Cooperative Memory Management in Safety-Critical Embedded Systems

Memory management is a challenging task and its handling becomes more difficult with the rising complexity of software systems. Embedded systems are predominated by the use of manual storage control and as these systems become more and more extensive, means to assist the programmer in performing correct memory management are required. By using a type-safe language, the use of automated storage control is promoted: Combining the knowledge about a type-safe application, system software and the hardware properties assists the creation of a memory handling that is tailored to a particular system setup: Software can be deployed on several kinds of microcontrollers that may vary in their hardware-specific properties, such as the availability of memories, the address-space layout or their proneness to transient hardware faults. In addition, a program’s non-functional properties, for instance, its predictability, have to be respected during the design of memory management. In this thesis I describe how systemand application-specific memory management for a particular hardware device can be created. I call my approach cooperative memory management (CMM) and it pursues a co-design of memory management by respecting the software quality attributes efficiency and predictability and the hardware property reliability. CMM is a compound of static analyses on type-safe applications and runtime support. For the implementation of my framework, I use the KESO JVM [169] in which I integrated an amended version of an escape analysis to encourage compiler-assisted storage control. Besides safe, automatic stack allocation, I implemented new backends for my escape analysis through which, among other things, I provide an automated solution to regional memory specified in the Real-Time Specification for Java [33]. The use of escape-analysis results ameliorates a program’s reliability by reducing the effects of transient hardware faults. To further improve reliability, I evolved special runtime checks that are able to preserve memory safety in systems prone to transient faults. Besides compiler support, I developed RT-LAGC, a real-time garbage collector to maintain heap objects not managed by regional memory. RT-LAGC is optimized through the compilation process and tailored to the application whose heap memory it manages. I designed CMM’s storage control techniques to be easily exchangeable and extensible by the developer so that static and dynamic analyses can find out which combination of techniques works reasonably well to achieve efficiency, predictability and reliability. By evaluating a comprehensive real-time benchmark and various memory-management configurations I showed, that the developer-assisted co-design approach is able to address the properties reliability, efficiency and predictability.

[1]  Laurie J. Hendren,et al.  Connection Analysis: A Practical Interprocedural Heap Analysis for C , 2016, International Journal of Parallel Programming.

[2]  Benjamin Goldberg,et al.  Higher Order Escape Analysis: Optimizing Stack Allocation in Functional Program Implementations , 1990, ESOP.

[3]  Keith H. Randall,et al.  Field analysis: getting useful and low-cost interprocedural information , 2000, PLDI '00.

[4]  Stefan Poledna,et al.  Replica determinism in distributed real-time systems: A brief survey , 1994, Real-Time Systems.

[5]  David Gay,et al.  Memory management with explicit regions , 1998, PLDI.

[6]  Samuel P. Midkiff,et al.  Practical escape analyses: how good are they? , 2007, VEE '07.

[7]  James Gosling,et al.  The Real-Time Specification for Java , 2000, Computer.

[8]  Mads Tofte,et al.  Implementation of the typed call-by-value λ-calculus using a stack of regions , 1994, POPL '94.

[9]  V. T. Rajan,et al.  A real-time garbage collector with low overhead and consistent utilization , 2003, POPL '03.

[10]  David F. Bacon,et al.  Fast static analysis of C++ virtual function calls , 1996, OOPSLA '96.

[11]  Wolfgang Schröder-Preikschat,et al.  Automated application of fault tolerance mechanisms in a component-based system , 2011, JTRES '11.

[12]  D.N. Nguyen,et al.  Single Event Effect Characterization of High Density Commercial NAND and NOR Nonvolatile Flash Memories , 2007, IEEE Transactions on Nuclear Science.

[13]  Rafael Dueire Lins,et al.  Garbage collection: algorithms for automatic dynamic memory management , 1996 .

[14]  Michael Golm,et al.  The JX Operating System , 2002, USENIX Annual Technical Conference, General Track.

[15]  Kiem-Phong Vo,et al.  Vmalloc: A General and Efficient Memory Allocator , 1996, Softw. Pract. Exp..

