This document discusses the oSCJ project for developing safety-critical applications in Java. It describes safety-critical systems and the challenges of developing such systems. It then provides an overview of the Safety-Critical Java (SCJ) specification, the oSCJ implementation including its virtual machine, libraries, and tools. It also presents benchmark results and discusses future work.
Open Safety-Critical Java
1. oSCJ Project: Developing Safety-Critical Applications in Java
Ales Plsek
www.omvj.net/oscj/
oSCJ
Open Safety-Critical Java
Saturday, April 24, 2010
2. Safety-Critical Systems
A safety-critical system is a system whose failure or malfunction may result in death or serious injury to people, or loss or severe damage to equipment.
Ariane 5, 1996 - an $800 million failure
Embedded software - growing complexity, code size measured in MLOC
Productivity, reusability, and availability of trained personnel
3. Safety-Critical Software Development
Programming Languages
C, C++, Ada
static allocation, schedulability analysis
Certification standards
DO-178 A, B, C and D
4. Java in Real-Time Domain
2001 - RTSJ
2003 - Golden Gate
Java 10-100 times slower than C
2005 - RT GC technology
2005-7 - RT Java Technology boom
SUN, IBM Metronome, Aicas, Aonix, etc.
2010 - Fiji VM
comparable performance with C, ~30% overhead
2010 - SCJ (JSR-302) near completion
5. Safety-Critical Specification for Java
SCJ specified by JSR-302
[Figure: expressiveness vs. latency (<<1ms, 1ms, >>1ms) positioning Java with RT GC, RTSJ, and SCJ. SCJ: subset of RTSJ, memory safety, no heap, no GC, annotations, static allocation.]
Designed to be amenable to certification - DO-178B, Level A
Reduction of the system's complexity and of the cost of certification
Compliance Levels
6. oSCJ - Open Safety-Critical Java
oSCJ contains:
  Library - Level 0: Periodic Event Handlers; Level 1: Asynchronous Event Handlers; Level 2: No Heap RealtimeThreads
  oSCJ VM - SCJ-compliant VM running on top of an OS or directly on bare hardware
  RTEMS OS
  Hardware - Xilinx FPGA board with LEON 3 architecture
  Tools - Static Checker, Technology Compatibility Kit (TCK), miniCDj benchmark
8. Safety-Critical Specification for Java
Execution Model
  Mission Concept - setup, initialization, execution, cleanup, teardown; after the current mission, the next mission
Memory Model
  region based memory model, no heap
  no dynamic allocation
Compliance Levels 0-2
  Level 0 - single-threaded, Periodic Event Handlers, single Mission
  Level 1 - Aperiodic Event Handlers, Fixed-Priority Preemptive Scheduler
  Level 2 - sub-missions, ManagedThreads
9. The Mission Concept
application organized as a series of Missions: setup, missions M1 ... Mi ... Mn, teardown
Mission - independent computation unit with respect to lifetime and resources
  phases: initialization, execution, cleanup
  runs in MissionMemory
MissionSequencer - manages Missions and determines their execution order
  runs in ImmortalMemory
  getNextMission()
  creates the MissionMemory of the current mission
MissionManager - startAll(), waitAll()
Schedulable Objects (SO) - a bounded number per Mission, SO1 ... SOn
  application logic is executed by SOs
  each SO runs in its own PrivateMemory
  parameters - scheduling, priority, storage
  e.g. storage requirements must be known prior to execution
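As an added illustration (not code from the oSCJ project or these slides), a Level 0 application assembled from the pieces named above: one Mission with a single PeriodicEventHandler, storage sizes fixed before execution, and allocation confined to mission and private memory. The class names CyclicExecutive, Frame and StorageParameters, the constructor signatures, requestTermination() and the memory sizes are assumed from the 2010 SCJ draft API.

```java
import javax.realtime.PeriodicParameters;
import javax.realtime.PriorityParameters;
import javax.realtime.RelativeTime;
import javax.safetycritical.CyclicExecutive;
import javax.safetycritical.CyclicSchedule;
import javax.safetycritical.Frame;
import javax.safetycritical.Mission;
import javax.safetycritical.PeriodicEventHandler;
import javax.safetycritical.StorageParameters;

// Level 0 application: a single Mission driven by a cyclic executive with one
// PeriodicEventHandler. Class and constructor shapes are assumed from the 2010 draft API.
public class SensorMission extends CyclicExecutive {
    // Every storage requirement is fixed before execution; the sizes are assumed.
    private static final long MISSION_MEM = 100000L;   // MissionMemory
    private static final long BACKING_STORE = 20000L;  // per-handler backing store
    private static final long PRIVATE_MEM = 4000L;     // handler PrivateMemory
    public SensorMission() { super(new StorageParameters(MISSION_MEM, 0, 0)); }

    // Initialization phase: schedulable objects are allocated in MissionMemory.
    @Override protected void initialize() {
        new SampleHandler(new PriorityParameters(10),
            new PeriodicParameters(new RelativeTime(0, 0), new RelativeTime(100, 0)),
            new StorageParameters(BACKING_STORE, 0, 0), PRIVATE_MEM);
    }
    @Override public long missionMemorySize() { return MISSION_MEM; }

    // Level 0 schedule: one 100 ms frame that releases every handler.
    @Override public CyclicSchedule getSchedule(PeriodicEventHandler[] handlers) {
        return new CyclicSchedule(new Frame[] { new Frame(new RelativeTime(100, 0), handlers) });
    }

    // The schedulable object that carries the application logic.
    static final class SampleHandler extends PeriodicEventHandler {
        private int releases;   // allocated with the handler, i.e. in MissionMemory
        SampleHandler(PriorityParameters p, PeriodicParameters pp, StorageParameters sp, long priv) {
            super(p, pp, sp, priv);
        }

        // Runs each period inside the handler's PrivateMemory: objects allocated
        // here are reclaimed when the release ends, so no heap and no GC is needed.
        @Override public void handleAsyncEvent() {
            int[] sample = new int[4];   // reclaimed at the end of this release
            sample[0] = ++releases;
            if (releases == 10) Mission.getCurrentMission().requestTermination();
        }

        @Override public void cleanUp() { }   // cleanup phase: nothing to release
    }
}
```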
10. Memory Model
Memory Management Strategy
  no heap, no GC
  memory safety
  each SO memory size statically given
  static analysis friendly model
Memory Types
  immortal memory - shared by all missions
  mission memory - shared by all SOs in the mission
  private memory - SO private
Region-Based Memory model
  inspired by scoped memory areas (RTSJ)
  memory areas forming an easily-analyzable tree - scope stack
  strictly nested lifetime of scopes
  execInArea supported - an SO is allowed to switch its allocation context
[Figure: scope tree with Immortal at the root, Mission below it, and private scopes P1 ... P4 belonging to PEH and AEH schedulable objects.]
11. Compliance Levels
Compliance Levels 0-2
refer to the expected cost and difficulty of certification
allow developing SCJ applications with different degrees of constraint
both application and implementation can conform
Level 0
only PeriodicEventHandlers
only 1 Mission
simple cyclic-execution model
used already during Apollo missions [1]
no aperiodicity
12. Compliance Levels
Level 1
Periodic and Aperiodic Event Handlers
Fixed-priority preemptive scheduler
Level 2
nesting of missions is allowed
13. Library Status
Stable features                 In development
  programming model               exceptions
  memory model                    JNI support
  scheduling model                external event / interrupt model
  time and clock                  dependent on JSR-282
  annotations
  I/O
  raw memory access
14. VM Interface

    interface VM_Interface {
        // Memory Management
        public static native Opaque makeExplicitArea(long size);
        public static native Opaque makeArea(MemoryArea ma, long size);
        public static native Opaque setCurrentArea(Opaque scope);
        public static native Opaque getCurrentArea();
        ...
        // Time
        public static native Opaque getCurrentTime();
        public static native long getClockResolution();   // return type missing on the slide; long assumed
        ...
    }

Library designed independently of the VM
  dedicated interface for communication with the VM
Tasks delegated to the VM
  memory management
  thread-related methods (e.g. getMaxPriority)
  I/O - raw memory access methods
  time
16. SCJ VM Design
OVM - a metacircular Virtual Machine, similar to J9, FijiVM, Squawk VM, etc.
  requires a bootstrap JVM to run upon in order to create a boot image
  a small C loader is responsible for loading the boot image at runtime
  Java code compiled down to C
SCJ VM
  optimizations towards Level 0
  Memory Manager
[Figure: VM architecture with the Java code layered over the C code; Squawk VM shown alongside for comparison.]
17. Optimizations
Synchronization Support
  Level 0 - single threaded: no synchronization/Monitor support needed
Java Object Model
  OVM Object Model: BluePrint, Hash-Code, Monitor, GC info, DATA
  SCJ Object Model: BluePrint, DATA
    optimized fields - monitor, GC information, hash-code
    hash-code is the physical address of the object - non-moving object model
21. Static Checker
Static verification of certain SCJ properties of the code
API visibility
@SCJAllowed, @SCJProtected
to prevent users from accessing internal elements
Memory Safety
@AllocFree, @ScopeDef, @Scope, @RunsIn
22. API Visibility

    // javax.realtime package
    @SCJAllowed(Level 2)
    class Realtime {
        @SCJAllowed(Level 2)
        public void foobar() {
            ...
        }
        @SCJAllowed(Level 1)
        public void foo() {
            ...
        }
    }

    // javax.safetycritical package
    @SCJAllowed(Level 1)
    class Foo extends Realtime {
        @SCJAllowed(Level 1)
        public void foo() {
            super.foo();
            bar();
        }
        @SCJProtected            // internal element, not visible to user code
        @SCJAllowed(Level 1)
        public void bar() {
        }
    }

    // user-level code
    @SCJAllowed(Level 1)
    class ExFoo extends Foo {
        @SCJAllowed(Level 2)
        public void foo() { }
    }

    class User {
        public static void main(String[] args) {
            new Foo().foo();            // Level 1 API
            new Realtime().foobar();    // Level 2 API used from Level 1 user code
        }
    }
23. Memory Safety

    @Scope("immortal")
    class Outer {
        @ScopeDef(name="a", parent="immortal")
        PrivateMemory a = new PrivateMemory(10000);

        void initialize() {
            run();
        }

        @AllocFree
        boolean foo() { ... }

        @RunsIn("a")
        void run() {
            initialize();
            foo();
        }
    }

[Figure: Outer and initialize() live in the immortal scope; run() and foo() execute in Scope A, the private memory "a".]
@AllocFree - no allocation
@ScopeDef - defines a scope memory
@Scope - per object, indicates allocation context
@RunsIn - overrides the class annotation, the default scope in which the type runs
24. Static Checker Implementation
based on Checker Framework (JSR 308) that will be part of Java 7
verification is done through AST visitors
Memory Safety
double pass of the algorithm
1. a scope-tree is constructed
2. scope-tree used to verify the memory-safety rules
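To make the two-pass check on this slide and the scope rules of slides 10 and 23 concrete, an added stand-alone model (not the oSCJ checker, which runs as Checker Framework AST visitors): the scope tree is built from @ScopeDef declarations, then reference assignments and execInArea requests are judged against it. The scope names, the rule methods and the cases in main() are this example's own; the "a"/"immortal" pair mirrors the slide 23 snippet.

```java
import java.util.HashMap;
import java.util.Map;

// Toy model of the two-pass check: build a scope tree from @ScopeDef declarations,
// then decide reference assignments and execInArea requests against it.
// This is an illustration, not the oSCJ checker (which works on the Java AST).
public final class ScopeTreeCheck {
    // scope name -> parent scope name; "immortal" is the root and has no parent
    private final Map<String, String> parent = new HashMap<>();
    public ScopeTreeCheck() { parent.put("immortal", null); }

    // Pass 1: record one @ScopeDef(name=..., parent=...) declaration.
    public void scopeDef(String name, String parentName) {
        if (!parent.containsKey(parentName))
            throw new IllegalArgumentException("unknown parent scope: " + parentName);
        if (parent.containsKey(name))
            throw new IllegalArgumentException("scope defined twice: " + name);
        parent.put(name, parentName);
    }

    // True when 'outer' is 'inner' itself or one of its ancestors: scopes are
    // strictly nested, so an ancestor lives at least as long as its descendants.
    public boolean outlives(String outer, String inner) {
        for (String s = inner; s != null; s = parent.get(s))
            if (s.equals(outer)) return true;
        return false;
    }

    // Pass 2, rule 1: a field of an object living in holderScope may only hold a
    // reference to an object whose scope outlives the holder; otherwise the
    // reference dangles once the inner scope is reclaimed.
    public boolean assignmentAllowed(String holderScope, String valueScope) {
        return outlives(valueScope, holderScope);
    }

    // Pass 2, rule 2: execInArea may only switch the allocation context to a scope
    // already on the scope stack, i.e. an ancestor of (or equal to) the current one.
    public boolean execInAreaAllowed(String currentScope, String targetScope) {
        return outlives(targetScope, currentScope);
    }

    public static void main(String[] args) {
        ScopeTreeCheck c = new ScopeTreeCheck();
        c.scopeDef("mission", "immortal");   // assumed mission scope
        c.scopeDef("a", "immortal");         // @ScopeDef(name="a", parent="immortal") from slide 23
        // Outer lives in immortal; run() is @RunsIn("a") and allocates in "a".
        System.out.println(c.assignmentAllowed("immortal", "a"));   // false: would dangle
        System.out.println(c.assignmentAllowed("a", "immortal"));   // true: immortal outlives "a"
        System.out.println(c.execInAreaAllowed("a", "immortal"));   // true: outer scope on the stack
        System.out.println(c.execInAreaAllowed("mission", "a"));    // false: sibling, not on the stack
    }
}
```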
26. Evaluation Platform
Hardware Platform
Xilinx FPGA GR-XC3S-1500 development board
8Mb flash PROM, 64MB SDRAM
no FPU
LEON3 Processor
flashed with LEON3, running at 40MHz
used by NASA and ESA (Venus Express Mission 2005, Dawn Mission 2007)
Real-time OS
RTEMS 4.9
27. Benchmark
Collision Detector Benchmark - CDx
periodic real-time task
highly configurable
workloads - # of planes, # of iterations, # of collisions, period
Various languages used
C, RTSJ, regular Java
miniCDj - CDx implementation in SCJ
Open-source, available at www.ovmj.net/cdx/
28. Results
Benchmark results for LEON3 and x86 platforms
to be published soon....
30. Conclusion
oSCJ
Open Safety-Critical Java
oSCJ Distribution available and open-source
Library, VM, tools and benchmark
www.omvj.net/oscj
Performance
competitive with C both on LEON3 and x86
Future Work
Library implementation
full Level 0 functionality (Exceptions, I/O, etc.)
supported both by OVM and FijiVM
FijiVM optimizations