Peter Puschner | Tu Wien (original) (raw)
Papers by Peter Puschner
Proceedings of the 2014 Forum on Specification and Design Languages (FDL), 2014
This paper presents the Platform Specific Time Triggered Model (PS-TTM), a SystemC based modeling... more This paper presents the Platform Specific Time Triggered Model (PS-TTM), a SystemC based modeling and simulation framework for time-triggered safety-critical embedded systems. The approach facilitates the modeling of Time-Triggered Architecture (TTA) based embedded systems, following a strict separation between the designs of functionality and platform. The PS-TTM provides a value and time domain deterministic simulation environment for an early functional and temporal assessment of the systems. Moreover, the framework includes a time-triggered automatic test executor that enables to perform non-intrusive simulated fault injection (SFI) to the models. The SFI makes an early dependability assessment possible, what reduces the risk of late and expensive discovery of safety related pitfalls. The feasibility of the proposed framework is illustrated with a case study, based on the modeling, simulation and validation of a simplified railway on-board signaling system.
2008 11th IEEE International Symposium on Object and Component-Oriented Real-Time Distributed Computing (ISORC), 2008
The analysis of the worst-case execution time (WCET) requires detailed knowledge of the program b... more The analysis of the worst-case execution time (WCET) requires detailed knowledge of the program behavior. In practice it is still not possible to obtain all needed information automatically.
ACM SIGBED Review, 2015
In this paper we address the problem of improving the instruction cache performance for single-pa... more In this paper we address the problem of improving the instruction cache performance for single-path code. The properties of single-path code allow us to align single-path loops within the cache in order to reduce the number of cache misses during the loop execution. We propose an algorithm that categorizes loops in a simple way so that the loops can be aligned and NOP instructions can be inserted to support this loop alignment. Our experimental results show the predictability for cache misses in single-path loops and demonstrate the benefit of the single-path loop alignment.
This paper presents a testing and simulated fault injection framework for time-triggered safety-c... more This paper presents a testing and simulated fault injection framework for time-triggered safety-critical embedded systems. Our ap-proach facilitates the validation of fault-tolerance mechanisms by per-forming non-intrusive Simulated Fault Injection (SFI) on models of the system at different stages of the development, from the Platform Inde-pendent Model (PIM) to the Platform Specific Model (PSM). The SFI enables exercising the intended fault tolerance mechanisms by injecting faults in a simulated model of a system. The main benefit of this work is that it enables an early detection of design flaws in fault-tolerant sys-tems, what reduces the possibility of late discovery of design pitfalls that might require an expensive redesign of the system. We examine the fea-sibility of the proposed approach in a case study, where SFI is used to assess the fault tolerance mechanisms designed in a simplified railway signaling system.
The development and certification of safety critical embedded systems require the implementation ... more The development and certification of safety critical embedded systems require the implementation of fault-tolerance mechanisms to ensure the safe operation of the system even in the presence of faults. These mechanisms need to be verified and validated by means of fault injection. Simulated fault injection enables an early dependability assessment that validates the correct implementation of fault-tolerance mechanisms and reduces the risk of late and expensive discovery of safety related pitfalls. This paper presents a novel modeling and simulation framework for time-triggered safety critical embedded systems. Our approach supports simulated fault injection at different abstraction levels (platform independent and platform specific models) and integrates a time-triggered automatic test executor for the early verification and validation of the systems. The feasibility of the proposed framework is illustrated with a case study where a simplified railway signaling system is modeled and...
2014 3rd Mediterranean Conference on Embedded Computing (MECO), 2014
The increase in the amount of functionalities provided by safety-critical systems in the last yea... more The increase in the amount of functionalities provided by safety-critical systems in the last years has lead to a complexity growth in these systems. Several techniques have been developed in order to tackle this issue, including simplification strategies and the definition of time-deterministic models of computation (MoCs) and architectures, such as the Logical Execution Time MoC (LET) and the Time-Triggered Architecture (TTA) respectively. Although TTA based systems relying on the LET MoC have already been successfully applied to safety-critical systems, SystemC, the nowadays de-facto standard in HW/SW system development, does not provide a LET-based simulation engine for the modeling and assessment of these systems. With the aim to fill this gap, this paper presents the PI-TTM, a novel SystemC extension for the modeling and simulation of LET based safety-critical embedded systems.
