1 / 19

Model for Supporting High Integrity and Fault Tolerance

Model for Supporting High Integrity and Fault Tolerance. Brian Dobbing, Aonix Europe Ltd Chief Technical Consultant November 1999. Background. Real-Time Core Specification is Released High Integrity Profile A subset of APIs in the RT-Core Address requirements of Fault Tolerance

aizza
Download Presentation

Model for Supporting High Integrity and Fault Tolerance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model for Supporting High Integrity and Fault Tolerance Brian Dobbing, Aonix Europe Ltd Chief Technical Consultant November 1999

  2. Background • Real-Time Core Specification is Released • High Integrity Profile • A subset of APIs in the RT-Core • Address requirements of • Fault Tolerance • High Integrity and Safety Critical systems • Work in progress, led by Aonix • Draft circulated for internal J-Consortium review • CALL FOR PARTICIPATION e.g. from Telecoms High Integrity and Fault Tolerance

  3. Characteristics Fault Tol Partitioning Determinism High Integ Minimal Size Safety Crit Certifiability High Integrity and Fault Tolerance

  4. Partitioning - single processor Non-Critical e.g. JVM Network ControlledCommunication Other peripherals Critical Component I/O devicesPhysical memory access High Integrity and Fault Tolerance

  5. Partitioning - hot standby Network Messages ControlledCommunication ControlledCommunication Critical Component Critical Component I/O devices / Physical memory High Integrity and Fault Tolerance

  6. Partitioning - distribution Network Messages Messages ControlledCommunication ControlledCommunication Critical Component Critical Component Non-Critical Component I/O devices / Physical memory • Support for Distributed Systems is being addressed by “Real-Time and Embedded Distributed Middleware Profile” High Integrity and Fault Tolerance

  7. Partitioning - interfaces Remote Method InvocationInterface Critical Component Parameters / Results(No Addresses) Physical Memory High Integrity and Fault Tolerance

  8. Partition Construction • Static Linking only • Need to verify statically every byte loaded • Native code execution only • Temporal constraints prohibit interpreters • “Control” of the processor • HI partition will (normally) contain main() • Low-level interaction with underlying board • Intended to be user-configurable High Integrity and Fault Tolerance

  9. Memory Management (1) Default Allocation Context ExecutionStack Per Thread Non-Stackable Objects Stackable Objects plus dynamic call frames No garbage collector! High Integrity and Fault Tolerance

  10. Memory Management (2) • Allocation context re-used for each run() • Useful for Periodic, Sporadic, Interrupt tasks • Special allocation context supported • Programmatic reclamation for Ongoing tasks • Allocation context must be non-fragmenting High Integrity and Fault Tolerance

  11. Concurrency • Periodic tasks (threads) • Scheduled by the runtime system • Sporadic tasks (threads) • Additional to RT Core, run by signalling Events • Interrupt “tasks” (handlers) • Triggered by hardware / software interrupt • Ongoing tasks (not run automatically) • Often background tasks in an infinite loop High Integrity and Fault Tolerance

  12. Task Interaction • Remove asynchronous task-to-task actions • Stop, Interrupt, Wakeup, Suspend / Resume • Important for replica determinism • PCP used for Synchronized methods • Mutual exclusive access to Shared Resources • Tight bound on the blocking time (no queues) • Used in preference to mutexes, semaphores • Atomic regions used for interrupt handlers • Can signal Event object to run Sporadic task High Integrity and Fault Tolerance

  13. Task Interaction Example H/w interrupt run Interrupt Task Periodic Task Sporadic Task signal run put get Event object PCP Object High Integrity and Fault Tolerance

  14. Scheduling • Priorities as in the RT-Core • Interrupt range + non-interrupt range • Normal FIFO_Within_Priorities scheduling • Task inherits ceiling priority when in PCP • Each task has : • Base priority (at creation time) • Active priority (for scheduling) • Higher of base and any inherited priority High Integrity and Fault Tolerance

  15. Sequential Execution • Need to be able to support : • Access to physical memory addresses • for example RT Core IO class and Device I/O Registry • Exception handling • Needed for failure recovery (roll back state) • Finally clauses • Tidy up when failure occurs • Must exclude any non-determinism • Needed for replica consistency in fault tolerance High Integrity and Fault Tolerance

  16. Fault Tolerance (1) • Hardware-related considerations • Keep standby replicas as identical as possible • Eliminate constructs with race conditions • Predictable execution even if clocks vary slightly • Allow access to physical addresses • e.g fast DMA to compare / update state in replica • No addresses exported from HI partition • Simplifies switching to replica on failure High Integrity and Fault Tolerance

  17. Fault Tolerance (2) • Software-related considerations • Checkpoint objects at specific points • Save state in durable (persistent) storage • Allow access to physical addresses for this storage • Detect and recover from data errors • Exception catching • Roll back to saved state • Tidy up in normal and exception case • Finally clauses High Integrity and Fault Tolerance

  18. Summary (1) • The HI Profile supports : • Partitioning • Controlled access to code and data • Determinism in sequential and concurrency • Small footprint runtime system • Proposed features : • Simplified memory management scheme • Including access to physical memory addresses • Simplified threads kernel • Full exception handling and “finally” clauses High Integrity and Fault Tolerance

  19. Summary (2) • The HI Profile will be : • Compatible with the Real-Time Core definition • Compatible with the Distributed Middleware profile • A full solution for the entire range of software requirements Needs YOUR review comments & participation High Integrity and Fault Tolerance

More Related