading towards the use of Java [5] as a programming language for implementing embedded and real-time applications....

    [...]


01 Jan 1966
Abstract: ArtDirector RuthM.EdmistonProduction Editor HEADQUARTERSSTAFF ~~~~~~~~be senttotheeditor ofthatTransactions attheaddress shownintheOctober issue ofIEEESPEC- CarlMaler ~~~~~~~TRUM, page112.Whenindoubt, sendthemanuscript toE.K.Gannett, Director, Editorial Ser- Advertising Producetion Manager vices, atIEEEHeadquarters, forforwarding tothecorrect party.

1,491 citations


Book
15 Jan 2000
TL;DR: RTSJ's features and the thinking behind the specification's design are explained, which aims to provide a platform-a Java execution environment and application program interface (API) that lets programmers correctly reason about the temporal behavior of executing software.
Abstract: New languages, programming disciplines, operating systems, and software engineering techniques sometimes hold considerable potential for real-time software developers. A promising area of interest-but one fairly new to the real-time community-is object-oriented programming. Java, for example, draws heavily from object orientation and is highly suitable for extension to real-time and embedded systems. Recognizing this fit between Java and real-time software development, the Real-Time for Java Experts Group (RTJEG) began developing the real-time specification for Java (RTSJ) in March 1999 under the Java Community Process. This article explains RTSJ's features and the thinking behind the specification's design. The goal of the RTJEG, of which the authors are both members, was to provide a platform-a Java execution environment and application program interface (API)-that lets programmers correctly reason about the temporal behavior of executing software.

1,092 citations


Journal ArticleDOI
TL;DR: This paper investigates whether observation equivalence really does respect the branching structure of processes, and finds that in the presence of the unobservable action τ of CCS this is not the case, and the notion of branching bisimulation equivalence is introduced which strongly preserves the branching structures of processes.
Abstract: In comparative concurrency semantics, one usually distinguishes between linear time and branching time semantic equivalences. Milner's notion of observatin equivalence is often mentioned as the standard example of a branching time equivalence. In this paper we investigate whether observation equivalence really does respect the branching structure of processes, and find that in the presence of the unobservable action t of CCS this is not the case.Therefore, the notion of branching bisimulation equivalence is introduced which strongly preserves the branching structure of processes, in the sense that it preserves computations together with the potentials in all intermediate states that are passed through, even if silent moves are involved. On closed CCS-terms branching bisimulation congruence can be completely axiomatized by the single axion scheme: a.(t.(y+z)+y)=a.(y+z) (where a ranges over all actions) and the usual loaws for strong congruence.We also establish that for sequential processes observation equivalence is not preserved under refinement of actions, whereas branching bisimulation is.For a large class of processes, it turns out that branching bisimulation and observation equivalence are the same. As far as we know, all protocols that have been verified in the setting of observation equivalence happen to fit in this class, and hence are also valid in the stronger setting of branching bisimulation equivalence.

825 citations


Book
01 Dec 1990

229 citations