[16]  Weng-Fai Wong,et al.  EnVM: Virtual memory design for new memory architectures , 2014, 2014 International Conference on Compilers, Architecture and Synthesis for Embedded Systems (CASES).

[17]  Julian Dolby Automatic inline allocation of objects , 1997, PLDI '97.

[18]  Joshua S. Auerbach,et al.  Design and implementation of a comprehensive real-time java virtual machine , 2007, EMSOFT '07.

[19]  Filip Pizlo,et al.  Stopless: a real-time garbage collector for multiprocessors , 2007, ISMM '07.

[20]  Kathryn S. McKinley,et al.  Ulterior reference counting: fast garbage collection without a long wait , 2003, OOPSLA '03.

[21]  Christophe Rippert,et al.  Semi-Automatic Region-Based Memory Management for Real-Time Java Embedded Systems , 2007, 13th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA 2007).

[22]  V. T. Rajan,et al.  An efficient on-the-fly cycle collection , 2005, TOPL.

[23]  Chau-Wen Tseng,et al.  Compiler optimizations for improving data locality , 1994, ASPLOS VI.

[24]  Dinakar Dhurjati,et al.  SAFECode: enforcing alias analysis for weakly typed languages , 2005, PLDI '06.

[25]  Isabella Stilkerich,et al.  RT-LAGC: Fragmentation-Tolerant Real-Time Memory Management Revisited , 2014, JTRES '14.

[26]  Wolfgang Schröder-Preikschat,et al.  Eliminating Single Points of Failure in Software-Based Redundancy , 2012, 2012 Ninth European Dependable Computing Conference.

[27]  Barbara G. Ryder,et al.  A safe approximate algorithm for interprocedural aliasing , 1992, PLDI '92.

[28]  Reinhard Wilhelm,et al.  Solving shape-analysis problems in languages with destructive updating , 1998, TOPL.

[29]  Hans-Juergen Boehm,et al.  Garbage collection in the next C++ standard , 2009, ISMM '09.

[30]  Massimo Violante,et al.  Soft-error detection using control flow assertions , 2003, Proceedings 18th IEEE Symposium on Defect and Fault Tolerance in VLSI Systems.

[31]  Benedikt Huber,et al.  Worst-Case Analysis of Heap Allocations , 2010, ISoLA.

[32]  Fergus Henderson Accurate garbage collection in an uncooperative environment , 2002, ISMM '02.

[33]  Stephan Korsholm Flash memory in embedded Java programs , 2011, JTRES '11.

[34]  Erez Petrank,et al.  Thread-local heaps for Java , 2002, ISMM '02.

[35]  John Regehr,et al.  Eliminating stack overflow by abstract interpretation , 2003, TECS.

[36]  Leslie Lamport,et al.  On-the-fly garbage collection: an exercise in cooperation , 1975, CACM.

[37]  Douglas T. Ross The AED free storage package , 1967, CACM.

[38]  Andrew A. Chien,et al.  An evaluation of automatic object inline allocation techniques , 1998, OOPSLA '98.

[39]  Jong-Deok Choi,et al.  Stack allocation and synchronization optimizations for Java using escape analysis , 2003, TOPL.

[40]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[41]  Rüdiger Kapitza,et al.  Fail∗: Towards a versatile fault-injection experiment framework , 2012, ARCS 2012.

[42]  Alfred V. Aho,et al.  Compilers: Principles, Techniques, and Tools , 1986, Addison-Wesley series in computer science / World student series edition.

[43]  John G. P. Barnes,et al.  High Integrity Software - The SPARK Approach to Safety and Security , 2003 .

[44]  Jong-Deok Choi,et al.  Efficient flow-sensitive interprocedural computation of pointer-induced aliases and side effects , 1993, POPL '93.

[45]  Clemens Lang Compiler-Assisted Memory Management Using Escape Analysis in the KESO JVM , 2014 .

[46]  Olaf Spinczyk,et al.  FAIL*: An Open and Versatile Fault-Injection Framework for the Assessment of Software-Implemented Hardware Fault Tolerance , 2015, 2015 11th European Dependable Computing Conference (EDCC).

