Subject: What is the current language profile for concurrent, multi-core, safety-critical, hard real-time systems?
From: Adam Jensen
Date: 2017-08-01 0:25 UTC

I am surveying the software engineering/technology landscape. This document on the SPARK Ravenscar Profile, RavenSPARK[1], is dated 2010 - well before Ada-2012 and Spark-2014.

[1]: http://docs.adacore.com/sparkdocs-docs/Examiner_Ravenscar.htm

What is the current Ada language profile for concurrent, multi-core, safety-critical, hard real-time systems?
Subject: Re: What is the current language profile for concurrent, multi-core, safety-critical, hard real-time systems?
From: Dennis Lee Bieber
Date: 2017-08-01 0:54 UTC

On Tue, 1 Aug 2017 00:25:18 -0000 (UTC), Adam Jensen <hanzer@riseup.net> declaimed the following:

> What is the current Ada language profile for concurrent, multi-core,
> safety-critical, hard real-time systems?

As soon as you say "multi-core" you enter the realm of experimental science. For example -- in the four years I spent at GE Aviation, multi-core processors used in flight management software would be run with all but one core shut down.

Reason: there has not been enough experience/study of how multiple cores/cache/etc. affect hard real-time latency (how can you evaluate WCET for a process on core-A when you don't have control of what happens on core-B, which could cause cache line flushing, etc., affecting the timing of core-A?).

What multi-core processors I saw being used in development were for non-safety-critical functions -- data logging type operations, wherein loss of the logging processor wouldn't affect the flight management system; only reducing the post-flight analysis capabilities should there be anomalous flight operations.

--
Wulfraed                 Dennis Lee Bieber         AF6VN
wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/
Subject: Re: What is the current language profile for concurrent, multi-core, safety-critical, hard real-time systems?
From: Adam Jensen
Date: 2017-08-01 1:45 UTC

On Mon, 31 Jul 2017 20:54:08 -0400, Dennis Lee Bieber wrote:

> On Tue, 1 Aug 2017 00:25:18 -0000 (UTC), Adam Jensen <hanzer@riseup.net>
> declaimed the following:
>
>> What is the current Ada language profile for concurrent, multi-core,
>> safety-critical, hard real-time systems?
>
> As soon as you say "multi-core" you enter the realm of experimental
> science. For example -- in the four years I spent at GE Aviation,
> multi-core processors used in flight management software would be run
> with all but one core shutdown.
>
> Reason: there has not been enough experience/study of how multiple
> cores/cache/etc. affect hard real-time latency (how can you evaluate
> WCET for a process on core-A when you don't have control of what happens
> on core-B, which could cause cache line flushing, etc. affecting the
> timing of core-A)
>
> What multi-core processors I saw being used in development were for
> non-safety critical functions -- data logging type operations, wherein
> loss of the logging processor wouldn't affect the flight management
> system; only reducing the post-flight analysis capabilities should there
> be anomalous flight operations.

That's interesting, thanks. I've been looking at the ARM Cortex-R8[1], which seems like it might address some of these issues in its hardware architecture.

[1]: https://developer.arm.com/products/processors/cortex-r/cortex-r8

I suppose that mapping an Ada run-time system onto that specific hardware might require a significant investment.

But more simply, this web page <http://www.ada2012.org/> says: "Ravenscar for multiprocessor systems adapts a safe and widely used tasking profile to modern architectures". Doesn't that seem to suggest that there exists an Ada-2012 Ravenscar profile for multi-core systems? Is that mostly hype or hokum?
Subject: Re: What is the current language profile for concurrent, multi-core, safety-critical, hard real-time systems?
From: Dennis Lee Bieber
Date: 2017-08-01 4:19 UTC

On Tue, 1 Aug 2017 01:45:22 -0000 (UTC), Adam Jensen <hanzer@riseup.net> declaimed the following:

> That's interesting, thanks. I've been looking at the ARM Cortex-R8[1]
> which seems like it might address some of these issues in its hardware
> architecture.
>
> [1]: https://developer.arm.com/products/processors/cortex-r/cortex-r8
>
> I suppose that mapping an Ada run-time system onto that specific hardware
> might require a significant investment.

I suspect /very/ significant. Can you lock tasks to specific processors? If not, you run into the uncertainty in timing when a task gets loaded into a different core. Even if you can, can you show that the processing on one core will not impact another? As I understand it, lock-step doesn't help for independent tasks -- it's a redundancy mode in which a difference between the cores signals an exception condition (in flight systems, this would be a periodic compare between two independent /boxes/ to confirm that both are producing the same results).

> But more simply, this web page <http://www.ada2012.org/> says: "Ravenscar
> for multiprocessor systems adapts a safe and widely used tasking profile
> to modern architectures". Doesn't that seem to suggest that there exists
> an Ada-2012 Ravenscar profile for multi-core systems? Is that mostly hype
> or hokum?

There may be a profile -- but (again, from my little exposure in FMS) will it pass certification? There isn't yet enough history for multi-core to pass flight certification (granted, part of that may be that no company wants to spend the money to prove to the FAA that multi-core can be safe -- dual single-core boxes can be validated as there is no "hidden" interaction on memory access, and WCET is a single-core determination).

Even Ada tasking may not be trusted (I was maintaining a program that used a small RTOS to create the processes, rather than having Ada tasks doing the work).

A bit of a chicken-and-egg situation: there may be processors designed for multi-core real-time, and there may be companies who'd like to use them... But developing and getting software certified for use (again, my exposure is flight management systems) would have to be done on company R&D funds -- since client companies probably won't pay for an "experiment"; they likely want just an upgrade to an existing single-core system, where reuse may reduce the cost of certification for flight.

Automotive may be less critical -- a timing discrepancy isn't going to result in a few hundred people falling from the sky; one should be able to limp-mode to the shoulder of the road. (OTOH: between ABS, traction control, stability control, etc., I expect the next generation of drivers will not be able to react properly should the assists fault even momentarily.)

--
Wulfraed                 Dennis Lee Bieber         AF6VN
wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/
Subject: Re: What is the current language profile for concurrent, multi-core, safety-critical, hard real-time systems?
From: Dmitry A. Kazakov
Date: 2017-08-01 7:12 UTC

On 2017-08-01 06:19, Dennis Lee Bieber wrote:

> On Tue, 1 Aug 2017 01:45:22 -0000 (UTC), Adam Jensen <hanzer@riseup.net>
> declaimed the following:
>
>> That's interesting, thanks. I've been looking at the ARM Cortex-R8[1]
>> which seems like it might address some of these issues in its hardware
>> architecture.
>>
>> [1]: https://developer.arm.com/products/processors/cortex-r/cortex-r8
>>
>> I suppose that mapping an Ada run-time system onto that specific hardware
>> might require a significant investment.
>
> I suspect /very/ significant. Can you lock tasks to specific
> processors? If not, you run into the uncertainty in timing when a task gets
> loaded into a different core. Even if you can, can you show that the
> processing on one core will not impact another. As I understand it,
> lock-step doesn't help for independent tasks -- it's a redundancy mode in
> which a difference between the cores signals an exception condition (in
> flight systems, this would be a periodic compare between two independent
> /boxes/ to confirm that both are producing the same results).
>
>> But more simply, this web page <http://www.ada2012.org/> says: "Ravenscar
>> for multiprocessor systems adapts a safe and widely used tasking profile
>> to modern architectures". Doesn't that seem to suggest that there exists
>> an Ada-2012 Ravenscar profile for multi-core systems? Is that mostly hype
>> or hokum?
>
> There may be a profile -- but (again, from my little exposure in FMS)
> will it pass certification? There isn't yet enough history for multi-core
> to pass flight certification (granted, part of that may be that no company
> wants to spend the money to prove to the FAA that multi-core can be safe --
> dual single-core boxes can be validated as there is no "hidden" interaction
> on memory access, WCET is a single core determination).
>
> Even Ada tasking may not be trusted (I was maintaining a program that
> used a small RTOS to create the processes, rather than having Ada tasks
> doing the work).
>
> A bit of a chicken&egg situation: there may be processors designed for
> multi-core real-time, and there may be companies who'd like to use them...
> But developing and getting software certified for use (again, my exposure
> is flight management systems) would have to be done on company R&D funds --
> since client companies probably won't pay for an "experiment"; they likely
> want just an upgrade to an existing single core system, where reuse may
> reduce the cost of certification for flight.
>
> Automotive may be less critical -- a timing discrepancy isn't going to
> result in a few hundred people falling from the sky, one should be able to
> limp-mode to the shoulder of the road. (OTOH: between ABS, traction
> control, stability control, etc. I expect the next generation of drivers
> will not be able to react properly should the assists fault even
> momentarily)

I am quite pessimistic regarding how automotive approaches functional safety. My impression is that certification processes there are designed to cover up a lack of elementary software safety behind tool chains, code generators and administrative overhead. If anything is to happen, then not there. (:-()

P.S. And there is a hard push to add security on top of, or underneath, all this mess...

--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
Subject: Re: What is the current language profile for concurrent, multi-core, safety-critical, hard real-time systems?
From: Jacob Sparre Andersen
Date: 2017-08-01 8:38 UTC

Adam Jensen wrote:

> I am surveying the software engineering/technology landscape. This
> document on the SPARK Ravenscar Profile, RavenSPARK[1], is dated 2010
> - well before Ada-2012 and Spark-2014.
>
> [1]: http://docs.adacore.com/sparkdocs-docs/Examiner_Ravenscar.htm
>
> What is the current Ada language profile for concurrent, multi-core,
> safety-critical, hard real-time systems?

The Ravenscar profile is still _the_ profile for safety-critical, hard real-time tasking.

AdaCore has done work on an extension to the Ravenscar profile (the Vienna profile?), but I'm not sure it has been formalised yet.

The most recent release of the SPARK 2014 tools includes support for tasking. (I haven't looked into the details yet.)

As has already been mentioned, multi-core, caches and shared caches are all features which aren't understood well enough for practical use in safety-critical hard real-time systems. - But there's lots of research in the area.

Greetings,

Jacob
--
"The generation of random numbers is too important to be left to chance"
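Dennis asks above whether tasks can be locked to specific processors, and Jacob names Ravenscar as the profile still used for hard real-time tasking. The following is an added example, not code from the thread or from AdaCore, showing what an Ada 2012 Ravenscar unit with statically pinned tasks looks like: the `CPU` aspect fixes each task to one core so the dispatcher never migrates it, and the only shared state goes through a protected object with a ceiling priority. The package name `Sensors`, the priorities, the periods and the core numbers are assumptions chosen for illustration.

```ada
--  Added example (not the thread's code): a Ravenscar-compliant package that
--  pins each task to a core. GNAT wants the spec in sensors.ads, body in sensors.adb.
pragma Profile (Ravenscar);
with Ada.Real_Time; use Ada.Real_Time;  --  monotonic clock for periodic release

package Sensors is
   --  Ravenscar tasks share data only through protected objects; the ceiling
   --  priority (>= every caller's priority) bounds how long a caller blocks.
   protected Latest with Priority => 12 is
      procedure Put (V : Integer);
      function Get return Integer;
   private
      Value : Integer := 0;
   end Latest;

   --  Library-level tasks with a static priority and a fixed CPU (the aspect's
   --  type is System.Multiprocessors.CPU_Range, Ada 2012 D.16). The dispatcher
   --  can never migrate them, so WCET analysis per core only has to account
   --  for the tasks assigned to that core; cache interference is not solved here.
   task Sampler  with Priority => 10, CPU => 1;
   task Consumer with Priority => 5,  CPU => 2;
end Sensors;

package body Sensors is
   protected body Latest is
      procedure Put (V : Integer) is begin Value := V; end Put;
      function Get return Integer is begin return Value; end Get;
   end Latest;

   task body Sampler is
      Next : Time := Clock;
      N    : Integer := 0;
   begin
      loop                         --  Ravenscar tasks never terminate
         N := N + 1;
         Latest.Put (N);            --  stand-in for a sensor read on core 1
         Next := Next + Milliseconds (10);
         delay until Next;          --  absolute delay; relative delay is banned
      end loop;
   end Sampler;

   task body Consumer is
      Next : Time := Clock;
      Seen : Integer := 0;
   begin
      loop
         Seen := Latest.Get;        --  core 2 reads what core 1 wrote
         Next := Next + Milliseconds (50);
         delay until Next;
      end loop;
   end Consumer;
end Sensors;
```

Pinning answers the migration half of Dennis's question only; showing that core 1's activity cannot perturb core 2's timing (shared cache, bus, memory controller) remains a hardware and analysis problem the profile does not address.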