Improving the Efficiency of Dislocality Constraints for an Automated Software Deployment in Safety-Critical Systems Dr. Robert Hilbrich Dr. Michael Behrisch German Aerospace Center German Aerospace Center Rutherfordstr. 2 Rutherfordstr. 2 12489 Berlin, Germany 12489 Berlin, Germany Email: robert.hilbrich@dlr.de Email: michael.behrisch@dlr.de Abstract—Mapping software components to hardware re- achieved, if critical software components are deployed ac- sources is a central part of the systems engineering process. This cordingly. Deploying software components is a very intricate task can be automated by formalization and transformation into a task with zero tolerance for errors as they may jeopardize Constraint Satisfaction Problem and the subsequent application of a constraint solver. The toolsuite ASSIST demonstrates the the correctness of the system. At the same time, it requires feasibility of this concept. In ASSIST, dislocality requirements a detailed understanding of the requirements of all software can be specified for software components to constrain the set of components and the capabilities of all hardware resources in valid mapping solutions and to ensure reliability and fault toler- the system. Due to the sensitivity and complexity of this task, ance of the system. Three approaches to model these dislocality its formalization and automation is a valuable research goal. requirements with constraints are presented. They are compared to each other based on twenty synthetic mapping examples. II. AUTOMATED C ONSTRUCTION OF D EPLOYMENTS I. I NTRODUCTION In order to achieve an automated construction of a de- Engineering complex and safety-critical systems, such as ployment and to argue its correctness, a formalization of the flight control systems aboard an airplane, is still challenging mapping problem is required. For smaller mapping problems, and costly. Despite recent advancements in our model-based this has been successfully achieved based on Linear Integer tool suites and engineering methods, the design of these Programming [3], [4], SMT-based solvers [5] or evolutionary systems still bears risk and uncertainties with regard to its algorithms [6]. However, these approaches reach their limits outcome. when larger, real-world mapping problems are considered. The formalization and automation of crucial engineering On the one hand, methods based on integer programming tasks appears to be a promising approach to tackle these techniques are typically unable to provide solutions in a short challenges [1], [2]. Systems in these areas are engineered to timespan (20 minutes), when the complexity of the system implement a complex interplay between mechanical elements, reaches the level of real-world systems. Heuristic approaches electronic components, as well as (embedded) software. There- based on evolutionary algorithms on the other hand are usually fore, their design has to mirror this interplay and requires the unable to cope with limited gradient information to guide a development of a hardware and software architecture. search process, because the design space of real-world systems In practice, these architectures can often be developed often contains many discontinuities. independent of each other, but their integration in the final The authors instead chose to transform a mapping problem system requires a link between the software components and into a semantically equivalent Constraint Satisfaction Problem their hardware resources. Creating this link is referred to as (CSP) [7] and solve this CSP with Constraint Programming the deployment of the software components. Constructing a techniques [8]. The advantages of using Constraint Program- deployment requires the systems engineer to map software ming in comparison to other techniques lie in the availability components to resources and to schedule the access to shared of powerful modeling elements, such as an allDifferent resources. Therefore, mapping refers to a spatial allocation, constraint, and the ease with which custom search heuristics while scheduling refers to a temporal allocation of software can be implemented. components. The construction of a deployment is an engineering task, A. Constraint Satisfaction Problems which not only affects the fulfillment of functional require- Constraint Programming refers to a set of techniques in ar- ments by providing the necessary resources, but also affects tificial intelligence and operations research. These techniques the satisfaction of non-functional requirements, such as safety assist in finding solutions for problems based on variables, and reliability. Redundancy and fault tolerance can only be which are affected by constraints. Each constraint defines valid SEERTS 2018: Workshop on Software Engineering for Applied Embedded RealTime Systems @ SE18, Ulm, Germany 90 or invalid solutions for a subset of these variables. In this to. For example, a simple redundancy