# Konfigurierbare Systemsoftware (KSS)

## VL 5 – Generative Programming: The **SLOTH** Approach

#### **Daniel Lohmann**

Lehrstuhl für Informatik 4 Verteilte Systeme und Betriebssysteme

Friedrich-Alexander-Universität Erlangen-Nürnberg

SS 16 - 2016-05-09



http://www4.informatik.uni-erlangen.de/Lehre/SS16/V\_KSS

# Implementation Techniques: Classification





# Implementation Techniques: Classification





#### OSEK OS: Abstractions [9] (Cont'd)

- Coordination and synchronization
  - Resource: mutual exclusion between well-defined set of tasks
    - stack-based priority ceiling protocol ([12]): GetResource()  $\sim$  priority is raised to that of highest participating task
    - pre-defined RES\_SCHED has highest priority ( $\sim$  blocks preemption)
    - implementation-optional: task set may also include cat 2 ISRs
  - Event: condition variable on which ETs may block
    - part of a task's context
  - Alarm: asynchronous trigger by HW/SW counter
    - may execute a callback, activate a task, or set an event on expiry

KSS (VL 5 | SS 16) 5 The SLOTH Approach | 5.1 Motivation: OSEK and Co

## OSEK OS: Conformance Classes [9]

OSEK offers predefined tailorability by four conformance classes
BCC1 only basic tasks, limited to one activation request per task and one task per priority, while all tasks have different priorities
BCC2 like BCC1, plus more than one task per priority possible and multiple requesting of task activation allowed
ECC1 like BCC1, plus extended tasks
ECC2 like ECC1, plus more than one task per priority possible and multiple requesting of task activation allowed for basic tasks
The OSEK feature diagram



## OSEK OS: System Services (Excerpt)

- Task-related services ActivateTask(task)  $\rightarrow$  task is active ( $\mapsto$  ready), counted - TerminateTask()  $\sim$  running task is terminated - Schedule()  $\rightarrow$  active task with highest priority is running ActivateTask(task) - ChainTask(task)  $\mapsto$  atomic TerminateTask() Resource-related services GetResource(res) ~ current task has *res* ceiling priority ReleaseResource(res)  $\sim$  current task has previous priority Event-related services (extended tasks only!) - SetEvent(*task*, *mask*)  $\sim$  events in *mask* for *task* are set - ClearEvent(mask)  $\sim$  events in *mask* for current task are unset - WaitEvent(*mask*)  $\sim$  current task blocks until event from mask has been set Alarm-related services - SetAbsAlarm(alarm, ...)  $\rightarrow$  arms *alarm* with absolute offset - SetRelAlarm(alarm, ...)  $\sim$  arms alarm with relative offset KSS (VL 5 | SS 16) 5 The SLOTH Approach | 5.1 Motivation: OSEK and Co (Ddl 5-9 OSEK OS: System Specification with OIL [10] OS ExampleOS { An OSEK OS instance is = STANDARD STATUS = STAND configured **completely statically**
- all general OS features (hooks, ...)
  all instances of OS abstractions (tasks, ...)
- all relationships between OS abstractions
- described in a domain-specific language (DSL)
- OIL: The OSEK Implementation Language
- standard types and attributes (TASK, ISR, ...)
- vendor/plattform-specific attributes (ISR source, priority, triggering)
- task types and conformance class is deduced

#### OIL File for Example System (BCC1)

5-8

- Three basic tasks: Task1, Task3, Task4
- Category 2 ISR: ISR2 (platform-spec. source/priority)
- Task1 and Task3 use resource Res1 ~ ceiling pri = 3
   Alarm Alarm1 triggers Task4 on expiry

- (C) dl KSS (VL 5 | SS 16) 5 The SLOTH Approach | 5.1 Motivation: OSEK and Co

RESOURCEPROPERTY = STANDARD }; ISR ISR2 {

1:

1:

TASK Task1 {

PRIORITY

RESOURCE

TASK Task3 { PRIORITY

AUTOSTART

RESOURCE Res1 {

AUTOSTART

- ISR ISR2 {
   CATEGORY = 2;
   PRIORITY = 2;
  };
  ALARM Alarm1 {
- COUNTER = Timer1; ACTION = ACTIVATETASK {

= 1; = TRUE;

= Res1:

= FALSE; = Res1:

= 3;

- TASK = Task4;
- AUTOSTART = FALSE;



## **SLOTH** Design

IRQ system must support priorities and software triggering



#### **SLOTH:** Qualitative Results

- Concise kernel design and implementation
  - $\bullet$  < 200 LoC, < 700 bytes code memory, very little RAM
- Single control-flow abstraction for tasks, ISRs (1/2), callbacks
  - Handling oblivious to how it was triggered (by hardware or software)
- Unified priority space for tasks and ISRs

() D

- No rate-monotonic priority inversion [3, 4]
- Straight-forward synchronization by altering CPU priority
  - Resources with ceiling priority (also for ISRs!)
  - Non-preemptive sections with RES\_SCHEDULER (highest task priority)
  - Kernel synchronization with highest task/cat.-2-ISR priority

## **SLOTH:** Example Control-Flow



- - 32-bit load/store architecture
  - Interrupt controller: 256 priority levels, about 200 IRQ sources with memory-mapped registers
  - Meanwhile also implementations for ARM Cortex-M3 (SAM3U) and x86

5 The SLOTH Approach 5.2 SLOTH: Threads as Interrupts

- Evaluation of task-related system calls:
  - Task activation
  - Task termination

KSS (VL 5 | SS 16)

- Task acquiring/releasing resource
- Comparison with commercial OSEK implementation and CiAO
- Two numbers for SLOTH: best case, worst case
  - Depending on number of tasks and system frequency

