What is the current language profile for concurrent, multi-core, safety-critical, hard real-time systems?

What is the current language profile for concurrent, multi-core, safety-critical, hard real-time systems?

[Adam Jensen]

I am surveying the software engineering/technology landscape. This 
document on the SPARK Ravenscar Profile, RavenSPARK[1], is dated 2010 - 
well before Ada-2012 and Spark-2014.

[1]: http://docs.adacore.com/sparkdocs-docs/Examiner_Ravenscar.htm

What is the current Ada language profile for concurrent, multi-core, 
safety-critical, hard real-time systems? 

Re: What is the current language profile for concurrent, multi-core, safety-critical, hard real-time systems?

[Dennis Lee Bieber]

On Tue, 1 Aug 2017 00:25:18 -0000 (UTC), Adam Jensen <hanzer@riseup.net>
declaimed the following:

>
>What is the current Ada language profile for concurrent, multi-core, 
>safety-critical, hard real-time systems? 

	As soon as you say "multi-core" you enter the realm of experimental
science. For example -- in the four years I spent at GE Aviation,
multi-core processors used in flight management software would be run with
all but one core shutdown.

	Reason: there has not been enough experience/study of how multiple
cores/cache/etc. affect hard real-time latency (how can you evaluate WCET
for a process on core-A when you don't have control of what happens on
core-B, which could cause cache line flushing, etc. affecting the timing of
core-A)

	What multi-core processors I saw being used in development were for
non-safety critical functions -- data logging type operations, wherein loss
of the logging processor wouldn't affect the flight management system; only
reducing the post-flight analysis capabilities should there be anomalous
flight operations.
-- 
	Wulfraed                 Dennis Lee Bieber         AF6VN
    wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/

Re: What is the current language profile for concurrent, multi-core, safety-critical, hard real-time systems?

[Adam Jensen]

On Mon, 31 Jul 2017 20:54:08 -0400, Dennis Lee Bieber wrote:

> On Tue, 1 Aug 2017 00:25:18 -0000 (UTC), Adam Jensen <hanzer@riseup.net>
> declaimed the following:
> 
> 
>>What is the current Ada language profile for concurrent, multi-core,
>>safety-critical, hard real-time systems?
> 
> 	As soon as you say "multi-core" you enter the realm of 
experimental
> science. For example -- in the four years I spent at GE Aviation,
> multi-core processors used in flight management software would be run
> with all but one core shutdown.
> 
> 	Reason: there has not been enough experience/study of how multiple
> cores/cache/etc. affect hard real-time latency (how can you evaluate
> WCET for a process on core-A when you don't have control of what happens
> on core-B, which could cause cache line flushing, etc. affecting the
> timing of core-A)
> 
> 	What multi-core processors I saw being used in development were 
for
> non-safety critical functions -- data logging type operations, wherein
> loss of the logging processor wouldn't affect the flight management
> system; only reducing the post-flight analysis capabilities should there
> be anomalous flight operations.

That's interesting, thanks. I've been looking at the ARM Cortex-R8[1] 
which seems like it might address some of these issues in its hardware 
architecture.

[1]: https://developer.arm.com/products/processors/cortex-r/cortex-r8

I suppose that mapping an Ada run-time system onto that specific hardware 
might require a significant investment.

But more simply, this web page <http://www.ada2012.org/> says: "Ravenscar 
for multiprocessor systems adapts a safe and widely used tasking profile 
to modern architectures". Doesn't that seem to suggest that there exists 
an Ada-2012 Ravenscar profile for multi-core systems? Is that mostly hype 
or hokum? 

Re: What is the current language profile for concurrent, multi-core, safety-critical, hard real-time systems?

[Dennis Lee Bieber]

On Tue, 1 Aug 2017 01:45:22 -0000 (UTC), Adam Jensen <hanzer@riseup.net>
declaimed the following:


>That's interesting, thanks. I've been looking at the ARM Cortex-R8[1] 
>which seems like it might address some of these issues in its hardware 
>architecture.
>
>[1]: https://developer.arm.com/products/processors/cortex-r/cortex-r8
>
>I suppose that mapping an Ada run-time system onto that specific hardware 
>might require a significant investment.
>

	I suspect /very/ significant. Can you lock tasks to specific
processors? If not, you run into the uncertainty in timing when a task gets
loaded into a different core. Even if you can, can you show that the
processing on one core will not impact another. As I understand it,
lock-step doesn't help for independent tasks -- it's a redundancy mode in
which a difference between the cores signals an exception condition (in
flight systems, this would be a periodic compare between two independent
/boxes/ to confirm that both are producing the same results).

>But more simply, this web page <http://www.ada2012.org/> says: "Ravenscar 
>for multiprocessor systems adapts a safe and widely used tasking profile 
>to modern architectures". Doesn't that seem to suggest that there exists 
>an Ada-2012 Ravenscar profile for multi-core systems? Is that mostly hype 
>or hokum? 

	There may be a profile -- but (again, from my little exposure in FMS)
will it pass certification? There isn't yet enough history for multi-core
to pass flight certification (granted, part of that may be that no company
wants to spend the money to prove to the FAA that multi-core can be safe --
dual single-core boxes can be validated as there is no "hidden" interaction
on memory access, WCET is a single core determination).

