Contention-Aware Dynamic Memory Bandwidth Isolation With Predictability in COTS Multicores: An Avionics Case Study∗
Ankit Agrawal1, Gerhard Fohler2, Johannes Freitag3, Jan Nowotsch4, Sascha Uhrig5, and Michael Paulitsch6
1, 2 Chair of Real-Time Systems, Technische Universität Kaiserslautern, Kaiserslautern, Germany
3, 4, 5 Airbus Innovations, Munich, Germany
6 Base Systems, Thales Austria GmbH, Vienna, Austria†
Abstract
Airbus is investigating COTS multicore platforms for safety-critical avionics applications, pursuing helicopter-style autonomous and electric aircraft. These aircraft need to be ultra-lightweight for future mobility in the urban city landscape. As a step towards certification, Airbus identified the need for new methods that preserve the ARINC 653 single-core schedule of a Helicopter Terrain Awareness and Warning System (HTAWS) application while scheduling additional safety-critical partitions on the other cores.
As some partitions in the HTAWS application are memory-intensive, static memory bandwidth throttling may lead to a slowdown of such partitions or provide only little remaining bandwidth to the other cores. Thus, there is a need for dynamic memory bandwidth isolation. This poses new challenges for scheduling, as execution times and scheduling become interdependent: scheduling requires execution times as input, which depend on memory latencies and contention from memory accesses of other cores – which are in turn determined by scheduling. Furthermore, execution times depend on memory access patterns.
In this paper, we propose a method to solve this problem for slot-based time-triggered systems without requiring application source-code modifications, using a number of dynamic memory bandwidth levels. It is NoC and DRAM controller contention-aware and based on the existing interference-sensitive WCET computation and the memory bandwidth throttling mechanism. It constructs schedule tables by assigning partitions and dynamic memory bandwidth to each slot on each core, considering worst-case memory access patterns. Then, at runtime, two servers – for processing time and memory bandwidth – run on each core, jointly controlling the contention between the cores and the amount of memory accesses per slot.
∗ The research leading to these results was funded within the EMC2 project by the EU ARTEMIS Joint Undertaking under grant agreement no. 621429.
† The work presented here was carried out while the author was at Airbus Innovations.
© Ankit Agrawal, Gerhard Fohler, Johannes Freitag, Jan Nowotsch, Sascha Uhrig,
and Michael Paulitsch;
licensed under Creative Commons License CC-BY
29th Euromicro Conference on Real-Time Systems (ECRTS 2017).
Editor: Marko Bertogna; Article No. 2; pp. 2:1–2:22
Leibniz International Proceedings in Informatics
Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany
As a proof-of-concept, we use a constraint solver to construct tables. Experiments on the
P4080 COTS multicore platform, using a research OS from Airbus and EEMBC benchmarks,
demonstrate that our proposed method enables preserving existing schedules on a core while
scheduling additional safety-critical partitions on other cores, and meets dynamic memory bandwidth isolation requirements.
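To make the two mechanisms named in the abstract concrete (offline construction of per-slot, per-core schedule tables with memory bandwidth levels, and a runtime memory bandwidth server that bounds the accesses of each core per slot), the following Python model is added here as an illustration. It is not the paper's implementation, nor Airbus's research OS. It assumes that DRAM capacity can be expressed as a fixed number of bandwidth levels, that one level corresponds to a fixed number of memory accesses per slot, and that the only table constraints are preserving the legacy core's partition sequence and fitting the per-slot level sum into capacity; the interference-sensitive WCET computation and the constraint solver are not modelled, and all tables and demands are constructed values.

```python
"""Toy model of schedule-table validation and a per-core memory bandwidth
server. Added illustration, not the paper's code: capacity, accesses per
level and the demands below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Slot:
    partition: Optional[str]   # None marks an idle slot
    bw_level: int              # dynamic memory bandwidth level granted to the core


# tables: {core_id: [Slot, ...]}, one entry per time slot of the major frame
Tables = Dict[int, List[Slot]]


def validate_tables(tables: Tables, legacy_core: int,
                    legacy_partitions: List[Optional[str]], capacity: int) -> List[str]:
    """Return the list of violated constraints (empty list means the tables are valid).

    Modelled constraints (assumptions derived from the abstract's description):
      * every core has the same number of slots,
      * the legacy core keeps its original partition sequence unchanged,
      * per slot, the bandwidth levels summed over all cores fit the capacity.
    """
    errors = []
    slot_counts = {len(slots) for slots in tables.values()}
    if len(slot_counts) != 1:
        errors.append("cores have differing slot counts")
        return errors
    n_slots = slot_counts.pop()
    if [s.partition for s in tables[legacy_core]] != list(legacy_partitions):
        errors.append(f"core {legacy_core}: original ARINC 653 schedule not preserved")
    for i in range(n_slots):
        total = sum(tables[core][i].bw_level for core in tables)
        if total > capacity:
            errors.append(f"slot {i}: bandwidth levels sum to {total} > capacity {capacity}")
    return errors


class MemoryBandwidthServer:
    """Per-core runtime server: a budget of memory accesses for the current slot.
    Once the budget is exhausted the core is throttled (no further access admitted
    until the next slot starts), which is how contention stays bounded."""

    def __init__(self, accesses_per_level: int):
        self.accesses_per_level = accesses_per_level
        self.budget = 0
        self.used = 0

    def start_slot(self, bw_level: int) -> None:
        self.budget = bw_level * self.accesses_per_level
        self.used = 0

    def request(self, n: int) -> int:
        """Admit up to n accesses and return how many were admitted."""
        admitted = min(n, self.budget - self.used)
        self.used += admitted
        return admitted


def run_slot(tables: Tables, slot_idx: int, demands: Dict[int, int],
             accesses_per_level: int) -> Dict[int, int]:
    """Serve each core's access demand in one slot under its granted level.
    Returns {core: admitted accesses}; the sum is bounded by the slot's planned
    levels, so a memory-intensive partition cannot exceed the table's plan."""
    served = {}
    for core, slots in tables.items():
        server = MemoryBandwidthServer(accesses_per_level)
        server.start_slot(slots[slot_idx].bw_level)
        served[core] = server.request(demands.get(core, 0))
    return served


if __name__ == "__main__":
    # constructed example: core 0 keeps its legacy schedule A, B, A;
    # core 1 hosts the added partitions C and D; capacity is 4 levels.
    tables = {0: [Slot("A", 2), Slot("B", 3), Slot("A", 1)],
              1: [Slot("C", 2), Slot("D", 1), Slot(None, 0)]}
    print(validate_tables(tables, 0, ["A", "B", "A"], 4))       # []
    print(run_slot(tables, 1, {0: 350, 1: 150}, 100))          # {0: 300, 1: 100}
```

The validation step corresponds to what the constraint solver must guarantee offline; `run_slot` shows the runtime side, where a core that demands more accesses than its granted level allows is throttled for the remainder of the slot instead of slowing the other cores.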
1998 ACM Subject Classification: D.4.7 Organization and Design
Keywords and phrases: dynamic memory bandwidth isolation, safety-critical avionics, COTS multicores
Digital Object Identifier: 10.4230/LIPIcs.ECRTS.2017.2
1 Introduction
For future mobility, Airbus is pursuing autonomous aircraft targeting urban landscape to
ease traffic, for instance, Uber-like CityAirbus [12], and the Vahana aircraft [17]. These
helicopter-style aircraft will be electrically powered, requiring ultra-light weight to boost their
power-to-weight ratio. They will need most avionics applications used in current aircraft,
along with a DAL-A (the highest design assurance level) sense-and-avoid application for
autonomous flying, unavailable today. Further, the electronic systems used in current aircraft
need to be redesigned to reduce size, weight, and power consumption (SWaP), by integrating
more avionics applications on the same number of processors, which is not feasible with
single-core processors. The power consumption of current electronic systems is marginal
compared to the envisaged electric propulsion system. However, limiting it will eliminate the
need for active cooling, further reducing SWaP. It will also eliminate the risk of a failure of
the cooling system. Airbus is investigating COTS multicores to meet these future demands.
Safety-critical avionics hardware and software demand certification from certification
authorities, which requires that the processes used in the design of digital hardware must
relate to the DAL of the intended use [9]. However, COTS multicores are designed primarily
for mass market and average-case performance and do not customarily follow DAL-based
design processes. The CAST-32a position paper [27] describes the issues in the certification
of COTS multicores, but the concrete implementation details are still open. Airbus is aiming
at an incremental transition step towards the use of full COTS multicore performance: in
the first step, an existing safety-critical single-core avionics application will be ported to a COTS
multicore, preserving the original ARINC 653 schedule as well as the source code, while
executing it on only one core. Additional applications must be assigned to another core of the
COTS multicore. This step reduces certification cost since documentation and verification
of the software is already available. In the second (future) step, an application can be
distributed over all the available cores. This paper focuses on the first step.
The Helicopter Terrain Awareness and Warning System (HTAWS), selected as reference
application, is a pilot-supporting system rated as DAL-C. It shows the helicopter pilot the
surrounding topographical layout (including large buildings, power lines) with “flyable” areas
together with warnings when the helicopter approaches rough terrain, e.g., when vision is
degraded. Such a system also needs to be integrated into future autonomous aircraft to
allow the aircraft to perform autonomous path planning and in-flight re-planning. The HTAWS
application is currently implemented on a dedicated avionics computer, which is not feasible
for ultra-light autonomous aircraft due to their SWaP constraints.
One of the major obstacles in certifying COTS multicores for use in safety-critical avionics
systems is the contention between cores. The contention between cores arises due to the
implicit sharing of hardwa (...truncated)