
Predictable and monitored execution for COTS-based real-time embedded systems.


Abstract

Modern real-time embedded systems are moving from federated architectures, where logical applications and subsystems are implemented on separate hardware components, to progressively more integrated architectures that make extensive use of shared physical resources. These systems employ multiple active components, such as CPU cores, hardware processors, coprocessors and peripherals, all of which can autonomously perform computational and communication activities. Furthermore, they are increasingly built from Commercial Off-The-Shelf (COTS) components in an attempt to increase performance and reduce cost and time to market.

Integrated real-time systems such as those employed in the avionics, medical and automotive domains are often mixed-criticality systems: they implement different applications with widely varying levels of criticality. A key issue is therefore to provide sufficient isolation among different applications. In particular, safety-critical applications can impose requirements both in terms of functional isolation, e.g. fault containment, and in terms of physical isolation, e.g. safe sharing of physical resources such as CPU and communication time, memory and power.

In this work, we study the design of mechanisms and policies to support both functional and physical isolation, with a special focus on timing guarantees. In particular, since most available COTS components do not provide sufficient hardware isolation mechanisms, we propose the concept of a control abstraction: an unintrusive hardware device or software layer that is interposed between a COTS component and the rest of the system, allowing the system architect to predictably control all of that component's resource accesses. By employing control abstractions, unverified COTS components can be used to implement low-criticality but high-performance applications while still providing all required isolation guarantees to safety-critical modules.

Functional isolation is provided by monitoring the run-time communication behavior of the component against a formal specification and taking a recovery action whenever the specification is violated. Timing isolation is provided by coscheduling all computational and communication activities in such a way that there is no contention for access to system resources.

We show the validity of our methodology by applying it to two different embedded architectures. For System-on-Chip architectures, we detail a complete platform-based design process that automatically generates control abstractions for all integrated processors from a high-level functional system specification. We test the described design process on the case study of a medical pacemaker.

For COTS-based computational nodes, we focus on the contention between CPU tasks and peripherals for access both to shared communication infrastructures such as PCI and to main memory. Our experiments show that main memory interference can greatly increase the worst-case execution time of a task, by up to almost 200% for a dual-core system with a single PCIe peripheral. To overcome this issue, we propose both analysis techniques to compute upper bounds on the worst-case task delay and hardware and software control abstractions to reduce such delay. In particular, we detail the design and implementation of a new hardware device, the real-time bridge, which is interposed between each COTS peripheral and the PCI bus. The real-time bridge buffers all incoming and outgoing traffic to and from the peripheral and delivers it predictably according to a defined schedule. Furthermore, we propose to execute CPU tasks according to a new PRedictable Execution Model (PREM), which uses a combination of compiler techniques and OS modifications to precisely control all main memory accesses performed by a task. By combining PREM with the real-time bridge, we can coschedule all main memory accesses by both peripherals and tasks, thus eliminating low-level contention and unpredictable access delays. Our experiments show reductions in worst-case execution time of up to 40%-60% compared to a traditional execution model.

Bibliographic record

  • Author: Pellizzoni, Rodolfo
  • Author affiliation: University of Illinois at Urbana-Champaign
  • Degree-granting institution: University of Illinois at Urbana-Champaign
  • Subject: Engineering, Computer; Computer Science
  • Degree: Ph.D.
  • Year: 2010
  • Pages: 154 p.
  • Total pages: 154
  • Original format: PDF
  • Language: eng
  • Date added: 2022-08-17 11:37:15