In mixed-criticality systems, applications with different levels of criticality are integrated on... more In mixed-criticality systems, applications with different levels of criticality are integrated on the same computational platform. Without a proper isolation of the different applications of such a mixed-criticality system certification gets expensive, because it has to be shown that application components of lower criticality do not hamper the correct operation of the critical applications. Therefore, all components -even the less critical ones -have to be certified for the highest criticality level. The use of hypervisors promises to shield applications of different criticality from each other, thus keepting certification cost reasonable. Indeed hypervisors can provide spatial isolation. Further they can prohibit certain types of temporal interference. We show, however, that full temporal isolation is only achievable if the hypervisor is run on appropriate hardware. We discuss hardware mechanisms that thwart respectlively facilitate temporal isolation. This way we provide a guideline for the sharing of resources and the realization of memory hierarchies for mixedcriticality multi-core systems.
In mixed-criticality systems, applications of different criticality levels share the same computi... more In mixed-criticality systems, applications of different criticality levels share the same computing platform. To avoid spatial and temporal interference of the applications, the computing platform must implement measures for spatial and temporal isolation. In this paper we show how the enhancement of a static memory arbiter by a second, dynamic arbitration layer facilitates the interference-free integration of mixed-criticality applications with different performance requirements. This paper (a) compares the performance tradeoffs of the new dual-layer arbiter and a COTS arbiter and (b) evaluates the performance of an XtratuM hypervisor system running on a platform with this dual-layer arbiter.
2011 14th IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing Workshops, 2011
Today's embedded systems are considering cache as inherent part of their design. Unfortunately, c... more Today's embedded systems are considering cache as inherent part of their design. Unfortunately, cache memory behavior heavily depends on the past references which model a large execution history and makes WCET analysis impractical. This paper presents a novel prefetch memory mechanism that simplifies the prediction of cache hits/misses because the memory access times are independent of the execution history. We use local prefetching into on-chip memory together with a customdesigned prefetch controller instead of cache memories to provide for time-predictable memory accesses. To be competitive in code execution time, our approach relies on a special organization of main memory and on a modified compiler that generates code layouts to allow for parallel prefetching from different memory banks. The proposed solution is still in a conceptual phase. The paper discusses design decisions and parameters to be explored.
2010 13th IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing Workshops, 2010
In this paper we explore a hierarchical memory architecture that simplifies the WCET prediction o... more In this paper we explore a hierarchical memory architecture that simplifies the WCET prediction of tasks. Instead of using cache memories for speeding up code execution, we propose to use hierarchical memories that are similar to scratchpad memories. These memories are filled by explicit prefetch operations that are executed in synchrony with program execution. The instructions respectively the data that control the timing and the content to be loaded by these memory-fill operations are computed at code-generation time. The paper describes the overall system and memory architecture, and design choices for explicitely controlled timepredictable hierarchical memory architectures.
2014 12th IEEE International Conference on Industrial Informatics (INDIN), 2014
In mixed-criticality systems, applications with different levels of criticality are integrated on... more In mixed-criticality systems, applications with different levels of criticality are integrated on the same computational platform. Without a proper isolation of the different applications of such a mixed-criticality system certification gets expensive, because it has to be shown that application components of lower criticality do not hamper the correct operation of the critical applications. Therefore, all components -even the less critical ones -have to be certified for the highest criticality level. For single core platforms the use of hypervisors promises to shield applications of different criticality from each other. Timing problems may emerge when the hypervisor is ported to a multicore platform where different cores access the global memory concurrently. We show, that full temporal isolation of applications executing on different cores is only achievable if the hypervisor is run on appropriate hardware. The presented duallayer bus arbiter enables critical applications to preserve isolation properties and also improves the execution performance of noncritical applications.
