

#### A Personal View of Real-Time Computing

### Edward A. Lee

#### Professor of the Graduate School

#### **Invited Talk**

INRIA Grenoble, France, April 2, 2019



University of California at Berkeley



Predictability requires determinacy and depends on timing, including execution times and network delays.



## What is Real Time?

- fast computation
- prioritized scheduling
- computation on streaming data
- bounded execution time
- temporal semantics in programs
- temporal semantics in networks





## What is Real Time?

- fast computation
- prioritized scheduling
- computation on streaming data
- bounded execution time
- temporal semantics in programs
- temporal semantics in networks

These are very different from one another. We have to decide which to focus on.



# Timing is not part of software and network semantics

**Correct execution** of a program in all widely used programming languages, and **correct delivery** of a network message in all general-purpose networks has nothing to do with how long it takes to do anything.



Programmers have to step outside the programming abstractions to specify timing behavior.



## Achieving Real Time

- overengineering
- using old technology
- response-time analysis
- real-time operating systems (RTOSs)
- specialized networks
- extensive testing and validation



#### Timing of programs emerges from the implementation

- Pipeline hazards
- Cache effects
- Variable DRAM latencies
- Speculative execution
- Interrupts
- Forwarding
- Dynamic voltage/frequency

Image from Lee & Seshia, Introduction to Embedded Systems MIT Press, 2017





#### Messy Time

## Time becomes a mess with interrupts and threads



#### Model

```
void initTimer(void) {
1
       SysTickPeriodSet(SysCtlClockGet() / 1000);
2
       SysTickEnable();
3
       SysTickIntEnable();
4
  7
5
  volatile uint timer_count = 0;
  void ISR(void) {
       if(timer_count != 0) {
           timer_count --;
9
       7
10
  7
11
  int main(void) {
12
       SysTickIntRegister(&ISR);
13
       .. // other init
14
       timer count = 2000;
15
       initTimer();
16
       while(timer_count != 0) {
17
            ... code to run for 2 seconds
18
       3
19
       ... // other code
20
  7
21
```

*Edward A. Lee* University of California, Berkeley

IEEE Computer, May, 2006.



## Current Trends in Real-Time Software

- Model the details
- Analyze the models

Result is expensive, intractable models.



Fig. 15. Response time across jobs for the multi-resource scheduler with  $R_s(i-1) = 7.76$  and  $R_s(i-2) = 7.74$ .

Even deterministic real-time models can lead to chaos. [Thiele and Kumar, EMSOFT 2015]

9



Image: Wikimedia Commons

Newtonian time advances uniformly in a continuum, observable everywhere.



## Pitfall with Newtonian Time (1)

When realized in a software-based model:

- 1. The precision of time should be finite and the same for all observers.
- 2. The precision of time should be independent of the absolute magnitude of the time.
- 3. Addition of time should be associative. That is, for any three time intervals  $t_1$ ,  $t_2$ , and  $t_3$ ,

$$(t_1 + t_2) + t_3 = t_1 + (t_2 + t_3)$$

Floating point numbers do not satisfy these.

[1] Broman, et al. "Requirements for hybrid cosimulation standards. HSCC 2015.[2] Cremona, et al., "Hybrid co-simulation: it's about time," Software and Systems Modeling 2017.







## Achieving Real Time in Practice

- overengineering
- using old technology
- response-time analysis
- real-time operating systems (RTOSs)
- specialized networks
- extensive testing and validation

Maybe we can do better?





## An Epiphany







#### The Value of Models

- In *science*, the value of a *model* lies in how well its behavior matches that of the physical system.
- In *engineering*, the value of the *physical system* lies in how well its behavior matches that of the model.

A scientist asks, "Can I make a model for this thing?" An engineer asks, "Can I make a thing for this model?"



#### Models vs. Reality

$$x(t) = x(0) + \int_0^t v(\tau) d\tau$$
$$v(t) = v(0) + \frac{1}{m} \int_0^t F(\tau) d\tau$$

The model



The target (the thing being modeled). In this example, the *modeling framework* is calculus and Newton's laws.

