Giotto:

1
Giotto Predictable, Portable Real-Time Code
Tom Henzinger Ben Horowitz Christoph Kirsch
2
Control Software Development
Mathematical Model
Platform Constraints
e.g. Matlab/Simulink
-hardware configuration -RTOS (scheduling
algorithm) -network protocol
-CONCURRENCY -ENVIRONMENT TIME
-DISTRIBUTION -PLATFORM TIME
some automatic code generation, some manual code
optimization
Executable Code
3
Control Software Development
Mathematical Model
Platform Constraints
e.g. Matlab/Simulink
-hardware configuration -RTOS (scheduling
algorithm) -network protocol
Problems -close correspondence between model
and code is lost with code optimization -if
either model or platform changes, the entire
process needs to be repeated
some automatic code generation, some manual code
optimization
Executable Code
4
Control Software Development
Mathematical Model
An intermediate layer that separates
platform-independent from platform-dependent
software issues.
Platform-independent Software Model
Platform Constraints
e.g. synchronous language
-executable -composable -verifiable
-optimizable -portable -reusable
Executable Code
5
Control Software Development
e.g.
What is the control equation?
What is the sampling rate?

Mathematical Model
Platform-independent Software Model
Platform Constraints
e.g.
Which procedure computes the
control equation?
Which (clock) event triggers the computation?

e.g.
Which CPU executes the control procedure?
What priority has the
execution?
Executable Code
-still CONCURRENCY -still
ENVIRONMENT TIME
6
Control Software Development
Platform-independent code generation and
optimization e.g. shared data structures
Mathematical Model
Platform-dependent code generation and
optimization e.g. choice of priorities
Platform-independent Software Model
Platform Constraints
Executable Code
SEPARATION OF CONCERNS !!!
7
Motivation Flight Control Software
Single CPU.
8
Motivation Flight Control Software
Two connected CPUs.
9
Motivation Flight Control Software
10
Motivation Flight Control Software
11
Platform-independent Software Model
1. Concurrent periodic tasks -sensing


-control law computation

-actuating 2. Multiple
modes of operation -navigational modes
(autopilot, manual, etc.)
-maneuver modes (taxi,
takeoff, cruise, etc.)
-degraded modes (sensor,
actuator, CPU failures)
12
Platform-independent Software Model
Mode 1
Mode 2
Condition 1.2
Task S 400 Hz
Task S 400 Hz
Task C 200 Hz
Task C 200 Hz
Task A 1 kHz
Task A 1 kHz
Condition 2.1
Task A 1 kHz
Mode 4
Mode 3
Task S 400 Hz
Task C 100 Hz
Task C 200 Hz
Task A 1 kHz
Task A 2 kHz
13
Platform-independent Software Model
Host code e.g. C
Glue code Giotto
Functionality.
Timing and interaction.
-Concurrency, not distribution.
-Environment time, not platform time.
14
Platform-independent Software Model
Host code e.g. C
Glue code Giotto
Functionality.
Timing and interaction.
This kind of software is understood
Host code may be generated automatically.
The software complexity lies in the glue code
Giotto enables
requirements-driven rather than platform-driven
glue-code programming.
15
The Giotto Programmers Model
Programming in terms of environment
time -time-triggered task invocation
-tasks have fixed duration ( ? WCET
) -tasks are not
preemptable Implementation in terms of platform
time -need access to (logical) global
time, no other platform requirements
-tasks may finish early, but outputs cannot
be observed early -tasks may be
preempted Similar to the synchronous programmers
model, only simpler (no fixpoint issues).
16
The Giotto Programmers Model
Given

• 1. Units of scheduled host code
  (application-level tasks). e.g.
  control law computation
• 2. Units of synchronous host code (system-level
  drivers). e.g. device drivers
• 3. Real-time requirements and data flow between
  tasks.