requirement between paper, a subclass of constraint satisfaction problems is used two software components, may force the systems engineer to express mapping problems: finite domain integer constraint to allocate these software components to different processing satisfaction problems in which each variable has a finite inte- boards in different locations aboard an airplane. Furthermore, ger domain. Solutions for this problem class can be obtained systematic errors and undetected design flaws in hardware by applying a combination of search techniques – including components may be addressed by choosing dissimilar hard- backtracking – and constraint propagation techniques for value ware resources, processors or memory blocks from different elimination. vendors for example. To illustrate the modeling approach of Constraint Satis- Due to the importance of choosing “different” resources faction Problems, consider the well-known Map Coloring for fault tolerance and reliability in safety-critical systems, problem as an example. This problem asks, whether it is engineering tools for an automated construction of deploy- possible to color a map with only four colors in such a way, ments need to be able to fully support these choices. ASSIST that neighboring countries have different colors. It can be supports the engineer by offering dislocality and dissimilarity formulated as a CSP by assigning an integer variable xi for requirements as part of the domain specific language. They can each country with the index i. The domain of each variable be used to enforce “differences” for the choice of resources corresponds to the four colors: Dxi = {0, 1, 2, 3}. In order to during the mapping process. Finding an efficient formulation model the restrictions of this problem, a constraint is added to express the semantics of each requirement as a Constraint for each pair of adjacent countries. If country xi is adjacent Satisfaction Problem is challenging, but also essential in order to country xj , then xi 6= xj is required. The search algorithm to provide an effective toolsuite for the engineering of safety- is now responsible to select a variable and test a value of its critical systems. domain. Assuming a simple “first variable, first value” strategy, In order to illustrate the challenges and to present specific the variable x0 would be chosen and set to the value 0 as a test. modeling improvements, the dislocality requirement is used This would be propagated to all variables which are directly as an example in this paper. Please note, that the concepts linked to x0 by a constraint, so that the value 0 gets removed developed for dislocality requirements can also be applied to from their domains. This removal may lead to other value dissimilarity requirements. removals in indirectly linked variables and is processed until The semantics of a dislocality requirement can be illustrated a fix point is reached. If a contradiction is encountered or the with the following deployment problem (see Figure 2). In domain of a variable becomes empty, backtracking is initiated, this example system, there are three applications consisting so that the next value of the variable x0 is tested. Otherwise, of one or more tasks. Each task has to be mapped to exactly the search algorithm continues with the next uninstantiated one of the processors in the system. It is assumed, that variable. the processor contains multiple cores, so that multiple tasks This example also shows, that the propagation of the can be mapped to a single processor. However, in order to N OT E QUAL constraint is weak, because it affects only two ensure fault tolerance, a dislocality requirement is added for variables and invalidates only 4 out of the 16 possible value all applications. This means, that the applications must not combinations between two variables. share a processor, so that a faulty processor affects only one application. B. Toolsuite ASSIST Expressing the basic deployment problem with constraints As a proof of concept for the ongoing research toward an is straight forward. Each task i in the system is represented automated construction of deployments based on Constraint by an integer variable Xi . The domain of each variable Xi Satisfaction Problems, the toolsuite Architecture Synthesis corresponds to the indices of the n processors in the system for Safety-Critical Systems (ASSIST) was developed by the (Xi 2 {0, 1, . . . , n 1}). In order to add the constraints authors. It is publicly available and uses the constraint solver for the dislocality requirements, two cases have to be distin- Choco 4.0.6 [9] internally. guished. In the simple case, in which all applications consist ASSIST allows a systems engineer to automatically con- of only one task, a dislocality can be enforced with a single struct and optimize mappings based on textual specifications of allDifferent constraint (see [10]) over all task variables the software components