*Fidelity* is how well the model and its target match



Image by Dominique Toussaint, GNU Free Documentation License, Version 1.2 or later.





## Model Fidelity

- To a *scientist*, the model is flawed.
- To an *engineer*, the realization is flawed.

#### l'm an engineer...

Perhaps we should be making our realizations more faithful to our models rather than the other way around?



#### Useful Models and Useful Things

#### "Essentially, all models are wrong, but some are useful."

Box, G. E. P. and N. R. Draper, 1987: *Empirical Model-Building and Response Surfaces*. Wiley Series in Probability and Statistics, Wiley.

"Essentially, all system implementations are wrong, but some are useful."

Lee and Sirjani, "What good are models," FACS 2018.



Lee and Sirjani, "What good are models," FACS 2018.



## Changing the Question

Is the question whether our models describe the behavior of real-time systems (with high fidelity)?

Or

Is the question whether we can build real-time systems where behavior matches that of our models (with high probability)?



The hardware out of which we build computers is capable of delivering "correct" computations *and* precise timing...

Ro

SO

Synchronous digital logic delivers E.

... but the overlaying software abstractions discard timing.

// Perform the convolution.
for (int i=0; i<10; i++) {
 x[i] = a[i]\*b[j-i];
 // Notify listeners.
 notify(x[i]);
}</pre>



PRET Machines – Giving Software the Capabilities its Hardware Already Has.

- **PRE**cision-**T**imed processors = **PRET**
- Predictable, REpeatable Timing = PRET
- Performance *with* **RE**peatable **Timing** = **PRET**

With time

http://chess.eecs.berkeley.edu/pret

```
// Perform the convolution.
for (int i=0; i<10; i++) {
   x[i] = a[i]*b[j-i];
   // Notify listeners.
   notify(x[i]);</pre>
```

}

Computing

Lee, Berkeley



= PRET



## Major Challenges

and existence proofs that they can be met

- Pipelines
  - fine-grain multithreading
- Memory hierarchy
  - memory controllers with controllable latency
- 1/0

- threaded interrupts with zero effect on timing



- [Zimmer et al., RTAS, 2014, PhD Thesis 2015]





#### Our Third-Generation PRET: Open-Source FlexPRET (Zimmer 2014/15)

- 32-bit, 5-stage thread interleaved pipeline, RISC-V ISA
  - Hard real-time HW threads: scheduled at constant rate for isolation and repeatability.
  - Soft real-time HW threads: share all available cycles for efficiency.
- Deployed on Xilinx FPGA





Digilent Atlys (Spartan 6) and NI myRIO (Zync)



Michael Zimmer



Fact

The real-time performance of a FlexPRET machine is never worse than that of a conventional machine.

**Proof**: A FlexPRET machine *is* a conventional machine if the memory-mapped registers controlling HRT and SRT threads is set to have only one thread, a SRT thread.



- Four hardware threads is enough to eliminate all pipeline bubbles and memory latency variability.
- Unrealistic task models become realistic.
  - Exact, known WCET.
  - Zero-interference tasks.
  - Interrupts enabled at all times.
- High-precision timing instructions
  - Repeatable nanosecond precision



#### Size:



[Zimmer, Broman, Shaver, Lee, RTAS 2014]



A **baseline RISC-V** without any complex instructions (floating point, integer division, packed instructions) can be realized on an FPGA with 580 flip flops and 2,788 LUTs.

A **4-thread FlexPRET** can be realized with 908 flip flops and 3,943 LUTs, an increase of 56% and 41% respectively.

Percentage is much lower with floating point, division, etc. [Zimmer, Broman, Shaver, Lee, RTAS 2014]



#### About Interrupts

"[M]any a systems programmer's grey hair bears witness to the fact that we should not talk lightly about the logical problems created by that feature"



- Edsger Dijkstra (1972)



- Nondeterministically interleaved with program
- Make response time > execution time
- Disrupt cache and branch predictors
- Overhead of context switching
- For WCET analysis, have to disable interrupts
- Disabling interrupts increases variability in response time



Scientific solution:

• Model all these effects

**Engineering solution:** 

• Eliminate all these effects

The latter is what PRET machines do.