The demand for predictable timing behavior is characteristic for real-time applications. Experien... more The demand for predictable timing behavior is characteristic for real-time applications. Experience has shown that this property cannot be achieved by software alone but rather requires support from the processor. This situation is analyzed and mapped to a design rationale for SPEAR (Scalable Processor for Embedded Applications in Real-time Environments), a processor that has been designed to meet the specific temporal demands of real-time systems. At the hardware level, SPEAR guarantees interrupt response with minimum temporal jitter and minimum delay. Furthermore, the processor provides an instruction set that only has constant-time instructions. At the software level, SPEAR supports the implementation of temporally predictable code according to the single-path programming paradigm. Altogether, these features support writing of code with minimal jitter and provide the basis for exact temporal predictability. Experimental results show that SPEAR indeed exhibits the anticipated high...
@techreport{TUW-137961, author = {Vilanek, Johann and Schmid, Ulrich and Kastner, Wolfgang and We... more @techreport{TUW-137961, author = {Vilanek, Johann and Schmid, Ulrich and Kastner, Wolfgang and Weiss, Bettina and Puschner, Peter and Elmenreich, Wilfried and Deinhart, Heinz and Meyer, Wolfgang}, title = {Projektbericht Technische Informatik: Seamless Campus}, institution = {E182 - Institut f{\"u}r Technische Informatik, E183 - Institut f{\"u}r Rechnergest{\"u}tzte Automation; Technische Universit{\"a}t Wien}, year = {2003}, url = {http://www.auto.tuwien.ac.at /TR} } Erstellt aus der Publikationsdatenbank der Technischen Universität Wien.
Traditional worst-case execution time (WCET) analysis interfaces to the user either through high-... more Traditional worst-case execution time (WCET) analysis interfaces to the user either through high-level language source code or assembly/machine code. This paper demonstrates how WCET analysis can be integrated into high-level application design and simulation tools like Matlab/Simulink, thus providing a higher-level interface to WCET analysis. The paper shows necessary restrictions and adaptations to Matlab/Simulink that make code generated from the tool chain amenable to WCET analysis. It presents the interface between the Matlab/ ...
In order to fulfill the temporal requirements of a real-time system, it is necessary to enforce p... more In order to fulfill the temporal requirements of a real-time system, it is necessary to enforce predictability in the temporal domain. Therefore, it is required to determine the timing behavior of the tasks running on a real-time computer system. The worst-case execution time (WCET) denotes an upper bound of a task's execution time.
This paper presents a WCET analysis concept which is based on the analysis of source code, writte... more This paper presents a WCET analysis concept which is based on the analysis of source code, written in a high-level programming language. Additional information about the timing behaviour of the program is given as annotations. These annotations are transformed inside the compiler to assembly code level. This transformation also works for code optimizations performed by the compiler. Experiments show examples of effects that can arise and be handles by this WCET analysis concept.
Workshop Programme, Apr 21, 2009
As real-time software is increasing in size and complexity, the need for advanced modeling and an... more As real-time software is increasing in size and complexity, the need for advanced modeling and analysis capabilities early in the software development process is getting more and more urgent. One particular concern is the lack of sufficient methods and tools to effectively reason about the timing of software in such a way that software systems can be constructed hierarchically from components while still guaranteeing the timing properties [1]. In this talk, we will discuss deficiencies in current real-time embedded hardware and software ...
Technische Universität Wien, Institut für Technische Informatik, Treitlstr, 2009
The analysis of the worst-case execution time (WCET) requires detailed knowledge of the program b... more The analysis of the worst-case execution time (WCET) requires detailed knowledge of the program behavior. On modern processors the instruction timing heavily depends on the processor state. WCET analysis therefore has to the model processor behavior in detail. This analysis is challenging in case of so called timing anomalies, which violate the continuity properties proportionality and continuity of the timing behavior.
International Workshop on Real-Time Embedded Systems RTES (in conjunction with 22nd IEEE RTSS 2001), Dec 1, 2001
$ EVWUDFW--In this paper we describe the construction of a safe and tight timing model of the Inf... more $ EVWUDFW--In this paper we describe the construction of a safe and tight timing model of the Infineon C1 7 proces sor. We performed systematic measurements to assess the execution time of single instructions and of instruction se Tuences. All timing measurements were performed on real hardware not on an emulator. The accurate timing model was implemented in a tool for static WCET analysis. The WCET estimates made by the tool for several benchmark programs are safe and remarkably tight.