[47]  R. Velazco,et al.  Experimentally evaluating an automatic approach for generating safety-critical software with respect to transient errors , 2000 .

[48]  Robert G. Pettit,et al.  Ada 95, Quality and Style: Guidelines for Professional Programmers , 1998 .

[49]  Virginie Wiels,et al.  Formal Verification of Critical Aerospace Software , 2012 .

[50]  Urs Hölzle,et al.  Eliminating Virtual Function Calls in C++ Programs , 1996, ECOOP.

[51]  Wolfgang Schröder-Preikschat,et al.  KESO: an open-source multi-JVM for deeply embedded systems , 2010, JTRES '10.

[52]  Sigmund Cherem,et al.  Region analysis and transformation for Java programs , 2004, ISMM '04.

[53]  Ron K. Cytron,et al.  Static determination of allocation rates to support real-time garbage collection , 2005, LCTES '05.

[54]  Henry G. Baker,et al.  The treadmill: real-time garbage collection without motion sickness , 1992, SIGP.

[55]  Massimo Violante,et al.  Software-Implemented Hardware Fault Tolerance , 2010 .

[56]  Christof Fetzer,et al.  AN-Encoding Compiler: Building Safety-Critical Systems with Commodity Hardware , 2009, SAFECOMP.

[57]  Mark N. Wegman,et al.  Constant propagation with conditional branches , 1985, POPL.

[58]  Stefan Kempf,et al.  Compiler and runtime techniques to identify and optimize atomic blocks in parallel programs , 2014 .

[59]  Monica S. Lam,et al.  Efficient context-sensitive pointer analysis for C programs , 1995, PLDI '95.

[60]  Dinakar Dhurjati,et al.  Memory safety without garbage collection for embedded applications , 2005, TECS.

[61]  A. Taber,et al.  Single event upset in avionics , 1993 .

[62]  Alan Burns,et al.  Replica Determinism and Flexible Scheduling in Hard Real-Time Dependable Systems , 2000, IEEE Trans. Computers.

[63]  Kevin P. Lawton Bochs: A Portable PC Emulator for Unix/X , 1996 .

[64]  Guy E. Blelloch,et al.  A parallel, real-time garbage collector , 2001, PLDI '01.

[65]  Sergio Yovine,et al.  Fast Escape Analysis for Region-based Memory Management , 2005, AIOOL@VMCAI.

[66]  Andy J. Wellings,et al.  Hard Real-Time Hybrid Garbage Collection with Low Memory Requirements , 2006, 2006 27th IEEE International Real-Time Systems Symposium (RTSS'06).

[67]  Marcus Rimén,et al.  A study of the effects of transient fault injection into a 32-bit RISC with built-in watchdog , 1992, [1992] Digest of Papers. FTCS-22: The Twenty-Second International Symposium on Fault-Tolerant Computing.

[68]  Benjamin G. Zorn,et al.  Using lifetime predictors to improve memory allocation performance , 1993, PLDI '93.

[69]  Christian Walter Alois Wawersich KESO: konstruktiver Speicherschutz für eingebettete Systeme , 2009 .

[70]  David Gay,et al.  Language support for regions , 2001, PLDI '01.

[71]  James R. Larus,et al.  Deconstructing process isolation , 2006, MSPC '06.

[72]  C. Frost,et al.  Neutron-induced soft errors in advanced flash memories , 2008, 2008 IEEE International Electron Devices Meeting.

[73]  Laurie J. Hendren,et al.  Practical virtual method call resolution for Java , 2000, OOPSLA '00.

[74]  Ondrej Lhoták,et al.  Run-time evaluation of opportunities for object inlining in Java , 2002, JGI '02.

[75]  Shekhar Y. Borkar,et al.  Designing reliable systems from unreliable components: the challenges of transistor variability and degradation , 2005, IEEE Micro.

[76]  Peter Ulbrich Ganzheitliche Fehlertoleranz in eingebetteten Softwaresystemen , 2014 .