and hardware resources, dislocality, Xi . This case is depicted in Figure 2 (a). Fortunately, Choco 4 dissimilarity and colocality requirements, and also optimiza- already contains an implementation for an allDifferent tion goals. The textual specifications in ASSIST conform to a constraint based on the algorithm of Rgin [11], so that the domain-specific language which allows to hide the intricacies simple case can be implemented. of a formal specification. In real-world systems, applications usually consist of more than one task. Furthermore, tasks of the same application III. E NSURING FAULT T OLERANCE BY R EQUIRING usually share the same processor. This situation is more com- D ISLOCALITY plex and depicted in Figure 2 (b). Unfortunately, in this case, In order to achieve fault tolerance and reliability, it is the previous approach of applying a single allDifferent essential to support “significant differences” in the choice of constraint over all task variables Xi can no longer be used. resources to which critical software components are deployed It would prevent solutions in which a processor is shared by SEERTS 2018: Workshop on Software Engineering for Applied Embedded RealTime Systems @ SE18, Ulm, Germany 91 Fig. 1. Screenshot of the ASSIST User Interface App A App B App C App A App B App C Task A.1 Task B.1 Task C.1 Task A.1 Task B.1 Task C.1 Task A.2 Task B.2 Processor 1 Processor 2 Processor 3 Processor 4 Processor 1 Processor 2 Processor 3 Processor 4 (a) Simple Case (b) Complex Case Fig. 2. An Example Deployment Problem - Mapping Tasks to Processors multiple tasks of the same application. Before continuing with the description of possible imple- The existing allDifferent constraint simply ensures, mentations, the semantics of an advanced allDifferent that values for a list of variables are different. However, constraint should be described more precisely. For this pur- the complex case requires an advanced allDifferent pose, consider the example system in Figure 2 (b). It consists constraint working with a list of a list of variables and ensuring of the applications A, B and C. Each of these applications that the combined values for each list of variables are disjunct. contains one or more tasks, i.e. A = {A1 , A2 }, B = {B1 , B2 } Unfortunately, such a constraint is neither part of the Global and C = {C1 }. An advanced allDifferent for all Constraint Catalog [10] nor available in Choco 4. applications would be working with a list of a list of variables, for example: IV. M ODELING C OMPLEX D ISLOCALITY R EQUIREMENTS allDifferent {{A1 , A2 }, {B1 , B2 }, {C1 }} This section introduces three alternative implementations for Assuming that A? combines the values for each task in the semantics of an advanced allDifferent constraint. application A: Their performance and impact on resolution time will be [ analyzed and compared to each other in the next section. A? 2 P(N) = {Ai : Ai 2 A} (= A1 [ A2 ) SEERTS 2018: Workshop on Software Engineering for Applied Embedded RealTime Systems @ SE18, Ulm, Germany 92 and B ? and C ? do the same for the applications B and C, Based on the description of these three approaches to then the advanced allDifferent constraint would ensure, implement the semantics of an advanced allDifferent that the sets A? , B ? and C ? are pairwise disjunct. constraint, the next sections will describe experiments con- ducted by the authors and preliminary results to assess and Element-wise Approach compare the performance and efficiency of each approach. One option to implement the advanced allDifferent constraint semantic is to apply the already existing V. E XPERIMENTS allDifferent constraint for every subset s with Benchmarking the performance and efficiency of these approaches requires several example to work on. For this s = {a, b, c | a 2 A, b 2 B, c 2 C} purpose, the authors developed a generator for synthetic For systems with a large amount of applications and more than mapping problems that resemble the typical characteristics one task within each application, the amount of constraints, of mapping problems encountered in safety-critical systems. that will be added to the constraint solver by this approach, Twenty randomized examples with at least one solution were may significantly prolong the resolution time. However, this generated for the experiments. They exhibit the following approach can be realized with the tools already available in properties. Choco 4 and does not require any additional implementation In each example, there are two compartments, each contain- of custom propagators and constraints. ing between four and six boxes. Each box contains between four and six processing boards and every processing board Instantiation-only Approach is equipped with one or two processors each comprising of In order to address the drawbacks of the first approach, up to four cores. The examples contain between 16 and 24 another option is to implement a