Proceedings of the 2014 Forum on Specification and Design Languages (FDL), 2014
This paper presents the Platform Specific Time Triggered Model (PS-TTM), a SystemC based modeling... more This paper presents the Platform Specific Time Triggered Model (PS-TTM), a SystemC based modeling and simulation framework for time-triggered safety-critical embedded systems. The approach facilitates the modeling of Time-Triggered Architecture (TTA) based embedded systems, following a strict separation between the designs of functionality and platform. The PS-TTM provides a value and time domain deterministic simulation environment for an early functional and temporal assessment of the systems. Moreover, the framework includes a time-triggered automatic test executor that enables to perform non-intrusive simulated fault injection (SFI) to the models. The SFI makes an early dependability assessment possible, what reduces the risk of late and expensive discovery of safety related pitfalls. The feasibility of the proposed framework is illustrated with a case study, based on the modeling, simulation and validation of a simplified railway on-board signaling system.
2008 11th IEEE International Symposium on Object and Component-Oriented Real-Time Distributed Computing (ISORC), 2008
The analysis of the worst-case execution time (WCET) requires detailed knowledge of the program b... more The analysis of the worst-case execution time (WCET) requires detailed knowledge of the program behavior. In practice it is still not possible to obtain all needed information automatically.
ACM SIGBED Review, 2015
In this paper we address the problem of improving the instruction cache performance for single-pa... more In this paper we address the problem of improving the instruction cache performance for single-path code. The properties of single-path code allow us to align single-path loops within the cache in order to reduce the number of cache misses during the loop execution. We propose an algorithm that categorizes loops in a simple way so that the loops can be aligned and NOP instructions can be inserted to support this loop alignment. Our experimental results show the predictability for cache misses in single-path loops and demonstrate the benefit of the single-path loop alignment.
This paper presents a testing and simulated fault injection framework for time-triggered safety-c... more This paper presents a testing and simulated fault injection framework for time-triggered safety-critical embedded systems. Our ap-proach facilitates the validation of fault-tolerance mechanisms by per-forming non-intrusive Simulated Fault Injection (SFI) on models of the system at different stages of the development, from the Platform Inde-pendent Model (PIM) to the Platform Specific Model (PSM). The SFI enables exercising the intended fault tolerance mechanisms by injecting faults in a simulated model of a system. The main benefit of this work is that it enables an early detection of design flaws in fault-tolerant sys-tems, what reduces the possibility of late discovery of design pitfalls that might require an expensive redesign of the system. We examine the fea-sibility of the proposed approach in a case study, where SFI is used to assess the fault tolerance mechanisms designed in a simplified railway signaling system.
The development and certification of safety critical embedded systems require the implementation ... more The development and certification of safety critical embedded systems require the implementation of fault-tolerance mechanisms to ensure the safe operation of the system even in the presence of faults. These mechanisms need to be verified and validated by means of fault injection. Simulated fault injection enables an early dependability assessment that validates the correct implementation of fault-tolerance mechanisms and reduces the risk of late and expensive discovery of safety related pitfalls. This paper presents a novel modeling and simulation framework for time-triggered safety critical embedded systems. Our approach supports simulated fault injection at different abstraction levels (platform independent and platform specific models) and integrates a time-triggered automatic test executor for the early verification and validation of the systems. The feasibility of the proposed framework is illustrated with a case study where a simplified railway signaling system is modeled and...
2014 3rd Mediterranean Conference on Embedded Computing (MECO), 2014
The increase in the amount of functionalities provided by safety-critical systems in the last yea... more The increase in the amount of functionalities provided by safety-critical systems in the last years has lead to a complexity growth in these systems. Several techniques have been developed in order to tackle this issue, including simplification strategies and the definition of time-deterministic models of computation (MoCs) and architectures, such as the Logical Execution Time MoC (LET) and the Time-Triggered Architecture (TTA) respectively. Although TTA based systems relying on the LET MoC have already been successfully applied to safety-critical systems, SystemC, the nowadays de-facto standard in HW/SW system development, does not provide a LET-based simulation engine for the modeling and assessment of these systems. With the aim to fill this gap, this paper presents the PI-TTM, a novel SystemC extension for the modeling and simulation of LET based safety-critical embedded systems.