[77]  Michael Engel,et al.  The Reliable Computing Base - A Paradigm for Software-based Reliability , 2012, GI-Jahrestagung.

[78]  Jürgen Mössinger Software in Automotive Systems , 2010, IEEE Software.

[79]  Sven G. Robertz,et al.  Applying priorities to memory allocation , 2002, ISMM '02.

[80]  Diploma Thesis,et al.  An OSEK Operating System Interface and Memory Management for Java , 2006 .

[81]  David Grove,et al.  Optimization of Object-Oriented Programs Using Static Class Hierarchy Analysis , 1995, ECOOP.

[82]  Fridtjof Siebert Realtime garbage collection in the JamaicaVM 3.0 , 2007, JTRES.

[83]  Calton Pu,et al.  Reducing TCB complexity for security-sensitive applications: three case studies , 2006, EuroSys.

[84]  Eric Jenn,et al.  Use of PERC Pico in the AIDA avionics platform , 2009, JTRES '09.

[85]  Wolfgang Schröder-Preikschat,et al.  Exploiting static application knowledge in a Java compiler for embedded systems: a case study , 2011, JTRES '11.

[86]  Edward J. McCluskey,et al.  Control-flow checking by software signatures , 2002, IEEE Trans. Reliab..

[87]  C. H. Lindsey,et al.  A history of ALGOL 68 , 1993, HOPL-II.

[88]  Bjarne Steensgaard,et al.  Points-to analysis in almost linear time , 1996, POPL '96.

[89]  Bruno Blanchet,et al.  Escape analysis for object-oriented languages: application to Java , 1999, OOPSLA '99.

[90]  Sven Gestegard Robertz,et al.  Time-triggered garbage collection: robust and adaptive real-time GC scheduling for embedded systems , 2003, LCTES '03.

[91]  Alexander Aiken,et al.  Better static memory management: improving region-based analysis of higher-order languages , 1995, PLDI '95.

[92]  Wolfgang Schröder-Preikschat,et al.  A JVM for soft-error-prone embedded systems , 2013, LCTES '13.

[93]  Philip C. Treleaven,et al.  Volume II: Parallel Languages on PARLE: Parallel Architectures and Languages Europe , 1987 .

[94]  Reinhold Heckmann,et al.  Worst case execution time prediction by static program analysis , 2004, 18th International Parallel and Distributed Processing Symposium, 2004. Proceedings..

[95]  Geoffrey Phipps Comparing Observed Bug and Productivity Rates for Java and C++ , 1999, Softw. Pract. Exp..

[96]  Dariusz Makowski,et al.  The impact of radiation on electronic devices with the special consideration of neutron and gamma radiation monitoring , 2007 .

[97]  Jong-Deok Choi,et al.  Escape analysis for Java , 1999, OOPSLA '99.

[98]  Andrew A. Chien,et al.  An automatic object inlining optimization and its evaluation , 2000, PLDI '00.

[99]  Hermann Kopetz,et al.  Real-time systems , 2018, CSC '73.

[100]  Wang Honghao,et al.  Bipartite graph-based control flow checking for COTS-based small satellites , 2015 .

[101]  Filip Pizlo,et al.  A study of concurrent real-time garbage collectors , 2008, PLDI '08.

[102]  Laurie J. Hendren,et al.  Context-sensitive interprocedural points-to analysis in the presence of function pointers , 1994, PLDI '94.

[103]  Roy Dz-Ching Ju,et al.  Translating Out of Static Single Assignment Form , 1999, SAS.

[104]  John McCarthy,et al.  Recursive functions of symbolic expressions and their computation by machine, Part I , 1960, Commun. ACM.

[105]  Aloysius Ka-Lau Mok,et al.  Fundamental design problems of distributed systems for the hard-real-time environment , 1983 .

[106]  Paul R. Wilson,et al.  Non-compacting memory allocation and real-time garbage collection , 1997 .

[107]  D. I. Bevan,et al.  Distributed Garbage Collection Using Reference Counting , 1987, PARLE.

[108]  Jan Vitek,et al.  Scheduling Hard Real-Time Garbage Collection , 2009, 2009 30th IEEE Real-Time Systems Symposium.