## Abstract PRET Machines (APM)

## Abstract PRET Machines

#### Invited TCRTS award paper

Edward A. Lee (award recipient)

Jan Reineke

Michael Zimmer

#### RTSS, 2017, Paris.

This paper shows that achieving deterministic response times that meet deadlines, when that is feasible, comes at *no cost* in worst-case response times.

This is shown for a task model of *N* sporadic independent tasks with deadlines.



N sporadic real-time tasks with minimum interarrival time T<sub>i</sub>, deadlines D<sub>i</sub>, and WCET C<sub>i</sub>.

**Theorem**: When  $T_i = D_i$ , PRET yields deterministic response times no worse than the worst case response time of a conventional architecture.

When  $T_i > D_i$ , if any processor can deliver deterministic response times, PRET will, with worst case response time no worse than a conventional architecture.

## Benefits of PRET

(Even if you don't care about determinism)

### Very low context switch overhead

- Up to the number of hardware threads.
- Conventional overhead above that.

### • Tighter WCET analysis

 Particularly when activating enough threads to eliminate pipeline bubbles and memory access order dependencies.



## Benefits of PRET

## (If you take advantage of determinism)

- Modularity
  - Non-interference between tasks.
  - Interrupts have *exactly no effect* on hard-real-time tasks.

#### Exactness

- Can get not just WCET, but actual ET.
- Not just ET, but *response* time.

#### • Repeatability

- Works in the field like on the bench.
- Event ordering can be made invariant.
- Complexity
  - More hard-real-time tasks is better than fewer.
- Certifiability
  - Every *correct* execution of the software gives the same behavior.
- Energy
  - Reduce voltage and frequency to the bare minimum to meet deadlines.

Lee, Berkeley



## **Opportunities for the Future**

- Synthesizing HRT thread schedules on the fly
- OS support for dynamic HRT thread instantiation
- Exploiting potential reduction in energy
- Programming models with temporal semantics



## Engineering Models for Real-Time Cyber-Physical Systems

- **PRET**: time-deterministic architectures
  - <u>http://chess.eecs.berkeley.edu/pret</u>
- **PTIDES**: distributed real-time software
  - http://chess.eecs.berkeley.edu/ptides

These enable models with tightly controlled timing and deterministic behaviors.

We have shown that that these models are practically realizable at reasonable cost.



## Roots of the Idea

#### Using Time Instead of Timeout for Fault-Tolerant Distributed Systems

LESLIE LAMPORT SRI International

A general method is described for implementing a distributed system with any desired degree of faulttolerance. Instead of relying upon explicit timeouts, processes execute a simple clock-driven algorithm. Reliable clock synchronization and a solution to the Byzantine Generals Problem are assumed.

Categories and Subject Descriptors: C.2.4 [Computer-Communications Networks]: Distributed Systems—network operating systems; D.1.3 [Programming Techniques]: Concurrent Programming; D.4.1 [Operating Systems]: Process Management—synchronization; D.4.3 [Operating Systems]: File Systems Management—distributed file systems; D.4.5 [Operating Systems]: Reliability—fault-tolerance; D.4.7 [Operating Systems]: Organization and Design—distributed systems; real-time systems

General Terms: Design, Reliability

Additional Key Words and Phrases: Clocks, transaction commit, timestamps, interactive consistency, Byzantine Generals Problem

ACM Transactions on Programming Languages and Systems, 1984.

Lee, Berkeley

| 1 |
|---|
|   |
|   |

## Ptides – A Robust Distributed DE MoC for IoIT Applications

in Proceedings of the 13th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS 07), Bellevue, WA, United States.