Task
Input ports
Output ports
Task driver loads task input ports.
Task
Giotto Glue code that calls 1. and 2. in order
to realize 3.
17
Environment Timeline (defined by Giotto semantics)
Task duration
Actuator
Driver
Sensor
d
Task
Driver execution in environment time 0.
Task execution in environment time d.
Input ports loaded.
Output ports read.
Sensor/output ports read.
Actuator/input ports loaded.
Time t
Time t
Time td
Time td
18
Platform Timeline (chosen by Giotto compiler)
Actuator
Driver
Sensor
d
Task
Task on CPU.
Input ports loaded.
Output ports read.
Time t
Time t
Time td
Time td
19
Platform Independence ensures Predictability
Time Determinism The Giotto compiler chooses for
a given platform a platform timeline that is
value equivalent to the environment timeline
defined by the Giotto semantics.
implies
Value Determinism For a given time-triggered
sequence of sensor readings, the corresponding
time-triggered sequence of actuator settings is
uniquely determined (i.e., there are no race
conditions).
20
Helicopter Software
Control
10
Actuators
a
i
Navigation
5
Sensors
s
21
Helicopter Software
Control
10
Actuators
a
i
Navigation
5
Sensors
s
Matlab Design
22
Helicopter Software Environment Timeline
Task
a
i
a
Control
i
s
Navigation
Navigation
s
s
t10ms
t10ms
t
t
t5ms
t5ms
Block of synchronous code (nonpreemptable)
Scheduled tasks (preemptable)
23
Helicopter Software Giotto Syntax (Functionality)
sensor gps_type GPS uses c_gps_device actuator
servo_type Servo c_servo_init
uses c_servo_device output ctr_type
CtrOutput c_ctr_init nav_type NavOutput
c_nav_init driver sensing (GPS) output
(gps_type gps) c_gps_pre_processing
( GPS, gps ) task Navigation (gps_type gps)
output (NavOutput) c_matlab_navigation_code (
gps, NavOutput )
24
Helicopter Software Giotto Syntax (Timing)
mode Flight ( ) period 10ms
actfreq 1 do Actuator ( actuating )
taskfreq 1 do Control ( input )
taskfreq 2 do Navigation ( sensing )
25
The Giotto Compiler
Native Code
for tasks and drivers
Functionality
Timing Interaction
Giotto Program
Giotto-H
hardware specification -topology (CPUs, nets)
-performance (WCET, latency)
Hardware
Giotto Compiler
Failure either Giotto-H overconstrained, or
compiler not smart enough (distributed scheduling
problem!)
Executables
or
26
Closing the Gap Annotated Giotto
Native Code
for tasks and drivers
Functionality
Timing Interaction
Giotto Program
-topology (CPUs, nets) -performance (WCET,
latency)
Giotto-H
Hardware
Giotto-HM
-assign tasks to CPUs -assign connections to
nets
Map
Giotto Compiler
Failure either Giotto-HM overconstrained, or
compiler not smart enough (local scheduling
problems)
Executables
or
27
Closing the Gap Annotated Giotto
Native Code
for tasks and drivers
Functionality
Timing Interaction
Giotto Program
-topology (CPUs, nets) -performance (WCET,
latency)
Giotto-H
Hardware
Giotto-HM
-assign tasks to CPUs -assign connections to
nets
Map
Giotto-HMS
Schedule
-assign tasks to priorities (say)
-assign connections to TDMA slots (say)
Giotto Compiler
Failure Giotto-HMS overconstrained
Executables
or
28
Single-CPU Helicopter Annotated Giotto
host Heli address 192.168.0.1 // Giotto-H
Annotation mode Flight ( ) period 10ms
actfreq 1 do Actuator ( actuating )
taskfreq 1 do Control ( input ) host Heli
deadline 10 // Giotto-MS taskfreq 2
do Navigation ( sensing ) host Heli deadline 5

29
Single-CPU Helicopter Platform Timeline (EDF)
Task







t10ms
t10ms
t
t
t5ms
t5ms
30
Code Generation
F1 call(actuating) call(sensing) call(input)
schedule(Control 10) schedule(Navigation5)
enable(timer, F2) return
Task
a
i
a
Control
i
s
Navigation
Navigation
s
s
t10ms
t10ms
t
t
t5ms
t5ms
31
Code Generation
F2 call(sensing) schedule(Navigation5) enab
le(timer, F1) return
Task
a
i
a
Control
i
s
Navigation
Navigation
s
s
t10ms
t10ms
t
t
t5ms
t5ms
32
Two-CPU Helicopter Annotated Giotto
(Time-triggered Communication)
host HeliCtr address 192.168.0.1 host
HeliNav address 192.168.0.2 network HeliNet
address 192.168.0.0 connects HeliCtr, HeliNav
mode Flight ( ) period 10ms
actfreq 1 do Actuator ( actuating )
taskfreq 1 do Control ( input ) host HeliCtr
deadline 7 taskfreq 2 do Navigation (
sensing ) host HeliNav deadline 2 push
( NavOutput ) to ( HeliCtr ) in HeliNet slots
(7,10)
33
Two-CPU Helicopter Platform Timeline
(Time-triggered Communication)
TDMA Slot




HeliCtr
HeliNet



HeliNav
t10ms
t10ms
t
t
t5ms
t5ms
t7ms
34
Code Generation for HeliNav
F2 call(sensing) schedule(Navigation2) sche
dule(Connection(7,10)) enable(timer,
F1) return




HeliCtr



HeliNav
t10ms
t10ms
t
t
t5ms
t5ms
t7ms
35
Two-CPU Helicopter Annotated Giotto
(Event-triggered Communication)
host HeliCtr address 192.168.0.1 host
HeliNav address 192.168.0.2 network HeliNet
address 192.168.0.0 connects HeliCtr, HeliNav
mode Flight ( ) period 10ms
actfreq 1 do Actuator ( actuating )
taskfreq 1 do Control ( input ) host HeliCtr
deadline 10 taskfreq 2 do Navigation
( sensing ) host HeliNav deadline 2
push ( NavOutput ) to ( HeliCtr ) in HeliNet
deadline 3
36
Two-CPU Helicopter Platform Timeline
(Event-triggered Communication)
Message




HeliCtr
HeliNet



HeliNav
t10ms
t7.5ms
t
t
t5ms
t5ms
t6.5ms
37
Mode Switch
Mode m
Mode m
f
10
f
10
h
g
2.5
5
5
d
d
p ? s
38
Mode Switch Environment Timeline
Task
f
p
p
d
g
Time
Mode Switch _at_ t5ms
39
Mode Switch Environment Timeline
Task
f
p
d
p
g
s
Time
Mode Switch finished _at_ t5ms
40
Mode Switch Environment Timeline
Task
f
d
p
d
p
g
s
Time
t5ms
t5ms
41
Mode Switch Environment Timeline
Task
f
p
d
s
p
h
d
g
Time
t7.5ms
t5ms
42
Mode Switch Environment Timeline
Task
f
s
d
p
p
d
h
d
h
d
g
t10ms
43
Try it out! www.eecs.berkeley.edu/fresco/giotto