[109]  John Paul Shen,et al.  Processor Control Flow Monitoring Using Signatured Instruction Streams , 1987, IEEE Transactions on Computers.

[110]  James Cheney,et al.  Region-based memory management in cyclone , 2002, PLDI '02.

[111]  Laurie J. Hendren,et al.  SableVM: A Research Framework for the Efficient Execution of Java Bytecode , 2001, Java Virtual Machine Research and Technology Symposium.

[112]  John Daniels,et al.  Java™ on the bare metal of wireless sensor devices: the squawk Java virtual machine , 2006, VEE '06.

[113]  David R. Hanson Fast allocation and deallocation of memory based on object lifetimes , 1990, Softw. Pract. Exp..

[114]  Andrew W. Appel,et al.  RETROSPECTIVE : Real-time Concurrent Collection on Stock Multiprocessors , 2004 .

[115]  Robert E. Tarjan,et al.  Depth-First Search and Linear Graph Algorithms , 1972, SIAM J. Comput..

[116]  Jan Vitek,et al.  A Real-time Java Virtual Machine for Avionics - An Experience Report , 2006, 12th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'06).

[117]  Carl E. Landwehr,et al.  Basic concepts and taxonomy of dependable and secure computing , 2004, IEEE Transactions on Dependable and Secure Computing.

[118]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[119]  David E. Gay,et al.  Stack Allocating Objects in Java ( Extended Abstract ) , 1998 .

[120]  Martin Schoeberl,et al.  Scheduling of hard real-time garbage collection , 2010, Real-Time Systems.

[121]  Paul Watson,et al.  An Efficient Garbage Collection Scheme for Parallel Computer Architectures , 1987, PARLE.

[122]  Bruno Blanchet,et al.  Escape analysis: correctness proof, implementation and experimental results , 1998, POPL '98.

[123]  V. T. Rajan,et al.  The Metronome: A Simpler Approach to Garbage Collection in Real-Time Systems , 2003, OTM Workshops.

[124]  Isabella Stilkerich,et al.  A Practical Getaway: Applications of Escape Analysis in Embedded Real-Time Systems , 2015, LCTES.

[125]  Jan Vitek,et al.  Schism: fragmentation-tolerant real-time garbage collection , 2010, PLDI '10.

[126]  Christian Dietrich,et al.  dOSEK: the design and implementation of a dependability-oriented static embedded kernel , 2015, 21st IEEE Real-Time and Embedded Technology and Applications Symposium.

[127]  Escape Analysis for Java. Theory and Practice , 2003 .

[128]  Isabella Stilkerich,et al.  Team up: Cooperative memory management in embedded systems , 2014, 2014 International Conference on Compilers, Architecture and Synthesis for Embedded Systems (CASES).

[129]  Jan Vitek,et al.  High-level programming of embedded hard real-time devices , 2010, EuroSys '10.

[130]  Wolfgang Schröder-Preikschat,et al.  SAFER SLOTH: Efficient, hardware-tailored memory protection , 2014, 2014 IEEE 19th Real-Time and Embedded Technology and Applications Symposium (RTAS).

[131]  Michael Stilkerich,et al.  Memory protection at option: application-tailored memory safety in safety-critical embedded systems (Speicherschutz nach Wahl) , 2012 .

[132]  Keso Multi-JVM Improved Stack Allocation Using Escape Analysis in the , 2012 .

[133]  Rüdiger Kapitza,et al.  Effectiveness of Fault Detection Mechanisms in Static and Dynamic Operating System Designs , 2014, 2014 IEEE 17th International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing.

[134]  Peter Fritzson,et al.  Decreasing Memory Overhead in Hard Real-Time Garbage Collection , 2002, EMSOFT.

[135]  Ben Hardekopf,et al.  Flow-sensitive pointer analysis for millions of lines of code , 2011, International Symposium on Code Generation and Optimization (CGO 2011).

[136]  Christoph M. Kirsch,et al.  Low-latency time-portable real-time programming with Exotasks , 2009, TECS.