In mixed-criticality systems, applications with different levels of criticality are integrated on... more In mixed-criticality systems, applications with different levels of criticality are integrated on the same computational platform. Without a proper isolation of the different applications of such a mixed-criticality system certification gets expensive, because it has to be shown that application components of lower criticality do not hamper the correct operation of the critical applications. Therefore, all components -even the less critical ones -have to be certified for the highest criticality level. The use of hypervisors promises to shield applications of different criticality from each other, thus keepting certification cost reasonable. Indeed hypervisors can provide spatial isolation. Further they can prohibit certain types of temporal interference. We show, however, that full temporal isolation is only achievable if the hypervisor is run on appropriate hardware. We discuss hardware mechanisms that thwart respectlively facilitate temporal isolation. This way we provide a guideline for the sharing of resources and the realization of memory hierarchies for mixedcriticality multi-core systems.
In mixed-criticality systems, applications of different criticality levels share the same computi... more In mixed-criticality systems, applications of different criticality levels share the same computing platform. To avoid spatial and temporal interference of the applications, the computing platform must implement measures for spatial and temporal isolation. In this paper we show how the enhancement of a static memory arbiter by a second, dynamic arbitration layer facilitates the interference-free integration of mixed-criticality applications with different performance requirements. This paper (a) compares the performance tradeoffs of the new dual-layer arbiter and a COTS arbiter and (b) evaluates the performance of an XtratuM hypervisor system running on a platform with this dual-layer arbiter.
2011 14th IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing Workshops, 2011
Today's embedded systems are considering cache as inherent part of their design. Unfortunately, c... more Today's embedded systems are considering cache as inherent part of their design. Unfortunately, cache memory behavior heavily depends on the past references which model a large execution history and makes WCET analysis impractical. This paper presents a novel prefetch memory mechanism that simplifies the prediction of cache hits/misses because the memory access times are independent of the execution history. We use local prefetching into on-chip memory together with a customdesigned prefetch controller instead of cache memories to provide for time-predictable memory accesses. To be competitive in code execution time, our approach relies on a special organization of main memory and on a modified compiler that generates code layouts to allow for parallel prefetching from different memory banks. The proposed solution is still in a conceptual phase. The paper discusses design decisions and parameters to be explored.
2010 13th IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing Workshops, 2010
In this paper we explore a hierarchical memory architecture that simplifies the WCET prediction o... more In this paper we explore a hierarchical memory architecture that simplifies the WCET prediction of tasks. Instead of using cache memories for speeding up code execution, we propose to use hierarchical memories that are similar to scratchpad memories. These memories are filled by explicit prefetch operations that are executed in synchrony with program execution. The instructions respectively the data that control the timing and the content to be loaded by these memory-fill operations are computed at code-generation time. The paper describes the overall system and memory architecture, and design choices for explicitely controlled timepredictable hierarchical memory architectures.
2014 12th IEEE International Conference on Industrial Informatics (INDIN), 2014
In mixed-criticality systems, applications with different levels of criticality are integrated on... more In mixed-criticality systems, applications with different levels of criticality are integrated on the same computational platform. Without a proper isolation of the different applications of such a mixed-criticality system certification gets expensive, because it has to be shown that application components of lower criticality do not hamper the correct operation of the critical applications. Therefore, all components -even the less critical ones -have to be certified for the highest criticality level. For single core platforms the use of hypervisors promises to shield applications of different criticality from each other. Timing problems may emerge when the hypervisor is ported to a multicore platform where different cores access the global memory concurrently. We show, that full temporal isolation of applications executing on different cores is only achievable if the hypervisor is run on appropriate hardware. The presented duallayer bus arbiter enables critical applications to preserve isolation properties and also improves the execution performance of noncritical applications.