	Even Ada tasking may not be trusted (I was maintaining a program that
used a small RTOS to create the processes, rather than having Ada tasks
doing the work).


	A bit of a chicken&egg situation: there may be processors designed for
multi-core real-time, and there may be companies who'd like to use them...
But developing and getting software certified for use (again, my exposure
is flight management systems) would have to be done on company R&D funds --
since client companies probably won't pay for an "experiment"; they likely
want just an upgrade to an existing single core system, where reuse may
reduce the cost of certification for flight.

	Automotive may be less critical -- a timing discrepancy isn't going to
result in a few hundred people falling from the sky, one should be able to
limp-mode to the shoulder of the road. (OTOH: between ABS, traction
control, stability control, etc. I expect the next generation of drivers
will not be able to react properly should the assists fault even
momentarily)
-- 
	Wulfraed                 Dennis Lee Bieber         AF6VN
    wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/

Re: What is the current language profile for concurrent, multi-core, safety-critical, hard real-time systems?

[Dmitry A. Kazakov]

On 2017-08-01 06:19, Dennis Lee Bieber wrote:
> On Tue, 1 Aug 2017 01:45:22 -0000 (UTC), Adam Jensen <hanzer@riseup.net>
> declaimed the following:
> 
> 
>> That's interesting, thanks. I've been looking at the ARM Cortex-R8[1]
>> which seems like it might address some of these issues in its hardware
>> architecture.
>>
>> [1]: https://developer.arm.com/products/processors/cortex-r/cortex-r8
>>
>> I suppose that mapping an Ada run-time system onto that specific hardware
>> might require a significant investment.
>>
> 
> 	I suspect /very/ significant. Can you lock tasks to specific
> processors? If not, you run into the uncertainty in timing when a task gets
> loaded into a different core. Even if you can, can you show that the
> processing on one core will not impact another. As I understand it,
> lock-step doesn't help for independent tasks -- it's a redundancy mode in
> which a difference between the cores signals an exception condition (in
> flight systems, this would be a periodic compare between two independent
> /boxes/ to confirm that both are producing the same results).
> 
>> But more simply, this web page <http://www.ada2012.org/> says: "Ravenscar
>> for multiprocessor systems adapts a safe and widely used tasking profile
>> to modern architectures". Doesn't that seem to suggest that there exists
>> an Ada-2012 Ravenscar profile for multi-core systems? Is that mostly hype
>> or hokum?
> 
> 	There may be a profile -- but (again, from my little exposure in FMS)
> will it pass certification? There isn't yet enough history for multi-core
> to pass flight certification (granted, part of that may be that no company
> wants to spend the money to prove to the FAA that multi-core can be safe --
> dual single-core boxes can be validated as there is no "hidden" interaction
> on memory access, WCET is a single core determination).
> 
> 	Even Ada tasking may not be trusted (I was maintaining a program that
> used a small RTOS to create the processes, rather than having Ada tasks
> doing the work).
> 
> 
> 	A bit of a chicken&egg situation: there may be processors designed for
> multi-core real-time, and there may be companies who'd like to use them...
> But developing and getting software certified for use (again, my exposure
> is flight management systems) would have to be done on company R&D funds --
> since client companies probably won't pay for an "experiment"; they likely
> want just an upgrade to an existing single core system, where reuse may
> reduce the cost of certification for flight.
> 
> 	Automotive may be less critical -- a timing discrepancy isn't going to
> result in a few hundred people falling from the sky, one should be able to
> limp-mode to the shoulder of the road. (OTOH: between ABS, traction
> control, stability control, etc. I expect the next generation of drivers
> will not be able to react properly should the assists fault even
> momentarily)

I am quite pessimistic regarding how automotive approaches functional 
safety. My impression is that certification processes there are designed 
to cover up lack of elementary software safety behind tool chains, code 
generators and administrative overhead. If anything to happen then not 
there. (:-()

P.S. And there is a hard push to add security on top or bottom of all 
mess...

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de

Re: What is the current language profile for concurrent, multi-core, safety-critical, hard real-time systems?

[Jacob Sparre Andersen]

Adam Jensen wrote:

> I am surveying the software engineering/technology landscape. This
> document on the SPARK Ravenscar Profile, RavenSPARK[1], is dated 2010
> - well before Ada-2012 and Spark-2014.
>
> [1]: http://docs.adacore.com/sparkdocs-docs/Examiner_Ravenscar.htm
>
> What is the current Ada language profile for concurrent, multi-core,
> safety-critical, hard real-time systems?

The Ravenscar profile is still _the_ profile for safety-critical, hard
real-time tasking.  AdaCore has done work on an extension to the
Ravenscar profile (the Vienna profile?), but I'm not sure it has been
formalised yet.

The most recent release of the SPARK 2014 tools include support for
tasking.  (I haven't looked into the details yet.)

As it has already been mentioned, multi-core, caches and shared caches
are all features which aren't understood well enough for practical use
in safety-critical hard real-time systems. - But there's lots of
research in the area.

Greetings,

Jacob
-- 
"The generation of random numbers is too important to be left to chance"