[137]  Benjamin Goldberg,et al.  Escape analysis on lists , 1992, PLDI '92.

[138]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[139]  Martin Schoeberl,et al.  Java for Safety-Critical Applications , 2009 .

[140]  Olaf Spinczyk,et al.  Avoiding Pitfalls in Fault-Injection Based Comparison of Program Susceptibility to Soft Errors , 2015, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[141]  David Gay,et al.  Fast Escape Analysis and Stack Allocation for Object-Based Programs , 2000, CC.

[142]  Hans-Juergen Boehm,et al.  Garbage collection in an uncooperative environment , 1988, Softw. Pract. Exp..

[143]  Alain Deutsch,et al.  On the complexity of escape analysis , 1997, POPL '97.

[144]  Adam Dunkels,et al.  Contiki - a lightweight and flexible operating system for tiny networked sensors , 2004, 29th Annual IEEE International Conference on Local Computer Networks.

[145]  Leslie Lamport,et al.  On-the-fly garbage collection: an exercise in cooperation , 1975, Language Hierarchies and Interfaces.

[146]  Jan Vitek,et al.  Developing safety critical Java applications with oSCJ/L0 , 2010, JTRES '10.

[147]  George E. Collins,et al.  A method for overlapping and erasure of lists , 1960, CACM.

[148]  Wolfgang Schröder-Preikschat,et al.  The final Frontier: Coping With Immutable Data in a JVM for Embedded Real-Time Systems , 2014, JTRES '14.

[149]  Henry G. Baker,et al.  Minimizing reference count updating with deferred and anchored pointers for functional data structures , 1994, SIGP.

[150]  Barbara G. Ryder,et al.  Relevant context inference , 1999, POPL '99.

[151]  Wolfgang Schröder-Preikschat,et al.  CiAO: An Aspect-Oriented Operating-System Family for Resource-Constrained Embedded Systems , 2009, USENIX Annual Technical Conference.

[152]  J. Maiz,et al.  Characterization of multi-bit soft error events in advanced SRAMs , 2003, IEEE International Electron Devices Meeting 2003.

[153]  Björn Döbel,et al.  Operating system support for redundant multithreading , 2012, EMSOFT '12.

[154]  Jonathan L. Schilling Dynamically-valued constants: an underused language feature , 1995, SIGP.

[155]  Christian Dietrich,et al.  Cross-Kernel Control-Flow--Graph Analysis for Event-Driven Real-Time Systems , 2015, LCTES.

[156]  Bowen Alpern,et al.  Implementing jalapeño in Java , 1999, OOPSLA '99.

[157]  Shengchao Qin,et al.  Region inference for an object-oriented language , 2004, PLDI '04.

[158]  Andreas Krall,et al.  Stack allocation of objects in the CACAO virtual machine , 2009, PPPJ '09.

[159]  Taiichi Yuasa,et al.  Real-time garbage collection on general-purpose machines , 1990, J. Syst. Softw..

[160]  Xi Yang,et al.  Taking off the gloves with reference counting Immix , 2013, OOPSLA.

[161]  Martin Elsman,et al.  Combining region inference and garbage collection , 2002, PLDI '02.

[162]  Wolfgang Schröder-Preikschat,et al.  Tailor‐made JVMs for statically configured embedded systems , 2012, Concurr. Comput. Pract. Exp..

[163]  Jan Vitek,et al.  CDx: a family of real-time Java benchmarks , 2009, JTRES '09.

[164]  Thomas P. Murtagh,et al.  Lifetime analysis of dynamically allocated objects , 1988, POPL '88.

[165]  V. T. Rajan,et al.  Controlling fragmentation and space consumption in the metronome, a real-time garbage collector for Java , 2003, LCTES '03.

[166]  Christian Harkort,et al.  I4Copter: an adaptable and modular quadrotor platform , 2011, SAC '11.

[167]  Kelvin Nilsen,et al.  Ada-Java middleware for legacy software modernization , 2010, JTRES '10.

[168]  Gregor Kiczales,et al.  Aspect-oriented programming , 2001, ESEC/FSE-9.