(C) dl

5-18



5 The SLOTH Approach 5.3 SLEEPY SLOTH: Threads as IRQs as Threads 5-22 (C) dl

() D

KSS (VL 5 | SS 16) 5 The SLOTH Approach | 5.3 SLEEPY SLOTH: Threads as IRQs as Threads 5-23

Coordination

5-21





#### Memory Protection in Embedded Systems

- Safety, but not security
- Protect the data, but not the code
- Safety model based on AUTOSAR OS
- MPU-based isolation



- **Vertically:** Protect kernel state and MPU configuration
- Horizontally: Isolate applications or even tasks from each other
  - KSS (VL 5 | SS 16) 5 The SLOTH Approach | 5.4 SAFER SLOTH: Hardware-Tailored Isolation 5–32

## Protection Modes in SAFER SLOTH

Unsafe

The original Sloth OS, without isolation

#### MPU

() D

- MPU active, but tasks execute with supervisor privileges
- Vertical isolation ensured constructively in post-validation

#### MPU+traps

KSS (VL 5 | SS 16)

- Vertical isolation ensured by hardware privilege levels
- System services acquire kernel privileges via syscall mechanism

5 The SLOTH Approach | 5.4 SAFER SLOTH: Hardware-Tailored Isolation

5-34

#### Maintaining the SLOTH Principles for SAFER SLOTH

- Exploit as much knowledge about target hardware as possible
- Tailor kernel to fit both the platform and the application
- Taking into account:

(C) dl

- Extent and layout of MPU configuration
- Method for re-programming the MPU
- Available hardware privilege levels
- Is MPU active in all levels?
- Degree of safety required by the application

KSS (VL 5 | SS 16) 5 The SLOTH Approach | 5.4 SAFER SLOTH: Hardware-Tailored Isolation

5-33

#### SAFER SLOTH: Architecture







#### Evaluation Results: Additional Overheads

[2]



#### Agenda

- 5.1 Motivation: OSEK and Co
- 5.2 **SLOTH**: Threads as Interrupts
- 5.3 SLEEPY SLOTH: Threads as IRQs as Threads
- 5.4 SAFER SLOTH: Hardware-Tailored Isolation

5.5 SLOTH ON TIME: Time-Triggered Laziness

- 5.6 SLOTH\* Generation
- 5.7 Summary and Conclusions
- 5.8 References





#### Referenzen (Cont'd)

- [5] Wanja Hofer, Daniel Danner, Rainer Müller, Fabian Scheler, Wolfgang Schröder-Preikschat, and Daniel Lohmann. "Sloth on Time: Efficient Hardware-Based Scheduling for Time-Triggered RTOS". In: Proceedings of the 33rd IEEE International Symposium on Real-Time Systems (RTSS '12). (San Juan, Puerto Rico, Dec. 4–7, 2012). IEEE Computer Society Press, Dec. 2012, pp. 237–247. ISBN: 978-0-7695-4869-2. DOI: 10.1109/RTSS.2012.75.
- [6] Wanja Hofer, Daniel Lohmann, Fabian Scheler, and Wolfgang Schröder-Preikschat. "Sloth: Threads as Interrupts". In: *Proceedings of the 30th IEEE International Symposium on Real-Time Systems (RTSS '09)*. (Washington, D.C., USA, Dec. 1–4, 2009). IEEE Computer Society Press, Dec. 2009, pp. 204–213. ISBN: 978-0-7695-3875-4. DOI: 10.1109/RTSS.2009.18.
- [7] Wanja Hofer, Daniel Lohmann, and Wolfgang Schröder-Preikschat. "Sleepy Sloth: Threads as Interrupts as Threads". In: *Proceedings of the 32nd IEEE International Symposium on Real-Time Systems (RTSS '11)*. (Vienna, Austria, Nov. 29–Dec. 2, 2011). IEEE Computer Society Press, Dec. 2011, pp. 67–77. ISBN: 978-0-7695-4591-2. DOI: 10.1109/RTSS.2011.14.
- [8] Steve Kleiman and Joe Eykholt. "Interrupts as Threads". In: ACM SIGOPS Operating Systems Review 29.2 (Apr. 1995), pp. 21–26. ISSN: 0163-5980.

#### Referenzen (Cont'd)

- OSEK/VDX Group. Operating System Specification 2.2.3. Tech. rep. http://portal.osek-vdx.org/files/pdf/specs/os223.pdf, visited 2014-09-29. OSEK/VDX Group, Feb. 2005.
- [10] OSEK/VDX Group. OSEK Implementation Language Specification 2.5. Tech. rep. http://portal.osek-vdx.org/files/pdf/specs/oil25.pdf, visited 2014-09-29. OSEK/VDX Group, 2004.
- [11] OSEK/VDX Group. Time-Triggered Operating System Specification 1.0. Tech. rep. http://portal.osek-vdx.org/files/pdf/specs/ttos10.pdf. OSEK/VDX Group, July 2001.
- [12] Lui Sha, Ragunathan Rajkumar, and John P. Lehoczky. "Priority Inheritance Protocols: An Approach to Real-Time Synchronization". In: *IEEE Transactions* on Computers 39.9 (1990), pp. 1175–1185. ISSN: 0018-9340. DOI: 10.1109/12.57058.
- [13] David B. Stewart. "Twenty-Five Most Common Mistakes with Real-Time Software Development". In: Proceedings of the 1999 Embedded Systems Conference (ESC '99). 1999.

KSS (VL 5 | SS 16) 5 The SLOTH Approach | 5.8 References

5-51

(C) dl

5-52