custom constraint and prop- applications and each of these applications have between two agator for Choco 4, that is able to operate on a list of a list and eight tasks that need to be mapped to the cores on the of variables. For the sake of simplicity, the propagator should processors. All tasks of an application are required to be only react on instantiation events for any of its variables. If placed on the same processing board to allow for memory- an instantiation is detected, then the value of the instantiated based communication (colocality requirement). Finally, every variable will be removed from the values of all variables in example features between 24 and 32 dislocality requirements all of the other lists. This approach has the advantage, that and each of these requirements refers to at least four and up only one constraint needs to be added to the constraint solver to six applications. for each dislocality requirement. However, this instantiation- Every example was benchmarked on an Apple iMac 5k with only approach leads to a weak propagation as it only removes 64GB of RAM by using ASSIST 2.3 and Choco 4.0.6. The values, when one of the variables is instantiated. experiments were done with the Domain over Weighted Degree as a variable selector strategy and Minimum Value First as a Combined Union-Variables and Instantiation-Only Approach value selector strategy. The examples are publicly available in the ASSIST repository. The third approach tries to build upon the instantiation-only approach and improve the strength of its propagation. For this VI. R ESULTS purpose, a new integer variable X ? will be added for each list of task variables X = {X1 , . . . , Xn } that were provided to the The amount of constraints and variables are depicted for advanced allDifferent constraint. The new variable X ? each example and each approach in Figure 3 and Figure 4. will contain the union of the remaining values of all variables The results show, that the element-wise approach leads to a in X. This can be achieved with a custom propagator similar to substantial increase in the amount of constraints in the solver the already existing PropSetIntValuesUnion propagator in comparison to the other two approaches. However, the in Choco 4. With these new “union variables” being available, increase of the variable count due to the addition of union- adding a simple allDifferent constraint, which links all variables for the implementation of the third approach appears of the union variables, should improve the effectiveness of the to be rather negligible. propagation. The total resolution time until the first solution has been Please note, that these “union variables” must not be added reached is depicted in Figure 5. Please note the logarithmic to the list of variables for branching as part of the search scale on the y-axis. The results demonstrate, that the resolution strategy in Choco 4 as they will not always be resolved to time can be significantly reduced in all examples by adopting only one value if tasks of an application are deployed to the instantiation-only approach. different processors. This approach will be combined with Further improvements to the instantiation-only approach the instantiation-only approach from the previous section. In can be achieved by applying the combined approach, but the comparison to the instantiation-only approach, the handling of additional gains are significantly smaller. In some examples, union-variables requires the addition of a new variable and a the combined approach requires slightly more time for a propagator for each list of variables, so there is some overhead resolution. However, the time differences in these cases are to be expected. so small, that they may also be induced by external effects, SEERTS 2018: Workshop on Software Engineering for Applied Embedded RealTime Systems @ SE18, Ulm, Germany 93 Fig. 3. Amount of constraints in the Choco solver in each example Fig. 4. Amount of variables in the Choco solver in each example Fig. 5. Resolution time (in ms) to reach the first solution in each example Fig. 6. Amount of backtracking occurring in each example SEERTS 2018: Workshop on Software Engineering for Applied Embedded RealTime Systems @ SE18, Ulm, Germany 94 such as garbage collection in Java or scheduling interferences does not always lead to the lowest rate of backtracks in the in the operating system. examples. Backtracking occurs, when the search process in the con- straint solver encounters a fail event, i.e. a variable has an ACKNOWLEDGMENT empty domain after value propagation or one of the constraints The authors acknowledge the financial support for this determines a contradiction. Figure 6 shows the amount of work by the Federal Ministry of Education and Research of backtracking that occurred before finding the first solution Germany (BMBF) in the project “ARAMiS II” (DLR, grant in each example. One would assume, that the