The demand for predictable timing behavior is characteristic for real-time applications. Experien... more The demand for predictable timing behavior is characteristic for real-time applications. Experience has shown that this property cannot be achieved by software alone but rather requires support from the processor. This situation is analyzed and mapped to a design rationale for SPEAR (Scalable Processor for Embedded Applications in Real-time Environments), a processor that has been designed to meet the specific temporal demands of real-time systems. At the hardware level, SPEAR guarantees interrupt response with minimum temporal jitter and minimum delay. Furthermore, the processor provides an instruction set that only has constant-time instructions. At the software level, SPEAR supports the implementation of temporally predictable code according to the single-path programming paradigm. Altogether, these features support writing of code with minimal jitter and provide the basis for exact temporal predictability. Experimental results show that SPEAR indeed exhibits the anticipated high...
@techreport{TUW-137961, author = {Vilanek, Johann and Schmid, Ulrich and Kastner, Wolfgang and We... more @techreport{TUW-137961, author = {Vilanek, Johann and Schmid, Ulrich and Kastner, Wolfgang and Weiss, Bettina and Puschner, Peter and Elmenreich, Wilfried and Deinhart, Heinz and Meyer, Wolfgang}, title = {Projektbericht Technische Informatik: Seamless Campus}, institution = {E182 - Institut f{\"u}r Technische Informatik, E183 - Institut f{\"u}r Rechnergest{\"u}tzte Automation; Technische Universit{\"a}t Wien}, year = {2003}, url = {http://www.auto.tuwien.ac.at /TR} } Erstellt aus der Publikationsdatenbank der Technischen Universität Wien.
Traditional worst-case execution time (WCET) analysis interfaces to the user either through high-... more Traditional worst-case execution time (WCET) analysis interfaces to the user either through high-level language source code or assembly/machine code. This paper demonstrates how WCET analysis can be integrated into high-level application design and simulation tools like Matlab/Simulink, thus providing a higher-level interface to WCET analysis. The paper shows necessary restrictions and adaptations to Matlab/Simulink that make code generated from the tool chain amenable to WCET analysis. It presents the interface between the Matlab/ ...
In order to fulfill the temporal requirements of a real-time system, it is necessary to enforce p... more In order to fulfill the temporal requirements of a real-time system, it is necessary to enforce predictability in the temporal domain. Therefore, it is required to determine the timing behavior of the tasks running on a real-time computer system. The worst-case execution time (WCET) denotes an upper bound of a task's execution time.
This paper presents a WCET analysis concept which is based on the analysis of source code, writte... more This paper presents a WCET analysis concept which is based on the analysis of source code, written in a high-level programming language. Additional information about the timing behaviour of the program is given as annotations. These annotations are transformed inside the compiler to assembly code level. This transformation also works for code optimizations performed by the compiler. Experiments show examples of effects that can arise and be handles by this WCET analysis concept.
Workshop Programme, Apr 21, 2009
As real-time software is increasing in size and complexity, the need for advanced modeling and an... more As real-time software is increasing in size and complexity, the need for advanced modeling and analysis capabilities early in the software development process is getting more and more urgent. One particular concern is the lack of sufficient methods and tools to effectively reason about the timing of software in such a way that software systems can be constructed hierarchically from components while still guaranteeing the timing properties [1]. In this talk, we will discuss deficiencies in current real-time embedded hardware and software ...
Technische Universität Wien, Institut für Technische Informatik, Treitlstr, 2009
The analysis of the worst-case execution time (WCET) requires detailed knowledge of the program b... more The analysis of the worst-case execution time (WCET) requires detailed knowledge of the program behavior. On modern processors the instruction timing heavily depends on the processor state. WCET analysis therefore has to the model processor behavior in detail. This analysis is challenging in case of so called timing anomalies, which violate the continuity properties proportionality and continuity of the timing behavior.
International Workshop on Real-Time Embedded Systems RTES (in conjunction with 22nd IEEE RTSS 2001), Dec 1, 2001
$ EVWUDFW--In this paper we describe the construction of a safe and tight timing model of the Inf... more $ EVWUDFW--In this paper we describe the construction of a safe and tight timing model of the Infineon C1 7 proces sor. We performed systematic measurements to assess the execution time of single instructions and of instruction se Tuences. All timing measurements were performed on real hardware not on an emulator. The accurate timing model was implemented in a tool for static WCET analysis. The WCET estimates made by the tool for several benchmark programs are safe and remarkably tight.