#### A Programming Model for Time-Synchronized Distributed Real-Time Systems

| Yang Zhao       | Jie Liu            | Edward A. Lee   |
|-----------------|--------------------|-----------------|
| EECS Department | Microsoft Research | EECS Department |
| UC Berkeley     | One Microsoft Way  | UC Berkeley     |

**Abstract**: Discrete-event (DE) models are formal system specifications that have analyzable deterministic behaviors. Using a global, consistent notion of time, DE components communicate via time-stamped events. DE models have primarily been used in performance modeling and simulation, where time stamps are a modeling property bearing no relationship to real time during execution of the model. In this paper, we extend DE models with the capability of relating certain events to physical time...

Lee, Berkeley



## Google Spanner – A Reinvention

#### Spanner: Google's Globally-Distributed Database

Google independently developed a very similar technique and applied it to distributed databases.

James C. Corbett, Jeffrey Dean, Michael Epstein, Andrew Fikes, Christopher Frost, JJ Furman, Sanjay Ghemawat, Andrey Gubarev, Christopher Heiser, Peter Hochschild, Wilson Hsieh, Sebastian Kanthak, Eugene Kogan, Hongyi Li, Alexander Lloyd, Sergey Melnik, David Mwaura, David Nagle, Sean Quinlan, Rajesh Rao, Lindsay Rolig, Yasushi Saito, Michal Szymaniak, Christopher Taylor, Ruth Wang, Dale Woodford

Google, Inc.

#### Abstract

Spanner is Google's scalable, multi-version, globallydistributed, and synchronously-replicated database. It is the first system to distribute data at global scale and support externally-consistent distributed transactions. This paper describes how Spanner is structured, its feature set, the rationale underlying various design decisions, and a novel time API that exposes clock uncertainty. This API and its implementation are critical to supporting external consistency and a variety of powerful features: nonblocking reads in the past, lock-free read-only transactions, and atomic schema changes, across all of Spanner. tency over higher availability, as long as they can survive 1 or 2 datacenter failures.

Spanner's main focus is managing cross-datacenter replicated data, but we have also spent a great deal of time in designing and implementing important database features on top of our distributed-systems infrastructure. Even though many projects happily use Bigtable [9], we have also consistently received complaints from users that Bigtable can be difficult to use for some kinds of applications: those that have complex, evolving schemas, or those that want strong consistency in the presence of wide-area replication. (Similar claims have been made by other authors [37].) Many applications at Google

Proceedings of OSDI 2012



Networking

Lee, Berkeley

etwork Simulator

apping Guide

#### PTIDES: Discrete-Event Semantics + Synchronized Clocks + Sensors and Actuators

Time-stamped events that are processed in time-stamp order.

This MoC is widely used in simulation and HDLs.

ANCES IN CAD FOR MUSH Volumet

Given time-stamped inputs, it is a deterministic concurrent MoC.

Introduction to

**Discrete Event** 

Systems

Christos G. Cassandras

Klasser Academic Publishes

éphane Lafortune

A few texts that use the DE MoC



# Google Spanner – A Reinvention of PTIDES



# Google Spanner – A Reinvention of PTIDES



# Google Spanner: When to Respond?





Lee, Berkeley

## Google Spanner: Fault!



record update with time stamp  $t_1 < t_2$ declare a fault. Spanner handles this with a transaction schema.

## Deterministic Distributed Real-Time

### Assume bounds on:

- clock synchronization error
- network latency

then *events are processed in time-stamp order* at every component. If in addition we assume

• bounds on execution time

then events are delivered to actuators on time.

See http://chess.eecs.berkeley.edu/ptides



## PTIDES Requires Synchronized Clocks with Bounded Error

Every engineered design makes assumptions about its execution platform.

If we can count on ubiquitous clock synchronization, we have a new and powerful tool.





- In science, the value of a model lies in how well its behavior matches that of the physical system.
- In *engineering*, the value of the *physical system* lies in how well its behavior matches that of the model.

**My message**: Do less science and more engineering.

http://ptolemy.berkeley.edu/pret http://ptolemy.berkeley.edu/ptides



http://platoandthenerd.org