element-wise identifier 01IS16025D). approach exhibits the strongest propagation due to the large R EFERENCES amount of additional allDifferent constraints, so that the amount of fails and backtracks might be smaller compared to [1] R. Chapman, “Correctness by construction: putting engineering (back) into software,” in Proceedings of the 2007 ACM international the other approaches. In fact, the results are not as clear-cut. conference on SIGAda annual international conference, ser. SIGAda Some examples show, that the propagation of the element- ’07. New York, NY, USA: ACM, 2007, pp. 100–100. [Online]. wise approach is significantly stronger compared to the other Available: http://doi.acm.org/10.1145/1315580.1315605 [2] R. Hilbrich, Platzierung von Softwarekomponenten auf Mehrkernprozes- approaches. However, there are also other examples in which soren: Automatisierte Konstruktion und Analyse für funktionssichere the situation is reversed. Systeme. Springer Fachmedien Wiesbaden, 2015. [Online]. Available: https://books.google.de/books?id=qu5rCgAAQBAJ VII. S UMMARY AND C ONCLUSIONS [3] W. Damm, A. Metzner, F. Eisenbrand, G. Shmonin, R. Wilhelm, and S. Winkel, “Mapping Task-Graphs on Distributed ECU Networks: Ensuring significant differences in the choice of resources Efficient Algorithms for Feasibility and Optimality,” in Embedded and to which software components in safety-critical systems are Real-Time Computing Systems and Applications, 2006. Proceedings. deployed to, is essential for satisfying safety requirements and 12th IEEE International Conference on, 2006, pp. 87–90. [4] S. Kugele, W. Haberl, M. Tautschnig, and M. Wechs, facilitating fault tolerance. ASSIST is a toolsuite for system “Optimizing Automatic Deployment Using Non-functional Requirement engineers, which aims to automate the deployment of soft- Annotations,” in Leveraging Applications of Formal Methods, ware components to hardware resources by transforming this Verification and Validation, ser. Communications in Computer and Information Science, T. Margaria and B. Steffen, Eds. Springer mapping problem into an equivalent Constraint Satisfaction Berlin Heidelberg, 2009, vol. 17, pp. 400–414. [Online]. Available: Problem. In ASSIST, there are several means to require “dif- http://dx.doi.org/10.1007/978-3-540-88479-8 28 ferences” in the choice of resources. Dislocality requirements [5] S. Voss and B. Schatz, “Deployment and Scheduling Synthesis for Mixed-Critical Shared-Memory Applications,” in Engineering of Com- are one of those means and they are used as an example in puter Based Systems (ECBS), 2013 20th IEEE International Conference this paper to illustrate the challenge of finding an efficient and Workshops on the, 2013, pp. 100–109. constraint model. [6] J. White, B. Dougherty, C. Thompson, and D. C. Schmidt, “ScatterD: Three different approaches to implement the intended se- Spatial deployment optimization with hybrid heuristic/evolutionary al- gorithms,” TAAS, vol. 6, no. 3, p. 18, 2011. mantics of dislocality requirements are presented. They specif- [7] K. R. Apt, Principles of constraint programming. Cambridge University ically address complex use-cases in which applications consist Press, 2003. of multiple tasks. While one of these approaches can be [8] F. Rossi, P. van Beek, and T. Walsh, Eds., Handbook of Constraint Programming. ELSEVIER SCIENCE & TECHNOLOGY, realized without any customized constraints or propagators, 2006. [Online]. Available: http://www.ebook.de/de/product/5834373/ the other two approaches rely on custom implementations of handbook of constraint programming.html constraints and propagators as well as additional variables in [9] C. Prud’homme, J.-G. Fages, and X. Lorca, Choco Documentation, TASC, INRIA Rennes, LINA CNRS UMR 6241, COSLING S.A.S., the third approach. 2016. [Online]. Available: http://www.choco-solver.org Experiments conducted with twenty synthesized mapping [10] N. Beldiceanu, M. Carlsson, and J.-X. Rampo, “Global Constraint examples for ASSIST show, that the implementation of custom Catalog,” online, SICS, Technical Report T2012:03, Feb. 2014, iSSN: 1100-3154. [Online]. Available: http://www.emn.fr/z-info/sdemasse/ constraints and propagators is well worth the effort. They lead gccat/ to a substantial reduction in the resolution time with only min- [11] J.-C. Régin, “A filtering algorithm for constraints of difference in imal overhead due to the additional constraints and variables. csps,” in Proceedings of the Twelfth National Conference on Artificial Intelligence (Vol. 1), ser. AAAI ’94. Menlo Park, CA, USA: American The results also indicate, that the element-wise approach, Association for Artificial Intelligence, 1994, pp. 362–367. [Online]. which requires the highest amount of additional constraints, Available: http://dl.acm.org/citation.cfm?id=199288.178024 SEERTS 2018: Workshop on Software Engineering for Applied Embedded RealTime Systems @ SE18, Ulm, Germany 95